diff --git a/Makefile b/Makefile index e8b7f80ebbf..8d3cad8cbe4 100644 --- a/Makefile +++ b/Makefile @@ -13,6 +13,13 @@ GOARCH ?= amd64 VERSION ?= $(shell git describe --abbrev=0 --tags) COMMIT ?= $(shell git rev-parse HEAD) TIME ?= $(shell date +%F_%T) +USER_REPO ?= $(shell git remote get-url origin | sed -e 's/.*\/\([^/]*\)\/\([^/]*\).*/\1_\2/' ) +BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD) +BRANCH_SHORT_HASH ?= $(shell git rev-parse --short HEAD) +empty:= +space:= $(empty) $(empty) +DOCKER_PROJECT ?= $(subst $(space),,$(USER_REPO)_/$(BRANCH)_$(BRANCH_SHORT_HASH)) +DOCKER_PROJECT := $(subst /,_,$(DOCKER_PROJECT)) ifneq ($(MF_BROKER_TYPE),) MF_BROKER_TYPE := $(MF_BROKER_TYPE) @@ -120,4 +127,10 @@ rundev: run: sed -i "s,file: brokers/.*.yml,file: brokers/${MF_BROKER_TYPE}.yml," docker/docker-compose.yml sed -i "s,MF_BROKER_URL=.*,MF_BROKER_URL=$$\{MF_$(shell echo ${MF_BROKER_TYPE} | tr 'a-z' 'A-Z')_URL\}," docker/.env - docker-compose -f docker/docker-compose.yml up + docker-compose -f docker/docker-compose.yml -p $(DOCKER_PROJECT) up + +run_mtls_grpc: + sed -i "s,file: brokers/.*.yml,file: brokers/${MF_BROKER_TYPE}.yml," docker/docker-compose.yml + sed -i "s,MF_BROKER_URL=.*,MF_BROKER_URL=$$\{MF_$(shell echo ${MF_BROKER_TYPE} | tr 'a-z' 'A-Z')_URL\}," docker/.env + make -C docker/ssl users_grpc_certs things_grpc_certs + docker-compose -f docker/docker-compose.yml -f docker/ssl/docker-compose.grpc-mtls.yaml -p $(DOCKER_PROJECT) up \ No newline at end of file diff --git a/docker/.env b/docker/.env index 34216459ae8..2501705203a 100644 --- a/docker/.env +++ b/docker/.env 
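Review bot: `USER_REPO` runs `git remote get-url origin` at parse time, so on a checkout without an `origin` remote (a tarball export, some CI clones) every make invocation prints a git error and `DOCKER_PROJECT` degrades to `_/<branch>_<hash>`. Silencing stderr and supplying a fixed fallback keeps the project name usable, e.g. `USER_REPO ?= $(or $(shell git remote get-url origin 2>/dev/null | sed -e 's/.*\/\([^/]*\)\/\([^/]*\).*/\1_\2/'),mainflux)`. Note also that `DOCKER_PROJECT := $(subst /,_,$(DOCKER_PROJECT))` is skipped when `DOCKER_PROJECT` is given on the command line, because command-line values override file assignments, so a user-supplied name containing `/` reaches `docker-compose -p` unchanged; use `override DOCKER_PROJECT := $(subst /,_,$(DOCKER_PROJECT))` if the normalisation is meant to be unconditional. A comment above the block, `# compose project name derived from <user>_<repo>, branch and short hash (presumably so checkouts of different branches do not share containers and volumes)`, would explain why the name is derived at all.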
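Review bot: `make -C docker/ssl users_grpc_certs things_grpc_certs` in `run_mtls_grpc` should be `$(MAKE) -C docker/ssl users_grpc_certs things_grpc_certs` so that `-n`, the jobserver and command-line variable overrides propagate to the sub-make. The two `sed -i` lines are duplicated verbatim from `run`; a shared phony prerequisite (for example a `configure_broker` target that both `run` and `run_mtls_grpc` depend on) keeps the broker substitution in one place. Unless it is declared elsewhere in the file, `run_mtls_grpc` also needs adding to `.PHONY`. Since `users_grpc_certs` and `things_grpc_certs` regenerate keys unconditionally, every `make run_mtls_grpc` mints a fresh set of gRPC certificates; a comment stating that, and that the output must match the `./ssl/certs/...` paths in `docker/.env`, is worth having on the target.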
@@ -48,8 +48,9 @@ MF_USERS_DB_SSL_KEY= MF_USERS_DB_SSL_ROOT_CERT= MF_USERS_HTTP_PORT=9002 MF_USERS_GRPC_PORT=7001 -MF_USERS_GRPC_URL=users:7001 -MF_USERS_GRPC_TIMEOUT=1s +MF_USERS_GRPC_SERVER_CERT=./ssl/certs/users-grpc-server.crt +MF_USERS_GRPC_SERVER_KEY=./ssl/certs/users-grpc-server.key +MF_USERS_GRPC_SERVER_CA_CERTS=./ssl/certs/ca.crt MF_USERS_SERVER_CERT= MF_USERS_SERVER_KEY= MF_USERS_SECRET_KEY=HyE2D4RUt9nnKG6v8zKEqAp6g6ka8hhZsqUpzgKvnwpXrNVQSH @@ -61,6 +62,15 @@ MF_USERS_RESET_PWD_TEMPLATE=users.tmpl MF_USERS_PASS_REGEX=^.{8,}$$ MF_USERS_INSTANCE_ID= +### Users gRPC Client +MF_USERS_GRPC_URL=users:7001 +MF_USERS_GRPC_TIMEOUT=1s +MF_USERS_GRPC_CLIENT_TLS=true +MF_USERS_GRPC_CLIENT_MTLS=true +MF_USERS_GRPC_CLIENT_CERT=./ssl/certs/users-grpc-client.crt +MF_USERS_GRPC_CLIENT_KEY=./ssl/certs/users-grpc-client.key +MF_USERS_GRPC_CLIENT_CA_CERTS=./ssl/certs/ca.crt + ### Email utility MF_EMAIL_HOST=smtp.mailtrap.io MF_EMAIL_PORT=2525 @@ -79,8 +89,9 @@ MF_THINGS_LOG_LEVEL=debug MF_THINGS_HTTP_PORT=9000 MF_THINGS_AUTH_HTTP_PORT=9001 MF_THINGS_AUTH_GRPC_PORT=7000 -MF_THINGS_AUTH_GRPC_URL=things:7000 -MF_THINGS_AUTH_GRPC_TIMEOUT=1s +MF_THINGS_AUTH_GRPC_SERVER_CERT=./ssl/certs/things-grpc-server.crt +MF_THINGS_AUTH_GRPC_SERVER_KEY=./ssl/certs/things-grpc-server.key +MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS=./ssl/certs/ca.crt MF_THINGS_DB_HOST=things-db MF_THINGS_DB_PORT=5432 MF_THINGS_DB_USER=mainflux @@ -98,6 +109,15 @@ MF_THINGS_ES_PASS= MF_THINGS_ES_DB= MF_THINGS_INSTANCE_ID= +### Things gRPC Client +MF_THINGS_AUTH_GRPC_URL=things:7000 +MF_THINGS_AUTH_GRPC_TIMEOUT=1s +MF_THINGS_AUTH_GRPC_CLIENT_TLS=true +MF_THINGS_AUTH_GRPC_CLIENT_MTLS=true +MF_THINGS_AUTH_GRPC_CLIENT_CERT=./ssl/certs/things-grpc-client.crt +MF_THINGS_AUTH_GRPC_CLIENT_KEY=./ssl/certs/things-grpc-client.key +MF_THINGS_AUTH_GRPC_CLIENT_CA_CERTS=./ssl/certs/ca.crt + ### HTTP MF_HTTP_ADAPTER_PORT=8008 MF_HTTP_ADAPTER_INSTANCE_ID= 
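Review bot: `MF_USERS_GRPC_CLIENT_TLS=true` and `MF_USERS_GRPC_CLIENT_MTLS=true` (and the `MF_THINGS_AUTH_GRPC_CLIENT_*` pair in the last hunk) are now defaults in the shared `docker/.env`, yet the certificates they point at are only produced by `make run_mtls_grpc` and only mounted by the `docker-compose.grpc-mtls.yaml` overlays. This commit does not forward them from the base `docker/docker-compose.yml` (its only change there is whitespace), so plain `make run` is unaffected today, but the first compose file that reads them will dial with TLS against a plaintext server and with no mounted CA. Either keep them `false` here and set `true` in the overlay, or document the coupling on the `### Users gRPC Client` header, e.g. `# TLS/mTLS=true is only valid together with docker/ssl/docker-compose.grpc-mtls.yaml (make run_mtls_grpc)`. The `./ssl/certs/...` paths are host-relative and appear to resolve only when the compose project directory is `docker/`; a one-line comment saying so would prevent a confusing bind-mount failure when an addon overlay is used from another directory.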
diff --git a/docker/addons/bootstrap/docker-compose.grpc-mtls.yaml b/docker/addons/bootstrap/docker-compose.grpc-mtls.yaml new file mode 100644 index 00000000000..3abbb6f5d7b --- /dev/null +++ b/docker/addons/bootstrap/docker-compose.grpc-mtls.yaml @@ -0,0 +1,14 @@ +services: + bootstrap: + environment: + # Users gRPC client environmental varaibles + MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + volumes: + # Users gRPC client certificates + - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt \ No newline at end of file diff --git a/docker/addons/cassandra-reader/docker-compose.grpc-mtls.yaml b/docker/addons/cassandra-reader/docker-compose.grpc-mtls.yaml new file mode 100644 index 00000000000..9d2ac21d23b --- /dev/null +++ b/docker/addons/cassandra-reader/docker-compose.grpc-mtls.yaml 
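Review bot: The `bootstrap` service, every other addon overlay added here (`certs`, `smpp-notifier`, `smtp-notifier`, `twins`, `cassandra-reader`, `influxdb-reader`, `mongodb-reader`, `postgres-reader`, `timescale-reader`) and the `things` service in `docker/ssl/docker-compose.grpc-mtls.yaml` all mount the same `${MF_USERS_GRPC_CLIENT_CERT}`/`${MF_USERS_GRPC_CLIENT_KEY}` pair, so a users gRPC server can establish that a caller holds the shared client certificate but not which service is calling. That is a reasonable dev-compose choice, but it should be stated so nobody reads mTLS here as per-service identity, e.g. `# All services present the same client certificate (users-grpc-client), issued by the shared CA; there is no per-service identity`. The keys `MF_AUTH_GRPC_CLIENT_*` are fed from `MF_USERS_GRPC_CLIENT_*`; presumably `MF_AUTH_GRPC_` is the prefix under which the bootstrap service parses its users client config, and a short comment naming that mapping would help whoever next edits `.env`. `environmental varaibles` should read `environment variables` in all of these files.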
@@ -0,0 +1,24 @@ +services: + cassandra-reader: + environment: + # Users gRPC client environmental varaibles + MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + # Things gRPC client environmental varaibles + MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS} + MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS} + MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt + MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key + MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt + volumes: + # Users gRPC client certificates + - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + # Things gRPC client certificates + - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt + - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key + - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt \ No newline at end of file diff --git a/docker/addons/certs/docker-compose.grpc-mtls.yaml b/docker/addons/certs/docker-compose.grpc-mtls.yaml new file mode 100644 index 00000000000..b553f8461b7 --- /dev/null +++ b/docker/addons/certs/docker-compose.grpc-mtls.yaml 
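Review bot: The Things client material is mounted under generic names (`/client.crt`, `/client.key`, `/server_ca.crt`) while the Users client material uses descriptive ones (`/users-grpc-client.crt`, `/users-grpc-client.key`, `/users-grpc-server-ca.crt`); the same mix appears in `influxdb-reader`, `mongodb-reader`, `postgres-reader`, `timescale-reader` and in the adapter services of `docker/ssl/docker-compose.grpc-mtls.yaml`. With both clients in one container, `/server_ca.crt` reads as if it were the only CA the service trusts. Renaming to `/things-grpc-client.crt`, `/things-grpc-client.key` and `/things-grpc-server-ca.crt` in both the `environment` and `volumes` sections keeps the two trust stores distinguishable in `docker inspect` output and logs.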
@@ -0,0 +1,14 @@ +services: + certs: + environment: + # Users gRPC client environmental varaibles + MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + volumes: + # Users gRPC client certificates + - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt \ No newline at end of file diff --git a/docker/addons/influxdb-reader/docker-compose.grpc-mtls.yaml b/docker/addons/influxdb-reader/docker-compose.grpc-mtls.yaml new file mode 100644 index 00000000000..fbfbff6bf4f --- /dev/null +++ b/docker/addons/influxdb-reader/docker-compose.grpc-mtls.yaml 
@@ -0,0 +1,24 @@ +services: + influxdb-reader: + environment: + # Users gRPC client environmental varaibles + MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + # Things gRPC client environmental varaibles + MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS} + MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS} + MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt + MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key + MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt + volumes: + # Users gRPC client certificates + - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + # Things gRPC client certificates + - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt + - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key + - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt \ No newline at end of file diff --git a/docker/addons/mongodb-reader/docker-compose.grpc-mtls.yaml b/docker/addons/mongodb-reader/docker-compose.grpc-mtls.yaml new file mode 100644 index 00000000000..672c1532109 --- /dev/null +++ b/docker/addons/mongodb-reader/docker-compose.grpc-mtls.yaml 
@@ -0,0 +1,24 @@ +services: + mongodb-reader: + environment: + # Users gRPC client environmental varaibles + MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + # Things gRPC client environmental varaibles + MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS} + MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS} + MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt + MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key + MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt + volumes: + # Users gRPC client certificates + - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + # Things gRPC client certificates + - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt + - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key + - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt \ No newline at end of file diff --git a/docker/addons/postgres-reader/docker-compose.grpc-mtls.yaml b/docker/addons/postgres-reader/docker-compose.grpc-mtls.yaml new file mode 100644 index 00000000000..6d0e8877afb --- /dev/null +++ b/docker/addons/postgres-reader/docker-compose.grpc-mtls.yaml 
@@ -0,0 +1,24 @@ +services: + postgres-reader: + environment: + # Users gRPC client environmental varaibles + MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + # Things gRPC client environmental varaibles + MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS} + MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS} + MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt + MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key + MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt + volumes: + # Users gRPC client certificates + - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + # Things gRPC client certificates + - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt + - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key + - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt \ No newline at end of file diff --git a/docker/addons/smpp-notifier/docker-compose.grpc-mtls.yaml b/docker/addons/smpp-notifier/docker-compose.grpc-mtls.yaml new file mode 100644 index 00000000000..7b0fc4fff1d --- /dev/null +++ b/docker/addons/smpp-notifier/docker-compose.grpc-mtls.yaml 
@@ -0,0 +1,14 @@ +services: + smpp-notifier: + environment: + # Users gRPC client environmental varaibles + MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + volumes: + # Users gRPC client certificates + - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt \ No newline at end of file diff --git a/docker/addons/smtp-notifier/docker-compose.grpc-mtls.yaml b/docker/addons/smtp-notifier/docker-compose.grpc-mtls.yaml new file mode 100644 index 00000000000..dc3121ffa88 --- /dev/null +++ b/docker/addons/smtp-notifier/docker-compose.grpc-mtls.yaml @@ -0,0 +1,14 @@ +services: + smtp-notifier: + environment: + # Users gRPC client environmental varaibles + MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + volumes: + # Users gRPC client certificates + - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt \ No newline at end of file diff --git a/docker/addons/timescale-reader/docker-compose.grpc-mtls.yaml b/docker/addons/timescale-reader/docker-compose.grpc-mtls.yaml new file mode 100644 index 00000000000..98c4872b7ce --- /dev/null +++ b/docker/addons/timescale-reader/docker-compose.grpc-mtls.yaml 
@@ -0,0 +1,24 @@ +services: + timescale-reader: + environment: + # Users gRPC client environmental varaibles + MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + # Things gRPC client environmental varaibles + MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS} + MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS} + MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt + MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key + MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt + volumes: + # Users gRPC client certificates + - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + # Things gRPC client certificates + - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt + - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key + - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt \ No newline at end of file diff --git a/docker/addons/twins/docker-compose.grpc-mtls.yaml b/docker/addons/twins/docker-compose.grpc-mtls.yaml new file mode 100644 index 00000000000..cbe9e9dbf0d --- /dev/null +++ b/docker/addons/twins/docker-compose.grpc-mtls.yaml 
@@ -0,0 +1,14 @@ +services: + twins: + environment: + # Users gRPC client environmental varaibles + MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + volumes: + # Users gRPC client certificates + - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt \ No newline at end of file diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 50fba3dc77a..3613aa0f552 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -172,8 +172,8 @@ services: networks: - mainflux-base-net volumes: - - ./templates/${MF_USERS_RESET_PWD_TEMPLATE}:/email.tmpl - + - ./templates/${MF_USERS_RESET_PWD_TEMPLATE}:/email.tmpl + jaeger: image: jaegertracing/all-in-one:1.38.0 container_name: mainflux-jaeger diff --git a/docker/ssl/.gitignore b/docker/ssl/.gitignore new file mode 100644 index 00000000000..2bbf1c351ba --- /dev/null +++ b/docker/ssl/.gitignore @@ -0,0 +1,4 @@ +*grpc-server* +*grpc-client* +*srl +*conf \ No newline at end of file diff --git a/docker/ssl/Makefile b/docker/ssl/Makefile index d2581a664df..8720179de8a 100644 --- a/docker/ssl/Makefile +++ b/docker/ssl/Makefile 
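Review bot: In the new `docker/ssl/.gitignore`, `*conf` and `*srl` match any path ending in those letters (no dot, no anchor), so they would also hide any future hand-maintained `*.conf` under `docker/ssl` and its subdirectories. Narrower forms such as `*grpc-*.conf` and `*.srl` express the intent (the temporary request configs written by `$(file >…)` and the `-CAcreateserial` output), and a comment line `# generated by docker/ssl/Makefile: gRPC server/client key pairs, request configs, CA serial` documents why the patterns exist. Excluding `*grpc-server*`/`*grpc-client*` is the important part, since it keeps the generated private keys out of the repository; the file is also missing its trailing newline.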
@@ -7,8 +7,48 @@ CN_CA = Mainflux_Self_Signed_CA CN_SRV = localhost THING_SECRET = # e.g. 8f65ed04-0770-4ce4-a291-6d1bf2000f4d CRT_FILE_NAME = thing +THINGS_GRPC_SERVER_CONF_FILE_NAME=thing-grpc-server.conf +THINGS_GRPC_CLIENT_CONF_FILE_NAME=thing-grpc-client.conf +THINGS_GRPC_SERVER_CN=things +THINGS_GRPC_CLIENT_CN=things-client +THINGS_GRPC_SERVER_CRT_FILE_NAME=things-grpc-server +THINGS_GRPC_CLIENT_CRT_FILE_NAME=things-grpc-client +USERS_GRPC_SERVER_CONF_FILE_NAME=users-grpc-server.conf +USERS_GRPC_CLIENT_CONF_FILE_NAME=users-grpc-client.conf +USERS_GRPC_SERVER_CN=users +USERS_GRPC_CLIENT_CN=users-client +USERS_GRPC_SERVER_CRT_FILE_NAME=users-grpc-server +USERS_GRPC_CLIENT_CRT_FILE_NAME=users-grpc-client -all: clean_certs ca server_cert +define GRPC_CERT_CONFIG +[req] +req_extensions = v3_req +distinguished_name = dn +prompt = no + +[dn] +CN = mf.svc +C = RS +ST = RS +L = BELGRADE +O = MAINFLUX +OU = MAINFLUX + +[v3_req] +subjectAltName = @alt_names + +[alt_names] +DNS.1 = <> +endef + +define ANNOUNCE_BODY +Version $(VERSION) of $(PACKAGE_NAME) has been released. + +It can be downloaded from $(DOWNLOAD_URL). + +etc, etc. +endef +all: clean_certs ca server_cert test things_grpc_certs users_grpc_certs # CA name and key is "ca". ca: 
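Review bot: `define ANNOUNCE_BODY … endef` is the example from the GNU make manual (`$(VERSION)`, `$(PACKAGE_NAME)` and `$(DOWNLOAD_URL)` are not defined here) and is never referenced; it should be dropped. The `all` target now lists `test` as a prerequisite, but no `test` rule is visible in this Makefile; unless one exists outside the hunk, `make all` in `docker/ssl` fails with "No rule to make target 'test'". `GRPC_CERT_CONFIG` deserves a comment such as `# openssl req config template; <> is replaced by the DNS SAN via $(subst) in the *_grpc_certs targets`. The fixed `CN = mf.svc` is shared by all four generated certificates, so any verifier that keyed on the CN rather than on the SAN or the issuing CA could not tell them apart; stating that assumption in the same comment would save the next reader from checking.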
@@ -38,6 +78,90 @@ thing_cert: # Remove CSR. rm $(CRT_LOCATION)/$(CRT_FILE_NAME).csr +things_grpc_certs: + # Things server grpc certificates + $(file > $(CRT_LOCATION)/$(THINGS_GRPC_SERVER_CRT_FILE_NAME).conf,$(subst <>,$(THINGS_GRPC_SERVER_CN),$(GRPC_CERT_CONFIG)) ) + + openssl req -new -sha256 -newkey rsa:4096 -nodes \ + -keyout $(CRT_LOCATION)/$(THINGS_GRPC_SERVER_CRT_FILE_NAME).key \ + -out $(CRT_LOCATION)/$(THINGS_GRPC_SERVER_CRT_FILE_NAME).csr \ + -config $(CRT_LOCATION)/$(THINGS_GRPC_SERVER_CRT_FILE_NAME).conf \ + -extensions v3_req + + openssl x509 -req -sha256 \ + -in $(CRT_LOCATION)/$(THINGS_GRPC_SERVER_CRT_FILE_NAME).csr \ + -CA $(CRT_LOCATION)/ca.crt \ + -CAkey $(CRT_LOCATION)/ca.key \ + -CAcreateserial \ + -out $(CRT_LOCATION)/$(THINGS_GRPC_SERVER_CRT_FILE_NAME).crt \ + -days 365 \ + -extfile $(CRT_LOCATION)/$(THINGS_GRPC_SERVER_CRT_FILE_NAME).conf \ + -extensions v3_req + + rm -rf $(CRT_LOCATION)/$(THINGS_GRPC_SERVER_CRT_FILE_NAME).csr $(CRT_LOCATION)/$(THINGS_GRPC_SERVER_CRT_FILE_NAME).conf + # Things client grpc certificates + $(file > $(CRT_LOCATION)/$(THINGS_GRPC_CLIENT_CRT_FILE_NAME).conf,$(subst <>,$(THINGS_GRPC_CLIENT_CN),$(GRPC_CERT_CONFIG)) ) + + openssl req -new -sha256 -newkey rsa:4096 -nodes \ + -keyout $(CRT_LOCATION)/$(THINGS_GRPC_CLIENT_CRT_FILE_NAME).key \ + -out $(CRT_LOCATION)/$(THINGS_GRPC_CLIENT_CRT_FILE_NAME).csr \ + -config $(CRT_LOCATION)/$(THINGS_GRPC_CLIENT_CRT_FILE_NAME).conf \ + -extensions v3_req + + openssl x509 -req -sha256 \ + -in $(CRT_LOCATION)/$(THINGS_GRPC_CLIENT_CRT_FILE_NAME).csr \ + -CA $(CRT_LOCATION)/ca.crt \ + -CAkey $(CRT_LOCATION)/ca.key \ + -CAcreateserial \ + -out $(CRT_LOCATION)/$(THINGS_GRPC_CLIENT_CRT_FILE_NAME).crt \ + -days 365 \ + -extfile $(CRT_LOCATION)/$(THINGS_GRPC_CLIENT_CRT_FILE_NAME).conf \ + -extensions v3_req + + rm -rf $(CRT_LOCATION)/$(THINGS_GRPC_CLIENT_CRT_FILE_NAME).csr $(CRT_LOCATION)/$(THINGS_GRPC_CLIENT_CRT_FILE_NAME).conf + +users_grpc_certs: + # Users gRPC server certificate + 
$(file > $(CRT_LOCATION)/$(USERS_GRPC_SERVER_CRT_FILE_NAME).conf,$(subst <>,$(USERS_GRPC_SERVER_CN),$(GRPC_CERT_CONFIG)) ) + + openssl req -new -sha256 -newkey rsa:4096 -nodes \ + -keyout $(CRT_LOCATION)/$(USERS_GRPC_SERVER_CRT_FILE_NAME).key \ + -out $(CRT_LOCATION)/$(USERS_GRPC_SERVER_CRT_FILE_NAME).csr \ + -config $(CRT_LOCATION)/$(USERS_GRPC_SERVER_CRT_FILE_NAME).conf \ + -extensions v3_req + + openssl x509 -req -sha256 \ + -in $(CRT_LOCATION)/$(USERS_GRPC_SERVER_CRT_FILE_NAME).csr \ + -CA $(CRT_LOCATION)/ca.crt \ + -CAkey $(CRT_LOCATION)/ca.key \ + -CAcreateserial \ + -out $(CRT_LOCATION)/$(USERS_GRPC_SERVER_CRT_FILE_NAME).crt \ + -days 365 \ + -extfile $(CRT_LOCATION)/$(USERS_GRPC_SERVER_CRT_FILE_NAME).conf \ + -extensions v3_req + + rm -rf $(CRT_LOCATION)/$(USERS_GRPC_SERVER_CRT_FILE_NAME).csr $(CRT_LOCATION)/$(USERS_GRPC_SERVER_CRT_FILE_NAME).conf + # Users gRPC client certificate + $(file > $(CRT_LOCATION)/$(USERS_GRPC_CLIENT_CRT_FILE_NAME).conf,$(subst <>,$(USERS_GRPC_CLIENT_CN),$(GRPC_CERT_CONFIG)) ) + + openssl req -new -sha256 -newkey rsa:4096 -nodes \ + -keyout $(CRT_LOCATION)/$(USERS_GRPC_CLIENT_CRT_FILE_NAME).key \ + -out $(CRT_LOCATION)/$(USERS_GRPC_CLIENT_CRT_FILE_NAME).csr \ + -config $(CRT_LOCATION)/$(USERS_GRPC_CLIENT_CRT_FILE_NAME).conf \ + -extensions v3_req + + openssl x509 -req -sha256 \ + -in $(CRT_LOCATION)/$(USERS_GRPC_CLIENT_CRT_FILE_NAME).csr \ + -CA $(CRT_LOCATION)/ca.crt \ + -CAkey $(CRT_LOCATION)/ca.key \ + -CAcreateserial \ + -out $(CRT_LOCATION)/$(USERS_GRPC_CLIENT_CRT_FILE_NAME).crt \ + -days 365 \ + -extfile $(CRT_LOCATION)/$(USERS_GRPC_CLIENT_CRT_FILE_NAME).conf \ + -extensions v3_req + + rm -rf $(CRT_LOCATION)/$(USERS_GRPC_CLIENT_CRT_FILE_NAME).csr $(CRT_LOCATION)/$(USERS_GRPC_CLIENT_CRT_FILE_NAME).conf + clean_certs: rm -r $(CRT_LOCATION)/*.crt rm -r $(CRT_LOCATION)/*.key diff --git a/docker/ssl/docker-compose.grpc-mtls.yaml b/docker/ssl/docker-compose.grpc-mtls.yaml new file mode 100644 index 00000000000..899d29e9b53 
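Review bot: `things_grpc_certs` and `users_grpc_certs` repeat the same four-step sequence (write config, `openssl req`, `openssl x509`, clean up) four times with only the file stem and SAN changed; a `define`/`$(call)` canned recipe keeps one copy to review, as sketched below. The generated `.key` files are written with the caller's umask before being bind-mounted into containers, so the template adds `chmod 600` on the private key (a no-op where the umask already yields that), and `rm -rf` on two plain files becomes `rm -f`. Both targets produce files but are not file targets, so they regenerate fresh keys on every call, including each `make run_mtls_grpc`; if that is intended, listing them in `.PHONY` documents it.

```make
# $(1) = file stem under $(CRT_LOCATION), $(2) = DNS SAN written into the request config.
# $(file >…) is evaluated when the recipe is expanded, i.e. before the first shell line runs.
define gen_grpc_cert
$(file > $(CRT_LOCATION)/$(1).conf,$(subst <>,$(2),$(GRPC_CERT_CONFIG)))
openssl req -new -sha256 -newkey rsa:4096 -nodes \
    -keyout $(CRT_LOCATION)/$(1).key \
    -out $(CRT_LOCATION)/$(1).csr \
    -config $(CRT_LOCATION)/$(1).conf \
    -extensions v3_req
openssl x509 -req -sha256 \
    -in $(CRT_LOCATION)/$(1).csr \
    -CA $(CRT_LOCATION)/ca.crt \
    -CAkey $(CRT_LOCATION)/ca.key \
    -CAcreateserial \
    -out $(CRT_LOCATION)/$(1).crt \
    -days 365 \
    -extfile $(CRT_LOCATION)/$(1).conf \
    -extensions v3_req
chmod 600 $(CRT_LOCATION)/$(1).key
rm -f $(CRT_LOCATION)/$(1).csr $(CRT_LOCATION)/$(1).conf
endef

things_grpc_certs:
	$(call gen_grpc_cert,$(THINGS_GRPC_SERVER_CRT_FILE_NAME),$(THINGS_GRPC_SERVER_CN))
	$(call gen_grpc_cert,$(THINGS_GRPC_CLIENT_CRT_FILE_NAME),$(THINGS_GRPC_CLIENT_CN))

users_grpc_certs:
	$(call gen_grpc_cert,$(USERS_GRPC_SERVER_CRT_FILE_NAME),$(USERS_GRPC_SERVER_CN))
	$(call gen_grpc_cert,$(USERS_GRPC_CLIENT_CRT_FILE_NAME),$(USERS_GRPC_CLIENT_CN))
```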
--- /dev/null +++ b/docker/ssl/docker-compose.grpc-mtls.yaml 
@@ -0,0 +1,284 @@ +services: + users: + environment: + # Users gRPC server environmental varaibles + MF_USERS_GRPC_SERVER_CERT: /users-grpc-server.crt + MF_USERS_GRPC_SERVER_KEY: /users-grpc-server.key + MF_USERS_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + MF_USERS_GRPC_CLIENT_CA_CERTS: /users-grpc-client-ca.crt + volumes: + # Users gRPC server certificates + - ${MF_USERS_GRPC_SERVER_CERT}:/users-grpc-server.crt + - ${MF_USERS_GRPC_SERVER_KEY}:/users-grpc-server.key + - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + - ${MF_USERS_GRPC_CLIENT_CA_CERTS}:/users-grpc-client-ca.crt + + things: + environment: + # Users gRPC client environmental varaibles + MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + # Things gRPC server environmental varaibles + MF_THINGS_AUTH_GRPC_SERVER_CERT: /things-grpc-server.crt + MF_THINGS_AUTH_GRPC_SERVER_KEY: /things-grpc-server.key + MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /things-grpc-server-ca.crt + MF_THINGS_AUTH_GRPC_CLIENT_CA_CERTS: /things-grpc-client-ca.crt + volumes: + # Things gRPC server certificates + - ${MF_THINGS_AUTH_GRPC_SERVER_CERT}:/things-grpc-server.crt + - ${MF_THINGS_AUTH_GRPC_SERVER_KEY}:/things-grpc-server.key + - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/things-grpc-server-ca.crt + - ${MF_THINGS_AUTH_GRPC_CLIENT_CA_CERTS}:/things-grpc-client-ca.crt + # Users gRPC client certificates + - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + + mqtt-adapter: + environment: + # Things gRPC client environmental varaibles + MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS} + MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS} + 
MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt + MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key + MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt + volumes: + # Things gRPC client certificates + - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt + - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key + - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt + + http-adapter: + environment: + # Things gRPC client environmental varaibles + MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS} + MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS} + MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt + MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key + MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt + volumes: + # Things gRPC client certificates + - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt + - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key + - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt + + coap-adapter: + environment: + # Things gRPC client environmental varaibles + MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS} + MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS} + MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt + MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key + MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt + volumes: + # Things gRPC client certificates + - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt + - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key + - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt + + ws-adapter: + environment: + # Things gRPC client environmental varaibles + MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS} + MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS} + MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt + MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key + MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt + volumes: + # Things gRPC client certificates + - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt + - 
${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key + - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt + + # bootstrap: + # environment: + # # Users gRPC client environmental varaibles + # MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + # MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + # MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + # MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + # MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + # volumes: + # # Users gRPC client certificates + # - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + # - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + # - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + + # certs: + # environment: + # # Users gRPC client environmental varaibles + # MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + # MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + # MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + # MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + # MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + # volumes: + # # Users gRPC client certificates + # - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + # - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + # - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + + # smpp-notifier: + # environment: + # # Users gRPC client environmental varaibles + # MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + # MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + # MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + # MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + # MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + # volumes: + # # Users gRPC client certificates + # - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + # - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + # - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + + # smtp-notifier: + # environment: + # # Users gRPC client environmental varaibles + # MF_AUTH_GRPC_CLIENT_MTLS: 
${MF_USERS_GRPC_CLIENT_MTLS} + # MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + # MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + # MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + # MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + # volumes: + # # Users gRPC client certificates + # - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + # - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + # - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + + # twins: + # environment: + # # Users gRPC client environmental varaibles + # MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + # MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + # MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + # MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + # MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + # volumes: + # # Users gRPC client certificates + # - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + # - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + # - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + + # postgres-reader: + # environment: + # # Users gRPC client environmental varaibles + # MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + # MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + # MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + # MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + # MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + # # Things gRPC client environmental varaibles + # MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS} + # MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS} + # MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt + # MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key + # MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt + # volumes: + # # Users gRPC client certificates + # - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + # - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + # - 
${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + # # Things gRPC client certificates + # - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt + # - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key + # - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt + + # timescale-reader: + # environment: + # # Users gRPC client environmental varaibles + # MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + # MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + # MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + # MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + # MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + # # Things gRPC client environmental varaibles + # MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS} + # MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS} + # MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt + # MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key + # MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt + # volumes: + # # Users gRPC client certificates + # - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + # - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + # - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + # # Things gRPC client certificates + # - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt + # - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key + # - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt + + # influxdb-reader: + # environment: + # # Users gRPC client environmental varaibles + # MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + # MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + # MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + # MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + # MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + # # Things gRPC client environmental varaibles + # MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS} + # MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS} + # 
MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt + # MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key + # MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt + # volumes: + # # Users gRPC client certificates + # - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + # - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + # - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + # # Things gRPC client certificates + # - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt + # - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key + # - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt + + # mongodb-reader: + # environment: + # # Users gRPC client environmental varaibles + # MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + # MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + # MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + # MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + # MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + # # Things gRPC client environmental varaibles + # MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS} + # MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS} + # MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt + # MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key + # MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt + # volumes: + # # Users gRPC client certificates + # - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + # - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + # - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + # # Things gRPC client certificates + # - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt + # - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key + # - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt + + # cassandra-reader: + # environment: + # # Users gRPC client environmental varaibles + # MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS} + # MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS} + # MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt + # 
MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key + # MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt + # # Things gRPC client environmental varaibles + # MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS} + # MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS} + # MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt + # MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key + # MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt + # volumes: + # # Users gRPC client certificates + # - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt + # - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key + # - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt + # # Things gRPC client certificates + # - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt + # - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key + # - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt \ No newline at end of file diff --git a/internal/clients/grpc/connect.go b/internal/clients/grpc/connect.go index 1d1ffd462eb..53efb372963 100644 --- a/internal/clients/grpc/connect.go +++ b/internal/clients/grpc/connect.go @@ -4,6 +4,10 @@ package grpc import ( + "crypto/tls" + "crypto/x509" + "fmt" + "io/ioutil" "time" "github.com/mainflux/mainflux/pkg/errors" @@ -19,10 +23,13 @@ var ( ) type Config struct { - ClientTLS bool `env:"CLIENT_TLS" envDefault:"false"` - CACerts string `env:"CA_CERTS" envDefault:""` - URL string `env:"URL" envDefault:""` - Timeout time.Duration `env:"TIMEOUT" envDefault:"1s"` + ClientTLS bool `env:"CLIENT_TLS" envDefault:"false"` + ClientMTLS bool `env:"CLIENT_MTLS" envDefault:"false"` + ClientCert string `env:"CLIENT_CERT" envDefault:""` + ClientKey string `env:"CLIENT_KEY" envDefault:""` + ServerCAFile string `env:"SERVER_CA_CERTS" envDefault:""` + URL string `env:"URL" envDefault:""` + Timeout time.Duration `env:"TIMEOUT" envDefault:"1s"` } type ClientHandler interface { 
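Review bot: More than half of the 284 added lines in `docker/ssl/docker-compose.grpc-mtls.yaml` are commented-out `bootstrap`, `certs`, `smpp-notifier`, `smtp-notifier`, `twins` and `*-reader` service blocks that duplicate the per-addon `docker-compose.grpc-mtls.yaml` files added in this same commit; they should be deleted rather than kept as dead configuration that will drift from the live copies. In the `users` block, `${MF_USERS_GRPC_CLIENT_CA_CERTS}` is mounted as `/users-grpc-client-ca.crt`, i.e. the CA the server uses to verify client certificates, while the `.env` variable sits under the `### Users gRPC Client` heading; a comment here such as `# CA used by the users gRPC server to verify client certificates` removes the ambiguity. `environmental varaibles` should read `environment variables` throughout the file.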
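Review bot: Renaming `CACerts` (`env:"CA_CERTS"`) to `ServerCAFile` (`env:"SERVER_CA_CERTS"`) changes the environment variable every deployment uses to pin the gRPC server CA; an existing `*_CA_CERTS` setting is now silently ignored and, with `CLIENT_TLS=true`, the client falls back to the system pool and fails verification against a self-signed CA. Either keep `CA_CERTS` as a deprecated alias for one release or call the rename out in the release notes and README. The struct has no doc comments; at minimum `// ClientMTLS presents ClientCert/ClientKey to the server; it is only honoured when ClientTLS is true.` and `// ServerCAFile is a PEM file appended to the system root pool when ClientTLS is set.` reflect what `Connect` does with them.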
@@ -45,20 +52,52 @@ func NewClientHandler(c *Client) ClientHandler { // Connect creates new gRPC client and connect to gRPC server. func Connect(cfg Config) (*gogrpc.ClientConn, bool, error) { - var opts []gogrpc.DialOption + opts := []gogrpc.DialOption{ + gogrpc.WithUnaryInterceptor(otelgrpc.UnaryClientInterceptor()), + } secure := false tc := insecure.NewCredentials() - if cfg.ClientTLS && cfg.CACerts != "" { - var err error - tc, err = credentials.NewClientTLSFromFile(cfg.CACerts, "") + if cfg.ClientTLS { + tlsConfig := &tls.Config{} + + // Loading System certificates + sysCertPool, err := x509.SystemCertPool() + if err != nil { + fmt.Printf("failed to load system certificate %s\n", err.Error()) + } + if sysCertPool != nil { + tlsConfig.RootCAs = sysCertPool + } + + // Loading root ca certificates file + rootCA, err := loadCertFile(cfg.ServerCAFile) if err != nil { - return nil, secure, err + return nil, secure, fmt.Errorf("failed to load root ca file: %w", err) } + if rootCA != nil { + if tlsConfig.RootCAs == nil { + tlsConfig.RootCAs = x509.NewCertPool() + } + if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCA) { + return nil, secure, fmt.Errorf("failed to append root ca to tls.Config") + } + } + + // Loading mtls certificates file + if cfg.ClientMTLS { + certificate, err := tls.LoadX509KeyPair(cfg.ClientCert, cfg.ClientKey) + if err != nil { + return nil, secure, fmt.Errorf("failed to client certificate and key %w", err) + } + tlsConfig.Certificates = []tls.Certificate{certificate} + } + + tc = credentials.NewTLS(tlsConfig) secure = true } - opts = append(opts, gogrpc.WithTransportCredentials(tc), gogrpc.WithUnaryInterceptor(otelgrpc.UnaryClientInterceptor())) + opts = append(opts, gogrpc.WithTransportCredentials(tc)) conn, err := gogrpc.Dial(cfg.URL, opts...) if err != nil { 
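Review bot: `cfg.ClientMTLS` is only consulted inside the `if cfg.ClientTLS` branch, so a deployment that sets `CLIENT_MTLS=true` without `CLIENT_TLS=true` dials in plaintext with no error, which is exactly the silent downgrade an mTLS rollout should refuse. I would reject that combination before building the config: `if cfg.ClientMTLS && !cfg.ClientTLS { return nil, secure, fmt.Errorf("client mTLS requires client TLS to be enabled") }`. Two smaller things in the same branch: the error text `"failed to client certificate and key %w"` is missing its verb (`"failed to load client certificate and key: %w"`), and the system-pool failure is written to stdout with `fmt.Printf` rather than to a logger or stderr. Pinning `MinVersion: tls.VersionTLS12` on the `tls.Config` literal would also make the protocol floor explicit instead of relying on whatever default grpc-go or the toolchain applies. The body of `Connect` continues past the end of the hunk.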
@@ -105,3 +144,14 @@ func (c *Client) Secure() string { } return "without TLS" } + +func loadCertFile(certFile string) ([]byte, error) { + if certFile != "" { + data, err := ioutil.ReadFile(certFile) + if err != nil { + return nil, err + } + return data, nil + } + return nil, nil +} diff --git a/internal/env/parser.go b/internal/env/parser.go index 4bf127d809a..e5262cf5667 100644 --- a/internal/env/parser.go +++ b/internal/env/parser.go @@ -62,7 +62,7 @@ func parseGrpcConfig(cfg *grpc.Config, altPrefix string, opts ...env.Options) er return err } - if !cfg.ClientTLS || cfg.CACerts == "" { + if !cfg.ClientTLS || cfg.ServerCAFile == "" { altOpts := []env.Options{} for _, opt := range opts { if opt.Prefix != "" { @@ -74,8 +74,8 @@ func parseGrpcConfig(cfg *grpc.Config, altPrefix string, opts ...env.Options) er if err := env.Parse(&altCfg, altOpts...); err != nil { return err } - if cfg.CACerts == "" && altCfg.CACerts != "" { - cfg.CACerts = altCfg.CACerts + if cfg.ServerCAFile == "" && altCfg.ServerCAFile != "" { + cfg.ServerCAFile = altCfg.ServerCAFile } if !cfg.ClientTLS && altCfg.ClientTLS { cfg.ClientTLS = altCfg.ClientTLS diff --git a/internal/env/parser_test.go b/internal/env/parser_test.go index 4f846ad7c4d..c77902c532a 100644 --- a/internal/env/parser_test.go +++ b/internal/env/parser_test.go @@ -209,10 +209,10 @@ func TestParseGRPCConfig(t *testing.T) { "Parsing conflicting configs", &grpc.Config{}, &grpc.Config{ - URL: "val.com", - Timeout: time.Second, - ClientTLS: true, - CACerts: "cert", + URL: "val.com", + Timeout: time.Second, + ClientTLS: true, + ServerCAFile: "cert", }, []Options{ { diff --git a/internal/server/grpc/grpc.go b/internal/server/grpc/grpc.go index 6c13e90a308..7446131fc15 100644 --- a/internal/server/grpc/grpc.go +++ b/internal/server/grpc/grpc.go @@ -5,7 +5,10 @@ package grpc import ( "context" + "crypto/tls" + "crypto/x509" "fmt" + "io/ioutil" "net" "time" 
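Review bot: `loadCertFile` reads with `ioutil.ReadFile`, which has been a deprecated alias of `os.ReadFile` since Go 1.16; if the module's Go version allows, `os.ReadFile(certFile)` drops the deprecated package and the `io/ioutil` import added to this file in the same diff. The identical helper is also added to `internal/server/grpc` below; one shared copy would keep the two from drifting. A one-line doc comment would help as well: `// loadCertFile returns the raw PEM bytes of certFile, or nil, nil when certFile is empty.`.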
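Review bot: The alternate-prefix fallback only merges `ServerCAFile` and `ClientTLS` from `altCfg`; the new `ClientMTLS`, `ClientCert` and `ClientKey` fields are never propagated, so a service whose gRPC TLS settings come from the alternate prefix ends up with server-only TLS and no client certificate, and a server that requires client certificates (as the server change in this diff does) will reject its handshake. Unless later lines of `parseGrpcConfig` handle them, the same merge should be applied to the three mTLS fields, and the guard in the first hunk, `if !cfg.ClientTLS || cfg.ServerCAFile == ""`, probably also needs to fire when `cfg.ClientMTLS` is set but `ClientCert`/`ClientKey` are empty. `parseGrpcConfig` starts and ends outside the hunk.

```go
		if !cfg.ClientTLS && altCfg.ClientTLS {
			cfg.ClientTLS = altCfg.ClientTLS
		}
		// … new: carry the mTLS settings over from the alternate prefix as well …
		if !cfg.ClientMTLS && altCfg.ClientMTLS {
			cfg.ClientMTLS = altCfg.ClientMTLS
		}
		if cfg.ClientCert == "" && altCfg.ClientCert != "" {
			cfg.ClientCert = altCfg.ClientCert
		}
		if cfg.ClientKey == "" && altCfg.ClientKey != "" {
			cfg.ClientKey = altCfg.ClientKey
		}
```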
@@ -14,6 +17,7 @@ import (
 "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 "google.golang.org/grpc"
 "google.golang.org/grpc/credentials"
+ "google.golang.org/grpc/credentials/insecure"
 )
 
 const (
@@ -47,30 +51,75 @@ func New(ctx context.Context, cancel context.CancelFunc, name string, config ser func (s *Server) Start() error { errCh := make(chan error) + grpcServerOptions := []grpc.ServerOption{ + grpc.UnaryInterceptor(otelgrpc.UnaryServerInterceptor()), + } listener, err := net.Listen("tcp", s.Address) if err != nil { return fmt.Errorf("failed to listen on port %s: %w", s.Address, err) } + creds := grpc.Creds(insecure.NewCredentials()) switch { case s.Config.CertFile != "" || s.Config.KeyFile != "": - creds, err := credentials.NewServerTLSFromFile(s.Config.CertFile, s.Config.KeyFile) + certificate, err := tls.LoadX509KeyPair(s.Config.CertFile, s.Config.KeyFile) if err != nil { return fmt.Errorf("failed to load auth certificates: %w", err) } + tlsConfig := &tls.Config{ + ClientAuth: tls.RequireAndVerifyClientCert, + Certificates: []tls.Certificate{certificate}, + } + + // Loading System certificates + sysCertPool, err := x509.SystemCertPool() + if err != nil { + s.Logger.Warn(fmt.Sprintf("failed to load system certificate %s", err.Error())) + } + if sysCertPool != nil { + tlsConfig.RootCAs = sysCertPool + tlsConfig.ClientCAs = sysCertPool + } + + // Loading Server CA file + rootCA, err := loadCertFile(s.Config.ServerCAFile) + if err != nil { + return fmt.Errorf("failed to load root ca file: %w", err) + } + if rootCA != nil { + if tlsConfig.RootCAs == nil { + tlsConfig.RootCAs = x509.NewCertPool() + } + if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCA) { + return fmt.Errorf("failed to append root ca to tls.Config") + } + } + + // Loading Client CA File + clientCA, err := loadCertFile(s.Config.ClientCAFile) + if err != nil { + return fmt.Errorf("failed to load client ca file: %w", err) + } + if clientCA != nil { + if tlsConfig.ClientCAs == nil { + tlsConfig.ClientCAs = x509.NewCertPool() + } + if !tlsConfig.ClientCAs.AppendCertsFromPEM(clientCA) { + return fmt.Errorf("failed to append client ca to tls.Config") + } + } + + creds = 
grpc.Creds(credentials.NewTLS(tlsConfig)) s.Logger.Info(fmt.Sprintf("%s service gRPC server listening at %s with TLS cert %s and key %s", s.Name, s.Address, s.Config.CertFile, s.Config.KeyFile)) - s.server = grpc.NewServer( - grpc.Creds(creds), - grpc.UnaryInterceptor(otelgrpc.UnaryServerInterceptor()), - ) default: s.Logger.Info(fmt.Sprintf("%s service gRPC server listening at %s without TLS", s.Name, s.Address)) - s.server = grpc.NewServer( - grpc.UnaryInterceptor(otelgrpc.UnaryServerInterceptor()), - ) + } + grpcServerOptions = append(grpcServerOptions, creds) + + s.server = grpc.NewServer(grpcServerOptions...) s.registerService(s.server) go func() { @@ -101,3 +150,14 @@ func (s *Server) Stop() error { return nil } + +func loadCertFile(certFile string) ([]byte, error) { + if certFile != "" { + data, err := ioutil.ReadFile(certFile) + if err != nil { + return nil, err + } + return data, nil + } + return nil, nil +} diff --git a/internal/server/server.go b/internal/server/server.go index b49c31ec3cc..29674c7f41e 100644 --- a/internal/server/server.go +++ b/internal/server/server.go @@ -18,10 +18,12 @@ type Server interface { } type Config struct { - Host string `env:"HOST" envDefault:""` - Port string `env:"PORT" envDefault:""` - CertFile string `env:"SERVER_CERT" envDefault:""` - KeyFile string `env:"SERVER_KEY" envDefault:""` + Host string `env:"HOST" envDefault:""` + Port string `env:"PORT" envDefault:""` + CertFile string `env:"SERVER_CERT" envDefault:""` + KeyFile string `env:"SERVER_KEY" envDefault:""` + ServerCAFile string `env:"SERVER_CA_CERTS" envDefault:""` + ClientCAFile string `env:"CLIENT_CA_CERTS" envDefault:""` } type BaseServer struct {
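Review bot: `tlsConfig.ClientCAs` is seeded with `x509.SystemCertPool()` and `ClientAuth` is set to `tls.RequireAndVerifyClientCert` unconditionally, so this server accepts any client certificate that chains to a public CA in the host trust store, not only certificates issued by the CA in `ClientCAFile`; the client CA pool should contain the dedicated CA alone. Conversely, a deployment that sets only `SERVER_CERT`/`SERVER_KEY` (plain server TLS, which the replaced `NewServerTLSFromFile` path supported) now rejects every client that presents no certificate, so client-cert verification should be switched on only when `ClientCAFile` is configured. Per crypto/tls, `RootCAs` is what clients use to verify servers and is ignored by a server listener, so loading `ServerCAFile` into it here has no effect on peer authentication, and `MinVersion` is left at the default where I would pin `tls.VersionTLS12`. The body of `Start` continues past the end of the hunk, and the hunk begins on the previous line.

```go
		tlsConfig := &tls.Config{
			MinVersion:   tls.VersionTLS12,
			Certificates: []tls.Certificate{certificate},
			ClientAuth:   tls.NoClientCert,
		}

		// … removed: the SystemCertPool / RootCAs / ServerCAFile block, which does not
		//    affect server-side peer verification and must not feed ClientCAs …

		// Only the dedicated client CA authenticates peers; never the host's public
		// root store, which would admit any publicly issued certificate.
		clientCA, err := loadCertFile(s.Config.ClientCAFile)
		if err != nil {
			return fmt.Errorf("failed to load client ca file: %w", err)
		}
		if clientCA != nil {
			pool := x509.NewCertPool()
			if !pool.AppendCertsFromPEM(clientCA) {
				return fmt.Errorf("failed to append client ca to tls.Config")
			}
			tlsConfig.ClientCAs = pool
			tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
		}

		creds = grpc.Creds(credentials.NewTLS(tlsConfig))
		// … unchanged: listening log line, default branch, server construction …
```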