From d187ddd206bde77664dd4df7309120257d8099fc Mon Sep 17 00:00:00 2001 From: Joshua Foster Date: Mon, 4 Nov 2024 23:25:34 -0500 Subject: [PATCH] initial POC for grpc tls --- nodebuilder/core/config.go | 7 ++++--- nodebuilder/core/flags.go | 17 ++++++++++++--- nodebuilder/state/core.go | 3 +-- state/core_access.go | 43 +++++++++++++++++++------------------- state/core_access_test.go | 2 +- state/integration_test.go | 2 +- 6 files changed, 43 insertions(+), 31 deletions(-) diff --git a/nodebuilder/core/config.go b/nodebuilder/core/config.go index b82be1d809..038239a68c 100644 --- a/nodebuilder/core/config.go +++ b/nodebuilder/core/config.go @@ -16,9 +16,10 @@ var MetricsEnabled bool // Config combines all configuration fields for managing the relationship with a Core node. type Config struct { - IP string - RPCPort string - GRPCPort string + IP string + RPCPort string + GRPCPort string + EnableTLS bool } // DefaultConfig returns default configuration for managing the diff --git a/nodebuilder/core/flags.go b/nodebuilder/core/flags.go index 127ee5ee60..ec693e1465 100644 --- a/nodebuilder/core/flags.go +++ b/nodebuilder/core/flags.go @@ -8,9 +8,10 @@ import ( ) var ( - coreFlag = "core.ip" - coreRPCFlag = "core.rpc.port" - coreGRPCFlag = "core.grpc.port" + coreFlag = "core.ip" + coreRPCFlag = "core.rpc.port" + coreGRPCFlag = "core.grpc.port" + coreEnableTLSFlag = "core.grpc.tls" ) // Flags gives a set of hardcoded Core flags. @@ -34,6 +35,11 @@ func Flags() *flag.FlagSet { DefaultGRPCPort, "Set a custom gRPC port for the core node connection. The --core.ip flag must also be provided.", ) + flags.Bool( + coreEnableTLSFlag, + false, + "Enables grpc TLS. The --core.ip flag must also be provided.", + ) return flags } @@ -60,6 +66,11 @@ func ParseFlags( cfg.GRPCPort = grpc } + if cmd.Flag(coreEnableTLSFlag).Changed { + enabled := cmd.Flag(coreEnableTLSFlag).Value.String() == "true" + cfg.EnableTLS = enabled + } + cfg.IP = coreIP return cfg.Validate() } diff --git a/nodebuilder/state/core.go b/nodebuilder/state/core.go index 39ab732368..d2febebdc5 100644 --- a/nodebuilder/state/core.go +++ b/nodebuilder/state/core.go @@ -30,8 +30,7 @@ func coreAccessor( *modfraud.ServiceBreaker[*state.CoreAccessor, *header.ExtendedHeader], error, ) { - ca, err := state.NewCoreAccessor(keyring, string(keyname), sync, corecfg.IP, corecfg.GRPCPort, - network.String(), opts...) + ca, err := state.NewCoreAccessor(keyring, string(keyname), sync, corecfg.IP, corecfg.GRPCPort, corecfg.EnableTLS, network.String(), opts...) sBreaker := &modfraud.ServiceBreaker[*state.CoreAccessor, *header.ExtendedHeader]{ Service: ca, diff --git a/state/core_access.go b/state/core_access.go index a363577b1c..af0798b0bc 100644 --- a/state/core_access.go +++ b/state/core_access.go @@ -2,11 +2,18 @@ package state import ( "context" + "crypto/tls" "errors" "fmt" "sync" "time" + "github.com/celestiaorg/celestia-app/v3/app" + "github.com/celestiaorg/celestia-app/v3/app/encoding" + apperrors "github.com/celestiaorg/celestia-app/v3/app/errors" + "github.com/celestiaorg/celestia-app/v3/pkg/user" + libhead "github.com/celestiaorg/go-header" + libshare "github.com/celestiaorg/go-square/v2/share" nodeservice "github.com/cosmos/cosmos-sdk/client/grpc/node" "github.com/cosmos/cosmos-sdk/client/grpc/tmservice" "github.com/cosmos/cosmos-sdk/crypto/keyring" @@ -20,15 +27,9 @@ import ( "github.com/tendermint/tendermint/proto/tendermint/crypto" "google.golang.org/grpc" "google.golang.org/grpc/connectivity" + "google.golang.org/grpc/credentials" "google.golang.org/grpc/credentials/insecure" - "github.com/celestiaorg/celestia-app/v3/app" - "github.com/celestiaorg/celestia-app/v3/app/encoding" - apperrors "github.com/celestiaorg/celestia-app/v3/app/errors" - "github.com/celestiaorg/celestia-app/v3/pkg/user" - libhead "github.com/celestiaorg/go-header" - libshare "github.com/celestiaorg/go-square/v2/share" - "github.com/celestiaorg/celestia-node/header" ) @@ -67,10 +68,11 @@ type CoreAccessor struct { prt *merkle.ProofRuntime - coreConn *grpc.ClientConn - coreIP string - grpcPort string - network string + coreConn *grpc.ClientConn + coreIP string + grpcPort string + enableTLS bool + network string // these fields are mutatable and thus need to be protected by a mutex lock sync.Mutex @@ -86,15 +88,7 @@ type CoreAccessor struct { // NewCoreAccessor dials the given celestia-core endpoint and // constructs and returns a new CoreAccessor (state service) with the active // connection. -func NewCoreAccessor( - keyring keyring.Keyring, - keyname string, - getter libhead.Head[*header.ExtendedHeader], - coreIP, - grpcPort string, - network string, - options ...Option, -) (*CoreAccessor, error) { +func NewCoreAccessor(keyring keyring.Keyring, keyname string, getter libhead.Head[*header.ExtendedHeader], coreIP, grpcPort string, enableTLS bool, network string, options ...Option) (*CoreAccessor, error) { // create verifier prt := merkle.DefaultProofRuntime() prt.RegisterOpDecoder(storetypes.ProofOpIAVLCommitment, storetypes.CommitmentOpDecoder) @@ -106,6 +100,7 @@ func NewCoreAccessor( getter: getter, coreIP: coreIP, grpcPort: grpcPort, + enableTLS: enableTLS, prt: prt, network: network, } @@ -124,9 +119,15 @@ func (ca *CoreAccessor) Start(ctx context.Context) error { // dial given celestia-core endpoint endpoint := fmt.Sprintf("%s:%s", ca.coreIP, ca.grpcPort) + grpcOpts := make([]grpc.DialOption, 0) + if ca.enableTLS { + grpcOpts = append(grpcOpts, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))) + } else { + grpcOpts = append(grpcOpts, grpc.WithTransportCredentials(insecure.NewCredentials())) + } client, err := grpc.NewClient( endpoint, - grpc.WithTransportCredentials(insecure.NewCredentials()), + grpcOpts..., ) if err != nil { return err diff --git a/state/core_access_test.go b/state/core_access_test.go index c487944749..1a456c402d 100644 --- a/state/core_access_test.go +++ b/state/core_access_test.go @@ -264,7 +264,7 @@ func buildAccessor(t *testing.T) (*CoreAccessor, []string) { WithAppCreator(appCreator) // needed until https://github.com/celestiaorg/celestia-app/pull/3680 merges cctx, _, grpcAddr := testnode.NewNetwork(t, config) - ca, err := NewCoreAccessor(cctx.Keyring, accounts[0].Name, nil, "127.0.0.1", extractPort(grpcAddr), chainID) + ca, err := NewCoreAccessor(cctx.Keyring, accounts[0].Name, nil, "127.0.0.1", extractPort(grpcAddr), false, chainID) require.NoError(t, err) return ca, getNames(accounts) } diff --git a/state/integration_test.go b/state/integration_test.go index 8680b4d181..620b7e8987 100644 --- a/state/integration_test.go +++ b/state/integration_test.go @@ -52,7 +52,7 @@ func (s *IntegrationTestSuite) SetupSuite() { s.Require().Greater(len(s.accounts), 0) accountName := s.accounts[0].Name - accessor, err := NewCoreAccessor(s.cctx.Keyring, accountName, localHeader{s.cctx.Client}, "", "", "") + accessor, err := NewCoreAccessor(s.cctx.Keyring, accountName, localHeader{s.cctx.Client}, "", "", false, "") require.NoError(s.T(), err) setClients(accessor, s.cctx.GRPCClient) s.accessor = accessor