✨ Adding optional TLS auth for provider communication

Signed-off-by: Shawn Hurley <[email protected]>
shawn-hurley · May 14, 2024 · 8272cc3 · 8272cc3
1 parent 005a232
commit 8272cc3
Show file tree

Hide file tree

Showing 9 changed files with 104 additions and 23 deletions.
diff --git a/external-providers/dotnet-external-provider/main.go b/external-providers/dotnet-external-provider/main.go
@@ -13,8 +13,10 @@ import (
 )
 
 var (
-	port = flag.Int("port", 0, "Port must be set")
+	port     = flag.Int("port", 0, "Port must be set")
 	logLevel = flag.Int("log-level", 5, "Level to log")
+	certFile = flag.String("certFile", "", "Path to the cert file")
+	keyFile  = flag.String("keyFile", "", "Path to the key file")
 )
 
 func main() {
@@ -36,7 +38,18 @@ func main() {
 		panic(1)
 	}
 
-	s := provider.NewServer(client, *port, log)
+	var c string
+	var k string
+
+	if certFile != nil {
+		c = *certFile
+	}
+
+	if keyFile != nil {
+		k = *keyFile
+	}
+
+	s := provider.NewServer(client, *port, c, k, log)
 	ctx := context.TODO()
 	s.Start(ctx)
 }
diff --git a/external-providers/generic-external-provider/main.go b/external-providers/generic-external-provider/main.go
@@ -15,6 +15,8 @@ import (
 var (
 	port          = flag.Int("port", 0, "Port must be set")
 	lspServerName = flag.String("name", "", "lsp server name")
+	certFile      = flag.String("certFile", "", "Path to the cert file")
+	keyFile       = flag.String("keyFile", "", "Path to the key file")
 )
 
 func main() {
@@ -53,7 +55,18 @@ func main() {
 		panic(fmt.Errorf("must pass in the port for the external provider"))
 	}
 
-	s := provider.NewServer(client, *port, log)
+	var c string
+	var k string
+
+	if certFile != nil {
+		c = *certFile
+	}
+
+	if keyFile != nil {
+		k = *keyFile
+	}
+
+	s := provider.NewServer(client, *port, c, k, log)
 	ctx := context.TODO()
 	s.Start(ctx)
 }
diff --git a/external-providers/java-external-provider/go.mod b/external-providers/java-external-provider/go.mod
@@ -9,13 +9,13 @@ require (
 	github.com/vifraa/gopom v1.0.0
 	go.lsp.dev/uri v0.3.0
 	go.opentelemetry.io/otel v1.11.2
-	google.golang.org/grpc v1.62.1
+	google.golang.org/grpc v1.62.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0
 )
 
 require github.com/sirupsen/logrus v1.9.0
 
-require google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17 // indirect
+require google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 // indirect
 
 require (
 	github.com/PaesslerAG/gval v1.2.2 // indirect
@@ -36,3 +36,5 @@ require (
 	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/protobuf v1.33.1-0.20240408130810-98873a205002 // indirect
 )
+
+replace github.com/konveyor/analyzer-lsp => ../../
diff --git a/external-providers/java-external-provider/go.sum b/external-providers/java-external-provider/go.sum
@@ -23,8 +23,6 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
 github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/iancoleman/orderedmap v0.3.0 h1:5cbR2grmZR/DiVt+VJopEhtVs9YGInGIxAoMJn+Ichc=
-github.com/konveyor/analyzer-lsp v0.4.0-alpha.1 h1:3KGNfZtQ11Xm+evZ1GegoQMEwCAMhiggB23HqhNw0Uo=
-github.com/konveyor/analyzer-lsp v0.4.0-alpha.1/go.mod h1:Cxdhi1mAoz+rjUQmBiRjRyBy1oADavx4BbAZ9BkSwjk=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
@@ -70,10 +68,10 @@ golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17 h1:Jyp0Hsi0bmHXG6k9eATXoYtjd6e2UzZ1SCn/wIupY14=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:oQ5rr10WTTMvP4A36n8JpR1OrO1BEiV4f78CneXZxkA=
-google.golang.org/grpc v1.61.0 h1:TOvOcuXn30kRao+gfcvsebNEa5iZIiLkisYEkf7R7o0=
-google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 h1:AjyfHzEPEFp/NpvfN5g+KDla3EMojjhRVZc1i7cj+oM=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80/go.mod h1:PAREbraiVEVGVdTZsVWjSbbTtSyGbAgIIvni8a8CD5s=
+google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk=
+google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
 google.golang.org/protobuf v1.33.1-0.20240408130810-98873a205002 h1:V7Da7qt0MkY3noVANIMVBk28nOnijADeOR3i5Hcvpj4=
 google.golang.org/protobuf v1.33.1-0.20240408130810-98873a205002/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

diff --git a/external-providers/java-external-provider/main.go b/external-providers/java-external-provider/main.go
@@ -15,8 +15,10 @@ import (
 var (
 	port          = flag.Int("port", 0, "Port must be set")
 	logLevel      = flag.Int("log-level", 5, "Level to log")
-	lspServerName = flag.String("name", "java", "Level to log")
+	lspServerName = flag.String("name", "java", "name of the lsp to be used in rules")
 	contextLines  = flag.Int("contxtLines", 10, "lines of context for the code snippet")
+	certFile      = flag.String("certFile", "", "Path to the cert file")
+	keyFile       = flag.String("keyFile", "", "Path to the key file")
 )
 
 func main() {
@@ -38,8 +40,18 @@ func main() {
 		log.Error(fmt.Errorf("port unspecified"), "port number must be specified")
 		panic(1)
 	}
+	var c string
+	var k string
 
-	s := provider.NewServer(client, *port, log)
+	if certFile != nil {
+		c = *certFile
+	}
+
+	if keyFile != nil {
+		k = *keyFile
+	}
+
+	s := provider.NewServer(client, *port, c, k, log)
 	ctx := context.TODO()
 	s.Start(ctx)
 }
diff --git a/external-providers/yq-external-provider/main.go b/external-providers/yq-external-provider/main.go
@@ -13,8 +13,10 @@ import (
 )
 
 var (
-	port = flag.Int("port", 0, "Port must be set")
-	name = flag.String("name", "yaml", "Port must be set")
+	port     = flag.Int("port", 0, "Port must be set")
+	name     = flag.String("name", "yaml", "Port must be set")
+	certFile = flag.String("certFile", "", "Path to the cert file")
+	keyFile  = flag.String("keyFile", "", "Path to the key file")
 )
 
 func main() {
@@ -32,8 +34,18 @@ func main() {
 	if port == nil || *port == 0 {
 		panic(fmt.Errorf("must pass in the port for the external provider"))
 	}
+	var c string
+	var k string
 
-	s := provider.NewServer(client, *port, log)
+	if certFile != nil {
+		c = *certFile
+	}
+
+	if keyFile != nil {
+		k = *keyFile
+	}
+
+	s := provider.NewServer(client, *port, c, k, log)
 	ctx := context.TODO()
 	s.Start(ctx)
 }
diff --git a/provider/grpc/provider.go b/provider/grpc/provider.go
@@ -16,6 +16,7 @@ import (
 	"github.com/phayes/freeport"
 	"go.lsp.dev/uri"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/protobuf/types/known/emptypb"
 	"google.golang.org/protobuf/types/known/structpb"
@@ -263,12 +264,24 @@ func start(ctx context.Context, config provider.Config) (*grpc.ClientConn, io.Re
 		return conn, out, nil
 	}
 	if config.Address != "" {
-		conn, err := grpc.Dial(fmt.Sprintf(config.Address), grpc.WithTransportCredentials(insecure.NewCredentials()))
-		if err != nil {
-			log.Fatalf("did not connect: %v", err)
+		if config.CertPath == "" {
+			conn, err := grpc.Dial(fmt.Sprintf(config.Address), grpc.WithTransportCredentials(insecure.NewCredentials()))
+			if err != nil {
+				log.Fatalf("did not connect: %v", err)
+			}
+			return conn, nil, nil
+		} else {
+			creds, err := credentials.NewClientTLSFromFile(config.CertPath, "")
+			if err != nil {
+				return nil, nil, err
+			}
+			fmt.Printf("here: %#v", creds)
+			conn, err := grpc.Dial(fmt.Sprintf(config.Address), grpc.WithTransportCredentials(creds))
+			if err != nil {
+				log.Fatalf("did not connect: %v", err)
+			}
+			return conn, nil, nil
 		}
-		return conn, nil, nil
-
 	}
 	return nil, nil, fmt.Errorf("must set Address or Binary Path for a GRPC provider")
 }

diff --git a/provider/provider.go b/provider/provider.go
@@ -84,6 +84,8 @@ type Config struct {
 	Name         string       `yaml:"name,omitempty" json:"name,omitempty"`
 	BinaryPath   string       `yaml:"binaryPath,omitempty" json:"binaryPath,omitempty"`
 	Address      string       `yaml:"address,omitempty" json:"address,omitempty"`
+	CertPath     string       `yaml:"certPath,omitempty" json:"certPath,omitempty"`
+	KeyPath      string       `yaml:"keyPath,omitempty" json:"keyPath,omitempty"`
 	Proxy        *Proxy       `yaml:"proxyConfig,omitempty" json:"proxyConfig,omitempty"`
 	InitConfig   []InitConfig `yaml:"initConfig,omitempty" json:"initConfig,omitempty"`
 	ContextLines int

diff --git a/provider/server.go b/provider/server.go
@@ -15,6 +15,7 @@ import (
 	libgrpc "github.com/konveyor/analyzer-lsp/provider/internal/grpc"
 	"go.lsp.dev/uri"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/reflection"
 	"google.golang.org/protobuf/types/known/emptypb"
 	"google.golang.org/protobuf/types/known/structpb"
@@ -31,6 +32,8 @@ type server struct {
 	DepLocationResolver DependencyLocationResolver
 	Log                 logr.Logger
 	Port                int
+	CertPath            string
+	KeyPath             string
 
 	mutex   sync.RWMutex
 	clients map[int64]clientMapItem
@@ -47,7 +50,7 @@ type clientMapItem struct {
 
 // Provider GRPC Service
 // TOOD: HANDLE INIT CONFIG CHANGES
-func NewServer(client BaseClient, port int, logger logr.Logger) Server {
+func NewServer(client BaseClient, port int, certPath string, keyPath string, logger logr.Logger) Server {
 	s := rand.NewSource(time.Now().Unix())
 
 	var depLocationResolver DependencyLocationResolver
@@ -67,6 +70,8 @@ func NewServer(client BaseClient, port int, logger logr.Logger) Server {
 		Client:                             client,
 		Port:                               port,
 		Log:                                logger,
+		CertPath:                           certPath,
+		KeyPath:                            keyPath,
 		UnimplementedProviderServiceServer: libgrpc.UnimplementedProviderServiceServer{},
 		mutex:                              sync.RWMutex{},
 		clients:                            make(map[int64]clientMapItem),
@@ -82,7 +87,18 @@ func (s *server) Start(ctx context.Context) error {
 		s.Log.Error(err, "failed to listen")
 		return err
 	}
-	gs := grpc.NewServer()
+	var gs *grpc.Server
+	if s.CertPath != "" && s.KeyPath != "" {
+		creds, err := credentials.NewServerTLSFromFile(s.CertPath, s.KeyPath)
+		if err != nil {
+			return err
+		}
+		gs = grpc.NewServer(grpc.Creds(creds))
+	} else if s.CertPath == "" && s.KeyPath == "" {
+		gs = grpc.NewServer()
+	} else {
+		return fmt.Errorf("cert: %v, and key: %v are invalid", s.CertPath, s.KeyPath)
+	}
 	if s.DepLocationResolver != nil {
 		libgrpc.RegisterProviderDependencyLocationServiceServer(gs, s)
 	}