envoy: Initial changes

2025-08-02 08:19:23 +02:00 · 2020-05-18 16:34:31 -04:00 · 2020-05-18 16:34:31 -04:00 · 99e788a9b4
commit 99e788a9b4
parent 8f78497e99
107 changed files with 2542 additions and 3322 deletions
--- a/internal/grpc/server.go
+++ b/internal/grpc/server.go
@ -2,7 +2,6 @@ package grpc

 import (
 	"crypto/tls"
-	"errors"
 	"net"
 	"os"
 	"os/signal"
@ -34,21 +33,17 @@ func NewServer(opt *ServerOptions, registrationFn func(s *grpc.Server), wg *sync
 		grpc.KeepaliveParams(opt.KeepaliveParams),
 	}

-	if len(opt.TLSCertificate) == 1 {
-		cert := credentials.NewServerTLSFromCert(&opt.TLSCertificate[0])
+	if opt.TLSCertificate != nil {
+		log.Debug().Str("addr", opt.Addr).Msg("internal/grpc: serving over TLS")
+		cert := credentials.NewServerTLSFromCert(opt.TLSCertificate)
 		grpcOpts = append(grpcOpts, grpc.Creds(cert))
-	} else if !opt.InsecureServer {
-		return nil, errors.New("internal/grpc: unexpected number of certificates")
+	} else {
+		log.Warn().Str("addr", opt.Addr).Msg("internal/grpc: serving without TLS")
 	}

 	srv := grpc.NewServer(grpcOpts...)
 	registrationFn(srv)
-	log.Info().
-		Str("addr", opt.Addr).
-		Bool("insecure", opt.InsecureServer).
-		Str("service", opt.ServiceName).
-		Interface("grpc-service-info", srv.GetServiceInfo()).
-		Msg("internal/grpc: registered")
+	log.Info().Interface("grpc-service-info", srv.GetServiceInfo()).Msg("internal/grpc: registered")

 	wg.Add(1)
 	go func() {
@ -68,7 +63,7 @@ type ServerOptions struct {
 	Addr string

 	// TLS certificates to use, if any.
-	TLSCertificate []tls.Certificate
+	TLSCertificate *tls.Certificate

 	// InsecureServer when enabled disables all transport security.
 	// In this mode, Pomerium is susceptible to man-in-the-middle attacks.
--- a/internal/grpc/server_test.go
+++ b/internal/grpc/server_test.go
@ -1,7 +1,6 @@
 package grpc

 import (
-	"crypto/tls"
 	"encoding/base64"
 	"os"
 	"os/signal"
@ -33,8 +32,6 @@ BAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBHbhVnGbwXqaMZ1dB8eBAK56jyeWDZ
 -----END CERTIFICATE-----`

 func TestNewServer(t *testing.T) {
-	// to make friendly to testing environments where 443 requires root
-	defaultServerOptions.Addr = ":0"
 	certb64, err := cryptutil.CertifcateFromBase64(
 		base64.StdEncoding.EncodeToString([]byte(pubKey)),
 		base64.StdEncoding.EncodeToString([]byte(privKey)))
@ -50,12 +47,10 @@ func TestNewServer(t *testing.T) {
 		wantNil        bool
 		wantErr        bool
 	}{
-		{"simple", &ServerOptions{Addr: ":0", InsecureServer: true}, func(s *grpc.Server) {}, &sync.WaitGroup{}, false, false},
-		{"simple keepalive options", &ServerOptions{Addr: ":0", InsecureServer: true, KeepaliveParams: keepalive.ServerParameters{MaxConnectionAge: 5 * time.Minute}}, func(s *grpc.Server) {}, &sync.WaitGroup{}, false, false},
+		{"simple", &ServerOptions{Addr: ":0"}, func(s *grpc.Server) {}, &sync.WaitGroup{}, false, false},
+		{"simple keepalive options", &ServerOptions{Addr: ":0", KeepaliveParams: keepalive.ServerParameters{MaxConnectionAge: 5 * time.Minute}}, func(s *grpc.Server) {}, &sync.WaitGroup{}, false, false},
 		{"bad tcp port", &ServerOptions{Addr: ":9999999"}, func(s *grpc.Server) {}, &sync.WaitGroup{}, true, true},
-		{"with cert", &ServerOptions{Addr: ":0", TLSCertificate: []tls.Certificate{*certb64}}, func(s *grpc.Server) {}, &sync.WaitGroup{}, false, false},
-		{"with multiple certs", &ServerOptions{Addr: ":0", TLSCertificate: []tls.Certificate{*certb64, *certb64}}, func(s *grpc.Server) {}, &sync.WaitGroup{}, true, true},
-		{"with no certs or insecure", &ServerOptions{Addr: ":0", TLSCertificate: []tls.Certificate{}}, func(s *grpc.Server) {}, &sync.WaitGroup{}, true, true},
+		{"with certs", &ServerOptions{Addr: ":0", TLSCertificate: certb64}, func(s *grpc.Server) {}, &sync.WaitGroup{}, false, false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {