cta-dcache: add possibility to use gRPC over TLS

the new conf options to cta.conf file is added: gRPC TlsCert /path/to/cert.pem gRPC TlsKey /path/to/key.pem gRPC TlsChain /path/to/chain.pem

cta-dcache: add possibility to use gRPC over TLS
the new conf options to cta.conf file is added: gRPC TlsCert /path/to/cert.pem gRPC TlsKey /path/to/key.pem gRPC TlsChain /path/to/chain.pem
cae1e70b · Tigran Mkrtchyan · 212556fd · cae1e70b · cae1e70b · cae1e70b
Commit cae1e70b authored Mar 28, 2022 by Tigran Mkrtchyan ☕
--- a/FrontendGRpcSvc.h
+++ b/FrontendGRpcSvc.h
@@ -3,6 +3,7 @@

 #include "version.h"
 #include <grpcpp/grpcpp.h>
+#include <grpcpp/security/server_credentials.h>

 #include <scheduler/Scheduler.hpp>
 #include "common/log/Logger.hpp"

--- a/Main.cpp
+++ b/Main.cpp
@@ -40,7 +40,8 @@ std::string help =
        "\t--port <port>, -p <port>:\tTCP port number to use, defaults to 17017\n"
        "\t--log-header, -n         \tadd hostname and timestamp to log outputs, default\n"
        "\t--no-log-header, -s      \tdon't add hostname and timestamp to log outputs\n"
-        "\t--version, -v            \tprint version and exit.\n"
+        "\t--tls, -t                \tenable Transport Layer Security (TLS)\n"
+        "\t--version, -v            \tprint version and exit\n"
        "\t--help, -h               \tprint this help and exit\n";

 static struct option long_options[] =
@@ -49,7 +50,8 @@ static struct option long_options[] =
                {"log-header", no_argument, 0, 'n'},
                {"no-log-header", no_argument, 0, 's'},
                {"help", no_argument, 0, 'h'},
-                { "version", no_argument, 0, 'v'},
+                {"version", no_argument, 0, 'v'},
+                {"tls", no_argument, 0, 't'},
                {0, 0, 0, 0}
        };

@@ -63,6 +65,13 @@ void printVersionAndExit() {
    exit(0);
 }

+std::string file2string(std::string filename){
+    std::ifstream as_stream(filename);
+    std::ostringstream as_string;
+    as_string << as_stream.rdbuf();
+    return as_string.str();
+}
+
 int main(const int argc, char *const *const argv) {

    std::string port = "17017";
@@ -71,6 +80,7 @@ int main(const int argc, char *const *const argv) {
    bool shortHeader = false;
    int option_index = 0;
    const std::string shortHostName = utils::getShortHostname();
+    bool useTLS = false;

    while( (c = getopt_long(argc, argv, "p:nshv", long_options, &option_index)) != EOF) {

@@ -90,6 +100,9 @@ int main(const int argc, char *const *const argv) {
            case 'v':
                printVersionAndExit();
                break;
+            case 't':
+                useTLS = true;
+                break;
            default:
                printHelpAndExit(1);
        }
@@ -137,8 +150,25 @@ int main(const int argc, char *const *const argv) {
    // start gRPC service

    ServerBuilder builder;
+
+    std::shared_ptr<grpc::ServerCredentials> creds;
+
+    if (useTLS) {
+        grpc::SslServerCredentialsOptions tls_options;
+        grpc::SslServerCredentialsOptions::PemKeyCertPair cert;
+
+        cert.private_key = file2string(config.getConfEntString("gRPC", "TlsKey"));
+        cert.cert_chain = file2string(config.getConfEntString("gRPC", "TlsCert"));
+        tls_options.pem_root_certs = file2string(config.getConfEntString("gRPC", "TlsChain"));
+        tls_options.pem_key_cert_pairs.emplace_back(std::move(cert));
+
+        creds = grpc::SslServerCredentials(tls_options);
+    } else {
+        creds = grpc::InsecureServerCredentials();
+    }
+
    // Listen on the given address without any authentication mechanism.
-    builder.AddListeningPort(server_address, grpc::InsecureServerCredentials());
+    builder.AddListeningPort(server_address, creds);

    // Register "service" as the instance through which we'll communicate with
    // clients. In this case it corresponds to an *synchronous* service.

--- a/cta-dcache.1cta
+++ b/cta-dcache.1cta
@@ -38,6 +38,11 @@ Include timestamp and host name into the log messages.
 \fB\-s, \-\-no\-log\-header
 Don't include timestamp and host name into the log messages, default behaviour.
 .TP
+\fB\-t, \-\-tls
+Enable TLS for communication. The paths to the TLS certificate, key and root-ca chan files in PEM
+format should be specified by '\fBgRPC TlsCert\fP', '\fBgRPC TlsKey\fP' and '\fBgRPC TlsChain\fP'
+in the cta.conf configuration file.
+.TP
 \fB\-v, \-\-version
 Print the version number and exit.


--- a/cta-dcache.service
+++ b/cta-dcache.service
@@ -4,7 +4,7 @@ After=syslog.target network-online.target

 [Service]
 EnvironmentFile=/etc/sysconfig/cta-dcache
-ExecStart=/usr/bin/cta-dcache --no-log-header --port ${GRPC_PORT}
+ExecStart=/usr/bin/cta-dcache --no-log-header ${GRPC_USE_TLS} --port ${GRPC_PORT}
 Type=simple
 Restart=always
 User=cta

--- a/cta-dcache.sysconfig
+++ b/cta-dcache.sysconfig
@@ -3,4 +3,7 @@
 #

 # port number to accept TCP connections
-GRPC_PORT=17017
\ No newline at end of file
+GRPC_PORT=17017
+
+# change to '--tls' to enable
+GRPC_USE_TLS=""
\ No newline at end of file