
     1  package security
     2  
     3  import (
     4  	"context"
     5  	"crypto/tls"
     6  	"errors"
     7  	"math"
     8  
     9  	"github.com/jpmorganchase/quorum-security-plugin-sdk-go/proto"
    10  )
    11  
var (
	// defaultCipherSuites is the cipher suite list applied by transform when
	// the plugin supplies none of its own. Every entry is an AES-256 ECDHE
	// suite; the two *_CBC_SHA entries are not AEAD suites and are presumably
	// kept for clients without GCM support — confirm before treating this
	// list as the hardened baseline.
	// harden the cipher strength by only using ciphers >=256bits
	defaultCipherSuites = []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	}
)
    21  
// TLSConfigurationSourcePluginGateway bridges a TLSConfigurationSource plugin
// client and the tls.Config consumed by the JSON RPC servers (see Get).
type TLSConfigurationSourcePluginGateway struct {
	// client is the plugin-side gRPC client; no constructor is visible in this
	// file, so how it is populated must be checked at the call site.
	client proto.TLSConfigurationSourceClient
}
    25  
// Get requests the TLS configuration from the plugin and converts it into a
// tls.Config via transform. A nil config together with a nil error means the
// plugin returned no TLS data; an error from the plugin call or from parsing
// the returned data is passed through unchanged.
func (c *TLSConfigurationSourcePluginGateway) Get(ctx context.Context) (*tls.Config, error) {
	var req proto.TLSConfiguration_Request
	resp, err := c.client.Get(ctx, &req)
	if err != nil {
		return nil, err
	}
	data := resp.GetData()
	if resp == nil || data == nil {
		// plugin has no tls config for us
		return nil, nil
	}
	return transform(data)
}
    36  
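// transform converts the raw configuration received from the plugin into the
// `tls.Config` object used to configure TLS for the JSON RPC servers.
// The customized tls.Config follows: https://blog.bracebin.com/achieving-perfect-ssl-labs-score-with-go
//
// The result pins TLS 1.2 as the minimum version and a fixed curve preference
// list. Cipher suites are taken from the plugin when it supplies any (each ID
// must fit in uint16), otherwise defaultCipherSuites is used. It returns an
// error when a plugin-supplied suite ID overflows uint16 or when the
// certificate/key PEM pair cannot be parsed.
func transform(tlsData *proto.TLSConfiguration_Data) (*tls.Config, error) {
	tlsConfig := &tls.Config{
		// prioritize curve preferences from crypto/tls/common.go#defaultCurvePreferences
		CurvePreferences: []tls.CurveID{
			tls.CurveP521,
			tls.CurveP384,
			tls.CurveP256,
			tls.X25519,
		},
		// Support only TLS1.2 & Above
		MinVersion: tls.VersionTLS12,
	}

	// Prefer the plugin's list; fall back to the package default only when the
	// plugin sent nothing (allocate the converted slice only in the former case).
	// Only the width of each ID is checked: the IDs are not compared against
	// tls.CipherSuites() / tls.InsecureCipherSuites(), so the plugin is trusted
	// to choose a sensible set, and crypto/tls skips IDs it does not implement.
	cipherSuites := defaultCipherSuites
	if received := tlsData.GetCipherSuites(); len(received) > 0 {
		cipherSuites = make([]uint16, len(received))
		for i, cs := range received {
			if cs > math.MaxUint16 {
				return nil, errors.New("cipher suite value overflow")
			}
			cipherSuites[i] = uint16(cs)
		}
	}
	tlsConfig.CipherSuites = cipherSuites
	// Honoured by older toolchains only; crypto/tls ignores this field from
	// Go 1.17 on and always applies server-side preference.
	tlsConfig.PreferServerCipherSuites = true

	cer, err := tls.X509KeyPair(tlsData.GetCertPem(), tlsData.GetKeyPem())
	if err != nil {
		return nil, err
	}
	tlsConfig.Certificates = []tls.Certificate{cer}

	return tlsConfig, nil
}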
    75  
// AuthenticationManagerPluginGateway forwards token authentication to an
// AuthenticationManager plugin client (see Authenticate and IsEnabled).
type AuthenticationManagerPluginGateway struct {
	// client is the plugin-side gRPC client; no constructor is visible in this
	// file, so how it is populated must be checked at the call site.
	client proto.AuthenticationManagerClient
}
    79  
// Authenticate hands the raw token to the plugin and returns the plugin's
// verdict unchanged. No inspection or validation of the token happens on
// this side; the plugin is the sole authority.
func (a *AuthenticationManagerPluginGateway) Authenticate(ctx context.Context, token string) (*proto.PreAuthenticatedAuthenticationToken, error) {
	req := &proto.AuthenticationToken{RawToken: []byte(token)}
	return a.client.Authenticate(ctx, req)
}
    85  
// IsEnabled reports the authentication manager as always enabled. The plugin
// is not consulted and ctx is unused; the error result is always nil.
func (a *AuthenticationManagerPluginGateway) IsEnabled(ctx context.Context) (bool, error) {
	const alwaysEnabled = true
	return alwaysEnabled, nil
}