refactor($auth): 调度器与任务节点支持HTTPS双向认证

2017-09-07 18:01:48 +08:00 · 2017-09-07 18:01:48 +08:00 · 250cbdde7c
parent a966f3aeda
commit 250cbdde7c
10 changed files with 255 additions and 81 deletions
--- a/gocron-node.go
+++ b/gocron-node.go
@ -9,29 +9,62 @@ import (
    "runtime"
    "os"
    "fmt"
+    "strings"
+    "github.com/ouqiang/gocron/modules/rpc/auth"
+    "github.com/ouqiang/gocron/modules/utils"
 )

-const AppVersion = "1.2"
+const AppVersion = "1.2.2"

 func main()  {
 	var serverAddr string
    var allowRoot bool
    var version bool
+    var CAFile string
+    var certFile string
+    var keyFile string
+    var enableTLS bool
    flag.BoolVar(&allowRoot, "allow-root", false, "./gocron-node -allow-root")
    flag.StringVar(&serverAddr, "s", "0.0.0.0:5921", "./gocron-node -s ip:port")
    flag.BoolVar(&version, "v", false, "./gocron-node -v")
+    flag.BoolVar(&enableTLS, "enable-tls", false, "./gocron-node -enable-tls")
+    flag.StringVar(&CAFile, "ca-file", "", "./gocron-node -ca-file path")
+    flag.StringVar(&certFile, "cert-file", "", "./gocron-node -cert-file path")
+    flag.StringVar(&keyFile, "key-file", "", "./gocron-node -key-file path")
    flag.Parse()

    if version {
        fmt.Println(AppVersion)
-        os.Exit(0)
+        return
    }

+    if (enableTLS) {
+        if !utils.FileExist(CAFile) {
+            fmt.Printf("failed to read ca cert file: %s", CAFile)
+            return
+        }
+        if !utils.FileExist(certFile) {
+            fmt.Printf("failed to read server cert file: %s", certFile)
+            return
+        }
+        if !utils.FileExist(keyFile) {
+            fmt.Printf("failed to read server key file: %s", keyFile)
+            return
+        }
+    }
+
+    certificate := auth.Certificate{
+        CAFile: strings.TrimSpace(CAFile),
+        CertFile: strings.TrimSpace(certFile),
+        KeyFile: strings.TrimSpace(keyFile),
+    }
+
+
    if runtime.GOOS != "windows" && os.Getuid() == 0 && !allowRoot   {
        fmt.Println("Do not run gocron-node as root user")
-        os.Exit(1)
+        return
    }


-	server.Start(serverAddr)
+	server.Start(serverAddr, enableTLS, certificate)
 }
--- a/gocron.go
+++ b/gocron.go
@ -10,7 +10,7 @@ import (
    "github.com/ouqiang/gocron/cmd"
 )

-const AppVersion = "1.1"
+const AppVersion = "1.2.2"

 func main() {
    app := cli.NewApp()
--- a/models/model.go
+++ b/models/model.go
@ -9,8 +9,8 @@ import (
    "strings"
    "github.com/ouqiang/gocron/modules/logger"
    "github.com/ouqiang/gocron/modules/app"
-    "strconv"
    "time"
+    "github.com/ouqiang/gocron/modules/setting"
 )

 type Status int8
@ -65,27 +65,18 @@ func (model *BaseModel) pageLimitOffset() int {

 // 创建Db
 func CreateDb() *xorm.Engine {
-    config := getDbConfig()
-    dsn := getDbEngineDSN(config["engine"], config)
-    engine, err := xorm.NewEngine(config["engine"], dsn)
+    dsn := getDbEngineDSN(app.Setting)
+    engine, err := xorm.NewEngine(app.Setting.Db.Engine, dsn)
    if err != nil {
        logger.Fatal("创建xorm引擎失败", err)
    }
-    maxIdleConns, err := strconv.Atoi(config["max_idle_conns"])
-    maxOpenConns, err := strconv.Atoi(config["max_open_conns"])
-    if maxIdleConns <= 0 {
-        maxIdleConns = 30
-    }
-    if maxOpenConns <= 0 {
-        maxOpenConns = 100
-    }
-    engine.SetMaxIdleConns(maxIdleConns)
-    engine.SetMaxOpenConns(maxOpenConns)
+    engine.SetMaxIdleConns(app.Setting.Db.MaxIdleConns)
+    engine.SetMaxOpenConns(app.Setting.Db.MaxOpenConns)

-    if config["prefix"] != "" {
+    if app.Setting.Db.Prefix != "" {
        // 设置表前缀
-        TablePrefix = config["prefix"]
-        mapper := core.NewPrefixMapper(core.SnakeMapper{}, config["prefix"])
+        TablePrefix = app.Setting.Db.Prefix
+        mapper := core.NewPrefixMapper(core.SnakeMapper{}, app.Setting.Db.Prefix)
        engine.SetTableMapper(mapper)
    }
    // 本地环境开启日志
@ -100,48 +91,30 @@ func CreateDb() *xorm.Engine {
 }

 // 创建临时数据库连接
-func CreateTmpDb(config map[string]string) (*xorm.Engine, error)  {
-    dsn := getDbEngineDSN(config["engine"], config)
+func CreateTmpDb(setting *setting.Setting) (*xorm.Engine, error)  {
+    dsn := getDbEngineDSN(setting)

-    return xorm.NewEngine(config["engine"], dsn)
+    return xorm.NewEngine(setting.Db.Engine, dsn)
 }

 // 获取数据库引擎DSN  mysql,sqlite
-func getDbEngineDSN(engine string, config map[string]string) string {
-    engine = strings.ToLower(engine)
+func getDbEngineDSN(setting *setting.Setting) string {
+    engine := strings.ToLower(setting.Db.Engine)
    var dsn string = ""
    switch engine {
    case "mysql":
-        dsn = fmt.Sprintf("%s:%s@tcp(%s:%s)/%s?charset=%s",
-            config["user"],
-            config["password"],
-            config["host"],
-            config["port"],
-            config["database"],
-            config["charset"])
+        dsn = fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?charset=%s",
+            setting.Db.User,
+            setting.Db.Password,
+            setting.Db.Host,
+            setting.Db.Port    ,
+            setting.Db.Database,
+            setting.Db.Charset)
    }

    return dsn
 }

-
-// 获取数据库配置
-func getDbConfig() map[string]string {
-    var db map[string]string = make(map[string]string)
-    db["user"] = app.Setting.Key("db.user").String()
-    db["password"] = app.Setting.Key("db.password").String()
-    db["host"] = app.Setting.Key("db.host").String()
-    db["port"] = app.Setting.Key("db.port").String()
-    db["database"] = app.Setting.Key("db.database").String()
-    db["charset"] = app.Setting.Key("db.charset").String()
-    db["prefix"] = app.Setting.Key("db.prefix").String()
-    db["engine"] = app.Setting.Key("db.engine").String()
-    db["max_idle_conns"] = app.Setting.Key("db.max.idle.conns").String()
-    db["max_open_conns"] = app.Setting.Key("db.max.open.conns").String()
-
-    return db
-}
-
 func keepDbAlived(engine *xorm.Engine)  {
    t := time.Tick(180 * time.Second)
    for {
--- a/modules/app/app.go
+++ b/modules/app/app.go
@ -5,10 +5,10 @@ import (

    "github.com/ouqiang/gocron/modules/logger"
    "github.com/ouqiang/gocron/modules/utils"
-    "gopkg.in/ini.v1"
    "io/ioutil"
    "strconv"
    "strings"
+    "github.com/ouqiang/gocron/modules/setting"
 )

 var (
@ -18,7 +18,7 @@ var (
    DataDir      string // 存放session等
    AppConfig    string // 应用配置文件
    Installed    bool   // 应用是否安装过
-    Setting      *ini.Section // 应用配置
+    Setting      *setting.Setting // 应用配置
    VersionId    int    // 版本号
    VersionFile  string // 版本号文件
 )
--- a/modules/rpc/auth/Certification.go
+++ b/modules/rpc/auth/Certification.go
@ -0,0 +1,71 @@
+package auth
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
+	"errors"
+	"fmt"
+	"google.golang.org/grpc/credentials"
+)
+
+type Certificate struct {
+	CAFile string
+	CertFile string
+	KeyFile string
+	ServerName string
+}
+
+func (c Certificate) GetTLSConfigForServer() (*tls.Config, error) {
+	certificate, err := tls.LoadX509KeyPair(
+		c.CertFile,
+		c.KeyFile,
+	)
+
+	certPool := x509.NewCertPool()
+	bs, err := ioutil.ReadFile(c.CAFile)
+	if err != nil {
+		return nil, errors.New(fmt.Sprintf("failed to read client ca cert: %s", err))
+	}
+
+	ok := certPool.AppendCertsFromPEM(bs)
+	if !ok {
+		return nil, errors.New("failed to append client certs")
+	}
+
+
+	tlsConfig := &tls.Config{
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+		Certificates: []tls.Certificate{certificate},
+		ClientCAs:    certPool,
+	}
+
+
+	return tlsConfig, nil
+}
+
+func (c Certificate) GetTransportCredsForClient() (credentials.TransportCredentials, error) {
+	certificate, err := tls.LoadX509KeyPair(
+		c.CertFile,
+		c.KeyFile,
+	)
+
+	certPool := x509.NewCertPool()
+	bs, err := ioutil.ReadFile(c.CAFile)
+	if err != nil {
+		return nil, errors.New(fmt.Sprintf("failed to read ca cert: %s", err))
+	}
+
+	ok := certPool.AppendCertsFromPEM(bs)
+	if !ok {
+		return nil, errors.New("failed to append certs")
+	}
+
+	transportCreds := credentials.NewTLS(&tls.Config{
+		ServerName:   c.ServerName,
+		Certificates: []tls.Certificate{certificate},
+		RootCAs:      certPool,
+	})
+
+	return transportCreds, nil
+}
--- a/modules/rpc/grpcpool/grpc_pool.go
+++ b/modules/rpc/grpcpool/grpc_pool.go
@ -6,6 +6,9 @@ import (
    "time"
    "google.golang.org/grpc"
    "errors"
+    "github.com/ouqiang/gocron/modules/rpc/auth"
+    "github.com/ouqiang/gocron/modules/app"
+    "strings"
 )


@ -97,7 +100,25 @@ func (p *GRPCPool) newCommonPool(addr string) (error) {
        InitialCap: 1,
        MaxCap: 30,
        Factory: func() (interface{}, error) {
+            if !app.Setting.EnableTLS {
                return grpc.Dial(addr, grpc.WithInsecure())
+            }
+
+            server := strings.Split(addr, ":")
+
+            certificate := auth.Certificate{
+                CAFile: app.Setting.CAFile,
+                CertFile: app.Setting.CertFile,
+                KeyFile: app.Setting.KeyFile,
+                ServerName: server[0],
+            }
+
+            transportCreds, err := certificate.GetTransportCredsForClient()
+            if err != nil {
+                return nil, err
+            }
+
+            return grpc.Dial(addr, grpc.WithTransportCredentials(transportCreds))
        },
        Close: func(v interface{}) error {
            conn, ok := v.(*grpc.ClientConn)
--- a/modules/rpc/server/server.go
+++ b/modules/rpc/server/server.go
@ -7,6 +7,8 @@ import (
    "google.golang.org/grpc"
    pb "github.com/ouqiang/gocron/modules/rpc/proto"
    "github.com/ouqiang/gocron/modules/utils"
+    "github.com/ouqiang/gocron/modules/rpc/auth"
+    "google.golang.org/grpc/credentials"
 )

 type Server struct {}
@ -29,22 +31,35 @@ func (s Server) Run(ctx context.Context, req *pb.TaskRequest) (*pb.TaskResponse,
    return resp, nil
 }

-func Start(addr string)  {
+func Start(addr string, enableTLS bool, certificate auth.Certificate)  {
    defer func() {
       if err := recover(); err != nil {
           grpclog.Println("panic", err)
       }
    } ()
+
    l, err := net.Listen("tcp", addr)
    if err != nil {
        grpclog.Fatal(err)
    }
-    s := grpc.NewServer()
-    pb.RegisterTaskServer(s, Server{})
-    grpclog.Println("listen ", addr)
-    err = s.Serve(l)
+
+    var s *grpc.Server
+    if enableTLS {
+        tlsConfig, err := certificate.GetTLSConfigForServer()
        if err != nil {
            grpclog.Fatal(err)
        }
+        opt := grpc.Creds(credentials.NewTLS(tlsConfig))
+        s = grpc.NewServer(opt)
+        pb.RegisterTaskServer(s, Server{})
+        grpclog.Printf("listen %s with TLS", addr)
+    } else {
+        s = grpc.NewServer()
+        pb.RegisterTaskServer(s, Server{})
+        grpclog.Printf("listen %s", addr)
+    }
+
+    err = s.Serve(l)
+    grpclog.Fatal(err)
 }

--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@ -3,19 +3,84 @@ package setting
 import (
    "errors"
    "gopkg.in/ini.v1"
+    "github.com/ouqiang/gocron/modules/utils"
+    "github.com/ouqiang/gocron/modules/logger"
 )

 const DefaultSection = "default"

+type Setting struct {
+    Db struct{
+        Engine string
+        Host string
+        Port int
+        User string
+        Password string
+        Database string
+        Prefix string
+        Charset string
+        MaxIdleConns int
+        MaxOpenConns int
+    }
+    AllowIps string
+    AppName string
+    ApiKey string
+    ApiSecret string
+    ApiSignEnable bool
+
+    EnableTLS bool
+    CAFile string
+    CertFile string
+    KeyFile string
+}
+
 // 读取配置
-func Read(filename string) (*ini.Section,error) {
+func Read(filename string) (*Setting,error) {
    config, err := ini.Load(filename)
    if err != nil {
        return nil, err
    }
    section := config.Section(DefaultSection)

-    return section, nil
+    var s Setting
+
+    s.Db.Engine = section.Key("db.engine").MustString("mysql")
+    s.Db.Host = section.Key("db.host").MustString("127.0.0.1")
+    s.Db.Port = section.Key("db.port").MustInt(3306)
+    s.Db.User = section.Key("db.user").MustString("")
+    s.Db.Password = section.Key("db.password").MustString("")
+    s.Db.Database = section.Key("db.database").MustString("gocron")
+    s.Db.Prefix = section.Key("db.prefix").MustString("")
+    s.Db.Charset = section.Key("db.charset").MustString("utf8")
+    s.Db.MaxIdleConns = section.Key("db.max.idle.conns").MustInt(30)
+    s.Db.MaxOpenConns = section.Key("db.max.open.conns").MustInt(100)
+
+    s.AllowIps = section.Key("allow_ips").MustString("")
+    s.AppName = section.Key("app.name").MustString("定时任务管理系统")
+    s.ApiKey = section.Key("api.key").MustString("")
+    s.ApiSecret = section.Key("api.secret").MustString("")
+    s.ApiSignEnable = section.Key("api.sign.enable").MustBool(true)
+
+    s.EnableTLS = section.Key("enable_tls").MustBool(false)
+    s.CAFile = section.Key("ca_file").MustString("")
+    s.CertFile = section.Key("cert_file").MustString("")
+    s.KeyFile = section.Key("key_file").MustString("")
+
+    if s.EnableTLS {
+        if !utils.FileExist(s.CAFile) {
+            logger.Fatalf("failed to read ca cert file: %s", s.CAFile)
+        }
+
+        if !utils.FileExist(s.CertFile) {
+            logger.Fatalf("failed to read client cert file: %s", s.CertFile)
+        }
+
+        if !utils.FileExist(s.KeyFile) {
+            logger.Fatalf("failed to read client key file: %s", s.KeyFile)
+        }
+    }
+
+    return &s, nil
 }

 // 写入配置
--- a/routers/install/install.go
+++ b/routers/install/install.go
@ -139,14 +139,14 @@ func createAdminUser(form InstallForm) error {

 // 测试数据库连接
 func testDbConnection(form InstallForm) error {
-    var dbConfig map[string]string = make(map[string]string)
-    dbConfig["engine"] = form.DbType
-    dbConfig["host"] = form.DbHost
-    dbConfig["port"] = strconv.Itoa(form.DbPort)
-    dbConfig["user"] = form.DbUsername
-    dbConfig["password"] = form.DbPassword
-    dbConfig["charset"] = "utf8"
-    db, err := models.CreateTmpDb(dbConfig)
+    var s setting.Setting
+    s.Db.Engine = form.DbType
+    s.Db.Host = form.DbHost
+    s.Db.Port = form.DbPort
+    s.Db.User = form.DbUsername
+    s.Db.Password = form.DbPassword
+    s.Db.Charset = "utf8"
+    db, err := models.CreateTmpDb(&s)
    if err != nil {
        return err
    }
--- a/routers/routers.go
+++ b/routers/routers.go
@ -184,7 +184,7 @@ func checkAppInstall(m *macaron.Macaron)  {

 // IP验证, 通过反向代理访问gocron，需设置Header X-Real-IP才能获取到客户端真实IP
 func ipAuth(ctx *macaron.Context)  {
-    allowIpsStr := app.Setting.Key("allow_ips").String()
+    allowIpsStr := app.Setting.AllowIps
    if allowIpsStr == "" {
        return
    }
@ -230,20 +230,16 @@ func setShareData(ctx *macaron.Context, sess session.Store)  {
    }
    ctx.Data["LoginUsername"] = user.Username(sess)
    ctx.Data["LoginUid"] = user.Uid(sess)
-    ctx.Data["AppName"] = app.Setting.Key("app.name").String()
+    ctx.Data["AppName"] = app.Setting.AppName
 }

 /** API接口签名验证 **/
 func apiAuth(ctx *macaron.Context)  {
-    apiSignEnable := app.Setting.Key("api.sign.enable").String()
-    apiSignEnable = strings.TrimSpace(apiSignEnable)
-    if apiSignEnable == "false" {
+    if !app.Setting.ApiSignEnable {
        return
    }
-    apiKey := app.Setting.Key("api.key").String()
-    apiSecret := app.Setting.Key("api.secret").String()
-    apiKey = strings.TrimSpace(apiKey)
-    apiSecret = strings.TrimSpace(apiSecret)
+    apiKey := strings.TrimSpace(app.Setting.ApiKey)
+    apiSecret := strings.TrimSpace(app.Setting.ApiSecret)
    json := utils.JsonResponse{}
    if apiKey == "" || apiSecret == "" {
        msg := json.CommonFailure("使用API前, 请先配置密钥")