tidb security 源码
tidb security 代码
文件路径:/br/pkg/lightning/common/security.go
// Copyright 2020 PingCAP, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package common
import (
"context"
"crypto/tls"
"net"
"net/http"
"net/http/httptest"
"github.com/pingcap/errors"
"github.com/pingcap/tidb/br/pkg/httputil"
"github.com/pingcap/tidb/util"
"github.com/tikv/client-go/v2/config"
pd "github.com/tikv/pd/client"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
)
type TLS struct {
caPath string
certPath string
keyPath string
caBytes []byte
certBytes []byte
keyBytes []byte
inner *tls.Config
client *http.Client
url string
}
// NewTLS constructs a new HTTP client with TLS configured with the CA,
// certificate and key paths.
func NewTLS(caPath, certPath, keyPath, host string, caBytes, certBytes, keyBytes []byte) (*TLS, error) {
inner, err := util.NewTLSConfig(
util.WithCAPath(caPath),
util.WithCertAndKeyPath(certPath, keyPath),
util.WithCAContent(caBytes),
util.WithCertAndKeyContent(certBytes, keyBytes),
)
if err != nil {
return nil, errors.Trace(err)
}
if inner == nil {
return &TLS{
inner: nil,
client: &http.Client{},
url: "http://" + host,
}, nil
}
return &TLS{
caPath: caPath,
certPath: certPath,
keyPath: keyPath,
caBytes: caBytes,
certBytes: certBytes,
keyBytes: keyBytes,
inner: inner,
client: httputil.NewClient(inner),
url: "https://" + host,
}, nil
}
// NewTLSFromMockServer constructs a new TLS instance from the certificates of
// an *httptest.Server.
func NewTLSFromMockServer(server *httptest.Server) *TLS {
return &TLS{
inner: server.TLS,
client: server.Client(),
url: server.URL,
}
}
// WithHost creates a new TLS instance with the host replaced.
func (tc *TLS) WithHost(host string) *TLS {
var url string
if tc.inner != nil {
url = "https://" + host
} else {
url = "http://" + host
}
shallowClone := *tc
shallowClone.url = url
return &shallowClone
}
// ToGRPCDialOption constructs a gRPC dial option.
func (tc *TLS) ToGRPCDialOption() grpc.DialOption {
if tc.inner != nil {
return grpc.WithTransportCredentials(credentials.NewTLS(tc.inner))
}
return grpc.WithInsecure()
}
// WrapListener places a TLS layer on top of the existing listener.
func (tc *TLS) WrapListener(l net.Listener) net.Listener {
if tc.inner == nil {
return l
}
return tls.NewListener(l, tc.inner)
}
func (tc *TLS) GetJSON(ctx context.Context, path string, v interface{}) error {
return GetJSON(ctx, tc.client, tc.url+path, v)
}
// ToPDSecurityOption converts the TLS configuration to a PD security option.
func (tc *TLS) ToPDSecurityOption() pd.SecurityOption {
return pd.SecurityOption{
CAPath: tc.caPath,
CertPath: tc.certPath,
KeyPath: tc.keyPath,
SSLCABytes: tc.caBytes,
SSLCertBytes: tc.certBytes,
SSLKEYBytes: tc.keyBytes,
}
}
// ToTiKVSecurityConfig converts the TLS configuration to a TiKV security config.
// TODO: TiKV does not support pass in content.
func (tc *TLS) ToTiKVSecurityConfig() config.Security {
return config.Security{
ClusterSSLCA: tc.caPath,
ClusterSSLCert: tc.certPath,
ClusterSSLKey: tc.keyPath,
ClusterVerifyCN: nil, // FIXME should fill this in?
}
}
func (tc *TLS) TLSConfig() *tls.Config {
return tc.inner
}
相关信息
相关文章
0
赞
热门推荐
-
2、 - 优质文章
-
3、 gate.io
-
6、 golang
-
7、 openharmony