making zero https more vigilant with more checks
aman-bansal committed Oct 21, 2020
1 parent 6304186 commit a3398f4
Showing 2 changed files with 32 additions and 9 deletions.
8 changes: 4 additions & 4 deletions dgraph/cmd/zero/http.go
Expand Up @@ -264,18 +264,18 @@ func startServers(m cmux.CMux) {
if !ok {
return false
}
_, ok = opts.tlsEnabledRoute[path]
return !ok
enabled, ok := opts.tlsEnabledRoute[path]
return ok && !enabled
})
go startListen(httpRule)

// if enabled, tls has to be default behaviour because there is no clean way to decrypt request params using cmux.
// So when it says tlsEnabledRoute, these route will not be available without TLS.
if len(opts.tlsEnabledRoute) > 0 {
if Zero.Conf.GetString("tls_dir") != "" {
tlsCfg, err := x.LoadServerTLSConfig(Zero.Conf, "node.crt", "node.key")
x.Check(err)
if tlsCfg == nil {
glog.Fatalf("tls_enabled_route is set but tls config is not provided. Please define variable --tls_dir")
glog.Fatalf("tls_enabled_route is set but tls config provided is not correct. Please define correct variable --tls_dir")
}

httpsRule := m.Match(cmux.Any())
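Review bot: The new matcher on L22-23 fails closed — a request whose path is not one of the map's keys no longer matches the plain HTTP rule — which is the right direction for TLS enforcement, but it is a silent behaviour change for any other handler Zero mounts on this mux (debug or metrics paths, if any): such a path is now served only by the `cmux.Any()` TLS rule when tls_dir is set and, as far as I can tell from cmux, gets its connection closed when it is not. A comment above the return would make the intent explicit, `// Fail closed: paths outside tlsEnabledRoute never reach the plain HTTP listener; they fall through to the TLS rule, or are dropped when TLS is off.`, and it is worth confirming that no other route is registered here. How `path` is derived is outside the hunk; if it carries the query string or a trailing slash, the exact-key lookup will treat `/state?...` as unknown, which under the new rule is still safer than the old `!ok`, which sent every unrecognised path to the plaintext listener. The matcher closure and startServers both begin before this hunk.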
33 changes: 28 additions & 5 deletions dgraph/cmd/zero/run.go
Expand Up @@ -52,7 +52,7 @@ type options struct {
peer string
w string
rebalanceInterval time.Duration
tlsEnabledRoute map[string]struct{}
tlsEnabledRoute map[string]bool
totalCache int64
}

Expand Down Expand Up @@ -93,8 +93,8 @@ instances to achieve high-availability.
flag.String("tls_dir", "", "Path to directory that has TLS certificates and keys.")
flag.Bool("tls_use_system_ca", true, "Include System CA into CA Certs.")
flag.String("tls_client_auth", "VERIFYIFGIVEN", "Enable TLS client authentication")
flag.String("tls_enabled_route", "", "comma separated zero endpoint which will configured with TLS." +
"Valid values could be /health,/state,/removeNode,/moveTablet,/assign,/enterpriseLicense")
flag.String("tls_enabled_route", "", "comma separated zero endpoint which will configured with TLS."+
"Valid values are /health,/state,/removeNode,/moveTablet,/assign,/enterpriseLicense")
}

func setupListener(addr string, port int, kind string) (listener net.Listener, err error) {
Expand Down Expand Up @@ -167,11 +167,34 @@ func run() {
}

x.PrintVersion()
tlsRoutes := make(map[string]struct{})
tlsRoutes := map[string]bool{
"/health": false,
"/state": false,
"/removeNode": false,
"/moveTablet": false,
"/assign": false,
"/enterpriseLicense": false,
}

if Zero.Conf.GetString("tls_enabled_route") != "" {
routes := strings.Split(Zero.Conf.GetString("tls_enabled_route"), ",")
for _, r := range routes {
tlsRoutes[r] = struct{}{}
if _, ok := tlsRoutes[r]; !ok {
glog.Fatalf("tls_enabled_route has wrong entry. " +
"Valid values are /health,/state,/removeNode,/moveTablet,/assign,/enterpriseLicense")
}

tlsRoutes[r] = true
}

if Zero.Conf.GetString("tls_dir") == "" {
glog.Fatalf("tls_enabled_route is set but tls config is not provided. " +
"Please define variable --tls_dir")
}
} else { // checking when tls_enabled is not defined but tls is defined
if Zero.Conf.GetString("tls_dir") != "" {
glog.Fatalf("tls_dir is defined but tls enabled route is not provided. " +
"Please define variable --tls_enabled_route")
}
}

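Review bot: Entries produced by strings.Split on L77 are looked up untrimmed on L80, so a value like `/health, /state` or a trailing comma aborts with a message that never shows which entry was rejected; trim and echo it, `r = strings.TrimSpace(r)` before the lookup and `glog.Fatalf("tls_enabled_route has wrong entry %q. Valid values are /health,/state,/removeNode,/moveTablet,/assign,/enterpriseLicense", r)`. The valid-route list is now spelled out three times (the flag help in the hunk above, the map literal on L67-74 and the message on L82); deriving the message from the map's keys would keep them from drifting. Note also that only the listed routes move to TLS — with tls_dir set, any of the six left out of tls_enabled_route stays plaintext, which is worth saying in the flag help, since /removeNode, /moveTablet and /assign look from their names like mutating endpoints. run() begins before this hunk and continues after it.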
