-
Notifications
You must be signed in to change notification settings - Fork 4.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fixes #2487
- Loading branch information
Showing
5 changed files
with
366 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
/* | ||
* | ||
* Copyright 2018 gRPC authors. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
* | ||
*/ | ||
|
||
// Binary client is an example client. | ||
package main | ||
|
||
import ( | ||
"context" | ||
"flag" | ||
"fmt" | ||
"log" | ||
"time" | ||
|
||
"google.golang.org/grpc" | ||
"google.golang.org/grpc/credentials/alts" | ||
ecpb "google.golang.org/grpc/examples/features/proto/echo" | ||
) | ||
|
||
var addr = flag.String("addr", "localhost:50051", "the address to connect to") | ||
|
||
func callUnaryEcho(client ecpb.EchoClient, message string) { | ||
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) | ||
defer cancel() | ||
resp, err := client.UnaryEcho(ctx, &ecpb.EchoRequest{Message: message}) | ||
if err != nil { | ||
log.Fatalf("client.UnaryEcho(_) = _, %v: ", err) | ||
} | ||
fmt.Println("UnaryEcho: ", resp.Message) | ||
} | ||
|
||
func main() { | ||
flag.Parse() | ||
|
||
// Create alts based credential. | ||
altsTC := alts.NewClientCreds(alts.DefaultClientOptions()) | ||
|
||
// Set up a connection to the server. | ||
conn, err := grpc.Dial(*addr, grpc.WithTransportCredentials(altsTC)) | ||
if err != nil { | ||
log.Fatalf("did not connect: %v", err) | ||
} | ||
defer conn.Close() | ||
|
||
// Make a echo client and send an RPC. | ||
rgc := ecpb.NewEchoClient(conn) | ||
callUnaryEcho(rgc, "hello world") | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,74 @@ | ||
/* | ||
* | ||
* Copyright 2018 gRPC authors. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
* | ||
*/ | ||
|
||
// Binary server is an example server. | ||
package main | ||
|
||
import ( | ||
"context" | ||
"flag" | ||
"fmt" | ||
"log" | ||
"net" | ||
|
||
"google.golang.org/grpc" | ||
"google.golang.org/grpc/codes" | ||
"google.golang.org/grpc/credentials/alts" | ||
ecpb "google.golang.org/grpc/examples/features/proto/echo" | ||
"google.golang.org/grpc/status" | ||
) | ||
|
||
var port = flag.Int("port", 50051, "the port to serve on") | ||
|
||
type ecServer struct{} | ||
|
||
func (s *ecServer) UnaryEcho(ctx context.Context, req *ecpb.EchoRequest) (*ecpb.EchoResponse, error) { | ||
return &ecpb.EchoResponse{Message: req.Message}, nil | ||
} | ||
|
||
func (s *ecServer) ServerStreamingEcho(*ecpb.EchoRequest, ecpb.Echo_ServerStreamingEchoServer) error { | ||
return status.Errorf(codes.Unimplemented, "not implemented") | ||
} | ||
|
||
func (s *ecServer) ClientStreamingEcho(ecpb.Echo_ClientStreamingEchoServer) error { | ||
return status.Errorf(codes.Unimplemented, "not implemented") | ||
} | ||
|
||
func (s *ecServer) BidirectionalStreamingEcho(ecpb.Echo_BidirectionalStreamingEchoServer) error { | ||
return status.Errorf(codes.Unimplemented, "not implemented") | ||
} | ||
|
||
func main() { | ||
flag.Parse() | ||
|
||
lis, err := net.Listen("tcp", fmt.Sprintf(":%d", *port)) | ||
if err != nil { | ||
log.Fatalf("failed to listen: %v", err) | ||
} | ||
// Create alts based credential. | ||
altsTC := alts.NewServerCreds(alts.DefaultServerOptions()) | ||
|
||
s := grpc.NewServer(grpc.Creds(altsTC)) | ||
|
||
// Register EchoServer on the server. | ||
ecpb.RegisterEchoServer(s, &ecServer{}) | ||
|
||
if err := s.Serve(lis); err != nil { | ||
log.Fatalf("failed to serve: %v", err) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
# Encryption | ||
|
||
The example for encryption includes two individual examples for TLS and ALTS | ||
encryption mechanism respectively. | ||
|
||
## Try it | ||
|
||
In each example's subdirectory: | ||
|
||
``` | ||
go run server/main.go | ||
``` | ||
|
||
``` | ||
go run client/main.go | ||
``` | ||
|
||
## Explanation | ||
|
||
### TLS | ||
|
||
TLS is a commonly used cryptographic protocol to provide end-to-end | ||
communication security. In the example, we show how to set up a server | ||
authenticated TLS connection to transmit RPC. | ||
|
||
In our `grpc/credentials` package, we provide several convenience methods to | ||
create grpc | ||
[`credentials.TransportCredentials`](https://godoc.org/google.golang.org/grpc/credentials#TransportCredentials) | ||
base on TLS. Refer to the | ||
[godoc](https://godoc.org/google.golang.org/grpc/credentials) for details. | ||
|
||
In our example, we use the public/private keys created ahead: | ||
* "server1.pem" contains the server certificate (public key). | ||
* "server1.key" contains the server private key. | ||
* "ca.pem" contains the certificate (certificate authority) | ||
that can verify the server's certificate. | ||
|
||
On server side, we provide the paths to "server1.pem" and "server1.key" to | ||
configure TLS and create the server credential using | ||
[`credentials.NewServerTLSFromFile`](https://godoc.org/google.golang.org/grpc/credentials#NewServerTLSFromFile). | ||
|
||
On client side, we provide the path to the "ca.pem" to configure TLS and create | ||
the client credential using | ||
[`credentials.NewClientTLSFromFile`](https://godoc.org/google.golang.org/grpc/credentials#NewClientTLSFromFile). | ||
Note that we override the server name with "x.test.youtube.com", as the server | ||
certificate is valid for *.test.youtube.com but not localhost. It is solely for | ||
the convenience of making an example. | ||
|
||
Once the credentials have been created at both sides, we can start the server | ||
with the just created server credential (by calling | ||
[`grpc.Creds`](https://godoc.org/google.golang.org/grpc#Creds)) and let client dial | ||
to the server with the created client credential (by calling | ||
[`grpc.WithTransportCredentials`](https://godoc.org/google.golang.org/grpc#WithTransportCredentials)) | ||
|
||
And finally we make an RPC call over the created `grpc.ClientConn` to test the secure | ||
connection based upon TLS is successfully up. | ||
|
||
### ALTS | ||
|
||
ALTS is the Google's Application Layer Transport Security, which supports mutual | ||
authentication and transport encryption. Note that ALTS is currently only | ||
supported on Google Cloud Platform, and therefore you can only run the example | ||
successfully in a GCP environment. In our example, we show how to initiate a | ||
secure connection that is based on ALTS. | ||
|
||
Unlike TLS, ALTS makes certificate/key management transparent to user. So it is | ||
easier to set up. | ||
|
||
On server side, first call | ||
[`alts.DefaultServerOptions`](https://godoc.org/google.golang.org/grpc/credentials/alts#DefaultServerOptions) | ||
to get the configuration for alts and then provide the configuration to | ||
[`alts.NewServerCreds`](https://godoc.org/google.golang.org/grpc/credentials/alts#NewServerCreds) | ||
to create the server credential based upon alts. | ||
|
||
On client side, first call | ||
[`alts.DefaultClientOptions`](https://godoc.org/google.golang.org/grpc/credentials/alts#DefaultClientOptions) | ||
to get the configuration for alts and then provide the configuration to | ||
[`alts.NewClientCreds`](https://godoc.org/google.golang.org/grpc/credentials/alts#NewClientCreds) | ||
to create the client credential based upon alts. | ||
|
||
Next, same as TLS, start the server with the server credential and let client | ||
dial to server with the client credential. | ||
|
||
Finally, make an RPC to test the secure connection based upon ALTS is | ||
successfully up. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
/* | ||
* | ||
* Copyright 2018 gRPC authors. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
* | ||
*/ | ||
|
||
// Binary client is an example client. | ||
package main | ||
|
||
import ( | ||
"context" | ||
"flag" | ||
"fmt" | ||
"log" | ||
"time" | ||
|
||
"google.golang.org/grpc" | ||
"google.golang.org/grpc/credentials" | ||
ecpb "google.golang.org/grpc/examples/features/proto/echo" | ||
"google.golang.org/grpc/testdata" | ||
) | ||
|
||
var addr = flag.String("addr", "localhost:50051", "the address to connect to") | ||
|
||
func callUnaryEcho(client ecpb.EchoClient, message string) { | ||
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) | ||
defer cancel() | ||
resp, err := client.UnaryEcho(ctx, &ecpb.EchoRequest{Message: message}) | ||
if err != nil { | ||
log.Fatalf("client.UnaryEcho(_) = _, %v: ", err) | ||
} | ||
fmt.Println("UnaryEcho: ", resp.Message) | ||
} | ||
|
||
func main() { | ||
flag.Parse() | ||
|
||
// Create tls based credential. | ||
creds, err := credentials.NewClientTLSFromFile(testdata.Path("ca.pem"), "x.test.youtube.com") | ||
if err != nil { | ||
log.Fatalf("failed to load credentials: %v", err) | ||
} | ||
|
||
// Set up a connection to the server. | ||
conn, err := grpc.Dial(*addr, grpc.WithTransportCredentials(creds)) | ||
if err != nil { | ||
log.Fatalf("did not connect: %v", err) | ||
} | ||
defer conn.Close() | ||
|
||
// Make a echo client and send an RPC. | ||
rgc := ecpb.NewEchoClient(conn) | ||
callUnaryEcho(rgc, "hello world") | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
/* | ||
* | ||
* Copyright 2018 gRPC authors. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
* | ||
*/ | ||
|
||
// Binary server is an example server. | ||
package main | ||
|
||
import ( | ||
"context" | ||
"flag" | ||
"fmt" | ||
"log" | ||
"net" | ||
|
||
"google.golang.org/grpc" | ||
"google.golang.org/grpc/codes" | ||
"google.golang.org/grpc/credentials" | ||
ecpb "google.golang.org/grpc/examples/features/proto/echo" | ||
"google.golang.org/grpc/status" | ||
"google.golang.org/grpc/testdata" | ||
) | ||
|
||
var port = flag.Int("port", 50051, "the port to serve on") | ||
|
||
type ecServer struct{} | ||
|
||
func (s *ecServer) UnaryEcho(ctx context.Context, req *ecpb.EchoRequest) (*ecpb.EchoResponse, error) { | ||
return &ecpb.EchoResponse{Message: req.Message}, nil | ||
} | ||
|
||
func (s *ecServer) ServerStreamingEcho(*ecpb.EchoRequest, ecpb.Echo_ServerStreamingEchoServer) error { | ||
return status.Errorf(codes.Unimplemented, "not implemented") | ||
} | ||
|
||
func (s *ecServer) ClientStreamingEcho(ecpb.Echo_ClientStreamingEchoServer) error { | ||
return status.Errorf(codes.Unimplemented, "not implemented") | ||
} | ||
|
||
func (s *ecServer) BidirectionalStreamingEcho(ecpb.Echo_BidirectionalStreamingEchoServer) error { | ||
return status.Errorf(codes.Unimplemented, "not implemented") | ||
} | ||
|
||
func main() { | ||
flag.Parse() | ||
|
||
lis, err := net.Listen("tcp", fmt.Sprintf(":%d", *port)) | ||
if err != nil { | ||
log.Fatalf("failed to listen: %v", err) | ||
} | ||
|
||
// Create tls based credential. | ||
creds, err := credentials.NewServerTLSFromFile(testdata.Path("server1.pem"), testdata.Path("server1.key")) | ||
if err != nil { | ||
log.Fatalf("failed to create credentials: %v", err) | ||
} | ||
|
||
s := grpc.NewServer(grpc.Creds(creds)) | ||
|
||
// Register EchoServer on the server. | ||
ecpb.RegisterEchoServer(s, &ecServer{}) | ||
|
||
if err := s.Serve(lis); err != nil { | ||
log.Fatalf("failed to serve: %v", err) | ||
} | ||
} |