From ad302d1a1bfa33d9260e03060bcac86b51f7c32c Mon Sep 17 00:00:00 2001 From: Jacob Shufro Date: Fri, 31 Jan 2025 18:20:30 -0500 Subject: [PATCH 1/2] Make TLS truly optional for rescue-proxy connections --- config.go | 2 +- external/rescue_proxy.go | 31 +++++++++---------------------- 2 files changed, 10 insertions(+), 23 deletions(-) diff --git a/config.go b/config.go index 3d540c1..929c72c 100644 --- a/config.go +++ b/config.go @@ -54,7 +54,7 @@ Use 'dd if=/dev/urandom bs=4 count=8 | base64' if you need to generate a new sec proxyAPIAddr := flag.String("rescue-proxy-api-addr", "", "Address for the Rescue Proxy gRPC API") rocketscanAPIURL := flag.String("rocketscan-api-url", "", "URL for the Rocketscan REST API") allowedOrigins := flag.String("allowed-origins", "http://localhost:8080", "Comma-separated list of allowed CORS origins") - secureGRPC := flag.Bool("secure-grpc", true, "Whether to enforce gRPC over TLS") + secureGRPC := flag.Bool("secure-grpc", true, "Whether to use gRPC over TLS") debug := flag.Bool("debug", false, "Whether to enable verbose logging") enableSoloValidators := flag.Bool("enable-solo-validators", true, "Whether or not to enable solo validator credentials") flag.Parse() diff --git a/external/rescue_proxy.go b/external/rescue_proxy.go index 8ba4aef..a9de2f2 100644 --- a/external/rescue_proxy.go +++ b/external/rescue_proxy.go @@ -34,36 +34,23 @@ func NewRescueProxyAPIClient(logger *zap.Logger, address string, secure bool) *R func (c *RescueProxyAPIClient) connect() error { var err error - // Try to connect to the Rescue Proxy API using TLS. - // An empty TLS config will use the system's root CAs. - tc := credentials.NewTLS(&tls.Config{}) - if c.conn, err = grpc.NewClient( - c.address, - grpc.WithTransportCredentials(tc), - ); err == nil { - c.client = proxy.NewApiClient(c.conn) - c.logger.Debug("connected to rescue-proxy with TLS", zap.String("address", c.address)) - return nil + c.logger.Debug("connecting to rescue-proxy", zap.Bool("tls", c.secure)) + var transportCredentials credentials.TransportCredentials + if !c.secure { + transportCredentials = insecure.NewCredentials() + } else { + // An empty TLS config will use the system's root CAs. + transportCredentials = credentials.NewTLS(&tls.Config{}) } - // If TLS fails, try falling back to insecure gRPC. - if c.secure { - c.logger.Debug("not attempting to connect to rescue-proxy without TLS, since insecure grpc is disallowed", zap.String("address", c.address)) - return err - } - - c.logger.Debug("attempting to connect to rescue-proxy without TLS, since insecure grpc is allowed", zap.String("address", c.address)) - if c.conn, err = grpc.NewClient( c.address, - grpc.WithTransportCredentials(insecure.NewCredentials()), + grpc.WithTransportCredentials(transportCredentials), ); err != nil { return err } - - c.logger.Debug("connected to rescue-proxy without TLS", zap.String("address", c.address)) - c.client = proxy.NewApiClient(c.conn) + c.logger.Debug("connected to rescue-proxy", zap.String("address", c.address)) return nil } From 52ada7d758542e87ca8972c80c8f1cba8ca88b1f Mon Sep 17 00:00:00 2001 From: Jacob Shufro Date: Fri, 31 Jan 2025 18:29:33 -0500 Subject: [PATCH 2/2] Update README.md usage block --- README.md | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 0daa339..4d3bc7c 100644 --- a/README.md +++ b/README.md @@ -27,21 +27,27 @@ make build ``` Usage of ./rescue-api: -addr string - Address on which to listen to HTTP requests (default "0.0.0.0:8080") + Address on which to listen to HTTP requests (default "0.0.0.0:8080") -allowed-origins string - Comma-separated list of allowed CORS origins (default "localhost") - -auth-valid-for string - The duration after which a credential should be considered invalid, eg, 360h for 15 days (default "360h") + Comma-separated list of allowed CORS origins (default "http://localhost:8080") -db-path string - sqlite3 database path (default "db.sqlite3") + sqlite3 database path (default "db.sqlite3") -debug - Whether to enable verbose logging + Whether to enable verbose logging + -enable-solo-validators + Whether or not to enable solo validator credentials (default true) -hmac-secret string - The secret to use for HMAC (default "test-secret") + The secret to use for HMAC. + Value must be at least 32 bytes of entropy, base64-encoded. + Use 'dd if=/dev/urandom bs=4 count=8 | base64' if you need to generate a new secret. + -metrics-addr string + Address on which to listen for /metrics requests (default "0.0.0.0:9000") -rescue-proxy-api-addr string - Address for the Rescue Proxy gRPC API + Address for the Rescue Proxy gRPC API -rocketscan-api-url string - URL for the Rocketscan REST API + URL for the Rocketscan REST API + -secure-grpc + Whether to use gRPC over TLS (default true) ``` * `-hmac-secret` must match the one used with the