Make TLS truly optional for rescue-proxy connections

README.md

@@ -27,21 +27,27 @@ make build
 ```
 Usage of ./rescue-api:
   -addr string
-        Address on which to listen to HTTP requests (default "0.0.0.0:8080")
+	Address on which to listen to HTTP requests (default "0.0.0.0:8080")
   -allowed-origins string
-        Comma-separated list of allowed CORS origins (default "localhost")
-  -auth-valid-for string
-        The duration after which a credential should be considered invalid, eg, 360h for 15 days (default "360h")
+	Comma-separated list of allowed CORS origins (default "http://localhost:8080")
   -db-path string
-        sqlite3 database path (default "db.sqlite3")
+	sqlite3 database path (default "db.sqlite3")
   -debug
-        Whether to enable verbose logging
+	Whether to enable verbose logging
+  -enable-solo-validators
+	Whether or not to enable solo validator credentials (default true)
   -hmac-secret string
-        The secret to use for HMAC (default "test-secret")
+	The secret to use for HMAC.
+	Value must be at least 32 bytes of entropy, base64-encoded.
+	Use 'dd if=/dev/urandom bs=4 count=8 | base64' if you need to generate a new secret.
+  -metrics-addr string
+	Address on which to listen for /metrics requests (default "0.0.0.0:9000")
   -rescue-proxy-api-addr string
-        Address for the Rescue Proxy gRPC API
+	Address for the Rescue Proxy gRPC API
   -rocketscan-api-url string
-        URL for the Rocketscan REST API
+	URL for the Rocketscan REST API
+  -secure-grpc
+	Whether to use gRPC over TLS (default true)
 ```
 
   * `-hmac-secret` must match the one used with the

config.go

@@ -54,7 +54,7 @@ Use 'dd if=/dev/urandom bs=4 count=8 | base64' if you need to generate a new sec
 	proxyAPIAddr := flag.String("rescue-proxy-api-addr", "", "Address for the Rescue Proxy gRPC API")
 	rocketscanAPIURL := flag.String("rocketscan-api-url", "", "URL for the Rocketscan REST API")
 	allowedOrigins := flag.String("allowed-origins", "http://localhost:8080", "Comma-separated list of allowed CORS origins")
-	secureGRPC := flag.Bool("secure-grpc", true, "Whether to enforce gRPC over TLS")
+	secureGRPC := flag.Bool("secure-grpc", true, "Whether to use gRPC over TLS")
 	debug := flag.Bool("debug", false, "Whether to enable verbose logging")
 	enableSoloValidators := flag.Bool("enable-solo-validators", true, "Whether or not to enable solo validator credentials")
 	flag.Parse()

external/rescue_proxy.go

@@ -34,36 +34,23 @@ func NewRescueProxyAPIClient(logger *zap.Logger, address string, secure bool) *R
 func (c *RescueProxyAPIClient) connect() error {
 	var err error
 
-	// Try to connect to the Rescue Proxy API using TLS.
-	// An empty TLS config will use the system's root CAs.
-	tc := credentials.NewTLS(&tls.Config{})
-	if c.conn, err = grpc.NewClient(
-		c.address,
-		grpc.WithTransportCredentials(tc),
-	); err == nil {
-		c.client = proxy.NewApiClient(c.conn)
-		c.logger.Debug("connected to rescue-proxy with TLS", zap.String("address", c.address))
-		return nil
+	c.logger.Debug("connecting to rescue-proxy", zap.Bool("tls", c.secure))
+	var transportCredentials credentials.TransportCredentials
+	if !c.secure {
+		transportCredentials = insecure.NewCredentials()
+	} else {
+		// An empty TLS config will use the system's root CAs.
+		transportCredentials = credentials.NewTLS(&tls.Config{})
 	}
 
-	// If TLS fails, try falling back to insecure gRPC.
-	if c.secure {
-		c.logger.Debug("not attempting to connect to rescue-proxy without TLS, since insecure grpc is disallowed", zap.String("address", c.address))
-		return err
-	}
-
-	c.logger.Debug("attempting to connect to rescue-proxy without TLS, since insecure grpc is allowed", zap.String("address", c.address))
-
 	if c.conn, err = grpc.NewClient(
 		c.address,
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithTransportCredentials(transportCredentials),
 	); err != nil {
 		return err
 	}
-
-	c.logger.Debug("connected to rescue-proxy without TLS", zap.String("address", c.address))
-
 	c.client = proxy.NewApiClient(c.conn)
+	c.logger.Debug("connected to rescue-proxy", zap.String("address", c.address))
 	return nil
 }