refactor: use reference tls verification from akash-api

Signed-off-by: Artur Troian <[email protected]>
akash-network · May 1, 2024 · ce1d185 · ce1d185
1 parent 567267f
commit ce1d185
Show file tree

Hide file tree

Showing 17 changed files with 158 additions and 253 deletions.
diff --git a/cmd/provider-services/cmd/leaseEvents.go b/cmd/provider-services/cmd/leaseEvents.go
@@ -88,7 +88,7 @@ func doLeaseEvents(cmd *cobra.Command) error {
 	for _, lid := range leases {
 		stream := result{lid: lid}
 		prov, _ := sdk.AccAddressFromBech32(lid.Provider)
-		gclient, err := gwrest.NewClient(cl, prov, []tls.Certificate{cert})
+		gclient, err := gwrest.NewClient(ctx, cl, prov, []tls.Certificate{cert})
 		if err == nil {
 			stream.stream, stream.error = gclient.LeaseEvents(ctx, lid, svcs, follow)
 		} else {

diff --git a/cmd/provider-services/cmd/leaseLogs.go b/cmd/provider-services/cmd/leaseLogs.go
@@ -109,7 +109,7 @@ func doLeaseLogs(cmd *cobra.Command) error {
 	for _, lid := range leases {
 		stream := result{lid: lid}
 		prov, _ := sdk.AccAddressFromBech32(lid.Provider)
-		gclient, err := gwrest.NewClient(cl, prov, []tls.Certificate{cert})
+		gclient, err := gwrest.NewClient(ctx, cl, prov, []tls.Certificate{cert})
 		if err == nil {
 			stream.stream, stream.error = gclient.LeaseLogs(ctx, lid, svcs, follow, tailLines)
 		} else {

diff --git a/cmd/provider-services/cmd/leaseStatus.go b/cmd/provider-services/cmd/leaseStatus.go
@@ -59,7 +59,7 @@ func doLeaseStatus(cmd *cobra.Command) error {
 		return markRPCServerError(err)
 	}
 
-	gclient, err := gwrest.NewClient(cl, prov, []tls.Certificate{cert})
+	gclient, err := gwrest.NewClient(ctx, cl, prov, []tls.Certificate{cert})
 	if err != nil {
 		return err
 	}

diff --git a/cmd/provider-services/cmd/manifest.go b/cmd/provider-services/cmd/manifest.go
@@ -100,12 +100,12 @@ func doSendManifest(cmd *cobra.Command, sdlpath string) error {
 
 	for i, lid := range leases {
 		prov, _ := sdk.AccAddressFromBech32(lid.Provider)
-		gclient, err := gwrest.NewClient(cl, prov, []tls.Certificate{cert})
+		gclient, err := gwrest.NewClient(ctx, cl, prov, []tls.Certificate{cert})
 		if err != nil {
 			return err
 		}
 
-		err = gclient.SubmitManifest(cmd.Context(), dseq, mani)
+		err = gclient.SubmitManifest(ctx, dseq, mani)
 		res := result{
 			Provider: prov,
 			Status:   "PASS",

diff --git a/cmd/provider-services/cmd/migrate_endpoints.go b/cmd/provider-services/cmd/migrate_endpoints.go
@@ -44,7 +44,7 @@ func migrateEndpoints(cmd *cobra.Command, args []string) error {
 		return markRPCServerError(err)
 	}
 
-	gclient, err := gwrest.NewClient(cl, prov, []tls.Certificate{cert})
+	gclient, err := gwrest.NewClient(ctx, cl, prov, []tls.Certificate{cert})
 	if err != nil {
 		return err
 	}

diff --git a/cmd/provider-services/cmd/migrate_hostnames.go b/cmd/provider-services/cmd/migrate_hostnames.go
@@ -43,7 +43,7 @@ func migrateHostnames(cmd *cobra.Command, args []string) error {
 		return markRPCServerError(err)
 	}
 
-	gclient, err := gwrest.NewClient(cl, prov, []tls.Certificate{cert})
+	gclient, err := gwrest.NewClient(ctx, cl, prov, []tls.Certificate{cert})
 	if err != nil {
 		return err
 	}
@@ -58,7 +58,7 @@ func migrateHostnames(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	err = gclient.MigrateHostnames(cmd.Context(), hostnames, dseq, gseq)
+	err = gclient.MigrateHostnames(ctx, hostnames, dseq, gseq)
 	if err != nil {
 		return showErrorToUser(err)
 	}

diff --git a/cmd/provider-services/cmd/serviceStatus.go b/cmd/provider-services/cmd/serviceStatus.go
@@ -67,7 +67,7 @@ func doServiceStatus(cmd *cobra.Command) error {
 		return markRPCServerError(err)
 	}
 
-	gclient, err := gwrest.NewClient(cl, prov, []tls.Certificate{cert})
+	gclient, err := gwrest.NewClient(ctx, cl, prov, []tls.Certificate{cert})
 	if err != nil {
 		return err
 	}

diff --git a/cmd/provider-services/cmd/shell.go b/cmd/provider-services/cmd/shell.go
@@ -129,7 +129,7 @@ func doLeaseShell(cmd *cobra.Command, args []string) error {
 		return markRPCServerError(err)
 	}
 
-	gclient, err := gwrest.NewClient(cl, prov, []tls.Certificate{cert})
+	gclient, err := gwrest.NewClient(ctx, cl, prov, []tls.Certificate{cert})
 	if err != nil {
 		return err
 	}

diff --git a/cmd/provider-services/cmd/status.go b/cmd/provider-services/cmd/status.go
@@ -43,7 +43,7 @@ func doStatus(cmd *cobra.Command, addr sdk.Address) error {
 		return err
 	}
 
-	gclient, err := gwrest.NewClient(cl, addr, nil)
+	gclient, err := gwrest.NewClient(ctx, cl, addr, nil)
 	if err != nil {
 		return err
 	}

diff --git a/gateway/grpc/server.go b/gateway/grpc/server.go
@@ -3,11 +3,11 @@ package grpc
 import (
 	"crypto/tls"
 	"crypto/x509"
-	"errors"
 	"fmt"
 	"net"
 	"time"
 
+	atls "github.com/akash-network/akash-api/go/util/tls"
 	"golang.org/x/net/context"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
@@ -121,61 +121,11 @@ func mtlsInterceptor() grpc.UnaryServerInterceptor {
 				certificates := mtls.State.PeerCertificates
 
 				if len(certificates) > 0 {
-					if len(certificates) != 1 {
-						return nil, fmt.Errorf("tls: invalid certificate chain") // nolint: goerr113
-					}
-
 					cquery := QueryClientFromCtx(ctx)
 
-					cert := certificates[0]
-
-					// validation
-					var owner sdk.Address
-					if owner, err = sdk.AccAddressFromBech32(cert.Subject.CommonName); err != nil {
-						return nil, fmt.Errorf("tls: invalid certificate's subject common name: %w", err)
-					}
-
-					// 1. CommonName in issuer and Subject must match and be as Bech32 format
-					if cert.Subject.CommonName != cert.Issuer.CommonName {
-						return nil, fmt.Errorf("tls: invalid certificate's issuer common name: %w", err)
-					}
-
-					// 2. serial number must be in
-					if cert.SerialNumber == nil {
-						return nil, fmt.Errorf("tls: invalid certificate serial number: %w", err)
-					}
-
-					// 3. look up certificate on chain
-					var resp *ctypes.QueryCertificatesResponse
-					resp, err = cquery.Certificates(
-						ctx,
-						&ctypes.QueryCertificatesRequest{
-							Filter: ctypes.CertificateFilter{
-								Owner:  owner.String(),
-								Serial: cert.SerialNumber.String(),
-								State:  "valid",
-							},
-						},
-					)
+					owner, _, err := atls.ValidatePeerCertificates(ctx, cquery, certificates, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
 					if err != nil {
-						return nil, fmt.Errorf("tls: unable to fetch certificate from chain: %w", err)
-					}
-					if (len(resp.Certificates) != 1) || !resp.Certificates[0].Certificate.IsState(ctypes.CertificateValid) {
-						return nil, errors.New("tls: attempt to use non-existing or revoked certificate") // nolint: goerr113
-					}
-
-					clientCertPool := x509.NewCertPool()
-					clientCertPool.AddCert(cert)
-
-					opts := x509.VerifyOptions{
-						Roots:                     clientCertPool,
-						CurrentTime:               time.Now(),
-						KeyUsages:                 []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
-						MaxConstraintComparisions: 0,
-					}
-
-					if _, err = cert.Verify(opts); err != nil {
-						return nil, fmt.Errorf("tls: unable to verify certificate: %w", err)
+						return nil, err
 					}
 
 					ctx = ContextWithOwner(ctx, owner)