From c40f036d03bf50922bbc226fb203006046d09608 Mon Sep 17 00:00:00 2001 From: Yong Zhao Date: Tue, 25 Jan 2022 14:20:23 -0800 Subject: [PATCH 1/5] [telemetry server] Reloads telemetry server configuration once receiving the `SIGHUP` signal. Signed-off-by: Yong Zhao --- gnmi_server/server.go | 11 +++ telemetry/telemetry.go | 214 +++++++++++++++++++++++------------------ 2 files changed, 129 insertions(+), 96 deletions(-) diff --git a/gnmi_server/server.go b/gnmi_server/server.go index f21f8d68a..7951f5aaa 100644 --- a/gnmi_server/server.go +++ b/gnmi_server/server.go @@ -157,6 +157,17 @@ func (srv *Server) Serve() error { return srv.s.Serve(srv.lis) } +// Stop stops all gRPC server. It immediately closes all open connections and listeners. It +// cancels all active RPCs on the server side and the corresponding pending RPCs on the client +// side will get notified by connection errors. +func (srv *Server) Stop() { + s := srv.s + if s == nil { + fmt.Errorf("gRPC server failed to stop!") + } + srv.s.Stop() +} + // Address returns the port the Server is listening to. func (srv *Server) Address() string { addr := srv.lis.Addr().String() diff --git a/telemetry/telemetry.go b/telemetry/telemetry.go index 4ec580c6b..3428ba378 100644 --- a/telemetry/telemetry.go +++ b/telemetry/telemetry.go @@ -5,6 +5,9 @@ import ( "crypto/x509" "flag" "io/ioutil" + "os" + "os/signal" + "syscall" "time" log "github.com/golang/glog" @@ -16,7 +19,7 @@ import ( ) var ( - userAuth = gnmi.AuthTypes{"password": false, "cert": false, "jwt": false} + userAuth = gnmi.AuthTypes{"password": false, "cert": false, "jwt": false} port = flag.Int("port", -1, "port to listen on") // Certificate files. caCert = flag.String("ca_crt", "", "CA certificate for client certificate validation. Optional.") 
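Review bot: The nil guard in the new `Stop` method never takes effect: `fmt.Errorf("gRPC server failed to stop!")` only constructs an error value that is immediately dropped (go vet reports this as an unused result), and the method then calls `srv.s.Stop()` unconditionally, so a nil `srv.s` still panics. Return early instead, e.g. `if srv.s == nil { return }` (logging through whatever logger server.go already uses), and drop the local `s` which is otherwise unused; if `fmt` is not already imported in server.go the current line will not even compile, which I cannot confirm from this hunk. Since the stated purpose is reloading certificates, it is also worth a comment noting that `Stop` (as opposed to `GracefulStop`) aborts in-flight RPCs, so a SIGHUP is visible to every connected client as a connection error.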
@@ -29,118 +32,137 @@ var ( jwtValInt = flag.Uint64("jwt_valid_int", 3600, "Seconds that JWT token is valid for.") ) +// SignalHandler will block and wait for the signal `SIGHUP`. Once it receives this signal, +// the gRPC server will be stopped and new gRPC server instance will be created with +// updated certificate and key files. +func SignalHandler(server *gnmi.server, signalChannel <-chan os.signal) { + signal_receiver := <-signalChannel + log.v(1).infof("gRPC server receives signal: %s and will be stopped!", signal_receiver) + log.v(1).infof("gRPC server is being stopped ...") + server.Stop() + log.v(1).infof("gRPC server is stopped!") +} + func main() { flag.Var(userAuth, "client_auth", "Client auth mode(s) - none,cert,password") flag.Parse() - var defUserAuth gnmi.AuthTypes - if gnmi.READ_WRITE_MODE { - //In read/write mode we want to enable auth by default. - defUserAuth = gnmi.AuthTypes{"password": true, "cert": false, "jwt": true} - }else { - defUserAuth = gnmi.AuthTypes{"jwt": false, "password": false, "cert": false} - } + signalChannel := make(chan os.Signal, 1) + signal.Notify(signalChannel, syscall.SIGHUP) - if isFlagPassed("client_auth") { - log.V(1).Infof("client_auth provided") - }else { - log.V(1).Infof("client_auth not provided, using defaults.") - userAuth = defUserAuth - } + for { + var defUserAuth gnmi.AuthTypes + if gnmi.READ_WRITE_MODE { + //In read/write mode we want to enable auth by default. 
+ defUserAuth = gnmi.AuthTypes{"password": true, "cert": false, "jwt": true} + }else { + defUserAuth = gnmi.AuthTypes{"jwt": false, "password": false, "cert": false} + } - switch { - case *port <= 0: - log.Errorf("port must be > 0.") - return - } - gnmi.JwtRefreshInt = time.Duration(*jwtRefInt*uint64(time.Second)) - gnmi.JwtValidInt = time.Duration(*jwtValInt*uint64(time.Second)) - - cfg := &gnmi.Config{} - cfg.Port = int64(*port) - var opts []grpc.ServerOption - - if !*noTLS { - var certificate tls.Certificate - var err error - if *insecure { - certificate, err = testcert.NewCert() - if err != nil { - log.Exitf("could not load server key pair: %s", err) + if isFlagPassed("client_auth") { + log.V(1).Infof("client_auth provided") + }else { + log.V(1).Infof("client_auth not provided, using defaults.") + userAuth = defUserAuth + } + + switch { + case *port <= 0: + log.Errorf("port must be > 0.") + return + } + + gnmi.JwtRefreshInt = time.Duration(*jwtRefInt*uint64(time.Second)) + gnmi.JwtValidInt = time.Duration(*jwtValInt*uint64(time.Second)) + + cfg := &gnmi.Config{} + cfg.Port = int64(*port) + var opts []grpc.ServerOption + + if !*noTLS { + var certificate tls.Certificate + var err error + if *insecure { + certificate, err = testcert.NewCert() + if err != nil { + log.Exitf("could not load server key pair: %s", err) + } + } else { + switch { + case *serverCert == "": + log.Errorf("serverCert must be set.") + return + case *serverKey == "": + log.Errorf("serverKey must be set.") + return + } + certificate, err = tls.LoadX509KeyPair(*serverCert, *serverKey) + if err != nil { + log.Exitf("could not load server key pair: %s", err) + } + } + + tlsCfg := &tls.Config{ + ClientAuth: tls.RequireAndVerifyClientCert, + Certificates: []tls.Certificate{certificate}, + MinVersion: tls.VersionTLS12, + CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, + PreferServerCipherSuites: true, + CipherSuites: []uint16{ + 
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + }, } - } else { - switch { - case *serverCert == "": - log.Errorf("serverCert must be set.") - return - case *serverKey == "": - log.Errorf("serverKey must be set.") - return + + if *allowNoClientCert { + // RequestClientCert will ask client for a certificate but won't + // require it to proceed. If certificate is provided, it will be + // verified. + tlsCfg.ClientAuth = tls.RequestClientCert } - certificate, err = tls.LoadX509KeyPair(*serverCert, *serverKey) - if err != nil { - log.Exitf("could not load server key pair: %s", err) + + if *caCert != "" { + ca, err := ioutil.ReadFile(*caCert) + if err != nil { + log.Exitf("could not read CA certificate: %s", err) + } + certPool := x509.NewCertPool() + if ok := certPool.AppendCertsFromPEM(ca); !ok { + log.Exit("failed to append CA certificate") + } + tlsCfg.ClientCAs = certPool + } else { + if userAuth.Enabled("cert") { + userAuth.Unset("cert") + log.Warning("client_auth mode cert requires ca_crt option. 
Disabling cert mode authentication.") + } } - } - tlsCfg := &tls.Config{ - ClientAuth: tls.RequireAndVerifyClientCert, - Certificates: []tls.Certificate{certificate}, - MinVersion: tls.VersionTLS12, - CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, - PreferServerCipherSuites: true, - CipherSuites: []uint16{ - tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, - tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, - tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - }, - } + opts = []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsCfg))} + cfg := &gnmi.Config{} + cfg.Port = int64(*port) + cfg.UserAuth = userAuth - if *allowNoClientCert { - // RequestClientCert will ask client for a certificate but won't - // require it to proceed. If certificate is provided, it will be - // verified. - tlsCfg.ClientAuth = tls.RequestClientCert - } + gnmi.GenerateJwtSecretKey() + } - if *caCert != "" { - ca, err := ioutil.ReadFile(*caCert) + s, err := gnmi.NewServer(cfg, opts) if err != nil { - log.Exitf("could not read CA certificate: %s", err) + log.Errorf("Failed to create gNMI server: %v", err) + return } - certPool := x509.NewCertPool() - if ok := certPool.AppendCertsFromPEM(ca); !ok { - log.Exit("failed to append CA certificate") - } - tlsCfg.ClientCAs = certPool - } else { - if userAuth.Enabled("cert") { - userAuth.Unset("cert") - log.Warning("client_auth mode cert requires ca_crt option. 
Disabling cert mode authentication.") - } - } - opts = []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsCfg))} - cfg := &gnmi.Config{} - cfg.Port = int64(*port) - cfg.UserAuth = userAuth + go SignalHandler(s, signalChannel) - gnmi.GenerateJwtSecretKey() -} - - s, err := gnmi.NewServer(cfg, opts) - if err != nil { - log.Errorf("Failed to create gNMI server: %v", err) - return + log.V(1).Infof("Auth Modes: ", userAuth) + log.V(1).Infof("Starting RPC server on address: %s", s.Address()) + s.Serve() // blocks until close + log.Flush() } - - log.V(1).Infof("Auth Modes: ", userAuth) - log.V(1).Infof("Starting RPC server on address: %s", s.Address()) - s.Serve() // blocks until close - log.Flush() } func isFlagPassed(name string) bool { From 063239a4be7c07dc019bbed0f121201e142fb2ea Mon Sep 17 00:00:00 2001 From: Yong Zhao Date: Tue, 25 Jan 2022 14:43:05 -0800 Subject: [PATCH 2/5] [telemetry server] Remove extra spaces. Signed-off-by: Yong Zhao --- telemetry/telemetry.go | 52 +++++++++++++++++++++--------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/telemetry/telemetry.go b/telemetry/telemetry.go index 3428ba378..da9ee37b2 100644 --- a/telemetry/telemetry.go +++ b/telemetry/telemetry.go 
@@ -1,35 +1,35 @@ package main import ( - "crypto/tls" - "crypto/x509" - "flag" - "io/ioutil" - "os" - "os/signal" - "syscall" - "time" - - log "github.com/golang/glog" - "google.golang.org/grpc" - "google.golang.org/grpc/credentials" - - gnmi "github.com/Azure/sonic-telemetry/gnmi_server" - testcert "github.com/Azure/sonic-telemetry/testdata/tls" + "crypto/tls" + "crypto/x509" + "flag" + "io/ioutil" + "os" + "os/signal" + "syscall" + "time" + + log "github.com/golang/glog" + "google.golang.org/grpc" + "google.golang.org/grpc/credentials" + + gnmi "github.com/Azure/sonic-telemetry/gnmi_server" + testcert "github.com/Azure/sonic-telemetry/testdata/tls" ) var ( - userAuth = gnmi.AuthTypes{"password": false, "cert": false, "jwt": false} - port = flag.Int("port", -1, "port to listen on") - // Certificate files. - caCert = flag.String("ca_crt", "", "CA certificate for client certificate validation. Optional.") - serverCert = flag.String("server_crt", "", "TLS server certificate") - serverKey = flag.String("server_key", "", "TLS server private key") - insecure = flag.Bool("insecure", false, "Skip providing TLS cert and key, for testing only!") - noTLS = flag.Bool("noTLS", false, "disable TLS, for testing only!") - allowNoClientCert = flag.Bool("allow_no_client_auth", false, "When set, telemetry server will request but not require a client certificate.") - jwtRefInt = flag.Uint64("jwt_refresh_int", 900, "Seconds before JWT expiry the token can be refreshed.") - jwtValInt = flag.Uint64("jwt_valid_int", 3600, "Seconds that JWT token is valid for.") + userAuth = gnmi.AuthTypes{"password": false, "cert": false, "jwt": false} + port = flag.Int("port", -1, "port to listen on") + // Certificate files. + caCert = flag.String("ca_crt", "", "CA certificate for client certificate validation. 
Optional.") + serverCert = flag.String("server_crt", "", "TLS server certificate") + serverKey = flag.String("server_key", "", "TLS server private key") + insecure = flag.Bool("insecure", false, "Skip providing TLS cert and key, for testing only!") + noTLS = flag.Bool("noTLS", false, "disable TLS, for testing only!") + allowNoClientCert = flag.Bool("allow_no_client_auth", false, "When set, telemetry server will request but not require a client certificate.") + jwtRefInt = flag.Uint64("jwt_refresh_int", 900, "Seconds before JWT expiry the token can be refreshed.") + jwtValInt = flag.Uint64("jwt_valid_int", 3600, "Seconds that JWT token is valid for.") ) // SignalHandler will block and wait for the signal `SIGHUP`. Once it receives this signal, From 205107114879df4d66cd3d1bfdefcc70c813261b Mon Sep 17 00:00:00 2001 From: Yong Zhao Date: Tue, 25 Jan 2022 14:44:32 -0800 Subject: [PATCH 3/5] [telemetry server] Remove extra spaces. Signed-off-by: Yong Zhao --- telemetry/telemetry.go | 52 +++++++++++++++++++++--------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/telemetry/telemetry.go b/telemetry/telemetry.go index da9ee37b2..a6425c023 100644 --- a/telemetry/telemetry.go +++ b/telemetry/telemetry.go 
@@ -1,35 +1,35 @@ package main import ( - "crypto/tls" - "crypto/x509" - "flag" - "io/ioutil" - "os" - "os/signal" - "syscall" - "time" - - log "github.com/golang/glog" - "google.golang.org/grpc" - "google.golang.org/grpc/credentials" - - gnmi "github.com/Azure/sonic-telemetry/gnmi_server" - testcert "github.com/Azure/sonic-telemetry/testdata/tls" + "crypto/tls" + "crypto/x509" + "flag" + "io/ioutil" + "os" + "os/signal" + "syscall" + "time" + + log "github.com/golang/glog" + "google.golang.org/grpc" + "google.golang.org/grpc/credentials" + + gnmi "github.com/Azure/sonic-telemetry/gnmi_server" + testcert "github.com/Azure/sonic-telemetry/testdata/tls" ) var ( - userAuth = gnmi.AuthTypes{"password": false, "cert": false, "jwt": false} - port = flag.Int("port", -1, "port to listen on") - // Certificate files. - caCert = flag.String("ca_crt", "", "CA certificate for client certificate validation. Optional.") - serverCert = flag.String("server_crt", "", "TLS server certificate") - serverKey = flag.String("server_key", "", "TLS server private key") - insecure = flag.Bool("insecure", false, "Skip providing TLS cert and key, for testing only!") - noTLS = flag.Bool("noTLS", false, "disable TLS, for testing only!") - allowNoClientCert = flag.Bool("allow_no_client_auth", false, "When set, telemetry server will request but not require a client certificate.") - jwtRefInt = flag.Uint64("jwt_refresh_int", 900, "Seconds before JWT expiry the token can be refreshed.") - jwtValInt = flag.Uint64("jwt_valid_int", 3600, "Seconds that JWT token is valid for.") + userAuth = gnmi.AuthTypes{"password": false, "cert": false, "jwt": false} + port = flag.Int("port", -1, "port to listen on") + // Certificate files. + caCert = flag.String("ca_crt", "", "CA certificate for client certificate validation. 
Optional.") + serverCert = flag.String("server_crt", "", "TLS server certificate") + serverKey = flag.String("server_key", "", "TLS server private key") + insecure = flag.Bool("insecure", false, "Skip providing TLS cert and key, for testing only!") + noTLS = flag.Bool("noTLS", false, "disable TLS, for testing only!") + allowNoClientCert = flag.Bool("allow_no_client_auth", false, "When set, telemetry server will request but not require a client certificate.") + jwtRefInt = flag.Uint64("jwt_refresh_int", 900, "Seconds before JWT expiry the token can be refreshed.") + jwtValInt = flag.Uint64("jwt_valid_int", 3600, "Seconds that JWT token is valid for.") ) // SignalHandler will block and wait for the signal `SIGHUP`. Once it receives this signal, From c2b10cdddb37cc5ea96b08e59ab2edb0c8514922 Mon Sep 17 00:00:00 2001 From: Yong Zhao Date: Tue, 25 Jan 2022 15:10:24 -0800 Subject: [PATCH 4/5] [telemetry] Fix the typoes. Signed-off-by: Yong Zhao --- telemetry/telemetry.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/telemetry/telemetry.go b/telemetry/telemetry.go index a6425c023..79eeed9c1 100644 --- a/telemetry/telemetry.go +++ b/telemetry/telemetry.go 
@@ -35,12 +35,12 @@ var ( // SignalHandler will block and wait for the signal `SIGHUP`. Once it receives this signal, // the gRPC server will be stopped and new gRPC server instance will be created with // updated certificate and key files. -func SignalHandler(server *gnmi.server, signalChannel <-chan os.signal) { - signal_receiver := <-signalChannel - log.v(1).infof("gRPC server receives signal: %s and will be stopped!", signal_receiver) - log.v(1).infof("gRPC server is being stopped ...") +func SignalHandler(server *gnmi.Server, signalChannel <-chan os.Signal) { + signalReceiver := <-signalChannel + log.V(1).Infof("gRPC server receives signal: %s and will be stopped!", signalReceiver) + log.V(1).Infof("gRPC server is being stopped ...") server.Stop() - log.v(1).infof("gRPC server is stopped!") + log.V(1).Infof("gRPC server is stopped!") } func main() { From d396fe4ff4daa4909eb25cdbeac8829e3233a163 Mon Sep 17 00:00:00 2001 From: Yong Zhao Date: Wed, 2 Feb 2022 11:53:48 -0800 Subject: [PATCH 5/5] [telemetry] Fix the indentation issue. Signed-off-by: Yong Zhao --- gnmi_server/server.go | 10 +- telemetry/telemetry.go | 288 ++++++++++++++++++++--------------------- 2 files changed, 149 insertions(+), 149 deletions(-) diff --git a/gnmi_server/server.go b/gnmi_server/server.go index 7951f5aaa..8a70226d3 100644 --- a/gnmi_server/server.go +++ b/gnmi_server/server.go @@ -161,11 +161,11 @@ func (srv *Server) Serve() error { // cancels all active RPCs on the server side and the corresponding pending RPCs on the client // side will get notified by connection errors. func (srv *Server) Stop() { - s := srv.s - if s == nil { - fmt.Errorf("gRPC server failed to stop!") - } - srv.s.Stop() + s := srv.s + if s == nil { + fmt.Errorf("gRPC server failed to stop!") + } + srv.s.Stop() } // Address returns the port the Server is listening to. diff --git a/telemetry/telemetry.go b/telemetry/telemetry.go index 79eeed9c1..79ac20619 100644 --- a/telemetry/telemetry.go 
+++ b/telemetry/telemetry.go 
@@ -1,168 +1,168 @@ package main import ( - "crypto/tls" - "crypto/x509" - "flag" - "io/ioutil" - "os" - "os/signal" - "syscall" - "time" - - log "github.com/golang/glog" - "google.golang.org/grpc" - "google.golang.org/grpc/credentials" - - gnmi "github.com/Azure/sonic-telemetry/gnmi_server" - testcert "github.com/Azure/sonic-telemetry/testdata/tls" + "crypto/tls" + "crypto/x509" + "flag" + "io/ioutil" + "os" + "os/signal" + "syscall" + "time" + + log "github.com/golang/glog" + "google.golang.org/grpc" + "google.golang.org/grpc/credentials" + + gnmi "github.com/Azure/sonic-telemetry/gnmi_server" + testcert "github.com/Azure/sonic-telemetry/testdata/tls" ) var ( - userAuth = gnmi.AuthTypes{"password": false, "cert": false, "jwt": false} - port = flag.Int("port", -1, "port to listen on") - // Certificate files. - caCert = flag.String("ca_crt", "", "CA certificate for client certificate validation. Optional.") - serverCert = flag.String("server_crt", "", "TLS server certificate") - serverKey = flag.String("server_key", "", "TLS server private key") - insecure = flag.Bool("insecure", false, "Skip providing TLS cert and key, for testing only!") - noTLS = flag.Bool("noTLS", false, "disable TLS, for testing only!") - allowNoClientCert = flag.Bool("allow_no_client_auth", false, "When set, telemetry server will request but not require a client certificate.") - jwtRefInt = flag.Uint64("jwt_refresh_int", 900, "Seconds before JWT expiry the token can be refreshed.") - jwtValInt = flag.Uint64("jwt_valid_int", 3600, "Seconds that JWT token is valid for.") + userAuth = gnmi.AuthTypes{"password": false, "cert": false, "jwt": false} + port = flag.Int("port", -1, "port to listen on") + // Certificate files. + caCert = flag.String("ca_crt", "", "CA certificate for client certificate validation. 
Optional.") + serverCert = flag.String("server_crt", "", "TLS server certificate") + serverKey = flag.String("server_key", "", "TLS server private key") + insecure = flag.Bool("insecure", false, "Skip providing TLS cert and key, for testing only!") + noTLS = flag.Bool("noTLS", false, "disable TLS, for testing only!") + allowNoClientCert = flag.Bool("allow_no_client_auth", false, "When set, telemetry server will request but not require a client certificate.") + jwtRefInt = flag.Uint64("jwt_refresh_int", 900, "Seconds before JWT expiry the token can be refreshed.") + jwtValInt = flag.Uint64("jwt_valid_int", 3600, "Seconds that JWT token is valid for.") ) -// SignalHandler will block and wait for the signal `SIGHUP`. Once it receives this signal, +// SignalHandler will block and wait for the signal `SIGHUP`. Once it receives signal, // the gRPC server will be stopped and new gRPC server instance will be created with // updated certificate and key files. func SignalHandler(server *gnmi.Server, signalChannel <-chan os.Signal) { - signalReceiver := <-signalChannel - log.V(1).Infof("gRPC server receives signal: %s and will be stopped!", signalReceiver) - log.V(1).Infof("gRPC server is being stopped ...") - server.Stop() - log.V(1).Infof("gRPC server is stopped!") + signalReceiver := <-signalChannel + log.V(1).Infof("gRPC server receives signal: %s and will be stopped!", signalReceiver) + log.V(1).Infof("gRPC server is being stopped ...") + server.Stop() + log.V(1).Infof("gRPC server is stopped!") } func main() { - flag.Var(userAuth, "client_auth", "Client auth mode(s) - none,cert,password") - flag.Parse() - - signalChannel := make(chan os.Signal, 1) - signal.Notify(signalChannel, syscall.SIGHUP) - - for { - var defUserAuth gnmi.AuthTypes - if gnmi.READ_WRITE_MODE { - //In read/write mode we want to enable auth by default. 
- defUserAuth = gnmi.AuthTypes{"password": true, "cert": false, "jwt": true} - }else { - defUserAuth = gnmi.AuthTypes{"jwt": false, "password": false, "cert": false} - } + flag.Var(userAuth, "client_auth", "Client auth mode(s) - none,cert,password") + flag.Parse() + + signalChannel := make(chan os.Signal, 1) + signal.Notify(signalChannel, syscall.SIGHUP) + + for { + var defUserAuth gnmi.AuthTypes + if gnmi.READ_WRITE_MODE { + //In read/write mode we want to enable auth by default. + defUserAuth = gnmi.AuthTypes{"password": true, "cert": false, "jwt": true} + }else { + defUserAuth = gnmi.AuthTypes{"jwt": false, "password": false, "cert": false} + } - if isFlagPassed("client_auth") { - log.V(1).Infof("client_auth provided") - }else { - log.V(1).Infof("client_auth not provided, using defaults.") - userAuth = defUserAuth - } + if isFlagPassed("client_auth") { + log.V(1).Infof("client_auth provided") + }else { + log.V(1).Infof("client_auth not provided, using defaults.") + userAuth = defUserAuth + } - switch { - case *port <= 0: - log.Errorf("port must be > 0.") - return + switch { + case *port <= 0: + log.Errorf("port must be > 0.") + return } - gnmi.JwtRefreshInt = time.Duration(*jwtRefInt*uint64(time.Second)) - gnmi.JwtValidInt = time.Duration(*jwtValInt*uint64(time.Second)) - - cfg := &gnmi.Config{} - cfg.Port = int64(*port) - var opts []grpc.ServerOption - - if !*noTLS { - var certificate tls.Certificate - var err error - if *insecure { - certificate, err = testcert.NewCert() - if err != nil { - log.Exitf("could not load server key pair: %s", err) - } - } else { - switch { - case *serverCert == "": - log.Errorf("serverCert must be set.") - return - case *serverKey == "": - log.Errorf("serverKey must be set.") - return - } - certificate, err = tls.LoadX509KeyPair(*serverCert, *serverKey) - if err != nil { - log.Exitf("could not load server key pair: %s", err) - } - } - - tlsCfg := &tls.Config{ - ClientAuth: tls.RequireAndVerifyClientCert, - Certificates: 
[]tls.Certificate{certificate}, - MinVersion: tls.VersionTLS12, - CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, - PreferServerCipherSuites: true, - CipherSuites: []uint16{ - tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, - tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, - tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - }, - } - - if *allowNoClientCert { - // RequestClientCert will ask client for a certificate but won't - // require it to proceed. If certificate is provided, it will be - // verified. - tlsCfg.ClientAuth = tls.RequestClientCert - } - - if *caCert != "" { - ca, err := ioutil.ReadFile(*caCert) - if err != nil { - log.Exitf("could not read CA certificate: %s", err) - } - certPool := x509.NewCertPool() - if ok := certPool.AppendCertsFromPEM(ca); !ok { - log.Exit("failed to append CA certificate") - } - tlsCfg.ClientCAs = certPool - } else { - if userAuth.Enabled("cert") { - userAuth.Unset("cert") - log.Warning("client_auth mode cert requires ca_crt option. 
Disabling cert mode authentication.") - } - } - - opts = []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsCfg))} - cfg := &gnmi.Config{} - cfg.Port = int64(*port) - cfg.UserAuth = userAuth - - gnmi.GenerateJwtSecretKey() - } + gnmi.JwtRefreshInt = time.Duration(*jwtRefInt*uint64(time.Second)) + gnmi.JwtValidInt = time.Duration(*jwtValInt*uint64(time.Second)) + + cfg := &gnmi.Config{} + cfg.Port = int64(*port) + var opts []grpc.ServerOption + + if !*noTLS { + var certificate tls.Certificate + var err error + if *insecure { + certificate, err = testcert.NewCert() + if err != nil { + log.Exitf("could not load server key pair: %s", err) + } + } else { + switch { + case *serverCert == "": + log.Errorf("serverCert must be set.") + return + case *serverKey == "": + log.Errorf("serverKey must be set.") + return + } + certificate, err = tls.LoadX509KeyPair(*serverCert, *serverKey) + if err != nil { + log.Exitf("could not load server key pair: %s", err) + } + } + + tlsCfg := &tls.Config{ + ClientAuth: tls.RequireAndVerifyClientCert, + Certificates: []tls.Certificate{certificate}, + MinVersion: tls.VersionTLS12, + CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, + PreferServerCipherSuites: true, + CipherSuites: []uint16{ + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + }, + } + + if *allowNoClientCert { + // RequestClientCert will ask client for a certificate but won't + // require it to proceed. If certificate is provided, it will be + // verified. 
+ tlsCfg.ClientAuth = tls.RequestClientCert + } + + if *caCert != "" { + ca, err := ioutil.ReadFile(*caCert) + if err != nil { + log.Exitf("could not read CA certificate: %s", err) + } + certPool := x509.NewCertPool() + if ok := certPool.AppendCertsFromPEM(ca); !ok { + log.Exit("failed to append CA certificate") + } + tlsCfg.ClientCAs = certPool + } else { + if userAuth.Enabled("cert") { + userAuth.Unset("cert") + log.Warning("client_auth mode cert requires ca_crt option. Disabling cert mode authentication.") + } + } + + opts = []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsCfg))} + cfg := &gnmi.Config{} + cfg.Port = int64(*port) + cfg.UserAuth = userAuth + + gnmi.GenerateJwtSecretKey() + } - s, err := gnmi.NewServer(cfg, opts) - if err != nil { - log.Errorf("Failed to create gNMI server: %v", err) - return - } + s, err := gnmi.NewServer(cfg, opts) + if err != nil { + log.Errorf("Failed to create gNMI server: %v", err) + return + } - go SignalHandler(s, signalChannel) + go SignalHandler(s, signalChannel) - log.V(1).Infof("Auth Modes: ", userAuth) - log.V(1).Infof("Starting RPC server on address: %s", s.Address()) - s.Serve() // blocks until close - log.Flush() - } + log.V(1).Infof("Auth Modes: ", userAuth) + log.V(1).Infof("Starting RPC server on address: %s", s.Address()) + s.Serve() // blocks until close + log.Flush() + } } func isFlagPassed(name string) bool {
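Review bot: The doc comment on `SignalHandler` drifts further from what the function does in this hunk: "Once it receives this signal" becomes "Once it receives signal" (dropping the article), and the second sentence still promises that a new server instance will be created with updated certificate and key files, which is done by the `for` loop in `main`, not by this function — it only stops the server it was handed. Suggest `// SignalHandler blocks until a SIGHUP arrives on signalChannel, then stops server. The caller (main's restart loop) is responsible for rebuilding the server with freshly read certificate and key files.`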