From 6aad159cabcde77af632eec1534d648061e52332 Mon Sep 17 00:00:00 2001
From: Sergiusz Bazanski <q3k@q3k.org>
Date: Sun, 21 Apr 2019 01:32:44 +0200
Subject: [PATCH] add hspki_disable and client logic

---
 grpc.go | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/grpc.go b/grpc.go
index 5f9be78..9e60d6c 100644
--- a/grpc.go
+++ b/grpc.go
@@ -38,6 +38,7 @@ var (
 	flagCertificatePath string
 	flagKeyPath         string
 	flagPKIRealm        string
+	flagPKIDisable      bool
 
 	// Enable logging HSPKI info into traces
 	Trace = true
@@ -53,6 +54,7 @@ func init() {
 	flag.StringVar(&flagCertificatePath, "hspki_tls_certificate_path", "pki/service.pem", "Path to PKI service certificate")
 	flag.StringVar(&flagKeyPath, "hspki_tls_key_path", "pki/service-key.pem", "Path to PKI service private key")
 	flag.StringVar(&flagPKIRealm, "hspki_realm", "svc.cluster.local", "PKI realm")
+	flag.BoolVar(&flagPKIDisable, "hspki_disable", false, "Disable PKI entirely (insecure!)")
 	Log.SetHandler(log.DiscardHandler())
 }
 
@@ -166,6 +168,9 @@ func WithServerHSPKI() []grpc.ServerOption {
 		log.Crit("WithServerHSPKI called before flag.Parse!")
 		os.Exit(1)
 	}
+	if flagPKIDisable {
+		return []grpc.ServerOption{}
+	}
 	serverCert, err := tls.LoadX509KeyPair(flagCertificatePath, flagKeyPath)
 	if err != nil {
 		log.Crit("WithServerHSPKI: cannot load service certificate/key", "err", err)
@@ -193,3 +198,38 @@ func WithServerHSPKI() []grpc.ServerOption {
 
 	return []grpc.ServerOption{creds, interceptor}
 }
+
+// WithClientHSPKI is a grpc.DialOption that ensures that we have the right credentials
+// loaded when talking to a HSPKI service.
+func WithClientHSPKI() grpc.DialOption {
+	if !flag.Parsed() {
+		log.Crit("WithServerHSPKI called before flag.Parse!")
+		os.Exit(1)
+	}
+	if flagPKIDisable {
+		return grpc.WithInsecure()
+	}
+
+	certPool := x509.NewCertPool()
+	ca, err := ioutil.ReadFile(flagCAPath)
+	if err != nil {
+		log.Crit("WithClientHSPKI: cannot load CA certificate", "err", err)
+		os.Exit(1)
+	}
+	if ok := certPool.AppendCertsFromPEM(ca); !ok {
+		log.Crit("WithClientHSPKI: cannot use CA certificate", "err", err)
+		os.Exit(1)
+	}
+
+	clientCert, err := tls.LoadX509KeyPair(flagCertificatePath, flagKeyPath)
+	if err != nil {
+		log.Crit("WithClientHSPKI: cannot load service certificate/key", "err", err)
+		os.Exit(1)
+	}
+
+	creds := credentials.NewTLS(&tls.Config{
+		Certificates: []tls.Certificate{clientCert},
+		RootCAs:      certPool,
+	})
+	return grpc.WithTransportCredentials(creds)
+}