allowed wildcard domain

docker/Makefile

@@ -48,11 +48,11 @@ clean:
 certstrap:
 	go get github.com/square/certstrap
 	certstrap --depot-path compose/tls init --passphrase "" --common-name "SeaweedFS CA" || true
-	certstrap --depot-path compose/tls request-cert --passphrase "" --common-name volume01 || true
-	certstrap --depot-path compose/tls request-cert --passphrase "" --common-name master01 || true
-	certstrap --depot-path compose/tls request-cert --passphrase "" --common-name filer01 || true
-	certstrap --depot-path compose/tls request-cert --passphrase "" --common-name client01 || true
-	certstrap --depot-path compose/tls sign --CA "SeaweedFS CA" volume01 || true
-	certstrap --depot-path compose/tls sign --CA "SeaweedFS CA" master01 || true
-	certstrap --depot-path compose/tls sign --CA "SeaweedFS CA" filer01 || true
-	certstrap --depot-path compose/tls sign --CA "SeaweedFS CA" client01 || true
+	certstrap --depot-path compose/tls request-cert --passphrase "" --common-name volume01.dev || true
+	certstrap --depot-path compose/tls request-cert --passphrase "" --common-name master01.dev || true
+	certstrap --depot-path compose/tls request-cert --passphrase "" --common-name filer01.dev || true
+	certstrap --depot-path compose/tls request-cert --passphrase "" --common-name client01.dev || true
+	certstrap --depot-path compose/tls sign --CA "SeaweedFS CA" volume01.dev || true
+	certstrap --depot-path compose/tls sign --CA "SeaweedFS CA" master01.dev || true
+	certstrap --depot-path compose/tls sign --CA "SeaweedFS CA" filer01.dev || true
+	certstrap --depot-path compose/tls sign --CA "SeaweedFS CA" client01.dev || true

docker/compose/tls.env

@@ -1,13 +1,10 @@
 WEED_GRPC_CA=/etc/seaweedfs/tls/SeaweedFS_CA.crt
-WEED_GRPC_MASTER_CERT=/etc/seaweedfs/tls/master01.crt
-WEED_GRPC_MASTER_KEY=/etc/seaweedfs/tls/master01.key
-WEED_GRPC_VOLUME_CERT=/etc/seaweedfs/tls/volume01.crt
-WEED_GRPC_VOLUME_KEY=/etc/seaweedfs/tls/volume01.key
-WEED_GRPC_FILER_CERT=/etc/seaweedfs/tls/filer01.crt
-WEED_GRPC_FILER_KEY=/etc/seaweedfs/tls/filer01.key
-WEED_GRPC_CLIENT_CERT=/etc/seaweedfs/tls/client01.crt
-WEED_GRPC_CLIENT_KEY=/etc/seaweedfs/tls/client01.key
-WEED_GRPC_MASTER_ALLOWED_COMMONNAMES="volume01,master01,filer01,client01"
-WEED_GRPC_VOLUME_ALLOWED_COMMONNAMES="volume01,master01,filer01,client01"
-WEED_GRPC_FILER_ALLOWED_COMMONNAMES="volume01,master01,filer01,client01"
-WEED_GRPC_CLIENT_ALLOWED_COMMONNAMES="volume01,master01,filer01,client01"
+WEED_GRPC_ALLOWED_WILDCARD_DOMAIN=".dev"
+WEED_GRPC_MASTER_CERT=/etc/seaweedfs/tls/master01.dev.crt
+WEED_GRPC_MASTER_KEY=/etc/seaweedfs/tls/master01.dev.key
+WEED_GRPC_VOLUME_CERT=/etc/seaweedfs/tls/volume01.dev.crt
+WEED_GRPC_VOLUME_KEY=/etc/seaweedfs/tls/volume01.dev.key
+WEED_GRPC_FILER_CERT=/etc/seaweedfs/tls/filer01.dev.crt
+WEED_GRPC_FILER_KEY=/etc/seaweedfs/tls/filer01.dev.key
+WEED_GRPC_CLIENT_CERT=/etc/seaweedfs/tls/client01.dev.crt
+WEED_GRPC_CLIENT_KEY=/etc/seaweedfs/tls/client01.dev.key

weed/command/scaffold.go

@@ -440,6 +440,7 @@ expires_after_seconds = 10           # seconds
 # the host name is not checked, so the PERM files can be shared.
 [grpc]
 ca = ""
+allowed_wildcard_domain = "" # .mycompany.com
 
 [grpc.volume]
 cert = ""

weed/security/tls.go

@@ -19,7 +19,8 @@ import (
 )
 
 type Authenticator struct {
-	PermitCommonNames map[string]bool
+	AllowedWildcardDomain string
+	AllowedCommonNames    map[string]bool
 }
 
 func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption, grpc.ServerOption) {
@@ -49,14 +50,16 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption
 		ClientAuth:   tls.RequireAndVerifyClientCert,
 	})
 
-	permitCommonNames := strings.Split(config.GetString(component+".allowed_commonNames"), ",")
-	if len(permitCommonNames) > 0 {
-		permitCommonNamesMap := make(map[string]bool)
-		for _, s := range permitCommonNames {
-			permitCommonNamesMap[s] = true
+	allowedCommonNames := strings.Split(config.GetString(component+".allowed_commonNames"), ",")
+	allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")
+	if len(allowedCommonNames) > 0 || allowedWildcardDomain != "" {
+		allowedCommonNamesMap := make(map[string]bool)
+		for _, s := range allowedCommonNames {
+			allowedCommonNamesMap[s] = true
 		}
 		auther := Authenticator{
-			PermitCommonNames: permitCommonNamesMap,
+			AllowedCommonNames:    allowedCommonNamesMap,
+			AllowedWildcardDomain: allowedWildcardDomain,
 		}
 		return grpc.Creds(ta), grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(auther.Authenticate))
 	}
@@ -109,9 +112,12 @@ func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context
 	if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 {
 		return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
 	}
-
-	if _, ok := a.PermitCommonNames[tlsAuth.State.VerifiedChains[0][0].Subject.CommonName]; !ok {
-		return ctx, status.Error(codes.Unauthenticated, "invalid subject common name")
+	commonName := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName
+	if a.AllowedWildcardDomain != "" && strings.HasSuffix(commonName, a.AllowedWildcardDomain) {
+		return ctx, nil
 	}
-	return ctx, nil
+	if _, ok := a.AllowedCommonNames[commonName]; ok {
+		return ctx, nil
+	}
+	return ctx, status.Error(codes.Unauthenticated, "invalid subject common name")
 }