Posted to user@thrift.apache.org by Anatol Pomozov <an...@gmail.com> on 2020/02/11 07:26:16 UTC

Fwd: Access to SSL connection state in Thrift Go handler

Hello folks

I have a simple Thrift server that utilizes TLS. I was using the sample code
and it works fine:

protocolFactory := thrift.NewTBinaryProtocolFactoryDefault()
transportFactory := thrift.NewTBufferedTransportFactory(8192)
transport, err := thrift.NewTSSLServerSocket(ADDRESS, tlsConf)
handler := &MyHandler{}
processor := my.NewMyProcessor(handler)
server := thrift.NewTSimpleServer4(processor, transport, transportFactory, protocolFactory)

I see a client (also written in Go) can connect to the server and call the
following function:

func (p *MyHandler) GetKey(ctx context.Context, req *KeyRequest) (resp *KeyResponse, err error) {
    return nil, &KeyNotFound{}
}

In my handler function I want to get information about the client's
certificate to get its id, and for that I need the
https://golang.org/pkg/crypto/tls/#Conn.ConnectionState struct from the
Connection object.

So my question: how do I get access to the TLS connection info from my
handler? I tried to google this but did not find any good examples on the
topic.

Re: Access to SSL connection state in Thrift Go handler

Posted by Duru Can Celasun <dc...@apache.org>.
We definitely won't be exposing any transport level information to the handlers, which must remain transport agnostic.

Yuxuan's example is definitely the way to go. Personally I'd just copy TSimpleServer into my own code, modify processRequests and inject whatever is needed into the context.

On Tue, 11 Feb 2020, at 17:58, Yuxuan Wang wrote:
> I'm most certain that we don't want to expose the raw connection object to the handler functions. That opens a whole new can of worms you don't want to deal with (they can do all sorts of crazy things with the connection object).
> 
> If you don't want to modify the library code, one possible way is to implement your own version of TSSLServerSocket.
> 
> On Tue, Feb 11, 2020 at 9:56 AM Anatol Pomozov <an...@gmail.com> wrote:
>> Hello
>> 
>> On Tue, Feb 11, 2020 at 9:21 AM Yuxuan Wang <yu...@reddit.com> wrote:
>>> I believe you can't get that in your handler function now. You'll need to make some changes to the library code to inject the info into the context object passed to the handlers.
>>> 
>>> The easiest way to do so is probably similar to how we inject THeader headers here: https://github.com/apache/thrift/blob/ded326101af3c6c9daad9814ce6404d385f36a1f/lib/go/thrift/simple_server.go#L281-L293, basically check if outputTransport is wrapping TSSLSocket, and get the ConnectionState struct there. But "wrapping" is the tricky word here, as we rarely use TSSLSocket directly, and it's usually wrapped in layers of transport wrappers, and there's no common interface to unwrap them.
>> 
>> Thank you for the information. I wonder if in this case it would be better to "wrap" the Connection object, which might be useful for other operations.
>> 
>> While modifying the library itself is one option, I wonder whether there are other possibilities. For example, avoid using thrift.NewTSimpleServer4 and handle incoming connections in the application code itself, something like what simple_server.go does but explicitly in the code. Is this doable, and if so, are there any good examples that achieve it?
>> 
>>> If you do want to go that route, please create a JIRA ticket first: https://issues.apache.org/jira/browse/THRIFT
>>> 

Re: Access to SSL connection state in Thrift Go handler

Posted by Anatol Pomozov <an...@gmail.com>.
Hello

On Tue, Feb 11, 2020 at 9:21 AM Yuxuan Wang <yu...@reddit.com> wrote:

> I believe you can't get that in your handler function now. You'll need to
> make some changes to the library code to inject the info into the context
> object passed to the handlers.
>
> The easiest way to do so is probably similar to how we inject THeader
> headers here:
> https://github.com/apache/thrift/blob/ded326101af3c6c9daad9814ce6404d385f36a1f/lib/go/thrift/simple_server.go#L281-L293,
> basically check if outputTransport is wrapping TSSLSocket, and get the
> ConnectionState struct there. But "wrapping" is the tricky word here, as we
> rarely use TSSLSocket directly, and it's usually wrapped in layers of
> transport wrappers, and there's no common interface to unwrap them.
>

Thank you for the information. I wonder if in this case it would be better
to "wrap" the Connection object, which might be useful for other operations.

While modifying the library itself is one option, I wonder whether there are
other possibilities. For example, avoid using thrift.NewTSimpleServer4 and
handle incoming connections in the application code itself, something like
what simple_server.go does but explicitly in the code. Is this doable, and if
so, are there any good examples that achieve it?


> If you do want to go that route, please create a JIRA ticket first:
> https://issues.apache.org/jira/browse/THRIFT
>