Merge insecureGRPC and insecureJSONRPC (#435)

Create insecureTransport as a unification of insecureGRPC and insecureJSONRPC.
kolide · Feb 27, 2019 · 69bed63 · 69bed63
1 parent 61f1d0e
commit 69bed63
Show file tree

Hide file tree

Showing 9 changed files with 50 additions and 38 deletions.
diff --git a/cmd/grpc.ext/grpc.go b/cmd/grpc.ext/grpc.go
@@ -55,10 +55,10 @@ func main() {
 		enrollSecret  = env.String("KOLIDE_LAUNCHER_ENROLL_SECRET", "")
 		rootDirectory = env.String("KOLIDE_LAUNCHER_ROOT_DIRECTORY", "")
 
-		serverURL       = env.String("KOLIDE_LAUNCHER_HOSTNAME", "")
-		insecureTLS     = env.Bool("KOLIDE_LAUNCHER_INSECURE", false)
-		insecureGRPC    = env.Bool("KOLIDE_LAUNCHER_INSECURE_GRPC", false)
-		loggingInterval = env.Duration("KOLIDE_LAUNCHER_LOGGING_INTERVAL", 60*time.Second)
+		serverURL         = env.String("KOLIDE_LAUNCHER_HOSTNAME", "")
+		insecureTLS       = env.Bool("KOLIDE_LAUNCHER_INSECURE", false)
+		insecureTransport = env.Bool("KOLIDE_LAUNCHER_INSECURE_TRANSPORT", false)
+		loggingInterval   = env.Duration("KOLIDE_LAUNCHER_LOGGING_INTERVAL", 60*time.Second)
 
 		// TODO(future pr): these values are unset
 		// they'll have to be parsed from a string
@@ -68,7 +68,7 @@ func main() {
 	conn, err := service.DialGRPC(
 		serverURL,
 		insecureTLS,
-		insecureGRPC,
+		insecureTransport,
 		certPins,
 		rootPool,
 		logger,

diff --git a/cmd/launcher/README.md b/cmd/launcher/README.md
@@ -35,9 +35,13 @@ To use The Launcher to easily connect osquery to a server that is compliant with
   --enroll_secret=32IeN3QLgckHUmMD3iW40kyLdNJcGzP5
 ```
 
-You can also define the enroll secret via a file path (`--enroll_secret_path`) or an environment variable (`KOLIDE_LAUNCHER_ENROLL_SECRET`). See `launcher --help` for more information.
+You can also define the enroll secret via a file path
+(`--enroll_secret_path`) or an environment variable
+(`KOLIDE_LAUNCHER_ENROLL_SECRET`). See `launcher --help` for more
+information.
 
-You may need to define the `--insecure` and/or `--insecure_grpc` flag depending on your server configurations.
+Depending on your transport configuration, you may need any of the
+`--transport`, `--insecure` or `--insecure_transport` flags.
 
 ### Running an extension socket
 

diff --git a/cmd/launcher/flare.go b/cmd/launcher/flare.go
@@ -34,11 +34,11 @@ func runFlare(args []string) error {
 		flHostname = flag.String("hostname", "dababe.launcher.kolide.com:443", "")
 
 		// not documented via flags on purpose
-		enrollSecret    = env.String("KOLIDE_LAUNCHER_ENROLL_SECRET", "flare_ping")
-		serverURL       = env.String("KOLIDE_LAUNCHER_HOSTNAME", *flHostname)
-		insecureTLS     = env.Bool("KOLIDE_LAUNCHER_INSECURE", false)
-		insecureGRPC    = env.Bool("KOLIDE_LAUNCHER_INSECURE_GRPC", false)
-		flareSocketPath = env.String("FLARE_SOCKET_PATH", filepath.Join(os.TempDir(), "flare.sock"))
+		enrollSecret      = env.String("KOLIDE_LAUNCHER_ENROLL_SECRET", "flare_ping")
+		serverURL         = env.String("KOLIDE_LAUNCHER_HOSTNAME", *flHostname)
+		insecureTLS       = env.Bool("KOLIDE_LAUNCHER_INSECURE", false)
+		insecureTransport = env.Bool("KOLIDE_LAUNCHER_INSECURE_TRANSPORT", false)
+		flareSocketPath   = env.String("FLARE_SOCKET_PATH", filepath.Join(os.TempDir(), "flare.sock"))
 
 		certPins [][]byte
 		rootPool *x509.CertPool
@@ -115,7 +115,7 @@ func runFlare(args []string) error {
 		logger,
 		serverURL,
 		insecureTLS,
-		insecureGRPC,
+		insecureTransport,
 		enrollSecret,
 		certPins,
 		rootPool,
@@ -259,7 +259,7 @@ func reportGRPCNetwork(
 	logger log.Logger,
 	serverURL string,
 	insecureTLS bool,
-	insecureGRPC bool,
+	insecureTransport bool,
 	enrollSecret string,
 	certPins [][]byte,
 	rootPool *x509.CertPool,
@@ -270,7 +270,7 @@ func reportGRPCNetwork(
 	conn, err := service.DialGRPC(
 		serverURL,
 		insecureTLS,
-		insecureGRPC,
+		insecureTransport,
 		certPins,
 		rootPool,
 		logger,

diff --git a/cmd/launcher/launcher.go b/cmd/launcher/launcher.go
@@ -250,7 +250,7 @@ func runLauncher(ctx context.Context, cancel func(), opts *options, logger log.L
 	{
 		switch opts.transport {
 		case "grpc":
-			grpcConn, err := service.DialGRPC(opts.kolideServerURL, opts.insecureTLS, opts.insecureGRPC, opts.certPins, rootPool, logger)
+			grpcConn, err := service.DialGRPC(opts.kolideServerURL, opts.insecureTLS, opts.insecureTransport, opts.certPins, rootPool, logger)
 			if err != nil {
 				return errors.Wrap(err, "dialing grpc server")
 			}
@@ -259,7 +259,7 @@ func runLauncher(ctx context.Context, cancel func(), opts *options, logger log.L
 			queryTargeter := createQueryTargetUpdater(logger, db, grpcConn)
 			runGroup.Add(queryTargeter.Execute, queryTargeter.Interrupt)
 		case "jsonrpc":
-			client = service.NewJSONRPCClient(opts.kolideServerURL, opts.insecureTLS, opts.insecureJSONRPC, opts.certPins, rootPool, logger)
+			client = service.NewJSONRPCClient(opts.kolideServerURL, opts.insecureTLS, opts.insecureTransport, opts.certPins, rootPool, logger)
 		default:
 			return errors.New("invalid transport option selected")
 		}

diff --git a/cmd/launcher/options.go b/cmd/launcher/options.go
@@ -37,8 +37,7 @@ type options struct {
 	debug              bool
 	disableControlTLS  bool
 	insecureTLS        bool
-	insecureGRPC       bool
-	insecureJSONRPC    bool
+	insecureTransport  bool
 	notaryServerURL    string
 	mirrorServerURL    string
 	autoupdateInterval time.Duration
@@ -85,8 +84,7 @@ func parseOptions(args []string) (*options, error) {
 		flDebug             = flagset.Bool("debug", false, "Whether or not debug logging is enabled (default: false)")
 		flDeveloperUsage    = flagset.Bool("dev_help", false, "Print full Launcher help, including developer options")
 		flDisableControlTLS = flagset.Bool("disable_control_tls", false, "Disable TLS encryption for the control features")
-		flInsecureGRPC      = flagset.Bool("insecure_grpc", false, "Dial GRPC without a TLS config (default: false)")
-		flInsecureJSONRPC   = flagset.Bool("insecure_jsonrpc", false, "Use JSONPRC without a tls config (default: false)")
+		flInsecureTransport = flagset.Bool("insecure_transport", false, "Do not use TLS for transport layer (default: false)")
 		flInsecureTLS       = flagset.Bool("insecure", false, "Do not verify TLS certs for outgoing connections (default: false)")
 	)
 	ff.Parse(flagset, args,
@@ -160,8 +158,7 @@ func parseOptions(args []string) (*options, error) {
 		debug:               *flDebug,
 		disableControlTLS:   *flDisableControlTLS,
 		insecureTLS:         *flInsecureTLS,
-		insecureGRPC:        *flInsecureGRPC,
-		insecureJSONRPC:     *flInsecureJSONRPC,
+		insecureTransport:   *flInsecureTransport,
 		notaryServerURL:     *flNotaryServerURL,
 		mirrorServerURL:     *flMirrorURL,
 		autoupdateInterval:  *flAutoupdateInterval,
@@ -243,7 +240,7 @@ func developerUsage(flagset *flag.FlagSet) {
 	printOpt("debug")
 	fmt.Fprintf(os.Stderr, "\n")
 	printOpt("insecure")
-	printOpt("insecure_grpc")
+	printOpt("insecure_transport")
 	fmt.Fprintf(os.Stderr, "\n")
 	printOpt("logging_interval")
 	fmt.Fprintf(os.Stderr, "\n")

diff --git a/cmd/package-builder/package-builder.go b/cmd/package-builder/package-builder.go
@@ -69,15 +69,20 @@ func runMake(args []string) error {
 			env.String("SIGNING_KEY", ""),
 			"The name of the key that should be used to packages. Behavior is platform and packaging specific",
 		)
+		flTransport = flagset.String(
+			"transport",
+			env.String("TRANSPORT", ""),
+			"Transport for launcher. Expected as grpc, jsonrpc. Default is up to launcher",
+		)
 		flInsecure = flagset.Bool(
 			"insecure",
 			env.Bool("INSECURE", false),
 			"whether or not the launcher packages should invoke the launcher's --insecure flag",
 		)
-		flInsecureGrpc = flagset.Bool(
-			"insecure_grpc",
-			env.Bool("INSECURE_GRPC", false),
-			"whether or not the launcher packages should invoke the launcher's --insecure_grpc flag",
+		flInsecureTransport = flagset.Bool(
+			"insecure_transport",
+			env.Bool("INSECURE_TRANSPORT", false),
+			"whether or not the launcher packages should invoke the launcher's --insecure_transport flag",
 		)
 		flAutoupdate = flagset.Bool(
 			"autoupdate",
@@ -194,8 +199,9 @@ func runMake(args []string) error {
 		Hostname:          *flHostname,
 		Secret:            *flEnrollSecret,
 		SigningKey:        *flSigningKey,
+		Transport:         *flTransport,
 		Insecure:          *flInsecure,
-		InsecureGrpc:      *flInsecureGrpc,
+		InsecureTransport: *flInsecureTransport,
 		Autoupdate:        *flAutoupdate,
 		UpdateChannel:     *flUpdateChannel,
 		Control:           *flControl,

diff --git a/pkg/packaging/packaging.go b/pkg/packaging/packaging.go
@@ -33,8 +33,9 @@ type PackageOptions struct {
 	Hostname          string
 	Secret            string
 	SigningKey        string
+	Transport         string
 	Insecure          bool
-	InsecureGrpc      bool
+	InsecureTransport bool
 	Autoupdate        bool
 	UpdateChannel     string
 	Control           bool
@@ -129,8 +130,12 @@ func (p *PackageOptions) Build(ctx context.Context, packageWriter io.Writer, tar
 		launcherBoolFlags = append(launcherBoolFlags, "disable_control_tls")
 	}
 
-	if p.InsecureGrpc {
-		launcherBoolFlags = append(launcherBoolFlags, "insecure_grpc")
+	if p.Transport != "" {
+		launcherMapFlags["transport"] = p.Transport
+	}
+
+	if p.InsecureTransport {
+		launcherBoolFlags = append(launcherBoolFlags, "insecure_transport")
 	}
 
 	if p.Insecure {

diff --git a/pkg/service/client_grpc.go b/pkg/service/client_grpc.go
@@ -102,7 +102,7 @@ func NewGRPCClient(conn *grpc.ClientConn, logger log.Logger) KolideService {
 func DialGRPC(
 	serverURL string,
 	insecureTLS bool,
-	insecureGRPC bool,
+	insecureTransport bool,
 	certPins [][]byte,
 	rootPool *x509.CertPool,
 	logger log.Logger,
@@ -112,13 +112,13 @@ func DialGRPC(
 		"msg", "dialing grpc server",
 		"server", serverURL,
 		"tls_secure", insecureTLS == false,
-		"grpc_secure", insecureGRPC == false,
+		"transport_secure", insecureTransport == false,
 		"cert_pinning", len(certPins) > 0,
 	)
 	grpcOpts := []grpc.DialOption{
 		grpc.WithTimeout(time.Second),
 	}
-	if insecureGRPC {
+	if insecureTransport {
 		grpcOpts = append(grpcOpts, grpc.WithInsecure())
 	} else {
 		host, _, err := net.SplitHostPort(serverURL)

diff --git a/pkg/service/client_jsonrpc.go b/pkg/service/client_jsonrpc.go
@@ -43,7 +43,7 @@ func forceNoChunkedEncoding(ctx context.Context, r *http.Request) context.Contex
 func NewJSONRPCClient(
 	serverURL string,
 	insecureTLS bool,
-	insecureJSONRPC bool,
+	insecureTransport bool,
 	certPins [][]byte,
 	rootPool *x509.CertPool,
 	logger log.Logger,
@@ -53,7 +53,7 @@ func NewJSONRPCClient(
 		Host:   serverURL,
 	}
 
-	if insecureJSONRPC {
+	if insecureTransport {
 		serviceURL.Scheme = "http"
 	}
 
@@ -63,7 +63,7 @@ func NewJSONRPCClient(
 			DisableKeepAlives: true,
 		},
 	}
-	if !insecureJSONRPC {
+	if !insecureTransport {
 		tlsConfig := makeTLSConfig(serverURL, insecureTLS, certPins, rootPool, logger)
 		httpClient.Transport = &http.Transport{
 			TLSClientConfig:   tlsConfig,