consul/agent/grpc-external/server.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package external

import (
	"context"
	"fmt"
	"strings"
	"time"

	"github.com/armon/go-metrics"
	middleware "github.com/grpc-ecosystem/go-grpc-middleware"
	recovery "github.com/grpc-ecosystem/go-grpc-middleware/recovery"
	"github.com/hashi-derek/grpc-proxy/proxy"
	"github.com/hashicorp/go-hclog"
	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/keepalive"
	"google.golang.org/grpc/metadata"
	"google.golang.org/grpc/status"

	"github.com/hashicorp/consul/agent/consul/rate"
	agentmiddleware "github.com/hashicorp/consul/agent/grpc-middleware"
	"github.com/hashicorp/consul/tlsutil"
)

const FORWARD_SERVICE_NAME_PREFIX = "/hashicorp.consul."

var (
	metricsLabels = []metrics.Label{{
		Name:  "server_type",
		Value: "external",
	}}
)

// NewServer constructs a gRPC server for the external gRPC port, to which
// handlers can be registered.
func NewServer(
	logger hclog.Logger,
	metricsObj *metrics.Metrics,
	tls *tlsutil.Configurator,
	limiter rate.RequestLimitsHandler,
	keepaliveParams keepalive.ServerParameters,
	serverConn *grpc.ClientConn,
) *grpc.Server {
	if metricsObj == nil {
		metricsObj = metrics.Default()
	}
	recoveryOpts := agentmiddleware.PanicHandlerMiddlewareOpts(logger)

	unaryInterceptors := []grpc.UnaryServerInterceptor{
		// Add middlware interceptors to recover in case of panics.
		recovery.UnaryServerInterceptor(recoveryOpts...),
	}
	streamInterceptors := []grpc.StreamServerInterceptor{
		// Add middlware interceptors to recover in case of panics.
		recovery.StreamServerInterceptor(recoveryOpts...),
		agentmiddleware.NewActiveStreamCounter(metricsObj, metricsLabels).Intercept,
	}

	if tls != nil {
		// Attach TLS middleware if TLS is provided.
		authInterceptor := agentmiddleware.AuthInterceptor{TLS: tls, Logger: logger}
		unaryInterceptors = append(unaryInterceptors, authInterceptor.InterceptUnary)
		streamInterceptors = append(streamInterceptors, authInterceptor.InterceptStream)
	}
	opts := []grpc.ServerOption{
		grpc.MaxConcurrentStreams(2048),
		grpc.MaxRecvMsgSize(50 * 1024 * 1024),
		grpc.InTapHandle(agentmiddleware.ServerRateLimiterMiddleware(limiter, agentmiddleware.NewPanicHandler(logger), logger)),
		grpc.StatsHandler(agentmiddleware.NewStatsHandler(metricsObj, metricsLabels)),
		middleware.WithUnaryServerChain(unaryInterceptors...),
		middleware.WithStreamServerChain(streamInterceptors...),
		grpc.KeepaliveParams(keepaliveParams),
		grpc.KeepaliveEnforcementPolicy(keepalive.EnforcementPolicy{
			// This must be less than the keealive.ClientParameters Time setting, otherwise
			// the server will disconnect the client for sending too many keepalive pings.
			// Currently the client param is set to 30s.
			MinTime: 15 * time.Second,
		}),
	}

	// forward FORWARD_SERVICE_NAME_PREFIX services from client agent to server agent
	if serverConn != nil {
		opts = append(opts, grpc.UnknownServiceHandler(proxy.TransparentHandler(makeDirector(serverConn, logger))))
	}

	if tls != nil {
		// Attach TLS credentials, if provided.
		tlsCreds := agentmiddleware.NewOptionalTransportCredentials(
			credentials.NewTLS(tls.IncomingGRPCConfig()),
			logger)
		opts = append(opts, grpc.Creds(tlsCreds))
	}
	return grpc.NewServer(opts...)
}

func makeDirector(serverConn *grpc.ClientConn, logger hclog.Logger) func(ctx context.Context, fullMethodName string) (context.Context, *grpc.ClientConn, error) {
	return func(ctx context.Context, fullMethodName string) (context.Context, *grpc.ClientConn, error) {
		var mdCopy metadata.MD
		md, ok := metadata.FromIncomingContext(ctx)
		if !ok {
			mdCopy = metadata.MD{}
		} else {
			mdCopy = md.Copy()
		}
		outCtx := metadata.NewOutgoingContext(ctx, mdCopy)

		logger.Debug("forwarding the request to the consul server", "method", fullMethodName)
		// throw unimplemented error if the method is not meant to be forwarded
		if !strings.HasPrefix(fullMethodName, FORWARD_SERVICE_NAME_PREFIX) {
			return outCtx, nil, status.Errorf(codes.Unimplemented, fmt.Sprintf("Unknown method %s", fullMethodName))
		}

		return outCtx, serverConn, nil
	}
}