feat(gm): support GM

Author: Zippo-Wang

go.mod

@@ -14,6 +14,7 @@ require (
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.0
+	github.com/tjfoc/gmsm v1.4.2-0.20220114090716-36b992c51540
 	golang.org/x/net v0.17.0
 	golang.org/x/sync v0.4.0
 	golang.org/x/sys v0.14.0
@@ -54,6 +55,7 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/spf13/afero v1.8.0 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
 	golang.org/x/oauth2 v0.11.0 // indirect
 	golang.org/x/term v0.14.0 // indirect
 	golang.org/x/text v0.14.0 // indirect

go.sum

@@ -319,6 +319,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/tjfoc/gmsm v1.4.2-0.20220114090716-36b992c51540 h1:Q7nxhP4rDahaXbLofX2fRX1dcEoQRvlJA0Hd2hGgh9k=
+github.com/tjfoc/gmsm v1.4.2-0.20220114090716-36b992c51540/go.mod h1:j4INPkHWMrhJb38G+J6W4Tw0AbuN8Thu3PbdVYhVcTE=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -340,8 +342,11 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -405,6 +410,7 @@ golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=

pkg/config/cloud.go

@@ -7,6 +7,8 @@ import (
 
 	"github.com/chnsz/golangsdk"
 	"github.com/chnsz/golangsdk/openstack"
+	"github.com/tjfoc/gmsm/gmtls"
+	"github.com/tjfoc/gmsm/x509"
 
 	"github.com/huaweicloud/huaweicloud-csi-driver/pkg/utils"
 )
@@ -26,6 +28,7 @@ type CloudCredentials struct {
 		SecretKey string `gcfg:"secret-key"`
 		ProjectID string `gcfg:"project-id"`
 		Idc       bool   `gcfg:"idc"`
+		GMSupport bool   `gcfg:"gm-support"`
 	}
 
 	Vpc struct {
@@ -82,8 +85,8 @@ func newServiceClient(cc *CloudCredentials, catalogName, region string) (*golang
 	if !ok {
 		return nil, fmt.Errorf("service type %s is invalid or not supportted", catalogName)
 	}
-
 	client := cc.CloudClient
+
 	// update ProjectID and region in ProviderClient
 	clone := new(golangsdk.ProviderClient)
 	*clone = *client
@@ -137,27 +140,45 @@ func (c *CloudCredentials) newCloudClient() error {
 		return err
 	}
 
-	transport := &http.Transport{
+	defaultTransport := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		TLSClientConfig: &tls.Config{
 			MinVersion:         tls.VersionTLS12,
 			InsecureSkipVerify: c.Global.Insecure,
 		},
 	}
 
+	wrappers := []utils.WrapperFunc{
+		utils.NewLogRoundTripper(),
+	}
+	if c.Global.GMSupport {
+		gmCfg := &gmtls.Config{
+			GMSupport:          &gmtls.GMSupport{WorkMode: gmtls.ModeAutoSwitch},
+			InsecureSkipVerify: true,
+			VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+				for _, v := range rawCerts {
+					_, err = x509.ParseCertificate(v)
+					if err != nil {
+						return err
+					}
+				}
+				return nil
+			},
+		}
+		wrappers = append(wrappers, utils.NewGMRoundTripper(gmCfg))
+	}
+
 	client.HTTPClient = http.Client{
-		Transport: &utils.LogRoundTripper{
-			Rt: transport,
-		},
+		Transport: utils.Wrappers(wrappers...)(defaultTransport),
 	}
 
-	err = openstack.Authenticate(client, ao)
-	if err != nil {
+	if err := openstack.Authenticate(client, ao); err != nil {
 		return err
 	}
 
 	c.CloudClient = client
 	c.CloudClient.UserAgent.Prepend(UserAgent)
+
 	return nil
 }
 

pkg/utils/gm_round_tripper.go

@@ -0,0 +1,43 @@
+package utils
+
+import (
+	"context"
+	"crypto/tls"
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/tjfoc/gmsm/gmtls"
+)
+
+func NewGMRoundTripper(cfg *gmtls.Config) WrapperFunc {
+	return func(inner http.RoundTripper) http.RoundTripper {
+		return &http.Transport{
+			Proxy: http.ProxyFromEnvironment,
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: cfg.InsecureSkipVerify,
+			},
+			DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				dialer := &net.Dialer{}
+				conn, err := gmtls.DialWithDialer(dialer, network, addr, cfg)
+				if err != nil {
+					return nil, err
+				}
+				return conn, nil
+			},
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				dialer := &net.Dialer{
+					Timeout:   10 * time.Second,
+					KeepAlive: 60 * time.Second,
+				}
+				conn, err := gmtls.DialWithDialer(dialer, network, addr, cfg)
+				if err != nil {
+					return nil, err
+				}
+				return conn, nil
+			},
+			TLSHandshakeTimeout: 15 * time.Second,
+			IdleConnTimeout:     30 * time.Second,
+		}
+	}
+}

pkg/utils/gm_round_tripper_test.go

@@ -0,0 +1,178 @@
+package utils
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/tjfoc/gmsm/gmtls"
+	"github.com/tjfoc/gmsm/x509"
+)
+
+func TestNewGMRoundTripper(t *testing.T) {
+	tests := []struct {
+		name        string
+		description string
+		cfg         *gmtls.Config
+		request     *http.Request
+		expected    bool
+	}{
+		{
+			name:        "test1",
+			description: "support both GM and no-GM encryption algorithm",
+			cfg: &gmtls.Config{
+				InsecureSkipVerify: true,
+			},
+			request:  httpNewRequest("GET", "https://sm2test.ovssl.cn", nil, t),
+			expected: false,
+		},
+		{
+			name:        "test2",
+			description: "support both GM and no-GM encryption algorithm",
+			cfg: &gmtls.Config{
+				GMSupport:          &gmtls.GMSupport{WorkMode: gmtls.ModeAutoSwitch},
+				InsecureSkipVerify: true,
+			},
+			request:  httpNewRequest("GET", "https://sm2test.ovssl.cn", nil, t),
+			expected: false,
+		},
+		{
+			name:        "test3",
+			description: "support both GM and no-GM encryption algorithm",
+			cfg: &gmtls.Config{
+				GMSupport:          &gmtls.GMSupport{WorkMode: gmtls.ModeGMSSLOnly},
+				InsecureSkipVerify: true,
+			},
+			request:  httpNewRequest("GET", "https://sm2test.ovssl.cn", nil, t),
+			expected: false,
+		},
+		{
+			name:        "test4",
+			description: "support both GM and no-GM encryption algorithm",
+			cfg: &gmtls.Config{
+				GMSupport:          &gmtls.GMSupport{WorkMode: gmtls.ModeAutoSwitch},
+				InsecureSkipVerify: true,
+				VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					for _, v := range rawCerts {
+						_, err := x509.ParseCertificate(v)
+						if err != nil {
+							return err
+						}
+					}
+					return nil
+				},
+			},
+			request:  httpNewRequest("GET", "https://sm2test.ovssl.cn", nil, t),
+			expected: false,
+		},
+		{
+			name:        "test5",
+			description: "support both GM and no-GM encryption algorithm",
+			cfg: &gmtls.Config{
+				GMSupport:          &gmtls.GMSupport{WorkMode: gmtls.ModeGMSSLOnly},
+				InsecureSkipVerify: true,
+				VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					for _, v := range rawCerts {
+						_, err := x509.ParseCertificate(v)
+						if err != nil {
+							return err
+						}
+					}
+					return nil
+				},
+			},
+			request:  httpNewRequest("GET", "https://sm2test.ovssl.cn", nil, t),
+			expected: false,
+		},
+
+		{
+			name:        "test6",
+			description: "don not support GM",
+			cfg: &gmtls.Config{
+				InsecureSkipVerify: true,
+			},
+			request:  httpNewRequest("GET", "https://baidu.com", nil, t),
+			expected: true,
+		},
+		//{
+		//	name:        "test7",
+		//	description: "don not support GM",
+		//	cfg: &gmtls.Config{
+		//		GMSupport:          &gmtls.GMSupport{WorkMode: gmtls.ModeAutoSwitch},
+		//		InsecureSkipVerify: true,
+		//	},
+		//	request:  httpNewRequest("GET", "https://baidu.com", nil, t),
+		//	expected: true,
+		//},
+		//{
+		//	name:        "test8",
+		//	description: "don not support GM",
+		//	cfg: &gmtls.Config{
+		//		GMSupport:          &gmtls.GMSupport{WorkMode: gmtls.ModeGMSSLOnly},
+		//		InsecureSkipVerify: true,
+		//	},
+		//	request:  httpNewRequest("GET", "https://baidu.com", nil, t),
+		//	expected: true,
+		//},
+		//{
+		//	name:        "test9",
+		//	description: "don not support GM",
+		//	cfg: &gmtls.Config{
+		//		GMSupport:          &gmtls.GMSupport{WorkMode: gmtls.ModeAutoSwitch},
+		//		InsecureSkipVerify: true,
+		//		VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+		//			for _, v := range rawCerts {
+		//				_, err := x509.ParseCertificate(v)
+		//				if err != nil {
+		//					return err
+		//				}
+		//			}
+		//			return nil
+		//		},
+		//	},
+		//	request:  httpNewRequest("GET", "https://baidu.com", nil, t),
+		//	expected: true,
+		//},
+		//{
+		//	name:        "test10",
+		//	description: "don not support GM",
+		//	cfg: &gmtls.Config{
+		//		GMSupport:          &gmtls.GMSupport{WorkMode: gmtls.ModeGMSSLOnly},
+		//		InsecureSkipVerify: true,
+		//		VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+		//			for _, v := range rawCerts {
+		//				_, err := x509.ParseCertificate(v)
+		//				if err != nil {
+		//					return err
+		//				}
+		//			}
+		//			return nil
+		//		},
+		//	},
+		//	request:  httpNewRequest("GET", "https://baidu.com", nil, t),
+		//	expected: true,
+		//},
+	}
+
+	for _, testCase := range tests {
+		t.Run(testCase.name, func(t *testing.T) {
+			wrapper := NewGMRoundTripper(testCase.cfg)
+			wrappedTransport := wrapper(http.DefaultTransport)
+			client := &http.Client{
+				Transport: wrappedTransport,
+			}
+
+			resp, err := client.Do(testCase.request)
+
+			if testCase.expected && err == nil {
+				t.Errorf("expected error but got none")
+			}
+			if !testCase.expected && err != nil {
+				t.Errorf("expected: %v, but got err: %v", testCase.expected, err)
+			}
+
+			if resp != nil && resp.Body != nil {
+				resp.Body.Close()
+			}
+		})
+	}
+}

pkg/utils/logroundtripper.go

@@ -37,6 +37,12 @@ var (
 	serverGRPCEndpointCallCounter uint64
 )
 
+func NewLogRoundTripper() WrapperFunc {
+	return func(rt http.RoundTripper) http.RoundTripper {
+		return &LogRoundTripper{Rt: rt}
+	}
+}
+
 // LogRoundTripper satisfies the http.RoundTripper interface and is used to
 // customize the default http client RoundTripper to allow for logging.
 type LogRoundTripper struct {