grpclib/examples/mtls/server.py

import os
import ssl
import asyncio
import logging

from pathlib import Path

from grpclib.utils import graceful_exit
from grpclib.server import Server
from grpclib.health.service import Health


DIR = Path(__file__).parent.joinpath('keys')
SPY_MODE = 'SPY_MODE' in os.environ

CLIENT_CERT = DIR.joinpath('spock.pem')
SERVER_CERT = DIR.joinpath('mccoy-imposter.pem' if SPY_MODE else 'mccoy.pem')
SERVER_KEY = DIR.joinpath('mccoy-imposter.key' if SPY_MODE else 'mccoy.key')


def create_secure_context(
    server_cert: Path, server_key: Path, *, trusted: Path,
) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(str(server_cert), str(server_key))
    ctx.load_verify_locations(str(trusted))
    ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    ctx.set_ciphers('ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20')
    ctx.set_alpn_protocols(['h2'])
    try:
        ctx.set_npn_protocols(['h2'])
    except NotImplementedError:
        pass
    return ctx


async def main(*, host: str = '0.0.0.0', port: int = 50051) -> None:
    server = Server([Health()])
    with graceful_exit([server]):
        await server.start(host, port, ssl=create_secure_context(
            SERVER_CERT, SERVER_KEY, trusted=CLIENT_CERT,
        ))
        print(f'Serving on {host}:{port}')
        await server.wait_closed()


if __name__ == '__main__':
    logging.basicConfig(level=logging.INFO)
    asyncio.run(main())
Added simple example of the mTLS setup 2019-06-11 18:29:30 +00:00			`import os`
			`import ssl`
			`import asyncio`
			`import logging`

			`from pathlib import Path`

			`from grpclib.utils import graceful_exit`
			`from grpclib.server import Server`
			`from grpclib.health.service import Health`


			`DIR = Path(__file__).parent.joinpath('keys')`
			`SPY_MODE = 'SPY_MODE' in os.environ`

			`CLIENT_CERT = DIR.joinpath('spock.pem')`
			`SERVER_CERT = DIR.joinpath('mccoy-imposter.pem' if SPY_MODE else 'mccoy.pem')`
			`SERVER_KEY = DIR.joinpath('mccoy-imposter.key' if SPY_MODE else 'mccoy.key')`


			`def create_secure_context(`
			`server_cert: Path, server_key: Path, *, trusted: Path,`
			`) -> ssl.SSLContext:`
			`ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)`
			`ctx.verify_mode = ssl.CERT_REQUIRED`
			`ctx.load_cert_chain(str(server_cert), str(server_key))`
			`ctx.load_verify_locations(str(trusted))`
			`ctx.options \|= ssl.OP_NO_TLSv1 \| ssl.OP_NO_TLSv1_1`
			`ctx.set_ciphers('ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20')`
			`ctx.set_alpn_protocols(['h2'])`
			`try:`
			`ctx.set_npn_protocols(['h2'])`
			`except NotImplementedError:`
			`pass`
			`return ctx`


			`async def main(*, host: str = '0.0.0.0', port: int = 50051) -> None:`
			`server = Server([Health()])`
			`with graceful_exit([server]):`
			`await server.start(host, port, ssl=create_secure_context(`
			`SERVER_CERT, SERVER_KEY, trusted=CLIENT_CERT,`
			`))`
			`print(f'Serving on {host}:{port}')`
			`await server.wait_closed()`


			`if __name__ == '__main__':`
			`logging.basicConfig(level=logging.INFO)`
			`asyncio.run(main())`