@gravity-ui/gateway 3.2.1 → 3.2.2-alpha.0

package/README.md

@@ -102,9 +102,13 @@ interface GatewayConfig {
   onRequestFailed?: (req: Request, res: Response, error: any) => any;
   // List of paths to the necessary proto files for the gateway.
   includeProtoRoots?: string[];
-  // Configuration of the path to the certificate in gRPC.
+  // Configuration of the path to the CA certificate in gRPC.
   // Set to null to use system certificates by default.
   caCertificatePath?: string | null;
+  // Configuration of the path to the client certificate for mTLS in gRPC.
+  clientCertificatePath?: string | null;
+  // Configuration of the path to the client private key for mTLS in gRPC.
+  clientKeyPath?: string | null;
   // Telemetry sending configuration.
   sendStats?: SendStats;
   // Configuration of headers sent to the API.
@@ -143,6 +147,9 @@ const config = {
   includeProtoRoots: ['...'],
   timeout: 25000, // default 25 seconds
   caCertificatePath: '...',
+  // Optional: paths for mTLS client certificate and key
+  clientCertificatePath: '...',
+  clientKeyPath: '...',
 };
 
 const {api: gatewayApi} = getGatewayControllers({root: Schema}, config);

package/build/components/grpc.d.ts

@@ -19,6 +19,6 @@ export interface GrpcContext {
     credentials: CredentialsMap;
 }
 export declare function createRoot(includeGrpcPaths?: string[]): protobufjs.Root;
-export declare function getCredentialsMap(caCertificatePath?: string | null): CredentialsMap;
+export declare function getCredentialsMap(caCertificatePath?: string | null, clientCertificatePath?: string | null, clientKeyPath?: string | null): CredentialsMap;
 export default function createGrpcAction<Context extends GatewayContext>({ root, credentials }: GrpcContext, endpoints: EndpointsConfig | undefined, config: ApiServiceGrpcActionConfig<Context, any, any>, serviceKey: string, actionName: string, options: GatewayApiOptions<Context>, ErrorConstructor: AppErrorConstructor): (actionConfig: ApiActionConfig<Context, any, any>) => Promise<import("../models/common").GatewayActionClientStreamResponse<any> | import("../models/common").GatewayActionServerStreamResponse<any> | import("../models/common").GatewayActionDuplexStreamResponse<any> | import("../models/common").GatewayActionUnaryResponse<any>>;
 export {};

package/build/components/grpc.js

@@ -59,13 +59,21 @@ function createRoot(includeGrpcPaths) {
     return root;
 }
 exports.createRoot = createRoot;
-function getCredentialsMap(caCertificatePath) {
+function getCredentialsMap(caCertificatePath, clientCertificatePath, clientKeyPath) {
     let certificate;
+    let clientCertificate;
+    let clientKey;
     if (caCertificatePath && fs_1.default.existsSync(caCertificatePath)) {
         certificate = fs_1.default.readFileSync(caCertificatePath);
     }
+    if (clientCertificatePath && fs_1.default.existsSync(clientCertificatePath)) {
+        clientCertificate = fs_1.default.readFileSync(clientCertificatePath);
+    }
+    if (clientKeyPath && fs_1.default.existsSync(clientKeyPath)) {
+        clientKey = fs_1.default.readFileSync(clientKeyPath);
+    }
     return {
-        secure: grpc.ChannelCredentials.createSsl(certificate),
+        secure: grpc.ChannelCredentials.createSsl(certificate, clientKey, clientCertificate),
         secureWithoutRootCert: grpc.ChannelCredentials.createSsl(),
         insecure: grpc.ChannelCredentials.createInsecure(),
     };
@@ -170,12 +178,37 @@ function clearInstancesCache(service, instancesMap, cachePath, closeTimeout, ctx
 function getChannelCredential(config, endpointData, credentials) {
     let endpointInsecure;
     let endpointSecureWithoutRootCert;
+    let endpointCaCertificatePath;
+    let endpointClientCertificatePath;
+    let endpointClientKeyPath;
     if ((0, common_2.isExtendedGrpcActionEndpoint)(endpointData)) {
         endpointInsecure = endpointData === null || endpointData === void 0 ? void 0 : endpointData.insecure;
         endpointSecureWithoutRootCert = endpointData === null || endpointData === void 0 ? void 0 : endpointData.secureWithoutRootCert;
+        endpointCaCertificatePath = endpointData === null || endpointData === void 0 ? void 0 : endpointData.caCertificatePath;
+        endpointClientCertificatePath = endpointData === null || endpointData === void 0 ? void 0 : endpointData.clientCertificatePath;
+        endpointClientKeyPath = endpointData === null || endpointData === void 0 ? void 0 : endpointData.clientKeyPath;
     }
     const isInsecure = config.insecure || endpointInsecure;
     const isSecureWithoutRootCert = config.secureWithoutRootCert || endpointSecureWithoutRootCert;
+    // If endpoint-specific certificates are provided, create new credentials
+    if (endpointCaCertificatePath || endpointClientCertificatePath || endpointClientKeyPath) {
+        let certificate;
+        let clientCertificate;
+        let clientKey;
+        const caCertPath = endpointCaCertificatePath || config.caCertificatePath;
+        const clientCertPath = endpointClientCertificatePath || config.clientCertificatePath;
+        const clientKeyPath = endpointClientKeyPath || config.clientKeyPath;
+        if (caCertPath && fs_1.default.existsSync(caCertPath)) {
+            certificate = fs_1.default.readFileSync(caCertPath);
+        }
+        if (clientCertPath && fs_1.default.existsSync(clientCertPath)) {
+            clientCertificate = fs_1.default.readFileSync(clientCertPath);
+        }
+        if (clientKeyPath && fs_1.default.existsSync(clientKeyPath)) {
+            clientKey = fs_1.default.readFileSync(clientKeyPath);
+        }
+        return grpc.ChannelCredentials.createSsl(certificate, clientKey, clientCertificate);
+    }
     let creds = credentials.secure;
     if (isInsecure) {
         creds = credentials.insecure;

package/build/index.js

@@ -244,7 +244,7 @@ function getGatewayControllers(schemasByScope, config) {
             console.warn('Error when parse GATEWAY_ENDPOINTS_OVERRIDES', err);
         }
     }
-    const credentials = (0, grpc_1.getCredentialsMap)(config.caCertificatePath);
+    const credentials = (0, grpc_1.getCredentialsMap)(config.caCertificatePath, config.clientCertificatePath, config.clientKeyPath);
     for (const scope of (0, common_1.getKeys)(schemasByScope)) {
         apiByScope[scope] = generateGatewayApi(schemasByScope[scope], config, { root: (0, grpc_1.createRoot)(config.includeProtoRoots), credentials }, apiByScope);
     }

package/build/models/common.d.ts

@@ -106,6 +106,9 @@ export interface ExtendedBaseActionEndpoint {
 export interface ExtendedGrpcActionEndpoint extends ExtendedBaseActionEndpoint {
     insecure?: boolean;
     secureWithoutRootCert?: boolean;
+    caCertificatePath?: string;
+    clientCertificatePath?: string;
+    clientKeyPath?: string;
     grpcOptions?: object;
 }
 export interface ExtendedRestActionEndpoint extends ExtendedBaseActionEndpoint {
@@ -140,6 +143,9 @@ export interface ApiServiceBaseGrpcActionConfig<Context extends GatewayContext,
     protoKey: string;
     insecure?: boolean;
     secureWithoutRootCert?: boolean;
+    caCertificatePath?: string;
+    clientCertificatePath?: string;
+    clientKeyPath?: string;
     encodedFields?: string[];
     type?: HandlerType;
     decodeAnyMessageProtoLoaderOptions?: protobufjs.IConversionOptions;
@@ -255,6 +261,8 @@ export interface GatewayConfig<Context extends GatewayContext, Req extends Gatew
     sendStats?: SendStats<Context>;
     includeProtoRoots?: string[];
     caCertificatePath: string | null;
+    clientCertificatePath?: string | null;
+    clientKeyPath?: string | null;
     proxyHeaders: ProxyHeaders;
     proxyDebugHeaders?: ProxyHeaders;
     withDebugHeaders?: boolean | ((req: Req, res: Res) => boolean);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gravity-ui/gateway",
-  "version": "3.2.1",
+  "version": "3.2.2-alpha.0",
   "description": "",
   "license": "MIT",
   "main": "build/index.js",