From 9efc026712b693670bbde6ebd5e015778ae1afdf Mon Sep 17 00:00:00 2001
From: Florian Forster
Date: Tue, 5 Dec 2017 12:15:00 +0100
Subject: [PATCH] grpc plugin: Implement the VerifyPeer option for servers.
---
 src/collectd.conf.in | 1 +
 src/collectd.conf.pod | 7 +++++++
 src/grpc.cc | 11 ++++++++++-
 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/collectd.conf.in b/src/collectd.conf.in
index 4efa29e4..2b54a6e2 100644
--- a/src/collectd.conf.in
+++ b/src/collectd.conf.in
@@ -643,6 +643,7 @@
 # SSLCACertificateFile "/path/to/root.pem"
 # SSLCertificateFile "/path/to/client.pem"
 # SSLCertificateKeyFile "/path/to/client.key"
+# VerifyPeer true
 #
 #
diff --git a/src/collectd.conf.pod b/src/collectd.conf.pod
index 0e7a6046..c8cd7e51 100644
--- a/src/collectd.conf.pod
+++ b/src/collectd.conf.pod
@@ -3094,6 +3094,13 @@ Whether to enable SSL for incoming connections. Default: false.
 Filenames specifying SSL certificate and key material to be used with SSL connections.
+=item B B|B
+
+When enabled, a valid client certificate is required to connect to the server.
+When disabled, a client certifiacte is not requested and any unsolicited client
+certificate is accepted.
+Enabled by default.
+
 =back
 =back
diff --git a/src/grpc.cc b/src/grpc.cc
index 0f5cfec0..87ef754a 100644
--- a/src/grpc.cc
+++ b/src/grpc.cc
@@ -626,7 +626,8 @@ static int c_grpc_config_listen(oconfig_item_t *ci) {
 listener.port = grpc::string(ci->values[1].value.string);
 listener.ssl = nullptr;
- auto ssl_opts = new (grpc::SslServerCredentialsOptions);
+ auto ssl_opts = new grpc::SslServerCredentialsOptions(
+ GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
 grpc::SslServerCredentialsOptions::PemKeyCertPair pkcp = {};
 bool use_ssl = false;
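Review bot: The new `new grpc::SslServerCredentialsOptions(GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY)` line is the security-relevant part of this change and carries no comment, yet it flips the behaviour of every existing `EnableSSL` listener: the removed default-constructed options did not, as far as I recall of gRPC's defaults, request a client certificate at all, so TLS clients that present none will be rejected after an upgrade. I would put `// Secure default: require and verify a client certificate; VerifyPeer false in the block below opts out.` above it and call the changed default out in the changelog, not only in the pod. Nothing visible in the hunk frees the raw-`new`ed options object on the `return -1` paths of the option loop; that predates this patch, but since the object now decides the listener's authentication policy it is a good moment to hold it in a `std::unique_ptr` until it is handed to the credentials. c_grpc_config_listen starts before this hunk and continues past it.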
@@ -659,6 +660,14 @@ static int c_grpc_config_listen(oconfig_item_t *ci) {
 return -1;
 }
 pkcp.cert_chain = read_file(cert);
+ } else if (!strcasecmp("VerifyPeer", child->key)) {
+ _Bool verify = 0;
+ if (cf_util_get_boolean(child, &verify)) {
+ return -1;
+ }
+ ssl_opts->client_certificate_request =
+ verify ? GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY
+ : GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
 } else {
 WARNING("grpc: Option `%s` not allowed in <%s> block.", child->key, ci->key);
-- 
2.11.0
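Review bot: Selecting `GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE` when `verify` is false silently turns the listener into TLS without any client authentication, and nothing in the new branch records that choice, so an operator reading the logs cannot tell an unauthenticated listener from a verified one. I would log it right after the assignment: `if (!verify) WARNING("grpc: VerifyPeer false in <%s> block: client certificates will not be requested or verified.", ci->key);`. The `return -1` on a malformed boolean leaks the raw-`new`ed `ssl_opts` exactly as the sibling `return -1` above it does, so it is consistent with the surrounding code but should be fixed together with it. Whether `VerifyPeer true` (the default) without an `SSLCACertificateFile` is rejected at config time depends on code outside this hunk; if it is not, an explicit error there is the natural complement, since a verify-and-require policy with no trust roots is a misconfiguration rather than something to discover at connect time. c_grpc_config_listen continues outside the hunk in both directions.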