search

opentdf / platform

Persistent data centric security that extends owner control wherever data travels
BSD 3-Clause Clear License
19 stars 10 forks source link

add `WithGrpcPlainText` sdk option #631

Closed strantalis closed 6 months ago

strantalis commented 6 months ago

We are currently using the WithInsecure option in the sdk to signal in my opinion the following tls config option. 

// InsecureSkipVerify controls whether a client verifies the server's
// certificate chain and host name. If InsecureSkipVerify is true, crypto/tls
// accepts any certificate presented by the server and any host name in that
// certificate. In this mode, TLS is susceptible to machine-in-the-middle
// attacks unless custom verification is used. This should be used only for
// testing or in combination with VerifyConnection or VerifyPeerCertificate.
InsecureSkipVerify [bool](https://pkg.go.dev/builtin#bool)

This is not the case though . We should add a new option called WithGrpcPlainText maybe to support non-tls connections.

pflynn-virtru commented 6 months ago

or require all endpoints be Secure in development. Some libraries like MSAL will not work at all in clear (even in dev mode)

strantalis commented 6 months ago

@pflynn-virtru I think that will align with #451 so we are always testing against a secure connection. Maybe we shouldn't even add the ability to do a WithPlainText like grpccurl.

pflynn-virtru commented 6 months ago

Feedback from the larger group, gave use a requirement to support clear. Documentation about how to use it and where not to use it. Provide warning about its usage

pflynn-virtru commented 6 months ago

Should this propagate to all clients perfuming a connection? Http and Grpc?