Home Explore Help
Sign In
algorithm
/
alirec
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
alirec
/
vendor
/
google.golang.org
/
grpc
/
internal
/
credentials
/
go110.go

go110.go 2.0 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465 
  1. // +build go1.10
    2. 

  2. 

  3. /*
    4. 

  4.  *
    5. 

  5.  * Copyright 2020 gRPC authors.
    6. 

  6.  *
    7. 

  7.  * Licensed under the Apache License, Version 2.0 (the "License");
    8. 

  8.  * you may not use this file except in compliance with the License.
    9. 

  9.  * You may obtain a copy of the License at
    10. 

  10.  *
    11. 

  11.  *     http://www.apache.org/licenses/LICENSE-2.0
    12. 

  12.  *
    13. 

  13.  * Unless required by applicable law or agreed to in writing, software
    14. 

  14.  * distributed under the License is distributed on an "AS IS" BASIS,
    15. 

  15.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    16. 

  16.  * See the License for the specific language governing permissions and
    17. 

  17.  * limitations under the License.
    18. 

  18.  *
    19. 

  19.  */
    20. 

  20. 

  21. // Package credentials defines APIs for parsing SPIFFE ID.
    22. 

  22. //
    23. 

  23. // All APIs in this package are experimental.
    24. 

  24. package credentials
    25. 

  25. 

  26. import (
    27. 

  27. 	"crypto/tls"
    28. 

  28. 	"net/url"
    29. 

  29. 

  30. 	"google.golang.org/grpc/grpclog"
    31. 

  31. )
    32. 

  32. 

  33. // SPIFFEIDFromState parses the SPIFFE ID from State. If the SPIFFE ID format
    34. 

  34. // is invalid, return nil with warning.
    35. 

  35. func SPIFFEIDFromState(state tls.ConnectionState) *url.URL {
    36. 

  36. 	if len(state.PeerCertificates) == 0 || len(state.PeerCertificates[0].URIs) == 0 {
    37. 

  37. 		return nil
    38. 

  38. 	}
    39. 

  39. 	var spiffeID *url.URL
    40. 

  40. 	for _, uri := range state.PeerCertificates[0].URIs {
    41. 

  41. 		if uri == nil || uri.Scheme != "spiffe" || uri.Opaque != "" || (uri.User != nil && uri.User.Username() != "") {
    42. 

  42. 			continue
    43. 

  43. 		}
    44. 

  44. 		// From this point, we assume the uri is intended for a SPIFFE ID.
    45. 

  45. 		if len(uri.String()) > 2048 {
    46. 

  46. 			grpclog.Warning("invalid SPIFFE ID: total ID length larger than 2048 bytes")
    47. 

  47. 			return nil
    48. 

  48. 		}
    49. 

  49. 		if len(uri.Host) == 0 || len(uri.RawPath) == 0 || len(uri.Path) == 0 {
    50. 

  50. 			grpclog.Warning("invalid SPIFFE ID: domain or workload ID is empty")
    51. 

  51. 			return nil
    52. 

  52. 		}
    53. 

  53. 		if len(uri.Host) > 255 {
    54. 

  54. 			grpclog.Warning("invalid SPIFFE ID: domain length larger than 255 characters")
    55. 

  55. 			return nil
    56. 

  56. 		}
    57. 

  57. 		// A valid SPIFFE certificate can only have exactly one URI SAN field.
    58. 

  58. 		if len(state.PeerCertificates[0].URIs) > 1 {
    59. 

  59. 			grpclog.Warning("invalid SPIFFE ID: multiple URI SANs")
    60. 

  60. 			return nil
    61. 

  61. 		}
    62. 

  62. 		spiffeID = uri
    63. 

  63. 	}
    64. 

  64. 	return spiffeID
    65. 

  65. }
    66.