alts_util.cc
Go to the documentation of this file.
1 /*
2  *
3  * Copyright 2019 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #include <algorithm>
20 #include <memory>
21 #include <string>
22 #include <vector>
23 
24 #include "absl/memory/memory.h"
25 #include "upb/upb.hpp"
26 
27 #include <grpc/grpc_security_constants.h>
28 #include <grpc/support/log.h>
29 #include <grpcpp/security/alts_context.h>
30 #include <grpcpp/security/alts_util.h>
31 #include <grpcpp/security/auth_context.h>
32 #include <grpcpp/support/config.h>
33 #include <grpcpp/support/status.h>
34 #include <grpcpp/support/string_ref.h>
35 
36 #include "src/core/tsi/alts/handshaker/alts_tsi_handshaker.h"
37 #include "src/proto/grpc/gcp/altscontext.upb.h"
38 
39 namespace grpc {
40 namespace experimental {
41 
42 std::unique_ptr<AltsContext> GetAltsContextFromAuthContext(
43  const std::shared_ptr<const AuthContext>& auth_context) {
44  if (auth_context == nullptr) {
45  gpr_log(GPR_ERROR, "auth_context is nullptr.");
46  return nullptr;
47  }
48  std::vector<string_ref> ctx_vector =
49  auth_context->FindPropertyValues(TSI_ALTS_CONTEXT);
50  if (ctx_vector.size() != 1) {
51  gpr_log(GPR_ERROR, "contains zero or more than one ALTS context.");
52  return nullptr;
53  }
54  upb::Arena context_arena;
55  grpc_gcp_AltsContext* ctx = grpc_gcp_AltsContext_parse(
56  ctx_vector[0].data(), ctx_vector[0].size(), context_arena.ptr());
57  if (ctx == nullptr) {
58  gpr_log(GPR_ERROR, "fails to parse ALTS context.");
59  return nullptr;
60  }
61  if (grpc_gcp_AltsContext_security_level(ctx) < GRPC_SECURITY_MIN ||
62  grpc_gcp_AltsContext_security_level(ctx) > GRPC_SECURITY_MAX) {
63  gpr_log(GPR_ERROR, "security_level is invalid.");
64  return nullptr;
65  }
66  return absl::make_unique<AltsContext>(AltsContext(ctx));
67 }
68 
69 grpc::Status AltsClientAuthzCheck(
70  const std::shared_ptr<const AuthContext>& auth_context,
71  const std::vector<std::string>& expected_service_accounts) {
72  std::unique_ptr<AltsContext> alts_ctx =
73  GetAltsContextFromAuthContext(auth_context);
74  if (alts_ctx == nullptr) {
75  return grpc::Status(grpc::StatusCode::PERMISSION_DENIED,
76  "fails to parse ALTS context.");
77  }
78  if (std::find(expected_service_accounts.begin(),
79  expected_service_accounts.end(),
80  alts_ctx->peer_service_account()) !=
81  expected_service_accounts.end()) {
82  return grpc::Status::OK;
83  }
84  return grpc::Status(
85  grpc::StatusCode::PERMISSION_DENIED,
86  "client " + alts_ctx->peer_service_account() + " is not authorized.");
87 }
88 
89 } // namespace experimental
90 } // namespace grpc
altscontext.upb.h
GRPC_SECURITY_MIN
@ GRPC_SECURITY_MIN
Definition: grpc_security_constants.h:132
log.h
ctx
Definition: benchmark-async.c:30
find
static void ** find(grpc_chttp2_stream_map *map, uint32_t key)
Definition: stream_map.cc:99
grpc
Definition: grpcpp/alarm.h:33
grpc::experimental::AltsClientAuthzCheck
grpc::Status AltsClientAuthzCheck(const std::shared_ptr< const AuthContext > &auth_context, const std::vector< std::string > &expected_service_accounts)
Definition: alts_util.cc:69
alts_tsi_handshaker.h
alts_context.h
grpc.StatusCode.PERMISSION_DENIED
tuple PERMISSION_DENIED
Definition: src/python/grpcio/grpc/__init__.py:268
gpr_log
GPRAPI void gpr_log(const char *file, int line, gpr_log_severity severity, const char *format,...) GPR_PRINT_FORMAT_CHECK(4
grpc::experimental::AltsContext
Definition: alts_context.h:34
grpc_gcp_AltsContext
struct grpc_gcp_AltsContext grpc_gcp_AltsContext
Definition: altscontext.upb.h:25
grpc::Status::OK
static const Status & OK
An OK pre-defined instance.
Definition: include/grpcpp/impl/codegen/status.h:113
data
char data[kBufferLength]
Definition: abseil-cpp/absl/strings/internal/str_format/float_conversion.cc:1006
GPR_ERROR
#define GPR_ERROR
Definition: include/grpc/impl/codegen/log.h:57
config.h
upb::Arena::ptr
upb_Arena * ptr()
Definition: upb.hpp:76
upb::Arena
Definition: upb.hpp:68
grpc::experimental::GetAltsContextFromAuthContext
std::unique_ptr< AltsContext > GetAltsContextFromAuthContext(const std::shared_ptr< const AuthContext > &auth_context)
Definition: alts_util.cc:42
upb.hpp
grpc::protobuf::util::Status
GRPC_CUSTOM_UTIL_STATUS Status
Definition: include/grpcpp/impl/codegen/config_protobuf.h:93
grpc_gcp_AltsContext_parse
UPB_INLINE grpc_gcp_AltsContext * grpc_gcp_AltsContext_parse(const char *buf, size_t size, upb_Arena *arena)
Definition: altscontext.upb.h:39
grpc_security_constants.h
grpc::Status
Definition: include/grpcpp/impl/codegen/status.h:35
alts_util.h
TSI_ALTS_CONTEXT
#define TSI_ALTS_CONTEXT
Definition: alts_tsi_handshaker.h:37
size
voidpf void uLong size
Definition: bloaty/third_party/zlib/contrib/minizip/ioapi.h:136
auth_context.h
string_ref.h
status.h
grpc_gcp_AltsContext_security_level
UPB_INLINE int32_t grpc_gcp_AltsContext_security_level(const grpc_gcp_AltsContext *msg)
Definition: altscontext.upb.h:80
GRPC_SECURITY_MAX
@ GRPC_SECURITY_MAX
Definition: grpc_security_constants.h:136

grpc
Author(s):
autogenerated on Thu Mar 13 2025 02:58:30