Главная Обзор Помощь
Вход
SMusatov
/
ydb
зеркало из https://github.com/ydb-platform/ydb.git
1
0
Ответвить 0
Файлы
Ветка: docs-dark-theme
Ветки Метки
ydb
/
vendor
/
google.golang.org
/
grpc
/
internal
/
credentials
/
spiffe.go

spiffe.go 2.2 KB
Постоянная ссылка История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475 
  1. /*
    2. 

  2.  *
    3. 

  3.  * Copyright 2020 gRPC authors.
    4. 

  4.  *
    5. 

  5.  * Licensed under the Apache License, Version 2.0 (the "License");
    6. 

  6.  * you may not use this file except in compliance with the License.
    7. 

  7.  * You may obtain a copy of the License at
    8. 

  8.  *
    9. 

  9.  *     http://www.apache.org/licenses/LICENSE-2.0
    10. 

  10.  *
    11. 

  11.  * Unless required by applicable law or agreed to in writing, software
    12. 

  12.  * distributed under the License is distributed on an "AS IS" BASIS,
    13. 

  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14. 

  14.  * See the License for the specific language governing permissions and
    15. 

  15.  * limitations under the License.
    16. 

  16.  *
    17. 

  17.  */
    18. 

  18. 

  19. // Package credentials defines APIs for parsing SPIFFE ID.
    20. 

  20. //
    21. 

  21. // All APIs in this package are experimental.
    22. 

  22. package credentials
    23. 

  23. 

  24. import (
    25. 

  25. 	"crypto/tls"
    26. 

  26. 	"crypto/x509"
    27. 

  27. 	"net/url"
    28. 

  28. 

  29. 	"google.golang.org/grpc/grpclog"
    30. 

  30. )
    31. 

  31. 

  32. var logger = grpclog.Component("credentials")
    33. 

  33. 

  34. // SPIFFEIDFromState parses the SPIFFE ID from State. If the SPIFFE ID format
    35. 

  35. // is invalid, return nil with warning.
    36. 

  36. func SPIFFEIDFromState(state tls.ConnectionState) *url.URL {
    37. 

  37. 	if len(state.PeerCertificates) == 0 || len(state.PeerCertificates[0].URIs) == 0 {
    38. 

  38. 		return nil
    39. 

  39. 	}
    40. 

  40. 	return SPIFFEIDFromCert(state.PeerCertificates[0])
    41. 

  41. }
    42. 

  42. 

  43. // SPIFFEIDFromCert parses the SPIFFE ID from x509.Certificate. If the SPIFFE
    44. 

  44. // ID format is invalid, return nil with warning.
    45. 

  45. func SPIFFEIDFromCert(cert *x509.Certificate) *url.URL {
    46. 

  46. 	if cert == nil || cert.URIs == nil {
    47. 

  47. 		return nil
    48. 

  48. 	}
    49. 

  49. 	var spiffeID *url.URL
    50. 

  50. 	for _, uri := range cert.URIs {
    51. 

  51. 		if uri == nil || uri.Scheme != "spiffe" || uri.Opaque != "" || (uri.User != nil && uri.User.Username() != "") {
    52. 

  52. 			continue
    53. 

  53. 		}
    54. 

  54. 		// From this point, we assume the uri is intended for a SPIFFE ID.
    55. 

  55. 		if len(uri.String()) > 2048 {
    56. 

  56. 			logger.Warning("invalid SPIFFE ID: total ID length larger than 2048 bytes")
    57. 

  57. 			return nil
    58. 

  58. 		}
    59. 

  59. 		if len(uri.Host) == 0 || len(uri.Path) == 0 {
    60. 

  60. 			logger.Warning("invalid SPIFFE ID: domain or workload ID is empty")
    61. 

  61. 			return nil
    62. 

  62. 		}
    63. 

  63. 		if len(uri.Host) > 255 {
    64. 

  64. 			logger.Warning("invalid SPIFFE ID: domain length larger than 255 characters")
    65. 

  65. 			return nil
    66. 

  66. 		}
    67. 

  67. 		// A valid SPIFFE certificate can only have exactly one URI SAN field.
    68. 

  68. 		if len(cert.URIs) > 1 {
    69. 

  69. 			logger.Warning("invalid SPIFFE ID: multiple URI SANs")
    70. 

  70. 			return nil
    71. 

  71. 		}
    72. 

  72. 		spiffeID = uri
    73. 

  73. 	}
    74. 

  74. 	return spiffeID
    75. 

  75. }
    76.