1 //
2 //
3 // Copyright 2019 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #include <algorithm>
20 #include <memory>
21 #include <string>
22 #include <vector>
23
24 #include "upb/mem/arena.hpp"
25
26 #include <grpc/grpc_security_constants.h>
27 #include <grpc/support/log.h>
28 #include <grpcpp/security/alts_context.h>
29 #include <grpcpp/security/alts_util.h>
30 #include <grpcpp/security/auth_context.h>
31 #include <grpcpp/support/status.h>
32 #include <grpcpp/support/string_ref.h>
33
34 #include "src/core/tsi/alts/handshaker/alts_tsi_handshaker.h"
35 #include "src/proto/grpc/gcp/altscontext.upb.h"
36
37 namespace grpc {
38 namespace experimental {
39
GetAltsContextFromAuthContext(const std::shared_ptr<const AuthContext> & auth_context)40 std::unique_ptr<AltsContext> GetAltsContextFromAuthContext(
41 const std::shared_ptr<const AuthContext>& auth_context) {
42 if (auth_context == nullptr) {
43 gpr_log(GPR_ERROR, "auth_context is nullptr.");
44 return nullptr;
45 }
46 std::vector<string_ref> ctx_vector =
47 auth_context->FindPropertyValues(TSI_ALTS_CONTEXT);
48 if (ctx_vector.size() != 1) {
49 gpr_log(GPR_ERROR, "contains zero or more than one ALTS context.");
50 return nullptr;
51 }
52 upb::Arena context_arena;
53 grpc_gcp_AltsContext* ctx = grpc_gcp_AltsContext_parse(
54 ctx_vector[0].data(), ctx_vector[0].size(), context_arena.ptr());
55 if (ctx == nullptr) {
56 gpr_log(GPR_ERROR, "fails to parse ALTS context.");
57 return nullptr;
58 }
59 if (grpc_gcp_AltsContext_security_level(ctx) < GRPC_SECURITY_MIN ||
60 grpc_gcp_AltsContext_security_level(ctx) > GRPC_SECURITY_MAX) {
61 gpr_log(GPR_ERROR, "security_level is invalid.");
62 return nullptr;
63 }
64 return std::make_unique<AltsContext>(AltsContext(ctx));
65 }
66
AltsClientAuthzCheck(const std::shared_ptr<const AuthContext> & auth_context,const std::vector<std::string> & expected_service_accounts)67 grpc::Status AltsClientAuthzCheck(
68 const std::shared_ptr<const AuthContext>& auth_context,
69 const std::vector<std::string>& expected_service_accounts) {
70 std::unique_ptr<AltsContext> alts_ctx =
71 GetAltsContextFromAuthContext(auth_context);
72 if (alts_ctx == nullptr) {
73 return grpc::Status(grpc::StatusCode::PERMISSION_DENIED,
74 "fails to parse ALTS context.");
75 }
76 if (std::find(expected_service_accounts.begin(),
77 expected_service_accounts.end(),
78 alts_ctx->peer_service_account()) !=
79 expected_service_accounts.end()) {
80 return grpc::Status::OK;
81 }
82 return grpc::Status(
83 grpc::StatusCode::PERMISSION_DENIED,
84 "client " + alts_ctx->peer_service_account() + " is not authorized.");
85 }
86
87 } // namespace experimental
88 } // namespace grpc
89