xref: /aosp_15_r20/external/grpc-grpc/src/cpp/common/alts_util.cc (revision cc02d7e222339f7a4f6ba5f422e6413f4bd931f2)
1*cc02d7e2SAndroid Build Coastguard Worker //
2*cc02d7e2SAndroid Build Coastguard Worker //
3*cc02d7e2SAndroid Build Coastguard Worker // Copyright 2019 gRPC authors.
4*cc02d7e2SAndroid Build Coastguard Worker //
5*cc02d7e2SAndroid Build Coastguard Worker // Licensed under the Apache License, Version 2.0 (the "License");
6*cc02d7e2SAndroid Build Coastguard Worker // you may not use this file except in compliance with the License.
7*cc02d7e2SAndroid Build Coastguard Worker // You may obtain a copy of the License at
8*cc02d7e2SAndroid Build Coastguard Worker //
9*cc02d7e2SAndroid Build Coastguard Worker //     http://www.apache.org/licenses/LICENSE-2.0
10*cc02d7e2SAndroid Build Coastguard Worker //
11*cc02d7e2SAndroid Build Coastguard Worker // Unless required by applicable law or agreed to in writing, software
12*cc02d7e2SAndroid Build Coastguard Worker // distributed under the License is distributed on an "AS IS" BASIS,
13*cc02d7e2SAndroid Build Coastguard Worker // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14*cc02d7e2SAndroid Build Coastguard Worker // See the License for the specific language governing permissions and
15*cc02d7e2SAndroid Build Coastguard Worker // limitations under the License.
16*cc02d7e2SAndroid Build Coastguard Worker //
17*cc02d7e2SAndroid Build Coastguard Worker //
18*cc02d7e2SAndroid Build Coastguard Worker 
19*cc02d7e2SAndroid Build Coastguard Worker #include <algorithm>
20*cc02d7e2SAndroid Build Coastguard Worker #include <memory>
21*cc02d7e2SAndroid Build Coastguard Worker #include <string>
22*cc02d7e2SAndroid Build Coastguard Worker #include <vector>
23*cc02d7e2SAndroid Build Coastguard Worker 
24*cc02d7e2SAndroid Build Coastguard Worker #include "upb/mem/arena.hpp"
25*cc02d7e2SAndroid Build Coastguard Worker 
26*cc02d7e2SAndroid Build Coastguard Worker #include <grpc/grpc_security_constants.h>
27*cc02d7e2SAndroid Build Coastguard Worker #include <grpc/support/log.h>
28*cc02d7e2SAndroid Build Coastguard Worker #include <grpcpp/security/alts_context.h>
29*cc02d7e2SAndroid Build Coastguard Worker #include <grpcpp/security/alts_util.h>
30*cc02d7e2SAndroid Build Coastguard Worker #include <grpcpp/security/auth_context.h>
31*cc02d7e2SAndroid Build Coastguard Worker #include <grpcpp/support/status.h>
32*cc02d7e2SAndroid Build Coastguard Worker #include <grpcpp/support/string_ref.h>
33*cc02d7e2SAndroid Build Coastguard Worker 
34*cc02d7e2SAndroid Build Coastguard Worker #include "src/core/tsi/alts/handshaker/alts_tsi_handshaker.h"
35*cc02d7e2SAndroid Build Coastguard Worker #include "src/proto/grpc/gcp/altscontext.upb.h"
36*cc02d7e2SAndroid Build Coastguard Worker 
37*cc02d7e2SAndroid Build Coastguard Worker namespace grpc {
38*cc02d7e2SAndroid Build Coastguard Worker namespace experimental {
39*cc02d7e2SAndroid Build Coastguard Worker 
/// Extracts the ALTS context attached to an auth context.
///
/// @param auth_context Auth context to inspect; may be null.
/// @return The decoded ALTS context, or nullptr (after logging at GPR_ERROR)
///         when auth_context is null, when it does not carry exactly one
///         TSI_ALTS_CONTEXT property, when that property cannot be parsed,
///         or when the parsed security level lies outside
///         [GRPC_SECURITY_MIN, GRPC_SECURITY_MAX].
///
/// Callers must treat nullptr as "no usable ALTS identity" and deny access;
/// every failure path here returns nullptr rather than a partial context.
std::unique_ptr<AltsContext> GetAltsContextFromAuthContext(
    const std::shared_ptr<const AuthContext>& auth_context) {
  if (!auth_context) {
    gpr_log(GPR_ERROR, "auth_context is nullptr.");
    return nullptr;
  }

  // Zero or duplicate ALTS context properties are rejected.
  // With duplicates, it would be ambiguous which identity to trust.
  const std::vector<string_ref> alts_properties =
      auth_context->FindPropertyValues(TSI_ALTS_CONTEXT);
  if (alts_properties.size() != 1) {
    gpr_log(GPR_ERROR, "contains zero or more than one ALTS context.");
    return nullptr;
  }
  const string_ref& serialized = alts_properties.front();

  // NOTE(review): the parsed message is allocated in context_arena, which is
  // destroyed when this function returns. AltsContext presumably copies the
  // fields it needs in its constructor; confirm it keeps no pointer into ctx.
  upb::Arena context_arena;
  grpc_gcp_AltsContext* ctx = grpc_gcp_AltsContext_parse(
      serialized.data(), serialized.size(), context_arena.ptr());
  if (ctx == nullptr) {
    gpr_log(GPR_ERROR, "fails to parse ALTS context.");
    return nullptr;
  }

  // Range-check the level before it is handed to AltsContext.
  const auto level = grpc_gcp_AltsContext_security_level(ctx);
  const bool level_in_range =
      level >= GRPC_SECURITY_MIN && level <= GRPC_SECURITY_MAX;
  if (!level_in_range) {
    gpr_log(GPR_ERROR, "security_level is invalid.");
    return nullptr;
  }

  return std::make_unique<AltsContext>(AltsContext(ctx));
}
66*cc02d7e2SAndroid Build Coastguard Worker 
/// Authorizes a peer by matching its ALTS service account against an allow
/// list.
///
/// @param auth_context Auth context of the connection being authorized.
/// @param expected_service_accounts Service accounts that are permitted.
/// @return grpc::Status::OK when the peer's service account equals one of the
///         entries; PERMISSION_DENIED otherwise.
///
/// The check fails closed: a missing or unusable ALTS context yields
/// PERMISSION_DENIED, and so does an empty allow list. Matching is exact
/// std::string equality, with no case folding or pattern support.
grpc::Status AltsClientAuthzCheck(
    const std::shared_ptr<const AuthContext>& auth_context,
    const std::vector<std::string>& expected_service_accounts) {
  const std::unique_ptr<AltsContext> peer_ctx =
      GetAltsContextFromAuthContext(auth_context);
  if (!peer_ctx) {
    return grpc::Status(grpc::StatusCode::PERMISSION_DENIED,
                        "fails to parse ALTS context.");
  }

  const std::string peer_account = peer_ctx->peer_service_account();
  const bool allowed = std::any_of(
      expected_service_accounts.begin(), expected_service_accounts.end(),
      [&peer_account](const std::string& account) {
        return account == peer_account;
      });
  if (!allowed) {
    // NOTE(review): the denial text embeds the peer's service account; confirm
    // that is acceptable wherever this Status is surfaced or logged.
    return grpc::Status(grpc::StatusCode::PERMISSION_DENIED,
                        "client " + peer_account + " is not authorized.");
  }
  return grpc::Status::OK;
}
86*cc02d7e2SAndroid Build Coastguard Worker 
87*cc02d7e2SAndroid Build Coastguard Worker }  // namespace experimental
88*cc02d7e2SAndroid Build Coastguard Worker }  // namespace grpc