grpc/interceptors/auth/x509.go

50 lines
1.1 KiB
Go
Raw Normal View History

2021-12-13 11:08:10 +00:00
package auth
import (
"context"
grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/peer"
"go.linka.cloud/grpc/errors"
)
type X509Validator func(ctx context.Context, sans []string) (context.Context, error)
// func _(ctx context.Context) {
// p, ok := peer.FromContext(ctx)
// if !ok {
// return
// }
// i, ok := p.AuthInfo.(credentials.TLSInfo)
// if !ok {
// return
// }
// i.State.VerifiedChains
// }
func makeX509AuthFunc(v X509Validator) grpc_auth.AuthFunc {
return func(ctx context.Context) (context.Context, error) {
p, ok := peer.FromContext(ctx)
if !ok {
return ctx, errors.Internalf("peer not found")
}
i, ok := p.AuthInfo.(credentials.TLSInfo)
if !ok {
return ctx, errors.Unauthenticatedf("no TLS credentials")
}
if !i.State.HandshakeComplete {
return ctx, errors.Unauthenticatedf("handshake not complete")
}
var sans []string
for _, v := range i.State.VerifiedChains {
if len(v) == 0 {
continue
}
sans = append(sans, v[0].PermittedDNSDomains...)
}
return v(ctx, sans)
}
}