2021-12-13 11:08:10 +00:00
|
|
|
package auth
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
|
2024-10-17 15:15:05 +00:00
|
|
|
grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/auth"
|
2021-12-13 11:08:10 +00:00
|
|
|
"google.golang.org/grpc/credentials"
|
|
|
|
"google.golang.org/grpc/peer"
|
|
|
|
|
2023-07-07 23:33:10 +00:00
|
|
|
"go.linka.cloud/grpc-toolkit/errors"
|
2021-12-13 11:08:10 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
type X509Validator func(ctx context.Context, sans []string) (context.Context, error)
|
|
|
|
|
|
|
|
// func _(ctx context.Context) {
|
|
|
|
// p, ok := peer.FromContext(ctx)
|
|
|
|
// if !ok {
|
|
|
|
// return
|
|
|
|
// }
|
|
|
|
// i, ok := p.AuthInfo.(credentials.TLSInfo)
|
|
|
|
// if !ok {
|
|
|
|
// return
|
|
|
|
// }
|
|
|
|
// i.State.VerifiedChains
|
|
|
|
// }
|
|
|
|
|
|
|
|
func makeX509AuthFunc(v X509Validator) grpc_auth.AuthFunc {
|
|
|
|
return func(ctx context.Context) (context.Context, error) {
|
|
|
|
p, ok := peer.FromContext(ctx)
|
|
|
|
if !ok {
|
|
|
|
return ctx, errors.Internalf("peer not found")
|
|
|
|
}
|
|
|
|
i, ok := p.AuthInfo.(credentials.TLSInfo)
|
|
|
|
if !ok {
|
|
|
|
return ctx, errors.Unauthenticatedf("no TLS credentials")
|
|
|
|
}
|
|
|
|
if !i.State.HandshakeComplete {
|
|
|
|
return ctx, errors.Unauthenticatedf("handshake not complete")
|
|
|
|
}
|
|
|
|
var sans []string
|
|
|
|
for _, v := range i.State.VerifiedChains {
|
|
|
|
if len(v) == 0 {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
sans = append(sans, v[0].PermittedDNSDomains...)
|
|
|
|
}
|
|
|
|
return v(ctx, sans)
|
|
|
|
}
|
|
|
|
}
|