Blame - vendor/google.golang.org/grpc/internal/credentials/spiffe.go - voltha-protos

blob: 25ade623058e3f52ed20c782c8e122c58c6ed522 [file] [log] [blame]

khenaidoo	5fc5cea	2021-08-11 17:39:16 -0400	[diff] [blame^]	1	/*
				2	*
				3	* Copyright 2020 gRPC authors.
				4	*
				5	* Licensed under the Apache License, Version 2.0 (the "License");
				6	* you may not use this file except in compliance with the License.
				7	* You may obtain a copy of the License at
				8	*
				9	* http://www.apache.org/licenses/LICENSE-2.0
				10	*
				11	* Unless required by applicable law or agreed to in writing, software
				12	* distributed under the License is distributed on an "AS IS" BASIS,
				13	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				14	* See the License for the specific language governing permissions and
				15	* limitations under the License.
				16	*
				17	*/
				18
				19	// Package credentials defines APIs for parsing SPIFFE ID.
				20	//
				21	// All APIs in this package are experimental.
				22	package credentials
				23
				24	import (
				25	"crypto/tls"
				26	"crypto/x509"
				27	"net/url"
				28
				29	"google.golang.org/grpc/grpclog"
				30	)
				31
				32	var logger = grpclog.Component("credentials")
				33
				34	// SPIFFEIDFromState parses the SPIFFE ID from State. If the SPIFFE ID format
				35	// is invalid, return nil with warning.
				36	func SPIFFEIDFromState(state tls.ConnectionState) *url.URL {
				37	if len(state.PeerCertificates) == 0 \|\| len(state.PeerCertificates[0].URIs) == 0 {
				38	return nil
				39	}
				40	return SPIFFEIDFromCert(state.PeerCertificates[0])
				41	}
				42
				43	// SPIFFEIDFromCert parses the SPIFFE ID from x509.Certificate. If the SPIFFE
				44	// ID format is invalid, return nil with warning.
				45	func SPIFFEIDFromCert(cert x509.Certificate) url.URL {
				46	if cert == nil \|\| cert.URIs == nil {
				47	return nil
				48	}
				49	var spiffeID *url.URL
				50	for _, uri := range cert.URIs {
				51	if uri == nil \|\| uri.Scheme != "spiffe" \|\| uri.Opaque != "" \|\| (uri.User != nil && uri.User.Username() != "") {
				52	continue
				53	}
				54	// From this point, we assume the uri is intended for a SPIFFE ID.
				55	if len(uri.String()) > 2048 {
				56	logger.Warning("invalid SPIFFE ID: total ID length larger than 2048 bytes")
				57	return nil
				58	}
				59	if len(uri.Host) == 0 \|\| len(uri.Path) == 0 {
				60	logger.Warning("invalid SPIFFE ID: domain or workload ID is empty")
				61	return nil
				62	}
				63	if len(uri.Host) > 255 {
				64	logger.Warning("invalid SPIFFE ID: domain length larger than 255 characters")
				65	return nil
				66	}
				67	// A valid SPIFFE certificate can only have exactly one URI SAN field.
				68	if len(cert.URIs) > 1 {
				69	logger.Warning("invalid SPIFFE ID: multiple URI SANs")
				70	return nil
				71	}
				72	spiffeID = uri
				73	}
				74	return spiffeID
				75	}