1 /*
2  *
3  * Copyright 2019 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #include "upb/upb.hpp"
20 
21 #include <grpc/grpc_security.h>
22 #include <grpc/support/log.h>
23 #include <grpcpp/security/alts_context.h>
24 #include <grpcpp/security/alts_util.h>
25 
26 #include "src/core/lib/gprpp/memory.h"
27 #include "src/core/tsi/alts/handshaker/alts_tsi_handshaker.h"
28 #include "src/cpp/common/secure_auth_context.h"
29 #include "src/proto/grpc/gcp/altscontext.upb.h"
30 
31 namespace grpc {
32 namespace experimental {
33 
// Extracts the ALTS context carried by |auth_context|.
//
// Returns nullptr, after logging at GPR_ERROR, when any of these holds:
//   - |auth_context| is null;
//   - the auth context does not hold exactly one TSI_ALTS_CONTEXT property;
//   - the property bytes do not parse as a grpc_gcp_AltsContext;
//   - the parsed security level is outside
//     [GRPC_SECURITY_MIN, GRPC_SECURITY_MAX].
// A caller that bases an authorization decision on the result has to treat
// nullptr as a denial; AltsClientAuthzCheck in this file does so.
std::unique_ptr<AltsContext> GetAltsContextFromAuthContext(
    const std::shared_ptr<const AuthContext>& auth_context) {
  if (!auth_context) {
    gpr_log(GPR_ERROR, "auth_context is nullptr.");
    return nullptr;
  }

  // Zero or several serialized contexts are both rejected, so no entry is
  // ever picked arbitrarily out of an ambiguous set.
  const std::vector<string_ref> serialized_contexts =
      auth_context->FindPropertyValues(TSI_ALTS_CONTEXT);
  if (serialized_contexts.size() != 1) {
    gpr_log(GPR_ERROR, "contains zero or more than one ALTS context.");
    return nullptr;
  }
  const string_ref& serialized = serialized_contexts[0];

  // The arena is handed to the parser and destroyed when this function
  // returns. NOTE(review): this presumes the AltsContext constructor copies
  // everything it needs out of the parsed message - confirm.
  upb::Arena context_arena;
  grpc_gcp_AltsContext* parsed = grpc_gcp_AltsContext_parse(
      serialized.data(), serialized.size(), context_arena.ptr());
  if (parsed == nullptr) {
    gpr_log(GPR_ERROR, "fails to parse ALTS context.");
    return nullptr;
  }

  // Range-check the wire value before an AltsContext is built from it.
  const auto level = grpc_gcp_AltsContext_security_level(parsed);
  const bool level_in_range =
      level >= GRPC_SECURITY_MIN && level <= GRPC_SECURITY_MAX;
  if (!level_in_range) {
    gpr_log(GPR_ERROR, "security_level is invalid.");
    return nullptr;
  }

  return absl::make_unique<AltsContext>(AltsContext(parsed));
}
60 
// Checks the peer of |auth_context| against an allow list of service
// accounts.
//
// Returns grpc::Status::OK only when an ALTS context can be extracted with
// GetAltsContextFromAuthContext and its peer service account equals one
// entry of |expected_service_accounts|. Every other outcome is
// PERMISSION_DENIED, which means an empty list denies every peer.
//
// The comparison is the operator== applied by std::find: an exact match,
// with no wildcard, prefix or normalization step.
grpc::Status AltsClientAuthzCheck(
    const std::shared_ptr<const AuthContext>& auth_context,
    const std::vector<std::string>& expected_service_accounts) {
  const std::unique_ptr<AltsContext> alts_ctx =
      GetAltsContextFromAuthContext(auth_context);
  if (!alts_ctx) {
    // Every extraction failure lands here (null auth context, missing or
    // duplicate property, bad security level), not only a parse error; the
    // specific cause is in the GPR_ERROR log written by the helper.
    return grpc::Status(grpc::StatusCode::PERMISSION_DENIED,
                        "fails to parse ALTS context.");
  }

  const auto& peer_account = alts_ctx->peer_service_account();
  const bool is_expected =
      std::find(expected_service_accounts.begin(),
                expected_service_accounts.end(),
                peer_account) != expected_service_accounts.end();
  if (!is_expected) {
    // NOTE(review): the peer-supplied account name is embedded in the status
    // message; where this status is surfaced or logged is not visible here -
    // confirm that downstream consumers treat it as untrusted text.
    return grpc::Status(grpc::StatusCode::PERMISSION_DENIED,
                        "client " + peer_account + " is not authorized.");
  }
  return grpc::Status::OK;
}
80 
81 }  // namespace experimental
82 }  // namespace grpc
83