"//utils/log",
"@com_github_google_certificate_transparency_go//x509",
"@com_github_google_go_attestation//attest",
- "@org_golang_google_grpc//peer",
"@org_golang_google_protobuf//encoding/protojson",
"@org_golang_google_protobuf//reflect/protoreflect",
],
"net/url"
"time"
- "google.golang.org/grpc/peer"
-
"go.fuhry.dev/runtime/grpc"
attest_pb "go.fuhry.dev/runtime/proto/service/attest"
"google.golang.org/protobuf/encoding/protojson"
}
func (s *AttestServer) GetActivationChallenge(ctx context.Context, req *attest_pb.GetActivationChallengeRequest) (*attest_pb.GetActivationChallengeResponse, error) {
- peer, ok := peer.FromContext(ctx)
- if !ok {
- return nil, fmt.Errorf("provided context did not contain peer anything")
- }
-
- spiffe, err := grpc.PeerIdentity(peer)
+ spiffe, err := grpc.PeerIdentity(ctx)
if err != nil {
return nil, err
}
}
func (s *AttestServer) AttestPlatform(ctx context.Context, req *attest_pb.AttestPlatformRequest) (*attest_pb.AttestPlatformResponse, error) {
- peer, ok := peer.FromContext(ctx)
- if !ok {
- return nil, fmt.Errorf("provided context did not contain peer anything")
- }
-
- spiffe, err := grpc.PeerIdentity(peer)
+ spiffe, err := grpc.PeerIdentity(ctx)
if err != nil {
return nil, err
}
deps = [
"//grpc",
"//proto/service/echo",
- "@org_golang_google_grpc//peer",
"@org_golang_x_text//cases",
"@org_golang_x_text//language",
],
"golang.org/x/text/cases"
"golang.org/x/text/language"
- "google.golang.org/grpc/peer"
grpc_lib "go.fuhry.dev/runtime/grpc"
echo_pb "go.fuhry.dev/runtime/proto/service/echo"
}
func (s *EchoServer) Greet(ctx context.Context, req *echo_pb.GreetRequest) (*echo_pb.GreetReply, error) {
- peer, ok := peer.FromContext(ctx)
- if !ok {
- return nil, fmt.Errorf("provided context did not contain peer anything")
- }
-
- spiffe, err := grpc_lib.PeerIdentity(peer)
+ spiffe, err := grpc_lib.PeerIdentity(ctx)
if err != nil {
return nil, err
}
return "", status.Error(codes.Unauthenticated, "who are you??")
}
- ident, err := grpc.PeerIdentity(peer)
+ ident, err := grpc.PeerIdentity(ctx)
if err != nil {
return "", status.Errorf(codes.PermissionDenied, "cannot determine your identity from peer info: %v", peer.AuthInfo)
}
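Review bot: The `err` returned by the new `grpc.PeerIdentity(ctx)` line is discarded, and the rejection formats `peer.AuthInfo` with `%v` instead, so the specific reason PeerIdentity gave (no peer in context, nil AuthInfo, unhandled AuthInfo type) is lost and a `%v` dump of the AuthInfo value goes back to the client; prefer `return "", status.Errorf(codes.PermissionDenied, "cannot determine your identity from peer info: %v", err)`. The `peer` variable used in that message is presumably still obtained by a separate `peer.FromContext` earlier in this function, which starts outside the hunk, so the lookup is now performed twice on this path.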
var RandomPort = server.RandomPort
var NewGrpcServer = server.NewGrpcServer
var NewGrpcServerWithPort = server.NewGrpcServerWithPort
+var PeerCertificate = server.PeerCertificate
var PeerIdentity = server.PeerIdentity
var NewHealthCheckServicer = server.NewHealthCheckServicer
return nil
}
- if peerSpiffe, err := PeerIdentity(peer); err == nil {
+ if peerSpiffe, err := PeerIdentity(ctx); err == nil {
sessionKey := fmt.Sprintf("%s:%s:%s", peerSpiffe.String(), peer.Addr.Network(), peer.Addr.String())
log.Default().V(3).Debugf("peer session key: %s", sessionKey)
server := ctx.Value(kServer).(*Server)
return handler(ctx, req)
}
- peer, ok := peer.FromContext(ctx)
- if !ok {
- return nil, status.Errorf(codes.PermissionDenied, "client did not authenticate")
- }
- spiffe, err := PeerIdentity(peer)
+ spiffe, err := PeerIdentity(ctx)
if err != nil {
return nil, err
}
}
ctx := ss.Context()
- peer, ok := peer.FromContext(ctx)
- if !ok {
- return status.Errorf(codes.PermissionDenied, "client did not authenticate")
- }
- spiffe, err := PeerIdentity(peer)
+ spiffe, err := PeerIdentity(ctx)
if err != nil {
return err
}
return handler(srv, ss)
}
-func PeerIdentity(peer *peer.Peer) (*url.URL, error) {
+func PeerCertificate(ctx context.Context) (*x509.Certificate, error) {
+ peer, ok := peer.FromContext(ctx)
+ if !ok {
+ return nil, status.Errorf(codes.PermissionDenied, "client did not authenticate")
+ }
+
+ if peer.AuthInfo == nil {
+ return nil, status.Errorf(codes.PermissionDenied, "no AuthInfo present in peer information")
+ }
+
+ var tlsState tls.ConnectionState
+
+ switch ai := peer.AuthInfo.(type) {
+ case credentials.TLSInfo:
+ tlsState = ai.State
+ case *grpc_quic.Info:
+ conn := ai.Conn()
+ tlsState = conn.(*grpc_quic.Conn).TLSState()
+ default:
+ return nil, status.Errorf(codes.PermissionDenied, "unhandled type of peer.AuthInfo: %T", peer.AuthInfo)
+ }
+
+ if len(tlsState.PeerCertificates) == 0 {
+ return nil, errors.New("no peer certificate provided")
+ }
+
+ return tlsState.PeerCertificates[0], nil
+}
+
+func PeerIdentity(ctx context.Context) (*url.URL, error) {
+ peer, ok := peer.FromContext(ctx)
+ if !ok {
+ return nil, status.Errorf(codes.PermissionDenied, "client did not authenticate")
+ }
+
if peer.AuthInfo == nil {
return nil, status.Errorf(codes.PermissionDenied, "no AuthInfo present in peer information")
}
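Review bot: `tlsState = conn.(*grpc_quic.Conn).TLSState()` in the `*grpc_quic.Info` case of PeerCertificate is an unchecked type assertion, so a peer whose AuthInfo is a grpc_quic.Info wrapping some other connection type would panic inside the request path instead of being rejected; use the two-value form, `c, ok := conn.(*grpc_quic.Conn)` / `if !ok { return nil, status.Errorf(codes.PermissionDenied, "unexpected connection type %T", conn) }` / `tlsState = c.TLSState()`. The empty-chain branch returns `errors.New("no peer certificate provided")` while every other rejection in the function is a status error, so callers that hand it straight back to gRPC (the handlers changed in this commit do) surface it as codes.Unknown; `status.Error(codes.PermissionDenied, "no peer certificate provided")` keeps the contract uniform. `tlsState.PeerCertificates[0]` is the leaf the client presented, which is only an identity worth trusting if the listener's TLS configuration verifies client certificates, and that assumption is not visible here; the doc comment should say so, e.g. `// PeerCertificate returns the leaf certificate the peer presented; it relies on the transport having verified the chain.`, or the function should additionally require `len(tlsState.VerifiedChains) > 0`. PeerIdentity now repeats the `peer.FromContext` and nil-AuthInfo checks that PeerCertificate performs; its body continues outside the hunk, and if it still extracts the TLS state itself it could presumably be reduced to a call to PeerCertificate.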