credentials/google/xds.go - third_party/github.com/grpc/grpc-go - Git at Google

 /*
  *
  * Copyright 2021 gRPC authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  */

 package google

 import (
 	"context"
 	"net"

 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/internal"
 )

 const cfeClusterName = "google-cfe"

 // clusterTransportCreds is a combo of TLS + ALTS.
 //
 // On the client, ClientHandshake picks TLS or ALTS based on address attributes.
 // - if attributes has cluster name
 //   - if cluster name is "google_cfe", use TLS
 //   - otherwise, use ALTS
 // - else, do TLS
 //
 // On the server, ServerHandshake always does TLS.
 type clusterTransportCreds struct {
 	tls  credentials.TransportCredentials
 	alts credentials.TransportCredentials
 }

 func newClusterTransportCreds(tls, alts credentials.TransportCredentials) *clusterTransportCreds {
 	return &clusterTransportCreds{
 		tls:  tls,
 		alts: alts,
 	}
 }

 func (c *clusterTransportCreds) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
 	chi := credentials.ClientHandshakeInfoFromContext(ctx)
 	if chi.Attributes == nil {
 		return c.tls.ClientHandshake(ctx, authority, rawConn)
 	}
 	cn, ok := internal.GetXDSHandshakeClusterName(chi.Attributes)
 	if !ok || cn == cfeClusterName {
 		return c.tls.ClientHandshake(ctx, authority, rawConn)
 	}
 	// If attributes have cluster name, and cluster name is not cfe, it's a
 	// backend address, use ALTS.
 	return c.alts.ClientHandshake(ctx, authority, rawConn)
 }

 func (c *clusterTransportCreds) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
 	return c.tls.ServerHandshake(conn)
 }

 func (c *clusterTransportCreds) Info() credentials.ProtocolInfo {
 	// TODO: this always returns tls.Info now, because we don't have a cluster
 	// name to check when this method is called. This method doesn't affect
 	// anything important now. We may want to revisit this if it becomes more
 	// important later.
 	return c.tls.Info()
 }

 func (c *clusterTransportCreds) Clone() credentials.TransportCredentials {
 	return &clusterTransportCreds{
 		tls:  c.tls.Clone(),
 		alts: c.alts.Clone(),
 	}
 }

 func (c *clusterTransportCreds) OverrideServerName(s string) error {
 	if err := c.tls.OverrideServerName(s); err != nil {
 		return err
 	}
 	return c.alts.OverrideServerName(s)
 }
	/*
	*
	* Copyright 2021 gRPC authors.
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*
	*/

	package google

	import (
	"context"
	"net"

	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/internal"
	)

	const cfeClusterName = "google-cfe"

	// clusterTransportCreds is a combo of TLS + ALTS.
	//
	// On the client, ClientHandshake picks TLS or ALTS based on address attributes.
	// - if attributes has cluster name
	// - if cluster name is "google_cfe", use TLS
	// - otherwise, use ALTS
	// - else, do TLS
	//
	// On the server, ServerHandshake always does TLS.
	type clusterTransportCreds struct {
	tls credentials.TransportCredentials
	alts credentials.TransportCredentials
	}

	func newClusterTransportCreds(tls, alts credentials.TransportCredentials) *clusterTransportCreds {
	return &clusterTransportCreds{
	tls: tls,
	alts: alts,
	}
	}

	func (c *clusterTransportCreds) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
	chi := credentials.ClientHandshakeInfoFromContext(ctx)
	if chi.Attributes == nil {
	return c.tls.ClientHandshake(ctx, authority, rawConn)
	}
	cn, ok := internal.GetXDSHandshakeClusterName(chi.Attributes)
	if !ok \|\| cn == cfeClusterName {
	return c.tls.ClientHandshake(ctx, authority, rawConn)
	}
	// If attributes have cluster name, and cluster name is not cfe, it's a
	// backend address, use ALTS.
	return c.alts.ClientHandshake(ctx, authority, rawConn)
	}

	func (c *clusterTransportCreds) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
	return c.tls.ServerHandshake(conn)
	}

	func (c *clusterTransportCreds) Info() credentials.ProtocolInfo {
	// TODO: this always returns tls.Info now, because we don't have a cluster
	// name to check when this method is called. This method doesn't affect
	// anything important now. We may want to revisit this if it becomes more
	// important later.
	return c.tls.Info()
	}

	func (c *clusterTransportCreds) Clone() credentials.TransportCredentials {
	return &clusterTransportCreds{
	tls: c.tls.Clone(),
	alts: c.alts.Clone(),
	}
	}

	func (c *clusterTransportCreds) OverrideServerName(s string) error {
	if err := c.tls.OverrideServerName(s); err != nil {
	return err
	}
	return c.alts.OverrideServerName(s)
	}