credentials/alts/utils.go - third_party/grpc/grpc-go - Git at Google

 /*
  *
  * Copyright 2018 gRPC authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  */

 package alts

 import (
 	"context"
 	"errors"
 	"strings"

 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/peer"
 	"google.golang.org/grpc/status"
 )

 // AuthInfoFromContext extracts the alts.AuthInfo object from the given context,
 // if it exists. This API should be used by gRPC server RPC handlers to get
 // information about the communicating peer. For client-side, use grpc.Peer()
 // CallOption.
 func AuthInfoFromContext(ctx context.Context) (AuthInfo, error) {
 	p, ok := peer.FromContext(ctx)
 	if !ok {
 		return nil, errors.New("no Peer found in Context")
 	}
 	return AuthInfoFromPeer(p)
 }

 // AuthInfoFromPeer extracts the alts.AuthInfo object from the given peer, if it
 // exists. This API should be used by gRPC clients after obtaining a peer object
 // using the grpc.Peer() CallOption.
 func AuthInfoFromPeer(p *peer.Peer) (AuthInfo, error) {
 	altsAuthInfo, ok := p.AuthInfo.(AuthInfo)
 	if !ok {
 		return nil, errors.New("no alts.AuthInfo found in Peer")
 	}
 	return altsAuthInfo, nil
 }

 // ClientAuthorizationCheck checks whether the client is authorized to access
 // the requested resources based on the given expected client service accounts.
 // This API should be used by gRPC server RPC handlers. This API should not be
 // used by clients.
 func ClientAuthorizationCheck(ctx context.Context, expectedServiceAccounts []string) error {
 	authInfo, err := AuthInfoFromContext(ctx)
 	if err != nil {
 		return status.Errorf(codes.PermissionDenied, "The context is not an ALTS-compatible context: %v", err)
 	}
 	peer := authInfo.PeerServiceAccount()
 	for _, sa := range expectedServiceAccounts {
 		if strings.EqualFold(peer, sa) {
 			return nil
 		}
 	}
 	return status.Errorf(codes.PermissionDenied, "Client %v is not authorized", peer)
 }
	/*
	*
	* Copyright 2018 gRPC authors.
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*
	*/

	package alts

	import (
	"context"
	"errors"
	"strings"

	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/peer"
	"google.golang.org/grpc/status"
	)

	// AuthInfoFromContext extracts the alts.AuthInfo object from the given context,
	// if it exists. This API should be used by gRPC server RPC handlers to get
	// information about the communicating peer. For client-side, use grpc.Peer()
	// CallOption.
	func AuthInfoFromContext(ctx context.Context) (AuthInfo, error) {
	p, ok := peer.FromContext(ctx)
	if !ok {
	return nil, errors.New("no Peer found in Context")
	}
	return AuthInfoFromPeer(p)
	}

	// AuthInfoFromPeer extracts the alts.AuthInfo object from the given peer, if it
	// exists. This API should be used by gRPC clients after obtaining a peer object
	// using the grpc.Peer() CallOption.
	func AuthInfoFromPeer(p *peer.Peer) (AuthInfo, error) {
	altsAuthInfo, ok := p.AuthInfo.(AuthInfo)
	if !ok {
	return nil, errors.New("no alts.AuthInfo found in Peer")
	}
	return altsAuthInfo, nil
	}

	// ClientAuthorizationCheck checks whether the client is authorized to access
	// the requested resources based on the given expected client service accounts.
	// This API should be used by gRPC server RPC handlers. This API should not be
	// used by clients.
	func ClientAuthorizationCheck(ctx context.Context, expectedServiceAccounts []string) error {
	authInfo, err := AuthInfoFromContext(ctx)
	if err != nil {
	return status.Errorf(codes.PermissionDenied, "The context is not an ALTS-compatible context: %v", err)
	}
	peer := authInfo.PeerServiceAccount()
	for _, sa := range expectedServiceAccounts {
	if strings.EqualFold(peer, sa) {
	return nil
	}
	}
	return status.Errorf(codes.PermissionDenied, "Client %v is not authorized", peer)
	}