cubefs

spiffe.go
77 строк · 2.3 Кб
Перенос по словам
1
// +build !appengine
2

3
/*
4
 *
5
 * Copyright 2020 gRPC authors.
6
 *
7
 * Licensed under the Apache License, Version 2.0 (the "License");
8
 * you may not use this file except in compliance with the License.
9
 * You may obtain a copy of the License at
10
 *
11
 *     http://www.apache.org/licenses/LICENSE-2.0
12
 *
13
 * Unless required by applicable law or agreed to in writing, software
14
 * distributed under the License is distributed on an "AS IS" BASIS,
15
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16
 * See the License for the specific language governing permissions and
17
 * limitations under the License.
18
 *
19
 */
20

21
// Package credentials defines APIs for parsing SPIFFE ID.
22
//
23
// All APIs in this package are experimental.
24
package credentials
25

26
import (
27
	"crypto/tls"
28
	"crypto/x509"
29
	"net/url"
30

31
	"google.golang.org/grpc/grpclog"
32
)
33

34
var logger = grpclog.Component("credentials")
35

36
// SPIFFEIDFromState parses the SPIFFE ID from State. If the SPIFFE ID format
37
// is invalid, return nil with warning.
38
func SPIFFEIDFromState(state tls.ConnectionState) *url.URL {
39
	if len(state.PeerCertificates) == 0 || len(state.PeerCertificates[0].URIs) == 0 {
40
		return nil
41
	}
42
	return SPIFFEIDFromCert(state.PeerCertificates[0])
43
}
44

45
// SPIFFEIDFromCert parses the SPIFFE ID from x509.Certificate. If the SPIFFE
46
// ID format is invalid, return nil with warning.
47
func SPIFFEIDFromCert(cert *x509.Certificate) *url.URL {
48
	if cert == nil || cert.URIs == nil {
49
		return nil
50
	}
51
	var spiffeID *url.URL
52
	for _, uri := range cert.URIs {
53
		if uri == nil || uri.Scheme != "spiffe" || uri.Opaque != "" || (uri.User != nil && uri.User.Username() != "") {
54
			continue
55
		}
56
		// From this point, we assume the uri is intended for a SPIFFE ID.
57
		if len(uri.String()) > 2048 {
58
			logger.Warning("invalid SPIFFE ID: total ID length larger than 2048 bytes")
59
			return nil
60
		}
61
		if len(uri.Host) == 0 || len(uri.Path) == 0 {
62
			logger.Warning("invalid SPIFFE ID: domain or workload ID is empty")
63
			return nil
64
		}
65
		if len(uri.Host) > 255 {
66
			logger.Warning("invalid SPIFFE ID: domain length larger than 255 characters")
67
			return nil
68
		}
69
		// A valid SPIFFE certificate can only have exactly one URI SAN field.
70
		if len(cert.URIs) > 1 {
71
			logger.Warning("invalid SPIFFE ID: multiple URI SANs")
72
			return nil
73
		}
74
		spiffeID = uri
75
	}
76
	return spiffeID
77
}
78
cubefs

Использование cookies
