local.go

Documentation: google.golang.org/grpc/credentials/local

     1  /*
     2   *
     3   * Copyright 2020 gRPC authors.
     4   *
     5   * Licensed under the Apache License, Version 2.0 (the "License");
     6   * you may not use this file except in compliance with the License.
     7   * You may obtain a copy of the License at
     8   *
     9   *     http://www.apache.org/licenses/LICENSE-2.0
    10   *
    11   * Unless required by applicable law or agreed to in writing, software
    12   * distributed under the License is distributed on an "AS IS" BASIS,
    13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14   * See the License for the specific language governing permissions and
    15   * limitations under the License.
    16   *
    17   */
    18  
    19  // Package local implements local transport credentials.
    20  // Local credentials reports the security level based on the type
    21  // of connection. If the connection is local TCP, NoSecurity will be
    22  // reported, and if the connection is UDS, PrivacyAndIntegrity will be
    23  // reported. If local credentials is not used in local connections
    24  // (local TCP or UDS), it will fail.
    25  //
    26  // # Experimental
    27  //
    28  // Notice: This package is EXPERIMENTAL and may be changed or removed in a
    29  // later release.
    30  package local
    31  
    32  import (
    33  	"context"
    34  	"fmt"
    35  	"net"
    36  	"strings"
    37  
    38  	"google.golang.org/grpc/credentials"
    39  )
    40  
    41  // info contains the auth information for a local connection.
    42  // It implements the AuthInfo interface.
    43  type info struct {
    44  	credentials.CommonAuthInfo
    45  }
    46  
    47  // AuthType returns the type of info as a string.
    48  func (info) AuthType() string {
    49  	return "local"
    50  }
    51  
    52  // localTC is the credentials required to establish a local connection.
    53  type localTC struct {
    54  	info credentials.ProtocolInfo
    55  }
    56  
    57  func (c *localTC) Info() credentials.ProtocolInfo {
    58  	return c.info
    59  }
    60  
    61  // getSecurityLevel returns the security level for a local connection.
    62  // It returns an error if a connection is not local.
    63  func getSecurityLevel(network, addr string) (credentials.SecurityLevel, error) {
    64  	switch {
    65  	// Local TCP connection
    66  	case strings.HasPrefix(addr, "127."), strings.HasPrefix(addr, "[::1]:"):
    67  		return credentials.NoSecurity, nil
    68  	// Windows named pipe connection
    69  	case network == "pipe" && strings.HasPrefix(addr, `\\.\pipe\`):
    70  		return credentials.NoSecurity, nil
    71  	// UDS connection
    72  	case network == "unix":
    73  		return credentials.PrivacyAndIntegrity, nil
    74  	// Not a local connection and should fail
    75  	default:
    76  		return credentials.InvalidSecurityLevel, fmt.Errorf("local credentials rejected connection to non-local address %q", addr)
    77  	}
    78  }
    79  
    80  func (*localTC) ClientHandshake(ctx context.Context, authority string, conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
    81  	secLevel, err := getSecurityLevel(conn.RemoteAddr().Network(), conn.RemoteAddr().String())
    82  	if err != nil {
    83  		return nil, nil, err
    84  	}
    85  	return conn, info{credentials.CommonAuthInfo{SecurityLevel: secLevel}}, nil
    86  }
    87  
    88  func (*localTC) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
    89  	secLevel, err := getSecurityLevel(conn.RemoteAddr().Network(), conn.RemoteAddr().String())
    90  	if err != nil {
    91  		return nil, nil, err
    92  	}
    93  	return conn, info{credentials.CommonAuthInfo{SecurityLevel: secLevel}}, nil
    94  }
    95  
    96  // NewCredentials returns a local credential implementing credentials.TransportCredentials.
    97  func NewCredentials() credentials.TransportCredentials {
    98  	return &localTC{
    99  		info: credentials.ProtocolInfo{
   100  			SecurityProtocol: "local",
   101  		},
   102  	}
   103  }
   104  
   105  // Clone makes a copy of Local credentials.
   106  func (c *localTC) Clone() credentials.TransportCredentials {
   107  	return &localTC{info: c.info}
   108  }
   109  
   110  // OverrideServerName overrides the server name used to verify the hostname on the returned certificates from the server.
   111  // Since this feature is specific to TLS (SNI + hostname verification check), it does not take any effet for local credentials.
   112  func (c *localTC) OverrideServerName(serverNameOverride string) error {
   113  	c.info.ServerName = serverNameOverride
   114  	return nil
   115  }
   116
View as plain text