Documentation ¶
Overview ¶
Package credentials implements various credentials supported by gRPC library, which encapsulate all the state needed by a client to authenticate with a server and make various assertions, e.g., about the client's identity, role, or whether it is authorized to make a particular call.
Index ¶
- Variables
- func CheckSecurityLevel(ctx context.Context, level SecurityLevel) error
- type AuthInfo
- type Bundle
- type ChannelzSecurityInfo
- type ChannelzSecurityValue
- type CommonAuthInfo
- type OtherChannelzSecurityValue
- type PerRPCCredentials
- type ProtocolInfo
- type RequestInfo
- type SecurityLevel
- type TLSChannelzSecurityValue
- type TLSInfo
- type TransportCredentials
- func NewClientTLSFromCert(cp *x509.CertPool, serverNameOverride string) TransportCredentials
- func NewClientTLSFromFile(certFile, serverNameOverride string) (TransportCredentials, error)
- func NewServerTLSFromCert(cert *tls.Certificate) TransportCredentials
- func NewServerTLSFromFile(certFile, keyFile string) (TransportCredentials, error)
- func NewTLS(c *tls.Config) TransportCredentials
Constants ¶
This section is empty.
Variables ¶
var ErrConnDispatched = errors.New("credentials: rawConn is dispatched out of gRPC")
ErrConnDispatched indicates that rawConn has been dispatched out of gRPC and the caller should not close rawConn.
Functions ¶
func CheckSecurityLevel ¶
func CheckSecurityLevel(ctx context.Context, level SecurityLevel) error
CheckSecurityLevel checks if a connection's security level is greater than or equal to the specified one. It returns success if 1) the condition is satisified or 2) AuthInfo struct does not implement GetCommonAuthInfo() method or 3) CommonAuthInfo.SecurityLevel has an invalid zero value. For 2) and 3), it is for the purpose of backward-compatibility.
This API is experimental.
Types ¶
type AuthInfo ¶
type AuthInfo interface {
AuthType() string
}
AuthInfo defines the common interface for the auth information the users are interested in. A struct that implements AuthInfo should embed CommonAuthInfo by including additional information about the credentials in it.
type Bundle ¶
type Bundle interface { TransportCredentials() TransportCredentials PerRPCCredentials() PerRPCCredentials // NewWithMode should make a copy of Bundle, and switch mode. Modifying the // existing Bundle may cause races. // // NewWithMode returns nil if the requested mode is not supported. NewWithMode(mode string) (Bundle, error) }
Bundle is a combination of TransportCredentials and PerRPCCredentials.
It also contains a mode switching method, so it can be used as a combination of different credential policies.
Bundle cannot be used together with individual TransportCredentials. PerRPCCredentials from Bundle will be appended to other PerRPCCredentials.
This API is experimental.
type ChannelzSecurityInfo ¶
type ChannelzSecurityInfo interface {
GetSecurityValue() ChannelzSecurityValue
}
ChannelzSecurityInfo defines the interface that security protocols should implement in order to provide security info to channelz.
This API is experimental.
type ChannelzSecurityValue ¶
type ChannelzSecurityValue interface {
// contains filtered or unexported methods
}
ChannelzSecurityValue defines the interface that GetSecurityValue() return value should satisfy. This interface should only be satisfied by *TLSChannelzSecurityValue and *OtherChannelzSecurityValue.
This API is experimental.
type CommonAuthInfo ¶
type CommonAuthInfo struct {
SecurityLevel SecurityLevel
}
CommonAuthInfo contains authenticated information common to AuthInfo implementations. It should be embedded in a struct implementing AuthInfo to provide additional information about the credentials.
This API is experimental.
func (*CommonAuthInfo) GetCommonAuthInfo ¶
func (c *CommonAuthInfo) GetCommonAuthInfo() *CommonAuthInfo
GetCommonAuthInfo returns the pointer to CommonAuthInfo struct.
type OtherChannelzSecurityValue ¶
type OtherChannelzSecurityValue struct { ChannelzSecurityValue Name string Value proto.Message }
OtherChannelzSecurityValue defines the struct that non-TLS protocol should return from GetSecurityValue(), which contains protocol specific security info. Note the Value field will be sent to users of channelz requesting channel info, and thus sensitive info should better be avoided.
This API is experimental.
type PerRPCCredentials ¶
type PerRPCCredentials interface { // GetRequestMetadata gets the current request metadata, refreshing // tokens if required. This should be called by the transport layer on // each request, and the data should be populated in headers or other // context. If a status code is returned, it will be used as the status // for the RPC. uri is the URI of the entry point for the request. // When supported by the underlying implementation, ctx can be used for // timeout and cancellation. Additionally, RequestInfo data will be // available via ctx to this call. // TODO(zhaoq): Define the set of the qualified keys instead of leaving // it as an arbitrary string. GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) // RequireTransportSecurity indicates whether the credentials requires // transport security. RequireTransportSecurity() bool }
PerRPCCredentials defines the common interface for the credentials which need to attach security information to every RPC (e.g., oauth2).
type ProtocolInfo ¶
type ProtocolInfo struct { // ProtocolVersion is the gRPC wire protocol version. ProtocolVersion string // SecurityProtocol is the security protocol in use. SecurityProtocol string // SecurityVersion is the security protocol version. It is a static version string from the // credentials, not a value that reflects per-connection protocol negotiation. To retrieve // details about the credentials used for a connection, use the Peer's AuthInfo field instead. // // Deprecated: please use Peer.AuthInfo. SecurityVersion string // ServerName is the user-configured server name. ServerName string }
ProtocolInfo provides information regarding the gRPC wire protocol version, security protocol, security protocol version in use, server name, etc.
type RequestInfo ¶
type RequestInfo struct { // The method passed to Invoke or NewStream for this RPC. (For proto methods, this has the format "/some.Service/Method") Method string // AuthInfo contains the information from a security handshake (TransportCredentials.ClientHandshake, TransportCredentials.ServerHandshake) AuthInfo AuthInfo }
RequestInfo contains request data attached to the context passed to GetRequestMetadata calls.
This API is experimental.
func RequestInfoFromContext ¶
func RequestInfoFromContext(ctx context.Context) (ri RequestInfo, ok bool)
RequestInfoFromContext extracts the RequestInfo from the context if it exists.
This API is experimental.
type SecurityLevel ¶
type SecurityLevel int
SecurityLevel defines the protection level on an established connection.
This API is experimental.
const ( // NoSecurity indicates a connection is insecure. // The zero SecurityLevel value is invalid for backward compatibility. NoSecurity SecurityLevel = iota + 1 // IntegrityOnly indicates a connection only provides integrity protection. IntegrityOnly // PrivacyAndIntegrity indicates a connection provides both privacy and integrity protection. PrivacyAndIntegrity )
func (SecurityLevel) String ¶
func (s SecurityLevel) String() string
String returns SecurityLevel in a string format.
type TLSChannelzSecurityValue ¶
type TLSChannelzSecurityValue struct { ChannelzSecurityValue StandardName string LocalCertificate []byte RemoteCertificate []byte }
TLSChannelzSecurityValue defines the struct that TLS protocol should return from GetSecurityValue(), containing security info like cipher and certificate used.
This API is EXPERIMENTAL.
type TLSInfo ¶
type TLSInfo struct { State tls.ConnectionState CommonAuthInfo }
TLSInfo contains the auth information for a TLS authenticated connection. It implements the AuthInfo interface.
func (TLSInfo) GetSecurityValue ¶
func (t TLSInfo) GetSecurityValue() ChannelzSecurityValue
GetSecurityValue returns security info requested by channelz.
type TransportCredentials ¶
type TransportCredentials interface { // ClientHandshake does the authentication handshake specified by the corresponding // authentication protocol on rawConn for clients. It returns the authenticated // connection and the corresponding auth information about the connection. // The auth information should embed CommonAuthInfo to return additional information about // the credentials. Implementations must use the provided context to implement timely cancellation. // gRPC will try to reconnect if the error returned is a temporary error // (io.EOF, context.DeadlineExceeded or err.Temporary() == true). // If the returned error is a wrapper error, implementations should make sure that // the error implements Temporary() to have the correct retry behaviors. // // If the returned net.Conn is closed, it MUST close the net.Conn provided. ClientHandshake(context.Context, string, net.Conn) (net.Conn, AuthInfo, error) // ServerHandshake does the authentication handshake for servers. It returns // the authenticated connection and the corresponding auth information about // the connection. The auth information should embed CommonAuthInfo to return additional information // about the credentials. // // If the returned net.Conn is closed, it MUST close the net.Conn provided. ServerHandshake(net.Conn) (net.Conn, AuthInfo, error) // Info provides the ProtocolInfo of this TransportCredentials. Info() ProtocolInfo // Clone makes a copy of this TransportCredentials. Clone() TransportCredentials // OverrideServerName overrides the server name used to verify the hostname on the returned certificates from the server. // gRPC internals also use it to override the virtual hosting name if it is set. // It must be called before dialing. Currently, this is only used by grpclb. OverrideServerName(string) error }
TransportCredentials defines the common interface for all the live gRPC wire protocols and supported transport security protocols (e.g., TLS, SSL).
func NewClientTLSFromCert ¶
func NewClientTLSFromCert(cp *x509.CertPool, serverNameOverride string) TransportCredentials
NewClientTLSFromCert constructs TLS credentials from the provided root certificate authority certificate(s) to validate server connections. If certificates to establish the identity of the client need to be included in the credentials (eg: for mTLS), use NewTLS instead, where a complete tls.Config can be specified. serverNameOverride is for testing only. If set to a non empty string, it will override the virtual host name of authority (e.g. :authority header field) in requests.
func NewClientTLSFromFile ¶
func NewClientTLSFromFile(certFile, serverNameOverride string) (TransportCredentials, error)
NewClientTLSFromFile constructs TLS credentials from the provided root certificate authority certificate file(s) to validate server connections. If certificates to establish the identity of the client need to be included in the credentials (eg: for mTLS), use NewTLS instead, where a complete tls.Config can be specified. serverNameOverride is for testing only. If set to a non empty string, it will override the virtual host name of authority (e.g. :authority header field) in requests.
func NewServerTLSFromCert ¶
func NewServerTLSFromCert(cert *tls.Certificate) TransportCredentials
NewServerTLSFromCert constructs TLS credentials from the input certificate for server.
func NewServerTLSFromFile ¶
func NewServerTLSFromFile(certFile, keyFile string) (TransportCredentials, error)
NewServerTLSFromFile constructs TLS credentials from the input certificate file and key file for server.
func NewTLS ¶
func NewTLS(c *tls.Config) TransportCredentials
NewTLS uses c to construct a TransportCredentials based on TLS.