security/pkg/server/ca/authenticate/cert_authenticator.go - dubbo-go-pixiu - Git at Google

 // Copyright 2017 Istio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package authenticate

 import (
 	"fmt"
 	"net/http"
 )

 import (
 	"golang.org/x/net/context"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/peer"
 )

 import (
 	"github.com/apache/dubbo-go-pixiu/pkg/security"
 	"github.com/apache/dubbo-go-pixiu/security/pkg/pki/util"
 )

 const (
 	ClientCertAuthenticatorType = "ClientCertAuthenticator"
 )

 // ClientCertAuthenticator extracts identities from client certificate.
 type ClientCertAuthenticator struct{}

 var _ security.Authenticator = &ClientCertAuthenticator{}

 func (cca *ClientCertAuthenticator) AuthenticatorType() string {
 	return ClientCertAuthenticatorType
 }

 // Authenticate extracts identities from presented client certificates. This
 // method assumes that certificate chain has been properly validated before
 // this method is called. In other words, this method does not do certificate
 // chain validation itself.
 func (cca *ClientCertAuthenticator) Authenticate(ctx context.Context) (*security.Caller, error) {
 	peer, ok := peer.FromContext(ctx)
 	if !ok || peer.AuthInfo == nil {
 		return nil, fmt.Errorf("no client certificate is presented")
 	}

 	if authType := peer.AuthInfo.AuthType(); authType != "tls" {
 		return nil, fmt.Errorf("unsupported auth type: %q", authType)
 	}

 	tlsInfo := peer.AuthInfo.(credentials.TLSInfo)
 	chains := tlsInfo.State.VerifiedChains
 	if len(chains) == 0 || len(chains[0]) == 0 {
 		return nil, fmt.Errorf("no verified chain is found")
 	}

 	ids, err := util.ExtractIDs(chains[0][0].Extensions)
 	if err != nil {
 		return nil, err
 	}

 	return &security.Caller{
 		AuthSource: security.AuthSourceClientCertificate,
 		Identities: ids,
 	}, nil
 }

 // AuthenticateRequest performs mTLS authentication for http requests. Requires having the endpoints on a listener
 // with proper TLS configuration.
 func (cca *ClientCertAuthenticator) AuthenticateRequest(req *http.Request) (*security.Caller, error) {
 	if req.TLS == nil || req.TLS.VerifiedChains == nil {
 		return nil, fmt.Errorf("no client certificate is presented")
 	}

 	chains := req.TLS.VerifiedChains
 	if len(chains) == 0 || len(chains[0]) == 0 {
 		return nil, fmt.Errorf("no verified chain is found")
 	}

 	ids, err := util.ExtractIDs(chains[0][0].Extensions)
 	if err != nil {
 		return nil, err
 	}

 	return &security.Caller{
 		AuthSource: security.AuthSourceClientCertificate,
 		Identities: ids,
 	}, nil
 }
	// Copyright 2017 Istio Authors
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package authenticate

	import (
	"fmt"
	"net/http"
	)

	import (
	"golang.org/x/net/context"
	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/peer"
	)

	import (
	"github.com/apache/dubbo-go-pixiu/pkg/security"
	"github.com/apache/dubbo-go-pixiu/security/pkg/pki/util"
	)

	const (
	ClientCertAuthenticatorType = "ClientCertAuthenticator"
	)

	// ClientCertAuthenticator extracts identities from client certificate.
	type ClientCertAuthenticator struct{}

	var _ security.Authenticator = &ClientCertAuthenticator{}

	func (cca *ClientCertAuthenticator) AuthenticatorType() string {
	return ClientCertAuthenticatorType
	}

	// Authenticate extracts identities from presented client certificates. This
	// method assumes that certificate chain has been properly validated before
	// this method is called. In other words, this method does not do certificate
	// chain validation itself.
	func (cca ClientCertAuthenticator) Authenticate(ctx context.Context) (security.Caller, error) {
	peer, ok := peer.FromContext(ctx)
	if !ok \|\| peer.AuthInfo == nil {
	return nil, fmt.Errorf("no client certificate is presented")
	}

	if authType := peer.AuthInfo.AuthType(); authType != "tls" {
	return nil, fmt.Errorf("unsupported auth type: %q", authType)
	}

	tlsInfo := peer.AuthInfo.(credentials.TLSInfo)
	chains := tlsInfo.State.VerifiedChains
	if len(chains) == 0 \|\| len(chains[0]) == 0 {
	return nil, fmt.Errorf("no verified chain is found")
	}

	ids, err := util.ExtractIDs(chains[0][0].Extensions)
	if err != nil {
	return nil, err
	}

	return &security.Caller{
	AuthSource: security.AuthSourceClientCertificate,
	Identities: ids,
	}, nil
	}

	// AuthenticateRequest performs mTLS authentication for http requests. Requires having the endpoints on a listener
	// with proper TLS configuration.
	func (cca ClientCertAuthenticator) AuthenticateRequest(req http.Request) (*security.Caller, error) {
	if req.TLS == nil \|\| req.TLS.VerifiedChains == nil {
	return nil, fmt.Errorf("no client certificate is presented")
	}

	chains := req.TLS.VerifiedChains
	if len(chains) == 0 \|\| len(chains[0]) == 0 {
	return nil, fmt.Errorf("no verified chain is found")
	}

	ids, err := util.ExtractIDs(chains[0][0].Extensions)
	if err != nil {
	return nil, err
	}

	return &security.Caller{
	AuthSource: security.AuthSourceClientCertificate,
	Identities: ids,
	}, nil
	}