1 /*
2 *
3 * Copyright 2021 Google LLC
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * https://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18 19 // Package authinfo provides authentication and authorization information that
20 // results from the TLS handshake.
21 package authinfo
22 23 import (
24 "errors"
25 26 commonpb "github.com/google/s2a-go/internal/proto/common_go_proto"
27 contextpb "github.com/google/s2a-go/internal/proto/s2a_context_go_proto"
28 grpcpb "github.com/google/s2a-go/internal/proto/s2a_go_proto"
29 "google.golang.org/grpc/credentials"
30 )
// Compile-time assertion that *S2AAuthInfo satisfies the gRPC
// credentials.AuthInfo interface.
var _ credentials.AuthInfo = (*S2AAuthInfo)(nil)

// s2aAuthType is the authentication type string reported by
// (*S2AAuthInfo).AuthType.
const s2aAuthType = "s2a"
// S2AAuthInfo exposes authentication and authorization information from the
// S2A session result to the gRPC stack.
//
// Every accessor except AuthType dereferences the receiver, so calling one on
// a nil *S2AAuthInfo panics.
type S2AAuthInfo struct {
	// s2aContext holds the handshake-derived fields (protocol, TLS version,
	// ciphersuite, identities, certificate fingerprints, resumption flag)
	// copied from the session result by newS2AAuthInfo.
	s2aContext *contextpb.S2AContext
	// commonAuthInfo carries the gRPC security level; newS2AAuthInfo sets it
	// to credentials.PrivacyAndIntegrity.
	commonAuthInfo credentials.CommonAuthInfo
}
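// NewS2AAuthInfo returns a new credentials.AuthInfo built from the S2A session
// result.
//
// It returns an error when result is nil. On error the returned AuthInfo is
// the untyped nil interface. Forwarding the (*S2AAuthInfo)(nil) produced by
// newS2AAuthInfo directly would wrap a nil pointer in a non-nil interface
// value, so a caller guarding with `info != nil` would proceed and then panic
// in any accessor that dereferences the receiver.
func NewS2AAuthInfo(result *grpcpb.SessionResult) (credentials.AuthInfo, error) {
	info, err := newS2AAuthInfo(result)
	if err != nil {
		// Return a literal nil so the interface itself compares equal to nil.
		return nil, err
	}
	return info, nil
}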
// newS2AAuthInfo copies the handshake outcome carried by result into a fresh
// S2AAuthInfo. It fails only when result itself is nil.
//
// No field of result is validated here: each value is taken as returned by
// the corresponding getter, so an unset State, identity or fingerprint is
// stored as whatever that getter yields (for generated protobuf getters, the
// zero value). Callers that base authorization decisions on PeerIdentity or
// the fingerprints should check for nil/empty values themselves.
func newS2AAuthInfo(result *grpcpb.SessionResult) (*S2AAuthInfo, error) {
	if result == nil {
		return nil, errors.New("NewS2aAuthInfo given nil session result")
	}

	// The TLS version, ciphersuite and resumption flag all come from the
	// session state; fetch it once.
	state := result.GetState()

	sessionCtx := &contextpb.S2AContext{
		ApplicationProtocol:  result.GetApplicationProtocol(),
		TlsVersion:           state.GetTlsVersion(),
		Ciphersuite:          state.GetTlsCiphersuite(),
		PeerIdentity:         result.GetPeerIdentity(),
		LocalIdentity:        result.GetLocalIdentity(),
		PeerCertFingerprint:  result.GetPeerCertFingerprint(),
		LocalCertFingerprint: result.GetLocalCertFingerprint(),
		IsHandshakeResumed:   state.GetIsHandshakeResumed(),
	}

	// The security level is set unconditionally; it is not derived from the
	// negotiated TLS version or ciphersuite.
	common := credentials.CommonAuthInfo{SecurityLevel: credentials.PrivacyAndIntegrity}

	info := &S2AAuthInfo{
		s2aContext:     sessionCtx,
		commonAuthInfo: common,
	}
	return info, nil
}
// AuthType reports the authentication type, which is always the package
// constant s2aAuthType. The receiver is not dereferenced.
func (s *S2AAuthInfo) AuthType() string {
	const authType = s2aAuthType
	return authType
}
// ApplicationProtocol reports the application protocol stored in the S2A
// context, e.g. "grpc".
func (s *S2AAuthInfo) ApplicationProtocol() string {
	sessionCtx := s.s2aContext
	return sessionCtx.GetApplicationProtocol()
}
// TLSVersion reports the TLS version negotiated during the handshake, as
// stored in the S2A context.
func (s *S2AAuthInfo) TLSVersion() commonpb.TLSVersion {
	version := s.s2aContext.GetTlsVersion()
	return version
}
// Ciphersuite reports the ciphersuite negotiated during the handshake, as
// stored in the S2A context.
func (s *S2AAuthInfo) Ciphersuite() commonpb.Ciphersuite {
	suite := s.s2aContext.GetCiphersuite()
	return suite
}
// PeerIdentity returns the authenticated identity of the peer as stored in
// the S2A context.
//
// This method performs no validation of the identity. The result is
// presumably nil when the session result carried no peer identity, so check
// it before using it in an authorization decision.
func (s *S2AAuthInfo) PeerIdentity() *commonpb.Identity {
	sessionCtx := s.s2aContext
	return sessionCtx.GetPeerIdentity()
}
// LocalIdentity returns the local identity of the application that was used
// during session setup, as stored in the S2A context.
func (s *S2AAuthInfo) LocalIdentity() *commonpb.Identity {
	local := s.s2aContext.GetLocalIdentity()
	return local
}
// PeerCertFingerprint returns the SHA256 hash of the peer certificate used in
// the S2A handshake.
//
// This method makes no copy of the slice it gets from the context getter, so
// callers should treat the result as read-only.
func (s *S2AAuthInfo) PeerCertFingerprint() []byte {
	sessionCtx := s.s2aContext
	return sessionCtx.GetPeerCertFingerprint()
}
// LocalCertFingerprint returns the SHA256 hash of the local certificate used
// in the S2A handshake.
//
// This method makes no copy of the slice it gets from the context getter, so
// callers should treat the result as read-only.
func (s *S2AAuthInfo) LocalCertFingerprint() []byte {
	fingerprint := s.s2aContext.GetLocalCertFingerprint()
	return fingerprint
}
// IsHandshakeResumed reports whether a cached session was used to resume the
// handshake, as stored in the S2A context.
func (s *S2AAuthInfo) IsHandshakeResumed() bool {
	sessionCtx := s.s2aContext
	return sessionCtx.GetIsHandshakeResumed()
}
// SecurityLevel reports the security level of the connection, read from the
// embedded CommonAuthInfo value. newS2AAuthInfo sets that value to
// credentials.PrivacyAndIntegrity.
func (s *S2AAuthInfo) SecurityLevel() credentials.SecurityLevel {
	level := s.commonAuthInfo.SecurityLevel
	return level
}