1 // Copyright 2020 Google LLC.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
4 5 // cba.go (certificate-based access) contains utils for implementing Device Certificate
6 // Authentication according to https://google.aip.dev/auth/4114 and Default Credentials
7 // for Google Cloud Virtual Environments according to https://google.aip.dev/auth/4115.
8 //
9 // The overall logic for DCA is as follows:
10 // 1. If both endpoint override and client certificate are specified, use them as is.
11 // 2. If user does not specify client certificate, we will attempt to use default
12 // client certificate.
13 // 3. If user does not specify endpoint override, we will use defaultMtlsEndpoint if
14 // client certificate is available and defaultEndpoint otherwise.
15 //
16 // Implications of the above logic:
17 // 1. If the user specifies a non-mTLS endpoint override but client certificate is
18 // available, we will pass along the cert anyway and let the server decide what to do.
19 // 2. If the user specifies an mTLS endpoint override but client certificate is not
20 // available, we will not fail-fast, but let backend throw error when connecting.
21 //
22 // If running within Google's cloud environment, and client certificate is not specified
23 // and not available through DCA, we will try mTLS with credentials held by
24 // the Secure Session Agent, which is part of Google's cloud infrastructure.
25 //
26 // We would like to avoid introducing client-side logic that parses whether the
27 // endpoint override is an mTLS url, since the url pattern may change at anytime.
28 //
29 // This package is not intended for use by end developers. Use the
30 // google.golang.org/api/option package to configure API clients.
31 32 // Package internal supports the options and transport packages.
33 package internal
34 35 import (
36 "context"
37 "crypto/tls"
38 "errors"
39 "net"
40 "net/url"
41 "os"
42 "strings"
43 44 "github.com/google/s2a-go"
45 "google.golang.org/api/internal/cert"
46 "google.golang.org/grpc/credentials"
47 )
48 49 const (
50 mTLSModeAlways = "always"
51 mTLSModeNever = "never"
52 mTLSModeAuto = "auto"
53 54 // Experimental: if true, the code will try MTLS with S2A as the default for transport security. Default value is false.
55 googleAPIUseS2AEnv = "EXPERIMENTAL_GOOGLE_API_USE_S2A"
56 57 universeDomainPlaceholder = "UNIVERSE_DOMAIN"
58 )
59 60 var (
61 errUniverseNotSupportedMTLS = errors.New("mTLS is not supported in any universe other than googleapis.com")
62 )
63 64 // getClientCertificateSourceAndEndpoint is a convenience function that invokes
65 // getClientCertificateSource and getEndpoint sequentially and returns the client
66 // cert source and endpoint as a tuple.
67 func getClientCertificateSourceAndEndpoint(settings *DialSettings) (cert.Source, string, error) {
68 clientCertSource, err := getClientCertificateSource(settings)
69 if err != nil {
70 return nil, "", err
71 }
72 endpoint, err := getEndpoint(settings, clientCertSource)
73 if err != nil {
74 return nil, "", err
75 }
76 // TODO(chrisdsmith): https://github.com/googleapis/google-api-go-client/issues/2359
77 if settings.Endpoint == "" && !settings.IsUniverseDomainGDU() && settings.DefaultEndpointTemplate != "" {
78 // TODO(chrisdsmith): https://github.com/googleapis/google-api-go-client/issues/2359
79 // if settings.DefaultEndpointTemplate == "" {
80 // return nil, "", errors.New("internaloption.WithDefaultEndpointTemplate is required if option.WithUniverseDomain is not googleapis.com")
81 // }
82 endpoint = resolvedDefaultEndpoint(settings)
83 }
84 return clientCertSource, endpoint, nil
85 }
86 87 type transportConfig struct {
88 clientCertSource cert.Source // The client certificate source.
89 endpoint string // The corresponding endpoint to use based on client certificate source.
90 s2aAddress string // The S2A address if it can be used, otherwise an empty string.
91 s2aMTLSEndpoint string // The MTLS endpoint to use with S2A.
92 }
93 94 func getTransportConfig(settings *DialSettings) (*transportConfig, error) {
95 clientCertSource, endpoint, err := getClientCertificateSourceAndEndpoint(settings)
96 if err != nil {
97 return nil, err
98 }
99 defaultTransportConfig := transportConfig{
100 clientCertSource: clientCertSource,
101 endpoint: endpoint,
102 s2aAddress: "",
103 s2aMTLSEndpoint: "",
104 }
105 106 if !shouldUseS2A(clientCertSource, settings) {
107 return &defaultTransportConfig, nil
108 }
109 if !settings.IsUniverseDomainGDU() {
110 return nil, errUniverseNotSupportedMTLS
111 }
112 113 s2aAddress := GetS2AAddress()
114 if s2aAddress == "" {
115 return &defaultTransportConfig, nil
116 }
117 return &transportConfig{
118 clientCertSource: clientCertSource,
119 endpoint: endpoint,
120 s2aAddress: s2aAddress,
121 s2aMTLSEndpoint: settings.DefaultMTLSEndpoint,
122 }, nil
123 }
124 125 // getClientCertificateSource returns a default client certificate source, if
126 // not provided by the user.
127 //
128 // A nil default source can be returned if the source does not exist. Any exceptions
129 // encountered while initializing the default source will be reported as client
130 // error (ex. corrupt metadata file).
131 //
132 // Important Note: For now, the environment variable GOOGLE_API_USE_CLIENT_CERTIFICATE
133 // must be set to "true" to allow certificate to be used (including user provided
134 // certificates). For details, see AIP-4114.
135 func getClientCertificateSource(settings *DialSettings) (cert.Source, error) {
136 if !isClientCertificateEnabled() {
137 return nil, nil
138 } else if settings.ClientCertSource != nil {
139 return settings.ClientCertSource, nil
140 } else {
141 return cert.DefaultSource()
142 }
143 }
144 145 func isClientCertificateEnabled() bool {
146 useClientCert := os.Getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE")
147 // TODO(andyrzhao): Update default to return "true" after DCA feature is fully released.
148 return strings.ToLower(useClientCert) == "true"
149 }
150 151 // getEndpoint returns the endpoint for the service, taking into account the
152 // user-provided endpoint override "settings.Endpoint".
153 //
154 // If no endpoint override is specified, we will either return the default endpoint or
155 // the default mTLS endpoint if a client certificate is available.
156 //
157 // You can override the default endpoint choice (mtls vs. regular) by setting the
158 // GOOGLE_API_USE_MTLS_ENDPOINT environment variable.
159 //
160 // If the endpoint override is an address (host:port) rather than full base
161 // URL (ex. https://...), then the user-provided address will be merged into
162 // the default endpoint. For example, WithEndpoint("myhost:8000") and
163 // WithDefaultEndpoint("https://foo.com/bar/baz") will return "https://myhost:8080/bar/baz"
164 func getEndpoint(settings *DialSettings, clientCertSource cert.Source) (string, error) {
165 if settings.Endpoint == "" {
166 if isMTLS(clientCertSource) {
167 if !settings.IsUniverseDomainGDU() {
168 return "", errUniverseNotSupportedMTLS
169 }
170 return settings.DefaultMTLSEndpoint, nil
171 }
172 return resolvedDefaultEndpoint(settings), nil
173 }
174 if strings.Contains(settings.Endpoint, "://") {
175 // User passed in a full URL path, use it verbatim.
176 return settings.Endpoint, nil
177 }
178 if resolvedDefaultEndpoint(settings) == "" {
179 // If DefaultEndpoint is not configured, use the user provided endpoint verbatim.
180 // This allows a naked "host[:port]" URL to be used with GRPC Direct Path.
181 return settings.Endpoint, nil
182 }
183 184 // Assume user-provided endpoint is host[:port], merge it with the default endpoint.
185 return mergeEndpoints(resolvedDefaultEndpoint(settings), settings.Endpoint)
186 }
187 188 func isMTLS(clientCertSource cert.Source) bool {
189 mtlsMode := getMTLSMode()
190 return mtlsMode == mTLSModeAlways || (clientCertSource != nil && mtlsMode == mTLSModeAuto)
191 }
192 193 // resolvedDefaultEndpoint returns the DefaultEndpointTemplate merged with the
194 // Universe Domain if the DefaultEndpointTemplate is set, otherwise returns the
195 // deprecated DefaultEndpoint value.
196 func resolvedDefaultEndpoint(settings *DialSettings) string {
197 if settings.DefaultEndpointTemplate == "" {
198 return settings.DefaultEndpoint
199 }
200 return strings.Replace(settings.DefaultEndpointTemplate, universeDomainPlaceholder, settings.GetUniverseDomain(), 1)
201 }
202 203 func getMTLSMode() string {
204 mode := os.Getenv("GOOGLE_API_USE_MTLS_ENDPOINT")
205 if mode == "" {
206 mode = os.Getenv("GOOGLE_API_USE_MTLS") // Deprecated.
207 }
208 if mode == "" {
209 return mTLSModeAuto
210 }
211 return strings.ToLower(mode)
212 }
213 214 func mergeEndpoints(baseURL, newHost string) (string, error) {
215 u, err := url.Parse(fixScheme(baseURL))
216 if err != nil {
217 return "", err
218 }
219 return strings.Replace(baseURL, u.Host, newHost, 1), nil
220 }
221 222 func fixScheme(baseURL string) string {
223 if !strings.Contains(baseURL, "://") {
224 return "https://" + baseURL
225 }
226 return baseURL
227 }
228 229 // GetGRPCTransportConfigAndEndpoint returns an instance of credentials.TransportCredentials, and the
230 // corresponding endpoint to use for GRPC client.
231 func GetGRPCTransportConfigAndEndpoint(settings *DialSettings) (credentials.TransportCredentials, string, error) {
232 config, err := getTransportConfig(settings)
233 if err != nil {
234 return nil, "", err
235 }
236 237 defaultTransportCreds := credentials.NewTLS(&tls.Config{
238 GetClientCertificate: config.clientCertSource,
239 })
240 if config.s2aAddress == "" {
241 return defaultTransportCreds, config.endpoint, nil
242 }
243 244 s2aTransportCreds, err := s2a.NewClientCreds(&s2a.ClientOptions{
245 S2AAddress: config.s2aAddress,
246 })
247 if err != nil {
248 // Use default if we cannot initialize S2A client transport credentials.
249 return defaultTransportCreds, config.endpoint, nil
250 }
251 return s2aTransportCreds, config.s2aMTLSEndpoint, nil
252 }
253 254 // GetHTTPTransportConfigAndEndpoint returns a client certificate source, a function for dialing MTLS with S2A,
255 // and the endpoint to use for HTTP client.
256 func GetHTTPTransportConfigAndEndpoint(settings *DialSettings) (cert.Source, func(context.Context, string, string) (net.Conn, error), string, error) {
257 config, err := getTransportConfig(settings)
258 if err != nil {
259 return nil, nil, "", err
260 }
261 262 if config.s2aAddress == "" {
263 return config.clientCertSource, nil, config.endpoint, nil
264 }
265 266 dialTLSContextFunc := s2a.NewS2ADialTLSContextFunc(&s2a.ClientOptions{
267 S2AAddress: config.s2aAddress,
268 })
269 return nil, dialTLSContextFunc, config.s2aMTLSEndpoint, nil
270 }
271 272 func shouldUseS2A(clientCertSource cert.Source, settings *DialSettings) bool {
273 // If client cert is found, use that over S2A.
274 if clientCertSource != nil {
275 return false
276 }
277 // If EXPERIMENTAL_GOOGLE_API_USE_S2A is not set to true, skip S2A.
278 if !isGoogleS2AEnabled() {
279 return false
280 }
281 // If DefaultMTLSEndpoint is not set or has endpoint override, skip S2A.
282 if settings.DefaultMTLSEndpoint == "" || settings.Endpoint != "" {
283 return false
284 }
285 // If custom HTTP client is provided, skip S2A.
286 if settings.HTTPClient != nil {
287 return false
288 }
289 return !settings.EnableDirectPath && !settings.EnableDirectPathXds
290 }
291 292 func isGoogleS2AEnabled() bool {
293 return strings.ToLower(os.Getenv(googleAPIUseS2AEnv)) == "true"
294 }
295