author | Nathan Dench <ndenc2@gmail.com> | 2019-05-24 15:16:44 +1000 |
---|---|---|
committer | Nathan Dench <ndenc2@gmail.com> | 2019-05-24 15:16:44 +1000 |
commit | 107c1cdb09c575aa2f61d97f48d8587eb6bada4c (patch) | |
tree | ca7d008643efc555c388baeaf1d986e0b6b3e28c /vendor/google.golang.org/grpc/credentials/credentials.go | |
parent | 844b5a68d8af4791755b8f0ad293cc99f5959183 (diff) | |
Upgrade to 0.12
Diffstat (limited to 'vendor/google.golang.org/grpc/credentials/credentials.go')
-rw-r--r-- | vendor/google.golang.org/grpc/credentials/credentials.go | 145 |
1 files changed, 127 insertions, 18 deletions
diff --git a/vendor/google.golang.org/grpc/credentials/credentials.go b/vendor/google.golang.org/grpc/credentials/credentials.go index 2475fe8..a851560 100644 --- a/vendor/google.golang.org/grpc/credentials/credentials.go +++ b/vendor/google.golang.org/grpc/credentials/credentials.go | |||
@@ -23,6 +23,7 @@ | |||
23 | package credentials // import "google.golang.org/grpc/credentials" | 23 | package credentials // import "google.golang.org/grpc/credentials" |
24 | 24 | ||
25 | import ( | 25 | import ( |
26 | "context" | ||
26 | "crypto/tls" | 27 | "crypto/tls" |
27 | "crypto/x509" | 28 | "crypto/x509" |
28 | "errors" | 29 | "errors" |
@@ -31,13 +32,12 @@ import ( | |||
31 | "net" | 32 | "net" |
32 | "strings" | 33 | "strings" |
33 | 34 | ||
34 | "golang.org/x/net/context" | 35 | "github.com/golang/protobuf/proto" |
36 | "google.golang.org/grpc/credentials/internal" | ||
35 | ) | 37 | ) |
36 | 38 | ||
37 | var ( | 39 | // alpnProtoStr are the specified application level protocols for gRPC. |
38 | // alpnProtoStr are the specified application level protocols for gRPC. | 40 | var alpnProtoStr = []string{"h2"} |
39 | alpnProtoStr = []string{"h2"} | ||
40 | ) | ||
41 | 41 | ||
42 | // PerRPCCredentials defines the common interface for the credentials which need to | 42 | // PerRPCCredentials defines the common interface for the credentials which need to |
43 | // attach security information to every RPC (e.g., oauth2). | 43 | // attach security information to every RPC (e.g., oauth2). |
@@ -45,8 +45,9 @@ type PerRPCCredentials interface { | |||
45 | // GetRequestMetadata gets the current request metadata, refreshing | 45 | // GetRequestMetadata gets the current request metadata, refreshing |
46 | // tokens if required. This should be called by the transport layer on | 46 | // tokens if required. This should be called by the transport layer on |
47 | // each request, and the data should be populated in headers or other | 47 | // each request, and the data should be populated in headers or other |
48 | // context. uri is the URI of the entry point for the request. When | 48 | // context. If a status code is returned, it will be used as the status |
49 | // supported by the underlying implementation, ctx can be used for | 49 | // for the RPC. uri is the URI of the entry point for the request. |
50 | // When supported by the underlying implementation, ctx can be used for | ||
50 | // timeout and cancellation. | 51 | // timeout and cancellation. |
51 | // TODO(zhaoq): Define the set of the qualified keys instead of leaving | 52 | // TODO(zhaoq): Define the set of the qualified keys instead of leaving |
52 | // it as an arbitrary string. | 53 | // it as an arbitrary string. |
@@ -74,11 +75,9 @@ type AuthInfo interface { | |||
74 | AuthType() string | 75 | AuthType() string |
75 | } | 76 | } |
76 | 77 | ||
77 | var ( | 78 | // ErrConnDispatched indicates that rawConn has been dispatched out of gRPC |
78 | // ErrConnDispatched indicates that rawConn has been dispatched out of gRPC | 79 | // and the caller should not close rawConn. |
79 | // and the caller should not close rawConn. | 80 | var ErrConnDispatched = errors.New("credentials: rawConn is dispatched out of gRPC") |
80 | ErrConnDispatched = errors.New("credentials: rawConn is dispatched out of gRPC") | ||
81 | ) | ||
82 | 81 | ||
83 | // TransportCredentials defines the common interface for all the live gRPC wire | 82 | // TransportCredentials defines the common interface for all the live gRPC wire |
84 | // protocols and supported transport security protocols (e.g., TLS, SSL). | 83 | // protocols and supported transport security protocols (e.g., TLS, SSL). |
@@ -91,10 +90,14 @@ type TransportCredentials interface { | |||
91 | // (io.EOF, context.DeadlineExceeded or err.Temporary() == true). | 90 | // (io.EOF, context.DeadlineExceeded or err.Temporary() == true). |
92 | // If the returned error is a wrapper error, implementations should make sure that | 91 | // If the returned error is a wrapper error, implementations should make sure that |
93 | // the error implements Temporary() to have the correct retry behaviors. | 92 | // the error implements Temporary() to have the correct retry behaviors. |
93 | // | ||
94 | // If the returned net.Conn is closed, it MUST close the net.Conn provided. | ||
94 | ClientHandshake(context.Context, string, net.Conn) (net.Conn, AuthInfo, error) | 95 | ClientHandshake(context.Context, string, net.Conn) (net.Conn, AuthInfo, error) |
95 | // ServerHandshake does the authentication handshake for servers. It returns | 96 | // ServerHandshake does the authentication handshake for servers. It returns |
96 | // the authenticated connection and the corresponding auth information about | 97 | // the authenticated connection and the corresponding auth information about |
97 | // the connection. | 98 | // the connection. |
99 | // | ||
100 | // If the returned net.Conn is closed, it MUST close the net.Conn provided. | ||
98 | ServerHandshake(net.Conn) (net.Conn, AuthInfo, error) | 101 | ServerHandshake(net.Conn) (net.Conn, AuthInfo, error) |
99 | // Info provides the ProtocolInfo of this TransportCredentials. | 102 | // Info provides the ProtocolInfo of this TransportCredentials. |
100 | Info() ProtocolInfo | 103 | Info() ProtocolInfo |
@@ -106,6 +109,25 @@ type TransportCredentials interface { | |||
106 | OverrideServerName(string) error | 109 | OverrideServerName(string) error |
107 | } | 110 | } |
108 | 111 | ||
112 | // Bundle is a combination of TransportCredentials and PerRPCCredentials. | ||
113 | // | ||
114 | // It also contains a mode switching method, so it can be used as a combination | ||
115 | // of different credential policies. | ||
116 | // | ||
117 | // Bundle cannot be used together with individual TransportCredentials. | ||
118 | // PerRPCCredentials from Bundle will be appended to other PerRPCCredentials. | ||
119 | // | ||
120 | // This API is experimental. | ||
121 | type Bundle interface { | ||
122 | TransportCredentials() TransportCredentials | ||
123 | PerRPCCredentials() PerRPCCredentials | ||
124 | // NewWithMode should make a copy of Bundle, and switch mode. Modifying the | ||
125 | // existing Bundle may cause races. | ||
126 | // | ||
127 | // NewWithMode returns nil if the requested mode is not supported. | ||
128 | NewWithMode(mode string) (Bundle, error) | ||
129 | } | ||
130 | |||
109 | // TLSInfo contains the auth information for a TLS authenticated connection. | 131 | // TLSInfo contains the auth information for a TLS authenticated connection. |
110 | // It implements the AuthInfo interface. | 132 | // It implements the AuthInfo interface. |
111 | type TLSInfo struct { | 133 | type TLSInfo struct { |
@@ -117,6 +139,18 @@ func (t TLSInfo) AuthType() string { | |||
117 | return "tls" | 139 | return "tls" |
118 | } | 140 | } |
119 | 141 | ||
142 | // GetSecurityValue returns security info requested by channelz. | ||
143 | func (t TLSInfo) GetSecurityValue() ChannelzSecurityValue { | ||
144 | v := &TLSChannelzSecurityValue{ | ||
145 | StandardName: cipherSuiteLookup[t.State.CipherSuite], | ||
146 | } | ||
147 | // Currently there's no way to get LocalCertificate info from tls package. | ||
148 | if len(t.State.PeerCertificates) > 0 { | ||
149 | v.RemoteCertificate = t.State.PeerCertificates[0].Raw | ||
150 | } | ||
151 | return v | ||
152 | } | ||
153 | |||
120 | // tlsCreds is the credentials required for authenticating a connection using TLS. | 154 | // tlsCreds is the credentials required for authenticating a connection using TLS. |
121 | type tlsCreds struct { | 155 | type tlsCreds struct { |
122 | // TLS configuration | 156 | // TLS configuration |
@@ -131,15 +165,15 @@ func (c tlsCreds) Info() ProtocolInfo { | |||
131 | } | 165 | } |
132 | } | 166 | } |
133 | 167 | ||
134 | func (c *tlsCreds) ClientHandshake(ctx context.Context, addr string, rawConn net.Conn) (_ net.Conn, _ AuthInfo, err error) { | 168 | func (c *tlsCreds) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (_ net.Conn, _ AuthInfo, err error) { |
135 | // use local cfg to avoid clobbering ServerName if using multiple endpoints | 169 | // use local cfg to avoid clobbering ServerName if using multiple endpoints |
136 | cfg := cloneTLSConfig(c.config) | 170 | cfg := cloneTLSConfig(c.config) |
137 | if cfg.ServerName == "" { | 171 | if cfg.ServerName == "" { |
138 | colonPos := strings.LastIndex(addr, ":") | 172 | colonPos := strings.LastIndex(authority, ":") |
139 | if colonPos == -1 { | 173 | if colonPos == -1 { |
140 | colonPos = len(addr) | 174 | colonPos = len(authority) |
141 | } | 175 | } |
142 | cfg.ServerName = addr[:colonPos] | 176 | cfg.ServerName = authority[:colonPos] |
143 | } | 177 | } |
144 | conn := tls.Client(rawConn, cfg) | 178 | conn := tls.Client(rawConn, cfg) |
145 | errChannel := make(chan error, 1) | 179 | errChannel := make(chan error, 1) |
@@ -154,7 +188,7 @@ func (c *tlsCreds) ClientHandshake(ctx context.Context, addr string, rawConn net | |||
154 | case <-ctx.Done(): | 188 | case <-ctx.Done(): |
155 | return nil, nil, ctx.Err() | 189 | return nil, nil, ctx.Err() |
156 | } | 190 | } |
157 | return conn, TLSInfo{conn.ConnectionState()}, nil | 191 | return internal.WrapSyscallConn(rawConn, conn), TLSInfo{conn.ConnectionState()}, nil |
158 | } | 192 | } |
159 | 193 | ||
160 | func (c *tlsCreds) ServerHandshake(rawConn net.Conn) (net.Conn, AuthInfo, error) { | 194 | func (c *tlsCreds) ServerHandshake(rawConn net.Conn) (net.Conn, AuthInfo, error) { |
@@ -162,7 +196,7 @@ func (c *tlsCreds) ServerHandshake(rawConn net.Conn) (net.Conn, AuthInfo, error) | |||
162 | if err := conn.Handshake(); err != nil { | 196 | if err := conn.Handshake(); err != nil { |
163 | return nil, nil, err | 197 | return nil, nil, err |
164 | } | 198 | } |
165 | return conn, TLSInfo{conn.ConnectionState()}, nil | 199 | return internal.WrapSyscallConn(rawConn, conn), TLSInfo{conn.ConnectionState()}, nil |
166 | } | 200 | } |
167 | 201 | ||
168 | func (c *tlsCreds) Clone() TransportCredentials { | 202 | func (c *tlsCreds) Clone() TransportCredentials { |
@@ -217,3 +251,78 @@ func NewServerTLSFromFile(certFile, keyFile string) (TransportCredentials, error | |||
217 | } | 251 | } |
218 | return NewTLS(&tls.Config{Certificates: []tls.Certificate{cert}}), nil | 252 | return NewTLS(&tls.Config{Certificates: []tls.Certificate{cert}}), nil |
219 | } | 253 | } |
254 | |||
255 | // ChannelzSecurityInfo defines the interface that security protocols should implement | ||
256 | // in order to provide security info to channelz. | ||
257 | type ChannelzSecurityInfo interface { | ||
258 | GetSecurityValue() ChannelzSecurityValue | ||
259 | } | ||
260 | |||
261 | // ChannelzSecurityValue defines the interface that GetSecurityValue() return value | ||
262 | // should satisfy. This interface should only be satisfied by *TLSChannelzSecurityValue | ||
263 | // and *OtherChannelzSecurityValue. | ||
264 | type ChannelzSecurityValue interface { | ||
265 | isChannelzSecurityValue() | ||
266 | } | ||
267 | |||
268 | // TLSChannelzSecurityValue defines the struct that TLS protocol should return | ||
269 | // from GetSecurityValue(), containing security info like cipher and certificate used. | ||
270 | type TLSChannelzSecurityValue struct { | ||
271 | StandardName string | ||
272 | LocalCertificate []byte | ||
273 | RemoteCertificate []byte | ||
274 | } | ||
275 | |||
276 | func (*TLSChannelzSecurityValue) isChannelzSecurityValue() {} | ||
277 | |||
278 | // OtherChannelzSecurityValue defines the struct that non-TLS protocol should return | ||
279 | // from GetSecurityValue(), which contains protocol specific security info. Note | ||
280 | // the Value field will be sent to users of channelz requesting channel info, and | ||
281 | // thus sensitive info should better be avoided. | ||
282 | type OtherChannelzSecurityValue struct { | ||
283 | Name string | ||
284 | Value proto.Message | ||
285 | } | ||
286 | |||
287 | func (*OtherChannelzSecurityValue) isChannelzSecurityValue() {} | ||
288 | |||
289 | var cipherSuiteLookup = map[uint16]string{ | ||
290 | tls.TLS_RSA_WITH_RC4_128_SHA: "TLS_RSA_WITH_RC4_128_SHA", | ||
291 | tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", | ||
292 | tls.TLS_RSA_WITH_AES_128_CBC_SHA: "TLS_RSA_WITH_AES_128_CBC_SHA", | ||
293 | tls.TLS_RSA_WITH_AES_256_CBC_SHA: "TLS_RSA_WITH_AES_256_CBC_SHA", | ||
294 | tls.TLS_RSA_WITH_AES_128_GCM_SHA256: "TLS_RSA_WITH_AES_128_GCM_SHA256", | ||
295 | tls.TLS_RSA_WITH_AES_256_GCM_SHA384: "TLS_RSA_WITH_AES_256_GCM_SHA384", | ||
296 | tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", | ||
297 | tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", | ||
298 | tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", | ||
299 | tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA: "TLS_ECDHE_RSA_WITH_RC4_128_SHA", | ||
300 | tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", | ||
301 | tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", | ||
302 | tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", | ||
303 | tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", | ||
304 | tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", | ||
305 | tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", | ||
306 | tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", | ||
307 | tls.TLS_FALLBACK_SCSV: "TLS_FALLBACK_SCSV", | ||
308 | tls.TLS_RSA_WITH_AES_128_CBC_SHA256: "TLS_RSA_WITH_AES_128_CBC_SHA256", | ||
309 | tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", | ||
310 | tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", | ||
311 | tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", | ||
312 | tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", | ||
313 | } | ||
314 | |||
315 | // cloneTLSConfig returns a shallow clone of the exported | ||
316 | // fields of cfg, ignoring the unexported sync.Once, which | ||
317 | // contains a mutex and must not be copied. | ||
318 | // | ||
319 | // If cfg is nil, a new zero tls.Config is returned. | ||
320 | // | ||
321 | // TODO: inline this function if possible. | ||
322 | func cloneTLSConfig(cfg *tls.Config) *tls.Config { | ||
323 | if cfg == nil { | ||
324 | return &tls.Config{} | ||
325 | } | ||
326 | |||
327 | return cfg.Clone() | ||
328 | } | ||