#include "source/extensions/grpc_credentials/file_based_metadata/config.h"

#include "envoy/config/core/v3/grpc_service.pb.h"
#include "envoy/config/grpc_credential/v3/file_based_metadata.pb.h"
#include "envoy/config/grpc_credential/v3/file_based_metadata.pb.validate.h"
#include "envoy/grpc/google_grpc_creds.h"
#include "envoy/registry/registry.h"

#include "source/common/config/datasource.h"
#include "source/common/config/utility.h"
#include "source/common/grpc/google_grpc_creds_impl.h"
#include "source/common/protobuf/message_validator_impl.h"
#include "source/common/protobuf/utility.h"

namespace Envoy {
namespace Extensions {
namespace GrpcCredentials {
namespace FileBasedMetadata {

// Builds the channel credentials for a Google gRPC service: the default SSL channel
// credentials, composed with one file-based-metadata call credential for every
// `from_plugin` entry in the service's call_credentials list that names this extension.
// All other call credential types are ignored by this factory.
std::shared_ptr<grpc::ChannelCredentials>
FileBasedMetadataGrpcCredentialsFactory::getChannelCredentials(
    const envoy::config::core::v3::GrpcService& grpc_service_config, Api::Api& api) {
  using CallCredentialsProto = envoy::config::core::v3::GrpcService::GoogleGrpc::CallCredentials;

  std::shared_ptr<grpc::ChannelCredentials> channel_creds =
      Grpc::CredsUtility::defaultSslChannelCredentials(grpc_service_config, api);
  // Accumulates the call credentials of every matching plugin entry; stays null when
  // there is none, in which case the plain channel credentials are returned.
  std::shared_ptr<grpc::CallCredentials> composed_call_creds;

  for (const auto& credential : grpc_service_config.google_grpc().call_credentials()) {
    // Only `from_plugin` entries that name this extension contribute a credential.
    if (credential.credential_specifier_case() !=
            CallCredentialsProto::CredentialSpecifierCase::kFromPlugin ||
        credential.from_plugin().name() != "envoy.grpc_credentials.file_based_metadata") {
      continue;
    }

    FileBasedMetadataGrpcCredentialsFactory plugin_factory;
    // Validation failures are not dealt with at runtime here (null validation visitor), see
    // https://github.com/envoyproxy/envoy/issues/8010.
    const Envoy::ProtobufTypes::MessagePtr plugin_config_message =
        Envoy::Config::Utility::translateToFactoryConfig(
            credential.from_plugin(), ProtobufMessage::getNullValidationVisitor(),
            plugin_factory);
    const auto& plugin_config = Envoy::MessageUtil::downcastAndValidate<
        const envoy::config::grpc_credential::v3::FileBasedMetadataConfig&>(
        *plugin_config_message, ProtobufMessage::getNullValidationVisitor());

    std::shared_ptr<grpc::CallCredentials> plugin_call_creds = grpc::MetadataCredentialsFromPlugin(
        std::make_unique<FileBasedMetadataAuthenticator>(plugin_config, api));
    // Chain several matching entries so that each of them is applied to every call.
    composed_call_creds =
        composed_call_creds == nullptr
            ? plugin_call_creds
            : grpc::CompositeCallCredentials(composed_call_creds, plugin_call_creds);
  }

  if (composed_call_creds == nullptr) {
    return channel_creds;
  }
  return grpc::CompositeChannelCredentials(channel_creds, composed_call_creds);
}

// Invoked by gRPC for each outgoing call on a channel that carries these credentials.
// Reads the configured secret data source and adds it, prefixed with `header_prefix`,
// as the metadata value under `header_key` (default "authorization").
// Returns NOT_FOUND when the data source cannot be read.
grpc::Status
FileBasedMetadataAuthenticator::GetMetadata(grpc::string_ref, grpc::string_ref,
                                            const grpc::AuthContext&,
                                            std::multimap<grpc::string, grpc::string>* metadata) {
  const std::string header_key =
      config_.header_key().empty() ? std::string("authorization") : config_.header_key();
  const std::string& header_prefix = config_.header_prefix();

  // The secret is read from its source on every call rather than cached, so a changed
  // or removed source is observed on the next call.
  // TODO(#14320): avoid using an exception here or find some way of doing this
  // in the main thread.
  TRY_NEEDS_AUDIT {
    // NOTE(review): assuming the `true` argument is allow_empty, an empty source still
    // produces a header consisting of the prefix alone — confirm that is intended.
    const std::string header_value =
        Envoy::Config::DataSource::read(config_.secret_data(), true, api_);
    metadata->emplace(header_key, header_prefix + header_value);
  }
  END_TRY
  catch (const EnvoyException& e) {
    return grpc::Status(grpc::StatusCode::NOT_FOUND, e.what());
  }
  return grpc::Status::OK;
}

/**
 * Static registration of the file based metadata Google gRPC credentials factory.
 * @see RegisterFactory.
 */
REGISTER_FACTORY(FileBasedMetadataGrpcCredentialsFactory, Grpc::GoogleGrpcCredentialsFactory);

} // namespace FileBasedMetadata
} // namespace GrpcCredentials
} // namespace Extensions
} // namespace Envoy