summaryrefslogtreecommitdiff
path: root/vendor/google.golang.org/grpc/credentials
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/google.golang.org/grpc/credentials')
-rw-r--r--vendor/google.golang.org/grpc/credentials/credentials.go34
-rw-r--r--vendor/google.golang.org/grpc/credentials/insecure/insecure.go8
-rw-r--r--vendor/google.golang.org/grpc/credentials/tls.go16
3 files changed, 56 insertions, 2 deletions
diff --git a/vendor/google.golang.org/grpc/credentials/credentials.go b/vendor/google.golang.org/grpc/credentials/credentials.go
index 665e790bb..a63ab606e 100644
--- a/vendor/google.golang.org/grpc/credentials/credentials.go
+++ b/vendor/google.golang.org/grpc/credentials/credentials.go
@@ -120,6 +120,20 @@ type AuthInfo interface {
AuthType() string
}
+// AuthorityValidator validates the authority used to override the `:authority`
+// header. This is an optional interface that implementations of AuthInfo can
+// implement if they support per-RPC authority overrides. It is invoked when the
+// application attempts to override the HTTP/2 `:authority` header using the
+// CallAuthority call option.
+type AuthorityValidator interface {
+ // ValidateAuthority checks the authority value used to override the
+ // `:authority` header. The authority parameter is the override value
+ // provided by the application via the CallAuthority option. This value
+ // typically corresponds to the server hostname or endpoint the RPC is
+ // targeting. It returns non-nil error if the validation fails.
+ ValidateAuthority(authority string) error
+}
+
// ErrConnDispatched indicates that rawConn has been dispatched out of gRPC
// and the caller should not close rawConn.
var ErrConnDispatched = errors.New("credentials: rawConn is dispatched out of gRPC")
@@ -207,14 +221,32 @@ type RequestInfo struct {
AuthInfo AuthInfo
}
+// requestInfoKey is a struct to be used as the key to store RequestInfo in a
+// context.
+type requestInfoKey struct{}
+
// RequestInfoFromContext extracts the RequestInfo from the context if it exists.
//
// This API is experimental.
func RequestInfoFromContext(ctx context.Context) (ri RequestInfo, ok bool) {
- ri, ok = icredentials.RequestInfoFromContext(ctx).(RequestInfo)
+ ri, ok = ctx.Value(requestInfoKey{}).(RequestInfo)
return ri, ok
}
+// NewContextWithRequestInfo creates a new context from ctx and attaches ri to it.
+//
+// This RequestInfo will be accessible via RequestInfoFromContext.
+//
+// Intended to be used from tests for PerRPCCredentials implementations (that
+// often need to check connection's SecurityLevel). Should not be used from
+// non-test code: the gRPC client already prepares a context with the correct
+// RequestInfo attached when calling PerRPCCredentials.GetRequestMetadata.
+//
+// This API is experimental.
+func NewContextWithRequestInfo(ctx context.Context, ri RequestInfo) context.Context {
+ return context.WithValue(ctx, requestInfoKey{}, ri)
+}
+
// ClientHandshakeInfo holds data to be passed to ClientHandshake. This makes
// it possible to pass arbitrary data to the handshaker from gRPC, resolver,
// balancer etc. Individual credential implementations control the actual
diff --git a/vendor/google.golang.org/grpc/credentials/insecure/insecure.go b/vendor/google.golang.org/grpc/credentials/insecure/insecure.go
index 4c805c644..93156c0f3 100644
--- a/vendor/google.golang.org/grpc/credentials/insecure/insecure.go
+++ b/vendor/google.golang.org/grpc/credentials/insecure/insecure.go
@@ -30,7 +30,7 @@ import (
// NewCredentials returns a credentials which disables transport security.
//
// Note that using this credentials with per-RPC credentials which require
-// transport security is incompatible and will cause grpc.Dial() to fail.
+// transport security is incompatible and will cause RPCs to fail.
func NewCredentials() credentials.TransportCredentials {
return insecureTC{}
}
@@ -71,6 +71,12 @@ func (info) AuthType() string {
return "insecure"
}
+// ValidateAuthority allows any value to be overridden for the :authority
+// header.
+func (info) ValidateAuthority(string) error {
+ return nil
+}
+
// insecureBundle implements an insecure bundle.
// An insecure bundle provides a thin wrapper around insecureTC to support
// the credentials.Bundle interface.
diff --git a/vendor/google.golang.org/grpc/credentials/tls.go b/vendor/google.golang.org/grpc/credentials/tls.go
index bd5fe22b6..20f65f7bd 100644
--- a/vendor/google.golang.org/grpc/credentials/tls.go
+++ b/vendor/google.golang.org/grpc/credentials/tls.go
@@ -22,6 +22,7 @@ import (
"context"
"crypto/tls"
"crypto/x509"
+ "errors"
"fmt"
"net"
"net/url"
@@ -50,6 +51,21 @@ func (t TLSInfo) AuthType() string {
return "tls"
}
+// ValidateAuthority validates the provided authority being used to override the
+// :authority header by verifying it against the peer certificates. It returns a
+// non-nil error if the validation fails.
+func (t TLSInfo) ValidateAuthority(authority string) error {
+ var errs []error
+ for _, cert := range t.State.PeerCertificates {
+ var err error
+ if err = cert.VerifyHostname(authority); err == nil {
+ return nil
+ }
+ errs = append(errs, err)
+ }
+ return fmt.Errorf("credentials: invalid authority %q: %v", authority, errors.Join(errs...))
+}
+
// cipherSuiteLookup returns the string version of a TLS cipher suite ID.
func cipherSuiteLookup(cipherSuiteID uint16) string {
for _, s := range tls.CipherSuites() {
generated by cgit v1.2.3 (git 2.46.0) at 2025-12-02 21:45:12 +0000