credentials/alts: ClientAuthorizationCheck to case-fold compare of pe…

…er SA (#3792)
grpc · Sep 1, 2020 · 48bf772 · 48bf772
1 parent d8ef479
commit 48bf772
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/credentials/alts/utils.go b/credentials/alts/utils.go
@@ -152,12 +152,13 @@ func AuthInfoFromPeer(p *peer.Peer) (AuthInfo, error) {
 func ClientAuthorizationCheck(ctx context.Context, expectedServiceAccounts []string) error {
 	authInfo, err := AuthInfoFromContext(ctx)
 	if err != nil {
-		return status.Newf(codes.PermissionDenied, "The context is not an ALTS-compatible context: %v", err).Err()
+		return status.Errorf(codes.PermissionDenied, "The context is not an ALTS-compatible context: %v", err)
 	}
+	peer := authInfo.PeerServiceAccount()
 	for _, sa := range expectedServiceAccounts {
-		if authInfo.PeerServiceAccount() == sa {
+		if strings.EqualFold(peer, sa) {
 			return nil
 		}
 	}
-	return status.Newf(codes.PermissionDenied, "Client %v is not authorized", authInfo.PeerServiceAccount()).Err()
+	return status.Errorf(codes.PermissionDenied, "Client %v is not authorized", peer)
 }
diff --git a/credentials/alts/utils_test.go b/credentials/alts/utils_test.go
@@ -175,6 +175,13 @@ func (s) TestClientAuthorizationCheck(t *testing.T) {
 			true,
 			codes.OK, // err is nil, code is OK.
 		},
+		{
+			"working case (case ignored)",
+			peer.NewContext(ctx, p),
+			[]string{strings.ToUpper(testServiceAccount1), testServiceAccount2},
+			true,
+			codes.OK, // err is nil, code is OK.
+		},
 		{
 			"context does not have AuthInfo",
 			ctx,