From 8d709043ab46b5d712be77aa99eb6fb26c57177d Mon Sep 17 00:00:00 2001
From: ZhenLian
Date: Wed, 20 May 2020 16:21:11 -0700
Subject: [PATCH] add build constraints to not support <= go 1.9
---
credentials/go10.go | 69 +++++++++++++++++++++++++++++++++++++++
credentials/gobefore10.go | 30 +++++++++++++++++
credentials/tls.go | 36 --------------------
3 files changed, 99 insertions(+), 36 deletions(-)
create mode 100644 credentials/go10.go
create mode 100644 credentials/gobefore10.go
diff --git a/credentials/go10.go b/credentials/go10.go
new file mode 100644
index 00000000000..11ad95ff7a4
--- /dev/null
+++ b/credentials/go10.go
@@ -0,0 +1,69 @@
+// +build go1.10
+
+/*
+ *
+ * Copyright 2020 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package credentials
+
+import (
+ "fmt"
+ "net/url"
+
+ "google.golang.org/grpc/grpclog"
+)
+
+// ParseSpiffeID parses the Spiffe ID from State and fill it into SpiffeID.
+// An error is returned only when we are sure Spiffe ID is used but the format
+// is wrong.
+// This function can only be used with go version 1.10 and onwards. When used
+// with a prior version, no error will be returned, but the field
+// TLSInfo.SpiffeID wouldn't be plumbed.
+func (t *TLSInfo) ParseSpiffeID() error {
+ if len(t.State.PeerCertificates) == 0 || len(t.State.PeerCertificates[0].URIs) == 0 {
+ return nil
+ }
+ spiffeIDCnt := 0
+ var spiffeID url.URL
+ for _, uri := range t.State.PeerCertificates[0].URIs {
+ if uri == nil || uri.Scheme != "spiffe" || uri.Opaque != "" || (uri.User != nil && uri.User.Username() != "") {
+ continue
+ }
+ // From this point, we assume the uri is intended for a Spiffe ID.
+ if len(uri.Host)+len(uri.Scheme)+len(uri.RawPath)+4 > 2048 ||
+ len(uri.Host)+len(uri.Scheme)+len(uri.Path)+4 > 2048 {
+ return fmt.Errorf("invalid SPIFFE ID: total ID length larger than 2048 bytes")
+ }
+ if len(uri.Host) == 0 || len(uri.RawPath) == 0 || len(uri.Path) == 0 {
+ return fmt.Errorf("invalid SPIFFE ID: domain or workload ID is empty")
+ }
+ if len(uri.Host) > 255 {
+ return fmt.Errorf("invalid SPIFFE ID: domain length larger than 255 characters")
+ }
+ // We use a default deep copy since we know the User field of a SPIFFE ID is empty.
+ spiffeID = *uri
+ spiffeIDCnt++
+ }
+ if spiffeIDCnt == 1 {
+ t.SpiffeID = &spiffeID
+ } else {
+ // A standard SPIFFE ID should be unique. If there are more, we log this
+ // mis-behavior and not plumb any of them.
+ grpclog.Info("invalid SPIFFE ID: multiple SPIFFE IDs")
+ }
+ return nil
+}
diff --git a/credentials/gobefore10.go b/credentials/gobefore10.go
new file mode 100644
index 00000000000..69f9b3bf042
--- /dev/null
+++ b/credentials/gobefore10.go
@@ -0,0 +1,30 @@
+// +build !go1.10
+
+/*
+ *
+ * Copyright 2020 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package credentials
+
+import (
+ "google.golang.org/grpc/grpclog"
+)
+
+func (t *TLSInfo) ParseSpiffeID() error {
+ grpclog.Info("go version prior to 1.10 doesn't support parsing URIs in certificates. Please consider a newer version")
+ return nil
+}
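Review bot: The emptiness guard `len(uri.RawPath) == 0` in the new go10.go ParseSpiffeID rejects well-formed SPIFFE IDs: url.URL.RawPath is only populated when the path needs a non-default encoding, so for an ordinary URI SAN such as spiffe://example.org/ns/default/sa/web (constructed example) it is empty and the method returns "domain or workload ID is empty". For the same reason the first length guard, which adds RawPath, is almost always looser than the second and adds nothing. Checking the decoded path alone, `if len(uri.Host) == 0 || len(uri.Path) == 0 {`, and measuring the identifier as a whole with `if len(uri.String()) > 2048 {` would match what the surrounding comments describe. Whether the returned error aborts the handshake or is merely logged depends on the caller, which is outside this hunk.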
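Review bot: The exported method ParseSpiffeID in gobefore10.go has no doc comment, and its behaviour is something callers need to know: on toolchains before Go 1.10 it never sets TLSInfo.SpiffeID, so any authorization decision keyed on that field sees nil rather than the peer's identity. Add above the function a comment such as `// ParseSpiffeID is a no-op on Go versions before 1.10, which cannot parse URI SANs; it leaves TLSInfo.SpiffeID nil and never returns an error.`. The Info log is also emitted on every call, so a server that handshakes often on an old toolchain will repeat it once per connection; guarding it with a sync.Once would keep the signal without the noise.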
diff --git a/credentials/tls.go b/credentials/tls.go
index 005fba93a6d..4691ec8eadb 100644
--- a/credentials/tls.go
+++ b/credentials/tls.go
@@ -55,42 +55,6 @@ func (t TLSInfo) GetSecurityValue() ChannelzSecurityValue {
 return v
 }
-// ParseSpiffeID parses the Spiffe ID from State and fill it into SpiffeID.
-// An error is returned only when we are sure Spiffe ID is used but the format
-// is wrong.
-func (t *TLSInfo) ParseSpiffeID() error {
- if len(t.State.PeerCertificates) == 0 || len(t.State.PeerCertificates[0].URIs) == 0 {
- return nil
- }
- spiffeIDCnt := 0
- var spiffeID url.URL
- for _, uri := range t.State.PeerCertificates[0].URIs {
- if uri == nil || uri.Scheme != "spiffe" || uri.Opaque != "" || (uri.User != nil && uri.User.Username() != "") {
- continue
- }
- // From this point, we assume the uri is intended for a Spiffe ID.
- if len(uri.Host)+len(uri.Scheme)+len(uri.RawPath)+4 > 2048 ||
- len(uri.Host)+len(uri.Scheme)+len(uri.Path)+4 > 2048 {
- return fmt.Errorf("invalid SPIFFE ID: total ID length larger than 2048 bytes")
- }
- if len(uri.Host) == 0 || len(uri.RawPath) == 0 || len(uri.Path) == 0 {
- return fmt.Errorf("invalid SPIFFE ID: domain or workload ID is empty")
- }
- if len(uri.Host) > 255 {
- return fmt.Errorf("invalid SPIFFE ID: domain length larger than 255 characters")
- }
- // We use a default deep copy since we know the User field of a SPIFFE ID is empty.
- spiffeID = *uri
- spiffeIDCnt++
- }
- // A standard SPIFFE ID should be unique. If there are more, we don't raise
- // any errors but simply not plumbing any of them.
- if spiffeIDCnt == 1 {
- t.SpiffeID = &spiffeID
- }
- return nil
-}
-
 // tlsCreds is the credentials required for authenticating a connection using TLS.
 type tlsCreds struct {
 // TLS configuration