grpc · ZhenLian · Jul 16, 2020 · May 18, 2020 · May 20, 2020 · May 21, 2020
diff --git a/credentials/credentials.go b/credentials/credentials.go
@@ -27,6 +27,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"net/url"
 
 	"github.com/golang/protobuf/proto"
 	"google.golang.org/grpc/attributes"
@@ -87,6 +88,7 @@ func (s SecurityLevel) String() string {
 // This API is experimental.
 type CommonAuthInfo struct {
 	SecurityLevel SecurityLevel
+	SPIFFEID      *url.URL
 }
 
 // GetCommonAuthInfo returns the pointer to CommonAuthInfo struct.

diff --git a/credentials/tls.go b/credentials/tls.go
@@ -27,6 +27,7 @@ import (
 	"net"
 
 	"google.golang.org/grpc/credentials/internal"
+	credinternal "google.golang.org/grpc/internal/credentials"
 )
 
 // TLSInfo contains the auth information for a TLS authenticated connection.
@@ -94,7 +95,20 @@ func (c *tlsCreds) ClientHandshake(ctx context.Context, authority string, rawCon
 		conn.Close()
 		return nil, nil, ctx.Err()
 	}
-	return internal.WrapSyscallConn(rawConn, conn), TLSInfo{conn.ConnectionState(), CommonAuthInfo{PrivacyAndIntegrity}}, nil
+	tlsInfo := TLSInfo{
+		State: conn.ConnectionState(),
+		CommonAuthInfo: CommonAuthInfo{
+			SecurityLevel: PrivacyAndIntegrity,
+		},
+	}
+	id, err := credinternal.SPIFFEIDFromState(conn.ConnectionState())
+	if err != nil {
+		return nil, nil, err
+	}
+	if id != nil {
+		tlsInfo.SPIFFEID = id
+	}
+	return internal.WrapSyscallConn(rawConn, conn), tlsInfo, nil
 }
 
 func (c *tlsCreds) ServerHandshake(rawConn net.Conn) (net.Conn, AuthInfo, error) {
@@ -103,7 +117,20 @@ func (c *tlsCreds) ServerHandshake(rawConn net.Conn) (net.Conn, AuthInfo, error)
 		conn.Close()
 		return nil, nil, err
 	}
-	return internal.WrapSyscallConn(rawConn, conn), TLSInfo{conn.ConnectionState(), CommonAuthInfo{PrivacyAndIntegrity}}, nil
+	tlsInfo := TLSInfo{
+		State: conn.ConnectionState(),
+		CommonAuthInfo: CommonAuthInfo{
+			SecurityLevel: PrivacyAndIntegrity,
+		},
+	}
+	id, err := credinternal.SPIFFEIDFromState(conn.ConnectionState())
+	if err != nil {
+		return nil, nil, err
+	}
+	if id != nil {
+		tlsInfo.SPIFFEID = id
+	}
+	return internal.WrapSyscallConn(rawConn, conn), tlsInfo, nil
 }
 
 func (c *tlsCreds) Clone() TransportCredentials {

diff --git a/internal/credentials/go110.go b/internal/credentials/go110.go
@@ -0,0 +1,72 @@
+// +build go1.10
+
+/*
+ *
+ * Copyright 2020 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+// Package credentials defines APIs for parsing SPIFFE ID.
+//
+// All APIs in this package are experimental.
+package credentials
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net/url"
+
+	"google.golang.org/grpc/grpclog"
+)
+
+// SPIFFEIDFromState parses the SPIFFE ID from State. An error is returned only
+// when we are sure SPIFFE ID is used but the format is wrong.
+func SPIFFEIDFromState(state tls.ConnectionState) (*url.URL, error) {
+	if len(state.PeerCertificates) == 0 || len(state.PeerCertificates[0].URIs) == 0 {
+		return nil, nil
+	}
+	spiffeIDCnt := 0
+	var spiffeID url.URL
+	for _, uri := range state.PeerCertificates[0].URIs {
+		if uri == nil || uri.Scheme != "spiffe" || uri.Opaque != "" || (uri.User != nil && uri.User.Username() != "") {
+			continue
+		}
+		// From this point, we assume the uri is intended for a SPIFFE ID.
+		if len(uri.Host)+len(uri.Scheme)+len(uri.RawPath)+4 > 2048 ||
+			len(uri.Host)+len(uri.Scheme)+len(uri.Path)+4 > 2048 {
+			return nil, fmt.Errorf("invalid SPIFFE ID: total ID length larger than 2048 bytes")
+		}
+		if len(uri.Host) == 0 || len(uri.RawPath) == 0 || len(uri.Path) == 0 {
+			return nil, fmt.Errorf("invalid SPIFFE ID: domain or workload ID is empty")
+		}
+		if len(uri.Host) > 255 {
+			return nil, fmt.Errorf("invalid SPIFFE ID: domain length larger than 255 characters")
+		}
+		// We use a default deep copy since we know the User field of a SPIFFE ID
+		// is empty.
+		spiffeID = *uri
+		spiffeIDCnt++
+	}
+	if spiffeIDCnt == 1 {
+		return &spiffeID, nil
+	} else if spiffeIDCnt > 1 {
+		// A standard SPIFFE ID should be unique. If there are more than one ID, we
+		// should log this error but shouldn't halt the application.
+		grpclog.Warning("invalid SPIFFE ID: multiple SPIFFE IDs")
+		return nil, nil
+	}
+	// SPIFFE ID is not used.
+	return nil, nil
+}
diff --git a/internal/credentials/go110_test.go b/internal/credentials/go110_test.go
@@ -0,0 +1,158 @@
+// +build go1.10
+
+/*
+ *
+ * Copyright 2020 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package credentials
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"net/url"
+	"testing"
+
+	"google.golang.org/grpc/internal/grpctest"
+)
+
+type s struct {
+	grpctest.Tester
+}
+
+func Test(t *testing.T) {
+	grpctest.RunSubTests(t, s{})
+}
+
+func (s) TestSPIFFEIDFromState(t *testing.T) {
+	tests := []struct {
+		name string
+		urls []*url.URL
+		// If we expect SPIFFEIDFromState to return an error.
+		expectError bool
+		// If we expect a SPIFFE ID to be returned.
+		expectID bool
+	}{
+		{
+			name:        "empty URIs",
+			urls:        []*url.URL{},
+			expectError: false,
+			expectID:    false,
+		},
+		{
+			name: "good SPIFFE ID",
+			urls: []*url.URL{
+				{
+					Scheme:  "spiffe",
+					Host:    "foo.bar.com",
+					Path:    "workload/wl1",
+					RawPath: "workload/wl1",
+				},
+				{
+					Scheme:  "https",
+					Host:    "foo.bar.com",
+					Path:    "workload/wl1",
+					RawPath: "workload/wl1",
+				},
+			},
+			expectError: false,
+			expectID:    true,
+		},
+		{
+			name: "invalid host",
+			urls: []*url.URL{
+				{
+					Scheme:  "spiffe",
+					Host:    "",
+					Path:    "workload/wl1",
+					RawPath: "workload/wl1",
+				},
+			},
+			expectError: true,
+			expectID:    false,
+		},
+		{
+			name: "invalid path",
+			urls: []*url.URL{
+				{
+					Scheme:  "spiffe",
+					Host:    "foo.bar.com",
+					Path:    "",
+					RawPath: "",
+				},
+			},
+			expectError: true,
+			expectID:    false,
+		},
+		{
+			name: "large path",
+			urls: []*url.URL{
+				{
+					Scheme:  "spiffe",
+					Host:    "foo.bar.com",
+					Path:    string(make([]byte, 2050)),
+					RawPath: string(make([]byte, 2050)),
+				},
+			},
+			expectError: true,
+			expectID:    false,
+		},
+		{
+			name: "large host",
+			urls: []*url.URL{
+				{
+					Scheme:  "spiffe",
+					Host:    string(make([]byte, 256)),
+					Path:    "workload/wl1",
+					RawPath: "workload/wl1",
+				},
+			},
+			expectError: true,
+			expectID:    false,
+		},
+		{
+			name: "multiple SPIFFE IDs",
+			urls: []*url.URL{
+				{
+					Scheme:  "spiffe",
+					Host:    "foo.bar.com",
+					Path:    "workload/wl1",
+					RawPath: "workload/wl1",
+				},
+				{
+					Scheme:  "spiffe",
+					Host:    "bar.baz.com",
+					Path:    "workload/wl2",
+					RawPath: "workload/wl2",
+				},
+			},
+			expectError: false,
+			expectID:    false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			state := tls.ConnectionState{PeerCertificates: []*x509.Certificate{{URIs: tt.urls}}}
+			id, err := SPIFFEIDFromState(state)
+			if got, want := err != nil, tt.expectError; got != want {
+				t.Errorf("want expectError = %v, but got expectError = %v, with error %v", want, got, err)
+			}
+			if got, want := id != nil, tt.expectID; got != want {
+				t.Errorf("want expectID = %v, but SPIFFE ID is %v", want, id)
+			}
+		})
+	}
+}
diff --git a/internal/credentials/gobefore110.go b/internal/credentials/gobefore110.go
@@ -0,0 +1,31 @@
+// +build !go1.10
+
+/*
+ *
+ * Copyright 2020 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package credentials
+
+import (
+	"crypto/tls"
+	"net/url"
+)
+
+//TODO(ZhenLian): delete this file when we remove Go 1.9 tests.
+func SPIFFEIDFromState(state tls.ConnectionState) (*url.URL, error) {
+	return nil, nil
+}