package basic
import (
	"context"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"net"
	"strconv"
	"time"

	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/metadata"
)
// Credentials implements credentials.PerRPCCredentials with a static
// username/password pair. The same value also serves as the server-side
// interceptor that checks incoming requests against that pair.
type Credentials struct {
	// Crt holds the PEM-encoded CA certificate(s) the client trusts when
	// verifying the server's TLS certificate.
	Crt []byte
	// Username is sent with every RPC under the "username" metadata key.
	Username string
	// Password is sent with every RPC under the "password" metadata key; it is
	// kept in plaintext in memory for the lifetime of the value.
	Password string
}
// NewCredentials builds a Credentials value from the PEM-encoded CA
// certificate bytes in crt and the username/password pair that will be
// attached to every RPC. The slice is stored as-is, not copied.
func NewCredentials(crt []byte, username, password string) (creds *Credentials) {
	return &Credentials{Crt: crt, Username: username, Password: password}
}
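// NewConnection initializes a grpc.ClientConn configured for basic
// authentication over TLS.
//
// creds.Crt must hold the PEM-encoded CA certificate(s) used to verify the
// server; it is the only trust anchor, system roots are not consulted. The
// username and password in creds are attached to every RPC via
// GetRequestMetadata.
//
// Returns an error when creds is nil or when no certificate could be parsed
// from creds.Crt. grpc.Dial is non-blocking, so a nil error means the target
// was accepted, not that the server is reachable or that the TLS handshake
// succeeded.
func NewConnection(address string, port int, creds *Credentials) (conn *grpc.ClientConn, err error) {
	if creds == nil {
		return nil, fmt.Errorf("credentials must not be nil")
	}
	certPool := x509.NewCertPool()
	// AppendCertsFromPEM reports false when nothing parsed; an empty pool would
	// otherwise silently fail every handshake later.
	if ok := certPool.AppendCertsFromPEM(creds.Crt); !ok {
		return nil, fmt.Errorf("could not parse ca certificate")
	}
	tlsCfg := &tls.Config{
		RootCAs:    certPool,
		MinVersion: tls.VersionTLS12, // explicit floor; refuse legacy protocol versions
	}
	grpcOpts := []grpc.DialOption{
		grpc.WithTransportCredentials(credentials.NewTLS(tlsCfg)),
		grpc.WithPerRPCCredentials(creds),
	}
	// JoinHostPort brackets IPv6 literals, which "%s:%d" would not.
	target := net.JoinHostPort(address, strconv.Itoa(port))
	conn, err = grpc.Dial(target, grpcOpts...)
	if err != nil {
		return nil, err
	}
	return conn, nil
}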
// GetRequestMetadata returns the per-RPC metadata carrying the configured
// credentials under the "username" and "password" keys. The values travel as
// plain metadata, which is why RequireTransportSecurity reports true.
func (b *Credentials) GetRequestMetadata(context.Context, ...string) (map[string]string, error) {
	md := make(map[string]string, 2)
	md["username"] = b.Username
	md["password"] = b.Password
	return md, nil
}
// RequireTransportSecurity reports true: the username and password are sent
// as cleartext metadata, so gRPC must refuse to attach them to a connection
// without transport security.
func (b *Credentials) RequireTransportSecurity() bool {
	const required = true
	return required
}
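// authorize checks the incoming "username" and "password" metadata values
// against the configured credentials and returns nil only when both are
// present and match.
//
// A request carrying no incoming metadata at all is rejected as well, so a
// client cannot bypass the check by omitting the headers. Both fields are
// always compared, in constant time, so response timing does not reveal
// whether the username alone was correct.
//
// The error is a plain error whose text is the Unauthenticated code name, not
// a gRPC status; clients therefore observe codes.Unknown unless the caller
// converts it with the status package.
func (b *Credentials) authorize(ctx context.Context) error {
	md, ok := metadata.FromIncomingContext(ctx)
	if !ok {
		return fmt.Errorf("%s", codes.Unauthenticated.String())
	}
	// Compute both results before deciding so neither comparison is skipped.
	userOK := metadataValueEquals(md, "username", b.Username)
	passOK := metadataValueEquals(md, "password", b.Password)
	if !userOK || !passOK {
		return fmt.Errorf("%s", codes.Unauthenticated.String())
	}
	return nil
}

// metadataValueEquals reports whether the first value stored under key in md
// equals want, using a constant-time comparison.
func metadataValueEquals(md metadata.MD, key, want string) bool {
	vals := md[key]
	if len(vals) == 0 {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(vals[0]), []byte(want)) == 1
}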
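// UnaryInterceptor is the grpc.UnaryServerInterceptor that enforces basic
// authentication and logs every call.
//
// It first runs authorize on ctx; a rejected call is logged with its method,
// elapsed time and error and returned without invoking handler, so failed
// authentication attempts leave a trace in the log. Accepted calls are passed
// to handler and logged the same way. The handler's result and error are
// returned unchanged.
func (b *Credentials) UnaryInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
	start := time.Now()
	if err := b.authorize(ctx); err != nil {
		// Log rejected calls too; previously they returned silently.
		log.Printf("request - Method:%s\tDuration:%s\tError:%v\n",
			info.FullMethod,
			time.Since(start),
			err,
		)
		return nil, err
	}
	h, err := handler(ctx, req)
	log.Printf("request - Method:%s\tDuration:%s\tError:%v\n",
		info.FullMethod,
		time.Since(start),
		err,
	)
	return h, err
}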