From 044a53dc87a63789a9fc65bfdbb61960f9dae703 Mon Sep 17 00:00:00 2001 From: jiangtaoli2016 Date: Mon, 16 Dec 2019 21:10:52 -0800 Subject: [PATCH 1/2] alts: add client authorization util library --- .../java/io/grpc/alts/AuthorizationUtil.java | 48 ++++++++ .../io/grpc/alts/AuthorizationUtilTest.java | 114 ++++++++++++++++++ 2 files changed, 162 insertions(+) create mode 100644 alts/src/main/java/io/grpc/alts/AuthorizationUtil.java create mode 100644 alts/src/test/java/io/grpc/alts/AuthorizationUtilTest.java diff --git a/alts/src/main/java/io/grpc/alts/AuthorizationUtil.java b/alts/src/main/java/io/grpc/alts/AuthorizationUtil.java new file mode 100644 index 00000000000..fae9d30bf1d --- /dev/null +++ b/alts/src/main/java/io/grpc/alts/AuthorizationUtil.java @@ -0,0 +1,48 @@ +/* + * Copyright 2019 The gRPC Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package io.grpc.alts; + +import io.grpc.ServerCall; +import io.grpc.Status; +import io.grpc.alts.internal.AltsAuthContext; +import io.grpc.alts.internal.AltsProtocolNegotiator; +import java.util.List; + +/** Utility class for ALTS client authorization. */ +public final class AuthorizationUtil { + + private AuthorizationUtil() {} + + /** + * Given a server call, performs client authorization check, i.e., checks if the client service + * account matches one of the expected service accounts. It returns OK if client is authorized and + * an error otherwise. + */ + public static Status clientAuthorizationCheck( + ServerCall call, List expectedServiceAccounts) { + AltsAuthContext altsContext = + (AltsAuthContext) call.getAttributes().get(AltsProtocolNegotiator.AUTH_CONTEXT_KEY); + if (altsContext == null) { + return Status.NOT_FOUND.withDescription("Peer ALTS AuthContext not found"); + } + if (expectedServiceAccounts.contains(altsContext.getPeerServiceAccount())) { + return Status.OK; + } + return Status.PERMISSION_DENIED.withDescription( + "Client " + altsContext.getPeerServiceAccount() + " is not authorized"); + } +} diff --git a/alts/src/test/java/io/grpc/alts/AuthorizationUtilTest.java b/alts/src/test/java/io/grpc/alts/AuthorizationUtilTest.java new file mode 100644 index 00000000000..a045675defe --- /dev/null +++ b/alts/src/test/java/io/grpc/alts/AuthorizationUtilTest.java @@ -0,0 +1,114 @@ +/* + * Copyright 2019 The gRPC Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package io.grpc.alts; + +import static com.google.common.truth.Truth.assertThat; + +import com.google.common.collect.Lists; +import io.grpc.Attributes; +import io.grpc.Metadata; +import io.grpc.MethodDescriptor; +import io.grpc.ServerCall; +import io.grpc.Status; +import io.grpc.alts.internal.AltsAuthContext; +import io.grpc.alts.internal.AltsProtocolNegotiator; +import io.grpc.alts.internal.HandshakerResult; +import io.grpc.alts.internal.Identity; +import javax.annotation.Nullable; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; + +/** Unit tests for {@link AuthorizationUtil}. */ +@RunWith(JUnit4.class) +public final class AuthorizationUtilTest { + + @Test + public void altsAuthorizationCheck() throws Exception { + Status status = + AuthorizationUtil.clientAuthorizationCheck( + new FakeServerCall(null), Lists.newArrayList("Alice")); + assertThat(status.getCode()).isEqualTo(Status.Code.NOT_FOUND); + assertThat(status.getDescription()).startsWith("Peer ALTS AuthContext not found"); + status = + AuthorizationUtil.clientAuthorizationCheck( + new FakeServerCall("Alice"), Lists.newArrayList("Alice", "Bob")); + assertThat(status.getCode()).isEqualTo(Status.Code.OK); + status = + AuthorizationUtil.clientAuthorizationCheck( + new FakeServerCall("Alice"), Lists.newArrayList("Bob", "Joe")); + assertThat(status.getCode()).isEqualTo(Status.Code.PERMISSION_DENIED); + assertThat(status.getDescription()).endsWith("not authorized"); + } + + private static class FakeServerCall extends ServerCall { + final Attributes attrs; + + FakeServerCall(@Nullable String peerServiceAccount) { + Attributes.Builder attrsBuilder = Attributes.newBuilder(); + if (peerServiceAccount != null) { + HandshakerResult handshakerResult = + HandshakerResult.newBuilder() + .setPeerIdentity(Identity.newBuilder().setServiceAccount(peerServiceAccount)) + .build(); + AltsAuthContext altsAuthContext = new AltsAuthContext(handshakerResult); + attrsBuilder.set(AltsProtocolNegotiator.AUTH_CONTEXT_KEY, altsAuthContext); + } + attrs = attrsBuilder.build(); + } + + @Override + public void request(int numMessages) { + throw new AssertionError("Should not be called"); + } + + @Override + public void sendHeaders(Metadata headers) { + throw new AssertionError("Should not be called"); + } + + @Override + public void sendMessage(String message) { + throw new AssertionError("Should not be called"); + } + + @Override + public void close(Status status, Metadata trailers) { + throw new AssertionError("Should not be called"); + } + + @Override + public boolean isCancelled() { + throw new AssertionError("Should not be called"); + } + + @Override + public Attributes getAttributes() { + return attrs; + } + + @Override + public String getAuthority() { + throw new AssertionError("Should not be called"); + } + + @Override + public MethodDescriptor getMethodDescriptor() { + throw new AssertionError("Should not be called"); + } + } +} From 2e0b417ed8ac5d26f5c73a96fcd78c4ab183c325 Mon Sep 17 00:00:00 2001 From: jiangtaoli2016 Date: Wed, 18 Dec 2019 10:25:52 -0800 Subject: [PATCH 2/2] alts: use Collection instead of List --- alts/src/main/java/io/grpc/alts/AuthorizationUtil.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/alts/src/main/java/io/grpc/alts/AuthorizationUtil.java b/alts/src/main/java/io/grpc/alts/AuthorizationUtil.java index fae9d30bf1d..ac7e2f03320 100644 --- a/alts/src/main/java/io/grpc/alts/AuthorizationUtil.java +++ b/alts/src/main/java/io/grpc/alts/AuthorizationUtil.java @@ -20,7 +20,7 @@ import io.grpc.Status; import io.grpc.alts.internal.AltsAuthContext; import io.grpc.alts.internal.AltsProtocolNegotiator; -import java.util.List; +import java.util.Collection; /** Utility class for ALTS client authorization. */ public final class AuthorizationUtil { @@ -33,7 +33,7 @@ private AuthorizationUtil() {} * an error otherwise. */ public static Status clientAuthorizationCheck( - ServerCall call, List expectedServiceAccounts) { + ServerCall call, Collection expectedServiceAccounts) { AltsAuthContext altsContext = (AltsAuthContext) call.getAttributes().get(AltsProtocolNegotiator.AUTH_CONTEXT_KEY); if (altsContext == null) {