1/*
  2 *
  3 * Copyright 2021 Google LLC
  4 *
  5 * Licensed under the Apache License, Version 2.0 (the "License");
  6 * you may not use this file except in compliance with the License.
  7 * You may obtain a copy of the License at
  8 *
  9 *     https://www.apache.org/licenses/LICENSE-2.0
 10 *
 11 * Unless required by applicable law or agreed to in writing, software
 12 * distributed under the License is distributed on an "AS IS" BASIS,
 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 14 * See the License for the specific language governing permissions and
 15 * limitations under the License.
 16 *
 17 */
 18
 19// Package authinfo provides authentication and authorization information that
 20// results from the TLS handshake.
 21package authinfo
 22
 23import (
 24	"errors"
 25
 26	commonpb "github.com/google/s2a-go/internal/proto/common_go_proto"
 27	contextpb "github.com/google/s2a-go/internal/proto/s2a_context_go_proto"
 28	grpcpb "github.com/google/s2a-go/internal/proto/s2a_go_proto"
 29	"google.golang.org/grpc/credentials"
 30)
 31
 32var _ credentials.AuthInfo = (*S2AAuthInfo)(nil)
 33
 34const s2aAuthType = "s2a"
 35
 36// S2AAuthInfo exposes authentication and authorization information from the
 37// S2A session result to the gRPC stack.
 38type S2AAuthInfo struct {
 39	s2aContext     *contextpb.S2AContext
 40	commonAuthInfo credentials.CommonAuthInfo
 41}
 42
 43// NewS2AAuthInfo returns a new S2AAuthInfo object from the S2A session result.
 44func NewS2AAuthInfo(result *grpcpb.SessionResult) (credentials.AuthInfo, error) {
 45	return newS2AAuthInfo(result)
 46}
 47
 48func newS2AAuthInfo(result *grpcpb.SessionResult) (*S2AAuthInfo, error) {
 49	if result == nil {
 50		return nil, errors.New("NewS2aAuthInfo given nil session result")
 51	}
 52	return &S2AAuthInfo{
 53		s2aContext: &contextpb.S2AContext{
 54			ApplicationProtocol:  result.GetApplicationProtocol(),
 55			TlsVersion:           result.GetState().GetTlsVersion(),
 56			Ciphersuite:          result.GetState().GetTlsCiphersuite(),
 57			PeerIdentity:         result.GetPeerIdentity(),
 58			LocalIdentity:        result.GetLocalIdentity(),
 59			PeerCertFingerprint:  result.GetPeerCertFingerprint(),
 60			LocalCertFingerprint: result.GetLocalCertFingerprint(),
 61			IsHandshakeResumed:   result.GetState().GetIsHandshakeResumed(),
 62		},
 63		commonAuthInfo: credentials.CommonAuthInfo{SecurityLevel: credentials.PrivacyAndIntegrity},
 64	}, nil
 65}
 66
 67// AuthType returns the authentication type.
 68func (s *S2AAuthInfo) AuthType() string {
 69	return s2aAuthType
 70}
 71
 72// ApplicationProtocol returns the application protocol, e.g. "grpc".
 73func (s *S2AAuthInfo) ApplicationProtocol() string {
 74	return s.s2aContext.GetApplicationProtocol()
 75}
 76
 77// TLSVersion returns the TLS version negotiated during the handshake.
 78func (s *S2AAuthInfo) TLSVersion() commonpb.TLSVersion {
 79	return s.s2aContext.GetTlsVersion()
 80}
 81
 82// Ciphersuite returns the ciphersuite negotiated during the handshake.
 83func (s *S2AAuthInfo) Ciphersuite() commonpb.Ciphersuite {
 84	return s.s2aContext.GetCiphersuite()
 85}
 86
 87// PeerIdentity returns the authenticated identity of the peer.
 88func (s *S2AAuthInfo) PeerIdentity() *commonpb.Identity {
 89	return s.s2aContext.GetPeerIdentity()
 90}
 91
 92// LocalIdentity returns the local identity of the application used during
 93// session setup.
 94func (s *S2AAuthInfo) LocalIdentity() *commonpb.Identity {
 95	return s.s2aContext.GetLocalIdentity()
 96}
 97
 98// PeerCertFingerprint returns the SHA256 hash of the peer certificate used in
 99// the S2A handshake.
100func (s *S2AAuthInfo) PeerCertFingerprint() []byte {
101	return s.s2aContext.GetPeerCertFingerprint()
102}
103
104// LocalCertFingerprint returns the SHA256 hash of the local certificate used
105// in the S2A handshake.
106func (s *S2AAuthInfo) LocalCertFingerprint() []byte {
107	return s.s2aContext.GetLocalCertFingerprint()
108}
109
110// IsHandshakeResumed returns true if a cached session was used to resume
111// the handshake.
112func (s *S2AAuthInfo) IsHandshakeResumed() bool {
113	return s.s2aContext.GetIsHandshakeResumed()
114}
115
116// SecurityLevel returns the security level of the connection.
117func (s *S2AAuthInfo) SecurityLevel() credentials.SecurityLevel {
118	return s.commonAuthInfo.SecurityLevel
119}