iSulad/src/connect/service/grpc/grpc_server_tls_auth.cc

/******************************************************************************
 * Copyright (c) Huawei Technologies Co., Ltd. 2019-2019. All rights reserved.
 * iSulad licensed under the Mulan PSL v1.
 * You can use this software according to the terms and conditions of the Mulan PSL v1.
 * You may obtain a copy of Mulan PSL v1 at:
 *     http://license.coscl.org.cn/MulanPSL
 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
 * PURPOSE.
 * See the Mulan PSL v1 for more details.
 * Author: zhangsong
 * Create: 2019-04-26
 * Description: provide grpc tls request authorization
 ******************************************************************************/

#include "grpc_server_tls_auth.h"
#include <map>
#include <stdlib.h>
#include "http.h"

namespace AuthorizationPluginConfig {
std::string auth_plugin = "";
};

namespace GrpcServerTlsAuth {
Status auth(ServerContext *context, std::string action)
{
    const std::multimap<grpc::string_ref, grpc::string_ref> init_metadata = context->client_metadata();
    auto tls_mode_kv = init_metadata.find("tls_mode");
    if (tls_mode_kv == init_metadata.end()) {
        return Status(StatusCode::UNKNOWN, "unkown error");
    }
    std::string tls_mode = std::string(tls_mode_kv->second.data(), tls_mode_kv->second.length());
    if (tls_mode == "0") {
        return Status::OK;
    }
    if (AuthorizationPluginConfig::auth_plugin.empty()) {
        return Status::OK;
    } else if (AuthorizationPluginConfig::auth_plugin == "authz-broker") {
        auto username_kv = init_metadata.find("username");
        if (username_kv == init_metadata.end()) {
            return Status(StatusCode::UNKNOWN, "unkown error");
        }
        std::string username = std::string(username_kv->second.data(), username_kv->second.length());
        char *errmsg = nullptr;
        if (authz_http_request(username.c_str(), action.c_str(), &errmsg)) {
            std::string err = errmsg;
            free(errmsg);
            return Status(StatusCode::PERMISSION_DENIED, err);
        } else {
            if (errmsg != nullptr) {
                free(errmsg);
            }
        }
    } else {
        return Status(StatusCode::UNIMPLEMENTED, "authorization plugin invalid");
    }
    return Status::OK;
}
} // namespace GrpcServerTlsAuth
Package init 2019-09-30 10:53:41 -04:00			`/******************************************************************************`
			`* Copyright (c) Huawei Technologies Co., Ltd. 2019-2019. All rights reserved.`
			`* iSulad licensed under the Mulan PSL v1.`
			`* You can use this software according to the terms and conditions of the Mulan PSL v1.`
			`* You may obtain a copy of Mulan PSL v1 at:`
			`* http://license.coscl.org.cn/MulanPSL`
			`* THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR`
			`* IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR`
			`* PURPOSE.`
			`* See the Mulan PSL v1 for more details.`
			`* Author: zhangsong`
			`* Create: 2019-04-26`
			`* Description: provide grpc tls request authorization`
			`******************************************************************************/`

			`#include "grpc_server_tls_auth.h"`
			`#include <map>`
			`#include <stdlib.h>`
			`#include "http.h"`

			`namespace AuthorizationPluginConfig {`
			`std::string auth_plugin = "";`
			`};`

			`namespace GrpcServerTlsAuth {`
			`Status auth(ServerContext *context, std::string action)`
			`{`
			`const std::multimap<grpc::string_ref, grpc::string_ref> init_metadata = context->client_metadata();`
			`auto tls_mode_kv = init_metadata.find("tls_mode");`
			`if (tls_mode_kv == init_metadata.end()) {`
			`return Status(StatusCode::UNKNOWN, "unkown error");`
			`}`
			`std::string tls_mode = std::string(tls_mode_kv->second.data(), tls_mode_kv->second.length());`
			`if (tls_mode == "0") {`
			`return Status::OK;`
			`}`
			`if (AuthorizationPluginConfig::auth_plugin.empty()) {`
			`return Status::OK;`
			`} else if (AuthorizationPluginConfig::auth_plugin == "authz-broker") {`
			`auto username_kv = init_metadata.find("username");`
			`if (username_kv == init_metadata.end()) {`
			`return Status(StatusCode::UNKNOWN, "unkown error");`
			`}`
			`std::string username = std::string(username_kv->second.data(), username_kv->second.length());`
			`char *errmsg = nullptr;`
			`if (authz_http_request(username.c_str(), action.c_str(), &errmsg)) {`
			`std::string err = errmsg;`
			`free(errmsg);`
			`return Status(StatusCode::PERMISSION_DENIED, err);`
			`} else {`
			`if (errmsg != nullptr) {`
			`free(errmsg);`
			`}`
			`}`
			`} else {`
			`return Status(StatusCode::UNIMPLEMENTED, "authorization plugin invalid");`
			`}`
			`return Status::OK;`
			`}`
			`} // namespace GrpcServerTlsAuth`