advancedtls: Rename custom verification function APIs #7140
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -35,10 +35,10 @@ import ( | |
| credinternal "google.golang.org/grpc/internal/credentials" | ||
| ) | ||
|
|
||
| // HandshakeVerificationInfo contains information about a handshake needed for | ||
| // verification for use when implementing the `PostHandshakeVerificationFunc` | ||
| // The fields in this struct are read-only. | ||
| type HandshakeVerificationInfo struct { | ||
| // The target server name that the client connects to when establishing the | ||
| // connection. This field is only meaningful for client side. On server side, | ||
| // this field would be an empty string. | ||
|
|
@@ -54,17 +54,36 @@ type VerificationFuncParams struct { | |
| Leaf *x509.Certificate | ||
| } | ||
|
|
||
| // VerificationFuncParams contains parameters available to users when | ||
| // implementing CustomVerificationFunc. | ||
| // The fields in this struct are read-only. | ||
| // | ||
| // Deprecated: use HandshakeVerificationInfo instead. | ||
| type VerificationFuncParams = HandshakeVerificationInfo | ||
|
|
||
| // PostHandshakeVerificationResults contains the information about results of | ||
| // PostHandshakeVerificationFunc. | ||
| // PostHandshakeVerificationResults is an empty struct for now. It may be extended in the | ||
| // future to include more information. | ||
| type PostHandshakeVerificationResults struct{} | ||
|
|
||
| // Deprecated: use PostHandshakeVerificationResults instead. | ||
| type VerificationResults = PostHandshakeVerificationResults | ||
|
|
||
| // PostHandshakeVerificationFunc is the function defined by users to perform | ||
| // custom verification checks after chain building and regular handshake | ||
| // verification has been completed. | ||
| // PostHandshakeVerificationFunc should return (nil, error) if the authorization | ||
| // should fail, with the error containing information on why it failed. | ||
| type PostHandshakeVerificationFunc func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) | ||
|
There was a problem hiding this comment. Suggestion: There was a problem hiding this comment. We want to make sure that we are differentiating between verification happening after the normal chain building and verification that happens by default (which this is), and overriding the base chain building and verification itself. There was a problem hiding this comment. I'm not sure I follow all this. What is "post handshake verification" exactly? And you're saying this can be used to replace the default behavior? What is the default behavior? Do you have any examples of what users would want to do with this? There was a problem hiding this comment. There's two main different ways users could desire to customize verification behavior.
A concrete example of (2) is doing additional check on the hostname of the peer's cert. There was a problem hiding this comment. What's the API for (2)? So is it the case that if you specify this callback then There was a problem hiding this comment. Yes the API for (2) is grpc-go/security/advancedtls/advancedtls.go Lines 581 to 582 in 34de5cf And VerifyPeer is of type PostHandshakeVerificationFunc, I think renaming this option from VerifyPeer to something more clear is probably belongs in this PR as well
There was a problem hiding this comment. Renamed |
||
|
|
||
| // CustomVerificationFunc is the function defined by users to perform custom | ||
| // verification check. | ||
| // CustomVerificationFunc returns nil if the authorization fails; otherwise | ||
| // returns an empty struct. | ||
| // | ||
| // Deprecated: use PostHandshakeVerificationFunc instead. | ||
| type CustomVerificationFunc = PostHandshakeVerificationFunc | ||
|
|
||
| // GetRootCAsParams contains the parameters available to users when | ||
| // implementing GetRootCAs. | ||
|
|
@@ -167,11 +186,18 @@ type ClientOptions struct { | |
| // IdentityOptions is OPTIONAL on client side. This field only needs to be | ||
| // set if mutual authentication is required on server side. | ||
| IdentityOptions IdentityCertificateOptions | ||
| // AdditionalPeerVerification is a custom verification check after certificate signature | ||
| // check. | ||
| // If this is set, we will perform this customized check after doing the | ||
| // normal check(s) indicated by setting VerificationType. | ||
| AdditionalPeerVerification PostHandshakeVerificationFunc | ||
| // VerifyPeer is a custom verification check after certificate signature | ||
| // check. | ||
| // If this is set, we will perform this customized check after doing the | ||
| // normal check(s) indicated by setting VerificationType. | ||
| // | ||
| // Deprecated: use AdditionalPeerVerification instead. | ||
| VerifyPeer PostHandshakeVerificationFunc | ||
| // RootOptions is OPTIONAL on client side. If not set, we will try to use the | ||
| // default trust certificates in users' OS system. | ||
| RootOptions RootCertificateOptions | ||
|
|
@@ -206,11 +232,18 @@ type ClientOptions struct { | |
| type ServerOptions struct { | ||
| // IdentityOptions is REQUIRED on server side. | ||
| IdentityOptions IdentityCertificateOptions | ||
| // AdditionalPeerVerification is a custom verification check after certificate signature | ||
| // check. | ||
| // If this is set, we will perform this customized check after doing the | ||
| // normal check(s) indicated by setting VerificationType. | ||
| AdditionalPeerVerification PostHandshakeVerificationFunc | ||
| // VerifyPeer is a custom verification check after certificate signature | ||
| // check. | ||
| // If this is set, we will perform this customized check after doing the | ||
| // normal check(s) indicated by setting VerificationType. | ||
| // | ||
| // Deprecated: use AdditionalPeerVerification instead. | ||
| VerifyPeer PostHandshakeVerificationFunc | ||
| // RootOptions is OPTIONAL on server side. This field only needs to be set if | ||
| // mutual authentication is required(RequireClientCert is true). | ||
| RootOptions RootCertificateOptions | ||
|
|
@@ -239,13 +272,18 @@ type ServerOptions struct { | |
| } | ||
|
|
||
| func (o *ClientOptions) config() (*tls.Config, error) { | ||
| // TODO(gtcooke94) Remove this block when o.VerifyPeer is remoed. | ||
| // VerifyPeer is deprecated, but do this to aid the transitory migration time. | ||
| if o.AdditionalPeerVerification == nil { | ||
| o.AdditionalPeerVerification = o.VerifyPeer | ||
|
There was a problem hiding this comment.
Or ignore the old deprecated field if o.AdditionalPeerVerification == nil {
o.AdditionalPeerVerification = o.VerifyPeer
}There was a problem hiding this comment. It's not required, so the error return I think doesn't make the most sense. The reverse works too, I guess it just matters for the precedence - I was going with "if the old field is set they probably haven't migrated", but the bottom is good too as a "if the new field isn't set take whatever is in the old field" There was a problem hiding this comment. The error would be "you set two fields that mean the same thing, one of which is deprecated: what were you thinking?" 😆 |
||
| } | ||
| // TODO(gtcooke94). VType is deprecated, eventually remove this block. This | ||
| // will ensure that users still explicitly setting `VType` will get the | ||
| // setting to the right place. | ||
| if o.VType != CertAndHostVerification { | ||
| o.VerificationType = o.VType | ||
| } | ||
| if o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil { | ||
| return nil, fmt.Errorf("client needs to provide custom verification mechanism if choose to skip default verification") | ||
| } | ||
| // Make sure users didn't specify more than one fields in | ||
|
|
@@ -321,13 +359,18 @@ func (o *ClientOptions) config() (*tls.Config, error) { | |
| } | ||
|
|
||
| func (o *ServerOptions) config() (*tls.Config, error) { | ||
| // TODO(gtcooke94) Remove this block when o.VerifyPeer is remoed. | ||
| // VerifyPeer is deprecated, but do this to aid the transitory migration time. | ||
| if o.AdditionalPeerVerification == nil { | ||
| o.AdditionalPeerVerification = o.VerifyPeer | ||
| } | ||
| // TODO(gtcooke94). VType is deprecated, eventually remove this block. This | ||
| // will ensure that users still explicitly setting `VType` will get the | ||
| // setting to the right place. | ||
| if o.VType != CertAndHostVerification { | ||
| o.VerificationType = o.VType | ||
| } | ||
| if o.RequireClientCert && o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil { | ||
| return nil, fmt.Errorf("server needs to provide custom verification mechanism if choose to skip default verification, but require client certificate(s)") | ||
| } | ||
| // Make sure users didn't specify more than one fields in | ||
|
|
@@ -416,7 +459,7 @@ func (o *ServerOptions) config() (*tls.Config, error) { | |
| // using TLS. | ||
| type advancedTLSCreds struct { | ||
| config *tls.Config | ||
| verifyFunc PostHandshakeVerificationFunc | ||
| getRootCAs func(params *GetRootCAsParams) (*GetRootCAsResults, error) | ||
| isClient bool | ||
| verificationType VerificationType | ||
|
|
@@ -579,7 +622,7 @@ func buildVerifyFunc(c *advancedTLSCreds, | |
| } | ||
| // Perform custom verification check if specified. | ||
| if c.verifyFunc != nil { | ||
| _, err := c.verifyFunc(&HandshakeVerificationInfo{ | ||
| ServerName: serverName, | ||
| RawCerts: rawCerts, | ||
| VerifiedChains: chains, | ||
|
|
@@ -602,7 +645,7 @@ func NewClientCreds(o *ClientOptions) (credentials.TransportCredentials, error) | |
| config: conf, | ||
| isClient: true, | ||
| getRootCAs: o.RootOptions.GetRootCertificates, | ||
| verifyFunc: o.AdditionalPeerVerification, | ||
| verificationType: o.VerificationType, | ||
| revocationConfig: o.RevocationConfig, | ||
| } | ||
|
|
@@ -621,7 +664,7 @@ func NewServerCreds(o *ServerOptions) (credentials.TransportCredentials, error) | |
| config: conf, | ||
| isClient: false, | ||
| getRootCAs: o.RootOptions.GetRootCertificates, | ||
| verifyFunc: o.AdditionalPeerVerification, | ||
| verificationType: o.VerificationType, | ||
| revocationConfig: o.RevocationConfig, | ||
| } | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.