| //! API for authenticating peer |
| //! Based on https://grpc.github.io/grpc/core/md_doc_server_side_auth.html |
| |
| use std::ffi::CStr; |
| use std::marker::PhantomData; |
| use std::ptr::NonNull; |
| |
| use crate::grpc_sys::{ |
| self, grpc_auth_context, grpc_auth_property, grpc_auth_property_iterator, grpc_call, |
| }; |
| |
| /// To perform server-side authentication, gRPC exposes the authentication context |
| /// for each call. The context exposes important authentication-related information |
| /// about the RPC such as the type of security/authentication type being used and |
| /// the peer identity. |
| /// |
| /// The authentication context is structured as a multi-map of key-value pairs - |
| /// the auth properties. In addition to that, for authenticated RPCs, the set of |
| /// properties corresponding to a selected key will represent the verified identity |
| /// of the caller - the peer identity. |
| /// |
| /// The contents of the auth properties are populated by an auth interceptor within |
| /// gRPC Core. The interceptor also chooses which property key will act as the peer |
| /// identity (e.g. for client certificate authentication this property will be |
| /// `x509_common_name` or `x509_subject_alternative_name`). |
| pub struct AuthContext { |
| ctx: NonNull<grpc_auth_context>, |
| } |
| |
| /// Binding to gRPC Core AuthContext |
| impl AuthContext { |
| pub(crate) unsafe fn from_call_ptr(call: *mut grpc_call) -> Option<Self> { |
| NonNull::new(grpc_sys::grpc_call_auth_context(call)).map(|ctx| AuthContext { ctx }) |
| } |
| |
| /// The name of the property gRPC Core has chosen as main peer identity property, |
| /// if any. |
| pub fn peer_identity_property_name(&self) -> Option<&str> { |
| unsafe { |
| let p = grpc_sys::grpc_auth_context_peer_identity_property_name(self.ctx.as_ref()); |
| if p.is_null() { |
| None |
| } else { |
| Some(CStr::from_ptr(p).to_str().expect("valid UTF-8 data")) |
| } |
| } |
| } |
| |
| /// `true` if the client has provided a valid certificate (or other auth method |
| /// considered valid by gRPC). |
| /// `false` in non-secure scenarios. |
| pub fn peer_is_authenticated(&self) -> bool { |
| unsafe { grpc_sys::grpc_auth_context_peer_is_authenticated(self.ctx.as_ref()) != 0 } |
| } |
| |
| /// `AuthContext[peer_identity_property_name()]` |
| /// |
| /// There may be several of them (for instance if `x509_subject_alternative_name` is selected) |
| pub fn peer_identity(&self) -> AuthPropertyIter { |
| unsafe { |
| // grpc_auth_context_peer_identity returns empty_iterator when self.ctx is NULL |
| let iter = grpc_sys::grpc_auth_context_peer_identity(self.ctx.as_ref()); |
| AuthPropertyIter { |
| iter, |
| _lifetime: PhantomData, |
| } |
| } |
| } |
| } |
| |
| impl<'a> IntoIterator for &'a AuthContext { |
| type Item = AuthProperty<'a>; |
| type IntoIter = AuthPropertyIter<'a>; |
| |
| /// Iterate over the AuthContext properties |
| fn into_iter(self) -> Self::IntoIter { |
| unsafe { |
| // grpc_auth_context_property_iterator returns empty_iterator when self.ctx is NULL |
| let iter = grpc_sys::grpc_auth_context_property_iterator(self.ctx.as_ref()); |
| AuthPropertyIter { |
| iter, |
| _lifetime: PhantomData, |
| } |
| } |
| } |
| } |
| |
| impl Drop for AuthContext { |
| fn drop(&mut self) { |
| unsafe { grpc_sys::grpc_auth_context_release(self.ctx.as_ptr()) } |
| } |
| } |
| |
| pub struct AuthPropertyIter<'a> { |
| iter: grpc_auth_property_iterator, |
| _lifetime: PhantomData<&'a grpc_auth_property_iterator>, |
| } |
| |
| impl<'a> Iterator for AuthPropertyIter<'a> { |
| type Item = AuthProperty<'a>; |
| |
| fn next(&mut self) -> Option<Self::Item> { |
| // grpc_auth_property_iterator_next returns empty_iterator when self.iter is NULL |
| let prop = unsafe { grpc_sys::grpc_auth_property_iterator_next(&mut self.iter) }; |
| if prop.is_null() { |
| None |
| } else { |
| Some(AuthProperty { |
| prop, |
| _lifetime: PhantomData, |
| }) |
| } |
| } |
| } |
| |
| /// Auth properties are elements of the AuthContext. They have a name |
| /// (a key of type string) and a value which can be a string or binary data. |
| pub struct AuthProperty<'a> { |
| prop: *const grpc_auth_property, |
| _lifetime: PhantomData<&'a grpc_auth_property>, |
| } |
| |
| impl<'a> AuthProperty<'a> { |
| pub fn name(&self) -> &'a str { |
| unsafe { CStr::from_ptr((*self.prop).name) } |
| .to_str() |
| .expect("Auth property name should be valid UTF-8 data") |
| } |
| |
| pub fn value(&self) -> &'a [u8] { |
| unsafe { |
| std::slice::from_raw_parts((*self.prop).value as *const u8, (*self.prop).value_length) |
| } |
| } |
| |
| pub fn value_str(&self) -> Result<&'a str, std::str::Utf8Error> { |
| std::str::from_utf8(self.value()) |
| } |
| } |