mirror of https://github.com/grpc/grpc-go.git
113 lines
3.5 KiB
Go
113 lines
3.5 KiB
Go
/*
|
|
*
|
|
* Copyright 2018 gRPC authors.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*
|
|
*/
|
|
|
|
// The server demonstrates how to consume and validate OAuth2 tokens provided by
|
|
// clients for each RPC.
|
|
package main
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"flag"
|
|
"fmt"
|
|
"log"
|
|
"net"
|
|
"strings"
|
|
|
|
"google.golang.org/grpc"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/credentials"
|
|
"google.golang.org/grpc/examples/data"
|
|
"google.golang.org/grpc/metadata"
|
|
"google.golang.org/grpc/status"
|
|
|
|
pb "google.golang.org/grpc/examples/features/proto/echo"
|
|
)
|
|
|
|
var (
|
|
errMissingMetadata = status.Errorf(codes.InvalidArgument, "missing metadata")
|
|
errInvalidToken = status.Errorf(codes.Unauthenticated, "invalid token")
|
|
)
|
|
|
|
var port = flag.Int("port", 50051, "the port to serve on")
|
|
|
|
func main() {
|
|
flag.Parse()
|
|
fmt.Printf("server starting on port %d...\n", *port)
|
|
|
|
cert, err := tls.LoadX509KeyPair(data.Path("x509/server_cert.pem"), data.Path("x509/server_key.pem"))
|
|
if err != nil {
|
|
log.Fatalf("failed to load key pair: %s", err)
|
|
}
|
|
opts := []grpc.ServerOption{
|
|
// The following grpc.ServerOption adds an interceptor for all unary
|
|
// RPCs. To configure an interceptor for streaming RPCs, see:
|
|
// https://godoc.org/google.golang.org/grpc#StreamInterceptor
|
|
grpc.UnaryInterceptor(ensureValidToken),
|
|
// Enable TLS for all incoming connections.
|
|
grpc.Creds(credentials.NewServerTLSFromCert(&cert)),
|
|
}
|
|
s := grpc.NewServer(opts...)
|
|
pb.RegisterEchoServer(s, &ecServer{})
|
|
lis, err := net.Listen("tcp", fmt.Sprintf(":%d", *port))
|
|
if err != nil {
|
|
log.Fatalf("failed to listen: %v", err)
|
|
}
|
|
if err := s.Serve(lis); err != nil {
|
|
log.Fatalf("failed to serve: %v", err)
|
|
}
|
|
}
|
|
|
|
type ecServer struct {
|
|
pb.UnimplementedEchoServer
|
|
}
|
|
|
|
func (s *ecServer) UnaryEcho(ctx context.Context, req *pb.EchoRequest) (*pb.EchoResponse, error) {
|
|
return &pb.EchoResponse{Message: req.Message}, nil
|
|
}
|
|
|
|
// valid validates the authorization.
|
|
func valid(authorization []string) bool {
|
|
if len(authorization) < 1 {
|
|
return false
|
|
}
|
|
token := strings.TrimPrefix(authorization[0], "Bearer ")
|
|
// Perform the token validation here. For the sake of this example, the code
|
|
// here forgoes any of the usual OAuth2 token validation and instead checks
|
|
// for a token matching an arbitrary string.
|
|
return token == "some-secret-token"
|
|
}
|
|
|
|
// ensureValidToken ensures a valid token exists within a request's metadata. If
|
|
// the token is missing or invalid, the interceptor blocks execution of the
|
|
// handler and returns an error. Otherwise, the interceptor invokes the unary
|
|
// handler.
|
|
func ensureValidToken(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
|
|
md, ok := metadata.FromIncomingContext(ctx)
|
|
if !ok {
|
|
return nil, errMissingMetadata
|
|
}
|
|
// The keys within metadata.MD are normalized to lowercase.
|
|
// See: https://godoc.org/google.golang.org/grpc/metadata#New
|
|
if !valid(md["authorization"]) {
|
|
return nil, errInvalidToken
|
|
}
|
|
// Continue execution of handler after ensuring a valid token.
|
|
return handler(ctx, req)
|
|
}
|