aboutsummaryrefslogtreecommitdiffhomepage
path: root/src/core/lib/security/credentials
diff options
context:
space:
mode:
authorGravatar Craig Tiller <ctiller@google.com>2017-01-03 09:23:09 -0800
committerGravatar Craig Tiller <ctiller@google.com>2017-01-03 09:23:09 -0800
commit36d374681ae254a4269fec3aa7e5dc7dbb43a768 (patch)
treee1c623279678c4db4a9324f4b8720822cffe18f0 /src/core/lib/security/credentials
parent702f93d3645055bd77181935c18f41a9de272c1e (diff)
parentf2a66434e2e3f84830b4a26cc5e2badb5d943dfa (diff)
Merge github.com:grpc/grpc into slice_with_exec_ctx
Diffstat (limited to 'src/core/lib/security/credentials')
-rw-r--r--src/core/lib/security/credentials/jwt/jwt_verifier.c38
-rw-r--r--src/core/lib/security/credentials/jwt/jwt_verifier.h5
2 files changed, 34 insertions, 9 deletions
diff --git a/src/core/lib/security/credentials/jwt/jwt_verifier.c b/src/core/lib/security/credentials/jwt/jwt_verifier.c
index 71febc248a..044c89c54d 100644
--- a/src/core/lib/security/credentials/jwt/jwt_verifier.c
+++ b/src/core/lib/security/credentials/jwt/jwt_verifier.c
@@ -47,6 +47,7 @@
#include "src/core/lib/iomgr/polling_entity.h"
#include "src/core/lib/security/util/b64.h"
#include "src/core/lib/slice/slice_internal.h"
+#include "src/core/lib/support/string.h"
#include "src/core/lib/tsi/ssl_types.h"
/* --- Utils. --- */
@@ -309,6 +310,17 @@ grpc_jwt_verifier_status grpc_jwt_claims_check(const grpc_jwt_claims *claims,
return GRPC_JWT_VERIFIER_TIME_CONSTRAINT_FAILURE;
}
+ /* This should be probably up to the upper layer to decide but let's harcode
+ the 99% use case here for email issuers, where the JWT must be self
+ issued. */
+ if (grpc_jwt_issuer_email_domain(claims->iss) != NULL &&
+ claims->sub != NULL && strcmp(claims->iss, claims->sub) != 0) {
+ gpr_log(GPR_ERROR,
+ "Email issuer (%s) cannot assert another subject (%s) than itself.",
+ claims->iss, claims->sub);
+ return GRPC_JWT_VERIFIER_BAD_SUBJECT;
+ }
+
if (audience == NULL) {
audience_ok = claims->aud == NULL;
} else {
@@ -714,10 +726,26 @@ static void verifier_put_mapping(grpc_jwt_verifier *v, const char *email_domain,
GPR_ASSERT(v->num_mappings <= v->allocated_mappings);
}
+/* Very non-sophisticated way to detect an email address. Should be good
+ enough for now... */
+const char *grpc_jwt_issuer_email_domain(const char *issuer) {
+ const char *at_sign = strchr(issuer, '@');
+ if (at_sign == NULL) return NULL;
+ const char *email_domain = at_sign + 1;
+ if (*email_domain == '\0') return NULL;
+ const char *dot = strrchr(email_domain, '.');
+ if (dot == NULL || dot == email_domain) return email_domain;
+ GPR_ASSERT(dot > email_domain);
+ /* There may be a subdomain, we just want the domain. */
+ dot = gpr_memrchr(email_domain, '.', (size_t)(dot - email_domain));
+ if (dot == NULL) return email_domain;
+ return dot + 1;
+}
+
/* Takes ownership of ctx. */
static void retrieve_key_and_verify(grpc_exec_ctx *exec_ctx,
verifier_cb_ctx *ctx) {
- const char *at_sign;
+ const char *email_domain;
grpc_closure *http_cb;
char *path_prefix = NULL;
const char *iss;
@@ -742,13 +770,9 @@ static void retrieve_key_and_verify(grpc_exec_ctx *exec_ctx,
Nobody seems to implement the account/email/webfinger part 2. of the spec
so we will rely instead on email/url mappings if we detect such an issuer.
Part 4, on the other hand is implemented by both google and salesforce. */
-
- /* Very non-sophisticated way to detect an email address. Should be good
- enough for now... */
- at_sign = strchr(iss, '@');
- if (at_sign != NULL) {
+ email_domain = grpc_jwt_issuer_email_domain(iss);
+ if (email_domain != NULL) {
email_key_mapping *mapping;
- const char *email_domain = at_sign + 1;
GPR_ASSERT(ctx->verifier != NULL);
mapping = verifier_get_mapping(ctx->verifier, email_domain);
if (mapping == NULL) {
diff --git a/src/core/lib/security/credentials/jwt/jwt_verifier.h b/src/core/lib/security/credentials/jwt/jwt_verifier.h
index b79f411903..4fa320a415 100644
--- a/src/core/lib/security/credentials/jwt/jwt_verifier.h
+++ b/src/core/lib/security/credentials/jwt/jwt_verifier.h
@@ -43,8 +43,7 @@
/* --- Constants. --- */
#define GRPC_OPENID_CONFIG_URL_SUFFIX "/.well-known/openid-configuration"
-#define GRPC_GOOGLE_SERVICE_ACCOUNTS_EMAIL_DOMAIN \
- "developer.gserviceaccount.com"
+#define GRPC_GOOGLE_SERVICE_ACCOUNTS_EMAIL_DOMAIN "gserviceaccount.com"
#define GRPC_GOOGLE_SERVICE_ACCOUNTS_KEY_URL_PREFIX \
"www.googleapis.com/robot/v1/metadata/x509"
@@ -57,6 +56,7 @@ typedef enum {
GRPC_JWT_VERIFIER_BAD_AUDIENCE,
GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR,
GRPC_JWT_VERIFIER_TIME_CONSTRAINT_FAILURE,
+ GRPC_JWT_VERIFIER_BAD_SUBJECT,
GRPC_JWT_VERIFIER_GENERIC_ERROR
} grpc_jwt_verifier_status;
@@ -134,5 +134,6 @@ grpc_jwt_claims *grpc_jwt_claims_from_json(grpc_exec_ctx *exec_ctx,
grpc_json *json, grpc_slice buffer);
grpc_jwt_verifier_status grpc_jwt_claims_check(const grpc_jwt_claims *claims,
const char *audience);
+const char *grpc_jwt_issuer_email_domain(const char *issuer);
#endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_JWT_JWT_VERIFIER_H */