Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added alts credential option #341

Merged
merged 6 commits into from
Sep 25, 2023
Merged

Added alts credential option #341

Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
6a7c474
Added alts credential option
derpferd Oct 22, 2022
cc08c63
Added ALTS client options as cmd arguments.
derpferd Oct 24, 2022
119b8c9
Update target service accounts docs
derpferd Oct 25, 2022
d9ca7fb
Applied feedback
derpferd Sep 25, 2023
9e8449f
Merge branch 'fullstorydev:master' into master
derpferd Sep 25, 2023
62dd924
Small fix: removed indirection on usetls
derpferd Sep 25, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 23 additions & 2 deletions cmd/grpcurl/grpcurl.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,9 @@ var (
Use plain-text HTTP/2 when connecting to server (no TLS).`))
usealts = flags.Bool("alts", false, prettify(`
Use Application Layer Transport Security (ALTS) when connecting to server.`))
insecure = flags.Bool("insecure", false, prettify(`
altsHandshakerServiceAddress = flags.String("alts-handshaker-service", "", prettify(`If set, this server will be used to do the ATLS handshaking.`))
altsTargetServiceAccounts multiString
insecure = flags.Bool("insecure", false, prettify(`
Skip server certificate and domain verification. (NOT SECURE!) Not
valid with -plaintext option.`))
cacert = flags.String("cacert", "", prettify(`
Expand Down Expand Up @@ -203,6 +205,12 @@ func init() {
-use-reflection is used in combination with a -proto or -protoset flag,
the provided descriptor sources will be used in addition to server
reflection to resolve messages and extensions.`))
flags.Var(&altsTargetServiceAccounts, "alts-target-service-account", prettify(`
A list of expected target service accounts. If the service is running as
any of the provided service account the connection and request will be
made else the connection will fail to connect. If not target service
accounts are provided, no client side authorization will be done and any
connection will be allowed.`))
derpferd marked this conversation as resolved.
Show resolved Hide resolved
}

type multiString []string
Expand Down Expand Up @@ -305,6 +313,12 @@ func main() {
if *usealts && *key != "" {
fail(nil, "The -alts and -key arguments are mutually exclusive.")
}
if *altsHandshakerServiceAddress != "" && !*usealts {
fail(nil, "The -alts-handshaker-service argument must be used with the -alts argument.")
}
if len(altsTargetServiceAccounts) > 0 && !*usealts {
fail(nil, "The -alts-target-service-account argument must be used with the -alts argument.")
}
derpferd marked this conversation as resolved.
Show resolved Hide resolved
if (*key == "") != (*cert == "") {
fail(nil, "The -cert and -key arguments must be used together and both be present.")
}
Expand Down Expand Up @@ -427,7 +441,14 @@ func main() {
opts = append(opts, grpc.WithAuthority(*authority))
}
} else if *usealts {
creds = alts.NewClientCreds(alts.DefaultClientOptions())
clientOptions := alts.DefaultClientOptions()
if len(altsTargetServiceAccounts) > 0 {
clientOptions.TargetServiceAccounts = altsTargetServiceAccounts
}
if *altsHandshakerServiceAddress != "" {
clientOptions.HandshakerServiceAddress = *altsHandshakerServiceAddress
}
creds = alts.NewClientCreds(clientOptions)
} else {
// Use TLS
tlsConf, err := grpcurl.ClientTLSConfig(*insecure, *cacert, *cert, *key)
Expand Down