/*
 *
 * Copyright 2020 gRPC authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */
// Package credentials defines APIs for parsing SPIFFE ID. All APIs in this
// package are experimental.
package credentials

import (
	"crypto/tls"
	"net/url"

	"google.golang.org/grpc/grpclog"
)

// logger is the component logger for this package; SPIFFE ID validation
// failures are reported through it as warnings.
var (
	logger = grpclog.Component("credentials")
)
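// SPIFFEIDFromState parses the SPIFFE ID from State. If the SPIFFE ID format
// is invalid, return nil with warning.
//
// The ID is read from the URI SAN entries of the first peer certificate in
// state (the leaf). A URI is a SPIFFE ID candidate only when its scheme is
// "spiffe", it has no opaque part and it carries no user name; every other
// URI SAN is ignored. A candidate is rejected, and nil returned, when its
// total length exceeds 2048 bytes, its trust domain (Host) or workload path
// (Path) is empty, its trust domain exceeds 255 characters, or the
// certificate carries more than one URI SAN. A rejected candidate makes the
// whole call return nil even if an earlier candidate was accepted.
func SPIFFEIDFromState(state tls.ConnectionState) *url.URL {
	if len(state.PeerCertificates) == 0 {
		return nil
	}
	uris := state.PeerCertificates[0].URIs
	if len(uris) == 0 {
		return nil
	}
	var spiffeID *url.URL
	for _, uri := range uris {
		if uri == nil || uri.Scheme != "spiffe" || uri.Opaque != "" || (uri.User != nil && uri.User.Username() != "") {
			continue
		}
		// From this point, we assume the uri is intended for a SPIFFE ID.
		if len(uri.String()) > 2048 {
			logger.Warning("invalid SPIFFE ID: total ID length larger than 2048 bytes")
			return nil
		}
		// Only Host and Path are required to be non-empty. RawPath is just an
		// encoding hint: url.Parse (which crypto/x509 uses to populate URIs)
		// leaves it empty whenever the default encoding of Path is already
		// correct, so requiring a non-empty RawPath would reject ordinary,
		// well-formed IDs such as spiffe://example.org/workload.
		if len(uri.Host) == 0 || len(uri.Path) == 0 {
			logger.Warning("invalid SPIFFE ID: domain or workload ID is empty")
			return nil
		}
		if len(uri.Host) > 255 {
			logger.Warning("invalid SPIFFE ID: domain length larger than 255 characters")
			return nil
		}
		// A valid SPIFFE certificate can only have exactly one URI SAN field.
		if len(uris) > 1 {
			logger.Warning("invalid SPIFFE ID: multiple URI SANs")
			return nil
		}
		spiffeID = uri
	}
	return spiffeID
}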