ClientAuthorizationCheck checks whether the client is authorized to access the requested resources based on the given expected client service accounts. This API should be used by gRPC server RPC handlers. This API should not be used by clients.
func ClientAuthorizationCheck(ctx context.Context, expectedServiceAccounts []string) error
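// ClientAuthorizationCheck checks whether the client is authorized to access
// the requested resources based on the given expected client service accounts.
//
// The peer service account is taken from the auth info that
// AuthInfoFromContext extracts from ctx and is compared case-insensitively
// (strings.EqualFold) against each entry of expectedServiceAccounts. The
// function returns nil on the first match. It returns a
// codes.PermissionDenied status error when AuthInfoFromContext fails or when
// no entry matches, so a nil or empty expectedServiceAccounts denies every
// caller.
//
// This API should be used by gRPC server RPC handlers. This API should not be
// used by clients.
func ClientAuthorizationCheck(ctx context.Context, expectedServiceAccounts []string) error {
	authInfo, err := AuthInfoFromContext(ctx)
	if err != nil {
		return status.Errorf(codes.PermissionDenied, "The context is not an ALTS-compatible context: %v", err)
	}
	peer := authInfo.PeerServiceAccount()
	for _, sa := range expectedServiceAccounts {
		// Fail closed: a blank allowlist entry (for example the single ""
		// left behind when an empty configuration value is split) must never
		// authorize a peer whose service account is also blank.
		if sa == "" {
			continue
		}
		if strings.EqualFold(peer, sa) {
			return nil
		}
	}
	return status.Errorf(codes.PermissionDenied, "Client %v is not authorized", peer)
}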