github.com/grpc/grpc-go

Function NewBundle

internal/xds/bootstrap/tlscreds/bundle.go:54–96

NewBundle returns a credentials.Bundle which implements mTLS Credentials in xDS Bootstrap File. It delegates certificate loading to a file_watcher provider if either client certificates or server root CA is specified. The second return value is a close func that should be called when the caller no longer needs this bundle.

Signature: NewBundle(jd json.RawMessage) (credentials.Bundle, func(), error)


import (
	"crypto/tls"
	"encoding/json"
	"fmt"
	"sync"

	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/credentials/tls/certprovider"
	"google.golang.org/grpc/credentials/tls/certprovider/pemfile"
	"google.golang.org/grpc/internal/envconfig"
)

// needs this bundle.
// See gRFC A65: github.com/grpc/proposal/blob/master/A65-xds-mtls-creds-in-bootstrap.md
func NewBundle(jd json.RawMessage) (credentials.Bundle, func(), error) {
	cfg := &struct {
		CertificateFile          string `json:"certificate_file"`
		CACertificateFile        string `json:"ca_certificate_file"`
		PrivateKeyFile           string `json:"private_key_file"`
		SPIFFETrustBundleMapFile string `json:"spiffe_trust_bundle_map_file"`
	}{}

	if jd != nil {
		if err := json.Unmarshal(jd, cfg); err != nil {
			return nil, nil, fmt.Errorf("failed to unmarshal config: %v", err)
		}
	} // Else the config field is absent. Treat it as an empty config.

	if !envconfig.XDSSPIFFEEnabled {
		cfg.SPIFFETrustBundleMapFile = ""
	}
	if cfg.CACertificateFile == "" && cfg.CertificateFile == "" && cfg.PrivateKeyFile == "" && cfg.SPIFFETrustBundleMapFile == "" {
		// We cannot use (and do not need) a file_watcher provider in this case,
		// and can simply directly use the TLS transport credentials.
		// Quoting A65:
		//
		// > The only difference between the file-watcher certificate provider
		// > config and this one is that in the file-watcher certificate
		// > provider, at least one of the "certificate_file" or
		// > "ca_certificate_file" fields must be specified, whereas in this
		// > configuration, it is acceptable to specify neither one.
		// Further, with the introduction of SPIFFE Trust Map support, we also
		// check for this value.
		return &bundle{transportCredentials: credentials.NewTLS(&tls.Config{})}, func() {}, nil
	}
	// Otherwise we need to use a file_watcher provider to watch the CA,
	// private and public keys.

	// The pemfile plugin (file_watcher) currently ignores BuildOptions.
	provider, err := certprovider.GetProvider(pemfile.PluginName, jd, certprovider.BuildOptions{})
	if err != nil {
		return nil, nil, err
	}
	return &bundle{
		transportCredentials: &reloadingCreds{provider: provider},
	}, sync.OnceFunc(func() { provider.Close() }), nil
}

func (t *bundle) TransportCredentials() credentials.TransportCredentials {
	return t.transportCredentials
}
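As an added example (not code from grpc-go), the following Go program mirrors the gating that NewBundle applies to a bootstrap tls-creds config and reports what the resulting bundle actually provides: an empty or absent config yields plain TLS against the system roots with no client identity (credentials.NewTLS(&tls.Config{})), a CA file or SPIFFE trust map alone yields server authentication from a custom trust source, and a certificate/key pair yields mTLS. The spiffeEnabled parameter stands in for envconfig.XDSSPIFFEEnabled, and the rule that certificate_file and private_key_file must be set together is an assumption about the file_watcher provider, not something this page states.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// TLSMode classifies what a tls-creds bootstrap config will produce.
type TLSMode string

const (
	ModeSystemRootsTLS TLSMode = "tls-system-roots" // empty config: no client cert, system roots
	ModeServerAuthCA   TLSMode = "tls-custom-ca"    // CA file and/or SPIFFE map, no client identity
	ModeMTLS           TLSMode = "mtls"             // client certificate and key present
	ModeInvalid        TLSMode = "invalid"          // config rejected
)

// tlsCredsConfig uses the same JSON field names as NewBundle.
type tlsCredsConfig struct {
	CertificateFile          string `json:"certificate_file"`
	CACertificateFile        string `json:"ca_certificate_file"`
	PrivateKeyFile           string `json:"private_key_file"`
	SPIFFETrustBundleMapFile string `json:"spiffe_trust_bundle_map_file"`
}

// Classify applies NewBundle's decision logic: a nil message is an empty
// config, the SPIFFE map is ignored unless the feature toggle is on, and an
// all-empty config falls back to plain TLS without a file_watcher provider.
func Classify(jd json.RawMessage, spiffeEnabled bool) (TLSMode, error) {
	cfg := tlsCredsConfig{}
	if jd != nil {
		if err := json.Unmarshal(jd, &cfg); err != nil {
			return ModeInvalid, fmt.Errorf("failed to unmarshal config: %v", err)
		}
	}
	if !spiffeEnabled {
		cfg.SPIFFETrustBundleMapFile = ""
	}
	if cfg.CACertificateFile == "" && cfg.CertificateFile == "" &&
		cfg.PrivateKeyFile == "" && cfg.SPIFFETrustBundleMapFile == "" {
		return ModeSystemRootsTLS, nil
	}
	if cfg.CertificateFile != "" || cfg.PrivateKeyFile != "" {
		// Assumption (not stated on this page): the file_watcher provider
		// requires the identity certificate and its private key together.
		if cfg.CertificateFile == "" || cfg.PrivateKeyFile == "" {
			return ModeInvalid, fmt.Errorf("certificate_file and private_key_file must be set together")
		}
		return ModeMTLS, nil
	}
	return ModeServerAuthCA, nil
}

func main() {
	// Constructed sample configs; the paths are placeholders.
	samples := []json.RawMessage{
		nil,
		json.RawMessage(`{}`),
		json.RawMessage(`{"ca_certificate_file": "/etc/xds/ca.pem"}`),
		json.RawMessage(`{"certificate_file": "/etc/xds/cert.pem", "private_key_file": "/etc/xds/key.pem", "ca_certificate_file": "/etc/xds/ca.pem"}`),
		json.RawMessage(`{"certificate_file": "/etc/xds/cert.pem"}`),
	}
	for _, s := range samples {
		mode, err := Classify(s, false)
		fmt.Printf("%-110s -> %s (err=%v)\n", string(s), mode, err)
	}
}
```

A config that an operator believes enables mTLS but that only sets ca_certificate_file is reported as tls-custom-ca, which is the kind of gap a bootstrap review should surface.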

Callers 10

TestValidTlsBuilderMethod · 0.92
TestInvalidTlsBuilderMethod · 0.92
TestCaReloadingMethod · 0.92
Test_SPIFFE_ReloadingMethod · 0.92
TestMTLSMethod · 0.92
Test_MTLS_SPIFFEMethod · 0.92
BuildMethod · 0.92
TestFailingProviderMethod · 0.70

Calls 5

NewTLSFunction · 0.92
GetProviderFunction · 0.92
UnmarshalMethod · 0.65
ErrorfMethod · 0.65
CloseMethod · 0.65

Tested by 9

TestValidTlsBuilderMethod · 0.74
TestInvalidTlsBuilderMethod · 0.74
TestCaReloadingMethod · 0.74
Test_SPIFFE_ReloadingMethod · 0.74
TestMTLSMethod · 0.74
Test_MTLS_SPIFFEMethod · 0.74
TestFailingProviderMethod · 0.56