Affected by GO-2024-2965 and 1 other vulnerabilities

GO-2024-2965: Pomerium exposed OAuth2 access and ID tokens in user info endpoint response in github.com/pomerium/pomerium

GO-2024-3179: Pomerium service account access token may grant unintended access to databroker API in github.com/pomerium/pomerium

grpcutil

package

v0.18.1 Latest Latest Go to latest Published: May 26, 2023 License: Apache-2.0 Imports: 16 Imported by: 2

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/pomerium/pomerium

Links

Open Source Insights

Documentation ¶

Overview ¶

Package grpcutil contains functions for interacting with gRPC.

Index ¶

Constants
func AttachMetadataInterceptors(md metadata.MD) (grpc.UnaryServerInterceptor, grpc.StreamServerInterceptor)
func GetTypeURL(msg proto.Message) string
func JWTFromGRPCRequest(ctx context.Context) (rawjwt string, ok bool)
func NewGRPCClientConn(ctx context.Context, opts *Options, other ...grpc.DialOption) (*grpc.ClientConn, error)
func RequireSignedJWT(ctx context.Context, key []byte) error
func SessionIDFromGRPCRequest(ctx context.Context) (sessionID string, ok bool)
func StreamRequireSignedJWT(key string) grpc.StreamServerInterceptor
func UnaryRequireSignedJWT(key string) grpc.UnaryServerInterceptor
func WithOutgoingJWT(ctx context.Context, rawjwt string) context.Context
func WithOutgoingSessionID(ctx context.Context, sessionID string) context.Context
func WithStreamSignedJWT(getKey func() []byte) grpc.StreamClientInterceptor
func WithUnarySignedJWT(getKey func() []byte) grpc.UnaryClientInterceptor
type Options

Constants ¶

View Source

const JWTMetadataKey = "jwt"

JWTMetadataKey is the key in the metadata.

View Source

const MetadataKeyEnvoyVersion = "x-envoy-version"

MetadataKeyEnvoyVersion is the gRPC metadata key used for the envoy version.

View Source

const MetadataKeyPomeriumVersion = "x-pomerium-version"

MetadataKeyPomeriumVersion is the gRPC metadata key used for the pomerium version.

View Source

const SessionIDMetadataKey = "sessionid"

SessionIDMetadataKey is the key in the metadata.

Variables ¶

This section is empty.

Functions ¶

func AttachMetadataInterceptors ¶ added in v0.11.0

func AttachMetadataInterceptors(md metadata.MD) (grpc.UnaryServerInterceptor, grpc.StreamServerInterceptor)

AttachMetadataInterceptors returns unary and server stream interceptors that attach metadata to the response.

func GetTypeURL ¶ added in v0.14.0

func GetTypeURL(msg proto.Message) string

GetTypeURL gets the TypeURL for a protobuf message.

func JWTFromGRPCRequest ¶

func JWTFromGRPCRequest(ctx context.Context) (rawjwt string, ok bool)

JWTFromGRPCRequest returns the JWT from the gRPC request.

func NewGRPCClientConn ¶ added in v0.16.0

func NewGRPCClientConn(ctx context.Context, opts *Options, other ...grpc.DialOption) (*grpc.ClientConn, error)

NewGRPCClientConn returns a new gRPC pomerium service client connection.

func RequireSignedJWT ¶ added in v0.11.0

func RequireSignedJWT(ctx context.Context, key []byte) error

RequireSignedJWT requires a JWT in the gRPC metadata and that it be signed by the given key.

func SessionIDFromGRPCRequest ¶

func SessionIDFromGRPCRequest(ctx context.Context) (sessionID string, ok bool)

SessionIDFromGRPCRequest returns the session id from the gRPC request.

func StreamRequireSignedJWT ¶ added in v0.11.0

func StreamRequireSignedJWT(key string) grpc.StreamServerInterceptor

StreamRequireSignedJWT requires a JWT in the gRPC metadata and that it be signed by the base64-encoded key.

func UnaryRequireSignedJWT ¶ added in v0.11.0

func UnaryRequireSignedJWT(key string) grpc.UnaryServerInterceptor

UnaryRequireSignedJWT requires a JWT in the gRPC metadata and that it be signed by the base64-encoded key.

func WithOutgoingJWT ¶

func WithOutgoingJWT(ctx context.Context, rawjwt string) context.Context

WithOutgoingJWT appends a metadata header for the JWT to a context.

func WithOutgoingSessionID ¶

func WithOutgoingSessionID(ctx context.Context, sessionID string) context.Context

WithOutgoingSessionID appends a metadata header for the session ID to a context.

func WithStreamSignedJWT ¶ added in v0.11.0

func WithStreamSignedJWT(getKey func() []byte) grpc.StreamClientInterceptor

WithStreamSignedJWT returns a StreamClientInterceptor that adds a JWT to requests.

func WithUnarySignedJWT ¶ added in v0.11.0

func WithUnarySignedJWT(getKey func() []byte) grpc.UnaryClientInterceptor

WithUnarySignedJWT returns a UnaryClientInterceptor that adds a JWT to requests.

Types ¶

type Options ¶ added in v0.16.0

type Options struct {
	// Address is the location of the service.  e.g. "service.corp.example:8443"
	Address *url.URL
	// OverrideCertificateName overrides the server name used to verify the hostname on the
	// returned certificates from the server. gRPC internals also use it to override the virtual
	// hosting name if it is set.
	OverrideCertificateName string
	// CA specifies the base64 encoded TLS certificate authority to use.
	CA string
	// CAFile specifies the TLS certificate authority file to use.
	CAFile string
	// RequestTimeout specifies the timeout for individual RPC calls
	RequestTimeout time.Duration
	// ClientDNSRoundRobin enables or disables DNS resolver based load balancing
	ClientDNSRoundRobin bool

	// InsecureSkipVerify skips destination hostname and ca check
	InsecureSkipVerify bool

	// ServiceName specifies the service name for telemetry exposition
	ServiceName string

	// SignedJWTKey is the JWT key to use for signing a JWT attached to metadata.
	SignedJWTKey []byte
}

Options contains options for connecting to a pomerium rpc service.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL