salesforce
diff --git a/‎grpc-contrib/src/main/antlr4/com/salesforce/grpc/contrib/Xfcc.g4‎ renamed to ‎grpc-contrib/src/main/antlr4/com/salesforce/grpc/contrib/xfcc/Xfcc.g4‎ b/‎grpc-contrib/src/main/antlr4/com/salesforce/grpc/contrib/Xfcc.g4‎ renamed to ‎grpc-contrib/src/main/antlr4/com/salesforce/grpc/contrib/xfcc/Xfcc.g4‎
diff --git a/‎grpc-contrib/src/main/java/com/salesforce/grpc/contrib/interceptor/XfccServerInterceptor.java‎
Lines changed: 0 additions & 156 deletions b/‎grpc-contrib/src/main/java/com/salesforce/grpc/contrib/interceptor/XfccServerInterceptor.java‎
Lines changed: 0 additions & 156 deletions
diff --git a/‎grpc-contrib/src/main/java/com/salesforce/grpc/contrib/xfcc/XForwardedClientCert.java‎
Lines changed: 97 additions & 0 deletions b/‎grpc-contrib/src/main/java/com/salesforce/grpc/contrib/xfcc/XForwardedClientCert.java‎
Lines changed: 97 additions & 0 deletions
diff --git a/‎grpc-contrib/src/main/java/com/salesforce/grpc/contrib/xfcc/XfccMarshaller.java‎
Lines changed: 84 additions & 0 deletions b/‎grpc-contrib/src/main/java/com/salesforce/grpc/contrib/xfcc/XfccMarshaller.java‎
Lines changed: 84 additions & 0 deletions
diff --git a/‎grpc-contrib/src/main/java/com/salesforce/grpc/contrib/xfcc/XfccServerInterceptor.java‎
Lines changed: 46 additions & 0 deletions b/‎grpc-contrib/src/main/java/com/salesforce/grpc/contrib/xfcc/XfccServerInterceptor.java‎
Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,97 @@
+/*
+ *  Copyright (c) 2017, salesforce.com, inc.
+ *  All rights reserved.
+ *  Licensed under the BSD 3-Clause license.
+ *  For full license text, see LICENSE.txt file in the repo root  or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+package com.salesforce.grpc.contrib.xfcc;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * x-forwarded-client-cert (XFCC) is a proxy header which indicates certificate information of part or all of the
+ * clients or proxies that a request has flowed through, on its way from the client to the server.
+ */
+public class XForwardedClientCert {
+    private String by = "";
+    private String hash = "";
+    private String san = "";
+    private String subject = "";
+
+    void setBy(String by) {
+        this.by = by;
+    }
+
+    void setHash(String hash) {
+        this.hash = hash;
+    }
+
+    void setSan(String san) {
+        this.san = san;
+    }
+
+    void setSubject(String subject) {
+        this.subject = subject;
+    }
+
+    /**
+     * @return The Subject Alternative Name (SAN) of the current proxy’s certificate.
+     */
+    public String getBy() {
+        return by;
+    }
+
+    /**
+     * @return The SHA 256 diguest of the current client certificate.
+     */
+    public String getHash() {
+        return hash;
+    }
+
+    /**
+     * @return The SAN field (URI type) of the current client certificate.
+     */
+    public String getSan() {
+        return san;
+    }
+
+    /**
+     * @return The Subject field of the current client certificate.
+     */
+    public String getSubject() {
+        return subject;
+    }
+
+    @Override
+    public String toString() {
+        List<String> kvp = new ArrayList<>();
+        if (!by.isEmpty()) {
+            kvp.add("By=" + enquote(by));
+        }
+        if (!hash.isEmpty()) {
+            kvp.add("Hash=" + enquote(hash));
+        }
+        if (!san.isEmpty()) {
+            kvp.add("SAN=" + enquote(san));
+        }
+        if (!subject.isEmpty()) {
+            kvp.add("Subject=" + enquote(subject));
+        }
+
+        return String.join(";", kvp);
+    }
+
+    private String enquote(String value) {
+        // Escape inner quotes with \"
+        value = value.replace("\"", "\\\"");
+
+        // Wrap in quotes if ,;= is present
+        if (value.contains(",") || value.contains(";") || value.contains("=")) {
+            value = "\"" + value + "\"";
+        }
+
+        return value;
+    }
+}
@@ -0,0 +1,84 @@
+/*
+ *  Copyright (c) 2017, salesforce.com, inc.
+ *  All rights reserved.
+ *  Licensed under the BSD 3-Clause license.
+ *  For full license text, see LICENSE.txt file in the repo root  or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+package com.salesforce.grpc.contrib.xfcc;
+
+import io.grpc.Metadata;
+import org.antlr.v4.runtime.CharStreams;
+import org.antlr.v4.runtime.CommonTokenStream;
+import org.antlr.v4.runtime.tree.ParseTreeWalker;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.stream.Collectors;
+
+/**
+ * {@code XfccMarshaller} parses the {@code x-forwarded-client-cert} (XFCC) header populated by TLS-terminating
+ * reverse proxies. For example, Istio and Linkerd.
+ *
+ * @see <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http_conn_man/headers.html#config-http-conn-man-headers-x-forwarded-client-cert">Envoy XFCC Header</a>
+ * @see <a href="https://github.com/linkerd/linkerd/issues/1153">Linkerd XFCC Header</a>
+ */
+public class XfccMarshaller implements Metadata.AsciiMarshaller<List<XForwardedClientCert>> {
+    @Override
+    public String toAsciiString(List<XForwardedClientCert> value) {
+        return value.stream().map(XForwardedClientCert::toString).collect(Collectors.joining(","));
+    }
+
+    @Override
+    public List<XForwardedClientCert> parseAsciiString(String serialized) {
+        try {
+            List<XForwardedClientCert> clientCerts = new ArrayList<>();
+
+            XfccLexer lexer = new XfccLexer(CharStreams.fromString(serialized));
+            CommonTokenStream tokens = new CommonTokenStream(lexer);
+            XfccParser parser = new XfccParser(tokens);
+
+            XfccParser.HeaderContext headerContext = parser.header();
+            ParseTreeWalker walker = new ParseTreeWalker();
+
+            XfccListener listener = new XfccBaseListener() {
+                private XForwardedClientCert clientCert;
+
+                @Override
+                public void enterElement(XfccParser.ElementContext ctx) {
+                    clientCert = new XForwardedClientCert();
+                }
+
+                @Override
+                public void enterKvp(XfccParser.KvpContext ctx) {
+                    XfccParser.KeyContext key = ctx.key();
+                    XfccParser.ValueContext value = ctx.value();
+
+                    if (key.BY() != null) {
+                        clientCert.setBy(value.getText());
+                    }
+                    if (key.HASH() != null) {
+                        clientCert.setHash(value.getText());
+                    }
+                    if (key.SAN() != null) {
+                        clientCert.setSan(value.getText());
+                    }
+                    if (key.SUBJECT() != null) {
+                        clientCert.setSubject(value.getText());
+                    }
+                }
+
+                @Override
+                public void exitElement(XfccParser.ElementContext ctx) {
+                    clientCerts.add(clientCert);
+                    clientCert = null;
+                }
+            };
+
+            walker.walk(listener, headerContext);
+            return clientCerts;
+        } catch (NoClassDefFoundError err) {
+            throw new RuntimeException("Likely missing optional dependency on org.antlr:antlr4-runtime:4.7", err);
+        }
+    }
+}
@@ -0,0 +1,46 @@
+/*
+ *  Copyright (c) 2017, salesforce.com, inc.
+ *  All rights reserved.
+ *  Licensed under the BSD 3-Clause license.
+ *  For full license text, see LICENSE.txt file in the repo root  or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+package com.salesforce.grpc.contrib.xfcc;
+
+import io.grpc.*;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * {@code XfccServerInterceptor} parses the {@code x-forwarded-client-cert} (XFCC) header populated by TLS-terminating
+ * reverse proxies. For example, Istio and Linkerd. If present, the parsed XFCC header is appended to the
+ * gRPC {@code Context}.
+ *
+ * @see <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http_conn_man/headers.html#config-http-conn-man-headers-x-forwarded-client-cert">Envoy XFCC Header</a>
+ * @see <a href="https://github.com/linkerd/linkerd/issues/1153">Linkerd XFCC Header</a>
+ */
+public class XfccServerInterceptor implements ServerInterceptor {
+    /**
+     * The metadata key used to access any present {@link XForwardedClientCert} objects.
+     */
+    public static final Context.Key<List<XForwardedClientCert>> XFCC_CONTEXT_KEY = Context.key("x-forwarded-client-cert");
+
+    private static final Metadata.Key<List<XForwardedClientCert>> XFCC_METADATA_KEY = Metadata.Key.of("x-forwarded-client-cert", new XfccMarshaller());
+
+    @Override
+    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
+        Iterable<List<XForwardedClientCert>> values = headers.getAll(XFCC_METADATA_KEY);
+        if (values != null) {
+            List<XForwardedClientCert> xfccs = new ArrayList<>();
+            for (List<XForwardedClientCert> value : values) {
+                xfccs.addAll(value);
+            }
+
+            Context xfccContext = Context.current().withValue(XFCC_CONTEXT_KEY, xfccs);
+            return Contexts.interceptCall(xfccContext, call, headers, next);
+        } else {
+            return next.startCall(call, headers);
+        }
+    }
+}