package credentials

Import Path
	google.golang.org/grpc/credentials (on go.dev)

Dependency Relation
	imports 11 packages, and imported by 7 packages


Involved Source Files

	
		Package credentials implements various credentials supported by gRPC library,
		which encapsulate all the state needed by a client to authenticate with a
		server and make various assertions, e.g., about the client's identity, role,
		or whether it is authorized to make a particular call.

	      tls.go


Package-Level Type Names (total 15, in which 14 are exported)


	/* sort exporteds by:  |  */
	
		AuthInfo defines the common interface for the auth information the users are interested in.
		A struct that implements AuthInfo should embed CommonAuthInfo by including additional
		information about the credentials in it.

		
			( AuthInfo) AuthType() string
		
			 TLSInfo
			
		
			func TransportCredentials.ClientHandshake(context.Context, string, net.Conn) (net.Conn, AuthInfo, error)
			func TransportCredentials.ServerHandshake(net.Conn) (net.Conn, AuthInfo, error)
		
			func CheckSecurityLevel(ai AuthInfo, level SecurityLevel) error


	
		Bundle is a combination of TransportCredentials and PerRPCCredentials.

		It also contains a mode switching method, so it can be used as a combination
		of different credential policies.

		Bundle cannot be used together with individual TransportCredentials.
		PerRPCCredentials from Bundle will be appended to other PerRPCCredentials.

		This API is experimental.

		
			
				NewWithMode should make a copy of Bundle, and switch mode. Modifying the
				existing Bundle may cause races.

				NewWithMode returns nil if the requested mode is not supported.

			
				PerRPCCredentials returns the per-RPC credentials from the Bundle.

				May be nil if per-RPC credentials are not needed.

			
				TransportCredentials returns the transport credentials from the Bundle.

				Implementations must return non-nil transport credentials. If transport
				security is not needed by the Bundle, implementations may choose to
				return insecure.NewCredentials().

		
			
		
			func Bundle.NewWithMode(mode string) (Bundle, error)
			func google.golang.org/grpc/credentials/insecure.NewBundle() Bundle
		
			func google.golang.org/grpc.WithCredentialsBundle(b Bundle) grpc.DialOption


	
		ChannelzSecurityInfo defines the interface that security protocols should implement
		in order to provide security info to channelz.

		This API is experimental.

		
			( ChannelzSecurityInfo) GetSecurityValue() ChannelzSecurityValue
		
			 TLSInfo


	
		ChannelzSecurityValue defines the interface that GetSecurityValue() return value
		should satisfy. This interface should only be satisfied by *TLSChannelzSecurityValue
		and *OtherChannelzSecurityValue.

		This API is experimental.

		
			
		
			 OtherChannelzSecurityValue
			 TLSChannelzSecurityValue
		
			func ChannelzSecurityInfo.GetSecurityValue() ChannelzSecurityValue
			func TLSInfo.GetSecurityValue() ChannelzSecurityValue


	
		ClientHandshakeInfo holds data to be passed to ClientHandshake. This makes
		it possible to pass arbitrary data to the handshaker from gRPC, resolver,
		balancer etc. Individual credential implementations control the actual
		format of the data that they are willing to receive.

		This API is experimental.

		
			
				Attributes contains the attributes for the address. It could be provided
				by the gRPC, resolver, balancer etc.

		
			func ClientHandshakeInfoFromContext(ctx context.Context) ClientHandshakeInfo


	
		CommonAuthInfo contains authenticated information common to AuthInfo implementations.
		It should be embedded in a struct implementing AuthInfo to provide additional information
		about the credentials.

		This API is experimental.

		
			SecurityLevel SecurityLevel
		
			
				GetCommonAuthInfo returns the pointer to CommonAuthInfo struct.

		
			func CommonAuthInfo.GetCommonAuthInfo() CommonAuthInfo


	
		OtherChannelzSecurityValue defines the struct that non-TLS protocol should return
		from GetSecurityValue(), which contains protocol specific security info. Note
		the Value field will be sent to users of channelz requesting channel info, and
		thus sensitive info should better be avoided.

		This API is experimental.

		
			ChannelzSecurityValue ChannelzSecurityValue
			Name string
			Value proto.Message
		
			
		
			 OtherChannelzSecurityValue : ChannelzSecurityValue


	
		PerRPCCredentials defines the common interface for the credentials which need to
		attach security information to every RPC (e.g., oauth2).

		
			
				GetRequestMetadata gets the current request metadata, refreshing tokens
				if required. This should be called by the transport layer on each
				request, and the data should be populated in headers or other
				context. If a status code is returned, it will be used as the status for
				the RPC (restricted to an allowable set of codes as defined by gRFC
				A54). uri is the URI of the entry point for the request.  When supported
				by the underlying implementation, ctx can be used for timeout and
				cancellation. Additionally, RequestInfo data will be available via ctx
				to this call.  TODO(zhaoq): Define the set of the qualified keys instead
				of leaving it as an arbitrary string.

			
				RequireTransportSecurity indicates whether the credentials requires
				transport security.

		
			func Bundle.PerRPCCredentials() PerRPCCredentials
		
			func google.golang.org/grpc.PerRPCCredentials(creds PerRPCCredentials) grpc.CallOption
			func google.golang.org/grpc.WithPerRPCCredentials(creds PerRPCCredentials) grpc.DialOption


	
		ProtocolInfo provides information regarding the gRPC wire protocol version,
		security protocol, security protocol version in use, server name, etc.

		
			
				ProtocolVersion is the gRPC wire protocol version.

			
				SecurityProtocol is the security protocol in use.

			
				SecurityVersion is the security protocol version.  It is a static version string from the
				credentials, not a value that reflects per-connection protocol negotiation.  To retrieve
				details about the credentials used for a connection, use the Peer's AuthInfo field instead.

				Deprecated: please use Peer.AuthInfo.

			
				ServerName is the user-configured server name.

		
			func TransportCredentials.Info() ProtocolInfo


	
		RequestInfo contains request data attached to the context passed to GetRequestMetadata calls.

		This API is experimental.

		
			
				AuthInfo contains the information from a security handshake (TransportCredentials.ClientHandshake, TransportCredentials.ServerHandshake)

			
				The method passed to Invoke or NewStream for this RPC. (For proto methods, this has the format "/some.Service/Method")

		
			func RequestInfoFromContext(ctx context.Context) (ri RequestInfo, ok bool)


	
		SecurityLevel defines the protection level on an established connection.

		This API is experimental.

		
			
				String returns SecurityLevel in a string format.

		
			 SecurityLevel : expvar.Var
			 SecurityLevel : fmt.Stringer
			
		
			func CheckSecurityLevel(ai AuthInfo, level SecurityLevel) error
		
			const IntegrityOnly
			const InvalidSecurityLevel
			const NoSecurity
			const PrivacyAndIntegrity


	
		TLSChannelzSecurityValue defines the struct that TLS protocol should return
		from GetSecurityValue(), containing security info like cipher and certificate used.

		# Experimental

		Notice: This type is EXPERIMENTAL and may be changed or removed in a
		later release.

		
			ChannelzSecurityValue ChannelzSecurityValue
			LocalCertificate []byte
			RemoteCertificate []byte
			StandardName string
		
			
		
			 TLSChannelzSecurityValue : ChannelzSecurityValue


	
		TLSInfo contains the auth information for a TLS authenticated connection.
		It implements the AuthInfo interface.

		
			CommonAuthInfo CommonAuthInfo
			CommonAuthInfo.SecurityLevel SecurityLevel
			
				This API is experimental.

			State tls.ConnectionState
		
			
				AuthType returns the type of TLSInfo as a string.

			
				GetCommonAuthInfo returns the pointer to CommonAuthInfo struct.

			
				GetSecurityValue returns security info requested by channelz.

		
			 TLSInfo : AuthInfo
			 TLSInfo : ChannelzSecurityInfo


	
		TransportCredentials defines the common interface for all the live gRPC wire
		protocols and supported transport security protocols (e.g., TLS, SSL).

		
			
				ClientHandshake does the authentication handshake specified by the
				corresponding authentication protocol on rawConn for clients. It returns
				the authenticated connection and the corresponding auth information
				about the connection.  The auth information should embed CommonAuthInfo
				to return additional information about the credentials. Implementations
				must use the provided context to implement timely cancellation.  gRPC
				will try to reconnect if the error returned is a temporary error
				(io.EOF, context.DeadlineExceeded or err.Temporary() == true).  If the
				returned error is a wrapper error, implementations should make sure that
				the error implements Temporary() to have the correct retry behaviors.
				Additionally, ClientHandshakeInfo data will be available via the context
				passed to this call.

				The second argument to this method is the `:authority` header value used
				while creating new streams on this connection after authentication
				succeeds. Implementations must use this as the server name during the
				authentication handshake.

				If the returned net.Conn is closed, it MUST close the net.Conn provided.

			
				Clone makes a copy of this TransportCredentials.

			
				Info provides the ProtocolInfo of this TransportCredentials.

			
				OverrideServerName specifies the value used for the following:
				- verifying the hostname on the returned certificates
				- as SNI in the client's handshake to support virtual hosting
				- as the value for `:authority` header at stream creation time

				Deprecated: use grpc.WithAuthority instead. Will be supported
				throughout 1.x.

			
				ServerHandshake does the authentication handshake for servers. It returns
				the authenticated connection and the corresponding auth information about
				the connection. The auth information should embed CommonAuthInfo to return additional information
				about the credentials.

				If the returned net.Conn is closed, it MUST close the net.Conn provided.

		
			
		
			func NewClientTLSFromCert(cp *x509.CertPool, serverNameOverride string) TransportCredentials
			func NewClientTLSFromFile(certFile, serverNameOverride string) (TransportCredentials, error)
			func NewServerTLSFromCert(cert *tls.Certificate) TransportCredentials
			func NewServerTLSFromFile(certFile, keyFile string) (TransportCredentials, error)
			func NewTLS(c *tls.Config) TransportCredentials
			func Bundle.TransportCredentials() TransportCredentials
			func TransportCredentials.Clone() TransportCredentials
			func google.golang.org/grpc/credentials/insecure.NewCredentials() TransportCredentials
		
			func google.golang.org/grpc.Creds(c TransportCredentials) grpc.ServerOption
			func google.golang.org/grpc.WithTransportCredentials(creds TransportCredentials) grpc.DialOption


	


Package-Level Functions (total 8, all are exported)


	
		CheckSecurityLevel checks if a connection's security level is greater than or equal to the specified one.
		It returns success if 1) the condition is satisified or 2) AuthInfo struct does not implement GetCommonAuthInfo() method
		or 3) CommonAuthInfo.SecurityLevel has an invalid zero value. For 2) and 3), it is for the purpose of backward-compatibility.

		This API is experimental.


	
		ClientHandshakeInfoFromContext returns the ClientHandshakeInfo struct stored
		in ctx.

		This API is experimental.


	
		NewClientTLSFromCert constructs TLS credentials from the provided root
		certificate authority certificate(s) to validate server connections. If
		certificates to establish the identity of the client need to be included in
		the credentials (eg: for mTLS), use NewTLS instead, where a complete
		tls.Config can be specified.
		serverNameOverride is for testing only. If set to a non empty string,
		it will override the virtual host name of authority (e.g. :authority header
		field) in requests.


	
		NewClientTLSFromFile constructs TLS credentials from the provided root
		certificate authority certificate file(s) to validate server connections. If
		certificates to establish the identity of the client need to be included in
		the credentials (eg: for mTLS), use NewTLS instead, where a complete
		tls.Config can be specified.
		serverNameOverride is for testing only. If set to a non empty string,
		it will override the virtual host name of authority (e.g. :authority header
		field) in requests.


	
		NewServerTLSFromCert constructs TLS credentials from the input certificate for server.


	
		NewServerTLSFromFile constructs TLS credentials from the input certificate file and key
		file for server.


	
		NewTLS uses c to construct a TransportCredentials based on TLS.


	
		RequestInfoFromContext extracts the RequestInfo from the context if it exists.

		This API is experimental.




Package-Level Variables (total 2, in which 1 are exported)


	
		ErrConnDispatched indicates that rawConn has been dispatched out of gRPC
		and the caller should not close rawConn.


	


Package-Level Constants (total 4, all are exported)


	
		IntegrityOnly indicates a connection only provides integrity protection.


	
		InvalidSecurityLevel indicates an invalid security level.
		The zero SecurityLevel value is invalid for backward compatibility.


	
		NoSecurity indicates a connection is insecure.


	
		PrivacyAndIntegrity indicates a connection provides both privacy and integrity protection.