Expose client identity via a new abstract 'PeerUid' type #9952
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| /* | ||
| * Copyright 2023 The gRPC Authors | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| package io.grpc.binder; | ||
|
|
||
| import io.grpc.ExperimentalApi; | ||
|
|
||
| /** | ||
| * Identifies a gRPC/binder client or server by Android/Linux UID | ||
| * (https://source.android.com/security/app-sandbox). | ||
| * | ||
| * <p>Use {@link PeerUids#REMOTE_PEER} to obtain the client's {@link PeerUid} from the server's | ||
| * {@link io.grpc.Context} | ||
| * | ||
| * <p>The actual integer uid is intentionally not exposed to prevent misuse. If you want the uid for | ||
| * access control, consider one of the existing {@link SecurityPolicies} instead (or propose a new | ||
| * one). If you want the uid to pass to some other Android API, consider one of the static wrapper | ||
| * methods of {@link PeerUids} instead (or propose a new one). | ||
| */ | ||
| @ExperimentalApi("https://github.com/grpc/grpc-java/issues/8022") | ||
| public final class PeerUid { | ||
|
Member
There was a problem hiding this comment. @markb74, should this have
Contributor
Author
There was a problem hiding this comment. It seems reasonable to me to start with this as experimental and stabilize in the future as needed. Doesn't seem like this would block our initial intended use case as there are other such classes being used without issue for now. I've added it, but let me know if we should revert for any reason. |
||
|
|
||
| private final int uid; | ||
|
|
||
| /** Constructs a new instance. Intentionally non-public to prevent misuse. */ | ||
| PeerUid(int uid) { | ||
| this.uid = uid; | ||
| } | ||
|
|
||
| /** Returns an identifier for the current process. */ | ||
| public static PeerUid forCurrentProcess() { | ||
| return new PeerUid(android.os.Process.myUid()); | ||
| } | ||
|
|
||
| /** | ||
| * Returns this peer's Android/Linux uid. | ||
| * | ||
| * <p>Intentionally non-public to prevent misuse. | ||
| */ | ||
| int getUid() { | ||
| return uid; | ||
| } | ||
|
|
||
| @Override | ||
| public boolean equals(Object otherObj) { | ||
| if (this == otherObj) { | ||
| return true; | ||
| } | ||
| if (otherObj == null || getClass() != otherObj.getClass()) { | ||
| return false; | ||
| } | ||
| PeerUid otherPeerUid = (PeerUid) otherObj; | ||
| return uid == otherPeerUid.uid; | ||
| } | ||
|
|
||
| @Override | ||
| public int hashCode() { | ||
| return Integer.valueOf(uid).hashCode(); | ||
| } | ||
|
|
||
| @Override | ||
| public String toString() { | ||
| return "PeerUid{" + uid + '}'; | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,103 @@ | ||
| /* | ||
| * Copyright 2023 The gRPC Authors | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| package io.grpc.binder; | ||
|
|
||
| import static com.google.common.base.Preconditions.checkNotNull; | ||
|
|
||
| import android.content.pm.PackageManager; | ||
| import android.os.Build.VERSION_CODES; | ||
| import android.os.UserHandle; | ||
| import androidx.annotation.RequiresApi; | ||
| import io.grpc.Context; | ||
| import io.grpc.Contexts; | ||
| import io.grpc.ExperimentalApi; | ||
| import io.grpc.Metadata; | ||
| import io.grpc.ServerCall; | ||
| import io.grpc.ServerCallHandler; | ||
| import io.grpc.ServerInterceptor; | ||
| import io.grpc.binder.internal.BinderTransport; | ||
| import javax.annotation.Nullable; | ||
|
|
||
| /** Static methods that operate on {@link PeerUid}. */ | ||
| @ExperimentalApi("https://github.com/grpc/grpc-java/issues/8022") | ||
| public final class PeerUids { | ||
| /** | ||
| * The client's authentic identity will be stored under this key in the server {@link Context}. | ||
| * | ||
| * <p>In order for this key to be populated, the interceptor returned by {@link | ||
| * #newPeerIdentifyingServerInterceptor} must be attached to the service. Note that the Context | ||
| * must be propagated correctly across threads for this key to be populated when read from other | ||
| * threads. | ||
| */ | ||
| public static final Context.Key<PeerUid> REMOTE_PEER = Context.key("remote-peer"); | ||
|
|
||
| /** | ||
| * Returns package names associated with the given peer's uid according to {@link | ||
| * PackageManager#getPackagesForUid(int)}. | ||
| * | ||
| * <p><em>WARNING</em>: Apps installed from untrusted sources can set any package name they want. | ||
| * Don't depend on package names for security -- use {@link SecurityPolicies} instead. | ||
| */ | ||
| public static String[] getInsecurePackagesForUid(PackageManager packageManager, PeerUid who) { | ||
| return packageManager.getPackagesForUid(who.getUid()); | ||
| } | ||
|
|
||
| /** | ||
| * Retrieves the "official name" associated with this uid, as specified by {@link | ||
| * PackageManager#getNameForUid(int)}. | ||
| */ | ||
| @Nullable | ||
| public static String getNameForUid(PackageManager packageManager, PeerUid who) { | ||
| return packageManager.getNameForUid(who.getUid()); | ||
| } | ||
|
|
||
| /** | ||
| * Retrieves the {@link UserHandle} associated with this uid according to {@link | ||
| * UserHandle#getUserHandleForUid}. | ||
| */ | ||
| @RequiresApi(api = VERSION_CODES.N) | ||
| public static UserHandle getUserHandleForUid(PeerUid who) { | ||
| return UserHandle.getUserHandleForUid(who.getUid()); | ||
| } | ||
|
|
||
| /** | ||
| * Creates an interceptor that exposes the client's identity in the {@link Context} under {@link | ||
| * #REMOTE_PEER}. | ||
| * | ||
| * <p>The returned interceptor only works with the Android Binder transport. If installed | ||
| * elsewhere, all intercepted requests will fail without ever reaching application-layer | ||
| * processing. | ||
| */ | ||
| public static ServerInterceptor newPeerIdentifyingServerInterceptor() { | ||
| return new ServerInterceptor() { | ||
| @Override | ||
| public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall( | ||
| ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) { | ||
| Context context = Context.current(); | ||
| PeerUid client = | ||
| new PeerUid( | ||
| checkNotNull( | ||
| call.getAttributes().get(BinderTransport.REMOTE_UID), | ||
| "Expected BinderTransport attribute REMOTE_UID was missing. Is this " | ||
| + "interceptor installed on an unsupported type of Server?")); | ||
| return Contexts.interceptCall(context.withValue(REMOTE_PEER, client), call, headers, next); | ||
| } | ||
| }; | ||
| } | ||
|
|
||
| private PeerUids() {} | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| /* | ||
| * Copyright 2023 The gRPC Authors | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| package io.grpc.binder; | ||
|
|
||
| import com.google.common.testing.EqualsTester; | ||
| import org.junit.Test; | ||
| import org.junit.runner.RunWith; | ||
| import org.junit.runners.JUnit4; | ||
|
|
||
| @RunWith(JUnit4.class) | ||
| public class PeerUidTest { | ||
|
|
||
| @Test | ||
| public void shouldImplementEqualsAndHashCode() { | ||
| new EqualsTester() | ||
| .addEqualityGroup(new PeerUid(123), new PeerUid(123)) | ||
| .addEqualityGroup(new PeerUid(456)) | ||
| .testEquals(); | ||
| } | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.