bmc/auth_loas3.h - gPowerD - Git at Google

 #ifndef PRODUCTION_SUSHID_SAFEPOWER_AGENT_BMC_AUTH_LOAS3_H_
 #define PRODUCTION_SUSHID_SAFEPOWER_AGENT_BMC_AUTH_LOAS3_H_

 // THIS FILE IS NOT SUPPORTED BY THE gbmc-docker UT ENVIRONMENT
 #include "absl/types/span.h"
 #ifdef LOAS3_AUTH

 #include <cstddef>
 #include <functional>
 #include <ostream>
 #include <vector>

 #include "absl/strings/str_cat.h"
 #include "absl/strings/string_view.h"
 #include "grpcpp/support/status.h"
 #include "grpcpp/support/string_ref.h"

 // this file is not supported by the gBMC unit test framework,
 // but it is supported by the bitbake firmware builds
 #include <gpowerd_build_config.h>

 #include "grpcpp/security/tls_certificate_verifier.h"
 #include "absl/log/log.h"

 // This header does not exist in the gBMC unit test framework ut environment
 #include "security/zatar/loas3_validation/validation/validation.h"

 namespace auth {

 using ::grpc::experimental::ExternalCertificateVerifier;
 using ::grpc::experimental::TlsCustomVerificationCheckRequest;

 static inline void SetupLoas3() {
   LOG(INFO) << "Setting up LOAS3";
   security::SetCertificateAuthorityPolicyFilePath(
       "/var/google/loas3/policy.pb");
 }

 static std::vector<absl::string_view> ToStringViewVector(
     absl::Span<const grpc::string_ref> string_refs) {
   std::vector<absl::string_view> strs(string_refs.size());
   for (size_t i = 0; i < string_refs.size(); ++i) {
     strs[i] = absl::string_view(string_refs[i].data(), string_refs[i].size());
   }
   return strs;
 }

 class PeerVerifier : public ExternalCertificateVerifier {
  public:
   PeerVerifier() = default;
   ~PeerVerifier() override = default;
   bool Verify([[maybe_unused]] TlsCustomVerificationCheckRequest* request,
               std::function<void(grpc::Status)>,
               grpc::Status* sync_status) override {
     std::vector<absl::string_view> peer_uri_names =
         ToStringViewVector(request->uri_names());
     std::vector<absl::string_view> peer_dns_names =
         ToStringViewVector(request->dns_names());
     absl::Status status =
         security::ValidatePeer(peer_uri_names, peer_dns_names,
                                request->verified_root_cert_subject().data());
     if (!status.ok()) {
       *sync_status = grpc::Status(
           grpc::StatusCode::PERMISSION_DENIED,
           // This is from Federation policy check
           absl::StrCat("From Federation policy check: ", status.message()));
       LOG(ERROR) << status.message() << std::endl;
     }
     return true;
   }
   void Cancel(TlsCustomVerificationCheckRequest*) override {}
 };

 }  // namespace auth

 #endif  // LOAS3_AUTH

 #endif  // PRODUCTION_SUSHID_SAFEPOWER_AGENT_BMC_AUTH_LOAS3_H_
	#ifndef PRODUCTION_SUSHID_SAFEPOWER_AGENT_BMC_AUTH_LOAS3_H_
	#define PRODUCTION_SUSHID_SAFEPOWER_AGENT_BMC_AUTH_LOAS3_H_

	// THIS FILE IS NOT SUPPORTED BY THE gbmc-docker UT ENVIRONMENT
	#include "absl/types/span.h"
	#ifdef LOAS3_AUTH

	#include <cstddef>
	#include <functional>
	#include <ostream>
	#include <vector>

	#include "absl/strings/str_cat.h"
	#include "absl/strings/string_view.h"
	#include "grpcpp/support/status.h"
	#include "grpcpp/support/string_ref.h"

	// this file is not supported by the gBMC unit test framework,
	// but it is supported by the bitbake firmware builds
	#include <gpowerd_build_config.h>

	#include "grpcpp/security/tls_certificate_verifier.h"
	#include "absl/log/log.h"

	// This header does not exist in the gBMC unit test framework ut environment
	#include "security/zatar/loas3_validation/validation/validation.h"

	namespace auth {

	using ::grpc::experimental::ExternalCertificateVerifier;
	using ::grpc::experimental::TlsCustomVerificationCheckRequest;

	static inline void SetupLoas3() {
	LOG(INFO) << "Setting up LOAS3";
	security::SetCertificateAuthorityPolicyFilePath(
	"/var/google/loas3/policy.pb");
	}

	static std::vector<absl::string_view> ToStringViewVector(
	absl::Span<const grpc::string_ref> string_refs) {
	std::vector<absl::string_view> strs(string_refs.size());
	for (size_t i = 0; i < string_refs.size(); ++i) {
	strs[i] = absl::string_view(string_refs[i].data(), string_refs[i].size());
	}
	return strs;
	}

	class PeerVerifier : public ExternalCertificateVerifier {
	public:
	PeerVerifier() = default;
	~PeerVerifier() override = default;
	bool Verify([[maybe_unused]] TlsCustomVerificationCheckRequest* request,
	std::function<void(grpc::Status)>,
	grpc::Status* sync_status) override {
	std::vector<absl::string_view> peer_uri_names =
	ToStringViewVector(request->uri_names());
	std::vector<absl::string_view> peer_dns_names =
	ToStringViewVector(request->dns_names());
	absl::Status status =
	security::ValidatePeer(peer_uri_names, peer_dns_names,
	request->verified_root_cert_subject().data());
	if (!status.ok()) {
	*sync_status = grpc::Status(
	grpc::StatusCode::PERMISSION_DENIED,
	// This is from Federation policy check
	absl::StrCat("From Federation policy check: ", status.message()));
	LOG(ERROR) << status.message() << std::endl;
	}
	return true;
	}
	void Cancel(TlsCustomVerificationCheckRequest*) override {}
	};

	} // namespace auth

	#endif // LOAS3_AUTH

	#endif // PRODUCTION_SUSHID_SAFEPOWER_AGENT_BMC_AUTH_LOAS3_H_