credentials: create API for transport security level information

[yihuazhang]

This PR does the following:

1. Define a tri-state security level (SecurityNone, IntegrityOnly and PrivacyAndIntegrity) indicating the protection level of an established channel.
2. Create ConnAuthInfo type struct that is a wrapper of credentials.AuthInfo and also contains the security level of an established channel. Existing TransportCredentials implementations are modified to return ConnAuthInfo upon finishing the handshake.
3. Associate a security level to each credentials.PerRPCCredentials implementations (JWT, Oauth2).
4. Enforce the security level check when attempting to send PerRPCCredentials on a channel. For backward-compatibility we sill preserve the original checking behavior (i.e., using RequreTransportSecurity()).

[yihuazhang]

Friendly ping :)

[dfawley]

Please make sure travis is green. From the error it seems like gofmt wasn't run on grpclb_test. You can run vet.sh locally before pushing updates. (I'd recommend running via VET_SKIP_PROTO=1 vet.sh to skip some slower checks that shouldn't affect you.)

[jiangtaoli2016]

Overall looks good. One question:

In clientconn.go, it checks if any PerRPCCredentials require transport security, and fails early.
Do we also want to check SecurityLevel there as well?

[jiangtaoli2016]

ShouldCheckSecurityLevel maybe a better name?

[yihuazhang]

Hi Jiangtao, we decided not to do a centralized check, but let each PerRPCCredentials to implement its own check in GetRequestMetadata().

[yihuazhang]

@dfawley The PR is updated per our off-line discussion. Could you please take a look?

[dfawley]

Nit: SecurityLevel SecurityLevel. IMO "Level" by itself is not distinct enough.

[yihuazhang]

@dfawley The comment is addressed. PTAL. Also, the failed tests do not seem to relate to my PR.

[dfawley]

Please use table-style tests:

testCases := []struct{
  authLevel SecurityLevel
  testLevel SecurityLevel
  want      bool
}{{
   authLevel: PrivacyAndIntegrity,
   testLevel: PrivacyAndIntegrity,
   want: true
 }, {
   authLevel: IntegrityOnly,
   testLevel: PrivacyAndIntegrity,
   want: false
 }
....
}

for _, tc := range testCases {
  // make testAuthInfo, call CheckSecurityLevel, check result
}

This doesn't have to be exhaustive, but should check a few different cases.

[dfawley]

My mistake: s/CommonInfo/CommonAuthInfo/g please. CommonInfo() doesn't seem sufficient.

[yihuazhang]

Done.

[yihuazhang]

Per our offline discussion, the name is changed to commonAuthInfo()

[yihuazhang]

Thanks Doug for the comments and I am currently working on addressing them. I will let you know once it's ready.

[yihuazhang]

All comments are addressed, PTAL. @dfawley

[dfawley]

Sorry, bad suggestion on my part. I think it will make sense to allow users to access this in an AuthInfo, if present. GetCommonAuthInfo should be fine. It seems the accessor-style name is unavoidable here.

[yihuazhang]

No worries. Renaming is done in the next commit.

[dfawley]

fmt.Sprintf("invalid SecurityLevel: %v", int(s))

[yihuazhang]

Done in the next commit.

[dfawley]

Throughout: please don't use "channel". gRPC-Go does not use that term. You can use "connection" for an individual connection or "ClientConn" for a grpc.ClientConn connected to potentially many backends.

[yihuazhang]

Done in the next commit.

[yihuazhang]

All comments are addressed (again :) PTAL.

[dfawley]

FYI: travis is red:

+misspell -error .
credentials/credentials.go:189:114: "compatability" is a misspelling of "compatibility"

[dfawley]

A few more small things, then I think this should be good to go.

[dfawley]

s/resulted//.

[yihuazhang]

Done.

[dfawley]

Hmmmm.. ideally this would show more information, namely the SecurityLevel of the connection.

CheckSecurityLevel could return an error instead of bool to facilitate this.

Maybe something like fmt.Errorf("requires SecurityLevel %v; connection has %v", requiredLevel, hasLevel)? And this can wrap: fmt.Errorf("unable to transfer TokenSource PerRPCCredentials: %v", err)?

[yihuazhang]

Good point. CheckSecurityLevel now returns error instead of bool, and more complete error messages are printed in oauth.go.

[dfawley]

I think the only real way to get here is if ctx does not contain a RequestInfo (i.e. it was called with the wrong context). I would say "unable to obtain SecurityLevel from context".

[yihuazhang]

Done.

[yihuazhang]

Thanks much @dfawley for detailed reviews!

[yihuazhang]

@dfawley Do you have any other comments on the PR?

[dfawley]

Please add "experimental" comments on SecurityLevel and CommonAuthInfo, otherwise LGTM.