
Because ttrpc can be used with abstract sockets, it is critical to ensure that only certain users can connect to the unix socket. This is of particular interest in the primary use case of containerd, where a shim may run as root and any user can connect.

With this, we get a few nice features. The first is the concept of a `Handshaker` that allows one to intercept each connection and replace it with one of their own. This enables credential checks and other measures, such as TLS. The second is that servers now support configuration. This allows one to inject a handshaker for each connection. Other options will be added in the future.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
25 lines
808 B
Go
package ttrpc

import (
	"context"
	"net"
)

// Handshaker defines the interface for connection handshakes performed on the
// server or client when first connecting.
type Handshaker interface {
	// Handshake should confirm or decorate a connection that may be incoming
	// to a server or outgoing from a client.
	//
	// If this returns without an error, the caller should use the connection
	// in place of the original connection.
	//
	// The second return value can contain credential specific data, such as
	// unix socket credentials or TLS information.
	//
	// While we currently only have implementations on the server-side, this
	// interface should be sufficient to implement similar handshakes on the
	// client-side.
	Handshake(ctx context.Context, conn net.Conn) (net.Conn, interface{}, error)
}
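Review bot: the Handshake doc comment does not say who owns conn when an error is returned, so the accept path calling it cannot know whether it must close the original connection or whether the implementation already did; add one sentence fixing that contract (for example "on error the caller is responsible for closing conn"). The comment also lists TLS as a use case but says nothing about ctx, and a handshake that blocks reading from conn will otherwise hang its caller when the peer never speaks; state that implementations must honour ctx cancellation and deadlines. Finally, since the second return value is an untyped interface{}, document the concrete types callers should expect (unix credentials, TLS connection state) so consumers can type-assert them safely.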