Adding a way to inject a request ID (#1046)

* Adding a way to inject a request ID

It is very useful to associate a request ID to each incoming request,
this change allows to provide a function to do that via Server Option.
The change comes with a default function which will generate a new
request ID. The request ID is put in the request context along with a
common logger which always logs the request-id

We add gRPC interceptors to the server so it can get the request ID out
of the gRPC metadata and put it in the common logger stored in the
context so as all the log lines using the common logger from the context
will have the request ID logged

vendor/github.com/grpc-ecosystem/go-grpc-middleware/auth/DOC.md

@@ -0,0 +1,148 @@
+# grpc_auth
+`import "github.com/grpc-ecosystem/go-grpc-middleware/auth"`
+
+* [Overview](#pkg-overview)
+* [Imported Packages](#pkg-imports)
+* [Index](#pkg-index)
+* [Examples](#pkg-examples)
+
+## <a name="pkg-overview">Overview</a>
+`grpc_auth` a generic server-side auth middleware for gRPC.
+
+### Server Side Auth Middleware
+It allows for easy assertion of `:authorization` headers in gRPC calls, be it HTTP Basic auth, or
+OAuth2 Bearer tokens.
+
+The middleware takes a user-customizable `AuthFunc`, which can be customized to verify and extract
+auth information from the request. The extracted information can be put in the `context.Context` of
+handlers downstream for retrieval.
+
+It also allows for per-service implementation overrides of `AuthFunc`. See `ServiceAuthFuncOverride`.
+
+Please see examples for simple examples of use.
+
+#### Example:
+
+<details>
+<summary>Click to expand code.</summary>
+
+```go
+package grpc_auth_test
+
+import (
+    "github.com/grpc-ecosystem/go-grpc-middleware/auth"
+    "github.com/grpc-ecosystem/go-grpc-middleware/tags"
+    "golang.org/x/net/context"
+    "google.golang.org/grpc"
+    "google.golang.org/grpc/codes"
+)
+
+var (
+    cc *grpc.ClientConn
+)
+
+func parseToken(token string) (struct{}, error) {
+    return struct{}{}, nil
+}
+
+func userClaimFromToken(struct{}) string {
+    return "foobar"
+}
+
+// Simple example of server initialization code.
+func Example_serverConfig() {
+    exampleAuthFunc := func(ctx context.Context) (context.Context, error) {
+        token, err := grpc_auth.AuthFromMD(ctx, "bearer")
+        if err != nil {
+            return nil, err
+        }
+        tokenInfo, err := parseToken(token)
+        if err != nil {
+            return nil, grpc.Errorf(codes.Unauthenticated, "invalid auth token: %v", err)
+        }
+        grpc_ctxtags.Extract(ctx).Set("auth.sub", userClaimFromToken(tokenInfo))
+        newCtx := context.WithValue(ctx, "tokenInfo", tokenInfo)
+        return newCtx, nil
+    }
+
+    _ = grpc.NewServer(
+        grpc.StreamInterceptor(grpc_auth.StreamServerInterceptor(exampleAuthFunc)),
+        grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(exampleAuthFunc)),
+    )
+}
+```
+
+</details>
+
+## <a name="pkg-imports">Imported Packages</a>
+
+- [github.com/grpc-ecosystem/go-grpc-middleware](./..)
+- [github.com/grpc-ecosystem/go-grpc-middleware/util/metautils](./../util/metautils)
+- [golang.org/x/net/context](https://godoc.org/golang.org/x/net/context)
+- [google.golang.org/grpc](https://godoc.org/google.golang.org/grpc)
+- [google.golang.org/grpc/codes](https://godoc.org/google.golang.org/grpc/codes)
+
+## <a name="pkg-index">Index</a>
+* [func AuthFromMD(ctx context.Context, expectedScheme string) (string, error)](#AuthFromMD)
+* [func StreamServerInterceptor(authFunc AuthFunc) grpc.StreamServerInterceptor](#StreamServerInterceptor)
+* [func UnaryServerInterceptor(authFunc AuthFunc) grpc.UnaryServerInterceptor](#UnaryServerInterceptor)
+* [type AuthFunc](#AuthFunc)
+* [type ServiceAuthFuncOverride](#ServiceAuthFuncOverride)
+
+#### <a name="pkg-examples">Examples</a>
+* [Package (ServerConfig)](#example__serverConfig)
+
+#### <a name="pkg-files">Package files</a>
+[auth.go](./auth.go) [doc.go](./doc.go) [metadata.go](./metadata.go) 
+
+## <a name="AuthFromMD">func</a> [AuthFromMD](./metadata.go#L24)
+``` go
+func AuthFromMD(ctx context.Context, expectedScheme string) (string, error)
+```
+AuthFromMD is a helper function for extracting the :authorization header from the gRPC metadata of the request.
+
+It expects the `:authorization` header to be of a certain scheme (e.g. `basic`, `bearer`), in a
+case-insensitive format (see rfc2617, sec 1.2). If no such authorization is found, or the token
+is of wrong scheme, an error with gRPC status `Unauthenticated` is returned.
+
+## <a name="StreamServerInterceptor">func</a> [StreamServerInterceptor](./auth.go#L51)
+``` go
+func StreamServerInterceptor(authFunc AuthFunc) grpc.StreamServerInterceptor
+```
+StreamServerInterceptor returns a new unary server interceptors that performs per-request auth.
+
+## <a name="UnaryServerInterceptor">func</a> [UnaryServerInterceptor](./auth.go#L34)
+``` go
+func UnaryServerInterceptor(authFunc AuthFunc) grpc.UnaryServerInterceptor
+```
+UnaryServerInterceptor returns a new unary server interceptors that performs per-request auth.
+
+## <a name="AuthFunc">type</a> [AuthFunc](./auth.go#L23)
+``` go
+type AuthFunc func(ctx context.Context) (context.Context, error)
+```
+AuthFunc is the pluggable function that performs authentication.
+
+The passed in `Context` will contain the gRPC metadata.MD object (for header-based authentication) and
+the peer.Peer information that can contain transport-based credentials (e.g. `credentials.AuthInfo`).
+
+The returned context will be propagated to handlers, allowing user changes to `Context`. However,
+please make sure that the `Context` returned is a child `Context` of the one passed in.
+
+If error is returned, its `grpc.Code()` will be returned to the user as well as the verbatim message.
+Please make sure you use `codes.Unauthenticated` (lacking auth) and `codes.PermissionDenied`
+(authed, but lacking perms) appropriately.
+
+## <a name="ServiceAuthFuncOverride">type</a> [ServiceAuthFuncOverride](./auth.go#L29-L31)
+``` go
+type ServiceAuthFuncOverride interface {
+    AuthFuncOverride(ctx context.Context, fullMethodName string) (context.Context, error)
+}
+```
+ServiceAuthFuncOverride allows a given gRPC service implementation to override the global `AuthFunc`.
+
+If a service implements the AuthFuncOverride method, it takes precedence over the `AuthFunc` method,
+and will be called instead of AuthFunc for all method invocations within that service.
+
+- - -
+Generated by [godoc2ghmd](https://github.com/GandalfUK/godoc2ghmd)

vendor/github.com/grpc-ecosystem/go-grpc-middleware/auth/README.md

@@ -0,0 +1 @@
+DOC.md

vendor/github.com/grpc-ecosystem/go-grpc-middleware/auth/auth.go

@@ -0,0 +1,67 @@
+// Copyright 2016 Michal Witkowski. All Rights Reserved.
+// See LICENSE for licensing terms.
+
+package grpc_auth
+
+import (
+	"github.com/grpc-ecosystem/go-grpc-middleware"
+	"golang.org/x/net/context"
+	"google.golang.org/grpc"
+)
+
+// AuthFunc is the pluggable function that performs authentication.
+//
+// The passed in `Context` will contain the gRPC metadata.MD object (for header-based authentication) and
+// the peer.Peer information that can contain transport-based credentials (e.g. `credentials.AuthInfo`).
+//
+// The returned context will be propagated to handlers, allowing user changes to `Context`. However,
+// please make sure that the `Context` returned is a child `Context` of the one passed in.
+//
+// If error is returned, its `grpc.Code()` will be returned to the user as well as the verbatim message.
+// Please make sure you use `codes.Unauthenticated` (lacking auth) and `codes.PermissionDenied`
+// (authed, but lacking perms) appropriately.
+type AuthFunc func(ctx context.Context) (context.Context, error)
+
+// ServiceAuthFuncOverride allows a given gRPC service implementation to override the global `AuthFunc`.
+//
+// If a service implements the AuthFuncOverride method, it takes precedence over the `AuthFunc` method,
+// and will be called instead of AuthFunc for all method invocations within that service.
+type ServiceAuthFuncOverride interface {
+	AuthFuncOverride(ctx context.Context, fullMethodName string) (context.Context, error)
+}
+
+// UnaryServerInterceptor returns a new unary server interceptors that performs per-request auth.
+func UnaryServerInterceptor(authFunc AuthFunc) grpc.UnaryServerInterceptor {
+	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+		var newCtx context.Context
+		var err error
+		if overrideSrv, ok := info.Server.(ServiceAuthFuncOverride); ok {
+			newCtx, err = overrideSrv.AuthFuncOverride(ctx, info.FullMethod)
+		} else {
+			newCtx, err = authFunc(ctx)
+		}
+		if err != nil {
+			return nil, err
+		}
+		return handler(newCtx, req)
+	}
+}
+
+// StreamServerInterceptor returns a new unary server interceptors that performs per-request auth.
+func StreamServerInterceptor(authFunc AuthFunc) grpc.StreamServerInterceptor {
+	return func(srv interface{}, stream grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
+		var newCtx context.Context
+		var err error
+		if overrideSrv, ok := srv.(ServiceAuthFuncOverride); ok {
+			newCtx, err = overrideSrv.AuthFuncOverride(stream.Context(), info.FullMethod)
+		} else {
+			newCtx, err = authFunc(stream.Context())
+		}
+		if err != nil {
+			return err
+		}
+		wrapped := grpc_middleware.WrapServerStream(stream)
+		wrapped.WrappedContext = newCtx
+		return handler(srv, wrapped)
+	}
+}

vendor/github.com/grpc-ecosystem/go-grpc-middleware/auth/auth_test.go

@@ -0,0 +1,206 @@
+// Copyright 2016 Michal Witkowski. All Rights Reserved.
+// See LICENSE for licensing terms.
+
+package grpc_auth_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/suite"
+	"google.golang.org/grpc"
+
+	"fmt"
+
+	"time"
+
+	"github.com/grpc-ecosystem/go-grpc-middleware/auth"
+	"github.com/grpc-ecosystem/go-grpc-middleware/testing"
+	pb_testproto "github.com/grpc-ecosystem/go-grpc-middleware/testing/testproto"
+	"github.com/grpc-ecosystem/go-grpc-middleware/util/metautils"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/net/context"
+	"golang.org/x/oauth2"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials/oauth"
+	"google.golang.org/grpc/metadata"
+)
+
+var (
+	commonAuthToken   = "some_good_token"
+	overrideAuthToken = "override_token"
+
+	authedMarker = "some_context_marker"
+	goodPing     = &pb_testproto.PingRequest{Value: "something", SleepTimeMs: 9999}
+)
+
+// TODO(mwitkow): Add auth from metadata client dialer, which requires TLS.
+
+func buildDummyAuthFunction(expectedScheme string, expectedToken string) func(ctx context.Context) (context.Context, error) {
+	return func(ctx context.Context) (context.Context, error) {
+		token, err := grpc_auth.AuthFromMD(ctx, expectedScheme)
+		if err != nil {
+			return nil, err
+		}
+		if token != expectedToken {
+			return nil, grpc.Errorf(codes.PermissionDenied, "buildDummyAuthFunction bad token")
+		}
+		return context.WithValue(ctx, authedMarker, "marker_exists"), nil
+	}
+}
+
+func assertAuthMarkerExists(t *testing.T, ctx context.Context) {
+	assert.Equal(t, "marker_exists", ctx.Value(authedMarker).(string), "auth marker from buildDummyAuthFunction must be passed around")
+}
+
+type assertingPingService struct {
+	pb_testproto.TestServiceServer
+	T *testing.T
+}
+
+func (s *assertingPingService) PingError(ctx context.Context, ping *pb_testproto.PingRequest) (*pb_testproto.Empty, error) {
+	assertAuthMarkerExists(s.T, ctx)
+	return s.TestServiceServer.PingError(ctx, ping)
+}
+
+func (s *assertingPingService) PingList(ping *pb_testproto.PingRequest, stream pb_testproto.TestService_PingListServer) error {
+	assertAuthMarkerExists(s.T, stream.Context())
+	return s.TestServiceServer.PingList(ping, stream)
+}
+
+func ctxWithToken(ctx context.Context, scheme string, token string) context.Context {
+	md := metadata.Pairs("authorization", fmt.Sprintf("%s %v", scheme, token))
+	nCtx := metautils.NiceMD(md).ToOutgoing(ctx)
+	return nCtx
+}
+
+func TestAuthTestSuite(t *testing.T) {
+	authFunc := buildDummyAuthFunction("bearer", commonAuthToken)
+	s := &AuthTestSuite{
+		InterceptorTestSuite: &grpc_testing.InterceptorTestSuite{
+			TestService: &assertingPingService{&grpc_testing.TestPingService{T: t}, t},
+			ServerOpts: []grpc.ServerOption{
+				grpc.StreamInterceptor(grpc_auth.StreamServerInterceptor(authFunc)),
+				grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(authFunc)),
+			},
+		},
+	}
+	suite.Run(t, s)
+}
+
+type AuthTestSuite struct {
+	*grpc_testing.InterceptorTestSuite
+}
+
+func (s *AuthTestSuite) TestUnary_NoAuth() {
+	_, err := s.Client.Ping(s.SimpleCtx(), goodPing)
+	assert.Error(s.T(), err, "there must be an error")
+	assert.Equal(s.T(), codes.Unauthenticated, grpc.Code(err), "must error with unauthenticated")
+}
+
+func (s *AuthTestSuite) TestUnary_BadAuth() {
+	_, err := s.Client.Ping(ctxWithToken(s.SimpleCtx(), "bearer", "bad_token"), goodPing)
+	assert.Error(s.T(), err, "there must be an error")
+	assert.Equal(s.T(), codes.PermissionDenied, grpc.Code(err), "must error with permission denied")
+}
+
+func (s *AuthTestSuite) TestUnary_PassesAuth() {
+	_, err := s.Client.Ping(ctxWithToken(s.SimpleCtx(), "bearer", commonAuthToken), goodPing)
+	require.NoError(s.T(), err, "no error must occur")
+}
+
+func (s *AuthTestSuite) TestUnary_PassesWithPerRpcCredentials() {
+	grpcCreds := oauth.TokenSource{TokenSource: &fakeOAuth2TokenSource{accessToken: commonAuthToken}}
+	client := s.NewClient(grpc.WithPerRPCCredentials(grpcCreds))
+	_, err := client.Ping(s.SimpleCtx(), goodPing)
+	require.NoError(s.T(), err, "no error must occur")
+}
+
+func (s *AuthTestSuite) TestStream_NoAuth() {
+	stream, err := s.Client.PingList(s.SimpleCtx(), goodPing)
+	require.NoError(s.T(), err, "should not fail on establishing the stream")
+	_, err = stream.Recv()
+	assert.Error(s.T(), err, "there must be an error")
+	assert.Equal(s.T(), codes.Unauthenticated, grpc.Code(err), "must error with unauthenticated")
+}
+
+func (s *AuthTestSuite) TestStream_BadAuth() {
+	stream, err := s.Client.PingList(ctxWithToken(s.SimpleCtx(), "bearer", "bad_token"), goodPing)
+	require.NoError(s.T(), err, "should not fail on establishing the stream")
+	_, err = stream.Recv()
+	assert.Error(s.T(), err, "there must be an error")
+	assert.Equal(s.T(), codes.PermissionDenied, grpc.Code(err), "must error with permission denied")
+}
+
+func (s *AuthTestSuite) TestStream_PassesAuth() {
+	stream, err := s.Client.PingList(ctxWithToken(s.SimpleCtx(), "Bearer", commonAuthToken), goodPing)
+	require.NoError(s.T(), err, "should not fail on establishing the stream")
+	pong, err := stream.Recv()
+	require.NoError(s.T(), err, "no error must occur")
+	require.NotNil(s.T(), pong, "pong must not be nil")
+}
+
+func (s *AuthTestSuite) TestStream_PassesWithPerRpcCredentials() {
+	grpcCreds := oauth.TokenSource{TokenSource: &fakeOAuth2TokenSource{accessToken: commonAuthToken}}
+	client := s.NewClient(grpc.WithPerRPCCredentials(grpcCreds))
+	stream, err := client.PingList(s.SimpleCtx(), goodPing)
+	require.NoError(s.T(), err, "should not fail on establishing the stream")
+	pong, err := stream.Recv()
+	require.NoError(s.T(), err, "no error must occur")
+	require.NotNil(s.T(), pong, "pong must not be nil")
+}
+
+type authOverrideTestService struct {
+	pb_testproto.TestServiceServer
+	T *testing.T
+}
+
+func (s *authOverrideTestService) AuthFuncOverride(ctx context.Context, fullMethodName string) (context.Context, error) {
+	assert.NotEmpty(s.T, fullMethodName, "method name of caller is passed around")
+	return buildDummyAuthFunction("bearer", overrideAuthToken)(ctx)
+}
+
+func TestAuthOverrideTestSuite(t *testing.T) {
+	authFunc := buildDummyAuthFunction("bearer", commonAuthToken)
+	s := &AuthOverrideTestSuite{
+		InterceptorTestSuite: &grpc_testing.InterceptorTestSuite{
+			TestService: &authOverrideTestService{&assertingPingService{&grpc_testing.TestPingService{T: t}, t}, t},
+			ServerOpts: []grpc.ServerOption{
+				grpc.StreamInterceptor(grpc_auth.StreamServerInterceptor(authFunc)),
+				grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(authFunc)),
+			},
+		},
+	}
+	suite.Run(t, s)
+}
+
+type AuthOverrideTestSuite struct {
+	*grpc_testing.InterceptorTestSuite
+}
+
+func (s *AuthOverrideTestSuite) TestUnary_PassesAuth() {
+	_, err := s.Client.Ping(ctxWithToken(s.SimpleCtx(), "bearer", overrideAuthToken), goodPing)
+	require.NoError(s.T(), err, "no error must occur")
+}
+
+func (s *AuthOverrideTestSuite) TestStream_PassesAuth() {
+	stream, err := s.Client.PingList(ctxWithToken(s.SimpleCtx(), "Bearer", overrideAuthToken), goodPing)
+	require.NoError(s.T(), err, "should not fail on establishing the stream")
+	pong, err := stream.Recv()
+	require.NoError(s.T(), err, "no error must occur")
+	require.NotNil(s.T(), pong, "pong must not be nil")
+}
+
+// fakeOAuth2TokenSource implements a fake oauth2.TokenSource for the purpose of credentials test.
+type fakeOAuth2TokenSource struct {
+	accessToken string
+}
+
+func (ts *fakeOAuth2TokenSource) Token() (*oauth2.Token, error) {
+	t := &oauth2.Token{
+		AccessToken: ts.accessToken,
+		Expiry:      time.Now().Add(1 * time.Minute),
+		TokenType:   "bearer",
+	}
+	return t, nil
+}

vendor/github.com/grpc-ecosystem/go-grpc-middleware/auth/doc.go

@@ -0,0 +1,20 @@
+// Copyright 2016 Michal Witkowski. All Rights Reserved.
+// See LICENSE for licensing terms.
+
+/*
+`grpc_auth` a generic server-side auth middleware for gRPC.
+
+Server Side Auth Middleware
+
+It allows for easy assertion of `:authorization` headers in gRPC calls, be it HTTP Basic auth, or
+OAuth2 Bearer tokens.
+
+The middleware takes a user-customizable `AuthFunc`, which can be customized to verify and extract
+auth information from the request. The extracted information can be put in the `context.Context` of
+handlers downstream for retrieval.
+
+It also allows for per-service implementation overrides of `AuthFunc`. See `ServiceAuthFuncOverride`.
+
+Please see examples for simple examples of use.
+*/
+package grpc_auth

vendor/github.com/grpc-ecosystem/go-grpc-middleware/auth/examples_test.go

@@ -0,0 +1,43 @@
+package grpc_auth_test
+
+import (
+	"github.com/grpc-ecosystem/go-grpc-middleware/auth"
+	"github.com/grpc-ecosystem/go-grpc-middleware/tags"
+	"golang.org/x/net/context"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+)
+
+var (
+	cc *grpc.ClientConn
+)
+
+func parseToken(token string) (struct{}, error) {
+	return struct{}{}, nil
+}
+
+func userClaimFromToken(struct{}) string {
+	return "foobar"
+}
+
+// Simple example of server initialization code.
+func Example_serverConfig() {
+	exampleAuthFunc := func(ctx context.Context) (context.Context, error) {
+		token, err := grpc_auth.AuthFromMD(ctx, "bearer")
+		if err != nil {
+			return nil, err
+		}
+		tokenInfo, err := parseToken(token)
+		if err != nil {
+			return nil, grpc.Errorf(codes.Unauthenticated, "invalid auth token: %v", err)
+		}
+		grpc_ctxtags.Extract(ctx).Set("auth.sub", userClaimFromToken(tokenInfo))
+		newCtx := context.WithValue(ctx, "tokenInfo", tokenInfo)
+		return newCtx, nil
+	}
+
+	_ = grpc.NewServer(
+		grpc.StreamInterceptor(grpc_auth.StreamServerInterceptor(exampleAuthFunc)),
+		grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(exampleAuthFunc)),
+	)
+}

vendor/github.com/grpc-ecosystem/go-grpc-middleware/auth/metadata.go

@@ -0,0 +1,38 @@
+// Copyright 2016 Michal Witkowski. All Rights Reserved.
+// See LICENSE for licensing terms.
+
+package grpc_auth
+
+import (
+	"strings"
+
+	"github.com/grpc-ecosystem/go-grpc-middleware/util/metautils"
+	"golang.org/x/net/context"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+)
+
+var (
+	headerAuthorize = "authorization"
+)
+
+// AuthFromMD is a helper function for extracting the :authorization header from the gRPC metadata of the request.
+//
+// It expects the `:authorization` header to be of a certain scheme (e.g. `basic`, `bearer`), in a
+// case-insensitive format (see rfc2617, sec 1.2). If no such authorization is found, or the token
+// is of wrong scheme, an error with gRPC status `Unauthenticated` is returned.
+func AuthFromMD(ctx context.Context, expectedScheme string) (string, error) {
+	val := metautils.ExtractIncoming(ctx).Get(headerAuthorize)
+	if val == "" {
+		return "", grpc.Errorf(codes.Unauthenticated, "Request unauthenticated with "+expectedScheme)
+
+	}
+	splits := strings.SplitN(val, " ", 2)
+	if len(splits) < 2 {
+		return "", grpc.Errorf(codes.Unauthenticated, "Bad authorization string")
+	}
+	if strings.ToLower(splits[0]) != strings.ToLower(expectedScheme) {
+		return "", grpc.Errorf(codes.Unauthenticated, "Request unauthenticated with "+expectedScheme)
+	}
+	return splits[1], nil
+}

vendor/github.com/grpc-ecosystem/go-grpc-middleware/auth/metadata_test.go

@@ -0,0 +1,74 @@
+// Copyright 2016 Michal Witkowski. All Rights Reserved.
+// See LICENSE for licensing terms.
+
+package grpc_auth
+
+import (
+	"testing"
+
+	"github.com/grpc-ecosystem/go-grpc-middleware/util/metautils"
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/net/context"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+)
+
+func TestAuthFromMD(t *testing.T) {
+	for _, run := range []struct {
+		md      metadata.MD
+		value   string
+		errCode codes.Code
+		msg     string
+	}{
+		{
+			md:    metadata.Pairs("authorization", "bearer some_token"),
+			value: "some_token",
+			msg:   "must extract simple bearer tokens without case checking",
+		},
+		{
+			md:    metadata.Pairs("authorization", "Bearer some_token"),
+			value: "some_token",
+			msg:   "must extract simple bearer tokens with case checking",
+		},
+		{
+			md:    metadata.Pairs("authorization", "Bearer some multi string bearer"),
+			value: "some multi string bearer",
+			msg:   "must handle string based bearers",
+		},
+		{
+			md:      metadata.Pairs("authorization", "Basic login:passwd"),
+			value:   "",
+			errCode: codes.Unauthenticated,
+			msg:     "must check authentication type",
+		},
+		{
+			md:      metadata.Pairs("authorization", "Basic login:passwd", "authorization", "bearer some_token"),
+			value:   "",
+			errCode: codes.Unauthenticated,
+			msg:     "must not allow multiple authentication methods",
+		},
+		{
+			md:      metadata.Pairs("authorization", ""),
+			value:   "",
+			errCode: codes.Unauthenticated,
+			msg:     "authorization string must not be empty",
+		},
+		{
+			md:      metadata.Pairs("authorization", "Bearer"),
+			value:   "",
+			errCode: codes.Unauthenticated,
+			msg:     "bearer token must not be empty",
+		},
+	} {
+		ctx := metautils.NiceMD(run.md).ToIncoming(context.TODO())
+		out, err := AuthFromMD(ctx, "bearer")
+		if run.errCode != codes.OK {
+			assert.Equal(t, run.errCode, grpc.Code(err), run.msg)
+		} else {
+			assert.NoError(t, err, run.msg)
+		}
+		assert.Equal(t, run.value, out, run.msg)
+	}
+
+}