TlsCredentials: Comparator implementation (#28940)

* TlsCredentials: Comparator implementation

* Update tests

* Redundant namespace qualifiers

* clang-tidy

* Reviewer comments

* Reviewer comments

* Reviewer comments

* Reviewer comments

* Reviewer comments

* Add generator for grpc_tls_credentials_options.h

* Generator script modifications for tests

* Sanity

* Reviewer comments

* Reviewer comments

* Add a common place to look-up known types

* Formatting

* Script fix

* Reviewer comments

* Add test mode to script

* Add to sanitize.sh

* clang-tidy

* Fix

* Fix

* Reviewer comments

* Clang-format
Yash Tibrewal 3 years ago committed by GitHub
parent 3e5a5bba59
commit 01f333a1c1
  1. 2
      .gitattributes
  2. 3
      BUILD
  3. 42
      CMakeLists.txt
  4. 6
      Makefile
  5. 21
      build_autogenerated.yaml
  6. 2
      gRPC-C++.podspec
  7. 2
      gRPC-Core.podspec
  8. 1
      grpc.gemspec
  9. 6
      grpc.gyp
  10. 1
      package.xml
  11. 2
      src/core/ext/filters/client_channel/lb_policy/xds/cds.cc
  12. 3
      src/core/ext/transport/chttp2/client/chttp2_connector.cc
  13. 3
      src/core/ext/transport/chttp2/server/chttp2_server.cc
  14. 8
      src/core/ext/xds/certificate_provider_store.cc
  15. 9
      src/core/ext/xds/certificate_provider_store.h
  16. 2
      src/core/ext/xds/xds_certificate_provider.cc
  17. 8
      src/core/ext/xds/xds_certificate_provider.h
  18. 3
      src/core/ext/xds/xds_server_config_fetcher.cc
  19. 5
      src/core/lib/http/httpcli_security_connector.cc
  20. 11
      src/core/lib/security/credentials/alts/alts_credentials.cc
  21. 4
      src/core/lib/security/credentials/alts/alts_credentials.h
  22. 19
      src/core/lib/security/credentials/composite/composite_credentials.cc
  23. 13
      src/core/lib/security/credentials/composite/composite_credentials.h
  24. 45
      src/core/lib/security/credentials/credentials.h
  25. 16
      src/core/lib/security/credentials/fake/fake_credentials.cc
  26. 9
      src/core/lib/security/credentials/fake/fake_credentials.h
  27. 4
      src/core/lib/security/credentials/google_default/google_default_credentials.cc
  28. 6
      src/core/lib/security/credentials/google_default/google_default_credentials.h
  29. 5
      src/core/lib/security/credentials/iam/iam_credentials.cc
  30. 4
      src/core/lib/security/credentials/iam/iam_credentials.h
  31. 51
      src/core/lib/security/credentials/insecure/insecure_credentials.cc
  32. 57
      src/core/lib/security/credentials/insecure/insecure_credentials.h
  33. 6
      src/core/lib/security/credentials/jwt/jwt_credentials.cc
  34. 4
      src/core/lib/security/credentials/jwt/jwt_credentials.h
  35. 12
      src/core/lib/security/credentials/local/local_credentials.cc
  36. 4
      src/core/lib/security/credentials/local/local_credentials.h
  37. 16
      src/core/lib/security/credentials/oauth2/oauth2_credentials.cc
  38. 8
      src/core/lib/security/credentials/oauth2/oauth2_credentials.h
  39. 4
      src/core/lib/security/credentials/plugin/plugin_credentials.cc
  40. 2
      src/core/lib/security/credentials/plugin/plugin_credentials.h
  41. 10
      src/core/lib/security/credentials/ssl/ssl_credentials.cc
  42. 8
      src/core/lib/security/credentials/ssl/ssl_credentials.h
  43. 49
      src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h
  44. 8
      src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc
  45. 45
      src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h
  46. 161
      src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h
  47. 15
      src/core/lib/security/credentials/tls/tls_credentials.cc
  48. 10
      src/core/lib/security/credentials/tls/tls_credentials.h
  49. 98
      src/core/lib/security/credentials/xds/xds_credentials.cc
  50. 36
      src/core/lib/security/credentials/xds/xds_credentials.h
  51. 13
      test/core/security/BUILD
  52. 106
      test/core/security/credentials_test.cc
  53. 40
      test/core/security/grpc_tls_certificate_verifier_test.cc
  54. 175
      test/core/security/grpc_tls_credentials_options_comparator_test.cc
  55. 15
      test/core/security/tls_security_connector_test.cc
  56. 23
      test/core/security/xds_credentials_test.cc
  57. 9
      test/core/xds/certificate_provider_store_test.cc
  58. 18
      test/cpp/end2end/xds/xds_end2end_test.cc
  59. 394
      tools/codegen/core/gen_grpc_tls_credentials_options.py
  60. 1
      tools/distrib/sanitize.sh
  61. 2
      tools/dockerfile/grpc_clang_format/clang_format_all_the_things.sh
  62. 1
      tools/doxygen/Doxyfile.c++.internal
  63. 1
      tools/doxygen/Doxyfile.core.internal
  64. 24
      tools/run_tests/generated/tests.json
  65. 1
      tools/run_tests/sanity/sanity_tests.yaml

2
.gitattributes vendored

@ -20,6 +20,7 @@ src/python/grpcio/grpc_core_dependencies.py linguist-generated=true
src/ruby/ext/grpc/rb_grpc_imports.generated.h linguist-generated=true
src/ruby/ext/grpc/rb_grpc_imports.generated.c linguist-generated=true
test/core/end2end/end2end_tests.cc linguist-generated=true
test/core/security/grpc_tls_credentials_options_comparator_test.cc linguist-generated=true
test/core/surface/public_headers_must_be_c89.c linguist-generated=true
tools/doxygen/Doxyfile.c++.internal linguist-generated=true
tools/doxygen/Doxyfile.core.internal linguist-generated=true
@ -27,5 +28,6 @@ tools/run_tests/sources_and_headers.json linguist-generated=true
tools/run_tests/tests.json linguist-generated=true
tools/run_tests/generated/tests.json linguist-generated=true
tools/run_tests/generated/sources_and_headers.json linguist-generated=true
src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h linguist-generated=true
src/core/lib/transport/static_metadata.h linguist-generated=true
src/core/lib/transport/static_metadata.cc linguist-generated=true

@ -3797,6 +3797,7 @@ grpc_cc_library(
"src/core/lib/security/security_connector/insecure/insecure_security_connector.cc",
],
hdrs = [
"src/core/lib/security/credentials/insecure/insecure_credentials.h",
"src/core/lib/security/security_connector/insecure/insecure_security_connector.h",
],
language = "c++",
@ -4627,6 +4628,7 @@ grpc_cc_library(
"gpr_base",
"grpc_base",
"grpc_client_channel",
"grpc_insecure_credentials",
"grpc_resolver",
"grpc_security_base",
"grpc_transport_chttp2",
@ -4655,6 +4657,7 @@ grpc_cc_library(
"grpc_base",
"grpc_codegen",
"grpc_http_filters",
"grpc_insecure_credentials",
"grpc_security_base",
"grpc_transport_chttp2",
"memory_quota",

42
CMakeLists.txt generated

@ -875,6 +875,7 @@ if(gRPC_BUILD_TESTS)
add_dependencies(buildtests_cxx grpc_tls_certificate_distributor_test)
add_dependencies(buildtests_cxx grpc_tls_certificate_provider_test)
add_dependencies(buildtests_cxx grpc_tls_certificate_verifier_test)
add_dependencies(buildtests_cxx grpc_tls_credentials_options_comparator_test)
add_dependencies(buildtests_cxx grpc_tls_credentials_options_test)
if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_POSIX)
add_dependencies(buildtests_cxx grpc_tool_test)
@ -2621,9 +2622,11 @@ add_library(grpc_unsecure
src/core/lib/security/credentials/composite/composite_credentials.cc
src/core/lib/security/credentials/credentials.cc
src/core/lib/security/credentials/fake/fake_credentials.cc
src/core/lib/security/credentials/insecure/insecure_credentials.cc
src/core/lib/security/credentials/plugin/plugin_credentials.cc
src/core/lib/security/credentials/tls/tls_utils.cc
src/core/lib/security/security_connector/fake/fake_security_connector.cc
src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
src/core/lib/security/security_connector/load_system_roots_fallback.cc
src/core/lib/security/security_connector/load_system_roots_linux.cc
src/core/lib/security/security_connector/security_connector.cc
@ -2677,6 +2680,7 @@ add_library(grpc_unsecure
src/core/plugin_registry/grpc_plugin_registry.cc
src/core/plugin_registry/grpc_plugin_registry_noextra.cc
src/core/tsi/fake_transport_security.cc
src/core/tsi/local_transport_security.cc
src/core/tsi/transport_security.cc
src/core/tsi/transport_security_grpc.cc
)
@ -3524,9 +3528,6 @@ target_link_libraries(grpc++_test_util
endif()
add_library(grpc++_unsecure
src/core/lib/security/credentials/insecure/insecure_credentials.cc
src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
src/core/tsi/local_transport_security.cc
src/cpp/client/channel_cc.cc
src/cpp/client/client_callback.cc
src/cpp/client/client_context.cc
@ -11307,6 +11308,41 @@ target_link_libraries(grpc_tls_certificate_verifier_test
)
endif()
if(gRPC_BUILD_TESTS)
add_executable(grpc_tls_credentials_options_comparator_test
test/core/security/grpc_tls_credentials_options_comparator_test.cc
third_party/googletest/googletest/src/gtest-all.cc
third_party/googletest/googlemock/src/gmock-all.cc
)
target_include_directories(grpc_tls_credentials_options_comparator_test
PRIVATE
${CMAKE_CURRENT_SOURCE_DIR}
${CMAKE_CURRENT_SOURCE_DIR}/include
${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
${_gRPC_RE2_INCLUDE_DIR}
${_gRPC_SSL_INCLUDE_DIR}
${_gRPC_UPB_GENERATED_DIR}
${_gRPC_UPB_GRPC_GENERATED_DIR}
${_gRPC_UPB_INCLUDE_DIR}
${_gRPC_XXHASH_INCLUDE_DIR}
${_gRPC_ZLIB_INCLUDE_DIR}
third_party/googletest/googletest/include
third_party/googletest/googletest
third_party/googletest/googlemock/include
third_party/googletest/googlemock
${_gRPC_PROTO_GENS_DIR}
)
target_link_libraries(grpc_tls_credentials_options_comparator_test
${_gRPC_PROTOBUF_LIBRARIES}
${_gRPC_ALLTARGETS_LIBRARIES}
grpc_test_util
)
endif()
if(gRPC_BUILD_TESTS)

6
Makefile generated

@ -2056,9 +2056,11 @@ LIBGRPC_UNSECURE_SRC = \
src/core/lib/security/credentials/composite/composite_credentials.cc \
src/core/lib/security/credentials/credentials.cc \
src/core/lib/security/credentials/fake/fake_credentials.cc \
src/core/lib/security/credentials/insecure/insecure_credentials.cc \
src/core/lib/security/credentials/plugin/plugin_credentials.cc \
src/core/lib/security/credentials/tls/tls_utils.cc \
src/core/lib/security/security_connector/fake/fake_security_connector.cc \
src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \
src/core/lib/security/security_connector/load_system_roots_fallback.cc \
src/core/lib/security/security_connector/load_system_roots_linux.cc \
src/core/lib/security/security_connector/security_connector.cc \
@ -2112,6 +2114,7 @@ LIBGRPC_UNSECURE_SRC = \
src/core/plugin_registry/grpc_plugin_registry.cc \
src/core/plugin_registry/grpc_plugin_registry_noextra.cc \
src/core/tsi/fake_transport_security.cc \
src/core/tsi/local_transport_security.cc \
src/core/tsi/transport_security.cc \
src/core/tsi/transport_security_grpc.cc \
@ -3139,7 +3142,6 @@ src/core/lib/security/credentials/external/url_external_account_credentials.cc:
src/core/lib/security/credentials/google_default/credentials_generic.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/google_default/google_default_credentials.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/iam/iam_credentials.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/insecure/insecure_credentials.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/jwt/json_token.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/jwt/jwt_credentials.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/jwt/jwt_verifier.cc: $(OPENSSL_DEP)
@ -3153,7 +3155,6 @@ src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc: $(OPENSSL
src/core/lib/security/credentials/tls/tls_credentials.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/xds/xds_credentials.cc: $(OPENSSL_DEP)
src/core/lib/security/security_connector/alts/alts_security_connector.cc: $(OPENSSL_DEP)
src/core/lib/security/security_connector/insecure/insecure_security_connector.cc: $(OPENSSL_DEP)
src/core/lib/security/security_connector/local/local_security_connector.cc: $(OPENSSL_DEP)
src/core/lib/security/security_connector/ssl/ssl_security_connector.cc: $(OPENSSL_DEP)
src/core/lib/security/security_connector/ssl_utils.cc: $(OPENSSL_DEP)
@ -3179,7 +3180,6 @@ src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_privacy_integrity_record_p
src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.cc: $(OPENSSL_DEP)
src/core/tsi/alts/zero_copy_frame_protector/alts_iovec_record_protocol.cc: $(OPENSSL_DEP)
src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc: $(OPENSSL_DEP)
src/core/tsi/local_transport_security.cc: $(OPENSSL_DEP)
src/core/tsi/ssl/key_logging/ssl_key_logging.cc: $(OPENSSL_DEP)
src/core/tsi/ssl/session_cache/ssl_session_boringssl.cc: $(OPENSSL_DEP)
src/core/tsi/ssl/session_cache/ssl_session_cache.cc: $(OPENSSL_DEP)

@ -868,6 +868,7 @@ libs:
- src/core/lib/security/credentials/fake/fake_credentials.h
- src/core/lib/security/credentials/google_default/google_default_credentials.h
- src/core/lib/security/credentials/iam/iam_credentials.h
- src/core/lib/security/credentials/insecure/insecure_credentials.h
- src/core/lib/security/credentials/jwt/json_token.h
- src/core/lib/security/credentials/jwt/jwt_credentials.h
- src/core/lib/security/credentials/jwt/jwt_verifier.h
@ -2034,9 +2035,11 @@ libs:
- src/core/lib/security/credentials/composite/composite_credentials.h
- src/core/lib/security/credentials/credentials.h
- src/core/lib/security/credentials/fake/fake_credentials.h
- src/core/lib/security/credentials/insecure/insecure_credentials.h
- src/core/lib/security/credentials/plugin/plugin_credentials.h
- src/core/lib/security/credentials/tls/tls_utils.h
- src/core/lib/security/security_connector/fake/fake_security_connector.h
- src/core/lib/security/security_connector/insecure/insecure_security_connector.h
- src/core/lib/security/security_connector/load_system_roots.h
- src/core/lib/security/security_connector/load_system_roots_linux.h
- src/core/lib/security/security_connector/security_connector.h
@ -2085,6 +2088,7 @@ libs:
- src/core/lib/transport/transport_impl.h
- src/core/lib/uri/uri_parser.h
- src/core/tsi/fake_transport_security.h
- src/core/tsi/local_transport_security.h
- src/core/tsi/transport_security.h
- src/core/tsi/transport_security_grpc.h
- src/core/tsi/transport_security_interface.h
@ -2340,9 +2344,11 @@ libs:
- src/core/lib/security/credentials/composite/composite_credentials.cc
- src/core/lib/security/credentials/credentials.cc
- src/core/lib/security/credentials/fake/fake_credentials.cc
- src/core/lib/security/credentials/insecure/insecure_credentials.cc
- src/core/lib/security/credentials/plugin/plugin_credentials.cc
- src/core/lib/security/credentials/tls/tls_utils.cc
- src/core/lib/security/security_connector/fake/fake_security_connector.cc
- src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
- src/core/lib/security/security_connector/load_system_roots_fallback.cc
- src/core/lib/security/security_connector/load_system_roots_linux.cc
- src/core/lib/security/security_connector/security_connector.cc
@ -2396,6 +2402,7 @@ libs:
- src/core/plugin_registry/grpc_plugin_registry.cc
- src/core/plugin_registry/grpc_plugin_registry_noextra.cc
- src/core/tsi/fake_transport_security.cc
- src/core/tsi/local_transport_security.cc
- src/core/tsi/transport_security.cc
- src/core/tsi/transport_security_grpc.cc
deps:
@ -3007,8 +3014,6 @@ libs:
- include/grpcpp/support/time.h
- include/grpcpp/support/validate_service_config.h
headers:
- src/core/lib/security/security_connector/insecure/insecure_security_connector.h
- src/core/tsi/local_transport_security.h
- src/cpp/client/create_channel_internal.h
- src/cpp/common/channel_filter.h
- src/cpp/server/dynamic_thread_pool.h
@ -3017,9 +3022,6 @@ libs:
- src/cpp/server/thread_pool_interface.h
- src/cpp/thread_manager/thread_manager.h
src:
- src/core/lib/security/credentials/insecure/insecure_credentials.cc
- src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
- src/core/tsi/local_transport_security.cc
- src/cpp/client/channel_cc.cc
- src/cpp/client/client_callback.cc
- src/cpp/client/client_context.cc
@ -5995,6 +5997,15 @@ targets:
- test/core/security/grpc_tls_certificate_verifier_test.cc
deps:
- grpc_test_util
- name: grpc_tls_credentials_options_comparator_test
gtest: true
build: test
language: c++
headers: []
src:
- test/core/security/grpc_tls_credentials_options_comparator_test.cc
deps:
- grpc_test_util
- name: grpc_tls_credentials_options_test
gtest: true
build: test

2
gRPC-C++.podspec generated

@ -836,6 +836,7 @@ Pod::Spec.new do |s|
'src/core/lib/security/credentials/fake/fake_credentials.h',
'src/core/lib/security/credentials/google_default/google_default_credentials.h',
'src/core/lib/security/credentials/iam/iam_credentials.h',
'src/core/lib/security/credentials/insecure/insecure_credentials.h',
'src/core/lib/security/credentials/jwt/json_token.h',
'src/core/lib/security/credentials/jwt/jwt_credentials.h',
'src/core/lib/security/credentials/jwt/jwt_verifier.h',
@ -1643,6 +1644,7 @@ Pod::Spec.new do |s|
'src/core/lib/security/credentials/fake/fake_credentials.h',
'src/core/lib/security/credentials/google_default/google_default_credentials.h',
'src/core/lib/security/credentials/iam/iam_credentials.h',
'src/core/lib/security/credentials/insecure/insecure_credentials.h',
'src/core/lib/security/credentials/jwt/json_token.h',
'src/core/lib/security/credentials/jwt/jwt_credentials.h',
'src/core/lib/security/credentials/jwt/jwt_verifier.h',

2
gRPC-Core.podspec generated

@ -1380,6 +1380,7 @@ Pod::Spec.new do |s|
'src/core/lib/security/credentials/iam/iam_credentials.cc',
'src/core/lib/security/credentials/iam/iam_credentials.h',
'src/core/lib/security/credentials/insecure/insecure_credentials.cc',
'src/core/lib/security/credentials/insecure/insecure_credentials.h',
'src/core/lib/security/credentials/jwt/json_token.cc',
'src/core/lib/security/credentials/jwt/json_token.h',
'src/core/lib/security/credentials/jwt/jwt_credentials.cc',
@ -2243,6 +2244,7 @@ Pod::Spec.new do |s|
'src/core/lib/security/credentials/fake/fake_credentials.h',
'src/core/lib/security/credentials/google_default/google_default_credentials.h',
'src/core/lib/security/credentials/iam/iam_credentials.h',
'src/core/lib/security/credentials/insecure/insecure_credentials.h',
'src/core/lib/security/credentials/jwt/json_token.h',
'src/core/lib/security/credentials/jwt/jwt_credentials.h',
'src/core/lib/security/credentials/jwt/jwt_verifier.h',

1
grpc.gemspec generated

@ -1299,6 +1299,7 @@ Gem::Specification.new do |s|
s.files += %w( src/core/lib/security/credentials/iam/iam_credentials.cc )
s.files += %w( src/core/lib/security/credentials/iam/iam_credentials.h )
s.files += %w( src/core/lib/security/credentials/insecure/insecure_credentials.cc )
s.files += %w( src/core/lib/security/credentials/insecure/insecure_credentials.h )
s.files += %w( src/core/lib/security/credentials/jwt/json_token.cc )
s.files += %w( src/core/lib/security/credentials/jwt/json_token.h )
s.files += %w( src/core/lib/security/credentials/jwt/jwt_credentials.cc )

6
grpc.gyp generated

@ -1375,9 +1375,11 @@
'src/core/lib/security/credentials/composite/composite_credentials.cc',
'src/core/lib/security/credentials/credentials.cc',
'src/core/lib/security/credentials/fake/fake_credentials.cc',
'src/core/lib/security/credentials/insecure/insecure_credentials.cc',
'src/core/lib/security/credentials/plugin/plugin_credentials.cc',
'src/core/lib/security/credentials/tls/tls_utils.cc',
'src/core/lib/security/security_connector/fake/fake_security_connector.cc',
'src/core/lib/security/security_connector/insecure/insecure_security_connector.cc',
'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
'src/core/lib/security/security_connector/load_system_roots_linux.cc',
'src/core/lib/security/security_connector/security_connector.cc',
@ -1431,6 +1433,7 @@
'src/core/plugin_registry/grpc_plugin_registry.cc',
'src/core/plugin_registry/grpc_plugin_registry_noextra.cc',
'src/core/tsi/fake_transport_security.cc',
'src/core/tsi/local_transport_security.cc',
'src/core/tsi/transport_security.cc',
'src/core/tsi/transport_security_grpc.cc',
],
@ -1609,9 +1612,6 @@
'grpc_unsecure',
],
'sources': [
'src/core/lib/security/credentials/insecure/insecure_credentials.cc',
'src/core/lib/security/security_connector/insecure/insecure_security_connector.cc',
'src/core/tsi/local_transport_security.cc',
'src/cpp/client/channel_cc.cc',
'src/cpp/client/client_callback.cc',
'src/cpp/client/client_context.cc',

1
package.xml generated

@ -1279,6 +1279,7 @@
<file baseinstalldir="/" name="src/core/lib/security/credentials/iam/iam_credentials.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/iam/iam_credentials.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/insecure/insecure_credentials.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/insecure/insecure_credentials.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/jwt/json_token.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/jwt/json_token.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/jwt/jwt_credentials.cc" role="src" />

@ -523,7 +523,7 @@ grpc_error_handle CdsLb::UpdateXdsCertificateProvider(
grpc_channel_credentials* channel_credentials =
grpc_channel_credentials_find_in_args(args_);
if (channel_credentials == nullptr ||
channel_credentials->type() != kCredentialsTypeXds) {
channel_credentials->type() != XdsCredentials::Type()) {
xds_certificate_provider_ = nullptr;
return GRPC_ERROR_NONE;
}

@ -41,6 +41,7 @@
#include "src/core/lib/resolver/resolver_registry.h"
#include "src/core/lib/resource_quota/api.h"
#include "src/core/lib/security/credentials/credentials.h"
#include "src/core/lib/security/credentials/insecure/insecure_credentials.h"
#include "src/core/lib/security/security_connector/security_connector.h"
#include "src/core/lib/slice/slice_internal.h"
#include "src/core/lib/surface/api_trace.h"
@ -438,7 +439,7 @@ grpc_channel* grpc_channel_create_from_fd(const char* target, int fd,
(target, fd, creds, args));
// For now, we only support insecure channel credentials.
if (creds == nullptr ||
strcmp(creds->type(), GRPC_CREDENTIALS_TYPE_INSECURE) != 0) {
creds->type() != grpc_core::InsecureServerCredentials::Type()) {
return grpc_lame_client_channel_create(
target, GRPC_STATUS_INTERNAL,
"Failed to create client channel due to invalid creds");
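Review bot: The client-side check in grpc_channel_create_from_fd now compares `creds->type()` against `grpc_core::InsecureServerCredentials::Type()`, yet `creds` here is a channel credentials object, so the comparison presumably belongs against the channel-side insecure type (`grpc_core::InsecureCredentials::Type()`, if that is how insecure_credentials.h names it — that header is not in view). If the server and channel variants return distinct pointers, every insecure client channel created from an fd is turned into a lame channel by this condition; if they happen to share one pointer it works by accident and still reads wrong. The server-side counterpart in chttp2_server.cc compares against the server type, which is the correct pairing there. Note also that replacing strcmp with pointer equality makes this check depend on every implementation returning one static string instance, which is the contract the base-class comment in credentials.h spells out. grpc_channel_create_from_fd's body continues outside the hunk.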

@ -55,6 +55,7 @@
#include "src/core/lib/resource_quota/memory_quota.h"
#include "src/core/lib/security/context/security_context.h"
#include "src/core/lib/security/credentials/credentials.h"
#include "src/core/lib/security/credentials/insecure/insecure_credentials.h"
#include "src/core/lib/slice/slice_internal.h"
#include "src/core/lib/surface/api_trace.h"
#include "src/core/lib/surface/server.h"
@ -1059,7 +1060,7 @@ void grpc_server_add_channel_from_fd(grpc_server* server, int fd,
grpc_server_credentials* creds) {
// For now, we only support insecure server credentials
if (creds == nullptr ||
strcmp(creds->type(), GRPC_CREDENTIALS_TYPE_INSECURE) != 0) {
creds->type() != grpc_core::InsecureServerCredentials::Type()) {
gpr_log(GPR_ERROR, "Failed to create channel due to invalid creds");
return;
}

@ -24,6 +24,14 @@
namespace grpc_core {
//
// CertificateProviderStore::CertificateProviderWrapper
//
const char* CertificateProviderStore::CertificateProviderWrapper::type() const {
return "Wrapper";
}
// If a certificate provider is created, the CertificateProviderStore
// maintains a raw pointer to the created CertificateProviderWrapper so that
// future calls to `CreateOrGetCertificateProvider()` with the same key result
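Review bot: `CertificateProviderWrapper::type()` returns the bare literal `"Wrapper"`, and because callers in this commit identify implementations by comparing the returned pointer (cds.cc, chttp2_connector.cc, xds_server_config_fetcher.cc), a comparison done from another translation unit against its own `"Wrapper"` literal is not guaranteed to match — identical string literals are only optionally merged by the toolchain. The safer shape is the one grpc_composite_call_credentials uses in composite_credentials.h: a `static const char* Type()` that owns the literal plus `const char* type() const override { return Type(); }`, so there is exactly one address to compare against and a way to obtain it without an instance. The same applies to the literal-returning `type()` overrides added in xds_certificate_provider.cc, httpcli_security_connector.cc, alts_credentials.cc (where the client and server classes each return their own `"Alts"` literal) and `grpc_composite_channel_credentials::type()` in composite_credentials.cc. A one-line comment on the override, `// Identity is the pointer value; compare with ==, never strcmp.`, would keep the next maintainer from reintroducing string comparison.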

@ -83,6 +83,15 @@ class CertificateProviderStore
return certificate_provider_->interested_parties();
}
int CompareImpl(const grpc_tls_certificate_provider* other) const override {
// TODO(yashykt): This should probably delegate to the `Compare` method of
// the wrapped certificate_provider_ object.
return QsortCompare(
static_cast<const grpc_tls_certificate_provider*>(this), other);
}
const char* type() const override;
absl::string_view key() const { return key_; }
private:
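Review bot: `CompareImpl` orders wrappers by object address via `QsortCompare(this, other)`, so two wrappers around the same underlying provider compare unequal even though they behave identically; the TODO acknowledges the shortcut but not whether it is safe. From the comment in certificate_provider_store.cc this appears to rely on the store handing out a single wrapper per key, in which case that invariant is what makes address comparison correct and the TODO should say so, e.g. `// Address comparison is sound only because the store dedups wrappers by key.`. The same address-based `CompareImpl` is added to XdsCertificateProvider in xds_certificate_provider.h, where no such dedup invariant is visible in the hunk, so if the comparator feeds anything that reuses channels or subchannels on equal credentials, equivalent xDS providers will never be treated as equal. The enclosing class starts before the hunk.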

@ -263,6 +263,8 @@ XdsCertificateProvider::~XdsCertificateProvider() {
distributor_->SetWatchStatusCallback(nullptr);
}
const char* XdsCertificateProvider::type() const { return "Xds"; }
bool XdsCertificateProvider::ProvidesRootCerts(const std::string& cert_name) {
MutexLock lock(&mu_);
auto it = certificate_state_map_.find(cert_name);

@ -39,6 +39,8 @@ class XdsCertificateProvider : public grpc_tls_certificate_provider {
return distributor_;
}
const char* type() const override;
bool ProvidesRootCerts(const std::string& cert_name);
void UpdateRootCertNameAndDistributor(
const std::string& cert_name, absl::string_view root_cert_name,
@ -124,6 +126,12 @@ class XdsCertificateProvider : public grpc_tls_certificate_provider {
bool require_client_certificate_ = false;
};
int CompareImpl(const grpc_tls_certificate_provider* other) const override {
// TODO(yashykt): Maybe do something better here.
return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
other);
}
void WatchStatusCallback(std::string cert_name, bool root_being_watched,
bool identity_being_watched);

@ -1051,7 +1051,8 @@ absl::StatusOr<grpc_channel_args*> XdsServerConfigFetcher::ListenerWatcher::
// Add XdsCertificateProvider if credentials are xDS.
grpc_server_credentials* server_creds =
grpc_find_server_credentials_in_args(args);
if (server_creds != nullptr && server_creds->type() == kCredentialsTypeXds) {
if (server_creds != nullptr &&
server_creds->type() == XdsServerCredentials::Type()) {
absl::StatusOr<RefCountedPtr<XdsCertificateProvider>> result =
CreateOrGetXdsCertificateProviderFromFilterChainData(filter_chain);
if (!result.ok()) {

@ -152,9 +152,6 @@ httpcli_ssl_channel_security_connector_create(
class HttpRequestSSLCredentials : public grpc_channel_credentials {
public:
HttpRequestSSLCredentials() : grpc_channel_credentials("HttpRequestSSL") {}
~HttpRequestSSLCredentials() override {}
RefCountedPtr<grpc_channel_security_connector> create_security_connector(
RefCountedPtr<grpc_call_credentials> /*call_creds*/, const char* target,
const grpc_channel_args* args,
@ -184,6 +181,8 @@ class HttpRequestSSLCredentials : public grpc_channel_credentials {
return args;
}
const char* type() const override { return "HttpRequestSSL"; }
private:
int cmp_impl(const grpc_channel_credentials* /* other */) const override {
// There's no differentiating factor between two HttpRequestSSLCredentials

@ -30,14 +30,12 @@
#include "src/core/lib/security/credentials/alts/check_gcp_environment.h"
#include "src/core/lib/security/security_connector/alts/alts_security_connector.h"
#define GRPC_CREDENTIALS_TYPE_ALTS "Alts"
#define GRPC_ALTS_HANDSHAKER_SERVICE_URL "metadata.google.internal.:8080"
grpc_alts_credentials::grpc_alts_credentials(
const grpc_alts_credentials_options* options,
const char* handshaker_service_url)
: grpc_channel_credentials(GRPC_CREDENTIALS_TYPE_ALTS),
options_(grpc_alts_credentials_options_copy(options)),
: options_(grpc_alts_credentials_options_copy(options)),
handshaker_service_url_(handshaker_service_url == nullptr
? gpr_strdup(GRPC_ALTS_HANDSHAKER_SERVICE_URL)
: gpr_strdup(handshaker_service_url)) {
@ -58,11 +56,12 @@ grpc_alts_credentials::create_security_connector(
this->Ref(), std::move(call_creds), target_name);
}
const char* grpc_alts_credentials::type() const { return "Alts"; }
grpc_alts_server_credentials::grpc_alts_server_credentials(
const grpc_alts_credentials_options* options,
const char* handshaker_service_url)
: grpc_server_credentials(GRPC_CREDENTIALS_TYPE_ALTS),
options_(grpc_alts_credentials_options_copy(options)),
: options_(grpc_alts_credentials_options_copy(options)),
handshaker_service_url_(handshaker_service_url == nullptr
? gpr_strdup(GRPC_ALTS_HANDSHAKER_SERVICE_URL)
: gpr_strdup(handshaker_service_url)) {
@ -80,6 +79,8 @@ grpc_alts_server_credentials::~grpc_alts_server_credentials() {
gpr_free(handshaker_service_url_);
}
const char* grpc_alts_server_credentials::type() const { return "Alts"; }
grpc_channel_credentials* grpc_alts_credentials_create_customized(
const grpc_alts_credentials_options* options,
const char* handshaker_service_url, bool enable_untrusted_alts) {

@ -39,6 +39,8 @@ class grpc_alts_credentials final : public grpc_channel_credentials {
const char* target_name, const grpc_channel_args* args,
grpc_channel_args** new_args) override;
const char* type() const override;
const grpc_alts_credentials_options* options() const { return options_; }
grpc_alts_credentials_options* mutable_options() { return options_; }
const char* handshaker_service_url() const { return handshaker_service_url_; }
@ -64,6 +66,8 @@ class grpc_alts_server_credentials final : public grpc_server_credentials {
grpc_core::RefCountedPtr<grpc_server_security_connector>
create_security_connector(const grpc_channel_args* /* args */) override;
const char* type() const override;
const grpc_alts_credentials_options* options() const { return options_; }
grpc_alts_credentials_options* mutable_options() { return options_; }
const char* handshaker_service_url() const { return handshaker_service_url_; }

@ -37,9 +37,13 @@
#include "src/core/lib/surface/api_trace.h"
#include "src/core/lib/transport/transport.h"
namespace grpc_core {
const char kCredentialsTypeComposite[] = "composite";
} // namespace grpc_core
//
// grpc_composite_channel_credentials
//
const char* grpc_composite_channel_credentials::type() const {
return "Composite";
}
/* -- Composite call credentials. -- */
@ -56,6 +60,8 @@ grpc_composite_call_credentials::GetRequestMetadata(
});
}
const char* grpc_composite_call_credentials::Type() { return "Composite"; }
std::string grpc_composite_call_credentials::debug_string() {
std::vector<std::string> outputs;
for (auto& inner_cred : inner_) {
@ -89,12 +95,11 @@ void grpc_composite_call_credentials::push_to_inner(
grpc_composite_call_credentials::grpc_composite_call_credentials(
grpc_core::RefCountedPtr<grpc_call_credentials> creds1,
grpc_core::RefCountedPtr<grpc_call_credentials> creds2)
: grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE) {
grpc_core::RefCountedPtr<grpc_call_credentials> creds2) {
const bool creds1_is_composite =
strcmp(creds1->type(), GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE) == 0;
creds1->type() == grpc_composite_call_credentials::Type();
const bool creds2_is_composite =
strcmp(creds2->type(), GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE) == 0;
creds2->type() == grpc_composite_call_credentials::Type();
const size_t size = get_creds_array_size(creds1.get(), creds1_is_composite) +
get_creds_array_size(creds2.get(), creds2_is_composite);
inner_.reserve(size);

@ -30,17 +30,12 @@
/* -- Composite channel credentials. -- */
namespace grpc_core {
extern const char kCredentialsTypeComposite[];
}
class grpc_composite_channel_credentials : public grpc_channel_credentials {
public:
grpc_composite_channel_credentials(
grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
grpc_core::RefCountedPtr<grpc_call_credentials> call_creds)
: grpc_channel_credentials(grpc_core::kCredentialsTypeComposite),
inner_creds_(std::move(channel_creds)),
: inner_creds_(std::move(channel_creds)),
call_creds_(std::move(call_creds)) {}
~grpc_composite_channel_credentials() override = default;
@ -60,6 +55,8 @@ class grpc_composite_channel_credentials : public grpc_channel_credentials {
return inner_creds_->update_arguments(args);
}
const char* type() const override;
const grpc_channel_credentials* inner_creds() const {
return inner_creds_.get();
}
@ -101,6 +98,10 @@ class grpc_composite_call_credentials : public grpc_call_credentials {
const CallCredentialsList& inner() const { return inner_; }
std::string debug_string() override;
static const char* Type();
const char* type() const override { return Type(); }
private:
int cmp_impl(const grpc_call_credentials* other) const override {
// TODO(yashykt): Check if we can do something better here

@ -48,17 +48,6 @@ typedef enum {
#define GRPC_FAKE_TRANSPORT_SECURITY_TYPE "fake"
#define GRPC_CHANNEL_CREDENTIALS_TYPE_SSL "Ssl"
#define GRPC_CHANNEL_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY \
"FakeTransportSecurity"
#define GRPC_CHANNEL_CREDENTIALS_TYPE_GOOGLE_DEFAULT "GoogleDefault"
#define GRPC_CREDENTIALS_TYPE_INSECURE "insecure"
#define GRPC_CALL_CREDENTIALS_TYPE_OAUTH2 "Oauth2"
#define GRPC_CALL_CREDENTIALS_TYPE_JWT "Jwt"
#define GRPC_CALL_CREDENTIALS_TYPE_IAM "Iam"
#define GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE "Composite"
#define GRPC_AUTHORIZATION_METADATA_KEY "authorization"
#define GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY \
"x-goog-iam-authorization-token"
@ -103,13 +92,6 @@ void grpc_override_well_known_credentials_path_getter(
struct grpc_channel_credentials
: grpc_core::RefCounted<grpc_channel_credentials> {
public:
// The pointer value \a type is used to uniquely identify a creds
// implementation for down-casting purposes. Every creds implementation should
// use a unique string instance, which should be returned by all instances of
// that creds implementation.
explicit grpc_channel_credentials(const char* type) : type_(type) {}
~grpc_channel_credentials() override = default;
// Creates a security connector for the channel. May also create new channel
// args for the channel to be used in place of the passed in const args if
// returned non NULL. In that case the caller is responsible for destroying
@ -154,14 +136,16 @@ struct grpc_channel_credentials
return cmp_impl(other);
}
const char* type() const { return type_; }
// The pointer value \a type is used to uniquely identify a creds
// implementation for down-casting purposes. Every creds implementation should
// use a unique string instance, which should be returned by all instances of
// that creds implementation.
virtual const char* type() const = 0;
private:
// Implementation for `cmp` method intended to be overridden by subclasses.
// Only invoked if `type()` and `other->type()` compare equal as strings.
// Only invoked if `type()` and `other->type()` point to the same string.
virtual int cmp_impl(const grpc_channel_credentials* other) const = 0;
const char* type_;
};
// TODO(roth): Once we eliminate insecure builds, find a better way to
@ -209,9 +193,8 @@ struct grpc_call_credentials
// use a unique string instance, which should be returned by all instances of
// that creds implementation.
explicit grpc_call_credentials(
const char* type,
grpc_security_level min_security_level = GRPC_PRIVACY_AND_INTEGRITY)
: type_(type), min_security_level_(min_security_level) {}
: min_security_level_(min_security_level) {}
~grpc_call_credentials() override = default;
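Review bot: The two context lines directly above the constructor (`// use a unique string instance, which should be returned by all instances of` / `// that creds implementation.`) are the tail of a comment describing a `type` parameter that the constructor no longer takes once `const char* type` is removed. The grpc_channel_credentials hunk above deletes its counterpart together with the parameter, and the same four-line comment is re-added further down above `virtual const char* type() const = 0;`, so this copy is now stale and should be deleted. The comment's first two lines sit outside the hunk.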
@ -240,14 +223,17 @@ struct grpc_call_credentials
return "grpc_call_credentials did not provide debug string";
}
const char* type() const { return type_; }
// The pointer value \a type is used to uniquely identify a creds
// implementation for down-casting purposes. Every creds implementation should
// use a unique string instance, which should be returned by all instances of
// that creds implementation.
virtual const char* type() const = 0;
private:
// Implementation for `cmp` method intended to be overridden by subclasses.
// Only invoked if `type()` and `other->type()` compare equal as strings.
// Only invoked if `type()` and `other->type()` point to the same string.
virtual int cmp_impl(const grpc_call_credentials* other) const = 0;
const char* type_;
const grpc_security_level min_security_level_;
};
@ -264,15 +250,13 @@ grpc_call_credentials* grpc_md_only_test_credentials_create(
struct grpc_server_credentials
: public grpc_core::RefCounted<grpc_server_credentials> {
public:
explicit grpc_server_credentials(const char* type) : type_(type) {}
~grpc_server_credentials() override { DestroyProcessor(); }
// Ownership of \a args is not passed.
virtual grpc_core::RefCountedPtr<grpc_server_security_connector>
create_security_connector(const grpc_channel_args* args) = 0;
const char* type() const { return type_; }
virtual const char* type() const = 0;
const grpc_auth_metadata_processor& auth_metadata_processor() const {
return processor_;
@ -287,7 +271,6 @@ struct grpc_server_credentials
}
}
const char* type_;
grpc_auth_metadata_processor processor_ =
grpc_auth_metadata_processor(); // Zero-initialize the C struct.
};

@ -37,11 +37,6 @@
namespace {
class grpc_fake_channel_credentials final : public grpc_channel_credentials {
public:
grpc_fake_channel_credentials()
: grpc_channel_credentials(
GRPC_CHANNEL_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY) {}
~grpc_fake_channel_credentials() override = default;
grpc_core::RefCountedPtr<grpc_channel_security_connector>
create_security_connector(
grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
@ -51,6 +46,8 @@ class grpc_fake_channel_credentials final : public grpc_channel_credentials {
this->Ref(), std::move(call_creds), target, args);
}
const char* type() const override { return "Fake"; }
private:
int cmp_impl(const grpc_channel_credentials* other) const override {
// TODO(yashykt): Check if we can do something better here
@ -61,15 +58,12 @@ class grpc_fake_channel_credentials final : public grpc_channel_credentials {
class grpc_fake_server_credentials final : public grpc_server_credentials {
public:
grpc_fake_server_credentials()
: grpc_server_credentials(
GRPC_CHANNEL_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY) {}
~grpc_fake_server_credentials() override = default;
grpc_core::RefCountedPtr<grpc_server_security_connector>
create_security_connector(const grpc_channel_args* /*args*/) override {
return grpc_fake_server_security_connector_create(this->Ref());
}
const char* type() const override { return "Fake"; }
};
} // namespace
@ -107,6 +101,8 @@ grpc_md_only_test_credentials::GetRequestMetadata(
return grpc_core::Immediate(std::move(initial_metadata));
}
const char* grpc_md_only_test_credentials::Type() { return "MdOnlyTest"; }
grpc_call_credentials* grpc_md_only_test_credentials_create(
const char* md_key, const char* md_value) {
return new grpc_md_only_test_credentials(md_key, md_value);

@ -60,8 +60,7 @@ const char* grpc_fake_transport_get_expected_targets(
class grpc_md_only_test_credentials : public grpc_call_credentials {
public:
grpc_md_only_test_credentials(const char* md_key, const char* md_value)
: grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_OAUTH2,
GRPC_SECURITY_NONE),
: grpc_call_credentials(GRPC_SECURITY_NONE),
key_(grpc_core::Slice::FromCopiedString(md_key)),
value_(grpc_core::Slice::FromCopiedString(md_value)) {}
@ -69,7 +68,11 @@ class grpc_md_only_test_credentials : public grpc_call_credentials {
GetRequestMetadata(grpc_core::ClientMetadataHandle initial_metadata,
const GetRequestMetadataArgs* args) override;
std::string debug_string() override { return "MD only Test Credentials"; };
std::string debug_string() override { return "MD only Test Credentials"; }
static const char* Type();
const char* type() const override { return Type(); }
private:
int cmp_impl(const grpc_call_credentials* other) const override {

@ -138,6 +138,10 @@ grpc_channel_args* grpc_google_default_channel_credentials::update_arguments(
return updated;
}
const char* grpc_google_default_channel_credentials::type() const {
return "GoogleDefault";
}
static void on_metadata_server_detection_http_response(
void* user_data, grpc_error_handle error) {
metadata_server_detector* detector =

@ -46,9 +46,7 @@ class grpc_google_default_channel_credentials
grpc_google_default_channel_credentials(
grpc_core::RefCountedPtr<grpc_channel_credentials> alts_creds,
grpc_core::RefCountedPtr<grpc_channel_credentials> ssl_creds)
: grpc_channel_credentials(GRPC_CHANNEL_CREDENTIALS_TYPE_GOOGLE_DEFAULT),
alts_creds_(std::move(alts_creds)),
ssl_creds_(std::move(ssl_creds)) {}
: alts_creds_(std::move(alts_creds)), ssl_creds_(std::move(ssl_creds)) {}
~grpc_google_default_channel_credentials() override = default;
@ -60,6 +58,8 @@ class grpc_google_default_channel_credentials
grpc_channel_args* update_arguments(grpc_channel_args* args) override;
const char* type() const override;
const grpc_channel_credentials* alts_creds() const {
return alts_creds_.get();
}

@ -48,8 +48,7 @@ grpc_google_iam_credentials::GetRequestMetadata(
grpc_google_iam_credentials::grpc_google_iam_credentials(
const char* token, const char* authority_selector)
: grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_IAM),
token_(token == nullptr ? absl::optional<grpc_core::Slice>()
: token_(token == nullptr ? absl::optional<grpc_core::Slice>()
: grpc_core::Slice::FromCopiedString(token)),
authority_selector_(
grpc_core::Slice::FromCopiedString(authority_selector)),
@ -57,6 +56,8 @@ grpc_google_iam_credentials::grpc_google_iam_credentials(
"GoogleIAMCredentials{Token:%s,AuthoritySelector:%s}",
token != nullptr ? "present" : "absent", authority_selector)) {}
const char* grpc_google_iam_credentials::Type() { return "Iam"; }
grpc_call_credentials* grpc_google_iam_credentials_create(
const char* token, const char* authority_selector, void* reserved) {
grpc_core::ExecCtx exec_ctx;

@ -36,6 +36,10 @@ class grpc_google_iam_credentials : public grpc_call_credentials {
std::string debug_string() override { return debug_string_; }
static const char* Type();
const char* type() const override { return Type(); }
private:
int cmp_impl(const grpc_call_credentials* other) const override {
// TODO(yashykt): Check if we can do something better here

@ -18,44 +18,37 @@
#include <grpc/support/port_platform.h>
#include "src/core/lib/security/credentials/credentials.h"
#include "src/core/lib/security/credentials/insecure/insecure_credentials.h"
#include "src/core/lib/security/security_connector/insecure/insecure_security_connector.h"
namespace grpc_core {
namespace {
class InsecureCredentials final : public grpc_channel_credentials {
public:
InsecureCredentials()
: grpc_channel_credentials(GRPC_CREDENTIALS_TYPE_INSECURE) {}
RefCountedPtr<grpc_channel_security_connector>
InsecureCredentials::create_security_connector(
RefCountedPtr<grpc_call_credentials> request_metadata_creds,
const char* /* target_name */, const grpc_channel_args* /* args */,
grpc_channel_args** /* new_args */) {
return MakeRefCounted<InsecureChannelSecurityConnector>(
Ref(), std::move(request_metadata_creds));
}
RefCountedPtr<grpc_channel_security_connector> create_security_connector(
RefCountedPtr<grpc_call_credentials> call_creds,
const char* /* target_name */, const grpc_channel_args* /* args */,
grpc_channel_args** /* new_args */) override {
return MakeRefCounted<InsecureChannelSecurityConnector>(
Ref(), std::move(call_creds));
}
const char* InsecureCredentials::Type() { return "Insecure"; }
private:
int cmp_impl(const grpc_channel_credentials* /* other */) const override {
// All insecure credentials objects should compare equal.
return 0;
}
};
int InsecureCredentials::cmp_impl(
const grpc_channel_credentials* /* other */) const {
// All insecure credentials objects should compare equal.
return 0;
}
class InsecureServerCredentials final : public grpc_server_credentials {
public:
InsecureServerCredentials()
: grpc_server_credentials(GRPC_CREDENTIALS_TYPE_INSECURE) {}
RefCountedPtr<grpc_server_security_connector>
InsecureServerCredentials::create_security_connector(
const grpc_channel_args* /* args */) {
return MakeRefCounted<InsecureServerSecurityConnector>(Ref());
}
RefCountedPtr<grpc_server_security_connector> create_security_connector(
const grpc_channel_args* /* args */) override {
return MakeRefCounted<InsecureServerSecurityConnector>(Ref());
}
};
const char* InsecureServerCredentials::Type() { return "Insecure"; }
} // namespace
} // namespace grpc_core
grpc_channel_credentials* grpc_insecure_credentials_create() {

@ -0,0 +1,57 @@
//
//
// Copyright 2022 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//
#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_INSECURE_INSECURE_CREDENTIALS_H
#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_INSECURE_INSECURE_CREDENTIALS_H
#include <grpc/support/port_platform.h>
#include <grpc/grpc_security.h>
#include "src/core/lib/security/credentials/credentials.h"
namespace grpc_core {
class InsecureCredentials final : public grpc_channel_credentials {
public:
RefCountedPtr<grpc_channel_security_connector> create_security_connector(
RefCountedPtr<grpc_call_credentials> request_metadata_creds,
const char* /* target_name */, const grpc_channel_args* /* args */,
grpc_channel_args** /* new_args */) override;
static const char* Type();
const char* type() const override { return Type(); }
private:
int cmp_impl(const grpc_channel_credentials* other) const override;
};
class InsecureServerCredentials final : public grpc_server_credentials {
public:
RefCountedPtr<grpc_server_security_connector> create_security_connector(
const grpc_channel_args* /* args */) override;
static const char* Type();
const char* type() const override { return Type(); }
};
} // namespace grpc_core
#endif // GRPC_CORE_LIB_SECURITY_CREDENTIALS_INSECURE_INSECURE_CREDENTIALS_H
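Review bot: The two classes promoted from the anonymous namespace into this public header carry no class-level documentation, and the property a caller placing them in channel args most needs is their comparison behavior, which the .cc hunk above fixes as "all insecure credentials objects should compare equal". Suggest a comment above `class InsecureCredentials`: `// Channel credentials that negotiate no transport security. Every InsecureCredentials instance compares equal to every other (cmp_impl returns 0), so channels using them can share subchannels.` and a one-line counterpart above `class InsecureServerCredentials` noting it sets up no transport security on accepted connections.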

@ -106,7 +106,7 @@ grpc_service_account_jwt_access_credentials::GetRequestMetadata(
grpc_service_account_jwt_access_credentials::
grpc_service_account_jwt_access_credentials(grpc_auth_json_key key,
gpr_timespec token_lifetime)
: grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_JWT), key_(key) {
: key_(key) {
gpr_timespec max_token_lifetime = grpc_max_auth_token_lifetime();
if (gpr_time_cmp(token_lifetime, max_token_lifetime) > 0) {
gpr_log(GPR_INFO,
@ -118,6 +118,10 @@ grpc_service_account_jwt_access_credentials::
gpr_mu_init(&cache_mu_);
}
const char* grpc_service_account_jwt_access_credentials::Type() {
return "Jwt";
}
grpc_core::RefCountedPtr<grpc_call_credentials>
grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
grpc_auth_json_key key, gpr_timespec token_lifetime) {

@ -52,6 +52,10 @@ class grpc_service_account_jwt_access_credentials
static_cast<int64_t>(gpr_timespec_to_micros(jwt_lifetime_)))));
};
static const char* Type();
const char* type() const override { return Type(); }
private:
int cmp_impl(const grpc_call_credentials* other) const override {
// TODO(yashykt): Check if we can do something better here

@ -27,8 +27,6 @@
#include "src/core/lib/channel/channel_args.h"
#include "src/core/lib/security/security_connector/local/local_security_connector.h"
#define GRPC_CREDENTIALS_TYPE_LOCAL "Local"
grpc_core::RefCountedPtr<grpc_channel_security_connector>
grpc_local_credentials::create_security_connector(
grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
@ -38,16 +36,19 @@ grpc_local_credentials::create_security_connector(
this->Ref(), std::move(request_metadata_creds), args, target_name);
}
const char* grpc_local_credentials::type() const { return "Local"; }
grpc_core::RefCountedPtr<grpc_server_security_connector>
grpc_local_server_credentials::create_security_connector(
const grpc_channel_args* /* args */) {
return grpc_local_server_security_connector_create(this->Ref());
}
const char* grpc_local_server_credentials::type() const { return "Local"; }
grpc_local_credentials::grpc_local_credentials(
grpc_local_connect_type connect_type)
: grpc_channel_credentials(GRPC_CREDENTIALS_TYPE_LOCAL),
connect_type_(connect_type) {}
: connect_type_(connect_type) {}
grpc_channel_credentials* grpc_local_credentials_create(
grpc_local_connect_type connect_type) {
@ -56,8 +57,7 @@ grpc_channel_credentials* grpc_local_credentials_create(
grpc_local_server_credentials::grpc_local_server_credentials(
grpc_local_connect_type connect_type)
: grpc_server_credentials(GRPC_CREDENTIALS_TYPE_LOCAL),
connect_type_(connect_type) {}
: connect_type_(connect_type) {}
grpc_server_credentials* grpc_local_server_credentials_create(
grpc_local_connect_type connect_type) {

@ -37,6 +37,8 @@ class grpc_local_credentials final : public grpc_channel_credentials {
const char* target_name, const grpc_channel_args* args,
grpc_channel_args** new_args) override;
const char* type() const override;
grpc_local_connect_type connect_type() const { return connect_type_; }
private:
@ -58,6 +60,8 @@ class grpc_local_server_credentials final : public grpc_server_credentials {
grpc_core::RefCountedPtr<grpc_server_security_connector>
create_security_connector(const grpc_channel_args* /* args */) override;
const char* type() const override;
grpc_local_connect_type connect_type() const { return connect_type_; }
private:

@ -337,8 +337,7 @@ grpc_oauth2_token_fetcher_credentials::GetRequestMetadata(
}
grpc_oauth2_token_fetcher_credentials::grpc_oauth2_token_fetcher_credentials()
: grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_OAUTH2),
token_expiration_(gpr_inf_past(GPR_CLOCK_MONOTONIC)),
: token_expiration_(gpr_inf_past(GPR_CLOCK_MONOTONIC)),
pollent_(grpc_polling_entity_create_from_pollset_set(
grpc_pollset_set_create())) {
gpr_mu_init(&mu_);
@ -348,6 +347,10 @@ std::string grpc_oauth2_token_fetcher_credentials::debug_string() {
return "OAuth2TokenFetcherCredentials";
}
const char* grpc_oauth2_token_fetcher_credentials::type() const {
return "Oauth2";
}
//
// Google Compute Engine credentials.
//
@ -473,6 +476,10 @@ std::string grpc_google_refresh_token_credentials::debug_string() {
grpc_oauth2_token_fetcher_credentials::debug_string());
}
const char* grpc_google_refresh_token_credentials::type() const {
return "GoogleRefreshToken";
}
static std::string create_loggable_refresh_token(
grpc_auth_refresh_token* token) {
if (strcmp(token->type, GRPC_AUTH_JSON_TYPE_INVALID) == 0) {
@ -706,10 +713,11 @@ grpc_access_token_credentials::GetRequestMetadata(
return grpc_core::Immediate(std::move(initial_metadata));
}
const char* grpc_access_token_credentials::Type() { return "AccessToken"; }
grpc_access_token_credentials::grpc_access_token_credentials(
const char* access_token)
: grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_OAUTH2),
access_token_value_(grpc_core::Slice::FromCopiedString(
: access_token_value_(grpc_core::Slice::FromCopiedString(
absl::StrCat("Bearer ", access_token))) {}
std::string grpc_access_token_credentials::debug_string() {

@ -102,6 +102,8 @@ class grpc_oauth2_token_fetcher_credentials : public grpc_call_credentials {
grpc_error_handle error);
std::string debug_string() override;
const char* type() const override;
protected:
virtual void fetch_oauth2(grpc_credentials_metadata_request* req,
grpc_polling_entity* pollent, grpc_iomgr_cb_func cb,
@ -136,6 +138,8 @@ class grpc_google_refresh_token_credentials final
std::string debug_string() override;
const char* type() const override;
protected:
void fetch_oauth2(grpc_credentials_metadata_request* req,
grpc_polling_entity* pollent, grpc_iomgr_cb_func cb,
@ -158,6 +162,10 @@ class grpc_access_token_credentials final : public grpc_call_credentials {
std::string debug_string() override;
static const char* Type();
const char* type() const override { return Type(); }
private:
int cmp_impl(const grpc_call_credentials* other) const override {
// TODO(yashykt): Check if we can do something better here

@ -60,6 +60,8 @@ std::string grpc_plugin_credentials::debug_string() {
return debug_str;
}
const char* grpc_plugin_credentials::type() const { return "Plugin"; }
absl::StatusOr<grpc_core::ClientMetadataHandle>
grpc_plugin_credentials::PendingRequest::ProcessPluginResult(
const grpc_metadata* md, size_t num_md, grpc_status_code status,
@ -197,7 +199,7 @@ grpc_plugin_credentials::GetRequestMetadata(
grpc_plugin_credentials::grpc_plugin_credentials(
grpc_metadata_credentials_plugin plugin,
grpc_security_level min_security_level)
: grpc_call_credentials(plugin.type, min_security_level), plugin_(plugin) {}
: grpc_call_credentials(min_security_level), plugin_(plugin) {}
grpc_call_credentials* grpc_metadata_credentials_create_from_plugin(
grpc_metadata_credentials_plugin plugin,
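Review bot: Dropping `plugin.type` from the base-class initializer means every plugin credential now reports the same `type()` (the "Plugin" literal added in the earlier hunk of this file), so two credentials built from unrelated plugins are no longer distinguished by the base `cmp` and fall through to `grpc_plugin_credentials::cmp_impl`, which is outside this hunk. If that override does not compare `plugin_.type` (and the plugin's state/user_data), unrelated plugin credentials compare equal and can end up sharing a subchannel key. A comment on the constructor would make the new contract explicit, e.g. `// plugin.type no longer selects the credentials type; cmp_impl must tell plugins apart itself.`, and the override should be checked against it.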

@ -41,6 +41,8 @@ struct grpc_plugin_credentials final : public grpc_call_credentials {
std::string debug_string() override;
const char* type() const override;
private:
class PendingRequest : public grpc_core::RefCounted<PendingRequest> {
public:

@ -37,8 +37,7 @@
grpc_ssl_credentials::grpc_ssl_credentials(
const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
const grpc_ssl_verify_peer_options* verify_options)
: grpc_channel_credentials(GRPC_CHANNEL_CREDENTIALS_TYPE_SSL) {
const grpc_ssl_verify_peer_options* verify_options) {
build_config(pem_root_certs, pem_key_cert_pair, verify_options);
}
@ -83,6 +82,8 @@ grpc_ssl_credentials::create_security_connector(
return sc;
}
const char* grpc_ssl_credentials::Type() { return "Ssl"; }
void grpc_ssl_credentials::build_config(
const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
const grpc_ssl_verify_peer_options* verify_options) {
@ -162,8 +163,7 @@ struct grpc_ssl_server_credentials_options {
};
grpc_ssl_server_credentials::grpc_ssl_server_credentials(
const grpc_ssl_server_credentials_options& options)
: grpc_server_credentials(GRPC_CHANNEL_CREDENTIALS_TYPE_SSL) {
const grpc_ssl_server_credentials_options& options) {
if (options.certificate_config_fetcher != nullptr) {
config_.client_certificate_request = options.client_certificate_request;
certificate_config_fetcher_ = *options.certificate_config_fetcher;
@ -186,6 +186,8 @@ grpc_ssl_server_credentials::create_security_connector(
return grpc_ssl_server_security_connector_create(this->Ref());
}
const char* grpc_ssl_server_credentials::Type() { return "Ssl"; }
tsi_ssl_pem_key_cert_pair* grpc_convert_grpc_to_tsi_cert_pairs(
const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
size_t num_key_cert_pairs) {

@ -37,6 +37,10 @@ class grpc_ssl_credentials : public grpc_channel_credentials {
const char* target, const grpc_channel_args* args,
grpc_channel_args** new_args) override;
static const char* Type();
const char* type() const override { return Type(); }
// TODO(mattstev): Plumb to wrapped languages. Until then, setting the TLS
// version should be done for testing purposes only.
void set_min_tls_version(grpc_tls_version min_tls_version);
@ -76,6 +80,10 @@ class grpc_ssl_server_credentials final : public grpc_server_credentials {
grpc_core::RefCountedPtr<grpc_server_security_connector>
create_security_connector(const grpc_channel_args* /* args */) override;
static const char* Type();
const char* type() const override { return Type(); }
bool has_cert_config_fetcher() const {
return certificate_config_fetcher_.cb != nullptr;
}

@ -26,6 +26,7 @@
#include <grpc/grpc_security.h>
#include "src/core/lib/gpr/useful.h"
#include "src/core/lib/gprpp/ref_counted.h"
#include "src/core/lib/gprpp/ref_counted_ptr.h"
#include "src/core/lib/gprpp/thd.h"
@ -50,6 +51,36 @@ struct grpc_tls_certificate_provider
virtual grpc_core::RefCountedPtr<grpc_tls_certificate_distributor>
distributor() const = 0;
// Compares this grpc_tls_certificate_provider object with \a other.
// If this method returns 0, it means that gRPC can treat the two certificate
// providers as effectively the same. This method is used to compare
// `grpc_tls_certificate_provider` objects when they are present in
// channel_args. One important usage of this is when channel args are used in
// SubchannelKey, which leads to a useful property that allows subchannels to
// be reused when two different `grpc_tls_certificate_provider` objects are
// used but they compare as equal (assuming other channel args match).
int Compare(const grpc_tls_certificate_provider* other) const {
GPR_ASSERT(other != nullptr);
// Intentionally uses grpc_core::QsortCompare instead of strcmp as a safety
// against different grpc_tls_certificate_provider types using the same
// name.
int r = grpc_core::QsortCompare(type(), other->type());
if (r != 0) return r;
return CompareImpl(other);
}
// The pointer value \a type is used to uniquely identify a creds
// implementation for down-casting purposes. Every provider implementation
// should use a unique string instance, which should be returned by all
// instances of that provider implementation.
virtual const char* type() const = 0;
private:
// Implementation for `Compare` method intended to be overridden by
// subclasses. Only invoked if `type()` and `other->type()` point to the same
// string.
virtual int CompareImpl(const grpc_tls_certificate_provider* other) const = 0;
};
namespace grpc_core {
@ -68,11 +99,20 @@ class StaticDataCertificateProvider final
return distributor_;
}
const char* type() const override { return "StaticData"; }
private:
struct WatcherInfo {
bool root_being_watched = false;
bool identity_being_watched = false;
};
int CompareImpl(const grpc_tls_certificate_provider* other) const override {
// TODO(yashykt): Maybe do something better here.
return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
other);
}
RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
std::string root_certificate_;
PemKeyCertPairList pem_key_cert_pairs_;
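Review bot: `type()` here returns the literal "StaticData" from an inline function in the header, whereas the rest of the commit moves each type string into a `Type()` defined in a .cc file (`grpc_ssl_credentials::Type`, `InsecureCredentials::Type`, `grpc_service_account_jwt_access_credentials::Type`). `Compare` deliberately compares the pointers returned by `type()`, and C++ does not promise that successive evaluations of a string literal, or the copies of an inline function compiled into different translation units or shared objects, yield one address, so two providers of the same kind could compare unequal merely because they were created in different libraries. The failure is in the safe direction (no subchannel sharing) but silently defeats the reuse the `Compare` comment describes; declaring `static const char* Type();` and defining it in the .cc, as done elsewhere in this commit, removes the ambiguity. The same applies to the FileWatcher hunk below and to the "External" and "Hostname" hunks in grpc_tls_certificate_verifier.h.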
@ -98,11 +138,20 @@ class FileWatcherCertificateProvider final
return distributor_;
}
const char* type() const override { return "FileWatcher"; }
private:
struct WatcherInfo {
bool root_being_watched = false;
bool identity_being_watched = false;
};
int CompareImpl(const grpc_tls_certificate_provider* other) const override {
// TODO(yashykt): Maybe do something better here.
return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
other);
}
// Force an update from the file system regardless of the interval.
void ForceUpdate();
// Read the root certificates from files and update the distributor.

@ -30,6 +30,10 @@
namespace grpc_core {
//
// ExternalCertificateVerifier
//
bool ExternalCertificateVerifier::Verify(
grpc_tls_custom_verification_check_request* request,
std::function<void(absl::Status)> callback, absl::Status* sync_status) {
@ -80,6 +84,10 @@ void ExternalCertificateVerifier::OnVerifyDone(
}
}
//
// HostNameCertificateVerifier
//
bool HostNameCertificateVerifier::Verify(
grpc_tls_custom_verification_check_request* request,
std::function<void(absl::Status)>, absl::Status* sync_status) {

@ -25,6 +25,7 @@
#include <grpc/grpc_security.h>
#include "src/core/lib/gpr/useful.h"
#include "src/core/lib/gprpp/ref_counted.h"
#include "src/core/lib/gprpp/ref_counted_ptr.h"
#include "src/core/lib/gprpp/thd.h"
@ -37,8 +38,6 @@
struct grpc_tls_certificate_verifier
: public grpc_core::RefCounted<grpc_tls_certificate_verifier> {
public:
grpc_tls_certificate_verifier() = default;
~grpc_tls_certificate_verifier() override = default;
// Verifies the specific request. It can be processed in sync or async mode.
// If the caller want it to be processed asynchronously, return false
@ -52,6 +51,28 @@ struct grpc_tls_certificate_verifier
// Operations that will be performed when a request is cancelled.
// This is only needed when in async mode.
virtual void Cancel(grpc_tls_custom_verification_check_request* request) = 0;
// Compares this grpc_tls_certificate_verifier object with \a other.
// If this method returns 0, it means that gRPC can treat the two certificate
// verifiers as effectively the same.
int Compare(const grpc_tls_certificate_verifier* other) const {
GPR_ASSERT(other != nullptr);
int r = grpc_core::QsortCompare(type(), other->type());
if (r != 0) return r;
return CompareImpl(other);
}
// The pointer value \a type is used to uniquely identify a verifier
// implementation for down-casting purposes. Every verifier implementation
// should use a unique string instance, which should be returned by all
// instances of that verifier implementation.
virtual const char* type() const = 0;
private:
// Implementation for `Compare` method intended to be overridden by
// subclasses. Only invoked if `type()` and `other->type()` point to the same
// string.
virtual int CompareImpl(const grpc_tls_certificate_verifier* other) const = 0;
};
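Review bot: `Compare` compares `type()` pointers with `grpc_core::QsortCompare` exactly as grpc_tls_certificate_provider::Compare does, but without the comment that explains why pointer identity is chosen over strcmp; a reader is likely to "fix" it to a string comparison. Mirror the provider's comment above the QsortCompare line: `// Intentionally uses grpc_core::QsortCompare instead of strcmp as a safety against different grpc_tls_certificate_verifier types using the same name.` That also makes the "point to the same string" precondition stated for `CompareImpl` below traceable to the code that enforces it.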
namespace grpc_core {
@ -78,12 +99,20 @@ class ExternalCertificateVerifier : public grpc_tls_certificate_verifier {
external_verifier_->cancel(external_verifier_->user_data, request);
}
const char* type() const override { return "External"; }
private:
grpc_tls_certificate_verifier_external* external_verifier_;
int CompareImpl(const grpc_tls_certificate_verifier* other) const override {
const auto* o = static_cast<const ExternalCertificateVerifier*>(other);
return QsortCompare(external_verifier_, o->external_verifier_);
}
static void OnVerifyDone(grpc_tls_custom_verification_check_request* request,
void* callback_arg, grpc_status_code status,
const char* error_details);
grpc_tls_certificate_verifier_external* external_verifier_;
// Guards members below.
Mutex mu_;
// stores each check request and its corresponding callback function.
@ -99,6 +128,16 @@ class HostNameCertificateVerifier : public grpc_tls_certificate_verifier {
std::function<void(absl::Status)> callback,
absl::Status* sync_status) override;
void Cancel(grpc_tls_custom_verification_check_request*) override {}
const char* type() const override { return "Hostname"; }
private:
int CompareImpl(
const grpc_tls_certificate_verifier* /* other */) const override {
// No differentiating factor between different HostNameCertificateVerifier
// objects.
return 0;
}
};
} // namespace grpc_core

@ -1,20 +1,22 @@
/*
*
* Copyright 2018 gRPC authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
//
//
// Copyright 2018 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//
// Generated by tools/codegen/core/gen_grpc_tls_credentials_options.py
#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
@ -38,103 +40,72 @@ struct grpc_tls_credentials_options
: public grpc_core::RefCounted<grpc_tls_credentials_options> {
public:
~grpc_tls_credentials_options() override = default;
// Getters for member fields.
grpc_ssl_client_certificate_request_type cert_request_type() const {
return cert_request_type_;
}
grpc_ssl_client_certificate_request_type cert_request_type() const { return cert_request_type_; }
bool verify_server_cert() const { return verify_server_cert_; }
grpc_tls_version min_tls_version() const { return min_tls_version_; }
grpc_tls_version max_tls_version() const { return max_tls_version_; }
// Returns the verifier set in the options.
grpc_tls_certificate_verifier* certificate_verifier() {
return verifier_.get();
return certificate_verifier_.get();
}
bool check_call_host() const { return check_call_host_; }
// Returns the distributor from provider_ if it is set, nullptr otherwise.
// Returns the distributor from certificate_provider_ if it is set, nullptr otherwise.
grpc_tls_certificate_distributor* certificate_distributor() {
if (provider_ != nullptr) return provider_->distributor().get();
if (certificate_provider_ != nullptr) { return certificate_provider_->distributor().get(); }
return nullptr;
}
bool watch_root_cert() { return watch_root_cert_; }
const std::string& root_cert_name() { return root_cert_name_; }
bool watch_identity_pair() { return watch_identity_pair_; }
const std::string& identity_cert_name() { return identity_cert_name_; }
// Returns the previously set tls session key log file path.
const std::string& tls_session_key_log_file_path() {
return tls_session_key_log_file_path_;
}
const std::string& crl_directory() { return crl_directory_; }
bool watch_root_cert() const { return watch_root_cert_; }
const std::string& root_cert_name() const { return root_cert_name_; }
bool watch_identity_pair() const { return watch_identity_pair_; }
const std::string& identity_cert_name() const { return identity_cert_name_; }
const std::string& tls_session_key_log_file_path() const { return tls_session_key_log_file_path_; }
const std::string& crl_directory() const { return crl_directory_; }
// Setters for member fields.
void set_cert_request_type(
const grpc_ssl_client_certificate_request_type type) {
cert_request_type_ = type;
}
void set_verify_server_cert(bool verify_server_cert) {
verify_server_cert_ = verify_server_cert;
}
void set_min_tls_version(grpc_tls_version min_tls_version) {
min_tls_version_ = min_tls_version;
}
void set_max_tls_version(grpc_tls_version max_tls_version) {
max_tls_version_ = max_tls_version;
}
// Sets the verifier in the options.
void set_certificate_verifier(
grpc_core::RefCountedPtr<grpc_tls_certificate_verifier> verifier) {
verifier_ = std::move(verifier);
}
// Sets the verifier in the options.
void set_check_call_host(bool check_call_host) {
check_call_host_ = check_call_host;
}
// Sets the provider in the options.
void set_certificate_provider(
grpc_core::RefCountedPtr<grpc_tls_certificate_provider> provider) {
provider_ = std::move(provider);
}
// If need to watch the updates of root certificates with name
// |root_cert_name|. The default value is false. If used in tls_credentials,
// it should always be set to true unless the root certificates are not
// needed.
void set_watch_root_cert(bool watch) { watch_root_cert_ = watch; }
// Sets the name of root certificates being watched, if |set_watch_root_cert|
// is called. If not set, an empty string will be used as the name.
void set_root_cert_name(std::string root_cert_name) {
root_cert_name_ = std::move(root_cert_name);
}
// If need to watch the updates of identity certificates with name
// |identity_cert_name|.
// The default value is false.
// If used in tls_credentials, it should always be set to true
// unless the identity key-cert pairs are not needed.
void set_watch_identity_pair(bool watch) { watch_identity_pair_ = watch; }
// Sets the name of identity key-cert pairs being watched, if
// |set_watch_identity_pair| is called. If not set, an empty string will
// be used as the name.
void set_identity_cert_name(std::string identity_cert_name) {
identity_cert_name_ = std::move(identity_cert_name);
}
// Sets the tls session key log file path.
void set_tls_session_key_log_file_path(
std::string tls_session_key_log_file_path) {
tls_session_key_log_file_path_ = std::move(tls_session_key_log_file_path);
}
void set_cert_request_type(grpc_ssl_client_certificate_request_type cert_request_type) { cert_request_type_ = cert_request_type; }
void set_verify_server_cert(bool verify_server_cert) { verify_server_cert_ = verify_server_cert; }
void set_min_tls_version(grpc_tls_version min_tls_version) { min_tls_version_ = min_tls_version; }
void set_max_tls_version(grpc_tls_version max_tls_version) { max_tls_version_ = max_tls_version; }
void set_certificate_verifier(grpc_core::RefCountedPtr<grpc_tls_certificate_verifier> certificate_verifier) { certificate_verifier_ = std::move(certificate_verifier); }
void set_check_call_host(bool check_call_host) { check_call_host_ = check_call_host; }
void set_certificate_provider(grpc_core::RefCountedPtr<grpc_tls_certificate_provider> certificate_provider) { certificate_provider_ = std::move(certificate_provider); }
// If need to watch the updates of root certificates with name |root_cert_name|. The default value is false. If used in tls_credentials, it should always be set to true unless the root certificates are not needed.
void set_watch_root_cert(bool watch_root_cert) { watch_root_cert_ = watch_root_cert; }
// Sets the name of root certificates being watched, if |set_watch_root_cert| is called. If not set, an empty string will be used as the name.
void set_root_cert_name(std::string root_cert_name) { root_cert_name_ = std::move(root_cert_name); }
// If need to watch the updates of identity certificates with name |identity_cert_name|. The default value is false. If used in tls_credentials, it should always be set to true unless the identity key-cert pairs are not needed.
void set_watch_identity_pair(bool watch_identity_pair) { watch_identity_pair_ = watch_identity_pair; }
// Sets the name of identity key-cert pairs being watched, if |set_watch_identity_pair| is called. If not set, an empty string will be used as the name.
void set_identity_cert_name(std::string identity_cert_name) { identity_cert_name_ = std::move(identity_cert_name); }
void set_tls_session_key_log_file_path(std::string tls_session_key_log_file_path) { tls_session_key_log_file_path_ = std::move(tls_session_key_log_file_path); }
// gRPC will enforce CRLs on all handshakes from all hashed CRL files inside of the crl_directory. If not set, an empty string will be used, which will not enable CRL checking. Only supported for OpenSSL version > 1.1.
void set_crl_directory(std::string crl_directory) { crl_directory_ = std::move(crl_directory); }
// gRPC will enforce CRLs on all handshakes from all hashed CRL files inside
// of the crl_directory. If not set, an empty string will be used, which will
// not enable CRL checking. Only supported for OpenSSL version > 1.1.
void set_crl_directory(std::string path) { crl_directory_ = std::move(path); }
bool operator==(const grpc_tls_credentials_options& other) const {
return cert_request_type_ == other.cert_request_type_ &&
verify_server_cert_ == other.verify_server_cert_ &&
min_tls_version_ == other.min_tls_version_ &&
max_tls_version_ == other.max_tls_version_ &&
(certificate_verifier_ == other.certificate_verifier_ || (certificate_verifier_ != nullptr && other.certificate_verifier_ != nullptr && certificate_verifier_->Compare(other.certificate_verifier_.get()) == 0)) &&
check_call_host_ == other.check_call_host_ &&
(certificate_provider_ == other.certificate_provider_ || (certificate_provider_ != nullptr && other.certificate_provider_ != nullptr && certificate_provider_->Compare(other.certificate_provider_.get()) == 0)) &&
watch_root_cert_ == other.watch_root_cert_ &&
root_cert_name_ == other.root_cert_name_ &&
watch_identity_pair_ == other.watch_identity_pair_ &&
identity_cert_name_ == other.identity_cert_name_ &&
tls_session_key_log_file_path_ == other.tls_session_key_log_file_path_ &&
crl_directory_ == other.crl_directory_;
}
private:
grpc_ssl_client_certificate_request_type cert_request_type_ =
GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
grpc_ssl_client_certificate_request_type cert_request_type_ = GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
bool verify_server_cert_ = true;
grpc_tls_version min_tls_version_ = grpc_tls_version::TLS1_2;
grpc_tls_version max_tls_version_ = grpc_tls_version::TLS1_3;
grpc_core::RefCountedPtr<grpc_tls_certificate_verifier> verifier_;
grpc_core::RefCountedPtr<grpc_tls_certificate_verifier> certificate_verifier_;
bool check_call_host_ = true;
grpc_core::RefCountedPtr<grpc_tls_certificate_provider> provider_;
grpc_core::RefCountedPtr<grpc_tls_certificate_provider> certificate_provider_;
bool watch_root_cert_ = false;
std::string root_cert_name_;
bool watch_identity_pair_ = false;
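Review bot: The new `operator==` (the block ending in `crl_directory_ == other.crl_directory_`) carries no comment saying why it exists, yet `TlsCredentials::cmp_impl` in tls_credentials.cc now uses it to decide whether two credentials are interchangeable, which in turn governs whether security connectors and subchannels are reused. A comment above it such as `// Used by TlsCredentials::cmp_impl to decide whether two credentials are interchangeable; every field that affects handshake security must be compared here, so a field added to the generator must also be added to this comparison.` would make that contract explicit for whoever edits gen_grpc_tls_credentials_options.py next. The null handling looks right: a verifier or provider that is null on only one side compares unequal because the `||` branch requires both to be non-null before calling `Compare`. Separately, `certificate_verifier()` and `certificate_distributor()` are now the only getters left non-const after this change; for consistency with the generated one-liners they could be `const` as well.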

@ -31,8 +31,6 @@
#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h"
#include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
#define GRPC_CREDENTIALS_TYPE_TLS "Tls"
namespace {
bool CredentialOptionSanityCheck(grpc_tls_credentials_options* options,
@ -70,8 +68,7 @@ bool CredentialOptionSanityCheck(grpc_tls_credentials_options* options,
TlsCredentials::TlsCredentials(
grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)
: grpc_channel_credentials(GRPC_CREDENTIALS_TYPE_TLS),
options_(std::move(options)) {}
: options_(std::move(options)) {}
TlsCredentials::~TlsCredentials() {}
@ -109,10 +106,16 @@ TlsCredentials::create_security_connector(
return sc;
}
int TlsCredentials::cmp_impl(const grpc_channel_credentials* other) const {
const TlsCredentials* o = static_cast<const TlsCredentials*>(other);
if (*options_ == *o->options_) return 0;
return grpc_core::QsortCompare(
static_cast<const grpc_channel_credentials*>(this), other);
}
TlsServerCredentials::TlsServerCredentials(
grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)
: grpc_server_credentials(GRPC_CREDENTIALS_TYPE_TLS),
options_(std::move(options)) {}
: options_(std::move(options)) {}
TlsServerCredentials::~TlsServerCredentials() {}
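Review bot: `TlsCredentials::cmp_impl` `static_cast`s `other` to `TlsCredentials` and dereferences both `options_` pointers without a null check; this is only safe if the base-class `cmp()` dispatches here solely when `type()` matches (the credentials.h change is outside this chunk) and if a `TlsCredentials` can never hold a null options (CredentialOptionSanityCheck, whose body is outside the hunk, presumably guarantees that). A short comment would pin both assumptions: `// Base cmp() only calls this for same-typed credentials; options_ is non-null by construction.` The address-order fallback via `QsortCompare` gives a stable but meaningless ordering for unequal options, which is fine for keying but worth stating in a comment so nobody reads it as a semantic ordering.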

@ -38,14 +38,12 @@ class TlsCredentials final : public grpc_channel_credentials {
const char* target_name, const grpc_channel_args* args,
grpc_channel_args** new_args) override;
const char* type() const override { return "Tls"; }
grpc_tls_credentials_options* options() const { return options_.get(); }
private:
int cmp_impl(const grpc_channel_credentials* other) const override {
// TODO(yashykt): Check if we can do something better here
return grpc_core::QsortCompare(
static_cast<const grpc_channel_credentials*>(this), other);
}
int cmp_impl(const grpc_channel_credentials* other) const override;
grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
};
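Review bot: The new `options()` accessor on `TlsCredentials` (and the matching one on `TlsServerCredentials` in the next hunk) returns a non-const raw pointer into `options_`, which `cmp_impl` now compares by value; a caller that mutates the options through this pointer after the credentials are built silently changes how the credentials compare. If the accessor exists only for inspection, `const grpc_tls_credentials_options* options() const { return options_.get(); }` would say so; otherwise it needs a comment such as `// Non-owning; valid for the lifetime of this object. Mutating the result changes the outcome of cmp().`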
@ -59,6 +57,8 @@ class TlsServerCredentials final : public grpc_server_credentials {
grpc_core::RefCountedPtr<grpc_server_security_connector>
create_security_connector(const grpc_channel_args* /* args */) override;
const char* type() const override { return "Tls"; }
grpc_tls_credentials_options* options() const { return options_.get(); }
private:

@ -29,8 +29,6 @@
namespace grpc_core {
const char kCredentialsTypeXds[] = "Xds";
namespace {
bool XdsVerifySubjectAlternativeNames(
@ -61,44 +59,53 @@ bool XdsVerifySubjectAlternativeNames(
return false;
}
class XdsCertificateVerifier : public grpc_tls_certificate_verifier {
public:
XdsCertificateVerifier(
RefCountedPtr<XdsCertificateProvider> xds_certificate_provider,
std::string cluster_name)
: xds_certificate_provider_(std::move(xds_certificate_provider)),
cluster_name_(std::move(cluster_name)) {}
bool Verify(grpc_tls_custom_verification_check_request* request,
std::function<void(absl::Status)>,
absl::Status* sync_status) override {
GPR_ASSERT(request != nullptr);
if (!XdsVerifySubjectAlternativeNames(
request->peer_info.san_names.uri_names,
request->peer_info.san_names.uri_names_size,
xds_certificate_provider_->GetSanMatchers(cluster_name_)) &&
!XdsVerifySubjectAlternativeNames(
request->peer_info.san_names.ip_names,
request->peer_info.san_names.ip_names_size,
xds_certificate_provider_->GetSanMatchers(cluster_name_)) &&
!XdsVerifySubjectAlternativeNames(
request->peer_info.san_names.dns_names,
request->peer_info.san_names.dns_names_size,
xds_certificate_provider_->GetSanMatchers(cluster_name_))) {
*sync_status = absl::Status(
absl::StatusCode::kUnauthenticated,
"SANs from certificate did not match SANs from xDS control plane");
}
return true; /* synchronous check */
} // namespace
//
// XdsCertificateVerifier
//
XdsCertificateVerifier::XdsCertificateVerifier(
RefCountedPtr<XdsCertificateProvider> xds_certificate_provider,
std::string cluster_name)
: xds_certificate_provider_(std::move(xds_certificate_provider)),
cluster_name_(std::move(cluster_name)) {}
bool XdsCertificateVerifier::Verify(
grpc_tls_custom_verification_check_request* request,
std::function<void(absl::Status)>, absl::Status* sync_status) {
GPR_ASSERT(request != nullptr);
if (!XdsVerifySubjectAlternativeNames(
request->peer_info.san_names.uri_names,
request->peer_info.san_names.uri_names_size,
xds_certificate_provider_->GetSanMatchers(cluster_name_)) &&
!XdsVerifySubjectAlternativeNames(
request->peer_info.san_names.ip_names,
request->peer_info.san_names.ip_names_size,
xds_certificate_provider_->GetSanMatchers(cluster_name_)) &&
!XdsVerifySubjectAlternativeNames(
request->peer_info.san_names.dns_names,
request->peer_info.san_names.dns_names_size,
xds_certificate_provider_->GetSanMatchers(cluster_name_))) {
*sync_status = absl::Status(
absl::StatusCode::kUnauthenticated,
"SANs from certificate did not match SANs from xDS control plane");
}
void Cancel(grpc_tls_custom_verification_check_request*) override {}
return true; /* synchronous check */
}
private:
RefCountedPtr<XdsCertificateProvider> xds_certificate_provider_;
std::string cluster_name_;
};
void XdsCertificateVerifier::Cancel(
grpc_tls_custom_verification_check_request*) {}
} // namespace
int XdsCertificateVerifier::CompareImpl(
const grpc_tls_certificate_verifier* other) const {
auto* o = static_cast<const XdsCertificateVerifier*>(other);
int r = QsortCompare(xds_certificate_provider_, o->xds_certificate_provider_);
if (r != 0) return r;
return cluster_name_.compare(o->cluster_name_);
}
const char* XdsCertificateVerifier::type() const { return "Xds"; }
bool TestOnlyXdsVerifySubjectAlternativeNames(
const char* const* subject_alternative_names,
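Review bot: `XdsCertificateVerifier::CompareImpl` compares `xds_certificate_provider_` with `QsortCompare` on the `RefCountedPtr`, i.e. by provider identity, whereas `grpc_tls_credentials_options::operator==` in this same commit compares providers with `Compare()`; two verifiers holding distinct but equivalent providers therefore compare unequal here. That may well be intentional (the xDS provider is presumably a shared per-client object), but it should be stated, e.g. `// Providers are compared by identity: a different XdsCertificateProvider object means a different verifier regardless of its contents.` Note also that `Verify` dereferences `xds_certificate_provider_` unconditionally while the new comparator test constructs the verifier with a null provider, so a null provider is only safe for comparison, never for verification.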
@ -164,19 +171,6 @@ XdsCredentials::create_security_connector(
MakeRefCounted<XdsCertificateVerifier>(xds_certificate_provider,
std::move(cluster_name)));
tls_credentials_options->set_check_call_host(false);
// TODO(yashkt): Creating a new TlsCreds object each time we create a
// security connector means that the security connector's cmp() method
// returns unequal for each instance, which means that every time an LB
// policy updates, all the subchannels will be recreated. This is
// going to lead to a lot of connection churn. Instead, we should
// either (a) change the TLS security connector's cmp() method to be
// smarter somehow, so that it compares unequal only when the
// tls_credentials_options have changed, or (b) cache the TlsCreds
// objects in the XdsCredentials object so that we can reuse the
// same one when creating new security connectors, swapping out the
// TlsCreds object only when the tls_credentials_options change.
// Option (a) would probably be better, although it may require some
// structural changes to the security connector API.
auto tls_credentials =
MakeRefCounted<TlsCredentials>(std::move(tls_credentials_options));
return tls_credentials->create_security_connector(
@ -188,6 +182,8 @@ XdsCredentials::create_security_connector(
std::move(call_creds), target_name, temp_args.args, new_args);
}
const char* XdsCredentials::Type() { return "Xds"; }
//
// XdsServerCredentials
//
@ -224,6 +220,8 @@ XdsServerCredentials::create_security_connector(const grpc_channel_args* args) {
return fallback_credentials_->create_security_connector(args);
}
const char* XdsServerCredentials::Type() { return "Xds"; }
} // namespace grpc_core
grpc_channel_credentials* grpc_xds_credentials_create(

@ -23,24 +23,47 @@
#include <grpc/grpc_security.h>
#include "src/core/ext/xds/xds_certificate_provider.h"
#include "src/core/lib/matchers/matchers.h"
#include "src/core/lib/security/credentials/credentials.h"
#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h"
namespace grpc_core {
extern const char kCredentialsTypeXds[];
class XdsCertificateVerifier : public grpc_tls_certificate_verifier {
public:
XdsCertificateVerifier(
RefCountedPtr<XdsCertificateProvider> xds_certificate_provider,
std::string cluster_name);
bool Verify(grpc_tls_custom_verification_check_request* request,
std::function<void(absl::Status)>,
absl::Status* sync_status) override;
void Cancel(grpc_tls_custom_verification_check_request*) override;
const char* type() const override;
private:
int CompareImpl(const grpc_tls_certificate_verifier* other) const override;
RefCountedPtr<XdsCertificateProvider> xds_certificate_provider_;
std::string cluster_name_;
};
class XdsCredentials final : public grpc_channel_credentials {
public:
explicit XdsCredentials(
RefCountedPtr<grpc_channel_credentials> fallback_credentials)
: grpc_channel_credentials(kCredentialsTypeXds),
fallback_credentials_(std::move(fallback_credentials)) {}
: fallback_credentials_(std::move(fallback_credentials)) {}
RefCountedPtr<grpc_channel_security_connector> create_security_connector(
RefCountedPtr<grpc_call_credentials> call_creds, const char* target_name,
const grpc_channel_args* args, grpc_channel_args** new_args) override;
static const char* Type();
const char* type() const override { return Type(); }
private:
int cmp_impl(const grpc_channel_credentials* other) const override {
auto* o = static_cast<const XdsCredentials*>(other);
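Review bot: `XdsCertificateVerifier` moves out of the anonymous namespace into the public header without a class comment, so its preconditions are now invisible to new callers. A comment above the class along the lines of `// Verifies that the peer certificate's SANs match the SAN matchers the xDS control plane configured for cluster_name. xds_certificate_provider must be non-null: Verify() dereferences it without checking. The check is synchronous and reports its result through sync_status.` captures what the implementation in xds_credentials.cc shows. It would also help to state that `CompareImpl` orders by provider identity and then by cluster name, since connector reuse now depends on that comparison.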
@ -54,12 +77,15 @@ class XdsServerCredentials final : public grpc_server_credentials {
public:
explicit XdsServerCredentials(
RefCountedPtr<grpc_server_credentials> fallback_credentials)
: grpc_server_credentials(kCredentialsTypeXds),
fallback_credentials_(std::move(fallback_credentials)) {}
: fallback_credentials_(std::move(fallback_credentials)) {}
RefCountedPtr<grpc_server_security_connector> create_security_connector(
const grpc_channel_args* /* args */) override;
static const char* Type();
const char* type() const override { return Type(); }
private:
RefCountedPtr<grpc_server_credentials> fallback_credentials_;
};

@ -330,6 +330,19 @@ grpc_cc_test(
],
)
grpc_cc_test(
name = "grpc_tls_credentials_options_comparator_test",
srcs = ["grpc_tls_credentials_options_comparator_test.cc"],
external_deps = ["gtest"],
language = "C++",
deps = [
"//:gpr",
"//:grpc",
"//:grpc_secure",
"//test/core/util:grpc_test_util",
],
)
grpc_cc_test(
name = "grpc_tls_certificate_distributor_test",
srcs = ["grpc_tls_certificate_distributor_test.cc"],

@ -59,8 +59,11 @@
#include "src/core/lib/security/credentials/external/url_external_account_credentials.h"
#include "src/core/lib/security/credentials/fake/fake_credentials.h"
#include "src/core/lib/security/credentials/google_default/google_default_credentials.h"
#include "src/core/lib/security/credentials/iam/iam_credentials.h"
#include "src/core/lib/security/credentials/jwt/jwt_credentials.h"
#include "src/core/lib/security/credentials/oauth2/oauth2_credentials.h"
#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
#include "src/core/lib/security/credentials/xds/xds_credentials.h"
#include "src/core/lib/security/transport/auth_filters.h"
#include "src/core/lib/transport/error_utils.h"
#include "src/core/lib/uri/uri_parser.h"
@ -560,7 +563,7 @@ TEST(CredentialsTest, TestAccessTokenCreds) {
"authorization: Bearer blah");
grpc_call_credentials* creds =
grpc_access_token_credentials_create("blah", nullptr);
GPR_ASSERT(strcmp(creds->type(), GRPC_CALL_CREDENTIALS_TYPE_OAUTH2) == 0);
GPR_ASSERT(strcmp(creds->type(), grpc_access_token_credentials::Type()) == 0);
/* Check security level. */
GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
@ -571,20 +574,18 @@ TEST(CredentialsTest, TestAccessTokenCreds) {
namespace {
class check_channel_oauth2 final : public grpc_channel_credentials {
public:
check_channel_oauth2() : grpc_channel_credentials("mock") {}
~check_channel_oauth2() override = default;
RefCountedPtr<grpc_channel_security_connector> create_security_connector(
RefCountedPtr<grpc_call_credentials> call_creds, const char* /*target*/,
const grpc_channel_args* /*args*/,
grpc_channel_args** /*new_args*/) override {
GPR_ASSERT(strcmp(type(), "mock") == 0);
GPR_ASSERT(strcmp(type(), "check_channel_oauth2") == 0);
GPR_ASSERT(call_creds != nullptr);
GPR_ASSERT(strcmp(call_creds->type(), GRPC_CALL_CREDENTIALS_TYPE_OAUTH2) ==
0);
GPR_ASSERT(call_creds->type() == grpc_access_token_credentials::Type());
return nullptr;
}
const char* type() const override { return "check_channel_oauth2"; }
private:
int cmp_impl(const grpc_channel_credentials* other) const override {
// TODO(yashykt): Check if we can do something better here
@ -638,16 +639,14 @@ TEST(CredentialsTest, TestOauth2GoogleIamCompositeCreds) {
oauth2_creds->Unref();
google_iam_creds->Unref();
GPR_ASSERT(strcmp(composite_creds->type(),
GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE) == 0);
GPR_ASSERT(composite_creds->type() ==
grpc_composite_call_credentials::Type());
const grpc_composite_call_credentials::CallCredentialsList& creds_list =
static_cast<const grpc_composite_call_credentials*>(composite_creds)
->inner();
GPR_ASSERT(creds_list.size() == 2);
GPR_ASSERT(strcmp(creds_list[0]->type(), GRPC_CALL_CREDENTIALS_TYPE_OAUTH2) ==
0);
GPR_ASSERT(strcmp(creds_list[1]->type(), GRPC_CALL_CREDENTIALS_TYPE_IAM) ==
0);
GPR_ASSERT(creds_list[0]->type() == grpc_md_only_test_credentials::Type());
GPR_ASSERT(creds_list[1]->type() == grpc_google_iam_credentials::Type());
state->RunRequestMetadataTest(composite_creds, kTestUrlScheme, kTestAuthority,
kTestPath);
composite_creds->Unref();
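Review bot: The assertions rewritten as `GPR_ASSERT(creds_list[0]->type() == grpc_md_only_test_credentials::Type());` compare `const char*` values by pointer equality where the old code used `strcmp`; this holds only if every `type()` override returns the very pointer its static `Type()` returns, which is presumably true for the credentials under test but is a stricter contract than string equality and will fail confusingly if a subclass ever returns an equal-but-distinct literal. The same pattern appears in the `check_channel_oauth2_google_iam` hunk and in `creds_as_jwt`. Keeping `strcmp(...) == 0`, or adding a comment such as `// type() is expected to return the same pointer as Type() for these credentials.`, would make the intent explicit.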
@ -656,27 +655,25 @@ TEST(CredentialsTest, TestOauth2GoogleIamCompositeCreds) {
namespace {
class check_channel_oauth2_google_iam final : public grpc_channel_credentials {
public:
check_channel_oauth2_google_iam() : grpc_channel_credentials("mock") {}
~check_channel_oauth2_google_iam() override = default;
RefCountedPtr<grpc_channel_security_connector> create_security_connector(
RefCountedPtr<grpc_call_credentials> call_creds, const char* /*target*/,
const grpc_channel_args* /*args*/,
grpc_channel_args** /*new_args*/) override {
GPR_ASSERT(strcmp(type(), "mock") == 0);
GPR_ASSERT(strcmp(type(), "check_channel_oauth2_google_iam") == 0);
GPR_ASSERT(call_creds != nullptr);
GPR_ASSERT(
strcmp(call_creds->type(), GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE) == 0);
GPR_ASSERT(call_creds->type() == grpc_composite_call_credentials::Type());
const grpc_composite_call_credentials::CallCredentialsList& creds_list =
static_cast<const grpc_composite_call_credentials*>(call_creds.get())
->inner();
GPR_ASSERT(
strcmp(creds_list[0]->type(), GRPC_CALL_CREDENTIALS_TYPE_OAUTH2) == 0);
GPR_ASSERT(strcmp(creds_list[1]->type(), GRPC_CALL_CREDENTIALS_TYPE_IAM) ==
0);
GPR_ASSERT(creds_list[0]->type() == grpc_access_token_credentials::Type());
GPR_ASSERT(creds_list[1]->type() == grpc_google_iam_credentials::Type());
return nullptr;
}
const char* type() const override {
return "check_channel_oauth2_google_iam";
}
private:
int cmp_impl(const grpc_channel_credentials* other) const override {
// TODO(yashykt): Check if we can do something better here
@ -1346,7 +1343,8 @@ char* encode_and_sign_jwt_should_not_be_called(
grpc_service_account_jwt_access_credentials* creds_as_jwt(
grpc_call_credentials* creds) {
GPR_ASSERT(creds != nullptr);
GPR_ASSERT(strcmp(creds->type(), GRPC_CALL_CREDENTIALS_TYPE_JWT) == 0);
GPR_ASSERT(creds->type() ==
grpc_service_account_jwt_access_credentials::Type());
return reinterpret_cast<grpc_service_account_jwt_access_credentials*>(creds);
}
@ -1769,8 +1767,6 @@ TEST(CredentialsTest, TestGoogleDefaultCredsCallCredsSpecified) {
struct fake_call_creds : public grpc_call_credentials {
public:
fake_call_creds() : grpc_call_credentials("fake") {}
ArenaPromise<absl::StatusOr<ClientMetadataHandle>> GetRequestMetadata(
ClientMetadataHandle initial_metadata,
const grpc_call_credentials::GetRequestMetadataArgs*) override {
@ -1779,6 +1775,8 @@ struct fake_call_creds : public grpc_call_credentials {
return Immediate(std::move(initial_metadata));
}
const char* type() const override { return "fake"; }
private:
int cmp_impl(const grpc_call_credentials* other) const override {
// TODO(yashykt): Check if we can do something better here
@ -3587,6 +3585,62 @@ TEST(CredentialsTest,
grpc_channel_credentials_release(composite_creds_2);
}
TEST(CredentialsTest, TestTlsCredentialsCompareSuccess) {
auto* tls_creds_1 =
grpc_tls_credentials_create(grpc_tls_credentials_options_create());
auto* tls_creds_2 =
grpc_tls_credentials_create(grpc_tls_credentials_options_create());
EXPECT_EQ(tls_creds_1->cmp(tls_creds_2), 0);
EXPECT_EQ(tls_creds_2->cmp(tls_creds_1), 0);
grpc_channel_credentials_release(tls_creds_1);
grpc_channel_credentials_release(tls_creds_2);
}
TEST(CredentialsTest, TestTlsCredentialsWithVerifierCompareSuccess) {
auto* options_1 = grpc_tls_credentials_options_create();
options_1->set_certificate_verifier(
MakeRefCounted<HostNameCertificateVerifier>());
auto* tls_creds_1 = grpc_tls_credentials_create(options_1);
auto* options_2 = grpc_tls_credentials_options_create();
options_2->set_certificate_verifier(
MakeRefCounted<HostNameCertificateVerifier>());
auto* tls_creds_2 = grpc_tls_credentials_create(options_2);
EXPECT_EQ(tls_creds_1->cmp(tls_creds_2), 0);
EXPECT_EQ(tls_creds_2->cmp(tls_creds_1), 0);
grpc_channel_credentials_release(tls_creds_1);
grpc_channel_credentials_release(tls_creds_2);
}
TEST(CredentialsTest, TestTlsCredentialsCompareFailure) {
auto* options_1 = grpc_tls_credentials_options_create();
options_1->set_check_call_host(true);
auto* tls_creds_1 = grpc_tls_credentials_create(options_1);
auto* options_2 = grpc_tls_credentials_options_create();
options_2->set_check_call_host(false);
auto* tls_creds_2 = grpc_tls_credentials_create(options_2);
EXPECT_NE(tls_creds_1->cmp(tls_creds_2), 0);
EXPECT_NE(tls_creds_2->cmp(tls_creds_1), 0);
grpc_channel_credentials_release(tls_creds_1);
grpc_channel_credentials_release(tls_creds_2);
}
TEST(CredentialsTest, TestTlsCredentialsWithVerifierCompareFailure) {
auto* options_1 = grpc_tls_credentials_options_create();
options_1->set_certificate_verifier(
MakeRefCounted<HostNameCertificateVerifier>());
auto* tls_creds_1 = grpc_tls_credentials_create(options_1);
auto* options_2 = grpc_tls_credentials_options_create();
grpc_tls_certificate_verifier_external verifier = {nullptr, nullptr, nullptr,
nullptr};
options_2->set_certificate_verifier(
MakeRefCounted<ExternalCertificateVerifier>(&verifier));
auto* tls_creds_2 = grpc_tls_credentials_create(options_2);
EXPECT_NE(tls_creds_1->cmp(tls_creds_2), 0);
EXPECT_NE(tls_creds_2->cmp(tls_creds_1), 0);
grpc_channel_credentials_release(tls_creds_1);
grpc_channel_credentials_release(tls_creds_2);
}
TEST(CredentialsTest, TestXdsCredentialsCompareSucces) {
auto* insecure_creds = grpc_insecure_credentials_create();
auto* xds_creds_1 = grpc_xds_credentials_create(insecure_creds);

@ -251,6 +251,46 @@ TEST_F(GrpcTlsCertificateVerifierTest, HostnameVerifierCommonNameCheckFails) {
"UNAUTHENTICATED: Hostname Verification Check failed.");
}
TEST_F(GrpcTlsCertificateVerifierTest, ComparingDifferentObjectTypesFails) {
grpc_tls_certificate_verifier_external verifier = {nullptr, nullptr, nullptr,
nullptr};
ExternalCertificateVerifier external_verifier(&verifier);
HostNameCertificateVerifier hostname_certificate_verifier;
EXPECT_NE(external_verifier.Compare(&hostname_certificate_verifier), 0);
EXPECT_NE(hostname_certificate_verifier.Compare(&external_verifier), 0);
}
TEST_F(GrpcTlsCertificateVerifierTest, HostNameCertificateVerifier) {
HostNameCertificateVerifier hostname_certificate_verifier_1;
HostNameCertificateVerifier hostname_certificate_verifier_2;
EXPECT_EQ(
hostname_certificate_verifier_1.Compare(&hostname_certificate_verifier_2),
0);
EXPECT_EQ(
hostname_certificate_verifier_2.Compare(&hostname_certificate_verifier_1),
0);
}
TEST_F(GrpcTlsCertificateVerifierTest, ExternalCertificateVerifierSuccess) {
grpc_tls_certificate_verifier_external verifier = {nullptr, nullptr, nullptr,
nullptr};
ExternalCertificateVerifier external_verifier_1(&verifier);
ExternalCertificateVerifier external_verifier_2(&verifier);
EXPECT_EQ(external_verifier_1.Compare(&external_verifier_2), 0);
EXPECT_EQ(external_verifier_2.Compare(&external_verifier_1), 0);
}
TEST_F(GrpcTlsCertificateVerifierTest, ExternalCertificateVerifierFailure) {
grpc_tls_certificate_verifier_external verifier_1 = {nullptr, nullptr,
nullptr, nullptr};
ExternalCertificateVerifier external_verifier_1(&verifier_1);
grpc_tls_certificate_verifier_external verifier_2 = {nullptr, nullptr,
nullptr, nullptr};
ExternalCertificateVerifier external_verifier_2(&verifier_2);
EXPECT_NE(external_verifier_1.Compare(&external_verifier_2), 0);
EXPECT_NE(external_verifier_2.Compare(&external_verifier_1), 0);
}
} // namespace testing
} // namespace grpc_core
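Review bot: `ExternalCertificateVerifierFailure` and `ExternalCertificateVerifierSuccess` together pin down that `ExternalCertificateVerifier::Compare` distinguishes verifiers by the address of the `grpc_tls_certificate_verifier_external` struct rather than by its contents (both structs hold identical null callbacks), but neither test says so. A one-line comment on the failure case, `// Identical callback tables at different addresses: comparison is by struct identity, not contents.`, would keep the next reader from filing this as a bug. If the comparison is actually meant to be content-based, the failure test encodes the wrong contract and the implementation (outside this chunk) should be checked.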

@ -0,0 +1,175 @@
//
//
// Copyright 2022 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//
// Generated by tools/codegen/core/gen_grpc_tls_credentials_options.py
#include <grpc/support/port_platform.h>
#include <string>
#include <gmock/gmock.h>
#include "src/core/lib/security/credentials/xds/xds_credentials.h"
#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
#include "test/core/util/test_config.h"
namespace grpc_core {
namespace {
TEST(TlsCredentialsOptionsComparatorTest, DifferentCertRequestType) {
auto* options_1 = grpc_tls_credentials_options_create();
auto* options_2 = grpc_tls_credentials_options_create();
options_1->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
options_2->set_cert_request_type(GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY);
EXPECT_FALSE(*options_1 == *options_2);
EXPECT_FALSE(*options_2 == *options_1);
delete options_1;
delete options_2;
}
TEST(TlsCredentialsOptionsComparatorTest, DifferentVerifyServerCert) {
auto* options_1 = grpc_tls_credentials_options_create();
auto* options_2 = grpc_tls_credentials_options_create();
options_1->set_verify_server_cert(false);
options_2->set_verify_server_cert(true);
EXPECT_FALSE(*options_1 == *options_2);
EXPECT_FALSE(*options_2 == *options_1);
delete options_1;
delete options_2;
}
TEST(TlsCredentialsOptionsComparatorTest, DifferentMinTlsVersion) {
auto* options_1 = grpc_tls_credentials_options_create();
auto* options_2 = grpc_tls_credentials_options_create();
options_1->set_min_tls_version(grpc_tls_version::TLS1_2);
options_2->set_min_tls_version(grpc_tls_version::TLS1_3);
EXPECT_FALSE(*options_1 == *options_2);
EXPECT_FALSE(*options_2 == *options_1);
delete options_1;
delete options_2;
}
TEST(TlsCredentialsOptionsComparatorTest, DifferentMaxTlsVersion) {
auto* options_1 = grpc_tls_credentials_options_create();
auto* options_2 = grpc_tls_credentials_options_create();
options_1->set_max_tls_version(grpc_tls_version::TLS1_2);
options_2->set_max_tls_version(grpc_tls_version::TLS1_3);
EXPECT_FALSE(*options_1 == *options_2);
EXPECT_FALSE(*options_2 == *options_1);
delete options_1;
delete options_2;
}
TEST(TlsCredentialsOptionsComparatorTest, DifferentCertificateVerifier) {
auto* options_1 = grpc_tls_credentials_options_create();
auto* options_2 = grpc_tls_credentials_options_create();
options_1->set_certificate_verifier(MakeRefCounted<HostNameCertificateVerifier>());
options_2->set_certificate_verifier(MakeRefCounted<XdsCertificateVerifier>(nullptr, ""));
EXPECT_FALSE(*options_1 == *options_2);
EXPECT_FALSE(*options_2 == *options_1);
delete options_1;
delete options_2;
}
TEST(TlsCredentialsOptionsComparatorTest, DifferentCheckCallHost) {
auto* options_1 = grpc_tls_credentials_options_create();
auto* options_2 = grpc_tls_credentials_options_create();
options_1->set_check_call_host(false);
options_2->set_check_call_host(true);
EXPECT_FALSE(*options_1 == *options_2);
EXPECT_FALSE(*options_2 == *options_1);
delete options_1;
delete options_2;
}
TEST(TlsCredentialsOptionsComparatorTest, DifferentCertificateProvider) {
auto* options_1 = grpc_tls_credentials_options_create();
auto* options_2 = grpc_tls_credentials_options_create();
options_1->set_certificate_provider(MakeRefCounted<StaticDataCertificateProvider>("root_cert_1", PemKeyCertPairList()));
options_2->set_certificate_provider(MakeRefCounted<StaticDataCertificateProvider>("root_cert_2", PemKeyCertPairList()));
EXPECT_FALSE(*options_1 == *options_2);
EXPECT_FALSE(*options_2 == *options_1);
delete options_1;
delete options_2;
}
TEST(TlsCredentialsOptionsComparatorTest, DifferentWatchRootCert) {
auto* options_1 = grpc_tls_credentials_options_create();
auto* options_2 = grpc_tls_credentials_options_create();
options_1->set_watch_root_cert(false);
options_2->set_watch_root_cert(true);
EXPECT_FALSE(*options_1 == *options_2);
EXPECT_FALSE(*options_2 == *options_1);
delete options_1;
delete options_2;
}
TEST(TlsCredentialsOptionsComparatorTest, DifferentRootCertName) {
auto* options_1 = grpc_tls_credentials_options_create();
auto* options_2 = grpc_tls_credentials_options_create();
options_1->set_root_cert_name("root_cert_name_1");
options_2->set_root_cert_name("root_cert_name_2");
EXPECT_FALSE(*options_1 == *options_2);
EXPECT_FALSE(*options_2 == *options_1);
delete options_1;
delete options_2;
}
TEST(TlsCredentialsOptionsComparatorTest, DifferentWatchIdentityPair) {
auto* options_1 = grpc_tls_credentials_options_create();
auto* options_2 = grpc_tls_credentials_options_create();
options_1->set_watch_identity_pair(false);
options_2->set_watch_identity_pair(true);
EXPECT_FALSE(*options_1 == *options_2);
EXPECT_FALSE(*options_2 == *options_1);
delete options_1;
delete options_2;
}
TEST(TlsCredentialsOptionsComparatorTest, DifferentIdentityCertName) {
auto* options_1 = grpc_tls_credentials_options_create();
auto* options_2 = grpc_tls_credentials_options_create();
options_1->set_identity_cert_name("identity_cert_name_1");
options_2->set_identity_cert_name("identity_cert_name_2");
EXPECT_FALSE(*options_1 == *options_2);
EXPECT_FALSE(*options_2 == *options_1);
delete options_1;
delete options_2;
}
TEST(TlsCredentialsOptionsComparatorTest, DifferentTlsSessionKeyLogFilePath) {
auto* options_1 = grpc_tls_credentials_options_create();
auto* options_2 = grpc_tls_credentials_options_create();
options_1->set_tls_session_key_log_file_path("file_path_1");
options_2->set_tls_session_key_log_file_path("file_path_2");
EXPECT_FALSE(*options_1 == *options_2);
EXPECT_FALSE(*options_2 == *options_1);
delete options_1;
delete options_2;
}
TEST(TlsCredentialsOptionsComparatorTest, DifferentCrlDirectory) {
auto* options_1 = grpc_tls_credentials_options_create();
auto* options_2 = grpc_tls_credentials_options_create();
options_1->set_crl_directory("crl_directory_1");
options_2->set_crl_directory("crl_directory_2");
EXPECT_FALSE(*options_1 == *options_2);
EXPECT_FALSE(*options_2 == *options_1);
delete options_1;
delete options_2;
}
} // namespace
} // namespace grpc_core
int main(int argc, char** argv) {
testing::InitGoogleTest(&argc, argv);
grpc::testing::TestEnvironment env(argc, argv);
grpc_init();
auto result = RUN_ALL_TESTS();
grpc_shutdown();
return result;
}
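Review bot: Every test in this generated file asserts only `EXPECT_FALSE(*options_1 == *options_2)`, so an `operator==` that unconditionally returned false would pass the whole suite; nothing pins the positive path, which is the path credential sharing actually relies on. Since the file is emitted by tools/codegen/core/gen_grpc_tls_credentials_options.py, the generator should also produce at least one equality case, e.g. two freshly created options checked with `EXPECT_TRUE(*options_1 == *options_2)`. An equality case per ref-counted member with distinct-but-equivalent objects on each side (two `HostNameCertificateVerifier` instances, two `StaticDataCertificateProvider` instances built from the same data) would additionally exercise the `Compare()` arm of the special comparators rather than the pointer-equality arm.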

@ -120,7 +120,15 @@ class TlsTestCertificateProvider : public grpc_tls_certificate_provider {
return distributor_;
}
const char* type() const override { return "tls_test"; }
private:
int CompareImpl(const grpc_tls_certificate_provider* other) const override {
// TODO(yashykt): Maybe do something better here.
return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
other);
}
RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
};
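Review bot: The `CompareImpl` override added here, and the identical ones ending at L2329 and L2344, appear to order providers purely by object address through `QsortCompare`, so two fakes with the same contents compare unequal and the sign of the result depends on allocation order. That is acceptable for test doubles, but the `TODO(yashykt): Maybe do something better here.` does not tell a reader whether identity semantics are relied upon; a comment such as `// Identity comparison: a test fake is only ever equal to itself; the sign of a non-zero result is arbitrary and tests must not depend on it.` would. The enclosing classes start outside the hunks.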
@ -481,8 +489,13 @@ TEST_F(TlsSecurityConnectorTest,
RefCountedPtr<grpc_channel_security_connector> connector =
credential->create_security_connector(nullptr, kTargetName, nullptr,
nullptr);
auto other_options = MakeRefCounted<grpc_tls_credentials_options>();
other_options->set_certificate_provider(provider);
other_options->set_watch_root_cert(true);
other_options->set_root_cert_name(kRootCertName);
other_options->set_watch_identity_pair(true);
RefCountedPtr<TlsCredentials> other_credential =
MakeRefCounted<TlsCredentials>(options);
MakeRefCounted<TlsCredentials>(other_options);
RefCountedPtr<grpc_channel_security_connector> other_connector =
other_credential->create_security_connector(nullptr, kTargetName, nullptr,
nullptr);
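Review bot: `other_options` is populated with what looks like the same four settings as `options` (the provider, `watch_root_cert`, `kRootCertName`, `watch_identity_pair`), but nothing in the hunk states whether it is meant to be equivalent to or distinct from `options`, and the assertion it feeds lies outside the hunk. If the intent is an equivalent-but-separate object so that the two connectors compare equal through `operator==` rather than through pointer identity, a comment such as `// Same configuration as |options| but a separate object, so the comparison goes through operator== rather than pointer identity.` would make that explicit; if the intent is a differing configuration, one of the setters should differ. The enclosing TEST_F body starts and ends outside the hunk.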

@ -289,6 +289,29 @@ TEST(XdsSanMatchingTest, RegexMatch) {
sans.data(), sans.size(), {SafeRegexMatcher("(abc|xyz).example.com")}));
}
TEST(XdsCertificateVerifierTest, CompareSuccess) {
XdsCertificateVerifier verifier_1(nullptr, "");
XdsCertificateVerifier verifier_2(nullptr, "");
EXPECT_EQ(verifier_1.Compare(&verifier_2), 0);
EXPECT_EQ(verifier_2.Compare(&verifier_1), 0);
}
TEST(XdsCertificateVerifierTest, CompareFailureDifferentCertificateProviders) {
XdsCertificateVerifier verifier_1(MakeRefCounted<XdsCertificateProvider>(),
"");
XdsCertificateVerifier verifier_2(MakeRefCounted<XdsCertificateProvider>(),
"");
EXPECT_NE(verifier_1.Compare(&verifier_2), 0);
EXPECT_NE(verifier_2.Compare(&verifier_1), 0);
}
TEST(XdsCertificateVerifierTest, CompareFailureDifferentClusterNames) {
XdsCertificateVerifier verifier_1(nullptr, "cluster1");
XdsCertificateVerifier verifier_2(nullptr, "cluster2");
EXPECT_NE(verifier_1.Compare(&verifier_2), 0);
EXPECT_NE(verifier_2.Compare(&verifier_1), 0);
}
} // namespace
} // namespace testing
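Review bot: The new cases cover both-null and both-non-null providers but not the mixed case, which, if `Compare` delegates to the provider's own comparator, is the one most likely to dereference a null provider; add `XdsCertificateVerifier verifier_1(nullptr, "");` against `XdsCertificateVerifier verifier_2(MakeRefCounted<XdsCertificateProvider>(), "");` with `EXPECT_NE` in both directions. A positive case in which both verifiers hold the same provider instance would also pin that equal non-null providers compare as 0, which `CompareSuccess` only demonstrates for nullptr.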

@ -43,6 +43,15 @@ class FakeCertificateProvider : public grpc_tls_certificate_provider {
GPR_ASSERT(0);
return nullptr;
}
const char* type() const override { return "fake"; }
private:
int CompareImpl(const grpc_tls_certificate_provider* other) const override {
// TODO(yashykt): Maybe do something better here.
return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
other);
}
};
class FakeCertificateProviderFactory1 : public CertificateProviderFactory {

@ -395,7 +395,15 @@ class FakeCertificateProvider final : public grpc_tls_certificate_provider {
return distributor_;
}
const char* type() const override { return "fake"; }
private:
int CompareImpl(const grpc_tls_certificate_provider* other) const override {
// TODO(yashykt): Maybe do something better here.
return grpc_core::QsortCompare(
static_cast<const grpc_tls_certificate_provider*>(this), other);
}
grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
CertDataMap cert_data_map_;
};
@ -7562,13 +7570,11 @@ class XdsSecurityTest : public BasicTest {
constexpr int kRetryCount = 100;
int num_tries = 0;
for (; num_tries < kRetryCount; num_tries++) {
// Give some time for the updates to propagate.
gpr_sleep_until(grpc_timeout_milliseconds_to_deadline(100));
// Restart the servers to force a reconnection so that previously
// connected subchannels are not used for the RPC.
ShutdownBackend(0);
StartBackend(0);
if (test_expects_failure) {
// Restart the servers to force a reconnection so that previously
// connected subchannels are not used for the RPC.
ShutdownBackend(0);
StartBackend(0);
if (SendRpc().ok()) {
gpr_log(GPR_ERROR, "RPC succeeded. Failure expected. Trying again.");
continue;
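Review bot: Moving the backend restart into the `test_expects_failure` branch means the success path of this loop (which continues outside the hunk) now reuses whatever subchannel is already connected, while the retained comment still states the restart exists so that previously connected subchannels are not used. If the success path deliberately tolerates a reused connection, the comment should say why only the failure path needs a fresh handshake, e.g. `// Only force a reconnect when a failure is expected: a failure must be observed on a fresh handshake, whereas a success on an already connected subchannel is still a success.`; otherwise the restart may need to remain on both paths. The comment also says "servers" while only backend 0 is restarted.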

@ -0,0 +1,394 @@
#!/usr/bin/env python3
# Copyright 2022 gRPC authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Generator script for src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h and test/core/security/grpc_tls_credentials_options_comparator_test.cc
# Should be executed from grpc's root directory.
from __future__ import print_function
import collections
from dataclasses import dataclass
import difflib
import filecmp
import os
import sys
import tempfile
@dataclass
class DataMember:
name: str # name of the data member without the trailing '_'
type: str # Type (eg. std::string, bool)
test_name: str # The name to use for the associated test
test_value_1: str # Test-specific value to use for comparison
test_value_2: str # Test-specific value (different from test_value_1)
default_initializer: str = '' # If non-empty, this will be used as the default initialization of this field
getter_comment: str = '' # Comment to add before the getter for this field
special_getter_return_type: str = '' # Override for the return type of getter (eg. const std::string&)
override_getter: str = '' # Override for the entire getter method. Relevant for certificate_verifier and certificate_provider
setter_comment: str = '' # Commend to add before the setter for this field
setter_move_semantics: bool = False # Should the setter use move-semantics
special_comparator: str = '' # If non-empty, this will be used in `operator==`
_DATA_MEMBERS = [
DataMember(name='cert_request_type',
type='grpc_ssl_client_certificate_request_type',
default_initializer='GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE',
test_name="DifferentCertRequestType",
test_value_1="GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE",
test_value_2="GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY"),
DataMember(name='verify_server_cert',
type='bool',
default_initializer='true',
test_name="DifferentVerifyServerCert",
test_value_1="false",
test_value_2="true"),
DataMember(name='min_tls_version',
type='grpc_tls_version',
default_initializer='grpc_tls_version::TLS1_2',
test_name="DifferentMinTlsVersion",
test_value_1="grpc_tls_version::TLS1_2",
test_value_2="grpc_tls_version::TLS1_3"),
DataMember(name='max_tls_version',
type='grpc_tls_version',
default_initializer='grpc_tls_version::TLS1_3',
test_name="DifferentMaxTlsVersion",
test_value_1="grpc_tls_version::TLS1_2",
test_value_2="grpc_tls_version::TLS1_3"),
DataMember(
name='certificate_verifier',
type='grpc_core::RefCountedPtr<grpc_tls_certificate_verifier>',
override_getter="""grpc_tls_certificate_verifier* certificate_verifier() {
return certificate_verifier_.get();
}""",
setter_move_semantics=True,
special_comparator=
'(certificate_verifier_ == other.certificate_verifier_ || (certificate_verifier_ != nullptr && other.certificate_verifier_ != nullptr && certificate_verifier_->Compare(other.certificate_verifier_.get()) == 0))',
test_name="DifferentCertificateVerifier",
test_value_1="MakeRefCounted<HostNameCertificateVerifier>()",
test_value_2="MakeRefCounted<XdsCertificateVerifier>(nullptr, \"\")"),
DataMember(name='check_call_host',
type='bool',
default_initializer='true',
test_name="DifferentCheckCallHost",
test_value_1="false",
test_value_2="true"),
DataMember(
name='certificate_provider',
type='grpc_core::RefCountedPtr<grpc_tls_certificate_provider>',
getter_comment=
'Returns the distributor from certificate_provider_ if it is set, nullptr otherwise.',
override_getter=
"""grpc_tls_certificate_distributor* certificate_distributor() {
if (certificate_provider_ != nullptr) { return certificate_provider_->distributor().get(); }
return nullptr;
}""",
setter_move_semantics=True,
special_comparator=
'(certificate_provider_ == other.certificate_provider_ || (certificate_provider_ != nullptr && other.certificate_provider_ != nullptr && certificate_provider_->Compare(other.certificate_provider_.get()) == 0))',
test_name="DifferentCertificateProvider",
test_value_1=
"MakeRefCounted<StaticDataCertificateProvider>(\"root_cert_1\", PemKeyCertPairList())",
test_value_2=
"MakeRefCounted<StaticDataCertificateProvider>(\"root_cert_2\", PemKeyCertPairList())"
),
DataMember(
name='watch_root_cert',
type='bool',
default_initializer='false',
setter_comment=
'If need to watch the updates of root certificates with name |root_cert_name|. The default value is false. If used in tls_credentials, it should always be set to true unless the root certificates are not needed.',
test_name="DifferentWatchRootCert",
test_value_1="false",
test_value_2="true"),
DataMember(
name='root_cert_name',
type='std::string',
special_getter_return_type='const std::string&',
setter_comment=
'Sets the name of root certificates being watched, if |set_watch_root_cert| is called. If not set, an empty string will be used as the name.',
setter_move_semantics=True,
test_name="DifferentRootCertName",
test_value_1="\"root_cert_name_1\"",
test_value_2="\"root_cert_name_2\""),
DataMember(
name='watch_identity_pair',
type='bool',
default_initializer='false',
setter_comment=
'If need to watch the updates of identity certificates with name |identity_cert_name|. The default value is false. If used in tls_credentials, it should always be set to true unless the identity key-cert pairs are not needed.',
test_name="DifferentWatchIdentityPair",
test_value_1="false",
test_value_2="true"),
DataMember(
name='identity_cert_name',
type='std::string',
special_getter_return_type='const std::string&',
setter_comment=
'Sets the name of identity key-cert pairs being watched, if |set_watch_identity_pair| is called. If not set, an empty string will be used as the name.',
setter_move_semantics=True,
test_name="DifferentIdentityCertName",
test_value_1="\"identity_cert_name_1\"",
test_value_2="\"identity_cert_name_2\""),
DataMember(name='tls_session_key_log_file_path',
type='std::string',
special_getter_return_type='const std::string&',
setter_move_semantics=True,
test_name="DifferentTlsSessionKeyLogFilePath",
test_value_1="\"file_path_1\"",
test_value_2="\"file_path_2\""),
DataMember(
name='crl_directory',
type='std::string',
special_getter_return_type='const std::string&',
setter_comment=
' gRPC will enforce CRLs on all handshakes from all hashed CRL files inside of the crl_directory. If not set, an empty string will be used, which will not enable CRL checking. Only supported for OpenSSL version > 1.1.',
setter_move_semantics=True,
test_name="DifferentCrlDirectory",
test_value_1="\"crl_directory_1\"",
test_value_2="\"crl_directory_2\"")
]
# print copyright notice from this file
def put_copyright(f, year):
print("""//
//
// Copyright %s gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//
""" % (year),
file=f)
# Prints differences between two files
def get_file_differences(file1, file2):
with open(file1) as f1:
file1_text = f1.readlines()
with open(file2) as f2:
file2_text = f2.readlines()
return difflib.unified_diff(file1_text,
file2_text,
fromfile=file1,
tofile=file2)
# Is this script executed in test mode?
test_mode = False
if len(sys.argv) > 1 and sys.argv[1] == "--test":
test_mode = True
HEADER_FILE_NAME = 'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h'
# Generate src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h
header_file_name = HEADER_FILE_NAME
if (test_mode):
header_file_name = tempfile.NamedTemporaryFile(delete=False).name
H = open(header_file_name, 'w')
put_copyright(H, '2018')
print(
'// Generated by tools/codegen/core/gen_grpc_tls_credentials_options.py\n',
file=H)
print(
"""#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
#include <grpc/support/port_platform.h>
#include "absl/container/inlined_vector.h"
#include <grpc/grpc_security.h>
#include "src/core/lib/gprpp/ref_counted.h"
#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h"
#include "src/core/lib/security/security_connector/ssl_utils.h"
// Contains configurable options specified by callers to configure their certain
// security features supported in TLS.
// TODO(ZhenLian): consider making this not ref-counted.
struct grpc_tls_credentials_options
: public grpc_core::RefCounted<grpc_tls_credentials_options> {
public:
~grpc_tls_credentials_options() override = default;
""",
file=H)
# Print out getters for all data members
print(" // Getters for member fields.", file=H)
for data_member in _DATA_MEMBERS:
if data_member.getter_comment != '':
print(" // " + data_member.getter_comment, file=H)
if data_member.override_getter:
print(" " + data_member.override_getter, file=H)
else:
print(
" %s %s() const { return %s; }" %
(data_member.special_getter_return_type if
data_member.special_getter_return_type != '' else data_member.type,
data_member.name, data_member.name + '_'),
file=H)
# Print out setters for all data members
print("", file=H)
print(" // Setters for member fields.", file=H)
for data_member in _DATA_MEMBERS:
if data_member.setter_comment != '':
print(" // " + data_member.setter_comment, file=H)
if (data_member.setter_move_semantics):
print(" void set_%s(%s %s) { %s_ = std::move(%s); }" %
(data_member.name, data_member.type, data_member.name,
data_member.name, data_member.name),
file=H)
else:
print(" void set_%s(%s %s) { %s_ = %s; }" %
(data_member.name, data_member.type, data_member.name,
data_member.name, data_member.name),
file=H)
# Write out operator==
print("\n bool operator==(const grpc_tls_credentials_options& other) const {",
file=H)
operator_equal_content = " return "
for i in range(len(_DATA_MEMBERS)):
if (i != 0):
operator_equal_content += " "
if (_DATA_MEMBERS[i].special_comparator != ''):
operator_equal_content += _DATA_MEMBERS[i].special_comparator
else:
operator_equal_content += _DATA_MEMBERS[
i].name + "_ == other." + _DATA_MEMBERS[i].name + "_"
if (i != len(_DATA_MEMBERS) - 1):
operator_equal_content += ' &&\n'
print(operator_equal_content + ";\n }", file=H)
#Print out data member declarations
print("\n private:", file=H)
for data_member in _DATA_MEMBERS:
if data_member.default_initializer == '':
print(" %s %s_;" % (
data_member.type,
data_member.name,
), file=H)
else:
print(" %s %s_ = %s;" % (data_member.type, data_member.name,
data_member.default_initializer),
file=H)
# Print out file ending
print("""};
#endif // GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H""",
file=H)
H.close()
# Generate test/core/security/grpc_tls_credentials_options_comparator_test.cc
TEST_FILE_NAME = 'test/core/security/grpc_tls_credentials_options_comparator_test.cc'
test_file_name = TEST_FILE_NAME
if (test_mode):
test_file_name = tempfile.NamedTemporaryFile(delete=False).name
T = open(test_file_name, 'w')
put_copyright(T, '2022')
print('// Generated by tools/codegen/core/gen_grpc_tls_credentials_options.py',
file=T)
print("""
#include <grpc/support/port_platform.h>
#include <string>
#include <gmock/gmock.h>
#include "src/core/lib/security/credentials/xds/xds_credentials.h"
#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
#include "test/core/util/test_config.h"
namespace grpc_core {
namespace {
""",
file=T)
# Generate negative test for each negative member
for data_member in _DATA_MEMBERS:
print("""TEST(TlsCredentialsOptionsComparatorTest, %s) {
auto* options_1 = grpc_tls_credentials_options_create();
auto* options_2 = grpc_tls_credentials_options_create();
options_1->set_%s(%s);
options_2->set_%s(%s);
EXPECT_FALSE(*options_1 == *options_2);
EXPECT_FALSE(*options_2 == *options_1);
delete options_1;
delete options_2;
}""" % (data_member.test_name, data_member.name, data_member.test_value_1,
data_member.name, data_member.test_value_2),
file=T)
# Print out file ending
print("""
} // namespace
} // namespace grpc_core
int main(int argc, char** argv) {
testing::InitGoogleTest(&argc, argv);
grpc::testing::TestEnvironment env(argc, argv);
grpc_init();
auto result = RUN_ALL_TESTS();
grpc_shutdown();
return result;
}""",
file=T)
T.close()
if (test_mode):
header_diff = get_file_differences(header_file_name, HEADER_FILE_NAME)
test_diff = get_file_differences(test_file_name, TEST_FILE_NAME)
os.unlink(header_file_name)
os.unlink(test_file_name)
header_error = False
for line in header_diff:
print(line)
header_error = True
if header_error:
print(
HEADER_FILE_NAME +
' should not be manually modified. Please make changes to tools/distrib/gen_grpc_tls_credentials_options.py instead.'
)
test_error = False
for line in test_diff:
print(line)
test_error = True
if test_error:
print(
TEST_FILE_NAME +
' should not be manually modified. Please make changes to tools/distrib/gen_grpc_tls_credentials_options.py instead.'
)
if (header_error or test_error):
sys.exit(1)
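Review bot: The two error messages at the end of the script point contributors at `tools/distrib/gen_grpc_tls_credentials_options.py`, but the generator lives at `tools/codegen/core/gen_grpc_tls_credentials_options.py` according to its own generated-file banner and the sanitize.sh and sanity_tests.yaml entries in this commit, so both `' should not be manually modified. Please make changes to ...'` strings should name tools/codegen/core. Separately, `tempfile.NamedTemporaryFile(delete=False).name` creates a file object that is never closed before the same path is reopened with `open(..., 'w')`; `fd, header_file_name = tempfile.mkstemp()` followed by `os.close(fd)` (likewise for the test file) avoids the leaked handle, and wrapping the two `open()` calls in `with` blocks would also close them if generation raises part-way. Minor: the field comment on `setter_comment` reads `Commend` for `Comment`, and `from __future__ import print_function` is redundant under the python3 shebang.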

@ -31,3 +31,4 @@ tools/distrib/isort_code.sh
tools/distrib/clang_format_code.sh
tools/distrib/buildifier_format_code_strict.sh || true
tools/distrib/check_redundant_namespace_qualifiers.py || true
tools/codegen/core/gen_grpc_tls_credentials_options.py

@ -32,7 +32,7 @@ for dir in $DIRS
do
for glob in $GLOB
do
files="$files `find ${CLANG_FORMAT_ROOT}/$dir -name $glob -and -not -name '*.generated.*' -and -not -name '*.upb.h' -and -not -name '*.upb.c' -and -not -name '*.upbdefs.h' -and -not -name '*.upbdefs.c' -and -not -name '*.pb.h' -and -not -name '*.pb.c' -and -not -name '*.pb.cc' -and -not -name '*.pbobjc.h' -and -not -name '*.pbobjc.m' -and -not -name '*.pbrpc.h' -and -not -name '*.pbrpc.m' -and -not -name end2end_tests.cc -and -not -name public_headers_must_be_c89.c -and -not -name grpc_shadow_boringssl.h`"
files="$files `find ${CLANG_FORMAT_ROOT}/$dir -name $glob -and -not -name '*.generated.*' -and -not -name '*.upb.h' -and -not -name '*.upb.c' -and -not -name '*.upbdefs.h' -and -not -name '*.upbdefs.c' -and -not -name '*.pb.h' -and -not -name '*.pb.c' -and -not -name '*.pb.cc' -and -not -name '*.pbobjc.h' -and -not -name '*.pbobjc.m' -and -not -name '*.pbrpc.h' -and -not -name '*.pbrpc.m' -and -not -name end2end_tests.cc -and -not -name public_headers_must_be_c89.c -and -not -name grpc_shadow_boringssl.h -and -not -name grpc_tls_credentials_options.h -and -not -name grpc_tls_credentials_options_comparator_test.cc`"
done
done

@ -2278,6 +2278,7 @@ src/core/lib/security/credentials/google_default/google_default_credentials.h \
src/core/lib/security/credentials/iam/iam_credentials.cc \
src/core/lib/security/credentials/iam/iam_credentials.h \
src/core/lib/security/credentials/insecure/insecure_credentials.cc \
src/core/lib/security/credentials/insecure/insecure_credentials.h \
src/core/lib/security/credentials/jwt/json_token.cc \
src/core/lib/security/credentials/jwt/json_token.h \
src/core/lib/security/credentials/jwt/jwt_credentials.cc \

@ -2073,6 +2073,7 @@ src/core/lib/security/credentials/google_default/google_default_credentials.h \
src/core/lib/security/credentials/iam/iam_credentials.cc \
src/core/lib/security/credentials/iam/iam_credentials.h \
src/core/lib/security/credentials/insecure/insecure_credentials.cc \
src/core/lib/security/credentials/insecure/insecure_credentials.h \
src/core/lib/security/credentials/jwt/json_token.cc \
src/core/lib/security/credentials/jwt/json_token.h \
src/core/lib/security/credentials/jwt/jwt_credentials.cc \

@ -4593,6 +4593,30 @@
],
"uses_polling": true
},
{
"args": [],
"benchmark": false,
"ci_platforms": [
"linux",
"mac",
"posix",
"windows"
],
"cpu_cost": 1.0,
"exclude_configs": [],
"exclude_iomgrs": [],
"flaky": false,
"gtest": true,
"language": "c++",
"name": "grpc_tls_credentials_options_comparator_test",
"platforms": [
"linux",
"mac",
"posix",
"windows"
],
"uses_polling": true
},
{
"args": [],
"benchmark": false,

@ -27,6 +27,7 @@
- script: tools/distrib/check_trailing_newlines.sh
- script: tools/distrib/check_upb_output.sh
- script: tools/distrib/check_pytype.sh
- script: tools/codegen/core/gen_grpc_tls_credentials_options.py --test
- script: tools/distrib/clang_format_code.sh
- script: tools/distrib/clang_tidy_code.sh
# ClangTidy needs to run exclusively because it uses files under the bazel output
