mirror of https://github.com/grpc/grpc.git
Merge pull request #19778 from matthewstevenson88/spiffe1
Add C++ wrapper for SPIFFE credentials v2pull/20277/head
matthewstevenson88
5 years ago
committed by
GitHub
commit
0362df725f
25 changed files with 1549 additions and 18 deletions
@ -0,0 +1,330 @@ |
||||
/*
|
||||
* |
||||
* Copyright 2019 gRPC authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
* |
||||
*/ |
||||
|
||||
#ifndef GRPCPP_SECURITY_TLS_CREDENTIALS_OPTIONS_H |
||||
#define GRPCPP_SECURITY_TLS_CREDENTIALS_OPTIONS_H |
||||
|
||||
#include <memory> |
||||
#include <vector> |
||||
|
||||
#include <grpc/grpc_security_constants.h> |
||||
#include <grpc/status.h> |
||||
#include <grpc/support/log.h> |
||||
#include <grpcpp/support/config.h> |
||||
|
||||
typedef struct grpc_tls_credential_reload_arg grpc_tls_credential_reload_arg; |
||||
typedef struct grpc_tls_credential_reload_config |
||||
grpc_tls_credential_reload_config; |
||||
typedef struct grpc_tls_server_authorization_check_arg |
||||
grpc_tls_server_authorization_check_arg; |
||||
typedef struct grpc_tls_server_authorization_check_config |
||||
grpc_tls_server_authorization_check_config; |
||||
typedef struct grpc_tls_credentials_options grpc_tls_credentials_options; |
||||
|
||||
namespace grpc_impl { |
||||
namespace experimental { |
||||
|
||||
/** TLS key materials config, wrapper for grpc_tls_key_materials_config. It is
|
||||
* used for experimental purposes for now and subject to change. **/ |
||||
class TlsKeyMaterialsConfig { |
||||
public: |
||||
struct PemKeyCertPair { |
||||
grpc::string private_key; |
||||
grpc::string cert_chain; |
||||
}; |
||||
|
||||
/** Getters for member fields. **/ |
||||
const grpc::string pem_root_certs() const { return pem_root_certs_; } |
||||
const std::vector<PemKeyCertPair>& pem_key_cert_pair_list() const { |
||||
return pem_key_cert_pair_list_; |
||||
} |
||||
int version() const { return version_; } |
||||
|
||||
/** Setter for key materials that will be called by the user. The setter
|
||||
* transfers ownership of the arguments to the config. **/ |
||||
void set_pem_root_certs(grpc::string pem_root_certs); |
||||
void add_pem_key_cert_pair(const PemKeyCertPair& pem_key_cert_pair); |
||||
void set_key_materials(grpc::string pem_root_certs, |
||||
std::vector<PemKeyCertPair> pem_key_cert_pair_list); |
||||
void set_version(int version) { version_ = version; }; |
||||
|
||||
private: |
||||
int version_ = 0; |
||||
std::vector<PemKeyCertPair> pem_key_cert_pair_list_; |
||||
grpc::string pem_root_certs_; |
||||
}; |
||||
|
||||
/** TLS credential reload arguments, wraps grpc_tls_credential_reload_arg. It is
|
||||
* used for experimental purposes for now and it is subject to change. |
||||
* |
||||
* The credential reload arg contains all the info necessary to schedule/cancel |
||||
* a credential reload request. The callback function must be called after |
||||
* finishing the schedule operation. See the description of the |
||||
* grpc_tls_credential_reload_arg struct in grpc_security.h for more details. |
||||
* **/ |
||||
class TlsCredentialReloadArg { |
||||
public: |
||||
/** TlsCredentialReloadArg does not take ownership of the C arg that is passed
|
||||
* to the constructor. One must remember to free any memory allocated to the C |
||||
* arg after using the setter functions below. **/ |
||||
TlsCredentialReloadArg(grpc_tls_credential_reload_arg* arg); |
||||
~TlsCredentialReloadArg(); |
||||
|
||||
/** Getters for member fields. The callback function is not exposed.
|
||||
* They return the corresponding fields of the underlying C arg. In the case |
||||
* of the key materials config, it creates a new instance of the C++ key |
||||
* materials config from the underlying C grpc_tls_key_materials_config. **/ |
||||
void* cb_user_data() const; |
||||
bool is_pem_key_cert_pair_list_empty() const; |
||||
grpc_ssl_certificate_config_reload_status status() const; |
||||
grpc::string error_details() const; |
||||
|
||||
/** Setters for member fields. They modify the fields of the underlying C arg.
|
||||
* The setters for the key_materials_config and the error_details allocate |
||||
* memory when modifying c_arg_, so one must remember to free c_arg_'s |
||||
* original key_materials_config or error_details after using the appropriate |
||||
* setter function. |
||||
* **/ |
||||
void set_cb_user_data(void* cb_user_data); |
||||
void set_pem_root_certs(const grpc::string& pem_root_certs); |
||||
void add_pem_key_cert_pair( |
||||
TlsKeyMaterialsConfig::PemKeyCertPair pem_key_cert_pair); |
||||
void set_key_materials_config( |
||||
const std::shared_ptr<TlsKeyMaterialsConfig>& key_materials_config); |
||||
void set_status(grpc_ssl_certificate_config_reload_status status); |
||||
void set_error_details(const grpc::string& error_details); |
||||
|
||||
/** Calls the C arg's callback function. **/ |
||||
void OnCredentialReloadDoneCallback(); |
||||
|
||||
private: |
||||
grpc_tls_credential_reload_arg* c_arg_; |
||||
}; |
||||
|
||||
/** An interface that the application derives and uses to instantiate a
|
||||
* TlsCredentialReloadConfig instance. Refer to the definition of the |
||||
* grpc_tls_credential_reload_config in grpc_tls_credentials_options.h for more |
||||
* details on the expectations of the member functions of the interface. **/ |
||||
struct TlsCredentialReloadInterface { |
||||
virtual ~TlsCredentialReloadInterface() = default; |
||||
/** A callback that invokes the credential reload. **/ |
||||
virtual int Schedule(TlsCredentialReloadArg* arg) = 0; |
||||
/** A callback that cancels a credential reload request. **/ |
||||
virtual void Cancel(TlsCredentialReloadArg* arg) {} |
||||
}; |
||||
|
||||
/** TLS credential reloag config, wraps grpc_tls_credential_reload_config. It is
|
||||
* used for experimental purposes for now and it is subject to change. **/ |
||||
class TlsCredentialReloadConfig { |
||||
public: |
||||
TlsCredentialReloadConfig(std::shared_ptr<TlsCredentialReloadInterface> |
||||
credential_reload_interface); |
||||
~TlsCredentialReloadConfig(); |
||||
|
||||
int Schedule(TlsCredentialReloadArg* arg) const { |
||||
if (credential_reload_interface_ == nullptr) { |
||||
gpr_log(GPR_ERROR, "credential reload interface is nullptr"); |
||||
if (arg != nullptr) { |
||||
arg->set_status(GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL); |
||||
arg->set_error_details( |
||||
"the interface of the credential reload config is nullptr"); |
||||
} |
||||
return 1; |
||||
} |
||||
return credential_reload_interface_->Schedule(arg); |
||||
} |
||||
|
||||
void Cancel(TlsCredentialReloadArg* arg) const { |
||||
if (credential_reload_interface_ == nullptr) { |
||||
gpr_log(GPR_ERROR, "credential reload interface is nullptr"); |
||||
if (arg != nullptr) { |
||||
arg->set_status(GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL); |
||||
arg->set_error_details( |
||||
"the interface of the credential reload config is nullptr"); |
||||
} |
||||
return; |
||||
} |
||||
credential_reload_interface_->Cancel(arg); |
||||
} |
||||
|
||||
/** Returns a C struct for the credential reload config. **/ |
||||
grpc_tls_credential_reload_config* c_config() const { return c_config_; } |
||||
|
||||
private: |
||||
grpc_tls_credential_reload_config* c_config_; |
||||
std::shared_ptr<TlsCredentialReloadInterface> credential_reload_interface_; |
||||
}; |
||||
|
||||
/** TLS server authorization check arguments, wraps
|
||||
* grpc_tls_server_authorization_check_arg. It is used for experimental |
||||
* purposes for now and it is subject to change. |
||||
* |
||||
* The server authorization check arg contains all the info necessary to |
||||
* schedule/cancel a server authorization check request. The callback function |
||||
* must be called after finishing the schedule operation. See the description |
||||
* of the grpc_tls_server_authorization_check_arg struct in grpc_security.h for |
||||
* more details. **/ |
||||
class TlsServerAuthorizationCheckArg { |
||||
public: |
||||
/** TlsServerAuthorizationCheckArg does not take ownership of the C arg passed
|
||||
* to the constructor. One must remember to free any memory allocated to the |
||||
* C arg after using the setter functions below. **/ |
||||
TlsServerAuthorizationCheckArg(grpc_tls_server_authorization_check_arg* arg); |
||||
~TlsServerAuthorizationCheckArg(); |
||||
|
||||
/** Getters for member fields. They return the corresponding fields of the
|
||||
* underlying C arg.**/ |
||||
void* cb_user_data() const; |
||||
int success() const; |
||||
grpc::string target_name() const; |
||||
grpc::string peer_cert() const; |
||||
grpc_status_code status() const; |
||||
grpc::string error_details() const; |
||||
|
||||
/** Setters for member fields. They modify the fields of the underlying C arg.
|
||||
* The setters for target_name, peer_cert, and error_details allocate memory |
||||
* when modifying c_arg_, so one must remember to free c_arg_'s original |
||||
* target_name, peer_cert, or error_details after using the appropriate setter |
||||
* function. |
||||
* **/ |
||||
void set_cb_user_data(void* cb_user_data); |
||||
void set_success(int success); |
||||
void set_target_name(const grpc::string& target_name); |
||||
void set_peer_cert(const grpc::string& peer_cert); |
||||
void set_status(grpc_status_code status); |
||||
void set_error_details(const grpc::string& error_details); |
||||
|
||||
/** Calls the C arg's callback function. **/ |
||||
void OnServerAuthorizationCheckDoneCallback(); |
||||
|
||||
private: |
||||
grpc_tls_server_authorization_check_arg* c_arg_; |
||||
}; |
||||
|
||||
/** An interface that the application derives and uses to instantiate a
|
||||
* TlsServerAuthorizationCheckConfig instance. Refer to the definition of the |
||||
* grpc_tls_server_authorization_check_config in grpc_tls_credentials_options.h |
||||
* for more details on the expectations of the member functions of the |
||||
* interface. |
||||
* **/ |
||||
struct TlsServerAuthorizationCheckInterface { |
||||
virtual ~TlsServerAuthorizationCheckInterface() = default; |
||||
/** A callback that invokes the server authorization check. **/ |
||||
virtual int Schedule(TlsServerAuthorizationCheckArg* arg) = 0; |
||||
/** A callback that cancels a server authorization check request. **/ |
||||
virtual void Cancel(TlsServerAuthorizationCheckArg* arg) {} |
||||
}; |
||||
|
||||
/** TLS server authorization check config, wraps
|
||||
* grps_tls_server_authorization_check_config. It is used for experimental |
||||
* purposes for now and it is subject to change. **/ |
||||
class TlsServerAuthorizationCheckConfig { |
||||
public: |
||||
TlsServerAuthorizationCheckConfig( |
||||
std::shared_ptr<TlsServerAuthorizationCheckInterface> |
||||
server_authorization_check_interface); |
||||
~TlsServerAuthorizationCheckConfig(); |
||||
|
||||
int Schedule(TlsServerAuthorizationCheckArg* arg) const { |
||||
if (server_authorization_check_interface_ == nullptr) { |
||||
gpr_log(GPR_ERROR, "server authorization check interface is nullptr"); |
||||
if (arg != nullptr) { |
||||
arg->set_status(GRPC_STATUS_NOT_FOUND); |
||||
arg->set_error_details( |
||||
"the interface of the server authorization check config is " |
||||
"nullptr"); |
||||
} |
||||
return 1; |
||||
} |
||||
return server_authorization_check_interface_->Schedule(arg); |
||||
} |
||||
|
||||
void Cancel(TlsServerAuthorizationCheckArg* arg) const { |
||||
if (server_authorization_check_interface_ == nullptr) { |
||||
gpr_log(GPR_ERROR, "server authorization check interface is nullptr"); |
||||
if (arg != nullptr) { |
||||
arg->set_status(GRPC_STATUS_NOT_FOUND); |
||||
arg->set_error_details( |
||||
"the interface of the server authorization check config is " |
||||
"nullptr"); |
||||
} |
||||
return; |
||||
} |
||||
server_authorization_check_interface_->Cancel(arg); |
||||
} |
||||
|
||||
/** Returns C struct for the server authorization check config. **/ |
||||
grpc_tls_server_authorization_check_config* c_config() const { |
||||
return c_config_; |
||||
} |
||||
|
||||
private: |
||||
grpc_tls_server_authorization_check_config* c_config_; |
||||
std::shared_ptr<TlsServerAuthorizationCheckInterface> |
||||
server_authorization_check_interface_; |
||||
}; |
||||
|
||||
/** TLS credentials options, wrapper for grpc_tls_credentials_options. It is
|
||||
* used for experimental purposes for now and it is subject to change. See the |
||||
* description of the grpc_tls_credentials_options struct in grpc_security.h for |
||||
* more details. **/ |
||||
class TlsCredentialsOptions { |
||||
public: |
||||
TlsCredentialsOptions( |
||||
grpc_ssl_client_certificate_request_type cert_request_type, |
||||
std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config, |
||||
std::shared_ptr<TlsCredentialReloadConfig> credential_reload_config, |
||||
std::shared_ptr<TlsServerAuthorizationCheckConfig> |
||||
server_authorization_check_config); |
||||
~TlsCredentialsOptions(); |
||||
|
||||
/** Getters for member fields. **/ |
||||
grpc_ssl_client_certificate_request_type cert_request_type() const { |
||||
return cert_request_type_; |
||||
} |
||||
std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config() const { |
||||
return key_materials_config_; |
||||
} |
||||
std::shared_ptr<TlsCredentialReloadConfig> credential_reload_config() const { |
||||
return credential_reload_config_; |
||||
} |
||||
std::shared_ptr<TlsServerAuthorizationCheckConfig> |
||||
server_authorization_check_config() const { |
||||
return server_authorization_check_config_; |
||||
} |
||||
grpc_tls_credentials_options* c_credentials_options() const { |
||||
return c_credentials_options_; |
||||
} |
||||
|
||||
private: |
||||
/** The cert_request_type_ flag is only relevant when the
|
||||
* TlsCredentialsOptions are used to instantiate server credentials; the flag |
||||
* goes unused when creating channel credentials, and the user can set it to |
||||
* GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE. **/ |
||||
grpc_ssl_client_certificate_request_type cert_request_type_; |
||||
std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config_; |
||||
std::shared_ptr<TlsCredentialReloadConfig> credential_reload_config_; |
||||
std::shared_ptr<TlsServerAuthorizationCheckConfig> |
||||
server_authorization_check_config_; |
||||
grpc_tls_credentials_options* c_credentials_options_; |
||||
}; |
||||
|
||||
} // namespace experimental
|
||||
} // namespace grpc_impl
|
||||
|
||||
#endif // GRPCPP_SECURITY_TLS_CREDENTIALS_OPTIONS_H
|
||||
@ -0,0 +1,282 @@ |
||||
/*
|
||||
* |
||||
* Copyright 2019 gRPC authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
* |
||||
*/ |
||||
|
||||
#include <grpcpp/security/tls_credentials_options.h> |
||||
#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h" |
||||
|
||||
#include <grpc/support/alloc.h> |
||||
|
||||
#include "src/cpp/common/tls_credentials_options_util.h" |
||||
|
||||
namespace grpc_impl { |
||||
namespace experimental { |
||||
|
||||
/** TLS key materials config API implementation **/ |
||||
void TlsKeyMaterialsConfig::set_pem_root_certs(grpc::string pem_root_certs) { |
||||
pem_root_certs_ = std::move(pem_root_certs); |
||||
} |
||||
|
||||
void TlsKeyMaterialsConfig::add_pem_key_cert_pair( |
||||
const PemKeyCertPair& pem_key_cert_pair) { |
||||
pem_key_cert_pair_list_.push_back(pem_key_cert_pair); |
||||
} |
||||
|
||||
void TlsKeyMaterialsConfig::set_key_materials( |
||||
grpc::string pem_root_certs, |
||||
std::vector<PemKeyCertPair> pem_key_cert_pair_list) { |
||||
pem_key_cert_pair_list_ = std::move(pem_key_cert_pair_list); |
||||
pem_root_certs_ = std::move(pem_root_certs); |
||||
} |
||||
|
||||
/** TLS credential reload arg API implementation **/ |
||||
TlsCredentialReloadArg::TlsCredentialReloadArg( |
||||
grpc_tls_credential_reload_arg* arg) |
||||
: c_arg_(arg) { |
||||
if (c_arg_ != nullptr && c_arg_->context != nullptr) { |
||||
gpr_log(GPR_ERROR, "c_arg context has already been set"); |
||||
} |
||||
c_arg_->context = static_cast<void*>(this); |
||||
c_arg_->destroy_context = &TlsCredentialReloadArgDestroyContext; |
||||
} |
||||
|
||||
TlsCredentialReloadArg::~TlsCredentialReloadArg() {} |
||||
|
||||
void* TlsCredentialReloadArg::cb_user_data() const { |
||||
return c_arg_->cb_user_data; |
||||
} |
||||
|
||||
bool TlsCredentialReloadArg::is_pem_key_cert_pair_list_empty() const { |
||||
return c_arg_->key_materials_config->pem_key_cert_pair_list().empty(); |
||||
} |
||||
|
||||
grpc_ssl_certificate_config_reload_status TlsCredentialReloadArg::status() |
||||
const { |
||||
return c_arg_->status; |
||||
} |
||||
|
||||
grpc::string TlsCredentialReloadArg::error_details() const { |
||||
grpc::string cpp_error_details(c_arg_->error_details); |
||||
return cpp_error_details; |
||||
} |
||||
|
||||
void TlsCredentialReloadArg::set_cb_user_data(void* cb_user_data) { |
||||
c_arg_->cb_user_data = cb_user_data; |
||||
} |
||||
|
||||
void TlsCredentialReloadArg::set_pem_root_certs( |
||||
const grpc::string& pem_root_certs) { |
||||
::grpc_core::UniquePtr<char> c_pem_root_certs( |
||||
gpr_strdup(pem_root_certs.c_str())); |
||||
c_arg_->key_materials_config->set_pem_root_certs(std::move(c_pem_root_certs)); |
||||
} |
||||
|
||||
void TlsCredentialReloadArg::add_pem_key_cert_pair( |
||||
TlsKeyMaterialsConfig::PemKeyCertPair pem_key_cert_pair) { |
||||
grpc_ssl_pem_key_cert_pair* ssl_pair = |
||||
(grpc_ssl_pem_key_cert_pair*)gpr_malloc( |
||||
sizeof(grpc_ssl_pem_key_cert_pair)); |
||||
ssl_pair->private_key = gpr_strdup(pem_key_cert_pair.private_key.c_str()); |
||||
ssl_pair->cert_chain = gpr_strdup(pem_key_cert_pair.cert_chain.c_str()); |
||||
::grpc_core::PemKeyCertPair c_pem_key_cert_pair = |
||||
::grpc_core::PemKeyCertPair(ssl_pair); |
||||
c_arg_->key_materials_config->add_pem_key_cert_pair( |
||||
std::move(c_pem_key_cert_pair)); |
||||
} |
||||
|
||||
void TlsCredentialReloadArg::set_key_materials_config( |
||||
const std::shared_ptr<TlsKeyMaterialsConfig>& key_materials_config) { |
||||
if (key_materials_config == nullptr) { |
||||
c_arg_->key_materials_config = nullptr; |
||||
return; |
||||
} |
||||
::grpc_core::InlinedVector<::grpc_core::PemKeyCertPair, 1> |
||||
c_pem_key_cert_pair_list; |
||||
for (auto key_cert_pair = |
||||
key_materials_config->pem_key_cert_pair_list().begin(); |
||||
key_cert_pair != key_materials_config->pem_key_cert_pair_list().end(); |
||||
key_cert_pair++) { |
||||
grpc_ssl_pem_key_cert_pair* ssl_pair = |
||||
(grpc_ssl_pem_key_cert_pair*)gpr_malloc( |
||||
sizeof(grpc_ssl_pem_key_cert_pair)); |
||||
ssl_pair->private_key = gpr_strdup(key_cert_pair->private_key.c_str()); |
||||
ssl_pair->cert_chain = gpr_strdup(key_cert_pair->cert_chain.c_str()); |
||||
::grpc_core::PemKeyCertPair c_pem_key_cert_pair = |
||||
::grpc_core::PemKeyCertPair(ssl_pair); |
||||
c_pem_key_cert_pair_list.emplace_back(std::move(c_pem_key_cert_pair)); |
||||
} |
||||
::grpc_core::UniquePtr<char> c_pem_root_certs( |
||||
gpr_strdup(key_materials_config->pem_root_certs().c_str())); |
||||
if (c_arg_->key_materials_config == nullptr) { |
||||
c_arg_->key_materials_config = grpc_tls_key_materials_config_create(); |
||||
} |
||||
c_arg_->key_materials_config->set_key_materials( |
||||
std::move(c_pem_root_certs), std::move(c_pem_key_cert_pair_list)); |
||||
c_arg_->key_materials_config->set_version(key_materials_config->version()); |
||||
} |
||||
|
||||
void TlsCredentialReloadArg::set_status( |
||||
grpc_ssl_certificate_config_reload_status status) { |
||||
c_arg_->status = status; |
||||
} |
||||
|
||||
void TlsCredentialReloadArg::set_error_details( |
||||
const grpc::string& error_details) { |
||||
c_arg_->error_details = gpr_strdup(error_details.c_str()); |
||||
} |
||||
|
||||
void TlsCredentialReloadArg::OnCredentialReloadDoneCallback() { |
||||
if (c_arg_->cb == nullptr) { |
||||
gpr_log(GPR_ERROR, "credential reload arg callback API is nullptr"); |
||||
return; |
||||
} |
||||
c_arg_->cb(c_arg_); |
||||
} |
||||
|
||||
/** gRPC TLS credential reload config API implementation **/ |
||||
TlsCredentialReloadConfig::TlsCredentialReloadConfig( |
||||
std::shared_ptr<TlsCredentialReloadInterface> credential_reload_interface) |
||||
: credential_reload_interface_(std::move(credential_reload_interface)) { |
||||
c_config_ = grpc_tls_credential_reload_config_create( |
||||
nullptr, &TlsCredentialReloadConfigCSchedule, |
||||
&TlsCredentialReloadConfigCCancel, nullptr); |
||||
c_config_->set_context(static_cast<void*>(this)); |
||||
} |
||||
|
||||
TlsCredentialReloadConfig::~TlsCredentialReloadConfig() {} |
||||
|
||||
/** gRPC TLS server authorization check arg API implementation **/ |
||||
TlsServerAuthorizationCheckArg::TlsServerAuthorizationCheckArg( |
||||
grpc_tls_server_authorization_check_arg* arg) |
||||
: c_arg_(arg) { |
||||
if (c_arg_ != nullptr && c_arg_->context != nullptr) { |
||||
gpr_log(GPR_ERROR, "c_arg context has already been set"); |
||||
} |
||||
c_arg_->context = static_cast<void*>(this); |
||||
c_arg_->destroy_context = &TlsServerAuthorizationCheckArgDestroyContext; |
||||
} |
||||
|
||||
TlsServerAuthorizationCheckArg::~TlsServerAuthorizationCheckArg() {} |
||||
|
||||
void* TlsServerAuthorizationCheckArg::cb_user_data() const { |
||||
return c_arg_->cb_user_data; |
||||
} |
||||
|
||||
int TlsServerAuthorizationCheckArg::success() const { return c_arg_->success; } |
||||
|
||||
grpc::string TlsServerAuthorizationCheckArg::target_name() const { |
||||
grpc::string cpp_target_name(c_arg_->target_name); |
||||
return cpp_target_name; |
||||
} |
||||
|
||||
grpc::string TlsServerAuthorizationCheckArg::peer_cert() const { |
||||
grpc::string cpp_peer_cert(c_arg_->peer_cert); |
||||
return cpp_peer_cert; |
||||
} |
||||
|
||||
grpc_status_code TlsServerAuthorizationCheckArg::status() const { |
||||
return c_arg_->status; |
||||
} |
||||
|
||||
grpc::string TlsServerAuthorizationCheckArg::error_details() const { |
||||
grpc::string cpp_error_details(c_arg_->error_details); |
||||
return cpp_error_details; |
||||
} |
||||
|
||||
void TlsServerAuthorizationCheckArg::set_cb_user_data(void* cb_user_data) { |
||||
c_arg_->cb_user_data = cb_user_data; |
||||
} |
||||
|
||||
void TlsServerAuthorizationCheckArg::set_success(int success) { |
||||
c_arg_->success = success; |
||||
} |
||||
|
||||
void TlsServerAuthorizationCheckArg::set_target_name( |
||||
const grpc::string& target_name) { |
||||
c_arg_->target_name = gpr_strdup(target_name.c_str()); |
||||
} |
||||
|
||||
void TlsServerAuthorizationCheckArg::set_peer_cert( |
||||
const grpc::string& peer_cert) { |
||||
c_arg_->peer_cert = gpr_strdup(peer_cert.c_str()); |
||||
} |
||||
|
||||
void TlsServerAuthorizationCheckArg::set_status(grpc_status_code status) { |
||||
c_arg_->status = status; |
||||
} |
||||
|
||||
void TlsServerAuthorizationCheckArg::set_error_details( |
||||
const grpc::string& error_details) { |
||||
c_arg_->error_details = gpr_strdup(error_details.c_str()); |
||||
} |
||||
|
||||
void TlsServerAuthorizationCheckArg::OnServerAuthorizationCheckDoneCallback() { |
||||
if (c_arg_->cb == nullptr) { |
||||
gpr_log(GPR_ERROR, "server authorizaton check arg callback API is nullptr"); |
||||
return; |
||||
} |
||||
c_arg_->cb(c_arg_); |
||||
} |
||||
|
||||
/** gRPC TLS server authorization check config API implementation. **/ |
||||
TlsServerAuthorizationCheckConfig::TlsServerAuthorizationCheckConfig( |
||||
std::shared_ptr<TlsServerAuthorizationCheckInterface> |
||||
server_authorization_check_interface) |
||||
: server_authorization_check_interface_( |
||||
std::move(server_authorization_check_interface)) { |
||||
c_config_ = grpc_tls_server_authorization_check_config_create( |
||||
nullptr, &TlsServerAuthorizationCheckConfigCSchedule, |
||||
&TlsServerAuthorizationCheckConfigCCancel, nullptr); |
||||
c_config_->set_context(static_cast<void*>(this)); |
||||
} |
||||
|
||||
TlsServerAuthorizationCheckConfig::~TlsServerAuthorizationCheckConfig() {} |
||||
|
||||
/** gRPC TLS credential options API implementation **/ |
||||
TlsCredentialsOptions::TlsCredentialsOptions( |
||||
grpc_ssl_client_certificate_request_type cert_request_type, |
||||
std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config, |
||||
std::shared_ptr<TlsCredentialReloadConfig> credential_reload_config, |
||||
std::shared_ptr<TlsServerAuthorizationCheckConfig> |
||||
server_authorization_check_config) |
||||
: cert_request_type_(cert_request_type), |
||||
key_materials_config_(std::move(key_materials_config)), |
||||
credential_reload_config_(std::move(credential_reload_config)), |
||||
server_authorization_check_config_( |
||||
std::move(server_authorization_check_config)) { |
||||
c_credentials_options_ = grpc_tls_credentials_options_create(); |
||||
grpc_tls_credentials_options_set_cert_request_type(c_credentials_options_, |
||||
cert_request_type_); |
||||
if (key_materials_config_ != nullptr) { |
||||
grpc_tls_credentials_options_set_key_materials_config( |
||||
c_credentials_options_, |
||||
ConvertToCKeyMaterialsConfig(key_materials_config_)); |
||||
} |
||||
if (credential_reload_config_ != nullptr) { |
||||
grpc_tls_credentials_options_set_credential_reload_config( |
||||
c_credentials_options_, credential_reload_config_->c_config()); |
||||
} |
||||
if (server_authorization_check_config_ != nullptr) { |
||||
grpc_tls_credentials_options_set_server_authorization_check_config( |
||||
c_credentials_options_, server_authorization_check_config_->c_config()); |
||||
} |
||||
} |
||||
|
||||
TlsCredentialsOptions::~TlsCredentialsOptions() {} |
||||
|
||||
} // namespace experimental
|
||||
} // namespace grpc_impl
|
||||
@ -0,0 +1,150 @@ |
||||
/*
|
||||
* |
||||
* Copyright 2019 gRPC authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
* |
||||
*/ |
||||
|
||||
#include "src/cpp/common/tls_credentials_options_util.h" |
||||
#include <grpcpp/security/tls_credentials_options.h> |
||||
|
||||
namespace grpc_impl { |
||||
namespace experimental { |
||||
|
||||
/** Converts the Cpp key materials to C key materials; this allocates memory for
|
||||
* the C key materials. Note that the user must free |
||||
* the underlying pointer to private key and cert chain duplicates; they are not |
||||
* freed when the UniquePtr<char> member variables of PemKeyCertPair are unused. |
||||
* Similarly, the user must free the underlying pointer to c_pem_root_certs. **/ |
||||
grpc_tls_key_materials_config* ConvertToCKeyMaterialsConfig( |
||||
const std::shared_ptr<TlsKeyMaterialsConfig>& config) { |
||||
if (config == nullptr) { |
||||
return nullptr; |
||||
} |
||||
grpc_tls_key_materials_config* c_config = |
||||
grpc_tls_key_materials_config_create(); |
||||
::grpc_core::InlinedVector<::grpc_core::PemKeyCertPair, 1> |
||||
c_pem_key_cert_pair_list; |
||||
for (auto key_cert_pair = config->pem_key_cert_pair_list().begin(); |
||||
key_cert_pair != config->pem_key_cert_pair_list().end(); |
||||
key_cert_pair++) { |
||||
grpc_ssl_pem_key_cert_pair* ssl_pair = |
||||
(grpc_ssl_pem_key_cert_pair*)gpr_malloc( |
||||
sizeof(grpc_ssl_pem_key_cert_pair)); |
||||
ssl_pair->private_key = gpr_strdup(key_cert_pair->private_key.c_str()); |
||||
ssl_pair->cert_chain = gpr_strdup(key_cert_pair->cert_chain.c_str()); |
||||
::grpc_core::PemKeyCertPair c_pem_key_cert_pair = |
||||
::grpc_core::PemKeyCertPair(ssl_pair); |
||||
c_pem_key_cert_pair_list.push_back(::std::move(c_pem_key_cert_pair)); |
||||
} |
||||
::grpc_core::UniquePtr<char> c_pem_root_certs( |
||||
gpr_strdup(config->pem_root_certs().c_str())); |
||||
c_config->set_key_materials(std::move(c_pem_root_certs), |
||||
std::move(c_pem_key_cert_pair_list)); |
||||
c_config->set_version(config->version()); |
||||
return c_config; |
||||
} |
||||
|
||||
/** The C schedule and cancel functions for the credential reload config.
|
||||
* They populate a C credential reload arg with the result of a C++ credential |
||||
* reload schedule/cancel API. **/ |
||||
int TlsCredentialReloadConfigCSchedule(void* config_user_data, |
||||
grpc_tls_credential_reload_arg* arg) { |
||||
if (arg == nullptr || arg->config == nullptr || |
||||
arg->config->context() == nullptr) { |
||||
gpr_log(GPR_ERROR, "credential reload arg was not properly initialized"); |
||||
return 1; |
||||
} |
||||
TlsCredentialReloadConfig* cpp_config = |
||||
static_cast<TlsCredentialReloadConfig*>(arg->config->context()); |
||||
TlsCredentialReloadArg* cpp_arg = new TlsCredentialReloadArg(arg); |
||||
int schedule_result = cpp_config->Schedule(cpp_arg); |
||||
return schedule_result; |
||||
} |
||||
|
||||
void TlsCredentialReloadConfigCCancel(void* config_user_data, |
||||
grpc_tls_credential_reload_arg* arg) { |
||||
if (arg == nullptr || arg->config == nullptr || |
||||
arg->config->context() == nullptr) { |
||||
gpr_log(GPR_ERROR, "credential reload arg was not properly initialized"); |
||||
return; |
||||
} |
||||
if (arg->context == nullptr) { |
||||
gpr_log(GPR_ERROR, "credential reload arg schedule has already completed"); |
||||
return; |
||||
} |
||||
TlsCredentialReloadConfig* cpp_config = |
||||
static_cast<TlsCredentialReloadConfig*>(arg->config->context()); |
||||
TlsCredentialReloadArg* cpp_arg = |
||||
static_cast<TlsCredentialReloadArg*>(arg->context); |
||||
cpp_config->Cancel(cpp_arg); |
||||
} |
||||
|
||||
void TlsCredentialReloadArgDestroyContext(void* context) { |
||||
if (context != nullptr) { |
||||
TlsCredentialReloadArg* cpp_arg = |
||||
static_cast<TlsCredentialReloadArg*>(context); |
||||
delete cpp_arg; |
||||
} |
||||
} |
||||
|
||||
/** The C schedule and cancel functions for the server authorization check
|
||||
* config. They populate a C server authorization check arg with the result |
||||
* of a C++ server authorization check schedule/cancel API. **/ |
||||
int TlsServerAuthorizationCheckConfigCSchedule( |
||||
void* config_user_data, grpc_tls_server_authorization_check_arg* arg) { |
||||
if (arg == nullptr || arg->config == nullptr || |
||||
arg->config->context() == nullptr) { |
||||
gpr_log(GPR_ERROR, |
||||
"server authorization check arg was not properly initialized"); |
||||
return 1; |
||||
} |
||||
TlsServerAuthorizationCheckConfig* cpp_config = |
||||
static_cast<TlsServerAuthorizationCheckConfig*>(arg->config->context()); |
||||
TlsServerAuthorizationCheckArg* cpp_arg = |
||||
new TlsServerAuthorizationCheckArg(arg); |
||||
int schedule_result = cpp_config->Schedule(cpp_arg); |
||||
return schedule_result; |
||||
} |
||||
|
||||
void TlsServerAuthorizationCheckConfigCCancel( |
||||
void* config_user_data, grpc_tls_server_authorization_check_arg* arg) { |
||||
if (arg == nullptr || arg->config == nullptr || |
||||
arg->config->context() == nullptr) { |
||||
gpr_log(GPR_ERROR, |
||||
"server authorization check arg was not properly initialized"); |
||||
return; |
||||
} |
||||
if (arg->context == nullptr) { |
||||
gpr_log(GPR_ERROR, |
||||
"server authorization check arg schedule has already completed"); |
||||
return; |
||||
} |
||||
TlsServerAuthorizationCheckConfig* cpp_config = |
||||
static_cast<TlsServerAuthorizationCheckConfig*>(arg->config->context()); |
||||
TlsServerAuthorizationCheckArg* cpp_arg = |
||||
static_cast<TlsServerAuthorizationCheckArg*>(arg->context); |
||||
cpp_config->Cancel(cpp_arg); |
||||
} |
||||
|
||||
void TlsServerAuthorizationCheckArgDestroyContext(void* context) { |
||||
if (context != nullptr) { |
||||
TlsServerAuthorizationCheckArg* cpp_arg = |
||||
static_cast<TlsServerAuthorizationCheckArg*>(context); |
||||
delete cpp_arg; |
||||
} |
||||
} |
||||
|
||||
} // namespace experimental
|
||||
} // namespace grpc_impl
|
||||
@ -0,0 +1,58 @@ |
||||
/*
|
||||
* |
||||
* Copyright 2019 gRPC authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
* |
||||
*/ |
||||
|
||||
#ifndef GRPC_INTERNAL_CPP_COMMON_TLS_CREDENTIALS_OPTIONS_UTIL_H |
||||
#define GRPC_INTERNAL_CPP_COMMON_TLS_CREDENTIALS_OPTIONS_UTIL_H |
||||
|
||||
#include <grpc/grpc_security.h> |
||||
#include <grpcpp/security/tls_credentials_options.h> |
||||
|
||||
#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h" |
||||
|
||||
namespace grpc_impl { |
||||
namespace experimental { |
||||
|
||||
/** The following function is exposed for testing purposes. **/ |
||||
grpc_tls_key_materials_config* ConvertToCKeyMaterialsConfig( |
||||
const std::shared_ptr<TlsKeyMaterialsConfig>& config); |
||||
|
||||
/** The following 4 functions convert the user-provided schedule or cancel
|
||||
* functions into C style schedule or cancel functions. These are internal |
||||
* functions, not meant to be accessed by the user. **/ |
||||
int TlsCredentialReloadConfigCSchedule(void* config_user_data, |
||||
grpc_tls_credential_reload_arg* arg); |
||||
|
||||
void TlsCredentialReloadConfigCCancel(void* config_user_data, |
||||
grpc_tls_credential_reload_arg* arg); |
||||
|
||||
int TlsServerAuthorizationCheckConfigCSchedule( |
||||
void* config_user_data, grpc_tls_server_authorization_check_arg* arg); |
||||
|
||||
void TlsServerAuthorizationCheckConfigCCancel( |
||||
void* config_user_data, grpc_tls_server_authorization_check_arg* arg); |
||||
|
||||
/** The following 2 functions cleanup data created in the above C schedule
|
||||
* functions. **/ |
||||
void TlsCredentialReloadArgDestroyContext(void* context); |
||||
|
||||
void TlsServerAuthorizationCheckArgDestroyContext(void* context); |
||||
|
||||
} // namespace experimental
|
||||
} // namespace grpc_impl
|
||||
|
||||
#endif // GRPC_INTERNAL_CPP_COMMON_TLS_CREDENTIALS_OPTIONS_UTIL_H
|
||||
Loading…
Reference in new issue