|
|
|
|
@ -46,7 +46,7 @@ namespace grpc_core { |
|
|
|
|
namespace { |
|
|
|
|
|
|
|
|
|
tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair( |
|
|
|
|
const grpc_core::PemKeyCertPairList& cert_pair_list) { |
|
|
|
|
const PemKeyCertPairList& cert_pair_list) { |
|
|
|
|
tsi_ssl_pem_key_cert_pair* tsi_pairs = nullptr; |
|
|
|
|
size_t num_key_cert_pairs = cert_pair_list.size(); |
|
|
|
|
if (num_key_cert_pairs > 0) { |
|
|
|
|
@ -68,11 +68,11 @@ tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair( |
|
|
|
|
} // namespace
|
|
|
|
|
|
|
|
|
|
// -------------------channel security connector-------------------
|
|
|
|
|
grpc_core::RefCountedPtr<grpc_channel_security_connector> |
|
|
|
|
RefCountedPtr<grpc_channel_security_connector> |
|
|
|
|
TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector( |
|
|
|
|
grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds, |
|
|
|
|
grpc_core::RefCountedPtr<grpc_tls_credentials_options> options, |
|
|
|
|
grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds, |
|
|
|
|
RefCountedPtr<grpc_channel_credentials> channel_creds, |
|
|
|
|
RefCountedPtr<grpc_tls_credentials_options> options, |
|
|
|
|
RefCountedPtr<grpc_call_credentials> request_metadata_creds, |
|
|
|
|
const char* target_name, const char* overridden_target_name, |
|
|
|
|
tsi_ssl_session_cache* ssl_session_cache) { |
|
|
|
|
if (channel_creds == nullptr) { |
|
|
|
|
@ -93,18 +93,16 @@ TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector( |
|
|
|
|
"TlsChannelSecurityConnectorCreate()"); |
|
|
|
|
return nullptr; |
|
|
|
|
} |
|
|
|
|
grpc_core::RefCountedPtr<TlsChannelSecurityConnector> c = |
|
|
|
|
grpc_core::MakeRefCounted<TlsChannelSecurityConnector>( |
|
|
|
|
return MakeRefCounted<TlsChannelSecurityConnector>( |
|
|
|
|
std::move(channel_creds), std::move(options), |
|
|
|
|
std::move(request_metadata_creds), target_name, |
|
|
|
|
overridden_target_name, ssl_session_cache); |
|
|
|
|
return c; |
|
|
|
|
std::move(request_metadata_creds), target_name, overridden_target_name, |
|
|
|
|
ssl_session_cache); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
TlsChannelSecurityConnector::TlsChannelSecurityConnector( |
|
|
|
|
grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds, |
|
|
|
|
grpc_core::RefCountedPtr<grpc_tls_credentials_options> options, |
|
|
|
|
grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds, |
|
|
|
|
RefCountedPtr<grpc_channel_credentials> channel_creds, |
|
|
|
|
RefCountedPtr<grpc_tls_credentials_options> options, |
|
|
|
|
RefCountedPtr<grpc_call_credentials> request_metadata_creds, |
|
|
|
|
const char* target_name, const char* overridden_target_name, |
|
|
|
|
tsi_ssl_session_cache* ssl_session_cache) |
|
|
|
|
: grpc_channel_security_connector(GRPC_SSL_URL_SCHEME, |
|
|
|
|
@ -120,7 +118,7 @@ TlsChannelSecurityConnector::TlsChannelSecurityConnector( |
|
|
|
|
check_arg_ = ServerAuthorizationCheckArgCreate(this); |
|
|
|
|
absl::string_view host; |
|
|
|
|
absl::string_view port; |
|
|
|
|
grpc_core::SplitHostPort(target_name, &host, &port); |
|
|
|
|
SplitHostPort(target_name, &host, &port); |
|
|
|
|
target_name_ = std::string(host); |
|
|
|
|
// Create a watcher.
|
|
|
|
|
auto watcher_ptr = absl::make_unique<TlsChannelCertificateWatcher>(this); |
|
|
|
|
@ -172,8 +170,8 @@ TlsChannelSecurityConnector::~TlsChannelSecurityConnector() { |
|
|
|
|
|
|
|
|
|
void TlsChannelSecurityConnector::add_handshakers( |
|
|
|
|
const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/, |
|
|
|
|
grpc_core::HandshakeManager* handshake_mgr) { |
|
|
|
|
grpc_core::MutexLock lock(&mu_); |
|
|
|
|
HandshakeManager* handshake_mgr) { |
|
|
|
|
MutexLock lock(&mu_); |
|
|
|
|
if (client_handshaker_factory_ != nullptr) { |
|
|
|
|
// Instantiate TSI handshaker.
|
|
|
|
|
tsi_handshaker* tsi_hs = nullptr; |
|
|
|
|
@ -188,7 +186,7 @@ void TlsChannelSecurityConnector::add_handshakers( |
|
|
|
|
return; |
|
|
|
|
} |
|
|
|
|
// Create handshakers.
|
|
|
|
|
handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args)); |
|
|
|
|
handshake_mgr->Add(SecurityHandshakerCreate(tsi_hs, this, args)); |
|
|
|
|
return; |
|
|
|
|
} |
|
|
|
|
// TODO(ZhenLian): Implement the logic(delegation to
|
|
|
|
|
@ -199,14 +197,14 @@ void TlsChannelSecurityConnector::add_handshakers( |
|
|
|
|
|
|
|
|
|
void TlsChannelSecurityConnector::check_peer( |
|
|
|
|
tsi_peer peer, grpc_endpoint* /*ep*/, |
|
|
|
|
grpc_core::RefCountedPtr<grpc_auth_context>* auth_context, |
|
|
|
|
RefCountedPtr<grpc_auth_context>* auth_context, |
|
|
|
|
grpc_closure* on_peer_checked) { |
|
|
|
|
const char* target_name = overridden_target_name_.empty() |
|
|
|
|
? target_name_.c_str() |
|
|
|
|
: overridden_target_name_.c_str(); |
|
|
|
|
grpc_error* error = grpc_ssl_check_alpn(&peer); |
|
|
|
|
if (error != GRPC_ERROR_NONE) { |
|
|
|
|
grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error); |
|
|
|
|
ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error); |
|
|
|
|
tsi_peer_destruct(&peer); |
|
|
|
|
return; |
|
|
|
|
} |
|
|
|
|
@ -216,7 +214,7 @@ void TlsChannelSecurityConnector::check_peer( |
|
|
|
|
/* Do the default host name check if specifying the target name. */ |
|
|
|
|
error = internal::TlsCheckHostName(target_name, &peer); |
|
|
|
|
if (error != GRPC_ERROR_NONE) { |
|
|
|
|
grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error); |
|
|
|
|
ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error); |
|
|
|
|
tsi_peer_destruct(&peer); |
|
|
|
|
return; |
|
|
|
|
} |
|
|
|
|
@ -299,7 +297,7 @@ void TlsChannelSecurityConnector::check_peer( |
|
|
|
|
error = ProcessServerAuthorizationCheckResult(check_arg_); |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error); |
|
|
|
|
ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error); |
|
|
|
|
tsi_peer_destruct(&peer); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@ -335,11 +333,10 @@ void TlsChannelSecurityConnector::cancel_check_call_host( |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
void TlsChannelSecurityConnector::TlsChannelCertificateWatcher:: |
|
|
|
|
OnCertificatesChanged( |
|
|
|
|
absl::optional<absl::string_view> root_certs, |
|
|
|
|
absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) { |
|
|
|
|
OnCertificatesChanged(absl::optional<absl::string_view> root_certs, |
|
|
|
|
absl::optional<PemKeyCertPairList> key_cert_pairs) { |
|
|
|
|
GPR_ASSERT(security_connector_ != nullptr); |
|
|
|
|
grpc_core::MutexLock lock(&security_connector_->mu_); |
|
|
|
|
MutexLock lock(&security_connector_->mu_); |
|
|
|
|
if (root_certs.has_value()) { |
|
|
|
|
security_connector_->pem_root_certs_ = root_certs; |
|
|
|
|
} |
|
|
|
|
@ -417,11 +414,11 @@ TlsChannelSecurityConnector::UpdateHandshakerFactoryLocked() { |
|
|
|
|
void TlsChannelSecurityConnector::ServerAuthorizationCheckDone( |
|
|
|
|
grpc_tls_server_authorization_check_arg* arg) { |
|
|
|
|
GPR_ASSERT(arg != nullptr); |
|
|
|
|
grpc_core::ExecCtx exec_ctx; |
|
|
|
|
ExecCtx exec_ctx; |
|
|
|
|
grpc_error* error = ProcessServerAuthorizationCheckResult(arg); |
|
|
|
|
TlsChannelSecurityConnector* connector = |
|
|
|
|
static_cast<TlsChannelSecurityConnector*>(arg->cb_user_data); |
|
|
|
|
grpc_core::ExecCtx::Run(DEBUG_LOCATION, connector->on_peer_checked_, error); |
|
|
|
|
ExecCtx::Run(DEBUG_LOCATION, connector->on_peer_checked_, error); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
grpc_error* TlsChannelSecurityConnector::ProcessServerAuthorizationCheckResult( |
|
|
|
|
@ -491,10 +488,10 @@ void TlsChannelSecurityConnector::ServerAuthorizationCheckArgDestroy( |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// -------------------server security connector-------------------
|
|
|
|
|
grpc_core::RefCountedPtr<grpc_server_security_connector> |
|
|
|
|
RefCountedPtr<grpc_server_security_connector> |
|
|
|
|
TlsServerSecurityConnector::CreateTlsServerSecurityConnector( |
|
|
|
|
grpc_core::RefCountedPtr<grpc_server_credentials> server_creds, |
|
|
|
|
grpc_core::RefCountedPtr<grpc_tls_credentials_options> options) { |
|
|
|
|
RefCountedPtr<grpc_server_credentials> server_creds, |
|
|
|
|
RefCountedPtr<grpc_tls_credentials_options> options) { |
|
|
|
|
if (server_creds == nullptr) { |
|
|
|
|
gpr_log(GPR_ERROR, |
|
|
|
|
"server_creds is nullptr in " |
|
|
|
|
@ -507,15 +504,13 @@ TlsServerSecurityConnector::CreateTlsServerSecurityConnector( |
|
|
|
|
"TlsServerSecurityConnectorCreate()"); |
|
|
|
|
return nullptr; |
|
|
|
|
} |
|
|
|
|
grpc_core::RefCountedPtr<TlsServerSecurityConnector> c = |
|
|
|
|
grpc_core::MakeRefCounted<TlsServerSecurityConnector>( |
|
|
|
|
std::move(server_creds), std::move(options)); |
|
|
|
|
return c; |
|
|
|
|
return MakeRefCounted<TlsServerSecurityConnector>(std::move(server_creds), |
|
|
|
|
std::move(options)); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
TlsServerSecurityConnector::TlsServerSecurityConnector( |
|
|
|
|
grpc_core::RefCountedPtr<grpc_server_credentials> server_creds, |
|
|
|
|
grpc_core::RefCountedPtr<grpc_tls_credentials_options> options) |
|
|
|
|
RefCountedPtr<grpc_server_credentials> server_creds, |
|
|
|
|
RefCountedPtr<grpc_tls_credentials_options> options) |
|
|
|
|
: grpc_server_security_connector(GRPC_SSL_URL_SCHEME, |
|
|
|
|
std::move(server_creds)), |
|
|
|
|
options_(std::move(options)) { |
|
|
|
|
@ -551,8 +546,8 @@ TlsServerSecurityConnector::~TlsServerSecurityConnector() { |
|
|
|
|
|
|
|
|
|
void TlsServerSecurityConnector::add_handshakers( |
|
|
|
|
const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/, |
|
|
|
|
grpc_core::HandshakeManager* handshake_mgr) { |
|
|
|
|
grpc_core::MutexLock lock(&mu_); |
|
|
|
|
HandshakeManager* handshake_mgr) { |
|
|
|
|
MutexLock lock(&mu_); |
|
|
|
|
if (server_handshaker_factory_ != nullptr) { |
|
|
|
|
// Instantiate TSI handshaker.
|
|
|
|
|
tsi_handshaker* tsi_hs = nullptr; |
|
|
|
|
@ -564,7 +559,7 @@ void TlsServerSecurityConnector::add_handshakers( |
|
|
|
|
return; |
|
|
|
|
} |
|
|
|
|
// Create handshakers.
|
|
|
|
|
handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args)); |
|
|
|
|
handshake_mgr->Add(SecurityHandshakerCreate(tsi_hs, this, args)); |
|
|
|
|
return; |
|
|
|
|
} |
|
|
|
|
// TODO(ZhenLian): Implement the logic(delegation to
|
|
|
|
|
@ -575,13 +570,13 @@ void TlsServerSecurityConnector::add_handshakers( |
|
|
|
|
|
|
|
|
|
void TlsServerSecurityConnector::check_peer( |
|
|
|
|
tsi_peer peer, grpc_endpoint* /*ep*/, |
|
|
|
|
grpc_core::RefCountedPtr<grpc_auth_context>* auth_context, |
|
|
|
|
RefCountedPtr<grpc_auth_context>* auth_context, |
|
|
|
|
grpc_closure* on_peer_checked) { |
|
|
|
|
grpc_error* error = grpc_ssl_check_alpn(&peer); |
|
|
|
|
*auth_context = |
|
|
|
|
grpc_ssl_peer_to_auth_context(&peer, GRPC_TLS_TRANSPORT_SECURITY_TYPE); |
|
|
|
|
tsi_peer_destruct(&peer); |
|
|
|
|
grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error); |
|
|
|
|
ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
int TlsServerSecurityConnector::cmp( |
|
|
|
|
@ -591,11 +586,10 @@ int TlsServerSecurityConnector::cmp( |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
void TlsServerSecurityConnector::TlsServerCertificateWatcher:: |
|
|
|
|
OnCertificatesChanged( |
|
|
|
|
absl::optional<absl::string_view> root_certs, |
|
|
|
|
absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) { |
|
|
|
|
OnCertificatesChanged(absl::optional<absl::string_view> root_certs, |
|
|
|
|
absl::optional<PemKeyCertPairList> key_cert_pairs) { |
|
|
|
|
GPR_ASSERT(security_connector_ != nullptr); |
|
|
|
|
grpc_core::MutexLock lock(&security_connector_->mu_); |
|
|
|
|
MutexLock lock(&security_connector_->mu_); |
|
|
|
|
if (root_certs.has_value()) { |
|
|
|
|
security_connector_->pem_root_certs_ = root_certs; |
|
|
|
|
} |
|
|
|
|
|
Mark D. Roth
4 years ago
committed by
GitHub