[security] Refactor credentials types to remove special handling for insecure creds (#36176)

Forked from #35957

This PR refactors the credentials types to remove the Secure and Insecure Channel and Call credentials types. We standardize on a `c_creds()` accessor method for all credentials types, which can now be treated uniformly. This notably removes the special-case handling of insecure credentials.

The special code-paths for insecure creds are no longer necessary in the wake of #25586.

Closes #36176

COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36176 from drfloob:fork/35957/creds-API fd64d59c23
PiperOrigin-RevId: 621008166
AJ Heller 8 months ago committed by Copybara-Service
parent adf6c7b644
commit 822311c0d9
  1. 22
      BUILD
  2. 33
      CMakeLists.txt
  3. 35
      build_autogenerated.yaml
  4. 4
      gRPC-C++.podspec
  5. 62
      include/grpcpp/security/credentials.h
  6. 32
      include/grpcpp/security/server_credentials.h
  7. 4
      include/grpcpp/support/channel_arguments.h
  8. 9
      src/core/ext/transport/binder/server/binder_server_credentials.cc
  9. 39
      src/cpp/client/call_credentials.cc
  10. 47
      src/cpp/client/channel_credentials.cc
  11. 14
      src/cpp/client/cronet_credentials.cc
  12. 31
      src/cpp/client/insecure_credentials.cc
  13. 372
      src/cpp/client/secure_credentials.cc
  14. 99
      src/cpp/client/secure_credentials.h
  15. 23
      src/cpp/client/xds_credentials.cc
  16. 13
      src/cpp/common/channel_arguments.cc
  17. 41
      src/cpp/common/secure_channel_arguments.cc
  18. 19
      src/cpp/ext/chaotic_good.cc
  19. 21
      src/cpp/server/insecure_server_credentials.cc
  20. 13
      src/cpp/server/secure_server_credentials.cc
  21. 23
      src/cpp/server/secure_server_credentials.h
  22. 39
      src/cpp/server/server_credentials.cc
  23. 16
      src/cpp/server/xds_server_credentials.cc
  24. 10
      test/core/transport/binder/end2end/binder_server_test.cc
  25. 5
      test/cpp/end2end/client_lb_end2end_test.cc
  26. 25
      test/cpp/end2end/end2end_test.cc
  27. 7
      test/cpp/end2end/grpclb_end2end_test.cc
  28. 6
      test/cpp/end2end/resource_quota_end2end_stress_test.cc
  29. 9
      test/cpp/end2end/rls_end2end_test.cc
  30. 5
      test/cpp/end2end/service_config_end2end_test.cc
  31. 5
      test/cpp/end2end/xds/xds_csds_end2end_test.cc
  32. 6
      test/cpp/end2end/xds/xds_end2end_test_lib.cc
  33. 2
      test/cpp/ext/BUILD
  34. 8
      test/cpp/interop/client_helper.cc
  35. 1
      test/cpp/util/BUILD
  36. 41
      test/cpp/util/credentials.h
  37. 4
      tools/doxygen/Doxyfile.c++.internal

22
BUILD

@ -324,7 +324,9 @@ GRPC_PUBLIC_EVENT_ENGINE_HDRS = [
]
GRPCXX_SRCS = [
"src/cpp/client/call_credentials.cc",
"src/cpp/client/channel_cc.cc",
"src/cpp/client/channel_credentials.cc",
"src/cpp/client/client_callback.cc",
"src/cpp/client/client_context.cc",
"src/cpp/client/client_interceptor.cc",
@ -350,6 +352,7 @@ GRPCXX_SRCS = [
"src/cpp/server/server_callback.cc",
"src/cpp/server/server_cc.cc",
"src/cpp/server/server_context.cc",
"src/cpp/server/server_credentials.cc",
"src/cpp/server/server_posix.cc",
"src/cpp/thread_manager/thread_manager.cc",
"src/cpp/util/byte_buffer_cc.cc",
@ -938,9 +941,7 @@ grpc_cc_library(
},
],
tags = ["nofixdeps"],
visibility = [
"@grpc:public",
],
visibility = ["@grpc:public"],
deps = [
"grpc++_base",
"//src/core:gpr_atm",
@ -1213,6 +1214,9 @@ grpc_cc_library(
],
)
# TODO(hork): restructure the grpc++_unsecure and grpc++ build targets in a
# similar way to how the grpc_unsecure and grpc targets were restructured in
# #25586
grpc_cc_library(
name = "grpc++_unsecure",
srcs = [
@ -1220,18 +1224,26 @@ grpc_cc_library(
"src/cpp/common/insecure_create_auth_context.cc",
"src/cpp/server/insecure_server_credentials.cc",
],
external_deps = [
"absl/strings",
"absl/synchronization",
],
language = "c++",
public_hdrs = GRPCXX_PUBLIC_HDRS,
tags = [
"avoid_dep",
"nofixdeps",
],
visibility = ["@grpc:public"],
deps = [
"channel_arg_names",
"gpr",
"grpc++_base_unsecure",
"grpc++_codegen_proto",
"grpc_public_hdrs",
"grpc_security_base",
"grpc_unsecure",
"//src/core:gpr_atm",
"//src/core:grpc_insecure_credentials",
],
)
@ -2370,7 +2382,6 @@ grpc_cc_library(
"src/cpp/client/secure_credentials.cc",
"src/cpp/common/auth_property_iterator.cc",
"src/cpp/common/secure_auth_context.cc",
"src/cpp/common/secure_channel_arguments.cc",
"src/cpp/common/secure_create_auth_context.cc",
"src/cpp/common/tls_certificate_provider.cc",
"src/cpp/common/tls_certificate_verifier.cc",
@ -2494,6 +2505,7 @@ grpc_cc_library(
"grpc_base",
"grpc_health_upb",
"grpc_public_hdrs",
"grpc_security_base",
"grpc_service_config_impl",
"grpc_trace",
"grpc_unsecure",
@ -4700,7 +4712,7 @@ grpc_cc_library(
visibility = ["@grpc:chaotic_good"],
deps = [
"gpr",
"grpc++_public_hdrs",
"grpc++_base_unsecure",
"grpc_public_hdrs",
"//src/core:chaotic_good_connector",
"//src/core:chaotic_good_server",

33
CMakeLists.txt generated

@ -4041,7 +4041,9 @@ add_library(grpc++
src/core/ext/transport/binder/wire_format/transaction.cc
src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
src/core/ext/transport/binder/wire_format/wire_writer.cc
src/cpp/client/call_credentials.cc
src/cpp/client/channel_cc.cc
src/cpp/client/channel_credentials.cc
src/cpp/client/client_callback.cc
src/cpp/client/client_context.cc
src/cpp/client/client_interceptor.cc
@ -4059,7 +4061,6 @@ add_library(grpc++
src/cpp/common/resource_quota_cc.cc
src/cpp/common/rpc_method.cc
src/cpp/common/secure_auth_context.cc
src/cpp/common/secure_channel_arguments.cc
src/cpp/common/secure_create_auth_context.cc
src/cpp/common/tls_certificate_provider.cc
src/cpp/common/tls_certificate_verifier.cc
@ -4080,6 +4081,7 @@ add_library(grpc++
src/cpp/server/server_callback.cc
src/cpp/server/server_cc.cc
src/cpp/server/server_context.cc
src/cpp/server/server_credentials.cc
src/cpp/server/server_posix.cc
src/cpp/server/xds_server_builder.cc
src/cpp/server/xds_server_credentials.cc
@ -4789,7 +4791,9 @@ target_link_libraries(grpc++_test_util
endif()
add_library(grpc++_unsecure
src/cpp/client/call_credentials.cc
src/cpp/client/channel_cc.cc
src/cpp/client/channel_credentials.cc
src/cpp/client/client_callback.cc
src/cpp/client/client_context.cc
src/cpp/client/client_interceptor.cc
@ -4819,6 +4823,7 @@ add_library(grpc++_unsecure
src/cpp/server/server_callback.cc
src/cpp/server/server_cc.cc
src/cpp/server/server_context.cc
src/cpp/server/server_credentials.cc
src/cpp/server/server_posix.cc
src/cpp/thread_manager/thread_manager.cc
src/cpp/util/byte_buffer_cc.cc
@ -8146,7 +8151,9 @@ add_executable(binder_transport_test
src/core/ext/transport/binder/wire_format/transaction.cc
src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
src/core/ext/transport/binder/wire_format/wire_writer.cc
src/cpp/client/call_credentials.cc
src/cpp/client/channel_cc.cc
src/cpp/client/channel_credentials.cc
src/cpp/client/client_callback.cc
src/cpp/client/client_context.cc
src/cpp/client/client_interceptor.cc
@ -8163,7 +8170,6 @@ add_executable(binder_transport_test
src/cpp/common/resource_quota_cc.cc
src/cpp/common/rpc_method.cc
src/cpp/common/secure_auth_context.cc
src/cpp/common/secure_channel_arguments.cc
src/cpp/common/secure_create_auth_context.cc
src/cpp/common/tls_certificate_provider.cc
src/cpp/common/tls_certificate_verifier.cc
@ -8184,6 +8190,7 @@ add_executable(binder_transport_test
src/cpp/server/server_callback.cc
src/cpp/server/server_cc.cc
src/cpp/server/server_context.cc
src/cpp/server/server_credentials.cc
src/cpp/server/server_posix.cc
src/cpp/thread_manager/thread_manager.cc
src/cpp/util/byte_buffer_cc.cc
@ -12658,7 +12665,9 @@ add_executable(endpoint_binder_pool_test
src/core/ext/transport/binder/wire_format/transaction.cc
src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
src/core/ext/transport/binder/wire_format/wire_writer.cc
src/cpp/client/call_credentials.cc
src/cpp/client/channel_cc.cc
src/cpp/client/channel_credentials.cc
src/cpp/client/client_callback.cc
src/cpp/client/client_context.cc
src/cpp/client/client_interceptor.cc
@ -12675,7 +12684,6 @@ add_executable(endpoint_binder_pool_test
src/cpp/common/resource_quota_cc.cc
src/cpp/common/rpc_method.cc
src/cpp/common/secure_auth_context.cc
src/cpp/common/secure_channel_arguments.cc
src/cpp/common/secure_create_auth_context.cc
src/cpp/common/tls_certificate_provider.cc
src/cpp/common/tls_certificate_verifier.cc
@ -12696,6 +12704,7 @@ add_executable(endpoint_binder_pool_test
src/cpp/server/server_callback.cc
src/cpp/server/server_cc.cc
src/cpp/server/server_context.cc
src/cpp/server/server_credentials.cc
src/cpp/server/server_posix.cc
src/cpp/thread_manager/thread_manager.cc
src/cpp/util/byte_buffer_cc.cc
@ -13513,7 +13522,9 @@ add_executable(fake_binder_test
src/core/ext/transport/binder/wire_format/transaction.cc
src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
src/core/ext/transport/binder/wire_format/wire_writer.cc
src/cpp/client/call_credentials.cc
src/cpp/client/channel_cc.cc
src/cpp/client/channel_credentials.cc
src/cpp/client/client_callback.cc
src/cpp/client/client_context.cc
src/cpp/client/client_interceptor.cc
@ -13530,7 +13541,6 @@ add_executable(fake_binder_test
src/cpp/common/resource_quota_cc.cc
src/cpp/common/rpc_method.cc
src/cpp/common/secure_auth_context.cc
src/cpp/common/secure_channel_arguments.cc
src/cpp/common/secure_create_auth_context.cc
src/cpp/common/tls_certificate_provider.cc
src/cpp/common/tls_certificate_verifier.cc
@ -13551,6 +13561,7 @@ add_executable(fake_binder_test
src/cpp/server/server_callback.cc
src/cpp/server/server_cc.cc
src/cpp/server/server_context.cc
src/cpp/server/server_credentials.cc
src/cpp/server/server_posix.cc
src/cpp/thread_manager/thread_manager.cc
src/cpp/util/byte_buffer_cc.cc
@ -30162,7 +30173,7 @@ target_include_directories(test_cpp_ext_chaotic_good_test
target_link_libraries(test_cpp_ext_chaotic_good_test
${_gRPC_ALLTARGETS_LIBRARIES}
gtest
grpc++
grpc++_unsecure
grpc_test_util
)
@ -31346,7 +31357,9 @@ add_executable(transport_stream_receiver_test
src/core/ext/transport/binder/wire_format/transaction.cc
src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
src/core/ext/transport/binder/wire_format/wire_writer.cc
src/cpp/client/call_credentials.cc
src/cpp/client/channel_cc.cc
src/cpp/client/channel_credentials.cc
src/cpp/client/client_callback.cc
src/cpp/client/client_context.cc
src/cpp/client/client_interceptor.cc
@ -31363,7 +31376,6 @@ add_executable(transport_stream_receiver_test
src/cpp/common/resource_quota_cc.cc
src/cpp/common/rpc_method.cc
src/cpp/common/secure_auth_context.cc
src/cpp/common/secure_channel_arguments.cc
src/cpp/common/secure_create_auth_context.cc
src/cpp/common/tls_certificate_provider.cc
src/cpp/common/tls_certificate_verifier.cc
@ -31384,6 +31396,7 @@ add_executable(transport_stream_receiver_test
src/cpp/server/server_callback.cc
src/cpp/server/server_cc.cc
src/cpp/server/server_context.cc
src/cpp/server/server_credentials.cc
src/cpp/server/server_posix.cc
src/cpp/thread_manager/thread_manager.cc
src/cpp/util/byte_buffer_cc.cc
@ -32178,7 +32191,9 @@ add_executable(wire_reader_test
src/core/ext/transport/binder/wire_format/transaction.cc
src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
src/core/ext/transport/binder/wire_format/wire_writer.cc
src/cpp/client/call_credentials.cc
src/cpp/client/channel_cc.cc
src/cpp/client/channel_credentials.cc
src/cpp/client/client_callback.cc
src/cpp/client/client_context.cc
src/cpp/client/client_interceptor.cc
@ -32195,7 +32210,6 @@ add_executable(wire_reader_test
src/cpp/common/resource_quota_cc.cc
src/cpp/common/rpc_method.cc
src/cpp/common/secure_auth_context.cc
src/cpp/common/secure_channel_arguments.cc
src/cpp/common/secure_create_auth_context.cc
src/cpp/common/tls_certificate_provider.cc
src/cpp/common/tls_certificate_verifier.cc
@ -32216,6 +32230,7 @@ add_executable(wire_reader_test
src/cpp/server/server_callback.cc
src/cpp/server/server_cc.cc
src/cpp/server/server_context.cc
src/cpp/server/server_credentials.cc
src/cpp/server/server_posix.cc
src/cpp/thread_manager/thread_manager.cc
src/cpp/util/byte_buffer_cc.cc
@ -32284,7 +32299,9 @@ add_executable(wire_writer_test
src/core/ext/transport/binder/wire_format/transaction.cc
src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
src/core/ext/transport/binder/wire_format/wire_writer.cc
src/cpp/client/call_credentials.cc
src/cpp/client/channel_cc.cc
src/cpp/client/channel_credentials.cc
src/cpp/client/client_callback.cc
src/cpp/client/client_context.cc
src/cpp/client/client_interceptor.cc
@ -32301,7 +32318,6 @@ add_executable(wire_writer_test
src/cpp/common/resource_quota_cc.cc
src/cpp/common/rpc_method.cc
src/cpp/common/secure_auth_context.cc
src/cpp/common/secure_channel_arguments.cc
src/cpp/common/secure_create_auth_context.cc
src/cpp/common/tls_certificate_provider.cc
src/cpp/common/tls_certificate_verifier.cc
@ -32322,6 +32338,7 @@ add_executable(wire_writer_test
src/cpp/server/server_callback.cc
src/cpp/server/server_cc.cc
src/cpp/server/server_context.cc
src/cpp/server/server_credentials.cc
src/cpp/server/server_posix.cc
src/cpp/thread_manager/thread_manager.cc
src/cpp/util/byte_buffer_cc.cc

@ -3884,7 +3884,9 @@ libs:
- src/core/ext/transport/binder/wire_format/transaction.cc
- src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
- src/core/ext/transport/binder/wire_format/wire_writer.cc
- src/cpp/client/call_credentials.cc
- src/cpp/client/channel_cc.cc
- src/cpp/client/channel_credentials.cc
- src/cpp/client/client_callback.cc
- src/cpp/client/client_context.cc
- src/cpp/client/client_interceptor.cc
@ -3902,7 +3904,6 @@ libs:
- src/cpp/common/resource_quota_cc.cc
- src/cpp/common/rpc_method.cc
- src/cpp/common/secure_auth_context.cc
- src/cpp/common/secure_channel_arguments.cc
- src/cpp/common/secure_create_auth_context.cc
- src/cpp/common/tls_certificate_provider.cc
- src/cpp/common/tls_certificate_verifier.cc
@ -3923,6 +3924,7 @@ libs:
- src/cpp/server/server_callback.cc
- src/cpp/server/server_cc.cc
- src/cpp/server/server_context.cc
- src/cpp/server/server_credentials.cc
- src/cpp/server/server_posix.cc
- src/cpp/server/xds_server_builder.cc
- src/cpp/server/xds_server_credentials.cc
@ -4022,6 +4024,7 @@ libs:
- test/core/util/tracer_util.h
- test/cpp/util/byte_buffer_proto_helper.h
- test/cpp/util/create_test_channel.h
- test/cpp/util/credentials.h
- test/cpp/util/string_ref_helper.h
- test/cpp/util/subprocess.h
- test/cpp/util/test_credentials_provider.h
@ -4264,7 +4267,9 @@ libs:
- src/cpp/server/thread_pool_interface.h
- src/cpp/thread_manager/thread_manager.h
src:
- src/cpp/client/call_credentials.cc
- src/cpp/client/channel_cc.cc
- src/cpp/client/channel_credentials.cc
- src/cpp/client/client_callback.cc
- src/cpp/client/client_context.cc
- src/cpp/client/client_interceptor.cc
@ -4294,6 +4299,7 @@ libs:
- src/cpp/server/server_callback.cc
- src/cpp/server/server_cc.cc
- src/cpp/server/server_context.cc
- src/cpp/server/server_credentials.cc
- src/cpp/server/server_posix.cc
- src/cpp/thread_manager/thread_manager.cc
- src/cpp/util/byte_buffer_cc.cc
@ -5275,6 +5281,7 @@ targets:
- test/core/util/slice_splitter.h
- test/core/util/tracer_util.h
- test/cpp/util/byte_buffer_proto_helper.h
- test/cpp/util/credentials.h
- test/cpp/util/string_ref_helper.h
- test/cpp/util/subprocess.h
src:
@ -6163,7 +6170,9 @@ targets:
- src/core/ext/transport/binder/wire_format/transaction.cc
- src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
- src/core/ext/transport/binder/wire_format/wire_writer.cc
- src/cpp/client/call_credentials.cc
- src/cpp/client/channel_cc.cc
- src/cpp/client/channel_credentials.cc
- src/cpp/client/client_callback.cc
- src/cpp/client/client_context.cc
- src/cpp/client/client_interceptor.cc
@ -6180,7 +6189,6 @@ targets:
- src/cpp/common/resource_quota_cc.cc
- src/cpp/common/rpc_method.cc
- src/cpp/common/secure_auth_context.cc
- src/cpp/common/secure_channel_arguments.cc
- src/cpp/common/secure_create_auth_context.cc
- src/cpp/common/tls_certificate_provider.cc
- src/cpp/common/tls_certificate_verifier.cc
@ -6201,6 +6209,7 @@ targets:
- src/cpp/server/server_callback.cc
- src/cpp/server/server_cc.cc
- src/cpp/server/server_context.cc
- src/cpp/server/server_credentials.cc
- src/cpp/server/server_posix.cc
- src/cpp/thread_manager/thread_manager.cc
- src/cpp/util/byte_buffer_cc.cc
@ -8848,7 +8857,9 @@ targets:
- src/core/ext/transport/binder/wire_format/transaction.cc
- src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
- src/core/ext/transport/binder/wire_format/wire_writer.cc
- src/cpp/client/call_credentials.cc
- src/cpp/client/channel_cc.cc
- src/cpp/client/channel_credentials.cc
- src/cpp/client/client_callback.cc
- src/cpp/client/client_context.cc
- src/cpp/client/client_interceptor.cc
@ -8865,7 +8876,6 @@ targets:
- src/cpp/common/resource_quota_cc.cc
- src/cpp/common/rpc_method.cc
- src/cpp/common/secure_auth_context.cc
- src/cpp/common/secure_channel_arguments.cc
- src/cpp/common/secure_create_auth_context.cc
- src/cpp/common/tls_certificate_provider.cc
- src/cpp/common/tls_certificate_verifier.cc
@ -8886,6 +8896,7 @@ targets:
- src/cpp/server/server_callback.cc
- src/cpp/server/server_cc.cc
- src/cpp/server/server_context.cc
- src/cpp/server/server_credentials.cc
- src/cpp/server/server_posix.cc
- src/cpp/thread_manager/thread_manager.cc
- src/cpp/util/byte_buffer_cc.cc
@ -9338,7 +9349,9 @@ targets:
- src/core/ext/transport/binder/wire_format/transaction.cc
- src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
- src/core/ext/transport/binder/wire_format/wire_writer.cc
- src/cpp/client/call_credentials.cc
- src/cpp/client/channel_cc.cc
- src/cpp/client/channel_credentials.cc
- src/cpp/client/client_callback.cc
- src/cpp/client/client_context.cc
- src/cpp/client/client_interceptor.cc
@ -9355,7 +9368,6 @@ targets:
- src/cpp/common/resource_quota_cc.cc
- src/cpp/common/rpc_method.cc
- src/cpp/common/secure_auth_context.cc
- src/cpp/common/secure_channel_arguments.cc
- src/cpp/common/secure_create_auth_context.cc
- src/cpp/common/tls_certificate_provider.cc
- src/cpp/common/tls_certificate_verifier.cc
@ -9376,6 +9388,7 @@ targets:
- src/cpp/server/server_callback.cc
- src/cpp/server/server_cc.cc
- src/cpp/server/server_context.cc
- src/cpp/server/server_credentials.cc
- src/cpp/server/server_posix.cc
- src/cpp/thread_manager/thread_manager.cc
- src/cpp/util/byte_buffer_cc.cc
@ -19012,7 +19025,7 @@ targets:
- test/cpp/ext/chaotic_good_test.cc
deps:
- gtest
- grpc++
- grpc++_unsecure
- grpc_test_util
- name: test_cpp_server_credentials_test
gtest: true
@ -19528,7 +19541,9 @@ targets:
- src/core/ext/transport/binder/wire_format/transaction.cc
- src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
- src/core/ext/transport/binder/wire_format/wire_writer.cc
- src/cpp/client/call_credentials.cc
- src/cpp/client/channel_cc.cc
- src/cpp/client/channel_credentials.cc
- src/cpp/client/client_callback.cc
- src/cpp/client/client_context.cc
- src/cpp/client/client_interceptor.cc
@ -19545,7 +19560,6 @@ targets:
- src/cpp/common/resource_quota_cc.cc
- src/cpp/common/rpc_method.cc
- src/cpp/common/secure_auth_context.cc
- src/cpp/common/secure_channel_arguments.cc
- src/cpp/common/secure_create_auth_context.cc
- src/cpp/common/tls_certificate_provider.cc
- src/cpp/common/tls_certificate_verifier.cc
@ -19566,6 +19580,7 @@ targets:
- src/cpp/server/server_callback.cc
- src/cpp/server/server_cc.cc
- src/cpp/server/server_context.cc
- src/cpp/server/server_credentials.cc
- src/cpp/server/server_posix.cc
- src/cpp/thread_manager/thread_manager.cc
- src/cpp/util/byte_buffer_cc.cc
@ -19903,7 +19918,9 @@ targets:
- src/core/ext/transport/binder/wire_format/transaction.cc
- src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
- src/core/ext/transport/binder/wire_format/wire_writer.cc
- src/cpp/client/call_credentials.cc
- src/cpp/client/channel_cc.cc
- src/cpp/client/channel_credentials.cc
- src/cpp/client/client_callback.cc
- src/cpp/client/client_context.cc
- src/cpp/client/client_interceptor.cc
@ -19920,7 +19937,6 @@ targets:
- src/cpp/common/resource_quota_cc.cc
- src/cpp/common/rpc_method.cc
- src/cpp/common/secure_auth_context.cc
- src/cpp/common/secure_channel_arguments.cc
- src/cpp/common/secure_create_auth_context.cc
- src/cpp/common/tls_certificate_provider.cc
- src/cpp/common/tls_certificate_verifier.cc
@ -19941,6 +19957,7 @@ targets:
- src/cpp/server/server_callback.cc
- src/cpp/server/server_cc.cc
- src/cpp/server/server_context.cc
- src/cpp/server/server_credentials.cc
- src/cpp/server/server_posix.cc
- src/cpp/thread_manager/thread_manager.cc
- src/cpp/util/byte_buffer_cc.cc
@ -20010,7 +20027,9 @@ targets:
- src/core/ext/transport/binder/wire_format/transaction.cc
- src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
- src/core/ext/transport/binder/wire_format/wire_writer.cc
- src/cpp/client/call_credentials.cc
- src/cpp/client/channel_cc.cc
- src/cpp/client/channel_credentials.cc
- src/cpp/client/client_callback.cc
- src/cpp/client/client_context.cc
- src/cpp/client/client_interceptor.cc
@ -20027,7 +20046,6 @@ targets:
- src/cpp/common/resource_quota_cc.cc
- src/cpp/common/rpc_method.cc
- src/cpp/common/secure_auth_context.cc
- src/cpp/common/secure_channel_arguments.cc
- src/cpp/common/secure_create_auth_context.cc
- src/cpp/common/tls_certificate_provider.cc
- src/cpp/common/tls_certificate_verifier.cc
@ -20048,6 +20066,7 @@ targets:
- src/cpp/server/server_callback.cc
- src/cpp/server/server_cc.cc
- src/cpp/server/server_context.cc
- src/cpp/server/server_credentials.cc
- src/cpp/server/server_posix.cc
- src/cpp/thread_manager/thread_manager.cc
- src/cpp/util/byte_buffer_cc.cc

4
gRPC-C++.podspec generated

@ -1345,7 +1345,9 @@ Pod::Spec.new do |s|
'src/core/tsi/transport_security.h',
'src/core/tsi/transport_security_grpc.h',
'src/core/tsi/transport_security_interface.h',
'src/cpp/client/call_credentials.cc',
'src/cpp/client/channel_cc.cc',
'src/cpp/client/channel_credentials.cc',
'src/cpp/client/client_callback.cc',
'src/cpp/client/client_context.cc',
'src/cpp/client/client_interceptor.cc',
@ -1367,7 +1369,6 @@ Pod::Spec.new do |s|
'src/cpp/common/rpc_method.cc',
'src/cpp/common/secure_auth_context.cc',
'src/cpp/common/secure_auth_context.h',
'src/cpp/common/secure_channel_arguments.cc',
'src/cpp/common/secure_create_auth_context.cc',
'src/cpp/common/tls_certificate_provider.cc',
'src/cpp/common/tls_certificate_verifier.cc',
@ -1393,6 +1394,7 @@ Pod::Spec.new do |s|
'src/cpp/server/server_callback.cc',
'src/cpp/server/server_cc.cc',
'src/cpp/server/server_context.cc',
'src/cpp/server/server_credentials.cc',
'src/cpp/server/server_posix.cc',
'src/cpp/server/thread_pool_interface.h',
'src/cpp/server/xds_server_builder.cc',

@ -37,9 +37,10 @@ struct grpc_call;
namespace grpc {
class CallCredentials;
class SecureCallCredentials;
class SecureChannelCredentials;
class ChannelCredentials;
namespace testing {
std::string GetOauth2AccessToken();
}
std::shared_ptr<Channel> CreateCustomChannel(
const grpc::string& target,
@ -68,26 +69,18 @@ std::shared_ptr<ChannelCredentials> XdsCredentials(
/// \see https://grpc.io/docs/guides/auth.html
class ChannelCredentials : private grpc::internal::GrpcLibrary {
public:
protected:
friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
const std::shared_ptr<ChannelCredentials>& channel_creds,
const std::shared_ptr<CallCredentials>& call_creds);
~ChannelCredentials() override;
// TODO(yashykt): We need this friend declaration mainly for access to
// AsSecureCredentials(). Once we are able to remove insecure builds from gRPC
// (and also internal dependencies on the indirect method of creating a
// channel through credentials), we would be able to remove this.
friend std::shared_ptr<ChannelCredentials> grpc::XdsCredentials(
const std::shared_ptr<ChannelCredentials>& fallback_creds);
protected:
explicit ChannelCredentials(grpc_channel_credentials* creds);
virtual SecureChannelCredentials* AsSecureCredentials() = 0;
grpc_channel_credentials* c_creds() { return c_creds_; }
private:
friend std::shared_ptr<grpc::Channel> CreateCustomChannel(
const grpc::string& target,
const std::shared_ptr<grpc::ChannelCredentials>& creds,
const grpc::ChannelArguments& args);
friend std::shared_ptr<grpc::Channel>
grpc::experimental::CreateCustomChannelWithInterceptors(
const grpc::string& target,
@ -96,24 +89,23 @@ class ChannelCredentials : private grpc::internal::GrpcLibrary {
std::vector<std::unique_ptr<
grpc::experimental::ClientInterceptorFactoryInterface>>
interceptor_creators);
friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
const std::shared_ptr<ChannelCredentials>& channel_creds,
const std::shared_ptr<CallCredentials>& call_creds);
friend class XdsChannelCredentialsImpl;
virtual std::shared_ptr<Channel> CreateChannelImpl(
const grpc::string& target, const ChannelArguments& args) = 0;
const grpc::string& target, const ChannelArguments& args) {
return CreateChannelWithInterceptors(target, args, {});
}
// This function should have been a pure virtual function, but it is
// implemented as a virtual function so that it does not break API.
virtual std::shared_ptr<Channel> CreateChannelWithInterceptors(
const grpc::string& /*target*/, const ChannelArguments& /*args*/,
const grpc::string& target, const ChannelArguments& args,
std::vector<std::unique_ptr<
grpc::experimental::ClientInterceptorFactoryInterface>>
/*interceptor_creators*/) {
return nullptr;
}
interceptor_creators);
// TODO(yashkt): This is a hack that is needed since InsecureCredentials can
// not use grpc_channel_credentials internally and should be removed after
// insecure builds are removed from gRPC.
virtual bool IsInsecure() const { return false; }
grpc_channel_credentials* const c_creds_;
};
/// A call credentials object encapsulates the state needed by a client to
@ -122,22 +114,24 @@ class ChannelCredentials : private grpc::internal::GrpcLibrary {
/// \see https://grpc.io/docs/guides/auth.html
class CallCredentials : private grpc::internal::GrpcLibrary {
public:
~CallCredentials() override;
/// Apply this instance's credentials to \a call.
virtual bool ApplyToCall(grpc_call* call) = 0;
virtual grpc::string DebugString() {
return "CallCredentials did not provide a debug string";
}
bool ApplyToCall(grpc_call* call);
grpc::string DebugString();
protected:
explicit CallCredentials(grpc_call_credentials* creds);
private:
friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
const std::shared_ptr<ChannelCredentials>& channel_creds,
const std::shared_ptr<CallCredentials>& call_creds);
friend class CompositeCallCredentialsImpl;
friend std::string grpc::testing::GetOauth2AccessToken();
friend std::shared_ptr<CallCredentials> CompositeCallCredentials(
const std::shared_ptr<CallCredentials>& creds1,
const std::shared_ptr<CallCredentials>& creds2);
virtual SecureCallCredentials* AsSecureCredentials() = 0;
grpc_call_credentials* c_creds_ = nullptr;
};
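Review bot: The new protected accessor `grpc_channel_credentials* c_creds() { return c_creds_; }` is non-const, while the matching `ServerCredentials::c_creds() const` added in server_credentials.h by the same commit is const; since the member is itself declared `grpc_channel_credentials* const c_creds_;`, `grpc_channel_credentials* c_creds() const { return c_creds_; }` costs nothing and keeps the two wrappers symmetric. The protected constructors of ChannelCredentials and CallCredentials also say nothing about ownership, although the destructors in channel_credentials.cc and call_credentials.cc release the handle; a line such as `/// Takes ownership of \a creds; it is released when this object is destroyed.` on each constructor would make the contract visible to subclass authors. CallCredentials keeps a `= nullptr` default initializer on `c_creds_` even though its constructor asserts the pointer is non-null, which reads as a leftover from the old design.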
/// Options used to build SslCredentials.

@ -34,7 +34,7 @@ namespace grpc {
class Server;
class ServerCredentials;
class SecureServerCredentials;
/// Options to create ServerCredentials with SSL
struct SslServerCredentialsOptions {
/// \warning Deprecated
@ -68,17 +68,22 @@ std::shared_ptr<ServerCredentials> XdsServerCredentials(
/// Wrapper around \a grpc_server_credentials, a way to authenticate a server.
class ServerCredentials : private grpc::internal::GrpcLibrary {
public:
~ServerCredentials() override;
/// This method is not thread-safe and has to be called before the server is
/// started. The last call to this function wins.
virtual void SetAuthMetadataProcessor(
const std::shared_ptr<grpc::AuthMetadataProcessor>& processor) = 0;
const std::shared_ptr<grpc::AuthMetadataProcessor>& processor);
protected:
explicit ServerCredentials(grpc_server_credentials* creds);
grpc_server_credentials* c_creds() const { return c_creds_; }
private:
// Needed for access to AddPortToServer.
friend class Server;
// We need this friend declaration for access to Insecure() and
// AsSecureServerCredentials(). When these two functions are no longer
// necessary, this friend declaration can be removed too.
// Needed for access to c_creds_.
friend std::shared_ptr<ServerCredentials> grpc::XdsServerCredentials(
const std::shared_ptr<ServerCredentials>& fallback_credentials);
@ -87,18 +92,9 @@ class ServerCredentials : private grpc::internal::GrpcLibrary {
///
/// \return bound port number on success, 0 on failure.
// TODO(dgq): the "port" part seems to be a misnomer.
virtual int AddPortToServer(const std::string& addr, grpc_server* server) = 0;
// TODO(yashykt): This is a hack since InsecureServerCredentials() cannot use
// grpc_insecure_server_credentials_create() and should be removed after
// insecure builds are removed from gRPC.
virtual bool IsInsecure() const { return false; }
// TODO(yashkt): This is a hack that should be removed once we remove insecure
// builds and the indirect method of adding ports to a server.
virtual SecureServerCredentials* AsSecureServerCredentials() {
return nullptr;
}
virtual int AddPortToServer(const std::string& addr, grpc_server* server);
grpc_server_credentials* c_creds_;
};
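Review bot: `grpc_server_credentials* c_creds_;` at the end of the class is left mutable, whereas the ChannelCredentials wrapper in credentials.h declares its handle `const`; nothing in the hunk reassigns it, so `grpc_server_credentials* const c_creds_;` would keep the two types consistent and rule out accidental reassignment behind the const accessor. The class documentation still reads "Wrapper around \a grpc_server_credentials" without stating that the wrapper owns and releases the handle, and the constructor comment could say so explicitly now that subclasses (the binder implementation in this commit) pass `nullptr`. The rest of the class, including the public SSL options above it, is outside the hunk.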
/// Builds SSL ServerCredentials given SSL specific options

@ -28,7 +28,7 @@
#include <grpcpp/support/config.h>
namespace grpc {
class SecureChannelCredentials;
class ChannelCredentials;
namespace testing {
class ChannelArgumentsTest;
} // namespace testing
@ -120,7 +120,7 @@ class ChannelArguments {
}
private:
friend class grpc::SecureChannelCredentials;
friend class grpc::ChannelCredentials;
friend class grpc::testing::ChannelArgumentsTest;
/// Default pointer argument operations.

@ -32,7 +32,7 @@ class BinderServerCredentialsImpl final : public ServerCredentials {
explicit BinderServerCredentialsImpl(
std::shared_ptr<grpc::experimental::binder::SecurityPolicy>
security_policy)
: security_policy_(security_policy) {}
: ServerCredentials(nullptr), security_policy_(security_policy) {}
#ifdef GPR_SUPPORT_BINDER_TRANSPORT
int AddPortToServer(const std::string& addr, grpc_server* server) override {
return grpc_core::AddBinderPort(
@ -50,14 +50,7 @@ class BinderServerCredentialsImpl final : public ServerCredentials {
}
#endif // GPR_SUPPORT_BINDER_TRANSPORT
void SetAuthMetadataProcessor(
const std::shared_ptr<AuthMetadataProcessor>& /*processor*/) override {
grpc_core::Crash("unreachable");
}
private:
bool IsInsecure() const override { return true; }
std::shared_ptr<grpc::experimental::binder::SecurityPolicy> security_policy_;
};
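Review bot: Removing the `SetAuthMetadataProcessor` override that called `grpc_core::Crash("unreachable")` means a call on a `BinderServerCredentialsImpl` now reaches the base `ServerCredentials::SetAuthMetadataProcessor`, while this class initializes the base with `ServerCredentials(nullptr)`. The base implementation lives in server_credentials.cc, which is not in this view, so whether it tolerates a null `c_creds_` cannot be confirmed here; if it does not, the previous explicit crash becomes an implicit null dereference. A comment on the initializer such as `// No core credentials: ports are added via AddPortToServer above; SetAuthMetadataProcessor is unsupported.` would record the intent, and a null guard in the base (if absent) would preserve the earlier fail-fast behavior.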

@ -0,0 +1,39 @@
// Copyright 2024 The gRPC Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include <grpc/support/port_platform.h>
#include "absl/strings/str_cat.h"
#include <grpcpp/security/credentials.h>
#include "src/core/lib/security/credentials/credentials.h"
namespace grpc {
CallCredentials::CallCredentials(grpc_call_credentials* c_creds)
: c_creds_(c_creds) {
GPR_ASSERT(c_creds != nullptr);
}
CallCredentials::~CallCredentials() { grpc_call_credentials_release(c_creds_); }
grpc::string CallCredentials::DebugString() {
return absl::StrCat("CallCredentials{", c_creds_->debug_string(), "}");
}
bool CallCredentials::ApplyToCall(grpc_call* call) {
return grpc_call_set_credentials(call, c_creds_) == GRPC_CALL_OK;
}
} // namespace grpc

@ -0,0 +1,47 @@
// Copyright 2024 The gRPC Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include <grpc/support/port_platform.h>
#include <memory>
#include <string>
#include <vector>
#include <grpc/grpc.h>
#include <grpc/grpc_security.h>
#include <grpcpp/security/credentials.h>
#include <grpcpp/support/channel_arguments.h>
namespace grpc {
ChannelCredentials::ChannelCredentials(grpc_channel_credentials* c_creds)
: c_creds_(c_creds) {}
ChannelCredentials::~ChannelCredentials() {
grpc_channel_credentials_release(c_creds_);
}
std::shared_ptr<Channel> ChannelCredentials::CreateChannelWithInterceptors(
const std::string& target, const ChannelArguments& args,
std::vector<
std::unique_ptr<grpc::experimental::ClientInterceptorFactoryInterface>>
interceptor_creators) {
grpc_channel_args channel_args;
args.SetChannelArgs(&channel_args);
return grpc::CreateChannelInternal(
args.GetSslTargetNameOverride(),
grpc_channel_create(target.c_str(), c_creds_, &channel_args),
std::move(interceptor_creators));
}
} // namespace grpc
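Review bot: `ChannelCredentials::ChannelCredentials` accepts a null `c_creds` (the Cronet and chaotic-good subclasses pass `nullptr`), yet the default `CreateChannelWithInterceptors` forwards `c_creds_` to `grpc_channel_create` unchecked, so any subclass that passes nullptr and does not override it hands core a null credentials pointer. Either guard the default path with `GPR_ASSERT(c_creds_ != nullptr);` before the `grpc_channel_create` call, or state the contract on the constructor: `// A null c_creds is permitted only for subclasses that override CreateChannelWithInterceptors.` Unlike `CallCredentials` this constructor does not assert non-null, so the asymmetry should be deliberate and written down. The destructor also relies on `grpc_channel_credentials_release` tolerating nullptr; a comment is warranted if core guarantees that.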

@ -35,17 +35,8 @@ namespace grpc {
class CronetChannelCredentialsImpl final : public ChannelCredentials {
public:
explicit CronetChannelCredentialsImpl(void* engine) : engine_(engine) {}
std::shared_ptr<grpc::Channel> CreateChannelImpl(
const string& target, const grpc::ChannelArguments& args) override {
return CreateChannelWithInterceptors(
target, args,
std::vector<std::unique_ptr<
experimental::ClientInterceptorFactoryInterface>>());
}
SecureChannelCredentials* AsSecureCredentials() override { return nullptr; }
explicit CronetChannelCredentialsImpl(void* engine)
: ChannelCredentials(nullptr), engine_(engine) {}
private:
std::shared_ptr<grpc::Channel> CreateChannelWithInterceptors(
@ -61,6 +52,7 @@ class CronetChannelCredentialsImpl final : public ChannelCredentials {
&channel_args, nullptr),
std::move(interceptor_creators));
}
void* engine_;
};
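Review bot: The `ChannelCredentials(nullptr)` in `CronetChannelCredentialsImpl`'s constructor needs a comment; as written it reads like an oversight rather than a design choice. Suggested: `// No core credentials object: Cronet builds the channel from engine_ in CreateChannelWithInterceptors.` A null `c_creds_` also appears to mean these credentials cannot be composed via `CompositeChannelCredentials` (which returns nullptr in that case) or used as an xDS fallback (which asserts), and the comment should say so since nothing else makes that visible to callers.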

@ -16,9 +16,6 @@
//
//
#include <memory>
#include <string>
#include <utility>
#include <vector>
#include <grpc/grpc.h>
#include <grpc/grpc_security.h>
@ -27,21 +24,14 @@
#include <grpcpp/support/channel_arguments.h>
#include <grpcpp/support/client_interceptor.h>
#include "src/cpp/client/create_channel_internal.h"
namespace grpc {
namespace {
class InsecureChannelCredentialsImpl final : public ChannelCredentials {
public:
std::shared_ptr<Channel> CreateChannelImpl(
const std::string& target, const ChannelArguments& args) override {
return CreateChannelWithInterceptors(
target, args,
std::vector<std::unique_ptr<
grpc::experimental::ClientInterceptorFactoryInterface>>());
}
InsecureChannelCredentialsImpl()
: ChannelCredentials(grpc_insecure_credentials_create()) {}
private:
std::shared_ptr<Channel> CreateChannelWithInterceptors(
const std::string& target, const ChannelArguments& args,
std::vector<std::unique_ptr<
@ -49,24 +39,15 @@ class InsecureChannelCredentialsImpl final : public ChannelCredentials {
interceptor_creators) override {
grpc_channel_args channel_args;
args.SetChannelArgs(&channel_args);
grpc_channel_credentials* creds = grpc_insecure_credentials_create();
std::shared_ptr<Channel> channel = grpc::CreateChannelInternal(
"", grpc_channel_create(target.c_str(), creds, &channel_args),
return grpc::CreateChannelInternal(
"", grpc_channel_create(target.c_str(), c_creds(), &channel_args),
std::move(interceptor_creators));
grpc_channel_credentials_release(creds);
return channel;
}
SecureChannelCredentials* AsSecureCredentials() override { return nullptr; }
private:
bool IsInsecure() const override { return true; }
};
} // namespace
std::shared_ptr<ChannelCredentials> InsecureChannelCredentials() {
return std::shared_ptr<ChannelCredentials>(
new InsecureChannelCredentialsImpl());
return std::make_shared<InsecureChannelCredentialsImpl>();
}
} // namespace grpc
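Review bot: The `CreateChannelWithInterceptors` override in `InsecureChannelCredentialsImpl` now differs from the base implementation only by passing `""` instead of `args.GetSslTargetNameOverride()` as the host, and nothing says why. Add above the `return`: `// No TLS here, so the SSL target-name override is deliberately ignored.` If the difference is not intended, the override can be dropped and the base class used, as the commit does for the other wrapped credentials types.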

@ -20,8 +20,8 @@
#include <string.h>
#include <algorithm>
#include <map>
#include <memory>
#include <utility>
#include "absl/status/status.h"
@ -30,6 +30,7 @@
#include "absl/types/optional.h"
#include <grpc/event_engine/event_engine.h>
#include <grpc/grpc.h>
#include <grpc/grpc_security_constants.h>
#include <grpc/slice.h>
#include <grpc/support/json.h>
@ -47,73 +48,44 @@
#include "src/core/lib/event_engine/default_event_engine.h"
#include "src/core/lib/gprpp/env.h"
#include "src/core/lib/gprpp/load_file.h"
#include "src/core/lib/gprpp/status_helper.h"
#include "src/core/lib/iomgr/error.h"
#include "src/core/lib/json/json.h"
#include "src/core/lib/json/json_reader.h"
#include "src/core/lib/security/util/json_util.h"
#include "src/cpp/client/create_channel_internal.h"
#include "src/cpp/common/secure_auth_context.h"
#include "src/cpp/server/thread_pool_interface.h"
namespace grpc {
SecureChannelCredentials::SecureChannelCredentials(
grpc_channel_credentials* c_creds)
: c_creds_(c_creds) {}
std::shared_ptr<Channel> SecureChannelCredentials::CreateChannelImpl(
const std::string& target, const ChannelArguments& args) {
return CreateChannelWithInterceptors(
target, args,
std::vector<std::unique_ptr<
grpc::experimental::ClientInterceptorFactoryInterface>>());
}
std::shared_ptr<Channel>
SecureChannelCredentials::CreateChannelWithInterceptors(
const std::string& target, const ChannelArguments& args,
std::vector<
std::unique_ptr<grpc::experimental::ClientInterceptorFactoryInterface>>
interceptor_creators) {
grpc_channel_args channel_args;
args.SetChannelArgs(&channel_args);
return grpc::CreateChannelInternal(
args.GetSslTargetNameOverride(),
grpc_channel_create(target.c_str(), c_creds_, &channel_args),
std::move(interceptor_creators));
}
SecureCallCredentials::SecureCallCredentials(grpc_call_credentials* c_creds)
: c_creds_(c_creds) {}
namespace {
class WrappedCallCredentials : public CallCredentials {
public:
explicit WrappedCallCredentials(grpc_call_credentials* creds)
: CallCredentials(creds) {}
};
bool SecureCallCredentials::ApplyToCall(grpc_call* call) {
return grpc_call_set_credentials(call, c_creds_) == GRPC_CALL_OK;
std::shared_ptr<WrappedCallCredentials> WrapCallCredentials(
grpc_call_credentials* creds) {
return creds == nullptr ? nullptr
: std::make_shared<WrappedCallCredentials>(creds);
}
namespace internal {
class WrappedChannelCredentials final : public ChannelCredentials {
public:
explicit WrappedChannelCredentials(grpc_channel_credentials* c_creds)
: ChannelCredentials(c_creds) {}
};
std::shared_ptr<ChannelCredentials> WrapChannelCredentials(
std::shared_ptr<WrappedChannelCredentials> WrapChannelCredentials(
grpc_channel_credentials* creds) {
return creds == nullptr ? nullptr
: std::shared_ptr<ChannelCredentials>(
new SecureChannelCredentials(creds));
: std::make_shared<WrappedChannelCredentials>(creds);
}
} // namespace internal
namespace {
std::shared_ptr<CallCredentials> WrapCallCredentials(
grpc_call_credentials* creds) {
return creds == nullptr ? nullptr
: std::shared_ptr<CallCredentials>(
new SecureCallCredentials(creds));
}
} // namespace
std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials() {
grpc::internal::GrpcLibrary init; // To call grpc_init().
return internal::WrapChannelCredentials(
return WrapChannelCredentials(
grpc_google_default_credentials_create(nullptr));
}
@ -130,12 +102,10 @@ std::shared_ptr<ChannelCredentials> SslCredentials(
grpc::internal::GrpcLibrary init; // To call grpc_init().
grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {
options.pem_private_key.c_str(), options.pem_cert_chain.c_str()};
grpc_channel_credentials* c_creds = grpc_ssl_credentials_create(
return WrapChannelCredentials(grpc_ssl_credentials_create(
options.pem_root_certs.empty() ? nullptr : options.pem_root_certs.c_str(),
options.pem_private_key.empty() ? nullptr : &pem_key_cert_pair, nullptr,
nullptr);
return internal::WrapChannelCredentials(c_creds);
nullptr));
}
namespace experimental {
@ -259,21 +229,6 @@ std::shared_ptr<CallCredentials> StsCredentials(
return WrapCallCredentials(grpc_sts_credentials_create(&opts, nullptr));
}
std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
std::unique_ptr<MetadataCredentialsPlugin> plugin,
grpc_security_level min_security_level) {
grpc::internal::GrpcLibrary init; // To call grpc_init().
const char* type = plugin->GetType();
grpc::MetadataCredentialsPluginWrapper* wrapper =
new grpc::MetadataCredentialsPluginWrapper(std::move(plugin));
grpc_metadata_credentials_plugin c_plugin = {
grpc::MetadataCredentialsPluginWrapper::GetMetadata,
grpc::MetadataCredentialsPluginWrapper::DebugString,
grpc::MetadataCredentialsPluginWrapper::Destroy, wrapper, type};
return WrapCallCredentials(grpc_metadata_credentials_create_from_plugin(
c_plugin, min_security_level, nullptr));
}
// Builds ALTS Credentials given ALTS specific options
std::shared_ptr<ChannelCredentials> AltsCredentials(
const AltsCredentialsOptions& options) {
@ -286,20 +241,20 @@ std::shared_ptr<ChannelCredentials> AltsCredentials(
}
grpc_channel_credentials* c_creds = grpc_alts_credentials_create(c_options);
grpc_alts_credentials_options_destroy(c_options);
return internal::WrapChannelCredentials(c_creds);
return WrapChannelCredentials(c_creds);
}
// Builds Local Credentials
std::shared_ptr<ChannelCredentials> LocalCredentials(
grpc_local_connect_type type) {
grpc::internal::GrpcLibrary init; // To call grpc_init().
return internal::WrapChannelCredentials(grpc_local_credentials_create(type));
return WrapChannelCredentials(grpc_local_credentials_create(type));
}
// Builds TLS Credentials given TLS options.
std::shared_ptr<ChannelCredentials> TlsCredentials(
const TlsChannelCredentialsOptions& options) {
return internal::WrapChannelCredentials(
return WrapChannelCredentials(
grpc_tls_credentials_create(options.c_credentials_options()));
}
@ -361,93 +316,24 @@ std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
// here. This is OK because the underlying C objects (i.e., channel_creds and
// call_creds) into grpc_composite_credentials_create will see their refcounts
// incremented.
SecureChannelCredentials* s_channel_creds =
channel_creds->AsSecureCredentials();
SecureCallCredentials* s_call_creds = call_creds->AsSecureCredentials();
if (s_channel_creds && s_call_creds) {
return internal::WrapChannelCredentials(
grpc_composite_channel_credentials_create(
s_channel_creds->GetRawCreds(), s_call_creds->GetRawCreds(),
nullptr));
}
return nullptr;
return channel_creds->c_creds_ == nullptr
? nullptr
: WrapChannelCredentials(grpc_composite_channel_credentials_create(
channel_creds->c_creds_, call_creds->c_creds_, nullptr));
}
class CompositeCallCredentialsImpl : public CallCredentials {
public:
CompositeCallCredentialsImpl(const std::shared_ptr<CallCredentials>& creds1,
const std::shared_ptr<CallCredentials>& creds2)
: CallCredentials(grpc_composite_call_credentials_create(
creds1->c_creds_, creds2->c_creds_, nullptr)) {}
};
std::shared_ptr<CallCredentials> CompositeCallCredentials(
const std::shared_ptr<CallCredentials>& creds1,
const std::shared_ptr<CallCredentials>& creds2) {
SecureCallCredentials* s_creds1 = creds1->AsSecureCredentials();
SecureCallCredentials* s_creds2 = creds2->AsSecureCredentials();
if (s_creds1 != nullptr && s_creds2 != nullptr) {
return WrapCallCredentials(grpc_composite_call_credentials_create(
s_creds1->GetRawCreds(), s_creds2->GetRawCreds(), nullptr));
}
return nullptr;
}
std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
std::unique_ptr<MetadataCredentialsPlugin> plugin) {
grpc::internal::GrpcLibrary init; // To call grpc_init().
const char* type = plugin->GetType();
grpc::MetadataCredentialsPluginWrapper* wrapper =
new grpc::MetadataCredentialsPluginWrapper(std::move(plugin));
grpc_metadata_credentials_plugin c_plugin = {
grpc::MetadataCredentialsPluginWrapper::GetMetadata,
grpc::MetadataCredentialsPluginWrapper::DebugString,
grpc::MetadataCredentialsPluginWrapper::Destroy, wrapper, type};
return WrapCallCredentials(grpc_metadata_credentials_create_from_plugin(
c_plugin, GRPC_PRIVACY_AND_INTEGRITY, nullptr));
}
char* MetadataCredentialsPluginWrapper::DebugString(void* wrapper) {
GPR_ASSERT(wrapper);
MetadataCredentialsPluginWrapper* w =
static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
return gpr_strdup(w->plugin_->DebugString().c_str());
}
void MetadataCredentialsPluginWrapper::Destroy(void* wrapper) {
if (wrapper == nullptr) return;
grpc_event_engine::experimental::GetDefaultEventEngine()->Run([wrapper] {
grpc_core::ApplicationCallbackExecCtx callback_exec_ctx;
grpc_core::ExecCtx exec_ctx;
delete static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
});
}
int MetadataCredentialsPluginWrapper::GetMetadata(
void* wrapper, grpc_auth_metadata_context context,
grpc_credentials_plugin_metadata_cb cb, void* user_data,
grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
size_t* num_creds_md, grpc_status_code* status,
const char** error_details) {
GPR_ASSERT(wrapper);
MetadataCredentialsPluginWrapper* w =
static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
if (!w->plugin_) {
*num_creds_md = 0;
*status = GRPC_STATUS_OK;
*error_details = nullptr;
return 1;
}
if (w->plugin_->IsBlocking()) {
// The internals of context may be destroyed if GetMetadata is cancelled.
// Make a copy for InvokePlugin.
grpc_auth_metadata_context context_copy = grpc_auth_metadata_context();
grpc_auth_metadata_context_copy(&context, &context_copy);
// Asynchronous return.
w->thread_pool_->Add([w, context_copy, cb, user_data]() mutable {
w->MetadataCredentialsPluginWrapper::InvokePlugin(
context_copy, cb, user_data, nullptr, nullptr, nullptr, nullptr);
grpc_auth_metadata_context_reset(&context_copy);
});
return 0;
} else {
// Synchronous return.
w->InvokePlugin(context, cb, user_data, creds_md, num_creds_md, status,
error_details);
return 1;
}
return std::make_shared<CompositeCallCredentialsImpl>(creds1, creds2);
}
namespace {
@ -459,61 +345,147 @@ void UnrefMetadata(const std::vector<grpc_metadata>& md) {
}
}
} // namespace
void MetadataCredentialsPluginWrapper::InvokePlugin(
grpc_auth_metadata_context context, grpc_credentials_plugin_metadata_cb cb,
void* user_data, grpc_metadata creds_md[4], size_t* num_creds_md,
grpc_status_code* status_code, const char** error_details) {
std::multimap<std::string, std::string> metadata;
// const_cast is safe since the SecureAuthContext only inc/dec the refcount
// and the object is passed as a const ref to plugin_->GetMetadata.
SecureAuthContext cpp_channel_auth_context(
const_cast<grpc_auth_context*>(context.channel_auth_context));
Status status = plugin_->GetMetadata(context.service_url, context.method_name,
cpp_channel_auth_context, &metadata);
std::vector<grpc_metadata> md;
for (auto& metadatum : metadata) {
grpc_metadata md_entry;
md_entry.key = SliceFromCopiedString(metadatum.first);
md_entry.value = SliceFromCopiedString(metadatum.second);
md.push_back(md_entry);
class MetadataCredentialsPluginWrapper final : private internal::GrpcLibrary {
public:
static void Destroy(void* wrapper) {
if (wrapper == nullptr) return;
grpc_event_engine::experimental::GetDefaultEventEngine()->Run([wrapper] {
grpc_core::ApplicationCallbackExecCtx callback_exec_ctx;
grpc_core::ExecCtx exec_ctx;
delete static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
});
}
if (creds_md != nullptr) {
// Synchronous return.
if (md.size() > GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX) {
static int GetMetadata(
void* wrapper, grpc_auth_metadata_context context,
grpc_credentials_plugin_metadata_cb cb, void* user_data,
grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
size_t* num_creds_md, grpc_status_code* status,
const char** error_details) {
GPR_ASSERT(wrapper);
MetadataCredentialsPluginWrapper* w =
static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
if (!w->plugin_) {
*num_creds_md = 0;
*status_code = GRPC_STATUS_INTERNAL;
*error_details = gpr_strdup(
"blocking plugin credentials returned too many metadata keys");
UnrefMetadata(md);
*status = GRPC_STATUS_OK;
*error_details = nullptr;
return 1;
}
if (w->plugin_->IsBlocking()) {
// The internals of context may be destroyed if GetMetadata is cancelled.
// Make a copy for InvokePlugin.
grpc_auth_metadata_context context_copy = grpc_auth_metadata_context();
grpc_auth_metadata_context_copy(&context, &context_copy);
// Asynchronous return.
// TODO(hork): replace with EventEngine::Run
w->thread_pool_->Add([w, context_copy, cb, user_data]() mutable {
w->MetadataCredentialsPluginWrapper::InvokePlugin(
context_copy, cb, user_data, nullptr, nullptr, nullptr, nullptr);
grpc_auth_metadata_context_reset(&context_copy);
});
return 0;
} else {
for (const auto& elem : md) {
creds_md[*num_creds_md].key = elem.key;
creds_md[*num_creds_md].value = elem.value;
++(*num_creds_md);
// Synchronous return.
w->InvokePlugin(context, cb, user_data, creds_md, num_creds_md, status,
error_details);
return 1;
}
}
static char* DebugString(void* wrapper) {
GPR_ASSERT(wrapper);
MetadataCredentialsPluginWrapper* w =
static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
return gpr_strdup(w->plugin_->DebugString().c_str());
}
explicit MetadataCredentialsPluginWrapper(
std::unique_ptr<MetadataCredentialsPlugin> plugin)
: plugin_(std::move(plugin)) {
if (plugin_->IsBlocking()) {
thread_pool_.reset(CreateDefaultThreadPool());
}
}
private:
void InvokePlugin(
grpc_auth_metadata_context context,
grpc_credentials_plugin_metadata_cb cb, void* user_data,
grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
size_t* num_creds_md, grpc_status_code* status_code,
const char** error_details) {
std::multimap<std::string, std::string> metadata;
// const_cast is safe since the SecureAuthContext only inc/dec the refcount
// and the object is passed as a const ref to plugin_->GetMetadata.
SecureAuthContext cpp_channel_auth_context(
const_cast<grpc_auth_context*>(context.channel_auth_context));
Status status =
plugin_->GetMetadata(context.service_url, context.method_name,
cpp_channel_auth_context, &metadata);
std::vector<grpc_metadata> md;
for (auto& metadatum : metadata) {
grpc_metadata md_entry;
md_entry.key = SliceFromCopiedString(metadatum.first);
md_entry.value = SliceFromCopiedString(metadatum.second);
md.push_back(md_entry);
}
if (creds_md != nullptr) {
// Synchronous return.
if (md.size() > GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX) {
*num_creds_md = 0;
*status_code = GRPC_STATUS_INTERNAL;
*error_details = gpr_strdup(
"blocking plugin credentials returned too many metadata keys");
UnrefMetadata(md);
} else {
for (const auto& elem : md) {
creds_md[*num_creds_md].key = elem.key;
creds_md[*num_creds_md].value = elem.value;
++(*num_creds_md);
}
*status_code = static_cast<grpc_status_code>(status.error_code());
*error_details =
status.ok() ? nullptr : gpr_strdup(status.error_message().c_str());
}
*status_code = static_cast<grpc_status_code>(status.error_code());
*error_details =
status.ok() ? nullptr : gpr_strdup(status.error_message().c_str());
} else {
// Asynchronous return.
cb(user_data, md.empty() ? nullptr : &md[0], md.size(),
static_cast<grpc_status_code>(status.error_code()),
status.error_message().c_str());
UnrefMetadata(md);
}
} else {
// Asynchronous return.
cb(user_data, md.empty() ? nullptr : &md[0], md.size(),
static_cast<grpc_status_code>(status.error_code()),
status.error_message().c_str());
UnrefMetadata(md);
}
std::unique_ptr<ThreadPoolInterface> thread_pool_;
std::unique_ptr<MetadataCredentialsPlugin> plugin_;
};
} // namespace
namespace experimental {
std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
std::unique_ptr<MetadataCredentialsPlugin> plugin,
grpc_security_level min_security_level) {
grpc::internal::GrpcLibrary init; // To call grpc_init().
const char* type = plugin->GetType();
MetadataCredentialsPluginWrapper* wrapper =
new MetadataCredentialsPluginWrapper(std::move(plugin));
grpc_metadata_credentials_plugin c_plugin = {
MetadataCredentialsPluginWrapper::GetMetadata,
MetadataCredentialsPluginWrapper::DebugString,
MetadataCredentialsPluginWrapper::Destroy, wrapper, type};
return WrapCallCredentials(grpc_metadata_credentials_create_from_plugin(
c_plugin, min_security_level, nullptr));
}
MetadataCredentialsPluginWrapper::MetadataCredentialsPluginWrapper(
std::unique_ptr<MetadataCredentialsPlugin> plugin)
: plugin_(std::move(plugin)) {
if (plugin_->IsBlocking()) {
thread_pool_.reset(CreateDefaultThreadPool());
}
} // namespace experimental
std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
std::unique_ptr<MetadataCredentialsPlugin> plugin) {
return experimental::MetadataCredentialsFromPlugin(
std::move(plugin), GRPC_PRIVACY_AND_INTEGRITY);
}
} // namespace grpc
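Review bot: `CompositeChannelCredentials` still dereferences `channel_creds` and `call_creds` with no null check before testing `channel_creds->c_creds_`, so a null shared_ptr argument fails with a null dereference while a credentials object lacking a core handle gets a clean `nullptr` return; the two failure modes should match. Suggested: `if (channel_creds == nullptr || call_creds == nullptr || channel_creds->c_creds_ == nullptr) return nullptr;` (the `call_creds->c_creds_` case is already excluded by the `GPR_ASSERT` in the `CallCredentials` constructor). `CompositeCallCredentials` has the same unchecked dereference and, because `CompositeCallCredentialsImpl`'s base constructor asserts non-null, no longer returns nullptr on failure as the removed code did, which the header's documentation should reflect. `WrapChannelCredentials` and `WrapCallCredentials` take ownership of the passed reference; a one-line comment on each would save readers a trip to the constructors.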

@ -19,14 +19,6 @@
#ifndef GRPC_SRC_CPP_CLIENT_SECURE_CREDENTIALS_H
#define GRPC_SRC_CPP_CLIENT_SECURE_CREDENTIALS_H
#include <stddef.h>
#include <memory>
#include <string>
#include <vector>
#include "absl/strings/str_cat.h"
#include <grpc/grpc.h>
#include <grpc/grpc_security.h>
#include <grpc/status.h>
@ -35,65 +27,9 @@
#include <grpcpp/security/credentials.h>
#include <grpcpp/support/channel_arguments.h>
#include <grpcpp/support/client_interceptor.h>
// TODO(yashykt): We shouldn't be including "src/core" headers.
#include "src/core/lib/iomgr/exec_ctx.h"
#include "src/core/lib/security/credentials/credentials.h"
#include "src/cpp/server/thread_pool_interface.h"
namespace grpc {
class Channel;
class SecureChannelCredentials final : public ChannelCredentials {
public:
explicit SecureChannelCredentials(grpc_channel_credentials* c_creds);
~SecureChannelCredentials() override {
grpc_core::ExecCtx exec_ctx;
if (c_creds_ != nullptr) c_creds_->Unref();
}
grpc_channel_credentials* GetRawCreds() { return c_creds_; }
std::shared_ptr<Channel> CreateChannelImpl(
const std::string& target, const ChannelArguments& args) override;
SecureChannelCredentials* AsSecureCredentials() override { return this; }
private:
std::shared_ptr<Channel> CreateChannelWithInterceptors(
const std::string& target, const ChannelArguments& args,
std::vector<std::unique_ptr<
grpc::experimental::ClientInterceptorFactoryInterface>>
interceptor_creators) override;
grpc_channel_credentials* const c_creds_;
};
class SecureCallCredentials final : public CallCredentials {
public:
explicit SecureCallCredentials(grpc_call_credentials* c_creds);
~SecureCallCredentials() override {
grpc_core::ExecCtx exec_ctx;
if (c_creds_ != nullptr) c_creds_->Unref();
}
grpc_call_credentials* GetRawCreds() { return c_creds_; }
bool ApplyToCall(grpc_call* call) override;
SecureCallCredentials* AsSecureCredentials() override { return this; }
std::string DebugString() override {
return absl::StrCat("SecureCallCredentials{",
std::string(c_creds_->debug_string()), "}");
}
private:
grpc_call_credentials* const c_creds_;
};
namespace internal {
std::shared_ptr<ChannelCredentials> WrapChannelCredentials(
grpc_channel_credentials* creds);
} // namespace internal
namespace experimental {
// Transforms C++ STS Credentials options to core options. The pointers of the
@ -104,29 +40,22 @@ grpc_sts_credentials_options StsCredentialsCppToCoreOptions(
} // namespace experimental
class MetadataCredentialsPluginWrapper final : private internal::GrpcLibrary {
/// ---- DEPRECATED ----
/// This type is going away. Prefer creating a subclass of
/// grpc::ChannelCredentials.
class SecureChannelCredentials final : public grpc::ChannelCredentials {
public:
static void Destroy(void* wrapper);
static int GetMetadata(
void* wrapper, grpc_auth_metadata_context context,
grpc_credentials_plugin_metadata_cb cb, void* user_data,
grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
size_t* num_creds_md, grpc_status_code* status,
const char** error_details);
static char* DebugString(void* wrapper);
explicit MetadataCredentialsPluginWrapper(
std::unique_ptr<MetadataCredentialsPlugin> plugin);
SecureChannelCredentials(grpc_channel_credentials* c_creds)
: ChannelCredentials(c_creds) {}
};
private:
void InvokePlugin(
grpc_auth_metadata_context context,
grpc_credentials_plugin_metadata_cb cb, void* user_data,
grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
size_t* num_creds_md, grpc_status_code* status_code,
const char** error_details);
std::unique_ptr<ThreadPoolInterface> thread_pool_;
std::unique_ptr<MetadataCredentialsPlugin> plugin_;
/// ---- DEPRECATED ----
/// This type is going away. Prefer creating a subclass of
/// grpc::CallCredentials.
class SecureCallCredentials final : public grpc::CallCredentials {
public:
SecureCallCredentials(grpc_call_credentials* c_creds)
: CallCredentials(c_creds) {}
};
} // namespace grpc
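Review bot: The new `SecureChannelCredentials` and `SecureCallCredentials` constructors dropped the `explicit` that the removed declarations had, so a raw `grpc_channel_credentials*` or `grpc_call_credentials*` now converts implicitly into these wrapper types. Restore it: `explicit SecureChannelCredentials(grpc_channel_credentials* c_creds)` and `explicit SecureCallCredentials(grpc_call_credentials* c_creds)`. Since the wrappers take ownership of the reference, an accidental implicit conversion would also silently release a reference the caller did not mean to give up. The deprecation notices are comments only; if the project's deprecation attribute is usable here, applying it would give callers a compile-time warning instead.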

@ -23,24 +23,21 @@
#include <grpc/support/log.h>
#include <grpcpp/security/credentials.h>
#include "src/cpp/client/secure_credentials.h"
namespace grpc {
class XdsChannelCredentialsImpl final : public ChannelCredentials {
public:
explicit XdsChannelCredentialsImpl(
const std::shared_ptr<ChannelCredentials>& fallback_creds)
: ChannelCredentials(
grpc_xds_credentials_create(fallback_creds->c_creds_)) {
GPR_ASSERT(fallback_creds->c_creds_ != nullptr);
}
};
std::shared_ptr<ChannelCredentials> XdsCredentials(
const std::shared_ptr<ChannelCredentials>& fallback_creds) {
GPR_ASSERT(fallback_creds != nullptr);
if (fallback_creds->IsInsecure()) {
grpc_channel_credentials* insecure_creds =
grpc_insecure_credentials_create();
auto xds_creds = internal::WrapChannelCredentials(
grpc_xds_credentials_create(insecure_creds));
grpc_channel_credentials_release(insecure_creds);
return xds_creds;
} else {
return internal::WrapChannelCredentials(grpc_xds_credentials_create(
fallback_creds->AsSecureCredentials()->GetRawCreds()));
}
return std::make_shared<XdsChannelCredentialsImpl>(fallback_creds);
}
namespace experimental {
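Review bot: In `XdsChannelCredentialsImpl`'s constructor the `GPR_ASSERT(fallback_creds->c_creds_ != nullptr)` runs after the member initializer has already passed `fallback_creds->c_creds_` to `grpc_xds_credentials_create`, so it cannot guard that call; and the removed `GPR_ASSERT(fallback_creds != nullptr)` from `XdsCredentials` is gone, so a null shared_ptr now fails as a null dereference in the initializer rather than an assertion. Move both checks ahead of construction, in `XdsCredentials` before the `make_shared`: `GPR_ASSERT(fallback_creds != nullptr);` then `GPR_ASSERT(fallback_creds->c_creds_ != nullptr);`. Whether core's `grpc_xds_credentials_create` asserts on a null fallback itself is not visible here; even if it does, the wrapper's check should come first so the failure is reported from this layer.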

@ -217,4 +217,17 @@ void ChannelArguments::SetChannelArgs(grpc_channel_args* channel_args) const {
}
}
void ChannelArguments::SetSslTargetNameOverride(const std::string& name) {
SetString(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG, name);
}
std::string ChannelArguments::GetSslTargetNameOverride() const {
for (unsigned int i = 0; i < args_.size(); i++) {
if (std::string(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) == args_[i].key) {
return args_[i].value.string;
}
}
return "";
}
} // namespace grpc
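Review bot: `GetSslTargetNameOverride` constructs a fresh `std::string` from `GRPC_SSL_TARGET_NAME_OVERRIDE_ARG` on every iteration of an index loop; this is moved code, but since it is being relocated a range-for with the comparison hoisted reads better, e.g. `const std::string key = GRPC_SSL_TARGET_NAME_OVERRIDE_ARG;` followed by `for (const auto& arg : args_) { if (key == arg.key) return arg.value.string; }`. It also reads `value.string` on key match alone, which is only safe while this key is set exclusively through `SetString` (as `SetSslTargetNameOverride` does); a one-line comment noting that assumption would help the next maintainer.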

@ -1,41 +0,0 @@
//
//
// Copyright 2015 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//
#include <string>
#include <vector>
#include <grpc/grpc.h>
#include <grpc/impl/channel_arg_names.h>
#include <grpcpp/support/channel_arguments.h>
namespace grpc {
void ChannelArguments::SetSslTargetNameOverride(const std::string& name) {
SetString(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG, name);
}
std::string ChannelArguments::GetSslTargetNameOverride() const {
for (unsigned int i = 0; i < args_.size(); i++) {
if (std::string(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) == args_[i].key) {
return args_[i].value.string;
}
}
return "";
}
} // namespace grpc

@ -20,7 +20,6 @@
#include "src/core/ext/transport/chaotic_good/client/chaotic_good_connector.h"
#include "src/core/ext/transport/chaotic_good/server/chaotic_good_server.h"
#include "src/core/lib/gprpp/crash.h"
namespace grpc {
@ -29,11 +28,9 @@ namespace {
class ChaoticGoodInsecureChannelCredentialsImpl final
: public ChannelCredentials {
public:
std::shared_ptr<Channel> CreateChannelImpl(
const grpc::string& target, const grpc::ChannelArguments& args) override {
return CreateChannelWithInterceptors(target, args, {});
}
ChaoticGoodInsecureChannelCredentialsImpl() : ChannelCredentials(nullptr) {}
private:
std::shared_ptr<Channel> CreateChannelWithInterceptors(
const grpc::string& target, const grpc::ChannelArguments& args,
std::vector<
@ -46,24 +43,16 @@ class ChaoticGoodInsecureChannelCredentialsImpl final
std::move(interceptor_creators));
return channel;
}
SecureChannelCredentials* AsSecureCredentials() override { return nullptr; }
private:
bool IsInsecure() const override { return true; }
};
class ChaoticGoodInsecureServerCredentialsImpl final
: public ServerCredentials {
public:
ChaoticGoodInsecureServerCredentialsImpl() : ServerCredentials(nullptr) {}
int AddPortToServer(const std::string& addr, grpc_server* server) override {
return grpc_server_add_chaotic_good_port(server, addr.c_str());
}
void SetAuthMetadataProcessor(
const std::shared_ptr<AuthMetadataProcessor>&) override {
grpc_core::Crash("Not supported on insecure server credentials");
}
};
} // namespace
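Review bot: Both chaotic-good credentials classes now pass `nullptr` to their base constructors without explanation, and the removed `SetAuthMetadataProcessor` override that crashed with "Not supported on insecure server credentials" is replaced by whatever the base `ServerCredentials` does, which is not visible in this hunk. Add a comment on each constructor, e.g. `// No core credentials object: chaotic-good wires its own transport in CreateChannelWithInterceptors / AddPortToServer.`, and confirm the base `SetAuthMetadataProcessor` still rejects a null `c_creds()` rather than forwarding it to core. A null `c_creds_` also makes `CompositeChannelCredentials` return nullptr for the channel credentials, which callers should be told.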

@ -17,7 +17,6 @@
//
#include <memory>
#include <string>
#include <grpc/grpc.h>
#include <grpc/grpc_security.h>
@ -29,27 +28,13 @@ namespace grpc {
namespace {
class InsecureServerCredentialsImpl final : public ServerCredentials {
public:
int AddPortToServer(const std::string& addr, grpc_server* server) override {
grpc_server_credentials* server_creds =
grpc_insecure_server_credentials_create();
int result = grpc_server_add_http2_port(server, addr.c_str(), server_creds);
grpc_server_credentials_release(server_creds);
return result;
}
void SetAuthMetadataProcessor(
const std::shared_ptr<grpc::AuthMetadataProcessor>& processor) override {
(void)processor;
GPR_ASSERT(0); // Should not be called on InsecureServerCredentials.
}
private:
bool IsInsecure() const override { return true; }
InsecureServerCredentialsImpl()
: ServerCredentials(grpc_insecure_server_credentials_create()) {}
};
} // namespace
std::shared_ptr<ServerCredentials> InsecureServerCredentials() {
return std::shared_ptr<ServerCredentials>(
new InsecureServerCredentialsImpl());
return std::make_shared<InsecureServerCredentialsImpl>();
}
} // namespace grpc
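Review bot: `InsecureServerCredentialsImpl` drops its `SetAuthMetadataProcessor` override, which used to assert, so attaching an auth-metadata processor to insecure server credentials now does whatever the base `ServerCredentials` implementation does with a non-null insecure `c_creds()`; that behaviour lives outside this hunk and should be confirmed and stated. A comment on the class would make the intent explicit: `// Relies on the base class for AddPortToServer and SetAuthMetadataProcessor via c_creds().` Creating the core insecure credentials once in the constructor rather than per `AddPortToServer` call is presumably fine given the object is refcounted, but that, too, is worth a line.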

@ -18,8 +18,6 @@
#include "src/cpp/server/secure_server_credentials.h"
#include <algorithm>
#include <map>
#include <memory>
#include <utility>
#include <vector>
@ -51,6 +49,7 @@ void AuthMetadataProcessorAsyncWrapper::Process(
return;
}
if (w->processor_->IsBlocking()) {
// TODO(hork): replace with EventEngine::Run
w->thread_pool_->Add([w, context, md, num_md, cb, user_data] {
w->AuthMetadataProcessorAsyncWrapper::InvokeProcessor(context, md, num_md,
cb, user_data);
@ -97,17 +96,15 @@ void AuthMetadataProcessorAsyncWrapper::InvokeProcessor(
status.error_message().c_str());
}
int SecureServerCredentials::AddPortToServer(const std::string& addr,
grpc_server* server) {
return grpc_server_add_http2_port(server, addr.c_str(), creds_);
}
SecureServerCredentials::SecureServerCredentials(grpc_server_credentials* creds)
: ServerCredentials(creds) {}
void SecureServerCredentials::SetAuthMetadataProcessor(
const std::shared_ptr<grpc::AuthMetadataProcessor>& processor) {
auto* wrapper = new grpc::AuthMetadataProcessorAsyncWrapper(processor);
grpc_server_credentials_set_auth_metadata_processor(
creds_, {grpc::AuthMetadataProcessorAsyncWrapper::Process,
grpc::AuthMetadataProcessorAsyncWrapper::Destroy, wrapper});
c_creds(), {grpc::AuthMetadataProcessorAsyncWrapper::Process,
grpc::AuthMetadataProcessorAsyncWrapper::Destroy, wrapper});
}
std::shared_ptr<ServerCredentials> SslServerCredentials(
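Review bot: In `SecureServerCredentials::SetAuthMetadataProcessor` the `wrapper` allocated with `new` is handed to core via `grpc_server_credentials_set_auth_metadata_processor` with `Destroy` as its deleter, but nothing in the function says so, and the `processor_` member declared in the header is never assigned here. Add above the call: `// Ownership of wrapper passes to core, which frees it through AuthMetadataProcessorAsyncWrapper::Destroy.` The trailing `SslServerCredentials` signature at the end of the hunk is cut off, so its body was not reviewed.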

@ -19,10 +19,7 @@
#ifndef GRPC_SRC_CPP_SERVER_SECURE_SERVER_CREDENTIALS_H
#define GRPC_SRC_CPP_SERVER_SECURE_SERVER_CREDENTIALS_H
#include <stddef.h>
#include <memory>
#include <string>
#include <grpc/grpc.h>
#include <grpc/grpc_security.h>
@ -32,9 +29,6 @@
#include "src/cpp/server/thread_pool_interface.h"
namespace grpc {
class SecureServerCredentials;
class AuthMetadataProcessorAsyncWrapper final {
public:
static void Destroy(void* wrapper);
@ -59,25 +53,18 @@ class AuthMetadataProcessorAsyncWrapper final {
std::shared_ptr<AuthMetadataProcessor> processor_;
};
// TODO(hork): Remove this class once we either (a) allow AuthMetadataProcessor
// to be used with any creds type as requested in #21589 or (b) find a way to
// remove AuthMetadataProcessor in favor of some new server-side interception
// API.
class SecureServerCredentials final : public ServerCredentials {
public:
explicit SecureServerCredentials(grpc_server_credentials* creds)
: creds_(creds) {}
~SecureServerCredentials() override {
grpc_server_credentials_release(creds_);
}
int AddPortToServer(const std::string& addr, grpc_server* server) override;
explicit SecureServerCredentials(grpc_server_credentials* creds);
void SetAuthMetadataProcessor(
const std::shared_ptr<grpc::AuthMetadataProcessor>& processor) override;
grpc_server_credentials* c_creds() { return creds_; }
private:
SecureServerCredentials* AsSecureServerCredentials() override { return this; }
grpc_server_credentials* creds_;
std::unique_ptr<grpc::AuthMetadataProcessorAsyncWrapper> processor_;
};
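Review bot: The surviving member `std::unique_ptr<grpc::AuthMetadataProcessorAsyncWrapper> processor_;` looks unused after this refactor: `SetAuthMetadataProcessor` allocates the wrapper with `new` and hands it to the C credentials object, which frees it through `Destroy`, and nothing visible ever assigns `processor_`. Either drop the member or, if it is assigned somewhere outside this diff, document who owns the wrapper. The declaration `explicit SecureServerCredentials(grpc_server_credentials* creds);` now adopts the handle and relies on `~ServerCredentials` to release it; `// Takes ownership of creds; released by the base destructor.` would make that visible at the API surface.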

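--- a/src/cpp/server/server_credentials.cc
+++ b/src/cpp/server/server_credentials.cc
@@ -0,0 +1,39 @@
+// Copyright 2024 The gRPC Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#include <grpc/support/port_platform.h>
+#include <grpcpp/security/server_credentials.h>
+#include "src/core/lib/gprpp/crash.h"
+namespace grpc {
+ServerCredentials::ServerCredentials(grpc_server_credentials* creds)
+: c_creds_(creds) {}
+ServerCredentials::~ServerCredentials() {
+grpc_server_credentials_release(c_creds_);
+}
+void ServerCredentials::SetAuthMetadataProcessor(
+const std::shared_ptr<grpc::AuthMetadataProcessor>& /* processor */) {
+grpc_core::Crash("Not Supported");
+}
+int ServerCredentials::AddPortToServer(const std::string& addr,
+grpc_server* server) {
+return grpc_server_add_http2_port(server, addr.c_str(), c_creds_);
+}
+} // namespace grpc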
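Review bot: `ServerCredentials::~ServerCredentials()` now releases a raw C handle, so unless the header (not in this diff) deletes the copy constructor and copy assignment, copying a `ServerCredentials` would release the same handle twice; `ServerCredentials(const ServerCredentials&) = delete;` and `ServerCredentials& operator=(const ServerCredentials&) = delete;` in the header close that. `BinderServerCredentialsImpl` constructs the base with `nullptr` (binder_server_credentials.cc hunk), so the destructor and the default `AddPortToServer`, which passes `c_creds_` straight to `grpc_server_add_http2_port`, both depend on the C API tolerating a null handle — I believe the release call does, but a `GPR_ASSERT(c_creds_ != nullptr);` at the top of `AddPortToServer` would make the contract explicit for any subclass that passes `nullptr` and forgets to override it. The base `SetAuthMetadataProcessor` aborts the process with `grpc_core::Crash("Not Supported")`, which deserves a doc comment on the declaration stating which credentials types do support a processor.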

@ -23,24 +23,14 @@
#include <grpc/support/log.h>
#include <grpcpp/security/server_credentials.h>
#include "src/cpp/server/secure_server_credentials.h"
namespace grpc {
std::shared_ptr<ServerCredentials> XdsServerCredentials(
const std::shared_ptr<ServerCredentials>& fallback_credentials) {
GPR_ASSERT(fallback_credentials != nullptr);
if (fallback_credentials->IsInsecure()) {
grpc_server_credentials* insecure_creds =
grpc_insecure_server_credentials_create();
auto xds_creds = std::make_shared<SecureServerCredentials>(
grpc_xds_server_credentials_create(insecure_creds));
grpc_server_credentials_release(insecure_creds);
return xds_creds;
}
return std::make_shared<SecureServerCredentials>(
grpc_xds_server_credentials_create(
fallback_credentials->AsSecureServerCredentials()->c_creds()));
GPR_ASSERT(fallback_credentials->c_creds_ != nullptr);
return std::shared_ptr<ServerCredentials>(new ServerCredentials(
grpc_xds_server_credentials_create(fallback_credentials->c_creds_)));
}
namespace experimental {
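Review bot: `XdsServerCredentials` reads `fallback_credentials->c_creds_` directly, where the rest of the change standardizes on a `c_creds()` accessor (see `SecureServerCredentials::SetAuthMetadataProcessor`), and builds the result with `std::shared_ptr<ServerCredentials>(new ServerCredentials(...))` where `InsecureServerCredentials` in the same change uses `std::make_shared`; if the constructor is public, `return std::make_shared<ServerCredentials>(grpc_xds_server_credentials_create(fallback_credentials->c_creds()));` is the consistent form. The added `GPR_ASSERT(fallback_credentials->c_creds_ != nullptr)` is worth keeping, since `BinderServerCredentialsImpl` passes `nullptr` to the base and an xDS wrapper over it would otherwise hand a null pointer to `grpc_xds_server_credentials_create`; a comment on the assert saying so, `// Binder creds carry no C handle; xDS needs a real fallback.`, saves the next reader the search.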

@ -38,6 +38,8 @@ namespace {
class BinderServerCredentialsImpl final : public ServerCredentials {
public:
BinderServerCredentialsImpl() : ServerCredentials(nullptr) {}
int AddPortToServer(const std::string& addr, grpc_server* server) override {
return grpc_core::AddBinderPort(
addr, server,
@ -49,14 +51,6 @@ class BinderServerCredentialsImpl final : public ServerCredentials {
std::make_shared<
grpc::experimental::binder::UntrustedSecurityPolicy>());
}
void SetAuthMetadataProcessor(
const std::shared_ptr<AuthMetadataProcessor>& /*processor*/) override {
grpc_core::Crash("unreachable");
}
private:
bool IsInsecure() const override { return true; }
};
} // namespace

@ -70,7 +70,6 @@
#include "src/core/resolver/fake/fake_resolver.h"
#include "src/core/service_config/service_config.h"
#include "src/core/service_config/service_config_impl.h"
#include "src/cpp/client/secure_credentials.h"
#include "src/cpp/server/secure_server_credentials.h"
#include "src/proto/grpc/health/v1/health.grpc.pb.h"
#include "src/proto/grpc/testing/echo.grpc.pb.h"
@ -81,6 +80,7 @@
#include "test/core/util/test_lb_policies.h"
#include "test/cpp/end2end/connection_attempt_injector.h"
#include "test/cpp/end2end/test_service_impl.h"
#include "test/cpp/util/credentials.h"
namespace grpc {
namespace testing {
@ -262,8 +262,7 @@ class ClientLbEnd2endTest : public ::testing::Test {
protected:
ClientLbEnd2endTest()
: server_host_("localhost"),
creds_(new SecureChannelCredentials(
grpc_fake_transport_security_credentials_create())) {}
creds_(std::make_shared<FakeTransportSecurityChannelCredentials>()) {}
void SetUp() override { grpc_init(); }

@ -84,52 +84,53 @@ const char kTestCredsPluginErrorMsg[] = "Could not find plugin metadata.";
const char kFakeToken[] = "fake_token";
const char kFakeSelector[] = "fake_selector";
const char kExpectedFakeCredsDebugString[] =
"SecureCallCredentials{GoogleIAMCredentials{Token:present,"
"CallCredentials{GoogleIAMCredentials{Token:present,"
"AuthoritySelector:fake_selector}}";
const char kWrongToken[] = "wrong_token";
const char kWrongSelector[] = "wrong_selector";
const char kExpectedWrongCredsDebugString[] =
"SecureCallCredentials{GoogleIAMCredentials{Token:present,"
"CallCredentials{GoogleIAMCredentials{Token:present,"
"AuthoritySelector:wrong_selector}}";
const char kFakeToken1[] = "fake_token1";
const char kFakeSelector1[] = "fake_selector1";
const char kExpectedFakeCreds1DebugString[] =
"SecureCallCredentials{GoogleIAMCredentials{Token:present,"
"CallCredentials{GoogleIAMCredentials{Token:present,"
"AuthoritySelector:fake_selector1}}";
const char kFakeToken2[] = "fake_token2";
const char kFakeSelector2[] = "fake_selector2";
const char kExpectedFakeCreds2DebugString[] =
"SecureCallCredentials{GoogleIAMCredentials{Token:present,"
"CallCredentials{GoogleIAMCredentials{Token:present,"
"AuthoritySelector:fake_selector2}}";
const char kExpectedAuthMetadataPluginKeyFailureCredsDebugString[] =
"SecureCallCredentials{TestMetadataCredentials{key:TestPluginMetadata,"
"CallCredentials{TestMetadataCredentials{key:TestPluginMetadata,"
"value:Does not matter, will fail the key is invalid.}}";
const char kExpectedAuthMetadataPluginValueFailureCredsDebugString[] =
"SecureCallCredentials{TestMetadataCredentials{key:test-plugin-metadata,"
"CallCredentials{TestMetadataCredentials{key:test-plugin-metadata,"
"value:With illegal \n value.}}";
const char kExpectedAuthMetadataPluginWithDeadlineCredsDebugString[] =
"SecureCallCredentials{TestMetadataCredentials{key:meta_key,value:Does not "
"CallCredentials{TestMetadataCredentials{key:meta_key,value:Does "
"not "
"matter}}";
const char kExpectedNonBlockingAuthMetadataPluginFailureCredsDebugString[] =
"SecureCallCredentials{TestMetadataCredentials{key:test-plugin-metadata,"
"CallCredentials{TestMetadataCredentials{key:test-plugin-metadata,"
"value:Does not matter, will fail anyway (see 3rd param)}}";
const char
kExpectedNonBlockingAuthMetadataPluginAndProcessorSuccessCredsDebugString
[] = "SecureCallCredentials{TestMetadataCredentials{key:test-plugin-"
[] = "CallCredentials{TestMetadataCredentials{key:test-plugin-"
"metadata,value:Dr Jekyll}}";
const char
kExpectedNonBlockingAuthMetadataPluginAndProcessorFailureCredsDebugString
[] = "SecureCallCredentials{TestMetadataCredentials{key:test-plugin-"
[] = "CallCredentials{TestMetadataCredentials{key:test-plugin-"
"metadata,value:Mr Hyde}}";
const char kExpectedBlockingAuthMetadataPluginFailureCredsDebugString[] =
"SecureCallCredentials{TestMetadataCredentials{key:test-plugin-metadata,"
"CallCredentials{TestMetadataCredentials{key:test-plugin-metadata,"
"value:Does not matter, will fail anyway (see 3rd param)}}";
const char kExpectedCompositeCallCredsDebugString[] =
"SecureCallCredentials{CompositeCallCredentials{TestMetadataCredentials{"
"CallCredentials{CompositeCallCredentials{TestMetadataCredentials{"
"key:call-creds-key1,value:call-creds-val1},TestMetadataCredentials{key:"
"call-creds-key2,value:call-creds-val2}}}";

@ -58,7 +58,6 @@
#include "src/core/resolver/endpoint_addresses.h"
#include "src/core/resolver/fake/fake_resolver.h"
#include "src/core/service_config/service_config_impl.h"
#include "src/cpp/client/secure_credentials.h"
#include "src/cpp/server/secure_server_credentials.h"
#include "src/proto/grpc/lb/v1/load_balancer.grpc.pb.h"
#include "src/proto/grpc/testing/echo.grpc.pb.h"
@ -67,6 +66,7 @@
#include "test/core/util/test_config.h"
#include "test/cpp/end2end/counted_service.h"
#include "test/cpp/end2end/test_service_impl.h"
#include "test/cpp/util/credentials.h"
#include "test/cpp/util/test_config.h"
// TODO(dgq): Other scenarios in need of testing:
@ -605,9 +605,8 @@ class GrpclbEnd2endTest : public ::testing::Test {
grpc_fake_transport_security_credentials_create();
grpc_call_credentials* call_creds = grpc_md_only_test_credentials_create(
kCallCredsMdKey, kCallCredsMdValue);
std::shared_ptr<ChannelCredentials> creds(
new SecureChannelCredentials(grpc_composite_channel_credentials_create(
channel_creds, call_creds, nullptr)));
auto creds = std::make_shared<TestCompositeChannelCredentials>(
channel_creds, call_creds);
call_creds->Unref();
channel_creds->Unref();
channel_ = grpc::CreateCustomChannel(

@ -34,11 +34,11 @@
#include "src/core/lib/experiments/config.h"
#include "src/core/lib/gprpp/notification.h"
#include "src/core/lib/security/credentials/fake/fake_credentials.h"
#include "src/cpp/client/secure_credentials.h"
#include "src/cpp/server/secure_server_credentials.h"
#include "src/proto/grpc/testing/echo.grpc.pb.h"
#include "test/core/util/port.h"
#include "test/core/util/test_config.h"
#include "test/cpp/util/credentials.h"
// IWYU pragma: no_include <sys/socket.h>
@ -186,9 +186,7 @@ class End2EndConnectionQuotaTest : public ::testing::TestWithParam<int> {
return EchoTestService::NewStub(CreateCustomChannel(
connect_address_,
std::make_shared<SecureChannelCredentials>(
grpc_fake_transport_security_credentials_create()),
args));
std::make_shared<FakeTransportSecurityChannelCredentials>(), args));
}
void TestExceedingConnectionQuota() {

@ -52,7 +52,6 @@
#include "src/core/load_balancing/rls/rls.h"
#include "src/core/resolver/fake/fake_resolver.h"
#include "src/core/service_config/service_config_impl.h"
#include "src/cpp/client/secure_credentials.h"
#include "src/cpp/server/secure_server_credentials.h"
#include "src/proto/grpc/lookup/v1/rls.grpc.pb.h"
#include "src/proto/grpc/lookup/v1/rls.pb.h"
@ -65,6 +64,7 @@
#include "test/cpp/end2end/counted_service.h"
#include "test/cpp/end2end/rls_server.h"
#include "test/cpp/end2end/test_service_impl.h"
#include "test/cpp/util/credentials.h"
#include "test/cpp/util/test_config.h"
using ::grpc::lookup::v1::RouteLookupRequest;
@ -198,13 +198,12 @@ class RlsEnd2endTest : public ::testing::Test {
grpc_fake_transport_security_credentials_create();
grpc_call_credentials* call_creds = grpc_md_only_test_credentials_create(
kCallCredsMdKey, kCallCredsMdValue);
auto creds = std::make_shared<SecureChannelCredentials>(
grpc_composite_channel_credentials_create(channel_creds, call_creds,
nullptr));
auto creds = std::make_shared<TestCompositeChannelCredentials>(
channel_creds, call_creds);
call_creds->Unref();
channel_creds->Unref();
target_uri_ = absl::StrCat("fake:///", kServerName);
channel_ = grpc::CreateCustomChannel(target_uri_, std::move(creds), args);
channel_ = grpc::CreateCustomChannel(target_uri_, creds, args);
stub_ = grpc::testing::EchoTestService::NewStub(channel_);
}

@ -59,13 +59,13 @@
#include "src/core/resolver/endpoint_addresses.h"
#include "src/core/resolver/fake/fake_resolver.h"
#include "src/core/service_config/service_config_impl.h"
#include "src/cpp/client/secure_credentials.h"
#include "src/cpp/server/secure_server_credentials.h"
#include "src/proto/grpc/testing/echo.grpc.pb.h"
#include "test/core/util/port.h"
#include "test/core/util/resolve_localhost_ip46.h"
#include "test/core/util/test_config.h"
#include "test/cpp/end2end/test_service_impl.h"
#include "test/cpp/util/credentials.h"
namespace grpc {
namespace testing {
@ -119,8 +119,7 @@ class ServiceConfigEnd2endTest : public ::testing::Test {
ServiceConfigEnd2endTest()
: server_host_("localhost"),
kRequestMessage_("Live long and prosper."),
creds_(new SecureChannelCredentials(
grpc_fake_transport_security_credentials_create())) {}
creds_(std::make_shared<FakeTransportSecurityChannelCredentials>()) {}
static void SetUpTestSuite() {
// Make the backup poller poll very frequently in order to pick up

@ -29,7 +29,6 @@
#include "src/core/client_channel/backup_poller.h"
#include "src/core/lib/config/config_vars.h"
#include "src/cpp/client/secure_credentials.h"
#include "src/proto/grpc/testing/xds/v3/cluster.grpc.pb.h"
#include "src/proto/grpc/testing/xds/v3/endpoint.grpc.pb.h"
#include "src/proto/grpc/testing/xds/v3/http_connection_manager.grpc.pb.h"
@ -38,6 +37,7 @@
#include "test/core/util/resolve_localhost_ip46.h"
#include "test/core/util/test_config.h"
#include "test/cpp/end2end/xds/xds_end2end_test_lib.h"
#include "test/cpp/util/credentials.h"
#ifndef DISABLED_XDS_PROTO_IN_CC
@ -246,8 +246,7 @@ class ClientStatusDiscoveryServiceTest : public XdsEnd2endTest {
grpc_core::LocalIpAndPort(admin_server_thread_->port());
admin_channel_ = grpc::CreateChannel(
admin_server_address,
std::make_shared<SecureChannelCredentials>(
grpc_fake_transport_security_credentials_create()));
std::make_shared<FakeTransportSecurityChannelCredentials>());
csds_stub_ =
envoy::service::status::v3::ClientStatusDiscoveryService::NewStub(
admin_channel_);

@ -30,7 +30,6 @@
#include "absl/strings/str_cat.h"
#include "absl/strings/str_format.h"
#include "absl/strings/str_join.h"
#include "absl/strings/str_replace.h"
#include "absl/strings/string_view.h"
#include "absl/types/optional.h"
@ -42,10 +41,10 @@
#include "src/core/lib/gpr/tmpfile.h"
#include "src/core/lib/gprpp/env.h"
#include "src/core/lib/surface/server.h"
#include "src/cpp/client/secure_credentials.h"
#include "src/proto/grpc/testing/xds/v3/router.grpc.pb.h"
#include "test/core/util/resolve_localhost_ip46.h"
#include "test/core/util/tls_utils.h"
#include "test/cpp/util/credentials.h"
#include "test/cpp/util/tls_test_utils.h"
namespace grpc {
@ -572,8 +571,7 @@ std::shared_ptr<Channel> XdsEnd2endTest::CreateChannel(
std::shared_ptr<ChannelCredentials> channel_creds =
GetParam().use_xds_credentials()
? XdsCredentials(CreateTlsFallbackCredentials())
: std::make_shared<SecureChannelCredentials>(
grpc_fake_transport_security_credentials_create());
: std::make_shared<FakeTransportSecurityChannelCredentials>();
return grpc::CreateCustomChannel(uri, channel_creds, *args);
}

@ -32,7 +32,7 @@ grpc_cc_test(
language = "C++",
tags = [],
deps = [
"//:grpc++",
"//:grpc++_unsecure",
"//:grpcpp_chaotic_good",
"//test/core/util:grpc_test_util",
],

@ -34,8 +34,6 @@
#include <grpcpp/create_channel.h>
#include <grpcpp/security/credentials.h>
#include "src/core/lib/gprpp/crash.h"
#include "src/cpp/client/secure_credentials.h"
#include "test/core/security/oauth2_utils.h"
#include "test/cpp/util/create_test_channel.h"
#include "test/cpp/util/test_credentials_provider.h"
@ -68,11 +66,7 @@ std::string GetServiceAccountJsonKey() {
std::string GetOauth2AccessToken() {
std::shared_ptr<CallCredentials> creds = GoogleComputeEngineCredentials();
SecureCallCredentials* secure_creds =
dynamic_cast<SecureCallCredentials*>(creds.get());
GPR_ASSERT(secure_creds != nullptr);
grpc_call_credentials* c_creds = secure_creds->GetRawCreds();
char* token = grpc_test_fetch_oauth2_token_with_credentials(c_creds);
char* token = grpc_test_fetch_oauth2_token_with_credentials(creds->c_creds_);
GPR_ASSERT(token != nullptr);
gpr_log(GPR_INFO, "Get raw oauth2 access token: %s", token);
std::string access_token(token + sizeof("Bearer ") - 1);
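Review bot: The rewrite drops the only null check on the credentials before use: the removed `dynamic_cast` plus `GPR_ASSERT(secure_creds != nullptr)` also covered `GoogleComputeEngineCredentials()` returning an empty `shared_ptr`, and `creds->c_creds_` now dereferences it unchecked; add `GPR_ASSERT(creds != nullptr);` before the fetch. The test also reads the `c_creds_` data member directly rather than through the `c_creds()` accessor the change introduces elsewhere; if the member is meant to stay encapsulated, prefer the accessor. `GetOauth2AccessToken` continues past the end of the hunk.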

@ -60,6 +60,7 @@ GRPCXX_TESTUTIL_SRCS = [
GRPCXX_TESTUTIL_HDRS = [
"byte_buffer_proto_helper.h",
"credentials.h",
"string_ref_helper.h",
"subprocess.h",
]

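--- a/test/cpp/util/credentials.h
+++ b/test/cpp/util/credentials.h
@@ -0,0 +1,41 @@
+// Copyright 2024 The gRPC Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#ifndef GRPC_TEST_CPP_UTIL_CREDENTIALS_H
+#define GRPC_TEST_CPP_UTIL_CREDENTIALS_H
+#include <grpcpp/security/credentials.h>
+#include "src/core/lib/security/credentials/fake/fake_credentials.h"
+namespace grpc {
+namespace testing {
+class FakeTransportSecurityChannelCredentials : public ChannelCredentials {
+public:
+FakeTransportSecurityChannelCredentials()
+: ChannelCredentials(grpc_fake_transport_security_credentials_create()) {}
+};
+class TestCompositeChannelCredentials : public ChannelCredentials {
+public:
+TestCompositeChannelCredentials(grpc_channel_credentials* channel_creds,
+grpc_call_credentials* call_creds)
+: ChannelCredentials(grpc_composite_channel_credentials_create(
+channel_creds, call_creds, nullptr)) {}
+};
+} // namespace testing
+} // namespace grpc
+#endif // GRPC_TEST_CPP_UTIL_CREDENTIALS_H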
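Review bot: Neither new helper class documents ownership or intent: `TestCompositeChannelCredentials` forwards `channel_creds` and `call_creds` to `grpc_composite_channel_credentials_create`, and the callers in grpclb_end2end_test and rls_end2end_test still `Unref()` both afterwards, which suggests the constructor borrows rather than adopts them — worth stating as `// Does not take ownership of channel_creds or call_creds.` once confirmed against the core composite implementation. `FakeTransportSecurityChannelCredentials` wraps fake transport security, which provides no real protection, so `// Test-only: fake transport security, no real authentication or encryption.` above it keeps the type from drifting into non-test code. The header uses `grpc_channel_credentials`, `grpc_call_credentials` and `grpc_composite_channel_credentials_create` but includes only `<grpcpp/security/credentials.h>` and the core fake_credentials header; include `<grpc/grpc_security.h>` directly rather than relying on it transitively, and consider marking both classes `final` since nothing is meant to derive from them.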

@ -3011,7 +3011,9 @@ src/core/tsi/transport_security_grpc.cc \
src/core/tsi/transport_security_grpc.h \
src/core/tsi/transport_security_interface.h \
src/cpp/README.md \
src/cpp/client/call_credentials.cc \
src/cpp/client/channel_cc.cc \
src/cpp/client/channel_credentials.cc \
src/cpp/client/client_callback.cc \
src/cpp/client/client_context.cc \
src/cpp/client/client_interceptor.cc \
@ -3033,7 +3035,6 @@ src/cpp/common/resource_quota_cc.cc \
src/cpp/common/rpc_method.cc \
src/cpp/common/secure_auth_context.cc \
src/cpp/common/secure_auth_context.h \
src/cpp/common/secure_channel_arguments.cc \
src/cpp/common/secure_create_auth_context.cc \
src/cpp/common/tls_certificate_provider.cc \
src/cpp/common/tls_certificate_verifier.cc \
@ -3059,6 +3060,7 @@ src/cpp/server/server_builder.cc \
src/cpp/server/server_callback.cc \
src/cpp/server/server_cc.cc \
src/cpp/server/server_context.cc \
src/cpp/server/server_credentials.cc \
src/cpp/server/server_posix.cc \
src/cpp/server/thread_pool_interface.h \
src/cpp/server/xds_server_builder.cc \
