Addressing comments.

The new API is now actually useful...
9 years ago · a50da4757a
parent 373debd5c0
commit a50da4757a
3 changed files with 16 additions and 30 deletions
--- a/include/grpc/grpc_security.h
+++ b/include/grpc/grpc_security.h
@ -143,15 +143,14 @@ grpc_channel_credentials *grpc_google_default_credentials_create(void);
 #define GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR \
  "GRPC_DEFAULT_SSL_ROOTS_FILE_PATH"

-/* Overrides the default path for TLS/SSL roots.
-   The path must point to a PEM encoded file with all the roots such as the one
-   that can be downloaded from https://pki.google.com/roots.pem.
+/* Overrides the default TLS/SSL roots.
+   The roots must be encoded as PEM and NULL-terminated.
   This function is not thread-safe and must be called at initialization time
   before any ssl credentials are created to have the desired side effect.
-   It also does not do any checks about the validity or contents of the path.
-   If the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment is set, it will override
-   the roots_path specified in this function. */
-void grpc_override_ssl_default_roots_file_path(const char *roots_path);
+   It also does not do any checks about the validity of the encoding.
+   If the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment is set to a valid path,
+   it will override the roots specified in this function. */
+void grpc_override_ssl_default_roots(const char *roots_pem);

 /* Object that holds a private key / certificate chain pair in PEM format. */
 typedef struct {
@ -169,10 +168,9 @@ typedef struct {
     of the server root certificates. If this parameter is NULL, the
     implementation will first try to dereference the file pointed by the
     GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable, and if that fails,
-     try to get the roots from the path specified in the function
-     grpc_override_ssl_default_roots_file_path. Eventually, if all these fail,
-     it will try to get the roots from a well-known place on disk (in the grpc
-     install directory).
+     try to get the roots set by grpc_override_ssl_default_roots. Eventually,
+     if all these fail, it will try to get the roots from a well-known place on
+     disk (in the grpc install directory).
   - pem_key_cert_pair is a pointer on the object containing client's private
     key and certificate chain. This parameter can be NULL if the client does
     not have such a key/cert pair. */
--- a/src/core/security/security_connector.c
+++ b/src/core/security/security_connector.c
@ -61,12 +61,12 @@ static const char *installed_roots_path =
    INSTALL_PREFIX "/share/grpc/roots.pem";
 #endif

-/* -- Overridden default roots file path. -- */
+/* -- Overridden default roots. -- */

-static const char *overridden_default_roots_file_path = NULL;
+static gpr_slice overridden_default_roots;

-void grpc_override_ssl_default_roots_file_path(const char *roots_path) {
-  overridden_default_roots_file_path = roots_path;
+void grpc_override_ssl_default_roots(const char *roots_pem) {
+  overridden_default_roots = gpr_slice_from_copied_string(roots_pem);
 }

 /* -- Cipher suites. -- */
@ -616,8 +616,8 @@ static gpr_slice compute_default_pem_root_certs_once(void) {

  /* Try overridden roots path if needed. */
  if (GPR_SLICE_IS_EMPTY(result) &&
-      overridden_default_roots_file_path != NULL) {
-    result = gpr_load_file(overridden_default_roots_file_path, 0, NULL);
+      !GPR_SLICE_IS_EMPTY(overridden_default_roots)) {
+    result = gpr_slice_ref(overridden_default_roots);
  }

  /* Fall back to installed certs if needed. */
--- a/test/core/security/security_connector_test.c
+++ b/test/core/security/security_connector_test.c
@ -304,13 +304,6 @@ static void test_default_ssl_roots(void) {
  const char *roots_for_override_api = "roots for override api";
  const char *roots_for_env_var = "roots for env var";

-  char *roots_api_file_path;
-  FILE *roots_api_file =
-      gpr_tmpfile("test_roots_for_api_override", &roots_api_file_path);
-  fwrite(roots_for_override_api, 1, strlen(roots_for_override_api),
-         roots_api_file);
-  fclose(roots_api_file);
-
  char *roots_env_var_file_path;
  FILE *roots_env_var_file =
      gpr_tmpfile("test_roots_for_env_var", &roots_env_var_file_path);
@ -318,7 +311,7 @@ static void test_default_ssl_roots(void) {
  fclose(roots_env_var_file);

  /* First let's get the root through the override (no env are set). */
-  grpc_override_ssl_default_roots_file_path(roots_api_file_path);
+  grpc_override_ssl_default_roots(roots_for_override_api);
  gpr_slice roots = grpc_get_default_ssl_roots_for_testing();
  char *roots_contents = gpr_dump_slice(roots, GPR_DUMP_ASCII);
  gpr_slice_unref(roots);
@ -344,15 +337,10 @@ static void test_default_ssl_roots(void) {
  gpr_free(roots_contents);

  /* Cleanup. */
-  remove(roots_api_file_path);
  remove(roots_env_var_file_path);
-  gpr_free(roots_api_file_path);
  gpr_free(roots_env_var_file_path);
-
 }

-/* TODO(jboeuf): Unit-test tsi_shallow_peer_from_auth_context. */
-
 int main(int argc, char **argv) {
  grpc_test_init(argc, argv);
  grpc_init();