From c52cb09f4734cf32dbf6daa83cc1cd9be3ed649e Mon Sep 17 00:00:00 2001 From: Yash Tibrewal Date: Thu, 8 Oct 2020 20:37:47 -0700 Subject: [PATCH] Add experimental XdsCredentials with support for insecure channel_credentials and security_connector --- BUILD | 3 + BUILD.gn | 3 + CMakeLists.txt | 97 +++++++++++++++++++ Makefile | 4 + build_autogenerated.yaml | 36 +++++++ config.m4 | 4 + config.w32 | 4 + gRPC-C++.podspec | 2 + gRPC-Core.podspec | 4 + grpc.gemspec | 3 + grpc.gyp | 2 + include/grpc/grpc_security.h | 7 ++ include/grpcpp/security/credentials.h | 18 +++- package.xml | 3 + .../insecure/insecure_credentials.cc | 51 ++++++++++ .../insecure/insecure_security_connector.cc | 88 +++++++++++++++++ .../insecure/insecure_security_connector.h | 70 +++++++++++++ .../local/local_security_connector.cc | 4 +- src/core/tsi/local_transport_security.cc | 6 +- src/core/tsi/local_transport_security.h | 13 ++- src/cpp/client/insecure_credentials.cc | 3 + src/cpp/client/secure_credentials.cc | 17 ++++ src/cpp/client/secure_credentials.h | 1 + src/python/grpcio/grpc_core_dependencies.py | 2 + test/core/security/BUILD | 14 +++ .../insecure_security_connector_test.cc | 59 +++++++++++ test/cpp/end2end/BUILD | 18 ++++ .../end2end/xds_credentials_end2end_test.cc | 86 ++++++++++++++++ tools/doxygen/Doxyfile.c++.internal | 3 + tools/doxygen/Doxyfile.core.internal | 3 + tools/run_tests/generated/tests.json | 48 +++++++++ 31 files changed, 665 insertions(+), 11 deletions(-) create mode 100644 src/core/lib/security/credentials/insecure/insecure_credentials.cc create mode 100644 src/core/lib/security/security_connector/insecure/insecure_security_connector.cc create mode 100644 src/core/lib/security/security_connector/insecure/insecure_security_connector.h create mode 100644 test/core/security/insecure_security_connector_test.cc create mode 100644 test/cpp/end2end/xds_credentials_end2end_test.cc diff --git a/BUILD b/BUILD index f59d60fc5e4..c4f964488fb 100644 --- a/BUILD +++ b/BUILD 
@@ -1747,6 +1747,7 @@ grpc_cc_library( "src/core/lib/security/credentials/google_default/credentials_generic.cc", "src/core/lib/security/credentials/google_default/google_default_credentials.cc", "src/core/lib/security/credentials/iam/iam_credentials.cc", + "src/core/lib/security/credentials/insecure/insecure_credentials.cc", "src/core/lib/security/credentials/jwt/json_token.cc", "src/core/lib/security/credentials/jwt/jwt_credentials.cc", "src/core/lib/security/credentials/jwt/jwt_verifier.cc", @@ -1759,6 +1760,7 @@ grpc_cc_library( "src/core/lib/security/credentials/tls/tls_credentials.cc", "src/core/lib/security/security_connector/alts/alts_security_connector.cc", "src/core/lib/security/security_connector/fake/fake_security_connector.cc", + "src/core/lib/security/security_connector/insecure/insecure_security_connector.cc", "src/core/lib/security/security_connector/load_system_roots_fallback.cc", "src/core/lib/security/security_connector/load_system_roots_linux.cc", "src/core/lib/security/security_connector/local/local_security_connector.cc", @@ -1801,6 +1803,7 @@ grpc_cc_library( "src/core/lib/security/credentials/tls/tls_credentials.h", "src/core/lib/security/security_connector/alts/alts_security_connector.h", "src/core/lib/security/security_connector/fake/fake_security_connector.h", + "src/core/lib/security/security_connector/insecure/insecure_security_connector.h", "src/core/lib/security/security_connector/load_system_roots.h", "src/core/lib/security/security_connector/load_system_roots_linux.h", "src/core/lib/security/security_connector/local/local_security_connector.h", diff --git a/BUILD.gn b/BUILD.gn index c6c51de7d49..90e58297f4f 100644 --- a/BUILD.gn +++ b/BUILD.gn 
@@ -851,6 +851,7 @@ config("grpc_config") { "src/core/lib/security/credentials/google_default/google_default_credentials.h", "src/core/lib/security/credentials/iam/iam_credentials.cc", "src/core/lib/security/credentials/iam/iam_credentials.h", + "src/core/lib/security/credentials/insecure/insecure_credentials.cc", "src/core/lib/security/credentials/jwt/json_token.cc", "src/core/lib/security/credentials/jwt/json_token.h", "src/core/lib/security/credentials/jwt/jwt_credentials.cc", @@ -877,6 +878,8 @@ config("grpc_config") { "src/core/lib/security/security_connector/alts/alts_security_connector.h", "src/core/lib/security/security_connector/fake/fake_security_connector.cc", "src/core/lib/security/security_connector/fake/fake_security_connector.h", + "src/core/lib/security/security_connector/insecure/insecure_security_connector.cc", + "src/core/lib/security/security_connector/insecure/insecure_security_connector.h", "src/core/lib/security/security_connector/load_system_roots.h", "src/core/lib/security/security_connector/load_system_roots_fallback.cc", "src/core/lib/security/security_connector/load_system_roots_linux.cc", diff --git a/CMakeLists.txt b/CMakeLists.txt index 5b99019af54..cd8777f4c48 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -841,6 +841,7 @@ if(gRPC_BUILD_TESTS) add_dependencies(buildtests_cxx hybrid_end2end_test) add_dependencies(buildtests_cxx init_test) add_dependencies(buildtests_cxx initial_settings_frame_bad_client_test) + add_dependencies(buildtests_cxx insecure_security_connector_test) add_dependencies(buildtests_cxx interop_client) add_dependencies(buildtests_cxx interop_server) if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX) 
@@ -924,6 +925,7 @@ if(gRPC_BUILD_TESTS) add_dependencies(buildtests_cxx writes_per_rpc_test) endif() add_dependencies(buildtests_cxx xds_bootstrap_test) + add_dependencies(buildtests_cxx xds_credentials_end2end_test) if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX) add_dependencies(buildtests_cxx xds_end2end_test) endif() @@ -1757,6 +1759,7 @@ add_library(grpc src/core/lib/security/credentials/google_default/credentials_generic.cc src/core/lib/security/credentials/google_default/google_default_credentials.cc src/core/lib/security/credentials/iam/iam_credentials.cc + src/core/lib/security/credentials/insecure/insecure_credentials.cc src/core/lib/security/credentials/jwt/json_token.cc src/core/lib/security/credentials/jwt/jwt_credentials.cc src/core/lib/security/credentials/jwt/jwt_verifier.cc @@ -1770,6 +1773,7 @@ add_library(grpc src/core/lib/security/credentials/xds/xds_credentials.cc src/core/lib/security/security_connector/alts/alts_security_connector.cc src/core/lib/security/security_connector/fake/fake_security_connector.cc + src/core/lib/security/security_connector/insecure/insecure_security_connector.cc src/core/lib/security/security_connector/load_system_roots_fallback.cc src/core/lib/security/security_connector/load_system_roots_linux.cc src/core/lib/security/security_connector/local/local_security_connector.cc 
@@ -12109,6 +12113,45 @@ target_link_libraries(initial_settings_frame_bad_client_test ) +endif() +if(gRPC_BUILD_TESTS) + +add_executable(insecure_security_connector_test + test/core/security/insecure_security_connector_test.cc + third_party/googletest/googletest/src/gtest-all.cc + third_party/googletest/googlemock/src/gmock-all.cc +) + +target_include_directories(insecure_security_connector_test + PRIVATE + ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_SOURCE_DIR}/include + ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR} + ${_gRPC_RE2_INCLUDE_DIR} + ${_gRPC_SSL_INCLUDE_DIR} + ${_gRPC_UPB_GENERATED_DIR} + ${_gRPC_UPB_GRPC_GENERATED_DIR} + ${_gRPC_UPB_INCLUDE_DIR} + ${_gRPC_ZLIB_INCLUDE_DIR} + third_party/googletest/googletest/include + third_party/googletest/googletest + third_party/googletest/googlemock/include + third_party/googletest/googlemock + ${_gRPC_PROTO_GENS_DIR} +) + +target_link_libraries(insecure_security_connector_test + ${_gRPC_PROTOBUF_LIBRARIES} + ${_gRPC_ALLTARGETS_LIBRARIES} + grpc_test_util + grpc + gpr + address_sorting + upb + ${_gRPC_GFLAGS_LIBRARIES} +) + + endif() if(gRPC_BUILD_TESTS) 
@@ -14981,6 +15024,60 @@ target_link_libraries(xds_bootstrap_test ) +endif() +if(gRPC_BUILD_TESTS) + +add_executable(xds_credentials_end2end_test + ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.pb.cc + ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.grpc.pb.cc + ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.pb.h + ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.grpc.pb.h + ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.pb.cc + ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.grpc.pb.cc + ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.pb.h + ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.grpc.pb.h + ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.pb.cc + ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.grpc.pb.cc + ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.pb.h + ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.grpc.pb.h + test/cpp/end2end/test_service_impl.cc + test/cpp/end2end/xds_credentials_end2end_test.cc + third_party/googletest/googletest/src/gtest-all.cc + third_party/googletest/googlemock/src/gmock-all.cc +) + +target_include_directories(xds_credentials_end2end_test + PRIVATE + ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_SOURCE_DIR}/include + ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR} + ${_gRPC_RE2_INCLUDE_DIR} + ${_gRPC_SSL_INCLUDE_DIR} + ${_gRPC_UPB_GENERATED_DIR} + ${_gRPC_UPB_GRPC_GENERATED_DIR} + ${_gRPC_UPB_INCLUDE_DIR} + ${_gRPC_ZLIB_INCLUDE_DIR} + third_party/googletest/googletest/include + third_party/googletest/googletest + third_party/googletest/googlemock/include + third_party/googletest/googlemock + ${_gRPC_PROTO_GENS_DIR} +) + +target_link_libraries(xds_credentials_end2end_test + ${_gRPC_PROTOBUF_LIBRARIES} + ${_gRPC_ALLTARGETS_LIBRARIES} + grpc++_test_util + grpc_test_util + grpc++ + grpc + gpr + address_sorting + upb + ${_gRPC_GFLAGS_LIBRARIES} +) + + endif() if(gRPC_BUILD_TESTS) if(_gRPC_PLATFORM_LINUX OR 
_gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX) diff --git a/Makefile b/Makefile index 8596bf0ba1c..4f4b9ea9f29 100644 --- a/Makefile +++ b/Makefile @@ -2160,6 +2160,7 @@ LIBGRPC_SRC = \ src/core/lib/security/credentials/google_default/credentials_generic.cc \ src/core/lib/security/credentials/google_default/google_default_credentials.cc \ src/core/lib/security/credentials/iam/iam_credentials.cc \ + src/core/lib/security/credentials/insecure/insecure_credentials.cc \ src/core/lib/security/credentials/jwt/json_token.cc \ src/core/lib/security/credentials/jwt/jwt_credentials.cc \ src/core/lib/security/credentials/jwt/jwt_verifier.cc \ @@ -2173,6 +2174,7 @@ LIBGRPC_SRC = \ src/core/lib/security/credentials/xds/xds_credentials.cc \ src/core/lib/security/security_connector/alts/alts_security_connector.cc \ src/core/lib/security/security_connector/fake/fake_security_connector.cc \ + src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \ src/core/lib/security/security_connector/load_system_roots_fallback.cc \ src/core/lib/security/security_connector/load_system_roots_linux.cc \ src/core/lib/security/security_connector/local/local_security_connector.cc \ @@ -4611,6 +4613,7 @@ src/core/lib/security/credentials/fake/fake_credentials.cc: $(OPENSSL_DEP) src/core/lib/security/credentials/google_default/credentials_generic.cc: $(OPENSSL_DEP) src/core/lib/security/credentials/google_default/google_default_credentials.cc: $(OPENSSL_DEP) src/core/lib/security/credentials/iam/iam_credentials.cc: $(OPENSSL_DEP) +src/core/lib/security/credentials/insecure/insecure_credentials.cc: $(OPENSSL_DEP) src/core/lib/security/credentials/jwt/json_token.cc: $(OPENSSL_DEP) src/core/lib/security/credentials/jwt/jwt_credentials.cc: $(OPENSSL_DEP) src/core/lib/security/credentials/jwt/jwt_verifier.cc: $(OPENSSL_DEP) 
@@ -4624,6 +4627,7 @@ src/core/lib/security/credentials/tls/tls_credentials.cc: $(OPENSSL_DEP) src/core/lib/security/credentials/xds/xds_credentials.cc: $(OPENSSL_DEP) src/core/lib/security/security_connector/alts/alts_security_connector.cc: $(OPENSSL_DEP) src/core/lib/security/security_connector/fake/fake_security_connector.cc: $(OPENSSL_DEP) +src/core/lib/security/security_connector/insecure/insecure_security_connector.cc: $(OPENSSL_DEP) src/core/lib/security/security_connector/load_system_roots_fallback.cc: $(OPENSSL_DEP) src/core/lib/security/security_connector/load_system_roots_linux.cc: $(OPENSSL_DEP) src/core/lib/security/security_connector/local/local_security_connector.cc: $(OPENSSL_DEP) diff --git a/build_autogenerated.yaml b/build_autogenerated.yaml index a9e7699bf21..0336ebc4a96 100644 --- a/build_autogenerated.yaml +++ b/build_autogenerated.yaml @@ -698,6 +698,7 @@ libs: - src/core/lib/security/credentials/xds/xds_credentials.h - src/core/lib/security/security_connector/alts/alts_security_connector.h - src/core/lib/security/security_connector/fake/fake_security_connector.h + - src/core/lib/security/security_connector/insecure/insecure_security_connector.h - src/core/lib/security/security_connector/load_system_roots.h - src/core/lib/security/security_connector/load_system_roots_linux.h - src/core/lib/security/security_connector/local/local_security_connector.h @@ -1115,6 +1116,7 @@ libs: - src/core/lib/security/credentials/google_default/credentials_generic.cc - src/core/lib/security/credentials/google_default/google_default_credentials.cc - src/core/lib/security/credentials/iam/iam_credentials.cc + - src/core/lib/security/credentials/insecure/insecure_credentials.cc - src/core/lib/security/credentials/jwt/json_token.cc - src/core/lib/security/credentials/jwt/jwt_credentials.cc - src/core/lib/security/credentials/jwt/jwt_verifier.cc 
@@ -1128,6 +1130,7 @@ libs: - src/core/lib/security/credentials/xds/xds_credentials.cc - src/core/lib/security/security_connector/alts/alts_security_connector.cc - src/core/lib/security/security_connector/fake/fake_security_connector.cc + - src/core/lib/security/security_connector/insecure/insecure_security_connector.cc - src/core/lib/security/security_connector/load_system_roots_fallback.cc - src/core/lib/security/security_connector/load_system_roots_linux.cc - src/core/lib/security/security_connector/local/local_security_connector.cc @@ -6261,6 +6264,19 @@ targets: - gpr - address_sorting - upb +- name: insecure_security_connector_test + gtest: true + build: test + language: c++ + headers: [] + src: + - test/core/security/insecure_security_connector_test.cc + deps: + - grpc_test_util + - grpc + - gpr + - address_sorting + - upb - name: interop_client build: test run: false @@ -7550,6 +7566,26 @@ targets: - gpr - address_sorting - upb +- name: xds_credentials_end2end_test + gtest: true + build: test + language: c++ + headers: + - test/cpp/end2end/test_service_impl.h + src: + - src/proto/grpc/testing/echo.proto + - src/proto/grpc/testing/echo_messages.proto + - src/proto/grpc/testing/simple_messages.proto + - test/cpp/end2end/test_service_impl.cc + - test/cpp/end2end/xds_credentials_end2end_test.cc + deps: + - grpc++_test_util + - grpc_test_util + - grpc++ + - grpc + - gpr + - address_sorting + - upb - name: xds_end2end_test gtest: true build: test diff --git a/config.m4 b/config.m4 index 7a65203ad30..6ace72cd08a 100644 --- a/config.m4 +++ b/config.m4 
@@ -422,6 +422,7 @@ if test "$PHP_GRPC" != "no"; then src/core/lib/security/credentials/google_default/credentials_generic.cc \ src/core/lib/security/credentials/google_default/google_default_credentials.cc \ src/core/lib/security/credentials/iam/iam_credentials.cc \ + src/core/lib/security/credentials/insecure/insecure_credentials.cc \ src/core/lib/security/credentials/jwt/json_token.cc \ src/core/lib/security/credentials/jwt/jwt_credentials.cc \ src/core/lib/security/credentials/jwt/jwt_verifier.cc \ @@ -435,6 +436,7 @@ if test "$PHP_GRPC" != "no"; then src/core/lib/security/credentials/xds/xds_credentials.cc \ src/core/lib/security/security_connector/alts/alts_security_connector.cc \ src/core/lib/security/security_connector/fake/fake_security_connector.cc \ + src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \ src/core/lib/security/security_connector/load_system_roots_fallback.cc \ src/core/lib/security/security_connector/load_system_roots_linux.cc \ src/core/lib/security/security_connector/local/local_security_connector.cc \ @@ -993,6 +995,7 @@ if test "$PHP_GRPC" != "no"; then PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/fake) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/google_default) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/iam) + PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/insecure) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/jwt) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/local) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/oauth2) 
@@ -1003,6 +1006,7 @@ if test "$PHP_GRPC" != "no"; then PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/alts) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/fake) + PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/insecure) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/local) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/ssl) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/tls) diff --git a/config.w32 b/config.w32 index 8c32a7d2ba9..66bfada67e5 100644 --- a/config.w32 +++ b/config.w32 @@ -389,6 +389,7 @@ if (PHP_GRPC != "no") { "src\\core\\lib\\security\\credentials\\google_default\\credentials_generic.cc " + "src\\core\\lib\\security\\credentials\\google_default\\google_default_credentials.cc " + "src\\core\\lib\\security\\credentials\\iam\\iam_credentials.cc " + + "src\\core\\lib\\security\\credentials\\insecure\\insecure_credentials.cc " + "src\\core\\lib\\security\\credentials\\jwt\\json_token.cc " + "src\\core\\lib\\security\\credentials\\jwt\\jwt_credentials.cc " + "src\\core\\lib\\security\\credentials\\jwt\\jwt_verifier.cc " + @@ -402,6 +403,7 @@ if (PHP_GRPC != "no") { "src\\core\\lib\\security\\credentials\\xds\\xds_credentials.cc " + "src\\core\\lib\\security\\security_connector\\alts\\alts_security_connector.cc " + "src\\core\\lib\\security\\security_connector\\fake\\fake_security_connector.cc " + + "src\\core\\lib\\security\\security_connector\\insecure\\insecure_security_connector.cc " + "src\\core\\lib\\security\\security_connector\\load_system_roots_fallback.cc " + "src\\core\\lib\\security\\security_connector\\load_system_roots_linux.cc " + "src\\core\\lib\\security\\security_connector\\local\\local_security_connector.cc " + 
@@ -1036,6 +1038,7 @@ if (PHP_GRPC != "no") { FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\fake"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\google_default"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\iam"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\insecure"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\jwt"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\local"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\oauth2"); @@ -1046,6 +1049,7 @@ if (PHP_GRPC != "no") { FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\alts"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\fake"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\insecure"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\local"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\ssl"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\tls"); diff --git a/gRPC-C++.podspec b/gRPC-C++.podspec index 6149d9b15d6..d93e4190e56 100644 --- a/gRPC-C++.podspec +++ b/gRPC-C++.podspec 
@@ -548,6 +548,7 @@ Pod::Spec.new do |s| 'src/core/lib/security/credentials/xds/xds_credentials.h', 'src/core/lib/security/security_connector/alts/alts_security_connector.h', 'src/core/lib/security/security_connector/fake/fake_security_connector.h', + 'src/core/lib/security/security_connector/insecure/insecure_security_connector.h', 'src/core/lib/security/security_connector/load_system_roots.h', 'src/core/lib/security/security_connector/load_system_roots_linux.h', 'src/core/lib/security/security_connector/local/local_security_connector.h', @@ -1065,6 +1066,7 @@ Pod::Spec.new do |s| 'src/core/lib/security/credentials/xds/xds_credentials.h', 'src/core/lib/security/security_connector/alts/alts_security_connector.h', 'src/core/lib/security/security_connector/fake/fake_security_connector.h', + 'src/core/lib/security/security_connector/insecure/insecure_security_connector.h', 'src/core/lib/security/security_connector/load_system_roots.h', 'src/core/lib/security/security_connector/load_system_roots_linux.h', 'src/core/lib/security/security_connector/local/local_security_connector.h', diff --git a/gRPC-Core.podspec b/gRPC-Core.podspec index cac4780827c..ec222fc8def 100644 --- a/gRPC-Core.podspec +++ b/gRPC-Core.podspec @@ -906,6 +906,7 @@ Pod::Spec.new do |s| 'src/core/lib/security/credentials/google_default/google_default_credentials.h', 'src/core/lib/security/credentials/iam/iam_credentials.cc', 'src/core/lib/security/credentials/iam/iam_credentials.h', + 'src/core/lib/security/credentials/insecure/insecure_credentials.cc', 'src/core/lib/security/credentials/jwt/json_token.cc', 'src/core/lib/security/credentials/jwt/json_token.h', 'src/core/lib/security/credentials/jwt/jwt_credentials.cc', 
@@ -932,6 +933,8 @@ Pod::Spec.new do |s| 'src/core/lib/security/security_connector/alts/alts_security_connector.h', 'src/core/lib/security/security_connector/fake/fake_security_connector.cc', 'src/core/lib/security/security_connector/fake/fake_security_connector.h', + 'src/core/lib/security/security_connector/insecure/insecure_security_connector.cc', + 'src/core/lib/security/security_connector/insecure/insecure_security_connector.h', 'src/core/lib/security/security_connector/load_system_roots.h', 'src/core/lib/security/security_connector/load_system_roots_fallback.cc', 'src/core/lib/security/security_connector/load_system_roots_linux.cc', @@ -1502,6 +1505,7 @@ Pod::Spec.new do |s| 'src/core/lib/security/credentials/xds/xds_credentials.h', 'src/core/lib/security/security_connector/alts/alts_security_connector.h', 'src/core/lib/security/security_connector/fake/fake_security_connector.h', + 'src/core/lib/security/security_connector/insecure/insecure_security_connector.h', 'src/core/lib/security/security_connector/load_system_roots.h', 'src/core/lib/security/security_connector/load_system_roots_linux.h', 'src/core/lib/security/security_connector/local/local_security_connector.h', diff --git a/grpc.gemspec b/grpc.gemspec index a438fc4fd83..0c50f0b5ff2 100644 --- a/grpc.gemspec +++ b/grpc.gemspec @@ -824,6 +824,7 @@ Gem::Specification.new do |s| s.files += %w( src/core/lib/security/credentials/google_default/google_default_credentials.h ) s.files += %w( src/core/lib/security/credentials/iam/iam_credentials.cc ) s.files += %w( src/core/lib/security/credentials/iam/iam_credentials.h ) + s.files += %w( src/core/lib/security/credentials/insecure/insecure_credentials.cc ) s.files += %w( src/core/lib/security/credentials/jwt/json_token.cc ) s.files += %w( src/core/lib/security/credentials/jwt/json_token.h ) s.files += %w( src/core/lib/security/credentials/jwt/jwt_credentials.cc ) 
@@ -850,6 +851,8 @@ Gem::Specification.new do |s| s.files += %w( src/core/lib/security/security_connector/alts/alts_security_connector.h ) s.files += %w( src/core/lib/security/security_connector/fake/fake_security_connector.cc ) s.files += %w( src/core/lib/security/security_connector/fake/fake_security_connector.h ) + s.files += %w( src/core/lib/security/security_connector/insecure/insecure_security_connector.cc ) + s.files += %w( src/core/lib/security/security_connector/insecure/insecure_security_connector.h ) s.files += %w( src/core/lib/security/security_connector/load_system_roots.h ) s.files += %w( src/core/lib/security/security_connector/load_system_roots_fallback.cc ) s.files += %w( src/core/lib/security/security_connector/load_system_roots_linux.cc ) diff --git a/grpc.gyp b/grpc.gyp index d20036863ec..d615edb3be3 100644 --- a/grpc.gyp +++ b/grpc.gyp @@ -786,6 +786,7 @@ 'src/core/lib/security/credentials/google_default/credentials_generic.cc', 'src/core/lib/security/credentials/google_default/google_default_credentials.cc', 'src/core/lib/security/credentials/iam/iam_credentials.cc', + 'src/core/lib/security/credentials/insecure/insecure_credentials.cc', 'src/core/lib/security/credentials/jwt/json_token.cc', 'src/core/lib/security/credentials/jwt/jwt_credentials.cc', 'src/core/lib/security/credentials/jwt/jwt_verifier.cc', @@ -799,6 +800,7 @@ 'src/core/lib/security/credentials/xds/xds_credentials.cc', 'src/core/lib/security/security_connector/alts/alts_security_connector.cc', 'src/core/lib/security/security_connector/fake/fake_security_connector.cc', + 'src/core/lib/security/security_connector/insecure/insecure_security_connector.cc', 'src/core/lib/security/security_connector/load_system_roots_fallback.cc', 'src/core/lib/security/security_connector/load_system_roots_linux.cc', 'src/core/lib/security/security_connector/local/local_security_connector.cc', 
diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h index e1dda08e3df..997764eed07 100644 --- a/include/grpc/grpc_security.h +++ b/include/grpc/grpc_security.h @@ -1029,6 +1029,13 @@ grpc_channel_credentials* grpc_tls_credentials_create( grpc_server_credentials* grpc_tls_server_credentials_create( grpc_tls_credentials_options* options); +/** + * EXPERIMENTAL API - Subject to change + * + * This method creates an insecure channel credentials object. + */ +grpc_channel_credentials* grpc_insecure_credentials_create(); + /** * EXPERIMENTAL API - Subject to change * diff --git a/include/grpcpp/security/credentials.h b/include/grpcpp/security/credentials.h index b0da6650b6b..1cbf6ebdc16 100644 --- a/include/grpcpp/security/credentials.h +++ b/include/grpcpp/security/credentials.h @@ -54,7 +54,11 @@ std::shared_ptr CreateCustomChannelWithInterceptors( std::vector< std::unique_ptr> interceptor_creators); -} + +/// Builds XDS Credentials. +std::shared_ptr XdsCredentials( + const std::shared_ptr& fallback_creds); +} // namespace experimental /// A channel credentials object encapsulates all the state needed by a client /// to authenticate with a server for a given channel. @@ -72,6 +76,13 @@ class ChannelCredentials : private grpc::GrpcLibraryCodegen { const std::shared_ptr& channel_creds, const std::shared_ptr& call_creds); + // TODO(yashykt): We need this friend declaration mainly for access to + // AsSecureCredentials(). Once we are able to remove insecure builds from gRPC + // (and also internal dependencies on the indirect method of creating a + // channel through credentials), we would be able to remove this. + friend std::shared_ptr grpc::experimental::XdsCredentials( + const std::shared_ptr& fallback_creds); + virtual SecureChannelCredentials* AsSecureCredentials() = 0; private: 
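Review bot: `grpc_insecure_credentials_create()` is declared with empty parentheses in a C header, which in C means "unspecified parameters" rather than "no parameters"; the prototype should read `grpc_channel_credentials* grpc_insecure_credentials_create(void);` (the C++ definition in insecure_credentials.cc is unaffected, since `()` and `(void)` are equivalent there). The doc comment also only says it "creates an insecure channel credentials object", which does not tell a caller what they are giving up. I would extend it to `Creates channel credentials that provide no transport security: no encryption and no peer authentication. The auth context of such a channel reports security level "none"; call credentials that require a secure channel are presumably rejected on it (confirm against the client auth filter).` The security-level claim follows from MakeAuthContext in insecure_security_connector.cc elsewhere in this patch.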
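Review bot: `XdsCredentials` is a new public experimental entry point documented only as `/// Builds XDS Credentials.`, which leaves the role of `fallback_creds` unstated. From the name and the commit title the fallback presumably applies when the xDS control plane supplies no security configuration, so a caller who passes `InsecureChannelCredentials()` gets plaintext on those connections; that consequence belongs in the doc comment. Proposed wording: `/// Builds XDS credentials. fallback_creds are used for connections where xDS provides no security configuration; passing insecure credentials here leaves those connections unencrypted and unauthenticated. EXPERIMENTAL.` — to be confirmed against xds_credentials.cc, which is not in this hunk.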
@@ -101,6 +112,11 @@ class ChannelCredentials : private grpc::GrpcLibraryCodegen { /*interceptor_creators*/) { return nullptr; } + + // TODO(yashkt): This is a hack that is needed since InsecureCredentials can + // not use grpc_channel_credentials internally and should be removed after + // insecure builds are removed from gRPC. + virtual bool IsInsecure() const { return false; } }; /// A call credentials object encapsulates the state needed by a client to diff --git a/package.xml b/package.xml index fc2d104ac74..cd3074823c8 100644 --- a/package.xml +++ b/package.xml @@ -804,6 +804,7 @@ + @@ -830,6 +831,8 @@ + + diff --git a/src/core/lib/security/credentials/insecure/insecure_credentials.cc b/src/core/lib/security/credentials/insecure/insecure_credentials.cc new file mode 100644 index 00000000000..820fc4704ef --- /dev/null +++ b/src/core/lib/security/credentials/insecure/insecure_credentials.cc 
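Review bot: The comment on `IsInsecure()` explains why the hook exists but not what an override returning `true` promises, and since C++ permits overriding a private virtual, any derived credentials class can flip it. I would state the contract directly above the declaration: `// Returns true only for credentials that provide no transport security; presumably consulted by XdsCredentials to select the insecure fallback path — confirm against xds_credentials.cc.` The enclosing ChannelCredentials class starts outside this hunk.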
@@ -0,0 +1,51 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include
+
+#include
+
+#include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/security_connector/insecure/insecure_security_connector.h"
+
+namespace grpc_core {
+namespace {
+
+constexpr char kCredentialsTypeInsecure[] = "insecure";
+
+class InsecureCredentials final : public grpc_channel_credentials {
+ public:
+ explicit InsecureCredentials()
+ : grpc_channel_credentials(kCredentialsTypeInsecure) {}
+
+ grpc_core::RefCountedPtr
+ create_security_connector(
+ grpc_core::RefCountedPtr call_creds,
+ const char* /* target_name */, const grpc_channel_args* /* args */,
+ grpc_channel_args** /* new_args */) override {
+ return MakeRefCounted(
+ Ref(), std::move(call_creds));
+ }
+};
+
+} // namespace
+} // namespace grpc_core
+
+grpc_channel_credentials* grpc_insecure_credentials_create() {
+ return new grpc_core::InsecureCredentials();
+}
diff --git a/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc b/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
new file mode 100644
index 00000000000..a621ff974dd
--- /dev/null
+++ b/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
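Review bot: `InsecureCredentials` carries no comment stating what it does and does not guarantee, and the `explicit` on its zero-argument constructor is inert (it only blocks copy-list-initialization from `{}`), so plain `InsecureCredentials()` reads cleaner. I would add above the class: `// Channel credentials that perform no transport security. The connector they create (InsecureChannelSecurityConnector) ignores target_name and channel args, accepts any peer, and records security level TSI_SECURITY_NONE in the auth context.` The first claim follows from create_security_connector here; the rest from check_peer and MakeAuthContext in insecure_security_connector.cc elsewhere in this patch.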
@@ -0,0 +1,88 @@ +// +// +// Copyright 2020 gRPC authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// + +#include + +#include "src/core/lib/security/security_connector/insecure/insecure_security_connector.h" + +#include "src/core/lib/gprpp/ref_counted_ptr.h" +#include "src/core/lib/security/transport/security_handshaker.h" +#include "src/core/tsi/local_transport_security.h" + +namespace grpc_core { + +const char kInsecureTransportSecurityType[] = "insecure"; + +// check_call_host and cancel_check_call_host are no-ops since we want to +// provide an insecure channel. +bool InsecureChannelSecurityConnector::check_call_host( + absl::string_view host, grpc_auth_context* auth_context, + grpc_closure* on_call_host_checked, grpc_error** error) { + *error = GRPC_ERROR_NONE; + return true; +} + +void InsecureChannelSecurityConnector::cancel_check_call_host( + grpc_closure* on_call_host_checked, grpc_error* error) { + GRPC_ERROR_UNREF(error); +} + +// add_handshakers should have been a no-op but we need to add a minimalist +// security handshaker so that check_peer is invoked and an auth_context is +// created with the security level of TSI_SECURITY_NONE. +void InsecureChannelSecurityConnector::add_handshakers( + const grpc_channel_args* args, grpc_pollset_set* /* interested_parties */, + HandshakeManager* handshake_manager) { + tsi_handshaker* handshaker = nullptr; + // Re-use local_tsi_handshaker_create as a minimalist handshaker. 
+ GPR_ASSERT(tsi_local_handshaker_create(true /* is_client */, &handshaker) == + TSI_OK); + handshake_manager->Add(SecurityHandshakerCreate(handshaker, this, args)); +} + +void InsecureChannelSecurityConnector::check_peer( + tsi_peer peer, grpc_endpoint* ep, + RefCountedPtr* auth_context, + grpc_closure* on_peer_checked) { + *auth_context = MakeAuthContext(); + tsi_peer_destruct(&peer); + ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, GRPC_ERROR_NONE); +} + +int InsecureChannelSecurityConnector::cmp( + const grpc_security_connector* other_sc) const { + return channel_security_connector_cmp( + static_cast(other_sc)); +} + +RefCountedPtr +InsecureChannelSecurityConnector::MakeAuthContext() { + auto ctx = MakeRefCounted(nullptr); + grpc_auth_context_add_cstring_property( + ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME, + kInsecureTransportSecurityType); + GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name( + ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME) == 1); + const char* security_level = tsi_security_level_to_string(TSI_SECURITY_NONE); + grpc_auth_context_add_property(ctx.get(), + GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME, + security_level, strlen(security_level)); + return ctx; +} + +} // namespace grpc_core diff --git a/src/core/lib/security/security_connector/insecure/insecure_security_connector.h b/src/core/lib/security/security_connector/insecure/insecure_security_connector.h new file mode 100644 index 00000000000..5dd640c1859 --- /dev/null +++ b/src/core/lib/security/security_connector/insecure/insecure_security_connector.h 
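Review bot: MakeAuthContext calls `grpc_auth_context_set_peer_identity_property_name()` with GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME, so the resulting context has a peer identity ("insecure") even though no peer was inspected; if `grpc_auth_context_peer_is_authenticated()` is derived from the identity property name being set, as I believe it is, an insecure peer will report as authenticated to any filter or application code that relies on that call rather than on the security-level property. That deserves an explicit comment at the call site, e.g. `// NOTE: this gives the context a peer identity of "insecure" purely to satisfy client_auth_filter; consumers must gate on GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME (TSI_SECURITY_NONE here), not on identity presence.` Separately, check_call_host names `host`, `auth_context` and `on_call_host_checked` and check_peer names `ep` without using them, whereas the same file comments out unused names (`/* interested_parties */`); comment them out too so -Wunused-parameter stays clean and the convention is consistent.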
@@ -0,0 +1,70 @@ +// +// +// Copyright 2020 gRPC authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// + +#ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_INSECURE_INSECURE_SECURITY_CONNECTOR_H +#define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_INSECURE_INSECURE_SECURITY_CONNECTOR_H + +#include + +#include "src/core/lib/security/context/security_context.h" +#include "src/core/lib/security/credentials/credentials.h" +#include "src/core/lib/security/security_connector/security_connector.h" + +namespace grpc_core { + +extern const char kInsecureTransportSecurityType[]; + +class InsecureChannelSecurityConnector + : public grpc_channel_security_connector { + public: + InsecureChannelSecurityConnector( + grpc_core::RefCountedPtr channel_creds, + grpc_core::RefCountedPtr request_metadata_creds) + : grpc_channel_security_connector(/* url_scheme */ nullptr, + std::move(channel_creds), + std::move(request_metadata_creds)) {} + + bool check_call_host(absl::string_view host, grpc_auth_context* auth_context, + grpc_closure* on_call_host_checked, + grpc_error** error) override; + + void cancel_check_call_host(grpc_closure* on_call_host_checked, + grpc_error* error) override; + + void add_handshakers(const grpc_channel_args* args, + grpc_pollset_set* /* interested_parties */, + grpc_core::HandshakeManager* handshake_manager) override; + + void check_peer(tsi_peer peer, grpc_endpoint* ep, + grpc_core::RefCountedPtr* auth_context, + grpc_closure* 
on_peer_checked) override; + + int cmp(const grpc_security_connector* other_sc) const override; + + // Exposed for testing purposes only. + // Create an auth context which is necessary to pass the santiy check in + // client_auth_filter that verifies if the peer's auth context is obtained + // during handshakes. The auth context is only checked for its existence and + // not actually used. + static RefCountedPtr MakeAuthContext(); +}; + +} // namespace grpc_core + +#endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_INSECURE_INSECURE_SECURITY_CONNECTOR_H \ + */ diff --git a/src/core/lib/security/security_connector/local/local_security_connector.cc b/src/core/lib/security/security_connector/local/local_security_connector.cc index 585c170e937..3313fd01247 100644 --- a/src/core/lib/security/security_connector/local/local_security_connector.cc +++ b/src/core/lib/security/security_connector/local/local_security_connector.cc @@ -157,7 +157,7 @@ class grpc_local_channel_security_connector final const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/, grpc_core::HandshakeManager* handshake_manager) override { tsi_handshaker* handshaker = nullptr; - GPR_ASSERT(local_tsi_handshaker_create(true /* is_client */, &handshaker) == + GPR_ASSERT(tsi_local_handshaker_create(true /* is_client */, &handshaker) == TSI_OK); handshake_manager->Add( grpc_core::SecurityHandshakerCreate(handshaker, this, args)); @@ -215,7 +215,7 @@ class grpc_local_server_security_connector final const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/, grpc_core::HandshakeManager* handshake_manager) override { tsi_handshaker* handshaker = nullptr; - GPR_ASSERT(local_tsi_handshaker_create(false /* is_client */, + GPR_ASSERT(tsi_local_handshaker_create(false /* is_client */, &handshaker) == TSI_OK); handshake_manager->Add( grpc_core::SecurityHandshakerCreate(handshaker, this, args)); 
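Review bot: The MakeAuthContext comment misspells "sanity" as `santiy`, and the class itself has no header comment describing its contract even though that contract is the whole point of the type: check_call_host accepts every host and check_peer accepts every peer without inspection, and the auth context records TSI_SECURITY_NONE. I would add above the class: `// Channel security connector for plaintext channels: performs no host check and no peer verification, and produces an auth context whose security level is TSI_SECURITY_NONE. Only meant to back InsecureCredentials.` The "Exposed for testing purposes only" note on MakeAuthContext is contradicted by it being a public static; if it is test-only, say so in the name or move it behind a friend test.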
diff --git a/src/core/tsi/local_transport_security.cc b/src/core/tsi/local_transport_security.cc index f7e004f4a7c..19043cd1a9a 100644 --- a/src/core/tsi/local_transport_security.cc +++ b/src/core/tsi/local_transport_security.cc @@ -31,6 +31,8 @@ #include "src/core/lib/iomgr/exec_ctx.h" #include "src/core/tsi/transport_security_grpc.h" +namespace { + /* Main struct for local TSI zero-copy frame protector. */ typedef struct local_zero_copy_grpc_protector { tsi_zero_copy_grpc_protector base; @@ -197,7 +199,9 @@ static const tsi_handshaker_vtable handshaker_vtable = { nullptr, /* shutdown */ }; -tsi_result local_tsi_handshaker_create(bool is_client, tsi_handshaker** self) { +} // namespace + +tsi_result tsi_local_handshaker_create(bool is_client, tsi_handshaker** self) { if (self == nullptr) { gpr_log(GPR_ERROR, "Invalid arguments to local_tsi_handshaker_create()"); return TSI_INVALID_ARGUMENT; diff --git a/src/core/tsi/local_transport_security.h b/src/core/tsi/local_transport_security.h index 17213ecf35a..fb46c1ea892 100644 --- a/src/core/tsi/local_transport_security.h +++ b/src/core/tsi/local_transport_security.h @@ -29,12 +29,6 @@ #define TSI_LOCAL_NUM_OF_PEER_PROPERTIES 1 #define TSI_LOCAL_PROCESS_ID_PEER_PROPERTY "process_id" -/** - * Main struct for local TSI handshaker. All APIs in the header are - * thread-comptabile. - */ -typedef struct local_tsi_handshaker local_tsi_handshaker; - /** * This method creates a local TSI handshaker instance. * 
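Review bot: The function is renamed to `tsi_local_handshaker_create` but the error message in its first statement still reads `"Invalid arguments to local_tsi_handshaker_create()"`, so a log line will now name a function that no longer exists; update it to `gpr_log(GPR_ERROR, "Invalid arguments to tsi_local_handshaker_create()");`. The rest of the function body continues outside the hunk.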
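Review bot: Removing the unused `local_tsi_handshaker` typedef is fine, but the deleted comment block was also the only place stating that the APIs in this header are thread-compatible, so that guarantee silently disappears from the documentation. Keep the statement on the remaining declaration, e.g. as a first line in the surviving doc comment: `* All APIs in this header are thread-compatible.` (also fixing the old typo "thread-comptabile").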
@@ -45,7 +39,12 @@ typedef struct local_tsi_handshaker local_tsi_handshaker; * method. * * It returns TSI_OK on success and an error status code on failure. + * + * This handshaker is also being used as a minimalist handshaker for insecure + * security connector. If this handshaker ever needs to do anything more that + * does not fit with an insecure connector, we would need to add a separate + * handshaker for insecure connectors. */ -tsi_result local_tsi_handshaker_create(bool is_client, tsi_handshaker** self); +tsi_result tsi_local_handshaker_create(bool is_client, tsi_handshaker** self); #endif /* GRPC_CORE_TSI_LOCAL_TRANSPORT_SECURITY_H */ diff --git a/src/cpp/client/insecure_credentials.cc b/src/cpp/client/insecure_credentials.cc index a9be08d5a10..98e8cb75574 100644 --- a/src/cpp/client/insecure_credentials.cc +++ b/src/cpp/client/insecure_credentials.cc @@ -51,6 +51,9 @@ class InsecureChannelCredentialsImpl final : public ChannelCredentials { } SecureChannelCredentials* AsSecureCredentials() override { return nullptr; } + + private: + bool IsInsecure() const override { return true; } }; } // namespace diff --git a/src/cpp/client/secure_credentials.cc b/src/cpp/client/secure_credentials.cc index 378cceaa114..5c81a1b9143 100644 --- a/src/cpp/client/secure_credentials.cc +++ b/src/cpp/client/secure_credentials.cc @@ -28,6 +28,7 @@ #include #include +// TODO(yashykt): We shouldn't be including "src/core" headers. #include "src/core/lib/gpr/env.h" #include "src/core/lib/iomgr/error.h" #include "src/core/lib/iomgr/executor.h" 
@@ -294,6 +295,22 @@ std::shared_ptr TlsCredentials( grpc_tls_credentials_create(options.c_credentials_options())); } +// Builds XDS Credentials +std::shared_ptr XdsCredentials( + const std::shared_ptr& fallback_creds) { + if (fallback_creds->IsInsecure()) { + grpc_channel_credentials* insecure_creds = + grpc_insecure_credentials_create(); + auto xds_creds = + WrapChannelCredentials(grpc_xds_credentials_create(insecure_creds)); + grpc_channel_credentials_release(insecure_creds); + return xds_creds; + } else { + return WrapChannelCredentials(grpc_xds_credentials_create( + fallback_creds->AsSecureCredentials()->GetRawCreds())); + } +} + } // namespace experimental // Builds credentials for use when running in GCE diff --git a/src/cpp/client/secure_credentials.h b/src/cpp/client/secure_credentials.h index fe56b1577e3..0c47701ec3c 100644 --- a/src/cpp/client/secure_credentials.h +++ b/src/cpp/client/secure_credentials.h @@ -26,6 +26,7 @@ #include #include "absl/strings/str_cat.h" +// TODO(yashykt): We shouldn't be including "src/core" headers. #include "src/core/lib/security/credentials/credentials.h" #include "src/cpp/server/thread_pool_interface.h" diff --git a/src/python/grpcio/grpc_core_dependencies.py b/src/python/grpcio/grpc_core_dependencies.py index 587490dfcdb..74cbc4235b6 100644 --- a/src/python/grpcio/grpc_core_dependencies.py +++ b/src/python/grpcio/grpc_core_dependencies.py @@ -398,6 +398,7 @@ CORE_SOURCE_FILES = [ 'src/core/lib/security/credentials/google_default/credentials_generic.cc', 'src/core/lib/security/credentials/google_default/google_default_credentials.cc', 'src/core/lib/security/credentials/iam/iam_credentials.cc', + 'src/core/lib/security/credentials/insecure/insecure_credentials.cc', 'src/core/lib/security/credentials/jwt/json_token.cc', 'src/core/lib/security/credentials/jwt/jwt_credentials.cc', 'src/core/lib/security/credentials/jwt/jwt_verifier.cc', 
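Review bot: The else branch calls `fallback_creds->AsSecureCredentials()->GetRawCreds()` without checking for nullptr, yet this same commit shows AsSecureCredentials() returning nullptr for InsecureChannelCredentialsImpl, so any other ChannelCredentials subclass that is neither insecure nor core-backed will dereference null here; `fallback_creds` itself is also dereferenced without a null check. Fail loudly on both instead of crashing later inside core. Since the new end2end test shows the fallback is used verbatim for non-xds targets, a comment stating that an insecure fallback yields a plaintext channel whenever xds security is not applied would help callers understand what they are opting into.
```cpp
std::shared_ptr<ChannelCredentials> XdsCredentials(
    const std::shared_ptr<ChannelCredentials>& fallback_creds) {
  GPR_ASSERT(fallback_creds != nullptr);
  if (fallback_creds->IsInsecure()) {
    // … unchanged: wrap grpc_insecure_credentials_create() and release it …
  }
  // Any other fallback must be core-backed; AsSecureCredentials() returns
  // nullptr for credentials that are not (see InsecureChannelCredentialsImpl).
  SecureChannelCredentials* secure_creds = fallback_creds->AsSecureCredentials();
  GPR_ASSERT(secure_creds != nullptr);
  return WrapChannelCredentials(
      grpc_xds_credentials_create(secure_creds->GetRawCreds()));
}
```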
@@ -411,6 +412,7 @@ CORE_SOURCE_FILES = [ 'src/core/lib/security/credentials/xds/xds_credentials.cc', 'src/core/lib/security/security_connector/alts/alts_security_connector.cc', 'src/core/lib/security/security_connector/fake/fake_security_connector.cc', + 'src/core/lib/security/security_connector/insecure/insecure_security_connector.cc', 'src/core/lib/security/security_connector/load_system_roots_fallback.cc', 'src/core/lib/security/security_connector/load_system_roots_linux.cc', 'src/core/lib/security/security_connector/local/local_security_connector.cc', diff --git a/test/core/security/BUILD b/test/core/security/BUILD index 2987738bb5b..17653e6e4c0 100644 --- a/test/core/security/BUILD +++ b/test/core/security/BUILD @@ -326,3 +326,17 @@ grpc_cc_test( "//test/core/util:grpc_test_util", ], ) + +grpc_cc_test( + name = "insecure_security_connector_test", + srcs = ["insecure_security_connector_test.cc"], + external_deps = [ + "gtest", + ], + deps = [ + "//:gpr", + "//:grpc", + "//:grpc_secure", + "//test/core/util:grpc_test_util", + ], +) diff --git a/test/core/security/insecure_security_connector_test.cc b/test/core/security/insecure_security_connector_test.cc new file mode 100644 index 00000000000..faa1b2803c8 --- /dev/null +++ b/test/core/security/insecure_security_connector_test.cc 
@@ -0,0 +1,59 @@ +// +// +// Copyright 2020 gRPC authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// + +#include +#include + +#include + +#include "src/core/lib/security/security_connector/insecure/insecure_security_connector.h" +#include "src/core/lib/security/security_connector/ssl_utils.h" +#include "src/core/tsi/transport_security.h" +#include "test/core/util/test_config.h" + +namespace grpc_core { +namespace testing { +namespace { + +TEST(InsecureSecurityConnector, MakeAuthContextTest) { + auto auth_context = InsecureChannelSecurityConnector::MakeAuthContext(); + // Verify that peer identity is set + auto it = grpc_auth_context_peer_identity(auth_context.get()); + const grpc_auth_property* prop = grpc_auth_property_iterator_next(&it); + ASSERT_NE(prop, nullptr); + EXPECT_STREQ(prop->name, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME); + EXPECT_STREQ(prop->value, kInsecureTransportSecurityType); + // Verify that security level is set to none + it = grpc_auth_context_find_properties_by_name( + auth_context.get(), GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME); + prop = grpc_auth_property_iterator_next(&it); + ASSERT_NE(prop, nullptr); + EXPECT_EQ(grpc_tsi_security_level_string_to_enum(prop->value), + GRPC_SECURITY_NONE); +} + +} // namespace +} // namespace testing +} // namespace grpc_core + +int main(int argc, char** argv) { + ::testing::InitGoogleTest(&argc, argv); + grpc::testing::TestEnvironment env(argc, argv); + const auto result = 
RUN_ALL_TESTS(); + return result; +} diff --git a/test/cpp/end2end/BUILD b/test/cpp/end2end/BUILD index 1ad1ddd2d19..27e73fc145b 100644 --- a/test/cpp/end2end/BUILD +++ b/test/cpp/end2end/BUILD @@ -811,3 +811,21 @@ grpc_cc_test( "//test/cpp/util:test_util", ], ) + +grpc_cc_test( + name = "xds_credentials_end2end_test", + srcs = ["xds_credentials_end2end_test.cc"], + external_deps = [ + "gtest", + ], + deps = [ + ":test_service_impl", + "//:gpr", + "//:grpc", + "//:grpc++", + "//src/proto/grpc/testing:echo_messages_proto", + "//src/proto/grpc/testing:echo_proto", + "//test/core/util:grpc_test_util", + "//test/cpp/util:test_util", + ], +) diff --git a/test/cpp/end2end/xds_credentials_end2end_test.cc b/test/cpp/end2end/xds_credentials_end2end_test.cc new file mode 100644 index 00000000000..a5ea1bdfdff --- /dev/null +++ b/test/cpp/end2end/xds_credentials_end2end_test.cc 
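Review bot: The peer-identity check reads one property and stops, so an extra identity property added later would go unnoticed; after the two EXPECT_STREQ calls add `EXPECT_EQ(grpc_auth_property_iterator_next(&it), nullptr);` to pin that "insecure" is the only identity. The test also only exercises MakeAuthContext; check_call_host's contract (returns true and sets `*error` to GRPC_ERROR_NONE for any host) is cheap to cover and is the behaviour a future change is most likely to break by accident.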
@@ -0,0 +1,86 @@ +// +// +// Copyright 2020 gRPC authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// + +#include +#include + +#include +#include + +#include "test/core/util/port.h" +#include "test/core/util/test_config.h" +#include "test/cpp/end2end/test_service_impl.h" +#include "test/cpp/util/test_credentials_provider.h" + +namespace grpc { +namespace testing { +namespace { + +class XdsCredentialsEnd2EndFallbackTest + : public ::testing::TestWithParam { + protected: + XdsCredentialsEnd2EndFallbackTest() { + int port = grpc_pick_unused_port_or_die(); + ServerBuilder builder; + server_address_ = "localhost:" + std::to_string(port); + builder.AddListeningPort( + server_address_, + GetCredentialsProvider()->GetServerCredentials(GetParam())); + builder.RegisterService(&service_); + server_ = builder.BuildAndStart(); + } + + std::string server_address_; + TestServiceImpl service_; + std::unique_ptr server_; +}; + +TEST_P(XdsCredentialsEnd2EndFallbackTest, NoXdsSchemeInTarget) { + // Target does not use 'xds:///' scheme and should result in using fallback + // credentials. 
+ ChannelArguments args; + auto channel = grpc::CreateCustomChannel( + server_address_, + grpc::experimental::XdsCredentials( + GetCredentialsProvider()->GetChannelCredentials(GetParam(), &args)), + args); + auto stub = grpc::testing::EchoTestService::NewStub(channel); + ClientContext ctx; + EchoRequest req; + req.set_message("Hello"); + EchoResponse resp; + Status s = stub->Echo(&ctx, req, &resp); + EXPECT_EQ(s.ok(), true); + EXPECT_EQ(resp.message(), "Hello"); +} + +INSTANTIATE_TEST_SUITE_P(XdsCredentialsEnd2EndFallback, + XdsCredentialsEnd2EndFallbackTest, + ::testing::ValuesIn(std::vector( + {kInsecureCredentialsType, kTlsCredentialsType}))); + +} // namespace +} // namespace testing +} // namespace grpc + +int main(int argc, char** argv) { + ::testing::InitGoogleTest(&argc, argv); + grpc::testing::TestEnvironment env(argc, argv); + const auto result = RUN_ALL_TESTS(); + return result; +} diff --git a/tools/doxygen/Doxyfile.c++.internal b/tools/doxygen/Doxyfile.c++.internal index b6b21760c51..3e72dc35af0 100644 --- a/tools/doxygen/Doxyfile.c++.internal +++ b/tools/doxygen/Doxyfile.c++.internal @@ -1760,6 +1760,7 @@ src/core/lib/security/credentials/google_default/google_default_credentials.cc \ src/core/lib/security/credentials/google_default/google_default_credentials.h \ src/core/lib/security/credentials/iam/iam_credentials.cc \ src/core/lib/security/credentials/iam/iam_credentials.h \ +src/core/lib/security/credentials/insecure/insecure_credentials.cc \ src/core/lib/security/credentials/jwt/json_token.cc \ src/core/lib/security/credentials/jwt/json_token.h \ src/core/lib/security/credentials/jwt/jwt_credentials.cc \ 
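Review bot: `EXPECT_EQ(s.ok(), true)` throws away the failure reason, which matters here because the TLS parameterisation can fail in the handshake rather than in the RPC; use `EXPECT_TRUE(s.ok()) << s.error_code() << ": " << s.error_message();`. The fixture constructor starts `server_` but there is no destructor calling `server_->Shutdown()`; unless Server's destructor does this implicitly (not visible in the hunk), add `~XdsCredentialsEnd2EndFallbackTest() override { server_->Shutdown(); }`. The suite name says "Fallback" and the test comment says so too, but a one-line note that the `xds:///` path is intentionally not covered here would save the next reader from looking for it.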
@@ -1786,6 +1787,8 @@ src/core/lib/security/security_connector/alts/alts_security_connector.cc \ src/core/lib/security/security_connector/alts/alts_security_connector.h \ src/core/lib/security/security_connector/fake/fake_security_connector.cc \ src/core/lib/security/security_connector/fake/fake_security_connector.h \ +src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \ +src/core/lib/security/security_connector/insecure/insecure_security_connector.h \ src/core/lib/security/security_connector/load_system_roots.h \ src/core/lib/security/security_connector/load_system_roots_fallback.cc \ src/core/lib/security/security_connector/load_system_roots_linux.cc \ diff --git a/tools/doxygen/Doxyfile.core.internal b/tools/doxygen/Doxyfile.core.internal index d175f922014..6c5630a6423 100644 --- a/tools/doxygen/Doxyfile.core.internal +++ b/tools/doxygen/Doxyfile.core.internal @@ -1600,6 +1600,7 @@ src/core/lib/security/credentials/google_default/google_default_credentials.cc \ src/core/lib/security/credentials/google_default/google_default_credentials.h \ src/core/lib/security/credentials/iam/iam_credentials.cc \ src/core/lib/security/credentials/iam/iam_credentials.h \ +src/core/lib/security/credentials/insecure/insecure_credentials.cc \ src/core/lib/security/credentials/jwt/json_token.cc \ src/core/lib/security/credentials/jwt/json_token.h \ src/core/lib/security/credentials/jwt/jwt_credentials.cc \ 
@@ -1626,6 +1627,8 @@ src/core/lib/security/security_connector/alts/alts_security_connector.cc \ src/core/lib/security/security_connector/alts/alts_security_connector.h \ src/core/lib/security/security_connector/fake/fake_security_connector.cc \ src/core/lib/security/security_connector/fake/fake_security_connector.h \ +src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \ +src/core/lib/security/security_connector/insecure/insecure_security_connector.h \ src/core/lib/security/security_connector/load_system_roots.h \ src/core/lib/security/security_connector/load_system_roots_fallback.cc \ src/core/lib/security/security_connector/load_system_roots_linux.cc \ diff --git a/tools/run_tests/generated/tests.json b/tools/run_tests/generated/tests.json index 0d8d3d7c586..035ddce9087 100644 --- a/tools/run_tests/generated/tests.json +++ b/tools/run_tests/generated/tests.json @@ -4789,6 +4789,30 @@ ], "uses_polling": true }, + { + "args": [], + "benchmark": false, + "ci_platforms": [ + "linux", + "mac", + "posix", + "windows" + ], + "cpu_cost": 1.0, + "exclude_configs": [], + "exclude_iomgrs": [], + "flaky": false, + "gtest": true, + "language": "c++", + "name": "insecure_security_connector_test", + "platforms": [ + "linux", + "mac", + "posix", + "windows" + ], + "uses_polling": true + }, { "args": [], "benchmark": false, @@ -6067,6 +6091,30 @@ ], "uses_polling": true }, + { + "args": [], + "benchmark": false, + "ci_platforms": [ + "linux", + "mac", + "posix", + "windows" + ], + "cpu_cost": 1.0, + "exclude_configs": [], + "exclude_iomgrs": [], + "flaky": false, + "gtest": true, + "language": "c++", + "name": "xds_credentials_end2end_test", + "platforms": [ + "linux", + "mac", + "posix", + "windows" + ], + "uses_polling": true + }, { "args": [], "boringssl": true,