
First Spiffe1 commit

Matthew Stevenson 6 years ago
parent
commit
e26e2b6b8b

+ 2 - 0
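--- a/BUILD
+++ b/BUILD
@@ -260,6 +260,7 @@ GRPCXX_PUBLIC_HDRS = [
     "include/grpcpp/security/credentials_impl.h",
     "include/grpcpp/security/server_credentials.h",
     "include/grpcpp/security/server_credentials_impl.h",
+    "include/grpcpp/security/tls_credentials_options.h",
     "include/grpcpp/server.h",
     "include/grpcpp/server_impl.h",
     "include/grpcpp/server_builder.h",
@@ -357,6 +358,7 @@ grpc_cc_library(
         "src/cpp/common/secure_auth_context.cc",
         "src/cpp/common/secure_channel_arguments.cc",
         "src/cpp/common/secure_create_auth_context.cc",
+        "src/cpp/common/tls_credentials_options.cc",
         "src/cpp/server/insecure_server_credentials.cc",
         "src/cpp/server/secure_server_credentials.cc",
     ],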

+ 2 - 0
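--- a/build.yaml
+++ b/build.yaml
@@ -1457,6 +1457,7 @@ filegroups:
   - include/grpcpp/security/credentials_impl.h
   - include/grpcpp/security/server_credentials.h
   - include/grpcpp/security/server_credentials_impl.h
+  - include/grpcpp/security/tls_credentials_options.h
   - include/grpcpp/server.h
   - include/grpcpp/server_builder.h
   - include/grpcpp/server_builder_impl.h
@@ -1798,6 +1799,7 @@ libs:
   - src/cpp/common/secure_auth_context.cc
   - src/cpp/common/secure_channel_arguments.cc
   - src/cpp/common/secure_create_auth_context.cc
+  - src/cpp/common/tls_credentials_options.cc
   - src/cpp/server/insecure_server_credentials.cc
   - src/cpp/server/secure_server_credentials.cc
   deps: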

+ 5 - 0
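--- a/include/grpcpp/security/credentials.h
+++ b/include/grpcpp/security/credentials.h
@@ -132,6 +132,11 @@ static inline std::shared_ptr<grpc_impl::ChannelCredentials> LocalCredentials(
   return ::grpc_impl::experimental::LocalCredentials(type);
 }
 
+static inline std::shared_ptr<grpc_impl::ChannelCredentials> SpiffeCredentials(
+    const TlsCredentialsOptions& options) {
+  return ::grpc_impl::experimental::SpiffeCredentials(options);
+}
+
 }  // namespace experimental
 }  // namespace grpc
 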
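Review bot: The new `SpiffeCredentials` wrapper lacks the `///` doc comment that its server-side twin in server_credentials.h and the declaration in credentials_impl.h both carry; add `/// Builds SPIFFE Credentials given TLS options.` above the `static inline` line. The parameter type `TlsCredentialsOptions` is also written unqualified while the return type spells out `grpc_impl::ChannelCredentials`; unless an alias for it is introduced in `grpc::experimental` elsewhere in this header, the name will not resolve from `namespace grpc`, so `const ::grpc_impl::experimental::TlsCredentialsOptions& options` is the safer spelling, and the same applies to `SpiffeServerCredentials` in server_credentials.h.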
 
 

+ 5 - 0
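--- a/include/grpcpp/security/credentials_impl.h
+++ b/include/grpcpp/security/credentials_impl.h
@@ -31,6 +31,7 @@
 #include <grpcpp/support/channel_arguments_impl.h>
 #include <grpcpp/support/status.h>
 #include <grpcpp/support/string_ref.h>
+#include <grpcpp/security/tls_credentials_options.h>
 
 struct grpc_call;
 
@@ -336,6 +337,10 @@ std::shared_ptr<ChannelCredentials> AltsCredentials(
 std::shared_ptr<ChannelCredentials> LocalCredentials(
     grpc_local_connect_type type);
 
+/// Builds SPIFFE Credentials given TLS options.
+std::shared_ptr<ChannelCredentials> SpiffeCredentials(
+    const TlsCredentialsOptions& options);
+
 }  // namespace experimental
 }  // namespace grpc_impl
 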
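Review bot: The added include is appended after the `<grpcpp/support/...>` run, breaking the alphabetical grouping the surrounding lines keep — `grpcpp/security/tls_credentials_options.h` sorts before `grpcpp/support/channel_arguments_impl.h`. The same placement recurs in server_credentials_impl.h and in src/cpp/client/secure_credentials.h; in each file move the line up next to the other `grpcpp/security/` includes so the group stays sorted.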
 
 

+ 6 - 0
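--- a/include/grpcpp/security/server_credentials.h
+++ b/include/grpcpp/security/server_credentials.h
@@ -79,6 +79,12 @@ static inline std::shared_ptr<ServerCredentials> LocalServerCredentials(
   return ::grpc_impl::experimental::LocalServerCredentials(type);
 }
 
+/// Builds SPIFFE ServerCredentials given TLS options.
+static inline std::shared_ptr<ServerCredentials> SpiffeServerCredentials(
+    const TlsCredentialsOptions& options) {
+  return ::grpc_impl::experimental::SpiffeServerCredentials(options);
+}
+
 }  // namespace experimental
 }  // namespace grpc
 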
 
 

+ 5 - 0
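--- a/include/grpcpp/security/server_credentials_impl.h
+++ b/include/grpcpp/security/server_credentials_impl.h
@@ -25,6 +25,7 @@
 #include <grpc/grpc_security_constants.h>
 #include <grpcpp/security/auth_metadata_processor.h>
 #include <grpcpp/support/config.h>
+#include <grpcpp/security/tls_credentials_options.h>
 
 struct grpc_server;
 
@@ -79,6 +80,10 @@ std::shared_ptr<ServerCredentials> AltsServerCredentials(
 std::shared_ptr<ServerCredentials> LocalServerCredentials(
     grpc_local_connect_type type);
 
+/// Builds SPIFFE ServerCredentials given TLS options.
+std::shared_ptr<ServerCredentials> SpiffeServerCredentials(
+    const TlsCredentialsOptions& options);
+
 }  // namespace experimental
 }  // namespace grpc_impl
 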
 
 

+ 94 - 0
include/grpcpp/security/tls_credentials_options.h

@@ -0,0 +1,94 @@
+/*
+ *
+ * Copyright 2019 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#ifndef GRPCPP_TLS_CREDENTIALS_OPTIONS_H
+#define GRPCPP_TLS_CREDENTIALS_OPTIONS_H
+
+#include <vector>
+#include <memory>
+
+#include <grpcpp/support/config.h>
+#include <grpc/grpc_security_constants.h>
+
+#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
+
+namespace grpc_impl {
+namespace experimental {
+
+/** TLS key materials config, wrapper for grpc_tls_key_materials_config. **/
+class TlsKeyMaterialsConfig {
+ public:
+  struct PemKeyCertPair {
+    ::grpc::string private_key;
+    ::grpc::string cert_chain;
+  };
+
+  /** Getters for member fields. **/
+  const ::grpc::string pem_root_certs() const {
+    return pem_root_certs_;
+  }
+  const ::std::vector<PemKeyCertPair>& pem_key_cert_pair_list() const {
+    return pem_key_cert_pair_list_;
+  }
+
+  /**Setter for member fields. **/
+  void set_key_materials(::grpc::string pem_root_certs,
+                         ::std::vector<PemKeyCertPair> pem_key_cert_pair_list);
+
+  /** Creates C struct for key materials. **/
+  grpc_core::RefCountedPtr<grpc_tls_key_materials_config> c_key_materials() const;
+
+ private:
+  ::std::vector<PemKeyCertPair> pem_key_cert_pair_list_;
+  ::grpc::string pem_root_certs_;
+};
+
+/** TLS credentials options, wrapper for grpc_tls_credentials_options. **/
+class TlsCredentialsOptions {
+ public:
+  /** Getters for member fields. **/
+  grpc_ssl_client_certificate_request_type cert_request_type() const{
+    return cert_request_type_;
+  }
+  std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config() const {
+    return key_materials_config_;
+  }
+
+  /** Setters for member fields. **/
+  void set_cert_request_type(
+      const grpc_ssl_client_certificate_request_type type) {
+    cert_request_type_ = type;
+  }
+
+  void set_key_materials_config(
+      std::shared_ptr<TlsKeyMaterialsConfig> config) {
+    key_materials_config_ = config;
+  }
+
+  /** Creates C struct for TLS credential options. **/
+  grpc_tls_credentials_options* c_credentials_options() const;
+
+ private:
+  grpc_ssl_client_certificate_request_type cert_request_type_;
+  std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config_;
+};
+
+} // namespace experimental
+} // namespace grpc_impl
+#endif /** GRPCPP_TLS_CREDENTIALS_OPTIONS_H **/
+
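Review bot: `cert_request_type_` has no initializer, so a default-constructed `TlsCredentialsOptions` hands an indeterminate client-certificate policy to `c_credentials_options()` in tls_credentials_options.cc, which copies it into the C options unchecked; give the member an explicit in-class default such as `grpc_ssl_client_certificate_request_type cert_request_type_ = GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;` and state in the class comment which verifying mode SPIFFE callers are expected to set. This public header also `#include`s `src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h` and exposes `grpc_core::RefCountedPtr` in `c_key_materials()`, neither of which is available to consumers of the installed `include/grpcpp` tree; a forward declaration here with the C-struct conversion kept in the .cc would avoid leaking core internals. `c_key_materials()` is declared but given no definition anywhere in this commit, so any caller will fail to link. Minor: `pem_root_certs()` returns `const ::grpc::string` by value, copying on every call and blocking a move at the call site; `const ::grpc::string& pem_root_certs() const { return pem_root_certs_; }` matches the sibling getter, and `set_key_materials_config` can `std::move(config)` into the member instead of copying the `shared_ptr`.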

+ 7 - 0
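--- a/src/cpp/client/secure_credentials.cc
+++ b/src/cpp/client/secure_credentials.cc
@@ -280,6 +280,13 @@ std::shared_ptr<ChannelCredentials> LocalCredentials(
   return WrapChannelCredentials(grpc_local_credentials_create(type));
 }
 
+// Builds SPIFFE Credentials given TLS options.
+std::shared_ptr<ChannelCredentials> SpiffeCredentials(
+    const TlsCredentialsOptions& options) {
+  return WrapChannelCredentials(grpc_tls_spiffe_credentials_create(
+      options.c_credentials_options()));
+}
+
 }  // namespace experimental
 
 // Builds credentials for use when running in GCE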
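Review bot: `options.c_credentials_options()` hands a freshly created raw `grpc_tls_credentials_options*` to `grpc_tls_spiffe_credentials_create` with nothing on this page saying whether the create call takes ownership; if it does not, every `SpiffeCredentials` call leaks the options object, and the same pattern appears in `SpiffeServerCredentials` in secure_server_credentials.cc and originates in `c_credentials_options()` in tls_credentials_options.cc. Once confirmed, document the transfer on `c_credentials_options()` (`// Returns a newly created options object; ownership passes to the grpc_tls_spiffe_*_create call.`), or release the object here after the create call if it is only borrowed. Returning a `std::unique_ptr` with the matching C destroy function as its deleter would make the contract explicit in the type rather than in a comment.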

+ 1 - 0
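--- a/src/cpp/client/secure_credentials.h
+++ b/src/cpp/client/secure_credentials.h
@@ -24,6 +24,7 @@
 #include <grpcpp/security/credentials.h>
 #include <grpcpp/security/credentials_impl.h>
 #include <grpcpp/support/config.h>
+#include <grpcpp/security/tls_credentials_options.h>
 
 #include "src/core/lib/security/credentials/credentials.h"
 #include "src/cpp/server/thread_pool_interface.h"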

+ 45 - 0
src/cpp/common/tls_credentials_options.cc

@@ -0,0 +1,45 @@
+/*
+ *
+ * Copyright 2019 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <grpcpp/security/tls_credentials_options.h>
+
+namespace grpc_impl {
+namespace experimental {
+
+/** gRPC TLS key materials config API implementation **/
+void TlsKeyMaterialsConfig::set_key_materials(
+    ::grpc::string pem_root_certs,
+    ::std::vector<PemKeyCertPair> pem_key_cert_pair_list) {
+  pem_key_cert_pair_list_ = ::std::move(pem_key_cert_pair_list);
+  pem_root_certs_ = ::std::move(pem_root_certs);
+}
+
+/** gRPC TLS credential options API implementation **/
+grpc_tls_credentials_options* TlsCredentialsOptions::c_credentials_options() const {
+  grpc_tls_credentials_options* c_options = grpc_tls_credentials_options_create();
+  c_options->set_cert_request_type(cert_request_type_);
+  // TODO: put in C configs into functions below.
+  c_options->set_key_materials_config(nullptr);
+  c_options->set_credential_reload_config(nullptr);
+  c_options->set_server_authorization_check_config(nullptr);
+  return c_options;
+}
+
+} // namespace experimental
+} // namespace grpc_impl
+
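Review bot: `c_credentials_options()` sets the key materials config to `nullptr` regardless of what `set_key_materials_config` stored, so the root certs and key/cert pairs a caller configures never reach the C options and the resulting SPIFFE credentials carry neither an identity nor trust anchors. Until the `TODO` is done, the method should either forward `key_materials_config_->c_key_materials()` (declared in the header but not defined in this commit) or fail loudly, e.g. with a `GPR_ASSERT`, rather than silently dropping the caller's configuration. `cert_request_type_` is copied into the C options unchecked and has no default in the header, so a default-constructed options object yields an unpredictable certificate-request policy. Style: the `TODO` carries no owner (`// TODO(user): wire the key materials, reload and authorization-check configs.`), and the `/** ... **/` comment form differs from the `///` Doxygen style used in the public headers this commit touches.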

+ 7 - 0
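--- a/src/cpp/server/secure_server_credentials.cc
+++ b/src/cpp/server/secure_server_credentials.cc
@@ -150,5 +150,12 @@ std::shared_ptr<ServerCredentials> LocalServerCredentials(
       new SecureServerCredentials(grpc_local_server_credentials_create(type)));
 }
 
+std::shared_ptr<ServerCredentials> SpiffeServerCredentials(
+    const TlsCredentialsOptions& options) {
+  return std::shared_ptr<ServerCredentials>(
+      new SecureServerCredentials(grpc_tls_spiffe_server_credentials_create(
+          options.c_credentials_options())));
+}
+
 }  // namespace experimental
 }  // namespace grpc_impl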
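Review bot: `SpiffeServerCredentials` has no leading comment, unlike its client-side counterpart in secure_credentials.cc which carries `// Builds SPIFFE Credentials given TLS options.`; add `// Builds SPIFFE ServerCredentials given TLS options.` above the definition to keep the two implementations documented alike. The `cert_request_type` this server-side path receives from the options is the one that decides whether peer certificates are requested and verified, so the comment is also the right place to say that callers must set it explicitly.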

+ 1 - 0
src/cpp/server/secure_server_credentials.h

@@ -22,6 +22,7 @@
 #include <memory>
 #include <memory>
 
 
 #include <grpcpp/security/server_credentials.h>
 #include <grpcpp/security/server_credentials.h>
+#include <grpcpp/security/tls_credentials_options.h>
 
 
 #include <grpc/grpc_security.h>
 #include <grpc/grpc_security.h>