diff --git a/BUILD b/BUILD
index d6e6b596f80..1fbe1d44c47 100644
--- a/BUILD
+++ b/BUILD
@@ -537,9 +537,7 @@ grpc_cc_library(
 "grpc++_codegen_proto",
 "grpc_base",
 "grpc_codegen",
- "grpc_credentials_util",
 "grpc_secure",
- "grpc_security_base",
 "json",
 "ref_counted_ptr",
 "slice",
@@ -719,7 +717,6 @@ grpc_cc_library(
 "gpr_base",
 "grpc++",
 "tsi",
- "tsi_alts_credentials",
 ],
 )
@@ -2499,7 +2496,6 @@ grpc_cc_library(
 "grpc_lb_upb",
 "grpc_resolver_fake",
 "grpc_secure",
- "grpc_security_base",
 "grpc_transport_chttp2_client_secure",
 "orphanable",
 "protobuf_duration_upb",
@@ -2535,7 +2531,6 @@ grpc_cc_library(
 "grpc_client_channel",
 "grpc_codegen",
 "grpc_secure",
- "grpc_security_base",
 "json",
 "json_util",
 "orphanable",
@@ -2602,13 +2597,10 @@ grpc_cc_library(
 "grpc_base",
 "grpc_client_channel",
 "grpc_codegen",
- "grpc_credentials_util",
 "grpc_fault_injection_filter",
 "grpc_lb_xds_channel_args",
 "grpc_matchers",
 "grpc_secure",
- "grpc_security_base",
- "grpc_tls_credentials",
 "grpc_transport_chttp2_client_secure",
 "json",
 "json_util",
@@ -2940,7 +2932,6 @@ grpc_cc_library(
 "grpc++_base",
 "grpc_base",
 "grpc_secure",
- "grpc_security_base",
 "slice",
 ],
 alwayslink = 1,
@@ -3219,31 +3210,18 @@ grpc_cc_library(
 ],
 )
-grpc_cc_library(
- name = "grpc_httpcli_security_connector",
- srcs = [
- "src/core/lib/http/httpcli_security_connector.cc",
- ],
- external_deps = [
- "absl/strings",
- ],
- language = "c++",
- deps = [
- "config",
- "gpr_base",
- "grpc_base",
- "grpc_security_base",
- "ref_counted_ptr",
- "tsi_ssl_credentials",
- ],
-)
-
 grpc_cc_library(
 name = "grpc_secure",
 srcs = [
+ "src/core/lib/http/httpcli_security_connector.cc",
 "src/core/lib/security/authorization/authorization_policy_provider_vtable.cc",
 "src/core/lib/security/authorization/evaluate_args.cc",
 "src/core/lib/security/authorization/sdk_server_authz_filter.cc",
+ "src/core/lib/security/context/security_context.cc",
+ "src/core/lib/security/credentials/alts/alts_credentials.cc",
+ "src/core/lib/security/credentials/composite/composite_credentials.cc",
+ "src/core/lib/security/credentials/credentials.cc",
+ "src/core/lib/security/credentials/credentials_metadata.cc",
 "src/core/lib/security/credentials/external/aws_external_account_credentials.cc",
 "src/core/lib/security/credentials/external/aws_request_signer.cc",
 "src/core/lib/security/credentials/external/external_account_credentials.cc",
@@ -3254,11 +3232,36 @@ grpc_cc_library(
 "src/core/lib/security/credentials/google_default/google_default_credentials.cc",
 "src/core/lib/security/credentials/iam/iam_credentials.cc",
 "src/core/lib/security/credentials/insecure/insecure_credentials.cc",
+ "src/core/lib/security/credentials/jwt/json_token.cc",
+ "src/core/lib/security/credentials/jwt/jwt_credentials.cc",
+ "src/core/lib/security/credentials/jwt/jwt_verifier.cc",
 "src/core/lib/security/credentials/local/local_credentials.cc",
 "src/core/lib/security/credentials/oauth2/oauth2_credentials.cc",
+ "src/core/lib/security/credentials/plugin/plugin_credentials.cc",
+ "src/core/lib/security/credentials/ssl/ssl_credentials.cc",
+ "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc",
+ "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc",
+ "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc",
+ "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc",
+ "src/core/lib/security/credentials/tls/tls_credentials.cc",
+ "src/core/lib/security/credentials/tls/tls_utils.cc",
+ "src/core/lib/security/security_connector/alts/alts_security_connector.cc",
 "src/core/lib/security/security_connector/fake/fake_security_connector.cc",
 "src/core/lib/security/security_connector/insecure/insecure_security_connector.cc",
+ "src/core/lib/security/security_connector/load_system_roots_fallback.cc",
+ "src/core/lib/security/security_connector/load_system_roots_linux.cc",
 "src/core/lib/security/security_connector/local/local_security_connector.cc",
+ "src/core/lib/security/security_connector/security_connector.cc",
+ "src/core/lib/security/security_connector/ssl/ssl_security_connector.cc",
+ "src/core/lib/security/security_connector/ssl_utils.cc",
+ "src/core/lib/security/security_connector/ssl_utils_config.cc",
+ "src/core/lib/security/security_connector/tls/tls_security_connector.cc",
+ "src/core/lib/security/transport/client_auth_filter.cc",
+ "src/core/lib/security/transport/secure_endpoint.cc",
+ "src/core/lib/security/transport/security_handshaker.cc",
+ "src/core/lib/security/transport/server_auth_filter.cc",
+ "src/core/lib/security/transport/tsi_error.cc",
+ "src/core/lib/security/util/json_util.cc",
 "src/core/lib/surface/init_secure.cc",
 ],
 hdrs = [
@@ -3268,6 +3271,10 @@ grpc_cc_library(
 "src/core/lib/security/authorization/authorization_policy_provider.h",
 "src/core/lib/security/authorization/evaluate_args.h",
 "src/core/lib/security/authorization/sdk_server_authz_filter.h",
+ "src/core/lib/security/context/security_context.h",
+ "src/core/lib/security/credentials/alts/alts_credentials.h",
+ "src/core/lib/security/credentials/composite/composite_credentials.h",
+ "src/core/lib/security/credentials/credentials.h",
 "src/core/lib/security/credentials/external/aws_external_account_credentials.h",
 "src/core/lib/security/credentials/external/aws_request_signer.h",
 "src/core/lib/security/credentials/external/external_account_credentials.h",
@@ -3276,11 +3283,35 @@ grpc_cc_library(
 "src/core/lib/security/credentials/fake/fake_credentials.h",
 "src/core/lib/security/credentials/google_default/google_default_credentials.h",
 "src/core/lib/security/credentials/iam/iam_credentials.h",
+ "src/core/lib/security/credentials/jwt/json_token.h",
+ "src/core/lib/security/credentials/jwt/jwt_credentials.h",
+ "src/core/lib/security/credentials/jwt/jwt_verifier.h",
 "src/core/lib/security/credentials/local/local_credentials.h",
 "src/core/lib/security/credentials/oauth2/oauth2_credentials.h",
+ "src/core/lib/security/credentials/plugin/plugin_credentials.h",
+ "src/core/lib/security/credentials/ssl/ssl_credentials.h",
+ "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h",
+ "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h",
+ "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h",
+ "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h",
+ "src/core/lib/security/credentials/tls/tls_credentials.h",
+ "src/core/lib/security/credentials/tls/tls_utils.h",
+ "src/core/lib/security/security_connector/alts/alts_security_connector.h",
 "src/core/lib/security/security_connector/fake/fake_security_connector.h",
 "src/core/lib/security/security_connector/insecure/insecure_security_connector.h",
+ "src/core/lib/security/security_connector/load_system_roots.h",
+ "src/core/lib/security/security_connector/load_system_roots_linux.h",
 "src/core/lib/security/security_connector/local/local_security_connector.h",
+ "src/core/lib/security/security_connector/security_connector.h",
+ "src/core/lib/security/security_connector/ssl/ssl_security_connector.h",
+ "src/core/lib/security/security_connector/ssl_utils.h",
+ "src/core/lib/security/security_connector/ssl_utils_config.h",
+ "src/core/lib/security/security_connector/tls/tls_security_connector.h",
+ "src/core/lib/security/transport/auth_filters.h",
+ "src/core/lib/security/transport/secure_endpoint.h",
+ "src/core/lib/security/transport/security_handshaker.h",
+ "src/core/lib/security/transport/tsi_error.h",
+ "src/core/lib/security/util/json_util.h",
 ],
 external_deps = [
 "absl/container:inlined_vector",
@@ -3299,17 +3330,10 @@ grpc_cc_library(
 "config",
 "error",
 "gpr_base",
- "grpc_alts_credentials",
 "grpc_base",
 "grpc_client_channel",
 "grpc_codegen",
- "grpc_credentials_util",
- "grpc_httpcli_security_connector",
- "grpc_jwt_credentials",
 "grpc_lb_xds_channel_args",
- "grpc_security_base",
- "grpc_ssl_credentials",
- "grpc_tls_credentials",
 "grpc_trace",
 "grpc_transport_chttp2_alpn",
 "json",
@@ -3318,331 +3342,11 @@ grpc_cc_library(
 "slice",
 "slice_refcount",
 "tsi",
- "tsi_base",
- "useful",
- ],
-)
-
-grpc_cc_library(
- name = "tsi_ssl_types",
- hdrs = [
- "src/core/tsi/ssl_types.h",
- ],
- external_deps = [
- "libssl",
- ],
- language = "c++",
-)
-
-grpc_cc_library(
- name = "tsi_base",
- srcs = [
- "src/core/tsi/transport_security.cc",
- "src/core/tsi/transport_security_grpc.cc",
- ],
- hdrs = [
- "src/core/tsi/transport_security.h",
- "src/core/tsi/transport_security_grpc.h",
- "src/core/tsi/transport_security_interface.h",
- ],
- language = "c++",
- visibility = ["@grpc:tsi_interface"],
- deps = [
- "gpr",
- "grpc_trace",
- ],
-)
-
-grpc_cc_library(
- name = "grpc_security_base",
- srcs = [
- "src/core/lib/security/context/security_context.cc",
- "src/core/lib/security/credentials/composite/composite_credentials.cc",
- "src/core/lib/security/credentials/credentials.cc",
- "src/core/lib/security/credentials/credentials_metadata.cc",
- "src/core/lib/security/credentials/plugin/plugin_credentials.cc",
- "src/core/lib/security/security_connector/security_connector.cc",
- "src/core/lib/security/transport/client_auth_filter.cc",
- "src/core/lib/security/transport/secure_endpoint.cc",
- "src/core/lib/security/transport/security_handshaker.cc",
- "src/core/lib/security/transport/server_auth_filter.cc",
- "src/core/lib/security/transport/tsi_error.cc",
- ],
- hdrs = [
- "src/core/lib/security/context/security_context.h",
- "src/core/lib/security/credentials/composite/composite_credentials.h",
- "src/core/lib/security/credentials/credentials.h",
- "src/core/lib/security/credentials/plugin/plugin_credentials.h",
- "src/core/lib/security/security_connector/security_connector.h",
- "src/core/lib/security/transport/auth_filters.h",
- "src/core/lib/security/transport/secure_endpoint.h",
- "src/core/lib/security/transport/security_handshaker.h",
- "src/core/lib/security/transport/tsi_error.h",
- ],
- external_deps = [
- "absl/strings",
- "absl/strings:str_format",
- "absl/time",
- ],
- language = "c++",
- public_hdrs = GRPC_SECURE_PUBLIC_HDRS,
- visibility = ["@grpc:public"],
- deps = [
- "config",
- "gpr_base",
- "grpc_base",
- "grpc_trace",
- "json",
- "ref_counted",
- "ref_counted_ptr",
- "tsi_base",
- ],
-)
-
-grpc_cc_library(
- name = "grpc_credentials_util",
- srcs = [
- "src/core/lib/security/credentials/tls/tls_utils.cc",
- "src/core/lib/security/security_connector/load_system_roots_fallback.cc",
- "src/core/lib/security/security_connector/load_system_roots_linux.cc",
- "src/core/lib/security/util/json_util.cc",
- ],
- hdrs = [
- "src/core/lib/security/credentials/tls/tls_utils.h",
- "src/core/lib/security/security_connector/load_system_roots.h",
- "src/core/lib/security/security_connector/load_system_roots_linux.h",
- "src/core/lib/security/util/json_util.h",
- ],
- external_deps = [
- "absl/container:inlined_vector",
- "absl/strings",
- ],
- language = "c++",
- visibility = ["@grpc:public"],
- deps = [
- "gpr_base",
- "grpc_base",
- "grpc_security_base",
+ "tsi_interface",
 "useful",
 ],
 )
-grpc_cc_library(
- name = "tsi_alts_credentials",
- srcs = [
- "src/core/tsi/alts/crypt/aes_gcm.cc",
- "src/core/tsi/alts/crypt/gsec.cc",
- "src/core/tsi/alts/frame_protector/alts_counter.cc",
- "src/core/tsi/alts/frame_protector/alts_crypter.cc",
- "src/core/tsi/alts/frame_protector/alts_frame_protector.cc",
- "src/core/tsi/alts/frame_protector/alts_record_protocol_crypter_common.cc",
- "src/core/tsi/alts/frame_protector/alts_seal_privacy_integrity_crypter.cc",
- "src/core/tsi/alts/frame_protector/alts_unseal_privacy_integrity_crypter.cc",
- "src/core/tsi/alts/frame_protector/frame_handler.cc",
- "src/core/tsi/alts/handshaker/alts_handshaker_client.cc",
- "src/core/tsi/alts/handshaker/alts_shared_resource.cc",
- "src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc",
- "src/core/tsi/alts/handshaker/alts_tsi_utils.cc",
- "src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_integrity_only_record_protocol.cc",
- "src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_privacy_integrity_record_protocol.cc",
- "src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.cc",
- "src/core/tsi/alts/zero_copy_frame_protector/alts_iovec_record_protocol.cc",
- "src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc",
- ],
- hdrs = [
- "src/core/tsi/alts/crypt/gsec.h",
- "src/core/tsi/alts/frame_protector/alts_counter.h",
- "src/core/tsi/alts/frame_protector/alts_crypter.h",
- "src/core/tsi/alts/frame_protector/alts_frame_protector.h",
- "src/core/tsi/alts/frame_protector/alts_record_protocol_crypter_common.h",
- "src/core/tsi/alts/frame_protector/frame_handler.h",
- "src/core/tsi/alts/handshaker/alts_handshaker_client.h",
- "src/core/tsi/alts/handshaker/alts_shared_resource.h",
- "src/core/tsi/alts/handshaker/alts_tsi_handshaker.h",
- "src/core/tsi/alts/handshaker/alts_tsi_handshaker_private.h",
- "src/core/tsi/alts/handshaker/alts_tsi_utils.h",
- "src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_integrity_only_record_protocol.h",
- "src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_privacy_integrity_record_protocol.h",
- "src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol.h",
- "src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.h",
- "src/core/tsi/alts/zero_copy_frame_protector/alts_iovec_record_protocol.h",
- "src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.h",
- ],
- external_deps = [
- "libssl",
- "libcrypto",
- "upb_lib",
- ],
- language = "c++",
- visibility = ["@grpc:public"],
- deps = [
- "alts_util",
- "config",
- "error",
- "gpr_base",
- "grpc_base",
- "tsi_base",
- "useful",
- ],
-)
-
-grpc_cc_library(
- name = "tsi_ssl_credentials",
- srcs = [
- "src/core/lib/security/security_connector/ssl_utils.cc",
- "src/core/lib/security/security_connector/ssl_utils_config.cc",
- "src/core/tsi/ssl/session_cache/ssl_session_boringssl.cc",
- "src/core/tsi/ssl/session_cache/ssl_session_cache.cc",
- "src/core/tsi/ssl/session_cache/ssl_session_openssl.cc",
- "src/core/tsi/ssl_transport_security.cc",
- ],
- hdrs = [
- "src/core/lib/security/security_connector/ssl_utils.h",
- "src/core/lib/security/security_connector/ssl_utils_config.h",
- "src/core/tsi/ssl/session_cache/ssl_session.h",
- "src/core/tsi/ssl/session_cache/ssl_session_cache.h",
- "src/core/tsi/ssl_transport_security.h",
- ],
- external_deps = [
- "absl/strings",
- "libssl",
- "libcrypto",
- ],
- language = "c++",
- visibility = ["@grpc:public"],
- deps = [
- "gpr_base",
- "grpc_base",
- "grpc_credentials_util",
- "grpc_security_base",
- "grpc_transport_chttp2_alpn",
- "ref_counted_ptr",
- "tsi_base",
- "tsi_ssl_types",
- "useful",
- ],
-)
-
-grpc_cc_library(
- name = "grpc_jwt_credentials",
- srcs = [
- "src/core/lib/security/credentials/jwt/json_token.cc",
- "src/core/lib/security/credentials/jwt/jwt_credentials.cc",
- "src/core/lib/security/credentials/jwt/jwt_verifier.cc",
- ],
- hdrs = [
- "src/core/lib/security/credentials/jwt/json_token.h",
- "src/core/lib/security/credentials/jwt/jwt_credentials.h",
- "src/core/lib/security/credentials/jwt/jwt_verifier.h",
- ],
- external_deps = [
- "absl/strings",
- "libcrypto",
- "libssl",
- ],
- language = "c++",
- visibility = ["@grpc:public"],
- deps = [
- "gpr_base",
- "grpc_base",
- "grpc_credentials_util",
- "grpc_security_base",
- "json",
- "ref_counted",
- "ref_counted_ptr",
- "tsi_ssl_types",
- ],
-)
-
-grpc_cc_library(
- name = "grpc_alts_credentials",
- srcs = [
- "src/core/lib/security/credentials/alts/alts_credentials.cc",
- "src/core/lib/security/security_connector/alts/alts_security_connector.cc",
- ],
- hdrs = [
- "src/core/lib/security/credentials/alts/alts_credentials.h",
- "src/core/lib/security/security_connector/alts/alts_security_connector.h",
- ],
- external_deps = [
- "libssl",
- "upb_lib",
- "upb_lib_descriptor",
- ],
- language = "c++",
- visibility = ["@grpc:public"],
- deps = [
- "alts_util",
- "gpr_base",
- "grpc_base",
- "grpc_security_base",
- "ref_counted_ptr",
- "tsi_alts_credentials",
- "tsi_base",
- ],
-)
-
-grpc_cc_library(
- name = "grpc_ssl_credentials",
- srcs = [
- "src/core/lib/security/credentials/ssl/ssl_credentials.cc",
- "src/core/lib/security/security_connector/ssl/ssl_security_connector.cc",
- ],
- hdrs = [
- "src/core/lib/security/credentials/ssl/ssl_credentials.h",
- "src/core/lib/security/security_connector/ssl/ssl_security_connector.h",
- ],
- external_deps = [
- "absl/strings",
- "absl/strings:str_format",
- ],
- language = "c++",
- deps = [
- "gpr_base",
- "grpc_base",
- "grpc_credentials_util",
- "grpc_security_base",
- "grpc_transport_chttp2_alpn",
- "ref_counted_ptr",
- "tsi_base",
- "tsi_ssl_credentials",
- ],
-)
-
-grpc_cc_library(
- name = "grpc_tls_credentials",
- srcs = [
- "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc",
- "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc",
- "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc",
- "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc",
- "src/core/lib/security/credentials/tls/tls_credentials.cc",
- "src/core/lib/security/security_connector/tls/tls_security_connector.cc",
- ],
- hdrs = [
- "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h",
- "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h",
- "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h",
- "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h",
- "src/core/lib/security/credentials/tls/tls_credentials.h",
- "src/core/lib/security/security_connector/tls/tls_security_connector.h",
- ],
- external_deps = [
- "absl/functional:bind_front",
- "absl/strings",
- "libssl",
- ],
- language = "c++",
- deps = [
- "gpr_base",
- "grpc_base",
- "grpc_credentials_util",
- "grpc_security_base",
- "tsi_base",
- "tsi_ssl_credentials",
- ],
-)
-
 grpc_cc_library(
 name = "grpc_mock_cel",
 hdrs = [
@@ -3970,7 +3674,6 @@ grpc_cc_library(
 "grpc_base",
 "grpc_client_channel",
 "grpc_secure",
- "grpc_security_base",
 "grpc_transport_chttp2",
 "grpc_transport_chttp2_client_connector",
 "slice",
@@ -4035,7 +3738,6 @@ grpc_cc_library(
 "gpr_base",
 "grpc_base",
 "grpc_secure",
- "grpc_security_base",
 "grpc_transport_chttp2",
 "grpc_transport_chttp2_server",
 "ref_counted_ptr",
@@ -4062,12 +3764,66 @@ grpc_cc_library(
 grpc_cc_library(
 name = "tsi_interface",
+ srcs = [
+ "src/core/tsi/transport_security.cc",
+ ],
+ hdrs = [
+ "src/core/tsi/transport_security.h",
+ "src/core/tsi/transport_security_interface.h",
+ ],
 language = "c++",
 visibility = ["@grpc:tsi_interface"],
 deps = [
 "gpr",
 "grpc_trace",
- "tsi_base",
+ ],
+)
+
+grpc_cc_library(
+ name = "alts_frame_protector",
+ srcs = [
+ "src/core/tsi/alts/crypt/aes_gcm.cc",
+ "src/core/tsi/alts/crypt/gsec.cc",
+ "src/core/tsi/alts/frame_protector/alts_counter.cc",
+ "src/core/tsi/alts/frame_protector/alts_crypter.cc",
+ "src/core/tsi/alts/frame_protector/alts_frame_protector.cc",
+ "src/core/tsi/alts/frame_protector/alts_record_protocol_crypter_common.cc",
+ "src/core/tsi/alts/frame_protector/alts_seal_privacy_integrity_crypter.cc",
+ "src/core/tsi/alts/frame_protector/alts_unseal_privacy_integrity_crypter.cc",
+ "src/core/tsi/alts/frame_protector/frame_handler.cc",
+ "src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_integrity_only_record_protocol.cc",
+ "src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_privacy_integrity_record_protocol.cc",
+ "src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.cc",
+ "src/core/tsi/alts/zero_copy_frame_protector/alts_iovec_record_protocol.cc",
+ "src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc",
+ ],
+ hdrs = [
+ "src/core/tsi/alts/crypt/gsec.h",
+ "src/core/tsi/alts/frame_protector/alts_counter.h",
+ "src/core/tsi/alts/frame_protector/alts_crypter.h",
+ "src/core/tsi/alts/frame_protector/alts_frame_protector.h",
+ "src/core/tsi/alts/frame_protector/alts_record_protocol_crypter_common.h",
+ "src/core/tsi/alts/frame_protector/frame_handler.h",
+ "src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_integrity_only_record_protocol.h",
+ "src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_privacy_integrity_record_protocol.h",
+ "src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol.h",
+ "src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.h",
+ "src/core/tsi/alts/zero_copy_frame_protector/alts_iovec_record_protocol.h",
+ "src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.h",
+ "src/core/tsi/transport_security_grpc.h",
+ ],
+ external_deps = [
+ "libssl",
+ "libcrypto",
+ ],
+ language = "c++",
+ visibility = ["@grpc:alts_frame_protector"],
+ deps = [
+ "gpr_base",
+ "grpc_base",
+ "slice",
+ "tsi_interface",
+ "useful",
 ],
 )
@@ -4104,12 +3860,31 @@ grpc_cc_library(
 grpc_cc_library(
 name = "tsi",
 srcs = [
+ "src/core/tsi/alts/handshaker/alts_handshaker_client.cc",
+ "src/core/tsi/alts/handshaker/alts_shared_resource.cc",
+ "src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc",
+ "src/core/tsi/alts/handshaker/alts_tsi_utils.cc",
 "src/core/tsi/fake_transport_security.cc",
 "src/core/tsi/local_transport_security.cc",
+ "src/core/tsi/ssl/session_cache/ssl_session_boringssl.cc",
+ "src/core/tsi/ssl/session_cache/ssl_session_cache.cc",
+ "src/core/tsi/ssl/session_cache/ssl_session_openssl.cc",
+ "src/core/tsi/ssl_transport_security.cc",
+ "src/core/tsi/transport_security_grpc.cc",
 ],
 hdrs = [
+ "src/core/tsi/alts/handshaker/alts_handshaker_client.h",
+ "src/core/tsi/alts/handshaker/alts_shared_resource.h",
+ "src/core/tsi/alts/handshaker/alts_tsi_handshaker.h",
+ "src/core/tsi/alts/handshaker/alts_tsi_handshaker_private.h",
+ "src/core/tsi/alts/handshaker/alts_tsi_utils.h",
 "src/core/tsi/fake_transport_security.h",
 "src/core/tsi/local_transport_security.h",
+ "src/core/tsi/ssl/session_cache/ssl_session.h",
+ "src/core/tsi/ssl/session_cache/ssl_session_cache.h",
+ "src/core/tsi/ssl_transport_security.h",
+ "src/core/tsi/ssl_types.h",
+ "src/core/tsi/transport_security_grpc.h",
 ],
 external_deps = [
 "libssl",
@@ -4120,15 +3895,13 @@ grpc_cc_library(
 language = "c++",
 visibility = ["@grpc:tsi"],
 deps = [
+ "alts_frame_protector",
 "alts_util",
 "gpr_base",
 "grpc_base",
 "grpc_transport_chttp2_client_insecure",
 "slice",
- "tsi_alts_credentials",
- "tsi_base",
- "tsi_ssl_credentials",
- "tsi_ssl_types",
+ "tsi_interface",
 "useful",
 ],
 )
diff --git a/src/core/lib/security/credentials/ssl/ssl_credentials.cc b/src/core/lib/security/credentials/ssl/ssl_credentials.cc
index 1767871fc24..093f1ad0bf5 100644
--- a/src/core/lib/security/credentials/ssl/ssl_credentials.cc
+++ b/src/core/lib/security/credentials/ssl/ssl_credentials.cc
@@ -27,7 +27,6 @@
 #include
 #include "src/core/lib/channel/channel_args.h"
-#include "src/core/lib/security/security_connector/ssl_utils.h"
 #include "src/core/lib/surface/api_trace.h"
 #include "src/core/tsi/ssl_transport_security.h"
@@ -35,6 +34,16 @@
 // SSL Channel Credentials.
 //
+void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp,
+ size_t num_key_cert_pairs) {
+ if (kp == nullptr) return;
+ for (size_t i = 0; i < num_key_cert_pairs; i++) {
+ gpr_free(const_cast(kp[i].private_key));
+ gpr_free(const_cast(kp[i].cert_chain));
+ }
+ gpr_free(kp);
+}
+
 grpc_ssl_credentials::grpc_ssl_credentials(
 const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
 const grpc_ssl_verify_peer_options* verify_options)
diff --git a/src/core/lib/security/security_connector/security_connector.cc b/src/core/lib/security/security_connector/security_connector.cc
index 12c843ee9c4..67ce84ac800 100644
--- a/src/core/lib/security/security_connector/security_connector.cc
+++ b/src/core/lib/security/security_connector/security_connector.cc
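Review bot: `grpc_tsi_ssl_pem_key_cert_pairs_destroy` is defined here with external linkage, but no hunk in view adds a declaration for it after ssl_utils.h drops its prototype; presumably ssl_credentials.h now carries it (tls_security_connector.cc starts including that header in this same change), which should be confirmed, since every other translation unit calling it depends on that. Independently, the loop releases `kp[i].private_key` with a plain `gpr_free`, so the PEM private key remains readable in freed heap memory until it is reused; now that this helper is the single owner of key-pair teardown it is the natural place to overwrite the key string (its length is the PEM string's length) with a non-elidable clear before freeing it. The `/* Free the memory occupied by key cert pairs. */` comment that ssl_utils.h used to carry is not moved along with the definition; a header comment stating the ownership contract, e.g. `// Frees every private_key/cert_chain string in kp and then kp itself; kp may be nullptr.`, would restore it.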
@@ -25,11 +25,15 @@
 #include
 #include
+#include "src/core/ext/transport/chttp2/alpn/alpn.h"
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/channel/handshaker.h"
 #include "src/core/lib/gpr/string.h"
+#include "src/core/lib/gprpp/host_port.h"
+#include "src/core/lib/iomgr/load_file.h"
 #include "src/core/lib/security/context/security_context.h"
 #include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/security_connector/load_system_roots.h"
 #include "src/core/lib/security/security_connector/security_connector.h"
 #include "src/core/lib/security/transport/security_handshaker.h"
diff --git a/src/core/lib/security/security_connector/security_connector.h b/src/core/lib/security/security_connector/security_connector.h
index caccaf3481e..3cfe3410260 100644
--- a/src/core/lib/security/security_connector/security_connector.h
+++ b/src/core/lib/security/security_connector/security_connector.h
@@ -30,15 +30,11 @@
 #include "src/core/lib/iomgr/endpoint.h"
 #include "src/core/lib/iomgr/pollset.h"
 #include "src/core/lib/iomgr/tcp_server.h"
+#include "src/core/tsi/ssl_transport_security.h"
 #include "src/core/tsi/transport_security_interface.h"
 extern grpc_core::DebugOnlyTraceFlag grpc_trace_security_connector_refcount;
-/* --- URL schemes. --- */
-
-#define GRPC_SSL_URL_SCHEME "https"
-#define GRPC_FAKE_SECURITY_URL_SCHEME "http+fake_security"
-
 typedef enum { GRPC_SECURITY_OK = 0, GRPC_SECURITY_ERROR } grpc_security_status;
 /* --- security_connector object. ---
diff --git a/src/core/lib/security/security_connector/ssl_utils.cc b/src/core/lib/security/security_connector/ssl_utils.cc
index bed17268120..e24d346d209 100644
--- a/src/core/lib/security/security_connector/ssl_utils.cc
+++ b/src/core/lib/security/security_connector/ssl_utils.cc
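Review bot: `GRPC_FAKE_SECURITY_URL_SCHEME` is deleted from security_connector.h alongside `GRPC_SSL_URL_SCHEME`, but only the SSL scheme reappears in this diff (in ssl_utils.h); no hunk in view re-defines the fake-security scheme, so presumably it moved into the fake security connector's own files, which should be confirmed before merge. The new `#include "src/core/tsi/ssl_transport_security.h"` also makes every consumer of the generic security-connector header depend on the SSL TSI header, where previously `transport_security_interface.h` sufficed; a one-line comment on the include naming the declaration that needs it would stop it from being removed as unused later. The header's remaining declarations are outside the hunk.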
@@ -92,6 +92,30 @@ const char* grpc_get_ssl_cipher_suites(void) {
 return cipher_suites;
 }
+grpc_security_level grpc_tsi_security_level_string_to_enum(
+ const char* security_level) {
+ if (strcmp(security_level, "TSI_INTEGRITY_ONLY") == 0) {
+ return GRPC_INTEGRITY_ONLY;
+ } else if (strcmp(security_level, "TSI_PRIVACY_AND_INTEGRITY") == 0) {
+ return GRPC_PRIVACY_AND_INTEGRITY;
+ }
+ return GRPC_SECURITY_NONE;
+}
+
+const char* grpc_security_level_to_string(grpc_security_level security_level) {
+ if (security_level == GRPC_PRIVACY_AND_INTEGRITY) {
+ return "GRPC_PRIVACY_AND_INTEGRITY";
+ } else if (security_level == GRPC_INTEGRITY_ONLY) {
+ return "GRPC_INTEGRITY_ONLY";
+ }
+ return "GRPC_SECURITY_NONE";
+}
+
+bool grpc_check_security_level(grpc_security_level channel_level,
+ grpc_security_level call_cred_level) {
+ return static_cast(channel_level) >= static_cast(call_cred_level);
+}
+
 tsi_client_certificate_request_type
 grpc_get_tsi_client_certificate_request_type(
 grpc_ssl_client_certificate_request_type grpc_request_type) {
@@ -155,16 +179,6 @@ grpc_error_handle grpc_ssl_check_peer_name(absl::string_view peer_name,
 return GRPC_ERROR_NONE;
 }
-void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp,
- size_t num_key_cert_pairs) {
- if (kp == nullptr) return;
- for (size_t i = 0; i < num_key_cert_pairs; i++) {
- gpr_free(const_cast(kp[i].private_key));
- gpr_free(const_cast(kp[i].cert_chain));
- }
- gpr_free(kp);
-}
-
 bool grpc_ssl_check_call_host(absl::string_view host,
 absl::string_view target_name,
 absl::string_view overridden_target_name,
diff --git a/src/core/lib/security/security_connector/ssl_utils.h b/src/core/lib/security/security_connector/ssl_utils.h
index 1ee6493c82b..f7e747c460d 100644
--- a/src/core/lib/security/security_connector/ssl_utils.h
+++ b/src/core/lib/security/security_connector/ssl_utils.h
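Review bot: `grpc_check_security_level` depends on the declaration order of `grpc_security_level` (NONE below INTEGRITY_ONLY below PRIVACY_AND_INTEGRITY), and now that it is an exported helper that ordering is part of its contract; the new case in security_connector_test.cc pins it only at runtime, so a compile-time pin next to the definition, `static_assert(GRPC_SECURITY_NONE < GRPC_INTEGRITY_ONLY && GRPC_INTEGRITY_ONLY < GRPC_PRIVACY_AND_INTEGRITY, "grpc_check_security_level relies on grpc_security_level ordering");`, would catch a reordered enum before it silently weakens the check. `grpc_tsi_security_level_string_to_enum` hands `security_level` straight to `strcmp`, so a null property value is undefined behaviour; the one caller in view passes `prop->value`, and whether that can ever be null cannot be told from this diff. Its fall-through to `GRPC_SECURITY_NONE` for any unrecognised string is the conservative outcome (a channel whose level cannot be parsed is treated as the weakest level, so call credentials needing more are withheld) and deserves a comment such as `// Unknown or newly added TSI levels deliberately map to the weakest level.` so it is not later changed to something more permissive.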
@@ -40,6 +40,9 @@
 /* --- Util --- */
+/* --- URL schemes. --- */
+#define GRPC_SSL_URL_SCHEME "https"
+
 /* Check ALPN information returned from SSL handshakes. */
 grpc_error_handle grpc_ssl_check_alpn(const tsi_peer* peer);
@@ -66,9 +69,20 @@ tsi_client_certificate_request_type
 grpc_get_tsi_client_certificate_request_type(
 grpc_ssl_client_certificate_request_type grpc_request_type);
+/* Map tsi_security_level string to grpc_security_level enum. */
+grpc_security_level grpc_tsi_security_level_string_to_enum(
+ const char* security_level);
+
 /* Map grpc_tls_version to tsi_tls_version. */
 tsi_tls_version grpc_get_tsi_tls_version(grpc_tls_version tls_version);
+/* Map grpc_security_level enum to a string. */
+const char* grpc_security_level_to_string(grpc_security_level security_level);
+
+/* Check security level of channel and call credential.*/
+bool grpc_check_security_level(grpc_security_level channel_level,
+ grpc_security_level call_cred_level);
+
 /* Return an array of strings containing alpn protocols. */
 const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols);
@@ -86,9 +100,6 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
 tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
 tsi_ssl_server_handshaker_factory** handshaker_factory);
-/* Free the memory occupied by key cert pairs. */
-void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp,
- size_t num_key_cert_pairs);
 /* Exposed for testing only. */
 grpc_core::RefCountedPtr grpc_ssl_peer_to_auth_context(
 const tsi_peer* peer, const char* transport_security_type);
diff --git a/src/core/lib/security/security_connector/tls/tls_security_connector.cc b/src/core/lib/security/security_connector/tls/tls_security_connector.cc
index 1a02b5f901f..2f7dd7de870 100644
--- a/src/core/lib/security/security_connector/tls/tls_security_connector.cc
+++ b/src/core/lib/security/security_connector/tls/tls_security_connector.cc
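Review bot: The new comment on `grpc_check_security_level`, `/* Check security level of channel and call credential.*/`, loses what the deleted auth_filters.h comment said: that the function answers whether the channel's level is at least the call credential's minimum, and that this decides whether call credentials are sent at all; a reader of this header can no longer tell which argument is the bound or which direction the comparison runs. Suggested replacement: `/* Returns true iff channel_level >= call_cred_level, i.e. the channel is secure enough for call credentials that require call_cred_level; used to decide whether call credentials may be sent. */`. The comment on `grpc_tsi_security_level_string_to_enum` should likewise say that any string other than the two known TSI level names yields GRPC_SECURITY_NONE, since callers outside this translation unit now rely on that.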
@@ -34,6 +34,7 @@
 #include
 #include "src/core/lib/gprpp/host_port.h"
+#include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
 #include "src/core/lib/security/security_connector/ssl_utils.h"
 #include "src/core/lib/security/transport/security_handshaker.h"
diff --git a/src/core/lib/security/transport/auth_filters.h b/src/core/lib/security/transport/auth_filters.h
index 9608c1633a0..fc9e59cf5fe 100644
--- a/src/core/lib/security/transport/auth_filters.h
+++ b/src/core/lib/security/transport/auth_filters.h
@@ -33,11 +33,4 @@ void grpc_auth_metadata_context_build(
 const grpc_slice& call_method, grpc_auth_context* auth_context,
 grpc_auth_metadata_context* auth_md_context);
-// Exposed for testing purposes only.
-// Check if the channel's security level is higher or equal to
-// that of call credentials to make a decision whether the transfer
-// of call credentials should be allowed or not.
-bool grpc_check_security_level(grpc_security_level channel_level,
- grpc_security_level call_cred_level);
-
 #endif /* GRPC_CORE_LIB_SECURITY_TRANSPORT_AUTH_FILTERS_H */
diff --git a/src/core/lib/security/transport/client_auth_filter.cc b/src/core/lib/security/transport/client_auth_filter.cc
index 13b0abf19bb..fdf10e8f3b7 100644
--- a/src/core/lib/security/transport/client_auth_filter.cc
+++ b/src/core/lib/security/transport/client_auth_filter.cc
@@ -34,6 +34,7 @@
 #include "src/core/lib/security/context/security_context.h"
 #include "src/core/lib/security/credentials/credentials.h"
 #include "src/core/lib/security/security_connector/security_connector.h"
+#include "src/core/lib/security/security_connector/ssl_utils.h"
 #include "src/core/lib/security/transport/auth_filters.h"
 #include "src/core/lib/slice/slice_internal.h"
 #include "src/core/lib/slice/slice_string_helpers.h"
@@ -233,21 +234,6 @@ static void cancel_get_request_metadata(void* arg, grpc_error_handle error) {
 GRPC_CALL_STACK_UNREF(calld->owning_call, "cancel_get_request_metadata");
 }
-static grpc_security_level convert_security_level_string_to_enum(
- const char* security_level) {
- if (strcmp(security_level, "TSI_INTEGRITY_ONLY") == 0) {
- return GRPC_INTEGRITY_ONLY;
- } else if (strcmp(security_level, "TSI_PRIVACY_AND_INTEGRITY") == 0) {
- return GRPC_PRIVACY_AND_INTEGRITY;
- }
- return GRPC_SECURITY_NONE;
-}
-
-bool grpc_check_security_level(grpc_security_level channel_level,
- grpc_security_level call_cred_level) {
- return static_cast(channel_level) >= static_cast(call_cred_level);
-}
-
 static void send_security_metadata(grpc_call_element* elem,
 grpc_transport_stream_op_batch* batch) {
 call_data* calld = static_cast(elem->call_data);
@@ -303,7 +289,7 @@ static void send_security_metadata(grpc_call_element* elem,
 grpc_security_level call_cred_security_level =
 calld->creds->min_security_level();
 int is_security_level_ok = grpc_check_security_level(
- convert_security_level_string_to_enum(prop->value),
+ grpc_tsi_security_level_string_to_enum(prop->value),
 call_cred_security_level);
 if (!is_security_level_ok) {
 grpc_transport_stream_op_batch_finish_with_failure(
diff --git a/test/core/security/insecure_security_connector_test.cc b/test/core/security/insecure_security_connector_test.cc
index 9a4c54b3939..0955eeb8621 100644
--- a/test/core/security/insecure_security_connector_test.cc
+++ b/test/core/security/insecure_security_connector_test.cc
@@ -47,7 +47,8 @@ TEST(InsecureSecurityConnector, MakeAuthContextTest) {
 auth_context.get(), GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME);
 prop = grpc_auth_property_iterator_next(&it);
 ASSERT_NE(prop, nullptr);
- EXPECT_STREQ(prop->value, tsi_security_level_to_string(TSI_SECURITY_NONE));
+ EXPECT_EQ(grpc_tsi_security_level_string_to_enum(prop->value),
+ GRPC_SECURITY_NONE);
 }
 } // namespace
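Review bot: The credential gate at this call now depends on `grpc_tsi_security_level_string_to_enum` returning the weakest level for a string it does not recognize, but nothing at the call site records that; the removed local helper made it explicit by falling through to `GRPC_SECURITY_NONE`, and the replacement's body is outside this view. If the new helper keeps that fallback I'd say so where the decision is made: `// Unrecognized level strings map to GRPC_SECURITY_NONE, so the check fails closed.`; if it does not, a malformed transport-security-level property could let a call credential through on a channel that should not carry it. send_security_metadata starts before this hunk.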
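Review bot: The replacement assertion is weaker than the one it removes: if the converter maps any unrecognized string to `GRPC_SECURITY_NONE` — as the `convert_security_level_string_to_enum` deleted earlier in this diff did — then an empty or garbled property value also satisfies `EXPECT_EQ(..., GRPC_SECURITY_NONE)`, so the test no longer proves the insecure connector writes the expected level string. I'd keep the exact check next to the new one: `EXPECT_STREQ(prop->value, tsi_security_level_to_string(TSI_SECURITY_NONE));`. The TEST body starts before this hunk.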
diff --git a/test/core/security/security_connector_test.cc b/test/core/security/security_connector_test.cc
index fbd6c9c6ab5..fd0555ba331 100644
--- a/test/core/security/security_connector_test.cc
+++ b/test/core/security/security_connector_test.cc
@@ -85,6 +85,27 @@ static int check_ssl_peer_equivalence(const tsi_peer* original,
 return 1;
 }
+static void test_check_security_level() {
+ GPR_ASSERT(grpc_check_security_level(GRPC_PRIVACY_AND_INTEGRITY,
+ GRPC_PRIVACY_AND_INTEGRITY) == true);
+ GPR_ASSERT(grpc_check_security_level(GRPC_PRIVACY_AND_INTEGRITY,
+ GRPC_INTEGRITY_ONLY) == true);
+ GPR_ASSERT(grpc_check_security_level(GRPC_PRIVACY_AND_INTEGRITY,
+ GRPC_SECURITY_NONE) == true);
+ GPR_ASSERT(grpc_check_security_level(GRPC_INTEGRITY_ONLY,
+ GRPC_PRIVACY_AND_INTEGRITY) == false);
+ GPR_ASSERT(grpc_check_security_level(GRPC_INTEGRITY_ONLY,
+ GRPC_INTEGRITY_ONLY) == true);
+ GPR_ASSERT(grpc_check_security_level(GRPC_INTEGRITY_ONLY,
+ GRPC_SECURITY_NONE) == true);
+ GPR_ASSERT(grpc_check_security_level(GRPC_SECURITY_NONE,
+ GRPC_PRIVACY_AND_INTEGRITY) == false);
+ GPR_ASSERT(grpc_check_security_level(GRPC_SECURITY_NONE,
+ GRPC_INTEGRITY_ONLY) == false);
+ GPR_ASSERT(grpc_check_security_level(GRPC_SECURITY_NONE,
+ GRPC_SECURITY_NONE) == true);
+}
+
 static void test_unauthenticated_ssl_peer(void) {
 tsi_peer peer;
 tsi_peer rpeer;
@@ -757,6 +778,7 @@ int main(int argc, char** argv) {
 test_ipv6_address_san();
 test_default_ssl_roots();
 test_peer_alpn_check();
+ test_check_security_level();
 grpc_shutdown();
 return 0;
 }
diff --git a/test/core/security/ssl_credentials_test.cc b/test/core/security/ssl_credentials_test.cc
index 86a676b2584..a9833013f74 100644
--- a/test/core/security/ssl_credentials_test.cc
+++ b/test/core/security/ssl_credentials_test.cc
@@ -25,7 +25,6 @@
 #include
 #include
-#include "src/core/lib/security/security_connector/ssl_utils.h"
 #include "src/core/tsi/ssl_transport_security.h"
 #include "test/core/util/test_config.h"
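Review bot: The new test pins the enum ordering that `grpc_check_security_level` relies on, but nothing in this diff exercises `grpc_tsi_security_level_string_to_enum`, the other half of the decision in client_auth_filter.cc, and in particular its result for a string it does not know — the case the helper it replaces resolved to `GRPC_SECURITY_NONE`, and the one that keeps a malformed auth-context property from unlocking a call credential. I'd add a sibling test covering the two TSI strings the old helper matched plus an unknown one, and register it next to `test_check_security_level();` in main. As a style point, `== true` / `== false` on a bool adds nothing; `GPR_ASSERT(!grpc_check_security_level(GRPC_INTEGRITY_ONLY, GRPC_PRIVACY_AND_INTEGRITY));` reads better.
```cpp
static void test_tsi_security_level_string_to_enum() {
  GPR_ASSERT(grpc_tsi_security_level_string_to_enum(
                 "TSI_PRIVACY_AND_INTEGRITY") == GRPC_PRIVACY_AND_INTEGRITY);
  GPR_ASSERT(grpc_tsi_security_level_string_to_enum("TSI_INTEGRITY_ONLY") ==
             GRPC_INTEGRITY_ONLY);
  GPR_ASSERT(grpc_tsi_security_level_string_to_enum(
                 tsi_security_level_to_string(TSI_SECURITY_NONE)) ==
             GRPC_SECURITY_NONE);
  // An unknown string must never be promoted to a stronger level.
  GPR_ASSERT(grpc_tsi_security_level_string_to_enum("NOT_A_LEVEL") ==
             GRPC_SECURITY_NONE);
}
// … unchanged: test_unauthenticated_ssl_peer and the rest of the file …
```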
diff --git a/test/core/tsi/alts/crypt/BUILD b/test/core/tsi/alts/crypt/BUILD
index e2ae53bdffd..1883219392c 100644
--- a/test/core/tsi/alts/crypt/BUILD
+++ b/test/core/tsi/alts/crypt/BUILD
@@ -27,6 +27,7 @@ grpc_cc_test(
 language = "C++",
 deps = [
 ":alts_crypt_test_util",
+ "//:alts_frame_protector",
 "//:gpr",
 "//:grpc",
 "//test/core/util:grpc_test_util",
diff --git a/test/core/tsi/alts/frame_protector/BUILD b/test/core/tsi/alts/frame_protector/BUILD
index aa6322dc87a..33a1bef3f5c 100644
--- a/test/core/tsi/alts/frame_protector/BUILD
+++ b/test/core/tsi/alts/frame_protector/BUILD
@@ -23,6 +23,7 @@ grpc_cc_test(
 srcs = ["alts_counter_test.cc"],
 language = "C++",
 deps = [
+ "//:alts_frame_protector",
 "//:gpr",
 "//:grpc",
 "//test/core/tsi/alts/crypt:alts_crypt_test_util",
@@ -35,6 +36,7 @@ grpc_cc_test(
 srcs = ["alts_crypter_test.cc"],
 language = "C++",
 deps = [
+ "//:alts_frame_protector",
 "//:gpr",
 "//:grpc",
 "//test/core/tsi/alts/crypt:alts_crypt_test_util",
@@ -47,8 +49,11 @@ grpc_cc_test(
 srcs = ["alts_frame_protector_test.cc"],
 language = "C++",
 deps = [
+ "//:alts_frame_protector",
 "//:gpr",
 "//:grpc",
+ "//:tsi",
+ "//:tsi_interface",
 "//test/core/tsi:transport_security_test_lib",
 "//test/core/tsi/alts/crypt:alts_crypt_test_util",
 "//test/core/util:grpc_test_util",
@@ -60,6 +65,7 @@ grpc_cc_test(
 srcs = ["frame_handler_test.cc"],
 language = "C++",
 deps = [
+ "//:alts_frame_protector",
 "//:gpr",
 "//:gpr_base",
 "//:grpc",
diff --git a/test/core/tsi/alts/handshaker/BUILD b/test/core/tsi/alts/handshaker/BUILD
index de9b762edd0..29a366aa7a6 100644
--- a/test/core/tsi/alts/handshaker/BUILD
+++ b/test/core/tsi/alts/handshaker/BUILD
@@ -23,6 +23,7 @@ grpc_cc_library(
 srcs = ["alts_handshaker_service_api_test_lib.cc"],
 hdrs = ["alts_handshaker_service_api_test_lib.h"],
 deps = [
+ "//:alts_util",
 "//:grpc",
 ],
 )
@@ -34,6 +35,8 @@ grpc_cc_test(
 deps = [
 ":alts_handshaker_service_api_test_lib",
 "//:grpc",
+ "//:tsi",
+ "//:tsi_interface",
 "//test/core/util:grpc_test_util",
 ],
 )
@@ -47,6 +50,7 @@ grpc_cc_test(
 "//:gpr",
 "//:gpr_base",
 "//:grpc",
+ "//:tsi",
 "//test/core/util:grpc_test_util",
 ],
 )
@@ -58,6 +62,7 @@ grpc_cc_test(
 deps = [
 ":alts_handshaker_service_api_test_lib",
 "//:grpc",
+ "//:tsi",
 "//test/core/util:grpc_test_util",
 ],
 )
@@ -67,6 +72,7 @@ grpc_cc_test(
 srcs = ["transport_security_common_api_test.cc"],
 language = "C++",
 deps = [
+ "//:alts_util",
 "//:grpc",
 "//test/core/util:grpc_test_util",
 ],
@@ -86,6 +92,7 @@ grpc_cc_test(
 "no_windows",
 ],
 deps = [
+ "//:alts_util",
 "//:grpc",
 "//test/core/end2end:cq_verifier",
 "//test/core/tsi/alts/fake_handshaker:fake_handshaker_lib",
diff --git a/test/core/tsi/alts/zero_copy_frame_protector/BUILD b/test/core/tsi/alts/zero_copy_frame_protector/BUILD
index 2a5363bb0a7..6f8cb649055 100644
--- a/test/core/tsi/alts/zero_copy_frame_protector/BUILD
+++ b/test/core/tsi/alts/zero_copy_frame_protector/BUILD
@@ -23,6 +23,7 @@ grpc_cc_test(
 srcs = ["alts_grpc_record_protocol_test.cc"],
 language = "C++",
 deps = [
+ "//:alts_frame_protector",
 "//:gpr",
 "//:grpc",
 "//:grpc_base",
@@ -36,6 +37,7 @@ grpc_cc_test(
 srcs = ["alts_iovec_record_protocol_test.cc"],
 language = "C++",
 deps = [
+ "//:alts_frame_protector",
 "//:gpr",
 "//:grpc",
 "//test/core/tsi/alts/crypt:alts_crypt_test_util",
@@ -48,6 +50,7 @@ grpc_cc_test(
 srcs = ["alts_zero_copy_grpc_protector_test.cc"],
 language = "C++",
 deps = [
+ "//:alts_frame_protector",
 "//:gpr",
 "//:grpc",
 "//:grpc_base",