From f238e5399cc344b4c19e3fcda58a1b225218c44b Mon Sep 17 00:00:00 2001 
From: AJ Heller Date: Thu, 4 Apr 2024 09:17:18 -0700 Subject: [PATCH] [security] Reland: Refactor credentials types to remove special handling for insecure creds (#36242) See #36176. The only difference is a temporary shim for Secure credentials types, which was already discussed and approved separately. Closes #36242 COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36242 from drfloob:reland/36176 f07bebe289b334b0dbf090bc67264e77c0821e9d PiperOrigin-RevId: 621879911 --- BUILD | 22 +- CMakeLists.txt | 31 +- build_autogenerated.yaml | 33 +- gRPC-C++.podspec | 4 +- include/grpcpp/security/credentials.h | 62 ++- include/grpcpp/security/server_credentials.h | 32 +- include/grpcpp/support/channel_arguments.h | 4 +- .../server/binder_server_credentials.cc | 9 +- src/cpp/client/call_credentials.cc | 39 ++ src/cpp/client/channel_credentials.cc | 47 +++ src/cpp/client/cronet_credentials.cc | 14 +- src/cpp/client/insecure_credentials.cc | 31 +- src/cpp/client/secure_credentials.cc | 372 ++++++++---------- src/cpp/client/secure_credentials.h | 99 +---- src/cpp/client/xds_credentials.cc | 23 +- src/cpp/common/channel_arguments.cc | 13 + src/cpp/common/secure_channel_arguments.cc | 41 -- src/cpp/ext/chaotic_good.cc | 19 +- src/cpp/server/insecure_server_credentials.cc | 21 +- src/cpp/server/secure_server_credentials.cc | 13 +- src/cpp/server/secure_server_credentials.h | 23 +- src/cpp/server/server_credentials.cc | 39 ++ src/cpp/server/xds_server_credentials.cc | 16 +- .../binder/end2end/binder_server_test.cc | 10 +- test/cpp/end2end/client_lb_end2end_test.cc | 5 +- test/cpp/end2end/end2end_test.cc | 25 +- test/cpp/end2end/grpclb_end2end_test.cc | 7 +- .../resource_quota_end2end_stress_test.cc | 6 +- test/cpp/end2end/rls_end2end_test.cc | 9 +- .../end2end/service_config_end2end_test.cc | 5 +- test/cpp/end2end/xds/xds_csds_end2end_test.cc | 5 +- test/cpp/end2end/xds/xds_end2end_test_lib.cc | 6 +- test/cpp/interop/client_helper.cc | 8 +- test/cpp/microbenchmarks/BUILD | 
4 +- test/cpp/util/BUILD | 1 + test/cpp/util/credentials.h | 41 ++ tools/doxygen/Doxyfile.c++.internal | 4 +- 37 files changed, 558 insertions(+), 585 deletions(-) create mode 100644 src/cpp/client/call_credentials.cc create mode 100644 src/cpp/client/channel_credentials.cc delete mode 100644 src/cpp/common/secure_channel_arguments.cc create mode 100644 src/cpp/server/server_credentials.cc create mode 100644 test/cpp/util/credentials.h diff --git a/BUILD b/BUILD index ce66e2beaf1..400845350a2 100644 --- a/BUILD +++ b/BUILD @@ -325,7 +325,9 @@ GRPC_PUBLIC_EVENT_ENGINE_HDRS = [ ] GRPCXX_SRCS = [ + "src/cpp/client/call_credentials.cc", "src/cpp/client/channel_cc.cc", + "src/cpp/client/channel_credentials.cc", "src/cpp/client/client_callback.cc", "src/cpp/client/client_context.cc", "src/cpp/client/client_interceptor.cc", @@ -351,6 +353,7 @@ GRPCXX_SRCS = [ "src/cpp/server/server_callback.cc", "src/cpp/server/server_cc.cc", "src/cpp/server/server_context.cc", + "src/cpp/server/server_credentials.cc", "src/cpp/server/server_posix.cc", "src/cpp/thread_manager/thread_manager.cc", "src/cpp/util/byte_buffer_cc.cc", @@ -941,9 +944,7 @@ grpc_cc_library( }, ], tags = ["nofixdeps"], - visibility = [ - "@grpc:public", - ], + visibility = ["@grpc:public"], deps = [ "grpc++_base", "//src/core:gpr_atm", @@ -1216,6 +1217,9 @@ grpc_cc_library( ], ) +# TODO(hork): restructure the grpc++_unsecure and grpc++ build targets in a +# similar way to how the grpc_unsecure and grpc targets were restructured in +# #25586 grpc_cc_library( name = "grpc++_unsecure", srcs = [ 
@@ -1223,18 +1227,26 @@ grpc_cc_library( "src/cpp/common/insecure_create_auth_context.cc", "src/cpp/server/insecure_server_credentials.cc", ], + external_deps = [ + "absl/strings", + "absl/synchronization", + ], language = "c++", + public_hdrs = GRPCXX_PUBLIC_HDRS, tags = [ "avoid_dep", "nofixdeps", ], visibility = ["@grpc:public"], deps = [ + "channel_arg_names", "gpr", "grpc++_base_unsecure", "grpc++_codegen_proto", "grpc_public_hdrs", + "grpc_security_base", "grpc_unsecure", + "//src/core:gpr_atm", "//src/core:grpc_insecure_credentials", ], ) @@ -2374,7 +2386,6 @@ grpc_cc_library( "src/cpp/client/secure_credentials.cc", "src/cpp/common/auth_property_iterator.cc", "src/cpp/common/secure_auth_context.cc", - "src/cpp/common/secure_channel_arguments.cc", "src/cpp/common/secure_create_auth_context.cc", "src/cpp/common/tls_certificate_provider.cc", "src/cpp/common/tls_certificate_verifier.cc", @@ -2498,6 +2509,7 @@ grpc_cc_library( "grpc_base", "grpc_health_upb", "grpc_public_hdrs", + "grpc_security_base", "grpc_service_config_impl", "grpc_trace", "grpc_unsecure", @@ -4704,7 +4716,7 @@ grpc_cc_library( visibility = ["@grpc:chaotic_good"], deps = [ "gpr", - "grpc++_public_hdrs", + "grpc++_base", "grpc_public_hdrs", "//src/core:chaotic_good_connector", "//src/core:chaotic_good_server", diff --git a/CMakeLists.txt b/CMakeLists.txt index 170647a145a..2a84283030b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -4045,7 +4045,9 @@ add_library(grpc++ src/core/ext/transport/binder/wire_format/transaction.cc src/core/ext/transport/binder/wire_format/wire_reader_impl.cc src/core/ext/transport/binder/wire_format/wire_writer.cc + src/cpp/client/call_credentials.cc src/cpp/client/channel_cc.cc + src/cpp/client/channel_credentials.cc src/cpp/client/client_callback.cc src/cpp/client/client_context.cc src/cpp/client/client_interceptor.cc 
@@ -4063,7 +4065,6 @@ add_library(grpc++ src/cpp/common/resource_quota_cc.cc src/cpp/common/rpc_method.cc src/cpp/common/secure_auth_context.cc - src/cpp/common/secure_channel_arguments.cc src/cpp/common/secure_create_auth_context.cc src/cpp/common/tls_certificate_provider.cc src/cpp/common/tls_certificate_verifier.cc @@ -4084,6 +4085,7 @@ add_library(grpc++ src/cpp/server/server_callback.cc src/cpp/server/server_cc.cc src/cpp/server/server_context.cc + src/cpp/server/server_credentials.cc src/cpp/server/server_posix.cc src/cpp/server/xds_server_builder.cc src/cpp/server/xds_server_credentials.cc @@ -4793,7 +4795,9 @@ target_link_libraries(grpc++_test_util endif() add_library(grpc++_unsecure + src/cpp/client/call_credentials.cc src/cpp/client/channel_cc.cc + src/cpp/client/channel_credentials.cc src/cpp/client/client_callback.cc src/cpp/client/client_context.cc src/cpp/client/client_interceptor.cc @@ -4823,6 +4827,7 @@ add_library(grpc++_unsecure src/cpp/server/server_callback.cc src/cpp/server/server_cc.cc src/cpp/server/server_context.cc + src/cpp/server/server_credentials.cc src/cpp/server/server_posix.cc src/cpp/thread_manager/thread_manager.cc src/cpp/util/byte_buffer_cc.cc @@ -8154,7 +8159,9 @@ add_executable(binder_transport_test src/core/ext/transport/binder/wire_format/transaction.cc src/core/ext/transport/binder/wire_format/wire_reader_impl.cc src/core/ext/transport/binder/wire_format/wire_writer.cc + src/cpp/client/call_credentials.cc src/cpp/client/channel_cc.cc + src/cpp/client/channel_credentials.cc src/cpp/client/client_callback.cc src/cpp/client/client_context.cc src/cpp/client/client_interceptor.cc @@ -8171,7 +8178,6 @@ add_executable(binder_transport_test src/cpp/common/resource_quota_cc.cc src/cpp/common/rpc_method.cc src/cpp/common/secure_auth_context.cc - src/cpp/common/secure_channel_arguments.cc src/cpp/common/secure_create_auth_context.cc src/cpp/common/tls_certificate_provider.cc src/cpp/common/tls_certificate_verifier.cc 
@@ -8192,6 +8198,7 @@ add_executable(binder_transport_test src/cpp/server/server_callback.cc src/cpp/server/server_cc.cc src/cpp/server/server_context.cc + src/cpp/server/server_credentials.cc src/cpp/server/server_posix.cc src/cpp/thread_manager/thread_manager.cc src/cpp/util/byte_buffer_cc.cc @@ -12670,7 +12677,9 @@ add_executable(endpoint_binder_pool_test src/core/ext/transport/binder/wire_format/transaction.cc src/core/ext/transport/binder/wire_format/wire_reader_impl.cc src/core/ext/transport/binder/wire_format/wire_writer.cc + src/cpp/client/call_credentials.cc src/cpp/client/channel_cc.cc + src/cpp/client/channel_credentials.cc src/cpp/client/client_callback.cc src/cpp/client/client_context.cc src/cpp/client/client_interceptor.cc @@ -12687,7 +12696,6 @@ add_executable(endpoint_binder_pool_test src/cpp/common/resource_quota_cc.cc src/cpp/common/rpc_method.cc src/cpp/common/secure_auth_context.cc - src/cpp/common/secure_channel_arguments.cc src/cpp/common/secure_create_auth_context.cc src/cpp/common/tls_certificate_provider.cc src/cpp/common/tls_certificate_verifier.cc @@ -12708,6 +12716,7 @@ add_executable(endpoint_binder_pool_test src/cpp/server/server_callback.cc src/cpp/server/server_cc.cc src/cpp/server/server_context.cc + src/cpp/server/server_credentials.cc src/cpp/server/server_posix.cc src/cpp/thread_manager/thread_manager.cc src/cpp/util/byte_buffer_cc.cc @@ -13527,7 +13536,9 @@ add_executable(fake_binder_test src/core/ext/transport/binder/wire_format/transaction.cc src/core/ext/transport/binder/wire_format/wire_reader_impl.cc src/core/ext/transport/binder/wire_format/wire_writer.cc + src/cpp/client/call_credentials.cc src/cpp/client/channel_cc.cc + src/cpp/client/channel_credentials.cc src/cpp/client/client_callback.cc src/cpp/client/client_context.cc src/cpp/client/client_interceptor.cc 
@@ -13544,7 +13555,6 @@ add_executable(fake_binder_test src/cpp/common/resource_quota_cc.cc src/cpp/common/rpc_method.cc src/cpp/common/secure_auth_context.cc - src/cpp/common/secure_channel_arguments.cc src/cpp/common/secure_create_auth_context.cc src/cpp/common/tls_certificate_provider.cc src/cpp/common/tls_certificate_verifier.cc @@ -13565,6 +13575,7 @@ add_executable(fake_binder_test src/cpp/server/server_callback.cc src/cpp/server/server_cc.cc src/cpp/server/server_context.cc + src/cpp/server/server_credentials.cc src/cpp/server/server_posix.cc src/cpp/thread_manager/thread_manager.cc src/cpp/util/byte_buffer_cc.cc @@ -31370,7 +31381,9 @@ add_executable(transport_stream_receiver_test src/core/ext/transport/binder/wire_format/transaction.cc src/core/ext/transport/binder/wire_format/wire_reader_impl.cc src/core/ext/transport/binder/wire_format/wire_writer.cc + src/cpp/client/call_credentials.cc src/cpp/client/channel_cc.cc + src/cpp/client/channel_credentials.cc src/cpp/client/client_callback.cc src/cpp/client/client_context.cc src/cpp/client/client_interceptor.cc @@ -31387,7 +31400,6 @@ add_executable(transport_stream_receiver_test src/cpp/common/resource_quota_cc.cc src/cpp/common/rpc_method.cc src/cpp/common/secure_auth_context.cc - src/cpp/common/secure_channel_arguments.cc src/cpp/common/secure_create_auth_context.cc src/cpp/common/tls_certificate_provider.cc src/cpp/common/tls_certificate_verifier.cc @@ -31408,6 +31420,7 @@ add_executable(transport_stream_receiver_test src/cpp/server/server_callback.cc src/cpp/server/server_cc.cc src/cpp/server/server_context.cc + src/cpp/server/server_credentials.cc src/cpp/server/server_posix.cc src/cpp/thread_manager/thread_manager.cc src/cpp/util/byte_buffer_cc.cc 
@@ -32202,7 +32215,9 @@ add_executable(wire_reader_test src/core/ext/transport/binder/wire_format/transaction.cc src/core/ext/transport/binder/wire_format/wire_reader_impl.cc src/core/ext/transport/binder/wire_format/wire_writer.cc + src/cpp/client/call_credentials.cc src/cpp/client/channel_cc.cc + src/cpp/client/channel_credentials.cc src/cpp/client/client_callback.cc src/cpp/client/client_context.cc src/cpp/client/client_interceptor.cc @@ -32219,7 +32234,6 @@ add_executable(wire_reader_test src/cpp/common/resource_quota_cc.cc src/cpp/common/rpc_method.cc src/cpp/common/secure_auth_context.cc - src/cpp/common/secure_channel_arguments.cc src/cpp/common/secure_create_auth_context.cc src/cpp/common/tls_certificate_provider.cc src/cpp/common/tls_certificate_verifier.cc @@ -32240,6 +32254,7 @@ add_executable(wire_reader_test src/cpp/server/server_callback.cc src/cpp/server/server_cc.cc src/cpp/server/server_context.cc + src/cpp/server/server_credentials.cc src/cpp/server/server_posix.cc src/cpp/thread_manager/thread_manager.cc src/cpp/util/byte_buffer_cc.cc @@ -32308,7 +32323,9 @@ add_executable(wire_writer_test src/core/ext/transport/binder/wire_format/transaction.cc src/core/ext/transport/binder/wire_format/wire_reader_impl.cc src/core/ext/transport/binder/wire_format/wire_writer.cc + src/cpp/client/call_credentials.cc src/cpp/client/channel_cc.cc + src/cpp/client/channel_credentials.cc src/cpp/client/client_callback.cc src/cpp/client/client_context.cc src/cpp/client/client_interceptor.cc @@ -32325,7 +32342,6 @@ add_executable(wire_writer_test src/cpp/common/resource_quota_cc.cc src/cpp/common/rpc_method.cc src/cpp/common/secure_auth_context.cc - src/cpp/common/secure_channel_arguments.cc src/cpp/common/secure_create_auth_context.cc src/cpp/common/tls_certificate_provider.cc src/cpp/common/tls_certificate_verifier.cc 
@@ -32346,6 +32362,7 @@ add_executable(wire_writer_test src/cpp/server/server_callback.cc src/cpp/server/server_cc.cc src/cpp/server/server_context.cc + src/cpp/server/server_credentials.cc src/cpp/server/server_posix.cc src/cpp/thread_manager/thread_manager.cc src/cpp/util/byte_buffer_cc.cc diff --git a/build_autogenerated.yaml b/build_autogenerated.yaml index f120f9e2607..0c8d3fc408a 100644 --- a/build_autogenerated.yaml +++ b/build_autogenerated.yaml @@ -3886,7 +3886,9 @@ libs: - src/core/ext/transport/binder/wire_format/transaction.cc - src/core/ext/transport/binder/wire_format/wire_reader_impl.cc - src/core/ext/transport/binder/wire_format/wire_writer.cc + - src/cpp/client/call_credentials.cc - src/cpp/client/channel_cc.cc + - src/cpp/client/channel_credentials.cc - src/cpp/client/client_callback.cc - src/cpp/client/client_context.cc - src/cpp/client/client_interceptor.cc @@ -3904,7 +3906,6 @@ libs: - src/cpp/common/resource_quota_cc.cc - src/cpp/common/rpc_method.cc - src/cpp/common/secure_auth_context.cc - - src/cpp/common/secure_channel_arguments.cc - src/cpp/common/secure_create_auth_context.cc - src/cpp/common/tls_certificate_provider.cc - src/cpp/common/tls_certificate_verifier.cc @@ -3925,6 +3926,7 @@ libs: - src/cpp/server/server_callback.cc - src/cpp/server/server_cc.cc - src/cpp/server/server_context.cc + - src/cpp/server/server_credentials.cc - src/cpp/server/server_posix.cc - src/cpp/server/xds_server_builder.cc - src/cpp/server/xds_server_credentials.cc @@ -4024,6 +4026,7 @@ libs: - test/core/util/tracer_util.h - test/cpp/util/byte_buffer_proto_helper.h - test/cpp/util/create_test_channel.h + - test/cpp/util/credentials.h - test/cpp/util/string_ref_helper.h - test/cpp/util/subprocess.h - test/cpp/util/test_credentials_provider.h 
@@ -4266,7 +4269,9 @@ libs: - src/cpp/server/thread_pool_interface.h - src/cpp/thread_manager/thread_manager.h src: + - src/cpp/client/call_credentials.cc - src/cpp/client/channel_cc.cc + - src/cpp/client/channel_credentials.cc - src/cpp/client/client_callback.cc - src/cpp/client/client_context.cc - src/cpp/client/client_interceptor.cc @@ -4296,6 +4301,7 @@ libs: - src/cpp/server/server_callback.cc - src/cpp/server/server_cc.cc - src/cpp/server/server_context.cc + - src/cpp/server/server_credentials.cc - src/cpp/server/server_posix.cc - src/cpp/thread_manager/thread_manager.cc - src/cpp/util/byte_buffer_cc.cc @@ -5285,6 +5291,7 @@ targets: - test/core/util/slice_splitter.h - test/core/util/tracer_util.h - test/cpp/util/byte_buffer_proto_helper.h + - test/cpp/util/credentials.h - test/cpp/util/string_ref_helper.h - test/cpp/util/subprocess.h src: @@ -6173,7 +6180,9 @@ targets: - src/core/ext/transport/binder/wire_format/transaction.cc - src/core/ext/transport/binder/wire_format/wire_reader_impl.cc - src/core/ext/transport/binder/wire_format/wire_writer.cc + - src/cpp/client/call_credentials.cc - src/cpp/client/channel_cc.cc + - src/cpp/client/channel_credentials.cc - src/cpp/client/client_callback.cc - src/cpp/client/client_context.cc - src/cpp/client/client_interceptor.cc @@ -6190,7 +6199,6 @@ targets: - src/cpp/common/resource_quota_cc.cc - src/cpp/common/rpc_method.cc - src/cpp/common/secure_auth_context.cc - - src/cpp/common/secure_channel_arguments.cc - src/cpp/common/secure_create_auth_context.cc - src/cpp/common/tls_certificate_provider.cc - src/cpp/common/tls_certificate_verifier.cc @@ -6211,6 +6219,7 @@ targets: - src/cpp/server/server_callback.cc - src/cpp/server/server_cc.cc - src/cpp/server/server_context.cc + - src/cpp/server/server_credentials.cc - src/cpp/server/server_posix.cc - src/cpp/thread_manager/thread_manager.cc - src/cpp/util/byte_buffer_cc.cc 
@@ -8868,7 +8877,9 @@ targets: - src/core/ext/transport/binder/wire_format/transaction.cc - src/core/ext/transport/binder/wire_format/wire_reader_impl.cc - src/core/ext/transport/binder/wire_format/wire_writer.cc + - src/cpp/client/call_credentials.cc - src/cpp/client/channel_cc.cc + - src/cpp/client/channel_credentials.cc - src/cpp/client/client_callback.cc - src/cpp/client/client_context.cc - src/cpp/client/client_interceptor.cc @@ -8885,7 +8896,6 @@ targets: - src/cpp/common/resource_quota_cc.cc - src/cpp/common/rpc_method.cc - src/cpp/common/secure_auth_context.cc - - src/cpp/common/secure_channel_arguments.cc - src/cpp/common/secure_create_auth_context.cc - src/cpp/common/tls_certificate_provider.cc - src/cpp/common/tls_certificate_verifier.cc @@ -8906,6 +8916,7 @@ targets: - src/cpp/server/server_callback.cc - src/cpp/server/server_cc.cc - src/cpp/server/server_context.cc + - src/cpp/server/server_credentials.cc - src/cpp/server/server_posix.cc - src/cpp/thread_manager/thread_manager.cc - src/cpp/util/byte_buffer_cc.cc @@ -9363,7 +9374,9 @@ targets: - src/core/ext/transport/binder/wire_format/transaction.cc - src/core/ext/transport/binder/wire_format/wire_reader_impl.cc - src/core/ext/transport/binder/wire_format/wire_writer.cc + - src/cpp/client/call_credentials.cc - src/cpp/client/channel_cc.cc + - src/cpp/client/channel_credentials.cc - src/cpp/client/client_callback.cc - src/cpp/client/client_context.cc - src/cpp/client/client_interceptor.cc @@ -9380,7 +9393,6 @@ targets: - src/cpp/common/resource_quota_cc.cc - src/cpp/common/rpc_method.cc - src/cpp/common/secure_auth_context.cc - - src/cpp/common/secure_channel_arguments.cc - src/cpp/common/secure_create_auth_context.cc - src/cpp/common/tls_certificate_provider.cc - src/cpp/common/tls_certificate_verifier.cc 
@@ -9401,6 +9413,7 @@ targets: - src/cpp/server/server_callback.cc - src/cpp/server/server_cc.cc - src/cpp/server/server_context.cc + - src/cpp/server/server_credentials.cc - src/cpp/server/server_posix.cc - src/cpp/thread_manager/thread_manager.cc - src/cpp/util/byte_buffer_cc.cc @@ -19578,7 +19591,9 @@ targets: - src/core/ext/transport/binder/wire_format/transaction.cc - src/core/ext/transport/binder/wire_format/wire_reader_impl.cc - src/core/ext/transport/binder/wire_format/wire_writer.cc + - src/cpp/client/call_credentials.cc - src/cpp/client/channel_cc.cc + - src/cpp/client/channel_credentials.cc - src/cpp/client/client_callback.cc - src/cpp/client/client_context.cc - src/cpp/client/client_interceptor.cc @@ -19595,7 +19610,6 @@ targets: - src/cpp/common/resource_quota_cc.cc - src/cpp/common/rpc_method.cc - src/cpp/common/secure_auth_context.cc - - src/cpp/common/secure_channel_arguments.cc - src/cpp/common/secure_create_auth_context.cc - src/cpp/common/tls_certificate_provider.cc - src/cpp/common/tls_certificate_verifier.cc @@ -19616,6 +19630,7 @@ targets: - src/cpp/server/server_callback.cc - src/cpp/server/server_cc.cc - src/cpp/server/server_context.cc + - src/cpp/server/server_credentials.cc - src/cpp/server/server_posix.cc - src/cpp/thread_manager/thread_manager.cc - src/cpp/util/byte_buffer_cc.cc @@ -19953,7 +19968,9 @@ targets: - src/core/ext/transport/binder/wire_format/transaction.cc - src/core/ext/transport/binder/wire_format/wire_reader_impl.cc - src/core/ext/transport/binder/wire_format/wire_writer.cc + - src/cpp/client/call_credentials.cc - src/cpp/client/channel_cc.cc + - src/cpp/client/channel_credentials.cc - src/cpp/client/client_callback.cc - src/cpp/client/client_context.cc - src/cpp/client/client_interceptor.cc 
@@ -19970,7 +19987,6 @@ targets: - src/cpp/common/resource_quota_cc.cc - src/cpp/common/rpc_method.cc - src/cpp/common/secure_auth_context.cc - - src/cpp/common/secure_channel_arguments.cc - src/cpp/common/secure_create_auth_context.cc - src/cpp/common/tls_certificate_provider.cc - src/cpp/common/tls_certificate_verifier.cc @@ -19991,6 +20007,7 @@ targets: - src/cpp/server/server_callback.cc - src/cpp/server/server_cc.cc - src/cpp/server/server_context.cc + - src/cpp/server/server_credentials.cc - src/cpp/server/server_posix.cc - src/cpp/thread_manager/thread_manager.cc - src/cpp/util/byte_buffer_cc.cc @@ -20060,7 +20077,9 @@ targets: - src/core/ext/transport/binder/wire_format/transaction.cc - src/core/ext/transport/binder/wire_format/wire_reader_impl.cc - src/core/ext/transport/binder/wire_format/wire_writer.cc + - src/cpp/client/call_credentials.cc - src/cpp/client/channel_cc.cc + - src/cpp/client/channel_credentials.cc - src/cpp/client/client_callback.cc - src/cpp/client/client_context.cc - src/cpp/client/client_interceptor.cc @@ -20077,7 +20096,6 @@ targets: - src/cpp/common/resource_quota_cc.cc - src/cpp/common/rpc_method.cc - src/cpp/common/secure_auth_context.cc - - src/cpp/common/secure_channel_arguments.cc - src/cpp/common/secure_create_auth_context.cc - src/cpp/common/tls_certificate_provider.cc - src/cpp/common/tls_certificate_verifier.cc @@ -20098,6 +20116,7 @@ targets: - src/cpp/server/server_callback.cc - src/cpp/server/server_cc.cc - src/cpp/server/server_context.cc + - src/cpp/server/server_credentials.cc - src/cpp/server/server_posix.cc - src/cpp/thread_manager/thread_manager.cc - src/cpp/util/byte_buffer_cc.cc diff --git a/gRPC-C++.podspec b/gRPC-C++.podspec index 26f0d5ff40f..f527925e000 100644 --- a/gRPC-C++.podspec +++ b/gRPC-C++.podspec 
@@ -1345,7 +1345,9 @@ Pod::Spec.new do |s| 'src/core/tsi/transport_security.h', 'src/core/tsi/transport_security_grpc.h', 'src/core/tsi/transport_security_interface.h', + 'src/cpp/client/call_credentials.cc', 'src/cpp/client/channel_cc.cc', + 'src/cpp/client/channel_credentials.cc', 'src/cpp/client/client_callback.cc', 'src/cpp/client/client_context.cc', 'src/cpp/client/client_interceptor.cc', @@ -1367,7 +1369,6 @@ Pod::Spec.new do |s| 'src/cpp/common/rpc_method.cc', 'src/cpp/common/secure_auth_context.cc', 'src/cpp/common/secure_auth_context.h', - 'src/cpp/common/secure_channel_arguments.cc', 'src/cpp/common/secure_create_auth_context.cc', 'src/cpp/common/tls_certificate_provider.cc', 'src/cpp/common/tls_certificate_verifier.cc', @@ -1393,6 +1394,7 @@ Pod::Spec.new do |s| 'src/cpp/server/server_callback.cc', 'src/cpp/server/server_cc.cc', 'src/cpp/server/server_context.cc', + 'src/cpp/server/server_credentials.cc', 'src/cpp/server/server_posix.cc', 'src/cpp/server/thread_pool_interface.h', 'src/cpp/server/xds_server_builder.cc', diff --git a/include/grpcpp/security/credentials.h b/include/grpcpp/security/credentials.h index cdbdbaf396e..402dd9edb23 100644 --- a/include/grpcpp/security/credentials.h +++ b/include/grpcpp/security/credentials.h @@ -37,9 +37,10 @@ struct grpc_call; namespace grpc { class CallCredentials; -class SecureCallCredentials; -class SecureChannelCredentials; class ChannelCredentials; +namespace testing { +std::string GetOauth2AccessToken(); +} std::shared_ptr CreateCustomChannel( const grpc::string& target, 
@@ -68,26 +69,18 @@ std::shared_ptr XdsCredentials( /// \see https://grpc.io/docs/guides/auth.html class ChannelCredentials : private grpc::internal::GrpcLibrary { public: - protected: - friend std::shared_ptr CompositeChannelCredentials( - const std::shared_ptr& channel_creds, - const std::shared_ptr& call_creds); + ~ChannelCredentials() override; - // TODO(yashykt): We need this friend declaration mainly for access to - // AsSecureCredentials(). Once we are able to remove insecure builds from gRPC - // (and also internal dependencies on the indirect method of creating a - // channel through credentials), we would be able to remove this. - friend std::shared_ptr grpc::XdsCredentials( - const std::shared_ptr& fallback_creds); + protected: + explicit ChannelCredentials(grpc_channel_credentials* creds); - virtual SecureChannelCredentials* AsSecureCredentials() = 0; + grpc_channel_credentials* c_creds() { return c_creds_; } private: friend std::shared_ptr CreateCustomChannel( const grpc::string& target, const std::shared_ptr& creds, const grpc::ChannelArguments& args); - friend std::shared_ptr grpc::experimental::CreateCustomChannelWithInterceptors( const grpc::string& target, 
@@ -96,24 +89,23 @@ class ChannelCredentials : private grpc::internal::GrpcLibrary { std::vector> interceptor_creators); + friend std::shared_ptr CompositeChannelCredentials( + const std::shared_ptr& channel_creds, + const std::shared_ptr& call_creds); + friend class XdsChannelCredentialsImpl; virtual std::shared_ptr CreateChannelImpl( - const grpc::string& target, const ChannelArguments& args) = 0; + const grpc::string& target, const ChannelArguments& args) { + return CreateChannelWithInterceptors(target, args, {}); + } - // This function should have been a pure virtual function, but it is - // implemented as a virtual function so that it does not break API. virtual std::shared_ptr CreateChannelWithInterceptors( - const grpc::string& /*target*/, const ChannelArguments& /*args*/, + const grpc::string& target, const ChannelArguments& args, std::vector> - /*interceptor_creators*/) { - return nullptr; - } + interceptor_creators); - // TODO(yashkt): This is a hack that is needed since InsecureCredentials can - // not use grpc_channel_credentials internally and should be removed after - // insecure builds are removed from gRPC. - virtual bool IsInsecure() const { return false; } + grpc_channel_credentials* const c_creds_; }; /// A call credentials object encapsulates the state needed by a client to 
@@ -122,22 +114,24 @@ class ChannelCredentials : private grpc::internal::GrpcLibrary { /// \see https://grpc.io/docs/guides/auth.html class CallCredentials : private grpc::internal::GrpcLibrary { public: + ~CallCredentials() override; + /// Apply this instance's credentials to \a call. - virtual bool ApplyToCall(grpc_call* call) = 0; - virtual grpc::string DebugString() { - return "CallCredentials did not provide a debug string"; - } + bool ApplyToCall(grpc_call* call); + + grpc::string DebugString(); protected: + explicit CallCredentials(grpc_call_credentials* creds); + + private: friend std::shared_ptr CompositeChannelCredentials( const std::shared_ptr& channel_creds, const std::shared_ptr& call_creds); + friend class CompositeCallCredentialsImpl; + friend std::string grpc::testing::GetOauth2AccessToken(); - friend std::shared_ptr CompositeCallCredentials( - const std::shared_ptr& creds1, - const std::shared_ptr& creds2); - - virtual SecureCallCredentials* AsSecureCredentials() = 0; + grpc_call_credentials* c_creds_ = nullptr; }; /// Options used to build SslCredentials. diff --git a/include/grpcpp/security/server_credentials.h b/include/grpcpp/security/server_credentials.h index 850dd2b4880..fe8c546190d 100644 --- a/include/grpcpp/security/server_credentials.h +++ b/include/grpcpp/security/server_credentials.h @@ -34,7 +34,7 @@ namespace grpc { class Server; class ServerCredentials; -class SecureServerCredentials; + /// Options to create ServerCredentials with SSL struct SslServerCredentialsOptions { /// \warning Deprecated 
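Review bot: `friend std::string grpc::testing::GetOauth2AccessToken();`, together with the forward declaration of that function added to this public header, gives a test helper direct access to the private raw `grpc_call_credentials*`, so a test-only hook now ships in the installed API surface. If the helper only needs the pointer, a narrower route than befriending a `grpc::testing` free function from a public header (for example an accessor in a test-only header that derives from CallCredentials) would keep the public surface unchanged; that is a judgement call, but worth stating in the commit. Separately, `grpc_call_credentials* c_creds_ = nullptr;` is never left null — the only constructor, in call_credentials.cc, asserts non-null and always sets it — so `grpc_call_credentials* const c_creds_;` would match ChannelCredentials and make the invariant explicit. `DebugString()` also lost its comment; `/// Human-readable description of the wrapped core credentials, for logging.` would do.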
@@ -68,17 +68,22 @@ std::shared_ptr XdsServerCredentials( /// Wrapper around \a grpc_server_credentials, a way to authenticate a server. class ServerCredentials : private grpc::internal::GrpcLibrary { public: + ~ServerCredentials() override; + /// This method is not thread-safe and has to be called before the server is /// started. The last call to this function wins. virtual void SetAuthMetadataProcessor( - const std::shared_ptr& processor) = 0; + const std::shared_ptr& processor); + + protected: + explicit ServerCredentials(grpc_server_credentials* creds); + + grpc_server_credentials* c_creds() const { return c_creds_; } private: + // Needed for access to AddPortToServer. friend class Server; - - // We need this friend declaration for access to Insecure() and - // AsSecureServerCredentials(). When these two functions are no longer - // necessary, this friend declaration can be removed too. + // Needed for access to c_creds_. friend std::shared_ptr grpc::XdsServerCredentials( const std::shared_ptr& fallback_credentials); @@ -87,18 +92,9 @@ class ServerCredentials : private grpc::internal::GrpcLibrary { /// /// \return bound port number on success, 0 on failure. // TODO(dgq): the "port" part seems to be a misnomer. - virtual int AddPortToServer(const std::string& addr, grpc_server* server) = 0; - - // TODO(yashykt): This is a hack since InsecureServerCredentials() cannot use - // grpc_insecure_server_credentials_create() and should be removed after - // insecure builds are removed from gRPC. - virtual bool IsInsecure() const { return false; } - - // TODO(yashkt): This is a hack that should be removed once we remove insecure - // builds and the indirect method of adding ports to a server. - virtual SecureServerCredentials* AsSecureServerCredentials() { - return nullptr; - } + virtual int AddPortToServer(const std::string& addr, grpc_server* server); + + grpc_server_credentials* c_creds_; }; /// Builds SSL ServerCredentials given SSL specific options 
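Review bot: `explicit ServerCredentials(grpc_server_credentials* creds);` accepts nullptr (BinderServerCredentialsImpl passes it in binder_server_credentials.cc), yet `SetAuthMetadataProcessor` and `AddPortToServer` change from pure virtual to virtual-with-default, and the header says nothing about how those defaults behave when `c_creds_` is null; their bodies are in server_credentials.cc, which is not in this chunk, and presumably use the pointer. I would document the contract on the constructor: `/// Takes ownership of one reference to \a creds (released in the destructor). Subclasses that pass nullptr must override AddPortToServer and SetAuthMetadataProcessor.` The `// Needed for access to c_creds_.` comment on the XdsServerCredentials friend is a good pattern; the friend declarations added to ChannelCredentials and CallCredentials in credentials.h would benefit from the same. The class declaration starts before this hunk.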
diff --git a/include/grpcpp/support/channel_arguments.h b/include/grpcpp/support/channel_arguments.h index bfda5a69760..a149a6d72ba 100644 --- a/include/grpcpp/support/channel_arguments.h +++ b/include/grpcpp/support/channel_arguments.h @@ -28,7 +28,7 @@ #include namespace grpc { -class SecureChannelCredentials; +class ChannelCredentials; namespace testing { class ChannelArgumentsTest; } // namespace testing @@ -120,7 +120,7 @@ class ChannelArguments { } private: - friend class grpc::SecureChannelCredentials; + friend class grpc::ChannelCredentials; friend class grpc::testing::ChannelArgumentsTest; /// Default pointer argument operations. diff --git a/src/core/ext/transport/binder/server/binder_server_credentials.cc b/src/core/ext/transport/binder/server/binder_server_credentials.cc index 56440f9d27e..03bbe6229e1 100644 --- a/src/core/ext/transport/binder/server/binder_server_credentials.cc +++ b/src/core/ext/transport/binder/server/binder_server_credentials.cc @@ -32,7 +32,7 @@ class BinderServerCredentialsImpl final : public ServerCredentials { explicit BinderServerCredentialsImpl( std::shared_ptr security_policy) - : security_policy_(security_policy) {} + : ServerCredentials(nullptr), security_policy_(security_policy) {} #ifdef GPR_SUPPORT_BINDER_TRANSPORT int AddPortToServer(const std::string& addr, grpc_server* server) override { return grpc_core::AddBinderPort( @@ -50,14 +50,7 @@ class BinderServerCredentialsImpl final : public ServerCredentials { } #endif // GPR_SUPPORT_BINDER_TRANSPORT - void SetAuthMetadataProcessor( - const std::shared_ptr& /*processor*/) override { - grpc_core::Crash("unreachable"); - } - private: - bool IsInsecure() const override { return true; } - std::shared_ptr security_policy_; }; diff --git a/src/cpp/client/call_credentials.cc b/src/cpp/client/call_credentials.cc new file mode 100644 index 00000000000..0badb7a7efc --- /dev/null +++ b/src/cpp/client/call_credentials.cc 
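Review bot: Removing the `SetAuthMetadataProcessor` override that called `grpc_core::Crash("unreachable")` from BinderServerCredentialsImpl, while the previous hunk now passes `nullptr` to `ServerCredentials`, means a call to `SetAuthMetadataProcessor` on binder credentials reaches the base default in server_credentials.cc (not in this chunk) with a null `c_creds_`. Unless that default checks for null, an explicit crash becomes a null dereference; either keep the override, `void SetAuthMetadataProcessor(const std::shared_ptr<AuthMetadataProcessor>&) override { grpc_core::Crash("unreachable"); }`, or have the base implementation assert `c_creds_ != nullptr` before using it. The class body starts before the first binder hunk, and the `#ifdef GPR_SUPPORT_BINDER_TRANSPORT` branch that overrides `AddPortToServer` is only partly visible.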
@@ -0,0 +1,39 @@
+// Copyright 2024 The gRPC Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#include
+
+#include "absl/strings/str_cat.h"
+
+#include
+
+#include "src/core/lib/security/credentials/credentials.h"
+
+namespace grpc {
+
+CallCredentials::CallCredentials(grpc_call_credentials* c_creds)
+ : c_creds_(c_creds) {
+ GPR_ASSERT(c_creds != nullptr);
+}
+
+CallCredentials::~CallCredentials() { grpc_call_credentials_release(c_creds_); }
+
+grpc::string CallCredentials::DebugString() {
+ return absl::StrCat("CallCredentials{", c_creds_->debug_string(), "}");
+}
+
+bool CallCredentials::ApplyToCall(grpc_call* call) {
+ return grpc_call_set_credentials(call, c_creds_) == GRPC_CALL_OK;
+}
+
+} // namespace grpc
diff --git a/src/cpp/client/channel_credentials.cc b/src/cpp/client/channel_credentials.cc
new file mode 100644
index 00000000000..aa3deffa1d4
--- /dev/null
+++ b/src/cpp/client/channel_credentials.cc
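Review bot: The constructor `CallCredentials::CallCredentials(grpc_call_credentials* c_creds)` takes ownership of the reference it is handed — the destructor calls `grpc_call_credentials_release(c_creds_)` — and rejects nullptr with `GPR_ASSERT`, but neither the definition nor the header says so, and this differs from `ChannelCredentials` in channel_credentials.cc, which stores nullptr silently. I would add `// Takes ownership of one ref to c_creds; released in the destructor.` above the constructor. `ApplyToCall` maps every status other than `GRPC_CALL_OK` to `false`, so a caller cannot tell why attaching credentials failed; a comment stating that the error code is deliberately dropped, or a debug-level log of it, would make that explicit.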
@@ -0,0 +1,47 @@ +// Copyright 2024 The gRPC Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +#include + +#include +#include +#include + +#include +#include +#include +#include + +namespace grpc { + +ChannelCredentials::ChannelCredentials(grpc_channel_credentials* c_creds) + : c_creds_(c_creds) {} + +ChannelCredentials::~ChannelCredentials() { + grpc_channel_credentials_release(c_creds_); +} + +std::shared_ptr ChannelCredentials::CreateChannelWithInterceptors( + const std::string& target, const ChannelArguments& args, + std::vector< + std::unique_ptr> + interceptor_creators) { + grpc_channel_args channel_args; + args.SetChannelArgs(&channel_args); + return grpc::CreateChannelInternal( + args.GetSslTargetNameOverride(), + grpc_channel_create(target.c_str(), c_creds_, &channel_args), + std::move(interceptor_creators)); +} + +} // namespace grpc diff --git a/src/cpp/client/cronet_credentials.cc b/src/cpp/client/cronet_credentials.cc index feba455278f..da133a62f9c 100644 --- a/src/cpp/client/cronet_credentials.cc +++ b/src/cpp/client/cronet_credentials.cc 
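Review bot: The default `CreateChannelWithInterceptors` passes `c_creds_` straight to `grpc_channel_create`, but this commit also introduces subclasses built with `ChannelCredentials(nullptr)` (Cronet, chaotic-good); those override the method, yet nothing in the base documents that a nullptr-constructed subclass must do so. A `GPR_ASSERT(c_creds_ != nullptr);` at the top of the method would turn a forgotten override into an immediate failure rather than a null credentials pointer reaching core (whether core rejects that or returns a lame channel is not visible here). Also document the ownership on the constructor: `// Takes ownership of one reference to c_creds; nullptr is allowed only for subclasses that override channel creation.`.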
@@ -35,17 +35,8 @@ namespace grpc { class CronetChannelCredentialsImpl final : public ChannelCredentials { public: - explicit CronetChannelCredentialsImpl(void* engine) : engine_(engine) {} - - std::shared_ptr CreateChannelImpl( - const string& target, const grpc::ChannelArguments& args) override { - return CreateChannelWithInterceptors( - target, args, - std::vector>()); - } - - SecureChannelCredentials* AsSecureCredentials() override { return nullptr; } + explicit CronetChannelCredentialsImpl(void* engine) + : ChannelCredentials(nullptr), engine_(engine) {} private: std::shared_ptr CreateChannelWithInterceptors( @@ -61,6 +52,7 @@ class CronetChannelCredentialsImpl final : public ChannelCredentials { &channel_args, nullptr), std::move(interceptor_creators)); } + void* engine_; }; diff --git a/src/cpp/client/insecure_credentials.cc b/src/cpp/client/insecure_credentials.cc index 3916f1ca0be..0f3d000bd29 100644 --- a/src/cpp/client/insecure_credentials.cc +++ b/src/cpp/client/insecure_credentials.cc @@ -16,9 +16,6 @@ // // #include -#include -#include -#include #include #include 
@@ -27,21 +24,14 @@ #include #include -#include "src/cpp/client/create_channel_internal.h" - namespace grpc { - namespace { class InsecureChannelCredentialsImpl final : public ChannelCredentials { public: - std::shared_ptr CreateChannelImpl( - const std::string& target, const ChannelArguments& args) override { - return CreateChannelWithInterceptors( - target, args, - std::vector>()); - } + InsecureChannelCredentialsImpl() + : ChannelCredentials(grpc_insecure_credentials_create()) {} + private: std::shared_ptr CreateChannelWithInterceptors( const std::string& target, const ChannelArguments& args, std::vector channel = grpc::CreateChannelInternal( - "", grpc_channel_create(target.c_str(), creds, &channel_args), + return grpc::CreateChannelInternal( + "", grpc_channel_create(target.c_str(), c_creds(), &channel_args), std::move(interceptor_creators)); - grpc_channel_credentials_release(creds); - return channel; } - - SecureChannelCredentials* AsSecureCredentials() override { return nullptr; } - - private: - bool IsInsecure() const override { return true; } }; } // namespace std::shared_ptr InsecureChannelCredentials() { - return std::shared_ptr( - new InsecureChannelCredentialsImpl()); + return std::make_shared(); } } // namespace grpc diff --git a/src/cpp/client/secure_credentials.cc b/src/cpp/client/secure_credentials.cc index 00b3ee266ab..913378a2ee9 100644 --- a/src/cpp/client/secure_credentials.cc +++ b/src/cpp/client/secure_credentials.cc @@ -20,8 +20,8 @@ #include -#include #include +#include #include #include "absl/status/status.h" @@ -30,6 +30,7 @@ #include "absl/types/optional.h" #include +#include #include #include #include 
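Review bot: `InsecureChannelCredentialsImpl::CreateChannelWithInterceptors` now duplicates the base-class implementation added in this commit except that it passes `""` instead of `args.GetSslTargetNameOverride()` as the host override; if that difference is intentional a comment should say so, otherwise the override can be dropped and the base used. Suggest `// Insecure channels have no TLS handshake, so the SSL target-name override is deliberately ignored.` if the override is kept.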
@@ -47,73 +48,44 @@ #include "src/core/lib/event_engine/default_event_engine.h" #include "src/core/lib/gprpp/env.h" #include "src/core/lib/gprpp/load_file.h" -#include "src/core/lib/gprpp/status_helper.h" -#include "src/core/lib/iomgr/error.h" #include "src/core/lib/json/json.h" #include "src/core/lib/json/json_reader.h" #include "src/core/lib/security/util/json_util.h" -#include "src/cpp/client/create_channel_internal.h" #include "src/cpp/common/secure_auth_context.h" +#include "src/cpp/server/thread_pool_interface.h" namespace grpc { -SecureChannelCredentials::SecureChannelCredentials( - grpc_channel_credentials* c_creds) - : c_creds_(c_creds) {} - -std::shared_ptr SecureChannelCredentials::CreateChannelImpl( - const std::string& target, const ChannelArguments& args) { - return CreateChannelWithInterceptors( - target, args, - std::vector>()); -} - -std::shared_ptr -SecureChannelCredentials::CreateChannelWithInterceptors( - const std::string& target, const ChannelArguments& args, - std::vector< - std::unique_ptr> - interceptor_creators) { - grpc_channel_args channel_args; - args.SetChannelArgs(&channel_args); - return grpc::CreateChannelInternal( - args.GetSslTargetNameOverride(), - grpc_channel_create(target.c_str(), c_creds_, &channel_args), - std::move(interceptor_creators)); -} - -SecureCallCredentials::SecureCallCredentials(grpc_call_credentials* c_creds) - : c_creds_(c_creds) {} +namespace { +class WrappedCallCredentials : public CallCredentials { + public: + explicit WrappedCallCredentials(grpc_call_credentials* creds) + : CallCredentials(creds) {} +}; -bool SecureCallCredentials::ApplyToCall(grpc_call* call) { - return grpc_call_set_credentials(call, c_creds_) == GRPC_CALL_OK; +std::shared_ptr WrapCallCredentials( + grpc_call_credentials* creds) { + return creds == nullptr ? 
nullptr + : std::make_shared(creds); } -namespace internal { +class WrappedChannelCredentials final : public ChannelCredentials { + public: + explicit WrappedChannelCredentials(grpc_channel_credentials* c_creds) + : ChannelCredentials(c_creds) {} +}; -std::shared_ptr WrapChannelCredentials( +std::shared_ptr WrapChannelCredentials( grpc_channel_credentials* creds) { return creds == nullptr ? nullptr - : std::shared_ptr( - new SecureChannelCredentials(creds)); + : std::make_shared(creds); } -} // namespace internal - -namespace { - -std::shared_ptr WrapCallCredentials( - grpc_call_credentials* creds) { - return creds == nullptr ? nullptr - : std::shared_ptr( - new SecureCallCredentials(creds)); -} } // namespace std::shared_ptr GoogleDefaultCredentials() { grpc::internal::GrpcLibrary init; // To call grpc_init(). - return internal::WrapChannelCredentials( + return WrapChannelCredentials( grpc_google_default_credentials_create(nullptr)); } @@ -130,12 +102,10 @@ std::shared_ptr SslCredentials( grpc::internal::GrpcLibrary init; // To call grpc_init(). grpc_ssl_pem_key_cert_pair pem_key_cert_pair = { options.pem_private_key.c_str(), options.pem_cert_chain.c_str()}; - - grpc_channel_credentials* c_creds = grpc_ssl_credentials_create( + return WrapChannelCredentials(grpc_ssl_credentials_create( options.pem_root_certs.empty() ? nullptr : options.pem_root_certs.c_str(), options.pem_private_key.empty() ? nullptr : &pem_key_cert_pair, nullptr, - nullptr); - return internal::WrapChannelCredentials(c_creds); + nullptr)); } namespace experimental { 
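Review bot: `WrappedCallCredentials` is not marked `final` while its sibling `WrappedChannelCredentials` is; the two private wrappers serve the same purpose and should be declared alike, `class WrappedCallCredentials final : public CallCredentials {`. Both wrappers also deserve a one-line comment stating that they take over the single reference returned by the `grpc_*_credentials_create` calls, since the release in the base destructor is the only thing that balances it.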
@@ -259,21 +229,6 @@ std::shared_ptr StsCredentials( return WrapCallCredentials(grpc_sts_credentials_create(&opts, nullptr)); } -std::shared_ptr MetadataCredentialsFromPlugin( - std::unique_ptr plugin, - grpc_security_level min_security_level) { - grpc::internal::GrpcLibrary init; // To call grpc_init(). - const char* type = plugin->GetType(); - grpc::MetadataCredentialsPluginWrapper* wrapper = - new grpc::MetadataCredentialsPluginWrapper(std::move(plugin)); - grpc_metadata_credentials_plugin c_plugin = { - grpc::MetadataCredentialsPluginWrapper::GetMetadata, - grpc::MetadataCredentialsPluginWrapper::DebugString, - grpc::MetadataCredentialsPluginWrapper::Destroy, wrapper, type}; - return WrapCallCredentials(grpc_metadata_credentials_create_from_plugin( - c_plugin, min_security_level, nullptr)); -} - // Builds ALTS Credentials given ALTS specific options std::shared_ptr AltsCredentials( const AltsCredentialsOptions& options) { @@ -286,20 +241,20 @@ std::shared_ptr AltsCredentials( } grpc_channel_credentials* c_creds = grpc_alts_credentials_create(c_options); grpc_alts_credentials_options_destroy(c_options); - return internal::WrapChannelCredentials(c_creds); + return WrapChannelCredentials(c_creds); } // Builds Local Credentials std::shared_ptr LocalCredentials( grpc_local_connect_type type) { grpc::internal::GrpcLibrary init; // To call grpc_init(). - return internal::WrapChannelCredentials(grpc_local_credentials_create(type)); + return WrapChannelCredentials(grpc_local_credentials_create(type)); } // Builds TLS Credentials given TLS options. std::shared_ptr TlsCredentials( const TlsChannelCredentialsOptions& options) { - return internal::WrapChannelCredentials( + return WrapChannelCredentials( grpc_tls_credentials_create(options.c_credentials_options())); } 
@@ -361,93 +316,24 @@ std::shared_ptr CompositeChannelCredentials( // here. This is OK because the underlying C objects (i.e., channel_creds and // call_creds) into grpc_composite_credentials_create will see their refcounts // incremented. - SecureChannelCredentials* s_channel_creds = - channel_creds->AsSecureCredentials(); - SecureCallCredentials* s_call_creds = call_creds->AsSecureCredentials(); - if (s_channel_creds && s_call_creds) { - return internal::WrapChannelCredentials( - grpc_composite_channel_credentials_create( - s_channel_creds->GetRawCreds(), s_call_creds->GetRawCreds(), - nullptr)); - } - return nullptr; + return channel_creds->c_creds_ == nullptr + ? nullptr + : WrapChannelCredentials(grpc_composite_channel_credentials_create( + channel_creds->c_creds_, call_creds->c_creds_, nullptr)); } +class CompositeCallCredentialsImpl : public CallCredentials { + public: + CompositeCallCredentialsImpl(const std::shared_ptr& creds1, + const std::shared_ptr& creds2) + : CallCredentials(grpc_composite_call_credentials_create( + creds1->c_creds_, creds2->c_creds_, nullptr)) {} +}; + std::shared_ptr CompositeCallCredentials( const std::shared_ptr& creds1, const std::shared_ptr& creds2) { - SecureCallCredentials* s_creds1 = creds1->AsSecureCredentials(); - SecureCallCredentials* s_creds2 = creds2->AsSecureCredentials(); - if (s_creds1 != nullptr && s_creds2 != nullptr) { - return WrapCallCredentials(grpc_composite_call_credentials_create( - s_creds1->GetRawCreds(), s_creds2->GetRawCreds(), nullptr)); - } - return nullptr; -} - -std::shared_ptr MetadataCredentialsFromPlugin( - std::unique_ptr plugin) { - grpc::internal::GrpcLibrary init; // To call grpc_init(). 
- const char* type = plugin->GetType(); - grpc::MetadataCredentialsPluginWrapper* wrapper = - new grpc::MetadataCredentialsPluginWrapper(std::move(plugin)); - grpc_metadata_credentials_plugin c_plugin = { - grpc::MetadataCredentialsPluginWrapper::GetMetadata, - grpc::MetadataCredentialsPluginWrapper::DebugString, - grpc::MetadataCredentialsPluginWrapper::Destroy, wrapper, type}; - return WrapCallCredentials(grpc_metadata_credentials_create_from_plugin( - c_plugin, GRPC_PRIVACY_AND_INTEGRITY, nullptr)); -} - -char* MetadataCredentialsPluginWrapper::DebugString(void* wrapper) { - GPR_ASSERT(wrapper); - MetadataCredentialsPluginWrapper* w = - static_cast(wrapper); - return gpr_strdup(w->plugin_->DebugString().c_str()); -} - -void MetadataCredentialsPluginWrapper::Destroy(void* wrapper) { - if (wrapper == nullptr) return; - grpc_event_engine::experimental::GetDefaultEventEngine()->Run([wrapper] { - grpc_core::ApplicationCallbackExecCtx callback_exec_ctx; - grpc_core::ExecCtx exec_ctx; - delete static_cast(wrapper); - }); -} - -int MetadataCredentialsPluginWrapper::GetMetadata( - void* wrapper, grpc_auth_metadata_context context, - grpc_credentials_plugin_metadata_cb cb, void* user_data, - grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX], - size_t* num_creds_md, grpc_status_code* status, - const char** error_details) { - GPR_ASSERT(wrapper); - MetadataCredentialsPluginWrapper* w = - static_cast(wrapper); - if (!w->plugin_) { - *num_creds_md = 0; - *status = GRPC_STATUS_OK; - *error_details = nullptr; - return 1; - } - if (w->plugin_->IsBlocking()) { - // The internals of context may be destroyed if GetMetadata is cancelled. - // Make a copy for InvokePlugin. - grpc_auth_metadata_context context_copy = grpc_auth_metadata_context(); - grpc_auth_metadata_context_copy(&context, &context_copy); - // Asynchronous return. 
- w->thread_pool_->Add([w, context_copy, cb, user_data]() mutable { - w->MetadataCredentialsPluginWrapper::InvokePlugin( - context_copy, cb, user_data, nullptr, nullptr, nullptr, nullptr); - grpc_auth_metadata_context_reset(&context_copy); - }); - return 0; - } else { - // Synchronous return. - w->InvokePlugin(context, cb, user_data, creds_md, num_creds_md, status, - error_details); - return 1; - } + return std::make_shared(creds1, creds2); } namespace { 
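Review bot: `CompositeChannelCredentials` no longer refuses to combine call credentials with an insecure channel, since `InsecureChannelCredentials` now carries real core credentials and only a null `c_creds_` is rejected; presumably the security-level check in core's composite credentials is what now prevents call credentials from being sent over an insecure transport, and that reliance should be stated next to the existing comment, e.g. `// Security gating (call creds that require privacy and integrity) is enforced by core, not here.`. `CompositeCallCredentialsImpl` dereferences `creds1` and `creds2` in its initializer without a null check; the old code did the same, but a `GPR_ASSERT(creds1 != nullptr && creds2 != nullptr);` in `CompositeCallCredentials` before the `make_shared` would give a clearer failure than a null dereference. The hunk begins mid-function.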
@@ -459,61 +345,147 @@ void UnrefMetadata(const std::vector& md) { } } -} // namespace - -void MetadataCredentialsPluginWrapper::InvokePlugin( - grpc_auth_metadata_context context, grpc_credentials_plugin_metadata_cb cb, - void* user_data, grpc_metadata creds_md[4], size_t* num_creds_md, - grpc_status_code* status_code, const char** error_details) { - std::multimap metadata; - - // const_cast is safe since the SecureAuthContext only inc/dec the refcount - // and the object is passed as a const ref to plugin_->GetMetadata. - SecureAuthContext cpp_channel_auth_context( - const_cast(context.channel_auth_context)); - - Status status = plugin_->GetMetadata(context.service_url, context.method_name, - cpp_channel_auth_context, &metadata); - std::vector md; - for (auto& metadatum : metadata) { - grpc_metadata md_entry; - md_entry.key = SliceFromCopiedString(metadatum.first); - md_entry.value = SliceFromCopiedString(metadatum.second); - md.push_back(md_entry); +class MetadataCredentialsPluginWrapper final : private internal::GrpcLibrary { + public: + static void Destroy(void* wrapper) { + if (wrapper == nullptr) return; + grpc_event_engine::experimental::GetDefaultEventEngine()->Run([wrapper] { + grpc_core::ApplicationCallbackExecCtx callback_exec_ctx; + grpc_core::ExecCtx exec_ctx; + delete static_cast(wrapper); + }); } - if (creds_md != nullptr) { - // Synchronous return. 
- if (md.size() > GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX) { + + static int GetMetadata( + void* wrapper, grpc_auth_metadata_context context, + grpc_credentials_plugin_metadata_cb cb, void* user_data, + grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX], + size_t* num_creds_md, grpc_status_code* status, + const char** error_details) { + GPR_ASSERT(wrapper); + MetadataCredentialsPluginWrapper* w = + static_cast(wrapper); + if (!w->plugin_) { *num_creds_md = 0; - *status_code = GRPC_STATUS_INTERNAL; - *error_details = gpr_strdup( - "blocking plugin credentials returned too many metadata keys"); - UnrefMetadata(md); + *status = GRPC_STATUS_OK; + *error_details = nullptr; + return 1; + } + if (w->plugin_->IsBlocking()) { + // The internals of context may be destroyed if GetMetadata is cancelled. + // Make a copy for InvokePlugin. + grpc_auth_metadata_context context_copy = grpc_auth_metadata_context(); + grpc_auth_metadata_context_copy(&context, &context_copy); + // Asynchronous return. + // TODO(hork): replace with EventEngine::Run + w->thread_pool_->Add([w, context_copy, cb, user_data]() mutable { + w->MetadataCredentialsPluginWrapper::InvokePlugin( + context_copy, cb, user_data, nullptr, nullptr, nullptr, nullptr); + grpc_auth_metadata_context_reset(&context_copy); + }); + return 0; } else { - for (const auto& elem : md) { - creds_md[*num_creds_md].key = elem.key; - creds_md[*num_creds_md].value = elem.value; - ++(*num_creds_md); + // Synchronous return. 
+ w->InvokePlugin(context, cb, user_data, creds_md, num_creds_md, status, + error_details); + return 1; + } + } + + static char* DebugString(void* wrapper) { + GPR_ASSERT(wrapper); + MetadataCredentialsPluginWrapper* w = + static_cast(wrapper); + return gpr_strdup(w->plugin_->DebugString().c_str()); + } + + explicit MetadataCredentialsPluginWrapper( + std::unique_ptr plugin) + : plugin_(std::move(plugin)) { + if (plugin_->IsBlocking()) { + thread_pool_.reset(CreateDefaultThreadPool()); + } + } + + private: + void InvokePlugin( + grpc_auth_metadata_context context, + grpc_credentials_plugin_metadata_cb cb, void* user_data, + grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX], + size_t* num_creds_md, grpc_status_code* status_code, + const char** error_details) { + std::multimap metadata; + + // const_cast is safe since the SecureAuthContext only inc/dec the refcount + // and the object is passed as a const ref to plugin_->GetMetadata. + SecureAuthContext cpp_channel_auth_context( + const_cast(context.channel_auth_context)); + + Status status = + plugin_->GetMetadata(context.service_url, context.method_name, + cpp_channel_auth_context, &metadata); + std::vector md; + for (auto& metadatum : metadata) { + grpc_metadata md_entry; + md_entry.key = SliceFromCopiedString(metadatum.first); + md_entry.value = SliceFromCopiedString(metadatum.second); + md.push_back(md_entry); + } + if (creds_md != nullptr) { + // Synchronous return. + if (md.size() > GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX) { + *num_creds_md = 0; + *status_code = GRPC_STATUS_INTERNAL; + *error_details = gpr_strdup( + "blocking plugin credentials returned too many metadata keys"); + UnrefMetadata(md); + } else { + for (const auto& elem : md) { + creds_md[*num_creds_md].key = elem.key; + creds_md[*num_creds_md].value = elem.value; + ++(*num_creds_md); + } + *status_code = static_cast(status.error_code()); + *error_details = + status.ok() ? 
nullptr : gpr_strdup(status.error_message().c_str()); } - *status_code = static_cast(status.error_code()); - *error_details = - status.ok() ? nullptr : gpr_strdup(status.error_message().c_str()); + } else { + // Asynchronous return. + cb(user_data, md.empty() ? nullptr : &md[0], md.size(), + static_cast(status.error_code()), + status.error_message().c_str()); + UnrefMetadata(md); } - } else { - // Asynchronous return. - cb(user_data, md.empty() ? nullptr : &md[0], md.size(), - static_cast(status.error_code()), - status.error_message().c_str()); - UnrefMetadata(md); } + + std::unique_ptr thread_pool_; + std::unique_ptr plugin_; +}; + +} // namespace + +namespace experimental { +std::shared_ptr MetadataCredentialsFromPlugin( + std::unique_ptr plugin, + grpc_security_level min_security_level) { + grpc::internal::GrpcLibrary init; // To call grpc_init(). + const char* type = plugin->GetType(); + MetadataCredentialsPluginWrapper* wrapper = + new MetadataCredentialsPluginWrapper(std::move(plugin)); + grpc_metadata_credentials_plugin c_plugin = { + MetadataCredentialsPluginWrapper::GetMetadata, + MetadataCredentialsPluginWrapper::DebugString, + MetadataCredentialsPluginWrapper::Destroy, wrapper, type}; + return WrapCallCredentials(grpc_metadata_credentials_create_from_plugin( + c_plugin, min_security_level, nullptr)); } -MetadataCredentialsPluginWrapper::MetadataCredentialsPluginWrapper( - std::unique_ptr plugin) - : plugin_(std::move(plugin)) { - if (plugin_->IsBlocking()) { - thread_pool_.reset(CreateDefaultThreadPool()); - } +} // namespace experimental + +std::shared_ptr MetadataCredentialsFromPlugin( + std::unique_ptr plugin) { + return experimental::MetadataCredentialsFromPlugin( + std::move(plugin), GRPC_PRIVACY_AND_INTEGRITY); } } // namespace grpc diff --git a/src/cpp/client/secure_credentials.h b/src/cpp/client/secure_credentials.h index e969736f8b7..92460c58457 100644 --- a/src/cpp/client/secure_credentials.h +++ b/src/cpp/client/secure_credentials.h 
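Review bot: In `experimental::MetadataCredentialsFromPlugin` the `wrapper` allocated with `new` is only freed through `MetadataCredentialsPluginWrapper::Destroy`, so it leaks if `grpc_metadata_credentials_create_from_plugin` returns nullptr without invoking the destroy callback; whether core guarantees that callback on failure is not visible here, and the contract should be recorded on the `new` line, `// Ownership passes to core via c_plugin.destroy; core must invoke it even when creation fails.`. The wrapper code itself is moved from the old free-standing member definitions, so the point is documentation rather than a regression. The hunk starts inside `UnrefMetadata`.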
@@ -19,14 +19,6 @@ #ifndef GRPC_SRC_CPP_CLIENT_SECURE_CREDENTIALS_H #define GRPC_SRC_CPP_CLIENT_SECURE_CREDENTIALS_H -#include - -#include -#include -#include - -#include "absl/strings/str_cat.h" - #include #include #include 
@@ -35,65 +27,9 @@ #include #include #include -// TODO(yashykt): We shouldn't be including "src/core" headers. -#include "src/core/lib/iomgr/exec_ctx.h" -#include "src/core/lib/security/credentials/credentials.h" -#include "src/cpp/server/thread_pool_interface.h" namespace grpc { -class Channel; - -class SecureChannelCredentials final : public ChannelCredentials { - public: - explicit SecureChannelCredentials(grpc_channel_credentials* c_creds); - ~SecureChannelCredentials() override { - grpc_core::ExecCtx exec_ctx; - if (c_creds_ != nullptr) c_creds_->Unref(); - } - grpc_channel_credentials* GetRawCreds() { return c_creds_; } - - std::shared_ptr CreateChannelImpl( - const std::string& target, const ChannelArguments& args) override; - - SecureChannelCredentials* AsSecureCredentials() override { return this; } - - private: - std::shared_ptr CreateChannelWithInterceptors( - const std::string& target, const ChannelArguments& args, - std::vector> - interceptor_creators) override; - grpc_channel_credentials* const c_creds_; -}; - -class SecureCallCredentials final : public CallCredentials { - public: - explicit SecureCallCredentials(grpc_call_credentials* c_creds); - ~SecureCallCredentials() override { - grpc_core::ExecCtx exec_ctx; - if (c_creds_ != nullptr) c_creds_->Unref(); - } - grpc_call_credentials* GetRawCreds() { return c_creds_; } - - bool ApplyToCall(grpc_call* call) override; - SecureCallCredentials* AsSecureCredentials() override { return this; } - std::string DebugString() override { - return absl::StrCat("SecureCallCredentials{", - std::string(c_creds_->debug_string()), "}"); - } - - private: - grpc_call_credentials* const c_creds_; -}; - -namespace internal { - -std::shared_ptr WrapChannelCredentials( - grpc_channel_credentials* creds); - -} // namespace internal - namespace experimental { // Transforms C++ STS Credentials options to core options. The pointers of the 
@@ -104,29 +40,22 @@ grpc_sts_credentials_options StsCredentialsCppToCoreOptions( } // namespace experimental -class MetadataCredentialsPluginWrapper final : private internal::GrpcLibrary { +/// ---- DEPRECATED ---- +/// This type is going away. Prefer creating a subclass of +/// grpc::ChannelCredentials. +class SecureChannelCredentials final : public grpc::ChannelCredentials { public: - static void Destroy(void* wrapper); - static int GetMetadata( - void* wrapper, grpc_auth_metadata_context context, - grpc_credentials_plugin_metadata_cb cb, void* user_data, - grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX], - size_t* num_creds_md, grpc_status_code* status, - const char** error_details); - static char* DebugString(void* wrapper); - - explicit MetadataCredentialsPluginWrapper( - std::unique_ptr plugin); + explicit SecureChannelCredentials(grpc_channel_credentials* c_creds) + : ChannelCredentials(c_creds) {} +}; - private: - void InvokePlugin( - grpc_auth_metadata_context context, - grpc_credentials_plugin_metadata_cb cb, void* user_data, - grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX], - size_t* num_creds_md, grpc_status_code* status_code, - const char** error_details); - std::unique_ptr thread_pool_; - std::unique_ptr plugin_; +/// ---- DEPRECATED ---- +/// This type is going away. Prefer creating a subclass of +/// grpc::CallCredentials. +class SecureCallCredentials final : public grpc::CallCredentials { + public: + explicit SecureCallCredentials(grpc_call_credentials* c_creds) + : CallCredentials(c_creds) {} }; } // namespace grpc diff --git a/src/cpp/client/xds_credentials.cc b/src/cpp/client/xds_credentials.cc index 360d44c94b2..43a96108c8c 100644 --- a/src/cpp/client/xds_credentials.cc +++ b/src/cpp/client/xds_credentials.cc 
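Review bot: The two shim classes are flagged deprecated only in a `///` comment, which no compiler will surface to the callers the comment is aimed at; `class [[deprecated("Subclass grpc::ChannelCredentials instead")]] SecureChannelCredentials final : public grpc::ChannelCredentials {` (and likewise for `SecureCallCredentials`) would warn at each use while keeping the shim compiling. The comment could then also name the release in which the types go away, once that is decided.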
@@ -23,24 +23,21 @@ #include #include -#include "src/cpp/client/secure_credentials.h" - namespace grpc { +class XdsChannelCredentialsImpl final : public ChannelCredentials { + public: + explicit XdsChannelCredentialsImpl( + const std::shared_ptr& fallback_creds) + : ChannelCredentials( + grpc_xds_credentials_create(fallback_creds->c_creds_)) { + GPR_ASSERT(fallback_creds->c_creds_ != nullptr); + } +}; std::shared_ptr XdsCredentials( const std::shared_ptr& fallback_creds) { GPR_ASSERT(fallback_creds != nullptr); - if (fallback_creds->IsInsecure()) { - grpc_channel_credentials* insecure_creds = - grpc_insecure_credentials_create(); - auto xds_creds = internal::WrapChannelCredentials( - grpc_xds_credentials_create(insecure_creds)); - grpc_channel_credentials_release(insecure_creds); - return xds_creds; - } else { - return internal::WrapChannelCredentials(grpc_xds_credentials_create( - fallback_creds->AsSecureCredentials()->GetRawCreds())); - } + return std::make_shared(fallback_creds); } namespace experimental { diff --git a/src/cpp/common/channel_arguments.cc b/src/cpp/common/channel_arguments.cc index b975b2e4edd..60f334ce3cf 100644 --- a/src/cpp/common/channel_arguments.cc +++ b/src/cpp/common/channel_arguments.cc @@ -217,4 +217,17 @@ void ChannelArguments::SetChannelArgs(grpc_channel_args* channel_args) const { } } +void ChannelArguments::SetSslTargetNameOverride(const std::string& name) { + SetString(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG, name); +} + +std::string ChannelArguments::GetSslTargetNameOverride() const { + for (unsigned int i = 0; i < args_.size(); i++) { + if (std::string(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) == args_[i].key) { + return args_[i].value.string; + } + } + return ""; +} + } // namespace grpc diff --git a/src/cpp/common/secure_channel_arguments.cc b/src/cpp/common/secure_channel_arguments.cc deleted file mode 100644 index 66e34506ffb..00000000000 --- a/src/cpp/common/secure_channel_arguments.cc +++ /dev/null 
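Review bot: In `XdsChannelCredentialsImpl` the `GPR_ASSERT(fallback_creds->c_creds_ != nullptr)` in the constructor body runs after the base initializer has already passed `fallback_creds->c_creds_` to `grpc_xds_credentials_create`, so a null fallback (Cronet or chaotic-good credentials, which this commit constructs with `ChannelCredentials(nullptr)`) reaches core before the check fires. Route the creation through a static helper that checks first; the `GPR_ASSERT(fallback_creds != nullptr)` on the factory's argument in `XdsCredentials` stays as is.
```cpp
class XdsChannelCredentialsImpl final : public ChannelCredentials {
 public:
  explicit XdsChannelCredentialsImpl(
      const std::shared_ptr<ChannelCredentials>& fallback_creds)
      : ChannelCredentials(CreateXdsCreds(fallback_creds)) {}

 private:
  // The check must precede the base-class initializer, which is why it lives
  // in a helper rather than in the constructor body.
  static grpc_channel_credentials* CreateXdsCreds(
      const std::shared_ptr<ChannelCredentials>& fallback_creds) {
    GPR_ASSERT(fallback_creds->c_creds_ != nullptr);
    return grpc_xds_credentials_create(fallback_creds->c_creds_);
  }
};
```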
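Review bot: `GetSslTargetNameOverride` reads `args_[i].value.string` as soon as the key matches, without checking `args_[i].type == GRPC_ARG_STRING`; an argument registered under the same key via `SetInt` or `SetPointer` would be read through the wrong union member. The code is moved from the deleted `secure_channel_arguments.cc`, but now that it lives in the generic file a guard `if (args_[i].type == GRPC_ARG_STRING && std::string(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) == args_[i].key) {` is cheap. A range-for over `args_` would also read better than the `unsigned int` index loop.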
@@ -1,41 +0,0 @@ -// -// -// Copyright 2015 gRPC authors. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// - -#include -#include - -#include -#include -#include - -namespace grpc { - -void ChannelArguments::SetSslTargetNameOverride(const std::string& name) { - SetString(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG, name); -} - -std::string ChannelArguments::GetSslTargetNameOverride() const { - for (unsigned int i = 0; i < args_.size(); i++) { - if (std::string(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) == args_[i].key) { - return args_[i].value.string; - } - } - return ""; -} - -} // namespace grpc diff --git a/src/cpp/ext/chaotic_good.cc b/src/cpp/ext/chaotic_good.cc index 4c9beac14e9..7268598118e 100644 --- a/src/cpp/ext/chaotic_good.cc +++ b/src/cpp/ext/chaotic_good.cc @@ -20,7 +20,6 @@ #include "src/core/ext/transport/chaotic_good/client/chaotic_good_connector.h" #include "src/core/ext/transport/chaotic_good/server/chaotic_good_server.h" -#include "src/core/lib/gprpp/crash.h" namespace grpc { 
@@ -29,11 +28,9 @@ namespace { class ChaoticGoodInsecureChannelCredentialsImpl final : public ChannelCredentials { public: - std::shared_ptr CreateChannelImpl( - const grpc::string& target, const grpc::ChannelArguments& args) override { - return CreateChannelWithInterceptors(target, args, {}); - } + ChaoticGoodInsecureChannelCredentialsImpl() : ChannelCredentials(nullptr) {} + private: std::shared_ptr CreateChannelWithInterceptors( const grpc::string& target, const grpc::ChannelArguments& args, std::vector< @@ -46,24 +43,16 @@ class ChaoticGoodInsecureChannelCredentialsImpl final std::move(interceptor_creators)); return channel; } - - SecureChannelCredentials* AsSecureCredentials() override { return nullptr; } - - private: - bool IsInsecure() const override { return true; } }; class ChaoticGoodInsecureServerCredentialsImpl final : public ServerCredentials { public: + ChaoticGoodInsecureServerCredentialsImpl() : ServerCredentials(nullptr) {} + int AddPortToServer(const std::string& addr, grpc_server* server) override { return grpc_server_add_chaotic_good_port(server, addr.c_str()); } - - void SetAuthMetadataProcessor( - const std::shared_ptr&) override { - grpc_core::Crash("Not supported on insecure server credentials"); - } }; } // namespace diff --git a/src/cpp/server/insecure_server_credentials.cc b/src/cpp/server/insecure_server_credentials.cc index 920fe3a1a55..ed14ac3def9 100644 --- a/src/cpp/server/insecure_server_credentials.cc +++ b/src/cpp/server/insecure_server_credentials.cc @@ -17,7 +17,6 @@ // #include -#include #include #include 
@@ -29,27 +28,13 @@ namespace grpc { namespace { class InsecureServerCredentialsImpl final : public ServerCredentials { public: - int AddPortToServer(const std::string& addr, grpc_server* server) override { - grpc_server_credentials* server_creds = - grpc_insecure_server_credentials_create(); - int result = grpc_server_add_http2_port(server, addr.c_str(), server_creds); - grpc_server_credentials_release(server_creds); - return result; - } - void SetAuthMetadataProcessor( - const std::shared_ptr& processor) override { - (void)processor; - GPR_ASSERT(0); // Should not be called on InsecureServerCredentials. - } - - private: - bool IsInsecure() const override { return true; } + InsecureServerCredentialsImpl() + : ServerCredentials(grpc_insecure_server_credentials_create()) {} }; } // namespace std::shared_ptr InsecureServerCredentials() { - return std::shared_ptr( - new InsecureServerCredentialsImpl()); + return std::make_shared(); } } // namespace grpc diff --git a/src/cpp/server/secure_server_credentials.cc b/src/cpp/server/secure_server_credentials.cc index fd198898d2f..4a68e8e33c2 100644 --- a/src/cpp/server/secure_server_credentials.cc +++ b/src/cpp/server/secure_server_credentials.cc @@ -18,8 +18,6 @@ #include "src/cpp/server/secure_server_credentials.h" -#include -#include #include #include #include @@ -51,6 +49,7 @@ void AuthMetadataProcessorAsyncWrapper::Process( return; } if (w->processor_->IsBlocking()) { + // TODO(hork): replace with EventEngine::Run w->thread_pool_->Add([w, context, md, num_md, cb, user_data] { w->AuthMetadataProcessorAsyncWrapper::InvokeProcessor(context, md, num_md, cb, user_data); 
@@ -97,17 +96,15 @@ void AuthMetadataProcessorAsyncWrapper::InvokeProcessor( status.error_message().c_str()); } -int SecureServerCredentials::AddPortToServer(const std::string& addr, - grpc_server* server) { - return grpc_server_add_http2_port(server, addr.c_str(), creds_); -} +SecureServerCredentials::SecureServerCredentials(grpc_server_credentials* creds) + : ServerCredentials(creds) {} void SecureServerCredentials::SetAuthMetadataProcessor( const std::shared_ptr& processor) { auto* wrapper = new grpc::AuthMetadataProcessorAsyncWrapper(processor); grpc_server_credentials_set_auth_metadata_processor( - creds_, {grpc::AuthMetadataProcessorAsyncWrapper::Process, - grpc::AuthMetadataProcessorAsyncWrapper::Destroy, wrapper}); + c_creds(), {grpc::AuthMetadataProcessorAsyncWrapper::Process, + grpc::AuthMetadataProcessorAsyncWrapper::Destroy, wrapper}); } std::shared_ptr SslServerCredentials( diff --git a/src/cpp/server/secure_server_credentials.h b/src/cpp/server/secure_server_credentials.h index a62e51f2c24..3167b257a4b 100644 --- a/src/cpp/server/secure_server_credentials.h +++ b/src/cpp/server/secure_server_credentials.h @@ -19,10 +19,7 @@ #ifndef GRPC_SRC_CPP_SERVER_SECURE_SERVER_CREDENTIALS_H #define GRPC_SRC_CPP_SERVER_SECURE_SERVER_CREDENTIALS_H -#include - #include -#include #include #include @@ -32,9 +29,6 @@ #include "src/cpp/server/thread_pool_interface.h" namespace grpc { - -class SecureServerCredentials; - class AuthMetadataProcessorAsyncWrapper final { public: static void Destroy(void* wrapper); 
@@ -59,25 +53,18 @@ class AuthMetadataProcessorAsyncWrapper final { std::shared_ptr processor_; }; +// TODO(hork): Remove this class once we either (a) allow AuthMetadataProcessor +// to be used with any creds type as requested in #21589 or (b) find a way to +// remove AuthMetadataProcessor in favor of some new server-side interception +// API. class SecureServerCredentials final : public ServerCredentials { public: - explicit SecureServerCredentials(grpc_server_credentials* creds) - : creds_(creds) {} - ~SecureServerCredentials() override { - grpc_server_credentials_release(creds_); - } - - int AddPortToServer(const std::string& addr, grpc_server* server) override; + explicit SecureServerCredentials(grpc_server_credentials* creds); void SetAuthMetadataProcessor( const std::shared_ptr& processor) override; - grpc_server_credentials* c_creds() { return creds_; } - private: - SecureServerCredentials* AsSecureServerCredentials() override { return this; } - - grpc_server_credentials* creds_; std::unique_ptr processor_; }; diff --git a/src/cpp/server/server_credentials.cc b/src/cpp/server/server_credentials.cc new file mode 100644 index 00000000000..68eece06c26 --- /dev/null +++ b/src/cpp/server/server_credentials.cc 
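Review bot: The `processor_` unique_ptr member survives the cleanup, but the companion SetAuthMetadataProcessor hunk in secure_server_credentials.cc never assigns it — the wrapper is created with `new` and given to the core instead — so if nothing else in the file uses it, the member and its `private:` section are dead and should go. With the destructor and `creds_` moved into the base, this header no longer explains ownership at all; the TODO says why the class still exists but not that the base now releases the credentials, so a line on the constructor such as `// Ownership of creds passes to ServerCredentials, which releases it on destruction.` would help. Whether the base destructor is virtual is not visible here, so that is worth confirming before relying on deletion through a ServerCredentials pointer.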
@@ -0,0 +1,39 @@ +// Copyright 2024 The gRPC Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +#include + +#include + +#include "src/core/lib/gprpp/crash.h" + +namespace grpc { + +ServerCredentials::ServerCredentials(grpc_server_credentials* creds) + : c_creds_(creds) {} + +ServerCredentials::~ServerCredentials() { + grpc_server_credentials_release(c_creds_); +} + +void ServerCredentials::SetAuthMetadataProcessor( + const std::shared_ptr& /* processor */) { + grpc_core::Crash("Not Supported"); +} + +int ServerCredentials::AddPortToServer(const std::string& addr, + grpc_server* server) { + return grpc_server_add_http2_port(server, addr.c_str(), c_creds_); +} + +} // namespace grpc diff --git a/src/cpp/server/xds_server_credentials.cc b/src/cpp/server/xds_server_credentials.cc index 329052488c0..185fbb6ac6d 100644 --- a/src/cpp/server/xds_server_credentials.cc +++ b/src/cpp/server/xds_server_credentials.cc 
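Review bot: ServerCredentials::AddPortToServer hands `c_creds_` to grpc_server_add_http2_port without checking it, while the binder test hunk below constructs a ServerCredentials with `nullptr`, so any subclass that relies on the base AddPortToServer with a null creds object would pass a null pointer into the core. A guard at the top, `GPR_ASSERT(c_creds_ != nullptr);` (or a `grpc_core::Crash` since crash.h is already included), would fail clearly and mirror the check the xds_server_credentials.cc hunk adds on the fallback creds. The destructor releases `c_creds_` unconditionally, which relies on grpc_server_credentials_release accepting a null pointer; if it does, say so in a comment, and because an owning raw pointer is released here the copy constructor and copy assignment must be deleted unless the public header already does that. The constructor takes over the caller's reference and the class never takes another, which the header comment should state: `// Takes ownership of one reference to creds; it is released when this object is destroyed.`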
@@ -23,24 +23,14 @@ #include #include -#include "src/cpp/server/secure_server_credentials.h" - namespace grpc { std::shared_ptr XdsServerCredentials( const std::shared_ptr& fallback_credentials) { GPR_ASSERT(fallback_credentials != nullptr); - if (fallback_credentials->IsInsecure()) { - grpc_server_credentials* insecure_creds = - grpc_insecure_server_credentials_create(); - auto xds_creds = std::make_shared( - grpc_xds_server_credentials_create(insecure_creds)); - grpc_server_credentials_release(insecure_creds); - return xds_creds; - } - return std::make_shared( - grpc_xds_server_credentials_create( - fallback_credentials->AsSecureServerCredentials()->c_creds())); + GPR_ASSERT(fallback_credentials->c_creds_ != nullptr); + return std::shared_ptr(new ServerCredentials( + grpc_xds_server_credentials_create(fallback_credentials->c_creds_))); } namespace experimental { diff --git a/test/core/transport/binder/end2end/binder_server_test.cc b/test/core/transport/binder/end2end/binder_server_test.cc index 5f226c84196..37bd246b592 100644 --- a/test/core/transport/binder/end2end/binder_server_test.cc +++ b/test/core/transport/binder/end2end/binder_server_test.cc @@ -38,6 +38,8 @@ namespace { class BinderServerCredentialsImpl final : public ServerCredentials { public: + BinderServerCredentialsImpl() : ServerCredentials(nullptr) {} + int AddPortToServer(const std::string& addr, grpc_server* server) override { return grpc_core::AddBinderPort( addr, server, @@ -49,14 +51,6 @@ class BinderServerCredentialsImpl final : public ServerCredentials { std::make_shared< grpc::experimental::binder::UntrustedSecurityPolicy>()); } - - void SetAuthMetadataProcessor( - const std::shared_ptr& /*processor*/) override { - grpc_core::Crash("unreachable"); - } - - private: - bool IsInsecure() const override { return true; } }; } // namespace diff --git a/test/cpp/end2end/client_lb_end2end_test.cc b/test/cpp/end2end/client_lb_end2end_test.cc index d5ee65ad9d0..366c933dfea 100644 
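Review bot: XdsServerCredentials now returns a plain ServerCredentials instead of the SecureServerCredentials it wrapped before, so a caller that invokes SetAuthMetadataProcessor on xDS server credentials no longer installs the processor but hits the base implementation's `grpc_core::Crash("Not Supported")` from the new server_credentials.cc — a behavior change the commit message does not mention, unless the public header overrides it somewhere outside this diff. If the processor path is meant to keep working for xDS, the return should stay `std::make_shared<SecureServerCredentials>(grpc_xds_server_credentials_create(fallback_credentials->c_creds_))` with the removed secure_server_credentials.h include kept; otherwise the public doc comment for XdsServerCredentials should state that a processor is unsupported. The function also reaches into `fallback_credentials->c_creds_` directly (as the client_helper.cc hunk does for call credentials); an accessor like the `c_creds()` used in secure_server_credentials.cc would keep the raw C pointer out of the public data surface.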
--- a/test/cpp/end2end/client_lb_end2end_test.cc +++ b/test/cpp/end2end/client_lb_end2end_test.cc @@ -70,7 +70,6 @@ #include "src/core/resolver/fake/fake_resolver.h" #include "src/core/service_config/service_config.h" #include "src/core/service_config/service_config_impl.h" -#include "src/cpp/client/secure_credentials.h" #include "src/cpp/server/secure_server_credentials.h" #include "src/proto/grpc/health/v1/health.grpc.pb.h" #include "src/proto/grpc/testing/echo.grpc.pb.h" @@ -81,6 +80,7 @@ #include "test/core/util/test_lb_policies.h" #include "test/cpp/end2end/connection_attempt_injector.h" #include "test/cpp/end2end/test_service_impl.h" +#include "test/cpp/util/credentials.h" namespace grpc { namespace testing { @@ -262,8 +262,7 @@ class ClientLbEnd2endTest : public ::testing::Test { protected: ClientLbEnd2endTest() : server_host_("localhost"), - creds_(new SecureChannelCredentials( - grpc_fake_transport_security_credentials_create())) {} + creds_(std::make_shared()) {} void SetUp() override { grpc_init(); } diff --git a/test/cpp/end2end/end2end_test.cc b/test/cpp/end2end/end2end_test.cc index 6647c331fd9..5e3b44bfaf8 100644 --- a/test/cpp/end2end/end2end_test.cc +++ b/test/cpp/end2end/end2end_test.cc 
@@ -84,52 +84,53 @@ const char kTestCredsPluginErrorMsg[] = "Could not find plugin metadata."; const char kFakeToken[] = "fake_token"; const char kFakeSelector[] = "fake_selector"; const char kExpectedFakeCredsDebugString[] = - "SecureCallCredentials{GoogleIAMCredentials{Token:present," + "CallCredentials{GoogleIAMCredentials{Token:present," "AuthoritySelector:fake_selector}}"; const char kWrongToken[] = "wrong_token"; const char kWrongSelector[] = "wrong_selector"; const char kExpectedWrongCredsDebugString[] = - "SecureCallCredentials{GoogleIAMCredentials{Token:present," + "CallCredentials{GoogleIAMCredentials{Token:present," "AuthoritySelector:wrong_selector}}"; const char kFakeToken1[] = "fake_token1"; const char kFakeSelector1[] = "fake_selector1"; const char kExpectedFakeCreds1DebugString[] = - "SecureCallCredentials{GoogleIAMCredentials{Token:present," + "CallCredentials{GoogleIAMCredentials{Token:present," "AuthoritySelector:fake_selector1}}"; const char kFakeToken2[] = "fake_token2"; const char kFakeSelector2[] = "fake_selector2"; const char kExpectedFakeCreds2DebugString[] = - "SecureCallCredentials{GoogleIAMCredentials{Token:present," + "CallCredentials{GoogleIAMCredentials{Token:present," "AuthoritySelector:fake_selector2}}"; const char kExpectedAuthMetadataPluginKeyFailureCredsDebugString[] = - "SecureCallCredentials{TestMetadataCredentials{key:TestPluginMetadata," + "CallCredentials{TestMetadataCredentials{key:TestPluginMetadata," "value:Does not matter, will fail the key is invalid.}}"; const char kExpectedAuthMetadataPluginValueFailureCredsDebugString[] = - "SecureCallCredentials{TestMetadataCredentials{key:test-plugin-metadata," + "CallCredentials{TestMetadataCredentials{key:test-plugin-metadata," "value:With illegal \n value.}}"; const char kExpectedAuthMetadataPluginWithDeadlineCredsDebugString[] = - "SecureCallCredentials{TestMetadataCredentials{key:meta_key,value:Does not " + "CallCredentials{TestMetadataCredentials{key:meta_key,value:Does " + 
"not " "matter}}"; const char kExpectedNonBlockingAuthMetadataPluginFailureCredsDebugString[] = - "SecureCallCredentials{TestMetadataCredentials{key:test-plugin-metadata," + "CallCredentials{TestMetadataCredentials{key:test-plugin-metadata," "value:Does not matter, will fail anyway (see 3rd param)}}"; const char kExpectedNonBlockingAuthMetadataPluginAndProcessorSuccessCredsDebugString - [] = "SecureCallCredentials{TestMetadataCredentials{key:test-plugin-" + [] = "CallCredentials{TestMetadataCredentials{key:test-plugin-" "metadata,value:Dr Jekyll}}"; const char kExpectedNonBlockingAuthMetadataPluginAndProcessorFailureCredsDebugString - [] = "SecureCallCredentials{TestMetadataCredentials{key:test-plugin-" + [] = "CallCredentials{TestMetadataCredentials{key:test-plugin-" "metadata,value:Mr Hyde}}"; const char kExpectedBlockingAuthMetadataPluginFailureCredsDebugString[] = - "SecureCallCredentials{TestMetadataCredentials{key:test-plugin-metadata," + "CallCredentials{TestMetadataCredentials{key:test-plugin-metadata," "value:Does not matter, will fail anyway (see 3rd param)}}"; const char kExpectedCompositeCallCredsDebugString[] = - "SecureCallCredentials{CompositeCallCredentials{TestMetadataCredentials{" + "CallCredentials{CompositeCallCredentials{TestMetadataCredentials{" "key:call-creds-key1,value:call-creds-val1},TestMetadataCredentials{key:" "call-creds-key2,value:call-creds-val2}}}"; diff --git a/test/cpp/end2end/grpclb_end2end_test.cc b/test/cpp/end2end/grpclb_end2end_test.cc index 6b95dbf569a..5f90950902e 100644 --- a/test/cpp/end2end/grpclb_end2end_test.cc +++ b/test/cpp/end2end/grpclb_end2end_test.cc 
@@ -58,7 +58,6 @@ #include "src/core/resolver/endpoint_addresses.h" #include "src/core/resolver/fake/fake_resolver.h" #include "src/core/service_config/service_config_impl.h" -#include "src/cpp/client/secure_credentials.h" #include "src/cpp/server/secure_server_credentials.h" #include "src/proto/grpc/lb/v1/load_balancer.grpc.pb.h" #include "src/proto/grpc/testing/echo.grpc.pb.h" @@ -67,6 +66,7 @@ #include "test/core/util/test_config.h" #include "test/cpp/end2end/counted_service.h" #include "test/cpp/end2end/test_service_impl.h" +#include "test/cpp/util/credentials.h" #include "test/cpp/util/test_config.h" // TODO(dgq): Other scenarios in need of testing: @@ -605,9 +605,8 @@ class GrpclbEnd2endTest : public ::testing::Test { grpc_fake_transport_security_credentials_create(); grpc_call_credentials* call_creds = grpc_md_only_test_credentials_create( kCallCredsMdKey, kCallCredsMdValue); - std::shared_ptr creds( - new SecureChannelCredentials(grpc_composite_channel_credentials_create( - channel_creds, call_creds, nullptr))); + auto creds = std::make_shared( + channel_creds, call_creds); call_creds->Unref(); channel_creds->Unref(); channel_ = grpc::CreateCustomChannel( diff --git a/test/cpp/end2end/resource_quota_end2end_stress_test.cc b/test/cpp/end2end/resource_quota_end2end_stress_test.cc index 19c9a9ad6c6..25231e5e9ce 100644 --- a/test/cpp/end2end/resource_quota_end2end_stress_test.cc +++ b/test/cpp/end2end/resource_quota_end2end_stress_test.cc @@ -34,11 +34,11 @@ #include "src/core/lib/experiments/config.h" #include "src/core/lib/gprpp/notification.h" #include "src/core/lib/security/credentials/fake/fake_credentials.h" -#include "src/cpp/client/secure_credentials.h" #include "src/cpp/server/secure_server_credentials.h" #include "src/proto/grpc/testing/echo.grpc.pb.h" #include "test/core/util/port.h" #include "test/core/util/test_config.h" +#include "test/cpp/util/credentials.h" // IWYU pragma: no_include 
@@ -186,9 +186,7 @@ class End2EndConnectionQuotaTest : public ::testing::TestWithParam { return EchoTestService::NewStub(CreateCustomChannel( connect_address_, - std::make_shared( - grpc_fake_transport_security_credentials_create()), - args)); + std::make_shared(), args)); } void TestExceedingConnectionQuota() { diff --git a/test/cpp/end2end/rls_end2end_test.cc b/test/cpp/end2end/rls_end2end_test.cc index ec48de736da..07d9359b95b 100644 --- a/test/cpp/end2end/rls_end2end_test.cc +++ b/test/cpp/end2end/rls_end2end_test.cc @@ -52,7 +52,6 @@ #include "src/core/load_balancing/rls/rls.h" #include "src/core/resolver/fake/fake_resolver.h" #include "src/core/service_config/service_config_impl.h" -#include "src/cpp/client/secure_credentials.h" #include "src/cpp/server/secure_server_credentials.h" #include "src/proto/grpc/lookup/v1/rls.grpc.pb.h" #include "src/proto/grpc/lookup/v1/rls.pb.h" @@ -65,6 +64,7 @@ #include "test/cpp/end2end/counted_service.h" #include "test/cpp/end2end/rls_server.h" #include "test/cpp/end2end/test_service_impl.h" +#include "test/cpp/util/credentials.h" #include "test/cpp/util/test_config.h" using ::grpc::lookup::v1::RouteLookupRequest; @@ -198,13 +198,12 @@ class RlsEnd2endTest : public ::testing::Test { grpc_fake_transport_security_credentials_create(); grpc_call_credentials* call_creds = grpc_md_only_test_credentials_create( kCallCredsMdKey, kCallCredsMdValue); - auto creds = std::make_shared( - grpc_composite_channel_credentials_create(channel_creds, call_creds, - nullptr)); + auto creds = std::make_shared( + channel_creds, call_creds); call_creds->Unref(); channel_creds->Unref(); target_uri_ = absl::StrCat("fake:///", kServerName); - channel_ = grpc::CreateCustomChannel(target_uri_, std::move(creds), args); + channel_ = grpc::CreateCustomChannel(target_uri_, creds, args); stub_ = grpc::testing::EchoTestService::NewStub(channel_); } 
diff --git a/test/cpp/end2end/service_config_end2end_test.cc b/test/cpp/end2end/service_config_end2end_test.cc index 5793117b08b..966097015ac 100644 --- a/test/cpp/end2end/service_config_end2end_test.cc +++ b/test/cpp/end2end/service_config_end2end_test.cc @@ -59,13 +59,13 @@ #include "src/core/resolver/endpoint_addresses.h" #include "src/core/resolver/fake/fake_resolver.h" #include "src/core/service_config/service_config_impl.h" -#include "src/cpp/client/secure_credentials.h" #include "src/cpp/server/secure_server_credentials.h" #include "src/proto/grpc/testing/echo.grpc.pb.h" #include "test/core/util/port.h" #include "test/core/util/resolve_localhost_ip46.h" #include "test/core/util/test_config.h" #include "test/cpp/end2end/test_service_impl.h" +#include "test/cpp/util/credentials.h" namespace grpc { namespace testing { @@ -119,8 +119,7 @@ class ServiceConfigEnd2endTest : public ::testing::Test { ServiceConfigEnd2endTest() : server_host_("localhost"), kRequestMessage_("Live long and prosper."), - creds_(new SecureChannelCredentials( - grpc_fake_transport_security_credentials_create())) {} + creds_(std::make_shared()) {} static void SetUpTestSuite() { // Make the backup poller poll very frequently in order to pick up diff --git a/test/cpp/end2end/xds/xds_csds_end2end_test.cc b/test/cpp/end2end/xds/xds_csds_end2end_test.cc index 2aa0c0645e4..fb7cfd0cc06 100644 --- a/test/cpp/end2end/xds/xds_csds_end2end_test.cc +++ b/test/cpp/end2end/xds/xds_csds_end2end_test.cc @@ -29,7 +29,6 @@ #include "src/core/client_channel/backup_poller.h" #include "src/core/lib/config/config_vars.h" -#include "src/cpp/client/secure_credentials.h" #include "src/proto/grpc/testing/xds/v3/cluster.grpc.pb.h" #include "src/proto/grpc/testing/xds/v3/endpoint.grpc.pb.h" #include "src/proto/grpc/testing/xds/v3/http_connection_manager.grpc.pb.h" 
@@ -38,6 +37,7 @@ #include "test/core/util/resolve_localhost_ip46.h" #include "test/core/util/test_config.h" #include "test/cpp/end2end/xds/xds_end2end_test_lib.h" +#include "test/cpp/util/credentials.h" #ifndef DISABLED_XDS_PROTO_IN_CC @@ -246,8 +246,7 @@ class ClientStatusDiscoveryServiceTest : public XdsEnd2endTest { grpc_core::LocalIpAndPort(admin_server_thread_->port()); admin_channel_ = grpc::CreateChannel( admin_server_address, - std::make_shared( - grpc_fake_transport_security_credentials_create())); + std::make_shared()); csds_stub_ = envoy::service::status::v3::ClientStatusDiscoveryService::NewStub( admin_channel_); diff --git a/test/cpp/end2end/xds/xds_end2end_test_lib.cc b/test/cpp/end2end/xds/xds_end2end_test_lib.cc index 121f92328fc..db2c5a48f4a 100644 --- a/test/cpp/end2end/xds/xds_end2end_test_lib.cc +++ b/test/cpp/end2end/xds/xds_end2end_test_lib.cc @@ -30,7 +30,6 @@ #include "absl/strings/str_cat.h" #include "absl/strings/str_format.h" #include "absl/strings/str_join.h" -#include "absl/strings/str_replace.h" #include "absl/strings/string_view.h" #include "absl/types/optional.h" @@ -42,10 +41,10 @@ #include "src/core/lib/gpr/tmpfile.h" #include "src/core/lib/gprpp/env.h" #include "src/core/lib/surface/server.h" -#include "src/cpp/client/secure_credentials.h" #include "src/proto/grpc/testing/xds/v3/router.grpc.pb.h" #include "test/core/util/resolve_localhost_ip46.h" #include "test/core/util/tls_utils.h" +#include "test/cpp/util/credentials.h" #include "test/cpp/util/tls_test_utils.h" namespace grpc { @@ -572,8 +571,7 @@ std::shared_ptr XdsEnd2endTest::CreateChannel( std::shared_ptr channel_creds = GetParam().use_xds_credentials() ? XdsCredentials(CreateTlsFallbackCredentials()) - : std::make_shared( - grpc_fake_transport_security_credentials_create()); + : std::make_shared(); return grpc::CreateCustomChannel(uri, channel_creds, *args); } 
diff --git a/test/cpp/interop/client_helper.cc b/test/cpp/interop/client_helper.cc index 374eb4085d3..c88fc495d42 100644 --- a/test/cpp/interop/client_helper.cc +++ b/test/cpp/interop/client_helper.cc @@ -34,8 +34,6 @@ #include #include -#include "src/core/lib/gprpp/crash.h" -#include "src/cpp/client/secure_credentials.h" #include "test/core/security/oauth2_utils.h" #include "test/cpp/util/create_test_channel.h" #include "test/cpp/util/test_credentials_provider.h" @@ -68,11 +66,7 @@ std::string GetServiceAccountJsonKey() { std::string GetOauth2AccessToken() { std::shared_ptr creds = GoogleComputeEngineCredentials(); - SecureCallCredentials* secure_creds = - dynamic_cast(creds.get()); - GPR_ASSERT(secure_creds != nullptr); - grpc_call_credentials* c_creds = secure_creds->GetRawCreds(); - char* token = grpc_test_fetch_oauth2_token_with_credentials(c_creds); + char* token = grpc_test_fetch_oauth2_token_with_credentials(creds->c_creds_); GPR_ASSERT(token != nullptr); gpr_log(GPR_INFO, "Get raw oauth2 access token: %s", token); std::string access_token(token + sizeof("Bearer ") - 1); diff --git a/test/cpp/microbenchmarks/BUILD b/test/cpp/microbenchmarks/BUILD index fde18853890..68f2669c32d 100644 --- a/test/cpp/microbenchmarks/BUILD +++ b/test/cpp/microbenchmarks/BUILD @@ -306,7 +306,7 @@ grpc_cc_library( hdrs = [ "fullstack_unary_ping_pong.h", ], - deps = [":helpers"], + deps = [":helpers_secure"], ) grpc_cc_test( @@ -395,7 +395,7 @@ grpc_cc_library( deps = [ ":helpers", "//src/proto/grpc/testing:echo_proto", - "//test/cpp/util:test_util_unsecure", + "//test/cpp/util:test_util", ], ) diff --git a/test/cpp/util/BUILD b/test/cpp/util/BUILD index e4b98dc1ec2..fe324d5fa78 100644 --- a/test/cpp/util/BUILD +++ b/test/cpp/util/BUILD @@ -60,6 +60,7 @@ GRPCXX_TESTUTIL_SRCS = [ GRPCXX_TESTUTIL_HDRS = [ "byte_buffer_proto_helper.h", + "credentials.h", "string_ref_helper.h", "subprocess.h", ] 
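Review bot: The removed dynamic_cast plus `GPR_ASSERT(secure_creds != nullptr)` also covered a null `creds`, since casting a null pointer yields null; the new line dereferences `creds->c_creds_` directly, so if GoogleComputeEngineCredentials() can return an empty shared_ptr (it wraps a C factory that may fail), the failure is now a null dereference instead of an assertion. Add `GPR_ASSERT(creds != nullptr);` before the fetch call. Reading the `c_creds_` member straight from a test is the same pattern as in xds_server_credentials.cc; an accessor would keep the raw pointer encapsulated. The rest of GetOauth2AccessToken continues outside the hunk.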
diff --git a/test/cpp/util/credentials.h b/test/cpp/util/credentials.h new file mode 100644 index 00000000000..b57e293498a --- /dev/null +++ b/test/cpp/util/credentials.h @@ -0,0 +1,41 @@ +// Copyright 2024 The gRPC Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +#ifndef GRPC_TEST_CPP_UTIL_CREDENTIALS_H +#define GRPC_TEST_CPP_UTIL_CREDENTIALS_H + +#include + +#include "src/core/lib/security/credentials/fake/fake_credentials.h" + +namespace grpc { +namespace testing { + +class FakeTransportSecurityChannelCredentials : public ChannelCredentials { + public: + FakeTransportSecurityChannelCredentials() + : ChannelCredentials(grpc_fake_transport_security_credentials_create()) {} +}; + +class TestCompositeChannelCredentials : public ChannelCredentials { + public: + TestCompositeChannelCredentials(grpc_channel_credentials* channel_creds, + grpc_call_credentials* call_creds) + : ChannelCredentials(grpc_composite_channel_credentials_create( + channel_creds, call_creds, nullptr)) {} +}; + +} // namespace testing +} // namespace grpc + +#endif // GRPC_TEST_CPP_UTIL_CREDENTIALS_H diff --git a/tools/doxygen/Doxyfile.c++.internal b/tools/doxygen/Doxyfile.c++.internal index cd8a8ed4048..5a03ce25466 100644 --- a/tools/doxygen/Doxyfile.c++.internal +++ b/tools/doxygen/Doxyfile.c++.internal 
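Review bot: Both classes in the new test/cpp/util/credentials.h are undocumented, and their names give no hint that they carry no real security: FakeTransportSecurityChannelCredentials wraps the fake TSI credentials, so a header comment such as `// Test-only credentials built on the fake transport security handshake; they provide no authentication or confidentiality and are not for use outside tests.` would keep them from being picked up by non-test code that finds the header. TestCompositeChannelCredentials takes raw `grpc_channel_credentials*` and `grpc_call_credentials*` and, judging by the grpclb and rls hunks that Unref both right after construction, does not take ownership of either; that should be stated on the constructor, e.g. `// Does not take ownership: the composite credentials hold their own refs.` Marking both classes `final` would also match the other credentials implementations in this change.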
@@ -3012,7 +3012,9 @@ src/core/tsi/transport_security_grpc.cc \ src/core/tsi/transport_security_grpc.h \ src/core/tsi/transport_security_interface.h \ src/cpp/README.md \ +src/cpp/client/call_credentials.cc \ src/cpp/client/channel_cc.cc \ +src/cpp/client/channel_credentials.cc \ src/cpp/client/client_callback.cc \ src/cpp/client/client_context.cc \ src/cpp/client/client_interceptor.cc \ @@ -3034,7 +3036,6 @@ src/cpp/common/resource_quota_cc.cc \ src/cpp/common/rpc_method.cc \ src/cpp/common/secure_auth_context.cc \ src/cpp/common/secure_auth_context.h \ -src/cpp/common/secure_channel_arguments.cc \ src/cpp/common/secure_create_auth_context.cc \ src/cpp/common/tls_certificate_provider.cc \ src/cpp/common/tls_certificate_verifier.cc \ @@ -3060,6 +3061,7 @@ src/cpp/server/server_builder.cc \ src/cpp/server/server_callback.cc \ src/cpp/server/server_cc.cc \ src/cpp/server/server_context.cc \ +src/cpp/server/server_credentials.cc \ src/cpp/server/server_posix.cc \ src/cpp/server/thread_pool_interface.h \ src/cpp/server/xds_server_builder.cc \