/* * * Copyright 2019 gRPC authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ #ifndef GRPCPP_SECURITY_TLS_CREDENTIALS_OPTIONS_H #define GRPCPP_SECURITY_TLS_CREDENTIALS_OPTIONS_H #include #include #include #include #include #include typedef struct grpc_tls_credential_reload_arg grpc_tls_credential_reload_arg; typedef struct grpc_tls_credential_reload_config grpc_tls_credential_reload_config; typedef struct grpc_tls_server_authorization_check_arg grpc_tls_server_authorization_check_arg; typedef struct grpc_tls_server_authorization_check_config grpc_tls_server_authorization_check_config; typedef struct grpc_tls_credentials_options grpc_tls_credentials_options; namespace grpc_impl { namespace experimental { /** TLS key materials config, wrapper for grpc_tls_key_materials_config. It is * used for experimental purposes for now and subject to change. **/ class TlsKeyMaterialsConfig { public: struct PemKeyCertPair { std::string private_key; std::string cert_chain; }; /** Getters for member fields. **/ const std::string pem_root_certs() const { return pem_root_certs_; } const std::vector& pem_key_cert_pair_list() const { return pem_key_cert_pair_list_; } int version() const { return version_; } /** Setter for key materials that will be called by the user. Ownership of the * arguments will not be transferred. **/ void set_pem_root_certs(const std::string& pem_root_certs); void add_pem_key_cert_pair(const PemKeyCertPair& pem_key_cert_pair); void set_key_materials( const std::string& pem_root_certs, const std::vector& pem_key_cert_pair_list); void set_version(int version) { version_ = version; }; private: int version_ = 0; std::vector pem_key_cert_pair_list_; std::string pem_root_certs_; }; /** TLS credential reload arguments, wraps grpc_tls_credential_reload_arg. It is * used for experimental purposes for now and it is subject to change. * * The credential reload arg contains all the info necessary to schedule/cancel * a credential reload request. The callback function must be called after * finishing the schedule operation. See the description of the * grpc_tls_credential_reload_arg struct in grpc_security.h for more details. * **/ class TlsCredentialReloadArg { public: /** TlsCredentialReloadArg does not take ownership of the C arg that is passed * to the constructor. One must remember to free any memory allocated to the * C arg after using the setter functions below. **/ TlsCredentialReloadArg(grpc_tls_credential_reload_arg* arg); ~TlsCredentialReloadArg(); /** Getters for member fields. **/ void* cb_user_data() const; bool is_pem_key_cert_pair_list_empty() const; grpc_ssl_certificate_config_reload_status status() const; std::string error_details() const; /** Setters for member fields. Ownership of the arguments will not be * transferred. **/ void set_cb_user_data(void* cb_user_data); void set_pem_root_certs(const std::string& pem_root_certs); void add_pem_key_cert_pair( const TlsKeyMaterialsConfig::PemKeyCertPair& pem_key_cert_pair); void set_key_materials(const std::string& pem_root_certs, std::vector pem_key_cert_pair_list); void set_key_materials_config( const std::shared_ptr& key_materials_config); void set_status(grpc_ssl_certificate_config_reload_status status); void set_error_details(const std::string& error_details); /** Calls the C arg's callback function. **/ void OnCredentialReloadDoneCallback(); private: grpc_tls_credential_reload_arg* c_arg_; }; /** An interface that the application derives and uses to instantiate a * TlsCredentialReloadConfig instance. Refer to the definition of the * grpc_tls_credential_reload_config in grpc_tls_credentials_options.h for more * details on the expectations of the member functions of the interface. **/ struct TlsCredentialReloadInterface { virtual ~TlsCredentialReloadInterface() = default; /** A callback that invokes the credential reload. **/ virtual int Schedule(TlsCredentialReloadArg* arg) = 0; /** A callback that cancels a credential reload request. **/ virtual void Cancel(TlsCredentialReloadArg* /* arg */) {} }; /** TLS credential reloag config, wraps grpc_tls_credential_reload_config. It is * used for experimental purposes for now and it is subject to change. **/ class TlsCredentialReloadConfig { public: TlsCredentialReloadConfig(std::shared_ptr credential_reload_interface); ~TlsCredentialReloadConfig(); int Schedule(TlsCredentialReloadArg* arg) const { if (credential_reload_interface_ == nullptr) { gpr_log(GPR_ERROR, "credential reload interface is nullptr"); if (arg != nullptr) { arg->set_status(GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL); arg->set_error_details( "the interface of the credential reload config is nullptr"); } return 1; } return credential_reload_interface_->Schedule(arg); } void Cancel(TlsCredentialReloadArg* arg) const { if (credential_reload_interface_ == nullptr) { gpr_log(GPR_ERROR, "credential reload interface is nullptr"); if (arg != nullptr) { arg->set_status(GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL); arg->set_error_details( "the interface of the credential reload config is nullptr"); } return; } credential_reload_interface_->Cancel(arg); } /** Returns a C struct for the credential reload config. **/ grpc_tls_credential_reload_config* c_config() const { return c_config_; } private: grpc_tls_credential_reload_config* c_config_; std::shared_ptr credential_reload_interface_; }; /** TLS server authorization check arguments, wraps * grpc_tls_server_authorization_check_arg. It is used for experimental * purposes for now and it is subject to change. * * The server authorization check arg contains all the info necessary to * schedule/cancel a server authorization check request. The callback function * must be called after finishing the schedule operation. See the description * of the grpc_tls_server_authorization_check_arg struct in grpc_security.h for * more details. **/ class TlsServerAuthorizationCheckArg { public: /** TlsServerAuthorizationCheckArg does not take ownership of the C arg passed * to the constructor. One must remember to free any memory allocated to the * C arg after using the setter functions below. **/ TlsServerAuthorizationCheckArg(grpc_tls_server_authorization_check_arg* arg); ~TlsServerAuthorizationCheckArg(); /** Getters for member fields. **/ void* cb_user_data() const; int success() const; std::string target_name() const; std::string peer_cert() const; std::string peer_cert_full_chain() const; grpc_status_code status() const; std::string error_details() const; /** Setters for member fields. **/ void set_cb_user_data(void* cb_user_data); void set_success(int success); void set_target_name(const std::string& target_name); void set_peer_cert(const std::string& peer_cert); void set_peer_cert_full_chain(const std::string& peer_cert_full_chain); void set_status(grpc_status_code status); void set_error_details(const std::string& error_details); /** Calls the C arg's callback function. **/ void OnServerAuthorizationCheckDoneCallback(); private: grpc_tls_server_authorization_check_arg* c_arg_; }; /** An interface that the application derives and uses to instantiate a * TlsServerAuthorizationCheckConfig instance. Refer to the definition of the * grpc_tls_server_authorization_check_config in grpc_tls_credentials_options.h * for more details on the expectations of the member functions of the * interface. * **/ struct TlsServerAuthorizationCheckInterface { virtual ~TlsServerAuthorizationCheckInterface() = default; /** A callback that invokes the server authorization check. **/ virtual int Schedule(TlsServerAuthorizationCheckArg* arg) = 0; /** A callback that cancels a server authorization check request. **/ virtual void Cancel(TlsServerAuthorizationCheckArg* /* arg */) {} }; /** TLS server authorization check config, wraps * grps_tls_server_authorization_check_config. It is used for experimental * purposes for now and it is subject to change. **/ class TlsServerAuthorizationCheckConfig { public: TlsServerAuthorizationCheckConfig( std::shared_ptr server_authorization_check_interface); ~TlsServerAuthorizationCheckConfig(); int Schedule(TlsServerAuthorizationCheckArg* arg) const { if (server_authorization_check_interface_ == nullptr) { gpr_log(GPR_ERROR, "server authorization check interface is nullptr"); if (arg != nullptr) { arg->set_status(GRPC_STATUS_NOT_FOUND); arg->set_error_details( "the interface of the server authorization check config is " "nullptr"); } return 1; } return server_authorization_check_interface_->Schedule(arg); } void Cancel(TlsServerAuthorizationCheckArg* arg) const { if (server_authorization_check_interface_ == nullptr) { gpr_log(GPR_ERROR, "server authorization check interface is nullptr"); if (arg != nullptr) { arg->set_status(GRPC_STATUS_NOT_FOUND); arg->set_error_details( "the interface of the server authorization check config is " "nullptr"); } return; } server_authorization_check_interface_->Cancel(arg); } /** Returns C struct for the server authorization check config. **/ grpc_tls_server_authorization_check_config* c_config() const { return c_config_; } private: grpc_tls_server_authorization_check_config* c_config_; std::shared_ptr server_authorization_check_interface_; }; /** TLS credentials options, wrapper for grpc_tls_credentials_options. It is * used for experimental purposes for now and it is subject to change. See the * description of the grpc_tls_credentials_options struct in grpc_security.h for * more details. **/ class TlsCredentialsOptions { public: // Constructor for client. explicit TlsCredentialsOptions( grpc_tls_server_verification_option server_verification_option, std::shared_ptr key_materials_config, std::shared_ptr credential_reload_config, std::shared_ptr server_authorization_check_config); // Constructor for server. explicit TlsCredentialsOptions( grpc_ssl_client_certificate_request_type cert_request_type, std::shared_ptr key_materials_config, std::shared_ptr credential_reload_config); // This constructor will be deprecated. TlsCredentialsOptions( grpc_ssl_client_certificate_request_type cert_request_type, grpc_tls_server_verification_option server_verification_option, std::shared_ptr key_materials_config, std::shared_ptr credential_reload_config, std::shared_ptr server_authorization_check_config); ~TlsCredentialsOptions(); /** Getters for member fields. **/ grpc_ssl_client_certificate_request_type cert_request_type() const { return cert_request_type_; } grpc_tls_server_verification_option server_verification_option() const { return server_verification_option_; } std::shared_ptr key_materials_config() const { return key_materials_config_; } std::shared_ptr credential_reload_config() const { return credential_reload_config_; } std::shared_ptr server_authorization_check_config() const { return server_authorization_check_config_; } grpc_tls_credentials_options* c_credentials_options() const { return c_credentials_options_; } private: /** The cert_request_type_ flag is only relevant when the * TlsCredentialsOptions are used to instantiate server credentials; the flag * goes unused when creating channel credentials, and the user can set it to * GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE. **/ grpc_ssl_client_certificate_request_type cert_request_type_; /** The server_verification_option_ flag is only relevant when the * TlsCredentialsOptions are used to instantiate client credentials; **/ grpc_tls_server_verification_option server_verification_option_; std::shared_ptr key_materials_config_; std::shared_ptr credential_reload_config_; std::shared_ptr server_authorization_check_config_; grpc_tls_credentials_options* c_credentials_options_; }; } // namespace experimental } // namespace grpc_impl #endif // GRPCPP_SECURITY_TLS_CREDENTIALS_OPTIONS_H