1 /* 2 * 3 * Copyright 2018 gRPC authors. 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 */ 18 19 #ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H 20 #define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H 21 22 #include <grpc/support/port_platform.h> 23 24 #include <grpc/grpc_security.h> 25 26 #include "absl/container/inlined_vector.h" 27 28 #include "src/core/lib/gprpp/ref_counted.h" 29 #include "src/core/lib/security/security_connector/ssl_utils.h" 30 31 struct grpc_tls_error_details 32 : public grpc_core::RefCounted<grpc_tls_error_details> { 33 public: grpc_tls_error_detailsgrpc_tls_error_details34 grpc_tls_error_details() : error_details_("") {} set_error_detailsgrpc_tls_error_details35 void set_error_details(const char* err_details) { 36 error_details_ = err_details; 37 } error_detailsgrpc_tls_error_details38 const std::string& error_details() { return error_details_; } 39 40 private: 41 std::string error_details_; 42 }; 43 44 /** TLS key materials config. **/ 45 struct grpc_tls_key_materials_config 46 : public grpc_core::RefCounted<grpc_tls_key_materials_config> { 47 public: 48 typedef absl::InlinedVector<grpc_core::PemKeyCertPair, 1> PemKeyCertPairList; 49 50 /** Getters for member fields. **/ pem_root_certsgrpc_tls_key_materials_config51 const char* pem_root_certs() const { return pem_root_certs_.get(); } pem_key_cert_pair_listgrpc_tls_key_materials_config52 const PemKeyCertPairList& pem_key_cert_pair_list() const { 53 return pem_key_cert_pair_list_; 54 } versiongrpc_tls_key_materials_config55 int version() const { return version_; } 56 57 /** Setters for member fields. **/ 58 // TODO(ZhenLian): Remove this function set_pem_root_certsgrpc_tls_key_materials_config59 void set_pem_root_certs(grpc_core::UniquePtr<char> pem_root_certs) { 60 pem_root_certs_ = std::move(pem_root_certs); 61 } 62 // The ownerships of |pem_root_certs| remain with the caller. set_pem_root_certsgrpc_tls_key_materials_config63 void set_pem_root_certs(const char* pem_root_certs) { 64 // make a copy of pem_root_certs. 65 grpc_core::UniquePtr<char> pem_root_ptr(gpr_strdup(pem_root_certs)); 66 pem_root_certs_ = std::move(pem_root_ptr); 67 } add_pem_key_cert_pairgrpc_tls_key_materials_config68 void add_pem_key_cert_pair(grpc_core::PemKeyCertPair pem_key_cert_pair) { 69 pem_key_cert_pair_list_.push_back(pem_key_cert_pair); 70 } 71 // The ownerships of |pem_root_certs| and |pem_key_cert_pairs| remain with the 72 // caller. 73 void set_key_materials(const char* pem_root_certs, 74 const grpc_ssl_pem_key_cert_pair** pem_key_cert_pairs, 75 size_t num_key_cert_pairs); 76 // The ownerships of |pem_root_certs| and |pem_key_cert_pair_list| remain with 77 // the caller. 78 void set_key_materials(const char* pem_root_certs, 79 const PemKeyCertPairList& pem_key_cert_pair_list); set_versiongrpc_tls_key_materials_config80 void set_version(int version) { version_ = version; } 81 82 private: 83 int version_ = 0; 84 PemKeyCertPairList pem_key_cert_pair_list_; 85 grpc_core::UniquePtr<char> pem_root_certs_; 86 }; 87 88 /** TLS credential reload config. **/ 89 struct grpc_tls_credential_reload_config 90 : public grpc_core::RefCounted<grpc_tls_credential_reload_config> { 91 public: 92 grpc_tls_credential_reload_config( 93 const void* config_user_data, 94 int (*schedule)(void* config_user_data, 95 grpc_tls_credential_reload_arg* arg), 96 void (*cancel)(void* config_user_data, 97 grpc_tls_credential_reload_arg* arg), 98 void (*destruct)(void* config_user_data)); 99 ~grpc_tls_credential_reload_config(); 100 contextgrpc_tls_credential_reload_config101 void* context() const { return context_; } set_contextgrpc_tls_credential_reload_config102 void set_context(void* context) { context_ = context; } 103 Schedulegrpc_tls_credential_reload_config104 int Schedule(grpc_tls_credential_reload_arg* arg) const { 105 if (schedule_ == nullptr) { 106 gpr_log(GPR_ERROR, "schedule API is nullptr"); 107 if (arg != nullptr) { 108 arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL; 109 arg->error_details->set_error_details( 110 "schedule API in credential reload config is nullptr"); 111 } 112 return 1; 113 } 114 if (arg != nullptr) { 115 arg->config = const_cast<grpc_tls_credential_reload_config*>(this); 116 } 117 return schedule_(config_user_data_, arg); 118 } Cancelgrpc_tls_credential_reload_config119 void Cancel(grpc_tls_credential_reload_arg* arg) const { 120 if (cancel_ == nullptr) { 121 gpr_log(GPR_ERROR, "cancel API is nullptr."); 122 if (arg != nullptr) { 123 arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL; 124 arg->error_details->set_error_details( 125 "cancel API in credential reload config is nullptr"); 126 } 127 return; 128 } 129 if (arg != nullptr) { 130 arg->config = const_cast<grpc_tls_credential_reload_config*>(this); 131 } 132 cancel_(config_user_data_, arg); 133 } 134 135 private: 136 /** This is a pointer to the wrapped language implementation of 137 * grpc_tls_credential_reload_config. It is necessary to implement the C 138 * schedule and cancel functions, given the schedule or cancel function in a 139 * wrapped language. **/ 140 void* context_ = nullptr; 141 /** config-specific, read-only user data that works for all channels created 142 with a credential using the config. */ 143 void* config_user_data_; 144 /** callback function for invoking credential reload API. The implementation 145 of this method has to be non-blocking, but can be performed synchronously 146 or asynchronously. 147 If processing occurs synchronously, it populates \a arg->key_materials, \a 148 arg->status, and \a arg->error_details and returns zero. 149 If processing occurs asynchronously, it returns a non-zero value. 150 Application then invokes \a arg->cb when processing is completed. Note that 151 \a arg->cb cannot be invoked before \a schedule returns. 152 */ 153 int (*schedule_)(void* config_user_data, grpc_tls_credential_reload_arg* arg); 154 /** callback function for cancelling a credential reload request scheduled via 155 an asynchronous \a schedule. \a arg is used to pinpoint an exact reloading 156 request to be cancelled, and the operation may not have any effect if the 157 request has already been processed. */ 158 void (*cancel_)(void* config_user_data, grpc_tls_credential_reload_arg* arg); 159 /** callback function for cleaning up any data associated with credential 160 reload config. */ 161 void (*destruct_)(void* config_user_data); 162 }; 163 164 /** TLS server authorization check config. **/ 165 struct grpc_tls_server_authorization_check_config 166 : public grpc_core::RefCounted<grpc_tls_server_authorization_check_config> { 167 public: 168 grpc_tls_server_authorization_check_config( 169 const void* config_user_data, 170 int (*schedule)(void* config_user_data, 171 grpc_tls_server_authorization_check_arg* arg), 172 void (*cancel)(void* config_user_data, 173 grpc_tls_server_authorization_check_arg* arg), 174 void (*destruct)(void* config_user_data)); 175 ~grpc_tls_server_authorization_check_config(); 176 contextgrpc_tls_server_authorization_check_config177 void* context() const { return context_; } set_contextgrpc_tls_server_authorization_check_config178 void set_context(void* context) { context_ = context; } 179 Schedulegrpc_tls_server_authorization_check_config180 int Schedule(grpc_tls_server_authorization_check_arg* arg) const { 181 if (schedule_ == nullptr) { 182 gpr_log(GPR_ERROR, "schedule API is nullptr"); 183 if (arg != nullptr) { 184 arg->status = GRPC_STATUS_NOT_FOUND; 185 arg->error_details->set_error_details( 186 "schedule API in server authorization check config is nullptr"); 187 } 188 return 1; 189 } 190 if (arg != nullptr && context_ != nullptr) { 191 arg->config = 192 const_cast<grpc_tls_server_authorization_check_config*>(this); 193 } 194 return schedule_(config_user_data_, arg); 195 } Cancelgrpc_tls_server_authorization_check_config196 void Cancel(grpc_tls_server_authorization_check_arg* arg) const { 197 if (cancel_ == nullptr) { 198 gpr_log(GPR_ERROR, "cancel API is nullptr."); 199 if (arg != nullptr) { 200 arg->status = GRPC_STATUS_NOT_FOUND; 201 arg->error_details->set_error_details( 202 "schedule API in server authorization check config is nullptr"); 203 } 204 return; 205 } 206 if (arg != nullptr) { 207 arg->config = 208 const_cast<grpc_tls_server_authorization_check_config*>(this); 209 } 210 cancel_(config_user_data_, arg); 211 } 212 213 private: 214 /** This is a pointer to the wrapped language implementation of 215 * grpc_tls_server_authorization_check_config. It is necessary to implement 216 * the C schedule and cancel functions, given the schedule or cancel function 217 * in a wrapped language. **/ 218 void* context_ = nullptr; 219 /** config-specific, read-only user data that works for all channels created 220 with a Credential using the config. */ 221 void* config_user_data_; 222 223 /** callback function for invoking server authorization check. The 224 implementation of this method has to be non-blocking, but can be performed 225 synchronously or asynchronously. 226 If processing occurs synchronously, it populates \a arg->result, \a 227 arg->status, and \a arg->error_details, and returns zero. 228 If processing occurs asynchronously, it returns a non-zero value. 229 Application then invokes \a arg->cb when processing is completed. Note that 230 \a arg->cb cannot be invoked before \a schedule() returns. 231 */ 232 int (*schedule_)(void* config_user_data, 233 grpc_tls_server_authorization_check_arg* arg); 234 235 /** callback function for canceling a server authorization check request. */ 236 void (*cancel_)(void* config_user_data, 237 grpc_tls_server_authorization_check_arg* arg); 238 239 /** callback function for cleaning up any data associated with server 240 authorization check config. */ 241 void (*destruct_)(void* config_user_data); 242 }; 243 244 /* TLS credentials options. */ 245 struct grpc_tls_credentials_options 246 : public grpc_core::RefCounted<grpc_tls_credentials_options> { 247 public: ~grpc_tls_credentials_optionsgrpc_tls_credentials_options248 ~grpc_tls_credentials_options() { 249 if (key_materials_config_.get() != nullptr) { 250 key_materials_config_.get()->Unref(); 251 } 252 if (credential_reload_config_.get() != nullptr) { 253 credential_reload_config_.get()->Unref(); 254 } 255 if (server_authorization_check_config_.get() != nullptr) { 256 server_authorization_check_config_.get()->Unref(); 257 } 258 } 259 260 /* Getters for member fields. */ cert_request_typegrpc_tls_credentials_options261 grpc_ssl_client_certificate_request_type cert_request_type() const { 262 return cert_request_type_; 263 } server_verification_optiongrpc_tls_credentials_options264 grpc_tls_server_verification_option server_verification_option() const { 265 return server_verification_option_; 266 } min_tls_versiongrpc_tls_credentials_options267 grpc_tls_version min_tls_version() const { return min_tls_version_; } max_tls_versiongrpc_tls_credentials_options268 grpc_tls_version max_tls_version() const { return max_tls_version_; } key_materials_configgrpc_tls_credentials_options269 grpc_tls_key_materials_config* key_materials_config() const { 270 return key_materials_config_.get(); 271 } credential_reload_configgrpc_tls_credentials_options272 grpc_tls_credential_reload_config* credential_reload_config() const { 273 return credential_reload_config_.get(); 274 } 275 grpc_tls_server_authorization_check_config* server_authorization_check_configgrpc_tls_credentials_options276 server_authorization_check_config() const { 277 return server_authorization_check_config_.get(); 278 } 279 280 /* Setters for member fields. */ set_cert_request_typegrpc_tls_credentials_options281 void set_cert_request_type( 282 const grpc_ssl_client_certificate_request_type type) { 283 cert_request_type_ = type; 284 } set_server_verification_optiongrpc_tls_credentials_options285 void set_server_verification_option( 286 const grpc_tls_server_verification_option server_verification_option) { 287 server_verification_option_ = server_verification_option; 288 } set_min_tls_versiongrpc_tls_credentials_options289 void set_min_tls_version(grpc_tls_version min_tls_version) { 290 min_tls_version_ = min_tls_version; 291 } set_max_tls_versiongrpc_tls_credentials_options292 void set_max_tls_version(grpc_tls_version max_tls_version) { 293 max_tls_version_ = max_tls_version; 294 } set_key_materials_configgrpc_tls_credentials_options295 void set_key_materials_config( 296 grpc_core::RefCountedPtr<grpc_tls_key_materials_config> config) { 297 key_materials_config_ = std::move(config); 298 } set_credential_reload_configgrpc_tls_credentials_options299 void set_credential_reload_config( 300 grpc_core::RefCountedPtr<grpc_tls_credential_reload_config> config) { 301 credential_reload_config_ = std::move(config); 302 } set_server_authorization_check_configgrpc_tls_credentials_options303 void set_server_authorization_check_config( 304 grpc_core::RefCountedPtr<grpc_tls_server_authorization_check_config> 305 config) { 306 server_authorization_check_config_ = std::move(config); 307 } 308 309 private: 310 grpc_ssl_client_certificate_request_type cert_request_type_; 311 grpc_tls_server_verification_option server_verification_option_ = 312 GRPC_TLS_SERVER_VERIFICATION; 313 grpc_tls_version min_tls_version_ = grpc_tls_version::TLS1_2; 314 grpc_tls_version max_tls_version_ = grpc_tls_version::TLS1_3; 315 grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_; 316 grpc_core::RefCountedPtr<grpc_tls_credential_reload_config> 317 credential_reload_config_; 318 grpc_core::RefCountedPtr<grpc_tls_server_authorization_check_config> 319 server_authorization_check_config_; 320 }; 321 322 #endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H \ 323 */ 324