• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *
3  * Copyright 2015 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef GRPCPP_SECURITY_SERVER_CREDENTIALS_H
20 #define GRPCPP_SECURITY_SERVER_CREDENTIALS_H
21 
22 #include <memory>
23 #include <vector>
24 
25 #include <grpc/grpc_security_constants.h>
26 #include <grpcpp/security/auth_metadata_processor.h>
27 #include <grpcpp/security/tls_credentials_options.h>
28 #include <grpcpp/support/config.h>
29 
30 struct grpc_server;
31 
32 namespace grpc {
33 
34 class Server;
35 class ServerCredentials;
36 class SecureServerCredentials;
37 /// Options to create ServerCredentials with SSL
38 struct SslServerCredentialsOptions {
39   /// \warning Deprecated
SslServerCredentialsOptionsSslServerCredentialsOptions40   SslServerCredentialsOptions()
41       : force_client_auth(false),
42         client_certificate_request(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE) {}
SslServerCredentialsOptionsSslServerCredentialsOptions43   explicit SslServerCredentialsOptions(
44       grpc_ssl_client_certificate_request_type request_type)
45       : force_client_auth(false), client_certificate_request(request_type) {}
46 
47   struct PemKeyCertPair {
48     std::string private_key;
49     std::string cert_chain;
50   };
51   std::string pem_root_certs;
52   std::vector<PemKeyCertPair> pem_key_cert_pairs;
53   /// \warning Deprecated
54   bool force_client_auth;
55 
56   /// If both \a force_client_auth and \a client_certificate_request
57   /// fields are set, \a force_client_auth takes effect, i.e.
58   /// \a REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY
59   /// will be enforced.
60   grpc_ssl_client_certificate_request_type client_certificate_request;
61 };
62 
63 namespace experimental {
64 /// Builds Xds ServerCredentials given fallback credentials
65 std::shared_ptr<ServerCredentials> XdsServerCredentials(
66     const std::shared_ptr<ServerCredentials>& fallback_credentials);
67 }  // namespace experimental
68 
69 /// Wrapper around \a grpc_server_credentials, a way to authenticate a server.
70 class ServerCredentials : private grpc::GrpcLibraryCodegen {
71  public:
72   ServerCredentials();
73   ~ServerCredentials() override;
74 
75   /// This method is not thread-safe and has to be called before the server is
76   /// started. The last call to this function wins.
77   virtual void SetAuthMetadataProcessor(
78       const std::shared_ptr<grpc::AuthMetadataProcessor>& processor) = 0;
79 
80  private:
81   friend class Server;
82 
83   // We need this friend declaration for access to Insecure() and
84   // AsSecureServerCredentials(). When these two functions are no longer
85   // necessary, this friend declaration can be removed too.
86   friend std::shared_ptr<ServerCredentials>
87   grpc::experimental::XdsServerCredentials(
88       const std::shared_ptr<ServerCredentials>& fallback_credentials);
89 
90   /// Tries to bind \a server to the given \a addr (eg, localhost:1234,
91   /// 192.168.1.1:31416, [::1]:27182, etc.)
92   ///
93   /// \return bound port number on success, 0 on failure.
94   // TODO(dgq): the "port" part seems to be a misnomer.
95   virtual int AddPortToServer(const std::string& addr, grpc_server* server) = 0;
96 
97   // TODO(yashykt): This is a hack since InsecureServerCredentials() cannot use
98   // grpc_insecure_server_credentials_create() and should be removed after
99   // insecure builds are removed from gRPC.
IsInsecure()100   virtual bool IsInsecure() const { return false; }
101 
102   // TODO(yashkt): This is a hack that should be removed once we remove insecure
103   // builds and the indirect method of adding ports to a server.
AsSecureServerCredentials()104   virtual SecureServerCredentials* AsSecureServerCredentials() {
105     return nullptr;
106   }
107 };
108 
109 /// Builds SSL ServerCredentials given SSL specific options
110 std::shared_ptr<ServerCredentials> SslServerCredentials(
111     const grpc::SslServerCredentialsOptions& options);
112 
113 std::shared_ptr<ServerCredentials> InsecureServerCredentials();
114 
115 namespace experimental {
116 
117 /// Options to create ServerCredentials with ALTS
118 struct AltsServerCredentialsOptions {
119   /// Add fields if needed.
120 };
121 
122 /// Builds ALTS ServerCredentials given ALTS specific options
123 std::shared_ptr<ServerCredentials> AltsServerCredentials(
124     const AltsServerCredentialsOptions& options);
125 
126 /// Builds Local ServerCredentials.
127 std::shared_ptr<ServerCredentials> AltsServerCredentials(
128     const AltsServerCredentialsOptions& options);
129 
130 std::shared_ptr<ServerCredentials> LocalServerCredentials(
131     grpc_local_connect_type type);
132 
133 /// Builds TLS ServerCredentials given TLS options.
134 std::shared_ptr<ServerCredentials> TlsServerCredentials(
135     const experimental::TlsServerCredentialsOptions& options);
136 
137 }  // namespace experimental
138 }  // namespace grpc
139 
140 #endif  // GRPCPP_SECURITY_SERVER_CREDENTIALS_H
141