1 // 2 // 3 // Copyright 2015 gRPC authors. 4 // 5 // Licensed under the Apache License, Version 2.0 (the "License"); 6 // you may not use this file except in compliance with the License. 7 // You may obtain a copy of the License at 8 // 9 // http://www.apache.org/licenses/LICENSE-2.0 10 // 11 // Unless required by applicable law or agreed to in writing, software 12 // distributed under the License is distributed on an "AS IS" BASIS, 13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 // See the License for the specific language governing permissions and 15 // limitations under the License. 16 // 17 // 18 19 #ifndef GRPC_SRC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SECURITY_CONNECTOR_H 20 #define GRPC_SRC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SECURITY_CONNECTOR_H 21 22 #include <grpc/credentials.h> 23 #include <grpc/grpc.h> 24 #include <grpc/grpc_security.h> 25 #include <grpc/support/port_platform.h> 26 27 #include <memory> 28 29 #include "absl/status/status.h" 30 #include "absl/strings/string_view.h" 31 #include "src/core/handshaker/handshaker.h" 32 #include "src/core/lib/channel/channel_args.h" 33 #include "src/core/lib/debug/trace.h" 34 #include "src/core/lib/iomgr/closure.h" 35 #include "src/core/lib/iomgr/endpoint.h" 36 #include "src/core/lib/iomgr/error.h" 37 #include "src/core/lib/iomgr/iomgr_fwd.h" 38 #include "src/core/lib/promise/arena_promise.h" 39 #include "src/core/tsi/transport_security_interface.h" 40 #include "src/core/util/ref_counted.h" 41 #include "src/core/util/ref_counted_ptr.h" 42 #include "src/core/util/unique_type_name.h" 43 44 // --- URL schemes. --- 45 46 #define GRPC_SSL_URL_SCHEME "https" 47 #define GRPC_FAKE_SECURITY_URL_SCHEME "http+fake_security" 48 49 typedef enum { GRPC_SECURITY_OK = 0, GRPC_SECURITY_ERROR } grpc_security_status; 50 51 // --- security_connector object. --- 52 53 // A security connector object represents away to configure the underlying 54 // transport security mechanism and check the resulting trusted peer. 55 56 #define GRPC_ARG_SECURITY_CONNECTOR "grpc.internal.security_connector" 57 58 class grpc_security_connector 59 : public grpc_core::RefCounted<grpc_security_connector> { 60 public: grpc_security_connector(absl::string_view url_scheme)61 explicit grpc_security_connector(absl::string_view url_scheme) 62 : grpc_core::RefCounted<grpc_security_connector>( 63 GRPC_TRACE_FLAG_ENABLED(security_connector_refcount) 64 ? "security_connector_refcount" 65 : nullptr), 66 url_scheme_(url_scheme) {} 67 ChannelArgName()68 static absl::string_view ChannelArgName() { 69 return GRPC_ARG_SECURITY_CONNECTOR; 70 } 71 72 // Checks the peer. Callee takes ownership of the peer object. 73 // The channel args represent the args after the handshaking is performed. 74 // When done, sets *auth_context and invokes on_peer_checked. 75 virtual void check_peer( 76 tsi_peer peer, grpc_endpoint* ep, const grpc_core::ChannelArgs& args, 77 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context, 78 grpc_closure* on_peer_checked) = 0; 79 80 // Cancels the pending check_peer() request associated with on_peer_checked. 81 // If there is no such request pending, this is a no-op. 82 virtual void cancel_check_peer(grpc_closure* on_peer_checked, 83 grpc_error_handle error) = 0; 84 85 // Compares two security connectors. 86 virtual int cmp(const grpc_security_connector* other) const = 0; 87 ChannelArgsCompare(const grpc_security_connector * a,const grpc_security_connector * b)88 static int ChannelArgsCompare(const grpc_security_connector* a, 89 const grpc_security_connector* b) { 90 return a->cmp(b); 91 } 92 url_scheme()93 absl::string_view url_scheme() const { return url_scheme_; } 94 95 virtual grpc_core::UniqueTypeName type() const = 0; 96 97 private: 98 absl::string_view url_scheme_; 99 }; 100 101 // Util to encapsulate the connector in a channel arg. 102 grpc_arg grpc_security_connector_to_arg(grpc_security_connector* sc); 103 104 // Util to get the connector from a channel arg. 105 grpc_security_connector* grpc_security_connector_from_arg(const grpc_arg* arg); 106 107 // Util to find the connector from channel args. 108 grpc_security_connector* grpc_security_connector_find_in_args( 109 const grpc_channel_args* args); 110 111 // --- channel_security_connector object. --- 112 113 // A channel security connector object represents a way to configure the 114 // underlying transport security mechanism on the client side. 115 116 class grpc_channel_security_connector : public grpc_security_connector { 117 public: 118 grpc_channel_security_connector( 119 absl::string_view url_scheme, 120 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds, 121 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds); 122 123 /// Checks that the host that will be set for a call is acceptable. 124 /// Returns ok if the host is acceptable, otherwise returns an error. 125 virtual grpc_core::ArenaPromise<absl::Status> CheckCallHost( 126 absl::string_view host, grpc_auth_context* auth_context) = 0; 127 128 /// Registers handshakers with \a handshake_mgr. 129 virtual void add_handshakers(const grpc_core::ChannelArgs& args, 130 grpc_pollset_set* interested_parties, 131 grpc_core::HandshakeManager* handshake_mgr) = 0; 132 channel_creds()133 const grpc_channel_credentials* channel_creds() const { 134 return channel_creds_.get(); 135 } mutable_channel_creds()136 grpc_channel_credentials* mutable_channel_creds() { 137 return channel_creds_.get(); 138 } request_metadata_creds()139 const grpc_call_credentials* request_metadata_creds() const { 140 return request_metadata_creds_.get(); 141 } mutable_request_metadata_creds()142 grpc_call_credentials* mutable_request_metadata_creds() { 143 return request_metadata_creds_.get(); 144 } 145 146 grpc_core::UniqueTypeName type() const override; 147 148 protected: 149 // Helper methods to be used in subclasses. 150 int channel_security_connector_cmp( 151 const grpc_channel_security_connector* other) const; 152 153 // grpc_channel_args* channel_args() const { return channel_args_.get(); } 154 //// Should be called as soon as the channel args are not needed to reduce 155 //// memory usage. 156 // void clear_channel_arg() { channel_args_.reset(); } 157 158 private: 159 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds_; 160 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds_; 161 std::unique_ptr<grpc_channel_args> channel_args_; 162 }; 163 164 // --- server_security_connector object. --- 165 166 // A server security connector object represents a way to configure the 167 // underlying transport security mechanism on the server side. 168 169 class grpc_server_security_connector : public grpc_security_connector { 170 public: 171 grpc_server_security_connector( 172 absl::string_view url_scheme, 173 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds); 174 175 virtual void add_handshakers(const grpc_core::ChannelArgs& args, 176 grpc_pollset_set* interested_parties, 177 grpc_core::HandshakeManager* handshake_mgr) = 0; 178 server_creds()179 const grpc_server_credentials* server_creds() const { 180 return server_creds_.get(); 181 } mutable_server_creds()182 grpc_server_credentials* mutable_server_creds() { 183 return server_creds_.get(); 184 } 185 186 grpc_core::UniqueTypeName type() const override; 187 188 protected: 189 // Helper methods to be used in subclasses. 190 int server_security_connector_cmp( 191 const grpc_server_security_connector* other) const; 192 193 private: 194 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds_; 195 }; 196 197 #endif // GRPC_SRC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SECURITY_CONNECTOR_H 198