1 //
2 //
3 // Copyright 2015 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 //     http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18 
19 #ifndef GRPC_SRC_CORE_LIB_SECURITY_TRANSPORT_AUTH_FILTERS_H
20 #define GRPC_SRC_CORE_LIB_SECURITY_TRANSPORT_AUTH_FILTERS_H
21 
22 #include <grpc/credentials.h>
23 #include <grpc/grpc_security.h>
24 #include <grpc/grpc_security_constants.h>
25 #include <grpc/support/port_platform.h>
26 
27 #include "absl/status/statusor.h"
28 #include "src/core/lib/channel/channel_args.h"
29 #include "src/core/lib/channel/channel_fwd.h"
30 #include "src/core/lib/channel/channel_stack.h"
31 #include "src/core/lib/channel/promise_based_filter.h"
32 #include "src/core/lib/promise/arena_promise.h"
33 #include "src/core/lib/security/credentials/credentials.h"
34 #include "src/core/lib/security/security_connector/security_connector.h"
35 #include "src/core/lib/transport/transport.h"
36 #include "src/core/util/ref_counted_ptr.h"
37 
38 namespace grpc_core {
39 
// Client-side channel filter: before a call proceeds down the stack it calls
// out to the channel's call credentials so they can contribute per-call
// request metadata.
//
// NOTE(review): this header uses std::unique_ptr without a direct <memory>
// include and relies on transitive includes — confirm that is intended.
class ClientAuthFilter final : public ChannelFilter {
 public:
  static const grpc_channel_filter kFilter;

  // Identifier reported for this filter type.
  static absl::string_view TypeName() {
    constexpr absl::string_view kName = "client-auth-filter";
    return kName;
  }

  ClientAuthFilter(
      RefCountedPtr<grpc_channel_security_connector> security_connector,
      RefCountedPtr<grpc_auth_context> auth_context);

  // Builds a filter instance from the channel args, or reports why it could
  // not be built.
  static absl::StatusOr<std::unique_ptr<ClientAuthFilter>> Create(
      const ChannelArgs& args, ChannelFilter::Args);

  // Builds the promise that runs this filter for a single call.
  ArenaPromise<ServerMetadataHandle> MakeCallPromise(
      CallArgs call_args, NextPromiseFactory next_promise_factory) override;

 private:
  // Asks the call credentials for request metadata. Resolves to the CallArgs
  // to continue with, or to the status the credentials reported.
  ArenaPromise<absl::StatusOr<CallArgs>> GetCallCredsMetadata(
      CallArgs call_args);

  // Keeps refs to the security connector and auth context for the lifetime
  // of the filter; handed to the credentials on each metadata request.
  grpc_call_credentials::GetRequestMetadataArgs args_;
};
65 
// Server-side channel filter: hands the client's initial metadata to the
// application-supplied auth metadata processor (when one is configured)
// before the call is allowed to continue.
class ServerAuthFilter final : public ImplementChannelFilter<ServerAuthFilter> {
 private:
  // Move-only promise wrapping one run of the application's auth metadata
  // processor; polled for the resulting status.
  class RunApplicationCode {
   public:
    RunApplicationCode(ServerAuthFilter* filter, ClientMetadata& metadata);

    RunApplicationCode(const RunApplicationCode&) = delete;
    RunApplicationCode& operator=(const RunApplicationCode&) = delete;

    // Moves take over the pending state pointer and leave the source empty,
    // so only one wrapper ever refers to a given State.
    RunApplicationCode(RunApplicationCode&& other) noexcept
        : state_(other.state_) {
      other.state_ = nullptr;
    }
    RunApplicationCode& operator=(RunApplicationCode&& other) noexcept {
      State* taken = other.state_;
      other.state_ = nullptr;
      state_ = taken;
      return *this;
    }

    // Poll for the outcome of the application processing.
    Poll<absl::Status> operator()();

   private:
    // Completion callback handed to application code; the application calls
    // it with the metadata it consumed, any response metadata, and a status.
    static void OnMdProcessingDone(void* user_data,
                                   const grpc_metadata* consumed_md,
                                   size_t num_consumed_md,
                                   const grpc_metadata* response_md,
                                   size_t num_response_md,
                                   grpc_status_code status,
                                   const char* error_details);

    struct State;
    // No destructor releases this pointer here — presumably the State is
    // owned elsewhere (e.g. an arena); confirm against the .cc file.
    State* state_;
  };

 public:
  static const grpc_channel_filter kFilter;

  // Identifier reported for this filter type.
  static absl::string_view TypeName() {
    constexpr absl::string_view kName = "server-auth";
    return kName;
  }

  ServerAuthFilter(RefCountedPtr<grpc_server_credentials> server_credentials,
                   RefCountedPtr<grpc_auth_context> auth_context);

  // Builds a filter instance from the channel args, or reports why it could
  // not be built.
  static absl::StatusOr<std::unique_ptr<ServerAuthFilter>> Create(
      const ChannelArgs& args, ChannelFilter::Args);

  // Per-call interceptor set for this filter.
  class Call {
   public:
    explicit Call(ServerAuthFilter* filter);

    // Runs the application's auth metadata processor on the client's initial
    // metadata. If no server credentials are attached, or the credentials
    // carry no `process` callback, the call is let through with OK status
    // and no application code runs.
    auto OnClientInitialMetadata(ClientMetadata& md, ServerAuthFilter* filter) {
      const bool no_processor =
          filter->server_credentials_ == nullptr ||
          filter->server_credentials_->auth_metadata_processor().process ==
              nullptr;
      ClientMetadata* md_ptr = &md;
      return If(no_processor, ImmediateOkStatus(), [filter, md_ptr]() {
        return RunApplicationCode(filter, *md_ptr);
      });
    }

    // Every other call event passes through this filter untouched.
    static const NoInterceptor OnServerInitialMetadata;
    static const NoInterceptor OnClientToServerMessage;
    static const NoInterceptor OnClientToServerHalfClose;
    static const NoInterceptor OnServerToClientMessage;
    static const NoInterceptor OnServerTrailingMetadata;
    static const NoInterceptor OnFinalize;
  };

 private:
  // NOTE(review): mirrors ClientAuthFilter::GetCallCredsMetadata; confirm it
  // is defined and used on the server side.
  ArenaPromise<absl::StatusOr<CallArgs>> GetCallCredsMetadata(
      CallArgs call_args);

  RefCountedPtr<grpc_server_credentials> server_credentials_;
  RefCountedPtr<grpc_auth_context> auth_context_;
};
134 
135 }  // namespace grpc_core
136 
// Exposed for testing purposes only.
//
// Returns true when `channel_level` is higher than or equal to
// `call_cred_level`, i.e. the channel is secure enough for the call
// credentials to be transferred over it; false means the transfer should be
// refused.
bool grpc_check_security_level(grpc_security_level channel_level,
                               grpc_security_level call_cred_level);
143 
144 #endif  // GRPC_SRC_CORE_LIB_SECURITY_TRANSPORT_AUTH_FILTERS_H