1 /*
2 *
3 * Copyright 2015 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include <grpc/support/port_platform.h>
20
21 #include <string.h>
22
23 #include "src/core/lib/channel/channel_args.h"
24 #include "src/core/lib/gpr/arena.h"
25 #include "src/core/lib/gpr/string.h"
26 #include "src/core/lib/security/context/security_context.h"
27 #include "src/core/lib/surface/api_trace.h"
28 #include "src/core/lib/surface/call.h"
29
30 #include <grpc/grpc_security.h>
31 #include <grpc/support/alloc.h>
32 #include <grpc/support/log.h>
33 #include <grpc/support/string_util.h>
34
35 grpc_core::DebugOnlyTraceFlag grpc_trace_auth_context_refcount(
36 false, "auth_context_refcount");
37
38 /* --- grpc_call --- */
39
grpc_call_set_credentials(grpc_call * call,grpc_call_credentials * creds)40 grpc_call_error grpc_call_set_credentials(grpc_call* call,
41 grpc_call_credentials* creds) {
42 grpc_core::ExecCtx exec_ctx;
43 grpc_client_security_context* ctx = nullptr;
44 GRPC_API_TRACE("grpc_call_set_credentials(call=%p, creds=%p)", 2,
45 (call, creds));
46 if (!grpc_call_is_client(call)) {
47 gpr_log(GPR_ERROR, "Method is client-side only.");
48 return GRPC_CALL_ERROR_NOT_ON_SERVER;
49 }
50 ctx = static_cast<grpc_client_security_context*>(
51 grpc_call_context_get(call, GRPC_CONTEXT_SECURITY));
52 if (ctx == nullptr) {
53 ctx = grpc_client_security_context_create(grpc_call_get_arena(call));
54 ctx->creds = grpc_call_credentials_ref(creds);
55 grpc_call_context_set(call, GRPC_CONTEXT_SECURITY, ctx,
56 grpc_client_security_context_destroy);
57 } else {
58 grpc_call_credentials_unref(ctx->creds);
59 ctx->creds = grpc_call_credentials_ref(creds);
60 }
61
62 return GRPC_CALL_OK;
63 }
64
grpc_call_auth_context(grpc_call * call)65 grpc_auth_context* grpc_call_auth_context(grpc_call* call) {
66 void* sec_ctx = grpc_call_context_get(call, GRPC_CONTEXT_SECURITY);
67 GRPC_API_TRACE("grpc_call_auth_context(call=%p)", 1, (call));
68 if (sec_ctx == nullptr) return nullptr;
69 return grpc_call_is_client(call)
70 ? GRPC_AUTH_CONTEXT_REF(
71 ((grpc_client_security_context*)sec_ctx)->auth_context,
72 "grpc_call_auth_context client")
73 : GRPC_AUTH_CONTEXT_REF(
74 ((grpc_server_security_context*)sec_ctx)->auth_context,
75 "grpc_call_auth_context server");
76 }
77
grpc_auth_context_release(grpc_auth_context * context)78 void grpc_auth_context_release(grpc_auth_context* context) {
79 GRPC_API_TRACE("grpc_auth_context_release(context=%p)", 1, (context));
80 GRPC_AUTH_CONTEXT_UNREF(context, "grpc_auth_context_unref");
81 }
82
83 /* --- grpc_client_security_context --- */
84
grpc_client_security_context_create(gpr_arena * arena)85 grpc_client_security_context* grpc_client_security_context_create(
86 gpr_arena* arena) {
87 return static_cast<grpc_client_security_context*>(
88 gpr_arena_alloc(arena, sizeof(grpc_client_security_context)));
89 }
90
grpc_client_security_context_destroy(void * ctx)91 void grpc_client_security_context_destroy(void* ctx) {
92 grpc_core::ExecCtx exec_ctx;
93 grpc_client_security_context* c =
94 static_cast<grpc_client_security_context*>(ctx);
95 grpc_call_credentials_unref(c->creds);
96 GRPC_AUTH_CONTEXT_UNREF(c->auth_context, "client_security_context");
97 if (c->extension.instance != nullptr && c->extension.destroy != nullptr) {
98 c->extension.destroy(c->extension.instance);
99 }
100 }
101
102 /* --- grpc_server_security_context --- */
grpc_server_security_context_create(gpr_arena * arena)103 grpc_server_security_context* grpc_server_security_context_create(
104 gpr_arena* arena) {
105 return static_cast<grpc_server_security_context*>(
106 gpr_arena_alloc(arena, sizeof(grpc_server_security_context)));
107 }
108
grpc_server_security_context_destroy(void * ctx)109 void grpc_server_security_context_destroy(void* ctx) {
110 grpc_server_security_context* c =
111 static_cast<grpc_server_security_context*>(ctx);
112 GRPC_AUTH_CONTEXT_UNREF(c->auth_context, "server_security_context");
113 if (c->extension.instance != nullptr && c->extension.destroy != nullptr) {
114 c->extension.destroy(c->extension.instance);
115 }
116 }
117
118 /* --- grpc_auth_context --- */
119
120 static grpc_auth_property_iterator empty_iterator = {nullptr, 0, nullptr};
121
grpc_auth_context_create(grpc_auth_context * chained)122 grpc_auth_context* grpc_auth_context_create(grpc_auth_context* chained) {
123 grpc_auth_context* ctx =
124 static_cast<grpc_auth_context*>(gpr_zalloc(sizeof(grpc_auth_context)));
125 gpr_ref_init(&ctx->refcount, 1);
126 if (chained != nullptr) {
127 ctx->chained = GRPC_AUTH_CONTEXT_REF(chained, "chained");
128 ctx->peer_identity_property_name =
129 ctx->chained->peer_identity_property_name;
130 }
131 return ctx;
132 }
133
134 #ifndef NDEBUG
grpc_auth_context_ref(grpc_auth_context * ctx,const char * file,int line,const char * reason)135 grpc_auth_context* grpc_auth_context_ref(grpc_auth_context* ctx,
136 const char* file, int line,
137 const char* reason) {
138 if (ctx == nullptr) return nullptr;
139 if (grpc_trace_auth_context_refcount.enabled()) {
140 gpr_atm val = gpr_atm_no_barrier_load(&ctx->refcount.count);
141 gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG,
142 "AUTH_CONTEXT:%p ref %" PRIdPTR " -> %" PRIdPTR " %s", ctx, val,
143 val + 1, reason);
144 }
145 #else
146 grpc_auth_context* grpc_auth_context_ref(grpc_auth_context* ctx) {
147 if (ctx == nullptr) return nullptr;
148 #endif
149 gpr_ref(&ctx->refcount);
150 return ctx;
151 }
152
153 #ifndef NDEBUG
154 void grpc_auth_context_unref(grpc_auth_context* ctx, const char* file, int line,
155 const char* reason) {
156 if (ctx == nullptr) return;
157 if (grpc_trace_auth_context_refcount.enabled()) {
158 gpr_atm val = gpr_atm_no_barrier_load(&ctx->refcount.count);
159 gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG,
160 "AUTH_CONTEXT:%p unref %" PRIdPTR " -> %" PRIdPTR " %s", ctx, val,
161 val - 1, reason);
162 }
163 #else
164 void grpc_auth_context_unref(grpc_auth_context* ctx) {
165 if (ctx == nullptr) return;
166 #endif
167 if (gpr_unref(&ctx->refcount)) {
168 size_t i;
169 GRPC_AUTH_CONTEXT_UNREF(ctx->chained, "chained");
170 if (ctx->properties.array != nullptr) {
171 for (i = 0; i < ctx->properties.count; i++) {
172 grpc_auth_property_reset(&ctx->properties.array[i]);
173 }
174 gpr_free(ctx->properties.array);
175 }
176 gpr_free(ctx);
177 }
178 }
179
180 const char* grpc_auth_context_peer_identity_property_name(
181 const grpc_auth_context* ctx) {
182 GRPC_API_TRACE("grpc_auth_context_peer_identity_property_name(ctx=%p)", 1,
183 (ctx));
184 return ctx->peer_identity_property_name;
185 }
186
187 int grpc_auth_context_set_peer_identity_property_name(grpc_auth_context* ctx,
188 const char* name) {
189 grpc_auth_property_iterator it =
190 grpc_auth_context_find_properties_by_name(ctx, name);
191 const grpc_auth_property* prop = grpc_auth_property_iterator_next(&it);
192 GRPC_API_TRACE(
193 "grpc_auth_context_set_peer_identity_property_name(ctx=%p, name=%s)", 2,
194 (ctx, name));
195 if (prop == nullptr) {
196 gpr_log(GPR_ERROR, "Property name %s not found in auth context.",
197 name != nullptr ? name : "NULL");
198 return 0;
199 }
200 ctx->peer_identity_property_name = prop->name;
201 return 1;
202 }
203
204 int grpc_auth_context_peer_is_authenticated(const grpc_auth_context* ctx) {
205 GRPC_API_TRACE("grpc_auth_context_peer_is_authenticated(ctx=%p)", 1, (ctx));
206 return ctx->peer_identity_property_name == nullptr ? 0 : 1;
207 }
208
209 grpc_auth_property_iterator grpc_auth_context_property_iterator(
210 const grpc_auth_context* ctx) {
211 grpc_auth_property_iterator it = empty_iterator;
212 GRPC_API_TRACE("grpc_auth_context_property_iterator(ctx=%p)", 1, (ctx));
213 if (ctx == nullptr) return it;
214 it.ctx = ctx;
215 return it;
216 }
217
218 const grpc_auth_property* grpc_auth_property_iterator_next(
219 grpc_auth_property_iterator* it) {
220 GRPC_API_TRACE("grpc_auth_property_iterator_next(it=%p)", 1, (it));
221 if (it == nullptr || it->ctx == nullptr) return nullptr;
222 while (it->index == it->ctx->properties.count) {
223 if (it->ctx->chained == nullptr) return nullptr;
224 it->ctx = it->ctx->chained;
225 it->index = 0;
226 }
227 if (it->name == nullptr) {
228 return &it->ctx->properties.array[it->index++];
229 } else {
230 while (it->index < it->ctx->properties.count) {
231 const grpc_auth_property* prop = &it->ctx->properties.array[it->index++];
232 GPR_ASSERT(prop->name != nullptr);
233 if (strcmp(it->name, prop->name) == 0) {
234 return prop;
235 }
236 }
237 /* We could not find the name, try another round. */
238 return grpc_auth_property_iterator_next(it);
239 }
240 }
241
242 grpc_auth_property_iterator grpc_auth_context_find_properties_by_name(
243 const grpc_auth_context* ctx, const char* name) {
244 grpc_auth_property_iterator it = empty_iterator;
245 GRPC_API_TRACE("grpc_auth_context_find_properties_by_name(ctx=%p, name=%s)",
246 2, (ctx, name));
247 if (ctx == nullptr || name == nullptr) return empty_iterator;
248 it.ctx = ctx;
249 it.name = name;
250 return it;
251 }
252
253 grpc_auth_property_iterator grpc_auth_context_peer_identity(
254 const grpc_auth_context* ctx) {
255 GRPC_API_TRACE("grpc_auth_context_peer_identity(ctx=%p)", 1, (ctx));
256 if (ctx == nullptr) return empty_iterator;
257 return grpc_auth_context_find_properties_by_name(
258 ctx, ctx->peer_identity_property_name);
259 }
260
261 static void ensure_auth_context_capacity(grpc_auth_context* ctx) {
262 if (ctx->properties.count == ctx->properties.capacity) {
263 ctx->properties.capacity =
264 GPR_MAX(ctx->properties.capacity + 8, ctx->properties.capacity * 2);
265 ctx->properties.array = static_cast<grpc_auth_property*>(
266 gpr_realloc(ctx->properties.array,
267 ctx->properties.capacity * sizeof(grpc_auth_property)));
268 }
269 }
270
271 void grpc_auth_context_add_property(grpc_auth_context* ctx, const char* name,
272 const char* value, size_t value_length) {
273 grpc_auth_property* prop;
274 GRPC_API_TRACE(
275 "grpc_auth_context_add_property(ctx=%p, name=%s, value=%*.*s, "
276 "value_length=%lu)",
277 6,
278 (ctx, name, (int)value_length, (int)value_length, value,
279 (unsigned long)value_length));
280 ensure_auth_context_capacity(ctx);
281 prop = &ctx->properties.array[ctx->properties.count++];
282 prop->name = gpr_strdup(name);
283 prop->value = static_cast<char*>(gpr_malloc(value_length + 1));
284 memcpy(prop->value, value, value_length);
285 prop->value[value_length] = '\0';
286 prop->value_length = value_length;
287 }
288
289 void grpc_auth_context_add_cstring_property(grpc_auth_context* ctx,
290 const char* name,
291 const char* value) {
292 grpc_auth_property* prop;
293 GRPC_API_TRACE(
294 "grpc_auth_context_add_cstring_property(ctx=%p, name=%s, value=%s)", 3,
295 (ctx, name, value));
296 ensure_auth_context_capacity(ctx);
297 prop = &ctx->properties.array[ctx->properties.count++];
298 prop->name = gpr_strdup(name);
299 prop->value = gpr_strdup(value);
300 prop->value_length = strlen(value);
301 }
302
303 void grpc_auth_property_reset(grpc_auth_property* property) {
304 gpr_free(property->name);
305 gpr_free(property->value);
306 memset(property, 0, sizeof(grpc_auth_property));
307 }
308
309 static void auth_context_pointer_arg_destroy(void* p) {
310 GRPC_AUTH_CONTEXT_UNREF((grpc_auth_context*)p, "auth_context_pointer_arg");
311 }
312
313 static void* auth_context_pointer_arg_copy(void* p) {
314 return GRPC_AUTH_CONTEXT_REF((grpc_auth_context*)p,
315 "auth_context_pointer_arg");
316 }
317
318 static int auth_context_pointer_cmp(void* a, void* b) { return GPR_ICMP(a, b); }
319
320 static const grpc_arg_pointer_vtable auth_context_pointer_vtable = {
321 auth_context_pointer_arg_copy, auth_context_pointer_arg_destroy,
322 auth_context_pointer_cmp};
323
324 grpc_arg grpc_auth_context_to_arg(grpc_auth_context* p) {
325 return grpc_channel_arg_pointer_create((char*)GRPC_AUTH_CONTEXT_ARG, p,
326 &auth_context_pointer_vtable);
327 }
328
329 grpc_auth_context* grpc_auth_context_from_arg(const grpc_arg* arg) {
330 if (strcmp(arg->key, GRPC_AUTH_CONTEXT_ARG) != 0) return nullptr;
331 if (arg->type != GRPC_ARG_POINTER) {
332 gpr_log(GPR_ERROR, "Invalid type %d for arg %s", arg->type,
333 GRPC_AUTH_CONTEXT_ARG);
334 return nullptr;
335 }
336 return static_cast<grpc_auth_context*>(arg->value.pointer.p);
337 }
338
339 grpc_auth_context* grpc_find_auth_context_in_args(
340 const grpc_channel_args* args) {
341 size_t i;
342 if (args == nullptr) return nullptr;
343 for (i = 0; i < args->num_args; i++) {
344 grpc_auth_context* p = grpc_auth_context_from_arg(&args->args[i]);
345 if (p != nullptr) return p;
346 }
347 return nullptr;
348 }
349