1 /*
2 *
3 * Copyright 2015 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include <grpc/support/port_platform.h>
20
21 #include <string.h>
22
23 #include "src/core/lib/channel/channel_args.h"
24 #include "src/core/lib/gpr/string.h"
25 #include "src/core/lib/gprpp/arena.h"
26 #include "src/core/lib/gprpp/ref_counted.h"
27 #include "src/core/lib/gprpp/ref_counted_ptr.h"
28 #include "src/core/lib/security/context/security_context.h"
29 #include "src/core/lib/surface/api_trace.h"
30 #include "src/core/lib/surface/call.h"
31
32 #include <grpc/grpc_security.h>
33 #include <grpc/support/alloc.h>
34 #include <grpc/support/log.h>
35 #include <grpc/support/string_util.h>
36
37 grpc_core::DebugOnlyTraceFlag grpc_trace_auth_context_refcount(
38 false, "auth_context_refcount");
39
40 /* --- grpc_call --- */
41
grpc_call_set_credentials(grpc_call * call,grpc_call_credentials * creds)42 grpc_call_error grpc_call_set_credentials(grpc_call* call,
43 grpc_call_credentials* creds) {
44 grpc_core::ExecCtx exec_ctx;
45 grpc_client_security_context* ctx = nullptr;
46 GRPC_API_TRACE("grpc_call_set_credentials(call=%p, creds=%p)", 2,
47 (call, creds));
48 if (!grpc_call_is_client(call)) {
49 gpr_log(GPR_ERROR, "Method is client-side only.");
50 return GRPC_CALL_ERROR_NOT_ON_SERVER;
51 }
52 ctx = static_cast<grpc_client_security_context*>(
53 grpc_call_context_get(call, GRPC_CONTEXT_SECURITY));
54 if (ctx == nullptr) {
55 ctx = grpc_client_security_context_create(grpc_call_get_arena(call), creds);
56 grpc_call_context_set(call, GRPC_CONTEXT_SECURITY, ctx,
57 grpc_client_security_context_destroy);
58 } else {
59 ctx->creds = creds != nullptr ? creds->Ref() : nullptr;
60 }
61
62 return GRPC_CALL_OK;
63 }
64
grpc_call_auth_context(grpc_call * call)65 grpc_auth_context* grpc_call_auth_context(grpc_call* call) {
66 void* sec_ctx = grpc_call_context_get(call, GRPC_CONTEXT_SECURITY);
67 GRPC_API_TRACE("grpc_call_auth_context(call=%p)", 1, (call));
68 if (sec_ctx == nullptr) return nullptr;
69 if (grpc_call_is_client(call)) {
70 auto* sc = static_cast<grpc_client_security_context*>(sec_ctx);
71 if (sc->auth_context == nullptr) {
72 return nullptr;
73 } else {
74 return sc->auth_context
75 ->Ref(DEBUG_LOCATION, "grpc_call_auth_context client")
76 .release();
77 }
78 } else {
79 auto* sc = static_cast<grpc_server_security_context*>(sec_ctx);
80 if (sc->auth_context == nullptr) {
81 return nullptr;
82 } else {
83 return sc->auth_context
84 ->Ref(DEBUG_LOCATION, "grpc_call_auth_context server")
85 .release();
86 }
87 }
88 }
89
grpc_auth_context_release(grpc_auth_context * context)90 void grpc_auth_context_release(grpc_auth_context* context) {
91 GRPC_API_TRACE("grpc_auth_context_release(context=%p)", 1, (context));
92 if (context == nullptr) return;
93 context->Unref(DEBUG_LOCATION, "grpc_auth_context_unref");
94 }
95
96 /* --- grpc_client_security_context --- */
~grpc_client_security_context()97 grpc_client_security_context::~grpc_client_security_context() {
98 auth_context.reset(DEBUG_LOCATION, "client_security_context");
99 if (extension.instance != nullptr && extension.destroy != nullptr) {
100 extension.destroy(extension.instance);
101 }
102 }
103
grpc_client_security_context_create(grpc_core::Arena * arena,grpc_call_credentials * creds)104 grpc_client_security_context* grpc_client_security_context_create(
105 grpc_core::Arena* arena, grpc_call_credentials* creds) {
106 return arena->New<grpc_client_security_context>(
107 creds != nullptr ? creds->Ref() : nullptr);
108 }
109
grpc_client_security_context_destroy(void * ctx)110 void grpc_client_security_context_destroy(void* ctx) {
111 grpc_core::ExecCtx exec_ctx;
112 grpc_client_security_context* c =
113 static_cast<grpc_client_security_context*>(ctx);
114 c->~grpc_client_security_context();
115 }
116
117 /* --- grpc_server_security_context --- */
~grpc_server_security_context()118 grpc_server_security_context::~grpc_server_security_context() {
119 auth_context.reset(DEBUG_LOCATION, "server_security_context");
120 if (extension.instance != nullptr && extension.destroy != nullptr) {
121 extension.destroy(extension.instance);
122 }
123 }
124
grpc_server_security_context_create(grpc_core::Arena * arena)125 grpc_server_security_context* grpc_server_security_context_create(
126 grpc_core::Arena* arena) {
127 return arena->New<grpc_server_security_context>();
128 }
129
grpc_server_security_context_destroy(void * ctx)130 void grpc_server_security_context_destroy(void* ctx) {
131 grpc_server_security_context* c =
132 static_cast<grpc_server_security_context*>(ctx);
133 c->~grpc_server_security_context();
134 }
135
136 /* --- grpc_auth_context --- */
137
138 static grpc_auth_property_iterator empty_iterator = {nullptr, 0, nullptr};
139
grpc_auth_context_peer_identity_property_name(const grpc_auth_context * ctx)140 const char* grpc_auth_context_peer_identity_property_name(
141 const grpc_auth_context* ctx) {
142 GRPC_API_TRACE("grpc_auth_context_peer_identity_property_name(ctx=%p)", 1,
143 (ctx));
144 return ctx->peer_identity_property_name();
145 }
146
grpc_auth_context_set_peer_identity_property_name(grpc_auth_context * ctx,const char * name)147 int grpc_auth_context_set_peer_identity_property_name(grpc_auth_context* ctx,
148 const char* name) {
149 grpc_auth_property_iterator it =
150 grpc_auth_context_find_properties_by_name(ctx, name);
151 const grpc_auth_property* prop = grpc_auth_property_iterator_next(&it);
152 GRPC_API_TRACE(
153 "grpc_auth_context_set_peer_identity_property_name(ctx=%p, name=%s)", 2,
154 (ctx, name));
155 if (prop == nullptr) {
156 gpr_log(GPR_ERROR, "Property name %s not found in auth context.",
157 name != nullptr ? name : "NULL");
158 return 0;
159 }
160 ctx->set_peer_identity_property_name(prop->name);
161 return 1;
162 }
163
grpc_auth_context_peer_is_authenticated(const grpc_auth_context * ctx)164 int grpc_auth_context_peer_is_authenticated(const grpc_auth_context* ctx) {
165 GRPC_API_TRACE("grpc_auth_context_peer_is_authenticated(ctx=%p)", 1, (ctx));
166 return ctx->is_authenticated();
167 }
168
grpc_auth_context_property_iterator(const grpc_auth_context * ctx)169 grpc_auth_property_iterator grpc_auth_context_property_iterator(
170 const grpc_auth_context* ctx) {
171 grpc_auth_property_iterator it = empty_iterator;
172 GRPC_API_TRACE("grpc_auth_context_property_iterator(ctx=%p)", 1, (ctx));
173 if (ctx == nullptr) return it;
174 it.ctx = ctx;
175 return it;
176 }
177
grpc_auth_property_iterator_next(grpc_auth_property_iterator * it)178 const grpc_auth_property* grpc_auth_property_iterator_next(
179 grpc_auth_property_iterator* it) {
180 GRPC_API_TRACE("grpc_auth_property_iterator_next(it=%p)", 1, (it));
181 if (it == nullptr || it->ctx == nullptr) return nullptr;
182 while (it->index == it->ctx->properties().count) {
183 if (it->ctx->chained() == nullptr) return nullptr;
184 it->ctx = it->ctx->chained();
185 it->index = 0;
186 }
187 if (it->name == nullptr) {
188 return &it->ctx->properties().array[it->index++];
189 } else {
190 while (it->index < it->ctx->properties().count) {
191 const grpc_auth_property* prop =
192 &it->ctx->properties().array[it->index++];
193 GPR_ASSERT(prop->name != nullptr);
194 if (strcmp(it->name, prop->name) == 0) {
195 return prop;
196 }
197 }
198 /* We could not find the name, try another round. */
199 return grpc_auth_property_iterator_next(it);
200 }
201 }
202
grpc_auth_context_find_properties_by_name(const grpc_auth_context * ctx,const char * name)203 grpc_auth_property_iterator grpc_auth_context_find_properties_by_name(
204 const grpc_auth_context* ctx, const char* name) {
205 grpc_auth_property_iterator it = empty_iterator;
206 GRPC_API_TRACE("grpc_auth_context_find_properties_by_name(ctx=%p, name=%s)",
207 2, (ctx, name));
208 if (ctx == nullptr || name == nullptr) return empty_iterator;
209 it.ctx = ctx;
210 it.name = name;
211 return it;
212 }
213
grpc_auth_context_peer_identity(const grpc_auth_context * ctx)214 grpc_auth_property_iterator grpc_auth_context_peer_identity(
215 const grpc_auth_context* ctx) {
216 GRPC_API_TRACE("grpc_auth_context_peer_identity(ctx=%p)", 1, (ctx));
217 if (ctx == nullptr) return empty_iterator;
218 return grpc_auth_context_find_properties_by_name(
219 ctx, ctx->peer_identity_property_name());
220 }
221
ensure_capacity()222 void grpc_auth_context::ensure_capacity() {
223 if (properties_.count == properties_.capacity) {
224 properties_.capacity =
225 GPR_MAX(properties_.capacity + 8, properties_.capacity * 2);
226 properties_.array = static_cast<grpc_auth_property*>(gpr_realloc(
227 properties_.array, properties_.capacity * sizeof(grpc_auth_property)));
228 }
229 }
230
add_property(const char * name,const char * value,size_t value_length)231 void grpc_auth_context::add_property(const char* name, const char* value,
232 size_t value_length) {
233 ensure_capacity();
234 grpc_auth_property* prop = &properties_.array[properties_.count++];
235 prop->name = gpr_strdup(name);
236 prop->value = static_cast<char*>(gpr_malloc(value_length + 1));
237 memcpy(prop->value, value, value_length);
238 prop->value[value_length] = '\0';
239 prop->value_length = value_length;
240 }
241
grpc_auth_context_add_property(grpc_auth_context * ctx,const char * name,const char * value,size_t value_length)242 void grpc_auth_context_add_property(grpc_auth_context* ctx, const char* name,
243 const char* value, size_t value_length) {
244 GRPC_API_TRACE(
245 "grpc_auth_context_add_property(ctx=%p, name=%s, value=%*.*s, "
246 "value_length=%lu)",
247 6,
248 (ctx, name, (int)value_length, (int)value_length, value,
249 (unsigned long)value_length));
250 ctx->add_property(name, value, value_length);
251 }
252
add_cstring_property(const char * name,const char * value)253 void grpc_auth_context::add_cstring_property(const char* name,
254 const char* value) {
255 ensure_capacity();
256 grpc_auth_property* prop = &properties_.array[properties_.count++];
257 prop->name = gpr_strdup(name);
258 prop->value = gpr_strdup(value);
259 prop->value_length = strlen(value);
260 }
261
grpc_auth_context_add_cstring_property(grpc_auth_context * ctx,const char * name,const char * value)262 void grpc_auth_context_add_cstring_property(grpc_auth_context* ctx,
263 const char* name,
264 const char* value) {
265 GRPC_API_TRACE(
266 "grpc_auth_context_add_cstring_property(ctx=%p, name=%s, value=%s)", 3,
267 (ctx, name, value));
268 ctx->add_cstring_property(name, value);
269 }
270
grpc_auth_property_reset(grpc_auth_property * property)271 void grpc_auth_property_reset(grpc_auth_property* property) {
272 gpr_free(property->name);
273 gpr_free(property->value);
274 memset(property, 0, sizeof(grpc_auth_property));
275 }
276
auth_context_pointer_arg_destroy(void * p)277 static void auth_context_pointer_arg_destroy(void* p) {
278 if (p != nullptr) {
279 static_cast<grpc_auth_context*>(p)->Unref(DEBUG_LOCATION,
280 "auth_context_pointer_arg");
281 }
282 }
283
auth_context_pointer_arg_copy(void * p)284 static void* auth_context_pointer_arg_copy(void* p) {
285 auto* ctx = static_cast<grpc_auth_context*>(p);
286 return ctx == nullptr
287 ? nullptr
288 : ctx->Ref(DEBUG_LOCATION, "auth_context_pointer_arg").release();
289 }
290
auth_context_pointer_cmp(void * a,void * b)291 static int auth_context_pointer_cmp(void* a, void* b) { return GPR_ICMP(a, b); }
292
293 static const grpc_arg_pointer_vtable auth_context_pointer_vtable = {
294 auth_context_pointer_arg_copy, auth_context_pointer_arg_destroy,
295 auth_context_pointer_cmp};
296
grpc_auth_context_to_arg(grpc_auth_context * c)297 grpc_arg grpc_auth_context_to_arg(grpc_auth_context* c) {
298 return grpc_channel_arg_pointer_create(
299 const_cast<char*>(GRPC_AUTH_CONTEXT_ARG), c,
300 &auth_context_pointer_vtable);
301 }
302
grpc_auth_context_from_arg(const grpc_arg * arg)303 grpc_auth_context* grpc_auth_context_from_arg(const grpc_arg* arg) {
304 if (strcmp(arg->key, GRPC_AUTH_CONTEXT_ARG) != 0) return nullptr;
305 if (arg->type != GRPC_ARG_POINTER) {
306 gpr_log(GPR_ERROR, "Invalid type %d for arg %s", arg->type,
307 GRPC_AUTH_CONTEXT_ARG);
308 return nullptr;
309 }
310 return static_cast<grpc_auth_context*>(arg->value.pointer.p);
311 }
312
grpc_find_auth_context_in_args(const grpc_channel_args * args)313 grpc_auth_context* grpc_find_auth_context_in_args(
314 const grpc_channel_args* args) {
315 size_t i;
316 if (args == nullptr) return nullptr;
317 for (i = 0; i < args->num_args; i++) {
318 grpc_auth_context* p = grpc_auth_context_from_arg(&args->args[i]);
319 if (p != nullptr) return p;
320 }
321 return nullptr;
322 }
323