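/*
 *
 * Copyright 2018 gRPC authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */

#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H

#include <grpc/support/port_platform.h>

// std::string / std::move are used directly below; include what we use rather
// than relying on transitive includes.
#include <string>
#include <utility>

#include <grpc/grpc_security.h>

#include "absl/container/inlined_vector.h"

#include "src/core/lib/gprpp/ref_counted.h"
#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
#include "src/core/lib/security/security_connector/ssl_utils.h"

/** Ref-counted holder for the human-readable error string produced by a
 * server authorization check. The string is owned (copied) by this object, so
 * the caller's buffer does not have to outlive it. **/
struct grpc_tls_error_details
    : public grpc_core::RefCounted<grpc_tls_error_details> {
 public:
  grpc_tls_error_details() : error_details_("") {}

  /** Replaces the stored error string with a copy of \a err_details.
   * A null pointer clears the string; assigning nullptr to a std::string is
   * undefined behaviour, so it is handled explicitly here. **/
  void set_error_details(const char* err_details) {
    if (err_details == nullptr) {
      error_details_.clear();
      return;
    }
    error_details_ = err_details;
  }

  /** Returns the stored error string (empty when none was set). The reference
   * is only valid while this object is alive. **/
  const std::string& error_details() const { return error_details_; }

 private:
  std::string error_details_;
};

/** TLS server authorization check config.
 *
 * Wraps the user-supplied schedule/cancel/destruct callbacks together with
 * their opaque user data. Schedule() and Cancel() are defined out of line;
 * from this header they are expected to forward to schedule_ / cancel_ with
 * config_user_data_ (confirm against the .cc). **/
struct grpc_tls_server_authorization_check_config
    : public grpc_core::RefCounted<grpc_tls_server_authorization_check_config> {
 public:
  /** \a config_user_data is opaque, read-only application data passed back to
   * every callback. \a schedule starts a check, \a cancel aborts an
   * in-flight asynchronous check, and \a destruct releases
   * \a config_user_data (see the member comments below for the exact
   * contract of each callback). **/
  grpc_tls_server_authorization_check_config(
      const void* config_user_data,
      int (*schedule)(void* config_user_data,
                      grpc_tls_server_authorization_check_arg* arg),
      void (*cancel)(void* config_user_data,
                     grpc_tls_server_authorization_check_arg* arg),
      void (*destruct)(void* config_user_data));
  ~grpc_tls_server_authorization_check_config() override;

  /** Opaque pointer to the wrapped-language implementation (may be null). **/
  void* context() const { return context_; }

  void set_context(void* context) { context_ = context; }

  /** Starts a server authorization check for \a arg. **/
  int Schedule(grpc_tls_server_authorization_check_arg* arg) const;

  /** Cancels a previously scheduled check for \a arg. **/
  void Cancel(grpc_tls_server_authorization_check_arg* arg) const;

 private:
  /** This is a pointer to the wrapped language implementation of
   * grpc_tls_server_authorization_check_config. It is necessary to implement
   * the C schedule and cancel functions, given the schedule or cancel function
   * in a wrapped language. **/
  void* context_ = nullptr;
  /** config-specific, read-only user data that works for all channels created
     with a Credential using the config. */
  void* config_user_data_;

  /** callback function for invoking server authorization check. The
     implementation of this method has to be non-blocking, but can be performed
     synchronously or asynchronously.
     If processing occurs synchronously, it populates \a arg->result, \a
     arg->status, and \a arg->error_details, and returns zero.
     If processing occurs asynchronously, it returns a non-zero value.
     Application then invokes \a arg->cb when processing is completed. Note that
     \a arg->cb cannot be invoked before \a schedule() returns.
  */
  int (*schedule_)(void* config_user_data,
                   grpc_tls_server_authorization_check_arg* arg);

  /** callback function for canceling a server authorization check request. */
  void (*cancel_)(void* config_user_data,
                  grpc_tls_server_authorization_check_arg* arg);

  /** callback function for cleaning up any data associated with server
     authorization check config. */
  void (*destruct_)(void* config_user_data);
};

// Contains configurable options specified by callers to configure their certain
// security features supported in TLS.
//
// Defaults (see the member initializers at the bottom):
//   - cert_request_type_: GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE, i.e. a
//     server built from default options does not ask the peer for a client
//     certificate; callers that need mutual TLS must set this explicitly.
//   - server_verification_option_: GRPC_TLS_SERVER_VERIFICATION.
//   - TLS version range: TLS1_2 .. TLS1_3. The setters do not check that
//     min <= max; that is left to whoever consumes the options.
//
// TODO(ZhenLian): consider making this not ref-counted.
struct grpc_tls_credentials_options
    : public grpc_core::RefCounted<grpc_tls_credentials_options> {
 public:
  ~grpc_tls_credentials_options() override = default;

  // Getters for member fields. All plain getters are const; the only non-const
  // one is certificate_distributor(), which goes through provider_.
  grpc_ssl_client_certificate_request_type cert_request_type() const {
    return cert_request_type_;
  }
  grpc_tls_server_verification_option server_verification_option() const {
    return server_verification_option_;
  }
  grpc_tls_version min_tls_version() const { return min_tls_version_; }
  grpc_tls_version max_tls_version() const { return max_tls_version_; }
  // Non-owning; the config stays alive as long as these options hold it.
  grpc_tls_server_authorization_check_config*
  server_authorization_check_config() const {
    return server_authorization_check_config_.get();
  }
  // Returns the distributor from provider_ if it is set, nullptr otherwise.
  grpc_tls_certificate_distributor* certificate_distributor() {
    if (provider_ != nullptr) return provider_->distributor().get();
    return nullptr;
  }
  bool watch_root_cert() const { return watch_root_cert_; }
  const std::string& root_cert_name() const { return root_cert_name_; }
  bool watch_identity_pair() const { return watch_identity_pair_; }
  const std::string& identity_cert_name() const { return identity_cert_name_; }

  // Setters for member fields.
  void set_cert_request_type(
      const grpc_ssl_client_certificate_request_type type) {
    cert_request_type_ = type;
  }
  void set_server_verification_option(
      const grpc_tls_server_verification_option server_verification_option) {
    server_verification_option_ = server_verification_option;
  }
  void set_min_tls_version(grpc_tls_version min_tls_version) {
    min_tls_version_ = min_tls_version;
  }
  void set_max_tls_version(grpc_tls_version max_tls_version) {
    max_tls_version_ = max_tls_version;
  }
  // Takes shared ownership of |config|; passing a null pointer clears it.
  void set_server_authorization_check_config(
      grpc_core::RefCountedPtr<grpc_tls_server_authorization_check_config>
          config) {
    server_authorization_check_config_ = std::move(config);
  }
  // Sets the provider in the options (shared ownership; null clears it).
  void set_certificate_provider(
      grpc_core::RefCountedPtr<grpc_tls_certificate_provider> provider) {
    provider_ = std::move(provider);
  }
  // If need to watch the updates of root certificates with name
  // |root_cert_name|. The default value is false. If used in tls_credentials,
  // it should always be set to true unless the root certificates are not
  // needed.
  void set_watch_root_cert(bool watch) { watch_root_cert_ = watch; }
  // Sets the name of root certificates being watched, if |set_watch_root_cert|
  // is called. If not set, an empty string will be used as the name.
  void set_root_cert_name(std::string root_cert_name) {
    root_cert_name_ = std::move(root_cert_name);
  }
  // If need to watch the updates of identity certificates with name
  // |identity_cert_name|.
  // The default value is false.
  // If used in tls_credentials, it should always be set to true
  // unless the identity key-cert pairs are not needed.
  void set_watch_identity_pair(bool watch) { watch_identity_pair_ = watch; }
  // Sets the name of identity key-cert pairs being watched, if
  // |set_watch_identity_pair| is called. If not set, an empty string will
  // be used as the name.
  void set_identity_cert_name(std::string identity_cert_name) {
    identity_cert_name_ = std::move(identity_cert_name);
  }

 private:
  // Server side: whether (and how strictly) a client certificate is requested.
  grpc_ssl_client_certificate_request_type cert_request_type_ =
      GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
  // Client side: how the server's certificate is verified.
  grpc_tls_server_verification_option server_verification_option_ =
      GRPC_TLS_SERVER_VERIFICATION;
  grpc_tls_version min_tls_version_ = grpc_tls_version::TLS1_2;
  grpc_tls_version max_tls_version_ = grpc_tls_version::TLS1_3;
  grpc_core::RefCountedPtr<grpc_tls_server_authorization_check_config>
      server_authorization_check_config_;
  grpc_core::RefCountedPtr<grpc_tls_certificate_provider> provider_;
  bool watch_root_cert_ = false;
  std::string root_cert_name_;
  bool watch_identity_pair_ = false;
  std::string identity_cert_name_;
};

#endif  // GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H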