1 /*
2 *
3 * Copyright 2018 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include <grpc/support/port_platform.h>
20
21 #include "src/core/lib/security/security_connector/fake/fake_security_connector.h"
22
23 #include <stdbool.h>
24
25 #include "absl/strings/str_cat.h"
26
27 #include <grpc/support/alloc.h>
28 #include <grpc/support/log.h>
29 #include <grpc/support/string_util.h>
30
31 #include "src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h"
32 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
33 #include "src/core/ext/xds/xds_channel_args.h"
34 #include "src/core/lib/channel/channel_args.h"
35 #include "src/core/lib/channel/handshaker.h"
36 #include "src/core/lib/gpr/string.h"
37 #include "src/core/lib/gprpp/host_port.h"
38 #include "src/core/lib/gprpp/ref_counted_ptr.h"
39 #include "src/core/lib/security/context/security_context.h"
40 #include "src/core/lib/security/credentials/credentials.h"
41 #include "src/core/lib/security/credentials/fake/fake_credentials.h"
42 #include "src/core/lib/security/transport/security_handshaker.h"
43 #include "src/core/tsi/fake_transport_security.h"
44
45 namespace {
46 class grpc_fake_channel_security_connector final
47 : public grpc_channel_security_connector {
48 public:
grpc_fake_channel_security_connector(grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,const char * target,const grpc_channel_args * args)49 grpc_fake_channel_security_connector(
50 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
51 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
52 const char* target, const grpc_channel_args* args)
53 : grpc_channel_security_connector(GRPC_FAKE_SECURITY_URL_SCHEME,
54 std::move(channel_creds),
55 std::move(request_metadata_creds)),
56 target_(gpr_strdup(target)),
57 expected_targets_(
58 gpr_strdup(grpc_fake_transport_get_expected_targets(args))),
59 is_lb_channel_(grpc_channel_args_find(
60 args, GRPC_ARG_ADDRESS_IS_GRPCLB_LOAD_BALANCER) !=
61 nullptr) {
62 const grpc_arg* target_name_override_arg =
63 grpc_channel_args_find(args, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG);
64 if (target_name_override_arg != nullptr) {
65 target_name_override_ =
66 gpr_strdup(grpc_channel_arg_get_string(target_name_override_arg));
67 } else {
68 target_name_override_ = nullptr;
69 }
70 }
71
~grpc_fake_channel_security_connector()72 ~grpc_fake_channel_security_connector() override {
73 gpr_free(target_);
74 gpr_free(expected_targets_);
75 if (target_name_override_ != nullptr) gpr_free(target_name_override_);
76 }
77
78 void check_peer(tsi_peer peer, grpc_endpoint* ep,
79 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
80 grpc_closure* on_peer_checked) override;
81
cancel_check_peer(grpc_closure *,grpc_error_handle error)82 void cancel_check_peer(grpc_closure* /*on_peer_checked*/,
83 grpc_error_handle error) override {
84 GRPC_ERROR_UNREF(error);
85 }
86
cmp(const grpc_security_connector * other_sc) const87 int cmp(const grpc_security_connector* other_sc) const override {
88 auto* other =
89 reinterpret_cast<const grpc_fake_channel_security_connector*>(other_sc);
90 int c = channel_security_connector_cmp(other);
91 if (c != 0) return c;
92 c = strcmp(target_, other->target_);
93 if (c != 0) return c;
94 if (expected_targets_ == nullptr || other->expected_targets_ == nullptr) {
95 c = GPR_ICMP(expected_targets_, other->expected_targets_);
96 } else {
97 c = strcmp(expected_targets_, other->expected_targets_);
98 }
99 if (c != 0) return c;
100 return GPR_ICMP(is_lb_channel_, other->is_lb_channel_);
101 }
102
add_handshakers(const grpc_channel_args * args,grpc_pollset_set *,grpc_core::HandshakeManager * handshake_mgr)103 void add_handshakers(const grpc_channel_args* args,
104 grpc_pollset_set* /*interested_parties*/,
105 grpc_core::HandshakeManager* handshake_mgr) override {
106 handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(
107 tsi_create_fake_handshaker(/*is_client=*/true), this, args));
108 }
109
check_call_host(absl::string_view host,grpc_auth_context *,grpc_closure *,grpc_error_handle *)110 bool check_call_host(absl::string_view host,
111 grpc_auth_context* /*auth_context*/,
112 grpc_closure* /*on_call_host_checked*/,
113 grpc_error_handle* /*error*/) override {
114 absl::string_view authority_hostname;
115 absl::string_view authority_ignored_port;
116 absl::string_view target_hostname;
117 absl::string_view target_ignored_port;
118 grpc_core::SplitHostPort(host, &authority_hostname,
119 &authority_ignored_port);
120 grpc_core::SplitHostPort(target_, &target_hostname, &target_ignored_port);
121 if (target_name_override_ != nullptr) {
122 absl::string_view fake_security_target_name_override_hostname;
123 absl::string_view fake_security_target_name_override_ignored_port;
124 grpc_core::SplitHostPort(
125 target_name_override_, &fake_security_target_name_override_hostname,
126 &fake_security_target_name_override_ignored_port);
127 if (authority_hostname != fake_security_target_name_override_hostname) {
128 gpr_log(GPR_ERROR,
129 "Authority (host) '%s' != Fake Security Target override '%s'",
130 host.data(),
131 fake_security_target_name_override_hostname.data());
132 abort();
133 }
134 } else if (authority_hostname != target_hostname) {
135 gpr_log(GPR_ERROR, "Authority (host) '%s' != Target '%s'", host.data(),
136 target_);
137 abort();
138 }
139 return true;
140 }
141
cancel_check_call_host(grpc_closure *,grpc_error_handle error)142 void cancel_check_call_host(grpc_closure* /*on_call_host_checked*/,
143 grpc_error_handle error) override {
144 GRPC_ERROR_UNREF(error);
145 }
146
target() const147 char* target() const { return target_; }
expected_targets() const148 char* expected_targets() const { return expected_targets_; }
is_lb_channel() const149 bool is_lb_channel() const { return is_lb_channel_; }
target_name_override() const150 char* target_name_override() const { return target_name_override_; }
151
152 private:
fake_check_target(const char * target,const char * set_str) const153 bool fake_check_target(const char* target, const char* set_str) const {
154 GPR_ASSERT(target != nullptr);
155 char** set = nullptr;
156 size_t set_size = 0;
157 gpr_string_split(set_str, ",", &set, &set_size);
158 bool found = false;
159 for (size_t i = 0; i < set_size; ++i) {
160 if (set[i] != nullptr && strcmp(target, set[i]) == 0) found = true;
161 }
162 for (size_t i = 0; i < set_size; ++i) {
163 gpr_free(set[i]);
164 }
165 gpr_free(set);
166 return found;
167 }
168
fake_secure_name_check() const169 void fake_secure_name_check() const {
170 if (expected_targets_ == nullptr) return;
171 char** lbs_and_backends = nullptr;
172 size_t lbs_and_backends_size = 0;
173 bool success = false;
174 gpr_string_split(expected_targets_, ";", &lbs_and_backends,
175 &lbs_and_backends_size);
176 if (lbs_and_backends_size > 2 || lbs_and_backends_size == 0) {
177 gpr_log(GPR_ERROR, "Invalid expected targets arg value: '%s'",
178 expected_targets_);
179 goto done;
180 }
181 if (is_lb_channel_) {
182 if (lbs_and_backends_size != 2) {
183 gpr_log(GPR_ERROR,
184 "Invalid expected targets arg value: '%s'. Expectations for LB "
185 "channels must be of the form 'be1,be2,be3,...;lb1,lb2,...",
186 expected_targets_);
187 goto done;
188 }
189 if (!fake_check_target(target_, lbs_and_backends[1])) {
190 gpr_log(GPR_ERROR, "LB target '%s' not found in expected set '%s'",
191 target_, lbs_and_backends[1]);
192 goto done;
193 }
194 success = true;
195 } else {
196 if (!fake_check_target(target_, lbs_and_backends[0])) {
197 gpr_log(GPR_ERROR, "Backend target '%s' not found in expected set '%s'",
198 target_, lbs_and_backends[0]);
199 goto done;
200 }
201 success = true;
202 }
203 done:
204 for (size_t i = 0; i < lbs_and_backends_size; ++i) {
205 gpr_free(lbs_and_backends[i]);
206 }
207 gpr_free(lbs_and_backends);
208 if (!success) abort();
209 }
210
211 char* target_;
212 char* expected_targets_;
213 bool is_lb_channel_;
214 char* target_name_override_;
215 };
216
fake_check_peer(grpc_security_connector *,tsi_peer peer,grpc_core::RefCountedPtr<grpc_auth_context> * auth_context,grpc_closure * on_peer_checked)217 static void fake_check_peer(
218 grpc_security_connector* /*sc*/, tsi_peer peer,
219 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
220 grpc_closure* on_peer_checked) {
221 const char* prop_name;
222 grpc_error_handle error = GRPC_ERROR_NONE;
223 *auth_context = nullptr;
224 if (peer.property_count != 2) {
225 error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
226 "Fake peers should only have 2 properties.");
227 goto end;
228 }
229 prop_name = peer.properties[0].name;
230 if (prop_name == nullptr ||
231 strcmp(prop_name, TSI_CERTIFICATE_TYPE_PEER_PROPERTY) != 0) {
232 error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
233 absl::StrCat("Unexpected property in fake peer: ",
234 prop_name == nullptr ? "<EMPTY>" : prop_name)
235 .c_str());
236 goto end;
237 }
238 if (strncmp(peer.properties[0].value.data, TSI_FAKE_CERTIFICATE_TYPE,
239 peer.properties[0].value.length) != 0) {
240 error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
241 "Invalid value for cert type property.");
242 goto end;
243 }
244 prop_name = peer.properties[1].name;
245 if (prop_name == nullptr ||
246 strcmp(prop_name, TSI_SECURITY_LEVEL_PEER_PROPERTY) != 0) {
247 error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
248 absl::StrCat("Unexpected property in fake peer: ",
249 prop_name == nullptr ? "<EMPTY>" : prop_name)
250 .c_str());
251 goto end;
252 }
253 if (strncmp(peer.properties[1].value.data, TSI_FAKE_SECURITY_LEVEL,
254 peer.properties[1].value.length) != 0) {
255 error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
256 "Invalid value for security level property.");
257 goto end;
258 }
259
260 *auth_context = grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
261 grpc_auth_context_add_cstring_property(
262 auth_context->get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
263 GRPC_FAKE_TRANSPORT_SECURITY_TYPE);
264 grpc_auth_context_add_cstring_property(
265 auth_context->get(), GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME,
266 TSI_FAKE_SECURITY_LEVEL);
267 end:
268 grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
269 tsi_peer_destruct(&peer);
270 }
271
check_peer(tsi_peer peer,grpc_endpoint *,grpc_core::RefCountedPtr<grpc_auth_context> * auth_context,grpc_closure * on_peer_checked)272 void grpc_fake_channel_security_connector::check_peer(
273 tsi_peer peer, grpc_endpoint* /*ep*/,
274 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
275 grpc_closure* on_peer_checked) {
276 fake_check_peer(this, peer, auth_context, on_peer_checked);
277 fake_secure_name_check();
278 }
279
280 class grpc_fake_server_security_connector
281 : public grpc_server_security_connector {
282 public:
grpc_fake_server_security_connector(grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)283 explicit grpc_fake_server_security_connector(
284 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
285 : grpc_server_security_connector(GRPC_FAKE_SECURITY_URL_SCHEME,
286 std::move(server_creds)) {}
287 ~grpc_fake_server_security_connector() override = default;
288
check_peer(tsi_peer peer,grpc_endpoint *,grpc_core::RefCountedPtr<grpc_auth_context> * auth_context,grpc_closure * on_peer_checked)289 void check_peer(tsi_peer peer, grpc_endpoint* /*ep*/,
290 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
291 grpc_closure* on_peer_checked) override {
292 fake_check_peer(this, peer, auth_context, on_peer_checked);
293 }
294
cancel_check_peer(grpc_closure *,grpc_error_handle error)295 void cancel_check_peer(grpc_closure* /*on_peer_checked*/,
296 grpc_error_handle error) override {
297 GRPC_ERROR_UNREF(error);
298 }
299
add_handshakers(const grpc_channel_args * args,grpc_pollset_set *,grpc_core::HandshakeManager * handshake_mgr)300 void add_handshakers(const grpc_channel_args* args,
301 grpc_pollset_set* /*interested_parties*/,
302 grpc_core::HandshakeManager* handshake_mgr) override {
303 handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(
304 tsi_create_fake_handshaker(/*=is_client*/ false), this, args));
305 }
306
cmp(const grpc_security_connector * other) const307 int cmp(const grpc_security_connector* other) const override {
308 return server_security_connector_cmp(
309 static_cast<const grpc_server_security_connector*>(other));
310 }
311 };
312 } // namespace
313
314 grpc_core::RefCountedPtr<grpc_channel_security_connector>
grpc_fake_channel_security_connector_create(grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,const char * target,const grpc_channel_args * args)315 grpc_fake_channel_security_connector_create(
316 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
317 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
318 const char* target, const grpc_channel_args* args) {
319 return grpc_core::MakeRefCounted<grpc_fake_channel_security_connector>(
320 std::move(channel_creds), std::move(request_metadata_creds), target,
321 args);
322 }
323
324 grpc_core::RefCountedPtr<grpc_server_security_connector>
grpc_fake_server_security_connector_create(grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)325 grpc_fake_server_security_connector_create(
326 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds) {
327 return grpc_core::MakeRefCounted<grpc_fake_server_security_connector>(
328 std::move(server_creds));
329 }
330