• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *
3  * Copyright 2015 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SECURITY_CONNECTOR_H
20 #define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SECURITY_CONNECTOR_H
21 
22 #include <grpc/support/port_platform.h>
23 
24 #include <stdbool.h>
25 
26 #include <grpc/grpc_security.h>
27 
28 #include "src/core/lib/channel/handshaker.h"
29 #include "src/core/lib/gprpp/ref_counted.h"
30 #include "src/core/lib/iomgr/endpoint.h"
31 #include "src/core/lib/iomgr/pollset.h"
32 #include "src/core/lib/iomgr/tcp_server.h"
33 #include "src/core/tsi/ssl_transport_security.h"
34 #include "src/core/tsi/transport_security_interface.h"
35 
36 extern grpc_core::DebugOnlyTraceFlag grpc_trace_security_connector_refcount;
37 
38 typedef enum { GRPC_SECURITY_OK = 0, GRPC_SECURITY_ERROR } grpc_security_status;
39 
40 /* --- security_connector object. ---
41 
42     A security connector object represents away to configure the underlying
43     transport security mechanism and check the resulting trusted peer.  */
44 
45 #define GRPC_ARG_SECURITY_CONNECTOR "grpc.security_connector"
46 
47 class grpc_security_connector
48     : public grpc_core::RefCounted<grpc_security_connector> {
49  public:
grpc_security_connector(const char * url_scheme)50   explicit grpc_security_connector(const char* url_scheme)
51       : grpc_core::RefCounted<grpc_security_connector>(
52             GRPC_TRACE_FLAG_ENABLED(grpc_trace_security_connector_refcount)
53                 ? "security_connector_refcount"
54                 : nullptr),
55         url_scheme_(url_scheme) {}
56   ~grpc_security_connector() override = default;
57 
58   // Checks the peer. Callee takes ownership of the peer object.
59   // When done, sets *auth_context and invokes on_peer_checked.
60   virtual void check_peer(
61       tsi_peer peer, grpc_endpoint* ep,
62       grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
63       grpc_closure* on_peer_checked) = 0;
64 
65   // Cancels the pending check_peer() request associated with on_peer_checked.
66   // If there is no such request pending, this is a no-op.
67   virtual void cancel_check_peer(grpc_closure* on_peer_checked,
68                                  grpc_error_handle error) = 0;
69 
70   /* Compares two security connectors. */
71   virtual int cmp(const grpc_security_connector* other) const = 0;
72 
url_scheme()73   const char* url_scheme() const { return url_scheme_; }
74 
75  private:
76   const char* url_scheme_;
77 };
78 
79 /* Util to encapsulate the connector in a channel arg. */
80 grpc_arg grpc_security_connector_to_arg(grpc_security_connector* sc);
81 
82 /* Util to get the connector from a channel arg. */
83 grpc_security_connector* grpc_security_connector_from_arg(const grpc_arg* arg);
84 
85 /* Util to find the connector from channel args. */
86 grpc_security_connector* grpc_security_connector_find_in_args(
87     const grpc_channel_args* args);
88 
89 /* --- channel_security_connector object. ---
90 
91     A channel security connector object represents a way to configure the
92     underlying transport security mechanism on the client side.  */
93 
94 class grpc_channel_security_connector : public grpc_security_connector {
95  public:
96   grpc_channel_security_connector(
97       const char* url_scheme,
98       grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
99       grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds
100       /*,
101       grpc_channel_args* channel_args = nullptr*/);
102   ~grpc_channel_security_connector() override;
103 
104   /// Checks that the host that will be set for a call is acceptable.
105   /// Returns true if completed synchronously, in which case \a error will
106   /// be set to indicate the result.  Otherwise, \a on_call_host_checked
107   /// will be invoked when complete.
108   virtual bool check_call_host(absl::string_view host,
109                                grpc_auth_context* auth_context,
110                                grpc_closure* on_call_host_checked,
111                                grpc_error_handle* error) = 0;
112   /// Cancels a pending asynchronous call to
113   /// grpc_channel_security_connector_check_call_host() with
114   /// \a on_call_host_checked as its callback.
115   virtual void cancel_check_call_host(grpc_closure* on_call_host_checked,
116                                       grpc_error_handle error) = 0;
117   /// Registers handshakers with \a handshake_mgr.
118   virtual void add_handshakers(const grpc_channel_args* args,
119                                grpc_pollset_set* interested_parties,
120                                grpc_core::HandshakeManager* handshake_mgr) = 0;
121 
channel_creds()122   const grpc_channel_credentials* channel_creds() const {
123     return channel_creds_.get();
124   }
mutable_channel_creds()125   grpc_channel_credentials* mutable_channel_creds() {
126     return channel_creds_.get();
127   }
request_metadata_creds()128   const grpc_call_credentials* request_metadata_creds() const {
129     return request_metadata_creds_.get();
130   }
mutable_request_metadata_creds()131   grpc_call_credentials* mutable_request_metadata_creds() {
132     return request_metadata_creds_.get();
133   }
134 
135  protected:
136   // Helper methods to be used in subclasses.
137   int channel_security_connector_cmp(
138       const grpc_channel_security_connector* other) const;
139 
140   // grpc_channel_args* channel_args() const { return channel_args_.get(); }
141   //// Should be called as soon as the channel args are not needed to reduce
142   //// memory usage.
143   // void clear_channel_arg() { channel_args_.reset(); }
144 
145  private:
146   grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds_;
147   grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds_;
148   std::unique_ptr<grpc_channel_args> channel_args_;
149 };
150 
151 /* --- server_security_connector object. ---
152 
153     A server security connector object represents a way to configure the
154     underlying transport security mechanism on the server side.  */
155 
156 class grpc_server_security_connector : public grpc_security_connector {
157  public:
158   grpc_server_security_connector(
159       const char* url_scheme,
160       grpc_core::RefCountedPtr<grpc_server_credentials> server_creds);
161   ~grpc_server_security_connector() override;
162 
163   virtual void add_handshakers(const grpc_channel_args* args,
164                                grpc_pollset_set* interested_parties,
165                                grpc_core::HandshakeManager* handshake_mgr) = 0;
166 
server_creds()167   const grpc_server_credentials* server_creds() const {
168     return server_creds_.get();
169   }
mutable_server_creds()170   grpc_server_credentials* mutable_server_creds() {
171     return server_creds_.get();
172   }
173 
174  protected:
175   // Helper methods to be used in subclasses.
176   int server_security_connector_cmp(
177       const grpc_server_security_connector* other) const;
178 
179  private:
180   grpc_core::RefCountedPtr<grpc_server_credentials> server_creds_;
181 };
182 
183 #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SECURITY_CONNECTOR_H */
184