grpc 1.17.1 → 1.18.0.pre1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +1228 -988
- data/etc/roots.pem +242 -30
- data/include/grpc/grpc.h +2 -1
- data/include/grpc/grpc_security_constants.h +3 -3
- data/include/grpc/impl/codegen/atm_gcc_sync.h +2 -0
- data/include/grpc/impl/codegen/atm_windows.h +2 -0
- data/include/grpc/impl/codegen/compression_types.h +2 -1
- data/include/grpc/impl/codegen/grpc_types.h +1 -1
- data/include/grpc/impl/codegen/port_platform.h +9 -0
- data/src/core/ext/filters/client_channel/client_channel.cc +163 -882
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +2 -4
- data/src/core/ext/filters/client_channel/health/health_check_client.h +2 -3
- data/src/core/ext/filters/client_channel/lb_policy.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy.h +8 -17
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +176 -216
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +20 -23
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +49 -52
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +13 -35
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +31 -30
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.cc +69 -225
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_secure.cc +20 -23
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_load_balancer_api.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy_factory.h +2 -84
- data/src/core/ext/filters/client_channel/request_routing.cc +936 -0
- data/src/core/ext/filters/client_channel/request_routing.h +177 -0
- data/src/core/ext/filters/client_channel/resolver.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver.h +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +37 -26
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.cc +30 -18
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +119 -100
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +8 -5
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.cc +5 -4
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_posix.cc +2 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_windows.cc +12 -14
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +5 -9
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +2 -1
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h +1 -2
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +17 -17
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +45 -52
- data/src/core/ext/filters/client_channel/resolver_result_parsing.h +13 -17
- data/src/core/ext/filters/client_channel/server_address.cc +103 -0
- data/src/core/ext/filters/client_channel/server_address.h +108 -0
- data/src/core/ext/filters/client_channel/subchannel.cc +10 -8
- data/src/core/ext/filters/client_channel/subchannel.h +9 -6
- data/src/core/ext/filters/client_channel/subchannel_index.cc +20 -27
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +3 -2
- data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +8 -9
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +1 -1
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.cc +1 -1
- data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +8 -11
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +24 -54
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.h +3 -1
- data/src/core/ext/transport/chttp2/transport/context_list.cc +67 -0
- data/src/core/ext/transport/chttp2/transport/context_list.h +53 -0
- data/src/core/ext/transport/chttp2/transport/internal.h +38 -11
- data/src/core/ext/transport/chttp2/transport/writing.cc +5 -0
- data/src/core/ext/transport/inproc/inproc_transport.cc +1 -1
- data/src/core/lib/channel/channelz.cc +19 -18
- data/src/core/lib/channel/channelz.h +7 -1
- data/src/core/lib/channel/channelz_registry.cc +3 -2
- data/src/core/lib/debug/trace.cc +3 -0
- data/src/core/lib/debug/trace.h +5 -3
- data/src/core/lib/gpr/sync_posix.cc +96 -4
- data/src/core/lib/gprpp/inlined_vector.h +25 -19
- data/src/core/lib/gprpp/memory.h +2 -11
- data/src/core/lib/gprpp/orphanable.h +18 -82
- data/src/core/lib/gprpp/ref_counted.h +75 -84
- data/src/core/lib/gprpp/ref_counted_ptr.h +22 -17
- data/src/core/lib/http/httpcli_security_connector.cc +101 -94
- data/src/core/lib/http/parser.h +5 -5
- data/src/core/lib/iomgr/buffer_list.cc +16 -5
- data/src/core/lib/iomgr/buffer_list.h +10 -3
- data/src/core/lib/iomgr/call_combiner.cc +50 -2
- data/src/core/lib/iomgr/call_combiner.h +29 -2
- data/src/core/lib/iomgr/dynamic_annotations.h +67 -0
- data/src/core/lib/iomgr/endpoint.cc +4 -0
- data/src/core/lib/iomgr/endpoint.h +3 -0
- data/src/core/lib/iomgr/endpoint_pair_posix.cc +2 -2
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +4 -0
- data/src/core/lib/iomgr/ev_epollex_linux.cc +4 -0
- data/src/core/lib/iomgr/ev_poll_posix.cc +4 -0
- data/src/core/lib/iomgr/ev_posix.cc +15 -7
- data/src/core/lib/iomgr/ev_posix.h +10 -0
- data/src/core/lib/iomgr/exec_ctx.cc +13 -0
- data/src/core/lib/iomgr/fork_posix.cc +1 -1
- data/src/core/lib/iomgr/internal_errqueue.cc +36 -3
- data/src/core/lib/iomgr/internal_errqueue.h +7 -1
- data/src/core/lib/iomgr/iomgr.cc +7 -0
- data/src/core/lib/iomgr/iomgr.h +4 -0
- data/src/core/lib/iomgr/iomgr_custom.cc +3 -1
- data/src/core/lib/iomgr/iomgr_internal.cc +4 -0
- data/src/core/lib/iomgr/iomgr_internal.h +4 -0
- data/src/core/lib/iomgr/iomgr_posix.cc +6 -1
- data/src/core/lib/iomgr/iomgr_windows.cc +4 -1
- data/src/core/lib/iomgr/port.h +1 -2
- data/src/core/lib/iomgr/resource_quota.cc +1 -0
- data/src/core/lib/iomgr/sockaddr_utils.cc +1 -0
- data/src/core/lib/iomgr/tcp_custom.cc +4 -1
- data/src/core/lib/iomgr/tcp_posix.cc +95 -35
- data/src/core/lib/iomgr/tcp_windows.cc +4 -1
- data/src/core/lib/iomgr/timer_manager.cc +6 -0
- data/src/core/lib/security/context/security_context.cc +75 -108
- data/src/core/lib/security/context/security_context.h +59 -35
- data/src/core/lib/security/credentials/alts/alts_credentials.cc +36 -48
- data/src/core/lib/security/credentials/alts/alts_credentials.h +37 -10
- data/src/core/lib/security/credentials/composite/composite_credentials.cc +97 -157
- data/src/core/lib/security/credentials/composite/composite_credentials.h +60 -24
- data/src/core/lib/security/credentials/credentials.cc +18 -142
- data/src/core/lib/security/credentials/credentials.h +119 -95
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +46 -71
- data/src/core/lib/security/credentials/fake/fake_credentials.h +23 -5
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +144 -51
- data/src/core/lib/security/credentials/google_default/google_default_credentials.h +28 -5
- data/src/core/lib/security/credentials/iam/iam_credentials.cc +27 -35
- data/src/core/lib/security/credentials/iam/iam_credentials.h +18 -4
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +60 -69
- data/src/core/lib/security/credentials/jwt/jwt_credentials.h +29 -10
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +2 -0
- data/src/core/lib/security/credentials/local/local_credentials.cc +19 -32
- data/src/core/lib/security/credentials/local/local_credentials.h +32 -11
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +130 -149
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +74 -29
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +59 -77
- data/src/core/lib/security/credentials/plugin/plugin_credentials.h +40 -17
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +66 -83
- data/src/core/lib/security/credentials/ssl/ssl_credentials.h +58 -15
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +152 -177
- data/src/core/lib/security/security_connector/alts/alts_security_connector.h +12 -10
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +210 -215
- data/src/core/lib/security/security_connector/fake/fake_security_connector.h +9 -6
- data/src/core/lib/security/security_connector/local/local_security_connector.cc +176 -169
- data/src/core/lib/security/security_connector/local/local_security_connector.h +10 -9
- data/src/core/lib/security/security_connector/security_connector.cc +41 -124
- data/src/core/lib/security/security_connector/security_connector.h +102 -105
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +348 -370
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.h +14 -12
- data/src/core/lib/security/security_connector/ssl_utils.cc +13 -9
- data/src/core/lib/security/security_connector/ssl_utils.h +3 -1
- data/src/core/lib/security/transport/client_auth_filter.cc +50 -50
- data/src/core/lib/security/transport/secure_endpoint.cc +7 -1
- data/src/core/lib/security/transport/security_handshaker.cc +82 -66
- data/src/core/lib/security/transport/server_auth_filter.cc +15 -13
- data/src/core/lib/surface/init.cc +1 -0
- data/src/core/lib/surface/server.cc +13 -11
- data/src/core/lib/surface/server.h +6 -6
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/metadata.cc +1 -0
- data/src/core/lib/transport/static_metadata.cc +228 -221
- data/src/core/lib/transport/static_metadata.h +75 -71
- data/src/core/lib/transport/transport.cc +2 -1
- data/src/core/lib/transport/transport.h +5 -1
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +9 -2
- data/src/core/tsi/ssl_transport_security.cc +35 -24
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +1 -1
- data/src/ruby/lib/grpc/generic/rpc_server.rb +61 -0
- data/src/ruby/lib/grpc/generic/service.rb +1 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/grpc/health/checker.rb +2 -3
- data/src/ruby/spec/generic/rpc_server_spec.rb +22 -0
- data/src/ruby/spec/support/services.rb +1 -0
- metadata +37 -32
- data/src/core/ext/filters/client_channel/lb_policy_factory.cc +0 -163
|
@@ -24,27 +24,70 @@
|
|
|
24
24
|
|
|
25
25
|
#include "src/core/lib/security/security_connector/ssl/ssl_security_connector.h"
|
|
26
26
|
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
27
|
+
class grpc_ssl_credentials : public grpc_channel_credentials {
|
|
28
|
+
public:
|
|
29
|
+
grpc_ssl_credentials(const char* pem_root_certs,
|
|
30
|
+
grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
|
|
31
|
+
const verify_peer_options* verify_options);
|
|
32
|
+
|
|
33
|
+
~grpc_ssl_credentials() override;
|
|
34
|
+
|
|
35
|
+
grpc_core::RefCountedPtr<grpc_channel_security_connector>
|
|
36
|
+
create_security_connector(
|
|
37
|
+
grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
|
|
38
|
+
const char* target, const grpc_channel_args* args,
|
|
39
|
+
grpc_channel_args** new_args) override;
|
|
40
|
+
|
|
41
|
+
private:
|
|
42
|
+
void build_config(const char* pem_root_certs,
|
|
43
|
+
grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
|
|
44
|
+
const verify_peer_options* verify_options);
|
|
45
|
+
|
|
46
|
+
grpc_ssl_config config_;
|
|
47
|
+
};
|
|
31
48
|
|
|
32
49
|
struct grpc_ssl_server_certificate_config {
|
|
33
|
-
grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs;
|
|
34
|
-
size_t num_key_cert_pairs;
|
|
35
|
-
char* pem_root_certs;
|
|
50
|
+
grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs = nullptr;
|
|
51
|
+
size_t num_key_cert_pairs = 0;
|
|
52
|
+
char* pem_root_certs = nullptr;
|
|
36
53
|
};
|
|
37
54
|
|
|
38
|
-
|
|
39
|
-
grpc_ssl_server_certificate_config_callback cb;
|
|
55
|
+
struct grpc_ssl_server_certificate_config_fetcher {
|
|
56
|
+
grpc_ssl_server_certificate_config_callback cb = nullptr;
|
|
40
57
|
void* user_data;
|
|
41
|
-
}
|
|
58
|
+
};
|
|
59
|
+
|
|
60
|
+
class grpc_ssl_server_credentials final : public grpc_server_credentials {
|
|
61
|
+
public:
|
|
62
|
+
grpc_ssl_server_credentials(
|
|
63
|
+
const grpc_ssl_server_credentials_options& options);
|
|
64
|
+
~grpc_ssl_server_credentials() override;
|
|
42
65
|
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
66
|
+
grpc_core::RefCountedPtr<grpc_server_security_connector>
|
|
67
|
+
create_security_connector() override;
|
|
68
|
+
|
|
69
|
+
bool has_cert_config_fetcher() const {
|
|
70
|
+
return certificate_config_fetcher_.cb != nullptr;
|
|
71
|
+
}
|
|
72
|
+
|
|
73
|
+
grpc_ssl_certificate_config_reload_status FetchCertConfig(
|
|
74
|
+
grpc_ssl_server_certificate_config** config) {
|
|
75
|
+
GPR_DEBUG_ASSERT(has_cert_config_fetcher());
|
|
76
|
+
return certificate_config_fetcher_.cb(certificate_config_fetcher_.user_data,
|
|
77
|
+
config);
|
|
78
|
+
}
|
|
79
|
+
|
|
80
|
+
const grpc_ssl_server_config& config() const { return config_; }
|
|
81
|
+
|
|
82
|
+
private:
|
|
83
|
+
void build_config(
|
|
84
|
+
const char* pem_root_certs,
|
|
85
|
+
grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs,
|
|
86
|
+
grpc_ssl_client_certificate_request_type client_certificate_request);
|
|
87
|
+
|
|
88
|
+
grpc_ssl_server_config config_;
|
|
89
|
+
grpc_ssl_server_certificate_config_fetcher certificate_config_fetcher_;
|
|
90
|
+
};
|
|
48
91
|
|
|
49
92
|
tsi_ssl_pem_key_cert_pair* grpc_convert_grpc_to_tsi_cert_pairs(
|
|
50
93
|
const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
|
|
@@ -28,6 +28,7 @@
|
|
|
28
28
|
#include <grpc/support/log.h>
|
|
29
29
|
#include <grpc/support/string_util.h>
|
|
30
30
|
|
|
31
|
+
#include "src/core/lib/gprpp/ref_counted_ptr.h"
|
|
31
32
|
#include "src/core/lib/security/credentials/alts/alts_credentials.h"
|
|
32
33
|
#include "src/core/lib/security/transport/security_handshaker.h"
|
|
33
34
|
#include "src/core/lib/slice/slice_internal.h"
|
|
@@ -35,64 +36,9 @@
|
|
|
35
36
|
#include "src/core/tsi/alts/handshaker/alts_tsi_handshaker.h"
|
|
36
37
|
#include "src/core/tsi/transport_security.h"
|
|
37
38
|
|
|
38
|
-
|
|
39
|
-
grpc_channel_security_connector base;
|
|
40
|
-
char* target_name;
|
|
41
|
-
} grpc_alts_channel_security_connector;
|
|
39
|
+
namespace {
|
|
42
40
|
|
|
43
|
-
|
|
44
|
-
grpc_server_security_connector base;
|
|
45
|
-
} grpc_alts_server_security_connector;
|
|
46
|
-
|
|
47
|
-
static void alts_channel_destroy(grpc_security_connector* sc) {
|
|
48
|
-
if (sc == nullptr) {
|
|
49
|
-
return;
|
|
50
|
-
}
|
|
51
|
-
auto c = reinterpret_cast<grpc_alts_channel_security_connector*>(sc);
|
|
52
|
-
grpc_call_credentials_unref(c->base.request_metadata_creds);
|
|
53
|
-
grpc_channel_credentials_unref(c->base.channel_creds);
|
|
54
|
-
gpr_free(c->target_name);
|
|
55
|
-
gpr_free(sc);
|
|
56
|
-
}
|
|
57
|
-
|
|
58
|
-
static void alts_server_destroy(grpc_security_connector* sc) {
|
|
59
|
-
if (sc == nullptr) {
|
|
60
|
-
return;
|
|
61
|
-
}
|
|
62
|
-
auto c = reinterpret_cast<grpc_alts_server_security_connector*>(sc);
|
|
63
|
-
grpc_server_credentials_unref(c->base.server_creds);
|
|
64
|
-
gpr_free(sc);
|
|
65
|
-
}
|
|
66
|
-
|
|
67
|
-
static void alts_channel_add_handshakers(
|
|
68
|
-
grpc_channel_security_connector* sc, grpc_pollset_set* interested_parties,
|
|
69
|
-
grpc_handshake_manager* handshake_manager) {
|
|
70
|
-
tsi_handshaker* handshaker = nullptr;
|
|
71
|
-
auto c = reinterpret_cast<grpc_alts_channel_security_connector*>(sc);
|
|
72
|
-
grpc_alts_credentials* creds =
|
|
73
|
-
reinterpret_cast<grpc_alts_credentials*>(c->base.channel_creds);
|
|
74
|
-
GPR_ASSERT(alts_tsi_handshaker_create(
|
|
75
|
-
creds->options, c->target_name, creds->handshaker_service_url,
|
|
76
|
-
true, interested_parties, &handshaker) == TSI_OK);
|
|
77
|
-
grpc_handshake_manager_add(handshake_manager, grpc_security_handshaker_create(
|
|
78
|
-
handshaker, &sc->base));
|
|
79
|
-
}
|
|
80
|
-
|
|
81
|
-
static void alts_server_add_handshakers(
|
|
82
|
-
grpc_server_security_connector* sc, grpc_pollset_set* interested_parties,
|
|
83
|
-
grpc_handshake_manager* handshake_manager) {
|
|
84
|
-
tsi_handshaker* handshaker = nullptr;
|
|
85
|
-
auto c = reinterpret_cast<grpc_alts_server_security_connector*>(sc);
|
|
86
|
-
grpc_alts_server_credentials* creds =
|
|
87
|
-
reinterpret_cast<grpc_alts_server_credentials*>(c->base.server_creds);
|
|
88
|
-
GPR_ASSERT(alts_tsi_handshaker_create(
|
|
89
|
-
creds->options, nullptr, creds->handshaker_service_url, false,
|
|
90
|
-
interested_parties, &handshaker) == TSI_OK);
|
|
91
|
-
grpc_handshake_manager_add(handshake_manager, grpc_security_handshaker_create(
|
|
92
|
-
handshaker, &sc->base));
|
|
93
|
-
}
|
|
94
|
-
|
|
95
|
-
static void alts_set_rpc_protocol_versions(
|
|
41
|
+
void alts_set_rpc_protocol_versions(
|
|
96
42
|
grpc_gcp_rpc_protocol_versions* rpc_versions) {
|
|
97
43
|
grpc_gcp_rpc_protocol_versions_set_max(rpc_versions,
|
|
98
44
|
GRPC_PROTOCOL_VERSION_MAX_MAJOR,
|
|
@@ -102,17 +48,131 @@ static void alts_set_rpc_protocol_versions(
|
|
|
102
48
|
GRPC_PROTOCOL_VERSION_MIN_MINOR);
|
|
103
49
|
}
|
|
104
50
|
|
|
51
|
+
void alts_check_peer(tsi_peer peer,
|
|
52
|
+
grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
|
|
53
|
+
grpc_closure* on_peer_checked) {
|
|
54
|
+
*auth_context =
|
|
55
|
+
grpc_core::internal::grpc_alts_auth_context_from_tsi_peer(&peer);
|
|
56
|
+
tsi_peer_destruct(&peer);
|
|
57
|
+
grpc_error* error =
|
|
58
|
+
*auth_context != nullptr
|
|
59
|
+
? GRPC_ERROR_NONE
|
|
60
|
+
: GRPC_ERROR_CREATE_FROM_STATIC_STRING(
|
|
61
|
+
"Could not get ALTS auth context from TSI peer");
|
|
62
|
+
GRPC_CLOSURE_SCHED(on_peer_checked, error);
|
|
63
|
+
}
|
|
64
|
+
|
|
65
|
+
class grpc_alts_channel_security_connector final
|
|
66
|
+
: public grpc_channel_security_connector {
|
|
67
|
+
public:
|
|
68
|
+
grpc_alts_channel_security_connector(
|
|
69
|
+
grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
|
|
70
|
+
grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
|
|
71
|
+
const char* target_name)
|
|
72
|
+
: grpc_channel_security_connector(/*url_scheme=*/nullptr,
|
|
73
|
+
std::move(channel_creds),
|
|
74
|
+
std::move(request_metadata_creds)),
|
|
75
|
+
target_name_(gpr_strdup(target_name)) {
|
|
76
|
+
grpc_alts_credentials* creds =
|
|
77
|
+
static_cast<grpc_alts_credentials*>(mutable_channel_creds());
|
|
78
|
+
alts_set_rpc_protocol_versions(&creds->mutable_options()->rpc_versions);
|
|
79
|
+
}
|
|
80
|
+
|
|
81
|
+
~grpc_alts_channel_security_connector() override { gpr_free(target_name_); }
|
|
82
|
+
|
|
83
|
+
void add_handshakers(grpc_pollset_set* interested_parties,
|
|
84
|
+
grpc_handshake_manager* handshake_manager) override {
|
|
85
|
+
tsi_handshaker* handshaker = nullptr;
|
|
86
|
+
const grpc_alts_credentials* creds =
|
|
87
|
+
static_cast<const grpc_alts_credentials*>(channel_creds());
|
|
88
|
+
GPR_ASSERT(alts_tsi_handshaker_create(creds->options(), target_name_,
|
|
89
|
+
creds->handshaker_service_url(), true,
|
|
90
|
+
interested_parties,
|
|
91
|
+
&handshaker) == TSI_OK);
|
|
92
|
+
grpc_handshake_manager_add(
|
|
93
|
+
handshake_manager, grpc_security_handshaker_create(handshaker, this));
|
|
94
|
+
}
|
|
95
|
+
|
|
96
|
+
void check_peer(tsi_peer peer, grpc_endpoint* ep,
|
|
97
|
+
grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
|
|
98
|
+
grpc_closure* on_peer_checked) override {
|
|
99
|
+
alts_check_peer(peer, auth_context, on_peer_checked);
|
|
100
|
+
}
|
|
101
|
+
|
|
102
|
+
int cmp(const grpc_security_connector* other_sc) const override {
|
|
103
|
+
auto* other =
|
|
104
|
+
reinterpret_cast<const grpc_alts_channel_security_connector*>(other_sc);
|
|
105
|
+
int c = channel_security_connector_cmp(other);
|
|
106
|
+
if (c != 0) return c;
|
|
107
|
+
return strcmp(target_name_, other->target_name_);
|
|
108
|
+
}
|
|
109
|
+
|
|
110
|
+
bool check_call_host(const char* host, grpc_auth_context* auth_context,
|
|
111
|
+
grpc_closure* on_call_host_checked,
|
|
112
|
+
grpc_error** error) override {
|
|
113
|
+
if (host == nullptr || strcmp(host, target_name_) != 0) {
|
|
114
|
+
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
|
|
115
|
+
"ALTS call host does not match target name");
|
|
116
|
+
}
|
|
117
|
+
return true;
|
|
118
|
+
}
|
|
119
|
+
|
|
120
|
+
void cancel_check_call_host(grpc_closure* on_call_host_checked,
|
|
121
|
+
grpc_error* error) override {
|
|
122
|
+
GRPC_ERROR_UNREF(error);
|
|
123
|
+
}
|
|
124
|
+
|
|
125
|
+
private:
|
|
126
|
+
char* target_name_;
|
|
127
|
+
};
|
|
128
|
+
|
|
129
|
+
class grpc_alts_server_security_connector final
|
|
130
|
+
: public grpc_server_security_connector {
|
|
131
|
+
public:
|
|
132
|
+
grpc_alts_server_security_connector(
|
|
133
|
+
grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
|
|
134
|
+
: grpc_server_security_connector(/*url_scheme=*/nullptr,
|
|
135
|
+
std::move(server_creds)) {
|
|
136
|
+
grpc_alts_server_credentials* creds =
|
|
137
|
+
reinterpret_cast<grpc_alts_server_credentials*>(mutable_server_creds());
|
|
138
|
+
alts_set_rpc_protocol_versions(&creds->mutable_options()->rpc_versions);
|
|
139
|
+
}
|
|
140
|
+
~grpc_alts_server_security_connector() override = default;
|
|
141
|
+
|
|
142
|
+
void add_handshakers(grpc_pollset_set* interested_parties,
|
|
143
|
+
grpc_handshake_manager* handshake_manager) override {
|
|
144
|
+
tsi_handshaker* handshaker = nullptr;
|
|
145
|
+
const grpc_alts_server_credentials* creds =
|
|
146
|
+
static_cast<const grpc_alts_server_credentials*>(server_creds());
|
|
147
|
+
GPR_ASSERT(alts_tsi_handshaker_create(
|
|
148
|
+
creds->options(), nullptr, creds->handshaker_service_url(),
|
|
149
|
+
false, interested_parties, &handshaker) == TSI_OK);
|
|
150
|
+
grpc_handshake_manager_add(
|
|
151
|
+
handshake_manager, grpc_security_handshaker_create(handshaker, this));
|
|
152
|
+
}
|
|
153
|
+
|
|
154
|
+
void check_peer(tsi_peer peer, grpc_endpoint* ep,
|
|
155
|
+
grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
|
|
156
|
+
grpc_closure* on_peer_checked) override {
|
|
157
|
+
alts_check_peer(peer, auth_context, on_peer_checked);
|
|
158
|
+
}
|
|
159
|
+
|
|
160
|
+
int cmp(const grpc_security_connector* other) const override {
|
|
161
|
+
return server_security_connector_cmp(
|
|
162
|
+
static_cast<const grpc_server_security_connector*>(other));
|
|
163
|
+
}
|
|
164
|
+
};
|
|
165
|
+
} // namespace
|
|
166
|
+
|
|
105
167
|
namespace grpc_core {
|
|
106
168
|
namespace internal {
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
if (peer == nullptr || ctx == nullptr) {
|
|
169
|
+
grpc_core::RefCountedPtr<grpc_auth_context>
|
|
170
|
+
grpc_alts_auth_context_from_tsi_peer(const tsi_peer* peer) {
|
|
171
|
+
if (peer == nullptr) {
|
|
111
172
|
gpr_log(GPR_ERROR,
|
|
112
173
|
"Invalid arguments to grpc_alts_auth_context_from_tsi_peer()");
|
|
113
|
-
return
|
|
174
|
+
return nullptr;
|
|
114
175
|
}
|
|
115
|
-
*ctx = nullptr;
|
|
116
176
|
/* Validate certificate type. */
|
|
117
177
|
const tsi_peer_property* cert_type_prop =
|
|
118
178
|
tsi_peer_get_property_by_name(peer, TSI_CERTIFICATE_TYPE_PEER_PROPERTY);
|
|
@@ -120,14 +180,14 @@ grpc_security_status grpc_alts_auth_context_from_tsi_peer(
|
|
|
120
180
|
strncmp(cert_type_prop->value.data, TSI_ALTS_CERTIFICATE_TYPE,
|
|
121
181
|
cert_type_prop->value.length) != 0) {
|
|
122
182
|
gpr_log(GPR_ERROR, "Invalid or missing certificate type property.");
|
|
123
|
-
return
|
|
183
|
+
return nullptr;
|
|
124
184
|
}
|
|
125
185
|
/* Validate RPC protocol versions. */
|
|
126
186
|
const tsi_peer_property* rpc_versions_prop =
|
|
127
187
|
tsi_peer_get_property_by_name(peer, TSI_ALTS_RPC_VERSIONS);
|
|
128
188
|
if (rpc_versions_prop == nullptr) {
|
|
129
189
|
gpr_log(GPR_ERROR, "Missing rpc protocol versions property.");
|
|
130
|
-
return
|
|
190
|
+
return nullptr;
|
|
131
191
|
}
|
|
132
192
|
grpc_gcp_rpc_protocol_versions local_versions, peer_versions;
|
|
133
193
|
alts_set_rpc_protocol_versions(&local_versions);
|
|
@@ -138,19 +198,19 @@ grpc_security_status grpc_alts_auth_context_from_tsi_peer(
|
|
|
138
198
|
grpc_slice_unref_internal(slice);
|
|
139
199
|
if (!decode_result) {
|
|
140
200
|
gpr_log(GPR_ERROR, "Invalid peer rpc protocol versions.");
|
|
141
|
-
return
|
|
201
|
+
return nullptr;
|
|
142
202
|
}
|
|
143
203
|
/* TODO: Pass highest common rpc protocol version to grpc caller. */
|
|
144
204
|
bool check_result = grpc_gcp_rpc_protocol_versions_check(
|
|
145
205
|
&local_versions, &peer_versions, nullptr);
|
|
146
206
|
if (!check_result) {
|
|
147
207
|
gpr_log(GPR_ERROR, "Mismatch of local and peer rpc protocol versions.");
|
|
148
|
-
return
|
|
208
|
+
return nullptr;
|
|
149
209
|
}
|
|
150
210
|
/* Create auth context. */
|
|
151
|
-
|
|
211
|
+
auto ctx = grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
|
|
152
212
|
grpc_auth_context_add_cstring_property(
|
|
153
|
-
|
|
213
|
+
ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
|
|
154
214
|
GRPC_ALTS_TRANSPORT_SECURITY_TYPE);
|
|
155
215
|
size_t i = 0;
|
|
156
216
|
for (i = 0; i < peer->property_count; i++) {
|
|
@@ -158,132 +218,47 @@ grpc_security_status grpc_alts_auth_context_from_tsi_peer(
|
|
|
158
218
|
/* Add service account to auth context. */
|
|
159
219
|
if (strcmp(tsi_prop->name, TSI_ALTS_SERVICE_ACCOUNT_PEER_PROPERTY) == 0) {
|
|
160
220
|
grpc_auth_context_add_property(
|
|
161
|
-
|
|
162
|
-
tsi_prop->value.length);
|
|
221
|
+
ctx.get(), TSI_ALTS_SERVICE_ACCOUNT_PEER_PROPERTY,
|
|
222
|
+
tsi_prop->value.data, tsi_prop->value.length);
|
|
163
223
|
GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
|
|
164
|
-
|
|
224
|
+
ctx.get(), TSI_ALTS_SERVICE_ACCOUNT_PEER_PROPERTY) == 1);
|
|
165
225
|
}
|
|
166
226
|
}
|
|
167
|
-
if (!grpc_auth_context_peer_is_authenticated(
|
|
227
|
+
if (!grpc_auth_context_peer_is_authenticated(ctx.get())) {
|
|
168
228
|
gpr_log(GPR_ERROR, "Invalid unauthenticated peer.");
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
return GRPC_SECURITY_ERROR;
|
|
229
|
+
ctx.reset(DEBUG_LOCATION, "test");
|
|
230
|
+
return nullptr;
|
|
172
231
|
}
|
|
173
|
-
return
|
|
232
|
+
return ctx;
|
|
174
233
|
}
|
|
175
234
|
|
|
176
235
|
} // namespace internal
|
|
177
236
|
} // namespace grpc_core
|
|
178
237
|
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
|
|
185
|
-
tsi_peer_destruct(&peer);
|
|
186
|
-
grpc_error* error =
|
|
187
|
-
status == GRPC_SECURITY_OK
|
|
188
|
-
? GRPC_ERROR_NONE
|
|
189
|
-
: GRPC_ERROR_CREATE_FROM_STATIC_STRING(
|
|
190
|
-
"Could not get ALTS auth context from TSI peer");
|
|
191
|
-
GRPC_CLOSURE_SCHED(on_peer_checked, error);
|
|
192
|
-
}
|
|
193
|
-
|
|
194
|
-
static int alts_channel_cmp(grpc_security_connector* sc1,
|
|
195
|
-
grpc_security_connector* sc2) {
|
|
196
|
-
grpc_alts_channel_security_connector* c1 =
|
|
197
|
-
reinterpret_cast<grpc_alts_channel_security_connector*>(sc1);
|
|
198
|
-
grpc_alts_channel_security_connector* c2 =
|
|
199
|
-
reinterpret_cast<grpc_alts_channel_security_connector*>(sc2);
|
|
200
|
-
int c = grpc_channel_security_connector_cmp(&c1->base, &c2->base);
|
|
201
|
-
if (c != 0) return c;
|
|
202
|
-
return strcmp(c1->target_name, c2->target_name);
|
|
203
|
-
}
|
|
204
|
-
|
|
205
|
-
static int alts_server_cmp(grpc_security_connector* sc1,
|
|
206
|
-
grpc_security_connector* sc2) {
|
|
207
|
-
grpc_alts_server_security_connector* c1 =
|
|
208
|
-
reinterpret_cast<grpc_alts_server_security_connector*>(sc1);
|
|
209
|
-
grpc_alts_server_security_connector* c2 =
|
|
210
|
-
reinterpret_cast<grpc_alts_server_security_connector*>(sc2);
|
|
211
|
-
return grpc_server_security_connector_cmp(&c1->base, &c2->base);
|
|
212
|
-
}
|
|
213
|
-
|
|
214
|
-
static grpc_security_connector_vtable alts_channel_vtable = {
|
|
215
|
-
alts_channel_destroy, alts_check_peer, alts_channel_cmp};
|
|
216
|
-
|
|
217
|
-
static grpc_security_connector_vtable alts_server_vtable = {
|
|
218
|
-
alts_server_destroy, alts_check_peer, alts_server_cmp};
|
|
219
|
-
|
|
220
|
-
static bool alts_check_call_host(grpc_channel_security_connector* sc,
|
|
221
|
-
const char* host,
|
|
222
|
-
grpc_auth_context* auth_context,
|
|
223
|
-
grpc_closure* on_call_host_checked,
|
|
224
|
-
grpc_error** error) {
|
|
225
|
-
grpc_alts_channel_security_connector* alts_sc =
|
|
226
|
-
reinterpret_cast<grpc_alts_channel_security_connector*>(sc);
|
|
227
|
-
if (host == nullptr || alts_sc == nullptr ||
|
|
228
|
-
strcmp(host, alts_sc->target_name) != 0) {
|
|
229
|
-
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
|
|
230
|
-
"ALTS call host does not match target name");
|
|
231
|
-
}
|
|
232
|
-
return true;
|
|
233
|
-
}
|
|
234
|
-
|
|
235
|
-
static void alts_cancel_check_call_host(grpc_channel_security_connector* sc,
|
|
236
|
-
grpc_closure* on_call_host_checked,
|
|
237
|
-
grpc_error* error) {
|
|
238
|
-
GRPC_ERROR_UNREF(error);
|
|
239
|
-
}
|
|
240
|
-
|
|
241
|
-
grpc_security_status grpc_alts_channel_security_connector_create(
|
|
242
|
-
grpc_channel_credentials* channel_creds,
|
|
243
|
-
grpc_call_credentials* request_metadata_creds, const char* target_name,
|
|
244
|
-
grpc_channel_security_connector** sc) {
|
|
245
|
-
if (channel_creds == nullptr || sc == nullptr || target_name == nullptr) {
|
|
238
|
+
grpc_core::RefCountedPtr<grpc_channel_security_connector>
|
|
239
|
+
grpc_alts_channel_security_connector_create(
|
|
240
|
+
grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
|
|
241
|
+
grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
|
|
242
|
+
const char* target_name) {
|
|
243
|
+
if (channel_creds == nullptr || target_name == nullptr) {
|
|
246
244
|
gpr_log(
|
|
247
245
|
GPR_ERROR,
|
|
248
246
|
"Invalid arguments to grpc_alts_channel_security_connector_create()");
|
|
249
|
-
return
|
|
247
|
+
return nullptr;
|
|
250
248
|
}
|
|
251
|
-
|
|
252
|
-
|
|
253
|
-
gpr_ref_init(&c->base.base.refcount, 1);
|
|
254
|
-
c->base.base.vtable = &alts_channel_vtable;
|
|
255
|
-
c->base.add_handshakers = alts_channel_add_handshakers;
|
|
256
|
-
c->base.channel_creds = grpc_channel_credentials_ref(channel_creds);
|
|
257
|
-
c->base.request_metadata_creds =
|
|
258
|
-
grpc_call_credentials_ref(request_metadata_creds);
|
|
259
|
-
c->base.check_call_host = alts_check_call_host;
|
|
260
|
-
c->base.cancel_check_call_host = alts_cancel_check_call_host;
|
|
261
|
-
grpc_alts_credentials* creds =
|
|
262
|
-
reinterpret_cast<grpc_alts_credentials*>(c->base.channel_creds);
|
|
263
|
-
alts_set_rpc_protocol_versions(&creds->options->rpc_versions);
|
|
264
|
-
c->target_name = gpr_strdup(target_name);
|
|
265
|
-
*sc = &c->base;
|
|
266
|
-
return GRPC_SECURITY_OK;
|
|
249
|
+
return grpc_core::MakeRefCounted<grpc_alts_channel_security_connector>(
|
|
250
|
+
std::move(channel_creds), std::move(request_metadata_creds), target_name);
|
|
267
251
|
}
|
|
268
252
|
|
|
269
|
-
|
|
270
|
-
|
|
271
|
-
|
|
272
|
-
if (server_creds == nullptr
|
|
253
|
+
grpc_core::RefCountedPtr<grpc_server_security_connector>
|
|
254
|
+
grpc_alts_server_security_connector_create(
|
|
255
|
+
grpc_core::RefCountedPtr<grpc_server_credentials> server_creds) {
|
|
256
|
+
if (server_creds == nullptr) {
|
|
273
257
|
gpr_log(
|
|
274
258
|
GPR_ERROR,
|
|
275
259
|
"Invalid arguments to grpc_alts_server_security_connector_create()");
|
|
276
|
-
return
|
|
260
|
+
return nullptr;
|
|
277
261
|
}
|
|
278
|
-
|
|
279
|
-
|
|
280
|
-
gpr_ref_init(&c->base.base.refcount, 1);
|
|
281
|
-
c->base.base.vtable = &alts_server_vtable;
|
|
282
|
-
c->base.server_creds = grpc_server_credentials_ref(server_creds);
|
|
283
|
-
c->base.add_handshakers = alts_server_add_handshakers;
|
|
284
|
-
grpc_alts_server_credentials* creds =
|
|
285
|
-
reinterpret_cast<grpc_alts_server_credentials*>(c->base.server_creds);
|
|
286
|
-
alts_set_rpc_protocol_versions(&creds->options->rpc_versions);
|
|
287
|
-
*sc = &c->base;
|
|
288
|
-
return GRPC_SECURITY_OK;
|
|
262
|
+
return grpc_core::MakeRefCounted<grpc_alts_server_security_connector>(
|
|
263
|
+
std::move(server_creds));
|
|
289
264
|
}
|