grpc 1.26.0 → 1.27.0.pre1
- checksums.yaml +4 -4
- data/Makefile +1654 -1519
- data/etc/roots.pem +44 -0
- data/include/grpc/grpc_security.h +37 -15
- data/include/grpc/grpc_security_constants.h +27 -0
- data/include/grpc/impl/codegen/grpc_types.h +14 -0
- data/include/grpc/impl/codegen/port_platform.h +1 -1
- data/src/core/ext/filters/client_channel/client_channel.cc +0 -20
- data/src/core/ext/filters/client_channel/http_proxy.cc +4 -4
- data/src/core/ext/filters/client_channel/lb_policy.cc +4 -3
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +191 -201
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.cc +89 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.h +40 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +3 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.cc +88 -121
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.h +28 -57
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +0 -7
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +8 -9
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.cc +53 -34
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +18 -5
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +24 -19
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +2 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.cc +4 -2
- data/src/core/ext/filters/client_channel/server_address.cc +6 -9
- data/src/core/ext/filters/client_channel/server_address.h +3 -10
- data/src/core/ext/filters/client_channel/xds/xds_api.cc +394 -150
- data/src/core/ext/filters/client_channel/xds/xds_api.h +75 -35
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.cc +59 -22
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.h +13 -9
- data/src/core/ext/filters/client_channel/xds/xds_channel_secure.cc +8 -6
- data/src/core/ext/filters/client_channel/xds/xds_client.cc +456 -175
- data/src/core/ext/filters/client_channel/xds/xds_client.h +33 -21
- data/src/core/ext/filters/client_channel/xds/xds_client_stats.cc +5 -8
- data/src/core/ext/filters/client_channel/xds/xds_client_stats.h +18 -24
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +2 -2
- data/src/core/ext/upb-generated/src/proto/grpc/lb/v1/load_balancer.upb.c +13 -5
- data/src/core/ext/upb-generated/src/proto/grpc/lb/v1/load_balancer.upb.h +34 -0
- data/src/core/lib/channel/channelz.h +11 -1
- data/src/core/lib/gpr/time_precise.cc +1 -1
- data/src/core/lib/gprpp/optional.h +26 -0
- data/src/core/lib/gprpp/string_view.h +14 -10
- data/src/core/lib/iomgr/executor.cc +1 -1
- data/src/core/lib/iomgr/fork_posix.cc +4 -0
- data/src/core/lib/iomgr/poller/eventmanager_libuv.cc +87 -0
- data/src/core/lib/iomgr/poller/eventmanager_libuv.h +88 -0
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +14 -0
- data/src/core/lib/iomgr/socket_utils_posix.h +12 -0
- data/src/core/lib/iomgr/tcp_custom.h +3 -0
- data/src/core/lib/iomgr/tcp_posix.cc +607 -56
- data/src/core/lib/iomgr/tcp_server_custom.cc +15 -2
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +8 -0
- data/src/core/lib/json/json.h +11 -1
- data/src/core/lib/json/json_reader.cc +206 -28
- data/src/core/lib/json/json_writer.cc +111 -24
- data/src/core/lib/security/credentials/composite/composite_credentials.cc +7 -0
- data/src/core/lib/security/credentials/composite/composite_credentials.h +5 -1
- data/src/core/lib/security/credentials/credentials.h +10 -1
- data/src/core/lib/security/credentials/fake/fake_credentials.h +2 -1
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +1 -1
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +6 -4
- data/src/core/lib/security/credentials/plugin/plugin_credentials.h +2 -1
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc +20 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h +8 -0
- data/src/core/lib/security/credentials/tls/{spiffe_credentials.cc → tls_credentials.cc} +23 -24
- data/src/core/lib/security/credentials/tls/{spiffe_credentials.h → tls_credentials.h} +9 -9
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +13 -0
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +22 -2
- data/src/core/lib/security/security_connector/load_system_roots_fallback.cc +2 -2
- data/src/core/lib/security/security_connector/load_system_roots_linux.cc +2 -2
- data/src/core/lib/security/security_connector/local/local_security_connector.cc +30 -3
- data/src/core/lib/security/security_connector/ssl_utils.cc +45 -3
- data/src/core/lib/security/security_connector/ssl_utils.h +12 -0
- data/src/core/lib/security/security_connector/tls/{spiffe_security_connector.cc → tls_security_connector.cc} +82 -69
- data/src/core/lib/security/security_connector/tls/{spiffe_security_connector.h → tls_security_connector.h} +17 -18
- data/src/core/lib/security/transport/client_auth_filter.cc +33 -0
- data/src/core/lib/surface/completion_queue.cc +22 -1
- data/src/core/lib/surface/version.cc +1 -1
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +11 -1
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.h +1 -1
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc +3 -3
- data/src/core/tsi/fake_transport_security.cc +7 -3
- data/src/core/tsi/fake_transport_security.h +2 -0
- data/src/core/tsi/ssl_transport_security.cc +144 -8
- data/src/core/tsi/ssl_transport_security.h +15 -1
- data/src/core/tsi/transport_security.cc +13 -0
- data/src/core/tsi/transport_security_grpc.cc +2 -2
- data/src/core/tsi/transport_security_grpc.h +2 -2
- data/src/core/tsi/transport_security_interface.h +12 -0
- data/src/ruby/bin/math_pb.rb +5 -5
- data/src/ruby/ext/grpc/rb_call_credentials.c +4 -1
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +2 -0
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +4 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/grpc/health/v1/health_pb.rb +3 -3
- data/src/ruby/pb/src/proto/grpc/testing/empty_pb.rb +1 -1
- data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +23 -13
- data/third_party/abseil-cpp/absl/algorithm/algorithm.h +159 -0
- data/third_party/abseil-cpp/absl/base/attributes.h +609 -0
- data/third_party/abseil-cpp/absl/base/call_once.h +226 -0
- data/third_party/abseil-cpp/absl/base/casts.h +184 -0
- data/third_party/abseil-cpp/absl/base/config.h +622 -0
- data/third_party/abseil-cpp/absl/base/const_init.h +76 -0
- data/third_party/abseil-cpp/absl/base/dynamic_annotations.cc +129 -0
- data/third_party/abseil-cpp/absl/base/dynamic_annotations.h +389 -0
- data/third_party/abseil-cpp/absl/base/internal/atomic_hook.h +179 -0
- data/third_party/abseil-cpp/absl/base/internal/bits.h +218 -0
- data/third_party/abseil-cpp/absl/base/internal/cycleclock.cc +107 -0
- data/third_party/abseil-cpp/absl/base/internal/cycleclock.h +94 -0
- data/third_party/abseil-cpp/absl/base/internal/endian.h +266 -0
- data/third_party/abseil-cpp/absl/base/internal/hide_ptr.h +51 -0
- data/third_party/abseil-cpp/absl/base/internal/identity.h +37 -0
- data/third_party/abseil-cpp/absl/base/internal/inline_variable.h +107 -0
- data/third_party/abseil-cpp/absl/base/internal/invoke.h +187 -0
- data/third_party/abseil-cpp/absl/base/internal/low_level_scheduling.h +107 -0
- data/third_party/abseil-cpp/absl/base/internal/per_thread_tls.h +52 -0
- data/third_party/abseil-cpp/absl/base/internal/raw_logging.cc +237 -0
- data/third_party/abseil-cpp/absl/base/internal/raw_logging.h +179 -0
- data/third_party/abseil-cpp/absl/base/internal/scheduling_mode.h +58 -0
- data/third_party/abseil-cpp/absl/base/internal/spinlock.cc +233 -0
- data/third_party/abseil-cpp/absl/base/internal/spinlock.h +243 -0
- data/third_party/abseil-cpp/absl/base/internal/spinlock_akaros.inc +35 -0
- data/third_party/abseil-cpp/absl/base/internal/spinlock_linux.inc +67 -0
- data/third_party/abseil-cpp/absl/base/internal/spinlock_posix.inc +46 -0
- data/third_party/abseil-cpp/absl/base/internal/spinlock_wait.cc +81 -0
- data/third_party/abseil-cpp/absl/base/internal/spinlock_wait.h +93 -0
- data/third_party/abseil-cpp/absl/base/internal/spinlock_win32.inc +37 -0
- data/third_party/abseil-cpp/absl/base/internal/sysinfo.cc +414 -0
- data/third_party/abseil-cpp/absl/base/internal/sysinfo.h +66 -0
- data/third_party/abseil-cpp/absl/base/internal/thread_annotations.h +271 -0
- data/third_party/abseil-cpp/absl/base/internal/thread_identity.cc +140 -0
- data/third_party/abseil-cpp/absl/base/internal/thread_identity.h +250 -0
- data/third_party/abseil-cpp/absl/base/internal/throw_delegate.cc +108 -0
- data/third_party/abseil-cpp/absl/base/internal/throw_delegate.h +75 -0
- data/third_party/abseil-cpp/absl/base/internal/tsan_mutex_interface.h +66 -0
- data/third_party/abseil-cpp/absl/base/internal/unaligned_access.h +158 -0
- data/third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.cc +103 -0
- data/third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.h +124 -0
- data/third_party/abseil-cpp/absl/base/log_severity.cc +27 -0
- data/third_party/abseil-cpp/absl/base/log_severity.h +121 -0
- data/third_party/abseil-cpp/absl/base/macros.h +220 -0
- data/third_party/abseil-cpp/absl/base/optimization.h +181 -0
- data/third_party/abseil-cpp/absl/base/options.h +214 -0
- data/third_party/abseil-cpp/absl/base/policy_checks.h +111 -0
- data/third_party/abseil-cpp/absl/base/port.h +26 -0
- data/third_party/abseil-cpp/absl/base/thread_annotations.h +280 -0
- data/third_party/abseil-cpp/absl/container/inlined_vector.h +848 -0
- data/third_party/abseil-cpp/absl/container/internal/compressed_tuple.h +265 -0
- data/third_party/abseil-cpp/absl/container/internal/inlined_vector.h +892 -0
- data/third_party/abseil-cpp/absl/memory/memory.h +695 -0
- data/third_party/abseil-cpp/absl/meta/type_traits.h +759 -0
- data/third_party/abseil-cpp/absl/numeric/int128.cc +404 -0
- data/third_party/abseil-cpp/absl/numeric/int128.h +1091 -0
- data/third_party/abseil-cpp/absl/numeric/int128_have_intrinsic.inc +302 -0
- data/third_party/abseil-cpp/absl/numeric/int128_no_intrinsic.inc +308 -0
- data/third_party/abseil-cpp/absl/strings/ascii.cc +200 -0
- data/third_party/abseil-cpp/absl/strings/ascii.h +241 -0
- data/third_party/abseil-cpp/absl/strings/charconv.cc +985 -0
- data/third_party/abseil-cpp/absl/strings/charconv.h +119 -0
- data/third_party/abseil-cpp/absl/strings/escaping.cc +949 -0
- data/third_party/abseil-cpp/absl/strings/escaping.h +164 -0
- data/third_party/abseil-cpp/absl/strings/internal/char_map.h +156 -0
- data/third_party/abseil-cpp/absl/strings/internal/charconv_bigint.cc +359 -0
- data/third_party/abseil-cpp/absl/strings/internal/charconv_bigint.h +421 -0
- data/third_party/abseil-cpp/absl/strings/internal/charconv_parse.cc +504 -0
- data/third_party/abseil-cpp/absl/strings/internal/charconv_parse.h +99 -0
- data/third_party/abseil-cpp/absl/strings/internal/escaping.cc +180 -0
- data/third_party/abseil-cpp/absl/strings/internal/escaping.h +58 -0
- data/third_party/abseil-cpp/absl/strings/internal/memutil.cc +112 -0
- data/third_party/abseil-cpp/absl/strings/internal/memutil.h +148 -0
- data/third_party/abseil-cpp/absl/strings/internal/ostringstream.cc +36 -0
- data/third_party/abseil-cpp/absl/strings/internal/ostringstream.h +89 -0
- data/third_party/abseil-cpp/absl/strings/internal/resize_uninitialized.h +73 -0
- data/third_party/abseil-cpp/absl/strings/internal/stl_type_traits.h +248 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_join_internal.h +314 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_split_internal.h +455 -0
- data/third_party/abseil-cpp/absl/strings/internal/utf8.cc +53 -0
- data/third_party/abseil-cpp/absl/strings/internal/utf8.h +50 -0
- data/third_party/abseil-cpp/absl/strings/match.cc +40 -0
- data/third_party/abseil-cpp/absl/strings/match.h +90 -0
- data/third_party/abseil-cpp/absl/strings/numbers.cc +916 -0
- data/third_party/abseil-cpp/absl/strings/numbers.h +263 -0
- data/third_party/abseil-cpp/absl/strings/str_cat.cc +246 -0
- data/third_party/abseil-cpp/absl/strings/str_cat.h +408 -0
- data/third_party/abseil-cpp/absl/strings/str_join.h +293 -0
- data/third_party/abseil-cpp/absl/strings/str_replace.cc +82 -0
- data/third_party/abseil-cpp/absl/strings/str_replace.h +219 -0
- data/third_party/abseil-cpp/absl/strings/str_split.cc +139 -0
- data/third_party/abseil-cpp/absl/strings/str_split.h +513 -0
- data/third_party/abseil-cpp/absl/strings/string_view.cc +235 -0
- data/third_party/abseil-cpp/absl/strings/string_view.h +615 -0
- data/third_party/abseil-cpp/absl/strings/strip.h +91 -0
- data/third_party/abseil-cpp/absl/strings/substitute.cc +171 -0
- data/third_party/abseil-cpp/absl/strings/substitute.h +693 -0
- data/third_party/abseil-cpp/absl/types/bad_optional_access.cc +48 -0
- data/third_party/abseil-cpp/absl/types/bad_optional_access.h +78 -0
- data/third_party/abseil-cpp/absl/types/internal/optional.h +396 -0
- data/third_party/abseil-cpp/absl/types/internal/span.h +128 -0
- data/third_party/abseil-cpp/absl/types/optional.h +776 -0
- data/third_party/abseil-cpp/absl/types/span.h +713 -0
- data/third_party/abseil-cpp/absl/utility/utility.h +350 -0
- data/third_party/upb/upb/decode.c +4 -0
- data/third_party/upb/upb/port.c +0 -1
- data/third_party/upb/upb/port_def.inc +1 -3
- data/third_party/upb/upb/table.c +2 -1
- metadata +147 -43
- data/src/core/lib/json/json_common.h +0 -34
- data/src/core/lib/json/json_reader.h +0 -146
- data/src/core/lib/json/json_string.cc +0 -367
- data/src/core/lib/json/json_writer.h +0 -84
@@ -151,6 +151,13 @@ grpc_composite_call_credentials::grpc_composite_call_credentials(
|
|
151
151
|
inner_.reserve(size);
|
152
152
|
push_to_inner(std::move(creds1), creds1_is_composite);
|
153
153
|
push_to_inner(std::move(creds2), creds2_is_composite);
|
154
|
+
min_security_level_ = GRPC_SECURITY_NONE;
|
155
|
+
for (size_t i = 0; i < inner_.size(); ++i) {
|
156
|
+
if (static_cast<int>(min_security_level_) <
|
157
|
+
static_cast<int>(inner_[i]->min_security_level())) {
|
158
|
+
min_security_level_ = inner_[i]->min_security_level();
|
159
|
+
}
|
160
|
+
}
|
154
161
|
}
|
155
162
|
|
156
163
|
static grpc_core::RefCountedPtr<grpc_call_credentials>
|
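Review bot: Nothing in the new loop at lines 155-160 says why the composite takes the highest level among its components, and the index loop hides that it is a plain maximum; a one-line comment such as `// The composite reports the strictest level any of its components declares.` above `min_security_level_ = GRPC_SECURITY_NONE;` would make the intent clear. A range-for, `for (const auto& creds : inner_) {`, with `creds->min_security_level()` in place of the two `inner_[i]` lookups reads as a maximum at a glance. Note also that the `min_security_level_` member this loop writes (added in the header hunk of this file) shares its name with the base class's private field of the same name, so the base copy, set to the constructor default, goes unused for composites; a short comment on the derived member would save the next reader from looking for a shadowing bug. The constructor's signature and the rest of its body are outside the hunk.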
@@ -86,12 +86,16 @@ class grpc_composite_call_credentials : public grpc_call_credentials {
|
|
86
86
|
void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
|
87
87
|
grpc_error* error) override;
|
88
88
|
|
89
|
+
grpc_security_level min_security_level() const override {
|
90
|
+
return min_security_level_;
|
91
|
+
}
|
92
|
+
|
89
93
|
const CallCredentialsList& inner() const { return inner_; }
|
90
94
|
|
91
95
|
private:
|
92
96
|
void push_to_inner(grpc_core::RefCountedPtr<grpc_call_credentials> creds,
|
93
97
|
bool is_composite);
|
94
|
-
|
98
|
+
grpc_security_level min_security_level_;
|
95
99
|
CallCredentialsList inner_;
|
96
100
|
};
|
97
101
|
|
@@ -225,7 +225,11 @@ void grpc_credentials_mdelem_array_destroy(grpc_credentials_mdelem_array* list);
|
|
225
225
|
struct grpc_call_credentials
|
226
226
|
: public grpc_core::RefCounted<grpc_call_credentials> {
|
227
227
|
public:
|
228
|
-
explicit grpc_call_credentials(
|
228
|
+
explicit grpc_call_credentials(
|
229
|
+
const char* type,
|
230
|
+
grpc_security_level min_security_level = GRPC_PRIVACY_AND_INTEGRITY)
|
231
|
+
: type_(type), min_security_level_(min_security_level) {}
|
232
|
+
|
229
233
|
virtual ~grpc_call_credentials() = default;
|
230
234
|
|
231
235
|
// Returns true if completed synchronously, in which case \a error will
|
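Review bot: The new `min_security_level` constructor parameter and its default of `GRPC_PRIVACY_AND_INTEGRITY` are undocumented, and because the default is the strictest value, a subclass that does not pass a level presumably becomes usable only on fully protected transports; that is the safe direction, but it should be written down next to the declaration rather than left to the reader to infer from the composite's maximum. Suggest a comment above the constructor along the lines of `// min_security_level: lowest transport security level these credentials may be sent over (enforced by the auth filter, confirm); defaults to the strictest level so credentials that do not declare one fail closed.` The same applies to the virtual `min_security_level()` accessor added in the next hunk of this file (`@@ -244,10 +248,15 @@`), which carries no comment either.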
@@ -244,10 +248,15 @@ struct grpc_call_credentials
|
|
244
248
|
virtual void cancel_get_request_metadata(
|
245
249
|
grpc_credentials_mdelem_array* md_array, grpc_error* error) = 0;
|
246
250
|
|
251
|
+
virtual grpc_security_level min_security_level() const {
|
252
|
+
return min_security_level_;
|
253
|
+
}
|
254
|
+
|
247
255
|
const char* type() const { return type_; }
|
248
256
|
|
249
257
|
private:
|
250
258
|
const char* type_;
|
259
|
+
const grpc_security_level min_security_level_;
|
251
260
|
};
|
252
261
|
|
253
262
|
/* Metadata-only credentials with the specified key and value where
|
@@ -59,7 +59,8 @@ class grpc_md_only_test_credentials : public grpc_call_credentials {
|
|
59
59
|
public:
|
60
60
|
grpc_md_only_test_credentials(const char* md_key, const char* md_value,
|
61
61
|
bool is_async)
|
62
|
-
: grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_OAUTH2
|
62
|
+
: grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_OAUTH2,
|
63
|
+
GRPC_SECURITY_NONE),
|
63
64
|
md_(grpc_mdelem_from_slices(grpc_slice_from_copied_string(md_key),
|
64
65
|
grpc_slice_from_copied_string(md_value))),
|
65
66
|
is_async_(is_async) {}
|
@@ -611,7 +611,7 @@ class StsTokenFetcherCredentials
|
|
611
611
|
MaybeAddToBody(&body_strvec, "scope", scope_.get());
|
612
612
|
MaybeAddToBody(&body_strvec, "requested_token_type",
|
613
613
|
requested_token_type_.get());
|
614
|
-
if (actor_token_path_ != nullptr) {
|
614
|
+
if ((actor_token_path_ != nullptr) && *actor_token_path_ != '\0') {
|
615
615
|
err = LoadTokenFile(actor_token_path_.get(), &actor_token);
|
616
616
|
if (err != GRPC_ERROR_NONE) return cleanup();
|
617
617
|
MaybeAddToBody(
|
@@ -240,15 +240,17 @@ void grpc_plugin_credentials::cancel_get_request_metadata(
|
|
240
240
|
}
|
241
241
|
|
242
242
|
grpc_plugin_credentials::grpc_plugin_credentials(
|
243
|
-
grpc_metadata_credentials_plugin plugin
|
244
|
-
|
243
|
+
grpc_metadata_credentials_plugin plugin,
|
244
|
+
grpc_security_level min_security_level)
|
245
|
+
: grpc_call_credentials(plugin.type, min_security_level), plugin_(plugin) {
|
245
246
|
gpr_mu_init(&mu_);
|
246
247
|
}
|
247
248
|
|
248
249
|
grpc_call_credentials* grpc_metadata_credentials_create_from_plugin(
|
249
|
-
grpc_metadata_credentials_plugin plugin,
|
250
|
+
grpc_metadata_credentials_plugin plugin,
|
251
|
+
grpc_security_level min_security_level, void* reserved) {
|
250
252
|
GRPC_API_TRACE("grpc_metadata_credentials_create_from_plugin(reserved=%p)", 1,
|
251
253
|
(reserved));
|
252
254
|
GPR_ASSERT(reserved == nullptr);
|
253
|
-
return new grpc_plugin_credentials(plugin);
|
255
|
+
return new grpc_plugin_credentials(plugin, min_security_level);
|
254
256
|
}
|
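Review bot: `grpc_metadata_credentials_create_from_plugin` is an exported C function and the added `min_security_level` parameter changes its signature, so every caller of the old two-argument form breaks at compile time; the diffstat shows the Ruby binding (`rb_call_credentials.c`) was updated, but the public header comment should say what the new argument means and what values it accepts. The API trace on the line after the signature still records only `reserved`, so the level chosen by the caller never appears in the trace; `GRPC_API_TRACE("grpc_metadata_credentials_create_from_plugin(min_security_level=%d, reserved=%p)", 2, (min_security_level, reserved));` would log it. The value is also stored without a range check even though it arrives through the C API, where a cast integer is not guaranteed to be one of the enumerators; a bounds comparison before constructing the credentials would reject such values instead of carrying them into the auth filter.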
@@ -39,7 +39,8 @@ struct grpc_plugin_credentials final : public grpc_call_credentials {
|
|
39
39
|
struct pending_request* next;
|
40
40
|
};
|
41
41
|
|
42
|
-
explicit grpc_plugin_credentials(grpc_metadata_credentials_plugin plugin
|
42
|
+
explicit grpc_plugin_credentials(grpc_metadata_credentials_plugin plugin,
|
43
|
+
grpc_security_level min_security_level);
|
43
44
|
~grpc_plugin_credentials() override;
|
44
45
|
|
45
46
|
bool get_request_metadata(grpc_polling_entity* pollent,
|
@@ -92,6 +92,26 @@ int grpc_tls_credentials_options_set_cert_request_type(
|
|
92
92
|
return 1;
|
93
93
|
}
|
94
94
|
|
95
|
+
int grpc_tls_credentials_options_set_server_verification_option(
|
96
|
+
grpc_tls_credentials_options* options,
|
97
|
+
grpc_tls_server_verification_option server_verification_option) {
|
98
|
+
if (options == nullptr) {
|
99
|
+
gpr_log(GPR_ERROR,
|
100
|
+
"Invalid nullptr arguments to "
|
101
|
+
"grpc_tls_credentials_options_set_server_verification_option()");
|
102
|
+
return 0;
|
103
|
+
}
|
104
|
+
if (server_verification_option != GRPC_TLS_SERVER_VERIFICATION &&
|
105
|
+
options->server_authorization_check_config() == nullptr) {
|
106
|
+
gpr_log(GPR_ERROR,
|
107
|
+
"server_authorization_check_config needs to be specified when"
|
108
|
+
"server_verification_option is not GRPC_TLS_SERVER_VERIFICATION");
|
109
|
+
return 0;
|
110
|
+
}
|
111
|
+
options->set_server_verification_option(server_verification_option);
|
112
|
+
return 1;
|
113
|
+
}
|
114
|
+
|
95
115
|
int grpc_tls_credentials_options_set_key_materials_config(
|
96
116
|
grpc_tls_credentials_options* options,
|
97
117
|
grpc_tls_key_materials_config* config) {
|
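Review bot: The two string literals in the second `gpr_log` are concatenated without a separator, so the message reads `...needs to be specified whenserver_verification_option is not...`; change the first literal to `"server_authorization_check_config needs to be specified when "`. The check also makes the call order-dependent: the option is rejected unless `server_authorization_check_config` was already set on `options`, which is worth stating in the function's header comment so a caller that sets the verification option first does not get a silent `0`. Like the sibling setters in this file, the function does not verify that `server_verification_option` is one of the enum's values before storing it.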
@@ -234,6 +234,9 @@ struct grpc_tls_credentials_options
|
|
234
234
|
grpc_ssl_client_certificate_request_type cert_request_type() const {
|
235
235
|
return cert_request_type_;
|
236
236
|
}
|
237
|
+
grpc_tls_server_verification_option server_verification_option() const {
|
238
|
+
return server_verification_option_;
|
239
|
+
}
|
237
240
|
grpc_tls_key_materials_config* key_materials_config() const {
|
238
241
|
return key_materials_config_.get();
|
239
242
|
}
|
@@ -250,6 +253,10 @@ struct grpc_tls_credentials_options
|
|
250
253
|
const grpc_ssl_client_certificate_request_type type) {
|
251
254
|
cert_request_type_ = type;
|
252
255
|
}
|
256
|
+
void set_server_verification_option(
|
257
|
+
const grpc_tls_server_verification_option server_verification_option) {
|
258
|
+
server_verification_option_ = server_verification_option;
|
259
|
+
}
|
253
260
|
void set_key_materials_config(
|
254
261
|
grpc_core::RefCountedPtr<grpc_tls_key_materials_config> config) {
|
255
262
|
key_materials_config_ = std::move(config);
|
@@ -266,6 +273,7 @@ struct grpc_tls_credentials_options
|
|
266
273
|
|
267
274
|
private:
|
268
275
|
grpc_ssl_client_certificate_request_type cert_request_type_;
|
276
|
+
grpc_tls_server_verification_option server_verification_option_;
|
269
277
|
grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_;
|
270
278
|
grpc_core::RefCountedPtr<grpc_tls_credential_reload_config>
|
271
279
|
credential_reload_config_;
|
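Review bot: `server_verification_option_` is added without an in-class initializer, so unless the constructor (outside this hunk) sets it, the getter returns an indeterminate value and a TLS client could end up with a verification mode it never asked for; the neighbouring `cert_request_type_` has the same shape, so presumably the constructor initializes both, but that is worth confirming. An in-class default, `grpc_tls_server_verification_option server_verification_option_ = GRPC_TLS_SERVER_VERIFICATION;`, makes full verification the default regardless of what the constructor does.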
@@ -18,7 +18,7 @@
|
|
18
18
|
|
19
19
|
#include <grpc/support/port_platform.h>
|
20
20
|
|
21
|
-
#include "src/core/lib/security/credentials/tls/
|
21
|
+
#include "src/core/lib/security/credentials/tls/tls_credentials.h"
|
22
22
|
|
23
23
|
#include <cstring>
|
24
24
|
|
@@ -28,24 +28,23 @@
|
|
28
28
|
#include <grpc/support/string_util.h>
|
29
29
|
|
30
30
|
#include "src/core/lib/channel/channel_args.h"
|
31
|
-
#include "src/core/lib/security/security_connector/tls/
|
31
|
+
#include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
|
32
32
|
|
33
|
-
#define
|
33
|
+
#define GRPC_CREDENTIALS_TYPE_TLS "Tls"
|
34
34
|
|
35
35
|
namespace {
|
36
36
|
|
37
37
|
bool CredentialOptionSanityCheck(const grpc_tls_credentials_options* options,
|
38
38
|
bool is_client) {
|
39
39
|
if (options == nullptr) {
|
40
|
-
gpr_log(GPR_ERROR, "
|
40
|
+
gpr_log(GPR_ERROR, "TLS credentials options is nullptr.");
|
41
41
|
return false;
|
42
42
|
}
|
43
43
|
if (options->key_materials_config() == nullptr &&
|
44
44
|
options->credential_reload_config() == nullptr) {
|
45
|
-
gpr_log(
|
46
|
-
|
47
|
-
|
48
|
-
"credential reload config.");
|
45
|
+
gpr_log(GPR_ERROR,
|
46
|
+
"TLS credentials options must specify either key materials or "
|
47
|
+
"credential reload config.");
|
49
48
|
return false;
|
50
49
|
}
|
51
50
|
if (!is_client && options->server_authorization_check_config() != nullptr) {
|
@@ -58,15 +57,15 @@ bool CredentialOptionSanityCheck(const grpc_tls_credentials_options* options,
|
|
58
57
|
|
59
58
|
} // namespace
|
60
59
|
|
61
|
-
|
60
|
+
TlsCredentials::TlsCredentials(
|
62
61
|
grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)
|
63
|
-
: grpc_channel_credentials(
|
62
|
+
: grpc_channel_credentials(GRPC_CREDENTIALS_TYPE_TLS),
|
64
63
|
options_(std::move(options)) {}
|
65
64
|
|
66
|
-
|
65
|
+
TlsCredentials::~TlsCredentials() {}
|
67
66
|
|
68
67
|
grpc_core::RefCountedPtr<grpc_channel_security_connector>
|
69
|
-
|
68
|
+
TlsCredentials::create_security_connector(
|
70
69
|
grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
|
71
70
|
const char* target_name, const grpc_channel_args* args,
|
72
71
|
grpc_channel_args** new_args) {
|
@@ -84,8 +83,8 @@ SpiffeCredentials::create_security_connector(
|
|
84
83
|
static_cast<tsi_ssl_session_cache*>(arg->value.pointer.p);
|
85
84
|
}
|
86
85
|
}
|
87
|
-
grpc_core::RefCountedPtr<grpc_channel_security_connector> sc =
|
88
|
-
|
86
|
+
grpc_core::RefCountedPtr<grpc_channel_security_connector> sc =
|
87
|
+
grpc_core::TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
|
89
88
|
this->Ref(), std::move(call_creds), target_name,
|
90
89
|
overridden_target_name, ssl_session_cache);
|
91
90
|
if (sc == nullptr) {
|
@@ -97,33 +96,33 @@ SpiffeCredentials::create_security_connector(
|
|
97
96
|
return sc;
|
98
97
|
}
|
99
98
|
|
100
|
-
|
99
|
+
TlsServerCredentials::TlsServerCredentials(
|
101
100
|
grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)
|
102
|
-
: grpc_server_credentials(
|
101
|
+
: grpc_server_credentials(GRPC_CREDENTIALS_TYPE_TLS),
|
103
102
|
options_(std::move(options)) {}
|
104
103
|
|
105
|
-
|
104
|
+
TlsServerCredentials::~TlsServerCredentials() {}
|
106
105
|
|
107
106
|
grpc_core::RefCountedPtr<grpc_server_security_connector>
|
108
|
-
|
109
|
-
return grpc_core::
|
110
|
-
|
107
|
+
TlsServerCredentials::create_security_connector() {
|
108
|
+
return grpc_core::TlsServerSecurityConnector::
|
109
|
+
CreateTlsServerSecurityConnector(this->Ref());
|
111
110
|
}
|
112
111
|
|
113
|
-
grpc_channel_credentials*
|
112
|
+
grpc_channel_credentials* grpc_tls_credentials_create(
|
114
113
|
grpc_tls_credentials_options* options) {
|
115
114
|
if (!CredentialOptionSanityCheck(options, true /* is_client */)) {
|
116
115
|
return nullptr;
|
117
116
|
}
|
118
|
-
return new
|
117
|
+
return new TlsCredentials(
|
119
118
|
grpc_core::RefCountedPtr<grpc_tls_credentials_options>(options));
|
120
119
|
}
|
121
120
|
|
122
|
-
grpc_server_credentials*
|
121
|
+
grpc_server_credentials* grpc_tls_server_credentials_create(
|
123
122
|
grpc_tls_credentials_options* options) {
|
124
123
|
if (!CredentialOptionSanityCheck(options, false /* is_client */)) {
|
125
124
|
return nullptr;
|
126
125
|
}
|
127
|
-
return new
|
126
|
+
return new TlsServerCredentials(
|
128
127
|
grpc_core::RefCountedPtr<grpc_tls_credentials_options>(options));
|
129
128
|
}
|
@@ -16,8 +16,8 @@
|
|
16
16
|
*
|
17
17
|
*/
|
18
18
|
|
19
|
-
#ifndef
|
20
|
-
#define
|
19
|
+
#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_TLS_CREDENTIALS_H
|
20
|
+
#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_TLS_CREDENTIALS_H
|
21
21
|
|
22
22
|
#include <grpc/support/port_platform.h>
|
23
23
|
|
@@ -26,11 +26,11 @@
|
|
26
26
|
#include "src/core/lib/security/credentials/credentials.h"
|
27
27
|
#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
|
28
28
|
|
29
|
-
class
|
29
|
+
class TlsCredentials final : public grpc_channel_credentials {
|
30
30
|
public:
|
31
|
-
explicit
|
31
|
+
explicit TlsCredentials(
|
32
32
|
grpc_core::RefCountedPtr<grpc_tls_credentials_options> options);
|
33
|
-
~
|
33
|
+
~TlsCredentials() override;
|
34
34
|
|
35
35
|
grpc_core::RefCountedPtr<grpc_channel_security_connector>
|
36
36
|
create_security_connector(
|
@@ -44,11 +44,11 @@ class SpiffeCredentials final : public grpc_channel_credentials {
|
|
44
44
|
grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
|
45
45
|
};
|
46
46
|
|
47
|
-
class
|
47
|
+
class TlsServerCredentials final : public grpc_server_credentials {
|
48
48
|
public:
|
49
|
-
explicit
|
49
|
+
explicit TlsServerCredentials(
|
50
50
|
grpc_core::RefCountedPtr<grpc_tls_credentials_options> options);
|
51
|
-
~
|
51
|
+
~TlsServerCredentials() override;
|
52
52
|
|
53
53
|
grpc_core::RefCountedPtr<grpc_server_security_connector>
|
54
54
|
create_security_connector() override;
|
@@ -59,4 +59,4 @@ class SpiffeServerCredentials final : public grpc_server_credentials {
|
|
59
59
|
grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
|
60
60
|
};
|
61
61
|
|
62
|
-
#endif /*
|
62
|
+
#endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_TLS_CREDENTIALS_H */
|
@@ -178,6 +178,13 @@ grpc_alts_auth_context_from_tsi_peer(const tsi_peer* peer) {
|
|
178
178
|
gpr_log(GPR_ERROR, "Invalid or missing certificate type property.");
|
179
179
|
return nullptr;
|
180
180
|
}
|
181
|
+
/* Check if security level exists. */
|
182
|
+
const tsi_peer_property* security_level_prop =
|
183
|
+
tsi_peer_get_property_by_name(peer, TSI_SECURITY_LEVEL_PEER_PROPERTY);
|
184
|
+
if (security_level_prop == nullptr) {
|
185
|
+
gpr_log(GPR_ERROR, "Missing security level property.");
|
186
|
+
return nullptr;
|
187
|
+
}
|
181
188
|
/* Validate RPC protocol versions. */
|
182
189
|
const tsi_peer_property* rpc_versions_prop =
|
183
190
|
tsi_peer_get_property_by_name(peer, TSI_ALTS_RPC_VERSIONS);
|
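Review bot: The new check only confirms that `TSI_SECURITY_LEVEL_PEER_PROPERTY` is present; its value is later copied verbatim into the auth context (hunk `@@ -232,6 +239,12 @@` of this file) without being compared against the known level strings, whereas the fake connector in this release validates the value it receives. If the ALTS handshaker is the only producer of the property this is probably fine, but a comment recording that assumption, e.g. `/* Only presence is checked; the value is assumed to come from the ALTS handshaker. */`, would stop the next reader from re-deriving it. `security_level_prop` is used only for the null test, so the lookup could go straight into the condition.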
@@ -232,6 +239,12 @@ grpc_alts_auth_context_from_tsi_peer(const tsi_peer* peer) {
|
|
232
239
|
tsi_prop->value.data,
|
233
240
|
tsi_prop->value.length);
|
234
241
|
}
|
242
|
+
/* Add security level to auth context. */
|
243
|
+
if (strcmp(tsi_prop->name, TSI_SECURITY_LEVEL_PEER_PROPERTY) == 0) {
|
244
|
+
grpc_auth_context_add_property(
|
245
|
+
ctx.get(), GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME,
|
246
|
+
tsi_prop->value.data, tsi_prop->value.length);
|
247
|
+
}
|
235
248
|
}
|
236
249
|
if (!grpc_auth_context_peer_is_authenticated(ctx.get())) {
|
237
250
|
gpr_log(GPR_ERROR, "Invalid unauthenticated peer.");
|
@@ -219,9 +219,9 @@ static void fake_check_peer(
|
|
219
219
|
const char* prop_name;
|
220
220
|
grpc_error* error = GRPC_ERROR_NONE;
|
221
221
|
*auth_context = nullptr;
|
222
|
-
if (peer.property_count !=
|
222
|
+
if (peer.property_count != 2) {
|
223
223
|
error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
|
224
|
-
"Fake peers should only have
|
224
|
+
"Fake peers should only have 2 properties.");
|
225
225
|
goto end;
|
226
226
|
}
|
227
227
|
prop_name = peer.properties[0].name;
|
@@ -240,10 +240,30 @@ static void fake_check_peer(
|
|
240
240
|
"Invalid value for cert type property.");
|
241
241
|
goto end;
|
242
242
|
}
|
243
|
+
prop_name = peer.properties[1].name;
|
244
|
+
if (prop_name == nullptr ||
|
245
|
+
strcmp(prop_name, TSI_SECURITY_LEVEL_PEER_PROPERTY) != 0) {
|
246
|
+
char* msg;
|
247
|
+
gpr_asprintf(&msg, "Unexpected property in fake peer: %s.",
|
248
|
+
prop_name == nullptr ? "<EMPTY>" : prop_name);
|
249
|
+
error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
|
250
|
+
gpr_free(msg);
|
251
|
+
goto end;
|
252
|
+
}
|
253
|
+
if (strncmp(peer.properties[1].value.data, TSI_FAKE_SECURITY_LEVEL,
|
254
|
+
peer.properties[1].value.length) != 0) {
|
255
|
+
error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
|
256
|
+
"Invalid value for security level property.");
|
257
|
+
goto end;
|
258
|
+
}
|
259
|
+
|
243
260
|
*auth_context = grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
|
244
261
|
grpc_auth_context_add_cstring_property(
|
245
262
|
auth_context->get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
|
246
263
|
GRPC_FAKE_TRANSPORT_SECURITY_TYPE);
|
264
|
+
grpc_auth_context_add_cstring_property(
|
265
|
+
auth_context->get(), GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME,
|
266
|
+
TSI_FAKE_SECURITY_LEVEL);
|
247
267
|
end:
|
248
268
|
grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
|
249
269
|
tsi_peer_destruct(&peer);
|
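Review bot: The value comparison at new lines 253-254 bounds `strncmp` by the property's own length, so a value that is a strict prefix of `TSI_FAKE_SECURITY_LEVEL` compares equal and is accepted; comparing the length as well closes that: `if (peer.properties[1].value.length != strlen(TSI_FAKE_SECURITY_LEVEL) || strncmp(peer.properties[1].value.data, TSI_FAKE_SECURITY_LEVEL, peer.properties[1].value.length) != 0) {`. This mirrors the existing cert-type comparison just above the hunk, so if that one has the same shape the same fix applies there. The fake transport is test-only, so the impact is the fidelity of the check rather than real peer authentication.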
@@ -21,7 +21,7 @@
|
|
21
21
|
#include <grpc/slice_buffer.h>
|
22
22
|
#include "src/core/lib/security/security_connector/load_system_roots.h"
|
23
23
|
|
24
|
-
#
|
24
|
+
#if !defined(GPR_LINUX) && !defined(GPR_ANDROID)
|
25
25
|
|
26
26
|
namespace grpc_core {
|
27
27
|
|
@@ -29,4 +29,4 @@ grpc_slice LoadSystemRootCerts() { return grpc_empty_slice(); }
|
|
29
29
|
|
30
30
|
} // namespace grpc_core
|
31
31
|
|
32
|
-
#endif /* GPR_LINUX */
|
32
|
+
#endif /* !(GPR_LINUX || GPR_ANDROID) */
|
@@ -21,7 +21,7 @@
|
|
21
21
|
#include <grpc/slice_buffer.h>
|
22
22
|
#include "src/core/lib/security/security_connector/load_system_roots_linux.h"
|
23
23
|
|
24
|
-
#
|
24
|
+
#if defined(GPR_LINUX) || defined(GPR_ANDROID)
|
25
25
|
|
26
26
|
#include "src/core/lib/security/security_connector/load_system_roots.h"
|
27
27
|
|
@@ -167,4 +167,4 @@ grpc_slice LoadSystemRootCerts() {
|
|
167
167
|
|
168
168
|
} // namespace grpc_core
|
169
169
|
|
170
|
-
#endif /* GPR_LINUX */
|
170
|
+
#endif /* GPR_LINUX || GPR_ANDROID */
|
@@ -46,7 +46,8 @@
|
|
46
46
|
|
47
47
|
namespace {
|
48
48
|
|
49
|
-
grpc_core::RefCountedPtr<grpc_auth_context> local_auth_context_create(
|
49
|
+
grpc_core::RefCountedPtr<grpc_auth_context> local_auth_context_create(
|
50
|
+
const tsi_peer* peer) {
|
50
51
|
/* Create auth context. */
|
51
52
|
grpc_core::RefCountedPtr<grpc_auth_context> ctx =
|
52
53
|
grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
|
@@ -55,10 +56,17 @@ grpc_core::RefCountedPtr<grpc_auth_context> local_auth_context_create() {
|
|
55
56
|
GRPC_LOCAL_TRANSPORT_SECURITY_TYPE);
|
56
57
|
GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
|
57
58
|
ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME) == 1);
|
59
|
+
GPR_ASSERT(peer->property_count == 1);
|
60
|
+
const tsi_peer_property* prop = &peer->properties[0];
|
61
|
+
GPR_ASSERT(prop != nullptr);
|
62
|
+
GPR_ASSERT(strcmp(prop->name, TSI_SECURITY_LEVEL_PEER_PROPERTY) == 0);
|
63
|
+
grpc_auth_context_add_property(ctx.get(),
|
64
|
+
GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME,
|
65
|
+
prop->value.data, prop->value.length);
|
58
66
|
return ctx;
|
59
67
|
}
|
60
68
|
|
61
|
-
void local_check_peer(grpc_security_connector*
|
69
|
+
void local_check_peer(grpc_security_connector* sc, tsi_peer peer,
|
62
70
|
grpc_endpoint* ep,
|
63
71
|
grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
|
64
72
|
grpc_closure* on_peer_checked,
|
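Review bot: `GPR_ASSERT(prop != nullptr)` on new line 61 can never fire: `prop` is the address of `peer->properties[0]`, and if `properties` were null the indexing itself would already be undefined; the useful check is `GPR_ASSERT(peer->properties != nullptr);` before taking the element. `GPR_ASSERT(peer->property_count == 1)` on line 59 also hard-codes the count that `local_check_peer` happens to build, so if the local handshaker ever yields a property of its own the process aborts rather than the handshake failing; looking the property up by name with `tsi_peer_get_property_by_name` and returning `nullptr` on a miss would be more robust. The function's opening lines are in the previous hunk.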
@@ -103,12 +111,31 @@ void local_check_peer(grpc_security_connector* /*sc*/, tsi_peer /*peer*/,
|
|
103
111
|
grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
|
104
112
|
return;
|
105
113
|
}
|
114
|
+
// Add TSI_SECURITY_LEVEL_PEER_PROPERTY type peer property.
|
115
|
+
size_t new_property_count = peer.property_count + 1;
|
116
|
+
tsi_peer_property* new_properties = static_cast<tsi_peer_property*>(
|
117
|
+
gpr_zalloc(sizeof(*new_properties) * new_property_count));
|
118
|
+
for (size_t i = 0; i < peer.property_count; i++) {
|
119
|
+
new_properties[i] = peer.properties[i];
|
120
|
+
}
|
121
|
+
if (peer.properties != nullptr) gpr_free(peer.properties);
|
122
|
+
peer.properties = new_properties;
|
123
|
+
const char* security_level =
|
124
|
+
type == LOCAL_TCP
|
125
|
+
? tsi_security_level_to_string(TSI_SECURITY_NONE)
|
126
|
+
: tsi_security_level_to_string(TSI_PRIVACY_AND_INTEGRITY);
|
127
|
+
tsi_result result = tsi_construct_string_peer_property_from_cstring(
|
128
|
+
TSI_SECURITY_LEVEL_PEER_PROPERTY, security_level,
|
129
|
+
&peer.properties[peer.property_count]);
|
130
|
+
if (result != TSI_OK) return;
|
131
|
+
peer.property_count++;
|
106
132
|
/* Create an auth context which is necessary to pass the santiy check in
|
107
133
|
* {client, server}_auth_filter that verifies if the peer's auth context is
|
108
134
|
* obtained during handshakes. The auth context is only checked for its
|
109
135
|
* existence and not actually used.
|
110
136
|
*/
|
111
|
-
*auth_context = local_auth_context_create();
|
137
|
+
*auth_context = local_auth_context_create(&peer);
|
138
|
+
tsi_peer_destruct(&peer);
|
112
139
|
error = *auth_context != nullptr ? GRPC_ERROR_NONE
|
113
140
|
: GRPC_ERROR_CREATE_FROM_STATIC_STRING(
|
114
141
|
"Could not create local auth context");
|
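Review bot: `if (result != TSI_OK) return;` at new line 130 leaves the handshake hanging: unlike the failure branch at the top of the hunk, it never runs `on_peer_checked`, and it returns without `tsi_peer_destruct(&peer)`, so the freshly allocated `new_properties` array leaks as well. Fail the same way the earlier branch does: set `error`, destruct the peer and dispatch the closure. The enclosing function starts before this hunk; `error` and `type` are declared there.
```cpp
  if (result != TSI_OK) {
    tsi_peer_destruct(&peer);
    error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
        "Could not add security level peer property");
    grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
    return;
  }
  peer.property_count++;
  // … unchanged: auth context creation and closure dispatch …
```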