grpc 1.28.0 → 1.30.2
- checksums.yaml +4 -4
- data/Makefile +7694 -11190
- data/include/grpc/grpc.h +2 -2
- data/include/grpc/grpc_security.h +30 -9
- data/include/grpc/grpc_security_constants.h +1 -0
- data/include/grpc/impl/codegen/grpc_types.h +19 -21
- data/include/grpc/impl/codegen/port_platform.h +6 -2
- data/include/grpc/module.modulemap +24 -39
- data/src/core/ext/filters/client_channel/backend_metric.cc +7 -4
- data/src/core/ext/filters/client_channel/client_channel.cc +212 -241
- data/src/core/ext/filters/client_channel/client_channel_plugin.cc +3 -2
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +7 -22
- data/src/core/ext/filters/client_channel/health/health_check_client.h +3 -3
- data/src/core/ext/filters/client_channel/http_proxy.cc +17 -10
- data/src/core/ext/filters/client_channel/lb_policy.cc +19 -18
- data/src/core/ext/filters/client_channel/lb_policy.h +42 -33
- data/src/core/ext/filters/client_channel/lb_policy/address_filtering.cc +83 -0
- data/src/core/ext/filters/client_channel/lb_policy/address_filtering.h +99 -0
- data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.cc +10 -4
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +240 -301
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.cc +89 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.h +40 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +11 -9
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.h +3 -2
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +871 -0
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +5 -11
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +734 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +84 -37
- data/src/core/ext/filters/client_channel/lb_policy/xds/eds.cc +938 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/lrs.cc +528 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.h +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_routing.cc +834 -0
- data/src/core/ext/filters/client_channel/lb_policy_registry.cc +6 -2
- data/src/core/ext/filters/client_channel/local_subchannel_pool.h +2 -1
- data/src/core/ext/filters/client_channel/parse_address.cc +22 -21
- data/src/core/ext/filters/client_channel/resolver.cc +5 -8
- data/src/core/ext/filters/client_channel/resolver.h +12 -14
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +73 -59
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.cc +35 -35
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +8 -7
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +16 -20
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +72 -117
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +184 -133
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +5 -3
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.cc +7 -4
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +40 -43
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +93 -102
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h +0 -4
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +32 -5
- data/src/core/ext/filters/client_channel/resolver_factory.h +2 -2
- data/src/core/ext/filters/client_channel/resolver_registry.cc +6 -3
- data/src/core/ext/filters/client_channel/resolver_registry.h +8 -8
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +16 -16
- data/src/core/ext/filters/client_channel/resolver_result_parsing.h +19 -16
- data/src/core/ext/filters/client_channel/resolving_lb_policy.cc +20 -31
- data/src/core/ext/filters/client_channel/resolving_lb_policy.h +4 -3
- data/src/core/ext/filters/client_channel/server_address.cc +6 -9
- data/src/core/ext/filters/client_channel/server_address.h +6 -12
- data/src/core/ext/filters/client_channel/service_config.cc +104 -144
- data/src/core/ext/filters/client_channel/service_config.h +28 -98
- data/src/core/ext/filters/client_channel/service_config_call_data.h +68 -0
- data/src/core/ext/filters/client_channel/service_config_parser.cc +87 -0
- data/src/core/ext/filters/client_channel/service_config_parser.h +89 -0
- data/src/core/ext/filters/client_channel/subchannel.cc +54 -24
- data/src/core/ext/filters/client_channel/subchannel.h +35 -11
- data/src/core/ext/filters/client_channel/xds/xds_api.cc +348 -221
- data/src/core/ext/filters/client_channel/xds/xds_api.h +37 -37
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.cc +44 -49
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.h +4 -3
- data/src/core/ext/filters/client_channel/xds/xds_channel_secure.cc +4 -2
- data/src/core/ext/filters/client_channel/xds/xds_client.cc +532 -339
- data/src/core/ext/filters/client_channel/xds/xds_client.h +57 -22
- data/src/core/ext/filters/client_channel/xds/xds_client_stats.cc +11 -12
- data/src/core/ext/filters/client_channel/xds/xds_client_stats.h +31 -19
- data/src/core/ext/filters/http/client/http_client_filter.cc +23 -28
- data/src/core/ext/filters/http/client_authority_filter.cc +4 -4
- data/src/core/ext/filters/http/http_filters_plugin.cc +27 -12
- data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +258 -221
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.cc +358 -0
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.h +29 -0
- data/src/core/ext/filters/message_size/message_size_filter.cc +7 -10
- data/src/core/ext/filters/message_size/message_size_filter.h +4 -4
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +4 -4
- data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +4 -6
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +23 -22
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.h +1 -0
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +3 -3
- data/src/core/ext/transport/chttp2/transport/frame_goaway.h +2 -3
- data/src/core/ext/transport/chttp2/transport/frame_ping.h +2 -3
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.h +2 -3
- data/src/core/ext/transport/chttp2/transport/frame_settings.h +2 -3
- data/src/core/ext/transport/chttp2/transport/frame_window_update.h +2 -3
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +29 -16
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +2 -3
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +2 -3
- data/src/core/ext/transport/chttp2/transport/hpack_table.h +2 -2
- data/src/core/ext/transport/chttp2/transport/http2_settings.h +4 -5
- data/src/core/ext/transport/chttp2/transport/huffsyms.h +2 -3
- data/src/core/ext/transport/chttp2/transport/internal.h +14 -21
- data/src/core/ext/transport/chttp2/transport/stream_map.h +2 -3
- data/src/core/ext/transport/chttp2/transport/writing.cc +15 -8
- data/src/core/ext/transport/inproc/inproc_transport.cc +19 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/cert.upb.c +4 -229
- data/src/core/ext/upb-generated/envoy/api/v2/auth/cert.upb.h +5 -875
- data/src/core/ext/upb-generated/envoy/api/v2/auth/common.upb.c +114 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/common.upb.h +418 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/secret.upb.c +72 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/secret.upb.h +197 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/tls.upb.c +105 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/tls.upb.h +378 -0
- data/src/core/ext/upb-generated/envoy/api/v2/cds.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/cluster.upb.c +21 -8
- data/src/core/ext/upb-generated/envoy/api/v2/cluster.upb.h +43 -7
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/circuit_breaker.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/filter.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/outlier_detection.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/address.upb.c +2 -1
- data/src/core/ext/upb-generated/envoy/api/v2/core/backoff.upb.c +35 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/backoff.upb.h +78 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/base.upb.c +47 -26
- data/src/core/ext/upb-generated/envoy/api/v2/core/base.upb.h +115 -65
- data/src/core/ext/upb-generated/envoy/api/v2/core/config_source.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/event_service_config.upb.c +34 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/event_service_config.upb.h +72 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/grpc_service.upb.c +2 -1
- data/src/core/ext/upb-generated/envoy/api/v2/core/health_check.upb.c +24 -20
- data/src/core/ext/upb-generated/envoy/api/v2/core/health_check.upb.h +28 -13
- data/src/core/ext/upb-generated/envoy/api/v2/core/http_uri.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/protocol.upb.c +38 -18
- data/src/core/ext/upb-generated/envoy/api/v2/core/protocol.upb.h +88 -6
- data/src/core/ext/upb-generated/envoy/api/v2/core/socket_option.upb.c +34 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/socket_option.upb.h +89 -0
- data/src/core/ext/upb-generated/envoy/api/v2/discovery.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/eds.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint_components.upb.c +9 -6
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint_components.upb.h +12 -4
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/load_report.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/lds.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/listener.upb.c +15 -10
- data/src/core/ext/upb-generated/envoy/api/v2/listener.upb.h +16 -0
- data/src/core/ext/upb-generated/envoy/api/v2/listener/listener.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/listener/listener_components.upb.c +2 -1
- data/src/core/ext/upb-generated/envoy/api/v2/listener/udp_listener_config.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/rds.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/route.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/route/route.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/route/route_components.upb.c +63 -41
- data/src/core/ext/upb-generated/envoy/api/v2/route/route_components.upb.h +173 -77
- data/src/core/ext/upb-generated/envoy/api/v2/scoped_route.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/srds.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/config/filter/accesslog/v2/accesslog.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.upb.c +48 -28
- data/src/core/ext/upb-generated/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.upb.h +90 -30
- data/src/core/ext/upb-generated/envoy/config/listener/v2/api_listener.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/config/trace/v2/http_tracer.upb.c +51 -0
- data/src/core/ext/upb-generated/envoy/config/trace/v2/http_tracer.upb.h +125 -0
- data/src/core/ext/upb-generated/envoy/service/discovery/v2/ads.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/service/load_stats/v2/lrs.upb.c +4 -2
- data/src/core/ext/upb-generated/envoy/service/load_stats/v2/lrs.upb.h +4 -0
- data/src/core/ext/upb-generated/envoy/type/http.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/regex.upb.c +16 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/regex.upb.h +36 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/string.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/metadata/v2/metadata.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/percent.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/range.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/semantic_version.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/tracing/v2/custom_tag.upb.c +1 -0
- data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.c +9 -8
- data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.h +30 -24
- data/src/core/ext/upb-generated/udpa/annotations/status.upb.c +28 -0
- data/src/core/ext/upb-generated/udpa/annotations/status.upb.h +65 -0
- data/src/core/ext/upb-generated/validate/validate.upb.c +21 -20
- data/src/core/ext/upb-generated/validate/validate.upb.h +69 -63
- data/src/core/lib/channel/channel_args.cc +15 -14
- data/src/core/lib/channel/channel_args.h +3 -1
- data/src/core/lib/channel/channel_stack.h +20 -13
- data/src/core/lib/channel/channelz.cc +5 -6
- data/src/core/lib/channel/channelz.h +3 -2
- data/src/core/lib/channel/channelz_registry.cc +5 -3
- data/src/core/lib/channel/connected_channel.cc +7 -5
- data/src/core/lib/channel/context.h +1 -1
- data/src/core/lib/channel/handshaker.cc +11 -13
- data/src/core/lib/channel/handshaker.h +4 -2
- data/src/core/lib/channel/handshaker_registry.cc +5 -17
- data/src/core/lib/channel/status_util.cc +2 -3
- data/src/core/lib/compression/message_compress.cc +5 -1
- data/src/core/lib/debug/stats.cc +21 -27
- data/src/core/lib/debug/stats.h +3 -1
- data/src/core/lib/gpr/spinlock.h +2 -3
- data/src/core/lib/gpr/string.cc +2 -26
- data/src/core/lib/gpr/string.h +0 -16
- data/src/core/lib/gpr/sync_abseil.cc +2 -0
- data/src/core/lib/gpr/time.cc +4 -0
- data/src/core/lib/gpr/time_posix.cc +1 -1
- data/src/core/lib/gprpp/atomic.h +6 -6
- data/src/core/lib/gprpp/fork.cc +1 -1
- data/src/core/lib/gprpp/host_port.cc +29 -35
- data/src/core/lib/gprpp/host_port.h +14 -17
- data/src/core/lib/gprpp/map.h +5 -11
- data/src/core/lib/gprpp/ref_counted_ptr.h +5 -0
- data/src/core/lib/http/format_request.cc +46 -65
- data/src/core/lib/http/httpcli.cc +2 -3
- data/src/core/lib/http/httpcli.h +2 -3
- data/src/core/lib/http/httpcli_security_connector.cc +5 -5
- data/src/core/lib/http/parser.h +2 -3
- data/src/core/lib/iomgr/buffer_list.h +22 -21
- data/src/core/lib/iomgr/call_combiner.h +3 -2
- data/src/core/lib/iomgr/cfstream_handle.cc +3 -2
- data/src/core/lib/iomgr/closure.h +2 -3
- data/src/core/lib/iomgr/dualstack_socket_posix.cc +47 -0
- data/src/core/lib/iomgr/endpoint_cfstream.cc +2 -3
- data/src/core/lib/iomgr/endpoint_pair.h +2 -3
- data/src/core/lib/iomgr/error.cc +6 -9
- data/src/core/lib/iomgr/error.h +0 -1
- data/src/core/lib/iomgr/ev_apple.cc +356 -0
- data/src/core/lib/iomgr/ev_apple.h +43 -0
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +20 -23
- data/src/core/lib/iomgr/ev_epollex_linux.cc +2 -3
- data/src/core/lib/iomgr/ev_poll_posix.cc +3 -3
- data/src/core/lib/iomgr/ev_posix.cc +2 -3
- data/src/core/lib/iomgr/exec_ctx.h +14 -2
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +84 -20
- data/src/core/lib/iomgr/pollset_set_custom.cc +10 -10
- data/src/core/lib/{gprpp/optional.h → iomgr/pollset_uv.h} +11 -12
- data/src/core/lib/iomgr/port.h +1 -0
- data/src/core/lib/iomgr/python_util.h +46 -0
- data/src/core/lib/iomgr/resolve_address.h +4 -6
- data/src/core/lib/iomgr/resolve_address_custom.cc +29 -39
- data/src/core/lib/iomgr/resolve_address_custom.h +4 -2
- data/src/core/lib/iomgr/resolve_address_posix.cc +10 -11
- data/src/core/lib/iomgr/resolve_address_windows.cc +8 -17
- data/src/core/lib/iomgr/resource_quota.cc +4 -6
- data/src/core/lib/iomgr/sockaddr_utils.cc +23 -29
- data/src/core/lib/iomgr/sockaddr_utils.h +9 -14
- data/src/core/lib/iomgr/socket_factory_posix.h +2 -3
- data/src/core/lib/iomgr/socket_mutator.h +2 -3
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +7 -26
- data/src/core/lib/iomgr/socket_utils_posix.h +3 -0
- data/src/core/lib/iomgr/tcp_client_cfstream.cc +5 -7
- data/src/core/lib/iomgr/tcp_client_posix.cc +8 -5
- data/src/core/lib/iomgr/tcp_client_windows.cc +2 -3
- data/src/core/lib/iomgr/tcp_custom.cc +2 -3
- data/src/core/lib/iomgr/tcp_server_custom.cc +5 -9
- data/src/core/lib/iomgr/tcp_server_posix.cc +5 -4
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +5 -4
- data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.cc +8 -11
- data/src/core/lib/iomgr/tcp_uv.cc +3 -2
- data/src/core/lib/iomgr/time_averaged_stats.h +2 -3
- data/src/core/lib/iomgr/timer_generic.cc +2 -3
- data/src/core/lib/{gprpp/inlined_vector.h → iomgr/timer_generic.h} +19 -17
- data/src/core/lib/iomgr/timer_heap.h +2 -3
- data/src/core/lib/iomgr/udp_server.cc +9 -14
- data/src/core/lib/json/json.h +3 -2
- data/src/core/lib/json/json_reader.cc +5 -5
- data/src/core/lib/json/json_writer.cc +13 -12
- data/src/core/lib/security/credentials/composite/composite_credentials.cc +12 -0
- data/src/core/lib/security/credentials/composite/composite_credentials.h +6 -3
- data/src/core/lib/security/credentials/credentials.cc +0 -84
- data/src/core/lib/security/credentials/credentials.h +8 -59
- data/src/core/lib/security/credentials/fake/fake_credentials.h +4 -0
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +3 -8
- data/src/core/lib/security/credentials/iam/iam_credentials.cc +8 -6
- data/src/core/lib/security/credentials/iam/iam_credentials.h +4 -0
- data/src/core/lib/security/credentials/jwt/json_token.cc +1 -1
- data/src/core/lib/security/credentials/jwt/json_token.h +2 -5
- data/src/core/lib/security/credentials/jwt/jwt_credentials.h +12 -0
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +8 -15
- data/src/core/lib/security/credentials/jwt/jwt_verifier.h +2 -3
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +55 -27
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +9 -3
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +13 -0
- data/src/core/lib/security/credentials/plugin/plugin_credentials.h +2 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc +23 -13
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h +38 -11
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +21 -6
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +7 -7
- data/src/core/lib/security/security_connector/load_system_roots_linux.cc +3 -2
- data/src/core/lib/security/security_connector/local/local_security_connector.cc +1 -1
- data/src/core/lib/security/security_connector/security_connector.h +1 -1
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +20 -25
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.h +4 -6
- data/src/core/lib/security/security_connector/ssl_utils.cc +59 -12
- data/src/core/lib/security/security_connector/ssl_utils.h +12 -10
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +77 -51
- data/src/core/lib/security/security_connector/tls/tls_security_connector.h +27 -5
- data/src/core/lib/security/transport/auth_filters.h +0 -5
- data/src/core/lib/security/transport/client_auth_filter.cc +1 -2
- data/src/core/lib/slice/slice_intern.cc +2 -3
- data/src/core/lib/slice/slice_internal.h +14 -0
- data/src/core/lib/slice/slice_utils.h +9 -0
- data/src/core/lib/surface/byte_buffer_reader.cc +2 -47
- data/src/core/lib/surface/call.cc +2 -3
- data/src/core/lib/surface/call_log_batch.cc +50 -58
- data/src/core/lib/surface/channel.cc +53 -31
- data/src/core/lib/surface/channel.h +35 -4
- data/src/core/lib/surface/channel_ping.cc +2 -3
- data/src/core/lib/surface/completion_queue.cc +33 -33
- data/src/core/lib/surface/event_string.cc +18 -25
- data/src/core/lib/surface/event_string.h +3 -1
- data/src/core/lib/surface/init_secure.cc +1 -4
- data/src/core/lib/surface/server.cc +570 -369
- data/src/core/lib/surface/server.h +32 -0
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/byte_stream.h +7 -2
- data/src/core/lib/transport/connectivity_state.cc +7 -6
- data/src/core/lib/transport/connectivity_state.h +5 -3
- data/src/core/lib/transport/metadata.cc +3 -3
- data/src/core/lib/transport/metadata_batch.h +2 -3
- data/src/core/lib/transport/static_metadata.h +1 -1
- data/src/core/lib/transport/status_conversion.cc +6 -14
- data/src/core/lib/transport/transport.cc +2 -3
- data/src/core/lib/transport/transport.h +3 -2
- data/src/core/lib/transport/transport_op_string.cc +61 -102
- data/src/core/lib/uri/uri_parser.h +2 -3
- data/src/core/plugin_registry/grpc_plugin_registry.cc +20 -4
- data/src/core/tsi/alts/crypt/aes_gcm.cc +0 -2
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +8 -1
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +8 -4
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +32 -2
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.h +9 -1
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.h +2 -3
- data/src/core/tsi/fake_transport_security.cc +10 -15
- data/src/core/tsi/ssl/session_cache/ssl_session.h +0 -2
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +0 -2
- data/src/core/tsi/ssl_transport_security.cc +52 -39
- data/src/core/tsi/ssl_transport_security.h +8 -8
- data/src/core/tsi/ssl_types.h +0 -2
- data/src/core/tsi/transport_security.h +6 -9
- data/src/core/tsi/transport_security_grpc.h +2 -3
- data/src/core/tsi/transport_security_interface.h +3 -3
- data/src/ruby/ext/grpc/rb_call.c +9 -1
- data/src/ruby/ext/grpc/rb_call_credentials.c +3 -2
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +4 -0
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +6 -0
- data/src/ruby/lib/grpc/errors.rb +103 -42
- data/src/ruby/lib/grpc/generic/active_call.rb +2 -3
- data/src/ruby/lib/grpc/generic/interceptors.rb +4 -4
- data/src/ruby/lib/grpc/generic/rpc_server.rb +9 -10
- data/src/ruby/lib/grpc/generic/service.rb +5 -4
- data/src/ruby/lib/grpc/structs.rb +1 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/generate_proto_ruby.sh +5 -3
- data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +11 -0
- data/src/ruby/pb/src/proto/grpc/testing/test_services_pb.rb +16 -0
- data/src/ruby/spec/debug_message_spec.rb +134 -0
- data/src/ruby/spec/generic/service_spec.rb +2 -0
- data/src/ruby/spec/pb/codegen/grpc/testing/package_options_import2.proto +23 -0
- data/src/ruby/spec/pb/codegen/grpc/testing/package_options_ruby_style.proto +7 -0
- data/src/ruby/spec/pb/codegen/package_option_spec.rb +7 -1
- data/src/ruby/spec/support/services.rb +10 -4
- data/src/ruby/spec/testdata/ca.pem +18 -13
- data/src/ruby/spec/testdata/client.key +26 -14
- data/src/ruby/spec/testdata/client.pem +18 -12
- data/src/ruby/spec/testdata/server1.key +26 -14
- data/src/ruby/spec/testdata/server1.pem +20 -14
- data/third_party/abseil-cpp/absl/time/civil_time.cc +175 -0
- data/third_party/abseil-cpp/absl/time/civil_time.h +538 -0
- data/third_party/abseil-cpp/absl/time/clock.cc +569 -0
- data/third_party/abseil-cpp/absl/time/clock.h +74 -0
- data/third_party/abseil-cpp/absl/time/duration.cc +922 -0
- data/third_party/abseil-cpp/absl/time/format.cc +153 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time.h +332 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time_detail.h +622 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/time_zone.h +384 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/zone_info_source.h +102 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/civil_time_detail.cc +94 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_fixed.cc +140 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_fixed.h +52 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_format.cc +922 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_if.cc +45 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_if.h +76 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_impl.cc +121 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_impl.h +93 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_info.cc +958 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_info.h +138 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.cc +308 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.h +55 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_lookup.cc +187 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_posix.cc +159 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_posix.h +132 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/tzfile.h +122 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/zone_info_source.cc +115 -0
- data/third_party/abseil-cpp/absl/time/internal/get_current_time_chrono.inc +31 -0
- data/third_party/abseil-cpp/absl/time/internal/get_current_time_posix.inc +24 -0
- data/third_party/abseil-cpp/absl/time/time.cc +499 -0
- data/third_party/abseil-cpp/absl/time/time.h +1584 -0
- data/third_party/boringssl-with-bazel/err_data.c +329 -297
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/cpu-arm-linux.c +7 -5
- data/third_party/boringssl-with-bazel/src/crypto/cpu-intel.c +13 -4
- data/third_party/boringssl-with-bazel/src/crypto/crypto.c +11 -0
- data/third_party/boringssl-with-bazel/src/{third_party/fiat → crypto/curve25519}/curve25519.c +18 -26
- data/third_party/boringssl-with-bazel/src/{third_party/fiat → crypto/curve25519}/curve25519_tables.h +13 -21
- data/third_party/boringssl-with-bazel/src/{third_party/fiat → crypto/curve25519}/internal.h +14 -22
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/dh/dh.c +15 -0
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +10 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +425 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +78 -0
- data/third_party/boringssl-with-bazel/src/crypto/ecdh_extra/ecdh_extra.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/err/err.c +33 -32
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +14 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +30 -154
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digests.c +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +289 -117
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +13 -27
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +96 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/felem.c +25 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +432 -160
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +63 -71
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +5 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-x86_64-table.h +9481 -9485
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-x86_64.c +80 -99
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +736 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256_table.h +297 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +90 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +125 -148
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +189 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +61 -18
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +20 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +137 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +49 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +64 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +41 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +32 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +24 -114
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +51 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +15 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +44 -35
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +29 -12
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +15 -1
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/deterministic.c +6 -10
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/windows.c +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +278 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +1474 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +720 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +4 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +5 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +9 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +20 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +16 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +6 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/err.h +2 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +5 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +3 -17
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +31 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/sha.h +26 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +172 -77
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +291 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +5 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +1 -0
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +0 -4
- data/third_party/boringssl-with-bazel/src/ssl/d1_lib.cc +3 -3
- data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +13 -4
- data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +146 -57
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +14 -3
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +28 -20
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +12 -4
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +64 -47
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +10 -10
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +21 -21
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +29 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +4 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +6 -1
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +13 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +64 -5
- data/third_party/boringssl-with-bazel/src/ssl/ssl_stat.cc +6 -0
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +6 -2
- data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +47 -53
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +98 -27
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +23 -75
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +50 -20
- data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +63 -25
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +245 -175
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +135 -75
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +1593 -1672
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +512 -503
- metadata +115 -39
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.cc +0 -1754
- data/src/core/lib/gprpp/string_view.h +0 -60
- data/src/core/tsi/grpc_shadow_boringssl.h +0 -3311
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256.c +0 -1063
@@ -42,6 +42,19 @@ grpc_plugin_credentials::~grpc_plugin_credentials() {
|
|
42
42
|
}
|
43
43
|
}
|
44
44
|
|
45
|
+
std::string grpc_plugin_credentials::debug_string() {
|
46
|
+
char* debug_c_str = nullptr;
|
47
|
+
if (plugin_.debug_string != nullptr) {
|
48
|
+
debug_c_str = plugin_.debug_string(plugin_.state);
|
49
|
+
}
|
50
|
+
std::string debug_str(
|
51
|
+
debug_c_str != nullptr
|
52
|
+
? debug_c_str
|
53
|
+
: "grpc_plugin_credentials did not provide a debug string");
|
54
|
+
gpr_free(debug_c_str);
|
55
|
+
return debug_str;
|
56
|
+
}
|
57
|
+
|
45
58
|
void grpc_plugin_credentials::pending_request_remove_locked(
|
46
59
|
pending_request* pending_request) {
|
47
60
|
if (pending_request->prev == nullptr) {
|
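Review bot: The string returned by `plugin_.debug_string(plugin_.state)` is released with `gpr_free`, so every plugin implementing the callback is bound to allocate it with the gpr allocator, yet nothing at the call site states that; a plugin using `malloc`/`new` produces a heap error that surfaces far from this code. I would document the contract right above the call, `// plugin_.debug_string must return a gpr_malloc()-allocated string (or nullptr); it is released here.`, and confirm the plugin callback's header comment says the same. The fallback literal is copied into `debug_str` before the free, so the ordering itself is correct.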
@@ -59,6 +59,8 @@ struct grpc_plugin_credentials final : public grpc_call_credentials {
|
|
59
59
|
// cancelled before completion.
|
60
60
|
void pending_request_complete(pending_request* r);
|
61
61
|
|
62
|
+
std::string debug_string() override;
|
63
|
+
|
62
64
|
private:
|
63
65
|
void pending_request_remove_locked(pending_request* pending_request);
|
64
66
|
|
@@ -29,10 +29,28 @@
|
|
29
29
|
|
30
30
|
/** -- gRPC TLS key materials config API implementation. -- **/
|
31
31
|
void grpc_tls_key_materials_config::set_key_materials(
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
32
|
+
const char* pem_root_certs,
|
33
|
+
const grpc_ssl_pem_key_cert_pair** pem_key_cert_pairs,
|
34
|
+
size_t num_key_cert_pairs) {
|
35
|
+
this->set_pem_root_certs(pem_root_certs);
|
36
|
+
grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list;
|
37
|
+
for (size_t i = 0; i < num_key_cert_pairs; i++) {
|
38
|
+
auto current_pair = static_cast<grpc_ssl_pem_key_cert_pair*>(
|
39
|
+
gpr_zalloc(sizeof(grpc_ssl_pem_key_cert_pair)));
|
40
|
+
current_pair->cert_chain = gpr_strdup(pem_key_cert_pairs[i]->cert_chain);
|
41
|
+
current_pair->private_key = gpr_strdup(pem_key_cert_pairs[i]->private_key);
|
42
|
+
cert_pair_list.emplace_back(grpc_core::PemKeyCertPair(current_pair));
|
43
|
+
}
|
44
|
+
pem_key_cert_pair_list_ = std::move(cert_pair_list);
|
45
|
+
}
|
46
|
+
|
47
|
+
void grpc_tls_key_materials_config::set_key_materials(
|
48
|
+
const char* pem_root_certs,
|
49
|
+
const PemKeyCertPairList& pem_key_cert_pair_list) {
|
50
|
+
this->set_pem_root_certs(pem_root_certs);
|
51
|
+
grpc_tls_key_materials_config::PemKeyCertPairList dup_list(
|
52
|
+
pem_key_cert_pair_list);
|
53
|
+
pem_key_cert_pair_list_ = std::move(dup_list);
|
36
54
|
}
|
37
55
|
|
38
56
|
/** -- gRPC TLS credential reload config API implementation. -- **/
|
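Review bot: `set_key_materials(const char*, const grpc_ssl_pem_key_cert_pair**, size_t)` dereferences `pem_key_cert_pairs[i]` for every `i < num_key_cert_pairs` without checking the array or its elements, so a caller passing `nullptr` with a non-zero count, or a null entry, crashes inside the loop; `GPR_ASSERT(num_key_cert_pairs == 0 || pem_key_cert_pairs != nullptr);` before the loop and `if (pem_key_cert_pairs[i] == nullptr) continue;` inside it would make the failure explicit. `gpr_strdup` already tolerates a null `cert_chain` or `private_key`, so the field reads are fine. In the second overload `dup_list` is a copy that is immediately moved; `pem_key_cert_pair_list_ = pem_key_cert_pair_list;` expresses the same in one line. The private-key copies made here live until the list is replaced; whether they are wiped on release depends on `grpc_core::PemKeyCertPair`, which is not visible from this hunk.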
@@ -165,15 +183,7 @@ int grpc_tls_key_materials_config_set_key_materials(
|
|
165
183
|
"grpc_tls_key_materials_config_set_key_materials()");
|
166
184
|
return 0;
|
167
185
|
}
|
168
|
-
|
169
|
-
grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list;
|
170
|
-
for (size_t i = 0; i < num; i++) {
|
171
|
-
grpc_core::PemKeyCertPair key_cert_pair(
|
172
|
-
const_cast<grpc_ssl_pem_key_cert_pair*>(key_cert_pairs[i]));
|
173
|
-
cert_pair_list.emplace_back(std::move(key_cert_pair));
|
174
|
-
}
|
175
|
-
config->set_key_materials(std::move(pem_root), std::move(cert_pair_list));
|
176
|
-
gpr_free(key_cert_pairs);
|
186
|
+
config->set_key_materials(root_certs, key_cert_pairs, num);
|
177
187
|
return 1;
|
178
188
|
}
|
179
189
|
|
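Review bot: Dropping `gpr_free(key_cert_pairs)` changes the ownership contract of the public C API `grpc_tls_key_materials_config_set_key_materials`: before, the array was consumed and freed here, whereas now it is only read and the caller keeps it. Callers written against the old contract will leak the array, so the header comment for this function must state `The caller retains ownership of pem_root_certs and key_cert_pairs; both are copied.` — I cannot see from this hunk whether that header text was updated. The function's opening and the handling of `root_certs` lie above the hunk.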
@@ -23,16 +23,29 @@
|
|
23
23
|
|
24
24
|
#include <grpc/grpc_security.h>
|
25
25
|
|
26
|
-
#include "
|
26
|
+
#include "absl/container/inlined_vector.h"
|
27
|
+
|
27
28
|
#include "src/core/lib/gprpp/ref_counted.h"
|
28
29
|
#include "src/core/lib/security/security_connector/ssl_utils.h"
|
29
30
|
|
31
|
+
struct grpc_tls_error_details
|
32
|
+
: public grpc_core::RefCounted<grpc_tls_error_details> {
|
33
|
+
public:
|
34
|
+
grpc_tls_error_details() : error_details_("") {}
|
35
|
+
void set_error_details(const char* err_details) {
|
36
|
+
error_details_ = err_details;
|
37
|
+
}
|
38
|
+
const std::string& error_details() { return error_details_; }
|
39
|
+
|
40
|
+
private:
|
41
|
+
std::string error_details_;
|
42
|
+
};
|
43
|
+
|
30
44
|
/** TLS key materials config. **/
|
31
45
|
struct grpc_tls_key_materials_config
|
32
46
|
: public grpc_core::RefCounted<grpc_tls_key_materials_config> {
|
33
47
|
public:
|
34
|
-
typedef
|
35
|
-
PemKeyCertPairList;
|
48
|
+
typedef absl::InlinedVector<grpc_core::PemKeyCertPair, 1> PemKeyCertPairList;
|
36
49
|
|
37
50
|
/** Getters for member fields. **/
|
38
51
|
const char* pem_root_certs() const { return pem_root_certs_.get(); }
|
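Review bot: `grpc_tls_error_details::set_error_details` assigns `err_details` straight into a `std::string`, which is undefined behaviour when the pointer is null, and this setter is reached only on error paths that tests rarely exercise; a defensive form is cheap: `error_details_ = err_details == nullptr ? "" : err_details;`. The getter `error_details()` reads a member only and should be declared `const`. The constructor's `error_details_("")` does nothing that the default constructor would not; `grpc_tls_error_details() = default;` is clearer.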
@@ -42,14 +55,28 @@ struct grpc_tls_key_materials_config
|
|
42
55
|
int version() const { return version_; }
|
43
56
|
|
44
57
|
/** Setters for member fields. **/
|
58
|
+
// TODO(ZhenLian): Remove this function
|
45
59
|
void set_pem_root_certs(grpc_core::UniquePtr<char> pem_root_certs) {
|
46
60
|
pem_root_certs_ = std::move(pem_root_certs);
|
47
61
|
}
|
62
|
+
// The ownerships of |pem_root_certs| remain with the caller.
|
63
|
+
void set_pem_root_certs(const char* pem_root_certs) {
|
64
|
+
// make a copy of pem_root_certs.
|
65
|
+
grpc_core::UniquePtr<char> pem_root_ptr(gpr_strdup(pem_root_certs));
|
66
|
+
pem_root_certs_ = std::move(pem_root_ptr);
|
67
|
+
}
|
48
68
|
void add_pem_key_cert_pair(grpc_core::PemKeyCertPair pem_key_cert_pair) {
|
49
69
|
pem_key_cert_pair_list_.push_back(pem_key_cert_pair);
|
50
70
|
}
|
51
|
-
|
52
|
-
|
71
|
+
// The ownerships of |pem_root_certs| and |pem_key_cert_pairs| remain with the
|
72
|
+
// caller.
|
73
|
+
void set_key_materials(const char* pem_root_certs,
|
74
|
+
const grpc_ssl_pem_key_cert_pair** pem_key_cert_pairs,
|
75
|
+
size_t num_key_cert_pairs);
|
76
|
+
// The ownerships of |pem_root_certs| and |pem_key_cert_pair_list| remain with
|
77
|
+
// the caller.
|
78
|
+
void set_key_materials(const char* pem_root_certs,
|
79
|
+
const PemKeyCertPairList& pem_key_cert_pair_list);
|
53
80
|
void set_version(int version) { version_ = version; }
|
54
81
|
|
55
82
|
private:
|
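Review bot: The three ownership comments added here read `The ownerships of |pem_root_certs| remain with the caller`, which is ungrammatical and does not say what the object does with the input; suggest `// Ownership of |pem_root_certs| stays with the caller; the string is copied.` and, for the two `set_key_materials` overloads, `// Ownership of the arguments stays with the caller; the root certs and each key/cert pair are deep-copied.` With that in place the inner `// make a copy of pem_root_certs.` is redundant. Separately, `add_pem_key_cert_pair` takes its argument by value and then `push_back`s a copy; `push_back(std::move(pem_key_cert_pair))` avoids the second copy.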
@@ -79,8 +106,8 @@ struct grpc_tls_credential_reload_config
|
|
79
106
|
gpr_log(GPR_ERROR, "schedule API is nullptr");
|
80
107
|
if (arg != nullptr) {
|
81
108
|
arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL;
|
82
|
-
arg->error_details
|
83
|
-
|
109
|
+
arg->error_details->set_error_details(
|
110
|
+
"schedule API in credential reload config is nullptr");
|
84
111
|
}
|
85
112
|
return 1;
|
86
113
|
}
|
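Review bot: `arg->error_details->set_error_details(...)` dereferences the new `error_details` pointer after checking only `arg`, so an arg constructed without an allocated `error_details` crashes on the error path, which is exactly where it is least likely to be covered by tests. Either document on the arg struct that `error_details` is always non-null, or guard it: `if (arg->error_details != nullptr) arg->error_details->set_error_details("schedule API in credential reload config is nullptr");`. The same pattern appears in the `cancel` hunk below (`@@ -94,8 +121,8`) and in both server-authorization-check hunks (`@@ -155,7 +182,7`, `@@ -171,7 +198,7`). The enclosing function starts above the hunk.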
@@ -94,8 +121,8 @@ struct grpc_tls_credential_reload_config
|
|
94
121
|
gpr_log(GPR_ERROR, "cancel API is nullptr.");
|
95
122
|
if (arg != nullptr) {
|
96
123
|
arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL;
|
97
|
-
arg->error_details
|
98
|
-
|
124
|
+
arg->error_details->set_error_details(
|
125
|
+
"cancel API in credential reload config is nullptr");
|
99
126
|
}
|
100
127
|
return;
|
101
128
|
}
|
@@ -155,7 +182,7 @@ struct grpc_tls_server_authorization_check_config
|
|
155
182
|
gpr_log(GPR_ERROR, "schedule API is nullptr");
|
156
183
|
if (arg != nullptr) {
|
157
184
|
arg->status = GRPC_STATUS_NOT_FOUND;
|
158
|
-
arg->error_details
|
185
|
+
arg->error_details->set_error_details(
|
159
186
|
"schedule API in server authorization check config is nullptr");
|
160
187
|
}
|
161
188
|
return 1;
|
@@ -171,7 +198,7 @@ struct grpc_tls_server_authorization_check_config
|
|
171
198
|
gpr_log(GPR_ERROR, "cancel API is nullptr.");
|
172
199
|
if (arg != nullptr) {
|
173
200
|
arg->status = GRPC_STATUS_NOT_FOUND;
|
174
|
-
arg->error_details
|
201
|
+
arg->error_details->set_error_details(
|
175
202
|
"schedule API in server authorization check config is nullptr");
|
176
203
|
}
|
177
204
|
return;
|
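Review bot: The context line kept under the new `set_error_details(` call still reports `"schedule API in server authorization check config is nullptr"` although this is the `cancel` path — the `gpr_log` two lines above says `cancel API is nullptr.`; the message should be `"cancel API in server authorization check config is nullptr"`, matching what the credential-reload cancel hunk does. As written, anyone triaging from the error details is pointed at the wrong callback. The enclosing function begins above the hunk.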
@@ -82,10 +82,17 @@ class grpc_alts_channel_security_connector final
|
|
82
82
|
tsi_handshaker* handshaker = nullptr;
|
83
83
|
const grpc_alts_credentials* creds =
|
84
84
|
static_cast<const grpc_alts_credentials*>(channel_creds());
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
85
|
+
size_t user_specified_max_frame_size = 0;
|
86
|
+
const grpc_arg* arg =
|
87
|
+
grpc_channel_args_find(args, GRPC_ARG_TSI_MAX_FRAME_SIZE);
|
88
|
+
if (arg != nullptr && arg->type == GRPC_ARG_INTEGER) {
|
89
|
+
user_specified_max_frame_size = grpc_channel_arg_get_integer(
|
90
|
+
arg, {0, 0, std::numeric_limits<int>::max()});
|
91
|
+
}
|
92
|
+
GPR_ASSERT(alts_tsi_handshaker_create(
|
93
|
+
creds->options(), target_name_,
|
94
|
+
creds->handshaker_service_url(), true, interested_parties,
|
95
|
+
&handshaker, user_specified_max_frame_size) == TSI_OK);
|
89
96
|
handshake_manager->Add(
|
90
97
|
grpc_core::SecurityHandshakerCreate(handshaker, this, args));
|
91
98
|
}
|
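Review bot: The frame-size lookup — `grpc_channel_args_find(args, GRPC_ARG_TSI_MAX_FRAME_SIZE)`, the `GRPC_ARG_INTEGER` type check and `grpc_channel_arg_get_integer` with bounds `{0, 0, max()}` — is copied verbatim into the server connector hunk (`@@ -140,9 +147,17`); a file-local helper keeps the two in step if the bounds or the "not specified" sentinel ever change (I assume `add_handshakers`' `args` is the `const grpc_channel_args*` the lookup already uses; its signature is above the hunk). `std::numeric_limits` also requires `<limits>`, and the include list is outside the hunk. The `GPR_ASSERT(... == TSI_OK)` aborting the process on handshaker creation failure predates this change.
```cpp
// Reads GRPC_ARG_TSI_MAX_FRAME_SIZE from |args|; 0 means "not specified" and
// leaves the choice to the TSI handshaker.
static size_t GetUserSpecifiedMaxFrameSize(const grpc_channel_args* args) {
  const grpc_arg* arg =
      grpc_channel_args_find(args, GRPC_ARG_TSI_MAX_FRAME_SIZE);
  if (arg == nullptr || arg->type != GRPC_ARG_INTEGER) return 0;
  return grpc_channel_arg_get_integer(
      arg, {0, 0, std::numeric_limits<int>::max()});
}

// … unchanged: add_handshakers up to the creds cast …
    GPR_ASSERT(alts_tsi_handshaker_create(
                   creds->options(), target_name_,
                   creds->handshaker_service_url(), true, interested_parties,
                   &handshaker, GetUserSpecifiedMaxFrameSize(args)) == TSI_OK);
```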
@@ -104,7 +111,7 @@ class grpc_alts_channel_security_connector final
|
|
104
111
|
return strcmp(target_name_, other->target_name_);
|
105
112
|
}
|
106
113
|
|
107
|
-
bool check_call_host(
|
114
|
+
bool check_call_host(absl::string_view host,
|
108
115
|
grpc_auth_context* /*auth_context*/,
|
109
116
|
grpc_closure* /*on_call_host_checked*/,
|
110
117
|
grpc_error** error) override {
|
@@ -140,9 +147,17 @@ class grpc_alts_server_security_connector final
|
|
140
147
|
tsi_handshaker* handshaker = nullptr;
|
141
148
|
const grpc_alts_server_credentials* creds =
|
142
149
|
static_cast<const grpc_alts_server_credentials*>(server_creds());
|
150
|
+
size_t user_specified_max_frame_size = 0;
|
151
|
+
const grpc_arg* arg =
|
152
|
+
grpc_channel_args_find(args, GRPC_ARG_TSI_MAX_FRAME_SIZE);
|
153
|
+
if (arg != nullptr && arg->type == GRPC_ARG_INTEGER) {
|
154
|
+
user_specified_max_frame_size = grpc_channel_arg_get_integer(
|
155
|
+
arg, {0, 0, std::numeric_limits<int>::max()});
|
156
|
+
}
|
143
157
|
GPR_ASSERT(alts_tsi_handshaker_create(
|
144
158
|
creds->options(), nullptr, creds->handshaker_service_url(),
|
145
|
-
false, interested_parties, &handshaker
|
159
|
+
false, interested_parties, &handshaker,
|
160
|
+
user_specified_max_frame_size) == TSI_OK);
|
146
161
|
handshake_manager->Add(
|
147
162
|
grpc_core::SecurityHandshakerCreate(handshaker, this, args));
|
148
163
|
}
|
@@ -103,20 +103,20 @@ class grpc_fake_channel_security_connector final
|
|
103
103
|
tsi_create_fake_handshaker(/*is_client=*/true), this, args));
|
104
104
|
}
|
105
105
|
|
106
|
-
bool check_call_host(
|
106
|
+
bool check_call_host(absl::string_view host,
|
107
107
|
grpc_auth_context* /*auth_context*/,
|
108
108
|
grpc_closure* /*on_call_host_checked*/,
|
109
109
|
grpc_error** /*error*/) override {
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
110
|
+
absl::string_view authority_hostname;
|
111
|
+
absl::string_view authority_ignored_port;
|
112
|
+
absl::string_view target_hostname;
|
113
|
+
absl::string_view target_ignored_port;
|
114
114
|
grpc_core::SplitHostPort(host, &authority_hostname,
|
115
115
|
&authority_ignored_port);
|
116
116
|
grpc_core::SplitHostPort(target_, &target_hostname, &target_ignored_port);
|
117
117
|
if (target_name_override_ != nullptr) {
|
118
|
-
|
119
|
-
|
118
|
+
absl::string_view fake_security_target_name_override_hostname;
|
119
|
+
absl::string_view fake_security_target_name_override_ignored_port;
|
120
120
|
grpc_core::SplitHostPort(
|
121
121
|
target_name_override_, &fake_security_target_name_override_hostname,
|
122
122
|
&fake_security_target_name_override_ignored_port);
|
@@ -34,6 +34,8 @@
|
|
34
34
|
#include <sys/types.h>
|
35
35
|
#include <unistd.h>
|
36
36
|
|
37
|
+
#include "absl/container/inlined_vector.h"
|
38
|
+
|
37
39
|
#include <grpc/support/alloc.h>
|
38
40
|
#include <grpc/support/log.h>
|
39
41
|
#include <grpc/support/string_util.h>
|
@@ -41,7 +43,6 @@
|
|
41
43
|
#include "src/core/lib/gpr/string.h"
|
42
44
|
#include "src/core/lib/gpr/useful.h"
|
43
45
|
#include "src/core/lib/gprpp/global_config.h"
|
44
|
-
#include "src/core/lib/gprpp/inlined_vector.h"
|
45
46
|
#include "src/core/lib/iomgr/load_file.h"
|
46
47
|
|
47
48
|
GPR_GLOBAL_CONFIG_DEFINE_STRING(grpc_system_ssl_roots_dir, "",
|
@@ -100,7 +101,7 @@ grpc_slice CreateRootCertsBundle(const char* certs_directory) {
|
|
100
101
|
char path[MAXPATHLEN];
|
101
102
|
off_t size;
|
102
103
|
};
|
103
|
-
InlinedVector<FileData, 2> roots_filenames;
|
104
|
+
absl::InlinedVector<FileData, 2> roots_filenames;
|
104
105
|
size_t total_bundle_size = 0;
|
105
106
|
struct dirent* directory_entry;
|
106
107
|
while ((directory_entry = readdir(ca_directory)) != nullptr) {
|
@@ -181,7 +181,7 @@ class grpc_local_channel_security_connector final
|
|
181
181
|
creds->connect_type());
|
182
182
|
}
|
183
183
|
|
184
|
-
bool check_call_host(
|
184
|
+
bool check_call_host(absl::string_view host,
|
185
185
|
grpc_auth_context* /*auth_context*/,
|
186
186
|
grpc_closure* /*on_call_host_checked*/,
|
187
187
|
grpc_error** error) override {
|
@@ -98,7 +98,7 @@ class grpc_channel_security_connector : public grpc_security_connector {
|
|
98
98
|
/// Returns true if completed synchronously, in which case \a error will
|
99
99
|
/// be set to indicate the result. Otherwise, \a on_call_host_checked
|
100
100
|
/// will be invoked when complete.
|
101
|
-
virtual bool check_call_host(
|
101
|
+
virtual bool check_call_host(absl::string_view host,
|
102
102
|
grpc_auth_context* auth_context,
|
103
103
|
grpc_closure* on_call_host_checked,
|
104
104
|
grpc_error** error) = 0;
|
@@ -22,6 +22,8 @@
|
|
22
22
|
|
23
23
|
#include <stdbool.h>
|
24
24
|
|
25
|
+
#include "absl/strings/string_view.h"
|
26
|
+
|
25
27
|
#include <grpc/support/alloc.h>
|
26
28
|
#include <grpc/support/log.h>
|
27
29
|
#include <grpc/support/string_util.h>
|
@@ -72,14 +74,13 @@ class grpc_ssl_channel_security_connector final
|
|
72
74
|
: grpc_channel_security_connector(GRPC_SSL_URL_SCHEME,
|
73
75
|
std::move(channel_creds),
|
74
76
|
std::move(request_metadata_creds)),
|
75
|
-
overridden_target_name_(
|
76
|
-
|
77
|
-
: gpr_strdup(overridden_target_name)),
|
77
|
+
overridden_target_name_(
|
78
|
+
overridden_target_name == nullptr ? "" : overridden_target_name),
|
78
79
|
verify_options_(&config->verify_options) {
|
79
|
-
|
80
|
-
|
80
|
+
absl::string_view host;
|
81
|
+
absl::string_view port;
|
81
82
|
grpc_core::SplitHostPort(target_name, &host, &port);
|
82
|
-
target_name_ =
|
83
|
+
target_name_ = std::string(host);
|
83
84
|
}
|
84
85
|
|
85
86
|
~grpc_ssl_channel_security_connector() override {
|
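Review bot: `overridden_target_name_` is now the empty string both when the caller passed `nullptr` and when it passed `""`, so the `.empty()` checks later in `add_handshakers` and `check_peer` treat an explicit empty override as "no override", where the previous `gpr_strdup` form kept the two cases distinct. That is very likely the intended behaviour, but it is a contract change for `overridden_target_name` and should be stated on the constructor parameter, e.g. `// |overridden_target_name| may be nullptr or empty; either means "verify against target_name".` The constructor's signature is above the hunk.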
@@ -124,8 +125,8 @@ class grpc_ssl_channel_security_connector final
|
|
124
125
|
tsi_handshaker* tsi_hs = nullptr;
|
125
126
|
tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
|
126
127
|
client_handshaker_factory_,
|
127
|
-
overridden_target_name_
|
128
|
-
|
128
|
+
overridden_target_name_.empty() ? target_name_.c_str()
|
129
|
+
: overridden_target_name_.c_str(),
|
129
130
|
&tsi_hs);
|
130
131
|
if (result != TSI_OK) {
|
131
132
|
gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
|
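Review bot: The override-or-target selection `overridden_target_name_.empty() ? target_name_.c_str() : overridden_target_name_.c_str()` is spelled out here and again in `check_peer` (`@@ -139,9 +140,9`); a private accessor `const std::string& effective_target_name() const { return overridden_target_name_.empty() ? target_name_ : overridden_target_name_; }` gives the rule a single home, which matters because this string is what the peer certificate is verified against. `add_handshakers` starts and ends outside the hunk.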
@@ -139,9 +140,9 @@ class grpc_ssl_channel_security_connector final
|
|
139
140
|
void check_peer(tsi_peer peer, grpc_endpoint* /*ep*/,
|
140
141
|
grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
|
141
142
|
grpc_closure* on_peer_checked) override {
|
142
|
-
const char* target_name = overridden_target_name_
|
143
|
-
?
|
144
|
-
:
|
143
|
+
const char* target_name = overridden_target_name_.empty()
|
144
|
+
? target_name_.c_str()
|
145
|
+
: overridden_target_name_.c_str();
|
145
146
|
grpc_error* error = ssl_check_peer(target_name, &peer, auth_context);
|
146
147
|
if (error == GRPC_ERROR_NONE &&
|
147
148
|
verify_options_->verify_peer_callback != nullptr) {
|
@@ -176,23 +177,17 @@ class grpc_ssl_channel_security_connector final
|
|
176
177
|
reinterpret_cast<const grpc_ssl_channel_security_connector*>(other_sc);
|
177
178
|
int c = channel_security_connector_cmp(other);
|
178
179
|
if (c != 0) return c;
|
179
|
-
c =
|
180
|
+
c = target_name_.compare(other->target_name_);
|
180
181
|
if (c != 0) return c;
|
181
|
-
return (overridden_target_name_
|
182
|
-
other->overridden_target_name_ == nullptr)
|
183
|
-
? GPR_ICMP(overridden_target_name_.get(),
|
184
|
-
other->overridden_target_name_.get())
|
185
|
-
: strcmp(overridden_target_name_.get(),
|
186
|
-
other->overridden_target_name_.get());
|
182
|
+
return overridden_target_name_.compare(other->overridden_target_name_);
|
187
183
|
}
|
188
184
|
|
189
|
-
bool check_call_host(
|
190
|
-
grpc_auth_context* auth_context,
|
185
|
+
bool check_call_host(absl::string_view host, grpc_auth_context* auth_context,
|
191
186
|
grpc_closure* /*on_call_host_checked*/,
|
192
187
|
grpc_error** error) override {
|
193
|
-
return grpc_ssl_check_call_host(host, target_name_.
|
194
|
-
overridden_target_name_.
|
195
|
-
error);
|
188
|
+
return grpc_ssl_check_call_host(host, target_name_.c_str(),
|
189
|
+
overridden_target_name_.c_str(),
|
190
|
+
auth_context, error);
|
196
191
|
}
|
197
192
|
|
198
193
|
void cancel_check_call_host(grpc_closure* /*on_call_host_checked*/,
|
@@ -202,8 +197,8 @@ class grpc_ssl_channel_security_connector final
|
|
202
197
|
|
203
198
|
private:
|
204
199
|
tsi_ssl_client_handshaker_factory* client_handshaker_factory_;
|
205
|
-
|
206
|
-
|
200
|
+
std::string target_name_;
|
201
|
+
std::string overridden_target_name_;
|
207
202
|
const verify_peer_options* verify_options_;
|
208
203
|
};
|
209
204
|
|
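Review bot: The two new `std::string` members carry no comment, while the rest of the class now depends on the sentinel that `overridden_target_name_` is empty when no override was supplied; suggest `// Host part of the target URI; the name the peer certificate is verified against.` on `target_name_` and `// Empty when no override was given; add_handshakers and check_peer then fall back to target_name_.` on `overridden_target_name_`. The class body continues above the hunk.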
@@ -29,12 +29,11 @@
|
|
29
29
|
#include "src/core/tsi/ssl_transport_security.h"
|
30
30
|
#include "src/core/tsi/transport_security_interface.h"
|
31
31
|
|
32
|
-
|
32
|
+
struct grpc_ssl_config {
|
33
33
|
tsi_ssl_pem_key_cert_pair* pem_key_cert_pair;
|
34
34
|
char* pem_root_certs;
|
35
35
|
verify_peer_options verify_options;
|
36
|
-
}
|
37
|
-
|
36
|
+
};
|
38
37
|
/* Creates an SSL channel_security_connector.
|
39
38
|
- request_metadata_creds is the credentials object which metadata
|
40
39
|
will be sent with each request. This parameter can be NULL.
|
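Review bot: `grpc_ssl_config` becomes a plain `struct` without default member initializers, while `grpc_ssl_server_config` in the next hunk initializes every field (`= nullptr`, `= 0`); a stack-declared `grpc_ssl_config` therefore starts with indeterminate `pem_key_cert_pair` and `pem_root_certs` pointers, and `verify_options` is only as initialized as its own type makes it. For consistency and to make a partially filled config fail predictably, `tsi_ssl_pem_key_cert_pair* pem_key_cert_pair = nullptr;` and `char* pem_root_certs = nullptr;`.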
@@ -57,14 +56,13 @@ grpc_ssl_channel_security_connector_create(
|
|
57
56
|
tsi_ssl_session_cache* ssl_session_cache);
|
58
57
|
|
59
58
|
/* Config for ssl servers. */
|
60
|
-
|
59
|
+
struct grpc_ssl_server_config {
|
61
60
|
tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs = nullptr;
|
62
61
|
size_t num_key_cert_pairs = 0;
|
63
62
|
char* pem_root_certs = nullptr;
|
64
63
|
grpc_ssl_client_certificate_request_type client_certificate_request =
|
65
64
|
GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
|
66
|
-
}
|
67
|
-
|
65
|
+
};
|
68
66
|
/* Creates an SSL server_security_connector.
|
69
67
|
- config is the SSL config to be used for the SSL channel establishment.
|
70
68
|
- sc is a pointer on the connector to be created.
|
@@ -25,6 +25,8 @@
|
|
25
25
|
#include <grpc/support/log.h>
|
26
26
|
#include <grpc/support/string_util.h>
|
27
27
|
|
28
|
+
#include <vector>
|
29
|
+
|
28
30
|
#include "src/core/ext/transport/chttp2/alpn/alpn.h"
|
29
31
|
#include "src/core/lib/channel/channel_args.h"
|
30
32
|
#include "src/core/lib/gpr/string.h"
|
@@ -149,7 +151,7 @@ grpc_error* grpc_ssl_check_alpn(const tsi_peer* peer) {
|
|
149
151
|
return GRPC_ERROR_NONE;
|
150
152
|
}
|
151
153
|
|
152
|
-
grpc_error* grpc_ssl_check_peer_name(
|
154
|
+
grpc_error* grpc_ssl_check_peer_name(absl::string_view peer_name,
|
153
155
|
const tsi_peer* peer) {
|
154
156
|
/* Check the peer name if specified. */
|
155
157
|
if (!peer_name.empty() && !grpc_ssl_host_matches_name(peer, peer_name)) {
|
@@ -163,9 +165,9 @@ grpc_error* grpc_ssl_check_peer_name(grpc_core::StringView peer_name,
|
|
163
165
|
return GRPC_ERROR_NONE;
|
164
166
|
}
|
165
167
|
|
166
|
-
bool grpc_ssl_check_call_host(
|
167
|
-
|
168
|
-
|
168
|
+
bool grpc_ssl_check_call_host(absl::string_view host,
|
169
|
+
absl::string_view target_name,
|
170
|
+
absl::string_view overridden_target_name,
|
169
171
|
grpc_auth_context* auth_context,
|
170
172
|
grpc_error** error) {
|
171
173
|
grpc_security_status status = GRPC_SECURITY_ERROR;
|
@@ -197,29 +199,50 @@ const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols) {
|
|
197
199
|
}
|
198
200
|
|
199
201
|
int grpc_ssl_host_matches_name(const tsi_peer* peer,
|
200
|
-
|
201
|
-
|
202
|
-
|
202
|
+
absl::string_view peer_name) {
|
203
|
+
absl::string_view allocated_name;
|
204
|
+
absl::string_view ignored_port;
|
203
205
|
grpc_core::SplitHostPort(peer_name, &allocated_name, &ignored_port);
|
204
206
|
if (allocated_name.empty()) return 0;
|
205
207
|
|
206
208
|
// IPv6 zone-id should not be included in comparisons.
|
207
209
|
const size_t zone_id = allocated_name.find('%');
|
208
|
-
if (zone_id !=
|
210
|
+
if (zone_id != absl::string_view::npos) {
|
209
211
|
allocated_name.remove_suffix(allocated_name.size() - zone_id);
|
210
212
|
}
|
211
213
|
return tsi_ssl_peer_matches_name(peer, allocated_name);
|
212
214
|
}
|
213
215
|
|
214
|
-
int grpc_ssl_cmp_target_name(
|
215
|
-
|
216
|
-
|
217
|
-
|
216
|
+
int grpc_ssl_cmp_target_name(absl::string_view target_name,
|
217
|
+
absl::string_view other_target_name,
|
218
|
+
absl::string_view overridden_target_name,
|
219
|
+
absl::string_view other_overridden_target_name) {
|
218
220
|
int c = target_name.compare(other_target_name);
|
219
221
|
if (c != 0) return c;
|
220
222
|
return overridden_target_name.compare(other_overridden_target_name);
|
221
223
|
}
|
222
224
|
|
225
|
+
static bool IsSpiffeId(absl::string_view uri) {
|
226
|
+
// Return false without logging for a non-spiffe uri scheme.
|
227
|
+
if (!absl::StartsWith(uri, "spiffe://")) {
|
228
|
+
return false;
|
229
|
+
};
|
230
|
+
if (uri.size() > 2048) {
|
231
|
+
gpr_log(GPR_INFO, "Invalid SPIFFE ID: ID longer than 2048 bytes.");
|
232
|
+
return false;
|
233
|
+
}
|
234
|
+
std::vector<absl::string_view> splits = absl::StrSplit(uri, '/');
|
235
|
+
if (splits.size() < 4 || splits[3] == "") {
|
236
|
+
gpr_log(GPR_INFO, "Invalid SPIFFE ID: workload id is empty.");
|
237
|
+
return false;
|
238
|
+
}
|
239
|
+
if (splits[2].size() > 255) {
|
240
|
+
gpr_log(GPR_INFO, "Invalid SPIFFE ID: domain longer than 255 characters.");
|
241
|
+
return false;
|
242
|
+
}
|
243
|
+
return true;
|
244
|
+
}
|
245
|
+
|
223
246
|
grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
|
224
247
|
const tsi_peer* peer, const char* transport_security_type) {
|
225
248
|
size_t i;
|
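Review bot: `IsSpiffeId` never checks that the trust domain is non-empty: for `spiffe:///workload`, `absl::StrSplit(uri, '/')` yields `"spiffe:"`, `""`, `""`, `"workload"`, so `splits[2]` is empty while `splits[3]` is not, and the ID is accepted and later exposed as the peer's SPIFFE identity. The domain check should read `if (splits[2].empty() || splits[2].size() > 255) {` with the log message covering both cases. There is also a stray `;` after the first `if` block's closing brace. A one-line comment on the function stating which SPIFFE rules it enforces (scheme, total length, non-empty domain and workload path, domain length) would tell the next reader what is deliberately not validated.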
@@ -232,6 +255,9 @@ grpc_core::RefCountedPtr
|
|
232
255
|
grpc_auth_context_add_cstring_property(
|
233
256
|
ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
|
234
257
|
transport_security_type);
|
258
|
+
const char* spiffe_data = nullptr;
|
259
|
+
size_t spiffe_length = 0;
|
260
|
+
int spiffe_id_count = 0;
|
235
261
|
for (i = 0; i < peer->property_count; i++) {
|
236
262
|
const tsi_peer_property* prop = &peer->properties[i];
|
237
263
|
if (prop->name == nullptr) continue;
|
@@ -263,12 +289,30 @@ grpc_core::RefCountedPtr
|
|
263
289
|
grpc_auth_context_add_property(
|
264
290
|
ctx.get(), GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME,
|
265
291
|
prop->value.data, prop->value.length);
|
292
|
+
} else if (strcmp(prop->name, TSI_X509_URI_PEER_PROPERTY) == 0) {
|
293
|
+
absl::string_view spiffe_id(prop->value.data, prop->value.length);
|
294
|
+
if (IsSpiffeId(spiffe_id)) {
|
295
|
+
spiffe_data = prop->value.data;
|
296
|
+
spiffe_length = prop->value.length;
|
297
|
+
spiffe_id_count += 1;
|
298
|
+
}
|
266
299
|
}
|
267
300
|
}
|
268
301
|
if (peer_identity_property_name != nullptr) {
|
269
302
|
GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
|
270
303
|
ctx.get(), peer_identity_property_name) == 1);
|
271
304
|
}
|
305
|
+
// SPIFFE ID should be unique. If we find more than one SPIFFE IDs, we log
|
306
|
+
// the error without returning the error.
|
307
|
+
if (spiffe_id_count > 1) {
|
308
|
+
gpr_log(GPR_INFO, "Invalid SPIFFE ID: SPIFFE ID should be unique.");
|
309
|
+
}
|
310
|
+
if (spiffe_id_count == 1) {
|
311
|
+
GPR_ASSERT(spiffe_length > 0);
|
312
|
+
GPR_ASSERT(spiffe_data != nullptr);
|
313
|
+
grpc_auth_context_add_property(ctx.get(), GRPC_PEER_SPIFFE_ID_PROPERTY_NAME,
|
314
|
+
spiffe_data, spiffe_length);
|
315
|
+
}
|
272
316
|
return ctx;
|
273
317
|
}
|
274
318
|
|
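Review bot: When `spiffe_id_count > 1` no `GRPC_PEER_SPIFFE_ID_PROPERTY_NAME` is added at all, so a peer presenting several valid SPIFFE URIs becomes indistinguishable from one presenting none; that is a reasonable fail-closed choice for authorization keyed on this property, but the comment only says the error is logged "without returning the error". Suggest extending it to `// With more than one SPIFFE ID none is exposed, so authorization keyed on GRPC_PEER_SPIFFE_ID_PROPERTY_NAME sees no identity rather than an ambiguous one.`, and logging the rejection at `GPR_ERROR` rather than `GPR_INFO`, since an INFO line is filtered at the default GRPC_VERBOSITY and the condition points at a mis-issued certificate. `grpc_ssl_peer_to_auth_context` begins outside this hunk.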
@@ -314,6 +358,9 @@ tsi_peer grpc_shallow_peer_from_ssl_auth_context(
|
|
314
358
|
0) {
|
315
359
|
add_shallow_auth_property_to_peer(&peer, prop,
|
316
360
|
TSI_X509_PEM_CERT_CHAIN_PROPERTY);
|
361
|
+
} else if (strcmp(prop->name, GRPC_PEER_SPIFFE_ID_PROPERTY_NAME) == 0) {
|
362
|
+
add_shallow_auth_property_to_peer(&peer, prop,
|
363
|
+
TSI_X509_URI_PEER_PROPERTY);
|
317
364
|
}
|
318
365
|
}
|
319
366
|
}
|