grpc 1.33.0.pre1 → 1.34.0

data/src/core/lib/security/credentials/external/url_external_account_credentials.h

@@ -0,0 +1,59 @@
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_URL_EXTERNAL_ACCOUNT_CREDENTIALS_H
+#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_URL_EXTERNAL_ACCOUNT_CREDENTIALS_H
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/credentials/external/external_account_credentials.h"
+
+namespace grpc_core {
+
+class UrlExternalAccountCredentials final : public ExternalAccountCredentials {
+ public:
+  static RefCountedPtr<UrlExternalAccountCredentials> Create(
+      ExternalAccountCredentialsOptions options,
+      std::vector<std::string> scopes, grpc_error** error);
+
+  UrlExternalAccountCredentials(ExternalAccountCredentialsOptions options,
+                                std::vector<std::string> scopes,
+                                grpc_error** error);
+  ~UrlExternalAccountCredentials() override;
+
+ private:
+  void RetrieveSubjectToken(
+      HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
+      std::function<void(std::string, grpc_error*)> cb) override;
+
+  static void OnRetrieveSubjectToken(void* arg, grpc_error* error);
+  void OnRetrieveSubjectTokenInternal(grpc_error* error);
+
+  void FinishRetrieveSubjectToken(std::string subject_token, grpc_error* error);
+
+  // Fields of credential source
+  grpc_uri* url_ = nullptr;
+  std::map<std::string, std::string> headers_;
+  std::string format_type_;
+  std::string format_subject_token_field_name_;
+
+  HTTPRequestContext* ctx_ = nullptr;
+  std::function<void(std::string, grpc_error*)> cb_ = nullptr;
+};
+
+}  // namespace grpc_core
+
+#endif  // GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_URL_EXTERNAL_ACCOUNT_CREDENTIALS_H

data/src/core/lib/security/credentials/insecure/insecure_credentials.cc

@@ -0,0 +1,51 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <grpc/support/port_platform.h>
+
+#include <grpc/grpc_security.h>
+
+#include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/security_connector/insecure/insecure_security_connector.h"
+
+namespace grpc_core {
+namespace {
+
+constexpr char kCredentialsTypeInsecure[] = "insecure";
+
+class InsecureCredentials final : public grpc_channel_credentials {
+ public:
+  explicit InsecureCredentials()
+      : grpc_channel_credentials(kCredentialsTypeInsecure) {}
+
+  grpc_core::RefCountedPtr<grpc_channel_security_connector>
+  create_security_connector(
+      grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
+      const char* /* target_name */, const grpc_channel_args* /* args */,
+      grpc_channel_args** /* new_args */) override {
+    return MakeRefCounted<InsecureChannelSecurityConnector>(
+        Ref(), std::move(call_creds));
+  }
+};
+
+}  // namespace
+}  // namespace grpc_core
+
+grpc_channel_credentials* grpc_insecure_credentials_create() {
+  return new grpc_core::InsecureCredentials();
+}

data/src/core/lib/security/credentials/jwt/json_token.cc

@@ -33,11 +33,14 @@
 #include "src/core/lib/security/util/json_util.h"
 #include "src/core/lib/slice/b64.h"
 
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wmodule-import-in-extern-c"
 extern "C" {
 #include <openssl/bio.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
 }
+#pragma clang diagnostic pop
 
 using grpc_core::Json;
 
@@ -64,7 +67,7 @@ static grpc_jwt_encode_and_sign_override g_jwt_encode_and_sign_override =
 
 int grpc_auth_json_key_is_valid(const grpc_auth_json_key* json_key) {
   return (json_key != nullptr) &&
-         strcmp(json_key->type, GRPC_AUTH_JSON_TYPE_INVALID);
+         strcmp(json_key->type, GRPC_AUTH_JSON_TYPE_INVALID) != 0;
 }
 
 grpc_auth_json_key grpc_auth_json_key_create_from_json(const Json& json) {
@@ -84,7 +87,7 @@ grpc_auth_json_key grpc_auth_json_key_create_from_json(const Json& json) {
   prop_value = grpc_json_get_string_property(json, "type", &error);
   GRPC_LOG_IF_ERROR("JSON key parsing", error);
   if (prop_value == nullptr ||
-      strcmp(prop_value, GRPC_AUTH_JSON_TYPE_SERVICE_ACCOUNT)) {
+      strcmp(prop_value, GRPC_AUTH_JSON_TYPE_SERVICE_ACCOUNT) != 0) {
     goto end;
   }
   result.type = GRPC_AUTH_JSON_TYPE_SERVICE_ACCOUNT;

data/src/core/lib/security/credentials/jwt/jwt_credentials.h

@@ -50,9 +50,10 @@ class grpc_service_account_jwt_access_credentials
   const grpc_auth_json_key& key() const { return key_; }
 
   std::string debug_string() override {
-    return absl::StrFormat("JWTAccessCredentials{ExpirationTime:%s}",
-                           absl::FormatTime(absl::FromUnixMicros(
-                               gpr_timespec_to_micros(jwt_lifetime_))));
+    return absl::StrFormat(
+        "JWTAccessCredentials{ExpirationTime:%s}",
+        absl::FormatTime(absl::FromUnixMicros(
+            static_cast<int64_t>(gpr_timespec_to_micros(jwt_lifetime_)))));
   };
 
  private:

data/src/core/lib/security/credentials/jwt/jwt_verifier.cc

@@ -28,11 +28,14 @@
 #include <grpc/support/string_util.h>
 #include <grpc/support/sync.h>
 
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wmodule-import-in-extern-c"
 extern "C" {
 #include <openssl/bn.h>
 #include <openssl/pem.h>
 #include <openssl/rsa.h>
 }
+#pragma clang diagnostic pop
 
 #include "src/core/lib/gpr/string.h"
 #include "src/core/lib/gprpp/manual_constructor.h"
@@ -149,7 +152,8 @@ static jose_header* jose_header_from_json(Json json) {
      https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
    */
   alg_value = it->second.string_value().c_str();
-  if (it->second.type() != Json::Type::STRING || strncmp(alg_value, "RS", 2) ||
+  if (it->second.type() != Json::Type::STRING ||
+      strncmp(alg_value, "RS", 2) != 0 ||
       evp_md_from_alg(alg_value) == nullptr) {
     gpr_log(GPR_ERROR, "Invalid alg field");
     goto error;

data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc

@@ -53,7 +53,7 @@ using grpc_core::Json;
 int grpc_auth_refresh_token_is_valid(
     const grpc_auth_refresh_token* refresh_token) {
   return (refresh_token != nullptr) &&
-         strcmp(refresh_token->type, GRPC_AUTH_JSON_TYPE_INVALID);
+         strcmp(refresh_token->type, GRPC_AUTH_JSON_TYPE_INVALID) != 0;
 }
 
 grpc_auth_refresh_token grpc_auth_refresh_token_create_from_json(
@@ -73,7 +73,7 @@ grpc_auth_refresh_token grpc_auth_refresh_token_create_from_json(
   prop_value = grpc_json_get_string_property(json, "type", &error);
   GRPC_LOG_IF_ERROR("Parsing refresh token", error);
   if (prop_value == nullptr ||
-      strcmp(prop_value, GRPC_AUTH_JSON_TYPE_AUTHORIZED_USER)) {
+      strcmp(prop_value, GRPC_AUTH_JSON_TYPE_AUTHORIZED_USER) != 0) {
     goto end;
   }
   result.type = GRPC_AUTH_JSON_TYPE_AUTHORIZED_USER;

data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc

@@ -26,7 +26,7 @@
 
 void grpc_tls_certificate_distributor::SetKeyMaterials(
     const std::string& cert_name, absl::optional<std::string> pem_root_certs,
-    absl::optional<PemKeyCertPairList> pem_key_cert_pairs) {
+    absl::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pairs) {
   GPR_ASSERT(pem_root_certs.has_value() || pem_key_cert_pairs.has_value());
   grpc_core::MutexLock lock(&mu_);
   auto& cert_info = certificate_info_map_[cert_name];
@@ -38,14 +38,17 @@ void grpc_tls_certificate_distributor::SetKeyMaterials(
       const auto watcher_it = watchers_.find(watcher_ptr);
       GPR_ASSERT(watcher_it != watchers_.end());
       GPR_ASSERT(watcher_it->second.root_cert_name.has_value());
-      absl::optional<PemKeyCertPairList> pem_key_cert_pairs_to_report;
+      absl::optional<grpc_core::PemKeyCertPairList>
+          pem_key_cert_pairs_to_report;
       if (pem_key_cert_pairs.has_value() &&
           watcher_it->second.identity_cert_name == cert_name) {
         pem_key_cert_pairs_to_report = pem_key_cert_pairs;
       } else if (watcher_it->second.identity_cert_name.has_value()) {
         auto& identity_cert_info =
             certificate_info_map_[*watcher_it->second.identity_cert_name];
-        pem_key_cert_pairs_to_report = identity_cert_info.pem_key_cert_pairs;
+        if (!identity_cert_info.pem_key_cert_pairs.empty()) {
+          pem_key_cert_pairs_to_report = identity_cert_info.pem_key_cert_pairs;
+        }
       }
       watcher_ptr->OnCertificatesChanged(
           pem_root_certs, std::move(pem_key_cert_pairs_to_report));
@@ -69,7 +72,9 @@ void grpc_tls_certificate_distributor::SetKeyMaterials(
       } else if (watcher_it->second.root_cert_name.has_value()) {
         auto& root_cert_info =
             certificate_info_map_[*watcher_it->second.root_cert_name];
-        pem_root_certs_to_report = root_cert_info.pem_root_certs;
+        if (!root_cert_info.pem_root_certs.empty()) {
+          pem_root_certs_to_report = root_cert_info.pem_root_certs;
+        }
       }
       watcher_ptr->OnCertificatesChanged(pem_root_certs_to_report,
                                          pem_key_cert_pairs);
@@ -188,7 +193,7 @@ void grpc_tls_certificate_distributor::WatchTlsCertificates(
     watchers_[watcher_ptr] = {std::move(watcher), root_cert_name,
                               identity_cert_name};
     absl::optional<absl::string_view> updated_root_certs;
-    absl::optional<PemKeyCertPairList> updated_identity_pairs;
+    absl::optional<grpc_core::PemKeyCertPairList> updated_identity_pairs;
     grpc_error* root_error = GRPC_ERROR_NONE;
     grpc_error* identity_error = GRPC_ERROR_NONE;
     if (root_cert_name.has_value()) {
@@ -319,3 +324,28 @@ void grpc_tls_certificate_distributor::CancelTlsCertificatesWatch(
     }
   }
 };
+
+/** -- Wrapper APIs declared in grpc_security.h -- **/
+
+grpc_tls_identity_pairs* grpc_tls_identity_pairs_create() {
+  return new grpc_tls_identity_pairs();
+}
+
+void grpc_tls_identity_pairs_add_pair(grpc_tls_identity_pairs* pairs,
+                                      const char* private_key,
+                                      const char* cert_chain) {
+  GPR_ASSERT(pairs != nullptr);
+  GPR_ASSERT(private_key != nullptr);
+  GPR_ASSERT(cert_chain != nullptr);
+  grpc_ssl_pem_key_cert_pair* ssl_pair =
+      static_cast<grpc_ssl_pem_key_cert_pair*>(
+          gpr_malloc(sizeof(grpc_ssl_pem_key_cert_pair)));
+  ssl_pair->private_key = gpr_strdup(private_key);
+  ssl_pair->cert_chain = gpr_strdup(cert_chain);
+  pairs->pem_key_cert_pairs.emplace_back(ssl_pair);
+}
+
+void grpc_tls_identity_pairs_destroy(grpc_tls_identity_pairs* pairs) {
+  GPR_ASSERT(pairs != nullptr);
+  delete pairs;
+}

data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h

@@ -21,17 +21,21 @@
 
 #include <grpc/grpc_security.h>
 
+#include <utility>
+
 #include "absl/container/inlined_vector.h"
 #include "absl/types/optional.h"
 #include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/security/security_connector/ssl_utils.h"
 
+struct grpc_tls_identity_pairs {
+  grpc_core::PemKeyCertPairList pem_key_cert_pairs;
+};
+
 // TLS certificate distributor.
 struct grpc_tls_certificate_distributor
     : public grpc_core::RefCounted<grpc_tls_certificate_distributor> {
  public:
-  typedef absl::InlinedVector<grpc_core::PemKeyCertPair, 1> PemKeyCertPairList;
-
   // Interface for watching TLS certificates update.
   class TlsCertificatesWatcherInterface {
    public:
@@ -48,7 +52,7 @@ struct grpc_tls_certificate_distributor
     // pairs.
     virtual void OnCertificatesChanged(
         absl::optional<absl::string_view> root_certs,
-        absl::optional<PemKeyCertPairList> key_cert_pairs) = 0;
+        absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) = 0;
 
     // Handles an error that occurs while attempting to fetch certificate data.
     // Note that if a watcher sees an error, it simply means the Provider is
@@ -78,9 +82,9 @@ struct grpc_tls_certificate_distributor
   // @param cert_name The name of the certificates being updated.
   // @param pem_root_certs The content of root certificates.
   // @param pem_key_cert_pairs The content of identity key-cert pairs.
-  void SetKeyMaterials(const std::string& cert_name,
-                       absl::optional<std::string> pem_root_certs,
-                       absl::optional<PemKeyCertPairList> pem_key_cert_pairs);
+  void SetKeyMaterials(
+      const std::string& cert_name, absl::optional<std::string> pem_root_certs,
+      absl::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pairs);
 
   bool HasRootCerts(const std::string& root_cert_name);
 
@@ -127,7 +131,7 @@ struct grpc_tls_certificate_distributor
   void SetWatchStatusCallback(
       std::function<void(std::string, bool, bool)> callback) {
     grpc_core::MutexLock lock(&mu_);
-    watch_status_callback_ = callback;
+    watch_status_callback_ = std::move(callback);
   };
 
   // Registers a watcher. The caller may keep a raw pointer to the watcher,
@@ -168,7 +172,7 @@ struct grpc_tls_certificate_distributor
     // The contents of the root certificates.
     std::string pem_root_certs;
     // The contents of the identity key-certificate pairs.
-    PemKeyCertPairList pem_key_cert_pairs;
+    grpc_core::PemKeyCertPairList pem_key_cert_pairs;
     // The root cert reloading error propagated by the caller.
     grpc_error* root_cert_error = GRPC_ERROR_NONE;
     // The identity cert reloading error propagated by the caller.

data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc

@@ -0,0 +1,78 @@
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
+
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+#include <grpc/support/string_util.h>
+
+#include "src/core/lib/surface/api_trace.h"
+
+namespace grpc_core {
+
+StaticDataCertificateProvider::StaticDataCertificateProvider(
+    std::string root_certificate,
+    grpc_core::PemKeyCertPairList pem_key_cert_pairs)
+    : distributor_(MakeRefCounted<grpc_tls_certificate_distributor>()),
+      root_certificate_(std::move(root_certificate)),
+      pem_key_cert_pairs_(std::move(pem_key_cert_pairs)) {
+  distributor_->SetWatchStatusCallback([this](std::string cert_name,
+                                              bool root_being_watched,
+                                              bool identity_being_watched) {
+    if (!root_being_watched && !identity_being_watched) return;
+    absl::optional<std::string> root_certificate;
+    absl::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pairs;
+    if (root_being_watched) {
+      root_certificate = root_certificate_;
+    }
+    if (identity_being_watched) {
+      pem_key_cert_pairs = pem_key_cert_pairs_;
+    }
+    distributor_->SetKeyMaterials(cert_name, std::move(root_certificate),
+                                  std::move(pem_key_cert_pairs));
+  });
+}
+
+}  // namespace grpc_core
+
+/** -- Wrapper APIs declared in grpc_security.h -- **/
+
+grpc_tls_certificate_provider* grpc_tls_certificate_provider_static_data_create(
+    const char* root_certificate, grpc_tls_identity_pairs* pem_key_cert_pairs) {
+  GPR_ASSERT(root_certificate != nullptr || pem_key_cert_pairs != nullptr);
+  grpc_core::PemKeyCertPairList identity_pairs_core;
+  if (pem_key_cert_pairs != nullptr) {
+    identity_pairs_core = std::move(pem_key_cert_pairs->pem_key_cert_pairs);
+    delete pem_key_cert_pairs;
+  }
+  std::string root_cert_core;
+  if (root_certificate != nullptr) {
+    root_cert_core = root_certificate;
+  }
+  return new grpc_core::StaticDataCertificateProvider(
+      std::move(root_cert_core), std::move(identity_pairs_core));
+}
+
+void grpc_tls_certificate_provider_release(
+    grpc_tls_certificate_provider* provider) {
+  GRPC_API_TRACE("grpc_tls_certificate_provider_release(provider=%p)", 1,
+                 (provider));
+  grpc_core::ExecCtx exec_ctx;
+  if (provider != nullptr) provider->Unref();
+}

data/src/core/lib/security/{certificate_provider.h → credentials/tls/grpc_tls_certificate_provider.h}

@@ -1,5 +1,4 @@
 //
-//
 // Copyright 2020 gRPC authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,20 +13,22 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
-//
 
-#ifndef GRPC_CORE_LIB_SECURITY_CERTIFICATE_PROVIDER_H
-#define GRPC_CORE_LIB_SECURITY_CERTIFICATE_PROVIDER_H
+#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CERTIFICATE_PROVIDER_H
+#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CERTIFICATE_PROVIDER_H
 
 #include <grpc/support/port_platform.h>
 
+#include <grpc/grpc_security.h>
+#include <string.h>
+
+#include "absl/container/inlined_vector.h"
+
 #include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/iomgr/pollset_set.h"
-
-// TODO(yashkt): After https://github.com/grpc/grpc/pull/23572, remove this
-// forward declaration and include the header for the distributor instead.
-struct grpc_tls_certificate_distributor;
+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
+#include "src/core/lib/security/security_connector/ssl_utils.h"
 
 // Interface for a grpc_tls_certificate_provider that handles the process to
 // fetch credentials and validation contexts. Implementations are free to rely
@@ -41,20 +42,33 @@ struct grpc_tls_certificate_distributor;
 struct grpc_tls_certificate_provider
     : public grpc_core::RefCounted<grpc_tls_certificate_provider> {
  public:
-  grpc_tls_certificate_provider()
-      : interested_parties_(grpc_pollset_set_create()) {}
-
-  virtual ~grpc_tls_certificate_provider() {
-    grpc_pollset_set_destroy(interested_parties_);
-  }
-
-  grpc_pollset_set* interested_parties() const { return interested_parties_; }
+  virtual grpc_pollset_set* interested_parties() const { return nullptr; }
 
   virtual grpc_core::RefCountedPtr<grpc_tls_certificate_distributor>
   distributor() const = 0;
+};
+
+namespace grpc_core {
+
+// A basic provider class that will get credentials from string during
+// initialization.
+class StaticDataCertificateProvider final
+    : public grpc_tls_certificate_provider {
+ public:
+  StaticDataCertificateProvider(
+      std::string root_certificate,
+      grpc_core::PemKeyCertPairList pem_key_cert_pairs);
+
+  RefCountedPtr<grpc_tls_certificate_distributor> distributor() const override {
+    return distributor_;
+  }
 
  private:
-  grpc_pollset_set* interested_parties_;
+  RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
+  std::string root_certificate_;
+  grpc_core::PemKeyCertPairList pem_key_cert_pairs_;
 };
 
-#endif  // GRPC_CORE_LIB_SECURITY_CERTIFICATE_PROVIDER_H
+}  // namespace grpc_core
+
+#endif  // GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CERTIFICATE_PROVIDER_H