RubyGems - grpc - Versions diffs - 1.34.0 → 1.35.0.pre1 - Mend

grpc 1.34.0 → 1.35.0.pre1

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (458) hide show

data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h CHANGED

@@ -26,6 +26,8 @@
 #include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/gprpp/thd.h"
+#include "src/core/lib/iomgr/load_file.h"
 #include "src/core/lib/iomgr/pollset_set.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
 #include "src/core/lib/security/security_connector/ssl_utils.h"
@@ -59,14 +61,76 @@ class StaticDataCertificateProvider final
       std::string root_certificate,
       grpc_core::PemKeyCertPairList pem_key_cert_pairs);
+  ~StaticDataCertificateProvider() override;
+  RefCountedPtr<grpc_tls_certificate_distributor> distributor() const override {
+    return distributor_;
+  }
+ private:
+  struct WatcherInfo {
+    bool root_being_watched = false;
+    bool identity_being_watched = false;
+  };
+  RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
+  std::string root_certificate_;
+  grpc_core::PemKeyCertPairList pem_key_cert_pairs_;
+  // Guards members below.
+  grpc_core::Mutex mu_;
+  // Stores each cert_name we get from the distributor callback and its watcher
+  // information.
+  std::map<std::string, WatcherInfo> watcher_info_;
+};
+// A provider class that will watch the credential changes on the file system.
+class FileWatcherCertificateProvider final
+    : public grpc_tls_certificate_provider {
+ public:
+  FileWatcherCertificateProvider(std::string private_key_path,
+                                 std::string identity_certificate_path,
+                                 std::string root_cert_path,
+                                 unsigned int refresh_interval_sec);
+  ~FileWatcherCertificateProvider() override;
   RefCountedPtr<grpc_tls_certificate_distributor> distributor() const override {
     return distributor_;
   }
  private:
+  struct WatcherInfo {
+    bool root_being_watched = false;
+    bool identity_being_watched = false;
+  };
+  // Force an update from the file system regardless of the interval.
+  void ForceUpdate();
+  // Read the root certificates from files and update the distributor.
+  absl::optional<std::string> ReadRootCertificatesFromFile(
+      const std::string& root_cert_full_path);
+  // Read the root certificates from files and update the distributor.
+  absl::optional<PemKeyCertPairList> ReadIdentityKeyCertPairFromFiles(
+      const std::string& private_key_path,
+      const std::string& identity_certificate_path);
+  // Information that is used by the refreshing thread.
+  std::string private_key_path_;
+  std::string identity_certificate_path_;
+  std::string root_cert_path_;
+  unsigned int refresh_interval_sec_ = 0;
   RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
+  grpc_core::Thread refresh_thread_;
+  gpr_event shutdown_event_;
+  // Guards members below.
+  grpc_core::Mutex mu_;
+  // The most-recent credential data. It will be empty if the most recent read
+  // attempt failed.
   std::string root_certificate_;
   grpc_core::PemKeyCertPairList pem_key_cert_pairs_;
+  // Stores each cert_name we get from the distributor callback and its watcher
+  // information.
+  std::map<std::string, WatcherInfo> watcher_info_;
 };
 }  // namespace grpc_core

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc CHANGED

@@ -46,7 +46,7 @@ grpc_tls_server_authorization_check_config::
 grpc_tls_server_authorization_check_config::
     ~grpc_tls_server_authorization_check_config() {
   if (destruct_ != nullptr) {
-    destruct_((void*)config_user_data_);
+    destruct_(config_user_data_);
   }
 }

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h CHANGED

@@ -147,7 +147,6 @@ struct grpc_tls_credentials_options
     server_authorization_check_config_ = std::move(config);
   }
   // Sets the provider in the options.
-  // This should only be used by C-core API for Tls*Creds case.
   void set_certificate_provider(
       grpc_core::RefCountedPtr<grpc_tls_certificate_provider> provider) {
     provider_ = std::move(provider);

data/src/core/lib/security/credentials/tls/tls_credentials.cc CHANGED

@@ -92,7 +92,7 @@ TlsCredentials::create_security_connector(
   }
   if (args != nullptr) {
     grpc_arg new_arg = grpc_channel_arg_string_create(
-        (char*)GRPC_ARG_HTTP2_SCHEME, (char*)"https");
+        const_cast<char*>(GRPC_ARG_HTTP2_SCHEME), const_cast<char*>("https"));
     *new_args = grpc_channel_args_copy_and_add(args, &new_arg, 1);
   }
   return sc;

data/src/core/lib/security/credentials/tls/tls_utils.cc ADDED

@@ -0,0 +1,91 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+#include <grpc/support/port_platform.h>
+#include "src/core/lib/security/credentials/tls/tls_utils.h"
+#include "absl/strings/ascii.h"
+#include "absl/strings/match.h"
+#include "absl/strings/str_cat.h"
+namespace grpc_core {
+// Based on
+// https://github.com/grpc/grpc-java/blob/ca12e7a339add0ef48202fb72434b9dc0df41756/xds/src/main/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManager.java#L62
+bool VerifySubjectAlternativeName(absl::string_view subject_alternative_name,
+                                  const std::string& matcher) {
+  if (subject_alternative_name.empty() ||
+      absl::StartsWith(subject_alternative_name, ".")) {
+    // Illegal pattern/domain name
+    return false;
+  }
+  if (matcher.empty() || absl::StartsWith(matcher, ".")) {
+    // Illegal domain name
+    return false;
+  }
+  // Normalize \a subject_alternative_name and \a matcher by turning them into
+  // absolute domain names if they are not yet absolute. This is needed because
+  // server certificates do not normally contain absolute names or patterns, but
+  // they should be treated as absolute. At the same time, any
+  // subject_alternative_name presented to this method should also be treated as
+  // absolute for the purposes of matching to the server certificate.
+  std::string normalized_san =
+      absl::EndsWith(subject_alternative_name, ".")
+          ? std::string(subject_alternative_name)
+          : absl::StrCat(subject_alternative_name, ".");
+  std::string normalized_matcher =
+      absl::EndsWith(matcher, ".") ? matcher : absl::StrCat(matcher, ".");
+  absl::AsciiStrToLower(&normalized_san);
+  absl::AsciiStrToLower(&normalized_matcher);
+  if (!absl::StrContains(normalized_san, "*")) {
+    return normalized_san == normalized_matcher;
+  }
+  // WILDCARD PATTERN RULES:
+  // 1. Asterisk (*) is only permitted in the left-most domain name label and
+  //    must be the only character in that label (i.e., must match the whole
+  //    left-most label). For example, *.example.com is permitted, while
+  //    *a.example.com, a*.example.com, a*b.example.com, a.*.example.com are
+  //    not permitted.
+  // 2. Asterisk (*) cannot match across domain name labels.
+  //    For example, *.example.com matches test.example.com but does not match
+  //    sub.test.example.com.
+  // 3. Wildcard patterns for single-label domain names are not permitted.
+  if (!absl::StartsWith(normalized_san, "*.")) {
+    // Asterisk (*) is only permitted in the left-most domain name label and
+    // must be the only character in that label
+    return false;
+  }
+  if (normalized_san == "*.") {
+    // Wildcard pattern for single-label domain name -- not permitted.
+    return false;
+  }
+  absl::string_view suffix = absl::string_view(normalized_san).substr(1);
+  if (absl::StrContains(suffix, "*")) {
+    // Asterisk (*) is not permitted in the suffix
+    return false;
+  }
+  if (!absl::EndsWith(normalized_matcher, suffix)) return false;
+  int suffix_start_index = normalized_matcher.length() - suffix.length();
+  // Asterisk matching across domain labels is not permitted.
+  return suffix_start_index <= 0 /* should not happen */ ||
+         normalized_matcher.find_last_of('.', suffix_start_index - 1) ==
+             std::string::npos;
+}
+}  // namespace grpc_core

data/src/core/lib/security/credentials/tls/tls_utils.h ADDED

@@ -0,0 +1,38 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_TLS_UTILS_H
+#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_TLS_UTILS_H
+#include <grpc/support/port_platform.h>
+#include <string>
+#include <vector>
+#include "absl/strings/string_view.h"
+namespace grpc_core {
+// Matches \a subject_alternative_name with \a matcher. Returns true if there
+// is a match, false otherwise.
+bool VerifySubjectAlternativeName(absl::string_view subject_alternative_name,
+                                  const std::string& matcher);
+}  // namespace grpc_core
+#endif  // GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_TLS_UTILS_H

data/src/core/lib/security/credentials/xds/xds_credentials.cc CHANGED

@@ -20,26 +20,156 @@
 #include "src/core/lib/security/credentials/xds/xds_credentials.h"
+#include "src/core/ext/xds/xds_certificate_provider.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
+#include "src/core/lib/security/credentials/tls/tls_credentials.h"
+#include "src/core/lib/security/credentials/tls/tls_utils.h"
+#include "src/core/lib/uri/uri_parser.h"
 namespace grpc_core {
-constexpr const char XdsCredentials::kCredentialsTypeXds[];
+const char kCredentialsTypeXds[] = "Xds";
+namespace {
+bool XdsVerifySubjectAlternativeNames(
+    const char* const* subject_alternative_names,
+    size_t subject_alternative_names_size,
+    const std::vector<XdsApi::StringMatcher>& matchers) {
+  if (matchers.empty()) return true;
+  for (size_t i = 0; i < subject_alternative_names_size; ++i) {
+    for (const auto& matcher : matchers) {
+      if (matcher.type() == XdsApi::StringMatcher::StringMatcherType::EXACT) {
+        // For EXACT match, use DNS rules for verifying SANs
+        // TODO(zhenlian): Right now, the SSL layer does not save the type of
+        // the SAN, so we are doing a DNS style verification for all SANs when
+        // the type is EXACT. When we expose the SAN type, change this to only
+        // do this verification when the SAN type is DNS and match type is
+        // EXACT. For all other cases, we should use matcher.Match().
+        if (VerifySubjectAlternativeName(subject_alternative_names[i],
+                                         matcher.string_matcher())) {
+          return true;
+        }
+      } else {
+        if (matcher.Match(subject_alternative_names[i])) {
+          return true;
+        }
+      }
+    }
+  }
+  return false;
+}
+int ServerAuthCheckSchedule(void* config_user_data,
+                            grpc_tls_server_authorization_check_arg* arg) {
+  XdsCertificateProvider* xds_certificate_provider =
+      static_cast<XdsCertificateProvider*>(config_user_data);
+  if (XdsVerifySubjectAlternativeNames(
+          arg->subject_alternative_names, arg->subject_alternative_names_size,
+          xds_certificate_provider->subject_alternative_name_matchers())) {
+    arg->success = 1;
+    arg->status = GRPC_STATUS_OK;
+  } else {
+    arg->success = 0;
+    arg->status = GRPC_STATUS_UNAUTHENTICATED;
+    if (arg->error_details) {
+      arg->error_details->set_error_details(
+          "SANs from certificate did not match SANs from xDS control plane");
+    }
+  }
+  return 0; /* synchronous check */
+}
+void ServerAuthCheckDestroy(void* config_user_data) {
+  XdsCertificateProvider* xds_certificate_provider =
+      static_cast<XdsCertificateProvider*>(config_user_data);
+  xds_certificate_provider->Unref();
+}
+}  // namespace
+bool TestOnlyXdsVerifySubjectAlternativeNames(
+    const char* const* subject_alternative_names,
+    size_t subject_alternative_names_size,
+    const std::vector<XdsApi::StringMatcher>& matchers) {
+  return XdsVerifySubjectAlternativeNames(
+      subject_alternative_names, subject_alternative_names_size, matchers);
+}
+//
+// XdsCredentials
+//
-grpc_core::RefCountedPtr<grpc_channel_security_connector>
+RefCountedPtr<grpc_channel_security_connector>
 XdsCredentials::create_security_connector(
-    grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
-    const char* target_name, const grpc_channel_args* args,
-    grpc_channel_args** new_args) {
-  /* TODO(yashkt) : To be filled */
-  if (fallback_credentials_ != nullptr) {
-    return fallback_credentials_->create_security_connector(
-        std::move(call_creds), target_name, args, new_args);
+    RefCountedPtr<grpc_call_credentials> call_creds, const char* target_name,
+    const grpc_channel_args* args, grpc_channel_args** new_args) {
+  auto xds_certificate_provider =
+      XdsCertificateProvider::GetFromChannelArgs(args);
+  // TODO(yashykt): This arg will no longer need to be added after b/173119596
+  // is fixed.
+  grpc_arg override_arg = grpc_channel_arg_string_create(
+      const_cast<char*>(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG),
+      const_cast<char*>(target_name));
+  const char* override_arg_name = GRPC_SSL_TARGET_NAME_OVERRIDE_ARG;
+  const grpc_channel_args* temp_args = args;
+  if (grpc_channel_args_find(args, override_arg_name) == nullptr) {
+    temp_args = grpc_channel_args_copy_and_add_and_remove(
+        args, &override_arg_name, 1, &override_arg, 1);
   }
-  return nullptr;
+  RefCountedPtr<grpc_channel_security_connector> security_connector;
+  if (xds_certificate_provider != nullptr) {
+    auto tls_credentials_options =
+        MakeRefCounted<grpc_tls_credentials_options>();
+    tls_credentials_options->set_certificate_provider(xds_certificate_provider);
+    if (xds_certificate_provider->ProvidesRootCerts()) {
+      tls_credentials_options->set_watch_root_cert(true);
+    }
+    if (xds_certificate_provider->ProvidesIdentityCerts()) {
+      tls_credentials_options->set_watch_identity_pair(true);
+    }
+    tls_credentials_options->set_server_verification_option(
+        GRPC_TLS_SKIP_HOSTNAME_VERIFICATION);
+    tls_credentials_options->set_server_authorization_check_config(
+        MakeRefCounted<grpc_tls_server_authorization_check_config>(
+            xds_certificate_provider->Ref().release(), ServerAuthCheckSchedule,
+            nullptr, ServerAuthCheckDestroy));
+    auto tls_credentials =
+        MakeRefCounted<TlsCredentials>(std::move(tls_credentials_options));
+    security_connector = tls_credentials->create_security_connector(
+        std::move(call_creds), target_name, temp_args, new_args);
+  } else {
+    GPR_ASSERT(fallback_credentials_ != nullptr);
+    security_connector = fallback_credentials_->create_security_connector(
+        std::move(call_creds), target_name, temp_args, new_args);
+  }
+  if (temp_args != args) {
+    grpc_channel_args_destroy(temp_args);
+  }
+  return security_connector;
+}
+//
+// XdsServerCredentials
+//
+RefCountedPtr<grpc_server_security_connector>
+XdsServerCredentials::create_security_connector() {
+  // TODO(yashkt): Fill this
+  return fallback_credentials_->create_security_connector();
 }
 }  // namespace grpc_core
 grpc_channel_credentials* grpc_xds_credentials_create(
     grpc_channel_credentials* fallback_credentials) {
+  GPR_ASSERT(fallback_credentials != nullptr);
   return new grpc_core::XdsCredentials(fallback_credentials->Ref());
 }
+grpc_server_credentials* grpc_xds_server_credentials_create(
+    grpc_server_credentials* fallback_credentials) {
+  GPR_ASSERT(fallback_credentials != nullptr);
+  return new grpc_core::XdsServerCredentials(fallback_credentials->Ref());
+}

data/src/core/lib/security/credentials/xds/xds_credentials.h CHANGED

@@ -23,29 +23,47 @@
 #include <grpc/grpc_security.h>
+#include "src/core/ext/xds/xds_api.h"
 #include "src/core/lib/security/credentials/credentials.h"
 namespace grpc_core {
+extern const char kCredentialsTypeXds[];
 class XdsCredentials final : public grpc_channel_credentials {
  public:
-  static constexpr const char kCredentialsTypeXds[] = "Xds";
   explicit XdsCredentials(
-      grpc_core::RefCountedPtr<grpc_channel_credentials> fallback_credentials)
+      RefCountedPtr<grpc_channel_credentials> fallback_credentials)
       : grpc_channel_credentials(kCredentialsTypeXds),
         fallback_credentials_(std::move(fallback_credentials)) {}
-  grpc_core::RefCountedPtr<grpc_channel_security_connector>
-  create_security_connector(
-      grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
-      const char* target_name, const grpc_channel_args* args,
-      grpc_channel_args** new_args) override;
+  RefCountedPtr<grpc_channel_security_connector> create_security_connector(
+      RefCountedPtr<grpc_call_credentials> call_creds, const char* target_name,
+      const grpc_channel_args* args, grpc_channel_args** new_args) override;
+ private:
+  RefCountedPtr<grpc_channel_credentials> fallback_credentials_;
+};
+class XdsServerCredentials final : public grpc_server_credentials {
+ public:
+  explicit XdsServerCredentials(
+      RefCountedPtr<grpc_server_credentials> fallback_credentials)
+      : grpc_server_credentials(kCredentialsTypeXds),
+        fallback_credentials_(std::move(fallback_credentials)) {}
+  RefCountedPtr<grpc_server_security_connector> create_security_connector()
+      override;
  private:
-  grpc_core::RefCountedPtr<grpc_channel_credentials> fallback_credentials_;
+  RefCountedPtr<grpc_server_credentials> fallback_credentials_;
 };
+bool TestOnlyXdsVerifySubjectAlternativeNames(
+    const char* const* subject_alternative_names,
+    size_t subject_alternative_names_size,
+    const std::vector<XdsApi::StringMatcher>& matchers);
 }  // namespace grpc_core
 #endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_XDS_XDS_CREDENTIALS_H */