grpc 1.35.0 → 1.36.0
- checksums.yaml +4 -4
- data/Makefile +60 -57
- data/include/grpc/grpc_security.h +16 -11
- data/src/core/ext/filters/client_channel/client_channel.cc +32 -26
- data/src/core/ext/filters/client_channel/client_channel.h +0 -2
- data/src/core/ext/filters/client_channel/config_selector.h +1 -1
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +2 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +3 -5
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel.h +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +8 -6
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +289 -170
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h +5 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +1 -3
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +231 -109
- data/src/core/ext/filters/client_channel/resolver.cc +2 -5
- data/src/core/ext/filters/client_channel/resolver.h +1 -12
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +36 -45
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +29 -41
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +16 -14
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +18 -15
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +362 -0
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +22 -74
- data/src/core/ext/filters/client_channel/server_address.cc +6 -0
- data/src/core/ext/filters/client_channel/server_address.h +31 -0
- data/src/core/ext/filters/client_channel/subchannel.cc +2 -2
- data/src/core/ext/filters/max_age/max_age_filter.cc +35 -32
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +1 -1
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +47 -22
- data/src/core/ext/transport/chttp2/server/chttp2_server.h +11 -2
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +11 -1
- data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +62 -18
- data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +11 -16
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +42 -59
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.c +3 -2
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.h +15 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +25 -1
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +75 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.c +2 -2
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.h +9 -9
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.c +7 -7
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.h +28 -13
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c +11 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.h +41 -7
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -21
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +122 -77
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +13 -9
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +37 -5
- data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.c +11 -9
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.h +44 -27
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +42 -16
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +106 -0
- data/src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c +29 -0
- data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.h +67 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +13 -16
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +51 -42
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +16 -13
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +50 -18
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.c +4 -7
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.h +0 -17
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.c +30 -23
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.h +85 -73
- data/src/core/ext/upb-generated/envoy/service/endpoint/v3/eds.upb.c +0 -3
- data/src/core/ext/upb-generated/envoy/service/listener/v3/lds.upb.c +0 -3
- data/src/core/ext/upb-generated/envoy/service/load_stats/v3/lrs.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/service/route/v3/rds.upb.c +0 -2
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.c +0 -1
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.c +21 -4
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.h +29 -0
- data/src/core/ext/upb-generated/{udpa/core/v1 → xds/core/v3}/authority.upb.c +5 -5
- data/src/core/ext/upb-generated/xds/core/v3/authority.upb.h +60 -0
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.c +52 -0
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.h +143 -0
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.c +42 -0
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.h +84 -0
- data/src/core/ext/upb-generated/{udpa/core/v1 → xds/core/v3}/resource.upb.c +9 -9
- data/src/core/ext/upb-generated/xds/core/v3/resource.upb.h +94 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.c +54 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.h +166 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.c +36 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.h +85 -0
- data/src/core/ext/upbdefs-generated/envoy/config/accesslog/v3/accesslog.upbdefs.c +168 -171
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.c +405 -420
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.h +2 -2
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/outlier_detection.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.c +177 -171
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.h +10 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/config_source.upbdefs.c +88 -88
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/health_check.upbdefs.c +153 -153
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +4 -7
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/substitution_format_string.upbdefs.c +33 -20
- data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint.upbdefs.c +56 -59
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +116 -111
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener_components.upbdefs.c +129 -121
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c +21 -24
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c +17 -13
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +747 -724
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/http_tracer.upbdefs.c +22 -25
- data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c +51 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +369 -376
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c +12 -16
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.c +112 -108
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/secret.upbdefs.c +45 -53
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +177 -180
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.c +92 -102
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/service/endpoint/v3/eds.upbdefs.c +32 -42
- data/src/core/ext/upbdefs-generated/envoy/service/listener/v3/lds.upbdefs.c +30 -40
- data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +4 -7
- data/src/core/ext/upbdefs-generated/envoy/service/route/v3/rds.upbdefs.c +38 -44
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/string.upbdefs.c +30 -33
- data/src/core/ext/upbdefs-generated/validate/validate.upbdefs.c +14 -11
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.c +42 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.c +62 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.c +45 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.c +49 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.c +67 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.c +50 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.h +35 -0
- data/src/core/ext/xds/xds_api.cc +738 -567
- data/src/core/ext/xds/xds_api.h +46 -84
- data/src/core/ext/xds/xds_bootstrap.cc +59 -40
- data/src/core/ext/xds/xds_bootstrap.h +12 -4
- data/src/core/ext/xds/xds_certificate_provider.cc +180 -74
- data/src/core/ext/xds/xds_certificate_provider.h +83 -44
- data/src/core/ext/xds/xds_client.cc +13 -11
- data/src/core/ext/xds/xds_client.h +3 -0
- data/src/core/ext/xds/xds_client_stats.cc +2 -1
- data/src/core/ext/xds/xds_server_config_fetcher.cc +147 -11
- data/src/core/lib/channel/handshaker.cc +2 -5
- data/src/core/lib/channel/handshaker.h +1 -1
- data/src/core/lib/gpr/log.cc +6 -1
- data/src/core/lib/gprpp/mpscq.cc +2 -2
- data/src/core/lib/gprpp/ref_counted.h +1 -1
- data/src/core/lib/gprpp/sync.h +129 -40
- data/src/core/lib/gprpp/time_util.cc +77 -0
- data/src/core/lib/gprpp/time_util.h +42 -0
- data/src/core/lib/http/httpcli_security_connector.cc +2 -2
- data/src/core/lib/iomgr/ev_apple.cc +10 -7
- data/src/core/lib/iomgr/ev_epollex_linux.cc +4 -4
- data/src/core/lib/iomgr/iomgr_posix.cc +0 -1
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +0 -1
- data/src/core/lib/iomgr/sockaddr_utils.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +1 -0
- data/src/core/lib/iomgr/tcp_client_posix.cc +1 -1
- data/src/core/lib/iomgr/tcp_posix.cc +4 -4
- data/src/core/lib/security/authorization/matchers.cc +339 -0
- data/src/core/lib/security/authorization/matchers.h +158 -0
- data/src/core/lib/security/authorization/mock_cel/activation.h +1 -1
- data/src/core/lib/security/authorization/mock_cel/cel_value.h +9 -7
- data/src/core/lib/security/credentials/alts/alts_credentials.cc +2 -1
- data/src/core/lib/security/credentials/alts/alts_credentials.h +1 -1
- data/src/core/lib/security/credentials/credentials.h +2 -1
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +2 -2
- data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +1 -1
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +7 -6
- data/src/core/lib/security/credentials/insecure/insecure_credentials.cc +2 -2
- data/src/core/lib/security/credentials/jwt/json_token.cc +0 -3
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +0 -3
- data/src/core/lib/security/credentials/local/local_credentials.cc +2 -1
- data/src/core/lib/security/credentials/local/local_credentials.h +1 -1
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +2 -1
- data/src/core/lib/security/credentials/ssl/ssl_credentials.h +1 -1
- data/src/core/lib/security/credentials/tls/tls_credentials.cc +2 -1
- data/src/core/lib/security/credentials/tls/tls_credentials.h +1 -1
- data/src/core/lib/security/credentials/xds/xds_credentials.cc +128 -59
- data/src/core/lib/security/credentials/xds/xds_credentials.h +3 -3
- data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc +5 -5
- data/src/core/lib/security/security_connector/ssl_utils.cc +3 -0
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +26 -14
- data/src/core/lib/security/transport/security_handshaker.cc +1 -3
- data/src/core/lib/slice/slice_intern.cc +1 -1
- data/src/core/lib/surface/init.cc +13 -15
- data/src/core/lib/surface/server.cc +3 -3
- data/src/core/lib/surface/server.h +3 -0
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/metadata.cc +6 -2
- data/src/core/plugin_registry/grpc_plugin_registry.cc +6 -0
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +17 -20
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +16 -21
- data/src/core/tsi/fake_transport_security.cc +1 -1
- data/src/core/tsi/ssl/session_cache/ssl_session.h +0 -3
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +0 -2
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +2 -4
- data/src/core/tsi/ssl_transport_security.cc +0 -3
- data/src/core/tsi/ssl_transport_security.h +0 -3
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +7 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/graphcycles.cc +1 -0
- data/third_party/boringssl-with-bazel/err_data.c +725 -723
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +3 -10
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +15 -14
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_locl.h +30 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +28 -79
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +39 -85
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +5 -16
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +10 -61
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +158 -0
- data/third_party/boringssl-with-bazel/src/crypto/bn_extra/bn_asn1.c +3 -10
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +8 -9
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +60 -45
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +6 -81
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +87 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu-aarch64-win.c +41 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/dh_asn1.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/params.c +179 -0
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +25 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +2 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +3 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +13 -20
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +9 -1
- data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/check.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/dh.c +136 -213
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +12 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +9 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +28 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +128 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +0 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +51 -32
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +147 -0
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +18 -29
- data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +13 -4
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +10 -7
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +13 -11
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +34 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/rand_extra.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +7 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +5 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +10 -7
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_r2x.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +29 -23
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +39 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +11 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +25 -25
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +40 -20
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +25 -36
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +6 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +652 -545
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +0 -167
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +10 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +62 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +22 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +15 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +56 -26
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +15 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +12 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +3 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +2 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +42 -24
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +27 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +287 -98
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +139 -36
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +4 -3
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +11 -20
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +10 -5
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +37 -16
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +0 -1
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +7 -8
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +20 -14
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +7 -8
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +5 -7
- data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +329 -31
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +48 -15
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +66 -24
- metadata +77 -65
- data/src/core/ext/upb-generated/udpa/core/v1/authority.upb.h +0 -60
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.c +0 -52
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.h +0 -143
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.c +0 -42
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.h +0 -84
- data/src/core/ext/upb-generated/udpa/core/v1/resource.upb.h +0 -94
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.c +0 -54
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.h +0 -173
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.c +0 -36
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.h +0 -92
- data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.c +0 -42
- data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.h +0 -35
- data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.c +0 -62
- data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.c +0 -45
- data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.c +0 -49
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.h +0 -35
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.c +0 -68
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.c +0 -51
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.h +0 -35
- data/src/core/lib/iomgr/iomgr_posix.h +0 -26
@@ -48,7 +48,7 @@ class Activation : public BaseActivation {
|
|
48
48
|
Activation& operator=(const Activation&) = delete;
|
49
49
|
|
50
50
|
// Insert value into Activation.
|
51
|
-
void InsertValue(absl::string_view name
|
51
|
+
void InsertValue(absl::string_view /*name*/, const CelValue& /*value*/) {}
|
52
52
|
};
|
53
53
|
|
54
54
|
} // namespace mock_cel
|
@@ -61,23 +61,25 @@ class CelValue {
|
|
61
61
|
// We rely on copy elision to avoid extra copying.
|
62
62
|
static CelValue CreateNull() { return CelValue(nullptr); }
|
63
63
|
|
64
|
-
static CelValue CreateInt64(int64_t value) { return CreateNull(); }
|
64
|
+
static CelValue CreateInt64(int64_t /*value*/) { return CreateNull(); }
|
65
65
|
|
66
|
-
static CelValue CreateUint64(uint64_t value) { return CreateNull(); }
|
66
|
+
static CelValue CreateUint64(uint64_t /*value*/) { return CreateNull(); }
|
67
67
|
|
68
|
-
static CelValue CreateStringView(absl::string_view value) {
|
68
|
+
static CelValue CreateStringView(absl::string_view /*value*/) {
|
69
69
|
return CreateNull();
|
70
70
|
}
|
71
71
|
|
72
|
-
static CelValue CreateString(const std::string* str) {
|
72
|
+
static CelValue CreateString(const std::string* /*str*/) {
|
73
|
+
return CreateNull();
|
74
|
+
}
|
73
75
|
|
74
|
-
static CelValue CreateMap(const CelMap* value) { return CreateNull(); }
|
76
|
+
static CelValue CreateMap(const CelMap* /*value*/) { return CreateNull(); }
|
75
77
|
|
76
78
|
private:
|
77
79
|
// Constructs CelValue wrapping value supplied as argument.
|
78
80
|
// Value type T should be supported by specification of ValueHolder.
|
79
81
|
template <class T>
|
80
|
-
explicit CelValue(T value) {}
|
82
|
+
explicit CelValue(T /*value*/) {}
|
81
83
|
};
|
82
84
|
|
83
85
|
// CelMap implementation that uses STL map container as backing storage.
|
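--- a/data/src/core/lib/security/authorization/mock_cel/cel_value.h
+++ b/data/src/core/lib/security/authorization/mock_cel/cel_value.h
@@ -86,7 +88,7 @@ class ContainerBackedMapImpl : public CelMap {
 ContainerBackedMapImpl() = default;
 
 static std::unique_ptr<CelMap> Create(
-absl::Span<std::pair<CelValue, CelValue>> key_values) {
+absl::Span<std::pair<CelValue, CelValue>> /*key_values*/) {
 return absl::make_unique<ContainerBackedMapImpl>();
 }
 };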
@@ -70,7 +70,8 @@ grpc_alts_server_credentials::grpc_alts_server_credentials(
|
|
70
70
|
}
|
71
71
|
|
72
72
|
grpc_core::RefCountedPtr<grpc_server_security_connector>
|
73
|
-
grpc_alts_server_credentials::create_security_connector(
|
73
|
+
grpc_alts_server_credentials::create_security_connector(
|
74
|
+
const grpc_channel_args* /* args */) {
|
74
75
|
return grpc_alts_server_security_connector_create(this->Ref());
|
75
76
|
}
|
76
77
|
|
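--- a/data/src/core/lib/security/credentials/alts/alts_credentials.h
+++ b/data/src/core/lib/security/credentials/alts/alts_credentials.h
@@ -56,7 +56,7 @@ class grpc_alts_server_credentials final : public grpc_server_credentials {
 ~grpc_alts_server_credentials() override;
 
 grpc_core::RefCountedPtr<grpc_server_security_connector>
-create_security_connector() override;
+create_security_connector(const grpc_channel_args* /* args */) override;
 
 const grpc_alts_credentials_options* options() const { return options_; }
 grpc_alts_credentials_options* mutable_options() { return options_; }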
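--- a/data/src/core/lib/security/credentials/credentials.h
+++ b/data/src/core/lib/security/credentials/credentials.h
@@ -227,8 +227,9 @@ struct grpc_server_credentials
 
 ~grpc_server_credentials() override { DestroyProcessor(); }
 
+// Ownership of \a args is not passed.
 virtual grpc_core::RefCountedPtr<grpc_server_security_connector>
-create_security_connector() = 0;
+create_security_connector(const grpc_channel_args* args) = 0;
 
 const char* type() const { return type_; }
 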
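Review bot: The new comment on the pure virtual `create_security_connector` says ownership of `args` is not passed, but not whether the pointer may be nullptr, which is the first thing every override has to know before reading it; the overrides in this diff (alts, fake) ignore the argument entirely, so the contract is only fixed here in the base declaration. Suggest extending the line to `// Ownership of \a args is not passed; \a args may be nullptr.` if that is the intended contract, or stating the opposite if callers always supply a valid pointer. Which of the two holds is not visible in this hunk, so the maintainer should pick the true one rather than leave it implicit.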
@@ -120,7 +120,7 @@ AwsExternalAccountCredentials::AwsExternalAccountCredentials(
|
|
120
120
|
}
|
121
121
|
|
122
122
|
void AwsExternalAccountCredentials::RetrieveSubjectToken(
|
123
|
-
HTTPRequestContext* ctx, const Options& options
|
123
|
+
HTTPRequestContext* ctx, const Options& /*options*/,
|
124
124
|
std::function<void(std::string, grpc_error*)> cb) {
|
125
125
|
if (ctx == nullptr) {
|
126
126
|
FinishRetrieveSubjectToken(
|
@@ -316,7 +316,7 @@ void ExternalAccountCredentials::OnExchangeTokenInternal(grpc_error* error) {
|
|
316
316
|
std::string(ctx_->response.body, ctx_->response.body_length).c_str());
|
317
317
|
metadata_req_->response.hdrs = static_cast<grpc_http_header*>(
|
318
318
|
gpr_malloc(sizeof(grpc_http_header) * ctx_->response.hdr_count));
|
319
|
-
for (
|
319
|
+
for (size_t i = 0; i < ctx_->response.hdr_count; i++) {
|
320
320
|
metadata_req_->response.hdrs[i].key =
|
321
321
|
gpr_strdup(ctx_->response.hdrs[i].key);
|
322
322
|
metadata_req_->response.hdrs[i].value =
|
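Review bot: The header-copy loop that this hunk switches to `size_t` is duplicated verbatim in OnImpersenateServiceAccountInternal (the hunk at -443), so the same signed/unsigned fix had to be applied in two places and any later change to how `hdrs` is copied will have to be as well. Both sites allocate `hdr_count` entries with `gpr_malloc` and `gpr_strdup` each key and value, which is exactly the shape a small static helper would keep in step. Both enclosing functions begin and end outside these hunks, and whether `hdr_count` is assigned into `metadata_req_->response` nearby is not shown, so the helper below reproduces only what the hunks display and assumes both `response` members are `grpc_http_response`.
```cpp
// Deep-copies the header table of |src| into |dst|; |dst| owns the new
// strings and releases them wherever its response is freed today.
static void CopyHttpHeaders(const grpc_http_response& src,
                            grpc_http_response* dst) {
  dst->hdrs = static_cast<grpc_http_header*>(
      gpr_malloc(sizeof(grpc_http_header) * src.hdr_count));
  for (size_t i = 0; i < src.hdr_count; i++) {
    dst->hdrs[i].key = gpr_strdup(src.hdrs[i].key);
    dst->hdrs[i].value = gpr_strdup(src.hdrs[i].value);
  }
}

// … in OnExchangeTokenInternal and OnImpersenateServiceAccountInternal,
// replacing the gpr_malloc call and the for loop:
CopyHttpHeaders(ctx_->response, &metadata_req_->response);
```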
@@ -443,7 +443,7 @@ void ExternalAccountCredentials::OnImpersenateServiceAccountInternal(
|
|
443
443
|
metadata_req_->response.body_length = body.length();
|
444
444
|
metadata_req_->response.hdrs = static_cast<grpc_http_header*>(
|
445
445
|
gpr_malloc(sizeof(grpc_http_header) * ctx_->response.hdr_count));
|
446
|
-
for (
|
446
|
+
for (size_t i = 0; i < ctx_->response.hdr_count; i++) {
|
447
447
|
metadata_req_->response.hdrs[i].key =
|
448
448
|
gpr_strdup(ctx_->response.hdrs[i].key);
|
449
449
|
metadata_req_->response.hdrs[i].value =
|
@@ -91,7 +91,7 @@ FileExternalAccountCredentials::FileExternalAccountCredentials(
|
|
91
91
|
}
|
92
92
|
|
93
93
|
void FileExternalAccountCredentials::RetrieveSubjectToken(
|
94
|
-
HTTPRequestContext* ctx
|
94
|
+
HTTPRequestContext* /*ctx*/, const Options& /*options*/,
|
95
95
|
std::function<void(std::string, grpc_error*)> cb) {
|
96
96
|
struct SliceWrapper {
|
97
97
|
~SliceWrapper() { grpc_slice_unref_internal(slice); }
|
@@ -112,7 +112,7 @@ UrlExternalAccountCredentials::UrlExternalAccountCredentials(
|
|
112
112
|
}
|
113
113
|
|
114
114
|
void UrlExternalAccountCredentials::RetrieveSubjectToken(
|
115
|
-
HTTPRequestContext* ctx, const Options& options
|
115
|
+
HTTPRequestContext* ctx, const Options& /*options*/,
|
116
116
|
std::function<void(std::string, grpc_error*)> cb) {
|
117
117
|
if (ctx == nullptr) {
|
118
118
|
FinishRetrieveSubjectToken(
|
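--- a/data/src/core/lib/security/credentials/fake/fake_credentials.cc
+++ b/data/src/core/lib/security/credentials/fake/fake_credentials.cc
@@ -59,7 +59,7 @@ class grpc_fake_server_credentials final : public grpc_server_credentials {
 ~grpc_fake_server_credentials() override = default;
 
 grpc_core::RefCountedPtr<grpc_server_security_connector>
-create_security_connector() override {
+create_security_connector(const grpc_channel_args* /*args*/) override {
 return grpc_fake_server_security_connector_create(this->Ref());
 }
 };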
@@ -61,7 +61,7 @@ using grpc_core::Json;
|
|
61
61
|
* means the detection is done via network test that is unreliable and the
|
62
62
|
* unreliable result should not be referred by successive calls. */
|
63
63
|
static int g_metadata_server_available = 0;
|
64
|
-
static
|
64
|
+
static grpc_core::Mutex* g_state_mu;
|
65
65
|
/* Protect a metadata_server_detector instance that can be modified by more than
|
66
66
|
* one gRPC threads */
|
67
67
|
static gpr_mu* g_polling_mu;
|
@@ -69,7 +69,9 @@ static gpr_once g_once = GPR_ONCE_INIT;
|
|
69
69
|
static grpc_core::internal::grpc_gce_tenancy_checker g_gce_tenancy_checker =
|
70
70
|
grpc_alts_is_running_on_gcp;
|
71
71
|
|
72
|
-
static void init_default_credentials(void) {
|
72
|
+
static void init_default_credentials(void) {
|
73
|
+
g_state_mu = new grpc_core::Mutex();
|
74
|
+
}
|
73
75
|
|
74
76
|
struct metadata_server_detector {
|
75
77
|
grpc_polling_entity pollent;
|
@@ -282,7 +284,7 @@ end:
|
|
282
284
|
|
283
285
|
static void update_tenancy() {
|
284
286
|
gpr_once_init(&g_once, init_default_credentials);
|
285
|
-
grpc_core::MutexLock lock(
|
287
|
+
grpc_core::MutexLock lock(g_state_mu);
|
286
288
|
|
287
289
|
/* Try a platform-provided hint for GCE. */
|
288
290
|
if (!g_metadata_server_available) {
|
@@ -297,7 +299,7 @@ static void update_tenancy() {
|
|
297
299
|
}
|
298
300
|
|
299
301
|
static bool metadata_server_available() {
|
300
|
-
grpc_core::MutexLock lock(
|
302
|
+
grpc_core::MutexLock lock(g_state_mu);
|
301
303
|
return static_cast<bool>(g_metadata_server_available);
|
302
304
|
}
|
303
305
|
|
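Review bot: metadata_server_available() at new line 302 locks g_state_mu without first calling gpr_once_init(&g_once, init_default_credentials), whereas update_tenancy() and grpc_flush_cached_google_default_credentials() in the neighbouring hunks both do; since g_state_mu is now a pointer that is only assigned in init_default_credentials(), a call that reaches this function before either of those has run dereferences a null pointer instead of an uninitialised gpr_mu. If every caller is guaranteed to have run update_tenancy() first this is fine, but the dependency should be explicit: either add `gpr_once_init(&g_once, init_default_credentials);` before the lock, or a comment `// Caller must have run update_tenancy() (which initializes g_state_mu) first.` The declaration at new line 64 would also benefit from stating what the mutex guards, e.g. `// Guards g_metadata_server_available; allocated once in init_default_credentials() and intentionally never freed.`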
@@ -387,9 +389,8 @@ void set_gce_tenancy_checker_for_testing(grpc_gce_tenancy_checker checker) {
|
|
387
389
|
void grpc_flush_cached_google_default_credentials(void) {
|
388
390
|
grpc_core::ExecCtx exec_ctx;
|
389
391
|
gpr_once_init(&g_once, init_default_credentials);
|
390
|
-
|
392
|
+
grpc_core::MutexLock lock(g_state_mu);
|
391
393
|
g_metadata_server_available = 0;
|
392
|
-
gpr_mu_unlock(&g_state_mu);
|
393
394
|
}
|
394
395
|
|
395
396
|
} // namespace internal
|
@@ -46,8 +46,8 @@ class InsecureServerCredentials final : public grpc_server_credentials {
|
|
46
46
|
InsecureServerCredentials()
|
47
47
|
: grpc_server_credentials(kCredentialsTypeInsecure) {}
|
48
48
|
|
49
|
-
RefCountedPtr<grpc_server_security_connector> create_security_connector(
|
50
|
-
override {
|
49
|
+
RefCountedPtr<grpc_server_security_connector> create_security_connector(
|
50
|
+
const grpc_channel_args* /* args */) override {
|
51
51
|
return MakeRefCounted<InsecureServerSecurityConnector>(Ref());
|
52
52
|
}
|
53
53
|
};
|
@@ -33,14 +33,11 @@
|
|
33
33
|
#include "src/core/lib/security/util/json_util.h"
|
34
34
|
#include "src/core/lib/slice/b64.h"
|
35
35
|
|
36
|
-
#pragma clang diagnostic push
|
37
|
-
#pragma clang diagnostic ignored "-Wmodule-import-in-extern-c"
|
38
36
|
extern "C" {
|
39
37
|
#include <openssl/bio.h>
|
40
38
|
#include <openssl/evp.h>
|
41
39
|
#include <openssl/pem.h>
|
42
40
|
}
|
43
|
-
#pragma clang diagnostic pop
|
44
41
|
|
45
42
|
using grpc_core::Json;
|
46
43
|
|
@@ -28,14 +28,11 @@
|
|
28
28
|
#include <grpc/support/string_util.h>
|
29
29
|
#include <grpc/support/sync.h>
|
30
30
|
|
31
|
-
#pragma clang diagnostic push
|
32
|
-
#pragma clang diagnostic ignored "-Wmodule-import-in-extern-c"
|
33
31
|
extern "C" {
|
34
32
|
#include <openssl/bn.h>
|
35
33
|
#include <openssl/pem.h>
|
36
34
|
#include <openssl/rsa.h>
|
37
35
|
}
|
38
|
-
#pragma clang diagnostic pop
|
39
36
|
|
40
37
|
#include "src/core/lib/gpr/string.h"
|
41
38
|
#include "src/core/lib/gprpp/manual_constructor.h"
|
@@ -39,7 +39,8 @@ grpc_local_credentials::create_security_connector(
|
|
39
39
|
}
|
40
40
|
|
41
41
|
grpc_core::RefCountedPtr<grpc_server_security_connector>
|
42
|
-
grpc_local_server_credentials::create_security_connector(
|
42
|
+
grpc_local_server_credentials::create_security_connector(
|
43
|
+
const grpc_channel_args* /* args */) {
|
43
44
|
return grpc_local_server_security_connector_create(this->Ref());
|
44
45
|
}
|
45
46
|
|
@@ -50,7 +50,7 @@ class grpc_local_server_credentials final : public grpc_server_credentials {
|
|
50
50
|
~grpc_local_server_credentials() override = default;
|
51
51
|
|
52
52
|
grpc_core::RefCountedPtr<grpc_server_security_connector>
|
53
|
-
create_security_connector() override;
|
53
|
+
create_security_connector(const grpc_channel_args* /* args */) override;
|
54
54
|
|
55
55
|
grpc_local_connect_type connect_type() const { return connect_type_; }
|
56
56
|
|
@@ -190,7 +190,8 @@ grpc_ssl_server_credentials::~grpc_ssl_server_credentials() {
|
|
190
190
|
gpr_free(config_.pem_root_certs);
|
191
191
|
}
|
192
192
|
grpc_core::RefCountedPtr<grpc_server_security_connector>
|
193
|
-
grpc_ssl_server_credentials::create_security_connector(
|
193
|
+
grpc_ssl_server_credentials::create_security_connector(
|
194
|
+
const grpc_channel_args* /* args */) {
|
194
195
|
return grpc_ssl_server_security_connector_create(this->Ref());
|
195
196
|
}
|
196
197
|
|
@@ -69,7 +69,7 @@ class grpc_ssl_server_credentials final : public grpc_server_credentials {
|
|
69
69
|
~grpc_ssl_server_credentials() override;
|
70
70
|
|
71
71
|
grpc_core::RefCountedPtr<grpc_server_security_connector>
|
72
|
-
create_security_connector() override;
|
72
|
+
create_security_connector(const grpc_channel_args* /* args */) override;
|
73
73
|
|
74
74
|
bool has_cert_config_fetcher() const {
|
75
75
|
return certificate_config_fetcher_.cb != nullptr;
|
@@ -106,7 +106,8 @@ TlsServerCredentials::TlsServerCredentials(
|
|
106
106
|
TlsServerCredentials::~TlsServerCredentials() {}
|
107
107
|
|
108
108
|
grpc_core::RefCountedPtr<grpc_server_security_connector>
|
109
|
-
TlsServerCredentials::create_security_connector(
|
109
|
+
TlsServerCredentials::create_security_connector(
|
110
|
+
const grpc_channel_args* /* args */) {
|
110
111
|
return grpc_core::TlsServerSecurityConnector::
|
111
112
|
CreateTlsServerSecurityConnector(this->Ref(), options_);
|
112
113
|
}
|
@@ -51,7 +51,7 @@ class TlsServerCredentials final : public grpc_server_credentials {
|
|
51
51
|
~TlsServerCredentials() override;
|
52
52
|
|
53
53
|
grpc_core::RefCountedPtr<grpc_server_security_connector>
|
54
|
-
create_security_connector() override;
|
54
|
+
create_security_connector(const grpc_channel_args* /* args */) override;
|
55
55
|
|
56
56
|
grpc_tls_credentials_options* options() const { return options_.get(); }
|
57
57
|
|
@@ -20,6 +20,7 @@
|
|
20
20
|
|
21
21
|
#include "src/core/lib/security/credentials/xds/xds_credentials.h"
|
22
22
|
|
23
|
+
#include "src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h"
|
23
24
|
#include "src/core/ext/xds/xds_certificate_provider.h"
|
24
25
|
#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
|
25
26
|
#include "src/core/lib/security/credentials/tls/tls_credentials.h"
|
@@ -35,11 +36,11 @@ namespace {
|
|
35
36
|
bool XdsVerifySubjectAlternativeNames(
|
36
37
|
const char* const* subject_alternative_names,
|
37
38
|
size_t subject_alternative_names_size,
|
38
|
-
const std::vector<
|
39
|
+
const std::vector<StringMatcher>& matchers) {
|
39
40
|
if (matchers.empty()) return true;
|
40
41
|
for (size_t i = 0; i < subject_alternative_names_size; ++i) {
|
41
42
|
for (const auto& matcher : matchers) {
|
42
|
-
if (matcher.type() ==
|
43
|
+
if (matcher.type() == StringMatcher::Type::EXACT) {
|
43
44
|
// For EXACT match, use DNS rules for verifying SANs
|
44
45
|
// TODO(zhenlian): Right now, the SSL layer does not save the type of
|
45
46
|
// the SAN, so we are doing a DNS style verification for all SANs when
|
@@ -60,39 +61,51 @@ bool XdsVerifySubjectAlternativeNames(
|
|
60
61
|
return false;
|
61
62
|
}
|
62
63
|
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
arg
|
74
|
-
arg->status = GRPC_STATUS_UNAUTHENTICATED;
|
75
|
-
if (arg->error_details) {
|
76
|
-
arg->error_details->set_error_details(
|
77
|
-
"SANs from certificate did not match SANs from xDS control plane");
|
78
|
-
}
|
64
|
+
class ServerAuthCheck {
|
65
|
+
public:
|
66
|
+
ServerAuthCheck(
|
67
|
+
RefCountedPtr<XdsCertificateProvider> xds_certificate_provider,
|
68
|
+
std::string cluster_name)
|
69
|
+
: xds_certificate_provider_(std::move(xds_certificate_provider)),
|
70
|
+
cluster_name_(std::move(cluster_name)) {}
|
71
|
+
|
72
|
+
static int Schedule(void* config_user_data,
|
73
|
+
grpc_tls_server_authorization_check_arg* arg) {
|
74
|
+
return static_cast<ServerAuthCheck*>(config_user_data)->ScheduleImpl(arg);
|
79
75
|
}
|
80
76
|
|
81
|
-
|
82
|
-
|
77
|
+
static void Destroy(void* config_user_data) {
|
78
|
+
delete static_cast<ServerAuthCheck*>(config_user_data);
|
79
|
+
}
|
83
80
|
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
81
|
+
private:
|
82
|
+
int ScheduleImpl(grpc_tls_server_authorization_check_arg* arg) {
|
83
|
+
if (XdsVerifySubjectAlternativeNames(
|
84
|
+
arg->subject_alternative_names, arg->subject_alternative_names_size,
|
85
|
+
xds_certificate_provider_->GetSanMatchers(cluster_name_))) {
|
86
|
+
arg->success = 1;
|
87
|
+
arg->status = GRPC_STATUS_OK;
|
88
|
+
} else {
|
89
|
+
arg->success = 0;
|
90
|
+
arg->status = GRPC_STATUS_UNAUTHENTICATED;
|
91
|
+
if (arg->error_details) {
|
92
|
+
arg->error_details->set_error_details(
|
93
|
+
"SANs from certificate did not match SANs from xDS control plane");
|
94
|
+
}
|
95
|
+
}
|
96
|
+
return 0; /* synchronous check */
|
97
|
+
}
|
98
|
+
|
99
|
+
RefCountedPtr<XdsCertificateProvider> xds_certificate_provider_;
|
100
|
+
std::string cluster_name_;
|
101
|
+
};
|
89
102
|
|
90
103
|
} // namespace
|
91
104
|
|
92
105
|
bool TestOnlyXdsVerifySubjectAlternativeNames(
|
93
106
|
const char* const* subject_alternative_names,
|
94
107
|
size_t subject_alternative_names_size,
|
95
|
-
const std::vector<
|
108
|
+
const std::vector<StringMatcher>& matchers) {
|
96
109
|
return XdsVerifySubjectAlternativeNames(
|
97
110
|
subject_alternative_names, subject_alternative_names_size, matchers);
|
98
111
|
}
|
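Review bot: The new ServerAuthCheck class carries no comment describing its role, and the behaviour it encodes is security-relevant: the channel options built in XdsCredentials::create_security_connector set GRPC_TLS_SKIP_HOSTNAME_VERIFICATION, so this check is the only validation of the peer certificate's identity, and XdsVerifySubjectAlternativeNames returns true at `if (matchers.empty()) return true;`, so a cluster with no SAN matchers configured accepts any certificate that chains to the trusted roots. A class comment such as `// Server authorization check for xDS-managed client connections. Hostname verification is disabled on these channels, so matching the peer's SANs against the cluster's configured matchers is the only identity check; an empty matcher list accepts any SAN.` would make that explicit for maintainers. The `return 0; /* synchronous check */` in ScheduleImpl would also read better as `return 0;  // Synchronous: the verdict is reported via arg->success / arg->status, not the return value.`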
@@ -105,49 +118,79 @@ RefCountedPtr<grpc_channel_security_connector>
|
|
105
118
|
XdsCredentials::create_security_connector(
|
106
119
|
RefCountedPtr<grpc_call_credentials> call_creds, const char* target_name,
|
107
120
|
const grpc_channel_args* args, grpc_channel_args** new_args) {
|
108
|
-
|
109
|
-
|
121
|
+
struct ChannelArgsDeleter {
|
122
|
+
const grpc_channel_args* args;
|
123
|
+
bool owned;
|
124
|
+
~ChannelArgsDeleter() {
|
125
|
+
if (owned) grpc_channel_args_destroy(args);
|
126
|
+
}
|
127
|
+
};
|
128
|
+
ChannelArgsDeleter temp_args{args, false};
|
110
129
|
// TODO(yashykt): This arg will no longer need to be added after b/173119596
|
111
130
|
// is fixed.
|
112
131
|
grpc_arg override_arg = grpc_channel_arg_string_create(
|
113
132
|
const_cast<char*>(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG),
|
114
133
|
const_cast<char*>(target_name));
|
115
134
|
const char* override_arg_name = GRPC_SSL_TARGET_NAME_OVERRIDE_ARG;
|
116
|
-
const grpc_channel_args* temp_args = args;
|
117
135
|
if (grpc_channel_args_find(args, override_arg_name) == nullptr) {
|
118
|
-
temp_args = grpc_channel_args_copy_and_add_and_remove(
|
136
|
+
temp_args.args = grpc_channel_args_copy_and_add_and_remove(
|
119
137
|
args, &override_arg_name, 1, &override_arg, 1);
|
138
|
+
temp_args.owned = true;
|
120
139
|
}
|
121
140
|
RefCountedPtr<grpc_channel_security_connector> security_connector;
|
141
|
+
auto xds_certificate_provider =
|
142
|
+
XdsCertificateProvider::GetFromChannelArgs(args);
|
122
143
|
if (xds_certificate_provider != nullptr) {
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
|
129
|
-
|
130
|
-
|
144
|
+
std::string cluster_name =
|
145
|
+
grpc_channel_args_find_string(args, GRPC_ARG_XDS_CLUSTER_NAME);
|
146
|
+
GPR_ASSERT(cluster_name.data() != nullptr);
|
147
|
+
const bool watch_root =
|
148
|
+
xds_certificate_provider->ProvidesRootCerts(cluster_name);
|
149
|
+
const bool watch_identity =
|
150
|
+
xds_certificate_provider->ProvidesIdentityCerts(cluster_name);
|
151
|
+
if (watch_root || watch_identity) {
|
152
|
+
auto tls_credentials_options =
|
153
|
+
MakeRefCounted<grpc_tls_credentials_options>();
|
154
|
+
tls_credentials_options->set_certificate_provider(
|
155
|
+
xds_certificate_provider);
|
156
|
+
if (watch_root) {
|
157
|
+
tls_credentials_options->set_watch_root_cert(true);
|
158
|
+
tls_credentials_options->set_root_cert_name(cluster_name);
|
159
|
+
}
|
160
|
+
if (watch_identity) {
|
161
|
+
tls_credentials_options->set_watch_identity_pair(true);
|
162
|
+
tls_credentials_options->set_identity_cert_name(cluster_name);
|
163
|
+
}
|
164
|
+
tls_credentials_options->set_server_verification_option(
|
165
|
+
GRPC_TLS_SKIP_HOSTNAME_VERIFICATION);
|
166
|
+
auto* server_auth_check = new ServerAuthCheck(xds_certificate_provider,
|
167
|
+
std::move(cluster_name));
|
168
|
+
tls_credentials_options->set_server_authorization_check_config(
|
169
|
+
MakeRefCounted<grpc_tls_server_authorization_check_config>(
|
170
|
+
server_auth_check, ServerAuthCheck::Schedule, nullptr,
|
171
|
+
ServerAuthCheck::Destroy));
|
172
|
+
// TODO(yashkt): Creating a new TlsCreds object each time we create a
|
173
|
+
// security connector means that the security connector's cmp() method
|
174
|
+
// returns unequal for each instance, which means that every time an LB
|
175
|
+
// policy updates, all the subchannels will be recreated. This is
|
176
|
+
// going to lead to a lot of connection churn. Instead, we should
|
177
|
+
// either (a) change the TLS security connector's cmp() method to be
|
178
|
+
// smarter somehow, so that it compares unequal only when the
|
179
|
+
// tls_credentials_options have changed, or (b) cache the TlsCreds
|
180
|
+
// objects in the XdsCredentials object so that we can reuse the
|
181
|
+
// same one when creating new security connectors, swapping out the
|
182
|
+
// TlsCreds object only when the tls_credentials_options change.
|
183
|
+
// Option (a) would probably be better, although it may require some
|
184
|
+
// structural changes to the security connector API.
|
185
|
+
auto tls_credentials =
|
186
|
+
MakeRefCounted<TlsCredentials>(std::move(tls_credentials_options));
|
187
|
+
return tls_credentials->create_security_connector(
|
188
|
+
std::move(call_creds), target_name, temp_args.args, new_args);
|
131
189
|
}
|
132
|
-
tls_credentials_options->set_server_verification_option(
|
133
|
-
GRPC_TLS_SKIP_HOSTNAME_VERIFICATION);
|
134
|
-
tls_credentials_options->set_server_authorization_check_config(
|
135
|
-
MakeRefCounted<grpc_tls_server_authorization_check_config>(
|
136
|
-
xds_certificate_provider->Ref().release(), ServerAuthCheckSchedule,
|
137
|
-
nullptr, ServerAuthCheckDestroy));
|
138
|
-
auto tls_credentials =
|
139
|
-
MakeRefCounted<TlsCredentials>(std::move(tls_credentials_options));
|
140
|
-
security_connector = tls_credentials->create_security_connector(
|
141
|
-
std::move(call_creds), target_name, temp_args, new_args);
|
142
|
-
} else {
|
143
|
-
GPR_ASSERT(fallback_credentials_ != nullptr);
|
144
|
-
security_connector = fallback_credentials_->create_security_connector(
|
145
|
-
std::move(call_creds), target_name, temp_args, new_args);
|
146
190
|
}
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
return security_connector;
|
191
|
+
GPR_ASSERT(fallback_credentials_ != nullptr);
|
192
|
+
return fallback_credentials_->create_security_connector(
|
193
|
+
std::move(call_creds), target_name, temp_args.args, new_args);
|
151
194
|
}
|
152
195
|
|
153
196
|
//
|
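Review bot: The `GPR_ASSERT(cluster_name.data() != nullptr);` on new line 146 can never fail, because std::string::data() does not return null; if grpc_channel_args_find_string() yields a null char* when GRPC_ARG_XDS_CLUSTER_NAME is absent, the std::string construction on the line before it is already undefined behaviour (libstdc++ throws logic_error) before the assert is reached. Check the raw result instead: `const char* cluster_name_arg = grpc_channel_args_find_string(args, GRPC_ARG_XDS_CLUSTER_NAME);` then `GPR_ASSERT(cluster_name_arg != nullptr);` then `std::string cluster_name = cluster_name_arg;` (if the helper actually returns a string_view-like type, the assert is still redundant and should simply be dropped). Separately, the local `RefCountedPtr<grpc_channel_security_connector> security_connector;` kept at line 140 is now unused, since both the TLS and fallback paths return directly, and can be removed.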
@@ -155,9 +198,35 @@ XdsCredentials::create_security_connector(
|
|
155
198
|
//
|
156
199
|
|
157
200
|
RefCountedPtr<grpc_server_security_connector>
|
158
|
-
XdsServerCredentials::create_security_connector() {
|
159
|
-
|
160
|
-
|
201
|
+
XdsServerCredentials::create_security_connector(const grpc_channel_args* args) {
|
202
|
+
auto xds_certificate_provider =
|
203
|
+
XdsCertificateProvider::GetFromChannelArgs(args);
|
204
|
+
// Identity certs are a must for TLS.
|
205
|
+
if (xds_certificate_provider != nullptr &&
|
206
|
+
xds_certificate_provider->ProvidesIdentityCerts("")) {
|
207
|
+
auto tls_credentials_options =
|
208
|
+
MakeRefCounted<grpc_tls_credentials_options>();
|
209
|
+
tls_credentials_options->set_watch_identity_pair(true);
|
210
|
+
tls_credentials_options->set_certificate_provider(xds_certificate_provider);
|
211
|
+
if (xds_certificate_provider->ProvidesRootCerts("")) {
|
212
|
+
tls_credentials_options->set_watch_root_cert(true);
|
213
|
+
if (xds_certificate_provider->GetRequireClientCertificate("")) {
|
214
|
+
tls_credentials_options->set_cert_request_type(
|
215
|
+
GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
|
216
|
+
} else {
|
217
|
+
tls_credentials_options->set_cert_request_type(
|
218
|
+
GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY);
|
219
|
+
}
|
220
|
+
} else {
|
221
|
+
// Do not request client certificate if there is no way to verify.
|
222
|
+
tls_credentials_options->set_cert_request_type(
|
223
|
+
GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
|
224
|
+
}
|
225
|
+
auto tls_credentials = MakeRefCounted<TlsServerCredentials>(
|
226
|
+
std::move(tls_credentials_options));
|
227
|
+
return tls_credentials->create_security_connector(args);
|
228
|
+
}
|
229
|
+
return fallback_credentials_->create_security_connector(args);
|
161
230
|
}
|
162
231
|
|
163
232
|
} // namespace grpc_core
|
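Review bot: The fallback path at new line 229 calls fallback_credentials_->create_security_connector(args) without the `GPR_ASSERT(fallback_credentials_ != nullptr);` that the client-side XdsCredentials::create_security_connector performs before its own fallback call; unless the constructor guarantees a non-null fallback, the same assert should precede this call for consistency. It would also help to document at the function head that a provider which does not supply identity certs (the `ProvidesIdentityCerts("")` check) silently routes the listener to the fallback credentials rather than failing, since that is the point at which a misconfigured certificate provider changes the transport security actually applied, and the empty-string cluster name used on the server side deserves a one-line comment explaining why it differs from the client-side lookup.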