grpc 1.37.1 → 1.39.0

data/src/core/lib/security/authorization/authorization_policy_provider_vtable.cc

@@ -0,0 +1,46 @@
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <grpc/support/port_platform.h>
+
+#include <grpc/grpc.h>
+
+#include "src/core/lib/security/authorization/authorization_policy_provider.h"
+
+namespace {
+
+void* ProviderArgCopy(void* p) {
+  grpc_authorization_policy_provider* provider =
+      static_cast<grpc_authorization_policy_provider*>(p);
+  provider->Ref().release();
+  return provider;
+}
+
+void ProviderArgDestroy(void* p) {
+  grpc_authorization_policy_provider* provider =
+      static_cast<grpc_authorization_policy_provider*>(p);
+  provider->Unref();
+}
+
+int ProviderArgCmp(void* p, void* q) { return GPR_ICMP(p, q); }
+
+}  // namespace
+
+// Wrapper API declared in grpc.h
+
+const grpc_arg_pointer_vtable* grpc_authorization_policy_provider_arg_vtable() {
+  static const grpc_arg_pointer_vtable vtable = {
+      ProviderArgCopy, ProviderArgDestroy, ProviderArgCmp};
+  return &vtable;
+}

data/src/core/lib/security/authorization/evaluate_args.cc

@@ -0,0 +1,209 @@
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/authorization/evaluate_args.h"
+
+#include "src/core/lib/address_utils/parse_address.h"
+#include "src/core/lib/address_utils/sockaddr_utils.h"
+#include "src/core/lib/gprpp/host_port.h"
+#include "src/core/lib/security/credentials/tls/tls_utils.h"
+#include "src/core/lib/slice/slice_utils.h"
+
+namespace grpc_core {
+
+namespace {
+
+EvaluateArgs::PerChannelArgs::Address ParseEndpointUri(
+    absl::string_view uri_text) {
+  EvaluateArgs::PerChannelArgs::Address address;
+  absl::StatusOr<URI> uri = URI::Parse(uri_text);
+  if (!uri.ok()) {
+    gpr_log(GPR_DEBUG, "Failed to parse uri.");
+    return address;
+  }
+  absl::string_view host_view;
+  absl::string_view port_view;
+  if (!SplitHostPort(uri->path(), &host_view, &port_view)) {
+    gpr_log(GPR_DEBUG, "Failed to split %s into host and port.",
+            uri->path().c_str());
+    return address;
+  }
+  if (!absl::SimpleAtoi(port_view, &address.port)) {
+    gpr_log(GPR_DEBUG, "Port %s is out of range or null.",
+            std::string(port_view).c_str());
+  }
+  address.address_str = std::string(host_view);
+  grpc_error_handle error = grpc_string_to_sockaddr(
+      &address.address, address.address_str.c_str(), address.port);
+  if (error != GRPC_ERROR_NONE) {
+    gpr_log(GPR_DEBUG, "Address %s is not IPv4/IPv6. Error: %s",
+            address.address_str.c_str(), grpc_error_std_string(error).c_str());
+  }
+  GRPC_ERROR_UNREF(error);
+  return address;
+}
+
+}  // namespace
+
+EvaluateArgs::PerChannelArgs::PerChannelArgs(grpc_auth_context* auth_context,
+                                             grpc_endpoint* endpoint) {
+  if (auth_context != nullptr) {
+    transport_security_type = GetAuthPropertyValue(
+        auth_context, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME);
+    spiffe_id =
+        GetAuthPropertyValue(auth_context, GRPC_PEER_SPIFFE_ID_PROPERTY_NAME);
+    uri_sans = GetAuthPropertyArray(auth_context, GRPC_PEER_URI_PROPERTY_NAME);
+    dns_sans = GetAuthPropertyArray(auth_context, GRPC_PEER_DNS_PROPERTY_NAME);
+    common_name =
+        GetAuthPropertyValue(auth_context, GRPC_X509_CN_PROPERTY_NAME);
+  }
+  if (endpoint != nullptr) {
+    local_address = ParseEndpointUri(grpc_endpoint_get_local_address(endpoint));
+    peer_address = ParseEndpointUri(grpc_endpoint_get_peer(endpoint));
+  }
+}
+
+absl::string_view EvaluateArgs::GetPath() const {
+  absl::string_view path;
+  if (metadata_ != nullptr && metadata_->idx.named.path != nullptr) {
+    grpc_linked_mdelem* elem = metadata_->idx.named.path;
+    const grpc_slice& val = GRPC_MDVALUE(elem->md);
+    path = StringViewFromSlice(val);
+  }
+  return path;
+}
+
+absl::string_view EvaluateArgs::GetHost() const {
+  absl::string_view host;
+  if (metadata_ != nullptr && metadata_->idx.named.host != nullptr) {
+    grpc_linked_mdelem* elem = metadata_->idx.named.host;
+    const grpc_slice& val = GRPC_MDVALUE(elem->md);
+    host = StringViewFromSlice(val);
+  }
+  return host;
+}
+
+absl::string_view EvaluateArgs::GetMethod() const {
+  absl::string_view method;
+  if (metadata_ != nullptr && metadata_->idx.named.method != nullptr) {
+    grpc_linked_mdelem* elem = metadata_->idx.named.method;
+    const grpc_slice& val = GRPC_MDVALUE(elem->md);
+    method = StringViewFromSlice(val);
+  }
+  return method;
+}
+
+std::multimap<absl::string_view, absl::string_view> EvaluateArgs::GetHeaders()
+    const {
+  std::multimap<absl::string_view, absl::string_view> headers;
+  if (metadata_ == nullptr) {
+    return headers;
+  }
+  for (grpc_linked_mdelem* elem = metadata_->list.head; elem != nullptr;
+       elem = elem->next) {
+    const grpc_slice& key = GRPC_MDKEY(elem->md);
+    const grpc_slice& val = GRPC_MDVALUE(elem->md);
+    headers.emplace(StringViewFromSlice(key), StringViewFromSlice(val));
+  }
+  return headers;
+}
+
+absl::optional<absl::string_view> EvaluateArgs::GetHeaderValue(
+    absl::string_view key, std::string* concatenated_value) const {
+  if (metadata_ == nullptr) {
+    return absl::nullopt;
+  }
+  return grpc_metadata_batch_get_value(metadata_, key, concatenated_value);
+}
+
+grpc_resolved_address EvaluateArgs::GetLocalAddress() const {
+  if (channel_args_ == nullptr) {
+    return {};
+  }
+  return channel_args_->local_address.address;
+}
+
+absl::string_view EvaluateArgs::GetLocalAddressString() const {
+  if (channel_args_ == nullptr) {
+    return "";
+  }
+  return channel_args_->local_address.address_str;
+}
+
+int EvaluateArgs::GetLocalPort() const {
+  if (channel_args_ == nullptr) {
+    return 0;
+  }
+  return channel_args_->local_address.port;
+}
+
+grpc_resolved_address EvaluateArgs::GetPeerAddress() const {
+  if (channel_args_ == nullptr) {
+    return {};
+  }
+  return channel_args_->peer_address.address;
+}
+
+absl::string_view EvaluateArgs::GetPeerAddressString() const {
+  if (channel_args_ == nullptr) {
+    return "";
+  }
+  return channel_args_->peer_address.address_str;
+}
+
+int EvaluateArgs::GetPeerPort() const {
+  if (channel_args_ == nullptr) {
+    return 0;
+  }
+  return channel_args_->peer_address.port;
+}
+
+absl::string_view EvaluateArgs::GetTransportSecurityType() const {
+  if (channel_args_ == nullptr) {
+    return "";
+  }
+  return channel_args_->transport_security_type;
+}
+
+absl::string_view EvaluateArgs::GetSpiffeId() const {
+  if (channel_args_ == nullptr) {
+    return "";
+  }
+  return channel_args_->spiffe_id;
+}
+
+std::vector<absl::string_view> EvaluateArgs::GetUriSans() const {
+  if (channel_args_ == nullptr) {
+    return {};
+  }
+  return channel_args_->uri_sans;
+}
+
+std::vector<absl::string_view> EvaluateArgs::GetDnsSans() const {
+  if (channel_args_ == nullptr) {
+    return {};
+  }
+  return channel_args_->dns_sans;
+}
+
+absl::string_view EvaluateArgs::GetCommonName() const {
+  if (channel_args_ == nullptr) {
+    return "";
+  }
+  return channel_args_->common_name;
+}
+
+}  // namespace grpc_core

data/src/core/lib/security/authorization/evaluate_args.h

@@ -0,0 +1,91 @@
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPC_CORE_LIB_SECURITY_AUTHORIZATION_EVALUATE_ARGS_H
+#define GRPC_CORE_LIB_SECURITY_AUTHORIZATION_EVALUATE_ARGS_H
+
+#include <grpc/support/port_platform.h>
+
+#include <map>
+
+#include "absl/types/optional.h"
+
+#include "src/core/lib/iomgr/endpoint.h"
+#include "src/core/lib/iomgr/resolve_address.h"
+#include "src/core/lib/security/context/security_context.h"
+#include "src/core/lib/transport/metadata_batch.h"
+
+namespace grpc_core {
+
+class EvaluateArgs {
+ public:
+  // Caller is responsible for ensuring auth_context outlives PerChannelArgs
+  // struct.
+  struct PerChannelArgs {
+    struct Address {
+      // The address in sockaddr form.
+      grpc_resolved_address address;
+      // The same address with only the host part.
+      std::string address_str;
+      int port = 0;
+    };
+
+    PerChannelArgs(grpc_auth_context* auth_context, grpc_endpoint* endpoint);
+
+    absl::string_view transport_security_type;
+    absl::string_view spiffe_id;
+    std::vector<absl::string_view> uri_sans;
+    std::vector<absl::string_view> dns_sans;
+    absl::string_view common_name;
+    Address local_address;
+    Address peer_address;
+  };
+
+  EvaluateArgs(grpc_metadata_batch* metadata, PerChannelArgs* channel_args)
+      : metadata_(metadata), channel_args_(channel_args) {}
+
+  absl::string_view GetPath() const;
+  absl::string_view GetHost() const;
+  absl::string_view GetMethod() const;
+  std::multimap<absl::string_view, absl::string_view> GetHeaders() const;
+  // Returns metadata value(s) for the specified key.
+  // If the key is not present in the batch, returns absl::nullopt.
+  // If the key is present exactly once in the batch, returns a string_view of
+  // that value.
+  // If the key is present more than once in the batch, constructs a
+  // comma-concatenated string of all values in concatenated_value and returns a
+  // string_view of that string.
+  absl::optional<absl::string_view> GetHeaderValue(
+      absl::string_view key, std::string* concatenated_value) const;
+
+  grpc_resolved_address GetLocalAddress() const;
+  absl::string_view GetLocalAddressString() const;
+  int GetLocalPort() const;
+  grpc_resolved_address GetPeerAddress() const;
+  absl::string_view GetPeerAddressString() const;
+  int GetPeerPort() const;
+  absl::string_view GetTransportSecurityType() const;
+  absl::string_view GetSpiffeId() const;
+  std::vector<absl::string_view> GetUriSans() const;
+  std::vector<absl::string_view> GetDnsSans() const;
+  absl::string_view GetCommonName() const;
+
+ private:
+  grpc_metadata_batch* metadata_;
+  PerChannelArgs* channel_args_;
+};
+
+}  // namespace grpc_core
+
+#endif  // GRPC_CORE_LIB_SECURITY_AUTHORIZATION_EVALUATE_ARGS_H

data/src/core/lib/security/credentials/composite/composite_credentials.cc

@@ -36,7 +36,7 @@
 
 /* -- Composite call credentials. -- */
 
-static void composite_call_metadata_cb(void* arg, grpc_error* error);
+static void composite_call_metadata_cb(void* arg, grpc_error_handle error);
 
 namespace {
 struct grpc_composite_call_credentials_metadata_context {
@@ -64,7 +64,7 @@ struct grpc_composite_call_credentials_metadata_context {
 };
 }  // namespace
 
-static void composite_call_metadata_cb(void* arg, grpc_error* error) {
+static void composite_call_metadata_cb(void* arg, grpc_error_handle error) {
   grpc_composite_call_credentials_metadata_context* ctx =
       static_cast<grpc_composite_call_credentials_metadata_context*>(arg);
   if (error == GRPC_ERROR_NONE) {
@@ -91,7 +91,7 @@ static void composite_call_metadata_cb(void* arg, grpc_error* error) {
 bool grpc_composite_call_credentials::get_request_metadata(
     grpc_polling_entity* pollent, grpc_auth_metadata_context auth_md_context,
     grpc_credentials_mdelem_array* md_array, grpc_closure* on_request_metadata,
-    grpc_error** error) {
+    grpc_error_handle* error) {
   grpc_composite_call_credentials_metadata_context* ctx;
   ctx = new grpc_composite_call_credentials_metadata_context(
       this, pollent, auth_md_context, md_array, on_request_metadata);
@@ -112,7 +112,7 @@ bool grpc_composite_call_credentials::get_request_metadata(
 }
 
 void grpc_composite_call_credentials::cancel_get_request_metadata(
-    grpc_credentials_mdelem_array* md_array, grpc_error* error) {
+    grpc_credentials_mdelem_array* md_array, grpc_error_handle error) {
   for (size_t i = 0; i < inner_.size(); ++i) {
     inner_[i]->cancel_get_request_metadata(md_array, GRPC_ERROR_REF(error));
   }

data/src/core/lib/security/credentials/composite/composite_credentials.h

@@ -83,10 +83,10 @@ class grpc_composite_call_credentials : public grpc_call_credentials {
                             grpc_auth_metadata_context context,
                             grpc_credentials_mdelem_array* md_array,
                             grpc_closure* on_request_metadata,
-                            grpc_error** error) override;
+                            grpc_error_handle* error) override;
 
   void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
-                                   grpc_error* error) override;
+                                   grpc_error_handle error) override;
 
   grpc_security_level min_security_level() const override {
     return min_security_level_;

data/src/core/lib/security/credentials/credentials.h

@@ -187,13 +187,13 @@ struct grpc_call_credentials
                                     grpc_auth_metadata_context context,
                                     grpc_credentials_mdelem_array* md_array,
                                     grpc_closure* on_request_metadata,
-                                    grpc_error** error) = 0;
+                                    grpc_error_handle* error) = 0;
 
   // Cancels a pending asynchronous operation started by
   // grpc_call_credentials_get_request_metadata() with the corresponding
   // value of \a md_array.
   virtual void cancel_get_request_metadata(
-      grpc_credentials_mdelem_array* md_array, grpc_error* error) = 0;
+      grpc_credentials_mdelem_array* md_array, grpc_error_handle error) = 0;
 
   virtual grpc_security_level min_security_level() const {
     return min_security_level_;

data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc

@@ -30,6 +30,7 @@ namespace {
 const char* kExpectedEnvironmentId = "aws1";
 
 const char* kRegionEnvVar = "AWS_REGION";
+const char* kDefaultRegionEnvVar = "AWS_DEFAULT_REGION";
 const char* kAccessKeyIdEnvVar = "AWS_ACCESS_KEY_ID";
 const char* kSecretAccessKeyEnvVar = "AWS_SECRET_ACCESS_KEY";
 const char* kSessionTokenEnvVar = "AWS_SESSION_TOKEN";
@@ -57,7 +58,7 @@ std::string UrlEncode(const absl::string_view& s) {
 RefCountedPtr<AwsExternalAccountCredentials>
 AwsExternalAccountCredentials::Create(Options options,
                                       std::vector<std::string> scopes,
-                                      grpc_error** error) {
+                                      grpc_error_handle* error) {
   auto creds = MakeRefCounted<AwsExternalAccountCredentials>(
       std::move(options), std::move(scopes), error);
   if (*error == GRPC_ERROR_NONE) {
@@ -68,7 +69,7 @@ AwsExternalAccountCredentials::Create(Options options,
 }
 
 AwsExternalAccountCredentials::AwsExternalAccountCredentials(
-    Options options, std::vector<std::string> scopes, grpc_error** error)
+    Options options, std::vector<std::string> scopes, grpc_error_handle* error)
     : ExternalAccountCredentials(options, std::move(scopes)) {
   audience_ = options.audience;
   auto it = options.credential_source.object_value().find("environment_id");
@@ -121,7 +122,7 @@ AwsExternalAccountCredentials::AwsExternalAccountCredentials(
 
 void AwsExternalAccountCredentials::RetrieveSubjectToken(
     HTTPRequestContext* ctx, const Options& /*options*/,
-    std::function<void(std::string, grpc_error*)> cb) {
+    std::function<void(std::string, grpc_error_handle)> cb) {
   if (ctx == nullptr) {
     FinishRetrieveSubjectToken(
         "",
@@ -140,6 +141,9 @@ void AwsExternalAccountCredentials::RetrieveSubjectToken(
 
 void AwsExternalAccountCredentials::RetrieveRegion() {
   UniquePtr<char> region_from_env(gpr_getenv(kRegionEnvVar));
+  if (region_from_env == nullptr) {
+    region_from_env = UniquePtr<char>(gpr_getenv(kDefaultRegionEnvVar));
+  }
   if (region_from_env != nullptr) {
     region_ = std::string(region_from_env.get());
     if (url_.empty()) {
@@ -175,14 +179,14 @@ void AwsExternalAccountCredentials::RetrieveRegion() {
 }
 
 void AwsExternalAccountCredentials::OnRetrieveRegion(void* arg,
-                                                     grpc_error* error) {
+                                                     grpc_error_handle error) {
   AwsExternalAccountCredentials* self =
       static_cast<AwsExternalAccountCredentials*>(arg);
   self->OnRetrieveRegionInternal(GRPC_ERROR_REF(error));
 }
 
 void AwsExternalAccountCredentials::OnRetrieveRegionInternal(
-    grpc_error* error) {
+    grpc_error_handle error) {
   if (error != GRPC_ERROR_NONE) {
     FinishRetrieveSubjectToken("", error);
     return;
@@ -224,15 +228,15 @@ void AwsExternalAccountCredentials::RetrieveRoleName() {
   grpc_http_request_destroy(&request.http);
 }
 
-void AwsExternalAccountCredentials::OnRetrieveRoleName(void* arg,
-                                                       grpc_error* error) {
+void AwsExternalAccountCredentials::OnRetrieveRoleName(
+    void* arg, grpc_error_handle error) {
   AwsExternalAccountCredentials* self =
       static_cast<AwsExternalAccountCredentials*>(arg);
   self->OnRetrieveRoleNameInternal(GRPC_ERROR_REF(error));
 }
 
 void AwsExternalAccountCredentials::OnRetrieveRoleNameInternal(
-    grpc_error* error) {
+    grpc_error_handle error) {
   if (error != GRPC_ERROR_NONE) {
     FinishRetrieveSubjectToken("", error);
     return;
@@ -287,15 +291,15 @@ void AwsExternalAccountCredentials::RetrieveSigningKeys() {
   grpc_http_request_destroy(&request.http);
 }
 
-void AwsExternalAccountCredentials::OnRetrieveSigningKeys(void* arg,
-                                                          grpc_error* error) {
+void AwsExternalAccountCredentials::OnRetrieveSigningKeys(
+    void* arg, grpc_error_handle error) {
   AwsExternalAccountCredentials* self =
       static_cast<AwsExternalAccountCredentials*>(arg);
   self->OnRetrieveSigningKeysInternal(GRPC_ERROR_REF(error));
 }
 
 void AwsExternalAccountCredentials::OnRetrieveSigningKeysInternal(
-    grpc_error* error) {
+    grpc_error_handle error) {
   if (error != GRPC_ERROR_NONE) {
     FinishRetrieveSubjectToken("", error);
     return;
@@ -350,7 +354,7 @@ void AwsExternalAccountCredentials::OnRetrieveSigningKeysInternal(
 }
 
 void AwsExternalAccountCredentials::BuildSubjectToken() {
-  grpc_error* error = GRPC_ERROR_NONE;
+  grpc_error_handle error = GRPC_ERROR_NONE;
   if (signer_ == nullptr) {
     cred_verification_url_ = absl::StrReplaceAll(
         regional_cred_verification_url_, {{"{region}", region_}});
@@ -396,7 +400,7 @@ void AwsExternalAccountCredentials::BuildSubjectToken() {
 }
 
 void AwsExternalAccountCredentials::FinishRetrieveSubjectToken(
-    std::string subject_token, grpc_error* error) {
+    std::string subject_token, grpc_error_handle error) {
   // Reset context
   ctx_ = nullptr;
   // Move object state into local variables.