RubyGems - grpc - Versions diffs - 1.42.0 → 1.43.1 - Mend

grpc 1.42.0 → 1.43.1

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (739) hide show

data/src/core/lib/security/credentials/xds/xds_credentials.cc CHANGED Viewed

@@ -61,41 +61,39 @@ bool XdsVerifySubjectAlternativeNames(
   return false;
 }
-class ServerAuthCheck {
+class XdsCertificateVerifier : public grpc_tls_certificate_verifier {
  public:
-  ServerAuthCheck(
+  XdsCertificateVerifier(
       RefCountedPtr<XdsCertificateProvider> xds_certificate_provider,
       std::string cluster_name)
       : xds_certificate_provider_(std::move(xds_certificate_provider)),
         cluster_name_(std::move(cluster_name)) {}
-  static int Schedule(void* config_user_data,
-                      grpc_tls_server_authorization_check_arg* arg) {
-    return static_cast<ServerAuthCheck*>(config_user_data)->ScheduleImpl(arg);
-  }
-  static void Destroy(void* config_user_data) {
-    delete static_cast<ServerAuthCheck*>(config_user_data);
-  }
- private:
-  int ScheduleImpl(grpc_tls_server_authorization_check_arg* arg) {
-    if (XdsVerifySubjectAlternativeNames(
-            arg->subject_alternative_names, arg->subject_alternative_names_size,
+  bool Verify(grpc_tls_custom_verification_check_request* request,
+              std::function<void(absl::Status)>,
+              absl::Status* sync_status) override {
+    GPR_ASSERT(request != nullptr);
+    if (!XdsVerifySubjectAlternativeNames(
+            request->peer_info.san_names.uri_names,
+            request->peer_info.san_names.uri_names_size,
+            xds_certificate_provider_->GetSanMatchers(cluster_name_)) &&
+        !XdsVerifySubjectAlternativeNames(
+            request->peer_info.san_names.ip_names,
+            request->peer_info.san_names.ip_names_size,
+            xds_certificate_provider_->GetSanMatchers(cluster_name_)) &&
+        !XdsVerifySubjectAlternativeNames(
+            request->peer_info.san_names.dns_names,
+            request->peer_info.san_names.dns_names_size,
             xds_certificate_provider_->GetSanMatchers(cluster_name_))) {
-      arg->success = 1;
-      arg->status = GRPC_STATUS_OK;
-    } else {
-      arg->success = 0;
-      arg->status = GRPC_STATUS_UNAUTHENTICATED;
-      if (arg->error_details) {
-        arg->error_details->set_error_details(
-            "SANs from certificate did not match SANs from xDS control plane");
-      }
+      *sync_status = absl::Status(
+          absl::StatusCode::kUnauthenticated,
+          "SANs from certificate did not match SANs from xDS control plane");
     }
-    return 0; /* synchronous check */
+    return true; /* synchronous check */
   }
+  void Cancel(grpc_tls_custom_verification_check_request*) override {}
+ private:
   RefCountedPtr<XdsCertificateProvider> xds_certificate_provider_;
   std::string cluster_name_;
 };
@@ -161,14 +159,11 @@ XdsCredentials::create_security_connector(
         tls_credentials_options->set_watch_identity_pair(true);
         tls_credentials_options->set_identity_cert_name(cluster_name);
       }
-      tls_credentials_options->set_server_verification_option(
-          GRPC_TLS_SKIP_HOSTNAME_VERIFICATION);
-      auto* server_auth_check = new ServerAuthCheck(xds_certificate_provider,
-                                                    std::move(cluster_name));
-      tls_credentials_options->set_server_authorization_check_config(
-          MakeRefCounted<grpc_tls_server_authorization_check_config>(
-              server_auth_check, ServerAuthCheck::Schedule, nullptr,
-              ServerAuthCheck::Destroy));
+      tls_credentials_options->set_verify_server_cert(true);
+      tls_credentials_options->set_certificate_verifier(
+          MakeRefCounted<XdsCertificateVerifier>(xds_certificate_provider,
+                                                 std::move(cluster_name)));
+      tls_credentials_options->set_check_call_host(false);
       // TODO(yashkt): Creating a new TlsCreds object each time we create a
       // security connector means that the security connector's cmp() method
       // returns unequal for each instance, which means that every time an LB

data/src/core/lib/security/security_connector/alts/alts_security_connector.cc CHANGED Viewed

@@ -187,8 +187,8 @@ class grpc_alts_server_security_connector final
 namespace grpc_core {
 namespace internal {
-grpc_core::RefCountedPtr<grpc_auth_context>
-grpc_alts_auth_context_from_tsi_peer(const tsi_peer* peer) {
+RefCountedPtr<grpc_auth_context> grpc_alts_auth_context_from_tsi_peer(
+    const tsi_peer* peer) {
   if (peer == nullptr) {
     gpr_log(GPR_ERROR,
             "Invalid arguments to grpc_alts_auth_context_from_tsi_peer()");
@@ -243,7 +243,7 @@ grpc_alts_auth_context_from_tsi_peer(const tsi_peer* peer) {
     return nullptr;
   }
   /* Create auth context. */
-  auto ctx = grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
+  auto ctx = MakeRefCounted<grpc_auth_context>(nullptr);
   grpc_auth_context_add_cstring_property(
       ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
       GRPC_ALTS_TRANSPORT_SECURITY_TYPE);

data/src/core/lib/security/security_connector/alts/alts_security_connector.h CHANGED Viewed

@@ -66,8 +66,8 @@ namespace grpc_core {
 namespace internal {
 /* Exposed only for testing. */
-grpc_core::RefCountedPtr<grpc_auth_context>
-grpc_alts_auth_context_from_tsi_peer(const tsi_peer* peer);
+RefCountedPtr<grpc_auth_context> grpc_alts_auth_context_from_tsi_peer(
+    const tsi_peer* peer);
 }  // namespace internal
 }  // namespace grpc_core

data/src/core/lib/security/security_connector/fake/fake_security_connector.cc CHANGED Viewed

@@ -214,10 +214,9 @@ class grpc_fake_channel_security_connector final
   char* target_name_override_;
 };
-static void fake_check_peer(
-    grpc_security_connector* /*sc*/, tsi_peer peer,
-    grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
-    grpc_closure* on_peer_checked) {
+void fake_check_peer(grpc_security_connector* /*sc*/, tsi_peer peer,
+                     grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
+                     grpc_closure* on_peer_checked) {
   const char* prop_name;
   grpc_error_handle error = GRPC_ERROR_NONE;
   *auth_context = nullptr;

data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc CHANGED Viewed

@@ -95,7 +95,7 @@ int InsecureChannelSecurityConnector::cmp(
 // created with the security level of TSI_SECURITY_NONE.
 void InsecureServerSecurityConnector::add_handshakers(
     const grpc_channel_args* args, grpc_pollset_set* /* interested_parties */,
-    grpc_core::HandshakeManager* handshake_manager) {
+    HandshakeManager* handshake_manager) {
   tsi_handshaker* handshaker = nullptr;
   // Re-use local_tsi_handshaker_create as a minimalist handshaker.
   GPR_ASSERT(tsi_local_handshaker_create(false /* is_client */, &handshaker) ==
@@ -105,7 +105,7 @@ void InsecureServerSecurityConnector::add_handshakers(
 void InsecureServerSecurityConnector::check_peer(
     tsi_peer peer, grpc_endpoint* /*ep*/,
-    grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
+    RefCountedPtr<grpc_auth_context>* auth_context,
     grpc_closure* on_peer_checked) {
   *auth_context = MakeAuthContext();
   tsi_peer_destruct(&peer);

data/src/core/lib/security/security_connector/insecure/insecure_security_connector.h CHANGED Viewed

@@ -39,8 +39,8 @@ class InsecureChannelSecurityConnector
     : public grpc_channel_security_connector {
  public:
   InsecureChannelSecurityConnector(
-      grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
-      grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds)
+      RefCountedPtr<grpc_channel_credentials> channel_creds,
+      RefCountedPtr<grpc_call_credentials> request_metadata_creds)
       : grpc_channel_security_connector(/* url_scheme */ nullptr,
                                         std::move(channel_creds),
                                         std::move(request_metadata_creds)) {}
@@ -54,10 +54,10 @@ class InsecureChannelSecurityConnector
   void add_handshakers(const grpc_channel_args* args,
                        grpc_pollset_set* /* interested_parties */,
-                       grpc_core::HandshakeManager* handshake_manager) override;
+                       HandshakeManager* handshake_manager) override;
   void check_peer(tsi_peer peer, grpc_endpoint* ep,
-                  grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
+                  RefCountedPtr<grpc_auth_context>* auth_context,
                   grpc_closure* on_peer_checked) override;
   void cancel_check_peer(grpc_closure* /*on_peer_checked*/,
@@ -71,16 +71,16 @@ class InsecureChannelSecurityConnector
 class InsecureServerSecurityConnector : public grpc_server_security_connector {
  public:
   explicit InsecureServerSecurityConnector(
-      grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
+      RefCountedPtr<grpc_server_credentials> server_creds)
       : grpc_server_security_connector(nullptr /* url_scheme */,
                                        std::move(server_creds)) {}
   void add_handshakers(const grpc_channel_args* args,
                        grpc_pollset_set* /* interested_parties */,
-                       grpc_core::HandshakeManager* handshake_manager) override;
+                       HandshakeManager* handshake_manager) override;
   void check_peer(tsi_peer peer, grpc_endpoint* ep,
-                  grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
+                  RefCountedPtr<grpc_auth_context>* auth_context,
                   grpc_closure* on_peer_checked) override;
   void cancel_check_peer(grpc_closure* /*on_peer_checked*/,

data/src/core/lib/security/security_connector/load_system_roots_linux.cc CHANGED Viewed

@@ -145,8 +145,7 @@ grpc_slice CreateRootCertsBundle(const char* certs_directory) {
 grpc_slice LoadSystemRootCerts() {
   grpc_slice result = grpc_empty_slice();
   // Prioritize user-specified custom directory if flag is set.
-  grpc_core::UniquePtr<char> custom_dir =
-      GPR_GLOBAL_CONFIG_GET(grpc_system_ssl_roots_dir);
+  UniquePtr<char> custom_dir = GPR_GLOBAL_CONFIG_GET(grpc_system_ssl_roots_dir);
   if (strlen(custom_dir.get()) > 0) {
     result = CreateRootCertsBundle(custom_dir.get());
   }

data/src/core/lib/security/security_connector/local/local_security_connector.cc CHANGED Viewed

@@ -44,6 +44,7 @@
 #include "src/core/tsi/local_transport_security.h"
 #define GRPC_UDS_URI_PATTERN "unix:"
+#define GRPC_ABSTRACT_UDS_URI_PATTERN "unix-abstract:"
 #define GRPC_LOCAL_TRANSPORT_SECURITY_TYPE "local"
 namespace {
@@ -270,7 +271,9 @@ grpc_local_channel_security_connector_create(
   const char* server_uri_str = grpc_channel_arg_get_string(server_uri_arg);
   if (creds->connect_type() == UDS &&
       strncmp(GRPC_UDS_URI_PATTERN, server_uri_str,
-              strlen(GRPC_UDS_URI_PATTERN)) != 0) {
+              strlen(GRPC_UDS_URI_PATTERN)) != 0 &&
+      strncmp(GRPC_ABSTRACT_UDS_URI_PATTERN, server_uri_str,
+              strlen(GRPC_ABSTRACT_UDS_URI_PATTERN)) != 0) {
     gpr_log(GPR_ERROR,
             "Invalid UDS target name to "
             "grpc_local_channel_security_connector_create()");

data/src/core/lib/security/security_connector/ssl_utils.cc CHANGED Viewed

@@ -196,6 +196,7 @@ bool grpc_ssl_check_call_host(absl::string_view host,
   if (status != GRPC_SECURITY_OK) {
     *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
         "call host does not match SSL server name");
+    gpr_log(GPR_ERROR, "call host does not match SSL server name");
   }
   grpc_shallow_peer_destruct(&peer);
   return true;
@@ -276,7 +277,11 @@ grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
   for (i = 0; i < peer->property_count; i++) {
     const tsi_peer_property* prop = &peer->properties[i];
     if (prop->name == nullptr) continue;
-    if (strcmp(prop->name, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) == 0) {
+    if (strcmp(prop->name, TSI_X509_SUBJECT_PEER_PROPERTY) == 0) {
+      grpc_auth_context_add_property(ctx.get(), GRPC_X509_SUBJECT_PROPERTY_NAME,
+                                     prop->value.data, prop->value.length);
+    } else if (strcmp(prop->name, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) ==
+               0) {
       /* If there is no subject alt name, have the CN as the identity. */
       if (peer_identity_property_name == nullptr) {
         peer_identity_property_name = GRPC_X509_CN_PROPERTY_NAME;
@@ -372,6 +377,9 @@ tsi_peer grpc_shallow_peer_from_ssl_auth_context(
       if (strcmp(prop->name, GRPC_X509_SAN_PROPERTY_NAME) == 0) {
         add_shallow_auth_property_to_peer(
             &peer, prop, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY);
+      } else if (strcmp(prop->name, GRPC_X509_SUBJECT_PROPERTY_NAME) == 0) {
+        add_shallow_auth_property_to_peer(&peer, prop,
+                                          TSI_X509_SUBJECT_PEER_PROPERTY);
       } else if (strcmp(prop->name, GRPC_X509_CN_PROPERTY_NAME) == 0) {
         add_shallow_auth_property_to_peer(
             &peer, prop, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY);
@@ -562,7 +570,7 @@ grpc_slice DefaultSslRootStore::ComputePemRootCerts() {
   const bool not_use_system_roots =
       GPR_GLOBAL_CONFIG_GET(grpc_not_use_system_ssl_roots);
   // First try to load the roots from the configuration.
-  grpc_core::UniquePtr<char> default_root_certs_path =
+  UniquePtr<char> default_root_certs_path =
       GPR_GLOBAL_CONFIG_GET(grpc_default_ssl_roots_file_path);
   if (strlen(default_root_certs_path.get()) > 0) {
     GRPC_LOG_IF_ERROR(

data/src/core/lib/security/security_connector/ssl_utils.h CHANGED Viewed

@@ -181,7 +181,7 @@ class PemKeyCertPair {
   std::string cert_chain_;
 };
-typedef absl::InlinedVector<grpc_core::PemKeyCertPair, 1> PemKeyCertPairList;
+typedef absl::InlinedVector<PemKeyCertPair, 1> PemKeyCertPairList;
 }  // namespace grpc_core