GRPC C++  1.39.1
tls_credentials_options.h
Go to the documentation of this file.
1 /*
2  *
3  * Copyright 2019 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef GRPCPP_SECURITY_TLS_CREDENTIALS_OPTIONS_H
20 #define GRPCPP_SECURITY_TLS_CREDENTIALS_OPTIONS_H
21 
23 #include <grpc/status.h>
24 #include <grpc/support/log.h>
26 #include <grpcpp/support/config.h>
27 
28 #include <memory>
29 #include <vector>
30 
31 // TODO(yihuazhang): remove the forward declaration here and include
32 // <grpc/grpc_security.h> directly once the insecure builds are cleaned up.
39 
40 namespace grpc {
41 namespace experimental {
42 
53  public:
60 
62  void* cb_user_data() const;
63  int success() const;
64  std::string target_name() const;
65  std::string peer_cert() const;
66  std::string peer_cert_full_chain() const;
67  grpc_status_code status() const;
68  std::string error_details() const;
69 
71  void set_cb_user_data(void* cb_user_data);
72  void set_success(int success);
73  void set_target_name(const std::string& target_name);
74  void set_peer_cert(const std::string& peer_cert);
75  void set_peer_cert_full_chain(const std::string& peer_cert_full_chain);
77  void set_error_details(const std::string& error_details);
78 
81 
82  private:
84 };
85 
97  virtual void Cancel(TlsServerAuthorizationCheckArg* /* arg */) {}
98 };
99 
104  public:
106  std::shared_ptr<TlsServerAuthorizationCheckInterface>
107  server_authorization_check_interface);
109 
111  if (server_authorization_check_interface_ == nullptr) {
112  gpr_log(GPR_ERROR, "server authorization check interface is nullptr");
113  if (arg != nullptr) {
115  arg->set_error_details(
116  "the interface of the server authorization check config is "
117  "nullptr");
118  }
119  return 1;
120  }
121  return server_authorization_check_interface_->Schedule(arg);
122  }
123 
125  if (server_authorization_check_interface_ == nullptr) {
126  gpr_log(GPR_ERROR, "server authorization check interface is nullptr");
127  if (arg != nullptr) {
129  arg->set_error_details(
130  "the interface of the server authorization check config is "
131  "nullptr");
132  }
133  return;
134  }
135  server_authorization_check_interface_->Cancel(arg);
136  }
137 
140  return c_config_;
141  }
142 
143  private:
145  std::shared_ptr<TlsServerAuthorizationCheckInterface>
146  server_authorization_check_interface_;
147 };
148 
149 // Base class of configurable options specified by users to configure their
150 // certain security features supported in TLS. It is used for experimental
151 // purposes for now and it is subject to change.
153  public:
154  // Constructor for base class TlsCredentialsOptions.
155  //
156  // @param certificate_provider the provider which fetches TLS credentials that
157  // will be used in the TLS handshake
159  // ---- Setters for member fields ----
160  // Sets the certificate provider used to store root certs and identity certs.
162  std::shared_ptr<CertificateProviderInterface> certificate_provider);
163  // Watches the updates of root certificates with name |root_cert_name|.
164  // If used in TLS credentials, setting this field is optional for both the
165  // client side and the server side.
166  // If this is not set on the client side, we will use the root certificates
167  // stored in the default system location, since client side must provide root
168  // certificates in TLS(no matter single-side TLS or mutual TLS).
169  // If this is not set on the server side, we will not watch any root
170  // certificate updates, and assume no root certificates needed for the server
171  // (in the one-side TLS scenario, the server is not required to provide root
172  // certs). We don't support default root certs on server side.
173  void watch_root_certs();
174  // Sets the name of root certificates being watched, if |watch_root_certs| is
175  // called. If not set, an empty string will be used as the name.
176  //
177  // @param root_cert_name the name of root certs being set.
178  void set_root_cert_name(const std::string& root_cert_name);
179  // Watches the updates of identity key-cert pairs with name
180  // |identity_cert_name|. If used in TLS credentials, it is required to be set
181  // on the server side, and optional for the client side(in the one-side
182  // TLS scenario, the client is not required to provide identity certs).
184  // Sets the name of identity key-cert pairs being watched, if
185  // |watch_identity_key_cert_pairs| is called. If not set, an empty string will
186  // be used as the name.
187  //
188  // @param identity_cert_name the name of identity key-cert pairs being set.
189  void set_identity_cert_name(const std::string& identity_cert_name);
190 
191  // ----- Getters for member fields ----
192  // Get the internal c options. This function shall be used only internally.
194  return c_credentials_options_;
195  }
196 
197  private:
198  std::shared_ptr<CertificateProviderInterface> certificate_provider_;
199  grpc_tls_credentials_options* c_credentials_options_ = nullptr;
200 };
201 
202 // Contains configurable options on the client side.
203 // Client side doesn't need to always use certificate provider. When the
204 // certificate provider is not set, we will use the root certificates stored
205 // in the system default locations, and assume client won't provide any
206 // identity certificates(single side TLS).
207 // It is used for experimental purposes for now and it is subject to change.
209  public:
210  // Sets the option to verify the server.
211  // The default is GRPC_TLS_SERVER_VERIFICATION.
213  grpc_tls_server_verification_option server_verification_option);
214  // Sets the custom authorization config.
216  std::shared_ptr<TlsServerAuthorizationCheckConfig>
217  authorization_check_config);
218 
219  private:
220 };
221 
222 // Contains configurable options on the server side.
223 // It is used for experimental purposes for now and it is subject to change.
225  public:
226  // Server side is required to use a provider, because server always needs to
227  // use identity certs.
229  std::shared_ptr<CertificateProviderInterface> certificate_provider)
231  set_certificate_provider(certificate_provider);
232  }
233 
234  // Sets option to request the certificates from the client.
235  // The default is GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE.
237  grpc_ssl_client_certificate_request_type cert_request_type);
238 
239  private:
240 };
241 
242 } // namespace experimental
243 } // namespace grpc
244 
245 #endif // GRPCPP_SECURITY_TLS_CREDENTIALS_OPTIONS_H
Definition: tls_credentials_options.h:208
void set_server_authorization_check_config(std::shared_ptr< TlsServerAuthorizationCheckConfig > authorization_check_config)
Definition: tls_credentials_options.cc:169
void set_server_verification_option(grpc_tls_server_verification_option server_verification_option)
Definition: tls_credentials_options.cc:161
Definition: tls_credentials_options.h:152
grpc_tls_credentials_options * c_credentials_options() const
Definition: tls_credentials_options.h:193
void watch_root_certs()
Definition: tls_credentials_options.cc:140
void watch_identity_key_cert_pairs()
Definition: tls_credentials_options.cc:150
void set_identity_cert_name(const std::string &identity_cert_name)
Definition: tls_credentials_options.cc:155
void set_root_cert_name(const std::string &root_cert_name)
Definition: tls_credentials_options.cc:144
TlsCredentialsOptions()
Definition: tls_credentials_options.cc:127
void set_certificate_provider(std::shared_ptr< CertificateProviderInterface > certificate_provider)
Definition: tls_credentials_options.cc:131
TLS server authorization check arguments, wraps grpc_tls_server_authorization_check_arg.
Definition: tls_credentials_options.h:52
grpc_status_code status() const
Definition: tls_credentials_options.cc:64
TlsServerAuthorizationCheckArg(grpc_tls_server_authorization_check_arg *arg)
TlsServerAuthorizationCheckArg does not take ownership of the C arg passed to the constructor.
Definition: tls_credentials_options.cc:30
void set_cb_user_data(void *cb_user_data)
Setters for member fields.
Definition: tls_credentials_options.cc:72
std::string peer_cert() const
Definition: tls_credentials_options.cc:54
std::string target_name() const
Definition: tls_credentials_options.cc:49
void * cb_user_data() const
Getters for member fields.
Definition: tls_credentials_options.cc:43
void set_error_details(const std::string &error_details)
Definition: tls_credentials_options.cc:99
std::string peer_cert_full_chain() const
Definition: tls_credentials_options.cc:59
void set_target_name(const std::string &target_name)
Definition: tls_credentials_options.cc:80
std::string error_details() const
Definition: tls_credentials_options.cc:68
int success() const
Definition: tls_credentials_options.cc:47
void set_success(int success)
Definition: tls_credentials_options.cc:76
~TlsServerAuthorizationCheckArg()
Definition: tls_credentials_options.cc:41
void set_peer_cert(const std::string &peer_cert)
Definition: tls_credentials_options.cc:85
void set_status(grpc_status_code status)
Definition: tls_credentials_options.cc:95
void OnServerAuthorizationCheckDoneCallback()
Calls the C arg's callback function.
Definition: tls_credentials_options.cc:104
void set_peer_cert_full_chain(const std::string &peer_cert_full_chain)
Definition: tls_credentials_options.cc:90
TLS server authorization check config, wraps grps_tls_server_authorization_check_config.
Definition: tls_credentials_options.h:103
void Cancel(TlsServerAuthorizationCheckArg *arg) const
Definition: tls_credentials_options.h:124
TlsServerAuthorizationCheckConfig(std::shared_ptr< TlsServerAuthorizationCheckInterface > server_authorization_check_interface)
Definition: tls_credentials_options.cc:112
~TlsServerAuthorizationCheckConfig()
Definition: tls_credentials_options.cc:123
grpc_tls_server_authorization_check_config * c_config() const
Returns C struct for the server authorization check config.
Definition: tls_credentials_options.h:139
int Schedule(TlsServerAuthorizationCheckArg *arg) const
Definition: tls_credentials_options.h:110
Definition: tls_credentials_options.h:224
TlsServerCredentialsOptions(std::shared_ptr< CertificateProviderInterface > certificate_provider)
Definition: tls_credentials_options.h:228
void set_cert_request_type(grpc_ssl_client_certificate_request_type cert_request_type)
Definition: tls_credentials_options.cc:179
grpc_status_code
Definition: status.h:26
@ GRPC_STATUS_NOT_FOUND
Some requested entity (e.g., file or directory) was not found.
Definition: status.h:54
grpc_ssl_client_certificate_request_type
Definition: grpc_security_constants.h:77
grpc_tls_server_verification_option
Definition: grpc_security_constants.h:137
#define GPR_ERROR
Definition: log.h:55
GPRAPI void gpr_log(const char *file, int line, gpr_log_severity severity, const char *format,...) GPR_PRINT_FORMAT_CHECK(4
Log a message.
An Alarm posts the user-provided tag to its associated completion queue or invokes the user-provided ...
Definition: alarm.h:33
An interface that the application derives and uses to instantiate a TlsServerAuthorizationCheckConfig...
Definition: tls_credentials_options.h:92
virtual int Schedule(TlsServerAuthorizationCheckArg *arg)=0
A callback that invokes the server authorization check.
virtual void Cancel(TlsServerAuthorizationCheckArg *)
A callback that cancels a server authorization check request.
Definition: tls_credentials_options.h:97
Definition: grpc_tls_certificate_provider.h:45
Definition: grpc_tls_credentials_options.h:102
A struct containing all information necessary to schedule/cancel a server authorization check request...
Definition: grpc_security.h:972
TLS server authorization check config.
Definition: grpc_tls_credentials_options.h:48