1 //
2 //
3 // Copyright 2020 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18 
19 #ifndef GRPC_CORE_EXT_XDS_XDS_CERTIFICATE_PROVIDER_H
20 #define GRPC_CORE_EXT_XDS_XDS_CERTIFICATE_PROVIDER_H
21 
23 
26 
27 #define GRPC_ARG_XDS_CERTIFICATE_PROVIDER \
28  "grpc.internal.xds_certificate_provider"
29 
30 namespace grpc_core {
31 
33  public:
35  ~XdsCertificateProvider() override;
36 
38  const override {
39  return distributor_;
40  }
41 
42  bool ProvidesRootCerts(const std::string& cert_name);
44  const std::string& cert_name, absl::string_view root_cert_name,
46 
47  bool ProvidesIdentityCerts(const std::string& cert_name);
49  const std::string& cert_name, absl::string_view identity_cert_name,
51  identity_cert_distributor);
52 
53  bool GetRequireClientCertificate(const std::string& cert_name);
54  // Updating \a require_client_certificate for a non-existing \a cert_name has
55  // no effect.
56  void UpdateRequireClientCertificate(const std::string& cert_name,
57  bool require_client_certificate);
58 
59  std::vector<StringMatcher> GetSanMatchers(const std::string& cluster);
61  const std::string& cluster, std::vector<StringMatcher> matchers);
62 
63  grpc_arg MakeChannelArg() const;
64 
66  const grpc_channel_args* args);
67 
68  private:
69  class ClusterCertificateState {
70  public:
71  explicit ClusterCertificateState(
72  XdsCertificateProvider* xds_certificate_provider)
73  : xds_certificate_provider_(xds_certificate_provider) {}
74 
75  ~ClusterCertificateState();
76 
77  // Returns true if the certs aren't being watched and there are no
78  // distributors configured.
79  bool IsSafeToRemove() const;
80 
81  bool ProvidesRootCerts() const { return root_cert_distributor_ != nullptr; }
82  bool ProvidesIdentityCerts() const {
83  return identity_cert_distributor_ != nullptr;
84  }
85 
87  const std::string& cert_name, absl::string_view root_cert_name,
88  RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor);
90  const std::string& cert_name, absl::string_view identity_cert_name,
91  RefCountedPtr<grpc_tls_certificate_distributor>
92  identity_cert_distributor);
93 
94  void UpdateRootCertWatcher(
95  const std::string& cert_name,
96  grpc_tls_certificate_distributor* root_cert_distributor);
97  void UpdateIdentityCertWatcher(
98  const std::string& cert_name,
99  grpc_tls_certificate_distributor* identity_cert_distributor);
100 
101  bool require_client_certificate() const {
102  return require_client_certificate_;
103  }
104  void set_require_client_certificate(bool require_client_certificate) {
105  require_client_certificate_ = require_client_certificate;
106  }
107 
108  void WatchStatusCallback(const std::string& cert_name,
109  bool root_being_watched,
110  bool identity_being_watched);
111 
112  private:
113  XdsCertificateProvider* xds_certificate_provider_;
114  bool watching_root_certs_ = false;
115  bool watching_identity_certs_ = false;
116  std::string root_cert_name_;
117  std::string identity_cert_name_;
118  RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor_;
119  RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor_;
121  root_cert_watcher_ = nullptr;
123  identity_cert_watcher_ = nullptr;
124  bool require_client_certificate_ = false;
125  };
126 
127  void WatchStatusCallback(std::string cert_name, bool root_being_watched,
128  bool identity_being_watched);
129 
130  RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
131 
132  Mutex mu_;
133  std::map<std::string /*cert_name*/, std::unique_ptr<ClusterCertificateState>>
134  certificate_state_map_ ABSL_GUARDED_BY(mu_);
135 
136  // Use a separate mutex for san_matchers_ to avoid deadlocks since
137  // san_matchers_ needs to be accessed when a handshake is being done and we
138  // run into a possible deadlock scenario if using the same mutex. The mutex
139  // deadlock cycle is formed as -
140  // WatchStatusCallback() -> SetKeyMaterials() ->
141  // TlsChannelSecurityConnector::TlsChannelCertificateWatcher::OnCertificatesChanged()
142  // -> HandshakeManager::Add() -> SecurityHandshaker::DoHandshake() ->
143  // subject_alternative_names_matchers()
144  Mutex san_matchers_mu_;
145  std::map<std::string /*cluster_name*/, std::vector<StringMatcher>>
146  san_matcher_map_ ABSL_GUARDED_BY(san_matchers_mu_);
147 };
148 
149 } // namespace grpc_core
150 
151 #endif // GRPC_CORE_EXT_XDS_XDS_CERTIFICATE_PROVIDER_H