GRPC C++  1.39.1
tls_security_connector.h
Go to the documentation of this file.
1 /*
2  *
3  * Copyright 2018 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H
20 #define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H
21 
23 
28 
29 #define GRPC_TLS_TRANSPORT_SECURITY_TYPE "tls"
30 
31 namespace grpc_core {
32 
33 // Channel security connector using TLS as transport security protocol.
36  public:
37  // static factory method to create a TLS channel security connector.
43  const char* target_name, const char* overridden_target_name,
44  tsi_ssl_session_cache* ssl_session_cache);
45 
50  const char* target_name, const char* overridden_target_name,
51  tsi_ssl_session_cache* ssl_session_cache);
52 
54 
55  void add_handshakers(const grpc_channel_args* args,
56  grpc_pollset_set* interested_parties,
57  HandshakeManager* handshake_mgr) override;
58 
59  void check_peer(tsi_peer peer, grpc_endpoint* ep,
61  grpc_closure* on_peer_checked) override;
62 
63  void cancel_check_peer(grpc_closure* /*on_peer_checked*/,
64  grpc_error_handle error) override {
65  // TODO(ZhenLian): call verifier->cancel() once the verifier is ready.
67  }
68 
69  int cmp(const grpc_security_connector* other_sc) const override;
70 
71  bool check_call_host(absl::string_view host, grpc_auth_context* auth_context,
72  grpc_closure* on_call_host_checked,
73  grpc_error_handle* error) override;
74 
75  void cancel_check_call_host(grpc_closure* on_call_host_checked,
76  grpc_error_handle error) override;
77 
79  MutexLock lock(&mu_);
80  return client_handshaker_factory_;
81  };
82 
83  absl::optional<absl::string_view> RootCertsForTesting() {
84  MutexLock lock(&mu_);
85  return pem_root_certs_;
86  }
87 
88  absl::optional<PemKeyCertPairList> KeyCertPairListForTesting() {
89  MutexLock lock(&mu_);
90  return pem_key_cert_pair_list_;
91  }
92 
93  private:
94  // A watcher that watches certificate updates from
95  // grpc_tls_certificate_distributor. It will never outlive
96  // |security_connector_|.
97  class TlsChannelCertificateWatcher : public grpc_tls_certificate_distributor::
98  TlsCertificatesWatcherInterface {
99  public:
100  explicit TlsChannelCertificateWatcher(
101  TlsChannelSecurityConnector* security_connector)
102  : security_connector_(security_connector) {}
103  void OnCertificatesChanged(
104  absl::optional<absl::string_view> root_certs,
105  absl::optional<PemKeyCertPairList> key_cert_pairs) override;
106  void OnError(grpc_error_handle root_cert_error,
107  grpc_error_handle identity_cert_error) override;
108 
109  private:
110  TlsChannelSecurityConnector* security_connector_ = nullptr;
111  };
112 
113  // Updates |client_handshaker_factory_| when the certificates that
114  // |certificate_watcher_| is watching get updated.
115  grpc_security_status UpdateHandshakerFactoryLocked()
116  ABSL_EXCLUSIVE_LOCKS_REQUIRED(mu_);
117 
118  // gRPC-provided callback executed by application, which servers to bring the
119  // control back to gRPC core.
120  static void ServerAuthorizationCheckDone(
122 
123  // A util function to process server authorization check result.
124  static grpc_error_handle ProcessServerAuthorizationCheckResult(
126 
127  // A util function to create a server authorization check arg instance.
129  ServerAuthorizationCheckArgCreate(void* user_data);
130 
131  // A util function to destroy a server authorization check arg instance.
132  static void ServerAuthorizationCheckArgDestroy(
134 
136  grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
137  certificate_watcher_ = nullptr;
138  grpc_closure* on_peer_checked_ = nullptr;
139  std::string target_name_;
140  std::string overridden_target_name_;
141  grpc_tls_server_authorization_check_arg* check_arg_ = nullptr;
142 
143  Mutex mu_;
144  tsi_ssl_client_handshaker_factory* client_handshaker_factory_
145  ABSL_GUARDED_BY(mu_) = nullptr;
146  tsi_ssl_session_cache* ssl_session_cache_ ABSL_GUARDED_BY(mu_) = nullptr;
147  absl::optional<absl::string_view> pem_root_certs_ ABSL_GUARDED_BY(mu_);
148  absl::optional<PemKeyCertPairList> pem_key_cert_pair_list_
149  ABSL_GUARDED_BY(mu_);
150 };
151 
152 // Server security connector using TLS as transport security protocol.
154  public:
155  // static factory method to create a TLS server security connector.
157  CreateTlsServerSecurityConnector(
160 
164  ~TlsServerSecurityConnector() override;
165 
166  void add_handshakers(const grpc_channel_args* args,
167  grpc_pollset_set* interested_parties,
168  HandshakeManager* handshake_mgr) override;
169 
170  void check_peer(tsi_peer peer, grpc_endpoint* ep,
171  RefCountedPtr<grpc_auth_context>* auth_context,
172  grpc_closure* on_peer_checked) override;
173 
174  void cancel_check_peer(grpc_closure* /*on_peer_checked*/,
175  grpc_error_handle error) override {
176  // TODO(ZhenLian): call verifier->cancel() once the verifier is ready.
178  }
179 
180  int cmp(const grpc_security_connector* other) const override;
181 
183  MutexLock lock(&mu_);
184  return server_handshaker_factory_;
185  };
186 
187  const absl::optional<absl::string_view>& RootCertsForTesting() {
188  MutexLock lock(&mu_);
189  return pem_root_certs_;
190  }
191 
192  const absl::optional<PemKeyCertPairList>& KeyCertPairListForTesting() {
193  MutexLock lock(&mu_);
194  return pem_key_cert_pair_list_;
195  }
196 
197  private:
198  // A watcher that watches certificate updates from
199  // grpc_tls_certificate_distributor. It will never outlive
200  // |security_connector_|.
201  class TlsServerCertificateWatcher : public grpc_tls_certificate_distributor::
202  TlsCertificatesWatcherInterface {
203  public:
204  explicit TlsServerCertificateWatcher(
205  TlsServerSecurityConnector* security_connector)
206  : security_connector_(security_connector) {}
207  void OnCertificatesChanged(
208  absl::optional<absl::string_view> root_certs,
209  absl::optional<PemKeyCertPairList> key_cert_pairs) override;
210  void OnError(grpc_error_handle root_cert_error,
211  grpc_error_handle identity_cert_error) override;
212 
213  private:
214  TlsServerSecurityConnector* security_connector_ = nullptr;
215  };
216 
217  // Updates |server_handshaker_factory_| when the certificates that
218  // |certificate_watcher_| is watching get updated.
219  grpc_security_status UpdateHandshakerFactoryLocked()
220  ABSL_EXCLUSIVE_LOCKS_REQUIRED(mu_);
221 
223  grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
224  certificate_watcher_ = nullptr;
225 
226  Mutex mu_;
227  tsi_ssl_server_handshaker_factory* server_handshaker_factory_
228  ABSL_GUARDED_BY(mu_) = nullptr;
229  absl::optional<absl::string_view> pem_root_certs_ ABSL_GUARDED_BY(mu_);
230  absl::optional<PemKeyCertPairList> pem_key_cert_pair_list_
231  ABSL_GUARDED_BY(mu_);
232 };
233 
234 // ---- Functions below are exposed for testing only -----------------------
235 namespace internal {
236 
237 // TlsCheckHostName checks if |peer_name| matches the identity information
238 // contained in |peer|. This is AKA hostname check.
239 grpc_error_handle TlsCheckHostName(const char* peer_name, const tsi_peer* peer);
240 
241 } // namespace internal
242 
243 } // namespace grpc_core
244 
245 #endif // GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H
Definition: security_connector.h:94
const grpc_call_credentials * request_metadata_creds() const
Definition: security_connector.h:128
const grpc_channel_credentials * channel_creds() const
Definition: security_connector.h:122
Definition: handshaker.h:92
Definition: sync.h:85
friend class RefCountedPtr
Definition: ref_counted.h:337
Definition: ref_counted_ptr.h:35
Definition: tls_security_connector.h:35
void add_handshakers(const grpc_channel_args *args, grpc_pollset_set *interested_parties, HandshakeManager *handshake_mgr) override
Registers handshakers with handshake_mgr.
Definition: tls_security_connector.cc:171
void cancel_check_peer(grpc_closure *, grpc_error_handle error) override
Definition: tls_security_connector.h:63
int cmp(const grpc_security_connector *other_sc) const override
Definition: tls_security_connector.cc:304
static RefCountedPtr< grpc_channel_security_connector > CreateTlsChannelSecurityConnector(RefCountedPtr< grpc_channel_credentials > channel_creds, RefCountedPtr< grpc_tls_credentials_options > options, RefCountedPtr< grpc_call_credentials > request_metadata_creds, const char *target_name, const char *overridden_target_name, tsi_ssl_session_cache *ssl_session_cache)
Definition: tls_security_connector.cc:72
absl::optional< absl::string_view > RootCertsForTesting()
Definition: tls_security_connector.h:83
void check_peer(tsi_peer peer, grpc_endpoint *ep, RefCountedPtr< grpc_auth_context > *auth_context, grpc_closure *on_peer_checked) override
Definition: tls_security_connector.cc:198
tsi_ssl_client_handshaker_factory * ClientHandshakerFactoryForTesting()
Definition: tls_security_connector.h:78
bool check_call_host(absl::string_view host, grpc_auth_context *auth_context, grpc_closure *on_call_host_checked, grpc_error_handle *error) override
Checks that the host that will be set for a call is acceptable.
Definition: tls_security_connector.cc:316
~TlsChannelSecurityConnector() override
Definition: tls_security_connector.cc:153
absl::optional< PemKeyCertPairList > KeyCertPairListForTesting()
Definition: tls_security_connector.h:88
TlsChannelSecurityConnector(RefCountedPtr< grpc_channel_credentials > channel_creds, RefCountedPtr< grpc_tls_credentials_options > options, RefCountedPtr< grpc_call_credentials > request_metadata_creds, const char *target_name, const char *overridden_target_name, tsi_ssl_session_cache *ssl_session_cache)
Definition: tls_security_connector.cc:102
void cancel_check_call_host(grpc_closure *on_call_host_checked, grpc_error_handle error) override
Cancels a pending asynchronous call to grpc_channel_security_connector_check_call_host() with on_call...
Definition: tls_security_connector.cc:330
Definition: tls_security_connector.h:153
void cancel_check_peer(grpc_closure *, grpc_error_handle error) override
Definition: tls_security_connector.h:174
const absl::optional< PemKeyCertPairList > & KeyCertPairListForTesting()
Definition: tls_security_connector.h:192
tsi_ssl_server_handshaker_factory * ServerHandshakerFactoryForTesting()
Definition: tls_security_connector.h:182
const absl::optional< absl::string_view > & RootCertsForTesting()
Definition: tls_security_connector.h:187
Definition: security_connector.h:48
Definition: security_connector.h:156
#define GRPC_ERROR_UNREF(err)
Definition: error.h:254
grpc_error_handle error
Definition: lame_client.cc:54
grpc_error_handle TlsCheckHostName(const char *peer_name, const tsi_peer *peer)
Definition: tls_security_connector.cc:670
Round Robin Policy.
Definition: backend_metric.cc:26
absl::InlinedVector< grpc_core::PemKeyCertPair, 1 > PemKeyCertPairList
Definition: ssl_utils.h:184
Definition: async_unary_call.h:398
struct grpc_pollset_set grpc_pollset_set
Definition: pollset_set.h:31
grpc_security_status
Definition: security_connector.h:38
struct tsi_ssl_session_cache tsi_ssl_session_cache
Definition: ssl_transport_security.h:66
Definition: security_context.h:51
An array of arguments that can be passed around.
Definition: grpc_types.h:132
A closure over a grpc_iomgr_cb_func.
Definition: closure.h:56
Definition: endpoint.h:106
Definition: error_internal.h:41
Definition: grpc_tls_certificate_distributor.h:37
Definition: grpc_tls_credentials_options.h:102
A struct containing all information necessary to schedule/cancel a server authorization check request...
Definition: grpc_security.h:972
Definition: transport_security_interface.h:216
Definition: ssl_transport_security.cc:92
Definition: ssl_transport_security.cc:100