GRPC C++  1.39.1
tls_certificate_provider.h
Go to the documentation of this file.
1 //
2 // Copyright 2020 gRPC authors.
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #ifndef GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H
18 #define GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H
19 
21 #include <grpc/status.h>
22 #include <grpc/support/log.h>
24 #include <grpcpp/support/config.h>
25 
26 #include <memory>
27 #include <vector>
28 
29 // TODO(yihuazhang): remove the forward declaration here and include
30 // <grpc/grpc_security.h> directly once the insecure builds are cleaned up.
32 
33 namespace grpc {
34 namespace experimental {
35 
36 // Interface for a class that handles the process to fetch credential data.
37 // Implementations should be a wrapper class of an internal provider
38 // implementation.
40  public:
41  virtual ~CertificateProviderInterface() = default;
43 };
44 
45 // A struct that stores the credential data presented to the peer in handshake
46 // to show local identity. The private_key and certificate_chain should always
47 // match.
49  std::string private_key;
50  std::string certificate_chain;
51 };
52 
53 // A basic CertificateProviderInterface implementation that will load credential
54 // data from static string during initialization. This provider will always
55 // return the same cert data for all cert names, and reloading is not supported.
57  public:
59  const std::string& root_certificate,
60  const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs);
61 
62  explicit StaticDataCertificateProvider(const std::string& root_certificate)
63  : StaticDataCertificateProvider(root_certificate, {}) {}
64 
66  const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs)
67  : StaticDataCertificateProvider("", identity_key_cert_pairs) {}
68 
70 
71  grpc_tls_certificate_provider* c_provider() override { return c_provider_; }
72 
73  private:
74  grpc_tls_certificate_provider* c_provider_ = nullptr;
75 };
76 
77 // A CertificateProviderInterface implementation that will watch the credential
78 // changes on the file system. This provider will always return the up-to-date
79 // cert data for all the cert names callers set through |TlsCredentialsOptions|.
80 // Several things to note:
81 // 1. This API only supports one key-cert file and hence one set of identity
82 // key-cert pair, so SNI(Server Name Indication) is not supported.
83 // 2. The private key and identity certificate should always match. This API
84 // guarantees atomic read, and it is the callers' responsibility to do atomic
85 // updates. There are many ways to atomically update the key and certs in the
86 // file system. To name a few:
87 // 1) creating a new directory, renaming the old directory to a new name, and
88 // then renaming the new directory to the original name of the old directory.
89 // 2) using a symlink for the directory. When need to change, put new
90 // credential data in a new directory, and change symlink.
93  public:
94  // Constructor to get credential updates from root and identity file paths.
95  //
96  // @param private_key_path is the file path of the private key.
97  // @param identity_certificate_path is the file path of the identity
98  // certificate chain.
99  // @param root_cert_path is the file path to the root certificate bundle.
100  // @param refresh_interval_sec is the refreshing interval that we will check
101  // the files for updates.
102  FileWatcherCertificateProvider(const std::string& private_key_path,
103  const std::string& identity_certificate_path,
104  const std::string& root_cert_path,
105  unsigned int refresh_interval_sec);
106  // Constructor to get credential updates from identity file paths only.
107  FileWatcherCertificateProvider(const std::string& private_key_path,
108  const std::string& identity_certificate_path,
109  unsigned int refresh_interval_sec)
110  : FileWatcherCertificateProvider(private_key_path,
111  identity_certificate_path, "",
112  refresh_interval_sec) {}
113  // Constructor to get credential updates from root file path only.
114  FileWatcherCertificateProvider(const std::string& root_cert_path,
115  unsigned int refresh_interval_sec)
116  : FileWatcherCertificateProvider("", "", root_cert_path,
117  refresh_interval_sec) {}
118 
120 
121  grpc_tls_certificate_provider* c_provider() override { return c_provider_; }
122 
123  private:
124  grpc_tls_certificate_provider* c_provider_ = nullptr;
125 };
126 
127 } // namespace experimental
128 } // namespace grpc
129 
130 #endif // GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H
Definition: tls_certificate_provider.h:39
virtual grpc_tls_certificate_provider * c_provider()=0
Definition: tls_certificate_provider.h:92
grpc_tls_certificate_provider * c_provider() override
Definition: tls_certificate_provider.h:121
~FileWatcherCertificateProvider() override
Definition: tls_certificate_provider.cc:54
FileWatcherCertificateProvider(const std::string &private_key_path, const std::string &identity_certificate_path, const std::string &root_cert_path, unsigned int refresh_interval_sec)
Definition: tls_certificate_provider.cc:44
FileWatcherCertificateProvider(const std::string &private_key_path, const std::string &identity_certificate_path, unsigned int refresh_interval_sec)
Definition: tls_certificate_provider.h:107
FileWatcherCertificateProvider(const std::string &root_cert_path, unsigned int refresh_interval_sec)
Definition: tls_certificate_provider.h:114
Definition: tls_certificate_provider.h:56
StaticDataCertificateProvider(const std::string &root_certificate, const std::vector< IdentityKeyCertPair > &identity_key_cert_pairs)
Definition: tls_certificate_provider.cc:26
grpc_tls_certificate_provider * c_provider() override
Definition: tls_certificate_provider.h:71
StaticDataCertificateProvider(const std::string &root_certificate)
Definition: tls_certificate_provider.h:62
StaticDataCertificateProvider(const std::vector< IdentityKeyCertPair > &identity_key_cert_pairs)
Definition: tls_certificate_provider.h:65
~StaticDataCertificateProvider() override
Definition: tls_certificate_provider.cc:40
An Alarm posts the user-provided tag to its associated completion queue or invokes the user-provided ...
Definition: alarm.h:33
Definition: tls_certificate_provider.h:48
std::string certificate_chain
Definition: tls_certificate_provider.h:50
std::string private_key
Definition: tls_certificate_provider.h:49
Definition: grpc_tls_certificate_provider.h:45