authorGravatar Craig Tiller <ctiller@google.com>2015-09-22 10:42:19 -0700
committerGravatar Craig Tiller <ctiller@google.com>2015-09-22 10:42:19 -0700
commit45724b35e411fef7c5da66a74c78428c11d56843 (patch)
tree9264034aca675c89444e02f72ef58e67d7043604 /src/core/security
parent298751c1195523ef6228595043b583c3a6270e08 (diff)
indent pass to get logical source lines on one physical line
Diffstat (limited to 'src/core/security')
-rw-r--r--src/core/security/base64.c311
-rw-r--r--src/core/security/base64.h8
-rw-r--r--src/core/security/client_auth_filter.c445
-rw-r--r--src/core/security/credentials.c1797
-rw-r--r--src/core/security/credentials.h172
-rw-r--r--src/core/security/credentials_metadata.c105
-rw-r--r--src/core/security/credentials_posix.c21
-rw-r--r--src/core/security/credentials_win32.c21
-rw-r--r--src/core/security/google_default_credentials.c239
-rw-r--r--src/core/security/handshake.c349
-rw-r--r--src/core/security/handshake.h7
-rw-r--r--src/core/security/json_token.c540
-rw-r--r--src/core/security/json_token.h37
-rw-r--r--src/core/security/jwt_verifier.c1174
-rw-r--r--src/core/security/jwt_verifier.h47
-rw-r--r--src/core/security/secure_endpoint.c519
-rw-r--r--src/core/security/secure_endpoint.h4
-rw-r--r--src/core/security/security_connector.c927
-rw-r--r--src/core/security/security_connector.h105
-rw-r--r--src/core/security/security_context.c396
-rw-r--r--src/core/security/security_context.h43
-rw-r--r--src/core/security/server_auth_filter.c282
-rw-r--r--src/core/security/server_secure_chttp2.c338
23 files changed, 4166 insertions, 3721 deletions
diff --git a/src/core/security/base64.c b/src/core/security/base64.c
index 5226d2c578..4d86da9453 100644
--- a/src/core/security/base64.c
+++ b/src/core/security/base64.c
@@ -42,22 +42,21 @@
/* --- Constants. --- */
static const char base64_bytes[] = {
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, 0x3E, -1, -1, -1, 0x3F,
- 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, -1, -1,
- -1, 0x7F, -1, -1, -1, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
- 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12,
- 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, -1, -1, -1, -1, -1,
- -1, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
- 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30,
- 0x31, 0x32, 0x33, -1, -1, -1, -1, -1};
-
-static const char base64_url_unsafe_chars[] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-static const char base64_url_safe_chars[] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, 0x3E, -1, -1, -1, 0x3F,
+ 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, -1, -1,
+ -1, 0x7F, -1, -1, -1, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
+ 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12,
+ 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, -1, -1, -1, -1, -1,
+ -1, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+ 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30,
+ 0x31, 0x32, 0x33, -1, -1, -1, -1, -1
+};
+
+static const char base64_url_unsafe_chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+static const char base64_url_safe_chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
#define GRPC_BASE64_PAD_CHAR '='
#define GRPC_BASE64_PAD_BYTE 0x7F
@@ -66,168 +65,194 @@ static const char base64_url_safe_chars[] =
/* --- base64 functions. --- */
-char *grpc_base64_encode(const void *vdata, size_t data_size, int url_safe,
- int multiline) {
+char *
+grpc_base64_encode (const void *vdata, size_t data_size, int url_safe, int multiline)
+{
const unsigned char *data = vdata;
- const char *base64_chars =
- url_safe ? base64_url_safe_chars : base64_url_unsafe_chars;
- size_t result_projected_size =
- 4 * ((data_size + 3) / 3) +
- 2 * (multiline ? (data_size / (3 * GRPC_BASE64_MULTILINE_NUM_BLOCKS))
- : 0) +
- 1;
- char *result = gpr_malloc(result_projected_size);
+ const char *base64_chars = url_safe ? base64_url_safe_chars : base64_url_unsafe_chars;
+ size_t result_projected_size = 4 * ((data_size + 3) / 3) + 2 * (multiline ? (data_size / (3 * GRPC_BASE64_MULTILINE_NUM_BLOCKS)) : 0) + 1;
+ char *result = gpr_malloc (result_projected_size);
char *current = result;
size_t num_blocks = 0;
size_t i = 0;
/* Encode each block. */
- while (data_size >= 3) {
- *current++ = base64_chars[(data[i] >> 2) & 0x3F];
- *current++ =
- base64_chars[((data[i] & 0x03) << 4) | ((data[i + 1] >> 4) & 0x0F)];
- *current++ =
- base64_chars[((data[i + 1] & 0x0F) << 2) | ((data[i + 2] >> 6) & 0x03)];
- *current++ = base64_chars[data[i + 2] & 0x3F];
-
- data_size -= 3;
- i += 3;
- if (multiline && (++num_blocks == GRPC_BASE64_MULTILINE_NUM_BLOCKS)) {
- *current++ = '\r';
- *current++ = '\n';
- num_blocks = 0;
+ while (data_size >= 3)
+ {
+ *current++ = base64_chars[(data[i] >> 2) & 0x3F];
+ *current++ = base64_chars[((data[i] & 0x03) << 4) | ((data[i + 1] >> 4) & 0x0F)];
+ *current++ = base64_chars[((data[i + 1] & 0x0F) << 2) | ((data[i + 2] >> 6) & 0x03)];
+ *current++ = base64_chars[data[i + 2] & 0x3F];
+
+ data_size -= 3;
+ i += 3;
+ if (multiline && (++num_blocks == GRPC_BASE64_MULTILINE_NUM_BLOCKS))
+ {
+ *current++ = '\r';
+ *current++ = '\n';
+ num_blocks = 0;
+ }
}
- }
/* Take care of the tail. */
- if (data_size == 2) {
- *current++ = base64_chars[(data[i] >> 2) & 0x3F];
- *current++ =
- base64_chars[((data[i] & 0x03) << 4) | ((data[i + 1] >> 4) & 0x0F)];
- *current++ = base64_chars[(data[i + 1] & 0x0F) << 2];
- *current++ = GRPC_BASE64_PAD_CHAR;
- } else if (data_size == 1) {
- *current++ = base64_chars[(data[i] >> 2) & 0x3F];
- *current++ = base64_chars[(data[i] & 0x03) << 4];
- *current++ = GRPC_BASE64_PAD_CHAR;
- *current++ = GRPC_BASE64_PAD_CHAR;
- }
-
- GPR_ASSERT(current >= result);
- GPR_ASSERT((gpr_uintptr)(current - result) < result_projected_size);
+ if (data_size == 2)
+ {
+ *current++ = base64_chars[(data[i] >> 2) & 0x3F];
+ *current++ = base64_chars[((data[i] & 0x03) << 4) | ((data[i + 1] >> 4) & 0x0F)];
+ *current++ = base64_chars[(data[i + 1] & 0x0F) << 2];
+ *current++ = GRPC_BASE64_PAD_CHAR;
+ }
+ else if (data_size == 1)
+ {
+ *current++ = base64_chars[(data[i] >> 2) & 0x3F];
+ *current++ = base64_chars[(data[i] & 0x03) << 4];
+ *current++ = GRPC_BASE64_PAD_CHAR;
+ *current++ = GRPC_BASE64_PAD_CHAR;
+ }
+
+ GPR_ASSERT (current >= result);
+ GPR_ASSERT ((gpr_uintptr) (current - result) < result_projected_size);
result[current - result] = '\0';
return result;
}
-gpr_slice grpc_base64_decode(const char *b64, int url_safe) {
- return grpc_base64_decode_with_len(b64, strlen(b64), url_safe);
+gpr_slice
+grpc_base64_decode (const char *b64, int url_safe)
+{
+ return grpc_base64_decode_with_len (b64, strlen (b64), url_safe);
}
-static void decode_one_char(const unsigned char *codes, unsigned char *result,
- size_t *result_offset) {
- gpr_uint32 packed = ((gpr_uint32)codes[0] << 2) | ((gpr_uint32)codes[1] >> 4);
- result[(*result_offset)++] = (unsigned char)packed;
+static void
+decode_one_char (const unsigned char *codes, unsigned char *result, size_t * result_offset)
+{
+ gpr_uint32 packed = ((gpr_uint32) codes[0] << 2) | ((gpr_uint32) codes[1] >> 4);
+ result[(*result_offset)++] = (unsigned char) packed;
}
-static void decode_two_chars(const unsigned char *codes, unsigned char *result,
- size_t *result_offset) {
- gpr_uint32 packed = ((gpr_uint32)codes[0] << 10) |
- ((gpr_uint32)codes[1] << 4) | ((gpr_uint32)codes[2] >> 2);
- result[(*result_offset)++] = (unsigned char)(packed >> 8);
- result[(*result_offset)++] = (unsigned char)(packed);
+static void
+decode_two_chars (const unsigned char *codes, unsigned char *result, size_t * result_offset)
+{
+ gpr_uint32 packed = ((gpr_uint32) codes[0] << 10) | ((gpr_uint32) codes[1] << 4) | ((gpr_uint32) codes[2] >> 2);
+ result[(*result_offset)++] = (unsigned char) (packed >> 8);
+ result[(*result_offset)++] = (unsigned char) (packed);
}
-static int decode_group(const unsigned char *codes, size_t num_codes,
- unsigned char *result, size_t *result_offset) {
- GPR_ASSERT(num_codes <= 4);
+static int
+decode_group (const unsigned char *codes, size_t num_codes, unsigned char *result, size_t * result_offset)
+{
+ GPR_ASSERT (num_codes <= 4);
/* Short end groups that may not have padding. */
- if (num_codes == 1) {
- gpr_log(GPR_ERROR, "Invalid group. Must be at least 2 bytes.");
- return 0;
- }
- if (num_codes == 2) {
- decode_one_char(codes, result, result_offset);
- return 1;
- }
- if (num_codes == 3) {
- decode_two_chars(codes, result, result_offset);
- return 1;
- }
+ if (num_codes == 1)
+ {
+ gpr_log (GPR_ERROR, "Invalid group. Must be at least 2 bytes.");
+ return 0;
+ }
+ if (num_codes == 2)
+ {
+ decode_one_char (codes, result, result_offset);
+ return 1;
+ }
+ if (num_codes == 3)
+ {
+ decode_two_chars (codes, result, result_offset);
+ return 1;
+ }
/* Regular 4 byte groups with padding or not. */
- GPR_ASSERT(num_codes == 4);
- if (codes[0] == GRPC_BASE64_PAD_BYTE || codes[1] == GRPC_BASE64_PAD_BYTE) {
- gpr_log(GPR_ERROR, "Invalid padding detected.");
- return 0;
- }
- if (codes[2] == GRPC_BASE64_PAD_BYTE) {
- if (codes[3] == GRPC_BASE64_PAD_BYTE) {
- decode_one_char(codes, result, result_offset);
- } else {
- gpr_log(GPR_ERROR, "Invalid padding detected.");
+ GPR_ASSERT (num_codes == 4);
+ if (codes[0] == GRPC_BASE64_PAD_BYTE || codes[1] == GRPC_BASE64_PAD_BYTE)
+ {
+ gpr_log (GPR_ERROR, "Invalid padding detected.");
return 0;
}
- } else if (codes[3] == GRPC_BASE64_PAD_BYTE) {
- decode_two_chars(codes, result, result_offset);
- } else {
- /* No padding. */
- gpr_uint32 packed = ((gpr_uint32)codes[0] << 18) |
- ((gpr_uint32)codes[1] << 12) |
- ((gpr_uint32)codes[2] << 6) | codes[3];
- result[(*result_offset)++] = (unsigned char)(packed >> 16);
- result[(*result_offset)++] = (unsigned char)(packed >> 8);
- result[(*result_offset)++] = (unsigned char)(packed);
- }
+ if (codes[2] == GRPC_BASE64_PAD_BYTE)
+ {
+ if (codes[3] == GRPC_BASE64_PAD_BYTE)
+ {
+ decode_one_char (codes, result, result_offset);
+ }
+ else
+ {
+ gpr_log (GPR_ERROR, "Invalid padding detected.");
+ return 0;
+ }
+ }
+ else if (codes[3] == GRPC_BASE64_PAD_BYTE)
+ {
+ decode_two_chars (codes, result, result_offset);
+ }
+ else
+ {
+ /* No padding. */
+ gpr_uint32 packed = ((gpr_uint32) codes[0] << 18) | ((gpr_uint32) codes[1] << 12) | ((gpr_uint32) codes[2] << 6) | codes[3];
+ result[(*result_offset)++] = (unsigned char) (packed >> 16);
+ result[(*result_offset)++] = (unsigned char) (packed >> 8);
+ result[(*result_offset)++] = (unsigned char) (packed);
+ }
return 1;
}
-gpr_slice grpc_base64_decode_with_len(const char *b64, size_t b64_len,
- int url_safe) {
- gpr_slice result = gpr_slice_malloc(b64_len);
- unsigned char *current = GPR_SLICE_START_PTR(result);
+gpr_slice
+grpc_base64_decode_with_len (const char *b64, size_t b64_len, int url_safe)
+{
+ gpr_slice result = gpr_slice_malloc (b64_len);
+ unsigned char *current = GPR_SLICE_START_PTR (result);
size_t result_size = 0;
unsigned char codes[4];
size_t num_codes = 0;
- while (b64_len--) {
- unsigned char c = (unsigned char)(*b64++);
- signed char code;
- if (c >= GPR_ARRAY_SIZE(base64_bytes)) continue;
- if (url_safe) {
- if (c == '+' || c == '/') {
- gpr_log(GPR_ERROR, "Invalid character for url safe base64 %c", c);
- goto fail;
- }
- if (c == '-') {
- c = '+';
- } else if (c == '_') {
- c = '/';
- }
- }
- code = base64_bytes[c];
- if (code == -1) {
- if (c != '\r' && c != '\n') {
- gpr_log(GPR_ERROR, "Invalid character %c", c);
- goto fail;
- }
- } else {
- codes[num_codes++] = (unsigned char)code;
- if (num_codes == 4) {
- if (!decode_group(codes, num_codes, current, &result_size)) goto fail;
- num_codes = 0;
- }
+ while (b64_len--)
+ {
+ unsigned char c = (unsigned char) (*b64++);
+ signed char code;
+ if (c >= GPR_ARRAY_SIZE (base64_bytes))
+ continue;
+ if (url_safe)
+ {
+ if (c == '+' || c == '/')
+ {
+ gpr_log (GPR_ERROR, "Invalid character for url safe base64 %c", c);
+ goto fail;
+ }
+ if (c == '-')
+ {
+ c = '+';
+ }
+ else if (c == '_')
+ {
+ c = '/';
+ }
+ }
+ code = base64_bytes[c];
+ if (code == -1)
+ {
+ if (c != '\r' && c != '\n')
+ {
+ gpr_log (GPR_ERROR, "Invalid character %c", c);
+ goto fail;
+ }
+ }
+ else
+ {
+ codes[num_codes++] = (unsigned char) code;
+ if (num_codes == 4)
+ {
+ if (!decode_group (codes, num_codes, current, &result_size))
+ goto fail;
+ num_codes = 0;
+ }
+ }
}
- }
- if (num_codes != 0 &&
- !decode_group(codes, num_codes, current, &result_size)) {
- goto fail;
- }
- GPR_SLICE_SET_LENGTH(result, result_size);
+ if (num_codes != 0 && !decode_group (codes, num_codes, current, &result_size))
+ {
+ goto fail;
+ }
+ GPR_SLICE_SET_LENGTH (result, result_size);
return result;
fail:
- gpr_slice_unref(result);
- return gpr_empty_slice();
+ gpr_slice_unref (result);
+ return gpr_empty_slice ();
}
diff --git a/src/core/security/base64.h b/src/core/security/base64.h
index 31ae982691..9d4b44c4b0 100644
--- a/src/core/security/base64.h
+++ b/src/core/security/base64.h
@@ -38,15 +38,13 @@
/* Encodes data using base64. It is the caller's responsability to free
the returned char * using gpr_free. Returns NULL on NULL input. */
-char *grpc_base64_encode(const void *data, size_t data_size, int url_safe,
- int multiline);
+char *grpc_base64_encode (const void *data, size_t data_size, int url_safe, int multiline);
/* Decodes data according to the base64 specification. Returns an empty
slice in case of failure. */
-gpr_slice grpc_base64_decode(const char *b64, int url_safe);
+gpr_slice grpc_base64_decode (const char *b64, int url_safe);
/* Same as above except that the length is provided by the caller. */
-gpr_slice grpc_base64_decode_with_len(const char *b64, size_t b64_len,
- int url_safe);
+gpr_slice grpc_base64_decode_with_len (const char *b64, size_t b64_len, int url_safe);
#endif /* GRPC_INTERNAL_CORE_SECURITY_BASE64_H */
diff --git a/src/core/security/client_auth_filter.c b/src/core/security/client_auth_filter.c
index 5955b84962..660ef713fa 100644
--- a/src/core/security/client_auth_filter.c
+++ b/src/core/security/client_auth_filter.c
@@ -49,7 +49,8 @@
#define MAX_CREDENTIALS_METADATA_COUNT 4
/* We can have a per-call credentials. */
-typedef struct {
+typedef struct
+{
grpc_credentials *creds;
grpc_mdstr *host;
grpc_mdstr *method;
@@ -67,7 +68,8 @@ typedef struct {
} call_data;
/* We can have a per-channel credentials. */
-typedef struct {
+typedef struct
+{
grpc_channel_security_connector *security_connector;
grpc_mdctx *md_ctx;
grpc_mdstr *authority_string;
@@ -76,129 +78,130 @@ typedef struct {
grpc_mdstr *status_key;
} channel_data;
-static void reset_service_url(call_data *calld) {
- if (calld->service_url != NULL) {
- gpr_free(calld->service_url);
- calld->service_url = NULL;
- }
+static void
+reset_service_url (call_data * calld)
+{
+ if (calld->service_url != NULL)
+ {
+ gpr_free (calld->service_url);
+ calld->service_url = NULL;
+ }
}
-static void bubble_up_error(grpc_call_element *elem, grpc_status_code status,
- const char *error_msg,
- grpc_closure_list *closure_list) {
+static void
+bubble_up_error (grpc_call_element * elem, grpc_status_code status, const char *error_msg, grpc_closure_list * closure_list)
+{
call_data *calld = elem->call_data;
- gpr_log(GPR_ERROR, "Client side authentication failure: %s", error_msg);
- grpc_transport_stream_op_add_cancellation(&calld->op, status);
- grpc_call_next_op(elem, &calld->op, closure_list);
+ gpr_log (GPR_ERROR, "Client side authentication failure: %s", error_msg);
+ grpc_transport_stream_op_add_cancellation (&calld->op, status);
+ grpc_call_next_op (elem, &calld->op, closure_list);
}
-static void on_credentials_metadata(void *user_data,
- grpc_credentials_md *md_elems,
- size_t num_md,
- grpc_credentials_status status,
- grpc_closure_list *closure_list) {
- grpc_call_element *elem = (grpc_call_element *)user_data;
+static void
+on_credentials_metadata (void *user_data, grpc_credentials_md * md_elems, size_t num_md, grpc_credentials_status status, grpc_closure_list * closure_list)
+{
+ grpc_call_element *elem = (grpc_call_element *) user_data;
call_data *calld = elem->call_data;
channel_data *chand = elem->channel_data;
grpc_transport_stream_op *op = &calld->op;
grpc_metadata_batch *mdb;
size_t i;
- reset_service_url(calld);
- if (status != GRPC_CREDENTIALS_OK) {
- bubble_up_error(elem, GRPC_STATUS_UNAUTHENTICATED,
- "Credentials failed to get metadata.", closure_list);
- return;
- }
- GPR_ASSERT(num_md <= MAX_CREDENTIALS_METADATA_COUNT);
- GPR_ASSERT(op->send_ops && op->send_ops->nops > calld->op_md_idx &&
- op->send_ops->ops[calld->op_md_idx].type == GRPC_OP_METADATA);
+ reset_service_url (calld);
+ if (status != GRPC_CREDENTIALS_OK)
+ {
+ bubble_up_error (elem, GRPC_STATUS_UNAUTHENTICATED, "Credentials failed to get metadata.", closure_list);
+ return;
+ }
+ GPR_ASSERT (num_md <= MAX_CREDENTIALS_METADATA_COUNT);
+ GPR_ASSERT (op->send_ops && op->send_ops->nops > calld->op_md_idx && op->send_ops->ops[calld->op_md_idx].type == GRPC_OP_METADATA);
mdb = &op->send_ops->ops[calld->op_md_idx].data.metadata;
- for (i = 0; i < num_md; i++) {
- grpc_metadata_batch_add_tail(
- mdb, &calld->md_links[i],
- grpc_mdelem_from_slices(chand->md_ctx, gpr_slice_ref(md_elems[i].key),
- gpr_slice_ref(md_elems[i].value)));
- }
- grpc_call_next_op(elem, op, closure_list);
+ for (i = 0; i < num_md; i++)
+ {
+ grpc_metadata_batch_add_tail (mdb, &calld->md_links[i], grpc_mdelem_from_slices (chand->md_ctx, gpr_slice_ref (md_elems[i].key), gpr_slice_ref (md_elems[i].value)));
+ }
+ grpc_call_next_op (elem, op, closure_list);
}
-void build_service_url(const char *url_scheme, call_data *calld) {
- char *service = gpr_strdup(grpc_mdstr_as_c_string(calld->method));
- char *last_slash = strrchr(service, '/');
- if (last_slash == NULL) {
- gpr_log(GPR_ERROR, "No '/' found in fully qualified method name");
- service[0] = '\0';
- } else if (last_slash == service) {
- /* No service part in fully qualified method name: will just be "/". */
- service[1] = '\0';
- } else {
- *last_slash = '\0';
- }
- if (url_scheme == NULL) url_scheme = "";
- reset_service_url(calld);
- gpr_asprintf(&calld->service_url, "%s://%s%s", url_scheme,
- grpc_mdstr_as_c_string(calld->host), service);
- gpr_free(service);
+void
+build_service_url (const char *url_scheme, call_data * calld)
+{
+ char *service = gpr_strdup (grpc_mdstr_as_c_string (calld->method));
+ char *last_slash = strrchr (service, '/');
+ if (last_slash == NULL)
+ {
+ gpr_log (GPR_ERROR, "No '/' found in fully qualified method name");
+ service[0] = '\0';
+ }
+ else if (last_slash == service)
+ {
+ /* No service part in fully qualified method name: will just be "/". */
+ service[1] = '\0';
+ }
+ else
+ {
+ *last_slash = '\0';
+ }
+ if (url_scheme == NULL)
+ url_scheme = "";
+ reset_service_url (calld);
+ gpr_asprintf (&calld->service_url, "%s://%s%s", url_scheme, grpc_mdstr_as_c_string (calld->host), service);
+ gpr_free (service);
}
-static void send_security_metadata(grpc_call_element *elem,
- grpc_transport_stream_op *op,
- grpc_closure_list *closure_list) {
+static void
+send_security_metadata (grpc_call_element * elem, grpc_transport_stream_op * op, grpc_closure_list * closure_list)
+{
call_data *calld = elem->call_data;
channel_data *chand = elem->channel_data;
- grpc_client_security_context *ctx =
- (grpc_client_security_context *)op->context[GRPC_CONTEXT_SECURITY].value;
- grpc_credentials *channel_creds =
- chand->security_connector->request_metadata_creds;
- int channel_creds_has_md =
- (channel_creds != NULL) &&
- grpc_credentials_has_request_metadata(channel_creds);
- int call_creds_has_md = (ctx != NULL) && (ctx->creds != NULL) &&
- grpc_credentials_has_request_metadata(ctx->creds);
-
- if (!channel_creds_has_md && !call_creds_has_md) {
- /* Skip sending metadata altogether. */
- grpc_call_next_op(elem, op, closure_list);
- return;
- }
+ grpc_client_security_context *ctx = (grpc_client_security_context *) op->context[GRPC_CONTEXT_SECURITY].value;
+ grpc_credentials *channel_creds = chand->security_connector->request_metadata_creds;
+ int channel_creds_has_md = (channel_creds != NULL) && grpc_credentials_has_request_metadata (channel_creds);
+ int call_creds_has_md = (ctx != NULL) && (ctx->creds != NULL) && grpc_credentials_has_request_metadata (ctx->creds);
- if (channel_creds_has_md && call_creds_has_md) {
- calld->creds =
- grpc_composite_credentials_create(channel_creds, ctx->creds, NULL);
- if (calld->creds == NULL) {
- bubble_up_error(elem, GRPC_STATUS_INVALID_ARGUMENT,
- "Incompatible credentials set on channel and call.",
- closure_list);
+ if (!channel_creds_has_md && !call_creds_has_md)
+ {
+ /* Skip sending metadata altogether. */
+ grpc_call_next_op (elem, op, closure_list);
return;
}
- } else {
- calld->creds =
- grpc_credentials_ref(call_creds_has_md ? ctx->creds : channel_creds);
- }
- build_service_url(chand->security_connector->base.url_scheme, calld);
- calld->op = *op; /* Copy op (originates from the caller's stack). */
- GPR_ASSERT(calld->pollset);
- grpc_credentials_get_request_metadata(
- calld->creds, calld->pollset, calld->service_url, on_credentials_metadata,
- elem, closure_list);
+ if (channel_creds_has_md && call_creds_has_md)
+ {
+ calld->creds = grpc_composite_credentials_create (channel_creds, ctx->creds, NULL);
+ if (calld->creds == NULL)
+ {
+ bubble_up_error (elem, GRPC_STATUS_INVALID_ARGUMENT, "Incompatible credentials set on channel and call.", closure_list);
+ return;
+ }
+ }
+ else
+ {
+ calld->creds = grpc_credentials_ref (call_creds_has_md ? ctx->creds : channel_creds);
+ }
+
+ build_service_url (chand->security_connector->base.url_scheme, calld);
+ calld->op = *op; /* Copy op (originates from the caller's stack). */
+ GPR_ASSERT (calld->pollset);
+ grpc_credentials_get_request_metadata (calld->creds, calld->pollset, calld->service_url, on_credentials_metadata, elem, closure_list);
}
-static void on_host_checked(void *user_data, grpc_security_status status,
- grpc_closure_list *closure_list) {
- grpc_call_element *elem = (grpc_call_element *)user_data;
+static void
+on_host_checked (void *user_data, grpc_security_status status, grpc_closure_list * closure_list)
+{
+ grpc_call_element *elem = (grpc_call_element *) user_data;
call_data *calld = elem->call_data;
- if (status == GRPC_SECURITY_OK) {
- send_security_metadata(elem, &calld->op, closure_list);
- } else {
- char *error_msg;
- gpr_asprintf(&error_msg, "Invalid host %s set in :authority metadata.",
- grpc_mdstr_as_c_string(calld->host));
- bubble_up_error(elem, GRPC_STATUS_INVALID_ARGUMENT, error_msg,
- closure_list);
- gpr_free(error_msg);
- }
+ if (status == GRPC_SECURITY_OK)
+ {
+ send_security_metadata (elem, &calld->op, closure_list);
+ }
+ else
+ {
+ char *error_msg;
+ gpr_asprintf (&error_msg, "Invalid host %s set in :authority metadata.", grpc_mdstr_as_c_string (calld->host));
+ bubble_up_error (elem, GRPC_STATUS_INVALID_ARGUMENT, error_msg, closure_list);
+ gpr_free (error_msg);
+ }
}
/* Called either:
@@ -206,9 +209,9 @@ static void on_host_checked(void *user_data, grpc_security_status status,
- a network event (or similar) from below, to receive something
op contains type and call direction information, in addition to the data
that is being sent or received. */
-static void auth_start_transport_op(grpc_call_element *elem,
- grpc_transport_stream_op *op,
- grpc_closure_list *closure_list) {
+static void
+auth_start_transport_op (grpc_call_element * elem, grpc_transport_stream_op * op, grpc_closure_list * closure_list)
+{
/* grab pointers to our data from the call element */
call_data *calld = elem->call_data;
channel_data *chand = elem->channel_data;
@@ -216,152 +219,162 @@ static void auth_start_transport_op(grpc_call_element *elem,
size_t i;
grpc_client_security_context *sec_ctx = NULL;
- if (calld->security_context_set == 0) {
- calld->security_context_set = 1;
- GPR_ASSERT(op->context);
- if (op->context[GRPC_CONTEXT_SECURITY].value == NULL) {
- op->context[GRPC_CONTEXT_SECURITY].value =
- grpc_client_security_context_create();
- op->context[GRPC_CONTEXT_SECURITY].destroy =
- grpc_client_security_context_destroy;
+ if (calld->security_context_set == 0)
+ {
+ calld->security_context_set = 1;
+ GPR_ASSERT (op->context);
+ if (op->context[GRPC_CONTEXT_SECURITY].value == NULL)
+ {
+ op->context[GRPC_CONTEXT_SECURITY].value = grpc_client_security_context_create ();
+ op->context[GRPC_CONTEXT_SECURITY].destroy = grpc_client_security_context_destroy;
+ }
+ sec_ctx = op->context[GRPC_CONTEXT_SECURITY].value;
+ GRPC_AUTH_CONTEXT_UNREF (sec_ctx->auth_context, "client auth filter");
+ sec_ctx->auth_context = GRPC_AUTH_CONTEXT_REF (chand->security_connector->base.auth_context, "client_auth_filter");
}
- sec_ctx = op->context[GRPC_CONTEXT_SECURITY].value;
- GRPC_AUTH_CONTEXT_UNREF(sec_ctx->auth_context, "client auth filter");
- sec_ctx->auth_context = GRPC_AUTH_CONTEXT_REF(
- chand->security_connector->base.auth_context, "client_auth_filter");
- }
- if (op->bind_pollset) {
- calld->pollset = op->bind_pollset;
- }
+ if (op->bind_pollset)
+ {
+ calld->pollset = op->bind_pollset;
+ }
- if (op->send_ops && !calld->sent_initial_metadata) {
- size_t nops = op->send_ops->nops;
- grpc_stream_op *ops = op->send_ops->ops;
- for (i = 0; i < nops; i++) {
- grpc_stream_op *sop = &ops[i];
- if (sop->type != GRPC_OP_METADATA) continue;
- calld->op_md_idx = i;
- calld->sent_initial_metadata = 1;
- for (l = sop->data.metadata.list.head; l != NULL; l = l->next) {
- grpc_mdelem *md = l->md;
- /* Pointer comparison is OK for md_elems created from the same context.
- */
- if (md->key == chand->authority_string) {
- if (calld->host != NULL) GRPC_MDSTR_UNREF(calld->host);
- calld->host = GRPC_MDSTR_REF(md->value);
- } else if (md->key == chand->path_string) {
- if (calld->method != NULL) GRPC_MDSTR_UNREF(calld->method);
- calld->method = GRPC_MDSTR_REF(md->value);
- }
- }
- if (calld->host != NULL) {
- grpc_security_status status;
- const char *call_host = grpc_mdstr_as_c_string(calld->host);
- calld->op = *op; /* Copy op (originates from the caller's stack). */
- status = grpc_channel_security_connector_check_call_host(
- chand->security_connector, call_host, on_host_checked, elem,
- closure_list);
- if (status != GRPC_SECURITY_OK) {
- if (status == GRPC_SECURITY_ERROR) {
- char *error_msg;
- gpr_asprintf(&error_msg,
- "Invalid host %s set in :authority metadata.",
- call_host);
- bubble_up_error(elem, GRPC_STATUS_INVALID_ARGUMENT, error_msg,
- closure_list);
- gpr_free(error_msg);
- }
- return; /* early exit */
- }
- }
- send_security_metadata(elem, op, closure_list);
- return; /* early exit */
+ if (op->send_ops && !calld->sent_initial_metadata)
+ {
+ size_t nops = op->send_ops->nops;
+ grpc_stream_op *ops = op->send_ops->ops;
+ for (i = 0; i < nops; i++)
+ {
+ grpc_stream_op *sop = &ops[i];
+ if (sop->type != GRPC_OP_METADATA)
+ continue;
+ calld->op_md_idx = i;
+ calld->sent_initial_metadata = 1;
+ for (l = sop->data.metadata.list.head; l != NULL; l = l->next)
+ {
+ grpc_mdelem *md = l->md;
+ /* Pointer comparison is OK for md_elems created from the same context.
+ */
+ if (md->key == chand->authority_string)
+ {
+ if (calld->host != NULL)
+ GRPC_MDSTR_UNREF (calld->host);
+ calld->host = GRPC_MDSTR_REF (md->value);
+ }
+ else if (md->key == chand->path_string)
+ {
+ if (calld->method != NULL)
+ GRPC_MDSTR_UNREF (calld->method);
+ calld->method = GRPC_MDSTR_REF (md->value);
+ }
+ }
+ if (calld->host != NULL)
+ {
+ grpc_security_status status;
+ const char *call_host = grpc_mdstr_as_c_string (calld->host);
+ calld->op = *op; /* Copy op (originates from the caller's stack). */
+ status = grpc_channel_security_connector_check_call_host (chand->security_connector, call_host, on_host_checked, elem, closure_list);
+ if (status != GRPC_SECURITY_OK)
+ {
+ if (status == GRPC_SECURITY_ERROR)
+ {
+ char *error_msg;
+ gpr_asprintf (&error_msg, "Invalid host %s set in :authority metadata.", call_host);
+ bubble_up_error (elem, GRPC_STATUS_INVALID_ARGUMENT, error_msg, closure_list);
+ gpr_free (error_msg);
+ }
+ return; /* early exit */
+ }
+ }
+ send_security_metadata (elem, op, closure_list);
+ return; /* early exit */
+ }
}
- }
/* pass control down the stack */
- grpc_call_next_op(elem, op, closure_list);
+ grpc_call_next_op (elem, op, closure_list);
}
/* Constructor for call_data */
-static void init_call_elem(grpc_call_element *elem,
- const void *server_transport_data,
- grpc_transport_stream_op *initial_op,
- grpc_closure_list *closure_list) {
+static void
+init_call_elem (grpc_call_element * elem, const void *server_transport_data, grpc_transport_stream_op * initial_op, grpc_closure_list * closure_list)
+{
call_data *calld = elem->call_data;
- memset(calld, 0, sizeof(*calld));
- GPR_ASSERT(!initial_op || !initial_op->send_ops);
+ memset (calld, 0, sizeof (*calld));
+ GPR_ASSERT (!initial_op || !initial_op->send_ops);
}
/* Destructor for call_data */
-static void destroy_call_elem(grpc_call_element *elem,
- grpc_closure_list *closure_list) {
+static void
+destroy_call_elem (grpc_call_element * elem, grpc_closure_list * closure_list)
+{
call_data *calld = elem->call_data;
- grpc_credentials_unref(calld->creds);
- if (calld->host != NULL) {
- GRPC_MDSTR_UNREF(calld->host);
- }
- if (calld->method != NULL) {
- GRPC_MDSTR_UNREF(calld->method);
- }
- reset_service_url(calld);
+ grpc_credentials_unref (calld->creds);
+ if (calld->host != NULL)
+ {
+ GRPC_MDSTR_UNREF (calld->host);
+ }
+ if (calld->method != NULL)
+ {
+ GRPC_MDSTR_UNREF (calld->method);
+ }
+ reset_service_url (calld);
}
/* Constructor for channel_data */
-static void init_channel_elem(grpc_channel_element *elem, grpc_channel *master,
- const grpc_channel_args *args,
- grpc_mdctx *metadata_context, int is_first,
- int is_last, grpc_closure_list *closure_list) {
- grpc_security_connector *sc = grpc_find_security_connector_in_args(args);
+static void
+init_channel_elem (grpc_channel_element * elem, grpc_channel * master, const grpc_channel_args * args, grpc_mdctx * metadata_context, int is_first, int is_last, grpc_closure_list * closure_list)
+{
+ grpc_security_connector *sc = grpc_find_security_connector_in_args (args);
/* grab pointers to our data from the channel element */
channel_data *chand = elem->channel_data;
/* The first and the last filters tend to be implemented differently to
handle the case that there's no 'next' filter to call on the up or down
path */
- GPR_ASSERT(!is_last);
- GPR_ASSERT(sc != NULL);
+ GPR_ASSERT (!is_last);
+ GPR_ASSERT (sc != NULL);
/* initialize members */
- GPR_ASSERT(sc->is_client_side);
- chand->security_connector =
- (grpc_channel_security_connector *)GRPC_SECURITY_CONNECTOR_REF(
- sc, "client_auth_filter");
+ GPR_ASSERT (sc->is_client_side);
+ chand->security_connector = (grpc_channel_security_connector *) GRPC_SECURITY_CONNECTOR_REF (sc, "client_auth_filter");
chand->md_ctx = metadata_context;
- chand->authority_string =
- grpc_mdstr_from_string(chand->md_ctx, ":authority", 0);
- chand->path_string = grpc_mdstr_from_string(chand->md_ctx, ":path", 0);
- chand->error_msg_key =
- grpc_mdstr_from_string(chand->md_ctx, "grpc-message", 0);
- chand->status_key = grpc_mdstr_from_string(chand->md_ctx, "grpc-status", 0);
+ chand->authority_string = grpc_mdstr_from_string (chand->md_ctx, ":authority", 0);
+ chand->path_string = grpc_mdstr_from_string (chand->md_ctx, ":path", 0);
+ chand->error_msg_key = grpc_mdstr_from_string (chand->md_ctx, "grpc-message", 0);
+ chand->status_key = grpc_mdstr_from_string (chand->md_ctx, "grpc-status", 0);
}
/* Destructor for channel data */
-static void destroy_channel_elem(grpc_channel_element *elem,
- grpc_closure_list *closure_list) {
+static void
+destroy_channel_elem (grpc_channel_element * elem, grpc_closure_list * closure_list)
+{
/* grab pointers to our data from the channel element */
channel_data *chand = elem->channel_data;
grpc_channel_security_connector *ctx = chand->security_connector;
if (ctx != NULL)
- GRPC_SECURITY_CONNECTOR_UNREF(&ctx->base, "client_auth_filter");
- if (chand->authority_string != NULL) {
- GRPC_MDSTR_UNREF(chand->authority_string);
- }
- if (chand->error_msg_key != NULL) {
- GRPC_MDSTR_UNREF(chand->error_msg_key);
- }
- if (chand->status_key != NULL) {
- GRPC_MDSTR_UNREF(chand->status_key);
- }
- if (chand->path_string != NULL) {
- GRPC_MDSTR_UNREF(chand->path_string);
- }
+ GRPC_SECURITY_CONNECTOR_UNREF (&ctx->base, "client_auth_filter");
+ if (chand->authority_string != NULL)
+ {
+ GRPC_MDSTR_UNREF (chand->authority_string);
+ }
+ if (chand->error_msg_key != NULL)
+ {
+ GRPC_MDSTR_UNREF (chand->error_msg_key);
+ }
+ if (chand->status_key != NULL)
+ {
+ GRPC_MDSTR_UNREF (chand->status_key);
+ }
+ if (chand->path_string != NULL)
+ {
+ GRPC_MDSTR_UNREF (chand->path_string);
+ }
}
const grpc_channel_filter grpc_client_auth_filter = {
- auth_start_transport_op, grpc_channel_next_op,
- sizeof(call_data), init_call_elem,
- destroy_call_elem, sizeof(channel_data),
- init_channel_elem, destroy_channel_elem,
- grpc_call_next_get_peer, "client-auth"};
+ auth_start_transport_op, grpc_channel_next_op,
+ sizeof (call_data), init_call_elem,
+ destroy_call_elem, sizeof (channel_data),
+ init_channel_elem, destroy_channel_elem,
+ grpc_call_next_get_peer, "client-auth"
+};
diff --git a/src/core/security/credentials.c b/src/core/security/credentials.c
index abfaa5eb18..ade70dddbc 100644
--- a/src/core/security/credentials.c
+++ b/src/core/security/credentials.c
@@ -52,873 +52,935 @@
/* -- Common. -- */
-struct grpc_credentials_metadata_request {
+struct grpc_credentials_metadata_request
+{
grpc_credentials *creds;
grpc_credentials_metadata_cb cb;
void *user_data;
};
static grpc_credentials_metadata_request *
-grpc_credentials_metadata_request_create(grpc_credentials *creds,
- grpc_credentials_metadata_cb cb,
- void *user_data) {
- grpc_credentials_metadata_request *r =
- gpr_malloc(sizeof(grpc_credentials_metadata_request));
- r->creds = grpc_credentials_ref(creds);
+grpc_credentials_metadata_request_create (grpc_credentials * creds, grpc_credentials_metadata_cb cb, void *user_data)
+{
+ grpc_credentials_metadata_request *r = gpr_malloc (sizeof (grpc_credentials_metadata_request));
+ r->creds = grpc_credentials_ref (creds);
r->cb = cb;
r->user_data = user_data;
return r;
}
-static void grpc_credentials_metadata_request_destroy(
- grpc_credentials_metadata_request *r) {
- grpc_credentials_unref(r->creds);
- gpr_free(r);
+static void
+grpc_credentials_metadata_request_destroy (grpc_credentials_metadata_request * r)
+{
+ grpc_credentials_unref (r->creds);
+ gpr_free (r);
}
-grpc_credentials *grpc_credentials_ref(grpc_credentials *creds) {
- if (creds == NULL) return NULL;
- gpr_ref(&creds->refcount);
+grpc_credentials *
+grpc_credentials_ref (grpc_credentials * creds)
+{
+ if (creds == NULL)
+ return NULL;
+ gpr_ref (&creds->refcount);
return creds;
}
-void grpc_credentials_unref(grpc_credentials *creds) {
- if (creds == NULL) return;
- if (gpr_unref(&creds->refcount)) {
- creds->vtable->destruct(creds);
- gpr_free(creds);
- }
+void
+grpc_credentials_unref (grpc_credentials * creds)
+{
+ if (creds == NULL)
+ return;
+ if (gpr_unref (&creds->refcount))
+ {
+ creds->vtable->destruct (creds);
+ gpr_free (creds);
+ }
}
-void grpc_credentials_release(grpc_credentials *creds) {
- grpc_credentials_unref(creds);
+void
+grpc_credentials_release (grpc_credentials * creds)
+{
+ grpc_credentials_unref (creds);
}
-int grpc_credentials_has_request_metadata(grpc_credentials *creds) {
- if (creds == NULL) return 0;
- return creds->vtable->has_request_metadata(creds);
+int
+grpc_credentials_has_request_metadata (grpc_credentials * creds)
+{
+ if (creds == NULL)
+ return 0;
+ return creds->vtable->has_request_metadata (creds);
}
-int grpc_credentials_has_request_metadata_only(grpc_credentials *creds) {
- if (creds == NULL) return 0;
- return creds->vtable->has_request_metadata_only(creds);
+int
+grpc_credentials_has_request_metadata_only (grpc_credentials * creds)
+{
+ if (creds == NULL)
+ return 0;
+ return creds->vtable->has_request_metadata_only (creds);
}
-void grpc_credentials_get_request_metadata(grpc_credentials *creds,
- grpc_pollset *pollset,
- const char *service_url,
- grpc_credentials_metadata_cb cb,
- void *user_data,
- grpc_closure_list *closure_list) {
- if (creds == NULL || !grpc_credentials_has_request_metadata(creds) ||
- creds->vtable->get_request_metadata == NULL) {
- if (cb != NULL) {
- cb(user_data, NULL, 0, GRPC_CREDENTIALS_OK, closure_list);
+void
+grpc_credentials_get_request_metadata (grpc_credentials * creds, grpc_pollset * pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ if (creds == NULL || !grpc_credentials_has_request_metadata (creds) || creds->vtable->get_request_metadata == NULL)
+ {
+ if (cb != NULL)
+ {
+ cb (user_data, NULL, 0, GRPC_CREDENTIALS_OK, closure_list);
+ }
+ return;
}
- return;
- }
- creds->vtable->get_request_metadata(creds, pollset, service_url, cb,
- user_data, closure_list);
+ creds->vtable->get_request_metadata (creds, pollset, service_url, cb, user_data, closure_list);
}
-grpc_security_status grpc_credentials_create_security_connector(
- grpc_credentials *creds, const char *target, const grpc_channel_args *args,
- grpc_credentials *request_metadata_creds,
- grpc_channel_security_connector **sc, grpc_channel_args **new_args) {
+grpc_security_status
+grpc_credentials_create_security_connector (grpc_credentials * creds, const char *target, const grpc_channel_args * args, grpc_credentials * request_metadata_creds, grpc_channel_security_connector ** sc, grpc_channel_args ** new_args)
+{
*new_args = NULL;
- if (creds == NULL || creds->vtable->create_security_connector == NULL ||
- grpc_credentials_has_request_metadata_only(creds)) {
- gpr_log(GPR_ERROR,
- "Invalid credentials for creating a security connector.");
- return GRPC_SECURITY_ERROR;
- }
- return creds->vtable->create_security_connector(
- creds, target, args, request_metadata_creds, sc, new_args);
+ if (creds == NULL || creds->vtable->create_security_connector == NULL || grpc_credentials_has_request_metadata_only (creds))
+ {
+ gpr_log (GPR_ERROR, "Invalid credentials for creating a security connector.");
+ return GRPC_SECURITY_ERROR;
+ }
+ return creds->vtable->create_security_connector (creds, target, args, request_metadata_creds, sc, new_args);
}
-grpc_server_credentials *grpc_server_credentials_ref(
- grpc_server_credentials *creds) {
- if (creds == NULL) return NULL;
- gpr_ref(&creds->refcount);
+grpc_server_credentials *
+grpc_server_credentials_ref (grpc_server_credentials * creds)
+{
+ if (creds == NULL)
+ return NULL;
+ gpr_ref (&creds->refcount);
return creds;
}
-void grpc_server_credentials_unref(grpc_server_credentials *creds) {
- if (creds == NULL) return;
- if (gpr_unref(&creds->refcount)) {
- creds->vtable->destruct(creds);
- if (creds->processor.destroy != NULL && creds->processor.state != NULL) {
- creds->processor.destroy(creds->processor.state);
+void
+grpc_server_credentials_unref (grpc_server_credentials * creds)
+{
+ if (creds == NULL)
+ return;
+ if (gpr_unref (&creds->refcount))
+ {
+ creds->vtable->destruct (creds);
+ if (creds->processor.destroy != NULL && creds->processor.state != NULL)
+ {
+ creds->processor.destroy (creds->processor.state);
+ }
+ gpr_free (creds);
}
- gpr_free(creds);
- }
}
-void grpc_server_credentials_release(grpc_server_credentials *creds) {
- grpc_server_credentials_unref(creds);
+void
+grpc_server_credentials_release (grpc_server_credentials * creds)
+{
+ grpc_server_credentials_unref (creds);
}
-grpc_security_status grpc_server_credentials_create_security_connector(
- grpc_server_credentials *creds, grpc_security_connector **sc) {
- if (creds == NULL || creds->vtable->create_security_connector == NULL) {
- gpr_log(GPR_ERROR, "Server credentials cannot create security context.");
- return GRPC_SECURITY_ERROR;
- }
- return creds->vtable->create_security_connector(creds, sc);
+grpc_security_status
+grpc_server_credentials_create_security_connector (grpc_server_credentials * creds, grpc_security_connector ** sc)
+{
+ if (creds == NULL || creds->vtable->create_security_connector == NULL)
+ {
+ gpr_log (GPR_ERROR, "Server credentials cannot create security context.");
+ return GRPC_SECURITY_ERROR;
+ }
+ return creds->vtable->create_security_connector (creds, sc);
}
-void grpc_server_credentials_set_auth_metadata_processor(
- grpc_server_credentials *creds, grpc_auth_metadata_processor processor) {
- if (creds == NULL) return;
- if (creds->processor.destroy != NULL && creds->processor.state != NULL) {
- creds->processor.destroy(creds->processor.state);
- }
+void
+grpc_server_credentials_set_auth_metadata_processor (grpc_server_credentials * creds, grpc_auth_metadata_processor processor)
+{
+ if (creds == NULL)
+ return;
+ if (creds->processor.destroy != NULL && creds->processor.state != NULL)
+ {
+ creds->processor.destroy (creds->processor.state);
+ }
creds->processor = processor;
}
/* -- Ssl credentials. -- */
-static void ssl_destruct(grpc_credentials *creds) {
- grpc_ssl_credentials *c = (grpc_ssl_credentials *)creds;
- if (c->config.pem_root_certs != NULL) gpr_free(c->config.pem_root_certs);
- if (c->config.pem_private_key != NULL) gpr_free(c->config.pem_private_key);
- if (c->config.pem_cert_chain != NULL) gpr_free(c->config.pem_cert_chain);
-}
-
-static void ssl_server_destruct(grpc_server_credentials *creds) {
- grpc_ssl_server_credentials *c = (grpc_ssl_server_credentials *)creds;
+static void
+ssl_destruct (grpc_credentials * creds)
+{
+ grpc_ssl_credentials *c = (grpc_ssl_credentials *) creds;
+ if (c->config.pem_root_certs != NULL)
+ gpr_free (c->config.pem_root_certs);
+ if (c->config.pem_private_key != NULL)
+ gpr_free (c->config.pem_private_key);
+ if (c->config.pem_cert_chain != NULL)
+ gpr_free (c->config.pem_cert_chain);
+}
+
+static void
+ssl_server_destruct (grpc_server_credentials * creds)
+{
+ grpc_ssl_server_credentials *c = (grpc_ssl_server_credentials *) creds;
size_t i;
- for (i = 0; i < c->config.num_key_cert_pairs; i++) {
- if (c->config.pem_private_keys[i] != NULL) {
- gpr_free(c->config.pem_private_keys[i]);
+ for (i = 0; i < c->config.num_key_cert_pairs; i++)
+ {
+ if (c->config.pem_private_keys[i] != NULL)
+ {
+ gpr_free (c->config.pem_private_keys[i]);
+ }
+ if (c->config.pem_cert_chains[i] != NULL)
+ {
+ gpr_free (c->config.pem_cert_chains[i]);
+ }
}
- if (c->config.pem_cert_chains[i] != NULL) {
- gpr_free(c->config.pem_cert_chains[i]);
+ if (c->config.pem_private_keys != NULL)
+ gpr_free (c->config.pem_private_keys);
+ if (c->config.pem_private_keys_sizes != NULL)
+ {
+ gpr_free (c->config.pem_private_keys_sizes);
}
- }
- if (c->config.pem_private_keys != NULL) gpr_free(c->config.pem_private_keys);
- if (c->config.pem_private_keys_sizes != NULL) {
- gpr_free(c->config.pem_private_keys_sizes);
- }
- if (c->config.pem_cert_chains != NULL) gpr_free(c->config.pem_cert_chains);
- if (c->config.pem_cert_chains_sizes != NULL) {
- gpr_free(c->config.pem_cert_chains_sizes);
- }
- if (c->config.pem_root_certs != NULL) gpr_free(c->config.pem_root_certs);
+ if (c->config.pem_cert_chains != NULL)
+ gpr_free (c->config.pem_cert_chains);
+ if (c->config.pem_cert_chains_sizes != NULL)
+ {
+ gpr_free (c->config.pem_cert_chains_sizes);
+ }
+ if (c->config.pem_root_certs != NULL)
+ gpr_free (c->config.pem_root_certs);
}
-static int ssl_has_request_metadata(const grpc_credentials *creds) { return 0; }
+static int
+ssl_has_request_metadata (const grpc_credentials * creds)
+{
+ return 0;
+}
-static int ssl_has_request_metadata_only(const grpc_credentials *creds) {
+static int
+ssl_has_request_metadata_only (const grpc_credentials * creds)
+{
return 0;
}
-static grpc_security_status ssl_create_security_connector(
- grpc_credentials *creds, const char *target, const grpc_channel_args *args,
- grpc_credentials *request_metadata_creds,
- grpc_channel_security_connector **sc, grpc_channel_args **new_args) {
- grpc_ssl_credentials *c = (grpc_ssl_credentials *)creds;
+static grpc_security_status
+ssl_create_security_connector (grpc_credentials * creds, const char *target, const grpc_channel_args * args, grpc_credentials * request_metadata_creds, grpc_channel_security_connector ** sc, grpc_channel_args ** new_args)
+{
+ grpc_ssl_credentials *c = (grpc_ssl_credentials *) creds;
grpc_security_status status = GRPC_SECURITY_OK;
size_t i = 0;
const char *overridden_target_name = NULL;
grpc_arg arg;
- for (i = 0; args && i < args->num_args; i++) {
- grpc_arg *arg = &args->args[i];
- if (strcmp(arg->key, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) == 0 &&
- arg->type == GRPC_ARG_STRING) {
- overridden_target_name = arg->value.string;
- break;
+ for (i = 0; args && i < args->num_args; i++)
+ {
+ grpc_arg *arg = &args->args[i];
+ if (strcmp (arg->key, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) == 0 && arg->type == GRPC_ARG_STRING)
+ {
+ overridden_target_name = arg->value.string;
+ break;
+ }
+ }
+ status = grpc_ssl_channel_security_connector_create (request_metadata_creds, &c->config, target, overridden_target_name, sc);
+ if (status != GRPC_SECURITY_OK)
+ {
+ return status;
}
- }
- status = grpc_ssl_channel_security_connector_create(
- request_metadata_creds, &c->config, target, overridden_target_name, sc);
- if (status != GRPC_SECURITY_OK) {
- return status;
- }
arg.type = GRPC_ARG_STRING;
arg.key = GRPC_ARG_HTTP2_SCHEME;
arg.value.string = "https";
- *new_args = grpc_channel_args_copy_and_add(args, &arg, 1);
+ *new_args = grpc_channel_args_copy_and_add (args, &arg, 1);
return status;
}
-static grpc_security_status ssl_server_create_security_connector(
- grpc_server_credentials *creds, grpc_security_connector **sc) {
- grpc_ssl_server_credentials *c = (grpc_ssl_server_credentials *)creds;
- return grpc_ssl_server_security_connector_create(&c->config, sc);
+static grpc_security_status
+ssl_server_create_security_connector (grpc_server_credentials * creds, grpc_security_connector ** sc)
+{
+ grpc_ssl_server_credentials *c = (grpc_ssl_server_credentials *) creds;
+ return grpc_ssl_server_security_connector_create (&c->config, sc);
}
static grpc_credentials_vtable ssl_vtable = {
- ssl_destruct, ssl_has_request_metadata, ssl_has_request_metadata_only, NULL,
- ssl_create_security_connector};
+ ssl_destruct, ssl_has_request_metadata, ssl_has_request_metadata_only, NULL,
+ ssl_create_security_connector
+};
static grpc_server_credentials_vtable ssl_server_vtable = {
- ssl_server_destruct, ssl_server_create_security_connector};
+ ssl_server_destruct, ssl_server_create_security_connector
+};
-static void ssl_copy_key_material(const char *input, unsigned char **output,
- size_t *output_size) {
- *output_size = strlen(input);
- *output = gpr_malloc(*output_size);
- memcpy(*output, input, *output_size);
+static void
+ssl_copy_key_material (const char *input, unsigned char **output, size_t * output_size)
+{
+ *output_size = strlen (input);
+ *output = gpr_malloc (*output_size);
+ memcpy (*output, input, *output_size);
}
-static void ssl_build_config(const char *pem_root_certs,
- grpc_ssl_pem_key_cert_pair *pem_key_cert_pair,
- grpc_ssl_config *config) {
- if (pem_root_certs != NULL) {
- ssl_copy_key_material(pem_root_certs, &config->pem_root_certs,
- &config->pem_root_certs_size);
- }
- if (pem_key_cert_pair != NULL) {
- GPR_ASSERT(pem_key_cert_pair->private_key != NULL);
- GPR_ASSERT(pem_key_cert_pair->cert_chain != NULL);
- ssl_copy_key_material(pem_key_cert_pair->private_key,
- &config->pem_private_key,
- &config->pem_private_key_size);
- ssl_copy_key_material(pem_key_cert_pair->cert_chain,
- &config->pem_cert_chain,
- &config->pem_cert_chain_size);
- }
+static void
+ssl_build_config (const char *pem_root_certs, grpc_ssl_pem_key_cert_pair * pem_key_cert_pair, grpc_ssl_config * config)
+{
+ if (pem_root_certs != NULL)
+ {
+ ssl_copy_key_material (pem_root_certs, &config->pem_root_certs, &config->pem_root_certs_size);
+ }
+ if (pem_key_cert_pair != NULL)
+ {
+ GPR_ASSERT (pem_key_cert_pair->private_key != NULL);
+ GPR_ASSERT (pem_key_cert_pair->cert_chain != NULL);
+ ssl_copy_key_material (pem_key_cert_pair->private_key, &config->pem_private_key, &config->pem_private_key_size);
+ ssl_copy_key_material (pem_key_cert_pair->cert_chain, &config->pem_cert_chain, &config->pem_cert_chain_size);
+ }
}
-static void ssl_build_server_config(
- const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs,
- size_t num_key_cert_pairs, int force_client_auth,
- grpc_ssl_server_config *config) {
+static void
+ssl_build_server_config (const char *pem_root_certs, grpc_ssl_pem_key_cert_pair * pem_key_cert_pairs, size_t num_key_cert_pairs, int force_client_auth, grpc_ssl_server_config * config)
+{
size_t i;
config->force_client_auth = force_client_auth;
- if (pem_root_certs != NULL) {
- ssl_copy_key_material(pem_root_certs, &config->pem_root_certs,
- &config->pem_root_certs_size);
- }
- if (num_key_cert_pairs > 0) {
- GPR_ASSERT(pem_key_cert_pairs != NULL);
- config->pem_private_keys =
- gpr_malloc(num_key_cert_pairs * sizeof(unsigned char *));
- config->pem_cert_chains =
- gpr_malloc(num_key_cert_pairs * sizeof(unsigned char *));
- config->pem_private_keys_sizes =
- gpr_malloc(num_key_cert_pairs * sizeof(size_t));
- config->pem_cert_chains_sizes =
- gpr_malloc(num_key_cert_pairs * sizeof(size_t));
- }
+ if (pem_root_certs != NULL)
+ {
+ ssl_copy_key_material (pem_root_certs, &config->pem_root_certs, &config->pem_root_certs_size);
+ }
+ if (num_key_cert_pairs > 0)
+ {
+ GPR_ASSERT (pem_key_cert_pairs != NULL);
+ config->pem_private_keys = gpr_malloc (num_key_cert_pairs * sizeof (unsigned char *));
+ config->pem_cert_chains = gpr_malloc (num_key_cert_pairs * sizeof (unsigned char *));
+ config->pem_private_keys_sizes = gpr_malloc (num_key_cert_pairs * sizeof (size_t));
+ config->pem_cert_chains_sizes = gpr_malloc (num_key_cert_pairs * sizeof (size_t));
+ }
config->num_key_cert_pairs = num_key_cert_pairs;
- for (i = 0; i < num_key_cert_pairs; i++) {
- GPR_ASSERT(pem_key_cert_pairs[i].private_key != NULL);
- GPR_ASSERT(pem_key_cert_pairs[i].cert_chain != NULL);
- ssl_copy_key_material(pem_key_cert_pairs[i].private_key,
- &config->pem_private_keys[i],
- &config->pem_private_keys_sizes[i]);
- ssl_copy_key_material(pem_key_cert_pairs[i].cert_chain,
- &config->pem_cert_chains[i],
- &config->pem_cert_chains_sizes[i]);
- }
+ for (i = 0; i < num_key_cert_pairs; i++)
+ {
+ GPR_ASSERT (pem_key_cert_pairs[i].private_key != NULL);
+ GPR_ASSERT (pem_key_cert_pairs[i].cert_chain != NULL);
+ ssl_copy_key_material (pem_key_cert_pairs[i].private_key, &config->pem_private_keys[i], &config->pem_private_keys_sizes[i]);
+ ssl_copy_key_material (pem_key_cert_pairs[i].cert_chain, &config->pem_cert_chains[i], &config->pem_cert_chains_sizes[i]);
+ }
}
-grpc_credentials *grpc_ssl_credentials_create(
- const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pair,
- void *reserved) {
- grpc_ssl_credentials *c = gpr_malloc(sizeof(grpc_ssl_credentials));
- GPR_ASSERT(reserved == NULL);
- memset(c, 0, sizeof(grpc_ssl_credentials));
+grpc_credentials *
+grpc_ssl_credentials_create (const char *pem_root_certs, grpc_ssl_pem_key_cert_pair * pem_key_cert_pair, void *reserved)
+{
+ grpc_ssl_credentials *c = gpr_malloc (sizeof (grpc_ssl_credentials));
+ GPR_ASSERT (reserved == NULL);
+ memset (c, 0, sizeof (grpc_ssl_credentials));
c->base.type = GRPC_CREDENTIALS_TYPE_SSL;
c->base.vtable = &ssl_vtable;
- gpr_ref_init(&c->base.refcount, 1);
- ssl_build_config(pem_root_certs, pem_key_cert_pair, &c->config);
+ gpr_ref_init (&c->base.refcount, 1);
+ ssl_build_config (pem_root_certs, pem_key_cert_pair, &c->config);
return &c->base;
}
-grpc_server_credentials *grpc_ssl_server_credentials_create(
- const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs,
- size_t num_key_cert_pairs, int force_client_auth, void *reserved) {
- grpc_ssl_server_credentials *c =
- gpr_malloc(sizeof(grpc_ssl_server_credentials));
- GPR_ASSERT(reserved == NULL);
- memset(c, 0, sizeof(grpc_ssl_server_credentials));
+grpc_server_credentials *
+grpc_ssl_server_credentials_create (const char *pem_root_certs, grpc_ssl_pem_key_cert_pair * pem_key_cert_pairs, size_t num_key_cert_pairs, int force_client_auth, void *reserved)
+{
+ grpc_ssl_server_credentials *c = gpr_malloc (sizeof (grpc_ssl_server_credentials));
+ GPR_ASSERT (reserved == NULL);
+ memset (c, 0, sizeof (grpc_ssl_server_credentials));
c->base.type = GRPC_CREDENTIALS_TYPE_SSL;
- gpr_ref_init(&c->base.refcount, 1);
+ gpr_ref_init (&c->base.refcount, 1);
c->base.vtable = &ssl_server_vtable;
- ssl_build_server_config(pem_root_certs, pem_key_cert_pairs,
- num_key_cert_pairs, force_client_auth, &c->config);
+ ssl_build_server_config (pem_root_certs, pem_key_cert_pairs, num_key_cert_pairs, force_client_auth, &c->config);
return &c->base;
}
/* -- Jwt credentials -- */
-static void jwt_reset_cache(grpc_service_account_jwt_access_credentials *c) {
- if (c->cached.jwt_md != NULL) {
- grpc_credentials_md_store_unref(c->cached.jwt_md);
- c->cached.jwt_md = NULL;
- }
- if (c->cached.service_url != NULL) {
- gpr_free(c->cached.service_url);
- c->cached.service_url = NULL;
- }
- c->cached.jwt_expiration = gpr_inf_past(GPR_CLOCK_REALTIME);
+static void
+jwt_reset_cache (grpc_service_account_jwt_access_credentials * c)
+{
+ if (c->cached.jwt_md != NULL)
+ {
+ grpc_credentials_md_store_unref (c->cached.jwt_md);
+ c->cached.jwt_md = NULL;
+ }
+ if (c->cached.service_url != NULL)
+ {
+ gpr_free (c->cached.service_url);
+ c->cached.service_url = NULL;
+ }
+ c->cached.jwt_expiration = gpr_inf_past (GPR_CLOCK_REALTIME);
}
-static void jwt_destruct(grpc_credentials *creds) {
- grpc_service_account_jwt_access_credentials *c =
- (grpc_service_account_jwt_access_credentials *)creds;
- grpc_auth_json_key_destruct(&c->key);
- jwt_reset_cache(c);
- gpr_mu_destroy(&c->cache_mu);
+static void
+jwt_destruct (grpc_credentials * creds)
+{
+ grpc_service_account_jwt_access_credentials *c = (grpc_service_account_jwt_access_credentials *) creds;
+ grpc_auth_json_key_destruct (&c->key);
+ jwt_reset_cache (c);
+ gpr_mu_destroy (&c->cache_mu);
}
-static int jwt_has_request_metadata(const grpc_credentials *creds) { return 1; }
+static int
+jwt_has_request_metadata (const grpc_credentials * creds)
+{
+ return 1;
+}
-static int jwt_has_request_metadata_only(const grpc_credentials *creds) {
+static int
+jwt_has_request_metadata_only (const grpc_credentials * creds)
+{
return 1;
}
-static void jwt_get_request_metadata(grpc_credentials *creds,
- grpc_pollset *pollset,
- const char *service_url,
- grpc_credentials_metadata_cb cb,
- void *user_data,
- grpc_closure_list *closure_list) {
- grpc_service_account_jwt_access_credentials *c =
- (grpc_service_account_jwt_access_credentials *)creds;
- gpr_timespec refresh_threshold = gpr_time_from_seconds(
- GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS, GPR_TIMESPAN);
+static void
+jwt_get_request_metadata (grpc_credentials * creds, grpc_pollset * pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ grpc_service_account_jwt_access_credentials *c = (grpc_service_account_jwt_access_credentials *) creds;
+ gpr_timespec refresh_threshold = gpr_time_from_seconds (GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS, GPR_TIMESPAN);
/* See if we can return a cached jwt. */
grpc_credentials_md_store *jwt_md = NULL;
{
- gpr_mu_lock(&c->cache_mu);
- if (c->cached.service_url != NULL &&
- strcmp(c->cached.service_url, service_url) == 0 &&
- c->cached.jwt_md != NULL &&
- (gpr_time_cmp(gpr_time_sub(c->cached.jwt_expiration,
- gpr_now(GPR_CLOCK_REALTIME)),
- refresh_threshold) > 0)) {
- jwt_md = grpc_credentials_md_store_ref(c->cached.jwt_md);
- }
- gpr_mu_unlock(&c->cache_mu);
+ gpr_mu_lock (&c->cache_mu);
+ if (c->cached.service_url != NULL && strcmp (c->cached.service_url, service_url) == 0 && c->cached.jwt_md != NULL && (gpr_time_cmp (gpr_time_sub (c->cached.jwt_expiration, gpr_now (GPR_CLOCK_REALTIME)), refresh_threshold) > 0))
+ {
+ jwt_md = grpc_credentials_md_store_ref (c->cached.jwt_md);
+ }
+ gpr_mu_unlock (&c->cache_mu);
}
- if (jwt_md == NULL) {
- char *jwt = NULL;
- /* Generate a new jwt. */
- gpr_mu_lock(&c->cache_mu);
- jwt_reset_cache(c);
- jwt = grpc_jwt_encode_and_sign(&c->key, service_url, c->jwt_lifetime, NULL);
- if (jwt != NULL) {
- char *md_value;
- gpr_asprintf(&md_value, "Bearer %s", jwt);
- gpr_free(jwt);
- c->cached.jwt_expiration =
- gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), c->jwt_lifetime);
- c->cached.service_url = gpr_strdup(service_url);
- c->cached.jwt_md = grpc_credentials_md_store_create(1);
- grpc_credentials_md_store_add_cstrings(
- c->cached.jwt_md, GRPC_AUTHORIZATION_METADATA_KEY, md_value);
- gpr_free(md_value);
- jwt_md = grpc_credentials_md_store_ref(c->cached.jwt_md);
+ if (jwt_md == NULL)
+ {
+ char *jwt = NULL;
+ /* Generate a new jwt. */
+ gpr_mu_lock (&c->cache_mu);
+ jwt_reset_cache (c);
+ jwt = grpc_jwt_encode_and_sign (&c->key, service_url, c->jwt_lifetime, NULL);
+ if (jwt != NULL)
+ {
+ char *md_value;
+ gpr_asprintf (&md_value, "Bearer %s", jwt);
+ gpr_free (jwt);
+ c->cached.jwt_expiration = gpr_time_add (gpr_now (GPR_CLOCK_REALTIME), c->jwt_lifetime);
+ c->cached.service_url = gpr_strdup (service_url);
+ c->cached.jwt_md = grpc_credentials_md_store_create (1);
+ grpc_credentials_md_store_add_cstrings (c->cached.jwt_md, GRPC_AUTHORIZATION_METADATA_KEY, md_value);
+ gpr_free (md_value);
+ jwt_md = grpc_credentials_md_store_ref (c->cached.jwt_md);
+ }
+ gpr_mu_unlock (&c->cache_mu);
}
- gpr_mu_unlock(&c->cache_mu);
- }
- if (jwt_md != NULL) {
- cb(user_data, jwt_md->entries, jwt_md->num_entries, GRPC_CREDENTIALS_OK,
- closure_list);
- grpc_credentials_md_store_unref(jwt_md);
- } else {
- cb(user_data, NULL, 0, GRPC_CREDENTIALS_ERROR, closure_list);
- }
+ if (jwt_md != NULL)
+ {
+ cb (user_data, jwt_md->entries, jwt_md->num_entries, GRPC_CREDENTIALS_OK, closure_list);
+ grpc_credentials_md_store_unref (jwt_md);
+ }
+ else
+ {
+ cb (user_data, NULL, 0, GRPC_CREDENTIALS_ERROR, closure_list);
+ }
}
static grpc_credentials_vtable jwt_vtable = {
- jwt_destruct, jwt_has_request_metadata, jwt_has_request_metadata_only,
- jwt_get_request_metadata, NULL};
+ jwt_destruct, jwt_has_request_metadata, jwt_has_request_metadata_only,
+ jwt_get_request_metadata, NULL
+};
grpc_credentials *
-grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
- grpc_auth_json_key key, gpr_timespec token_lifetime) {
+grpc_service_account_jwt_access_credentials_create_from_auth_json_key (grpc_auth_json_key key, gpr_timespec token_lifetime)
+{
grpc_service_account_jwt_access_credentials *c;
- if (!grpc_auth_json_key_is_valid(&key)) {
- gpr_log(GPR_ERROR, "Invalid input for jwt credentials creation");
- return NULL;
- }
- c = gpr_malloc(sizeof(grpc_service_account_jwt_access_credentials));
- memset(c, 0, sizeof(grpc_service_account_jwt_access_credentials));
+ if (!grpc_auth_json_key_is_valid (&key))
+ {
+ gpr_log (GPR_ERROR, "Invalid input for jwt credentials creation");
+ return NULL;
+ }
+ c = gpr_malloc (sizeof (grpc_service_account_jwt_access_credentials));
+ memset (c, 0, sizeof (grpc_service_account_jwt_access_credentials));
c->base.type = GRPC_CREDENTIALS_TYPE_JWT;
- gpr_ref_init(&c->base.refcount, 1);
+ gpr_ref_init (&c->base.refcount, 1);
c->base.vtable = &jwt_vtable;
c->key = key;
c->jwt_lifetime = token_lifetime;
- gpr_mu_init(&c->cache_mu);
- jwt_reset_cache(c);
+ gpr_mu_init (&c->cache_mu);
+ jwt_reset_cache (c);
return &c->base;
}
-grpc_credentials *grpc_service_account_jwt_access_credentials_create(
- const char *json_key, gpr_timespec token_lifetime, void *reserved) {
- GPR_ASSERT(reserved == NULL);
- return grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
- grpc_auth_json_key_create_from_string(json_key), token_lifetime);
+grpc_credentials *
+grpc_service_account_jwt_access_credentials_create (const char *json_key, gpr_timespec token_lifetime, void *reserved)
+{
+ GPR_ASSERT (reserved == NULL);
+ return grpc_service_account_jwt_access_credentials_create_from_auth_json_key (grpc_auth_json_key_create_from_string (json_key), token_lifetime);
}
/* -- Oauth2TokenFetcher credentials -- */
-static void oauth2_token_fetcher_destruct(grpc_credentials *creds) {
- grpc_oauth2_token_fetcher_credentials *c =
- (grpc_oauth2_token_fetcher_credentials *)creds;
- grpc_credentials_md_store_unref(c->access_token_md);
- gpr_mu_destroy(&c->mu);
- grpc_httpcli_context_destroy(&c->httpcli_context);
+static void
+oauth2_token_fetcher_destruct (grpc_credentials * creds)
+{
+ grpc_oauth2_token_fetcher_credentials *c = (grpc_oauth2_token_fetcher_credentials *) creds;
+ grpc_credentials_md_store_unref (c->access_token_md);
+ gpr_mu_destroy (&c->mu);
+ grpc_httpcli_context_destroy (&c->httpcli_context);
}
-static int oauth2_token_fetcher_has_request_metadata(
- const grpc_credentials *creds) {
+static int
+oauth2_token_fetcher_has_request_metadata (const grpc_credentials * creds)
+{
return 1;
}
-static int oauth2_token_fetcher_has_request_metadata_only(
- const grpc_credentials *creds) {
+static int
+oauth2_token_fetcher_has_request_metadata_only (const grpc_credentials * creds)
+{
return 1;
}
grpc_credentials_status
-grpc_oauth2_token_fetcher_credentials_parse_server_response(
- const grpc_httpcli_response *response, grpc_credentials_md_store **token_md,
- gpr_timespec *token_lifetime) {
+grpc_oauth2_token_fetcher_credentials_parse_server_response (const grpc_httpcli_response * response, grpc_credentials_md_store ** token_md, gpr_timespec * token_lifetime)
+{
char *null_terminated_body = NULL;
char *new_access_token = NULL;
grpc_credentials_status status = GRPC_CREDENTIALS_OK;
grpc_json *json = NULL;
- if (response == NULL) {
- gpr_log(GPR_ERROR, "Received NULL response.");
- status = GRPC_CREDENTIALS_ERROR;
- goto end;
- }
-
- if (response->body_length > 0) {
- null_terminated_body = gpr_malloc(response->body_length + 1);
- null_terminated_body[response->body_length] = '\0';
- memcpy(null_terminated_body, response->body, response->body_length);
- }
-
- if (response->status != 200) {
- gpr_log(GPR_ERROR, "Call to http server ended with error %d [%s].",
- response->status,
- null_terminated_body != NULL ? null_terminated_body : "");
- status = GRPC_CREDENTIALS_ERROR;
- goto end;
- } else {
- grpc_json *access_token = NULL;
- grpc_json *token_type = NULL;
- grpc_json *expires_in = NULL;
- grpc_json *ptr;
- json = grpc_json_parse_string(null_terminated_body);
- if (json == NULL) {
- gpr_log(GPR_ERROR, "Could not parse JSON from %s", null_terminated_body);
- status = GRPC_CREDENTIALS_ERROR;
- goto end;
- }
- if (json->type != GRPC_JSON_OBJECT) {
- gpr_log(GPR_ERROR, "Response should be a JSON object");
+ if (response == NULL)
+ {
+ gpr_log (GPR_ERROR, "Received NULL response.");
status = GRPC_CREDENTIALS_ERROR;
goto end;
}
- for (ptr = json->child; ptr; ptr = ptr->next) {
- if (strcmp(ptr->key, "access_token") == 0) {
- access_token = ptr;
- } else if (strcmp(ptr->key, "token_type") == 0) {
- token_type = ptr;
- } else if (strcmp(ptr->key, "expires_in") == 0) {
- expires_in = ptr;
- }
+
+ if (response->body_length > 0)
+ {
+ null_terminated_body = gpr_malloc (response->body_length + 1);
+ null_terminated_body[response->body_length] = '\0';
+ memcpy (null_terminated_body, response->body, response->body_length);
}
- if (access_token == NULL || access_token->type != GRPC_JSON_STRING) {
- gpr_log(GPR_ERROR, "Missing or invalid access_token in JSON.");
+
+ if (response->status != 200)
+ {
+ gpr_log (GPR_ERROR, "Call to http server ended with error %d [%s].", response->status, null_terminated_body != NULL ? null_terminated_body : "");
status = GRPC_CREDENTIALS_ERROR;
goto end;
}
- if (token_type == NULL || token_type->type != GRPC_JSON_STRING) {
- gpr_log(GPR_ERROR, "Missing or invalid token_type in JSON.");
- status = GRPC_CREDENTIALS_ERROR;
- goto end;
+ else
+ {
+ grpc_json *access_token = NULL;
+ grpc_json *token_type = NULL;
+ grpc_json *expires_in = NULL;
+ grpc_json *ptr;
+ json = grpc_json_parse_string (null_terminated_body);
+ if (json == NULL)
+ {
+ gpr_log (GPR_ERROR, "Could not parse JSON from %s", null_terminated_body);
+ status = GRPC_CREDENTIALS_ERROR;
+ goto end;
+ }
+ if (json->type != GRPC_JSON_OBJECT)
+ {
+ gpr_log (GPR_ERROR, "Response should be a JSON object");
+ status = GRPC_CREDENTIALS_ERROR;
+ goto end;
+ }
+ for (ptr = json->child; ptr; ptr = ptr->next)
+ {
+ if (strcmp (ptr->key, "access_token") == 0)
+ {
+ access_token = ptr;
+ }
+ else if (strcmp (ptr->key, "token_type") == 0)
+ {
+ token_type = ptr;
+ }
+ else if (strcmp (ptr->key, "expires_in") == 0)
+ {
+ expires_in = ptr;
+ }
+ }
+ if (access_token == NULL || access_token->type != GRPC_JSON_STRING)
+ {
+ gpr_log (GPR_ERROR, "Missing or invalid access_token in JSON.");
+ status = GRPC_CREDENTIALS_ERROR;
+ goto end;
+ }
+ if (token_type == NULL || token_type->type != GRPC_JSON_STRING)
+ {
+ gpr_log (GPR_ERROR, "Missing or invalid token_type in JSON.");
+ status = GRPC_CREDENTIALS_ERROR;
+ goto end;
+ }
+ if (expires_in == NULL || expires_in->type != GRPC_JSON_NUMBER)
+ {
+ gpr_log (GPR_ERROR, "Missing or invalid expires_in in JSON.");
+ status = GRPC_CREDENTIALS_ERROR;
+ goto end;
+ }
+ gpr_asprintf (&new_access_token, "%s %s", token_type->value, access_token->value);
+ token_lifetime->tv_sec = strtol (expires_in->value, NULL, 10);
+ token_lifetime->tv_nsec = 0;
+ token_lifetime->clock_type = GPR_TIMESPAN;
+ if (*token_md != NULL)
+ grpc_credentials_md_store_unref (*token_md);
+ *token_md = grpc_credentials_md_store_create (1);
+ grpc_credentials_md_store_add_cstrings (*token_md, GRPC_AUTHORIZATION_METADATA_KEY, new_access_token);
+ status = GRPC_CREDENTIALS_OK;
}
- if (expires_in == NULL || expires_in->type != GRPC_JSON_NUMBER) {
- gpr_log(GPR_ERROR, "Missing or invalid expires_in in JSON.");
- status = GRPC_CREDENTIALS_ERROR;
- goto end;
- }
- gpr_asprintf(&new_access_token, "%s %s", token_type->value,
- access_token->value);
- token_lifetime->tv_sec = strtol(expires_in->value, NULL, 10);
- token_lifetime->tv_nsec = 0;
- token_lifetime->clock_type = GPR_TIMESPAN;
- if (*token_md != NULL) grpc_credentials_md_store_unref(*token_md);
- *token_md = grpc_credentials_md_store_create(1);
- grpc_credentials_md_store_add_cstrings(
- *token_md, GRPC_AUTHORIZATION_METADATA_KEY, new_access_token);
- status = GRPC_CREDENTIALS_OK;
- }
end:
- if (status != GRPC_CREDENTIALS_OK && (*token_md != NULL)) {
- grpc_credentials_md_store_unref(*token_md);
- *token_md = NULL;
- }
- if (null_terminated_body != NULL) gpr_free(null_terminated_body);
- if (new_access_token != NULL) gpr_free(new_access_token);
- if (json != NULL) grpc_json_destroy(json);
+ if (status != GRPC_CREDENTIALS_OK && (*token_md != NULL))
+ {
+ grpc_credentials_md_store_unref (*token_md);
+ *token_md = NULL;
+ }
+ if (null_terminated_body != NULL)
+ gpr_free (null_terminated_body);
+ if (new_access_token != NULL)
+ gpr_free (new_access_token);
+ if (json != NULL)
+ grpc_json_destroy (json);
return status;
}
-static void on_oauth2_token_fetcher_http_response(
- void *user_data, const grpc_httpcli_response *response,
- grpc_closure_list *closure_list) {
- grpc_credentials_metadata_request *r =
- (grpc_credentials_metadata_request *)user_data;
- grpc_oauth2_token_fetcher_credentials *c =
- (grpc_oauth2_token_fetcher_credentials *)r->creds;
+static void
+on_oauth2_token_fetcher_http_response (void *user_data, const grpc_httpcli_response * response, grpc_closure_list * closure_list)
+{
+ grpc_credentials_metadata_request *r = (grpc_credentials_metadata_request *) user_data;
+ grpc_oauth2_token_fetcher_credentials *c = (grpc_oauth2_token_fetcher_credentials *) r->creds;
gpr_timespec token_lifetime;
grpc_credentials_status status;
- gpr_mu_lock(&c->mu);
- status = grpc_oauth2_token_fetcher_credentials_parse_server_response(
- response, &c->access_token_md, &token_lifetime);
- if (status == GRPC_CREDENTIALS_OK) {
- c->token_expiration =
- gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), token_lifetime);
- r->cb(r->user_data, c->access_token_md->entries,
- c->access_token_md->num_entries, status, closure_list);
- } else {
- c->token_expiration = gpr_inf_past(GPR_CLOCK_REALTIME);
- r->cb(r->user_data, NULL, 0, status, closure_list);
- }
- gpr_mu_unlock(&c->mu);
- grpc_credentials_metadata_request_destroy(r);
-}
-
-static void oauth2_token_fetcher_get_request_metadata(
- grpc_credentials *creds, grpc_pollset *pollset, const char *service_url,
- grpc_credentials_metadata_cb cb, void *user_data,
- grpc_closure_list *closure_list) {
- grpc_oauth2_token_fetcher_credentials *c =
- (grpc_oauth2_token_fetcher_credentials *)creds;
- gpr_timespec refresh_threshold = gpr_time_from_seconds(
- GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS, GPR_TIMESPAN);
+ gpr_mu_lock (&c->mu);
+ status = grpc_oauth2_token_fetcher_credentials_parse_server_response (response, &c->access_token_md, &token_lifetime);
+ if (status == GRPC_CREDENTIALS_OK)
+ {
+ c->token_expiration = gpr_time_add (gpr_now (GPR_CLOCK_REALTIME), token_lifetime);
+ r->cb (r->user_data, c->access_token_md->entries, c->access_token_md->num_entries, status, closure_list);
+ }
+ else
+ {
+ c->token_expiration = gpr_inf_past (GPR_CLOCK_REALTIME);
+ r->cb (r->user_data, NULL, 0, status, closure_list);
+ }
+ gpr_mu_unlock (&c->mu);
+ grpc_credentials_metadata_request_destroy (r);
+}
+
+static void
+oauth2_token_fetcher_get_request_metadata (grpc_credentials * creds, grpc_pollset * pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ grpc_oauth2_token_fetcher_credentials *c = (grpc_oauth2_token_fetcher_credentials *) creds;
+ gpr_timespec refresh_threshold = gpr_time_from_seconds (GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS, GPR_TIMESPAN);
grpc_credentials_md_store *cached_access_token_md = NULL;
{
- gpr_mu_lock(&c->mu);
- if (c->access_token_md != NULL &&
- (gpr_time_cmp(
- gpr_time_sub(c->token_expiration, gpr_now(GPR_CLOCK_REALTIME)),
- refresh_threshold) > 0)) {
- cached_access_token_md =
- grpc_credentials_md_store_ref(c->access_token_md);
- }
- gpr_mu_unlock(&c->mu);
- }
- if (cached_access_token_md != NULL) {
- cb(user_data, cached_access_token_md->entries,
- cached_access_token_md->num_entries, GRPC_CREDENTIALS_OK, closure_list);
- grpc_credentials_md_store_unref(cached_access_token_md);
- } else {
- c->fetch_func(
- grpc_credentials_metadata_request_create(creds, cb, user_data),
- &c->httpcli_context, pollset, on_oauth2_token_fetcher_http_response,
- gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), refresh_threshold),
- closure_list);
+ gpr_mu_lock (&c->mu);
+ if (c->access_token_md != NULL && (gpr_time_cmp (gpr_time_sub (c->token_expiration, gpr_now (GPR_CLOCK_REALTIME)), refresh_threshold) > 0))
+ {
+ cached_access_token_md = grpc_credentials_md_store_ref (c->access_token_md);
+ }
+ gpr_mu_unlock (&c->mu);
}
+ if (cached_access_token_md != NULL)
+ {
+ cb (user_data, cached_access_token_md->entries, cached_access_token_md->num_entries, GRPC_CREDENTIALS_OK, closure_list);
+ grpc_credentials_md_store_unref (cached_access_token_md);
+ }
+ else
+ {
+ c->fetch_func (grpc_credentials_metadata_request_create (creds, cb, user_data), &c->httpcli_context, pollset, on_oauth2_token_fetcher_http_response, gpr_time_add (gpr_now (GPR_CLOCK_REALTIME), refresh_threshold), closure_list);
+ }
}
-static void init_oauth2_token_fetcher(grpc_oauth2_token_fetcher_credentials *c,
- grpc_fetch_oauth2_func fetch_func) {
- memset(c, 0, sizeof(grpc_oauth2_token_fetcher_credentials));
+static void
+init_oauth2_token_fetcher (grpc_oauth2_token_fetcher_credentials * c, grpc_fetch_oauth2_func fetch_func)
+{
+ memset (c, 0, sizeof (grpc_oauth2_token_fetcher_credentials));
c->base.type = GRPC_CREDENTIALS_TYPE_OAUTH2;
- gpr_ref_init(&c->base.refcount, 1);
- gpr_mu_init(&c->mu);
- c->token_expiration = gpr_inf_past(GPR_CLOCK_REALTIME);
+ gpr_ref_init (&c->base.refcount, 1);
+ gpr_mu_init (&c->mu);
+ c->token_expiration = gpr_inf_past (GPR_CLOCK_REALTIME);
c->fetch_func = fetch_func;
- grpc_httpcli_context_init(&c->httpcli_context);
+ grpc_httpcli_context_init (&c->httpcli_context);
}
/* -- GoogleComputeEngine credentials. -- */
static grpc_credentials_vtable compute_engine_vtable = {
- oauth2_token_fetcher_destruct, oauth2_token_fetcher_has_request_metadata,
- oauth2_token_fetcher_has_request_metadata_only,
- oauth2_token_fetcher_get_request_metadata, NULL};
-
-static void compute_engine_fetch_oauth2(
- grpc_credentials_metadata_request *metadata_req,
- grpc_httpcli_context *httpcli_context, grpc_pollset *pollset,
- grpc_httpcli_response_cb response_cb, gpr_timespec deadline,
- grpc_closure_list *closure_list) {
- grpc_httpcli_header header = {"Metadata-Flavor", "Google"};
+ oauth2_token_fetcher_destruct, oauth2_token_fetcher_has_request_metadata,
+ oauth2_token_fetcher_has_request_metadata_only,
+ oauth2_token_fetcher_get_request_metadata, NULL
+};
+
+static void
+compute_engine_fetch_oauth2 (grpc_credentials_metadata_request * metadata_req, grpc_httpcli_context * httpcli_context, grpc_pollset * pollset, grpc_httpcli_response_cb response_cb, gpr_timespec deadline, grpc_closure_list * closure_list)
+{
+ grpc_httpcli_header header = { "Metadata-Flavor", "Google" };
grpc_httpcli_request request;
- memset(&request, 0, sizeof(grpc_httpcli_request));
+ memset (&request, 0, sizeof (grpc_httpcli_request));
request.host = GRPC_COMPUTE_ENGINE_METADATA_HOST;
request.path = GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH;
request.hdr_count = 1;
request.hdrs = &header;
- grpc_httpcli_get(httpcli_context, pollset, &request, deadline, response_cb,
- metadata_req, closure_list);
+ grpc_httpcli_get (httpcli_context, pollset, &request, deadline, response_cb, metadata_req, closure_list);
}
-grpc_credentials *grpc_google_compute_engine_credentials_create(
- void *reserved) {
- grpc_oauth2_token_fetcher_credentials *c =
- gpr_malloc(sizeof(grpc_oauth2_token_fetcher_credentials));
- GPR_ASSERT(reserved == NULL);
- init_oauth2_token_fetcher(c, compute_engine_fetch_oauth2);
+grpc_credentials *
+grpc_google_compute_engine_credentials_create (void *reserved)
+{
+ grpc_oauth2_token_fetcher_credentials *c = gpr_malloc (sizeof (grpc_oauth2_token_fetcher_credentials));
+ GPR_ASSERT (reserved == NULL);
+ init_oauth2_token_fetcher (c, compute_engine_fetch_oauth2);
c->base.vtable = &compute_engine_vtable;
return &c->base;
}
/* -- GoogleRefreshToken credentials. -- */
-static void refresh_token_destruct(grpc_credentials *creds) {
- grpc_google_refresh_token_credentials *c =
- (grpc_google_refresh_token_credentials *)creds;
- grpc_auth_refresh_token_destruct(&c->refresh_token);
- oauth2_token_fetcher_destruct(&c->base.base);
+static void
+refresh_token_destruct (grpc_credentials * creds)
+{
+ grpc_google_refresh_token_credentials *c = (grpc_google_refresh_token_credentials *) creds;
+ grpc_auth_refresh_token_destruct (&c->refresh_token);
+ oauth2_token_fetcher_destruct (&c->base.base);
}
static grpc_credentials_vtable refresh_token_vtable = {
- refresh_token_destruct, oauth2_token_fetcher_has_request_metadata,
- oauth2_token_fetcher_has_request_metadata_only,
- oauth2_token_fetcher_get_request_metadata, NULL};
-
-static void refresh_token_fetch_oauth2(
- grpc_credentials_metadata_request *metadata_req,
- grpc_httpcli_context *httpcli_context, grpc_pollset *pollset,
- grpc_httpcli_response_cb response_cb, gpr_timespec deadline,
- grpc_closure_list *closure_list) {
- grpc_google_refresh_token_credentials *c =
- (grpc_google_refresh_token_credentials *)metadata_req->creds;
- grpc_httpcli_header header = {"Content-Type",
- "application/x-www-form-urlencoded"};
+ refresh_token_destruct, oauth2_token_fetcher_has_request_metadata,
+ oauth2_token_fetcher_has_request_metadata_only,
+ oauth2_token_fetcher_get_request_metadata, NULL
+};
+
+static void
+refresh_token_fetch_oauth2 (grpc_credentials_metadata_request * metadata_req, grpc_httpcli_context * httpcli_context, grpc_pollset * pollset, grpc_httpcli_response_cb response_cb, gpr_timespec deadline, grpc_closure_list * closure_list)
+{
+ grpc_google_refresh_token_credentials *c = (grpc_google_refresh_token_credentials *) metadata_req->creds;
+ grpc_httpcli_header header = { "Content-Type",
+ "application/x-www-form-urlencoded"
+ };
grpc_httpcli_request request;
char *body = NULL;
- gpr_asprintf(&body, GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING,
- c->refresh_token.client_id, c->refresh_token.client_secret,
- c->refresh_token.refresh_token);
- memset(&request, 0, sizeof(grpc_httpcli_request));
+ gpr_asprintf (&body, GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING, c->refresh_token.client_id, c->refresh_token.client_secret, c->refresh_token.refresh_token);
+ memset (&request, 0, sizeof (grpc_httpcli_request));
request.host = GRPC_GOOGLE_OAUTH2_SERVICE_HOST;
request.path = GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH;
request.hdr_count = 1;
request.hdrs = &header;
request.handshaker = &grpc_httpcli_ssl;
- grpc_httpcli_post(httpcli_context, pollset, &request, body, strlen(body),
- deadline, response_cb, metadata_req, closure_list);
- gpr_free(body);
+ grpc_httpcli_post (httpcli_context, pollset, &request, body, strlen (body), deadline, response_cb, metadata_req, closure_list);
+ gpr_free (body);
}
-grpc_credentials *grpc_refresh_token_credentials_create_from_auth_refresh_token(
- grpc_auth_refresh_token refresh_token) {
+grpc_credentials *
+grpc_refresh_token_credentials_create_from_auth_refresh_token (grpc_auth_refresh_token refresh_token)
+{
grpc_google_refresh_token_credentials *c;
- if (!grpc_auth_refresh_token_is_valid(&refresh_token)) {
- gpr_log(GPR_ERROR, "Invalid input for refresh token credentials creation");
- return NULL;
- }
- c = gpr_malloc(sizeof(grpc_google_refresh_token_credentials));
- memset(c, 0, sizeof(grpc_google_refresh_token_credentials));
- init_oauth2_token_fetcher(&c->base, refresh_token_fetch_oauth2);
+ if (!grpc_auth_refresh_token_is_valid (&refresh_token))
+ {
+ gpr_log (GPR_ERROR, "Invalid input for refresh token credentials creation");
+ return NULL;
+ }
+ c = gpr_malloc (sizeof (grpc_google_refresh_token_credentials));
+ memset (c, 0, sizeof (grpc_google_refresh_token_credentials));
+ init_oauth2_token_fetcher (&c->base, refresh_token_fetch_oauth2);
c->base.base.vtable = &refresh_token_vtable;
c->refresh_token = refresh_token;
return &c->base.base;
}
-grpc_credentials *grpc_google_refresh_token_credentials_create(
- const char *json_refresh_token, void *reserved) {
- GPR_ASSERT(reserved == NULL);
- return grpc_refresh_token_credentials_create_from_auth_refresh_token(
- grpc_auth_refresh_token_create_from_string(json_refresh_token));
+grpc_credentials *
+grpc_google_refresh_token_credentials_create (const char *json_refresh_token, void *reserved)
+{
+ GPR_ASSERT (reserved == NULL);
+ return grpc_refresh_token_credentials_create_from_auth_refresh_token (grpc_auth_refresh_token_create_from_string (json_refresh_token));
}
/* -- Metadata-only credentials. -- */
-static void md_only_test_destruct(grpc_credentials *creds) {
- grpc_md_only_test_credentials *c = (grpc_md_only_test_credentials *)creds;
- grpc_credentials_md_store_unref(c->md_store);
+static void
+md_only_test_destruct (grpc_credentials * creds)
+{
+ grpc_md_only_test_credentials *c = (grpc_md_only_test_credentials *) creds;
+ grpc_credentials_md_store_unref (c->md_store);
}
-static int md_only_test_has_request_metadata(const grpc_credentials *creds) {
+static int
+md_only_test_has_request_metadata (const grpc_credentials * creds)
+{
return 1;
}
-static int md_only_test_has_request_metadata_only(
- const grpc_credentials *creds) {
+static int
+md_only_test_has_request_metadata_only (const grpc_credentials * creds)
+{
return 1;
}
-static void on_simulated_token_fetch_done(void *user_data) {
- grpc_credentials_metadata_request *r =
- (grpc_credentials_metadata_request *)user_data;
- grpc_md_only_test_credentials *c = (grpc_md_only_test_credentials *)r->creds;
+static void
+on_simulated_token_fetch_done (void *user_data)
+{
+ grpc_credentials_metadata_request *r = (grpc_credentials_metadata_request *) user_data;
+ grpc_md_only_test_credentials *c = (grpc_md_only_test_credentials *) r->creds;
grpc_closure_list closure_list = GRPC_CLOSURE_LIST_INIT;
- r->cb(r->user_data, c->md_store->entries, c->md_store->num_entries,
- GRPC_CREDENTIALS_OK, &closure_list);
- grpc_credentials_metadata_request_destroy(r);
- grpc_closure_list_run(&closure_list);
-}
-
-static void md_only_test_get_request_metadata(grpc_credentials *creds,
- grpc_pollset *pollset,
- const char *service_url,
- grpc_credentials_metadata_cb cb,
- void *user_data,
- grpc_closure_list *closure_list) {
- grpc_md_only_test_credentials *c = (grpc_md_only_test_credentials *)creds;
-
- if (c->is_async) {
- gpr_thd_id thd_id;
- grpc_credentials_metadata_request *cb_arg =
- grpc_credentials_metadata_request_create(creds, cb, user_data);
- gpr_thd_new(&thd_id, on_simulated_token_fetch_done, cb_arg, NULL);
- } else {
- cb(user_data, c->md_store->entries, 1, GRPC_CREDENTIALS_OK, closure_list);
- }
+ r->cb (r->user_data, c->md_store->entries, c->md_store->num_entries, GRPC_CREDENTIALS_OK, &closure_list);
+ grpc_credentials_metadata_request_destroy (r);
+ grpc_closure_list_run (&closure_list);
+}
+
+static void
+md_only_test_get_request_metadata (grpc_credentials * creds, grpc_pollset * pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ grpc_md_only_test_credentials *c = (grpc_md_only_test_credentials *) creds;
+
+ if (c->is_async)
+ {
+ gpr_thd_id thd_id;
+ grpc_credentials_metadata_request *cb_arg = grpc_credentials_metadata_request_create (creds, cb, user_data);
+ gpr_thd_new (&thd_id, on_simulated_token_fetch_done, cb_arg, NULL);
+ }
+ else
+ {
+ cb (user_data, c->md_store->entries, 1, GRPC_CREDENTIALS_OK, closure_list);
+ }
}
static grpc_credentials_vtable md_only_test_vtable = {
- md_only_test_destruct, md_only_test_has_request_metadata,
- md_only_test_has_request_metadata_only, md_only_test_get_request_metadata,
- NULL};
-
-grpc_credentials *grpc_md_only_test_credentials_create(const char *md_key,
- const char *md_value,
- int is_async) {
- grpc_md_only_test_credentials *c =
- gpr_malloc(sizeof(grpc_md_only_test_credentials));
- memset(c, 0, sizeof(grpc_md_only_test_credentials));
+ md_only_test_destruct, md_only_test_has_request_metadata,
+ md_only_test_has_request_metadata_only, md_only_test_get_request_metadata,
+ NULL
+};
+
+grpc_credentials *
+grpc_md_only_test_credentials_create (const char *md_key, const char *md_value, int is_async)
+{
+ grpc_md_only_test_credentials *c = gpr_malloc (sizeof (grpc_md_only_test_credentials));
+ memset (c, 0, sizeof (grpc_md_only_test_credentials));
c->base.type = GRPC_CREDENTIALS_TYPE_OAUTH2;
c->base.vtable = &md_only_test_vtable;
- gpr_ref_init(&c->base.refcount, 1);
- c->md_store = grpc_credentials_md_store_create(1);
- grpc_credentials_md_store_add_cstrings(c->md_store, md_key, md_value);
+ gpr_ref_init (&c->base.refcount, 1);
+ c->md_store = grpc_credentials_md_store_create (1);
+ grpc_credentials_md_store_add_cstrings (c->md_store, md_key, md_value);
c->is_async = is_async;
return &c->base;
}
/* -- Oauth2 Access Token credentials. -- */
-static void access_token_destruct(grpc_credentials *creds) {
- grpc_access_token_credentials *c = (grpc_access_token_credentials *)creds;
- grpc_credentials_md_store_unref(c->access_token_md);
+static void
+access_token_destruct (grpc_credentials * creds)
+{
+ grpc_access_token_credentials *c = (grpc_access_token_credentials *) creds;
+ grpc_credentials_md_store_unref (c->access_token_md);
}
-static int access_token_has_request_metadata(const grpc_credentials *creds) {
+static int
+access_token_has_request_metadata (const grpc_credentials * creds)
+{
return 1;
}
-static int access_token_has_request_metadata_only(
- const grpc_credentials *creds) {
+static int
+access_token_has_request_metadata_only (const grpc_credentials * creds)
+{
return 1;
}
-static void access_token_get_request_metadata(grpc_credentials *creds,
- grpc_pollset *pollset,
- const char *service_url,
- grpc_credentials_metadata_cb cb,
- void *user_data,
- grpc_closure_list *closure_list) {
- grpc_access_token_credentials *c = (grpc_access_token_credentials *)creds;
- cb(user_data, c->access_token_md->entries, 1, GRPC_CREDENTIALS_OK,
- closure_list);
+static void
+access_token_get_request_metadata (grpc_credentials * creds, grpc_pollset * pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ grpc_access_token_credentials *c = (grpc_access_token_credentials *) creds;
+ cb (user_data, c->access_token_md->entries, 1, GRPC_CREDENTIALS_OK, closure_list);
}
static grpc_credentials_vtable access_token_vtable = {
- access_token_destruct, access_token_has_request_metadata,
- access_token_has_request_metadata_only, access_token_get_request_metadata,
- NULL};
-
-grpc_credentials *grpc_access_token_credentials_create(const char *access_token,
- void *reserved) {
- grpc_access_token_credentials *c =
- gpr_malloc(sizeof(grpc_access_token_credentials));
+ access_token_destruct, access_token_has_request_metadata,
+ access_token_has_request_metadata_only, access_token_get_request_metadata,
+ NULL
+};
+
+grpc_credentials *
+grpc_access_token_credentials_create (const char *access_token, void *reserved)
+{
+ grpc_access_token_credentials *c = gpr_malloc (sizeof (grpc_access_token_credentials));
char *token_md_value;
- GPR_ASSERT(reserved == NULL);
- memset(c, 0, sizeof(grpc_access_token_credentials));
+ GPR_ASSERT (reserved == NULL);
+ memset (c, 0, sizeof (grpc_access_token_credentials));
c->base.type = GRPC_CREDENTIALS_TYPE_OAUTH2;
c->base.vtable = &access_token_vtable;
- gpr_ref_init(&c->base.refcount, 1);
- c->access_token_md = grpc_credentials_md_store_create(1);
- gpr_asprintf(&token_md_value, "Bearer %s", access_token);
- grpc_credentials_md_store_add_cstrings(
- c->access_token_md, GRPC_AUTHORIZATION_METADATA_KEY, token_md_value);
- gpr_free(token_md_value);
+ gpr_ref_init (&c->base.refcount, 1);
+ c->access_token_md = grpc_credentials_md_store_create (1);
+ gpr_asprintf (&token_md_value, "Bearer %s", access_token);
+ grpc_credentials_md_store_add_cstrings (c->access_token_md, GRPC_AUTHORIZATION_METADATA_KEY, token_md_value);
+ gpr_free (token_md_value);
return &c->base;
}
/* -- Fake transport security credentials. -- */
-static void fake_transport_security_credentials_destruct(
- grpc_credentials *creds) {
+static void
+fake_transport_security_credentials_destruct (grpc_credentials * creds)
+{
/* Nothing to do here. */
}
-static void fake_transport_security_server_credentials_destruct(
- grpc_server_credentials *creds) {
+static void
+fake_transport_security_server_credentials_destruct (grpc_server_credentials * creds)
+{
/* Nothing to do here. */
}
-static int fake_transport_security_has_request_metadata(
- const grpc_credentials *creds) {
+static int
+fake_transport_security_has_request_metadata (const grpc_credentials * creds)
+{
return 0;
}
-static int fake_transport_security_has_request_metadata_only(
- const grpc_credentials *creds) {
+static int
+fake_transport_security_has_request_metadata_only (const grpc_credentials * creds)
+{
return 0;
}
-static grpc_security_status fake_transport_security_create_security_connector(
- grpc_credentials *c, const char *target, const grpc_channel_args *args,
- grpc_credentials *request_metadata_creds,
- grpc_channel_security_connector **sc, grpc_channel_args **new_args) {
- *sc = grpc_fake_channel_security_connector_create(request_metadata_creds, 1);
+static grpc_security_status
+fake_transport_security_create_security_connector (grpc_credentials * c, const char *target, const grpc_channel_args * args, grpc_credentials * request_metadata_creds, grpc_channel_security_connector ** sc, grpc_channel_args ** new_args)
+{
+ *sc = grpc_fake_channel_security_connector_create (request_metadata_creds, 1);
return GRPC_SECURITY_OK;
}
static grpc_security_status
-fake_transport_security_server_create_security_connector(
- grpc_server_credentials *c, grpc_security_connector **sc) {
- *sc = grpc_fake_server_security_connector_create();
+fake_transport_security_server_create_security_connector (grpc_server_credentials * c, grpc_security_connector ** sc)
+{
+ *sc = grpc_fake_server_security_connector_create ();
return GRPC_SECURITY_OK;
}
static grpc_credentials_vtable fake_transport_security_credentials_vtable = {
- fake_transport_security_credentials_destruct,
- fake_transport_security_has_request_metadata,
- fake_transport_security_has_request_metadata_only, NULL,
- fake_transport_security_create_security_connector};
-
-static grpc_server_credentials_vtable
- fake_transport_security_server_credentials_vtable = {
- fake_transport_security_server_credentials_destruct,
- fake_transport_security_server_create_security_connector};
-
-grpc_credentials *grpc_fake_transport_security_credentials_create(void) {
- grpc_credentials *c = gpr_malloc(sizeof(grpc_credentials));
- memset(c, 0, sizeof(grpc_credentials));
+ fake_transport_security_credentials_destruct,
+ fake_transport_security_has_request_metadata,
+ fake_transport_security_has_request_metadata_only, NULL,
+ fake_transport_security_create_security_connector
+};
+
+static grpc_server_credentials_vtable fake_transport_security_server_credentials_vtable = {
+ fake_transport_security_server_credentials_destruct,
+ fake_transport_security_server_create_security_connector
+};
+
+grpc_credentials *
+grpc_fake_transport_security_credentials_create (void)
+{
+ grpc_credentials *c = gpr_malloc (sizeof (grpc_credentials));
+ memset (c, 0, sizeof (grpc_credentials));
c->type = GRPC_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY;
c->vtable = &fake_transport_security_credentials_vtable;
- gpr_ref_init(&c->refcount, 1);
+ gpr_ref_init (&c->refcount, 1);
return c;
}
-grpc_server_credentials *grpc_fake_transport_security_server_credentials_create(
- void) {
- grpc_server_credentials *c = gpr_malloc(sizeof(grpc_server_credentials));
- memset(c, 0, sizeof(grpc_server_credentials));
+grpc_server_credentials *
+grpc_fake_transport_security_server_credentials_create (void)
+{
+ grpc_server_credentials *c = gpr_malloc (sizeof (grpc_server_credentials));
+ memset (c, 0, sizeof (grpc_server_credentials));
c->type = GRPC_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY;
- gpr_ref_init(&c->refcount, 1);
+ gpr_ref_init (&c->refcount, 1);
c->vtable = &fake_transport_security_server_credentials_vtable;
return c;
}
/* -- Composite credentials. -- */
-typedef struct {
+typedef struct
+{
grpc_composite_credentials *composite_creds;
size_t creds_index;
grpc_credentials_md_store *md_elems;
@@ -928,366 +990,407 @@ typedef struct {
grpc_credentials_metadata_cb cb;
} grpc_composite_credentials_metadata_context;
-static void composite_destruct(grpc_credentials *creds) {
- grpc_composite_credentials *c = (grpc_composite_credentials *)creds;
+static void
+composite_destruct (grpc_credentials * creds)
+{
+ grpc_composite_credentials *c = (grpc_composite_credentials *) creds;
size_t i;
- for (i = 0; i < c->inner.num_creds; i++) {
- grpc_credentials_unref(c->inner.creds_array[i]);
- }
- gpr_free(c->inner.creds_array);
+ for (i = 0; i < c->inner.num_creds; i++)
+ {
+ grpc_credentials_unref (c->inner.creds_array[i]);
+ }
+ gpr_free (c->inner.creds_array);
}
-static int composite_has_request_metadata(const grpc_credentials *creds) {
- const grpc_composite_credentials *c =
- (const grpc_composite_credentials *)creds;
+static int
+composite_has_request_metadata (const grpc_credentials * creds)
+{
+ const grpc_composite_credentials *c = (const grpc_composite_credentials *) creds;
size_t i;
- for (i = 0; i < c->inner.num_creds; i++) {
- if (grpc_credentials_has_request_metadata(c->inner.creds_array[i])) {
- return 1;
+ for (i = 0; i < c->inner.num_creds; i++)
+ {
+ if (grpc_credentials_has_request_metadata (c->inner.creds_array[i]))
+ {
+ return 1;
+ }
}
- }
return 0;
}
-static int composite_has_request_metadata_only(const grpc_credentials *creds) {
- const grpc_composite_credentials *c =
- (const grpc_composite_credentials *)creds;
+static int
+composite_has_request_metadata_only (const grpc_credentials * creds)
+{
+ const grpc_composite_credentials *c = (const grpc_composite_credentials *) creds;
size_t i;
- for (i = 0; i < c->inner.num_creds; i++) {
- if (!grpc_credentials_has_request_metadata_only(c->inner.creds_array[i])) {
- return 0;
+ for (i = 0; i < c->inner.num_creds; i++)
+ {
+ if (!grpc_credentials_has_request_metadata_only (c->inner.creds_array[i]))
+ {
+ return 0;
+ }
}
- }
return 1;
}
-static void composite_md_context_destroy(
- grpc_composite_credentials_metadata_context *ctx) {
- grpc_credentials_md_store_unref(ctx->md_elems);
- if (ctx->service_url != NULL) gpr_free(ctx->service_url);
- gpr_free(ctx);
+static void
+composite_md_context_destroy (grpc_composite_credentials_metadata_context * ctx)
+{
+ grpc_credentials_md_store_unref (ctx->md_elems);
+ if (ctx->service_url != NULL)
+ gpr_free (ctx->service_url);
+ gpr_free (ctx);
}
-static void composite_metadata_cb(void *user_data,
- grpc_credentials_md *md_elems, size_t num_md,
- grpc_credentials_status status,
- grpc_closure_list *closure_list) {
- grpc_composite_credentials_metadata_context *ctx =
- (grpc_composite_credentials_metadata_context *)user_data;
- if (status != GRPC_CREDENTIALS_OK) {
- ctx->cb(ctx->user_data, NULL, 0, status, closure_list);
- return;
- }
+static void
+composite_metadata_cb (void *user_data, grpc_credentials_md * md_elems, size_t num_md, grpc_credentials_status status, grpc_closure_list * closure_list)
+{
+ grpc_composite_credentials_metadata_context *ctx = (grpc_composite_credentials_metadata_context *) user_data;
+ if (status != GRPC_CREDENTIALS_OK)
+ {
+ ctx->cb (ctx->user_data, NULL, 0, status, closure_list);
+ return;
+ }
/* Copy the metadata in the context. */
- if (num_md > 0) {
- size_t i;
- for (i = 0; i < num_md; i++) {
- grpc_credentials_md_store_add(ctx->md_elems, md_elems[i].key,
- md_elems[i].value);
+ if (num_md > 0)
+ {
+ size_t i;
+ for (i = 0; i < num_md; i++)
+ {
+ grpc_credentials_md_store_add (ctx->md_elems, md_elems[i].key, md_elems[i].value);
+ }
}
- }
/* See if we need to get some more metadata. */
- while (ctx->creds_index < ctx->composite_creds->inner.num_creds) {
- grpc_credentials *inner_creds =
- ctx->composite_creds->inner.creds_array[ctx->creds_index++];
- if (grpc_credentials_has_request_metadata(inner_creds)) {
- grpc_credentials_get_request_metadata(
- inner_creds, ctx->pollset, ctx->service_url, composite_metadata_cb,
- ctx, closure_list);
- return;
+ while (ctx->creds_index < ctx->composite_creds->inner.num_creds)
+ {
+ grpc_credentials *inner_creds = ctx->composite_creds->inner.creds_array[ctx->creds_index++];
+ if (grpc_credentials_has_request_metadata (inner_creds))
+ {
+ grpc_credentials_get_request_metadata (inner_creds, ctx->pollset, ctx->service_url, composite_metadata_cb, ctx, closure_list);
+ return;
+ }
}
- }
/* We're done!. */
- ctx->cb(ctx->user_data, ctx->md_elems->entries, ctx->md_elems->num_entries,
- GRPC_CREDENTIALS_OK, closure_list);
- composite_md_context_destroy(ctx);
- grpc_closure_list_run(closure_list);
-}
-
-static void composite_get_request_metadata(grpc_credentials *creds,
- grpc_pollset *pollset,
- const char *service_url,
- grpc_credentials_metadata_cb cb,
- void *user_data,
- grpc_closure_list *closure_list) {
- grpc_composite_credentials *c = (grpc_composite_credentials *)creds;
+ ctx->cb (ctx->user_data, ctx->md_elems->entries, ctx->md_elems->num_entries, GRPC_CREDENTIALS_OK, closure_list);
+ composite_md_context_destroy (ctx);
+ grpc_closure_list_run (closure_list);
+}
+
+static void
+composite_get_request_metadata (grpc_credentials * creds, grpc_pollset * pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ grpc_composite_credentials *c = (grpc_composite_credentials *) creds;
grpc_composite_credentials_metadata_context *ctx;
- if (!grpc_credentials_has_request_metadata(creds)) {
- cb(user_data, NULL, 0, GRPC_CREDENTIALS_OK, closure_list);
- return;
- }
- ctx = gpr_malloc(sizeof(grpc_composite_credentials_metadata_context));
- memset(ctx, 0, sizeof(grpc_composite_credentials_metadata_context));
- ctx->service_url = gpr_strdup(service_url);
+ if (!grpc_credentials_has_request_metadata (creds))
+ {
+ cb (user_data, NULL, 0, GRPC_CREDENTIALS_OK, closure_list);
+ return;
+ }
+ ctx = gpr_malloc (sizeof (grpc_composite_credentials_metadata_context));
+ memset (ctx, 0, sizeof (grpc_composite_credentials_metadata_context));
+ ctx->service_url = gpr_strdup (service_url);
ctx->user_data = user_data;
ctx->cb = cb;
ctx->composite_creds = c;
ctx->pollset = pollset;
- ctx->md_elems = grpc_credentials_md_store_create(c->inner.num_creds);
- while (ctx->creds_index < c->inner.num_creds) {
- grpc_credentials *inner_creds = c->inner.creds_array[ctx->creds_index++];
- if (grpc_credentials_has_request_metadata(inner_creds)) {
- grpc_credentials_get_request_metadata(inner_creds, pollset, service_url,
- composite_metadata_cb, ctx,
- closure_list);
- return;
+ ctx->md_elems = grpc_credentials_md_store_create (c->inner.num_creds);
+ while (ctx->creds_index < c->inner.num_creds)
+ {
+ grpc_credentials *inner_creds = c->inner.creds_array[ctx->creds_index++];
+ if (grpc_credentials_has_request_metadata (inner_creds))
+ {
+ grpc_credentials_get_request_metadata (inner_creds, pollset, service_url, composite_metadata_cb, ctx, closure_list);
+ return;
+ }
}
- }
- GPR_ASSERT(0); /* Should have exited before. */
-}
-
-static grpc_security_status composite_create_security_connector(
- grpc_credentials *creds, const char *target, const grpc_channel_args *args,
- grpc_credentials *request_metadata_creds,
- grpc_channel_security_connector **sc, grpc_channel_args **new_args) {
- grpc_composite_credentials *c = (grpc_composite_credentials *)creds;
- if (c->connector_creds == NULL) {
- gpr_log(GPR_ERROR,
- "Cannot create security connector, missing connector credentials.");
- return GRPC_SECURITY_ERROR;
- }
- return grpc_credentials_create_security_connector(c->connector_creds, target,
- args, creds, sc, new_args);
+ GPR_ASSERT (0); /* Should have exited before. */
+}
+
+static grpc_security_status
+composite_create_security_connector (grpc_credentials * creds, const char *target, const grpc_channel_args * args, grpc_credentials * request_metadata_creds, grpc_channel_security_connector ** sc, grpc_channel_args ** new_args)
+{
+ grpc_composite_credentials *c = (grpc_composite_credentials *) creds;
+ if (c->connector_creds == NULL)
+ {
+ gpr_log (GPR_ERROR, "Cannot create security connector, missing connector credentials.");
+ return GRPC_SECURITY_ERROR;
+ }
+ return grpc_credentials_create_security_connector (c->connector_creds, target, args, creds, sc, new_args);
}
static grpc_credentials_vtable composite_credentials_vtable = {
- composite_destruct, composite_has_request_metadata,
- composite_has_request_metadata_only, composite_get_request_metadata,
- composite_create_security_connector};
+ composite_destruct, composite_has_request_metadata,
+ composite_has_request_metadata_only, composite_get_request_metadata,
+ composite_create_security_connector
+};
-static grpc_credentials_array get_creds_array(grpc_credentials **creds_addr) {
+static grpc_credentials_array
+get_creds_array (grpc_credentials ** creds_addr)
+{
grpc_credentials_array result;
grpc_credentials *creds = *creds_addr;
result.creds_array = creds_addr;
result.num_creds = 1;
- if (strcmp(creds->type, GRPC_CREDENTIALS_TYPE_COMPOSITE) == 0) {
- result = *grpc_composite_credentials_get_credentials(creds);
- }
+ if (strcmp (creds->type, GRPC_CREDENTIALS_TYPE_COMPOSITE) == 0)
+ {
+ result = *grpc_composite_credentials_get_credentials (creds);
+ }
return result;
}
-grpc_credentials *grpc_composite_credentials_create(grpc_credentials *creds1,
- grpc_credentials *creds2,
- void *reserved) {
+grpc_credentials *
+grpc_composite_credentials_create (grpc_credentials * creds1, grpc_credentials * creds2, void *reserved)
+{
size_t i;
size_t creds_array_byte_size;
grpc_credentials_array creds1_array;
grpc_credentials_array creds2_array;
grpc_composite_credentials *c;
- GPR_ASSERT(reserved == NULL);
- GPR_ASSERT(creds1 != NULL);
- GPR_ASSERT(creds2 != NULL);
- c = gpr_malloc(sizeof(grpc_composite_credentials));
- memset(c, 0, sizeof(grpc_composite_credentials));
+ GPR_ASSERT (reserved == NULL);
+ GPR_ASSERT (creds1 != NULL);
+ GPR_ASSERT (creds2 != NULL);
+ c = gpr_malloc (sizeof (grpc_composite_credentials));
+ memset (c, 0, sizeof (grpc_composite_credentials));
c->base.type = GRPC_CREDENTIALS_TYPE_COMPOSITE;
c->base.vtable = &composite_credentials_vtable;
- gpr_ref_init(&c->base.refcount, 1);
- creds1_array = get_creds_array(&creds1);
- creds2_array = get_creds_array(&creds2);
+ gpr_ref_init (&c->base.refcount, 1);
+ creds1_array = get_creds_array (&creds1);
+ creds2_array = get_creds_array (&creds2);
c->inner.num_creds = creds1_array.num_creds + creds2_array.num_creds;
- creds_array_byte_size = c->inner.num_creds * sizeof(grpc_credentials *);
- c->inner.creds_array = gpr_malloc(creds_array_byte_size);
- memset(c->inner.creds_array, 0, creds_array_byte_size);
- for (i = 0; i < creds1_array.num_creds; i++) {
- grpc_credentials *cur_creds = creds1_array.creds_array[i];
- if (!grpc_credentials_has_request_metadata_only(cur_creds)) {
- if (c->connector_creds == NULL) {
- c->connector_creds = cur_creds;
- } else {
- gpr_log(GPR_ERROR, "Cannot compose multiple connector credentials.");
- goto fail;
- }
+ creds_array_byte_size = c->inner.num_creds * sizeof (grpc_credentials *);
+ c->inner.creds_array = gpr_malloc (creds_array_byte_size);
+ memset (c->inner.creds_array, 0, creds_array_byte_size);
+ for (i = 0; i < creds1_array.num_creds; i++)
+ {
+ grpc_credentials *cur_creds = creds1_array.creds_array[i];
+ if (!grpc_credentials_has_request_metadata_only (cur_creds))
+ {
+ if (c->connector_creds == NULL)
+ {
+ c->connector_creds = cur_creds;
+ }
+ else
+ {
+ gpr_log (GPR_ERROR, "Cannot compose multiple connector credentials.");
+ goto fail;
+ }
+ }
+ c->inner.creds_array[i] = grpc_credentials_ref (cur_creds);
}
- c->inner.creds_array[i] = grpc_credentials_ref(cur_creds);
- }
- for (i = 0; i < creds2_array.num_creds; i++) {
- grpc_credentials *cur_creds = creds2_array.creds_array[i];
- if (!grpc_credentials_has_request_metadata_only(cur_creds)) {
- if (c->connector_creds == NULL) {
- c->connector_creds = cur_creds;
- } else {
- gpr_log(GPR_ERROR, "Cannot compose multiple connector credentials.");
- goto fail;
- }
+ for (i = 0; i < creds2_array.num_creds; i++)
+ {
+ grpc_credentials *cur_creds = creds2_array.creds_array[i];
+ if (!grpc_credentials_has_request_metadata_only (cur_creds))
+ {
+ if (c->connector_creds == NULL)
+ {
+ c->connector_creds = cur_creds;
+ }
+ else
+ {
+ gpr_log (GPR_ERROR, "Cannot compose multiple connector credentials.");
+ goto fail;
+ }
+ }
+ c->inner.creds_array[i + creds1_array.num_creds] = grpc_credentials_ref (cur_creds);
}
- c->inner.creds_array[i + creds1_array.num_creds] =
- grpc_credentials_ref(cur_creds);
- }
return &c->base;
fail:
- grpc_credentials_unref(&c->base);
+ grpc_credentials_unref (&c->base);
return NULL;
}
-const grpc_credentials_array *grpc_composite_credentials_get_credentials(
- grpc_credentials *creds) {
- const grpc_composite_credentials *c =
- (const grpc_composite_credentials *)creds;
- GPR_ASSERT(strcmp(creds->type, GRPC_CREDENTIALS_TYPE_COMPOSITE) == 0);
+const grpc_credentials_array *
+grpc_composite_credentials_get_credentials (grpc_credentials * creds)
+{
+ const grpc_composite_credentials *c = (const grpc_composite_credentials *) creds;
+ GPR_ASSERT (strcmp (creds->type, GRPC_CREDENTIALS_TYPE_COMPOSITE) == 0);
return &c->inner;
}
-grpc_credentials *grpc_credentials_contains_type(
- grpc_credentials *creds, const char *type,
- grpc_credentials **composite_creds) {
+grpc_credentials *
+grpc_credentials_contains_type (grpc_credentials * creds, const char *type, grpc_credentials ** composite_creds)
+{
size_t i;
- if (strcmp(creds->type, type) == 0) {
- if (composite_creds != NULL) *composite_creds = NULL;
- return creds;
- } else if (strcmp(creds->type, GRPC_CREDENTIALS_TYPE_COMPOSITE) == 0) {
- const grpc_credentials_array *inner_creds_array =
- grpc_composite_credentials_get_credentials(creds);
- for (i = 0; i < inner_creds_array->num_creds; i++) {
- if (strcmp(type, inner_creds_array->creds_array[i]->type) == 0) {
- if (composite_creds != NULL) *composite_creds = creds;
- return inner_creds_array->creds_array[i];
- }
+ if (strcmp (creds->type, type) == 0)
+ {
+ if (composite_creds != NULL)
+ *composite_creds = NULL;
+ return creds;
+ }
+ else if (strcmp (creds->type, GRPC_CREDENTIALS_TYPE_COMPOSITE) == 0)
+ {
+ const grpc_credentials_array *inner_creds_array = grpc_composite_credentials_get_credentials (creds);
+ for (i = 0; i < inner_creds_array->num_creds; i++)
+ {
+ if (strcmp (type, inner_creds_array->creds_array[i]->type) == 0)
+ {
+ if (composite_creds != NULL)
+ *composite_creds = creds;
+ return inner_creds_array->creds_array[i];
+ }
+ }
}
- }
return NULL;
}
/* -- IAM credentials. -- */
-static void iam_destruct(grpc_credentials *creds) {
- grpc_google_iam_credentials *c = (grpc_google_iam_credentials *)creds;
- grpc_credentials_md_store_unref(c->iam_md);
+static void
+iam_destruct (grpc_credentials * creds)
+{
+ grpc_google_iam_credentials *c = (grpc_google_iam_credentials *) creds;
+ grpc_credentials_md_store_unref (c->iam_md);
}
-static int iam_has_request_metadata(const grpc_credentials *creds) { return 1; }
+static int
+iam_has_request_metadata (const grpc_credentials * creds)
+{
+ return 1;
+}
-static int iam_has_request_metadata_only(const grpc_credentials *creds) {
+static int
+iam_has_request_metadata_only (const grpc_credentials * creds)
+{
return 1;
}
-static void iam_get_request_metadata(grpc_credentials *creds,
- grpc_pollset *pollset,
- const char *service_url,
- grpc_credentials_metadata_cb cb,
- void *user_data,
- grpc_closure_list *closure_list) {
- grpc_google_iam_credentials *c = (grpc_google_iam_credentials *)creds;
- cb(user_data, c->iam_md->entries, c->iam_md->num_entries, GRPC_CREDENTIALS_OK,
- closure_list);
+static void
+iam_get_request_metadata (grpc_credentials * creds, grpc_pollset * pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ grpc_google_iam_credentials *c = (grpc_google_iam_credentials *) creds;
+ cb (user_data, c->iam_md->entries, c->iam_md->num_entries, GRPC_CREDENTIALS_OK, closure_list);
}
static grpc_credentials_vtable iam_vtable = {
- iam_destruct, iam_has_request_metadata, iam_has_request_metadata_only,
- iam_get_request_metadata, NULL};
+ iam_destruct, iam_has_request_metadata, iam_has_request_metadata_only,
+ iam_get_request_metadata, NULL
+};
-grpc_credentials *grpc_google_iam_credentials_create(
- const char *token, const char *authority_selector, void *reserved) {
+grpc_credentials *
+grpc_google_iam_credentials_create (const char *token, const char *authority_selector, void *reserved)
+{
grpc_google_iam_credentials *c;
- GPR_ASSERT(reserved == NULL);
- GPR_ASSERT(token != NULL);
- GPR_ASSERT(authority_selector != NULL);
- c = gpr_malloc(sizeof(grpc_google_iam_credentials));
- memset(c, 0, sizeof(grpc_google_iam_credentials));
+ GPR_ASSERT (reserved == NULL);
+ GPR_ASSERT (token != NULL);
+ GPR_ASSERT (authority_selector != NULL);
+ c = gpr_malloc (sizeof (grpc_google_iam_credentials));
+ memset (c, 0, sizeof (grpc_google_iam_credentials));
c->base.type = GRPC_CREDENTIALS_TYPE_IAM;
c->base.vtable = &iam_vtable;
- gpr_ref_init(&c->base.refcount, 1);
- c->iam_md = grpc_credentials_md_store_create(2);
- grpc_credentials_md_store_add_cstrings(
- c->iam_md, GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY, token);
- grpc_credentials_md_store_add_cstrings(
- c->iam_md, GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY, authority_selector);
+ gpr_ref_init (&c->base.refcount, 1);
+ c->iam_md = grpc_credentials_md_store_create (2);
+ grpc_credentials_md_store_add_cstrings (c->iam_md, GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY, token);
+ grpc_credentials_md_store_add_cstrings (c->iam_md, GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY, authority_selector);
return &c->base;
}
/* -- Plugin credentials. -- */
-typedef struct {
+typedef struct
+{
void *user_data;
grpc_credentials_metadata_cb cb;
} grpc_metadata_plugin_request;
-static void plugin_destruct(grpc_credentials *creds) {
- grpc_plugin_credentials *c = (grpc_plugin_credentials *)creds;
- if (c->plugin.state != NULL && c->plugin.destroy != NULL) {
- c->plugin.destroy(c->plugin.state);
- }
+static void
+plugin_destruct (grpc_credentials * creds)
+{
+ grpc_plugin_credentials *c = (grpc_plugin_credentials *) creds;
+ if (c->plugin.state != NULL && c->plugin.destroy != NULL)
+ {
+ c->plugin.destroy (c->plugin.state);
+ }
}
-static int plugin_has_request_metadata(const grpc_credentials *creds) {
+static int
+plugin_has_request_metadata (const grpc_credentials * creds)
+{
return 1;
}
-static int plugin_has_request_metadata_only(const grpc_credentials *creds) {
+static int
+plugin_has_request_metadata_only (const grpc_credentials * creds)
+{
return 1;
}
-static void plugin_md_request_metadata_ready(void *request,
- const grpc_metadata *md,
- size_t num_md,
- grpc_status_code status,
- const char *error_details) {
+static void
+plugin_md_request_metadata_ready (void *request, const grpc_metadata * md, size_t num_md, grpc_status_code status, const char *error_details)
+{
/* called from application code */
grpc_closure_list closure_list = GRPC_CLOSURE_LIST_INIT;
- grpc_metadata_plugin_request *r = (grpc_metadata_plugin_request *)request;
- if (status != GRPC_STATUS_OK) {
- if (error_details != NULL) {
- gpr_log(GPR_ERROR, "Getting metadata from plugin failed with error: %s",
- error_details);
+ grpc_metadata_plugin_request *r = (grpc_metadata_plugin_request *) request;
+ if (status != GRPC_STATUS_OK)
+ {
+ if (error_details != NULL)
+ {
+ gpr_log (GPR_ERROR, "Getting metadata from plugin failed with error: %s", error_details);
+ }
+ r->cb (r->user_data, NULL, 0, GRPC_CREDENTIALS_ERROR, &closure_list);
}
- r->cb(r->user_data, NULL, 0, GRPC_CREDENTIALS_ERROR, &closure_list);
- } else {
- size_t i;
- grpc_credentials_md *md_array = NULL;
- if (num_md > 0) {
- md_array = gpr_malloc(num_md * sizeof(grpc_credentials_md));
- for (i = 0; i < num_md; i++) {
- md_array[i].key = gpr_slice_from_copied_string(md[i].key);
- md_array[i].value =
- gpr_slice_from_copied_buffer(md[i].value, md[i].value_length);
- }
+ else
+ {
+ size_t i;
+ grpc_credentials_md *md_array = NULL;
+ if (num_md > 0)
+ {
+ md_array = gpr_malloc (num_md * sizeof (grpc_credentials_md));
+ for (i = 0; i < num_md; i++)
+ {
+ md_array[i].key = gpr_slice_from_copied_string (md[i].key);
+ md_array[i].value = gpr_slice_from_copied_buffer (md[i].value, md[i].value_length);
+ }
+ }
+ r->cb (r->user_data, md_array, num_md, GRPC_CREDENTIALS_OK, &closure_list);
+ if (md_array != NULL)
+ {
+ for (i = 0; i < num_md; i++)
+ {
+ gpr_slice_unref (md_array[i].key);
+ gpr_slice_unref (md_array[i].value);
+ }
+ gpr_free (md_array);
+ }
}
- r->cb(r->user_data, md_array, num_md, GRPC_CREDENTIALS_OK, &closure_list);
- if (md_array != NULL) {
- for (i = 0; i < num_md; i++) {
- gpr_slice_unref(md_array[i].key);
- gpr_slice_unref(md_array[i].value);
- }
- gpr_free(md_array);
+ gpr_free (r);
+}
+
+static void
+plugin_get_request_metadata (grpc_credentials * creds, grpc_pollset * pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ grpc_plugin_credentials *c = (grpc_plugin_credentials *) creds;
+ if (c->plugin.get_metadata != NULL)
+ {
+ grpc_metadata_plugin_request *request = gpr_malloc (sizeof (*request));
+ memset (request, 0, sizeof (*request));
+ request->user_data = user_data;
+ request->cb = cb;
+ c->plugin.get_metadata (c->plugin.state, service_url, plugin_md_request_metadata_ready, request);
+ }
+ else
+ {
+ cb (user_data, NULL, 0, GRPC_CREDENTIALS_OK, closure_list);
}
- }
- gpr_free(r);
-}
-
-static void plugin_get_request_metadata(grpc_credentials *creds,
- grpc_pollset *pollset,
- const char *service_url,
- grpc_credentials_metadata_cb cb,
- void *user_data,
- grpc_closure_list *closure_list) {
- grpc_plugin_credentials *c = (grpc_plugin_credentials *)creds;
- if (c->plugin.get_metadata != NULL) {
- grpc_metadata_plugin_request *request = gpr_malloc(sizeof(*request));
- memset(request, 0, sizeof(*request));
- request->user_data = user_data;
- request->cb = cb;
- c->plugin.get_metadata(c->plugin.state, service_url,
- plugin_md_request_metadata_ready, request);
- } else {
- cb(user_data, NULL, 0, GRPC_CREDENTIALS_OK, closure_list);
- }
}
static grpc_credentials_vtable plugin_vtable = {
- plugin_destruct, plugin_has_request_metadata,
- plugin_has_request_metadata_only, plugin_get_request_metadata, NULL};
-
-grpc_credentials *grpc_metadata_credentials_create_from_plugin(
- grpc_metadata_credentials_plugin plugin, void *reserved) {
- grpc_plugin_credentials *c = gpr_malloc(sizeof(*c));
- GPR_ASSERT(reserved == NULL);
- memset(c, 0, sizeof(*c));
+ plugin_destruct, plugin_has_request_metadata,
+ plugin_has_request_metadata_only, plugin_get_request_metadata, NULL
+};
+
+grpc_credentials *
+grpc_metadata_credentials_create_from_plugin (grpc_metadata_credentials_plugin plugin, void *reserved)
+{
+ grpc_plugin_credentials *c = gpr_malloc (sizeof (*c));
+ GPR_ASSERT (reserved == NULL);
+ memset (c, 0, sizeof (*c));
c->base.type = GRPC_CREDENTIALS_TYPE_METADATA_PLUGIN;
c->base.vtable = &plugin_vtable;
- gpr_ref_init(&c->base.refcount, 1);
+ gpr_ref_init (&c->base.refcount, 1);
c->plugin = plugin;
return &c->base;
}
diff --git a/src/core/security/credentials.h b/src/core/security/credentials.h
index 09b32132ed..2de67e40c8 100644
--- a/src/core/security/credentials.h
+++ b/src/core/security/credentials.h
@@ -47,7 +47,8 @@ struct grpc_httpcli_response;
/* --- Constants. --- */
-typedef enum {
+typedef enum
+{
GRPC_CREDENTIALS_OK = 0,
GRPC_CREDENTIALS_ERROR
} grpc_credentials_status;
@@ -89,172 +90,146 @@ typedef enum {
/* --- grpc_credentials_md. --- */
-typedef struct {
+typedef struct
+{
gpr_slice key;
gpr_slice value;
} grpc_credentials_md;
-typedef struct {
+typedef struct
+{
grpc_credentials_md *entries;
size_t num_entries;
size_t allocated;
gpr_refcount refcount;
} grpc_credentials_md_store;
-grpc_credentials_md_store *grpc_credentials_md_store_create(
- size_t initial_capacity);
+grpc_credentials_md_store *grpc_credentials_md_store_create (size_t initial_capacity);
/* Will ref key and value. */
-void grpc_credentials_md_store_add(grpc_credentials_md_store *store,
- gpr_slice key, gpr_slice value);
-void grpc_credentials_md_store_add_cstrings(grpc_credentials_md_store *store,
- const char *key, const char *value);
-grpc_credentials_md_store *grpc_credentials_md_store_ref(
- grpc_credentials_md_store *store);
-void grpc_credentials_md_store_unref(grpc_credentials_md_store *store);
+void grpc_credentials_md_store_add (grpc_credentials_md_store * store, gpr_slice key, gpr_slice value);
+void grpc_credentials_md_store_add_cstrings (grpc_credentials_md_store * store, const char *key, const char *value);
+grpc_credentials_md_store *grpc_credentials_md_store_ref (grpc_credentials_md_store * store);
+void grpc_credentials_md_store_unref (grpc_credentials_md_store * store);
/* --- grpc_credentials. --- */
/* Creates a fake transport security credentials object for testing. */
-grpc_credentials *grpc_fake_transport_security_credentials_create(void);
+grpc_credentials *grpc_fake_transport_security_credentials_create (void);
/* Creates a fake server transport security credentials object for testing. */
-grpc_server_credentials *grpc_fake_transport_security_server_credentials_create(
- void);
+grpc_server_credentials *grpc_fake_transport_security_server_credentials_create (void);
/* It is the caller's responsibility to gpr_free the result if not NULL. */
-char *grpc_get_well_known_google_credentials_file_path(void);
-
-typedef void (*grpc_credentials_metadata_cb)(void *user_data,
- grpc_credentials_md *md_elems,
- size_t num_md,
- grpc_credentials_status status,
- grpc_closure_list *closure_list);
-
-typedef struct {
- void (*destruct)(grpc_credentials *c);
- int (*has_request_metadata)(const grpc_credentials *c);
- int (*has_request_metadata_only)(const grpc_credentials *c);
- void (*get_request_metadata)(grpc_credentials *c, grpc_pollset *pollset,
- const char *service_url,
- grpc_credentials_metadata_cb cb, void *user_data,
- grpc_closure_list *closure_list);
- grpc_security_status (*create_security_connector)(
- grpc_credentials *c, const char *target, const grpc_channel_args *args,
- grpc_credentials *request_metadata_creds,
- grpc_channel_security_connector **sc, grpc_channel_args **new_args);
+char *grpc_get_well_known_google_credentials_file_path (void);
+
+typedef void (*grpc_credentials_metadata_cb) (void *user_data, grpc_credentials_md * md_elems, size_t num_md, grpc_credentials_status status, grpc_closure_list * closure_list);
+
+typedef struct
+{
+ void (*destruct) (grpc_credentials * c);
+ int (*has_request_metadata) (const grpc_credentials * c);
+ int (*has_request_metadata_only) (const grpc_credentials * c);
+ void (*get_request_metadata) (grpc_credentials * c, grpc_pollset * pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data, grpc_closure_list * closure_list);
+ grpc_security_status (*create_security_connector) (grpc_credentials * c, const char *target, const grpc_channel_args * args, grpc_credentials * request_metadata_creds, grpc_channel_security_connector ** sc, grpc_channel_args ** new_args);
} grpc_credentials_vtable;
-struct grpc_credentials {
+struct grpc_credentials
+{
const grpc_credentials_vtable *vtable;
const char *type;
gpr_refcount refcount;
};
-grpc_credentials *grpc_credentials_ref(grpc_credentials *creds);
-void grpc_credentials_unref(grpc_credentials *creds);
-int grpc_credentials_has_request_metadata(grpc_credentials *creds);
-int grpc_credentials_has_request_metadata_only(grpc_credentials *creds);
-void grpc_credentials_get_request_metadata(grpc_credentials *creds,
- grpc_pollset *pollset,
- const char *service_url,
- grpc_credentials_metadata_cb cb,
- void *user_data,
- grpc_closure_list *closure_list);
+grpc_credentials *grpc_credentials_ref (grpc_credentials * creds);
+void grpc_credentials_unref (grpc_credentials * creds);
+int grpc_credentials_has_request_metadata (grpc_credentials * creds);
+int grpc_credentials_has_request_metadata_only (grpc_credentials * creds);
+void grpc_credentials_get_request_metadata (grpc_credentials * creds, grpc_pollset * pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data, grpc_closure_list * closure_list);
/* Creates a security connector for the channel. May also create new channel
args for the channel to be used in place of the passed in const args if
returned non NULL. In that case the caller is responsible for destroying
new_args after channel creation. */
-grpc_security_status grpc_credentials_create_security_connector(
- grpc_credentials *creds, const char *target, const grpc_channel_args *args,
- grpc_credentials *request_metadata_creds,
- grpc_channel_security_connector **sc, grpc_channel_args **new_args);
+grpc_security_status grpc_credentials_create_security_connector (grpc_credentials * creds, const char *target, const grpc_channel_args * args, grpc_credentials * request_metadata_creds, grpc_channel_security_connector ** sc, grpc_channel_args ** new_args);
-typedef struct {
+typedef struct
+{
grpc_credentials **creds_array;
size_t num_creds;
} grpc_credentials_array;
-const grpc_credentials_array *grpc_composite_credentials_get_credentials(
- grpc_credentials *composite_creds);
+const grpc_credentials_array *grpc_composite_credentials_get_credentials (grpc_credentials * composite_creds);
/* Returns creds if creds is of the specified type or the inner creds of the
specified type (if found), if the creds is of type COMPOSITE.
If composite_creds is not NULL, *composite_creds will point to creds if of
type COMPOSITE in case of success. */
-grpc_credentials *grpc_credentials_contains_type(
- grpc_credentials *creds, const char *type,
- grpc_credentials **composite_creds);
+grpc_credentials *grpc_credentials_contains_type (grpc_credentials * creds, const char *type, grpc_credentials ** composite_creds);
/* Exposed for testing only. */
-grpc_credentials_status
-grpc_oauth2_token_fetcher_credentials_parse_server_response(
- const struct grpc_httpcli_response *response,
- grpc_credentials_md_store **token_md, gpr_timespec *token_lifetime);
-void grpc_flush_cached_google_default_credentials(void);
+grpc_credentials_status grpc_oauth2_token_fetcher_credentials_parse_server_response (const struct grpc_httpcli_response *response, grpc_credentials_md_store ** token_md, gpr_timespec * token_lifetime);
+void grpc_flush_cached_google_default_credentials (void);
/* Metadata-only credentials with the specified key and value where
asynchronicity can be simulated for testing. */
-grpc_credentials *grpc_md_only_test_credentials_create(const char *md_key,
- const char *md_value,
- int is_async);
+grpc_credentials *grpc_md_only_test_credentials_create (const char *md_key, const char *md_value, int is_async);
/* Private constructor for jwt credentials from an already parsed json key.
Takes ownership of the key. */
-grpc_credentials *
-grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
- grpc_auth_json_key key, gpr_timespec token_lifetime);
+grpc_credentials *grpc_service_account_jwt_access_credentials_create_from_auth_json_key (grpc_auth_json_key key, gpr_timespec token_lifetime);
/* Private constructor for refresh token credentials from an already parsed
refresh token. Takes ownership of the refresh token. */
-grpc_credentials *grpc_refresh_token_credentials_create_from_auth_refresh_token(
- grpc_auth_refresh_token token);
+grpc_credentials *grpc_refresh_token_credentials_create_from_auth_refresh_token (grpc_auth_refresh_token token);
/* --- grpc_server_credentials. --- */
-typedef struct {
- void (*destruct)(grpc_server_credentials *c);
- grpc_security_status (*create_security_connector)(
- grpc_server_credentials *c, grpc_security_connector **sc);
+typedef struct
+{
+ void (*destruct) (grpc_server_credentials * c);
+ grpc_security_status (*create_security_connector) (grpc_server_credentials * c, grpc_security_connector ** sc);
} grpc_server_credentials_vtable;
/* TODO(jboeuf): Add a refcount. */
-struct grpc_server_credentials {
+struct grpc_server_credentials
+{
const grpc_server_credentials_vtable *vtable;
const char *type;
gpr_refcount refcount;
grpc_auth_metadata_processor processor;
};
-grpc_security_status grpc_server_credentials_create_security_connector(
- grpc_server_credentials *creds, grpc_security_connector **sc);
+grpc_security_status grpc_server_credentials_create_security_connector (grpc_server_credentials * creds, grpc_security_connector ** sc);
-grpc_server_credentials *grpc_server_credentials_ref(
- grpc_server_credentials *creds);
+grpc_server_credentials *grpc_server_credentials_ref (grpc_server_credentials * creds);
-void grpc_server_credentials_unref(grpc_server_credentials *creds);
+void grpc_server_credentials_unref (grpc_server_credentials * creds);
/* -- Ssl credentials. -- */
-typedef struct {
+typedef struct
+{
grpc_credentials base;
grpc_ssl_config config;
} grpc_ssl_credentials;
-typedef struct {
+typedef struct
+{
grpc_server_credentials base;
grpc_ssl_server_config config;
} grpc_ssl_server_credentials;
/* -- Jwt credentials -- */
-typedef struct {
+typedef struct
+{
grpc_credentials base;
/* Have a simple cache for now with just 1 entry. We could have a map based on
the service_url for a more sophisticated one. */
gpr_mu cache_mu;
- struct {
+ struct
+ {
grpc_credentials_md_store *jwt_md;
char *service_url;
gpr_timespec jwt_expiration;
@@ -269,17 +244,12 @@ typedef struct {
This object is a base for credentials that need to acquire an oauth2 token
from an http service. */
-typedef struct grpc_credentials_metadata_request
- grpc_credentials_metadata_request;
+typedef struct grpc_credentials_metadata_request grpc_credentials_metadata_request;
-typedef void (*grpc_fetch_oauth2_func)(grpc_credentials_metadata_request *req,
- grpc_httpcli_context *http_context,
- grpc_pollset *pollset,
- grpc_httpcli_response_cb response_cb,
- gpr_timespec deadline,
- grpc_closure_list *closure_list);
+typedef void (*grpc_fetch_oauth2_func) (grpc_credentials_metadata_request * req, grpc_httpcli_context * http_context, grpc_pollset * pollset, grpc_httpcli_response_cb response_cb, gpr_timespec deadline, grpc_closure_list * closure_list);
-typedef struct {
+typedef struct
+{
grpc_credentials base;
gpr_mu mu;
grpc_credentials_md_store *access_token_md;
@@ -290,21 +260,24 @@ typedef struct {
/* -- GoogleRefreshToken credentials. -- */
-typedef struct {
+typedef struct
+{
grpc_oauth2_token_fetcher_credentials base;
grpc_auth_refresh_token refresh_token;
} grpc_google_refresh_token_credentials;
/* -- Oauth2 Access Token credentials. -- */
-typedef struct {
+typedef struct
+{
grpc_credentials base;
grpc_credentials_md_store *access_token_md;
} grpc_access_token_credentials;
/* -- Metadata-only Test credentials. -- */
-typedef struct {
+typedef struct
+{
grpc_credentials base;
grpc_credentials_md_store *md_store;
int is_async;
@@ -312,14 +285,16 @@ typedef struct {
/* -- GoogleIAM credentials. -- */
-typedef struct {
+typedef struct
+{
grpc_credentials base;
grpc_credentials_md_store *iam_md;
} grpc_google_iam_credentials;
/* -- Composite credentials. -- */
-typedef struct {
+typedef struct
+{
grpc_credentials base;
grpc_credentials_array inner;
grpc_credentials *connector_creds;
@@ -327,7 +302,8 @@ typedef struct {
/* -- Plugin credentials. -- */
-typedef struct {
+typedef struct
+{
grpc_credentials base;
grpc_metadata_credentials_plugin plugin;
grpc_credentials_md_store *plugin_md;
diff --git a/src/core/security/credentials_metadata.c b/src/core/security/credentials_metadata.c
index b8a132f1ea..f9a5f5fd4f 100644
--- a/src/core/security/credentials_metadata.c
+++ b/src/core/security/credentials_metadata.c
@@ -37,65 +37,78 @@
#include <string.h>
-static void store_ensure_capacity(grpc_credentials_md_store *store) {
- if (store->num_entries == store->allocated) {
- store->allocated = (store->allocated == 0) ? 1 : store->allocated * 2;
- store->entries = gpr_realloc(
- store->entries, store->allocated * sizeof(grpc_credentials_md));
- }
+static void
+store_ensure_capacity (grpc_credentials_md_store * store)
+{
+ if (store->num_entries == store->allocated)
+ {
+ store->allocated = (store->allocated == 0) ? 1 : store->allocated * 2;
+ store->entries = gpr_realloc (store->entries, store->allocated * sizeof (grpc_credentials_md));
+ }
}
-grpc_credentials_md_store *grpc_credentials_md_store_create(
- size_t initial_capacity) {
- grpc_credentials_md_store *store =
- gpr_malloc(sizeof(grpc_credentials_md_store));
- memset(store, 0, sizeof(grpc_credentials_md_store));
- if (initial_capacity > 0) {
- store->entries = gpr_malloc(initial_capacity * sizeof(grpc_credentials_md));
- store->allocated = initial_capacity;
- }
- gpr_ref_init(&store->refcount, 1);
+grpc_credentials_md_store *
+grpc_credentials_md_store_create (size_t initial_capacity)
+{
+ grpc_credentials_md_store *store = gpr_malloc (sizeof (grpc_credentials_md_store));
+ memset (store, 0, sizeof (grpc_credentials_md_store));
+ if (initial_capacity > 0)
+ {
+ store->entries = gpr_malloc (initial_capacity * sizeof (grpc_credentials_md));
+ store->allocated = initial_capacity;
+ }
+ gpr_ref_init (&store->refcount, 1);
return store;
}
-void grpc_credentials_md_store_add(grpc_credentials_md_store *store,
- gpr_slice key, gpr_slice value) {
- if (store == NULL) return;
- store_ensure_capacity(store);
- store->entries[store->num_entries].key = gpr_slice_ref(key);
- store->entries[store->num_entries].value = gpr_slice_ref(value);
+void
+grpc_credentials_md_store_add (grpc_credentials_md_store * store, gpr_slice key, gpr_slice value)
+{
+ if (store == NULL)
+ return;
+ store_ensure_capacity (store);
+ store->entries[store->num_entries].key = gpr_slice_ref (key);
+ store->entries[store->num_entries].value = gpr_slice_ref (value);
store->num_entries++;
}
-void grpc_credentials_md_store_add_cstrings(grpc_credentials_md_store *store,
- const char *key,
- const char *value) {
- if (store == NULL) return;
- store_ensure_capacity(store);
- store->entries[store->num_entries].key = gpr_slice_from_copied_string(key);
- store->entries[store->num_entries].value =
- gpr_slice_from_copied_string(value);
+void
+grpc_credentials_md_store_add_cstrings (grpc_credentials_md_store * store, const char *key, const char *value)
+{
+ if (store == NULL)
+ return;
+ store_ensure_capacity (store);
+ store->entries[store->num_entries].key = gpr_slice_from_copied_string (key);
+ store->entries[store->num_entries].value = gpr_slice_from_copied_string (value);
store->num_entries++;
}
-grpc_credentials_md_store *grpc_credentials_md_store_ref(
- grpc_credentials_md_store *store) {
- if (store == NULL) return NULL;
- gpr_ref(&store->refcount);
+grpc_credentials_md_store *
+grpc_credentials_md_store_ref (grpc_credentials_md_store * store)
+{
+ if (store == NULL)
+ return NULL;
+ gpr_ref (&store->refcount);
return store;
}
-void grpc_credentials_md_store_unref(grpc_credentials_md_store *store) {
- if (store == NULL) return;
- if (gpr_unref(&store->refcount)) {
- if (store->entries != NULL) {
- size_t i;
- for (i = 0; i < store->num_entries; i++) {
- gpr_slice_unref(store->entries[i].key);
- gpr_slice_unref(store->entries[i].value);
- }
- gpr_free(store->entries);
+void
+grpc_credentials_md_store_unref (grpc_credentials_md_store * store)
+{
+ if (store == NULL)
+ return;
+ if (gpr_unref (&store->refcount))
+ {
+ if (store->entries != NULL)
+ {
+ size_t i;
+ for (i = 0; i < store->num_entries; i++)
+ {
+ gpr_slice_unref (store->entries[i].key);
+ gpr_slice_unref (store->entries[i].value);
+ }
+ gpr_free (store->entries);
+ }
+ gpr_free (store);
}
- gpr_free(store);
- }
}
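Review bot: grpc_credentials_md_store_unref releases each entry with gpr_slice_unref only, and because grpc_credentials_md_store_add stores `gpr_slice_ref (key)` / `gpr_slice_ref (value)` the underlying bytes remain shared with whoever created the slices; for stores that carry tokens (credentials.h in this same commit declares `access_token_md` fields of this type) nothing here clears the token bytes before the memory is released. That is a reasonable design for refcounted slices, but the unref path should say so, e.g. `/* Drops this store's references only; slice bytes are shared with their creator and are not zeroized here. */`. The capacity arithmetic in store_ensure_capacity (`store->allocated * 2` and the `* sizeof (grpc_credentials_md)` product) is also unchecked; harmless at the entry counts a metadata store sees, but worth a note unless gpr_realloc is known to guard the multiplication.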
diff --git a/src/core/security/credentials_posix.c b/src/core/security/credentials_posix.c
index 20f67a7f14..ba897bd7c5 100644
--- a/src/core/security/credentials_posix.c
+++ b/src/core/security/credentials_posix.c
@@ -44,17 +44,18 @@
#include "src/core/support/env.h"
#include "src/core/support/string.h"
-char *grpc_get_well_known_google_credentials_file_path(void) {
+char *
+grpc_get_well_known_google_credentials_file_path (void)
+{
char *result = NULL;
- char *home = gpr_getenv("HOME");
- if (home == NULL) {
- gpr_log(GPR_ERROR, "Could not get HOME environment variable.");
- return NULL;
- }
- gpr_asprintf(&result, "%s/.config/%s/%s", home,
- GRPC_GOOGLE_CLOUD_SDK_CONFIG_DIRECTORY,
- GRPC_GOOGLE_WELL_KNOWN_CREDENTIALS_FILE);
- gpr_free(home);
+ char *home = gpr_getenv ("HOME");
+ if (home == NULL)
+ {
+ gpr_log (GPR_ERROR, "Could not get HOME environment variable.");
+ return NULL;
+ }
+ gpr_asprintf (&result, "%s/.config/%s/%s", home, GRPC_GOOGLE_CLOUD_SDK_CONFIG_DIRECTORY, GRPC_GOOGLE_WELL_KNOWN_CREDENTIALS_FILE);
+ gpr_free (home);
return result;
}
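Review bot: The return value of gpr_asprintf is ignored at the `gpr_asprintf (&result, "%s/.config/%s/%s", ...)` line, so the function's NULL-on-failure contract silently depends on gpr_asprintf setting `*strp` to NULL when it fails; if that guarantee holds, a one-line comment should state it, and if it does not, the call should become `if (gpr_asprintf (&result, "%s/.config/%s/%s", home, GRPC_GOOGLE_CLOUD_SDK_CONFIG_DIRECTORY, GRPC_GOOGLE_WELL_KNOWN_CREDENTIALS_FILE) < 0) result = NULL;`. The APPDATA variant in credentials_win32.c in this commit has the same gap. A short header comment saying that the path is derived from the process environment and that the caller owns the returned string would also help, since the declaration in credentials.h is outside this hunk.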
diff --git a/src/core/security/credentials_win32.c b/src/core/security/credentials_win32.c
index 92dfd9bdfe..2630647121 100644
--- a/src/core/security/credentials_win32.c
+++ b/src/core/security/credentials_win32.c
@@ -44,17 +44,18 @@
#include "src/core/support/env.h"
#include "src/core/support/string.h"
-char *grpc_get_well_known_google_credentials_file_path(void) {
+char *
+grpc_get_well_known_google_credentials_file_path (void)
+{
char *result = NULL;
- char *appdata_path = gpr_getenv("APPDATA");
- if (appdata_path == NULL) {
- gpr_log(GPR_ERROR, "Could not get APPDATA environment variable.");
- return NULL;
- }
- gpr_asprintf(&result, "%s/%s/%s", appdata_path,
- GRPC_GOOGLE_CLOUD_SDK_CONFIG_DIRECTORY,
- GRPC_GOOGLE_WELL_KNOWN_CREDENTIALS_FILE);
- gpr_free(appdata_path);
+ char *appdata_path = gpr_getenv ("APPDATA");
+ if (appdata_path == NULL)
+ {
+ gpr_log (GPR_ERROR, "Could not get APPDATA environment variable.");
+ return NULL;
+ }
+ gpr_asprintf (&result, "%s/%s/%s", appdata_path, GRPC_GOOGLE_CLOUD_SDK_CONFIG_DIRECTORY, GRPC_GOOGLE_WELL_KNOWN_CREDENTIALS_FILE);
+ gpr_free (appdata_path);
return result;
}
diff --git a/src/core/security/google_default_credentials.c b/src/core/security/google_default_credentials.c
index 4a7ab53c1e..308f9a39f6 100644
--- a/src/core/security/google_default_credentials.c
+++ b/src/core/security/google_default_credentials.c
@@ -54,42 +54,53 @@ static int compute_engine_detection_done = 0;
static gpr_mu g_mu;
static gpr_once g_once = GPR_ONCE_INIT;
-static void init_default_credentials(void) { gpr_mu_init(&g_mu); }
+static void
+init_default_credentials (void)
+{
+ gpr_mu_init (&g_mu);
+}
-typedef struct {
+typedef struct
+{
grpc_pollset pollset;
int is_done;
int success;
} compute_engine_detector;
-static void on_compute_engine_detection_http_response(
- void *user_data, const grpc_httpcli_response *response,
- grpc_closure_list *closure_list) {
- compute_engine_detector *detector = (compute_engine_detector *)user_data;
- if (response != NULL && response->status == 200 && response->hdr_count > 0) {
- /* Internet providers can return a generic response to all requests, so
- it is necessary to check that metadata header is present also. */
- size_t i;
- for (i = 0; i < response->hdr_count; i++) {
- grpc_httpcli_header *header = &response->hdrs[i];
- if (strcmp(header->key, "Metadata-Flavor") == 0 &&
- strcmp(header->value, "Google") == 0) {
- detector->success = 1;
- break;
- }
+static void
+on_compute_engine_detection_http_response (void *user_data, const grpc_httpcli_response * response, grpc_closure_list * closure_list)
+{
+ compute_engine_detector *detector = (compute_engine_detector *) user_data;
+ if (response != NULL && response->status == 200 && response->hdr_count > 0)
+ {
+ /* Internet providers can return a generic response to all requests, so
+ it is necessary to check that metadata header is present also. */
+ size_t i;
+ for (i = 0; i < response->hdr_count; i++)
+ {
+ grpc_httpcli_header *header = &response->hdrs[i];
+ if (strcmp (header->key, "Metadata-Flavor") == 0 && strcmp (header->value, "Google") == 0)
+ {
+ detector->success = 1;
+ break;
+ }
+ }
}
- }
- gpr_mu_lock(GRPC_POLLSET_MU(&detector->pollset));
+ gpr_mu_lock (GRPC_POLLSET_MU (&detector->pollset));
detector->is_done = 1;
- grpc_pollset_kick(&detector->pollset, NULL);
- gpr_mu_unlock(GRPC_POLLSET_MU(&detector->pollset));
+ grpc_pollset_kick (&detector->pollset, NULL);
+ gpr_mu_unlock (GRPC_POLLSET_MU (&detector->pollset));
}
-static void destroy_pollset(void *p, int s, grpc_closure_list *closure_list) {
- grpc_pollset_destroy(p);
+static void
+destroy_pollset (void *p, int s, grpc_closure_list * closure_list)
+{
+ grpc_pollset_destroy (p);
}
-static int is_stack_running_on_compute_engine(void) {
+static int
+is_stack_running_on_compute_engine (void)
+{
compute_engine_detector detector;
grpc_httpcli_request request;
grpc_httpcli_context context;
@@ -98,137 +109,147 @@ static int is_stack_running_on_compute_engine(void) {
/* The http call is local. If it takes more than one sec, it is for sure not
on compute engine. */
- gpr_timespec max_detection_delay = gpr_time_from_seconds(1, GPR_TIMESPAN);
+ gpr_timespec max_detection_delay = gpr_time_from_seconds (1, GPR_TIMESPAN);
- grpc_pollset_init(&detector.pollset);
+ grpc_pollset_init (&detector.pollset);
detector.is_done = 0;
detector.success = 0;
- memset(&request, 0, sizeof(grpc_httpcli_request));
+ memset (&request, 0, sizeof (grpc_httpcli_request));
request.host = GRPC_COMPUTE_ENGINE_DETECTION_HOST;
request.path = "/";
- grpc_httpcli_context_init(&context);
+ grpc_httpcli_context_init (&context);
- grpc_httpcli_get(
- &context, &detector.pollset, &request,
- gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), max_detection_delay),
- on_compute_engine_detection_http_response, &detector, &closure_list);
+ grpc_httpcli_get (&context, &detector.pollset, &request, gpr_time_add (gpr_now (GPR_CLOCK_REALTIME), max_detection_delay), on_compute_engine_detection_http_response, &detector, &closure_list);
- grpc_closure_list_run(&closure_list);
+ grpc_closure_list_run (&closure_list);
/* Block until we get the response. This is not ideal but this should only be
called once for the lifetime of the process by the default credentials. */
- gpr_mu_lock(GRPC_POLLSET_MU(&detector.pollset));
- while (!detector.is_done) {
- grpc_pollset_worker worker;
- grpc_pollset_work(&detector.pollset, &worker, gpr_now(GPR_CLOCK_MONOTONIC),
- gpr_inf_future(GPR_CLOCK_MONOTONIC), &closure_list);
- }
- gpr_mu_unlock(GRPC_POLLSET_MU(&detector.pollset));
-
- grpc_httpcli_context_destroy(&context);
- grpc_closure_init(&destroy_closure, destroy_pollset, &detector.pollset);
- grpc_pollset_shutdown(&detector.pollset, &destroy_closure, &closure_list);
- grpc_closure_list_run(&closure_list);
+ gpr_mu_lock (GRPC_POLLSET_MU (&detector.pollset));
+ while (!detector.is_done)
+ {
+ grpc_pollset_worker worker;
+ grpc_pollset_work (&detector.pollset, &worker, gpr_now (GPR_CLOCK_MONOTONIC), gpr_inf_future (GPR_CLOCK_MONOTONIC), &closure_list);
+ }
+ gpr_mu_unlock (GRPC_POLLSET_MU (&detector.pollset));
+
+ grpc_httpcli_context_destroy (&context);
+ grpc_closure_init (&destroy_closure, destroy_pollset, &detector.pollset);
+ grpc_pollset_shutdown (&detector.pollset, &destroy_closure, &closure_list);
+ grpc_closure_list_run (&closure_list);
return detector.success;
}
/* Takes ownership of creds_path if not NULL. */
-static grpc_credentials *create_default_creds_from_path(char *creds_path) {
+static grpc_credentials *
+create_default_creds_from_path (char *creds_path)
+{
grpc_json *json = NULL;
grpc_auth_json_key key;
grpc_auth_refresh_token token;
grpc_credentials *result = NULL;
- gpr_slice creds_data = gpr_empty_slice();
+ gpr_slice creds_data = gpr_empty_slice ();
int file_ok = 0;
- if (creds_path == NULL) goto end;
- creds_data = gpr_load_file(creds_path, 0, &file_ok);
- if (!file_ok) goto end;
- json = grpc_json_parse_string_with_len(
- (char *)GPR_SLICE_START_PTR(creds_data), GPR_SLICE_LENGTH(creds_data));
- if (json == NULL) goto end;
+ if (creds_path == NULL)
+ goto end;
+ creds_data = gpr_load_file (creds_path, 0, &file_ok);
+ if (!file_ok)
+ goto end;
+ json = grpc_json_parse_string_with_len ((char *) GPR_SLICE_START_PTR (creds_data), GPR_SLICE_LENGTH (creds_data));
+ if (json == NULL)
+ goto end;
/* First, try an auth json key. */
- key = grpc_auth_json_key_create_from_json(json);
- if (grpc_auth_json_key_is_valid(&key)) {
- result =
- grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
- key, grpc_max_auth_token_lifetime);
- goto end;
- }
+ key = grpc_auth_json_key_create_from_json (json);
+ if (grpc_auth_json_key_is_valid (&key))
+ {
+ result = grpc_service_account_jwt_access_credentials_create_from_auth_json_key (key, grpc_max_auth_token_lifetime);
+ goto end;
+ }
/* Then try a refresh token if the auth json key was invalid. */
- token = grpc_auth_refresh_token_create_from_json(json);
- if (grpc_auth_refresh_token_is_valid(&token)) {
- result =
- grpc_refresh_token_credentials_create_from_auth_refresh_token(token);
- goto end;
- }
+ token = grpc_auth_refresh_token_create_from_json (json);
+ if (grpc_auth_refresh_token_is_valid (&token))
+ {
+ result = grpc_refresh_token_credentials_create_from_auth_refresh_token (token);
+ goto end;
+ }
end:
- if (creds_path != NULL) gpr_free(creds_path);
- gpr_slice_unref(creds_data);
- if (json != NULL) grpc_json_destroy(json);
+ if (creds_path != NULL)
+ gpr_free (creds_path);
+ gpr_slice_unref (creds_data);
+ if (json != NULL)
+ grpc_json_destroy (json);
return result;
}
-grpc_credentials *grpc_google_default_credentials_create(void) {
+grpc_credentials *
+grpc_google_default_credentials_create (void)
+{
grpc_credentials *result = NULL;
int serving_cached_credentials = 0;
- gpr_once_init(&g_once, init_default_credentials);
+ gpr_once_init (&g_once, init_default_credentials);
- gpr_mu_lock(&g_mu);
+ gpr_mu_lock (&g_mu);
- if (default_credentials != NULL) {
- result = grpc_credentials_ref(default_credentials);
- serving_cached_credentials = 1;
- goto end;
- }
+ if (default_credentials != NULL)
+ {
+ result = grpc_credentials_ref (default_credentials);
+ serving_cached_credentials = 1;
+ goto end;
+ }
/* First, try the environment variable. */
- result = create_default_creds_from_path(
- gpr_getenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR));
- if (result != NULL) goto end;
+ result = create_default_creds_from_path (gpr_getenv (GRPC_GOOGLE_CREDENTIALS_ENV_VAR));
+ if (result != NULL)
+ goto end;
/* Then the well-known file. */
- result = create_default_creds_from_path(
- grpc_get_well_known_google_credentials_file_path());
- if (result != NULL) goto end;
+ result = create_default_creds_from_path (grpc_get_well_known_google_credentials_file_path ());
+ if (result != NULL)
+ goto end;
/* At last try to see if we're on compute engine (do the detection only once
since it requires a network test). */
- if (!compute_engine_detection_done) {
- int need_compute_engine_creds = is_stack_running_on_compute_engine();
- compute_engine_detection_done = 1;
- if (need_compute_engine_creds) {
- result = grpc_google_compute_engine_credentials_create(NULL);
+ if (!compute_engine_detection_done)
+ {
+ int need_compute_engine_creds = is_stack_running_on_compute_engine ();
+ compute_engine_detection_done = 1;
+ if (need_compute_engine_creds)
+ {
+ result = grpc_google_compute_engine_credentials_create (NULL);
+ }
}
- }
end:
- if (!serving_cached_credentials && result != NULL) {
- /* Blend with default ssl credentials and add a global reference so that it
- can be cached and re-served. */
- grpc_credentials *ssl_creds = grpc_ssl_credentials_create(NULL, NULL, NULL);
- default_credentials = grpc_credentials_ref(
- grpc_composite_credentials_create(ssl_creds, result, NULL));
- GPR_ASSERT(default_credentials != NULL);
- grpc_credentials_unref(ssl_creds);
- grpc_credentials_unref(result);
- result = default_credentials;
- }
- gpr_mu_unlock(&g_mu);
+ if (!serving_cached_credentials && result != NULL)
+ {
+ /* Blend with default ssl credentials and add a global reference so that it
+ can be cached and re-served. */
+ grpc_credentials *ssl_creds = grpc_ssl_credentials_create (NULL, NULL, NULL);
+ default_credentials = grpc_credentials_ref (grpc_composite_credentials_create (ssl_creds, result, NULL));
+ GPR_ASSERT (default_credentials != NULL);
+ grpc_credentials_unref (ssl_creds);
+ grpc_credentials_unref (result);
+ result = default_credentials;
+ }
+ gpr_mu_unlock (&g_mu);
return result;
}
-void grpc_flush_cached_google_default_credentials(void) {
- gpr_once_init(&g_once, init_default_credentials);
- gpr_mu_lock(&g_mu);
- if (default_credentials != NULL) {
- grpc_credentials_unref(default_credentials);
- default_credentials = NULL;
- }
- gpr_mu_unlock(&g_mu);
+void
+grpc_flush_cached_google_default_credentials (void)
+{
+ gpr_once_init (&g_once, init_default_credentials);
+ gpr_mu_lock (&g_mu);
+ if (default_credentials != NULL)
+ {
+ grpc_credentials_unref (default_credentials);
+ default_credentials = NULL;
+ }
+ gpr_mu_unlock (&g_mu);
}
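Review bot: In grpc_google_default_credentials_create the `compute_engine_detection_done = 1;` assignment runs regardless of why is_stack_running_on_compute_engine returned 0, so a probe that merely exceeded the one-second deadline or hit a transient network error is cached for the life of the process as "not on compute engine" and every later call returns NULL without retrying. If that trade-off is intended it deserves a comment next to the assignment, e.g. `/* Negative results are cached too: a timed-out or failed probe is never retried. */`; if not, the detector would need to distinguish a definite answer from a timeout before the flag is set. Separately, create_default_creds_from_path parses a file that may hold a service-account private key, and `gpr_slice_unref (creds_data)` / `grpc_json_destroy (json)` release those bytes without clearing them, which a comment on the cleanup label should mention for anyone hardening this path later. is_stack_running_on_compute_engine begins in the previous hunk.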
diff --git a/src/core/security/handshake.c b/src/core/security/handshake.c
index caad12a653..85f84ac963 100644
--- a/src/core/security/handshake.c
+++ b/src/core/security/handshake.c
@@ -42,7 +42,8 @@
#define GRPC_INITIAL_HANDSHAKE_BUFFER_SIZE 256
-typedef struct {
+typedef struct
+{
grpc_security_connector *connector;
tsi_handshaker *handshaker;
unsigned char *handshake_buffer;
@@ -58,123 +59,131 @@ typedef struct {
grpc_closure on_handshake_data_received_from_peer;
} grpc_security_handshake;
-static void on_handshake_data_received_from_peer(
- void *setup, int success, grpc_closure_list *closure_list);
+static void on_handshake_data_received_from_peer (void *setup, int success, grpc_closure_list * closure_list);
-static void on_handshake_data_sent_to_peer(void *setup, int success,
- grpc_closure_list *closure_list);
+static void on_handshake_data_sent_to_peer (void *setup, int success, grpc_closure_list * closure_list);
-static void security_handshake_done(grpc_security_handshake *h, int is_success,
- grpc_closure_list *closure_list) {
- if (is_success) {
- h->cb(h->user_data, GRPC_SECURITY_OK, h->wrapped_endpoint,
- h->secure_endpoint, closure_list);
- } else {
- if (h->secure_endpoint != NULL) {
- grpc_endpoint_shutdown(h->secure_endpoint, closure_list);
- grpc_endpoint_destroy(h->secure_endpoint, closure_list);
- } else {
- grpc_endpoint_destroy(h->wrapped_endpoint, closure_list);
+static void
+security_handshake_done (grpc_security_handshake * h, int is_success, grpc_closure_list * closure_list)
+{
+ if (is_success)
+ {
+ h->cb (h->user_data, GRPC_SECURITY_OK, h->wrapped_endpoint, h->secure_endpoint, closure_list);
}
- h->cb(h->user_data, GRPC_SECURITY_ERROR, h->wrapped_endpoint, NULL,
- closure_list);
- }
- if (h->handshaker != NULL) tsi_handshaker_destroy(h->handshaker);
- if (h->handshake_buffer != NULL) gpr_free(h->handshake_buffer);
- gpr_slice_buffer_destroy(&h->left_overs);
- gpr_slice_buffer_destroy(&h->outgoing);
- gpr_slice_buffer_destroy(&h->incoming);
- GRPC_SECURITY_CONNECTOR_UNREF(h->connector, "handshake");
- gpr_free(h);
+ else
+ {
+ if (h->secure_endpoint != NULL)
+ {
+ grpc_endpoint_shutdown (h->secure_endpoint, closure_list);
+ grpc_endpoint_destroy (h->secure_endpoint, closure_list);
+ }
+ else
+ {
+ grpc_endpoint_destroy (h->wrapped_endpoint, closure_list);
+ }
+ h->cb (h->user_data, GRPC_SECURITY_ERROR, h->wrapped_endpoint, NULL, closure_list);
+ }
+ if (h->handshaker != NULL)
+ tsi_handshaker_destroy (h->handshaker);
+ if (h->handshake_buffer != NULL)
+ gpr_free (h->handshake_buffer);
+ gpr_slice_buffer_destroy (&h->left_overs);
+ gpr_slice_buffer_destroy (&h->outgoing);
+ gpr_slice_buffer_destroy (&h->incoming);
+ GRPC_SECURITY_CONNECTOR_UNREF (h->connector, "handshake");
+ gpr_free (h);
}
-static void on_peer_checked(void *user_data, grpc_security_status status,
- grpc_closure_list *closure_list) {
+static void
+on_peer_checked (void *user_data, grpc_security_status status, grpc_closure_list * closure_list)
+{
grpc_security_handshake *h = user_data;
tsi_frame_protector *protector;
tsi_result result;
- if (status != GRPC_SECURITY_OK) {
- gpr_log(GPR_ERROR, "Error checking peer.");
- security_handshake_done(h, 0, closure_list);
- return;
- }
- result =
- tsi_handshaker_create_frame_protector(h->handshaker, NULL, &protector);
- if (result != TSI_OK) {
- gpr_log(GPR_ERROR, "Frame protector creation failed with error %s.",
- tsi_result_to_string(result));
- security_handshake_done(h, 0, closure_list);
- return;
- }
- h->secure_endpoint =
- grpc_secure_endpoint_create(protector, h->wrapped_endpoint,
- h->left_overs.slices, h->left_overs.count);
+ if (status != GRPC_SECURITY_OK)
+ {
+ gpr_log (GPR_ERROR, "Error checking peer.");
+ security_handshake_done (h, 0, closure_list);
+ return;
+ }
+ result = tsi_handshaker_create_frame_protector (h->handshaker, NULL, &protector);
+ if (result != TSI_OK)
+ {
+ gpr_log (GPR_ERROR, "Frame protector creation failed with error %s.", tsi_result_to_string (result));
+ security_handshake_done (h, 0, closure_list);
+ return;
+ }
+ h->secure_endpoint = grpc_secure_endpoint_create (protector, h->wrapped_endpoint, h->left_overs.slices, h->left_overs.count);
h->left_overs.count = 0;
h->left_overs.length = 0;
- security_handshake_done(h, 1, closure_list);
+ security_handshake_done (h, 1, closure_list);
return;
}
-static void check_peer(grpc_security_handshake *h,
- grpc_closure_list *closure_list) {
+static void
+check_peer (grpc_security_handshake * h, grpc_closure_list * closure_list)
+{
grpc_security_status peer_status;
tsi_peer peer;
- tsi_result result = tsi_handshaker_extract_peer(h->handshaker, &peer);
+ tsi_result result = tsi_handshaker_extract_peer (h->handshaker, &peer);
- if (result != TSI_OK) {
- gpr_log(GPR_ERROR, "Peer extraction failed with error %s",
- tsi_result_to_string(result));
- security_handshake_done(h, 0, closure_list);
- return;
- }
- peer_status = grpc_security_connector_check_peer(h->connector, peer,
- on_peer_checked, h);
- if (peer_status == GRPC_SECURITY_ERROR) {
- gpr_log(GPR_ERROR, "Peer check failed.");
- security_handshake_done(h, 0, closure_list);
- return;
- } else if (peer_status == GRPC_SECURITY_OK) {
- on_peer_checked(h, peer_status, closure_list);
- }
+ if (result != TSI_OK)
+ {
+ gpr_log (GPR_ERROR, "Peer extraction failed with error %s", tsi_result_to_string (result));
+ security_handshake_done (h, 0, closure_list);
+ return;
+ }
+ peer_status = grpc_security_connector_check_peer (h->connector, peer, on_peer_checked, h);
+ if (peer_status == GRPC_SECURITY_ERROR)
+ {
+ gpr_log (GPR_ERROR, "Peer check failed.");
+ security_handshake_done (h, 0, closure_list);
+ return;
+ }
+ else if (peer_status == GRPC_SECURITY_OK)
+ {
+ on_peer_checked (h, peer_status, closure_list);
+ }
}
-static void send_handshake_bytes_to_peer(grpc_security_handshake *h,
- grpc_closure_list *closure_list) {
+static void
+send_handshake_bytes_to_peer (grpc_security_handshake * h, grpc_closure_list * closure_list)
+{
size_t offset = 0;
tsi_result result = TSI_OK;
gpr_slice to_send;
- do {
- size_t to_send_size = h->handshake_buffer_size - offset;
- result = tsi_handshaker_get_bytes_to_send_to_peer(
- h->handshaker, h->handshake_buffer + offset, &to_send_size);
- offset += to_send_size;
- if (result == TSI_INCOMPLETE_DATA) {
- h->handshake_buffer_size *= 2;
- h->handshake_buffer =
- gpr_realloc(h->handshake_buffer, h->handshake_buffer_size);
+ do
+ {
+ size_t to_send_size = h->handshake_buffer_size - offset;
+ result = tsi_handshaker_get_bytes_to_send_to_peer (h->handshaker, h->handshake_buffer + offset, &to_send_size);
+ offset += to_send_size;
+ if (result == TSI_INCOMPLETE_DATA)
+ {
+ h->handshake_buffer_size *= 2;
+ h->handshake_buffer = gpr_realloc (h->handshake_buffer, h->handshake_buffer_size);
+ }
}
- } while (result == TSI_INCOMPLETE_DATA);
+ while (result == TSI_INCOMPLETE_DATA);
- if (result != TSI_OK) {
- gpr_log(GPR_ERROR, "Handshake failed with error %s",
- tsi_result_to_string(result));
- security_handshake_done(h, 0, closure_list);
- return;
- }
+ if (result != TSI_OK)
+ {
+ gpr_log (GPR_ERROR, "Handshake failed with error %s", tsi_result_to_string (result));
+ security_handshake_done (h, 0, closure_list);
+ return;
+ }
- to_send =
- gpr_slice_from_copied_buffer((const char *)h->handshake_buffer, offset);
- gpr_slice_buffer_reset_and_unref(&h->outgoing);
- gpr_slice_buffer_add(&h->outgoing, to_send);
+ to_send = gpr_slice_from_copied_buffer ((const char *) h->handshake_buffer, offset);
+ gpr_slice_buffer_reset_and_unref (&h->outgoing);
+ gpr_slice_buffer_add (&h->outgoing, to_send);
/* TODO(klempner,jboeuf): This should probably use the client setup
- deadline */
- grpc_endpoint_write(h->wrapped_endpoint, &h->outgoing,
- &h->on_handshake_data_sent_to_peer, closure_list);
+ deadline */
+ grpc_endpoint_write (h->wrapped_endpoint, &h->outgoing, &h->on_handshake_data_sent_to_peer, closure_list);
}
-static void on_handshake_data_received_from_peer(
- void *handshake, int success, grpc_closure_list *closure_list) {
+static void
+on_handshake_data_received_from_peer (void *handshake, int success, grpc_closure_list * closure_list)
+{
grpc_security_handshake *h = handshake;
size_t consumed_slice_size = 0;
tsi_result result = TSI_OK;
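Review bot: On the failure path of security_handshake_done the callback receives `h->wrapped_endpoint` after that endpoint has already been destroyed, either directly by grpc_endpoint_destroy or, presumably, indirectly when the secure endpoint created around it in on_peer_checked is destroyed, so the pointer handed to the callback must not be dereferenced. Nothing in the hunk says so; a comment before `h->cb (h->user_data, GRPC_SECURITY_ERROR, h->wrapped_endpoint, NULL, closure_list);` such as `/* wrapped_endpoint is already destroyed here; passed only so the callback can identify the connection. */` would prevent the obvious misuse, assuming callers outside this file indeed use it only as an identifier. In send_handshake_bytes_to_peer the `h->handshake_buffer_size *= 2` growth loop is bounded only by what the TSI handshaker reports as TSI_INCOMPLETE_DATA; a cap tied to the handshake protocol's maximum message size, or at least a comment stating why none is needed, would make the resource bound explicit.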
@@ -182,108 +191,106 @@ static void on_handshake_data_received_from_peer(
size_t num_left_overs;
int has_left_overs_in_current_slice = 0;
- if (!success) {
- gpr_log(GPR_ERROR, "Read failed.");
- security_handshake_done(h, 0, closure_list);
- return;
- }
+ if (!success)
+ {
+ gpr_log (GPR_ERROR, "Read failed.");
+ security_handshake_done (h, 0, closure_list);
+ return;
+ }
+
+ for (i = 0; i < h->incoming.count; i++)
+ {
+ consumed_slice_size = GPR_SLICE_LENGTH (h->incoming.slices[i]);
+ result = tsi_handshaker_process_bytes_from_peer (h->handshaker, GPR_SLICE_START_PTR (h->incoming.slices[i]), &consumed_slice_size);
+ if (!tsi_handshaker_is_in_progress (h->handshaker))
+ break;
+ }
- for (i = 0; i < h->incoming.count; i++) {
- consumed_slice_size = GPR_SLICE_LENGTH(h->incoming.slices[i]);
- result = tsi_handshaker_process_bytes_from_peer(
- h->handshaker, GPR_SLICE_START_PTR(h->incoming.slices[i]),
- &consumed_slice_size);
- if (!tsi_handshaker_is_in_progress(h->handshaker)) break;
- }
+ if (tsi_handshaker_is_in_progress (h->handshaker))
+ {
+ /* We may need more data. */
+ if (result == TSI_INCOMPLETE_DATA)
+ {
+ grpc_endpoint_read (h->wrapped_endpoint, &h->incoming, &h->on_handshake_data_received_from_peer, closure_list);
+ return;
+ }
+ else
+ {
+ send_handshake_bytes_to_peer (h, closure_list);
+ return;
+ }
+ }
- if (tsi_handshaker_is_in_progress(h->handshaker)) {
- /* We may need more data. */
- if (result == TSI_INCOMPLETE_DATA) {
- grpc_endpoint_read(h->wrapped_endpoint, &h->incoming,
- &h->on_handshake_data_received_from_peer,
- closure_list);
- return;
- } else {
- send_handshake_bytes_to_peer(h, closure_list);
+ if (result != TSI_OK)
+ {
+ gpr_log (GPR_ERROR, "Handshake failed with error %s", tsi_result_to_string (result));
+ security_handshake_done (h, 0, closure_list);
return;
}
- }
-
- if (result != TSI_OK) {
- gpr_log(GPR_ERROR, "Handshake failed with error %s",
- tsi_result_to_string(result));
- security_handshake_done(h, 0, closure_list);
- return;
- }
/* Handshake is done and successful this point. */
- has_left_overs_in_current_slice =
- (consumed_slice_size < GPR_SLICE_LENGTH(h->incoming.slices[i]));
- num_left_overs =
- (has_left_overs_in_current_slice ? 1 : 0) + h->incoming.count - i - 1;
- if (num_left_overs == 0) {
- check_peer(h, closure_list);
- return;
- }
+ has_left_overs_in_current_slice = (consumed_slice_size < GPR_SLICE_LENGTH (h->incoming.slices[i]));
+ num_left_overs = (has_left_overs_in_current_slice ? 1 : 0) + h->incoming.count - i - 1;
+ if (num_left_overs == 0)
+ {
+ check_peer (h, closure_list);
+ return;
+ }
/* Put the leftovers in our buffer (ownership transfered). */
- if (has_left_overs_in_current_slice) {
- gpr_slice_buffer_add(
- &h->left_overs,
- gpr_slice_split_tail(&h->incoming.slices[i], consumed_slice_size));
- gpr_slice_unref(
- h->incoming.slices[i]); /* split_tail above increments refcount. */
- }
- gpr_slice_buffer_addn(
- &h->left_overs, &h->incoming.slices[i + 1],
- num_left_overs - (size_t)has_left_overs_in_current_slice);
- check_peer(h, closure_list);
+ if (has_left_overs_in_current_slice)
+ {
+ gpr_slice_buffer_add (&h->left_overs, gpr_slice_split_tail (&h->incoming.slices[i], consumed_slice_size));
+ gpr_slice_unref (h->incoming.slices[i]); /* split_tail above increments refcount. */
+ }
+ gpr_slice_buffer_addn (&h->left_overs, &h->incoming.slices[i + 1], num_left_overs - (size_t) has_left_overs_in_current_slice);
+ check_peer (h, closure_list);
}
/* If handshake is NULL, the handshake is done. */
-static void on_handshake_data_sent_to_peer(void *handshake, int success,
- grpc_closure_list *closure_list) {
+static void
+on_handshake_data_sent_to_peer (void *handshake, int success, grpc_closure_list * closure_list)
+{
grpc_security_handshake *h = handshake;
/* Make sure that write is OK. */
- if (!success) {
- gpr_log(GPR_ERROR, "Write failed.");
- if (handshake != NULL) security_handshake_done(h, 0, closure_list);
- return;
- }
+ if (!success)
+ {
+ gpr_log (GPR_ERROR, "Write failed.");
+ if (handshake != NULL)
+ security_handshake_done (h, 0, closure_list);
+ return;
+ }
/* We may be done. */
- if (tsi_handshaker_is_in_progress(h->handshaker)) {
- /* TODO(klempner,jboeuf): This should probably use the client setup
- deadline */
- grpc_endpoint_read(h->wrapped_endpoint, &h->incoming,
- &h->on_handshake_data_received_from_peer, closure_list);
- } else {
- check_peer(h, closure_list);
- }
+ if (tsi_handshaker_is_in_progress (h->handshaker))
+ {
+ /* TODO(klempner,jboeuf): This should probably use the client setup
+ deadline */
+ grpc_endpoint_read (h->wrapped_endpoint, &h->incoming, &h->on_handshake_data_received_from_peer, closure_list);
+ }
+ else
+ {
+ check_peer (h, closure_list);
+ }
}
-void grpc_do_security_handshake(tsi_handshaker *handshaker,
- grpc_security_connector *connector,
- grpc_endpoint *nonsecure_endpoint,
- grpc_security_handshake_done_cb cb,
- void *user_data,
- grpc_closure_list *closure_list) {
- grpc_security_handshake *h = gpr_malloc(sizeof(grpc_security_handshake));
- memset(h, 0, sizeof(grpc_security_handshake));
+void
+grpc_do_security_handshake (tsi_handshaker * handshaker, grpc_security_connector * connector, grpc_endpoint * nonsecure_endpoint, grpc_security_handshake_done_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ grpc_security_handshake *h = gpr_malloc (sizeof (grpc_security_handshake));
+ memset (h, 0, sizeof (grpc_security_handshake));
h->handshaker = handshaker;
- h->connector = GRPC_SECURITY_CONNECTOR_REF(connector, "handshake");
+ h->connector = GRPC_SECURITY_CONNECTOR_REF (connector, "handshake");
h->handshake_buffer_size = GRPC_INITIAL_HANDSHAKE_BUFFER_SIZE;
- h->handshake_buffer = gpr_malloc(h->handshake_buffer_size);
+ h->handshake_buffer = gpr_malloc (h->handshake_buffer_size);
h->wrapped_endpoint = nonsecure_endpoint;
h->user_data = user_data;
h->cb = cb;
- grpc_closure_init(&h->on_handshake_data_sent_to_peer,
- on_handshake_data_sent_to_peer, h);
- grpc_closure_init(&h->on_handshake_data_received_from_peer,
- on_handshake_data_received_from_peer, h);
- gpr_slice_buffer_init(&h->left_overs);
- gpr_slice_buffer_init(&h->outgoing);
- gpr_slice_buffer_init(&h->incoming);
- send_handshake_bytes_to_peer(h, closure_list);
+ grpc_closure_init (&h->on_handshake_data_sent_to_peer, on_handshake_data_sent_to_peer, h);
+ grpc_closure_init (&h->on_handshake_data_received_from_peer, on_handshake_data_received_from_peer, h);
+ gpr_slice_buffer_init (&h->left_overs);
+ gpr_slice_buffer_init (&h->outgoing);
+ gpr_slice_buffer_init (&h->incoming);
+ send_handshake_bytes_to_peer (h, closure_list);
}
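Review bot: on_handshake_data_sent_to_peer checks `if (handshake != NULL)` on the write-failure path, and the comment above it says a NULL handshake means the handshake is done, yet the success path dereferences `h->handshaker` unconditionally, so a NULL argument would be a null dereference there; either the guard and comment are dead and should go, or the success path needs the same check, which depends on the callers outside this hunk. In on_handshake_data_received_from_peer, if `h->incoming.count` is 0 and the handshaker is already out of progress, the loop exits with `i == h->incoming.count` and `GPR_SLICE_LENGTH (h->incoming.slices[i])` reads one past the end; an early `if (i == h->incoming.count) { check_peer (h, closure_list); return; }` before the leftovers computation would close that, if a successful zero-slice read can actually occur.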
diff --git a/src/core/security/handshake.h b/src/core/security/handshake.h
index 368e8bf5e1..4d518e7edf 100644
--- a/src/core/security/handshake.h
+++ b/src/core/security/handshake.h
@@ -38,11 +38,6 @@
#include "src/core/security/security_connector.h"
/* Calls the callback upon completion. Takes owership of handshaker. */
-void grpc_do_security_handshake(tsi_handshaker *handshaker,
- grpc_security_connector *connector,
- grpc_endpoint *nonsecure_endpoint,
- grpc_security_handshake_done_cb cb,
- void *user_data,
- grpc_closure_list *closure_list);
+void grpc_do_security_handshake (tsi_handshaker * handshaker, grpc_security_connector * connector, grpc_endpoint * nonsecure_endpoint, grpc_security_handshake_done_cb cb, void *user_data, grpc_closure_list * closure_list);
#endif /* GRPC_INTERNAL_CORE_SECURITY_HANDSHAKE_H */
diff --git a/src/core/security/json_token.c b/src/core/security/json_token.c
index 021912f333..cf9b25bdc6 100644
--- a/src/core/security/json_token.c
+++ b/src/core/security/json_token.c
@@ -49,7 +49,7 @@
/* --- Constants. --- */
/* 1 hour max. */
-const gpr_timespec grpc_max_auth_token_lifetime = {3600, 0, GPR_TIMESPAN};
+const gpr_timespec grpc_max_auth_token_lifetime = { 3600, 0, GPR_TIMESPAN };
#define GRPC_JWT_RSA_SHA256_ALGORITHM "RS256"
#define GRPC_JWT_TYPE "JWT"
@@ -60,346 +60,398 @@ static grpc_jwt_encode_and_sign_override g_jwt_encode_and_sign_override = NULL;
/* --- grpc_auth_json_key. --- */
-static const char *json_get_string_property(const grpc_json *json,
- const char *prop_name) {
+static const char *
+json_get_string_property (const grpc_json * json, const char *prop_name)
+{
grpc_json *child;
- for (child = json->child; child != NULL; child = child->next) {
- if (strcmp(child->key, prop_name) == 0) break;
- }
- if (child == NULL || child->type != GRPC_JSON_STRING) {
- gpr_log(GPR_ERROR, "Invalid or missing %s property.", prop_name);
- return NULL;
- }
+ for (child = json->child; child != NULL; child = child->next)
+ {
+ if (strcmp (child->key, prop_name) == 0)
+ break;
+ }
+ if (child == NULL || child->type != GRPC_JSON_STRING)
+ {
+ gpr_log (GPR_ERROR, "Invalid or missing %s property.", prop_name);
+ return NULL;
+ }
return child->value;
}
-static int set_json_key_string_property(const grpc_json *json,
- const char *prop_name,
- char **json_key_field) {
- const char *prop_value = json_get_string_property(json, prop_name);
- if (prop_value == NULL) return 0;
- *json_key_field = gpr_strdup(prop_value);
+static int
+set_json_key_string_property (const grpc_json * json, const char *prop_name, char **json_key_field)
+{
+ const char *prop_value = json_get_string_property (json, prop_name);
+ if (prop_value == NULL)
+ return 0;
+ *json_key_field = gpr_strdup (prop_value);
return 1;
}
-int grpc_auth_json_key_is_valid(const grpc_auth_json_key *json_key) {
- return (json_key != NULL) &&
- strcmp(json_key->type, GRPC_AUTH_JSON_TYPE_INVALID);
+int
+grpc_auth_json_key_is_valid (const grpc_auth_json_key * json_key)
+{
+ return (json_key != NULL) && strcmp (json_key->type, GRPC_AUTH_JSON_TYPE_INVALID);
}
-grpc_auth_json_key grpc_auth_json_key_create_from_json(const grpc_json *json) {
+grpc_auth_json_key
+grpc_auth_json_key_create_from_json (const grpc_json * json)
+{
grpc_auth_json_key result;
BIO *bio = NULL;
const char *prop_value;
int success = 0;
- memset(&result, 0, sizeof(grpc_auth_json_key));
+ memset (&result, 0, sizeof (grpc_auth_json_key));
result.type = GRPC_AUTH_JSON_TYPE_INVALID;
- if (json == NULL) {
- gpr_log(GPR_ERROR, "Invalid json.");
- goto end;
- }
-
- prop_value = json_get_string_property(json, "type");
- if (prop_value == NULL ||
- strcmp(prop_value, GRPC_AUTH_JSON_TYPE_SERVICE_ACCOUNT)) {
- goto end;
- }
+ if (json == NULL)
+ {
+ gpr_log (GPR_ERROR, "Invalid json.");
+ goto end;
+ }
+
+ prop_value = json_get_string_property (json, "type");
+ if (prop_value == NULL || strcmp (prop_value, GRPC_AUTH_JSON_TYPE_SERVICE_ACCOUNT))
+ {
+ goto end;
+ }
result.type = GRPC_AUTH_JSON_TYPE_SERVICE_ACCOUNT;
- if (!set_json_key_string_property(json, "private_key_id",
- &result.private_key_id) ||
- !set_json_key_string_property(json, "client_id", &result.client_id) ||
- !set_json_key_string_property(json, "client_email",
- &result.client_email)) {
- goto end;
- }
-
- prop_value = json_get_string_property(json, "private_key");
- if (prop_value == NULL) {
- goto end;
- }
- bio = BIO_new(BIO_s_mem());
- success = BIO_puts(bio, prop_value);
- if ((success < 0) || ((size_t)success != strlen(prop_value))) {
- gpr_log(GPR_ERROR, "Could not write into openssl BIO.");
- goto end;
- }
- result.private_key = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, "");
- if (result.private_key == NULL) {
- gpr_log(GPR_ERROR, "Could not deserialize private key.");
- goto end;
- }
+ if (!set_json_key_string_property (json, "private_key_id", &result.private_key_id) || !set_json_key_string_property (json, "client_id", &result.client_id) || !set_json_key_string_property (json, "client_email", &result.client_email))
+ {
+ goto end;
+ }
+
+ prop_value = json_get_string_property (json, "private_key");
+ if (prop_value == NULL)
+ {
+ goto end;
+ }
+ bio = BIO_new (BIO_s_mem ());
+ success = BIO_puts (bio, prop_value);
+ if ((success < 0) || ((size_t) success != strlen (prop_value)))
+ {
+ gpr_log (GPR_ERROR, "Could not write into openssl BIO.");
+ goto end;
+ }
+ result.private_key = PEM_read_bio_RSAPrivateKey (bio, NULL, NULL, "");
+ if (result.private_key == NULL)
+ {
+ gpr_log (GPR_ERROR, "Could not deserialize private key.");
+ goto end;
+ }
success = 1;
end:
- if (bio != NULL) BIO_free(bio);
- if (!success) grpc_auth_json_key_destruct(&result);
+ if (bio != NULL)
+ BIO_free (bio);
+ if (!success)
+ grpc_auth_json_key_destruct (&result);
return result;
}
-grpc_auth_json_key grpc_auth_json_key_create_from_string(
- const char *json_string) {
- char *scratchpad = gpr_strdup(json_string);
- grpc_json *json = grpc_json_parse_string(scratchpad);
- grpc_auth_json_key result = grpc_auth_json_key_create_from_json(json);
- if (json != NULL) grpc_json_destroy(json);
- gpr_free(scratchpad);
+grpc_auth_json_key
+grpc_auth_json_key_create_from_string (const char *json_string)
+{
+ char *scratchpad = gpr_strdup (json_string);
+ grpc_json *json = grpc_json_parse_string (scratchpad);
+ grpc_auth_json_key result = grpc_auth_json_key_create_from_json (json);
+ if (json != NULL)
+ grpc_json_destroy (json);
+ gpr_free (scratchpad);
return result;
}
-void grpc_auth_json_key_destruct(grpc_auth_json_key *json_key) {
- if (json_key == NULL) return;
+void
+grpc_auth_json_key_destruct (grpc_auth_json_key * json_key)
+{
+ if (json_key == NULL)
+ return;
json_key->type = GRPC_AUTH_JSON_TYPE_INVALID;
- if (json_key->client_id != NULL) {
- gpr_free(json_key->client_id);
- json_key->client_id = NULL;
- }
- if (json_key->private_key_id != NULL) {
- gpr_free(json_key->private_key_id);
- json_key->private_key_id = NULL;
- }
- if (json_key->client_email != NULL) {
- gpr_free(json_key->client_email);
- json_key->client_email = NULL;
- }
- if (json_key->private_key != NULL) {
- RSA_free(json_key->private_key);
- json_key->private_key = NULL;
- }
+ if (json_key->client_id != NULL)
+ {
+ gpr_free (json_key->client_id);
+ json_key->client_id = NULL;
+ }
+ if (json_key->private_key_id != NULL)
+ {
+ gpr_free (json_key->private_key_id);
+ json_key->private_key_id = NULL;
+ }
+ if (json_key->client_email != NULL)
+ {
+ gpr_free (json_key->client_email);
+ json_key->client_email = NULL;
+ }
+ if (json_key->private_key != NULL)
+ {
+ RSA_free (json_key->private_key);
+ json_key->private_key = NULL;
+ }
}
/* --- jwt encoding and signature. --- */
-static grpc_json *create_child(grpc_json *brother, grpc_json *parent,
- const char *key, const char *value,
- grpc_json_type type) {
- grpc_json *child = grpc_json_create(type);
- if (brother) brother->next = child;
- if (!parent->child) parent->child = child;
+static grpc_json *
+create_child (grpc_json * brother, grpc_json * parent, const char *key, const char *value, grpc_json_type type)
+{
+ grpc_json *child = grpc_json_create (type);
+ if (brother)
+ brother->next = child;
+ if (!parent->child)
+ parent->child = child;
child->parent = parent;
child->value = value;
child->key = key;
return child;
}
-static char *encoded_jwt_header(const char *key_id, const char *algorithm) {
- grpc_json *json = grpc_json_create(GRPC_JSON_OBJECT);
+static char *
+encoded_jwt_header (const char *key_id, const char *algorithm)
+{
+ grpc_json *json = grpc_json_create (GRPC_JSON_OBJECT);
grpc_json *child = NULL;
char *json_str = NULL;
char *result = NULL;
- child = create_child(NULL, json, "alg", algorithm, GRPC_JSON_STRING);
- child = create_child(child, json, "typ", GRPC_JWT_TYPE, GRPC_JSON_STRING);
- create_child(child, json, "kid", key_id, GRPC_JSON_STRING);
+ child = create_child (NULL, json, "alg", algorithm, GRPC_JSON_STRING);
+ child = create_child (child, json, "typ", GRPC_JWT_TYPE, GRPC_JSON_STRING);
+ create_child (child, json, "kid", key_id, GRPC_JSON_STRING);
- json_str = grpc_json_dump_to_string(json, 0);
- result = grpc_base64_encode(json_str, strlen(json_str), 1, 0);
- gpr_free(json_str);
- grpc_json_destroy(json);
+ json_str = grpc_json_dump_to_string (json, 0);
+ result = grpc_base64_encode (json_str, strlen (json_str), 1, 0);
+ gpr_free (json_str);
+ grpc_json_destroy (json);
return result;
}
-static char *encoded_jwt_claim(const grpc_auth_json_key *json_key,
- const char *audience,
- gpr_timespec token_lifetime, const char *scope) {
- grpc_json *json = grpc_json_create(GRPC_JSON_OBJECT);
+static char *
+encoded_jwt_claim (const grpc_auth_json_key * json_key, const char *audience, gpr_timespec token_lifetime, const char *scope)
+{
+ grpc_json *json = grpc_json_create (GRPC_JSON_OBJECT);
grpc_json *child = NULL;
char *json_str = NULL;
char *result = NULL;
- gpr_timespec now = gpr_now(GPR_CLOCK_REALTIME);
- gpr_timespec expiration = gpr_time_add(now, token_lifetime);
+ gpr_timespec now = gpr_now (GPR_CLOCK_REALTIME);
+ gpr_timespec expiration = gpr_time_add (now, token_lifetime);
char now_str[GPR_LTOA_MIN_BUFSIZE];
char expiration_str[GPR_LTOA_MIN_BUFSIZE];
- if (gpr_time_cmp(token_lifetime, grpc_max_auth_token_lifetime) > 0) {
- gpr_log(GPR_INFO, "Cropping token lifetime to maximum allowed value.");
- expiration = gpr_time_add(now, grpc_max_auth_token_lifetime);
- }
- gpr_ltoa(now.tv_sec, now_str);
- gpr_ltoa(expiration.tv_sec, expiration_str);
-
- child =
- create_child(NULL, json, "iss", json_key->client_email, GRPC_JSON_STRING);
- if (scope != NULL) {
- child = create_child(child, json, "scope", scope, GRPC_JSON_STRING);
- } else {
- /* Unscoped JWTs need a sub field. */
- child = create_child(child, json, "sub", json_key->client_email,
- GRPC_JSON_STRING);
- }
-
- child = create_child(child, json, "aud", audience, GRPC_JSON_STRING);
- child = create_child(child, json, "iat", now_str, GRPC_JSON_NUMBER);
- create_child(child, json, "exp", expiration_str, GRPC_JSON_NUMBER);
-
- json_str = grpc_json_dump_to_string(json, 0);
- result = grpc_base64_encode(json_str, strlen(json_str), 1, 0);
- gpr_free(json_str);
- grpc_json_destroy(json);
+ if (gpr_time_cmp (token_lifetime, grpc_max_auth_token_lifetime) > 0)
+ {
+ gpr_log (GPR_INFO, "Cropping token lifetime to maximum allowed value.");
+ expiration = gpr_time_add (now, grpc_max_auth_token_lifetime);
+ }
+ gpr_ltoa (now.tv_sec, now_str);
+ gpr_ltoa (expiration.tv_sec, expiration_str);
+
+ child = create_child (NULL, json, "iss", json_key->client_email, GRPC_JSON_STRING);
+ if (scope != NULL)
+ {
+ child = create_child (child, json, "scope", scope, GRPC_JSON_STRING);
+ }
+ else
+ {
+ /* Unscoped JWTs need a sub field. */
+ child = create_child (child, json, "sub", json_key->client_email, GRPC_JSON_STRING);
+ }
+
+ child = create_child (child, json, "aud", audience, GRPC_JSON_STRING);
+ child = create_child (child, json, "iat", now_str, GRPC_JSON_NUMBER);
+ create_child (child, json, "exp", expiration_str, GRPC_JSON_NUMBER);
+
+ json_str = grpc_json_dump_to_string (json, 0);
+ result = grpc_base64_encode (json_str, strlen (json_str), 1, 0);
+ gpr_free (json_str);
+ grpc_json_destroy (json);
return result;
}
-static char *dot_concat_and_free_strings(char *str1, char *str2) {
- size_t str1_len = strlen(str1);
- size_t str2_len = strlen(str2);
- size_t result_len = str1_len + 1 /* dot */ + str2_len;
- char *result = gpr_malloc(result_len + 1 /* NULL terminated */);
+static char *
+dot_concat_and_free_strings (char *str1, char *str2)
+{
+ size_t str1_len = strlen (str1);
+ size_t str2_len = strlen (str2);
+ size_t result_len = str1_len + 1 /* dot */ + str2_len;
+ char *result = gpr_malloc (result_len + 1 /* NULL terminated */ );
char *current = result;
- memcpy(current, str1, str1_len);
+ memcpy (current, str1, str1_len);
current += str1_len;
*(current++) = '.';
- memcpy(current, str2, str2_len);
+ memcpy (current, str2, str2_len);
current += str2_len;
- GPR_ASSERT(current >= result);
- GPR_ASSERT((gpr_uintptr)(current - result) == result_len);
+ GPR_ASSERT (current >= result);
+ GPR_ASSERT ((gpr_uintptr) (current - result) == result_len);
*current = '\0';
- gpr_free(str1);
- gpr_free(str2);
+ gpr_free (str1);
+ gpr_free (str2);
return result;
}
-const EVP_MD *openssl_digest_from_algorithm(const char *algorithm) {
- if (strcmp(algorithm, GRPC_JWT_RSA_SHA256_ALGORITHM) == 0) {
- return EVP_sha256();
- } else {
- gpr_log(GPR_ERROR, "Unknown algorithm %s.", algorithm);
- return NULL;
- }
+const EVP_MD *
+openssl_digest_from_algorithm (const char *algorithm)
+{
+ if (strcmp (algorithm, GRPC_JWT_RSA_SHA256_ALGORITHM) == 0)
+ {
+ return EVP_sha256 ();
+ }
+ else
+ {
+ gpr_log (GPR_ERROR, "Unknown algorithm %s.", algorithm);
+ return NULL;
+ }
}
-char *compute_and_encode_signature(const grpc_auth_json_key *json_key,
- const char *signature_algorithm,
- const char *to_sign) {
- const EVP_MD *md = openssl_digest_from_algorithm(signature_algorithm);
+char *
+compute_and_encode_signature (const grpc_auth_json_key * json_key, const char *signature_algorithm, const char *to_sign)
+{
+ const EVP_MD *md = openssl_digest_from_algorithm (signature_algorithm);
EVP_MD_CTX *md_ctx = NULL;
- EVP_PKEY *key = EVP_PKEY_new();
+ EVP_PKEY *key = EVP_PKEY_new ();
size_t sig_len = 0;
unsigned char *sig = NULL;
char *result = NULL;
- if (md == NULL) return NULL;
- md_ctx = EVP_MD_CTX_create();
- if (md_ctx == NULL) {
- gpr_log(GPR_ERROR, "Could not create MD_CTX");
- goto end;
- }
- EVP_PKEY_set1_RSA(key, json_key->private_key);
- if (EVP_DigestSignInit(md_ctx, NULL, md, NULL, key) != 1) {
- gpr_log(GPR_ERROR, "DigestInit failed.");
- goto end;
- }
- if (EVP_DigestSignUpdate(md_ctx, to_sign, strlen(to_sign)) != 1) {
- gpr_log(GPR_ERROR, "DigestUpdate failed.");
- goto end;
- }
- if (EVP_DigestSignFinal(md_ctx, NULL, &sig_len) != 1) {
- gpr_log(GPR_ERROR, "DigestFinal (get signature length) failed.");
- goto end;
- }
- sig = gpr_malloc(sig_len);
- if (EVP_DigestSignFinal(md_ctx, sig, &sig_len) != 1) {
- gpr_log(GPR_ERROR, "DigestFinal (signature compute) failed.");
- goto end;
- }
- result = grpc_base64_encode(sig, sig_len, 1, 0);
+ if (md == NULL)
+ return NULL;
+ md_ctx = EVP_MD_CTX_create ();
+ if (md_ctx == NULL)
+ {
+ gpr_log (GPR_ERROR, "Could not create MD_CTX");
+ goto end;
+ }
+ EVP_PKEY_set1_RSA (key, json_key->private_key);
+ if (EVP_DigestSignInit (md_ctx, NULL, md, NULL, key) != 1)
+ {
+ gpr_log (GPR_ERROR, "DigestInit failed.");
+ goto end;
+ }
+ if (EVP_DigestSignUpdate (md_ctx, to_sign, strlen (to_sign)) != 1)
+ {
+ gpr_log (GPR_ERROR, "DigestUpdate failed.");
+ goto end;
+ }
+ if (EVP_DigestSignFinal (md_ctx, NULL, &sig_len) != 1)
+ {
+ gpr_log (GPR_ERROR, "DigestFinal (get signature length) failed.");
+ goto end;
+ }
+ sig = gpr_malloc (sig_len);
+ if (EVP_DigestSignFinal (md_ctx, sig, &sig_len) != 1)
+ {
+ gpr_log (GPR_ERROR, "DigestFinal (signature compute) failed.");
+ goto end;
+ }
+ result = grpc_base64_encode (sig, sig_len, 1, 0);
end:
- if (key != NULL) EVP_PKEY_free(key);
- if (md_ctx != NULL) EVP_MD_CTX_destroy(md_ctx);
- if (sig != NULL) gpr_free(sig);
+ if (key != NULL)
+ EVP_PKEY_free (key);
+ if (md_ctx != NULL)
+ EVP_MD_CTX_destroy (md_ctx);
+ if (sig != NULL)
+ gpr_free (sig);
return result;
}
-char *grpc_jwt_encode_and_sign(const grpc_auth_json_key *json_key,
- const char *audience,
- gpr_timespec token_lifetime, const char *scope) {
- if (g_jwt_encode_and_sign_override != NULL) {
- return g_jwt_encode_and_sign_override(json_key, audience, token_lifetime,
- scope);
- } else {
- const char *sig_algo = GRPC_JWT_RSA_SHA256_ALGORITHM;
- char *to_sign = dot_concat_and_free_strings(
- encoded_jwt_header(json_key->private_key_id, sig_algo),
- encoded_jwt_claim(json_key, audience, token_lifetime, scope));
- char *sig = compute_and_encode_signature(json_key, sig_algo, to_sign);
- if (sig == NULL) {
- gpr_free(to_sign);
- return NULL;
+char *
+grpc_jwt_encode_and_sign (const grpc_auth_json_key * json_key, const char *audience, gpr_timespec token_lifetime, const char *scope)
+{
+ if (g_jwt_encode_and_sign_override != NULL)
+ {
+ return g_jwt_encode_and_sign_override (json_key, audience, token_lifetime, scope);
+ }
+ else
+ {
+ const char *sig_algo = GRPC_JWT_RSA_SHA256_ALGORITHM;
+ char *to_sign = dot_concat_and_free_strings (encoded_jwt_header (json_key->private_key_id, sig_algo),
+ encoded_jwt_claim (json_key, audience, token_lifetime, scope));
+ char *sig = compute_and_encode_signature (json_key, sig_algo, to_sign);
+ if (sig == NULL)
+ {
+ gpr_free (to_sign);
+ return NULL;
+ }
+ return dot_concat_and_free_strings (to_sign, sig);
}
- return dot_concat_and_free_strings(to_sign, sig);
- }
}
-void grpc_jwt_encode_and_sign_set_override(
- grpc_jwt_encode_and_sign_override func) {
+void
+grpc_jwt_encode_and_sign_set_override (grpc_jwt_encode_and_sign_override func)
+{
g_jwt_encode_and_sign_override = func;
}
/* --- grpc_auth_refresh_token --- */
-int grpc_auth_refresh_token_is_valid(
- const grpc_auth_refresh_token *refresh_token) {
- return (refresh_token != NULL) &&
- strcmp(refresh_token->type, GRPC_AUTH_JSON_TYPE_INVALID);
+int
+grpc_auth_refresh_token_is_valid (const grpc_auth_refresh_token * refresh_token)
+{
+ return (refresh_token != NULL) && strcmp (refresh_token->type, GRPC_AUTH_JSON_TYPE_INVALID);
}
-grpc_auth_refresh_token grpc_auth_refresh_token_create_from_json(
- const grpc_json *json) {
+grpc_auth_refresh_token
+grpc_auth_refresh_token_create_from_json (const grpc_json * json)
+{
grpc_auth_refresh_token result;
const char *prop_value;
int success = 0;
- memset(&result, 0, sizeof(grpc_auth_refresh_token));
+ memset (&result, 0, sizeof (grpc_auth_refresh_token));
result.type = GRPC_AUTH_JSON_TYPE_INVALID;
- if (json == NULL) {
- gpr_log(GPR_ERROR, "Invalid json.");
- goto end;
- }
-
- prop_value = json_get_string_property(json, "type");
- if (prop_value == NULL ||
- strcmp(prop_value, GRPC_AUTH_JSON_TYPE_AUTHORIZED_USER)) {
- goto end;
- }
+ if (json == NULL)
+ {
+ gpr_log (GPR_ERROR, "Invalid json.");
+ goto end;
+ }
+
+ prop_value = json_get_string_property (json, "type");
+ if (prop_value == NULL || strcmp (prop_value, GRPC_AUTH_JSON_TYPE_AUTHORIZED_USER))
+ {
+ goto end;
+ }
result.type = GRPC_AUTH_JSON_TYPE_AUTHORIZED_USER;
- if (!set_json_key_string_property(json, "client_secret",
- &result.client_secret) ||
- !set_json_key_string_property(json, "client_id", &result.client_id) ||
- !set_json_key_string_property(json, "refresh_token",
- &result.refresh_token)) {
- goto end;
- }
+ if (!set_json_key_string_property (json, "client_secret", &result.client_secret) || !set_json_key_string_property (json, "client_id", &result.client_id) || !set_json_key_string_property (json, "refresh_token", &result.refresh_token))
+ {
+ goto end;
+ }
success = 1;
end:
- if (!success) grpc_auth_refresh_token_destruct(&result);
+ if (!success)
+ grpc_auth_refresh_token_destruct (&result);
return result;
}
-grpc_auth_refresh_token grpc_auth_refresh_token_create_from_string(
- const char *json_string) {
- char *scratchpad = gpr_strdup(json_string);
- grpc_json *json = grpc_json_parse_string(scratchpad);
- grpc_auth_refresh_token result =
- grpc_auth_refresh_token_create_from_json(json);
- if (json != NULL) grpc_json_destroy(json);
- gpr_free(scratchpad);
+grpc_auth_refresh_token
+grpc_auth_refresh_token_create_from_string (const char *json_string)
+{
+ char *scratchpad = gpr_strdup (json_string);
+ grpc_json *json = grpc_json_parse_string (scratchpad);
+ grpc_auth_refresh_token result = grpc_auth_refresh_token_create_from_json (json);
+ if (json != NULL)
+ grpc_json_destroy (json);
+ gpr_free (scratchpad);
return result;
}
-void grpc_auth_refresh_token_destruct(grpc_auth_refresh_token *refresh_token) {
- if (refresh_token == NULL) return;
+void
+grpc_auth_refresh_token_destruct (grpc_auth_refresh_token * refresh_token)
+{
+ if (refresh_token == NULL)
+ return;
refresh_token->type = GRPC_AUTH_JSON_TYPE_INVALID;
- if (refresh_token->client_id != NULL) {
- gpr_free(refresh_token->client_id);
- refresh_token->client_id = NULL;
- }
- if (refresh_token->client_secret != NULL) {
- gpr_free(refresh_token->client_secret);
- refresh_token->client_secret = NULL;
- }
- if (refresh_token->refresh_token != NULL) {
- gpr_free(refresh_token->refresh_token);
- refresh_token->refresh_token = NULL;
- }
+ if (refresh_token->client_id != NULL)
+ {
+ gpr_free (refresh_token->client_id);
+ refresh_token->client_id = NULL;
+ }
+ if (refresh_token->client_secret != NULL)
+ {
+ gpr_free (refresh_token->client_secret);
+ refresh_token->client_secret = NULL;
+ }
+ if (refresh_token->refresh_token != NULL)
+ {
+ gpr_free (refresh_token->refresh_token);
+ refresh_token->refresh_token = NULL;
+ }
}
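Review bot: `compute_and_encode_signature` leaks the `EVP_PKEY` on the unknown-algorithm path: `key` is allocated by `EVP_PKEY_new ()` in the declarations, but `if (md == NULL) return NULL;` leaves the function before the `end:` block that frees it. Changing that line to `if (md == NULL) goto end;` routes it through the existing cleanup (`md_ctx` and `sig` are still NULL at that point and `result` stays NULL). The return values of `EVP_PKEY_new ()` and `EVP_PKEY_set1_RSA (key, json_key->private_key)` are also unchecked, so a failure there only surfaces later as the generic "DigestInit failed." log; replacing the `set1_RSA` line with `if (key == NULL || EVP_PKEY_set1_RSA (key, json_key->private_key) != 1) { gpr_log (GPR_ERROR, "Could not set RSA key."); goto end; }` names the real cause. Separately, `grpc_auth_json_key_destruct` and `grpc_auth_refresh_token_destruct` release `private_key_id`, `client_secret` and `refresh_token` with a plain `gpr_free` without clearing the buffers first; if leaving credential bytes in freed memory is accepted here, a short comment saying so would save the next reviewer the question.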
diff --git a/src/core/security/json_token.h b/src/core/security/json_token.h
index 7e06864ff3..1955bd5b89 100644
--- a/src/core/security/json_token.h
+++ b/src/core/security/json_token.h
@@ -49,7 +49,8 @@
/* --- auth_json_key parsing. --- */
-typedef struct {
+typedef struct
+{
const char *type;
char *private_key_id;
char *client_id;
@@ -58,40 +59,35 @@ typedef struct {
} grpc_auth_json_key;
/* Returns 1 if the object is valid, 0 otherwise. */
-int grpc_auth_json_key_is_valid(const grpc_auth_json_key *json_key);
+int grpc_auth_json_key_is_valid (const grpc_auth_json_key * json_key);
/* Creates a json_key object from string. Returns an invalid object if a parsing
error has been encountered. */
-grpc_auth_json_key grpc_auth_json_key_create_from_string(
- const char *json_string);
+grpc_auth_json_key grpc_auth_json_key_create_from_string (const char *json_string);
/* Creates a json_key object from parsed json. Returns an invalid object if a
parsing error has been encountered. */
-grpc_auth_json_key grpc_auth_json_key_create_from_json(const grpc_json *json);
+grpc_auth_json_key grpc_auth_json_key_create_from_json (const grpc_json * json);
/* Destructs the object. */
-void grpc_auth_json_key_destruct(grpc_auth_json_key *json_key);
+void grpc_auth_json_key_destruct (grpc_auth_json_key * json_key);
/* --- json token encoding and signing. --- */
/* Caller is responsible for calling gpr_free on the returned value. May return
NULL on invalid input. The scope parameter may be NULL. */
-char *grpc_jwt_encode_and_sign(const grpc_auth_json_key *json_key,
- const char *audience,
- gpr_timespec token_lifetime, const char *scope);
+char *grpc_jwt_encode_and_sign (const grpc_auth_json_key * json_key, const char *audience, gpr_timespec token_lifetime, const char *scope);
/* Override encode_and_sign function for testing. */
-typedef char *(*grpc_jwt_encode_and_sign_override)(
- const grpc_auth_json_key *json_key, const char *audience,
- gpr_timespec token_lifetime, const char *scope);
+typedef char *(*grpc_jwt_encode_and_sign_override) (const grpc_auth_json_key * json_key, const char *audience, gpr_timespec token_lifetime, const char *scope);
/* Set a custom encode_and_sign override for testing. */
-void grpc_jwt_encode_and_sign_set_override(
- grpc_jwt_encode_and_sign_override func);
+void grpc_jwt_encode_and_sign_set_override (grpc_jwt_encode_and_sign_override func);
/* --- auth_refresh_token parsing. --- */
-typedef struct {
+typedef struct
+{
const char *type;
char *client_id;
char *client_secret;
@@ -99,20 +95,17 @@ typedef struct {
} grpc_auth_refresh_token;
/* Returns 1 if the object is valid, 0 otherwise. */
-int grpc_auth_refresh_token_is_valid(
- const grpc_auth_refresh_token *refresh_token);
+int grpc_auth_refresh_token_is_valid (const grpc_auth_refresh_token * refresh_token);
/* Creates a refresh token object from string. Returns an invalid object if a
parsing error has been encountered. */
-grpc_auth_refresh_token grpc_auth_refresh_token_create_from_string(
- const char *json_string);
+grpc_auth_refresh_token grpc_auth_refresh_token_create_from_string (const char *json_string);
/* Creates a refresh token object from parsed json. Returns an invalid object if
a parsing error has been encountered. */
-grpc_auth_refresh_token grpc_auth_refresh_token_create_from_json(
- const grpc_json *json);
+grpc_auth_refresh_token grpc_auth_refresh_token_create_from_json (const grpc_json * json);
/* Destructs the object. */
-void grpc_auth_refresh_token_destruct(grpc_auth_refresh_token *refresh_token);
+void grpc_auth_refresh_token_destruct (grpc_auth_refresh_token * refresh_token);
#endif /* GRPC_INTERNAL_CORE_SECURITY_JSON_TOKEN_H */
diff --git a/src/core/security/jwt_verifier.c b/src/core/security/jwt_verifier.c
index be86169346..f7c9c7f4d1 100644
--- a/src/core/security/jwt_verifier.c
+++ b/src/core/security/jwt_verifier.c
@@ -47,9 +47,11 @@
/* --- Utils. --- */
-const char *grpc_jwt_verifier_status_to_string(
- grpc_jwt_verifier_status status) {
- switch (status) {
+const char *
+grpc_jwt_verifier_status_to_string (grpc_jwt_verifier_status status)
+{
+ switch (status)
+ {
case GRPC_JWT_VERIFIER_OK:
return "OK";
case GRPC_JWT_VERIFIER_BAD_SIGNATURE:
@@ -66,62 +68,78 @@ const char *grpc_jwt_verifier_status_to_string(
return "GENERIC_ERROR";
default:
return "UNKNOWN";
- }
+ }
}
-static const EVP_MD *evp_md_from_alg(const char *alg) {
- if (strcmp(alg, "RS256") == 0) {
- return EVP_sha256();
- } else if (strcmp(alg, "RS384") == 0) {
- return EVP_sha384();
- } else if (strcmp(alg, "RS512") == 0) {
- return EVP_sha512();
- } else {
- return NULL;
- }
+static const EVP_MD *
+evp_md_from_alg (const char *alg)
+{
+ if (strcmp (alg, "RS256") == 0)
+ {
+ return EVP_sha256 ();
+ }
+ else if (strcmp (alg, "RS384") == 0)
+ {
+ return EVP_sha384 ();
+ }
+ else if (strcmp (alg, "RS512") == 0)
+ {
+ return EVP_sha512 ();
+ }
+ else
+ {
+ return NULL;
+ }
}
-static grpc_json *parse_json_part_from_jwt(const char *str, size_t len,
- gpr_slice *buffer) {
+static grpc_json *
+parse_json_part_from_jwt (const char *str, size_t len, gpr_slice * buffer)
+{
grpc_json *json;
- *buffer = grpc_base64_decode_with_len(str, len, 1);
- if (GPR_SLICE_IS_EMPTY(*buffer)) {
- gpr_log(GPR_ERROR, "Invalid base64.");
- return NULL;
- }
- json = grpc_json_parse_string_with_len((char *)GPR_SLICE_START_PTR(*buffer),
- GPR_SLICE_LENGTH(*buffer));
- if (json == NULL) {
- gpr_slice_unref(*buffer);
- gpr_log(GPR_ERROR, "JSON parsing error.");
- }
+ *buffer = grpc_base64_decode_with_len (str, len, 1);
+ if (GPR_SLICE_IS_EMPTY (*buffer))
+ {
+ gpr_log (GPR_ERROR, "Invalid base64.");
+ return NULL;
+ }
+ json = grpc_json_parse_string_with_len ((char *) GPR_SLICE_START_PTR (*buffer), GPR_SLICE_LENGTH (*buffer));
+ if (json == NULL)
+ {
+ gpr_slice_unref (*buffer);
+ gpr_log (GPR_ERROR, "JSON parsing error.");
+ }
return json;
}
-static const char *validate_string_field(const grpc_json *json,
- const char *key) {
- if (json->type != GRPC_JSON_STRING) {
- gpr_log(GPR_ERROR, "Invalid %s field [%s]", key, json->value);
- return NULL;
- }
+static const char *
+validate_string_field (const grpc_json * json, const char *key)
+{
+ if (json->type != GRPC_JSON_STRING)
+ {
+ gpr_log (GPR_ERROR, "Invalid %s field [%s]", key, json->value);
+ return NULL;
+ }
return json->value;
}
-static gpr_timespec validate_time_field(const grpc_json *json,
- const char *key) {
- gpr_timespec result = gpr_time_0(GPR_CLOCK_REALTIME);
- if (json->type != GRPC_JSON_NUMBER) {
- gpr_log(GPR_ERROR, "Invalid %s field [%s]", key, json->value);
- return result;
- }
- result.tv_sec = strtol(json->value, NULL, 10);
+static gpr_timespec
+validate_time_field (const grpc_json * json, const char *key)
+{
+ gpr_timespec result = gpr_time_0 (GPR_CLOCK_REALTIME);
+ if (json->type != GRPC_JSON_NUMBER)
+ {
+ gpr_log (GPR_ERROR, "Invalid %s field [%s]", key, json->value);
+ return result;
+ }
+ result.tv_sec = strtol (json->value, NULL, 10);
return result;
}
/* --- JOSE header. see http://tools.ietf.org/html/rfc7515#section-4 --- */
-typedef struct {
+typedef struct
+{
const char *alg;
const char *kid;
const char *typ;
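Review bot: `validate_time_field` converts the claim with `strtol (json->value, NULL, 10)` and discards both the end pointer and `errno`, so a value with trailing garbage or one outside the `long` range is silently accepted as a partial or clamped number instead of being rejected; since this feeds the `iat`/`exp` checks that decide token validity, a malformed number should fail the field. The shape would be `errno = 0; result.tv_sec = strtol (json->value, &end, 10);` followed by `if (end == json->value || *end != '\0' || errno == ERANGE)` logging the same "Invalid %s field" message, and the callers would need a way to tell that failure apart from a genuine `0`, since the current `gpr_time_0` return is indistinguishable from a literal zero (those callers are outside this hunk). Also, `validate_string_field` and `validate_time_field` pass `json->value` to `%s` when the node is not the expected type; if the parser leaves `value` NULL for object or array nodes, which I cannot confirm from here, that is a NULL format argument, so `json->value == NULL ? "(null)" : json->value` in the log call would be a cheap guard.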
@@ -129,54 +147,68 @@ typedef struct {
gpr_slice buffer;
} jose_header;
-static void jose_header_destroy(jose_header *h) {
- gpr_slice_unref(h->buffer);
- gpr_free(h);
+static void
+jose_header_destroy (jose_header * h)
+{
+ gpr_slice_unref (h->buffer);
+ gpr_free (h);
}
/* Takes ownership of json and buffer. */
-static jose_header *jose_header_from_json(grpc_json *json, gpr_slice buffer) {
+static jose_header *
+jose_header_from_json (grpc_json * json, gpr_slice buffer)
+{
grpc_json *cur;
- jose_header *h = gpr_malloc(sizeof(jose_header));
- memset(h, 0, sizeof(jose_header));
+ jose_header *h = gpr_malloc (sizeof (jose_header));
+ memset (h, 0, sizeof (jose_header));
h->buffer = buffer;
- for (cur = json->child; cur != NULL; cur = cur->next) {
- if (strcmp(cur->key, "alg") == 0) {
- /* We only support RSA-1.5 signatures for now.
- Beware of this if we add HMAC support:
- https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
- */
- if (cur->type != GRPC_JSON_STRING || strncmp(cur->value, "RS", 2) ||
- evp_md_from_alg(cur->value) == NULL) {
- gpr_log(GPR_ERROR, "Invalid alg field [%s]", cur->value);
- goto error;
- }
- h->alg = cur->value;
- } else if (strcmp(cur->key, "typ") == 0) {
- h->typ = validate_string_field(cur, "typ");
- if (h->typ == NULL) goto error;
- } else if (strcmp(cur->key, "kid") == 0) {
- h->kid = validate_string_field(cur, "kid");
- if (h->kid == NULL) goto error;
- }
- }
- if (h->alg == NULL) {
- gpr_log(GPR_ERROR, "Missing alg field.");
- goto error;
- }
- grpc_json_destroy(json);
+ for (cur = json->child; cur != NULL; cur = cur->next)
+ {
+ if (strcmp (cur->key, "alg") == 0)
+ {
+ /* We only support RSA-1.5 signatures for now.
+ Beware of this if we add HMAC support:
+ https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
+ */
+ if (cur->type != GRPC_JSON_STRING || strncmp (cur->value, "RS", 2) || evp_md_from_alg (cur->value) == NULL)
+ {
+ gpr_log (GPR_ERROR, "Invalid alg field [%s]", cur->value);
+ goto error;
+ }
+ h->alg = cur->value;
+ }
+ else if (strcmp (cur->key, "typ") == 0)
+ {
+ h->typ = validate_string_field (cur, "typ");
+ if (h->typ == NULL)
+ goto error;
+ }
+ else if (strcmp (cur->key, "kid") == 0)
+ {
+ h->kid = validate_string_field (cur, "kid");
+ if (h->kid == NULL)
+ goto error;
+ }
+ }
+ if (h->alg == NULL)
+ {
+ gpr_log (GPR_ERROR, "Missing alg field.");
+ goto error;
+ }
+ grpc_json_destroy (json);
h->buffer = buffer;
return h;
error:
- grpc_json_destroy(json);
- jose_header_destroy(h);
+ grpc_json_destroy (json);
+ jose_header_destroy (h);
return NULL;
}
/* --- JWT claims. see http://tools.ietf.org/html/rfc7519#section-4.1 */
-struct grpc_jwt_claims {
+struct grpc_jwt_claims
+{
/* Well known properties already parsed. */
const char *sub;
const char *iss;
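Review bot: `jose_header_from_json` walks `json->child` and calls `strcmp (cur->key, "alg")` without first checking that the decoded header is a JSON object; the header bytes come from the peer, and if `parse_json_part_from_jwt` can hand back an array or scalar whose children carry a NULL `key` (not visible from this hunk), that `strcmp` dereferences NULL. A guard placed after the `h->buffer = buffer;` assignment, `if (json->type != GRPC_JSON_OBJECT) { gpr_log (GPR_ERROR, "JOSE header is not an object."); goto error; }`, is cheap and makes the contract explicit whatever the parser does. The `alg` handling is an allow-list (RS prefix plus a known digest from `evp_md_from_alg`), which is the right design; the existing comment only points at the blog post, so a line such as `/* alg is allow-listed: anything not RS256/384/512 is rejected, including "none". */` would state the property directly. The trailing `h->buffer = buffer;` before `return h;` repeats the assignment made right after the `memset` and can go.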
@@ -190,135 +222,185 @@ struct grpc_jwt_claims {
gpr_slice buffer;
};
-void grpc_jwt_claims_destroy(grpc_jwt_claims *claims) {
- grpc_json_destroy(claims->json);
- gpr_slice_unref(claims->buffer);
- gpr_free(claims);
+void
+grpc_jwt_claims_destroy (grpc_jwt_claims * claims)
+{
+ grpc_json_destroy (claims->json);
+ gpr_slice_unref (claims->buffer);
+ gpr_free (claims);
}
-const grpc_json *grpc_jwt_claims_json(const grpc_jwt_claims *claims) {
- if (claims == NULL) return NULL;
+const grpc_json *
+grpc_jwt_claims_json (const grpc_jwt_claims * claims)
+{
+ if (claims == NULL)
+ return NULL;
return claims->json;
}
-const char *grpc_jwt_claims_subject(const grpc_jwt_claims *claims) {
- if (claims == NULL) return NULL;
+const char *
+grpc_jwt_claims_subject (const grpc_jwt_claims * claims)
+{
+ if (claims == NULL)
+ return NULL;
return claims->sub;
}
-const char *grpc_jwt_claims_issuer(const grpc_jwt_claims *claims) {
- if (claims == NULL) return NULL;
+const char *
+grpc_jwt_claims_issuer (const grpc_jwt_claims * claims)
+{
+ if (claims == NULL)
+ return NULL;
return claims->iss;
}
-const char *grpc_jwt_claims_id(const grpc_jwt_claims *claims) {
- if (claims == NULL) return NULL;
+const char *
+grpc_jwt_claims_id (const grpc_jwt_claims * claims)
+{
+ if (claims == NULL)
+ return NULL;
return claims->jti;
}
-const char *grpc_jwt_claims_audience(const grpc_jwt_claims *claims) {
- if (claims == NULL) return NULL;
+const char *
+grpc_jwt_claims_audience (const grpc_jwt_claims * claims)
+{
+ if (claims == NULL)
+ return NULL;
return claims->aud;
}
-gpr_timespec grpc_jwt_claims_issued_at(const grpc_jwt_claims *claims) {
- if (claims == NULL) return gpr_inf_past(GPR_CLOCK_REALTIME);
+gpr_timespec
+grpc_jwt_claims_issued_at (const grpc_jwt_claims * claims)
+{
+ if (claims == NULL)
+ return gpr_inf_past (GPR_CLOCK_REALTIME);
return claims->iat;
}
-gpr_timespec grpc_jwt_claims_expires_at(const grpc_jwt_claims *claims) {
- if (claims == NULL) return gpr_inf_future(GPR_CLOCK_REALTIME);
+gpr_timespec
+grpc_jwt_claims_expires_at (const grpc_jwt_claims * claims)
+{
+ if (claims == NULL)
+ return gpr_inf_future (GPR_CLOCK_REALTIME);
return claims->exp;
}
-gpr_timespec grpc_jwt_claims_not_before(const grpc_jwt_claims *claims) {
- if (claims == NULL) return gpr_inf_past(GPR_CLOCK_REALTIME);
+gpr_timespec
+grpc_jwt_claims_not_before (const grpc_jwt_claims * claims)
+{
+ if (claims == NULL)
+ return gpr_inf_past (GPR_CLOCK_REALTIME);
return claims->nbf;
}
/* Takes ownership of json and buffer even in case of failure. */
-grpc_jwt_claims *grpc_jwt_claims_from_json(grpc_json *json, gpr_slice buffer) {
+grpc_jwt_claims *
+grpc_jwt_claims_from_json (grpc_json * json, gpr_slice buffer)
+{
grpc_json *cur;
- grpc_jwt_claims *claims = gpr_malloc(sizeof(grpc_jwt_claims));
- memset(claims, 0, sizeof(grpc_jwt_claims));
+ grpc_jwt_claims *claims = gpr_malloc (sizeof (grpc_jwt_claims));
+ memset (claims, 0, sizeof (grpc_jwt_claims));
claims->json = json;
claims->buffer = buffer;
- claims->iat = gpr_inf_past(GPR_CLOCK_REALTIME);
- claims->nbf = gpr_inf_past(GPR_CLOCK_REALTIME);
- claims->exp = gpr_inf_future(GPR_CLOCK_REALTIME);
+ claims->iat = gpr_inf_past (GPR_CLOCK_REALTIME);
+ claims->nbf = gpr_inf_past (GPR_CLOCK_REALTIME);
+ claims->exp = gpr_inf_future (GPR_CLOCK_REALTIME);
/* Per the spec, all fields are optional. */
- for (cur = json->child; cur != NULL; cur = cur->next) {
- if (strcmp(cur->key, "sub") == 0) {
- claims->sub = validate_string_field(cur, "sub");
- if (claims->sub == NULL) goto error;
- } else if (strcmp(cur->key, "iss") == 0) {
- claims->iss = validate_string_field(cur, "iss");
- if (claims->iss == NULL) goto error;
- } else if (strcmp(cur->key, "aud") == 0) {
- claims->aud = validate_string_field(cur, "aud");
- if (claims->aud == NULL) goto error;
- } else if (strcmp(cur->key, "jti") == 0) {
- claims->jti = validate_string_field(cur, "jti");
- if (claims->jti == NULL) goto error;
- } else if (strcmp(cur->key, "iat") == 0) {
- claims->iat = validate_time_field(cur, "iat");
- if (gpr_time_cmp(claims->iat, gpr_time_0(GPR_CLOCK_REALTIME)) == 0)
- goto error;
- } else if (strcmp(cur->key, "exp") == 0) {
- claims->exp = validate_time_field(cur, "exp");
- if (gpr_time_cmp(claims->exp, gpr_time_0(GPR_CLOCK_REALTIME)) == 0)
- goto error;
- } else if (strcmp(cur->key, "nbf") == 0) {
- claims->nbf = validate_time_field(cur, "nbf");
- if (gpr_time_cmp(claims->nbf, gpr_time_0(GPR_CLOCK_REALTIME)) == 0)
- goto error;
- }
- }
+ for (cur = json->child; cur != NULL; cur = cur->next)
+ {
+ if (strcmp (cur->key, "sub") == 0)
+ {
+ claims->sub = validate_string_field (cur, "sub");
+ if (claims->sub == NULL)
+ goto error;
+ }
+ else if (strcmp (cur->key, "iss") == 0)
+ {
+ claims->iss = validate_string_field (cur, "iss");
+ if (claims->iss == NULL)
+ goto error;
+ }
+ else if (strcmp (cur->key, "aud") == 0)
+ {
+ claims->aud = validate_string_field (cur, "aud");
+ if (claims->aud == NULL)
+ goto error;
+ }
+ else if (strcmp (cur->key, "jti") == 0)
+ {
+ claims->jti = validate_string_field (cur, "jti");
+ if (claims->jti == NULL)
+ goto error;
+ }
+ else if (strcmp (cur->key, "iat") == 0)
+ {
+ claims->iat = validate_time_field (cur, "iat");
+ if (gpr_time_cmp (claims->iat, gpr_time_0 (GPR_CLOCK_REALTIME)) == 0)
+ goto error;
+ }
+ else if (strcmp (cur->key, "exp") == 0)
+ {
+ claims->exp = validate_time_field (cur, "exp");
+ if (gpr_time_cmp (claims->exp, gpr_time_0 (GPR_CLOCK_REALTIME)) == 0)
+ goto error;
+ }
+ else if (strcmp (cur->key, "nbf") == 0)
+ {
+ claims->nbf = validate_time_field (cur, "nbf");
+ if (gpr_time_cmp (claims->nbf, gpr_time_0 (GPR_CLOCK_REALTIME)) == 0)
+ goto error;
+ }
+ }
return claims;
error:
- grpc_jwt_claims_destroy(claims);
+ grpc_jwt_claims_destroy (claims);
return NULL;
}
-grpc_jwt_verifier_status grpc_jwt_claims_check(const grpc_jwt_claims *claims,
- const char *audience) {
+grpc_jwt_verifier_status
+grpc_jwt_claims_check (const grpc_jwt_claims * claims, const char *audience)
+{
gpr_timespec skewed_now;
int audience_ok;
- GPR_ASSERT(claims != NULL);
-
- skewed_now =
- gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), grpc_jwt_verifier_clock_skew);
- if (gpr_time_cmp(skewed_now, claims->nbf) < 0) {
- gpr_log(GPR_ERROR, "JWT is not valid yet.");
- return GRPC_JWT_VERIFIER_TIME_CONSTRAINT_FAILURE;
- }
- skewed_now =
- gpr_time_sub(gpr_now(GPR_CLOCK_REALTIME), grpc_jwt_verifier_clock_skew);
- if (gpr_time_cmp(skewed_now, claims->exp) > 0) {
- gpr_log(GPR_ERROR, "JWT is expired.");
- return GRPC_JWT_VERIFIER_TIME_CONSTRAINT_FAILURE;
- }
-
- if (audience == NULL) {
- audience_ok = claims->aud == NULL;
- } else {
- audience_ok = claims->aud != NULL && strcmp(audience, claims->aud) == 0;
- }
- if (!audience_ok) {
- gpr_log(GPR_ERROR, "Audience mismatch: expected %s and found %s.",
- audience == NULL ? "NULL" : audience,
- claims->aud == NULL ? "NULL" : claims->aud);
- return GRPC_JWT_VERIFIER_BAD_AUDIENCE;
- }
+ GPR_ASSERT (claims != NULL);
+
+ skewed_now = gpr_time_add (gpr_now (GPR_CLOCK_REALTIME), grpc_jwt_verifier_clock_skew);
+ if (gpr_time_cmp (skewed_now, claims->nbf) < 0)
+ {
+ gpr_log (GPR_ERROR, "JWT is not valid yet.");
+ return GRPC_JWT_VERIFIER_TIME_CONSTRAINT_FAILURE;
+ }
+ skewed_now = gpr_time_sub (gpr_now (GPR_CLOCK_REALTIME), grpc_jwt_verifier_clock_skew);
+ if (gpr_time_cmp (skewed_now, claims->exp) > 0)
+ {
+ gpr_log (GPR_ERROR, "JWT is expired.");
+ return GRPC_JWT_VERIFIER_TIME_CONSTRAINT_FAILURE;
+ }
+
+ if (audience == NULL)
+ {
+ audience_ok = claims->aud == NULL;
+ }
+ else
+ {
+ audience_ok = claims->aud != NULL && strcmp (audience, claims->aud) == 0;
+ }
+ if (!audience_ok)
+ {
+ gpr_log (GPR_ERROR, "Audience mismatch: expected %s and found %s.", audience == NULL ? "NULL" : audience, claims->aud == NULL ? "NULL" : claims->aud);
+ return GRPC_JWT_VERIFIER_BAD_AUDIENCE;
+ }
return GRPC_JWT_VERIFIER_OK;
}
/* --- verifier_cb_ctx object. --- */
-typedef struct {
+typedef struct
+{
grpc_jwt_verifier *verifier;
grpc_pollset *pollset;
jose_header *header;
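Review bot: The comment "Per the spec, all fields are optional." in grpc_jwt_claims_from_json understates what the defaults mean for callers: exp is initialised to gpr_inf_future and nbf/iat to gpr_inf_past, so a token that omits exp never fails the expiry check in grpc_jwt_claims_check and one without nbf is valid immediately. That is what RFC 7519 allows, but it should be documented where the defaults are set, e.g. `/* Per the spec, all fields are optional: a token without exp never expires and one without nbf is valid at once; callers that require an expiry must check grpc_jwt_claims_expires_at themselves. */`. Note also that the iat/exp/nbf branches treat a parsed value equal to gpr_time_0 as a parse error, so a literal timestamp of 0 is rejected rather than accepted; whether validate_time_field uses 0 only as its error sentinel cannot be seen from this hunk, so a one-line comment on that convention would help the next reader.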
@@ -331,379 +413,436 @@ typedef struct {
} verifier_cb_ctx;
/* Takes ownership of the header, claims and signature. */
-static verifier_cb_ctx *verifier_cb_ctx_create(
- grpc_jwt_verifier *verifier, grpc_pollset *pollset, jose_header *header,
- grpc_jwt_claims *claims, const char *audience, gpr_slice signature,
- const char *signed_jwt, size_t signed_jwt_len, void *user_data,
- grpc_jwt_verification_done_cb cb) {
- verifier_cb_ctx *ctx = gpr_malloc(sizeof(verifier_cb_ctx));
- memset(ctx, 0, sizeof(verifier_cb_ctx));
+static verifier_cb_ctx *
+verifier_cb_ctx_create (grpc_jwt_verifier * verifier, grpc_pollset * pollset, jose_header * header, grpc_jwt_claims * claims, const char *audience, gpr_slice signature, const char *signed_jwt, size_t signed_jwt_len, void *user_data, grpc_jwt_verification_done_cb cb)
+{
+ verifier_cb_ctx *ctx = gpr_malloc (sizeof (verifier_cb_ctx));
+ memset (ctx, 0, sizeof (verifier_cb_ctx));
ctx->verifier = verifier;
ctx->pollset = pollset;
ctx->header = header;
- ctx->audience = gpr_strdup(audience);
+ ctx->audience = gpr_strdup (audience);
ctx->claims = claims;
ctx->signature = signature;
- ctx->signed_data = gpr_slice_from_copied_buffer(signed_jwt, signed_jwt_len);
+ ctx->signed_data = gpr_slice_from_copied_buffer (signed_jwt, signed_jwt_len);
ctx->user_data = user_data;
ctx->user_cb = cb;
return ctx;
}
-void verifier_cb_ctx_destroy(verifier_cb_ctx *ctx) {
- if (ctx->audience != NULL) gpr_free(ctx->audience);
- if (ctx->claims != NULL) grpc_jwt_claims_destroy(ctx->claims);
- gpr_slice_unref(ctx->signature);
- gpr_slice_unref(ctx->signed_data);
- jose_header_destroy(ctx->header);
+void
+verifier_cb_ctx_destroy (verifier_cb_ctx * ctx)
+{
+ if (ctx->audience != NULL)
+ gpr_free (ctx->audience);
+ if (ctx->claims != NULL)
+ grpc_jwt_claims_destroy (ctx->claims);
+ gpr_slice_unref (ctx->signature);
+ gpr_slice_unref (ctx->signed_data);
+ jose_header_destroy (ctx->header);
/* TODO: see what to do with claims... */
- gpr_free(ctx);
+ gpr_free (ctx);
}
/* --- grpc_jwt_verifier object. --- */
/* Clock skew defaults to one minute. */
-gpr_timespec grpc_jwt_verifier_clock_skew = {60, 0, GPR_TIMESPAN};
+gpr_timespec grpc_jwt_verifier_clock_skew = { 60, 0, GPR_TIMESPAN };
/* Max delay defaults to one minute. */
-gpr_timespec grpc_jwt_verifier_max_delay = {60, 0, GPR_TIMESPAN};
+gpr_timespec grpc_jwt_verifier_max_delay = { 60, 0, GPR_TIMESPAN };
-typedef struct {
+typedef struct
+{
char *email_domain;
char *key_url_prefix;
} email_key_mapping;
-struct grpc_jwt_verifier {
+struct grpc_jwt_verifier
+{
email_key_mapping *mappings;
- size_t num_mappings; /* Should be very few, linear search ok. */
+ size_t num_mappings; /* Should be very few, linear search ok. */
size_t allocated_mappings;
grpc_httpcli_context http_ctx;
};
-static grpc_json *json_from_http(const grpc_httpcli_response *response) {
+static grpc_json *
+json_from_http (const grpc_httpcli_response * response)
+{
grpc_json *json = NULL;
- if (response == NULL) {
- gpr_log(GPR_ERROR, "HTTP response is NULL.");
- return NULL;
- }
- if (response->status != 200) {
- gpr_log(GPR_ERROR, "Call to http server failed with error %d.",
- response->status);
- return NULL;
- }
+ if (response == NULL)
+ {
+ gpr_log (GPR_ERROR, "HTTP response is NULL.");
+ return NULL;
+ }
+ if (response->status != 200)
+ {
+ gpr_log (GPR_ERROR, "Call to http server failed with error %d.", response->status);
+ return NULL;
+ }
- json = grpc_json_parse_string_with_len(response->body, response->body_length);
- if (json == NULL) {
- gpr_log(GPR_ERROR, "Invalid JSON found in response.");
- }
+ json = grpc_json_parse_string_with_len (response->body, response->body_length);
+ if (json == NULL)
+ {
+ gpr_log (GPR_ERROR, "Invalid JSON found in response.");
+ }
return json;
}
-static const grpc_json *find_property_by_name(const grpc_json *json,
- const char *name) {
+static const grpc_json *
+find_property_by_name (const grpc_json * json, const char *name)
+{
const grpc_json *cur;
- for (cur = json->child; cur != NULL; cur = cur->next) {
- if (strcmp(cur->key, name) == 0) return cur;
- }
+ for (cur = json->child; cur != NULL; cur = cur->next)
+ {
+ if (strcmp (cur->key, name) == 0)
+ return cur;
+ }
return NULL;
}
-static EVP_PKEY *extract_pkey_from_x509(const char *x509_str) {
+static EVP_PKEY *
+extract_pkey_from_x509 (const char *x509_str)
+{
X509 *x509 = NULL;
EVP_PKEY *result = NULL;
- BIO *bio = BIO_new(BIO_s_mem());
- size_t len = strlen(x509_str);
- GPR_ASSERT(len < INT_MAX);
- BIO_write(bio, x509_str, (int)len);
- x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
- if (x509 == NULL) {
- gpr_log(GPR_ERROR, "Unable to parse x509 cert.");
- goto end;
- }
- result = X509_get_pubkey(x509);
- if (result == NULL) {
- gpr_log(GPR_ERROR, "Cannot find public key in X509 cert.");
- }
+ BIO *bio = BIO_new (BIO_s_mem ());
+ size_t len = strlen (x509_str);
+ GPR_ASSERT (len < INT_MAX);
+ BIO_write (bio, x509_str, (int) len);
+ x509 = PEM_read_bio_X509 (bio, NULL, NULL, NULL);
+ if (x509 == NULL)
+ {
+ gpr_log (GPR_ERROR, "Unable to parse x509 cert.");
+ goto end;
+ }
+ result = X509_get_pubkey (x509);
+ if (result == NULL)
+ {
+ gpr_log (GPR_ERROR, "Cannot find public key in X509 cert.");
+ }
end:
- BIO_free(bio);
- if (x509 != NULL) X509_free(x509);
+ BIO_free (bio);
+ if (x509 != NULL)
+ X509_free (x509);
return result;
}
-static BIGNUM *bignum_from_base64(const char *b64) {
+static BIGNUM *
+bignum_from_base64 (const char *b64)
+{
BIGNUM *result = NULL;
gpr_slice bin;
- if (b64 == NULL) return NULL;
- bin = grpc_base64_decode(b64, 1);
- if (GPR_SLICE_IS_EMPTY(bin)) {
- gpr_log(GPR_ERROR, "Invalid base64 for big num.");
+ if (b64 == NULL)
return NULL;
- }
- result =
- BN_bin2bn(GPR_SLICE_START_PTR(bin), (int)GPR_SLICE_LENGTH(bin), NULL);
- gpr_slice_unref(bin);
+ bin = grpc_base64_decode (b64, 1);
+ if (GPR_SLICE_IS_EMPTY (bin))
+ {
+ gpr_log (GPR_ERROR, "Invalid base64 for big num.");
+ return NULL;
+ }
+ result = BN_bin2bn (GPR_SLICE_START_PTR (bin), (int) GPR_SLICE_LENGTH (bin), NULL);
+ gpr_slice_unref (bin);
return result;
}
-static EVP_PKEY *pkey_from_jwk(const grpc_json *json, const char *kty) {
+static EVP_PKEY *
+pkey_from_jwk (const grpc_json * json, const char *kty)
+{
const grpc_json *key_prop;
RSA *rsa = NULL;
EVP_PKEY *result = NULL;
- GPR_ASSERT(kty != NULL && json != NULL);
- if (strcmp(kty, "RSA") != 0) {
- gpr_log(GPR_ERROR, "Unsupported key type %s.", kty);
- goto end;
- }
- rsa = RSA_new();
- if (rsa == NULL) {
- gpr_log(GPR_ERROR, "Could not create rsa key.");
- goto end;
- }
- for (key_prop = json->child; key_prop != NULL; key_prop = key_prop->next) {
- if (strcmp(key_prop->key, "n") == 0) {
- rsa->n = bignum_from_base64(validate_string_field(key_prop, "n"));
- if (rsa->n == NULL) goto end;
- } else if (strcmp(key_prop->key, "e") == 0) {
- rsa->e = bignum_from_base64(validate_string_field(key_prop, "e"));
- if (rsa->e == NULL) goto end;
- }
- }
- if (rsa->e == NULL || rsa->n == NULL) {
- gpr_log(GPR_ERROR, "Missing RSA public key field.");
- goto end;
- }
- result = EVP_PKEY_new();
- EVP_PKEY_set1_RSA(result, rsa); /* uprefs rsa. */
+ GPR_ASSERT (kty != NULL && json != NULL);
+ if (strcmp (kty, "RSA") != 0)
+ {
+ gpr_log (GPR_ERROR, "Unsupported key type %s.", kty);
+ goto end;
+ }
+ rsa = RSA_new ();
+ if (rsa == NULL)
+ {
+ gpr_log (GPR_ERROR, "Could not create rsa key.");
+ goto end;
+ }
+ for (key_prop = json->child; key_prop != NULL; key_prop = key_prop->next)
+ {
+ if (strcmp (key_prop->key, "n") == 0)
+ {
+ rsa->n = bignum_from_base64 (validate_string_field (key_prop, "n"));
+ if (rsa->n == NULL)
+ goto end;
+ }
+ else if (strcmp (key_prop->key, "e") == 0)
+ {
+ rsa->e = bignum_from_base64 (validate_string_field (key_prop, "e"));
+ if (rsa->e == NULL)
+ goto end;
+ }
+ }
+ if (rsa->e == NULL || rsa->n == NULL)
+ {
+ gpr_log (GPR_ERROR, "Missing RSA public key field.");
+ goto end;
+ }
+ result = EVP_PKEY_new ();
+ EVP_PKEY_set1_RSA (result, rsa); /* uprefs rsa. */
end:
- if (rsa != NULL) RSA_free(rsa);
+ if (rsa != NULL)
+ RSA_free (rsa);
return result;
}
-static EVP_PKEY *find_verification_key(const grpc_json *json,
- const char *header_alg,
- const char *header_kid) {
+static EVP_PKEY *
+find_verification_key (const grpc_json * json, const char *header_alg, const char *header_kid)
+{
const grpc_json *jkey;
const grpc_json *jwk_keys;
/* Try to parse the json as a JWK set:
https://tools.ietf.org/html/rfc7517#section-5. */
- jwk_keys = find_property_by_name(json, "keys");
- if (jwk_keys == NULL) {
- /* Use the google proprietary format which is:
- { <kid1>: <x5091>, <kid2>: <x5092>, ... } */
- const grpc_json *cur = find_property_by_name(json, header_kid);
- if (cur == NULL) return NULL;
- return extract_pkey_from_x509(cur->value);
- }
-
- if (jwk_keys->type != GRPC_JSON_ARRAY) {
- gpr_log(GPR_ERROR,
- "Unexpected value type of keys property in jwks key set.");
- return NULL;
- }
+ jwk_keys = find_property_by_name (json, "keys");
+ if (jwk_keys == NULL)
+ {
+ /* Use the google proprietary format which is:
+ { <kid1>: <x5091>, <kid2>: <x5092>, ... } */
+ const grpc_json *cur = find_property_by_name (json, header_kid);
+ if (cur == NULL)
+ return NULL;
+ return extract_pkey_from_x509 (cur->value);
+ }
+
+ if (jwk_keys->type != GRPC_JSON_ARRAY)
+ {
+ gpr_log (GPR_ERROR, "Unexpected value type of keys property in jwks key set.");
+ return NULL;
+ }
/* Key format is specified in:
https://tools.ietf.org/html/rfc7518#section-6. */
- for (jkey = jwk_keys->child; jkey != NULL; jkey = jkey->next) {
- grpc_json *key_prop;
- const char *alg = NULL;
- const char *kid = NULL;
- const char *kty = NULL;
-
- if (jkey->type != GRPC_JSON_OBJECT) continue;
- for (key_prop = jkey->child; key_prop != NULL; key_prop = key_prop->next) {
- if (strcmp(key_prop->key, "alg") == 0 &&
- key_prop->type == GRPC_JSON_STRING) {
- alg = key_prop->value;
- } else if (strcmp(key_prop->key, "kid") == 0 &&
- key_prop->type == GRPC_JSON_STRING) {
- kid = key_prop->value;
- } else if (strcmp(key_prop->key, "kty") == 0 &&
- key_prop->type == GRPC_JSON_STRING) {
- kty = key_prop->value;
- }
- }
- if (alg != NULL && kid != NULL && kty != NULL &&
- strcmp(kid, header_kid) == 0 && strcmp(alg, header_alg) == 0) {
- return pkey_from_jwk(jkey, kty);
- }
- }
- gpr_log(GPR_ERROR,
- "Could not find matching key in key set for kid=%s and alg=%s",
- header_kid, header_alg);
+ for (jkey = jwk_keys->child; jkey != NULL; jkey = jkey->next)
+ {
+ grpc_json *key_prop;
+ const char *alg = NULL;
+ const char *kid = NULL;
+ const char *kty = NULL;
+
+ if (jkey->type != GRPC_JSON_OBJECT)
+ continue;
+ for (key_prop = jkey->child; key_prop != NULL; key_prop = key_prop->next)
+ {
+ if (strcmp (key_prop->key, "alg") == 0 && key_prop->type == GRPC_JSON_STRING)
+ {
+ alg = key_prop->value;
+ }
+ else if (strcmp (key_prop->key, "kid") == 0 && key_prop->type == GRPC_JSON_STRING)
+ {
+ kid = key_prop->value;
+ }
+ else if (strcmp (key_prop->key, "kty") == 0 && key_prop->type == GRPC_JSON_STRING)
+ {
+ kty = key_prop->value;
+ }
+ }
+ if (alg != NULL && kid != NULL && kty != NULL && strcmp (kid, header_kid) == 0 && strcmp (alg, header_alg) == 0)
+ {
+ return pkey_from_jwk (jkey, kty);
+ }
+ }
+ gpr_log (GPR_ERROR, "Could not find matching key in key set for kid=%s and alg=%s", header_kid, header_alg);
return NULL;
}
-static int verify_jwt_signature(EVP_PKEY *key, const char *alg,
- gpr_slice signature, gpr_slice signed_data) {
- EVP_MD_CTX *md_ctx = EVP_MD_CTX_create();
- const EVP_MD *md = evp_md_from_alg(alg);
+static int
+verify_jwt_signature (EVP_PKEY * key, const char *alg, gpr_slice signature, gpr_slice signed_data)
+{
+ EVP_MD_CTX *md_ctx = EVP_MD_CTX_create ();
+ const EVP_MD *md = evp_md_from_alg (alg);
int result = 0;
- GPR_ASSERT(md != NULL); /* Checked before. */
- if (md_ctx == NULL) {
- gpr_log(GPR_ERROR, "Could not create EVP_MD_CTX.");
- goto end;
- }
- if (EVP_DigestVerifyInit(md_ctx, NULL, md, NULL, key) != 1) {
- gpr_log(GPR_ERROR, "EVP_DigestVerifyInit failed.");
- goto end;
- }
- if (EVP_DigestVerifyUpdate(md_ctx, GPR_SLICE_START_PTR(signed_data),
- GPR_SLICE_LENGTH(signed_data)) != 1) {
- gpr_log(GPR_ERROR, "EVP_DigestVerifyUpdate failed.");
- goto end;
- }
- if (EVP_DigestVerifyFinal(md_ctx, GPR_SLICE_START_PTR(signature),
- GPR_SLICE_LENGTH(signature)) != 1) {
- gpr_log(GPR_ERROR, "JWT signature verification failed.");
- goto end;
- }
+ GPR_ASSERT (md != NULL); /* Checked before. */
+ if (md_ctx == NULL)
+ {
+ gpr_log (GPR_ERROR, "Could not create EVP_MD_CTX.");
+ goto end;
+ }
+ if (EVP_DigestVerifyInit (md_ctx, NULL, md, NULL, key) != 1)
+ {
+ gpr_log (GPR_ERROR, "EVP_DigestVerifyInit failed.");
+ goto end;
+ }
+ if (EVP_DigestVerifyUpdate (md_ctx, GPR_SLICE_START_PTR (signed_data), GPR_SLICE_LENGTH (signed_data)) != 1)
+ {
+ gpr_log (GPR_ERROR, "EVP_DigestVerifyUpdate failed.");
+ goto end;
+ }
+ if (EVP_DigestVerifyFinal (md_ctx, GPR_SLICE_START_PTR (signature), GPR_SLICE_LENGTH (signature)) != 1)
+ {
+ gpr_log (GPR_ERROR, "JWT signature verification failed.");
+ goto end;
+ }
result = 1;
end:
- if (md_ctx != NULL) EVP_MD_CTX_destroy(md_ctx);
+ if (md_ctx != NULL)
+ EVP_MD_CTX_destroy (md_ctx);
return result;
}
-static void on_keys_retrieved(void *user_data,
- const grpc_httpcli_response *response,
- grpc_closure_list *closure_list) {
- grpc_json *json = json_from_http(response);
- verifier_cb_ctx *ctx = (verifier_cb_ctx *)user_data;
+static void
+on_keys_retrieved (void *user_data, const grpc_httpcli_response * response, grpc_closure_list * closure_list)
+{
+ grpc_json *json = json_from_http (response);
+ verifier_cb_ctx *ctx = (verifier_cb_ctx *) user_data;
EVP_PKEY *verification_key = NULL;
grpc_jwt_verifier_status status = GRPC_JWT_VERIFIER_GENERIC_ERROR;
grpc_jwt_claims *claims = NULL;
- if (json == NULL) {
- status = GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR;
- goto end;
- }
- verification_key =
- find_verification_key(json, ctx->header->alg, ctx->header->kid);
- if (verification_key == NULL) {
- gpr_log(GPR_ERROR, "Could not find verification key with kid %s.",
- ctx->header->kid);
- status = GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR;
- goto end;
- }
-
- if (!verify_jwt_signature(verification_key, ctx->header->alg, ctx->signature,
- ctx->signed_data)) {
- status = GRPC_JWT_VERIFIER_BAD_SIGNATURE;
- goto end;
- }
-
- status = grpc_jwt_claims_check(ctx->claims, ctx->audience);
- if (status == GRPC_JWT_VERIFIER_OK) {
- /* Pass ownership. */
- claims = ctx->claims;
- ctx->claims = NULL;
- }
+ if (json == NULL)
+ {
+ status = GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR;
+ goto end;
+ }
+ verification_key = find_verification_key (json, ctx->header->alg, ctx->header->kid);
+ if (verification_key == NULL)
+ {
+ gpr_log (GPR_ERROR, "Could not find verification key with kid %s.", ctx->header->kid);
+ status = GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR;
+ goto end;
+ }
+
+ if (!verify_jwt_signature (verification_key, ctx->header->alg, ctx->signature, ctx->signed_data))
+ {
+ status = GRPC_JWT_VERIFIER_BAD_SIGNATURE;
+ goto end;
+ }
+
+ status = grpc_jwt_claims_check (ctx->claims, ctx->audience);
+ if (status == GRPC_JWT_VERIFIER_OK)
+ {
+ /* Pass ownership. */
+ claims = ctx->claims;
+ ctx->claims = NULL;
+ }
end:
- if (json != NULL) grpc_json_destroy(json);
- if (verification_key != NULL) EVP_PKEY_free(verification_key);
- ctx->user_cb(ctx->user_data, status, claims);
- verifier_cb_ctx_destroy(ctx);
+ if (json != NULL)
+ grpc_json_destroy (json);
+ if (verification_key != NULL)
+ EVP_PKEY_free (verification_key);
+ ctx->user_cb (ctx->user_data, status, claims);
+ verifier_cb_ctx_destroy (ctx);
}
-static void on_openid_config_retrieved(void *user_data,
- const grpc_httpcli_response *response,
- grpc_closure_list *closure_list) {
+static void
+on_openid_config_retrieved (void *user_data, const grpc_httpcli_response * response, grpc_closure_list * closure_list)
+{
const grpc_json *cur;
- grpc_json *json = json_from_http(response);
- verifier_cb_ctx *ctx = (verifier_cb_ctx *)user_data;
+ grpc_json *json = json_from_http (response);
+ verifier_cb_ctx *ctx = (verifier_cb_ctx *) user_data;
grpc_httpcli_request req;
const char *jwks_uri;
- /* TODO(jboeuf): Cache the jwks_uri in order to avoid this hop next time.*/
- if (json == NULL) goto error;
- cur = find_property_by_name(json, "jwks_uri");
- if (cur == NULL) {
- gpr_log(GPR_ERROR, "Could not find jwks_uri in openid config.");
+ /* TODO(jboeuf): Cache the jwks_uri in order to avoid this hop next time. */
+ if (json == NULL)
goto error;
- }
- jwks_uri = validate_string_field(cur, "jwks_uri");
- if (jwks_uri == NULL) goto error;
- if (strstr(jwks_uri, "https://") != jwks_uri) {
- gpr_log(GPR_ERROR, "Invalid non https jwks_uri: %s.", jwks_uri);
+ cur = find_property_by_name (json, "jwks_uri");
+ if (cur == NULL)
+ {
+ gpr_log (GPR_ERROR, "Could not find jwks_uri in openid config.");
+ goto error;
+ }
+ jwks_uri = validate_string_field (cur, "jwks_uri");
+ if (jwks_uri == NULL)
goto error;
- }
+ if (strstr (jwks_uri, "https://") != jwks_uri)
+ {
+ gpr_log (GPR_ERROR, "Invalid non https jwks_uri: %s.", jwks_uri);
+ goto error;
+ }
jwks_uri += 8;
req.handshaker = &grpc_httpcli_ssl;
- req.host = gpr_strdup(jwks_uri);
- req.path = strchr(jwks_uri, '/');
- if (req.path == NULL) {
- req.path = "";
- } else {
- *(req.host + (req.path - jwks_uri)) = '\0';
- }
- grpc_httpcli_get(
- &ctx->verifier->http_ctx, ctx->pollset, &req,
- gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), grpc_jwt_verifier_max_delay),
- on_keys_retrieved, ctx, closure_list);
- grpc_json_destroy(json);
- gpr_free(req.host);
+ req.host = gpr_strdup (jwks_uri);
+ req.path = strchr (jwks_uri, '/');
+ if (req.path == NULL)
+ {
+ req.path = "";
+ }
+ else
+ {
+ *(req.host + (req.path - jwks_uri)) = '\0';
+ }
+ grpc_httpcli_get (&ctx->verifier->http_ctx, ctx->pollset, &req, gpr_time_add (gpr_now (GPR_CLOCK_REALTIME), grpc_jwt_verifier_max_delay), on_keys_retrieved, ctx, closure_list);
+ grpc_json_destroy (json);
+ gpr_free (req.host);
return;
error:
- if (json != NULL) grpc_json_destroy(json);
- ctx->user_cb(ctx->user_data, GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR, NULL);
- verifier_cb_ctx_destroy(ctx);
+ if (json != NULL)
+ grpc_json_destroy (json);
+ ctx->user_cb (ctx->user_data, GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR, NULL);
+ verifier_cb_ctx_destroy (ctx);
}
-static email_key_mapping *verifier_get_mapping(grpc_jwt_verifier *v,
- const char *email_domain) {
+static email_key_mapping *
+verifier_get_mapping (grpc_jwt_verifier * v, const char *email_domain)
+{
size_t i;
- if (v->mappings == NULL) return NULL;
- for (i = 0; i < v->num_mappings; i++) {
- if (strcmp(email_domain, v->mappings[i].email_domain) == 0) {
- return &v->mappings[i];
+ if (v->mappings == NULL)
+ return NULL;
+ for (i = 0; i < v->num_mappings; i++)
+ {
+ if (strcmp (email_domain, v->mappings[i].email_domain) == 0)
+ {
+ return &v->mappings[i];
+ }
}
- }
return NULL;
}
-static void verifier_put_mapping(grpc_jwt_verifier *v, const char *email_domain,
- const char *key_url_prefix) {
- email_key_mapping *mapping = verifier_get_mapping(v, email_domain);
- GPR_ASSERT(v->num_mappings < v->allocated_mappings);
- if (mapping != NULL) {
- gpr_free(mapping->key_url_prefix);
- mapping->key_url_prefix = gpr_strdup(key_url_prefix);
- return;
- }
- v->mappings[v->num_mappings].email_domain = gpr_strdup(email_domain);
- v->mappings[v->num_mappings].key_url_prefix = gpr_strdup(key_url_prefix);
+static void
+verifier_put_mapping (grpc_jwt_verifier * v, const char *email_domain, const char *key_url_prefix)
+{
+ email_key_mapping *mapping = verifier_get_mapping (v, email_domain);
+ GPR_ASSERT (v->num_mappings < v->allocated_mappings);
+ if (mapping != NULL)
+ {
+ gpr_free (mapping->key_url_prefix);
+ mapping->key_url_prefix = gpr_strdup (key_url_prefix);
+ return;
+ }
+ v->mappings[v->num_mappings].email_domain = gpr_strdup (email_domain);
+ v->mappings[v->num_mappings].key_url_prefix = gpr_strdup (key_url_prefix);
v->num_mappings++;
- GPR_ASSERT(v->num_mappings <= v->allocated_mappings);
+ GPR_ASSERT (v->num_mappings <= v->allocated_mappings);
}
/* Takes ownership of ctx. */
-static void retrieve_key_and_verify(verifier_cb_ctx *ctx,
- grpc_closure_list *closure_list) {
+static void
+retrieve_key_and_verify (verifier_cb_ctx * ctx, grpc_closure_list * closure_list)
+{
const char *at_sign;
grpc_httpcli_response_cb http_cb;
char *path_prefix = NULL;
const char *iss;
grpc_httpcli_request req;
- memset(&req, 0, sizeof(grpc_httpcli_request));
+ memset (&req, 0, sizeof (grpc_httpcli_request));
req.handshaker = &grpc_httpcli_ssl;
- GPR_ASSERT(ctx != NULL && ctx->header != NULL && ctx->claims != NULL);
+ GPR_ASSERT (ctx != NULL && ctx->header != NULL && ctx->claims != NULL);
iss = ctx->claims->iss;
- if (ctx->header->kid == NULL) {
- gpr_log(GPR_ERROR, "Missing kid in jose header.");
- goto error;
- }
- if (iss == NULL) {
- gpr_log(GPR_ERROR, "Missing iss in claims.");
- goto error;
- }
+ if (ctx->header->kid == NULL)
+ {
+ gpr_log (GPR_ERROR, "Missing kid in jose header.");
+ goto error;
+ }
+ if (iss == NULL)
+ {
+ gpr_log (GPR_ERROR, "Missing iss in claims.");
+ goto error;
+ }
/* This code relies on:
https://openid.net/specs/openid-connect-discovery-1_0.html
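Review bot: In on_openid_config_retrieved the local `grpc_httpcli_request req` is used without being zeroed, while retrieve_key_and_verify in the same hunk does `memset (&req, 0, sizeof (grpc_httpcli_request));` before filling it in; only handshaker, host and path are set here, so any other field the HTTP client reads is uninitialised. Adding `memset (&req, 0, sizeof (req));` before `req.handshaker = &grpc_httpcli_ssl;` makes the two call sites consistent. A second gap is in find_verification_key's fallback path: the property looked up by kid is handed to extract_pkey_from_x509 as `cur->value` without checking its JSON type, whereas the JWK branch below checks `key_prop->type == GRPC_JSON_STRING` for every field; a non-string property would presumably reach strlen with a null or non-PEM value, so the guard should read `if (cur == NULL || cur->type != GRPC_JSON_STRING || cur->value == NULL) return NULL;`.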
@@ -713,56 +852,60 @@ static void retrieve_key_and_verify(verifier_cb_ctx *ctx,
/* Very non-sophisticated way to detect an email address. Should be good
enough for now... */
- at_sign = strchr(iss, '@');
- if (at_sign != NULL) {
- email_key_mapping *mapping;
- const char *email_domain = at_sign + 1;
- GPR_ASSERT(ctx->verifier != NULL);
- mapping = verifier_get_mapping(ctx->verifier, email_domain);
- if (mapping == NULL) {
- gpr_log(GPR_ERROR, "Missing mapping for issuer email.");
- goto error;
+ at_sign = strchr (iss, '@');
+ if (at_sign != NULL)
+ {
+ email_key_mapping *mapping;
+ const char *email_domain = at_sign + 1;
+ GPR_ASSERT (ctx->verifier != NULL);
+ mapping = verifier_get_mapping (ctx->verifier, email_domain);
+ if (mapping == NULL)
+ {
+ gpr_log (GPR_ERROR, "Missing mapping for issuer email.");
+ goto error;
+ }
+ req.host = gpr_strdup (mapping->key_url_prefix);
+ path_prefix = strchr (req.host, '/');
+ if (path_prefix == NULL)
+ {
+ gpr_asprintf (&req.path, "/%s", iss);
+ }
+ else
+ {
+ *(path_prefix++) = '\0';
+ gpr_asprintf (&req.path, "/%s/%s", path_prefix, iss);
+ }
+ http_cb = on_keys_retrieved;
}
- req.host = gpr_strdup(mapping->key_url_prefix);
- path_prefix = strchr(req.host, '/');
- if (path_prefix == NULL) {
- gpr_asprintf(&req.path, "/%s", iss);
- } else {
- *(path_prefix++) = '\0';
- gpr_asprintf(&req.path, "/%s/%s", path_prefix, iss);
- }
- http_cb = on_keys_retrieved;
- } else {
- req.host = gpr_strdup(strstr(iss, "https://") == iss ? iss + 8 : iss);
- path_prefix = strchr(req.host, '/');
- if (path_prefix == NULL) {
- req.path = gpr_strdup(GRPC_OPENID_CONFIG_URL_SUFFIX);
- } else {
- *(path_prefix++) = 0;
- gpr_asprintf(&req.path, "/%s%s", path_prefix,
- GRPC_OPENID_CONFIG_URL_SUFFIX);
- }
- http_cb = on_openid_config_retrieved;
- }
-
- grpc_httpcli_get(
- &ctx->verifier->http_ctx, ctx->pollset, &req,
- gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), grpc_jwt_verifier_max_delay),
- http_cb, ctx, closure_list);
- gpr_free(req.host);
- gpr_free(req.path);
+ else
+ {
+ req.host = gpr_strdup (strstr (iss, "https://") == iss ? iss + 8 : iss);
+ path_prefix = strchr (req.host, '/');
+ if (path_prefix == NULL)
+ {
+ req.path = gpr_strdup (GRPC_OPENID_CONFIG_URL_SUFFIX);
+ }
+ else
+ {
+ *(path_prefix++) = 0;
+ gpr_asprintf (&req.path, "/%s%s", path_prefix, GRPC_OPENID_CONFIG_URL_SUFFIX);
+ }
+ http_cb = on_openid_config_retrieved;
+ }
+
+ grpc_httpcli_get (&ctx->verifier->http_ctx, ctx->pollset, &req, gpr_time_add (gpr_now (GPR_CLOCK_REALTIME), grpc_jwt_verifier_max_delay), http_cb, ctx, closure_list);
+ gpr_free (req.host);
+ gpr_free (req.path);
return;
error:
- ctx->user_cb(ctx->user_data, GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR, NULL);
- verifier_cb_ctx_destroy(ctx);
+ ctx->user_cb (ctx->user_data, GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR, NULL);
+ verifier_cb_ctx_destroy (ctx);
}
-void grpc_jwt_verifier_verify(grpc_jwt_verifier *verifier,
- grpc_pollset *pollset, const char *jwt,
- const char *audience,
- grpc_jwt_verification_done_cb cb, void *user_data,
- grpc_closure_list *closure_list) {
+void
+grpc_jwt_verifier_verify (grpc_jwt_verifier * verifier, grpc_pollset * pollset, const char *jwt, const char *audience, grpc_jwt_verification_done_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
const char *dot = NULL;
grpc_json *json;
jose_header *header = NULL;
@@ -773,71 +916,82 @@ void grpc_jwt_verifier_verify(grpc_jwt_verifier *verifier,
size_t signed_jwt_len;
const char *cur = jwt;
- GPR_ASSERT(verifier != NULL && jwt != NULL && audience != NULL && cb != NULL);
- dot = strchr(cur, '.');
- if (dot == NULL) goto error;
- json = parse_json_part_from_jwt(cur, (size_t)(dot - cur), &header_buffer);
- if (json == NULL) goto error;
- header = jose_header_from_json(json, header_buffer);
- if (header == NULL) goto error;
+ GPR_ASSERT (verifier != NULL && jwt != NULL && audience != NULL && cb != NULL);
+ dot = strchr (cur, '.');
+ if (dot == NULL)
+ goto error;
+ json = parse_json_part_from_jwt (cur, (size_t) (dot - cur), &header_buffer);
+ if (json == NULL)
+ goto error;
+ header = jose_header_from_json (json, header_buffer);
+ if (header == NULL)
+ goto error;
cur = dot + 1;
- dot = strchr(cur, '.');
- if (dot == NULL) goto error;
- json = parse_json_part_from_jwt(cur, (size_t)(dot - cur), &claims_buffer);
- if (json == NULL) goto error;
- claims = grpc_jwt_claims_from_json(json, claims_buffer);
- if (claims == NULL) goto error;
-
- signed_jwt_len = (size_t)(dot - jwt);
+ dot = strchr (cur, '.');
+ if (dot == NULL)
+ goto error;
+ json = parse_json_part_from_jwt (cur, (size_t) (dot - cur), &claims_buffer);
+ if (json == NULL)
+ goto error;
+ claims = grpc_jwt_claims_from_json (json, claims_buffer);
+ if (claims == NULL)
+ goto error;
+
+ signed_jwt_len = (size_t) (dot - jwt);
cur = dot + 1;
- signature = grpc_base64_decode(cur, 1);
- if (GPR_SLICE_IS_EMPTY(signature)) goto error;
- retrieve_key_and_verify(
- verifier_cb_ctx_create(verifier, pollset, header, claims, audience,
- signature, jwt, signed_jwt_len, user_data, cb),
- closure_list);
+ signature = grpc_base64_decode (cur, 1);
+ if (GPR_SLICE_IS_EMPTY (signature))
+ goto error;
+ retrieve_key_and_verify (verifier_cb_ctx_create (verifier, pollset, header, claims, audience, signature, jwt, signed_jwt_len, user_data, cb), closure_list);
return;
error:
- if (header != NULL) jose_header_destroy(header);
- if (claims != NULL) grpc_jwt_claims_destroy(claims);
- cb(user_data, GRPC_JWT_VERIFIER_BAD_FORMAT, NULL);
+ if (header != NULL)
+ jose_header_destroy (header);
+ if (claims != NULL)
+ grpc_jwt_claims_destroy (claims);
+ cb (user_data, GRPC_JWT_VERIFIER_BAD_FORMAT, NULL);
}
-grpc_jwt_verifier *grpc_jwt_verifier_create(
- const grpc_jwt_verifier_email_domain_key_url_mapping *mappings,
- size_t num_mappings) {
- grpc_jwt_verifier *v = gpr_malloc(sizeof(grpc_jwt_verifier));
- memset(v, 0, sizeof(grpc_jwt_verifier));
- grpc_httpcli_context_init(&v->http_ctx);
+grpc_jwt_verifier *
+grpc_jwt_verifier_create (const grpc_jwt_verifier_email_domain_key_url_mapping * mappings, size_t num_mappings)
+{
+ grpc_jwt_verifier *v = gpr_malloc (sizeof (grpc_jwt_verifier));
+ memset (v, 0, sizeof (grpc_jwt_verifier));
+ grpc_httpcli_context_init (&v->http_ctx);
/* We know at least of one mapping. */
v->allocated_mappings = 1 + num_mappings;
- v->mappings = gpr_malloc(v->allocated_mappings * sizeof(email_key_mapping));
- verifier_put_mapping(v, GRPC_GOOGLE_SERVICE_ACCOUNTS_EMAIL_DOMAIN,
- GRPC_GOOGLE_SERVICE_ACCOUNTS_KEY_URL_PREFIX);
+ v->mappings = gpr_malloc (v->allocated_mappings * sizeof (email_key_mapping));
+ verifier_put_mapping (v, GRPC_GOOGLE_SERVICE_ACCOUNTS_EMAIL_DOMAIN, GRPC_GOOGLE_SERVICE_ACCOUNTS_KEY_URL_PREFIX);
/* User-Provided mappings. */
- if (mappings != NULL) {
- size_t i;
- for (i = 0; i < num_mappings; i++) {
- verifier_put_mapping(v, mappings[i].email_domain,
- mappings[i].key_url_prefix);
+ if (mappings != NULL)
+ {
+ size_t i;
+ for (i = 0; i < num_mappings; i++)
+ {
+ verifier_put_mapping (v, mappings[i].email_domain, mappings[i].key_url_prefix);
+ }
}
- }
return v;
}
-void grpc_jwt_verifier_destroy(grpc_jwt_verifier *v) {
+void
+grpc_jwt_verifier_destroy (grpc_jwt_verifier * v)
+{
size_t i;
- if (v == NULL) return;
- grpc_httpcli_context_destroy(&v->http_ctx);
- if (v->mappings != NULL) {
- for (i = 0; i < v->num_mappings; i++) {
- gpr_free(v->mappings[i].email_domain);
- gpr_free(v->mappings[i].key_url_prefix);
- }
- gpr_free(v->mappings);
- }
- gpr_free(v);
+ if (v == NULL)
+ return;
+ grpc_httpcli_context_destroy (&v->http_ctx);
+ if (v->mappings != NULL)
+ {
+ for (i = 0; i < v->num_mappings; i++)
+ {
+ gpr_free (v->mappings[i].email_domain);
+ gpr_free (v->mappings[i].key_url_prefix);
+ }
+ gpr_free (v->mappings);
+ }
+ gpr_free (v);
}
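Review bot: grpc_jwt_verifier_verify completes the callback on two different schedules and the new code does not say so: the `error:` path invokes `cb (user_data, GRPC_JWT_VERIFIER_BAD_FORMAT, NULL)` synchronously before returning, while the success path hands off to retrieve_key_and_verify, which (per the preceding hunk) issues an HTTP fetch and calls back later. A caller that holds a lock or assumes the callback cannot run before grpc_jwt_verifier_verify returns will misbehave on malformed tokens. Suggest a comment above the `GPR_ASSERT` line: `/* On malformed input cb runs synchronously (BAD_FORMAT, NULL claims); otherwise it runs from the key-retrieval HTTP callback. */`. Also worth confirming that parse_json_part_from_jwt releases header_buffer/claims_buffer itself when it returns NULL, since the error label only destroys header and claims.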
diff --git a/src/core/security/jwt_verifier.h b/src/core/security/jwt_verifier.h
index b270280cc1..4a1748898e 100644
--- a/src/core/security/jwt_verifier.h
+++ b/src/core/security/jwt_verifier.h
@@ -50,7 +50,8 @@
/* --- grpc_jwt_verifier_status. --- */
-typedef enum {
+typedef enum
+{
GRPC_JWT_VERIFIER_OK = 0,
GRPC_JWT_VERIFIER_BAD_SIGNATURE,
GRPC_JWT_VERIFIER_BAD_FORMAT,
@@ -60,31 +61,32 @@ typedef enum {
GRPC_JWT_VERIFIER_GENERIC_ERROR
} grpc_jwt_verifier_status;
-const char *grpc_jwt_verifier_status_to_string(grpc_jwt_verifier_status status);
+const char *grpc_jwt_verifier_status_to_string (grpc_jwt_verifier_status status);
/* --- grpc_jwt_claims. --- */
typedef struct grpc_jwt_claims grpc_jwt_claims;
-void grpc_jwt_claims_destroy(grpc_jwt_claims *claims);
+void grpc_jwt_claims_destroy (grpc_jwt_claims * claims);
/* Returns the whole JSON tree of the claims. */
-const grpc_json *grpc_jwt_claims_json(const grpc_jwt_claims *claims);
+const grpc_json *grpc_jwt_claims_json (const grpc_jwt_claims * claims);
/* Access to registered claims in https://tools.ietf.org/html/rfc7519#page-9 */
-const char *grpc_jwt_claims_subject(const grpc_jwt_claims *claims);
-const char *grpc_jwt_claims_issuer(const grpc_jwt_claims *claims);
-const char *grpc_jwt_claims_id(const grpc_jwt_claims *claims);
-const char *grpc_jwt_claims_audience(const grpc_jwt_claims *claims);
-gpr_timespec grpc_jwt_claims_issued_at(const grpc_jwt_claims *claims);
-gpr_timespec grpc_jwt_claims_expires_at(const grpc_jwt_claims *claims);
-gpr_timespec grpc_jwt_claims_not_before(const grpc_jwt_claims *claims);
+const char *grpc_jwt_claims_subject (const grpc_jwt_claims * claims);
+const char *grpc_jwt_claims_issuer (const grpc_jwt_claims * claims);
+const char *grpc_jwt_claims_id (const grpc_jwt_claims * claims);
+const char *grpc_jwt_claims_audience (const grpc_jwt_claims * claims);
+gpr_timespec grpc_jwt_claims_issued_at (const grpc_jwt_claims * claims);
+gpr_timespec grpc_jwt_claims_expires_at (const grpc_jwt_claims * claims);
+gpr_timespec grpc_jwt_claims_not_before (const grpc_jwt_claims * claims);
/* --- grpc_jwt_verifier. --- */
typedef struct grpc_jwt_verifier grpc_jwt_verifier;
-typedef struct {
+typedef struct
+{
/* The email domain is the part after the @ sign. */
const char *email_domain;
@@ -104,32 +106,23 @@ extern gpr_timespec grpc_jwt_verifier_max_delay;
A verifier object has one built-in mapping (unless overridden):
GRPC_GOOGLE_SERVICE_ACCOUNTS_EMAIL_DOMAIN ->
GRPC_GOOGLE_SERVICE_ACCOUNTS_KEY_URL_PREFIX.*/
-grpc_jwt_verifier *grpc_jwt_verifier_create(
- const grpc_jwt_verifier_email_domain_key_url_mapping *mappings,
- size_t num_mappings);
+grpc_jwt_verifier *grpc_jwt_verifier_create (const grpc_jwt_verifier_email_domain_key_url_mapping * mappings, size_t num_mappings);
/*The verifier must not be destroyed if there are still outstanding callbacks.*/
-void grpc_jwt_verifier_destroy(grpc_jwt_verifier *verifier);
+void grpc_jwt_verifier_destroy (grpc_jwt_verifier * verifier);
/* User provided callback that will be called when the verification of the JWT
is done (maybe in another thread).
It is the responsibility of the callee to call grpc_jwt_claims_destroy on
the claims. */
-typedef void (*grpc_jwt_verification_done_cb)(void *user_data,
- grpc_jwt_verifier_status status,
- grpc_jwt_claims *claims);
+typedef void (*grpc_jwt_verification_done_cb) (void *user_data, grpc_jwt_verifier_status status, grpc_jwt_claims * claims);
/* Verifies for the JWT for the given expected audience. */
-void grpc_jwt_verifier_verify(grpc_jwt_verifier *verifier,
- grpc_pollset *pollset, const char *jwt,
- const char *audience,
- grpc_jwt_verification_done_cb cb, void *user_data,
- grpc_closure_list *closure_list);
+void grpc_jwt_verifier_verify (grpc_jwt_verifier * verifier, grpc_pollset * pollset, const char *jwt, const char *audience, grpc_jwt_verification_done_cb cb, void *user_data, grpc_closure_list * closure_list);
/* --- TESTING ONLY exposed functions. --- */
-grpc_jwt_claims *grpc_jwt_claims_from_json(grpc_json *json, gpr_slice buffer);
-grpc_jwt_verifier_status grpc_jwt_claims_check(const grpc_jwt_claims *claims,
- const char *audience);
+grpc_jwt_claims *grpc_jwt_claims_from_json (grpc_json * json, gpr_slice buffer);
+grpc_jwt_verifier_status grpc_jwt_claims_check (const grpc_jwt_claims * claims, const char *audience);
#endif /* GRPC_INTERNAL_CORE_SECURITY_JWT_VERIFIER_H */
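Review bot: The comment on grpc_jwt_verification_done_cb says the "callee" must destroy the claims, but it does not say that claims may be NULL, which the .c hunk shows for both the BAD_FORMAT and KEY_RETRIEVAL_ERROR paths (`cb (user_data, GRPC_JWT_VERIFIER_BAD_FORMAT, NULL)` and the matching user_cb call). Suggest extending the comment: `claims is NULL unless status is GRPC_JWT_VERIFIER_OK (confirm for the signature-check path); the callback owns a non-NULL claims and must call grpc_jwt_claims_destroy on it.` The same comment should also say whether the callback may be invoked synchronously from grpc_jwt_verifier_verify, since the .c side does that on malformed input.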
diff --git a/src/core/security/secure_endpoint.c b/src/core/security/secure_endpoint.c
index a6fc7e94a0..64c501860f 100644
--- a/src/core/security/secure_endpoint.c
+++ b/src/core/security/secure_endpoint.c
@@ -43,7 +43,8 @@
#define STAGING_BUFFER_SIZE 8192
-typedef struct {
+typedef struct
+{
grpc_endpoint base;
grpc_endpoint *wrapped_ep;
struct tsi_frame_protector *protector;
@@ -67,18 +68,19 @@ typedef struct {
int grpc_trace_secure_endpoint = 0;
-static void destroy(secure_endpoint *secure_ep,
- grpc_closure_list *closure_list) {
+static void
+destroy (secure_endpoint * secure_ep, grpc_closure_list * closure_list)
+{
secure_endpoint *ep = secure_ep;
- grpc_endpoint_destroy(ep->wrapped_ep, closure_list);
- tsi_frame_protector_destroy(ep->protector);
- gpr_slice_buffer_destroy(&ep->leftover_bytes);
- gpr_slice_unref(ep->read_staging_buffer);
- gpr_slice_unref(ep->write_staging_buffer);
- gpr_slice_buffer_destroy(&ep->output_buffer);
- gpr_slice_buffer_destroy(&ep->source_buffer);
- gpr_mu_destroy(&ep->protector_mu);
- gpr_free(ep);
+ grpc_endpoint_destroy (ep->wrapped_ep, closure_list);
+ tsi_frame_protector_destroy (ep->protector);
+ gpr_slice_buffer_destroy (&ep->leftover_bytes);
+ gpr_slice_unref (ep->read_staging_buffer);
+ gpr_slice_unref (ep->write_staging_buffer);
+ gpr_slice_buffer_destroy (&ep->output_buffer);
+ gpr_slice_buffer_destroy (&ep->source_buffer);
+ gpr_mu_destroy (&ep->protector_mu);
+ gpr_free (ep);
}
/*#define GRPC_SECURE_ENDPOINT_REFCOUNT_DEBUG*/
@@ -87,299 +89,326 @@ static void destroy(secure_endpoint *secure_ep,
secure_endpoint_unref((ep), (cl), (reason), __FILE__, __LINE__)
#define SECURE_ENDPOINT_REF(ep, reason) \
secure_endpoint_ref((ep), (reason), __FILE__, __LINE__)
-static void secure_endpoint_unref(secure_endpoint *ep,
- grpc_closure_list *closure_list,
- const char *reason, const char *file,
- int line) {
- gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG, "SECENDP unref %p : %s %d -> %d",
- ep, reason, ep->ref.count, ep->ref.count - 1);
- if (gpr_unref(&ep->ref)) {
- destroy(ep, closure_list);
- }
+static void
+secure_endpoint_unref (secure_endpoint * ep, grpc_closure_list * closure_list, const char *reason, const char *file, int line)
+{
+ gpr_log (file, line, GPR_LOG_SEVERITY_DEBUG, "SECENDP unref %p : %s %d -> %d", ep, reason, ep->ref.count, ep->ref.count - 1);
+ if (gpr_unref (&ep->ref))
+ {
+ destroy (ep, closure_list);
+ }
}
-static void secure_endpoint_ref(secure_endpoint *ep, const char *reason,
- const char *file, int line) {
- gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG, "SECENDP ref %p : %s %d -> %d",
- ep, reason, ep->ref.count, ep->ref.count + 1);
- gpr_ref(&ep->ref);
+static void
+secure_endpoint_ref (secure_endpoint * ep, const char *reason, const char *file, int line)
+{
+ gpr_log (file, line, GPR_LOG_SEVERITY_DEBUG, "SECENDP ref %p : %s %d -> %d", ep, reason, ep->ref.count, ep->ref.count + 1);
+ gpr_ref (&ep->ref);
}
#else
#define SECURE_ENDPOINT_UNREF(ep, reason, cl) secure_endpoint_unref((ep), (cl))
#define SECURE_ENDPOINT_REF(ep, reason) secure_endpoint_ref((ep))
-static void secure_endpoint_unref(secure_endpoint *ep,
- grpc_closure_list *closure_list) {
- if (gpr_unref(&ep->ref)) {
- destroy(ep, closure_list);
- }
+static void
+secure_endpoint_unref (secure_endpoint * ep, grpc_closure_list * closure_list)
+{
+ if (gpr_unref (&ep->ref))
+ {
+ destroy (ep, closure_list);
+ }
}
-static void secure_endpoint_ref(secure_endpoint *ep) { gpr_ref(&ep->ref); }
+static void
+secure_endpoint_ref (secure_endpoint * ep)
+{
+ gpr_ref (&ep->ref);
+}
#endif
-static void flush_read_staging_buffer(secure_endpoint *ep, gpr_uint8 **cur,
- gpr_uint8 **end) {
- gpr_slice_buffer_add(ep->read_buffer, ep->read_staging_buffer);
- ep->read_staging_buffer = gpr_slice_malloc(STAGING_BUFFER_SIZE);
- *cur = GPR_SLICE_START_PTR(ep->read_staging_buffer);
- *end = GPR_SLICE_END_PTR(ep->read_staging_buffer);
+static void
+flush_read_staging_buffer (secure_endpoint * ep, gpr_uint8 ** cur, gpr_uint8 ** end)
+{
+ gpr_slice_buffer_add (ep->read_buffer, ep->read_staging_buffer);
+ ep->read_staging_buffer = gpr_slice_malloc (STAGING_BUFFER_SIZE);
+ *cur = GPR_SLICE_START_PTR (ep->read_staging_buffer);
+ *end = GPR_SLICE_END_PTR (ep->read_staging_buffer);
}
-static void call_read_cb(secure_endpoint *ep, int success,
- grpc_closure_list *closure_list) {
- if (grpc_trace_secure_endpoint) {
- size_t i;
- for (i = 0; i < ep->read_buffer->count; i++) {
- char *data = gpr_dump_slice(ep->read_buffer->slices[i],
- GPR_DUMP_HEX | GPR_DUMP_ASCII);
- gpr_log(GPR_DEBUG, "READ %p: %s", ep, data);
- gpr_free(data);
+static void
+call_read_cb (secure_endpoint * ep, int success, grpc_closure_list * closure_list)
+{
+ if (grpc_trace_secure_endpoint)
+ {
+ size_t i;
+ for (i = 0; i < ep->read_buffer->count; i++)
+ {
+ char *data = gpr_dump_slice (ep->read_buffer->slices[i],
+ GPR_DUMP_HEX | GPR_DUMP_ASCII);
+ gpr_log (GPR_DEBUG, "READ %p: %s", ep, data);
+ gpr_free (data);
+ }
}
- }
ep->read_buffer = NULL;
- grpc_closure_list_add(closure_list, ep->read_cb, success);
- SECURE_ENDPOINT_UNREF(ep, "read", closure_list);
+ grpc_closure_list_add (closure_list, ep->read_cb, success);
+ SECURE_ENDPOINT_UNREF (ep, "read", closure_list);
}
-static void on_read(void *user_data, int success,
- grpc_closure_list *closure_list) {
+static void
+on_read (void *user_data, int success, grpc_closure_list * closure_list)
+{
unsigned i;
gpr_uint8 keep_looping = 0;
tsi_result result = TSI_OK;
- secure_endpoint *ep = (secure_endpoint *)user_data;
- gpr_uint8 *cur = GPR_SLICE_START_PTR(ep->read_staging_buffer);
- gpr_uint8 *end = GPR_SLICE_END_PTR(ep->read_staging_buffer);
-
- if (!success) {
- gpr_slice_buffer_reset_and_unref(ep->read_buffer);
- call_read_cb(ep, 0, closure_list);
- return;
- }
+ secure_endpoint *ep = (secure_endpoint *) user_data;
+ gpr_uint8 *cur = GPR_SLICE_START_PTR (ep->read_staging_buffer);
+ gpr_uint8 *end = GPR_SLICE_END_PTR (ep->read_staging_buffer);
+
+ if (!success)
+ {
+ gpr_slice_buffer_reset_and_unref (ep->read_buffer);
+ call_read_cb (ep, 0, closure_list);
+ return;
+ }
/* TODO(yangg) check error, maybe bail out early */
- for (i = 0; i < ep->source_buffer.count; i++) {
- gpr_slice encrypted = ep->source_buffer.slices[i];
- gpr_uint8 *message_bytes = GPR_SLICE_START_PTR(encrypted);
- size_t message_size = GPR_SLICE_LENGTH(encrypted);
-
- while (message_size > 0 || keep_looping) {
- size_t unprotected_buffer_size_written = (size_t)(end - cur);
- size_t processed_message_size = message_size;
- gpr_mu_lock(&ep->protector_mu);
- result = tsi_frame_protector_unprotect(ep->protector, message_bytes,
- &processed_message_size, cur,
- &unprotected_buffer_size_written);
- gpr_mu_unlock(&ep->protector_mu);
- if (result != TSI_OK) {
- gpr_log(GPR_ERROR, "Decryption error: %s",
- tsi_result_to_string(result));
- break;
- }
- message_bytes += processed_message_size;
- message_size -= processed_message_size;
- cur += unprotected_buffer_size_written;
-
- if (cur == end) {
- flush_read_staging_buffer(ep, &cur, &end);
- /* Force to enter the loop again to extract buffered bytes in protector.
- The bytes could be buffered because of running out of staging_buffer.
- If this happens at the end of all slices, doing another unprotect
- avoids leaving data in the protector. */
- keep_looping = 1;
- } else if (unprotected_buffer_size_written > 0) {
- keep_looping = 1;
- } else {
- keep_looping = 0;
- }
+ for (i = 0; i < ep->source_buffer.count; i++)
+ {
+ gpr_slice encrypted = ep->source_buffer.slices[i];
+ gpr_uint8 *message_bytes = GPR_SLICE_START_PTR (encrypted);
+ size_t message_size = GPR_SLICE_LENGTH (encrypted);
+
+ while (message_size > 0 || keep_looping)
+ {
+ size_t unprotected_buffer_size_written = (size_t) (end - cur);
+ size_t processed_message_size = message_size;
+ gpr_mu_lock (&ep->protector_mu);
+ result = tsi_frame_protector_unprotect (ep->protector, message_bytes, &processed_message_size, cur, &unprotected_buffer_size_written);
+ gpr_mu_unlock (&ep->protector_mu);
+ if (result != TSI_OK)
+ {
+ gpr_log (GPR_ERROR, "Decryption error: %s", tsi_result_to_string (result));
+ break;
+ }
+ message_bytes += processed_message_size;
+ message_size -= processed_message_size;
+ cur += unprotected_buffer_size_written;
+
+ if (cur == end)
+ {
+ flush_read_staging_buffer (ep, &cur, &end);
+ /* Force to enter the loop again to extract buffered bytes in protector.
+ The bytes could be buffered because of running out of staging_buffer.
+ If this happens at the end of all slices, doing another unprotect
+ avoids leaving data in the protector. */
+ keep_looping = 1;
+ }
+ else if (unprotected_buffer_size_written > 0)
+ {
+ keep_looping = 1;
+ }
+ else
+ {
+ keep_looping = 0;
+ }
+ }
+ if (result != TSI_OK)
+ break;
}
- if (result != TSI_OK) break;
- }
- if (cur != GPR_SLICE_START_PTR(ep->read_staging_buffer)) {
- gpr_slice_buffer_add(
- ep->read_buffer,
- gpr_slice_split_head(
- &ep->read_staging_buffer,
- (size_t)(cur - GPR_SLICE_START_PTR(ep->read_staging_buffer))));
- }
+ if (cur != GPR_SLICE_START_PTR (ep->read_staging_buffer))
+ {
+ gpr_slice_buffer_add (ep->read_buffer, gpr_slice_split_head (&ep->read_staging_buffer, (size_t) (cur - GPR_SLICE_START_PTR (ep->read_staging_buffer))));
+ }
/* TODO(yangg) experiment with moving this block after read_cb to see if it
helps latency */
- gpr_slice_buffer_reset_and_unref(&ep->source_buffer);
+ gpr_slice_buffer_reset_and_unref (&ep->source_buffer);
- if (result != TSI_OK) {
- gpr_slice_buffer_reset_and_unref(ep->read_buffer);
- call_read_cb(ep, 0, closure_list);
- return;
- }
+ if (result != TSI_OK)
+ {
+ gpr_slice_buffer_reset_and_unref (ep->read_buffer);
+ call_read_cb (ep, 0, closure_list);
+ return;
+ }
- call_read_cb(ep, 1, closure_list);
+ call_read_cb (ep, 1, closure_list);
}
-static void endpoint_read(grpc_endpoint *secure_ep, gpr_slice_buffer *slices,
- grpc_closure *cb, grpc_closure_list *closure_list) {
- secure_endpoint *ep = (secure_endpoint *)secure_ep;
+static void
+endpoint_read (grpc_endpoint * secure_ep, gpr_slice_buffer * slices, grpc_closure * cb, grpc_closure_list * closure_list)
+{
+ secure_endpoint *ep = (secure_endpoint *) secure_ep;
ep->read_cb = cb;
ep->read_buffer = slices;
- gpr_slice_buffer_reset_and_unref(ep->read_buffer);
-
- SECURE_ENDPOINT_REF(ep, "read");
- if (ep->leftover_bytes.count) {
- gpr_slice_buffer_swap(&ep->leftover_bytes, &ep->source_buffer);
- GPR_ASSERT(ep->leftover_bytes.count == 0);
- on_read(ep, 1, closure_list);
- return;
- }
-
- grpc_endpoint_read(ep->wrapped_ep, &ep->source_buffer, &ep->on_read,
- closure_list);
+ gpr_slice_buffer_reset_and_unref (ep->read_buffer);
+
+ SECURE_ENDPOINT_REF (ep, "read");
+ if (ep->leftover_bytes.count)
+ {
+ gpr_slice_buffer_swap (&ep->leftover_bytes, &ep->source_buffer);
+ GPR_ASSERT (ep->leftover_bytes.count == 0);
+ on_read (ep, 1, closure_list);
+ return;
+ }
+
+ grpc_endpoint_read (ep->wrapped_ep, &ep->source_buffer, &ep->on_read, closure_list);
}
-static void flush_write_staging_buffer(secure_endpoint *ep, gpr_uint8 **cur,
- gpr_uint8 **end) {
- gpr_slice_buffer_add(&ep->output_buffer, ep->write_staging_buffer);
- ep->write_staging_buffer = gpr_slice_malloc(STAGING_BUFFER_SIZE);
- *cur = GPR_SLICE_START_PTR(ep->write_staging_buffer);
- *end = GPR_SLICE_END_PTR(ep->write_staging_buffer);
+static void
+flush_write_staging_buffer (secure_endpoint * ep, gpr_uint8 ** cur, gpr_uint8 ** end)
+{
+ gpr_slice_buffer_add (&ep->output_buffer, ep->write_staging_buffer);
+ ep->write_staging_buffer = gpr_slice_malloc (STAGING_BUFFER_SIZE);
+ *cur = GPR_SLICE_START_PTR (ep->write_staging_buffer);
+ *end = GPR_SLICE_END_PTR (ep->write_staging_buffer);
}
-static void endpoint_write(grpc_endpoint *secure_ep, gpr_slice_buffer *slices,
- grpc_closure *cb, grpc_closure_list *closure_list) {
+static void
+endpoint_write (grpc_endpoint * secure_ep, gpr_slice_buffer * slices, grpc_closure * cb, grpc_closure_list * closure_list)
+{
unsigned i;
tsi_result result = TSI_OK;
- secure_endpoint *ep = (secure_endpoint *)secure_ep;
- gpr_uint8 *cur = GPR_SLICE_START_PTR(ep->write_staging_buffer);
- gpr_uint8 *end = GPR_SLICE_END_PTR(ep->write_staging_buffer);
-
- gpr_slice_buffer_reset_and_unref(&ep->output_buffer);
-
- if (grpc_trace_secure_endpoint) {
- for (i = 0; i < slices->count; i++) {
- char *data =
- gpr_dump_slice(slices->slices[i], GPR_DUMP_HEX | GPR_DUMP_ASCII);
- gpr_log(GPR_DEBUG, "WRITE %p: %s", ep, data);
- gpr_free(data);
+ secure_endpoint *ep = (secure_endpoint *) secure_ep;
+ gpr_uint8 *cur = GPR_SLICE_START_PTR (ep->write_staging_buffer);
+ gpr_uint8 *end = GPR_SLICE_END_PTR (ep->write_staging_buffer);
+
+ gpr_slice_buffer_reset_and_unref (&ep->output_buffer);
+
+ if (grpc_trace_secure_endpoint)
+ {
+ for (i = 0; i < slices->count; i++)
+ {
+ char *data = gpr_dump_slice (slices->slices[i], GPR_DUMP_HEX | GPR_DUMP_ASCII);
+ gpr_log (GPR_DEBUG, "WRITE %p: %s", ep, data);
+ gpr_free (data);
+ }
}
- }
-
- for (i = 0; i < slices->count; i++) {
- gpr_slice plain = slices->slices[i];
- gpr_uint8 *message_bytes = GPR_SLICE_START_PTR(plain);
- size_t message_size = GPR_SLICE_LENGTH(plain);
- while (message_size > 0) {
- size_t protected_buffer_size_to_send = (size_t)(end - cur);
- size_t processed_message_size = message_size;
- gpr_mu_lock(&ep->protector_mu);
- result = tsi_frame_protector_protect(ep->protector, message_bytes,
- &processed_message_size, cur,
- &protected_buffer_size_to_send);
- gpr_mu_unlock(&ep->protector_mu);
- if (result != TSI_OK) {
- gpr_log(GPR_ERROR, "Encryption error: %s",
- tsi_result_to_string(result));
- break;
- }
- message_bytes += processed_message_size;
- message_size -= processed_message_size;
- cur += protected_buffer_size_to_send;
-
- if (cur == end) {
- flush_write_staging_buffer(ep, &cur, &end);
- }
+
+ for (i = 0; i < slices->count; i++)
+ {
+ gpr_slice plain = slices->slices[i];
+ gpr_uint8 *message_bytes = GPR_SLICE_START_PTR (plain);
+ size_t message_size = GPR_SLICE_LENGTH (plain);
+ while (message_size > 0)
+ {
+ size_t protected_buffer_size_to_send = (size_t) (end - cur);
+ size_t processed_message_size = message_size;
+ gpr_mu_lock (&ep->protector_mu);
+ result = tsi_frame_protector_protect (ep->protector, message_bytes, &processed_message_size, cur, &protected_buffer_size_to_send);
+ gpr_mu_unlock (&ep->protector_mu);
+ if (result != TSI_OK)
+ {
+ gpr_log (GPR_ERROR, "Encryption error: %s", tsi_result_to_string (result));
+ break;
+ }
+ message_bytes += processed_message_size;
+ message_size -= processed_message_size;
+ cur += protected_buffer_size_to_send;
+
+ if (cur == end)
+ {
+ flush_write_staging_buffer (ep, &cur, &end);
+ }
+ }
+ if (result != TSI_OK)
+ break;
}
- if (result != TSI_OK) break;
- }
- if (result == TSI_OK) {
- size_t still_pending_size;
- do {
- size_t protected_buffer_size_to_send = (size_t)(end - cur);
- gpr_mu_lock(&ep->protector_mu);
- result = tsi_frame_protector_protect_flush(ep->protector, cur,
- &protected_buffer_size_to_send,
- &still_pending_size);
- gpr_mu_unlock(&ep->protector_mu);
- if (result != TSI_OK) break;
- cur += protected_buffer_size_to_send;
- if (cur == end) {
- flush_write_staging_buffer(ep, &cur, &end);
- }
- } while (still_pending_size > 0);
- if (cur != GPR_SLICE_START_PTR(ep->write_staging_buffer)) {
- gpr_slice_buffer_add(
- &ep->output_buffer,
- gpr_slice_split_head(
- &ep->write_staging_buffer,
- (size_t)(cur - GPR_SLICE_START_PTR(ep->write_staging_buffer))));
+ if (result == TSI_OK)
+ {
+ size_t still_pending_size;
+ do
+ {
+ size_t protected_buffer_size_to_send = (size_t) (end - cur);
+ gpr_mu_lock (&ep->protector_mu);
+ result = tsi_frame_protector_protect_flush (ep->protector, cur, &protected_buffer_size_to_send, &still_pending_size);
+ gpr_mu_unlock (&ep->protector_mu);
+ if (result != TSI_OK)
+ break;
+ cur += protected_buffer_size_to_send;
+ if (cur == end)
+ {
+ flush_write_staging_buffer (ep, &cur, &end);
+ }
+ }
+ while (still_pending_size > 0);
+ if (cur != GPR_SLICE_START_PTR (ep->write_staging_buffer))
+ {
+ gpr_slice_buffer_add (&ep->output_buffer, gpr_slice_split_head (&ep->write_staging_buffer, (size_t) (cur - GPR_SLICE_START_PTR (ep->write_staging_buffer))));
+ }
}
- }
- if (result != TSI_OK) {
- /* TODO(yangg) do different things according to the error type? */
- gpr_slice_buffer_reset_and_unref(&ep->output_buffer);
- grpc_closure_list_add(closure_list, cb, 0);
- return;
- }
+ if (result != TSI_OK)
+ {
+ /* TODO(yangg) do different things according to the error type? */
+ gpr_slice_buffer_reset_and_unref (&ep->output_buffer);
+ grpc_closure_list_add (closure_list, cb, 0);
+ return;
+ }
- grpc_endpoint_write(ep->wrapped_ep, &ep->output_buffer, cb, closure_list);
+ grpc_endpoint_write (ep->wrapped_ep, &ep->output_buffer, cb, closure_list);
}
-static void endpoint_shutdown(grpc_endpoint *secure_ep,
- grpc_closure_list *closure_list) {
- secure_endpoint *ep = (secure_endpoint *)secure_ep;
- grpc_endpoint_shutdown(ep->wrapped_ep, closure_list);
+static void
+endpoint_shutdown (grpc_endpoint * secure_ep, grpc_closure_list * closure_list)
+{
+ secure_endpoint *ep = (secure_endpoint *) secure_ep;
+ grpc_endpoint_shutdown (ep->wrapped_ep, closure_list);
}
-static void endpoint_destroy(grpc_endpoint *secure_ep,
- grpc_closure_list *closure_list) {
- secure_endpoint *ep = (secure_endpoint *)secure_ep;
- SECURE_ENDPOINT_UNREF(ep, "destroy", closure_list);
+static void
+endpoint_destroy (grpc_endpoint * secure_ep, grpc_closure_list * closure_list)
+{
+ secure_endpoint *ep = (secure_endpoint *) secure_ep;
+ SECURE_ENDPOINT_UNREF (ep, "destroy", closure_list);
}
-static void endpoint_add_to_pollset(grpc_endpoint *secure_ep,
- grpc_pollset *pollset,
- grpc_closure_list *closure_list) {
- secure_endpoint *ep = (secure_endpoint *)secure_ep;
- grpc_endpoint_add_to_pollset(ep->wrapped_ep, pollset, closure_list);
+static void
+endpoint_add_to_pollset (grpc_endpoint * secure_ep, grpc_pollset * pollset, grpc_closure_list * closure_list)
+{
+ secure_endpoint *ep = (secure_endpoint *) secure_ep;
+ grpc_endpoint_add_to_pollset (ep->wrapped_ep, pollset, closure_list);
}
-static void endpoint_add_to_pollset_set(grpc_endpoint *secure_ep,
- grpc_pollset_set *pollset_set,
- grpc_closure_list *closure_list) {
- secure_endpoint *ep = (secure_endpoint *)secure_ep;
- grpc_endpoint_add_to_pollset_set(ep->wrapped_ep, pollset_set, closure_list);
+static void
+endpoint_add_to_pollset_set (grpc_endpoint * secure_ep, grpc_pollset_set * pollset_set, grpc_closure_list * closure_list)
+{
+ secure_endpoint *ep = (secure_endpoint *) secure_ep;
+ grpc_endpoint_add_to_pollset_set (ep->wrapped_ep, pollset_set, closure_list);
}
-static char *endpoint_get_peer(grpc_endpoint *secure_ep) {
- secure_endpoint *ep = (secure_endpoint *)secure_ep;
- return grpc_endpoint_get_peer(ep->wrapped_ep);
+static char *
+endpoint_get_peer (grpc_endpoint * secure_ep)
+{
+ secure_endpoint *ep = (secure_endpoint *) secure_ep;
+ return grpc_endpoint_get_peer (ep->wrapped_ep);
}
static const grpc_endpoint_vtable vtable = {
- endpoint_read, endpoint_write,
- endpoint_add_to_pollset, endpoint_add_to_pollset_set,
- endpoint_shutdown, endpoint_destroy,
- endpoint_get_peer};
-
-grpc_endpoint *grpc_secure_endpoint_create(
- struct tsi_frame_protector *protector, grpc_endpoint *transport,
- gpr_slice *leftover_slices, size_t leftover_nslices) {
+ endpoint_read, endpoint_write,
+ endpoint_add_to_pollset, endpoint_add_to_pollset_set,
+ endpoint_shutdown, endpoint_destroy,
+ endpoint_get_peer
+};
+
+grpc_endpoint *
+grpc_secure_endpoint_create (struct tsi_frame_protector *protector, grpc_endpoint * transport, gpr_slice * leftover_slices, size_t leftover_nslices)
+{
size_t i;
- secure_endpoint *ep = (secure_endpoint *)gpr_malloc(sizeof(secure_endpoint));
+ secure_endpoint *ep = (secure_endpoint *) gpr_malloc (sizeof (secure_endpoint));
ep->base.vtable = &vtable;
ep->wrapped_ep = transport;
ep->protector = protector;
- gpr_slice_buffer_init(&ep->leftover_bytes);
- for (i = 0; i < leftover_nslices; i++) {
- gpr_slice_buffer_add(&ep->leftover_bytes,
- gpr_slice_ref(leftover_slices[i]));
- }
- ep->write_staging_buffer = gpr_slice_malloc(STAGING_BUFFER_SIZE);
- ep->read_staging_buffer = gpr_slice_malloc(STAGING_BUFFER_SIZE);
- gpr_slice_buffer_init(&ep->output_buffer);
- gpr_slice_buffer_init(&ep->source_buffer);
+ gpr_slice_buffer_init (&ep->leftover_bytes);
+ for (i = 0; i < leftover_nslices; i++)
+ {
+ gpr_slice_buffer_add (&ep->leftover_bytes, gpr_slice_ref (leftover_slices[i]));
+ }
+ ep->write_staging_buffer = gpr_slice_malloc (STAGING_BUFFER_SIZE);
+ ep->read_staging_buffer = gpr_slice_malloc (STAGING_BUFFER_SIZE);
+ gpr_slice_buffer_init (&ep->output_buffer);
+ gpr_slice_buffer_init (&ep->source_buffer);
ep->read_buffer = NULL;
- grpc_closure_init(&ep->on_read, on_read, ep);
- gpr_mu_init(&ep->protector_mu);
- gpr_ref_init(&ep->ref, 1);
+ grpc_closure_init (&ep->on_read, on_read, ep);
+ gpr_mu_init (&ep->protector_mu);
+ gpr_ref_init (&ep->ref, 1);
return &ep->base;
}
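Review bot: When grpc_trace_secure_endpoint is non-zero, call_read_cb and endpoint_write pass every slice through gpr_dump_slice with GPR_DUMP_HEX | GPR_DUMP_ASCII and log it, i.e. the decrypted inbound payload and the plaintext outbound payload of the TLS-protected endpoint end up in the process log; the flag's declaration carries no warning about this. Suggest a comment next to `int grpc_trace_secure_endpoint = 0;` in the earlier hunk: `/* Debug only: when set, full plaintext of every read and write is written to the log. */`. Separately, on_read and endpoint_write declare the slice index as `unsigned i` while call_read_cb uses `size_t i` for the same `->count` field; `size_t i;` in both would match call_read_cb and avoid a mixed-width comparison. The `(secure_endpoint *)` cast on the gpr_malloc result in grpc_secure_endpoint_create is unnecessary in C and can be dropped.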
diff --git a/src/core/security/secure_endpoint.h b/src/core/security/secure_endpoint.h
index c563bdd9c5..e80a177dd5 100644
--- a/src/core/security/secure_endpoint.h
+++ b/src/core/security/secure_endpoint.h
@@ -42,8 +42,6 @@ struct tsi_frame_protector;
extern int grpc_trace_secure_endpoint;
/* Takes ownership of protector and to_wrap, and refs leftover_slices. */
-grpc_endpoint *grpc_secure_endpoint_create(
- struct tsi_frame_protector *protector, grpc_endpoint *to_wrap,
- gpr_slice *leftover_slices, size_t leftover_nslices);
+grpc_endpoint *grpc_secure_endpoint_create (struct tsi_frame_protector *protector, grpc_endpoint * to_wrap, gpr_slice * leftover_slices, size_t leftover_nslices);
#endif /* GRPC_INTERNAL_CORE_SECURITY_SECURE_ENDPOINT_H */
diff --git a/src/core/security/security_connector.c b/src/core/security/security_connector.c
index 280036bc0e..694004e4e0 100644
--- a/src/core/security/security_connector.c
+++ b/src/core/security/security_connector.c
@@ -57,8 +57,7 @@
#ifndef INSTALL_PREFIX
static const char *installed_roots_path = "/usr/share/grpc/roots.pem";
#else
-static const char *installed_roots_path =
- INSTALL_PREFIX "/share/grpc/roots.pem";
+static const char *installed_roots_path = INSTALL_PREFIX "/share/grpc/roots.pem";
#endif
/* -- Cipher suites. -- */
@@ -72,108 +71,127 @@ static const char *installed_roots_path =
static gpr_once cipher_suites_once = GPR_ONCE_INIT;
static const char *cipher_suites = NULL;
-static void init_cipher_suites(void) {
- char *overridden = gpr_getenv("GRPC_SSL_CIPHER_SUITES");
+static void
+init_cipher_suites (void)
+{
+ char *overridden = gpr_getenv ("GRPC_SSL_CIPHER_SUITES");
cipher_suites = overridden != NULL ? overridden : GRPC_SSL_CIPHER_SUITES;
}
-static const char *ssl_cipher_suites(void) {
- gpr_once_init(&cipher_suites_once, init_cipher_suites);
+static const char *
+ssl_cipher_suites (void)
+{
+ gpr_once_init (&cipher_suites_once, init_cipher_suites);
return cipher_suites;
}
/* -- Common methods. -- */
/* Returns the first property with that name. */
-const tsi_peer_property *tsi_peer_get_property_by_name(const tsi_peer *peer,
- const char *name) {
+const tsi_peer_property *
+tsi_peer_get_property_by_name (const tsi_peer * peer, const char *name)
+{
size_t i;
- if (peer == NULL) return NULL;
- for (i = 0; i < peer->property_count; i++) {
- const tsi_peer_property *property = &peer->properties[i];
- if (name == NULL && property->name == NULL) {
- return property;
- }
- if (name != NULL && property->name != NULL &&
- strcmp(property->name, name) == 0) {
- return property;
+ if (peer == NULL)
+ return NULL;
+ for (i = 0; i < peer->property_count; i++)
+ {
+ const tsi_peer_property *property = &peer->properties[i];
+ if (name == NULL && property->name == NULL)
+ {
+ return property;
+ }
+ if (name != NULL && property->name != NULL && strcmp (property->name, name) == 0)
+ {
+ return property;
+ }
}
- }
return NULL;
}
-void grpc_security_connector_do_handshake(grpc_security_connector *sc,
- grpc_endpoint *nonsecure_endpoint,
- grpc_security_handshake_done_cb cb,
- void *user_data,
- grpc_closure_list *closure_list) {
- if (sc == NULL || nonsecure_endpoint == NULL) {
- cb(user_data, GRPC_SECURITY_ERROR, nonsecure_endpoint, NULL, closure_list);
- } else {
- sc->vtable->do_handshake(sc, nonsecure_endpoint, cb, user_data,
- closure_list);
- }
-}
-
-grpc_security_status grpc_security_connector_check_peer(
- grpc_security_connector *sc, tsi_peer peer, grpc_security_check_cb cb,
- void *user_data) {
- if (sc == NULL) {
- tsi_peer_destruct(&peer);
- return GRPC_SECURITY_ERROR;
- }
- return sc->vtable->check_peer(sc, peer, cb, user_data);
+void
+grpc_security_connector_do_handshake (grpc_security_connector * sc, grpc_endpoint * nonsecure_endpoint, grpc_security_handshake_done_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ if (sc == NULL || nonsecure_endpoint == NULL)
+ {
+ cb (user_data, GRPC_SECURITY_ERROR, nonsecure_endpoint, NULL, closure_list);
+ }
+ else
+ {
+ sc->vtable->do_handshake (sc, nonsecure_endpoint, cb, user_data, closure_list);
+ }
}
-grpc_security_status grpc_channel_security_connector_check_call_host(
- grpc_channel_security_connector *sc, const char *host,
- grpc_security_check_cb cb, void *user_data,
- grpc_closure_list *closure_list) {
- if (sc == NULL || sc->check_call_host == NULL) return GRPC_SECURITY_ERROR;
- return sc->check_call_host(sc, host, cb, user_data, closure_list);
+grpc_security_status
+grpc_security_connector_check_peer (grpc_security_connector * sc, tsi_peer peer, grpc_security_check_cb cb, void *user_data)
+{
+ if (sc == NULL)
+ {
+ tsi_peer_destruct (&peer);
+ return GRPC_SECURITY_ERROR;
+ }
+ return sc->vtable->check_peer (sc, peer, cb, user_data);
+}
+
+grpc_security_status
+grpc_channel_security_connector_check_call_host (grpc_channel_security_connector * sc, const char *host, grpc_security_check_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ if (sc == NULL || sc->check_call_host == NULL)
+ return GRPC_SECURITY_ERROR;
+ return sc->check_call_host (sc, host, cb, user_data, closure_list);
}
#ifdef GRPC_SECURITY_CONNECTOR_REFCOUNT_DEBUG
-grpc_security_connector *grpc_security_connector_ref(
- grpc_security_connector *sc, const char *file, int line,
- const char *reason) {
- if (sc == NULL) return NULL;
- gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG,
- "SECURITY_CONNECTOR:%p ref %d -> %d %s", sc,
- (int)sc->refcount.count, (int)sc->refcount.count + 1, reason);
+grpc_security_connector *
+grpc_security_connector_ref (grpc_security_connector * sc, const char *file, int line, const char *reason)
+{
+ if (sc == NULL)
+ return NULL;
+ gpr_log (file, line, GPR_LOG_SEVERITY_DEBUG, "SECURITY_CONNECTOR:%p ref %d -> %d %s", sc, (int) sc->refcount.count, (int) sc->refcount.count + 1, reason);
#else
-grpc_security_connector *grpc_security_connector_ref(
- grpc_security_connector *sc) {
- if (sc == NULL) return NULL;
+grpc_security_connector *
+grpc_security_connector_ref (grpc_security_connector * sc)
+{
+ if (sc == NULL)
+ return NULL;
#endif
- gpr_ref(&sc->refcount);
+ gpr_ref (&sc->refcount);
return sc;
}
#ifdef GRPC_SECURITY_CONNECTOR_REFCOUNT_DEBUG
-void grpc_security_connector_unref(grpc_security_connector *sc,
- const char *file, int line,
- const char *reason) {
- if (sc == NULL) return;
- gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG,
- "SECURITY_CONNECTOR:%p unref %d -> %d %s", sc,
- (int)sc->refcount.count, (int)sc->refcount.count - 1, reason);
+void
+grpc_security_connector_unref (grpc_security_connector * sc, const char *file, int line, const char *reason)
+{
+ if (sc == NULL)
+ return;
+ gpr_log (file, line, GPR_LOG_SEVERITY_DEBUG, "SECURITY_CONNECTOR:%p unref %d -> %d %s", sc, (int) sc->refcount.count, (int) sc->refcount.count - 1, reason);
#else
-void grpc_security_connector_unref(grpc_security_connector *sc) {
- if (sc == NULL) return;
+void
+grpc_security_connector_unref (grpc_security_connector * sc)
+{
+ if (sc == NULL)
+ return;
#endif
- if (gpr_unref(&sc->refcount)) sc->vtable->destroy(sc);
+ if (gpr_unref (&sc->refcount))
+ sc->vtable->destroy (sc);
}
-static void connector_pointer_arg_destroy(void *p) {
- GRPC_SECURITY_CONNECTOR_UNREF(p, "connector_pointer_arg");
+static void
+connector_pointer_arg_destroy (void *p)
+{
+ GRPC_SECURITY_CONNECTOR_UNREF (p, "connector_pointer_arg");
}
-static void *connector_pointer_arg_copy(void *p) {
- return GRPC_SECURITY_CONNECTOR_REF(p, "connector_pointer_arg");
+static void *
+connector_pointer_arg_copy (void *p)
+{
+ return GRPC_SECURITY_CONNECTOR_REF (p, "connector_pointer_arg");
}
-grpc_arg grpc_security_connector_to_arg(grpc_security_connector *sc) {
+grpc_arg
+grpc_security_connector_to_arg (grpc_security_connector * sc)
+{
grpc_arg result;
result.type = GRPC_ARG_POINTER;
result.key = GRPC_SECURITY_CONNECTOR_ARG;
@@ -183,151 +201,159 @@ grpc_arg grpc_security_connector_to_arg(grpc_security_connector *sc) {
return result;
}
-grpc_security_connector *grpc_security_connector_from_arg(const grpc_arg *arg) {
- if (strcmp(arg->key, GRPC_SECURITY_CONNECTOR_ARG)) return NULL;
- if (arg->type != GRPC_ARG_POINTER) {
- gpr_log(GPR_ERROR, "Invalid type %d for arg %s", arg->type,
- GRPC_SECURITY_CONNECTOR_ARG);
+grpc_security_connector *
+grpc_security_connector_from_arg (const grpc_arg * arg)
+{
+ if (strcmp (arg->key, GRPC_SECURITY_CONNECTOR_ARG))
return NULL;
- }
+ if (arg->type != GRPC_ARG_POINTER)
+ {
+ gpr_log (GPR_ERROR, "Invalid type %d for arg %s", arg->type, GRPC_SECURITY_CONNECTOR_ARG);
+ return NULL;
+ }
return arg->value.pointer.p;
}
-grpc_security_connector *grpc_find_security_connector_in_args(
- const grpc_channel_args *args) {
+grpc_security_connector *
+grpc_find_security_connector_in_args (const grpc_channel_args * args)
+{
size_t i;
- if (args == NULL) return NULL;
- for (i = 0; i < args->num_args; i++) {
- grpc_security_connector *sc =
- grpc_security_connector_from_arg(&args->args[i]);
- if (sc != NULL) return sc;
- }
+ if (args == NULL)
+ return NULL;
+ for (i = 0; i < args->num_args; i++)
+ {
+ grpc_security_connector *sc = grpc_security_connector_from_arg (&args->args[i]);
+ if (sc != NULL)
+ return sc;
+ }
return NULL;
}
-static int check_request_metadata_creds(grpc_credentials *creds) {
- if (creds != NULL && !grpc_credentials_has_request_metadata(creds)) {
- gpr_log(GPR_ERROR,
- "Incompatible credentials for channel security connector: needs to "
- "set request metadata.");
- return 0;
- }
+static int
+check_request_metadata_creds (grpc_credentials * creds)
+{
+ if (creds != NULL && !grpc_credentials_has_request_metadata (creds))
+ {
+ gpr_log (GPR_ERROR, "Incompatible credentials for channel security connector: needs to " "set request metadata.");
+ return 0;
+ }
return 1;
}
/* -- Fake implementation. -- */
-typedef struct {
+typedef struct
+{
grpc_channel_security_connector base;
int call_host_check_is_async;
} grpc_fake_channel_security_connector;
-static void fake_channel_destroy(grpc_security_connector *sc) {
- grpc_channel_security_connector *c = (grpc_channel_security_connector *)sc;
- grpc_credentials_unref(c->request_metadata_creds);
- GRPC_AUTH_CONTEXT_UNREF(sc->auth_context, "connector");
- gpr_free(sc);
+static void
+fake_channel_destroy (grpc_security_connector * sc)
+{
+ grpc_channel_security_connector *c = (grpc_channel_security_connector *) sc;
+ grpc_credentials_unref (c->request_metadata_creds);
+ GRPC_AUTH_CONTEXT_UNREF (sc->auth_context, "connector");
+ gpr_free (sc);
}
-static void fake_server_destroy(grpc_security_connector *sc) {
- GRPC_AUTH_CONTEXT_UNREF(sc->auth_context, "connector");
- gpr_free(sc);
+static void
+fake_server_destroy (grpc_security_connector * sc)
+{
+ GRPC_AUTH_CONTEXT_UNREF (sc->auth_context, "connector");
+ gpr_free (sc);
}
-static grpc_security_status fake_check_peer(grpc_security_connector *sc,
- tsi_peer peer,
- grpc_security_check_cb cb,
- void *user_data) {
+static grpc_security_status
+fake_check_peer (grpc_security_connector * sc, tsi_peer peer, grpc_security_check_cb cb, void *user_data)
+{
const char *prop_name;
grpc_security_status status = GRPC_SECURITY_OK;
- if (peer.property_count != 1) {
- gpr_log(GPR_ERROR, "Fake peers should only have 1 property.");
- status = GRPC_SECURITY_ERROR;
- goto end;
- }
+ if (peer.property_count != 1)
+ {
+ gpr_log (GPR_ERROR, "Fake peers should only have 1 property.");
+ status = GRPC_SECURITY_ERROR;
+ goto end;
+ }
prop_name = peer.properties[0].name;
- if (prop_name == NULL ||
- strcmp(prop_name, TSI_CERTIFICATE_TYPE_PEER_PROPERTY)) {
- gpr_log(GPR_ERROR, "Unexpected property in fake peer: %s.",
- prop_name == NULL ? "<EMPTY>" : prop_name);
- status = GRPC_SECURITY_ERROR;
- goto end;
- }
- if (strncmp(peer.properties[0].value.data, TSI_FAKE_CERTIFICATE_TYPE,
- peer.properties[0].value.length)) {
- gpr_log(GPR_ERROR, "Invalid value for cert type property.");
- status = GRPC_SECURITY_ERROR;
- goto end;
- }
- GRPC_AUTH_CONTEXT_UNREF(sc->auth_context, "connector");
- sc->auth_context = grpc_auth_context_create(NULL);
- grpc_auth_context_add_cstring_property(
- sc->auth_context, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
- GRPC_FAKE_TRANSPORT_SECURITY_TYPE);
+ if (prop_name == NULL || strcmp (prop_name, TSI_CERTIFICATE_TYPE_PEER_PROPERTY))
+ {
+ gpr_log (GPR_ERROR, "Unexpected property in fake peer: %s.", prop_name == NULL ? "<EMPTY>" : prop_name);
+ status = GRPC_SECURITY_ERROR;
+ goto end;
+ }
+ if (strncmp (peer.properties[0].value.data, TSI_FAKE_CERTIFICATE_TYPE, peer.properties[0].value.length))
+ {
+ gpr_log (GPR_ERROR, "Invalid value for cert type property.");
+ status = GRPC_SECURITY_ERROR;
+ goto end;
+ }
+ GRPC_AUTH_CONTEXT_UNREF (sc->auth_context, "connector");
+ sc->auth_context = grpc_auth_context_create (NULL);
+ grpc_auth_context_add_cstring_property (sc->auth_context, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME, GRPC_FAKE_TRANSPORT_SECURITY_TYPE);
end:
- tsi_peer_destruct(&peer);
+ tsi_peer_destruct (&peer);
return status;
}
-static grpc_security_status fake_channel_check_call_host(
- grpc_channel_security_connector *sc, const char *host,
- grpc_security_check_cb cb, void *user_data,
- grpc_closure_list *closure_list) {
- grpc_fake_channel_security_connector *c =
- (grpc_fake_channel_security_connector *)sc;
- if (c->call_host_check_is_async) {
- cb(user_data, GRPC_SECURITY_OK, closure_list);
- return GRPC_SECURITY_PENDING;
- } else {
- return GRPC_SECURITY_OK;
- }
+static grpc_security_status
+fake_channel_check_call_host (grpc_channel_security_connector * sc, const char *host, grpc_security_check_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ grpc_fake_channel_security_connector *c = (grpc_fake_channel_security_connector *) sc;
+ if (c->call_host_check_is_async)
+ {
+ cb (user_data, GRPC_SECURITY_OK, closure_list);
+ return GRPC_SECURITY_PENDING;
+ }
+ else
+ {
+ return GRPC_SECURITY_OK;
+ }
}
-static void fake_channel_do_handshake(grpc_security_connector *sc,
- grpc_endpoint *nonsecure_endpoint,
- grpc_security_handshake_done_cb cb,
- void *user_data,
- grpc_closure_list *closure_list) {
- grpc_do_security_handshake(tsi_create_fake_handshaker(1), sc,
- nonsecure_endpoint, cb, user_data, closure_list);
+static void
+fake_channel_do_handshake (grpc_security_connector * sc, grpc_endpoint * nonsecure_endpoint, grpc_security_handshake_done_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ grpc_do_security_handshake (tsi_create_fake_handshaker (1), sc, nonsecure_endpoint, cb, user_data, closure_list);
}
-static void fake_server_do_handshake(grpc_security_connector *sc,
- grpc_endpoint *nonsecure_endpoint,
- grpc_security_handshake_done_cb cb,
- void *user_data,
- grpc_closure_list *closure_list) {
- grpc_do_security_handshake(tsi_create_fake_handshaker(0), sc,
- nonsecure_endpoint, cb, user_data, closure_list);
+static void
+fake_server_do_handshake (grpc_security_connector * sc, grpc_endpoint * nonsecure_endpoint, grpc_security_handshake_done_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ grpc_do_security_handshake (tsi_create_fake_handshaker (0), sc, nonsecure_endpoint, cb, user_data, closure_list);
}
static grpc_security_connector_vtable fake_channel_vtable = {
- fake_channel_destroy, fake_channel_do_handshake, fake_check_peer};
+ fake_channel_destroy, fake_channel_do_handshake, fake_check_peer
+};
static grpc_security_connector_vtable fake_server_vtable = {
- fake_server_destroy, fake_server_do_handshake, fake_check_peer};
-
-grpc_channel_security_connector *grpc_fake_channel_security_connector_create(
- grpc_credentials *request_metadata_creds, int call_host_check_is_async) {
- grpc_fake_channel_security_connector *c =
- gpr_malloc(sizeof(grpc_fake_channel_security_connector));
- memset(c, 0, sizeof(grpc_fake_channel_security_connector));
- gpr_ref_init(&c->base.base.refcount, 1);
+ fake_server_destroy, fake_server_do_handshake, fake_check_peer
+};
+
+grpc_channel_security_connector *
+grpc_fake_channel_security_connector_create (grpc_credentials * request_metadata_creds, int call_host_check_is_async)
+{
+ grpc_fake_channel_security_connector *c = gpr_malloc (sizeof (grpc_fake_channel_security_connector));
+ memset (c, 0, sizeof (grpc_fake_channel_security_connector));
+ gpr_ref_init (&c->base.base.refcount, 1);
c->base.base.is_client_side = 1;
c->base.base.url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME;
c->base.base.vtable = &fake_channel_vtable;
- GPR_ASSERT(check_request_metadata_creds(request_metadata_creds));
- c->base.request_metadata_creds = grpc_credentials_ref(request_metadata_creds);
+ GPR_ASSERT (check_request_metadata_creds (request_metadata_creds));
+ c->base.request_metadata_creds = grpc_credentials_ref (request_metadata_creds);
c->base.check_call_host = fake_channel_check_call_host;
c->call_host_check_is_async = call_host_check_is_async;
return &c->base;
}
-grpc_security_connector *grpc_fake_server_security_connector_create(void) {
- grpc_security_connector *c = gpr_malloc(sizeof(grpc_security_connector));
- memset(c, 0, sizeof(grpc_security_connector));
- gpr_ref_init(&c->refcount, 1);
+grpc_security_connector *
+grpc_fake_server_security_connector_create (void)
+{
+ grpc_security_connector *c = gpr_malloc (sizeof (grpc_security_connector));
+ memset (c, 0, sizeof (grpc_security_connector));
+ gpr_ref_init (&c->refcount, 1);
c->is_client_side = 0;
c->vtable = &fake_server_vtable;
c->url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME;
@@ -336,7 +362,8 @@ grpc_security_connector *grpc_fake_server_security_connector_create(void) {
/* --- Ssl implementation. --- */
-typedef struct {
+typedef struct
+{
grpc_channel_security_connector base;
tsi_ssl_handshaker_factory *handshaker_factory;
char *target_name;
@@ -344,254 +371,268 @@ typedef struct {
tsi_peer peer;
} grpc_ssl_channel_security_connector;
-typedef struct {
+typedef struct
+{
grpc_security_connector base;
tsi_ssl_handshaker_factory *handshaker_factory;
} grpc_ssl_server_security_connector;
-static void ssl_channel_destroy(grpc_security_connector *sc) {
- grpc_ssl_channel_security_connector *c =
- (grpc_ssl_channel_security_connector *)sc;
- grpc_credentials_unref(c->base.request_metadata_creds);
- if (c->handshaker_factory != NULL) {
- tsi_ssl_handshaker_factory_destroy(c->handshaker_factory);
- }
- if (c->target_name != NULL) gpr_free(c->target_name);
- if (c->overridden_target_name != NULL) gpr_free(c->overridden_target_name);
- tsi_peer_destruct(&c->peer);
- GRPC_AUTH_CONTEXT_UNREF(sc->auth_context, "connector");
- gpr_free(sc);
-}
-
-static void ssl_server_destroy(grpc_security_connector *sc) {
- grpc_ssl_server_security_connector *c =
- (grpc_ssl_server_security_connector *)sc;
- if (c->handshaker_factory != NULL) {
- tsi_ssl_handshaker_factory_destroy(c->handshaker_factory);
- }
- GRPC_AUTH_CONTEXT_UNREF(sc->auth_context, "connector");
- gpr_free(sc);
-}
-
-static grpc_security_status ssl_create_handshaker(
- tsi_ssl_handshaker_factory *handshaker_factory, int is_client,
- const char *peer_name, tsi_handshaker **handshaker) {
+static void
+ssl_channel_destroy (grpc_security_connector * sc)
+{
+ grpc_ssl_channel_security_connector *c = (grpc_ssl_channel_security_connector *) sc;
+ grpc_credentials_unref (c->base.request_metadata_creds);
+ if (c->handshaker_factory != NULL)
+ {
+ tsi_ssl_handshaker_factory_destroy (c->handshaker_factory);
+ }
+ if (c->target_name != NULL)
+ gpr_free (c->target_name);
+ if (c->overridden_target_name != NULL)
+ gpr_free (c->overridden_target_name);
+ tsi_peer_destruct (&c->peer);
+ GRPC_AUTH_CONTEXT_UNREF (sc->auth_context, "connector");
+ gpr_free (sc);
+}
+
+static void
+ssl_server_destroy (grpc_security_connector * sc)
+{
+ grpc_ssl_server_security_connector *c = (grpc_ssl_server_security_connector *) sc;
+ if (c->handshaker_factory != NULL)
+ {
+ tsi_ssl_handshaker_factory_destroy (c->handshaker_factory);
+ }
+ GRPC_AUTH_CONTEXT_UNREF (sc->auth_context, "connector");
+ gpr_free (sc);
+}
+
+static grpc_security_status
+ssl_create_handshaker (tsi_ssl_handshaker_factory * handshaker_factory, int is_client, const char *peer_name, tsi_handshaker ** handshaker)
+{
tsi_result result = TSI_OK;
- if (handshaker_factory == NULL) return GRPC_SECURITY_ERROR;
- result = tsi_ssl_handshaker_factory_create_handshaker(
- handshaker_factory, is_client ? peer_name : NULL, handshaker);
- if (result != TSI_OK) {
- gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
- tsi_result_to_string(result));
+ if (handshaker_factory == NULL)
return GRPC_SECURITY_ERROR;
- }
+ result = tsi_ssl_handshaker_factory_create_handshaker (handshaker_factory, is_client ? peer_name : NULL, handshaker);
+ if (result != TSI_OK)
+ {
+ gpr_log (GPR_ERROR, "Handshaker creation failed with error %s.", tsi_result_to_string (result));
+ return GRPC_SECURITY_ERROR;
+ }
return GRPC_SECURITY_OK;
}
-static void ssl_channel_do_handshake(grpc_security_connector *sc,
- grpc_endpoint *nonsecure_endpoint,
- grpc_security_handshake_done_cb cb,
- void *user_data,
- grpc_closure_list *closure_list) {
- grpc_ssl_channel_security_connector *c =
- (grpc_ssl_channel_security_connector *)sc;
+static void
+ssl_channel_do_handshake (grpc_security_connector * sc, grpc_endpoint * nonsecure_endpoint, grpc_security_handshake_done_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ grpc_ssl_channel_security_connector *c = (grpc_ssl_channel_security_connector *) sc;
tsi_handshaker *handshaker;
- grpc_security_status status = ssl_create_handshaker(
- c->handshaker_factory, 1,
- c->overridden_target_name != NULL ? c->overridden_target_name
- : c->target_name,
- &handshaker);
- if (status != GRPC_SECURITY_OK) {
- cb(user_data, status, nonsecure_endpoint, NULL, closure_list);
- } else {
- grpc_do_security_handshake(handshaker, sc, nonsecure_endpoint, cb,
- user_data, closure_list);
- }
-}
-
-static void ssl_server_do_handshake(grpc_security_connector *sc,
- grpc_endpoint *nonsecure_endpoint,
- grpc_security_handshake_done_cb cb,
- void *user_data,
- grpc_closure_list *closure_list) {
- grpc_ssl_server_security_connector *c =
- (grpc_ssl_server_security_connector *)sc;
+ grpc_security_status status = ssl_create_handshaker (c->handshaker_factory, 1,
+ c->overridden_target_name != NULL ? c->overridden_target_name : c->target_name,
+ &handshaker);
+ if (status != GRPC_SECURITY_OK)
+ {
+ cb (user_data, status, nonsecure_endpoint, NULL, closure_list);
+ }
+ else
+ {
+ grpc_do_security_handshake (handshaker, sc, nonsecure_endpoint, cb, user_data, closure_list);
+ }
+}
+
+static void
+ssl_server_do_handshake (grpc_security_connector * sc, grpc_endpoint * nonsecure_endpoint, grpc_security_handshake_done_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ grpc_ssl_server_security_connector *c = (grpc_ssl_server_security_connector *) sc;
tsi_handshaker *handshaker;
- grpc_security_status status =
- ssl_create_handshaker(c->handshaker_factory, 0, NULL, &handshaker);
- if (status != GRPC_SECURITY_OK) {
- cb(user_data, status, nonsecure_endpoint, NULL, closure_list);
- } else {
- grpc_do_security_handshake(handshaker, sc, nonsecure_endpoint, cb,
- user_data, closure_list);
- }
+ grpc_security_status status = ssl_create_handshaker (c->handshaker_factory, 0, NULL, &handshaker);
+ if (status != GRPC_SECURITY_OK)
+ {
+ cb (user_data, status, nonsecure_endpoint, NULL, closure_list);
+ }
+ else
+ {
+ grpc_do_security_handshake (handshaker, sc, nonsecure_endpoint, cb, user_data, closure_list);
+ }
}
-static int ssl_host_matches_name(const tsi_peer *peer, const char *peer_name) {
+static int
+ssl_host_matches_name (const tsi_peer * peer, const char *peer_name)
+{
char *allocated_name = NULL;
int r;
- if (strchr(peer_name, ':') != NULL) {
- char *ignored_port;
- gpr_split_host_port(peer_name, &allocated_name, &ignored_port);
- gpr_free(ignored_port);
- peer_name = allocated_name;
- if (!peer_name) return 0;
- }
- r = tsi_ssl_peer_matches_name(peer, peer_name);
- gpr_free(allocated_name);
+ if (strchr (peer_name, ':') != NULL)
+ {
+ char *ignored_port;
+ gpr_split_host_port (peer_name, &allocated_name, &ignored_port);
+ gpr_free (ignored_port);
+ peer_name = allocated_name;
+ if (!peer_name)
+ return 0;
+ }
+ r = tsi_ssl_peer_matches_name (peer, peer_name);
+ gpr_free (allocated_name);
return r;
}
-grpc_auth_context *tsi_ssl_peer_to_auth_context(const tsi_peer *peer) {
+grpc_auth_context *
+tsi_ssl_peer_to_auth_context (const tsi_peer * peer)
+{
size_t i;
grpc_auth_context *ctx = NULL;
const char *peer_identity_property_name = NULL;
/* The caller has checked the certificate type property. */
- GPR_ASSERT(peer->property_count >= 1);
- ctx = grpc_auth_context_create(NULL);
- grpc_auth_context_add_cstring_property(
- ctx, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
- GRPC_SSL_TRANSPORT_SECURITY_TYPE);
- for (i = 0; i < peer->property_count; i++) {
- const tsi_peer_property *prop = &peer->properties[i];
- if (prop->name == NULL) continue;
- if (strcmp(prop->name, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) == 0) {
- /* If there is no subject alt name, have the CN as the identity. */
- if (peer_identity_property_name == NULL) {
- peer_identity_property_name = GRPC_X509_CN_PROPERTY_NAME;
- }
- grpc_auth_context_add_property(ctx, GRPC_X509_CN_PROPERTY_NAME,
- prop->value.data, prop->value.length);
- } else if (strcmp(prop->name,
- TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) == 0) {
- peer_identity_property_name = GRPC_X509_SAN_PROPERTY_NAME;
- grpc_auth_context_add_property(ctx, GRPC_X509_SAN_PROPERTY_NAME,
- prop->value.data, prop->value.length);
- }
- }
- if (peer_identity_property_name != NULL) {
- GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
- ctx, peer_identity_property_name) == 1);
- }
+ GPR_ASSERT (peer->property_count >= 1);
+ ctx = grpc_auth_context_create (NULL);
+ grpc_auth_context_add_cstring_property (ctx, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME, GRPC_SSL_TRANSPORT_SECURITY_TYPE);
+ for (i = 0; i < peer->property_count; i++)
+ {
+ const tsi_peer_property *prop = &peer->properties[i];
+ if (prop->name == NULL)
+ continue;
+ if (strcmp (prop->name, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) == 0)
+ {
+ /* If there is no subject alt name, have the CN as the identity. */
+ if (peer_identity_property_name == NULL)
+ {
+ peer_identity_property_name = GRPC_X509_CN_PROPERTY_NAME;
+ }
+ grpc_auth_context_add_property (ctx, GRPC_X509_CN_PROPERTY_NAME, prop->value.data, prop->value.length);
+ }
+ else if (strcmp (prop->name, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) == 0)
+ {
+ peer_identity_property_name = GRPC_X509_SAN_PROPERTY_NAME;
+ grpc_auth_context_add_property (ctx, GRPC_X509_SAN_PROPERTY_NAME, prop->value.data, prop->value.length);
+ }
+ }
+ if (peer_identity_property_name != NULL)
+ {
+ GPR_ASSERT (grpc_auth_context_set_peer_identity_property_name (ctx, peer_identity_property_name) == 1);
+ }
return ctx;
}
-static grpc_security_status ssl_check_peer(grpc_security_connector *sc,
- const char *peer_name,
- const tsi_peer *peer) {
+static grpc_security_status
+ssl_check_peer (grpc_security_connector * sc, const char *peer_name, const tsi_peer * peer)
+{
/* Check the ALPN. */
- const tsi_peer_property *p =
- tsi_peer_get_property_by_name(peer, TSI_SSL_ALPN_SELECTED_PROTOCOL);
- if (p == NULL) {
- gpr_log(GPR_ERROR, "Missing selected ALPN property.");
- return GRPC_SECURITY_ERROR;
- }
- if (!grpc_chttp2_is_alpn_version_supported(p->value.data, p->value.length)) {
- gpr_log(GPR_ERROR, "Invalid ALPN value.");
- return GRPC_SECURITY_ERROR;
- }
+ const tsi_peer_property *p = tsi_peer_get_property_by_name (peer, TSI_SSL_ALPN_SELECTED_PROTOCOL);
+ if (p == NULL)
+ {
+ gpr_log (GPR_ERROR, "Missing selected ALPN property.");
+ return GRPC_SECURITY_ERROR;
+ }
+ if (!grpc_chttp2_is_alpn_version_supported (p->value.data, p->value.length))
+ {
+ gpr_log (GPR_ERROR, "Invalid ALPN value.");
+ return GRPC_SECURITY_ERROR;
+ }
/* Check the peer name if specified. */
- if (peer_name != NULL && !ssl_host_matches_name(peer, peer_name)) {
- gpr_log(GPR_ERROR, "Peer name %s is not in peer certificate", peer_name);
- return GRPC_SECURITY_ERROR;
- }
- if (sc->auth_context != NULL) {
- GRPC_AUTH_CONTEXT_UNREF(sc->auth_context, "connector");
- }
- sc->auth_context = tsi_ssl_peer_to_auth_context(peer);
+ if (peer_name != NULL && !ssl_host_matches_name (peer, peer_name))
+ {
+ gpr_log (GPR_ERROR, "Peer name %s is not in peer certificate", peer_name);
+ return GRPC_SECURITY_ERROR;
+ }
+ if (sc->auth_context != NULL)
+ {
+ GRPC_AUTH_CONTEXT_UNREF (sc->auth_context, "connector");
+ }
+ sc->auth_context = tsi_ssl_peer_to_auth_context (peer);
return GRPC_SECURITY_OK;
}
-static grpc_security_status ssl_channel_check_peer(grpc_security_connector *sc,
- tsi_peer peer,
- grpc_security_check_cb cb,
- void *user_data) {
- grpc_ssl_channel_security_connector *c =
- (grpc_ssl_channel_security_connector *)sc;
+static grpc_security_status
+ssl_channel_check_peer (grpc_security_connector * sc, tsi_peer peer, grpc_security_check_cb cb, void *user_data)
+{
+ grpc_ssl_channel_security_connector *c = (grpc_ssl_channel_security_connector *) sc;
grpc_security_status status;
- tsi_peer_destruct(&c->peer);
+ tsi_peer_destruct (&c->peer);
c->peer = peer;
- status = ssl_check_peer(sc, c->overridden_target_name != NULL
- ? c->overridden_target_name
- : c->target_name,
- &peer);
+ status = ssl_check_peer (sc, c->overridden_target_name != NULL ? c->overridden_target_name : c->target_name, &peer);
return status;
}
-static grpc_security_status ssl_server_check_peer(grpc_security_connector *sc,
- tsi_peer peer,
- grpc_security_check_cb cb,
- void *user_data) {
- grpc_security_status status = ssl_check_peer(sc, NULL, &peer);
- tsi_peer_destruct(&peer);
+static grpc_security_status
+ssl_server_check_peer (grpc_security_connector * sc, tsi_peer peer, grpc_security_check_cb cb, void *user_data)
+{
+ grpc_security_status status = ssl_check_peer (sc, NULL, &peer);
+ tsi_peer_destruct (&peer);
return status;
}
-static grpc_security_status ssl_channel_check_call_host(
- grpc_channel_security_connector *sc, const char *host,
- grpc_security_check_cb cb, void *user_data,
- grpc_closure_list *closure_list) {
- grpc_ssl_channel_security_connector *c =
- (grpc_ssl_channel_security_connector *)sc;
+static grpc_security_status
+ssl_channel_check_call_host (grpc_channel_security_connector * sc, const char *host, grpc_security_check_cb cb, void *user_data, grpc_closure_list * closure_list)
+{
+ grpc_ssl_channel_security_connector *c = (grpc_ssl_channel_security_connector *) sc;
- if (ssl_host_matches_name(&c->peer, host)) return GRPC_SECURITY_OK;
+ if (ssl_host_matches_name (&c->peer, host))
+ return GRPC_SECURITY_OK;
/* If the target name was overridden, then the original target_name was
'checked' transitively during the previous peer check at the end of the
handshake. */
- if (c->overridden_target_name != NULL && strcmp(host, c->target_name) == 0) {
- return GRPC_SECURITY_OK;
- } else {
- return GRPC_SECURITY_ERROR;
- }
+ if (c->overridden_target_name != NULL && strcmp (host, c->target_name) == 0)
+ {
+ return GRPC_SECURITY_OK;
+ }
+ else
+ {
+ return GRPC_SECURITY_ERROR;
+ }
}
static grpc_security_connector_vtable ssl_channel_vtable = {
- ssl_channel_destroy, ssl_channel_do_handshake, ssl_channel_check_peer};
+ ssl_channel_destroy, ssl_channel_do_handshake, ssl_channel_check_peer
+};
static grpc_security_connector_vtable ssl_server_vtable = {
- ssl_server_destroy, ssl_server_do_handshake, ssl_server_check_peer};
+ ssl_server_destroy, ssl_server_do_handshake, ssl_server_check_peer
+};
static gpr_slice default_pem_root_certs;
-static void init_default_pem_root_certs(void) {
+static void
+init_default_pem_root_certs (void)
+{
/* First try to load the roots from the environment. */
- char *default_root_certs_path =
- gpr_getenv(GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR);
- if (default_root_certs_path == NULL) {
- default_pem_root_certs = gpr_empty_slice();
- } else {
- default_pem_root_certs = gpr_load_file(default_root_certs_path, 0, NULL);
- gpr_free(default_root_certs_path);
- }
+ char *default_root_certs_path = gpr_getenv (GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR);
+ if (default_root_certs_path == NULL)
+ {
+ default_pem_root_certs = gpr_empty_slice ();
+ }
+ else
+ {
+ default_pem_root_certs = gpr_load_file (default_root_certs_path, 0, NULL);
+ gpr_free (default_root_certs_path);
+ }
/* Fall back to installed certs if needed. */
- if (GPR_SLICE_IS_EMPTY(default_pem_root_certs)) {
- default_pem_root_certs = gpr_load_file(installed_roots_path, 0, NULL);
- }
+ if (GPR_SLICE_IS_EMPTY (default_pem_root_certs))
+ {
+ default_pem_root_certs = gpr_load_file (installed_roots_path, 0, NULL);
+ }
}
-size_t grpc_get_default_ssl_roots(const unsigned char **pem_root_certs) {
+size_t
+grpc_get_default_ssl_roots (const unsigned char **pem_root_certs)
+{
/* TODO(jboeuf@google.com): Maybe revisit the approach which consists in
loading all the roots once for the lifetime of the process. */
static gpr_once once = GPR_ONCE_INIT;
- gpr_once_init(&once, init_default_pem_root_certs);
- *pem_root_certs = GPR_SLICE_START_PTR(default_pem_root_certs);
- return GPR_SLICE_LENGTH(default_pem_root_certs);
-}
-
-grpc_security_status grpc_ssl_channel_security_connector_create(
- grpc_credentials *request_metadata_creds, const grpc_ssl_config *config,
- const char *target_name, const char *overridden_target_name,
- grpc_channel_security_connector **sc) {
- size_t num_alpn_protocols = grpc_chttp2_num_alpn_versions();
- const unsigned char **alpn_protocol_strings =
- gpr_malloc(sizeof(const char *) * num_alpn_protocols);
- unsigned char *alpn_protocol_string_lengths =
- gpr_malloc(sizeof(unsigned char) * num_alpn_protocols);
+ gpr_once_init (&once, init_default_pem_root_certs);
+ *pem_root_certs = GPR_SLICE_START_PTR (default_pem_root_certs);
+ return GPR_SLICE_LENGTH (default_pem_root_certs);
+}
+
+grpc_security_status
+grpc_ssl_channel_security_connector_create (grpc_credentials * request_metadata_creds, const grpc_ssl_config * config, const char *target_name, const char *overridden_target_name, grpc_channel_security_connector ** sc)
+{
+ size_t num_alpn_protocols = grpc_chttp2_num_alpn_versions ();
+ const unsigned char **alpn_protocol_strings = gpr_malloc (sizeof (const char *) * num_alpn_protocols);
+ unsigned char *alpn_protocol_string_lengths = gpr_malloc (sizeof (unsigned char) * num_alpn_protocols);
tsi_result result = TSI_OK;
grpc_ssl_channel_security_connector *c;
size_t i;
@@ -599,120 +640,112 @@ grpc_security_status grpc_ssl_channel_security_connector_create(
size_t pem_root_certs_size;
char *port;
- for (i = 0; i < num_alpn_protocols; i++) {
- alpn_protocol_strings[i] =
- (const unsigned char *)grpc_chttp2_get_alpn_version_index(i);
- alpn_protocol_string_lengths[i] =
- (unsigned char)strlen(grpc_chttp2_get_alpn_version_index(i));
- }
-
- if (config == NULL || target_name == NULL) {
- gpr_log(GPR_ERROR, "An ssl channel needs a config and a target name.");
- goto error;
- }
- if (!check_request_metadata_creds(request_metadata_creds)) {
- goto error;
- }
- if (config->pem_root_certs == NULL) {
- pem_root_certs_size = grpc_get_default_ssl_roots(&pem_root_certs);
- if (pem_root_certs == NULL || pem_root_certs_size == 0) {
- gpr_log(GPR_ERROR, "Could not get default pem root certs.");
+ for (i = 0; i < num_alpn_protocols; i++)
+ {
+ alpn_protocol_strings[i] = (const unsigned char *) grpc_chttp2_get_alpn_version_index (i);
+ alpn_protocol_string_lengths[i] = (unsigned char) strlen (grpc_chttp2_get_alpn_version_index (i));
+ }
+
+ if (config == NULL || target_name == NULL)
+ {
+ gpr_log (GPR_ERROR, "An ssl channel needs a config and a target name.");
+ goto error;
+ }
+ if (!check_request_metadata_creds (request_metadata_creds))
+ {
goto error;
}
- } else {
- pem_root_certs = config->pem_root_certs;
- pem_root_certs_size = config->pem_root_certs_size;
- }
+ if (config->pem_root_certs == NULL)
+ {
+ pem_root_certs_size = grpc_get_default_ssl_roots (&pem_root_certs);
+ if (pem_root_certs == NULL || pem_root_certs_size == 0)
+ {
+ gpr_log (GPR_ERROR, "Could not get default pem root certs.");
+ goto error;
+ }
+ }
+ else
+ {
+ pem_root_certs = config->pem_root_certs;
+ pem_root_certs_size = config->pem_root_certs_size;
+ }
- c = gpr_malloc(sizeof(grpc_ssl_channel_security_connector));
- memset(c, 0, sizeof(grpc_ssl_channel_security_connector));
+ c = gpr_malloc (sizeof (grpc_ssl_channel_security_connector));
+ memset (c, 0, sizeof (grpc_ssl_channel_security_connector));
- gpr_ref_init(&c->base.base.refcount, 1);
+ gpr_ref_init (&c->base.base.refcount, 1);
c->base.base.vtable = &ssl_channel_vtable;
c->base.base.is_client_side = 1;
c->base.base.url_scheme = GRPC_SSL_URL_SCHEME;
- c->base.request_metadata_creds = grpc_credentials_ref(request_metadata_creds);
+ c->base.request_metadata_creds = grpc_credentials_ref (request_metadata_creds);
c->base.check_call_host = ssl_channel_check_call_host;
- gpr_split_host_port(target_name, &c->target_name, &port);
- gpr_free(port);
- if (overridden_target_name != NULL) {
- c->overridden_target_name = gpr_strdup(overridden_target_name);
- }
- result = tsi_create_ssl_client_handshaker_factory(
- config->pem_private_key, config->pem_private_key_size,
- config->pem_cert_chain, config->pem_cert_chain_size, pem_root_certs,
- pem_root_certs_size, ssl_cipher_suites(), alpn_protocol_strings,
- alpn_protocol_string_lengths, (uint16_t)num_alpn_protocols,
- &c->handshaker_factory);
- if (result != TSI_OK) {
- gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
- tsi_result_to_string(result));
- ssl_channel_destroy(&c->base.base);
- *sc = NULL;
- goto error;
- }
+ gpr_split_host_port (target_name, &c->target_name, &port);
+ gpr_free (port);
+ if (overridden_target_name != NULL)
+ {
+ c->overridden_target_name = gpr_strdup (overridden_target_name);
+ }
+ result = tsi_create_ssl_client_handshaker_factory (config->pem_private_key, config->pem_private_key_size, config->pem_cert_chain, config->pem_cert_chain_size, pem_root_certs, pem_root_certs_size, ssl_cipher_suites (), alpn_protocol_strings, alpn_protocol_string_lengths, (uint16_t) num_alpn_protocols, &c->handshaker_factory);
+ if (result != TSI_OK)
+ {
+ gpr_log (GPR_ERROR, "Handshaker factory creation failed with %s.", tsi_result_to_string (result));
+ ssl_channel_destroy (&c->base.base);
+ *sc = NULL;
+ goto error;
+ }
*sc = &c->base;
- gpr_free(alpn_protocol_strings);
- gpr_free(alpn_protocol_string_lengths);
+ gpr_free (alpn_protocol_strings);
+ gpr_free (alpn_protocol_string_lengths);
return GRPC_SECURITY_OK;
error:
- gpr_free(alpn_protocol_strings);
- gpr_free(alpn_protocol_string_lengths);
+ gpr_free (alpn_protocol_strings);
+ gpr_free (alpn_protocol_string_lengths);
return GRPC_SECURITY_ERROR;
}
-grpc_security_status grpc_ssl_server_security_connector_create(
- const grpc_ssl_server_config *config, grpc_security_connector **sc) {
- size_t num_alpn_protocols = grpc_chttp2_num_alpn_versions();
- const unsigned char **alpn_protocol_strings =
- gpr_malloc(sizeof(const char *) * num_alpn_protocols);
- unsigned char *alpn_protocol_string_lengths =
- gpr_malloc(sizeof(unsigned char) * num_alpn_protocols);
+grpc_security_status
+grpc_ssl_server_security_connector_create (const grpc_ssl_server_config * config, grpc_security_connector ** sc)
+{
+ size_t num_alpn_protocols = grpc_chttp2_num_alpn_versions ();
+ const unsigned char **alpn_protocol_strings = gpr_malloc (sizeof (const char *) * num_alpn_protocols);
+ unsigned char *alpn_protocol_string_lengths = gpr_malloc (sizeof (unsigned char) * num_alpn_protocols);
tsi_result result = TSI_OK;
grpc_ssl_server_security_connector *c;
size_t i;
- for (i = 0; i < num_alpn_protocols; i++) {
- alpn_protocol_strings[i] =
- (const unsigned char *)grpc_chttp2_get_alpn_version_index(i);
- alpn_protocol_string_lengths[i] =
- (unsigned char)strlen(grpc_chttp2_get_alpn_version_index(i));
- }
-
- if (config == NULL || config->num_key_cert_pairs == 0) {
- gpr_log(GPR_ERROR, "An SSL server needs a key and a cert.");
- goto error;
- }
- c = gpr_malloc(sizeof(grpc_ssl_server_security_connector));
- memset(c, 0, sizeof(grpc_ssl_server_security_connector));
-
- gpr_ref_init(&c->base.refcount, 1);
+ for (i = 0; i < num_alpn_protocols; i++)
+ {
+ alpn_protocol_strings[i] = (const unsigned char *) grpc_chttp2_get_alpn_version_index (i);
+ alpn_protocol_string_lengths[i] = (unsigned char) strlen (grpc_chttp2_get_alpn_version_index (i));
+ }
+
+ if (config == NULL || config->num_key_cert_pairs == 0)
+ {
+ gpr_log (GPR_ERROR, "An SSL server needs a key and a cert.");
+ goto error;
+ }
+ c = gpr_malloc (sizeof (grpc_ssl_server_security_connector));
+ memset (c, 0, sizeof (grpc_ssl_server_security_connector));
+
+ gpr_ref_init (&c->base.refcount, 1);
c->base.url_scheme = GRPC_SSL_URL_SCHEME;
c->base.vtable = &ssl_server_vtable;
- result = tsi_create_ssl_server_handshaker_factory(
- (const unsigned char **)config->pem_private_keys,
- config->pem_private_keys_sizes,
- (const unsigned char **)config->pem_cert_chains,
- config->pem_cert_chains_sizes, config->num_key_cert_pairs,
- config->pem_root_certs, config->pem_root_certs_size,
- config->force_client_auth, ssl_cipher_suites(), alpn_protocol_strings,
- alpn_protocol_string_lengths, (uint16_t)num_alpn_protocols,
- &c->handshaker_factory);
- if (result != TSI_OK) {
- gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
- tsi_result_to_string(result));
- ssl_server_destroy(&c->base);
- *sc = NULL;
- goto error;
- }
+ result = tsi_create_ssl_server_handshaker_factory ((const unsigned char **) config->pem_private_keys, config->pem_private_keys_sizes, (const unsigned char **) config->pem_cert_chains, config->pem_cert_chains_sizes, config->num_key_cert_pairs, config->pem_root_certs, config->pem_root_certs_size, config->force_client_auth, ssl_cipher_suites (), alpn_protocol_strings, alpn_protocol_string_lengths, (uint16_t) num_alpn_protocols, &c->handshaker_factory);
+ if (result != TSI_OK)
+ {
+ gpr_log (GPR_ERROR, "Handshaker factory creation failed with %s.", tsi_result_to_string (result));
+ ssl_server_destroy (&c->base);
+ *sc = NULL;
+ goto error;
+ }
*sc = &c->base;
- gpr_free(alpn_protocol_strings);
- gpr_free(alpn_protocol_string_lengths);
+ gpr_free (alpn_protocol_strings);
+ gpr_free (alpn_protocol_string_lengths);
return GRPC_SECURITY_OK;
error:
- gpr_free(alpn_protocol_strings);
- gpr_free(alpn_protocol_string_lengths);
+ gpr_free (alpn_protocol_strings);
+ gpr_free (alpn_protocol_string_lengths);
return GRPC_SECURITY_ERROR;
}
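Review bot: The result of `gpr_split_host_port (target_name, &c->target_name, &port)` is never checked, so a target name that does not split presumably leaves `c->target_name` NULL, and `ssl_channel_check_call_host` later hands it straight to `strcmp`. Since the connector is already rejected when `target_name` is NULL, a failed split should take the same error path before the handshaker factory is built. The enclosing function `grpc_ssl_channel_security_connector_create` starts in the previous hunk; the same unchecked call is not present in `grpc_ssl_server_security_connector_create` below, which is fine.
```c
  gpr_split_host_port (target_name, &c->target_name, &port);
  gpr_free (port);
  if (c->target_name == NULL)
    {
      gpr_log (GPR_ERROR, "Could not extract a host from the target name.");
      ssl_channel_destroy (&c->base.base);
      *sc = NULL;
      goto error;
    }
  /* … unchanged: overridden_target_name copy, handshaker factory creation … */
```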
diff --git a/src/core/security/security_connector.h b/src/core/security/security_connector.h
index 0f161d0e37..913e01978d 100644
--- a/src/core/security/security_connector.h
+++ b/src/core/security/security_connector.h
@@ -40,7 +40,8 @@
/* --- status enum. --- */
-typedef enum {
+typedef enum
+{
GRPC_SECURITY_OK = 0,
GRPC_SECURITY_PENDING,
GRPC_SECURITY_ERROR
@@ -60,33 +61,25 @@ typedef struct grpc_security_connector grpc_security_connector;
#define GRPC_SECURITY_CONNECTOR_ARG "grpc.security_connector"
-typedef void (*grpc_security_check_cb)(void *user_data,
- grpc_security_status status,
- grpc_closure_list *closure_list);
+typedef void (*grpc_security_check_cb) (void *user_data, grpc_security_status status, grpc_closure_list * closure_list);
/* Ownership of the secure_endpoint is transfered. */
-typedef void (*grpc_security_handshake_done_cb)(
- void *user_data, grpc_security_status status,
- grpc_endpoint *wrapped_endpoint, grpc_endpoint *secure_endpoint,
- grpc_closure_list *closure_list);
-
-typedef struct {
- void (*destroy)(grpc_security_connector *sc);
- void (*do_handshake)(grpc_security_connector *sc,
- grpc_endpoint *nonsecure_endpoint,
- grpc_security_handshake_done_cb cb, void *user_data,
- grpc_closure_list *closure_list);
- grpc_security_status (*check_peer)(grpc_security_connector *sc, tsi_peer peer,
- grpc_security_check_cb cb,
- void *user_data);
+typedef void (*grpc_security_handshake_done_cb) (void *user_data, grpc_security_status status, grpc_endpoint * wrapped_endpoint, grpc_endpoint * secure_endpoint, grpc_closure_list * closure_list);
+
+typedef struct
+{
+ void (*destroy) (grpc_security_connector * sc);
+ void (*do_handshake) (grpc_security_connector * sc, grpc_endpoint * nonsecure_endpoint, grpc_security_handshake_done_cb cb, void *user_data, grpc_closure_list * closure_list);
+ grpc_security_status (*check_peer) (grpc_security_connector * sc, tsi_peer peer, grpc_security_check_cb cb, void *user_data);
} grpc_security_connector_vtable;
-struct grpc_security_connector {
+struct grpc_security_connector
+{
const grpc_security_connector_vtable *vtable;
gpr_refcount refcount;
int is_client_side;
const char *url_scheme;
- grpc_auth_context *auth_context; /* Populated after the peer is checked. */
+ grpc_auth_context *auth_context; /* Populated after the peer is checked. */
};
/* Refcounting. */
@@ -95,26 +88,17 @@ struct grpc_security_connector {
grpc_security_connector_ref((p), __FILE__, __LINE__, (r))
#define GRPC_SECURITY_CONNECTOR_UNREF(p, r) \
grpc_security_connector_unref((p), __FILE__, __LINE__, (r))
-grpc_security_connector *grpc_security_connector_ref(
- grpc_security_connector *policy, const char *file, int line,
- const char *reason);
-void grpc_security_connector_unref(grpc_security_connector *policy,
- const char *file, int line,
- const char *reason);
+grpc_security_connector *grpc_security_connector_ref (grpc_security_connector * policy, const char *file, int line, const char *reason);
+void grpc_security_connector_unref (grpc_security_connector * policy, const char *file, int line, const char *reason);
#else
#define GRPC_SECURITY_CONNECTOR_REF(p, r) grpc_security_connector_ref((p))
#define GRPC_SECURITY_CONNECTOR_UNREF(p, r) grpc_security_connector_unref((p))
-grpc_security_connector *grpc_security_connector_ref(
- grpc_security_connector *policy);
-void grpc_security_connector_unref(grpc_security_connector *policy);
+grpc_security_connector *grpc_security_connector_ref (grpc_security_connector * policy);
+void grpc_security_connector_unref (grpc_security_connector * policy);
#endif
/* Handshake. */
-void grpc_security_connector_do_handshake(grpc_security_connector *connector,
- grpc_endpoint *nonsecure_endpoint,
- grpc_security_handshake_done_cb cb,
- void *user_data,
- grpc_closure_list *closure_list);
+void grpc_security_connector_do_handshake (grpc_security_connector * connector, grpc_endpoint * nonsecure_endpoint, grpc_security_handshake_done_cb cb, void *user_data, grpc_closure_list * closure_list);
/* Check the peer.
Implementations can choose to check the peer either synchronously or
@@ -123,19 +107,16 @@ void grpc_security_connector_do_handshake(grpc_security_connector *connector,
GRPC_SECURITY_PENDING unless an error is detected early on.
Ownership of the peer is transfered.
*/
-grpc_security_status grpc_security_connector_check_peer(
- grpc_security_connector *sc, tsi_peer peer, grpc_security_check_cb cb,
- void *user_data);
+grpc_security_status grpc_security_connector_check_peer (grpc_security_connector * sc, tsi_peer peer, grpc_security_check_cb cb, void *user_data);
/* Util to encapsulate the connector in a channel arg. */
-grpc_arg grpc_security_connector_to_arg(grpc_security_connector *sc);
+grpc_arg grpc_security_connector_to_arg (grpc_security_connector * sc);
/* Util to get the connector from a channel arg. */
-grpc_security_connector *grpc_security_connector_from_arg(const grpc_arg *arg);
+grpc_security_connector *grpc_security_connector_from_arg (const grpc_arg * arg);
/* Util to find the connector from channel args. */
-grpc_security_connector *grpc_find_security_connector_in_args(
- const grpc_channel_args *args);
+grpc_security_connector *grpc_find_security_connector_in_args (const grpc_channel_args * args);
/* --- channel_security_connector object. ---
@@ -144,14 +125,11 @@ grpc_security_connector *grpc_find_security_connector_in_args(
typedef struct grpc_channel_security_connector grpc_channel_security_connector;
-struct grpc_channel_security_connector {
- grpc_security_connector base; /* requires is_client_side to be non 0. */
+struct grpc_channel_security_connector
+{
+ grpc_security_connector base; /* requires is_client_side to be non 0. */
grpc_credentials *request_metadata_creds;
- grpc_security_status (*check_call_host)(grpc_channel_security_connector *sc,
- const char *host,
- grpc_security_check_cb cb,
- void *user_data,
- grpc_closure_list *closure_list);
+ grpc_security_status (*check_call_host) (grpc_channel_security_connector * sc, const char *host, grpc_security_check_cb cb, void *user_data, grpc_closure_list * closure_list);
};
/* Checks that the host that will be set for a call is acceptable.
@@ -159,24 +137,21 @@ struct grpc_channel_security_connector {
asynchronously. In the first case, a successful call will return
GRPC_SECURITY_OK. In the asynchronous case, the call will return
GRPC_SECURITY_PENDING unless an error is detected early on. */
-grpc_security_status grpc_channel_security_connector_check_call_host(
- grpc_channel_security_connector *sc, const char *host,
- grpc_security_check_cb cb, void *user_data,
- grpc_closure_list *closure_list);
+grpc_security_status grpc_channel_security_connector_check_call_host (grpc_channel_security_connector * sc, const char *host, grpc_security_check_cb cb, void *user_data, grpc_closure_list * closure_list);
/* --- Creation security connectors. --- */
/* For TESTING ONLY!
Creates a fake connector that emulates real channel security. */
-grpc_channel_security_connector *grpc_fake_channel_security_connector_create(
- grpc_credentials *request_metadata_creds, int call_host_check_is_async);
+grpc_channel_security_connector *grpc_fake_channel_security_connector_create (grpc_credentials * request_metadata_creds, int call_host_check_is_async);
/* For TESTING ONLY!
Creates a fake connector that emulates real server security. */
-grpc_security_connector *grpc_fake_server_security_connector_create(void);
+grpc_security_connector *grpc_fake_server_security_connector_create (void);
/* Config for ssl clients. */
-typedef struct {
+typedef struct
+{
unsigned char *pem_private_key;
size_t pem_private_key_size;
unsigned char *pem_cert_chain;
@@ -198,16 +173,14 @@ typedef struct {
This function returns GRPC_SECURITY_OK in case of success or a
specific error code otherwise.
*/
-grpc_security_status grpc_ssl_channel_security_connector_create(
- grpc_credentials *request_metadata_creds, const grpc_ssl_config *config,
- const char *target_name, const char *overridden_target_name,
- grpc_channel_security_connector **sc);
+grpc_security_status grpc_ssl_channel_security_connector_create (grpc_credentials * request_metadata_creds, const grpc_ssl_config * config, const char *target_name, const char *overridden_target_name, grpc_channel_security_connector ** sc);
/* Gets the default ssl roots. */
-size_t grpc_get_default_ssl_roots(const unsigned char **pem_root_certs);
+size_t grpc_get_default_ssl_roots (const unsigned char **pem_root_certs);
/* Config for ssl servers. */
-typedef struct {
+typedef struct
+{
unsigned char **pem_private_keys;
size_t *pem_private_keys_sizes;
unsigned char **pem_cert_chains;
@@ -224,14 +197,12 @@ typedef struct {
This function returns GRPC_SECURITY_OK in case of success or a
specific error code otherwise.
*/
-grpc_security_status grpc_ssl_server_security_connector_create(
- const grpc_ssl_server_config *config, grpc_security_connector **sc);
+grpc_security_status grpc_ssl_server_security_connector_create (const grpc_ssl_server_config * config, grpc_security_connector ** sc);
/* Util. */
-const tsi_peer_property *tsi_peer_get_property_by_name(const tsi_peer *peer,
- const char *name);
+const tsi_peer_property *tsi_peer_get_property_by_name (const tsi_peer * peer, const char *name);
/* Exposed for testing only. */
-grpc_auth_context *tsi_ssl_peer_to_auth_context(const tsi_peer *peer);
+grpc_auth_context *tsi_ssl_peer_to_auth_context (const tsi_peer * peer);
#endif /* GRPC_INTERNAL_CORE_SECURITY_SECURITY_CONNECTOR_H */
diff --git a/src/core/security/security_context.c b/src/core/security/security_context.c
index 95d80ba122..5b3326d341 100644
--- a/src/core/security/security_context.c
+++ b/src/core/security/security_context.c
@@ -44,271 +44,317 @@
/* --- grpc_call --- */
-grpc_call_error grpc_call_set_credentials(grpc_call *call,
- grpc_credentials *creds) {
+grpc_call_error
+grpc_call_set_credentials (grpc_call * call, grpc_credentials * creds)
+{
grpc_client_security_context *ctx = NULL;
- if (!grpc_call_is_client(call)) {
- gpr_log(GPR_ERROR, "Method is client-side only.");
- return GRPC_CALL_ERROR_NOT_ON_SERVER;
- }
- if (creds != NULL && !grpc_credentials_has_request_metadata_only(creds)) {
- gpr_log(GPR_ERROR, "Incompatible credentials to set on a call.");
- return GRPC_CALL_ERROR;
- }
- ctx = (grpc_client_security_context *)grpc_call_context_get(
- call, GRPC_CONTEXT_SECURITY);
- if (ctx == NULL) {
- ctx = grpc_client_security_context_create();
- ctx->creds = grpc_credentials_ref(creds);
- grpc_call_context_set(call, GRPC_CONTEXT_SECURITY, ctx,
- grpc_client_security_context_destroy);
- } else {
- grpc_credentials_unref(ctx->creds);
- ctx->creds = grpc_credentials_ref(creds);
- }
+ if (!grpc_call_is_client (call))
+ {
+ gpr_log (GPR_ERROR, "Method is client-side only.");
+ return GRPC_CALL_ERROR_NOT_ON_SERVER;
+ }
+ if (creds != NULL && !grpc_credentials_has_request_metadata_only (creds))
+ {
+ gpr_log (GPR_ERROR, "Incompatible credentials to set on a call.");
+ return GRPC_CALL_ERROR;
+ }
+ ctx = (grpc_client_security_context *) grpc_call_context_get (call, GRPC_CONTEXT_SECURITY);
+ if (ctx == NULL)
+ {
+ ctx = grpc_client_security_context_create ();
+ ctx->creds = grpc_credentials_ref (creds);
+ grpc_call_context_set (call, GRPC_CONTEXT_SECURITY, ctx, grpc_client_security_context_destroy);
+ }
+ else
+ {
+ grpc_credentials_unref (ctx->creds);
+ ctx->creds = grpc_credentials_ref (creds);
+ }
return GRPC_CALL_OK;
}
-grpc_auth_context *grpc_call_auth_context(grpc_call *call) {
- void *sec_ctx = grpc_call_context_get(call, GRPC_CONTEXT_SECURITY);
- if (sec_ctx == NULL) return NULL;
- return grpc_call_is_client(call)
- ? GRPC_AUTH_CONTEXT_REF(
- ((grpc_client_security_context *)sec_ctx)->auth_context,
- "grpc_call_auth_context client")
- : GRPC_AUTH_CONTEXT_REF(
- ((grpc_server_security_context *)sec_ctx)->auth_context,
- "grpc_call_auth_context server");
+grpc_auth_context *
+grpc_call_auth_context (grpc_call * call)
+{
+ void *sec_ctx = grpc_call_context_get (call, GRPC_CONTEXT_SECURITY);
+ if (sec_ctx == NULL)
+ return NULL;
+ return grpc_call_is_client (call) ? GRPC_AUTH_CONTEXT_REF (((grpc_client_security_context *) sec_ctx)->auth_context, "grpc_call_auth_context client") : GRPC_AUTH_CONTEXT_REF (((grpc_server_security_context *) sec_ctx)->auth_context, "grpc_call_auth_context server");
}
-void grpc_auth_context_release(grpc_auth_context *context) {
- GRPC_AUTH_CONTEXT_UNREF(context, "grpc_auth_context_unref");
+void
+grpc_auth_context_release (grpc_auth_context * context)
+{
+ GRPC_AUTH_CONTEXT_UNREF (context, "grpc_auth_context_unref");
}
/* --- grpc_client_security_context --- */
-grpc_client_security_context *grpc_client_security_context_create(void) {
- grpc_client_security_context *ctx =
- gpr_malloc(sizeof(grpc_client_security_context));
- memset(ctx, 0, sizeof(grpc_client_security_context));
+grpc_client_security_context *
+grpc_client_security_context_create (void)
+{
+ grpc_client_security_context *ctx = gpr_malloc (sizeof (grpc_client_security_context));
+ memset (ctx, 0, sizeof (grpc_client_security_context));
return ctx;
}
-void grpc_client_security_context_destroy(void *ctx) {
- grpc_client_security_context *c = (grpc_client_security_context *)ctx;
- grpc_credentials_unref(c->creds);
- GRPC_AUTH_CONTEXT_UNREF(c->auth_context, "client_security_context");
- gpr_free(ctx);
+void
+grpc_client_security_context_destroy (void *ctx)
+{
+ grpc_client_security_context *c = (grpc_client_security_context *) ctx;
+ grpc_credentials_unref (c->creds);
+ GRPC_AUTH_CONTEXT_UNREF (c->auth_context, "client_security_context");
+ gpr_free (ctx);
}
/* --- grpc_server_security_context --- */
-grpc_server_security_context *grpc_server_security_context_create(void) {
- grpc_server_security_context *ctx =
- gpr_malloc(sizeof(grpc_server_security_context));
- memset(ctx, 0, sizeof(grpc_server_security_context));
+grpc_server_security_context *
+grpc_server_security_context_create (void)
+{
+ grpc_server_security_context *ctx = gpr_malloc (sizeof (grpc_server_security_context));
+ memset (ctx, 0, sizeof (grpc_server_security_context));
return ctx;
}
-void grpc_server_security_context_destroy(void *ctx) {
- grpc_server_security_context *c = (grpc_server_security_context *)ctx;
- GRPC_AUTH_CONTEXT_UNREF(c->auth_context, "server_security_context");
- gpr_free(ctx);
+void
+grpc_server_security_context_destroy (void *ctx)
+{
+ grpc_server_security_context *c = (grpc_server_security_context *) ctx;
+ GRPC_AUTH_CONTEXT_UNREF (c->auth_context, "server_security_context");
+ gpr_free (ctx);
}
/* --- grpc_auth_context --- */
-static grpc_auth_property_iterator empty_iterator = {NULL, 0, NULL};
-
-grpc_auth_context *grpc_auth_context_create(grpc_auth_context *chained) {
- grpc_auth_context *ctx = gpr_malloc(sizeof(grpc_auth_context));
- memset(ctx, 0, sizeof(grpc_auth_context));
- gpr_ref_init(&ctx->refcount, 1);
- if (chained != NULL) {
- ctx->chained = GRPC_AUTH_CONTEXT_REF(chained, "chained");
- ctx->peer_identity_property_name =
- ctx->chained->peer_identity_property_name;
- }
+static grpc_auth_property_iterator empty_iterator = { NULL, 0, NULL };
+
+grpc_auth_context *
+grpc_auth_context_create (grpc_auth_context * chained)
+{
+ grpc_auth_context *ctx = gpr_malloc (sizeof (grpc_auth_context));
+ memset (ctx, 0, sizeof (grpc_auth_context));
+ gpr_ref_init (&ctx->refcount, 1);
+ if (chained != NULL)
+ {
+ ctx->chained = GRPC_AUTH_CONTEXT_REF (chained, "chained");
+ ctx->peer_identity_property_name = ctx->chained->peer_identity_property_name;
+ }
return ctx;
}
#ifdef GRPC_AUTH_CONTEXT_REFCOUNT_DEBUG
-grpc_auth_context *grpc_auth_context_ref(grpc_auth_context *ctx,
- const char *file, int line,
- const char *reason) {
- if (ctx == NULL) return NULL;
- gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG,
- "AUTH_CONTEXT:%p ref %d -> %d %s", ctx, (int)ctx->refcount.count,
- (int)ctx->refcount.count + 1, reason);
+grpc_auth_context *
+grpc_auth_context_ref (grpc_auth_context * ctx, const char *file, int line, const char *reason)
+{
+ if (ctx == NULL)
+ return NULL;
+ gpr_log (file, line, GPR_LOG_SEVERITY_DEBUG, "AUTH_CONTEXT:%p ref %d -> %d %s", ctx, (int) ctx->refcount.count, (int) ctx->refcount.count + 1, reason);
#else
-grpc_auth_context *grpc_auth_context_ref(grpc_auth_context *ctx) {
- if (ctx == NULL) return NULL;
+grpc_auth_context *
+grpc_auth_context_ref (grpc_auth_context * ctx)
+{
+ if (ctx == NULL)
+ return NULL;
#endif
- gpr_ref(&ctx->refcount);
+ gpr_ref (&ctx->refcount);
return ctx;
}
#ifdef GRPC_AUTH_CONTEXT_REFCOUNT_DEBUG
-void grpc_auth_context_unref(grpc_auth_context *ctx, const char *file, int line,
- const char *reason) {
- if (ctx == NULL) return;
- gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG,
- "AUTH_CONTEXT:%p unref %d -> %d %s", ctx, (int)ctx->refcount.count,
- (int)ctx->refcount.count - 1, reason);
+void
+grpc_auth_context_unref (grpc_auth_context * ctx, const char *file, int line, const char *reason)
+{
+ if (ctx == NULL)
+ return;
+ gpr_log (file, line, GPR_LOG_SEVERITY_DEBUG, "AUTH_CONTEXT:%p unref %d -> %d %s", ctx, (int) ctx->refcount.count, (int) ctx->refcount.count - 1, reason);
#else
-void grpc_auth_context_unref(grpc_auth_context *ctx) {
- if (ctx == NULL) return;
+void
+grpc_auth_context_unref (grpc_auth_context * ctx)
+{
+ if (ctx == NULL)
+ return;
#endif
- if (gpr_unref(&ctx->refcount)) {
- size_t i;
- GRPC_AUTH_CONTEXT_UNREF(ctx->chained, "chained");
- if (ctx->properties.array != NULL) {
- for (i = 0; i < ctx->properties.count; i++) {
- grpc_auth_property_reset(&ctx->properties.array[i]);
- }
- gpr_free(ctx->properties.array);
+ if (gpr_unref (&ctx->refcount))
+ {
+ size_t i;
+ GRPC_AUTH_CONTEXT_UNREF (ctx->chained, "chained");
+ if (ctx->properties.array != NULL)
+ {
+ for (i = 0; i < ctx->properties.count; i++)
+ {
+ grpc_auth_property_reset (&ctx->properties.array[i]);
+ }
+ gpr_free (ctx->properties.array);
+ }
+ gpr_free (ctx);
}
- gpr_free(ctx);
- }
}
-const char *grpc_auth_context_peer_identity_property_name(
- const grpc_auth_context *ctx) {
+const char *
+grpc_auth_context_peer_identity_property_name (const grpc_auth_context * ctx)
+{
return ctx->peer_identity_property_name;
}
-int grpc_auth_context_set_peer_identity_property_name(grpc_auth_context *ctx,
- const char *name) {
- grpc_auth_property_iterator it =
- grpc_auth_context_find_properties_by_name(ctx, name);
- const grpc_auth_property *prop = grpc_auth_property_iterator_next(&it);
- if (prop == NULL) {
- gpr_log(GPR_ERROR, "Property name %s not found in auth context.",
- name != NULL ? name : "NULL");
- return 0;
- }
+int
+grpc_auth_context_set_peer_identity_property_name (grpc_auth_context * ctx, const char *name)
+{
+ grpc_auth_property_iterator it = grpc_auth_context_find_properties_by_name (ctx, name);
+ const grpc_auth_property *prop = grpc_auth_property_iterator_next (&it);
+ if (prop == NULL)
+ {
+ gpr_log (GPR_ERROR, "Property name %s not found in auth context.", name != NULL ? name : "NULL");
+ return 0;
+ }
ctx->peer_identity_property_name = prop->name;
return 1;
}
-int grpc_auth_context_peer_is_authenticated(const grpc_auth_context *ctx) {
+int
+grpc_auth_context_peer_is_authenticated (const grpc_auth_context * ctx)
+{
return ctx->peer_identity_property_name == NULL ? 0 : 1;
}
-grpc_auth_property_iterator grpc_auth_context_property_iterator(
- const grpc_auth_context *ctx) {
+grpc_auth_property_iterator
+grpc_auth_context_property_iterator (const grpc_auth_context * ctx)
+{
grpc_auth_property_iterator it = empty_iterator;
- if (ctx == NULL) return it;
+ if (ctx == NULL)
+ return it;
it.ctx = ctx;
return it;
}
-const grpc_auth_property *grpc_auth_property_iterator_next(
- grpc_auth_property_iterator *it) {
- if (it == NULL || it->ctx == NULL) return NULL;
- while (it->index == it->ctx->properties.count) {
- if (it->ctx->chained == NULL) return NULL;
- it->ctx = it->ctx->chained;
- it->index = 0;
- }
- if (it->name == NULL) {
- return &it->ctx->properties.array[it->index++];
- } else {
- while (it->index < it->ctx->properties.count) {
- const grpc_auth_property *prop = &it->ctx->properties.array[it->index++];
- GPR_ASSERT(prop->name != NULL);
- if (strcmp(it->name, prop->name) == 0) {
- return prop;
- }
+const grpc_auth_property *
+grpc_auth_property_iterator_next (grpc_auth_property_iterator * it)
+{
+ if (it == NULL || it->ctx == NULL)
+ return NULL;
+ while (it->index == it->ctx->properties.count)
+ {
+ if (it->ctx->chained == NULL)
+ return NULL;
+ it->ctx = it->ctx->chained;
+ it->index = 0;
+ }
+ if (it->name == NULL)
+ {
+ return &it->ctx->properties.array[it->index++];
+ }
+ else
+ {
+ while (it->index < it->ctx->properties.count)
+ {
+ const grpc_auth_property *prop = &it->ctx->properties.array[it->index++];
+ GPR_ASSERT (prop->name != NULL);
+ if (strcmp (it->name, prop->name) == 0)
+ {
+ return prop;
+ }
+ }
+ /* We could not find the name, try another round. */
+ return grpc_auth_property_iterator_next (it);
}
- /* We could not find the name, try another round. */
- return grpc_auth_property_iterator_next(it);
- }
}
-grpc_auth_property_iterator grpc_auth_context_find_properties_by_name(
- const grpc_auth_context *ctx, const char *name) {
+grpc_auth_property_iterator
+grpc_auth_context_find_properties_by_name (const grpc_auth_context * ctx, const char *name)
+{
grpc_auth_property_iterator it = empty_iterator;
- if (ctx == NULL || name == NULL) return empty_iterator;
+ if (ctx == NULL || name == NULL)
+ return empty_iterator;
it.ctx = ctx;
it.name = name;
return it;
}
-grpc_auth_property_iterator grpc_auth_context_peer_identity(
- const grpc_auth_context *ctx) {
- if (ctx == NULL) return empty_iterator;
- return grpc_auth_context_find_properties_by_name(
- ctx, ctx->peer_identity_property_name);
+grpc_auth_property_iterator
+grpc_auth_context_peer_identity (const grpc_auth_context * ctx)
+{
+ if (ctx == NULL)
+ return empty_iterator;
+ return grpc_auth_context_find_properties_by_name (ctx, ctx->peer_identity_property_name);
}
-static void ensure_auth_context_capacity(grpc_auth_context *ctx) {
- if (ctx->properties.count == ctx->properties.capacity) {
- ctx->properties.capacity =
- GPR_MAX(ctx->properties.capacity + 8, ctx->properties.capacity * 2);
- ctx->properties.array =
- gpr_realloc(ctx->properties.array,
- ctx->properties.capacity * sizeof(grpc_auth_property));
- }
+static void
+ensure_auth_context_capacity (grpc_auth_context * ctx)
+{
+ if (ctx->properties.count == ctx->properties.capacity)
+ {
+ ctx->properties.capacity = GPR_MAX (ctx->properties.capacity + 8, ctx->properties.capacity * 2);
+ ctx->properties.array = gpr_realloc (ctx->properties.array, ctx->properties.capacity * sizeof (grpc_auth_property));
+ }
}
-void grpc_auth_context_add_property(grpc_auth_context *ctx, const char *name,
- const char *value, size_t value_length) {
+void
+grpc_auth_context_add_property (grpc_auth_context * ctx, const char *name, const char *value, size_t value_length)
+{
grpc_auth_property *prop;
- ensure_auth_context_capacity(ctx);
+ ensure_auth_context_capacity (ctx);
prop = &ctx->properties.array[ctx->properties.count++];
- prop->name = gpr_strdup(name);
- prop->value = gpr_malloc(value_length + 1);
- memcpy(prop->value, value, value_length);
+ prop->name = gpr_strdup (name);
+ prop->value = gpr_malloc (value_length + 1);
+ memcpy (prop->value, value, value_length);
prop->value[value_length] = '\0';
prop->value_length = value_length;
}
-void grpc_auth_context_add_cstring_property(grpc_auth_context *ctx,
- const char *name,
- const char *value) {
+void
+grpc_auth_context_add_cstring_property (grpc_auth_context * ctx, const char *name, const char *value)
+{
grpc_auth_property *prop;
- ensure_auth_context_capacity(ctx);
+ ensure_auth_context_capacity (ctx);
prop = &ctx->properties.array[ctx->properties.count++];
- prop->name = gpr_strdup(name);
- prop->value = gpr_strdup(value);
- prop->value_length = strlen(value);
+ prop->name = gpr_strdup (name);
+ prop->value = gpr_strdup (value);
+ prop->value_length = strlen (value);
}
-void grpc_auth_property_reset(grpc_auth_property *property) {
- gpr_free(property->name);
- gpr_free(property->value);
- memset(property, 0, sizeof(grpc_auth_property));
+void
+grpc_auth_property_reset (grpc_auth_property * property)
+{
+ gpr_free (property->name);
+ gpr_free (property->value);
+ memset (property, 0, sizeof (grpc_auth_property));
}
-grpc_arg grpc_auth_metadata_processor_to_arg(grpc_auth_metadata_processor *p) {
+grpc_arg
+grpc_auth_metadata_processor_to_arg (grpc_auth_metadata_processor * p)
+{
grpc_arg arg;
- memset(&arg, 0, sizeof(grpc_arg));
+ memset (&arg, 0, sizeof (grpc_arg));
arg.type = GRPC_ARG_POINTER;
arg.key = GRPC_AUTH_METADATA_PROCESSOR_ARG;
arg.value.pointer.p = p;
return arg;
}
-grpc_auth_metadata_processor *grpc_auth_metadata_processor_from_arg(
- const grpc_arg *arg) {
- if (strcmp(arg->key, GRPC_AUTH_METADATA_PROCESSOR_ARG) != 0) return NULL;
- if (arg->type != GRPC_ARG_POINTER) {
- gpr_log(GPR_ERROR, "Invalid type %d for arg %s", arg->type,
- GRPC_AUTH_METADATA_PROCESSOR_ARG);
+grpc_auth_metadata_processor *
+grpc_auth_metadata_processor_from_arg (const grpc_arg * arg)
+{
+ if (strcmp (arg->key, GRPC_AUTH_METADATA_PROCESSOR_ARG) != 0)
return NULL;
- }
+ if (arg->type != GRPC_ARG_POINTER)
+ {
+ gpr_log (GPR_ERROR, "Invalid type %d for arg %s", arg->type, GRPC_AUTH_METADATA_PROCESSOR_ARG);
+ return NULL;
+ }
return arg->value.pointer.p;
}
-grpc_auth_metadata_processor *grpc_find_auth_metadata_processor_in_args(
- const grpc_channel_args *args) {
+grpc_auth_metadata_processor *
+grpc_find_auth_metadata_processor_in_args (const grpc_channel_args * args)
+{
size_t i;
- if (args == NULL) return NULL;
- for (i = 0; i < args->num_args; i++) {
- grpc_auth_metadata_processor *p =
- grpc_auth_metadata_processor_from_arg(&args->args[i]);
- if (p != NULL) return p;
- }
+ if (args == NULL)
+ return NULL;
+ for (i = 0; i < args->num_args; i++)
+ {
+ grpc_auth_metadata_processor *p = grpc_auth_metadata_processor_from_arg (&args->args[i]);
+ if (p != NULL)
+ return p;
+ }
return NULL;
}
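Review bot: In `grpc_call_set_credentials` the else branch unrefs `ctx->creds` before taking the new ref, so when `creds` is the object already stored and the context holds the last reference, the unref can free it and the following `grpc_credentials_ref` touches freed memory. Taking the new reference first removes that window: `grpc_credentials *old_creds = ctx->creds;` `ctx->creds = grpc_credentials_ref (creds);` `grpc_credentials_unref (old_creds);`. Whether callers always hold their own reference is not visible here, so the ordering is worth fixing regardless.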
diff --git a/src/core/security/security_context.h b/src/core/security/security_context.h
index a9a0306410..93b31f60d6 100644
--- a/src/core/security/security_context.h
+++ b/src/core/security/security_context.h
@@ -43,13 +43,15 @@
/* Property names are always NULL terminated. */
-typedef struct {
+typedef struct
+{
grpc_auth_property *array;
size_t count;
size_t capacity;
} grpc_auth_property_array;
-struct grpc_auth_context {
+struct grpc_auth_context
+{
struct grpc_auth_context *chained;
grpc_auth_property_array properties;
gpr_refcount refcount;
@@ -58,7 +60,7 @@ struct grpc_auth_context {
};
/* Creation. */
-grpc_auth_context *grpc_auth_context_create(grpc_auth_context *chained);
+grpc_auth_context *grpc_auth_context_create (grpc_auth_context * chained);
/* Refcounting. */
#ifdef GRPC_AUTH_CONTEXT_REFCOUNT_DEBUG
@@ -66,50 +68,47 @@ grpc_auth_context *grpc_auth_context_create(grpc_auth_context *chained);
grpc_auth_context_ref((p), __FILE__, __LINE__, (r))
#define GRPC_AUTH_CONTEXT_UNREF(p, r) \
grpc_auth_context_unref((p), __FILE__, __LINE__, (r))
-grpc_auth_context *grpc_auth_context_ref(grpc_auth_context *policy,
- const char *file, int line,
- const char *reason);
-void grpc_auth_context_unref(grpc_auth_context *policy, const char *file,
- int line, const char *reason);
+grpc_auth_context *grpc_auth_context_ref (grpc_auth_context * policy, const char *file, int line, const char *reason);
+void grpc_auth_context_unref (grpc_auth_context * policy, const char *file, int line, const char *reason);
#else
#define GRPC_AUTH_CONTEXT_REF(p, r) grpc_auth_context_ref((p))
#define GRPC_AUTH_CONTEXT_UNREF(p, r) grpc_auth_context_unref((p))
-grpc_auth_context *grpc_auth_context_ref(grpc_auth_context *policy);
-void grpc_auth_context_unref(grpc_auth_context *policy);
+grpc_auth_context *grpc_auth_context_ref (grpc_auth_context * policy);
+void grpc_auth_context_unref (grpc_auth_context * policy);
#endif
-void grpc_auth_property_reset(grpc_auth_property *property);
+void grpc_auth_property_reset (grpc_auth_property * property);
/* --- grpc_client_security_context ---
Internal client-side security context. */
-typedef struct {
+typedef struct
+{
grpc_credentials *creds;
grpc_auth_context *auth_context;
} grpc_client_security_context;
-grpc_client_security_context *grpc_client_security_context_create(void);
-void grpc_client_security_context_destroy(void *ctx);
+grpc_client_security_context *grpc_client_security_context_create (void);
+void grpc_client_security_context_destroy (void *ctx);
/* --- grpc_server_security_context ---
Internal server-side security context. */
-typedef struct {
+typedef struct
+{
grpc_auth_context *auth_context;
} grpc_server_security_context;
-grpc_server_security_context *grpc_server_security_context_create(void);
-void grpc_server_security_context_destroy(void *ctx);
+grpc_server_security_context *grpc_server_security_context_create (void);
+void grpc_server_security_context_destroy (void *ctx);
/* --- Auth metadata processing. --- */
#define GRPC_AUTH_METADATA_PROCESSOR_ARG "grpc.auth_metadata_processor"
-grpc_arg grpc_auth_metadata_processor_to_arg(grpc_auth_metadata_processor *p);
-grpc_auth_metadata_processor *grpc_auth_metadata_processor_from_arg(
- const grpc_arg *arg);
-grpc_auth_metadata_processor *grpc_find_auth_metadata_processor_in_args(
- const grpc_channel_args *args);
+grpc_arg grpc_auth_metadata_processor_to_arg (grpc_auth_metadata_processor * p);
+grpc_auth_metadata_processor *grpc_auth_metadata_processor_from_arg (const grpc_arg * arg);
+grpc_auth_metadata_processor *grpc_find_auth_metadata_processor_in_args (const grpc_channel_args * args);
#endif /* GRPC_INTERNAL_CORE_SECURITY_SECURITY_CONTEXT_H */
diff --git a/src/core/security/server_auth_filter.c b/src/core/security/server_auth_filter.c
index 0816b5fc22..66316f788e 100644
--- a/src/core/security/server_auth_filter.c
+++ b/src/core/security/server_auth_filter.c
@@ -40,7 +40,8 @@
#include <grpc/support/alloc.h>
#include <grpc/support/log.h>
-typedef struct call_data {
+typedef struct call_data
+{
gpr_uint8 got_client_metadata;
grpc_stream_op_buffer *recv_ops;
/* Closure to call when finished with the auth_on_recv hook. */
@@ -57,132 +58,139 @@ typedef struct call_data {
grpc_auth_context *auth_context;
} call_data;
-typedef struct channel_data {
+typedef struct channel_data
+{
grpc_security_connector *security_connector;
grpc_auth_metadata_processor processor;
grpc_mdctx *mdctx;
} channel_data;
-static grpc_metadata_array metadata_batch_to_md_array(
- const grpc_metadata_batch *batch) {
+static grpc_metadata_array
+metadata_batch_to_md_array (const grpc_metadata_batch * batch)
+{
grpc_linked_mdelem *l;
grpc_metadata_array result;
- grpc_metadata_array_init(&result);
- for (l = batch->list.head; l != NULL; l = l->next) {
- grpc_metadata *usr_md = NULL;
- grpc_mdelem *md = l->md;
- grpc_mdstr *key = md->key;
- grpc_mdstr *value = md->value;
- if (result.count == result.capacity) {
- result.capacity = GPR_MAX(result.capacity + 8, result.capacity * 2);
- result.metadata =
- gpr_realloc(result.metadata, result.capacity * sizeof(grpc_metadata));
+ grpc_metadata_array_init (&result);
+ for (l = batch->list.head; l != NULL; l = l->next)
+ {
+ grpc_metadata *usr_md = NULL;
+ grpc_mdelem *md = l->md;
+ grpc_mdstr *key = md->key;
+ grpc_mdstr *value = md->value;
+ if (result.count == result.capacity)
+ {
+ result.capacity = GPR_MAX (result.capacity + 8, result.capacity * 2);
+ result.metadata = gpr_realloc (result.metadata, result.capacity * sizeof (grpc_metadata));
+ }
+ usr_md = &result.metadata[result.count++];
+ usr_md->key = grpc_mdstr_as_c_string (key);
+ usr_md->value = grpc_mdstr_as_c_string (value);
+ usr_md->value_length = GPR_SLICE_LENGTH (value->slice);
}
- usr_md = &result.metadata[result.count++];
- usr_md->key = grpc_mdstr_as_c_string(key);
- usr_md->value = grpc_mdstr_as_c_string(value);
- usr_md->value_length = GPR_SLICE_LENGTH(value->slice);
- }
return result;
}
-static grpc_mdelem *remove_consumed_md(void *user_data, grpc_mdelem *md) {
+static grpc_mdelem *
+remove_consumed_md (void *user_data, grpc_mdelem * md)
+{
grpc_call_element *elem = user_data;
call_data *calld = elem->call_data;
size_t i;
- for (i = 0; i < calld->num_consumed_md; i++) {
- const grpc_metadata *consumed_md = &calld->consumed_md[i];
- /* Maybe we could do a pointer comparison but we do not have any guarantee
- that the metadata processor used the same pointers for consumed_md in the
- callback. */
- if (GPR_SLICE_LENGTH(md->key->slice) != strlen(consumed_md->key) ||
- GPR_SLICE_LENGTH(md->value->slice) != consumed_md->value_length) {
- continue;
+ for (i = 0; i < calld->num_consumed_md; i++)
+ {
+ const grpc_metadata *consumed_md = &calld->consumed_md[i];
+ /* Maybe we could do a pointer comparison but we do not have any guarantee
+ that the metadata processor used the same pointers for consumed_md in the
+ callback. */
+ if (GPR_SLICE_LENGTH (md->key->slice) != strlen (consumed_md->key) || GPR_SLICE_LENGTH (md->value->slice) != consumed_md->value_length)
+ {
+ continue;
+ }
+ if (memcmp (GPR_SLICE_START_PTR (md->key->slice), consumed_md->key, GPR_SLICE_LENGTH (md->key->slice)) == 0 && memcmp (GPR_SLICE_START_PTR (md->value->slice), consumed_md->value, GPR_SLICE_LENGTH (md->value->slice)) == 0)
+ {
+ return NULL; /* Delete. */
+ }
}
- if (memcmp(GPR_SLICE_START_PTR(md->key->slice), consumed_md->key,
- GPR_SLICE_LENGTH(md->key->slice)) == 0 &&
- memcmp(GPR_SLICE_START_PTR(md->value->slice), consumed_md->value,
- GPR_SLICE_LENGTH(md->value->slice)) == 0) {
- return NULL; /* Delete. */
- }
- }
return md;
}
/* called from application code */
-static void on_md_processing_done(
- void *user_data, const grpc_metadata *consumed_md, size_t num_consumed_md,
- const grpc_metadata *response_md, size_t num_response_md,
- grpc_status_code status, const char *error_details) {
+static void
+on_md_processing_done (void *user_data, const grpc_metadata * consumed_md, size_t num_consumed_md, const grpc_metadata * response_md, size_t num_response_md, grpc_status_code status, const char *error_details)
+{
grpc_call_element *elem = user_data;
call_data *calld = elem->call_data;
grpc_closure_list closure_list = GRPC_CLOSURE_LIST_INIT;
/* TODO(jboeuf): Implement support for response_md. */
- if (response_md != NULL && num_response_md > 0) {
- gpr_log(GPR_INFO,
- "response_md in auth metadata processing not supported for now. "
- "Ignoring...");
- }
+ if (response_md != NULL && num_response_md > 0)
+ {
+ gpr_log (GPR_INFO, "response_md in auth metadata processing not supported for now. " "Ignoring...");
+ }
- if (status == GRPC_STATUS_OK) {
- calld->consumed_md = consumed_md;
- calld->num_consumed_md = num_consumed_md;
- grpc_metadata_batch_filter(&calld->md_op->data.metadata, remove_consumed_md,
- elem);
- grpc_metadata_array_destroy(&calld->md);
- calld->on_done_recv->cb(calld->on_done_recv->cb_arg, 1, &closure_list);
- } else {
- gpr_slice message;
- grpc_metadata_array_destroy(&calld->md);
- error_details = error_details != NULL
- ? error_details
- : "Authentication metadata processing failed.";
- message = gpr_slice_from_copied_string(error_details);
- grpc_sopb_reset(calld->recv_ops);
- grpc_transport_stream_op_add_close(&calld->transport_op, status, &message);
- grpc_call_next_op(elem, &calld->transport_op, &closure_list);
- }
+ if (status == GRPC_STATUS_OK)
+ {
+ calld->consumed_md = consumed_md;
+ calld->num_consumed_md = num_consumed_md;
+ grpc_metadata_batch_filter (&calld->md_op->data.metadata, remove_consumed_md, elem);
+ grpc_metadata_array_destroy (&calld->md);
+ calld->on_done_recv->cb (calld->on_done_recv->cb_arg, 1, &closure_list);
+ }
+ else
+ {
+ gpr_slice message;
+ grpc_metadata_array_destroy (&calld->md);
+ error_details = error_details != NULL ? error_details : "Authentication metadata processing failed.";
+ message = gpr_slice_from_copied_string (error_details);
+ grpc_sopb_reset (calld->recv_ops);
+ grpc_transport_stream_op_add_close (&calld->transport_op, status, &message);
+ grpc_call_next_op (elem, &calld->transport_op, &closure_list);
+ }
- grpc_closure_list_run(&closure_list);
+ grpc_closure_list_run (&closure_list);
}
-static void auth_on_recv(void *user_data, int success,
- grpc_closure_list *closure_list) {
+static void
+auth_on_recv (void *user_data, int success, grpc_closure_list * closure_list)
+{
grpc_call_element *elem = user_data;
call_data *calld = elem->call_data;
channel_data *chand = elem->channel_data;
- if (success) {
- size_t i;
- size_t nops = calld->recv_ops->nops;
- grpc_stream_op *ops = calld->recv_ops->ops;
- for (i = 0; i < nops; i++) {
- grpc_stream_op *op = &ops[i];
- if (op->type != GRPC_OP_METADATA || calld->got_client_metadata) continue;
- calld->got_client_metadata = 1;
- if (chand->processor.process == NULL) continue;
- calld->md_op = op;
- calld->md = metadata_batch_to_md_array(&op->data.metadata);
- chand->processor.process(chand->processor.state, calld->auth_context,
- calld->md.metadata, calld->md.count,
- on_md_processing_done, elem);
- return;
+ if (success)
+ {
+ size_t i;
+ size_t nops = calld->recv_ops->nops;
+ grpc_stream_op *ops = calld->recv_ops->ops;
+ for (i = 0; i < nops; i++)
+ {
+ grpc_stream_op *op = &ops[i];
+ if (op->type != GRPC_OP_METADATA || calld->got_client_metadata)
+ continue;
+ calld->got_client_metadata = 1;
+ if (chand->processor.process == NULL)
+ continue;
+ calld->md_op = op;
+ calld->md = metadata_batch_to_md_array (&op->data.metadata);
+ chand->processor.process (chand->processor.state, calld->auth_context, calld->md.metadata, calld->md.count, on_md_processing_done, elem);
+ return;
+ }
}
- }
- calld->on_done_recv->cb(calld->on_done_recv->cb_arg, success, closure_list);
+ calld->on_done_recv->cb (calld->on_done_recv->cb_arg, success, closure_list);
}
-static void set_recv_ops_md_callbacks(grpc_call_element *elem,
- grpc_transport_stream_op *op) {
+static void
+set_recv_ops_md_callbacks (grpc_call_element * elem, grpc_transport_stream_op * op)
+{
call_data *calld = elem->call_data;
- if (op->recv_ops && !calld->got_client_metadata) {
- /* substitute our callback for the higher callback */
- calld->recv_ops = op->recv_ops;
- calld->on_done_recv = op->on_done_recv;
- op->on_done_recv = &calld->auth_on_recv;
- calld->transport_op = *op;
- }
+ if (op->recv_ops && !calld->got_client_metadata)
+ {
+ /* substitute our callback for the higher callback */
+ calld->recv_ops = op->recv_ops;
+ calld->on_done_recv = op->on_done_recv;
+ op->on_done_recv = &calld->auth_on_recv;
+ calld->transport_op = *op;
+ }
}
/* Called either:
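Review bot: In on_md_processing_done the success branch stores the application-supplied `consumed_md` pointer in `calld->consumed_md` and leaves it there after `grpc_metadata_batch_filter` returns, even though it is only read by remove_consumed_md during that call and nothing visible here guarantees the application keeps the array alive after the callback. Clearing it right after the filter makes the lifetime explicit and prevents a later accidental use of a dangling pointer: `calld->consumed_md = NULL; calld->num_consumed_md = 0;` immediately after the `grpc_metadata_batch_filter (...)` line. A one-line comment on the assignment, `/* consumed_md is only valid for the duration of this callback. */`, would document the contract for the next maintainer.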
@@ -190,92 +198,88 @@ static void set_recv_ops_md_callbacks(grpc_call_element *elem,
- a network event (or similar) from below, to receive something
op contains type and call direction information, in addition to the data
that is being sent or received. */
-static void auth_start_transport_op(grpc_call_element *elem,
- grpc_transport_stream_op *op,
- grpc_closure_list *closure_list) {
- set_recv_ops_md_callbacks(elem, op);
- grpc_call_next_op(elem, op, closure_list);
+static void
+auth_start_transport_op (grpc_call_element * elem, grpc_transport_stream_op * op, grpc_closure_list * closure_list)
+{
+ set_recv_ops_md_callbacks (elem, op);
+ grpc_call_next_op (elem, op, closure_list);
}
/* Constructor for call_data */
-static void init_call_elem(grpc_call_element *elem,
- const void *server_transport_data,
- grpc_transport_stream_op *initial_op,
- grpc_closure_list *closure_list) {
+static void
+init_call_elem (grpc_call_element * elem, const void *server_transport_data, grpc_transport_stream_op * initial_op, grpc_closure_list * closure_list)
+{
/* grab pointers to our data from the call element */
call_data *calld = elem->call_data;
channel_data *chand = elem->channel_data;
grpc_server_security_context *server_ctx = NULL;
/* initialize members */
- memset(calld, 0, sizeof(*calld));
- grpc_closure_init(&calld->auth_on_recv, auth_on_recv, elem);
+ memset (calld, 0, sizeof (*calld));
+ grpc_closure_init (&calld->auth_on_recv, auth_on_recv, elem);
- GPR_ASSERT(initial_op && initial_op->context != NULL &&
- initial_op->context[GRPC_CONTEXT_SECURITY].value == NULL);
+ GPR_ASSERT (initial_op && initial_op->context != NULL && initial_op->context[GRPC_CONTEXT_SECURITY].value == NULL);
/* Create a security context for the call and reference the auth context from
the channel. */
- if (initial_op->context[GRPC_CONTEXT_SECURITY].value != NULL) {
- initial_op->context[GRPC_CONTEXT_SECURITY].destroy(
- initial_op->context[GRPC_CONTEXT_SECURITY].value);
- }
- server_ctx = grpc_server_security_context_create();
- server_ctx->auth_context =
- grpc_auth_context_create(chand->security_connector->auth_context);
+ if (initial_op->context[GRPC_CONTEXT_SECURITY].value != NULL)
+ {
+ initial_op->context[GRPC_CONTEXT_SECURITY].destroy (initial_op->context[GRPC_CONTEXT_SECURITY].value);
+ }
+ server_ctx = grpc_server_security_context_create ();
+ server_ctx->auth_context = grpc_auth_context_create (chand->security_connector->auth_context);
server_ctx->auth_context->pollset = initial_op->bind_pollset;
initial_op->context[GRPC_CONTEXT_SECURITY].value = server_ctx;
- initial_op->context[GRPC_CONTEXT_SECURITY].destroy =
- grpc_server_security_context_destroy;
+ initial_op->context[GRPC_CONTEXT_SECURITY].destroy = grpc_server_security_context_destroy;
calld->auth_context = server_ctx->auth_context;
/* Set the metadata callbacks. */
- set_recv_ops_md_callbacks(elem, initial_op);
+ set_recv_ops_md_callbacks (elem, initial_op);
}
/* Destructor for call_data */
-static void destroy_call_elem(grpc_call_element *elem,
- grpc_closure_list *closure_list) {}
+static void
+destroy_call_elem (grpc_call_element * elem, grpc_closure_list * closure_list)
+{
+}
/* Constructor for channel_data */
-static void init_channel_elem(grpc_channel_element *elem, grpc_channel *master,
- const grpc_channel_args *args, grpc_mdctx *mdctx,
- int is_first, int is_last,
- grpc_closure_list *closure_list) {
- grpc_security_connector *sc = grpc_find_security_connector_in_args(args);
- grpc_auth_metadata_processor *processor =
- grpc_find_auth_metadata_processor_in_args(args);
+static void
+init_channel_elem (grpc_channel_element * elem, grpc_channel * master, const grpc_channel_args * args, grpc_mdctx * mdctx, int is_first, int is_last, grpc_closure_list * closure_list)
+{
+ grpc_security_connector *sc = grpc_find_security_connector_in_args (args);
+ grpc_auth_metadata_processor *processor = grpc_find_auth_metadata_processor_in_args (args);
/* grab pointers to our data from the channel element */
channel_data *chand = elem->channel_data;
/* The first and the last filters tend to be implemented differently to
handle the case that there's no 'next' filter to call on the up or down
path */
- GPR_ASSERT(!is_first);
- GPR_ASSERT(!is_last);
- GPR_ASSERT(sc != NULL);
- GPR_ASSERT(processor != NULL);
+ GPR_ASSERT (!is_first);
+ GPR_ASSERT (!is_last);
+ GPR_ASSERT (sc != NULL);
+ GPR_ASSERT (processor != NULL);
/* initialize members */
- GPR_ASSERT(!sc->is_client_side);
- chand->security_connector =
- GRPC_SECURITY_CONNECTOR_REF(sc, "server_auth_filter");
+ GPR_ASSERT (!sc->is_client_side);
+ chand->security_connector = GRPC_SECURITY_CONNECTOR_REF (sc, "server_auth_filter");
chand->mdctx = mdctx;
chand->processor = *processor;
}
/* Destructor for channel data */
-static void destroy_channel_elem(grpc_channel_element *elem,
- grpc_closure_list *closure_list) {
+static void
+destroy_channel_elem (grpc_channel_element * elem, grpc_closure_list * closure_list)
+{
/* grab pointers to our data from the channel element */
channel_data *chand = elem->channel_data;
- GRPC_SECURITY_CONNECTOR_UNREF(chand->security_connector,
- "server_auth_filter");
+ GRPC_SECURITY_CONNECTOR_UNREF (chand->security_connector, "server_auth_filter");
}
const grpc_channel_filter grpc_server_auth_filter = {
- auth_start_transport_op, grpc_channel_next_op,
- sizeof(call_data), init_call_elem,
- destroy_call_elem, sizeof(channel_data),
- init_channel_elem, destroy_channel_elem,
- grpc_call_next_get_peer, "server-auth"};
+ auth_start_transport_op, grpc_channel_next_op,
+ sizeof (call_data), init_call_elem,
+ destroy_call_elem, sizeof (channel_data),
+ init_channel_elem, destroy_channel_elem,
+ grpc_call_next_get_peer, "server-auth"
+};
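Review bot: In init_call_elem the `GPR_ASSERT` requires `initial_op->context[GRPC_CONTEXT_SECURITY].value == NULL`, yet the very next `if` handles the non-NULL case by calling its `destroy` hook, so with assertions enabled that branch is unreachable and with them compiled out a pre-existing security context on a server call would be silently destroyed and replaced. Pick one behaviour: a call arriving with a security context already attached is an invariant violation on the server side, so keeping the assert and deleting the `if (initial_op->context[GRPC_CONTEXT_SECURITY].value != NULL) { ... destroy (...); }` block is the safer choice; otherwise drop the `value == NULL` clause from the assert and keep the branch. Either way a short comment stating which invariant holds would help.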
diff --git a/src/core/security/server_secure_chttp2.c b/src/core/security/server_secure_chttp2.c
index 268ae58280..42c4b63868 100644
--- a/src/core/security/server_secure_chttp2.c
+++ b/src/core/security/server_secure_chttp2.c
@@ -51,12 +51,14 @@
#include <grpc/support/sync.h>
#include <grpc/support/useful.h>
-typedef struct tcp_endpoint_list {
+typedef struct tcp_endpoint_list
+{
grpc_endpoint *tcp_endpoint;
struct tcp_endpoint_list *next;
} tcp_endpoint_list;
-typedef struct grpc_server_secure_state {
+typedef struct grpc_server_secure_state
+{
grpc_server *server;
grpc_tcp_server *tcp;
grpc_security_connector *sc;
@@ -69,151 +71,160 @@ typedef struct grpc_server_secure_state {
grpc_closure *destroy_callback;
} grpc_server_secure_state;
-static void state_ref(grpc_server_secure_state *state) {
- gpr_ref(&state->refcount);
+static void
+state_ref (grpc_server_secure_state * state)
+{
+ gpr_ref (&state->refcount);
}
-static void state_unref(grpc_server_secure_state *state) {
- if (gpr_unref(&state->refcount)) {
- /* ensure all threads have unlocked */
- gpr_mu_lock(&state->mu);
- gpr_mu_unlock(&state->mu);
- /* clean up */
- GRPC_SECURITY_CONNECTOR_UNREF(state->sc, "server");
- grpc_server_credentials_unref(state->creds);
- gpr_free(state);
- }
+static void
+state_unref (grpc_server_secure_state * state)
+{
+ if (gpr_unref (&state->refcount))
+ {
+ /* ensure all threads have unlocked */
+ gpr_mu_lock (&state->mu);
+ gpr_mu_unlock (&state->mu);
+ /* clean up */
+ GRPC_SECURITY_CONNECTOR_UNREF (state->sc, "server");
+ grpc_server_credentials_unref (state->creds);
+ gpr_free (state);
+ }
}
-static void setup_transport(void *statep, grpc_transport *transport,
- grpc_mdctx *mdctx,
- grpc_closure_list *closure_list) {
+static void
+setup_transport (void *statep, grpc_transport * transport, grpc_mdctx * mdctx, grpc_closure_list * closure_list)
+{
static grpc_channel_filter const *extra_filters[] = {
- &grpc_server_auth_filter, &grpc_http_server_filter};
+ &grpc_server_auth_filter, &grpc_http_server_filter
+ };
grpc_server_secure_state *state = statep;
grpc_channel_args *args_copy;
grpc_arg args_to_add[2];
- args_to_add[0] = grpc_security_connector_to_arg(state->sc);
- args_to_add[1] =
- grpc_auth_metadata_processor_to_arg(&state->creds->processor);
- args_copy = grpc_channel_args_copy_and_add(
- grpc_server_get_channel_args(state->server), args_to_add,
- GPR_ARRAY_SIZE(args_to_add));
- grpc_server_setup_transport(state->server, transport, extra_filters,
- GPR_ARRAY_SIZE(extra_filters), mdctx, args_copy,
- closure_list);
- grpc_channel_args_destroy(args_copy);
+ args_to_add[0] = grpc_security_connector_to_arg (state->sc);
+ args_to_add[1] = grpc_auth_metadata_processor_to_arg (&state->creds->processor);
+ args_copy = grpc_channel_args_copy_and_add (grpc_server_get_channel_args (state->server), args_to_add, GPR_ARRAY_SIZE (args_to_add));
+ grpc_server_setup_transport (state->server, transport, extra_filters, GPR_ARRAY_SIZE (extra_filters), mdctx, args_copy, closure_list);
+ grpc_channel_args_destroy (args_copy);
}
-static int remove_tcp_from_list_locked(grpc_server_secure_state *state,
- grpc_endpoint *tcp) {
+static int
+remove_tcp_from_list_locked (grpc_server_secure_state * state, grpc_endpoint * tcp)
+{
tcp_endpoint_list *node = state->handshaking_tcp_endpoints;
tcp_endpoint_list *tmp = NULL;
- if (node && node->tcp_endpoint == tcp) {
- state->handshaking_tcp_endpoints = state->handshaking_tcp_endpoints->next;
- gpr_free(node);
- return 0;
- }
- while (node) {
- if (node->next->tcp_endpoint == tcp) {
- tmp = node->next;
- node->next = node->next->next;
- gpr_free(tmp);
+ if (node && node->tcp_endpoint == tcp)
+ {
+ state->handshaking_tcp_endpoints = state->handshaking_tcp_endpoints->next;
+ gpr_free (node);
return 0;
}
- node = node->next;
- }
+ while (node)
+ {
+ if (node->next->tcp_endpoint == tcp)
+ {
+ tmp = node->next;
+ node->next = node->next->next;
+ gpr_free (tmp);
+ return 0;
+ }
+ node = node->next;
+ }
return -1;
}
-static void on_secure_handshake_done(void *statep, grpc_security_status status,
- grpc_endpoint *wrapped_endpoint,
- grpc_endpoint *secure_endpoint,
- grpc_closure_list *closure_list) {
+static void
+on_secure_handshake_done (void *statep, grpc_security_status status, grpc_endpoint * wrapped_endpoint, grpc_endpoint * secure_endpoint, grpc_closure_list * closure_list)
+{
grpc_server_secure_state *state = statep;
grpc_transport *transport;
grpc_mdctx *mdctx;
- if (status == GRPC_SECURITY_OK) {
- gpr_mu_lock(&state->mu);
- remove_tcp_from_list_locked(state, wrapped_endpoint);
- if (!state->is_shutdown) {
- mdctx = grpc_mdctx_create();
- transport = grpc_create_chttp2_transport(
- grpc_server_get_channel_args(state->server), secure_endpoint, mdctx,
- 0, closure_list);
- setup_transport(state, transport, mdctx, closure_list);
- grpc_chttp2_transport_start_reading(transport, NULL, 0, closure_list);
- } else {
- /* We need to consume this here, because the server may already have gone
- * away. */
- grpc_endpoint_destroy(secure_endpoint, closure_list);
+ if (status == GRPC_SECURITY_OK)
+ {
+ gpr_mu_lock (&state->mu);
+ remove_tcp_from_list_locked (state, wrapped_endpoint);
+ if (!state->is_shutdown)
+ {
+ mdctx = grpc_mdctx_create ();
+ transport = grpc_create_chttp2_transport (grpc_server_get_channel_args (state->server), secure_endpoint, mdctx, 0, closure_list);
+ setup_transport (state, transport, mdctx, closure_list);
+ grpc_chttp2_transport_start_reading (transport, NULL, 0, closure_list);
+ }
+ else
+ {
+ /* We need to consume this here, because the server may already have gone
+ * away. */
+ grpc_endpoint_destroy (secure_endpoint, closure_list);
+ }
+ gpr_mu_unlock (&state->mu);
}
- gpr_mu_unlock(&state->mu);
- } else {
- gpr_mu_lock(&state->mu);
- remove_tcp_from_list_locked(state, wrapped_endpoint);
- gpr_mu_unlock(&state->mu);
- gpr_log(GPR_ERROR, "Secure transport failed with error %d", status);
- }
- state_unref(state);
+ else
+ {
+ gpr_mu_lock (&state->mu);
+ remove_tcp_from_list_locked (state, wrapped_endpoint);
+ gpr_mu_unlock (&state->mu);
+ gpr_log (GPR_ERROR, "Secure transport failed with error %d", status);
+ }
+ state_unref (state);
}
-static void on_accept(void *statep, grpc_endpoint *tcp,
- grpc_closure_list *closure_list) {
+static void
+on_accept (void *statep, grpc_endpoint * tcp, grpc_closure_list * closure_list)
+{
grpc_server_secure_state *state = statep;
tcp_endpoint_list *node;
- state_ref(state);
- node = gpr_malloc(sizeof(tcp_endpoint_list));
+ state_ref (state);
+ node = gpr_malloc (sizeof (tcp_endpoint_list));
node->tcp_endpoint = tcp;
- gpr_mu_lock(&state->mu);
+ gpr_mu_lock (&state->mu);
node->next = state->handshaking_tcp_endpoints;
state->handshaking_tcp_endpoints = node;
- gpr_mu_unlock(&state->mu);
- grpc_security_connector_do_handshake(state->sc, tcp, on_secure_handshake_done,
- state, closure_list);
+ gpr_mu_unlock (&state->mu);
+ grpc_security_connector_do_handshake (state->sc, tcp, on_secure_handshake_done, state, closure_list);
}
/* Server callback: start listening on our ports */
-static void start(grpc_server *server, void *statep, grpc_pollset **pollsets,
- size_t pollset_count, grpc_closure_list *closure_list) {
+static void
+start (grpc_server * server, void *statep, grpc_pollset ** pollsets, size_t pollset_count, grpc_closure_list * closure_list)
+{
grpc_server_secure_state *state = statep;
- grpc_tcp_server_start(state->tcp, pollsets, pollset_count, on_accept, state,
- closure_list);
+ grpc_tcp_server_start (state->tcp, pollsets, pollset_count, on_accept, state, closure_list);
}
-static void destroy_done(void *statep, int success,
- grpc_closure_list *closure_list) {
+static void
+destroy_done (void *statep, int success, grpc_closure_list * closure_list)
+{
grpc_server_secure_state *state = statep;
- state->destroy_callback->cb(state->destroy_callback->cb_arg, success,
- closure_list);
- gpr_mu_lock(&state->mu);
- while (state->handshaking_tcp_endpoints != NULL) {
- grpc_endpoint_shutdown(state->handshaking_tcp_endpoints->tcp_endpoint,
- closure_list);
- remove_tcp_from_list_locked(state,
- state->handshaking_tcp_endpoints->tcp_endpoint);
- }
- gpr_mu_unlock(&state->mu);
- state_unref(state);
+ state->destroy_callback->cb (state->destroy_callback->cb_arg, success, closure_list);
+ gpr_mu_lock (&state->mu);
+ while (state->handshaking_tcp_endpoints != NULL)
+ {
+ grpc_endpoint_shutdown (state->handshaking_tcp_endpoints->tcp_endpoint, closure_list);
+ remove_tcp_from_list_locked (state, state->handshaking_tcp_endpoints->tcp_endpoint);
+ }
+ gpr_mu_unlock (&state->mu);
+ state_unref (state);
}
/* Server callback: destroy the tcp listener (so we don't generate further
callbacks) */
-static void destroy(grpc_server *server, void *statep, grpc_closure *callback,
- grpc_closure_list *closure_list) {
+static void
+destroy (grpc_server * server, void *statep, grpc_closure * callback, grpc_closure_list * closure_list)
+{
grpc_server_secure_state *state = statep;
grpc_tcp_server *tcp;
- gpr_mu_lock(&state->mu);
+ gpr_mu_lock (&state->mu);
state->is_shutdown = 1;
state->destroy_callback = callback;
tcp = state->tcp;
- gpr_mu_unlock(&state->mu);
- grpc_closure_init(&state->destroy_closure, destroy_done, state);
- grpc_tcp_server_destroy(tcp, &state->destroy_closure, closure_list);
+ gpr_mu_unlock (&state->mu);
+ grpc_closure_init (&state->destroy_closure, destroy_done, state);
+ grpc_tcp_server_destroy (tcp, &state->destroy_closure, closure_list);
}
-int grpc_server_add_secure_http2_port(grpc_server *server, const char *addr,
- grpc_server_credentials *creds) {
+int
+grpc_server_add_secure_http2_port (grpc_server * server, const char *addr, grpc_server_credentials * creds)
+{
grpc_resolved_addresses *resolved = NULL;
grpc_tcp_server *tcp = NULL;
grpc_server_secure_state *state = NULL;
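Review bot: remove_tcp_from_list_locked reads `node->next->tcp_endpoint` inside the `while (node)` loop without checking that `node->next` is non-NULL, so looking up an endpoint that is not in a non-empty list dereferences NULL at the tail instead of reaching `return -1`. The not-found return value suggests that case is expected, and it looks reachable from the visible code: destroy_done empties the list while handshakes may still be in flight, and on_secure_handshake_done calls this function unconditionally on both the success and failure paths. The loop condition should be `while (node && node->next)` so an absent endpoint falls through to the `return -1`. The function is entirely inside the hunk.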
@@ -226,83 +237,92 @@ int grpc_server_add_secure_http2_port(grpc_server *server, const char *addr,
grpc_closure_list closure_list = GRPC_CLOSURE_LIST_INIT;
/* create security context */
- if (creds == NULL) goto error;
- status = grpc_server_credentials_create_security_connector(creds, &sc);
- if (status != GRPC_SECURITY_OK) {
- gpr_log(GPR_ERROR,
- "Unable to create secure server with credentials of type %s.",
- creds->type);
+ if (creds == NULL)
goto error;
- }
+ status = grpc_server_credentials_create_security_connector (creds, &sc);
+ if (status != GRPC_SECURITY_OK)
+ {
+ gpr_log (GPR_ERROR, "Unable to create secure server with credentials of type %s.", creds->type);
+ goto error;
+ }
/* resolve address */
- resolved = grpc_blocking_resolve_address(addr, "https");
- if (!resolved) {
- goto error;
- }
+ resolved = grpc_blocking_resolve_address (addr, "https");
+ if (!resolved)
+ {
+ goto error;
+ }
- tcp = grpc_tcp_server_create();
- if (!tcp) {
- goto error;
- }
+ tcp = grpc_tcp_server_create ();
+ if (!tcp)
+ {
+ goto error;
+ }
- for (i = 0; i < resolved->naddrs; i++) {
- port_temp = grpc_tcp_server_add_port(
- tcp, (struct sockaddr *)&resolved->addrs[i].addr,
- resolved->addrs[i].len);
- if (port_temp >= 0) {
- if (port_num == -1) {
- port_num = port_temp;
- } else {
- GPR_ASSERT(port_num == port_temp);
- }
- count++;
+ for (i = 0; i < resolved->naddrs; i++)
+ {
+ port_temp = grpc_tcp_server_add_port (tcp, (struct sockaddr *) &resolved->addrs[i].addr, resolved->addrs[i].len);
+ if (port_temp >= 0)
+ {
+ if (port_num == -1)
+ {
+ port_num = port_temp;
+ }
+ else
+ {
+ GPR_ASSERT (port_num == port_temp);
+ }
+ count++;
+ }
}
- }
- if (count == 0) {
- gpr_log(GPR_ERROR, "No address added out of total %d resolved",
- resolved->naddrs);
- goto error;
- }
- if (count != resolved->naddrs) {
- gpr_log(GPR_ERROR, "Only %d addresses added out of total %d resolved",
- count, resolved->naddrs);
- /* if it's an error, don't we want to goto error; here ? */
- }
- grpc_resolved_addresses_destroy(resolved);
+ if (count == 0)
+ {
+ gpr_log (GPR_ERROR, "No address added out of total %d resolved", resolved->naddrs);
+ goto error;
+ }
+ if (count != resolved->naddrs)
+ {
+ gpr_log (GPR_ERROR, "Only %d addresses added out of total %d resolved", count, resolved->naddrs);
+ /* if it's an error, don't we want to goto error; here ? */
+ }
+ grpc_resolved_addresses_destroy (resolved);
- state = gpr_malloc(sizeof(*state));
- memset(state, 0, sizeof(*state));
+ state = gpr_malloc (sizeof (*state));
+ memset (state, 0, sizeof (*state));
state->server = server;
state->tcp = tcp;
state->sc = sc;
- state->creds = grpc_server_credentials_ref(creds);
+ state->creds = grpc_server_credentials_ref (creds);
state->handshaking_tcp_endpoints = NULL;
state->is_shutdown = 0;
- gpr_mu_init(&state->mu);
- gpr_ref_init(&state->refcount, 1);
+ gpr_mu_init (&state->mu);
+ gpr_ref_init (&state->refcount, 1);
/* Register with the server only upon success */
- grpc_server_add_listener(server, state, start, destroy, &closure_list);
+ grpc_server_add_listener (server, state, start, destroy, &closure_list);
- grpc_closure_list_run(&closure_list);
+ grpc_closure_list_run (&closure_list);
return port_num;
/* Error path: cleanup and return */
error:
- if (sc) {
- GRPC_SECURITY_CONNECTOR_UNREF(sc, "server");
- }
- if (resolved) {
- grpc_resolved_addresses_destroy(resolved);
- }
- if (tcp) {
- grpc_tcp_server_destroy(tcp, NULL, &closure_list);
- }
- if (state) {
- gpr_free(state);
- }
- grpc_closure_list_run(&closure_list);
+ if (sc)
+ {
+ GRPC_SECURITY_CONNECTOR_UNREF (sc, "server");
+ }
+ if (resolved)
+ {
+ grpc_resolved_addresses_destroy (resolved);
+ }
+ if (tcp)
+ {
+ grpc_tcp_server_destroy (tcp, NULL, &closure_list);
+ }
+ if (state)
+ {
+ gpr_free (state);
+ }
+ grpc_closure_list_run (&closure_list);
return 0;
}