diff options
| author |  Julien Boeuf <jboeuf@google.com> | 2015-08-26 11:19:10 -0700 |
|---|---|---|
| committer | Julien Boeuf <jboeuf@google.com> | 2015-08-26 11:19:10 -0700 |
| commit | 5b3516e2c5c3c6878d28cd19db73d5572851e6b9 (patch) | |
| tree | a34bde8ab374f35f5a6a6a4cdbdf741076dbd3fa /src/core/security | |
| parent | 9a8d0d3eaf8ccd1c3a6e27f1f8bbeeee85e64345 (diff) | |
| parent | 1f1919c8cfc61cd9af288cd1585b38b9c3511e1f (diff) | |
Merge branch 'master' of github.com:grpc/grpc into cpp_auth_md_processor
Diffstat (limited to 'src/core/security')
| -rw-r--r-- | src/core/security/auth_filters.h | 2 | ||||
| -rw-r--r-- | src/core/security/base64.h | 2 | ||||
| -rw-r--r-- | src/core/security/client_auth_filter.c | 8 | ||||
| -rw-r--r-- | src/core/security/credentials.c | 20 | ||||
| -rw-r--r-- | src/core/security/credentials.h | 5 | ||||
| -rw-r--r-- | src/core/security/credentials_metadata.c | 4 | ||||
| -rw-r--r-- | src/core/security/google_default_credentials.c | 6 | ||||
| -rw-r--r-- | src/core/security/json_token.h | 2 | ||||
| -rw-r--r-- | src/core/security/jwt_verifier.h | 1 | ||||
| -rw-r--r-- | src/core/security/secure_endpoint.c | 2 | ||||
| -rw-r--r-- | src/core/security/secure_endpoint.h | 2 | ||||
| -rw-r--r-- | src/core/security/secure_transport_setup.h | 2 | ||||
| -rw-r--r-- | src/core/security/security_connector.c | 20 | ||||
| -rw-r--r-- | src/core/security/security_context.c | 4 | ||||
| -rw-r--r-- | src/core/security/security_context.h | 3 | ||||
| -rw-r--r-- | src/core/security/server_auth_filter.c | 31 |
16 files changed, 61 insertions, 53 deletions
diff --git a/src/core/security/auth_filters.h b/src/core/security/auth_filters.h index ff921690e0..c179b54bec 100644 --- a/src/core/security/auth_filters.h +++ b/src/core/security/auth_filters.h @@ -39,4 +39,4 @@ extern const grpc_channel_filter grpc_client_auth_filter; extern const grpc_channel_filter grpc_server_auth_filter; -#endif /* GRPC_INTERNAL_CORE_SECURITY_AUTH_FILTERS_H */ +#endif /* GRPC_INTERNAL_CORE_SECURITY_AUTH_FILTERS_H */ diff --git a/src/core/security/base64.h b/src/core/security/base64.h index b9abc07b52..31ae982691 100644 --- a/src/core/security/base64.h +++ b/src/core/security/base64.h @@ -49,4 +49,4 @@ gpr_slice grpc_base64_decode(const char *b64, int url_safe); gpr_slice grpc_base64_decode_with_len(const char *b64, size_t b64_len, int url_safe); -#endif /* GRPC_INTERNAL_CORE_SECURITY_BASE64_H */ +#endif /* GRPC_INTERNAL_CORE_SECURITY_BASE64_H */ diff --git a/src/core/security/client_auth_filter.c b/src/core/security/client_auth_filter.c index 410852da52..8e63978b82 100644 --- a/src/core/security/client_auth_filter.c +++ b/src/core/security/client_auth_filter.c @@ -200,7 +200,7 @@ static void auth_start_transport_op(grpc_call_element *elem, channel_data *chand = elem->channel_data; grpc_linked_mdelem *l; size_t i; - grpc_client_security_context* sec_ctx = NULL; + grpc_client_security_context *sec_ctx = NULL; if (calld->security_context_set == 0) { calld->security_context_set = 1; @@ -316,9 +316,11 @@ static void init_channel_elem(grpc_channel_element *elem, grpc_channel *master, (grpc_channel_security_connector *)GRPC_SECURITY_CONNECTOR_REF( sc, "client_auth_filter"); chand->md_ctx = metadata_context; - chand->authority_string = grpc_mdstr_from_string(chand->md_ctx, ":authority", 0); + chand->authority_string = + grpc_mdstr_from_string(chand->md_ctx, ":authority", 0); chand->path_string = grpc_mdstr_from_string(chand->md_ctx, ":path", 0); - chand->error_msg_key = grpc_mdstr_from_string(chand->md_ctx, "grpc-message", 0); + chand->error_msg_key = + grpc_mdstr_from_string(chand->md_ctx, "grpc-message", 0); chand->status_key = grpc_mdstr_from_string(chand->md_ctx, "grpc-status", 0); } diff --git a/src/core/security/credentials.c b/src/core/security/credentials.c index 6421ce673d..8852cab3e7 100644 --- a/src/core/security/credentials.c +++ b/src/core/security/credentials.c @@ -793,16 +793,16 @@ void on_simulated_token_fetch_done(void *user_data, int success) { (grpc_credentials_metadata_request *)user_data; grpc_md_only_test_credentials *c = (grpc_md_only_test_credentials *)r->creds; GPR_ASSERT(success); - r->cb(r->user_data, c->md_store->entries, - c->md_store->num_entries, GRPC_CREDENTIALS_OK); + r->cb(r->user_data, c->md_store->entries, c->md_store->num_entries, + GRPC_CREDENTIALS_OK); grpc_credentials_metadata_request_destroy(r); } static void md_only_test_get_request_metadata(grpc_credentials *creds, - grpc_pollset *pollset, - const char *service_url, - grpc_credentials_metadata_cb cb, - void *user_data) { + grpc_pollset *pollset, + const char *service_url, + grpc_credentials_metadata_cb cb, + void *user_data) { grpc_md_only_test_credentials *c = (grpc_md_only_test_credentials *)creds; if (c->is_async) { @@ -854,10 +854,10 @@ static int access_token_has_request_metadata_only( } static void access_token_get_request_metadata(grpc_credentials *creds, - grpc_pollset *pollset, - const char *service_url, - grpc_credentials_metadata_cb cb, - void *user_data) { + grpc_pollset *pollset, + const char *service_url, + grpc_credentials_metadata_cb cb, + void *user_data) { grpc_access_token_credentials *c = (grpc_access_token_credentials *)creds; cb(user_data, c->access_token_md->entries, 1, GRPC_CREDENTIALS_OK); } diff --git a/src/core/security/credentials.h b/src/core/security/credentials.h index 04736525dc..29cd1ac87f 100644 --- a/src/core/security/credentials.h +++ b/src/core/security/credentials.h @@ -192,8 +192,9 @@ void grpc_flush_cached_google_default_credentials(void); /* Metadata-only credentials with the specified key and value where asynchronicity can be simulated for testing. */ -grpc_credentials *grpc_md_only_test_credentials_create( - const char *md_key, const char *md_value, int is_async); +grpc_credentials *grpc_md_only_test_credentials_create(const char *md_key, + const char *md_value, + int is_async); /* Private constructor for jwt credentials from an already parsed json key. Takes ownership of the key. */ diff --git a/src/core/security/credentials_metadata.c b/src/core/security/credentials_metadata.c index 22c786be56..b8a132f1ea 100644 --- a/src/core/security/credentials_metadata.c +++ b/src/core/security/credentials_metadata.c @@ -47,7 +47,8 @@ static void store_ensure_capacity(grpc_credentials_md_store *store) { grpc_credentials_md_store *grpc_credentials_md_store_create( size_t initial_capacity) { - grpc_credentials_md_store *store = gpr_malloc(sizeof(grpc_credentials_md_store)); + grpc_credentials_md_store *store = + gpr_malloc(sizeof(grpc_credentials_md_store)); memset(store, 0, sizeof(grpc_credentials_md_store)); if (initial_capacity > 0) { store->entries = gpr_malloc(initial_capacity * sizeof(grpc_credentials_md)); @@ -98,4 +99,3 @@ void grpc_credentials_md_store_unref(grpc_credentials_md_store *store) { gpr_free(store); } } - diff --git a/src/core/security/google_default_credentials.c b/src/core/security/google_default_credentials.c index d1f228665f..3631de867a 100644 --- a/src/core/security/google_default_credentials.c +++ b/src/core/security/google_default_credentials.c @@ -115,7 +115,7 @@ static int is_stack_running_on_compute_engine(void) { gpr_mu_lock(GRPC_POLLSET_MU(&detector.pollset)); while (!detector.is_done) { grpc_pollset_worker worker; - grpc_pollset_work(&detector.pollset, &worker, + grpc_pollset_work(&detector.pollset, &worker, gpr_now(GPR_CLOCK_MONOTONIC), gpr_inf_future(GPR_CLOCK_MONOTONIC)); } gpr_mu_unlock(GRPC_POLLSET_MU(&detector.pollset)); @@ -203,8 +203,8 @@ end: /* Blend with default ssl credentials and add a global reference so that it can be cached and re-served. */ grpc_credentials *ssl_creds = grpc_ssl_credentials_create(NULL, NULL); - default_credentials = grpc_credentials_ref(grpc_composite_credentials_create( - ssl_creds, result)); + default_credentials = grpc_credentials_ref( + grpc_composite_credentials_create(ssl_creds, result)); GPR_ASSERT(default_credentials != NULL); grpc_credentials_unref(ssl_creds); grpc_credentials_unref(result); diff --git a/src/core/security/json_token.h b/src/core/security/json_token.h index 091dfefb6e..7e06864ff3 100644 --- a/src/core/security/json_token.h +++ b/src/core/security/json_token.h @@ -115,4 +115,4 @@ grpc_auth_refresh_token grpc_auth_refresh_token_create_from_json( /* Destructs the object. */ void grpc_auth_refresh_token_destruct(grpc_auth_refresh_token *refresh_token); -#endif /* GRPC_INTERNAL_CORE_SECURITY_JSON_TOKEN_H */ +#endif /* GRPC_INTERNAL_CORE_SECURITY_JSON_TOKEN_H */ diff --git a/src/core/security/jwt_verifier.h b/src/core/security/jwt_verifier.h index 8077e24883..7a32debfcb 100644 --- a/src/core/security/jwt_verifier.h +++ b/src/core/security/jwt_verifier.h @@ -133,4 +133,3 @@ grpc_jwt_verifier_status grpc_jwt_claims_check(const grpc_jwt_claims *claims, const char *audience); #endif /* GRPC_INTERNAL_CORE_SECURITY_JWT_VERIFIER_H */ - diff --git a/src/core/security/secure_endpoint.c b/src/core/security/secure_endpoint.c index 95fbf71f3d..81b3e33cb2 100644 --- a/src/core/security/secure_endpoint.c +++ b/src/core/security/secure_endpoint.c @@ -332,7 +332,7 @@ static void endpoint_add_to_pollset(grpc_endpoint *secure_ep, } static void endpoint_add_to_pollset_set(grpc_endpoint *secure_ep, - grpc_pollset_set *pollset_set) { + grpc_pollset_set *pollset_set) { secure_endpoint *ep = (secure_endpoint *)secure_ep; grpc_endpoint_add_to_pollset_set(ep->wrapped_ep, pollset_set); } diff --git a/src/core/security/secure_endpoint.h b/src/core/security/secure_endpoint.h index 93c29b5111..c563bdd9c5 100644 --- a/src/core/security/secure_endpoint.h +++ b/src/core/security/secure_endpoint.h @@ -46,4 +46,4 @@ grpc_endpoint *grpc_secure_endpoint_create( struct tsi_frame_protector *protector, grpc_endpoint *to_wrap, gpr_slice *leftover_slices, size_t leftover_nslices); -#endif /* GRPC_INTERNAL_CORE_SECURITY_SECURE_ENDPOINT_H */ +#endif /* GRPC_INTERNAL_CORE_SECURITY_SECURE_ENDPOINT_H */ diff --git a/src/core/security/secure_transport_setup.h b/src/core/security/secure_transport_setup.h index 29025f5236..d9b802556d 100644 --- a/src/core/security/secure_transport_setup.h +++ b/src/core/security/secure_transport_setup.h @@ -50,4 +50,4 @@ void grpc_setup_secure_transport(grpc_security_connector *connector, grpc_secure_transport_setup_done_cb cb, void *user_data); -#endif /* GRPC_INTERNAL_CORE_SECURITY_SECURE_TRANSPORT_SETUP_H */ +#endif /* GRPC_INTERNAL_CORE_SECURITY_SECURE_TRANSPORT_SETUP_H */ diff --git a/src/core/security/security_connector.c b/src/core/security/security_connector.c index a354536dcd..ba9ac68c5f 100644 --- a/src/core/security/security_connector.c +++ b/src/core/security/security_connector.c @@ -575,6 +575,16 @@ grpc_security_status grpc_ssl_channel_security_connector_create( if (!check_request_metadata_creds(request_metadata_creds)) { goto error; } + if (config->pem_root_certs == NULL) { + pem_root_certs_size = grpc_get_default_ssl_roots(&pem_root_certs); + if (pem_root_certs == NULL || pem_root_certs_size == 0) { + gpr_log(GPR_ERROR, "Could not get default pem root certs."); + goto error; + } + } else { + pem_root_certs = config->pem_root_certs; + pem_root_certs_size = config->pem_root_certs_size; + } c = gpr_malloc(sizeof(grpc_ssl_channel_security_connector)); memset(c, 0, sizeof(grpc_ssl_channel_security_connector)); @@ -590,16 +600,6 @@ grpc_security_status grpc_ssl_channel_security_connector_create( if (overridden_target_name != NULL) { c->overridden_target_name = gpr_strdup(overridden_target_name); } - if (config->pem_root_certs == NULL) { - pem_root_certs_size = grpc_get_default_ssl_roots(&pem_root_certs); - if (pem_root_certs == NULL || pem_root_certs_size == 0) { - gpr_log(GPR_ERROR, "Could not get default pem root certs."); - goto error; - } - } else { - pem_root_certs = config->pem_root_certs; - pem_root_certs_size = config->pem_root_certs_size; - } result = tsi_create_ssl_client_handshaker_factory( config->pem_private_key, config->pem_private_key_size, config->pem_cert_chain, config->pem_cert_chain_size, pem_root_certs, diff --git a/src/core/security/security_context.c b/src/core/security/security_context.c index 1ef0fc9255..c1b434f302 100644 --- a/src/core/security/security_context.c +++ b/src/core/security/security_context.c @@ -204,8 +204,7 @@ int grpc_auth_context_set_peer_identity_property_name(grpc_auth_context *ctx, return 1; } -int grpc_auth_context_peer_is_authenticated( - const grpc_auth_context *ctx) { +int grpc_auth_context_peer_is_authenticated(const grpc_auth_context *ctx) { return ctx->peer_identity_property_name == NULL ? 0 : 1; } @@ -326,4 +325,3 @@ grpc_auth_metadata_processor *grpc_find_auth_metadata_processor_in_args( } return NULL; } - diff --git a/src/core/security/security_context.h b/src/core/security/security_context.h index 7fcd438cf6..a9a0306410 100644 --- a/src/core/security/security_context.h +++ b/src/core/security/security_context.h @@ -112,5 +112,4 @@ grpc_auth_metadata_processor *grpc_auth_metadata_processor_from_arg( grpc_auth_metadata_processor *grpc_find_auth_metadata_processor_in_args( const grpc_channel_args *args); -#endif /* GRPC_INTERNAL_CORE_SECURITY_SECURITY_CONTEXT_H */ - +#endif /* GRPC_INTERNAL_CORE_SECURITY_SECURITY_CONTEXT_H */ diff --git a/src/core/security/server_auth_filter.c b/src/core/security/server_auth_filter.c index 98d7788c83..57729be32c 100644 --- a/src/core/security/server_auth_filter.c +++ b/src/core/security/server_auth_filter.c @@ -105,24 +105,34 @@ static grpc_mdelem *remove_consumed_md(void *user_data, grpc_mdelem *md) { return md; } -static void on_md_processing_done(void *user_data, - const grpc_metadata *consumed_md, - size_t num_consumed_md, int success) { +static void on_md_processing_done( + void *user_data, const grpc_metadata *consumed_md, size_t num_consumed_md, + const grpc_metadata *response_md, size_t num_response_md, + grpc_status_code status, const char *error_details) { grpc_call_element *elem = user_data; call_data *calld = elem->call_data; - if (success) { + /* TODO(jboeuf): Implement support for response_md. */ + if (response_md != NULL && num_response_md > 0) { + gpr_log(GPR_INFO, + "response_md in auth metadata processing not supported for now. " + "Ignoring..."); + } + + if (status == GRPC_STATUS_OK) { calld->consumed_md = consumed_md; calld->num_consumed_md = num_consumed_md; grpc_metadata_batch_filter(&calld->md_op->data.metadata, remove_consumed_md, elem); - calld->on_done_recv->cb(calld->on_done_recv->cb_arg, success); + calld->on_done_recv->cb(calld->on_done_recv->cb_arg, 1); } else { - gpr_slice message = gpr_slice_from_copied_string( - "Authentication metadata processing failed."); + gpr_slice message; + error_details = error_details != NULL + ? error_details + : "Authentication metadata processing failed."; + message = gpr_slice_from_copied_string(error_details); grpc_sopb_reset(calld->recv_ops); - grpc_transport_stream_op_add_close(&calld->transport_op, - GRPC_STATUS_UNAUTHENTICATED, &message); + grpc_transport_stream_op_add_close(&calld->transport_op, status, &message); grpc_call_next_op(elem, &calld->transport_op); } grpc_metadata_array_destroy(&calld->md); @@ -212,8 +222,7 @@ static void init_call_elem(grpc_call_element *elem, } /* Destructor for call_data */ -static void destroy_call_elem(grpc_call_element *elem) { -} +static void destroy_call_elem(grpc_call_element *elem) {} /* Constructor for channel_data */ static void init_channel_elem(grpc_channel_element *elem, grpc_channel *master, |