aboutsummaryrefslogtreecommitdiffhomepage
path: root/src/objective-c/GRPCClient
diff options
context:
space:
mode:
authorGravatar Paul Querna <pquerna@apache.org>2016-03-03 23:09:06 -0800
committerGravatar Paul Querna <pquerna@apache.org>2016-04-29 08:19:44 -0700
commit40f11aa5dc706892d1a5b848ac9f9d85a0cf12cd (patch)
treecfd4c3586988638025b311041ec3bc13405238d3 /src/objective-c/GRPCClient
parent5e6cc81842184386271e3429b9958477ad2899ba (diff)
Objective-C: Add ChannelCredentials to gRPC Call.
GRPCHost now has a property channelCreds which is used when creating a GRPCChannel.
Diffstat (limited to 'src/objective-c/GRPCClient')
-rw-r--r--src/objective-c/GRPCClient/GRPCCall+ChannelCredentials.h56
-rw-r--r--src/objective-c/GRPCClient/GRPCCall+ChannelCredentials.m66
-rw-r--r--src/objective-c/GRPCClient/GRPCCall+Tests.m12
-rw-r--r--src/objective-c/GRPCClient/private/GRPCChannel.h12
-rw-r--r--src/objective-c/GRPCClient/private/GRPCChannel.m52
-rw-r--r--src/objective-c/GRPCClient/private/GRPCHost.h7
-rw-r--r--src/objective-c/GRPCClient/private/GRPCHost.m92
7 files changed, 224 insertions, 73 deletions
diff --git a/src/objective-c/GRPCClient/GRPCCall+ChannelCredentials.h b/src/objective-c/GRPCClient/GRPCCall+ChannelCredentials.h
new file mode 100644
index 0000000000..343dd48a14
--- /dev/null
+++ b/src/objective-c/GRPCClient/GRPCCall+ChannelCredentials.h
@@ -0,0 +1,56 @@
+/*
+ *
+ * Copyright 2016, Google Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#import "GRPCCall.h"
+
+/** Helpers for setting TLS Trusted Roots, Client Certificates, and Private Key */
+@interface GRPCCall (ChannelCredentials)
+
+/**
+ * Use the provided @c pemRootCert as the set of trusted root Certificate Authorities for @c host.
+ */
++ (BOOL)setTLSPEMRootCerts:(nullable NSString *)pemRootCert
+ forHost:(nonnull NSString *)host
+ error:(NSError **)errorPtr;
+/**
+ * Configures @c host with TLS/SSL Client Credentials and optionally trusted root Certificate
+ * Authorities. If @c pemRootCerts is nil, the default CA Certificates bundled with gRPC will be
+ * used.
+ */
++ (BOOL)setTLSPEMRootCerts:(nullable NSString *)pemRootCerts
+ withPrivateKey:(nullable NSString *)pemPrivateKey
+ withCertChain:(nullable NSString *)pemCertChain
+ forHost:(nonnull NSString *)host
+ error:(NSError **)errorPtr;
+
+@end
diff --git a/src/objective-c/GRPCClient/GRPCCall+ChannelCredentials.m b/src/objective-c/GRPCClient/GRPCCall+ChannelCredentials.m
new file mode 100644
index 0000000000..a8bcd0aab4
--- /dev/null
+++ b/src/objective-c/GRPCClient/GRPCCall+ChannelCredentials.m
@@ -0,0 +1,66 @@
+/*
+ *
+ * Copyright 2016, Google Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#import "GRPCCall+ChannelCredentials.h"
+
+#import "private/GRPCHost.h"
+
+@implementation GRPCCall (ChannelCredentials)
+
++ (BOOL)setTLSPEMRootCerts:(nullable NSString *)pemRootCerts
+ withPrivateKey:(nullable NSString *)pemPrivateKey
+ withCertChain:(nullable NSString *)pemCertChain
+ forHost:(nonnull NSString *)host
+ error:(NSError **)errorPtr {
+ if (!host) {
+ [NSException raise:NSInvalidArgumentException
+ format:@"host must be provided."];
+ }
+ GRPCHost *hostConfig = [GRPCHost hostWithAddress:host];
+ return [hostConfig setTLSPEMRootCerts:pemRootCerts
+ withPrivateKey:pemPrivateKey
+ withCertChain:pemCertChain
+ error:errorPtr];
+}
+
++ (BOOL)setTLSPEMRootCerts:(nullable NSString *)pemRootCerts
+ forHost:(nonnull NSString *)host
+ error:(NSError **)errorPtr {
+ return [GRPCCall setTLSPEMRootCerts:pemRootCerts
+ withPrivateKey:nil
+ withCertChain:nil
+ forHost:host
+ error:errorPtr];
+}
+
+@end
diff --git a/src/objective-c/GRPCClient/GRPCCall+Tests.m b/src/objective-c/GRPCClient/GRPCCall+Tests.m
index c8e8133703..b9456691bd 100644
--- a/src/objective-c/GRPCClient/GRPCCall+Tests.m
+++ b/src/objective-c/GRPCClient/GRPCCall+Tests.m
@@ -1,6 +1,6 @@
/*
*
- * Copyright 2015, Google Inc.
+ * Copyright 2015-2016, Google Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -43,8 +43,16 @@
if (!host || !certsPath || !testName) {
[NSException raise:NSInvalidArgumentException format:@"host, path and name must be provided."];
}
+ NSError *error = nil;
+ NSString *certs = [NSString stringWithContentsOfFile:certsPath
+ encoding:NSUTF8StringEncoding
+ error:&error];
+ if (error != nil) {
+ [NSException raise:[error localizedDescription] format:@"failed to load certs"];
+ }
+
GRPCHost *hostConfig = [GRPCHost hostWithAddress:host];
- hostConfig.pathToCertificates = certsPath;
+ [hostConfig setTLSPEMRootCerts:certs withPrivateKey:nil withCertChain:nil error:nil];
hostConfig.hostNameOverride = testName;
}
diff --git a/src/objective-c/GRPCClient/private/GRPCChannel.h b/src/objective-c/GRPCClient/private/GRPCChannel.h
index 73bf8d95e7..70d1a9bd2f 100644
--- a/src/objective-c/GRPCClient/private/GRPCChannel.h
+++ b/src/objective-c/GRPCClient/private/GRPCChannel.h
@@ -56,18 +56,6 @@ struct grpc_channel_credentials;
+ (nullable GRPCChannel *)secureChannelWithHost:(nonnull NSString *)host;
/**
- * Creates a secure channel to the specified @c host using the specified @c pathToCertificates and
- * @c channelArgs. Only in tests should @c pathToCertificates be nil or
- * @c GRPC_SSL_TARGET_NAME_OVERRIDE_ARG channel arg be set. Passing nil for @c pathToCertificates
- * results in using the default root certificates distributed with the library. If certificates
- * could not be found in any case, then @c nil is returned.
- */
-+ (nullable GRPCChannel *)secureChannelWithHost:(nonnull NSString *)host
- pathToCertificates:(nullable NSString *)pathToCertificates
- channelArgs:(nullable NSDictionary *)channelArgs;
-
-
-/**
* Creates a secure channel to the specified @c host using the specified @c credentials and
* @c channelArgs. Only in tests should @c GRPC_SSL_TARGET_NAME_OVERRIDE_ARG channel arg be set.
*/
diff --git a/src/objective-c/GRPCClient/private/GRPCChannel.m b/src/objective-c/GRPCClient/private/GRPCChannel.m
index 926f55048d..203ef58c0d 100644
--- a/src/objective-c/GRPCClient/private/GRPCChannel.m
+++ b/src/objective-c/GRPCClient/private/GRPCChannel.m
@@ -40,26 +40,6 @@
#import "GRPCCompletionQueue.h"
-/**
- * Returns @c grpc_channel_credentials from the specified @c path. If the file at the path could not
- * be read then NULL is returned. If NULL is returned, @c errorPtr may not be NULL if there are
- * details available describing what went wrong.
- */
-static grpc_channel_credentials *CertificatesAtPath(NSString *path, NSError **errorPtr) {
- // Files in PEM format can have non-ASCII characters in their comments (e.g. for the name of the
- // issuer). Load them as UTF8 and produce an ASCII equivalent.
- NSString *contentInUTF8 = [NSString stringWithContentsOfFile:path
- encoding:NSUTF8StringEncoding
- error:errorPtr];
- NSData *contentInASCII = [contentInUTF8 dataUsingEncoding:NSASCIIStringEncoding
- allowLossyConversion:YES];
- if (!contentInASCII.bytes) {
- // Passing NULL to grpc_ssl_credentials_create produces behavior we don't want, so return.
- return NULL;
- }
- return grpc_ssl_credentials_create(contentInASCII.bytes, NULL, NULL);
-}
-
void freeChannelArgs(grpc_channel_args *channel_args) {
for (size_t i = 0; i < channel_args->num_args; ++i) {
grpc_arg *arg = &channel_args->args[i];
@@ -158,38 +138,6 @@ grpc_channel_args * buildChannelArgs(NSDictionary *dictionary) {
}
+ (GRPCChannel *)secureChannelWithHost:(NSString *)host
- pathToCertificates:(NSString *)path
- channelArgs:(NSDictionary *)channelArgs {
- // Load default SSL certificates once.
- static grpc_channel_credentials *kDefaultCertificates;
- static dispatch_once_t loading;
- dispatch_once(&loading, ^{
- NSString *defaultPath = @"gRPCCertificates.bundle/roots"; // .pem
- // Do not use NSBundle.mainBundle, as it's nil for tests of library projects.
- NSBundle *bundle = [NSBundle bundleForClass:self.class];
- NSString *path = [bundle pathForResource:defaultPath ofType:@"pem"];
- NSError *error;
- kDefaultCertificates = CertificatesAtPath(path, &error);
- NSAssert(kDefaultCertificates, @"Could not read %@/%@.pem. This file, with the root "
- "certificates, is needed to establish secure (TLS) connections. Because the file is "
- "distributed with the gRPC library, this error is usually a sign that the library "
- "wasn't configured correctly for your project. Error: %@",
- bundle.bundlePath, defaultPath, error);
- });
-
- //TODO(jcanizales): Add NSError** parameter to the initializer.
- grpc_channel_credentials *certificates = path
- ? CertificatesAtPath(path, NULL)
- : kDefaultCertificates;
-
- return [[GRPCChannel alloc] initWithHost:host
- secure:YES
- credentials:certificates
- channelArgs:channelArgs];
-}
-
-
-+ (GRPCChannel *)secureChannelWithHost:(NSString *)host
credentials:(struct grpc_channel_credentials *)credentials
channelArgs:(NSDictionary *)channelArgs {
return [[GRPCChannel alloc] initWithHost:host
diff --git a/src/objective-c/GRPCClient/private/GRPCHost.h b/src/objective-c/GRPCClient/private/GRPCHost.h
index e58bb7a2d9..9220e2a33d 100644
--- a/src/objective-c/GRPCClient/private/GRPCHost.h
+++ b/src/objective-c/GRPCClient/private/GRPCHost.h
@@ -37,23 +37,28 @@ NS_ASSUME_NONNULL_BEGIN
@class GRPCCompletionQueue;
struct grpc_call;
+struct grpc_channel_credentials;
@interface GRPCHost : NSObject
@property(nonatomic, readonly) NSString *address;
@property(nonatomic, copy, nullable) NSString *userAgentPrefix;
+@property(nonatomic, nullable) struct grpc_channel_credentials *channelCreds;
/** The following properties should only be modified for testing: */
@property(nonatomic, getter=isSecure) BOOL secure;
-@property(nonatomic, copy, nullable) NSString *pathToCertificates;
@property(nonatomic, copy, nullable) NSString *hostNameOverride;
- (nullable instancetype)init NS_UNAVAILABLE;
/** Host objects initialized with the same address are the same. */
+ (nullable instancetype)hostWithAddress:(NSString *)address;
- (nullable instancetype)initWithAddress:(NSString *)address NS_DESIGNATED_INITIALIZER;
+- (BOOL)setTLSPEMRootCerts:(nullable NSString *)pemRootCerts
+ withPrivateKey:(nullable NSString *)pemPrivateKey
+ withCertChain:(nullable NSString *)pemCertChain
+ error:(NSError **)errorPtr;
/** Create a grpc_call object to the provided path on this host. */
- (nullable struct grpc_call *)unmanagedCallWithPath:(NSString *)path
diff --git a/src/objective-c/GRPCClient/private/GRPCHost.m b/src/objective-c/GRPCClient/private/GRPCHost.m
index 739d808c53..43166cbb52 100644
--- a/src/objective-c/GRPCClient/private/GRPCHost.m
+++ b/src/objective-c/GRPCClient/private/GRPCHost.m
@@ -34,6 +34,7 @@
#import "GRPCHost.h"
#include <grpc/grpc.h>
+#include <grpc/grpc_security.h>
#import <GRPCClient/GRPCCall.h>
#import <GRPCClient/GRPCCall+ChannelArg.h>
@@ -56,6 +57,12 @@ NS_ASSUME_NONNULL_BEGIN
return [[self alloc] initWithAddress:address];
}
+- (void)dealloc {
+ if (_channelCreds != nil) {
+ grpc_channel_credentials_release(_channelCreds);
+ }
+}
+
// Default initializer.
- (nullable instancetype)initWithAddress:(NSString *)address {
if (!address) {
@@ -105,6 +112,75 @@ NS_ASSUME_NONNULL_BEGIN
return [channel unmanagedCallWithPath:path completionQueue:queue];
}
+- (BOOL)setTLSPEMRootCerts:(nullable NSString *)pemRootCerts
+ withPrivateKey:(nullable NSString *)pemPrivateKey
+ withCertChain:(nullable NSString *)pemCertChain
+ error:(NSError **)errorPtr {
+ static NSData *kDefaultRootsASCII;
+ static NSError *kDefaultRootsError;
+ static dispatch_once_t loading;
+ dispatch_once(&loading, ^{
+ NSString *defaultPath = @"gRPCCertificates.bundle/roots"; // .pem
+ // Do not use NSBundle.mainBundle, as it's nil for tests of library projects.
+ NSBundle *bundle = [NSBundle bundleForClass:self.class];
+ NSString *path = [bundle pathForResource:defaultPath ofType:@"pem"];
+ NSError *error;
+ // Files in PEM format can have non-ASCII characters in their comments (e.g. for the name of the
+ // issuer). Load them as UTF8 and produce an ASCII equivalent.
+ NSString *contentInUTF8 = [NSString stringWithContentsOfFile:path
+ encoding:NSUTF8StringEncoding
+ error:&error];
+ if (contentInUTF8 == nil) {
+ kDefaultRootsError = error;
+ return;
+ }
+ kDefaultRootsASCII = [contentInUTF8 dataUsingEncoding:NSASCIIStringEncoding
+ allowLossyConversion:YES];
+ });
+
+ NSData *rootsASCII;
+ if (pemRootCerts != nil) {
+ rootsASCII = [pemRootCerts dataUsingEncoding:NSASCIIStringEncoding
+ allowLossyConversion:YES];
+ } else {
+ if (kDefaultRootsASCII == nil) {
+ if (errorPtr) {
+ *errorPtr = kDefaultRootsError;
+ }
+ NSAssert(kDefaultRootsASCII, @"Could not read gRPCCertificates.bundle/roots.pem. This file, "
+ "with the root certificates, is needed to establish secure (TLS) connections. "
+ "Because the file is distributed with the gRPC library, this error is usually a sign "
+ "that the library wasn't configured correctly for your project. Error: %@",
+ kDefaultRootsError);
+ return NO;
+ }
+ rootsASCII = kDefaultRootsASCII;
+ }
+
+ grpc_channel_credentials *creds;
+ if (pemPrivateKey == nil && pemCertChain == nil) {
+ creds = grpc_ssl_credentials_create(rootsASCII.bytes, NULL, NULL);
+ } else {
+ grpc_ssl_pem_key_cert_pair key_cert_pair;
+ NSData *privateKeyASCII = [pemPrivateKey dataUsingEncoding:NSASCIIStringEncoding
+ allowLossyConversion:YES];
+ NSData *certChainASCII = [pemCertChain dataUsingEncoding:NSASCIIStringEncoding
+ allowLossyConversion:YES];
+ key_cert_pair.private_key = privateKeyASCII.bytes;
+ key_cert_pair.cert_chain = certChainASCII.bytes;
+ creds = grpc_ssl_credentials_create(rootsASCII.bytes, &key_cert_pair, NULL);
+ }
+
+ @synchronized(self) {
+ if (_channelCreds != nil) {
+ grpc_channel_credentials_release(_channelCreds);
+ }
+ _channelCreds = creds;
+ }
+
+ return YES;
+}
+
- (NSDictionary *)channelArgs {
NSMutableDictionary *args = [NSMutableDictionary dictionary];
@@ -125,9 +201,16 @@ NS_ASSUME_NONNULL_BEGIN
- (GRPCChannel *)newChannel {
NSDictionary *args = [self channelArgs];
if (_secure) {
- return [GRPCChannel secureChannelWithHost:_address
- pathToCertificates:_pathToCertificates
- channelArgs:args];
+ GRPCChannel *channel;
+ @synchronized(self) {
+ if (_channelCreds == nil) {
+ [self setTLSPEMRootCerts:nil withPrivateKey:nil withCertChain:nil error:nil];
+ }
+ channel = [GRPCChannel secureChannelWithHost:_address
+ credentials:_channelCreds
+ channelArgs:args];
+ }
+ return channel;
} else {
return [GRPCChannel insecureChannelWithHost:_address channelArgs:args];
}
@@ -145,9 +228,6 @@ NS_ASSUME_NONNULL_BEGIN
}
}
-// TODO(jcanizales): Don't let set |secure| to |NO| if |pathToCertificates| or |hostNameOverride|
-// have been set. Don't let set either of the latter if |secure| has been set to |NO|.
-
@end
NS_ASSUME_NONNULL_END