aboutsummaryrefslogtreecommitdiffhomepage
path: root/src
diff options
context:
space:
mode:
authorGravatar Yihua Zhang <yihuaz@google.com>2018-07-02 13:29:27 -0700
committerGravatar Yihua Zhang <yihuaz@google.com>2018-07-02 13:29:27 -0700
commitc5f1eda10f7c04368450b757bda7fe4b58d62844 (patch)
treee5f7671750ff2b6de327cd1f9384015fc9bf8412 /src
parent6eb6c845aa419f0c3a3e6be69a7e74e72a306f90 (diff)
implement loca credentials
Diffstat (limited to 'src')
-rw-r--r--src/core/lib/security/credentials/local/local_credentials.cc77
-rw-r--r--src/core/lib/security/credentials/local/local_credentials.h40
-rw-r--r--src/core/lib/security/security_connector/local_security_connector.cc239
-rw-r--r--src/core/lib/security/security_connector/local_security_connector.h58
-rw-r--r--src/core/tsi/local_transport_security.cc222
-rw-r--r--src/core/tsi/local_transport_security.h51
-rw-r--r--src/python/grpcio/grpc_core_dependencies.py3
-rw-r--r--src/ruby/ext/grpc/rb_grpc_imports.generated.c4
-rw-r--r--src/ruby/ext/grpc/rb_grpc_imports.generated.h6
9 files changed, 700 insertions, 0 deletions
diff --git a/src/core/lib/security/credentials/local/local_credentials.cc b/src/core/lib/security/credentials/local/local_credentials.cc
new file mode 100644
index 0000000000..9a2f646ba5
--- /dev/null
+++ b/src/core/lib/security/credentials/local/local_credentials.cc
@@ -0,0 +1,77 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/credentials/local/local_credentials.h"
+
+#include <grpc/grpc.h>
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+
+#include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/security/security_connector/local_security_connector.h"
+
+#define GRPC_CREDENTIALS_TYPE_LOCAL "Local"
+
+static void local_credentials_destruct(grpc_channel_credentials* creds) {}
+
+static void local_server_credentials_destruct(grpc_server_credentials* creds) {}
+
+static grpc_security_status local_create_security_connector(
+ grpc_channel_credentials* creds,
+ grpc_call_credentials* request_metadata_creds, const char* target_name,
+ const grpc_channel_args* args, grpc_channel_security_connector** sc,
+ grpc_channel_args** new_args) {
+ return grpc_local_channel_security_connector_create(
+ creds, request_metadata_creds, args, target_name, sc);
+}
+
+static grpc_security_status local_server_create_security_connector(
+ grpc_server_credentials* creds, grpc_server_security_connector** sc) {
+ return grpc_local_server_security_connector_create(creds, sc);
+}
+
+static const grpc_channel_credentials_vtable local_credentials_vtable = {
+ local_credentials_destruct, local_create_security_connector,
+ /*duplicate_without_call_credentials=*/nullptr};
+
+static const grpc_server_credentials_vtable local_server_credentials_vtable = {
+ local_server_credentials_destruct, local_server_create_security_connector};
+
+grpc_channel_credentials* grpc_local_credentials_create(
+ grpc_local_connect_type connect_type) {
+ auto creds = static_cast<grpc_local_credentials*>(
+ gpr_zalloc(sizeof(grpc_local_credentials)));
+ creds->connect_type = connect_type;
+ creds->base.type = GRPC_CREDENTIALS_TYPE_LOCAL;
+ creds->base.vtable = &local_credentials_vtable;
+ gpr_ref_init(&creds->base.refcount, 1);
+ return &creds->base;
+}
+
+grpc_server_credentials* grpc_local_server_credentials_create(
+ grpc_local_connect_type connect_type) {
+ auto creds = static_cast<grpc_local_server_credentials*>(
+ gpr_zalloc(sizeof(grpc_local_server_credentials)));
+ creds->connect_type = connect_type;
+ creds->base.type = GRPC_CREDENTIALS_TYPE_LOCAL;
+ creds->base.vtable = &local_server_credentials_vtable;
+ gpr_ref_init(&creds->base.refcount, 1);
+ return &creds->base;
+}
diff --git a/src/core/lib/security/credentials/local/local_credentials.h b/src/core/lib/security/credentials/local/local_credentials.h
new file mode 100644
index 0000000000..47358b04bc
--- /dev/null
+++ b/src/core/lib/security/credentials/local/local_credentials.h
@@ -0,0 +1,40 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_LOCAL_LOCAL_CREDENTIALS_H
+#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_LOCAL_LOCAL_CREDENTIALS_H
+
+#include <grpc/support/port_platform.h>
+
+#include <grpc/grpc_security.h>
+
+#include "src/core/lib/security/credentials/credentials.h"
+
+/* Main struct for grpc local channel credential. */
+typedef struct grpc_local_credentials {
+ grpc_channel_credentials base;
+ grpc_local_connect_type connect_type;
+} grpc_local_credentials;
+
+/* Main struct for grpc local server credential. */
+typedef struct grpc_local_server_credentials {
+ grpc_server_credentials base;
+ grpc_local_connect_type connect_type;
+} grpc_local_server_credentials;
+
+#endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_LOCAL_LOCAL_CREDENTIALS_H */
diff --git a/src/core/lib/security/security_connector/local_security_connector.cc b/src/core/lib/security/security_connector/local_security_connector.cc
new file mode 100644
index 0000000000..3fe72013bd
--- /dev/null
+++ b/src/core/lib/security/security_connector/local_security_connector.cc
@@ -0,0 +1,239 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/security_connector/local_security_connector.h"
+
+#include <stdbool.h>
+#include <string.h>
+
+#include <grpc/grpc.h>
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+#include <grpc/support/string_util.h>
+
+#include "src/core/ext/filters/client_channel/client_channel.h"
+#include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/security/credentials/local/local_credentials.h"
+#include "src/core/lib/security/transport/security_handshaker.h"
+#include "src/core/tsi/local_transport_security.h"
+
+#define GRPC_UDS_URL_SCHEME "unix"
+#define GRPC_LOCAL_TRANSPORT_SECURITY_TYPE "local"
+
+typedef struct {
+ grpc_channel_security_connector base;
+ char* target_name;
+} grpc_local_channel_security_connector;
+
+typedef struct {
+ grpc_server_security_connector base;
+} grpc_local_server_security_connector;
+
+static void local_channel_destroy(grpc_security_connector* sc) {
+ if (sc == nullptr) {
+ return;
+ }
+ auto c = reinterpret_cast<grpc_local_channel_security_connector*>(sc);
+ grpc_call_credentials_unref(c->base.request_metadata_creds);
+ grpc_channel_credentials_unref(c->base.channel_creds);
+ gpr_free(c->target_name);
+ gpr_free(sc);
+}
+
+static void local_server_destroy(grpc_security_connector* sc) {
+ if (sc == nullptr) {
+ return;
+ }
+ auto c = reinterpret_cast<grpc_local_server_security_connector*>(sc);
+ grpc_server_credentials_unref(c->base.server_creds);
+ gpr_free(sc);
+}
+
+static void local_channel_add_handshakers(
+ grpc_channel_security_connector* sc,
+ grpc_handshake_manager* handshake_manager) {
+ tsi_handshaker* handshaker = nullptr;
+ GPR_ASSERT(local_tsi_handshaker_create(true /* is_client */, &handshaker) ==
+ TSI_OK);
+ grpc_handshake_manager_add(handshake_manager, grpc_security_handshaker_create(
+ handshaker, &sc->base));
+}
+
+static void local_server_add_handshakers(
+ grpc_server_security_connector* sc,
+ grpc_handshake_manager* handshake_manager) {
+ tsi_handshaker* handshaker = nullptr;
+ GPR_ASSERT(local_tsi_handshaker_create(false /* is_client */, &handshaker) ==
+ TSI_OK);
+ grpc_handshake_manager_add(handshake_manager, grpc_security_handshaker_create(
+ handshaker, &sc->base));
+}
+
+static int local_channel_cmp(grpc_security_connector* sc1,
+ grpc_security_connector* sc2) {
+ grpc_local_channel_security_connector* c1 =
+ reinterpret_cast<grpc_local_channel_security_connector*>(sc1);
+ grpc_local_channel_security_connector* c2 =
+ reinterpret_cast<grpc_local_channel_security_connector*>(sc2);
+ int c = grpc_channel_security_connector_cmp(&c1->base, &c2->base);
+ if (c != 0) return c;
+ return strcmp(c1->target_name, c2->target_name);
+}
+
+static int local_server_cmp(grpc_security_connector* sc1,
+ grpc_security_connector* sc2) {
+ grpc_local_server_security_connector* c1 =
+ reinterpret_cast<grpc_local_server_security_connector*>(sc1);
+ grpc_local_server_security_connector* c2 =
+ reinterpret_cast<grpc_local_server_security_connector*>(sc2);
+ return grpc_server_security_connector_cmp(&c1->base, &c2->base);
+}
+
+static grpc_security_status local_auth_context_create(grpc_auth_context** ctx) {
+ if (ctx == nullptr) {
+ gpr_log(GPR_ERROR, "Invalid arguments to local_auth_context_create()");
+ return GRPC_SECURITY_ERROR;
+ }
+ /* Create auth context. */
+ *ctx = grpc_auth_context_create(nullptr);
+ grpc_auth_context_add_cstring_property(
+ *ctx, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
+ GRPC_LOCAL_TRANSPORT_SECURITY_TYPE);
+ GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
+ *ctx, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME) == 1);
+ return GRPC_SECURITY_OK;
+}
+
+static void local_check_peer(grpc_security_connector* sc, tsi_peer peer,
+ grpc_auth_context** auth_context,
+ grpc_closure* on_peer_checked) {
+ grpc_security_status status;
+ status = local_auth_context_create(auth_context);
+ grpc_error* error = status == GRPC_SECURITY_OK
+ ? GRPC_ERROR_NONE
+ : GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+ "Could not create local auth context");
+ GRPC_CLOSURE_SCHED(on_peer_checked, error);
+}
+
+static grpc_security_connector_vtable local_channel_vtable = {
+ local_channel_destroy, local_check_peer, local_channel_cmp};
+
+static grpc_security_connector_vtable local_server_vtable = {
+ local_server_destroy, local_check_peer, local_server_cmp};
+
+static bool local_check_call_host(grpc_channel_security_connector* sc,
+ const char* host,
+ grpc_auth_context* auth_context,
+ grpc_closure* on_call_host_checked,
+ grpc_error** error) {
+ grpc_local_channel_security_connector* local_sc =
+ reinterpret_cast<grpc_local_channel_security_connector*>(sc);
+ if (host == nullptr || local_sc == nullptr ||
+ strcmp(host, local_sc->target_name) != 0) {
+ *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+ "local call host does not match target name");
+ }
+ return true;
+}
+
+static void local_cancel_check_call_host(grpc_channel_security_connector* sc,
+ grpc_closure* on_call_host_checked,
+ grpc_error* error) {
+ GRPC_ERROR_UNREF(error);
+}
+
+grpc_security_status grpc_local_channel_security_connector_create(
+ grpc_channel_credentials* channel_creds,
+ grpc_call_credentials* request_metadata_creds,
+ const grpc_channel_args* args, const char* target_name,
+ grpc_channel_security_connector** sc) {
+ if (channel_creds == nullptr || sc == nullptr || target_name == nullptr) {
+ gpr_log(
+ GPR_ERROR,
+ "Invalid arguments to grpc_local_channel_security_connector_create()");
+ return GRPC_SECURITY_ERROR;
+ }
+ // Check if local_connect_type is UDS. Only UDS is supported for now.
+ grpc_local_credentials* creds =
+ reinterpret_cast<grpc_local_credentials*>(channel_creds);
+ if (creds->connect_type != UDS) {
+ gpr_log(GPR_ERROR,
+ "Invalid local channel type to "
+ "grpc_local_channel_security_connector_create()");
+ return GRPC_SECURITY_ERROR;
+ }
+ // Check if target_name is a valid UDS address.
+ const grpc_arg* server_uri_arg =
+ grpc_channel_args_find(args, GRPC_ARG_SERVER_URI);
+ const char* server_uri_str = grpc_channel_arg_get_string(server_uri_arg);
+ if (strncmp(GRPC_UDS_URL_SCHEME, server_uri_str,
+ strlen(GRPC_UDS_URL_SCHEME)) != 0) {
+ gpr_log(GPR_ERROR,
+ "Invalid target_name to "
+ "grpc_local_channel_security_connector_create()");
+ return GRPC_SECURITY_ERROR;
+ }
+ auto c = static_cast<grpc_local_channel_security_connector*>(
+ gpr_zalloc(sizeof(grpc_local_channel_security_connector)));
+ gpr_ref_init(&c->base.base.refcount, 1);
+ c->base.base.vtable = &local_channel_vtable;
+ c->base.add_handshakers = local_channel_add_handshakers;
+ c->base.channel_creds = grpc_channel_credentials_ref(channel_creds);
+ c->base.request_metadata_creds =
+ grpc_call_credentials_ref(request_metadata_creds);
+ c->base.check_call_host = local_check_call_host;
+ c->base.cancel_check_call_host = local_cancel_check_call_host;
+ c->base.base.url_scheme =
+ creds->connect_type == UDS ? GRPC_UDS_URL_SCHEME : nullptr;
+ c->target_name = gpr_strdup(target_name);
+ *sc = &c->base;
+ return GRPC_SECURITY_OK;
+}
+
+grpc_security_status grpc_local_server_security_connector_create(
+ grpc_server_credentials* server_creds,
+ grpc_server_security_connector** sc) {
+ if (server_creds == nullptr || sc == nullptr) {
+ gpr_log(
+ GPR_ERROR,
+ "Invalid arguments to grpc_local_server_security_connector_create()");
+ return GRPC_SECURITY_ERROR;
+ }
+ // Check if local_connect_type is UDS. Only UDS is supported for now.
+ grpc_local_server_credentials* creds =
+ reinterpret_cast<grpc_local_server_credentials*>(server_creds);
+ if (creds->connect_type != UDS) {
+ gpr_log(GPR_ERROR,
+ "Invalid local server type to "
+ "grpc_local_server_security_connector_create()");
+ return GRPC_SECURITY_ERROR;
+ }
+ auto c = static_cast<grpc_local_server_security_connector*>(
+ gpr_zalloc(sizeof(grpc_local_server_security_connector)));
+ gpr_ref_init(&c->base.base.refcount, 1);
+ c->base.base.vtable = &local_server_vtable;
+ c->base.server_creds = grpc_server_credentials_ref(server_creds);
+ c->base.base.url_scheme =
+ creds->connect_type == UDS ? GRPC_UDS_URL_SCHEME : nullptr;
+ c->base.add_handshakers = local_server_add_handshakers;
+ *sc = &c->base;
+ return GRPC_SECURITY_OK;
+}
diff --git a/src/core/lib/security/security_connector/local_security_connector.h b/src/core/lib/security/security_connector/local_security_connector.h
new file mode 100644
index 0000000000..a970a74788
--- /dev/null
+++ b/src/core/lib/security/security_connector/local_security_connector.h
@@ -0,0 +1,58 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_LOCAL_SECURITY_CONNECTOR_H
+#define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_LOCAL_SECURITY_CONNECTOR_H
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/context/security_context.h"
+
+/**
+ * This method creates a local channel security connector.
+ *
+ * - channel_creds: channel credential instance.
+ * - request_metadata_creds: credential object which will be sent with each
+ * request. This parameter can be nullptr.
+ * - target_name: the name of the endpoint that the channel is connecting to.
+ * - args: channel args passed from the caller.
+ * - sc: address of local channel security connector instance to be returned
+ * from the method.
+ *
+ * It returns GRPC_SECURITY_OK on success, and an error stauts code on failure.
+ */
+grpc_security_status grpc_local_channel_security_connector_create(
+ grpc_channel_credentials* channel_creds,
+ grpc_call_credentials* request_metadata_creds,
+ const grpc_channel_args* args, const char* target_name,
+ grpc_channel_security_connector** sc);
+
+/**
+ * This method creates a local server security connector.
+ *
+ * - server_creds: server credential instance.
+ * - sc: address of local server security connector instance to be returned from
+ * the method.
+ *
+ * It returns GRPC_SECURITY_OK on success, and an error status code on failure.
+ */
+grpc_security_status grpc_local_server_security_connector_create(
+ grpc_server_credentials* server_creds, grpc_server_security_connector** sc);
+
+#endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_LOCAL_SECURITY_CONNECTOR_H \
+ */
diff --git a/src/core/tsi/local_transport_security.cc b/src/core/tsi/local_transport_security.cc
new file mode 100644
index 0000000000..2799098108
--- /dev/null
+++ b/src/core/tsi/local_transport_security.cc
@@ -0,0 +1,222 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/tsi/local_transport_security.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+#include <grpc/support/string_util.h>
+
+#include "src/core/lib/iomgr/exec_ctx.h"
+#include "src/core/tsi/transport_security_grpc.h"
+
+#define TSI_LOCAL_PEER_IDENTITY "local"
+
+/* Main struct for local TSI zero-copy frame protector. */
+typedef struct local_zero_copy_grpc_protector {
+ tsi_zero_copy_grpc_protector base;
+} local_zero_copy_grpc_protector;
+
+/* Main struct for local TSI handshaker result. */
+typedef struct local_tsi_handshaker_result {
+ tsi_handshaker_result base;
+ char* peer_identity;
+ bool is_client;
+} local_tsi_handshaker_result;
+
+/* Main struct for local TSI handshaker. */
+typedef struct local_tsi_handshaker {
+ tsi_handshaker base;
+ bool is_client;
+} local_tsi_handshaker;
+
+/* --- tsi_zero_copy_grpc_protector methods implementation. --- */
+
+static tsi_result local_zero_copy_grpc_protector_protect(
+ tsi_zero_copy_grpc_protector* self, grpc_slice_buffer* unprotected_slices,
+ grpc_slice_buffer* protected_slices) {
+ if (self == nullptr || unprotected_slices == nullptr ||
+ protected_slices == nullptr) {
+ gpr_log(GPR_ERROR, "Invalid nullptr arguments to zero-copy grpc protect.");
+ return TSI_INVALID_ARGUMENT;
+ }
+ grpc_slice_buffer_move_into(unprotected_slices, protected_slices);
+ return TSI_OK;
+}
+
+static tsi_result local_zero_copy_grpc_protector_unprotect(
+ tsi_zero_copy_grpc_protector* self, grpc_slice_buffer* protected_slices,
+ grpc_slice_buffer* unprotected_slices) {
+ if (self == nullptr || unprotected_slices == nullptr ||
+ protected_slices == nullptr) {
+ gpr_log(GPR_ERROR,
+ "Invalid nullptr arguments to zero-copy grpc unprotect.");
+ return TSI_INVALID_ARGUMENT;
+ }
+ grpc_slice_buffer_move_into(protected_slices, unprotected_slices);
+ return TSI_OK;
+}
+
+static void local_zero_copy_grpc_protector_destroy(
+ tsi_zero_copy_grpc_protector* self) {
+ gpr_free(self);
+}
+
+static const tsi_zero_copy_grpc_protector_vtable
+ local_zero_copy_grpc_protector_vtable = {
+ local_zero_copy_grpc_protector_protect,
+ local_zero_copy_grpc_protector_unprotect,
+ local_zero_copy_grpc_protector_destroy};
+
+tsi_result local_zero_copy_grpc_protector_create(
+ tsi_zero_copy_grpc_protector** protector) {
+ if (grpc_core::ExecCtx::Get() == nullptr || protector == nullptr) {
+ gpr_log(
+ GPR_ERROR,
+ "Invalid nullptr arguments to local_zero_copy_grpc_protector create.");
+ return TSI_INVALID_ARGUMENT;
+ }
+ local_zero_copy_grpc_protector* impl =
+ static_cast<local_zero_copy_grpc_protector*>(gpr_zalloc(sizeof(*impl)));
+ impl->base.vtable = &local_zero_copy_grpc_protector_vtable;
+ *protector = &impl->base;
+ return TSI_OK;
+}
+
+/* --- tsi_handshaker_result methods implementation. --- */
+
+static tsi_result handshaker_result_extract_peer(
+ const tsi_handshaker_result* self, tsi_peer* peer) {
+ return TSI_OK;
+}
+
+static tsi_result handshaker_result_create_zero_copy_grpc_protector(
+ const tsi_handshaker_result* self, size_t* max_output_protected_frame_size,
+ tsi_zero_copy_grpc_protector** protector) {
+ if (self == nullptr || protector == nullptr) {
+ gpr_log(GPR_ERROR,
+ "Invalid arguments to create_zero_copy_grpc_protector()");
+ return TSI_INVALID_ARGUMENT;
+ }
+ tsi_result ok = local_zero_copy_grpc_protector_create(protector);
+ if (ok != TSI_OK) {
+ gpr_log(GPR_ERROR, "Failed to create zero-copy grpc protector");
+ }
+ return ok;
+}
+
+static void handshaker_result_destroy(tsi_handshaker_result* self) {
+ if (self == nullptr) {
+ return;
+ }
+ local_tsi_handshaker_result* result =
+ reinterpret_cast<local_tsi_handshaker_result*>(
+ const_cast<tsi_handshaker_result*>(self));
+ gpr_free(result->peer_identity);
+ gpr_free(result);
+}
+
+static const tsi_handshaker_result_vtable result_vtable = {
+ handshaker_result_extract_peer,
+ handshaker_result_create_zero_copy_grpc_protector,
+ nullptr, /* handshaker_result_create_frame_protector */
+ nullptr, /* handshaker_result_get_unused_bytes */
+ handshaker_result_destroy};
+
+static tsi_result create_handshaker_result(bool is_client,
+ tsi_handshaker_result** self) {
+ if (self == nullptr) {
+ gpr_log(GPR_ERROR, "Invalid arguments to create_handshaker_result()");
+ return TSI_INVALID_ARGUMENT;
+ }
+ local_tsi_handshaker_result* result =
+ static_cast<local_tsi_handshaker_result*>(gpr_zalloc(sizeof(*result)));
+ result->is_client = is_client;
+ result->base.vtable = &result_vtable;
+ /* Create a peer identity with random information that will be later converted
+ * to auth context. Without this peer identity, the santiy check in {client,
+ * server}_auth_filter that verifies if the peer's auth context is obtained
+ * during handshakes will fail. Since the peer identity information in auth
+ * context is only checked for its existence (not actually used), we only
+ * populate some random data and later will provision more meaningful peer if
+ * needed (e.g., peer's pid/uid/gid from credentials).
+ */
+ result->peer_identity = gpr_strdup(TSI_LOCAL_PEER_IDENTITY);
+ *self = &result->base;
+ return TSI_OK;
+}
+
+/* --- tsi_handshaker methods implementation. --- */
+
+static tsi_result handshaker_next(
+ tsi_handshaker* self, const unsigned char* received_bytes,
+ size_t received_bytes_size, const unsigned char** bytes_to_send,
+ size_t* bytes_to_send_size, tsi_handshaker_result** result,
+ tsi_handshaker_on_next_done_cb cb, void* user_data) {
+ if (self == nullptr) {
+ gpr_log(GPR_ERROR, "Invalid arguments to handshaker_next()");
+ return TSI_INVALID_ARGUMENT;
+ }
+ /* Note that there is no interaction between TSI peers, and all operations are
+ * local.
+ */
+ local_tsi_handshaker* handshaker =
+ reinterpret_cast<local_tsi_handshaker*>(self);
+ *bytes_to_send_size = 0;
+ create_handshaker_result(handshaker->is_client, result);
+ return TSI_OK;
+}
+
+static void handshaker_destroy(tsi_handshaker* self) {
+ if (self == nullptr) {
+ return;
+ }
+ local_tsi_handshaker* handshaker =
+ reinterpret_cast<local_tsi_handshaker*>(self);
+ gpr_free(handshaker);
+}
+
+static const tsi_handshaker_vtable handshaker_vtable = {
+ nullptr, /* get_bytes_to_send_to_peer -- deprecated */
+ nullptr, /* process_bytes_from_peer -- deprecated */
+ nullptr, /* get_result -- deprecated */
+ nullptr, /* extract_peer -- deprecated */
+ nullptr, /* create_frame_protector -- deprecated */
+ handshaker_destroy,
+ handshaker_next,
+ nullptr, /* shutdown */
+};
+
+tsi_result local_tsi_handshaker_create(bool is_client, tsi_handshaker** self) {
+ if (self == nullptr) {
+ gpr_log(GPR_ERROR, "Invalid arguments to local_tsi_handshaker_create()");
+ return TSI_INVALID_ARGUMENT;
+ }
+ local_tsi_handshaker* handshaker =
+ static_cast<local_tsi_handshaker*>(gpr_zalloc(sizeof(*handshaker)));
+ handshaker->is_client = is_client;
+ handshaker->base.vtable = &handshaker_vtable;
+ *self = &handshaker->base;
+ return TSI_OK;
+}
diff --git a/src/core/tsi/local_transport_security.h b/src/core/tsi/local_transport_security.h
new file mode 100644
index 0000000000..17213ecf35
--- /dev/null
+++ b/src/core/tsi/local_transport_security.h
@@ -0,0 +1,51 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#ifndef GRPC_CORE_TSI_LOCAL_TRANSPORT_SECURITY_H
+#define GRPC_CORE_TSI_LOCAL_TRANSPORT_SECURITY_H
+
+#include <grpc/support/port_platform.h>
+
+#include <grpc/grpc.h>
+
+#include "src/core/tsi/transport_security.h"
+#include "src/core/tsi/transport_security_interface.h"
+
+#define TSI_LOCAL_NUM_OF_PEER_PROPERTIES 1
+#define TSI_LOCAL_PROCESS_ID_PEER_PROPERTY "process_id"
+
+/**
+ * Main struct for local TSI handshaker. All APIs in the header are
+ * thread-comptabile.
+ */
+typedef struct local_tsi_handshaker local_tsi_handshaker;
+
+/**
+ * This method creates a local TSI handshaker instance.
+ *
+ * - is_client: boolean value indicating if the handshaker is used at the client
+ * (is_client = true) or server (is_client = false) side. The parameter is
+ * added for future extension.
+ * - self: address of local TSI handshaker instance to be returned from the
+ * method.
+ *
+ * It returns TSI_OK on success and an error status code on failure.
+ */
+tsi_result local_tsi_handshaker_create(bool is_client, tsi_handshaker** self);
+
+#endif /* GRPC_CORE_TSI_LOCAL_TRANSPORT_SECURITY_H */
diff --git a/src/python/grpcio/grpc_core_dependencies.py b/src/python/grpcio/grpc_core_dependencies.py
index 05d4786f3f..1746020b72 100644
--- a/src/python/grpcio/grpc_core_dependencies.py
+++ b/src/python/grpcio/grpc_core_dependencies.py
@@ -249,10 +249,12 @@ CORE_SOURCE_FILES = [
'src/core/lib/security/credentials/jwt/json_token.cc',
'src/core/lib/security/credentials/jwt/jwt_credentials.cc',
'src/core/lib/security/credentials/jwt/jwt_verifier.cc',
+ 'src/core/lib/security/credentials/local/local_credentials.cc',
'src/core/lib/security/credentials/oauth2/oauth2_credentials.cc',
'src/core/lib/security/credentials/plugin/plugin_credentials.cc',
'src/core/lib/security/credentials/ssl/ssl_credentials.cc',
'src/core/lib/security/security_connector/alts_security_connector.cc',
+ 'src/core/lib/security/security_connector/local_security_connector.cc',
'src/core/lib/security/security_connector/security_connector.cc',
'src/core/lib/security/transport/client_auth_filter.cc',
'src/core/lib/security/transport/secure_endpoint.cc',
@@ -325,6 +327,7 @@ CORE_SOURCE_FILES = [
'src/core/ext/filters/deadline/deadline_filter.cc',
'src/core/tsi/alts_transport_security.cc',
'src/core/tsi/fake_transport_security.cc',
+ 'src/core/tsi/local_transport_security.cc',
'src/core/tsi/ssl/session_cache/ssl_session_boringssl.cc',
'src/core/tsi/ssl/session_cache/ssl_session_cache.cc',
'src/core/tsi/ssl/session_cache/ssl_session_openssl.cc',
diff --git a/src/ruby/ext/grpc/rb_grpc_imports.generated.c b/src/ruby/ext/grpc/rb_grpc_imports.generated.c
index 031699ce8e..6b1bcf6fcd 100644
--- a/src/ruby/ext/grpc/rb_grpc_imports.generated.c
+++ b/src/ruby/ext/grpc/rb_grpc_imports.generated.c
@@ -142,6 +142,8 @@ grpc_alts_credentials_client_options_add_target_service_account_type grpc_alts_c
grpc_alts_credentials_options_destroy_type grpc_alts_credentials_options_destroy_import;
grpc_alts_credentials_create_type grpc_alts_credentials_create_import;
grpc_alts_server_credentials_create_type grpc_alts_server_credentials_create_import;
+grpc_local_credentials_create_type grpc_local_credentials_create_import;
+grpc_local_server_credentials_create_type grpc_local_server_credentials_create_import;
grpc_raw_byte_buffer_create_type grpc_raw_byte_buffer_create_import;
grpc_raw_compressed_byte_buffer_create_type grpc_raw_compressed_byte_buffer_create_import;
grpc_byte_buffer_copy_type grpc_byte_buffer_copy_import;
@@ -388,6 +390,8 @@ void grpc_rb_load_imports(HMODULE library) {
grpc_alts_credentials_options_destroy_import = (grpc_alts_credentials_options_destroy_type) GetProcAddress(library, "grpc_alts_credentials_options_destroy");
grpc_alts_credentials_create_import = (grpc_alts_credentials_create_type) GetProcAddress(library, "grpc_alts_credentials_create");
grpc_alts_server_credentials_create_import = (grpc_alts_server_credentials_create_type) GetProcAddress(library, "grpc_alts_server_credentials_create");
+ grpc_local_credentials_create_import = (grpc_local_credentials_create_type) GetProcAddress(library, "grpc_local_credentials_create");
+ grpc_local_server_credentials_create_import = (grpc_local_server_credentials_create_type) GetProcAddress(library, "grpc_local_server_credentials_create");
grpc_raw_byte_buffer_create_import = (grpc_raw_byte_buffer_create_type) GetProcAddress(library, "grpc_raw_byte_buffer_create");
grpc_raw_compressed_byte_buffer_create_import = (grpc_raw_compressed_byte_buffer_create_type) GetProcAddress(library, "grpc_raw_compressed_byte_buffer_create");
grpc_byte_buffer_copy_import = (grpc_byte_buffer_copy_type) GetProcAddress(library, "grpc_byte_buffer_copy");
diff --git a/src/ruby/ext/grpc/rb_grpc_imports.generated.h b/src/ruby/ext/grpc/rb_grpc_imports.generated.h
index 474405ae3f..20052c28a4 100644
--- a/src/ruby/ext/grpc/rb_grpc_imports.generated.h
+++ b/src/ruby/ext/grpc/rb_grpc_imports.generated.h
@@ -401,6 +401,12 @@ extern grpc_alts_credentials_create_type grpc_alts_credentials_create_import;
typedef grpc_server_credentials*(*grpc_alts_server_credentials_create_type)(const grpc_alts_credentials_options* options);
extern grpc_alts_server_credentials_create_type grpc_alts_server_credentials_create_import;
#define grpc_alts_server_credentials_create grpc_alts_server_credentials_create_import
+typedef grpc_channel_credentials*(*grpc_local_credentials_create_type)(grpc_local_connect_type type);
+extern grpc_local_credentials_create_type grpc_local_credentials_create_import;
+#define grpc_local_credentials_create grpc_local_credentials_create_import
+typedef grpc_server_credentials*(*grpc_local_server_credentials_create_type)(grpc_local_connect_type type);
+extern grpc_local_server_credentials_create_type grpc_local_server_credentials_create_import;
+#define grpc_local_server_credentials_create grpc_local_server_credentials_create_import
typedef grpc_byte_buffer*(*grpc_raw_byte_buffer_create_type)(grpc_slice* slices, size_t nslices);
extern grpc_raw_byte_buffer_create_type grpc_raw_byte_buffer_create_import;
#define grpc_raw_byte_buffer_create grpc_raw_byte_buffer_create_import