authorGravatar jboeuf <jboeuf@users.noreply.github.com>2017-11-03 21:22:14 -0700
committerGravatar GitHub <noreply@github.com>2017-11-03 21:22:14 -0700
commite5bca395f9bd9e6c017db3fd318ec608b5289341 (patch)
tree8e1d2ca65c9d5f07a0fc81049a94e25bfbcb1b6a /src
parent6da4f51e06f4077af5beb057ec5316c4ed5229ee (diff)
parenta274f341d545c88c68178227b3be40ac4c03e77e (diff)
Merge pull request #13235 from jboeuf/jwt_audience
Removing port 443 for the service name (used as jwt audience) for https
Diffstat (limited to 'src')
-rw-r--r--src/core/lib/security/transport/auth_filters.h8
-rw-r--r--src/core/lib/security/transport/client_auth_filter.cc48
2 files changed, 36 insertions, 20 deletions
diff --git a/src/core/lib/security/transport/auth_filters.h b/src/core/lib/security/transport/auth_filters.h
index ba5df7fe70..b49bd554de 100644
--- a/src/core/lib/security/transport/auth_filters.h
+++ b/src/core/lib/security/transport/auth_filters.h
@@ -19,6 +19,7 @@
#ifndef GRPC_CORE_LIB_SECURITY_TRANSPORT_AUTH_FILTERS_H
#define GRPC_CORE_LIB_SECURITY_TRANSPORT_AUTH_FILTERS_H
+#include <grpc/grpc_security.h>
#include "src/core/lib/channel/channel_stack.h"
#ifdef __cplusplus
@@ -28,6 +29,13 @@ extern "C" {
extern const grpc_channel_filter grpc_client_auth_filter;
extern const grpc_channel_filter grpc_server_auth_filter;
+void grpc_auth_metadata_context_build(
+ const char *url_scheme, grpc_slice call_host, grpc_slice call_method,
+ grpc_auth_context *auth_context,
+ grpc_auth_metadata_context *auth_md_context);
+
+void grpc_auth_metadata_context_reset(grpc_auth_metadata_context *context);
+
#ifdef __cplusplus
}
#endif
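Review bot: The two functions this hunk exports, grpc_auth_metadata_context_build and grpc_auth_metadata_context_reset, are added to the public header without a doc comment, so a caller cannot tell from here what the context owns or who releases it. Add a `/** ... */` comment on grpc_auth_metadata_context_build stating that it first resets `*auth_md_context`, then fills service_url with `url_scheme://call_host/service` (the service being call_method up to its last '/', with a trailing `:443` dropped from the host when url_scheme is GRPC_SSL_URL_SCHEME) and method_name with the part after that slash, and takes a reference on auth_context. The comment on grpc_auth_metadata_context_reset should say that it frees the fields the build function filled in (service_url is visibly freed; what else it releases is outside this diff and should be confirmed in the .cc) and that the caller is expected to pair every build with a reset.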
diff --git a/src/core/lib/security/transport/client_auth_filter.cc b/src/core/lib/security/transport/client_auth_filter.cc
index a8464dbf9e..0bbfa471d2 100644
--- a/src/core/lib/security/transport/client_auth_filter.cc
+++ b/src/core/lib/security/transport/client_auth_filter.cc
@@ -65,7 +65,7 @@ typedef struct {
grpc_auth_context *auth_context;
} channel_data;
-static void reset_auth_metadata_context(
+void grpc_auth_metadata_context_reset(
grpc_auth_metadata_context *auth_md_context) {
if (auth_md_context->service_url != NULL) {
gpr_free((char *)auth_md_context->service_url);
@@ -96,7 +96,7 @@ static void on_credentials_metadata(grpc_exec_ctx *exec_ctx, void *arg,
grpc_call_element *elem =
(grpc_call_element *)batch->handler_private.extra_arg;
call_data *calld = (call_data *)elem->call_data;
- reset_auth_metadata_context(&calld->auth_md_context);
+ grpc_auth_metadata_context_reset(&calld->auth_md_context);
grpc_error *error = GRPC_ERROR_REF(input_error);
if (error == GRPC_ERROR_NONE) {
GPR_ASSERT(calld->md_array.size <= MAX_CREDENTIALS_METADATA_COUNT);
@@ -119,34 +119,41 @@ static void on_credentials_metadata(grpc_exec_ctx *exec_ctx, void *arg,
}
}
-void build_auth_metadata_context(grpc_security_connector *sc,
- grpc_auth_context *auth_context,
- call_data *calld) {
- char *service = grpc_slice_to_c_string(calld->method);
+void grpc_auth_metadata_context_build(
+ const char *url_scheme, grpc_slice call_host, grpc_slice call_method,
+ grpc_auth_context *auth_context,
+ grpc_auth_metadata_context *auth_md_context) {
+ char *service = grpc_slice_to_c_string(call_method);
char *last_slash = strrchr(service, '/');
char *method_name = NULL;
char *service_url = NULL;
- reset_auth_metadata_context(&calld->auth_md_context);
+ grpc_auth_metadata_context_reset(auth_md_context);
if (last_slash == NULL) {
gpr_log(GPR_ERROR, "No '/' found in fully qualified method name");
service[0] = '\0';
+ method_name = gpr_strdup("");
} else if (last_slash == service) {
- /* No service part in fully qualified method name: will just be "/". */
- service[1] = '\0';
+ method_name = gpr_strdup("");
} else {
*last_slash = '\0';
method_name = gpr_strdup(last_slash + 1);
}
- if (method_name == NULL) method_name = gpr_strdup("");
- char *host = grpc_slice_to_c_string(calld->host);
- gpr_asprintf(&service_url, "%s://%s%s",
- sc->url_scheme == NULL ? "" : sc->url_scheme, host, service);
- calld->auth_md_context.service_url = service_url;
- calld->auth_md_context.method_name = method_name;
- calld->auth_md_context.channel_auth_context =
+ char *host_and_port = grpc_slice_to_c_string(call_host);
+ if (strcmp(url_scheme, GRPC_SSL_URL_SCHEME) == 0) {
+ /* Remove the port if it is 443. */
+ char *port_delimiter = strrchr(host_and_port, ':');
+ if (port_delimiter != NULL && strcmp(port_delimiter + 1, "443") == 0) {
+ *port_delimiter = '\0';
+ }
+ }
+ gpr_asprintf(&service_url, "%s://%s%s", url_scheme == NULL ? "" : url_scheme,
+ host_and_port, service);
+ auth_md_context->service_url = service_url;
+ auth_md_context->method_name = method_name;
+ auth_md_context->channel_auth_context =
GRPC_AUTH_CONTEXT_REF(auth_context, "grpc_auth_metadata_context");
gpr_free(service);
- gpr_free(host);
+ gpr_free(host_and_port);
}
static void cancel_get_request_metadata(grpc_exec_ctx *exec_ctx, void *arg,
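Review bot: The new `strcmp(url_scheme, GRPC_SSL_URL_SCHEME)` runs before the `url_scheme == NULL ? "" : url_scheme` guard in the gpr_asprintf call a few lines below, so a NULL scheme, which that guard says is possible, is passed straight to strcmp, which is undefined behaviour and in practice a crash; the guard should cover the comparison too, `if (url_scheme != NULL && strcmp(url_scheme, GRPC_SSL_URL_SCHEME) == 0) {`. The port stripping itself relies on strrchr(':'), which for a bracketed IPv6 literal without a port returns a colon inside the brackets; the "443" comparison then fails harmlessly, but a short comment such as `/* strrchr finds the port delimiter after a bracketed IPv6 literal; a bare IPv6 host is not expected here. */` would make that assumption explicit. Now that the function is exported, the handling of a NULL scheme is part of its contract and belongs in its comment as well.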
@@ -198,8 +205,9 @@ static void send_security_metadata(grpc_exec_ctx *exec_ctx,
call_creds_has_md ? ctx->creds : channel_call_creds);
}
- build_auth_metadata_context(&chand->security_connector->base,
- chand->auth_context, calld);
+ grpc_auth_metadata_context_build(
+ chand->security_connector->base.url_scheme, calld->host, calld->method,
+ chand->auth_context, &calld->auth_md_context);
GPR_ASSERT(calld->pollent != NULL);
@@ -369,7 +377,7 @@ static void destroy_call_elem(grpc_exec_ctx *exec_ctx, grpc_call_element *elem,
if (calld->have_method) {
grpc_slice_unref_internal(exec_ctx, calld->method);
}
- reset_auth_metadata_context(&calld->auth_md_context);
+ grpc_auth_metadata_context_reset(&calld->auth_md_context);
}
/* Constructor for channel_data */