diff options
Diffstat (limited to 'include')
| -rw-r--r-- | include/grpc++/impl/codegen/client_context.h | 8 | ||||
| -rw-r--r-- | include/grpc++/impl/codegen/create_auth_context.h | 48 | ||||
| -rw-r--r-- | include/grpc++/impl/codegen/server_context.h | 10 | ||||
| -rw-r--r-- | include/grpc++/security/server_credentials.h | 15 | ||||
| -rw-r--r-- | include/grpc/grpc_security.h | 38 | ||||
| -rw-r--r-- | include/grpc/grpc_security_constants.h | 114 | ||||
| -rw-r--r-- | include/grpc/impl/codegen/log.h | 7 | ||||
| -rw-r--r-- | include/grpc/impl/codegen/port_platform.h | 39 |
8 files changed, 234 insertions, 45 deletions
diff --git a/include/grpc++/impl/codegen/client_context.h b/include/grpc++/impl/codegen/client_context.h index aed12767a7..e23fd4eda3 100644 --- a/include/grpc++/impl/codegen/client_context.h +++ b/include/grpc++/impl/codegen/client_context.h @@ -55,6 +55,7 @@ #include <grpc++/impl/codegen/config.h> #include <grpc++/impl/codegen/core_codegen_interface.h> +#include <grpc++/impl/codegen/create_auth_context.h> #include <grpc++/impl/codegen/security/auth_context.h> #include <grpc++/impl/codegen/status.h> #include <grpc++/impl/codegen/string_ref.h> @@ -244,7 +245,12 @@ class ClientContext { /// Return the authentication context for this client call. /// /// \see grpc::AuthContext. - std::shared_ptr<const AuthContext> auth_context() const; + std::shared_ptr<const AuthContext> auth_context() const { + if (auth_context_.get() == nullptr) { + auth_context_ = CreateAuthContext(call_); + } + return auth_context_; + } /// Set credentials for the client call. /// diff --git a/include/grpc++/impl/codegen/create_auth_context.h b/include/grpc++/impl/codegen/create_auth_context.h new file mode 100644 index 0000000000..a386a368cd --- /dev/null +++ b/include/grpc++/impl/codegen/create_auth_context.h @@ -0,0 +1,48 @@ +/* + * + * Copyright 2015, Google Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following disclaimer + * in the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Google Inc. nor the names of its + * contributors may be used to endorse or promote products derived from + * this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef GRPCXX_IMPL_CODEGEN_CREATE_AUTH_CONTEXT_H +#define GRPCXX_IMPL_CODEGEN_CREATE_AUTH_CONTEXT_H + +#include <memory> + +#include <grpc++/impl/codegen/security/auth_context.h> +#include <grpc/impl/codegen/grpc_types.h> + +namespace grpc { + +std::shared_ptr<const AuthContext> CreateAuthContext(grpc_call* call); + +} // namespace grpc + +#endif // GRPCXX_IMPL_CODEGEN_CREATE_AUTH_CONTEXT_H diff --git a/include/grpc++/impl/codegen/server_context.h b/include/grpc++/impl/codegen/server_context.h index 7fa0235ca9..a1e1ed176f 100644 --- a/include/grpc++/impl/codegen/server_context.h +++ b/include/grpc++/impl/codegen/server_context.h @@ -38,6 +38,7 @@ #include <memory> #include <grpc++/impl/codegen/config.h> +#include <grpc++/impl/codegen/create_auth_context.h> #include <grpc++/impl/codegen/security/auth_context.h> #include <grpc++/impl/codegen/string_ref.h> #include <grpc++/impl/codegen/time.h> @@ -135,7 +136,12 @@ class ServerContext { } void set_compression_algorithm(grpc_compression_algorithm algorithm); - std::shared_ptr<const AuthContext> auth_context() const; + std::shared_ptr<const AuthContext> auth_context() const { + if (auth_context_.get() == nullptr) { + auth_context_ = CreateAuthContext(call_); + } + return auth_context_; + } // Return the peer uri in a string. // WARNING: this value is never authenticated or subject to any security @@ -193,7 +199,7 @@ class ServerContext { ServerContext(gpr_timespec deadline, grpc_metadata* metadata, size_t metadata_count); - void set_call(grpc_call* call); + void set_call(grpc_call* call) { call_ = call; } uint32_t initial_metadata_flags() const { return 0; } diff --git a/include/grpc++/security/server_credentials.h b/include/grpc++/security/server_credentials.h index 5a9f8a42e2..229bab8d84 100644 --- a/include/grpc++/security/server_credentials.h +++ b/include/grpc++/security/server_credentials.h @@ -39,6 +39,7 @@ #include <grpc++/security/auth_metadata_processor.h> #include <grpc++/support/config.h> +#include <grpc/grpc_security_constants.h> struct grpc_server; @@ -69,7 +70,13 @@ class ServerCredentials { /// Options to create ServerCredentials with SSL struct SslServerCredentialsOptions { - SslServerCredentialsOptions() : force_client_auth(false) {} + // Deprecated + SslServerCredentialsOptions() + : force_client_auth(false), + client_certificate_request(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE) {} + SslServerCredentialsOptions( + grpc_ssl_client_certificate_request_type request_type) + : force_client_auth(false), client_certificate_request(request_type) {} struct PemKeyCertPair { grpc::string private_key; @@ -77,7 +84,13 @@ struct SslServerCredentialsOptions { }; grpc::string pem_root_certs; std::vector<PemKeyCertPair> pem_key_cert_pairs; + // Deprecated bool force_client_auth; + + // If both force_client_auth and client_certificate_request fields are set, + // force_client_auth takes effect i.e + // REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY will be enforced. + grpc_ssl_client_certificate_request_type client_certificate_request; }; /// Builds SSL ServerCredentials given SSL specific options diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h index a36926b23e..79199cc5d6 100644 --- a/include/grpc/grpc_security.h +++ b/include/grpc/grpc_security.h @@ -35,6 +35,7 @@ #define GRPC_GRPC_SECURITY_H #include <grpc/grpc.h> +#include <grpc/grpc_security_constants.h> #include <grpc/status.h> #ifdef __cplusplus @@ -43,13 +44,6 @@ extern "C" { /* --- Authentication Context. --- */ -#define GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME "transport_security_type" -#define GRPC_SSL_TRANSPORT_SECURITY_TYPE "ssl" - -#define GRPC_X509_CN_PROPERTY_NAME "x509_common_name" -#define GRPC_X509_SAN_PROPERTY_NAME "x509_subject_alternative_name" -#define GRPC_X509_PEM_CERT_PROPERTY_NAME "x509_pem_cert" - typedef struct grpc_auth_context grpc_auth_context; typedef struct grpc_auth_property_iterator { @@ -130,29 +124,11 @@ typedef struct grpc_channel_credentials grpc_channel_credentials; The creator of the credentials object is responsible for its release. */ GRPCAPI void grpc_channel_credentials_release(grpc_channel_credentials *creds); -/* Environment variable that points to the google default application - credentials json key or refresh token. Used in the - grpc_google_default_credentials_create function. */ -#define GRPC_GOOGLE_CREDENTIALS_ENV_VAR "GOOGLE_APPLICATION_CREDENTIALS" - /* Creates default credentials to connect to a google gRPC service. WARNING: Do NOT use this credentials to connect to a non-google service as this could result in an oauth2 token leak. */ GRPCAPI grpc_channel_credentials *grpc_google_default_credentials_create(void); -/* Environment variable that points to the default SSL roots file. This file - must be a PEM encoded file with all the roots such as the one that can be - downloaded from https://pki.google.com/roots.pem. */ -#define GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR \ - "GRPC_DEFAULT_SSL_ROOTS_FILE_PATH" - -/* Results for the SSL roots override callback. */ -typedef enum { - GRPC_SSL_ROOTS_OVERRIDE_OK, - GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY, /* Do not try fallback options. */ - GRPC_SSL_ROOTS_OVERRIDE_FAIL -} grpc_ssl_roots_override_result; - /* Callback for getting the SSL roots override from the application. In case of success, *pem_roots_certs must be set to a NULL terminated string containing the list of PEM encoded root certificates. The ownership is passed @@ -334,7 +310,8 @@ typedef struct grpc_server_credentials grpc_server_credentials; */ GRPCAPI void grpc_server_credentials_release(grpc_server_credentials *creds); -/* Creates an SSL server_credentials object. +/* Deprecated in favor of grpc_ssl_server_credentials_create_ex. + Creates an SSL server_credentials object. - pem_roots_cert is the NULL-terminated string containing the PEM encoding of the client root certificates. This parameter may be NULL if the server does not want the client to be authenticated with SSL. @@ -349,6 +326,15 @@ GRPCAPI grpc_server_credentials *grpc_ssl_server_credentials_create( const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs, size_t num_key_cert_pairs, int force_client_auth, void *reserved); +/* Same as grpc_ssl_server_credentials_create method except uses + grpc_ssl_client_certificate_request_type enum to support more ways to + authenticate client cerificates.*/ +GRPCAPI grpc_server_credentials *grpc_ssl_server_credentials_create_ex( + const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs, + size_t num_key_cert_pairs, + grpc_ssl_client_certificate_request_type client_certificate_request, + void *reserved); + /* --- Server-side secure ports. --- */ /* Add a HTTP2 over an encrypted link over tcp listener. diff --git a/include/grpc/grpc_security_constants.h b/include/grpc/grpc_security_constants.h new file mode 100644 index 0000000000..da05c5a97b --- /dev/null +++ b/include/grpc/grpc_security_constants.h @@ -0,0 +1,114 @@ +/* + * + * Copyright 2016, Google Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following disclaimer + * in the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Google Inc. nor the names of its + * contributors may be used to endorse or promote products derived from + * this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef GRPC_GRPC_SECURITY_CONSTANTS_H +#define GRPC_GRPC_SECURITY_CONSTANTS_H + +#ifdef __cplusplus +extern "C" { +#endif + +#define GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME "transport_security_type" +#define GRPC_SSL_TRANSPORT_SECURITY_TYPE "ssl" + +#define GRPC_X509_CN_PROPERTY_NAME "x509_common_name" +#define GRPC_X509_SAN_PROPERTY_NAME "x509_subject_alternative_name" +#define GRPC_X509_PEM_CERT_PROPERTY_NAME "x509_pem_cert" + +/* Environment variable that points to the default SSL roots file. This file + must be a PEM encoded file with all the roots such as the one that can be + downloaded from https://pki.google.com/roots.pem. */ +#define GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR \ + "GRPC_DEFAULT_SSL_ROOTS_FILE_PATH" + +/* Environment variable that points to the google default application + credentials json key or refresh token. Used in the + grpc_google_default_credentials_create function. */ +#define GRPC_GOOGLE_CREDENTIALS_ENV_VAR "GOOGLE_APPLICATION_CREDENTIALS" + +/* Results for the SSL roots override callback. */ +typedef enum { + GRPC_SSL_ROOTS_OVERRIDE_OK, + GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY, /* Do not try fallback options. */ + GRPC_SSL_ROOTS_OVERRIDE_FAIL +} grpc_ssl_roots_override_result; + +typedef enum { + /* Server does not request client certificate. A client can present a self + signed or signed certificates if it wishes to do so and they would be + accepted. */ + GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE, + /* Server requests client certificate but does not enforce that the client + presents a certificate. + + If the client presents a certificate, the client authentication is left to + the application based on the metadata like certificate etc. + + The key cert pair should still be valid for the SSL connection to be + established. */ + GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY, + /* Server requests client certificate but does not enforce that the client + presents a certificate. + + If the client presents a certificate, the client authentication is done by + grpc framework (The client needs to either present a signed cert or skip no + certificate for a successful connection). + + The key cert pair should still be valid for the SSL connection to be + established. */ + GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY, + /* Server requests client certificate but enforces that the client presents a + certificate. + + If the client presents a certificate, the client authentication is left to + the application based on the metadata like certificate etc. + + The key cert pair should still be valid for the SSL connection to be + established. */ + GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY, + /* Server requests client certificate but enforces that the client presents a + certificate. + + The cerificate presented by the client is verified by grpc framework (The + client needs to present signed certs for a successful connection). + + The key cert pair should still be valid for the SSL connection to be + established. */ + GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY +} grpc_ssl_client_certificate_request_type; + +#ifdef __cplusplus +} +#endif + +#endif /* GRPC_GRPC_SECURITY_CONSTANTS_H */ diff --git a/include/grpc/impl/codegen/log.h b/include/grpc/impl/codegen/log.h index 0853350a26..aa86fc4c17 100644 --- a/include/grpc/impl/codegen/log.h +++ b/include/grpc/impl/codegen/log.h @@ -61,6 +61,8 @@ typedef enum gpr_log_severity { GPR_LOG_SEVERITY_ERROR } gpr_log_severity; +#define GPR_LOG_VERBOSITY_UNSET -1 + /* Returns a string representation of the log severity */ const char *gpr_log_severity_string(gpr_log_severity severity); @@ -77,6 +79,11 @@ GPRAPI void gpr_log(const char *file, int line, gpr_log_severity severity, GPRAPI void gpr_log_message(const char *file, int line, gpr_log_severity severity, const char *message); +/* Set global log verbosity */ +GPRAPI void gpr_set_log_verbosity(gpr_log_severity min_severity_to_print); + +GPRAPI void gpr_log_verbosity_init(); + /* Log overrides: applications can use this API to intercept logging calls and use their own implementations */ diff --git a/include/grpc/impl/codegen/port_platform.h b/include/grpc/impl/codegen/port_platform.h index 3242f07599..1229d488ed 100644 --- a/include/grpc/impl/codegen/port_platform.h +++ b/include/grpc/impl/codegen/port_platform.h @@ -82,28 +82,31 @@ things. */ #if !defined(GPR_NO_AUTODETECT_PLATFORM) +#if defined(_WIN64) || defined(WIN64) || defined(_WIN32) || defined(WIN32) #if defined(_WIN64) || defined(WIN64) -#define GPR_PLATFORM_STRING "windows" -#define GPR_WIN32 1 #define GPR_ARCH_64 1 -#define GPR_GETPID_IN_PROCESS_H 1 -#define GPR_WINSOCK_SOCKET 1 -#define GPR_WINDOWS_SUBPROCESS 1 -#ifdef __GNUC__ -#define GPR_GCC_ATOMIC 1 -#define GPR_GCC_TLS 1 #else -#define GPR_WIN32_ATOMIC 1 -#define GPR_MSVC_TLS 1 +#define GPR_ARCH_32 1 #endif -#define GPR_WINDOWS_CRASH_HANDLER 1 -#elif defined(_WIN32) || defined(WIN32) #define GPR_PLATFORM_STRING "windows" -#define GPR_ARCH_32 1 #define GPR_WIN32 1 -#define GPR_GETPID_IN_PROCESS_H 1 #define GPR_WINSOCK_SOCKET 1 #define GPR_WINDOWS_SUBPROCESS 1 +#define GPR_WIN32_ENV +#ifdef __MSYS__ +#define GPR_GETPID_IN_UNISTD_H 1 +#define GPR_MSYS_TMPFILE +#define GPR_POSIX_LOG +#define GPR_POSIX_STRING +#define GPR_POSIX_TIME +#else +#define GPR_GETPID_IN_PROCESS_H 1 +#define GPR_WIN32_TMPFILE +#define GPR_WIN32_LOG +#define GPR_WINDOWS_CRASH_HANDLER 1 +#define GPR_WIN32_STRING +#define GPR_WIN32_TIME +#endif #ifdef __GNUC__ #define GPR_GCC_ATOMIC 1 #define GPR_GCC_TLS 1 @@ -111,7 +114,6 @@ #define GPR_WIN32_ATOMIC 1 #define GPR_MSVC_TLS 1 #endif -#define GPR_WINDOWS_CRASH_HANDLER 1 #elif defined(ANDROID) || defined(__ANDROID__) #define GPR_PLATFORM_STRING "android" #define GPR_ANDROID 1 @@ -127,6 +129,8 @@ #define GPR_POSIX_SOCKETUTILS 1 #define GPR_POSIX_ENV 1 #define GPR_POSIX_FILE 1 +#define GPR_POSIX_TMPFILE 1 +#define GPR_POSIX_LOG #define GPR_POSIX_STRING 1 #define GPR_POSIX_SUBPROCESS 1 #define GPR_POSIX_SYNC 1 @@ -153,6 +157,7 @@ #define GPR_GCC_ATOMIC 1 #define GPR_GCC_TLS 1 #define GPR_LINUX 1 +#define GPR_LINUX_LOG #define GPR_LINUX_MULTIPOLL_WITH_EPOLL 1 #define GPR_POSIX_WAKEUP_FD 1 #define GPR_POSIX_SOCKET 1 @@ -176,6 +181,7 @@ #define GPR_POSIX_SOCKETUTILS #endif #define GPR_POSIX_FILE 1 +#define GPR_POSIX_TMPFILE 1 #define GPR_POSIX_STRING 1 #define GPR_POSIX_SUBPROCESS 1 #define GPR_POSIX_SYNC 1 @@ -214,6 +220,7 @@ #define GPR_POSIX_SOCKETUTILS 1 #define GPR_POSIX_ENV 1 #define GPR_POSIX_FILE 1 +#define GPR_POSIX_TMPFILE 1 #define GPR_POSIX_STRING 1 #define GPR_POSIX_SUBPROCESS 1 #define GPR_POSIX_SYNC 1 @@ -244,6 +251,7 @@ #define GPR_POSIX_SOCKETUTILS 1 #define GPR_POSIX_ENV 1 #define GPR_POSIX_FILE 1 +#define GPR_POSIX_TMPFILE 1 #define GPR_POSIX_STRING 1 #define GPR_POSIX_SUBPROCESS 1 #define GPR_POSIX_SYNC 1 @@ -281,6 +289,7 @@ #define GPR_POSIX_SOCKETUTILS 1 #define GPR_POSIX_ENV 1 #define GPR_POSIX_FILE 1 +#define GPR_POSIX_TMPFILE 1 #define GPR_POSIX_STRING 1 #define GPR_POSIX_SUBPROCESS 1 #define GPR_POSIX_SYNC 1 |