aboutsummaryrefslogtreecommitdiffhomepage
path: root/src/core/lib/security/security_connector/local_security_connector.cc
diff options
context:
space:
mode:
Diffstat (limited to 'src/core/lib/security/security_connector/local_security_connector.cc')
-rw-r--r--src/core/lib/security/security_connector/local_security_connector.cc245
1 files changed, 245 insertions, 0 deletions
diff --git a/src/core/lib/security/security_connector/local_security_connector.cc b/src/core/lib/security/security_connector/local_security_connector.cc
new file mode 100644
index 0000000000..c436a7906b
--- /dev/null
+++ b/src/core/lib/security/security_connector/local_security_connector.cc
@@ -0,0 +1,245 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/security_connector/local_security_connector.h"
+
+#include <stdbool.h>
+#include <string.h>
+
+#include <grpc/grpc.h>
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+#include <grpc/support/string_util.h>
+
+#include "src/core/ext/filters/client_channel/client_channel.h"
+#include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/security/credentials/local/local_credentials.h"
+#include "src/core/lib/security/transport/security_handshaker.h"
+#include "src/core/tsi/local_transport_security.h"
+
+#define GRPC_UDS_URI_PATTERN "unix:"
+#define GRPC_UDS_URL_SCHEME "unix"
+#define GRPC_LOCAL_TRANSPORT_SECURITY_TYPE "local"
+
+typedef struct {
+ grpc_channel_security_connector base;
+ char* target_name;
+} grpc_local_channel_security_connector;
+
+typedef struct {
+ grpc_server_security_connector base;
+} grpc_local_server_security_connector;
+
+static void local_channel_destroy(grpc_security_connector* sc) {
+ if (sc == nullptr) {
+ return;
+ }
+ auto c = reinterpret_cast<grpc_local_channel_security_connector*>(sc);
+ grpc_call_credentials_unref(c->base.request_metadata_creds);
+ grpc_channel_credentials_unref(c->base.channel_creds);
+ gpr_free(c->target_name);
+ gpr_free(sc);
+}
+
+static void local_server_destroy(grpc_security_connector* sc) {
+ if (sc == nullptr) {
+ return;
+ }
+ auto c = reinterpret_cast<grpc_local_server_security_connector*>(sc);
+ grpc_server_credentials_unref(c->base.server_creds);
+ gpr_free(sc);
+}
+
+static void local_channel_add_handshakers(
+ grpc_channel_security_connector* sc,
+ grpc_handshake_manager* handshake_manager) {
+ tsi_handshaker* handshaker = nullptr;
+ GPR_ASSERT(local_tsi_handshaker_create(true /* is_client */, &handshaker) ==
+ TSI_OK);
+ grpc_handshake_manager_add(handshake_manager, grpc_security_handshaker_create(
+ handshaker, &sc->base));
+}
+
+static void local_server_add_handshakers(
+ grpc_server_security_connector* sc,
+ grpc_handshake_manager* handshake_manager) {
+ tsi_handshaker* handshaker = nullptr;
+ GPR_ASSERT(local_tsi_handshaker_create(false /* is_client */, &handshaker) ==
+ TSI_OK);
+ grpc_handshake_manager_add(handshake_manager, grpc_security_handshaker_create(
+ handshaker, &sc->base));
+}
+
+static int local_channel_cmp(grpc_security_connector* sc1,
+ grpc_security_connector* sc2) {
+ grpc_local_channel_security_connector* c1 =
+ reinterpret_cast<grpc_local_channel_security_connector*>(sc1);
+ grpc_local_channel_security_connector* c2 =
+ reinterpret_cast<grpc_local_channel_security_connector*>(sc2);
+ int c = grpc_channel_security_connector_cmp(&c1->base, &c2->base);
+ if (c != 0) return c;
+ return strcmp(c1->target_name, c2->target_name);
+}
+
+static int local_server_cmp(grpc_security_connector* sc1,
+ grpc_security_connector* sc2) {
+ grpc_local_server_security_connector* c1 =
+ reinterpret_cast<grpc_local_server_security_connector*>(sc1);
+ grpc_local_server_security_connector* c2 =
+ reinterpret_cast<grpc_local_server_security_connector*>(sc2);
+ return grpc_server_security_connector_cmp(&c1->base, &c2->base);
+}
+
+static grpc_security_status local_auth_context_create(grpc_auth_context** ctx) {
+ if (ctx == nullptr) {
+ gpr_log(GPR_ERROR, "Invalid arguments to local_auth_context_create()");
+ return GRPC_SECURITY_ERROR;
+ }
+ /* Create auth context. */
+ *ctx = grpc_auth_context_create(nullptr);
+ grpc_auth_context_add_cstring_property(
+ *ctx, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
+ GRPC_LOCAL_TRANSPORT_SECURITY_TYPE);
+ GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
+ *ctx, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME) == 1);
+ return GRPC_SECURITY_OK;
+}
+
+static void local_check_peer(grpc_security_connector* sc, tsi_peer peer,
+ grpc_auth_context** auth_context,
+ grpc_closure* on_peer_checked) {
+ grpc_security_status status;
+ /* Create an auth context which is necessary to pass the santiy check in
+ * {client, server}_auth_filter that verifies if the peer's auth context is
+ * obtained during handshakes. The auth context is only checked for its
+ * existence and not actually used.
+ */
+ status = local_auth_context_create(auth_context);
+ grpc_error* error = status == GRPC_SECURITY_OK
+ ? GRPC_ERROR_NONE
+ : GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+ "Could not create local auth context");
+ GRPC_CLOSURE_SCHED(on_peer_checked, error);
+}
+
+static grpc_security_connector_vtable local_channel_vtable = {
+ local_channel_destroy, local_check_peer, local_channel_cmp};
+
+static grpc_security_connector_vtable local_server_vtable = {
+ local_server_destroy, local_check_peer, local_server_cmp};
+
+static bool local_check_call_host(grpc_channel_security_connector* sc,
+ const char* host,
+ grpc_auth_context* auth_context,
+ grpc_closure* on_call_host_checked,
+ grpc_error** error) {
+ grpc_local_channel_security_connector* local_sc =
+ reinterpret_cast<grpc_local_channel_security_connector*>(sc);
+ if (host == nullptr || local_sc == nullptr ||
+ strcmp(host, local_sc->target_name) != 0) {
+ *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+ "local call host does not match target name");
+ }
+ return true;
+}
+
+static void local_cancel_check_call_host(grpc_channel_security_connector* sc,
+ grpc_closure* on_call_host_checked,
+ grpc_error* error) {
+ GRPC_ERROR_UNREF(error);
+}
+
+grpc_security_status grpc_local_channel_security_connector_create(
+ grpc_channel_credentials* channel_creds,
+ grpc_call_credentials* request_metadata_creds,
+ const grpc_channel_args* args, const char* target_name,
+ grpc_channel_security_connector** sc) {
+ if (channel_creds == nullptr || sc == nullptr || target_name == nullptr) {
+ gpr_log(
+ GPR_ERROR,
+ "Invalid arguments to grpc_local_channel_security_connector_create()");
+ return GRPC_SECURITY_ERROR;
+ }
+ // Check if local_connect_type is UDS. Only UDS is supported for now.
+ grpc_local_credentials* creds =
+ reinterpret_cast<grpc_local_credentials*>(channel_creds);
+ if (creds->connect_type != UDS) {
+ gpr_log(GPR_ERROR,
+ "Invalid local channel type to "
+ "grpc_local_channel_security_connector_create()");
+ return GRPC_SECURITY_ERROR;
+ }
+ // Check if target_name is a valid UDS address.
+ const grpc_arg* server_uri_arg =
+ grpc_channel_args_find(args, GRPC_ARG_SERVER_URI);
+ const char* server_uri_str = grpc_channel_arg_get_string(server_uri_arg);
+ if (strncmp(GRPC_UDS_URI_PATTERN, server_uri_str,
+ strlen(GRPC_UDS_URI_PATTERN)) != 0) {
+ gpr_log(GPR_ERROR,
+ "Invalid target_name to "
+ "grpc_local_channel_security_connector_create()");
+ return GRPC_SECURITY_ERROR;
+ }
+ auto c = static_cast<grpc_local_channel_security_connector*>(
+ gpr_zalloc(sizeof(grpc_local_channel_security_connector)));
+ gpr_ref_init(&c->base.base.refcount, 1);
+ c->base.base.vtable = &local_channel_vtable;
+ c->base.add_handshakers = local_channel_add_handshakers;
+ c->base.channel_creds = grpc_channel_credentials_ref(channel_creds);
+ c->base.request_metadata_creds =
+ grpc_call_credentials_ref(request_metadata_creds);
+ c->base.check_call_host = local_check_call_host;
+ c->base.cancel_check_call_host = local_cancel_check_call_host;
+ c->base.base.url_scheme =
+ creds->connect_type == UDS ? GRPC_UDS_URL_SCHEME : nullptr;
+ c->target_name = gpr_strdup(target_name);
+ *sc = &c->base;
+ return GRPC_SECURITY_OK;
+}
+
+grpc_security_status grpc_local_server_security_connector_create(
+ grpc_server_credentials* server_creds,
+ grpc_server_security_connector** sc) {
+ if (server_creds == nullptr || sc == nullptr) {
+ gpr_log(
+ GPR_ERROR,
+ "Invalid arguments to grpc_local_server_security_connector_create()");
+ return GRPC_SECURITY_ERROR;
+ }
+ // Check if local_connect_type is UDS. Only UDS is supported for now.
+ grpc_local_server_credentials* creds =
+ reinterpret_cast<grpc_local_server_credentials*>(server_creds);
+ if (creds->connect_type != UDS) {
+ gpr_log(GPR_ERROR,
+ "Invalid local server type to "
+ "grpc_local_server_security_connector_create()");
+ return GRPC_SECURITY_ERROR;
+ }
+ auto c = static_cast<grpc_local_server_security_connector*>(
+ gpr_zalloc(sizeof(grpc_local_server_security_connector)));
+ gpr_ref_init(&c->base.base.refcount, 1);
+ c->base.base.vtable = &local_server_vtable;
+ c->base.server_creds = grpc_server_credentials_ref(server_creds);
+ c->base.base.url_scheme =
+ creds->connect_type == UDS ? GRPC_UDS_URL_SCHEME : nullptr;
+ c->base.add_handshakers = local_server_add_handshakers;
+ *sc = &c->base;
+ return GRPC_SECURITY_OK;
+}
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-29 10:21:53 +0000