diff options
Diffstat (limited to 'src/core/lib/security')
21 files changed, 420 insertions, 189 deletions
diff --git a/src/core/lib/security/credentials/composite/composite_credentials.c b/src/core/lib/security/credentials/composite/composite_credentials.c index 18189a8fb8..07db8bfd75 100644 --- a/src/core/lib/security/credentials/composite/composite_credentials.c +++ b/src/core/lib/security/credentials/composite/composite_credentials.c @@ -1,6 +1,6 @@ /* * - * Copyright 2015, Google Inc. + * Copyright 2015-2016, Google Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -35,6 +35,7 @@ #include <string.h> +#include "src/core/lib/iomgr/polling_entity.h" #include "src/core/lib/surface/api_trace.h" #include <grpc/support/alloc.h> @@ -49,7 +50,7 @@ typedef struct { grpc_credentials_md_store *md_elems; grpc_auth_metadata_context auth_md_context; void *user_data; - grpc_pollset *pollset; + grpc_polling_entity *pollent; grpc_credentials_metadata_cb cb; } grpc_composite_call_credentials_metadata_context; @@ -93,7 +94,7 @@ static void composite_call_metadata_cb(grpc_exec_ctx *exec_ctx, void *user_data, grpc_call_credentials *inner_creds = ctx->composite_creds->inner.creds_array[ctx->creds_index++]; grpc_call_credentials_get_request_metadata( - exec_ctx, inner_creds, ctx->pollset, ctx->auth_md_context, + exec_ctx, inner_creds, ctx->pollent, ctx->auth_md_context, composite_call_metadata_cb, ctx); return; } @@ -106,7 +107,7 @@ static void composite_call_metadata_cb(grpc_exec_ctx *exec_ctx, void *user_data, static void composite_call_get_request_metadata( grpc_exec_ctx *exec_ctx, grpc_call_credentials *creds, - grpc_pollset *pollset, grpc_auth_metadata_context auth_md_context, + grpc_polling_entity *pollent, grpc_auth_metadata_context auth_md_context, grpc_credentials_metadata_cb cb, void *user_data) { grpc_composite_call_credentials *c = (grpc_composite_call_credentials *)creds; grpc_composite_call_credentials_metadata_context *ctx; @@ -117,10 +118,10 @@ static void composite_call_get_request_metadata( ctx->user_data = user_data; ctx->cb = cb; ctx->composite_creds = c; - ctx->pollset = pollset; + ctx->pollent = pollent; ctx->md_elems = grpc_credentials_md_store_create(c->inner.num_creds); grpc_call_credentials_get_request_metadata( - exec_ctx, c->inner.creds_array[ctx->creds_index++], pollset, + exec_ctx, c->inner.creds_array[ctx->creds_index++], ctx->pollent, auth_md_context, composite_call_metadata_cb, ctx); } diff --git a/src/core/lib/security/credentials/credentials.c b/src/core/lib/security/credentials/credentials.c index 3dde6e587d..0eadaec191 100644 --- a/src/core/lib/security/credentials/credentials.c +++ b/src/core/lib/security/credentials/credentials.c @@ -58,6 +58,7 @@ grpc_credentials_metadata_request *grpc_credentials_metadata_request_create( void *user_data) { grpc_credentials_metadata_request *r = gpr_malloc(sizeof(grpc_credentials_metadata_request)); + memset(&r->response, 0, sizeof(r->response)); r->creds = grpc_call_credentials_ref(creds); r->cb = cb; r->user_data = user_data; @@ -67,6 +68,7 @@ grpc_credentials_metadata_request *grpc_credentials_metadata_request_create( void grpc_credentials_metadata_request_destroy( grpc_credentials_metadata_request *r) { grpc_call_credentials_unref(r->creds); + grpc_http_response_destroy(&r->response); gpr_free(r); } @@ -111,7 +113,7 @@ void grpc_call_credentials_release(grpc_call_credentials *creds) { void grpc_call_credentials_get_request_metadata( grpc_exec_ctx *exec_ctx, grpc_call_credentials *creds, - grpc_pollset *pollset, grpc_auth_metadata_context context, + grpc_polling_entity *pollent, grpc_auth_metadata_context context, grpc_credentials_metadata_cb cb, void *user_data) { if (creds == NULL || creds->vtable->get_request_metadata == NULL) { if (cb != NULL) { @@ -119,7 +121,7 @@ void grpc_call_credentials_get_request_metadata( } return; } - creds->vtable->get_request_metadata(exec_ctx, creds, pollset, context, cb, + creds->vtable->get_request_metadata(exec_ctx, creds, pollent, context, cb, user_data); } diff --git a/src/core/lib/security/credentials/credentials.h b/src/core/lib/security/credentials/credentials.h index 5f44c7c3e3..ce235e3a1d 100644 --- a/src/core/lib/security/credentials/credentials.h +++ b/src/core/lib/security/credentials/credentials.h @@ -41,6 +41,7 @@ #include "src/core/lib/http/httpcli.h" #include "src/core/lib/http/parser.h" +#include "src/core/lib/iomgr/polling_entity.h" #include "src/core/lib/security/transport/security_connector.h" struct grpc_http_response; @@ -164,7 +165,8 @@ typedef void (*grpc_credentials_metadata_cb)(grpc_exec_ctx *exec_ctx, typedef struct { void (*destruct)(grpc_call_credentials *c); void (*get_request_metadata)(grpc_exec_ctx *exec_ctx, - grpc_call_credentials *c, grpc_pollset *pollset, + grpc_call_credentials *c, + grpc_polling_entity *pollent, grpc_auth_metadata_context context, grpc_credentials_metadata_cb cb, void *user_data); @@ -180,7 +182,7 @@ grpc_call_credentials *grpc_call_credentials_ref(grpc_call_credentials *creds); void grpc_call_credentials_unref(grpc_call_credentials *creds); void grpc_call_credentials_get_request_metadata( grpc_exec_ctx *exec_ctx, grpc_call_credentials *creds, - grpc_pollset *pollset, grpc_auth_metadata_context context, + grpc_polling_entity *pollent, grpc_auth_metadata_context context, grpc_credentials_metadata_cb cb, void *user_data); /* Metadata-only credentials with the specified key and value where @@ -223,6 +225,7 @@ grpc_server_credentials *grpc_find_server_credentials_in_args( typedef struct { grpc_call_credentials *creds; grpc_credentials_metadata_cb cb; + grpc_http_response response; void *user_data; } grpc_credentials_metadata_request; diff --git a/src/core/lib/security/credentials/fake/fake_credentials.c b/src/core/lib/security/credentials/fake/fake_credentials.c index 54d7cf2581..ee6d964de1 100644 --- a/src/core/lib/security/credentials/fake/fake_credentials.c +++ b/src/core/lib/security/credentials/fake/fake_credentials.c @@ -95,7 +95,7 @@ static void md_only_test_destruct(grpc_call_credentials *creds) { } static void on_simulated_token_fetch_done(grpc_exec_ctx *exec_ctx, - void *user_data, bool success) { + void *user_data, grpc_error *error) { grpc_credentials_metadata_request *r = (grpc_credentials_metadata_request *)user_data; grpc_md_only_test_credentials *c = (grpc_md_only_test_credentials *)r->creds; @@ -106,15 +106,16 @@ static void on_simulated_token_fetch_done(grpc_exec_ctx *exec_ctx, static void md_only_test_get_request_metadata( grpc_exec_ctx *exec_ctx, grpc_call_credentials *creds, - grpc_pollset *pollset, grpc_auth_metadata_context context, + grpc_polling_entity *pollent, grpc_auth_metadata_context context, grpc_credentials_metadata_cb cb, void *user_data) { grpc_md_only_test_credentials *c = (grpc_md_only_test_credentials *)creds; if (c->is_async) { grpc_credentials_metadata_request *cb_arg = grpc_credentials_metadata_request_create(creds, cb, user_data); - grpc_executor_enqueue( - grpc_closure_create(on_simulated_token_fetch_done, cb_arg), true); + grpc_executor_push( + grpc_closure_create(on_simulated_token_fetch_done, cb_arg), + GRPC_ERROR_NONE); } else { cb(exec_ctx, user_data, c->md_store->entries, 1, GRPC_CREDENTIALS_OK); } diff --git a/src/core/lib/security/credentials/google_default/credentials_win32.c b/src/core/lib/security/credentials/google_default/credentials_windows.c index cd8b48080a..208b8fd9ad 100644 --- a/src/core/lib/security/credentials/google_default/credentials_win32.c +++ b/src/core/lib/security/credentials/google_default/credentials_windows.c @@ -33,7 +33,7 @@ #include <grpc/support/port_platform.h> -#ifdef GPR_WIN32 +#ifdef GPR_WINDOWS #include "src/core/lib/security/credentials/google_default/google_default_credentials.h" @@ -58,4 +58,4 @@ char *grpc_get_well_known_google_credentials_file_path_impl(void) { return result; } -#endif /* GPR_WIN32 */ +#endif /* GPR_WINDOWS */ diff --git a/src/core/lib/security/credentials/google_default/google_default_credentials.c b/src/core/lib/security/credentials/google_default/google_default_credentials.c index a521d95abc..312a3d4f90 100644 --- a/src/core/lib/security/credentials/google_default/google_default_credentials.c +++ b/src/core/lib/security/credentials/google_default/google_default_credentials.c @@ -41,10 +41,12 @@ #include "src/core/lib/http/httpcli.h" #include "src/core/lib/http/parser.h" +#include "src/core/lib/iomgr/load_file.h" +#include "src/core/lib/iomgr/polling_entity.h" #include "src/core/lib/security/credentials/jwt/jwt_credentials.h" #include "src/core/lib/security/credentials/oauth2/oauth2_credentials.h" #include "src/core/lib/support/env.h" -#include "src/core/lib/support/load_file.h" +#include "src/core/lib/support/string.h" #include "src/core/lib/surface/api_trace.h" /* -- Constants. -- */ @@ -62,21 +64,23 @@ static gpr_once g_once = GPR_ONCE_INIT; static void init_default_credentials(void) { gpr_mu_init(&g_state_mu); } typedef struct { - grpc_pollset *pollset; + grpc_polling_entity pollent; int is_done; int success; + grpc_http_response response; } compute_engine_detector; -static void on_compute_engine_detection_http_response( - grpc_exec_ctx *exec_ctx, void *user_data, - const grpc_http_response *response) { +static void on_compute_engine_detection_http_response(grpc_exec_ctx *exec_ctx, + void *user_data, + grpc_error *error) { compute_engine_detector *detector = (compute_engine_detector *)user_data; - if (response != NULL && response->status == 200 && response->hdr_count > 0) { + if (error == GRPC_ERROR_NONE && detector->response.status == 200 && + detector->response.hdr_count > 0) { /* Internet providers can return a generic response to all requests, so it is necessary to check that metadata header is present also. */ size_t i; - for (i = 0; i < response->hdr_count; i++) { - grpc_http_header *header = &response->hdrs[i]; + for (i = 0; i < detector->response.hdr_count; i++) { + grpc_http_header *header = &detector->response.hdrs[i]; if (strcmp(header->key, "Metadata-Flavor") == 0 && strcmp(header->value, "Google") == 0) { detector->success = 1; @@ -86,11 +90,13 @@ static void on_compute_engine_detection_http_response( } gpr_mu_lock(g_polling_mu); detector->is_done = 1; - grpc_pollset_kick(detector->pollset, NULL); + GRPC_LOG_IF_ERROR( + "Pollset kick", + grpc_pollset_kick(grpc_polling_entity_pollset(&detector->pollent), NULL)); gpr_mu_unlock(g_polling_mu); } -static void destroy_pollset(grpc_exec_ctx *exec_ctx, void *p, bool s) { +static void destroy_pollset(grpc_exec_ctx *exec_ctx, void *p, grpc_error *e) { grpc_pollset_destroy(p); } @@ -105,11 +111,13 @@ static int is_stack_running_on_compute_engine(void) { on compute engine. */ gpr_timespec max_detection_delay = gpr_time_from_seconds(1, GPR_TIMESPAN); - detector.pollset = gpr_malloc(grpc_pollset_size()); - grpc_pollset_init(detector.pollset, &g_polling_mu); + grpc_pollset *pollset = gpr_malloc(grpc_pollset_size()); + grpc_pollset_init(pollset, &g_polling_mu); + detector.pollent = grpc_polling_entity_create_from_pollset(pollset); detector.is_done = 0; detector.success = 0; + memset(&detector.response, 0, sizeof(detector.response)); memset(&request, 0, sizeof(grpc_httpcli_request)); request.host = GRPC_COMPUTE_ENGINE_DETECTION_HOST; request.http.path = "/"; @@ -117,48 +125,71 @@ static int is_stack_running_on_compute_engine(void) { grpc_httpcli_context_init(&context); grpc_httpcli_get( - &exec_ctx, &context, detector.pollset, &request, + &exec_ctx, &context, &detector.pollent, &request, gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), max_detection_delay), - on_compute_engine_detection_http_response, &detector); + grpc_closure_create(on_compute_engine_detection_http_response, &detector), + &detector.response); - grpc_exec_ctx_finish(&exec_ctx); + grpc_exec_ctx_flush(&exec_ctx); /* Block until we get the response. This is not ideal but this should only be called once for the lifetime of the process by the default credentials. */ gpr_mu_lock(g_polling_mu); while (!detector.is_done) { grpc_pollset_worker *worker = NULL; - grpc_pollset_work(&exec_ctx, detector.pollset, &worker, - gpr_now(GPR_CLOCK_MONOTONIC), - gpr_inf_future(GPR_CLOCK_MONOTONIC)); + if (!GRPC_LOG_IF_ERROR( + "pollset_work", + grpc_pollset_work(&exec_ctx, + grpc_polling_entity_pollset(&detector.pollent), + &worker, gpr_now(GPR_CLOCK_MONOTONIC), + gpr_inf_future(GPR_CLOCK_MONOTONIC)))) { + detector.is_done = 1; + detector.success = 0; + } } gpr_mu_unlock(g_polling_mu); grpc_httpcli_context_destroy(&context); - grpc_closure_init(&destroy_closure, destroy_pollset, detector.pollset); - grpc_pollset_shutdown(&exec_ctx, detector.pollset, &destroy_closure); + grpc_closure_init(&destroy_closure, destroy_pollset, + grpc_polling_entity_pollset(&detector.pollent)); + grpc_pollset_shutdown(&exec_ctx, + grpc_polling_entity_pollset(&detector.pollent), + &destroy_closure); grpc_exec_ctx_finish(&exec_ctx); g_polling_mu = NULL; - gpr_free(detector.pollset); + gpr_free(grpc_polling_entity_pollset(&detector.pollent)); + grpc_http_response_destroy(&detector.response); return detector.success; } /* Takes ownership of creds_path if not NULL. */ -static grpc_call_credentials *create_default_creds_from_path(char *creds_path) { +static grpc_error *create_default_creds_from_path( + char *creds_path, grpc_call_credentials **creds) { grpc_json *json = NULL; grpc_auth_json_key key; grpc_auth_refresh_token token; grpc_call_credentials *result = NULL; gpr_slice creds_data = gpr_empty_slice(); - int file_ok = 0; - if (creds_path == NULL) goto end; - creds_data = gpr_load_file(creds_path, 0, &file_ok); - if (!file_ok) goto end; + grpc_error *error = GRPC_ERROR_NONE; + if (creds_path == NULL) { + error = GRPC_ERROR_CREATE("creds_path unset"); + goto end; + } + error = grpc_load_file(creds_path, 0, &creds_data); + if (error != GRPC_ERROR_NONE) { + goto end; + } json = grpc_json_parse_string_with_len( (char *)GPR_SLICE_START_PTR(creds_data), GPR_SLICE_LENGTH(creds_data)); - if (json == NULL) goto end; + if (json == NULL) { + char *dump = gpr_dump_slice(creds_data, GPR_DUMP_HEX | GPR_DUMP_ASCII); + error = grpc_error_set_str(GRPC_ERROR_CREATE("Failed to parse JSON"), + GRPC_ERROR_STR_RAW_BYTES, dump); + gpr_free(dump); + goto end; + } /* First, try an auth json key. */ key = grpc_auth_json_key_create_from_json(json); @@ -166,6 +197,11 @@ static grpc_call_credentials *create_default_creds_from_path(char *creds_path) { result = grpc_service_account_jwt_access_credentials_create_from_auth_json_key( key, grpc_max_auth_token_lifetime()); + if (result == NULL) { + error = GRPC_ERROR_CREATE( + "grpc_service_account_jwt_access_credentials_create_from_auth_json_" + "key failed"); + } goto end; } @@ -174,19 +210,28 @@ static grpc_call_credentials *create_default_creds_from_path(char *creds_path) { if (grpc_auth_refresh_token_is_valid(&token)) { result = grpc_refresh_token_credentials_create_from_auth_refresh_token(token); + if (result == NULL) { + error = GRPC_ERROR_CREATE( + "grpc_refresh_token_credentials_create_from_auth_refresh_token " + "failed"); + } goto end; } end: + GPR_ASSERT((result == NULL) + (error == GRPC_ERROR_NONE) == 1); if (creds_path != NULL) gpr_free(creds_path); gpr_slice_unref(creds_data); if (json != NULL) grpc_json_destroy(json); - return result; + *creds = result; + return error; } grpc_channel_credentials *grpc_google_default_credentials_create(void) { grpc_channel_credentials *result = NULL; grpc_call_credentials *call_creds = NULL; + grpc_error *error = GRPC_ERROR_CREATE("Failed to create Google credentials"); + grpc_error *err; GRPC_API_TRACE("grpc_google_default_credentials_create(void)", 0, ()); @@ -200,14 +245,16 @@ grpc_channel_credentials *grpc_google_default_credentials_create(void) { } /* First, try the environment variable. */ - call_creds = create_default_creds_from_path( - gpr_getenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR)); - if (call_creds != NULL) goto end; + err = create_default_creds_from_path( + gpr_getenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR), &call_creds); + if (err == GRPC_ERROR_NONE) goto end; + error = grpc_error_add_child(error, err); /* Then the well-known file. */ - call_creds = create_default_creds_from_path( - grpc_get_well_known_google_credentials_file_path()); - if (call_creds != NULL) goto end; + err = create_default_creds_from_path( + grpc_get_well_known_google_credentials_file_path(), &call_creds); + if (err == GRPC_ERROR_NONE) goto end; + error = grpc_error_add_child(error, err); /* At last try to see if we're on compute engine (do the detection only once since it requires a network test). */ @@ -216,6 +263,10 @@ grpc_channel_credentials *grpc_google_default_credentials_create(void) { compute_engine_detection_done = 1; if (need_compute_engine_creds) { call_creds = grpc_google_compute_engine_credentials_create(NULL); + if (call_creds == NULL) { + error = grpc_error_add_child( + error, GRPC_ERROR_CREATE("Failed to get credentials from network")); + } } } @@ -239,6 +290,11 @@ end: } } gpr_mu_unlock(&g_state_mu); + if (result == NULL) { + GRPC_LOG_IF_ERROR("grpc_google_default_credentials_create", error); + } else { + GRPC_ERROR_UNREF(error); + } return result; } diff --git a/src/core/lib/security/credentials/iam/iam_credentials.c b/src/core/lib/security/credentials/iam/iam_credentials.c index 89defa7c60..64d5871844 100644 --- a/src/core/lib/security/credentials/iam/iam_credentials.c +++ b/src/core/lib/security/credentials/iam/iam_credentials.c @@ -49,7 +49,7 @@ static void iam_destruct(grpc_call_credentials *creds) { static void iam_get_request_metadata(grpc_exec_ctx *exec_ctx, grpc_call_credentials *creds, - grpc_pollset *pollset, + grpc_polling_entity *pollent, grpc_auth_metadata_context context, grpc_credentials_metadata_cb cb, void *user_data) { diff --git a/src/core/lib/security/credentials/jwt/jwt_credentials.c b/src/core/lib/security/credentials/jwt/jwt_credentials.c index 8755a96af4..973fb75eaa 100644 --- a/src/core/lib/security/credentials/jwt/jwt_credentials.c +++ b/src/core/lib/security/credentials/jwt/jwt_credentials.c @@ -64,7 +64,7 @@ static void jwt_destruct(grpc_call_credentials *creds) { static void jwt_get_request_metadata(grpc_exec_ctx *exec_ctx, grpc_call_credentials *creds, - grpc_pollset *pollset, + grpc_polling_entity *pollent, grpc_auth_metadata_context context, grpc_credentials_metadata_cb cb, void *user_data) { diff --git a/src/core/lib/security/credentials/jwt/jwt_verifier.c b/src/core/lib/security/credentials/jwt/jwt_verifier.c index cd6c7ce392..73eb2e3258 100644 --- a/src/core/lib/security/credentials/jwt/jwt_verifier.c +++ b/src/core/lib/security/credentials/jwt/jwt_verifier.c @@ -37,6 +37,7 @@ #include <string.h> #include "src/core/lib/http/httpcli.h" +#include "src/core/lib/iomgr/polling_entity.h" #include "src/core/lib/security/util/b64.h" #include "src/core/lib/tsi/ssl_types.h" @@ -44,6 +45,7 @@ #include <grpc/support/log.h> #include <grpc/support/string_util.h> #include <grpc/support/sync.h> +#include <grpc/support/useful.h> #include <openssl/pem.h> /* --- Utils. --- */ @@ -319,9 +321,15 @@ grpc_jwt_verifier_status grpc_jwt_claims_check(const grpc_jwt_claims *claims, /* --- verifier_cb_ctx object. --- */ +typedef enum { + HTTP_RESPONSE_OPENID = 0, + HTTP_RESPONSE_KEYS, + HTTP_RESPONSE_COUNT /* must be last */ +} http_response_index; + typedef struct { grpc_jwt_verifier *verifier; - grpc_pollset *pollset; + grpc_polling_entity pollent; jose_header *header; grpc_jwt_claims *claims; char *audience; @@ -329,6 +337,7 @@ typedef struct { gpr_slice signed_data; void *user_data; grpc_jwt_verification_done_cb user_cb; + grpc_http_response responses[HTTP_RESPONSE_COUNT]; } verifier_cb_ctx; /* Takes ownership of the header, claims and signature. */ @@ -337,10 +346,11 @@ static verifier_cb_ctx *verifier_cb_ctx_create( grpc_jwt_claims *claims, const char *audience, gpr_slice signature, const char *signed_jwt, size_t signed_jwt_len, void *user_data, grpc_jwt_verification_done_cb cb) { + grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT; verifier_cb_ctx *ctx = gpr_malloc(sizeof(verifier_cb_ctx)); memset(ctx, 0, sizeof(verifier_cb_ctx)); ctx->verifier = verifier; - ctx->pollset = pollset; + ctx->pollent = grpc_polling_entity_create_from_pollset(pollset); ctx->header = header; ctx->audience = gpr_strdup(audience); ctx->claims = claims; @@ -348,6 +358,7 @@ static verifier_cb_ctx *verifier_cb_ctx_create( ctx->signed_data = gpr_slice_from_copied_buffer(signed_jwt, signed_jwt_len); ctx->user_data = user_data; ctx->user_cb = cb; + grpc_exec_ctx_finish(&exec_ctx); return ctx; } @@ -357,6 +368,9 @@ void verifier_cb_ctx_destroy(verifier_cb_ctx *ctx) { gpr_slice_unref(ctx->signature); gpr_slice_unref(ctx->signed_data); jose_header_destroy(ctx->header); + for (size_t i = 0; i < HTTP_RESPONSE_COUNT; i++) { + grpc_http_response_destroy(&ctx->responses[i]); + } /* TODO: see what to do with claims... */ gpr_free(ctx); } @@ -571,9 +585,9 @@ end: } static void on_keys_retrieved(grpc_exec_ctx *exec_ctx, void *user_data, - const grpc_httpcli_response *response) { - grpc_json *json = json_from_http(response); + grpc_error *error) { verifier_cb_ctx *ctx = (verifier_cb_ctx *)user_data; + grpc_json *json = json_from_http(&ctx->responses[HTTP_RESPONSE_KEYS]); EVP_PKEY *verification_key = NULL; grpc_jwt_verifier_status status = GRPC_JWT_VERIFIER_GENERIC_ERROR; grpc_jwt_claims *claims = NULL; @@ -612,10 +626,11 @@ end: } static void on_openid_config_retrieved(grpc_exec_ctx *exec_ctx, void *user_data, - const grpc_httpcli_response *response) { + grpc_error *error) { const grpc_json *cur; - grpc_json *json = json_from_http(response); verifier_cb_ctx *ctx = (verifier_cb_ctx *)user_data; + const grpc_http_response *response = &ctx->responses[HTTP_RESPONSE_OPENID]; + grpc_json *json = json_from_http(response); grpc_httpcli_request req; const char *jwks_uri; @@ -641,10 +656,12 @@ static void on_openid_config_retrieved(grpc_exec_ctx *exec_ctx, void *user_data, } else { *(req.host + (req.http.path - jwks_uri)) = '\0'; } + grpc_httpcli_get( - exec_ctx, &ctx->verifier->http_ctx, ctx->pollset, &req, + exec_ctx, &ctx->verifier->http_ctx, &ctx->pollent, &req, gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), grpc_jwt_verifier_max_delay), - on_keys_retrieved, ctx); + grpc_closure_create(on_keys_retrieved, ctx), + &ctx->responses[HTTP_RESPONSE_KEYS]); grpc_json_destroy(json); gpr_free(req.host); return; @@ -686,12 +703,13 @@ static void verifier_put_mapping(grpc_jwt_verifier *v, const char *email_domain, static void retrieve_key_and_verify(grpc_exec_ctx *exec_ctx, verifier_cb_ctx *ctx) { const char *at_sign; - grpc_httpcli_response_cb http_cb; + grpc_closure *http_cb; char *path_prefix = NULL; const char *iss; grpc_httpcli_request req; memset(&req, 0, sizeof(grpc_httpcli_request)); req.handshaker = &grpc_httpcli_ssl; + http_response_index rsp_idx; GPR_ASSERT(ctx != NULL && ctx->header != NULL && ctx->claims != NULL); iss = ctx->claims->iss; @@ -730,7 +748,8 @@ static void retrieve_key_and_verify(grpc_exec_ctx *exec_ctx, *(path_prefix++) = '\0'; gpr_asprintf(&req.http.path, "/%s/%s", path_prefix, iss); } - http_cb = on_keys_retrieved; + http_cb = grpc_closure_create(on_keys_retrieved, ctx); + rsp_idx = HTTP_RESPONSE_KEYS; } else { req.host = gpr_strdup(strstr(iss, "https://") == iss ? iss + 8 : iss); path_prefix = strchr(req.host, '/'); @@ -741,13 +760,14 @@ static void retrieve_key_and_verify(grpc_exec_ctx *exec_ctx, gpr_asprintf(&req.http.path, "/%s%s", path_prefix, GRPC_OPENID_CONFIG_URL_SUFFIX); } - http_cb = on_openid_config_retrieved; + http_cb = grpc_closure_create(on_openid_config_retrieved, ctx); + rsp_idx = HTTP_RESPONSE_OPENID; } grpc_httpcli_get( - exec_ctx, &ctx->verifier->http_ctx, ctx->pollset, &req, + exec_ctx, &ctx->verifier->http_ctx, &ctx->pollent, &req, gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), grpc_jwt_verifier_max_delay), - http_cb, ctx); + http_cb, &ctx->responses[rsp_idx]); gpr_free(req.host); gpr_free(req.http.path); return; diff --git a/src/core/lib/security/credentials/oauth2/oauth2_credentials.c b/src/core/lib/security/credentials/oauth2/oauth2_credentials.c index 973c6e1d17..1102553dd3 100644 --- a/src/core/lib/security/credentials/oauth2/oauth2_credentials.c +++ b/src/core/lib/security/credentials/oauth2/oauth2_credentials.c @@ -216,9 +216,9 @@ end: return status; } -static void on_oauth2_token_fetcher_http_response( - grpc_exec_ctx *exec_ctx, void *user_data, - const grpc_http_response *response) { +static void on_oauth2_token_fetcher_http_response(grpc_exec_ctx *exec_ctx, + void *user_data, + grpc_error *error) { grpc_credentials_metadata_request *r = (grpc_credentials_metadata_request *)user_data; grpc_oauth2_token_fetcher_credentials *c = @@ -226,9 +226,11 @@ static void on_oauth2_token_fetcher_http_response( gpr_timespec token_lifetime; grpc_credentials_status status; + GRPC_LOG_IF_ERROR("oauth_fetch", GRPC_ERROR_REF(error)); + gpr_mu_lock(&c->mu); status = grpc_oauth2_token_fetcher_credentials_parse_server_response( - response, &c->access_token_md, &token_lifetime); + &r->response, &c->access_token_md, &token_lifetime); if (status == GRPC_CREDENTIALS_OK) { c->token_expiration = gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), token_lifetime); @@ -244,7 +246,7 @@ static void on_oauth2_token_fetcher_http_response( static void oauth2_token_fetcher_get_request_metadata( grpc_exec_ctx *exec_ctx, grpc_call_credentials *creds, - grpc_pollset *pollset, grpc_auth_metadata_context context, + grpc_polling_entity *pollent, grpc_auth_metadata_context context, grpc_credentials_metadata_cb cb, void *user_data) { grpc_oauth2_token_fetcher_credentials *c = (grpc_oauth2_token_fetcher_credentials *)creds; @@ -270,7 +272,7 @@ static void oauth2_token_fetcher_get_request_metadata( c->fetch_func( exec_ctx, grpc_credentials_metadata_request_create(creds, cb, user_data), - &c->httpcli_context, pollset, on_oauth2_token_fetcher_http_response, + &c->httpcli_context, pollent, on_oauth2_token_fetcher_http_response, gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), refresh_threshold)); } } @@ -295,8 +297,8 @@ static grpc_call_credentials_vtable compute_engine_vtable = { static void compute_engine_fetch_oauth2( grpc_exec_ctx *exec_ctx, grpc_credentials_metadata_request *metadata_req, - grpc_httpcli_context *httpcli_context, grpc_pollset *pollset, - grpc_httpcli_response_cb response_cb, gpr_timespec deadline) { + grpc_httpcli_context *httpcli_context, grpc_polling_entity *pollent, + grpc_iomgr_cb_func response_cb, gpr_timespec deadline) { grpc_http_header header = {"Metadata-Flavor", "Google"}; grpc_httpcli_request request; memset(&request, 0, sizeof(grpc_httpcli_request)); @@ -304,8 +306,9 @@ static void compute_engine_fetch_oauth2( request.http.path = GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH; request.http.hdr_count = 1; request.http.hdrs = &header; - grpc_httpcli_get(exec_ctx, httpcli_context, pollset, &request, deadline, - response_cb, metadata_req); + grpc_httpcli_get(exec_ctx, httpcli_context, pollent, &request, deadline, + grpc_closure_create(response_cb, metadata_req), + &metadata_req->response); } grpc_call_credentials *grpc_google_compute_engine_credentials_create( @@ -336,8 +339,8 @@ static grpc_call_credentials_vtable refresh_token_vtable = { static void refresh_token_fetch_oauth2( grpc_exec_ctx *exec_ctx, grpc_credentials_metadata_request *metadata_req, - grpc_httpcli_context *httpcli_context, grpc_pollset *pollset, - grpc_httpcli_response_cb response_cb, gpr_timespec deadline) { + grpc_httpcli_context *httpcli_context, grpc_polling_entity *pollent, + grpc_iomgr_cb_func response_cb, gpr_timespec deadline) { grpc_google_refresh_token_credentials *c = (grpc_google_refresh_token_credentials *)metadata_req->creds; grpc_http_header header = {"Content-Type", @@ -353,8 +356,10 @@ static void refresh_token_fetch_oauth2( request.http.hdr_count = 1; request.http.hdrs = &header; request.handshaker = &grpc_httpcli_ssl; - grpc_httpcli_post(exec_ctx, httpcli_context, pollset, &request, body, - strlen(body), deadline, response_cb, metadata_req); + grpc_httpcli_post(exec_ctx, httpcli_context, pollent, &request, body, + strlen(body), deadline, + grpc_closure_create(response_cb, metadata_req), + &metadata_req->response); gpr_free(body); } @@ -396,7 +401,7 @@ static void access_token_destruct(grpc_call_credentials *creds) { static void access_token_get_request_metadata( grpc_exec_ctx *exec_ctx, grpc_call_credentials *creds, - grpc_pollset *pollset, grpc_auth_metadata_context context, + grpc_polling_entity *pollent, grpc_auth_metadata_context context, grpc_credentials_metadata_cb cb, void *user_data) { grpc_access_token_credentials *c = (grpc_access_token_credentials *)creds; cb(exec_ctx, user_data, c->access_token_md->entries, 1, GRPC_CREDENTIALS_OK); diff --git a/src/core/lib/security/credentials/oauth2/oauth2_credentials.h b/src/core/lib/security/credentials/oauth2/oauth2_credentials.h index 04915b333f..7f6f205c22 100644 --- a/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +++ b/src/core/lib/security/credentials/oauth2/oauth2_credentials.h @@ -70,8 +70,8 @@ void grpc_auth_refresh_token_destruct(grpc_auth_refresh_token *refresh_token); typedef void (*grpc_fetch_oauth2_func)(grpc_exec_ctx *exec_ctx, grpc_credentials_metadata_request *req, grpc_httpcli_context *http_context, - grpc_pollset *pollset, - grpc_httpcli_response_cb response_cb, + grpc_polling_entity *pollent, + grpc_iomgr_cb_func cb, gpr_timespec deadline); typedef struct { grpc_call_credentials base; diff --git a/src/core/lib/security/credentials/plugin/plugin_credentials.c b/src/core/lib/security/credentials/plugin/plugin_credentials.c index bae357321e..9fb55e8466 100644 --- a/src/core/lib/security/credentials/plugin/plugin_credentials.c +++ b/src/core/lib/security/credentials/plugin/plugin_credentials.c @@ -94,7 +94,7 @@ static void plugin_md_request_metadata_ready(void *request, static void plugin_get_request_metadata(grpc_exec_ctx *exec_ctx, grpc_call_credentials *creds, - grpc_pollset *pollset, + grpc_polling_entity *pollent, grpc_auth_metadata_context context, grpc_credentials_metadata_cb cb, void *user_data) { diff --git a/src/core/lib/security/transport/client_auth_filter.c b/src/core/lib/security/transport/client_auth_filter.c index e3cbcb4433..76be2acd72 100644 --- a/src/core/lib/security/transport/client_auth_filter.c +++ b/src/core/lib/security/transport/client_auth_filter.c @@ -54,11 +54,11 @@ typedef struct { grpc_call_credentials *creds; grpc_mdstr *host; grpc_mdstr *method; - /* pollset bound to this call; if we need to make external - network requests, they should be done under this pollset - so that work can progress when this call wants work to - progress */ - grpc_pollset *pollset; + /* pollset{_set} bound to this call; if we need to make external + network requests, they should be done under a pollset added to this + pollset_set so that work can progress when this call wants work to progress + */ + grpc_polling_entity *pollent; grpc_transport_stream_op op; uint8_t security_context_set; grpc_linked_mdelem md_links[MAX_CREDENTIALS_METADATA_COUNT]; @@ -184,9 +184,9 @@ static void send_security_metadata(grpc_exec_ctx *exec_ctx, build_auth_metadata_context(&chand->security_connector->base, chand->auth_context, calld); calld->op = *op; /* Copy op (originates from the caller's stack). */ - GPR_ASSERT(calld->pollset); + GPR_ASSERT(calld->pollent != NULL); grpc_call_credentials_get_request_metadata( - exec_ctx, calld->creds, calld->pollset, calld->auth_md_context, + exec_ctx, calld->creds, calld->pollent, calld->auth_md_context, on_credentials_metadata, elem); } @@ -270,15 +270,16 @@ static void init_call_elem(grpc_exec_ctx *exec_ctx, grpc_call_element *elem, memset(calld, 0, sizeof(*calld)); } -static void set_pollset(grpc_exec_ctx *exec_ctx, grpc_call_element *elem, - grpc_pollset *pollset) { +static void set_pollset_or_pollset_set(grpc_exec_ctx *exec_ctx, + grpc_call_element *elem, + grpc_polling_entity *pollent) { call_data *calld = elem->call_data; - calld->pollset = pollset; + calld->pollent = pollent; } /* Destructor for call_data */ static void destroy_call_elem(grpc_exec_ctx *exec_ctx, grpc_call_element *elem, - void *ignored) { + const grpc_call_stats *stats, void *ignored) { call_data *calld = elem->call_data; grpc_call_credentials_unref(calld->creds); if (calld->host != NULL) { @@ -329,8 +330,14 @@ static void destroy_channel_elem(grpc_exec_ctx *exec_ctx, GRPC_AUTH_CONTEXT_UNREF(chand->auth_context, "client_auth_filter"); } -const grpc_channel_filter grpc_client_auth_filter = { - auth_start_transport_op, grpc_channel_next_op, sizeof(call_data), - init_call_elem, set_pollset, destroy_call_elem, - sizeof(channel_data), init_channel_elem, destroy_channel_elem, - grpc_call_next_get_peer, "client-auth"}; +const grpc_channel_filter grpc_client_auth_filter = {auth_start_transport_op, + grpc_channel_next_op, + sizeof(call_data), + init_call_elem, + set_pollset_or_pollset_set, + destroy_call_elem, + sizeof(channel_data), + init_channel_elem, + destroy_channel_elem, + grpc_call_next_get_peer, + "client-auth"}; diff --git a/src/core/lib/security/transport/handshake.c b/src/core/lib/security/transport/handshake.c index 6561f4b47d..b374ca7633 100644 --- a/src/core/lib/security/transport/handshake.c +++ b/src/core/lib/security/transport/handshake.c @@ -39,8 +39,10 @@ #include <grpc/support/alloc.h> #include <grpc/support/log.h> #include <grpc/support/slice_buffer.h> +#include "src/core/lib/iomgr/timer.h" #include "src/core/lib/security/context/security_context.h" #include "src/core/lib/security/transport/secure_endpoint.h" +#include "src/core/lib/security/transport/tsi_error.h" #define GRPC_INITIAL_HANDSHAKE_BUFFER_SIZE 256 @@ -60,13 +62,16 @@ typedef struct { grpc_closure on_handshake_data_sent_to_peer; grpc_closure on_handshake_data_received_from_peer; grpc_auth_context *auth_context; + grpc_timer timer; + gpr_refcount refs; } grpc_security_handshake; static void on_handshake_data_received_from_peer(grpc_exec_ctx *exec_ctx, - void *setup, bool success); + void *setup, + grpc_error *error); static void on_handshake_data_sent_to_peer(grpc_exec_ctx *exec_ctx, void *setup, - bool success); + grpc_error *error); static void security_connector_remove_handshake(grpc_security_handshake *h) { GPR_ASSERT(!h->is_client_side); @@ -95,16 +100,34 @@ static void security_connector_remove_handshake(grpc_security_handshake *h) { gpr_mu_unlock(&sc->mu); } +static void unref_handshake(grpc_security_handshake *h) { + if (gpr_unref(&h->refs)) { + if (h->handshaker != NULL) tsi_handshaker_destroy(h->handshaker); + if (h->handshake_buffer != NULL) gpr_free(h->handshake_buffer); + gpr_slice_buffer_destroy(&h->left_overs); + gpr_slice_buffer_destroy(&h->outgoing); + gpr_slice_buffer_destroy(&h->incoming); + GRPC_AUTH_CONTEXT_UNREF(h->auth_context, "handshake"); + GRPC_SECURITY_CONNECTOR_UNREF(h->connector, "handshake"); + gpr_free(h); + } +} + static void security_handshake_done(grpc_exec_ctx *exec_ctx, grpc_security_handshake *h, - int is_success) { + grpc_error *error) { + grpc_timer_cancel(exec_ctx, &h->timer); if (!h->is_client_side) { security_connector_remove_handshake(h); } - if (is_success) { + if (error == GRPC_ERROR_NONE) { h->cb(exec_ctx, h->user_data, GRPC_SECURITY_OK, h->secure_endpoint, h->auth_context); } else { + const char *msg = grpc_error_string(error); + gpr_log(GPR_ERROR, "Security handshake failed: %s", msg); + grpc_error_free_string(msg); + if (h->secure_endpoint != NULL) { grpc_endpoint_shutdown(exec_ctx, h->secure_endpoint); grpc_endpoint_destroy(exec_ctx, h->secure_endpoint); @@ -113,14 +136,8 @@ static void security_handshake_done(grpc_exec_ctx *exec_ctx, } h->cb(exec_ctx, h->user_data, GRPC_SECURITY_ERROR, NULL, NULL); } - if (h->handshaker != NULL) tsi_handshaker_destroy(h->handshaker); - if (h->handshake_buffer != NULL) gpr_free(h->handshake_buffer); - gpr_slice_buffer_destroy(&h->left_overs); - gpr_slice_buffer_destroy(&h->outgoing); - gpr_slice_buffer_destroy(&h->incoming); - GRPC_AUTH_CONTEXT_UNREF(h->auth_context, "handshake"); - GRPC_SECURITY_CONNECTOR_UNREF(h->connector, "handshake"); - gpr_free(h); + unref_handshake(h); + GRPC_ERROR_UNREF(error); } static void on_peer_checked(grpc_exec_ctx *exec_ctx, void *user_data, @@ -130,17 +147,20 @@ static void on_peer_checked(grpc_exec_ctx *exec_ctx, void *user_data, tsi_frame_protector *protector; tsi_result result; if (status != GRPC_SECURITY_OK) { - gpr_log(GPR_ERROR, "Error checking peer."); - security_handshake_done(exec_ctx, h, 0); + security_handshake_done( + exec_ctx, h, + grpc_error_set_int(GRPC_ERROR_CREATE("Error checking peer."), + GRPC_ERROR_INT_SECURITY_STATUS, status)); return; } h->auth_context = GRPC_AUTH_CONTEXT_REF(auth_context, "handshake"); result = tsi_handshaker_create_frame_protector(h->handshaker, NULL, &protector); if (result != TSI_OK) { - gpr_log(GPR_ERROR, "Frame protector creation failed with error %s.", - tsi_result_to_string(result)); - security_handshake_done(exec_ctx, h, 0); + security_handshake_done( + exec_ctx, h, + grpc_set_tsi_error_result( + GRPC_ERROR_CREATE("Frame protector creation failed"), result)); return; } h->secure_endpoint = @@ -148,7 +168,7 @@ static void on_peer_checked(grpc_exec_ctx *exec_ctx, void *user_data, h->left_overs.slices, h->left_overs.count); h->left_overs.count = 0; h->left_overs.length = 0; - security_handshake_done(exec_ctx, h, 1); + security_handshake_done(exec_ctx, h, GRPC_ERROR_NONE); return; } @@ -157,9 +177,9 @@ static void check_peer(grpc_exec_ctx *exec_ctx, grpc_security_handshake *h) { tsi_result result = tsi_handshaker_extract_peer(h->handshaker, &peer); if (result != TSI_OK) { - gpr_log(GPR_ERROR, "Peer extraction failed with error %s", - tsi_result_to_string(result)); - security_handshake_done(exec_ctx, h, 0); + security_handshake_done( + exec_ctx, h, grpc_set_tsi_error_result( + GRPC_ERROR_CREATE("Peer extraction failed"), result)); return; } grpc_security_connector_check_peer(exec_ctx, h->connector, peer, @@ -185,9 +205,9 @@ static void send_handshake_bytes_to_peer(grpc_exec_ctx *exec_ctx, } while (result == TSI_INCOMPLETE_DATA); if (result != TSI_OK) { - gpr_log(GPR_ERROR, "Handshake failed with error %s", - tsi_result_to_string(result)); - security_handshake_done(exec_ctx, h, 0); + security_handshake_done(exec_ctx, h, + grpc_set_tsi_error_result( + GRPC_ERROR_CREATE("Handshake failed"), result)); return; } @@ -203,7 +223,7 @@ static void send_handshake_bytes_to_peer(grpc_exec_ctx *exec_ctx, static void on_handshake_data_received_from_peer(grpc_exec_ctx *exec_ctx, void *handshake, - bool success) { + grpc_error *error) { grpc_security_handshake *h = handshake; size_t consumed_slice_size = 0; tsi_result result = TSI_OK; @@ -211,9 +231,10 @@ static void on_handshake_data_received_from_peer(grpc_exec_ctx *exec_ctx, size_t num_left_overs; int has_left_overs_in_current_slice = 0; - if (!success) { - gpr_log(GPR_ERROR, "Read failed."); - security_handshake_done(exec_ctx, h, 0); + if (error != GRPC_ERROR_NONE) { + security_handshake_done( + exec_ctx, h, + GRPC_ERROR_CREATE_REFERENCING("Handshake read failed", &error, 1)); return; } @@ -238,9 +259,9 @@ static void on_handshake_data_received_from_peer(grpc_exec_ctx *exec_ctx, } if (result != TSI_OK) { - gpr_log(GPR_ERROR, "Handshake failed with error %s", - tsi_result_to_string(result)); - security_handshake_done(exec_ctx, h, 0); + security_handshake_done(exec_ctx, h, + grpc_set_tsi_error_result( + GRPC_ERROR_CREATE("Handshake failed"), result)); return; } @@ -270,13 +291,15 @@ static void on_handshake_data_received_from_peer(grpc_exec_ctx *exec_ctx, /* If handshake is NULL, the handshake is done. */ static void on_handshake_data_sent_to_peer(grpc_exec_ctx *exec_ctx, - void *handshake, bool success) { + void *handshake, grpc_error *error) { grpc_security_handshake *h = handshake; /* Make sure that write is OK. */ - if (!success) { - gpr_log(GPR_ERROR, "Write failed."); - if (handshake != NULL) security_handshake_done(exec_ctx, h, 0); + if (error != GRPC_ERROR_NONE) { + if (handshake != NULL) + security_handshake_done( + exec_ctx, h, + GRPC_ERROR_CREATE_REFERENCING("Handshake write failed", &error, 1)); return; } @@ -291,13 +314,19 @@ static void on_handshake_data_sent_to_peer(grpc_exec_ctx *exec_ctx, } } -void grpc_do_security_handshake(grpc_exec_ctx *exec_ctx, - tsi_handshaker *handshaker, - grpc_security_connector *connector, - bool is_client_side, - grpc_endpoint *nonsecure_endpoint, - grpc_security_handshake_done_cb cb, - void *user_data) { +static void on_timeout(grpc_exec_ctx *exec_ctx, void *arg, grpc_error *error) { + grpc_security_handshake *h = arg; + if (error == GRPC_ERROR_NONE) { + grpc_endpoint_shutdown(exec_ctx, h->wrapped_endpoint); + } + unref_handshake(h); +} + +void grpc_do_security_handshake( + grpc_exec_ctx *exec_ctx, tsi_handshaker *handshaker, + grpc_security_connector *connector, bool is_client_side, + grpc_endpoint *nonsecure_endpoint, gpr_timespec deadline, + grpc_security_handshake_done_cb cb, void *user_data) { grpc_security_connector_handshake_list *handshake_node; grpc_security_handshake *h = gpr_malloc(sizeof(grpc_security_handshake)); memset(h, 0, sizeof(grpc_security_handshake)); @@ -309,6 +338,7 @@ void grpc_do_security_handshake(grpc_exec_ctx *exec_ctx, h->wrapped_endpoint = nonsecure_endpoint; h->user_data = user_data; h->cb = cb; + gpr_ref_init(&h->refs, 2); /* timer and handshake proper each get a ref */ grpc_closure_init(&h->on_handshake_data_sent_to_peer, on_handshake_data_sent_to_peer, h); grpc_closure_init(&h->on_handshake_data_received_from_peer, @@ -327,6 +357,8 @@ void grpc_do_security_handshake(grpc_exec_ctx *exec_ctx, gpr_mu_unlock(&server_connector->mu); } send_handshake_bytes_to_peer(exec_ctx, h); + grpc_timer_init(exec_ctx, &h->timer, deadline, on_timeout, h, + gpr_now(deadline.clock_type)); } void grpc_security_handshake_shutdown(grpc_exec_ctx *exec_ctx, diff --git a/src/core/lib/security/transport/handshake.h b/src/core/lib/security/transport/handshake.h index 6ed850b315..c0906dd6af 100644 --- a/src/core/lib/security/transport/handshake.h +++ b/src/core/lib/security/transport/handshake.h @@ -38,13 +38,11 @@ #include "src/core/lib/security/transport/security_connector.h" /* Calls the callback upon completion. Takes owership of handshaker. */ -void grpc_do_security_handshake(grpc_exec_ctx *exec_ctx, - tsi_handshaker *handshaker, - grpc_security_connector *connector, - bool is_client_side, - grpc_endpoint *nonsecure_endpoint, - grpc_security_handshake_done_cb cb, - void *user_data); +void grpc_do_security_handshake( + grpc_exec_ctx *exec_ctx, tsi_handshaker *handshaker, + grpc_security_connector *connector, bool is_client_side, + grpc_endpoint *nonsecure_endpoint, gpr_timespec deadline, + grpc_security_handshake_done_cb cb, void *user_data); void grpc_security_handshake_shutdown(grpc_exec_ctx *exec_ctx, void *handshake); diff --git a/src/core/lib/security/transport/secure_endpoint.c b/src/core/lib/security/transport/secure_endpoint.c index 4438c8e559..7650d68e89 100644 --- a/src/core/lib/security/transport/secure_endpoint.c +++ b/src/core/lib/security/transport/secure_endpoint.c @@ -38,6 +38,7 @@ #include <grpc/support/slice_buffer.h> #include <grpc/support/sync.h> #include "src/core/lib/debug/trace.h" +#include "src/core/lib/security/transport/tsi_error.h" #include "src/core/lib/support/string.h" #include "src/core/lib/tsi/transport_security_interface.h" @@ -126,8 +127,8 @@ static void flush_read_staging_buffer(secure_endpoint *ep, uint8_t **cur, } static void call_read_cb(grpc_exec_ctx *exec_ctx, secure_endpoint *ep, - bool success) { - if (grpc_trace_secure_endpoint) { + grpc_error *error) { + if (false && grpc_trace_secure_endpoint) { size_t i; for (i = 0; i < ep->read_buffer->count; i++) { char *data = gpr_dump_slice(ep->read_buffer->slices[i], @@ -137,11 +138,12 @@ static void call_read_cb(grpc_exec_ctx *exec_ctx, secure_endpoint *ep, } } ep->read_buffer = NULL; - grpc_exec_ctx_enqueue(exec_ctx, ep->read_cb, success, NULL); + grpc_exec_ctx_sched(exec_ctx, ep->read_cb, error, NULL); SECURE_ENDPOINT_UNREF(exec_ctx, ep, "read"); } -static void on_read(grpc_exec_ctx *exec_ctx, void *user_data, bool success) { +static void on_read(grpc_exec_ctx *exec_ctx, void *user_data, + grpc_error *error) { unsigned i; uint8_t keep_looping = 0; tsi_result result = TSI_OK; @@ -149,9 +151,10 @@ static void on_read(grpc_exec_ctx *exec_ctx, void *user_data, bool success) { uint8_t *cur = GPR_SLICE_START_PTR(ep->read_staging_buffer); uint8_t *end = GPR_SLICE_END_PTR(ep->read_staging_buffer); - if (!success) { + if (error != GRPC_ERROR_NONE) { gpr_slice_buffer_reset_and_unref(ep->read_buffer); - call_read_cb(exec_ctx, ep, 0); + call_read_cb(exec_ctx, ep, GRPC_ERROR_CREATE_REFERENCING( + "Secure read failed", &error, 1)); return; } @@ -208,11 +211,12 @@ static void on_read(grpc_exec_ctx *exec_ctx, void *user_data, bool success) { if (result != TSI_OK) { gpr_slice_buffer_reset_and_unref(ep->read_buffer); - call_read_cb(exec_ctx, ep, 0); + call_read_cb(exec_ctx, ep, grpc_set_tsi_error_result( + GRPC_ERROR_CREATE("Unwrap failed"), result)); return; } - call_read_cb(exec_ctx, ep, 1); + call_read_cb(exec_ctx, ep, GRPC_ERROR_NONE); } static void endpoint_read(grpc_exec_ctx *exec_ctx, grpc_endpoint *secure_ep, @@ -226,7 +230,7 @@ static void endpoint_read(grpc_exec_ctx *exec_ctx, grpc_endpoint *secure_ep, if (ep->leftover_bytes.count) { gpr_slice_buffer_swap(&ep->leftover_bytes, &ep->source_buffer); GPR_ASSERT(ep->leftover_bytes.count == 0); - on_read(exec_ctx, ep, 1); + on_read(exec_ctx, ep, GRPC_ERROR_NONE); return; } @@ -252,7 +256,7 @@ static void endpoint_write(grpc_exec_ctx *exec_ctx, grpc_endpoint *secure_ep, gpr_slice_buffer_reset_and_unref(&ep->output_buffer); - if (grpc_trace_secure_endpoint) { + if (false && grpc_trace_secure_endpoint) { for (i = 0; i < slices->count; i++) { char *data = gpr_dump_slice(slices->slices[i], GPR_DUMP_HEX | GPR_DUMP_ASCII); @@ -315,7 +319,10 @@ static void endpoint_write(grpc_exec_ctx *exec_ctx, grpc_endpoint *secure_ep, if (result != TSI_OK) { /* TODO(yangg) do different things according to the error type? */ gpr_slice_buffer_reset_and_unref(&ep->output_buffer); - grpc_exec_ctx_enqueue(exec_ctx, cb, false, NULL); + grpc_exec_ctx_sched( + exec_ctx, cb, + grpc_set_tsi_error_result(GRPC_ERROR_CREATE("Wrap failed"), result), + NULL); return; } diff --git a/src/core/lib/security/transport/security_connector.c b/src/core/lib/security/transport/security_connector.c index 72173e7c9d..f0ee6770e5 100644 --- a/src/core/lib/security/transport/security_connector.c +++ b/src/core/lib/security/transport/security_connector.c @@ -43,12 +43,12 @@ #include <grpc/support/string_util.h> #include "src/core/ext/transport/chttp2/alpn/alpn.h" +#include "src/core/lib/iomgr/load_file.h" #include "src/core/lib/security/context/security_context.h" #include "src/core/lib/security/credentials/credentials.h" #include "src/core/lib/security/transport/handshake.h" #include "src/core/lib/security/transport/secure_endpoint.h" #include "src/core/lib/support/env.h" -#include "src/core/lib/support/load_file.h" #include "src/core/lib/support/string.h" #include "src/core/lib/tsi/fake_transport_security.h" #include "src/core/lib/tsi/ssl_transport_security.h" @@ -127,23 +127,25 @@ void grpc_server_security_connector_shutdown( void grpc_channel_security_connector_do_handshake( grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc, - grpc_endpoint *nonsecure_endpoint, grpc_security_handshake_done_cb cb, - void *user_data) { + grpc_endpoint *nonsecure_endpoint, gpr_timespec deadline, + grpc_security_handshake_done_cb cb, void *user_data) { if (sc == NULL || nonsecure_endpoint == NULL) { cb(exec_ctx, user_data, GRPC_SECURITY_ERROR, NULL, NULL); } else { - sc->do_handshake(exec_ctx, sc, nonsecure_endpoint, cb, user_data); + sc->do_handshake(exec_ctx, sc, nonsecure_endpoint, deadline, cb, user_data); } } void grpc_server_security_connector_do_handshake( grpc_exec_ctx *exec_ctx, grpc_server_security_connector *sc, grpc_tcp_server_acceptor *acceptor, grpc_endpoint *nonsecure_endpoint, - grpc_security_handshake_done_cb cb, void *user_data) { + gpr_timespec deadline, grpc_security_handshake_done_cb cb, + void *user_data) { if (sc == NULL || nonsecure_endpoint == NULL) { cb(exec_ctx, user_data, GRPC_SECURITY_ERROR, NULL, NULL); } else { - sc->do_handshake(exec_ctx, sc, acceptor, nonsecure_endpoint, cb, user_data); + sc->do_handshake(exec_ctx, sc, acceptor, nonsecure_endpoint, deadline, cb, + user_data); } } @@ -310,20 +312,23 @@ static void fake_channel_check_call_host(grpc_exec_ctx *exec_ctx, static void fake_channel_do_handshake(grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc, grpc_endpoint *nonsecure_endpoint, + gpr_timespec deadline, grpc_security_handshake_done_cb cb, void *user_data) { grpc_do_security_handshake(exec_ctx, tsi_create_fake_handshaker(1), &sc->base, - true, nonsecure_endpoint, cb, user_data); + true, nonsecure_endpoint, deadline, cb, user_data); } static void fake_server_do_handshake(grpc_exec_ctx *exec_ctx, grpc_server_security_connector *sc, grpc_tcp_server_acceptor *acceptor, grpc_endpoint *nonsecure_endpoint, + gpr_timespec deadline, grpc_security_handshake_done_cb cb, void *user_data) { grpc_do_security_handshake(exec_ctx, tsi_create_fake_handshaker(0), &sc->base, - false, nonsecure_endpoint, cb, user_data); + false, nonsecure_endpoint, deadline, cb, + user_data); } static grpc_security_connector_vtable fake_channel_vtable = { @@ -413,6 +418,7 @@ static grpc_security_status ssl_create_handshaker( static void ssl_channel_do_handshake(grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc, grpc_endpoint *nonsecure_endpoint, + gpr_timespec deadline, grpc_security_handshake_done_cb cb, void *user_data) { grpc_ssl_channel_security_connector *c = @@ -427,7 +433,7 @@ static void ssl_channel_do_handshake(grpc_exec_ctx *exec_ctx, cb(exec_ctx, user_data, status, NULL, NULL); } else { grpc_do_security_handshake(exec_ctx, handshaker, &sc->base, true, - nonsecure_endpoint, cb, user_data); + nonsecure_endpoint, deadline, cb, user_data); } } @@ -435,6 +441,7 @@ static void ssl_server_do_handshake(grpc_exec_ctx *exec_ctx, grpc_server_security_connector *sc, grpc_tcp_server_acceptor *acceptor, grpc_endpoint *nonsecure_endpoint, + gpr_timespec deadline, grpc_security_handshake_done_cb cb, void *user_data) { grpc_ssl_server_security_connector *c = @@ -446,7 +453,7 @@ static void ssl_server_do_handshake(grpc_exec_ctx *exec_ctx, cb(exec_ctx, user_data, status, NULL, NULL); } else { grpc_do_security_handshake(exec_ctx, handshaker, &sc->base, false, - nonsecure_endpoint, cb, user_data); + nonsecure_endpoint, deadline, cb, user_data); } } @@ -635,7 +642,8 @@ static gpr_slice compute_default_pem_root_certs_once(void) { char *default_root_certs_path = gpr_getenv(GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR); if (default_root_certs_path != NULL) { - result = gpr_load_file(default_root_certs_path, 0, NULL); + GRPC_LOG_IF_ERROR("load_file", + grpc_load_file(default_root_certs_path, 0, &result)); gpr_free(default_root_certs_path); } @@ -653,7 +661,8 @@ static gpr_slice compute_default_pem_root_certs_once(void) { /* Fall back to installed certs if needed. */ if (GPR_SLICE_IS_EMPTY(result) && ovrd_res != GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY) { - result = gpr_load_file(installed_roots_path, 0, NULL); + GRPC_LOG_IF_ERROR("load_file", + grpc_load_file(installed_roots_path, 0, &result)); } return result; } diff --git a/src/core/lib/security/transport/security_connector.h b/src/core/lib/security/transport/security_connector.h index 84e586deaa..c2ddf5ee1e 100644 --- a/src/core/lib/security/transport/security_connector.h +++ b/src/core/lib/security/transport/security_connector.h @@ -143,7 +143,7 @@ struct grpc_channel_security_connector { grpc_security_call_host_check_cb cb, void *user_data); void (*do_handshake)(grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc, - grpc_endpoint *nonsecure_endpoint, + grpc_endpoint *nonsecure_endpoint, gpr_timespec deadline, grpc_security_handshake_done_cb cb, void *user_data); }; @@ -156,8 +156,8 @@ void grpc_channel_security_connector_check_call_host( /* Handshake. */ void grpc_channel_security_connector_do_handshake( grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *connector, - grpc_endpoint *nonsecure_endpoint, grpc_security_handshake_done_cb cb, - void *user_data); + grpc_endpoint *nonsecure_endpoint, gpr_timespec deadline, + grpc_security_handshake_done_cb cb, void *user_data); /* --- server_security_connector object. --- @@ -174,14 +174,14 @@ struct grpc_server_security_connector { void (*do_handshake)(grpc_exec_ctx *exec_ctx, grpc_server_security_connector *sc, grpc_tcp_server_acceptor *acceptor, - grpc_endpoint *nonsecure_endpoint, + grpc_endpoint *nonsecure_endpoint, gpr_timespec deadline, grpc_security_handshake_done_cb cb, void *user_data); }; void grpc_server_security_connector_do_handshake( grpc_exec_ctx *exec_ctx, grpc_server_security_connector *sc, grpc_tcp_server_acceptor *acceptor, grpc_endpoint *nonsecure_endpoint, - grpc_security_handshake_done_cb cb, void *user_data); + gpr_timespec deadline, grpc_security_handshake_done_cb cb, void *user_data); void grpc_server_security_connector_shutdown( grpc_exec_ctx *exec_ctx, grpc_server_security_connector *connector); diff --git a/src/core/lib/security/transport/server_auth_filter.c b/src/core/lib/security/transport/server_auth_filter.c index 006a30f0c6..12e789bde9 100644 --- a/src/core/lib/security/transport/server_auth_filter.c +++ b/src/core/lib/security/transport/server_auth_filter.c @@ -128,7 +128,7 @@ static void on_md_processing_done( grpc_metadata_batch_filter(calld->recv_initial_metadata, remove_consumed_md, elem); grpc_metadata_array_destroy(&calld->md); - calld->on_done_recv->cb(&exec_ctx, calld->on_done_recv->cb_arg, 1); + grpc_exec_ctx_sched(&exec_ctx, calld->on_done_recv, GRPC_ERROR_NONE, NULL); } else { gpr_slice message; grpc_transport_stream_op close_op; @@ -146,18 +146,21 @@ static void on_md_processing_done( calld->transport_op.send_trailing_metadata = NULL; grpc_transport_stream_op_add_close(&close_op, status, &message); grpc_call_next_op(&exec_ctx, elem, &close_op); - calld->on_done_recv->cb(&exec_ctx, calld->on_done_recv->cb_arg, 0); + grpc_exec_ctx_sched(&exec_ctx, calld->on_done_recv, + grpc_error_set_int(GRPC_ERROR_CREATE(error_details), + GRPC_ERROR_INT_GRPC_STATUS, status), + NULL); } grpc_exec_ctx_finish(&exec_ctx); } static void auth_on_recv(grpc_exec_ctx *exec_ctx, void *user_data, - bool success) { + grpc_error *error) { grpc_call_element *elem = user_data; call_data *calld = elem->call_data; channel_data *chand = elem->channel_data; - if (success) { + if (error == GRPC_ERROR_NONE) { if (chand->creds->processor.process != NULL) { calld->md = metadata_batch_to_md_array(calld->recv_initial_metadata); chand->creds->processor.process( @@ -166,7 +169,8 @@ static void auth_on_recv(grpc_exec_ctx *exec_ctx, void *user_data, return; } } - calld->on_done_recv->cb(exec_ctx, calld->on_done_recv->cb_arg, success); + grpc_exec_ctx_sched(exec_ctx, calld->on_done_recv, GRPC_ERROR_REF(error), + NULL); } static void set_recv_ops_md_callbacks(grpc_call_element *elem, @@ -220,12 +224,9 @@ static void init_call_elem(grpc_exec_ctx *exec_ctx, grpc_call_element *elem, grpc_server_security_context_destroy; } -static void set_pollset(grpc_exec_ctx *exec_ctx, grpc_call_element *elem, - grpc_pollset *pollset) {} - /* Destructor for call_data */ static void destroy_call_elem(grpc_exec_ctx *exec_ctx, grpc_call_element *elem, - void *ignored) {} + const grpc_call_stats *stats, void *ignored) {} /* Constructor for channel_data */ static void init_channel_elem(grpc_exec_ctx *exec_ctx, @@ -258,7 +259,14 @@ static void destroy_channel_elem(grpc_exec_ctx *exec_ctx, } const grpc_channel_filter grpc_server_auth_filter = { - auth_start_transport_op, grpc_channel_next_op, sizeof(call_data), - init_call_elem, set_pollset, destroy_call_elem, - sizeof(channel_data), init_channel_elem, destroy_channel_elem, - grpc_call_next_get_peer, "server-auth"}; + auth_start_transport_op, + grpc_channel_next_op, + sizeof(call_data), + init_call_elem, + grpc_call_stack_ignore_set_pollset_or_pollset_set, + destroy_call_elem, + sizeof(channel_data), + init_channel_elem, + destroy_channel_elem, + grpc_call_next_get_peer, + "server-auth"}; diff --git a/src/core/lib/security/transport/tsi_error.c b/src/core/lib/security/transport/tsi_error.c new file mode 100644 index 0000000000..afc1733567 --- /dev/null +++ b/src/core/lib/security/transport/tsi_error.c @@ -0,0 +1,40 @@ +/* + * + * Copyright 2015, Google Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following disclaimer + * in the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Google Inc. nor the names of its + * contributors may be used to endorse or promote products derived from + * this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include "src/core/lib/security/transport/tsi_error.h" + +grpc_error *grpc_set_tsi_error_result(grpc_error *error, tsi_result result) { + return grpc_error_set_int(grpc_error_set_str(error, GRPC_ERROR_STR_TSI_ERROR, + tsi_result_to_string(result)), + GRPC_ERROR_INT_TSI_CODE, result); +} diff --git a/src/core/lib/security/transport/tsi_error.h b/src/core/lib/security/transport/tsi_error.h new file mode 100644 index 0000000000..636fbb89cf --- /dev/null +++ b/src/core/lib/security/transport/tsi_error.h @@ -0,0 +1,42 @@ +/* + * + * Copyright 2015, Google Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following disclaimer + * in the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Google Inc. nor the names of its + * contributors may be used to endorse or promote products derived from + * this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef GRPC_CORE_LIB_SECURITY_TRANSPORT_TSI_ERROR_H +#define GRPC_CORE_LIB_SECURITY_TRANSPORT_TSI_ERROR_H + +#include "src/core/lib/iomgr/error.h" +#include "src/core/lib/tsi/transport_security_interface.h" + +grpc_error *grpc_set_tsi_error_result(grpc_error *error, tsi_result result); + +#endif /* GRPC_CORE_LIB_SECURITY_TRANSPORT_TSI_ERROR_H */ |