diff options
Diffstat (limited to 'src/core/security')
| -rw-r--r-- | src/core/security/client_auth_filter.c | 26 | ||||
| -rw-r--r-- | src/core/security/credentials.c | 64 | ||||
| -rw-r--r-- | src/core/security/credentials.h | 11 | ||||
| -rw-r--r-- | src/core/security/google_default_credentials.c | 33 | ||||
| -rw-r--r-- | src/core/security/server_secure_chttp2.c | 14 |
5 files changed, 86 insertions, 62 deletions
diff --git a/src/core/security/client_auth_filter.c b/src/core/security/client_auth_filter.c index 0867bd7053..d11706ece0 100644 --- a/src/core/security/client_auth_filter.c +++ b/src/core/security/client_auth_filter.c @@ -53,6 +53,7 @@ typedef struct { grpc_credentials *creds; grpc_mdstr *host; grpc_mdstr *method; + grpc_pollset *pollset; grpc_transport_op op; size_t op_md_idx; int sent_initial_metadata; @@ -161,8 +162,9 @@ static void send_security_metadata(grpc_call_element *elem, service_url = build_service_url(chand->security_connector->base.url_scheme, calld); calld->op = *op; /* Copy op (originates from the caller's stack). */ - grpc_credentials_get_request_metadata(calld->creds, service_url, - on_credentials_metadata, elem); + GPR_ASSERT(calld->pollset); + grpc_credentials_get_request_metadata( + calld->creds, calld->pollset, service_url, on_credentials_metadata, elem); gpr_free(service_url); } @@ -196,6 +198,10 @@ static void auth_start_transport_op(grpc_call_element *elem, /* TODO(jboeuf): write the call auth context. */ + if (op->bind_pollset) { + calld->pollset = op->bind_pollset; + } + if (op->send_ops && !calld->sent_initial_metadata) { size_t nops = op->send_ops->nops; grpc_stream_op *ops = op->send_ops->ops; @@ -258,6 +264,7 @@ static void init_call_elem(grpc_call_element *elem, calld->creds = NULL; calld->host = NULL; calld->method = NULL; + calld->pollset = NULL; calld->sent_initial_metadata = 0; GPR_ASSERT(!initial_op || !initial_op->send_ops); @@ -296,13 +303,10 @@ static void init_channel_elem(grpc_channel_element *elem, chand->security_connector = (grpc_channel_security_connector *)grpc_security_connector_ref(sc); chand->md_ctx = metadata_context; - chand->authority_string = - grpc_mdstr_from_string(chand->md_ctx, ":authority"); + chand->authority_string = grpc_mdstr_from_string(chand->md_ctx, ":authority"); chand->path_string = grpc_mdstr_from_string(chand->md_ctx, ":path"); - chand->error_msg_key = - grpc_mdstr_from_string(chand->md_ctx, "grpc-message"); - chand->status_key = - grpc_mdstr_from_string(chand->md_ctx, "grpc-status"); + chand->error_msg_key = grpc_mdstr_from_string(chand->md_ctx, "grpc-message"); + chand->status_key = grpc_mdstr_from_string(chand->md_ctx, "grpc-status"); } /* Destructor for channel data */ @@ -326,6 +330,6 @@ static void destroy_channel_elem(grpc_channel_element *elem) { } const grpc_channel_filter grpc_client_auth_filter = { - auth_start_transport_op, channel_op, sizeof(call_data), init_call_elem, - destroy_call_elem, sizeof(channel_data), init_channel_elem, - destroy_channel_elem, "client-auth"}; + auth_start_transport_op, channel_op, sizeof(call_data), + init_call_elem, destroy_call_elem, sizeof(channel_data), + init_channel_elem, destroy_channel_elem, "client-auth"}; diff --git a/src/core/security/credentials.c b/src/core/security/credentials.c index f1ae6cecbc..cf663faf2d 100644 --- a/src/core/security/credentials.c +++ b/src/core/security/credentials.c @@ -106,6 +106,7 @@ int grpc_credentials_has_request_metadata_only(grpc_credentials *creds) { } void grpc_credentials_get_request_metadata(grpc_credentials *creds, + grpc_pollset *pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { @@ -116,7 +117,8 @@ void grpc_credentials_get_request_metadata(grpc_credentials *creds, } return; } - creds->vtable->get_request_metadata(creds, service_url, cb, user_data); + creds->vtable->get_request_metadata(creds, pollset, service_url, cb, + user_data); } grpc_security_status grpc_credentials_create_security_connector( @@ -191,9 +193,7 @@ static void ssl_server_destroy(grpc_server_credentials *creds) { gpr_free(creds); } -static int ssl_has_request_metadata(const grpc_credentials *creds) { - return 0; -} +static int ssl_has_request_metadata(const grpc_credentials *creds) { return 0; } static int ssl_has_request_metadata_only(const grpc_credentials *creds) { return 0; @@ -368,8 +368,8 @@ static int jwt_has_request_metadata_only(const grpc_credentials *creds) { return 1; } - static void jwt_get_request_metadata(grpc_credentials *creds, + grpc_pollset *pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { @@ -450,6 +450,8 @@ grpc_credentials *grpc_jwt_credentials_create(const char *json_key, from an http service. */ typedef void (*grpc_fetch_oauth2_func)(grpc_credentials_metadata_request *req, + grpc_httpcli_context *http_context, + grpc_pollset *pollset, grpc_httpcli_response_cb response_cb, gpr_timespec deadline); @@ -458,6 +460,8 @@ typedef struct { gpr_mu mu; grpc_credentials_md_store *access_token_md; gpr_timespec token_expiration; + grpc_httpcli_context httpcli_context; + grpc_pollset_set pollset_set; grpc_fetch_oauth2_func fetch_func; } grpc_oauth2_token_fetcher_credentials; @@ -466,6 +470,7 @@ static void oauth2_token_fetcher_destroy(grpc_credentials *creds) { (grpc_oauth2_token_fetcher_credentials *)creds; grpc_credentials_md_store_unref(c->access_token_md); gpr_mu_destroy(&c->mu); + grpc_httpcli_context_destroy(&c->httpcli_context); gpr_free(c); } @@ -481,8 +486,8 @@ static int oauth2_token_fetcher_has_request_metadata_only( grpc_credentials_status grpc_oauth2_token_fetcher_credentials_parse_server_response( - const grpc_httpcli_response *response, - grpc_credentials_md_store **token_md, gpr_timespec *token_lifetime) { + const grpc_httpcli_response *response, grpc_credentials_md_store **token_md, + gpr_timespec *token_lifetime) { char *null_terminated_body = NULL; char *new_access_token = NULL; grpc_credentials_status status = GRPC_CREDENTIALS_OK; @@ -593,7 +598,7 @@ static void on_oauth2_token_fetcher_http_response( } static void oauth2_token_fetcher_get_request_metadata( - grpc_credentials *creds, const char *service_url, + grpc_credentials *creds, grpc_pollset *pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { grpc_oauth2_token_fetcher_credentials *c = (grpc_oauth2_token_fetcher_credentials *)creds; @@ -605,7 +610,8 @@ static void oauth2_token_fetcher_get_request_metadata( if (c->access_token_md != NULL && (gpr_time_cmp(gpr_time_sub(c->token_expiration, gpr_now()), refresh_threshold) > 0)) { - cached_access_token_md = grpc_credentials_md_store_ref(c->access_token_md); + cached_access_token_md = + grpc_credentials_md_store_ref(c->access_token_md); } gpr_mu_unlock(&c->mu); } @@ -616,7 +622,7 @@ static void oauth2_token_fetcher_get_request_metadata( } else { c->fetch_func( grpc_credentials_metadata_request_create(creds, cb, user_data), - on_oauth2_token_fetcher_http_response, + &c->httpcli_context, pollset, on_oauth2_token_fetcher_http_response, gpr_time_add(gpr_now(), refresh_threshold)); } } @@ -629,6 +635,7 @@ static void init_oauth2_token_fetcher(grpc_oauth2_token_fetcher_credentials *c, gpr_mu_init(&c->mu); c->token_expiration = gpr_inf_past; c->fetch_func = fetch_func; + grpc_pollset_set_init(&c->pollset_set); } /* -- ComputeEngine credentials. -- */ @@ -640,6 +647,7 @@ static grpc_credentials_vtable compute_engine_vtable = { static void compute_engine_fetch_oauth2( grpc_credentials_metadata_request *metadata_req, + grpc_httpcli_context *httpcli_context, grpc_pollset *pollset, grpc_httpcli_response_cb response_cb, gpr_timespec deadline) { grpc_httpcli_header header = {"Metadata-Flavor", "Google"}; grpc_httpcli_request request; @@ -648,7 +656,8 @@ static void compute_engine_fetch_oauth2( request.path = GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH; request.hdr_count = 1; request.hdrs = &header; - grpc_httpcli_get(&request, deadline, response_cb, metadata_req); + grpc_httpcli_get(httpcli_context, pollset, &request, deadline, response_cb, + metadata_req); } grpc_credentials *grpc_compute_engine_credentials_create(void) { @@ -683,6 +692,7 @@ static grpc_credentials_vtable service_account_vtable = { static void service_account_fetch_oauth2( grpc_credentials_metadata_request *metadata_req, + grpc_httpcli_context *httpcli_context, grpc_pollset *pollset, grpc_httpcli_response_cb response_cb, gpr_timespec deadline) { grpc_service_account_credentials *c = (grpc_service_account_credentials *)metadata_req->creds; @@ -708,8 +718,8 @@ static void service_account_fetch_oauth2( request.hdr_count = 1; request.hdrs = &header; request.use_ssl = 1; - grpc_httpcli_post(&request, body, strlen(body), deadline, response_cb, - metadata_req); + grpc_httpcli_post(httpcli_context, pollset, &request, body, strlen(body), + deadline, response_cb, metadata_req); gpr_free(body); gpr_free(jwt); } @@ -743,8 +753,7 @@ typedef struct { } grpc_refresh_token_credentials; static void refresh_token_destroy(grpc_credentials *creds) { - grpc_refresh_token_credentials *c = - (grpc_refresh_token_credentials *)creds; + grpc_refresh_token_credentials *c = (grpc_refresh_token_credentials *)creds; grpc_auth_refresh_token_destruct(&c->refresh_token); oauth2_token_fetcher_destroy(&c->base.base); } @@ -756,6 +765,7 @@ static grpc_credentials_vtable refresh_token_vtable = { static void refresh_token_fetch_oauth2( grpc_credentials_metadata_request *metadata_req, + grpc_httpcli_context *httpcli_context, grpc_pollset *pollset, grpc_httpcli_response_cb response_cb, gpr_timespec deadline) { grpc_refresh_token_credentials *c = (grpc_refresh_token_credentials *)metadata_req->creds; @@ -772,8 +782,8 @@ static void refresh_token_fetch_oauth2( request.hdr_count = 1; request.hdrs = &header; request.use_ssl = 1; - grpc_httpcli_post(&request, body, strlen(body), deadline, response_cb, - metadata_req); + grpc_httpcli_post(httpcli_context, pollset, &request, body, strlen(body), + deadline, response_cb, metadata_req); gpr_free(body); } @@ -784,8 +794,7 @@ grpc_credentials *grpc_refresh_token_credentials_create( grpc_auth_refresh_token_create_from_string(json_refresh_token); if (!grpc_auth_refresh_token_is_valid(&refresh_token)) { - gpr_log(GPR_ERROR, - "Invalid input for refresh token credentials creation"); + gpr_log(GPR_ERROR, "Invalid input for refresh token credentials creation"); return NULL; } c = gpr_malloc(sizeof(grpc_refresh_token_credentials)); @@ -830,6 +839,7 @@ void on_simulated_token_fetch_done(void *user_data, int success) { } static void fake_oauth2_get_request_metadata(grpc_credentials *creds, + grpc_pollset *pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { @@ -888,8 +898,7 @@ static int fake_transport_security_has_request_metadata_only( return 0; } -static grpc_security_status -fake_transport_security_create_security_connector( +static grpc_security_status fake_transport_security_create_security_connector( grpc_credentials *c, const char *target, const grpc_channel_args *args, grpc_credentials *request_metadata_creds, grpc_channel_security_connector **sc, grpc_channel_args **new_args) { @@ -947,6 +956,7 @@ typedef struct { grpc_credentials_md_store *md_elems; char *service_url; void *user_data; + grpc_pollset *pollset; grpc_credentials_metadata_cb cb; } grpc_composite_credentials_metadata_context; @@ -1015,7 +1025,8 @@ static void composite_metadata_cb(void *user_data, grpc_credentials *inner_creds = ctx->composite_creds->inner.creds_array[ctx->creds_index++]; if (grpc_credentials_has_request_metadata(inner_creds)) { - grpc_credentials_get_request_metadata(inner_creds, ctx->service_url, + grpc_credentials_get_request_metadata(inner_creds, ctx->pollset, + ctx->service_url, composite_metadata_cb, ctx); return; } @@ -1028,6 +1039,7 @@ static void composite_metadata_cb(void *user_data, } static void composite_get_request_metadata(grpc_credentials *creds, + grpc_pollset *pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { @@ -1043,11 +1055,12 @@ static void composite_get_request_metadata(grpc_credentials *creds, ctx->user_data = user_data; ctx->cb = cb; ctx->composite_creds = c; + ctx->pollset = pollset; ctx->md_elems = grpc_credentials_md_store_create(c->inner.num_creds); while (ctx->creds_index < c->inner.num_creds) { grpc_credentials *inner_creds = c->inner.creds_array[ctx->creds_index++]; if (grpc_credentials_has_request_metadata(inner_creds)) { - grpc_credentials_get_request_metadata(inner_creds, service_url, + grpc_credentials_get_request_metadata(inner_creds, pollset, service_url, composite_metadata_cb, ctx); return; } @@ -1178,15 +1191,14 @@ static void iam_destroy(grpc_credentials *creds) { gpr_free(c); } -static int iam_has_request_metadata(const grpc_credentials *creds) { - return 1; -} +static int iam_has_request_metadata(const grpc_credentials *creds) { return 1; } static int iam_has_request_metadata_only(const grpc_credentials *creds) { return 1; } static void iam_get_request_metadata(grpc_credentials *creds, + grpc_pollset *pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { diff --git a/src/core/security/credentials.h b/src/core/security/credentials.h index 4768ce6990..75af73a0c6 100644 --- a/src/core/security/credentials.h +++ b/src/core/security/credentials.h @@ -108,7 +108,6 @@ grpc_credentials_md_store *grpc_credentials_md_store_ref( grpc_credentials_md_store *store); void grpc_credentials_md_store_unref(grpc_credentials_md_store *store); - /* --- grpc_credentials. --- */ /* It is the caller's responsibility to gpr_free the result if not NULL. */ @@ -123,7 +122,7 @@ typedef struct { void (*destroy)(grpc_credentials *c); int (*has_request_metadata)(const grpc_credentials *c); int (*has_request_metadata_only)(const grpc_credentials *c); - void (*get_request_metadata)(grpc_credentials *c, + void (*get_request_metadata)(grpc_credentials *c, grpc_pollset *pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data); @@ -131,7 +130,6 @@ typedef struct { grpc_credentials *c, const char *target, const grpc_channel_args *args, grpc_credentials *request_metadata_creds, grpc_channel_security_connector **sc, grpc_channel_args **new_args); - } grpc_credentials_vtable; struct grpc_credentials { @@ -145,6 +143,7 @@ void grpc_credentials_unref(grpc_credentials *creds); int grpc_credentials_has_request_metadata(grpc_credentials *creds); int grpc_credentials_has_request_metadata_only(grpc_credentials *creds); void grpc_credentials_get_request_metadata(grpc_credentials *creds, + grpc_pollset *pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data); @@ -177,8 +176,8 @@ grpc_credentials *grpc_credentials_contains_type( /* Exposed for testing only. */ grpc_credentials_status grpc_oauth2_token_fetcher_credentials_parse_server_response( - const struct grpc_httpcli_response *response, grpc_credentials_md_store **token_md, - gpr_timespec *token_lifetime); + const struct grpc_httpcli_response *response, + grpc_credentials_md_store **token_md, gpr_timespec *token_lifetime); /* Simulates an oauth2 token fetch with the specified value for testing. */ grpc_credentials *grpc_fake_oauth2_credentials_create( @@ -200,4 +199,4 @@ struct grpc_server_credentials { grpc_security_status grpc_server_credentials_create_security_connector( grpc_server_credentials *creds, grpc_security_connector **sc); -#endif /* GRPC_INTERNAL_CORE_SECURITY_CREDENTIALS_H */ +#endif /* GRPC_INTERNAL_CORE_SECURITY_CREDENTIALS_H */ diff --git a/src/core/security/google_default_credentials.c b/src/core/security/google_default_credentials.c index 0e4b9fc9d3..5822ce6337 100644 --- a/src/core/security/google_default_credentials.c +++ b/src/core/security/google_default_credentials.c @@ -55,13 +55,10 @@ static int compute_engine_detection_done = 0; static gpr_mu g_mu; static gpr_once g_once = GPR_ONCE_INIT; -static void init_default_credentials(void) { - gpr_mu_init(&g_mu); -} +static void init_default_credentials(void) { gpr_mu_init(&g_mu); } typedef struct { - gpr_cv cv; - gpr_mu mu; + grpc_pollset pollset; int is_done; int success; } compute_engine_detector; @@ -82,22 +79,22 @@ static void on_compute_engine_detection_http_response( } } } - gpr_mu_lock(&detector->mu); + gpr_mu_lock(GRPC_POLLSET_MU(&detector->pollset)); detector->is_done = 1; - gpr_mu_unlock(&detector->mu); - gpr_cv_signal(&detector->cv); + grpc_pollset_kick(&detector->pollset); + gpr_mu_unlock(GRPC_POLLSET_MU(&detector->pollset)); } static int is_stack_running_on_compute_engine(void) { compute_engine_detector detector; grpc_httpcli_request request; + grpc_httpcli_context context; /* The http call is local. If it takes more than one sec, it is for sure not on compute engine. */ gpr_timespec max_detection_delay = {1, 0}; - gpr_mu_init(&detector.mu); - gpr_cv_init(&detector.cv); + grpc_pollset_init(&detector.pollset); detector.is_done = 0; detector.success = 0; @@ -105,19 +102,23 @@ static int is_stack_running_on_compute_engine(void) { request.host = GRPC_COMPUTE_ENGINE_DETECTION_HOST; request.path = "/"; - grpc_httpcli_get(&request, gpr_time_add(gpr_now(), max_detection_delay), + grpc_httpcli_context_init(&context); + + grpc_httpcli_get(&context, &detector.pollset, &request, + gpr_time_add(gpr_now(), max_detection_delay), on_compute_engine_detection_http_response, &detector); /* Block until we get the response. This is not ideal but this should only be called once for the lifetime of the process by the default credentials. */ - gpr_mu_lock(&detector.mu); + gpr_mu_lock(GRPC_POLLSET_MU(&detector.pollset)); while (!detector.is_done) { - gpr_cv_wait(&detector.cv, &detector.mu, gpr_inf_future); + grpc_pollset_work(&detector.pollset, gpr_inf_future); } - gpr_mu_unlock(&detector.mu); + gpr_mu_unlock(GRPC_POLLSET_MU(&detector.pollset)); + + grpc_httpcli_context_destroy(&context); + grpc_pollset_destroy(&detector.pollset); - gpr_mu_destroy(&detector.mu); - gpr_cv_destroy(&detector.cv); return detector.success; } diff --git a/src/core/security/server_secure_chttp2.c b/src/core/security/server_secure_chttp2.c index 3519930f38..b312bdd0b6 100644 --- a/src/core/security/server_secure_chttp2.c +++ b/src/core/security/server_secure_chttp2.c @@ -66,6 +66,10 @@ static void state_ref(grpc_server_secure_state *state) { static void state_unref(grpc_server_secure_state *state) { if (gpr_unref(&state->refcount)) { + /* ensure all threads have unlocked */ + gpr_mu_lock(&state->mu); + gpr_mu_unlock(&state->mu); + /* clean up */ grpc_security_connector_unref(state->sc); gpr_free(state); } @@ -124,16 +128,20 @@ static void start(grpc_server *server, void *statep, grpc_pollset **pollsets, grpc_tcp_server_start(state->tcp, pollsets, pollset_count, on_accept, state); } +static void destroy_done(void *statep) { + grpc_server_secure_state *state = statep; + grpc_server_listener_destroy_done(state->server); + state_unref(state); +} + /* Server callback: destroy the tcp listener (so we don't generate further callbacks) */ static void destroy(grpc_server *server, void *statep) { grpc_server_secure_state *state = statep; gpr_mu_lock(&state->mu); state->is_shutdown = 1; - grpc_tcp_server_destroy(state->tcp, grpc_server_listener_destroy_done, - server); + grpc_tcp_server_destroy(state->tcp, destroy_done, state); gpr_mu_unlock(&state->mu); - state_unref(state); } int grpc_server_add_secure_http2_port(grpc_server *server, const char *addr, |