diff options
Diffstat (limited to 'src/core')
-rw-r--r-- | src/core/security/client_auth_filter.c | 30 | ||||
-rw-r--r-- | src/core/security/credentials.c | 441 | ||||
-rw-r--r-- | src/core/security/credentials.h | 16 | ||||
-rw-r--r-- | src/core/security/google_default_credentials.c | 53 | ||||
-rw-r--r-- | src/core/security/security_connector.c | 29 | ||||
-rw-r--r-- | src/core/security/security_connector.h | 11 | ||||
-rw-r--r-- | src/core/security/security_context.c | 14 | ||||
-rw-r--r-- | src/core/security/security_context.h | 2 | ||||
-rw-r--r-- | src/core/surface/secure_channel_create.c | 8 |
9 files changed, 229 insertions, 375 deletions
diff --git a/src/core/security/client_auth_filter.c b/src/core/security/client_auth_filter.c index 635982b252..f257502a98 100644 --- a/src/core/security/client_auth_filter.c +++ b/src/core/security/client_auth_filter.c @@ -50,7 +50,7 @@ /* We can have a per-call credentials. */ typedef struct { - grpc_credentials *creds; + grpc_call_credentials *creds; grpc_mdstr *host; grpc_mdstr *method; /* pollset bound to this call; if we need to make external @@ -146,39 +146,35 @@ static void send_security_metadata(grpc_exec_ctx *exec_ctx, channel_data *chand = elem->channel_data; grpc_client_security_context *ctx = (grpc_client_security_context *)op->context[GRPC_CONTEXT_SECURITY].value; - grpc_credentials *channel_creds = + grpc_call_credentials *channel_call_creds = chand->security_connector->request_metadata_creds; - int channel_creds_has_md = - (channel_creds != NULL) && - grpc_credentials_has_request_metadata(channel_creds); - int call_creds_has_md = (ctx != NULL) && (ctx->creds != NULL) && - grpc_credentials_has_request_metadata(ctx->creds); + int call_creds_has_md = (ctx != NULL) && (ctx->creds != NULL); - if (!channel_creds_has_md && !call_creds_has_md) { + if (channel_call_creds == NULL && !call_creds_has_md) { /* Skip sending metadata altogether. */ grpc_call_next_op(exec_ctx, elem, op); return; } - if (channel_creds_has_md && call_creds_has_md) { - calld->creds = - grpc_composite_credentials_create(channel_creds, ctx->creds, NULL); + if (channel_call_creds != NULL && call_creds_has_md) { + calld->creds = grpc_composite_call_credentials_create(channel_call_creds, + ctx->creds, NULL); if (calld->creds == NULL) { bubble_up_error(exec_ctx, elem, GRPC_STATUS_INVALID_ARGUMENT, "Incompatible credentials set on channel and call."); return; } } else { - calld->creds = - grpc_credentials_ref(call_creds_has_md ? ctx->creds : channel_creds); + calld->creds = grpc_call_credentials_ref( + call_creds_has_md ? ctx->creds : channel_call_creds); } build_service_url(chand->security_connector->base.url_scheme, calld); calld->op = *op; /* Copy op (originates from the caller's stack). */ GPR_ASSERT(calld->pollset); - grpc_credentials_get_request_metadata(exec_ctx, calld->creds, calld->pollset, - calld->service_url, - on_credentials_metadata, elem); + grpc_call_credentials_get_request_metadata(exec_ctx, calld->creds, + calld->pollset, calld->service_url, + on_credentials_metadata, elem); } static void on_host_checked(grpc_exec_ctx *exec_ctx, void *user_data, @@ -294,7 +290,7 @@ static void init_call_elem(grpc_exec_ctx *exec_ctx, grpc_call_element *elem, static void destroy_call_elem(grpc_exec_ctx *exec_ctx, grpc_call_element *elem) { call_data *calld = elem->call_data; - grpc_credentials_unref(calld->creds); + grpc_call_credentials_unref(calld->creds); if (calld->host != NULL) { GRPC_MDSTR_UNREF(calld->host); } diff --git a/src/core/security/credentials.c b/src/core/security/credentials.c index 5e155d83b9..a1fa457d1a 100644 --- a/src/core/security/credentials.c +++ b/src/core/security/credentials.c @@ -54,18 +54,18 @@ /* -- Common. -- */ struct grpc_credentials_metadata_request { - grpc_credentials *creds; + grpc_call_credentials *creds; grpc_credentials_metadata_cb cb; void *user_data; }; static grpc_credentials_metadata_request * -grpc_credentials_metadata_request_create(grpc_credentials *creds, +grpc_credentials_metadata_request_create(grpc_call_credentials *creds, grpc_credentials_metadata_cb cb, void *user_data) { grpc_credentials_metadata_request *r = gpr_malloc(sizeof(grpc_credentials_metadata_request)); - r->creds = grpc_credentials_ref(creds); + r->creds = grpc_call_credentials_ref(creds); r->cb = cb; r->user_data = user_data; return r; @@ -73,17 +73,18 @@ grpc_credentials_metadata_request_create(grpc_credentials *creds, static void grpc_credentials_metadata_request_destroy( grpc_credentials_metadata_request *r) { - grpc_credentials_unref(r->creds); + grpc_call_credentials_unref(r->creds); gpr_free(r); } -grpc_credentials *grpc_credentials_ref(grpc_credentials *creds) { +grpc_channel_credentials *grpc_channel_credentials_ref( + grpc_channel_credentials *creds) { if (creds == NULL) return NULL; gpr_ref(&creds->refcount); return creds; } -void grpc_credentials_unref(grpc_credentials *creds) { +void grpc_channel_credentials_unref(grpc_channel_credentials *creds) { if (creds == NULL) return; if (gpr_unref(&creds->refcount)) { creds->vtable->destruct(creds); @@ -91,26 +92,34 @@ void grpc_credentials_unref(grpc_credentials *creds) { } } -void grpc_credentials_release(grpc_credentials *creds) { - GRPC_API_TRACE("grpc_credentials_release(creds=%p)", 1, (creds)); - grpc_credentials_unref(creds); +void grpc_channel_credentials_release(grpc_channel_credentials *creds) { + GRPC_API_TRACE("grpc_channel_credentials_release(creds=%p)", 1, (creds)); + grpc_channel_credentials_unref(creds); } -int grpc_credentials_has_request_metadata(grpc_credentials *creds) { - if (creds == NULL) return 0; - return creds->vtable->has_request_metadata(creds); +grpc_call_credentials *grpc_call_credentials_ref(grpc_call_credentials *creds) { + if (creds == NULL) return NULL; + gpr_ref(&creds->refcount); + return creds; } -int grpc_credentials_has_request_metadata_only(grpc_credentials *creds) { - if (creds == NULL) return 0; - return creds->vtable->has_request_metadata_only(creds); +void grpc_call_credentials_unref(grpc_call_credentials *creds) { + if (creds == NULL) return; + if (gpr_unref(&creds->refcount)) { + creds->vtable->destruct(creds); + gpr_free(creds); + } +} + +void grpc_call_credentials_release(grpc_call_credentials *creds) { + GRPC_API_TRACE("grpc_call_credentials_release(creds=%p)", 1, (creds)); + grpc_call_credentials_unref(creds); } void grpc_credentials_get_request_metadata( - grpc_exec_ctx *exec_ctx, grpc_credentials *creds, grpc_pollset *pollset, + grpc_exec_ctx *exec_ctx, grpc_call_credentials *creds, grpc_pollset *pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { - if (creds == NULL || !grpc_credentials_has_request_metadata(creds) || - creds->vtable->get_request_metadata == NULL) { + if (creds == NULL || creds->vtable->get_request_metadata == NULL) { if (cb != NULL) { cb(exec_ctx, user_data, NULL, 0, GRPC_CREDENTIALS_OK); } @@ -120,19 +129,19 @@ void grpc_credentials_get_request_metadata( user_data); } -grpc_security_status grpc_credentials_create_security_connector( - grpc_credentials *creds, const char *target, const grpc_channel_args *args, - grpc_credentials *request_metadata_creds, - grpc_channel_security_connector **sc, grpc_channel_args **new_args) { +grpc_security_status grpc_channel_credentials_create_security_connector( + grpc_channel_credentials *channel_creds, const char *target, + const grpc_channel_args *args, grpc_channel_security_connector **sc, + grpc_channel_args **new_args) { *new_args = NULL; - if (creds == NULL || creds->vtable->create_security_connector == NULL || - grpc_credentials_has_request_metadata_only(creds)) { + if (channel_creds == NULL || + channel_creds->vtable->create_security_connector == NULL) { gpr_log(GPR_ERROR, "Invalid credentials for creating a security connector."); return GRPC_SECURITY_ERROR; } - return creds->vtable->create_security_connector( - creds, target, args, request_metadata_creds, sc, new_args); + return channel_creds->vtable->create_security_connector(channel_creds, target, + args, sc, new_args); } grpc_server_credentials *grpc_server_credentials_ref( @@ -225,7 +234,7 @@ grpc_server_credentials *grpc_find_server_credentials_in_args( /* -- Ssl credentials. -- */ -static void ssl_destruct(grpc_credentials *creds) { +static void ssl_destruct(grpc_channel_credentials *creds) { grpc_ssl_credentials *c = (grpc_ssl_credentials *)creds; if (c->config.pem_root_certs != NULL) gpr_free(c->config.pem_root_certs); if (c->config.pem_private_key != NULL) gpr_free(c->config.pem_private_key); @@ -254,15 +263,9 @@ static void ssl_server_destruct(grpc_server_credentials *creds) { if (c->config.pem_root_certs != NULL) gpr_free(c->config.pem_root_certs); } -static int ssl_has_request_metadata(const grpc_credentials *creds) { return 0; } - -static int ssl_has_request_metadata_only(const grpc_credentials *creds) { - return 0; -} - static grpc_security_status ssl_create_security_connector( - grpc_credentials *creds, const char *target, const grpc_channel_args *args, - grpc_credentials *request_metadata_creds, + grpc_channel_credentials *creds, const char *target, + const grpc_channel_args *args, grpc_channel_security_connector **sc, grpc_channel_args **new_args) { grpc_ssl_credentials *c = (grpc_ssl_credentials *)creds; grpc_security_status status = GRPC_SECURITY_OK; @@ -279,7 +282,7 @@ static grpc_security_status ssl_create_security_connector( } } status = grpc_ssl_channel_security_connector_create( - request_metadata_creds, &c->config, target, overridden_target_name, sc); + creds->call_creds, &c->config, target, overridden_target_name, sc); if (status != GRPC_SECURITY_OK) { return status; } @@ -296,9 +299,8 @@ static grpc_security_status ssl_server_create_security_connector( return grpc_ssl_server_security_connector_create(&c->config, sc); } -static grpc_credentials_vtable ssl_vtable = { - ssl_destruct, ssl_has_request_metadata, ssl_has_request_metadata_only, NULL, - ssl_create_security_connector}; +static grpc_channel_credentials_vtable ssl_vtable = { + ssl_destruct, ssl_create_security_connector}; static grpc_server_credentials_vtable ssl_server_vtable = { ssl_server_destruct, ssl_server_create_security_connector}; @@ -363,7 +365,7 @@ static void ssl_build_server_config( } } -grpc_credentials *grpc_ssl_credentials_create( +grpc_channel_credentials *grpc_ssl_credentials_create( const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pair, void *reserved) { grpc_ssl_credentials *c = gpr_malloc(sizeof(grpc_ssl_credentials)); @@ -374,7 +376,7 @@ grpc_credentials *grpc_ssl_credentials_create( 3, (pem_root_certs, pem_key_cert_pair, reserved)); GPR_ASSERT(reserved == NULL); memset(c, 0, sizeof(grpc_ssl_credentials)); - c->base.type = GRPC_CREDENTIALS_TYPE_SSL; + c->base.type = GRPC_CHANNEL_CREDENTIALS_TYPE_SSL; c->base.vtable = &ssl_vtable; gpr_ref_init(&c->base.refcount, 1); ssl_build_config(pem_root_certs, pem_key_cert_pair, &c->config); @@ -394,7 +396,7 @@ grpc_server_credentials *grpc_ssl_server_credentials_create( force_client_auth, reserved)); GPR_ASSERT(reserved == NULL); memset(c, 0, sizeof(grpc_ssl_server_credentials)); - c->base.type = GRPC_CREDENTIALS_TYPE_SSL; + c->base.type = GRPC_CHANNEL_CREDENTIALS_TYPE_SSL; gpr_ref_init(&c->base.refcount, 1); c->base.vtable = &ssl_server_vtable; ssl_build_server_config(pem_root_certs, pem_key_cert_pairs, @@ -416,7 +418,7 @@ static void jwt_reset_cache(grpc_service_account_jwt_access_credentials *c) { c->cached.jwt_expiration = gpr_inf_past(GPR_CLOCK_REALTIME); } -static void jwt_destruct(grpc_credentials *creds) { +static void jwt_destruct(grpc_call_credentials *creds) { grpc_service_account_jwt_access_credentials *c = (grpc_service_account_jwt_access_credentials *)creds; grpc_auth_json_key_destruct(&c->key); @@ -424,14 +426,8 @@ static void jwt_destruct(grpc_credentials *creds) { gpr_mu_destroy(&c->cache_mu); } -static int jwt_has_request_metadata(const grpc_credentials *creds) { return 1; } - -static int jwt_has_request_metadata_only(const grpc_credentials *creds) { - return 1; -} - static void jwt_get_request_metadata( - grpc_exec_ctx *exec_ctx, grpc_credentials *creds, grpc_pollset *pollset, + grpc_exec_ctx *exec_ctx, grpc_call_credentials *creds, grpc_pollset *pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { grpc_service_account_jwt_access_credentials *c = (grpc_service_account_jwt_access_credentials *)creds; @@ -484,11 +480,10 @@ static void jwt_get_request_metadata( } } -static grpc_credentials_vtable jwt_vtable = { - jwt_destruct, jwt_has_request_metadata, jwt_has_request_metadata_only, - jwt_get_request_metadata, NULL}; +static grpc_call_credentials_vtable jwt_vtable = {jwt_destruct, + jwt_get_request_metadata}; -grpc_credentials * +grpc_call_credentials * grpc_service_account_jwt_access_credentials_create_from_auth_json_key( grpc_auth_json_key key, gpr_timespec token_lifetime) { grpc_service_account_jwt_access_credentials *c; @@ -498,7 +493,7 @@ grpc_service_account_jwt_access_credentials_create_from_auth_json_key( } c = gpr_malloc(sizeof(grpc_service_account_jwt_access_credentials)); memset(c, 0, sizeof(grpc_service_account_jwt_access_credentials)); - c->base.type = GRPC_CREDENTIALS_TYPE_JWT; + c->base.type = GRPC_CALL_CREDENTIALS_TYPE_JWT; gpr_ref_init(&c->base.refcount, 1); c->base.vtable = &jwt_vtable; c->key = key; @@ -508,7 +503,7 @@ grpc_service_account_jwt_access_credentials_create_from_auth_json_key( return &c->base; } -grpc_credentials *grpc_service_account_jwt_access_credentials_create( +grpc_call_credentials *grpc_service_account_jwt_access_credentials_create( const char *json_key, gpr_timespec token_lifetime, void *reserved) { GRPC_API_TRACE( "grpc_service_account_jwt_access_credentials_create(" @@ -525,7 +520,7 @@ grpc_credentials *grpc_service_account_jwt_access_credentials_create( /* -- Oauth2TokenFetcher credentials -- */ -static void oauth2_token_fetcher_destruct(grpc_credentials *creds) { +static void oauth2_token_fetcher_destruct(grpc_call_credentials *creds) { grpc_oauth2_token_fetcher_credentials *c = (grpc_oauth2_token_fetcher_credentials *)creds; grpc_credentials_md_store_unref(c->access_token_md); @@ -533,16 +528,6 @@ static void oauth2_token_fetcher_destruct(grpc_credentials *creds) { grpc_httpcli_context_destroy(&c->httpcli_context); } -static int oauth2_token_fetcher_has_request_metadata( - const grpc_credentials *creds) { - return 1; -} - -static int oauth2_token_fetcher_has_request_metadata_only( - const grpc_credentials *creds) { - return 1; -} - grpc_credentials_status grpc_oauth2_token_fetcher_credentials_parse_server_response( const grpc_httpcli_response *response, grpc_credentials_md_store **token_md, @@ -660,8 +645,9 @@ static void on_oauth2_token_fetcher_http_response( } static void oauth2_token_fetcher_get_request_metadata( - grpc_exec_ctx *exec_ctx, grpc_credentials *creds, grpc_pollset *pollset, - const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { + grpc_exec_ctx *exec_ctx, grpc_call_credentials *creds, + grpc_pollset *pollset, const char *service_url, + grpc_credentials_metadata_cb cb, void *user_data) { grpc_oauth2_token_fetcher_credentials *c = (grpc_oauth2_token_fetcher_credentials *)creds; gpr_timespec refresh_threshold = gpr_time_from_seconds( @@ -694,7 +680,7 @@ static void oauth2_token_fetcher_get_request_metadata( static void init_oauth2_token_fetcher(grpc_oauth2_token_fetcher_credentials *c, grpc_fetch_oauth2_func fetch_func) { memset(c, 0, sizeof(grpc_oauth2_token_fetcher_credentials)); - c->base.type = GRPC_CREDENTIALS_TYPE_OAUTH2; + c->base.type = GRPC_CALL_CREDENTIALS_TYPE_OAUTH2; gpr_ref_init(&c->base.refcount, 1); gpr_mu_init(&c->mu); c->token_expiration = gpr_inf_past(GPR_CLOCK_REALTIME); @@ -704,10 +690,8 @@ static void init_oauth2_token_fetcher(grpc_oauth2_token_fetcher_credentials *c, /* -- GoogleComputeEngine credentials. -- */ -static grpc_credentials_vtable compute_engine_vtable = { - oauth2_token_fetcher_destruct, oauth2_token_fetcher_has_request_metadata, - oauth2_token_fetcher_has_request_metadata_only, - oauth2_token_fetcher_get_request_metadata, NULL}; +static grpc_call_credentials_vtable compute_engine_vtable = { + oauth2_token_fetcher_destruct, oauth2_token_fetcher_get_request_metadata}; static void compute_engine_fetch_oauth2( grpc_exec_ctx *exec_ctx, grpc_credentials_metadata_request *metadata_req, @@ -724,7 +708,7 @@ static void compute_engine_fetch_oauth2( response_cb, metadata_req); } -grpc_credentials *grpc_google_compute_engine_credentials_create( +grpc_call_credentials *grpc_google_compute_engine_credentials_create( void *reserved) { grpc_oauth2_token_fetcher_credentials *c = gpr_malloc(sizeof(grpc_oauth2_token_fetcher_credentials)); @@ -738,17 +722,15 @@ grpc_credentials *grpc_google_compute_engine_credentials_create( /* -- GoogleRefreshToken credentials. -- */ -static void refresh_token_destruct(grpc_credentials *creds) { +static void refresh_token_destruct(grpc_call_credentials *creds) { grpc_google_refresh_token_credentials *c = (grpc_google_refresh_token_credentials *)creds; grpc_auth_refresh_token_destruct(&c->refresh_token); oauth2_token_fetcher_destruct(&c->base.base); } -static grpc_credentials_vtable refresh_token_vtable = { - refresh_token_destruct, oauth2_token_fetcher_has_request_metadata, - oauth2_token_fetcher_has_request_metadata_only, - oauth2_token_fetcher_get_request_metadata, NULL}; +static grpc_call_credentials_vtable refresh_token_vtable = { + refresh_token_destruct, oauth2_token_fetcher_get_request_metadata}; static void refresh_token_fetch_oauth2( grpc_exec_ctx *exec_ctx, grpc_credentials_metadata_request *metadata_req, @@ -774,7 +756,8 @@ static void refresh_token_fetch_oauth2( gpr_free(body); } -grpc_credentials *grpc_refresh_token_credentials_create_from_auth_refresh_token( +grpc_call_credentials * +grpc_refresh_token_credentials_create_from_auth_refresh_token( grpc_auth_refresh_token refresh_token) { grpc_google_refresh_token_credentials *c; if (!grpc_auth_refresh_token_is_valid(&refresh_token)) { @@ -789,7 +772,7 @@ grpc_credentials *grpc_refresh_token_credentials_create_from_auth_refresh_token( return &c->base.base; } -grpc_credentials *grpc_google_refresh_token_credentials_create( +grpc_call_credentials *grpc_google_refresh_token_credentials_create( const char *json_refresh_token, void *reserved) { GRPC_API_TRACE( "grpc_refresh_token_credentials_create(json_refresh_token=%s, " @@ -802,20 +785,11 @@ grpc_credentials *grpc_google_refresh_token_credentials_create( /* -- Metadata-only credentials. -- */ -static void md_only_test_destruct(grpc_credentials *creds) { +static void md_only_test_destruct(grpc_call_credentials *creds) { grpc_md_only_test_credentials *c = (grpc_md_only_test_credentials *)creds; grpc_credentials_md_store_unref(c->md_store); } -static int md_only_test_has_request_metadata(const grpc_credentials *creds) { - return 1; -} - -static int md_only_test_has_request_metadata_only( - const grpc_credentials *creds) { - return 1; -} - static void on_simulated_token_fetch_done(void *user_data) { grpc_credentials_metadata_request *r = (grpc_credentials_metadata_request *)user_data; @@ -828,7 +802,7 @@ static void on_simulated_token_fetch_done(void *user_data) { } static void md_only_test_get_request_metadata( - grpc_exec_ctx *exec_ctx, grpc_credentials *creds, grpc_pollset *pollset, + grpc_exec_ctx *exec_ctx, grpc_call_credentials *creds, grpc_pollset *pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { grpc_md_only_test_credentials *c = (grpc_md_only_test_credentials *)creds; @@ -842,18 +816,15 @@ static void md_only_test_get_request_metadata( } } -static grpc_credentials_vtable md_only_test_vtable = { - md_only_test_destruct, md_only_test_has_request_metadata, - md_only_test_has_request_metadata_only, md_only_test_get_request_metadata, - NULL}; +static grpc_call_credentials_vtable md_only_test_vtable = { + md_only_test_destruct, md_only_test_get_request_metadata}; -grpc_credentials *grpc_md_only_test_credentials_create(const char *md_key, - const char *md_value, - int is_async) { +grpc_call_credentials *grpc_md_only_test_credentials_create( + const char *md_key, const char *md_value, int is_async) { grpc_md_only_test_credentials *c = gpr_malloc(sizeof(grpc_md_only_test_credentials)); memset(c, 0, sizeof(grpc_md_only_test_credentials)); - c->base.type = GRPC_CREDENTIALS_TYPE_OAUTH2; + c->base.type = GRPC_CALL_CREDENTIALS_TYPE_OAUTH2; c->base.vtable = &md_only_test_vtable; gpr_ref_init(&c->base.refcount, 1); c->md_store = grpc_credentials_md_store_create(1); @@ -864,34 +835,23 @@ grpc_credentials *grpc_md_only_test_credentials_create(const char *md_key, /* -- Oauth2 Access Token credentials. -- */ -static void access_token_destruct(grpc_credentials *creds) { +static void access_token_destruct(grpc_call_credentials *creds) { grpc_access_token_credentials *c = (grpc_access_token_credentials *)creds; grpc_credentials_md_store_unref(c->access_token_md); } -static int access_token_has_request_metadata(const grpc_credentials *creds) { - return 1; -} - -static int access_token_has_request_metadata_only( - const grpc_credentials *creds) { - return 1; -} - static void access_token_get_request_metadata( - grpc_exec_ctx *exec_ctx, grpc_credentials *creds, grpc_pollset *pollset, + grpc_exec_ctx *exec_ctx, grpc_call_credentials *creds, grpc_pollset *pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { grpc_access_token_credentials *c = (grpc_access_token_credentials *)creds; cb(exec_ctx, user_data, c->access_token_md->entries, 1, GRPC_CREDENTIALS_OK); } -static grpc_credentials_vtable access_token_vtable = { - access_token_destruct, access_token_has_request_metadata, - access_token_has_request_metadata_only, access_token_get_request_metadata, - NULL}; +static grpc_call_credentials_vtable access_token_vtable = { + access_token_destruct, access_token_get_request_metadata}; -grpc_credentials *grpc_access_token_credentials_create(const char *access_token, - void *reserved) { +grpc_call_credentials *grpc_access_token_credentials_create( + const char *access_token, void *reserved) { grpc_access_token_credentials *c = gpr_malloc(sizeof(grpc_access_token_credentials)); char *token_md_value; @@ -901,7 +861,7 @@ grpc_credentials *grpc_access_token_credentials_create(const char *access_token, 2, (access_token, reserved)); GPR_ASSERT(reserved == NULL); memset(c, 0, sizeof(grpc_access_token_credentials)); - c->base.type = GRPC_CREDENTIALS_TYPE_OAUTH2; + c->base.type = GRPC_CALL_CREDENTIALS_TYPE_OAUTH2; c->base.vtable = &access_token_vtable; gpr_ref_init(&c->base.refcount, 1); c->access_token_md = grpc_credentials_md_store_create(1); @@ -915,7 +875,7 @@ grpc_credentials *grpc_access_token_credentials_create(const char *access_token, /* -- Fake transport security credentials. -- */ static void fake_transport_security_credentials_destruct( - grpc_credentials *creds) { + grpc_channel_credentials *creds) { /* Nothing to do here. */ } @@ -924,21 +884,11 @@ static void fake_transport_security_server_credentials_destruct( /* Nothing to do here. */ } -static int fake_transport_security_has_request_metadata( - const grpc_credentials *creds) { - return 0; -} - -static int fake_transport_security_has_request_metadata_only( - const grpc_credentials *creds) { - return 0; -} - static grpc_security_status fake_transport_security_create_security_connector( - grpc_credentials *c, const char *target, const grpc_channel_args *args, - grpc_credentials *request_metadata_creds, - grpc_channel_security_connector **sc, grpc_channel_args **new_args) { - *sc = grpc_fake_channel_security_connector_create(request_metadata_creds, 1); + grpc_channel_credentials *c, const char *target, + const grpc_channel_args *args, grpc_channel_security_connector **sc, + grpc_channel_args **new_args) { + *sc = grpc_fake_channel_security_connector_create(c->call_creds, 1); return GRPC_SECURITY_OK; } @@ -949,21 +899,21 @@ fake_transport_security_server_create_security_connector( return GRPC_SECURITY_OK; } -static grpc_credentials_vtable fake_transport_security_credentials_vtable = { - fake_transport_security_credentials_destruct, - fake_transport_security_has_request_metadata, - fake_transport_security_has_request_metadata_only, NULL, - fake_transport_security_create_security_connector}; +static grpc_channel_credentials_vtable + fake_transport_security_credentials_vtable = { + fake_transport_security_credentials_destruct, + fake_transport_security_create_security_connector}; static grpc_server_credentials_vtable fake_transport_security_server_credentials_vtable = { fake_transport_security_server_credentials_destruct, fake_transport_security_server_create_security_connector}; -grpc_credentials *grpc_fake_transport_security_credentials_create(void) { - grpc_credentials *c = gpr_malloc(sizeof(grpc_credentials)); - memset(c, 0, sizeof(grpc_credentials)); - c->type = GRPC_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY; +grpc_channel_credentials *grpc_fake_transport_security_credentials_create( + void) { + grpc_channel_credentials *c = gpr_malloc(sizeof(grpc_channel_credentials)); + memset(c, 0, sizeof(grpc_channel_credentials)); + c->type = GRPC_CHANNEL_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY; c->vtable = &fake_transport_security_credentials_vtable; gpr_ref_init(&c->refcount, 1); return c; @@ -973,7 +923,7 @@ grpc_server_credentials *grpc_fake_transport_security_server_credentials_create( void) { grpc_server_credentials *c = gpr_malloc(sizeof(grpc_server_credentials)); memset(c, 0, sizeof(grpc_server_credentials)); - c->type = GRPC_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY; + c->type = GRPC_CHANNEL_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY; gpr_ref_init(&c->refcount, 1); c->vtable = &fake_transport_security_server_credentials_vtable; return c; @@ -991,39 +941,15 @@ typedef struct { grpc_credentials_metadata_cb cb; } grpc_composite_credentials_metadata_context; -static void composite_destruct(grpc_credentials *creds) { +static void composite_destruct(grpc_call_credentials *creds) { grpc_composite_credentials *c = (grpc_composite_credentials *)creds; size_t i; for (i = 0; i < c->inner.num_creds; i++) { - grpc_credentials_unref(c->inner.creds_array[i]); + grpc_call_credentials_unref(c->inner.creds_array[i]); } gpr_free(c->inner.creds_array); } -static int composite_has_request_metadata(const grpc_credentials *creds) { - const grpc_composite_credentials *c = - (const grpc_composite_credentials *)creds; - size_t i; - for (i = 0; i < c->inner.num_creds; i++) { - if (grpc_credentials_has_request_metadata(c->inner.creds_array[i])) { - return 1; - } - } - return 0; -} - -static int composite_has_request_metadata_only(const grpc_credentials *creds) { - const grpc_composite_credentials *c = - (const grpc_composite_credentials *)creds; - size_t i; - for (i = 0; i < c->inner.num_creds; i++) { - if (!grpc_credentials_has_request_metadata_only(c->inner.creds_array[i])) { - return 0; - } - } - return 1; -} - static void composite_md_context_destroy( grpc_composite_credentials_metadata_context *ctx) { grpc_credentials_md_store_unref(ctx->md_elems); @@ -1051,15 +977,13 @@ static void composite_metadata_cb(grpc_exec_ctx *exec_ctx, void *user_data, } /* See if we need to get some more metadata. */ - while (ctx->creds_index < ctx->composite_creds->inner.num_creds) { - grpc_credentials *inner_creds = + if (ctx->creds_index < ctx->composite_creds->inner.num_creds) { + grpc_call_credentials *inner_creds = ctx->composite_creds->inner.creds_array[ctx->creds_index++]; - if (grpc_credentials_has_request_metadata(inner_creds)) { - grpc_credentials_get_request_metadata(exec_ctx, inner_creds, ctx->pollset, - ctx->service_url, - composite_metadata_cb, ctx); - return; - } + grpc_credentials_get_request_metadata(exec_ctx, inner_creds, ctx->pollset, + ctx->service_url, + composite_metadata_cb, ctx); + return; } /* We're done!. */ @@ -1069,14 +993,11 @@ static void composite_metadata_cb(grpc_exec_ctx *exec_ctx, void *user_data, } static void composite_get_request_metadata( - grpc_exec_ctx *exec_ctx, grpc_credentials *creds, grpc_pollset *pollset, + grpc_exec_ctx *exec_ctx, grpc_call_credentials *creds, grpc_pollset *pollset, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { grpc_composite_credentials *c = (grpc_composite_credentials *)creds; grpc_composite_credentials_metadata_context *ctx; - if (!grpc_credentials_has_request_metadata(creds)) { - cb(exec_ctx, user_data, NULL, 0, GRPC_CREDENTIALS_OK); - return; - } + ctx = gpr_malloc(sizeof(grpc_composite_credentials_metadata_context)); memset(ctx, 0, sizeof(grpc_composite_credentials_metadata_context)); ctx->service_url = gpr_strdup(service_url); @@ -1085,55 +1006,33 @@ static void composite_get_request_metadata( ctx->composite_creds = c; ctx->pollset = pollset; ctx->md_elems = grpc_credentials_md_store_create(c->inner.num_creds); - while (ctx->creds_index < c->inner.num_creds) { - grpc_credentials *inner_creds = c->inner.creds_array[ctx->creds_index++]; - if (grpc_credentials_has_request_metadata(inner_creds)) { - grpc_credentials_get_request_metadata(exec_ctx, inner_creds, pollset, - service_url, composite_metadata_cb, - ctx); - return; - } - } - GPR_ASSERT(0); /* Should have exited before. */ + grpc_credentials_get_request_metadata( + exec_ctx, c->inner.creds_array[ctx->creds_index++], pollset, service_url, + composite_metadata_cb, ctx); } -static grpc_security_status composite_create_security_connector( - grpc_credentials *creds, const char *target, const grpc_channel_args *args, - grpc_credentials *request_metadata_creds, - grpc_channel_security_connector **sc, grpc_channel_args **new_args) { - grpc_composite_credentials *c = (grpc_composite_credentials *)creds; - if (c->connector_creds == NULL) { - gpr_log(GPR_ERROR, - "Cannot create security connector, missing connector credentials."); - return GRPC_SECURITY_ERROR; - } - return grpc_credentials_create_security_connector(c->connector_creds, target, - args, creds, sc, new_args); -} +static grpc_call_credentials_vtable composite_credentials_vtable = { + composite_destruct, composite_get_request_metadata}; -static grpc_credentials_vtable composite_credentials_vtable = { - composite_destruct, composite_has_request_metadata, - composite_has_request_metadata_only, composite_get_request_metadata, - composite_create_security_connector}; - -static grpc_credentials_array get_creds_array(grpc_credentials **creds_addr) { - grpc_credentials_array result; - grpc_credentials *creds = *creds_addr; +static grpc_call_credentials_array get_creds_array( + grpc_call_credentials **creds_addr) { + grpc_call_credentials_array result; + grpc_call_credentials *creds = *creds_addr; result.creds_array = creds_addr; result.num_creds = 1; - if (strcmp(creds->type, GRPC_CREDENTIALS_TYPE_COMPOSITE) == 0) { + if (strcmp(creds->type, GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE) == 0) { result = *grpc_composite_credentials_get_credentials(creds); } return result; } -grpc_credentials *grpc_composite_credentials_create(grpc_credentials *creds1, - grpc_credentials *creds2, - void *reserved) { +grpc_call_credentials *grpc_composite_call_credentials_create( + grpc_call_credentials *creds1, grpc_call_credentials *creds2, + void *reserved) { size_t i; size_t creds_array_byte_size; - grpc_credentials_array creds1_array; - grpc_credentials_array creds2_array; + grpc_call_credentials_array creds1_array; + grpc_call_credentials_array creds2_array; grpc_composite_credentials *c; GRPC_API_TRACE( "grpc_composite_credentials_create(creds1=%p, creds2=%p, " @@ -1144,64 +1043,44 @@ grpc_credentials *grpc_composite_credentials_create(grpc_credentials *creds1, GPR_ASSERT(creds2 != NULL); c = gpr_malloc(sizeof(grpc_composite_credentials)); memset(c, 0, sizeof(grpc_composite_credentials)); - c->base.type = GRPC_CREDENTIALS_TYPE_COMPOSITE; + c->base.type = GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE; c->base.vtable = &composite_credentials_vtable; gpr_ref_init(&c->base.refcount, 1); creds1_array = get_creds_array(&creds1); creds2_array = get_creds_array(&creds2); c->inner.num_creds = creds1_array.num_creds + creds2_array.num_creds; - creds_array_byte_size = c->inner.num_creds * sizeof(grpc_credentials *); + creds_array_byte_size = c->inner.num_creds * sizeof(grpc_call_credentials *); c->inner.creds_array = gpr_malloc(creds_array_byte_size); memset(c->inner.creds_array, 0, creds_array_byte_size); for (i = 0; i < creds1_array.num_creds; i++) { - grpc_credentials *cur_creds = creds1_array.creds_array[i]; - if (!grpc_credentials_has_request_metadata_only(cur_creds)) { - if (c->connector_creds == NULL) { - c->connector_creds = cur_creds; - } else { - gpr_log(GPR_ERROR, "Cannot compose multiple connector credentials."); - goto fail; - } - } - c->inner.creds_array[i] = grpc_credentials_ref(cur_creds); + grpc_call_credentials *cur_creds = creds1_array.creds_array[i]; + c->inner.creds_array[i] = grpc_call_credentials_ref(cur_creds); } for (i = 0; i < creds2_array.num_creds; i++) { - grpc_credentials *cur_creds = creds2_array.creds_array[i]; - if (!grpc_credentials_has_request_metadata_only(cur_creds)) { - if (c->connector_creds == NULL) { - c->connector_creds = cur_creds; - } else { - gpr_log(GPR_ERROR, "Cannot compose multiple connector credentials."); - goto fail; - } - } + grpc_call_credentials *cur_creds = creds2_array.creds_array[i]; c->inner.creds_array[i + creds1_array.num_creds] = - grpc_credentials_ref(cur_creds); + grpc_call_credentials_ref(cur_creds); } return &c->base; - -fail: - grpc_credentials_unref(&c->base); - return NULL; } -const grpc_credentials_array *grpc_composite_credentials_get_credentials( - grpc_credentials *creds) { +const grpc_call_credentials_array *grpc_composite_credentials_get_credentials( + grpc_call_credentials *creds) { const grpc_composite_credentials *c = (const grpc_composite_credentials *)creds; - GPR_ASSERT(strcmp(creds->type, GRPC_CREDENTIALS_TYPE_COMPOSITE) == 0); + GPR_ASSERT(strcmp(creds->type, GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE) == 0); return &c->inner; } -grpc_credentials *grpc_credentials_contains_type( - grpc_credentials *creds, const char *type, - grpc_credentials **composite_creds) { +grpc_call_credentials *grpc_credentials_contains_type( + grpc_call_credentials *creds, const char *type, + grpc_call_credentials **composite_creds) { size_t i; if (strcmp(creds->type, type) == 0) { if (composite_creds != NULL) *composite_creds = NULL; return creds; - } else if (strcmp(creds->type, GRPC_CREDENTIALS_TYPE_COMPOSITE) == 0) { - const grpc_credentials_array *inner_creds_array = + } else if (strcmp(creds->type, GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE) == 0) { + const grpc_call_credentials_array *inner_creds_array = grpc_composite_credentials_get_credentials(creds); for (i = 0; i < inner_creds_array->num_creds; i++) { if (strcmp(type, inner_creds_array->creds_array[i]->type) == 0) { @@ -1215,30 +1094,26 @@ grpc_credentials *grpc_credentials_contains_type( /* -- IAM credentials. -- */ -static void iam_destruct(grpc_credentials *creds) { +static void iam_destruct(grpc_call_credentials *creds) { grpc_google_iam_credentials *c = (grpc_google_iam_credentials *)creds; grpc_credentials_md_store_unref(c->iam_md); } -static int iam_has_request_metadata(const grpc_credentials *creds) { return 1; } - -static int iam_has_request_metadata_only(const grpc_credentials *creds) { - return 1; -} - -static void iam_get_request_metadata( - grpc_exec_ctx *exec_ctx, grpc_credentials *creds, grpc_pollset *pollset, - const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { +static void iam_get_request_metadata(grpc_exec_ctx *exec_ctx, + grpc_call_credentials *creds, + grpc_pollset *pollset, + const char *service_url, + grpc_credentials_metadata_cb cb, + void *user_data) { grpc_google_iam_credentials *c = (grpc_google_iam_credentials *)creds; cb(exec_ctx, user_data, c->iam_md->entries, c->iam_md->num_entries, GRPC_CREDENTIALS_OK); } -static grpc_credentials_vtable iam_vtable = { - iam_destruct, iam_has_request_metadata, iam_has_request_metadata_only, - iam_get_request_metadata, NULL}; +static grpc_call_credentials_vtable iam_vtable = {iam_destruct, + iam_get_request_metadata}; -grpc_credentials *grpc_google_iam_credentials_create( +grpc_call_credentials *grpc_google_iam_credentials_create( const char *token, const char *authority_selector, void *reserved) { grpc_google_iam_credentials *c; GRPC_API_TRACE( @@ -1250,7 +1125,7 @@ grpc_credentials *grpc_google_iam_credentials_create( GPR_ASSERT(authority_selector != NULL); c = gpr_malloc(sizeof(grpc_google_iam_credentials)); memset(c, 0, sizeof(grpc_google_iam_credentials)); - c->base.type = GRPC_CREDENTIALS_TYPE_IAM; + c->base.type = GRPC_CALL_CREDENTIALS_TYPE_IAM; c->base.vtable = &iam_vtable; gpr_ref_init(&c->base.refcount, 1); c->iam_md = grpc_credentials_md_store_create(2); @@ -1268,21 +1143,13 @@ typedef struct { grpc_credentials_metadata_cb cb; } grpc_metadata_plugin_request; -static void plugin_destruct(grpc_credentials *creds) { +static void plugin_destruct(grpc_call_credentials *creds) { grpc_plugin_credentials *c = (grpc_plugin_credentials *)creds; if (c->plugin.state != NULL && c->plugin.destroy != NULL) { c->plugin.destroy(c->plugin.state); } } -static int plugin_has_request_metadata(const grpc_credentials *creds) { - return 1; -} - -static int plugin_has_request_metadata_only(const grpc_credentials *creds) { - return 1; -} - static void plugin_md_request_metadata_ready(void *request, const grpc_metadata *md, size_t num_md, @@ -1321,9 +1188,12 @@ static void plugin_md_request_metadata_ready(void *request, grpc_exec_ctx_finish(&exec_ctx); } -static void plugin_get_request_metadata( - grpc_exec_ctx *exec_ctx, grpc_credentials *creds, grpc_pollset *pollset, - const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { +static void plugin_get_request_metadata(grpc_exec_ctx *exec_ctx, + grpc_call_credentials *creds, + grpc_pollset *pollset, + const char *service_url, + grpc_credentials_metadata_cb cb, + void *user_data) { grpc_plugin_credentials *c = (grpc_plugin_credentials *)creds; if (c->plugin.get_metadata != NULL) { grpc_metadata_plugin_request *request = gpr_malloc(sizeof(*request)); @@ -1337,16 +1207,15 @@ static void plugin_get_request_metadata( } } -static grpc_credentials_vtable plugin_vtable = { - plugin_destruct, plugin_has_request_metadata, - plugin_has_request_metadata_only, plugin_get_request_metadata, NULL}; +static grpc_call_credentials_vtable plugin_vtable = { + plugin_destruct, plugin_get_request_metadata}; -grpc_credentials *grpc_metadata_credentials_create_from_plugin( +grpc_call_credentials *grpc_metadata_credentials_create_from_plugin( grpc_metadata_credentials_plugin plugin, void *reserved) { grpc_plugin_credentials *c = gpr_malloc(sizeof(*c)); GPR_ASSERT(reserved == NULL); memset(c, 0, sizeof(*c)); - c->base.type = GRPC_CREDENTIALS_TYPE_METADATA_PLUGIN; + c->base.type = GRPC_CALL_CREDENTIALS_TYPE_METADATA_PLUGIN; c->base.vtable = &plugin_vtable; gpr_ref_init(&c->base.refcount, 1); c->plugin = plugin; diff --git a/src/core/security/credentials.h b/src/core/security/credentials.h index 81fa2ea10b..1218983e7b 100644 --- a/src/core/security/credentials.h +++ b/src/core/security/credentials.h @@ -98,10 +98,11 @@ char *grpc_get_well_known_google_credentials_file_path(void); typedef struct { void (*destruct)(grpc_channel_credentials *c); + grpc_security_status (*create_security_connector)( - grpc_channel_credentials *c, const char *target, const grpc_channel_args *args, - grpc_call_credentials *call_creds, - grpc_channel_security_connector **sc, grpc_channel_args **new_args); + grpc_channel_credentials *c, const char *target, + const grpc_channel_args *args, grpc_channel_security_connector **sc, + grpc_channel_args **new_args); } grpc_channel_credentials_vtable; struct grpc_channel_credentials { @@ -121,8 +122,8 @@ void grpc_channel_credentials_unref(grpc_channel_credentials *creds); new_args after channel creation. */ grpc_security_status grpc_channel_credentials_create_security_connector( grpc_channel_credentials *creds, const char *target, - const grpc_channel_args *args, grpc_call_credentials *call_creds, - grpc_channel_security_connector **sc, grpc_channel_args **new_args); + const grpc_channel_args *args, grpc_channel_security_connector **sc, + grpc_channel_args **new_args); /* --- grpc_credentials_md. --- */ @@ -160,7 +161,6 @@ typedef void (*grpc_credentials_metadata_cb)(grpc_exec_ctx *exec_ctx, typedef struct { void (*destruct)(grpc_call_credentials *c); - int (*has_request_metadata)(const grpc_call_credentials *c); void (*get_request_metadata)(grpc_exec_ctx *exec_ctx, grpc_call_credentials *c, grpc_pollset *pollset, const char *service_url, @@ -174,9 +174,8 @@ struct grpc_call_credentials { gpr_refcount refcount; }; -grpc_call_credentials *grpc_credentials_ref(grpc_call_credentials *creds); +grpc_call_credentials *grpc_call_credentials_ref(grpc_call_credentials *creds); void grpc_call_credentials_unref(grpc_call_credentials *creds); -int grpc_call_credentials_has_request_metadata(grpc_call_credentials *creds); void grpc_call_credentials_get_request_metadata(grpc_exec_ctx *exec_ctx, grpc_call_credentials *creds, grpc_pollset *pollset, @@ -184,7 +183,6 @@ void grpc_call_credentials_get_request_metadata(grpc_exec_ctx *exec_ctx, grpc_credentials_metadata_cb cb, void *user_data); - typedef struct { grpc_call_credentials **creds_array; size_t num_creds; diff --git a/src/core/security/google_default_credentials.c b/src/core/security/google_default_credentials.c index 45135305b2..e5a810f23c 100644 --- a/src/core/security/google_default_credentials.c +++ b/src/core/security/google_default_credentials.c @@ -50,7 +50,7 @@ /* -- Default credentials. -- */ -static grpc_credentials *default_credentials = NULL; +static grpc_channel_credentials *default_credentials = NULL; static int compute_engine_detection_done = 0; static gpr_mu g_mu; static gpr_once g_once = GPR_ONCE_INIT; @@ -138,11 +138,11 @@ static int is_stack_running_on_compute_engine(void) { } /* Takes ownership of creds_path if not NULL. */ -static grpc_credentials *create_default_creds_from_path(char *creds_path) { +static grpc_call_credentials *create_default_creds_from_path(char *creds_path) { grpc_json *json = NULL; grpc_auth_json_key key; grpc_auth_refresh_token token; - grpc_credentials *result = NULL; + grpc_call_credentials *result = NULL; gpr_slice creds_data = gpr_empty_slice(); int file_ok = 0; if (creds_path == NULL) goto end; @@ -176,9 +176,9 @@ end: return result; } -grpc_credentials *grpc_google_default_credentials_create(void) { - grpc_credentials *result = NULL; - int serving_cached_credentials = 0; +grpc_channel_credentials *grpc_google_default_credentials_create(void) { + grpc_channel_credentials *result = NULL; + grpc_call_credentials *call_creds = NULL; GRPC_API_TRACE("grpc_google_default_credentials_create(void)", 0, ()); @@ -187,20 +187,19 @@ grpc_credentials *grpc_google_default_credentials_create(void) { gpr_mu_lock(&g_mu); if (default_credentials != NULL) { - result = grpc_credentials_ref(default_credentials); - serving_cached_credentials = 1; + result = grpc_channel_credentials_ref(default_credentials); goto end; } /* First, try the environment variable. */ - result = create_default_creds_from_path( + call_creds = create_default_creds_from_path( gpr_getenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR)); - if (result != NULL) goto end; + if (call_creds != NULL) goto end; /* Then the well-known file. */ - result = create_default_creds_from_path( + call_creds = create_default_creds_from_path( grpc_get_well_known_google_credentials_file_path()); - if (result != NULL) goto end; + if (call_creds != NULL) goto end; /* At last try to see if we're on compute engine (do the detection only once since it requires a network test). */ @@ -208,21 +207,27 @@ grpc_credentials *grpc_google_default_credentials_create(void) { int need_compute_engine_creds = is_stack_running_on_compute_engine(); compute_engine_detection_done = 1; if (need_compute_engine_creds) { - result = grpc_google_compute_engine_credentials_create(NULL); + call_creds = grpc_google_compute_engine_credentials_create(NULL); } } end: - if (!serving_cached_credentials && result != NULL) { - /* Blend with default ssl credentials and add a global reference so that it - can be cached and re-served. */ - grpc_credentials *ssl_creds = grpc_ssl_credentials_create(NULL, NULL, NULL); - default_credentials = grpc_credentials_ref( - grpc_composite_credentials_create(ssl_creds, result, NULL)); - GPR_ASSERT(default_credentials != NULL); - grpc_credentials_unref(ssl_creds); - grpc_credentials_unref(result); - result = default_credentials; + if (result == NULL) { + if (call_creds != NULL) { + /* Blend with default ssl credentials and add a global reference so that it + can be cached and re-served. */ + grpc_channel_credentials *ssl_creds = + grpc_ssl_credentials_create(NULL, NULL, NULL); + default_credentials = grpc_channel_credentials_ref( + grpc_composite_channel_credentials_create(ssl_creds, call_creds, + NULL)); + GPR_ASSERT(default_credentials != NULL); + grpc_channel_credentials_unref(ssl_creds); + grpc_call_credentials_unref(call_creds); + result = default_credentials; + } else { + gpr_log(GPR_ERROR, "Could not create google default credentials."); + } } gpr_mu_unlock(&g_mu); return result; @@ -232,7 +237,7 @@ void grpc_flush_cached_google_default_credentials(void) { gpr_once_init(&g_once, init_default_credentials); gpr_mu_lock(&g_mu); if (default_credentials != NULL) { - grpc_credentials_unref(default_credentials); + grpc_channel_credentials_unref(default_credentials); default_credentials = NULL; } gpr_mu_unlock(&g_mu); diff --git a/src/core/security/security_connector.c b/src/core/security/security_connector.c index 7c4cf6f04d..8dbacdd35e 100644 --- a/src/core/security/security_connector.c +++ b/src/core/security/security_connector.c @@ -203,16 +203,6 @@ grpc_security_connector *grpc_find_security_connector_in_args( return NULL; } -static int check_request_metadata_creds(grpc_credentials *creds) { - if (creds != NULL && !grpc_credentials_has_request_metadata(creds)) { - gpr_log(GPR_ERROR, - "Incompatible credentials for channel security connector: needs to " - "set request metadata."); - return 0; - } - return 1; -} - /* -- Fake implementation. -- */ typedef struct { @@ -222,7 +212,7 @@ typedef struct { static void fake_channel_destroy(grpc_security_connector *sc) { grpc_channel_security_connector *c = (grpc_channel_security_connector *)sc; - grpc_credentials_unref(c->request_metadata_creds); + grpc_call_credentials_unref(c->request_metadata_creds); GRPC_AUTH_CONTEXT_UNREF(sc->auth_context, "connector"); gpr_free(sc); } @@ -306,7 +296,8 @@ static grpc_security_connector_vtable fake_server_vtable = { fake_server_destroy, fake_server_do_handshake, fake_check_peer}; grpc_channel_security_connector *grpc_fake_channel_security_connector_create( - grpc_credentials *request_metadata_creds, int call_host_check_is_async) { + grpc_call_credentials *request_metadata_creds, + int call_host_check_is_async) { grpc_fake_channel_security_connector *c = gpr_malloc(sizeof(grpc_fake_channel_security_connector)); memset(c, 0, sizeof(grpc_fake_channel_security_connector)); @@ -314,8 +305,8 @@ grpc_channel_security_connector *grpc_fake_channel_security_connector_create( c->base.base.is_client_side = 1; c->base.base.url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME; c->base.base.vtable = &fake_channel_vtable; - GPR_ASSERT(check_request_metadata_creds(request_metadata_creds)); - c->base.request_metadata_creds = grpc_credentials_ref(request_metadata_creds); + c->base.request_metadata_creds = + grpc_call_credentials_ref(request_metadata_creds); c->base.check_call_host = fake_channel_check_call_host; c->call_host_check_is_async = call_host_check_is_async; return &c->base; @@ -349,7 +340,7 @@ typedef struct { static void ssl_channel_destroy(grpc_security_connector *sc) { grpc_ssl_channel_security_connector *c = (grpc_ssl_channel_security_connector *)sc; - grpc_credentials_unref(c->base.request_metadata_creds); + grpc_call_credentials_unref(c->base.request_metadata_creds); if (c->handshaker_factory != NULL) { tsi_ssl_handshaker_factory_destroy(c->handshaker_factory); } @@ -580,7 +571,7 @@ size_t grpc_get_default_ssl_roots(const unsigned char **pem_root_certs) { } grpc_security_status grpc_ssl_channel_security_connector_create( - grpc_credentials *request_metadata_creds, const grpc_ssl_config *config, + grpc_call_credentials *request_metadata_creds, const grpc_ssl_config *config, const char *target_name, const char *overridden_target_name, grpc_channel_security_connector **sc) { size_t num_alpn_protocols = grpc_chttp2_num_alpn_versions(); @@ -606,9 +597,6 @@ grpc_security_status grpc_ssl_channel_security_connector_create( gpr_log(GPR_ERROR, "An ssl channel needs a config and a target name."); goto error; } - if (!check_request_metadata_creds(request_metadata_creds)) { - goto error; - } if (config->pem_root_certs == NULL) { pem_root_certs_size = grpc_get_default_ssl_roots(&pem_root_certs); if (pem_root_certs == NULL || pem_root_certs_size == 0) { @@ -627,7 +615,8 @@ grpc_security_status grpc_ssl_channel_security_connector_create( c->base.base.vtable = &ssl_channel_vtable; c->base.base.is_client_side = 1; c->base.base.url_scheme = GRPC_SSL_URL_SCHEME; - c->base.request_metadata_creds = grpc_credentials_ref(request_metadata_creds); + c->base.request_metadata_creds = + grpc_call_credentials_ref(request_metadata_creds); c->base.check_call_host = ssl_channel_check_call_host; gpr_split_host_port(target_name, &c->target_name, &port); gpr_free(port); diff --git a/src/core/security/security_connector.h b/src/core/security/security_connector.h index 9218a3caab..c5f00c5563 100644 --- a/src/core/security/security_connector.h +++ b/src/core/security/security_connector.h @@ -145,7 +145,7 @@ typedef struct grpc_channel_security_connector grpc_channel_security_connector; struct grpc_channel_security_connector { grpc_security_connector base; /* requires is_client_side to be non 0. */ - grpc_credentials *request_metadata_creds; + grpc_call_credentials *request_metadata_creds; grpc_security_status (*check_call_host)(grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc, const char *host, @@ -167,7 +167,8 @@ grpc_security_status grpc_channel_security_connector_check_call_host( /* For TESTING ONLY! Creates a fake connector that emulates real channel security. */ grpc_channel_security_connector *grpc_fake_channel_security_connector_create( - grpc_credentials *request_metadata_creds, int call_host_check_is_async); + grpc_call_credentials *request_metadata_creds, + int call_host_check_is_async); /* For TESTING ONLY! Creates a fake connector that emulates real server security. */ @@ -197,9 +198,9 @@ typedef struct { specific error code otherwise. */ grpc_security_status grpc_ssl_channel_security_connector_create( - grpc_credentials *request_metadata_creds, const grpc_ssl_config *config, - const char *target_name, const char *overridden_target_name, - grpc_channel_security_connector **sc); + grpc_call_credentials *request_metadata_creds, + const grpc_ssl_config *config, const char *target_name, + const char *overridden_target_name, grpc_channel_security_connector **sc); /* Gets the default ssl roots. */ size_t grpc_get_default_ssl_roots(const unsigned char **pem_root_certs); diff --git a/src/core/security/security_context.c b/src/core/security/security_context.c index f544c1d943..56c56a9506 100644 --- a/src/core/security/security_context.c +++ b/src/core/security/security_context.c @@ -46,7 +46,7 @@ /* --- grpc_call --- */ grpc_call_error grpc_call_set_credentials(grpc_call *call, - grpc_credentials *creds) { + grpc_call_credentials *creds) { grpc_client_security_context *ctx = NULL; GRPC_API_TRACE("grpc_call_set_credentials(call=%p, creds=%p)", 2, (call, creds)); @@ -54,20 +54,16 @@ grpc_call_error grpc_call_set_credentials(grpc_call *call, gpr_log(GPR_ERROR, "Method is client-side only."); return GRPC_CALL_ERROR_NOT_ON_SERVER; } - if (creds != NULL && !grpc_credentials_has_request_metadata_only(creds)) { - gpr_log(GPR_ERROR, "Incompatible credentials to set on a call."); - return GRPC_CALL_ERROR; - } ctx = (grpc_client_security_context *)grpc_call_context_get( call, GRPC_CONTEXT_SECURITY); if (ctx == NULL) { ctx = grpc_client_security_context_create(); - ctx->creds = grpc_credentials_ref(creds); + ctx->creds = grpc_call_credentials_ref(creds); grpc_call_context_set(call, GRPC_CONTEXT_SECURITY, ctx, grpc_client_security_context_destroy); } else { - grpc_credentials_unref(ctx->creds); - ctx->creds = grpc_credentials_ref(creds); + grpc_call_credentials_unref(ctx->creds); + ctx->creds = grpc_call_credentials_ref(creds); } return GRPC_CALL_OK; } @@ -101,7 +97,7 @@ grpc_client_security_context *grpc_client_security_context_create(void) { void grpc_client_security_context_destroy(void *ctx) { grpc_client_security_context *c = (grpc_client_security_context *)ctx; - grpc_credentials_unref(c->creds); + grpc_call_credentials_unref(c->creds); GRPC_AUTH_CONTEXT_UNREF(c->auth_context, "client_security_context"); gpr_free(ctx); } diff --git a/src/core/security/security_context.h b/src/core/security/security_context.h index 2bbdc4be97..794258edbc 100644 --- a/src/core/security/security_context.h +++ b/src/core/security/security_context.h @@ -85,7 +85,7 @@ void grpc_auth_property_reset(grpc_auth_property *property); Internal client-side security context. */ typedef struct { - grpc_credentials *creds; + grpc_call_credentials *creds; grpc_auth_context *auth_context; } grpc_client_security_context; diff --git a/src/core/surface/secure_channel_create.c b/src/core/surface/secure_channel_create.c index 1282ee99ed..0dd0a31169 100644 --- a/src/core/surface/secure_channel_create.c +++ b/src/core/surface/secure_channel_create.c @@ -230,7 +230,7 @@ static const grpc_subchannel_factory_vtable subchannel_factory_vtable = { Asynchronously: - resolve target - connect to it (trying alternatives as presented) - perform handshakes */ -grpc_channel *grpc_secure_channel_create(grpc_credentials *creds, +grpc_channel *grpc_secure_channel_create(grpc_channel_credentials *creds, const char *target, const grpc_channel_args *args, void *reserved) { @@ -261,9 +261,9 @@ grpc_channel *grpc_secure_channel_create(grpc_credentials *creds, "Security connector exists in channel args."); } - if (grpc_credentials_create_security_connector( - creds, target, args, NULL, &security_connector, - &new_args_from_connector) != GRPC_SECURITY_OK) { + if (grpc_channel_credentials_create_security_connector( + creds, target, args, &security_connector, &new_args_from_connector) != + GRPC_SECURITY_OK) { grpc_exec_ctx_finish(&exec_ctx); return grpc_lame_client_channel_create( target, GRPC_STATUS_INVALID_ARGUMENT, |