From c173b196d66430d96cd52402707bd874fc2931db Mon Sep 17 00:00:00 2001
From: Nathan Herring
Date: Thu, 9 Aug 2018 11:29:05 -0500
Subject: Add flags to use client certs for cli. This allows `grpc_cli` to act with the specific client identity when using SSL. It does _not_ however set the cert when using Google Default Credentials, as it does not have the necessary options to provide a client cert and key.
---
 test/cpp/util/cli_credentials.cc | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)
(limited to 'test/cpp/util')
diff --git a/test/cpp/util/cli_credentials.cc b/test/cpp/util/cli_credentials.cc
index acf4ef8ef1..a78027e5aa 100644
--- a/test/cpp/util/cli_credentials.cc
+++ b/test/cpp/util/cli_credentials.cc
@@ -19,6 +19,11 @@
 #include "test/cpp/util/cli_credentials.h"
 #include
+#include
+#include
+#include
+
+#include "src/core/lib/iomgr/load_file.h"
 DEFINE_bool(
 enable_ssl, false,
@@ -33,6 +38,14 @@ DEFINE_string(
 ssl_target, "",
 "If not empty, treat the server host name as this for ssl/tls certificate "
 "validation.");
+DEFINE_string(
+ ssl_client_cert, "",
+ "If not empty, load this PEM formated client certificate file. Requires "
+ "use of --ssl_client_key.");
+DEFINE_string(
+ ssl_client_key, "",
+ "If not empty, load this PEM formated private key. Requires use of "
+ "--ssl_client_cert");
 DEFINE_string(
 channel_creds_type, "",
 "The channel creds type: insecure, ssl, gdc (Google Default Credentials) "
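Review bot: The help strings for `--ssl_client_cert` and `--ssl_client_key` each state that the other flag is required, but nothing visible in this patch enforces that pairing; the `ssl` branch of GetChannelCredentials (hunk `@@ -64,7 +77,27 @@`) loads each file independently, so passing only one of the two is accepted silently. Either reject the half-configured case where the credentials are built, for example with a guard on `FLAGS_ssl_client_cert.empty() != FLAGS_ssl_client_key.empty()`, or reword the help text so it does not promise a check that is not there. Both strings also spell "formatted" as `formated`.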
@@ -64,7 +77,27 @@ CliCredentials::GetChannelCredentials() const {
 if (FLAGS_channel_creds_type.compare("insecure") == 0) {
 return grpc::InsecureChannelCredentials();
 } else if (FLAGS_channel_creds_type.compare("ssl") == 0) {
- return grpc::SslCredentials(grpc::SslCredentialsOptions());
+ grpc::SslCredentialsOptions ssl_creds_options;
+ // TODO(@Capstan): This won't affect Google Default Credentials using SSL.
+ if (!FLAGS_ssl_client_cert.empty()) {
+ grpc_slice cert_slice = grpc_empty_slice();
+ GRPC_LOG_IF_ERROR(
+ "load_file",
+ grpc_load_file(FLAGS_ssl_client_cert.c_str(), 1, &cert_slice));
+ ssl_creds_options.pem_cert_chain =
+ grpc::StringFromCopiedSlice(cert_slice);
+ grpc_slice_unref(cert_slice);
+ }
+ if (!FLAGS_ssl_client_key.empty()) {
+ grpc_slice key_slice = grpc_empty_slice();
+ GRPC_LOG_IF_ERROR(
+ "load_file",
+ grpc_load_file(FLAGS_ssl_client_key.c_str(), 1, &key_slice));
+ ssl_creds_options.pem_private_key =
+ grpc::StringFromCopiedSlice(key_slice);
+ grpc_slice_unref(key_slice);
+ }
+ return grpc::SslCredentials(ssl_creds_options);
 } else if (FLAGS_channel_creds_type.compare("gdc") == 0) {
 return grpc::GoogleDefaultCredentials();
 } else if (FLAGS_channel_creds_type.compare("alts") == 0) {
@@ -129,6 +162,8 @@ const grpc::string CliCredentials::GetCredentialUsage() const {
 " --access_token ; Set the access token in metadata,"
 " overrides --use_auth\n"
 " --ssl_target ; Set server host for ssl validation\n"
+ " --ssl_client_cert ; Client cert for ssl\n"
+ " --ssl_client_key ; Client private key for ssl\n"
 " --channel_creds_type ; Set to insecure, ssl, gdc, or alts\n";
 }
-- cgit v1.2.3
From 147826a909cc60d963c34b919417ce7a888e29ce Mon Sep 17 00:00:00 2001
From: Nathan Herring
Date: Tue, 21 Aug 2018 23:16:22 +0200
Subject: Use grpc_slice_unref_internal
---
 test/cpp/util/cli_credentials.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'test/cpp/util')
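Review bot: A failed read of the client certificate or key in the `ssl` branch (hunk `@@ -64,7 +77,27 @@`) is only logged: the result of `GRPC_LOG_IF_ERROR("load_file", grpc_load_file(...))` is discarded, so the code still copies the empty slice into `pem_cert_chain` / `pem_private_key` and calls `grpc::SslCredentials(ssl_creds_options)`. A mistyped or unreadable path therefore appears to produce a channel without the client identity the caller asked for, rather than an error. Testing the macro's result in both blocks, e.g. `if (!GRPC_LOG_IF_ERROR("load_file", grpc_load_file(FLAGS_ssl_client_key.c_str(), 1, &key_slice))) { /* stop building credentials */ }`, would make the failure explicit. What to return in that case depends on the function's error handling, which starts and ends outside this hunk.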
diff --git a/test/cpp/util/cli_credentials.cc b/test/cpp/util/cli_credentials.cc
index a78027e5aa..7e05ac2d53 100644
--- a/test/cpp/util/cli_credentials.cc
+++ b/test/cpp/util/cli_credentials.cc
@@ -86,7 +86,7 @@ CliCredentials::GetChannelCredentials() const {
 grpc_load_file(FLAGS_ssl_client_cert.c_str(), 1, &cert_slice));
 ssl_creds_options.pem_cert_chain =
 grpc::StringFromCopiedSlice(cert_slice);
- grpc_slice_unref(cert_slice);
+ grpc_slice_unref_internal(cert_slice);
 }
 if (!FLAGS_ssl_client_key.empty()) {
 grpc_slice key_slice = grpc_empty_slice();
@@ -95,7 +95,7 @@ CliCredentials::GetChannelCredentials() const {
 grpc_load_file(FLAGS_ssl_client_key.c_str(), 1, &key_slice));
 ssl_creds_options.pem_private_key =
 grpc::StringFromCopiedSlice(key_slice);
- grpc_slice_unref(key_slice);
+ grpc_slice_unref_internal(key_slice);
 }
 return grpc::SslCredentials(ssl_creds_options);
 } else if (FLAGS_channel_creds_type.compare("gdc") == 0) {
-- cgit v1.2.3
From 234fdc6fbf68aa6c29990db7c7ddcface3355cb5 Mon Sep 17 00:00:00 2001
From: Nathan Herring
Date: Tue, 21 Aug 2018 23:28:45 +0200
Subject: Missing #include
---
 test/cpp/util/cli_credentials.cc | 1 +
 1 file changed, 1 insertion(+)
(limited to 'test/cpp/util')
diff --git a/test/cpp/util/cli_credentials.cc b/test/cpp/util/cli_credentials.cc
index 7e05ac2d53..73ecc78d5c 100644
--- a/test/cpp/util/cli_credentials.cc
+++ b/test/cpp/util/cli_credentials.cc
@@ -24,6 +24,7 @@
 #include
 #include "src/core/lib/iomgr/load_file.h"
+#include "src/core/lib/slice/slice_internal.h"
 DEFINE_bool(
 enable_ssl, false,
-- cgit v1.2.3
From 2d8c682cac54ff2f6024a4b629b1f12be41fca9e Mon Sep 17 00:00:00 2001
From: Nathan Herring
Date: Tue, 11 Sep 2018 09:31:39 +0200
Subject: Revert "Missing #include" This reverts commit 234fdc6fbf68aa6c29990db7c7ddcface3355cb5.
---
 test/cpp/util/cli_credentials.cc | 1 -
 1 file changed, 1 deletion(-)
(limited to 'test/cpp/util')
diff --git a/test/cpp/util/cli_credentials.cc b/test/cpp/util/cli_credentials.cc
index 3defd82443..d48b94ad85 100644
--- a/test/cpp/util/cli_credentials.cc
+++ b/test/cpp/util/cli_credentials.cc
@@ -24,7 +24,6 @@
 #include
 #include "src/core/lib/iomgr/load_file.h"
-#include "src/core/lib/slice/slice_internal.h"
 DEFINE_bool(
 enable_ssl, false,
-- cgit v1.2.3
From 916a686ef3b69a9036ed0423c62a2ce1c53ef062 Mon Sep 17 00:00:00 2001
From: Nathan Herring
Date: Tue, 11 Sep 2018 09:32:06 +0200
Subject: Revert "Use grpc_slice_unref_internal" This reverts commit 147826a909cc60d963c34b919417ce7a888e29ce.
---
 test/cpp/util/cli_credentials.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'test/cpp/util')
diff --git a/test/cpp/util/cli_credentials.cc b/test/cpp/util/cli_credentials.cc
index d48b94ad85..1125b2d945 100644
--- a/test/cpp/util/cli_credentials.cc
+++ b/test/cpp/util/cli_credentials.cc
@@ -121,7 +121,7 @@ CliCredentials::GetChannelCredentials() const {
 grpc_load_file(FLAGS_ssl_client_cert.c_str(), 1, &cert_slice));
 ssl_creds_options.pem_cert_chain =
 grpc::StringFromCopiedSlice(cert_slice);
- grpc_slice_unref_internal(cert_slice);
+ grpc_slice_unref(cert_slice);
 }
 if (!FLAGS_ssl_client_key.empty()) {
 grpc_slice key_slice = grpc_empty_slice();
@@ -130,7 +130,7 @@ CliCredentials::GetChannelCredentials() const {
 grpc_load_file(FLAGS_ssl_client_key.c_str(), 1, &key_slice));
 ssl_creds_options.pem_private_key =
 grpc::StringFromCopiedSlice(key_slice);
- grpc_slice_unref_internal(key_slice);
+ grpc_slice_unref(key_slice);
 }
 return grpc::SslCredentials(ssl_creds_options);
 } else if (FLAGS_channel_creds_type.compare("gdc") == 0) {
-- cgit v1.2.3