GRPC Core  9.0.0
spiffe_security_connector.h
Go to the documentation of this file.
1 /*
2  *
3  * Copyright 2018 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_SPIFFE_SECURITY_CONNECTOR_H
20 #define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_SPIFFE_SECURITY_CONNECTOR_H
21 
23 
27 
28 #define GRPC_TLS_SPIFFE_TRANSPORT_SECURITY_TYPE "spiffe"
29 
30 namespace grpc_core {
31 
32 // Spiffe channel security connector.
35  public:
36  // static factory method to create a SPIFFE channel security connector.
41  const char* target_name, const char* overridden_target_name,
42  tsi_ssl_session_cache* ssl_session_cache);
43 
47  const char* target_name, const char* overridden_target_name);
49 
50  void add_handshakers(const grpc_channel_args* args,
51  grpc_pollset_set* interested_parties,
52  grpc_core::HandshakeManager* handshake_mgr) override;
53 
54  void check_peer(tsi_peer peer, grpc_endpoint* ep,
56  grpc_closure* on_peer_checked) override;
57 
58  int cmp(const grpc_security_connector* other_sc) const override;
59 
61  grpc_auth_context* auth_context,
62  grpc_closure* on_call_host_checked,
63  grpc_error** error) override;
64 
65  void cancel_check_call_host(grpc_closure* on_call_host_checked,
66  grpc_error* error) override;
67 
68  private:
69  // Initialize SSL TSI client handshaker factory.
70  grpc_security_status InitializeHandshakerFactory(
71  tsi_ssl_session_cache* ssl_session_cache);
72 
73  // A util function to create a new client handshaker factory to replace
74  // the existing one if exists.
75  grpc_security_status ReplaceHandshakerFactory(
76  tsi_ssl_session_cache* ssl_session_cache);
77 
78  // gRPC-provided callback executed by application, which servers to bring the
79  // control back to gRPC core.
80  static void ServerAuthorizationCheckDone(
82 
83  // A util function to process server authorization check result.
84  static grpc_error* ProcessServerAuthorizationCheckResult(
86 
87  // A util function to create a server authorization check arg instance.
89  ServerAuthorizationCheckArgCreate(void* user_data);
90 
91  // A util function to destroy a server authorization check arg instance.
92  static void ServerAuthorizationCheckArgDestroy(
94 
95  // A util function to refresh SSL TSI client handshaker factory with a valid
96  // credential.
97  grpc_security_status RefreshHandshakerFactory();
98 
99  grpc_core::Mutex mu_;
100  grpc_closure* on_peer_checked_;
101  grpc_core::UniquePtr<char> target_name_;
102  grpc_core::UniquePtr<char> overridden_target_name_;
103  tsi_ssl_client_handshaker_factory* client_handshaker_factory_ = nullptr;
106 };
107 
108 // Spiffe server security connector.
111  public:
112  // static factory method to create a SPIFFE server security connector.
116 
120 
121  void add_handshakers(const grpc_channel_args* args,
122  grpc_pollset_set* interested_parties,
123  grpc_core::HandshakeManager* handshake_mgr) override;
124 
125  void check_peer(tsi_peer peer, grpc_endpoint* ep,
127  grpc_closure* on_peer_checked) override;
128 
129  int cmp(const grpc_security_connector* other) const override;
130 
131  private:
132  // Initialize SSL TSI server handshaker factory.
133  grpc_security_status InitializeHandshakerFactory();
134 
135  // A util function to create a new server handshaker factory to replace the
136  // existing once if exists.
137  grpc_security_status ReplaceHandshakerFactory();
138 
139  // A util function to refresh SSL TSI server handshaker factory with a valid
140  // credential.
141  grpc_security_status RefreshHandshakerFactory();
142 
143  grpc_core::Mutex mu_;
144  tsi_ssl_server_handshaker_factory* server_handshaker_factory_ = nullptr;
146 };
147 
148 // Exposed for testing only.
151  key_materials_config,
152  const grpc_tls_credentials_options& options,
154 
155 } // namespace grpc_core
156 
157 #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_SPIFFE_SECURITY_CONNECTOR_H \
158  */
Definition: security_connector.h:87
const grpc_call_credentials * request_metadata_creds() const
Definition: security_connector.h:121
const grpc_channel_credentials * channel_creds() const
Definition: security_connector.h:115
Definition: handshaker.h:91
Definition: sync.h:40
Definition: ref_counted_ptr.h:35
Definition: spiffe_security_connector.h:34
void check_peer(tsi_peer peer, grpc_endpoint *ep, grpc_core::RefCountedPtr< grpc_auth_context > *auth_context, grpc_closure *on_peer_checked) override
Definition: spiffe_security_connector.cc:165
~SpiffeChannelSecurityConnector() override
Definition: spiffe_security_connector.cc:132
bool check_call_host(grpc_core::StringView host, grpc_auth_context *auth_context, grpc_closure *on_call_host_checked, grpc_error **error) override
Checks that the host that will be set for a call is acceptable.
Definition: spiffe_security_connector.cc:232
void cancel_check_call_host(grpc_closure *on_call_host_checked, grpc_error *error) override
Cancels a pending asynchronous call to grpc_channel_security_connector_check_call_host() with on_call...
Definition: spiffe_security_connector.cc:240
static grpc_core::RefCountedPtr< grpc_channel_security_connector > CreateSpiffeChannelSecurityConnector(grpc_core::RefCountedPtr< grpc_channel_credentials > channel_creds, grpc_core::RefCountedPtr< grpc_call_credentials > request_metadata_creds, const char *target_name, const char *overridden_target_name, tsi_ssl_session_cache *ssl_session_cache)
Definition: spiffe_security_connector.cc:246
void add_handshakers(const grpc_channel_args *args, grpc_pollset_set *interested_parties, grpc_core::HandshakeManager *handshake_mgr) override
Registers handshakers with handshake_mgr.
Definition: spiffe_security_connector.cc:142
int cmp(const grpc_security_connector *other_sc) const override
Definition: spiffe_security_connector.cc:219
SpiffeChannelSecurityConnector(grpc_core::RefCountedPtr< grpc_channel_credentials > channel_creds, grpc_core::RefCountedPtr< grpc_call_credentials > request_metadata_creds, const char *target_name, const char *overridden_target_name)
Definition: spiffe_security_connector.cc:114
Definition: spiffe_security_connector.h:110
~SpiffeServerSecurityConnector() override
Definition: spiffe_security_connector.cc:411
void check_peer(tsi_peer peer, grpc_endpoint *ep, grpc_core::RefCountedPtr< grpc_auth_context > *auth_context, grpc_closure *on_peer_checked) override
Definition: spiffe_security_connector.cc:440
SpiffeServerSecurityConnector(grpc_core::RefCountedPtr< grpc_server_credentials > server_creds)
Definition: spiffe_security_connector.cc:404
void add_handshakers(const grpc_channel_args *args, grpc_pollset_set *interested_parties, grpc_core::HandshakeManager *handshake_mgr) override
Definition: spiffe_security_connector.cc:420
int cmp(const grpc_security_connector *other) const override
Definition: spiffe_security_connector.cc:451
static grpc_core::RefCountedPtr< grpc_server_security_connector > CreateSpiffeServerSecurityConnector(grpc_core::RefCountedPtr< grpc_server_credentials > server_creds)
Definition: spiffe_security_connector.cc:458
Definition: string_view.h:69
Definition: security_connector.h:48
Definition: security_connector.h:149
const grpc_server_credentials * server_creds() const
Definition: security_connector.h:160
grpc_ssl_certificate_config_reload_status
Callback results for dynamically loading a SSL certificate config.
Definition: grpc_security_constants.h:53
grpc_status_code
Definition: status.h:26
grpc_linked_mdelem status
Definition: lame_client.cc:44
Round Robin Policy.
Definition: backend_metric.cc:24
grpc_status_code TlsFetchKeyMaterials(const grpc_core::RefCountedPtr< grpc_tls_key_materials_config > &key_materials_config, const grpc_tls_credentials_options &options, grpc_ssl_certificate_config_reload_status *reload_status)
– Util function to fetch SPIFFE server/channel credentials.
Definition: spiffe_security_connector.cc:66
std::unique_ptr< T, DefaultDeleteChar > UniquePtr
Definition: memory.h:45
struct grpc_pollset_set grpc_pollset_set
Definition: pollset_set.h:31
grpc_security_status
Definition: security_connector.h:38
struct tsi_ssl_session_cache tsi_ssl_session_cache
Definition: ssl_transport_security.h:58
Definition: security_context.h:51
An array of arguments that can be passed around.
Definition: grpc_types.h:132
A closure over a grpc_iomgr_cb_func.
Definition: closure.h:56
Definition: endpoint.h:102
Definition: error_internal.h:39
Definition: grpc_tls_credentials_options.h:219
A struct containing all information necessary to schedule/cancel a server authorization check request...
Definition: grpc_security.h:899
Definition: transport_security_interface.h:198
Definition: ssl_transport_security.cc:86
Definition: ssl_transport_security.cc:94