src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc

   1 /*
   2  *
   3  * Copyright 2015 gRPC authors.
   4  *
   5  * Licensed under the Apache License, Version 2.0 (the "License");
   6  * you may not use this file except in compliance with the License.
   7  * You may obtain a copy of the License at
   8  *
   9  *     http://www.apache.org/licenses/LICENSE-2.0
  10  *
  11  * Unless required by applicable law or agreed to in writing, software
  12  * distributed under the License is distributed on an "AS IS" BASIS,
  13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14  * See the License for the specific language governing permissions and
  15  * limitations under the License.
  16  *
  17  */
  18
  19 #include <grpc/support/port_platform.h>
  20
  21 #include <string.h>
  22
  23 #include "absl/strings/str_cat.h"
  24
  25 #include <grpc/grpc.h>
  26 #include <grpc/support/alloc.h>
  27 #include <grpc/support/log.h>
  28
  29 #include "src/core/ext/transport/chttp2/server/chttp2_server.h"
  30
  31 #include "src/core/ext/transport/chttp2/transport/chttp2_transport.h"
  32 #include "src/core/lib/channel/channel_args.h"
  33 #include "src/core/lib/channel/handshaker.h"
  34 #include "src/core/lib/gprpp/ref_counted_ptr.h"
  35 #include "src/core/lib/security/context/security_context.h"
  36 #include "src/core/lib/security/credentials/credentials.h"
  37 #include "src/core/lib/surface/api_trace.h"
  38 #include "src/core/lib/surface/server.h"
  39
  40 namespace {
  41
  42 grpc_channel_args* ModifyArgsForConnection(grpc_channel_args* args,
  43                                            grpc_error_handle* error) {
  44   grpc_server_credentials* server_credentials =
  45       grpc_find_server_credentials_in_args(args);
  46   if (server_credentials == nullptr) {
  47     *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
  48         "Could not find server credentials");
  49     return args;
  50   }
  51   auto security_connector = server_credentials->create_security_connector(args);
  52   if (security_connector == nullptr) {
  53     *error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
  54         absl::StrCat("Unable to create secure server with credentials of type ",
  55                      server_credentials->type())
  56             .c_str());
  57     return args;
  58   }
  59   grpc_arg arg_to_add =
  60       grpc_security_connector_to_arg(security_connector.get());
  61   grpc_channel_args* new_args =
  62       grpc_channel_args_copy_and_add(args, &arg_to_add, 1);
  63   grpc_channel_args_destroy(args);
  64   return new_args;
  65 }
  66
  67 }  // namespace
  68
  69 int grpc_server_add_secure_http2_port(grpc_server* server, const char* addr,
  70                                       grpc_server_credentials* creds) {
  71   grpc_core::ExecCtx exec_ctx;
  72   grpc_error_handle err = GRPC_ERROR_NONE;
  73   grpc_core::RefCountedPtr<grpc_server_security_connector> sc;
  74   int port_num = 0;
  75   grpc_channel_args* args = nullptr;
  76   GRPC_API_TRACE(
  77       "grpc_server_add_secure_http2_port("
  78       "server=%p, addr=%s, creds=%p)",
  79       3, (server, addr, creds));
  80   // Create security context.
  81   if (creds == nullptr) {
  82     err = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
  83         "No credentials specified for secure server port (creds==NULL)");
  84     goto done;
  85   }
  86   // TODO(yashykt): Ideally, we would not want to have different behavior here
  87   // based on whether a config fetcher is configured or not. Currently, we have
  88   // a feature for SSL credentials reloading with an application callback that
  89   // assumes that there is a single security connector. If we delay the creation
  90   // of the security connector to after the creation of the listener(s), we
  91   // would have potentially multiple security connectors which breaks the
  92   // assumption for SSL creds reloading. When the API for SSL creds reloading is
  93   // rewritten, we would be able to make this workaround go away by removing
  94   // that assumption. As an immediate drawback of this workaround, config
  95   // fetchers need to be registered before adding ports to the server.
  96   if (server->core_server->config_fetcher() != nullptr) {
  97     // Create channel args.
  98     grpc_arg arg_to_add = grpc_server_credentials_to_arg(creds);
  99     args = grpc_channel_args_copy_and_add(server->core_server->channel_args(),
 100                                           &arg_to_add, 1);
 101   } else {
 102     sc = creds->create_security_connector(nullptr);
 103     if (sc == nullptr) {
 104       err = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
 105           absl::StrCat(
 106               "Unable to create secure server with credentials of type ",
 107               creds->type())
 108               .c_str());
 109       goto done;
 110     }
 111     grpc_arg args_to_add[2];
 112     args_to_add[0] = grpc_server_credentials_to_arg(creds);
 113     args_to_add[1] = grpc_security_connector_to_arg(sc.get());
 114     args = grpc_channel_args_copy_and_add(server->core_server->channel_args(),
 115                                           args_to_add,
 116                                           GPR_ARRAY_SIZE(args_to_add));
 117   }
 118   // Add server port.
 119   err = grpc_core::Chttp2ServerAddPort(server->core_server.get(), addr, args,
 120                                        ModifyArgsForConnection, &port_num);
 121 done:
 122   sc.reset(DEBUG_LOCATION, "server");
 123   if (err != GRPC_ERROR_NONE) {
 124     gpr_log(GPR_ERROR, "%s", grpc_error_std_string(err).c_str());
 125
 126     GRPC_ERROR_UNREF(err);
 127   }
 128   return port_num;
 129 }