3 * Copyright 2018 gRPC authors.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
19 #ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
20 #define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
#include <grpc/support/port_platform.h>

#include <string>
#include <utility>

#include "absl/container/inlined_vector.h"

#include <grpc/grpc_security.h>

#include "src/core/lib/gprpp/ref_counted.h"
#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
#include "src/core/lib/security/security_connector/ssl_utils.h"
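/** Ref-counted owner of the human-readable error string attached to a TLS
 *  server authorization check result. **/
struct grpc_tls_error_details
    : public grpc_core::RefCounted<grpc_tls_error_details> {
 public:
  grpc_tls_error_details() = default;
  /// Copies \a err_details into the owned string. A nullptr argument is
  /// treated as "no details" (empty string); assigning a null const char* to
  /// std::string directly would be undefined behavior.
  void set_error_details(const char* err_details) {
    error_details_ = (err_details == nullptr) ? "" : err_details;
  }
  /// Returns the stored details; empty if set_error_details was never called.
  const std::string& error_details() const { return error_details_; }

 private:
  std::string error_details_;
};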
/** TLS server authorization check config.
 *
 *  Holds the three C callbacks supplied by the application (schedule, cancel,
 *  destruct) together with the opaque user data they are handed. The
 *  constructor, destructor, Schedule and Cancel are defined out of line. **/
struct grpc_tls_server_authorization_check_config
    : public grpc_core::RefCounted<grpc_tls_server_authorization_check_config> {
 public:
  /// Signature of the application callback that starts a check. It must be
  /// non-blocking. Synchronous completion: populate \a arg->result,
  /// \a arg->status and \a arg->error_details and return zero. Asynchronous
  /// completion: return non-zero and invoke \a arg->cb once done — never
  /// before schedule() itself has returned.
  using ScheduleFn = int (*)(void* config_user_data,
                             grpc_tls_server_authorization_check_arg* arg);
  /// Signature of the application callback that cancels a pending check.
  using CancelFn = void (*)(void* config_user_data,
                            grpc_tls_server_authorization_check_arg* arg);
  /// Signature of the application callback that releases any data tied to
  /// this config.
  using DestructFn = void (*)(void* config_user_data);

  grpc_tls_server_authorization_check_config(const void* config_user_data,
                                             ScheduleFn schedule,
                                             CancelFn cancel,
                                             DestructFn destruct);
  ~grpc_tls_server_authorization_check_config() override;

  /// Opaque handle to the wrapped-language implementation of this config;
  /// the C schedule/cancel shims need it to reach the wrapped object.
  void* context() const { return context_; }
  void set_context(void* context) { context_ = context; }

  /// Presumably forward to schedule_ / cancel_ with config_user_data_ —
  /// the bodies live in the .cc, confirm there.
  int Schedule(grpc_tls_server_authorization_check_arg* arg) const;
  void Cancel(grpc_tls_server_authorization_check_arg* arg) const;

 private:
  void* context_ = nullptr;
  /// Config-specific, read-only user data shared by every channel created with
  /// a credential that uses this config. Declared non-const even though the
  /// constructor accepts a const void*; the cast presumably happens in the
  /// out-of-line constructor.
  void* config_user_data_;
  ScheduleFn schedule_;
  CancelFn cancel_;
  DestructFn destruct_;
};
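// Contains configurable options specified by callers to configure their certain
// security features supported in TLS.
//
// Security-relevant defaults (see the member initializers below): the server
// does not request a client certificate, the client performs full server
// verification, and the protocol range is TLS 1.2 to TLS 1.3. The setters
// store values verbatim; nothing here cross-checks them (e.g. min vs. max TLS
// version), so that validation belongs to the caller or to the code that
// consumes these options.
// TODO(ZhenLian): consider making this not ref-counted.
struct grpc_tls_credentials_options
    : public grpc_core::RefCounted<grpc_tls_credentials_options> {
 public:
  ~grpc_tls_credentials_options() override = default;

  // Getters for member fields. Every getter is const-qualified: they only
  // read state, and a const options object should be fully inspectable.
  grpc_ssl_client_certificate_request_type cert_request_type() const {
    return cert_request_type_;
  }
  grpc_tls_server_verification_option server_verification_option() const {
    return server_verification_option_;
  }
  grpc_tls_version min_tls_version() const { return min_tls_version_; }
  grpc_tls_version max_tls_version() const { return max_tls_version_; }
  grpc_tls_server_authorization_check_config*
  server_authorization_check_config() const {
    return server_authorization_check_config_.get();
  }
  // Returns the distributor from provider_ if it is set, nullptr otherwise.
  // The pointer is non-owning; it is presumably kept alive by provider_, so
  // callers must not hold it past the provider's lifetime — confirm against
  // grpc_tls_certificate_provider::distributor().
  grpc_tls_certificate_distributor* certificate_distributor() const {
    if (provider_ != nullptr) return provider_->distributor().get();
    return nullptr;
  }
  bool watch_root_cert() const { return watch_root_cert_; }
  const std::string& root_cert_name() const { return root_cert_name_; }
  bool watch_identity_pair() const { return watch_identity_pair_; }
  const std::string& identity_cert_name() const { return identity_cert_name_; }

  // Setters for member fields.
  // Server side: whether and how strictly clients are asked for a certificate.
  // The default does not request one at all, so mutual TLS requires an
  // explicit request-and-verify value.
  void set_cert_request_type(
      const grpc_ssl_client_certificate_request_type type) {
    cert_request_type_ = type;
  }
  // Client side: how much of the server's identity is verified. Anything other
  // than GRPC_TLS_SERVER_VERIFICATION (the default) relaxes authentication of
  // the peer; the value is stored as given, without further checks.
  void set_server_verification_option(
      const grpc_tls_server_verification_option server_verification_option) {
    server_verification_option_ = server_verification_option;
  }
  // Protocol version bounds. Neither setter checks that min <= max.
  void set_min_tls_version(grpc_tls_version min_tls_version) {
    min_tls_version_ = min_tls_version;
  }
  void set_max_tls_version(grpc_tls_version max_tls_version) {
    max_tls_version_ = max_tls_version;
  }
  void set_server_authorization_check_config(
      grpc_core::RefCountedPtr<grpc_tls_server_authorization_check_config>
          config) {
    server_authorization_check_config_ = std::move(config);
  }
  // Sets the provider in the options.
  void set_certificate_provider(
      grpc_core::RefCountedPtr<grpc_tls_certificate_provider> provider) {
    provider_ = std::move(provider);
  }
  // If need to watch the updates of root certificates with name
  // |root_cert_name|. The default value is false. If used in tls_credentials,
  // it should always be set to true unless the root certificates are not
  // needed.
  void set_watch_root_cert(bool watch) { watch_root_cert_ = watch; }
  // Sets the name of root certificates being watched, if |set_watch_root_cert|
  // is called. If not set, an empty string will be used as the name.
  void set_root_cert_name(std::string root_cert_name) {
    root_cert_name_ = std::move(root_cert_name);
  }
  // If need to watch the updates of identity certificates with name
  // |identity_cert_name|.
  // The default value is false.
  // If used in tls_credentials, it should always be set to true
  // unless the identity key-cert pairs are not needed.
  void set_watch_identity_pair(bool watch) { watch_identity_pair_ = watch; }
  // Sets the name of identity key-cert pairs being watched, if
  // |set_watch_identity_pair| is called. If not set, an empty string will
  // be used as the name.
  void set_identity_cert_name(std::string identity_cert_name) {
    identity_cert_name_ = std::move(identity_cert_name);
  }

 private:
  grpc_ssl_client_certificate_request_type cert_request_type_ =
      GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
  grpc_tls_server_verification_option server_verification_option_ =
      GRPC_TLS_SERVER_VERIFICATION;
  grpc_tls_version min_tls_version_ = grpc_tls_version::TLS1_2;
  grpc_tls_version max_tls_version_ = grpc_tls_version::TLS1_3;
  grpc_core::RefCountedPtr<grpc_tls_server_authorization_check_config>
      server_authorization_check_config_;
  grpc_core::RefCountedPtr<grpc_tls_certificate_provider> provider_;
  bool watch_root_cert_ = false;
  std::string root_cert_name_;
  bool watch_identity_pair_ = false;
  std::string identity_cert_name_;
};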
193 #endif // GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H