src/core/lib/security/security_connector/fake/fake_security_connector.cc

   1 /*
   2  *
   3  * Copyright 2018 gRPC authors.
   4  *
   5  * Licensed under the Apache License, Version 2.0 (the "License");
   6  * you may not use this file except in compliance with the License.
   7  * You may obtain a copy of the License at
   8  *
   9  *     http://www.apache.org/licenses/LICENSE-2.0
  10  *
  11  * Unless required by applicable law or agreed to in writing, software
  12  * distributed under the License is distributed on an "AS IS" BASIS,
  13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14  * See the License for the specific language governing permissions and
  15  * limitations under the License.
  16  *
  17  */
  18
  19 #include <grpc/support/port_platform.h>
  20
  21 #include "src/core/lib/security/security_connector/fake/fake_security_connector.h"
  22
  23 #include <stdbool.h>
  24
  25 #include "absl/strings/str_cat.h"
  26
  27 #include <grpc/support/alloc.h>
  28 #include <grpc/support/log.h>
  29 #include <grpc/support/string_util.h>
  30
  31 #include "src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h"
  32 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
  33 #include "src/core/ext/xds/xds_channel_args.h"
  34 #include "src/core/lib/channel/channel_args.h"
  35 #include "src/core/lib/channel/handshaker.h"
  36 #include "src/core/lib/gpr/string.h"
  37 #include "src/core/lib/gprpp/host_port.h"
  38 #include "src/core/lib/gprpp/ref_counted_ptr.h"
  39 #include "src/core/lib/security/context/security_context.h"
  40 #include "src/core/lib/security/credentials/credentials.h"
  41 #include "src/core/lib/security/credentials/fake/fake_credentials.h"
  42 #include "src/core/lib/security/transport/security_handshaker.h"
  43 #include "src/core/tsi/fake_transport_security.h"
  44
  45 namespace {
  46 class grpc_fake_channel_security_connector final
  47     : public grpc_channel_security_connector {
  48  public:
  49   grpc_fake_channel_security_connector(
  50       grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
  51       grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
  52       const char* target, const grpc_channel_args* args)
  53       : grpc_channel_security_connector(GRPC_FAKE_SECURITY_URL_SCHEME,
  54                                         std::move(channel_creds),
  55                                         std::move(request_metadata_creds)),
  56         target_(gpr_strdup(target)),
  57         expected_targets_(
  58             gpr_strdup(grpc_fake_transport_get_expected_targets(args))),
  59         is_lb_channel_(grpc_channel_args_find(
  60                            args, GRPC_ARG_ADDRESS_IS_GRPCLB_LOAD_BALANCER) !=
  61                        nullptr) {
  62     const grpc_arg* target_name_override_arg =
  63         grpc_channel_args_find(args, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG);
  64     if (target_name_override_arg != nullptr) {
  65       target_name_override_ =
  66           gpr_strdup(grpc_channel_arg_get_string(target_name_override_arg));
  67     } else {
  68       target_name_override_ = nullptr;
  69     }
  70   }
  71
  72   ~grpc_fake_channel_security_connector() override {
  73     gpr_free(target_);
  74     gpr_free(expected_targets_);
  75     if (target_name_override_ != nullptr) gpr_free(target_name_override_);
  76   }
  77
  78   void check_peer(tsi_peer peer, grpc_endpoint* ep,
  79                   grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
  80                   grpc_closure* on_peer_checked) override;
  81
  82   int cmp(const grpc_security_connector* other_sc) const override {
  83     auto* other =
  84         reinterpret_cast<const grpc_fake_channel_security_connector*>(other_sc);
  85     int c = channel_security_connector_cmp(other);
  86     if (c != 0) return c;
  87     c = strcmp(target_, other->target_);
  88     if (c != 0) return c;
  89     if (expected_targets_ == nullptr || other->expected_targets_ == nullptr) {
  90       c = GPR_ICMP(expected_targets_, other->expected_targets_);
  91     } else {
  92       c = strcmp(expected_targets_, other->expected_targets_);
  93     }
  94     if (c != 0) return c;
  95     return GPR_ICMP(is_lb_channel_, other->is_lb_channel_);
  96   }
  97
  98   void add_handshakers(const grpc_channel_args* args,
  99                        grpc_pollset_set* /*interested_parties*/,
 100                        grpc_core::HandshakeManager* handshake_mgr) override {
 101     handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(
 102         tsi_create_fake_handshaker(/*is_client=*/true), this, args));
 103   }
 104
 105   bool check_call_host(absl::string_view host,
 106                        grpc_auth_context* /*auth_context*/,
 107                        grpc_closure* /*on_call_host_checked*/,
 108                        grpc_error** /*error*/) override {
 109     absl::string_view authority_hostname;
 110     absl::string_view authority_ignored_port;
 111     absl::string_view target_hostname;
 112     absl::string_view target_ignored_port;
 113     grpc_core::SplitHostPort(host, &authority_hostname,
 114                              &authority_ignored_port);
 115     grpc_core::SplitHostPort(target_, &target_hostname, &target_ignored_port);
 116     if (target_name_override_ != nullptr) {
 117       absl::string_view fake_security_target_name_override_hostname;
 118       absl::string_view fake_security_target_name_override_ignored_port;
 119       grpc_core::SplitHostPort(
 120           target_name_override_, &fake_security_target_name_override_hostname,
 121           &fake_security_target_name_override_ignored_port);
 122       if (authority_hostname != fake_security_target_name_override_hostname) {
 123         gpr_log(GPR_ERROR,
 124                 "Authority (host) '%s' != Fake Security Target override '%s'",
 125                 host.data(),
 126                 fake_security_target_name_override_hostname.data());
 127         abort();
 128       }
 129     } else if (authority_hostname != target_hostname) {
 130       gpr_log(GPR_ERROR, "Authority (host) '%s' != Target '%s'", host.data(),
 131               target_);
 132       abort();
 133     }
 134     return true;
 135   }
 136
 137   void cancel_check_call_host(grpc_closure* /*on_call_host_checked*/,
 138                               grpc_error* error) override {
 139     GRPC_ERROR_UNREF(error);
 140   }
 141
 142   char* target() const { return target_; }
 143   char* expected_targets() const { return expected_targets_; }
 144   bool is_lb_channel() const { return is_lb_channel_; }
 145   char* target_name_override() const { return target_name_override_; }
 146
 147  private:
 148   bool fake_check_target(const char* target, const char* set_str) const {
 149     GPR_ASSERT(target != nullptr);
 150     char** set = nullptr;
 151     size_t set_size = 0;
 152     gpr_string_split(set_str, ",", &set, &set_size);
 153     bool found = false;
 154     for (size_t i = 0; i < set_size; ++i) {
 155       if (set[i] != nullptr && strcmp(target, set[i]) == 0) found = true;
 156     }
 157     for (size_t i = 0; i < set_size; ++i) {
 158       gpr_free(set[i]);
 159     }
 160     gpr_free(set);
 161     return found;
 162   }
 163
 164   void fake_secure_name_check() const {
 165     if (expected_targets_ == nullptr) return;
 166     char** lbs_and_backends = nullptr;
 167     size_t lbs_and_backends_size = 0;
 168     bool success = false;
 169     gpr_string_split(expected_targets_, ";", &lbs_and_backends,
 170                      &lbs_and_backends_size);
 171     if (lbs_and_backends_size > 2 || lbs_and_backends_size == 0) {
 172       gpr_log(GPR_ERROR, "Invalid expected targets arg value: '%s'",
 173               expected_targets_);
 174       goto done;
 175     }
 176     if (is_lb_channel_) {
 177       if (lbs_and_backends_size != 2) {
 178         gpr_log(GPR_ERROR,
 179                 "Invalid expected targets arg value: '%s'. Expectations for LB "
 180                 "channels must be of the form 'be1,be2,be3,...;lb1,lb2,...",
 181                 expected_targets_);
 182         goto done;
 183       }
 184       if (!fake_check_target(target_, lbs_and_backends[1])) {
 185         gpr_log(GPR_ERROR, "LB target '%s' not found in expected set '%s'",
 186                 target_, lbs_and_backends[1]);
 187         goto done;
 188       }
 189       success = true;
 190     } else {
 191       if (!fake_check_target(target_, lbs_and_backends[0])) {
 192         gpr_log(GPR_ERROR, "Backend target '%s' not found in expected set '%s'",
 193                 target_, lbs_and_backends[0]);
 194         goto done;
 195       }
 196       success = true;
 197     }
 198   done:
 199     for (size_t i = 0; i < lbs_and_backends_size; ++i) {
 200       gpr_free(lbs_and_backends[i]);
 201     }
 202     gpr_free(lbs_and_backends);
 203     if (!success) abort();
 204   }
 205
 206   char* target_;
 207   char* expected_targets_;
 208   bool is_lb_channel_;
 209   char* target_name_override_;
 210 };
 211
 212 static void fake_check_peer(
 213     grpc_security_connector* /*sc*/, tsi_peer peer,
 214     grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
 215     grpc_closure* on_peer_checked) {
 216   const char* prop_name;
 217   grpc_error* error = GRPC_ERROR_NONE;
 218   *auth_context = nullptr;
 219   if (peer.property_count != 2) {
 220     error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
 221         "Fake peers should only have 2 properties.");
 222     goto end;
 223   }
 224   prop_name = peer.properties[0].name;
 225   if (prop_name == nullptr ||
 226       strcmp(prop_name, TSI_CERTIFICATE_TYPE_PEER_PROPERTY)) {
 227     error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
 228         absl::StrCat("Unexpected property in fake peer: ",
 229                      prop_name == nullptr ? "<EMPTY>" : prop_name)
 230             .c_str());
 231     goto end;
 232   }
 233   if (strncmp(peer.properties[0].value.data, TSI_FAKE_CERTIFICATE_TYPE,
 234               peer.properties[0].value.length)) {
 235     error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
 236         "Invalid value for cert type property.");
 237     goto end;
 238   }
 239   prop_name = peer.properties[1].name;
 240   if (prop_name == nullptr ||
 241       strcmp(prop_name, TSI_SECURITY_LEVEL_PEER_PROPERTY) != 0) {
 242     error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
 243         absl::StrCat("Unexpected property in fake peer: ",
 244                      prop_name == nullptr ? "<EMPTY>" : prop_name)
 245             .c_str());
 246     goto end;
 247   }
 248   if (strncmp(peer.properties[1].value.data, TSI_FAKE_SECURITY_LEVEL,
 249               peer.properties[1].value.length) != 0) {
 250     error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
 251         "Invalid value for security level property.");
 252     goto end;
 253   }
 254
 255   *auth_context = grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
 256   grpc_auth_context_add_cstring_property(
 257       auth_context->get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
 258       GRPC_FAKE_TRANSPORT_SECURITY_TYPE);
 259   grpc_auth_context_add_cstring_property(
 260       auth_context->get(), GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME,
 261       TSI_FAKE_SECURITY_LEVEL);
 262 end:
 263   grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
 264   tsi_peer_destruct(&peer);
 265 }
 266
 267 void grpc_fake_channel_security_connector::check_peer(
 268     tsi_peer peer, grpc_endpoint* /*ep*/,
 269     grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
 270     grpc_closure* on_peer_checked) {
 271   fake_check_peer(this, peer, auth_context, on_peer_checked);
 272   fake_secure_name_check();
 273 }
 274
 275 class grpc_fake_server_security_connector
 276     : public grpc_server_security_connector {
 277  public:
 278   grpc_fake_server_security_connector(
 279       grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
 280       : grpc_server_security_connector(GRPC_FAKE_SECURITY_URL_SCHEME,
 281                                        std::move(server_creds)) {}
 282   ~grpc_fake_server_security_connector() override = default;
 283
 284   void check_peer(tsi_peer peer, grpc_endpoint* /*ep*/,
 285                   grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
 286                   grpc_closure* on_peer_checked) override {
 287     fake_check_peer(this, peer, auth_context, on_peer_checked);
 288   }
 289
 290   void add_handshakers(const grpc_channel_args* args,
 291                        grpc_pollset_set* /*interested_parties*/,
 292                        grpc_core::HandshakeManager* handshake_mgr) override {
 293     handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(
 294         tsi_create_fake_handshaker(/*=is_client*/ false), this, args));
 295   }
 296
 297   int cmp(const grpc_security_connector* other) const override {
 298     return server_security_connector_cmp(
 299         static_cast<const grpc_server_security_connector*>(other));
 300   }
 301 };
 302 }  // namespace
 303
 304 grpc_core::RefCountedPtr<grpc_channel_security_connector>
 305 grpc_fake_channel_security_connector_create(
 306     grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
 307     grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
 308     const char* target, const grpc_channel_args* args) {
 309   return grpc_core::MakeRefCounted<grpc_fake_channel_security_connector>(
 310       std::move(channel_creds), std::move(request_metadata_creds), target,
 311       args);
 312 }
 313
 314 grpc_core::RefCountedPtr<grpc_server_security_connector>
 315 grpc_fake_server_security_connector_create(
 316     grpc_core::RefCountedPtr<grpc_server_credentials> server_creds) {
 317   return grpc_core::MakeRefCounted<grpc_fake_server_security_connector>(
 318       std::move(server_creds));
 319 }