src/core/lib/security/security_connector/tls/tls_security_connector.h

   1 /*
   2  *
   3  * Copyright 2018 gRPC authors.
   4  *
   5  * Licensed under the Apache License, Version 2.0 (the "License");
   6  * you may not use this file except in compliance with the License.
   7  * You may obtain a copy of the License at
   8  *
   9  *     http://www.apache.org/licenses/LICENSE-2.0
  10  *
  11  * Unless required by applicable law or agreed to in writing, software
  12  * distributed under the License is distributed on an "AS IS" BASIS,
  13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14  * See the License for the specific language governing permissions and
  15  * limitations under the License.
  16  *
  17  */
  18
  19 #ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H
  20 #define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H
  21
  22 #include <grpc/support/port_platform.h>
  23
  24 #include "src/core/lib/gprpp/sync.h"
  25 #include "src/core/lib/security/context/security_context.h"
  26 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
  27 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
  28
  29 #define GRPC_TLS_TRANSPORT_SECURITY_TYPE "tls"
  30
  31 namespace grpc_core {
  32
  33 // Channel security connector using TLS as transport security protocol.
  34 class TlsChannelSecurityConnector final
  35     : public grpc_channel_security_connector {
  36  public:
  37   // static factory method to create a TLS channel security connector.
  38   static grpc_core::RefCountedPtr<grpc_channel_security_connector>
  39   CreateTlsChannelSecurityConnector(
  40       grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
  41       grpc_core::RefCountedPtr<grpc_tls_credentials_options> options,
  42       grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
  43       const char* target_name, const char* overridden_target_name,
  44       tsi_ssl_session_cache* ssl_session_cache);
  45
  46   TlsChannelSecurityConnector(
  47       grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
  48       grpc_core::RefCountedPtr<grpc_tls_credentials_options> options,
  49       grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
  50       const char* target_name, const char* overridden_target_name,
  51       tsi_ssl_session_cache* ssl_session_cache);
  52
  53   ~TlsChannelSecurityConnector() override;
  54
  55   void add_handshakers(const grpc_channel_args* args,
  56                        grpc_pollset_set* interested_parties,
  57                        grpc_core::HandshakeManager* handshake_mgr) override;
  58
  59   void check_peer(tsi_peer peer, grpc_endpoint* ep,
  60                   grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
  61                   grpc_closure* on_peer_checked) override;
  62
  63   int cmp(const grpc_security_connector* other_sc) const override;
  64
  65   bool check_call_host(absl::string_view host, grpc_auth_context* auth_context,
  66                        grpc_closure* on_call_host_checked,
  67                        grpc_error** error) override;
  68
  69   void cancel_check_call_host(grpc_closure* on_call_host_checked,
  70                               grpc_error* error) override;
  71
  72   tsi_ssl_client_handshaker_factory* ClientHandshakerFactoryForTesting() {
  73     grpc_core::MutexLock lock(&mu_);
  74     return client_handshaker_factory_;
  75   };
  76
  77   const absl::optional<absl::string_view>& RootCertsForTesting() {
  78     grpc_core::MutexLock lock(&mu_);
  79     return pem_root_certs_;
  80   }
  81
  82   const absl::optional<grpc_core::PemKeyCertPairList>&
  83   KeyCertPairListForTesting() {
  84     grpc_core::MutexLock lock(&mu_);
  85     return pem_key_cert_pair_list_;
  86   }
  87
  88  private:
  89   // A watcher that watches certificate updates from
  90   // grpc_tls_certificate_distributor. It will never outlive
  91   // |security_connector_|.
  92   class TlsChannelCertificateWatcher : public grpc_tls_certificate_distributor::
  93                                            TlsCertificatesWatcherInterface {
  94    public:
  95     explicit TlsChannelCertificateWatcher(
  96         TlsChannelSecurityConnector* security_connector)
  97         : security_connector_(security_connector) {}
  98     void OnCertificatesChanged(
  99         absl::optional<absl::string_view> root_certs,
 100         absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) override;
 101     void OnError(grpc_error* root_cert_error,
 102                  grpc_error* identity_cert_error) override;
 103
 104    private:
 105     TlsChannelSecurityConnector* security_connector_ = nullptr;
 106   };
 107
 108   // Updates |client_handshaker_factory_| when the certificates that
 109   // |certificate_watcher_| is watching get updated.
 110   grpc_security_status UpdateHandshakerFactoryLocked();
 111
 112   // gRPC-provided callback executed by application, which servers to bring the
 113   // control back to gRPC core.
 114   static void ServerAuthorizationCheckDone(
 115       grpc_tls_server_authorization_check_arg* arg);
 116
 117   // A util function to process server authorization check result.
 118   static grpc_error* ProcessServerAuthorizationCheckResult(
 119       grpc_tls_server_authorization_check_arg* arg);
 120
 121   // A util function to create a server authorization check arg instance.
 122   static grpc_tls_server_authorization_check_arg*
 123   ServerAuthorizationCheckArgCreate(void* user_data);
 124
 125   // A util function to destroy a server authorization check arg instance.
 126   static void ServerAuthorizationCheckArgDestroy(
 127       grpc_tls_server_authorization_check_arg* arg);
 128
 129   grpc_core::Mutex mu_;
 130   grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
 131   grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
 132       certificate_watcher_ = nullptr;
 133   grpc_closure* on_peer_checked_ = nullptr;
 134   std::string target_name_;
 135   std::string overridden_target_name_;
 136   tsi_ssl_client_handshaker_factory* client_handshaker_factory_ = nullptr;
 137   grpc_tls_server_authorization_check_arg* check_arg_ = nullptr;
 138   tsi_ssl_session_cache* ssl_session_cache_ = nullptr;
 139   absl::optional<absl::string_view> pem_root_certs_;
 140   absl::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pair_list_;
 141 };
 142
 143 // Server security connector using TLS as transport security protocol.
 144 class TlsServerSecurityConnector final : public grpc_server_security_connector {
 145  public:
 146   // static factory method to create a TLS server security connector.
 147   static grpc_core::RefCountedPtr<grpc_server_security_connector>
 148   CreateTlsServerSecurityConnector(
 149       grpc_core::RefCountedPtr<grpc_server_credentials> server_creds,
 150       grpc_core::RefCountedPtr<grpc_tls_credentials_options> options);
 151
 152   TlsServerSecurityConnector(
 153       grpc_core::RefCountedPtr<grpc_server_credentials> server_creds,
 154       grpc_core::RefCountedPtr<grpc_tls_credentials_options> options);
 155   ~TlsServerSecurityConnector() override;
 156
 157   void add_handshakers(const grpc_channel_args* args,
 158                        grpc_pollset_set* interested_parties,
 159                        grpc_core::HandshakeManager* handshake_mgr) override;
 160
 161   void check_peer(tsi_peer peer, grpc_endpoint* ep,
 162                   grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
 163                   grpc_closure* on_peer_checked) override;
 164
 165   int cmp(const grpc_security_connector* other) const override;
 166
 167   tsi_ssl_server_handshaker_factory* ServerHandshakerFactoryForTesting() {
 168     grpc_core::MutexLock lock(&mu_);
 169     return server_handshaker_factory_;
 170   };
 171
 172   const absl::optional<absl::string_view>& RootCertsForTesting() {
 173     grpc_core::MutexLock lock(&mu_);
 174     return pem_root_certs_;
 175   }
 176
 177   const absl::optional<grpc_core::PemKeyCertPairList>&
 178   KeyCertPairListForTesting() {
 179     grpc_core::MutexLock lock(&mu_);
 180     return pem_key_cert_pair_list_;
 181   }
 182
 183  private:
 184   // A watcher that watches certificate updates from
 185   // grpc_tls_certificate_distributor. It will never outlive
 186   // |security_connector_|.
 187   class TlsServerCertificateWatcher : public grpc_tls_certificate_distributor::
 188                                           TlsCertificatesWatcherInterface {
 189    public:
 190     explicit TlsServerCertificateWatcher(
 191         TlsServerSecurityConnector* security_connector)
 192         : security_connector_(security_connector) {}
 193     void OnCertificatesChanged(
 194         absl::optional<absl::string_view> root_certs,
 195         absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) override;
 196     void OnError(grpc_error* root_cert_error,
 197                  grpc_error* identity_cert_error) override;
 198
 199    private:
 200     TlsServerSecurityConnector* security_connector_ = nullptr;
 201   };
 202
 203   // Updates |server_handshaker_factory_| when the certificates that
 204   // |certificate_watcher_| is watching get updated.
 205   grpc_security_status UpdateHandshakerFactoryLocked();
 206
 207   grpc_core::Mutex mu_;
 208   grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
 209   grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
 210       certificate_watcher_ = nullptr;
 211
 212   tsi_ssl_server_handshaker_factory* server_handshaker_factory_ = nullptr;
 213   absl::optional<absl::string_view> pem_root_certs_;
 214   absl::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pair_list_;
 215 };
 216
 217 // ---- Functions below are exposed for testing only -----------------------
 218 namespace internal {
 219
 220 // TlsCheckHostName checks if |peer_name| matches the identity information
 221 // contained in |peer|. This is AKA hostname check.
 222 grpc_error* TlsCheckHostName(const char* peer_name, const tsi_peer* peer);
 223
 224 }  // namespace internal
 225
 226 }  // namespace grpc_core
 227
 228 #endif  // GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H