legacy-libs/grpc-cloned/deps/grpc/src/core/lib/security/security_connector/fake/fake_security_connector.cc

   1 /*
   2  *
   3  * Copyright 2018 gRPC authors.
   4  *
   5  * Licensed under the Apache License, Version 2.0 (the "License");
   6  * you may not use this file except in compliance with the License.
   7  * You may obtain a copy of the License at
   8  *
   9  *     http://www.apache.org/licenses/LICENSE-2.0
  10  *
  11  * Unless required by applicable law or agreed to in writing, software
  12  * distributed under the License is distributed on an "AS IS" BASIS,
  13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14  * See the License for the specific language governing permissions and
  15  * limitations under the License.
  16  *
  17  */
  18
  19 #include <grpc/support/port_platform.h>
  20
  21 #include "src/core/lib/security/security_connector/fake/fake_security_connector.h"
  22
  23 #include <stdbool.h>
  24
  25 #include <grpc/support/alloc.h>
  26 #include <grpc/support/log.h>
  27 #include <grpc/support/string_util.h>
  28
  29 #include "src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h"
  30 #include "src/core/ext/filters/client_channel/lb_policy/xds/xds.h"
  31 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
  32 #include "src/core/lib/channel/channel_args.h"
  33 #include "src/core/lib/channel/handshaker.h"
  34 #include "src/core/lib/gpr/string.h"
  35 #include "src/core/lib/gprpp/host_port.h"
  36 #include "src/core/lib/gprpp/ref_counted_ptr.h"
  37 #include "src/core/lib/security/context/security_context.h"
  38 #include "src/core/lib/security/credentials/credentials.h"
  39 #include "src/core/lib/security/credentials/fake/fake_credentials.h"
  40 #include "src/core/lib/security/transport/security_handshaker.h"
  41 #include "src/core/lib/security/transport/target_authority_table.h"
  42 #include "src/core/tsi/fake_transport_security.h"
  43
  44 namespace {
  45 class grpc_fake_channel_security_connector final
  46     : public grpc_channel_security_connector {
  47  public:
  48   grpc_fake_channel_security_connector(
  49       grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
  50       grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
  51       const char* target, const grpc_channel_args* args)
  52       : grpc_channel_security_connector(GRPC_FAKE_SECURITY_URL_SCHEME,
  53                                         std::move(channel_creds),
  54                                         std::move(request_metadata_creds)),
  55         target_(gpr_strdup(target)),
  56         expected_targets_(
  57             gpr_strdup(grpc_fake_transport_get_expected_targets(args))),
  58         is_lb_channel_(
  59             grpc_channel_args_find(
  60                 args, GRPC_ARG_ADDRESS_IS_XDS_LOAD_BALANCER) != nullptr ||
  61             grpc_channel_args_find(
  62                 args, GRPC_ARG_ADDRESS_IS_GRPCLB_LOAD_BALANCER) != nullptr) {
  63     const grpc_arg* target_name_override_arg =
  64         grpc_channel_args_find(args, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG);
  65     if (target_name_override_arg != nullptr) {
  66       target_name_override_ =
  67           gpr_strdup(grpc_channel_arg_get_string(target_name_override_arg));
  68     } else {
  69       target_name_override_ = nullptr;
  70     }
  71   }
  72
  73   ~grpc_fake_channel_security_connector() override {
  74     gpr_free(target_);
  75     gpr_free(expected_targets_);
  76     if (target_name_override_ != nullptr) gpr_free(target_name_override_);
  77   }
  78
  79   void check_peer(tsi_peer peer, grpc_endpoint* ep,
  80                   grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
  81                   grpc_closure* on_peer_checked) override;
  82
  83   int cmp(const grpc_security_connector* other_sc) const override {
  84     auto* other =
  85         reinterpret_cast<const grpc_fake_channel_security_connector*>(other_sc);
  86     int c = channel_security_connector_cmp(other);
  87     if (c != 0) return c;
  88     c = strcmp(target_, other->target_);
  89     if (c != 0) return c;
  90     if (expected_targets_ == nullptr || other->expected_targets_ == nullptr) {
  91       c = GPR_ICMP(expected_targets_, other->expected_targets_);
  92     } else {
  93       c = strcmp(expected_targets_, other->expected_targets_);
  94     }
  95     if (c != 0) return c;
  96     return GPR_ICMP(is_lb_channel_, other->is_lb_channel_);
  97   }
  98
  99   void add_handshakers(grpc_pollset_set* interested_parties,
 100                        grpc_core::HandshakeManager* handshake_mgr) override {
 101     handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(
 102         tsi_create_fake_handshaker(/*is_client=*/true), this));
 103   }
 104
 105   bool check_call_host(grpc_core::StringView host,
 106                        grpc_auth_context* auth_context,
 107                        grpc_closure* on_call_host_checked,
 108                        grpc_error** error) override {
 109     grpc_core::StringView authority_hostname;
 110     grpc_core::StringView authority_ignored_port;
 111     grpc_core::StringView target_hostname;
 112     grpc_core::StringView target_ignored_port;
 113     grpc_core::SplitHostPort(host, &authority_hostname,
 114                              &authority_ignored_port);
 115     grpc_core::SplitHostPort(target_, &target_hostname, &target_ignored_port);
 116     if (target_name_override_ != nullptr) {
 117       grpc_core::StringView fake_security_target_name_override_hostname;
 118       grpc_core::StringView fake_security_target_name_override_ignored_port;
 119       grpc_core::SplitHostPort(
 120           target_name_override_, &fake_security_target_name_override_hostname,
 121           &fake_security_target_name_override_ignored_port);
 122       if (authority_hostname != fake_security_target_name_override_hostname) {
 123         gpr_log(GPR_ERROR,
 124                 "Authority (host) '%s' != Fake Security Target override '%s'",
 125                 host.data(),
 126                 fake_security_target_name_override_hostname.data());
 127         abort();
 128       }
 129     } else if (authority_hostname != target_hostname) {
 130       gpr_log(GPR_ERROR, "Authority (host) '%s' != Target '%s'", host.data(),
 131               target_);
 132       abort();
 133     }
 134     return true;
 135   }
 136
 137   void cancel_check_call_host(grpc_closure* on_call_host_checked,
 138                               grpc_error* error) override {
 139     GRPC_ERROR_UNREF(error);
 140   }
 141
 142   char* target() const { return target_; }
 143   char* expected_targets() const { return expected_targets_; }
 144   bool is_lb_channel() const { return is_lb_channel_; }
 145   char* target_name_override() const { return target_name_override_; }
 146
 147  private:
 148   bool fake_check_target(const char* target_type, const char* target,
 149                          const char* set_str) const {
 150     GPR_ASSERT(target_type != nullptr);
 151     GPR_ASSERT(target != nullptr);
 152     char** set = nullptr;
 153     size_t set_size = 0;
 154     gpr_string_split(set_str, ",", &set, &set_size);
 155     bool found = false;
 156     for (size_t i = 0; i < set_size; ++i) {
 157       if (set[i] != nullptr && strcmp(target, set[i]) == 0) found = true;
 158     }
 159     for (size_t i = 0; i < set_size; ++i) {
 160       gpr_free(set[i]);
 161     }
 162     gpr_free(set);
 163     return found;
 164   }
 165
 166   void fake_secure_name_check() const {
 167     if (expected_targets_ == nullptr) return;
 168     char** lbs_and_backends = nullptr;
 169     size_t lbs_and_backends_size = 0;
 170     bool success = false;
 171     gpr_string_split(expected_targets_, ";", &lbs_and_backends,
 172                      &lbs_and_backends_size);
 173     if (lbs_and_backends_size > 2 || lbs_and_backends_size == 0) {
 174       gpr_log(GPR_ERROR, "Invalid expected targets arg value: '%s'",
 175               expected_targets_);
 176       goto done;
 177     }
 178     if (is_lb_channel_) {
 179       if (lbs_and_backends_size != 2) {
 180         gpr_log(GPR_ERROR,
 181                 "Invalid expected targets arg value: '%s'. Expectations for LB "
 182                 "channels must be of the form 'be1,be2,be3,...;lb1,lb2,...",
 183                 expected_targets_);
 184         goto done;
 185       }
 186       if (!fake_check_target("LB", target_, lbs_and_backends[1])) {
 187         gpr_log(GPR_ERROR, "LB target '%s' not found in expected set '%s'",
 188                 target_, lbs_and_backends[1]);
 189         goto done;
 190       }
 191       success = true;
 192     } else {
 193       if (!fake_check_target("Backend", target_, lbs_and_backends[0])) {
 194         gpr_log(GPR_ERROR, "Backend target '%s' not found in expected set '%s'",
 195                 target_, lbs_and_backends[0]);
 196         goto done;
 197       }
 198       success = true;
 199     }
 200   done:
 201     for (size_t i = 0; i < lbs_and_backends_size; ++i) {
 202       gpr_free(lbs_and_backends[i]);
 203     }
 204     gpr_free(lbs_and_backends);
 205     if (!success) abort();
 206   }
 207
 208   char* target_;
 209   char* expected_targets_;
 210   bool is_lb_channel_;
 211   char* target_name_override_;
 212 };
 213
 214 static void fake_check_peer(
 215     grpc_security_connector* sc, tsi_peer peer,
 216     grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
 217     grpc_closure* on_peer_checked) {
 218   const char* prop_name;
 219   grpc_error* error = GRPC_ERROR_NONE;
 220   *auth_context = nullptr;
 221   if (peer.property_count != 1) {
 222     error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
 223         "Fake peers should only have 1 property.");
 224     goto end;
 225   }
 226   prop_name = peer.properties[0].name;
 227   if (prop_name == nullptr ||
 228       strcmp(prop_name, TSI_CERTIFICATE_TYPE_PEER_PROPERTY)) {
 229     char* msg;
 230     gpr_asprintf(&msg, "Unexpected property in fake peer: %s.",
 231                  prop_name == nullptr ? "<EMPTY>" : prop_name);
 232     error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
 233     gpr_free(msg);
 234     goto end;
 235   }
 236   if (strncmp(peer.properties[0].value.data, TSI_FAKE_CERTIFICATE_TYPE,
 237               peer.properties[0].value.length)) {
 238     error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
 239         "Invalid value for cert type property.");
 240     goto end;
 241   }
 242   *auth_context = grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
 243   grpc_auth_context_add_cstring_property(
 244       auth_context->get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
 245       GRPC_FAKE_TRANSPORT_SECURITY_TYPE);
 246 end:
 247   GRPC_CLOSURE_SCHED(on_peer_checked, error);
 248   tsi_peer_destruct(&peer);
 249 }
 250
 251 void grpc_fake_channel_security_connector::check_peer(
 252     tsi_peer peer, grpc_endpoint* ep,
 253     grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
 254     grpc_closure* on_peer_checked) {
 255   fake_check_peer(this, peer, auth_context, on_peer_checked);
 256   fake_secure_name_check();
 257 }
 258
 259 class grpc_fake_server_security_connector
 260     : public grpc_server_security_connector {
 261  public:
 262   grpc_fake_server_security_connector(
 263       grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
 264       : grpc_server_security_connector(GRPC_FAKE_SECURITY_URL_SCHEME,
 265                                        std::move(server_creds)) {}
 266   ~grpc_fake_server_security_connector() override = default;
 267
 268   void check_peer(tsi_peer peer, grpc_endpoint* ep,
 269                   grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
 270                   grpc_closure* on_peer_checked) override {
 271     fake_check_peer(this, peer, auth_context, on_peer_checked);
 272   }
 273
 274   void add_handshakers(grpc_pollset_set* interested_parties,
 275                        grpc_core::HandshakeManager* handshake_mgr) override {
 276     handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(
 277         tsi_create_fake_handshaker(/*=is_client*/ false), this));
 278   }
 279
 280   int cmp(const grpc_security_connector* other) const override {
 281     return server_security_connector_cmp(
 282         static_cast<const grpc_server_security_connector*>(other));
 283   }
 284 };
 285 }  // namespace
 286
 287 grpc_core::RefCountedPtr<grpc_channel_security_connector>
 288 grpc_fake_channel_security_connector_create(
 289     grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
 290     grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
 291     const char* target, const grpc_channel_args* args) {
 292   return grpc_core::MakeRefCounted<grpc_fake_channel_security_connector>(
 293       std::move(channel_creds), std::move(request_metadata_creds), target,
 294       args);
 295 }
 296
 297 grpc_core::RefCountedPtr<grpc_server_security_connector>
 298 grpc_fake_server_security_connector_create(
 299     grpc_core::RefCountedPtr<grpc_server_credentials> server_creds) {
 300   return grpc_core::MakeRefCounted<grpc_fake_server_security_connector>(
 301       std::move(server_creds));
 302 }