3 * Copyright 2018 gRPC authors.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
19 #ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_SPIFFE_SECURITY_CONNECTOR_H
20 #define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_SPIFFE_SECURITY_CONNECTOR_H
22 #include <grpc/support/port_platform.h>
24 #include "src/core/lib/gprpp/sync.h"
25 #include "src/core/lib/security/context/security_context.h"
26 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
28 #define GRPC_TLS_SPIFFE_TRANSPORT_SECURITY_TYPE "spiffe"
32 // Spiffe channel security connector.
33 class SpiffeChannelSecurityConnector final
34 : public grpc_channel_security_connector {
36 // static factory method to create a SPIFFE channel security connector.
37 static grpc_core::RefCountedPtr<grpc_channel_security_connector>
38 CreateSpiffeChannelSecurityConnector(
39 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
40 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
41 const char* target_name, const char* overridden_target_name,
42 tsi_ssl_session_cache* ssl_session_cache);
44 SpiffeChannelSecurityConnector(
45 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
46 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
47 const char* target_name, const char* overridden_target_name);
48 ~SpiffeChannelSecurityConnector() override;
50 void add_handshakers(grpc_pollset_set* interested_parties,
51 grpc_core::HandshakeManager* handshake_mgr) override;
53 void check_peer(tsi_peer peer, grpc_endpoint* ep,
54 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
55 grpc_closure* on_peer_checked) override;
57 int cmp(const grpc_security_connector* other_sc) const override;
59 bool check_call_host(grpc_core::StringView host,
60 grpc_auth_context* auth_context,
61 grpc_closure* on_call_host_checked,
62 grpc_error** error) override;
64 void cancel_check_call_host(grpc_closure* on_call_host_checked,
65 grpc_error* error) override;
68 // Initialize SSL TSI client handshaker factory.
69 grpc_security_status InitializeHandshakerFactory(
70 tsi_ssl_session_cache* ssl_session_cache);
72 // A util function to create a new client handshaker factory to replace
73 // the existing one if exists.
74 grpc_security_status ReplaceHandshakerFactory(
75 tsi_ssl_session_cache* ssl_session_cache);
77 // gRPC-provided callback executed by application, which servers to bring the
78 // control back to gRPC core.
79 static void ServerAuthorizationCheckDone(
80 grpc_tls_server_authorization_check_arg* arg);
82 // A util function to process server authorization check result.
83 static grpc_error* ProcessServerAuthorizationCheckResult(
84 grpc_tls_server_authorization_check_arg* arg);
86 // A util function to create a server authorization check arg instance.
87 static grpc_tls_server_authorization_check_arg*
88 ServerAuthorizationCheckArgCreate(void* user_data);
90 // A util function to destroy a server authorization check arg instance.
91 static void ServerAuthorizationCheckArgDestroy(
92 grpc_tls_server_authorization_check_arg* arg);
94 // A util function to refresh SSL TSI client handshaker factory with a valid
96 grpc_security_status RefreshHandshakerFactory();
99 grpc_closure* on_peer_checked_;
100 grpc_core::UniquePtr<char> target_name_;
101 grpc_core::UniquePtr<char> overridden_target_name_;
102 tsi_ssl_client_handshaker_factory* client_handshaker_factory_ = nullptr;
103 grpc_tls_server_authorization_check_arg* check_arg_;
104 grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_;
107 // Spiffe server security connector.
108 class SpiffeServerSecurityConnector final
109 : public grpc_server_security_connector {
111 // static factory method to create a SPIFFE server security connector.
112 static grpc_core::RefCountedPtr<grpc_server_security_connector>
113 CreateSpiffeServerSecurityConnector(
114 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds);
116 explicit SpiffeServerSecurityConnector(
117 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds);
118 ~SpiffeServerSecurityConnector() override;
120 void add_handshakers(grpc_pollset_set* interested_parties,
121 grpc_core::HandshakeManager* handshake_mgr) override;
123 void check_peer(tsi_peer peer, grpc_endpoint* ep,
124 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
125 grpc_closure* on_peer_checked) override;
127 int cmp(const grpc_security_connector* other) const override;
130 // Initialize SSL TSI server handshaker factory.
131 grpc_security_status InitializeHandshakerFactory();
133 // A util function to create a new server handshaker factory to replace the
134 // existing once if exists.
135 grpc_security_status ReplaceHandshakerFactory();
137 // A util function to refresh SSL TSI server handshaker factory with a valid
139 grpc_security_status RefreshHandshakerFactory();
141 grpc_core::Mutex mu_;
142 tsi_ssl_server_handshaker_factory* server_handshaker_factory_ = nullptr;
143 grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_;
146 // Exposed for testing only.
147 grpc_status_code TlsFetchKeyMaterials(
148 const grpc_core::RefCountedPtr<grpc_tls_key_materials_config>&
149 key_materials_config,
150 const grpc_tls_credentials_options& options,
151 grpc_ssl_certificate_config_reload_status* status);
153 } // namespace grpc_core
155 #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_SPIFFE_SECURITY_CONNECTOR_H \