Motion >> Repos - motion2.git/blob

   1 /*
   2  *
   3  * Copyright 2018 gRPC authors.
   4  *
   5  * Licensed under the Apache License, Version 2.0 (the "License");
   6  * you may not use this file except in compliance with the License.
   7  * You may obtain a copy of the License at
   8  *
   9  *     http://www.apache.org/licenses/LICENSE-2.0
  10  *
  11  * Unless required by applicable law or agreed to in writing, software
  12  * distributed under the License is distributed on an "AS IS" BASIS,
  13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14  * See the License for the specific language governing permissions and
  15  * limitations under the License.
  16  *
  17  */
  18
  19 #include <grpc/support/port_platform.h>
  20
  21 #include "src/core/lib/security/security_connector/tls/spiffe_security_connector.h"
  22
  23 #include <stdbool.h>
  24 #include <string.h>
  25
  26 #include <grpc/grpc.h>
  27 #include <grpc/support/alloc.h>
  28 #include <grpc/support/log.h>
  29 #include <grpc/support/string_util.h>
  30
  31 #include "src/core/lib/gpr/host_port.h"
  32 #include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
  33 #include "src/core/lib/security/credentials/tls/spiffe_credentials.h"
  34 #include "src/core/lib/security/security_connector/ssl_utils.h"
  35 #include "src/core/lib/security/transport/security_handshaker.h"
  36 #include "src/core/lib/slice/slice_internal.h"
  37 #include "src/core/lib/transport/transport.h"
  38 #include "src/core/tsi/ssl_transport_security.h"
  39 #include "src/core/tsi/transport_security.h"
  40
  41 namespace {
  42
  43 tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(
  44     const grpc_tls_key_materials_config::PemKeyCertPairList& cert_pair_list) {
  45   tsi_ssl_pem_key_cert_pair* tsi_pairs = nullptr;
  46   size_t num_key_cert_pairs = cert_pair_list.size();
  47   if (num_key_cert_pairs > 0) {
  48     GPR_ASSERT(cert_pair_list.data() != nullptr);
  49     tsi_pairs = static_cast<tsi_ssl_pem_key_cert_pair*>(
  50         gpr_zalloc(num_key_cert_pairs * sizeof(tsi_ssl_pem_key_cert_pair)));
  51   }
  52   for (size_t i = 0; i < num_key_cert_pairs; i++) {
  53     GPR_ASSERT(cert_pair_list[i].private_key() != nullptr);
  54     GPR_ASSERT(cert_pair_list[i].cert_chain() != nullptr);
  55     tsi_pairs[i].cert_chain = gpr_strdup(cert_pair_list[i].cert_chain());
  56     tsi_pairs[i].private_key = gpr_strdup(cert_pair_list[i].private_key());
  57   }
  58   return tsi_pairs;
  59 }
  60
  61 /** -- Util function to populate SPIFFE server/channel credentials. -- */
  62 grpc_core::RefCountedPtr<grpc_tls_key_materials_config>
  63 PopulateSpiffeCredentials(const grpc_tls_credentials_options& options) {
  64   GPR_ASSERT(options.credential_reload_config() != nullptr ||
  65              options.key_materials_config() != nullptr);
  66   grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config;
  67   /* Use credential reload config to fetch credentials. */
  68   if (options.credential_reload_config() != nullptr) {
  69     grpc_tls_credential_reload_arg* arg =
  70         grpc_core::New<grpc_tls_credential_reload_arg>();
  71     key_materials_config = grpc_tls_key_materials_config_create()->Ref();
  72     arg->key_materials_config = key_materials_config.get();
  73     int result = options.credential_reload_config()->Schedule(arg);
  74     if (result) {
  75       /* Do not support async credential reload. */
  76       gpr_log(GPR_ERROR, "Async credential reload is unsupported now.");
  77     } else {
  78       grpc_ssl_certificate_config_reload_status status = arg->status;
  79       if (status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
  80         gpr_log(GPR_DEBUG, "Credential does not change after reload.");
  81       } else if (status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL) {
  82         gpr_log(GPR_ERROR, "Credential reload failed with an error: %s",
  83                 arg->error_details);
  84       }
  85     }
  86     gpr_free((void*)arg->error_details);
  87     grpc_core::Delete(arg);
  88     /* Use existing key materials config. */
  89   } else {
  90     key_materials_config = options.key_materials_config()->Ref();
  91   }
  92   return key_materials_config;
  93 }
  94
  95 }  // namespace
  96
  97 SpiffeChannelSecurityConnector::SpiffeChannelSecurityConnector(
  98     grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
  99     grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
 100     const char* target_name, const char* overridden_target_name)
 101     : grpc_channel_security_connector(GRPC_SSL_URL_SCHEME,
 102                                       std::move(channel_creds),
 103                                       std::move(request_metadata_creds)),
 104       overridden_target_name_(overridden_target_name == nullptr
 105                                   ? nullptr
 106                                   : gpr_strdup(overridden_target_name)) {
 107   check_arg_ = ServerAuthorizationCheckArgCreate(this);
 108   char* port;
 109   gpr_split_host_port(target_name, &target_name_, &port);
 110   gpr_free(port);
 111 }
 112
 113 SpiffeChannelSecurityConnector::~SpiffeChannelSecurityConnector() {
 114   if (target_name_ != nullptr) {
 115     gpr_free(target_name_);
 116   }
 117   if (overridden_target_name_ != nullptr) {
 118     gpr_free(overridden_target_name_);
 119   }
 120   if (client_handshaker_factory_ != nullptr) {
 121     tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
 122   }
 123   ServerAuthorizationCheckArgDestroy(check_arg_);
 124 }
 125
 126 void SpiffeChannelSecurityConnector::add_handshakers(
 127     grpc_pollset_set* interested_parties,
 128     grpc_core::HandshakeManager* handshake_mgr) {
 129   // Instantiate TSI handshaker.
 130   tsi_handshaker* tsi_hs = nullptr;
 131   tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
 132       client_handshaker_factory_,
 133       overridden_target_name_ != nullptr ? overridden_target_name_
 134                                          : target_name_,
 135       &tsi_hs);
 136   if (result != TSI_OK) {
 137     gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
 138             tsi_result_to_string(result));
 139     return;
 140   }
 141   // Create handshakers.
 142   handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this));
 143 }
 144
 145 void SpiffeChannelSecurityConnector::check_peer(
 146     tsi_peer peer, grpc_endpoint* ep,
 147     grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
 148     grpc_closure* on_peer_checked) {
 149   const char* target_name = overridden_target_name_ != nullptr
 150                                 ? overridden_target_name_
 151                                 : target_name_;
 152   grpc_error* error = grpc_ssl_check_alpn(&peer);
 153   if (error != GRPC_ERROR_NONE) {
 154     GRPC_CLOSURE_SCHED(on_peer_checked, error);
 155     tsi_peer_destruct(&peer);
 156     return;
 157   }
 158   *auth_context = grpc_ssl_peer_to_auth_context(&peer);
 159   const SpiffeCredentials* creds =
 160       static_cast<const SpiffeCredentials*>(channel_creds());
 161   const grpc_tls_server_authorization_check_config* config =
 162       creds->options().server_authorization_check_config();
 163   /* If server authorization config is not null, use it to perform
 164    * server authorization check. */
 165   if (config != nullptr) {
 166     const tsi_peer_property* p =
 167         tsi_peer_get_property_by_name(&peer, TSI_X509_PEM_CERT_PROPERTY);
 168     if (p == nullptr) {
 169       error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
 170           "Cannot check peer: missing pem cert property.");
 171     } else {
 172       char* peer_pem = static_cast<char*>(gpr_malloc(p->value.length + 1));
 173       memcpy(peer_pem, p->value.data, p->value.length);
 174       peer_pem[p->value.length] = '\0';
 175       GPR_ASSERT(check_arg_ != nullptr);
 176       check_arg_->peer_cert = check_arg_->peer_cert == nullptr
 177                                   ? gpr_strdup(peer_pem)
 178                                   : check_arg_->peer_cert;
 179       check_arg_->target_name = check_arg_->target_name == nullptr
 180                                     ? gpr_strdup(target_name)
 181                                     : check_arg_->target_name;
 182       on_peer_checked_ = on_peer_checked;
 183       gpr_free(peer_pem);
 184       int callback_status = config->Schedule(check_arg_);
 185       /* Server authorization check is handled asynchronously. */
 186       if (callback_status) {
 187         tsi_peer_destruct(&peer);
 188         return;
 189       }
 190       /* Server authorization check is handled synchronously. */
 191       error = ProcessServerAuthorizationCheckResult(check_arg_);
 192     }
 193   }
 194   GRPC_CLOSURE_SCHED(on_peer_checked, error);
 195   tsi_peer_destruct(&peer);
 196 }
 197
 198 int SpiffeChannelSecurityConnector::cmp(
 199     const grpc_security_connector* other_sc) const {
 200   auto* other =
 201       reinterpret_cast<const SpiffeChannelSecurityConnector*>(other_sc);
 202   int c = channel_security_connector_cmp(other);
 203   if (c != 0) {
 204     return c;
 205   }
 206   return grpc_ssl_cmp_target_name(target_name_, other->target_name_,
 207                                   overridden_target_name_,
 208                                   other->overridden_target_name_);
 209 }
 210
 211 bool SpiffeChannelSecurityConnector::check_call_host(
 212     const char* host, grpc_auth_context* auth_context,
 213     grpc_closure* on_call_host_checked, grpc_error** error) {
 214   return grpc_ssl_check_call_host(host, target_name_, overridden_target_name_,
 215                                   auth_context, on_call_host_checked, error);
 216 }
 217
 218 void SpiffeChannelSecurityConnector::cancel_check_call_host(
 219     grpc_closure* on_call_host_checked, grpc_error* error) {
 220   GRPC_ERROR_UNREF(error);
 221 }
 222
 223 grpc_core::RefCountedPtr<grpc_channel_security_connector>
 224 SpiffeChannelSecurityConnector::CreateSpiffeChannelSecurityConnector(
 225     grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
 226     grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
 227     const char* target_name, const char* overridden_target_name,
 228     tsi_ssl_session_cache* ssl_session_cache) {
 229   if (channel_creds == nullptr) {
 230     gpr_log(GPR_ERROR,
 231             "channel_creds is nullptr in "
 232             "SpiffeChannelSecurityConnectorCreate()");
 233     return nullptr;
 234   }
 235   if (target_name == nullptr) {
 236     gpr_log(GPR_ERROR,
 237             "target_name is nullptr in "
 238             "SpiffeChannelSecurityConnectorCreate()");
 239     return nullptr;
 240   }
 241   grpc_core::RefCountedPtr<SpiffeChannelSecurityConnector> c =
 242       grpc_core::MakeRefCounted<SpiffeChannelSecurityConnector>(
 243           std::move(channel_creds), std::move(request_metadata_creds),
 244           target_name, overridden_target_name);
 245   if (c->InitializeHandshakerFactory(ssl_session_cache) != GRPC_SECURITY_OK) {
 246     return nullptr;
 247   }
 248   return c;
 249 }
 250
 251 grpc_security_status
 252 SpiffeChannelSecurityConnector::InitializeHandshakerFactory(
 253     tsi_ssl_session_cache* ssl_session_cache) {
 254   const SpiffeCredentials* creds =
 255       static_cast<const SpiffeCredentials*>(channel_creds());
 256   auto key_materials_config = PopulateSpiffeCredentials(creds->options());
 257   if (key_materials_config->pem_key_cert_pair_list().empty()) {
 258     key_materials_config->Unref();
 259     return GRPC_SECURITY_ERROR;
 260   }
 261   tsi_ssl_pem_key_cert_pair* pem_key_cert_pair = ConvertToTsiPemKeyCertPair(
 262       key_materials_config->pem_key_cert_pair_list());
 263   grpc_security_status status = grpc_ssl_tsi_client_handshaker_factory_init(
 264       pem_key_cert_pair, key_materials_config->pem_root_certs(),
 265       ssl_session_cache, &client_handshaker_factory_);
 266   // Free memory.
 267   key_materials_config->Unref();
 268   grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
 269   return status;
 270 }
 271
 272 void SpiffeChannelSecurityConnector::ServerAuthorizationCheckDone(
 273     grpc_tls_server_authorization_check_arg* arg) {
 274   GPR_ASSERT(arg != nullptr);
 275   grpc_core::ExecCtx exec_ctx;
 276   grpc_error* error = ProcessServerAuthorizationCheckResult(arg);
 277   SpiffeChannelSecurityConnector* connector =
 278       static_cast<SpiffeChannelSecurityConnector*>(arg->cb_user_data);
 279   GRPC_CLOSURE_SCHED(connector->on_peer_checked_, error);
 280 }
 281
 282 grpc_error*
 283 SpiffeChannelSecurityConnector::ProcessServerAuthorizationCheckResult(
 284     grpc_tls_server_authorization_check_arg* arg) {
 285   grpc_error* error = GRPC_ERROR_NONE;
 286   char* msg = nullptr;
 287   /* Server authorization check is cancelled by caller. */
 288   if (arg->status == GRPC_STATUS_CANCELLED) {
 289     gpr_asprintf(&msg,
 290                  "Server authorization check is cancelled by the caller with "
 291                  "error: %s",
 292                  arg->error_details);
 293     error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
 294   } else if (arg->status == GRPC_STATUS_OK) {
 295     /* Server authorization check completed successfully but returned check
 296      * failure. */
 297     if (!arg->success) {
 298       gpr_asprintf(&msg, "Server authorization check failed with error: %s",
 299                    arg->error_details);
 300       error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
 301     }
 302     /* Server authorization check did not complete correctly. */
 303   } else {
 304     gpr_asprintf(
 305         &msg,
 306         "Server authorization check did not finish correctly with error: %s",
 307         arg->error_details);
 308     error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
 309   }
 310   gpr_free(msg);
 311   return error;
 312 }
 313
 314 grpc_tls_server_authorization_check_arg*
 315 SpiffeChannelSecurityConnector::ServerAuthorizationCheckArgCreate(
 316     void* user_data) {
 317   grpc_tls_server_authorization_check_arg* arg =
 318       grpc_core::New<grpc_tls_server_authorization_check_arg>();
 319   arg->cb = ServerAuthorizationCheckDone;
 320   arg->cb_user_data = user_data;
 321   arg->status = GRPC_STATUS_OK;
 322   return arg;
 323 }
 324
 325 void SpiffeChannelSecurityConnector::ServerAuthorizationCheckArgDestroy(
 326     grpc_tls_server_authorization_check_arg* arg) {
 327   if (arg == nullptr) {
 328     return;
 329   }
 330   gpr_free((void*)arg->target_name);
 331   gpr_free((void*)arg->peer_cert);
 332   gpr_free((void*)arg->error_details);
 333   grpc_core::Delete(arg);
 334 }
 335
 336 SpiffeServerSecurityConnector::SpiffeServerSecurityConnector(
 337     grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
 338     : grpc_server_security_connector(GRPC_SSL_URL_SCHEME,
 339                                      std::move(server_creds)) {}
 340
 341 SpiffeServerSecurityConnector::~SpiffeServerSecurityConnector() {
 342   if (server_handshaker_factory_ != nullptr) {
 343     tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
 344   }
 345 }
 346
 347 void SpiffeServerSecurityConnector::add_handshakers(
 348     grpc_pollset_set* interested_parties,
 349     grpc_core::HandshakeManager* handshake_mgr) {
 350   /* Create a TLS SPIFFE TSI handshaker for server. */
 351   RefreshServerHandshakerFactory();
 352   tsi_handshaker* tsi_hs = nullptr;
 353   tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
 354       server_handshaker_factory_, &tsi_hs);
 355   if (result != TSI_OK) {
 356     gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
 357             tsi_result_to_string(result));
 358     return;
 359   }
 360   handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this));
 361 }
 362
 363 void SpiffeServerSecurityConnector::check_peer(
 364     tsi_peer peer, grpc_endpoint* ep,
 365     grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
 366     grpc_closure* on_peer_checked) {
 367   grpc_error* error = grpc_ssl_check_alpn(&peer);
 368   *auth_context = grpc_ssl_peer_to_auth_context(&peer);
 369   tsi_peer_destruct(&peer);
 370   GRPC_CLOSURE_SCHED(on_peer_checked, error);
 371 }
 372
 373 int SpiffeServerSecurityConnector::cmp(
 374     const grpc_security_connector* other) const {
 375   return server_security_connector_cmp(
 376       static_cast<const grpc_server_security_connector*>(other));
 377 }
 378
 379 grpc_core::RefCountedPtr<grpc_server_security_connector>
 380 SpiffeServerSecurityConnector::CreateSpiffeServerSecurityConnector(
 381     grpc_core::RefCountedPtr<grpc_server_credentials> server_creds) {
 382   if (server_creds == nullptr) {
 383     gpr_log(GPR_ERROR,
 384             "server_creds is nullptr in "
 385             "SpiffeServerSecurityConnectorCreate()");
 386     return nullptr;
 387   }
 388   grpc_core::RefCountedPtr<SpiffeServerSecurityConnector> c =
 389       grpc_core::MakeRefCounted<SpiffeServerSecurityConnector>(
 390           std::move(server_creds));
 391   if (c->RefreshServerHandshakerFactory() != GRPC_SECURITY_OK) {
 392     return nullptr;
 393   }
 394   return c;
 395 }
 396
 397 grpc_security_status
 398 SpiffeServerSecurityConnector::RefreshServerHandshakerFactory() {
 399   const SpiffeServerCredentials* creds =
 400       static_cast<const SpiffeServerCredentials*>(server_creds());
 401   auto key_materials_config = PopulateSpiffeCredentials(creds->options());
 402   /* Credential reload does NOT take effect and we need to keep using
 403    * the existing handshaker factory. */
 404   if (key_materials_config->pem_key_cert_pair_list().empty()) {
 405     key_materials_config->Unref();
 406     return GRPC_SECURITY_ERROR;
 407   }
 408   /* Credential reload takes effect and we need to free the existing
 409    * handshaker library. */
 410   if (server_handshaker_factory_) {
 411     tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
 412   }
 413   tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs = ConvertToTsiPemKeyCertPair(
 414       key_materials_config->pem_key_cert_pair_list());
 415   size_t num_key_cert_pairs =
 416       key_materials_config->pem_key_cert_pair_list().size();
 417   grpc_security_status status = grpc_ssl_tsi_server_handshaker_factory_init(
 418       pem_key_cert_pairs, num_key_cert_pairs,
 419       key_materials_config->pem_root_certs(),
 420       creds->options().cert_request_type(), &server_handshaker_factory_);
 421   // Free memory.
 422   key_materials_config->Unref();
 423   grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
 424                                           num_key_cert_pairs);
 425   return status;
 426 }