Line data Source code
1 : /*
2 : *
3 : * Copyright 2015, Google Inc.
4 : * All rights reserved.
5 : *
6 : * Redistribution and use in source and binary forms, with or without
7 : * modification, are permitted provided that the following conditions are
8 : * met:
9 : *
10 : * * Redistributions of source code must retain the above copyright
11 : * notice, this list of conditions and the following disclaimer.
12 : * * Redistributions in binary form must reproduce the above
13 : * copyright notice, this list of conditions and the following disclaimer
14 : * in the documentation and/or other materials provided with the
15 : * distribution.
16 : * * Neither the name of Google Inc. nor the names of its
17 : * contributors may be used to endorse or promote products derived from
18 : * this software without specific prior written permission.
19 : *
20 : * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 : * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 : * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
23 : * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24 : * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25 : * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
26 : * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 : * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 : * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 : * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 : * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 : *
32 : */
33 :
34 : #include <string.h>
35 :
36 : #include "src/core/security/security_context.h"
37 : #include "src/core/surface/api_trace.h"
38 : #include "src/core/surface/call.h"
39 : #include "src/core/support/string.h"
40 :
41 : #include <grpc/grpc_security.h>
42 : #include <grpc/support/alloc.h>
43 : #include <grpc/support/log.h>
44 : #include <grpc/support/string_util.h>
45 :
46 : /* --- grpc_call --- */
47 :
48 58 : grpc_call_error grpc_call_set_credentials(grpc_call *call,
49 : grpc_credentials *creds) {
50 58 : grpc_client_security_context *ctx = NULL;
51 58 : GRPC_API_TRACE("grpc_call_set_credentials(call=%p, creds=%p)", 2,
52 : (call, creds));
53 58 : if (!grpc_call_is_client(call)) {
54 15 : gpr_log(GPR_ERROR, "Method is client-side only.");
55 15 : return GRPC_CALL_ERROR_NOT_ON_SERVER;
56 : }
57 43 : if (creds != NULL && !grpc_credentials_has_request_metadata_only(creds)) {
58 5 : gpr_log(GPR_ERROR, "Incompatible credentials to set on a call.");
59 5 : return GRPC_CALL_ERROR;
60 : }
61 38 : ctx = (grpc_client_security_context *)grpc_call_context_get(
62 : call, GRPC_CONTEXT_SECURITY);
63 38 : if (ctx == NULL) {
64 28 : ctx = grpc_client_security_context_create();
65 28 : ctx->creds = grpc_credentials_ref(creds);
66 28 : grpc_call_context_set(call, GRPC_CONTEXT_SECURITY, ctx,
67 : grpc_client_security_context_destroy);
68 : } else {
69 10 : grpc_credentials_unref(ctx->creds);
70 10 : ctx->creds = grpc_credentials_ref(creds);
71 : }
72 38 : return GRPC_CALL_OK;
73 : }
74 :
75 1298952 : grpc_auth_context *grpc_call_auth_context(grpc_call *call) {
76 1298952 : void *sec_ctx = grpc_call_context_get(call, GRPC_CONTEXT_SECURITY);
77 1299139 : GRPC_API_TRACE("grpc_call_auth_context(call=%p)", 1, (call));
78 1299139 : if (sec_ctx == NULL) return NULL;
79 534 : return grpc_call_is_client(call)
80 16 : ? GRPC_AUTH_CONTEXT_REF(
81 : ((grpc_client_security_context *)sec_ctx)->auth_context,
82 : "grpc_call_auth_context client")
83 283 : : GRPC_AUTH_CONTEXT_REF(
84 : ((grpc_server_security_context *)sec_ctx)->auth_context,
85 : "grpc_call_auth_context server");
86 : }
87 :
88 1299108 : void grpc_auth_context_release(grpc_auth_context *context) {
89 1299108 : GRPC_API_TRACE("grpc_auth_context_release(context=%p)", 1, (context));
90 1299108 : GRPC_AUTH_CONTEXT_UNREF(context, "grpc_auth_context_unref");
91 1299086 : }
92 :
93 : /* --- grpc_client_security_context --- */
94 :
95 871 : grpc_client_security_context *grpc_client_security_context_create(void) {
96 871 : grpc_client_security_context *ctx =
97 : gpr_malloc(sizeof(grpc_client_security_context));
98 871 : memset(ctx, 0, sizeof(grpc_client_security_context));
99 871 : return ctx;
100 : }
101 :
102 871 : void grpc_client_security_context_destroy(void *ctx) {
103 871 : grpc_client_security_context *c = (grpc_client_security_context *)ctx;
104 871 : grpc_credentials_unref(c->creds);
105 871 : GRPC_AUTH_CONTEXT_UNREF(c->auth_context, "client_security_context");
106 871 : gpr_free(ctx);
107 871 : }
108 :
109 : /* --- grpc_server_security_context --- */
110 :
111 869 : grpc_server_security_context *grpc_server_security_context_create(void) {
112 869 : grpc_server_security_context *ctx =
113 : gpr_malloc(sizeof(grpc_server_security_context));
114 869 : memset(ctx, 0, sizeof(grpc_server_security_context));
115 869 : return ctx;
116 : }
117 :
118 869 : void grpc_server_security_context_destroy(void *ctx) {
119 869 : grpc_server_security_context *c = (grpc_server_security_context *)ctx;
120 869 : GRPC_AUTH_CONTEXT_UNREF(c->auth_context, "server_security_context");
121 869 : gpr_free(ctx);
122 869 : }
123 :
124 : /* --- grpc_auth_context --- */
125 :
126 : static grpc_auth_property_iterator empty_iterator = {NULL, 0, NULL};
127 :
128 1760 : grpc_auth_context *grpc_auth_context_create(grpc_auth_context *chained) {
129 1760 : grpc_auth_context *ctx = gpr_malloc(sizeof(grpc_auth_context));
130 1760 : memset(ctx, 0, sizeof(grpc_auth_context));
131 1760 : gpr_ref_init(&ctx->refcount, 1);
132 1760 : if (chained != NULL) {
133 870 : ctx->chained = GRPC_AUTH_CONTEXT_REF(chained, "chained");
134 870 : ctx->peer_identity_property_name =
135 870 : ctx->chained->peer_identity_property_name;
136 : }
137 1760 : return ctx;
138 : }
139 :
140 : #ifdef GRPC_AUTH_CONTEXT_REFCOUNT_DEBUG
141 : grpc_auth_context *grpc_auth_context_ref(grpc_auth_context *ctx,
142 : const char *file, int line,
143 : const char *reason) {
144 : if (ctx == NULL) return NULL;
145 : gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG,
146 : "AUTH_CONTEXT:%p ref %d -> %d %s", ctx, (int)ctx->refcount.count,
147 : (int)ctx->refcount.count + 1, reason);
148 : #else
149 2888 : grpc_auth_context *grpc_auth_context_ref(grpc_auth_context *ctx) {
150 2888 : if (ctx == NULL) return NULL;
151 : #endif
152 2888 : gpr_ref(&ctx->refcount);
153 2888 : return ctx;
154 : }
155 :
156 : #ifdef GRPC_AUTH_CONTEXT_REFCOUNT_DEBUG
157 : void grpc_auth_context_unref(grpc_auth_context *ctx, const char *file, int line,
158 : const char *reason) {
159 : if (ctx == NULL) return;
160 : gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG,
161 : "AUTH_CONTEXT:%p unref %d -> %d %s", ctx, (int)ctx->refcount.count,
162 : (int)ctx->refcount.count - 1, reason);
163 : #else
164 1305602 : void grpc_auth_context_unref(grpc_auth_context *ctx) {
165 2611204 : if (ctx == NULL) return;
166 : #endif
167 4648 : if (gpr_unref(&ctx->refcount)) {
168 : size_t i;
169 1760 : GRPC_AUTH_CONTEXT_UNREF(ctx->chained, "chained");
170 1760 : if (ctx->properties.array != NULL) {
171 3482 : for (i = 0; i < ctx->properties.count; i++) {
172 2483 : grpc_auth_property_reset(&ctx->properties.array[i]);
173 : }
174 999 : gpr_free(ctx->properties.array);
175 : }
176 1760 : gpr_free(ctx);
177 : }
178 : }
179 :
180 7 : const char *grpc_auth_context_peer_identity_property_name(
181 : const grpc_auth_context *ctx) {
182 7 : GRPC_API_TRACE("grpc_auth_context_peer_identity_property_name(ctx=%p)", 1,
183 : (ctx));
184 7 : return ctx->peer_identity_property_name;
185 : }
186 :
187 485 : int grpc_auth_context_set_peer_identity_property_name(grpc_auth_context *ctx,
188 : const char *name) {
189 485 : grpc_auth_property_iterator it =
190 : grpc_auth_context_find_properties_by_name(ctx, name);
191 485 : const grpc_auth_property *prop = grpc_auth_property_iterator_next(&it);
192 485 : GRPC_API_TRACE(
193 : "grpc_auth_context_set_peer_identity_property_name(ctx=%p, name=%s)", 2,
194 : (ctx, name));
195 485 : if (prop == NULL) {
196 1 : gpr_log(GPR_ERROR, "Property name %s not found in auth context.",
197 : name != NULL ? name : "NULL");
198 1 : return 0;
199 : }
200 484 : ctx->peer_identity_property_name = prop->name;
201 484 : return 1;
202 : }
203 :
204 42 : int grpc_auth_context_peer_is_authenticated(const grpc_auth_context *ctx) {
205 42 : GRPC_API_TRACE("grpc_auth_context_peer_is_authenticated(ctx=%p)", 1, (ctx));
206 42 : return ctx->peer_identity_property_name == NULL ? 0 : 1;
207 : }
208 :
209 35 : grpc_auth_property_iterator grpc_auth_context_property_iterator(
210 : const grpc_auth_context *ctx) {
211 35 : grpc_auth_property_iterator it = empty_iterator;
212 35 : GRPC_API_TRACE("grpc_auth_context_property_iterator(ctx=%p)", 1, (ctx));
213 35 : if (ctx == NULL) return it;
214 35 : it.ctx = ctx;
215 35 : return it;
216 : }
217 :
218 777 : const grpc_auth_property *grpc_auth_property_iterator_next(
219 : grpc_auth_property_iterator *it) {
220 777 : GRPC_API_TRACE("grpc_auth_property_iterator_next(it=%p)", 1, (it));
221 777 : if (it == NULL || it->ctx == NULL) return NULL;
222 1546 : while (it->index == it->ctx->properties.count) {
223 103 : if (it->ctx->chained == NULL) return NULL;
224 26 : it->ctx = it->ctx->chained;
225 26 : it->index = 0;
226 : }
227 683 : if (it->name == NULL) {
228 95 : return &it->ctx->properties.array[it->index++];
229 : } else {
230 1996 : while (it->index < it->ctx->properties.count) {
231 1389 : const grpc_auth_property *prop = &it->ctx->properties.array[it->index++];
232 1389 : GPR_ASSERT(prop->name != NULL);
233 1389 : if (strcmp(it->name, prop->name) == 0) {
234 569 : return prop;
235 : }
236 : }
237 : /* We could not find the name, try another round. */
238 19 : return grpc_auth_property_iterator_next(it);
239 : }
240 : }
241 :
242 547 : grpc_auth_property_iterator grpc_auth_context_find_properties_by_name(
243 : const grpc_auth_context *ctx, const char *name) {
244 547 : grpc_auth_property_iterator it = empty_iterator;
245 547 : GRPC_API_TRACE("grpc_auth_context_find_properties_by_name(ctx=%p, name=%s)",
246 : 2, (ctx, name));
247 547 : if (ctx == NULL || name == NULL) return empty_iterator;
248 530 : it.ctx = ctx;
249 530 : it.name = name;
250 530 : return it;
251 : }
252 :
253 45 : grpc_auth_property_iterator grpc_auth_context_peer_identity(
254 : const grpc_auth_context *ctx) {
255 45 : GRPC_API_TRACE("grpc_auth_context_peer_identity(ctx=%p)", 1, (ctx));
256 45 : if (ctx == NULL) return empty_iterator;
257 45 : return grpc_auth_context_find_properties_by_name(
258 : ctx, ctx->peer_identity_property_name);
259 : }
260 :
261 2483 : static void ensure_auth_context_capacity(grpc_auth_context *ctx) {
262 2483 : if (ctx->properties.count == ctx->properties.capacity) {
263 999 : ctx->properties.capacity =
264 999 : GPR_MAX(ctx->properties.capacity + 8, ctx->properties.capacity * 2);
265 999 : ctx->properties.array =
266 999 : gpr_realloc(ctx->properties.array,
267 999 : ctx->properties.capacity * sizeof(grpc_auth_property));
268 : }
269 2483 : }
270 :
271 1479 : void grpc_auth_context_add_property(grpc_auth_context *ctx, const char *name,
272 : const char *value, size_t value_length) {
273 : grpc_auth_property *prop;
274 1479 : GRPC_API_TRACE(
275 : "grpc_auth_context_add_property(ctx=%p, name=%s, value=%*.*s, "
276 : "value_length=%lu)",
277 : 6, (ctx, name, (int)value_length, (int)value_length, value,
278 : (unsigned long)value_length));
279 1479 : ensure_auth_context_capacity(ctx);
280 1479 : prop = &ctx->properties.array[ctx->properties.count++];
281 1479 : prop->name = gpr_strdup(name);
282 1479 : prop->value = gpr_malloc(value_length + 1);
283 1479 : memcpy(prop->value, value, value_length);
284 1479 : prop->value[value_length] = '\0';
285 1479 : prop->value_length = value_length;
286 1479 : }
287 :
288 1004 : void grpc_auth_context_add_cstring_property(grpc_auth_context *ctx,
289 : const char *name,
290 : const char *value) {
291 : grpc_auth_property *prop;
292 1004 : GRPC_API_TRACE(
293 : "grpc_auth_context_add_cstring_property(ctx=%p, name=%s, value=%s)", 3,
294 : (ctx, name, value));
295 1004 : ensure_auth_context_capacity(ctx);
296 1004 : prop = &ctx->properties.array[ctx->properties.count++];
297 1004 : prop->name = gpr_strdup(name);
298 1004 : prop->value = gpr_strdup(value);
299 1004 : prop->value_length = strlen(value);
300 1004 : }
301 :
302 2483 : void grpc_auth_property_reset(grpc_auth_property *property) {
303 2483 : gpr_free(property->name);
304 2483 : gpr_free(property->value);
305 2483 : memset(property, 0, sizeof(grpc_auth_property));
306 2483 : }
307 :
308 440 : static void auth_context_pointer_arg_destroy(void *p) {
309 440 : GRPC_AUTH_CONTEXT_UNREF(p, "auth_context_pointer_arg");
310 440 : }
311 :
312 440 : static void *auth_context_pointer_arg_copy(void *p) {
313 440 : return GRPC_AUTH_CONTEXT_REF(p, "auth_context_pointer_arg");
314 : }
315 :
316 440 : grpc_arg grpc_auth_context_to_arg(grpc_auth_context *p) {
317 : grpc_arg arg;
318 440 : memset(&arg, 0, sizeof(grpc_arg));
319 440 : arg.type = GRPC_ARG_POINTER;
320 440 : arg.key = GRPC_AUTH_CONTEXT_ARG;
321 440 : arg.value.pointer.p = p;
322 440 : arg.value.pointer.copy = auth_context_pointer_arg_copy;
323 440 : arg.value.pointer.destroy = auth_context_pointer_arg_destroy;
324 440 : return arg;
325 : }
326 :
327 1005 : grpc_auth_context *grpc_auth_context_from_arg(
328 : const grpc_arg *arg) {
329 1005 : if (strcmp(arg->key, GRPC_AUTH_CONTEXT_ARG) != 0) return NULL;
330 440 : if (arg->type != GRPC_ARG_POINTER) {
331 0 : gpr_log(GPR_ERROR, "Invalid type %d for arg %s", arg->type,
332 : GRPC_AUTH_CONTEXT_ARG);
333 0 : return NULL;
334 : }
335 440 : return arg->value.pointer.p;
336 : }
337 :
338 440 : grpc_auth_context *grpc_find_auth_context_in_args(
339 : const grpc_channel_args *args) {
340 : size_t i;
341 440 : if (args == NULL) return NULL;
342 1005 : for (i = 0; i < args->num_args; i++) {
343 1005 : grpc_auth_context *p =
344 1005 : grpc_auth_context_from_arg(&args->args[i]);
345 1005 : if (p != NULL) return p;
346 : }
347 0 : return NULL;
348 : }
|