Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1 | /* |
| 2 | * |
Craig Tiller | 6169d5f | 2016-03-31 07:46:18 -0700 | [diff] [blame] | 3 | * Copyright 2015, Google Inc. |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 4 | * All rights reserved. |
| 5 | * |
| 6 | * Redistribution and use in source and binary forms, with or without |
| 7 | * modification, are permitted provided that the following conditions are |
| 8 | * met: |
| 9 | * |
| 10 | * * Redistributions of source code must retain the above copyright |
| 11 | * notice, this list of conditions and the following disclaimer. |
| 12 | * * Redistributions in binary form must reproduce the above |
| 13 | * copyright notice, this list of conditions and the following disclaimer |
| 14 | * in the documentation and/or other materials provided with the |
| 15 | * distribution. |
| 16 | * * Neither the name of Google Inc. nor the names of its |
| 17 | * contributors may be used to endorse or promote products derived from |
| 18 | * this software without specific prior written permission. |
| 19 | * |
| 20 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
| 21 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
| 22 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
| 23 | * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
| 24 | * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 25 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
| 26 | * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
| 27 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
| 28 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 29 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| 30 | * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 31 | * |
| 32 | */ |
| 33 | |
Julien Boeuf | 8ca294e | 2016-05-02 14:56:30 -0700 | [diff] [blame] | 34 | #include "src/core/lib/security/transport/auth_filters.h" |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 35 | |
| 36 | #include <string.h> |
| 37 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 38 | #include <grpc/support/alloc.h> |
| 39 | #include <grpc/support/log.h> |
Masood Malekghassemi | 701af60 | 2015-06-03 15:01:17 -0700 | [diff] [blame] | 40 | #include <grpc/support/string_util.h> |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 41 | |
Craig Tiller | 9533d04 | 2016-03-25 17:11:06 -0700 | [diff] [blame] | 42 | #include "src/core/lib/channel/channel_stack.h" |
Julien Boeuf | 8ca294e | 2016-05-02 14:56:30 -0700 | [diff] [blame] | 43 | #include "src/core/lib/security/context/security_context.h" |
| 44 | #include "src/core/lib/security/credentials/credentials.h" |
| 45 | #include "src/core/lib/security/transport/security_connector.h" |
Craig Tiller | 9533d04 | 2016-03-25 17:11:06 -0700 | [diff] [blame] | 46 | #include "src/core/lib/support/string.h" |
| 47 | #include "src/core/lib/surface/call.h" |
| 48 | #include "src/core/lib/transport/static_metadata.h" |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 49 | |
/* Upper bound on the number of metadata elements a credentials object may
   hand back in on_credentials_metadata; sizes call_data.md_links. */
#define MAX_CREDENTIALS_METADATA_COUNT 4

/* We can have a per-call credentials. */
typedef struct {
  /* Credentials used for this call: the channel's request_metadata_creds,
     the per-call creds from the security context, or a composite of both
     (chosen in send_security_metadata). Released in destroy_call_elem. */
  grpc_call_credentials *creds;
  /* :authority value captured from send_initial_metadata (reference held). */
  grpc_mdstr *host;
  /* :path value captured from send_initial_metadata (reference held). */
  grpc_mdstr *method;
  /* pollset{_set} bound to this call; if we need to make external
     network requests, they should be done under a pollset added to this
     pollset_set so that work can progress when this call wants work to progress
     */
  grpc_polling_entity *pollent;
  /* Copy of the caller's op, kept alive across the asynchronous host check
     and credentials fetch (the caller's op lives on its stack). */
  grpc_transport_stream_op op;
  /* Set once the security context has been attached to the op's context
     slot, so that it happens only for the first non-cancelled op. */
  uint8_t security_context_set;
  /* Storage for the metadata elements produced by the credentials; the
     count is checked against MAX_CREDENTIALS_METADATA_COUNT before use. */
  grpc_linked_mdelem md_links[MAX_CREDENTIALS_METADATA_COUNT];
  /* service_url / method_name / channel_auth_context handed to the
     credentials; filled by build_auth_metadata_context and released by
     reset_auth_metadata_context. */
  grpc_auth_metadata_context auth_md_context;
} call_data;

/* We can have a per-channel credentials. */
typedef struct {
  /* Reference taken in init_channel_elem from the channel args. */
  grpc_channel_security_connector *security_connector;
  /* Reference taken in init_channel_elem from the channel args. */
  grpc_auth_context *auth_context;
} channel_data;
| 73 | |
/* Releases everything owned by |auth_md_context| and leaves it empty:
   service_url and method_name are freed and cleared, the reference on the
   channel auth context is dropped and the pointer cleared. The file relies on
   this being callable on a zeroed context (destroy_call_elem resets a context
   that may never have been built). */
static void reset_auth_metadata_context(
    grpc_auth_metadata_context *auth_md_context) {
  char *url = (char *)auth_md_context->service_url;
  char *method = (char *)auth_md_context->method_name;
  if (url != NULL) {
    gpr_free(url);
  }
  if (method != NULL) {
    gpr_free(method);
  }
  auth_md_context->service_url = NULL;
  auth_md_context->method_name = NULL;
  GRPC_AUTH_CONTEXT_UNREF(
      (grpc_auth_context *)auth_md_context->channel_auth_context,
      "grpc_auth_metadata_context");
  auth_md_context->channel_auth_context = NULL;
}
| 89 | |
/* Fails the call: logs |error_msg|, attaches a close with |status| and the
   message to the op saved in calld->op, and forwards that op down the stack.
   Requires calld->op to already hold the caller's op. |error_msg| is passed
   through "%s", never used as a format string. */
static void bubble_up_error(grpc_exec_ctx *exec_ctx, grpc_call_element *elem,
                            grpc_status_code status, const char *error_msg) {
  call_data *calld = elem->call_data;
  grpc_transport_stream_op *saved_op = &calld->op;
  gpr_slice msg_slice;
  gpr_log(GPR_ERROR, "Client side authentication failure: %s", error_msg);
  msg_slice = gpr_slice_from_copied_string(error_msg);
  grpc_transport_stream_op_add_close(saved_op, status, &msg_slice);
  grpc_call_next_op(exec_ctx, elem, saved_op);
}
| 98 | |
/* Completion callback for grpc_call_credentials_get_request_metadata.
   On success the |num_md| key/value pairs are appended to the saved op's
   send_initial_metadata and the op is forwarded down the stack; on failure
   the call is closed with UNAUTHENTICATED, using |error_details| when it is
   non-empty. The auth metadata context built for the request is released
   first in both cases. |num_md| must not exceed MAX_CREDENTIALS_METADATA_COUNT,
   the capacity of calld->md_links. */
static void on_credentials_metadata(grpc_exec_ctx *exec_ctx, void *user_data,
                                    grpc_credentials_md *md_elems,
                                    size_t num_md,
                                    grpc_credentials_status status,
                                    const char *error_details) {
  grpc_call_element *elem = user_data;
  call_data *calld = elem->call_data;
  grpc_transport_stream_op *saved_op = &calld->op;
  grpc_metadata_batch *initial_md;
  size_t idx;
  reset_auth_metadata_context(&calld->auth_md_context);
  if (status != GRPC_CREDENTIALS_OK) {
    const char *reason = "Credentials failed to get metadata.";
    if (error_details != NULL && error_details[0] != '\0') {
      reason = error_details;
    }
    bubble_up_error(exec_ctx, elem, GRPC_STATUS_UNAUTHENTICATED, reason);
    return;
  }
  /* md_links is a fixed-size array: never write past it. */
  GPR_ASSERT(num_md <= MAX_CREDENTIALS_METADATA_COUNT);
  initial_md = saved_op->send_initial_metadata;
  GPR_ASSERT(initial_md != NULL);
  for (idx = 0; idx < num_md; idx++) {
    grpc_mdelem *md = grpc_mdelem_from_slices(
        gpr_slice_ref(md_elems[idx].key), gpr_slice_ref(md_elems[idx].value));
    grpc_metadata_batch_add_tail(initial_md, &calld->md_links[idx], md);
  }
  grpc_call_next_op(exec_ctx, elem, saved_op);
}
| 128 | |
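/* Fills calld->auth_md_context from the call's :path and :authority and the
   channel's auth context, for grpc_call_credentials_get_request_metadata:
     service_url  = "<scheme>://<host><service>", where <service> is the :path
                    up to (not including) its last '/', "" when :path has no
                    '/' at all, or "/" when the only '/' is the leading one;
     method_name  = the part of :path after the last '/', or "" when there is
                    none;
     channel_auth_context = a new reference to |auth_context|.
   Any previous contents of calld->auth_md_context are released first.
   auth_start_transport_op only guarantees calld->host is set before this
   runs; a missing :path (calld->method == NULL) is treated like an empty
   path instead of being dereferenced.
   Not static, but it takes the file-local call_data type, so nothing outside
   this file can call it meaningfully. */
void build_auth_metadata_context(grpc_security_connector *sc,
                                 grpc_auth_context *auth_context,
                                 call_data *calld) {
  const char *path =
      calld->method != NULL ? grpc_mdstr_as_c_string(calld->method) : "";
  char *service = gpr_strdup(path);
  char *last_slash = strrchr(service, '/');
  char *method_name = NULL;
  char *service_url = NULL;
  reset_auth_metadata_context(&calld->auth_md_context);
  if (last_slash == NULL) {
    gpr_log(GPR_ERROR, "No '/' found in fully qualified method name");
    service[0] = '\0';
  } else if (last_slash == service) {
    /* No service part in fully qualified method name: will just be "/". */
    service[1] = '\0';
  } else {
    /* Split "<service>/<method>" in place. */
    *last_slash = '\0';
    method_name = gpr_strdup(last_slash + 1);
  }
  if (method_name == NULL) method_name = gpr_strdup("");
  gpr_asprintf(&service_url, "%s://%s%s",
               sc->url_scheme == NULL ? "" : sc->url_scheme,
               grpc_mdstr_as_c_string(calld->host), service);
  calld->auth_md_context.service_url = service_url;
  calld->auth_md_context.method_name = method_name;
  calld->auth_md_context.channel_auth_context =
      GRPC_AUTH_CONTEXT_REF(auth_context, "grpc_auth_metadata_context");
  gpr_free(service);
}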
| 157 | |
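/* Picks the credentials for this call and starts the asynchronous metadata
   fetch. The credentials are: the composite of the channel's
   request_metadata_creds and the per-call creds found in the op's security
   context when both are present, whichever one is present otherwise, or
   none — in which case the op is simply forwarded with no credentials
   attached. |op| is saved in calld->op (it lives on the caller's stack);
   on_credentials_metadata completes the call later. Incompatible channel and
   call credentials close the call with UNAUTHENTICATED. */
static void send_security_metadata(grpc_exec_ctx *exec_ctx,
                                   grpc_call_element *elem,
                                   grpc_transport_stream_op *op) {
  call_data *calld = elem->call_data;
  channel_data *chand = elem->channel_data;
  grpc_client_security_context *ctx =
      (grpc_client_security_context *)op->context[GRPC_CONTEXT_SECURITY].value;
  grpc_call_credentials *channel_call_creds =
      chand->security_connector->request_metadata_creds;
  int call_creds_has_md = (ctx != NULL) && (ctx->creds != NULL);

  if (channel_call_creds == NULL && !call_creds_has_md) {
    /* Skip sending metadata altogether. */
    grpc_call_next_op(exec_ctx, elem, op);
    return;
  }

  /* Copy op (originates from the caller's stack) before any path that can
     fail: bubble_up_error closes and forwards calld->op, so it must already
     hold the current op on the error path below. The only caller in this
     file passes &calld->op, which makes this a self-assignment today; doing
     it here keeps the function correct for any other caller. */
  calld->op = *op;

  if (channel_call_creds != NULL && call_creds_has_md) {
    calld->creds = grpc_composite_call_credentials_create(channel_call_creds,
                                                          ctx->creds, NULL);
    if (calld->creds == NULL) {
      bubble_up_error(exec_ctx, elem, GRPC_STATUS_UNAUTHENTICATED,
                      "Incompatible credentials set on channel and call.");
      return;
    }
  } else {
    calld->creds = grpc_call_credentials_ref(
        call_creds_has_md ? ctx->creds : channel_call_creds);
  }

  build_auth_metadata_context(&chand->security_connector->base,
                              chand->auth_context, calld);
  /* The credentials may need to do network I/O; the call must be bound to a
     polling entity first (see set_pollset_or_pollset_set). */
  GPR_ASSERT(calld->pollent != NULL);
  grpc_call_credentials_get_request_metadata(
      exec_ctx, calld->creds, calld->pollent, calld->auth_md_context,
      on_credentials_metadata, elem);
}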
| 196 | |
/* Completion callback for grpc_channel_security_connector_check_call_host.
   An accepted host continues with send_security_metadata on the op saved in
   calld->op; a rejected host closes the call with UNAUTHENTICATED, naming the
   offending :authority value in the error message. */
static void on_host_checked(grpc_exec_ctx *exec_ctx, void *user_data,
                            grpc_security_status status) {
  grpc_call_element *elem = user_data;
  call_data *calld = elem->call_data;
  char *error_msg = NULL;

  if (status != GRPC_SECURITY_OK) {
    gpr_asprintf(&error_msg, "Invalid host %s set in :authority metadata.",
                 grpc_mdstr_as_c_string(calld->host));
    bubble_up_error(exec_ctx, elem, GRPC_STATUS_UNAUTHENTICATED, error_msg);
    gpr_free(error_msg);
    return;
  }
  send_security_metadata(exec_ctx, elem, &calld->op);
}
| 212 | |
/* Called either:
   - in response to an API call (or similar) from above, to send something
   - a network event (or similar) from below, to receive something
   op contains type and call direction information, in addition to the data
   that is being sent or received.

   For this filter the interesting op is the one carrying send_initial_metadata:
   the call's :authority and :path are captured from it, the host is checked
   against the channel's security connector (asynchronously, via
   on_host_checked, which then attaches the credentials' metadata), and only
   afterwards is the op forwarded. Every other op goes straight down the
   stack. */
static void auth_start_transport_op(grpc_exec_ctx *exec_ctx,
                                    grpc_call_element *elem,
                                    grpc_transport_stream_op *op) {
  /* grab pointers to our data from the call element */
  call_data *calld = elem->call_data;
  channel_data *chand = elem->channel_data;
  grpc_linked_mdelem *l;
  grpc_client_security_context *sec_ctx = NULL;

  /* First non-cancelled op: make sure the op's security context slot holds a
     client security context and that it carries the channel's auth context.
     A cancellation op is not used to set this up. */
  if (calld->security_context_set == 0 && op->cancel_error == GRPC_ERROR_NONE) {
    calld->security_context_set = 1;
    GPR_ASSERT(op->context);
    if (op->context[GRPC_CONTEXT_SECURITY].value == NULL) {
      op->context[GRPC_CONTEXT_SECURITY].value =
          grpc_client_security_context_create();
      op->context[GRPC_CONTEXT_SECURITY].destroy =
          grpc_client_security_context_destroy;
    }
    sec_ctx = op->context[GRPC_CONTEXT_SECURITY].value;
    /* Replace whatever auth context the slot already held: unref, then ref. */
    GRPC_AUTH_CONTEXT_UNREF(sec_ctx->auth_context, "client auth filter");
    sec_ctx->auth_context =
        GRPC_AUTH_CONTEXT_REF(chand->auth_context, "client_auth_filter");
  }

  if (op->send_initial_metadata != NULL) {
    /* Capture :authority and :path; a later occurrence replaces an earlier one
       (the old reference is released first). */
    for (l = op->send_initial_metadata->list.head; l != NULL; l = l->next) {
      grpc_mdelem *md = l->md;
      /* Pointer comparison is OK for md_elems created from the same context. */
      if (md->key == GRPC_MDSTR_AUTHORITY) {
        if (calld->host != NULL) GRPC_MDSTR_UNREF(calld->host);
        calld->host = GRPC_MDSTR_REF(md->value);
      } else if (md->key == GRPC_MDSTR_PATH) {
        if (calld->method != NULL) GRPC_MDSTR_UNREF(calld->method);
        calld->method = GRPC_MDSTR_REF(md->value);
      }
    }
    /* NOTE(review): only the presence of :authority gates the host check and
       the credentials path; initial metadata without :authority is forwarded
       below with no call credentials attached. calld->method stays NULL when
       :path is absent, and build_auth_metadata_context (reached through
       on_host_checked) reads it. */
    if (calld->host != NULL) {
      const char *call_host = grpc_mdstr_as_c_string(calld->host);
      calld->op = *op; /* Copy op (originates from the caller's stack). */
      grpc_channel_security_connector_check_call_host(
          exec_ctx, chand->security_connector, call_host, chand->auth_context,
          on_host_checked, elem);
      return; /* early exit: on_host_checked forwards calld->op later */
    }
  }

  /* pass control down the stack */
  grpc_call_next_op(exec_ctx, elem, op);
}
| 268 | |
/* Constructor for call_data: starts every field at zero/NULL (no creds, no
   host/method, no pollent, empty auth_md_context). Never fails. */
static grpc_error *init_call_elem(grpc_exec_ctx *exec_ctx,
                                  grpc_call_element *elem,
                                  grpc_call_element_args *args) {
  memset(elem->call_data, 0, sizeof(call_data));
  return GRPC_ERROR_NONE;
}
| 277 | |
/* Records the polling entity the call is bound to; send_security_metadata
   asserts it is set before fetching credentials metadata. */
static void set_pollset_or_pollset_set(grpc_exec_ctx *exec_ctx,
                                       grpc_call_element *elem,
                                       grpc_polling_entity *pollent) {
  ((call_data *)elem->call_data)->pollent = pollent;
}
| 284 | |
/* Destructor for call_data: drops the credentials reference, the :authority
   and :path strings, and whatever auth_md_context still holds. */
static void destroy_call_elem(grpc_exec_ctx *exec_ctx, grpc_call_element *elem,
                              const grpc_call_final_info *final_info,
                              void *ignored) {
  call_data *calld = elem->call_data;
  grpc_mdstr *host = calld->host;
  grpc_mdstr *method = calld->method;
  grpc_call_credentials_unref(calld->creds);
  if (host != NULL) GRPC_MDSTR_UNREF(host);
  if (method != NULL) GRPC_MDSTR_UNREF(method);
  reset_auth_metadata_context(&calld->auth_md_context);
}
| 299 | |
/* Constructor for channel_data: takes references on the security connector
   and the auth context found in the channel args. Both must be present, and
   this filter must not be the last one in the stack. */
static void init_channel_elem(grpc_exec_ctx *exec_ctx,
                              grpc_channel_element *elem,
                              grpc_channel_element_args *args) {
  /* grab pointers to our data from the channel element */
  channel_data *chand = elem->channel_data;
  grpc_security_connector *sc =
      grpc_find_security_connector_in_args(args->channel_args);
  grpc_auth_context *auth_context =
      grpc_find_auth_context_in_args(args->channel_args);

  /* The first and the last filters tend to be implemented differently to
     handle the case that there's no 'next' filter to call on the up or down
     path */
  GPR_ASSERT(!args->is_last);
  GPR_ASSERT(sc != NULL);
  GPR_ASSERT(auth_context != NULL);

  /* initialize members */
  chand->auth_context =
      GRPC_AUTH_CONTEXT_REF(auth_context, "client_auth_filter");
  chand->security_connector =
      (grpc_channel_security_connector *)GRPC_SECURITY_CONNECTOR_REF(
          sc, "client_auth_filter");
}
| 326 | |
/* Destructor for channel data: releases the references taken in
   init_channel_elem. */
static void destroy_channel_elem(grpc_exec_ctx *exec_ctx,
                                 grpc_channel_element *elem) {
  /* grab pointers to our data from the channel element */
  channel_data *chand = elem->channel_data;
  if (chand->security_connector != NULL) {
    GRPC_SECURITY_CONNECTOR_UNREF(&chand->security_connector->base,
                                  "client_auth_filter");
  }
  GRPC_AUTH_CONTEXT_UNREF(chand->auth_context, "client_auth_filter");
}
| 338 | |
/* The client-side auth filter. The initializer is positional and follows
   grpc_channel_filter's layout: call-op entry point, channel-op entry point,
   call data size / constructor / pollset binding / destructor, channel data
   size / constructor / destructor, get_peer, and the filter name. */
const grpc_channel_filter grpc_client_auth_filter = {auth_start_transport_op,
                                                     grpc_channel_next_op,
                                                     sizeof(call_data),
                                                     init_call_elem,
                                                     set_pollset_or_pollset_set,
                                                     destroy_call_elem,
                                                     sizeof(channel_data),
                                                     init_channel_elem,
                                                     destroy_channel_elem,
                                                     grpc_call_next_get_peer,
                                                     "client-auth"};