Add spiffe client-side credential reload

gracelicd · Aug 12, 2019 · ae86363 · ae86363
1 parent 5bf40ae
commit ae86363
Show file tree

Hide file tree

Showing 19 changed files with 722 additions and 60 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -641,6 +641,7 @@ add_dependencies(buildtests_cxx grpc_cli)
 add_dependencies(buildtests_cxx grpc_core_map_test)
 add_dependencies(buildtests_cxx grpc_fetch_oauth2)
 add_dependencies(buildtests_cxx grpc_linux_system_roots_test)
+add_dependencies(buildtests_cxx grpc_spiffe_security_connector_test)
 add_dependencies(buildtests_cxx grpc_tool_test)
 add_dependencies(buildtests_cxx grpclb_api_test)
 add_dependencies(buildtests_cxx grpclb_end2end_test)
@@ -14722,6 +14723,49 @@ endif()
 endif (gRPC_BUILD_CODEGEN)
 if (gRPC_BUILD_TESTS)
 
+add_executable(grpc_spiffe_security_connector_test
+  test/core/security/spiffe_security_connector_test.cc
+  third_party/googletest/googletest/src/gtest-all.cc
+  third_party/googletest/googlemock/src/gmock-all.cc
+)
+
+
+target_include_directories(grpc_spiffe_security_connector_test
+  PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}
+  PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
+  PRIVATE ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
+  PRIVATE ${_gRPC_BENCHMARK_INCLUDE_DIR}
+  PRIVATE ${_gRPC_CARES_INCLUDE_DIR}
+  PRIVATE ${_gRPC_GFLAGS_INCLUDE_DIR}
+  PRIVATE ${_gRPC_NANOPB_INCLUDE_DIR}
+  PRIVATE ${_gRPC_PROTOBUF_INCLUDE_DIR}
+  PRIVATE ${_gRPC_SSL_INCLUDE_DIR}
+  PRIVATE ${_gRPC_UPB_GENERATED_DIR}
+  PRIVATE ${_gRPC_UPB_GRPC_GENERATED_DIR}
+  PRIVATE ${_gRPC_UPB_INCLUDE_DIR}
+  PRIVATE ${_gRPC_ZLIB_INCLUDE_DIR}
+  PRIVATE third_party/googletest/googletest/include
+  PRIVATE third_party/googletest/googletest
+  PRIVATE third_party/googletest/googlemock/include
+  PRIVATE third_party/googletest/googlemock
+  PRIVATE ${_gRPC_PROTO_GENS_DIR}
+)
+
+target_link_libraries(grpc_spiffe_security_connector_test
+  ${_gRPC_PROTOBUF_LIBRARIES}
+  ${_gRPC_ALLTARGETS_LIBRARIES}
+  grpc_test_util
+  grpc++_test_util
+  grpc++
+  grpc
+  gpr
+  ${_gRPC_GFLAGS_LIBRARIES}
+)
+
+
+endif (gRPC_BUILD_TESTS)
+if (gRPC_BUILD_TESTS)
+
 add_executable(grpc_tool_test
   ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.pb.cc
   ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.grpc.pb.cc

diff --git a/Makefile b/Makefile
@@ -1222,6 +1222,7 @@ grpc_objective_c_plugin: $(BINDIR)/$(CONFIG)/grpc_objective_c_plugin
 grpc_php_plugin: $(BINDIR)/$(CONFIG)/grpc_php_plugin
 grpc_python_plugin: $(BINDIR)/$(CONFIG)/grpc_python_plugin
 grpc_ruby_plugin: $(BINDIR)/$(CONFIG)/grpc_ruby_plugin
+grpc_spiffe_security_connector_test: $(BINDIR)/$(CONFIG)/grpc_spiffe_security_connector_test
 grpc_tool_test: $(BINDIR)/$(CONFIG)/grpc_tool_test
 grpclb_api_test: $(BINDIR)/$(CONFIG)/grpclb_api_test
 grpclb_end2end_test: $(BINDIR)/$(CONFIG)/grpclb_end2end_test
@@ -1695,6 +1696,7 @@ buildtests_cxx: privatelibs_cxx \
   $(BINDIR)/$(CONFIG)/grpc_core_map_test \
   $(BINDIR)/$(CONFIG)/grpc_fetch_oauth2 \
   $(BINDIR)/$(CONFIG)/grpc_linux_system_roots_test \
+  $(BINDIR)/$(CONFIG)/grpc_spiffe_security_connector_test \
   $(BINDIR)/$(CONFIG)/grpc_tool_test \
   $(BINDIR)/$(CONFIG)/grpclb_api_test \
   $(BINDIR)/$(CONFIG)/grpclb_end2end_test \
@@ -1862,6 +1864,7 @@ buildtests_cxx: privatelibs_cxx \
   $(BINDIR)/$(CONFIG)/grpc_core_map_test \
   $(BINDIR)/$(CONFIG)/grpc_fetch_oauth2 \
   $(BINDIR)/$(CONFIG)/grpc_linux_system_roots_test \
+  $(BINDIR)/$(CONFIG)/grpc_spiffe_security_connector_test \
   $(BINDIR)/$(CONFIG)/grpc_tool_test \
   $(BINDIR)/$(CONFIG)/grpclb_api_test \
   $(BINDIR)/$(CONFIG)/grpclb_end2end_test \
@@ -2370,6 +2373,8 @@ test_cxx: buildtests_cxx
 	$(Q) $(BINDIR)/$(CONFIG)/grpc_core_map_test || ( echo test grpc_core_map_test failed ; exit 1 )
 	$(E) "[RUN]     Testing grpc_linux_system_roots_test"
 	$(Q) $(BINDIR)/$(CONFIG)/grpc_linux_system_roots_test || ( echo test grpc_linux_system_roots_test failed ; exit 1 )
+	$(E) "[RUN]     Testing grpc_spiffe_security_connector_test"
+	$(Q) $(BINDIR)/$(CONFIG)/grpc_spiffe_security_connector_test || ( echo test grpc_spiffe_security_connector_test failed ; exit 1 )
 	$(E) "[RUN]     Testing grpc_tool_test"
 	$(Q) $(BINDIR)/$(CONFIG)/grpc_tool_test || ( echo test grpc_tool_test failed ; exit 1 )
 	$(E) "[RUN]     Testing grpclb_api_test"
@@ -16944,6 +16949,49 @@ ifneq ($(NO_DEPS),true)
 endif
 
 
+GRPC_SPIFFE_SECURITY_CONNECTOR_TEST_SRC = \
+    test/core/security/spiffe_security_connector_test.cc \
+
+GRPC_SPIFFE_SECURITY_CONNECTOR_TEST_OBJS = $(addprefix $(OBJDIR)/$(CONFIG)/, $(addsuffix .o, $(basename $(GRPC_SPIFFE_SECURITY_CONNECTOR_TEST_SRC))))
+ifeq ($(NO_SECURE),true)
+
+# You can't build secure targets if you don't have OpenSSL.
+
+$(BINDIR)/$(CONFIG)/grpc_spiffe_security_connector_test: openssl_dep_error
+
+else
+
+
+
+
+ifeq ($(NO_PROTOBUF),true)
+
+# You can't build the protoc plugins or protobuf-enabled targets if you don't have protobuf 3.5.0+.
+
+$(BINDIR)/$(CONFIG)/grpc_spiffe_security_connector_test: protobuf_dep_error
+
+else
+
+$(BINDIR)/$(CONFIG)/grpc_spiffe_security_connector_test: $(PROTOBUF_DEP) $(GRPC_SPIFFE_SECURITY_CONNECTOR_TEST_OBJS) $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc++_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc++.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr.a
+	$(E) "[LD]      Linking $@"
+	$(Q) mkdir -p `dirname $@`
+	$(Q) $(LDXX) $(LDFLAGS) $(GRPC_SPIFFE_SECURITY_CONNECTOR_TEST_OBJS) $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc++_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc++.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr.a $(LDLIBSXX) $(LDLIBS_PROTOBUF) $(LDLIBS) $(LDLIBS_SECURE) $(GTEST_LIB) -o $(BINDIR)/$(CONFIG)/grpc_spiffe_security_connector_test
+
+endif
+
+endif
+
+$(OBJDIR)/$(CONFIG)/test/core/security/spiffe_security_connector_test.o:  $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc++_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc++.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr.a
+
+deps_grpc_spiffe_security_connector_test: $(GRPC_SPIFFE_SECURITY_CONNECTOR_TEST_OBJS:.o=.dep)
+
+ifneq ($(NO_SECURE),true)
+ifneq ($(NO_DEPS),true)
+-include $(GRPC_SPIFFE_SECURITY_CONNECTOR_TEST_OBJS:.o=.dep)
+endif
+endif
+
+
 GRPC_TOOL_TEST_SRC = \
     $(GENDIR)/src/proto/grpc/testing/echo.pb.cc $(GENDIR)/src/proto/grpc/testing/echo.grpc.pb.cc \
     $(GENDIR)/src/proto/grpc/testing/echo_messages.pb.cc $(GENDIR)/src/proto/grpc/testing/echo_messages.grpc.pb.cc \

diff --git a/build.yaml b/build.yaml
@@ -5112,6 +5112,20 @@ targets:
   deps:
   - grpc_plugin_support
   secure: false
+- name: grpc_spiffe_security_connector_test
+  gtest: true
+  build: test
+  language: c++
+  src:
+  - test/core/security/spiffe_security_connector_test.cc
+  deps:
+  - grpc_test_util
+  - grpc++_test_util
+  - grpc++
+  - grpc
+  - gpr
+  uses:
+  - grpc++_test
 - name: grpc_tool_test
   gtest: true
   build: test

diff --git a/grpc.def b/grpc.def
@@ -141,6 +141,8 @@ EXPORTS
     grpc_tls_credentials_options_set_server_authorization_check_config
     grpc_tls_key_materials_config_create
     grpc_tls_key_materials_config_set_key_materials
+    grpc_tls_key_materials_config_set_version
+    grpc_tls_key_materials_config_get_version
     grpc_tls_credential_reload_config_create
     grpc_tls_server_authorization_check_config_create
     grpc_raw_byte_buffer_create

diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h
@@ -778,6 +778,21 @@ GRPCAPI int grpc_tls_key_materials_config_set_key_materials(
     const grpc_ssl_pem_key_cert_pair** pem_key_cert_pairs,
     size_t num_key_cert_pairs);
 
+/** Set grpc_tls_key_materials_config instance with a provided version number,
+    which is used to keep track of the version of key materials.
+    It returns 1 on success and 0 on failure. It is used for
+    experimental purpose for now and subject to change.
+ */
+GRPCAPI int grpc_tls_key_materials_config_set_version(
+    grpc_tls_key_materials_config* config, int version);
+
+/** Get the version number of a grpc_tls_key_materials_config instance.
+    It returns the version number on success and -1 on failure.
+    It is used for experimental purpose for now and subject to change.
+ */
+GRPCAPI int grpc_tls_key_materials_config_get_version(
+    grpc_tls_key_materials_config* config);
+
 /** --- TLS credential reload config. ---
     It is used for experimental purpose for now and subject to change.*/
 
@@ -793,10 +808,11 @@ typedef void (*grpc_tls_on_credential_reload_done_cb)(
 /** A struct containing all information necessary to schedule/cancel
     a credential reload request. cb and cb_user_data represent a gRPC-provided
     callback and an argument passed to it. key_materials is an in/output
-    parameter containing currently used/newly reloaded credentials. status and
-    error_details are used to hold information about errors occurred when a
-    credential reload request is scheduled/cancelled. It is used for
-    experimental purpose for now and subject to change. */
+    parameter containing currently used/newly reloaded credentials. If
+    credential reload does not result in a new credential, key_materials should
+    not be modified. status and error_details are used to hold information about
+    errors occurred when a credential reload request is scheduled/cancelled. It
+    is used for experimental purpose for now and subject to change. */
 struct grpc_tls_credential_reload_arg {
   grpc_tls_on_credential_reload_done_cb cb;
   void* cb_user_data;

diff --git a/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc b/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc
@@ -157,6 +157,29 @@ int grpc_tls_key_materials_config_set_key_materials(
   return 1;
 }
 
+int grpc_tls_key_materials_config_set_version(
+    grpc_tls_key_materials_config* config, int version) {
+  if (config == nullptr) {
+    gpr_log(GPR_ERROR,
+            "Invalid arguments to "
+            "grpc_tls_key_materials_config_set_version()");
+    return 0;
+  }
+  config->set_version(version);
+  return 1;
+}
+
+int grpc_tls_key_materials_config_get_version(
+    grpc_tls_key_materials_config* config) {
+  if (config == nullptr) {
+    gpr_log(GPR_ERROR,
+            "Invalid arguments to "
+            "grpc_tls_key_materials_config_get_version()");
+    return -1;
+  }
+  return config->version();
+}
+
 grpc_tls_credential_reload_config* grpc_tls_credential_reload_config_create(
     const void* config_user_data,
     int (*schedule)(void* config_user_data,

diff --git a/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h b/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h
@@ -39,12 +39,15 @@ struct grpc_tls_key_materials_config
   const PemKeyCertPairList& pem_key_cert_pair_list() const {
     return pem_key_cert_pair_list_;
   }
+  int version() const { return version_; }
 
   /** Setters for member fields. **/
   void set_key_materials(grpc_core::UniquePtr<char> pem_root_certs,
                          PemKeyCertPairList pem_key_cert_pair_list);
+  void set_version(int version) { version_ = version; }
 
  private:
+  int version_ = 0;
   PemKeyCertPairList pem_key_cert_pair_list_;
   grpc_core::UniquePtr<char> pem_root_certs_;
 };

diff --git a/src/core/lib/security/credentials/tls/spiffe_credentials.cc b/src/core/lib/security/credentials/tls/spiffe_credentials.cc
@@ -84,7 +84,7 @@ SpiffeCredentials::create_security_connector(
           static_cast<tsi_ssl_session_cache*>(arg->value.pointer.p);
     }
   }
-  grpc_core::RefCountedPtr<grpc_channel_security_connector> sc =
+  grpc_core::RefCountedPtr<grpc_channel_security_connector> sc = grpc_core::
       SpiffeChannelSecurityConnector::CreateSpiffeChannelSecurityConnector(
           this->Ref(), std::move(call_creds), target_name,
           overridden_target_name, ssl_session_cache);
@@ -106,8 +106,8 @@ SpiffeServerCredentials::~SpiffeServerCredentials() {}
 
 grpc_core::RefCountedPtr<grpc_server_security_connector>
 SpiffeServerCredentials::create_security_connector() {
-  return SpiffeServerSecurityConnector::CreateSpiffeServerSecurityConnector(
-      this->Ref());
+  return grpc_core::SpiffeServerSecurityConnector::
+      CreateSpiffeServerSecurityConnector(this->Ref());
 }
 
 grpc_channel_credentials* grpc_tls_spiffe_credentials_create(

diff --git a/src/core/lib/security/security_connector/ssl_utils.h b/src/core/lib/security/security_connector/ssl_utils.h
@@ -149,9 +149,15 @@ class PemKeyCertPair {
     return *this;
   }
 
-  // Not copyable.
-  PemKeyCertPair(const PemKeyCertPair&) = delete;
-  PemKeyCertPair& operator=(const PemKeyCertPair&) = delete;
+  // Copyable.
+  PemKeyCertPair(const PemKeyCertPair& other)
+      : private_key_(gpr_strdup(other.private_key())),
+        cert_chain_(gpr_strdup(other.cert_chain())) {}
+  PemKeyCertPair& operator=(const PemKeyCertPair& other) {
+    private_key_ = grpc_core::UniquePtr<char>(gpr_strdup(other.private_key()));
+    cert_chain_ = grpc_core::UniquePtr<char>(gpr_strdup(other.cert_chain()));
+    return *this;
+  }
 
   char* private_key() const { return private_key_.get(); }
   char* cert_chain() const { return cert_chain_.get(); }