grpc/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

/*
 *
 * Copyright 2015 gRPC authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */

#include <grpc/support/port_platform.h>

#include <string.h>

#include "absl/strings/str_cat.h"

#include <grpc/grpc.h>
#include <grpc/support/alloc.h>
#include <grpc/support/log.h>

#include "src/core/ext/transport/chttp2/server/chttp2_server.h"

#include "src/core/ext/transport/chttp2/transport/chttp2_transport.h"
#include "src/core/lib/channel/channel_args.h"
#include "src/core/lib/channel/handshaker.h"
#include "src/core/lib/gprpp/ref_counted_ptr.h"
#include "src/core/lib/security/context/security_context.h"
#include "src/core/lib/security/credentials/credentials.h"
#include "src/core/lib/surface/api_trace.h"
#include "src/core/lib/surface/server.h"

namespace {

grpc_channel_args* ModifyArgsForConnection(grpc_channel_args* args,
                                           grpc_error_handle* error) {
  grpc_server_credentials* server_credentials =
      grpc_find_server_credentials_in_args(args);
  if (server_credentials == nullptr) {
    *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
        "Could not find server credentials");
    return args;
  }
  auto security_connector = server_credentials->create_security_connector(args);
  if (security_connector == nullptr) {
    *error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
        absl::StrCat("Unable to create secure server with credentials of type ",
                     server_credentials->type())
            .c_str());
    return args;
  }
  grpc_arg arg_to_add =
      grpc_security_connector_to_arg(security_connector.get());
  grpc_channel_args* new_args =
      grpc_channel_args_copy_and_add(args, &arg_to_add, 1);
  grpc_channel_args_destroy(args);
  return new_args;
}

}  // namespace

int grpc_server_add_secure_http2_port(grpc_server* server, const char* addr,
                                      grpc_server_credentials* creds) {
  grpc_core::ExecCtx exec_ctx;
  grpc_error_handle err = GRPC_ERROR_NONE;
  grpc_core::RefCountedPtr<grpc_server_security_connector> sc;
  int port_num = 0;
  grpc_channel_args* args = nullptr;
  GRPC_API_TRACE(
      "grpc_server_add_secure_http2_port("
      "server=%p, addr=%s, creds=%p)",
      3, (server, addr, creds));
  // Create security context.
  if (creds == nullptr) {
    err = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
        "No credentials specified for secure server port (creds==NULL)");
    goto done;
  }
  // TODO(yashykt): Ideally, we would not want to have different behavior here
  // based on whether a config fetcher is configured or not. Currently, we have
  // a feature for SSL credentials reloading with an application callback that
  // assumes that there is a single security connector. If we delay the creation
  // of the security connector to after the creation of the listener(s), we
  // would have potentially multiple security connectors which breaks the
  // assumption for SSL creds reloading. When the API for SSL creds reloading is
  // rewritten, we would be able to make this workaround go away by removing
  // that assumption. As an immediate drawback of this workaround, config
  // fetchers need to be registered before adding ports to the server.
  if (server->core_server->config_fetcher() != nullptr) {
    // Create channel args.
    grpc_arg arg_to_add = grpc_server_credentials_to_arg(creds);
    args = grpc_channel_args_copy_and_add(server->core_server->channel_args(),
                                          &arg_to_add, 1);
  } else {
    sc = creds->create_security_connector(nullptr);
    if (sc == nullptr) {
      err = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
          absl::StrCat(
              "Unable to create secure server with credentials of type ",
              creds->type())
              .c_str());
      goto done;
    }
    grpc_arg args_to_add[2];
    args_to_add[0] = grpc_server_credentials_to_arg(creds);
    args_to_add[1] = grpc_security_connector_to_arg(sc.get());
    args = grpc_channel_args_copy_and_add(server->core_server->channel_args(),
                                          args_to_add,
                                          GPR_ARRAY_SIZE(args_to_add));
  }
  // Add server port.
  err = grpc_core::Chttp2ServerAddPort(server->core_server.get(), addr, args,
                                       ModifyArgsForConnection, &port_num);
done:
  sc.reset(DEBUG_LOCATION, "server");
  if (err != GRPC_ERROR_NONE) {
    gpr_log(GPR_ERROR, "%s", grpc_error_std_string(err).c_str());

    GRPC_ERROR_UNREF(err);
  }
  return port_num;
}