1 //
2 // Copyright 2020 gRPC authors.
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #ifndef GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H
18 #define GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H
19 
20 #include <memory>
21 #include <vector>
22 
23 #include <grpc/grpc_security.h>
25 #include <grpc/status.h>
26 #include <grpc/support/log.h>
27 #include <grpcpp/support/config.h>
28 
29 namespace grpc {
30 namespace experimental {
31 
32 // Interface for a class that handles the process to fetch credential data.
33 // Implementations should be a wrapper class of an internal provider
34 // implementation.
36  public:
 // Virtual destructor: this interface is polymorphic (c_provider() is pure
 // virtual), so deleting an implementation through an interface pointer must
 // run the implementation's own destructor.
 virtual ~CertificateProviderInterface() = default;
 // Returns the C-core provider handle wrapped by this object. The pointer is
 // non-owning from the caller's point of view: implementations hand back a
 // member they hold themselves, so callers must not free it and must not use
 // it after the provider object is destroyed (the handle is presumably released
 // by the implementation's destructor - confirm in the implementation).
 virtual grpc_tls_certificate_provider* c_provider() = 0;
39 };
40 
41 // A struct that stores the credential data presented to the peer in handshake
42 // to show local identity. The private_key and certificate_chain should always
43 // match.
45  std::string private_key;
46  std::string certificate_chain;
47 };
48 
49 // A basic CertificateProviderInterface implementation that will load credential
50 // data from static strings during initialization. This provider will always
51 // return the same cert data for all cert names, and reloading is not supported.
54  public:
56  const std::string& root_certificate,
57  const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs);
58 
 // Root-certificate-only overload. Delegates to the two-argument constructor
 // with an empty identity list, so presumably this provider supplies no local
 // identity credentials - confirm against the out-of-line constructor.
 explicit StaticDataCertificateProvider(const std::string& root_certificate)
 : StaticDataCertificateProvider(root_certificate,
 std::vector<IdentityKeyCertPair>()) {}
61 
63  const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs)
64  : StaticDataCertificateProvider("", identity_key_cert_pairs) {}
65 
67 
 // Non-owning accessor for the wrapped C-core provider. The member starts as
 // nullptr and is presumably populated by the out-of-line constructor; the
 // handle stays valid only for the lifetime of this object.
 grpc_tls_certificate_provider* c_provider() override {
 return this->c_provider_;
 }
69 
70  private:
71  grpc_tls_certificate_provider* c_provider_ = nullptr;
72 };
73 
74 // A CertificateProviderInterface implementation that will watch the credential
75 // changes on the file system. This provider will always return the up-to-date
76 // cert data for all the cert names callers set through |TlsCredentialsOptions|.
77 // Several things to note:
78 // 1. This API only supports one key-cert file and hence one identity
79 // key-cert pair, so SNI (Server Name Indication) is not supported.
80 // 2. The private key and identity certificate should always match. This API
81 // guarantees atomic reads, and it is the callers' responsibility to do atomic
82 // updates. There are many ways to atomically update the key and certs in the
83 // file system. To name a few:
84 // 1) creating a new directory, renaming the old directory to a new name, and
85 // then renaming the new directory to the original name of the old directory.
86 // 2) using a symlink for the directory. When a change is needed, put the new
87 // credential data in a new directory and repoint the symlink.
90  public:
 // Constructor to get credential updates from root and identity file paths.
 //
 // @param private_key_path is the file path of the private key.
 // @param identity_certificate_path is the file path of the identity
 // certificate chain.
 // @param root_cert_path is the file path to the root certificate bundle.
 // @param refresh_interval_sec is the refreshing interval that we will check
 // the files for updates.
 //
 // NOTE(review): the private key is read from the file system by this
 // provider, so the key file's permissions should be restricted to the
 // process owner. The behaviour for a refresh_interval_sec of 0 is not
 // visible in this header - confirm in the implementation before relying on it.
 FileWatcherCertificateProvider(const std::string& private_key_path,
 const std::string& identity_certificate_path,
 const std::string& root_cert_path,
 unsigned int refresh_interval_sec);
 // Identity-only overload: delegates to the full constructor with an empty
 // root certificate path, which presumably means no root bundle is watched -
 // confirm against the out-of-line constructor.
 FileWatcherCertificateProvider(const std::string& private_key_path,
 const std::string& identity_certificate_path,
 unsigned int refresh_interval_sec)
 : FileWatcherCertificateProvider(private_key_path, identity_certificate_path,
 std::string(), refresh_interval_sec) {}
 // Root-only overload: delegates to the full constructor with empty private
 // key and identity certificate paths, which presumably means no local
 // identity is presented - confirm against the out-of-line constructor.
 FileWatcherCertificateProvider(const std::string& root_cert_path,
 unsigned int refresh_interval_sec)
 : FileWatcherCertificateProvider(std::string(), std::string(),
 root_cert_path, refresh_interval_sec) {}
115 
 // Defined out of line. Presumably stops the file watcher and releases the
 // wrapped C-core provider held in c_provider_ - confirm in the implementation.
 ~FileWatcherCertificateProvider() override;
117 
 // Non-owning accessor for the wrapped C-core provider. The member starts as
 // nullptr and is presumably populated by the out-of-line constructor; the
 // handle stays valid only for the lifetime of this object.
 grpc_tls_certificate_provider* c_provider() override {
 return this->c_provider_;
 }
119 
120  private:
121  grpc_tls_certificate_provider* c_provider_ = nullptr;
122 };
123 
124 } // namespace experimental
125 } // namespace grpc
126 
127 #endif // GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H