grpc/cpp/tls__certificate__provider_8h_source.html

//

// Copyright 2020 gRPC authors.

//

// Licensed under the Apache License, Version 2.0 (the "License");

// you may not use this file except in compliance with the License.

// You may obtain a copy of the License at

//

//     http://www.apache.org/licenses/LICENSE-2.0

//

// Unless required by applicable law or agreed to in writing, software

// distributed under the License is distributed on an "AS IS" BASIS,

// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

// See the License for the specific language governing permissions and

// limitations under the License.

//


#ifndef GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H

#define GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H


#include <memory>

#include <vector>


#include <grpc/credentials.h>

#include <grpc/grpc_security.h>

#include <grpc/grpc_security_constants.h>

#include <grpc/status.h>

#include <grpc/support/log.h>

#include <grpcpp/support/config.h>


namespace grpc {

namespace experimental {


// Interface for a class that handles the process to fetch credential data.

// Implementations should be a wrapper class of an internal provider

// implementation.

class GRPCXX_DLL CertificateProviderInterface {

 public:

  virtual ~CertificateProviderInterface() = default;

  virtual grpc_tls_certificate_provider* c_provider() = 0;

};


// A struct that stores the credential data presented to the peer in handshake

// to show local identity. The private_key and certificate_chain should always

// match.

struct GRPCXX_DLL IdentityKeyCertPair {

  std::string private_key;

  std::string certificate_chain;

};


// A basic CertificateProviderInterface implementation that will load credential

// data from static string during initialization. This provider will always

// return the same cert data for all cert names, and reloading is not supported.

class GRPCXX_DLL StaticDataCertificateProvider

    : public CertificateProviderInterface {

 public:

  StaticDataCertificateProvider(

      const std::string& root_certificate,

      const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs);


  explicit StaticDataCertificateProvider(const std::string& root_certificate)

      : StaticDataCertificateProvider(root_certificate, {}) {}


  explicit StaticDataCertificateProvider(

      const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs)

      : StaticDataCertificateProvider("", identity_key_cert_pairs) {}


  ~StaticDataCertificateProvider() override;


  grpc_tls_certificate_provider* c_provider() override { return c_provider_; }


 private:

  grpc_tls_certificate_provider* c_provider_ = nullptr;

};


// A CertificateProviderInterface implementation that will watch the credential

// changes on the file system. This provider will always return the up-to-date

// cert data for all the cert names callers set through |TlsCredentialsOptions|.

// Several things to note:

// 1. This API only supports one key-cert file and hence one set of identity

// key-cert pair, so SNI(Server Name Indication) is not supported.

// 2. The private key and identity certificate should always match. This API

// guarantees atomic read, and it is the callers' responsibility to do atomic

// updates. There are many ways to atomically update the key and certs in the

// file system. To name a few:

//   1)  creating a new directory, renaming the old directory to a new name, and

//   then renaming the new directory to the original name of the old directory.

//   2)  using a symlink for the directory. When need to change, put new

//   credential data in a new directory, and change symlink.

class GRPCXX_DLL FileWatcherCertificateProvider final

    : public CertificateProviderInterface {

 public:

  // Constructor to get credential updates from root and identity file paths.

  //

  // @param private_key_path is the file path of the private key.

  // @param identity_certificate_path is the file path of the identity

  // certificate chain.

  // @param root_cert_path is the file path to the root certificate bundle.

  // @param refresh_interval_sec is the refreshing interval that we will check

  // the files for updates.

  FileWatcherCertificateProvider(const std::string& private_key_path,

                                 const std::string& identity_certificate_path,

                                 const std::string& root_cert_path,

                                 unsigned int refresh_interval_sec);

  // Constructor to get credential updates from identity file paths only.

  FileWatcherCertificateProvider(const std::string& private_key_path,

                                 const std::string& identity_certificate_path,

                                 unsigned int refresh_interval_sec)

      : FileWatcherCertificateProvider(private_key_path,

                                       identity_certificate_path, "",

                                       refresh_interval_sec) {}

  // Constructor to get credential updates from root file path only.

  FileWatcherCertificateProvider(const std::string& root_cert_path,

                                 unsigned int refresh_interval_sec)

      : FileWatcherCertificateProvider("", "", root_cert_path,

                                       refresh_interval_sec) {}


  ~FileWatcherCertificateProvider() override;


  grpc_tls_certificate_provider* c_provider() override { return c_provider_; }


 private:

  grpc_tls_certificate_provider* c_provider_ = nullptr;

};


}  // namespace experimental

}  // namespace grpc


#endif  // GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H