1 //
2 //
3 // Copyright 2020 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #include <grpc/support/port_platform.h>
20
21 #include "src/core/ext/xds/certificate_provider_store.h"
22
23 #include "absl/strings/str_cat.h"
24
25 #include <grpc/support/json.h>
26 #include <grpc/support/log.h>
27
28 #include "src/core/lib/config/core_configuration.h"
29 #include "src/core/lib/security/certificate_provider/certificate_provider_registry.h"
30
31 namespace grpc_core {
32
33 //
34 // CertificateProviderStore::PluginDefinition
35 //
36
37 const JsonLoaderInterface*
JsonLoader(const JsonArgs &)38 CertificateProviderStore::PluginDefinition::JsonLoader(const JsonArgs&) {
39 static const auto* loader =
40 JsonObjectLoader<PluginDefinition>()
41 .Field("plugin_name", &PluginDefinition::plugin_name)
42 .Finish();
43 return loader;
44 }
45
JsonPostLoad(const Json & json,const JsonArgs & args,ValidationErrors * errors)46 void CertificateProviderStore::PluginDefinition::JsonPostLoad(
47 const Json& json, const JsonArgs& args, ValidationErrors* errors) {
48 // Check that plugin is supported.
49 CertificateProviderFactory* factory = nullptr;
50 if (!plugin_name.empty()) {
51 ValidationErrors::ScopedField field(errors, ".plugin_name");
52 factory = CoreConfiguration::Get()
53 .certificate_provider_registry()
54 .LookupCertificateProviderFactory(plugin_name);
55 if (factory == nullptr) {
56 errors->AddError(absl::StrCat("Unrecognized plugin name: ", plugin_name));
57 return; // No point checking config.
58 }
59 }
60 // Parse the config field.
61 {
62 ValidationErrors::ScopedField field(errors, ".config");
63 auto it = json.object().find("config");
64 // The config field is optional; if not present, we use an empty JSON
65 // object.
66 Json::Object config_json;
67 if (it != json.object().end()) {
68 if (it->second.type() != Json::Type::kObject) {
69 errors->AddError("is not an object");
70 return; // No point parsing config.
71 } else {
72 config_json = it->second.object();
73 }
74 }
75 if (factory == nullptr) return;
76 // Use plugin to validate and parse config.
77 config = factory->CreateCertificateProviderConfig(
78 Json::FromObject(std::move(config_json)), args, errors);
79 }
80 }
81
82 //
83 // CertificateProviderStore::CertificateProviderWrapper
84 //
85
type() const86 UniqueTypeName CertificateProviderStore::CertificateProviderWrapper::type()
87 const {
88 static UniqueTypeName::Factory kFactory("Wrapper");
89 return kFactory.Create();
90 }
91
92 // If a certificate provider is created, the CertificateProviderStore
93 // maintains a raw pointer to the created CertificateProviderWrapper so that
94 // future calls to `CreateOrGetCertificateProvider()` with the same key result
95 // in returning a ref to this created certificate provider. This entry is
96 // deleted when the refcount to this provider reaches zero.
97 RefCountedPtr<grpc_tls_certificate_provider>
CreateOrGetCertificateProvider(absl::string_view key)98 CertificateProviderStore::CreateOrGetCertificateProvider(
99 absl::string_view key) {
100 RefCountedPtr<CertificateProviderWrapper> result;
101 MutexLock lock(&mu_);
102 auto it = certificate_providers_map_.find(key);
103 if (it == certificate_providers_map_.end()) {
104 result = CreateCertificateProviderLocked(key);
105 if (result != nullptr) {
106 certificate_providers_map_.insert({result->key(), result.get()});
107 }
108 } else {
109 result = it->second->RefIfNonZero();
110 if (result == nullptr) {
111 result = CreateCertificateProviderLocked(key);
112 it->second = result.get();
113 }
114 }
115 return result;
116 }
117
118 RefCountedPtr<CertificateProviderStore::CertificateProviderWrapper>
CreateCertificateProviderLocked(absl::string_view key)119 CertificateProviderStore::CreateCertificateProviderLocked(
120 absl::string_view key) {
121 auto plugin_config_it = plugin_config_map_.find(std::string(key));
122 if (plugin_config_it == plugin_config_map_.end()) {
123 return nullptr;
124 }
125 CertificateProviderFactory* factory =
126 CoreConfiguration::Get()
127 .certificate_provider_registry()
128 .LookupCertificateProviderFactory(
129 plugin_config_it->second.plugin_name);
130 if (factory == nullptr) {
131 // This should never happen since an entry is only inserted in the
132 // plugin_config_map_ if the corresponding factory was found when parsing
133 // the xDS bootstrap file.
134 gpr_log(GPR_ERROR, "Certificate provider factory %s not found",
135 plugin_config_it->second.plugin_name.c_str());
136 return nullptr;
137 }
138 return MakeRefCounted<CertificateProviderWrapper>(
139 factory->CreateCertificateProvider(plugin_config_it->second.config),
140 Ref(), plugin_config_it->first);
141 }
142
ReleaseCertificateProvider(absl::string_view key,CertificateProviderWrapper * wrapper)143 void CertificateProviderStore::ReleaseCertificateProvider(
144 absl::string_view key, CertificateProviderWrapper* wrapper) {
145 MutexLock lock(&mu_);
146 auto it = certificate_providers_map_.find(key);
147 if (it != certificate_providers_map_.end()) {
148 if (it->second == wrapper) {
149 certificate_providers_map_.erase(it);
150 }
151 }
152 }
153
154 } // namespace grpc_core
155