Reland empty target introduction to ease the internal merge of #25586 (…

…#28408) * revert #28172 * fix missing arena dependency * add missing dependency * sync to upstream/master
grpc · Jan 7, 2022 · 10b2b50 · 10b2b50
1 parent 9b12e83
commit 10b2b50
Show file tree

Hide file tree

Showing 16 changed files with 408 additions and 232 deletions.
diff --git a/BUILD b/BUILD
diff --git a/src/core/lib/security/credentials/ssl/ssl_credentials.cc b/src/core/lib/security/credentials/ssl/ssl_credentials.cc
@@ -27,23 +27,14 @@
 #include <grpc/support/string_util.h>
 
 #include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/security/security_connector/ssl_utils.h"
 #include "src/core/lib/surface/api_trace.h"
 #include "src/core/tsi/ssl_transport_security.h"
 
 //
 // SSL Channel Credentials.
 //
 
-void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp,
-                                             size_t num_key_cert_pairs) {
-  if (kp == nullptr) return;
-  for (size_t i = 0; i < num_key_cert_pairs; i++) {
-    gpr_free(const_cast<char*>(kp[i].private_key));
-    gpr_free(const_cast<char*>(kp[i].cert_chain));
-  }
-  gpr_free(kp);
-}
-
 grpc_ssl_credentials::grpc_ssl_credentials(
     const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
     const grpc_ssl_verify_peer_options* verify_options)

diff --git a/src/core/lib/security/security_connector/security_connector.cc b/src/core/lib/security/security_connector/security_connector.cc
@@ -25,15 +25,11 @@
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 
-#include "src/core/ext/transport/chttp2/alpn/alpn.h"
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/channel/handshaker.h"
 #include "src/core/lib/gpr/string.h"
-#include "src/core/lib/gprpp/host_port.h"
-#include "src/core/lib/iomgr/load_file.h"
 #include "src/core/lib/security/context/security_context.h"
 #include "src/core/lib/security/credentials/credentials.h"
-#include "src/core/lib/security/security_connector/load_system_roots.h"
 #include "src/core/lib/security/security_connector/security_connector.h"
 #include "src/core/lib/security/transport/security_handshaker.h"
 

diff --git a/src/core/lib/security/security_connector/security_connector.h b/src/core/lib/security/security_connector/security_connector.h
@@ -30,11 +30,15 @@
 #include "src/core/lib/iomgr/endpoint.h"
 #include "src/core/lib/iomgr/pollset.h"
 #include "src/core/lib/iomgr/tcp_server.h"
-#include "src/core/tsi/ssl_transport_security.h"
 #include "src/core/tsi/transport_security_interface.h"
 
 extern grpc_core::DebugOnlyTraceFlag grpc_trace_security_connector_refcount;
 
+/* --- URL schemes. --- */
+
+#define GRPC_SSL_URL_SCHEME "https"
+#define GRPC_FAKE_SECURITY_URL_SCHEME "http+fake_security"
+
 typedef enum { GRPC_SECURITY_OK = 0, GRPC_SECURITY_ERROR } grpc_security_status;
 
 /* --- security_connector object. ---

diff --git a/src/core/lib/security/security_connector/ssl_utils.cc b/src/core/lib/security/security_connector/ssl_utils.cc
@@ -92,30 +92,6 @@ const char* grpc_get_ssl_cipher_suites(void) {
   return cipher_suites;
 }
 
-grpc_security_level grpc_tsi_security_level_string_to_enum(
-    const char* security_level) {
-  if (strcmp(security_level, "TSI_INTEGRITY_ONLY") == 0) {
-    return GRPC_INTEGRITY_ONLY;
-  } else if (strcmp(security_level, "TSI_PRIVACY_AND_INTEGRITY") == 0) {
-    return GRPC_PRIVACY_AND_INTEGRITY;
-  }
-  return GRPC_SECURITY_NONE;
-}
-
-const char* grpc_security_level_to_string(grpc_security_level security_level) {
-  if (security_level == GRPC_PRIVACY_AND_INTEGRITY) {
-    return "GRPC_PRIVACY_AND_INTEGRITY";
-  } else if (security_level == GRPC_INTEGRITY_ONLY) {
-    return "GRPC_INTEGRITY_ONLY";
-  }
-  return "GRPC_SECURITY_NONE";
-}
-
-bool grpc_check_security_level(grpc_security_level channel_level,
-                               grpc_security_level call_cred_level) {
-  return static_cast<int>(channel_level) >= static_cast<int>(call_cred_level);
-}
-
 tsi_client_certificate_request_type
 grpc_get_tsi_client_certificate_request_type(
     grpc_ssl_client_certificate_request_type grpc_request_type) {
@@ -179,6 +155,16 @@ grpc_error_handle grpc_ssl_check_peer_name(absl::string_view peer_name,
   return GRPC_ERROR_NONE;
 }
 
+void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp,
+                                             size_t num_key_cert_pairs) {
+  if (kp == nullptr) return;
+  for (size_t i = 0; i < num_key_cert_pairs; i++) {
+    gpr_free(const_cast<char*>(kp[i].private_key));
+    gpr_free(const_cast<char*>(kp[i].cert_chain));
+  }
+  gpr_free(kp);
+}
+
 bool grpc_ssl_check_call_host(absl::string_view host,
                               absl::string_view target_name,
                               absl::string_view overridden_target_name,

diff --git a/src/core/lib/security/security_connector/ssl_utils.h b/src/core/lib/security/security_connector/ssl_utils.h
@@ -40,9 +40,6 @@
 
 /* --- Util --- */
 
-/* --- URL schemes. --- */
-#define GRPC_SSL_URL_SCHEME "https"
-
 /* Check ALPN information returned from SSL handshakes. */
 grpc_error_handle grpc_ssl_check_alpn(const tsi_peer* peer);
 
@@ -69,20 +66,9 @@ tsi_client_certificate_request_type
 grpc_get_tsi_client_certificate_request_type(
     grpc_ssl_client_certificate_request_type grpc_request_type);
 
-/* Map tsi_security_level string to grpc_security_level enum. */
-grpc_security_level grpc_tsi_security_level_string_to_enum(
-    const char* security_level);
-
 /* Map grpc_tls_version to tsi_tls_version. */
 tsi_tls_version grpc_get_tsi_tls_version(grpc_tls_version tls_version);
 
-/* Map grpc_security_level enum to a string. */
-const char* grpc_security_level_to_string(grpc_security_level security_level);
-
-/* Check security level of channel and call credential.*/
-bool grpc_check_security_level(grpc_security_level channel_level,
-                               grpc_security_level call_cred_level);
-
 /* Return an array of strings containing alpn protocols. */
 const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols);
 
@@ -102,6 +88,9 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
     const char* crl_directory,
     tsi_ssl_server_handshaker_factory** handshaker_factory);
 
+/* Free the memory occupied by key cert pairs. */
+void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp,
+                                             size_t num_key_cert_pairs);
 /* Exposed for testing only. */
 grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
     const tsi_peer* peer, const char* transport_security_type);

diff --git a/src/core/lib/security/security_connector/tls/tls_security_connector.cc b/src/core/lib/security/security_connector/tls/tls_security_connector.cc
@@ -34,7 +34,6 @@
 #include <grpc/support/string_util.h>
 
 #include "src/core/lib/gprpp/host_port.h"
-#include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
 #include "src/core/lib/security/security_connector/ssl_utils.h"
 #include "src/core/lib/security/transport/security_handshaker.h"

diff --git a/src/core/lib/security/transport/auth_filters.h b/src/core/lib/security/transport/auth_filters.h
@@ -33,4 +33,11 @@ void grpc_auth_metadata_context_build(
     const grpc_slice& call_method, grpc_auth_context* auth_context,
     grpc_auth_metadata_context* auth_md_context);
 
+// Exposed for testing purposes only.
+// Check if the channel's security level is higher or equal to
+// that of call credentials to make a decision whether the transfer
+// of call credentials should be allowed or not.
+bool grpc_check_security_level(grpc_security_level channel_level,
+                               grpc_security_level call_cred_level);
+
 #endif /* GRPC_CORE_LIB_SECURITY_TRANSPORT_AUTH_FILTERS_H */
diff --git a/src/core/lib/security/transport/client_auth_filter.cc b/src/core/lib/security/transport/client_auth_filter.cc
@@ -35,7 +35,6 @@
 #include "src/core/lib/security/context/security_context.h"
 #include "src/core/lib/security/credentials/credentials.h"
 #include "src/core/lib/security/security_connector/security_connector.h"
-#include "src/core/lib/security/security_connector/ssl_utils.h"
 #include "src/core/lib/security/transport/auth_filters.h"
 #include "src/core/lib/slice/slice_internal.h"
 #include "src/core/lib/slice/slice_string_helpers.h"
@@ -239,6 +238,21 @@ static void cancel_get_request_metadata(void* arg, grpc_error_handle error) {
   GRPC_CALL_STACK_UNREF(calld->owning_call, "cancel_get_request_metadata");
 }
 
+static grpc_security_level convert_security_level_string_to_enum(
+    const char* security_level) {
+  if (strcmp(security_level, "TSI_INTEGRITY_ONLY") == 0) {
+    return GRPC_INTEGRITY_ONLY;
+  } else if (strcmp(security_level, "TSI_PRIVACY_AND_INTEGRITY") == 0) {
+    return GRPC_PRIVACY_AND_INTEGRITY;
+  }
+  return GRPC_SECURITY_NONE;
+}
+
+bool grpc_check_security_level(grpc_security_level channel_level,
+                               grpc_security_level call_cred_level) {
+  return static_cast<int>(channel_level) >= static_cast<int>(call_cred_level);
+}
+
 static void send_security_metadata(grpc_call_element* elem,
                                    grpc_transport_stream_op_batch* batch) {
   call_data* calld = static_cast<call_data*>(elem->call_data);
@@ -294,7 +308,7 @@ static void send_security_metadata(grpc_call_element* elem,
   grpc_security_level call_cred_security_level =
       calld->creds->min_security_level();
   int is_security_level_ok = grpc_check_security_level(
-      grpc_tsi_security_level_string_to_enum(prop->value),
+      convert_security_level_string_to_enum(prop->value),
       call_cred_security_level);
   if (!is_security_level_ok) {
     grpc_transport_stream_op_batch_finish_with_failure(

diff --git a/test/core/security/insecure_security_connector_test.cc b/test/core/security/insecure_security_connector_test.cc
@@ -47,8 +47,7 @@ TEST(InsecureSecurityConnector, MakeAuthContextTest) {
       auth_context.get(), GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME);
   prop = grpc_auth_property_iterator_next(&it);
   ASSERT_NE(prop, nullptr);
-  EXPECT_EQ(grpc_tsi_security_level_string_to_enum(prop->value),
-            GRPC_SECURITY_NONE);
+  EXPECT_STREQ(prop->value, tsi_security_level_to_string(TSI_SECURITY_NONE));
 }
 
 }  // namespace

diff --git a/test/core/security/security_connector_test.cc b/test/core/security/security_connector_test.cc
@@ -71,27 +71,6 @@ static int check_ssl_peer_equivalence(const tsi_peer* original,
   return 1;
 }
 
-static void test_check_security_level() {
-  GPR_ASSERT(grpc_check_security_level(GRPC_PRIVACY_AND_INTEGRITY,
-                                       GRPC_PRIVACY_AND_INTEGRITY) == true);
-  GPR_ASSERT(grpc_check_security_level(GRPC_PRIVACY_AND_INTEGRITY,
-                                       GRPC_INTEGRITY_ONLY) == true);
-  GPR_ASSERT(grpc_check_security_level(GRPC_PRIVACY_AND_INTEGRITY,
-                                       GRPC_SECURITY_NONE) == true);
-  GPR_ASSERT(grpc_check_security_level(GRPC_INTEGRITY_ONLY,
-                                       GRPC_PRIVACY_AND_INTEGRITY) == false);
-  GPR_ASSERT(grpc_check_security_level(GRPC_INTEGRITY_ONLY,
-                                       GRPC_INTEGRITY_ONLY) == true);
-  GPR_ASSERT(grpc_check_security_level(GRPC_INTEGRITY_ONLY,
-                                       GRPC_SECURITY_NONE) == true);
-  GPR_ASSERT(grpc_check_security_level(GRPC_SECURITY_NONE,
-                                       GRPC_PRIVACY_AND_INTEGRITY) == false);
-  GPR_ASSERT(grpc_check_security_level(GRPC_SECURITY_NONE,
-                                       GRPC_INTEGRITY_ONLY) == false);
-  GPR_ASSERT(grpc_check_security_level(GRPC_SECURITY_NONE,
-                                       GRPC_SECURITY_NONE) == true);
-}
-
 static int check_property(const grpc_auth_context* ctx,
                           const char* expected_property_name,
                           const char* expected_property_value) {
@@ -745,7 +724,6 @@ int main(int argc, char** argv) {
   test_ipv6_address_san();
   test_default_ssl_roots();
   test_peer_alpn_check();
-  test_check_security_level();
   grpc_shutdown();
   return 0;
 }
diff --git a/test/core/security/ssl_credentials_test.cc b/test/core/security/ssl_credentials_test.cc
@@ -25,6 +25,7 @@
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
 
+#include "src/core/lib/security/security_connector/ssl_utils.h"
 #include "src/core/tsi/ssl_transport_security.h"
 #include "test/core/util/test_config.h"
 

diff --git a/test/core/tsi/alts/crypt/BUILD b/test/core/tsi/alts/crypt/BUILD
@@ -27,7 +27,6 @@ grpc_cc_test(
     language = "C++",
     deps = [
         ":alts_crypt_test_util",
-        "//:alts_frame_protector",
         "//:gpr",
         "//:grpc",
         "//test/core/util:grpc_test_util",

diff --git a/test/core/tsi/alts/frame_protector/BUILD b/test/core/tsi/alts/frame_protector/BUILD
@@ -23,7 +23,6 @@ grpc_cc_test(
     srcs = ["alts_counter_test.cc"],
     language = "C++",
     deps = [
-        "//:alts_frame_protector",
         "//:gpr",
         "//:grpc",
         "//test/core/tsi/alts/crypt:alts_crypt_test_util",
@@ -36,7 +35,6 @@ grpc_cc_test(
     srcs = ["alts_crypter_test.cc"],
     language = "C++",
     deps = [
-        "//:alts_frame_protector",
         "//:gpr",
         "//:grpc",
         "//test/core/tsi/alts/crypt:alts_crypt_test_util",
@@ -49,11 +47,8 @@ grpc_cc_test(
     srcs = ["alts_frame_protector_test.cc"],
     language = "C++",
     deps = [
-        "//:alts_frame_protector",
         "//:gpr",
         "//:grpc",
-        "//:tsi",
-        "//:tsi_interface",
         "//test/core/tsi:transport_security_test_lib",
         "//test/core/tsi/alts/crypt:alts_crypt_test_util",
         "//test/core/util:grpc_test_util",
@@ -65,7 +60,6 @@ grpc_cc_test(
     srcs = ["frame_handler_test.cc"],
     language = "C++",
     deps = [
-        "//:alts_frame_protector",
         "//:gpr",
         "//:gpr_base",
         "//:grpc",

diff --git a/test/core/tsi/alts/handshaker/BUILD b/test/core/tsi/alts/handshaker/BUILD
@@ -23,7 +23,6 @@ grpc_cc_library(
     srcs = ["alts_handshaker_service_api_test_lib.cc"],
     hdrs = ["alts_handshaker_service_api_test_lib.h"],
     deps = [
-        "//:alts_util",
         "//:grpc",
     ],
 )
@@ -35,8 +34,6 @@ grpc_cc_test(
     deps = [
         ":alts_handshaker_service_api_test_lib",
         "//:grpc",
-        "//:tsi",
-        "//:tsi_interface",
         "//test/core/util:grpc_test_util",
     ],
 )
@@ -50,7 +47,6 @@ grpc_cc_test(
         "//:gpr",
         "//:gpr_base",
         "//:grpc",
-        "//:tsi",
         "//test/core/util:grpc_test_util",
     ],
 )
@@ -62,7 +58,6 @@ grpc_cc_test(
     deps = [
         ":alts_handshaker_service_api_test_lib",
         "//:grpc",
-        "//:tsi",
         "//test/core/util:grpc_test_util",
     ],
 )
@@ -72,7 +67,6 @@ grpc_cc_test(
     srcs = ["transport_security_common_api_test.cc"],
     language = "C++",
     deps = [
-        "//:alts_util",
         "//:grpc",
         "//test/core/util:grpc_test_util",
     ],
@@ -92,7 +86,6 @@ grpc_cc_test(
         "no_windows",
     ],
     deps = [
-        "//:alts_util",
         "//:grpc",
         "//test/core/end2end:cq_verifier",
         "//test/core/tsi/alts/fake_handshaker:fake_handshaker_lib",

diff --git a/test/core/tsi/alts/zero_copy_frame_protector/BUILD b/test/core/tsi/alts/zero_copy_frame_protector/BUILD
@@ -23,7 +23,6 @@ grpc_cc_test(
     srcs = ["alts_grpc_record_protocol_test.cc"],
     language = "C++",
     deps = [
-        "//:alts_frame_protector",
         "//:gpr",
         "//:grpc",
         "//:grpc_base",
@@ -37,7 +36,6 @@ grpc_cc_test(
     srcs = ["alts_iovec_record_protocol_test.cc"],
     language = "C++",
     deps = [
-        "//:alts_frame_protector",
         "//:gpr",
         "//:grpc",
         "//test/core/tsi/alts/crypt:alts_crypt_test_util",
@@ -50,7 +48,6 @@ grpc_cc_test(
     srcs = ["alts_zero_copy_grpc_protector_test.cc"],
     language = "C++",
     deps = [
-        "//:alts_frame_protector",
         "//:gpr",
         "//:grpc",
         "//:grpc_base",