1 /*
2 *
3 * Copyright 2015 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include <ruby/ruby.h>
20
21 #include "rb_server_credentials.h"
22
23 #include "rb_grpc.h"
24 #include "rb_grpc_imports.generated.h"
25
26 #include <grpc/grpc.h>
27 #include <grpc/grpc_security.h>
28 #include <grpc/support/log.h>
29
30 /* grpc_rb_cServerCredentials is the ruby class that proxies
31 grpc_server_credentials. */
32 static VALUE grpc_rb_cServerCredentials = Qnil;
33
34 /* grpc_rb_server_credentials wraps a grpc_server_credentials. It provides a
35 peer ruby object, 'mark' to hold references to objects involved in
36 constructing the server credentials. */
37 typedef struct grpc_rb_server_credentials {
38 /* Holder of ruby objects involved in constructing the server credentials */
39 VALUE mark;
40 /* The actual server credentials */
41 grpc_server_credentials* wrapped;
42 } grpc_rb_server_credentials;
43
44 /* Destroys the server credentials instances. */
grpc_rb_server_credentials_free_internal(void * p)45 static void grpc_rb_server_credentials_free_internal(void* p) {
46 grpc_rb_server_credentials* wrapper = NULL;
47 if (p == NULL) {
48 return;
49 };
50 wrapper = (grpc_rb_server_credentials*)p;
51
52 /* Delete the wrapped object if the mark object is Qnil, which indicates that
53 no other object is the actual owner. */
54 if (wrapper->wrapped != NULL && wrapper->mark == Qnil) {
55 grpc_server_credentials_release(wrapper->wrapped);
56 wrapper->wrapped = NULL;
57 }
58
59 xfree(p);
60 }
61
62 /* Destroys the server credentials instances. */
grpc_rb_server_credentials_free(void * p)63 static void grpc_rb_server_credentials_free(void* p) {
64 grpc_rb_server_credentials_free_internal(p);
65 grpc_ruby_shutdown();
66 }
67
68 /* Protects the mark object from GC */
grpc_rb_server_credentials_mark(void * p)69 static void grpc_rb_server_credentials_mark(void* p) {
70 grpc_rb_server_credentials* wrapper = NULL;
71 if (p == NULL) {
72 return;
73 }
74 wrapper = (grpc_rb_server_credentials*)p;
75
76 /* If it's not already cleaned up, mark the mark object */
77 if (wrapper->mark != Qnil) {
78 rb_gc_mark(wrapper->mark);
79 }
80 }
81
82 static const rb_data_type_t grpc_rb_server_credentials_data_type = {
83 "grpc_server_credentials",
84 {grpc_rb_server_credentials_mark,
85 grpc_rb_server_credentials_free,
86 GRPC_RB_MEMSIZE_UNAVAILABLE,
87 {NULL, NULL}},
88 NULL,
89 NULL,
90 #ifdef RUBY_TYPED_FREE_IMMEDIATELY
91 RUBY_TYPED_FREE_IMMEDIATELY
92 #endif
93 };
94
95 /* Allocates ServerCredential instances.
96 Provides safe initial defaults for the instance fields. */
grpc_rb_server_credentials_alloc(VALUE cls)97 static VALUE grpc_rb_server_credentials_alloc(VALUE cls) {
98 grpc_ruby_init();
99 grpc_rb_server_credentials* wrapper = ALLOC(grpc_rb_server_credentials);
100 wrapper->wrapped = NULL;
101 wrapper->mark = Qnil;
102 return TypedData_Wrap_Struct(cls, &grpc_rb_server_credentials_data_type,
103 wrapper);
104 }
105
106 /* The attribute used on the mark object to preserve the pem_root_certs. */
107 static ID id_pem_root_certs;
108
109 /* The attribute used on the mark object to preserve the pem_key_certs */
110 static ID id_pem_key_certs;
111
112 /* The key used to access the pem cert in a key_cert pair hash */
113 static VALUE sym_cert_chain;
114
115 /* The key used to access the pem private key in a key_cert pair hash */
116 static VALUE sym_private_key;
117
118 /*
119 call-seq:
120 creds = ServerCredentials.new(nil,
121 [{private_key: <pem_private_key1>,
122 {cert_chain: <pem_cert_chain1>}],
123 force_client_auth)
124 creds = ServerCredentials.new(pem_root_certs,
125 [{private_key: <pem_private_key1>,
126 {cert_chain: <pem_cert_chain1>}],
127 force_client_auth)
128
129 pem_root_certs: (optional) PEM encoding of the server root certificate
130 pem_private_key: (required) PEM encoding of the server's private keys
131 force_client_auth: indicatees
132
133 Initializes ServerCredential instances. */
grpc_rb_server_credentials_init(VALUE self,VALUE pem_root_certs,VALUE pem_key_certs,VALUE force_client_auth)134 static VALUE grpc_rb_server_credentials_init(VALUE self, VALUE pem_root_certs,
135 VALUE pem_key_certs,
136 VALUE force_client_auth) {
137 grpc_rb_server_credentials* wrapper = NULL;
138 grpc_server_credentials* creds = NULL;
139 grpc_ssl_pem_key_cert_pair* key_cert_pairs = NULL;
140 VALUE cert = Qnil;
141 VALUE key = Qnil;
142 VALUE key_cert = Qnil;
143 int auth_client = 0;
144 long num_key_certs = 0;
145 int i;
146
147 if (NIL_P(force_client_auth) ||
148 !(force_client_auth == Qfalse || force_client_auth == Qtrue)) {
149 rb_raise(rb_eTypeError,
150 "bad force_client_auth: got:<%s> want: <True|False|nil>",
151 rb_obj_classname(force_client_auth));
152 return Qnil;
153 }
154 if (NIL_P(pem_key_certs) || TYPE(pem_key_certs) != T_ARRAY) {
155 rb_raise(rb_eTypeError, "bad pem_key_certs: got:<%s> want: <Array>",
156 rb_obj_classname(pem_key_certs));
157 return Qnil;
158 }
159 num_key_certs = RARRAY_LEN(pem_key_certs);
160 if (num_key_certs == 0) {
161 rb_raise(rb_eTypeError, "bad pem_key_certs: it had no elements");
162 return Qnil;
163 }
164 for (i = 0; i < num_key_certs; i++) {
165 key_cert = rb_ary_entry(pem_key_certs, i);
166 if (key_cert == Qnil) {
167 rb_raise(rb_eTypeError,
168 "could not create a server credential: nil key_cert");
169 return Qnil;
170 } else if (TYPE(key_cert) != T_HASH) {
171 rb_raise(rb_eTypeError,
172 "could not create a server credential: want <Hash>, got <%s>",
173 rb_obj_classname(key_cert));
174 return Qnil;
175 } else if (rb_hash_aref(key_cert, sym_private_key) == Qnil) {
176 rb_raise(rb_eTypeError,
177 "could not create a server credential: want nil private key");
178 return Qnil;
179 } else if (rb_hash_aref(key_cert, sym_cert_chain) == Qnil) {
180 rb_raise(rb_eTypeError,
181 "could not create a server credential: want nil cert chain");
182 return Qnil;
183 }
184 }
185
186 auth_client = TYPE(force_client_auth) == T_TRUE
187 ? GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY
188 : GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
189 key_cert_pairs = ALLOC_N(grpc_ssl_pem_key_cert_pair, num_key_certs);
190 for (i = 0; i < num_key_certs; i++) {
191 key_cert = rb_ary_entry(pem_key_certs, i);
192 key = rb_hash_aref(key_cert, sym_private_key);
193 cert = rb_hash_aref(key_cert, sym_cert_chain);
194 key_cert_pairs[i].private_key = RSTRING_PTR(key);
195 key_cert_pairs[i].cert_chain = RSTRING_PTR(cert);
196 }
197
198 TypedData_Get_Struct(self, grpc_rb_server_credentials,
199 &grpc_rb_server_credentials_data_type, wrapper);
200
201 if (pem_root_certs == Qnil) {
202 creds = grpc_ssl_server_credentials_create_ex(
203 NULL, key_cert_pairs, num_key_certs, auth_client, NULL);
204 } else {
205 creds = grpc_ssl_server_credentials_create_ex(RSTRING_PTR(pem_root_certs),
206 key_cert_pairs, num_key_certs,
207 auth_client, NULL);
208 }
209 xfree(key_cert_pairs);
210 if (creds == NULL) {
211 rb_raise(rb_eRuntimeError,
212 "the call to grpc_ssl_server_credentials_create_ex() failed, "
213 "could not create a credentials, see "
214 "https://github.com/grpc/grpc/blob/master/TROUBLESHOOTING.md for "
215 "debugging tips");
216 return Qnil;
217 }
218 wrapper->wrapped = creds;
219
220 /* Add the input objects as hidden fields to preserve them. */
221 rb_ivar_set(self, id_pem_key_certs, pem_key_certs);
222 rb_ivar_set(self, id_pem_root_certs, pem_root_certs);
223
224 return self;
225 }
226
Init_grpc_server_credentials()227 void Init_grpc_server_credentials() {
228 grpc_rb_cServerCredentials =
229 rb_define_class_under(grpc_rb_mGrpcCore, "ServerCredentials", rb_cObject);
230
231 /* Allocates an object managed by the ruby runtime */
232 rb_define_alloc_func(grpc_rb_cServerCredentials,
233 grpc_rb_server_credentials_alloc);
234
235 /* Provides a ruby constructor and support for dup/clone. */
236 rb_define_method(grpc_rb_cServerCredentials, "initialize",
237 grpc_rb_server_credentials_init, 3);
238 rb_define_method(grpc_rb_cServerCredentials, "initialize_copy",
239 grpc_rb_cannot_init_copy, 1);
240
241 id_pem_key_certs = rb_intern("__pem_key_certs");
242 id_pem_root_certs = rb_intern("__pem_root_certs");
243 sym_private_key = ID2SYM(rb_intern("private_key"));
244 sym_cert_chain = ID2SYM(rb_intern("cert_chain"));
245 }
246
247 /* Gets the wrapped grpc_server_credentials from the ruby wrapper */
grpc_rb_get_wrapped_server_credentials(VALUE v)248 grpc_server_credentials* grpc_rb_get_wrapped_server_credentials(VALUE v) {
249 grpc_rb_server_credentials* wrapper = NULL;
250 Check_TypedStruct(v, &grpc_rb_server_credentials_data_type);
251 TypedData_Get_Struct(v, grpc_rb_server_credentials,
252 &grpc_rb_server_credentials_data_type, wrapper);
253 return wrapper->wrapped;
254 }
255
256 /* Check if v is kind of ServerCredentials */
grpc_rb_is_server_credentials(VALUE v)257 bool grpc_rb_is_server_credentials(VALUE v) {
258 return rb_typeddata_is_kind_of(v, &grpc_rb_server_credentials_data_type);
259 }
260