authorarcadia-devtools <arcadia-devtools@yandex-team.ru>2022-03-15 21:33:41 +0300
committerarcadia-devtools <arcadia-devtools@yandex-team.ru>2022-03-15 21:33:41 +0300
commit3dd665b514943f69657b593eb51af90b99b1206b (patch)
tree0eb633e628bb1fe6c639574b1184d43def7c0a73 /contrib/libs/grpc/include/grpcpp/security/tls_certificate_provider.h
parenta68afc731202027f105bc5723ee11788017c29e2 (diff)
intermediate changes
ref:953ca886ec160075b38c0f3614de029b423f0a9e
Diffstat (limited to 'contrib/libs/grpc/include/grpcpp/security/tls_certificate_provider.h')
-rw-r--r--contrib/libs/grpc/include/grpcpp/security/tls_certificate_provider.h130
1 files changed, 130 insertions, 0 deletions
diff --git a/contrib/libs/grpc/include/grpcpp/security/tls_certificate_provider.h b/contrib/libs/grpc/include/grpcpp/security/tls_certificate_provider.h
new file mode 100644
index 0000000000..12c60452d2
--- /dev/null
+++ b/contrib/libs/grpc/include/grpcpp/security/tls_certificate_provider.h
@@ -0,0 +1,130 @@
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#ifndef GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H
+#define GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H
+
+#include <grpc/grpc_security_constants.h>
+#include <grpc/status.h>
+#include <grpc/support/log.h>
+#include <grpcpp/impl/codegen/grpc_library.h>
+#include <grpcpp/support/config.h>
+
+#include <memory>
+#include <vector>
+
+// TODO(yihuazhang): remove the forward declaration here and include
+// <grpc/grpc_security.h> directly once the insecure builds are cleaned up.
+typedef struct grpc_tls_certificate_provider grpc_tls_certificate_provider;
+
+namespace grpc {
+namespace experimental {
+
+// Interface for a class that handles the process to fetch credential data.
+// Implementations should be a wrapper class of an internal provider
+// implementation.
+class CertificateProviderInterface {
+ public:
+ virtual ~CertificateProviderInterface() = default;
+ virtual grpc_tls_certificate_provider* c_provider() = 0;
+};
+
+// A struct that stores the credential data presented to the peer in handshake
+// to show local identity. The private_key and certificate_chain should always
+// match.
+struct IdentityKeyCertPair {
+ TString private_key;
+ TString certificate_chain;
+};
+
+// A basic CertificateProviderInterface implementation that will load credential
+// data from static string during initialization. This provider will always
+// return the same cert data for all cert names, and reloading is not supported.
+class StaticDataCertificateProvider : public CertificateProviderInterface {
+ public:
+ StaticDataCertificateProvider(
+ const TString& root_certificate,
+ const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs);
+
+ explicit StaticDataCertificateProvider(const TString& root_certificate)
+ : StaticDataCertificateProvider(root_certificate, {}) {}
+
+ explicit StaticDataCertificateProvider(
+ const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs)
+ : StaticDataCertificateProvider("", identity_key_cert_pairs) {}
+
+ ~StaticDataCertificateProvider() override;
+
+ grpc_tls_certificate_provider* c_provider() override { return c_provider_; }
+
+ private:
+ grpc_tls_certificate_provider* c_provider_ = nullptr;
+};
+
+// A CertificateProviderInterface implementation that will watch the credential
+// changes on the file system. This provider will always return the up-to-date
+// cert data for all the cert names callers set through |TlsCredentialsOptions|.
+// Several things to note:
+// 1. This API only supports one key-cert file and hence one set of identity
+// key-cert pair, so SNI(Server Name Indication) is not supported.
+// 2. The private key and identity certificate should always match. This API
+// guarantees atomic read, and it is the callers' responsibility to do atomic
+// updates. There are many ways to atomically update the key and certs in the
+// file system. To name a few:
+// 1) creating a new directory, renaming the old directory to a new name, and
+// then renaming the new directory to the original name of the old directory.
+// 2) using a symlink for the directory. When need to change, put new
+// credential data in a new directory, and change symlink.
+class FileWatcherCertificateProvider final
+ : public CertificateProviderInterface {
+ public:
+ // Constructor to get credential updates from root and identity file paths.
+ //
+ // @param private_key_path is the file path of the private key.
+ // @param identity_certificate_path is the file path of the identity
+ // certificate chain.
+ // @param root_cert_path is the file path to the root certificate bundle.
+ // @param refresh_interval_sec is the refreshing interval that we will check
+ // the files for updates.
+ FileWatcherCertificateProvider(const TString& private_key_path,
+ const TString& identity_certificate_path,
+ const TString& root_cert_path,
+ unsigned int refresh_interval_sec);
+ // Constructor to get credential updates from identity file paths only.
+ FileWatcherCertificateProvider(const TString& private_key_path,
+ const TString& identity_certificate_path,
+ unsigned int refresh_interval_sec)
+ : FileWatcherCertificateProvider(private_key_path,
+ identity_certificate_path, "",
+ refresh_interval_sec) {}
+ // Constructor to get credential updates from root file path only.
+ FileWatcherCertificateProvider(const TString& root_cert_path,
+ unsigned int refresh_interval_sec)
+ : FileWatcherCertificateProvider("", "", root_cert_path,
+ refresh_interval_sec) {}
+
+ ~FileWatcherCertificateProvider() override;
+
+ grpc_tls_certificate_provider* c_provider() override { return c_provider_; }
+
+ private:
+ grpc_tls_certificate_provider* c_provider_ = nullptr;
+};
+
+} // namespace experimental
+} // namespace grpc
+
+#endif // GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H