首頁 探索 說明
登入
mirror
/
grpc-swift
镜像来自 https://github.com/grpc/grpc-swift.git
2
0
複刻 0
檔案 問題管理 0 Wiki
目錄樹: e969195ad2
分支列表 標籤列表
grpc-swift
/
Sources
/
GRPC
/
TLSVerificationHandler.swift

TLSVerificationHandler.swift 4.1 KB
文件歷史 原始文件

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798 
  1. /*
    2. 

  2.  * Copyright 2019, gRPC Authors All rights reserved.
    3. 

  3.  *
    4. 

  4.  * Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5.  * you may not use this file except in compliance with the License.
    6. 

  6.  * You may obtain a copy of the License at
    7. 

  7.  *
    8. 

  8.  *     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9.  *
    10. 

  10.  * Unless required by applicable law or agreed to in writing, software
    11. 

  11.  * distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13.  * See the License for the specific language governing permissions and
    14. 

  14.  * limitations under the License.
    15. 

  15.  */
    16. 

  16. import Foundation
    17. 

  17. import NIO
    18. 

  18. import NIOSSL
    19. 

  19. import NIOTLS
    20. 

  20. import Logging
    21. 

  21. 

  22. /// Application protocol identifiers for ALPN.
    23. 

  23. internal enum GRPCApplicationProtocolIdentifier: String, CaseIterable {
    24. 

  24.   // This is not in the IANA ALPN protocol ID registry, but may be used by servers to indicate that
    25. 

  25.   // they serve only gRPC traffic. It is part of the gRPC core implementation.
    26. 

  26.   case gRPC = "grpc-ext"
    27. 

  27.   case h2 = "h2"
    28. 

  28. }
    29. 

  29. 

  30. /// A helper `ChannelInboundHandler` to verify that a TLS handshake was completed successfully
    31. 

  31. /// and that the negotiated application protocol is valid.
    32. 

  32. ///
    33. 

  33. /// The handler holds a promise which is succeeded on successful verification of the negotiated
    34. 

  34. /// application protocol and failed if any error is received by this handler or an invalid
    35. 

  35. /// application protocol was negotiated.
    36. 

  36. ///
    37. 

  37. /// Users of this handler should rely on the `verification` future held by this instance.
    38. 

  38. ///
    39. 

  39. /// On fulfillment of the promise this handler is removed from the channel pipeline.
    40. 

  40. internal class TLSVerificationHandler: ChannelInboundHandler, RemovableChannelHandler {
    41. 

  41.   typealias InboundIn = Any
    42. 

  42. 

  43.   private let logger = Logger(subsystem: .clientChannel)
    44. 

  44.   private var verificationPromise: EventLoopPromise<Void>!
    45. 

  45. 

  46.   /// A future which is fulfilled when the state of the TLS handshake is known. If the handshake
    47. 

  47.   /// was successful and the negotiated application protocol is valid then the future is succeeded.
    48. 

  48.   /// If an error occurred or the application protocol is not valid then the future will have been
    49. 

  49.   /// failed.
    50. 

  50.   ///
    51. 

  51.   /// - Important: The promise associated with this future is created in `handlerAdded(context:)`,
    52. 

  52.   ///   and as such must _not_ be accessed before the handler has be added to a pipeline.
    53. 

  53.   var verification: EventLoopFuture<Void>! {
    54. 

  54.     return verificationPromise.futureResult
    55. 

  55.   }
    56. 

  56. 

  57.   init() { }
    58. 

  58. 

  59.   func handlerAdded(context: ChannelHandlerContext) {
    60. 

  60.     self.verificationPromise = context.eventLoop.makePromise()
    61. 

  61.     // Remove ourselves from the pipeline when the promise gets fulfilled.
    62. 

  62.     self.verificationPromise.futureResult.recover { error in
    63. 

  63.       // If we have an error we should let the rest of the pipeline know.
    64. 

  64.       context.fireErrorCaught(error)
    65. 

  65.     }.whenComplete { _ in
    66. 

  66.       context.pipeline.removeHandler(self, promise: nil)
    67. 

  67.     }
    68. 

  68.   }
    69. 

  69. 

  70.   func errorCaught(context: ChannelHandlerContext, error: Error) {
    71. 

  71.     precondition(self.verificationPromise != nil, "handler has not been added to the pipeline")
    72. 

  72.     self.logger.error(
    73. 

  73.       "error caught before TLS was verified",
    74. 

  74.       metadata: [MetadataKey.error: "\(error)"]
    75. 

  75.     )
    76. 

  76.     verificationPromise.fail(error)
    77. 

  77.   }
    78. 

  78. 

  79.   func userInboundEventTriggered(context: ChannelHandlerContext, event: Any) {
    80. 

  80.     precondition(self.verificationPromise != nil, "handler has not been added to the pipeline")
    81. 

  81. 

  82.     guard let tlsEvent = event as? TLSUserEvent,
    83. 

  83.       case .handshakeCompleted(negotiatedProtocol: let negotiatedProtocol) = tlsEvent else {
    84. 

  84.         context.fireUserInboundEventTriggered(event)
    85. 

  85.         return
    86. 

  86.     }
    87. 

  87. 

  88.     self.logger.debug("TLS handshake completed, negotiated protocol: \(String(describing: negotiatedProtocol))")
    89. 

  89.     if let proto = negotiatedProtocol, GRPCApplicationProtocolIdentifier(rawValue: proto) != nil {
    90. 

  90.       self.logger.debug("negotiated application protocol is valid")
    91. 

  91.       self.verificationPromise.succeed(())
    92. 

  92.     } else {
    93. 

  93.       self.logger.error("negotiated application protocol is invalid: \(String(describing: negotiatedProtocol))")
    94. 

  94.       let error = GRPCError.client(.applicationLevelProtocolNegotiationFailed)
    95. 

  95.       self.verificationPromise.fail(error)
    96. 

  96.     }
    97. 

  97.   }
    98. 

  98. }
    99.