@@ -0,0 +1,40 @@
#pragma once

/// @file userver/ugrpc/client/external_credentials_provider.hpp
/// @brief @copybrief ugrpc::client::ExternalCredentialsProvider

#include <grpcpp/security/credentials.h>
#include <optional>
#include <string_view>
#include <userver/components/component_base.hpp>

USERVER_NAMESPACE_BEGIN

namespace ugrpc::client {

// clang-format off

/// @ingroup userver_components
///
/// @brief Provides GRPC SSL credentials options to @ref ugrpc::client::ClientFactoryComponent
/// Should be implemented by userver framework client as a component.

// clang-format on

class ExternalCredentialsProvider : public components::ComponentBase {
public:
static constexpr std::string_view kName = "external-grpc-client-credentials-provider";

using components::ComponentBase::ComponentBase;

/// The method is called by @ref ugrpc::client::ClientFactoryComponent.
/// Implement the method, in order to override SSL credentials specified in GRPC client factory config.
/// Returned credentials have a precedence over the credentials from GPRC client factory config.
/// If returned value is not `std::nullopt`, SSL is turned on with the provided credentials in GRPC client factory.
/// Otherwise, SSL credentials from GRPC client factory config is used.
virtual std::optional<grpc::SslCredentialsOptions> GetSslCredentialsOptions() = 0;
};

} // namespace ugrpc::client

USERVER_NAMESPACE_END
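Review bot: The doc comment on `GetSslCredentialsOptions()` does not say when or how often the method is called. In the client_factory_component.cpp part of this commit the only visible call is inside the `ClientFactoryComponent` constructor, so a renewed certificate or key would presumably not be picked up without a restart; I would add `/// Called once while ClientFactoryComponent is being constructed; the result is not refreshed afterwards.` The sentence "SSL is turned on with the provided credentials" should also mention that the caller switches `auth_type` to SSL only when `testsuite_grpc.IsTlsEnabled()` is true. "GPRC" in the third line of that comment is a typo for "GRPC". Because the returned `grpc::SslCredentialsOptions` can carry a PEM private key, the comment should also tell implementers not to log or otherwise expose the returned value.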
15 changes: 15 additions & 0 deletions grpc/src/ugrpc/client/client_factory_component.cpp
@@ -7,6 +7,7 @@
#include <userver/logging/log.hpp>
#include <userver/storages/secdist/component.hpp>
#include <userver/testsuite/testsuite_support.hpp>
#include <userver/ugrpc/client/external_credentials_provider.hpp>
#include <userver/yaml_config/merge_schemas.hpp>

#include <userver/ugrpc/client/common_component.hpp>
@@ -85,6 +86,20 @@ ClientFactoryComponent::ClientFactoryComponent(
client_factory_config.auth_type = AuthType::kInsecure;
}

if (auto* external_credentials_provider = context.FindComponentOptional<ExternalCredentialsProvider>();
external_credentials_provider) {
LOG_INFO() << "Requesting external SSL credentials options for gRPC";
if (auto ssl_credentials_options = external_credentials_provider->GetSslCredentialsOptions();
ssl_credentials_options.has_value()) {
LOG_INFO() << "Using external SSL credentials options for gRPC";
client_factory_config.ssl_credentials_options = std::move(ssl_credentials_options.value());
if (testsuite_grpc.IsTlsEnabled()) {
LOG_INFO() << "gRPC SSL is turned on, because external credentials are provided";
client_factory_config.auth_type = AuthType::kSsl;
}
}
}

auto credentials = MakeCredentials(client_factory_config.auth_type, client_factory_config.ssl_credentials_options);

auto client_credentials = MakeClientCredentials(credentials, GetSecdistConfig(context));
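Review bot: The options returned by `GetSslCredentialsOptions()` are moved into `client_factory_config.ssl_credentials_options` without any check, so a provider that fills `pem_private_key` but not `pem_cert_chain` (or the reverse) is accepted; how gRPC treats such a half-filled pair is not visible in this hunk. If the client is meant to present a certificate, I would fail fast at construction with `if (ssl_credentials_options->pem_private_key.empty() != ssl_credentials_options->pem_cert_chain.empty()) throw std::runtime_error("external gRPC credentials: private key and certificate chain must be set together");` placed before the move. Separately, when `testsuite_grpc.IsTlsEnabled()` is false the external options are stored but `auth_type` is left as the preceding block set it, and nothing is logged about that; an `else` branch with `LOG_WARNING() << "External SSL credentials provided, but TLS is disabled by testsuite; auth type left unchanged";` would make that path visible. The constructor body begins and ends outside the hunk.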