grpc-native: Working mTLS on JVM

Signed-off-by: Johannes Zottele <[email protected]>

Author: Jozott00

grpc/grpc-core/src/commonMain/kotlin/kotlinx/rpc/grpc/ManagedChannel.kt

@@ -69,6 +69,8 @@ public interface ManagedChannel {
  */
 public expect abstract class ManagedChannelBuilder<T : ManagedChannelBuilder<T>> {
     public fun usePlaintext(): T
+
+    public abstract fun overrideAuthority(authority: String): T
 }
 
 internal expect fun ManagedChannelBuilder(

grpc/grpc-core/src/commonMain/kotlin/kotlinx/rpc/grpc/credentials.kt

@@ -15,19 +15,53 @@ public expect class InsecureServerCredentials : ServerCredentials
 public expect class TlsChannelCredentials : ChannelCredentials
 public expect class TlsServerCredentials : ServerCredentials
 
-public expect fun TlsChannelCredentials(): ChannelCredentials
-public expect fun TlsServerCredentials(certChain: String, privateKey: String): ServerCredentials
+public fun TlsChannelCredentials(configure: TlsChannelCredentialsBuilder.() -> Unit = {}): ChannelCredentials {
+    val builder = TlsChannelCredentialsBuilder()
+    builder.configure()
+    return builder.build()
+}
+
+public fun TlsServerCredentials(
+    certChain: String,
+    privateKey: String,
+    configure: TlsServerCredentialsBuilder.() -> Unit = {},
+): ServerCredentials {
+    val builder = TlsServerCredentialsBuilder(certChain, privateKey)
+    builder.configure()
+    return builder.build()
+}
 
 public interface TlsChannelCredentialsBuilder {
     public fun trustManager(rootCertsPem: String): TlsChannelCredentialsBuilder
+    public fun keyManager(certChainPem: String, privateKeyPem: String): TlsChannelCredentialsBuilder
     public fun build(): ChannelCredentials
 }
 
+public enum class TlsClientAuth {
+    /** Clients will not present any identity.  */
+    NONE,
+
+    /**
+     * Clients are requested to present their identity, but clients without identities are
+     * permitted.
+     */
+    OPTIONAL,
+
+    /**
+     * Clients are requested to present their identity, and are required to provide a valid
+     * identity.
+     */
+    REQUIRE
+}
+
 public interface TlsServerCredentialsBuilder {
-    public fun keyManager(certChainPem: String, privateKeyPem: String): TlsServerCredentialsBuilder
+    public fun trustManager(rootCertsPem: String): TlsServerCredentialsBuilder
+    public fun clientAuth(clientAuth: TlsClientAuth): TlsServerCredentialsBuilder
     public fun build(): ServerCredentials
 }
 
-
-public expect fun TlsChannelCredentialsBuilder(): TlsChannelCredentialsBuilder
-public expect fun TlsServerCredentialsBuilder(): TlsServerCredentialsBuilder
+internal expect fun TlsChannelCredentialsBuilder(): TlsChannelCredentialsBuilder
+internal expect fun TlsServerCredentialsBuilder(
+    certChain: String,
+    privateKey: String,
+): TlsServerCredentialsBuilder

grpc/grpc-core/src/commonMain/kotlin/kotlinx/rpc/grpc/internal/GrpcChannel.kt

@@ -13,5 +13,5 @@ public expect abstract class GrpcChannel {
         callOptions: GrpcCallOptions,
     ): ClientCall<RequestT, ResponseT>
 
-    public abstract fun authority(): String
+    public abstract fun authority(): String?
 }

grpc/grpc-core/src/commonTest/kotlin/kotlinx/rpc/grpc/test/proto/GrpcbInTlsTest.kt

@@ -8,53 +8,66 @@ public actual typealias ChannelCredentials = io.grpc.ChannelCredentials
 
 public actual typealias ServerCredentials = io.grpc.ServerCredentials
 
-
 // we need a wrapper for InsecureChannelCredentials as our constructor would conflict with the private
 // java constructor.
 public actual typealias InsecureChannelCredentials = io.grpc.InsecureChannelCredentials
 public actual typealias InsecureServerCredentials = io.grpc.InsecureServerCredentials
 
-public actual typealias TlsServerCredentials = io.grpc.TlsServerCredentials
 public actual typealias TlsChannelCredentials = io.grpc.TlsChannelCredentials
+public actual typealias TlsServerCredentials = io.grpc.TlsServerCredentials
 
-public actual fun TlsChannelCredentials(): ChannelCredentials {
-    return TlsChannelCredentialsBuilder().build()
-}
+internal actual fun TlsChannelCredentialsBuilder(): TlsChannelCredentialsBuilder =
+    object : TlsChannelCredentialsBuilder {
+        private var cb = TlsChannelCredentials.newBuilder()
+
+
+        override fun trustManager(rootCertsPem: String): TlsChannelCredentialsBuilder {
+            cb.trustManager(rootCertsPem.byteInputStream())
+            return this
+        }
 
-public actual fun TlsServerCredentials(
+        override fun keyManager(
+            certChainPem: String,
+            privateKeyPem: String,
+        ): TlsChannelCredentialsBuilder {
+            cb.keyManager(certChainPem.byteInputStream(), privateKeyPem.byteInputStream())
+            return this
+        }
+
+        override fun build(): ChannelCredentials {
+            return cb.build()
+        }
+    }
+
+internal actual fun TlsServerCredentialsBuilder(
     certChain: String,
     privateKey: String,
-): ServerCredentials {
-    return TlsServerCredentialsBuilder().keyManager(certChain, privateKey).build()
-}
-
-public actual fun TlsServerCredentialsBuilder(): TlsServerCredentialsBuilder = object : TlsServerCredentialsBuilder {
+): TlsServerCredentialsBuilder = object : TlsServerCredentialsBuilder {
     private var sb = TlsServerCredentials.newBuilder()
 
-    override fun keyManager(
-        certChainPem: String,
-        privateKeyPem: String,
-    ): TlsServerCredentialsBuilder {
-        sb.keyManager(certChainPem.byteInputStream(), privateKeyPem.byteInputStream())
+    override fun trustManager(rootCertsPem: String): TlsServerCredentialsBuilder {
+        sb.trustManager(rootCertsPem.byteInputStream())
         return this
     }
 
-    override fun build(): ServerCredentials {
-        return sb.build()
+    override fun clientAuth(clientAuth: TlsClientAuth): TlsServerCredentialsBuilder {
+        sb.clientAuth(clientAuth.toJava())
+        return this
     }
-}
-
-public actual fun TlsChannelCredentialsBuilder(): TlsChannelCredentialsBuilder = object : TlsChannelCredentialsBuilder {
-    private var cb = TlsChannelCredentials.newBuilder()
 
-    override fun trustManager(rootCertsPem: String): TlsChannelCredentialsBuilder {
-        cb.trustManager(rootCertsPem.byteInputStream())
-        return this
+    init {
+        sb.keyManager(certChain.byteInputStream(), privateKey.byteInputStream())
     }
 
-    override fun build(): ChannelCredentials {
-        return cb.build()
+    override fun build(): ServerCredentials {
+        return sb.build()
     }
 }
 
+private fun TlsClientAuth.toJava(): io.grpc.TlsServerCredentials.ClientAuth = when (this) {
+    TlsClientAuth.NONE -> io.grpc.TlsServerCredentials.ClientAuth.NONE
+    TlsClientAuth.OPTIONAL -> io.grpc.TlsServerCredentials.ClientAuth.OPTIONAL
+    TlsClientAuth.REQUIRE -> io.grpc.TlsServerCredentials.ClientAuth.REQUIRE
+}
+
 

grpc/grpc-core/src/jvmMain/kotlin/kotlinx/rpc/grpc/credentials.jvm.kt

@@ -22,21 +22,31 @@ public actual abstract class ManagedChannelBuilder<T : ManagedChannelBuilder<T>>
     public actual open fun usePlaintext(): T {
         error("Builder does not support usePlaintext()")
     }
+
+    public actual abstract fun overrideAuthority(authority: String): T
 }
 
 internal class NativeManagedChannelBuilder(
     private val target: String,
     private var credentials: Lazy<ChannelCredentials>,
 ) : ManagedChannelBuilder<NativeManagedChannelBuilder>() {
 
+    private var authority: String? = null
+
     override fun usePlaintext(): NativeManagedChannelBuilder {
         credentials = lazy { InsecureChannelCredentials() }
         return this
     }
 
+    override fun overrideAuthority(authority: String): NativeManagedChannelBuilder {
+        this.authority = authority
+        return this
+    }
+
     fun buildChannel(): NativeManagedChannel {
         return NativeManagedChannel(
             target,
+            authority = authority,
             credentials = credentials.value,
         )
     }

grpc/grpc-core/src/nativeMain/kotlin/kotlinx/rpc/grpc/ManagedChannel.native.kt

@@ -15,11 +15,13 @@ import libkgrpc.grpc_channel_credentials_release
 import libkgrpc.grpc_insecure_credentials_create
 import libkgrpc.grpc_insecure_server_credentials_create
 import libkgrpc.grpc_server_credentials_release
+import libkgrpc.grpc_ssl_client_certificate_request_type
 import libkgrpc.grpc_tls_certificate_provider_release
 import libkgrpc.grpc_tls_certificate_provider_static_data_create
 import libkgrpc.grpc_tls_credentials_create
 import libkgrpc.grpc_tls_credentials_options_create
 import libkgrpc.grpc_tls_credentials_options_destroy
+import libkgrpc.grpc_tls_credentials_options_set_cert_request_type
 import libkgrpc.grpc_tls_credentials_options_set_certificate_provider
 import libkgrpc.grpc_tls_credentials_options_watch_identity_key_cert_pairs
 import libkgrpc.grpc_tls_credentials_options_watch_root_certs
@@ -76,44 +78,51 @@ public fun InsecureServerCredentials(): ServerCredentials {
     )
 }
 
-public actual fun TlsChannelCredentials(): ChannelCredentials {
-    val raw = grpc_tls_credentials_options_create()?.let {
-        grpc_tls_credentials_create(it)
-    } ?: error("Failed to create TLS credentials")
-    return TlsChannelCredentials(raw)
-}
+internal actual fun TlsChannelCredentialsBuilder(): TlsChannelCredentialsBuilder =
+    object : TlsChannelCredentialsBuilder {
+        var optionsBuilder = TlsCredentialsOptionsBuilder()
+
+        override fun trustManager(rootCertsPem: String): TlsChannelCredentialsBuilder {
+            optionsBuilder.trustManager(rootCertsPem)
+            return this
+        }
+
+        override fun keyManager(
+            certChainPem: String,
+            privateKeyPem: String,
+        ): TlsChannelCredentialsBuilder {
+            optionsBuilder.keyManager(certChainPem, privateKeyPem)
+            return this
+        }
+
+        override fun build(): ChannelCredentials {
+            val opts = optionsBuilder.build()
+            val creds = grpc_tls_credentials_create(opts)
+                ?: run {
+                    grpc_tls_credentials_options_destroy(opts);
+                    error("TLS channel credential creation failed")
+                }
+            return TlsChannelCredentials(creds)
+        }
+    }
 
-public actual fun TlsServerCredentials(
+internal actual fun TlsServerCredentialsBuilder(
     certChain: String,
     privateKey: String,
-): ServerCredentials {
-    return TlsServerCredentialsBuilder().keyManager(certChain, privateKey).build()
-}
-
-public actual fun TlsChannelCredentialsBuilder(): TlsChannelCredentialsBuilder = object : TlsChannelCredentialsBuilder {
+): TlsServerCredentialsBuilder = object : TlsServerCredentialsBuilder {
     var optionsBuilder = TlsCredentialsOptionsBuilder()
 
-    override fun trustManager(rootCertsPem: String): TlsChannelCredentialsBuilder {
-        optionsBuilder.trustManager(rootCertsPem)
-        return this
+    init {
+        optionsBuilder.keyManager(certChain, privateKey)
     }
 
-    override fun build(): ChannelCredentials {
-        val opts = optionsBuilder.build()
-        val creds = grpc_tls_credentials_create(opts)
-            ?: run {
-                grpc_tls_credentials_options_destroy(opts);
-                error("TLS channel credential creation failed")
-            }
-        return TlsChannelCredentials(creds)
+    override fun trustManager(rootCertsPem: String): TlsServerCredentialsBuilder {
+        optionsBuilder.trustManager(rootCertsPem)
+        return this
     }
-}
-
-public actual fun TlsServerCredentialsBuilder(): TlsServerCredentialsBuilder = object : TlsServerCredentialsBuilder {
-    var optionsBuilder = TlsCredentialsOptionsBuilder()
 
-    override fun keyManager(certChainPem: String, privateKeyPem: String): TlsServerCredentialsBuilder {
-        optionsBuilder.keyManager(certChainPem, privateKeyPem)
+    override fun clientAuth(clientAuth: TlsClientAuth): TlsServerCredentialsBuilder {
+        optionsBuilder.clientAuth(clientAuth)
         return this
     }
 
@@ -134,11 +143,20 @@ private class TlsCredentialsOptionsBuilder {
     private var cert: String? = null
     private var key: String? = null
 
-    fun trustManager(rootCertsPem: String) = apply { roots = rootCertsPem }
+    private var clientAuth: TlsClientAuth? = null
+
+    fun trustManager(rootCertsPem: String) {
+        roots = rootCertsPem
+    }
+
     fun keyManager(certChainPem: String, privateKeyPem: String) = apply {
         cert = certChainPem; key = privateKeyPem
     }
 
+    fun clientAuth(clientAuth: TlsClientAuth) {
+        this.clientAuth = clientAuth
+    }
+
     fun build(): CPointer<grpc_tls_credentials_options> {
         val opts = grpc_tls_credentials_options_create() ?: error("alloc opts failed")
 
@@ -160,6 +178,15 @@ private class TlsCredentialsOptionsBuilder {
         if (pairs != null) grpc_tls_credentials_options_watch_identity_key_cert_pairs(opts)
         if (roots != null) grpc_tls_credentials_options_watch_root_certs(opts)
 
+        val clientAuth = clientAuth
+        if (clientAuth != null) grpc_tls_credentials_options_set_cert_request_type(opts, clientAuth.toRaw())
+
         return opts
     }
 }
+
+private fun TlsClientAuth.toRaw(): grpc_ssl_client_certificate_request_type = when (this) {
+    TlsClientAuth.NONE -> grpc_ssl_client_certificate_request_type.GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE
+    TlsClientAuth.OPTIONAL -> grpc_ssl_client_certificate_request_type.GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY
+    TlsClientAuth.REQUIRE -> grpc_ssl_client_certificate_request_type.GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY
+}

grpc/grpc-core/src/nativeMain/kotlin/kotlinx/rpc/grpc/credentials.native.kt

@@ -13,5 +13,5 @@ public actual abstract class GrpcChannel {
         callOptions: GrpcCallOptions,
     ): ClientCall<RequestT, ResponseT>
 
-    public actual abstract fun authority(): String
+    public actual abstract fun authority(): String?
 }

grpc/grpc-core/src/nativeMain/kotlin/kotlinx/rpc/grpc/internal/GrpcChannel.native.kt

@@ -39,6 +39,7 @@ import kotlin.time.Duration
  */
 internal class NativeManagedChannel(
     target: String,
+    val authority: String?,
     // we must store them, otherwise the credentials are getting released
     credentials: ChannelCredentials,
 ) : ManagedChannel, ManagedChannelPlatform() {
@@ -122,26 +123,29 @@ internal class NativeManagedChannel(
         // to construct a valid HTTP/2 path, we must prepend the name with a slash.
         // the user does not do this to align it with the java implementation.
         val methodNameSlice = "/$methodFullName".toGrpcSlice()
+        val authoritySlice = authority?.toGrpcSlice()
+
         val rawCall = grpc_channel_create_call(
             channel = raw,
             parent_call = null,
             propagation_mask = GRPC_PROPAGATE_DEFAULTS,
             completion_queue = cq.raw,
             method = methodNameSlice,
-            host = null,
+            host = authoritySlice,
             deadline = gpr_inf_future(GPR_CLOCK_REALTIME),
             reserved = null
         ) ?: error("Failed to create call")
 
         grpc_slice_unref(methodNameSlice)
+        authoritySlice?.let { grpc_slice_unref(it) }
 
         return NativeClientCall(
             cq, rawCall, methodDescriptor, callJob
         )
     }
 
-    override fun authority(): String {
-        TODO("Not yet implemented")
+    override fun authority(): String? {
+        return authority
     }
 
 }