[Security - Revocation] Crl Directory Watcher Implementation (grpc#34749

) This adds the directory reloader implementation of the CrlProvider. This will periodically reload CRL files in a directory per [gRFC A69](grpc/proposal#382) Included in this is the following: * A public API to create the `DirectoryReloaderCrlProvider` * A basic directory interface in gprpp and platform specific impls for getting the list of files in a directory (unfortunately prior C++17, there is no std::filesystem, so we have to have platform specific impls) * The implementation of `DirectoryReloaderCrlProvider` takes an event_engine and a directory interface. This allows us to test using the fuzzing event engine for time mocking, and to implement a test directory interface so we avoid having to make temporary directories and files in the tests. This is notably not in `include`, and the `CreateDirectoryReloaderCrlProvider` is the only way to construct one from the public API, so we don't expose the event engine and directory details to the user. --------- Co-authored-by: gtcooke94 <[email protected]>
gtcooke94 · Nov 13, 2023 · 6c25cf1 · 6c25cf1
1 parent d1ae64f
commit 6c25cf1
Show file tree

Hide file tree

Showing 26 changed files with 832 additions and 17 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
diff --git a/Makefile b/Makefile
diff --git a/Package.swift b/Package.swift
diff --git a/build_autogenerated.yaml b/build_autogenerated.yaml
diff --git a/config.m4 b/config.m4
diff --git a/config.w32 b/config.w32
diff --git a/gRPC-C++.podspec b/gRPC-C++.podspec
diff --git a/gRPC-Core.podspec b/gRPC-Core.podspec
diff --git a/grpc.gemspec b/grpc.gemspec
diff --git a/grpc.gyp b/grpc.gyp
diff --git a/include/grpc/grpc_crl_provider.h b/include/grpc/grpc_crl_provider.h
@@ -28,7 +28,6 @@
 #include "absl/strings/string_view.h"
 
 #include <grpc/grpc_security.h>
-#include <grpc/support/sync.h>
 
 namespace grpc_core {
 namespace experimental {
@@ -68,6 +67,17 @@ class CrlProvider {
 absl::StatusOr<std::shared_ptr<CrlProvider>> CreateStaticCrlProvider(
     absl::Span<const std::string> crls);
 
+// Creates a CRL Provider that periodically and asynchronously reloads a
+// directory. The refresh_duration minimum is 60 seconds. The
+// reload_error_callback provides a way for the user to specifically log or
+// otherwise notify of errors during reloading. Since reloading is asynchronous
+// and not on the main codepath, the grpc process will continue to run through
+// reloading errors, so this mechanism is an important way to provide signals to
+// your monitoring and alerting setup.
+absl::StatusOr<std::shared_ptr<CrlProvider>> CreateDirectoryReloaderCrlProvider(
+    absl::string_view directory, std::chrono::seconds refresh_duration,
+    std::function<void(absl::Status)> reload_error_callback);
+
 }  // namespace experimental
 }  // namespace grpc_core
 
@@ -81,5 +91,4 @@ absl::StatusOr<std::shared_ptr<CrlProvider>> CreateStaticCrlProvider(
 void grpc_tls_credentials_options_set_crl_provider(
     grpc_tls_credentials_options* options,
     std::shared_ptr<grpc_core::experimental::CrlProvider> provider);
-
 #endif /* GRPC_GRPC_CRL_PROVIDER_H */
diff --git a/package.xml b/package.xml