grpc 0.9.0

The official Rust implementation of gRPC: a high performance, open source, universal RPC framework.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221

/*
 *
 * Copyright 2026 gRPC authors.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to
 * deal in the Software without restriction, including without limitation the
 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
 * sell copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 *
 */

//! Authentication and security credentials (e.g. TLS and OAuth2).
//!
//! This module provides traits and types for handling credentials in gRPC,
//! including channel credentials (for securing connections) and call
//! credentials (for authenticating individual RPCs).
//!
//! # Key Concepts
//!
//! - **[`ChannelCredentials`]:** Trait for client-side transport security
//!   (e.g., TLS). May also include [`CallCredentials`] by using
//!   [`CompositeChannelCredentials`].
//! - **[`ServerCredentials`]:** Trait for server-side transport security.

pub mod call;
pub(crate) mod client;
pub(crate) mod dyn_wrapper;
mod local;
#[cfg(feature = "tls-rustls")]
pub mod rustls;
pub(crate) mod server;

use std::sync::Arc;

pub use client::CompositeChannelCredentials;
pub use local::LocalChannelCredentials;
pub use local::LocalServerCredentials;

use crate::credentials::call::CallCredentials;
use crate::credentials::client::ClientConnectionSecurityContext;
use crate::credentials::client::ClientHandshakeInfo;
use crate::credentials::client::HandshakeOutput;
use crate::credentials::common::Authority;
use crate::private;
use crate::rt::GrpcEndpoint;
use crate::rt::GrpcRuntime;

/// Client-side trait for all live gRPC wire protocols and supported transport
/// security protocols (e.g., TLS, ALTS).
///
/// Also includes the ability to attach [`CallCredentials`] when used with the
/// [`CompositeChannelCredentials`].
#[trait_variant::make(Send)]
pub trait ChannelCredentials: Sync + 'static {
    #[doc(hidden)]
    type ContextType: ClientConnectionSecurityContext;
    #[doc(hidden)]
    type Output<I>;

    /// Provides the ProtocolInfo of these credentials.
    fn info(&self) -> &ProtocolInfo;

    /// Returns call credentials to be used for all RPCs made on a connection.
    #[doc(hidden)]
    fn get_call_credentials(&self, token: private::Internal) -> Option<&Arc<dyn CallCredentials>>;

    /// Performs the client-side authentication handshake on a raw endpoint.
    ///
    /// This method wraps the provided `source` endpoint with the security protocol
    /// (e.g., TLS) and returns the authenticated endpoint along with its
    /// security details.
    ///
    /// # Arguments
    ///
    /// * `authority` - The `:authority` header value to be used when creating
    ///   new streams.
    ///   **Important:** Implementations must use this value as the server name
    ///   (e.g., for SNI) during the handshake.
    /// * `source` - The raw connection handle.
    /// * `info` - Additional context passed from the resolver or load balancer.
    #[doc(hidden)]
    async fn connect<Input: GrpcEndpoint>(
        &self,
        authority: &Authority,
        source: Input,
        info: &ClientHandshakeInfo,
        runtime: &GrpcRuntime,
        token: private::Internal,
    ) -> Result<HandshakeOutput<Self::Output<Input>, Self::ContextType>, String>;
}

/// Server-side trait for all live gRPC wire protocols and supported
/// transport security protocols (e.g., TLS, ALTS).
#[trait_variant::make(Send)]
pub trait ServerCredentials: Sync + 'static {
    #[doc(hidden)]
    type Output<I>;

    /// Provides the ProtocolInfo of these credentials.
    fn info(&self) -> &ProtocolInfo;

    /// Performs the server-side authentication handshake.
    ///
    /// This method wraps the incoming raw `source` connection with the configured
    /// security protocol (e.g., TLS).
    #[doc(hidden)]
    async fn accept<Input: GrpcEndpoint>(
        &self,
        source: Input,
        runtime: GrpcRuntime,
        token: private::Internal,
    ) -> Result<server::HandshakeOutput<Self::Output<Input>>, String>;
}

/// Defines the level of protection provided by an established connection.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
#[non_exhaustive]
pub enum SecurityLevel {
    /// The connection is insecure; no protection is applied.
    NoSecurity,
    /// The connection guarantees data integrity (tamper-proofing) but not
    /// privacy.
    ///
    /// Payloads are visible to observers but cannot be modified without
    /// detection.
    IntegrityOnly,
    /// The connection guarantees both privacy (confidentiality) and data
    /// integrity.
    ///
    /// This is the standard level for secure transports like TLS.
    PrivacyAndIntegrity,
}

pub(crate) mod common {
    /// Represents the value passed as the `:authority` pseudo-header, typically
    /// in the form `host:port`.
    #[derive(Clone, PartialEq, Debug)]
    pub struct Authority {
        host: String,
        port: Option<u16>,
    }

    impl Authority {
        pub fn new(host: impl Into<String>, port: Option<u16>) -> Self {
            Self {
                host: host.into(),
                port,
            }
        }

        pub fn host(&self) -> &str {
            &self.host
        }

        pub fn port(&self) -> Option<u16> {
            self.port
        }

        pub fn host_port_string(&self) -> String {
            let host_str = &self.host;
            match self.port() {
                None => host_str.to_string(),
                // Add [] for IPv6 addresses.
                Some(port) if host_str.contains(':') => {
                    format!("[{}]:{}", host_str, port)
                }
                Some(port) => format!("{}:{}", host_str, port),
            }
        }
    }
}

/// Contains information about a [`ChannelCredentials`] or
/// [`ServerCredentials`].
pub struct ProtocolInfo {
    security_protocol: &'static str,
}

impl ProtocolInfo {
    pub(crate) const fn new(security_protocol: &'static str) -> Self {
        Self { security_protocol }
    }

    /// Returns the security protocol name currently in use, e.g. "tls".
    pub fn security_protocol(&self) -> &'static str {
        self.security_protocol
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn authority_host_port_str() {
        let authority = Authority::new("localhost", None);
        assert_eq!(&authority.host_port_string(), "localhost");

        let authority = Authority::new("localhost", Some(443));
        assert_eq!(&authority.host_port_string(), "localhost:443");

        let authority = Authority::new("::1", Some(50051));
        assert_eq!(&authority.host_port_string(), "[::1]:50051");

        let authority = Authority::new("::1", None);
        assert_eq!(&authority.host_port_string(), "::1");
    }
}