1 /*
2  *
3  * Copyright 2015 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_CREDENTIALS_H
20 #define GRPC_CORE_LIB_SECURITY_CREDENTIALS_CREDENTIALS_H
21 
23 
24 #include <string.h>
25 
26 #include <string>
27 
28 #include <grpc/grpc.h>
29 #include <grpc/grpc_security.h>
30 #include <grpc/support/sync.h>
32 
38 
39 struct grpc_http_response;
40 
41 /* --- Constants. --- */
42 
43 typedef enum {
47 
48 #define GRPC_FAKE_TRANSPORT_SECURITY_TYPE "fake"
49 
50 #define GRPC_CHANNEL_CREDENTIALS_TYPE_SSL "Ssl"
51 #define GRPC_CHANNEL_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY \
52  "FakeTransportSecurity"
53 #define GRPC_CHANNEL_CREDENTIALS_TYPE_GOOGLE_DEFAULT "GoogleDefault"
54 
55 #define GRPC_CALL_CREDENTIALS_TYPE_OAUTH2 "Oauth2"
56 #define GRPC_CALL_CREDENTIALS_TYPE_JWT "Jwt"
57 #define GRPC_CALL_CREDENTIALS_TYPE_IAM "Iam"
58 #define GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE "Composite"
59 
60 #define GRPC_AUTHORIZATION_METADATA_KEY "authorization"
61 #define GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY \
62  "x-goog-iam-authorization-token"
63 #define GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY "x-goog-iam-authority-selector"
64 
65 #define GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS 60
66 
67 #define GRPC_COMPUTE_ENGINE_METADATA_HOST "metadata.google.internal."
68 #define GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH \
69  "/computeMetadata/v1/instance/service-accounts/default/token"
70 
71 #define GRPC_GOOGLE_OAUTH2_SERVICE_HOST "oauth2.googleapis.com"
72 #define GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH "/token"
73 
74 #define GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX \
75  "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&" \
76  "assertion="
77 
78 #define GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING \
79  "client_id=%s&client_secret=%s&refresh_token=%s&grant_type=refresh_token"
80 
81 /* --- Google utils --- */
82 
83 /* It is the caller's responsibility to gpr_free the result if not NULL. */
85 
86 /* Implementation function for the different platforms. */
88 
89 /* Override for testing only. Not thread-safe */
90 typedef std::string (*grpc_well_known_credentials_path_getter)(void);
93 
94 /* --- grpc_channel_credentials. --- */
95 
96 #define GRPC_ARG_CHANNEL_CREDENTIALS "grpc.channel_credentials"
97 
// This type is forward declared as a C struct and we cannot define it as a
// class. Otherwise, the compiler will complain about a type mismatch due to
// -Wmismatched-tags.
102  : grpc_core::RefCounted<grpc_channel_credentials> {
103  public:
  // Tags the credentials with a type string (normally one of the
  // GRPC_CHANNEL_CREDENTIALS_TYPE_* literals above). The pointer is stored
  // as-is rather than copied, so the pointee must outlive this object.
  explicit grpc_channel_credentials(const char* type)
      : type_(type) {}
  // Virtual through the RefCounted base; nothing beyond the members to clean
  // up (type_ is a non-owning pointer).
  ~grpc_channel_credentials() override = default;
106 
107  // Creates a security connector for the channel. May also create new channel
108  // args for the channel to be used in place of the passed in const args if
109  // returned non NULL. In that case the caller is responsible for destroying
110  // new_args after channel creation.
114  const char* target, const grpc_channel_args* args,
115  grpc_channel_args** new_args) = 0;
116 
117  // Creates a version of the channel credentials without any attached call
118  // credentials. This can be used in order to open a channel to a non-trusted
119  // gRPC load balancer.
122  // By default we just increment the refcount.
123  return Ref();
124  }
125 
126  // Allows credentials to optionally modify a parent channel's args.
127  // By default, leave channel args as is. The callee takes ownership
128  // of the passed-in channel args, and the caller takes ownership
129  // of the returned channel args.
131  return args;
132  }
133 
  // Returns the type tag handed to the constructor. The string is not owned
  // by this object.
  const char* type() const {
    return type_;
  }
135 
136  private:
137  const char* type_;
138 };
139 
140 /* Util to encapsulate the channel credentials in a channel arg. */
142 
143 /* Util to get the channel credentials from a channel arg. */
145  const grpc_arg* arg);
146 
147 /* Util to find the channel credentials from channel args. */
149  const grpc_channel_args* args);
150 
151 /* --- grpc_credentials_mdelem_array. --- */
152 
154  grpc_mdelem* md = nullptr;
155  size_t size = 0;
156 };
159  grpc_mdelem md);
160 
164 
166 
167 /* --- grpc_call_credentials. --- */
168 
// This type is forward declared as a C struct and we cannot define it as a
// class. Otherwise, the compiler will complain about a type mismatch due to
// -Wmismatched-tags.
173  : public grpc_core::RefCounted<grpc_call_credentials> {
174  public:
176  const char* type,
178  : type_(type), min_security_level_(min_security_level) {}
179 
  // Virtual through the RefCounted base; members are a non-owning type_
  // pointer and a plain enum, so the default is sufficient.
  ~grpc_call_credentials() override = default;
181 
182  // Returns true if completed synchronously, in which case \a error will
183  // be set to indicate the result. Otherwise, \a on_request_metadata will
184  // be invoked asynchronously when complete. \a md_array will be populated
185  // with the resulting metadata once complete.
189  grpc_closure* on_request_metadata,
190  grpc_error_handle* error) = 0;
191 
192  // Cancels a pending asynchronous operation started by
193  // grpc_call_credentials_get_request_metadata() with the corresponding
194  // value of \a md_array.
197 
199  return min_security_level_;
200  }
201 
  // Human-readable description of these credentials for debug output.
  // Subclasses are expected to override this; the base implementation only
  // reports that no override was supplied. NOTE(review): an override is
  // meant for logs, so it should describe the credentials without embedding
  // secret material such as token or key values.
  virtual std::string debug_string() {
    const std::string fallback =
        "grpc_call_credentials did not provide debug string";
    return fallback;
  }
205 
  // Returns the type tag handed to the constructor (e.g. one of the
  // GRPC_CALL_CREDENTIALS_TYPE_* literals). Not owned by this object.
  const char* type() const {
    return type_;
  }
207 
208  private:
209  const char* type_;
210  const grpc_security_level min_security_level_;
211 };
212 
213 /* Metadata-only credentials with the specified key and value where
214  asynchronicity can be simulated for testing. */
216  const char* md_key, const char* md_value, bool is_async);
217 
218 /* --- grpc_server_credentials. --- */
219 
// This type is forward declared as a C struct and we cannot define it as a
// class. Otherwise, the compiler will complain about a type mismatch due to
// -Wmismatched-tags.
224  : public grpc_core::RefCounted<grpc_server_credentials> {
225  public:
  // Tags the credentials with a type string. The pointer is stored as-is
  // rather than copied, so the pointee must outlive this object. The auth
  // metadata processor starts out zero-initialized (see processor_ below).
  explicit grpc_server_credentials(const char* type)
      : type_(type) {}
227 
  // Releases whatever state the installed auth metadata processor owns
  // before the object goes away; see DestroyProcessor() for the rules.
  ~grpc_server_credentials() override {
    DestroyProcessor();
  }
229 
230  // Ownership of \a args is not passed.
233 
  // Returns the type tag handed to the constructor. Not owned by this object.
  const char* type() const {
    return type_;
  }
235 
237  return processor_;
238  }
240  const grpc_auth_metadata_processor& processor);
241 
242  private:
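  // Releases the state owned by the installed grpc_auth_metadata_processor by
  // invoking its destroy callback, then resets processor_ to the
  // zero-initialized C struct so that a second call is a no-op rather than a
  // second invocation of destroy on already-released state. A processor with
  // no destroy callback, or with no state, has nothing to release.
  void DestroyProcessor() {
    const bool has_destroy = processor_.destroy != nullptr;
    const bool has_state = processor_.state != nullptr;
    if (has_destroy && has_state) {
      processor_.destroy(processor_.state);
    }
    // Clear the callback and state together so no stale pointer survives.
    processor_ = grpc_auth_metadata_processor();
  }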
248 
249  const char* type_;
250  grpc_auth_metadata_processor processor_ =
251  grpc_auth_metadata_processor(); // Zero-initialize the C struct.
252 };
253 
254 #define GRPC_SERVER_CREDENTIALS_ARG "grpc.server_credentials"
255 
259  const grpc_channel_args* args);
260 
261 /* -- Credentials Metadata Request. -- */
262 
266  : creds(std::move(creds)) {}
269  }
270 
273 };
274 
278  return new grpc_credentials_metadata_request(std::move(creds));
279 }
280 
283  delete r;
284 }
285 
286 #endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_CREDENTIALS_H */