      1 /*
      2  *
      3  * Copyright 2015 gRPC authors.
      4  *
      5  * Licensed under the Apache License, Version 2.0 (the "License");
      6  * you may not use this file except in compliance with the License.
      7  * You may obtain a copy of the License at
      8  *
      9  *     http://www.apache.org/licenses/LICENSE-2.0
     10  *
     11  * Unless required by applicable law or agreed to in writing, software
     12  * distributed under the License is distributed on an "AS IS" BASIS,
     13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     14  * See the License for the specific language governing permissions and
     15  * limitations under the License.
     16  *
     17  */
     18 
     19 #ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_CREDENTIALS_H
     20 #define GRPC_CORE_LIB_SECURITY_CREDENTIALS_CREDENTIALS_H
     21 
     22 #include <grpc/support/port_platform.h>
     23 
     24 #include <grpc/grpc.h>
     25 #include <grpc/grpc_security.h>
     26 #include <grpc/support/sync.h>
     27 #include "src/core/lib/transport/metadata_batch.h"
     28 
     29 #include "src/core/lib/http/httpcli.h"
     30 #include "src/core/lib/http/parser.h"
     31 #include "src/core/lib/iomgr/polling_entity.h"
     32 #include "src/core/lib/security/security_connector/security_connector.h"
     33 
/* Forward declaration. grpc_credentials_metadata_request (below) embeds the
   response by value, so the complete type is expected to come from the http
   headers included above. */
struct grpc_http_response;
     35 
     36 /* --- Constants. --- */
     37 
/* Status reported by the credentials implementations of this module. Only
   the OK value is zero, so a status may also be tested as a plain boolean
   failure flag (`if (status != GRPC_CREDENTIALS_OK)`). */
typedef enum {
  GRPC_CREDENTIALS_OK = 0,   /* the operation succeeded */
  GRPC_CREDENTIALS_ERROR = 1 /* the operation failed */
} grpc_credentials_status;
     42 
/* Type string of the fake transport security used by tests. */
#define GRPC_FAKE_TRANSPORT_SECURITY_TYPE "fake"

/* Values for the `type` field of grpc_channel_credentials. They identify the
   concrete implementation at run time; compare them with strcmp, not `==`. */
#define GRPC_CHANNEL_CREDENTIALS_TYPE_SSL "Ssl"
#define GRPC_CHANNEL_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY \
  "FakeTransportSecurity"
#define GRPC_CHANNEL_CREDENTIALS_TYPE_GOOGLE_DEFAULT "GoogleDefault"

/* Values for the `type` field of grpc_call_credentials. */
#define GRPC_CALL_CREDENTIALS_TYPE_OAUTH2 "Oauth2"
#define GRPC_CALL_CREDENTIALS_TYPE_JWT "Jwt"
#define GRPC_CALL_CREDENTIALS_TYPE_IAM "Iam"
#define GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE "Composite"

/* Request-metadata keys under which call credentials travel: the standard
   authorization header plus the Google IAM token / authority-selector pair.
   The values stored under these keys are credential material and must be
   kept out of logs and traces. */
#define GRPC_AUTHORIZATION_METADATA_KEY "authorization"
#define GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY \
  "x-goog-iam-authorization-token"
#define GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY "x-goog-iam-authority-selector"

/* Tokens are refreshed this many seconds before their expiry so that an RPC
   does not go out with a token that expires while in flight.
   NOTE(review): the code applying this threshold is not in this header —
   confirm the intent at the use site. */
#define GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS 60

/* GCE instance metadata server and the path that serves an access token for
   the instance's default service account. NOTE(review): the metadata server
   requires the "Metadata-Flavor: Google" request header — confirm that the
   fetching code (not in this header) sets it. */
#define GRPC_COMPUTE_ENGINE_METADATA_HOST "metadata.google.internal"
#define GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH \
  "/computeMetadata/v1/instance/service-accounts/default/token"

/* Google OAuth2 token endpoint; presumably the target of the two POST bodies
   defined below (the request code is not in this header). */
#define GRPC_GOOGLE_OAUTH2_SERVICE_HOST "www.googleapis.com"
#define GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH "/oauth2/v3/token"

/* Body prefix of a JWT-bearer grant (RFC 7523); the caller appends the
   signed JWT assertion after "assertion=". */
#define GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX                         \
  "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&" \
  "assertion="

/* printf-style body of a refresh-token grant; the three %s are client_id,
   client_secret and refresh_token, in that order. The formatted body embeds
   the client secret, so it must never be logged, and each value needs to be
   form-encoded before formatting (the caller's responsibility — confirm at
   the use site). */
#define GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING \
  "client_id=%s&client_secret=%s&refresh_token=%s&grant_type=refresh_token"
     75 
     76 /* --- Google utils --- */
     77 
/* Returns the path of the well-known Google credentials file, or NULL when
   it cannot be determined. It is the caller's responsibility to gpr_free the
   result if not NULL. */
char* grpc_get_well_known_google_credentials_file_path(void);

/* Implementation function for the different platforms; normally reached
   through grpc_get_well_known_google_credentials_file_path(). */
char* grpc_get_well_known_google_credentials_file_path_impl(void);

/* Override for testing only. Not thread-safe. The getter presumably replaces
   the per-platform implementation process-wide, i.e. it redirects where
   credentials are loaded from — it must never be called from production
   code. */
typedef char* (*grpc_well_known_credentials_path_getter)(void);
void grpc_override_well_known_credentials_path_getter(
    grpc_well_known_credentials_path_getter getter);
     88 
     89 /* --- grpc_channel_credentials. --- */
     90 
/* Channel-arg key under which channel credentials are carried; used by
   grpc_channel_credentials_to_arg / _from_arg / _find_in_args below. */
#define GRPC_ARG_CHANNEL_CREDENTIALS "grpc.channel_credentials"
     92 
/* Dispatch table implemented by each concrete channel credentials type. The
   first argument of every entry is the credentials object itself. */
typedef struct {
  /* Releases everything `c` owns; expected to run when the last reference
     is dropped (see grpc_channel_credentials_unref). */
  void (*destruct)(grpc_channel_credentials* c);

  /* Builds the channel security connector for `target`. Same contract as
     grpc_channel_credentials_create_security_connector() below, with the
     additional `call_creds` argument; `*new_args`, when set, is owned by the
     caller. */
  grpc_security_status (*create_security_connector)(
      grpc_channel_credentials* c, grpc_call_credentials* call_creds,
      const char* target, const grpc_channel_args* args,
      grpc_channel_security_connector** sc, grpc_channel_args** new_args);

  /* Backs grpc_channel_credentials_duplicate_without_call_credentials():
     returns a copy of `c` with no call credentials attached. */
  grpc_channel_credentials* (*duplicate_without_call_credentials)(
      grpc_channel_credentials* c);
} grpc_channel_credentials_vtable;
    104 
/* Base object for all channel credentials. Concrete implementations are
   presumably laid out with this struct first so the vtable entries can
   downcast — confirm in the implementation files. */
struct grpc_channel_credentials {
  const grpc_channel_credentials_vtable* vtable; /* dispatch table */
  const char* type;      /* expected to be one of GRPC_CHANNEL_CREDENTIALS_TYPE_* */
  gpr_refcount refcount; /* managed via grpc_channel_credentials_ref/unref */
};
    110 
/* Reference counting on `refcount`. Every grpc_channel_credentials_ref()
   must be balanced by a grpc_channel_credentials_unref(); the object is
   expected to be destroyed (vtable->destruct) when the last reference goes
   away — that path is not visible in this header. */
grpc_channel_credentials* grpc_channel_credentials_ref(
    grpc_channel_credentials* creds);
void grpc_channel_credentials_unref(grpc_channel_credentials* creds);

/* Creates a security connector for the channel. May also create new channel
   args for the channel to be used in place of the passed in const args if
   returned non NULL. In that case the caller is responsible for destroying
   new_args after channel creation. `*sc` should only be used when the
   returned grpc_security_status reports success. */
grpc_security_status grpc_channel_credentials_create_security_connector(
    grpc_channel_credentials* creds, const char* target,
    const grpc_channel_args* args, grpc_channel_security_connector** sc,
    grpc_channel_args** new_args);

/* Creates a version of the channel credentials without any attached call
   credentials. This can be used in order to open a channel to a non-trusted
   gRPC load balancer: the transport-level credentials still protect the
   connection, but the per-RPC secrets carried by call credentials (tokens
   sent as request metadata) are never presented to the balancer. */
grpc_channel_credentials*
grpc_channel_credentials_duplicate_without_call_credentials(
    grpc_channel_credentials* creds);

/* Util to encapsulate the channel credentials in a channel arg (key
   GRPC_ARG_CHANNEL_CREDENTIALS). */
grpc_arg grpc_channel_credentials_to_arg(grpc_channel_credentials* credentials);

/* Util to get the channel credentials from a channel arg. NOTE(review):
   whether the returned pointer is borrowed or a new reference is not stated
   here — confirm before calling unref on it. */
grpc_channel_credentials* grpc_channel_credentials_from_arg(
    const grpc_arg* arg);

/* Util to find the channel credentials from channel args; presumably NULL
   when no GRPC_ARG_CHANNEL_CREDENTIALS entry is present. Same ownership
   caveat as grpc_channel_credentials_from_arg(). */
grpc_channel_credentials* grpc_channel_credentials_find_in_args(
    const grpc_channel_args* args);
    141 
    142 /* --- grpc_credentials_mdelem_array. --- */
    143 
/* Array of metadata elements produced by call credentials. The array owns a
   ref on each element (taken by _add/_append, released by _destroy). */
typedef struct {
  grpc_mdelem* md; /* presumably heap-allocated storage of `size` elements */
  size_t size;     /* number of valid elements in `md` */
} grpc_credentials_mdelem_array;
    148 
/// Appends \a md to \a list, taking a new ref to \a md.
void grpc_credentials_mdelem_array_add(grpc_credentials_mdelem_array* list,
                                       grpc_mdelem md);

/// Appends all elements from \a src to \a dst, taking a new ref to each one.
/// \a src is left untouched.
void grpc_credentials_mdelem_array_append(grpc_credentials_mdelem_array* dst,
                                          grpc_credentials_mdelem_array* src);

/// Releases the refs taken by _add/_append and frees the backing storage of
/// \a list. NOTE(review): whether \a list may be reused afterwards is not
/// documented — confirm in the implementation.
void grpc_credentials_mdelem_array_destroy(grpc_credentials_mdelem_array* list);
    158 
    159 /* --- grpc_call_credentials. --- */
    160 
/* Dispatch table implemented by each concrete call credentials type. The
   first argument of every entry is the credentials object itself. */
typedef struct {
  /* Releases everything `c` owns. */
  void (*destruct)(grpc_call_credentials* c);
  /* Contract of grpc_call_credentials_get_request_metadata() below: returns
     true when the metadata was produced synchronously (result in `*error`,
     elements appended to `md_array`); otherwise `on_request_metadata` is
     invoked once the metadata is available. */
  bool (*get_request_metadata)(grpc_call_credentials* c,
                               grpc_polling_entity* pollent,
                               grpc_auth_metadata_context context,
                               grpc_credentials_mdelem_array* md_array,
                               grpc_closure* on_request_metadata,
                               grpc_error** error);
  /* Contract of grpc_call_credentials_cancel_get_request_metadata() below:
     cancels the pending operation identified by `md_array`; `error`
     presumably carries the cancellation reason. */
  void (*cancel_get_request_metadata)(grpc_call_credentials* c,
                                      grpc_credentials_mdelem_array* md_array,
                                      grpc_error* error);
} grpc_call_credentials_vtable;
    173 
/* Base object for all call credentials; same vtable/type/refcount layout as
   grpc_channel_credentials. */
struct grpc_call_credentials {
  const grpc_call_credentials_vtable* vtable; /* dispatch table */
  const char* type;      /* expected to be one of GRPC_CALL_CREDENTIALS_TYPE_* */
  gpr_refcount refcount; /* managed via grpc_call_credentials_ref/unref */
};
    179 
/* Reference counting on `refcount`; pair every _ref with an _unref. */
grpc_call_credentials* grpc_call_credentials_ref(grpc_call_credentials* creds);
void grpc_call_credentials_unref(grpc_call_credentials* creds);

/// Returns true if completed synchronously, in which case \a error will
/// be set to indicate the result.  Otherwise, \a on_request_metadata will
/// be invoked asynchronously when complete.  \a md_array will be populated
/// with the resulting metadata once complete.
/// Because a pending operation is identified by \a md_array (see the cancel
/// function below), the array must stay alive until completion or
/// cancellation. \a pollent is presumably the polling entity that drives the
/// asynchronous work (see polling_entity.h).
bool grpc_call_credentials_get_request_metadata(
    grpc_call_credentials* creds, grpc_polling_entity* pollent,
    grpc_auth_metadata_context context, grpc_credentials_mdelem_array* md_array,
    grpc_closure* on_request_metadata, grpc_error** error);

/// Cancels a pending asynchronous operation started by
/// grpc_call_credentials_get_request_metadata() with the corresponding
/// value of \a md_array. \a error presumably carries the reason reported to
/// the pending \a on_request_metadata closure.
void grpc_call_credentials_cancel_get_request_metadata(
    grpc_call_credentials* c, grpc_credentials_mdelem_array* md_array,
    grpc_error* error);

/* Metadata-only credentials with the specified key and value where
   asynchronicity can be simulated for testing: `is_async` selects whether
   get_request_metadata completes synchronously or through the closure.
   Test-only; not intended for production use. */
grpc_call_credentials* grpc_md_only_test_credentials_create(
    const char* md_key, const char* md_value, bool is_async);
    203 
    204 /* --- grpc_server_credentials. --- */
    205 
/* Dispatch table implemented by each concrete server credentials type. */
typedef struct {
  /* Releases everything `c` owns. */
  void (*destruct)(grpc_server_credentials* c);
  /* Backs grpc_server_credentials_create_security_connector() below. */
  grpc_security_status (*create_security_connector)(
      grpc_server_credentials* c, grpc_server_security_connector** sc);
} grpc_server_credentials_vtable;
    211 
/* Base object for all server credentials; the vtable/type/refcount layout of
   the channel and call variants plus the auth metadata processor. */
struct grpc_server_credentials {
  const grpc_server_credentials_vtable* vtable; /* dispatch table */
  const char* type;                              /* implementation type string */
  gpr_refcount refcount; /* managed via grpc_server_credentials_ref/unref */
  /* Application-supplied processor for incoming per-call auth metadata
     (grpc_auth_metadata_processor, grpc_security.h) — presumably the hook
     where the server authenticates each call, so who installs it matters.
     NOTE(review): how it is set and whether it may be left empty is not
     shown in this header. */
  grpc_auth_metadata_processor processor;
};
    218 
/* Builds the server security connector for `creds`; `*sc` should only be
   used when the returned status reports success. */
grpc_security_status grpc_server_credentials_create_security_connector(
    grpc_server_credentials* creds, grpc_server_security_connector** sc);

/* Reference counting on `refcount`; pair every _ref with an _unref. */
grpc_server_credentials* grpc_server_credentials_ref(
    grpc_server_credentials* creds);

void grpc_server_credentials_unref(grpc_server_credentials* creds);

/* Channel-arg key under which server credentials are carried. */
#define GRPC_SERVER_CREDENTIALS_ARG "grpc.server_credentials"

/* Channel-arg helpers: the server-side counterparts of
   grpc_channel_credentials_to_arg / _from_arg / _find_in_args.
   NOTE(review): grpc_find_server_credentials_in_args does not follow the
   channel naming pattern; renaming would be an API change, so noted only.
   Whether _from_arg / _find_in_args return a borrowed or a new reference is
   not stated — confirm before calling unref on the result. */
grpc_arg grpc_server_credentials_to_arg(grpc_server_credentials* c);
grpc_server_credentials* grpc_server_credentials_from_arg(const grpc_arg* arg);
grpc_server_credentials* grpc_find_server_credentials_in_args(
    const grpc_channel_args* args);
    233 
    234 /* -- Credentials Metadata Request. -- */
    235 
/* State of one credential fetch over HTTP: the credentials the fetch is for
   and the HTTP response it produced. Presumably passed as the argument of an
   httpcli completion callback — confirm in the implementation. */
typedef struct {
  grpc_call_credentials* creds; /* credentials the request belongs to */
  grpc_http_response response;  /* response filled in by the HTTP client */
} grpc_credentials_metadata_request;
    240 
/* Allocates a request for `creds`; release it with
   grpc_credentials_metadata_request_destroy(). NOTE(review): whether _create
   takes a new ref on `creds` that _destroy releases is not stated here —
   confirm before adding or removing a ref on the caller's side. */
grpc_credentials_metadata_request* grpc_credentials_metadata_request_create(
    grpc_call_credentials* creds);

/* Frees `r` and whatever it owns (the response body and, if _create took
   one, the ref on `creds` — confirm). */
void grpc_credentials_metadata_request_destroy(
    grpc_credentials_metadata_request* r);
    246 
    247 #endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_CREDENTIALS_H */