1 /* 2 * 3 * Copyright 2015 gRPC authors. 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 */ 18 19 #ifndef GRPCPP_SECURITY_CREDENTIALS_IMPL_H 20 #define GRPCPP_SECURITY_CREDENTIALS_IMPL_H 21 22 #include <map> 23 #include <memory> 24 #include <vector> 25 26 #include <grpc/grpc_security_constants.h> 27 #include <grpcpp/channel_impl.h> 28 #include <grpcpp/impl/codegen/client_interceptor.h> 29 #include <grpcpp/impl/codegen/grpc_library.h> 30 #include <grpcpp/security/auth_context.h> 31 #include <grpcpp/security/tls_credentials_options.h> 32 #include <grpcpp/support/channel_arguments_impl.h> 33 #include <grpcpp/support/status.h> 34 #include <grpcpp/support/string_ref.h> 35 36 struct grpc_call; 37 38 namespace grpc_impl { 39 40 class ChannelCredentials; 41 class CallCredentials; 42 class SecureCallCredentials; 43 class SecureChannelCredentials; 44 45 std::shared_ptr<Channel> CreateCustomChannelImpl( 46 const std::string& target, const std::shared_ptr<ChannelCredentials>& creds, 47 const ChannelArguments& args); 48 49 namespace experimental { 50 std::shared_ptr<Channel> CreateCustomChannelWithInterceptors( 51 const std::string& target, const std::shared_ptr<ChannelCredentials>& creds, 52 const ChannelArguments& args, 53 std::vector< 54 std::unique_ptr<grpc::experimental::ClientInterceptorFactoryInterface>> 55 interceptor_creators); 56 } 57 58 /// A channel credentials object encapsulates all the state needed by a client 59 /// to authenticate with a server for a given channel. 60 /// It can make various assertions, e.g., about the client’s identity, role 61 /// for all the calls on that channel. 62 /// 63 /// \see https://grpc.io/docs/guides/auth 64 class ChannelCredentials : private grpc::GrpcLibraryCodegen { 65 public: 66 ChannelCredentials(); 67 ~ChannelCredentials(); 68 69 protected: 70 friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials( 71 const std::shared_ptr<ChannelCredentials>& channel_creds, 72 const std::shared_ptr<CallCredentials>& call_creds); 73 74 virtual SecureChannelCredentials* AsSecureCredentials() = 0; 75 76 private: 77 friend std::shared_ptr<Channel> CreateCustomChannelImpl( 78 const std::string& target, 79 const std::shared_ptr<ChannelCredentials>& creds, 80 const ChannelArguments& args); 81 82 friend std::shared_ptr<Channel> 83 grpc_impl::experimental::CreateCustomChannelWithInterceptors( 84 const std::string& target, 85 const std::shared_ptr<ChannelCredentials>& creds, 86 const ChannelArguments& args, 87 std::vector<std::unique_ptr< 88 grpc::experimental::ClientInterceptorFactoryInterface>> 89 interceptor_creators); 90 91 virtual std::shared_ptr<Channel> CreateChannelImpl( 92 const std::string& target, const ChannelArguments& args) = 0; 93 94 // This function should have been a pure virtual function, but it is 95 // implemented as a virtual function so that it does not break API. CreateChannelWithInterceptors(const std::string &,const ChannelArguments &,std::vector<std::unique_ptr<grpc::experimental::ClientInterceptorFactoryInterface>>)96 virtual std::shared_ptr<Channel> CreateChannelWithInterceptors( 97 const std::string& /*target*/, const ChannelArguments& /*args*/, 98 std::vector<std::unique_ptr< 99 grpc::experimental::ClientInterceptorFactoryInterface>> 100 /*interceptor_creators*/) { 101 return nullptr; 102 } 103 }; 104 105 /// A call credentials object encapsulates the state needed by a client to 106 /// authenticate with a server for a given call on a channel. 107 /// 108 /// \see https://grpc.io/docs/guides/auth 109 class CallCredentials : private grpc::GrpcLibraryCodegen { 110 public: 111 CallCredentials(); 112 ~CallCredentials(); 113 114 /// Apply this instance's credentials to \a call. 115 virtual bool ApplyToCall(grpc_call* call) = 0; DebugString()116 virtual std::string DebugString() { 117 return "CallCredentials did not provide a debug string"; 118 } 119 120 protected: 121 friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials( 122 const std::shared_ptr<ChannelCredentials>& channel_creds, 123 const std::shared_ptr<CallCredentials>& call_creds); 124 125 friend std::shared_ptr<CallCredentials> CompositeCallCredentials( 126 const std::shared_ptr<CallCredentials>& creds1, 127 const std::shared_ptr<CallCredentials>& creds2); 128 129 virtual SecureCallCredentials* AsSecureCredentials() = 0; 130 }; 131 132 /// Options used to build SslCredentials. 133 struct SslCredentialsOptions { 134 /// The buffer containing the PEM encoding of the server root certificates. If 135 /// this parameter is empty, the default roots will be used. The default 136 /// roots can be overridden using the \a GRPC_DEFAULT_SSL_ROOTS_FILE_PATH 137 /// environment variable pointing to a file on the file system containing the 138 /// roots. 139 std::string pem_root_certs; 140 141 /// The buffer containing the PEM encoding of the client's private key. This 142 /// parameter can be empty if the client does not have a private key. 143 std::string pem_private_key; 144 145 /// The buffer containing the PEM encoding of the client's certificate chain. 146 /// This parameter can be empty if the client does not have a certificate 147 /// chain. 148 std::string pem_cert_chain; 149 }; 150 151 // Factories for building different types of Credentials The functions may 152 // return empty shared_ptr when credentials cannot be created. If a 153 // Credentials pointer is returned, it can still be invalid when used to create 154 // a channel. A lame channel will be created then and all rpcs will fail on it. 155 156 /// Builds credentials with reasonable defaults. 157 /// 158 /// \warning Only use these credentials when connecting to a Google endpoint. 159 /// Using these credentials to connect to any other service may result in this 160 /// service being able to impersonate your client for requests to Google 161 /// services. 162 std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials(); 163 164 /// Builds SSL Credentials given SSL specific options 165 std::shared_ptr<ChannelCredentials> SslCredentials( 166 const SslCredentialsOptions& options); 167 168 /// Builds credentials for use when running in GCE 169 /// 170 /// \warning Only use these credentials when connecting to a Google endpoint. 171 /// Using these credentials to connect to any other service may result in this 172 /// service being able to impersonate your client for requests to Google 173 /// services. 174 std::shared_ptr<CallCredentials> GoogleComputeEngineCredentials(); 175 176 constexpr long kMaxAuthTokenLifetimeSecs = 3600; 177 178 /// Builds Service Account JWT Access credentials. 179 /// json_key is the JSON key string containing the client's private key. 180 /// token_lifetime_seconds is the lifetime in seconds of each Json Web Token 181 /// (JWT) created with this credentials. It should not exceed 182 /// \a kMaxAuthTokenLifetimeSecs or will be cropped to this value. 183 std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials( 184 const std::string& json_key, 185 long token_lifetime_seconds = grpc_impl::kMaxAuthTokenLifetimeSecs); 186 187 /// Builds refresh token credentials. 188 /// json_refresh_token is the JSON string containing the refresh token along 189 /// with a client_id and client_secret. 190 /// 191 /// \warning Only use these credentials when connecting to a Google endpoint. 192 /// Using these credentials to connect to any other service may result in this 193 /// service being able to impersonate your client for requests to Google 194 /// services. 195 std::shared_ptr<CallCredentials> GoogleRefreshTokenCredentials( 196 const std::string& json_refresh_token); 197 198 /// Builds access token credentials. 199 /// access_token is an oauth2 access token that was fetched using an out of band 200 /// mechanism. 201 /// 202 /// \warning Only use these credentials when connecting to a Google endpoint. 203 /// Using these credentials to connect to any other service may result in this 204 /// service being able to impersonate your client for requests to Google 205 /// services. 206 std::shared_ptr<CallCredentials> AccessTokenCredentials( 207 const std::string& access_token); 208 209 /// Builds IAM credentials. 210 /// 211 /// \warning Only use these credentials when connecting to a Google endpoint. 212 /// Using these credentials to connect to any other service may result in this 213 /// service being able to impersonate your client for requests to Google 214 /// services. 215 std::shared_ptr<CallCredentials> GoogleIAMCredentials( 216 const std::string& authorization_token, 217 const std::string& authority_selector); 218 219 /// Combines a channel credentials and a call credentials into a composite 220 /// channel credentials. 221 std::shared_ptr<ChannelCredentials> CompositeChannelCredentials( 222 const std::shared_ptr<ChannelCredentials>& channel_creds, 223 const std::shared_ptr<CallCredentials>& call_creds); 224 225 /// Combines two call credentials objects into a composite call credentials. 226 std::shared_ptr<CallCredentials> CompositeCallCredentials( 227 const std::shared_ptr<CallCredentials>& creds1, 228 const std::shared_ptr<CallCredentials>& creds2); 229 230 /// Credentials for an unencrypted, unauthenticated channel 231 std::shared_ptr<ChannelCredentials> InsecureChannelCredentials(); 232 233 /// User defined metadata credentials. 234 class MetadataCredentialsPlugin { 235 public: ~MetadataCredentialsPlugin()236 virtual ~MetadataCredentialsPlugin() {} 237 238 /// If this method returns true, the Process function will be scheduled in 239 /// a different thread from the one processing the call. IsBlocking()240 virtual bool IsBlocking() const { return true; } 241 242 /// Type of credentials this plugin is implementing. GetType()243 virtual const char* GetType() const { return ""; } 244 245 /// Gets the auth metatada produced by this plugin. 246 /// The fully qualified method name is: 247 /// service_url + "/" + method_name. 248 /// The channel_auth_context contains (among other things), the identity of 249 /// the server. 250 virtual grpc::Status GetMetadata( 251 grpc::string_ref service_url, grpc::string_ref method_name, 252 const grpc::AuthContext& channel_auth_context, 253 std::multimap<std::string, std::string>* metadata) = 0; 254 DebugString()255 virtual std::string DebugString() { 256 return "MetadataCredentialsPlugin did not provide a debug string"; 257 } 258 }; 259 260 std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin( 261 std::unique_ptr<MetadataCredentialsPlugin> plugin); 262 263 namespace experimental { 264 265 /// Options for creating STS Oauth Token Exchange credentials following the IETF 266 /// draft https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16. 267 /// Optional fields may be set to empty string. It is the responsibility of the 268 /// caller to ensure that the subject and actor tokens are refreshed on disk at 269 /// the specified paths. 270 struct StsCredentialsOptions { 271 std::string token_exchange_service_uri; // Required. 272 std::string resource; // Optional. 273 std::string audience; // Optional. 274 std::string scope; // Optional. 275 std::string requested_token_type; // Optional. 276 std::string subject_token_path; // Required. 277 std::string subject_token_type; // Required. 278 std::string actor_token_path; // Optional. 279 std::string actor_token_type; // Optional. 280 }; 281 282 /// Creates STS Options from a JSON string. The JSON schema is as follows: 283 /// { 284 /// "title": "STS Credentials Config", 285 /// "type": "object", 286 /// "required": ["token_exchange_service_uri", "subject_token_path", 287 /// "subject_token_type"], 288 /// "properties": { 289 /// "token_exchange_service_uri": { 290 /// "type": "string" 291 /// }, 292 /// "resource": { 293 /// "type": "string" 294 /// }, 295 /// "audience": { 296 /// "type": "string" 297 /// }, 298 /// "scope": { 299 /// "type": "string" 300 /// }, 301 /// "requested_token_type": { 302 /// "type": "string" 303 /// }, 304 /// "subject_token_path": { 305 /// "type": "string" 306 /// }, 307 /// "subject_token_type": { 308 /// "type": "string" 309 /// }, 310 /// "actor_token_path" : { 311 /// "type": "string" 312 /// }, 313 /// "actor_token_type": { 314 /// "type": "string" 315 /// } 316 /// } 317 /// } 318 grpc::Status StsCredentialsOptionsFromJson(const std::string& json_string, 319 StsCredentialsOptions* options); 320 321 /// Creates STS credentials options from the $STS_CREDENTIALS environment 322 /// variable. This environment variable points to the path of a JSON file 323 /// comforming to the schema described above. 324 grpc::Status StsCredentialsOptionsFromEnv(StsCredentialsOptions* options); 325 326 std::shared_ptr<CallCredentials> StsCredentials( 327 const StsCredentialsOptions& options); 328 329 std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin( 330 std::unique_ptr<MetadataCredentialsPlugin> plugin, 331 grpc_security_level min_security_level); 332 333 /// Options used to build AltsCredentials. 334 struct AltsCredentialsOptions { 335 /// service accounts of target endpoint that will be acceptable 336 /// by the client. If service accounts are provided and none of them matches 337 /// that of the server, authentication will fail. 338 std::vector<std::string> target_service_accounts; 339 }; 340 341 /// Builds ALTS Credentials given ALTS specific options 342 std::shared_ptr<ChannelCredentials> AltsCredentials( 343 const AltsCredentialsOptions& options); 344 345 /// Builds Local Credentials. 346 std::shared_ptr<ChannelCredentials> LocalCredentials( 347 grpc_local_connect_type type); 348 349 /// Builds TLS Credentials given TLS options. 350 std::shared_ptr<ChannelCredentials> TlsCredentials( 351 const TlsCredentialsOptions& options); 352 353 } // namespace experimental 354 } // namespace grpc_impl 355 356 #endif // GRPCPP_SECURITY_CREDENTIALS_IMPL_H 357