1 //
2 //
3 // Copyright 2015 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #include "src/core/lib/security/credentials/google_default/google_default_credentials.h"
20
21 #include <grpc/credentials.h>
22 #include <grpc/grpc_security.h>
23 #include <grpc/grpc_security_constants.h>
24 #include <grpc/impl/channel_arg_names.h>
25 #include <grpc/slice.h>
26 #include <grpc/support/alloc.h>
27 #include <grpc/support/port_platform.h>
28 #include <grpc/support/sync.h>
29 #include <string.h>
30
31 #include <memory>
32 #include <string>
33
34 #include "absl/log/check.h"
35 #include "absl/log/log.h"
36 #include "absl/status/statusor.h"
37 #include "absl/strings/match.h"
38 #include "absl/strings/str_cat.h"
39 #include "absl/strings/string_view.h"
40 #include "absl/types/optional.h"
41 #include "src/core/lib/channel/channel_args.h"
42 #include "src/core/lib/debug/trace.h"
43 #include "src/core/lib/iomgr/closure.h"
44 #include "src/core/lib/iomgr/error.h"
45 #include "src/core/lib/iomgr/exec_ctx.h"
46 #include "src/core/lib/iomgr/iomgr_fwd.h"
47 #include "src/core/lib/iomgr/polling_entity.h"
48 #include "src/core/lib/iomgr/pollset.h"
49 #include "src/core/lib/security/credentials/alts/check_gcp_environment.h"
50 #include "src/core/lib/security/credentials/credentials.h"
51 #include "src/core/lib/security/credentials/external/external_account_credentials.h"
52 #include "src/core/lib/security/credentials/jwt/json_token.h"
53 #include "src/core/lib/security/credentials/jwt/jwt_credentials.h"
54 #include "src/core/lib/security/credentials/oauth2/oauth2_credentials.h"
55 #include "src/core/lib/slice/slice.h"
56 #include "src/core/lib/slice/slice_internal.h"
57 #include "src/core/lib/transport/error_utils.h"
58 #include "src/core/load_balancing/grpclb/grpclb.h"
59 #include "src/core/load_balancing/xds/xds_channel_args.h"
60 #include "src/core/util/env.h"
61 #include "src/core/util/http_client/httpcli.h"
62 #include "src/core/util/http_client/parser.h"
63 #include "src/core/util/json/json.h"
64 #include "src/core/util/json/json_reader.h"
65 #include "src/core/util/load_file.h"
66 #include "src/core/util/orphanable.h"
67 #include "src/core/util/ref_counted_ptr.h"
68 #include "src/core/util/status_helper.h"
69 #include "src/core/util/sync.h"
70 #include "src/core/util/time.h"
71 #include "src/core/util/uri.h"
72
73 using grpc_core::Json;
74
75 // -- Constants. --
76
77 #define GRPC_COMPUTE_ENGINE_DETECTION_HOST "metadata.google.internal."
78 #define GRPC_GOOGLE_CREDENTIAL_CREATION_ERROR \
79 "Failed to create Google credentials"
80
81 // -- Default credentials. --
82
83 // A sticky bit that will be set only if the result of metadata server detection
84 // is positive. We do not set the bit if the result is negative. Because it
85 // means the detection is done via network test that is unreliable and the
86 // unreliable result should not be referred by successive calls.
87 static int g_metadata_server_available = 0;
88 static grpc_core::Mutex* g_state_mu;
89 // Protect a metadata_server_detector instance that can be modified by more than
90 // one gRPC threads
91 static gpr_mu* g_polling_mu;
92 static gpr_once g_once = GPR_ONCE_INIT;
93 static grpc_core::internal::grpc_gce_tenancy_checker g_gce_tenancy_checker =
94 grpc_alts_is_running_on_gcp;
95
init_default_credentials(void)96 static void init_default_credentials(void) {
97 g_state_mu = new grpc_core::Mutex();
98 }
99
100 struct metadata_server_detector {
101 grpc_polling_entity pollent;
102 int is_done;
103 int success;
104 grpc_http_response response;
105 };
106
107 namespace {
108
IsXdsNonCfeCluster(absl::optional<absl::string_view> xds_cluster)109 bool IsXdsNonCfeCluster(absl::optional<absl::string_view> xds_cluster) {
110 if (!xds_cluster.has_value()) return false;
111 if (absl::StartsWith(*xds_cluster, "google_cfe_")) return false;
112 if (!absl::StartsWith(*xds_cluster, "xdstp:")) return true;
113 auto uri = grpc_core::URI::Parse(*xds_cluster);
114 if (!uri.ok()) return true; // Shouldn't happen, but assume ALTS.
115 return uri->authority() != "traffic-director-c2p.xds.googleapis.com" ||
116 !absl::StartsWith(uri->path(),
117 "/envoy.config.cluster.v3.Cluster/google_cfe_");
118 }
119
120 } // namespace
121
122 grpc_core::RefCountedPtr<grpc_channel_security_connector>
create_security_connector(grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,const char * target,grpc_core::ChannelArgs * args)123 grpc_google_default_channel_credentials::create_security_connector(
124 grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
125 const char* target, grpc_core::ChannelArgs* args) {
126 const bool is_grpclb_load_balancer =
127 args->GetBool(GRPC_ARG_ADDRESS_IS_GRPCLB_LOAD_BALANCER).value_or(false);
128 const bool is_backend_from_grpclb_load_balancer =
129 args->GetBool(GRPC_ARG_ADDRESS_IS_BACKEND_FROM_GRPCLB_LOAD_BALANCER)
130 .value_or(false);
131 const bool is_xds_non_cfe_cluster =
132 IsXdsNonCfeCluster(args->GetString(GRPC_ARG_XDS_CLUSTER_NAME));
133 const bool use_alts = is_grpclb_load_balancer ||
134 is_backend_from_grpclb_load_balancer ||
135 is_xds_non_cfe_cluster;
136 // Return failure if ALTS is selected but not running on GCE.
137 if (use_alts && alts_creds_ == nullptr) {
138 LOG(ERROR) << "ALTS is selected, but not running on GCE.";
139 return nullptr;
140 }
141 grpc_core::RefCountedPtr<grpc_channel_security_connector> sc =
142 use_alts
143 ? alts_creds_->create_security_connector(call_creds, target, args)
144 : ssl_creds_->create_security_connector(call_creds, target, args);
145 // grpclb-specific channel args are removed from the channel args set
146 // to ensure backends and fallback addresses will have the same set of channel
147 // args. By doing that, it guarantees the connections to backends will not be
148 // torn down and re-connected when switching in and out of fallback mode.
149 //
150 if (use_alts) {
151 *args = args->Remove(GRPC_ARG_ADDRESS_IS_GRPCLB_LOAD_BALANCER)
152 .Remove(GRPC_ARG_ADDRESS_IS_BACKEND_FROM_GRPCLB_LOAD_BALANCER);
153 }
154 return sc;
155 }
156
157 grpc_core::ChannelArgs
update_arguments(grpc_core::ChannelArgs args)158 grpc_google_default_channel_credentials::update_arguments(
159 grpc_core::ChannelArgs args) {
160 return args.SetIfUnset(GRPC_ARG_DNS_ENABLE_SRV_QUERIES, true);
161 }
162
Type()163 grpc_core::UniqueTypeName grpc_google_default_channel_credentials::Type() {
164 static grpc_core::UniqueTypeName::Factory kFactory("GoogleDefault");
165 return kFactory.Create();
166 }
167
on_metadata_server_detection_http_response(void * user_data,grpc_error_handle error)168 static void on_metadata_server_detection_http_response(
169 void* user_data, grpc_error_handle error) {
170 metadata_server_detector* detector =
171 static_cast<metadata_server_detector*>(user_data);
172 if (error.ok() && detector->response.status == 200 &&
173 detector->response.hdr_count > 0) {
174 // Internet providers can return a generic response to all requests, so
175 // it is necessary to check that metadata header is present also.
176 size_t i;
177 for (i = 0; i < detector->response.hdr_count; i++) {
178 grpc_http_header* header = &detector->response.hdrs[i];
179 if (strcmp(header->key, "Metadata-Flavor") == 0 &&
180 strcmp(header->value, "Google") == 0) {
181 detector->success = 1;
182 break;
183 }
184 }
185 }
186 gpr_mu_lock(g_polling_mu);
187 detector->is_done = 1;
188 GRPC_LOG_IF_ERROR(
189 "Pollset kick",
190 grpc_pollset_kick(grpc_polling_entity_pollset(&detector->pollent),
191 nullptr));
192 gpr_mu_unlock(g_polling_mu);
193 }
194
destroy_pollset(void * p,grpc_error_handle)195 static void destroy_pollset(void* p, grpc_error_handle /*e*/) {
196 grpc_pollset_destroy(static_cast<grpc_pollset*>(p));
197 }
198
is_metadata_server_reachable()199 static int is_metadata_server_reachable() {
200 metadata_server_detector detector;
201 grpc_http_request request;
202 grpc_closure destroy_closure;
203 // The http call is local. If it takes more than one sec, it is for sure not
204 // on compute engine.
205 const auto max_detection_delay = grpc_core::Duration::Seconds(1);
206 grpc_pollset* pollset =
207 static_cast<grpc_pollset*>(gpr_zalloc(grpc_pollset_size()));
208 grpc_pollset_init(pollset, &g_polling_mu);
209 detector.pollent = grpc_polling_entity_create_from_pollset(pollset);
210 detector.is_done = 0;
211 detector.success = 0;
212 memset(&request, 0, sizeof(grpc_http_request));
213 auto uri =
214 grpc_core::URI::Create("http", GRPC_COMPUTE_ENGINE_DETECTION_HOST, "/",
215 {} /* query params */, "" /* fragment */);
216 CHECK(uri.ok()); // params are hardcoded
217 auto http_request = grpc_core::HttpRequest::Get(
218 std::move(*uri), nullptr /* channel args */, &detector.pollent, &request,
219 grpc_core::Timestamp::Now() + max_detection_delay,
220 GRPC_CLOSURE_CREATE(on_metadata_server_detection_http_response, &detector,
221 grpc_schedule_on_exec_ctx),
222 &detector.response,
223 grpc_core::RefCountedPtr<grpc_channel_credentials>(
224 grpc_insecure_credentials_create()));
225 http_request->Start();
226 grpc_core::ExecCtx::Get()->Flush();
227 // Block until we get the response. This is not ideal but this should only be
228 // called once for the lifetime of the process by the default credentials.
229 gpr_mu_lock(g_polling_mu);
230 while (!detector.is_done) {
231 grpc_pollset_worker* worker = nullptr;
232 if (!GRPC_LOG_IF_ERROR(
233 "pollset_work",
234 grpc_pollset_work(grpc_polling_entity_pollset(&detector.pollent),
235 &worker, grpc_core::Timestamp::InfFuture()))) {
236 detector.is_done = 1;
237 detector.success = 0;
238 }
239 }
240 gpr_mu_unlock(g_polling_mu);
241 http_request.reset();
242 GRPC_CLOSURE_INIT(&destroy_closure, destroy_pollset,
243 grpc_polling_entity_pollset(&detector.pollent),
244 grpc_schedule_on_exec_ctx);
245 grpc_pollset_shutdown(grpc_polling_entity_pollset(&detector.pollent),
246 &destroy_closure);
247 g_polling_mu = nullptr;
248 grpc_core::ExecCtx::Get()->Flush();
249 gpr_free(grpc_polling_entity_pollset(&detector.pollent));
250 grpc_http_response_destroy(&detector.response);
251 return detector.success;
252 }
253
254 // Takes ownership of creds_path if not NULL.
create_default_creds_from_path(const std::string & creds_path,grpc_core::RefCountedPtr<grpc_call_credentials> * creds)255 static grpc_error_handle create_default_creds_from_path(
256 const std::string& creds_path,
257 grpc_core::RefCountedPtr<grpc_call_credentials>* creds) {
258 if (creds_path.empty()) {
259 return GRPC_ERROR_CREATE("creds_path unset");
260 }
261 auto creds_data =
262 grpc_core::LoadFile(creds_path, /*add_null_terminator=*/false);
263 if (!creds_data.ok()) {
264 return absl_status_to_grpc_error(creds_data.status());
265 }
266 auto json = grpc_core::JsonParse(creds_data->as_string_view());
267 if (!json.ok()) {
268 return absl_status_to_grpc_error(json.status());
269 }
270 if (json->type() != Json::Type::kObject) {
271 return GRPC_ERROR_CREATE(absl::StrCat("Failed to parse JSON \"",
272 creds_data->as_string_view(), "\""));
273 }
274 // First, try an auth json key.
275 grpc_auth_json_key key = grpc_auth_json_key_create_from_json(*json);
276 if (grpc_auth_json_key_is_valid(&key)) {
277 *creds =
278 grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
279 key, grpc_max_auth_token_lifetime());
280 if (*creds == nullptr) {
281 return GRPC_ERROR_CREATE(
282 "grpc_service_account_jwt_access_credentials_create_from_auth_json_"
283 "key failed");
284 }
285 return absl::OkStatus();
286 }
287 // Then try a refresh token if the auth json key was invalid.
288 grpc_auth_refresh_token token =
289 grpc_auth_refresh_token_create_from_json(*json);
290 if (grpc_auth_refresh_token_is_valid(&token)) {
291 *creds =
292 grpc_refresh_token_credentials_create_from_auth_refresh_token(token);
293 if (*creds == nullptr) {
294 return GRPC_ERROR_CREATE(
295 "grpc_refresh_token_credentials_create_from_auth_refresh_token "
296 "failed");
297 }
298 return absl::OkStatus();
299 }
300 // Use external creds.
301 auto external_creds =
302 grpc_core::ExternalAccountCredentials::Create(*json, {});
303 if (!external_creds.ok()) return external_creds.status();
304 *creds = std::move(*external_creds);
305 return absl::OkStatus();
306 }
307
update_tenancy()308 static void update_tenancy() {
309 gpr_once_init(&g_once, init_default_credentials);
310 grpc_core::MutexLock lock(g_state_mu);
311
312 // Try a platform-provided hint for GCE.
313 if (!g_metadata_server_available) {
314 g_metadata_server_available = g_gce_tenancy_checker();
315 }
316 // TODO(unknown): Add a platform-provided hint for GAE.
317
318 // Do a network test for metadata server.
319 if (!g_metadata_server_available) {
320 g_metadata_server_available = is_metadata_server_reachable();
321 }
322 }
323
metadata_server_available()324 static bool metadata_server_available() {
325 grpc_core::MutexLock lock(g_state_mu);
326 return static_cast<bool>(g_metadata_server_available);
327 }
328
make_default_call_creds(grpc_error_handle * error)329 static grpc_core::RefCountedPtr<grpc_call_credentials> make_default_call_creds(
330 grpc_error_handle* error) {
331 grpc_core::RefCountedPtr<grpc_call_credentials> call_creds;
332 grpc_error_handle err;
333
334 // First, try the environment variable.
335 auto path_from_env = grpc_core::GetEnv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR);
336 if (path_from_env.has_value()) {
337 err = create_default_creds_from_path(*path_from_env, &call_creds);
338 if (err.ok()) return call_creds;
339 *error = grpc_error_add_child(*error, err);
340 }
341
342 // Then the well-known file.
343 err = create_default_creds_from_path(
344 grpc_get_well_known_google_credentials_file_path(), &call_creds);
345 if (err.ok()) return call_creds;
346 *error = grpc_error_add_child(*error, err);
347
348 update_tenancy();
349
350 if (metadata_server_available()) {
351 call_creds = grpc_core::RefCountedPtr<grpc_call_credentials>(
352 grpc_google_compute_engine_credentials_create(nullptr));
353 if (call_creds == nullptr) {
354 *error = GRPC_ERROR_CREATE(GRPC_GOOGLE_CREDENTIAL_CREATION_ERROR);
355 *error = grpc_error_add_child(
356 *error, GRPC_ERROR_CREATE("Failed to get credentials from network"));
357 }
358 }
359
360 return call_creds;
361 }
362
grpc_google_default_credentials_create(grpc_call_credentials * call_credentials)363 grpc_channel_credentials* grpc_google_default_credentials_create(
364 grpc_call_credentials* call_credentials) {
365 grpc_channel_credentials* result = nullptr;
366 grpc_core::RefCountedPtr<grpc_call_credentials> call_creds(call_credentials);
367 grpc_error_handle error;
368 grpc_core::ExecCtx exec_ctx;
369
370 GRPC_TRACE_LOG(api, INFO)
371 << "grpc_google_default_credentials_create(" << call_credentials << ")";
372
373 if (call_creds == nullptr) {
374 call_creds = make_default_call_creds(&error);
375 }
376
377 if (call_creds != nullptr) {
378 // Create google default credentials.
379 grpc_channel_credentials* ssl_creds =
380 grpc_ssl_credentials_create(nullptr, nullptr, nullptr, nullptr);
381 CHECK_NE(ssl_creds, nullptr);
382 grpc_alts_credentials_options* options =
383 grpc_alts_credentials_client_options_create();
384 grpc_channel_credentials* alts_creds =
385 grpc_alts_credentials_create(options);
386 grpc_alts_credentials_options_destroy(options);
387 auto creds =
388 grpc_core::MakeRefCounted<grpc_google_default_channel_credentials>(
389 grpc_core::RefCountedPtr<grpc_channel_credentials>(alts_creds),
390 grpc_core::RefCountedPtr<grpc_channel_credentials>(ssl_creds));
391 result = grpc_composite_channel_credentials_create(
392 creds.get(), call_creds.get(), nullptr);
393 CHECK_NE(result, nullptr);
394 } else {
395 LOG(ERROR) << "Could not create google default credentials: "
396 << grpc_core::StatusToString(error);
397 }
398 return result;
399 }
400
401 namespace grpc_core {
402 namespace internal {
403
set_gce_tenancy_checker_for_testing(grpc_gce_tenancy_checker checker)404 void set_gce_tenancy_checker_for_testing(grpc_gce_tenancy_checker checker) {
405 g_gce_tenancy_checker = checker;
406 }
407
grpc_flush_cached_google_default_credentials(void)408 void grpc_flush_cached_google_default_credentials(void) {
409 ExecCtx exec_ctx;
410 gpr_once_init(&g_once, init_default_credentials);
411 MutexLock lock(g_state_mu);
412 g_metadata_server_available = 0;
413 }
414
415 } // namespace internal
416 } // namespace grpc_core
417
418 // -- Well known credentials path. --
419
420 static grpc_well_known_credentials_path_getter creds_path_getter = nullptr;
421
grpc_get_well_known_google_credentials_file_path(void)422 std::string grpc_get_well_known_google_credentials_file_path(void) {
423 if (creds_path_getter != nullptr) return creds_path_getter();
424 return grpc_get_well_known_google_credentials_file_path_impl();
425 }
426
grpc_override_well_known_credentials_path_getter(grpc_well_known_credentials_path_getter getter)427 void grpc_override_well_known_credentials_path_getter(
428 grpc_well_known_credentials_path_getter getter) {
429 creds_path_getter = getter;
430 }
431