• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 //
2 //
3 // Copyright 2016 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 //     http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18 
19 #ifndef GRPC_SRC_CORE_LIB_SECURITY_CREDENTIALS_OAUTH2_OAUTH2_CREDENTIALS_H
20 #define GRPC_SRC_CORE_LIB_SECURITY_CREDENTIALS_OAUTH2_OAUTH2_CREDENTIALS_H
21 
22 #include <grpc/credentials.h>
23 #include <grpc/grpc_security.h>
24 #include <grpc/support/port_platform.h>
25 #include <grpc/support/sync.h>
26 #include <grpc/support/time.h>
27 
28 #include <atomic>
29 #include <string>
30 #include <utility>
31 
32 #include "absl/status/statusor.h"
33 #include "absl/strings/string_view.h"
34 #include "absl/types/optional.h"
35 #include "src/core/lib/iomgr/closure.h"
36 #include "src/core/lib/iomgr/error.h"
37 #include "src/core/lib/iomgr/polling_entity.h"
38 #include "src/core/lib/promise/activity.h"
39 #include "src/core/lib/promise/arena_promise.h"
40 #include "src/core/lib/security/credentials/credentials.h"
41 #include "src/core/lib/security/credentials/token_fetcher/token_fetcher_credentials.h"
42 #include "src/core/lib/slice/slice.h"
43 #include "src/core/lib/transport/transport.h"
44 #include "src/core/util/http_client/httpcli.h"
45 #include "src/core/util/http_client/parser.h"
46 #include "src/core/util/json/json.h"
47 #include "src/core/util/orphanable.h"
48 #include "src/core/util/ref_counted.h"
49 #include "src/core/util/ref_counted_ptr.h"
50 #include "src/core/util/time.h"
51 #include "src/core/util/unique_type_name.h"
52 #include "src/core/util/uri.h"
53 #include "src/core/util/useful.h"
54 
55 // Constants.
56 #define GRPC_STS_POST_MINIMAL_BODY_FORMAT_STRING                               \
57   "grant_type=urn:ietf:params:oauth:grant-type:token-exchange&subject_token=%" \
58   "s&subject_token_type=%s"
59 
60 // auth_refresh_token parsing.
61 struct grpc_auth_refresh_token {
62   const char* type;
63   char* client_id;
64   char* client_secret;
65   char* refresh_token;
66 };
67 /// Returns 1 if the object is valid, 0 otherwise.
68 int grpc_auth_refresh_token_is_valid(
69     const grpc_auth_refresh_token* refresh_token);
70 
71 /// Creates a refresh token object from string. Returns an invalid object if a
72 /// parsing error has been encountered.
73 grpc_auth_refresh_token grpc_auth_refresh_token_create_from_string(
74     const char* json_string);
75 
76 /// Creates a refresh token object from parsed json. Returns an invalid object
77 /// if a parsing error has been encountered.
78 grpc_auth_refresh_token grpc_auth_refresh_token_create_from_json(
79     const grpc_core::Json& json);
80 
81 /// Destructs the object.
82 void grpc_auth_refresh_token_destruct(grpc_auth_refresh_token* refresh_token);
83 
84 // -- Oauth2 Token Fetcher credentials --
85 //
86 //  This object is a base for credentials that need to acquire an oauth2 token
87 //  from an http service.
88 
89 namespace grpc_core {
90 
91 // A base class for oauth2 token fetching credentials.
92 // Subclasses must implement StartHttpRequest().
93 class Oauth2TokenFetcherCredentials : public TokenFetcherCredentials {
94  public:
95   std::string debug_string() override;
96 
97   UniqueTypeName type() const override;
98 
99   OrphanablePtr<FetchRequest> FetchToken(
100       Timestamp deadline,
101       absl::AnyInvocable<
102           void(absl::StatusOr<RefCountedPtr<TokenFetcherCredentials::Token>>)>
103           on_done) final;
104 
105   virtual OrphanablePtr<HttpRequest> StartHttpRequest(
106       grpc_polling_entity* pollent, Timestamp deadline,
107       grpc_http_response* response, grpc_closure* on_complete) = 0;
108 
109  private:
110   class HttpFetchRequest;
111 
cmp_impl(const grpc_call_credentials * other)112   int cmp_impl(const grpc_call_credentials* other) const override {
113     // TODO(yashykt): Check if we can do something better here
114     return QsortCompare(static_cast<const grpc_call_credentials*>(this), other);
115   }
116 };
117 
118 }  // namespace grpc_core
119 
120 // Google refresh token credentials.
121 class grpc_google_refresh_token_credentials final
122     : public grpc_core::Oauth2TokenFetcherCredentials {
123  public:
124   explicit grpc_google_refresh_token_credentials(
125       grpc_auth_refresh_token refresh_token);
126   ~grpc_google_refresh_token_credentials() override;
127 
refresh_token()128   const grpc_auth_refresh_token& refresh_token() const {
129     return refresh_token_;
130   }
131 
132   std::string debug_string() override;
133 
134   grpc_core::UniqueTypeName type() const override;
135 
136  private:
137   grpc_core::OrphanablePtr<grpc_core::HttpRequest> StartHttpRequest(
138       grpc_polling_entity* pollent, grpc_core::Timestamp deadline,
139       grpc_http_response* response, grpc_closure* on_complete) override;
140 
141   grpc_auth_refresh_token refresh_token_;
142 };
143 
144 // Access token credentials.
145 class grpc_access_token_credentials final : public grpc_call_credentials {
146  public:
147   explicit grpc_access_token_credentials(const char* access_token);
148 
Orphaned()149   void Orphaned() override {}
150 
151   grpc_core::ArenaPromise<absl::StatusOr<grpc_core::ClientMetadataHandle>>
152   GetRequestMetadata(grpc_core::ClientMetadataHandle initial_metadata,
153                      const GetRequestMetadataArgs* args) override;
154 
155   std::string debug_string() override;
156 
157   static grpc_core::UniqueTypeName Type();
158 
type()159   grpc_core::UniqueTypeName type() const override { return Type(); }
160 
161  private:
cmp_impl(const grpc_call_credentials * other)162   int cmp_impl(const grpc_call_credentials* other) const override {
163     // TODO(yashykt): Check if we can do something better here
164     return grpc_core::QsortCompare(
165         static_cast<const grpc_call_credentials*>(this), other);
166   }
167 
168   const grpc_core::Slice access_token_value_;
169 };
170 
171 // Private constructor for refresh token credentials from an already parsed
172 // refresh token. Takes ownership of the refresh token.
173 grpc_core::RefCountedPtr<grpc_call_credentials>
174 grpc_refresh_token_credentials_create_from_auth_refresh_token(
175     grpc_auth_refresh_token token);
176 
177 grpc_credentials_status
178 grpc_oauth2_token_fetcher_credentials_parse_server_response_body(
179     absl::string_view body, absl::optional<grpc_core::Slice>* token_value,
180     grpc_core::Duration* token_lifetime);
181 
182 // Exposed for testing only.
183 grpc_credentials_status
184 grpc_oauth2_token_fetcher_credentials_parse_server_response(
185     const struct grpc_http_response* response,
186     absl::optional<grpc_core::Slice>* token_value,
187     grpc_core::Duration* token_lifetime);
188 
189 namespace grpc_core {
190 // Exposed for testing only. This function validates the options, ensuring that
191 // the required fields are set, and outputs the parsed URL of the STS token
192 // exchanged service.
193 absl::StatusOr<URI> ValidateStsCredentialsOptions(
194     const grpc_sts_credentials_options* options);
195 }  // namespace grpc_core
196 
197 #endif  // GRPC_SRC_CORE_LIB_SECURITY_CREDENTIALS_OAUTH2_OAUTH2_CREDENTIALS_H
198