/*
 *
 * Copyright 2015 gRPC authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */

/* Internal credentials model shared by the channel-, call- and server-side
   credential implementations: vtable-based credential objects, refcount
   helpers, channel-arg plumbing, and the constants (type names, metadata
   keys, token-endpoint hosts/paths, POST body templates) that the
   OAuth2/JWT/IAM implementations rely on. */

#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_CREDENTIALS_H
#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_CREDENTIALS_H

#include <grpc/support/port_platform.h>

#include <grpc/grpc.h>
#include <grpc/grpc_security.h>
#include <grpc/support/sync.h>
#include "src/core/lib/transport/metadata_batch.h"

#include "src/core/lib/http/httpcli.h"
#include "src/core/lib/http/parser.h"
#include "src/core/lib/iomgr/polling_entity.h"
#include "src/core/lib/security/security_connector/security_connector.h"

/* Forward declaration. Note that grpc_credentials_metadata_request (at the
   bottom of this file) embeds a grpc_http_response by value, so the complete
   type must already be supplied by the http headers included above. */
struct grpc_http_response;

/* --- Constants. --- */

/* Outcome of a credentials operation. */
typedef enum {
  GRPC_CREDENTIALS_OK = 0,
  GRPC_CREDENTIALS_ERROR
} grpc_credentials_status;

#define GRPC_FAKE_TRANSPORT_SECURITY_TYPE "fake"

/* Implementation names for the credential objects declared below (presumably
   the values stored in their `type` field). The Fake* entries are, per their
   names, test doubles rather than a real transport-security mechanism. */
#define GRPC_CHANNEL_CREDENTIALS_TYPE_SSL "Ssl"
#define GRPC_CHANNEL_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY \
  "FakeTransportSecurity"
#define GRPC_CHANNEL_CREDENTIALS_TYPE_GOOGLE_DEFAULT "GoogleDefault"

#define GRPC_CALL_CREDENTIALS_TYPE_OAUTH2 "Oauth2"
#define GRPC_CALL_CREDENTIALS_TYPE_JWT "Jwt"
#define GRPC_CALL_CREDENTIALS_TYPE_IAM "Iam"
#define GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE "Composite"

/* Metadata (header) key names used by the call credentials implementations.
   The two IAM keys carry the IAM authorization token and the authority
   selector respectively. */
#define GRPC_AUTHORIZATION_METADATA_KEY "authorization"
#define GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY \
  "x-goog-iam-authorization-token"
#define GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY "x-goog-iam-authority-selector"

/* NOTE(review): by its name, a cached token is considered due for refresh
   once it is within this many seconds of expiry — confirm against the
   OAuth2 implementation, which is where the value is consumed. */
#define GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS 60

/* Compute Engine metadata server: host and path that serve an access token
   for the instance's default service account. */
#define GRPC_COMPUTE_ENGINE_METADATA_HOST "metadata.google.internal"
#define GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH \
  "/computeMetadata/v1/instance/service-accounts/default/token"

/* Google OAuth2 token endpoint. */
#define GRPC_GOOGLE_OAUTH2_SERVICE_HOST "www.googleapis.com"
#define GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH "/oauth2/v3/token"

/* Form body prefix for a JWT-bearer grant: the percent-encoded grant_type
   decodes to urn:ietf:params:oauth:grant-type:jwt-bearer, and the signed JWT
   is appended after "assertion=". */
#define GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX \
  "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&" \
  "assertion="

/* printf-style body for a refresh_token grant; the three %s are client_id,
   client_secret and refresh_token, in that order. NOTE(review): the values
   are substituted verbatim by this template, so the caller must make sure
   they are form-encoded (a '&' or '=' inside a value would alter the
   request) — confirm at the use site. */
#define GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING \
  "client_id=%s&client_secret=%s&refresh_token=%s&grant_type=refresh_token"

/* --- Google utils --- */

/* Returns the path of the well-known Google credentials file, or NULL.
   It is the caller's responsibility to gpr_free the result if not NULL. */
char* grpc_get_well_known_google_credentials_file_path(void);

/* Implementation function for the different platforms; the default getter
   behind grpc_get_well_known_google_credentials_file_path(). */
char* grpc_get_well_known_google_credentials_file_path_impl(void);

/* Override for testing only. Not thread-safe: the getter is process-wide
   state replaced without any synchronization. */
typedef char* (*grpc_well_known_credentials_path_getter)(void);
void grpc_override_well_known_credentials_path_getter(
    grpc_well_known_credentials_path_getter getter);

/* --- grpc_channel_credentials. --- */

/* Channel-arg key under which channel credentials travel in grpc_channel_args
   (see grpc_channel_credentials_to_arg / _from_arg / _find_in_args). */
#define GRPC_ARG_CHANNEL_CREDENTIALS "grpc.channel_credentials"

/* Per-implementation operations of a channel credentials object. */
typedef struct {
  /* Tears down implementation-specific state; presumably invoked when the
     last reference is dropped (see grpc_channel_credentials_unref). */
  void (*destruct)(grpc_channel_credentials* c);

  /* Builds the channel security connector for `target`; may hand back new
     channel args through `new_args`. Ownership rules are documented on
     grpc_channel_credentials_create_security_connector() below. */
  grpc_security_status (*create_security_connector)(
      grpc_channel_credentials* c, grpc_call_credentials* call_creds,
      const char* target, const grpc_channel_args* args,
      grpc_channel_security_connector** sc, grpc_channel_args** new_args);

  /* Returns a copy of the credentials with any attached call credentials
     removed (see grpc_channel_credentials_duplicate_without_call_credentials
     below). */
  grpc_channel_credentials* (*duplicate_without_call_credentials)(
      grpc_channel_credentials* c);
} grpc_channel_credentials_vtable;

/* Base object that every channel credentials implementation starts with. */
struct grpc_channel_credentials {
  const grpc_channel_credentials_vtable* vtable;
  const char* type; /* implementation name; see GRPC_CHANNEL_CREDENTIALS_TYPE_* */
  gpr_refcount refcount;
};

/* Reference counting; ref returns its argument for chaining. */
grpc_channel_credentials* grpc_channel_credentials_ref(
    grpc_channel_credentials* creds);
void grpc_channel_credentials_unref(grpc_channel_credentials* creds);

/* Creates a security connector for the channel. May also create new channel
   args for the channel to be used in place of the passed in const args if
   returned non NULL. In that case the caller is responsible for destroying
   new_args after channel creation. */
grpc_security_status grpc_channel_credentials_create_security_connector(
    grpc_channel_credentials* creds, const char* target,
    const grpc_channel_args* args, grpc_channel_security_connector** sc,
    grpc_channel_args** new_args);

/* Creates a version of the channel credentials without any attached call
   credentials. This can be used in order to open a channel to a non-trusted
   gRPC load balancer, so that per-call tokens are never sent to it. */
grpc_channel_credentials*
grpc_channel_credentials_duplicate_without_call_credentials(
    grpc_channel_credentials* creds);

/* Util to encapsulate the channel credentials in a channel arg. */
grpc_arg grpc_channel_credentials_to_arg(grpc_channel_credentials* credentials);

/* Util to get the channel credentials from a channel arg. */
grpc_channel_credentials* grpc_channel_credentials_from_arg(
    const grpc_arg* arg);

/* Util to find the channel credentials from channel args. */
grpc_channel_credentials* grpc_channel_credentials_find_in_args(
    const grpc_channel_args* args);

/* --- grpc_credentials_mdelem_array. --- */

/* Growable list of metadata elements produced by call credentials. Only the
   element pointer and the count are stored; there is no separate capacity
   field. */
typedef struct {
  grpc_mdelem* md;
  size_t size;
} grpc_credentials_mdelem_array;

/// Appends \a md to \a list, taking a new ref to \a md.
void grpc_credentials_mdelem_array_add(grpc_credentials_mdelem_array* list,
                                       grpc_mdelem md);

/// Appends all elements from \a src to \a dst, taking a new ref to each one.
void grpc_credentials_mdelem_array_append(grpc_credentials_mdelem_array* dst,
                                          grpc_credentials_mdelem_array* src);

/// Releases the storage of \a list (presumably unref'ing each element, to
/// balance the refs taken by _add/_append — confirm in the implementation).
void grpc_credentials_mdelem_array_destroy(grpc_credentials_mdelem_array* list);

/* --- grpc_call_credentials. --- */

/* Per-implementation operations of a call credentials object. */
typedef struct {
  void (*destruct)(grpc_call_credentials* c);
  /* Same contract as grpc_call_credentials_get_request_metadata() below. */
  bool (*get_request_metadata)(grpc_call_credentials* c,
                               grpc_polling_entity* pollent,
                               grpc_auth_metadata_context context,
                               grpc_credentials_mdelem_array* md_array,
                               grpc_closure* on_request_metadata,
                               grpc_error** error);
  /* Same contract as grpc_call_credentials_cancel_get_request_metadata()
     below. */
  void (*cancel_get_request_metadata)(grpc_call_credentials* c,
                                      grpc_credentials_mdelem_array* md_array,
                                      grpc_error* error);
} grpc_call_credentials_vtable;

/* Base object that every call credentials implementation starts with. */
struct grpc_call_credentials {
  const grpc_call_credentials_vtable* vtable;
  const char* type; /* implementation name; see GRPC_CALL_CREDENTIALS_TYPE_* */
  gpr_refcount refcount;
};

/* Reference counting; ref returns its argument for chaining. */
grpc_call_credentials* grpc_call_credentials_ref(grpc_call_credentials* creds);
void grpc_call_credentials_unref(grpc_call_credentials* creds);

/// Returns true if completed synchronously, in which case \a error will
/// be set to indicate the result. Otherwise, \a on_request_metadata will
/// be invoked asynchronously when complete. \a md_array will be populated
/// with the resulting metadata once complete. Dispatches to the
/// implementation's get_request_metadata vtable entry.
bool grpc_call_credentials_get_request_metadata(
    grpc_call_credentials* creds, grpc_polling_entity* pollent,
    grpc_auth_metadata_context context, grpc_credentials_mdelem_array* md_array,
    grpc_closure* on_request_metadata, grpc_error** error);

/// Cancels a pending asynchronous operation started by
/// grpc_call_credentials_get_request_metadata() with the corresponding
/// value of \a md_array (the array identifies which request to cancel).
void grpc_call_credentials_cancel_get_request_metadata(
    grpc_call_credentials* c, grpc_credentials_mdelem_array* md_array,
    grpc_error* error);

/* Test-only: metadata-only credentials with the specified key and value
   where asynchronicity can be simulated (\a is_async) for testing. */
grpc_call_credentials* grpc_md_only_test_credentials_create(
    const char* md_key, const char* md_value, bool is_async);

/* --- grpc_server_credentials. --- */

/* Per-implementation operations of a server credentials object. */
typedef struct {
  void (*destruct)(grpc_server_credentials* c);
  /* Builds the server-side security connector for these credentials. */
  grpc_security_status (*create_security_connector)(
      grpc_server_credentials* c, grpc_server_security_connector** sc);
} grpc_server_credentials_vtable;

/* Base object that every server credentials implementation starts with. */
struct grpc_server_credentials {
  const grpc_server_credentials_vtable* vtable;
  const char* type;
  gpr_refcount refcount;
  /* Server-side auth metadata processor (public API type); presumably
     installed through grpc_server_credentials_set_auth_metadata_processor()
     — not visible in this header. */
  grpc_auth_metadata_processor processor;
};

/* Dispatches to the implementation's create_security_connector entry. */
grpc_security_status grpc_server_credentials_create_security_connector(
    grpc_server_credentials* creds, grpc_server_security_connector** sc);

/* Reference counting; ref returns its argument for chaining. */
grpc_server_credentials* grpc_server_credentials_ref(
    grpc_server_credentials* creds);

void grpc_server_credentials_unref(grpc_server_credentials* creds);

/* Channel-arg key under which server credentials travel in grpc_channel_args. */
#define GRPC_SERVER_CREDENTIALS_ARG "grpc.server_credentials"

/* Channel-arg helpers, mirroring the grpc_channel_credentials_* ones above. */
grpc_arg grpc_server_credentials_to_arg(grpc_server_credentials* c);
grpc_server_credentials* grpc_server_credentials_from_arg(const grpc_arg* arg);
grpc_server_credentials* grpc_find_server_credentials_in_args(
    const grpc_channel_args* args);

/* -- Credentials Metadata Request. -- */

/* State for one HTTP request made on behalf of `creds` — presumably a token
   fetch. The response is embedded by value, so once it arrives this object
   holds the raw token material. */
typedef struct {
  grpc_call_credentials* creds;
  grpc_http_response response;
} grpc_credentials_metadata_request;

/* Allocates a request bound to `creds`. Whether a ref on `creds` is taken
   here (and released in _destroy) is not visible in this header — confirm. */
grpc_credentials_metadata_request* grpc_credentials_metadata_request_create(
    grpc_call_credentials* creds);

/* Frees `r`. NOTE(review): the embedded response may hold a token; confirm
   the implementation releases it on every path. */
void grpc_credentials_metadata_request_destroy(
    grpc_credentials_metadata_request* r);

#endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_CREDENTIALS_H */