1 /* 2 * 3 * Copyright 2015 gRPC authors. 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 */ 18 19 #ifndef GRPC_GRPC_SECURITY_H 20 #define GRPC_GRPC_SECURITY_H 21 22 #include <grpc/support/port_platform.h> 23 24 #include <grpc/grpc.h> 25 #include <grpc/grpc_security_constants.h> 26 #include <grpc/status.h> 27 28 #ifdef __cplusplus 29 extern "C" { 30 #endif 31 32 /** --- Authentication Context. --- */ 33 34 typedef struct grpc_auth_context grpc_auth_context; 35 36 typedef struct grpc_auth_property_iterator { 37 const grpc_auth_context* ctx; 38 size_t index; 39 const char* name; 40 } grpc_auth_property_iterator; 41 42 /** value, if not NULL, is guaranteed to be NULL terminated. */ 43 typedef struct grpc_auth_property { 44 char* name; 45 char* value; 46 size_t value_length; 47 } grpc_auth_property; 48 49 /** Returns NULL when the iterator is at the end. */ 50 GRPCAPI const grpc_auth_property* grpc_auth_property_iterator_next( 51 grpc_auth_property_iterator* it); 52 53 /** Iterates over the auth context. */ 54 GRPCAPI grpc_auth_property_iterator 55 grpc_auth_context_property_iterator(const grpc_auth_context* ctx); 56 57 /** Gets the peer identity. Returns an empty iterator (first _next will return 58 NULL) if the peer is not authenticated. */ 59 GRPCAPI grpc_auth_property_iterator 60 grpc_auth_context_peer_identity(const grpc_auth_context* ctx); 61 62 /** Finds a property in the context. May return an empty iterator (first _next 63 will return NULL) if no property with this name was found in the context. */ 64 GRPCAPI grpc_auth_property_iterator grpc_auth_context_find_properties_by_name( 65 const grpc_auth_context* ctx, const char* name); 66 67 /** Gets the name of the property that indicates the peer identity. Will return 68 NULL if the peer is not authenticated. */ 69 GRPCAPI const char* grpc_auth_context_peer_identity_property_name( 70 const grpc_auth_context* ctx); 71 72 /** Returns 1 if the peer is authenticated, 0 otherwise. */ 73 GRPCAPI int grpc_auth_context_peer_is_authenticated( 74 const grpc_auth_context* ctx); 75 76 /** Gets the auth context from the call. Caller needs to call 77 grpc_auth_context_release on the returned context. */ 78 GRPCAPI grpc_auth_context* grpc_call_auth_context(grpc_call* call); 79 80 /** Releases the auth context returned from grpc_call_auth_context. */ 81 GRPCAPI void grpc_auth_context_release(grpc_auth_context* context); 82 83 /** -- 84 The following auth context methods should only be called by a server metadata 85 processor to set properties extracted from auth metadata. 86 -- */ 87 88 /** Add a property. */ 89 GRPCAPI void grpc_auth_context_add_property(grpc_auth_context* ctx, 90 const char* name, const char* value, 91 size_t value_length); 92 93 /** Add a C string property. */ 94 GRPCAPI void grpc_auth_context_add_cstring_property(grpc_auth_context* ctx, 95 const char* name, 96 const char* value); 97 98 /** Sets the property name. Returns 1 if successful or 0 in case of failure 99 (which means that no property with this name exists). */ 100 GRPCAPI int grpc_auth_context_set_peer_identity_property_name( 101 grpc_auth_context* ctx, const char* name); 102 103 /** --- SSL Session Cache. --- 104 105 A SSL session cache object represents a way to cache client sessions 106 between connections. Only ticket-based resumption is supported. */ 107 108 typedef struct grpc_ssl_session_cache grpc_ssl_session_cache; 109 110 /** Create LRU cache for client-side SSL sessions with the given capacity. 111 If capacity is < 1, a default capacity is used instead. */ 112 GRPCAPI grpc_ssl_session_cache* grpc_ssl_session_cache_create_lru( 113 size_t capacity); 114 115 /** Destroy SSL session cache. */ 116 GRPCAPI void grpc_ssl_session_cache_destroy(grpc_ssl_session_cache* cache); 117 118 /** Create a channel arg with the given cache object. */ 119 GRPCAPI grpc_arg 120 grpc_ssl_session_cache_create_channel_arg(grpc_ssl_session_cache* cache); 121 122 /** --- grpc_channel_credentials object. --- 123 124 A channel credentials object represents a way to authenticate a client on a 125 channel. */ 126 127 typedef struct grpc_channel_credentials grpc_channel_credentials; 128 129 /** Releases a channel credentials object. 130 The creator of the credentials object is responsible for its release. */ 131 GRPCAPI void grpc_channel_credentials_release(grpc_channel_credentials* creds); 132 133 /** Creates default credentials to connect to a google gRPC service. 134 WARNING: Do NOT use this credentials to connect to a non-google service as 135 this could result in an oauth2 token leak. */ 136 GRPCAPI grpc_channel_credentials* grpc_google_default_credentials_create(void); 137 138 /** Callback for getting the SSL roots override from the application. 139 In case of success, *pem_roots_certs must be set to a NULL terminated string 140 containing the list of PEM encoded root certificates. The ownership is passed 141 to the core and freed (laster by the core) with gpr_free. 142 If this function fails and GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment is 143 set to a valid path, it will override the roots specified this func */ 144 typedef grpc_ssl_roots_override_result (*grpc_ssl_roots_override_callback)( 145 char** pem_root_certs); 146 147 /** Setup a callback to override the default TLS/SSL roots. 148 This function is not thread-safe and must be called at initialization time 149 before any ssl credentials are created to have the desired side effect. 150 If GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment is set to a valid path, the 151 callback will not be called. */ 152 GRPCAPI void grpc_set_ssl_roots_override_callback( 153 grpc_ssl_roots_override_callback cb); 154 155 /** Object that holds a private key / certificate chain pair in PEM format. */ 156 typedef struct { 157 /** private_key is the NULL-terminated string containing the PEM encoding of 158 the client's private key. */ 159 const char* private_key; 160 161 /** cert_chain is the NULL-terminated string containing the PEM encoding of 162 the client's certificate chain. */ 163 const char* cert_chain; 164 } grpc_ssl_pem_key_cert_pair; 165 166 /** Object that holds additional peer-verification options on a secure 167 channel. */ 168 typedef struct { 169 /** If non-NULL this callback will be invoked with the expected 170 target_name, the peer's certificate (in PEM format), and whatever 171 userdata pointer is set below. If a non-zero value is returned by this 172 callback then it is treated as a verification failure. Invocation of 173 the callback is blocking, so any implementation should be light-weight. 174 */ 175 int (*verify_peer_callback)(const char* target_name, const char* peer_pem, 176 void* userdata); 177 /** Arbitrary userdata that will be passed as the last argument to 178 verify_peer_callback. */ 179 void* verify_peer_callback_userdata; 180 /** A destruct callback that will be invoked when the channel is being 181 cleaned up. The userdata argument will be passed to it. The intent is 182 to perform any cleanup associated with that userdata. */ 183 void (*verify_peer_destruct)(void* userdata); 184 } verify_peer_options; 185 186 /** Creates an SSL credentials object. 187 - pem_root_certs is the NULL-terminated string containing the PEM encoding 188 of the server root certificates. If this parameter is NULL, the 189 implementation will first try to dereference the file pointed by the 190 GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable, and if that fails, 191 try to get the roots set by grpc_override_ssl_default_roots. Eventually, 192 if all these fail, it will try to get the roots from a well-known place on 193 disk (in the grpc install directory). 194 - pem_key_cert_pair is a pointer on the object containing client's private 195 key and certificate chain. This parameter can be NULL if the client does 196 not have such a key/cert pair. 197 - verify_options is an optional verify_peer_options object which holds 198 additional options controlling how peer certificates are verified. For 199 example, you can supply a callback which receives the peer's certificate 200 with which you can do additional verification. Can be NULL, in which 201 case verification will retain default behavior. Any settings in 202 verify_options are copied during this call, so the verify_options 203 object can be released afterwards. */ 204 GRPCAPI grpc_channel_credentials* grpc_ssl_credentials_create( 205 const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair, 206 const verify_peer_options* verify_options, void* reserved); 207 208 /** --- grpc_call_credentials object. 209 210 A call credentials object represents a way to authenticate on a particular 211 call. These credentials can be composed with a channel credentials object 212 so that they are sent with every call on this channel. */ 213 214 typedef struct grpc_call_credentials grpc_call_credentials; 215 216 /** Releases a call credentials object. 217 The creator of the credentials object is responsible for its release. */ 218 GRPCAPI void grpc_call_credentials_release(grpc_call_credentials* creds); 219 220 /** Creates a composite channel credentials object. */ 221 GRPCAPI grpc_channel_credentials* grpc_composite_channel_credentials_create( 222 grpc_channel_credentials* channel_creds, grpc_call_credentials* call_creds, 223 void* reserved); 224 225 /** Creates a composite call credentials object. */ 226 GRPCAPI grpc_call_credentials* grpc_composite_call_credentials_create( 227 grpc_call_credentials* creds1, grpc_call_credentials* creds2, 228 void* reserved); 229 230 /** Creates a compute engine credentials object for connecting to Google. 231 WARNING: Do NOT use this credentials to connect to a non-google service as 232 this could result in an oauth2 token leak. */ 233 GRPCAPI grpc_call_credentials* grpc_google_compute_engine_credentials_create( 234 void* reserved); 235 236 GRPCAPI gpr_timespec grpc_max_auth_token_lifetime(void); 237 238 /** Creates a JWT credentials object. May return NULL if the input is invalid. 239 - json_key is the JSON key string containing the client's private key. 240 - token_lifetime is the lifetime of each Json Web Token (JWT) created with 241 this credentials. It should not exceed grpc_max_auth_token_lifetime or 242 will be cropped to this value. */ 243 GRPCAPI grpc_call_credentials* 244 grpc_service_account_jwt_access_credentials_create(const char* json_key, 245 gpr_timespec token_lifetime, 246 void* reserved); 247 248 /** Creates an Oauth2 Refresh Token credentials object for connecting to Google. 249 May return NULL if the input is invalid. 250 WARNING: Do NOT use this credentials to connect to a non-google service as 251 this could result in an oauth2 token leak. 252 - json_refresh_token is the JSON string containing the refresh token itself 253 along with a client_id and client_secret. */ 254 GRPCAPI grpc_call_credentials* grpc_google_refresh_token_credentials_create( 255 const char* json_refresh_token, void* reserved); 256 257 /** Creates an Oauth2 Access Token credentials with an access token that was 258 aquired by an out of band mechanism. */ 259 GRPCAPI grpc_call_credentials* grpc_access_token_credentials_create( 260 const char* access_token, void* reserved); 261 262 /** Creates an IAM credentials object for connecting to Google. */ 263 GRPCAPI grpc_call_credentials* grpc_google_iam_credentials_create( 264 const char* authorization_token, const char* authority_selector, 265 void* reserved); 266 267 /** Callback function to be called by the metadata credentials plugin 268 implementation when the metadata is ready. 269 - user_data is the opaque pointer that was passed in the get_metadata method 270 of the grpc_metadata_credentials_plugin (see below). 271 - creds_md is an array of credentials metadata produced by the plugin. It 272 may be set to NULL in case of an error. 273 - num_creds_md is the number of items in the creds_md array. 274 - status must be GRPC_STATUS_OK in case of success or another specific error 275 code otherwise. 276 - error_details contains details about the error if any. In case of success 277 it should be NULL and will be otherwise ignored. */ 278 typedef void (*grpc_credentials_plugin_metadata_cb)( 279 void* user_data, const grpc_metadata* creds_md, size_t num_creds_md, 280 grpc_status_code status, const char* error_details); 281 282 /** Context that can be used by metadata credentials plugin in order to create 283 auth related metadata. */ 284 typedef struct { 285 /** The fully qualifed service url. */ 286 const char* service_url; 287 288 /** The method name of the RPC being called (not fully qualified). 289 The fully qualified method name can be built from the service_url: 290 full_qualified_method_name = ctx->service_url + '/' + ctx->method_name. */ 291 const char* method_name; 292 293 /** The auth_context of the channel which gives the server's identity. */ 294 const grpc_auth_context* channel_auth_context; 295 296 /** Reserved for future use. */ 297 void* reserved; 298 } grpc_auth_metadata_context; 299 300 /** Maximum number of metadata entries returnable by a credentials plugin via 301 a synchronous return. */ 302 #define GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX 4 303 304 /** grpc_metadata_credentials plugin is an API user provided structure used to 305 create grpc_credentials objects that can be set on a channel (composed) or 306 a call. See grpc_credentials_metadata_create_from_plugin below. 307 The grpc client stack will call the get_metadata method of the plugin for 308 every call in scope for the credentials created from it. */ 309 typedef struct { 310 /** The implementation of this method has to be non-blocking, but can 311 be performed synchronously or asynchronously. 312 313 If processing occurs synchronously, returns non-zero and populates 314 creds_md, num_creds_md, status, and error_details. In this case, 315 the caller takes ownership of the entries in creds_md and of 316 error_details. Note that if the plugin needs to return more than 317 GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX entries in creds_md, it must 318 return asynchronously. 319 320 If processing occurs asynchronously, returns zero and invokes \a cb 321 when processing is completed. \a user_data will be passed as the 322 first parameter of the callback. NOTE: \a cb MUST be invoked in a 323 different thread, not from the thread in which \a get_metadata() is 324 invoked. 325 326 \a context is the information that can be used by the plugin to create 327 auth metadata. */ 328 int (*get_metadata)( 329 void* state, grpc_auth_metadata_context context, 330 grpc_credentials_plugin_metadata_cb cb, void* user_data, 331 grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX], 332 size_t* num_creds_md, grpc_status_code* status, 333 const char** error_details); 334 335 /** Destroys the plugin state. */ 336 void (*destroy)(void* state); 337 338 /** State that will be set as the first parameter of the methods above. */ 339 void* state; 340 341 /** Type of credentials that this plugin is implementing. */ 342 const char* type; 343 } grpc_metadata_credentials_plugin; 344 345 /** Creates a credentials object from a plugin. */ 346 GRPCAPI grpc_call_credentials* grpc_metadata_credentials_create_from_plugin( 347 grpc_metadata_credentials_plugin plugin, void* reserved); 348 349 /** --- Secure channel creation. --- */ 350 351 /** Creates a secure channel using the passed-in credentials. Additional 352 channel level configuration MAY be provided by grpc_channel_args, though 353 the expectation is that most clients will want to simply pass NULL. The 354 user data in 'args' need only live through the invocation of this function. 355 However, if any args of the 'pointer' type are passed, then the referenced 356 vtable must be maintained by the caller until grpc_channel_destroy 357 terminates. See grpc_channel_args definition for more on this. */ 358 GRPCAPI grpc_channel* grpc_secure_channel_create( 359 grpc_channel_credentials* creds, const char* target, 360 const grpc_channel_args* args, void* reserved); 361 362 /** --- grpc_server_credentials object. --- 363 364 A server credentials object represents a way to authenticate a server. */ 365 366 typedef struct grpc_server_credentials grpc_server_credentials; 367 368 /** Releases a server_credentials object. 369 The creator of the server_credentials object is responsible for its release. 370 */ 371 GRPCAPI void grpc_server_credentials_release(grpc_server_credentials* creds); 372 373 /** Server certificate config object holds the server's public certificates and 374 associated private keys, as well as any CA certificates needed for client 375 certificate validation (if applicable). Create using 376 grpc_ssl_server_certificate_config_create(). */ 377 typedef struct grpc_ssl_server_certificate_config 378 grpc_ssl_server_certificate_config; 379 380 /** Creates a grpc_ssl_server_certificate_config object. 381 - pem_roots_cert is the NULL-terminated string containing the PEM encoding of 382 the client root certificates. This parameter may be NULL if the server does 383 not want the client to be authenticated with SSL. 384 - pem_key_cert_pairs is an array private key / certificate chains of the 385 server. This parameter cannot be NULL. 386 - num_key_cert_pairs indicates the number of items in the private_key_files 387 and cert_chain_files parameters. It must be at least 1. 388 - It is the caller's responsibility to free this object via 389 grpc_ssl_server_certificate_config_destroy(). */ 390 GRPCAPI grpc_ssl_server_certificate_config* 391 grpc_ssl_server_certificate_config_create( 392 const char* pem_root_certs, 393 const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, 394 size_t num_key_cert_pairs); 395 396 /** Destroys a grpc_ssl_server_certificate_config object. */ 397 GRPCAPI void grpc_ssl_server_certificate_config_destroy( 398 grpc_ssl_server_certificate_config* config); 399 400 /** Callback to retrieve updated SSL server certificates, private keys, and 401 trusted CAs (for client authentication). 402 - user_data parameter, if not NULL, contains opaque data to be used by the 403 callback. 404 - Use grpc_ssl_server_certificate_config_create to create the config. 405 - The caller assumes ownership of the config. */ 406 typedef grpc_ssl_certificate_config_reload_status ( 407 *grpc_ssl_server_certificate_config_callback)( 408 void* user_data, grpc_ssl_server_certificate_config** config); 409 410 /** Deprecated in favor of grpc_ssl_server_credentials_create_ex. 411 Creates an SSL server_credentials object. 412 - pem_roots_cert is the NULL-terminated string containing the PEM encoding of 413 the client root certificates. This parameter may be NULL if the server does 414 not want the client to be authenticated with SSL. 415 - pem_key_cert_pairs is an array private key / certificate chains of the 416 server. This parameter cannot be NULL. 417 - num_key_cert_pairs indicates the number of items in the private_key_files 418 and cert_chain_files parameters. It should be at least 1. 419 - force_client_auth, if set to non-zero will force the client to authenticate 420 with an SSL cert. Note that this option is ignored if pem_root_certs is 421 NULL. */ 422 GRPCAPI grpc_server_credentials* grpc_ssl_server_credentials_create( 423 const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, 424 size_t num_key_cert_pairs, int force_client_auth, void* reserved); 425 426 /** Deprecated in favor of grpc_ssl_server_credentials_create_with_options. 427 Same as grpc_ssl_server_credentials_create method except uses 428 grpc_ssl_client_certificate_request_type enum to support more ways to 429 authenticate client cerificates.*/ 430 GRPCAPI grpc_server_credentials* grpc_ssl_server_credentials_create_ex( 431 const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, 432 size_t num_key_cert_pairs, 433 grpc_ssl_client_certificate_request_type client_certificate_request, 434 void* reserved); 435 436 typedef struct grpc_ssl_server_credentials_options 437 grpc_ssl_server_credentials_options; 438 439 /** Creates an options object using a certificate config. Use this method when 440 the certificates and keys of the SSL server will not change during the 441 server's lifetime. 442 - Takes ownership of the certificate_config parameter. */ 443 GRPCAPI grpc_ssl_server_credentials_options* 444 grpc_ssl_server_credentials_create_options_using_config( 445 grpc_ssl_client_certificate_request_type client_certificate_request, 446 grpc_ssl_server_certificate_config* certificate_config); 447 448 /** Creates an options object using a certificate config fetcher. Use this 449 method to reload the certificates and keys of the SSL server without 450 interrupting the operation of the server. Initial certificate config will be 451 fetched during server initialization. 452 - user_data parameter, if not NULL, contains opaque data which will be passed 453 to the fetcher (see definition of 454 grpc_ssl_server_certificate_config_callback). */ 455 GRPCAPI grpc_ssl_server_credentials_options* 456 grpc_ssl_server_credentials_create_options_using_config_fetcher( 457 grpc_ssl_client_certificate_request_type client_certificate_request, 458 grpc_ssl_server_certificate_config_callback cb, void* user_data); 459 460 /** Destroys a grpc_ssl_server_credentials_options object. */ 461 GRPCAPI void grpc_ssl_server_credentials_options_destroy( 462 grpc_ssl_server_credentials_options* options); 463 464 /** Creates an SSL server_credentials object using the provided options struct. 465 - Takes ownership of the options parameter. */ 466 GRPCAPI grpc_server_credentials* 467 grpc_ssl_server_credentials_create_with_options( 468 grpc_ssl_server_credentials_options* options); 469 470 /** --- Server-side secure ports. --- */ 471 472 /** Add a HTTP2 over an encrypted link over tcp listener. 473 Returns bound port number on success, 0 on failure. 474 REQUIRES: server not started */ 475 GRPCAPI int grpc_server_add_secure_http2_port(grpc_server* server, 476 const char* addr, 477 grpc_server_credentials* creds); 478 479 /** --- Call specific credentials. --- */ 480 481 /** Sets a credentials to a call. Can only be called on the client side before 482 grpc_call_start_batch. */ 483 GRPCAPI grpc_call_error grpc_call_set_credentials(grpc_call* call, 484 grpc_call_credentials* creds); 485 486 /** --- Auth Metadata Processing --- */ 487 488 /** Callback function that is called when the metadata processing is done. 489 - Consumed metadata will be removed from the set of metadata available on the 490 call. consumed_md may be NULL if no metadata has been consumed. 491 - Response metadata will be set on the response. response_md may be NULL. 492 - status is GRPC_STATUS_OK for success or a specific status for an error. 493 Common error status for auth metadata processing is either 494 GRPC_STATUS_UNAUTHENTICATED in case of an authentication failure or 495 GRPC_STATUS PERMISSION_DENIED in case of an authorization failure. 496 - error_details gives details about the error. May be NULL. */ 497 typedef void (*grpc_process_auth_metadata_done_cb)( 498 void* user_data, const grpc_metadata* consumed_md, size_t num_consumed_md, 499 const grpc_metadata* response_md, size_t num_response_md, 500 grpc_status_code status, const char* error_details); 501 502 /** Pluggable server-side metadata processor object. */ 503 typedef struct { 504 /** The context object is read/write: it contains the properties of the 505 channel peer and it is the job of the process function to augment it with 506 properties derived from the passed-in metadata. 507 The lifetime of these objects is guaranteed until cb is invoked. */ 508 void (*process)(void* state, grpc_auth_context* context, 509 const grpc_metadata* md, size_t num_md, 510 grpc_process_auth_metadata_done_cb cb, void* user_data); 511 void (*destroy)(void* state); 512 void* state; 513 } grpc_auth_metadata_processor; 514 515 GRPCAPI void grpc_server_credentials_set_auth_metadata_processor( 516 grpc_server_credentials* creds, grpc_auth_metadata_processor processor); 517 518 /** --- ALTS channel/server credentials --- **/ 519 520 /** 521 * Main interface for ALTS credentials options. The options will contain 522 * information that will be passed from grpc to TSI layer such as RPC protocol 523 * versions. ALTS client (channel) and server credentials will have their own 524 * implementation of this interface. The APIs listed in this header are 525 * thread-compatible. It is used for experimental purpose for now and subject 526 * to change. 527 */ 528 typedef struct grpc_alts_credentials_options grpc_alts_credentials_options; 529 530 /** 531 * This method creates a grpc ALTS credentials client options instance. 532 * It is used for experimental purpose for now and subject to change. 533 */ 534 GRPCAPI grpc_alts_credentials_options* 535 grpc_alts_credentials_client_options_create(void); 536 537 /** 538 * This method creates a grpc ALTS credentials server options instance. 539 * It is used for experimental purpose for now and subject to change. 540 */ 541 GRPCAPI grpc_alts_credentials_options* 542 grpc_alts_credentials_server_options_create(void); 543 544 /** 545 * This method adds a target service account to grpc client's ALTS credentials 546 * options instance. It is used for experimental purpose for now and subject 547 * to change. 548 * 549 * - options: grpc ALTS credentials options instance. 550 * - service_account: service account of target endpoint. 551 */ 552 GRPCAPI void grpc_alts_credentials_client_options_add_target_service_account( 553 grpc_alts_credentials_options* options, const char* service_account); 554 555 /** 556 * This method destroys a grpc_alts_credentials_options instance by 557 * de-allocating all of its occupied memory. It is used for experimental purpose 558 * for now and subject to change. 559 * 560 * - options: a grpc_alts_credentials_options instance that needs to be 561 * destroyed. 562 */ 563 GRPCAPI void grpc_alts_credentials_options_destroy( 564 grpc_alts_credentials_options* options); 565 566 /** 567 * This method creates an ALTS channel credential object. It is used for 568 * experimental purpose for now and subject to change. 569 * 570 * - options: grpc ALTS credentials options instance for client. 571 * 572 * It returns the created ALTS channel credential object. 573 */ 574 GRPCAPI grpc_channel_credentials* grpc_alts_credentials_create( 575 const grpc_alts_credentials_options* options); 576 577 /** 578 * This method creates an ALTS server credential object. It is used for 579 * experimental purpose for now and subject to change. 580 * 581 * - options: grpc ALTS credentials options instance for server. 582 * 583 * It returns the created ALTS server credential object. 584 */ 585 GRPCAPI grpc_server_credentials* grpc_alts_server_credentials_create( 586 const grpc_alts_credentials_options* options); 587 588 /** --- Local channel/server credentials --- **/ 589 590 /** 591 * This method creates a local channel credential object. It is used for 592 * experimental purpose for now and subject to change. 593 * 594 * - type: local connection type 595 * 596 * It returns the created local channel credential object. 597 */ 598 GRPCAPI grpc_channel_credentials* grpc_local_credentials_create( 599 grpc_local_connect_type type); 600 601 /** 602 * This method creates a local server credential object. It is used for 603 * experimental purpose for now and subject to change. 604 * 605 * - type: local connection type 606 * 607 * It returns the created local server credential object. 608 */ 609 GRPCAPI grpc_server_credentials* grpc_local_server_credentials_create( 610 grpc_local_connect_type type); 611 612 #ifdef __cplusplus 613 } 614 #endif 615 616 #endif /* GRPC_GRPC_SECURITY_H */ 617