1 //
2 // Copyright 2020 gRPC authors.
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //     http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_EXTERNAL_ACCOUNT_CREDENTIALS_H
18 #define GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_EXTERNAL_ACCOUNT_CREDENTIALS_H
19 
#include <grpc/support/port_platform.h>

#include <functional>
#include <string>
#include <vector>

#include "src/core/lib/json/json.h"
#include "src/core/lib/security/credentials/oauth2/oauth2_credentials.h"
27 
28 namespace grpc_core {
29 
// Base external account credentials. The base class implements the common
// logic for exchanging external account credentials for a GCP access token
// used to authorize requests to GCP APIs. The specific logic for retrieving
// the subject token is implemented in subclasses.
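class ExternalAccountCredentials
    : public grpc_oauth2_token_fetcher_credentials {
 public:
  // External account credentials json interface. The fields mirror the keys
  // of the external-account credential configuration; `credential_source` is
  // kept as raw Json because its shape depends on the subclass that reads it.
  struct Options {
    std::string type;
    std::string audience;
    std::string subject_token_type;
    // Endpoints this credential will send tokens to. Both come from the
    // configuration JSON; this header does not show where (or whether) they
    // are validated before use — confirm in Create() / the .cc implementation.
    std::string service_account_impersonation_url;
    std::string token_url;
    std::string token_info_url;
    Json credential_source;
    std::string quota_project_id;
    std::string client_id;
    // Secret material: must not appear in logs or debug output.
    std::string client_secret;
  };

  // Builds a credentials object from the parsed configuration `json` and the
  // requested `scopes`. Presumably parse/validation failures are reported
  // through the `error` out-parameter and a null pointer is returned — the
  // definition is not in this header, confirm in the .cc.
  static RefCountedPtr<ExternalAccountCredentials> Create(
      const Json& json, std::vector<std::string> scopes, grpc_error** error);

  ExternalAccountCredentials(Options options, std::vector<std::string> scopes);
  ~ExternalAccountCredentials() override;
  // NOTE(review): the implementation is not visible here; confirm that the
  // returned string never includes `client_secret` or fetched tokens.
  std::string debug_string() override;

 protected:
  // This is a helper struct to pass information between multiple callback based
  // asynchronous calls.
  struct HTTPRequestContext {
    HTTPRequestContext(grpc_httpcli_context* httpcli_context,
                       grpc_polling_entity* pollent, grpc_millis deadline)
        : httpcli_context(httpcli_context),
          pollent(pollent),
          deadline(deadline) {}
    // Releases whatever `response` holds. `response` is value-initialized
    // below, so this is well-defined even when the context is torn down
    // before any HTTP request filled it in (e.g. an early subject-token
    // failure). The destructor frees `response`; copying a context would
    // therefore free it twice, so instances should not be copied.
    ~HTTPRequestContext() { grpc_http_response_destroy(&response); }

    // Contextual parameters passed from
    // grpc_oauth2_token_fetcher_credentials::fetch_oauth2().
    grpc_httpcli_context* httpcli_context;
    grpc_polling_entity* pollent;
    grpc_millis deadline;

    // Reusable token fetch http response and closure. Both are
    // value-initialized so that the destructor never passes an uninitialized
    // `response` to grpc_http_response_destroy().
    grpc_closure closure{};
    grpc_http_response response{};
  };

  // Subclasses of base external account credentials need to override this
  // method to implement the specific subject token retrieval logic.
  // Once the subject token is ready, subclasses need to invoke
  // the callback function (cb) with the subject token, or with an error,
  // to pass the result back. `ctx` carries the polling entity and deadline
  // the subclass should use for any HTTP work of its own; `options` is the
  // parsed configuration.
  virtual void RetrieveSubjectToken(
      HTTPRequestContext* ctx, const Options& options,
      std::function<void(std::string, grpc_error*)> cb) = 0;

 private:
  // This method implements the common token fetch logic and it will be called
  // when grpc_oauth2_token_fetcher_credentials requests a new access token.
  void fetch_oauth2(grpc_credentials_metadata_request* req,
                    grpc_httpcli_context* httpcli_context,
                    grpc_polling_entity* pollent, grpc_iomgr_cb_func cb,
                    grpc_millis deadline) override;

  // Continuation invoked with the result of RetrieveSubjectToken(). The names
  // of the steps below suggest the flow: exchange the subject token at
  // token_url, then optionally impersonate a service account, then hand the
  // result back via FinishTokenFetch() — confirm the exact ordering and
  // grpc_error ownership against the .cc.
  void OnRetrieveSubjectTokenInternal(absl::string_view subject_token,
                                      grpc_error* error);

  // Token exchange step: static OnExchangeToken() is the iomgr callback that
  // forwards to the instance method.
  void ExchangeToken(absl::string_view subject_token);
  static void OnExchangeToken(void* arg, grpc_error* error);
  void OnExchangeTokenInternal(grpc_error* error);

  // Service-account impersonation step, same callback shape as above.
  // TODO: "Impersenate" is a misspelling of "Impersonate"; renaming also
  // requires updating the definitions in the .cc file.
  void ImpersenateServiceAccount();
  static void OnImpersenateServiceAccount(void* arg, grpc_error* error);
  void OnImpersenateServiceAccountInternal(grpc_error* error);

  // Completes the fetch started by fetch_oauth2(), reporting `error` (or
  // success) to the waiting caller.
  void FinishTokenFetch(grpc_error* error);

  Options options_;
  std::vector<std::string> scopes_;

  // State of the in-flight fetch. Presumably set by fetch_oauth2() and
  // cleared by FinishTokenFetch(); verify against the .cc. Only one fetch is
  // tracked at a time, so concurrent fetches would clobber these.
  HTTPRequestContext* ctx_ = nullptr;
  grpc_credentials_metadata_request* metadata_req_ = nullptr;
  grpc_iomgr_cb_func response_cb_ = nullptr;
};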
117 
118 }  // namespace grpc_core
119 
120 #endif  // GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_EXTERNAL_ACCOUNT_CREDENTIALS_H