|
|
|
/*
|
|
|
|
*
|
|
|
|
* Copyright 2015 gRPC authors.
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef GRPCPP_SECURITY_CREDENTIALS_H
|
|
|
|
#define GRPCPP_SECURITY_CREDENTIALS_H
|
|
|
|
|
|
|
|
#include <map>
|
|
|
|
#include <memory>
|
|
|
|
#include <vector>
|
|
|
|
|
|
|
|
#include <grpc/grpc_security_constants.h>
|
|
|
|
#include <grpcpp/impl/codegen/client_interceptor.h>
|
|
|
|
#include <grpcpp/impl/codegen/grpc_library.h>
|
|
|
|
#include <grpcpp/security/auth_context.h>
|
|
|
|
#include <grpcpp/support/status.h>
|
|
|
|
#include <grpcpp/support/string_ref.h>
|
|
|
|
|
|
|
|
struct grpc_call;
|
|
|
|
|
|
|
|
namespace grpc {
|
|
|
|
class ChannelArguments;
|
|
|
|
class Channel;
|
|
|
|
class SecureChannelCredentials;
|
|
|
|
class CallCredentials;
|
|
|
|
class SecureCallCredentials;
|
|
|
|
|
|
|
|
class ChannelCredentials;
|
|
|
|
|
|
|
|
namespace experimental {
|
|
|
|
std::shared_ptr<Channel> CreateCustomChannelWithInterceptors(
|
|
|
|
const grpc::string& target,
|
|
|
|
const std::shared_ptr<ChannelCredentials>& creds,
|
|
|
|
const ChannelArguments& args,
|
|
|
|
std::unique_ptr<std::vector<
|
|
|
|
std::unique_ptr<experimental::ClientInterceptorFactoryInterface>>>
|
|
|
|
interceptor_creators);
|
|
|
|
} // namespace experimental
|
|
|
|
|
|
|
|
/// A channel credentials object encapsulates all the state needed by a client
|
|
|
|
/// to authenticate with a server for a given channel.
|
|
|
|
/// It can make various assertions, e.g., about the client’s identity, role
|
|
|
|
/// for all the calls on that channel.
|
|
|
|
///
|
|
|
|
/// \see https://grpc.io/docs/guides/auth.html
|
|
|
|
class ChannelCredentials : private GrpcLibraryCodegen {
|
|
|
|
public:
|
|
|
|
ChannelCredentials();
|
|
|
|
~ChannelCredentials();
|
|
|
|
|
|
|
|
protected:
|
|
|
|
friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
|
|
|
|
const std::shared_ptr<ChannelCredentials>& channel_creds,
|
|
|
|
const std::shared_ptr<CallCredentials>& call_creds);
|
|
|
|
|
|
|
|
virtual SecureChannelCredentials* AsSecureCredentials() = 0;
|
|
|
|
|
|
|
|
private:
|
|
|
|
friend std::shared_ptr<Channel> CreateCustomChannel(
|
|
|
|
const grpc::string& target,
|
|
|
|
const std::shared_ptr<ChannelCredentials>& creds,
|
|
|
|
const ChannelArguments& args);
|
|
|
|
|
|
|
|
friend std::shared_ptr<Channel>
|
|
|
|
experimental::CreateCustomChannelWithInterceptors(
|
|
|
|
const grpc::string& target,
|
|
|
|
const std::shared_ptr<ChannelCredentials>& creds,
|
|
|
|
const ChannelArguments& args,
|
|
|
|
std::unique_ptr<std::vector<
|
|
|
|
std::unique_ptr<experimental::ClientInterceptorFactoryInterface>>>
|
|
|
|
interceptor_creators);
|
|
|
|
|
|
|
|
virtual std::shared_ptr<Channel> CreateChannel(
|
|
|
|
const grpc::string& target, const ChannelArguments& args) = 0;
|
|
|
|
|
|
|
|
// This function should have been a pure virtual function, but it is
|
|
|
|
// implemented as a virtual function so that it does not break API.
|
|
|
|
virtual std::shared_ptr<Channel> CreateChannelWithInterceptors(
|
|
|
|
const grpc::string& target, const ChannelArguments& args,
|
|
|
|
std::unique_ptr<std::vector<
|
|
|
|
std::unique_ptr<experimental::ClientInterceptorFactoryInterface>>>
|
|
|
|
interceptor_creators) {
|
|
|
|
return nullptr;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
/// A call credentials object encapsulates the state needed by a client to
|
|
|
|
/// authenticate with a server for a given call on a channel.
|
|
|
|
///
|
|
|
|
/// \see https://grpc.io/docs/guides/auth.html
|
|
|
|
class CallCredentials : private GrpcLibraryCodegen {
|
|
|
|
public:
|
|
|
|
CallCredentials();
|
|
|
|
~CallCredentials();
|
|
|
|
|
|
|
|
/// Apply this instance's credentials to \a call.
|
|
|
|
virtual bool ApplyToCall(grpc_call* call) = 0;
|
|
|
|
|
|
|
|
protected:
|
|
|
|
friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
|
|
|
|
const std::shared_ptr<ChannelCredentials>& channel_creds,
|
|
|
|
const std::shared_ptr<CallCredentials>& call_creds);
|
|
|
|
|
|
|
|
friend std::shared_ptr<CallCredentials> CompositeCallCredentials(
|
|
|
|
const std::shared_ptr<CallCredentials>& creds1,
|
|
|
|
const std::shared_ptr<CallCredentials>& creds2);
|
|
|
|
|
|
|
|
virtual SecureCallCredentials* AsSecureCredentials() = 0;
|
|
|
|
};
|
|
|
|
|
|
|
|
/// Options used to build SslCredentials.
|
|
|
|
struct SslCredentialsOptions {
|
|
|
|
/// The buffer containing the PEM encoding of the server root certificates. If
|
|
|
|
/// this parameter is empty, the default roots will be used. The default
|
|
|
|
/// roots can be overridden using the \a GRPC_DEFAULT_SSL_ROOTS_FILE_PATH
|
|
|
|
/// environment variable pointing to a file on the file system containing the
|
|
|
|
/// roots.
|
|
|
|
grpc::string pem_root_certs;
|
|
|
|
|
|
|
|
/// The buffer containing the PEM encoding of the client's private key. This
|
|
|
|
/// parameter can be empty if the client does not have a private key.
|
|
|
|
grpc::string pem_private_key;
|
|
|
|
|
|
|
|
/// The buffer containing the PEM encoding of the client's certificate chain.
|
|
|
|
/// This parameter can be empty if the client does not have a certificate
|
|
|
|
/// chain.
|
|
|
|
grpc::string pem_cert_chain;
|
|
|
|
};
|
|
|
|
|
|
|
|
// Factories for building different types of Credentials The functions may
|
|
|
|
// return empty shared_ptr when credentials cannot be created. If a
|
|
|
|
// Credentials pointer is returned, it can still be invalid when used to create
|
|
|
|
// a channel. A lame channel will be created then and all rpcs will fail on it.
|
|
|
|
|
|
|
|
/// Builds credentials with reasonable defaults.
|
|
|
|
///
|
|
|
|
/// \warning Only use these credentials when connecting to a Google endpoint.
|
|
|
|
/// Using these credentials to connect to any other service may result in this
|
|
|
|
/// service being able to impersonate your client for requests to Google
|
|
|
|
/// services.
|
|
|
|
std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials();
|
|
|
|
|
|
|
|
/// Builds SSL Credentials given SSL specific options
|
|
|
|
std::shared_ptr<ChannelCredentials> SslCredentials(
|
|
|
|
const SslCredentialsOptions& options);
|
|
|
|
|
|
|
|
/// Builds credentials for use when running in GCE
|
|
|
|
///
|
|
|
|
/// \warning Only use these credentials when connecting to a Google endpoint.
|
|
|
|
/// Using these credentials to connect to any other service may result in this
|
|
|
|
/// service being able to impersonate your client for requests to Google
|
|
|
|
/// services.
|
|
|
|
std::shared_ptr<CallCredentials> GoogleComputeEngineCredentials();
|
|
|
|
|
|
|
|
/// Constant for maximum auth token lifetime.
|
|
|
|
constexpr long kMaxAuthTokenLifetimeSecs = 3600;
|
|
|
|
|
|
|
|
/// Builds Service Account JWT Access credentials.
|
|
|
|
/// json_key is the JSON key string containing the client's private key.
|
|
|
|
/// token_lifetime_seconds is the lifetime in seconds of each Json Web Token
|
|
|
|
/// (JWT) created with this credentials. It should not exceed
|
|
|
|
/// \a kMaxAuthTokenLifetimeSecs or will be cropped to this value.
|
|
|
|
std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials(
|
|
|
|
const grpc::string& json_key,
|
|
|
|
long token_lifetime_seconds = kMaxAuthTokenLifetimeSecs);
|
|
|
|
|
|
|
|
/// Builds refresh token credentials.
|
|
|
|
/// json_refresh_token is the JSON string containing the refresh token along
|
|
|
|
/// with a client_id and client_secret.
|
|
|
|
///
|
|
|
|
/// \warning Only use these credentials when connecting to a Google endpoint.
|
|
|
|
/// Using these credentials to connect to any other service may result in this
|
|
|
|
/// service being able to impersonate your client for requests to Google
|
|
|
|
/// services.
|
|
|
|
std::shared_ptr<CallCredentials> GoogleRefreshTokenCredentials(
|
|
|
|
const grpc::string& json_refresh_token);
|
|
|
|
|
|
|
|
/// Builds access token credentials.
|
|
|
|
/// access_token is an oauth2 access token that was fetched using an out of band
|
|
|
|
/// mechanism.
|
|
|
|
///
|
|
|
|
/// \warning Only use these credentials when connecting to a Google endpoint.
|
|
|
|
/// Using these credentials to connect to any other service may result in this
|
|
|
|
/// service being able to impersonate your client for requests to Google
|
|
|
|
/// services.
|
|
|
|
std::shared_ptr<CallCredentials> AccessTokenCredentials(
|
|
|
|
const grpc::string& access_token);
|
|
|
|
|
|
|
|
/// Builds IAM credentials.
|
|
|
|
///
|
|
|
|
/// \warning Only use these credentials when connecting to a Google endpoint.
|
|
|
|
/// Using these credentials to connect to any other service may result in this
|
|
|
|
/// service being able to impersonate your client for requests to Google
|
|
|
|
/// services.
|
|
|
|
std::shared_ptr<CallCredentials> GoogleIAMCredentials(
|
|
|
|
const grpc::string& authorization_token,
|
|
|
|
const grpc::string& authority_selector);
|
|
|
|
|
|
|
|
/// Combines a channel credentials and a call credentials into a composite
|
|
|
|
/// channel credentials.
|
|
|
|
std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
|
|
|
|
const std::shared_ptr<ChannelCredentials>& channel_creds,
|
|
|
|
const std::shared_ptr<CallCredentials>& call_creds);
|
|
|
|
|
|
|
|
/// Combines two call credentials objects into a composite call credentials.
|
|
|
|
std::shared_ptr<CallCredentials> CompositeCallCredentials(
|
|
|
|
const std::shared_ptr<CallCredentials>& creds1,
|
|
|
|
const std::shared_ptr<CallCredentials>& creds2);
|
|
|
|
|
|
|
|
/// Credentials for an unencrypted, unauthenticated channel
|
|
|
|
std::shared_ptr<ChannelCredentials> InsecureChannelCredentials();
|
|
|
|
|
|
|
|
/// Credentials for a channel using Cronet.
|
|
|
|
std::shared_ptr<ChannelCredentials> CronetChannelCredentials(void* engine);
|
|
|
|
|
|
|
|
/// User defined metadata credentials.
|
|
|
|
class MetadataCredentialsPlugin {
|
|
|
|
public:
|
|
|
|
virtual ~MetadataCredentialsPlugin() {}
|
|
|
|
|
|
|
|
/// If this method returns true, the Process function will be scheduled in
|
|
|
|
/// a different thread from the one processing the call.
|
|
|
|
virtual bool IsBlocking() const { return true; }
|
|
|
|
|
|
|
|
/// Type of credentials this plugin is implementing.
|
|
|
|
virtual const char* GetType() const { return ""; }
|
|
|
|
|
|
|
|
/// Gets the auth metatada produced by this plugin.
|
|
|
|
/// The fully qualified method name is:
|
|
|
|
/// service_url + "/" + method_name.
|
|
|
|
/// The channel_auth_context contains (among other things), the identity of
|
|
|
|
/// the server.
|
|
|
|
virtual Status GetMetadata(
|
|
|
|
grpc::string_ref service_url, grpc::string_ref method_name,
|
|
|
|
const AuthContext& channel_auth_context,
|
|
|
|
std::multimap<grpc::string, grpc::string>* metadata) = 0;
|
|
|
|
};
|
|
|
|
|
|
|
|
std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
|
|
|
|
std::unique_ptr<MetadataCredentialsPlugin> plugin);
|
|
|
|
|
|
|
|
namespace experimental {
|
|
|
|
|
|
|
|
/// Options used to build AltsCredentials.
|
|
|
|
struct AltsCredentialsOptions {
|
|
|
|
/// service accounts of target endpoint that will be acceptable
|
|
|
|
/// by the client. If service accounts are provided and none of them matches
|
|
|
|
/// that of the server, authentication will fail.
|
|
|
|
std::vector<grpc::string> target_service_accounts;
|
|
|
|
};
|
|
|
|
|
|
|
|
/// Builds ALTS Credentials given ALTS specific options
|
|
|
|
std::shared_ptr<ChannelCredentials> AltsCredentials(
|
|
|
|
const AltsCredentialsOptions& options);
|
|
|
|
|
|
|
|
/// Builds Local Credentials.
|
|
|
|
std::shared_ptr<ChannelCredentials> LocalCredentials(
|
|
|
|
grpc_local_connect_type type);
|
|
|
|
|
|
|
|
} // namespace experimental
|
|
|
|
} // namespace grpc
|
|
|
|
|
|
|
|
#endif // GRPCPP_SECURITY_CREDENTIALS_H
|