Chiebot-Mirror
/
grpc
mirror of https://github.com/grpc/grpc.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add support of implicit and explicit flows for external account creds

Browse Source
pull/24814/head
Chuan Ren 4 years ago
parent 393687c3b7
commit 06cc42eb85
18 changed files with 559 additions and 261 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 1
      grpc.def
  2. 8
      include/grpc/grpc_security.h
  3. 6
      include/grpcpp/security/credentials.h
  4. 7
      src/core/lib/security/credentials/external/aws_external_account_credentials.cc
  5. 7
      src/core/lib/security/credentials/external/aws_external_account_credentials.h
  6. 146
      src/core/lib/security/credentials/external/external_account_credentials.cc
  7. 12
      src/core/lib/security/credentials/external/external_account_credentials.h
  8. 9
      src/core/lib/security/credentials/external/file_external_account_credentials.cc
  9. 7
      src/core/lib/security/credentials/external/file_external_account_credentials.h
  10. 7
      src/core/lib/security/credentials/external/url_external_account_credentials.cc
  11. 7
      src/core/lib/security/credentials/external/url_external_account_credentials.h
  12. 4
      src/core/lib/security/credentials/google_default/google_default_credentials.cc
  13. 13
      src/cpp/client/secure_credentials.cc
  14. 2
      src/ruby/ext/grpc/rb_grpc_imports.generated.c
  15. 3
      src/ruby/ext/grpc/rb_grpc_imports.generated.h
  16. 157
      test/core/security/credentials_test.cc
  17. 1
      test/core/surface/public_headers_must_be_c89.c
  18. 47
      test/cpp/client/credentials_test.cc

1
grpc.def
Unescape View File

@ -110,6 +110,7 @@ EXPORTS
grpc_google_compute_engine_credentials_create
grpc_max_auth_token_lifetime
grpc_service_account_jwt_access_credentials_create
grpc_external_account_credentials_create
grpc_google_refresh_token_credentials_create
grpc_access_token_credentials_create
grpc_google_iam_credentials_create

8
include/grpc/grpc_security.h
Unescape View File

@ -330,6 +330,14 @@ grpc_service_account_jwt_access_credentials_create(const char* json_key,
gpr_timespec token_lifetime,
void* reserved);
/** Builds External Account credentials.
- json_string is the JSON string containing the credentials options.
- scopes_string contains the scopes to be binded with the credentials.
This API is used for experimental purposes for now and may change in the
future. */
GRPCAPI grpc_call_credentials* grpc_external_account_credentials_create(
const char* json_string, const char* scopes_string);
/** Creates an Oauth2 Refresh Token credentials object for connecting to Google.
May return NULL if the input is invalid.
WARNING: Do NOT use this credentials to connect to a non-google service as

6
include/grpcpp/security/credentials.h
Unescape View File

@ -307,6 +307,12 @@ grpc::Status StsCredentialsOptionsFromEnv(StsCredentialsOptions* options);
std::shared_ptr<CallCredentials> StsCredentials(
const StsCredentialsOptions& options);
/// Builds External Account credentials.
/// json_string is the JSON string containing the credentials options.
/// scopes contains the scopes to be binded with the credentials.
std::shared_ptr<CallCredentials> ExternalAccountCredentials(
const grpc::string& json_string, const std::vector<grpc::string>& scopes);
std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
std::unique_ptr<MetadataCredentialsPlugin> plugin,
grpc_security_level min_security_level);

7
src/core/lib/security/credentials/external/aws_external_account_credentials.cc vendored
Unescape View File

@ -55,7 +55,7 @@ std::string UrlEncode(const absl::string_view& s) {
} // namespace
RefCountedPtr<AwsExternalAccountCredentials>
AwsExternalAccountCredentials::Create(ExternalAccountCredentialsOptions options,
AwsExternalAccountCredentials::Create(Options options,
std::vector<std::string> scopes,
grpc_error** error) {
auto creds = MakeRefCounted<AwsExternalAccountCredentials>(
@ -68,8 +68,7 @@ AwsExternalAccountCredentials::Create(ExternalAccountCredentialsOptions options,
}
AwsExternalAccountCredentials::AwsExternalAccountCredentials(
ExternalAccountCredentialsOptions options, std::vector<std::string> scopes,
grpc_error** error)
Options options, std::vector<std::string> scopes, grpc_error** error)
: ExternalAccountCredentials(options, std::move(scopes)) {
audience_ = options.audience;
auto it = options.credential_source.object_value().find("environment_id");
@ -121,7 +120,7 @@ AwsExternalAccountCredentials::AwsExternalAccountCredentials(
}
void AwsExternalAccountCredentials::RetrieveSubjectToken(
HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
HTTPRequestContext* ctx, const Options& options,
std::function<void(std::string, grpc_error*)> cb) {
if (ctx == nullptr) {
FinishRetrieveSubjectToken(

7
src/core/lib/security/credentials/external/aws_external_account_credentials.h vendored
Unescape View File

@ -28,16 +28,15 @@ namespace grpc_core {
class AwsExternalAccountCredentials final : public ExternalAccountCredentials {
public:
static RefCountedPtr<AwsExternalAccountCredentials> Create(
ExternalAccountCredentialsOptions options,
std::vector<std::string> scopes, grpc_error** error);
Options options, std::vector<std::string> scopes, grpc_error** error);
AwsExternalAccountCredentials(ExternalAccountCredentialsOptions options,
AwsExternalAccountCredentials(Options options,
std::vector<std::string> scopes,
grpc_error** error);
private:
void RetrieveSubjectToken(
HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
HTTPRequestContext* ctx, const Options& options,
std::function<void(std::string, grpc_error*)> cb) override;
void RetrieveRegion();

146
src/core/lib/security/credentials/external/external_account_credentials.cc vendored
Unescape View File

@ -19,6 +19,7 @@
#include "absl/strings/str_format.h"
#include "absl/strings/str_join.h"
#include "absl/strings/str_split.h"
#include "absl/time/clock.h"
#include "absl/time/time.h"
@ -26,6 +27,10 @@
#include "src/core/lib/security/util/json_util.h"
#include "src/core/lib/slice/b64.h"
#include "src/core/lib/security/credentials/external/aws_external_account_credentials.h"
#include "src/core/lib/security/credentials/external/file_external_account_credentials.h"
#include "src/core/lib/security/credentials/external/url_external_account_credentials.h"
#define EXTERNAL_ACCOUNT_CREDENTIALS_GRANT_TYPE \
"urn:ietf:params:oauth:grant-type:token-exchange"
#define EXTERNAL_ACCOUNT_CREDENTIALS_REQUESTED_TOKEN_TYPE \
@ -57,8 +62,122 @@ std::string UrlEncode(const absl::string_view& s) {
} // namespace
RefCountedPtr<ExternalAccountCredentials> ExternalAccountCredentials::Create(
const Json& json, std::vector<std::string> scopes, grpc_error** error) {
GPR_ASSERT(*error == GRPC_ERROR_NONE);
Options options;
options.type = GRPC_AUTH_JSON_TYPE_INVALID;
if (json.type() != Json::Type::OBJECT) {
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"Invalid json to construct credentials options.");
return nullptr;
}
auto it = json.object_value().find("type");
if (it == json.object_value().end()) {
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("type field not present.");
return nullptr;
}
if (it->second.type() != Json::Type::STRING) {
*error =
GRPC_ERROR_CREATE_FROM_STATIC_STRING("type field must be a string.");
return nullptr;
}
if (it->second.string_value() != GRPC_AUTH_JSON_TYPE_EXTERNAL_ACCOUNT) {
*error =
GRPC_ERROR_CREATE_FROM_STATIC_STRING("Invalid credentials json type.");
return nullptr;
}
options.type = GRPC_AUTH_JSON_TYPE_EXTERNAL_ACCOUNT;
it = json.object_value().find("audience");
if (it == json.object_value().end()) {
*error =
GRPC_ERROR_CREATE_FROM_STATIC_STRING("audience field not present.");
return nullptr;
}
if (it->second.type() != Json::Type::STRING) {
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"audience field must be a string.");
return nullptr;
}
options.audience = it->second.string_value();
it = json.object_value().find("subject_token_type");
if (it == json.object_value().end()) {
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"subject_token_type field not present.");
return nullptr;
}
if (it->second.type() != Json::Type::STRING) {
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"subject_token_type field must be a string.");
return nullptr;
}
options.subject_token_type = it->second.string_value();
it = json.object_value().find("service_account_impersonation_url");
if (it != json.object_value().end()) {
options.service_account_impersonation_url = it->second.string_value();
}
it = json.object_value().find("token_url");
if (it == json.object_value().end()) {
*error =
GRPC_ERROR_CREATE_FROM_STATIC_STRING("token_url field not present.");
return nullptr;
}
if (it->second.type() != Json::Type::STRING) {
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"token_url field must be a string.");
return nullptr;
}
options.token_url = it->second.string_value();
it = json.object_value().find("token_info_url");
if (it != json.object_value().end()) {
options.token_info_url = it->second.string_value();
}
it = json.object_value().find("credential_source");
if (it == json.object_value().end()) {
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"credential_source field not present.");
return nullptr;
}
options.credential_source = it->second;
it = json.object_value().find("quota_project_id");
if (it != json.object_value().end()) {
options.quota_project_id = it->second.string_value();
}
it = json.object_value().find("client_id");
if (it != json.object_value().end()) {
options.client_id = it->second.string_value();
}
it = json.object_value().find("client_secret");
if (it != json.object_value().end()) {
options.client_secret = it->second.string_value();
}
RefCountedPtr<ExternalAccountCredentials> creds;
if (options.credential_source.object_value().find("environment_id") !=
options.credential_source.object_value().end()) {
creds = MakeRefCounted<AwsExternalAccountCredentials>(
std::move(options), std::move(scopes), error);
} else if (options.credential_source.object_value().find("file") !=
options.credential_source.object_value().end()) {
creds = MakeRefCounted<FileExternalAccountCredentials>(
std::move(options), std::move(scopes), error);
} else if (options.credential_source.object_value().find("url") !=
options.credential_source.object_value().end()) {
creds = MakeRefCounted<UrlExternalAccountCredentials>(
std::move(options), std::move(scopes), error);
} else {
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"Invalid options credential source to create "
"ExternalAccountCredentials.");
}
if (*error == GRPC_ERROR_NONE) {
return creds;
} else {
return nullptr;
}
}
ExternalAccountCredentials::ExternalAccountCredentials(
ExternalAccountCredentialsOptions options, std::vector<std::string> scopes)
Options options, std::vector<std::string> scopes)
: options_(std::move(options)) {
if (scopes.empty()) {
scopes.push_back(GOOGLE_CLOUD_PLATFORM_DEFAULT_SCOPE);
@ -351,3 +470,28 @@ void ExternalAccountCredentials::FinishTokenFetch(grpc_error* error) {
}
} // namespace grpc_core
grpc_call_credentials* grpc_external_account_credentials_create(
const char* json_string, const char* scopes_string) {
grpc_error* error = GRPC_ERROR_NONE;
grpc_core::Json json = grpc_core::Json::Parse(json_string, &error);
if (error != GRPC_ERROR_NONE) {
gpr_log(GPR_ERROR,
"External account credentials creation failed. Error: %s.",
grpc_error_string(error));
GRPC_ERROR_UNREF(error);
return nullptr;
}
std::vector<std::string> scopes = absl::StrSplit(scopes_string, ',');
auto creds = grpc_core::ExternalAccountCredentials::Create(
json, std::move(scopes), &error)
.release();
if (error != GRPC_ERROR_NONE) {
gpr_log(GPR_ERROR,
"External account credentials creation failed. Error: %s.",
grpc_error_string(error));
GRPC_ERROR_UNREF(error);
return nullptr;
}
return creds;
}

12
src/core/lib/security/credentials/external/external_account_credentials.h vendored
Unescape View File

@ -35,7 +35,7 @@ class ExternalAccountCredentials
: public grpc_oauth2_token_fetcher_credentials {
public:
// External account credentials json interface.
struct ExternalAccountCredentialsOptions {
struct Options {
std::string type;
std::string audience;
std::string subject_token_type;
@ -48,8 +48,10 @@ class ExternalAccountCredentials
std::string client_secret;
};
ExternalAccountCredentials(ExternalAccountCredentialsOptions options,
std::vector<std::string> scopes);
static RefCountedPtr<ExternalAccountCredentials> Create(
const Json& json, std::vector<std::string> scopes, grpc_error** error);
ExternalAccountCredentials(Options options, std::vector<std::string> scopes);
~ExternalAccountCredentials() override;
std::string debug_string() override;
@ -81,7 +83,7 @@ class ExternalAccountCredentials
// the callback function (cb) to pass the subject token (or error)
// back.
virtual void RetrieveSubjectToken(
HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
HTTPRequestContext* ctx, const Options& options,
std::function<void(std::string, grpc_error*)> cb) = 0;
private:
@ -105,7 +107,7 @@ class ExternalAccountCredentials
void FinishTokenFetch(grpc_error* error);
ExternalAccountCredentialsOptions options_;
Options options_;
std::vector<std::string> scopes_;
HTTPRequestContext* ctx_ = nullptr;

9
src/core/lib/security/credentials/external/file_external_account_credentials.cc vendored
Unescape View File

@ -26,8 +26,8 @@
namespace grpc_core {
RefCountedPtr<FileExternalAccountCredentials>
FileExternalAccountCredentials::Create(
ExternalAccountCredentialsOptions options, std::vector<std::string> scopes,
FileExternalAccountCredentials::Create(Options options,
std::vector<std::string> scopes,
grpc_error** error) {
auto creds = MakeRefCounted<FileExternalAccountCredentials>(
std::move(options), std::move(scopes), error);
@ -39,8 +39,7 @@ FileExternalAccountCredentials::Create(
}
FileExternalAccountCredentials::FileExternalAccountCredentials(
ExternalAccountCredentialsOptions options, std::vector<std::string> scopes,
grpc_error** error)
Options options, std::vector<std::string> scopes, grpc_error** error)
: ExternalAccountCredentials(options, std::move(scopes)) {
auto it = options.credential_source.object_value().find("file");
if (it == options.credential_source.object_value().end()) {
@ -92,7 +91,7 @@ FileExternalAccountCredentials::FileExternalAccountCredentials(
}
void FileExternalAccountCredentials::RetrieveSubjectToken(
HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
HTTPRequestContext* ctx, const Options& options,
std::function<void(std::string, grpc_error*)> cb) {
struct SliceWrapper {
~SliceWrapper() { grpc_slice_unref_internal(slice); }

7
src/core/lib/security/credentials/external/file_external_account_credentials.h vendored
Unescape View File

@ -26,16 +26,15 @@ namespace grpc_core {
class FileExternalAccountCredentials final : public ExternalAccountCredentials {
public:
static RefCountedPtr<FileExternalAccountCredentials> Create(
ExternalAccountCredentialsOptions options,
std::vector<std::string> scopes, grpc_error** error);
Options options, std::vector<std::string> scopes, grpc_error** error);
FileExternalAccountCredentials(ExternalAccountCredentialsOptions options,
FileExternalAccountCredentials(Options options,
std::vector<std::string> scopes,
grpc_error** error);
private:
void RetrieveSubjectToken(
HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
HTTPRequestContext* ctx, const Options& options,
std::function<void(std::string, grpc_error*)> cb) override;
// Fields of credential source

7
src/core/lib/security/credentials/external/url_external_account_credentials.cc vendored
Unescape View File

@ -24,7 +24,7 @@
namespace grpc_core {
RefCountedPtr<UrlExternalAccountCredentials>
UrlExternalAccountCredentials::Create(ExternalAccountCredentialsOptions options,
UrlExternalAccountCredentials::Create(Options options,
std::vector<std::string> scopes,
grpc_error** error) {
auto creds = MakeRefCounted<UrlExternalAccountCredentials>(
@ -37,8 +37,7 @@ UrlExternalAccountCredentials::Create(ExternalAccountCredentialsOptions options,
}
UrlExternalAccountCredentials::UrlExternalAccountCredentials(
ExternalAccountCredentialsOptions options, std::vector<std::string> scopes,
grpc_error** error)
Options options, std::vector<std::string> scopes, grpc_error** error)
: ExternalAccountCredentials(options, std::move(scopes)) {
auto it = options.credential_source.object_value().find("url");
if (it == options.credential_source.object_value().end()) {
@ -113,7 +112,7 @@ UrlExternalAccountCredentials::UrlExternalAccountCredentials(
}
void UrlExternalAccountCredentials::RetrieveSubjectToken(
HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
HTTPRequestContext* ctx, const Options& options,
std::function<void(std::string, grpc_error*)> cb) {
if (ctx == nullptr) {
FinishRetrieveSubjectToken(

7
src/core/lib/security/credentials/external/url_external_account_credentials.h vendored
Unescape View File

@ -26,16 +26,15 @@ namespace grpc_core {
class UrlExternalAccountCredentials final : public ExternalAccountCredentials {
public:
static RefCountedPtr<UrlExternalAccountCredentials> Create(
ExternalAccountCredentialsOptions options,
std::vector<std::string> scopes, grpc_error** error);
Options options, std::vector<std::string> scopes, grpc_error** error);
UrlExternalAccountCredentials(ExternalAccountCredentialsOptions options,
UrlExternalAccountCredentials(Options options,
std::vector<std::string> scopes,
grpc_error** error);
private:
void RetrieveSubjectToken(
HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
HTTPRequestContext* ctx, const Options& options,
std::function<void(std::string, grpc_error*)> cb) override;
static void OnRetrieveSubjectToken(void* arg, grpc_error* error);

4
src/core/lib/security/credentials/google_default/google_default_credentials.cc
Unescape View File

@ -38,6 +38,7 @@
#include "src/core/lib/iomgr/polling_entity.h"
#include "src/core/lib/security/credentials/alts/alts_credentials.h"
#include "src/core/lib/security/credentials/alts/check_gcp_environment.h"
#include "src/core/lib/security/credentials/external/external_account_credentials.h"
#include "src/core/lib/security/credentials/google_default/google_default_credentials.h"
#include "src/core/lib/security/credentials/jwt/jwt_credentials.h"
#include "src/core/lib/security/credentials/oauth2/oauth2_credentials.h"
@ -269,6 +270,9 @@ static grpc_error* create_default_creds_from_path(
goto end;
}
/* Finally try an external account credentials.*/
result = grpc_core::ExternalAccountCredentials::Create(json, {}, &error);
end:
GPR_ASSERT((result == nullptr) + (error == GRPC_ERROR_NONE) == 1);
grpc_slice_unref_internal(creds_data);

13
src/cpp/client/secure_credentials.cc
Unescape View File

@ -28,6 +28,8 @@
#include <grpcpp/impl/grpc_library.h>
#include <grpcpp/support/channel_arguments.h>
#include "absl/strings/str_join.h"
// TODO(yashykt): We shouldn't be including "src/core" headers.
#include "src/core/lib/gpr/env.h"
#include "src/core/lib/iomgr/error.h"
@ -107,6 +109,17 @@ std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials() {
grpc_google_default_credentials_create(nullptr));
}
namespace experimental {
std::shared_ptr<CallCredentials> ExternalAccountCredentials(
const grpc::string& json_string, const std::vector<grpc::string>& scopes) {
grpc::GrpcLibraryCodegen init; // To call grpc_init().
return WrapCallCredentials(grpc_external_account_credentials_create(
json_string.c_str(), absl::StrJoin(scopes, ",").c_str()));
}
} // namespace experimental
// Builds SSL Credentials given SSL specific options
std::shared_ptr<ChannelCredentials> SslCredentials(
const SslCredentialsOptions& options) {

2
src/ruby/ext/grpc/rb_grpc_imports.generated.c
Unescape View File

@ -133,6 +133,7 @@ grpc_composite_call_credentials_create_type grpc_composite_call_credentials_crea
grpc_google_compute_engine_credentials_create_type grpc_google_compute_engine_credentials_create_import;
grpc_max_auth_token_lifetime_type grpc_max_auth_token_lifetime_import;
grpc_service_account_jwt_access_credentials_create_type grpc_service_account_jwt_access_credentials_create_import;
grpc_external_account_credentials_create_type grpc_external_account_credentials_create_import;
grpc_google_refresh_token_credentials_create_type grpc_google_refresh_token_credentials_create_import;
grpc_access_token_credentials_create_type grpc_access_token_credentials_create_import;
grpc_google_iam_credentials_create_type grpc_google_iam_credentials_create_import;
@ -416,6 +417,7 @@ void grpc_rb_load_imports(HMODULE library) {
grpc_google_compute_engine_credentials_create_import = (grpc_google_compute_engine_credentials_create_type) GetProcAddress(library, "grpc_google_compute_engine_credentials_create");
grpc_max_auth_token_lifetime_import = (grpc_max_auth_token_lifetime_type) GetProcAddress(library, "grpc_max_auth_token_lifetime");
grpc_service_account_jwt_access_credentials_create_import = (grpc_service_account_jwt_access_credentials_create_type) GetProcAddress(library, "grpc_service_account_jwt_access_credentials_create");
grpc_external_account_credentials_create_import = (grpc_external_account_credentials_create_type) GetProcAddress(library, "grpc_external_account_credentials_create");
grpc_google_refresh_token_credentials_create_import = (grpc_google_refresh_token_credentials_create_type) GetProcAddress(library, "grpc_google_refresh_token_credentials_create");
grpc_access_token_credentials_create_import = (grpc_access_token_credentials_create_type) GetProcAddress(library, "grpc_access_token_credentials_create");
grpc_google_iam_credentials_create_import = (grpc_google_iam_credentials_create_type) GetProcAddress(library, "grpc_google_iam_credentials_create");

3
src/ruby/ext/grpc/rb_grpc_imports.generated.h
Unescape View File

@ -374,6 +374,9 @@ extern grpc_max_auth_token_lifetime_type grpc_max_auth_token_lifetime_import;
typedef grpc_call_credentials*(*grpc_service_account_jwt_access_credentials_create_type)(const char* json_key, gpr_timespec token_lifetime, void* reserved);
extern grpc_service_account_jwt_access_credentials_create_type grpc_service_account_jwt_access_credentials_create_import;
#define grpc_service_account_jwt_access_credentials_create grpc_service_account_jwt_access_credentials_create_import
typedef grpc_call_credentials*(*grpc_external_account_credentials_create_type)(const char* json_string, const char* scopes_string);
extern grpc_external_account_credentials_create_type grpc_external_account_credentials_create_import;
#define grpc_external_account_credentials_create grpc_external_account_credentials_create_import
typedef grpc_call_credentials*(*grpc_google_refresh_token_credentials_create_type)(const char* json_refresh_token, void* reserved);
extern grpc_google_refresh_token_credentials_create_type grpc_google_refresh_token_credentials_create_import;
#define grpc_google_refresh_token_credentials_create grpc_google_refresh_token_credentials_create_import

157
test/core/security/credentials_test.cc
Unescape View File

@ -2206,13 +2206,13 @@ static int aws_external_account_creds_httpcli_post_success(
class TestExternalAccountCredentials final
: public grpc_core::ExternalAccountCredentials {
public:
TestExternalAccountCredentials(ExternalAccountCredentialsOptions options,
TestExternalAccountCredentials(Options options,
std::vector<std::string> scopes)
: ExternalAccountCredentials(std::move(options), std::move(scopes)) {}
protected:
void RetrieveSubjectToken(
HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
HTTPRequestContext* ctx, const Options& options,
std::function<void(std::string, grpc_error*)> cb) override {
cb("test_subject_token", GRPC_ERROR_NONE);
}
@ -2224,7 +2224,7 @@ static void test_external_account_creds_success(void) {
grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
nullptr, nullptr};
grpc_core::Json credential_source("");
TestExternalAccountCredentials::ExternalAccountCredentialsOptions options = {
TestExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2262,7 +2262,7 @@ static void test_external_account_creds_success_with_url_encode(void) {
grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
nullptr, nullptr};
grpc_core::Json credential_source("");
TestExternalAccountCredentials::ExternalAccountCredentialsOptions options = {
TestExternalAccountCredentials::Options options = {
"external_account", // type;
"audience_!@#$", // audience;
"subject_token_type_!@#$", // subject_token_type;
@ -2292,7 +2292,7 @@ test_external_account_creds_success_with_service_account_impersonation(void) {
grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
nullptr, nullptr};
grpc_core::Json credential_source("");
TestExternalAccountCredentials::ExternalAccountCredentialsOptions options = {
TestExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2322,7 +2322,7 @@ static void test_external_account_creds_failure_invalid_token_url(void) {
grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
nullptr, nullptr};
grpc_core::Json credential_source("");
TestExternalAccountCredentials::ExternalAccountCredentialsOptions options = {
TestExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2356,7 +2356,7 @@ test_external_account_creds_failure_invalid_service_account_impersonation_url(
grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
nullptr, nullptr};
grpc_core::Json credential_source("");
TestExternalAccountCredentials::ExternalAccountCredentialsOptions options = {
TestExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2391,7 +2391,7 @@ test_external_account_creds_failure_token_exchange_response_missing_access_token
grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
nullptr, nullptr};
grpc_core::Json credential_source("");
TestExternalAccountCredentials::ExternalAccountCredentialsOptions options = {
TestExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2431,8 +2431,7 @@ static void test_url_external_account_creds_success_format_text(void) {
valid_url_external_account_creds_options_credential_source_format_text,
&error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2469,8 +2468,7 @@ test_url_external_account_creds_success_with_qurey_params_format_text(void) {
valid_url_external_account_creds_options_credential_source_with_qurey_params_format_text,
&error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2506,8 +2504,7 @@ static void test_url_external_account_creds_success_format_json(void) {
valid_url_external_account_creds_options_credential_source_format_json,
&error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2539,8 +2536,7 @@ test_url_external_account_creds_failure_invalid_credential_source_url(void) {
grpc_core::Json credential_source = grpc_core::Json::Parse(
invalid_url_external_account_creds_options_credential_source, &error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2577,8 +2573,7 @@ static void test_file_external_account_creds_success_format_text(void) {
absl::StrReplaceAll(subject_token_path, {{"\\", "\\\\"}})),
&error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2627,8 +2622,7 @@ static void test_file_external_account_creds_success_format_json(void) {
absl::StrReplaceAll(subject_token_path, {{"\\", "\\\\"}})),
&error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2664,8 +2658,7 @@ static void test_file_external_account_creds_failure_file_not_found(void) {
grpc_core::Json credential_source =
grpc_core::Json::Parse("{\"file\":\"non_exisiting_file\"}", &error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2714,8 +2707,7 @@ static void test_file_external_account_creds_failure_invalid_json_content(
absl::StrReplaceAll(subject_token_path, {{"\\", "\\\\"}})),
&error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2755,8 +2747,7 @@ static void test_aws_external_account_creds_success(void) {
grpc_core::Json credential_source = grpc_core::Json::Parse(
valid_aws_external_account_creds_options_credential_source, &error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2793,8 +2784,7 @@ static void test_aws_external_account_creds_success_path_region_env_keys_url(
grpc_core::Json credential_source = grpc_core::Json::Parse(
valid_aws_external_account_creds_options_credential_source, &error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2834,8 +2824,7 @@ static void test_aws_external_account_creds_success_path_region_url_keys_env(
grpc_core::Json credential_source = grpc_core::Json::Parse(
valid_aws_external_account_creds_options_credential_source, &error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2878,8 +2867,7 @@ static void test_aws_external_account_creds_success_path_region_env_keys_env(
grpc_core::Json credential_source = grpc_core::Json::Parse(
valid_aws_external_account_creds_options_credential_source, &error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2916,8 +2904,7 @@ static void test_aws_external_account_creds_failure_unmatched_environment_id(
invalid_aws_external_account_creds_options_credential_source_unmatched_environment_id,
&error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2950,8 +2937,7 @@ static void test_aws_external_account_creds_failure_invalid_region_url(void) {
invalid_aws_external_account_creds_options_credential_source_invalid_region_url,
&error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -2991,8 +2977,7 @@ static void test_aws_external_account_creds_failure_invalid_url(void) {
invalid_aws_external_account_creds_options_credential_source_invalid_url,
&error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -3031,8 +3016,7 @@ static void test_aws_external_account_creds_failure_missing_role_name(void) {
invalid_aws_external_account_creds_options_credential_source_missing_role_name,
&error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -3074,8 +3058,7 @@ test_aws_external_account_creds_failure_invalid_regional_cred_verification_url(
invalid_aws_external_account_creds_options_credential_source_invalid_regional_cred_verification_url,
&error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
grpc_core::ExternalAccountCredentials::Options options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
@ -3106,6 +3089,92 @@ test_aws_external_account_creds_failure_invalid_regional_cred_verification_url(
GRPC_ERROR_UNREF(error);
}
static void test_external_account_credentials_create_success(void) {
// url credentials
const char* url_options_string =
"{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
"token_type\":\"subject_token_type\",\"service_account_impersonation_"
"url\":\"service_account_impersonation_url\",\"token_url\":\"https://"
"foo.com:5555/token\",\"token_info_url\":\"https://foo.com:5555/"
"token_info\",\"credential_source\":{\"url\":\"https://foo.com:5555/"
"generate_subject_token_format_json\",\"headers\":{\"Metadata-Flavor\":"
"\"Google\"},\"format\":{\"type\":\"json\",\"subject_token_field_name\":"
"\"access_token\"}},\"quota_project_id\":\"quota_"
"project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
"secret\"}";
const char* url_scopes_string = "scope1,scope2";
grpc_call_credentials* url_creds = grpc_external_account_credentials_create(
url_options_string, url_scopes_string);
GPR_ASSERT(url_creds != nullptr);
url_creds->Unref();
// file credentials
const char* file_options_string =
"{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
"token_type\":\"subject_token_type\",\"service_account_impersonation_"
"url\":\"service_account_impersonation_url\",\"token_url\":\"https://"
"foo.com:5555/token\",\"token_info_url\":\"https://foo.com:5555/"
"token_info\",\"credential_source\":{\"file\":\"credentials_file_path\"},"
"\"quota_project_id\":\"quota_"
"project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
"secret\"}";
const char* file_scopes_string = "scope1,scope2";
grpc_call_credentials* file_creds = grpc_external_account_credentials_create(
file_options_string, file_scopes_string);
GPR_ASSERT(file_creds != nullptr);
file_creds->Unref();
// aws credentials
const char* aws_options_string =
"{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
"token_type\":\"subject_token_type\",\"service_account_impersonation_"
"url\":\"service_account_impersonation_url\",\"token_url\":\"https://"
"foo.com:5555/token\",\"token_info_url\":\"https://foo.com:5555/"
"token_info\",\"credential_source\":{\"environment_id\":\"aws1\","
"\"region_url\":\"https://foo.com:5555/region_url\",\"url\":\"https://"
"foo.com:5555/url\",\"regional_cred_verification_url\":\"https://"
"foo.com:5555/regional_cred_verification_url_{region}\"},"
"\"quota_project_id\":\"quota_"
"project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
"secret\"}";
const char* aws_scopes_string = "scope1,scope2";
grpc_call_credentials* aws_creds = grpc_external_account_credentials_create(
aws_options_string, aws_scopes_string);
GPR_ASSERT(aws_creds != nullptr);
aws_creds->Unref();
}
static void
test_external_account_credentials_create_failure_invalid_json_format(void) {
const char* options_string = "invalid_json";
grpc_call_credentials* creds =
grpc_external_account_credentials_create(options_string, "");
GPR_ASSERT(creds == nullptr);
}
static void
test_external_account_credentials_create_failure_invalid_options_format(void) {
const char* options_string = "{\"random_key\":\"random_value\"}";
grpc_call_credentials* creds =
grpc_external_account_credentials_create(options_string, "");
GPR_ASSERT(creds == nullptr);
}
static void
test_external_account_credentials_create_failure_invalid_options_credential_source(
void) {
const char* options_string =
"{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
"token_type\":\"subject_token_type\",\"service_account_impersonation_"
"url\":\"service_account_impersonation_url\",\"token_url\":\"https://"
"foo.com:5555/token\",\"token_info_url\":\"https://foo.com:5555/"
"token_info\",\"credential_source\":{\"random_key\":\"random_value\"},"
"\"quota_project_id\":\"quota_"
"project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
"secret\"}";
grpc_call_credentials* creds =
grpc_external_account_credentials_create(options_string, "");
GPR_ASSERT(creds == nullptr);
}
int main(int argc, char** argv) {
grpc::testing::TestEnvironment env(argc, argv);
grpc_init();
@ -3173,6 +3242,10 @@ int main(int argc, char** argv) {
test_aws_external_account_creds_failure_invalid_url();
test_aws_external_account_creds_failure_missing_role_name();
test_aws_external_account_creds_failure_invalid_regional_cred_verification_url();
test_external_account_credentials_create_success();
test_external_account_credentials_create_failure_invalid_json_format();
test_external_account_credentials_create_failure_invalid_options_format();
test_external_account_credentials_create_failure_invalid_options_credential_source();
grpc_shutdown();
return 0;
}

1
test/core/surface/public_headers_must_be_c89.c
Unescape View File

@ -177,6 +177,7 @@ int main(int argc, char **argv) {
printf("%lx", (unsigned long) grpc_google_compute_engine_credentials_create);
printf("%lx", (unsigned long) grpc_max_auth_token_lifetime);
printf("%lx", (unsigned long) grpc_service_account_jwt_access_credentials_create);
printf("%lx", (unsigned long) grpc_external_account_credentials_create);
printf("%lx", (unsigned long) grpc_google_refresh_token_credentials_create);
printf("%lx", (unsigned long) grpc_access_token_credentials_create);
printf("%lx", (unsigned long) grpc_google_iam_credentials_create);

47
test/cpp/client/credentials_test.cc
Unescape View File

@ -97,6 +97,53 @@ TEST(CredentialsTest, DefaultCredentials) {
auto creds = GoogleDefaultCredentials();
}
TEST(CredentialsTest, ExternalAccountCredentials) {
// url credentials
std::string url_options_string(
"{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
"token_type\":\"subject_token_type\",\"service_account_impersonation_"
"url\":\"service_account_impersonation_url\",\"token_url\":\"https://"
"foo.com:5555/token\",\"token_info_url\":\"https://foo.com:5555/"
"token_info\",\"credential_source\":{\"url\":\"https://foo.com:5555/"
"generate_subject_token_format_json\",\"headers\":{\"Metadata-Flavor\":"
"\"Google\"},\"format\":{\"type\":\"json\",\"subject_token_field_name\":"
"\"access_token\"}},\"quota_project_id\":\"quota_"
"project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
"secret\"}");
auto url_creds = grpc::experimental::ExternalAccountCredentials(
url_options_string, {"scope1", "scope2"});
EXPECT_TRUE(url_creds != nullptr);
// file credentials
std::string file_options_string(
"{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
"token_type\":\"subject_token_type\",\"service_account_impersonation_"
"url\":\"service_account_impersonation_url\",\"token_url\":\"https://"
"foo.com:5555/token\",\"token_info_url\":\"https://foo.com:5555/"
"token_info\",\"credential_source\":{\"file\":\"credentials_file_path\"},"
"\"quota_project_id\":\"quota_"
"project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
"secret\"}");
auto file_creds = grpc::experimental::ExternalAccountCredentials(
file_options_string, {"scope1", "scope2"});
EXPECT_TRUE(file_creds != nullptr);
// aws credentials
std::string aws_options_string(
"{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
"token_type\":\"subject_token_type\",\"service_account_impersonation_"
"url\":\"service_account_impersonation_url\",\"token_url\":\"https://"
"foo.com:5555/token\",\"token_info_url\":\"https://foo.com:5555/"
"token_info\",\"credential_source\":{\"environment_id\":\"aws1\","
"\"region_url\":\"https://foo.com:5555/region_url\",\"url\":\"https://"
"foo.com:5555/url\",\"regional_cred_verification_url\":\"https://"
"foo.com:5555/regional_cred_verification_url_{region}\"},"
"\"quota_project_id\":\"quota_"
"project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
"secret\"}");
auto aws_creds = grpc::experimental::ExternalAccountCredentials(
aws_options_string, {"scope1", "scope2"});
EXPECT_TRUE(aws_creds != nullptr);
}
TEST(CredentialsTest, StsCredentialsOptionsCppToCore) {
grpc::experimental::StsCredentialsOptions options;
options.token_exchange_service_uri = "https://foo.com/exchange";

Write Preview
Loading…
Cancel
Save