Chiebot-Mirror
/
grpc
mirror of https://github.com/grpc/grpc.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add url-sourced external credentials

Browse Source
pull/24411/head
Chuan Ren 4 years ago
parent 384a6f8d51
commit 4c93d36d08
19 changed files with 449 additions and 4 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      BUILD
  2. 2
      BUILD.gn
  3. 1
      CMakeLists.txt
  4. 2
      Makefile
  5. 2
      build_autogenerated.yaml
  6. 1
      config.m4
  7. 1
      config.w32
  8. 2
      gRPC-C++.podspec
  9. 3
      gRPC-Core.podspec
  10. 2
      grpc.gemspec
  11. 1
      grpc.gyp
  12. 2
      package.xml
  13. 3
      src/core/lib/security/credentials/external/external_account_credentials.h
  14. 211
      src/core/lib/security/credentials/external/url_external_account_credentials.cc
  15. 59
      src/core/lib/security/credentials/external/url_external_account_credentials.h
  16. 1
      src/python/grpcio/grpc_core_dependencies.py
  17. 154
      test/core/security/credentials_test.cc
  18. 2
      tools/doxygen/Doxyfile.c++.internal
  19. 2
      tools/doxygen/Doxyfile.core.internal

2
BUILD
Unescape View File

@ -1760,6 +1760,7 @@ grpc_cc_library(
"src/core/lib/security/credentials/credentials.cc",
"src/core/lib/security/credentials/credentials_metadata.cc",
"src/core/lib/security/credentials/external/external_account_credentials.cc",
"src/core/lib/security/credentials/external/url_external_account_credentials.cc",
"src/core/lib/security/credentials/fake/fake_credentials.cc",
"src/core/lib/security/credentials/google_default/credentials_generic.cc",
"src/core/lib/security/credentials/google_default/google_default_credentials.cc",
@ -1803,6 +1804,7 @@ grpc_cc_library(
"src/core/lib/security/credentials/composite/composite_credentials.h",
"src/core/lib/security/credentials/credentials.h",
"src/core/lib/security/credentials/external/external_account_credentials.h",
"src/core/lib/security/credentials/external/url_external_account_credentials.h",
"src/core/lib/security/credentials/fake/fake_credentials.h",
"src/core/lib/security/credentials/google_default/google_default_credentials.h",
"src/core/lib/security/credentials/iam/iam_credentials.h",

2
BUILD.gn
Unescape View File

@ -996,6 +996,8 @@ config("grpc_config") {
"src/core/lib/security/credentials/credentials_metadata.cc",
"src/core/lib/security/credentials/external/external_account_credentials.cc",
"src/core/lib/security/credentials/external/external_account_credentials.h",
"src/core/lib/security/credentials/external/url_external_account_credentials.cc",
"src/core/lib/security/credentials/external/url_external_account_credentials.h",
"src/core/lib/security/credentials/fake/fake_credentials.cc",
"src/core/lib/security/credentials/fake/fake_credentials.h",
"src/core/lib/security/credentials/google_default/credentials_generic.cc",

1
CMakeLists.txt
Unescape View File

@ -1836,6 +1836,7 @@ add_library(grpc
src/core/lib/security/credentials/credentials.cc
src/core/lib/security/credentials/credentials_metadata.cc
src/core/lib/security/credentials/external/external_account_credentials.cc
src/core/lib/security/credentials/external/url_external_account_credentials.cc
src/core/lib/security/credentials/fake/fake_credentials.cc
src/core/lib/security/credentials/google_default/credentials_generic.cc
src/core/lib/security/credentials/google_default/google_default_credentials.cc

2
Makefile
Unescape View File

@ -2250,6 +2250,7 @@ LIBGRPC_SRC = \
src/core/lib/security/credentials/credentials.cc \
src/core/lib/security/credentials/credentials_metadata.cc \
src/core/lib/security/credentials/external/external_account_credentials.cc \
src/core/lib/security/credentials/external/url_external_account_credentials.cc \
src/core/lib/security/credentials/fake/fake_credentials.cc \
src/core/lib/security/credentials/google_default/credentials_generic.cc \
src/core/lib/security/credentials/google_default/google_default_credentials.cc \
@ -4784,6 +4785,7 @@ src/core/lib/security/credentials/composite/composite_credentials.cc: $(OPENSSL_
src/core/lib/security/credentials/credentials.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/credentials_metadata.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/external/external_account_credentials.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/external/url_external_account_credentials.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/fake/fake_credentials.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/google_default/credentials_generic.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/google_default/google_default_credentials.cc: $(OPENSSL_DEP)

2
build_autogenerated.yaml
Unescape View File

@ -756,6 +756,7 @@ libs:
- src/core/lib/security/credentials/composite/composite_credentials.h
- src/core/lib/security/credentials/credentials.h
- src/core/lib/security/credentials/external/external_account_credentials.h
- src/core/lib/security/credentials/external/url_external_account_credentials.h
- src/core/lib/security/credentials/fake/fake_credentials.h
- src/core/lib/security/credentials/google_default/google_default_credentials.h
- src/core/lib/security/credentials/iam/iam_credentials.h
@ -1264,6 +1265,7 @@ libs:
- src/core/lib/security/credentials/credentials.cc
- src/core/lib/security/credentials/credentials_metadata.cc
- src/core/lib/security/credentials/external/external_account_credentials.cc
- src/core/lib/security/credentials/external/url_external_account_credentials.cc
- src/core/lib/security/credentials/fake/fake_credentials.cc
- src/core/lib/security/credentials/google_default/credentials_generic.cc
- src/core/lib/security/credentials/google_default/google_default_credentials.cc

1
config.m4
Unescape View File

@ -497,6 +497,7 @@ if test "$PHP_GRPC" != "no"; then
src/core/lib/security/credentials/credentials.cc \
src/core/lib/security/credentials/credentials_metadata.cc \
src/core/lib/security/credentials/external/external_account_credentials.cc \
src/core/lib/security/credentials/external/url_external_account_credentials.cc \
src/core/lib/security/credentials/fake/fake_credentials.cc \
src/core/lib/security/credentials/google_default/credentials_generic.cc \
src/core/lib/security/credentials/google_default/google_default_credentials.cc \

1
config.w32
Unescape View File

@ -464,6 +464,7 @@ if (PHP_GRPC != "no") {
"src\\core\\lib\\security\\credentials\\credentials.cc " +
"src\\core\\lib\\security\\credentials\\credentials_metadata.cc " +
"src\\core\\lib\\security\\credentials\\external\\external_account_credentials.cc " +
"src\\core\\lib\\security\\credentials\\external\\url_external_account_credentials.cc " +
"src\\core\\lib\\security\\credentials\\fake\\fake_credentials.cc " +
"src\\core\\lib\\security\\credentials\\google_default\\credentials_generic.cc " +
"src\\core\\lib\\security\\credentials\\google_default\\google_default_credentials.cc " +

2
gRPC-C++.podspec
Unescape View File

@ -604,6 +604,7 @@ Pod::Spec.new do |s|
'src/core/lib/security/credentials/composite/composite_credentials.h',
'src/core/lib/security/credentials/credentials.h',
'src/core/lib/security/credentials/external/external_account_credentials.h',
'src/core/lib/security/credentials/external/url_external_account_credentials.h',
'src/core/lib/security/credentials/fake/fake_credentials.h',
'src/core/lib/security/credentials/google_default/google_default_credentials.h',
'src/core/lib/security/credentials/iam/iam_credentials.h',
@ -1201,6 +1202,7 @@ Pod::Spec.new do |s|
'src/core/lib/security/credentials/composite/composite_credentials.h',
'src/core/lib/security/credentials/credentials.h',
'src/core/lib/security/credentials/external/external_account_credentials.h',
'src/core/lib/security/credentials/external/url_external_account_credentials.h',
'src/core/lib/security/credentials/fake/fake_credentials.h',
'src/core/lib/security/credentials/google_default/google_default_credentials.h',
'src/core/lib/security/credentials/iam/iam_credentials.h',

3
gRPC-Core.podspec
Unescape View File

@ -1053,6 +1053,8 @@ Pod::Spec.new do |s|
'src/core/lib/security/credentials/credentials_metadata.cc',
'src/core/lib/security/credentials/external/external_account_credentials.cc',
'src/core/lib/security/credentials/external/external_account_credentials.h',
'src/core/lib/security/credentials/external/url_external_account_credentials.cc',
'src/core/lib/security/credentials/external/url_external_account_credentials.h',
'src/core/lib/security/credentials/fake/fake_credentials.cc',
'src/core/lib/security/credentials/fake/fake_credentials.h',
'src/core/lib/security/credentials/google_default/credentials_generic.cc',
@ -1725,6 +1727,7 @@ Pod::Spec.new do |s|
'src/core/lib/security/credentials/composite/composite_credentials.h',
'src/core/lib/security/credentials/credentials.h',
'src/core/lib/security/credentials/external/external_account_credentials.h',
'src/core/lib/security/credentials/external/url_external_account_credentials.h',
'src/core/lib/security/credentials/fake/fake_credentials.h',
'src/core/lib/security/credentials/google_default/google_default_credentials.h',
'src/core/lib/security/credentials/iam/iam_credentials.h',

2
grpc.gemspec
Unescape View File

@ -971,6 +971,8 @@ Gem::Specification.new do |s|
s.files += %w( src/core/lib/security/credentials/credentials_metadata.cc )
s.files += %w( src/core/lib/security/credentials/external/external_account_credentials.cc )
s.files += %w( src/core/lib/security/credentials/external/external_account_credentials.h )
s.files += %w( src/core/lib/security/credentials/external/url_external_account_credentials.cc )
s.files += %w( src/core/lib/security/credentials/external/url_external_account_credentials.h )
s.files += %w( src/core/lib/security/credentials/fake/fake_credentials.cc )
s.files += %w( src/core/lib/security/credentials/fake/fake_credentials.h )
s.files += %w( src/core/lib/security/credentials/google_default/credentials_generic.cc )

1
grpc.gyp
Unescape View File

@ -860,6 +860,7 @@
'src/core/lib/security/credentials/credentials.cc',
'src/core/lib/security/credentials/credentials_metadata.cc',
'src/core/lib/security/credentials/external/external_account_credentials.cc',
'src/core/lib/security/credentials/external/url_external_account_credentials.cc',
'src/core/lib/security/credentials/fake/fake_credentials.cc',
'src/core/lib/security/credentials/google_default/credentials_generic.cc',
'src/core/lib/security/credentials/google_default/google_default_credentials.cc',

2
package.xml
Unescape View File

@ -951,6 +951,8 @@
<file baseinstalldir="/" name="src/core/lib/security/credentials/credentials_metadata.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/external/external_account_credentials.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/external/external_account_credentials.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/external/url_external_account_credentials.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/external/url_external_account_credentials.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/fake/fake_credentials.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/fake/fake_credentials.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/google_default/credentials_generic.cc" role="src" />

3
src/core/lib/security/credentials/external/external_account_credentials.h vendored
Unescape View File

@ -81,8 +81,7 @@ class ExternalAccountCredentials
// the callback function (cb) to pass the subject token (or error)
// back.
virtual void RetrieveSubjectToken(
const HTTPRequestContext* ctx,
const ExternalAccountCredentialsOptions& options,
HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
std::function<void(std::string, grpc_error*)> cb) = 0;
private:

211
src/core/lib/security/credentials/external/url_external_account_credentials.cc vendored
Unescape View File

@ -0,0 +1,211 @@
//
// Copyright 2020 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
#include <grpc/support/port_platform.h>
#include "src/core/lib/security/credentials/external/url_external_account_credentials.h"
#include "absl/strings/str_format.h"
namespace grpc_core {
RefCountedPtr<UrlExternalAccountCredentials>
UrlExternalAccountCredentials::Create(ExternalAccountCredentialsOptions options,
std::vector<std::string> scopes,
grpc_error** error) {
auto creds = MakeRefCounted<UrlExternalAccountCredentials>(
std::move(options), std::move(scopes), error);
if (*error == GRPC_ERROR_NONE) {
return creds;
} else {
return nullptr;
}
}
UrlExternalAccountCredentials::UrlExternalAccountCredentials(
ExternalAccountCredentialsOptions options, std::vector<std::string> scopes,
grpc_error** error)
: ExternalAccountCredentials(options, std::move(scopes)) {
auto it = options.credential_source.object_value().find("url");
if (it == options.credential_source.object_value().end()) {
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("url field not present.");
return;
}
if (it->second.type() != Json::Type::STRING) {
*error =
GRPC_ERROR_CREATE_FROM_STATIC_STRING("url field must be a string.");
return;
}
grpc_uri* url = grpc_uri_parse(it->second.string_value(), false);
if (url == nullptr) {
*error =
GRPC_ERROR_CREATE_FROM_STATIC_STRING("Invalid credential source url.");
return;
}
url_ = url;
it = options.credential_source.object_value().find("headers");
if (it != options.credential_source.object_value().end()) {
if (it->second.type() != Json::Type::OBJECT) {
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"The JSON value of credential source headers is not an object.");
return;
}
for (auto const& header : it->second.object_value()) {
headers_[header.first] = header.second.string_value();
}
}
it = options.credential_source.object_value().find("format");
if (it != options.credential_source.object_value().end()) {
const Json& format_json = it->second;
if (format_json.type() != Json::Type::OBJECT) {
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"The JSON value of credential source format is not an object.");
return;
}
auto format_it = format_json.object_value().find("type");
if (format_it == format_json.object_value().end()) {
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"format.type field not present.");
return;
}
if (format_it->second.type() != Json::Type::STRING) {
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"format.type field must be a string.");
return;
}
format_type_ = format_it->second.string_value();
if (format_type_ == "json") {
format_it = format_json.object_value().find("subject_token_field_name");
if (format_it == format_json.object_value().end()) {
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"format.subject_token_field_name field must be present if the "
"format is in Json.");
return;
}
if (format_it->second.type() != Json::Type::STRING) {
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"format.subject_token_field_name field must be a string.");
return;
}
format_subject_token_field_name_ = format_it->second.string_value();
}
}
}
UrlExternalAccountCredentials::~UrlExternalAccountCredentials() {
grpc_uri_destroy(url_);
}
void UrlExternalAccountCredentials::RetrieveSubjectToken(
HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
std::function<void(std::string, grpc_error*)> cb) {
if (ctx == nullptr) {
FinishRetrieveSubjectToken(
"",
GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"Missing HTTPRequestContext to start subject token retrieval."));
return;
}
ctx_ = ctx;
cb_ = cb;
grpc_httpcli_request request;
memset(&request, 0, sizeof(grpc_httpcli_request));
request.host = const_cast<char*>(url_->authority);
request.http.path = gpr_strdup(url_->path);
grpc_http_header* headers = nullptr;
request.http.hdr_count = headers_.size();
headers = static_cast<grpc_http_header*>(
gpr_malloc(sizeof(grpc_http_header) * request.http.hdr_count));
int i = 0;
for (auto const& header : headers_) {
headers[i].key = gpr_strdup(header.first.c_str());
headers[i].value = gpr_strdup(header.second.c_str());
++i;
}
request.http.hdrs = headers;
request.handshaker = (strcmp(url_->scheme, "https") == 0)
? &grpc_httpcli_ssl
: &grpc_httpcli_plaintext;
grpc_resource_quota* resource_quota =
grpc_resource_quota_create("external_account_credentials");
grpc_http_response_destroy(&ctx_->response);
ctx_->response = {};
GRPC_CLOSURE_INIT(&ctx_->closure, OnRetrieveSubjectToken, this, nullptr);
grpc_httpcli_get(ctx_->httpcli_context, ctx_->pollent, resource_quota,
&request, ctx_->deadline, &ctx_->closure, &ctx_->response);
grpc_resource_quota_unref_internal(resource_quota);
grpc_http_request_destroy(&request.http);
}
void UrlExternalAccountCredentials::OnRetrieveSubjectToken(void* arg,
grpc_error* error) {
UrlExternalAccountCredentials* self =
static_cast<UrlExternalAccountCredentials*>(arg);
self->OnRetrieveSubjectTokenInternal(GRPC_ERROR_REF(error));
}
void UrlExternalAccountCredentials::OnRetrieveSubjectTokenInternal(
grpc_error* error) {
if (error != GRPC_ERROR_NONE) {
FinishRetrieveSubjectToken("", error);
return;
}
absl::string_view response_body(ctx_->response.body,
ctx_->response.body_length);
if (format_type_ == "json") {
grpc_error* error = GRPC_ERROR_NONE;
Json response_json = Json::Parse(response_body, &error);
if (error != GRPC_ERROR_NONE ||
response_json.type() != Json::Type::OBJECT) {
FinishRetrieveSubjectToken(
"", GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"The format of response is not a valid json object."));
return;
}
auto response_it =
response_json.object_value().find(format_subject_token_field_name_);
if (response_it == response_json.object_value().end()) {
FinishRetrieveSubjectToken("", GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"Subject token field not present."));
return;
}
if (response_it->second.type() != Json::Type::STRING) {
FinishRetrieveSubjectToken("",
GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"Subject token field must be a string."));
return;
}
FinishRetrieveSubjectToken(response_it->second.string_value(), error);
return;
}
FinishRetrieveSubjectToken(std::string(response_body), GRPC_ERROR_NONE);
}
void UrlExternalAccountCredentials::FinishRetrieveSubjectToken(
std::string subject_token, grpc_error* error) {
// Reset context
ctx_ = nullptr;
// Move object state into local variables.
auto cb = cb_;
cb_ = nullptr;
// Invoke the callback.
if (error != GRPC_ERROR_NONE) {
cb("", error);
} else {
cb(subject_token, GRPC_ERROR_NONE);
}
}
} // namespace grpc_core

59
src/core/lib/security/credentials/external/url_external_account_credentials.h vendored
Unescape View File

@ -0,0 +1,59 @@
//
// Copyright 2020 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_URL_EXTERNAL_ACCOUNT_CREDENTIALS_H
#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_URL_EXTERNAL_ACCOUNT_CREDENTIALS_H
#include <grpc/support/port_platform.h>
#include "src/core/lib/security/credentials/external/external_account_credentials.h"
namespace grpc_core {
class UrlExternalAccountCredentials final : public ExternalAccountCredentials {
public:
static RefCountedPtr<UrlExternalAccountCredentials> Create(
ExternalAccountCredentialsOptions options,
std::vector<std::string> scopes, grpc_error** error);
UrlExternalAccountCredentials(ExternalAccountCredentialsOptions options,
std::vector<std::string> scopes,
grpc_error** error);
~UrlExternalAccountCredentials() override;
private:
void RetrieveSubjectToken(
HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
std::function<void(std::string, grpc_error*)> cb) override;
static void OnRetrieveSubjectToken(void* arg, grpc_error* error);
void OnRetrieveSubjectTokenInternal(grpc_error* error);
void FinishRetrieveSubjectToken(std::string subject_token, grpc_error* error);
// Fields of credential source
grpc_uri* url_ = nullptr;
std::map<std::string, std::string> headers_;
std::string format_type_;
std::string format_subject_token_field_name_;
HTTPRequestContext* ctx_ = nullptr;
std::function<void(std::string, grpc_error*)> cb_ = nullptr;
};
} // namespace grpc_core
#endif // GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_URL_EXTERNAL_ACCOUNT_CREDENTIALS_H

1
src/python/grpcio/grpc_core_dependencies.py
Unescape View File

@ -473,6 +473,7 @@ CORE_SOURCE_FILES = [
'src/core/lib/security/credentials/credentials.cc',
'src/core/lib/security/credentials/credentials_metadata.cc',
'src/core/lib/security/credentials/external/external_account_credentials.cc',
'src/core/lib/security/credentials/external/url_external_account_credentials.cc',
'src/core/lib/security/credentials/fake/fake_credentials.cc',
'src/core/lib/security/credentials/google_default/credentials_generic.cc',
'src/core/lib/security/credentials/google_default/google_default_credentials.cc',

154
test/core/security/credentials_test.cc
Unescape View File

@ -44,6 +44,7 @@
#include "src/core/lib/iomgr/error.h"
#include "src/core/lib/security/credentials/composite/composite_credentials.h"
#include "src/core/lib/security/credentials/external/external_account_credentials.h"
#include "src/core/lib/security/credentials/external/url_external_account_credentials.h"
#include "src/core/lib/security/credentials/fake/fake_credentials.h"
#include "src/core/lib/security/credentials/google_default/google_default_credentials.h"
#include "src/core/lib/security/credentials/jwt/jwt_credentials.h"
@ -146,6 +147,31 @@ static const char
"{\"accessToken\":\"service_account_impersonation_access_token\","
" \"expireTime\":\"2050-01-01T00:00:00Z\"}";
static const char
valid_url_external_account_creds_options_credential_source_format_text[] =
"{\"url\":\"https://foo.com:5555/generate_subject_token_format_text\","
"\"headers\":{\"Metadata-Flavor\":\"Google\"}}";
static const char
valid_url_external_account_creds_retrieve_subject_token_response_format_text
[] = "test_subject_token";
static const char
valid_url_external_account_creds_options_credential_source_format_json[] =
"{\"url\":\"https://foo.com:5555/generate_subject_token_format_json\","
"\"headers\":{\"Metadata-Flavor\":\"Google\"},"
"\"format\":{\"type\":\"json\",\"subject_token_field_name\":\"access_"
"token\"}}";
static const char
valid_url_external_account_creds_retrieve_subject_token_response_format_json
[] = "{\"access_token\":\"test_subject_token\"}";
static const char
invalid_url_external_account_creds_options_credential_source[] =
"{\"url\":\"invalid_credential_source_url\","
"\"headers\":{\"Metadata-Flavor\":\"Google\"}}";
/* -- Global state flags. -- */
static bool g_test_is_on_gce = false;
@ -1990,6 +2016,23 @@ external_account_creds_httpcli_post_failure_token_exchange_response_missing_acce
return 1;
}
static int url_external_account_creds_httpcli_get_success(
const grpc_httpcli_request* request, grpc_millis /*deadline*/,
grpc_closure* on_done, grpc_httpcli_response* response) {
if (strcmp(request->http.path, "/generate_subject_token_format_text") == 0) {
*response = http_response(
200,
valid_url_external_account_creds_retrieve_subject_token_response_format_text);
} else if (strcmp(request->http.path,
"/generate_subject_token_format_json") == 0) {
*response = http_response(
200,
valid_url_external_account_creds_retrieve_subject_token_response_format_json);
}
grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
return 1;
}
// The subclass of ExternalAccountCredentials for testing.
// ExternalAccountCredentials is an abstract class so we can't directly test
// against it.
@ -2002,8 +2045,7 @@ class TestExternalAccountCredentials final
protected:
void RetrieveSubjectToken(
const HTTPRequestContext* ctx,
const ExternalAccountCredentialsOptions& options,
HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
std::function<void(std::string, grpc_error*)> cb) override {
cb("test_subject_token", GRPC_ERROR_NONE);
}
@ -2184,6 +2226,111 @@ test_external_account_creds_faiure_token_exchange_response_missing_access_token(
grpc_httpcli_set_override(nullptr, nullptr);
}
static void test_url_external_account_creds_success_format_text(void) {
expected_md emd[] = {{"authorization", "Bearer token_exchange_access_token"}};
grpc_core::ExecCtx exec_ctx;
grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
nullptr, nullptr};
grpc_error* error = GRPC_ERROR_NONE;
grpc_core::Json credential_source = grpc_core::Json::Parse(
valid_url_external_account_creds_options_credential_source_format_text,
&error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
"", // service_account_impersonation_url;
"https://foo.com:5555/token", // token_url;
"https://foo.com:5555/token_info", // token_info_url;
credential_source, // credential_source;
"quota_project_id", // quota_project_id;
"client_id", // client_id;
"client_secret", // client_secret;
};
auto creds =
grpc_core::UrlExternalAccountCredentials::Create(options, {}, &error);
GPR_ASSERT(creds != nullptr);
GPR_ASSERT(error == GRPC_ERROR_NONE);
GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
request_metadata_state* state =
make_request_metadata_state(GRPC_ERROR_NONE, emd, GPR_ARRAY_SIZE(emd));
grpc_httpcli_set_override(url_external_account_creds_httpcli_get_success,
external_account_creds_httpcli_post_success);
run_request_metadata_test(creds.get(), auth_md_ctx, state);
grpc_core::ExecCtx::Get()->Flush();
grpc_httpcli_set_override(nullptr, nullptr);
}
static void test_url_external_account_creds_success_format_json(void) {
expected_md emd[] = {{"authorization", "Bearer token_exchange_access_token"}};
grpc_core::ExecCtx exec_ctx;
grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
nullptr, nullptr};
grpc_error* error = GRPC_ERROR_NONE;
grpc_core::Json credential_source = grpc_core::Json::Parse(
valid_url_external_account_creds_options_credential_source_format_json,
&error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
"", // service_account_impersonation_url;
"https://foo.com:5555/token", // token_url;
"https://foo.com:5555/token_info", // token_info_url;
credential_source, // credential_source;
"quota_project_id", // quota_project_id;
"client_id", // client_id;
"client_secret", // client_secret;
};
auto creds =
grpc_core::UrlExternalAccountCredentials::Create(options, {}, &error);
GPR_ASSERT(creds != nullptr);
GPR_ASSERT(error == GRPC_ERROR_NONE);
GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
request_metadata_state* state =
make_request_metadata_state(GRPC_ERROR_NONE, emd, GPR_ARRAY_SIZE(emd));
grpc_httpcli_set_override(url_external_account_creds_httpcli_get_success,
external_account_creds_httpcli_post_success);
run_request_metadata_test(creds.get(), auth_md_ctx, state);
grpc_core::ExecCtx::Get()->Flush();
grpc_httpcli_set_override(nullptr, nullptr);
}
static void
test_url_external_account_creds_faiure_invalid_credential_source_url(void) {
grpc_error* error = GRPC_ERROR_NONE;
grpc_core::Json credential_source = grpc_core::Json::Parse(
invalid_url_external_account_creds_options_credential_source, &error);
GPR_ASSERT(error == GRPC_ERROR_NONE);
grpc_core::ExternalAccountCredentials::ExternalAccountCredentialsOptions
options = {
"external_account", // type;
"audience", // audience;
"subject_token_type", // subject_token_type;
"", // service_account_impersonation_url;
"https://foo.com:5555/token", // token_url;
"https://foo.com:5555/token_info", // token_info_url;
credential_source, // credential_source;
"quota_project_id", // quota_project_id;
"client_id", // client_id;
"client_secret", // client_secret;
};
auto creds =
grpc_core::UrlExternalAccountCredentials::Create(options, {}, &error);
GPR_ASSERT(creds == nullptr);
grpc_slice expected_error_slice =
grpc_slice_from_static_string("Invalid credential source url.");
grpc_slice actual_error_slice;
GPR_ASSERT(grpc_error_get_str(error, GRPC_ERROR_STR_DESCRIPTION,
&actual_error_slice));
GPR_ASSERT(grpc_slice_cmp(expected_error_slice, actual_error_slice) == 0);
GRPC_ERROR_UNREF(error);
}
int main(int argc, char** argv) {
grpc::testing::TestEnvironment env(argc, argv);
grpc_init();
@ -2233,6 +2380,9 @@ int main(int argc, char** argv) {
test_external_account_creds_faiure_invalid_token_url();
test_external_account_creds_faiure_invalid_service_account_impersonation_url();
test_external_account_creds_faiure_token_exchange_response_missing_access_token();
test_url_external_account_creds_success_format_text();
test_url_external_account_creds_success_format_json();
test_url_external_account_creds_faiure_invalid_credential_source_url();
grpc_shutdown();
return 0;
}

2
tools/doxygen/Doxyfile.c++.internal
Unescape View File

@ -1902,6 +1902,8 @@ src/core/lib/security/credentials/credentials.h \
src/core/lib/security/credentials/credentials_metadata.cc \
src/core/lib/security/credentials/external/external_account_credentials.cc \
src/core/lib/security/credentials/external/external_account_credentials.h \
src/core/lib/security/credentials/external/url_external_account_credentials.cc \
src/core/lib/security/credentials/external/url_external_account_credentials.h \
src/core/lib/security/credentials/fake/fake_credentials.cc \
src/core/lib/security/credentials/fake/fake_credentials.h \
src/core/lib/security/credentials/google_default/credentials_generic.cc \

2
tools/doxygen/Doxyfile.core.internal
Unescape View File

@ -1745,6 +1745,8 @@ src/core/lib/security/credentials/credentials.h \
src/core/lib/security/credentials/credentials_metadata.cc \
src/core/lib/security/credentials/external/external_account_credentials.cc \
src/core/lib/security/credentials/external/external_account_credentials.h \
src/core/lib/security/credentials/external/url_external_account_credentials.cc \
src/core/lib/security/credentials/external/url_external_account_credentials.h \
src/core/lib/security/credentials/fake/fake_credentials.cc \
src/core/lib/security/credentials/fake/fake_credentials.h \
src/core/lib/security/credentials/google_default/credentials_generic.cc \

Write Preview
Loading…
Cancel
Save