diff --git a/include/grpc++/credentials.h b/include/grpc++/credentials.h index 71e1f00f15a..a1488add1e4 100644 --- a/include/grpc++/credentials.h +++ b/include/grpc++/credentials.h @@ -94,17 +94,7 @@ std::shared_ptr SslCredentials( const SslCredentialsOptions& options); // Builds credentials for use when running in GCE -std::shared_ptr ComputeEngineCredentials(); - -// Builds service account credentials. -// json_key is the JSON key string containing the client's private key. -// scope is a space-delimited list of the requested permissions. -// token_lifetime_seconds is the lifetime in seconds of each token acquired -// through this service account credentials. It should be positive and should -// not exceed grpc_max_auth_token_lifetime or will be cropped to this value. -std::shared_ptr ServiceAccountCredentials( - const grpc::string& json_key, const grpc::string& scope, - long token_lifetime_seconds); +std::shared_ptr GoogleComputeEngineCredentials(); // Builds Service Account JWT Access credentials. // json_key is the JSON key string containing the client's private key. @@ -117,7 +107,7 @@ std::shared_ptr ServiceAccountJWTAccessCredentials( // Builds refresh token credentials. // json_refresh_token is the JSON string containing the refresh token along // with a client_id and client_secret. -std::shared_ptr RefreshTokenCredentials( +std::shared_ptr GoogleRefreshTokenCredentials( const grpc::string& json_refresh_token); // Builds access token credentials. @@ -127,7 +117,7 @@ std::shared_ptr AccessTokenCredentials( const grpc::string& access_token); // Builds IAM credentials. -std::shared_ptr IAMCredentials( +std::shared_ptr GoogleIAMCredentials( const grpc::string& authorization_token, const grpc::string& authority_selector); diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h index 0bc36c059c7..86470782330 100644 --- a/include/grpc/grpc_security.h +++ b/include/grpc/grpc_security.h @@ -97,26 +97,13 @@ grpc_credentials *grpc_composite_credentials_create(grpc_credentials *creds1, grpc_credentials *creds2, void *reserved); -/* Creates a compute engine credentials object. +/* Creates a compute engine credentials object for connecting to Google. WARNING: Do NOT use this credentials to connect to a non-google service as this could result in an oauth2 token leak. */ -grpc_credentials *grpc_compute_engine_credentials_create(void *reserved); +grpc_credentials *grpc_google_compute_engine_credentials_create(void *reserved); extern const gpr_timespec grpc_max_auth_token_lifetime; -/* Creates a service account credentials object. May return NULL if the input is - invalid. - WARNING: Do NOT use this credentials to connect to a non-google service as - this could result in an oauth2 token leak. - - json_key is the JSON key string containing the client's private key. - - scope is a space-delimited list of the requested permissions. - - token_lifetime is the lifetime of each token acquired through this service - account credentials. It should not exceed grpc_max_auth_token_lifetime - or will be cropped to this value. */ -grpc_credentials *grpc_service_account_credentials_create( - const char *json_key, const char *scope, gpr_timespec token_lifetime, - void *reserved); - /* Creates a JWT credentials object. May return NULL if the input is invalid. - json_key is the JSON key string containing the client's private key. - token_lifetime is the lifetime of each Json Web Token (JWT) created with @@ -125,13 +112,13 @@ grpc_credentials *grpc_service_account_credentials_create( grpc_credentials *grpc_service_account_jwt_access_credentials_create( const char *json_key, gpr_timespec token_lifetime, void *reserved); -/* Creates an Oauth2 Refresh Token credentials object. May return NULL if the - input is invalid. +/* Creates an Oauth2 Refresh Token credentials object for connecting to Google. + May return NULL if the input is invalid. WARNING: Do NOT use this credentials to connect to a non-google service as this could result in an oauth2 token leak. - json_refresh_token is the JSON string containing the refresh token itself along with a client_id and client_secret. */ -grpc_credentials *grpc_refresh_token_credentials_create( +grpc_credentials *grpc_google_refresh_token_credentials_create( const char *json_refresh_token, void *reserved); /* Creates an Oauth2 Access Token credentials with an access token that was @@ -139,10 +126,10 @@ grpc_credentials *grpc_refresh_token_credentials_create( grpc_credentials *grpc_access_token_credentials_create( const char *access_token, void *reserved); -/* Creates an IAM credentials object. */ -grpc_credentials *grpc_iam_credentials_create(const char *authorization_token, - const char *authority_selector, - void *reserved); +/* Creates an IAM credentials object for connecting to Google. */ +grpc_credentials *grpc_google_iam_credentials_create( + const char *authorization_token, const char *authority_selector, + void *reserved); /* --- Secure channel creation. --- */ diff --git a/src/core/security/credentials.c b/src/core/security/credentials.c index 362d5f4b6ff..1c665f1edea 100644 --- a/src/core/security/credentials.c +++ b/src/core/security/credentials.c @@ -618,7 +618,7 @@ static void init_oauth2_token_fetcher(grpc_oauth2_token_fetcher_credentials *c, grpc_httpcli_context_init(&c->httpcli_context); } -/* -- ComputeEngine credentials. -- */ +/* -- GoogleComputeEngine credentials. -- */ static grpc_credentials_vtable compute_engine_vtable = { oauth2_token_fetcher_destroy, oauth2_token_fetcher_has_request_metadata, @@ -640,7 +640,8 @@ static void compute_engine_fetch_oauth2( metadata_req); } -grpc_credentials *grpc_compute_engine_credentials_create(void *reserved) { +grpc_credentials *grpc_google_compute_engine_credentials_create( + void *reserved) { grpc_oauth2_token_fetcher_credentials *c = gpr_malloc(sizeof(grpc_oauth2_token_fetcher_credentials)); GPR_ASSERT(reserved == NULL); @@ -649,81 +650,11 @@ grpc_credentials *grpc_compute_engine_credentials_create(void *reserved) { return &c->base; } -/* -- ServiceAccount credentials. -- */ - -static void service_account_destroy(grpc_credentials *creds) { - grpc_service_account_credentials *c = - (grpc_service_account_credentials *)creds; - if (c->scope != NULL) gpr_free(c->scope); - grpc_auth_json_key_destruct(&c->key); - oauth2_token_fetcher_destroy(&c->base.base); -} - -static grpc_credentials_vtable service_account_vtable = { - service_account_destroy, oauth2_token_fetcher_has_request_metadata, - oauth2_token_fetcher_has_request_metadata_only, - oauth2_token_fetcher_get_request_metadata, NULL}; - -static void service_account_fetch_oauth2( - grpc_credentials_metadata_request *metadata_req, - grpc_httpcli_context *httpcli_context, grpc_pollset *pollset, - grpc_httpcli_response_cb response_cb, gpr_timespec deadline) { - grpc_service_account_credentials *c = - (grpc_service_account_credentials *)metadata_req->creds; - grpc_httpcli_header header = {"Content-Type", - "application/x-www-form-urlencoded"}; - grpc_httpcli_request request; - char *body = NULL; - char *jwt = grpc_jwt_encode_and_sign(&c->key, GRPC_JWT_OAUTH2_AUDIENCE, - c->token_lifetime, c->scope); - if (jwt == NULL) { - grpc_httpcli_response response; - memset(&response, 0, sizeof(grpc_httpcli_response)); - response.status = 400; /* Invalid request. */ - gpr_log(GPR_ERROR, "Could not create signed jwt."); - /* Do not even send the request, just call the response callback. */ - response_cb(metadata_req, &response); - return; - } - gpr_asprintf(&body, "%s%s", GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX, jwt); - memset(&request, 0, sizeof(grpc_httpcli_request)); - request.host = GRPC_GOOGLE_OAUTH2_SERVICE_HOST; - request.path = GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH; - request.hdr_count = 1; - request.hdrs = &header; - request.handshaker = &grpc_httpcli_ssl; - grpc_httpcli_post(httpcli_context, pollset, &request, body, strlen(body), - deadline, response_cb, metadata_req); - gpr_free(body); - gpr_free(jwt); -} - -grpc_credentials *grpc_service_account_credentials_create( - const char *json_key, const char *scope, gpr_timespec token_lifetime, - void *reserved) { - grpc_service_account_credentials *c; - grpc_auth_json_key key = grpc_auth_json_key_create_from_string(json_key); - GPR_ASSERT(reserved == NULL); - if (scope == NULL || (strlen(scope) == 0) || - !grpc_auth_json_key_is_valid(&key)) { - gpr_log(GPR_ERROR, - "Invalid input for service account credentials creation"); - return NULL; - } - c = gpr_malloc(sizeof(grpc_service_account_credentials)); - memset(c, 0, sizeof(grpc_service_account_credentials)); - init_oauth2_token_fetcher(&c->base, service_account_fetch_oauth2); - c->base.base.vtable = &service_account_vtable; - c->scope = gpr_strdup(scope); - c->key = key; - c->token_lifetime = token_lifetime; - return &c->base.base; -} - -/* -- RefreshToken credentials. -- */ +/* -- GoogleRefreshToken credentials. -- */ static void refresh_token_destroy(grpc_credentials *creds) { - grpc_refresh_token_credentials *c = (grpc_refresh_token_credentials *)creds; + grpc_google_refresh_token_credentials *c = + (grpc_google_refresh_token_credentials *)creds; grpc_auth_refresh_token_destruct(&c->refresh_token); oauth2_token_fetcher_destroy(&c->base.base); } @@ -737,8 +668,8 @@ static void refresh_token_fetch_oauth2( grpc_credentials_metadata_request *metadata_req, grpc_httpcli_context *httpcli_context, grpc_pollset *pollset, grpc_httpcli_response_cb response_cb, gpr_timespec deadline) { - grpc_refresh_token_credentials *c = - (grpc_refresh_token_credentials *)metadata_req->creds; + grpc_google_refresh_token_credentials *c = + (grpc_google_refresh_token_credentials *)metadata_req->creds; grpc_httpcli_header header = {"Content-Type", "application/x-www-form-urlencoded"}; grpc_httpcli_request request; @@ -757,22 +688,23 @@ static void refresh_token_fetch_oauth2( gpr_free(body); } -grpc_credentials *grpc_refresh_token_credentials_create_from_auth_refresh_token( +grpc_credentials * +grpc_refresh_token_credentials_create_from_auth_refresh_token( grpc_auth_refresh_token refresh_token) { - grpc_refresh_token_credentials *c; + grpc_google_refresh_token_credentials *c; if (!grpc_auth_refresh_token_is_valid(&refresh_token)) { gpr_log(GPR_ERROR, "Invalid input for refresh token credentials creation"); return NULL; } - c = gpr_malloc(sizeof(grpc_refresh_token_credentials)); - memset(c, 0, sizeof(grpc_refresh_token_credentials)); + c = gpr_malloc(sizeof(grpc_google_refresh_token_credentials)); + memset(c, 0, sizeof(grpc_google_refresh_token_credentials)); init_oauth2_token_fetcher(&c->base, refresh_token_fetch_oauth2); c->base.base.vtable = &refresh_token_vtable; c->refresh_token = refresh_token; return &c->base.base; } -grpc_credentials *grpc_refresh_token_credentials_create( +grpc_credentials *grpc_google_refresh_token_credentials_create( const char *json_refresh_token, void *reserved) { GPR_ASSERT(reserved == NULL); return grpc_refresh_token_credentials_create_from_auth_refresh_token( @@ -1194,7 +1126,7 @@ grpc_credentials *grpc_credentials_contains_type( /* -- IAM credentials. -- */ static void iam_destroy(grpc_credentials *creds) { - grpc_iam_credentials *c = (grpc_iam_credentials *)creds; + grpc_google_iam_credentials *c = (grpc_google_iam_credentials *)creds; grpc_credentials_md_store_unref(c->iam_md); gpr_free(c); } @@ -1210,7 +1142,7 @@ static void iam_get_request_metadata(grpc_credentials *creds, const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { - grpc_iam_credentials *c = (grpc_iam_credentials *)creds; + grpc_google_iam_credentials *c = (grpc_google_iam_credentials *)creds; cb(user_data, c->iam_md->entries, c->iam_md->num_entries, GRPC_CREDENTIALS_OK); } @@ -1219,15 +1151,14 @@ static grpc_credentials_vtable iam_vtable = { iam_destroy, iam_has_request_metadata, iam_has_request_metadata_only, iam_get_request_metadata, NULL}; -grpc_credentials *grpc_iam_credentials_create(const char *token, - const char *authority_selector, - void *reserved) { - grpc_iam_credentials *c; +grpc_credentials *grpc_google_iam_credentials_create( + const char *token, const char *authority_selector, void *reserved) { + grpc_google_iam_credentials *c; GPR_ASSERT(reserved == NULL); GPR_ASSERT(token != NULL); GPR_ASSERT(authority_selector != NULL); - c = gpr_malloc(sizeof(grpc_iam_credentials)); - memset(c, 0, sizeof(grpc_iam_credentials)); + c = gpr_malloc(sizeof(grpc_google_iam_credentials)); + memset(c, 0, sizeof(grpc_google_iam_credentials)); c->base.type = GRPC_CREDENTIALS_TYPE_IAM; c->base.vtable = &iam_vtable; gpr_ref_init(&c->base.refcount, 1); diff --git a/src/core/security/credentials.h b/src/core/security/credentials.h index 29cd1ac87fc..d9bd53adc27 100644 --- a/src/core/security/credentials.h +++ b/src/core/security/credentials.h @@ -277,21 +277,12 @@ typedef struct { grpc_fetch_oauth2_func fetch_func; } grpc_oauth2_token_fetcher_credentials; -/* -- ServiceAccount credentials. -- */ - -typedef struct { - grpc_oauth2_token_fetcher_credentials base; - grpc_auth_json_key key; - char *scope; - gpr_timespec token_lifetime; -} grpc_service_account_credentials; - -/* -- RefreshToken credentials. -- */ +/* -- GoogleRefreshToken credentials. -- */ typedef struct { grpc_oauth2_token_fetcher_credentials base; grpc_auth_refresh_token refresh_token; -} grpc_refresh_token_credentials; +} grpc_google_refresh_token_credentials; /* -- Oauth2 Access Token credentials. -- */ @@ -308,12 +299,12 @@ typedef struct { int is_async; } grpc_md_only_test_credentials; -/* -- IAM credentials. -- */ +/* -- GoogleIAM credentials. -- */ typedef struct { grpc_credentials base; grpc_credentials_md_store *iam_md; -} grpc_iam_credentials; +} grpc_google_iam_credentials; /* -- Composite credentials. -- */ diff --git a/src/core/security/google_default_credentials.c b/src/core/security/google_default_credentials.c index f9aa5187ce6..874dd59e846 100644 --- a/src/core/security/google_default_credentials.c +++ b/src/core/security/google_default_credentials.c @@ -194,7 +194,7 @@ grpc_credentials *grpc_google_default_credentials_create(void) { int need_compute_engine_creds = is_stack_running_on_compute_engine(); compute_engine_detection_done = 1; if (need_compute_engine_creds) { - result = grpc_compute_engine_credentials_create(NULL); + result = grpc_google_compute_engine_credentials_create(NULL); } } diff --git a/src/cpp/client/secure_credentials.cc b/src/cpp/client/secure_credentials.cc index e0642469b49..2260f6d33eb 100644 --- a/src/cpp/client/secure_credentials.cc +++ b/src/cpp/client/secure_credentials.cc @@ -81,26 +81,10 @@ std::shared_ptr SslCredentials( } // Builds credentials for use when running in GCE -std::shared_ptr ComputeEngineCredentials() { +std::shared_ptr GoogleComputeEngineCredentials() { GrpcLibrary init; // To call grpc_init(). - return WrapCredentials(grpc_compute_engine_credentials_create(nullptr)); -} - -// Builds service account credentials. -std::shared_ptr ServiceAccountCredentials( - const grpc::string& json_key, const grpc::string& scope, - long token_lifetime_seconds) { - GrpcLibrary init; // To call grpc_init(). - if (token_lifetime_seconds <= 0) { - gpr_log(GPR_ERROR, - "Trying to create ServiceAccountCredentials " - "with non-positive lifetime"); - return WrapCredentials(nullptr); - } - gpr_timespec lifetime = - gpr_time_from_seconds(token_lifetime_seconds, GPR_TIMESPAN); - return WrapCredentials(grpc_service_account_credentials_create( - json_key.c_str(), scope.c_str(), lifetime, nullptr)); + return WrapCredentials( + grpc_google_compute_engine_credentials_create(nullptr)); } // Builds JWT credentials. @@ -119,10 +103,10 @@ std::shared_ptr ServiceAccountJWTAccessCredentials( } // Builds refresh token credentials. -std::shared_ptr RefreshTokenCredentials( +std::shared_ptr GoogleRefreshTokenCredentials( const grpc::string& json_refresh_token) { GrpcLibrary init; // To call grpc_init(). - return WrapCredentials(grpc_refresh_token_credentials_create( + return WrapCredentials(grpc_google_refresh_token_credentials_create( json_refresh_token.c_str(), nullptr)); } @@ -135,11 +119,11 @@ std::shared_ptr AccessTokenCredentials( } // Builds IAM credentials. -std::shared_ptr IAMCredentials( +std::shared_ptr GoogleIAMCredentials( const grpc::string& authorization_token, const grpc::string& authority_selector) { GrpcLibrary init; // To call grpc_init(). - return WrapCredentials(grpc_iam_credentials_create( + return WrapCredentials(grpc_google_iam_credentials_create( authorization_token.c_str(), authority_selector.c_str(), nullptr)); } diff --git a/src/node/ext/credentials.cc b/src/node/ext/credentials.cc index 85a823a1085..c3b04dcea75 100644 --- a/src/node/ext/credentials.cc +++ b/src/node/ext/credentials.cc @@ -186,7 +186,7 @@ NAN_METHOD(Credentials::CreateComposite) { NAN_METHOD(Credentials::CreateGce) { NanScope(); - grpc_credentials *creds = grpc_compute_engine_credentials_create(NULL); + grpc_credentials *creds = grpc_google_compute_engine_credentials_create(NULL); if (creds == NULL) { NanReturnNull(); } @@ -204,7 +204,7 @@ NAN_METHOD(Credentials::CreateIam) { NanUtf8String auth_token(args[0]); NanUtf8String auth_selector(args[1]); grpc_credentials *creds = - grpc_iam_credentials_create(*auth_token, *auth_selector, NULL); + grpc_google_iam_credentials_create(*auth_token, *auth_selector, NULL); if (creds == NULL) { NanReturnNull(); } diff --git a/src/php/ext/grpc/credentials.c b/src/php/ext/grpc/credentials.c index 0eba6608bb5..8e3b7ff2124 100644 --- a/src/php/ext/grpc/credentials.c +++ b/src/php/ext/grpc/credentials.c @@ -170,7 +170,7 @@ PHP_METHOD(Credentials, createComposite) { * @return Credentials The new GCE credentials object */ PHP_METHOD(Credentials, createGce) { - grpc_credentials *creds = grpc_compute_engine_credentials_create(NULL); + grpc_credentials *creds = grpc_google_compute_engine_credentials_create(NULL); zval *creds_object = grpc_php_wrap_credentials(creds); RETURN_DESTROY_ZVAL(creds_object); } diff --git a/src/python/grpcio/grpc/_adapter/_c/types/client_credentials.c b/src/python/grpcio/grpc/_adapter/_c/types/client_credentials.c index 36fd207464b..95547966319 100644 --- a/src/python/grpcio/grpc/_adapter/_c/types/client_credentials.c +++ b/src/python/grpcio/grpc/_adapter/_c/types/client_credentials.c @@ -173,7 +173,7 @@ ClientCredentials *pygrpc_ClientCredentials_composite( ClientCredentials *pygrpc_ClientCredentials_compute_engine( PyTypeObject *type, PyObject *ignored) { ClientCredentials *self = (ClientCredentials *)type->tp_alloc(type, 0); - self->c_creds = grpc_compute_engine_credentials_create(NULL); + self->c_creds = grpc_google_compute_engine_credentials_create(NULL); if (!self->c_creds) { Py_DECREF(self); PyErr_SetString(PyExc_RuntimeError, @@ -183,29 +183,6 @@ ClientCredentials *pygrpc_ClientCredentials_compute_engine( return self; } -ClientCredentials *pygrpc_ClientCredentials_service_account( - PyTypeObject *type, PyObject *args, PyObject *kwargs) { - ClientCredentials *self; - const char *json_key; - const char *scope; - double lifetime; - static char *keywords[] = {"json_key", "scope", "token_lifetime", NULL}; - if (!PyArg_ParseTupleAndKeywords(args, kwargs, "ssd:service_account", keywords, - &json_key, &scope, &lifetime)) { - return NULL; - } - self = (ClientCredentials *)type->tp_alloc(type, 0); - self->c_creds = grpc_service_account_credentials_create( - json_key, scope, pygrpc_cast_double_to_gpr_timespec(lifetime), NULL); - if (!self->c_creds) { - Py_DECREF(self); - PyErr_SetString(PyExc_RuntimeError, - "couldn't create service account credentials"); - return NULL; - } - return self; -} - /* TODO: Rename this credentials to something like service_account_jwt_access */ ClientCredentials *pygrpc_ClientCredentials_jwt( PyTypeObject *type, PyObject *args, PyObject *kwargs) { @@ -239,7 +216,7 @@ ClientCredentials *pygrpc_ClientCredentials_refresh_token( } self = (ClientCredentials *)type->tp_alloc(type, 0); self->c_creds = - grpc_refresh_token_credentials_create(json_refresh_token, NULL); + grpc_google_refresh_token_credentials_create(json_refresh_token, NULL); if (!self->c_creds) { Py_DECREF(self); PyErr_SetString(PyExc_RuntimeError, @@ -260,8 +237,8 @@ ClientCredentials *pygrpc_ClientCredentials_iam( return NULL; } self = (ClientCredentials *)type->tp_alloc(type, 0); - self->c_creds = grpc_iam_credentials_create(authorization_token, - authority_selector, NULL); + self->c_creds = grpc_google_iam_credentials_create(authorization_token, + authority_selector, NULL); if (!self->c_creds) { Py_DECREF(self); PyErr_SetString(PyExc_RuntimeError, "couldn't create IAM credentials"); diff --git a/src/ruby/ext/grpc/rb_credentials.c b/src/ruby/ext/grpc/rb_credentials.c index ac3804df6ff..ae757f69866 100644 --- a/src/ruby/ext/grpc/rb_credentials.c +++ b/src/ruby/ext/grpc/rb_credentials.c @@ -154,7 +154,7 @@ static VALUE grpc_rb_default_credentials_create(VALUE cls) { Creates the default credential instances. */ static VALUE grpc_rb_compute_engine_credentials_create(VALUE cls) { grpc_rb_credentials *wrapper = ALLOC(grpc_rb_credentials); - wrapper->wrapped = grpc_compute_engine_credentials_create(NULL); + wrapper->wrapped = grpc_google_compute_engine_credentials_create(NULL); if (wrapper->wrapped == NULL) { rb_raise(rb_eRuntimeError, "could not create composite engine credentials, not sure why"); diff --git a/test/core/end2end/tests/request_response_with_payload_and_call_creds.c b/test/core/end2end/tests/request_response_with_payload_and_call_creds.c index 48dd0aa2cee..75c5bba5bd1 100644 --- a/test/core/end2end/tests/request_response_with_payload_and_call_creds.c +++ b/test/core/end2end/tests/request_response_with_payload_and_call_creds.c @@ -190,7 +190,7 @@ static void request_response_with_payload_and_call_creds( c = grpc_channel_create_call(f.client, NULL, GRPC_PROPAGATE_DEFAULTS, f.cq, "/foo", "foo.test.google.fr", deadline, NULL); GPR_ASSERT(c); - creds = grpc_iam_credentials_create(iam_token, iam_selector, NULL); + creds = grpc_google_iam_credentials_create(iam_token, iam_selector, NULL); GPR_ASSERT(creds != NULL); GPR_ASSERT(grpc_call_set_credentials(c, creds) == GRPC_CALL_OK); switch (mode) { @@ -198,8 +198,8 @@ static void request_response_with_payload_and_call_creds( break; case OVERRIDE: grpc_credentials_release(creds); - creds = grpc_iam_credentials_create(overridden_iam_token, - overridden_iam_selector, NULL); + creds = grpc_google_iam_credentials_create(overridden_iam_token, + overridden_iam_selector, NULL); GPR_ASSERT(creds != NULL); GPR_ASSERT(grpc_call_set_credentials(c, creds) == GRPC_CALL_OK); break; @@ -421,7 +421,7 @@ static void test_request_with_server_rejecting_client_creds( "/foo", "foo.test.google.fr", deadline, NULL); GPR_ASSERT(c); - creds = grpc_iam_credentials_create(iam_token, iam_selector, NULL); + creds = grpc_google_iam_credentials_create(iam_token, iam_selector, NULL); GPR_ASSERT(creds != NULL); GPR_ASSERT(grpc_call_set_credentials(c, creds) == GRPC_CALL_OK); grpc_credentials_release(creds); diff --git a/test/core/security/credentials_test.c b/test/core/security/credentials_test.c index 880fc5da1e1..97ebaa05708 100644 --- a/test/core/security/credentials_test.c +++ b/test/core/security/credentials_test.c @@ -50,8 +50,8 @@ #include -static const char test_iam_authorization_token[] = "blahblahblhahb"; -static const char test_iam_authority_selector[] = "respectmyauthoritah"; +static const char test_google_iam_authorization_token[] = "blahblahblhahb"; +static const char test_google_iam_authority_selector[] = "respectmyauthoritah"; static const char test_oauth2_bearer_token[] = "Bearer blaaslkdjfaslkdfasdsfasf"; static const char test_root_cert[] = "I am the root!"; @@ -315,25 +315,29 @@ static void check_metadata(expected_md *expected, grpc_credentials_md *md_elems, } } -static void check_iam_metadata(void *user_data, grpc_credentials_md *md_elems, - size_t num_md, grpc_credentials_status status) { +static void check_google_iam_metadata(void *user_data, + grpc_credentials_md *md_elems, + size_t num_md, + grpc_credentials_status status) { grpc_credentials *c = (grpc_credentials *)user_data; - expected_md emd[] = { - {GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY, test_iam_authorization_token}, - {GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY, test_iam_authority_selector}}; + expected_md emd[] = {{GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY, + test_google_iam_authorization_token}, + {GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY, + test_google_iam_authority_selector}}; GPR_ASSERT(status == GRPC_CREDENTIALS_OK); GPR_ASSERT(num_md == 2); check_metadata(emd, md_elems, num_md); grpc_credentials_unref(c); } -static void test_iam_creds(void) { - grpc_credentials *creds = grpc_iam_credentials_create( - test_iam_authorization_token, test_iam_authority_selector, NULL); +static void test_google_iam_creds(void) { + grpc_credentials *creds = grpc_google_iam_credentials_create( + test_google_iam_authorization_token, test_google_iam_authority_selector, + NULL); GPR_ASSERT(grpc_credentials_has_request_metadata(creds)); GPR_ASSERT(grpc_credentials_has_request_metadata_only(creds)); grpc_credentials_get_request_metadata(creds, NULL, test_service_url, - check_iam_metadata, creds); + check_google_iam_metadata, creds); } static void check_access_token_metadata(void *user_data, @@ -406,21 +410,23 @@ void test_ssl_fake_transport_security_composite_creds_failure(void) { grpc_credentials_unref(fake_transport_security_creds); } -static void check_ssl_oauth2_iam_composite_metadata( +static void check_ssl_oauth2_google_iam_composite_metadata( void *user_data, grpc_credentials_md *md_elems, size_t num_md, grpc_credentials_status status) { grpc_credentials *c = (grpc_credentials *)user_data; expected_md emd[] = { {GRPC_AUTHORIZATION_METADATA_KEY, test_oauth2_bearer_token}, - {GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY, test_iam_authorization_token}, - {GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY, test_iam_authority_selector}}; + {GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY, + test_google_iam_authorization_token}, + {GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY, + test_google_iam_authority_selector}}; GPR_ASSERT(status == GRPC_CREDENTIALS_OK); GPR_ASSERT(num_md == 3); check_metadata(emd, md_elems, num_md); grpc_credentials_unref(c); } -static void test_ssl_oauth2_iam_composite_creds(void) { +static void test_ssl_oauth2_google_iam_composite_creds(void) { grpc_credentials *ssl_creds = grpc_ssl_credentials_create(test_root_cert, NULL, NULL); const grpc_credentials_array *creds_array; @@ -428,14 +434,15 @@ static void test_ssl_oauth2_iam_composite_creds(void) { "Authorization", test_oauth2_bearer_token, 0); grpc_credentials *aux_creds = grpc_composite_credentials_create(ssl_creds, oauth2_creds, NULL); - grpc_credentials *iam_creds = grpc_iam_credentials_create( - test_iam_authorization_token, test_iam_authority_selector, NULL); + grpc_credentials *google_iam_creds = grpc_google_iam_credentials_create( + test_google_iam_authorization_token, test_google_iam_authority_selector, + NULL); grpc_credentials *composite_creds = - grpc_composite_credentials_create(aux_creds, iam_creds, NULL); + grpc_composite_credentials_create(aux_creds, google_iam_creds, NULL); grpc_credentials_unref(ssl_creds); grpc_credentials_unref(oauth2_creds); grpc_credentials_unref(aux_creds); - grpc_credentials_unref(iam_creds); + grpc_credentials_unref(google_iam_creds); GPR_ASSERT(strcmp(composite_creds->type, GRPC_CREDENTIALS_TYPE_COMPOSITE) == 0); GPR_ASSERT(grpc_credentials_has_request_metadata(composite_creds)); @@ -448,9 +455,9 @@ static void test_ssl_oauth2_iam_composite_creds(void) { GRPC_CREDENTIALS_TYPE_OAUTH2) == 0); GPR_ASSERT(strcmp(creds_array->creds_array[2]->type, GRPC_CREDENTIALS_TYPE_IAM) == 0); - grpc_credentials_get_request_metadata(composite_creds, NULL, test_service_url, - check_ssl_oauth2_iam_composite_metadata, - composite_creds); + grpc_credentials_get_request_metadata( + composite_creds, NULL, test_service_url, + check_ssl_oauth2_google_iam_composite_metadata, composite_creds); } static void on_oauth2_creds_get_metadata_success( @@ -524,7 +531,7 @@ static int httpcli_get_should_not_be_called( static void test_compute_engine_creds_success(void) { grpc_credentials *compute_engine_creds = - grpc_compute_engine_credentials_create(NULL); + grpc_google_compute_engine_credentials_create(NULL); GPR_ASSERT(grpc_credentials_has_request_metadata(compute_engine_creds)); GPR_ASSERT(grpc_credentials_has_request_metadata_only(compute_engine_creds)); @@ -548,7 +555,7 @@ static void test_compute_engine_creds_success(void) { static void test_compute_engine_creds_failure(void) { grpc_credentials *compute_engine_creds = - grpc_compute_engine_credentials_create(NULL); + grpc_google_compute_engine_credentials_create(NULL); grpc_httpcli_set_override(compute_engine_httpcli_get_failure_override, httpcli_post_should_not_be_called); GPR_ASSERT(grpc_credentials_has_request_metadata(compute_engine_creds)); @@ -605,7 +612,8 @@ static int refresh_token_httpcli_post_failure( static void test_refresh_token_creds_success(void) { grpc_credentials *refresh_token_creds = - grpc_refresh_token_credentials_create(test_refresh_token_str, NULL); + grpc_google_refresh_token_credentials_create(test_refresh_token_str, + NULL); GPR_ASSERT(grpc_credentials_has_request_metadata(refresh_token_creds)); GPR_ASSERT(grpc_credentials_has_request_metadata_only(refresh_token_creds)); @@ -629,7 +637,8 @@ static void test_refresh_token_creds_success(void) { static void test_refresh_token_creds_failure(void) { grpc_credentials *refresh_token_creds = - grpc_refresh_token_credentials_create(test_refresh_token_str, NULL); + grpc_google_refresh_token_credentials_create(test_refresh_token_str, + NULL); grpc_httpcli_set_override(httpcli_get_should_not_be_called, refresh_token_httpcli_post_failure); GPR_ASSERT(grpc_credentials_has_request_metadata(refresh_token_creds)); @@ -686,119 +695,6 @@ static char *encode_and_sign_jwt_should_not_be_called( GPR_ASSERT("grpc_jwt_encode_and_sign should not be called" == NULL); } -static void validate_service_account_http_request( - const grpc_httpcli_request *request, const char *body, size_t body_size) { - /* The content of the assertion is tested extensively in json_token_test. */ - char *expected_body = NULL; - GPR_ASSERT(body != NULL); - GPR_ASSERT(body_size != 0); - gpr_asprintf(&expected_body, "%s%s", GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX, - test_signed_jwt); - GPR_ASSERT(strlen(expected_body) == body_size); - GPR_ASSERT(memcmp(expected_body, body, body_size) == 0); - gpr_free(expected_body); - GPR_ASSERT(request->handshaker == &grpc_httpcli_ssl); - GPR_ASSERT(strcmp(request->host, GRPC_GOOGLE_OAUTH2_SERVICE_HOST) == 0); - GPR_ASSERT(strcmp(request->path, GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH) == 0); - GPR_ASSERT(request->hdr_count == 1); - GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0); - GPR_ASSERT( - strcmp(request->hdrs[0].value, "application/x-www-form-urlencoded") == 0); -} - -static int service_account_httpcli_post_success( - const grpc_httpcli_request *request, const char *body, size_t body_size, - gpr_timespec deadline, grpc_httpcli_response_cb on_response, - void *user_data) { - grpc_httpcli_response response = - http_response(200, valid_oauth2_json_response); - validate_service_account_http_request(request, body, body_size); - on_response(user_data, &response); - return 1; -} - -static int service_account_httpcli_post_failure( - const grpc_httpcli_request *request, const char *body, size_t body_size, - gpr_timespec deadline, grpc_httpcli_response_cb on_response, - void *user_data) { - grpc_httpcli_response response = http_response(403, "Not Authorized."); - validate_service_account_http_request(request, body, body_size); - on_response(user_data, &response); - return 1; -} - -static void test_service_account_creds_success(void) { - char *json_key_string = test_json_key_str(); - grpc_credentials *service_account_creds = - grpc_service_account_credentials_create(json_key_string, test_scope, - grpc_max_auth_token_lifetime, NULL); - GPR_ASSERT(grpc_credentials_has_request_metadata(service_account_creds)); - GPR_ASSERT(grpc_credentials_has_request_metadata_only(service_account_creds)); - - /* First request: http get should be called. */ - grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success); - grpc_httpcli_set_override(httpcli_get_should_not_be_called, - service_account_httpcli_post_success); - grpc_credentials_get_request_metadata( - service_account_creds, NULL, test_service_url, - on_oauth2_creds_get_metadata_success, (void *)test_user_data); - - /* Second request: the cached token should be served directly. */ - grpc_jwt_encode_and_sign_set_override( - encode_and_sign_jwt_should_not_be_called); - grpc_httpcli_set_override(httpcli_get_should_not_be_called, - httpcli_post_should_not_be_called); - grpc_credentials_get_request_metadata( - service_account_creds, NULL, test_service_url, - on_oauth2_creds_get_metadata_success, (void *)test_user_data); - - gpr_free(json_key_string); - grpc_credentials_unref(service_account_creds); - grpc_jwt_encode_and_sign_set_override(NULL); - grpc_httpcli_set_override(NULL, NULL); -} - -static void test_service_account_creds_http_failure(void) { - char *json_key_string = test_json_key_str(); - grpc_credentials *service_account_creds = - grpc_service_account_credentials_create( - json_key_string, test_scope, grpc_max_auth_token_lifetime, NULL); - GPR_ASSERT(grpc_credentials_has_request_metadata(service_account_creds)); - GPR_ASSERT(grpc_credentials_has_request_metadata_only(service_account_creds)); - - grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success); - grpc_httpcli_set_override(httpcli_get_should_not_be_called, - service_account_httpcli_post_failure); - grpc_credentials_get_request_metadata( - service_account_creds, NULL, test_service_url, - on_oauth2_creds_get_metadata_failure, (void *)test_user_data); - - gpr_free(json_key_string); - grpc_credentials_unref(service_account_creds); - grpc_httpcli_set_override(NULL, NULL); -} - -static void test_service_account_creds_signing_failure(void) { - char *json_key_string = test_json_key_str(); - grpc_credentials *service_account_creds = - grpc_service_account_credentials_create( - json_key_string, test_scope, grpc_max_auth_token_lifetime, NULL); - GPR_ASSERT(grpc_credentials_has_request_metadata(service_account_creds)); - GPR_ASSERT(grpc_credentials_has_request_metadata_only(service_account_creds)); - - grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_failure); - grpc_httpcli_set_override(httpcli_get_should_not_be_called, - httpcli_post_should_not_be_called); - grpc_credentials_get_request_metadata( - service_account_creds, NULL, test_service_url, - on_oauth2_creds_get_metadata_failure, (void *)test_user_data); - - gpr_free(json_key_string); - grpc_credentials_unref(service_account_creds); - grpc_httpcli_set_override(NULL, NULL); - grpc_jwt_encode_and_sign_set_override(NULL); -} - static void on_jwt_creds_get_metadata_success(void *user_data, grpc_credentials_md *md_elems, size_t num_md, @@ -922,14 +818,14 @@ static void test_google_default_creds_auth_key(void) { } static void test_google_default_creds_access_token(void) { - grpc_refresh_token_credentials *refresh; + grpc_google_refresh_token_credentials *refresh; grpc_credentials *creds; grpc_flush_cached_google_default_credentials(); set_google_default_creds_env_var_with_file_contents( "refresh_token_google_default_creds", test_refresh_token_str); creds = grpc_google_default_credentials_create(); GPR_ASSERT(creds != NULL); - refresh = (grpc_refresh_token_credentials *)composite_inner_creds( + refresh = (grpc_google_refresh_token_credentials *)composite_inner_creds( creds, GRPC_CREDENTIALS_TYPE_OAUTH2); GPR_ASSERT(strcmp(refresh->refresh_token.client_id, "32555999999.apps.googleusercontent.com") == 0); @@ -952,17 +848,14 @@ int main(int argc, char **argv) { test_oauth2_token_fetcher_creds_parsing_missing_token(); test_oauth2_token_fetcher_creds_parsing_missing_token_type(); test_oauth2_token_fetcher_creds_parsing_missing_token_lifetime(); - test_iam_creds(); + test_google_iam_creds(); test_access_token_creds(); test_ssl_oauth2_composite_creds(); - test_ssl_oauth2_iam_composite_creds(); + test_ssl_oauth2_google_iam_composite_creds(); test_compute_engine_creds_success(); test_compute_engine_creds_failure(); test_refresh_token_creds_success(); test_refresh_token_creds_failure(); - test_service_account_creds_success(); - test_service_account_creds_http_failure(); - test_service_account_creds_signing_failure(); test_jwt_creds_success(); test_jwt_creds_signing_failure(); test_google_default_creds_auth_key(); diff --git a/test/core/security/fetch_oauth2.c b/test/core/security/fetch_oauth2.c index 7354a9f8f77..764d8da9b60 100644 --- a/test/core/security/fetch_oauth2.c +++ b/test/core/security/fetch_oauth2.c @@ -46,19 +46,6 @@ #include "src/core/support/file.h" #include "test/core/security/oauth2_utils.h" -static grpc_credentials *create_service_account_creds( - const char *json_key_file_path, const char *scope) { - int success; - gpr_slice json_key = gpr_load_file(json_key_file_path, 1, &success); - if (!success) { - gpr_log(GPR_ERROR, "Could not read file %s.", json_key_file_path); - exit(1); - } - return grpc_service_account_credentials_create( - (const char *)GPR_SLICE_START_PTR(json_key), scope, - grpc_max_auth_token_lifetime, NULL); -} - static grpc_credentials *create_refresh_token_creds( const char *json_refresh_token_file_path) { int success; @@ -68,7 +55,7 @@ static grpc_credentials *create_refresh_token_creds( gpr_log(GPR_ERROR, "Could not read file %s.", json_refresh_token_file_path); exit(1); } - return grpc_refresh_token_credentials_create( + return grpc_google_refresh_token_credentials_create( (const char *)GPR_SLICE_START_PTR(refresh_token), NULL); } @@ -80,18 +67,9 @@ int main(int argc, char **argv) { int use_gce = 0; char *scope = NULL; gpr_cmdline *cl = gpr_cmdline_create("fetch_oauth2"); - gpr_cmdline_add_string(cl, "json_key", - "File path of the json key. Mutually exclusive with " - "--json_refresh_token.", - &json_key_file_path); gpr_cmdline_add_string(cl, "json_refresh_token", - "File path of the json refresh token. Mutually " - "exclusive with --json_key.", + "File path of the json refresh token.", &json_refresh_token_file_path); - gpr_cmdline_add_string(cl, "scope", - "Space delimited permissions. Only used for " - "--json_key, ignored otherwise.", - &scope); gpr_cmdline_add_flag( cl, "gce", "Get a token from the GCE metadata server (only works in GCE).", @@ -112,7 +90,7 @@ int main(int argc, char **argv) { "Ignoring json key and scope to get a token from the GCE " "metadata server."); } - creds = grpc_compute_engine_credentials_create(NULL); + creds = grpc_google_compute_engine_credentials_create(NULL); if (creds == NULL) { gpr_log(GPR_ERROR, "Could not create gce credentials."); exit(1); @@ -127,23 +105,8 @@ int main(int argc, char **argv) { exit(1); } } else { - if (json_key_file_path == NULL) { - gpr_log(GPR_ERROR, "Missing --json_key option."); - exit(1); - } - if (scope == NULL) { - gpr_log(GPR_ERROR, "Missing --scope option."); - exit(1); - } - - creds = create_service_account_creds(json_key_file_path, scope); - if (creds == NULL) { - gpr_log(GPR_ERROR, - "Could not create service account creds. %s does probably not " - "contain a valid json key.", - json_key_file_path); - exit(1); - } + gpr_log(GPR_ERROR, "Missing --gce or --json_refresh_token option."); + exit(1); } GPR_ASSERT(creds != NULL); diff --git a/test/cpp/client/credentials_test.cc b/test/cpp/client/credentials_test.cc index 6fb24d71e5a..18fcffe7cd1 100644 --- a/test/cpp/client/credentials_test.cc +++ b/test/cpp/client/credentials_test.cc @@ -45,8 +45,8 @@ class CredentialsTest : public ::testing::Test { protected: }; -TEST_F(CredentialsTest, InvalidServiceAccountCreds) { - std::shared_ptr bad1 = ServiceAccountCredentials("", "", 1); +TEST_F(CredentialsTest, InvalidGoogleRefreshToken) { + std::shared_ptr bad1 = GoogleRefreshTokenCredentials(""); EXPECT_EQ(static_cast(nullptr), bad1.get()); } diff --git a/test/cpp/end2end/end2end_test.cc b/test/cpp/end2end/end2end_test.cc index 2728dce07e5..b6f156a24ab 100644 --- a/test/cpp/end2end/end2end_test.cc +++ b/test/cpp/end2end/end2end_test.cc @@ -561,7 +561,7 @@ TEST_F(End2endTest, DiffPackageServices) { // rpc and stream should fail on bad credentials. TEST_F(End2endTest, BadCredentials) { - std::shared_ptr bad_creds = ServiceAccountCredentials("", "", 1); + std::shared_ptr bad_creds = GoogleRefreshTokenCredentials(""); EXPECT_EQ(static_cast(nullptr), bad_creds.get()); std::shared_ptr channel = CreateChannel(server_address_.str(), bad_creds, ChannelArguments()); @@ -741,7 +741,7 @@ TEST_F(End2endTest, SetPerCallCredentials) { EchoResponse response; ClientContext context; std::shared_ptr creds = - IAMCredentials("fake_token", "fake_selector"); + GoogleIAMCredentials("fake_token", "fake_selector"); context.set_credentials(creds); request.set_message("Hello"); request.mutable_param()->set_echo_metadata(true); @@ -778,10 +778,10 @@ TEST_F(End2endTest, OverridePerCallCredentials) { EchoResponse response; ClientContext context; std::shared_ptr creds1 = - IAMCredentials("fake_token1", "fake_selector1"); + GoogleIAMCredentials("fake_token1", "fake_selector1"); context.set_credentials(creds1); std::shared_ptr creds2 = - IAMCredentials("fake_token2", "fake_selector2"); + GoogleIAMCredentials("fake_token2", "fake_selector2"); context.set_credentials(creds2); request.set_message("Hello"); request.mutable_param()->set_echo_metadata(true); diff --git a/test/cpp/interop/client_helper.cc b/test/cpp/interop/client_helper.cc index abc14aeb983..7093463fa8c 100644 --- a/test/cpp/interop/client_helper.cc +++ b/test/cpp/interop/client_helper.cc @@ -64,16 +64,6 @@ DECLARE_string(oauth_scope); namespace grpc { namespace testing { -namespace { -std::shared_ptr CreateServiceAccountCredentials() { - GPR_ASSERT(FLAGS_enable_ssl); - grpc::string json_key = GetServiceAccountJsonKey(); - std::chrono::seconds token_lifetime = std::chrono::hours(1); - return ServiceAccountCredentials(json_key, FLAGS_oauth_scope, - token_lifetime.count()); -} -} // namespace - grpc::string GetServiceAccountJsonKey() { static grpc::string json_key; if (json_key.empty()) { @@ -86,7 +76,7 @@ grpc::string GetServiceAccountJsonKey() { } grpc::string GetOauth2AccessToken() { - std::shared_ptr creds = CreateServiceAccountCredentials(); + std::shared_ptr creds = GoogleComputeEngineCredentials(); SecureCredentials* secure_creds = dynamic_cast(creds.get()); GPR_ASSERT(secure_creds != nullptr); @@ -107,14 +97,10 @@ std::shared_ptr CreateChannelForTestCase( snprintf(host_port, host_port_buf_size, "%s:%d", FLAGS_server_host.c_str(), FLAGS_server_port); - if (test_case == "service_account_creds") { - std::shared_ptr creds = CreateServiceAccountCredentials(); - return CreateTestChannel(host_port, FLAGS_server_host_override, - FLAGS_enable_ssl, FLAGS_use_prod_roots, creds); - } else if (test_case == "compute_engine_creds") { + if (test_case == "compute_engine_creds") { std::shared_ptr creds; GPR_ASSERT(FLAGS_enable_ssl); - creds = ComputeEngineCredentials(); + creds = GoogleComputeEngineCredentials(); return CreateTestChannel(host_port, FLAGS_server_host_override, FLAGS_enable_ssl, FLAGS_use_prod_roots, creds); } else if (test_case == "jwt_token_creds") {