Credentials cleanup:

- Removing service_accounts credentials. These credentials just have
  drawbacks compared to service_account_jwt_access credentials, notably
  in terms for security.
- Renaming Google specific credentials with a Google prefix for C and
  C++. This should be done as well for wrapped languages.
pull/3075/head
Julien Boeuf 9 years ago
parent c17fecd224
commit 510a920c75
  1. 16
      include/grpc++/credentials.h
  2. 29
      include/grpc/grpc_security.h
  3. 111
      src/core/security/credentials.c
  4. 17
      src/core/security/credentials.h
  5. 2
      src/core/security/google_default_credentials.c
  6. 30
      src/cpp/client/secure_credentials.cc
  7. 4
      src/node/ext/credentials.cc
  8. 2
      src/php/ext/grpc/credentials.c
  9. 29
      src/python/grpcio/grpc/_adapter/_c/types/client_credentials.c
  10. 2
      src/ruby/ext/grpc/rb_credentials.c
  11. 6
      test/core/end2end/tests/request_response_with_payload_and_call_creds.c
  12. 185
      test/core/security/credentials_test.c
  13. 45
      test/core/security/fetch_oauth2.c
  14. 4
      test/cpp/client/credentials_test.cc
  15. 8
      test/cpp/end2end/end2end_test.cc
  16. 20
      test/cpp/interop/client_helper.cc

@ -94,17 +94,7 @@ std::shared_ptr<Credentials> SslCredentials(
const SslCredentialsOptions& options);
// Builds credentials for use when running in GCE
std::shared_ptr<Credentials> ComputeEngineCredentials();
// Builds service account credentials.
// json_key is the JSON key string containing the client's private key.
// scope is a space-delimited list of the requested permissions.
// token_lifetime_seconds is the lifetime in seconds of each token acquired
// through this service account credentials. It should be positive and should
// not exceed grpc_max_auth_token_lifetime or will be cropped to this value.
std::shared_ptr<Credentials> ServiceAccountCredentials(
const grpc::string& json_key, const grpc::string& scope,
long token_lifetime_seconds);
std::shared_ptr<Credentials> GoogleComputeEngineCredentials();
// Builds Service Account JWT Access credentials.
// json_key is the JSON key string containing the client's private key.
@ -117,7 +107,7 @@ std::shared_ptr<Credentials> ServiceAccountJWTAccessCredentials(
// Builds refresh token credentials.
// json_refresh_token is the JSON string containing the refresh token along
// with a client_id and client_secret.
std::shared_ptr<Credentials> RefreshTokenCredentials(
std::shared_ptr<Credentials> GoogleRefreshTokenCredentials(
const grpc::string& json_refresh_token);
// Builds access token credentials.
@ -127,7 +117,7 @@ std::shared_ptr<Credentials> AccessTokenCredentials(
const grpc::string& access_token);
// Builds IAM credentials.
std::shared_ptr<Credentials> IAMCredentials(
std::shared_ptr<Credentials> GoogleIAMCredentials(
const grpc::string& authorization_token,
const grpc::string& authority_selector);

@ -97,26 +97,13 @@ grpc_credentials *grpc_composite_credentials_create(grpc_credentials *creds1,
grpc_credentials *creds2,
void *reserved);
/* Creates a compute engine credentials object.
/* Creates a compute engine credentials object for connecting to Google.
WARNING: Do NOT use this credentials to connect to a non-google service as
this could result in an oauth2 token leak. */
grpc_credentials *grpc_compute_engine_credentials_create(void *reserved);
grpc_credentials *grpc_google_compute_engine_credentials_create(void *reserved);
extern const gpr_timespec grpc_max_auth_token_lifetime;
/* Creates a service account credentials object. May return NULL if the input is
invalid.
WARNING: Do NOT use this credentials to connect to a non-google service as
this could result in an oauth2 token leak.
- json_key is the JSON key string containing the client's private key.
- scope is a space-delimited list of the requested permissions.
- token_lifetime is the lifetime of each token acquired through this service
account credentials. It should not exceed grpc_max_auth_token_lifetime
or will be cropped to this value. */
grpc_credentials *grpc_service_account_credentials_create(
const char *json_key, const char *scope, gpr_timespec token_lifetime,
void *reserved);
/* Creates a JWT credentials object. May return NULL if the input is invalid.
- json_key is the JSON key string containing the client's private key.
- token_lifetime is the lifetime of each Json Web Token (JWT) created with
@ -125,13 +112,13 @@ grpc_credentials *grpc_service_account_credentials_create(
grpc_credentials *grpc_service_account_jwt_access_credentials_create(
const char *json_key, gpr_timespec token_lifetime, void *reserved);
/* Creates an Oauth2 Refresh Token credentials object. May return NULL if the
input is invalid.
/* Creates an Oauth2 Refresh Token credentials object for connecting to Google.
May return NULL if the input is invalid.
WARNING: Do NOT use this credentials to connect to a non-google service as
this could result in an oauth2 token leak.
- json_refresh_token is the JSON string containing the refresh token itself
along with a client_id and client_secret. */
grpc_credentials *grpc_refresh_token_credentials_create(
grpc_credentials *grpc_google_refresh_token_credentials_create(
const char *json_refresh_token, void *reserved);
/* Creates an Oauth2 Access Token credentials with an access token that was
@ -139,9 +126,9 @@ grpc_credentials *grpc_refresh_token_credentials_create(
grpc_credentials *grpc_access_token_credentials_create(
const char *access_token, void *reserved);
/* Creates an IAM credentials object. */
grpc_credentials *grpc_iam_credentials_create(const char *authorization_token,
const char *authority_selector,
/* Creates an IAM credentials object for connecting to Google. */
grpc_credentials *grpc_google_iam_credentials_create(
const char *authorization_token, const char *authority_selector,
void *reserved);
/* --- Secure channel creation. --- */

@ -618,7 +618,7 @@ static void init_oauth2_token_fetcher(grpc_oauth2_token_fetcher_credentials *c,
grpc_httpcli_context_init(&c->httpcli_context);
}
/* -- ComputeEngine credentials. -- */
/* -- GoogleComputeEngine credentials. -- */
static grpc_credentials_vtable compute_engine_vtable = {
oauth2_token_fetcher_destroy, oauth2_token_fetcher_has_request_metadata,
@ -640,7 +640,8 @@ static void compute_engine_fetch_oauth2(
metadata_req);
}
grpc_credentials *grpc_compute_engine_credentials_create(void *reserved) {
grpc_credentials *grpc_google_compute_engine_credentials_create(
void *reserved) {
grpc_oauth2_token_fetcher_credentials *c =
gpr_malloc(sizeof(grpc_oauth2_token_fetcher_credentials));
GPR_ASSERT(reserved == NULL);
@ -649,81 +650,11 @@ grpc_credentials *grpc_compute_engine_credentials_create(void *reserved) {
return &c->base;
}
/* -- ServiceAccount credentials. -- */
static void service_account_destroy(grpc_credentials *creds) {
grpc_service_account_credentials *c =
(grpc_service_account_credentials *)creds;
if (c->scope != NULL) gpr_free(c->scope);
grpc_auth_json_key_destruct(&c->key);
oauth2_token_fetcher_destroy(&c->base.base);
}
static grpc_credentials_vtable service_account_vtable = {
service_account_destroy, oauth2_token_fetcher_has_request_metadata,
oauth2_token_fetcher_has_request_metadata_only,
oauth2_token_fetcher_get_request_metadata, NULL};
static void service_account_fetch_oauth2(
grpc_credentials_metadata_request *metadata_req,
grpc_httpcli_context *httpcli_context, grpc_pollset *pollset,
grpc_httpcli_response_cb response_cb, gpr_timespec deadline) {
grpc_service_account_credentials *c =
(grpc_service_account_credentials *)metadata_req->creds;
grpc_httpcli_header header = {"Content-Type",
"application/x-www-form-urlencoded"};
grpc_httpcli_request request;
char *body = NULL;
char *jwt = grpc_jwt_encode_and_sign(&c->key, GRPC_JWT_OAUTH2_AUDIENCE,
c->token_lifetime, c->scope);
if (jwt == NULL) {
grpc_httpcli_response response;
memset(&response, 0, sizeof(grpc_httpcli_response));
response.status = 400; /* Invalid request. */
gpr_log(GPR_ERROR, "Could not create signed jwt.");
/* Do not even send the request, just call the response callback. */
response_cb(metadata_req, &response);
return;
}
gpr_asprintf(&body, "%s%s", GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX, jwt);
memset(&request, 0, sizeof(grpc_httpcli_request));
request.host = GRPC_GOOGLE_OAUTH2_SERVICE_HOST;
request.path = GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH;
request.hdr_count = 1;
request.hdrs = &header;
request.handshaker = &grpc_httpcli_ssl;
grpc_httpcli_post(httpcli_context, pollset, &request, body, strlen(body),
deadline, response_cb, metadata_req);
gpr_free(body);
gpr_free(jwt);
}
grpc_credentials *grpc_service_account_credentials_create(
const char *json_key, const char *scope, gpr_timespec token_lifetime,
void *reserved) {
grpc_service_account_credentials *c;
grpc_auth_json_key key = grpc_auth_json_key_create_from_string(json_key);
GPR_ASSERT(reserved == NULL);
if (scope == NULL || (strlen(scope) == 0) ||
!grpc_auth_json_key_is_valid(&key)) {
gpr_log(GPR_ERROR,
"Invalid input for service account credentials creation");
return NULL;
}
c = gpr_malloc(sizeof(grpc_service_account_credentials));
memset(c, 0, sizeof(grpc_service_account_credentials));
init_oauth2_token_fetcher(&c->base, service_account_fetch_oauth2);
c->base.base.vtable = &service_account_vtable;
c->scope = gpr_strdup(scope);
c->key = key;
c->token_lifetime = token_lifetime;
return &c->base.base;
}
/* -- RefreshToken credentials. -- */
/* -- GoogleRefreshToken credentials. -- */
static void refresh_token_destroy(grpc_credentials *creds) {
grpc_refresh_token_credentials *c = (grpc_refresh_token_credentials *)creds;
grpc_google_refresh_token_credentials *c =
(grpc_google_refresh_token_credentials *)creds;
grpc_auth_refresh_token_destruct(&c->refresh_token);
oauth2_token_fetcher_destroy(&c->base.base);
}
@ -737,8 +668,8 @@ static void refresh_token_fetch_oauth2(
grpc_credentials_metadata_request *metadata_req,
grpc_httpcli_context *httpcli_context, grpc_pollset *pollset,
grpc_httpcli_response_cb response_cb, gpr_timespec deadline) {
grpc_refresh_token_credentials *c =
(grpc_refresh_token_credentials *)metadata_req->creds;
grpc_google_refresh_token_credentials *c =
(grpc_google_refresh_token_credentials *)metadata_req->creds;
grpc_httpcli_header header = {"Content-Type",
"application/x-www-form-urlencoded"};
grpc_httpcli_request request;
@ -757,22 +688,23 @@ static void refresh_token_fetch_oauth2(
gpr_free(body);
}
grpc_credentials *grpc_refresh_token_credentials_create_from_auth_refresh_token(
grpc_credentials *
grpc_refresh_token_credentials_create_from_auth_refresh_token(
grpc_auth_refresh_token refresh_token) {
grpc_refresh_token_credentials *c;
grpc_google_refresh_token_credentials *c;
if (!grpc_auth_refresh_token_is_valid(&refresh_token)) {
gpr_log(GPR_ERROR, "Invalid input for refresh token credentials creation");
return NULL;
}
c = gpr_malloc(sizeof(grpc_refresh_token_credentials));
memset(c, 0, sizeof(grpc_refresh_token_credentials));
c = gpr_malloc(sizeof(grpc_google_refresh_token_credentials));
memset(c, 0, sizeof(grpc_google_refresh_token_credentials));
init_oauth2_token_fetcher(&c->base, refresh_token_fetch_oauth2);
c->base.base.vtable = &refresh_token_vtable;
c->refresh_token = refresh_token;
return &c->base.base;
}
grpc_credentials *grpc_refresh_token_credentials_create(
grpc_credentials *grpc_google_refresh_token_credentials_create(
const char *json_refresh_token, void *reserved) {
GPR_ASSERT(reserved == NULL);
return grpc_refresh_token_credentials_create_from_auth_refresh_token(
@ -1194,7 +1126,7 @@ grpc_credentials *grpc_credentials_contains_type(
/* -- IAM credentials. -- */
static void iam_destroy(grpc_credentials *creds) {
grpc_iam_credentials *c = (grpc_iam_credentials *)creds;
grpc_google_iam_credentials *c = (grpc_google_iam_credentials *)creds;
grpc_credentials_md_store_unref(c->iam_md);
gpr_free(c);
}
@ -1210,7 +1142,7 @@ static void iam_get_request_metadata(grpc_credentials *creds,
const char *service_url,
grpc_credentials_metadata_cb cb,
void *user_data) {
grpc_iam_credentials *c = (grpc_iam_credentials *)creds;
grpc_google_iam_credentials *c = (grpc_google_iam_credentials *)creds;
cb(user_data, c->iam_md->entries, c->iam_md->num_entries,
GRPC_CREDENTIALS_OK);
}
@ -1219,15 +1151,14 @@ static grpc_credentials_vtable iam_vtable = {
iam_destroy, iam_has_request_metadata, iam_has_request_metadata_only,
iam_get_request_metadata, NULL};
grpc_credentials *grpc_iam_credentials_create(const char *token,
const char *authority_selector,
void *reserved) {
grpc_iam_credentials *c;
grpc_credentials *grpc_google_iam_credentials_create(
const char *token, const char *authority_selector, void *reserved) {
grpc_google_iam_credentials *c;
GPR_ASSERT(reserved == NULL);
GPR_ASSERT(token != NULL);
GPR_ASSERT(authority_selector != NULL);
c = gpr_malloc(sizeof(grpc_iam_credentials));
memset(c, 0, sizeof(grpc_iam_credentials));
c = gpr_malloc(sizeof(grpc_google_iam_credentials));
memset(c, 0, sizeof(grpc_google_iam_credentials));
c->base.type = GRPC_CREDENTIALS_TYPE_IAM;
c->base.vtable = &iam_vtable;
gpr_ref_init(&c->base.refcount, 1);

@ -277,21 +277,12 @@ typedef struct {
grpc_fetch_oauth2_func fetch_func;
} grpc_oauth2_token_fetcher_credentials;
/* -- ServiceAccount credentials. -- */
typedef struct {
grpc_oauth2_token_fetcher_credentials base;
grpc_auth_json_key key;
char *scope;
gpr_timespec token_lifetime;
} grpc_service_account_credentials;
/* -- RefreshToken credentials. -- */
/* -- GoogleRefreshToken credentials. -- */
typedef struct {
grpc_oauth2_token_fetcher_credentials base;
grpc_auth_refresh_token refresh_token;
} grpc_refresh_token_credentials;
} grpc_google_refresh_token_credentials;
/* -- Oauth2 Access Token credentials. -- */
@ -308,12 +299,12 @@ typedef struct {
int is_async;
} grpc_md_only_test_credentials;
/* -- IAM credentials. -- */
/* -- GoogleIAM credentials. -- */
typedef struct {
grpc_credentials base;
grpc_credentials_md_store *iam_md;
} grpc_iam_credentials;
} grpc_google_iam_credentials;
/* -- Composite credentials. -- */

@ -194,7 +194,7 @@ grpc_credentials *grpc_google_default_credentials_create(void) {
int need_compute_engine_creds = is_stack_running_on_compute_engine();
compute_engine_detection_done = 1;
if (need_compute_engine_creds) {
result = grpc_compute_engine_credentials_create(NULL);
result = grpc_google_compute_engine_credentials_create(NULL);
}
}

@ -81,26 +81,10 @@ std::shared_ptr<Credentials> SslCredentials(
}
// Builds credentials for use when running in GCE
std::shared_ptr<Credentials> ComputeEngineCredentials() {
std::shared_ptr<Credentials> GoogleComputeEngineCredentials() {
GrpcLibrary init; // To call grpc_init().
return WrapCredentials(grpc_compute_engine_credentials_create(nullptr));
}
// Builds service account credentials.
std::shared_ptr<Credentials> ServiceAccountCredentials(
const grpc::string& json_key, const grpc::string& scope,
long token_lifetime_seconds) {
GrpcLibrary init; // To call grpc_init().
if (token_lifetime_seconds <= 0) {
gpr_log(GPR_ERROR,
"Trying to create ServiceAccountCredentials "
"with non-positive lifetime");
return WrapCredentials(nullptr);
}
gpr_timespec lifetime =
gpr_time_from_seconds(token_lifetime_seconds, GPR_TIMESPAN);
return WrapCredentials(grpc_service_account_credentials_create(
json_key.c_str(), scope.c_str(), lifetime, nullptr));
return WrapCredentials(
grpc_google_compute_engine_credentials_create(nullptr));
}
// Builds JWT credentials.
@ -119,10 +103,10 @@ std::shared_ptr<Credentials> ServiceAccountJWTAccessCredentials(
}
// Builds refresh token credentials.
std::shared_ptr<Credentials> RefreshTokenCredentials(
std::shared_ptr<Credentials> GoogleRefreshTokenCredentials(
const grpc::string& json_refresh_token) {
GrpcLibrary init; // To call grpc_init().
return WrapCredentials(grpc_refresh_token_credentials_create(
return WrapCredentials(grpc_google_refresh_token_credentials_create(
json_refresh_token.c_str(), nullptr));
}
@ -135,11 +119,11 @@ std::shared_ptr<Credentials> AccessTokenCredentials(
}
// Builds IAM credentials.
std::shared_ptr<Credentials> IAMCredentials(
std::shared_ptr<Credentials> GoogleIAMCredentials(
const grpc::string& authorization_token,
const grpc::string& authority_selector) {
GrpcLibrary init; // To call grpc_init().
return WrapCredentials(grpc_iam_credentials_create(
return WrapCredentials(grpc_google_iam_credentials_create(
authorization_token.c_str(), authority_selector.c_str(), nullptr));
}

@ -186,7 +186,7 @@ NAN_METHOD(Credentials::CreateComposite) {
NAN_METHOD(Credentials::CreateGce) {
NanScope();
grpc_credentials *creds = grpc_compute_engine_credentials_create(NULL);
grpc_credentials *creds = grpc_google_compute_engine_credentials_create(NULL);
if (creds == NULL) {
NanReturnNull();
}
@ -204,7 +204,7 @@ NAN_METHOD(Credentials::CreateIam) {
NanUtf8String auth_token(args[0]);
NanUtf8String auth_selector(args[1]);
grpc_credentials *creds =
grpc_iam_credentials_create(*auth_token, *auth_selector, NULL);
grpc_google_iam_credentials_create(*auth_token, *auth_selector, NULL);
if (creds == NULL) {
NanReturnNull();
}

@ -170,7 +170,7 @@ PHP_METHOD(Credentials, createComposite) {
* @return Credentials The new GCE credentials object
*/
PHP_METHOD(Credentials, createGce) {
grpc_credentials *creds = grpc_compute_engine_credentials_create(NULL);
grpc_credentials *creds = grpc_google_compute_engine_credentials_create(NULL);
zval *creds_object = grpc_php_wrap_credentials(creds);
RETURN_DESTROY_ZVAL(creds_object);
}

@ -173,7 +173,7 @@ ClientCredentials *pygrpc_ClientCredentials_composite(
ClientCredentials *pygrpc_ClientCredentials_compute_engine(
PyTypeObject *type, PyObject *ignored) {
ClientCredentials *self = (ClientCredentials *)type->tp_alloc(type, 0);
self->c_creds = grpc_compute_engine_credentials_create(NULL);
self->c_creds = grpc_google_compute_engine_credentials_create(NULL);
if (!self->c_creds) {
Py_DECREF(self);
PyErr_SetString(PyExc_RuntimeError,
@ -183,29 +183,6 @@ ClientCredentials *pygrpc_ClientCredentials_compute_engine(
return self;
}
ClientCredentials *pygrpc_ClientCredentials_service_account(
PyTypeObject *type, PyObject *args, PyObject *kwargs) {
ClientCredentials *self;
const char *json_key;
const char *scope;
double lifetime;
static char *keywords[] = {"json_key", "scope", "token_lifetime", NULL};
if (!PyArg_ParseTupleAndKeywords(args, kwargs, "ssd:service_account", keywords,
&json_key, &scope, &lifetime)) {
return NULL;
}
self = (ClientCredentials *)type->tp_alloc(type, 0);
self->c_creds = grpc_service_account_credentials_create(
json_key, scope, pygrpc_cast_double_to_gpr_timespec(lifetime), NULL);
if (!self->c_creds) {
Py_DECREF(self);
PyErr_SetString(PyExc_RuntimeError,
"couldn't create service account credentials");
return NULL;
}
return self;
}
/* TODO: Rename this credentials to something like service_account_jwt_access */
ClientCredentials *pygrpc_ClientCredentials_jwt(
PyTypeObject *type, PyObject *args, PyObject *kwargs) {
@ -239,7 +216,7 @@ ClientCredentials *pygrpc_ClientCredentials_refresh_token(
}
self = (ClientCredentials *)type->tp_alloc(type, 0);
self->c_creds =
grpc_refresh_token_credentials_create(json_refresh_token, NULL);
grpc_google_refresh_token_credentials_create(json_refresh_token, NULL);
if (!self->c_creds) {
Py_DECREF(self);
PyErr_SetString(PyExc_RuntimeError,
@ -260,7 +237,7 @@ ClientCredentials *pygrpc_ClientCredentials_iam(
return NULL;
}
self = (ClientCredentials *)type->tp_alloc(type, 0);
self->c_creds = grpc_iam_credentials_create(authorization_token,
self->c_creds = grpc_google_iam_credentials_create(authorization_token,
authority_selector, NULL);
if (!self->c_creds) {
Py_DECREF(self);

@ -154,7 +154,7 @@ static VALUE grpc_rb_default_credentials_create(VALUE cls) {
Creates the default credential instances. */
static VALUE grpc_rb_compute_engine_credentials_create(VALUE cls) {
grpc_rb_credentials *wrapper = ALLOC(grpc_rb_credentials);
wrapper->wrapped = grpc_compute_engine_credentials_create(NULL);
wrapper->wrapped = grpc_google_compute_engine_credentials_create(NULL);
if (wrapper->wrapped == NULL) {
rb_raise(rb_eRuntimeError,
"could not create composite engine credentials, not sure why");

@ -190,7 +190,7 @@ static void request_response_with_payload_and_call_creds(
c = grpc_channel_create_call(f.client, NULL, GRPC_PROPAGATE_DEFAULTS, f.cq,
"/foo", "foo.test.google.fr", deadline, NULL);
GPR_ASSERT(c);
creds = grpc_iam_credentials_create(iam_token, iam_selector, NULL);
creds = grpc_google_iam_credentials_create(iam_token, iam_selector, NULL);
GPR_ASSERT(creds != NULL);
GPR_ASSERT(grpc_call_set_credentials(c, creds) == GRPC_CALL_OK);
switch (mode) {
@ -198,7 +198,7 @@ static void request_response_with_payload_and_call_creds(
break;
case OVERRIDE:
grpc_credentials_release(creds);
creds = grpc_iam_credentials_create(overridden_iam_token,
creds = grpc_google_iam_credentials_create(overridden_iam_token,
overridden_iam_selector, NULL);
GPR_ASSERT(creds != NULL);
GPR_ASSERT(grpc_call_set_credentials(c, creds) == GRPC_CALL_OK);
@ -421,7 +421,7 @@ static void test_request_with_server_rejecting_client_creds(
"/foo", "foo.test.google.fr", deadline, NULL);
GPR_ASSERT(c);
creds = grpc_iam_credentials_create(iam_token, iam_selector, NULL);
creds = grpc_google_iam_credentials_create(iam_token, iam_selector, NULL);
GPR_ASSERT(creds != NULL);
GPR_ASSERT(grpc_call_set_credentials(c, creds) == GRPC_CALL_OK);
grpc_credentials_release(creds);

@ -50,8 +50,8 @@
#include <openssl/rsa.h>
static const char test_iam_authorization_token[] = "blahblahblhahb";
static const char test_iam_authority_selector[] = "respectmyauthoritah";
static const char test_google_iam_authorization_token[] = "blahblahblhahb";
static const char test_google_iam_authority_selector[] = "respectmyauthoritah";
static const char test_oauth2_bearer_token[] =
"Bearer blaaslkdjfaslkdfasdsfasf";
static const char test_root_cert[] = "I am the root!";
@ -315,25 +315,29 @@ static void check_metadata(expected_md *expected, grpc_credentials_md *md_elems,
}
}
static void check_iam_metadata(void *user_data, grpc_credentials_md *md_elems,
size_t num_md, grpc_credentials_status status) {
static void check_google_iam_metadata(void *user_data,
grpc_credentials_md *md_elems,
size_t num_md,
grpc_credentials_status status) {
grpc_credentials *c = (grpc_credentials *)user_data;
expected_md emd[] = {
{GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY, test_iam_authorization_token},
{GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY, test_iam_authority_selector}};
expected_md emd[] = {{GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY,
test_google_iam_authorization_token},
{GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY,
test_google_iam_authority_selector}};
GPR_ASSERT(status == GRPC_CREDENTIALS_OK);
GPR_ASSERT(num_md == 2);
check_metadata(emd, md_elems, num_md);
grpc_credentials_unref(c);
}
static void test_iam_creds(void) {
grpc_credentials *creds = grpc_iam_credentials_create(
test_iam_authorization_token, test_iam_authority_selector, NULL);
static void test_google_iam_creds(void) {
grpc_credentials *creds = grpc_google_iam_credentials_create(
test_google_iam_authorization_token, test_google_iam_authority_selector,
NULL);
GPR_ASSERT(grpc_credentials_has_request_metadata(creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(creds));
grpc_credentials_get_request_metadata(creds, NULL, test_service_url,
check_iam_metadata, creds);
check_google_iam_metadata, creds);
}
static void check_access_token_metadata(void *user_data,
@ -406,21 +410,23 @@ void test_ssl_fake_transport_security_composite_creds_failure(void) {
grpc_credentials_unref(fake_transport_security_creds);
}
static void check_ssl_oauth2_iam_composite_metadata(
static void check_ssl_oauth2_google_iam_composite_metadata(
void *user_data, grpc_credentials_md *md_elems, size_t num_md,
grpc_credentials_status status) {
grpc_credentials *c = (grpc_credentials *)user_data;
expected_md emd[] = {
{GRPC_AUTHORIZATION_METADATA_KEY, test_oauth2_bearer_token},
{GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY, test_iam_authorization_token},
{GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY, test_iam_authority_selector}};
{GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY,
test_google_iam_authorization_token},
{GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY,
test_google_iam_authority_selector}};
GPR_ASSERT(status == GRPC_CREDENTIALS_OK);
GPR_ASSERT(num_md == 3);
check_metadata(emd, md_elems, num_md);
grpc_credentials_unref(c);
}
static void test_ssl_oauth2_iam_composite_creds(void) {
static void test_ssl_oauth2_google_iam_composite_creds(void) {
grpc_credentials *ssl_creds =
grpc_ssl_credentials_create(test_root_cert, NULL, NULL);
const grpc_credentials_array *creds_array;
@ -428,14 +434,15 @@ static void test_ssl_oauth2_iam_composite_creds(void) {
"Authorization", test_oauth2_bearer_token, 0);
grpc_credentials *aux_creds =
grpc_composite_credentials_create(ssl_creds, oauth2_creds, NULL);
grpc_credentials *iam_creds = grpc_iam_credentials_create(
test_iam_authorization_token, test_iam_authority_selector, NULL);
grpc_credentials *google_iam_creds = grpc_google_iam_credentials_create(
test_google_iam_authorization_token, test_google_iam_authority_selector,
NULL);
grpc_credentials *composite_creds =
grpc_composite_credentials_create(aux_creds, iam_creds, NULL);
grpc_composite_credentials_create(aux_creds, google_iam_creds, NULL);
grpc_credentials_unref(ssl_creds);
grpc_credentials_unref(oauth2_creds);
grpc_credentials_unref(aux_creds);
grpc_credentials_unref(iam_creds);
grpc_credentials_unref(google_iam_creds);
GPR_ASSERT(strcmp(composite_creds->type, GRPC_CREDENTIALS_TYPE_COMPOSITE) ==
0);
GPR_ASSERT(grpc_credentials_has_request_metadata(composite_creds));
@ -448,9 +455,9 @@ static void test_ssl_oauth2_iam_composite_creds(void) {
GRPC_CREDENTIALS_TYPE_OAUTH2) == 0);
GPR_ASSERT(strcmp(creds_array->creds_array[2]->type,
GRPC_CREDENTIALS_TYPE_IAM) == 0);
grpc_credentials_get_request_metadata(composite_creds, NULL, test_service_url,
check_ssl_oauth2_iam_composite_metadata,
composite_creds);
grpc_credentials_get_request_metadata(
composite_creds, NULL, test_service_url,
check_ssl_oauth2_google_iam_composite_metadata, composite_creds);
}
static void on_oauth2_creds_get_metadata_success(
@ -524,7 +531,7 @@ static int httpcli_get_should_not_be_called(
static void test_compute_engine_creds_success(void) {
grpc_credentials *compute_engine_creds =
grpc_compute_engine_credentials_create(NULL);
grpc_google_compute_engine_credentials_create(NULL);
GPR_ASSERT(grpc_credentials_has_request_metadata(compute_engine_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(compute_engine_creds));
@ -548,7 +555,7 @@ static void test_compute_engine_creds_success(void) {
static void test_compute_engine_creds_failure(void) {
grpc_credentials *compute_engine_creds =
grpc_compute_engine_credentials_create(NULL);
grpc_google_compute_engine_credentials_create(NULL);
grpc_httpcli_set_override(compute_engine_httpcli_get_failure_override,
httpcli_post_should_not_be_called);
GPR_ASSERT(grpc_credentials_has_request_metadata(compute_engine_creds));
@ -605,7 +612,8 @@ static int refresh_token_httpcli_post_failure(
static void test_refresh_token_creds_success(void) {
grpc_credentials *refresh_token_creds =
grpc_refresh_token_credentials_create(test_refresh_token_str, NULL);
grpc_google_refresh_token_credentials_create(test_refresh_token_str,
NULL);
GPR_ASSERT(grpc_credentials_has_request_metadata(refresh_token_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(refresh_token_creds));
@ -629,7 +637,8 @@ static void test_refresh_token_creds_success(void) {
static void test_refresh_token_creds_failure(void) {
grpc_credentials *refresh_token_creds =
grpc_refresh_token_credentials_create(test_refresh_token_str, NULL);
grpc_google_refresh_token_credentials_create(test_refresh_token_str,
NULL);
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
refresh_token_httpcli_post_failure);
GPR_ASSERT(grpc_credentials_has_request_metadata(refresh_token_creds));
@ -686,119 +695,6 @@ static char *encode_and_sign_jwt_should_not_be_called(
GPR_ASSERT("grpc_jwt_encode_and_sign should not be called" == NULL);
}
static void validate_service_account_http_request(
const grpc_httpcli_request *request, const char *body, size_t body_size) {
/* The content of the assertion is tested extensively in json_token_test. */
char *expected_body = NULL;
GPR_ASSERT(body != NULL);
GPR_ASSERT(body_size != 0);
gpr_asprintf(&expected_body, "%s%s", GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX,
test_signed_jwt);
GPR_ASSERT(strlen(expected_body) == body_size);
GPR_ASSERT(memcmp(expected_body, body, body_size) == 0);
gpr_free(expected_body);
GPR_ASSERT(request->handshaker == &grpc_httpcli_ssl);
GPR_ASSERT(strcmp(request->host, GRPC_GOOGLE_OAUTH2_SERVICE_HOST) == 0);
GPR_ASSERT(strcmp(request->path, GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH) == 0);
GPR_ASSERT(request->hdr_count == 1);
GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0);
GPR_ASSERT(
strcmp(request->hdrs[0].value, "application/x-www-form-urlencoded") == 0);
}
static int service_account_httpcli_post_success(
const grpc_httpcli_request *request, const char *body, size_t body_size,
gpr_timespec deadline, grpc_httpcli_response_cb on_response,
void *user_data) {
grpc_httpcli_response response =
http_response(200, valid_oauth2_json_response);
validate_service_account_http_request(request, body, body_size);
on_response(user_data, &response);
return 1;
}
static int service_account_httpcli_post_failure(
const grpc_httpcli_request *request, const char *body, size_t body_size,
gpr_timespec deadline, grpc_httpcli_response_cb on_response,
void *user_data) {
grpc_httpcli_response response = http_response(403, "Not Authorized.");
validate_service_account_http_request(request, body, body_size);
on_response(user_data, &response);
return 1;
}
static void test_service_account_creds_success(void) {
char *json_key_string = test_json_key_str();
grpc_credentials *service_account_creds =
grpc_service_account_credentials_create(json_key_string, test_scope,
grpc_max_auth_token_lifetime, NULL);
GPR_ASSERT(grpc_credentials_has_request_metadata(service_account_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(service_account_creds));
/* First request: http get should be called. */
grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success);
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
service_account_httpcli_post_success);
grpc_credentials_get_request_metadata(
service_account_creds, NULL, test_service_url,
on_oauth2_creds_get_metadata_success, (void *)test_user_data);
/* Second request: the cached token should be served directly. */
grpc_jwt_encode_and_sign_set_override(
encode_and_sign_jwt_should_not_be_called);
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
httpcli_post_should_not_be_called);
grpc_credentials_get_request_metadata(
service_account_creds, NULL, test_service_url,
on_oauth2_creds_get_metadata_success, (void *)test_user_data);
gpr_free(json_key_string);
grpc_credentials_unref(service_account_creds);
grpc_jwt_encode_and_sign_set_override(NULL);
grpc_httpcli_set_override(NULL, NULL);
}
static void test_service_account_creds_http_failure(void) {
char *json_key_string = test_json_key_str();
grpc_credentials *service_account_creds =
grpc_service_account_credentials_create(
json_key_string, test_scope, grpc_max_auth_token_lifetime, NULL);
GPR_ASSERT(grpc_credentials_has_request_metadata(service_account_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(service_account_creds));
grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success);
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
service_account_httpcli_post_failure);
grpc_credentials_get_request_metadata(
service_account_creds, NULL, test_service_url,
on_oauth2_creds_get_metadata_failure, (void *)test_user_data);
gpr_free(json_key_string);
grpc_credentials_unref(service_account_creds);
grpc_httpcli_set_override(NULL, NULL);
}
static void test_service_account_creds_signing_failure(void) {
char *json_key_string = test_json_key_str();
grpc_credentials *service_account_creds =
grpc_service_account_credentials_create(
json_key_string, test_scope, grpc_max_auth_token_lifetime, NULL);
GPR_ASSERT(grpc_credentials_has_request_metadata(service_account_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(service_account_creds));
grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_failure);
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
httpcli_post_should_not_be_called);
grpc_credentials_get_request_metadata(
service_account_creds, NULL, test_service_url,
on_oauth2_creds_get_metadata_failure, (void *)test_user_data);
gpr_free(json_key_string);
grpc_credentials_unref(service_account_creds);
grpc_httpcli_set_override(NULL, NULL);
grpc_jwt_encode_and_sign_set_override(NULL);
}
static void on_jwt_creds_get_metadata_success(void *user_data,
grpc_credentials_md *md_elems,
size_t num_md,
@ -922,14 +818,14 @@ static void test_google_default_creds_auth_key(void) {
}
static void test_google_default_creds_access_token(void) {
grpc_refresh_token_credentials *refresh;
grpc_google_refresh_token_credentials *refresh;
grpc_credentials *creds;
grpc_flush_cached_google_default_credentials();
set_google_default_creds_env_var_with_file_contents(
"refresh_token_google_default_creds", test_refresh_token_str);
creds = grpc_google_default_credentials_create();
GPR_ASSERT(creds != NULL);
refresh = (grpc_refresh_token_credentials *)composite_inner_creds(
refresh = (grpc_google_refresh_token_credentials *)composite_inner_creds(
creds, GRPC_CREDENTIALS_TYPE_OAUTH2);
GPR_ASSERT(strcmp(refresh->refresh_token.client_id,
"32555999999.apps.googleusercontent.com") == 0);
@ -952,17 +848,14 @@ int main(int argc, char **argv) {
test_oauth2_token_fetcher_creds_parsing_missing_token();
test_oauth2_token_fetcher_creds_parsing_missing_token_type();
test_oauth2_token_fetcher_creds_parsing_missing_token_lifetime();
test_iam_creds();
test_google_iam_creds();
test_access_token_creds();
test_ssl_oauth2_composite_creds();
test_ssl_oauth2_iam_composite_creds();
test_ssl_oauth2_google_iam_composite_creds();
test_compute_engine_creds_success();
test_compute_engine_creds_failure();
test_refresh_token_creds_success();
test_refresh_token_creds_failure();
test_service_account_creds_success();
test_service_account_creds_http_failure();
test_service_account_creds_signing_failure();
test_jwt_creds_success();
test_jwt_creds_signing_failure();
test_google_default_creds_auth_key();

@ -46,19 +46,6 @@
#include "src/core/support/file.h"
#include "test/core/security/oauth2_utils.h"
static grpc_credentials *create_service_account_creds(
const char *json_key_file_path, const char *scope) {
int success;
gpr_slice json_key = gpr_load_file(json_key_file_path, 1, &success);
if (!success) {
gpr_log(GPR_ERROR, "Could not read file %s.", json_key_file_path);
exit(1);
}
return grpc_service_account_credentials_create(
(const char *)GPR_SLICE_START_PTR(json_key), scope,
grpc_max_auth_token_lifetime, NULL);
}
static grpc_credentials *create_refresh_token_creds(
const char *json_refresh_token_file_path) {
int success;
@ -68,7 +55,7 @@ static grpc_credentials *create_refresh_token_creds(
gpr_log(GPR_ERROR, "Could not read file %s.", json_refresh_token_file_path);
exit(1);
}
return grpc_refresh_token_credentials_create(
return grpc_google_refresh_token_credentials_create(
(const char *)GPR_SLICE_START_PTR(refresh_token), NULL);
}
@ -80,18 +67,9 @@ int main(int argc, char **argv) {
int use_gce = 0;
char *scope = NULL;
gpr_cmdline *cl = gpr_cmdline_create("fetch_oauth2");
gpr_cmdline_add_string(cl, "json_key",
"File path of the json key. Mutually exclusive with "
"--json_refresh_token.",
&json_key_file_path);
gpr_cmdline_add_string(cl, "json_refresh_token",
"File path of the json refresh token. Mutually "
"exclusive with --json_key.",
"File path of the json refresh token.",
&json_refresh_token_file_path);
gpr_cmdline_add_string(cl, "scope",
"Space delimited permissions. Only used for "
"--json_key, ignored otherwise.",
&scope);
gpr_cmdline_add_flag(
cl, "gce",
"Get a token from the GCE metadata server (only works in GCE).",
@ -112,7 +90,7 @@ int main(int argc, char **argv) {
"Ignoring json key and scope to get a token from the GCE "
"metadata server.");
}
creds = grpc_compute_engine_credentials_create(NULL);
creds = grpc_google_compute_engine_credentials_create(NULL);
if (creds == NULL) {
gpr_log(GPR_ERROR, "Could not create gce credentials.");
exit(1);
@ -127,24 +105,9 @@ int main(int argc, char **argv) {
exit(1);
}
} else {
if (json_key_file_path == NULL) {
gpr_log(GPR_ERROR, "Missing --json_key option.");
exit(1);
}
if (scope == NULL) {
gpr_log(GPR_ERROR, "Missing --scope option.");
gpr_log(GPR_ERROR, "Missing --gce or --json_refresh_token option.");
exit(1);
}
creds = create_service_account_creds(json_key_file_path, scope);
if (creds == NULL) {
gpr_log(GPR_ERROR,
"Could not create service account creds. %s does probably not "
"contain a valid json key.",
json_key_file_path);
exit(1);
}
}
GPR_ASSERT(creds != NULL);
token = grpc_test_fetch_oauth2_token_with_credentials(creds);

@ -45,8 +45,8 @@ class CredentialsTest : public ::testing::Test {
protected:
};
TEST_F(CredentialsTest, InvalidServiceAccountCreds) {
std::shared_ptr<Credentials> bad1 = ServiceAccountCredentials("", "", 1);
TEST_F(CredentialsTest, InvalidGoogleRefreshToken) {
std::shared_ptr<Credentials> bad1 = GoogleRefreshTokenCredentials("");
EXPECT_EQ(static_cast<Credentials*>(nullptr), bad1.get());
}

@ -561,7 +561,7 @@ TEST_F(End2endTest, DiffPackageServices) {
// rpc and stream should fail on bad credentials.
TEST_F(End2endTest, BadCredentials) {
std::shared_ptr<Credentials> bad_creds = ServiceAccountCredentials("", "", 1);
std::shared_ptr<Credentials> bad_creds = GoogleRefreshTokenCredentials("");
EXPECT_EQ(static_cast<Credentials*>(nullptr), bad_creds.get());
std::shared_ptr<Channel> channel =
CreateChannel(server_address_.str(), bad_creds, ChannelArguments());
@ -741,7 +741,7 @@ TEST_F(End2endTest, SetPerCallCredentials) {
EchoResponse response;
ClientContext context;
std::shared_ptr<Credentials> creds =
IAMCredentials("fake_token", "fake_selector");
GoogleIAMCredentials("fake_token", "fake_selector");
context.set_credentials(creds);
request.set_message("Hello");
request.mutable_param()->set_echo_metadata(true);
@ -778,10 +778,10 @@ TEST_F(End2endTest, OverridePerCallCredentials) {
EchoResponse response;
ClientContext context;
std::shared_ptr<Credentials> creds1 =
IAMCredentials("fake_token1", "fake_selector1");
GoogleIAMCredentials("fake_token1", "fake_selector1");
context.set_credentials(creds1);
std::shared_ptr<Credentials> creds2 =
IAMCredentials("fake_token2", "fake_selector2");
GoogleIAMCredentials("fake_token2", "fake_selector2");
context.set_credentials(creds2);
request.set_message("Hello");
request.mutable_param()->set_echo_metadata(true);

@ -64,16 +64,6 @@ DECLARE_string(oauth_scope);
namespace grpc {
namespace testing {
namespace {
std::shared_ptr<Credentials> CreateServiceAccountCredentials() {
GPR_ASSERT(FLAGS_enable_ssl);
grpc::string json_key = GetServiceAccountJsonKey();
std::chrono::seconds token_lifetime = std::chrono::hours(1);
return ServiceAccountCredentials(json_key, FLAGS_oauth_scope,
token_lifetime.count());
}
} // namespace
grpc::string GetServiceAccountJsonKey() {
static grpc::string json_key;
if (json_key.empty()) {
@ -86,7 +76,7 @@ grpc::string GetServiceAccountJsonKey() {
}
grpc::string GetOauth2AccessToken() {
std::shared_ptr<Credentials> creds = CreateServiceAccountCredentials();
std::shared_ptr<Credentials> creds = GoogleComputeEngineCredentials();
SecureCredentials* secure_creds =
dynamic_cast<SecureCredentials*>(creds.get());
GPR_ASSERT(secure_creds != nullptr);
@ -107,14 +97,10 @@ std::shared_ptr<Channel> CreateChannelForTestCase(
snprintf(host_port, host_port_buf_size, "%s:%d", FLAGS_server_host.c_str(),
FLAGS_server_port);
if (test_case == "service_account_creds") {
std::shared_ptr<Credentials> creds = CreateServiceAccountCredentials();
return CreateTestChannel(host_port, FLAGS_server_host_override,
FLAGS_enable_ssl, FLAGS_use_prod_roots, creds);
} else if (test_case == "compute_engine_creds") {
if (test_case == "compute_engine_creds") {
std::shared_ptr<Credentials> creds;
GPR_ASSERT(FLAGS_enable_ssl);
creds = ComputeEngineCredentials();
creds = GoogleComputeEngineCredentials();
return CreateTestChannel(host_port, FLAGS_server_host_override,
FLAGS_enable_ssl, FLAGS_use_prod_roots, creds);
} else if (test_case == "jwt_token_creds") {

Loading…
Cancel
Save