diff --git a/include/grpc++/channel.h b/include/grpc++/channel.h index 60c816d58ac..d6d72a9cf98 100644 --- a/include/grpc++/channel.h +++ b/include/grpc++/channel.h @@ -47,8 +47,8 @@ namespace grpc { class CallOpSetInterface; class ChannelArguments; class CompletionQueue; -class Credentials; -class SecureCredentials; +class ChannelCredentials; +class SecureChannelCredentials; template class ClientReader; diff --git a/include/grpc++/client_context.h b/include/grpc++/client_context.h index 7046f939e5e..17b66ddbca0 100644 --- a/include/grpc++/client_context.h +++ b/include/grpc++/client_context.h @@ -69,7 +69,7 @@ namespace grpc { class Channel; class CompletionQueue; -class Credentials; +class CallCredentials; class RpcMethod; template class ClientReader; @@ -244,7 +244,7 @@ class ClientContext { /// call. /// /// \see https://github.com/grpc/grpc/blob/master/doc/grpc-auth-support.md - void set_credentials(const std::shared_ptr& creds) { + void set_credentials(const std::shared_ptr& creds) { creds_ = creds; } @@ -318,7 +318,7 @@ class ClientContext { grpc_call* call_; gpr_timespec deadline_; grpc::string authority_; - std::shared_ptr creds_; + std::shared_ptr creds_; mutable std::shared_ptr auth_context_; struct census_context* census_context_; std::multimap send_initial_metadata_; diff --git a/include/grpc++/create_channel.h b/include/grpc++/create_channel.h index 196d2927a9a..aff9c291c26 100644 --- a/include/grpc++/create_channel.h +++ b/include/grpc++/create_channel.h @@ -49,7 +49,8 @@ namespace grpc { /// an object or is invalid, a lame channel is returned. /// \param args Options for channel creation. std::shared_ptr CreateChannel( - const grpc::string& target, const std::shared_ptr& creds); + const grpc::string& target, + const std::shared_ptr& creds); /// Create a new \em custom \a Channel pointing to \a target /// @@ -61,7 +62,8 @@ std::shared_ptr CreateChannel( /// an object or is invalid, a lame channel is returned. /// \param args Options for channel creation. std::shared_ptr CreateCustomChannel( - const grpc::string& target, const std::shared_ptr& creds, + const grpc::string& target, + const std::shared_ptr& creds, const ChannelArguments& args); } // namespace grpc diff --git a/include/grpc++/security/credentials.h b/include/grpc++/security/credentials.h index ff41bc597eb..56827c0f21b 100644 --- a/include/grpc++/security/credentials.h +++ b/include/grpc++/security/credentials.h @@ -45,37 +45,60 @@ namespace grpc { class ChannelArguments; class Channel; -class SecureCredentials; - -/// A credentials object encapsulates all the state needed by a client to -/// authenticate with a server and make various assertions, e.g., about the -/// client’s identity, role, or whether it is authorized to make a particular -/// call. +class SecureChannelCredentials; +class CallCredentials; +class SecureCallCredentials; + +/// A channel credentials object encapsulates all the state needed by a client +/// to authenticate with a server for a given channel. +/// It can make various assertions, e.g., about the client’s identity, role +/// for all the calls on that channel. /// /// \see https://github.com/grpc/grpc/blob/master/doc/grpc-auth-support.md -class Credentials : public GrpcLibrary { +class ChannelCredentials : public GrpcLibrary { public: - ~Credentials() GRPC_OVERRIDE; - - /// Apply this instance's credentials to \a call. - virtual bool ApplyToCall(grpc_call* call) = 0; + ~ChannelCredentials() GRPC_OVERRIDE; protected: - friend std::shared_ptr CompositeCredentials( - const std::shared_ptr& creds1, - const std::shared_ptr& creds2); + friend std::shared_ptr CompositeChannelCredentials( + const std::shared_ptr& channel_creds, + const std::shared_ptr& call_creds); - virtual SecureCredentials* AsSecureCredentials() = 0; + virtual SecureChannelCredentials* AsSecureCredentials() = 0; private: friend std::shared_ptr CreateCustomChannel( - const grpc::string& target, const std::shared_ptr& creds, + const grpc::string& target, + const std::shared_ptr& creds, const ChannelArguments& args); virtual std::shared_ptr CreateChannel( const grpc::string& target, const ChannelArguments& args) = 0; }; +/// A call credentials object encapsulates the state needed by a client to +/// authenticate with a server for a given call on a channel. +/// +/// \see https://github.com/grpc/grpc/blob/master/doc/grpc-auth-support.md +class CallCredentials : public GrpcLibrary { + public: + ~CallCredentials() GRPC_OVERRIDE; + + /// Apply this instance's credentials to \a call. + virtual bool ApplyToCall(grpc_call* call) = 0; + + protected: + friend std::shared_ptr CompositeChannelCredentials( + const std::shared_ptr& channel_creds, + const std::shared_ptr& call_creds); + + friend std::shared_ptr CompositeCallCredentials( + const std::shared_ptr& creds1, + const std::shared_ptr& creds2); + + virtual SecureCallCredentials* AsSecureCredentials() = 0; +}; + /// Options used to build SslCredentials. struct SslCredentialsOptions { /// The buffer containing the PEM encoding of the server root certificates. If @@ -106,10 +129,10 @@ struct SslCredentialsOptions { /// Using these credentials to connect to any other service may result in this /// service being able to impersonate your client for requests to Google /// services. -std::shared_ptr GoogleDefaultCredentials(); +std::shared_ptr GoogleDefaultCredentials(); /// Builds SSL Credentials given SSL specific options -std::shared_ptr SslCredentials( +std::shared_ptr SslCredentials( const SslCredentialsOptions& options); /// Builds credentials for use when running in GCE @@ -118,14 +141,14 @@ std::shared_ptr SslCredentials( /// Using these credentials to connect to any other service may result in this /// service being able to impersonate your client for requests to Google /// services. -std::shared_ptr GoogleComputeEngineCredentials(); +std::shared_ptr GoogleComputeEngineCredentials(); /// Builds Service Account JWT Access credentials. /// json_key is the JSON key string containing the client's private key. /// token_lifetime_seconds is the lifetime in seconds of each Json Web Token /// (JWT) created with this credentials. It should not exceed /// grpc_max_auth_token_lifetime or will be cropped to this value. -std::shared_ptr ServiceAccountJWTAccessCredentials( +std::shared_ptr ServiceAccountJWTAccessCredentials( const grpc::string& json_key, long token_lifetime_seconds); /// Builds refresh token credentials. @@ -136,7 +159,7 @@ std::shared_ptr ServiceAccountJWTAccessCredentials( /// Using these credentials to connect to any other service may result in this /// service being able to impersonate your client for requests to Google /// services. -std::shared_ptr GoogleRefreshTokenCredentials( +std::shared_ptr GoogleRefreshTokenCredentials( const grpc::string& json_refresh_token); /// Builds access token credentials. @@ -147,7 +170,7 @@ std::shared_ptr GoogleRefreshTokenCredentials( /// Using these credentials to connect to any other service may result in this /// service being able to impersonate your client for requests to Google /// services. -std::shared_ptr AccessTokenCredentials( +std::shared_ptr AccessTokenCredentials( const grpc::string& access_token); /// Builds IAM credentials. @@ -156,17 +179,24 @@ std::shared_ptr AccessTokenCredentials( /// Using these credentials to connect to any other service may result in this /// service being able to impersonate your client for requests to Google /// services. -std::shared_ptr GoogleIAMCredentials( +std::shared_ptr GoogleIAMCredentials( const grpc::string& authorization_token, const grpc::string& authority_selector); -/// Combines two credentials objects into a composite credentials -std::shared_ptr CompositeCredentials( - const std::shared_ptr& creds1, - const std::shared_ptr& creds2); +/// Combines a channel credentials and a call credentials into a composite +/// channel credentials. +std::shared_ptr CompositeChannelCredentials( + const std::shared_ptr& channel_creds, + const std::shared_ptr& call_creds); + + +/// Combines two call credentials objects into a composite call credentials. +std::shared_ptr CompositeCallCredentials( + const std::shared_ptr& creds1, + const std::shared_ptr& creds2); /// Credentials for an unencrypted, unauthenticated channel -std::shared_ptr InsecureCredentials(); +std::shared_ptr InsecureChannelCredentials(); // User defined metadata credentials. class MetadataCredentialsPlugin { @@ -183,7 +213,7 @@ class MetadataCredentialsPlugin { std::multimap* metadata) = 0; }; -std::shared_ptr MetadataCredentialsFromPlugin( +std::shared_ptr MetadataCredentialsFromPlugin( std::unique_ptr plugin); } // namespace grpc diff --git a/include/grpc++/support/channel_arguments.h b/include/grpc++/support/channel_arguments.h index 9957712a965..e9d510e96a5 100644 --- a/include/grpc++/support/channel_arguments.h +++ b/include/grpc++/support/channel_arguments.h @@ -83,7 +83,7 @@ class ChannelArguments { void SetString(const grpc::string& key, const grpc::string& value); private: - friend class SecureCredentials; + friend class SecureChannelCredentials; friend class testing::ChannelArgumentsTest; // Returns empty string when it is not set. diff --git a/src/cpp/client/create_channel.cc b/src/cpp/client/create_channel.cc index d2b2d30126c..3bbca807d37 100644 --- a/src/cpp/client/create_channel.cc +++ b/src/cpp/client/create_channel.cc @@ -44,12 +44,14 @@ namespace grpc { class ChannelArguments; std::shared_ptr CreateChannel( - const grpc::string& target, const std::shared_ptr& creds) { + const grpc::string& target, + const std::shared_ptr& creds) { return CreateCustomChannel(target, creds, ChannelArguments()); } std::shared_ptr CreateCustomChannel( - const grpc::string& target, const std::shared_ptr& creds, + const grpc::string& target, + const std::shared_ptr& creds, const ChannelArguments& args) { GrpcLibrary init_lib; // We need to call init in case of a bad creds. ChannelArguments cp_args = args; diff --git a/src/cpp/client/credentials.cc b/src/cpp/client/credentials.cc index 7a8149e9c7a..0c08db11a9c 100644 --- a/src/cpp/client/credentials.cc +++ b/src/cpp/client/credentials.cc @@ -35,6 +35,8 @@ namespace grpc { -Credentials::~Credentials() {} +ChannelCredentials::~ChannelCredentials() {} + +CallCredentials::~CallCredentials() {} } // namespace grpc diff --git a/src/cpp/client/insecure_credentials.cc b/src/cpp/client/insecure_credentials.cc index c476f3ce95b..563fa9267d0 100644 --- a/src/cpp/client/insecure_credentials.cc +++ b/src/cpp/client/insecure_credentials.cc @@ -43,7 +43,7 @@ namespace grpc { namespace { -class InsecureCredentialsImpl GRPC_FINAL : public Credentials { +class InsecureChannelCredentialsImpl GRPC_FINAL : public ChannelCredentials { public: std::shared_ptr CreateChannel( const string& target, const grpc::ChannelArguments& args) GRPC_OVERRIDE { @@ -54,15 +54,13 @@ class InsecureCredentialsImpl GRPC_FINAL : public Credentials { grpc_insecure_channel_create(target.c_str(), &channel_args, nullptr)); } - // InsecureCredentials should not be applied to a call. - bool ApplyToCall(grpc_call* call) GRPC_OVERRIDE { return false; } - - SecureCredentials* AsSecureCredentials() GRPC_OVERRIDE { return nullptr; } + SecureChannelCredentials* AsSecureCredentials() GRPC_OVERRIDE { return nullptr; } }; } // namespace -std::shared_ptr InsecureCredentials() { - return std::shared_ptr(new InsecureCredentialsImpl()); +std::shared_ptr InsecureChannelCredentials() { + return std::shared_ptr( + new InsecureChannelCredentialsImpl()); } } // namespace grpc diff --git a/src/cpp/client/secure_credentials.cc b/src/cpp/client/secure_credentials.cc index 8299ebeb8a2..a1b9a3018e8 100644 --- a/src/cpp/client/secure_credentials.cc +++ b/src/cpp/client/secure_credentials.cc @@ -40,7 +40,7 @@ namespace grpc { -std::shared_ptr SecureCredentials::CreateChannel( +std::shared_ptr SecureChannelCredentials::CreateChannel( const string& target, const grpc::ChannelArguments& args) { grpc_channel_args channel_args; args.SetChannelArgs(&channel_args); @@ -50,96 +50,104 @@ std::shared_ptr SecureCredentials::CreateChannel( nullptr)); } -bool SecureCredentials::ApplyToCall(grpc_call* call) { +bool SecureCallCredentials::ApplyToCall(grpc_call* call) { return grpc_call_set_credentials(call, c_creds_) == GRPC_CALL_OK; } namespace { -std::shared_ptr WrapCredentials(grpc_credentials* creds) { - return creds == nullptr - ? nullptr - : std::shared_ptr(new SecureCredentials(creds)); +std::shared_ptr WrapChannelCredentials( + grpc_channel_credentials* creds) { + return creds == nullptr ? nullptr : std::shared_ptr( + new SecureChannelCredentials(creds)); +} + +std::shared_ptr WrapCallCredentials( + grpc_call_credentials* creds) { + return creds == nullptr ? nullptr : std::shared_ptr( + new SecureCallCredentials(creds)); } } // namespace -std::shared_ptr GoogleDefaultCredentials() { +std::shared_ptr GoogleDefaultCredentials() { GrpcLibrary init; // To call grpc_init(). - return WrapCredentials(grpc_google_default_credentials_create()); + return WrapChannelCredentials(grpc_google_default_credentials_create()); } // Builds SSL Credentials given SSL specific options -std::shared_ptr SslCredentials( +std::shared_ptr SslCredentials( const SslCredentialsOptions& options) { GrpcLibrary init; // To call grpc_init(). grpc_ssl_pem_key_cert_pair pem_key_cert_pair = { options.pem_private_key.c_str(), options.pem_cert_chain.c_str()}; - grpc_credentials* c_creds = grpc_ssl_credentials_create( + grpc_channel_credentials* c_creds = grpc_ssl_credentials_create( options.pem_root_certs.empty() ? nullptr : options.pem_root_certs.c_str(), options.pem_private_key.empty() ? nullptr : &pem_key_cert_pair, nullptr); - return WrapCredentials(c_creds); + return WrapChannelCredentials(c_creds); } // Builds credentials for use when running in GCE -std::shared_ptr GoogleComputeEngineCredentials() { +std::shared_ptr GoogleComputeEngineCredentials() { GrpcLibrary init; // To call grpc_init(). - return WrapCredentials( + return WrapCallCredentials( grpc_google_compute_engine_credentials_create(nullptr)); } // Builds JWT credentials. -std::shared_ptr ServiceAccountJWTAccessCredentials( +std::shared_ptr ServiceAccountJWTAccessCredentials( const grpc::string& json_key, long token_lifetime_seconds) { GrpcLibrary init; // To call grpc_init(). if (token_lifetime_seconds <= 0) { gpr_log(GPR_ERROR, "Trying to create JWTCredentials with non-positive lifetime"); - return WrapCredentials(nullptr); + return WrapCallCredentials(nullptr); } gpr_timespec lifetime = gpr_time_from_seconds(token_lifetime_seconds, GPR_TIMESPAN); - return WrapCredentials(grpc_service_account_jwt_access_credentials_create( + return WrapCallCredentials(grpc_service_account_jwt_access_credentials_create( json_key.c_str(), lifetime, nullptr)); } // Builds refresh token credentials. -std::shared_ptr GoogleRefreshTokenCredentials( +std::shared_ptr GoogleRefreshTokenCredentials( const grpc::string& json_refresh_token) { GrpcLibrary init; // To call grpc_init(). - return WrapCredentials(grpc_google_refresh_token_credentials_create( + return WrapCallCredentials(grpc_google_refresh_token_credentials_create( json_refresh_token.c_str(), nullptr)); } // Builds access token credentials. -std::shared_ptr AccessTokenCredentials( +std::shared_ptr AccessTokenCredentials( const grpc::string& access_token) { GrpcLibrary init; // To call grpc_init(). - return WrapCredentials( + return WrapCallCredentials( grpc_access_token_credentials_create(access_token.c_str(), nullptr)); } // Builds IAM credentials. -std::shared_ptr GoogleIAMCredentials( +std::shared_ptr GoogleIAMCredentials( const grpc::string& authorization_token, const grpc::string& authority_selector) { GrpcLibrary init; // To call grpc_init(). - return WrapCredentials(grpc_google_iam_credentials_create( + return WrapCallCredentials(grpc_google_iam_credentials_create( authorization_token.c_str(), authority_selector.c_str(), nullptr)); } -// Combines two credentials objects into a composite credentials. -std::shared_ptr CompositeCredentials( - const std::shared_ptr& creds1, - const std::shared_ptr& creds2) { - // Note that we are not saving shared_ptrs to the two credentials - // passed in here. This is OK because the underlying C objects (i.e., - // creds1 and creds2) into grpc_composite_credentials_create will see their - // refcounts incremented. - SecureCredentials* s1 = creds1->AsSecureCredentials(); - SecureCredentials* s2 = creds2->AsSecureCredentials(); - if (s1 && s2) { - return WrapCredentials(grpc_composite_credentials_create( - s1->GetRawCreds(), s2->GetRawCreds(), nullptr)); +// Combines one channel credentials and one call credentials into a channel +// composite credentials. +std::shared_ptr CompositeChannelCredentials( + const std::shared_ptr& channel_creds, + const std::shared_ptr& call_creds) { + // Note that we are not saving shared_ptrs to the two credentials passed in + // here. This is OK because the underlying C objects (i.e., channel_creds and + // call_creds) into grpc_composite_credentials_create will see their refcounts + // incremented. + SecureChannelCredentials* s_channel_creds = + channel_creds->AsSecureCredentials(); + SecureCallCredentials* s_call_creds = call_creds->AsSecureCredentials(); + if (s_channel_creds && s_call_creds) { + return WrapChannelCredentials(grpc_composite_channel_credentials_create( + s_channel_creds->GetRawCreds(), s_call_creds->GetRawCreds(), nullptr)); } return nullptr; } @@ -193,7 +201,7 @@ MetadataCredentialsPluginWrapper::MetadataCredentialsPluginWrapper( std::unique_ptr plugin) : thread_pool_(CreateDefaultThreadPool()), plugin_(std::move(plugin)) {} -std::shared_ptr MetadataCredentialsFromPlugin( +std::shared_ptr MetadataCredentialsFromPlugin( std::unique_ptr plugin) { GrpcLibrary init; // To call grpc_init(). MetadataCredentialsPluginWrapper* wrapper = @@ -201,7 +209,7 @@ std::shared_ptr MetadataCredentialsFromPlugin( grpc_metadata_credentials_plugin c_plugin = { MetadataCredentialsPluginWrapper::GetMetadata, MetadataCredentialsPluginWrapper::Destroy, wrapper}; - return WrapCredentials( + return WrapCallCredentials( grpc_metadata_credentials_create_from_plugin(c_plugin, nullptr)); } diff --git a/src/cpp/client/secure_credentials.h b/src/cpp/client/secure_credentials.h index d354827725a..b241761a7c4 100644 --- a/src/cpp/client/secure_credentials.h +++ b/src/cpp/client/secure_credentials.h @@ -43,21 +43,40 @@ namespace grpc { -class SecureCredentials GRPC_FINAL : public Credentials { +class SecureChannelCredentials GRPC_FINAL : public ChannelCredentials { public: - explicit SecureCredentials(grpc_credentials* c_creds) : c_creds_(c_creds) {} - ~SecureCredentials() GRPC_OVERRIDE { grpc_credentials_release(c_creds_); } - grpc_credentials* GetRawCreds() { return c_creds_; } - bool ApplyToCall(grpc_call* call) GRPC_OVERRIDE; + explicit SecureChannelCredentials(grpc_channel_credentials* c_creds) + : c_creds_(c_creds) {} + ~SecureChannelCredentials() GRPC_OVERRIDE { + grpc_channel_credentials_release(c_creds_); + } + grpc_channel_credentials* GetRawCreds() { return c_creds_; } std::shared_ptr CreateChannel( const string& target, const grpc::ChannelArguments& args) GRPC_OVERRIDE; - SecureCredentials* AsSecureCredentials() GRPC_OVERRIDE { return this; } + SecureChannelCredentials* AsSecureCredentials() GRPC_OVERRIDE { return this; } private: - grpc_credentials* const c_creds_; + grpc_channel_credentials* const c_creds_; }; +class SecureCallCredentials GRPC_FINAL : public CallCredentials { + public: + explicit SecureCallCredentials(grpc_call_credentials* c_creds) + : c_creds_(c_creds) {} + ~SecureCallCredentials() GRPC_OVERRIDE { + grpc_call_credentials_release(c_creds_); + } + grpc_call_credentials* GetRawCreds() { return c_creds_; } + + bool ApplyToCall(grpc_call* call) GRPC_OVERRIDE; + SecureCallCredentials* AsSecureCredentials() GRPC_OVERRIDE { return this; } + + private: + grpc_call_credentials* const c_creds_; +}; + + class MetadataCredentialsPluginWrapper GRPC_FINAL { public: static void Destroy(void* wrapper);