Chiebot-Mirror
/
grpc
mirror of https://github.com/grpc/grpc.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #21256 from markdroth/json_new_api_security

Browse Source 
Convert security code to use new JSON API
reviewable/pr21846/r1
Mark D. Roth 5 years ago committed by GitHub
parent 42433a18c2 f961942266
commit 568f490aef
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 381 additions and 461 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 18
      src/core/lib/security/credentials/google_default/google_default_credentials.cc
  2. 82
      src/core/lib/security/credentials/jwt/json_token.cc
  3. 3
      src/core/lib/security/credentials/jwt/json_token.h
  4. 26
      src/core/lib/security/credentials/jwt/jwt_credentials.cc
  5. 308
      src/core/lib/security/credentials/jwt/jwt_verifier.cc
  6. 5
      src/core/lib/security/credentials/jwt/jwt_verifier.h
  7. 71
      src/core/lib/security/credentials/oauth2/oauth2_credentials.cc
  8. 2
      src/core/lib/security/credentials/oauth2/oauth2_credentials.h
  9. 37
      src/core/lib/security/util/json_util.cc
  10. 4
      src/core/lib/security/util/json_util.h
  11. 36
      src/cpp/client/secure_credentials.cc
  12. 173
      test/core/security/json_token_test.cc
  13. 70
      test/core/security/jwt_verifier_test.cc
  14. 7
      test/core/security/verify_jwt.cc

18
src/core/lib/security/credentials/google_default/google_default_credentials.cc
Unescape View File

@ -44,6 +44,8 @@
#include "src/core/lib/slice/slice_string_helpers.h" #include "src/core/lib/slice/slice_string_helpers.h"
#include "src/core/lib/surface/api_trace.h" #include "src/core/lib/surface/api_trace.h"
using grpc_core::Json;
/* -- Constants. -- */ /* -- Constants. -- */
#define GRPC_COMPUTE_ENGINE_DETECTION_HOST "metadata.google.internal." #define GRPC_COMPUTE_ENGINE_DETECTION_HOST "metadata.google.internal."
@ -216,24 +218,25 @@ static int is_metadata_server_reachable() {
/* Takes ownership of creds_path if not NULL. */ /* Takes ownership of creds_path if not NULL. */
static grpc_error* create_default_creds_from_path( static grpc_error* create_default_creds_from_path(
char* creds_path, grpc_core::RefCountedPtr<grpc_call_credentials>* creds) { char* creds_path, grpc_core::RefCountedPtr<grpc_call_credentials>* creds) {
grpc_json* json = nullptr;
grpc_auth_json_key key; grpc_auth_json_key key;
grpc_auth_refresh_token token; grpc_auth_refresh_token token;
grpc_core::RefCountedPtr<grpc_call_credentials> result; grpc_core::RefCountedPtr<grpc_call_credentials> result;
grpc_slice creds_data = grpc_empty_slice(); grpc_slice creds_data = grpc_empty_slice();
grpc_error* error = GRPC_ERROR_NONE; grpc_error* error = GRPC_ERROR_NONE;
Json json;
grpc_core::StringView str;
if (creds_path == nullptr) { if (creds_path == nullptr) {
error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("creds_path unset"); error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("creds_path unset");
goto end; goto end;
} }
error = grpc_load_file(creds_path, 0, &creds_data); error = grpc_load_file(creds_path, 0, &creds_data);
if (error != GRPC_ERROR_NONE) { if (error != GRPC_ERROR_NONE) goto end;
goto end; str = grpc_core::StringView(
} reinterpret_cast<char*>(GRPC_SLICE_START_PTR(creds_data)),
json = grpc_json_parse_string_with_len(
reinterpret_cast<char*> GRPC_SLICE_START_PTR(creds_data),
GRPC_SLICE_LENGTH(creds_data)); GRPC_SLICE_LENGTH(creds_data));
if (json == nullptr) { json = Json::Parse(str, &error);
if (error != GRPC_ERROR_NONE) goto end;
if (json.type() != Json::Type::OBJECT) {
error = grpc_error_set_str( error = grpc_error_set_str(
GRPC_ERROR_CREATE_FROM_STATIC_STRING("Failed to parse JSON"), GRPC_ERROR_CREATE_FROM_STATIC_STRING("Failed to parse JSON"),
GRPC_ERROR_STR_RAW_BYTES, grpc_slice_ref_internal(creds_data)); GRPC_ERROR_STR_RAW_BYTES, grpc_slice_ref_internal(creds_data));
@ -271,7 +274,6 @@ end:
GPR_ASSERT((result == nullptr) + (error == GRPC_ERROR_NONE) == 1); GPR_ASSERT((result == nullptr) + (error == GRPC_ERROR_NONE) == 1);
if (creds_path != nullptr) gpr_free(creds_path); if (creds_path != nullptr) gpr_free(creds_path);
grpc_slice_unref_internal(creds_data); grpc_slice_unref_internal(creds_data);
grpc_json_destroy(json);
*creds = result; *creds = result;
return error; return error;
} }

82
src/core/lib/security/credentials/jwt/json_token.cc
Unescape View File

@ -39,6 +39,8 @@ extern "C" {
#include <openssl/pem.h> #include <openssl/pem.h>
} }
using grpc_core::Json;
/* --- Constants. --- */ /* --- Constants. --- */
/* 1 hour max. */ /* 1 hour max. */
@ -65,7 +67,7 @@ int grpc_auth_json_key_is_valid(const grpc_auth_json_key* json_key) {
strcmp(json_key->type, GRPC_AUTH_JSON_TYPE_INVALID); strcmp(json_key->type, GRPC_AUTH_JSON_TYPE_INVALID);
} }
grpc_auth_json_key grpc_auth_json_key_create_from_json(const grpc_json* json) { grpc_auth_json_key grpc_auth_json_key_create_from_json(const Json& json) {
grpc_auth_json_key result; grpc_auth_json_key result;
BIO* bio = nullptr; BIO* bio = nullptr;
const char* prop_value; const char* prop_value;
@ -74,7 +76,7 @@ grpc_auth_json_key grpc_auth_json_key_create_from_json(const grpc_json* json) {
memset(&result, 0, sizeof(grpc_auth_json_key)); memset(&result, 0, sizeof(grpc_auth_json_key));
result.type = GRPC_AUTH_JSON_TYPE_INVALID; result.type = GRPC_AUTH_JSON_TYPE_INVALID;
if (json == nullptr) { if (json.type() == Json::Type::JSON_NULL) {
gpr_log(GPR_ERROR, "Invalid json."); gpr_log(GPR_ERROR, "Invalid json.");
goto end; goto end;
} }
@ -122,12 +124,10 @@ end:
grpc_auth_json_key grpc_auth_json_key_create_from_string( grpc_auth_json_key grpc_auth_json_key_create_from_string(
const char* json_string) { const char* json_string) {
char* scratchpad = gpr_strdup(json_string); grpc_error* error = GRPC_ERROR_NONE;
grpc_json* json = grpc_json_parse_string(scratchpad); Json json = Json::Parse(json_string, &error);
grpc_auth_json_key result = grpc_auth_json_key_create_from_json(json); GRPC_LOG_IF_ERROR("JSON key parsing", error);
grpc_json_destroy(json); return grpc_auth_json_key_create_from_json(std::move(json));
gpr_free(scratchpad);
return result;
} }
void grpc_auth_json_key_destruct(grpc_auth_json_key* json_key) { void grpc_auth_json_key_destruct(grpc_auth_json_key* json_key) {
@ -153,72 +153,42 @@ void grpc_auth_json_key_destruct(grpc_auth_json_key* json_key) {
/* --- jwt encoding and signature. --- */ /* --- jwt encoding and signature. --- */
static grpc_json* create_child(grpc_json* brother, grpc_json* parent,
const char* key, const char* value,
grpc_json_type type) {
grpc_json* child = grpc_json_create(type);
if (brother) brother->next = child;
if (!parent->child) parent->child = child;
child->parent = parent;
child->value = value;
child->key = key;
return child;
}
static char* encoded_jwt_header(const char* key_id, const char* algorithm) { static char* encoded_jwt_header(const char* key_id, const char* algorithm) {
grpc_json* json = grpc_json_create(GRPC_JSON_OBJECT); Json json = Json::Object{
grpc_json* child = nullptr; {"alg", algorithm},
char* json_str = nullptr; {"typ", GRPC_JWT_TYPE},
char* result = nullptr; {"kid", key_id},
};
child = create_child(nullptr, json, "alg", algorithm, GRPC_JSON_STRING); std::string json_str = json.Dump();
child = create_child(child, json, "typ", GRPC_JWT_TYPE, GRPC_JSON_STRING); return grpc_base64_encode(json_str.c_str(), json_str.size(), 1, 0);
create_child(child, json, "kid", key_id, GRPC_JSON_STRING);
json_str = grpc_json_dump_to_string(json, 0);
result = grpc_base64_encode(json_str, strlen(json_str), 1, 0);
gpr_free(json_str);
grpc_json_destroy(json);
return result;
} }
static char* encoded_jwt_claim(const grpc_auth_json_key* json_key, static char* encoded_jwt_claim(const grpc_auth_json_key* json_key,
const char* audience, const char* audience,
gpr_timespec token_lifetime, const char* scope) { gpr_timespec token_lifetime, const char* scope) {
grpc_json* json = grpc_json_create(GRPC_JSON_OBJECT);
grpc_json* child = nullptr;
char* json_str = nullptr;
char* result = nullptr;
gpr_timespec now = gpr_now(GPR_CLOCK_REALTIME); gpr_timespec now = gpr_now(GPR_CLOCK_REALTIME);
gpr_timespec expiration = gpr_time_add(now, token_lifetime); gpr_timespec expiration = gpr_time_add(now, token_lifetime);
char now_str[GPR_LTOA_MIN_BUFSIZE];
char expiration_str[GPR_LTOA_MIN_BUFSIZE];
if (gpr_time_cmp(token_lifetime, grpc_max_auth_token_lifetime()) > 0) { if (gpr_time_cmp(token_lifetime, grpc_max_auth_token_lifetime()) > 0) {
gpr_log(GPR_INFO, "Cropping token lifetime to maximum allowed value."); gpr_log(GPR_INFO, "Cropping token lifetime to maximum allowed value.");
expiration = gpr_time_add(now, grpc_max_auth_token_lifetime()); expiration = gpr_time_add(now, grpc_max_auth_token_lifetime());
} }
int64_ttoa(now.tv_sec, now_str);
int64_ttoa(expiration.tv_sec, expiration_str);
child = create_child(nullptr, json, "iss", json_key->client_email, Json::Object object = {
GRPC_JSON_STRING); {"iss", json_key->client_email},
{"aud", audience},
{"iat", now.tv_sec},
{"exp", expiration.tv_sec},
};
if (scope != nullptr) { if (scope != nullptr) {
child = create_child(child, json, "scope", scope, GRPC_JSON_STRING); object["scope"] = scope;
} else { } else {
/* Unscoped JWTs need a sub field. */ /* Unscoped JWTs need a sub field. */
child = create_child(child, json, "sub", json_key->client_email, object["sub"] = json_key->client_email;
GRPC_JSON_STRING);
} }
child = create_child(child, json, "aud", audience, GRPC_JSON_STRING); Json json(object);
child = create_child(child, json, "iat", now_str, GRPC_JSON_NUMBER); std::string json_str = json.Dump();
create_child(child, json, "exp", expiration_str, GRPC_JSON_NUMBER); return grpc_base64_encode(json_str.c_str(), json_str.size(), 1, 0);
json_str = grpc_json_dump_to_string(json, 0);
result = grpc_base64_encode(json_str, strlen(json_str), 1, 0);
gpr_free(json_str);
grpc_json_destroy(json);
return result;
} }
static char* dot_concat_and_free_strings(char* str1, char* str2) { static char* dot_concat_and_free_strings(char* str1, char* str2) {

3
src/core/lib/security/credentials/jwt/json_token.h
Unescape View File

@ -52,7 +52,8 @@ grpc_auth_json_key grpc_auth_json_key_create_from_string(
/* Creates a json_key object from parsed json. Returns an invalid object if a /* Creates a json_key object from parsed json. Returns an invalid object if a
parsing error has been encountered. */ parsing error has been encountered. */
grpc_auth_json_key grpc_auth_json_key_create_from_json(const grpc_json* json); grpc_auth_json_key grpc_auth_json_key_create_from_json(
const grpc_core::Json& json);
/* Destructs the object. */ /* Destructs the object. */
void grpc_auth_json_key_destruct(grpc_auth_json_key* json_key); void grpc_auth_json_key_destruct(grpc_auth_json_key* json_key);

26
src/core/lib/security/credentials/jwt/jwt_credentials.cc
Unescape View File

@ -32,6 +32,8 @@
#include <grpc/support/string_util.h> #include <grpc/support/string_util.h>
#include <grpc/support/sync.h> #include <grpc/support/sync.h>
using grpc_core::Json;
void grpc_service_account_jwt_access_credentials::reset_cache() { void grpc_service_account_jwt_access_credentials::reset_cache() {
GRPC_MDELEM_UNREF(cached_.jwt_md); GRPC_MDELEM_UNREF(cached_.jwt_md);
cached_.jwt_md = GRPC_MDNULL; cached_.jwt_md = GRPC_MDNULL;
@ -136,26 +138,14 @@ grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
} }
static char* redact_private_key(const char* json_key) { static char* redact_private_key(const char* json_key) {
char* json_copy = gpr_strdup(json_key); grpc_error* error = GRPC_ERROR_NONE;
grpc_json* json = grpc_json_parse_string(json_copy); Json json = Json::Parse(json_key, &error);
if (!json) { if (error != GRPC_ERROR_NONE || json.type() != Json::Type::OBJECT) {
gpr_free(json_copy); GRPC_ERROR_UNREF(error);
return gpr_strdup("<Json failed to parse.>"); return gpr_strdup("<Json failed to parse.>");
} }
const char* redacted = "<redacted>"; (*json.mutable_object())["private_key"] = "<redacted>";
grpc_json* current = json->child; return gpr_strdup(json.Dump(/*indent=*/2).c_str());
while (current) {
if (current->type == GRPC_JSON_STRING &&
strcmp(current->key, "private_key") == 0) {
current->value = const_cast<char*>(redacted);
break;
}
current = current->next;
}
char* clean_json = grpc_json_dump_to_string(json, 2);
gpr_free(json_copy);
grpc_json_destroy(json);
return clean_json;
} }
grpc_call_credentials* grpc_service_account_jwt_access_credentials_create( grpc_call_credentials* grpc_service_account_jwt_access_credentials_create(

308
src/core/lib/security/credentials/jwt/jwt_verifier.cc
Unescape View File

@ -37,12 +37,15 @@ extern "C" {
} }
#include "src/core/lib/gpr/string.h" #include "src/core/lib/gpr/string.h"
#include "src/core/lib/gprpp/manual_constructor.h"
#include "src/core/lib/http/httpcli.h" #include "src/core/lib/http/httpcli.h"
#include "src/core/lib/iomgr/polling_entity.h" #include "src/core/lib/iomgr/polling_entity.h"
#include "src/core/lib/slice/b64.h" #include "src/core/lib/slice/b64.h"
#include "src/core/lib/slice/slice_internal.h" #include "src/core/lib/slice/slice_internal.h"
#include "src/core/tsi/ssl_types.h" #include "src/core/tsi/ssl_types.h"
using grpc_core::Json;
/* --- Utils. --- */ /* --- Utils. --- */
const char* grpc_jwt_verifier_status_to_string( const char* grpc_jwt_verifier_status_to_string(
@ -79,42 +82,41 @@ static const EVP_MD* evp_md_from_alg(const char* alg) {
} }
} }
static grpc_json* parse_json_part_from_jwt(const char* str, size_t len, static Json parse_json_part_from_jwt(const char* str, size_t len) {
grpc_slice* buffer) { grpc_slice slice = grpc_base64_decode_with_len(str, len, 1);
grpc_json* json; if (GRPC_SLICE_IS_EMPTY(slice)) {
*buffer = grpc_base64_decode_with_len(str, len, 1);
if (GRPC_SLICE_IS_EMPTY(*buffer)) {
gpr_log(GPR_ERROR, "Invalid base64."); gpr_log(GPR_ERROR, "Invalid base64.");
return nullptr; return Json(); // JSON null
} }
json = grpc_json_parse_string_with_len( grpc_core::StringView string(
reinterpret_cast<char*> GRPC_SLICE_START_PTR(*buffer), reinterpret_cast<char*>(GRPC_SLICE_START_PTR(slice)),
GRPC_SLICE_LENGTH(*buffer)); GRPC_SLICE_LENGTH(slice));
if (json == nullptr) { grpc_error* error = GRPC_ERROR_NONE;
grpc_slice_unref_internal(*buffer); Json json = Json::Parse(string, &error);
gpr_log(GPR_ERROR, "JSON parsing error."); if (error != GRPC_ERROR_NONE) {
} gpr_log(GPR_ERROR, "JSON parse error: %s", grpc_error_string(error));
GRPC_ERROR_UNREF(error);
json = Json(); // JSON null
}
grpc_slice_unref_internal(slice);
return json; return json;
} }
static const char* validate_string_field(const grpc_json* json, static const char* validate_string_field(const Json& json, const char* key) {
const char* key) { if (json.type() != Json::Type::STRING) {
if (json->type != GRPC_JSON_STRING) { gpr_log(GPR_ERROR, "Invalid %s field", key);
gpr_log(GPR_ERROR, "Invalid %s field [%s]", key, json->value);
return nullptr; return nullptr;
} }
return json->value; return json.string_value().c_str();
} }
static gpr_timespec validate_time_field(const grpc_json* json, static gpr_timespec validate_time_field(const Json& json, const char* key) {
const char* key) {
gpr_timespec result = gpr_time_0(GPR_CLOCK_REALTIME); gpr_timespec result = gpr_time_0(GPR_CLOCK_REALTIME);
if (json->type != GRPC_JSON_NUMBER) { if (json.type() != Json::Type::NUMBER) {
gpr_log(GPR_ERROR, "Invalid %s field [%s]", key, json->value); gpr_log(GPR_ERROR, "Invalid %s field", key);
return result; return result;
} }
result.tv_sec = strtol(json->value, nullptr, 10); result.tv_sec = strtol(json.string_value().c_str(), nullptr, 10);
return result; return result;
} }
@ -125,50 +127,55 @@ typedef struct {
const char* kid; const char* kid;
const char* typ; const char* typ;
/* TODO(jboeuf): Add others as needed (jku, jwk, x5u, x5c and so on...). */ /* TODO(jboeuf): Add others as needed (jku, jwk, x5u, x5c and so on...). */
grpc_slice buffer; grpc_core::ManualConstructor<Json> json;
} jose_header; } jose_header;
static void jose_header_destroy(jose_header* h) { static void jose_header_destroy(jose_header* h) {
grpc_slice_unref_internal(h->buffer); h->json.Destroy();
gpr_free(h); gpr_free(h);
} }
/* Takes ownership of json and buffer. */ static jose_header* jose_header_from_json(Json json) {
static jose_header* jose_header_from_json(grpc_json* json, const char* alg_value;
const grpc_slice& buffer) { Json::Object::const_iterator it;
grpc_json* cur;
jose_header* h = static_cast<jose_header*>(gpr_zalloc(sizeof(jose_header))); jose_header* h = static_cast<jose_header*>(gpr_zalloc(sizeof(jose_header)));
h->buffer = buffer; if (json.type() != Json::Type::OBJECT) {
for (cur = json->child; cur != nullptr; cur = cur->next) { gpr_log(GPR_ERROR, "JSON value is not an object");
if (strcmp(cur->key, "alg") == 0) { goto error;
/* We only support RSA-1.5 signatures for now.
Beware of this if we add HMAC support:
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
*/
if (cur->type != GRPC_JSON_STRING || strncmp(cur->value, "RS", 2) ||
evp_md_from_alg(cur->value) == nullptr) {
gpr_log(GPR_ERROR, "Invalid alg field [%s]", cur->value);
goto error;
}
h->alg = cur->value;
} else if (strcmp(cur->key, "typ") == 0) {
h->typ = validate_string_field(cur, "typ");
if (h->typ == nullptr) goto error;
} else if (strcmp(cur->key, "kid") == 0) {
h->kid = validate_string_field(cur, "kid");
if (h->kid == nullptr) goto error;
}
} }
if (h->alg == nullptr) { // Check alg field.
it = json.object_value().find("alg");
if (it == json.object_value().end()) {
gpr_log(GPR_ERROR, "Missing alg field."); gpr_log(GPR_ERROR, "Missing alg field.");
goto error; goto error;
} }
grpc_json_destroy(json); /* We only support RSA-1.5 signatures for now.
h->buffer = buffer; Beware of this if we add HMAC support:
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
*/
alg_value = it->second.string_value().c_str();
if (it->second.type() != Json::Type::STRING || strncmp(alg_value, "RS", 2) ||
evp_md_from_alg(alg_value) == nullptr) {
gpr_log(GPR_ERROR, "Invalid alg field");
goto error;
}
h->alg = alg_value;
// Check typ field.
it = json.object_value().find("typ");
if (it != json.object_value().end()) {
h->typ = validate_string_field(it->second, "typ");
if (h->typ == nullptr) goto error;
}
// Check kid field.
it = json.object_value().find("kid");
if (it != json.object_value().end()) {
h->kid = validate_string_field(it->second, "kid");
if (h->kid == nullptr) goto error;
}
h->json.Init(std::move(json));
return h; return h;
error: error:
grpc_json_destroy(json);
jose_header_destroy(h); jose_header_destroy(h);
return nullptr; return nullptr;
} }
@ -185,19 +192,17 @@ struct grpc_jwt_claims {
gpr_timespec exp; gpr_timespec exp;
gpr_timespec nbf; gpr_timespec nbf;
grpc_json* json; grpc_core::ManualConstructor<Json> json;
grpc_slice buffer;
}; };
void grpc_jwt_claims_destroy(grpc_jwt_claims* claims) { void grpc_jwt_claims_destroy(grpc_jwt_claims* claims) {
grpc_json_destroy(claims->json); claims->json.Destroy();
grpc_slice_unref_internal(claims->buffer);
gpr_free(claims); gpr_free(claims);
} }
const grpc_json* grpc_jwt_claims_json(const grpc_jwt_claims* claims) { const Json* grpc_jwt_claims_json(const grpc_jwt_claims* claims) {
if (claims == nullptr) return nullptr; if (claims == nullptr) return nullptr;
return claims->json; return claims->json.get();
} }
const char* grpc_jwt_claims_subject(const grpc_jwt_claims* claims) { const char* grpc_jwt_claims_subject(const grpc_jwt_claims* claims) {
@ -235,45 +240,43 @@ gpr_timespec grpc_jwt_claims_not_before(const grpc_jwt_claims* claims) {
return claims->nbf; return claims->nbf;
} }
/* Takes ownership of json and buffer even in case of failure. */ grpc_jwt_claims* grpc_jwt_claims_from_json(Json json) {
grpc_jwt_claims* grpc_jwt_claims_from_json(grpc_json* json,
const grpc_slice& buffer) {
grpc_json* cur;
grpc_jwt_claims* claims = grpc_jwt_claims* claims =
static_cast<grpc_jwt_claims*>(gpr_malloc(sizeof(grpc_jwt_claims))); static_cast<grpc_jwt_claims*>(gpr_zalloc(sizeof(grpc_jwt_claims)));
memset(claims, 0, sizeof(grpc_jwt_claims)); claims->json.Init(std::move(json));
claims->json = json;
claims->buffer = buffer;
claims->iat = gpr_inf_past(GPR_CLOCK_REALTIME); claims->iat = gpr_inf_past(GPR_CLOCK_REALTIME);
claims->nbf = gpr_inf_past(GPR_CLOCK_REALTIME); claims->nbf = gpr_inf_past(GPR_CLOCK_REALTIME);
claims->exp = gpr_inf_future(GPR_CLOCK_REALTIME); claims->exp = gpr_inf_future(GPR_CLOCK_REALTIME);
/* Per the spec, all fields are optional. */ /* Per the spec, all fields are optional. */
for (cur = json->child; cur != nullptr; cur = cur->next) { for (const auto& p : claims->json->object_value()) {
if (strcmp(cur->key, "sub") == 0) { if (p.first == "sub") {
claims->sub = validate_string_field(cur, "sub"); claims->sub = validate_string_field(p.second, "sub");
if (claims->sub == nullptr) goto error; if (claims->sub == nullptr) goto error;
} else if (strcmp(cur->key, "iss") == 0) { } else if (p.first == "iss") {
claims->iss = validate_string_field(cur, "iss"); claims->iss = validate_string_field(p.second, "iss");
if (claims->iss == nullptr) goto error; if (claims->iss == nullptr) goto error;
} else if (strcmp(cur->key, "aud") == 0) { } else if (p.first == "aud") {
claims->aud = validate_string_field(cur, "aud"); claims->aud = validate_string_field(p.second, "aud");
if (claims->aud == nullptr) goto error; if (claims->aud == nullptr) goto error;
} else if (strcmp(cur->key, "jti") == 0) { } else if (p.first == "jti") {
claims->jti = validate_string_field(cur, "jti"); claims->jti = validate_string_field(p.second, "jti");
if (claims->jti == nullptr) goto error; if (claims->jti == nullptr) goto error;
} else if (strcmp(cur->key, "iat") == 0) { } else if (p.first == "iat") {
claims->iat = validate_time_field(cur, "iat"); claims->iat = validate_time_field(p.second, "iat");
if (gpr_time_cmp(claims->iat, gpr_time_0(GPR_CLOCK_REALTIME)) == 0) if (gpr_time_cmp(claims->iat, gpr_time_0(GPR_CLOCK_REALTIME)) == 0) {
goto error; goto error;
} else if (strcmp(cur->key, "exp") == 0) { }
claims->exp = validate_time_field(cur, "exp"); } else if (p.first == "exp") {
if (gpr_time_cmp(claims->exp, gpr_time_0(GPR_CLOCK_REALTIME)) == 0) claims->exp = validate_time_field(p.second, "exp");
if (gpr_time_cmp(claims->exp, gpr_time_0(GPR_CLOCK_REALTIME)) == 0) {
goto error; goto error;
} else if (strcmp(cur->key, "nbf") == 0) { }
claims->nbf = validate_time_field(cur, "nbf"); } else if (p.first == "nbf") {
if (gpr_time_cmp(claims->nbf, gpr_time_0(GPR_CLOCK_REALTIME)) == 0) claims->nbf = validate_time_field(p.second, "nbf");
if (gpr_time_cmp(claims->nbf, gpr_time_0(GPR_CLOCK_REALTIME)) == 0) {
goto error; goto error;
}
} }
} }
return claims; return claims;
@ -405,33 +408,32 @@ struct grpc_jwt_verifier {
grpc_httpcli_context http_ctx; grpc_httpcli_context http_ctx;
}; };
static grpc_json* json_from_http(const grpc_httpcli_response* response) { static Json json_from_http(const grpc_httpcli_response* response) {
grpc_json* json = nullptr;
if (response == nullptr) { if (response == nullptr) {
gpr_log(GPR_ERROR, "HTTP response is NULL."); gpr_log(GPR_ERROR, "HTTP response is NULL.");
return nullptr; return Json(); // JSON null
} }
if (response->status != 200) { if (response->status != 200) {
gpr_log(GPR_ERROR, "Call to http server failed with error %d.", gpr_log(GPR_ERROR, "Call to http server failed with error %d.",
response->status); response->status);
return nullptr; return Json(); // JSON null
} }
grpc_error* error = GRPC_ERROR_NONE;
json = grpc_json_parse_string_with_len(response->body, response->body_length); Json json = Json::Parse(
if (json == nullptr) { grpc_core::StringView(response->body, response->body_length), &error);
if (error != GRPC_ERROR_NONE) {
gpr_log(GPR_ERROR, "Invalid JSON found in response."); gpr_log(GPR_ERROR, "Invalid JSON found in response.");
return Json(); // JSON null
} }
return json; return json;
} }
static const grpc_json* find_property_by_name(const grpc_json* json, static const Json* find_property_by_name(const Json& json, const char* name) {
const char* name) { auto it = json.object_value().find(name);
const grpc_json* cur; if (it == json.object_value().end()) {
for (cur = json->child; cur != nullptr; cur = cur->next) { return nullptr;
if (strcmp(cur->key, name) == 0) return cur;
} }
return nullptr; return &it->second;
} }
static EVP_PKEY* extract_pkey_from_x509(const char* x509_str) { static EVP_PKEY* extract_pkey_from_x509(const char* x509_str) {
@ -502,14 +504,15 @@ static int RSA_set0_key(RSA* r, BIGNUM* n, BIGNUM* e, BIGNUM* d) {
} }
#endif // OPENSSL_VERSION_NUMBER < 0x10100000L #endif // OPENSSL_VERSION_NUMBER < 0x10100000L
static EVP_PKEY* pkey_from_jwk(const grpc_json* json, const char* kty) { static EVP_PKEY* pkey_from_jwk(const Json& json, const char* kty) {
const grpc_json* key_prop;
RSA* rsa = nullptr; RSA* rsa = nullptr;
EVP_PKEY* result = nullptr; EVP_PKEY* result = nullptr;
BIGNUM* tmp_n = nullptr; BIGNUM* tmp_n = nullptr;
BIGNUM* tmp_e = nullptr; BIGNUM* tmp_e = nullptr;
Json::Object::const_iterator it;
GPR_ASSERT(kty != nullptr && json != nullptr); GPR_ASSERT(json.type() == Json::Type::OBJECT);
GPR_ASSERT(kty != nullptr);
if (strcmp(kty, "RSA") != 0) { if (strcmp(kty, "RSA") != 0) {
gpr_log(GPR_ERROR, "Unsupported key type %s.", kty); gpr_log(GPR_ERROR, "Unsupported key type %s.", kty);
goto end; goto end;
@ -519,19 +522,20 @@ static EVP_PKEY* pkey_from_jwk(const grpc_json* json, const char* kty) {
gpr_log(GPR_ERROR, "Could not create rsa key."); gpr_log(GPR_ERROR, "Could not create rsa key.");
goto end; goto end;
} }
for (key_prop = json->child; key_prop != nullptr; key_prop = key_prop->next) { it = json.object_value().find("n");
if (strcmp(key_prop->key, "n") == 0) { if (it == json.object_value().end()) {
tmp_n = bignum_from_base64(validate_string_field(key_prop, "n")); gpr_log(GPR_ERROR, "Missing RSA public key field.");
if (tmp_n == nullptr) goto end; goto end;
} else if (strcmp(key_prop->key, "e") == 0) {
tmp_e = bignum_from_base64(validate_string_field(key_prop, "e"));
if (tmp_e == nullptr) goto end;
}
} }
if (tmp_e == nullptr || tmp_n == nullptr) { tmp_n = bignum_from_base64(validate_string_field(it->second, "n"));
if (tmp_n == nullptr) goto end;
it = json.object_value().find("e");
if (it == json.object_value().end()) {
gpr_log(GPR_ERROR, "Missing RSA public key field."); gpr_log(GPR_ERROR, "Missing RSA public key field.");
goto end; goto end;
} }
tmp_e = bignum_from_base64(validate_string_field(it->second, "e"));
if (tmp_e == nullptr) goto end;
if (!RSA_set0_key(rsa, tmp_n, tmp_e, nullptr)) { if (!RSA_set0_key(rsa, tmp_n, tmp_e, nullptr)) {
gpr_log(GPR_ERROR, "Cannot set RSA key from inputs."); gpr_log(GPR_ERROR, "Cannot set RSA key from inputs.");
goto end; goto end;
@ -549,48 +553,41 @@ end:
return result; return result;
} }
static EVP_PKEY* find_verification_key(const grpc_json* json, static EVP_PKEY* find_verification_key(const Json& json, const char* header_alg,
const char* header_alg,
const char* header_kid) { const char* header_kid) {
const grpc_json* jkey;
const grpc_json* jwk_keys;
/* Try to parse the json as a JWK set: /* Try to parse the json as a JWK set:
https://tools.ietf.org/html/rfc7517#section-5. */ https://tools.ietf.org/html/rfc7517#section-5. */
jwk_keys = find_property_by_name(json, "keys"); const Json* jwt_keys = find_property_by_name(json, "keys");
if (jwk_keys == nullptr) { if (jwt_keys == nullptr) {
/* Use the google proprietary format which is: /* Use the google proprietary format which is:
{ <kid1>: <x5091>, <kid2>: <x5092>, ... } */ { <kid1>: <x5091>, <kid2>: <x5092>, ... } */
const grpc_json* cur = find_property_by_name(json, header_kid); const Json* cur = find_property_by_name(json, header_kid);
if (cur == nullptr) return nullptr; if (cur == nullptr) return nullptr;
return extract_pkey_from_x509(cur->value); return extract_pkey_from_x509(cur->string_value().c_str());
} }
if (jwt_keys->type() != Json::Type::ARRAY) {
if (jwk_keys->type != GRPC_JSON_ARRAY) {
gpr_log(GPR_ERROR, gpr_log(GPR_ERROR,
"Unexpected value type of keys property in jwks key set."); "Unexpected value type of keys property in jwks key set.");
return nullptr; return nullptr;
} }
/* Key format is specified in: /* Key format is specified in:
https://tools.ietf.org/html/rfc7518#section-6. */ https://tools.ietf.org/html/rfc7518#section-6. */
for (jkey = jwk_keys->child; jkey != nullptr; jkey = jkey->next) { for (const Json& jkey : jwt_keys->array_value()) {
grpc_json* key_prop; if (jkey.type() != Json::Type::OBJECT) continue;
const char* alg = nullptr; const char* alg = nullptr;
auto it = jkey.object_value().find("alg");
if (it != jkey.object_value().end()) {
alg = validate_string_field(it->second, "alg");
}
const char* kid = nullptr; const char* kid = nullptr;
it = jkey.object_value().find("kid");
if (it != jkey.object_value().end()) {
kid = validate_string_field(it->second, "kid");
}
const char* kty = nullptr; const char* kty = nullptr;
it = jkey.object_value().find("kty");
if (jkey->type != GRPC_JSON_OBJECT) continue; if (it != jkey.object_value().end()) {
for (key_prop = jkey->child; key_prop != nullptr; kty = validate_string_field(it->second, "kty");
key_prop = key_prop->next) {
if (strcmp(key_prop->key, "alg") == 0 &&
key_prop->type == GRPC_JSON_STRING) {
alg = key_prop->value;
} else if (strcmp(key_prop->key, "kid") == 0 &&
key_prop->type == GRPC_JSON_STRING) {
kid = key_prop->value;
} else if (strcmp(key_prop->key, "kty") == 0 &&
key_prop->type == GRPC_JSON_STRING) {
kty = key_prop->value;
}
} }
if (alg != nullptr && kid != nullptr && kty != nullptr && if (alg != nullptr && kid != nullptr && kty != nullptr &&
strcmp(kid, header_kid) == 0 && strcmp(alg, header_alg) == 0) { strcmp(kid, header_kid) == 0 && strcmp(alg, header_alg) == 0) {
@ -638,12 +635,12 @@ end:
static void on_keys_retrieved(void* user_data, grpc_error* /*error*/) { static void on_keys_retrieved(void* user_data, grpc_error* /*error*/) {
verifier_cb_ctx* ctx = static_cast<verifier_cb_ctx*>(user_data); verifier_cb_ctx* ctx = static_cast<verifier_cb_ctx*>(user_data);
grpc_json* json = json_from_http(&ctx->responses[HTTP_RESPONSE_KEYS]); Json json = json_from_http(&ctx->responses[HTTP_RESPONSE_KEYS]);
EVP_PKEY* verification_key = nullptr; EVP_PKEY* verification_key = nullptr;
grpc_jwt_verifier_status status = GRPC_JWT_VERIFIER_GENERIC_ERROR; grpc_jwt_verifier_status status = GRPC_JWT_VERIFIER_GENERIC_ERROR;
grpc_jwt_claims* claims = nullptr; grpc_jwt_claims* claims = nullptr;
if (json == nullptr) { if (json.type() == Json::Type::JSON_NULL) {
status = GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR; status = GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR;
goto end; goto end;
} }
@ -670,29 +667,28 @@ static void on_keys_retrieved(void* user_data, grpc_error* /*error*/) {
} }
end: end:
grpc_json_destroy(json);
EVP_PKEY_free(verification_key); EVP_PKEY_free(verification_key);
ctx->user_cb(ctx->user_data, status, claims); ctx->user_cb(ctx->user_data, status, claims);
verifier_cb_ctx_destroy(ctx); verifier_cb_ctx_destroy(ctx);
} }
static void on_openid_config_retrieved(void* user_data, grpc_error* /*error*/) { static void on_openid_config_retrieved(void* user_data, grpc_error* /*error*/) {
const grpc_json* cur;
verifier_cb_ctx* ctx = static_cast<verifier_cb_ctx*>(user_data); verifier_cb_ctx* ctx = static_cast<verifier_cb_ctx*>(user_data);
const grpc_http_response* response = &ctx->responses[HTTP_RESPONSE_OPENID]; const grpc_http_response* response = &ctx->responses[HTTP_RESPONSE_OPENID];
grpc_json* json = json_from_http(response); Json json = json_from_http(response);
grpc_httpcli_request req; grpc_httpcli_request req;
const char* jwks_uri; const char* jwks_uri;
grpc_resource_quota* resource_quota = nullptr; grpc_resource_quota* resource_quota = nullptr;
const Json* cur;
/* TODO(jboeuf): Cache the jwks_uri in order to avoid this hop next time. */ /* TODO(jboeuf): Cache the jwks_uri in order to avoid this hop next time. */
if (json == nullptr) goto error; if (json.type() == Json::Type::JSON_NULL) goto error;
cur = find_property_by_name(json, "jwks_uri"); cur = find_property_by_name(json, "jwks_uri");
if (cur == nullptr) { if (cur == nullptr) {
gpr_log(GPR_ERROR, "Could not find jwks_uri in openid config."); gpr_log(GPR_ERROR, "Could not find jwks_uri in openid config.");
goto error; goto error;
} }
jwks_uri = validate_string_field(cur, "jwks_uri"); jwks_uri = validate_string_field(*cur, "jwks_uri");
if (jwks_uri == nullptr) goto error; if (jwks_uri == nullptr) goto error;
if (strstr(jwks_uri, "https://") != jwks_uri) { if (strstr(jwks_uri, "https://") != jwks_uri) {
gpr_log(GPR_ERROR, "Invalid non https jwks_uri: %s.", jwks_uri); gpr_log(GPR_ERROR, "Invalid non https jwks_uri: %s.", jwks_uri);
@ -718,12 +714,10 @@ static void on_openid_config_retrieved(void* user_data, grpc_error* /*error*/) {
GRPC_CLOSURE_CREATE(on_keys_retrieved, ctx, grpc_schedule_on_exec_ctx), GRPC_CLOSURE_CREATE(on_keys_retrieved, ctx, grpc_schedule_on_exec_ctx),
&ctx->responses[HTTP_RESPONSE_KEYS]); &ctx->responses[HTTP_RESPONSE_KEYS]);
grpc_resource_quota_unref_internal(resource_quota); grpc_resource_quota_unref_internal(resource_quota);
grpc_json_destroy(json);
gpr_free(req.host); gpr_free(req.host);
return; return;
error: error:
grpc_json_destroy(json);
ctx->user_cb(ctx->user_data, GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR, nullptr); ctx->user_cb(ctx->user_data, GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR, nullptr);
verifier_cb_ctx_destroy(ctx); verifier_cb_ctx_destroy(ctx);
} }
@ -860,32 +854,28 @@ void grpc_jwt_verifier_verify(grpc_jwt_verifier* verifier,
grpc_jwt_verification_done_cb cb, grpc_jwt_verification_done_cb cb,
void* user_data) { void* user_data) {
const char* dot = nullptr; const char* dot = nullptr;
grpc_json* json;
jose_header* header = nullptr; jose_header* header = nullptr;
grpc_jwt_claims* claims = nullptr; grpc_jwt_claims* claims = nullptr;
grpc_slice header_buffer;
grpc_slice claims_buffer;
grpc_slice signature; grpc_slice signature;
size_t signed_jwt_len; size_t signed_jwt_len;
const char* cur = jwt; const char* cur = jwt;
Json json;
GPR_ASSERT(verifier != nullptr && jwt != nullptr && audience != nullptr && GPR_ASSERT(verifier != nullptr && jwt != nullptr && audience != nullptr &&
cb != nullptr); cb != nullptr);
dot = strchr(cur, '.'); dot = strchr(cur, '.');
if (dot == nullptr) goto error; if (dot == nullptr) goto error;
json = parse_json_part_from_jwt(cur, static_cast<size_t>(dot - cur), json = parse_json_part_from_jwt(cur, static_cast<size_t>(dot - cur));
&header_buffer); if (json.type() == Json::Type::JSON_NULL) goto error;
if (json == nullptr) goto error; header = jose_header_from_json(std::move(json));
header = jose_header_from_json(json, header_buffer);
if (header == nullptr) goto error; if (header == nullptr) goto error;
cur = dot + 1; cur = dot + 1;
dot = strchr(cur, '.'); dot = strchr(cur, '.');
if (dot == nullptr) goto error; if (dot == nullptr) goto error;
json = parse_json_part_from_jwt(cur, static_cast<size_t>(dot - cur), json = parse_json_part_from_jwt(cur, static_cast<size_t>(dot - cur));
&claims_buffer); if (json.type() == Json::Type::JSON_NULL) goto error;
if (json == nullptr) goto error; claims = grpc_jwt_claims_from_json(std::move(json));
claims = grpc_jwt_claims_from_json(json, claims_buffer);
if (claims == nullptr) goto error; if (claims == nullptr) goto error;
signed_jwt_len = static_cast<size_t>(dot - jwt); signed_jwt_len = static_cast<size_t>(dot - jwt);

5
src/core/lib/security/credentials/jwt/jwt_verifier.h
Unescape View File

@ -56,7 +56,7 @@ typedef struct grpc_jwt_claims grpc_jwt_claims;
void grpc_jwt_claims_destroy(grpc_jwt_claims* claims); void grpc_jwt_claims_destroy(grpc_jwt_claims* claims);
/* Returns the whole JSON tree of the claims. */ /* Returns the whole JSON tree of the claims. */
const grpc_json* grpc_jwt_claims_json(const grpc_jwt_claims* claims); const grpc_core::Json* grpc_jwt_claims_json(const grpc_jwt_claims* claims);
/* Access to registered claims in https://tools.ietf.org/html/rfc7519#page-9 */ /* Access to registered claims in https://tools.ietf.org/html/rfc7519#page-9 */
const char* grpc_jwt_claims_subject(const grpc_jwt_claims* claims); const char* grpc_jwt_claims_subject(const grpc_jwt_claims* claims);
@ -115,8 +115,7 @@ void grpc_jwt_verifier_verify(grpc_jwt_verifier* verifier,
/* --- TESTING ONLY exposed functions. --- */ /* --- TESTING ONLY exposed functions. --- */
grpc_jwt_claims* grpc_jwt_claims_from_json(grpc_json* json, grpc_jwt_claims* grpc_jwt_claims_from_json(grpc_core::Json json);
const grpc_slice& buffer);
grpc_jwt_verifier_status grpc_jwt_claims_check(const grpc_jwt_claims* claims, grpc_jwt_verifier_status grpc_jwt_claims_check(const grpc_jwt_claims* claims,
const char* audience); const char* audience);
const char* grpc_jwt_issuer_email_domain(const char* issuer); const char* grpc_jwt_issuer_email_domain(const char* issuer);

71
src/core/lib/security/credentials/oauth2/oauth2_credentials.cc
Unescape View File

@ -40,6 +40,8 @@
#include "src/core/lib/surface/api_trace.h" #include "src/core/lib/surface/api_trace.h"
#include "src/core/lib/uri/uri_parser.h" #include "src/core/lib/uri/uri_parser.h"
using grpc_core::Json;
// //
// Auth Refresh Token. // Auth Refresh Token.
// //
@ -51,7 +53,7 @@ int grpc_auth_refresh_token_is_valid(
} }
grpc_auth_refresh_token grpc_auth_refresh_token_create_from_json( grpc_auth_refresh_token grpc_auth_refresh_token_create_from_json(
const grpc_json* json) { const Json& json) {
grpc_auth_refresh_token result; grpc_auth_refresh_token result;
const char* prop_value; const char* prop_value;
int success = 0; int success = 0;
@ -59,7 +61,7 @@ grpc_auth_refresh_token grpc_auth_refresh_token_create_from_json(
memset(&result, 0, sizeof(grpc_auth_refresh_token)); memset(&result, 0, sizeof(grpc_auth_refresh_token));
result.type = GRPC_AUTH_JSON_TYPE_INVALID; result.type = GRPC_AUTH_JSON_TYPE_INVALID;
if (json == nullptr) { if (json.type() != Json::Type::OBJECT) {
gpr_log(GPR_ERROR, "Invalid json."); gpr_log(GPR_ERROR, "Invalid json.");
goto end; goto end;
} }
@ -88,13 +90,13 @@ end:
grpc_auth_refresh_token grpc_auth_refresh_token_create_from_string( grpc_auth_refresh_token grpc_auth_refresh_token_create_from_string(
const char* json_string) { const char* json_string) {
char* scratchpad = gpr_strdup(json_string); grpc_error* error = GRPC_ERROR_NONE;
grpc_json* json = grpc_json_parse_string(scratchpad); Json json = Json::Parse(json_string, &error);
grpc_auth_refresh_token result = if (error != GRPC_ERROR_NONE) {
grpc_auth_refresh_token_create_from_json(json); gpr_log(GPR_ERROR, "JSON parsing failed: %s", grpc_error_string(error));
grpc_json_destroy(json); GRPC_ERROR_UNREF(error);
gpr_free(scratchpad); }
return result; return grpc_auth_refresh_token_create_from_json(std::move(json));
} }
void grpc_auth_refresh_token_destruct(grpc_auth_refresh_token* refresh_token) { void grpc_auth_refresh_token_destruct(grpc_auth_refresh_token* refresh_token) {
@ -133,7 +135,7 @@ grpc_oauth2_token_fetcher_credentials_parse_server_response(
char* null_terminated_body = nullptr; char* null_terminated_body = nullptr;
char* new_access_token = nullptr; char* new_access_token = nullptr;
grpc_credentials_status status = GRPC_CREDENTIALS_OK; grpc_credentials_status status = GRPC_CREDENTIALS_OK;
grpc_json* json = nullptr; Json json;
if (response == nullptr) { if (response == nullptr) {
gpr_log(GPR_ERROR, "Received NULL response."); gpr_log(GPR_ERROR, "Received NULL response.");
@ -155,48 +157,50 @@ grpc_oauth2_token_fetcher_credentials_parse_server_response(
status = GRPC_CREDENTIALS_ERROR; status = GRPC_CREDENTIALS_ERROR;
goto end; goto end;
} else { } else {
grpc_json* access_token = nullptr; const char* access_token = nullptr;
grpc_json* token_type = nullptr; const char* token_type = nullptr;
grpc_json* expires_in = nullptr; const char* expires_in = nullptr;
grpc_json* ptr; Json::Object::const_iterator it;
json = grpc_json_parse_string(null_terminated_body); grpc_error* error = GRPC_ERROR_NONE;
if (json == nullptr) { json = Json::Parse(null_terminated_body, &error);
gpr_log(GPR_ERROR, "Could not parse JSON from %s", null_terminated_body); if (error != GRPC_ERROR_NONE) {
gpr_log(GPR_ERROR, "Could not parse JSON from %s: %s",
null_terminated_body, grpc_error_string(error));
GRPC_ERROR_UNREF(error);
status = GRPC_CREDENTIALS_ERROR; status = GRPC_CREDENTIALS_ERROR;
goto end; goto end;
} }
if (json->type != GRPC_JSON_OBJECT) { if (json.type() != Json::Type::OBJECT) {
gpr_log(GPR_ERROR, "Response should be a JSON object"); gpr_log(GPR_ERROR, "Response should be a JSON object");
status = GRPC_CREDENTIALS_ERROR; status = GRPC_CREDENTIALS_ERROR;
goto end; goto end;
} }
for (ptr = json->child; ptr; ptr = ptr->next) { it = json.object_value().find("access_token");
if (strcmp(ptr->key, "access_token") == 0) { if (it == json.object_value().end() ||
access_token = ptr; it->second.type() != Json::Type::STRING) {
} else if (strcmp(ptr->key, "token_type") == 0) {
token_type = ptr;
} else if (strcmp(ptr->key, "expires_in") == 0) {
expires_in = ptr;
}
}
if (access_token == nullptr || access_token->type != GRPC_JSON_STRING) {
gpr_log(GPR_ERROR, "Missing or invalid access_token in JSON."); gpr_log(GPR_ERROR, "Missing or invalid access_token in JSON.");
status = GRPC_CREDENTIALS_ERROR; status = GRPC_CREDENTIALS_ERROR;
goto end; goto end;
} }
if (token_type == nullptr || token_type->type != GRPC_JSON_STRING) { access_token = it->second.string_value().c_str();
it = json.object_value().find("token_type");
if (it == json.object_value().end() ||
it->second.type() != Json::Type::STRING) {
gpr_log(GPR_ERROR, "Missing or invalid token_type in JSON."); gpr_log(GPR_ERROR, "Missing or invalid token_type in JSON.");
status = GRPC_CREDENTIALS_ERROR; status = GRPC_CREDENTIALS_ERROR;
goto end; goto end;
} }
if (expires_in == nullptr || expires_in->type != GRPC_JSON_NUMBER) { token_type = it->second.string_value().c_str();
it = json.object_value().find("expires_in");
if (it == json.object_value().end() ||
it->second.type() != Json::Type::NUMBER) {
gpr_log(GPR_ERROR, "Missing or invalid expires_in in JSON."); gpr_log(GPR_ERROR, "Missing or invalid expires_in in JSON.");
status = GRPC_CREDENTIALS_ERROR; status = GRPC_CREDENTIALS_ERROR;
goto end; goto end;
} }
gpr_asprintf(&new_access_token, "%s %s", token_type->value, expires_in = it->second.string_value().c_str();
access_token->value); gpr_asprintf(&new_access_token, "%s %s", token_type, access_token);
*token_lifetime = strtol(expires_in->value, nullptr, 10) * GPR_MS_PER_SEC; *token_lifetime = strtol(expires_in, nullptr, 10) * GPR_MS_PER_SEC;
if (!GRPC_MDISNULL(*token_md)) GRPC_MDELEM_UNREF(*token_md); if (!GRPC_MDISNULL(*token_md)) GRPC_MDELEM_UNREF(*token_md);
*token_md = grpc_mdelem_from_slices( *token_md = grpc_mdelem_from_slices(
grpc_core::ExternallyManagedSlice(GRPC_AUTHORIZATION_METADATA_KEY), grpc_core::ExternallyManagedSlice(GRPC_AUTHORIZATION_METADATA_KEY),
@ -211,7 +215,6 @@ end:
} }
if (null_terminated_body != nullptr) gpr_free(null_terminated_body); if (null_terminated_body != nullptr) gpr_free(null_terminated_body);
if (new_access_token != nullptr) gpr_free(new_access_token); if (new_access_token != nullptr) gpr_free(new_access_token);
grpc_json_destroy(json);
return status; return status;
} }

2
src/core/lib/security/credentials/oauth2/oauth2_credentials.h
Unescape View File

@ -51,7 +51,7 @@ grpc_auth_refresh_token grpc_auth_refresh_token_create_from_string(
/// Creates a refresh token object from parsed json. Returns an invalid object /// Creates a refresh token object from parsed json. Returns an invalid object
/// if a parsing error has been encountered. /// if a parsing error has been encountered.
grpc_auth_refresh_token grpc_auth_refresh_token_create_from_json( grpc_auth_refresh_token grpc_auth_refresh_token_create_from_json(
const grpc_json* json); const grpc_core::Json& json);
/// Destructs the object. /// Destructs the object.
void grpc_auth_refresh_token_destruct(grpc_auth_refresh_token* refresh_token); void grpc_auth_refresh_token_destruct(grpc_auth_refresh_token* refresh_token);

37
src/core/lib/security/util/json_util.cc
Unescape View File

@ -26,34 +26,41 @@
#include <grpc/support/log.h> #include <grpc/support/log.h>
#include <grpc/support/string_util.h> #include <grpc/support/string_util.h>
const char* grpc_json_get_string_property(const grpc_json* json, const char* grpc_json_get_string_property(const grpc_core::Json& json,
const char* prop_name, const char* prop_name,
grpc_error** error) { grpc_error** error) {
grpc_json* child = nullptr; if (json.type() != grpc_core::Json::Type::OBJECT) {
if (error != nullptr) *error = GRPC_ERROR_NONE; if (error != nullptr) {
for (child = json->child; child != nullptr; child = child->next) { *error =
if (child->key == nullptr) { GRPC_ERROR_CREATE_FROM_STATIC_STRING("JSON value is not an object");
if (error != nullptr) {
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"Invalid (null) JSON key encountered");
}
return nullptr;
} }
if (strcmp(child->key, prop_name) == 0) break; return nullptr;
}
auto it = json.object_value().find(prop_name);
if (it == json.object_value().end()) {
if (error != nullptr) {
char* error_msg;
gpr_asprintf(&error_msg, "Property %s not found in JSON object.",
prop_name);
*error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(error_msg);
gpr_free(error_msg);
}
return nullptr;
} }
if (child == nullptr || child->type != GRPC_JSON_STRING) { if (it->second.type() != grpc_core::Json::Type::STRING) {
if (error != nullptr) { if (error != nullptr) {
char* error_msg; char* error_msg;
gpr_asprintf(&error_msg, "Invalid or missing %s property.", prop_name); gpr_asprintf(&error_msg, "Property %s in JSON object is not a string.",
prop_name);
*error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(error_msg); *error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(error_msg);
gpr_free(error_msg); gpr_free(error_msg);
} }
return nullptr; return nullptr;
} }
return child->value; return it->second.string_value().c_str();
} }
bool grpc_copy_json_string_property(const grpc_json* json, bool grpc_copy_json_string_property(const grpc_core::Json& json,
const char* prop_name, const char* prop_name,
char** copied_value) { char** copied_value) {
grpc_error* error = GRPC_ERROR_NONE; grpc_error* error = GRPC_ERROR_NONE;

4
src/core/lib/security/util/json_util.h
Unescape View File

@ -32,13 +32,13 @@
#define GRPC_AUTH_JSON_TYPE_AUTHORIZED_USER "authorized_user" #define GRPC_AUTH_JSON_TYPE_AUTHORIZED_USER "authorized_user"
// Gets a child property from a json node. // Gets a child property from a json node.
const char* grpc_json_get_string_property(const grpc_json* json, const char* grpc_json_get_string_property(const grpc_core::Json& json,
const char* prop_name, const char* prop_name,
grpc_error** error); grpc_error** error);
// Copies the value of the json child property specified by prop_name. // Copies the value of the json child property specified by prop_name.
// Returns false if the property was not found. // Returns false if the property was not found.
bool grpc_copy_json_string_property(const grpc_json* json, bool grpc_copy_json_string_property(const grpc_core::Json& json,
const char* prop_name, char** copied_value); const char* prop_name, char** copied_value);
#endif /* GRPC_CORE_LIB_SECURITY_UTIL_JSON_UTIL_H */ #endif /* GRPC_CORE_LIB_SECURITY_UTIL_JSON_UTIL_H */

36
src/cpp/client/secure_credentials.cc
Unescape View File

@ -135,41 +135,36 @@ void ClearStsCredentialsOptions(StsCredentialsOptions* options) {
// Builds STS credentials options from JSON. // Builds STS credentials options from JSON.
grpc::Status StsCredentialsOptionsFromJson(const grpc::string& json_string, grpc::Status StsCredentialsOptionsFromJson(const grpc::string& json_string,
StsCredentialsOptions* options) { StsCredentialsOptions* options) {
struct GrpcJsonDeleter {
void operator()(grpc_json* json) { grpc_json_destroy(json); }
};
if (options == nullptr) { if (options == nullptr) {
return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
"options cannot be nullptr."); "options cannot be nullptr.");
} }
ClearStsCredentialsOptions(options); ClearStsCredentialsOptions(options);
std::vector<char> scratchpad(json_string.c_str(), grpc_error* error = GRPC_ERROR_NONE;
json_string.c_str() + json_string.size() + 1); grpc_core::Json json = grpc_core::Json::Parse(json_string.c_str(), &error);
std::unique_ptr<grpc_json, GrpcJsonDeleter> json( if (error != GRPC_ERROR_NONE ||
grpc_json_parse_string(&scratchpad[0])); json.type() != grpc_core::Json::Type::OBJECT) {
if (json == nullptr) { GRPC_ERROR_UNREF(error);
return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid json."); return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid json.");
} }
// Required fields. // Required fields.
const char* value = grpc_json_get_string_property( const char* value = grpc_json_get_string_property(
json.get(), "token_exchange_service_uri", nullptr); json, "token_exchange_service_uri", nullptr);
if (value == nullptr) { if (value == nullptr) {
ClearStsCredentialsOptions(options); ClearStsCredentialsOptions(options);
return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
"token_exchange_service_uri must be specified."); "token_exchange_service_uri must be specified.");
} }
options->token_exchange_service_uri.assign(value); options->token_exchange_service_uri.assign(value);
value = value = grpc_json_get_string_property(json, "subject_token_path", nullptr);
grpc_json_get_string_property(json.get(), "subject_token_path", nullptr);
if (value == nullptr) { if (value == nullptr) {
ClearStsCredentialsOptions(options); ClearStsCredentialsOptions(options);
return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
"subject_token_path must be specified."); "subject_token_path must be specified.");
} }
options->subject_token_path.assign(value); options->subject_token_path.assign(value);
value = value = grpc_json_get_string_property(json, "subject_token_type", nullptr);
grpc_json_get_string_property(json.get(), "subject_token_type", nullptr);
if (value == nullptr) { if (value == nullptr) {
ClearStsCredentialsOptions(options); ClearStsCredentialsOptions(options);
return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
@ -178,20 +173,17 @@ grpc::Status StsCredentialsOptionsFromJson(const grpc::string& json_string,
options->subject_token_type.assign(value); options->subject_token_type.assign(value);
// Optional fields. // Optional fields.
value = grpc_json_get_string_property(json.get(), "resource", nullptr); value = grpc_json_get_string_property(json, "resource", nullptr);
if (value != nullptr) options->resource.assign(value); if (value != nullptr) options->resource.assign(value);
value = grpc_json_get_string_property(json.get(), "audience", nullptr); value = grpc_json_get_string_property(json, "audience", nullptr);
if (value != nullptr) options->audience.assign(value); if (value != nullptr) options->audience.assign(value);
value = grpc_json_get_string_property(json.get(), "scope", nullptr); value = grpc_json_get_string_property(json, "scope", nullptr);
if (value != nullptr) options->scope.assign(value); if (value != nullptr) options->scope.assign(value);
value = grpc_json_get_string_property(json.get(), "requested_token_type", value = grpc_json_get_string_property(json, "requested_token_type", nullptr);
nullptr);
if (value != nullptr) options->requested_token_type.assign(value); if (value != nullptr) options->requested_token_type.assign(value);
value = value = grpc_json_get_string_property(json, "actor_token_path", nullptr);
grpc_json_get_string_property(json.get(), "actor_token_path", nullptr);
if (value != nullptr) options->actor_token_path.assign(value); if (value != nullptr) options->actor_token_path.assign(value);
value = value = grpc_json_get_string_property(json, "actor_token_type", nullptr);
grpc_json_get_string_property(json.get(), "actor_token_type", nullptr);
if (value != nullptr) options->actor_token_type.assign(value); if (value != nullptr) options->actor_token_type.assign(value);
return grpc::Status(); return grpc::Status();

173
test/core/security/json_token_test.cc
Unescape View File

@ -32,6 +32,8 @@
#include "src/core/lib/slice/slice_internal.h" #include "src/core/lib/slice/slice_internal.h"
#include "test/core/util/test_config.h" #include "test/core/util/test_config.h"
using grpc_core::Json;
/* This JSON key was generated with the GCE console and revoked immediately. /* This JSON key was generated with the GCE console and revoked immediately.
The identifiers have been changed as well. The identifiers have been changed as well.
Maximum size for a string literal is 509 chars in C89, yay! */ Maximum size for a string literal is 509 chars in C89, yay! */
@ -205,122 +207,78 @@ static void test_parse_json_key_failure_no_private_key(void) {
grpc_auth_json_key_destruct(&json_key); grpc_auth_json_key_destruct(&json_key);
} }
static grpc_json* parse_json_part_from_jwt(const char* str, size_t len, static Json parse_json_part_from_jwt(const char* str, size_t len) {
char** scratchpad) {
grpc_core::ExecCtx exec_ctx; grpc_core::ExecCtx exec_ctx;
char* b64; char* b64 = static_cast<char*>(gpr_malloc(len + 1));
char* decoded;
grpc_json* json;
grpc_slice slice;
b64 = static_cast<char*>(gpr_malloc(len + 1));
strncpy(b64, str, len); strncpy(b64, str, len);
b64[len] = '\0'; b64[len] = '\0';
slice = grpc_base64_decode(b64, 1); grpc_slice slice = grpc_base64_decode(b64, 1);
GPR_ASSERT(!GRPC_SLICE_IS_EMPTY(slice));
decoded = static_cast<char*>(gpr_malloc(GRPC_SLICE_LENGTH(slice) + 1));
strncpy(decoded, reinterpret_cast<const char*> GRPC_SLICE_START_PTR(slice),
GRPC_SLICE_LENGTH(slice));
decoded[GRPC_SLICE_LENGTH(slice)] = '\0';
json = grpc_json_parse_string(decoded);
gpr_free(b64); gpr_free(b64);
*scratchpad = decoded; GPR_ASSERT(!GRPC_SLICE_IS_EMPTY(slice));
grpc_error* error = GRPC_ERROR_NONE;
grpc_core::StringView string(
reinterpret_cast<const char*>(GRPC_SLICE_START_PTR(slice)),
GRPC_SLICE_LENGTH(slice));
Json json = Json::Parse(string, &error);
if (error != GRPC_ERROR_NONE) {
gpr_log(GPR_ERROR, "JSON parse error: %s", grpc_error_string(error));
GRPC_ERROR_UNREF(error);
}
grpc_slice_unref(slice); grpc_slice_unref(slice);
return json; return json;
} }
static void check_jwt_header(grpc_json* header) { static void check_jwt_header(const Json& header) {
grpc_json* ptr; Json::Object object = header.object_value();
grpc_json* alg = nullptr; Json value = object["alg"];
grpc_json* typ = nullptr; GPR_ASSERT(value.type() == Json::Type::STRING);
grpc_json* kid = nullptr; GPR_ASSERT(strcmp(value.string_value().c_str(), "RS256") == 0);
value = object["typ"];
for (ptr = header->child; ptr; ptr = ptr->next) { GPR_ASSERT(value.type() == Json::Type::STRING);
if (strcmp(ptr->key, "alg") == 0) { GPR_ASSERT(strcmp(value.string_value().c_str(), "JWT") == 0);
alg = ptr; value = object["kid"];
} else if (strcmp(ptr->key, "typ") == 0) { GPR_ASSERT(value.type() == Json::Type::STRING);
typ = ptr; GPR_ASSERT(strcmp(value.string_value().c_str(),
} else if (strcmp(ptr->key, "kid") == 0) { "e6b5137873db8d2ef81e06a47289e6434ec8a165") == 0);
kid = ptr;
}
}
GPR_ASSERT(alg != nullptr);
GPR_ASSERT(alg->type == GRPC_JSON_STRING);
GPR_ASSERT(strcmp(alg->value, "RS256") == 0);
GPR_ASSERT(typ != nullptr);
GPR_ASSERT(typ->type == GRPC_JSON_STRING);
GPR_ASSERT(strcmp(typ->value, "JWT") == 0);
GPR_ASSERT(kid != nullptr);
GPR_ASSERT(kid->type == GRPC_JSON_STRING);
GPR_ASSERT(strcmp(kid->value, "e6b5137873db8d2ef81e06a47289e6434ec8a165") ==
0);
} }
static void check_jwt_claim(grpc_json* claim, const char* expected_audience, static void check_jwt_claim(const Json& claim, const char* expected_audience,
const char* expected_scope) { const char* expected_scope) {
gpr_timespec expiration = gpr_time_0(GPR_CLOCK_REALTIME); Json::Object object = claim.object_value();
gpr_timespec issue_time = gpr_time_0(GPR_CLOCK_REALTIME);
gpr_timespec parsed_lifetime;
grpc_json* iss = nullptr;
grpc_json* scope = nullptr;
grpc_json* aud = nullptr;
grpc_json* exp = nullptr;
grpc_json* iat = nullptr;
grpc_json* sub = nullptr;
grpc_json* ptr;
for (ptr = claim->child; ptr; ptr = ptr->next) {
if (strcmp(ptr->key, "iss") == 0) {
iss = ptr;
} else if (strcmp(ptr->key, "sub") == 0) {
sub = ptr;
} else if (strcmp(ptr->key, "scope") == 0) {
scope = ptr;
} else if (strcmp(ptr->key, "aud") == 0) {
aud = ptr;
} else if (strcmp(ptr->key, "exp") == 0) {
exp = ptr;
} else if (strcmp(ptr->key, "iat") == 0) {
iat = ptr;
}
}
GPR_ASSERT(iss != nullptr); Json value = object["iss"];
GPR_ASSERT(iss->type == GRPC_JSON_STRING); GPR_ASSERT(value.type() == Json::Type::STRING);
GPR_ASSERT( GPR_ASSERT(value.string_value() ==
strcmp( "777-abaslkan11hlb6nmim3bpspl31ud@developer.gserviceaccount.com");
iss->value,
"777-abaslkan11hlb6nmim3bpspl31ud@developer.gserviceaccount.com") ==
0);
if (expected_scope != nullptr) { if (expected_scope != nullptr) {
GPR_ASSERT(scope != nullptr); GPR_ASSERT(object.find("sub") == object.end());
GPR_ASSERT(sub == nullptr); value = object["scope"];
GPR_ASSERT(scope->type == GRPC_JSON_STRING); GPR_ASSERT(value.type() == Json::Type::STRING);
GPR_ASSERT(strcmp(scope->value, expected_scope) == 0); GPR_ASSERT(value.string_value() == expected_scope);
} else { } else {
/* Claims without scope must have a sub. */ /* Claims without scope must have a sub. */
GPR_ASSERT(scope == nullptr); GPR_ASSERT(object.find("scope") == object.end());
GPR_ASSERT(sub != nullptr); value = object["sub"];
GPR_ASSERT(sub->type == GRPC_JSON_STRING); GPR_ASSERT(value.type() == Json::Type::STRING);
GPR_ASSERT(strcmp(iss->value, sub->value) == 0); GPR_ASSERT(value.string_value() == object["iss"].string_value());
} }
GPR_ASSERT(aud != nullptr); value = object["aud"];
GPR_ASSERT(aud->type == GRPC_JSON_STRING); GPR_ASSERT(value.type() == Json::Type::STRING);
GPR_ASSERT(strcmp(aud->value, expected_audience) == 0); GPR_ASSERT(value.string_value() == expected_audience);
GPR_ASSERT(exp != nullptr); gpr_timespec expiration = gpr_time_0(GPR_CLOCK_REALTIME);
GPR_ASSERT(exp->type == GRPC_JSON_NUMBER); value = object["exp"];
expiration.tv_sec = strtol(exp->value, nullptr, 10); GPR_ASSERT(value.type() == Json::Type::NUMBER);
expiration.tv_sec = strtol(value.string_value().c_str(), nullptr, 10);
GPR_ASSERT(iat != nullptr); gpr_timespec issue_time = gpr_time_0(GPR_CLOCK_REALTIME);
GPR_ASSERT(iat->type == GRPC_JSON_NUMBER); value = object["iat"];
issue_time.tv_sec = strtol(iat->value, nullptr, 10); GPR_ASSERT(value.type() == Json::Type::NUMBER);
issue_time.tv_sec = strtol(value.string_value().c_str(), nullptr, 10);
parsed_lifetime = gpr_time_sub(expiration, issue_time); gpr_timespec parsed_lifetime = gpr_time_sub(expiration, issue_time);
GPR_ASSERT(parsed_lifetime.tv_sec == grpc_max_auth_token_lifetime().tv_sec); GPR_ASSERT(parsed_lifetime.tv_sec == grpc_max_auth_token_lifetime().tv_sec);
} }
@ -363,21 +321,18 @@ static char* jwt_creds_jwt_encode_and_sign(const grpc_auth_json_key* key) {
grpc_max_auth_token_lifetime(), nullptr); grpc_max_auth_token_lifetime(), nullptr);
} }
static void service_account_creds_check_jwt_claim(grpc_json* claim) { static void service_account_creds_check_jwt_claim(const Json& claim) {
check_jwt_claim(claim, GRPC_JWT_OAUTH2_AUDIENCE, test_scope); check_jwt_claim(claim, GRPC_JWT_OAUTH2_AUDIENCE, test_scope);
} }
static void jwt_creds_check_jwt_claim(grpc_json* claim) { static void jwt_creds_check_jwt_claim(const Json& claim) {
check_jwt_claim(claim, test_service_url, nullptr); check_jwt_claim(claim, test_service_url, nullptr);
} }
static void test_jwt_encode_and_sign( static void test_jwt_encode_and_sign(
char* (*jwt_encode_and_sign_func)(const grpc_auth_json_key*), char* (*jwt_encode_and_sign_func)(const grpc_auth_json_key*),
void (*check_jwt_claim_func)(grpc_json*)) { void (*check_jwt_claim_func)(const Json&)) {
char* json_string = test_json_key_str(nullptr); char* json_string = test_json_key_str(nullptr);
grpc_json* parsed_header = nullptr;
grpc_json* parsed_claim = nullptr;
char* scratchpad;
grpc_auth_json_key json_key = grpc_auth_json_key json_key =
grpc_auth_json_key_create_from_string(json_string); grpc_auth_json_key_create_from_string(json_string);
const char* b64_signature; const char* b64_signature;
@ -385,23 +340,19 @@ static void test_jwt_encode_and_sign(
char* jwt = jwt_encode_and_sign_func(&json_key); char* jwt = jwt_encode_and_sign_func(&json_key);
const char* dot = strchr(jwt, '.'); const char* dot = strchr(jwt, '.');
GPR_ASSERT(dot != nullptr); GPR_ASSERT(dot != nullptr);
parsed_header = parse_json_part_from_jwt(jwt, static_cast<size_t>(dot - jwt), Json parsed_header =
&scratchpad); parse_json_part_from_jwt(jwt, static_cast<size_t>(dot - jwt));
GPR_ASSERT(parsed_header != nullptr); GPR_ASSERT(parsed_header.type() == Json::Type::OBJECT);
check_jwt_header(parsed_header); check_jwt_header(parsed_header);
offset = static_cast<size_t>(dot - jwt) + 1; offset = static_cast<size_t>(dot - jwt) + 1;
grpc_json_destroy(parsed_header);
gpr_free(scratchpad);
dot = strchr(jwt + offset, '.'); dot = strchr(jwt + offset, '.');
GPR_ASSERT(dot != nullptr); GPR_ASSERT(dot != nullptr);
parsed_claim = parse_json_part_from_jwt( Json parsed_claim = parse_json_part_from_jwt(
jwt + offset, static_cast<size_t>(dot - (jwt + offset)), &scratchpad); jwt + offset, static_cast<size_t>(dot - (jwt + offset)));
GPR_ASSERT(parsed_claim != nullptr); GPR_ASSERT(parsed_claim.type() == Json::Type::OBJECT);
check_jwt_claim_func(parsed_claim); check_jwt_claim_func(parsed_claim);
offset = static_cast<size_t>(dot - jwt) + 1; offset = static_cast<size_t>(dot - jwt) + 1;
grpc_json_destroy(parsed_claim);
gpr_free(scratchpad);
dot = strchr(jwt + offset, '.'); dot = strchr(jwt + offset, '.');
GPR_ASSERT(dot == nullptr); /* no more part. */ GPR_ASSERT(dot == nullptr); /* no more part. */

70
test/core/security/jwt_verifier_test.cc
Unescape View File

@ -32,6 +32,8 @@
#include "src/core/lib/slice/b64.h" #include "src/core/lib/slice/b64.h"
#include "test/core/util/test_config.h" #include "test/core/util/test_config.h"
using grpc_core::Json;
/* This JSON key was generated with the GCE console and revoked immediately. /* This JSON key was generated with the GCE console and revoked immediately.
The identifiers have been changed as well. The identifiers have been changed as well.
Maximum size for a string literal is 509 chars in C89, yay! */ Maximum size for a string literal is 509 chars in C89, yay! */
@ -205,14 +207,17 @@ static void test_jwt_issuer_email_domain(void) {
static void test_claims_success(void) { static void test_claims_success(void) {
grpc_jwt_claims* claims; grpc_jwt_claims* claims;
grpc_slice s = grpc_slice_from_copied_string(claims_without_time_constraint); grpc_error* error = GRPC_ERROR_NONE;
grpc_json* json = grpc_json_parse_string_with_len( Json json = Json::Parse(claims_without_time_constraint, &error);
reinterpret_cast<char*> GRPC_SLICE_START_PTR(s), GRPC_SLICE_LENGTH(s)); if (error != GRPC_ERROR_NONE) {
GPR_ASSERT(json != nullptr); gpr_log(GPR_ERROR, "JSON parse error: %s", grpc_error_string(error));
}
GPR_ASSERT(error == GRPC_ERROR_NONE);
GPR_ASSERT(json.type() == Json::Type::OBJECT);
grpc_core::ExecCtx exec_ctx; grpc_core::ExecCtx exec_ctx;
claims = grpc_jwt_claims_from_json(json, s); claims = grpc_jwt_claims_from_json(json);
GPR_ASSERT(claims != nullptr); GPR_ASSERT(claims != nullptr);
GPR_ASSERT(grpc_jwt_claims_json(claims) == json); GPR_ASSERT(*grpc_jwt_claims_json(claims) == json);
GPR_ASSERT(strcmp(grpc_jwt_claims_audience(claims), "https://foo.com") == 0); GPR_ASSERT(strcmp(grpc_jwt_claims_audience(claims), "https://foo.com") == 0);
GPR_ASSERT(strcmp(grpc_jwt_claims_issuer(claims), "blah.foo.com") == 0); GPR_ASSERT(strcmp(grpc_jwt_claims_issuer(claims), "blah.foo.com") == 0);
GPR_ASSERT(strcmp(grpc_jwt_claims_subject(claims), "juju@blah.foo.com") == 0); GPR_ASSERT(strcmp(grpc_jwt_claims_subject(claims), "juju@blah.foo.com") == 0);
@ -224,17 +229,20 @@ static void test_claims_success(void) {
static void test_expired_claims_failure(void) { static void test_expired_claims_failure(void) {
grpc_jwt_claims* claims; grpc_jwt_claims* claims;
grpc_slice s = grpc_slice_from_copied_string(expired_claims); grpc_error* error = GRPC_ERROR_NONE;
grpc_json* json = grpc_json_parse_string_with_len( Json json = Json::Parse(expired_claims, &error);
reinterpret_cast<char*> GRPC_SLICE_START_PTR(s), GRPC_SLICE_LENGTH(s)); if (error != GRPC_ERROR_NONE) {
gpr_log(GPR_ERROR, "JSON parse error: %s", grpc_error_string(error));
}
GPR_ASSERT(error == GRPC_ERROR_NONE);
GPR_ASSERT(json.type() == Json::Type::OBJECT);
gpr_timespec exp_iat = {100, 0, GPR_CLOCK_REALTIME}; gpr_timespec exp_iat = {100, 0, GPR_CLOCK_REALTIME};
gpr_timespec exp_exp = {120, 0, GPR_CLOCK_REALTIME}; gpr_timespec exp_exp = {120, 0, GPR_CLOCK_REALTIME};
gpr_timespec exp_nbf = {60, 0, GPR_CLOCK_REALTIME}; gpr_timespec exp_nbf = {60, 0, GPR_CLOCK_REALTIME};
GPR_ASSERT(json != nullptr);
grpc_core::ExecCtx exec_ctx; grpc_core::ExecCtx exec_ctx;
claims = grpc_jwt_claims_from_json(json, s); claims = grpc_jwt_claims_from_json(json);
GPR_ASSERT(claims != nullptr); GPR_ASSERT(claims != nullptr);
GPR_ASSERT(grpc_jwt_claims_json(claims) == json); GPR_ASSERT(*grpc_jwt_claims_json(claims) == json);
GPR_ASSERT(strcmp(grpc_jwt_claims_audience(claims), "https://foo.com") == 0); GPR_ASSERT(strcmp(grpc_jwt_claims_audience(claims), "https://foo.com") == 0);
GPR_ASSERT(strcmp(grpc_jwt_claims_issuer(claims), "blah.foo.com") == 0); GPR_ASSERT(strcmp(grpc_jwt_claims_issuer(claims), "blah.foo.com") == 0);
GPR_ASSERT(strcmp(grpc_jwt_claims_subject(claims), "juju@blah.foo.com") == 0); GPR_ASSERT(strcmp(grpc_jwt_claims_subject(claims), "juju@blah.foo.com") == 0);
@ -249,21 +257,28 @@ static void test_expired_claims_failure(void) {
} }
static void test_invalid_claims_failure(void) { static void test_invalid_claims_failure(void) {
grpc_slice s = grpc_slice_from_copied_string(invalid_claims); grpc_error* error = GRPC_ERROR_NONE;
grpc_json* json = grpc_json_parse_string_with_len( Json json = Json::Parse(invalid_claims, &error);
reinterpret_cast<char*> GRPC_SLICE_START_PTR(s), GRPC_SLICE_LENGTH(s)); if (error != GRPC_ERROR_NONE) {
gpr_log(GPR_ERROR, "JSON parse error: %s", grpc_error_string(error));
}
GPR_ASSERT(error == GRPC_ERROR_NONE);
GPR_ASSERT(json.type() == Json::Type::OBJECT);
grpc_core::ExecCtx exec_ctx; grpc_core::ExecCtx exec_ctx;
GPR_ASSERT(grpc_jwt_claims_from_json(json, s) == nullptr); GPR_ASSERT(grpc_jwt_claims_from_json(json) == nullptr);
} }
static void test_bad_audience_claims_failure(void) { static void test_bad_audience_claims_failure(void) {
grpc_jwt_claims* claims; grpc_jwt_claims* claims;
grpc_slice s = grpc_slice_from_copied_string(claims_without_time_constraint); grpc_error* error = GRPC_ERROR_NONE;
grpc_json* json = grpc_json_parse_string_with_len( Json json = Json::Parse(claims_without_time_constraint, &error);
reinterpret_cast<char*> GRPC_SLICE_START_PTR(s), GRPC_SLICE_LENGTH(s)); if (error != GRPC_ERROR_NONE) {
GPR_ASSERT(json != nullptr); gpr_log(GPR_ERROR, "JSON parse error: %s", grpc_error_string(error));
}
GPR_ASSERT(error == GRPC_ERROR_NONE);
GPR_ASSERT(json.type() == Json::Type::OBJECT);
grpc_core::ExecCtx exec_ctx; grpc_core::ExecCtx exec_ctx;
claims = grpc_jwt_claims_from_json(json, s); claims = grpc_jwt_claims_from_json(json);
GPR_ASSERT(claims != nullptr); GPR_ASSERT(claims != nullptr);
GPR_ASSERT(grpc_jwt_claims_check(claims, "https://bar.com") == GPR_ASSERT(grpc_jwt_claims_check(claims, "https://bar.com") ==
GRPC_JWT_VERIFIER_BAD_AUDIENCE); GRPC_JWT_VERIFIER_BAD_AUDIENCE);
@ -272,12 +287,15 @@ static void test_bad_audience_claims_failure(void) {
static void test_bad_subject_claims_failure(void) { static void test_bad_subject_claims_failure(void) {
grpc_jwt_claims* claims; grpc_jwt_claims* claims;
grpc_slice s = grpc_slice_from_copied_string(claims_with_bad_subject); grpc_error* error = GRPC_ERROR_NONE;
grpc_json* json = grpc_json_parse_string_with_len( Json json = Json::Parse(claims_with_bad_subject, &error);
reinterpret_cast<char*> GRPC_SLICE_START_PTR(s), GRPC_SLICE_LENGTH(s)); if (error != GRPC_ERROR_NONE) {
GPR_ASSERT(json != nullptr); gpr_log(GPR_ERROR, "JSON parse error: %s", grpc_error_string(error));
}
GPR_ASSERT(error == GRPC_ERROR_NONE);
GPR_ASSERT(json.type() == Json::Type::OBJECT);
grpc_core::ExecCtx exec_ctx; grpc_core::ExecCtx exec_ctx;
claims = grpc_jwt_claims_from_json(json, s); claims = grpc_jwt_claims_from_json(json);
GPR_ASSERT(claims != nullptr); GPR_ASSERT(claims != nullptr);
GPR_ASSERT(grpc_jwt_claims_check(claims, "https://foo.com") == GPR_ASSERT(grpc_jwt_claims_check(claims, "https://foo.com") ==
GRPC_JWT_VERIFIER_BAD_SUBJECT); GRPC_JWT_VERIFIER_BAD_SUBJECT);

7
test/core/security/verify_jwt.cc
Unescape View File

@ -52,12 +52,9 @@ static void on_jwt_verification_done(void* user_data,
sync->success = (status == GRPC_JWT_VERIFIER_OK); sync->success = (status == GRPC_JWT_VERIFIER_OK);
if (sync->success) { if (sync->success) {
char* claims_str;
GPR_ASSERT(claims != nullptr); GPR_ASSERT(claims != nullptr);
claims_str = grpc_json_dump_to_string( std::string claims_str = grpc_jwt_claims_json(claims)->Dump(/*indent=*/2);
const_cast<grpc_json*>(grpc_jwt_claims_json(claims)), 2); printf("Claims: \n\n%s\n", claims_str.c_str());
printf("Claims: \n\n%s\n", claims_str);
gpr_free(claims_str);
grpc_jwt_claims_destroy(claims); grpc_jwt_claims_destroy(claims);
} else { } else {
GPR_ASSERT(claims == nullptr); GPR_ASSERT(claims == nullptr);

Write Preview
Loading…
Cancel
Save