Revert "Allow to specify user provided audience in google default credentials and JWT credentials (#26456)" (#26531)

This reverts commit 5a91a513fd.
yihuaz 3 years ago committed by GitHub
parent 3c4601b349
commit 932dbed49d
  1. 22
      include/grpc/grpc_security.h
  2. 15
      include/grpcpp/security/credentials.h
  3. 2
      src/core/ext/xds/xds_bootstrap.cc
  4. 18
      src/core/lib/security/credentials/google_default/google_default_credentials.cc
  5. 43
      src/core/lib/security/credentials/jwt/jwt_credentials.cc
  6. 17
      src/core/lib/security/credentials/jwt/jwt_credentials.h
  7. 15
      src/cpp/client/secure_credentials.cc
  8. 2
      src/php/ext/grpc/channel_credentials.c
  9. 2
      src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
  10. 4
      src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi
  11. 4
      src/ruby/ext/grpc/rb_grpc_imports.generated.h
  12. 129
      test/core/security/credentials_test.cc

@ -159,18 +159,9 @@ GRPCAPI void grpc_channel_credentials_release(grpc_channel_credentials* creds);
If nullptr is supplied, the returned channel credentials object will use a If nullptr is supplied, the returned channel credentials object will use a
call credentials object based on the Application Default Credentials call credentials object based on the Application Default Credentials
mechanism. mechanism.
user_provided_audience is an optional field for user to override the
audience in the JWT token if used. If user_provided_audience is nullptr,
the service URL will be used as the audience. Note that
user_provided_audience will only be used if a service account JWT access
credential is created by the application default credentials mechanism. Also
note that user_provided_audience will be ignored if the call_credentials is
not nullptr.
*/ */
GRPCAPI grpc_channel_credentials* grpc_google_default_credentials_create( GRPCAPI grpc_channel_credentials* grpc_google_default_credentials_create(
grpc_call_credentials* call_credentials, grpc_call_credentials* call_credentials);
const char* user_provided_audience);
/** Callback for getting the SSL roots override from the application. /** Callback for getting the SSL roots override from the application.
In case of success, *pem_roots_certs must be set to a NULL terminated string In case of success, *pem_roots_certs must be set to a NULL terminated string
@ -333,14 +324,11 @@ GRPCAPI gpr_timespec grpc_max_auth_token_lifetime(void);
- json_key is the JSON key string containing the client's private key. - json_key is the JSON key string containing the client's private key.
- token_lifetime is the lifetime of each Json Web Token (JWT) created with - token_lifetime is the lifetime of each Json Web Token (JWT) created with
this credentials. It should not exceed grpc_max_auth_token_lifetime or this credentials. It should not exceed grpc_max_auth_token_lifetime or
will be cropped to this value. will be cropped to this value. */
- user_provided_audience is an optional field for user to override the
auidence in the JWT token. If user_provided_audience is nullptr, the
service URL will be used as the audience. */
GRPCAPI grpc_call_credentials* GRPCAPI grpc_call_credentials*
grpc_service_account_jwt_access_credentials_create( grpc_service_account_jwt_access_credentials_create(const char* json_key,
const char* json_key, gpr_timespec token_lifetime, gpr_timespec token_lifetime,
const char* user_provided_audience); void* reserved);
/** Builds External Account credentials. /** Builds External Account credentials.
- json_string is the JSON string containing the credentials options. - json_string is the JSON string containing the credentials options.
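Review bot: The restored declaration `grpc_service_account_jwt_access_credentials_create(const char* json_key, gpr_timespec token_lifetime, void* reserved);` leaves `reserved` undocumented, while the implementation restored by the same commit in jwt_credentials.cc treats a non-null value as fatal (`GPR_ASSERT(reserved == nullptr)`). A caller reading only this header has no way to know that; add a bullet next to json_key and token_lifetime, `- reserved is for future use and must be NULL; any other value is a fatal error.`, so the contract the implementation enforces is visible at the API boundary.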

@ -172,18 +172,11 @@ struct SslCredentialsOptions {
/// Builds credentials with reasonable defaults. /// Builds credentials with reasonable defaults.
/// ///
/// user_provided_audience is an optional field for user to override the
/// auidence in the JWT token. If user_provided_audience is empty, the service
/// URL will be used as the audience. Note that user_provided_audience will
/// only be used if a service account JWT access credential is created by
/// the application default credentials mechanism.
///
/// \warning Only use these credentials when connecting to a Google endpoint. /// \warning Only use these credentials when connecting to a Google endpoint.
/// Using these credentials to connect to any other service may result in this /// Using these credentials to connect to any other service may result in this
/// service being able to impersonate your client for requests to Google /// service being able to impersonate your client for requests to Google
/// services. /// services.
std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials( std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials();
const grpc::string& user_provided_audience = "");
/// Builds SSL Credentials given SSL specific options /// Builds SSL Credentials given SSL specific options
std::shared_ptr<ChannelCredentials> SslCredentials( std::shared_ptr<ChannelCredentials> SslCredentials(
@ -204,13 +197,9 @@ constexpr long kMaxAuthTokenLifetimeSecs = 3600;
/// token_lifetime_seconds is the lifetime in seconds of each Json Web Token /// token_lifetime_seconds is the lifetime in seconds of each Json Web Token
/// (JWT) created with this credentials. It should not exceed /// (JWT) created with this credentials. It should not exceed
/// \a kMaxAuthTokenLifetimeSecs or will be cropped to this value. /// \a kMaxAuthTokenLifetimeSecs or will be cropped to this value.
/// user_provided_audience is an optional field for user to override the
/// auidence in the JWT token. If user_provided_audience is empty, the service
/// URL will be used as the audience.
std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials( std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials(
const grpc::string& json_key, const grpc::string& json_key,
long token_lifetime_seconds = kMaxAuthTokenLifetimeSecs, long token_lifetime_seconds = kMaxAuthTokenLifetimeSecs);
const grpc::string& user_provided_audience = "");
/// Builds refresh token credentials. /// Builds refresh token credentials.
/// json_refresh_token is the JSON string containing the refresh token along /// json_refresh_token is the JSON string containing the refresh token along

@ -59,7 +59,7 @@ RefCountedPtr<grpc_channel_credentials>
XdsChannelCredsRegistry::MakeChannelCreds(const std::string& creds_type, XdsChannelCredsRegistry::MakeChannelCreds(const std::string& creds_type,
const Json& /*config*/) { const Json& /*config*/) {
if (creds_type == "google_default") { if (creds_type == "google_default") {
return grpc_google_default_credentials_create(nullptr, nullptr); return grpc_google_default_credentials_create(nullptr);
} else if (creds_type == "insecure") { } else if (creds_type == "insecure") {
return grpc_insecure_credentials_create(); return grpc_insecure_credentials_create();
} else if (creds_type == "fake") { } else if (creds_type == "fake") {

@ -224,7 +224,7 @@ static int is_metadata_server_reachable() {
/* Takes ownership of creds_path if not NULL. */ /* Takes ownership of creds_path if not NULL. */
static grpc_error_handle create_default_creds_from_path( static grpc_error_handle create_default_creds_from_path(
const std::string& creds_path, const char* user_provided_audience, const std::string& creds_path,
grpc_core::RefCountedPtr<grpc_call_credentials>* creds) { grpc_core::RefCountedPtr<grpc_call_credentials>* creds) {
grpc_auth_json_key key; grpc_auth_json_key key;
grpc_auth_refresh_token token; grpc_auth_refresh_token token;
@ -250,10 +250,9 @@ static grpc_error_handle create_default_creds_from_path(
/* First, try an auth json key. */ /* First, try an auth json key. */
key = grpc_auth_json_key_create_from_json(json); key = grpc_auth_json_key_create_from_json(json);
if (grpc_auth_json_key_is_valid(&key)) { if (grpc_auth_json_key_is_valid(&key)) {
if (user_provided_audience == nullptr) user_provided_audience = "";
result = result =
grpc_service_account_jwt_access_credentials_create_from_auth_json_key( grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
key, grpc_max_auth_token_lifetime(), user_provided_audience); key, grpc_max_auth_token_lifetime());
if (result == nullptr) { if (result == nullptr) {
error = GRPC_ERROR_CREATE_FROM_STATIC_STRING( error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"grpc_service_account_jwt_access_credentials_create_from_auth_json_" "grpc_service_account_jwt_access_credentials_create_from_auth_json_"
@ -307,15 +306,14 @@ static bool metadata_server_available() {
} }
static grpc_core::RefCountedPtr<grpc_call_credentials> make_default_call_creds( static grpc_core::RefCountedPtr<grpc_call_credentials> make_default_call_creds(
const char* user_provided_audience, grpc_error_handle* error) { grpc_error_handle* error) {
grpc_core::RefCountedPtr<grpc_call_credentials> call_creds; grpc_core::RefCountedPtr<grpc_call_credentials> call_creds;
grpc_error_handle err; grpc_error_handle err;
/* First, try the environment variable. */ /* First, try the environment variable. */
char* path_from_env = gpr_getenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR); char* path_from_env = gpr_getenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR);
if (path_from_env != nullptr) { if (path_from_env != nullptr) {
err = create_default_creds_from_path(path_from_env, user_provided_audience, err = create_default_creds_from_path(path_from_env, &call_creds);
&call_creds);
gpr_free(path_from_env); gpr_free(path_from_env);
if (err == GRPC_ERROR_NONE) return call_creds; if (err == GRPC_ERROR_NONE) return call_creds;
*error = grpc_error_add_child(*error, err); *error = grpc_error_add_child(*error, err);
@ -323,8 +321,7 @@ static grpc_core::RefCountedPtr<grpc_call_credentials> make_default_call_creds(
/* Then the well-known file. */ /* Then the well-known file. */
err = create_default_creds_from_path( err = create_default_creds_from_path(
grpc_get_well_known_google_credentials_file_path(), grpc_get_well_known_google_credentials_file_path(), &call_creds);
user_provided_audience, &call_creds);
if (err == GRPC_ERROR_NONE) return call_creds; if (err == GRPC_ERROR_NONE) return call_creds;
*error = grpc_error_add_child(*error, err); *error = grpc_error_add_child(*error, err);
@ -346,8 +343,7 @@ static grpc_core::RefCountedPtr<grpc_call_credentials> make_default_call_creds(
} }
grpc_channel_credentials* grpc_google_default_credentials_create( grpc_channel_credentials* grpc_google_default_credentials_create(
grpc_call_credentials* call_credentials, grpc_call_credentials* call_credentials) {
const char* user_provided_audience) {
grpc_channel_credentials* result = nullptr; grpc_channel_credentials* result = nullptr;
grpc_core::RefCountedPtr<grpc_call_credentials> call_creds(call_credentials); grpc_core::RefCountedPtr<grpc_call_credentials> call_creds(call_credentials);
grpc_error_handle error = GRPC_ERROR_NONE; grpc_error_handle error = GRPC_ERROR_NONE;
@ -357,7 +353,7 @@ grpc_channel_credentials* grpc_google_default_credentials_create(
(call_credentials)); (call_credentials));
if (call_creds == nullptr) { if (call_creds == nullptr) {
call_creds = make_default_call_creds(user_provided_audience, &error); call_creds = make_default_call_creds(&error);
} }
if (call_creds != nullptr) { if (call_creds != nullptr) {
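Review bot: The comment `/* Takes ownership of creds_path if not NULL. */` above `create_default_creds_from_path` does not match the restored signature: `creds_path` is a `const std::string&`, and the caller in `make_default_call_creds` keeps ownership of the original buffer and releases it itself with `gpr_free(path_from_env)` immediately after the call. A reader trusting the comment could add a second release or drop the existing one; `/* creds_path is borrowed for the duration of the call; the caller keeps ownership. */` states what the code actually does. The mismatch predates the revert, but the revert re-touches this signature line, so it is the natural place to correct it.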

@ -42,7 +42,10 @@ using grpc_core::Json;
void grpc_service_account_jwt_access_credentials::reset_cache() { void grpc_service_account_jwt_access_credentials::reset_cache() {
GRPC_MDELEM_UNREF(cached_.jwt_md); GRPC_MDELEM_UNREF(cached_.jwt_md);
cached_.jwt_md = GRPC_MDNULL; cached_.jwt_md = GRPC_MDNULL;
cached_.audience.clear(); if (cached_.service_url != nullptr) {
gpr_free(cached_.service_url);
cached_.service_url = nullptr;
}
cached_.jwt_expiration = gpr_inf_past(GPR_CLOCK_REALTIME); cached_.jwt_expiration = gpr_inf_past(GPR_CLOCK_REALTIME);
} }
@ -59,14 +62,13 @@ bool grpc_service_account_jwt_access_credentials::get_request_metadata(
grpc_closure* /*on_request_metadata*/, grpc_error_handle* error) { grpc_closure* /*on_request_metadata*/, grpc_error_handle* error) {
gpr_timespec refresh_threshold = gpr_time_from_seconds( gpr_timespec refresh_threshold = gpr_time_from_seconds(
GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS, GPR_TIMESPAN); GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS, GPR_TIMESPAN);
absl::string_view audience = user_provided_audience_.empty()
? absl::string_view(context.service_url)
: user_provided_audience_;
/* See if we can return a cached jwt. */ /* See if we can return a cached jwt. */
grpc_mdelem jwt_md = GRPC_MDNULL; grpc_mdelem jwt_md = GRPC_MDNULL;
{ {
gpr_mu_lock(&cache_mu_); gpr_mu_lock(&cache_mu_);
if (!cached_.audience.empty() && cached_.audience == audience && if (cached_.service_url != nullptr &&
strcmp(cached_.service_url, context.service_url) == 0 &&
!GRPC_MDISNULL(cached_.jwt_md) && !GRPC_MDISNULL(cached_.jwt_md) &&
(gpr_time_cmp( (gpr_time_cmp(
gpr_time_sub(cached_.jwt_expiration, gpr_now(GPR_CLOCK_REALTIME)), gpr_time_sub(cached_.jwt_expiration, gpr_now(GPR_CLOCK_REALTIME)),
@ -81,14 +83,14 @@ bool grpc_service_account_jwt_access_credentials::get_request_metadata(
/* Generate a new jwt. */ /* Generate a new jwt. */
gpr_mu_lock(&cache_mu_); gpr_mu_lock(&cache_mu_);
reset_cache(); reset_cache();
jwt = grpc_jwt_encode_and_sign(&key_, audience.data(), jwt_lifetime_, jwt = grpc_jwt_encode_and_sign(&key_, context.service_url, jwt_lifetime_,
nullptr); nullptr);
if (jwt != nullptr) { if (jwt != nullptr) {
std::string md_value = absl::StrCat("Bearer ", jwt); std::string md_value = absl::StrCat("Bearer ", jwt);
gpr_free(jwt); gpr_free(jwt);
cached_.jwt_expiration = cached_.jwt_expiration =
gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), jwt_lifetime_); gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), jwt_lifetime_);
cached_.audience = std::string(audience); cached_.service_url = gpr_strdup(context.service_url);
cached_.jwt_md = grpc_mdelem_from_slices( cached_.jwt_md = grpc_mdelem_from_slices(
grpc_slice_from_static_string(GRPC_AUTHORIZATION_METADATA_KEY), grpc_slice_from_static_string(GRPC_AUTHORIZATION_METADATA_KEY),
grpc_slice_from_cpp_string(std::move(md_value))); grpc_slice_from_cpp_string(std::move(md_value)));
@ -112,12 +114,9 @@ void grpc_service_account_jwt_access_credentials::cancel_get_request_metadata(
} }
grpc_service_account_jwt_access_credentials:: grpc_service_account_jwt_access_credentials::
grpc_service_account_jwt_access_credentials( grpc_service_account_jwt_access_credentials(grpc_auth_json_key key,
grpc_auth_json_key key, gpr_timespec token_lifetime, gpr_timespec token_lifetime)
std::string user_provided_audience) : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_JWT), key_(key) {
: grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_JWT),
key_(key),
user_provided_audience_(std::move(user_provided_audience)) {
gpr_timespec max_token_lifetime = grpc_max_auth_token_lifetime(); gpr_timespec max_token_lifetime = grpc_max_auth_token_lifetime();
if (gpr_time_cmp(token_lifetime, max_token_lifetime) > 0) { if (gpr_time_cmp(token_lifetime, max_token_lifetime) > 0) {
gpr_log(GPR_INFO, gpr_log(GPR_INFO,
@ -132,14 +131,13 @@ grpc_service_account_jwt_access_credentials::
grpc_core::RefCountedPtr<grpc_call_credentials> grpc_core::RefCountedPtr<grpc_call_credentials>
grpc_service_account_jwt_access_credentials_create_from_auth_json_key( grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
grpc_auth_json_key key, gpr_timespec token_lifetime, grpc_auth_json_key key, gpr_timespec token_lifetime) {
std::string user_provided_audience) {
if (!grpc_auth_json_key_is_valid(&key)) { if (!grpc_auth_json_key_is_valid(&key)) {
gpr_log(GPR_ERROR, "Invalid input for jwt credentials creation"); gpr_log(GPR_ERROR, "Invalid input for jwt credentials creation");
return nullptr; return nullptr;
} }
return grpc_core::MakeRefCounted<grpc_service_account_jwt_access_credentials>( return grpc_core::MakeRefCounted<grpc_service_account_jwt_access_credentials>(
key, token_lifetime, std::move(user_provided_audience)); key, token_lifetime);
} }
static char* redact_private_key(const char* json_key) { static char* redact_private_key(const char* json_key) {
@ -154,8 +152,7 @@ static char* redact_private_key(const char* json_key) {
} }
grpc_call_credentials* grpc_service_account_jwt_access_credentials_create( grpc_call_credentials* grpc_service_account_jwt_access_credentials_create(
const char* json_key, gpr_timespec token_lifetime, const char* json_key, gpr_timespec token_lifetime, void* reserved) {
const char* user_provided_audience) {
if (GRPC_TRACE_FLAG_ENABLED(grpc_api_trace)) { if (GRPC_TRACE_FLAG_ENABLED(grpc_api_trace)) {
char* clean_json = redact_private_key(json_key); char* clean_json = redact_private_key(json_key);
gpr_log(GPR_INFO, gpr_log(GPR_INFO,
@ -164,17 +161,15 @@ grpc_call_credentials* grpc_service_account_jwt_access_credentials_create(
"token_lifetime=" "token_lifetime="
"gpr_timespec { tv_sec: %" PRId64 "gpr_timespec { tv_sec: %" PRId64
", tv_nsec: %d, clock_type: %d }, " ", tv_nsec: %d, clock_type: %d }, "
"user_provided_audience=%s)", "reserved=%p)",
clean_json, token_lifetime.tv_sec, token_lifetime.tv_nsec, clean_json, token_lifetime.tv_sec, token_lifetime.tv_nsec,
static_cast<int>(token_lifetime.clock_type), static_cast<int>(token_lifetime.clock_type), reserved);
user_provided_audience);
gpr_free(clean_json); gpr_free(clean_json);
} }
GPR_ASSERT(reserved == nullptr);
grpc_core::ApplicationCallbackExecCtx callback_exec_ctx; grpc_core::ApplicationCallbackExecCtx callback_exec_ctx;
grpc_core::ExecCtx exec_ctx; grpc_core::ExecCtx exec_ctx;
if (user_provided_audience == nullptr) user_provided_audience = "";
return grpc_service_account_jwt_access_credentials_create_from_auth_json_key( return grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
grpc_auth_json_key_create_from_string(json_key), token_lifetime, grpc_auth_json_key_create_from_string(json_key), token_lifetime)
user_provided_audience)
.release(); .release();
} }
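Review bot: The cache-hit condition `cached_.service_url != nullptr && strcmp(cached_.service_url, context.service_url) == 0` null-checks only the cached pointer, while `context.service_url` is dereferenced here and again as the JWT audience in `grpc_jwt_encode_and_sign(&key_, context.service_url, jwt_lifetime_, nullptr)` in the following hunk, so a caller that leaves it unset reaches undefined behaviour rather than a clean error. Whether every caller guarantees a non-null service_url is not visible in this diff; if they do, a comment at the top of the cache block, `// context.service_url is both the JWT audience and the cache key; callers must supply it.`, records the precondition, and if they do not, a `GPR_ASSERT(context.service_url != nullptr)` before taking the lock fails loudly instead of silently. `get_request_metadata` begins before the first of these hunks and continues past the second.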

@ -33,9 +33,8 @@
class grpc_service_account_jwt_access_credentials class grpc_service_account_jwt_access_credentials
: public grpc_call_credentials { : public grpc_call_credentials {
public: public:
grpc_service_account_jwt_access_credentials( grpc_service_account_jwt_access_credentials(grpc_auth_json_key key,
grpc_auth_json_key key, gpr_timespec token_lifetime, gpr_timespec token_lifetime);
std::string user_provided_audience);
~grpc_service_account_jwt_access_credentials() override; ~grpc_service_account_jwt_access_credentials() override;
bool get_request_metadata(grpc_polling_entity* pollent, bool get_request_metadata(grpc_polling_entity* pollent,
@ -49,9 +48,7 @@ class grpc_service_account_jwt_access_credentials
const gpr_timespec& jwt_lifetime() const { return jwt_lifetime_; } const gpr_timespec& jwt_lifetime() const { return jwt_lifetime_; }
const grpc_auth_json_key& key() const { return key_; } const grpc_auth_json_key& key() const { return key_; }
const std::string& user_provided_audience() const {
return user_provided_audience_;
}
std::string debug_string() override { std::string debug_string() override {
return absl::StrFormat( return absl::StrFormat(
"JWTAccessCredentials{ExpirationTime:%s}", "JWTAccessCredentials{ExpirationTime:%s}",
@ -63,24 +60,22 @@ class grpc_service_account_jwt_access_credentials
void reset_cache(); void reset_cache();
// Have a simple cache for now with just 1 entry. We could have a map based on // Have a simple cache for now with just 1 entry. We could have a map based on
// the audience for a more sophisticated one. // the service_url for a more sophisticated one.
gpr_mu cache_mu_; gpr_mu cache_mu_;
struct { struct {
grpc_mdelem jwt_md = GRPC_MDNULL; grpc_mdelem jwt_md = GRPC_MDNULL;
std::string audience; char* service_url = nullptr;
gpr_timespec jwt_expiration; gpr_timespec jwt_expiration;
} cached_; } cached_;
grpc_auth_json_key key_; grpc_auth_json_key key_;
gpr_timespec jwt_lifetime_; gpr_timespec jwt_lifetime_;
std::string user_provided_audience_;
}; };
// Private constructor for jwt credentials from an already parsed json key. // Private constructor for jwt credentials from an already parsed json key.
// Takes ownership of the key. // Takes ownership of the key.
grpc_core::RefCountedPtr<grpc_call_credentials> grpc_core::RefCountedPtr<grpc_call_credentials>
grpc_service_account_jwt_access_credentials_create_from_auth_json_key( grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
grpc_auth_json_key key, gpr_timespec token_lifetime, grpc_auth_json_key key, gpr_timespec token_lifetime);
std::string user_provided_audience);
#endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_JWT_JWT_CREDENTIALS_H */ #endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_JWT_JWT_CREDENTIALS_H */
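Review bot: `char* service_url = nullptr;` in `cached_` is a manually owned string — the .cc side fills it with `gpr_strdup` and releases it in `reset_cache()` — but nothing in the header says so, even though the file already documents ownership for the key (`// Takes ownership of the key.`). A field comment, `char* service_url = nullptr;  // owned; set via gpr_strdup when a token is cached, released in reset_cache()`, records that contract, and `gpr_mu cache_mu_;  // guards cached_` does the same for the lock, which the .cc takes around every access shown in this diff. The class definition starts before this hunk.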

@ -103,14 +103,10 @@ std::shared_ptr<CallCredentials> WrapCallCredentials(
} }
} // namespace } // namespace
std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials( std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials() {
const grpc::string& user_provided_audience) {
grpc::GrpcLibraryCodegen init; // To call grpc_init(). grpc::GrpcLibraryCodegen init; // To call grpc_init().
return internal::WrapChannelCredentials( return internal::WrapChannelCredentials(
grpc_google_default_credentials_create( grpc_google_default_credentials_create(nullptr));
nullptr, user_provided_audience.empty()
? nullptr
: user_provided_audience.c_str()));
} }
std::shared_ptr<CallCredentials> ExternalAccountCredentials( std::shared_ptr<CallCredentials> ExternalAccountCredentials(
@ -324,8 +320,7 @@ std::shared_ptr<CallCredentials> GoogleComputeEngineCredentials() {
// Builds JWT credentials. // Builds JWT credentials.
std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials( std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials(
const std::string& json_key, long token_lifetime_seconds, const std::string& json_key, long token_lifetime_seconds) {
const grpc::string& user_provided_audience) {
grpc::GrpcLibraryCodegen init; // To call grpc_init(). grpc::GrpcLibraryCodegen init; // To call grpc_init().
if (token_lifetime_seconds <= 0) { if (token_lifetime_seconds <= 0) {
gpr_log(GPR_ERROR, gpr_log(GPR_ERROR,
@ -335,9 +330,7 @@ std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials(
gpr_timespec lifetime = gpr_timespec lifetime =
gpr_time_from_seconds(token_lifetime_seconds, GPR_TIMESPAN); gpr_time_from_seconds(token_lifetime_seconds, GPR_TIMESPAN);
return WrapCallCredentials(grpc_service_account_jwt_access_credentials_create( return WrapCallCredentials(grpc_service_account_jwt_access_credentials_create(
json_key.c_str(), lifetime, json_key.c_str(), lifetime, nullptr));
user_provided_audience.empty() ? nullptr
: user_provided_audience.c_str()));
} }
// Builds refresh token credentials. // Builds refresh token credentials.

@ -131,7 +131,7 @@ PHP_METHOD(ChannelCredentials, invalidateDefaultRootsPem) {
* @return ChannelCredentials The new default channel credentials object * @return ChannelCredentials The new default channel credentials object
*/ */
PHP_METHOD(ChannelCredentials, createDefault) { PHP_METHOD(ChannelCredentials, createDefault) {
grpc_channel_credentials *creds = grpc_google_default_credentials_create(NULL, NULL); grpc_channel_credentials *creds = grpc_google_default_credentials_create(NULL);
zval *creds_object = grpc_php_wrap_channel_credentials(creds, NULL, false zval *creds_object = grpc_php_wrap_channel_credentials(creds, NULL, false
TSRMLS_CC); TSRMLS_CC);
RETURN_DESTROY_ZVAL(creds_object); RETURN_DESTROY_ZVAL(creds_object);

@ -434,7 +434,7 @@ cdef class ComputeEngineChannelCredentials(ChannelCredentials):
raise ValueError("Call credentials may not be NULL.") raise ValueError("Call credentials may not be NULL.")
cdef grpc_channel_credentials *c(self) except *: cdef grpc_channel_credentials *c(self) except *:
self._c_creds = grpc_google_default_credentials_create(self._call_creds, NULL) self._c_creds = grpc_google_default_credentials_create(self._call_creds)
return self._c_creds return self._c_creds

@ -525,7 +525,7 @@ cdef extern from "grpc/grpc_security.h":
void grpc_set_ssl_roots_override_callback( void grpc_set_ssl_roots_override_callback(
grpc_ssl_roots_override_callback cb) nogil grpc_ssl_roots_override_callback cb) nogil
grpc_channel_credentials *grpc_google_default_credentials_create(grpc_call_credentials* call_credentials, const char *user_provided_audience) nogil grpc_channel_credentials *grpc_google_default_credentials_create(grpc_call_credentials* call_credentials) nogil
grpc_channel_credentials *grpc_ssl_credentials_create( grpc_channel_credentials *grpc_ssl_credentials_create(
const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pair, const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pair,
verify_peer_options *verify_options, void *reserved) nogil verify_peer_options *verify_options, void *reserved) nogil
@ -551,7 +551,7 @@ cdef extern from "grpc/grpc_security.h":
void *reserved) nogil void *reserved) nogil
grpc_call_credentials *grpc_service_account_jwt_access_credentials_create( grpc_call_credentials *grpc_service_account_jwt_access_credentials_create(
const char *json_key, const char *json_key,
gpr_timespec token_lifetime, const char* user_provided_audience) nogil gpr_timespec token_lifetime, void *reserved) nogil
grpc_call_credentials *grpc_google_refresh_token_credentials_create( grpc_call_credentials *grpc_google_refresh_token_credentials_create(
const char *json_refresh_token, void *reserved) nogil const char *json_refresh_token, void *reserved) nogil
grpc_call_credentials *grpc_google_iam_credentials_create( grpc_call_credentials *grpc_google_iam_credentials_create(

@ -353,7 +353,7 @@ extern grpc_call_credentials_release_type grpc_call_credentials_release_import;
typedef void(*grpc_channel_credentials_release_type)(grpc_channel_credentials* creds); typedef void(*grpc_channel_credentials_release_type)(grpc_channel_credentials* creds);
extern grpc_channel_credentials_release_type grpc_channel_credentials_release_import; extern grpc_channel_credentials_release_type grpc_channel_credentials_release_import;
#define grpc_channel_credentials_release grpc_channel_credentials_release_import #define grpc_channel_credentials_release grpc_channel_credentials_release_import
typedef grpc_channel_credentials*(*grpc_google_default_credentials_create_type)(grpc_call_credentials* call_credentials, const char* user_provided_audience); typedef grpc_channel_credentials*(*grpc_google_default_credentials_create_type)(grpc_call_credentials* call_credentials);
extern grpc_google_default_credentials_create_type grpc_google_default_credentials_create_import; extern grpc_google_default_credentials_create_type grpc_google_default_credentials_create_import;
#define grpc_google_default_credentials_create grpc_google_default_credentials_create_import #define grpc_google_default_credentials_create grpc_google_default_credentials_create_import
typedef void(*grpc_set_ssl_roots_override_callback_type)(grpc_ssl_roots_override_callback cb); typedef void(*grpc_set_ssl_roots_override_callback_type)(grpc_ssl_roots_override_callback cb);
@ -377,7 +377,7 @@ extern grpc_google_compute_engine_credentials_create_type grpc_google_compute_en
typedef gpr_timespec(*grpc_max_auth_token_lifetime_type)(void); typedef gpr_timespec(*grpc_max_auth_token_lifetime_type)(void);
extern grpc_max_auth_token_lifetime_type grpc_max_auth_token_lifetime_import; extern grpc_max_auth_token_lifetime_type grpc_max_auth_token_lifetime_import;
#define grpc_max_auth_token_lifetime grpc_max_auth_token_lifetime_import #define grpc_max_auth_token_lifetime grpc_max_auth_token_lifetime_import
typedef grpc_call_credentials*(*grpc_service_account_jwt_access_credentials_create_type)(const char* json_key, gpr_timespec token_lifetime, const char* user_provided_audience); typedef grpc_call_credentials*(*grpc_service_account_jwt_access_credentials_create_type)(const char* json_key, gpr_timespec token_lifetime, void* reserved);
extern grpc_service_account_jwt_access_credentials_create_type grpc_service_account_jwt_access_credentials_create_import; extern grpc_service_account_jwt_access_credentials_create_type grpc_service_account_jwt_access_credentials_create_import;
#define grpc_service_account_jwt_access_credentials_create grpc_service_account_jwt_access_credentials_create_import #define grpc_service_account_jwt_access_credentials_create grpc_service_account_jwt_access_credentials_create_import
typedef grpc_call_credentials*(*grpc_external_account_credentials_create_type)(const char* json_string, const char* scopes_string); typedef grpc_call_credentials*(*grpc_external_account_credentials_create_type)(const char* json_string, const char* scopes_string);

@ -129,9 +129,6 @@ static const char test_signed_jwt_token_type[] =
static const char test_signed_jwt2[] = static const char test_signed_jwt2[] =
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImY0OTRkN2M1YWU2MGRmOTcyNmM5YW" "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImY0OTRkN2M1YWU2MGRmOTcyNmM5YW"
"U2MDcyZTViYTdnZDkwODg5YzcifQ"; "U2MDcyZTViYTdnZDkwODg5YzcifQ";
static const char test_signed_jwt3[] =
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImY0OTRkN2M1YWU2MGRmOTcyNmM6YW"
"U3MDcyZTViYTdnZDkwODg5YzcifQ";
static const char test_signed_jwt_token_type2[] = static const char test_signed_jwt_token_type2[] =
"urn:ietf:params:oauth:token-type:jwt"; "urn:ietf:params:oauth:token-type:jwt";
static const char test_signed_jwt_path_prefix[] = "test_sign_jwt"; static const char test_signed_jwt_path_prefix[] = "test_sign_jwt";
@ -139,8 +136,6 @@ static const char test_signed_jwt_path_prefix[] = "test_sign_jwt";
static const char test_service_url[] = "https://foo.com/foo.v1"; static const char test_service_url[] = "https://foo.com/foo.v1";
static const char other_test_service_url[] = "https://bar.com/bar.v1"; static const char other_test_service_url[] = "https://bar.com/bar.v1";
static const char test_user_provided_audience[] = "https://baz.com/baz.v2";
static const char test_sts_endpoint_url[] = static const char test_sts_endpoint_url[] =
"https://foo.com:5555/v1/token-exchange"; "https://foo.com:5555/v1/token-exchange";
@ -1301,16 +1296,6 @@ static char* encode_and_sign_jwt_success(const grpc_auth_json_key* json_key,
return gpr_strdup(test_signed_jwt); return gpr_strdup(test_signed_jwt);
} }
static char* encode_and_sign_jwt_user_provided_audience_success(
const grpc_auth_json_key* json_key, const char* audience,
gpr_timespec token_lifetime, const char* scope) {
if (strcmp(audience, test_user_provided_audience) == 0) {
validate_jwt_encode_and_sign_params(json_key, scope, token_lifetime);
return gpr_strdup(test_signed_jwt3);
}
return nullptr;
}
static char* encode_and_sign_jwt_failure(const grpc_auth_json_key* json_key, static char* encode_and_sign_jwt_failure(const grpc_auth_json_key* json_key,
const char* /*audience*/, const char* /*audience*/,
gpr_timespec token_lifetime, gpr_timespec token_lifetime,
@ -1423,56 +1408,6 @@ static void test_jwt_creds_success(void) {
grpc_jwt_encode_and_sign_set_override(nullptr); grpc_jwt_encode_and_sign_set_override(nullptr);
} }
static void test_jwt_creds_user_provided_audience_success(void) {
const char expected_creds_debug_string_prefix[] =
"JWTAccessCredentials{ExpirationTime:";
char* json_key_string = test_json_key_str();
grpc_core::ExecCtx exec_ctx;
grpc_auth_metadata_context auth_md_ctx = {test_user_provided_audience,
test_method, nullptr, nullptr};
std::string expected_md_value = absl::StrCat("Bearer ", test_signed_jwt3);
expected_md emd[] = {{"authorization", expected_md_value.c_str()}};
grpc_call_credentials* creds =
grpc_service_account_jwt_access_credentials_create(
json_key_string, grpc_max_auth_token_lifetime(),
test_user_provided_audience);
/* First request: jwt_encode_and_sign should be called. */
request_metadata_state* state =
make_request_metadata_state(GRPC_ERROR_NONE, emd, GPR_ARRAY_SIZE(emd));
grpc_jwt_encode_and_sign_set_override(
encode_and_sign_jwt_user_provided_audience_success);
run_request_metadata_test(creds, auth_md_ctx, state);
grpc_core::ExecCtx::Get()->Flush();
/* Second request: the cached token should be served directly. */
state =
make_request_metadata_state(GRPC_ERROR_NONE, emd, GPR_ARRAY_SIZE(emd));
grpc_jwt_encode_and_sign_set_override(
encode_and_sign_jwt_should_not_be_called);
run_request_metadata_test(creds, auth_md_ctx, state);
grpc_core::ExecCtx::Get()->Flush();
/* Third request: If service url is provided, it should keep using
* user_provided_audience and the cached token should be served.
*/
state =
make_request_metadata_state(GRPC_ERROR_NONE, emd, GPR_ARRAY_SIZE(emd));
auth_md_ctx.service_url = test_service_url;
grpc_jwt_encode_and_sign_set_override(
encode_and_sign_jwt_should_not_be_called);
run_request_metadata_test(creds, auth_md_ctx, state);
grpc_core::ExecCtx::Get()->Flush();
GPR_ASSERT(strncmp(expected_creds_debug_string_prefix,
creds->debug_string().c_str(),
strlen(expected_creds_debug_string_prefix)) == 0);
creds->Unref();
gpr_free(json_key_string);
grpc_jwt_encode_and_sign_set_override(nullptr);
}
static void test_jwt_creds_signing_failure(void) { static void test_jwt_creds_signing_failure(void) {
const char expected_creds_debug_string_prefix[] = const char expected_creds_debug_string_prefix[] =
"JWTAccessCredentials{ExpirationTime:"; "JWTAccessCredentials{ExpirationTime:";
@ -1529,7 +1464,7 @@ static void test_google_default_creds_auth_key(void) {
"json_key_google_default_creds", json_key); "json_key_google_default_creds", json_key);
gpr_free(json_key); gpr_free(json_key);
creds = reinterpret_cast<grpc_composite_channel_credentials*>( creds = reinterpret_cast<grpc_composite_channel_credentials*>(
grpc_google_default_credentials_create(nullptr, nullptr)); grpc_google_default_credentials_create(nullptr));
auto* default_creds = auto* default_creds =
reinterpret_cast<const grpc_google_default_channel_credentials*>( reinterpret_cast<const grpc_google_default_channel_credentials*>(
creds->inner_creds()); creds->inner_creds());
@ -1553,7 +1488,7 @@ static void test_google_default_creds_refresh_token(void) {
set_google_default_creds_env_var_with_file_contents( set_google_default_creds_env_var_with_file_contents(
"refresh_token_google_default_creds", test_refresh_token_str); "refresh_token_google_default_creds", test_refresh_token_str);
creds = reinterpret_cast<grpc_composite_channel_credentials*>( creds = reinterpret_cast<grpc_composite_channel_credentials*>(
grpc_google_default_credentials_create(nullptr, nullptr)); grpc_google_default_credentials_create(nullptr));
auto* default_creds = auto* default_creds =
reinterpret_cast<const grpc_google_default_channel_credentials*>( reinterpret_cast<const grpc_google_default_channel_credentials*>(
creds->inner_creds()); creds->inner_creds());
@ -1604,7 +1539,7 @@ static void test_google_default_creds_gce(void) {
/* Simulate a successful detection of GCE. */ /* Simulate a successful detection of GCE. */
grpc_composite_channel_credentials* creds = grpc_composite_channel_credentials* creds =
reinterpret_cast<grpc_composite_channel_credentials*>( reinterpret_cast<grpc_composite_channel_credentials*>(
grpc_google_default_credentials_create(nullptr, nullptr)); grpc_google_default_credentials_create(nullptr));
/* Verify that the default creds actually embeds a GCE creds. */ /* Verify that the default creds actually embeds a GCE creds. */
GPR_ASSERT(creds != nullptr); GPR_ASSERT(creds != nullptr);
@ -1622,49 +1557,6 @@ static void test_google_default_creds_gce(void) {
grpc_override_well_known_credentials_path_getter(nullptr); grpc_override_well_known_credentials_path_getter(nullptr);
} }
static void test_google_default_creds_user_provided_audience(void) {
grpc_core::ExecCtx exec_ctx;
grpc_composite_channel_credentials* creds;
char* json_key = test_json_key_str();
grpc_flush_cached_google_default_credentials();
set_gce_tenancy_checker_for_testing(test_gce_tenancy_checker);
g_test_gce_tenancy_checker_called = false;
g_test_is_on_gce = true;
set_google_default_creds_env_var_with_file_contents(
"json_key_google_default_creds", json_key);
gpr_free(json_key);
creds = reinterpret_cast<grpc_composite_channel_credentials*>(
grpc_google_default_credentials_create(nullptr,
test_user_provided_audience));
auto* default_creds =
reinterpret_cast<const grpc_google_default_channel_credentials*>(
creds->inner_creds());
GPR_ASSERT(default_creds->ssl_creds() != nullptr);
grpc_auth_metadata_context auth_md_ctx = {test_user_provided_audience,
test_method, nullptr, nullptr};
std::string expected_md_value = absl::StrCat("Bearer ", test_signed_jwt3);
expected_md emd[] = {{"authorization", expected_md_value.c_str()}};
request_metadata_state* state =
make_request_metadata_state(GRPC_ERROR_NONE, emd, GPR_ARRAY_SIZE(emd));
grpc_jwt_encode_and_sign_set_override(
encode_and_sign_jwt_user_provided_audience_success);
run_request_metadata_test(
const_cast<grpc_call_credentials*>(creds->call_creds()), auth_md_ctx,
state);
grpc_core::ExecCtx::Get()->Flush();
auto* jwt =
reinterpret_cast<const grpc_service_account_jwt_access_credentials*>(
creds->call_creds());
GPR_ASSERT(
strcmp(jwt->key().client_id,
"777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent.com") ==
0);
GPR_ASSERT(g_test_gce_tenancy_checker_called == false);
creds->Unref();
gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); /* Reset. */
}
static void test_google_default_creds_non_gce(void) { static void test_google_default_creds_non_gce(void) {
grpc_core::ExecCtx exec_ctx; grpc_core::ExecCtx exec_ctx;
expected_md emd[] = { expected_md emd[] = {
@ -1686,7 +1578,7 @@ static void test_google_default_creds_non_gce(void) {
httpcli_post_should_not_be_called); httpcli_post_should_not_be_called);
grpc_composite_channel_credentials* creds = grpc_composite_channel_credentials* creds =
reinterpret_cast<grpc_composite_channel_credentials*>( reinterpret_cast<grpc_composite_channel_credentials*>(
grpc_google_default_credentials_create(nullptr, nullptr)); grpc_google_default_credentials_create(nullptr));
/* Verify that the default creds actually embeds a GCE creds. */ /* Verify that the default creds actually embeds a GCE creds. */
GPR_ASSERT(creds != nullptr); GPR_ASSERT(creds != nullptr);
GPR_ASSERT(creds->call_creds() != nullptr); GPR_ASSERT(creds->call_creds() != nullptr);
@ -1724,12 +1616,10 @@ static void test_no_google_default_creds(void) {
default_creds_gce_detection_httpcli_get_failure_override, default_creds_gce_detection_httpcli_get_failure_override,
httpcli_post_should_not_be_called); httpcli_post_should_not_be_called);
/* Simulate a successful detection of GCE. */ /* Simulate a successful detection of GCE. */
GPR_ASSERT(grpc_google_default_credentials_create(nullptr, nullptr) == GPR_ASSERT(grpc_google_default_credentials_create(nullptr) == nullptr);
nullptr);
/* Try a second one. GCE detection should occur again. */ /* Try a second one. GCE detection should occur again. */
g_test_gce_tenancy_checker_called = false; g_test_gce_tenancy_checker_called = false;
GPR_ASSERT(grpc_google_default_credentials_create(nullptr, nullptr) == GPR_ASSERT(grpc_google_default_credentials_create(nullptr) == nullptr);
nullptr);
GPR_ASSERT(g_test_gce_tenancy_checker_called == true); GPR_ASSERT(g_test_gce_tenancy_checker_called == true);
/* Cleanup. */ /* Cleanup. */
grpc_override_well_known_credentials_path_getter(nullptr); grpc_override_well_known_credentials_path_getter(nullptr);
@ -1755,7 +1645,7 @@ static void test_google_default_creds_call_creds_specified(void) {
httpcli_post_should_not_be_called); httpcli_post_should_not_be_called);
grpc_composite_channel_credentials* channel_creds = grpc_composite_channel_credentials* channel_creds =
reinterpret_cast<grpc_composite_channel_credentials*>( reinterpret_cast<grpc_composite_channel_credentials*>(
grpc_google_default_credentials_create(call_creds, nullptr)); grpc_google_default_credentials_create(call_creds));
GPR_ASSERT(g_test_gce_tenancy_checker_called == false); GPR_ASSERT(g_test_gce_tenancy_checker_called == false);
GPR_ASSERT(channel_creds != nullptr); GPR_ASSERT(channel_creds != nullptr);
GPR_ASSERT(channel_creds->call_creds() != nullptr); GPR_ASSERT(channel_creds->call_creds() != nullptr);
@ -1814,8 +1704,7 @@ static void test_google_default_creds_not_default(void) {
httpcli_post_should_not_be_called); httpcli_post_should_not_be_called);
grpc_composite_channel_credentials* channel_creds = grpc_composite_channel_credentials* channel_creds =
reinterpret_cast<grpc_composite_channel_credentials*>( reinterpret_cast<grpc_composite_channel_credentials*>(
grpc_google_default_credentials_create(call_creds.release(), grpc_google_default_credentials_create(call_creds.release()));
nullptr));
GPR_ASSERT(g_test_gce_tenancy_checker_called == false); GPR_ASSERT(g_test_gce_tenancy_checker_called == false);
GPR_ASSERT(channel_creds != nullptr); GPR_ASSERT(channel_creds != nullptr);
GPR_ASSERT(channel_creds->call_creds() != nullptr); GPR_ASSERT(channel_creds->call_creds() != nullptr);
@ -3501,14 +3390,12 @@ int main(int argc, char** argv) {
test_sts_creds_token_file_not_found(); test_sts_creds_token_file_not_found();
test_jwt_creds_lifetime(); test_jwt_creds_lifetime();
test_jwt_creds_success(); test_jwt_creds_success();
test_jwt_creds_user_provided_audience_success();
test_jwt_creds_signing_failure(); test_jwt_creds_signing_failure();
test_google_default_creds_auth_key(); test_google_default_creds_auth_key();
test_google_default_creds_refresh_token(); test_google_default_creds_refresh_token();
test_google_default_creds_gce(); test_google_default_creds_gce();
test_google_default_creds_non_gce(); test_google_default_creds_non_gce();
test_no_google_default_creds(); test_no_google_default_creds();
test_google_default_creds_user_provided_audience();
test_google_default_creds_call_creds_specified(); test_google_default_creds_call_creds_specified();
test_google_default_creds_not_default(); test_google_default_creds_not_default();
test_metadata_plugin_success(); test_metadata_plugin_success();
