Adding refresh token credentials.

- The google default credentials now work with the cloud SDK.
- Verified end to end with print_default_credentials and fetch_oauth2
  tools.
pull/983/head
Julien Boeuf 10 years ago
parent 3371cdf918
commit 9835cf0234
  1. 9
      include/grpc/grpc_security.h
  2. 79
      src/core/security/credentials.c
  3. 16
      src/core/security/credentials.h
  4. 19
      src/core/security/google_default_credentials.c
  5. 102
      test/core/security/credentials_test.c
  6. 75
      test/core/security/fetch_oauth2.c

@ -117,6 +117,15 @@ grpc_credentials *grpc_service_account_credentials_create(
grpc_credentials *grpc_jwt_credentials_create(const char *json_key, grpc_credentials *grpc_jwt_credentials_create(const char *json_key,
gpr_timespec token_lifetime); gpr_timespec token_lifetime);
/* Creates an Oauth2 Refresh Token crednetials object. May return NULL if the
input is invalid.
WARNING: Do NOT use this credentials to connect to a non-google service as
this could result in an oauth2 token leak.
- json_refresh_token is the JSON string containing the refresh token itself
along with a client_id and client_secret. */
grpc_credentials *grpc_refresh_token_credentials_create(
const char *json_refresh_token);
/* Creates a fake transport security credentials object for testing. */ /* Creates a fake transport security credentials object for testing. */
grpc_credentials *grpc_fake_transport_security_credentials_create(void); grpc_credentials *grpc_fake_transport_security_credentials_create(void);

@ -46,20 +46,6 @@
#include <grpc/support/sync.h> #include <grpc/support/sync.h>
#include <grpc/support/time.h> #include <grpc/support/time.h>
/* -- Constants. -- */
#define GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS 60
#define GRPC_COMPUTE_ENGINE_METADATA_HOST "metadata"
#define GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH \
"/computeMetadata/v1/instance/service-accounts/default/token"
#define GRPC_SERVICE_ACCOUNT_HOST "www.googleapis.com"
#define GRPC_SERVICE_ACCOUNT_TOKEN_PATH "/oauth2/v3/token"
#define GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX \
"grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&" \
"assertion="
/* -- Common. -- */ /* -- Common. -- */
typedef struct { typedef struct {
@ -671,8 +657,8 @@ static void service_account_fetch_oauth2(
} }
gpr_asprintf(&body, "%s%s", GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX, jwt); gpr_asprintf(&body, "%s%s", GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX, jwt);
memset(&request, 0, sizeof(grpc_httpcli_request)); memset(&request, 0, sizeof(grpc_httpcli_request));
request.host = GRPC_SERVICE_ACCOUNT_HOST; request.host = GRPC_GOOGLE_OAUTH2_SERVICE_HOST;
request.path = GRPC_SERVICE_ACCOUNT_TOKEN_PATH; request.path = GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH;
request.hdr_count = 1; request.hdr_count = 1;
request.hdrs = &header; request.hdrs = &header;
request.use_ssl = 1; request.use_ssl = 1;
@ -703,6 +689,67 @@ grpc_credentials *grpc_service_account_credentials_create(
return &c->base.base; return &c->base.base;
} }
/* -- RefreshToken credentials. -- */
typedef struct {
grpc_oauth2_token_fetcher_credentials base;
grpc_auth_refresh_token refresh_token;
} grpc_refresh_token_credentials;
static void refresh_token_destroy(grpc_credentials *creds) {
grpc_refresh_token_credentials *c =
(grpc_refresh_token_credentials *)creds;
grpc_auth_refresh_token_destruct(&c->refresh_token);
oauth2_token_fetcher_destroy(&c->base.base);
}
static grpc_credentials_vtable refresh_token_vtable = {
refresh_token_destroy, oauth2_token_fetcher_has_request_metadata,
oauth2_token_fetcher_has_request_metadata_only,
oauth2_token_fetcher_get_request_metadata};
static void refresh_token_fetch_oauth2(
grpc_credentials_metadata_request *metadata_req,
grpc_httpcli_response_cb response_cb, gpr_timespec deadline) {
grpc_refresh_token_credentials *c =
(grpc_refresh_token_credentials *)metadata_req->creds;
grpc_httpcli_header header = {"Content-Type",
"application/x-www-form-urlencoded"};
grpc_httpcli_request request;
char *body = NULL;
gpr_asprintf(&body, GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING,
c->refresh_token.client_id, c->refresh_token.client_secret,
c->refresh_token.refresh_token);
memset(&request, 0, sizeof(grpc_httpcli_request));
request.host = GRPC_GOOGLE_OAUTH2_SERVICE_HOST;
request.path = GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH;
request.hdr_count = 1;
request.hdrs = &header;
request.use_ssl = 1;
grpc_httpcli_post(&request, body, strlen(body), deadline, response_cb,
metadata_req);
gpr_free(body);
}
grpc_credentials *grpc_refresh_token_credentials_create(
const char *json_refresh_token) {
grpc_refresh_token_credentials *c;
grpc_auth_refresh_token refresh_token =
grpc_auth_refresh_token_create_from_string(json_refresh_token);
if (!grpc_auth_refresh_token_is_valid(&refresh_token)) {
gpr_log(GPR_ERROR,
"Invalid input for refresh token credentials creation");
return NULL;
}
c = gpr_malloc(sizeof(grpc_refresh_token_credentials));
memset(c, 0, sizeof(grpc_refresh_token_credentials));
init_oauth2_token_fetcher(&c->base, refresh_token_fetch_oauth2);
c->base.base.vtable = &refresh_token_vtable;
c->refresh_token = refresh_token;
return &c->base.base;
}
/* -- Fake Oauth2 credentials. -- */ /* -- Fake Oauth2 credentials. -- */
typedef struct { typedef struct {

@ -64,6 +64,22 @@ typedef enum {
#define GRPC_GOOGLE_WELL_KNOWN_CREDENTIALS_FILE \ #define GRPC_GOOGLE_WELL_KNOWN_CREDENTIALS_FILE \
"application_default_credentials.json" "application_default_credentials.json"
#define GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS 60
#define GRPC_COMPUTE_ENGINE_METADATA_HOST "metadata"
#define GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH \
"/computeMetadata/v1/instance/service-accounts/default/token"
#define GRPC_GOOGLE_OAUTH2_SERVICE_HOST "www.googleapis.com"
#define GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH "/oauth2/v3/token"
#define GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX \
"grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&" \
"assertion="
#define GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING \
"client_id=%s&client_secret=%s&refresh_token=%s&grant_type=refresh_token"
/* --- grpc_credentials. --- */ /* --- grpc_credentials. --- */
/* It is the caller's responsibility to gpr_free the result if not NULL. */ /* It is the caller's responsibility to gpr_free the result if not NULL. */

@ -138,6 +138,23 @@ static grpc_credentials *create_jwt_creds_from_path(char *creds_path) {
return result; return result;
} }
/* Takes ownership of creds_path if not NULL. */
static grpc_credentials *create_refresh_token_creds_from_path(
char *creds_path) {
grpc_credentials *result = NULL;
gpr_slice creds_data;
int file_ok = 0;
if (creds_path == NULL) return NULL;
creds_data = gpr_load_file(creds_path, &file_ok);
gpr_free(creds_path);
if (file_ok) {
result = grpc_refresh_token_credentials_create(
(const char *)GPR_SLICE_START_PTR(creds_data));
gpr_slice_unref(creds_data);
}
return result;
}
grpc_credentials *grpc_google_default_credentials_create(void) { grpc_credentials *grpc_google_default_credentials_create(void) {
grpc_credentials *result = NULL; grpc_credentials *result = NULL;
int serving_cached_credentials = 0; int serving_cached_credentials = 0;
@ -157,7 +174,7 @@ grpc_credentials *grpc_google_default_credentials_create(void) {
if (result != NULL) goto end; if (result != NULL) goto end;
/* Then the well-known file. */ /* Then the well-known file. */
result = create_jwt_creds_from_path( result = create_refresh_token_creds_from_path(
grpc_get_well_known_google_credentials_file_path()); grpc_get_well_known_google_credentials_file_path());
if (result != NULL) goto end; if (result != NULL) goto end;

@ -84,6 +84,13 @@ static const char test_json_key_str_part3[] =
"\"777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent." "\"777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent."
"com\", \"type\": \"service_account\" }"; "com\", \"type\": \"service_account\" }";
/* Test refresh token. */
static const char test_refresh_token_str[] =
"{ \"client_id\": \"32555999999.apps.googleusercontent.com\","
" \"client_secret\": \"EmssLNjJy1332hD4KFsecret\","
" \"refresh_token\": \"1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42\","
" \"type\": \"authorized_user\"}";
static const char valid_oauth2_json_response[] = static const char valid_oauth2_json_response[] =
"{\"access_token\":\"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_\"," "{\"access_token\":\"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_\","
" \"expires_in\":3599, " " \"expires_in\":3599, "
@ -97,10 +104,6 @@ static const char test_signed_jwt[] =
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImY0OTRkN2M1YWU2MGRmOTcyNmM4YW" "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImY0OTRkN2M1YWU2MGRmOTcyNmM4YW"
"U0MDcyZTViYTdmZDkwODg2YzcifQ"; "U0MDcyZTViYTdmZDkwODg2YzcifQ";
static const char expected_service_account_http_body_prefix[] =
"grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&"
"assertion=";
static const char test_service_url[] = "https://foo.com/foo.v1"; static const char test_service_url[] = "https://foo.com/foo.v1";
static const char other_test_service_url[] = "https://bar.com/bar.v1"; static const char other_test_service_url[] = "https://bar.com/bar.v1";
@ -463,6 +466,87 @@ static void test_compute_engine_creds_failure(void) {
grpc_httpcli_set_override(NULL, NULL); grpc_httpcli_set_override(NULL, NULL);
} }
static void validate_refresh_token_http_request(
const grpc_httpcli_request *request, const char *body, size_t body_size) {
/* The content of the assertion is tested extensively in json_token_test. */
char *expected_body = NULL;
GPR_ASSERT(body != NULL);
GPR_ASSERT(body_size != 0);
gpr_asprintf(&expected_body, GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING,
"32555999999.apps.googleusercontent.com",
"EmssLNjJy1332hD4KFsecret",
"1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42");
GPR_ASSERT(strlen(expected_body) == body_size);
GPR_ASSERT(memcmp(expected_body, body, body_size) == 0);
gpr_free(expected_body);
GPR_ASSERT(request->use_ssl);
GPR_ASSERT(strcmp(request->host, GRPC_GOOGLE_OAUTH2_SERVICE_HOST) == 0);
GPR_ASSERT(strcmp(request->path, GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH) == 0);
GPR_ASSERT(request->hdr_count == 1);
GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0);
GPR_ASSERT(strcmp(request->hdrs[0].value,
"application/x-www-form-urlencoded") == 0);
}
static int refresh_token_httpcli_post_success(
const grpc_httpcli_request *request, const char *body, size_t body_size,
gpr_timespec deadline, grpc_httpcli_response_cb on_response,
void *user_data) {
grpc_httpcli_response response =
http_response(200, valid_oauth2_json_response);
validate_refresh_token_http_request(request, body, body_size);
on_response(user_data, &response);
return 1;
}
static int refresh_token_httpcli_post_failure(
const grpc_httpcli_request *request, const char *body, size_t body_size,
gpr_timespec deadline, grpc_httpcli_response_cb on_response,
void *user_data) {
grpc_httpcli_response response = http_response(403, "Not Authorized.");
validate_refresh_token_http_request(request, body, body_size);
on_response(user_data, &response);
return 1;
}
static void test_refresh_token_creds_success(void) {
grpc_credentials *refresh_token_creds =
grpc_refresh_token_credentials_create(test_refresh_token_str);
GPR_ASSERT(grpc_credentials_has_request_metadata(refresh_token_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(refresh_token_creds));
/* First request: http get should be called. */
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
refresh_token_httpcli_post_success);
grpc_credentials_get_request_metadata(refresh_token_creds, test_service_url,
on_oauth2_creds_get_metadata_success,
(void *)test_user_data);
/* Second request: the cached token should be served directly. */
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
httpcli_post_should_not_be_called);
grpc_credentials_get_request_metadata(refresh_token_creds, test_service_url,
on_oauth2_creds_get_metadata_success,
(void *)test_user_data);
grpc_credentials_unref(refresh_token_creds);
grpc_httpcli_set_override(NULL, NULL);
}
static void test_refresh_token_creds_failure(void) {
grpc_credentials *refresh_token_creds =
grpc_refresh_token_credentials_create(test_refresh_token_str);
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
refresh_token_httpcli_post_failure);
GPR_ASSERT(grpc_credentials_has_request_metadata(refresh_token_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(refresh_token_creds));
grpc_credentials_get_request_metadata(refresh_token_creds, test_service_url,
on_oauth2_creds_get_metadata_failure,
(void *)test_user_data);
grpc_credentials_unref(refresh_token_creds);
grpc_httpcli_set_override(NULL, NULL);
}
static void validate_jwt_encode_and_sign_params( static void validate_jwt_encode_and_sign_params(
const grpc_auth_json_key *json_key, const char *scope, const grpc_auth_json_key *json_key, const char *scope,
gpr_timespec token_lifetime) { gpr_timespec token_lifetime) {
@ -515,13 +599,13 @@ static void validate_service_account_http_request(
GPR_ASSERT(body != NULL); GPR_ASSERT(body != NULL);
GPR_ASSERT(body_size != 0); GPR_ASSERT(body_size != 0);
gpr_asprintf(&expected_body, "%s%s", gpr_asprintf(&expected_body, "%s%s",
expected_service_account_http_body_prefix, test_signed_jwt); GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX, test_signed_jwt);
GPR_ASSERT(strlen(expected_body) == body_size); GPR_ASSERT(strlen(expected_body) == body_size);
GPR_ASSERT(!memcmp(expected_body, body, body_size)); GPR_ASSERT(memcmp(expected_body, body, body_size) == 0);
gpr_free(expected_body); gpr_free(expected_body);
GPR_ASSERT(request->use_ssl); GPR_ASSERT(request->use_ssl);
GPR_ASSERT(strcmp(request->host, "www.googleapis.com") == 0); GPR_ASSERT(strcmp(request->host, GRPC_GOOGLE_OAUTH2_SERVICE_HOST) == 0);
GPR_ASSERT(strcmp(request->path, "/oauth2/v3/token") == 0); GPR_ASSERT(strcmp(request->path, GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH) == 0);
GPR_ASSERT(request->hdr_count == 1); GPR_ASSERT(request->hdr_count == 1);
GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0); GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0);
GPR_ASSERT(strcmp(request->hdrs[0].value, GPR_ASSERT(strcmp(request->hdrs[0].value,
@ -711,6 +795,8 @@ int main(int argc, char **argv) {
test_ssl_oauth2_iam_composite_creds(); test_ssl_oauth2_iam_composite_creds();
test_compute_engine_creds_success(); test_compute_engine_creds_success();
test_compute_engine_creds_failure(); test_compute_engine_creds_failure();
test_refresh_token_creds_success();
test_refresh_token_creds_failure();
test_service_account_creds_success(); test_service_account_creds_success();
test_service_account_creds_http_failure(); test_service_account_creds_http_failure();
test_service_account_creds_signing_failure(); test_service_account_creds_signing_failure();

@ -34,7 +34,6 @@
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
#include "src/core/security/credentials.h"
#include <grpc/grpc.h> #include <grpc/grpc.h>
#include <grpc/grpc_security.h> #include <grpc/grpc_security.h>
#include <grpc/support/alloc.h> #include <grpc/support/alloc.h>
@ -43,6 +42,9 @@
#include <grpc/support/slice.h> #include <grpc/support/slice.h>
#include <grpc/support/sync.h> #include <grpc/support/sync.h>
#include "src/core/security/credentials.h"
#include "src/core/support/file.h"
typedef struct { typedef struct {
gpr_cv cv; gpr_cv cv;
gpr_mu mu; gpr_mu mu;
@ -74,50 +76,50 @@ static void on_oauth2_response(void *user_data, grpc_mdelem **md_elems,
static grpc_credentials *create_service_account_creds( static grpc_credentials *create_service_account_creds(
const char *json_key_file_path, const char *scope) { const char *json_key_file_path, const char *scope) {
char json_key[8192]; /* Should be plenty. */ int success;
char *current = json_key; gpr_slice json_key = gpr_load_file(json_key_file_path, &success);
FILE *json_key_file = fopen(json_key_file_path, "r"); if (!success) {
if (json_key_file == NULL) { gpr_log(GPR_ERROR, "Could not read file %s.", json_key_file_path);
gpr_log(GPR_ERROR, "Invalid path for json key file: %s.",
json_key_file_path);
exit(1);
}
do {
size_t bytes_read = fread(
current, 1, sizeof(json_key) - (current - json_key), json_key_file);
if (bytes_read == 0) {
if (!feof(json_key_file)) {
gpr_log(GPR_ERROR, "Error occured while reading %s.",
json_key_file_path);
exit(1); exit(1);
} }
break; return grpc_service_account_credentials_create(
(const char *)GPR_SLICE_START_PTR(json_key), scope,
grpc_max_auth_token_lifetime);
} }
current += bytes_read;
} while (sizeof(json_key) > (size_t)(current - json_key));
if ((current - json_key) == sizeof(json_key)) { static grpc_credentials *create_refresh_token_creds(
gpr_log(GPR_ERROR, "Json key file %s exceeds size limit (%d bytes).", const char *json_refresh_token_file_path) {
json_key_file_path, (int)sizeof(json_key)); int success;
gpr_slice refresh_token =
gpr_load_file(json_refresh_token_file_path, &success);
if (!success) {
gpr_log(GPR_ERROR, "Could not read file %s.", json_refresh_token_file_path);
exit(1); exit(1);
} }
fclose(json_key_file); return grpc_refresh_token_credentials_create(
(const char *)GPR_SLICE_START_PTR(refresh_token));
return grpc_service_account_credentials_create(json_key, scope,
grpc_max_auth_token_lifetime);
} }
int main(int argc, char **argv) { int main(int argc, char **argv) {
synchronizer sync; synchronizer sync;
grpc_credentials *creds = NULL; grpc_credentials *creds = NULL;
char *json_key_file_path = NULL; char *json_key_file_path = NULL;
char *json_refresh_token_file_path = NULL;
int use_gce = 0; int use_gce = 0;
char *scope = NULL; char *scope = NULL;
gpr_cmdline *cl = gpr_cmdline_create("fetch_oauth2"); gpr_cmdline *cl = gpr_cmdline_create("fetch_oauth2");
gpr_cmdline_add_string(cl, "json_key", "File path of the json key.", gpr_cmdline_add_string(cl, "json_key",
"File path of the json key. Mutually exclusive with "
"--json_refresh_token.",
&json_key_file_path); &json_key_file_path);
gpr_cmdline_add_string(cl, "scope", "Space delimited permissions.", &scope); gpr_cmdline_add_string(cl, "json_refresh_token",
"File path of the json refresh token. Mutually "
"exclusive with --json_key.",
&json_refresh_token_file_path);
gpr_cmdline_add_string(cl, "scope",
"Space delimited permissions. Only used for "
"--json_key, ignored otherwise.",
&scope);
gpr_cmdline_add_flag( gpr_cmdline_add_flag(
cl, "gce", cl, "gce",
"Get a token from the GCE metadata server (only works in GCE).", "Get a token from the GCE metadata server (only works in GCE).",
@ -126,6 +128,12 @@ int main(int argc, char **argv) {
grpc_init(); grpc_init();
if (json_key_file_path != NULL && json_refresh_token_file_path != NULL) {
gpr_log(GPR_ERROR,
"--json_key and --json_refresh_token are mutually exclusive.");
exit(1);
}
if (use_gce) { if (use_gce) {
if (json_key_file_path != NULL || scope != NULL) { if (json_key_file_path != NULL || scope != NULL) {
gpr_log(GPR_INFO, gpr_log(GPR_INFO,
@ -137,6 +145,15 @@ int main(int argc, char **argv) {
gpr_log(GPR_ERROR, "Could not create gce credentials."); gpr_log(GPR_ERROR, "Could not create gce credentials.");
exit(1); exit(1);
} }
} else if (json_refresh_token_file_path != NULL) {
creds = create_refresh_token_creds(json_refresh_token_file_path);
if (creds == NULL) {
gpr_log(GPR_ERROR,
"Could not create refresh token creds. %s does probably not "
"contain a valid json refresh token.",
json_refresh_token_file_path);
exit(1);
}
} else { } else {
if (json_key_file_path == NULL) { if (json_key_file_path == NULL) {
gpr_log(GPR_ERROR, "Missing --json_key option."); gpr_log(GPR_ERROR, "Missing --json_key option.");

Loading…
Cancel
Save