Chiebot-Mirror
/
grpc
mirror of https://github.com/grpc/grpc.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

Implementing JWT credentials (a.k.a JWT ID Tokens).

Browse Source 
- Not tested end to end yet
pull/641/head
Julien Boeuf 10 years ago
parent 52978e5326
commit f47a5cb93d
11 changed files with 404 additions and 69 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      include/grpc/grpc_security.h
  2. 32
      src/core/security/auth.c
  3. 158
      src/core/security/credentials.c
  4. 3
      src/core/security/credentials.h
  5. 34
      src/core/security/json_token.c
  6. 13
      src/core/security/json_token.h
  7. 4
      src/core/security/security_context.c
  8. 6
      src/core/security/security_context.h
  9. 136
      test/core/security/credentials_test.c
  10. 2
      test/core/security/fetch_oauth2.c
  11. 77
      test/core/security/json_token_test.c

8
include/grpc/grpc_security.h
Unescape View File

@ -100,6 +100,14 @@ extern const gpr_timespec grpc_max_auth_token_lifetime;
grpc_credentials *grpc_service_account_credentials_create(
const char *json_key, const char *scope, gpr_timespec token_lifetime);
/* Creates a JWT credentials object. May return NULL if the input is invalid.
- json_key is the JSON key string containing the client's private key.
- token_lifetime is the lifetime of each Json Web Token (JWT) created with
this credentials. It should not exceed grpc_max_auth_token_lifetime or
will be cropped to this value. */
grpc_credentials *grpc_jwt_credentials_create(const char *json_key,
gpr_timespec token_lifetime);
/* Creates a fake transport security credentials object for testing. */
grpc_credentials *grpc_fake_transport_security_credentials_create(void);

32
src/core/security/auth.c
Unescape View File

@ -48,6 +48,7 @@
typedef struct {
grpc_credentials *creds;
grpc_mdstr *host;
grpc_mdstr *method;
grpc_call_op op;
} call_data;
@ -56,6 +57,7 @@ typedef struct {
grpc_channel_security_context *security_context;
grpc_mdctx *md_ctx;
grpc_mdstr *authority_string;
grpc_mdstr *path_string;
grpc_mdstr *error_msg_key;
} channel_data;
@ -89,6 +91,26 @@ static void on_credentials_metadata(void *user_data, grpc_mdelem **md_elems,
grpc_call_next_op(elem, &((call_data *)elem->call_data)->op);
}
static char *build_service_url(const char *url_scheme, call_data *calld) {
char *service_url;
char *service = gpr_strdup(grpc_mdstr_as_c_string(calld->method));
char *last_slash = strrchr(service, '/');
if (last_slash == NULL) {
gpr_log(GPR_ERROR, "No '/' found in fully qualified method name");
service[0] = '\0';
} else if (last_slash == service) {
/* No service part in fully qualified method name: will just be "/". */
service[1] = '\0';
} else {
*last_slash = '\0';
}
if (url_scheme == NULL) url_scheme = "";
gpr_asprintf(&service_url, "%s://%s%s", url_scheme,
grpc_mdstr_as_c_string(calld->host), service);
gpr_free(service);
return service_url;
}
static void send_security_metadata(grpc_call_element *elem, grpc_call_op *op) {
/* grab pointers to our data from the call element */
call_data *calld = elem->call_data;
@ -106,9 +128,12 @@ static void send_security_metadata(grpc_call_element *elem, grpc_call_op *op) {
}
if (channel_creds != NULL &&
grpc_credentials_has_request_metadata(channel_creds)) {
char *service_url =
build_service_url(channeld->security_context->base.url_scheme, calld);
calld->op = *op; /* Copy op (originates from the caller's stack). */
grpc_credentials_get_request_metadata(channel_creds,
grpc_credentials_get_request_metadata(channel_creds, service_url,
on_credentials_metadata, elem);
gpr_free(service_url);
} else {
grpc_call_next_op(elem, op);
}
@ -146,6 +171,9 @@ static void call_op(grpc_call_element *elem, grpc_call_element *from_elem,
if (op->data.metadata->key == channeld->authority_string) {
if (calld->host != NULL) grpc_mdstr_unref(calld->host);
calld->host = grpc_mdstr_ref(op->data.metadata->value);
} else if (op->data.metadata->key == channeld->path_string) {
if (calld->method != NULL) grpc_mdstr_unref(calld->method);
calld->method = grpc_mdstr_ref(op->data.metadata->value);
}
grpc_call_next_op(elem, op);
break;
@ -194,6 +222,7 @@ static void init_call_elem(grpc_call_element *elem,
call_data *calld = elem->call_data;
calld->creds = NULL;
calld->host = NULL;
calld->method = NULL;
}
/* Destructor for call_data */
@ -230,6 +259,7 @@ static void init_channel_elem(grpc_channel_element *elem,
channeld->md_ctx = metadata_context;
channeld->authority_string =
grpc_mdstr_from_string(channeld->md_ctx, ":authority");
channeld->path_string = grpc_mdstr_from_string(channeld->md_ctx, ":path");
channeld->error_msg_key =
grpc_mdstr_from_string(channeld->md_ctx, "grpc-message");
}

158
src/core/security/credentials.c
Unescape View File

@ -33,6 +33,10 @@
#include "src/core/security/credentials.h"
#include <string.h>
#include <stdio.h>
#include "src/core/json/json.h"
#include "src/core/httpcli/httpcli.h"
#include "src/core/iomgr/iomgr.h"
#include "src/core/security/json_token.h"
@ -42,14 +46,9 @@
#include <grpc/support/sync.h>
#include <grpc/support/time.h>
#include "src/core/json/json.h"
#include <string.h>
#include <stdio.h>
/* -- Constants. -- */
#define GRPC_OAUTH2_TOKEN_REFRESH_THRESHOLD_SECS 60
#define GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS 60
#define GRPC_COMPUTE_ENGINE_METADATA_HOST "metadata"
#define GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH \
@ -113,6 +112,7 @@ int grpc_credentials_has_request_metadata_only(grpc_credentials *creds) {
}
void grpc_credentials_get_request_metadata(grpc_credentials *creds,
const char *service_url,
grpc_credentials_metadata_cb cb,
void *user_data) {
if (creds == NULL || !grpc_credentials_has_request_metadata(creds) ||
@ -122,7 +122,7 @@ void grpc_credentials_get_request_metadata(grpc_credentials *creds,
}
return;
}
creds->vtable->get_request_metadata(creds, cb, user_data);
creds->vtable->get_request_metadata(creds, service_url, cb, user_data);
}
void grpc_server_credentials_release(grpc_server_credentials *creds) {
@ -288,6 +288,128 @@ grpc_server_credentials *grpc_ssl_server_credentials_create(
return &c->base;
}
/* -- Jwt credentials -- */
typedef struct {
grpc_credentials base;
grpc_mdctx *md_ctx;
/* Have a simple cache for now with just 1 entry. We could have a map based on
the service_url for a more sophisticated one. */
gpr_mu cache_mu;
struct {
grpc_mdelem *jwt_md;
char *service_url;
gpr_timespec jwt_expiration;
} cached;
grpc_auth_json_key key;
gpr_timespec jwt_lifetime;
} grpc_jwt_credentials;
static void jwt_reset_cache(grpc_jwt_credentials *c) {
if (c->cached.jwt_md != NULL) {
grpc_mdelem_unref(c->cached.jwt_md);
c->cached.jwt_md = NULL;
}
if (c->cached.service_url != NULL) {
gpr_free(c->cached.service_url);
c->cached.service_url = NULL;
}
c->cached.jwt_expiration = gpr_inf_past;
}
static void jwt_destroy(grpc_credentials *creds) {
grpc_jwt_credentials *c = (grpc_jwt_credentials *)creds;
grpc_auth_json_key_destruct(&c->key);
jwt_reset_cache(c);
gpr_mu_destroy(&c->cache_mu);
grpc_mdctx_unref(c->md_ctx);
gpr_free(c);
}
static int jwt_has_request_metadata(const grpc_credentials *creds) { return 1; }
static int jwt_has_request_metadata_only(const grpc_credentials *creds) {
return 1;
}
static void jwt_get_request_metadata(grpc_credentials *creds,
const char *service_url,
grpc_credentials_metadata_cb cb,
void *user_data) {
grpc_jwt_credentials *c = (grpc_jwt_credentials *)creds;
gpr_timespec refresh_threshold = {GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS,
0};
/* See if we can return a cached jwt. */
grpc_mdelem *jwt_md = NULL;
{
gpr_mu_lock(&c->cache_mu);
if (c->cached.service_url != NULL &&
!strcmp(c->cached.service_url, service_url) &&
c->cached.jwt_md != NULL &&
(gpr_time_cmp(gpr_time_sub(c->cached.jwt_expiration, gpr_now()),
refresh_threshold) > 0)) {
jwt_md = grpc_mdelem_ref(c->cached.jwt_md);
}
gpr_mu_unlock(&c->cache_mu);
}
if (jwt_md == NULL) {
char *jwt = NULL;
/* Generate a new jwt. */
gpr_mu_lock(&c->cache_mu);
jwt_reset_cache(c);
jwt = grpc_jwt_encode_and_sign(&c->key, service_url, c->jwt_lifetime, NULL);
if (jwt != NULL) {
char *md_value;
gpr_asprintf(&md_value, "Bearer %s", jwt);
gpr_free(jwt);
c->cached.jwt_expiration = gpr_time_add(gpr_now(), c->jwt_lifetime);
c->cached.service_url = gpr_strdup(service_url);
c->cached.jwt_md = grpc_mdelem_from_strings(
c->md_ctx, GRPC_AUTHORIZATION_METADATA_KEY, md_value);
gpr_free(md_value);
jwt_md = grpc_mdelem_ref(c->cached.jwt_md);
}
gpr_mu_unlock(&c->cache_mu);
}
if (jwt_md != NULL) {
cb(user_data, &jwt_md, 1, GRPC_CREDENTIALS_OK);
grpc_mdelem_unref(jwt_md);
} else {
cb(user_data, NULL, 0, GRPC_CREDENTIALS_ERROR);
}
}
static grpc_credentials_vtable jwt_vtable = {
jwt_destroy, jwt_has_request_metadata, jwt_has_request_metadata_only,
jwt_get_request_metadata};
grpc_credentials *grpc_jwt_credentials_create(const char *json_key,
gpr_timespec token_lifetime) {
grpc_jwt_credentials *c;
grpc_auth_json_key key = grpc_auth_json_key_create_from_string(json_key);
if (!grpc_auth_json_key_is_valid(&key)) {
gpr_log(GPR_ERROR, "Invalid input for jwt credentials creation");
return NULL;
}
c = gpr_malloc(sizeof(grpc_jwt_credentials));
memset(c, 0, sizeof(grpc_jwt_credentials));
c->base.type = GRPC_CREDENTIALS_TYPE_JWT;
gpr_ref_init(&c->base.refcount, 1);
c->base.vtable = &jwt_vtable;
c->md_ctx = grpc_mdctx_create();
c->key = key;
c->jwt_lifetime = token_lifetime;
gpr_mu_init(&c->cache_mu);
jwt_reset_cache(c);
return &c->base;
}
/* -- Oauth2TokenFetcher credentials -- */
/* This object is a base for credentials that need to acquire an oauth2 token
@ -439,10 +561,11 @@ static void on_oauth2_token_fetcher_http_response(
}
static void oauth2_token_fetcher_get_request_metadata(
grpc_credentials *creds, grpc_credentials_metadata_cb cb, void *user_data) {
grpc_credentials *creds, const char *service_url,
grpc_credentials_metadata_cb cb, void *user_data) {
grpc_oauth2_token_fetcher_credentials *c =
(grpc_oauth2_token_fetcher_credentials *)creds;
gpr_timespec refresh_threshold = {GRPC_OAUTH2_TOKEN_REFRESH_THRESHOLD_SECS,
gpr_timespec refresh_threshold = {GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS,
0};
grpc_mdelem *cached_access_token_md = NULL;
{
@ -535,7 +658,8 @@ static void service_account_fetch_oauth2(
"application/x-www-form-urlencoded"};
grpc_httpcli_request request;
char *body = NULL;
char *jwt = grpc_jwt_encode_and_sign(&c->key, c->scope, c->token_lifetime);
char *jwt = grpc_jwt_encode_and_sign(&c->key, GRPC_JWT_OAUTH2_AUDIENCE,
c->token_lifetime, c->scope);
if (jwt == NULL) {
grpc_httpcli_response response;
memset(&response, 0, sizeof(grpc_httpcli_response));
@ -616,6 +740,7 @@ void on_simulated_token_fetch_done(void *user_data, int success) {
}
static void fake_oauth2_get_request_metadata(grpc_credentials *creds,
const char *service_url,
grpc_credentials_metadata_cb cb,
void *user_data) {
grpc_fake_oauth2_credentials *c = (grpc_fake_oauth2_credentials *)creds;
@ -709,6 +834,7 @@ typedef struct {
size_t creds_index;
grpc_mdelem **md_elems;
size_t num_md;
char *service_url;
void *user_data;
grpc_credentials_metadata_cb cb;
} grpc_composite_credentials_metadata_context;
@ -754,6 +880,7 @@ static void composite_md_context_destroy(
grpc_mdelem_unref(ctx->md_elems[i]);
}
gpr_free(ctx->md_elems);
if (ctx->service_url != NULL) gpr_free(ctx->service_url);
gpr_free(ctx);
}
@ -783,8 +910,8 @@ static void composite_metadata_cb(void *user_data, grpc_mdelem **md_elems,
grpc_credentials *inner_creds =
ctx->composite_creds->inner.creds_array[ctx->creds_index++];
if (grpc_credentials_has_request_metadata(inner_creds)) {
grpc_credentials_get_request_metadata(inner_creds, composite_metadata_cb,
ctx);
grpc_credentials_get_request_metadata(inner_creds, ctx->service_url,
composite_metadata_cb, ctx);
return;
}
}
@ -795,6 +922,7 @@ static void composite_metadata_cb(void *user_data, grpc_mdelem **md_elems,
}
static void composite_get_request_metadata(grpc_credentials *creds,
const char *service_url,
grpc_credentials_metadata_cb cb,
void *user_data) {
grpc_composite_credentials *c = (grpc_composite_credentials *)creds;
@ -805,14 +933,15 @@ static void composite_get_request_metadata(grpc_credentials *creds,
}
ctx = gpr_malloc(sizeof(grpc_composite_credentials_metadata_context));
memset(ctx, 0, sizeof(grpc_composite_credentials_metadata_context));
ctx->service_url = gpr_strdup(service_url);
ctx->user_data = user_data;
ctx->cb = cb;
ctx->composite_creds = c;
while (ctx->creds_index < c->inner.num_creds) {
grpc_credentials *inner_creds = c->inner.creds_array[ctx->creds_index++];
if (grpc_credentials_has_request_metadata(inner_creds)) {
grpc_credentials_get_request_metadata(inner_creds, composite_metadata_cb,
ctx);
grpc_credentials_get_request_metadata(inner_creds, service_url,
composite_metadata_cb, ctx);
return;
}
}
@ -916,6 +1045,7 @@ static int iam_has_request_metadata_only(const grpc_credentials *creds) {
}
static void iam_get_request_metadata(grpc_credentials *creds,
const char *service_url,
grpc_credentials_metadata_cb cb,
void *user_data) {
grpc_iam_credentials *c = (grpc_iam_credentials *)creds;

3
src/core/security/credentials.h
Unescape View File

@ -50,6 +50,7 @@ typedef enum {
#define GRPC_CREDENTIALS_TYPE_SSL "Ssl"
#define GRPC_CREDENTIALS_TYPE_OAUTH2 "Oauth2"
#define GRPC_CREDENTIALS_TYPE_JWT "Jwt"
#define GRPC_CREDENTIALS_TYPE_IAM "Iam"
#define GRPC_CREDENTIALS_TYPE_COMPOSITE "Composite"
#define GRPC_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY "FakeTransportSecurity"
@ -71,6 +72,7 @@ typedef struct {
int (*has_request_metadata)(const grpc_credentials *c);
int (*has_request_metadata_only)(const grpc_credentials *c);
void (*get_request_metadata)(grpc_credentials *c,
const char *service_url,
grpc_credentials_metadata_cb cb,
void *user_data);
} grpc_credentials_vtable;
@ -86,6 +88,7 @@ void grpc_credentials_unref(grpc_credentials *creds);
int grpc_credentials_has_request_metadata(grpc_credentials *creds);
int grpc_credentials_has_request_metadata_only(grpc_credentials *creds);
void grpc_credentials_get_request_metadata(grpc_credentials *creds,
const char *service_url,
grpc_credentials_metadata_cb cb,
void *user_data);
typedef struct {

34
src/core/security/json_token.c
Unescape View File

@ -55,7 +55,6 @@ const gpr_timespec grpc_max_auth_token_lifetime = {3600, 0};
#define GRPC_AUTH_JSON_KEY_TYPE_INVALID "invalid"
#define GRPC_AUTH_JSON_KEY_TYPE_SERVICE_ACCOUNT "service_account"
#define GRPC_JWT_AUDIENCE "https://www.googleapis.com/oauth2/v3/token"
#define GRPC_JWT_RSA_SHA256_ALGORITHM "RS256"
#define GRPC_JWT_TYPE "JWT"
@ -171,8 +170,8 @@ void grpc_auth_json_key_destruct(grpc_auth_json_key *json_key) {
/* --- jwt encoding and signature. --- */
static grpc_json *create_child(grpc_json *brother, grpc_json *parent,
const char *key, const char *value,
grpc_json_type type) {
const char *key, const char *value,
grpc_json_type type) {
grpc_json *child = grpc_json_create(type);
if (brother) brother->next = child;
if (!parent->child) parent->child = child;
@ -182,14 +181,15 @@ static grpc_json *create_child(grpc_json *brother, grpc_json *parent,
return child;
}
static char *encoded_jwt_header(const char *algorithm) {
static char *encoded_jwt_header(const char *key_id, const char *algorithm) {
grpc_json *json = grpc_json_create(GRPC_JSON_OBJECT);
grpc_json *child = NULL;
char *json_str = NULL;
char *result = NULL;
child = create_child(NULL, json, "alg", algorithm, GRPC_JSON_STRING);
create_child(child, json, "typ", GRPC_JWT_TYPE, GRPC_JSON_STRING);
child = create_child(child, json, "typ", GRPC_JWT_TYPE, GRPC_JSON_STRING);
create_child(child, json, "kid", key_id, GRPC_JSON_STRING);
json_str = grpc_json_dump_to_string(json, 0);
result = grpc_base64_encode(json_str, strlen(json_str), 1, 0);
@ -199,7 +199,8 @@ static char *encoded_jwt_header(const char *algorithm) {
}
static char *encoded_jwt_claim(const grpc_auth_json_key *json_key,
const char *scope, gpr_timespec token_lifetime) {
const char *audience,
gpr_timespec token_lifetime, const char *scope) {
grpc_json *json = grpc_json_create(GRPC_JSON_OBJECT);
grpc_json *child = NULL;
char *json_str = NULL;
@ -217,8 +218,15 @@ static char *encoded_jwt_claim(const grpc_auth_json_key *json_key,
child = create_child(NULL, json, "iss", json_key->client_email,
GRPC_JSON_STRING);
child = create_child(child, json, "scope", scope, GRPC_JSON_STRING);
child = create_child(child, json, "aud", GRPC_JWT_AUDIENCE, GRPC_JSON_STRING);
if (scope != NULL) {
child = create_child(child, json, "scope", scope, GRPC_JSON_STRING);
} else {
/* Unscoped JWTs need a sub field. */
child = create_child(child, json, "sub", json_key->client_email,
GRPC_JSON_STRING);
}
child = create_child(child, json, "aud", audience, GRPC_JSON_STRING);
child = create_child(child, json, "iat", now_str, GRPC_JSON_NUMBER);
create_child(child, json, "exp", expiration_str, GRPC_JSON_NUMBER);
@ -300,14 +308,16 @@ end:
}
char *grpc_jwt_encode_and_sign(const grpc_auth_json_key *json_key,
const char *scope, gpr_timespec token_lifetime) {
const char *audience,
gpr_timespec token_lifetime, const char *scope) {
if (g_jwt_encode_and_sign_override != NULL) {
return g_jwt_encode_and_sign_override(json_key, scope, token_lifetime);
return g_jwt_encode_and_sign_override(json_key, audience, token_lifetime,
scope);
} else {
const char *sig_algo = GRPC_JWT_RSA_SHA256_ALGORITHM;
char *to_sign = dot_concat_and_free_strings(
encoded_jwt_header(sig_algo),
encoded_jwt_claim(json_key, scope, token_lifetime));
encoded_jwt_header(json_key->private_key_id, sig_algo),
encoded_jwt_claim(json_key, audience, token_lifetime, scope));
char *sig = compute_and_encode_signature(json_key, sig_algo, to_sign);
if (sig == NULL) {
gpr_free(to_sign);

13
src/core/security/json_token.h
Unescape View File

@ -37,6 +37,10 @@
#include <grpc/support/slice.h>
#include <openssl/rsa.h>
/* --- Constants. --- */
#define GRPC_JWT_OAUTH2_AUDIENCE "https://www.googleapis.com/oauth2/v3/token"
/* --- auth_json_key parsing. --- */
typedef struct {
@ -61,14 +65,15 @@ void grpc_auth_json_key_destruct(grpc_auth_json_key *json_key);
/* --- json token encoding and signing. --- */
/* Caller is responsible for calling gpr_free on the returned value. May return
NULL on invalid input. */
NULL on invalid input. The scope parameter may be NULL. */
char *grpc_jwt_encode_and_sign(const grpc_auth_json_key *json_key,
const char *scope, gpr_timespec token_lifetime);
const char *audience,
gpr_timespec token_lifetime, const char *scope);
/* Override encode_and_sign function for testing. */
typedef char *(*grpc_jwt_encode_and_sign_override)(
const grpc_auth_json_key *json_key, const char *scope,
gpr_timespec token_lifetime);
const grpc_auth_json_key *json_key, const char *audience,
gpr_timespec token_lifetime, const char *scope);
/* Set a custom encode_and_sign override for testing. */
void grpc_jwt_encode_and_sign_set_override(

4
src/core/security/security_context.c
Unescape View File

@ -232,6 +232,7 @@ grpc_channel_security_context *grpc_fake_channel_security_context_create(
gpr_malloc(sizeof(grpc_fake_channel_security_context));
gpr_ref_init(&c->base.base.refcount, 1);
c->base.base.is_client_side = 1;
c->base.base.url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME;
c->base.base.vtable = &fake_channel_vtable;
GPR_ASSERT(check_request_metadata_creds(request_metadata_creds));
c->base.request_metadata_creds = grpc_credentials_ref(request_metadata_creds);
@ -244,6 +245,7 @@ grpc_security_context *grpc_fake_server_security_context_create(void) {
grpc_security_context *c = gpr_malloc(sizeof(grpc_security_context));
gpr_ref_init(&c->refcount, 1);
c->vtable = &fake_server_vtable;
c->url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME;
return c;
}
@ -451,6 +453,7 @@ grpc_security_status grpc_ssl_channel_security_context_create(
gpr_ref_init(&c->base.base.refcount, 1);
c->base.base.vtable = &ssl_channel_vtable;
c->base.base.is_client_side = 1;
c->base.base.url_scheme = GRPC_SSL_URL_SCHEME;
c->base.request_metadata_creds = grpc_credentials_ref(request_metadata_creds);
c->base.check_call_host = ssl_channel_check_call_host;
if (target_name != NULL) {
@ -518,6 +521,7 @@ grpc_security_status grpc_ssl_server_security_context_create(
memset(c, 0, sizeof(grpc_ssl_server_security_context));
gpr_ref_init(&c->base.refcount, 1);
c->base.url_scheme = GRPC_SSL_URL_SCHEME;
c->base.vtable = &ssl_server_vtable;
result = tsi_create_ssl_server_handshaker_factory(
(const unsigned char **)config->pem_private_keys,

6
src/core/security/security_context.h
Unescape View File

@ -47,6 +47,11 @@ typedef enum {
GRPC_SECURITY_ERROR
} grpc_security_status;
/* --- URL schemes. --- */
#define GRPC_SSL_URL_SCHEME "https"
#define GRPC_FAKE_SECURITY_URL_SCHEME "http+fake_security"
/* --- security_context object. ---
A security context object represents away to configure the underlying
@ -72,6 +77,7 @@ struct grpc_security_context {
const grpc_security_context_vtable *vtable;
gpr_refcount refcount;
int is_client_side;
const char *url_scheme;
};
/* Increments the refcount. */

136
test/core/security/credentials_test.c
Unescape View File

@ -89,12 +89,17 @@ static const char test_user_data[] = "user data";
static const char test_scope[] = "perm1 perm2";
static const char test_signed_jwt[] = "signed jwt";
static const char test_signed_jwt[] =
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImY0OTRkN2M1YWU2MGRmOTcyNmM4YW"
"U0MDcyZTViYTdmZDkwODg2YzcifQ";
static const char expected_service_account_http_body_prefix[] =
"grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&"
"assertion=";
static const char test_service_url[] = "https://foo.com/foo.v1";
static const char other_test_service_url[] = "https://bar.com/bar.v1";
static char *test_json_key_str(void) {
size_t result_len = strlen(test_json_key_str_part1) +
strlen(test_json_key_str_part2) +
@ -259,7 +264,8 @@ static void test_iam_creds(void) {
test_iam_authorization_token, test_iam_authority_selector);
GPR_ASSERT(grpc_credentials_has_request_metadata(creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(creds));
grpc_credentials_get_request_metadata(creds, check_iam_metadata, creds);
grpc_credentials_get_request_metadata(creds, test_service_url,
check_iam_metadata, creds);
}
static void check_ssl_oauth2_composite_metadata(
@ -293,8 +299,9 @@ static void test_ssl_oauth2_composite_creds(void) {
!strcmp(creds_array->creds_array[0]->type, GRPC_CREDENTIALS_TYPE_SSL));
GPR_ASSERT(
!strcmp(creds_array->creds_array[1]->type, GRPC_CREDENTIALS_TYPE_OAUTH2));
grpc_credentials_get_request_metadata(
composite_creds, check_ssl_oauth2_composite_metadata, composite_creds);
grpc_credentials_get_request_metadata(composite_creds, test_service_url,
check_ssl_oauth2_composite_metadata,
composite_creds);
}
static void check_ssl_oauth2_iam_composite_metadata(
@ -338,7 +345,7 @@ static void test_ssl_oauth2_iam_composite_creds(void) {
!strcmp(creds_array->creds_array[1]->type, GRPC_CREDENTIALS_TYPE_OAUTH2));
GPR_ASSERT(
!strcmp(creds_array->creds_array[2]->type, GRPC_CREDENTIALS_TYPE_IAM));
grpc_credentials_get_request_metadata(composite_creds,
grpc_credentials_get_request_metadata(composite_creds, test_service_url,
check_ssl_oauth2_iam_composite_metadata,
composite_creds);
}
@ -420,14 +427,14 @@ static void test_compute_engine_creds_success(void) {
/* First request: http get should be called. */
grpc_httpcli_set_override(compute_engine_httpcli_get_success_override,
httpcli_post_should_not_be_called);
grpc_credentials_get_request_metadata(compute_engine_creds,
grpc_credentials_get_request_metadata(compute_engine_creds, test_service_url,
on_oauth2_creds_get_metadata_success,
(void *)test_user_data);
/* Second request: the cached token should be served directly. */
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
httpcli_post_should_not_be_called);
grpc_credentials_get_request_metadata(compute_engine_creds,
grpc_credentials_get_request_metadata(compute_engine_creds, test_service_url,
on_oauth2_creds_get_metadata_success,
(void *)test_user_data);
@ -442,7 +449,7 @@ static void test_compute_engine_creds_failure(void) {
httpcli_post_should_not_be_called);
GPR_ASSERT(grpc_credentials_has_request_metadata(compute_engine_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(compute_engine_creds));
grpc_credentials_get_request_metadata(compute_engine_creds,
grpc_credentials_get_request_metadata(compute_engine_creds, test_service_url,
on_oauth2_creds_get_metadata_failure,
(void *)test_user_data);
grpc_credentials_unref(compute_engine_creds);
@ -468,27 +475,29 @@ static void validate_jwt_encode_and_sign_params(
!strcmp(json_key->client_email,
"777-abaslkan11hlb6nmim3bpspl31ud@developer."
"gserviceaccount.com"));
GPR_ASSERT(!strcmp(scope, test_scope));
if (scope != NULL) GPR_ASSERT(!strcmp(scope, test_scope));
GPR_ASSERT(!gpr_time_cmp(token_lifetime, grpc_max_auth_token_lifetime));
}
static char *encode_and_sign_jwt_success(const grpc_auth_json_key *json_key,
const char *scope,
gpr_timespec token_lifetime) {
const char *audience,
gpr_timespec token_lifetime,
const char *scope) {
validate_jwt_encode_and_sign_params(json_key, scope, token_lifetime);
return gpr_strdup(test_signed_jwt);
}
static char *encode_and_sign_jwt_failure(const grpc_auth_json_key *json_key,
const char *scope,
gpr_timespec token_lifetime) {
const char *audience,
gpr_timespec token_lifetime,
const char *scope) {
validate_jwt_encode_and_sign_params(json_key, scope, token_lifetime);
return NULL;
}
static char *encode_and_sign_jwt_should_not_be_called(
const grpc_auth_json_key *json_key, const char *scope,
gpr_timespec token_lifetime) {
const grpc_auth_json_key *json_key, const char *audience,
gpr_timespec token_lifetime, const char *scope) {
GPR_ASSERT("grpc_jwt_encode_and_sign should not be called" == NULL);
}
@ -533,7 +542,7 @@ static int service_account_httpcli_post_failure(
return 1;
}
static void test_service_accounts_creds_success(void) {
static void test_service_account_creds_success(void) {
char *json_key_string = test_json_key_str();
grpc_credentials *service_account_creds =
grpc_service_account_credentials_create(json_key_string, test_scope,
@ -545,7 +554,7 @@ static void test_service_accounts_creds_success(void) {
grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success);
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
service_account_httpcli_post_success);
grpc_credentials_get_request_metadata(service_account_creds,
grpc_credentials_get_request_metadata(service_account_creds, test_service_url,
on_oauth2_creds_get_metadata_success,
(void *)test_user_data);
@ -554,7 +563,7 @@ static void test_service_accounts_creds_success(void) {
encode_and_sign_jwt_should_not_be_called);
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
httpcli_post_should_not_be_called);
grpc_credentials_get_request_metadata(service_account_creds,
grpc_credentials_get_request_metadata(service_account_creds, test_service_url,
on_oauth2_creds_get_metadata_success,
(void *)test_user_data);
@ -564,7 +573,7 @@ static void test_service_accounts_creds_success(void) {
grpc_httpcli_set_override(NULL, NULL);
}
static void test_service_accounts_creds_http_failure(void) {
static void test_service_account_creds_http_failure(void) {
char *json_key_string = test_json_key_str();
grpc_credentials *service_account_creds =
grpc_service_account_credentials_create(json_key_string, test_scope,
@ -575,7 +584,7 @@ static void test_service_accounts_creds_http_failure(void) {
grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success);
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
service_account_httpcli_post_failure);
grpc_credentials_get_request_metadata(service_account_creds,
grpc_credentials_get_request_metadata(service_account_creds, test_service_url,
on_oauth2_creds_get_metadata_failure,
(void *)test_user_data);
@ -584,7 +593,7 @@ static void test_service_accounts_creds_http_failure(void) {
grpc_httpcli_set_override(NULL, NULL);
}
static void test_service_accounts_creds_signing_failure(void) {
static void test_service_account_creds_signing_failure(void) {
char *json_key_string = test_json_key_str();
grpc_credentials *service_account_creds =
grpc_service_account_credentials_create(json_key_string, test_scope,
@ -595,13 +604,88 @@ static void test_service_accounts_creds_signing_failure(void) {
grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_failure);
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
httpcli_post_should_not_be_called);
grpc_credentials_get_request_metadata(service_account_creds,
grpc_credentials_get_request_metadata(service_account_creds, test_service_url,
on_oauth2_creds_get_metadata_failure,
(void *)test_user_data);
gpr_free(json_key_string);
grpc_credentials_unref(service_account_creds);
grpc_httpcli_set_override(NULL, NULL);
grpc_jwt_encode_and_sign_set_override(NULL);
}
static void on_jwt_creds_get_metadata_success(
void *user_data, grpc_mdelem **md_elems, size_t num_md,
grpc_credentials_status status) {
char *expected_md_value;
gpr_asprintf(&expected_md_value, "Bearer %s", test_signed_jwt);
GPR_ASSERT(status == GRPC_CREDENTIALS_OK);
GPR_ASSERT(num_md == 1);
GPR_ASSERT(
!strcmp(grpc_mdstr_as_c_string(md_elems[0]->key), "Authorization"));
GPR_ASSERT(
!strcmp(grpc_mdstr_as_c_string(md_elems[0]->value), expected_md_value));
GPR_ASSERT(user_data != NULL);
GPR_ASSERT(!strcmp((const char *)user_data, test_user_data));
gpr_free(expected_md_value);
}
static void on_jwt_creds_get_metadata_failure(
void *user_data, grpc_mdelem **md_elems, size_t num_md,
grpc_credentials_status status) {
GPR_ASSERT(status == GRPC_CREDENTIALS_ERROR);
GPR_ASSERT(num_md == 0);
GPR_ASSERT(user_data != NULL);
GPR_ASSERT(!strcmp((const char *)user_data, test_user_data));
}
static void test_jwt_creds_success(void) {
char *json_key_string = test_json_key_str();
grpc_credentials *jwt_creds = grpc_jwt_credentials_create(
json_key_string, grpc_max_auth_token_lifetime);
GPR_ASSERT(grpc_credentials_has_request_metadata(jwt_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(jwt_creds));
/* First request: jwt_encode_and_sign should be called. */
grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success);
grpc_credentials_get_request_metadata(jwt_creds, test_service_url,
on_jwt_creds_get_metadata_success,
(void *)test_user_data);
/* Second request: the cached token should be served directly. */
grpc_jwt_encode_and_sign_set_override(
encode_and_sign_jwt_should_not_be_called);
grpc_credentials_get_request_metadata(jwt_creds, test_service_url,
on_jwt_creds_get_metadata_success,
(void *)test_user_data);
/* Third request: Different service url so jwt_encode_and_sign should be
called again (no caching). */
grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success);
grpc_credentials_get_request_metadata(jwt_creds, other_test_service_url,
on_jwt_creds_get_metadata_success,
(void *)test_user_data);
gpr_free(json_key_string);
grpc_credentials_unref(jwt_creds);
grpc_jwt_encode_and_sign_set_override(NULL);
}
static void test_jwt_creds_signing_failure(void) {
char *json_key_string = test_json_key_str();
grpc_credentials *jwt_creds = grpc_jwt_credentials_create(
json_key_string, grpc_max_auth_token_lifetime);
GPR_ASSERT(grpc_credentials_has_request_metadata(jwt_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(jwt_creds));
grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_failure);
grpc_credentials_get_request_metadata(jwt_creds, test_service_url,
on_jwt_creds_get_metadata_failure,
(void *)test_user_data);
gpr_free(json_key_string);
grpc_credentials_unref(jwt_creds);
grpc_jwt_encode_and_sign_set_override(NULL);
}
int main(int argc, char **argv) {
@ -618,8 +702,10 @@ int main(int argc, char **argv) {
test_ssl_oauth2_iam_composite_creds();
test_compute_engine_creds_success();
test_compute_engine_creds_failure();
test_service_accounts_creds_success();
test_service_accounts_creds_http_failure();
test_service_accounts_creds_signing_failure();
test_service_account_creds_success();
test_service_account_creds_http_failure();
test_service_account_creds_signing_failure();
test_jwt_creds_success();
test_jwt_creds_signing_failure();
return 0;
}

2
test/core/security/fetch_oauth2.c
Unescape View File

@ -162,7 +162,7 @@ int main(int argc, char **argv) {
gpr_cv_init(&sync.cv);
sync.is_done = 0;
grpc_credentials_get_request_metadata(creds, on_oauth2_response, &sync);
grpc_credentials_get_request_metadata(creds, "", on_oauth2_response, &sync);
gpr_mu_lock(&sync.mu);
while (!sync.is_done) gpr_cv_wait(&sync.cv, &sync.mu, gpr_inf_future);

77
test/core/security/json_token_test.c
Unescape View File

@ -76,6 +76,8 @@ static const char test_json_key_str_part3[] =
static const char test_scope[] = "myperm1 myperm2";
static const char test_service_url[] = "https://foo.com/foo.v1";
static char *test_json_key_str(const char *bad_part3) {
const char *part3 = bad_part3 != NULL ? bad_part3 : test_json_key_str_part3;
size_t result_len = strlen(test_json_key_str_part1) +
@ -229,12 +231,15 @@ static void check_jwt_header(grpc_json *header) {
grpc_json *ptr;
grpc_json *alg = NULL;
grpc_json *typ = NULL;
grpc_json *kid = NULL;
for (ptr = header->child; ptr; ptr = ptr->next) {
if (strcmp(ptr->key, "alg") == 0) {
alg = ptr;
} else if (strcmp(ptr->key, "typ") == 0) {
typ = ptr;
} else if (strcmp(ptr->key, "kid") == 0) {
kid = ptr;
}
}
GPR_ASSERT(alg != NULL);
@ -244,9 +249,14 @@ static void check_jwt_header(grpc_json *header) {
GPR_ASSERT(typ != NULL);
GPR_ASSERT(typ->type == GRPC_JSON_STRING);
GPR_ASSERT(!strcmp(typ->value, "JWT"));
GPR_ASSERT(kid != NULL);
GPR_ASSERT(kid->type == GRPC_JSON_STRING);
GPR_ASSERT(!strcmp(kid->value, "e6b5137873db8d2ef81e06a47289e6434ec8a165"));
}
static void check_jwt_claim(grpc_json *claim) {
static void check_jwt_claim(grpc_json *claim, const char *expected_audience,
const char *expected_scope) {
gpr_timespec expiration = {0, 0};
gpr_timespec issue_time = {0, 0};
gpr_timespec parsed_lifetime;
@ -255,11 +265,14 @@ static void check_jwt_claim(grpc_json *claim) {
grpc_json *aud = NULL;
grpc_json *exp = NULL;
grpc_json *iat = NULL;
grpc_json *sub = NULL;
grpc_json *ptr;
for (ptr = claim->child; ptr; ptr = ptr->next) {
if (strcmp(ptr->key, "iss") == 0) {
iss = ptr;
} else if (strcmp(ptr->key, "sub") == 0) {
sub = ptr;
} else if (strcmp(ptr->key, "scope") == 0) {
scope = ptr;
} else if (strcmp(ptr->key, "aud") == 0) {
@ -278,14 +291,22 @@ static void check_jwt_claim(grpc_json *claim) {
iss->value,
"777-abaslkan11hlb6nmim3bpspl31ud@developer.gserviceaccount.com"));
GPR_ASSERT(scope != NULL);
GPR_ASSERT(scope->type == GRPC_JSON_STRING);
GPR_ASSERT(!strcmp(scope->value, test_scope));
if (expected_scope != NULL) {
GPR_ASSERT(scope != NULL);
GPR_ASSERT(sub == NULL);
GPR_ASSERT(scope->type == GRPC_JSON_STRING);
GPR_ASSERT(!strcmp(scope->value, expected_scope));
} else {
/* Claims without scope must have a sub. */
GPR_ASSERT(scope == NULL);
GPR_ASSERT(sub != NULL);
GPR_ASSERT(sub->type == GRPC_JSON_STRING);
GPR_ASSERT(!strcmp(iss->value, sub->value));
}
GPR_ASSERT(aud != NULL);
GPR_ASSERT(aud->type == GRPC_JSON_STRING);
GPR_ASSERT(!strcmp(aud->value,
"https://www.googleapis.com/oauth2/v3/token"));
GPR_ASSERT(!strcmp(aud->value, expected_audience));
GPR_ASSERT(exp != NULL);
GPR_ASSERT(exp->type == GRPC_JSON_NUMBER);
@ -324,7 +345,28 @@ static void check_jwt_signature(const char *b64_signature, RSA *rsa_key,
if (md_ctx != NULL) EVP_MD_CTX_destroy(md_ctx);
}
static void test_jwt_encode_and_sign(void) {
static char *service_account_creds_jwt_encode_and_sign(
const grpc_auth_json_key *key) {
return grpc_jwt_encode_and_sign(key, GRPC_JWT_OAUTH2_AUDIENCE,
grpc_max_auth_token_lifetime, test_scope);
}
static char *jwt_creds_jwt_encode_and_sign(const grpc_auth_json_key *key) {
return grpc_jwt_encode_and_sign(key, test_service_url,
grpc_max_auth_token_lifetime, NULL);
}
static void service_account_creds_check_jwt_claim(grpc_json *claim) {
check_jwt_claim(claim, GRPC_JWT_OAUTH2_AUDIENCE, test_scope);
}
static void jwt_creds_check_jwt_claim(grpc_json *claim) {
check_jwt_claim(claim, test_service_url, NULL);
}
static void test_jwt_encode_and_sign(
char *(*jwt_encode_and_sign_func)(const grpc_auth_json_key *),
void (*check_jwt_claim_func)(grpc_json *)) {
char *json_string = test_json_key_str(NULL);
grpc_json *parsed_header = NULL;
grpc_json *parsed_claim = NULL;
@ -333,8 +375,7 @@ static void test_jwt_encode_and_sign(void) {
grpc_auth_json_key_create_from_string(json_string);
const char *b64_signature;
size_t offset = 0;
char *jwt = grpc_jwt_encode_and_sign(&json_key, test_scope,
grpc_max_auth_token_lifetime);
char *jwt = jwt_encode_and_sign_func(&json_key);
const char *dot = strchr(jwt, '.');
GPR_ASSERT(dot != NULL);
parsed_header = parse_json_part_from_jwt(jwt, dot - jwt, &scratchpad);
@ -346,9 +387,10 @@ static void test_jwt_encode_and_sign(void) {
dot = strchr(jwt + offset, '.');
GPR_ASSERT(dot != NULL);
parsed_claim = parse_json_part_from_jwt(jwt + offset, dot - (jwt + offset), &scratchpad);
parsed_claim =
parse_json_part_from_jwt(jwt + offset, dot - (jwt + offset), &scratchpad);
GPR_ASSERT(parsed_claim != NULL);
check_jwt_claim(parsed_claim);
check_jwt_claim_func(parsed_claim);
offset = dot - jwt + 1;
grpc_json_destroy(parsed_claim);
gpr_free(scratchpad);
@ -363,6 +405,16 @@ static void test_jwt_encode_and_sign(void) {
gpr_free(jwt);
}
static void test_service_account_creds_jwt_encode_and_sign(void) {
test_jwt_encode_and_sign(service_account_creds_jwt_encode_and_sign,
service_account_creds_check_jwt_claim);
}
static void test_jwt_creds_jwt_encode_and_sign(void) {
test_jwt_encode_and_sign(jwt_creds_jwt_encode_and_sign,
jwt_creds_check_jwt_claim);
}
int main(int argc, char **argv) {
grpc_test_init(argc, argv);
test_parse_json_key_success();
@ -372,6 +424,7 @@ int main(int argc, char **argv) {
test_parse_json_key_failure_no_client_email();
test_parse_json_key_failure_no_private_key_id();
test_parse_json_key_failure_no_private_key();
test_jwt_encode_and_sign();
test_service_account_creds_jwt_encode_and_sign();
test_jwt_creds_jwt_encode_and_sign();
return 0;
}

Write Preview
Loading…
Cancel
Save