/* * * Copyright 2015 gRPC authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ #ifndef GRPCPP_SECURITY_CREDENTIALS_H #define GRPCPP_SECURITY_CREDENTIALS_H #include #include #include #include #include #include #include #include #include struct grpc_call; namespace grpc { class ChannelArguments; class Channel; class SecureChannelCredentials; class CallCredentials; class SecureCallCredentials; class ChannelCredentials; namespace experimental { std::shared_ptr CreateCustomChannelWithInterceptors( const grpc::string& target, const std::shared_ptr& creds, const ChannelArguments& args, std::vector< std::unique_ptr> interceptor_creators); } // namespace experimental /// A channel credentials object encapsulates all the state needed by a client /// to authenticate with a server for a given channel. /// It can make various assertions, e.g., about the client’s identity, role /// for all the calls on that channel. /// /// \see https://grpc.io/docs/guides/auth.html class ChannelCredentials : private GrpcLibraryCodegen { public: ChannelCredentials(); ~ChannelCredentials(); protected: friend std::shared_ptr CompositeChannelCredentials( const std::shared_ptr& channel_creds, const std::shared_ptr& call_creds); virtual SecureChannelCredentials* AsSecureCredentials() = 0; private: friend std::shared_ptr CreateCustomChannel( const grpc::string& target, const std::shared_ptr& creds, const ChannelArguments& args); friend std::shared_ptr experimental::CreateCustomChannelWithInterceptors( const grpc::string& target, const std::shared_ptr& creds, const ChannelArguments& args, std::vector< std::unique_ptr> interceptor_creators); virtual std::shared_ptr CreateChannel( const grpc::string& target, const ChannelArguments& args) = 0; // This function should have been a pure virtual function, but it is // implemented as a virtual function so that it does not break API. virtual std::shared_ptr CreateChannelWithInterceptors( const grpc::string& target, const ChannelArguments& args, std::vector< std::unique_ptr> interceptor_creators) { return nullptr; } }; /// A call credentials object encapsulates the state needed by a client to /// authenticate with a server for a given call on a channel. /// /// \see https://grpc.io/docs/guides/auth.html class CallCredentials : private GrpcLibraryCodegen { public: CallCredentials(); ~CallCredentials(); /// Apply this instance's credentials to \a call. virtual bool ApplyToCall(grpc_call* call) = 0; protected: friend std::shared_ptr CompositeChannelCredentials( const std::shared_ptr& channel_creds, const std::shared_ptr& call_creds); friend std::shared_ptr CompositeCallCredentials( const std::shared_ptr& creds1, const std::shared_ptr& creds2); virtual SecureCallCredentials* AsSecureCredentials() = 0; }; /// Options used to build SslCredentials. struct SslCredentialsOptions { /// The buffer containing the PEM encoding of the server root certificates. If /// this parameter is empty, the default roots will be used. The default /// roots can be overridden using the \a GRPC_DEFAULT_SSL_ROOTS_FILE_PATH /// environment variable pointing to a file on the file system containing the /// roots. grpc::string pem_root_certs; /// The buffer containing the PEM encoding of the client's private key. This /// parameter can be empty if the client does not have a private key. grpc::string pem_private_key; /// The buffer containing the PEM encoding of the client's certificate chain. /// This parameter can be empty if the client does not have a certificate /// chain. grpc::string pem_cert_chain; }; // Factories for building different types of Credentials The functions may // return empty shared_ptr when credentials cannot be created. If a // Credentials pointer is returned, it can still be invalid when used to create // a channel. A lame channel will be created then and all rpcs will fail on it. /// Builds credentials with reasonable defaults. /// /// \warning Only use these credentials when connecting to a Google endpoint. /// Using these credentials to connect to any other service may result in this /// service being able to impersonate your client for requests to Google /// services. std::shared_ptr GoogleDefaultCredentials(); /// Builds SSL Credentials given SSL specific options std::shared_ptr SslCredentials( const SslCredentialsOptions& options); /// Builds credentials for use when running in GCE /// /// \warning Only use these credentials when connecting to a Google endpoint. /// Using these credentials to connect to any other service may result in this /// service being able to impersonate your client for requests to Google /// services. std::shared_ptr GoogleComputeEngineCredentials(); /// Constant for maximum auth token lifetime. constexpr long kMaxAuthTokenLifetimeSecs = 3600; /// Builds Service Account JWT Access credentials. /// json_key is the JSON key string containing the client's private key. /// token_lifetime_seconds is the lifetime in seconds of each Json Web Token /// (JWT) created with this credentials. It should not exceed /// \a kMaxAuthTokenLifetimeSecs or will be cropped to this value. std::shared_ptr ServiceAccountJWTAccessCredentials( const grpc::string& json_key, long token_lifetime_seconds = kMaxAuthTokenLifetimeSecs); /// Builds refresh token credentials. /// json_refresh_token is the JSON string containing the refresh token along /// with a client_id and client_secret. /// /// \warning Only use these credentials when connecting to a Google endpoint. /// Using these credentials to connect to any other service may result in this /// service being able to impersonate your client for requests to Google /// services. std::shared_ptr GoogleRefreshTokenCredentials( const grpc::string& json_refresh_token); /// Builds access token credentials. /// access_token is an oauth2 access token that was fetched using an out of band /// mechanism. /// /// \warning Only use these credentials when connecting to a Google endpoint. /// Using these credentials to connect to any other service may result in this /// service being able to impersonate your client for requests to Google /// services. std::shared_ptr AccessTokenCredentials( const grpc::string& access_token); /// Builds IAM credentials. /// /// \warning Only use these credentials when connecting to a Google endpoint. /// Using these credentials to connect to any other service may result in this /// service being able to impersonate your client for requests to Google /// services. std::shared_ptr GoogleIAMCredentials( const grpc::string& authorization_token, const grpc::string& authority_selector); /// Combines a channel credentials and a call credentials into a composite /// channel credentials. std::shared_ptr CompositeChannelCredentials( const std::shared_ptr& channel_creds, const std::shared_ptr& call_creds); /// Combines two call credentials objects into a composite call credentials. std::shared_ptr CompositeCallCredentials( const std::shared_ptr& creds1, const std::shared_ptr& creds2); /// Credentials for an unencrypted, unauthenticated channel std::shared_ptr InsecureChannelCredentials(); /// Credentials for a channel using Cronet. std::shared_ptr CronetChannelCredentials(void* engine); /// User defined metadata credentials. class MetadataCredentialsPlugin { public: virtual ~MetadataCredentialsPlugin() {} /// If this method returns true, the Process function will be scheduled in /// a different thread from the one processing the call. virtual bool IsBlocking() const { return true; } /// Type of credentials this plugin is implementing. virtual const char* GetType() const { return ""; } /// Gets the auth metatada produced by this plugin. /// The fully qualified method name is: /// service_url + "/" + method_name. /// The channel_auth_context contains (among other things), the identity of /// the server. virtual Status GetMetadata( grpc::string_ref service_url, grpc::string_ref method_name, const AuthContext& channel_auth_context, std::multimap* metadata) = 0; }; std::shared_ptr MetadataCredentialsFromPlugin( std::unique_ptr plugin); namespace experimental { /// Options used to build AltsCredentials. struct AltsCredentialsOptions { /// service accounts of target endpoint that will be acceptable /// by the client. If service accounts are provided and none of them matches /// that of the server, authentication will fail. std::vector target_service_accounts; }; /// Builds ALTS Credentials given ALTS specific options std::shared_ptr AltsCredentials( const AltsCredentialsOptions& options); /// Builds Local Credentials. std::shared_ptr LocalCredentials( grpc_local_connect_type type); } // namespace experimental } // namespace grpc #endif // GRPCPP_SECURITY_CREDENTIALS_H