/* * * Copyright 2015, Google Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are * met: * * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following disclaimer * in the documentation and/or other materials provided with the * distribution. * * Neither the name of Google Inc. nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * */ #include "src/core/security/credentials.h" #include #include "src/core/httpcli/httpcli.h" #include "src/core/security/json_token.h" #include "src/core/support/env.h" #include "src/core/support/file.h" #include "src/core/support/string.h" #include "test/core/util/test_config.h" #include #include #include #include #include static const char test_iam_authorization_token[] = "blahblahblhahb"; static const char test_iam_authority_selector[] = "respectmyauthoritah"; static const char test_oauth2_bearer_token[] = "Bearer blaaslkdjfaslkdfasdsfasf"; static const char test_root_cert[] = "I am the root!"; /* This JSON key was generated with the GCE console and revoked immediately. The identifiers have been changed as well. Maximum size for a string literal is 509 chars in C89, yay! */ static const char test_json_key_str_part1[] = "{ \"private_key\": \"-----BEGIN PRIVATE KEY-----" "\\nMIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAOEvJsnoHnyHkXcp\\n7mJE" "qg" "WGjiw71NfXByguekSKho65FxaGbsnSM9SMQAqVk7Q2rG+I0OpsT0LrWQtZ\\nyjSeg/" "rWBQvS4hle4LfijkP3J5BG+" "IXDMP8RfziNRQsenAXDNPkY4kJCvKux2xdD\\nOnVF6N7dL3nTYZg+" "uQrNsMTz9UxVAgMBAAECgYEAzbLewe1xe9vy+2GoSsfib+28\\nDZgSE6Bu/" "zuFoPrRc6qL9p2SsnV7txrunTyJkkOnPLND9ABAXybRTlcVKP/sGgza\\n/" "8HpCqFYM9V8f34SBWfD4fRFT+n/" "73cfRUtGXdXpseva2lh8RilIQfPhNZAncenU\\ngqXjDvpkypEusgXAykECQQD+"; static const char test_json_key_str_part2[] = "53XxNVnxBHsYb+AYEfklR96yVi8HywjVHP34+OQZ\\nCslxoHQM8s+" "dBnjfScLu22JqkPv04xyxmt0QAKm9+vTdAkEA4ib7YvEAn2jXzcCI\\nEkoy2L/" "XydR1GCHoacdfdAwiL2npOdnbvi4ZmdYRPY1LSTO058tQHKVXV7NLeCa3\\nAARh2QJBAMKeDA" "G" "W303SQv2cZTdbeaLKJbB5drz3eo3j7dDKjrTD9JupixFbzcGw\\n8FZi5c8idxiwC36kbAL6Hz" "A" "ZoX+ofI0CQE6KCzPJTtYNqyShgKAZdJ8hwOcvCZtf\\n6z8RJm0+" "6YBd38lfh5j8mZd7aHFf6I17j5AQY7oPEc47TjJj/" "5nZ68ECQQDvYuI3\\nLyK5fS8g0SYbmPOL9TlcHDOqwG0mrX9qpg5DC2fniXNSrrZ64GTDKdzZ" "Y" "Ap6LI9W\\nIqv4vr6y38N79TTC\\n-----END PRIVATE KEY-----\\n\", "; static const char test_json_key_str_part3[] = "\"private_key_id\": \"e6b5137873db8d2ef81e06a47289e6434ec8a165\", " "\"client_email\": " "\"777-abaslkan11hlb6nmim3bpspl31ud@developer.gserviceaccount." "com\", \"client_id\": " "\"777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent." "com\", \"type\": \"service_account\" }"; /* Test refresh token. */ static const char test_refresh_token_str[] = "{ \"client_id\": \"32555999999.apps.googleusercontent.com\"," " \"client_secret\": \"EmssLNjJy1332hD4KFsecret\"," " \"refresh_token\": \"1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42\"," " \"type\": \"authorized_user\"}"; static const char valid_oauth2_json_response[] = "{\"access_token\":\"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_\"," " \"expires_in\":3599, " " \"token_type\":\"Bearer\"}"; static const char test_user_data[] = "user data"; static const char test_scope[] = "perm1 perm2"; static const char test_signed_jwt[] = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImY0OTRkN2M1YWU2MGRmOTcyNmM4YW" "U0MDcyZTViYTdmZDkwODg2YzcifQ"; static const char test_service_url[] = "https://foo.com/foo.v1"; static const char other_test_service_url[] = "https://bar.com/bar.v1"; static char *test_json_key_str(void) { size_t result_len = strlen(test_json_key_str_part1) + strlen(test_json_key_str_part2) + strlen(test_json_key_str_part3); char *result = gpr_malloc(result_len + 1); char *current = result; strcpy(result, test_json_key_str_part1); current += strlen(test_json_key_str_part1); strcpy(current, test_json_key_str_part2); current += strlen(test_json_key_str_part2); strcpy(current, test_json_key_str_part3); return result; } typedef struct { const char *key; const char *value; } expected_md; static grpc_httpcli_response http_response(int status, const char *body) { grpc_httpcli_response response; memset(&response, 0, sizeof(grpc_httpcli_response)); response.status = status; response.body = (char *)body; response.body_length = strlen(body); return response; } static void test_empty_md_store(void) { grpc_credentials_md_store *store = grpc_credentials_md_store_create(0); GPR_ASSERT(store->num_entries == 0); GPR_ASSERT(store->allocated == 0); grpc_credentials_md_store_unref(store); } static void test_ref_unref_empty_md_store(void) { grpc_credentials_md_store *store = grpc_credentials_md_store_create(0); grpc_credentials_md_store_ref(store); grpc_credentials_md_store_ref(store); GPR_ASSERT(store->num_entries == 0); GPR_ASSERT(store->allocated == 0); grpc_credentials_md_store_unref(store); grpc_credentials_md_store_unref(store); grpc_credentials_md_store_unref(store); } static void test_add_to_empty_md_store(void) { grpc_credentials_md_store *store = grpc_credentials_md_store_create(0); const char *key_str = "hello"; const char *value_str = "there blah blah blah blah blah blah blah"; gpr_slice key = gpr_slice_from_copied_string(key_str); gpr_slice value = gpr_slice_from_copied_string(value_str); grpc_credentials_md_store_add(store, key, value); GPR_ASSERT(store->num_entries == 1); GPR_ASSERT(gpr_slice_cmp(key, store->entries[0].key) == 0); GPR_ASSERT(gpr_slice_cmp(value, store->entries[0].value) == 0); gpr_slice_unref(key); gpr_slice_unref(value); grpc_credentials_md_store_unref(store); } static void test_add_cstrings_to_empty_md_store(void) { grpc_credentials_md_store *store = grpc_credentials_md_store_create(0); const char *key_str = "hello"; const char *value_str = "there blah blah blah blah blah blah blah"; grpc_credentials_md_store_add_cstrings(store, key_str, value_str); GPR_ASSERT(store->num_entries == 1); GPR_ASSERT(gpr_slice_str_cmp(store->entries[0].key, key_str) == 0); GPR_ASSERT(gpr_slice_str_cmp(store->entries[0].value, value_str) == 0); grpc_credentials_md_store_unref(store); } static void test_empty_preallocated_md_store(void) { grpc_credentials_md_store *store = grpc_credentials_md_store_create(4); GPR_ASSERT(store->num_entries == 0); GPR_ASSERT(store->allocated == 4); GPR_ASSERT(store->entries != NULL); grpc_credentials_md_store_unref(store); } static void test_add_abunch_to_md_store(void) { grpc_credentials_md_store *store = grpc_credentials_md_store_create(4); size_t num_entries = 1000; const char *key_str = "hello"; const char *value_str = "there blah blah blah blah blah blah blah"; size_t i; for (i = 0; i < num_entries; i++) { grpc_credentials_md_store_add_cstrings(store, key_str, value_str); } for (i = 0; i < num_entries; i++) { GPR_ASSERT(gpr_slice_str_cmp(store->entries[i].key, key_str) == 0); GPR_ASSERT(gpr_slice_str_cmp(store->entries[i].value, value_str) == 0); } grpc_credentials_md_store_unref(store); } static void test_oauth2_token_fetcher_creds_parsing_ok(void) { grpc_credentials_md_store *token_md = NULL; gpr_timespec token_lifetime; grpc_httpcli_response response = http_response(200, valid_oauth2_json_response); GPR_ASSERT(grpc_oauth2_token_fetcher_credentials_parse_server_response( &response, &token_md, &token_lifetime) == GRPC_CREDENTIALS_OK); GPR_ASSERT(token_lifetime.tv_sec == 3599); GPR_ASSERT(token_lifetime.tv_nsec == 0); GPR_ASSERT(token_md->num_entries == 1); GPR_ASSERT(gpr_slice_str_cmp(token_md->entries[0].key, "Authorization") == 0); GPR_ASSERT(gpr_slice_str_cmp(token_md->entries[0].value, "Bearer ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_") == 0); grpc_credentials_md_store_unref(token_md); } static void test_oauth2_token_fetcher_creds_parsing_bad_http_status(void) { grpc_credentials_md_store *token_md = NULL; gpr_timespec token_lifetime; grpc_httpcli_response response = http_response(401, valid_oauth2_json_response); GPR_ASSERT(grpc_oauth2_token_fetcher_credentials_parse_server_response( &response, &token_md, &token_lifetime) == GRPC_CREDENTIALS_ERROR); } static void test_oauth2_token_fetcher_creds_parsing_empty_http_body(void) { grpc_credentials_md_store *token_md = NULL; gpr_timespec token_lifetime; grpc_httpcli_response response = http_response(200, ""); GPR_ASSERT(grpc_oauth2_token_fetcher_credentials_parse_server_response( &response, &token_md, &token_lifetime) == GRPC_CREDENTIALS_ERROR); } static void test_oauth2_token_fetcher_creds_parsing_invalid_json(void) { grpc_credentials_md_store *token_md = NULL; gpr_timespec token_lifetime; grpc_httpcli_response response = http_response(200, "{\"access_token\":\"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_\"," " \"expires_in\":3599, " " \"token_type\":\"Bearer\""); GPR_ASSERT(grpc_oauth2_token_fetcher_credentials_parse_server_response( &response, &token_md, &token_lifetime) == GRPC_CREDENTIALS_ERROR); } static void test_oauth2_token_fetcher_creds_parsing_missing_token(void) { grpc_credentials_md_store *token_md = NULL; gpr_timespec token_lifetime; grpc_httpcli_response response = http_response(200, "{" " \"expires_in\":3599, " " \"token_type\":\"Bearer\"}"); GPR_ASSERT(grpc_oauth2_token_fetcher_credentials_parse_server_response( &response, &token_md, &token_lifetime) == GRPC_CREDENTIALS_ERROR); } static void test_oauth2_token_fetcher_creds_parsing_missing_token_type(void) { grpc_credentials_md_store *token_md = NULL; gpr_timespec token_lifetime; grpc_httpcli_response response = http_response(200, "{\"access_token\":\"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_\"," " \"expires_in\":3599, " "}"); GPR_ASSERT(grpc_oauth2_token_fetcher_credentials_parse_server_response( &response, &token_md, &token_lifetime) == GRPC_CREDENTIALS_ERROR); } static void test_oauth2_token_fetcher_creds_parsing_missing_token_lifetime( void) { grpc_credentials_md_store *token_md = NULL; gpr_timespec token_lifetime; grpc_httpcli_response response = http_response(200, "{\"access_token\":\"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_\"," " \"token_type\":\"Bearer\"}"); GPR_ASSERT(grpc_oauth2_token_fetcher_credentials_parse_server_response( &response, &token_md, &token_lifetime) == GRPC_CREDENTIALS_ERROR); } static void check_metadata(expected_md *expected, grpc_credentials_md *md_elems, size_t num_md) { size_t i; for (i = 0; i < num_md; i++) { size_t j; for (j = 0; j < num_md; j++) { if (0 == gpr_slice_str_cmp(md_elems[j].key, expected[i].key)) { GPR_ASSERT(gpr_slice_str_cmp(md_elems[j].value, expected[i].value) == 0); break; } } if (j == num_md) { gpr_log(GPR_ERROR, "key %s not found", expected[i].key); GPR_ASSERT(0); } } } static void check_iam_metadata(void *user_data, grpc_credentials_md *md_elems, size_t num_md, grpc_credentials_status status) { grpc_credentials *c = (grpc_credentials *)user_data; expected_md emd[] = { {GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY, test_iam_authorization_token}, {GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY, test_iam_authority_selector}}; GPR_ASSERT(status == GRPC_CREDENTIALS_OK); GPR_ASSERT(num_md == 2); check_metadata(emd, md_elems, num_md); grpc_credentials_unref(c); } static void test_iam_creds(void) { grpc_credentials *creds = grpc_iam_credentials_create( test_iam_authorization_token, test_iam_authority_selector); GPR_ASSERT(grpc_credentials_has_request_metadata(creds)); GPR_ASSERT(grpc_credentials_has_request_metadata_only(creds)); grpc_credentials_get_request_metadata(creds, NULL, test_service_url, check_iam_metadata, creds); } static void check_access_token_metadata(void *user_data, grpc_credentials_md *md_elems, size_t num_md, grpc_credentials_status status) { grpc_credentials *c = (grpc_credentials *)user_data; expected_md emd[] = {{GRPC_AUTHORIZATION_METADATA_KEY, "Bearer blah"}}; GPR_ASSERT(status == GRPC_CREDENTIALS_OK); GPR_ASSERT(num_md == 1); check_metadata(emd, md_elems, num_md); grpc_credentials_unref(c); } static void test_access_token_creds(void) { grpc_credentials *creds = grpc_access_token_credentials_create("blah"); GPR_ASSERT(grpc_credentials_has_request_metadata(creds)); GPR_ASSERT(grpc_credentials_has_request_metadata_only(creds)); GPR_ASSERT(strcmp(creds->type, GRPC_CREDENTIALS_TYPE_OAUTH2) == 0); grpc_credentials_get_request_metadata(creds, NULL, test_service_url, check_access_token_metadata, creds); } static void check_ssl_oauth2_composite_metadata( void *user_data, grpc_credentials_md *md_elems, size_t num_md, grpc_credentials_status status) { grpc_credentials *c = (grpc_credentials *)user_data; expected_md emd[] = { {GRPC_AUTHORIZATION_METADATA_KEY, test_oauth2_bearer_token}}; GPR_ASSERT(status == GRPC_CREDENTIALS_OK); GPR_ASSERT(num_md == 1); check_metadata(emd, md_elems, num_md); grpc_credentials_unref(c); } static void test_ssl_oauth2_composite_creds(void) { grpc_credentials *ssl_creds = grpc_ssl_credentials_create(test_root_cert, NULL); const grpc_credentials_array *creds_array; grpc_credentials *oauth2_creds = grpc_fake_oauth2_credentials_create(test_oauth2_bearer_token, 0); grpc_credentials *composite_creds = grpc_composite_credentials_create(ssl_creds, oauth2_creds); grpc_credentials_unref(ssl_creds); grpc_credentials_unref(oauth2_creds); GPR_ASSERT(strcmp(composite_creds->type, GRPC_CREDENTIALS_TYPE_COMPOSITE) == 0); GPR_ASSERT(grpc_credentials_has_request_metadata(composite_creds)); GPR_ASSERT(!grpc_credentials_has_request_metadata_only(composite_creds)); creds_array = grpc_composite_credentials_get_credentials(composite_creds); GPR_ASSERT(creds_array->num_creds == 2); GPR_ASSERT(strcmp(creds_array->creds_array[0]->type, GRPC_CREDENTIALS_TYPE_SSL) == 0); GPR_ASSERT(strcmp(creds_array->creds_array[1]->type, GRPC_CREDENTIALS_TYPE_OAUTH2) == 0); grpc_credentials_get_request_metadata(composite_creds, NULL, test_service_url, check_ssl_oauth2_composite_metadata, composite_creds); } void test_ssl_fake_transport_security_composite_creds_failure(void) { grpc_credentials *ssl_creds = grpc_ssl_credentials_create(NULL, NULL); grpc_credentials *fake_transport_security_creds = grpc_fake_transport_security_credentials_create(); /* 2 connector credentials: should not work. */ GPR_ASSERT(grpc_composite_credentials_create( ssl_creds, fake_transport_security_creds) == NULL); grpc_credentials_unref(ssl_creds); grpc_credentials_unref(fake_transport_security_creds); } static void check_ssl_oauth2_iam_composite_metadata( void *user_data, grpc_credentials_md *md_elems, size_t num_md, grpc_credentials_status status) { grpc_credentials *c = (grpc_credentials *)user_data; expected_md emd[] = { {GRPC_AUTHORIZATION_METADATA_KEY, test_oauth2_bearer_token}, {GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY, test_iam_authorization_token}, {GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY, test_iam_authority_selector}}; GPR_ASSERT(status == GRPC_CREDENTIALS_OK); GPR_ASSERT(num_md == 3); check_metadata(emd, md_elems, num_md); grpc_credentials_unref(c); } static void test_ssl_oauth2_iam_composite_creds(void) { grpc_credentials *ssl_creds = grpc_ssl_credentials_create(test_root_cert, NULL); const grpc_credentials_array *creds_array; grpc_credentials *oauth2_creds = grpc_fake_oauth2_credentials_create(test_oauth2_bearer_token, 0); grpc_credentials *aux_creds = grpc_composite_credentials_create(ssl_creds, oauth2_creds); grpc_credentials *iam_creds = grpc_iam_credentials_create( test_iam_authorization_token, test_iam_authority_selector); grpc_credentials *composite_creds = grpc_composite_credentials_create(aux_creds, iam_creds); grpc_credentials_unref(ssl_creds); grpc_credentials_unref(oauth2_creds); grpc_credentials_unref(aux_creds); grpc_credentials_unref(iam_creds); GPR_ASSERT(strcmp(composite_creds->type, GRPC_CREDENTIALS_TYPE_COMPOSITE) == 0); GPR_ASSERT(grpc_credentials_has_request_metadata(composite_creds)); GPR_ASSERT(!grpc_credentials_has_request_metadata_only(composite_creds)); creds_array = grpc_composite_credentials_get_credentials(composite_creds); GPR_ASSERT(creds_array->num_creds == 3); GPR_ASSERT(strcmp(creds_array->creds_array[0]->type, GRPC_CREDENTIALS_TYPE_SSL) == 0); GPR_ASSERT(strcmp(creds_array->creds_array[1]->type, GRPC_CREDENTIALS_TYPE_OAUTH2) == 0); GPR_ASSERT(strcmp(creds_array->creds_array[2]->type, GRPC_CREDENTIALS_TYPE_IAM) == 0); grpc_credentials_get_request_metadata(composite_creds, NULL, test_service_url, check_ssl_oauth2_iam_composite_metadata, composite_creds); } static void on_oauth2_creds_get_metadata_success( void *user_data, grpc_credentials_md *md_elems, size_t num_md, grpc_credentials_status status) { GPR_ASSERT(status == GRPC_CREDENTIALS_OK); GPR_ASSERT(num_md == 1); GPR_ASSERT(gpr_slice_str_cmp(md_elems[0].key, "Authorization") == 0); GPR_ASSERT(gpr_slice_str_cmp(md_elems[0].value, "Bearer ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_") == 0); GPR_ASSERT(user_data != NULL); GPR_ASSERT(strcmp((const char *)user_data, test_user_data) == 0); } static void on_oauth2_creds_get_metadata_failure( void *user_data, grpc_credentials_md *md_elems, size_t num_md, grpc_credentials_status status) { GPR_ASSERT(status == GRPC_CREDENTIALS_ERROR); GPR_ASSERT(num_md == 0); GPR_ASSERT(user_data != NULL); GPR_ASSERT(strcmp((const char *)user_data, test_user_data) == 0); } static void validate_compute_engine_http_request( const grpc_httpcli_request *request) { GPR_ASSERT(!request->use_ssl); GPR_ASSERT(strcmp(request->host, "metadata") == 0); GPR_ASSERT( strcmp(request->path, "/computeMetadata/v1/instance/service-accounts/default/token") == 0); GPR_ASSERT(request->hdr_count == 1); GPR_ASSERT(strcmp(request->hdrs[0].key, "Metadata-Flavor") == 0); GPR_ASSERT(strcmp(request->hdrs[0].value, "Google") == 0); } static int compute_engine_httpcli_get_success_override( const grpc_httpcli_request *request, gpr_timespec deadline, grpc_httpcli_response_cb on_response, void *user_data) { grpc_httpcli_response response = http_response(200, valid_oauth2_json_response); validate_compute_engine_http_request(request); on_response(user_data, &response); return 1; } static int compute_engine_httpcli_get_failure_override( const grpc_httpcli_request *request, gpr_timespec deadline, grpc_httpcli_response_cb on_response, void *user_data) { grpc_httpcli_response response = http_response(403, "Not Authorized."); validate_compute_engine_http_request(request); on_response(user_data, &response); return 1; } static int httpcli_post_should_not_be_called( const grpc_httpcli_request *request, const char *body_bytes, size_t body_size, gpr_timespec deadline, grpc_httpcli_response_cb on_response, void *user_data) { GPR_ASSERT("HTTP POST should not be called" == NULL); return 1; } static int httpcli_get_should_not_be_called( const grpc_httpcli_request *request, gpr_timespec deadline, grpc_httpcli_response_cb on_response, void *user_data) { GPR_ASSERT("HTTP GET should not be called" == NULL); return 1; } static void test_compute_engine_creds_success(void) { grpc_credentials *compute_engine_creds = grpc_compute_engine_credentials_create(); GPR_ASSERT(grpc_credentials_has_request_metadata(compute_engine_creds)); GPR_ASSERT(grpc_credentials_has_request_metadata_only(compute_engine_creds)); /* First request: http get should be called. */ grpc_httpcli_set_override(compute_engine_httpcli_get_success_override, httpcli_post_should_not_be_called); grpc_credentials_get_request_metadata( compute_engine_creds, NULL, test_service_url, on_oauth2_creds_get_metadata_success, (void *)test_user_data); /* Second request: the cached token should be served directly. */ grpc_httpcli_set_override(httpcli_get_should_not_be_called, httpcli_post_should_not_be_called); grpc_credentials_get_request_metadata( compute_engine_creds, NULL, test_service_url, on_oauth2_creds_get_metadata_success, (void *)test_user_data); grpc_credentials_unref(compute_engine_creds); grpc_httpcli_set_override(NULL, NULL); } static void test_compute_engine_creds_failure(void) { grpc_credentials *compute_engine_creds = grpc_compute_engine_credentials_create(); grpc_httpcli_set_override(compute_engine_httpcli_get_failure_override, httpcli_post_should_not_be_called); GPR_ASSERT(grpc_credentials_has_request_metadata(compute_engine_creds)); GPR_ASSERT(grpc_credentials_has_request_metadata_only(compute_engine_creds)); grpc_credentials_get_request_metadata( compute_engine_creds, NULL, test_service_url, on_oauth2_creds_get_metadata_failure, (void *)test_user_data); grpc_credentials_unref(compute_engine_creds); grpc_httpcli_set_override(NULL, NULL); } static void validate_refresh_token_http_request( const grpc_httpcli_request *request, const char *body, size_t body_size) { /* The content of the assertion is tested extensively in json_token_test. */ char *expected_body = NULL; GPR_ASSERT(body != NULL); GPR_ASSERT(body_size != 0); gpr_asprintf(&expected_body, GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING, "32555999999.apps.googleusercontent.com", "EmssLNjJy1332hD4KFsecret", "1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42"); GPR_ASSERT(strlen(expected_body) == body_size); GPR_ASSERT(memcmp(expected_body, body, body_size) == 0); gpr_free(expected_body); GPR_ASSERT(request->use_ssl); GPR_ASSERT(strcmp(request->host, GRPC_GOOGLE_OAUTH2_SERVICE_HOST) == 0); GPR_ASSERT(strcmp(request->path, GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH) == 0); GPR_ASSERT(request->hdr_count == 1); GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0); GPR_ASSERT( strcmp(request->hdrs[0].value, "application/x-www-form-urlencoded") == 0); } static int refresh_token_httpcli_post_success( const grpc_httpcli_request *request, const char *body, size_t body_size, gpr_timespec deadline, grpc_httpcli_response_cb on_response, void *user_data) { grpc_httpcli_response response = http_response(200, valid_oauth2_json_response); validate_refresh_token_http_request(request, body, body_size); on_response(user_data, &response); return 1; } static int refresh_token_httpcli_post_failure( const grpc_httpcli_request *request, const char *body, size_t body_size, gpr_timespec deadline, grpc_httpcli_response_cb on_response, void *user_data) { grpc_httpcli_response response = http_response(403, "Not Authorized."); validate_refresh_token_http_request(request, body, body_size); on_response(user_data, &response); return 1; } static void test_refresh_token_creds_success(void) { grpc_credentials *refresh_token_creds = grpc_refresh_token_credentials_create(test_refresh_token_str); GPR_ASSERT(grpc_credentials_has_request_metadata(refresh_token_creds)); GPR_ASSERT(grpc_credentials_has_request_metadata_only(refresh_token_creds)); /* First request: http get should be called. */ grpc_httpcli_set_override(httpcli_get_should_not_be_called, refresh_token_httpcli_post_success); grpc_credentials_get_request_metadata( refresh_token_creds, NULL, test_service_url, on_oauth2_creds_get_metadata_success, (void *)test_user_data); /* Second request: the cached token should be served directly. */ grpc_httpcli_set_override(httpcli_get_should_not_be_called, httpcli_post_should_not_be_called); grpc_credentials_get_request_metadata( refresh_token_creds, NULL, test_service_url, on_oauth2_creds_get_metadata_success, (void *)test_user_data); grpc_credentials_unref(refresh_token_creds); grpc_httpcli_set_override(NULL, NULL); } static void test_refresh_token_creds_failure(void) { grpc_credentials *refresh_token_creds = grpc_refresh_token_credentials_create(test_refresh_token_str); grpc_httpcli_set_override(httpcli_get_should_not_be_called, refresh_token_httpcli_post_failure); GPR_ASSERT(grpc_credentials_has_request_metadata(refresh_token_creds)); GPR_ASSERT(grpc_credentials_has_request_metadata_only(refresh_token_creds)); grpc_credentials_get_request_metadata( refresh_token_creds, NULL, test_service_url, on_oauth2_creds_get_metadata_failure, (void *)test_user_data); grpc_credentials_unref(refresh_token_creds); grpc_httpcli_set_override(NULL, NULL); } static void validate_jwt_encode_and_sign_params( const grpc_auth_json_key *json_key, const char *scope, gpr_timespec token_lifetime) { GPR_ASSERT(grpc_auth_json_key_is_valid(json_key)); GPR_ASSERT(json_key->private_key != NULL); GPR_ASSERT(RSA_check_key(json_key->private_key)); GPR_ASSERT(json_key->type != NULL && strcmp(json_key->type, "service_account") == 0); GPR_ASSERT(json_key->private_key_id != NULL && strcmp(json_key->private_key_id, "e6b5137873db8d2ef81e06a47289e6434ec8a165") == 0); GPR_ASSERT(json_key->client_id != NULL && strcmp(json_key->client_id, "777-abaslkan11hlb6nmim3bpspl31ud.apps." "googleusercontent.com") == 0); GPR_ASSERT(json_key->client_email != NULL && strcmp(json_key->client_email, "777-abaslkan11hlb6nmim3bpspl31ud@developer." "gserviceaccount.com") == 0); if (scope != NULL) GPR_ASSERT(strcmp(scope, test_scope) == 0); GPR_ASSERT(!gpr_time_cmp(token_lifetime, grpc_max_auth_token_lifetime)); } static char *encode_and_sign_jwt_success(const grpc_auth_json_key *json_key, const char *audience, gpr_timespec token_lifetime, const char *scope) { validate_jwt_encode_and_sign_params(json_key, scope, token_lifetime); return gpr_strdup(test_signed_jwt); } static char *encode_and_sign_jwt_failure(const grpc_auth_json_key *json_key, const char *audience, gpr_timespec token_lifetime, const char *scope) { validate_jwt_encode_and_sign_params(json_key, scope, token_lifetime); return NULL; } static char *encode_and_sign_jwt_should_not_be_called( const grpc_auth_json_key *json_key, const char *audience, gpr_timespec token_lifetime, const char *scope) { GPR_ASSERT("grpc_jwt_encode_and_sign should not be called" == NULL); } static void validate_service_account_http_request( const grpc_httpcli_request *request, const char *body, size_t body_size) { /* The content of the assertion is tested extensively in json_token_test. */ char *expected_body = NULL; GPR_ASSERT(body != NULL); GPR_ASSERT(body_size != 0); gpr_asprintf(&expected_body, "%s%s", GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX, test_signed_jwt); GPR_ASSERT(strlen(expected_body) == body_size); GPR_ASSERT(memcmp(expected_body, body, body_size) == 0); gpr_free(expected_body); GPR_ASSERT(request->use_ssl); GPR_ASSERT(strcmp(request->host, GRPC_GOOGLE_OAUTH2_SERVICE_HOST) == 0); GPR_ASSERT(strcmp(request->path, GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH) == 0); GPR_ASSERT(request->hdr_count == 1); GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0); GPR_ASSERT( strcmp(request->hdrs[0].value, "application/x-www-form-urlencoded") == 0); } static int service_account_httpcli_post_success( const grpc_httpcli_request *request, const char *body, size_t body_size, gpr_timespec deadline, grpc_httpcli_response_cb on_response, void *user_data) { grpc_httpcli_response response = http_response(200, valid_oauth2_json_response); validate_service_account_http_request(request, body, body_size); on_response(user_data, &response); return 1; } static int service_account_httpcli_post_failure( const grpc_httpcli_request *request, const char *body, size_t body_size, gpr_timespec deadline, grpc_httpcli_response_cb on_response, void *user_data) { grpc_httpcli_response response = http_response(403, "Not Authorized."); validate_service_account_http_request(request, body, body_size); on_response(user_data, &response); return 1; } static void test_service_account_creds_success(void) { char *json_key_string = test_json_key_str(); grpc_credentials *service_account_creds = grpc_service_account_credentials_create(json_key_string, test_scope, grpc_max_auth_token_lifetime); GPR_ASSERT(grpc_credentials_has_request_metadata(service_account_creds)); GPR_ASSERT(grpc_credentials_has_request_metadata_only(service_account_creds)); /* First request: http get should be called. */ grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success); grpc_httpcli_set_override(httpcli_get_should_not_be_called, service_account_httpcli_post_success); grpc_credentials_get_request_metadata( service_account_creds, NULL, test_service_url, on_oauth2_creds_get_metadata_success, (void *)test_user_data); /* Second request: the cached token should be served directly. */ grpc_jwt_encode_and_sign_set_override( encode_and_sign_jwt_should_not_be_called); grpc_httpcli_set_override(httpcli_get_should_not_be_called, httpcli_post_should_not_be_called); grpc_credentials_get_request_metadata( service_account_creds, NULL, test_service_url, on_oauth2_creds_get_metadata_success, (void *)test_user_data); gpr_free(json_key_string); grpc_credentials_unref(service_account_creds); grpc_jwt_encode_and_sign_set_override(NULL); grpc_httpcli_set_override(NULL, NULL); } static void test_service_account_creds_http_failure(void) { char *json_key_string = test_json_key_str(); grpc_credentials *service_account_creds = grpc_service_account_credentials_create(json_key_string, test_scope, grpc_max_auth_token_lifetime); GPR_ASSERT(grpc_credentials_has_request_metadata(service_account_creds)); GPR_ASSERT(grpc_credentials_has_request_metadata_only(service_account_creds)); grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success); grpc_httpcli_set_override(httpcli_get_should_not_be_called, service_account_httpcli_post_failure); grpc_credentials_get_request_metadata( service_account_creds, NULL, test_service_url, on_oauth2_creds_get_metadata_failure, (void *)test_user_data); gpr_free(json_key_string); grpc_credentials_unref(service_account_creds); grpc_httpcli_set_override(NULL, NULL); } static void test_service_account_creds_signing_failure(void) { char *json_key_string = test_json_key_str(); grpc_credentials *service_account_creds = grpc_service_account_credentials_create(json_key_string, test_scope, grpc_max_auth_token_lifetime); GPR_ASSERT(grpc_credentials_has_request_metadata(service_account_creds)); GPR_ASSERT(grpc_credentials_has_request_metadata_only(service_account_creds)); grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_failure); grpc_httpcli_set_override(httpcli_get_should_not_be_called, httpcli_post_should_not_be_called); grpc_credentials_get_request_metadata( service_account_creds, NULL, test_service_url, on_oauth2_creds_get_metadata_failure, (void *)test_user_data); gpr_free(json_key_string); grpc_credentials_unref(service_account_creds); grpc_httpcli_set_override(NULL, NULL); grpc_jwt_encode_and_sign_set_override(NULL); } static void on_jwt_creds_get_metadata_success(void *user_data, grpc_credentials_md *md_elems, size_t num_md, grpc_credentials_status status) { char *expected_md_value; gpr_asprintf(&expected_md_value, "Bearer %s", test_signed_jwt); GPR_ASSERT(status == GRPC_CREDENTIALS_OK); GPR_ASSERT(num_md == 1); GPR_ASSERT(gpr_slice_str_cmp(md_elems[0].key, "Authorization") == 0); GPR_ASSERT(gpr_slice_str_cmp(md_elems[0].value, expected_md_value) == 0); GPR_ASSERT(user_data != NULL); GPR_ASSERT(strcmp((const char *)user_data, test_user_data) == 0); gpr_free(expected_md_value); } static void on_jwt_creds_get_metadata_failure(void *user_data, grpc_credentials_md *md_elems, size_t num_md, grpc_credentials_status status) { GPR_ASSERT(status == GRPC_CREDENTIALS_ERROR); GPR_ASSERT(num_md == 0); GPR_ASSERT(user_data != NULL); GPR_ASSERT(strcmp((const char *)user_data, test_user_data) == 0); } static void test_jwt_creds_success(void) { char *json_key_string = test_json_key_str(); grpc_credentials *jwt_creds = grpc_jwt_credentials_create( json_key_string, grpc_max_auth_token_lifetime); GPR_ASSERT(grpc_credentials_has_request_metadata(jwt_creds)); GPR_ASSERT(grpc_credentials_has_request_metadata_only(jwt_creds)); /* First request: jwt_encode_and_sign should be called. */ grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success); grpc_credentials_get_request_metadata(jwt_creds, NULL, test_service_url, on_jwt_creds_get_metadata_success, (void *)test_user_data); /* Second request: the cached token should be served directly. */ grpc_jwt_encode_and_sign_set_override( encode_and_sign_jwt_should_not_be_called); grpc_credentials_get_request_metadata(jwt_creds, NULL, test_service_url, on_jwt_creds_get_metadata_success, (void *)test_user_data); /* Third request: Different service url so jwt_encode_and_sign should be called again (no caching). */ grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success); grpc_credentials_get_request_metadata(jwt_creds, NULL, other_test_service_url, on_jwt_creds_get_metadata_success, (void *)test_user_data); gpr_free(json_key_string); grpc_credentials_unref(jwt_creds); grpc_jwt_encode_and_sign_set_override(NULL); } static void test_jwt_creds_signing_failure(void) { char *json_key_string = test_json_key_str(); grpc_credentials *jwt_creds = grpc_jwt_credentials_create( json_key_string, grpc_max_auth_token_lifetime); GPR_ASSERT(grpc_credentials_has_request_metadata(jwt_creds)); GPR_ASSERT(grpc_credentials_has_request_metadata_only(jwt_creds)); grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_failure); grpc_credentials_get_request_metadata(jwt_creds, NULL, test_service_url, on_jwt_creds_get_metadata_failure, (void *)test_user_data); gpr_free(json_key_string); grpc_credentials_unref(jwt_creds); grpc_jwt_encode_and_sign_set_override(NULL); } static void set_google_default_creds_env_var_with_file_contents( const char *file_prefix, const char *contents) { size_t contents_len = strlen(contents); char *creds_file_name; FILE *creds_file = gpr_tmpfile(file_prefix, &creds_file_name); GPR_ASSERT(creds_file_name != NULL); GPR_ASSERT(creds_file != NULL); GPR_ASSERT(fwrite(contents, 1, contents_len, creds_file) == contents_len); fclose(creds_file); gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, creds_file_name); gpr_free(creds_file_name); } static grpc_credentials *composite_inner_creds(grpc_credentials *creds, const char *inner_creds_type) { size_t i; grpc_composite_credentials *composite; GPR_ASSERT(strcmp(creds->type, GRPC_CREDENTIALS_TYPE_COMPOSITE) == 0); composite = (grpc_composite_credentials *)creds; for (i = 0; i < composite->inner.num_creds; i++) { grpc_credentials *c = composite->inner.creds_array[i]; if (strcmp(c->type, inner_creds_type) == 0) return c; } GPR_ASSERT(0); /* Not found. */ } static void test_google_default_creds_auth_key(void) { grpc_jwt_credentials *jwt; grpc_credentials *creds; char *json_key = test_json_key_str(); grpc_flush_cached_google_default_credentials(); set_google_default_creds_env_var_with_file_contents( "json_key_google_default_creds", json_key); gpr_free(json_key); creds = grpc_google_default_credentials_create(); GPR_ASSERT(creds != NULL); jwt = (grpc_jwt_credentials *)composite_inner_creds( creds, GRPC_CREDENTIALS_TYPE_JWT); GPR_ASSERT( strcmp(jwt->key.client_id, "777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent.com") == 0); grpc_credentials_unref(creds); gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); /* Reset. */ } static void test_google_default_creds_access_token(void) { grpc_refresh_token_credentials *refresh; grpc_credentials *creds; grpc_flush_cached_google_default_credentials(); set_google_default_creds_env_var_with_file_contents( "refresh_token_google_default_creds", test_refresh_token_str); creds = grpc_google_default_credentials_create(); GPR_ASSERT(creds != NULL); refresh = (grpc_refresh_token_credentials *)composite_inner_creds( creds, GRPC_CREDENTIALS_TYPE_OAUTH2); GPR_ASSERT(strcmp(refresh->refresh_token.client_id, "32555999999.apps.googleusercontent.com") == 0); grpc_credentials_unref(creds); gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); /* Reset. */ } int main(int argc, char **argv) { grpc_test_init(argc, argv); test_empty_md_store(); test_ref_unref_empty_md_store(); test_add_to_empty_md_store(); test_add_cstrings_to_empty_md_store(); test_empty_preallocated_md_store(); test_add_abunch_to_md_store(); test_oauth2_token_fetcher_creds_parsing_ok(); test_oauth2_token_fetcher_creds_parsing_bad_http_status(); test_oauth2_token_fetcher_creds_parsing_empty_http_body(); test_oauth2_token_fetcher_creds_parsing_invalid_json(); test_oauth2_token_fetcher_creds_parsing_missing_token(); test_oauth2_token_fetcher_creds_parsing_missing_token_type(); test_oauth2_token_fetcher_creds_parsing_missing_token_lifetime(); test_iam_creds(); test_access_token_creds(); test_ssl_oauth2_composite_creds(); test_ssl_oauth2_iam_composite_creds(); test_compute_engine_creds_success(); test_compute_engine_creds_failure(); test_refresh_token_creds_success(); test_refresh_token_creds_failure(); test_service_account_creds_success(); test_service_account_creds_http_failure(); test_service_account_creds_signing_failure(); test_jwt_creds_success(); test_jwt_creds_signing_failure(); test_google_default_creds_auth_key(); test_google_default_creds_access_token(); return 0; }