/*
 *
 * Copyright 2015 gRPC authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */

#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_CREDENTIALS_H
#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_CREDENTIALS_H

/* port_platform.h is included before anything else, by convention, so that
   platform feature macros are defined before the remaining headers are
   parsed. */
#include <grpc/support/port_platform.h>

#include <grpc/grpc.h>
#include <grpc/grpc_security.h>
#include <grpc/support/sync.h>
#include "src/core/lib/transport/metadata_batch.h"

#include "src/core/lib/http/httpcli.h"
#include "src/core/lib/http/parser.h"
#include "src/core/lib/iomgr/polling_entity.h"
#include "src/core/lib/security/security_connector/security_connector.h"

/* Forward declaration. grpc_credentials_metadata_request (below) embeds this
   type by value, so the complete definition must also be visible here; it is
   expected to come from the http headers included above. */
struct grpc_http_response;
/* --- Constants. --- */

/* Outcome of a credentials operation. GRPC_CREDENTIALS_OK is explicitly 0 so
   a result can be tested with `status == GRPC_CREDENTIALS_OK`. Note that this
   is a different type from grpc_security_status, which the vtables below
   return for security connector creation. */
typedef enum {
  GRPC_CREDENTIALS_OK = 0,
  GRPC_CREDENTIALS_ERROR
} grpc_credentials_status;

/* Security type tag of the fake transport security implementation. As the
   name says, it is a stand-in that provides no real protection; presumably
   intended for tests only. */
#define GRPC_FAKE_TRANSPORT_SECURITY_TYPE "fake"

/* Type tags for channel credentials; compare against the `type` field of
   struct grpc_channel_credentials (below). */
#define GRPC_CHANNEL_CREDENTIALS_TYPE_SSL "Ssl"
#define GRPC_CHANNEL_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY \
  "FakeTransportSecurity"
#define GRPC_CHANNEL_CREDENTIALS_TYPE_GOOGLE_DEFAULT "GoogleDefault"

/* Type tags for call credentials; compare against the `type` field of
   struct grpc_call_credentials (below). */
#define GRPC_CALL_CREDENTIALS_TYPE_OAUTH2 "Oauth2"
#define GRPC_CALL_CREDENTIALS_TYPE_JWT "Jwt"
#define GRPC_CALL_CREDENTIALS_TYPE_IAM "Iam"
#define GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE "Composite"

/* Metadata keys under which call credentials attach their tokens. Values sent
   under these keys are bearer secrets: keep them out of logs and traces. */
#define GRPC_AUTHORIZATION_METADATA_KEY "authorization"
#define GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY \
  "x-goog-iam-authorization-token"
#define GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY "x-goog-iam-authority-selector"

/* Seconds before a cached token's expiry at which it is presumably treated as
   due for refresh; the refresh policy itself lives in the token
   implementations, not in this header. */
#define GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS 60

/* Compute Engine metadata server, and the path that serves an access token
   for the instance's default service account. Responses from this path
   carry bearer tokens and must be handled as secrets. */
#define GRPC_COMPUTE_ENGINE_METADATA_HOST "metadata.google.internal"
#define GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH \
  "/computeMetadata/v1/instance/service-accounts/default/token"

/* Google OAuth2 token endpoint, used with the two POST bodies below. */
#define GRPC_GOOGLE_OAUTH2_SERVICE_HOST "www.googleapis.com"
#define GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH "/oauth2/v3/token"

/* Form-encoded body prefix for the JWT-bearer grant; the signed JWT is
   appended directly after "assertion=". */
#define GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX                         \
  "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&" \
  "assertion="

/* Form-encoded body for the refresh_token grant. The three %s arguments are
   substituted verbatim -- no percent-encoding happens here -- so a client id,
   client secret or refresh token containing '&', '=' or '%' would change the
   meaning of the body. Whoever formats this string is responsible for
   ensuring the values are safe (NOTE(review): confirm the caller encodes or
   validates them). */
#define GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING \
  "client_id=%s&client_secret=%s&refresh_token=%s&grant_type=refresh_token"

/* --- Google utils --- */

/* Returns the path of the well-known Google credentials file, or NULL.
   It is the caller's responsibility to gpr_free the result if not NULL. */
char* grpc_get_well_known_google_credentials_file_path(void);

/* Implementation function for the different platforms. Same ownership
   contract as above: a non-NULL result is owned by the caller and must be
   released with gpr_free. */
char* grpc_get_well_known_google_credentials_file_path_impl(void);

/* Override for testing only. Not thread-safe: the getter is presumably
   replaced without synchronization, so install it before any credentials
   lookup can run concurrently. */
typedef char* (*grpc_well_known_credentials_path_getter)(void);
void grpc_override_well_known_credentials_path_getter(
    grpc_well_known_credentials_path_getter getter);

/* --- grpc_channel_credentials. --- */

/* Channel arg key under which channel credentials travel inside
   grpc_channel_args (see grpc_channel_credentials_to_arg / _from_arg /
   _find_in_args below). */
#define GRPC_ARG_CHANNEL_CREDENTIALS "grpc.channel_credentials"

/* Per-type operations implemented by each concrete channel credentials. */
typedef struct {
  /* Releases type-specific state once the object is no longer referenced
     (presumably invoked from grpc_channel_credentials_unref). */
  void (*destruct)(grpc_channel_credentials* c);

  /* Builds the channel security connector for \a target. \a call_creds are
     the call credentials to attach to the channel, if any; \a sc receives the
     connector and \a new_args may receive replacement channel args (see the
     contract on grpc_channel_credentials_create_security_connector). */
  grpc_security_status (*create_security_connector)(
      grpc_channel_credentials* c, grpc_call_credentials* call_creds,
      const char* target, const grpc_channel_args* args,
      grpc_channel_security_connector** sc, grpc_channel_args** new_args);

  /* Returns a copy of the credentials with no call credentials attached. */
  grpc_channel_credentials* (*duplicate_without_call_credentials)(
      grpc_channel_credentials* c);
} grpc_channel_credentials_vtable;

/* Common header shared by every channel credentials object; concrete
   implementations presumably embed it so the vtable can dispatch on it. */
struct grpc_channel_credentials {
  const grpc_channel_credentials_vtable* vtable; /* type-specific operations */
  const char* type; /* one of the GRPC_CHANNEL_CREDENTIALS_TYPE_* tags */
  gpr_refcount refcount; /* managed via grpc_channel_credentials_ref/unref */
};

/* Takes an additional ref on \a creds and returns it, for convenient
   chaining. Each ref must be balanced by grpc_channel_credentials_unref. */
grpc_channel_credentials* grpc_channel_credentials_ref(
    grpc_channel_credentials* creds);
/* Drops one ref; the object is destroyed when the last ref is released. */
void grpc_channel_credentials_unref(grpc_channel_credentials* creds);

/* Creates a security connector for the channel. May also create new channel
   args for the channel to be used in place of the passed in const args if
   returned non NULL. In that case the caller is responsible for destroying
   new_args after channel creation. */
grpc_security_status grpc_channel_credentials_create_security_connector(
    grpc_channel_credentials* creds, const char* target,
    const grpc_channel_args* args, grpc_channel_security_connector** sc,
    grpc_channel_args** new_args);

/* Creates a version of the channel credentials without any attached call
   credentials. This can be used in order to open a channel to a non-trusted
   gRPC load balancer, so that per-call tokens are never sent to it. */
grpc_channel_credentials*
grpc_channel_credentials_duplicate_without_call_credentials(
    grpc_channel_credentials* creds);

/* Util to encapsulate the channel credentials in a channel arg, keyed by
   GRPC_ARG_CHANNEL_CREDENTIALS. */
grpc_arg grpc_channel_credentials_to_arg(grpc_channel_credentials* credentials);

/* Util to get the channel credentials from a channel arg. Presumably returns
   NULL when \a arg does not carry channel credentials; confirm in the .cc. */
grpc_channel_credentials* grpc_channel_credentials_from_arg(
    const grpc_arg* arg);

/* Util to find the channel credentials from channel args. */
grpc_channel_credentials* grpc_channel_credentials_find_in_args(
    const grpc_channel_args* args);

/* --- grpc_credentials_mdelem_array. --- */

/* Array of metadata elements produced by call credentials. Every element
   holds its own ref (see grpc_credentials_mdelem_array_add / _append). */
typedef struct {
  grpc_mdelem* md; /* array of `size` elements */
  size_t size;     /* number of elements in md */
} grpc_credentials_mdelem_array;

/// Takes a new ref to \a md and appends it to \a list.
void grpc_credentials_mdelem_array_add(grpc_credentials_mdelem_array* list,
                                       grpc_mdelem md);

/// Appends all elements from \a src to \a dst, taking a new ref to each one.
/// \a src keeps its own refs and remains valid afterwards.
void grpc_credentials_mdelem_array_append(grpc_credentials_mdelem_array* dst,
                                          grpc_credentials_mdelem_array* src);

/// Releases the refs held by \a list and its storage; the
/// grpc_credentials_mdelem_array struct itself is presumably owned by the
/// caller and is not freed here (confirm against the .cc).
void grpc_credentials_mdelem_array_destroy(grpc_credentials_mdelem_array* list);

/* --- grpc_call_credentials. --- */

/* Per-type operations implemented by each concrete call credentials. */
typedef struct {
  /* Releases type-specific state once the object is no longer referenced. */
  void (*destruct)(grpc_call_credentials* c);
  /* Produces the per-call metadata. Same contract as
     grpc_call_credentials_get_request_metadata: returns true when completed
     synchronously (with \a error set), otherwise \a on_request_metadata is
     invoked later and \a md_array is filled in on completion. */
  bool (*get_request_metadata)(grpc_call_credentials* c,
                               grpc_polling_entity* pollent,
                               grpc_auth_metadata_context context,
                               grpc_credentials_mdelem_array* md_array,
                               grpc_closure* on_request_metadata,
                               grpc_error** error);
  /* Cancels a pending asynchronous get_request_metadata identified by the
     same \a md_array, reporting \a error to it. */
  void (*cancel_get_request_metadata)(grpc_call_credentials* c,
                                      grpc_credentials_mdelem_array* md_array,
                                      grpc_error* error);
} grpc_call_credentials_vtable;

/* Common header shared by every call credentials object; concrete
   implementations presumably embed it so the vtable can dispatch on it. */
struct grpc_call_credentials {
  const grpc_call_credentials_vtable* vtable; /* type-specific operations */
  const char* type; /* one of the GRPC_CALL_CREDENTIALS_TYPE_* tags */
  gpr_refcount refcount; /* managed via grpc_call_credentials_ref/unref */
};

/* Takes an additional ref on \a creds and returns it. Each ref must be
   balanced by grpc_call_credentials_unref. */
grpc_call_credentials* grpc_call_credentials_ref(grpc_call_credentials* creds);
/* Drops one ref; the object is destroyed when the last ref is released. */
void grpc_call_credentials_unref(grpc_call_credentials* creds);

/// Returns true if completed synchronously, in which case \a error will
/// be set to indicate the result.  Otherwise, \a on_request_metadata will
/// be invoked asynchronously when complete.  \a md_array will be populated
/// with the resulting metadata once complete.
/// The caller owns \a md_array and releases it with
/// grpc_credentials_mdelem_array_destroy once it is done with the metadata.
bool grpc_call_credentials_get_request_metadata(
    grpc_call_credentials* creds, grpc_polling_entity* pollent,
    grpc_auth_metadata_context context, grpc_credentials_mdelem_array* md_array,
    grpc_closure* on_request_metadata, grpc_error** error);

/// Cancels a pending asynchronous operation started by
/// grpc_call_credentials_get_request_metadata() with the corresponding
/// value of \a md_array.  \a error is the reason reported to the pending
/// operation.
void grpc_call_credentials_cancel_get_request_metadata(
    grpc_call_credentials* c, grpc_credentials_mdelem_array* md_array,
    grpc_error* error);

/* Metadata-only credentials with the specified key and value where
   asynchronicity can be simulated for testing. \a is_async selects whether
   get_request_metadata completes synchronously or via the closure. These
   attach \a md_value unmodified, so they are a test utility, not a
   production credential type. */
grpc_call_credentials* grpc_md_only_test_credentials_create(
    const char* md_key, const char* md_value, bool is_async);

/* --- grpc_server_credentials. --- */

/* Per-type operations implemented by each concrete server credentials. */
typedef struct {
  /* Releases type-specific state once the object is no longer referenced. */
  void (*destruct)(grpc_server_credentials* c);
  /* Builds the server-side security connector; \a sc receives it. Returns a
     grpc_security_status, not a grpc_credentials_status. */
  grpc_security_status (*create_security_connector)(
      grpc_server_credentials* c, grpc_server_security_connector** sc);
} grpc_server_credentials_vtable;

/* Common header shared by every server credentials object; concrete
   implementations presumably embed it so the vtable can dispatch on it. */
struct grpc_server_credentials {
  const grpc_server_credentials_vtable* vtable; /* type-specific operations */
  const char* type; /* credentials type tag */
  gpr_refcount refcount; /* managed via grpc_server_credentials_ref/unref */
  /* Application-supplied processor (grpc_auth_metadata_processor, declared in
     grpc/grpc_security.h) that the server consults to validate incoming auth
     metadata; see that header for its callback contract. Its correctness
     decides whether unauthenticated calls are rejected. */
  grpc_auth_metadata_processor processor;
};

/* Creates the server security connector for \a creds; \a sc receives it.
   Dispatches to the vtable's create_security_connector. */
grpc_security_status grpc_server_credentials_create_security_connector(
    grpc_server_credentials* creds, grpc_server_security_connector** sc);

/* Takes an additional ref on \a creds and returns it. Each ref must be
   balanced by grpc_server_credentials_unref. */
grpc_server_credentials* grpc_server_credentials_ref(
    grpc_server_credentials* creds);

/* Drops one ref; the object is destroyed when the last ref is released. */
void grpc_server_credentials_unref(grpc_server_credentials* creds);

/* Channel arg key under which server credentials travel in
   grpc_channel_args (counterpart of GRPC_ARG_CHANNEL_CREDENTIALS). */
#define GRPC_SERVER_CREDENTIALS_ARG "grpc.server_credentials"

/* Util to wrap server credentials in a channel arg keyed by
   GRPC_SERVER_CREDENTIALS_ARG. */
grpc_arg grpc_server_credentials_to_arg(grpc_server_credentials* c);
/* Util to get the server credentials from a channel arg. */
grpc_server_credentials* grpc_server_credentials_from_arg(const grpc_arg* arg);
/* Util to find the server credentials in channel args. (Note the naming
   differs from grpc_channel_credentials_find_in_args.) */
grpc_server_credentials* grpc_find_server_credentials_in_args(
    const grpc_channel_args* args);

/* -- Credentials Metadata Request. -- */

/* Context for an in-flight HTTP fetch made on behalf of a call credentials
   object (e.g. a token request to one of the endpoints defined above). */
typedef struct {
  grpc_call_credentials* creds; /* credentials the request is made for */
  /* Receives the HTTP reply. Its body may contain a token, so the request
     should be destroyed as soon as the reply has been consumed. */
  grpc_http_response response;
} grpc_credentials_metadata_request;

/* Allocates a metadata request for \a creds. Presumably takes a ref on
   \a creds that is released by grpc_credentials_metadata_request_destroy
   (confirm in the .cc). */
grpc_credentials_metadata_request* grpc_credentials_metadata_request_create(
    grpc_call_credentials* creds);

/* Releases \a r, including the embedded HTTP response. */
void grpc_credentials_metadata_request_destroy(
    grpc_credentials_metadata_request* r);

#endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_CREDENTIALS_H */
