1 /*
2 *
3 * Copyright 2015 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include "src/cpp/client/secure_credentials.h"
20
21 #include <grpc/impl/codegen/slice.h>
22 #include <grpc/slice.h>
23 #include <grpc/support/alloc.h>
24 #include <grpc/support/log.h>
25 #include <grpc/support/string_util.h>
26 #include <grpcpp/channel.h>
27 #include <grpcpp/impl/codegen/status.h>
28 #include <grpcpp/impl/grpc_library.h>
29 #include <grpcpp/support/channel_arguments.h>
30
31 #include "src/core/lib/gpr/env.h"
32 #include "src/core/lib/iomgr/error.h"
33 #include "src/core/lib/iomgr/executor.h"
34 #include "src/core/lib/iomgr/load_file.h"
35 #include "src/core/lib/json/json.h"
36 #include "src/core/lib/security/transport/auth_filters.h"
37 #include "src/core/lib/security/util/json_util.h"
38 #include "src/cpp/client/create_channel_internal.h"
39 #include "src/cpp/common/secure_auth_context.h"
40
41 namespace grpc_impl {
42
43 static grpc::internal::GrpcLibraryInitializer g_gli_initializer;
SecureChannelCredentials(grpc_channel_credentials * c_creds)44 SecureChannelCredentials::SecureChannelCredentials(
45 grpc_channel_credentials* c_creds)
46 : c_creds_(c_creds) {
47 g_gli_initializer.summon();
48 }
49
CreateChannelImpl(const grpc::string & target,const ChannelArguments & args)50 std::shared_ptr<Channel> SecureChannelCredentials::CreateChannelImpl(
51 const grpc::string& target, const ChannelArguments& args) {
52 return CreateChannelWithInterceptors(
53 target, args,
54 std::vector<std::unique_ptr<
55 grpc::experimental::ClientInterceptorFactoryInterface>>());
56 }
57
58 std::shared_ptr<Channel>
CreateChannelWithInterceptors(const grpc::string & target,const ChannelArguments & args,std::vector<std::unique_ptr<grpc::experimental::ClientInterceptorFactoryInterface>> interceptor_creators)59 SecureChannelCredentials::CreateChannelWithInterceptors(
60 const grpc::string& target, const ChannelArguments& args,
61 std::vector<
62 std::unique_ptr<grpc::experimental::ClientInterceptorFactoryInterface>>
63 interceptor_creators) {
64 grpc_channel_args channel_args;
65 args.SetChannelArgs(&channel_args);
66 return ::grpc::CreateChannelInternal(
67 args.GetSslTargetNameOverride(),
68 grpc_secure_channel_create(c_creds_, target.c_str(), &channel_args,
69 nullptr),
70 std::move(interceptor_creators));
71 }
72
SecureCallCredentials(grpc_call_credentials * c_creds)73 SecureCallCredentials::SecureCallCredentials(grpc_call_credentials* c_creds)
74 : c_creds_(c_creds) {
75 g_gli_initializer.summon();
76 }
77
ApplyToCall(grpc_call * call)78 bool SecureCallCredentials::ApplyToCall(grpc_call* call) {
79 return grpc_call_set_credentials(call, c_creds_) == GRPC_CALL_OK;
80 }
81
82 namespace {
WrapChannelCredentials(grpc_channel_credentials * creds)83 std::shared_ptr<ChannelCredentials> WrapChannelCredentials(
84 grpc_channel_credentials* creds) {
85 return creds == nullptr ? nullptr
86 : std::shared_ptr<ChannelCredentials>(
87 new SecureChannelCredentials(creds));
88 }
89
WrapCallCredentials(grpc_call_credentials * creds)90 std::shared_ptr<CallCredentials> WrapCallCredentials(
91 grpc_call_credentials* creds) {
92 return creds == nullptr ? nullptr
93 : std::shared_ptr<CallCredentials>(
94 new SecureCallCredentials(creds));
95 }
96 } // namespace
97
GoogleDefaultCredentials()98 std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials() {
99 grpc::GrpcLibraryCodegen init; // To call grpc_init().
100 return WrapChannelCredentials(grpc_google_default_credentials_create());
101 }
102
103 // Builds SSL Credentials given SSL specific options
SslCredentials(const SslCredentialsOptions & options)104 std::shared_ptr<ChannelCredentials> SslCredentials(
105 const SslCredentialsOptions& options) {
106 grpc::GrpcLibraryCodegen init; // To call grpc_init().
107 grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {
108 options.pem_private_key.c_str(), options.pem_cert_chain.c_str()};
109
110 grpc_channel_credentials* c_creds = grpc_ssl_credentials_create(
111 options.pem_root_certs.empty() ? nullptr : options.pem_root_certs.c_str(),
112 options.pem_private_key.empty() ? nullptr : &pem_key_cert_pair, nullptr,
113 nullptr);
114 return WrapChannelCredentials(c_creds);
115 }
116
117 namespace experimental {
118
119 namespace {
120
ClearStsCredentialsOptions(StsCredentialsOptions * options)121 void ClearStsCredentialsOptions(StsCredentialsOptions* options) {
122 if (options == nullptr) return;
123 options->token_exchange_service_uri.clear();
124 options->resource.clear();
125 options->audience.clear();
126 options->scope.clear();
127 options->requested_token_type.clear();
128 options->subject_token_path.clear();
129 options->subject_token_type.clear();
130 options->actor_token_path.clear();
131 options->actor_token_type.clear();
132 }
133
134 } // namespace
135
136 // Builds STS credentials options from JSON.
StsCredentialsOptionsFromJson(const grpc::string & json_string,StsCredentialsOptions * options)137 grpc::Status StsCredentialsOptionsFromJson(const grpc::string& json_string,
138 StsCredentialsOptions* options) {
139 if (options == nullptr) {
140 return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
141 "options cannot be nullptr.");
142 }
143 ClearStsCredentialsOptions(options);
144 grpc_error* error = GRPC_ERROR_NONE;
145 grpc_core::Json json = grpc_core::Json::Parse(json_string.c_str(), &error);
146 if (error != GRPC_ERROR_NONE ||
147 json.type() != grpc_core::Json::Type::OBJECT) {
148 GRPC_ERROR_UNREF(error);
149 return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid json.");
150 }
151
152 // Required fields.
153 const char* value = grpc_json_get_string_property(
154 json, "token_exchange_service_uri", nullptr);
155 if (value == nullptr) {
156 ClearStsCredentialsOptions(options);
157 return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
158 "token_exchange_service_uri must be specified.");
159 }
160 options->token_exchange_service_uri.assign(value);
161 value = grpc_json_get_string_property(json, "subject_token_path", nullptr);
162 if (value == nullptr) {
163 ClearStsCredentialsOptions(options);
164 return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
165 "subject_token_path must be specified.");
166 }
167 options->subject_token_path.assign(value);
168 value = grpc_json_get_string_property(json, "subject_token_type", nullptr);
169 if (value == nullptr) {
170 ClearStsCredentialsOptions(options);
171 return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
172 "subject_token_type must be specified.");
173 }
174 options->subject_token_type.assign(value);
175
176 // Optional fields.
177 value = grpc_json_get_string_property(json, "resource", nullptr);
178 if (value != nullptr) options->resource.assign(value);
179 value = grpc_json_get_string_property(json, "audience", nullptr);
180 if (value != nullptr) options->audience.assign(value);
181 value = grpc_json_get_string_property(json, "scope", nullptr);
182 if (value != nullptr) options->scope.assign(value);
183 value = grpc_json_get_string_property(json, "requested_token_type", nullptr);
184 if (value != nullptr) options->requested_token_type.assign(value);
185 value = grpc_json_get_string_property(json, "actor_token_path", nullptr);
186 if (value != nullptr) options->actor_token_path.assign(value);
187 value = grpc_json_get_string_property(json, "actor_token_type", nullptr);
188 if (value != nullptr) options->actor_token_type.assign(value);
189
190 return grpc::Status();
191 }
192
193 // Builds STS credentials Options from the $STS_CREDENTIALS env var.
StsCredentialsOptionsFromEnv(StsCredentialsOptions * options)194 grpc::Status StsCredentialsOptionsFromEnv(StsCredentialsOptions* options) {
195 if (options == nullptr) {
196 return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
197 "options cannot be nullptr.");
198 }
199 ClearStsCredentialsOptions(options);
200 grpc_slice json_string = grpc_empty_slice();
201 char* sts_creds_path = gpr_getenv("STS_CREDENTIALS");
202 grpc_error* error = GRPC_ERROR_NONE;
203 grpc::Status status;
204 auto cleanup = [&json_string, &sts_creds_path, &error, &status]() {
205 grpc_slice_unref_internal(json_string);
206 gpr_free(sts_creds_path);
207 GRPC_ERROR_UNREF(error);
208 return status;
209 };
210
211 if (sts_creds_path == nullptr) {
212 status = grpc::Status(grpc::StatusCode::NOT_FOUND,
213 "STS_CREDENTIALS environment variable not set.");
214 return cleanup();
215 }
216 error = grpc_load_file(sts_creds_path, 1, &json_string);
217 if (error != GRPC_ERROR_NONE) {
218 status =
219 grpc::Status(grpc::StatusCode::NOT_FOUND, grpc_error_string(error));
220 return cleanup();
221 }
222 status = StsCredentialsOptionsFromJson(
223 reinterpret_cast<const char*>(GRPC_SLICE_START_PTR(json_string)),
224 options);
225 return cleanup();
226 }
227
228 // C++ to Core STS Credentials options.
StsCredentialsCppToCoreOptions(const StsCredentialsOptions & options)229 grpc_sts_credentials_options StsCredentialsCppToCoreOptions(
230 const StsCredentialsOptions& options) {
231 grpc_sts_credentials_options opts;
232 memset(&opts, 0, sizeof(opts));
233 opts.token_exchange_service_uri = options.token_exchange_service_uri.c_str();
234 opts.resource = options.resource.c_str();
235 opts.audience = options.audience.c_str();
236 opts.scope = options.scope.c_str();
237 opts.requested_token_type = options.requested_token_type.c_str();
238 opts.subject_token_path = options.subject_token_path.c_str();
239 opts.subject_token_type = options.subject_token_type.c_str();
240 opts.actor_token_path = options.actor_token_path.c_str();
241 opts.actor_token_type = options.actor_token_type.c_str();
242 return opts;
243 }
244
245 // Builds STS credentials.
StsCredentials(const StsCredentialsOptions & options)246 std::shared_ptr<CallCredentials> StsCredentials(
247 const StsCredentialsOptions& options) {
248 auto opts = StsCredentialsCppToCoreOptions(options);
249 return WrapCallCredentials(grpc_sts_credentials_create(&opts, nullptr));
250 }
251
MetadataCredentialsFromPlugin(std::unique_ptr<MetadataCredentialsPlugin> plugin,grpc_security_level min_security_level)252 std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
253 std::unique_ptr<MetadataCredentialsPlugin> plugin,
254 grpc_security_level min_security_level) {
255 grpc::GrpcLibraryCodegen init; // To call grpc_init().
256 const char* type = plugin->GetType();
257 grpc::MetadataCredentialsPluginWrapper* wrapper =
258 new grpc::MetadataCredentialsPluginWrapper(std::move(plugin));
259 grpc_metadata_credentials_plugin c_plugin = {
260 grpc::MetadataCredentialsPluginWrapper::GetMetadata,
261 grpc::MetadataCredentialsPluginWrapper::DebugString,
262 grpc::MetadataCredentialsPluginWrapper::Destroy, wrapper, type};
263 return WrapCallCredentials(grpc_metadata_credentials_create_from_plugin(
264 c_plugin, min_security_level, nullptr));
265 }
266
267 // Builds ALTS Credentials given ALTS specific options
AltsCredentials(const AltsCredentialsOptions & options)268 std::shared_ptr<ChannelCredentials> AltsCredentials(
269 const AltsCredentialsOptions& options) {
270 grpc::GrpcLibraryCodegen init; // To call grpc_init().
271 grpc_alts_credentials_options* c_options =
272 grpc_alts_credentials_client_options_create();
273 for (const auto& service_account : options.target_service_accounts) {
274 grpc_alts_credentials_client_options_add_target_service_account(
275 c_options, service_account.c_str());
276 }
277 grpc_channel_credentials* c_creds = grpc_alts_credentials_create(c_options);
278 grpc_alts_credentials_options_destroy(c_options);
279 return WrapChannelCredentials(c_creds);
280 }
281
282 // Builds Local Credentials
LocalCredentials(grpc_local_connect_type type)283 std::shared_ptr<ChannelCredentials> LocalCredentials(
284 grpc_local_connect_type type) {
285 grpc::GrpcLibraryCodegen init; // To call grpc_init().
286 return WrapChannelCredentials(grpc_local_credentials_create(type));
287 }
288
289 // Builds TLS Credentials given TLS options.
TlsCredentials(const TlsCredentialsOptions & options)290 std::shared_ptr<ChannelCredentials> TlsCredentials(
291 const TlsCredentialsOptions& options) {
292 return WrapChannelCredentials(
293 grpc_tls_credentials_create(options.c_credentials_options()));
294 }
295
296 } // namespace experimental
297
298 // Builds credentials for use when running in GCE
GoogleComputeEngineCredentials()299 std::shared_ptr<CallCredentials> GoogleComputeEngineCredentials() {
300 grpc::GrpcLibraryCodegen init; // To call grpc_init().
301 return WrapCallCredentials(
302 grpc_google_compute_engine_credentials_create(nullptr));
303 }
304
305 // Builds JWT credentials.
ServiceAccountJWTAccessCredentials(const grpc::string & json_key,long token_lifetime_seconds)306 std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials(
307 const grpc::string& json_key, long token_lifetime_seconds) {
308 grpc::GrpcLibraryCodegen init; // To call grpc_init().
309 if (token_lifetime_seconds <= 0) {
310 gpr_log(GPR_ERROR,
311 "Trying to create JWTCredentials with non-positive lifetime");
312 return WrapCallCredentials(nullptr);
313 }
314 gpr_timespec lifetime =
315 gpr_time_from_seconds(token_lifetime_seconds, GPR_TIMESPAN);
316 return WrapCallCredentials(grpc_service_account_jwt_access_credentials_create(
317 json_key.c_str(), lifetime, nullptr));
318 }
319
320 // Builds refresh token credentials.
GoogleRefreshTokenCredentials(const grpc::string & json_refresh_token)321 std::shared_ptr<CallCredentials> GoogleRefreshTokenCredentials(
322 const grpc::string& json_refresh_token) {
323 grpc::GrpcLibraryCodegen init; // To call grpc_init().
324 return WrapCallCredentials(grpc_google_refresh_token_credentials_create(
325 json_refresh_token.c_str(), nullptr));
326 }
327
328 // Builds access token credentials.
AccessTokenCredentials(const grpc::string & access_token)329 std::shared_ptr<CallCredentials> AccessTokenCredentials(
330 const grpc::string& access_token) {
331 grpc::GrpcLibraryCodegen init; // To call grpc_init().
332 return WrapCallCredentials(
333 grpc_access_token_credentials_create(access_token.c_str(), nullptr));
334 }
335
336 // Builds IAM credentials.
GoogleIAMCredentials(const grpc::string & authorization_token,const grpc::string & authority_selector)337 std::shared_ptr<CallCredentials> GoogleIAMCredentials(
338 const grpc::string& authorization_token,
339 const grpc::string& authority_selector) {
340 grpc::GrpcLibraryCodegen init; // To call grpc_init().
341 return WrapCallCredentials(grpc_google_iam_credentials_create(
342 authorization_token.c_str(), authority_selector.c_str(), nullptr));
343 }
344
345 // Combines one channel credentials and one call credentials into a channel
346 // composite credentials.
CompositeChannelCredentials(const std::shared_ptr<ChannelCredentials> & channel_creds,const std::shared_ptr<CallCredentials> & call_creds)347 std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
348 const std::shared_ptr<ChannelCredentials>& channel_creds,
349 const std::shared_ptr<CallCredentials>& call_creds) {
350 // Note that we are not saving shared_ptrs to the two credentials passed in
351 // here. This is OK because the underlying C objects (i.e., channel_creds and
352 // call_creds) into grpc_composite_credentials_create will see their refcounts
353 // incremented.
354 SecureChannelCredentials* s_channel_creds =
355 channel_creds->AsSecureCredentials();
356 SecureCallCredentials* s_call_creds = call_creds->AsSecureCredentials();
357 if (s_channel_creds && s_call_creds) {
358 return WrapChannelCredentials(grpc_composite_channel_credentials_create(
359 s_channel_creds->GetRawCreds(), s_call_creds->GetRawCreds(), nullptr));
360 }
361 return nullptr;
362 }
363
CompositeCallCredentials(const std::shared_ptr<CallCredentials> & creds1,const std::shared_ptr<CallCredentials> & creds2)364 std::shared_ptr<CallCredentials> CompositeCallCredentials(
365 const std::shared_ptr<CallCredentials>& creds1,
366 const std::shared_ptr<CallCredentials>& creds2) {
367 SecureCallCredentials* s_creds1 = creds1->AsSecureCredentials();
368 SecureCallCredentials* s_creds2 = creds2->AsSecureCredentials();
369 if (s_creds1 != nullptr && s_creds2 != nullptr) {
370 return WrapCallCredentials(grpc_composite_call_credentials_create(
371 s_creds1->GetRawCreds(), s_creds2->GetRawCreds(), nullptr));
372 }
373 return nullptr;
374 }
375
MetadataCredentialsFromPlugin(std::unique_ptr<MetadataCredentialsPlugin> plugin)376 std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
377 std::unique_ptr<MetadataCredentialsPlugin> plugin) {
378 grpc::GrpcLibraryCodegen init; // To call grpc_init().
379 const char* type = plugin->GetType();
380 grpc::MetadataCredentialsPluginWrapper* wrapper =
381 new grpc::MetadataCredentialsPluginWrapper(std::move(plugin));
382 grpc_metadata_credentials_plugin c_plugin = {
383 grpc::MetadataCredentialsPluginWrapper::GetMetadata,
384 grpc::MetadataCredentialsPluginWrapper::DebugString,
385 grpc::MetadataCredentialsPluginWrapper::Destroy, wrapper, type};
386 return WrapCallCredentials(grpc_metadata_credentials_create_from_plugin(
387 c_plugin, GRPC_PRIVACY_AND_INTEGRITY, nullptr));
388 }
389
390 } // namespace grpc_impl
391
392 namespace grpc {
393 namespace {
DeleteWrapper(void * wrapper,grpc_error *)394 void DeleteWrapper(void* wrapper, grpc_error* /*ignored*/) {
395 MetadataCredentialsPluginWrapper* w =
396 static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
397 delete w;
398 }
399 } // namespace
400
DebugString(void * wrapper)401 char* MetadataCredentialsPluginWrapper::DebugString(void* wrapper) {
402 GPR_ASSERT(wrapper);
403 MetadataCredentialsPluginWrapper* w =
404 static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
405 return gpr_strdup(w->plugin_->DebugString().c_str());
406 }
407
Destroy(void * wrapper)408 void MetadataCredentialsPluginWrapper::Destroy(void* wrapper) {
409 if (wrapper == nullptr) return;
410 grpc_core::ApplicationCallbackExecCtx callback_exec_ctx;
411 grpc_core::ExecCtx exec_ctx;
412 grpc_core::Executor::Run(GRPC_CLOSURE_CREATE(DeleteWrapper, wrapper, nullptr),
413 GRPC_ERROR_NONE);
414 }
415
GetMetadata(void * wrapper,grpc_auth_metadata_context context,grpc_credentials_plugin_metadata_cb cb,void * user_data,grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],size_t * num_creds_md,grpc_status_code * status,const char ** error_details)416 int MetadataCredentialsPluginWrapper::GetMetadata(
417 void* wrapper, grpc_auth_metadata_context context,
418 grpc_credentials_plugin_metadata_cb cb, void* user_data,
419 grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
420 size_t* num_creds_md, grpc_status_code* status,
421 const char** error_details) {
422 GPR_ASSERT(wrapper);
423 MetadataCredentialsPluginWrapper* w =
424 static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
425 if (!w->plugin_) {
426 *num_creds_md = 0;
427 *status = GRPC_STATUS_OK;
428 *error_details = nullptr;
429 return 1;
430 }
431 if (w->plugin_->IsBlocking()) {
432 // The internals of context may be destroyed if GetMetadata is cancelled.
433 // Make a copy for InvokePlugin.
434 grpc_auth_metadata_context context_copy = grpc_auth_metadata_context();
435 grpc_auth_metadata_context_copy(&context, &context_copy);
436 // Asynchronous return.
437 w->thread_pool_->Add([w, context_copy, cb, user_data]() mutable {
438 w->MetadataCredentialsPluginWrapper::InvokePlugin(
439 context_copy, cb, user_data, nullptr, nullptr, nullptr, nullptr);
440 grpc_auth_metadata_context_reset(&context_copy);
441 });
442 return 0;
443 } else {
444 // Synchronous return.
445 w->InvokePlugin(context, cb, user_data, creds_md, num_creds_md, status,
446 error_details);
447 return 1;
448 }
449 }
450
451 namespace {
452
UnrefMetadata(const std::vector<grpc_metadata> & md)453 void UnrefMetadata(const std::vector<grpc_metadata>& md) {
454 for (const auto& metadatum : md) {
455 grpc_slice_unref(metadatum.key);
456 grpc_slice_unref(metadatum.value);
457 }
458 }
459
460 } // namespace
461
InvokePlugin(grpc_auth_metadata_context context,grpc_credentials_plugin_metadata_cb cb,void * user_data,grpc_metadata creds_md[4],size_t * num_creds_md,grpc_status_code * status_code,const char ** error_details)462 void MetadataCredentialsPluginWrapper::InvokePlugin(
463 grpc_auth_metadata_context context, grpc_credentials_plugin_metadata_cb cb,
464 void* user_data, grpc_metadata creds_md[4], size_t* num_creds_md,
465 grpc_status_code* status_code, const char** error_details) {
466 std::multimap<grpc::string, grpc::string> metadata;
467
468 // const_cast is safe since the SecureAuthContext only inc/dec the refcount
469 // and the object is passed as a const ref to plugin_->GetMetadata.
470 SecureAuthContext cpp_channel_auth_context(
471 const_cast<grpc_auth_context*>(context.channel_auth_context));
472
473 Status status = plugin_->GetMetadata(context.service_url, context.method_name,
474 cpp_channel_auth_context, &metadata);
475 std::vector<grpc_metadata> md;
476 for (auto& metadatum : metadata) {
477 grpc_metadata md_entry;
478 md_entry.key = SliceFromCopiedString(metadatum.first);
479 md_entry.value = SliceFromCopiedString(metadatum.second);
480 md_entry.flags = 0;
481 md.push_back(md_entry);
482 }
483 if (creds_md != nullptr) {
484 // Synchronous return.
485 if (md.size() > GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX) {
486 *num_creds_md = 0;
487 *status_code = GRPC_STATUS_INTERNAL;
488 *error_details = gpr_strdup(
489 "blocking plugin credentials returned too many metadata keys");
490 UnrefMetadata(md);
491 } else {
492 for (const auto& elem : md) {
493 creds_md[*num_creds_md].key = elem.key;
494 creds_md[*num_creds_md].value = elem.value;
495 creds_md[*num_creds_md].flags = elem.flags;
496 ++(*num_creds_md);
497 }
498 *status_code = static_cast<grpc_status_code>(status.error_code());
499 *error_details =
500 status.ok() ? nullptr : gpr_strdup(status.error_message().c_str());
501 }
502 } else {
503 // Asynchronous return.
504 cb(user_data, md.empty() ? nullptr : &md[0], md.size(),
505 static_cast<grpc_status_code>(status.error_code()),
506 status.error_message().c_str());
507 UnrefMetadata(md);
508 }
509 }
510
MetadataCredentialsPluginWrapper(std::unique_ptr<MetadataCredentialsPlugin> plugin)511 MetadataCredentialsPluginWrapper::MetadataCredentialsPluginWrapper(
512 std::unique_ptr<MetadataCredentialsPlugin> plugin)
513 : thread_pool_(CreateDefaultThreadPool()), plugin_(std::move(plugin)) {}
514
515 } // namespace grpc
516