/*
 *
 * Copyright 2016 gRPC authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */

#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_OAUTH2_OAUTH2_CREDENTIALS_H
#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_OAUTH2_OAUTH2_CREDENTIALS_H

#include <grpc/support/port_platform.h>

#include <string>

#include <grpc/grpc_security.h>

#include "src/core/lib/json/json.h"
#include "src/core/lib/security/credentials/credentials.h"
#include "src/core/lib/uri/uri_parser.h"

// Constants.
//
// Body template for the minimal STS token-exchange POST. The grant_type
// literal is the OAuth 2.0 token-exchange URN (RFC 8693); the two %s slots
// take the subject token and the subject token type, in that order.
// NOTE(review): this is a printf-style template, so the values substituted
// into it must already be application/x-www-form-urlencoded -- a raw token
// containing '&' or '=' would add or overwrite form fields. Where (or
// whether) that encoding happens is not visible from this header; confirm in
// the .cc that builds the request.
#define GRPC_STS_POST_MINIMAL_BODY_FORMAT_STRING \
  "grant_type=urn:ietf:params:oauth:grant-type:token-exchange&subject_token=%" \
  "s&subject_token_type=%s"

// auth_refresh_token parsing.
//
// Parsed refresh-token credential: the OAuth client identity plus the refresh
// token itself. Create one with a grpc_auth_refresh_token_create_from_*
// function, check it with grpc_auth_refresh_token_is_valid() before use, and
// release it with grpc_auth_refresh_token_destruct(). The struct is returned
// by value and holds raw pointers, so a copy shares the same buffers: destruct
// exactly one copy and treat every other copy as invalid afterwards.
struct grpc_auth_refresh_token {
  // Credential type tag. Declared const, unlike the three fields below, which
  // suggests it is not owned by this struct -- confirm against
  // grpc_auth_refresh_token_destruct() before freeing it yourself.
  const char* type;
  // OAuth client id.
  char* client_id;
  // OAuth client secret. Sensitive: never log it or include it in debug
  // output.
  char* client_secret;
  // The long-lived refresh token. Same handling as client_secret.
  char* refresh_token;
};
/// Returns 1 if the object is valid, 0 otherwise.
///
/// Both create_from_* functions report a parse failure by returning an
/// "invalid object" rather than an error code, so every caller must run this
/// check on the result before reading any field.
int grpc_auth_refresh_token_is_valid(
    const grpc_auth_refresh_token* refresh_token);

/// Creates a refresh token object from string. Returns an invalid object if a
/// parsing error has been encountered.
///
/// json_string: JSON text of the credential (presumably read from a
/// credentials file -- the origin is not visible here, so treat it as
/// untrusted input). The returned object owns its strings; see the struct
/// comment for lifetime rules.
grpc_auth_refresh_token grpc_auth_refresh_token_create_from_string(
    const char* json_string);

/// Creates a refresh token object from parsed json. Returns an invalid object
/// if a parsing error has been encountered. Same contract as the string
/// variant, for callers that already hold a parsed grpc_core::Json.
grpc_auth_refresh_token grpc_auth_refresh_token_create_from_json(
    const grpc_core::Json& json);

/// Destructs the object.
///
/// Releases whatever the object owns; the object must not be used afterwards.
/// NOTE(review): whether the secret buffers (client_secret, refresh_token)
/// are zeroed before being freed is not visible from this header -- confirm
/// in the .cc if secret scrubbing matters for your threat model.
void grpc_auth_refresh_token_destruct(grpc_auth_refresh_token* refresh_token);

// -- Oauth2 Token Fetcher credentials --
//
// This object is a base for credentials that need to acquire an oauth2 token
// from an http service.

// One queued get_request_metadata() call. The first three fields are the
// arguments of that call, kept so it can be completed later; `next` links the
// entries into a singly-linked list (see pending_requests_ below). Callers are
// presumably parked here while a token fetch is in flight -- confirm in the
// .cc.
struct grpc_oauth2_pending_get_request_metadata {
  grpc_credentials_mdelem_array* md_array;
  grpc_closure* on_request_metadata;
  grpc_polling_entity* pollent;
  struct grpc_oauth2_pending_get_request_metadata* next;
};

// Base class for call credentials that obtain a bearer token from an HTTP
// token endpoint and cache it. Subclasses implement fetch_oauth2() to issue
// the actual request; judging by its members, this class owns the cached
// token, its expiration, the in-flight flag and the queue of callers waiting
// on a fetch.
class grpc_oauth2_token_fetcher_credentials : public grpc_call_credentials {
 public:
  grpc_oauth2_token_fetcher_credentials();
  ~grpc_oauth2_token_fetcher_credentials() override;

  // grpc_call_credentials hook: produce the per-call auth metadata into
  // md_array, either now or later via on_request_metadata. The meaning of the
  // bool return (synchronous completion vs. callback pending) follows
  // grpc_call_credentials; see credentials.h.
  bool get_request_metadata(grpc_polling_entity* pollent,
                            grpc_auth_metadata_context context,
                            grpc_credentials_mdelem_array* md_array,
                            grpc_closure* on_request_metadata,
                            grpc_error_handle* error) override;

  // Cancels a pending get_request_metadata(). md_array is the only key the
  // pending-request struct carries, so it is presumably what identifies the
  // entry to drop; `error` is handed to that entry's callback.
  void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
                                   grpc_error_handle error) override;

  // Callback invoked with the token endpoint's HTTP response for request r.
  // The response body is untrusted network input; the parser exposed for
  // tests at the bottom of this header
  // (grpc_oauth2_token_fetcher_credentials_parse_server_response) is
  // presumably what this path uses -- confirm in the .cc.
  void on_http_response(grpc_credentials_metadata_request* r,
                        grpc_error_handle error);
  // Human-readable description for logs. NOTE(review): must not embed the
  // cached access_token_md_; confirm the implementation.
  std::string debug_string() override;

 protected:
  // Subclass hook: start the HTTP request that obtains a token for `req`.
  // httpcli_context/pollent: I/O context to run the request on; cb: callback
  // to run with the HTTP result; deadline: grpc_millis deadline for the fetch
  // (absolute vs. relative is not visible here -- check the callers).
  virtual void fetch_oauth2(grpc_credentials_metadata_request* req,
                            grpc_httpcli_context* httpcli_context,
                            grpc_polling_entity* pollent, grpc_iomgr_cb_func cb,
                            grpc_millis deadline) = 0;

 private:
  // NOTE(review): presumably guards all of the state below (cache, in-flight
  // flag, pending list), since get_request_metadata() and on_http_response()
  // can race; confirm in the .cc.
  gpr_mu mu_;
  // Cached token metadata element handed to callers; GRPC_MDNULL until set.
  grpc_mdelem access_token_md_ = GRPC_MDNULL;
  // Expiration of the cached token. No in-class initialiser -- the constructor
  // is expected to set it before the first get_request_metadata().
  gpr_timespec token_expiration_;
  // True while a fetch is in flight.
  bool token_fetch_pending_ = false;
  // Head of the singly-linked list of parked get_request_metadata() calls.
  grpc_oauth2_pending_get_request_metadata* pending_requests_ = nullptr;
  // I/O state used for the token fetch.
  grpc_httpcli_context httpcli_context_;
  grpc_polling_entity pollent_;
};

// Google refresh token credentials.
// Fetcher credentials that use a parsed refresh token (client id/secret plus
// the refresh token itself) to obtain short-lived access tokens. The stored
// refresh token is a long-lived secret; handle this object accordingly.
class grpc_google_refresh_token_credentials final
    : public grpc_oauth2_token_fetcher_credentials {
 public:
  // refresh_token is taken by value. NOTE(review): ownership is presumably
  // transferred (the factory at the bottom of this section documents "takes
  // ownership"); confirm that the destructor calls
  // grpc_auth_refresh_token_destruct(), and do not destruct the caller's copy
  // as well -- the struct's pointers are shared between copies.
  explicit grpc_google_refresh_token_credentials(
      grpc_auth_refresh_token refresh_token);
  ~grpc_google_refresh_token_credentials() override;

  // Read-only view of the stored credential, including client_secret and
  // refresh_token. Valid for the lifetime of this object; never log it.
  const grpc_auth_refresh_token& refresh_token() const {
    return refresh_token_;
  }

  // NOTE(review): must not include refresh_token_.client_secret or
  // refresh_token_.refresh_token; confirm the implementation.
  std::string debug_string() override;

 protected:
  // Issues the token-endpoint request using refresh_token_ (the
  // http_post_cb_closure_ member suggests an HTTP POST). See the base class
  // for the parameters.
  void fetch_oauth2(grpc_credentials_metadata_request* req,
                    grpc_httpcli_context* httpcli_context,
                    grpc_polling_entity* pollent, grpc_iomgr_cb_func cb,
                    grpc_millis deadline) override;

 private:
  // The credential used for every fetch (contains secrets).
  grpc_auth_refresh_token refresh_token_;
  // Closure that receives the HTTP response of the in-flight fetch.
  grpc_closure http_post_cb_closure_;
};

// Access token credentials.
//
// Call credentials that attach a caller-supplied, already-obtained access
// token to calls. Unlike grpc_oauth2_token_fetcher_credentials there is no
// expiration state and no fetch path in this class, so when the token expires
// the owner has to create new credentials.
class grpc_access_token_credentials final : public grpc_call_credentials {
 public:
  // access_token: the bearer token string. The class keeps no pointer to it,
  // so the constructor must copy it into access_token_md_; the caller keeps
  // ownership of the passed string.
  explicit grpc_access_token_credentials(const char* access_token);
  ~grpc_access_token_credentials() override;

  // grpc_call_credentials hook: hands out access_token_md_. There is no I/O
  // state in this class, so this presumably completes synchronously.
  bool get_request_metadata(grpc_polling_entity* pollent,
                            grpc_auth_metadata_context context,
                            grpc_credentials_mdelem_array* md_array,
                            grpc_closure* on_request_metadata,
                            grpc_error_handle* error) override;

  void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
                                   grpc_error_handle error) override;

  // NOTE(review): must not include the token itself; confirm.
  std::string debug_string() override;

 private:
  // The token as a metadata element. No in-class initialiser (compare the
  // fetcher base class's GRPC_MDNULL); the constructor must set it.
  grpc_mdelem access_token_md_;
};

// Private constructor for refresh token credentials from an already parsed
// refresh token. Takes ownership of the refresh token.
//
// Do not call grpc_auth_refresh_token_destruct() on `token` afterwards.
// "Private" here means internal to the credentials code, not C++ private:
// this is a free function callable from anything that includes this header.
grpc_core::RefCountedPtr<grpc_call_credentials>
grpc_refresh_token_credentials_create_from_auth_refresh_token(
    grpc_auth_refresh_token token);

// Exposed for testing only.
// Parses the token endpoint's HTTP response into a metadata element holding
// the access token (*token_md) and the token's lifetime (*token_lifetime),
// returning a grpc_credentials_status. `response` is untrusted network input:
// status, headers and body all come from the remote server, so a non-success
// status or a malformed/incomplete body should be reported as failure rather
// than producing a partial token. NOTE(review): the expected body format and
// how the HTTP status is checked are not visible from this declaration;
// confirm in the .cc. Ownership of *token_md on success (whether the caller
// must unref it) is likewise not visible here.
grpc_credentials_status
grpc_oauth2_token_fetcher_credentials_parse_server_response(
    const struct grpc_http_response* response, grpc_mdelem* token_md,
    grpc_millis* token_lifetime);

namespace grpc_core {
// Exposed for testing only. This function validates the options, ensuring that
// the required fields are set, and outputs the parsed URL of the STS token
// exchange service.
//
// Returns the parsed STS endpoint URI, or an error status when a required
// field is missing or the URL does not parse. NOTE(review): whether the URI
// scheme is restricted (e.g. https required) is not visible here -- the
// subject token is sent to this endpoint, so a plain-http URL would expose it.
// absl::StatusOr is reached transitively (presumably via uri_parser.h); there
// is no direct abseil include in this header.
absl::StatusOr<URI> ValidateStsCredentialsOptions(
    const grpc_sts_credentials_options* options);
}  // namespace grpc_core

#endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_OAUTH2_OAUTH2_CREDENTIALS_H */