RubyGems - grpc - Versions diffs - 1.33.0.pre1 → 1.34.0 - Mend

grpc 1.33.0.pre1 → 1.34.0

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (533) hide show

data/src/core/lib/security/credentials/external/external_account_credentials.h ADDED

@@ -0,0 +1,118 @@
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_EXTERNAL_ACCOUNT_CREDENTIALS_H
+#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_EXTERNAL_ACCOUNT_CREDENTIALS_H
+#include <grpc/support/port_platform.h>
+#include <string>
+#include <vector>
+#include "src/core/lib/json/json.h"
+#include "src/core/lib/security/credentials/oauth2/oauth2_credentials.h"
+namespace grpc_core {
+// Base external account credentials. The base class implements common logic for
+// exchanging external account credentials for GCP access token to authorize
+// requests to GCP APIs. The specific logic of retrieving subject token is
+// implemented in subclasses.
+class ExternalAccountCredentials
+    : public grpc_oauth2_token_fetcher_credentials {
+ public:
+  // External account credentials json interface.
+  struct ExternalAccountCredentialsOptions {
+    std::string type;
+    std::string audience;
+    std::string subject_token_type;
+    std::string service_account_impersonation_url;
+    std::string token_url;
+    std::string token_info_url;
+    Json credential_source;
+    std::string quota_project_id;
+    std::string client_id;
+    std::string client_secret;
+  };
+  ExternalAccountCredentials(ExternalAccountCredentialsOptions options,
+                             std::vector<std::string> scopes);
+  ~ExternalAccountCredentials() override;
+  std::string debug_string() override;
+ protected:
+  // This is a helper struct to pass information between multiple callback based
+  // asynchronous calls.
+  struct HTTPRequestContext {
+    HTTPRequestContext(grpc_httpcli_context* httpcli_context,
+                       grpc_polling_entity* pollent, grpc_millis deadline)
+        : httpcli_context(httpcli_context),
+          pollent(pollent),
+          deadline(deadline) {}
+    ~HTTPRequestContext() { grpc_http_response_destroy(&response); }
+    // Contextual parameters passed from
+    // grpc_oauth2_token_fetcher_credentials::fetch_oauth2().
+    grpc_httpcli_context* httpcli_context;
+    grpc_polling_entity* pollent;
+    grpc_millis deadline;
+    // Reusable token fetch http response and closure.
+    grpc_closure closure;
+    grpc_http_response response;
+  };
+  // Subclasses of base external account credentials need to override this
+  // method to implement the specific subject token retrieval logic.
+  // Once the subject token is ready, subclasses need to invoke
+  // the callback function (cb) to pass the subject token (or error)
+  // back.
+  virtual void RetrieveSubjectToken(
+      HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
+      std::function<void(std::string, grpc_error*)> cb) = 0;
+ private:
+  // This method implements the common token fetch logic and it will be called
+  // when grpc_oauth2_token_fetcher_credentials request a new access token.
+  void fetch_oauth2(grpc_credentials_metadata_request* req,
+                    grpc_httpcli_context* httpcli_context,
+                    grpc_polling_entity* pollent, grpc_iomgr_cb_func cb,
+                    grpc_millis deadline) override;
+  void OnRetrieveSubjectTokenInternal(absl::string_view subject_token,
+                                      grpc_error* error);
+  void ExchangeToken(absl::string_view subject_token);
+  static void OnExchangeToken(void* arg, grpc_error* error);
+  void OnExchangeTokenInternal(grpc_error* error);
+  void ImpersenateServiceAccount();
+  static void OnImpersenateServiceAccount(void* arg, grpc_error* error);
+  void OnImpersenateServiceAccountInternal(grpc_error* error);
+  void FinishTokenFetch(grpc_error* error);
+  ExternalAccountCredentialsOptions options_;
+  std::vector<std::string> scopes_;
+  HTTPRequestContext* ctx_ = nullptr;
+  grpc_credentials_metadata_request* metadata_req_ = nullptr;
+  grpc_iomgr_cb_func response_cb_ = nullptr;
+};
+}  // namespace grpc_core
+#endif  // GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_EXTERNAL_ACCOUNT_CREDENTIALS_H

data/src/core/lib/security/credentials/external/file_external_account_credentials.cc ADDED

@@ -0,0 +1,136 @@
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+#include <grpc/support/port_platform.h>
+#include "src/core/lib/security/credentials/external/file_external_account_credentials.h"
+#include <fstream>
+#include "src/core/lib/iomgr/load_file.h"
+#include "src/core/lib/slice/slice_internal.h"
+#include "src/core/lib/slice/slice_utils.h"
+namespace grpc_core {
+RefCountedPtr<FileExternalAccountCredentials>
+FileExternalAccountCredentials::Create(
+    ExternalAccountCredentialsOptions options, std::vector<std::string> scopes,
+    grpc_error** error) {
+  auto creds = MakeRefCounted<FileExternalAccountCredentials>(
+      std::move(options), std::move(scopes), error);
+  if (*error == GRPC_ERROR_NONE) {
+    return creds;
+  } else {
+    return nullptr;
+  }
+}
+FileExternalAccountCredentials::FileExternalAccountCredentials(
+    ExternalAccountCredentialsOptions options, std::vector<std::string> scopes,
+    grpc_error** error)
+    : ExternalAccountCredentials(options, std::move(scopes)) {
+  auto it = options.credential_source.object_value().find("file");
+  if (it == options.credential_source.object_value().end()) {
+    *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("file field not present.");
+    return;
+  }
+  if (it->second.type() != Json::Type::STRING) {
+    *error =
+        GRPC_ERROR_CREATE_FROM_STATIC_STRING("file field must be a string.");
+    return;
+  }
+  file_ = it->second.string_value();
+  it = options.credential_source.object_value().find("format");
+  if (it != options.credential_source.object_value().end()) {
+    const Json& format_json = it->second;
+    if (format_json.type() != Json::Type::OBJECT) {
+      *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+          "The JSON value of credential source format is not an object.");
+      return;
+    }
+    auto format_it = format_json.object_value().find("type");
+    if (format_it == format_json.object_value().end()) {
+      *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+          "format.type field not present.");
+      return;
+    }
+    if (format_it->second.type() != Json::Type::STRING) {
+      *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+          "format.type field must be a string.");
+      return;
+    }
+    format_type_ = format_it->second.string_value();
+    if (format_type_ == "json") {
+      format_it = format_json.object_value().find("subject_token_field_name");
+      if (format_it == format_json.object_value().end()) {
+        *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+            "format.subject_token_field_name field must be present if the "
+            "format is in Json.");
+        return;
+      }
+      if (format_it->second.type() != Json::Type::STRING) {
+        *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+            "format.subject_token_field_name field must be a string.");
+        return;
+      }
+      format_subject_token_field_name_ = format_it->second.string_value();
+    }
+  }
+}
+void FileExternalAccountCredentials::RetrieveSubjectToken(
+    HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
+    std::function<void(std::string, grpc_error*)> cb) {
+  struct SliceWrapper {
+    ~SliceWrapper() { grpc_slice_unref_internal(slice); }
+    grpc_slice slice = grpc_empty_slice();
+  };
+  SliceWrapper content_slice;
+  // To retrieve the subject token, we read the file every time we make a
+  // request because it may have changed since the last request.
+  grpc_error* error = grpc_load_file(file_.c_str(), 0, &content_slice.slice);
+  if (error != GRPC_ERROR_NONE) {
+    cb("", error);
+    return;
+  }
+  absl::string_view content = StringViewFromSlice(content_slice.slice);
+  if (format_type_ == "json") {
+    Json content_json = Json::Parse(content, &error);
+    if (error != GRPC_ERROR_NONE || content_json.type() != Json::Type::OBJECT) {
+      cb("", GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+                 "The content of the file is not a valid json object."));
+      GRPC_ERROR_UNREF(error);
+      return;
+    }
+    auto content_it =
+        content_json.object_value().find(format_subject_token_field_name_);
+    if (content_it == content_json.object_value().end()) {
+      cb("", GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+                 "Subject token field not present."));
+      return;
+    }
+    if (content_it->second.type() != Json::Type::STRING) {
+      cb("", GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+                 "Subject token field must be a string."));
+      return;
+    }
+    cb(content_it->second.string_value(), GRPC_ERROR_NONE);
+    return;
+  }
+  cb(std::string(content), GRPC_ERROR_NONE);
+}
+}  // namespace grpc_core

data/src/core/lib/security/credentials/external/file_external_account_credentials.h ADDED

@@ -0,0 +1,49 @@
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_FILE_EXTERNAL_ACCOUNT_CREDENTIALS_H
+#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_FILE_EXTERNAL_ACCOUNT_CREDENTIALS_H
+#include <grpc/support/port_platform.h>
+#include "src/core/lib/security/credentials/external/external_account_credentials.h"
+namespace grpc_core {
+class FileExternalAccountCredentials final : public ExternalAccountCredentials {
+ public:
+  static RefCountedPtr<FileExternalAccountCredentials> Create(
+      ExternalAccountCredentialsOptions options,
+      std::vector<std::string> scopes, grpc_error** error);
+  FileExternalAccountCredentials(ExternalAccountCredentialsOptions options,
+                                 std::vector<std::string> scopes,
+                                 grpc_error** error);
+ private:
+  void RetrieveSubjectToken(
+      HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
+      std::function<void(std::string, grpc_error*)> cb) override;
+  // Fields of credential source
+  std::string file_;
+  std::string format_type_;
+  std::string format_subject_token_field_name_;
+};
+}  // namespace grpc_core
+#endif  // GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_FILE_EXTERNAL_ACCOUNT_CREDENTIALS_H

data/src/core/lib/security/credentials/external/url_external_account_credentials.cc ADDED

@@ -0,0 +1,211 @@
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+#include <grpc/support/port_platform.h>
+#include "src/core/lib/security/credentials/external/url_external_account_credentials.h"
+#include "absl/strings/str_format.h"
+namespace grpc_core {
+RefCountedPtr<UrlExternalAccountCredentials>
+UrlExternalAccountCredentials::Create(ExternalAccountCredentialsOptions options,
+                                      std::vector<std::string> scopes,
+                                      grpc_error** error) {
+  auto creds = MakeRefCounted<UrlExternalAccountCredentials>(
+      std::move(options), std::move(scopes), error);
+  if (*error == GRPC_ERROR_NONE) {
+    return creds;
+  } else {
+    return nullptr;
+  }
+}
+UrlExternalAccountCredentials::UrlExternalAccountCredentials(
+    ExternalAccountCredentialsOptions options, std::vector<std::string> scopes,
+    grpc_error** error)
+    : ExternalAccountCredentials(options, std::move(scopes)) {
+  auto it = options.credential_source.object_value().find("url");
+  if (it == options.credential_source.object_value().end()) {
+    *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("url field not present.");
+    return;
+  }
+  if (it->second.type() != Json::Type::STRING) {
+    *error =
+        GRPC_ERROR_CREATE_FROM_STATIC_STRING("url field must be a string.");
+    return;
+  }
+  grpc_uri* url = grpc_uri_parse(it->second.string_value(), false);
+  if (url == nullptr) {
+    *error =
+        GRPC_ERROR_CREATE_FROM_STATIC_STRING("Invalid credential source url.");
+    return;
+  }
+  url_ = url;
+  it = options.credential_source.object_value().find("headers");
+  if (it != options.credential_source.object_value().end()) {
+    if (it->second.type() != Json::Type::OBJECT) {
+      *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+          "The JSON value of credential source headers is not an object.");
+      return;
+    }
+    for (auto const& header : it->second.object_value()) {
+      headers_[header.first] = header.second.string_value();
+    }
+  }
+  it = options.credential_source.object_value().find("format");
+  if (it != options.credential_source.object_value().end()) {
+    const Json& format_json = it->second;
+    if (format_json.type() != Json::Type::OBJECT) {
+      *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+          "The JSON value of credential source format is not an object.");
+      return;
+    }
+    auto format_it = format_json.object_value().find("type");
+    if (format_it == format_json.object_value().end()) {
+      *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+          "format.type field not present.");
+      return;
+    }
+    if (format_it->second.type() != Json::Type::STRING) {
+      *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+          "format.type field must be a string.");
+      return;
+    }
+    format_type_ = format_it->second.string_value();
+    if (format_type_ == "json") {
+      format_it = format_json.object_value().find("subject_token_field_name");
+      if (format_it == format_json.object_value().end()) {
+        *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+            "format.subject_token_field_name field must be present if the "
+            "format is in Json.");
+        return;
+      }
+      if (format_it->second.type() != Json::Type::STRING) {
+        *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+            "format.subject_token_field_name field must be a string.");
+        return;
+      }
+      format_subject_token_field_name_ = format_it->second.string_value();
+    }
+  }
+}
+UrlExternalAccountCredentials::~UrlExternalAccountCredentials() {
+  grpc_uri_destroy(url_);
+}
+void UrlExternalAccountCredentials::RetrieveSubjectToken(
+    HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
+    std::function<void(std::string, grpc_error*)> cb) {
+  if (ctx == nullptr) {
+    FinishRetrieveSubjectToken(
+        "",
+        GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+            "Missing HTTPRequestContext to start subject token retrieval."));
+    return;
+  }
+  ctx_ = ctx;
+  cb_ = cb;
+  grpc_httpcli_request request;
+  memset(&request, 0, sizeof(grpc_httpcli_request));
+  request.host = const_cast<char*>(url_->authority);
+  request.http.path = gpr_strdup(url_->path);
+  grpc_http_header* headers = nullptr;
+  request.http.hdr_count = headers_.size();
+  headers = static_cast<grpc_http_header*>(
+      gpr_malloc(sizeof(grpc_http_header) * request.http.hdr_count));
+  int i = 0;
+  for (auto const& header : headers_) {
+    headers[i].key = gpr_strdup(header.first.c_str());
+    headers[i].value = gpr_strdup(header.second.c_str());
+    ++i;
+  }
+  request.http.hdrs = headers;
+  request.handshaker = (strcmp(url_->scheme, "https") == 0)
+                           ? &grpc_httpcli_ssl
+                           : &grpc_httpcli_plaintext;
+  grpc_resource_quota* resource_quota =
+      grpc_resource_quota_create("external_account_credentials");
+  grpc_http_response_destroy(&ctx_->response);
+  ctx_->response = {};
+  GRPC_CLOSURE_INIT(&ctx_->closure, OnRetrieveSubjectToken, this, nullptr);
+  grpc_httpcli_get(ctx_->httpcli_context, ctx_->pollent, resource_quota,
+                   &request, ctx_->deadline, &ctx_->closure, &ctx_->response);
+  grpc_resource_quota_unref_internal(resource_quota);
+  grpc_http_request_destroy(&request.http);
+}
+void UrlExternalAccountCredentials::OnRetrieveSubjectToken(void* arg,
+                                                           grpc_error* error) {
+  UrlExternalAccountCredentials* self =
+      static_cast<UrlExternalAccountCredentials*>(arg);
+  self->OnRetrieveSubjectTokenInternal(GRPC_ERROR_REF(error));
+}
+void UrlExternalAccountCredentials::OnRetrieveSubjectTokenInternal(
+    grpc_error* error) {
+  if (error != GRPC_ERROR_NONE) {
+    FinishRetrieveSubjectToken("", error);
+    return;
+  }
+  absl::string_view response_body(ctx_->response.body,
+                                  ctx_->response.body_length);
+  if (format_type_ == "json") {
+    grpc_error* error = GRPC_ERROR_NONE;
+    Json response_json = Json::Parse(response_body, &error);
+    if (error != GRPC_ERROR_NONE ||
+        response_json.type() != Json::Type::OBJECT) {
+      FinishRetrieveSubjectToken(
+          "", GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+                  "The format of response is not a valid json object."));
+      return;
+    }
+    auto response_it =
+        response_json.object_value().find(format_subject_token_field_name_);
+    if (response_it == response_json.object_value().end()) {
+      FinishRetrieveSubjectToken("", GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+                                         "Subject token field not present."));
+      return;
+    }
+    if (response_it->second.type() != Json::Type::STRING) {
+      FinishRetrieveSubjectToken("",
+                                 GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+                                     "Subject token field must be a string."));
+      return;
+    }
+    FinishRetrieveSubjectToken(response_it->second.string_value(), error);
+    return;
+  }
+  FinishRetrieveSubjectToken(std::string(response_body), GRPC_ERROR_NONE);
+}
+void UrlExternalAccountCredentials::FinishRetrieveSubjectToken(
+    std::string subject_token, grpc_error* error) {
+  // Reset context
+  ctx_ = nullptr;
+  // Move object state into local variables.
+  auto cb = cb_;
+  cb_ = nullptr;
+  // Invoke the callback.
+  if (error != GRPC_ERROR_NONE) {
+    cb("", error);
+  } else {
+    cb(subject_token, GRPC_ERROR_NONE);
+  }
+}
+}  // namespace grpc_core