grpc 1.56.2 → 1.57.0.pre1

data/src/core/lib/resolver/server_address.h

@@ -21,17 +21,21 @@
 
 #include <grpc/support/port_platform.h>
 
-#include <stdint.h>
-
-#include <map>
-#include <memory>
 #include <string>
 #include <vector>
 
 #include "src/core/lib/channel/channel_args.h"
-#include "src/core/lib/gpr/useful.h"
 #include "src/core/lib/iomgr/resolved_address.h"
 
+// A channel arg key prefix used for args that are intended to be used
+// only internally to resolvers and LB policies and should not be part
+// of the subchannel key.  The channel will automatically filter out any
+// args with this prefix from the subchannel's args.
+#define GRPC_ARG_NO_SUBCHANNEL_PREFIX "grpc.internal.no_subchannel."
+
+// A channel arg indicating the weight of an address.
+#define GRPC_ARG_ADDRESS_WEIGHT GRPC_ARG_NO_SUBCHANNEL_PREFIX "address.weight"
+
 namespace grpc_core {
 
 //
@@ -43,30 +47,7 @@ namespace grpc_core {
 // args when a subchannel is created for this address.
 class ServerAddress {
  public:
-  // Base class for resolver-supplied attributes.
-  // Unlike channel args, these attributes don't affect subchannel
-  // uniqueness or behavior.  They are for use by LB policies only.
-  //
-  // Attributes are keyed by a C string that is unique by address, not
-  // by value.  All attributes added with the same key must be of the
-  // same type.
-  class AttributeInterface {
-   public:
-    virtual ~AttributeInterface() = default;
-
-    // Creates a copy of the attribute.
-    virtual std::unique_ptr<AttributeInterface> Copy() const = 0;
-
-    // Compares this attribute with another.
-    virtual int Cmp(const AttributeInterface* other) const = 0;
-
-    // Returns a human-readable representation of the attribute.
-    virtual std::string ToString() const = 0;
-  };
-
-  ServerAddress(const grpc_resolved_address& address, const ChannelArgs& args,
-                std::map<const char*, std::unique_ptr<AttributeInterface>>
-                    attributes = {});
+  ServerAddress(const grpc_resolved_address& address, const ChannelArgs& args);
 
   // Copyable.
   ServerAddress(const ServerAddress& other);
@@ -83,13 +64,6 @@ class ServerAddress {
   const grpc_resolved_address& address() const { return address_; }
   const ChannelArgs& args() const { return args_; }
 
-  const AttributeInterface* GetAttribute(const char* key) const;
-
-  // Returns a copy of the address with a modified attribute.
-  // If the new value is null, the attribute is removed.
-  ServerAddress WithAttribute(const char* key,
-                              std::unique_ptr<AttributeInterface> value) const;
-
   // TODO(ctiller): Prior to making this a public API we should ensure that the
   // channel args are not part of the generated string, lest we make that debug
   // format load-bearing via Hyrum's law.
@@ -98,7 +72,6 @@ class ServerAddress {
  private:
   grpc_resolved_address address_;
   ChannelArgs args_;
-  std::map<const char*, std::unique_ptr<AttributeInterface>> attributes_;
 };
 
 //
@@ -107,33 +80,6 @@ class ServerAddress {
 
 using ServerAddressList = std::vector<ServerAddress>;
 
-//
-// ServerAddressWeightAttribute
-//
-class ServerAddressWeightAttribute : public ServerAddress::AttributeInterface {
- public:
-  static const char* kServerAddressWeightAttributeKey;
-
-  explicit ServerAddressWeightAttribute(uint32_t weight) : weight_(weight) {}
-
-  uint32_t weight() const { return weight_; }
-
-  std::unique_ptr<AttributeInterface> Copy() const override {
-    return std::make_unique<ServerAddressWeightAttribute>(weight_);
-  }
-
-  int Cmp(const AttributeInterface* other) const override {
-    const auto* other_locality_attr =
-        static_cast<const ServerAddressWeightAttribute*>(other);
-    return QsortCompare(weight_, other_locality_attr->weight_);
-  }
-
-  std::string ToString() const override;
-
- private:
-  uint32_t weight_;
-};
-
 }  // namespace grpc_core
 
 #endif  // GRPC_SRC_CORE_LIB_RESOLVER_SERVER_ADDRESS_H

data/src/core/lib/resource_quota/memory_quota.h

@@ -459,7 +459,7 @@ class GrpcMemoryAllocatorImpl final : public EventEngineMemoryAllocatorImpl {
   static constexpr size_t kMaxQuotaBufferSize = 1024 * 1024;
 
   // Primitive reservation function.
-  absl::optional<size_t> TryReserve(MemoryRequest request) GRPC_MUST_USE_RESULT;
+  GRPC_MUST_USE_RESULT absl::optional<size_t> TryReserve(MemoryRequest request);
   // This function may be invoked during a memory release operation.
   // It will try to return half of our free pool to the quota.
   void MaybeDonateBack();

data/src/core/lib/security/credentials/channel_creds_registry.h

@@ -21,81 +21,105 @@
 
 #include <map>
 #include <memory>
-#include <string>
 #include <type_traits>
+#include <utility>
 
 #include "absl/strings/string_view.h"
 
+#include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/gprpp/validation_errors.h"
 #include "src/core/lib/json/json.h"
+#include "src/core/lib/json/json_args.h"
 
 struct grpc_channel_credentials;
 
 namespace grpc_core {
 
+class ChannelCredsConfig : public RefCounted<ChannelCredsConfig> {
+ public:
+  virtual absl::string_view type() const = 0;
+
+  virtual bool Equals(const ChannelCredsConfig& other) const = 0;
+
+  virtual Json ToJson() const = 0;
+};
+
 template <typename T = grpc_channel_credentials>
 class ChannelCredsFactory final {
  public:
   virtual ~ChannelCredsFactory() {}
-  virtual absl::string_view creds_type() const = delete;
-  virtual bool IsValidConfig(const Json& config) const = delete;
-  virtual RefCountedPtr<T> CreateChannelCreds(const Json& config) const =
-      delete;
+  virtual absl::string_view type() const = delete;
+  virtual RefCountedPtr<ChannelCredsConfig> ParseConfig(
+      const Json& config, const JsonArgs& args,
+      ValidationErrors* errors) const = delete;
+  virtual RefCountedPtr<T> CreateChannelCreds(
+      RefCountedPtr<ChannelCredsConfig> config) const = delete;
 };
 
 template <>
 class ChannelCredsFactory<grpc_channel_credentials> {
  public:
   virtual ~ChannelCredsFactory() {}
-  virtual absl::string_view creds_type() const = 0;
-  virtual bool IsValidConfig(const Json& config) const = 0;
+  virtual absl::string_view type() const = 0;
+  virtual RefCountedPtr<ChannelCredsConfig> ParseConfig(
+      const Json& config, const JsonArgs& args,
+      ValidationErrors* errors) const = 0;
   virtual RefCountedPtr<grpc_channel_credentials> CreateChannelCreds(
-      const Json& config) const = 0;
+      RefCountedPtr<ChannelCredsConfig> config) const = 0;
 };
 
 template <typename T = grpc_channel_credentials>
 class ChannelCredsRegistry {
+ private:
+  using FactoryMap =
+      std::map<absl::string_view, std::unique_ptr<ChannelCredsFactory<T>>>;
+
  public:
   static_assert(std::is_base_of<grpc_channel_credentials, T>::value,
                 "ChannelCredsRegistry must be instantiated with "
                 "grpc_channel_credentials.");
+
   class Builder {
    public:
     void RegisterChannelCredsFactory(
         std::unique_ptr<ChannelCredsFactory<T>> factory) {
-      factories_[factory->creds_type()] = std::move(factory);
+      absl::string_view type = factory->type();
+      factories_[type] = std::move(factory);
     }
     ChannelCredsRegistry Build() {
-      ChannelCredsRegistry<T> registry;
-      registry.factories_.swap(factories_);
-      return registry;
+      return ChannelCredsRegistry<T>(std::move(factories_));
     }
 
    private:
-    std::map<absl::string_view, std::unique_ptr<ChannelCredsFactory<T>>>
-        factories_;
+    FactoryMap factories_;
   };
 
-  bool IsSupported(const std::string& creds_type) const {
-    return factories_.find(creds_type) != factories_.end();
+  bool IsSupported(absl::string_view type) const {
+    return factories_.find(type) != factories_.end();
   }
 
-  bool IsValidConfig(const std::string& creds_type, const Json& config) const {
-    const auto iter = factories_.find(creds_type);
-    return iter != factories_.cend() && iter->second->IsValidConfig(config);
+  RefCountedPtr<ChannelCredsConfig> ParseConfig(
+      absl::string_view type, const Json& config, const JsonArgs& args,
+      ValidationErrors* errors) const {
+    const auto it = factories_.find(type);
+    if (it == factories_.cend()) return nullptr;
+    return it->second->ParseConfig(config, args, errors);
   }
 
-  RefCountedPtr<T> CreateChannelCreds(const std::string& creds_type,
-                                      const Json& config) const {
-    const auto iter = factories_.find(creds_type);
-    if (iter == factories_.cend()) return nullptr;
-    return iter->second->CreateChannelCreds(config);
+  RefCountedPtr<T> CreateChannelCreds(
+      RefCountedPtr<ChannelCredsConfig> config) const {
+    if (config == nullptr) return nullptr;
+    const auto it = factories_.find(config->type());
+    if (it == factories_.cend()) return nullptr;
+    return it->second->CreateChannelCreds(std::move(config));
   }
 
  private:
-  ChannelCredsRegistry() = default;
-  std::map<absl::string_view, std::unique_ptr<ChannelCredsFactory<T>>>
-      factories_;
+  explicit ChannelCredsRegistry(FactoryMap factories)
+      : factories_(std::move(factories)) {}
+
+  FactoryMap factories_;
 };
 
 }  // namespace grpc_core

data/src/core/lib/security/credentials/channel_creds_registry_init.cc

@@ -18,59 +18,219 @@
 
 #include <grpc/support/port_platform.h>
 
+#include <map>
 #include <memory>
+#include <string>
+#include <utility>
 
 #include "absl/strings/string_view.h"
 
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
+#include <grpc/support/json.h>
+#include <grpc/support/time.h>
 
 #include "src/core/lib/config/core_configuration.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/gprpp/time.h"
+#include "src/core/lib/gprpp/validation_errors.h"
 #include "src/core/lib/json/json.h"
+#include "src/core/lib/json/json_args.h"
+#include "src/core/lib/json/json_object_loader.h"
 #include "src/core/lib/security/credentials/channel_creds_registry.h"
 #include "src/core/lib/security/credentials/credentials.h"
 #include "src/core/lib/security/credentials/fake/fake_credentials.h"
 #include "src/core/lib/security/credentials/google_default/google_default_credentials.h"  // IWYU pragma: keep
+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
+#include "src/core/lib/security/credentials/tls/tls_credentials.h"
 
 namespace grpc_core {
 
 class GoogleDefaultChannelCredsFactory : public ChannelCredsFactory<> {
  public:
-  absl::string_view creds_type() const override { return "google_default"; }
-  bool IsValidConfig(const Json& /*config*/) const override { return true; }
+  absl::string_view type() const override { return Type(); }
+  RefCountedPtr<ChannelCredsConfig> ParseConfig(
+      const Json& /*config*/, const JsonArgs& /*args*/,
+      ValidationErrors* /*errors*/) const override {
+    return MakeRefCounted<Config>();
+  }
   RefCountedPtr<grpc_channel_credentials> CreateChannelCreds(
-      const Json& /*config*/) const override {
+      RefCountedPtr<ChannelCredsConfig> /*config*/) const override {
     return RefCountedPtr<grpc_channel_credentials>(
         grpc_google_default_credentials_create(nullptr));
   }
+
+ private:
+  class Config : public ChannelCredsConfig {
+   public:
+    absl::string_view type() const override { return Type(); }
+    bool Equals(const ChannelCredsConfig&) const override { return true; }
+    Json ToJson() const override { return Json::FromObject({}); }
+  };
+
+  static absl::string_view Type() { return "google_default"; }
+};
+
+class TlsChannelCredsFactory : public ChannelCredsFactory<> {
+ public:
+  absl::string_view type() const override { return Type(); }
+
+  RefCountedPtr<ChannelCredsConfig> ParseConfig(
+      const Json& config, const JsonArgs& args,
+      ValidationErrors* errors) const override {
+    return LoadFromJson<RefCountedPtr<TlsConfig>>(config, args, errors);
+  }
+
+  RefCountedPtr<grpc_channel_credentials> CreateChannelCreds(
+      RefCountedPtr<ChannelCredsConfig> base_config) const override {
+    auto* config = static_cast<const TlsConfig*>(base_config.get());
+    auto options = MakeRefCounted<grpc_tls_credentials_options>();
+    if (!config->certificate_file().empty() ||
+        !config->ca_certificate_file().empty()) {
+      options->set_certificate_provider(
+          MakeRefCounted<FileWatcherCertificateProvider>(
+              config->private_key_file(), config->certificate_file(),
+              config->ca_certificate_file(),
+              config->refresh_interval().millis() / GPR_MS_PER_SEC));
+    }
+    options->set_watch_root_cert(!config->ca_certificate_file().empty());
+    options->set_watch_identity_pair(!config->certificate_file().empty());
+    return MakeRefCounted<TlsCredentials>(std::move(options));
+  }
+
+ private:
+  // TODO(roth): It would be nice to share most of this config with the
+  // xDS file watcher cert provider factory, but that would require
+  // adding a dependency from lib to ext.
+  class TlsConfig : public ChannelCredsConfig {
+   public:
+    absl::string_view type() const override { return Type(); }
+
+    bool Equals(const ChannelCredsConfig& other) const override {
+      auto& o = static_cast<const TlsConfig&>(other);
+      return certificate_file_ == o.certificate_file_ &&
+             private_key_file_ == o.private_key_file_ &&
+             ca_certificate_file_ == o.ca_certificate_file_ &&
+             refresh_interval_ == o.refresh_interval_;
+    }
+
+    Json ToJson() const override {
+      Json::Object obj;
+      if (!certificate_file_.empty()) {
+        obj["certificate_file"] = Json::FromString(certificate_file_);
+      }
+      if (!private_key_file_.empty()) {
+        obj["private_key_file"] = Json::FromString(private_key_file_);
+      }
+      if (!ca_certificate_file_.empty()) {
+        obj["ca_certificate_file"] = Json::FromString(ca_certificate_file_);
+      }
+      if (refresh_interval_ != kDefaultRefreshInterval) {
+        obj["refresh_interval"] =
+            Json::FromString(refresh_interval_.ToJsonString());
+      }
+      return Json::FromObject(std::move(obj));
+    }
+
+    const std::string& certificate_file() const { return certificate_file_; }
+    const std::string& private_key_file() const { return private_key_file_; }
+    const std::string& ca_certificate_file() const {
+      return ca_certificate_file_;
+    }
+    Duration refresh_interval() const { return refresh_interval_; }
+
+    static const JsonLoaderInterface* JsonLoader(const JsonArgs&) {
+      static const auto* loader =
+          JsonObjectLoader<TlsConfig>()
+              .OptionalField("certificate_file", &TlsConfig::certificate_file_)
+              .OptionalField("private_key_file", &TlsConfig::private_key_file_)
+              .OptionalField("ca_certificate_file",
+                             &TlsConfig::ca_certificate_file_)
+              .OptionalField("refresh_interval", &TlsConfig::refresh_interval_)
+              .Finish();
+      return loader;
+    }
+
+    void JsonPostLoad(const Json& json, const JsonArgs& /*args*/,
+                      ValidationErrors* errors) {
+      if ((json.object().find("certificate_file") == json.object().end()) !=
+          (json.object().find("private_key_file") == json.object().end())) {
+        errors->AddError(
+            "fields \"certificate_file\" and \"private_key_file\" must be "
+            "both set or both unset");
+      }
+    }
+
+   private:
+    static constexpr Duration kDefaultRefreshInterval = Duration::Minutes(10);
+
+    std::string certificate_file_;
+    std::string private_key_file_;
+    std::string ca_certificate_file_;
+    Duration refresh_interval_ = kDefaultRefreshInterval;
+  };
+
+  static absl::string_view Type() { return "tls"; }
 };
 
+constexpr Duration TlsChannelCredsFactory::TlsConfig::kDefaultRefreshInterval;
+
 class InsecureChannelCredsFactory : public ChannelCredsFactory<> {
  public:
-  absl::string_view creds_type() const override { return "insecure"; }
-  bool IsValidConfig(const Json& /*config*/) const override { return true; }
+  absl::string_view type() const override { return Type(); }
+  RefCountedPtr<ChannelCredsConfig> ParseConfig(
+      const Json& /*config*/, const JsonArgs& /*args*/,
+      ValidationErrors* /*errors*/) const override {
+    return MakeRefCounted<Config>();
+  }
   RefCountedPtr<grpc_channel_credentials> CreateChannelCreds(
-      const Json& /*config*/) const override {
+      RefCountedPtr<ChannelCredsConfig> /*config*/) const override {
     return RefCountedPtr<grpc_channel_credentials>(
         grpc_insecure_credentials_create());
   }
+
+ private:
+  class Config : public ChannelCredsConfig {
+   public:
+    absl::string_view type() const override { return Type(); }
+    bool Equals(const ChannelCredsConfig&) const override { return true; }
+    Json ToJson() const override { return Json::FromObject({}); }
+  };
+
+  static absl::string_view Type() { return "insecure"; }
 };
 
 class FakeChannelCredsFactory : public ChannelCredsFactory<> {
  public:
-  absl::string_view creds_type() const override { return "fake"; }
-  bool IsValidConfig(const Json& /*config*/) const override { return true; }
+  absl::string_view type() const override { return Type(); }
+  RefCountedPtr<ChannelCredsConfig> ParseConfig(
+      const Json& /*config*/, const JsonArgs& /*args*/,
+      ValidationErrors* /*errors*/) const override {
+    return MakeRefCounted<Config>();
+  }
   RefCountedPtr<grpc_channel_credentials> CreateChannelCreds(
-      const Json& /*config*/) const override {
+      RefCountedPtr<ChannelCredsConfig> /*config*/) const override {
     return RefCountedPtr<grpc_channel_credentials>(
         grpc_fake_transport_security_credentials_create());
   }
+
+ private:
+  class Config : public ChannelCredsConfig {
+   public:
+    absl::string_view type() const override { return Type(); }
+    bool Equals(const ChannelCredsConfig&) const override { return true; }
+    Json ToJson() const override { return Json::FromObject({}); }
+  };
+
+  static absl::string_view Type() { return "fake"; }
 };
 
 void RegisterChannelDefaultCreds(CoreConfiguration::Builder* builder) {
   builder->channel_creds_registry()->RegisterChannelCredsFactory(
       std::make_unique<GoogleDefaultChannelCredsFactory>());
+  builder->channel_creds_registry()->RegisterChannelCredsFactory(
+      std::make_unique<TlsChannelCredsFactory>());
   builder->channel_creds_registry()->RegisterChannelCredsFactory(
       std::make_unique<InsecureChannelCredsFactory>());
   builder->channel_creds_registry()->RegisterChannelCredsFactory(

data/src/core/lib/security/credentials/composite/composite_credentials.cc

@@ -39,7 +39,7 @@
 // grpc_composite_channel_credentials
 //
 
-grpc_core::UniqueTypeName grpc_composite_channel_credentials::type() const {
+grpc_core::UniqueTypeName grpc_composite_channel_credentials::Type() {
   static grpc_core::UniqueTypeName::Factory kFactory("Composite");
   return kFactory.Create();
 }

data/src/core/lib/security/credentials/composite/composite_credentials.h

@@ -68,7 +68,9 @@ class grpc_composite_channel_credentials : public grpc_channel_credentials {
     return inner_creds_->update_arguments(std::move(args));
   }
 
-  grpc_core::UniqueTypeName type() const override;
+  static grpc_core::UniqueTypeName Type();
+
+  grpc_core::UniqueTypeName type() const override { return Type(); }
 
   const grpc_channel_credentials* inner_creds() const {
     return inner_creds_.get();

data/src/core/lib/security/credentials/external/external_account_credentials.cc

@@ -29,6 +29,7 @@
 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
 #include "absl/strings/match.h"
+#include "absl/strings/numbers.h"
 #include "absl/strings/str_cat.h"
 #include "absl/strings/str_format.h"
 #include "absl/strings/str_join.h"
@@ -63,6 +64,9 @@
   "urn:ietf:params:oauth:token-type:access_token"
 #define GOOGLE_CLOUD_PLATFORM_DEFAULT_SCOPE \
   "https://www.googleapis.com/auth/cloud-platform"
+#define IMPERSONATED_CRED_DEFAULT_LIFETIME_IN_SECONDS 3600  // 1 hour
+#define IMPERSONATED_CRED_MIN_LIFETIME_IN_SECONDS 600       // 10 mins
+#define IMPERSONATED_CRED_MAX_LIFETIME_IN_SECONDS 43200     // 12 hours
 
 namespace grpc_core {
 
@@ -197,6 +201,36 @@ RefCountedPtr<ExternalAccountCredentials> ExternalAccountCredentials::Create(
       return nullptr;
     }
   }
+  it = json.object().find("service_account_impersonation");
+  options.service_account_impersonation.token_lifetime_seconds =
+      IMPERSONATED_CRED_DEFAULT_LIFETIME_IN_SECONDS;
+  if (it != json.object().end() && it->second.type() == Json::Type::kObject) {
+    auto service_acc_imp_json = it->second;
+    auto service_acc_imp_obj_it =
+        service_acc_imp_json.object().find("token_lifetime_seconds");
+    if (service_acc_imp_obj_it != service_acc_imp_json.object().end()) {
+      if (!absl::SimpleAtoi(
+              service_acc_imp_obj_it->second.string(),
+              &options.service_account_impersonation.token_lifetime_seconds)) {
+        *error = GRPC_ERROR_CREATE("token_lifetime_seconds must be a number");
+        return nullptr;
+      }
+      if (options.service_account_impersonation.token_lifetime_seconds >
+          IMPERSONATED_CRED_MAX_LIFETIME_IN_SECONDS) {
+        *error = GRPC_ERROR_CREATE(
+            absl::StrFormat("token_lifetime_seconds must be less than %ds",
+                            IMPERSONATED_CRED_MAX_LIFETIME_IN_SECONDS));
+        return nullptr;
+      }
+      if (options.service_account_impersonation.token_lifetime_seconds <
+          IMPERSONATED_CRED_MIN_LIFETIME_IN_SECONDS) {
+        *error = GRPC_ERROR_CREATE(
+            absl::StrFormat("token_lifetime_seconds must be more than %ds",
+                            IMPERSONATED_CRED_MIN_LIFETIME_IN_SECONDS));
+        return nullptr;
+      }
+    }
+  }
   RefCountedPtr<ExternalAccountCredentials> creds;
   if (options.credential_source.object().find("environment_id") !=
       options.credential_source.object().end()) {
@@ -430,8 +464,13 @@ void ExternalAccountCredentials::ImpersenateServiceAccount() {
   headers[1].key = gpr_strdup("Authorization");
   headers[1].value = gpr_strdup(str.c_str());
   request.hdrs = headers;
+  std::vector<std::string> body_members;
   std::string scope = absl::StrJoin(scopes_, " ");
-  std::string body = absl::StrFormat("scope=%s", scope);
+  body_members.push_back(absl::StrFormat("scope=%s", UrlEncode(scope).c_str()));
+  body_members.push_back(absl::StrFormat(
+      "lifetime=%ds",
+      options_.service_account_impersonation.token_lifetime_seconds));
+  std::string body = absl::StrJoin(body_members, "&");
   request.body = const_cast<char*>(body.c_str());
   request.body_length = body.size();
   grpc_http_response_destroy(&ctx_->response);

data/src/core/lib/security/credentials/external/external_account_credentials.h

@@ -19,6 +19,8 @@
 
 #include <grpc/support/port_platform.h>
 
+#include <stdint.h>
+
 #include <functional>
 #include <string>
 #include <vector>
@@ -45,12 +47,16 @@ namespace grpc_core {
 class ExternalAccountCredentials
     : public grpc_oauth2_token_fetcher_credentials {
  public:
+  struct ServiceAccountImpersonation {
+    int32_t token_lifetime_seconds;
+  };
   // External account credentials json interface.
   struct Options {
     std::string type;
     std::string audience;
     std::string subject_token_type;
     std::string service_account_impersonation_url;
+    ServiceAccountImpersonation service_account_impersonation;
     std::string token_url;
     std::string token_info_url;
     Json credential_source;