grpc/cpp/grpcpp_2security_2credentials_8h_source.html

/*

 *

 * Copyright 2015 gRPC authors.

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 *

 */


#ifndef GRPCPP_SECURITY_CREDENTIALS_H

#define GRPCPP_SECURITY_CREDENTIALS_H


#include <map>

#include <memory>

#include <vector>


#include <grpc/grpc_security_constants.h>

#include <grpcpp/channel.h>

#include <grpcpp/impl/codegen/client_interceptor.h>

#include <grpcpp/impl/codegen/grpc_library.h>

#include <grpcpp/security/auth_context.h>

#include <grpcpp/security/tls_credentials_options.h>

#include <grpcpp/support/channel_arguments.h>

#include <grpcpp/support/status.h>

#include <grpcpp/support/string_ref.h>


struct grpc_call;


namespace grpc {

class CallCredentials;

class SecureCallCredentials;

class SecureChannelCredentials;

class ChannelCredentials;


std::shared_ptr<Channel> CreateCustomChannel(

    const grpc::string& target,

    const std::shared_ptr<grpc::ChannelCredentials>& creds,

    const grpc::ChannelArguments& args);


namespace experimental {

std::shared_ptr<grpc::Channel> CreateCustomChannelWithInterceptors(

    const grpc::string& target,

    const std::shared_ptr<grpc::ChannelCredentials>& creds,

    const grpc::ChannelArguments& args,

    std::vector<

        std::unique_ptr<grpc::experimental::ClientInterceptorFactoryInterface>>

        interceptor_creators);


GRPC_DEPRECATED(

    "Use grpc::XdsCredentials instead. The experimental version will be "

    "deleted after the 1.41 release.")

std::shared_ptr<ChannelCredentials> XdsCredentials(

    const std::shared_ptr<ChannelCredentials>& fallback_creds);

}  // namespace experimental


std::shared_ptr<ChannelCredentials> XdsCredentials(

    const std::shared_ptr<ChannelCredentials>& fallback_creds);


class ChannelCredentials : private grpc::GrpcLibraryCodegen {

 public:

  ChannelCredentials();

  ~ChannelCredentials() override;


 protected:

  friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(

      const std::shared_ptr<ChannelCredentials>& channel_creds,

      const std::shared_ptr<CallCredentials>& call_creds);


  // TODO(yashykt): We need this friend declaration mainly for access to

  // AsSecureCredentials(). Once we are able to remove insecure builds from gRPC

  // (and also internal dependencies on the indirect method of creating a

  // channel through credentials), we would be able to remove this.

  friend std::shared_ptr<ChannelCredentials> grpc::XdsCredentials(

      const std::shared_ptr<ChannelCredentials>& fallback_creds);


  virtual SecureChannelCredentials* AsSecureCredentials() = 0;


 private:

  friend std::shared_ptr<grpc::Channel> CreateCustomChannel(

      const grpc::string& target,

      const std::shared_ptr<grpc::ChannelCredentials>& creds,

      const grpc::ChannelArguments& args);


  friend std::shared_ptr<grpc::Channel>

  grpc::experimental::CreateCustomChannelWithInterceptors(

      const grpc::string& target,

      const std::shared_ptr<grpc::ChannelCredentials>& creds,

      const grpc::ChannelArguments& args,

      std::vector<std::unique_ptr<

          grpc::experimental::ClientInterceptorFactoryInterface>>

          interceptor_creators);


  virtual std::shared_ptr<Channel> CreateChannelImpl(

      const grpc::string& target, const ChannelArguments& args) = 0;


  // This function should have been a pure virtual function, but it is

  // implemented as a virtual function so that it does not break API.

  virtual std::shared_ptr<Channel> CreateChannelWithInterceptors(

      const grpc::string& /*target*/, const ChannelArguments& /*args*/,

      std::vector<std::unique_ptr<

          grpc::experimental::ClientInterceptorFactoryInterface>>

      /*interceptor_creators*/) {

    return nullptr;

  }


  // TODO(yashkt): This is a hack that is needed since InsecureCredentials can

  // not use grpc_channel_credentials internally and should be removed after

  // insecure builds are removed from gRPC.

  virtual bool IsInsecure() const { return false; }

};


class CallCredentials : private grpc::GrpcLibraryCodegen {

 public:

  CallCredentials();

  ~CallCredentials() override;


  virtual bool ApplyToCall(grpc_call* call) = 0;

  virtual grpc::string DebugString() {

    return "CallCredentials did not provide a debug string";

  }


 protected:

  friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(

      const std::shared_ptr<ChannelCredentials>& channel_creds,

      const std::shared_ptr<CallCredentials>& call_creds);


  friend std::shared_ptr<CallCredentials> CompositeCallCredentials(

      const std::shared_ptr<CallCredentials>& creds1,

      const std::shared_ptr<CallCredentials>& creds2);


  virtual SecureCallCredentials* AsSecureCredentials() = 0;

};


struct SslCredentialsOptions {

  grpc::string pem_root_certs;


  grpc::string pem_private_key;


  grpc::string pem_cert_chain;

};


// Factories for building different types of Credentials The functions may

// return empty shared_ptr when credentials cannot be created. If a

// Credentials pointer is returned, it can still be invalid when used to create

// a channel. A lame channel will be created then and all rpcs will fail on it.


std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials();


std::shared_ptr<ChannelCredentials> SslCredentials(

    const SslCredentialsOptions& options);


std::shared_ptr<CallCredentials> GoogleComputeEngineCredentials();


constexpr long kMaxAuthTokenLifetimeSecs = 3600;


std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials(

    const grpc::string& json_key,

    long token_lifetime_seconds = kMaxAuthTokenLifetimeSecs);


std::shared_ptr<CallCredentials> GoogleRefreshTokenCredentials(

    const grpc::string& json_refresh_token);


std::shared_ptr<CallCredentials> AccessTokenCredentials(

    const grpc::string& access_token);


std::shared_ptr<CallCredentials> GoogleIAMCredentials(

    const grpc::string& authorization_token,

    const grpc::string& authority_selector);


std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(

    const std::shared_ptr<ChannelCredentials>& channel_creds,

    const std::shared_ptr<CallCredentials>& call_creds);


std::shared_ptr<CallCredentials> CompositeCallCredentials(

    const std::shared_ptr<CallCredentials>& creds1,

    const std::shared_ptr<CallCredentials>& creds2);


std::shared_ptr<ChannelCredentials> InsecureChannelCredentials();


class MetadataCredentialsPlugin {

 public:

  virtual ~MetadataCredentialsPlugin() {}


  virtual bool IsBlocking() const { return true; }


  virtual const char* GetType() const { return ""; }


  virtual grpc::Status GetMetadata(

      grpc::string_ref service_url, grpc::string_ref method_name,

      const grpc::AuthContext& channel_auth_context,

      std::multimap<grpc::string, grpc::string>* metadata) = 0;


  virtual grpc::string DebugString() {

    return "MetadataCredentialsPlugin did not provide a debug string";

  }

};


std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(

    std::unique_ptr<MetadataCredentialsPlugin> plugin);


std::shared_ptr<CallCredentials> ExternalAccountCredentials(

    const grpc::string& json_string, const std::vector<grpc::string>& scopes);


namespace experimental {


struct StsCredentialsOptions {

  grpc::string token_exchange_service_uri;  // Required.

  grpc::string resource;                    // Optional.

  grpc::string audience;                    // Optional.

  grpc::string scope;                       // Optional.

  grpc::string requested_token_type;        // Optional.

  grpc::string subject_token_path;          // Required.

  grpc::string subject_token_type;          // Required.

  grpc::string actor_token_path;            // Optional.

  grpc::string actor_token_type;            // Optional.

};


grpc::Status StsCredentialsOptionsFromJson(const std::string& json_string,

                                           StsCredentialsOptions* options);


grpc::Status StsCredentialsOptionsFromEnv(StsCredentialsOptions* options);


std::shared_ptr<CallCredentials> StsCredentials(

    const StsCredentialsOptions& options);


std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(

    std::unique_ptr<MetadataCredentialsPlugin> plugin,

    grpc_security_level min_security_level);


struct AltsCredentialsOptions {

  std::vector<grpc::string> target_service_accounts;

};


std::shared_ptr<ChannelCredentials> AltsCredentials(

    const AltsCredentialsOptions& options);


std::shared_ptr<ChannelCredentials> LocalCredentials(

    grpc_local_connect_type type);


std::shared_ptr<ChannelCredentials> TlsCredentials(

    const TlsChannelCredentialsOptions& options);


}  // namespace experimental

}  // namespace grpc


#endif  // GRPCPP_SECURITY_CREDENTIALS_H