GRPC C++  1.46.2
credentials.h
Go to the documentation of this file.
1 /*
2  *
3  * Copyright 2015 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef GRPCPP_SECURITY_CREDENTIALS_H
20 #define GRPCPP_SECURITY_CREDENTIALS_H
21 
22 #include <map>
23 #include <memory>
24 #include <vector>
25 
27 #include <grpcpp/channel.h>
33 #include <grpcpp/support/status.h>
35 
36 struct grpc_call;
37 
38 namespace grpc {
39 class CallCredentials;
40 class SecureCallCredentials;
41 class SecureChannelCredentials;
42 class ChannelCredentials;
43 
44 std::shared_ptr<Channel> CreateCustomChannel(
45  const grpc::string& target,
46  const std::shared_ptr<grpc::ChannelCredentials>& creds,
47  const grpc::ChannelArguments& args);
48 
49 namespace experimental {
50 std::shared_ptr<grpc::Channel> CreateCustomChannelWithInterceptors(
51  const grpc::string& target,
52  const std::shared_ptr<grpc::ChannelCredentials>& creds,
53  const grpc::ChannelArguments& args,
54  std::vector<
55  std::unique_ptr<grpc::experimental::ClientInterceptorFactoryInterface>>
56  interceptor_creators);
57 
59  "Use grpc::XdsCredentials instead. The experimental version will be "
60  "deleted after the 1.41 release.")
61 std::shared_ptr<ChannelCredentials> XdsCredentials(
62  const std::shared_ptr<ChannelCredentials>& fallback_creds);
63 } // namespace experimental
64 
66 std::shared_ptr<ChannelCredentials> XdsCredentials(
67  const std::shared_ptr<ChannelCredentials>& fallback_creds);
68 
76  public:
78  ~ChannelCredentials() override;
79 
80  protected:
81  friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
82  const std::shared_ptr<ChannelCredentials>& channel_creds,
83  const std::shared_ptr<CallCredentials>& call_creds);
84 
85  // TODO(yashykt): We need this friend declaration mainly for access to
86  // AsSecureCredentials(). Once we are able to remove insecure builds from gRPC
87  // (and also internal dependencies on the indirect method of creating a
88  // channel through credentials), we would be able to remove this.
89  friend std::shared_ptr<ChannelCredentials> grpc::XdsCredentials(
90  const std::shared_ptr<ChannelCredentials>& fallback_creds);
91 
92  virtual SecureChannelCredentials* AsSecureCredentials() = 0;
93 
94  private:
95  friend std::shared_ptr<grpc::Channel> CreateCustomChannel(
96  const grpc::string& target,
97  const std::shared_ptr<grpc::ChannelCredentials>& creds,
98  const grpc::ChannelArguments& args);
99 
100  friend std::shared_ptr<grpc::Channel>
102  const grpc::string& target,
103  const std::shared_ptr<grpc::ChannelCredentials>& creds,
104  const grpc::ChannelArguments& args,
105  std::vector<std::unique_ptr<
107  interceptor_creators);
108 
109  virtual std::shared_ptr<Channel> CreateChannelImpl(
110  const grpc::string& target, const ChannelArguments& args) = 0;
111 
112  // This function should have been a pure virtual function, but it is
113  // implemented as a virtual function so that it does not break API.
114  virtual std::shared_ptr<Channel> CreateChannelWithInterceptors(
115  const grpc::string& /*target*/, const ChannelArguments& /*args*/,
116  std::vector<std::unique_ptr<
118  /*interceptor_creators*/) {
119  return nullptr;
120  }
121 
122  // TODO(yashkt): This is a hack that is needed since InsecureCredentials can
123  // not use grpc_channel_credentials internally and should be removed after
124  // insecure builds are removed from gRPC.
125  virtual bool IsInsecure() const { return false; }
126 };
127 
133  public:
134  CallCredentials();
135  ~CallCredentials() override;
136 
138  virtual bool ApplyToCall(grpc_call* call) = 0;
139  virtual grpc::string DebugString() {
140  return "CallCredentials did not provide a debug string";
141  }
142 
143  protected:
144  friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
145  const std::shared_ptr<ChannelCredentials>& channel_creds,
146  const std::shared_ptr<CallCredentials>& call_creds);
147 
148  friend std::shared_ptr<CallCredentials> CompositeCallCredentials(
149  const std::shared_ptr<CallCredentials>& creds1,
150  const std::shared_ptr<CallCredentials>& creds2);
151 
152  virtual SecureCallCredentials* AsSecureCredentials() = 0;
153 };
154 
162  grpc::string pem_root_certs;
163 
166  grpc::string pem_private_key;
167 
171  grpc::string pem_cert_chain;
172 };
173 
174 // Factories for building different types of Credentials The functions may
175 // return empty shared_ptr when credentials cannot be created. If a
176 // Credentials pointer is returned, it can still be invalid when used to create
177 // a channel. A lame channel will be created then and all rpcs will fail on it.
178 
185 std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials();
186 
188 std::shared_ptr<ChannelCredentials> SslCredentials(
189  const SslCredentialsOptions& options);
190 
197 std::shared_ptr<CallCredentials> GoogleComputeEngineCredentials();
198 
199 constexpr long kMaxAuthTokenLifetimeSecs = 3600;
200 
206 std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials(
207  const grpc::string& json_key,
208  long token_lifetime_seconds = kMaxAuthTokenLifetimeSecs);
209 
218 std::shared_ptr<CallCredentials> GoogleRefreshTokenCredentials(
219  const grpc::string& json_refresh_token);
220 
229 std::shared_ptr<CallCredentials> AccessTokenCredentials(
230  const grpc::string& access_token);
231 
238 std::shared_ptr<CallCredentials> GoogleIAMCredentials(
239  const grpc::string& authorization_token,
240  const grpc::string& authority_selector);
241 
244 std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
245  const std::shared_ptr<ChannelCredentials>& channel_creds,
246  const std::shared_ptr<CallCredentials>& call_creds);
247 
249 std::shared_ptr<CallCredentials> CompositeCallCredentials(
250  const std::shared_ptr<CallCredentials>& creds1,
251  const std::shared_ptr<CallCredentials>& creds2);
252 
254 std::shared_ptr<ChannelCredentials> InsecureChannelCredentials();
255 
258  public:
260 
263  virtual bool IsBlocking() const { return true; }
264 
266  virtual const char* GetType() const { return ""; }
267 
273  virtual grpc::Status GetMetadata(
274  grpc::string_ref service_url, grpc::string_ref method_name,
275  const grpc::AuthContext& channel_auth_context,
276  std::multimap<grpc::string, grpc::string>* metadata) = 0;
277 
278  virtual grpc::string DebugString() {
279  return "MetadataCredentialsPlugin did not provide a debug string";
280  }
281 };
282 
283 std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
284  std::unique_ptr<MetadataCredentialsPlugin> plugin);
285 
289 std::shared_ptr<CallCredentials> ExternalAccountCredentials(
290  const grpc::string& json_string, const std::vector<grpc::string>& scopes);
291 
292 namespace experimental {
293 
300  grpc::string token_exchange_service_uri; // Required.
301  grpc::string resource; // Optional.
302  grpc::string audience; // Optional.
303  grpc::string scope; // Optional.
304  grpc::string requested_token_type; // Optional.
305  grpc::string subject_token_path; // Required.
306  grpc::string subject_token_type; // Required.
307  grpc::string actor_token_path; // Optional.
308  grpc::string actor_token_type; // Optional.
309 };
310 
311 grpc::Status StsCredentialsOptionsFromJson(const std::string& json_string,
312  StsCredentialsOptions* options);
313 
318 
319 std::shared_ptr<CallCredentials> StsCredentials(
320  const StsCredentialsOptions& options);
321 
322 std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
323  std::unique_ptr<MetadataCredentialsPlugin> plugin,
324  grpc_security_level min_security_level);
325 
331  std::vector<grpc::string> target_service_accounts;
332 };
333 
335 std::shared_ptr<ChannelCredentials> AltsCredentials(
336  const AltsCredentialsOptions& options);
337 
339 std::shared_ptr<ChannelCredentials> LocalCredentials(
341 
343 std::shared_ptr<ChannelCredentials> TlsCredentials(
344  const TlsChannelCredentialsOptions& options);
345 
346 } // namespace experimental
347 } // namespace grpc
348 
349 #endif // GRPCPP_SECURITY_CREDENTIALS_H
grpc::experimental::StsCredentials
std::shared_ptr< CallCredentials > StsCredentials(const StsCredentialsOptions &options)
grpc::GrpcLibraryCodegen
Classes that require gRPC to be initialized should inherit from this class.
Definition: grpc_library.h:40
grpc::experimental::TlsCredentials
std::shared_ptr< ChannelCredentials > TlsCredentials(const TlsChannelCredentialsOptions &options)
Builds TLS Credentials given TLS options.
grpc::XdsCredentials
std::shared_ptr< ChannelCredentials > XdsCredentials(const std::shared_ptr< ChannelCredentials > &fallback_creds)
Builds XDS Credentials.
grpc::string_ref
This class is a non owning reference to a string.
Definition: string_ref.h:43
grpc::experimental::StsCredentialsOptionsFromJson
grpc::Status StsCredentialsOptionsFromJson(const std::string &json_string, StsCredentialsOptions *options)
tls_credentials_options.h
grpc::SslCredentialsOptions::pem_cert_chain
grpc::string pem_cert_chain
The buffer containing the PEM encoding of the client's certificate chain.
Definition: credentials.h:171
grpc::experimental::StsCredentialsOptions
Options for creating STS Oauth Token Exchange credentials following the IETF draft https://tools....
Definition: credentials.h:299
grpc::SslCredentialsOptions::pem_private_key
grpc::string pem_private_key
The buffer containing the PEM encoding of the client's private key.
Definition: credentials.h:166
grpc
An Alarm posts the user-provided tag to its associated completion queue or invokes the user-provided ...
Definition: alarm.h:33
grpc::GoogleDefaultCredentials
std::shared_ptr< ChannelCredentials > GoogleDefaultCredentials()
Builds credentials with reasonable defaults.
grpc::SslCredentialsOptions::pem_root_certs
grpc::string pem_root_certs
The buffer containing the PEM encoding of the server root certificates.
Definition: credentials.h:162
grpc::experimental::AltsCredentials
std::shared_ptr< ChannelCredentials > AltsCredentials(const AltsCredentialsOptions &options)
Builds ALTS Credentials given ALTS specific options.
grpc::MetadataCredentialsPlugin
User defined metadata credentials.
Definition: credentials.h:257
grpc::MetadataCredentialsPlugin::GetType
virtual const char * GetType() const
Type of credentials this plugin is implementing.
Definition: credentials.h:266
grpc::MetadataCredentialsPlugin::IsBlocking
virtual bool IsBlocking() const
If this method returns true, the Process function will be scheduled in a different thread from the on...
Definition: credentials.h:263
grpc::MetadataCredentialsPlugin::~MetadataCredentialsPlugin
virtual ~MetadataCredentialsPlugin()
Definition: credentials.h:259
grpc::experimental::StsCredentialsOptionsFromEnv
grpc::Status StsCredentialsOptionsFromEnv(StsCredentialsOptions *options)
Creates STS credentials options from the $STS_CREDENTIALS environment variable.
grpc::SslCredentialsOptions
Options used to build SslCredentials.
Definition: credentials.h:156
grpc::SslCredentials
std::shared_ptr< ChannelCredentials > SslCredentials(const SslCredentialsOptions &options)
Builds SSL Credentials given SSL specific options.
grpc::experimental::MetadataCredentialsFromPlugin
std::shared_ptr< CallCredentials > MetadataCredentialsFromPlugin(std::unique_ptr< MetadataCredentialsPlugin > plugin, grpc_security_level min_security_level)
status.h
grpc::experimental::StsCredentialsOptions::scope
grpc::string scope
Definition: credentials.h:303
grpc::CallCredentials::DebugString
virtual grpc::string DebugString()
Definition: credentials.h:139
grpc::experimental::StsCredentialsOptions::subject_token_path
grpc::string subject_token_path
Definition: credentials.h:305
grpc::ChannelArguments
Options for channel creation.
Definition: channel_arguments.h:39
grpc::experimental::StsCredentialsOptions::token_exchange_service_uri
grpc::string token_exchange_service_uri
Definition: credentials.h:300
grpc::ServiceAccountJWTAccessCredentials
std::shared_ptr< CallCredentials > ServiceAccountJWTAccessCredentials(const grpc::string &json_key, long token_lifetime_seconds=kMaxAuthTokenLifetimeSecs)
Builds Service Account JWT Access credentials.
GRPC_DEPRECATED
#define GRPC_DEPRECATED(reason)
Definition: port_platform.h:36
grpc::Status
Did it work? If it didn't, why?
Definition: status.h:33
grpc::experimental::AltsCredentialsOptions
Options used to build AltsCredentials.
Definition: credentials.h:327
grpc::CallCredentials
A call credentials object encapsulates the state needed by a client to authenticate with a server for...
Definition: credentials.h:132
grpc::experimental::StsCredentialsOptions::subject_token_type
grpc::string subject_token_type
Definition: credentials.h:306
channel_arguments.h
grpc::experimental::TlsChannelCredentialsOptions
Definition: tls_credentials_options.h:125
grpc::experimental::StsCredentialsOptions::audience
grpc::string audience
Definition: credentials.h:302
grpc_call
struct grpc_call grpc_call
A Call represents an RPC.
Definition: grpc_types.h:69
grpc::experimental::StsCredentialsOptions::resource
grpc::string resource
Definition: credentials.h:301
grpc::AuthContext
Class encapsulating the Authentication Information.
Definition: auth_context.h:67
grpc::experimental::LocalCredentials
std::shared_ptr< ChannelCredentials > LocalCredentials(grpc_local_connect_type type)
Builds Local Credentials.
channel.h
grpc::ExternalAccountCredentials
std::shared_ptr< CallCredentials > ExternalAccountCredentials(const grpc::string &json_string, const std::vector< grpc::string > &scopes)
Builds External Account credentials.
client_interceptor.h
grpc::GoogleComputeEngineCredentials
std::shared_ptr< CallCredentials > GoogleComputeEngineCredentials()
Builds credentials for use when running in GCE.
grpc::experimental::StsCredentialsOptions::actor_token_type
grpc::string actor_token_type
Definition: credentials.h:308
grpc_library.h
grpc::experimental::AltsCredentialsOptions::target_service_accounts
std::vector< grpc::string > target_service_accounts
service accounts of target endpoint that will be acceptable by the client.
Definition: credentials.h:331
grpc_security_level
grpc_security_level
Definition: grpc_security_constants.h:131
grpc::InsecureChannelCredentials
std::shared_ptr< ChannelCredentials > InsecureChannelCredentials()
Credentials for an unencrypted, unauthenticated channel.
grpc::GoogleRefreshTokenCredentials
std::shared_ptr< CallCredentials > GoogleRefreshTokenCredentials(const grpc::string &json_refresh_token)
Builds refresh token credentials.
grpc::experimental::StsCredentialsOptions::requested_token_type
grpc::string requested_token_type
Definition: credentials.h:304
grpc::experimental::ClientInterceptorFactoryInterface
Definition: client_interceptor.h:48
grpc::experimental::CreateCustomChannelWithInterceptors
std::shared_ptr< Channel > CreateCustomChannelWithInterceptors(const grpc::string &target, const std::shared_ptr< ChannelCredentials > &creds, const ChannelArguments &args, std::vector< std::unique_ptr< experimental::ClientInterceptorFactoryInterface >> interceptor_creators)
Create a new custom Channel pointing to target with interceptors being invoked per call.
grpc::ChannelCredentials
A channel credentials object encapsulates all the state needed by a client to authenticate with a ser...
Definition: credentials.h:75
std
Definition: async_unary_call.h:407
grpc::CreateCustomChannel
std::shared_ptr< Channel > CreateCustomChannel(const grpc::string &target, const std::shared_ptr< ChannelCredentials > &creds, const ChannelArguments &args)
Create a new custom Channel pointing to target.
grpc_security_constants.h
grpc::CompositeChannelCredentials
std::shared_ptr< ChannelCredentials > CompositeChannelCredentials(const std::shared_ptr< ChannelCredentials > &channel_creds, const std::shared_ptr< CallCredentials > &call_creds)
Combines a channel credentials and a call credentials into a composite channel credentials.
grpc::CompositeCallCredentials
std::shared_ptr< CallCredentials > CompositeCallCredentials(const std::shared_ptr< CallCredentials > &creds1, const std::shared_ptr< CallCredentials > &creds2)
Combines two call credentials objects into a composite call credentials.
grpc::kMaxAuthTokenLifetimeSecs
constexpr long kMaxAuthTokenLifetimeSecs
Definition: credentials.h:199
grpc::AccessTokenCredentials
std::shared_ptr< CallCredentials > AccessTokenCredentials(const grpc::string &access_token)
Builds access token credentials.
grpc::experimental::StsCredentialsOptions::actor_token_path
grpc::string actor_token_path
Definition: credentials.h:307
auth_context.h
grpc_local_connect_type
grpc_local_connect_type
Type of local connections for which local channel/server credentials will be applied.
Definition: grpc_security_constants.h:143
grpc::MetadataCredentialsPlugin::DebugString
virtual grpc::string DebugString()
Definition: credentials.h:278
string_ref.h
grpc::GoogleIAMCredentials
std::shared_ptr< CallCredentials > GoogleIAMCredentials(const grpc::string &authorization_token, const grpc::string &authority_selector)
Builds IAM credentials.