GRPC C++  1.62.0
credentials.h
Go to the documentation of this file.
1 //
2 //
3 // Copyright 2015 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18 
19 #ifndef GRPCPP_SECURITY_CREDENTIALS_H
20 #define GRPCPP_SECURITY_CREDENTIALS_H
21 
22 #include <map>
23 #include <memory>
24 #include <vector>
25 
26 #include <grpc/grpc_security_constants.h>
27 #include <grpcpp/channel.h>
28 #include <grpcpp/impl/grpc_library.h>
29 #include <grpcpp/security/auth_context.h>
30 #include <grpcpp/security/tls_credentials_options.h>
31 #include <grpcpp/support/channel_arguments.h>
32 #include <grpcpp/support/client_interceptor.h>
33 #include <grpcpp/support/status.h>
34 #include <grpcpp/support/string_ref.h>
35 
36 struct grpc_call;
37 
38 namespace grpc {
39 class CallCredentials;
40 class SecureCallCredentials;
41 class SecureChannelCredentials;
42 class ChannelCredentials;
43 
44 std::shared_ptr<Channel> CreateCustomChannel(
45  const grpc::string& target,
46  const std::shared_ptr<grpc::ChannelCredentials>& creds,
47  const grpc::ChannelArguments& args);
48 
49 namespace experimental {
50 std::shared_ptr<grpc::Channel> CreateCustomChannelWithInterceptors(
51  const grpc::string& target,
52  const std::shared_ptr<grpc::ChannelCredentials>& creds,
53  const grpc::ChannelArguments& args,
54  std::vector<
55  std::unique_ptr<grpc::experimental::ClientInterceptorFactoryInterface>>
56  interceptor_creators);
57 } // namespace experimental
58 
60 std::shared_ptr<ChannelCredentials> XdsCredentials(
61  const std::shared_ptr<ChannelCredentials>& fallback_creds);
62 
69 class ChannelCredentials : private grpc::internal::GrpcLibrary {
70  public:
71  protected:
72  friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
73  const std::shared_ptr<ChannelCredentials>& channel_creds,
74  const std::shared_ptr<CallCredentials>& call_creds);
75 
76  // TODO(yashykt): We need this friend declaration mainly for access to
77  // AsSecureCredentials(). Once we are able to remove insecure builds from gRPC
78  // (and also internal dependencies on the indirect method of creating a
79  // channel through credentials), we would be able to remove this.
80  friend std::shared_ptr<ChannelCredentials> grpc::XdsCredentials(
81  const std::shared_ptr<ChannelCredentials>& fallback_creds);
82 
83  virtual SecureChannelCredentials* AsSecureCredentials() = 0;
84 
85  private:
86  friend std::shared_ptr<grpc::Channel> CreateCustomChannel(
87  const grpc::string& target,
88  const std::shared_ptr<grpc::ChannelCredentials>& creds,
89  const grpc::ChannelArguments& args);
90 
91  friend std::shared_ptr<grpc::Channel>
92  grpc::experimental::CreateCustomChannelWithInterceptors(
93  const grpc::string& target,
94  const std::shared_ptr<grpc::ChannelCredentials>& creds,
95  const grpc::ChannelArguments& args,
96  std::vector<std::unique_ptr<
97  grpc::experimental::ClientInterceptorFactoryInterface>>
98  interceptor_creators);
99 
100  virtual std::shared_ptr<Channel> CreateChannelImpl(
101  const grpc::string& target, const ChannelArguments& args) = 0;
102 
103  // This function should have been a pure virtual function, but it is
104  // implemented as a virtual function so that it does not break API.
105  virtual std::shared_ptr<Channel> CreateChannelWithInterceptors(
106  const grpc::string& /*target*/, const ChannelArguments& /*args*/,
107  std::vector<std::unique_ptr<
108  grpc::experimental::ClientInterceptorFactoryInterface>>
109  /*interceptor_creators*/) {
110  return nullptr;
111  }
112 
113  // TODO(yashkt): This is a hack that is needed since InsecureCredentials can
114  // not use grpc_channel_credentials internally and should be removed after
115  // insecure builds are removed from gRPC.
116  virtual bool IsInsecure() const { return false; }
117 };
118 
123 class CallCredentials : private grpc::internal::GrpcLibrary {
124  public:
126  virtual bool ApplyToCall(grpc_call* call) = 0;
127  virtual grpc::string DebugString() {
128  return "CallCredentials did not provide a debug string";
129  }
130 
131  protected:
132  friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
133  const std::shared_ptr<ChannelCredentials>& channel_creds,
134  const std::shared_ptr<CallCredentials>& call_creds);
135 
136  friend std::shared_ptr<CallCredentials> CompositeCallCredentials(
137  const std::shared_ptr<CallCredentials>& creds1,
138  const std::shared_ptr<CallCredentials>& creds2);
139 
140  virtual SecureCallCredentials* AsSecureCredentials() = 0;
141 };
142 
144 struct SslCredentialsOptions {
150  grpc::string pem_root_certs;
151 
154  grpc::string pem_private_key;
155 
159  grpc::string pem_cert_chain;
160 };
161 
162 // Factories for building different types of Credentials The functions may
163 // return empty shared_ptr when credentials cannot be created. If a
164 // Credentials pointer is returned, it can still be invalid when used to create
165 // a channel. A lame channel will be created then and all rpcs will fail on it.
166 
173 std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials();
174 
176 std::shared_ptr<ChannelCredentials> SslCredentials(
177  const SslCredentialsOptions& options);
178 
185 std::shared_ptr<CallCredentials> GoogleComputeEngineCredentials();
186 
187 constexpr long kMaxAuthTokenLifetimeSecs = 3600;
188 
194 std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials(
195  const grpc::string& json_key,
196  long token_lifetime_seconds = kMaxAuthTokenLifetimeSecs);
197 
206 std::shared_ptr<CallCredentials> GoogleRefreshTokenCredentials(
207  const grpc::string& json_refresh_token);
208 
217 std::shared_ptr<CallCredentials> AccessTokenCredentials(
218  const grpc::string& access_token);
219 
226 std::shared_ptr<CallCredentials> GoogleIAMCredentials(
227  const grpc::string& authorization_token,
228  const grpc::string& authority_selector);
229 
232 std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
233  const std::shared_ptr<ChannelCredentials>& channel_creds,
234  const std::shared_ptr<CallCredentials>& call_creds);
235 
237 std::shared_ptr<CallCredentials> CompositeCallCredentials(
238  const std::shared_ptr<CallCredentials>& creds1,
239  const std::shared_ptr<CallCredentials>& creds2);
240 
242 std::shared_ptr<ChannelCredentials> InsecureChannelCredentials();
243 
245 class MetadataCredentialsPlugin {
246  public:
247  virtual ~MetadataCredentialsPlugin() {}
248 
251  virtual bool IsBlocking() const { return true; }
252 
254  virtual const char* GetType() const { return ""; }
255 
261  virtual grpc::Status GetMetadata(
262  grpc::string_ref service_url, grpc::string_ref method_name,
263  const grpc::AuthContext& channel_auth_context,
264  std::multimap<grpc::string, grpc::string>* metadata) = 0;
265 
266  virtual grpc::string DebugString() {
267  return "MetadataCredentialsPlugin did not provide a debug string";
268  }
269 };
270 
271 std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
272  std::unique_ptr<MetadataCredentialsPlugin> plugin);
273 
277 std::shared_ptr<CallCredentials> ExternalAccountCredentials(
278  const grpc::string& json_string, const std::vector<grpc::string>& scopes);
279 
280 namespace experimental {
281 
287 struct StsCredentialsOptions {
288  grpc::string token_exchange_service_uri; // Required.
289  grpc::string resource; // Optional.
290  grpc::string audience; // Optional.
291  grpc::string scope; // Optional.
292  grpc::string requested_token_type; // Optional.
293  grpc::string subject_token_path; // Required.
294  grpc::string subject_token_type; // Required.
295  grpc::string actor_token_path; // Optional.
296  grpc::string actor_token_type; // Optional.
297 };
298 
299 grpc::Status StsCredentialsOptionsFromJson(const std::string& json_string,
300  StsCredentialsOptions* options);
301 
305 grpc::Status StsCredentialsOptionsFromEnv(StsCredentialsOptions* options);
306 
307 std::shared_ptr<CallCredentials> StsCredentials(
308  const StsCredentialsOptions& options);
309 
310 std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
311  std::unique_ptr<MetadataCredentialsPlugin> plugin,
312  grpc_security_level min_security_level);
313 
315 struct AltsCredentialsOptions {
319  std::vector<grpc::string> target_service_accounts;
320 };
321 
323 std::shared_ptr<ChannelCredentials> AltsCredentials(
324  const AltsCredentialsOptions& options);
325 
327 std::shared_ptr<ChannelCredentials> LocalCredentials(
328  grpc_local_connect_type type);
329 
331 std::shared_ptr<ChannelCredentials> TlsCredentials(
332  const TlsChannelCredentialsOptions& options);
333 
334 } // namespace experimental
335 } // namespace grpc
336 
337 #endif // GRPCPP_SECURITY_CREDENTIALS_H
grpc::experimental::StsCredentials
std::shared_ptr< CallCredentials > StsCredentials(const StsCredentialsOptions &options)
grpc::experimental::TlsCredentials
std::shared_ptr< ChannelCredentials > TlsCredentials(const TlsChannelCredentialsOptions &options)
Builds TLS Credentials given TLS options.
grpc::XdsCredentials
std::shared_ptr< ChannelCredentials > XdsCredentials(const std::shared_ptr< ChannelCredentials > &fallback_creds)
Builds XDS Credentials.
grpc::string_ref
This class is a non owning reference to a string.
Definition: string_ref.h:41
grpc::experimental::StsCredentialsOptionsFromJson
grpc::Status StsCredentialsOptionsFromJson(const std::string &json_string, StsCredentialsOptions *options)
tls_credentials_options.h
grpc::SslCredentialsOptions::pem_cert_chain
grpc::string pem_cert_chain
The buffer containing the PEM encoding of the client's certificate chain.
Definition: credentials.h:159
grpc::experimental::StsCredentialsOptions
Options for creating STS Oauth Token Exchange credentials following the IETF draft https://tools....
Definition: credentials.h:287
grpc::SslCredentialsOptions::pem_private_key
grpc::string pem_private_key
The buffer containing the PEM encoding of the client's private key.
Definition: credentials.h:154
grpc
An Alarm posts the user-provided tag to its associated completion queue or invokes the user-provided ...
Definition: alarm.h:33
grpc::ChannelCredentials::CompositeChannelCredentials
friend std::shared_ptr< ChannelCredentials > CompositeChannelCredentials(const std::shared_ptr< ChannelCredentials > &channel_creds, const std::shared_ptr< CallCredentials > &call_creds)
Combines a channel credentials and a call credentials into a composite channel credentials.
grpc::GoogleDefaultCredentials
std::shared_ptr< ChannelCredentials > GoogleDefaultCredentials()
Builds credentials with reasonable defaults.
grpc::SslCredentialsOptions::pem_root_certs
grpc::string pem_root_certs
The buffer containing the PEM encoding of the server root certificates.
Definition: credentials.h:150
grpc::ChannelCredentials::AsSecureCredentials
virtual SecureChannelCredentials * AsSecureCredentials()=0
grpc::experimental::AltsCredentials
std::shared_ptr< ChannelCredentials > AltsCredentials(const AltsCredentialsOptions &options)
Builds ALTS Credentials given ALTS specific options.
grpc::MetadataCredentialsPlugin
User defined metadata credentials.
Definition: credentials.h:245
grpc::MetadataCredentialsPlugin::GetType
virtual const char * GetType() const
Type of credentials this plugin is implementing.
Definition: credentials.h:254
grpc::MetadataCredentialsPlugin::IsBlocking
virtual bool IsBlocking() const
If this method returns true, the Process function will be scheduled in a different thread from the on...
Definition: credentials.h:251
grpc::MetadataCredentialsPlugin::~MetadataCredentialsPlugin
virtual ~MetadataCredentialsPlugin()
Definition: credentials.h:247
grpc::experimental::StsCredentialsOptionsFromEnv
grpc::Status StsCredentialsOptionsFromEnv(StsCredentialsOptions *options)
Creates STS credentials options from the $STS_CREDENTIALS environment variable.
grpc::CallCredentials::CompositeChannelCredentials
friend std::shared_ptr< ChannelCredentials > CompositeChannelCredentials(const std::shared_ptr< ChannelCredentials > &channel_creds, const std::shared_ptr< CallCredentials > &call_creds)
Combines a channel credentials and a call credentials into a composite channel credentials.
grpc::SslCredentialsOptions
Options used to build SslCredentials.
Definition: credentials.h:144
grpc::SslCredentials
std::shared_ptr< ChannelCredentials > SslCredentials(const SslCredentialsOptions &options)
Builds SSL Credentials given SSL specific options.
grpc::experimental::MetadataCredentialsFromPlugin
std::shared_ptr< CallCredentials > MetadataCredentialsFromPlugin(std::unique_ptr< MetadataCredentialsPlugin > plugin, grpc_security_level min_security_level)
status.h
grpc::experimental::StsCredentialsOptions::scope
grpc::string scope
Definition: credentials.h:291
grpc::CallCredentials::CompositeCallCredentials
friend std::shared_ptr< CallCredentials > CompositeCallCredentials(const std::shared_ptr< CallCredentials > &creds1, const std::shared_ptr< CallCredentials > &creds2)
Combines two call credentials objects into a composite call credentials.
grpc::CallCredentials::DebugString
virtual grpc::string DebugString()
Definition: credentials.h:127
grpc::experimental::StsCredentialsOptions::subject_token_path
grpc::string subject_token_path
Definition: credentials.h:293
grpc::ChannelArguments
Options for channel creation.
Definition: channel_arguments.h:39
grpc::experimental::StsCredentialsOptions::token_exchange_service_uri
grpc::string token_exchange_service_uri
Definition: credentials.h:288
grpc::ServiceAccountJWTAccessCredentials
std::shared_ptr< CallCredentials > ServiceAccountJWTAccessCredentials(const grpc::string &json_key, long token_lifetime_seconds=kMaxAuthTokenLifetimeSecs)
Builds Service Account JWT Access credentials.
grpc::Status
Did it work? If it didn't, why?
Definition: status.h:35
client_interceptor.h
grpc::experimental::AltsCredentialsOptions
Options used to build AltsCredentials.
Definition: credentials.h:315
grpc::CallCredentials
A call credentials object encapsulates the state needed by a client to authenticate with a server for...
Definition: credentials.h:123
grpc::experimental::StsCredentialsOptions::subject_token_type
grpc::string subject_token_type
Definition: credentials.h:294
grpc::CallCredentials::AsSecureCredentials
virtual SecureCallCredentials * AsSecureCredentials()=0
channel_arguments.h
grpc::experimental::TlsChannelCredentialsOptions
Definition: tls_credentials_options.h:151
grpc::MetadataCredentialsFromPlugin
std::shared_ptr< CallCredentials > MetadataCredentialsFromPlugin(std::unique_ptr< MetadataCredentialsPlugin > plugin)
grpc::experimental::StsCredentialsOptions::audience
grpc::string audience
Definition: credentials.h:290
grpc_call
struct grpc_call grpc_call
A Call represents an RPC.
Definition: grpc_types.h:70
grpc::experimental::StsCredentialsOptions::resource
grpc::string resource
Definition: credentials.h:289
grpc::AuthContext
Class encapsulating the Authentication Information.
Definition: auth_context.h:70
grpc::experimental::LocalCredentials
std::shared_ptr< ChannelCredentials > LocalCredentials(grpc_local_connect_type type)
Builds Local Credentials.
channel.h
grpc::internal::GrpcLibrary
Classes that require gRPC to be initialized should inherit from this class.
Definition: grpc_library.h:32
grpc::ExternalAccountCredentials
std::shared_ptr< CallCredentials > ExternalAccountCredentials(const grpc::string &json_string, const std::vector< grpc::string > &scopes)
Builds External Account credentials.
grpc::GoogleComputeEngineCredentials
std::shared_ptr< CallCredentials > GoogleComputeEngineCredentials()
Builds credentials for use when running in GCE.
grpc::experimental::StsCredentialsOptions::actor_token_type
grpc::string actor_token_type
Definition: credentials.h:296
grpc::experimental::AltsCredentialsOptions::target_service_accounts
std::vector< grpc::string > target_service_accounts
service accounts of target endpoint that will be acceptable by the client.
Definition: credentials.h:319
grpc_security_level
grpc_security_level
Definition: grpc_security_constants.h:131
grpc::InsecureChannelCredentials
std::shared_ptr< ChannelCredentials > InsecureChannelCredentials()
Credentials for an unencrypted, unauthenticated channel.
grpc::GoogleRefreshTokenCredentials
std::shared_ptr< CallCredentials > GoogleRefreshTokenCredentials(const grpc::string &json_refresh_token)
Builds refresh token credentials.
grpc::experimental::StsCredentialsOptions::requested_token_type
grpc::string requested_token_type
Definition: credentials.h:292
grpc_library.h
grpc::experimental::ClientInterceptorFactoryInterface
Definition: client_interceptor.h:47
grpc::experimental::CreateCustomChannelWithInterceptors
std::shared_ptr< Channel > CreateCustomChannelWithInterceptors(const grpc::string &target, const std::shared_ptr< ChannelCredentials > &creds, const ChannelArguments &args, std::vector< std::unique_ptr< experimental::ClientInterceptorFactoryInterface >> interceptor_creators)
Create a new custom Channel pointing to target with interceptors being invoked per call.
grpc::ChannelCredentials
A channel credentials object encapsulates all the state needed by a client to authenticate with a ser...
Definition: credentials.h:69
grpc::ChannelCredentials::CreateCustomChannel
friend std::shared_ptr< grpc::Channel > CreateCustomChannel(const grpc::string &target, const std::shared_ptr< grpc::ChannelCredentials > &creds, const grpc::ChannelArguments &args)
grpc::CreateCustomChannel
std::shared_ptr< Channel > CreateCustomChannel(const grpc::string &target, const std::shared_ptr< ChannelCredentials > &creds, const ChannelArguments &args)
Create a new custom Channel pointing to target.
grpc::CallCredentials::ApplyToCall
virtual bool ApplyToCall(grpc_call *call)=0
Apply this instance's credentials to call.
grpc_security_constants.h
grpc::CompositeChannelCredentials
std::shared_ptr< ChannelCredentials > CompositeChannelCredentials(const std::shared_ptr< ChannelCredentials > &channel_creds, const std::shared_ptr< CallCredentials > &call_creds)
Combines a channel credentials and a call credentials into a composite channel credentials.
grpc::CompositeCallCredentials
std::shared_ptr< CallCredentials > CompositeCallCredentials(const std::shared_ptr< CallCredentials > &creds1, const std::shared_ptr< CallCredentials > &creds2)
Combines two call credentials objects into a composite call credentials.
grpc::kMaxAuthTokenLifetimeSecs
constexpr long kMaxAuthTokenLifetimeSecs
Definition: credentials.h:187
grpc::AccessTokenCredentials
std::shared_ptr< CallCredentials > AccessTokenCredentials(const grpc::string &access_token)
Builds access token credentials.
grpc::experimental::StsCredentialsOptions::actor_token_path
grpc::string actor_token_path
Definition: credentials.h:295
auth_context.h
grpc_local_connect_type
grpc_local_connect_type
Type of local connections for which local channel/server credentials will be applied.
Definition: grpc_security_constants.h:143
grpc::MetadataCredentialsPlugin::DebugString
virtual grpc::string DebugString()
Definition: credentials.h:266
grpc::MetadataCredentialsPlugin::GetMetadata
virtual grpc::Status GetMetadata(grpc::string_ref service_url, grpc::string_ref method_name, const grpc::AuthContext &channel_auth_context, std::multimap< grpc::string, grpc::string > *metadata)=0
Gets the auth metatada produced by this plugin.
string_ref.h
grpc::GoogleIAMCredentials
std::shared_ptr< CallCredentials > GoogleIAMCredentials(const grpc::string &authorization_token, const grpc::string &authority_selector)
Builds IAM credentials.
Generated on Fri Feb 23 2024 23:02:59 for GRPC C++ by   doxygen 1.8.17