2 // Copyright 2020 gRPC authors.
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
8 // http://www.apache.org/licenses/LICENSE-2.0
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
17 #ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_EXTERNAL_ACCOUNT_CREDENTIALS_H
18 #define GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_EXTERNAL_ACCOUNT_CREDENTIALS_H
20 #include <grpc/support/port_platform.h>
25 #include "src/core/lib/json/json.h"
26 #include "src/core/lib/security/credentials/oauth2/oauth2_credentials.h"
30 // Base external account credentials. The base class implements the common logic
31 // for exchanging external account credentials for a GCP access token that
32 // authorizes requests to GCP APIs. The specific logic for retrieving the
33 // subject token is implemented in subclasses.
34 class ExternalAccountCredentials
35 : public grpc_oauth2_token_fetcher_credentials {
37 // External account credentials JSON interface.
38 struct ExternalAccountCredentialsOptions {
41 std::string subject_token_type;
42 std::string service_account_impersonation_url;
43 std::string token_url;
44 std::string token_info_url;
45 Json credential_source;
46 std::string quota_project_id;
47 std::string client_id;
48 std::string client_secret;
// Constructs the credentials from already-parsed options and the requested
// scopes. Both arguments are taken by value; presumably they are moved into
// options_ and scopes_ — confirm in the .cc.
51 ExternalAccountCredentials(ExternalAccountCredentialsOptions options,
52 std::vector<std::string> scopes);
53 ~ExternalAccountCredentials() override;
// Human-readable description of this credential object.
// NOTE(review): the stored options include client_secret; confirm that the
// implementation of debug_string() does not include that value in its output.
54 std::string debug_string() override;
57 // This is a helper struct to pass information between multiple callback-based
58 // asynchronous calls.
59 struct HTTPRequestContext {
60 HTTPRequestContext(grpc_httpcli_context* httpcli_context,
61 grpc_polling_entity* pollent, grpc_millis deadline)
62 : httpcli_context(httpcli_context),
65 ~HTTPRequestContext() { grpc_http_response_destroy(&response); }
67 // Contextual parameters passed from
68 // grpc_oauth2_token_fetcher_credentials::fetch_oauth2().
69 grpc_httpcli_context* httpcli_context;
70 grpc_polling_entity* pollent;
73 // Reusable token fetch http response and closure.
75 grpc_http_response response;
78 // Subclasses of the base external account credentials class need to override
79 // this method to implement the specific subject token retrieval logic.
80 // Once the subject token is ready, subclasses need to invoke
81 // the callback function (cb) to pass the subject token (or error)
// ctx is read-only for the implementation (const pointer); options are the
// parsed credential options. cb receives the subject token by value together
// with a grpc_error*; the ownership convention for that error is not visible
// in this header — verify against the caller in the .cc.
83 virtual void RetrieveSubjectToken(
84 const HTTPRequestContext* ctx,
85 const ExternalAccountCredentialsOptions& options,
86 std::function<void(std::string, grpc_error*)> cb) = 0;
89 // This method implements the common token fetch logic; it is called
90 // when grpc_oauth2_token_fetcher_credentials requests a new access token.
// Overrides the base-class fetch hook. The declarations below suggest the
// fetch proceeds RetrieveSubjectToken -> ExchangeToken ->
// ImpersenateServiceAccount -> FinishTokenFetch, but that order is only
// implied by the names — confirm in the .cc.
91 void fetch_oauth2(grpc_credentials_metadata_request* req,
92 grpc_httpcli_context* httpcli_context,
93 grpc_polling_entity* pollent, grpc_iomgr_cb_func cb,
94 grpc_millis deadline) override;
96 void OnRetrieveSubjectTokenInternal(absl::string_view subject_token,
// Token-exchange step. The static OnExchangeToken(void*, grpc_error*) has the
// grpc closure callback signature; presumably arg is the credentials object
// and the static forwards to OnExchangeTokenInternal — verify in the .cc.
99 void ExchangeToken(absl::string_view subject_token);
100 static void OnExchangeToken(void* arg, grpc_error* error);
101 void OnExchangeTokenInternal(grpc_error* error);
// Service-account impersonation step, same static/instance split as above.
// (The spelling "Impersenate" is the declared identifier and is kept as-is;
// renaming would also touch every definition and call site.)
103 void ImpersenateServiceAccount();
104 static void OnImpersenateServiceAccount(void* arg, grpc_error* error);
105 void OnImpersenateServiceAccountInternal(grpc_error* error);
// Presumably the final step, reporting the fetch outcome (or error) to the
// pending request — confirm in the .cc.
107 void FinishTokenFetch(grpc_error* error);
// Parsed credential options; note these include client_secret, so keep
// options_ out of logs and debug output.
109 ExternalAccountCredentialsOptions options_;
110 std::vector<std::string> scopes_;
// Per-fetch state held as raw pointers. Ownership and lifetime are not
// visible from this header — presumably set in fetch_oauth2() and cleared in
// FinishTokenFetch(); verify in the .cc.
112 HTTPRequestContext* ctx_ = nullptr;
113 grpc_credentials_metadata_request* metadata_req_ = nullptr;
114 grpc_iomgr_cb_func response_cb_ = nullptr;
117 } // namespace grpc_core
119 #endif // GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_EXTERNAL_ACCOUNT_CREDENTIALS_H