1 //
2 // Copyright 2020 gRPC authors.
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //     http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16
17 #ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_EXTERNAL_ACCOUNT_CREDENTIALS_H
18 #define GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_EXTERNAL_ACCOUNT_CREDENTIALS_H
19
#include <grpc/support/port_platform.h>

#include <functional>
#include <string>
#include <vector>

#include "src/core/lib/json/json.h"
#include "src/core/lib/security/credentials/oauth2/oauth2_credentials.h"
27
28 namespace grpc_core {
29
30 // Base external account credentials. The base class implements common logic for
31 // exchanging external account credentials for GCP access token to authorize
32 // requests to GCP APIs. The specific logic of retrieving subject token is
33 // implemented in subclasses.
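class ExternalAccountCredentials
    : public grpc_oauth2_token_fetcher_credentials {
 public:
  // Configuration parsed from an external account credentials JSON document.
  // Field names mirror the JSON keys.
  //
  // Security notes for maintainers:
  //  - client_secret is a secret. It must never be logged, and
  //    debug_string() must not include it (or client_id) in its output.
  //  - token_url and service_account_impersonation_url are, presumably, the
  //    endpoints that ExchangeToken() / ImpersenateServiceAccount() below
  //    post the subject token and the exchanged access token to (confirm in
  //    the .cc). Nothing in this header validates them, so if the JSON can
  //    come from an untrusted source the caller should allowlist these URLs
  //    before constructing the credential; otherwise a crafted config can
  //    redirect tokens to an attacker-controlled host.
  //  - credential_source is kept as raw Json; how it is interpreted is up to
  //    the subclass implementing RetrieveSubjectToken().
  struct ExternalAccountCredentialsOptions {
    std::string type;
    std::string audience;
    std::string subject_token_type;
    std::string service_account_impersonation_url;
    std::string token_url;
    std::string token_info_url;
    Json credential_source;
    std::string quota_project_id;
    std::string client_id;
    std::string client_secret;
  };

  // `options` and `scopes` are taken by value and stored in options_ /
  // scopes_ for the lifetime of the credential.
  ExternalAccountCredentials(ExternalAccountCredentialsOptions options,
                             std::vector<std::string> scopes);
  ~ExternalAccountCredentials() override;
  // Human-readable description for logging/debugging. Must not expose
  // client_secret.
  std::string debug_string() override;

 protected:
  // Carries the parameters of one token fetch across the chain of
  // callback-based asynchronous calls (subject token retrieval, token
  // exchange, optional impersonation).
  struct HTTPRequestContext {
    HTTPRequestContext(grpc_httpcli_context* httpcli_context,
                       grpc_polling_entity* pollent, grpc_millis deadline)
        : httpcli_context(httpcli_context),
          pollent(pollent),
          deadline(deadline) {}
    // The destructor unconditionally releases `response`. `response` is
    // therefore value-initialized (all fields zero) below so that a context
    // torn down before any HTTP call was issued (e.g. RetrieveSubjectToken
    // fails early) does not hand indeterminate pointers to
    // grpc_http_response_destroy(). NOTE(review): this relies on
    // grpc_http_response_destroy() tolerating a zeroed struct — confirm.
    ~HTTPRequestContext() { grpc_http_response_destroy(&response); }

    // This struct owns `response`; copying it would destroy the same
    // response twice. Intended usage is a single heap instance (see ctx_).
    HTTPRequestContext(const HTTPRequestContext&) = delete;
    HTTPRequestContext& operator=(const HTTPRequestContext&) = delete;

    // Contextual parameters passed from
    // grpc_oauth2_token_fetcher_credentials::fetch_oauth2(). Not owned.
    grpc_httpcli_context* httpcli_context;
    grpc_polling_entity* pollent;
    grpc_millis deadline;

    // Reusable token fetch http closure and response. Zero-initialized so the
    // destructor above is always safe to run.
    grpc_closure closure{};
    grpc_http_response response{};
  };

  // Subclasses must override this to implement the specific subject token
  // retrieval logic. Once the subject token is ready (or retrieval has
  // failed), the subclass invokes `cb` with the token and the error.
  // Presumably `cb` must be invoked exactly once per call — calling it
  // twice would complete the fetch twice and never calling it would leave
  // the fetch hanging; confirm against the .cc.
  //   ctx     - the in-flight fetch context (not owned by the callee).
  //   options - the parsed credentials configuration.
  //   cb      - completion callback taking (subject_token, error).
  virtual void RetrieveSubjectToken(
      const HTTPRequestContext* ctx,
      const ExternalAccountCredentialsOptions& options,
      std::function<void(std::string, grpc_error*)> cb) = 0;

 private:
  // Implements the common token fetch logic; called when
  // grpc_oauth2_token_fetcher_credentials requests a new access token.
  void fetch_oauth2(grpc_credentials_metadata_request* req,
                    grpc_httpcli_context* httpcli_context,
                    grpc_polling_entity* pollent, grpc_iomgr_cb_func cb,
                    grpc_millis deadline) override;

  // Continuation after RetrieveSubjectToken() reports a token or an error.
  void OnRetrieveSubjectTokenInternal(absl::string_view subject_token,
                                      grpc_error* error);

  // Exchanges the subject token for an access token; the static function is
  // the grpc_closure trampoline that forwards to the *Internal member.
  void ExchangeToken(absl::string_view subject_token);
  static void OnExchangeToken(void* arg, grpc_error* error);
  void OnExchangeTokenInternal(grpc_error* error);

  // Optional service account impersonation step, same trampoline pattern.
  // NOTE(review): "Impersenate" is a misspelling of "Impersonate". It is
  // kept here because the definitions in the .cc use the same spelling;
  // rename both together.
  void ImpersenateServiceAccount();
  static void OnImpersenateServiceAccount(void* arg, grpc_error* error);
  void OnImpersenateServiceAccountInternal(grpc_error* error);

  // Completes the fetch, reporting `error` to the caller of fetch_oauth2().
  void FinishTokenFetch(grpc_error* error);

  ExternalAccountCredentialsOptions options_;
  std::vector<std::string> scopes_;

  // State of the fetch currently in progress. ctx_ is a raw owning pointer:
  // presumably allocated in fetch_oauth2() and released in
  // FinishTokenFetch() (confirm in the .cc). No synchronization is visible
  // here, so concurrent fetches on one instance are not assumed safe.
  HTTPRequestContext* ctx_ = nullptr;
  grpc_credentials_metadata_request* metadata_req_ = nullptr;
  grpc_iomgr_cb_func response_cb_ = nullptr;
};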
116
117 }  // namespace grpc_core
118
119 #endif  // GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_EXTERNAL_ACCOUNT_CREDENTIALS_H