//
//
// Copyright 2015 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//

#ifndef GRPCPP_SECURITY_CREDENTIALS_H
#define GRPCPP_SECURITY_CREDENTIALS_H

// Client-side credential types (ChannelCredentials, CallCredentials,
// MetadataCredentialsPlugin) and the factory functions that build them.

#include <map>
#include <memory>
#include <vector>

// NOTE(review): std::string is used below (GetOauth2AccessToken) but <string>
// is not included directly; it presumably arrives through one of the gRPC
// headers. An explicit include would make this header self-contained.
#include <grpc/grpc_security_constants.h>
#include <grpcpp/channel.h>
#include <grpcpp/impl/grpc_library.h>
#include <grpcpp/security/auth_context.h>
#include <grpcpp/security/tls_credentials_options.h>
#include <grpcpp/support/channel_arguments.h>
#include <grpcpp/support/client_interceptor.h>
#include <grpcpp/support/status.h>
#include <grpcpp/support/string_ref.h>

// Opaque C-core call handle; only ever passed through by pointer here.
struct grpc_call;

namespace grpc {
class CallCredentials;
class ChannelCredentials;
namespace testing {
// Declared here so that CallCredentials can name it as a friend below.
std::string GetOauth2AccessToken();
}

/// Creates a channel to \a target secured by \a creds and configured with
/// \a args. Declared here because ChannelCredentials grants it friend access
/// to its private channel-creation hooks.
std::shared_ptr<Channel> CreateCustomChannel(
    const grpc::string& target,
    const std::shared_ptr<grpc::ChannelCredentials>& creds,
    const grpc::ChannelArguments& args);

namespace experimental {
/// Same as CreateCustomChannel, additionally installing the given client
/// interceptor factories on the new channel. Takes ownership of the factories.
std::shared_ptr<grpc::Channel> CreateCustomChannelWithInterceptors(
    const grpc::string& target,
    const std::shared_ptr<grpc::ChannelCredentials>& creds,
    const grpc::ChannelArguments& args,
    std::vector<
        std::unique_ptr<grpc::experimental::ClientInterceptorFactoryInterface>>
        interceptor_creators);
}  // namespace experimental

/// Builds XDS Credentials.
/// \a fallback_creds is presumably used when the xDS configuration does not
/// supply security settings for the channel — TODO confirm in the
/// implementation.
std::shared_ptr<ChannelCredentials> XdsCredentials(
    const std::shared_ptr<ChannelCredentials>& fallback_creds);

/// A channel credentials object encapsulates all the state needed by a client
/// to authenticate with a server for a given channel.
/// It can make various assertions, e.g., about the client’s identity, role
/// for all the calls on that channel.
///
/// \see https://grpc.io/docs/guides/auth.html
class ChannelCredentials : private grpc::internal::GrpcLibrary {
 public:
  // Defined out of line; presumably releases the C-core handle held in
  // c_creds_ — confirm in the implementation file.
  ~ChannelCredentials() override;

 protected:
  /// Wraps the C-core credentials handle \a creds. Protected: only subclasses
  /// and the friend factories below can construct a ChannelCredentials.
  explicit ChannelCredentials(grpc_channel_credentials* creds);

  /// Accessor for the underlying C-core handle, for subclasses. The pointer
  /// value is fixed for the object's lifetime (c_creds_ is a const pointer).
  grpc_channel_credentials* c_creds() { return c_creds_; }

 private:
  // Only these factories and implementation classes may reach the private
  // channel-creation hooks and the raw handle.
  friend std::shared_ptr<grpc::Channel> CreateCustomChannel(
      const grpc::string& target,
      const std::shared_ptr<grpc::ChannelCredentials>& creds,
      const grpc::ChannelArguments& args);
  friend std::shared_ptr<grpc::Channel>
  grpc::experimental::CreateCustomChannelWithInterceptors(
      const grpc::string& target,
      const std::shared_ptr<grpc::ChannelCredentials>& creds,
      const grpc::ChannelArguments& args,
      std::vector<std::unique_ptr<
          grpc::experimental::ClientInterceptorFactoryInterface>>
          interceptor_creators);
  friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
      const std::shared_ptr<ChannelCredentials>& channel_creds,
      const std::shared_ptr<CallCredentials>& call_creds);
  friend class XdsChannelCredentialsImpl;

  /// Builds a channel to \a target with \a args. The default implementation
  /// simply delegates to CreateChannelWithInterceptors with no interceptor
  /// factories.
  virtual std::shared_ptr<Channel> CreateChannelImpl(
      const grpc::string& target, const ChannelArguments& args) {
    return CreateChannelWithInterceptors(target, args, {});
  }

  /// Virtual hook that builds the channel and installs the given interceptor
  /// factories; the base-class implementation is defined out of line.
  virtual std::shared_ptr<Channel> CreateChannelWithInterceptors(
      const grpc::string& target, const ChannelArguments& args,
      std::vector<std::unique_ptr<
          grpc::experimental::ClientInterceptorFactoryInterface>>
          interceptor_creators);

  // C-core credentials handle. The pointer itself never changes after
  // construction; compare CallCredentials::c_creds_, which is mutable and
  // defaults to null.
  grpc_channel_credentials* const c_creds_;
};

/// A call credentials object encapsulates the state needed by a client to
/// authenticate with a server for a given call on a channel.
///
/// \see https://grpc.io/docs/guides/auth.html
class CallCredentials : private grpc::internal::GrpcLibrary {
 public:
  // Defined out of line; presumably releases c_creds_ — confirm in the
  // implementation file.
  ~CallCredentials() override;

  /// Apply this instance's credentials to \a call.
  /// The bool result presumably reports success — the failure conditions are
  /// not documented here; confirm against the implementation.
  bool ApplyToCall(grpc_call* call);

  /// Human-readable description of these credentials for diagnostics.
  /// NOTE(review): callers may log the result, so implementations should keep
  /// token and key material out of this string.
  grpc::string DebugString();

 protected:
  /// Wraps the C-core call credentials handle \a creds. Protected: only
  /// subclasses and the friend factories below can construct one.
  explicit CallCredentials(grpc_call_credentials* creds);

 private:
  // Factories and implementation classes that need the raw handle.
  friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
      const std::shared_ptr<ChannelCredentials>& channel_creds,
      const std::shared_ptr<CallCredentials>& call_creds);
  friend class CompositeCallCredentialsImpl;
  // Test helper granted access to the raw handle.
  friend std::string grpc::testing::GetOauth2AccessToken();

  // C-core call credentials handle; null until set by the constructor.
  grpc_call_credentials* c_creds_ = nullptr;
};

/// Options used to build SslCredentials.
struct SslCredentialsOptions {
  /// The buffer containing the PEM encoding of the server root certificates. If
  /// this parameter is empty, the default roots will be used. The default
  /// roots can be overridden using the \a GRPC_DEFAULT_SSL_ROOTS_FILE_PATH
  /// environment variable pointing to a file on the file system containing the
  /// roots.
  ///
  /// NOTE(review): because that environment variable redirects the default
  /// trust anchors, the process environment becomes part of the trust
  /// decision whenever this field is left empty. Supplying roots explicitly
  /// removes that dependency.
  grpc::string pem_root_certs;

  /// The buffer containing the PEM encoding of the client's private key. This
  /// parameter can be empty if the client does not have a private key.
  /// This is secret material held in process memory as a plain string.
  grpc::string pem_private_key;

  /// The buffer containing the PEM encoding of the client's certificate chain.
  /// This parameter can be empty if the client does not have a certificate
  /// chain.
  grpc::string pem_cert_chain;
};

// Factories for building different types of Credentials. The functions may
// return empty shared_ptr when credentials cannot be created. If a
// Credentials pointer is returned, it can still be invalid when used to create
// a channel.
// A lame channel will be created then and all rpcs will fail on it.
// Callers should therefore check the returned pointer for null and not
// assume a non-null result means the credentials are usable.

/// Builds credentials with reasonable defaults.
///
/// \warning Only use these credentials when connecting to a Google endpoint.
/// Using these credentials to connect to any other service may result in this
/// service being able to impersonate your client for requests to Google
/// services.
std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials();

/// Builds SSL Credentials given SSL specific options.
/// \a options may carry the client's private key (see
/// SslCredentialsOptions::pem_private_key); callers should treat the options
/// object as sensitive.
std::shared_ptr<ChannelCredentials> SslCredentials(
    const SslCredentialsOptions& options);

/// Builds credentials for use when running in GCE.
///
/// \warning Only use these credentials when connecting to a Google endpoint.
/// Using these credentials to connect to any other service may result in this
/// service being able to impersonate your client for requests to Google
/// services.
std::shared_ptr<CallCredentials> GoogleComputeEngineCredentials();

/// Upper bound (one hour) on the lifetime accepted by
/// ServiceAccountJWTAccessCredentials; longer requests are cropped to it.
constexpr long kMaxAuthTokenLifetimeSecs = 3600;

/// Builds Service Account JWT Access credentials.
/// json_key is the JSON key string containing the client's private key.
/// token_lifetime_seconds is the lifetime in seconds of each Json Web Token
/// (JWT) created with this credentials. It should not exceed
/// \a kMaxAuthTokenLifetimeSecs or will be cropped to this value.
std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials(
    const grpc::string& json_key,
    long token_lifetime_seconds = kMaxAuthTokenLifetimeSecs);

/// Builds refresh token credentials.
/// json_refresh_token is the JSON string containing the refresh token along
/// with a client_id and client_secret.
///
/// \warning Only use these credentials when connecting to a Google endpoint.
/// Using these credentials to connect to any other service may result in this
/// service being able to impersonate your client for requests to Google
/// services.
std::shared_ptr<CallCredentials> GoogleRefreshTokenCredentials(
    const grpc::string& json_refresh_token);

/// Builds access token credentials.
/// access_token is an oauth2 access token that was fetched using an out of band
/// mechanism.
/// The token is taken as given; nothing here validates or refreshes it, so
/// expiry handling is the caller's responsibility.
///
/// \warning Only use these credentials when connecting to a Google endpoint.
/// Using these credentials to connect to any other service may result in this
/// service being able to impersonate your client for requests to Google
/// services.
std::shared_ptr<CallCredentials> AccessTokenCredentials(
    const grpc::string& access_token);

/// Builds IAM credentials.
/// The meaning of \a authorization_token and \a authority_selector is not
/// documented here — TODO confirm against the implementation.
///
/// \warning Only use these credentials when connecting to a Google endpoint.
/// Using these credentials to connect to any other service may result in this
/// service being able to impersonate your client for requests to Google
/// services.
std::shared_ptr<CallCredentials> GoogleIAMCredentials(
    const grpc::string& authorization_token,
    const grpc::string& authority_selector);

/// Combines a channel credentials and a call credentials into a composite
/// channel credentials.
std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
    const std::shared_ptr<ChannelCredentials>& channel_creds,
    const std::shared_ptr<CallCredentials>& call_creds);

/// Combines two call credentials objects into a composite call credentials.
std::shared_ptr<CallCredentials> CompositeCallCredentials(
    const std::shared_ptr<CallCredentials>& creds1,
    const std::shared_ptr<CallCredentials>& creds2);

/// Credentials for an unencrypted, unauthenticated channel.
/// Traffic is sent in the clear and the peer's identity is not verified, so
/// this is only appropriate where the network path itself is trusted.
std::shared_ptr<ChannelCredentials> InsecureChannelCredentials();

/// User defined metadata credentials.
class MetadataCredentialsPlugin {
 public:
  // Virtual so a plugin is destroyed correctly through the base-class
  // unique_ptr that MetadataCredentialsFromPlugin takes ownership of.
  virtual ~MetadataCredentialsPlugin() {}

  /// If this method returns true, the Process function will be scheduled in
  /// a different thread from the one processing the call.
  /// (The "Process function" is presumably GetMetadata below — confirm.)
  /// Defaults to true.
  virtual bool IsBlocking() const { return true; }

  /// Type of credentials this plugin is implementing. Defaults to "".
  virtual const char* GetType() const { return ""; }

  /// Gets the auth metadata produced by this plugin.
  /// The fully qualified method name is:
  /// service_url + "/" + method_name.
  /// The channel_auth_context contains (among other things), the identity of
  /// the server.
  /// Implementations fill \a metadata with the key/value pairs to attach to
  /// the call. What happens on a non-OK return is not documented here —
  /// presumably the call fails; confirm against the implementation.
  /// NOTE(review): when the metadata carries secrets, the server identity in
  /// \a channel_auth_context is the place to decide whether this peer should
  /// receive them before attaching.
  virtual grpc::Status GetMetadata(
      grpc::string_ref service_url, grpc::string_ref method_name,
      const grpc::AuthContext& channel_auth_context,
      std::multimap<grpc::string, grpc::string>* metadata) = 0;

  /// Human-readable description for diagnostics. Callers may log the result,
  /// so overrides should keep token material out of it.
  virtual grpc::string DebugString() {
    return "MetadataCredentialsPlugin did not provide a debug string";
  }
};

/// Wraps \a plugin as call credentials, taking ownership of it. An overload
/// that also takes a minimum security level is declared in namespace
/// experimental below.
std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
    std::unique_ptr<MetadataCredentialsPlugin> plugin);

/// Builds External Account credentials.
/// json_string is the JSON string containing the credentials options.
/// scopes contains the scopes to be bound with the credentials.
std::shared_ptr<CallCredentials> ExternalAccountCredentials(
    const grpc::string& json_string, const std::vector<grpc::string>& scopes);

namespace experimental {

/// Options for creating STS Oauth Token Exchange credentials following the IETF
/// draft https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16.
/// Optional fields may be set to empty string. It is the responsibility of the
/// caller to ensure that the subject and actor tokens are refreshed on disk at
/// the specified paths.
/// The token files are read from the file system at the given paths, so the
/// paths should point at files the process is entitled to trust.
struct StsCredentialsOptions {
  grpc::string token_exchange_service_uri;  // Required.
  grpc::string resource;                    // Optional.
  grpc::string audience;                    // Optional.
  grpc::string scope;                       // Optional.
  grpc::string requested_token_type;        // Optional.
  grpc::string subject_token_path;          // Required.
  grpc::string subject_token_type;          // Required.
  grpc::string actor_token_path;            // Optional.
  grpc::string actor_token_type;            // Optional.
};

/// Parses \a json_string into \a options. The returned Status presumably
/// reports parse or validation failures — the exact conditions are not
/// documented here; confirm against the implementation.
grpc::Status StsCredentialsOptionsFromJson(const std::string& json_string,
                                           StsCredentialsOptions* options);

/// Creates STS credentials options from the $STS_CREDENTIALS environment
/// variable. This environment variable points to the path of a JSON file
/// conforming to the schema described above.
/// Because the options come from a path named in the environment, the
/// environment is part of the trust decision here.
grpc::Status StsCredentialsOptionsFromEnv(StsCredentialsOptions* options);

/// Builds STS call credentials from \a options.
std::shared_ptr<CallCredentials> StsCredentials(
    const StsCredentialsOptions& options);

/// Like grpc::MetadataCredentialsFromPlugin, additionally taking
/// \a min_security_level — presumably the minimum transport security level the
/// channel must provide before the plugin's metadata is sent; confirm against
/// grpc_security_level in grpc/grpc_security_constants.h.
std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
    std::unique_ptr<MetadataCredentialsPlugin> plugin,
    grpc_security_level min_security_level);

/// Options used to build AltsCredentials.
struct AltsCredentialsOptions {
  /// service accounts of target endpoint that will be acceptable
  /// by the client. If service accounts are provided and none of them matches
  /// that of the server, authentication will fail.
  /// NOTE(review): presumably an empty list accepts any server identity, so
  /// populating it is what pins the expected peer — confirm.
  std::vector<grpc::string> target_service_accounts;
};

/// Builds ALTS Credentials given ALTS specific options.
std::shared_ptr<ChannelCredentials> AltsCredentials(
    const AltsCredentialsOptions& options);

/// Builds Local Credentials.
/// \a type selects the local connection kind (grpc_local_connect_type, from
/// grpc/grpc_security_constants.h).
std::shared_ptr<ChannelCredentials> LocalCredentials(
    grpc_local_connect_type type);

/// Builds TLS Credentials given TLS options.
/// \a options is declared in grpcpp/security/tls_credentials_options.h.
std::shared_ptr<ChannelCredentials> TlsCredentials(
    const TlsChannelCredentialsOptions& options);

}  // namespace experimental
}  // namespace grpc

#endif  // GRPCPP_SECURITY_CREDENTIALS_H