diff options
author | Julien Boeuf <jboeuf@google.com> | 2015-08-28 16:28:18 -0700 |
---|---|---|
committer | Julien Boeuf <jboeuf@google.com> | 2015-08-28 16:28:18 -0700 |
commit | 5be92a316de32fd7552d64bcf70703f1ea9e41d8 (patch) | |
tree | 7d1c863d1ab08dc9c46f10ced51ff3dc6bb4c884 /include/grpc++/security | |
parent | 97cd4ae606a39a62c07b0d2ce2687af3ce812645 (diff) |
Shuffling headers around.
Diffstat (limited to 'include/grpc++/security')
-rw-r--r-- | include/grpc++/security/auth_context.h | 104 | ||||
-rw-r--r-- | include/grpc++/security/auth_metadata_processor.h | 74 | ||||
-rw-r--r-- | include/grpc++/security/credentials.h | 134 | ||||
-rw-r--r-- | include/grpc++/security/server_credentials.h | 86 |
4 files changed, 398 insertions, 0 deletions
diff --git a/include/grpc++/security/auth_context.h b/include/grpc++/security/auth_context.h new file mode 100644 index 0000000000..fc2701e806 --- /dev/null +++ b/include/grpc++/security/auth_context.h @@ -0,0 +1,104 @@ +/* + * + * Copyright 2015, Google Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following disclaimer + * in the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Google Inc. nor the names of its + * contributors may be used to endorse or promote products derived from + * this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef GRPCXX_SUPPORT_AUTH_CONTEXT_H +#define GRPCXX_SUPPORT_AUTH_CONTEXT_H + +#include <iterator> +#include <vector> + +#include <grpc++/support/config.h> +#include <grpc++/support/string_ref.h> + +struct grpc_auth_context; +struct grpc_auth_property; +struct grpc_auth_property_iterator; + +namespace grpc { +class SecureAuthContext; + +typedef std::pair<grpc::string_ref, grpc::string_ref> AuthProperty; + +class AuthPropertyIterator + : public std::iterator<std::input_iterator_tag, const AuthProperty> { + public: + ~AuthPropertyIterator(); + AuthPropertyIterator& operator++(); + AuthPropertyIterator operator++(int); + bool operator==(const AuthPropertyIterator& rhs) const; + bool operator!=(const AuthPropertyIterator& rhs) const; + const AuthProperty operator*(); + + protected: + AuthPropertyIterator(); + AuthPropertyIterator(const grpc_auth_property* property, + const grpc_auth_property_iterator* iter); + + private: + friend class SecureAuthContext; + const grpc_auth_property* property_; + // The following items form a grpc_auth_property_iterator. + const grpc_auth_context* ctx_; + size_t index_; + const char* name_; +}; + +class AuthContext { + public: + virtual ~AuthContext() {} + + // Returns true if the peer is authenticated. + virtual bool IsPeerAuthenticated() const = 0; + + // A peer identity, in general is one or more properties (in which case they + // have the same name). + virtual std::vector<grpc::string_ref> GetPeerIdentity() const = 0; + virtual grpc::string GetPeerIdentityPropertyName() const = 0; + + // Returns all the property values with the given name. + virtual std::vector<grpc::string_ref> FindPropertyValues( + const grpc::string& name) const = 0; + + // Iteration over all the properties. + virtual AuthPropertyIterator begin() const = 0; + virtual AuthPropertyIterator end() const = 0; + + // Mutation functions: should only be used by an AuthMetadataProcessor. + virtual void AddProperty(const grpc::string& key, + const grpc::string_ref& value) = 0; + virtual bool SetPeerIdentityPropertyName(const grpc::string& name) = 0; +}; + +} // namespace grpc + +#endif // GRPCXX_SUPPORT_AUTH_CONTEXT_H diff --git a/include/grpc++/security/auth_metadata_processor.h b/include/grpc++/security/auth_metadata_processor.h new file mode 100644 index 0000000000..18ad922321 --- /dev/null +++ b/include/grpc++/security/auth_metadata_processor.h @@ -0,0 +1,74 @@ +/* + * + * Copyright 2015, Google Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following disclaimer + * in the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Google Inc. nor the names of its + * contributors may be used to endorse or promote products derived from + * this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef GRPCXX_AUTH_METADATA_PROCESSOR_H_ +#define GRPCXX_AUTH_METADATA_PROCESSOR_H_ + +#include <map> + +#include <grpc++/security/auth_context.h> +#include <grpc++/support/status.h> +#include <grpc++/support/string_ref.h> + +namespace grpc { + +class AuthMetadataProcessor { + public: + typedef std::multimap<grpc::string_ref, grpc::string_ref> InputMetadata; + typedef std::multimap<grpc::string, grpc::string_ref> OutputMetadata; + + virtual ~AuthMetadataProcessor() {} + + // If this method returns true, the Process function will be scheduled in + // a different thread from the one processing the call. + virtual bool IsBlocking() const { return true; } + + // context is read/write: it contains the properties of the channel peer and + // it is the job of the Process method to augment it with properties derived + // from the passed-in auth_metadata. + // consumed_auth_metadata needs to be filled with metadata that has been + // consumed by the processor and will be removed from the call. + // response_metadata is the metadata that will be sent as part of the + // response. + // If the return value is not Status::OK, the rpc call will be aborted with + // the error code and error message sent back to the client. + virtual Status Process(const InputMetadata& auth_metadata, + AuthContext* context, + OutputMetadata* consumed_auth_metadata, + OutputMetadata* response_metadata) = 0; +}; + +} // namespace grpc + +#endif // GRPCXX_AUTH_METADATA_PROCESSOR_H_ + diff --git a/include/grpc++/security/credentials.h b/include/grpc++/security/credentials.h new file mode 100644 index 0000000000..ce5a9e0606 --- /dev/null +++ b/include/grpc++/security/credentials.h @@ -0,0 +1,134 @@ +/* + * + * Copyright 2015, Google Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following disclaimer + * in the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Google Inc. nor the names of its + * contributors may be used to endorse or promote products derived from + * this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef GRPCXX_CREDENTIALS_H +#define GRPCXX_CREDENTIALS_H + +#include <memory> + +#include <grpc++/impl/grpc_library.h> +#include <grpc++/support/config.h> + +namespace grpc { +class ChannelArguments; +class Channel; +class SecureCredentials; + +class Credentials : public GrpcLibrary { + public: + ~Credentials() GRPC_OVERRIDE; + virtual bool ApplyToCall(grpc_call* call) = 0; + + protected: + friend std::shared_ptr<Credentials> CompositeCredentials( + const std::shared_ptr<Credentials>& creds1, + const std::shared_ptr<Credentials>& creds2); + + virtual SecureCredentials* AsSecureCredentials() = 0; + + private: + friend std::shared_ptr<Channel> CreateCustomChannel( + const grpc::string& target, const std::shared_ptr<Credentials>& creds, + const ChannelArguments& args); + + virtual std::shared_ptr<Channel> CreateChannel( + const grpc::string& target, const ChannelArguments& args) = 0; +}; + +// Options used to build SslCredentials +// pem_roots_cert is the buffer containing the PEM encoding of the server root +// certificates. If this parameter is empty, the default roots will be used. +// pem_private_key is the buffer containing the PEM encoding of the client's +// private key. This parameter can be empty if the client does not have a +// private key. +// pem_cert_chain is the buffer containing the PEM encoding of the client's +// certificate chain. This parameter can be empty if the client does not have +// a certificate chain. +struct SslCredentialsOptions { + grpc::string pem_root_certs; + grpc::string pem_private_key; + grpc::string pem_cert_chain; +}; + +// Factories for building different types of Credentials +// The functions may return empty shared_ptr when credentials cannot be created. +// If a Credentials pointer is returned, it can still be invalid when used to +// create a channel. A lame channel will be created then and all rpcs will +// fail on it. + +// Builds credentials with reasonable defaults. +std::shared_ptr<Credentials> GoogleDefaultCredentials(); + +// Builds SSL Credentials given SSL specific options +std::shared_ptr<Credentials> SslCredentials( + const SslCredentialsOptions& options); + +// Builds credentials for use when running in GCE +std::shared_ptr<Credentials> GoogleComputeEngineCredentials(); + +// Builds Service Account JWT Access credentials. +// json_key is the JSON key string containing the client's private key. +// token_lifetime_seconds is the lifetime in seconds of each Json Web Token +// (JWT) created with this credentials. It should not exceed +// grpc_max_auth_token_lifetime or will be cropped to this value. +std::shared_ptr<Credentials> ServiceAccountJWTAccessCredentials( + const grpc::string& json_key, long token_lifetime_seconds); + +// Builds refresh token credentials. +// json_refresh_token is the JSON string containing the refresh token along +// with a client_id and client_secret. +std::shared_ptr<Credentials> GoogleRefreshTokenCredentials( + const grpc::string& json_refresh_token); + +// Builds access token credentials. +// access_token is an oauth2 access token that was fetched using an out of band +// mechanism. +std::shared_ptr<Credentials> AccessTokenCredentials( + const grpc::string& access_token); + +// Builds IAM credentials. +std::shared_ptr<Credentials> GoogleIAMCredentials( + const grpc::string& authorization_token, + const grpc::string& authority_selector); + +// Combines two credentials objects into a composite credentials +std::shared_ptr<Credentials> CompositeCredentials( + const std::shared_ptr<Credentials>& creds1, + const std::shared_ptr<Credentials>& creds2); + +// Credentials for an unencrypted, unauthenticated channel +std::shared_ptr<Credentials> InsecureCredentials(); + +} // namespace grpc + +#endif // GRPCXX_CREDENTIALS_H diff --git a/include/grpc++/security/server_credentials.h b/include/grpc++/security/server_credentials.h new file mode 100644 index 0000000000..2094c7403c --- /dev/null +++ b/include/grpc++/security/server_credentials.h @@ -0,0 +1,86 @@ +/* + * + * Copyright 2015, Google Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following disclaimer + * in the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Google Inc. nor the names of its + * contributors may be used to endorse or promote products derived from + * this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef GRPCXX_SERVER_CREDENTIALS_H +#define GRPCXX_SERVER_CREDENTIALS_H + +#include <memory> +#include <vector> + +#include <grpc++/security/auth_metadata_processor.h> +#include <grpc++/support/config.h> + +struct grpc_server; + +namespace grpc { +class Server; + +// grpc_server_credentials wrapper class. +class ServerCredentials { + public: + virtual ~ServerCredentials(); + + // This method is not thread-safe and has to be called before the server is + // started. The last call to this function wins. + virtual void SetAuthMetadataProcessor( + const std::shared_ptr<AuthMetadataProcessor>& processor) = 0; + + private: + friend class ::grpc::Server; + + virtual int AddPortToServer(const grpc::string& addr, + grpc_server* server) = 0; +}; + +// Options to create ServerCredentials with SSL +struct SslServerCredentialsOptions { + SslServerCredentialsOptions() : force_client_auth(false) {} + + struct PemKeyCertPair { + grpc::string private_key; + grpc::string cert_chain; + }; + grpc::string pem_root_certs; + std::vector<PemKeyCertPair> pem_key_cert_pairs; + bool force_client_auth; +}; + +// Builds SSL ServerCredentials given SSL specific options +std::shared_ptr<ServerCredentials> SslServerCredentials( + const SslServerCredentialsOptions& options); + +std::shared_ptr<ServerCredentials> InsecureServerCredentials(); + +} // namespace grpc + +#endif // GRPCXX_SERVER_CREDENTIALS_H |