diff options
author | Muxi Yan <mxyan@google.com> | 2018-01-26 15:39:32 -0800 |
---|---|---|
committer | Muxi Yan <mxyan@google.com> | 2018-02-15 14:49:34 -0800 |
commit | 0e00c430827e81d61e1e7164ef04ca21ccbfaa77 (patch) | |
tree | 9246301d4f3583a4befd834f7ea426663b8eb622 /include/grpcpp/security | |
parent | 8224c45866c6a2cfa29ede0c91a6ae9f40572658 (diff) |
Move headers from grpc++ to grpcpp
Diffstat (limited to 'include/grpcpp/security')
-rw-r--r-- | include/grpcpp/security/auth_context.h | 24 | ||||
-rw-r--r-- | include/grpcpp/security/auth_metadata_processor.h | 61 | ||||
-rw-r--r-- | include/grpcpp/security/credentials.h | 224 | ||||
-rw-r--r-- | include/grpcpp/security/server_credentials.h | 91 |
4 files changed, 400 insertions, 0 deletions
diff --git a/include/grpcpp/security/auth_context.h b/include/grpcpp/security/auth_context.h new file mode 100644 index 0000000000..7a6f2cb718 --- /dev/null +++ b/include/grpcpp/security/auth_context.h @@ -0,0 +1,24 @@ +/* + * + * Copyright 2015 gRPC authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +#ifndef GRPCPP_SECURITY_AUTH_CONTEXT_H +#define GRPCPP_SECURITY_AUTH_CONTEXT_H + +#include <grpcpp/impl/codegen/security/auth_context.h> + +#endif // GRPCPP_SECURITY_AUTH_CONTEXT_H diff --git a/include/grpcpp/security/auth_metadata_processor.h b/include/grpcpp/security/auth_metadata_processor.h new file mode 100644 index 0000000000..30e24c9f0b --- /dev/null +++ b/include/grpcpp/security/auth_metadata_processor.h @@ -0,0 +1,61 @@ +/* + * + * Copyright 2015 gRPC authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +#ifndef GRPCPP_SECURITY_AUTH_METADATA_PROCESSOR_H +#define GRPCPP_SECURITY_AUTH_METADATA_PROCESSOR_H + +#include <map> + +#include <grpcpp/security/auth_context.h> +#include <grpcpp/support/status.h> +#include <grpcpp/support/string_ref.h> + +namespace grpc { + +/// Interface allowing custom server-side authorization based on credentials +/// encoded in metadata. Objects of this type can be passed to +/// \a ServerCredentials::SetAuthMetadataProcessor(). +class AuthMetadataProcessor { + public: + typedef std::multimap<grpc::string_ref, grpc::string_ref> InputMetadata; + typedef std::multimap<grpc::string, grpc::string> OutputMetadata; + + virtual ~AuthMetadataProcessor() {} + + /// If this method returns true, the \a Process function will be scheduled in + /// a different thread from the one processing the call. + virtual bool IsBlocking() const { return true; } + + /// context is read/write: it contains the properties of the channel peer and + /// it is the job of the Process method to augment it with properties derived + /// from the passed-in auth_metadata. + /// consumed_auth_metadata needs to be filled with metadata that has been + /// consumed by the processor and will be removed from the call. + /// response_metadata is the metadata that will be sent as part of the + /// response. + /// If the return value is not Status::OK, the rpc call will be aborted with + /// the error code and error message sent back to the client. + virtual Status Process(const InputMetadata& auth_metadata, + AuthContext* context, + OutputMetadata* consumed_auth_metadata, + OutputMetadata* response_metadata) = 0; +}; + +} // namespace grpc + +#endif // GRPCPP_SECURITY_AUTH_METADATA_PROCESSOR_H diff --git a/include/grpcpp/security/credentials.h b/include/grpcpp/security/credentials.h new file mode 100644 index 0000000000..837a0e43ed --- /dev/null +++ b/include/grpcpp/security/credentials.h @@ -0,0 +1,224 @@ +/* + * + * Copyright 2015 gRPC authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +#ifndef GRPCPP_SECURITY_CREDENTIALS_H +#define GRPCPP_SECURITY_CREDENTIALS_H + +#include <map> +#include <memory> + +#include <grpcpp/impl/codegen/grpc_library.h> +#include <grpcpp/security/auth_context.h> +#include <grpcpp/support/status.h> +#include <grpcpp/support/string_ref.h> + +struct grpc_call; + +namespace grpc { +class ChannelArguments; +class Channel; +class SecureChannelCredentials; +class CallCredentials; +class SecureCallCredentials; + +/// A channel credentials object encapsulates all the state needed by a client +/// to authenticate with a server for a given channel. +/// It can make various assertions, e.g., about the client’s identity, role +/// for all the calls on that channel. +/// +/// \see https://grpc.io/docs/guides/auth.html +class ChannelCredentials : private GrpcLibraryCodegen { + public: + ChannelCredentials(); + ~ChannelCredentials(); + + protected: + friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials( + const std::shared_ptr<ChannelCredentials>& channel_creds, + const std::shared_ptr<CallCredentials>& call_creds); + + virtual SecureChannelCredentials* AsSecureCredentials() = 0; + + private: + friend std::shared_ptr<Channel> CreateCustomChannel( + const grpc::string& target, + const std::shared_ptr<ChannelCredentials>& creds, + const ChannelArguments& args); + + virtual std::shared_ptr<Channel> CreateChannel( + const grpc::string& target, const ChannelArguments& args) = 0; +}; + +/// A call credentials object encapsulates the state needed by a client to +/// authenticate with a server for a given call on a channel. +/// +/// \see https://grpc.io/docs/guides/auth.html +class CallCredentials : private GrpcLibraryCodegen { + public: + CallCredentials(); + ~CallCredentials(); + + /// Apply this instance's credentials to \a call. + virtual bool ApplyToCall(grpc_call* call) = 0; + + protected: + friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials( + const std::shared_ptr<ChannelCredentials>& channel_creds, + const std::shared_ptr<CallCredentials>& call_creds); + + friend std::shared_ptr<CallCredentials> CompositeCallCredentials( + const std::shared_ptr<CallCredentials>& creds1, + const std::shared_ptr<CallCredentials>& creds2); + + virtual SecureCallCredentials* AsSecureCredentials() = 0; +}; + +/// Options used to build SslCredentials. +struct SslCredentialsOptions { + /// The buffer containing the PEM encoding of the server root certificates. If + /// this parameter is empty, the default roots will be used. The default + /// roots can be overridden using the \a GRPC_DEFAULT_SSL_ROOTS_FILE_PATH + /// environment variable pointing to a file on the file system containing the + /// roots. + grpc::string pem_root_certs; + + /// The buffer containing the PEM encoding of the client's private key. This + /// parameter can be empty if the client does not have a private key. + grpc::string pem_private_key; + + /// The buffer containing the PEM encoding of the client's certificate chain. + /// This parameter can be empty if the client does not have a certificate + /// chain. + grpc::string pem_cert_chain; +}; + +// Factories for building different types of Credentials The functions may +// return empty shared_ptr when credentials cannot be created. If a +// Credentials pointer is returned, it can still be invalid when used to create +// a channel. A lame channel will be created then and all rpcs will fail on it. + +/// Builds credentials with reasonable defaults. +/// +/// \warning Only use these credentials when connecting to a Google endpoint. +/// Using these credentials to connect to any other service may result in this +/// service being able to impersonate your client for requests to Google +/// services. +std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials(); + +/// Builds SSL Credentials given SSL specific options +std::shared_ptr<ChannelCredentials> SslCredentials( + const SslCredentialsOptions& options); + +/// Builds credentials for use when running in GCE +/// +/// \warning Only use these credentials when connecting to a Google endpoint. +/// Using these credentials to connect to any other service may result in this +/// service being able to impersonate your client for requests to Google +/// services. +std::shared_ptr<CallCredentials> GoogleComputeEngineCredentials(); + +/// Constant for maximum auth token lifetime. +constexpr long kMaxAuthTokenLifetimeSecs = 3600; + +/// Builds Service Account JWT Access credentials. +/// json_key is the JSON key string containing the client's private key. +/// token_lifetime_seconds is the lifetime in seconds of each Json Web Token +/// (JWT) created with this credentials. It should not exceed +/// \a kMaxAuthTokenLifetimeSecs or will be cropped to this value. +std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials( + const grpc::string& json_key, + long token_lifetime_seconds = kMaxAuthTokenLifetimeSecs); + +/// Builds refresh token credentials. +/// json_refresh_token is the JSON string containing the refresh token along +/// with a client_id and client_secret. +/// +/// \warning Only use these credentials when connecting to a Google endpoint. +/// Using these credentials to connect to any other service may result in this +/// service being able to impersonate your client for requests to Google +/// services. +std::shared_ptr<CallCredentials> GoogleRefreshTokenCredentials( + const grpc::string& json_refresh_token); + +/// Builds access token credentials. +/// access_token is an oauth2 access token that was fetched using an out of band +/// mechanism. +/// +/// \warning Only use these credentials when connecting to a Google endpoint. +/// Using these credentials to connect to any other service may result in this +/// service being able to impersonate your client for requests to Google +/// services. +std::shared_ptr<CallCredentials> AccessTokenCredentials( + const grpc::string& access_token); + +/// Builds IAM credentials. +/// +/// \warning Only use these credentials when connecting to a Google endpoint. +/// Using these credentials to connect to any other service may result in this +/// service being able to impersonate your client for requests to Google +/// services. +std::shared_ptr<CallCredentials> GoogleIAMCredentials( + const grpc::string& authorization_token, + const grpc::string& authority_selector); + +/// Combines a channel credentials and a call credentials into a composite +/// channel credentials. +std::shared_ptr<ChannelCredentials> CompositeChannelCredentials( + const std::shared_ptr<ChannelCredentials>& channel_creds, + const std::shared_ptr<CallCredentials>& call_creds); + +/// Combines two call credentials objects into a composite call credentials. +std::shared_ptr<CallCredentials> CompositeCallCredentials( + const std::shared_ptr<CallCredentials>& creds1, + const std::shared_ptr<CallCredentials>& creds2); + +/// Credentials for an unencrypted, unauthenticated channel +std::shared_ptr<ChannelCredentials> InsecureChannelCredentials(); + +/// Credentials for a channel using Cronet. +std::shared_ptr<ChannelCredentials> CronetChannelCredentials(void* engine); + +/// User defined metadata credentials. +class MetadataCredentialsPlugin { + public: + virtual ~MetadataCredentialsPlugin() {} + + /// If this method returns true, the Process function will be scheduled in + /// a different thread from the one processing the call. + virtual bool IsBlocking() const { return true; } + + /// Type of credentials this plugin is implementing. + virtual const char* GetType() const { return ""; } + + /// Gets the auth metatada produced by this plugin. + /// The fully qualified method name is: + /// service_url + "/" + method_name. + /// The channel_auth_context contains (among other things), the identity of + /// the server. + virtual Status GetMetadata( + grpc::string_ref service_url, grpc::string_ref method_name, + const AuthContext& channel_auth_context, + std::multimap<grpc::string, grpc::string>* metadata) = 0; +}; + +std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin( + std::unique_ptr<MetadataCredentialsPlugin> plugin); + +} // namespace grpc + +#endif // GRPCPP_SECURITY_CREDENTIALS_H diff --git a/include/grpcpp/security/server_credentials.h b/include/grpcpp/security/server_credentials.h new file mode 100644 index 0000000000..892863ef54 --- /dev/null +++ b/include/grpcpp/security/server_credentials.h @@ -0,0 +1,91 @@ +/* + * + * Copyright 2015 gRPC authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +#ifndef GRPCPP_SECURITY_SERVER_CREDENTIALS_H +#define GRPCPP_SECURITY_SERVER_CREDENTIALS_H + +#include <memory> +#include <vector> + +#include <grpc/grpc_security_constants.h> +#include <grpcpp/security/auth_metadata_processor.h> +#include <grpcpp/support/config.h> + +struct grpc_server; + +namespace grpc { +class Server; + +/// Wrapper around \a grpc_server_credentials, a way to authenticate a server. +class ServerCredentials { + public: + virtual ~ServerCredentials(); + + /// This method is not thread-safe and has to be called before the server is + /// started. The last call to this function wins. + virtual void SetAuthMetadataProcessor( + const std::shared_ptr<AuthMetadataProcessor>& processor) = 0; + + private: + friend class ::grpc::Server; + + /// Tries to bind \a server to the given \a addr (eg, localhost:1234, + /// 192.168.1.1:31416, [::1]:27182, etc.) + /// + /// \return bound port number on sucess, 0 on failure. + // TODO(dgq): the "port" part seems to be a misnomer. + virtual int AddPortToServer(const grpc::string& addr, + grpc_server* server) = 0; +}; + +/// Options to create ServerCredentials with SSL +struct SslServerCredentialsOptions { + /// \warning Deprecated + SslServerCredentialsOptions() + : force_client_auth(false), + client_certificate_request(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE) {} + SslServerCredentialsOptions( + grpc_ssl_client_certificate_request_type request_type) + : force_client_auth(false), client_certificate_request(request_type) {} + + struct PemKeyCertPair { + grpc::string private_key; + grpc::string cert_chain; + }; + grpc::string pem_root_certs; + std::vector<PemKeyCertPair> pem_key_cert_pairs; + /// \warning Deprecated + bool force_client_auth; + + /// If both \a force_client_auth and \a client_certificate_request + /// fields are set, \a force_client_auth takes effect, i.e. + /// \a REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY + /// will be enforced. + grpc_ssl_client_certificate_request_type client_certificate_request; +}; + +/// Builds SSL ServerCredentials given SSL specific options +std::shared_ptr<ServerCredentials> SslServerCredentials( + const SslServerCredentialsOptions& options); + +/// Builds insecure server credentials. +std::shared_ptr<ServerCredentials> InsecureServerCredentials(); + +} // namespace grpc + +#endif // GRPCPP_SECURITY_SERVER_CREDENTIALS_H |