Adding refresh token credentials.

- The google default credentials now work with the cloud SDK. - Verified end to end with print_default_credentials and fetch_oauth2 tools.
author: Julien Boeuf <jboeuf@google.com> 2015-03-09 16:56:44 -0700
committer: Julien Boeuf <jboeuf@google.com> 2015-03-09 16:56:44 -0700
commit: 9835cf02349840524491bd1684e5b7ea39b63ada (patch)
tree: 846efb529c3a7169522150e615f3f38b9ede76aa /src/core/security
parent: 3371cdf918a153674eff3e0e446ab77d8f7234a5 (diff)
3 files changed, 97 insertions, 17 deletions
diff --git a/src/core/security/credentials.c b/src/core/security/credentials.c
index 3ad1e7edd7..698e099134 100644
--- a/src/core/security/credentials.c
+++ b/src/core/security/credentials.c
@@ -46,20 +46,6 @@
 #include <grpc/support/sync.h>
 #include <grpc/support/time.h>
 
-/* -- Constants. -- */
-
-#define GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS 60
-
-#define GRPC_COMPUTE_ENGINE_METADATA_HOST "metadata"
-#define GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH \
-  "/computeMetadata/v1/instance/service-accounts/default/token"
-
-#define GRPC_SERVICE_ACCOUNT_HOST "www.googleapis.com"
-#define GRPC_SERVICE_ACCOUNT_TOKEN_PATH "/oauth2/v3/token"
-#define GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX                         \
-  "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&" \
-  "assertion="
-
 /* -- Common. -- */
 
 typedef struct {
@@ -671,8 +657,8 @@ static void service_account_fetch_oauth2(
   }
   gpr_asprintf(&body, "%s%s", GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX, jwt);
   memset(&request, 0, sizeof(grpc_httpcli_request));
-  request.host = GRPC_SERVICE_ACCOUNT_HOST;
-  request.path = GRPC_SERVICE_ACCOUNT_TOKEN_PATH;
+  request.host = GRPC_GOOGLE_OAUTH2_SERVICE_HOST;
+  request.path = GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH;
   request.hdr_count = 1;
   request.hdrs = &header;
   request.use_ssl = 1;
@@ -703,6 +689,67 @@ grpc_credentials *grpc_service_account_credentials_create(
   return &c->base.base;
 }
 
+/* -- RefreshToken credentials. -- */
+
+typedef struct {
+  grpc_oauth2_token_fetcher_credentials base;
+  grpc_auth_refresh_token refresh_token;
+} grpc_refresh_token_credentials;
+
+static void refresh_token_destroy(grpc_credentials *creds) {
+  grpc_refresh_token_credentials *c =
+      (grpc_refresh_token_credentials *)creds;
+  grpc_auth_refresh_token_destruct(&c->refresh_token);
+  oauth2_token_fetcher_destroy(&c->base.base);
+}
+
+static grpc_credentials_vtable refresh_token_vtable = {
+    refresh_token_destroy, oauth2_token_fetcher_has_request_metadata,
+    oauth2_token_fetcher_has_request_metadata_only,
+    oauth2_token_fetcher_get_request_metadata};
+
+static void refresh_token_fetch_oauth2(
+    grpc_credentials_metadata_request *metadata_req,
+    grpc_httpcli_response_cb response_cb, gpr_timespec deadline) {
+  grpc_refresh_token_credentials *c =
+      (grpc_refresh_token_credentials *)metadata_req->creds;
+  grpc_httpcli_header header = {"Content-Type",
+                                "application/x-www-form-urlencoded"};
+  grpc_httpcli_request request;
+  char *body = NULL;
+  gpr_asprintf(&body, GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING,
+               c->refresh_token.client_id, c->refresh_token.client_secret,
+               c->refresh_token.refresh_token);
+  memset(&request, 0, sizeof(grpc_httpcli_request));
+  request.host = GRPC_GOOGLE_OAUTH2_SERVICE_HOST;
+  request.path = GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH;
+  request.hdr_count = 1;
+  request.hdrs = &header;
+  request.use_ssl = 1;
+  grpc_httpcli_post(&request, body, strlen(body), deadline, response_cb,
+                    metadata_req);
+  gpr_free(body);
+}
+
+grpc_credentials *grpc_refresh_token_credentials_create(
+    const char *json_refresh_token) {
+  grpc_refresh_token_credentials *c;
+  grpc_auth_refresh_token refresh_token =
+      grpc_auth_refresh_token_create_from_string(json_refresh_token);
+
+  if (!grpc_auth_refresh_token_is_valid(&refresh_token)) {
+    gpr_log(GPR_ERROR,
+            "Invalid input for refresh token credentials creation");
+    return NULL;
+  }
+  c = gpr_malloc(sizeof(grpc_refresh_token_credentials));
+  memset(c, 0, sizeof(grpc_refresh_token_credentials));
+  init_oauth2_token_fetcher(&c->base, refresh_token_fetch_oauth2);
+  c->base.base.vtable = &refresh_token_vtable;
+  c->refresh_token = refresh_token;
+  return &c->base.base;
+}
+
 /* -- Fake Oauth2 credentials. -- */
 
 typedef struct {
diff --git a/src/core/security/credentials.h b/src/core/security/credentials.h
index 454e66845d..0f70670ced 100644
--- a/src/core/security/credentials.h
+++ b/src/core/security/credentials.h
@@ -64,6 +64,22 @@ typedef enum {
 #define GRPC_GOOGLE_WELL_KNOWN_CREDENTIALS_FILE \
   "application_default_credentials.json"
 
+#define GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS 60
+
+#define GRPC_COMPUTE_ENGINE_METADATA_HOST "metadata"
+#define GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH \
+  "/computeMetadata/v1/instance/service-accounts/default/token"
+
+#define GRPC_GOOGLE_OAUTH2_SERVICE_HOST "www.googleapis.com"
+#define GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH "/oauth2/v3/token"
+
+#define GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX                         \
+  "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&" \
+  "assertion="
+
+#define GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING \
+  "client_id=%s&client_secret=%s&refresh_token=%s&grant_type=refresh_token"
+
 /* --- grpc_credentials. --- */
 
 /* It is the caller's responsibility to gpr_free the result if not NULL. */
diff --git a/src/core/security/google_default_credentials.c b/src/core/security/google_default_credentials.c
index bdc907e7b3..ebea70dad2 100644
--- a/src/core/security/google_default_credentials.c
+++ b/src/core/security/google_default_credentials.c
@@ -138,6 +138,23 @@ static grpc_credentials *create_jwt_creds_from_path(char *creds_path) {
   return result;
 }
 
+/* Takes ownership of creds_path if not NULL. */
+static grpc_credentials *create_refresh_token_creds_from_path(
+    char *creds_path) {
+  grpc_credentials *result = NULL;
+  gpr_slice creds_data;
+  int file_ok = 0;
+  if (creds_path == NULL) return NULL;
+  creds_data = gpr_load_file(creds_path, &file_ok);
+  gpr_free(creds_path);
+  if (file_ok) {
+    result = grpc_refresh_token_credentials_create(
+        (const char *)GPR_SLICE_START_PTR(creds_data));
+    gpr_slice_unref(creds_data);
+  }
+  return result;
+}
+
 grpc_credentials *grpc_google_default_credentials_create(void) {
   grpc_credentials *result = NULL;
   int serving_cached_credentials = 0;
@@ -157,7 +174,7 @@ grpc_credentials *grpc_google_default_credentials_create(void) {
   if (result != NULL) goto end;
 
   /* Then the well-known file. */
-  result = create_jwt_creds_from_path(
+  result = create_refresh_token_creds_from_path(
       grpc_get_well_known_google_credentials_file_path());
   if (result != NULL) goto end;
author	Julien Boeuf <jboeuf@google.com>	2015-03-09 16:56:44 -0700
committer	Julien Boeuf <jboeuf@google.com>	2015-03-09 16:56:44 -0700
commit	9835cf02349840524491bd1684e5b7ea39b63ada (patch)
tree	846efb529c3a7169522150e615f3f38b9ede76aa /src/core/security
parent	3371cdf918a153674eff3e0e446ab77d8f7234a5 (diff)