diff options
-rw-r--r-- | include/grpc/grpc_security.h | 8 | ||||
-rw-r--r-- | src/core/security/auth.c | 32 | ||||
-rw-r--r-- | src/core/security/credentials.c | 158 | ||||
-rw-r--r-- | src/core/security/credentials.h | 3 | ||||
-rw-r--r-- | src/core/security/json_token.c | 34 | ||||
-rw-r--r-- | src/core/security/json_token.h | 13 | ||||
-rw-r--r-- | src/core/security/security_context.c | 4 | ||||
-rw-r--r-- | src/core/security/security_context.h | 6 | ||||
-rw-r--r-- | test/core/security/credentials_test.c | 136 | ||||
-rw-r--r-- | test/core/security/fetch_oauth2.c | 2 | ||||
-rw-r--r-- | test/core/security/json_token_test.c | 77 |
11 files changed, 404 insertions, 69 deletions
diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h index f03ac8004d..472887f7c6 100644 --- a/include/grpc/grpc_security.h +++ b/include/grpc/grpc_security.h @@ -100,6 +100,14 @@ extern const gpr_timespec grpc_max_auth_token_lifetime; grpc_credentials *grpc_service_account_credentials_create( const char *json_key, const char *scope, gpr_timespec token_lifetime); +/* Creates a JWT credentials object. May return NULL if the input is invalid. + - json_key is the JSON key string containing the client's private key. + - token_lifetime is the lifetime of each Json Web Token (JWT) created with + this credentials. It should not exceed grpc_max_auth_token_lifetime or + will be cropped to this value. */ +grpc_credentials *grpc_jwt_credentials_create(const char *json_key, + gpr_timespec token_lifetime); + /* Creates a fake transport security credentials object for testing. */ grpc_credentials *grpc_fake_transport_security_credentials_create(void); diff --git a/src/core/security/auth.c b/src/core/security/auth.c index 58679a87aa..92878e3b7e 100644 --- a/src/core/security/auth.c +++ b/src/core/security/auth.c @@ -48,6 +48,7 @@ typedef struct { grpc_credentials *creds; grpc_mdstr *host; + grpc_mdstr *method; grpc_call_op op; } call_data; @@ -56,6 +57,7 @@ typedef struct { grpc_channel_security_context *security_context; grpc_mdctx *md_ctx; grpc_mdstr *authority_string; + grpc_mdstr *path_string; grpc_mdstr *error_msg_key; } channel_data; @@ -89,6 +91,26 @@ static void on_credentials_metadata(void *user_data, grpc_mdelem **md_elems, grpc_call_next_op(elem, &((call_data *)elem->call_data)->op); } +static char *build_service_url(const char *url_scheme, call_data *calld) { + char *service_url; + char *service = gpr_strdup(grpc_mdstr_as_c_string(calld->method)); + char *last_slash = strrchr(service, '/'); + if (last_slash == NULL) { + gpr_log(GPR_ERROR, "No '/' found in fully qualified method name"); + service[0] = '\0'; + } else if (last_slash == service) { + /* No service part in fully qualified method name: will just be "/". */ + service[1] = '\0'; + } else { + *last_slash = '\0'; + } + if (url_scheme == NULL) url_scheme = ""; + gpr_asprintf(&service_url, "%s://%s%s", url_scheme, + grpc_mdstr_as_c_string(calld->host), service); + gpr_free(service); + return service_url; +} + static void send_security_metadata(grpc_call_element *elem, grpc_call_op *op) { /* grab pointers to our data from the call element */ call_data *calld = elem->call_data; @@ -106,9 +128,12 @@ static void send_security_metadata(grpc_call_element *elem, grpc_call_op *op) { } if (channel_creds != NULL && grpc_credentials_has_request_metadata(channel_creds)) { + char *service_url = + build_service_url(channeld->security_context->base.url_scheme, calld); calld->op = *op; /* Copy op (originates from the caller's stack). */ - grpc_credentials_get_request_metadata(channel_creds, + grpc_credentials_get_request_metadata(channel_creds, service_url, on_credentials_metadata, elem); + gpr_free(service_url); } else { grpc_call_next_op(elem, op); } @@ -146,6 +171,9 @@ static void call_op(grpc_call_element *elem, grpc_call_element *from_elem, if (op->data.metadata->key == channeld->authority_string) { if (calld->host != NULL) grpc_mdstr_unref(calld->host); calld->host = grpc_mdstr_ref(op->data.metadata->value); + } else if (op->data.metadata->key == channeld->path_string) { + if (calld->method != NULL) grpc_mdstr_unref(calld->method); + calld->method = grpc_mdstr_ref(op->data.metadata->value); } grpc_call_next_op(elem, op); break; @@ -194,6 +222,7 @@ static void init_call_elem(grpc_call_element *elem, call_data *calld = elem->call_data; calld->creds = NULL; calld->host = NULL; + calld->method = NULL; } /* Destructor for call_data */ @@ -230,6 +259,7 @@ static void init_channel_elem(grpc_channel_element *elem, channeld->md_ctx = metadata_context; channeld->authority_string = grpc_mdstr_from_string(channeld->md_ctx, ":authority"); + channeld->path_string = grpc_mdstr_from_string(channeld->md_ctx, ":path"); channeld->error_msg_key = grpc_mdstr_from_string(channeld->md_ctx, "grpc-message"); } diff --git a/src/core/security/credentials.c b/src/core/security/credentials.c index a21c27bff9..42d1a900fc 100644 --- a/src/core/security/credentials.c +++ b/src/core/security/credentials.c @@ -33,6 +33,10 @@ #include "src/core/security/credentials.h" +#include <string.h> +#include <stdio.h> + +#include "src/core/json/json.h" #include "src/core/httpcli/httpcli.h" #include "src/core/iomgr/iomgr.h" #include "src/core/security/json_token.h" @@ -42,14 +46,9 @@ #include <grpc/support/sync.h> #include <grpc/support/time.h> -#include "src/core/json/json.h" - -#include <string.h> -#include <stdio.h> - /* -- Constants. -- */ -#define GRPC_OAUTH2_TOKEN_REFRESH_THRESHOLD_SECS 60 +#define GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS 60 #define GRPC_COMPUTE_ENGINE_METADATA_HOST "metadata" #define GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH \ @@ -113,6 +112,7 @@ int grpc_credentials_has_request_metadata_only(grpc_credentials *creds) { } void grpc_credentials_get_request_metadata(grpc_credentials *creds, + const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { if (creds == NULL || !grpc_credentials_has_request_metadata(creds) || @@ -122,7 +122,7 @@ void grpc_credentials_get_request_metadata(grpc_credentials *creds, } return; } - creds->vtable->get_request_metadata(creds, cb, user_data); + creds->vtable->get_request_metadata(creds, service_url, cb, user_data); } void grpc_server_credentials_release(grpc_server_credentials *creds) { @@ -288,6 +288,128 @@ grpc_server_credentials *grpc_ssl_server_credentials_create( return &c->base; } +/* -- Jwt credentials -- */ + +typedef struct { + grpc_credentials base; + grpc_mdctx *md_ctx; + + /* Have a simple cache for now with just 1 entry. We could have a map based on + the service_url for a more sophisticated one. */ + gpr_mu cache_mu; + struct { + grpc_mdelem *jwt_md; + char *service_url; + gpr_timespec jwt_expiration; + } cached; + + grpc_auth_json_key key; + gpr_timespec jwt_lifetime; +} grpc_jwt_credentials; + +static void jwt_reset_cache(grpc_jwt_credentials *c) { + if (c->cached.jwt_md != NULL) { + grpc_mdelem_unref(c->cached.jwt_md); + c->cached.jwt_md = NULL; + } + if (c->cached.service_url != NULL) { + gpr_free(c->cached.service_url); + c->cached.service_url = NULL; + } + c->cached.jwt_expiration = gpr_inf_past; +} + +static void jwt_destroy(grpc_credentials *creds) { + grpc_jwt_credentials *c = (grpc_jwt_credentials *)creds; + grpc_auth_json_key_destruct(&c->key); + jwt_reset_cache(c); + gpr_mu_destroy(&c->cache_mu); + grpc_mdctx_unref(c->md_ctx); + gpr_free(c); +} + +static int jwt_has_request_metadata(const grpc_credentials *creds) { return 1; } + +static int jwt_has_request_metadata_only(const grpc_credentials *creds) { + return 1; +} + + +static void jwt_get_request_metadata(grpc_credentials *creds, + const char *service_url, + grpc_credentials_metadata_cb cb, + void *user_data) { + grpc_jwt_credentials *c = (grpc_jwt_credentials *)creds; + gpr_timespec refresh_threshold = {GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS, + 0}; + + /* See if we can return a cached jwt. */ + grpc_mdelem *jwt_md = NULL; + { + gpr_mu_lock(&c->cache_mu); + if (c->cached.service_url != NULL && + !strcmp(c->cached.service_url, service_url) && + c->cached.jwt_md != NULL && + (gpr_time_cmp(gpr_time_sub(c->cached.jwt_expiration, gpr_now()), + refresh_threshold) > 0)) { + jwt_md = grpc_mdelem_ref(c->cached.jwt_md); + } + gpr_mu_unlock(&c->cache_mu); + } + + if (jwt_md == NULL) { + char *jwt = NULL; + /* Generate a new jwt. */ + gpr_mu_lock(&c->cache_mu); + jwt_reset_cache(c); + jwt = grpc_jwt_encode_and_sign(&c->key, service_url, c->jwt_lifetime, NULL); + if (jwt != NULL) { + char *md_value; + gpr_asprintf(&md_value, "Bearer %s", jwt); + gpr_free(jwt); + c->cached.jwt_expiration = gpr_time_add(gpr_now(), c->jwt_lifetime); + c->cached.service_url = gpr_strdup(service_url); + c->cached.jwt_md = grpc_mdelem_from_strings( + c->md_ctx, GRPC_AUTHORIZATION_METADATA_KEY, md_value); + gpr_free(md_value); + jwt_md = grpc_mdelem_ref(c->cached.jwt_md); + } + gpr_mu_unlock(&c->cache_mu); + } + + if (jwt_md != NULL) { + cb(user_data, &jwt_md, 1, GRPC_CREDENTIALS_OK); + grpc_mdelem_unref(jwt_md); + } else { + cb(user_data, NULL, 0, GRPC_CREDENTIALS_ERROR); + } +} + +static grpc_credentials_vtable jwt_vtable = { + jwt_destroy, jwt_has_request_metadata, jwt_has_request_metadata_only, + jwt_get_request_metadata}; + +grpc_credentials *grpc_jwt_credentials_create(const char *json_key, + gpr_timespec token_lifetime) { + grpc_jwt_credentials *c; + grpc_auth_json_key key = grpc_auth_json_key_create_from_string(json_key); + if (!grpc_auth_json_key_is_valid(&key)) { + gpr_log(GPR_ERROR, "Invalid input for jwt credentials creation"); + return NULL; + } + c = gpr_malloc(sizeof(grpc_jwt_credentials)); + memset(c, 0, sizeof(grpc_jwt_credentials)); + c->base.type = GRPC_CREDENTIALS_TYPE_JWT; + gpr_ref_init(&c->base.refcount, 1); + c->base.vtable = &jwt_vtable; + c->md_ctx = grpc_mdctx_create(); + c->key = key; + c->jwt_lifetime = token_lifetime; + gpr_mu_init(&c->cache_mu); + jwt_reset_cache(c); + return &c->base; +} + /* -- Oauth2TokenFetcher credentials -- */ /* This object is a base for credentials that need to acquire an oauth2 token @@ -439,10 +561,11 @@ static void on_oauth2_token_fetcher_http_response( } static void oauth2_token_fetcher_get_request_metadata( - grpc_credentials *creds, grpc_credentials_metadata_cb cb, void *user_data) { + grpc_credentials *creds, const char *service_url, + grpc_credentials_metadata_cb cb, void *user_data) { grpc_oauth2_token_fetcher_credentials *c = (grpc_oauth2_token_fetcher_credentials *)creds; - gpr_timespec refresh_threshold = {GRPC_OAUTH2_TOKEN_REFRESH_THRESHOLD_SECS, + gpr_timespec refresh_threshold = {GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS, 0}; grpc_mdelem *cached_access_token_md = NULL; { @@ -535,7 +658,8 @@ static void service_account_fetch_oauth2( "application/x-www-form-urlencoded"}; grpc_httpcli_request request; char *body = NULL; - char *jwt = grpc_jwt_encode_and_sign(&c->key, c->scope, c->token_lifetime); + char *jwt = grpc_jwt_encode_and_sign(&c->key, GRPC_JWT_OAUTH2_AUDIENCE, + c->token_lifetime, c->scope); if (jwt == NULL) { grpc_httpcli_response response; memset(&response, 0, sizeof(grpc_httpcli_response)); @@ -616,6 +740,7 @@ void on_simulated_token_fetch_done(void *user_data, int success) { } static void fake_oauth2_get_request_metadata(grpc_credentials *creds, + const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { grpc_fake_oauth2_credentials *c = (grpc_fake_oauth2_credentials *)creds; @@ -709,6 +834,7 @@ typedef struct { size_t creds_index; grpc_mdelem **md_elems; size_t num_md; + char *service_url; void *user_data; grpc_credentials_metadata_cb cb; } grpc_composite_credentials_metadata_context; @@ -754,6 +880,7 @@ static void composite_md_context_destroy( grpc_mdelem_unref(ctx->md_elems[i]); } gpr_free(ctx->md_elems); + if (ctx->service_url != NULL) gpr_free(ctx->service_url); gpr_free(ctx); } @@ -783,8 +910,8 @@ static void composite_metadata_cb(void *user_data, grpc_mdelem **md_elems, grpc_credentials *inner_creds = ctx->composite_creds->inner.creds_array[ctx->creds_index++]; if (grpc_credentials_has_request_metadata(inner_creds)) { - grpc_credentials_get_request_metadata(inner_creds, composite_metadata_cb, - ctx); + grpc_credentials_get_request_metadata(inner_creds, ctx->service_url, + composite_metadata_cb, ctx); return; } } @@ -795,6 +922,7 @@ static void composite_metadata_cb(void *user_data, grpc_mdelem **md_elems, } static void composite_get_request_metadata(grpc_credentials *creds, + const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { grpc_composite_credentials *c = (grpc_composite_credentials *)creds; @@ -805,14 +933,15 @@ static void composite_get_request_metadata(grpc_credentials *creds, } ctx = gpr_malloc(sizeof(grpc_composite_credentials_metadata_context)); memset(ctx, 0, sizeof(grpc_composite_credentials_metadata_context)); + ctx->service_url = gpr_strdup(service_url); ctx->user_data = user_data; ctx->cb = cb; ctx->composite_creds = c; while (ctx->creds_index < c->inner.num_creds) { grpc_credentials *inner_creds = c->inner.creds_array[ctx->creds_index++]; if (grpc_credentials_has_request_metadata(inner_creds)) { - grpc_credentials_get_request_metadata(inner_creds, composite_metadata_cb, - ctx); + grpc_credentials_get_request_metadata(inner_creds, service_url, + composite_metadata_cb, ctx); return; } } @@ -916,6 +1045,7 @@ static int iam_has_request_metadata_only(const grpc_credentials *creds) { } static void iam_get_request_metadata(grpc_credentials *creds, + const char *service_url, grpc_credentials_metadata_cb cb, void *user_data) { grpc_iam_credentials *c = (grpc_iam_credentials *)creds; diff --git a/src/core/security/credentials.h b/src/core/security/credentials.h index 614db96ad7..7b8929492b 100644 --- a/src/core/security/credentials.h +++ b/src/core/security/credentials.h @@ -50,6 +50,7 @@ typedef enum { #define GRPC_CREDENTIALS_TYPE_SSL "Ssl" #define GRPC_CREDENTIALS_TYPE_OAUTH2 "Oauth2" +#define GRPC_CREDENTIALS_TYPE_JWT "Jwt" #define GRPC_CREDENTIALS_TYPE_IAM "Iam" #define GRPC_CREDENTIALS_TYPE_COMPOSITE "Composite" #define GRPC_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY "FakeTransportSecurity" @@ -71,6 +72,7 @@ typedef struct { int (*has_request_metadata)(const grpc_credentials *c); int (*has_request_metadata_only)(const grpc_credentials *c); void (*get_request_metadata)(grpc_credentials *c, + const char *service_url, grpc_credentials_metadata_cb cb, void *user_data); } grpc_credentials_vtable; @@ -86,6 +88,7 @@ void grpc_credentials_unref(grpc_credentials *creds); int grpc_credentials_has_request_metadata(grpc_credentials *creds); int grpc_credentials_has_request_metadata_only(grpc_credentials *creds); void grpc_credentials_get_request_metadata(grpc_credentials *creds, + const char *service_url, grpc_credentials_metadata_cb cb, void *user_data); typedef struct { diff --git a/src/core/security/json_token.c b/src/core/security/json_token.c index 20d62e2b43..26d57036a6 100644 --- a/src/core/security/json_token.c +++ b/src/core/security/json_token.c @@ -55,7 +55,6 @@ const gpr_timespec grpc_max_auth_token_lifetime = {3600, 0}; #define GRPC_AUTH_JSON_KEY_TYPE_INVALID "invalid" #define GRPC_AUTH_JSON_KEY_TYPE_SERVICE_ACCOUNT "service_account" -#define GRPC_JWT_AUDIENCE "https://www.googleapis.com/oauth2/v3/token" #define GRPC_JWT_RSA_SHA256_ALGORITHM "RS256" #define GRPC_JWT_TYPE "JWT" @@ -171,8 +170,8 @@ void grpc_auth_json_key_destruct(grpc_auth_json_key *json_key) { /* --- jwt encoding and signature. --- */ static grpc_json *create_child(grpc_json *brother, grpc_json *parent, - const char *key, const char *value, - grpc_json_type type) { + const char *key, const char *value, + grpc_json_type type) { grpc_json *child = grpc_json_create(type); if (brother) brother->next = child; if (!parent->child) parent->child = child; @@ -182,14 +181,15 @@ static grpc_json *create_child(grpc_json *brother, grpc_json *parent, return child; } -static char *encoded_jwt_header(const char *algorithm) { +static char *encoded_jwt_header(const char *key_id, const char *algorithm) { grpc_json *json = grpc_json_create(GRPC_JSON_OBJECT); grpc_json *child = NULL; char *json_str = NULL; char *result = NULL; child = create_child(NULL, json, "alg", algorithm, GRPC_JSON_STRING); - create_child(child, json, "typ", GRPC_JWT_TYPE, GRPC_JSON_STRING); + child = create_child(child, json, "typ", GRPC_JWT_TYPE, GRPC_JSON_STRING); + create_child(child, json, "kid", key_id, GRPC_JSON_STRING); json_str = grpc_json_dump_to_string(json, 0); result = grpc_base64_encode(json_str, strlen(json_str), 1, 0); @@ -199,7 +199,8 @@ static char *encoded_jwt_header(const char *algorithm) { } static char *encoded_jwt_claim(const grpc_auth_json_key *json_key, - const char *scope, gpr_timespec token_lifetime) { + const char *audience, + gpr_timespec token_lifetime, const char *scope) { grpc_json *json = grpc_json_create(GRPC_JSON_OBJECT); grpc_json *child = NULL; char *json_str = NULL; @@ -217,8 +218,15 @@ static char *encoded_jwt_claim(const grpc_auth_json_key *json_key, child = create_child(NULL, json, "iss", json_key->client_email, GRPC_JSON_STRING); - child = create_child(child, json, "scope", scope, GRPC_JSON_STRING); - child = create_child(child, json, "aud", GRPC_JWT_AUDIENCE, GRPC_JSON_STRING); + if (scope != NULL) { + child = create_child(child, json, "scope", scope, GRPC_JSON_STRING); + } else { + /* Unscoped JWTs need a sub field. */ + child = create_child(child, json, "sub", json_key->client_email, + GRPC_JSON_STRING); + } + + child = create_child(child, json, "aud", audience, GRPC_JSON_STRING); child = create_child(child, json, "iat", now_str, GRPC_JSON_NUMBER); create_child(child, json, "exp", expiration_str, GRPC_JSON_NUMBER); @@ -300,14 +308,16 @@ end: } char *grpc_jwt_encode_and_sign(const grpc_auth_json_key *json_key, - const char *scope, gpr_timespec token_lifetime) { + const char *audience, + gpr_timespec token_lifetime, const char *scope) { if (g_jwt_encode_and_sign_override != NULL) { - return g_jwt_encode_and_sign_override(json_key, scope, token_lifetime); + return g_jwt_encode_and_sign_override(json_key, audience, token_lifetime, + scope); } else { const char *sig_algo = GRPC_JWT_RSA_SHA256_ALGORITHM; char *to_sign = dot_concat_and_free_strings( - encoded_jwt_header(sig_algo), - encoded_jwt_claim(json_key, scope, token_lifetime)); + encoded_jwt_header(json_key->private_key_id, sig_algo), + encoded_jwt_claim(json_key, audience, token_lifetime, scope)); char *sig = compute_and_encode_signature(json_key, sig_algo, to_sign); if (sig == NULL) { gpr_free(to_sign); diff --git a/src/core/security/json_token.h b/src/core/security/json_token.h index 5a9b2dab4b..1ef9682f52 100644 --- a/src/core/security/json_token.h +++ b/src/core/security/json_token.h @@ -37,6 +37,10 @@ #include <grpc/support/slice.h> #include <openssl/rsa.h> +/* --- Constants. --- */ + +#define GRPC_JWT_OAUTH2_AUDIENCE "https://www.googleapis.com/oauth2/v3/token" + /* --- auth_json_key parsing. --- */ typedef struct { @@ -61,14 +65,15 @@ void grpc_auth_json_key_destruct(grpc_auth_json_key *json_key); /* --- json token encoding and signing. --- */ /* Caller is responsible for calling gpr_free on the returned value. May return - NULL on invalid input. */ + NULL on invalid input. The scope parameter may be NULL. */ char *grpc_jwt_encode_and_sign(const grpc_auth_json_key *json_key, - const char *scope, gpr_timespec token_lifetime); + const char *audience, + gpr_timespec token_lifetime, const char *scope); /* Override encode_and_sign function for testing. */ typedef char *(*grpc_jwt_encode_and_sign_override)( - const grpc_auth_json_key *json_key, const char *scope, - gpr_timespec token_lifetime); + const grpc_auth_json_key *json_key, const char *audience, + gpr_timespec token_lifetime, const char *scope); /* Set a custom encode_and_sign override for testing. */ void grpc_jwt_encode_and_sign_set_override( diff --git a/src/core/security/security_context.c b/src/core/security/security_context.c index f9fb2407cf..9078993bc3 100644 --- a/src/core/security/security_context.c +++ b/src/core/security/security_context.c @@ -232,6 +232,7 @@ grpc_channel_security_context *grpc_fake_channel_security_context_create( gpr_malloc(sizeof(grpc_fake_channel_security_context)); gpr_ref_init(&c->base.base.refcount, 1); c->base.base.is_client_side = 1; + c->base.base.url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME; c->base.base.vtable = &fake_channel_vtable; GPR_ASSERT(check_request_metadata_creds(request_metadata_creds)); c->base.request_metadata_creds = grpc_credentials_ref(request_metadata_creds); @@ -244,6 +245,7 @@ grpc_security_context *grpc_fake_server_security_context_create(void) { grpc_security_context *c = gpr_malloc(sizeof(grpc_security_context)); gpr_ref_init(&c->refcount, 1); c->vtable = &fake_server_vtable; + c->url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME; return c; } @@ -451,6 +453,7 @@ grpc_security_status grpc_ssl_channel_security_context_create( gpr_ref_init(&c->base.base.refcount, 1); c->base.base.vtable = &ssl_channel_vtable; c->base.base.is_client_side = 1; + c->base.base.url_scheme = GRPC_SSL_URL_SCHEME; c->base.request_metadata_creds = grpc_credentials_ref(request_metadata_creds); c->base.check_call_host = ssl_channel_check_call_host; if (target_name != NULL) { @@ -518,6 +521,7 @@ grpc_security_status grpc_ssl_server_security_context_create( memset(c, 0, sizeof(grpc_ssl_server_security_context)); gpr_ref_init(&c->base.refcount, 1); + c->base.url_scheme = GRPC_SSL_URL_SCHEME; c->base.vtable = &ssl_server_vtable; result = tsi_create_ssl_server_handshaker_factory( (const unsigned char **)config->pem_private_keys, diff --git a/src/core/security/security_context.h b/src/core/security/security_context.h index e3d9113967..c7555576f9 100644 --- a/src/core/security/security_context.h +++ b/src/core/security/security_context.h @@ -47,6 +47,11 @@ typedef enum { GRPC_SECURITY_ERROR } grpc_security_status; +/* --- URL schemes. --- */ + +#define GRPC_SSL_URL_SCHEME "https" +#define GRPC_FAKE_SECURITY_URL_SCHEME "http+fake_security" + /* --- security_context object. --- A security context object represents away to configure the underlying @@ -72,6 +77,7 @@ struct grpc_security_context { const grpc_security_context_vtable *vtable; gpr_refcount refcount; int is_client_side; + const char *url_scheme; }; /* Increments the refcount. */ diff --git a/test/core/security/credentials_test.c b/test/core/security/credentials_test.c index f911db6de1..91229c95c2 100644 --- a/test/core/security/credentials_test.c +++ b/test/core/security/credentials_test.c @@ -89,12 +89,17 @@ static const char test_user_data[] = "user data"; static const char test_scope[] = "perm1 perm2"; -static const char test_signed_jwt[] = "signed jwt"; +static const char test_signed_jwt[] = + "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImY0OTRkN2M1YWU2MGRmOTcyNmM4YW" + "U0MDcyZTViYTdmZDkwODg2YzcifQ"; static const char expected_service_account_http_body_prefix[] = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&" "assertion="; +static const char test_service_url[] = "https://foo.com/foo.v1"; +static const char other_test_service_url[] = "https://bar.com/bar.v1"; + static char *test_json_key_str(void) { size_t result_len = strlen(test_json_key_str_part1) + strlen(test_json_key_str_part2) + @@ -259,7 +264,8 @@ static void test_iam_creds(void) { test_iam_authorization_token, test_iam_authority_selector); GPR_ASSERT(grpc_credentials_has_request_metadata(creds)); GPR_ASSERT(grpc_credentials_has_request_metadata_only(creds)); - grpc_credentials_get_request_metadata(creds, check_iam_metadata, creds); + grpc_credentials_get_request_metadata(creds, test_service_url, + check_iam_metadata, creds); } static void check_ssl_oauth2_composite_metadata( @@ -293,8 +299,9 @@ static void test_ssl_oauth2_composite_creds(void) { !strcmp(creds_array->creds_array[0]->type, GRPC_CREDENTIALS_TYPE_SSL)); GPR_ASSERT( !strcmp(creds_array->creds_array[1]->type, GRPC_CREDENTIALS_TYPE_OAUTH2)); - grpc_credentials_get_request_metadata( - composite_creds, check_ssl_oauth2_composite_metadata, composite_creds); + grpc_credentials_get_request_metadata(composite_creds, test_service_url, + check_ssl_oauth2_composite_metadata, + composite_creds); } static void check_ssl_oauth2_iam_composite_metadata( @@ -338,7 +345,7 @@ static void test_ssl_oauth2_iam_composite_creds(void) { !strcmp(creds_array->creds_array[1]->type, GRPC_CREDENTIALS_TYPE_OAUTH2)); GPR_ASSERT( !strcmp(creds_array->creds_array[2]->type, GRPC_CREDENTIALS_TYPE_IAM)); - grpc_credentials_get_request_metadata(composite_creds, + grpc_credentials_get_request_metadata(composite_creds, test_service_url, check_ssl_oauth2_iam_composite_metadata, composite_creds); } @@ -420,14 +427,14 @@ static void test_compute_engine_creds_success(void) { /* First request: http get should be called. */ grpc_httpcli_set_override(compute_engine_httpcli_get_success_override, httpcli_post_should_not_be_called); - grpc_credentials_get_request_metadata(compute_engine_creds, + grpc_credentials_get_request_metadata(compute_engine_creds, test_service_url, on_oauth2_creds_get_metadata_success, (void *)test_user_data); /* Second request: the cached token should be served directly. */ grpc_httpcli_set_override(httpcli_get_should_not_be_called, httpcli_post_should_not_be_called); - grpc_credentials_get_request_metadata(compute_engine_creds, + grpc_credentials_get_request_metadata(compute_engine_creds, test_service_url, on_oauth2_creds_get_metadata_success, (void *)test_user_data); @@ -442,7 +449,7 @@ static void test_compute_engine_creds_failure(void) { httpcli_post_should_not_be_called); GPR_ASSERT(grpc_credentials_has_request_metadata(compute_engine_creds)); GPR_ASSERT(grpc_credentials_has_request_metadata_only(compute_engine_creds)); - grpc_credentials_get_request_metadata(compute_engine_creds, + grpc_credentials_get_request_metadata(compute_engine_creds, test_service_url, on_oauth2_creds_get_metadata_failure, (void *)test_user_data); grpc_credentials_unref(compute_engine_creds); @@ -468,27 +475,29 @@ static void validate_jwt_encode_and_sign_params( !strcmp(json_key->client_email, "777-abaslkan11hlb6nmim3bpspl31ud@developer." "gserviceaccount.com")); - GPR_ASSERT(!strcmp(scope, test_scope)); + if (scope != NULL) GPR_ASSERT(!strcmp(scope, test_scope)); GPR_ASSERT(!gpr_time_cmp(token_lifetime, grpc_max_auth_token_lifetime)); } static char *encode_and_sign_jwt_success(const grpc_auth_json_key *json_key, - const char *scope, - gpr_timespec token_lifetime) { + const char *audience, + gpr_timespec token_lifetime, + const char *scope) { validate_jwt_encode_and_sign_params(json_key, scope, token_lifetime); return gpr_strdup(test_signed_jwt); } static char *encode_and_sign_jwt_failure(const grpc_auth_json_key *json_key, - const char *scope, - gpr_timespec token_lifetime) { + const char *audience, + gpr_timespec token_lifetime, + const char *scope) { validate_jwt_encode_and_sign_params(json_key, scope, token_lifetime); return NULL; } static char *encode_and_sign_jwt_should_not_be_called( - const grpc_auth_json_key *json_key, const char *scope, - gpr_timespec token_lifetime) { + const grpc_auth_json_key *json_key, const char *audience, + gpr_timespec token_lifetime, const char *scope) { GPR_ASSERT("grpc_jwt_encode_and_sign should not be called" == NULL); } @@ -533,7 +542,7 @@ static int service_account_httpcli_post_failure( return 1; } -static void test_service_accounts_creds_success(void) { +static void test_service_account_creds_success(void) { char *json_key_string = test_json_key_str(); grpc_credentials *service_account_creds = grpc_service_account_credentials_create(json_key_string, test_scope, @@ -545,7 +554,7 @@ static void test_service_accounts_creds_success(void) { grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success); grpc_httpcli_set_override(httpcli_get_should_not_be_called, service_account_httpcli_post_success); - grpc_credentials_get_request_metadata(service_account_creds, + grpc_credentials_get_request_metadata(service_account_creds, test_service_url, on_oauth2_creds_get_metadata_success, (void *)test_user_data); @@ -554,7 +563,7 @@ static void test_service_accounts_creds_success(void) { encode_and_sign_jwt_should_not_be_called); grpc_httpcli_set_override(httpcli_get_should_not_be_called, httpcli_post_should_not_be_called); - grpc_credentials_get_request_metadata(service_account_creds, + grpc_credentials_get_request_metadata(service_account_creds, test_service_url, on_oauth2_creds_get_metadata_success, (void *)test_user_data); @@ -564,7 +573,7 @@ static void test_service_accounts_creds_success(void) { grpc_httpcli_set_override(NULL, NULL); } -static void test_service_accounts_creds_http_failure(void) { +static void test_service_account_creds_http_failure(void) { char *json_key_string = test_json_key_str(); grpc_credentials *service_account_creds = grpc_service_account_credentials_create(json_key_string, test_scope, @@ -575,7 +584,7 @@ static void test_service_accounts_creds_http_failure(void) { grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success); grpc_httpcli_set_override(httpcli_get_should_not_be_called, service_account_httpcli_post_failure); - grpc_credentials_get_request_metadata(service_account_creds, + grpc_credentials_get_request_metadata(service_account_creds, test_service_url, on_oauth2_creds_get_metadata_failure, (void *)test_user_data); @@ -584,7 +593,7 @@ static void test_service_accounts_creds_http_failure(void) { grpc_httpcli_set_override(NULL, NULL); } -static void test_service_accounts_creds_signing_failure(void) { +static void test_service_account_creds_signing_failure(void) { char *json_key_string = test_json_key_str(); grpc_credentials *service_account_creds = grpc_service_account_credentials_create(json_key_string, test_scope, @@ -595,13 +604,88 @@ static void test_service_accounts_creds_signing_failure(void) { grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_failure); grpc_httpcli_set_override(httpcli_get_should_not_be_called, httpcli_post_should_not_be_called); - grpc_credentials_get_request_metadata(service_account_creds, + grpc_credentials_get_request_metadata(service_account_creds, test_service_url, on_oauth2_creds_get_metadata_failure, (void *)test_user_data); gpr_free(json_key_string); grpc_credentials_unref(service_account_creds); grpc_httpcli_set_override(NULL, NULL); + grpc_jwt_encode_and_sign_set_override(NULL); +} + +static void on_jwt_creds_get_metadata_success( + void *user_data, grpc_mdelem **md_elems, size_t num_md, + grpc_credentials_status status) { + char *expected_md_value; + gpr_asprintf(&expected_md_value, "Bearer %s", test_signed_jwt); + GPR_ASSERT(status == GRPC_CREDENTIALS_OK); + GPR_ASSERT(num_md == 1); + GPR_ASSERT( + !strcmp(grpc_mdstr_as_c_string(md_elems[0]->key), "Authorization")); + GPR_ASSERT( + !strcmp(grpc_mdstr_as_c_string(md_elems[0]->value), expected_md_value)); + GPR_ASSERT(user_data != NULL); + GPR_ASSERT(!strcmp((const char *)user_data, test_user_data)); + gpr_free(expected_md_value); +} + +static void on_jwt_creds_get_metadata_failure( + void *user_data, grpc_mdelem **md_elems, size_t num_md, + grpc_credentials_status status) { + GPR_ASSERT(status == GRPC_CREDENTIALS_ERROR); + GPR_ASSERT(num_md == 0); + GPR_ASSERT(user_data != NULL); + GPR_ASSERT(!strcmp((const char *)user_data, test_user_data)); +} + +static void test_jwt_creds_success(void) { + char *json_key_string = test_json_key_str(); + grpc_credentials *jwt_creds = grpc_jwt_credentials_create( + json_key_string, grpc_max_auth_token_lifetime); + GPR_ASSERT(grpc_credentials_has_request_metadata(jwt_creds)); + GPR_ASSERT(grpc_credentials_has_request_metadata_only(jwt_creds)); + + /* First request: jwt_encode_and_sign should be called. */ + grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success); + grpc_credentials_get_request_metadata(jwt_creds, test_service_url, + on_jwt_creds_get_metadata_success, + (void *)test_user_data); + + /* Second request: the cached token should be served directly. */ + grpc_jwt_encode_and_sign_set_override( + encode_and_sign_jwt_should_not_be_called); + grpc_credentials_get_request_metadata(jwt_creds, test_service_url, + on_jwt_creds_get_metadata_success, + (void *)test_user_data); + + /* Third request: Different service url so jwt_encode_and_sign should be + called again (no caching). */ + grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success); + grpc_credentials_get_request_metadata(jwt_creds, other_test_service_url, + on_jwt_creds_get_metadata_success, + (void *)test_user_data); + + gpr_free(json_key_string); + grpc_credentials_unref(jwt_creds); + grpc_jwt_encode_and_sign_set_override(NULL); +} + +static void test_jwt_creds_signing_failure(void) { + char *json_key_string = test_json_key_str(); + grpc_credentials *jwt_creds = grpc_jwt_credentials_create( + json_key_string, grpc_max_auth_token_lifetime); + GPR_ASSERT(grpc_credentials_has_request_metadata(jwt_creds)); + GPR_ASSERT(grpc_credentials_has_request_metadata_only(jwt_creds)); + + grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_failure); + grpc_credentials_get_request_metadata(jwt_creds, test_service_url, + on_jwt_creds_get_metadata_failure, + (void *)test_user_data); + + gpr_free(json_key_string); + grpc_credentials_unref(jwt_creds); + grpc_jwt_encode_and_sign_set_override(NULL); } int main(int argc, char **argv) { @@ -618,8 +702,10 @@ int main(int argc, char **argv) { test_ssl_oauth2_iam_composite_creds(); test_compute_engine_creds_success(); test_compute_engine_creds_failure(); - test_service_accounts_creds_success(); - test_service_accounts_creds_http_failure(); - test_service_accounts_creds_signing_failure(); + test_service_account_creds_success(); + test_service_account_creds_http_failure(); + test_service_account_creds_signing_failure(); + test_jwt_creds_success(); + test_jwt_creds_signing_failure(); return 0; } diff --git a/test/core/security/fetch_oauth2.c b/test/core/security/fetch_oauth2.c index 6315087448..951281d5b3 100644 --- a/test/core/security/fetch_oauth2.c +++ b/test/core/security/fetch_oauth2.c @@ -162,7 +162,7 @@ int main(int argc, char **argv) { gpr_cv_init(&sync.cv); sync.is_done = 0; - grpc_credentials_get_request_metadata(creds, on_oauth2_response, &sync); + grpc_credentials_get_request_metadata(creds, "", on_oauth2_response, &sync); gpr_mu_lock(&sync.mu); while (!sync.is_done) gpr_cv_wait(&sync.cv, &sync.mu, gpr_inf_future); diff --git a/test/core/security/json_token_test.c b/test/core/security/json_token_test.c index 8615fca5fb..eed0fdf332 100644 --- a/test/core/security/json_token_test.c +++ b/test/core/security/json_token_test.c @@ -76,6 +76,8 @@ static const char test_json_key_str_part3[] = static const char test_scope[] = "myperm1 myperm2"; +static const char test_service_url[] = "https://foo.com/foo.v1"; + static char *test_json_key_str(const char *bad_part3) { const char *part3 = bad_part3 != NULL ? bad_part3 : test_json_key_str_part3; size_t result_len = strlen(test_json_key_str_part1) + @@ -229,12 +231,15 @@ static void check_jwt_header(grpc_json *header) { grpc_json *ptr; grpc_json *alg = NULL; grpc_json *typ = NULL; + grpc_json *kid = NULL; for (ptr = header->child; ptr; ptr = ptr->next) { if (strcmp(ptr->key, "alg") == 0) { alg = ptr; } else if (strcmp(ptr->key, "typ") == 0) { typ = ptr; + } else if (strcmp(ptr->key, "kid") == 0) { + kid = ptr; } } GPR_ASSERT(alg != NULL); @@ -244,9 +249,14 @@ static void check_jwt_header(grpc_json *header) { GPR_ASSERT(typ != NULL); GPR_ASSERT(typ->type == GRPC_JSON_STRING); GPR_ASSERT(!strcmp(typ->value, "JWT")); + + GPR_ASSERT(kid != NULL); + GPR_ASSERT(kid->type == GRPC_JSON_STRING); + GPR_ASSERT(!strcmp(kid->value, "e6b5137873db8d2ef81e06a47289e6434ec8a165")); } -static void check_jwt_claim(grpc_json *claim) { +static void check_jwt_claim(grpc_json *claim, const char *expected_audience, + const char *expected_scope) { gpr_timespec expiration = {0, 0}; gpr_timespec issue_time = {0, 0}; gpr_timespec parsed_lifetime; @@ -255,11 +265,14 @@ static void check_jwt_claim(grpc_json *claim) { grpc_json *aud = NULL; grpc_json *exp = NULL; grpc_json *iat = NULL; + grpc_json *sub = NULL; grpc_json *ptr; for (ptr = claim->child; ptr; ptr = ptr->next) { if (strcmp(ptr->key, "iss") == 0) { iss = ptr; + } else if (strcmp(ptr->key, "sub") == 0) { + sub = ptr; } else if (strcmp(ptr->key, "scope") == 0) { scope = ptr; } else if (strcmp(ptr->key, "aud") == 0) { @@ -278,14 +291,22 @@ static void check_jwt_claim(grpc_json *claim) { iss->value, "777-abaslkan11hlb6nmim3bpspl31ud@developer.gserviceaccount.com")); - GPR_ASSERT(scope != NULL); - GPR_ASSERT(scope->type == GRPC_JSON_STRING); - GPR_ASSERT(!strcmp(scope->value, test_scope)); + if (expected_scope != NULL) { + GPR_ASSERT(scope != NULL); + GPR_ASSERT(sub == NULL); + GPR_ASSERT(scope->type == GRPC_JSON_STRING); + GPR_ASSERT(!strcmp(scope->value, expected_scope)); + } else { + /* Claims without scope must have a sub. */ + GPR_ASSERT(scope == NULL); + GPR_ASSERT(sub != NULL); + GPR_ASSERT(sub->type == GRPC_JSON_STRING); + GPR_ASSERT(!strcmp(iss->value, sub->value)); + } GPR_ASSERT(aud != NULL); GPR_ASSERT(aud->type == GRPC_JSON_STRING); - GPR_ASSERT(!strcmp(aud->value, - "https://www.googleapis.com/oauth2/v3/token")); + GPR_ASSERT(!strcmp(aud->value, expected_audience)); GPR_ASSERT(exp != NULL); GPR_ASSERT(exp->type == GRPC_JSON_NUMBER); @@ -324,7 +345,28 @@ static void check_jwt_signature(const char *b64_signature, RSA *rsa_key, if (md_ctx != NULL) EVP_MD_CTX_destroy(md_ctx); } -static void test_jwt_encode_and_sign(void) { +static char *service_account_creds_jwt_encode_and_sign( + const grpc_auth_json_key *key) { + return grpc_jwt_encode_and_sign(key, GRPC_JWT_OAUTH2_AUDIENCE, + grpc_max_auth_token_lifetime, test_scope); +} + +static char *jwt_creds_jwt_encode_and_sign(const grpc_auth_json_key *key) { + return grpc_jwt_encode_and_sign(key, test_service_url, + grpc_max_auth_token_lifetime, NULL); +} + +static void service_account_creds_check_jwt_claim(grpc_json *claim) { + check_jwt_claim(claim, GRPC_JWT_OAUTH2_AUDIENCE, test_scope); +} + +static void jwt_creds_check_jwt_claim(grpc_json *claim) { + check_jwt_claim(claim, test_service_url, NULL); +} + +static void test_jwt_encode_and_sign( + char *(*jwt_encode_and_sign_func)(const grpc_auth_json_key *), + void (*check_jwt_claim_func)(grpc_json *)) { char *json_string = test_json_key_str(NULL); grpc_json *parsed_header = NULL; grpc_json *parsed_claim = NULL; @@ -333,8 +375,7 @@ static void test_jwt_encode_and_sign(void) { grpc_auth_json_key_create_from_string(json_string); const char *b64_signature; size_t offset = 0; - char *jwt = grpc_jwt_encode_and_sign(&json_key, test_scope, - grpc_max_auth_token_lifetime); + char *jwt = jwt_encode_and_sign_func(&json_key); const char *dot = strchr(jwt, '.'); GPR_ASSERT(dot != NULL); parsed_header = parse_json_part_from_jwt(jwt, dot - jwt, &scratchpad); @@ -346,9 +387,10 @@ static void test_jwt_encode_and_sign(void) { dot = strchr(jwt + offset, '.'); GPR_ASSERT(dot != NULL); - parsed_claim = parse_json_part_from_jwt(jwt + offset, dot - (jwt + offset), &scratchpad); + parsed_claim = + parse_json_part_from_jwt(jwt + offset, dot - (jwt + offset), &scratchpad); GPR_ASSERT(parsed_claim != NULL); - check_jwt_claim(parsed_claim); + check_jwt_claim_func(parsed_claim); offset = dot - jwt + 1; grpc_json_destroy(parsed_claim); gpr_free(scratchpad); @@ -363,6 +405,16 @@ static void test_jwt_encode_and_sign(void) { gpr_free(jwt); } +static void test_service_account_creds_jwt_encode_and_sign(void) { + test_jwt_encode_and_sign(service_account_creds_jwt_encode_and_sign, + service_account_creds_check_jwt_claim); +} + +static void test_jwt_creds_jwt_encode_and_sign(void) { + test_jwt_encode_and_sign(jwt_creds_jwt_encode_and_sign, + jwt_creds_check_jwt_claim); +} + int main(int argc, char **argv) { grpc_test_init(argc, argv); test_parse_json_key_success(); @@ -372,6 +424,7 @@ int main(int argc, char **argv) { test_parse_json_key_failure_no_client_email(); test_parse_json_key_failure_no_private_key_id(); test_parse_json_key_failure_no_private_key(); - test_jwt_encode_and_sign(); + test_service_account_creds_jwt_encode_and_sign(); + test_jwt_creds_jwt_encode_and_sign(); return 0; } |