aboutsummaryrefslogtreecommitdiffhomepage
path: root/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc
diff options
context:
space:
mode:
Diffstat (limited to 'src/core/lib/security/credentials/oauth2/oauth2_credentials.cc')
-rw-r--r--src/core/lib/security/credentials/oauth2/oauth2_credentials.cc279
1 files changed, 130 insertions, 149 deletions
diff --git a/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc b/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc
index 44b093557f..ad63b01e75 100644
--- a/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc
+++ b/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc
@@ -22,6 +22,7 @@
#include <string.h>
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
#include "src/core/lib/security/util/json_util.h"
#include "src/core/lib/surface/api_trace.h"
@@ -105,13 +106,12 @@ void grpc_auth_refresh_token_destruct(grpc_auth_refresh_token* refresh_token) {
// Oauth2 Token Fetcher credentials.
//
-static void oauth2_token_fetcher_destruct(grpc_call_credentials* creds) {
- grpc_oauth2_token_fetcher_credentials* c =
- reinterpret_cast<grpc_oauth2_token_fetcher_credentials*>(creds);
- GRPC_MDELEM_UNREF(c->access_token_md);
- gpr_mu_destroy(&c->mu);
- grpc_pollset_set_destroy(grpc_polling_entity_pollset_set(&c->pollent));
- grpc_httpcli_context_destroy(&c->httpcli_context);
+grpc_oauth2_token_fetcher_credentials::
+ ~grpc_oauth2_token_fetcher_credentials() {
+ GRPC_MDELEM_UNREF(access_token_md_);
+ gpr_mu_destroy(&mu_);
+ grpc_pollset_set_destroy(grpc_polling_entity_pollset_set(&pollent_));
+ grpc_httpcli_context_destroy(&httpcli_context_);
}
grpc_credentials_status
@@ -209,25 +209,29 @@ static void on_oauth2_token_fetcher_http_response(void* user_data,
grpc_credentials_metadata_request* r =
static_cast<grpc_credentials_metadata_request*>(user_data);
grpc_oauth2_token_fetcher_credentials* c =
- reinterpret_cast<grpc_oauth2_token_fetcher_credentials*>(r->creds);
+ reinterpret_cast<grpc_oauth2_token_fetcher_credentials*>(r->creds.get());
+ c->on_http_response(r, error);
+}
+
+void grpc_oauth2_token_fetcher_credentials::on_http_response(
+ grpc_credentials_metadata_request* r, grpc_error* error) {
grpc_mdelem access_token_md = GRPC_MDNULL;
grpc_millis token_lifetime;
grpc_credentials_status status =
grpc_oauth2_token_fetcher_credentials_parse_server_response(
&r->response, &access_token_md, &token_lifetime);
// Update cache and grab list of pending requests.
- gpr_mu_lock(&c->mu);
- c->token_fetch_pending = false;
- c->access_token_md = GRPC_MDELEM_REF(access_token_md);
- c->token_expiration =
+ gpr_mu_lock(&mu_);
+ token_fetch_pending_ = false;
+ access_token_md_ = GRPC_MDELEM_REF(access_token_md);
+ token_expiration_ =
status == GRPC_CREDENTIALS_OK
? gpr_time_add(gpr_now(GPR_CLOCK_MONOTONIC),
gpr_time_from_millis(token_lifetime, GPR_TIMESPAN))
: gpr_inf_past(GPR_CLOCK_MONOTONIC);
- grpc_oauth2_pending_get_request_metadata* pending_request =
- c->pending_requests;
- c->pending_requests = nullptr;
- gpr_mu_unlock(&c->mu);
+ grpc_oauth2_pending_get_request_metadata* pending_request = pending_requests_;
+ pending_requests_ = nullptr;
+ gpr_mu_unlock(&mu_);
// Invoke callbacks for all pending requests.
while (pending_request != nullptr) {
if (status == GRPC_CREDENTIALS_OK) {
@@ -239,42 +243,40 @@ static void on_oauth2_token_fetcher_http_response(void* user_data,
}
GRPC_CLOSURE_SCHED(pending_request->on_request_metadata, error);
grpc_polling_entity_del_from_pollset_set(
- pending_request->pollent, grpc_polling_entity_pollset_set(&c->pollent));
+ pending_request->pollent, grpc_polling_entity_pollset_set(&pollent_));
grpc_oauth2_pending_get_request_metadata* prev = pending_request;
pending_request = pending_request->next;
gpr_free(prev);
}
GRPC_MDELEM_UNREF(access_token_md);
- grpc_call_credentials_unref(r->creds);
+ Unref();
grpc_credentials_metadata_request_destroy(r);
}
-static bool oauth2_token_fetcher_get_request_metadata(
- grpc_call_credentials* creds, grpc_polling_entity* pollent,
- grpc_auth_metadata_context context, grpc_credentials_mdelem_array* md_array,
- grpc_closure* on_request_metadata, grpc_error** error) {
- grpc_oauth2_token_fetcher_credentials* c =
- reinterpret_cast<grpc_oauth2_token_fetcher_credentials*>(creds);
+bool grpc_oauth2_token_fetcher_credentials::get_request_metadata(
+ grpc_polling_entity* pollent, grpc_auth_metadata_context context,
+ grpc_credentials_mdelem_array* md_array, grpc_closure* on_request_metadata,
+ grpc_error** error) {
// Check if we can use the cached token.
grpc_millis refresh_threshold =
GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS * GPR_MS_PER_SEC;
grpc_mdelem cached_access_token_md = GRPC_MDNULL;
- gpr_mu_lock(&c->mu);
- if (!GRPC_MDISNULL(c->access_token_md) &&
+ gpr_mu_lock(&mu_);
+ if (!GRPC_MDISNULL(access_token_md_) &&
gpr_time_cmp(
- gpr_time_sub(c->token_expiration, gpr_now(GPR_CLOCK_MONOTONIC)),
+ gpr_time_sub(token_expiration_, gpr_now(GPR_CLOCK_MONOTONIC)),
gpr_time_from_seconds(GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS,
GPR_TIMESPAN)) > 0) {
- cached_access_token_md = GRPC_MDELEM_REF(c->access_token_md);
+ cached_access_token_md = GRPC_MDELEM_REF(access_token_md_);
}
if (!GRPC_MDISNULL(cached_access_token_md)) {
- gpr_mu_unlock(&c->mu);
+ gpr_mu_unlock(&mu_);
grpc_credentials_mdelem_array_add(md_array, cached_access_token_md);
GRPC_MDELEM_UNREF(cached_access_token_md);
return true;
}
// Couldn't get the token from the cache.
- // Add request to c->pending_requests and start a new fetch if needed.
+ // Add request to pending_requests_ and start a new fetch if needed.
grpc_oauth2_pending_get_request_metadata* pending_request =
static_cast<grpc_oauth2_pending_get_request_metadata*>(
gpr_malloc(sizeof(*pending_request)));
@@ -282,41 +284,37 @@ static bool oauth2_token_fetcher_get_request_metadata(
pending_request->on_request_metadata = on_request_metadata;
pending_request->pollent = pollent;
grpc_polling_entity_add_to_pollset_set(
- pollent, grpc_polling_entity_pollset_set(&c->pollent));
- pending_request->next = c->pending_requests;
- c->pending_requests = pending_request;
+ pollent, grpc_polling_entity_pollset_set(&pollent_));
+ pending_request->next = pending_requests_;
+ pending_requests_ = pending_request;
bool start_fetch = false;
- if (!c->token_fetch_pending) {
- c->token_fetch_pending = true;
+ if (!token_fetch_pending_) {
+ token_fetch_pending_ = true;
start_fetch = true;
}
- gpr_mu_unlock(&c->mu);
+ gpr_mu_unlock(&mu_);
if (start_fetch) {
- grpc_call_credentials_ref(creds);
- c->fetch_func(grpc_credentials_metadata_request_create(creds),
- &c->httpcli_context, &c->pollent,
- on_oauth2_token_fetcher_http_response,
- grpc_core::ExecCtx::Get()->Now() + refresh_threshold);
+ Ref().release();
+ fetch_oauth2(grpc_credentials_metadata_request_create(this->Ref()),
+ &httpcli_context_, &pollent_,
+ on_oauth2_token_fetcher_http_response,
+ grpc_core::ExecCtx::Get()->Now() + refresh_threshold);
}
return false;
}
-static void oauth2_token_fetcher_cancel_get_request_metadata(
- grpc_call_credentials* creds, grpc_credentials_mdelem_array* md_array,
- grpc_error* error) {
- grpc_oauth2_token_fetcher_credentials* c =
- reinterpret_cast<grpc_oauth2_token_fetcher_credentials*>(creds);
- gpr_mu_lock(&c->mu);
+void grpc_oauth2_token_fetcher_credentials::cancel_get_request_metadata(
+ grpc_credentials_mdelem_array* md_array, grpc_error* error) {
+ gpr_mu_lock(&mu_);
grpc_oauth2_pending_get_request_metadata* prev = nullptr;
- grpc_oauth2_pending_get_request_metadata* pending_request =
- c->pending_requests;
+ grpc_oauth2_pending_get_request_metadata* pending_request = pending_requests_;
while (pending_request != nullptr) {
if (pending_request->md_array == md_array) {
// Remove matching pending request from the list.
if (prev != nullptr) {
prev->next = pending_request->next;
} else {
- c->pending_requests = pending_request->next;
+ pending_requests_ = pending_request->next;
}
// Invoke the callback immediately with an error.
GRPC_CLOSURE_SCHED(pending_request->on_request_metadata,
@@ -327,96 +325,89 @@ static void oauth2_token_fetcher_cancel_get_request_metadata(
prev = pending_request;
pending_request = pending_request->next;
}
- gpr_mu_unlock(&c->mu);
+ gpr_mu_unlock(&mu_);
GRPC_ERROR_UNREF(error);
}
-static void init_oauth2_token_fetcher(grpc_oauth2_token_fetcher_credentials* c,
- grpc_fetch_oauth2_func fetch_func) {
- memset(c, 0, sizeof(grpc_oauth2_token_fetcher_credentials));
- c->base.type = GRPC_CALL_CREDENTIALS_TYPE_OAUTH2;
- gpr_ref_init(&c->base.refcount, 1);
- gpr_mu_init(&c->mu);
- c->token_expiration = gpr_inf_past(GPR_CLOCK_MONOTONIC);
- c->fetch_func = fetch_func;
- c->pollent =
- grpc_polling_entity_create_from_pollset_set(grpc_pollset_set_create());
- grpc_httpcli_context_init(&c->httpcli_context);
+grpc_oauth2_token_fetcher_credentials::grpc_oauth2_token_fetcher_credentials()
+ : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_OAUTH2),
+ token_expiration_(gpr_inf_past(GPR_CLOCK_MONOTONIC)),
+ pollent_(grpc_polling_entity_create_from_pollset_set(
+ grpc_pollset_set_create())) {
+ gpr_mu_init(&mu_);
+ grpc_httpcli_context_init(&httpcli_context_);
}
//
// Google Compute Engine credentials.
//
-static grpc_call_credentials_vtable compute_engine_vtable = {
- oauth2_token_fetcher_destruct, oauth2_token_fetcher_get_request_metadata,
- oauth2_token_fetcher_cancel_get_request_metadata};
+namespace {
+
+class grpc_compute_engine_token_fetcher_credentials
+ : public grpc_oauth2_token_fetcher_credentials {
+ public:
+ grpc_compute_engine_token_fetcher_credentials() = default;
+ ~grpc_compute_engine_token_fetcher_credentials() override = default;
+
+ protected:
+ void fetch_oauth2(grpc_credentials_metadata_request* metadata_req,
+ grpc_httpcli_context* http_context,
+ grpc_polling_entity* pollent,
+ grpc_iomgr_cb_func response_cb,
+ grpc_millis deadline) override {
+ grpc_http_header header = {(char*)"Metadata-Flavor", (char*)"Google"};
+ grpc_httpcli_request request;
+ memset(&request, 0, sizeof(grpc_httpcli_request));
+ request.host = (char*)GRPC_COMPUTE_ENGINE_METADATA_HOST;
+ request.http.path = (char*)GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH;
+ request.http.hdr_count = 1;
+ request.http.hdrs = &header;
+ /* TODO(ctiller): Carry the resource_quota in ctx and share it with the host
+ channel. This would allow us to cancel an authentication query when under
+ extreme memory pressure. */
+ grpc_resource_quota* resource_quota =
+ grpc_resource_quota_create("oauth2_credentials");
+ grpc_httpcli_get(http_context, pollent, resource_quota, &request, deadline,
+ GRPC_CLOSURE_CREATE(response_cb, metadata_req,
+ grpc_schedule_on_exec_ctx),
+ &metadata_req->response);
+ grpc_resource_quota_unref_internal(resource_quota);
+ }
+};
-static void compute_engine_fetch_oauth2(
- grpc_credentials_metadata_request* metadata_req,
- grpc_httpcli_context* httpcli_context, grpc_polling_entity* pollent,
- grpc_iomgr_cb_func response_cb, grpc_millis deadline) {
- grpc_http_header header = {(char*)"Metadata-Flavor", (char*)"Google"};
- grpc_httpcli_request request;
- memset(&request, 0, sizeof(grpc_httpcli_request));
- request.host = (char*)GRPC_COMPUTE_ENGINE_METADATA_HOST;
- request.http.path = (char*)GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH;
- request.http.hdr_count = 1;
- request.http.hdrs = &header;
- /* TODO(ctiller): Carry the resource_quota in ctx and share it with the host
- channel. This would allow us to cancel an authentication query when under
- extreme memory pressure. */
- grpc_resource_quota* resource_quota =
- grpc_resource_quota_create("oauth2_credentials");
- grpc_httpcli_get(
- httpcli_context, pollent, resource_quota, &request, deadline,
- GRPC_CLOSURE_CREATE(response_cb, metadata_req, grpc_schedule_on_exec_ctx),
- &metadata_req->response);
- grpc_resource_quota_unref_internal(resource_quota);
-}
+} // namespace
grpc_call_credentials* grpc_google_compute_engine_credentials_create(
void* reserved) {
- grpc_oauth2_token_fetcher_credentials* c =
- static_cast<grpc_oauth2_token_fetcher_credentials*>(
- gpr_malloc(sizeof(grpc_oauth2_token_fetcher_credentials)));
GRPC_API_TRACE("grpc_compute_engine_credentials_create(reserved=%p)", 1,
(reserved));
GPR_ASSERT(reserved == nullptr);
- init_oauth2_token_fetcher(c, compute_engine_fetch_oauth2);
- c->base.vtable = &compute_engine_vtable;
- return &c->base;
+ return grpc_core::MakeRefCounted<
+ grpc_compute_engine_token_fetcher_credentials>()
+ .release();
}
//
// Google Refresh Token credentials.
//
-static void refresh_token_destruct(grpc_call_credentials* creds) {
- grpc_google_refresh_token_credentials* c =
- reinterpret_cast<grpc_google_refresh_token_credentials*>(creds);
- grpc_auth_refresh_token_destruct(&c->refresh_token);
- oauth2_token_fetcher_destruct(&c->base.base);
+grpc_google_refresh_token_credentials::
+ ~grpc_google_refresh_token_credentials() {
+ grpc_auth_refresh_token_destruct(&refresh_token_);
}
-static grpc_call_credentials_vtable refresh_token_vtable = {
- refresh_token_destruct, oauth2_token_fetcher_get_request_metadata,
- oauth2_token_fetcher_cancel_get_request_metadata};
-
-static void refresh_token_fetch_oauth2(
+void grpc_google_refresh_token_credentials::fetch_oauth2(
grpc_credentials_metadata_request* metadata_req,
grpc_httpcli_context* httpcli_context, grpc_polling_entity* pollent,
grpc_iomgr_cb_func response_cb, grpc_millis deadline) {
- grpc_google_refresh_token_credentials* c =
- reinterpret_cast<grpc_google_refresh_token_credentials*>(
- metadata_req->creds);
grpc_http_header header = {(char*)"Content-Type",
(char*)"application/x-www-form-urlencoded"};
grpc_httpcli_request request;
char* body = nullptr;
gpr_asprintf(&body, GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING,
- c->refresh_token.client_id, c->refresh_token.client_secret,
- c->refresh_token.refresh_token);
+ refresh_token_.client_id, refresh_token_.client_secret,
+ refresh_token_.refresh_token);
memset(&request, 0, sizeof(grpc_httpcli_request));
request.host = (char*)GRPC_GOOGLE_OAUTH2_SERVICE_HOST;
request.http.path = (char*)GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH;
@@ -437,20 +428,19 @@ static void refresh_token_fetch_oauth2(
gpr_free(body);
}
-grpc_call_credentials*
+grpc_google_refresh_token_credentials::grpc_google_refresh_token_credentials(
+ grpc_auth_refresh_token refresh_token)
+ : refresh_token_(refresh_token) {}
+
+grpc_core::RefCountedPtr<grpc_call_credentials>
grpc_refresh_token_credentials_create_from_auth_refresh_token(
grpc_auth_refresh_token refresh_token) {
- grpc_google_refresh_token_credentials* c;
if (!grpc_auth_refresh_token_is_valid(&refresh_token)) {
gpr_log(GPR_ERROR, "Invalid input for refresh token credentials creation");
return nullptr;
}
- c = static_cast<grpc_google_refresh_token_credentials*>(
- gpr_zalloc(sizeof(grpc_google_refresh_token_credentials)));
- init_oauth2_token_fetcher(&c->base, refresh_token_fetch_oauth2);
- c->base.base.vtable = &refresh_token_vtable;
- c->refresh_token = refresh_token;
- return &c->base.base;
+ return grpc_core::MakeRefCounted<grpc_google_refresh_token_credentials>(
+ refresh_token);
}
static char* create_loggable_refresh_token(grpc_auth_refresh_token* token) {
@@ -478,59 +468,50 @@ grpc_call_credentials* grpc_google_refresh_token_credentials_create(
gpr_free(loggable_token);
}
GPR_ASSERT(reserved == nullptr);
- return grpc_refresh_token_credentials_create_from_auth_refresh_token(token);
+ return grpc_refresh_token_credentials_create_from_auth_refresh_token(token)
+ .release();
}
//
// Oauth2 Access Token credentials.
//
-static void access_token_destruct(grpc_call_credentials* creds) {
- grpc_access_token_credentials* c =
- reinterpret_cast<grpc_access_token_credentials*>(creds);
- GRPC_MDELEM_UNREF(c->access_token_md);
+grpc_access_token_credentials::~grpc_access_token_credentials() {
+ GRPC_MDELEM_UNREF(access_token_md_);
}
-static bool access_token_get_request_metadata(
- grpc_call_credentials* creds, grpc_polling_entity* pollent,
- grpc_auth_metadata_context context, grpc_credentials_mdelem_array* md_array,
- grpc_closure* on_request_metadata, grpc_error** error) {
- grpc_access_token_credentials* c =
- reinterpret_cast<grpc_access_token_credentials*>(creds);
- grpc_credentials_mdelem_array_add(md_array, c->access_token_md);
+bool grpc_access_token_credentials::get_request_metadata(
+ grpc_polling_entity* pollent, grpc_auth_metadata_context context,
+ grpc_credentials_mdelem_array* md_array, grpc_closure* on_request_metadata,
+ grpc_error** error) {
+ grpc_credentials_mdelem_array_add(md_array, access_token_md_);
return true;
}
-static void access_token_cancel_get_request_metadata(
- grpc_call_credentials* c, grpc_credentials_mdelem_array* md_array,
- grpc_error* error) {
+void grpc_access_token_credentials::cancel_get_request_metadata(
+ grpc_credentials_mdelem_array* md_array, grpc_error* error) {
GRPC_ERROR_UNREF(error);
}
-static grpc_call_credentials_vtable access_token_vtable = {
- access_token_destruct, access_token_get_request_metadata,
- access_token_cancel_get_request_metadata};
+grpc_access_token_credentials::grpc_access_token_credentials(
+ const char* access_token)
+ : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_OAUTH2) {
+ char* token_md_value;
+ gpr_asprintf(&token_md_value, "Bearer %s", access_token);
+ grpc_core::ExecCtx exec_ctx;
+ access_token_md_ = grpc_mdelem_from_slices(
+ grpc_slice_from_static_string(GRPC_AUTHORIZATION_METADATA_KEY),
+ grpc_slice_from_copied_string(token_md_value));
+ gpr_free(token_md_value);
+}
grpc_call_credentials* grpc_access_token_credentials_create(
const char* access_token, void* reserved) {
- grpc_access_token_credentials* c =
- static_cast<grpc_access_token_credentials*>(
- gpr_zalloc(sizeof(grpc_access_token_credentials)));
GRPC_API_TRACE(
"grpc_access_token_credentials_create(access_token=<redacted>, "
"reserved=%p)",
1, (reserved));
GPR_ASSERT(reserved == nullptr);
- c->base.type = GRPC_CALL_CREDENTIALS_TYPE_OAUTH2;
- c->base.vtable = &access_token_vtable;
- gpr_ref_init(&c->base.refcount, 1);
- char* token_md_value;
- gpr_asprintf(&token_md_value, "Bearer %s", access_token);
- grpc_core::ExecCtx exec_ctx;
- c->access_token_md = grpc_mdelem_from_slices(
- grpc_slice_from_static_string(GRPC_AUTHORIZATION_METADATA_KEY),
- grpc_slice_from_copied_string(token_md_value));
-
- gpr_free(token_md_value);
- return &c->base;
+ return grpc_core::MakeRefCounted<grpc_access_token_credentials>(access_token)
+ .release();
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-31 06:13:14 +0000