From 9835cf02349840524491bd1684e5b7ea39b63ada Mon Sep 17 00:00:00 2001 From: Julien Boeuf Date: Mon, 9 Mar 2015 16:56:44 -0700 Subject: Adding refresh token credentials. - The google default credentials now work with the cloud SDK. - Verified end to end with print_default_credentials and fetch_oauth2 tools. --- include/grpc/grpc_security.h | 9 +++ src/core/security/credentials.c | 79 +++++++++++++++---- src/core/security/credentials.h | 16 ++++ src/core/security/google_default_credentials.c | 19 ++++- test/core/security/credentials_test.c | 102 +++++++++++++++++++++++-- test/core/security/fetch_oauth2.c | 77 +++++++++++-------- 6 files changed, 247 insertions(+), 55 deletions(-) diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h index ab2cc08489..f94183457b 100644 --- a/include/grpc/grpc_security.h +++ b/include/grpc/grpc_security.h @@ -117,6 +117,15 @@ grpc_credentials *grpc_service_account_credentials_create( grpc_credentials *grpc_jwt_credentials_create(const char *json_key, gpr_timespec token_lifetime); +/* Creates an Oauth2 Refresh Token crednetials object. May return NULL if the + input is invalid. + WARNING: Do NOT use this credentials to connect to a non-google service as + this could result in an oauth2 token leak. + - json_refresh_token is the JSON string containing the refresh token itself + along with a client_id and client_secret. */ +grpc_credentials *grpc_refresh_token_credentials_create( + const char *json_refresh_token); + /* Creates a fake transport security credentials object for testing. */ grpc_credentials *grpc_fake_transport_security_credentials_create(void); diff --git a/src/core/security/credentials.c b/src/core/security/credentials.c index 3ad1e7edd7..698e099134 100644 --- a/src/core/security/credentials.c +++ b/src/core/security/credentials.c @@ -46,20 +46,6 @@ #include #include -/* -- Constants. -- */ - -#define GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS 60 - -#define GRPC_COMPUTE_ENGINE_METADATA_HOST "metadata" -#define GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH \ - "/computeMetadata/v1/instance/service-accounts/default/token" - -#define GRPC_SERVICE_ACCOUNT_HOST "www.googleapis.com" -#define GRPC_SERVICE_ACCOUNT_TOKEN_PATH "/oauth2/v3/token" -#define GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX \ - "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&" \ - "assertion=" - /* -- Common. -- */ typedef struct { @@ -671,8 +657,8 @@ static void service_account_fetch_oauth2( } gpr_asprintf(&body, "%s%s", GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX, jwt); memset(&request, 0, sizeof(grpc_httpcli_request)); - request.host = GRPC_SERVICE_ACCOUNT_HOST; - request.path = GRPC_SERVICE_ACCOUNT_TOKEN_PATH; + request.host = GRPC_GOOGLE_OAUTH2_SERVICE_HOST; + request.path = GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH; request.hdr_count = 1; request.hdrs = &header; request.use_ssl = 1; @@ -703,6 +689,67 @@ grpc_credentials *grpc_service_account_credentials_create( return &c->base.base; } +/* -- RefreshToken credentials. -- */ + +typedef struct { + grpc_oauth2_token_fetcher_credentials base; + grpc_auth_refresh_token refresh_token; +} grpc_refresh_token_credentials; + +static void refresh_token_destroy(grpc_credentials *creds) { + grpc_refresh_token_credentials *c = + (grpc_refresh_token_credentials *)creds; + grpc_auth_refresh_token_destruct(&c->refresh_token); + oauth2_token_fetcher_destroy(&c->base.base); +} + +static grpc_credentials_vtable refresh_token_vtable = { + refresh_token_destroy, oauth2_token_fetcher_has_request_metadata, + oauth2_token_fetcher_has_request_metadata_only, + oauth2_token_fetcher_get_request_metadata}; + +static void refresh_token_fetch_oauth2( + grpc_credentials_metadata_request *metadata_req, + grpc_httpcli_response_cb response_cb, gpr_timespec deadline) { + grpc_refresh_token_credentials *c = + (grpc_refresh_token_credentials *)metadata_req->creds; + grpc_httpcli_header header = {"Content-Type", + "application/x-www-form-urlencoded"}; + grpc_httpcli_request request; + char *body = NULL; + gpr_asprintf(&body, GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING, + c->refresh_token.client_id, c->refresh_token.client_secret, + c->refresh_token.refresh_token); + memset(&request, 0, sizeof(grpc_httpcli_request)); + request.host = GRPC_GOOGLE_OAUTH2_SERVICE_HOST; + request.path = GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH; + request.hdr_count = 1; + request.hdrs = &header; + request.use_ssl = 1; + grpc_httpcli_post(&request, body, strlen(body), deadline, response_cb, + metadata_req); + gpr_free(body); +} + +grpc_credentials *grpc_refresh_token_credentials_create( + const char *json_refresh_token) { + grpc_refresh_token_credentials *c; + grpc_auth_refresh_token refresh_token = + grpc_auth_refresh_token_create_from_string(json_refresh_token); + + if (!grpc_auth_refresh_token_is_valid(&refresh_token)) { + gpr_log(GPR_ERROR, + "Invalid input for refresh token credentials creation"); + return NULL; + } + c = gpr_malloc(sizeof(grpc_refresh_token_credentials)); + memset(c, 0, sizeof(grpc_refresh_token_credentials)); + init_oauth2_token_fetcher(&c->base, refresh_token_fetch_oauth2); + c->base.base.vtable = &refresh_token_vtable; + c->refresh_token = refresh_token; + return &c->base.base; +} + /* -- Fake Oauth2 credentials. -- */ typedef struct { diff --git a/src/core/security/credentials.h b/src/core/security/credentials.h index 454e66845d..0f70670ced 100644 --- a/src/core/security/credentials.h +++ b/src/core/security/credentials.h @@ -64,6 +64,22 @@ typedef enum { #define GRPC_GOOGLE_WELL_KNOWN_CREDENTIALS_FILE \ "application_default_credentials.json" +#define GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS 60 + +#define GRPC_COMPUTE_ENGINE_METADATA_HOST "metadata" +#define GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH \ + "/computeMetadata/v1/instance/service-accounts/default/token" + +#define GRPC_GOOGLE_OAUTH2_SERVICE_HOST "www.googleapis.com" +#define GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH "/oauth2/v3/token" + +#define GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX \ + "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&" \ + "assertion=" + +#define GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING \ + "client_id=%s&client_secret=%s&refresh_token=%s&grant_type=refresh_token" + /* --- grpc_credentials. --- */ /* It is the caller's responsibility to gpr_free the result if not NULL. */ diff --git a/src/core/security/google_default_credentials.c b/src/core/security/google_default_credentials.c index bdc907e7b3..ebea70dad2 100644 --- a/src/core/security/google_default_credentials.c +++ b/src/core/security/google_default_credentials.c @@ -138,6 +138,23 @@ static grpc_credentials *create_jwt_creds_from_path(char *creds_path) { return result; } +/* Takes ownership of creds_path if not NULL. */ +static grpc_credentials *create_refresh_token_creds_from_path( + char *creds_path) { + grpc_credentials *result = NULL; + gpr_slice creds_data; + int file_ok = 0; + if (creds_path == NULL) return NULL; + creds_data = gpr_load_file(creds_path, &file_ok); + gpr_free(creds_path); + if (file_ok) { + result = grpc_refresh_token_credentials_create( + (const char *)GPR_SLICE_START_PTR(creds_data)); + gpr_slice_unref(creds_data); + } + return result; +} + grpc_credentials *grpc_google_default_credentials_create(void) { grpc_credentials *result = NULL; int serving_cached_credentials = 0; @@ -157,7 +174,7 @@ grpc_credentials *grpc_google_default_credentials_create(void) { if (result != NULL) goto end; /* Then the well-known file. */ - result = create_jwt_creds_from_path( + result = create_refresh_token_creds_from_path( grpc_get_well_known_google_credentials_file_path()); if (result != NULL) goto end; diff --git a/test/core/security/credentials_test.c b/test/core/security/credentials_test.c index 078462410a..d1d1ec1562 100644 --- a/test/core/security/credentials_test.c +++ b/test/core/security/credentials_test.c @@ -84,6 +84,13 @@ static const char test_json_key_str_part3[] = "\"777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent." "com\", \"type\": \"service_account\" }"; +/* Test refresh token. */ +static const char test_refresh_token_str[] = + "{ \"client_id\": \"32555999999.apps.googleusercontent.com\"," + " \"client_secret\": \"EmssLNjJy1332hD4KFsecret\"," + " \"refresh_token\": \"1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42\"," + " \"type\": \"authorized_user\"}"; + static const char valid_oauth2_json_response[] = "{\"access_token\":\"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_\"," " \"expires_in\":3599, " @@ -97,10 +104,6 @@ static const char test_signed_jwt[] = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImY0OTRkN2M1YWU2MGRmOTcyNmM4YW" "U0MDcyZTViYTdmZDkwODg2YzcifQ"; -static const char expected_service_account_http_body_prefix[] = - "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&" - "assertion="; - static const char test_service_url[] = "https://foo.com/foo.v1"; static const char other_test_service_url[] = "https://bar.com/bar.v1"; @@ -463,6 +466,87 @@ static void test_compute_engine_creds_failure(void) { grpc_httpcli_set_override(NULL, NULL); } +static void validate_refresh_token_http_request( + const grpc_httpcli_request *request, const char *body, size_t body_size) { + /* The content of the assertion is tested extensively in json_token_test. */ + char *expected_body = NULL; + GPR_ASSERT(body != NULL); + GPR_ASSERT(body_size != 0); + gpr_asprintf(&expected_body, GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING, + "32555999999.apps.googleusercontent.com", + "EmssLNjJy1332hD4KFsecret", + "1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42"); + GPR_ASSERT(strlen(expected_body) == body_size); + GPR_ASSERT(memcmp(expected_body, body, body_size) == 0); + gpr_free(expected_body); + GPR_ASSERT(request->use_ssl); + GPR_ASSERT(strcmp(request->host, GRPC_GOOGLE_OAUTH2_SERVICE_HOST) == 0); + GPR_ASSERT(strcmp(request->path, GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH) == 0); + GPR_ASSERT(request->hdr_count == 1); + GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0); + GPR_ASSERT(strcmp(request->hdrs[0].value, + "application/x-www-form-urlencoded") == 0); +} + +static int refresh_token_httpcli_post_success( + const grpc_httpcli_request *request, const char *body, size_t body_size, + gpr_timespec deadline, grpc_httpcli_response_cb on_response, + void *user_data) { + grpc_httpcli_response response = + http_response(200, valid_oauth2_json_response); + validate_refresh_token_http_request(request, body, body_size); + on_response(user_data, &response); + return 1; +} + +static int refresh_token_httpcli_post_failure( + const grpc_httpcli_request *request, const char *body, size_t body_size, + gpr_timespec deadline, grpc_httpcli_response_cb on_response, + void *user_data) { + grpc_httpcli_response response = http_response(403, "Not Authorized."); + validate_refresh_token_http_request(request, body, body_size); + on_response(user_data, &response); + return 1; +} + +static void test_refresh_token_creds_success(void) { + grpc_credentials *refresh_token_creds = + grpc_refresh_token_credentials_create(test_refresh_token_str); + GPR_ASSERT(grpc_credentials_has_request_metadata(refresh_token_creds)); + GPR_ASSERT(grpc_credentials_has_request_metadata_only(refresh_token_creds)); + + /* First request: http get should be called. */ + grpc_httpcli_set_override(httpcli_get_should_not_be_called, + refresh_token_httpcli_post_success); + grpc_credentials_get_request_metadata(refresh_token_creds, test_service_url, + on_oauth2_creds_get_metadata_success, + (void *)test_user_data); + + /* Second request: the cached token should be served directly. */ + grpc_httpcli_set_override(httpcli_get_should_not_be_called, + httpcli_post_should_not_be_called); + grpc_credentials_get_request_metadata(refresh_token_creds, test_service_url, + on_oauth2_creds_get_metadata_success, + (void *)test_user_data); + + grpc_credentials_unref(refresh_token_creds); + grpc_httpcli_set_override(NULL, NULL); +} + +static void test_refresh_token_creds_failure(void) { + grpc_credentials *refresh_token_creds = + grpc_refresh_token_credentials_create(test_refresh_token_str); + grpc_httpcli_set_override(httpcli_get_should_not_be_called, + refresh_token_httpcli_post_failure); + GPR_ASSERT(grpc_credentials_has_request_metadata(refresh_token_creds)); + GPR_ASSERT(grpc_credentials_has_request_metadata_only(refresh_token_creds)); + grpc_credentials_get_request_metadata(refresh_token_creds, test_service_url, + on_oauth2_creds_get_metadata_failure, + (void *)test_user_data); + grpc_credentials_unref(refresh_token_creds); + grpc_httpcli_set_override(NULL, NULL); +} + static void validate_jwt_encode_and_sign_params( const grpc_auth_json_key *json_key, const char *scope, gpr_timespec token_lifetime) { @@ -515,13 +599,13 @@ static void validate_service_account_http_request( GPR_ASSERT(body != NULL); GPR_ASSERT(body_size != 0); gpr_asprintf(&expected_body, "%s%s", - expected_service_account_http_body_prefix, test_signed_jwt); + GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX, test_signed_jwt); GPR_ASSERT(strlen(expected_body) == body_size); - GPR_ASSERT(!memcmp(expected_body, body, body_size)); + GPR_ASSERT(memcmp(expected_body, body, body_size) == 0); gpr_free(expected_body); GPR_ASSERT(request->use_ssl); - GPR_ASSERT(strcmp(request->host, "www.googleapis.com") == 0); - GPR_ASSERT(strcmp(request->path, "/oauth2/v3/token") == 0); + GPR_ASSERT(strcmp(request->host, GRPC_GOOGLE_OAUTH2_SERVICE_HOST) == 0); + GPR_ASSERT(strcmp(request->path, GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH) == 0); GPR_ASSERT(request->hdr_count == 1); GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0); GPR_ASSERT(strcmp(request->hdrs[0].value, @@ -711,6 +795,8 @@ int main(int argc, char **argv) { test_ssl_oauth2_iam_composite_creds(); test_compute_engine_creds_success(); test_compute_engine_creds_failure(); + test_refresh_token_creds_success(); + test_refresh_token_creds_failure(); test_service_account_creds_success(); test_service_account_creds_http_failure(); test_service_account_creds_signing_failure(); diff --git a/test/core/security/fetch_oauth2.c b/test/core/security/fetch_oauth2.c index 748a5982fd..cc847c82f7 100644 --- a/test/core/security/fetch_oauth2.c +++ b/test/core/security/fetch_oauth2.c @@ -34,7 +34,6 @@ #include #include -#include "src/core/security/credentials.h" #include #include #include @@ -43,6 +42,9 @@ #include #include +#include "src/core/security/credentials.h" +#include "src/core/support/file.h" + typedef struct { gpr_cv cv; gpr_mu mu; @@ -74,50 +76,50 @@ static void on_oauth2_response(void *user_data, grpc_mdelem **md_elems, static grpc_credentials *create_service_account_creds( const char *json_key_file_path, const char *scope) { - char json_key[8192]; /* Should be plenty. */ - char *current = json_key; - FILE *json_key_file = fopen(json_key_file_path, "r"); - if (json_key_file == NULL) { - gpr_log(GPR_ERROR, "Invalid path for json key file: %s.", - json_key_file_path); + int success; + gpr_slice json_key = gpr_load_file(json_key_file_path, &success); + if (!success) { + gpr_log(GPR_ERROR, "Could not read file %s.", json_key_file_path); exit(1); } + return grpc_service_account_credentials_create( + (const char *)GPR_SLICE_START_PTR(json_key), scope, + grpc_max_auth_token_lifetime); +} - do { - size_t bytes_read = fread( - current, 1, sizeof(json_key) - (current - json_key), json_key_file); - if (bytes_read == 0) { - if (!feof(json_key_file)) { - gpr_log(GPR_ERROR, "Error occured while reading %s.", - json_key_file_path); - exit(1); - } - break; - } - current += bytes_read; - } while (sizeof(json_key) > (size_t)(current - json_key)); - - if ((current - json_key) == sizeof(json_key)) { - gpr_log(GPR_ERROR, "Json key file %s exceeds size limit (%d bytes).", - json_key_file_path, (int)sizeof(json_key)); +static grpc_credentials *create_refresh_token_creds( + const char *json_refresh_token_file_path) { + int success; + gpr_slice refresh_token = + gpr_load_file(json_refresh_token_file_path, &success); + if (!success) { + gpr_log(GPR_ERROR, "Could not read file %s.", json_refresh_token_file_path); exit(1); } - fclose(json_key_file); - - return grpc_service_account_credentials_create(json_key, scope, - grpc_max_auth_token_lifetime); + return grpc_refresh_token_credentials_create( + (const char *)GPR_SLICE_START_PTR(refresh_token)); } int main(int argc, char **argv) { synchronizer sync; grpc_credentials *creds = NULL; char *json_key_file_path = NULL; + char *json_refresh_token_file_path = NULL; int use_gce = 0; char *scope = NULL; gpr_cmdline *cl = gpr_cmdline_create("fetch_oauth2"); - gpr_cmdline_add_string(cl, "json_key", "File path of the json key.", + gpr_cmdline_add_string(cl, "json_key", + "File path of the json key. Mutually exclusive with " + "--json_refresh_token.", &json_key_file_path); - gpr_cmdline_add_string(cl, "scope", "Space delimited permissions.", &scope); + gpr_cmdline_add_string(cl, "json_refresh_token", + "File path of the json refresh token. Mutually " + "exclusive with --json_key.", + &json_refresh_token_file_path); + gpr_cmdline_add_string(cl, "scope", + "Space delimited permissions. Only used for " + "--json_key, ignored otherwise.", + &scope); gpr_cmdline_add_flag( cl, "gce", "Get a token from the GCE metadata server (only works in GCE).", @@ -126,6 +128,12 @@ int main(int argc, char **argv) { grpc_init(); + if (json_key_file_path != NULL && json_refresh_token_file_path != NULL) { + gpr_log(GPR_ERROR, + "--json_key and --json_refresh_token are mutually exclusive."); + exit(1); + } + if (use_gce) { if (json_key_file_path != NULL || scope != NULL) { gpr_log(GPR_INFO, @@ -137,6 +145,15 @@ int main(int argc, char **argv) { gpr_log(GPR_ERROR, "Could not create gce credentials."); exit(1); } + } else if (json_refresh_token_file_path != NULL) { + creds = create_refresh_token_creds(json_refresh_token_file_path); + if (creds == NULL) { + gpr_log(GPR_ERROR, + "Could not create refresh token creds. %s does probably not " + "contain a valid json refresh token.", + json_refresh_token_file_path); + exit(1); + } } else { if (json_key_file_path == NULL) { gpr_log(GPR_ERROR, "Missing --json_key option."); -- cgit v1.2.3