static void jwt_destroy(grpc_credentials *creds) {
grpc_jwt_credentials *c = (grpc_jwt_credentials *)creds;
grpc_auth_json_key_destruct(&c->key);
jwt_reset_cache(c);
gpr_mu_destroy(&c->cache_mu);
gpr_free(c);
}
static void service_account_destroy(grpc_credentials *creds) {
grpc_service_account_credentials *c =
(grpc_service_account_credentials *)creds;
if (c->scope != NULL) gpr_free(c->scope);
grpc_auth_json_key_destruct(&c->key);
oauth2_token_fetcher_destroy(&c->base.base);
}
static void jwt_destruct(grpc_credentials *creds) {
grpc_service_account_jwt_access_credentials *c =
(grpc_service_account_jwt_access_credentials *)creds;
grpc_auth_json_key_destruct(&c->key);
jwt_reset_cache(c);
gpr_mu_destroy(&c->cache_mu);
}
void create_jwt(const char *json_key_file_path, const char *service_url,
const char *scope) {
grpc_auth_json_key key;
char *jwt;
grpc_slice json_key_data;
GPR_ASSERT(GRPC_LOG_IF_ERROR(
"load_file", grpc_load_file(json_key_file_path, 1, &json_key_data)));
key = grpc_auth_json_key_create_from_string(
(const char *)GRPC_SLICE_START_PTR(json_key_data));
grpc_slice_unref(json_key_data);
if (!grpc_auth_json_key_is_valid(&key)) {
fprintf(stderr, "Could not parse json key.\n");
exit(1);
}
jwt = grpc_jwt_encode_and_sign(
&key, service_url == NULL ? GRPC_JWT_OAUTH2_AUDIENCE : service_url,
grpc_max_auth_token_lifetime(), scope);
grpc_auth_json_key_destruct(&key);
if (jwt == NULL) {
fprintf(stderr, "Could not create JWT.\n");
exit(1);
}
fprintf(stdout, "%s\n", jwt);
gpr_free(jwt);
}
grpc_auth_json_key grpc_auth_json_key_create_from_string(
const char *json_string) {
grpc_auth_json_key result;
char *scratchpad = gpr_strdup(json_string);
grpc_json *json = grpc_json_parse_string(scratchpad);
BIO *bio = NULL;
const char *prop_value;
int success = 0;
memset(&result, 0, sizeof(grpc_auth_json_key));
result.type = GRPC_AUTH_JSON_TYPE_INVALID;
if (json == NULL) {
gpr_log(GPR_ERROR, "Invalid json string %s", json_string);
goto end;
}
prop_value = json_get_string_property(json, "type");
if (prop_value == NULL ||
strcmp(prop_value, GRPC_AUTH_JSON_TYPE_SERVICE_ACCOUNT)) {
goto end;
}
result.type = GRPC_AUTH_JSON_TYPE_SERVICE_ACCOUNT;
if (!set_json_key_string_property(json, "private_key_id",
&result.private_key_id) ||
!set_json_key_string_property(json, "client_id", &result.client_id) ||
!set_json_key_string_property(json, "client_email",
&result.client_email)) {
goto end;
}
prop_value = json_get_string_property(json, "private_key");
if (prop_value == NULL) {
goto end;
}
bio = BIO_new(BIO_s_mem());
success = BIO_puts(bio, prop_value);
if ((success < 0) || ((size_t)success != strlen(prop_value))) {
gpr_log(GPR_ERROR, "Could not write into openssl BIO.");
goto end;
}
result.private_key = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, "");
if (result.private_key == NULL) {
gpr_log(GPR_ERROR, "Could not deserialize private key.");
goto end;
}
success = 1;
end:
if (bio != NULL) BIO_free(bio);
if (json != NULL) grpc_json_destroy(json);
if (!success) grpc_auth_json_key_destruct(&result);
gpr_free(scratchpad);
return result;
}
static void test_parse_json_key_failure_no_private_key(void) {
const char no_private_key_json_string[] =
"{ \"private_key_id\": \"e6b5137873db8d2ef81e06a47289e6434ec8a165\", "
"\"client_email\": "
"\"[email protected]."
"com\", \"client_id\": "
"\"777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent."
"com\", \"type\": \"service_account\" }";
grpc_auth_json_key json_key =
grpc_auth_json_key_create_from_string(no_private_key_json_string);
GPR_ASSERT(!grpc_auth_json_key_is_valid(&json_key));
grpc_auth_json_key_destruct(&json_key);
}
static void test_parse_json_key_failure_no_private_key_id(void) {
const char no_private_key_id_part3[] =
"\"client_email\": "
"\"[email protected]."
"com\", \"client_id\": "
"\"777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent."
"com\", \"type\": \"service_account\" }";
char *json_string = test_json_key_str(no_private_key_id_part3);
grpc_auth_json_key json_key =
grpc_auth_json_key_create_from_string(json_string);
GPR_ASSERT(!grpc_auth_json_key_is_valid(&json_key));
gpr_free(json_string);
grpc_auth_json_key_destruct(&json_key);
}
static void test_jwt_verifier_url_issuer_success(void) {
grpc_jwt_verifier *verifier = grpc_jwt_verifier_create(NULL, 0);
char *jwt = NULL;
char *key_str = json_key_str(json_key_str_part3_for_url_issuer);
grpc_auth_json_key key = grpc_auth_json_key_create_from_string(key_str);
gpr_free(key_str);
GPR_ASSERT(grpc_auth_json_key_is_valid(&key));
grpc_httpcli_set_override(httpcli_get_openid_config,
httpcli_post_should_not_be_called);
jwt =
grpc_jwt_encode_and_sign(&key, expected_audience, expected_lifetime, NULL);
grpc_auth_json_key_destruct(&key);
GPR_ASSERT(jwt != NULL);
grpc_jwt_verifier_verify(verifier, NULL, jwt, expected_audience,
on_verification_success, (void *)expected_user_data);
gpr_free(jwt);
grpc_jwt_verifier_destroy(verifier);
grpc_httpcli_set_override(NULL, NULL);
}
static void test_jwt_encode_and_sign(
char *(*jwt_encode_and_sign_func)(const grpc_auth_json_key *),
void (*check_jwt_claim_func)(grpc_json *)) {
char *json_string = test_json_key_str(NULL);
grpc_json *parsed_header = NULL;
grpc_json *parsed_claim = NULL;
char *scratchpad;
grpc_auth_json_key json_key =
grpc_auth_json_key_create_from_string(json_string);
const char *b64_signature;
size_t offset = 0;
char *jwt = jwt_encode_and_sign_func(&json_key);
const char *dot = strchr(jwt, '.');
GPR_ASSERT(dot != NULL);
parsed_header =
parse_json_part_from_jwt(jwt, (size_t)(dot - jwt), &scratchpad);
GPR_ASSERT(parsed_header != NULL);
check_jwt_header(parsed_header);
offset = (size_t)(dot - jwt) + 1;
grpc_json_destroy(parsed_header);
gpr_free(scratchpad);
dot = strchr(jwt + offset, '.');
GPR_ASSERT(dot != NULL);
parsed_claim = parse_json_part_from_jwt(
jwt + offset, (size_t)(dot - (jwt + offset)), &scratchpad);
GPR_ASSERT(parsed_claim != NULL);
check_jwt_claim_func(parsed_claim);
offset = (size_t)(dot - jwt) + 1;
grpc_json_destroy(parsed_claim);
gpr_free(scratchpad);
dot = strchr(jwt + offset, '.');
GPR_ASSERT(dot == NULL); /* no more part. */
b64_signature = jwt + offset;
check_jwt_signature(b64_signature, json_key.private_key, jwt, offset - 1);
gpr_free(json_string);
grpc_auth_json_key_destruct(&json_key);
gpr_free(jwt);
}
static void test_jwt_verifier_custom_email_issuer_success(void) {
grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT;
grpc_jwt_verifier *verifier = grpc_jwt_verifier_create(&custom_mapping, 1);
char *jwt = NULL;
char *key_str = json_key_str(json_key_str_part3_for_custom_email_issuer);
grpc_auth_json_key key = grpc_auth_json_key_create_from_string(key_str);
gpr_free(key_str);
GPR_ASSERT(grpc_auth_json_key_is_valid(&key));
grpc_httpcli_set_override(httpcli_get_custom_keys_for_email,
httpcli_post_should_not_be_called);
jwt = grpc_jwt_encode_and_sign(&key, expected_audience, expected_lifetime,
NULL);
grpc_auth_json_key_destruct(&key);
GPR_ASSERT(jwt != NULL);
grpc_jwt_verifier_verify(&exec_ctx, verifier, NULL, jwt, expected_audience,
on_verification_success, (void *)expected_user_data);
gpr_free(jwt);
grpc_jwt_verifier_destroy(verifier);
grpc_httpcli_set_override(NULL, NULL);
grpc_exec_ctx_finish(&exec_ctx);
}
static void test_parse_json_key_success(void) {
char *json_string = test_json_key_str(NULL);
grpc_auth_json_key json_key =
grpc_auth_json_key_create_from_string(json_string);
GPR_ASSERT(grpc_auth_json_key_is_valid(&json_key));
GPR_ASSERT(json_key.type != NULL &&
strcmp(json_key.type, "service_account") == 0);
GPR_ASSERT(json_key.private_key_id != NULL &&
strcmp(json_key.private_key_id,
"e6b5137873db8d2ef81e06a47289e6434ec8a165") == 0);
GPR_ASSERT(json_key.client_id != NULL &&
strcmp(json_key.client_id,
"777-abaslkan11hlb6nmim3bpspl31ud.apps."
"googleusercontent.com") == 0);
GPR_ASSERT(json_key.client_email != NULL &&
strcmp(json_key.client_email,
"777-abaslkan11hlb6nmim3bpspl31ud@developer."
"gserviceaccount.com") == 0);
GPR_ASSERT(json_key.private_key != NULL);
gpr_free(json_string);
grpc_auth_json_key_destruct(&json_key);
}
