static void test_ssl_oauth2_iam_composite_creds(void) {
grpc_credentials *ssl_creds =
grpc_ssl_credentials_create(test_root_cert, NULL);
const grpc_credentials_array *creds_array;
grpc_credentials *oauth2_creds =
grpc_fake_oauth2_credentials_create(test_oauth2_bearer_token, 0);
grpc_credentials *aux_creds =
grpc_composite_credentials_create(ssl_creds, oauth2_creds);
grpc_credentials *iam_creds = grpc_iam_credentials_create(
test_iam_authorization_token, test_iam_authority_selector);
grpc_credentials *composite_creds =
grpc_composite_credentials_create(aux_creds, iam_creds);
grpc_credentials_unref(ssl_creds);
grpc_credentials_unref(oauth2_creds);
grpc_credentials_unref(aux_creds);
grpc_credentials_unref(iam_creds);
GPR_ASSERT(strcmp(composite_creds->type, GRPC_CREDENTIALS_TYPE_COMPOSITE) ==
0);
GPR_ASSERT(grpc_credentials_has_request_metadata(composite_creds));
GPR_ASSERT(!grpc_credentials_has_request_metadata_only(composite_creds));
creds_array = grpc_composite_credentials_get_credentials(composite_creds);
GPR_ASSERT(creds_array->num_creds == 3);
GPR_ASSERT(strcmp(creds_array->creds_array[0]->type,
GRPC_CREDENTIALS_TYPE_SSL) == 0);
GPR_ASSERT(strcmp(creds_array->creds_array[1]->type,
GRPC_CREDENTIALS_TYPE_OAUTH2) == 0);
GPR_ASSERT(strcmp(creds_array->creds_array[2]->type,
GRPC_CREDENTIALS_TYPE_IAM) == 0);
grpc_credentials_get_request_metadata(composite_creds, NULL, test_service_url,
check_ssl_oauth2_iam_composite_metadata,
composite_creds);
}
void test_ssl_fake_transport_security_composite_creds_failure(void) {
grpc_credentials *ssl_creds = grpc_ssl_credentials_create(NULL, NULL);
grpc_credentials *fake_transport_security_creds =
grpc_fake_transport_security_credentials_create();
/* 2 connector credentials: should not work. */
GPR_ASSERT(grpc_composite_credentials_create(
ssl_creds, fake_transport_security_creds) == NULL);
grpc_credentials_unref(ssl_creds);
grpc_credentials_unref(fake_transport_security_creds);
}
static void test_jwt_creds_success(void) {
char *json_key_string = test_json_key_str();
grpc_credentials *jwt_creds =
grpc_service_account_jwt_access_credentials_create(
json_key_string, grpc_max_auth_token_lifetime);
GPR_ASSERT(grpc_credentials_has_request_metadata(jwt_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(jwt_creds));
/* First request: jwt_encode_and_sign should be called. */
grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success);
grpc_credentials_get_request_metadata(jwt_creds, NULL, test_service_url,
on_jwt_creds_get_metadata_success,
(void *)test_user_data);
/* Second request: the cached token should be served directly. */
grpc_jwt_encode_and_sign_set_override(
encode_and_sign_jwt_should_not_be_called);
grpc_credentials_get_request_metadata(jwt_creds, NULL, test_service_url,
on_jwt_creds_get_metadata_success,
(void *)test_user_data);
/* Third request: Different service url so jwt_encode_and_sign should be
called again (no caching). */
grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success);
grpc_credentials_get_request_metadata(jwt_creds, NULL, other_test_service_url,
on_jwt_creds_get_metadata_success,
(void *)test_user_data);
gpr_free(json_key_string);
grpc_credentials_unref(jwt_creds);
grpc_jwt_encode_and_sign_set_override(NULL);
}
static void test_service_account_creds_success(void) {
char *json_key_string = test_json_key_str();
grpc_credentials *service_account_creds =
grpc_service_account_credentials_create(json_key_string, test_scope,
grpc_max_auth_token_lifetime);
GPR_ASSERT(grpc_credentials_has_request_metadata(service_account_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(service_account_creds));
/* First request: http get should be called. */
grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success);
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
service_account_httpcli_post_success);
grpc_credentials_get_request_metadata(
service_account_creds, NULL, test_service_url,
on_oauth2_creds_get_metadata_success, (void *)test_user_data);
/* Second request: the cached token should be served directly. */
grpc_jwt_encode_and_sign_set_override(
encode_and_sign_jwt_should_not_be_called);
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
httpcli_post_should_not_be_called);
grpc_credentials_get_request_metadata(
service_account_creds, NULL, test_service_url,
on_oauth2_creds_get_metadata_success, (void *)test_user_data);
gpr_free(json_key_string);
grpc_credentials_unref(service_account_creds);
grpc_jwt_encode_and_sign_set_override(NULL);
grpc_httpcli_set_override(NULL, NULL);
}
static void composite_destruct(grpc_credentials *creds) {
grpc_composite_credentials *c = (grpc_composite_credentials *)creds;
size_t i;
for (i = 0; i < c->inner.num_creds; i++) {
grpc_credentials_unref(c->inner.creds_array[i]);
}
gpr_free(c->inner.creds_array);
}
grpc_credentials *grpc_composite_credentials_create(grpc_credentials *creds1,
grpc_credentials *creds2,
void *reserved) {
size_t i;
size_t creds_array_byte_size;
grpc_credentials_array creds1_array;
grpc_credentials_array creds2_array;
grpc_composite_credentials *c;
GRPC_API_TRACE(
"grpc_composite_credentials_create(creds1=%p, creds2=%p, "
"reserved=%p)",
3, (creds1, creds2, reserved));
GPR_ASSERT(reserved == NULL);
GPR_ASSERT(creds1 != NULL);
GPR_ASSERT(creds2 != NULL);
c = gpr_malloc(sizeof(grpc_composite_credentials));
memset(c, 0, sizeof(grpc_composite_credentials));
c->base.type = GRPC_CREDENTIALS_TYPE_COMPOSITE;
c->base.vtable = &composite_credentials_vtable;
gpr_ref_init(&c->base.refcount, 1);
creds1_array = get_creds_array(&creds1);
creds2_array = get_creds_array(&creds2);
c->inner.num_creds = creds1_array.num_creds + creds2_array.num_creds;
creds_array_byte_size = c->inner.num_creds * sizeof(grpc_credentials *);
c->inner.creds_array = gpr_malloc(creds_array_byte_size);
memset(c->inner.creds_array, 0, creds_array_byte_size);
for (i = 0; i < creds1_array.num_creds; i++) {
grpc_credentials *cur_creds = creds1_array.creds_array[i];
if (!grpc_credentials_has_request_metadata_only(cur_creds)) {
if (c->connector_creds == NULL) {
c->connector_creds = cur_creds;
} else {
gpr_log(GPR_ERROR, "Cannot compose multiple connector credentials.");
goto fail;
}
}
c->inner.creds_array[i] = grpc_credentials_ref(cur_creds);
}
for (i = 0; i < creds2_array.num_creds; i++) {
grpc_credentials *cur_creds = creds2_array.creds_array[i];
if (!grpc_credentials_has_request_metadata_only(cur_creds)) {
if (c->connector_creds == NULL) {
c->connector_creds = cur_creds;
} else {
gpr_log(GPR_ERROR, "Cannot compose multiple connector credentials.");
goto fail;
}
}
c->inner.creds_array[i + creds1_array.num_creds] =
grpc_credentials_ref(cur_creds);
}
return &c->base;
fail:
grpc_credentials_unref(&c->base);
return NULL;
}
/* Destructor for call_data */
static void destroy_call_elem(grpc_call_element *elem) {
call_data *calld = elem->call_data;
grpc_credentials_unref(calld->creds);
if (calld->host != NULL) {
GRPC_MDSTR_UNREF(calld->host);
}
if (calld->method != NULL) {
GRPC_MDSTR_UNREF(calld->method);
}
}
static void check_access_token_metadata(void *user_data,
grpc_credentials_md *md_elems,
size_t num_md,
grpc_credentials_status status) {
grpc_credentials *c = (grpc_credentials *)user_data;
expected_md emd[] = {{GRPC_AUTHORIZATION_METADATA_KEY, "Bearer blah"}};
GPR_ASSERT(status == GRPC_CREDENTIALS_OK);
GPR_ASSERT(num_md == 1);
check_metadata(emd, md_elems, num_md);
grpc_credentials_unref(c);
}
static void check_iam_metadata(void *user_data, grpc_credentials_md *md_elems,
size_t num_md, grpc_credentials_status status) {
grpc_credentials *c = (grpc_credentials *)user_data;
expected_md emd[] = {
{GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY, test_iam_authorization_token},
{GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY, test_iam_authority_selector}
};
GPR_ASSERT(status == GRPC_CREDENTIALS_OK);
GPR_ASSERT(num_md == 2);
check_metadata(emd, md_elems, num_md);
grpc_credentials_unref(c);
}
static void ssl_channel_destroy(grpc_security_context *ctx) {
grpc_ssl_channel_security_context *c =
(grpc_ssl_channel_security_context *)ctx;
grpc_credentials_unref(c->base.request_metadata_creds);
if (c->handshaker_factory != NULL) {
tsi_ssl_handshaker_factory_destroy(c->handshaker_factory);
}
if (c->target_name != NULL) gpr_free(c->target_name);
if (c->overridden_target_name != NULL) gpr_free(c->overridden_target_name);
tsi_peer_destruct(&c->peer);
gpr_free(ctx);
}
/* Destructor for call_data */
static void destroy_call_elem(grpc_exec_ctx *exec_ctx,
grpc_call_element *elem) {
call_data *calld = elem->call_data;
grpc_credentials_unref(calld->creds);
if (calld->host != NULL) {
GRPC_MDSTR_UNREF(calld->host);
}
if (calld->method != NULL) {
GRPC_MDSTR_UNREF(calld->method);
}
reset_service_url(calld);
}
static void check_ssl_oauth2_composite_metadata(
void *user_data, grpc_credentials_md *md_elems, size_t num_md,
grpc_credentials_status status) {
grpc_credentials *c = (grpc_credentials *)user_data;
expected_md emd[] = {
{GRPC_AUTHORIZATION_METADATA_KEY, test_oauth2_bearer_token}
};
GPR_ASSERT(status == GRPC_CREDENTIALS_OK);
GPR_ASSERT(num_md == 1);
check_metadata(emd, md_elems, num_md);
grpc_credentials_unref(c);
}
static void ssl_channel_destroy(grpc_security_connector *sc) {
grpc_ssl_channel_security_connector *c =
(grpc_ssl_channel_security_connector *)sc;
grpc_credentials_unref(c->base.request_metadata_creds);
if (c->handshaker_factory != NULL) {
tsi_ssl_handshaker_factory_destroy(c->handshaker_factory);
}
if (c->target_name != NULL) gpr_free(c->target_name);
if (c->overridden_target_name != NULL) gpr_free(c->overridden_target_name);
tsi_peer_destruct(&c->peer);
GRPC_AUTH_CONTEXT_UNREF(sc->auth_context, "connector");
gpr_free(sc);
}
static void test_refresh_token_creds_failure(void) {
grpc_credentials *refresh_token_creds =
grpc_refresh_token_credentials_create(test_refresh_token_str);
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
refresh_token_httpcli_post_failure);
GPR_ASSERT(grpc_credentials_has_request_metadata(refresh_token_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(refresh_token_creds));
grpc_credentials_get_request_metadata(
refresh_token_creds, NULL, test_service_url,
on_oauth2_creds_get_metadata_failure, (void *)test_user_data);
grpc_credentials_unref(refresh_token_creds);
grpc_httpcli_set_override(NULL, NULL);
}
static void test_compute_engine_creds_failure(void) {
grpc_credentials *compute_engine_creds =
grpc_compute_engine_credentials_create();
grpc_httpcli_set_override(compute_engine_httpcli_get_failure_override,
httpcli_post_should_not_be_called);
GPR_ASSERT(grpc_credentials_has_request_metadata(compute_engine_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(compute_engine_creds));
grpc_credentials_get_request_metadata(
compute_engine_creds, NULL, test_service_url,
on_oauth2_creds_get_metadata_failure, (void *)test_user_data);
grpc_credentials_unref(compute_engine_creds);
grpc_httpcli_set_override(NULL, NULL);
}
static void test_google_default_creds_access_token(void) {
grpc_refresh_token_credentials *refresh;
grpc_credentials *creds;
grpc_flush_cached_google_default_credentials();
set_google_default_creds_env_var_with_file_contents(
"refresh_token_google_default_creds", test_refresh_token_str);
creds = grpc_google_default_credentials_create();
GPR_ASSERT(creds != NULL);
refresh = (grpc_refresh_token_credentials *)composite_inner_creds(
creds, GRPC_CREDENTIALS_TYPE_OAUTH2);
GPR_ASSERT(strcmp(refresh->refresh_token.client_id,
"32555999999.apps.googleusercontent.com") == 0);
grpc_credentials_unref(creds);
gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); /* Reset. */
}
static void test_jwt_creds_signing_failure(void) {
char *json_key_string = test_json_key_str();
grpc_credentials *jwt_creds =
grpc_service_account_jwt_access_credentials_create(
json_key_string, grpc_max_auth_token_lifetime);
GPR_ASSERT(grpc_credentials_has_request_metadata(jwt_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(jwt_creds));
grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_failure);
grpc_credentials_get_request_metadata(jwt_creds, NULL, test_service_url,
on_jwt_creds_get_metadata_failure,
(void *)test_user_data);
gpr_free(json_key_string);
grpc_credentials_unref(jwt_creds);
grpc_jwt_encode_and_sign_set_override(NULL);
}
static void test_service_account_creds_http_failure(void) {
char *json_key_string = test_json_key_str();
grpc_credentials *service_account_creds =
grpc_service_account_credentials_create(json_key_string, test_scope,
grpc_max_auth_token_lifetime);
GPR_ASSERT(grpc_credentials_has_request_metadata(service_account_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(service_account_creds));
grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success);
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
service_account_httpcli_post_failure);
grpc_credentials_get_request_metadata(
service_account_creds, NULL, test_service_url,
on_oauth2_creds_get_metadata_failure, (void *)test_user_data);
gpr_free(json_key_string);
grpc_credentials_unref(service_account_creds);
grpc_httpcli_set_override(NULL, NULL);
}
static void test_google_default_creds_auth_key(void) {
grpc_service_account_jwt_access_credentials *jwt;
grpc_credentials *creds;
char *json_key = test_json_key_str();
grpc_flush_cached_google_default_credentials();
set_google_default_creds_env_var_with_file_contents(
"json_key_google_default_creds", json_key);
gpr_free(json_key);
creds = grpc_google_default_credentials_create();
GPR_ASSERT(creds != NULL);
jwt = (grpc_service_account_jwt_access_credentials *)composite_inner_creds(
creds, GRPC_CREDENTIALS_TYPE_JWT);
GPR_ASSERT(
strcmp(jwt->key.client_id,
"777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent.com") ==
0);
grpc_credentials_unref(creds);
gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); /* Reset. */
}
static void test_refresh_token_creds_success(void) {
grpc_credentials *refresh_token_creds =
grpc_refresh_token_credentials_create(test_refresh_token_str);
GPR_ASSERT(grpc_credentials_has_request_metadata(refresh_token_creds));
GPR_ASSERT(grpc_credentials_has_request_metadata_only(refresh_token_creds));
/* First request: http get should be called. */
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
refresh_token_httpcli_post_success);
grpc_credentials_get_request_metadata(
refresh_token_creds, NULL, test_service_url,
on_oauth2_creds_get_metadata_success, (void *)test_user_data);
/* Second request: the cached token should be served directly. */
grpc_httpcli_set_override(httpcli_get_should_not_be_called,
httpcli_post_should_not_be_called);
grpc_credentials_get_request_metadata(
refresh_token_creds, NULL, test_service_url,
on_oauth2_creds_get_metadata_success, (void *)test_user_data);
grpc_credentials_unref(refresh_token_creds);
grpc_httpcli_set_override(NULL, NULL);
}
grpc_call_error grpc_call_set_credentials(grpc_call *call,
grpc_credentials *creds) {
grpc_client_security_context *ctx = NULL;
if (!grpc_call_is_client(call)) {
gpr_log(GPR_ERROR, "Method is client-side only.");
return GRPC_CALL_ERROR_NOT_ON_SERVER;
}
if (creds != NULL && !grpc_credentials_has_request_metadata_only(creds)) {
gpr_log(GPR_ERROR, "Incompatible credentials to set on a call.");
return GRPC_CALL_ERROR;
}
ctx = (grpc_client_security_context *)grpc_call_context_get(
call, GRPC_CONTEXT_SECURITY);
if (ctx == NULL) {
ctx = grpc_client_security_context_create();
ctx->creds = grpc_credentials_ref(creds);
grpc_call_context_set(call, GRPC_CONTEXT_SECURITY, ctx,
grpc_client_security_context_destroy);
} else {
grpc_credentials_unref(ctx->creds);
ctx->creds = grpc_credentials_ref(creds);
}
return GRPC_CALL_OK;
}
void grpc_client_security_context_destroy(void *ctx) {
grpc_client_security_context *c = (grpc_client_security_context *)ctx;
grpc_credentials_unref(c->creds);
GRPC_AUTH_CONTEXT_UNREF(c->auth_context, "client_security_context");
gpr_free(ctx);
}
static void fake_channel_destroy(grpc_security_connector *sc) {
grpc_channel_security_connector *c = (grpc_channel_security_connector *)sc;
grpc_credentials_unref(c->request_metadata_creds);
GRPC_AUTH_CONTEXT_UNREF(sc->auth_context, "connector");
gpr_free(sc);
}
static void fake_channel_destroy(grpc_security_context *ctx) {
grpc_channel_security_context *c = (grpc_channel_security_context *)ctx;
grpc_credentials_unref(c->request_metadata_creds);
gpr_free(ctx);
}
static void grpc_credentials_metadata_request_destroy(
grpc_credentials_metadata_request *r) {
grpc_credentials_unref(r->creds);
gpr_free(r);
}
void grpc_credentials_release(grpc_credentials *creds) {
GRPC_API_TRACE("grpc_credentials_release(creds=%p)", 1, (creds));
grpc_credentials_unref(creds);
}
static void grpc_credentials_metadata_request_destroy(
grpc_credentials_metadata_request *r) {
grpc_credentials_unref(r->creds);
gpr_free(r->on_simulated_token_fetch_done_closure);
gpr_free(r);
}
void grpc_credentials_release(grpc_credentials *creds) {
grpc_credentials_unref(creds);
}
static void fake_channel_destroy(grpc_security_connector *sc) {
grpc_channel_security_connector *c = (grpc_channel_security_connector *)sc;
grpc_credentials_unref(c->request_metadata_creds);
grpc_auth_context_unref(sc->auth_context);
gpr_free(sc);
}