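/* Exchanges a freshly signed service-account jwt for an OAuth2 token.
 *
 * metadata_req->creds must point at a grpc_service_account_credentials. The
 * jwt is signed with c->key for GRPC_JWT_OAUTH2_AUDIENCE, wrapped in the
 * form-encoded body "<GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX><jwt>" and POSTed
 * over SSL to GRPC_GOOGLE_OAUTH2_SERVICE_HOST/…_TOKEN_PATH; response_cb then
 * receives the HTTP reply together with metadata_req.
 *
 * If the jwt cannot be signed, or the request body cannot be allocated, no
 * request is sent at all: response_cb is invoked directly with a zeroed
 * response carrying status 400 so the caller still observes completion.
 *
 * body and jwt (both contain bearer material) are released before returning;
 * grpc_httpcli_post is presumed to copy what it needs from them — TODO confirm
 * against the httpcli implementation. */
static void service_account_fetch_oauth2(
    grpc_credentials_metadata_request *metadata_req,
    grpc_httpcli_context *httpcli_context, grpc_pollset *pollset,
    grpc_httpcli_response_cb response_cb, gpr_timespec deadline) {
  grpc_service_account_credentials *c =
      (grpc_service_account_credentials *)metadata_req->creds;
  grpc_httpcli_header header = {"Content-Type",
                                "application/x-www-form-urlencoded"};
  grpc_httpcli_request request;
  char *body = NULL;
  char *jwt = grpc_jwt_encode_and_sign(&c->key, GRPC_JWT_OAUTH2_AUDIENCE,
                                       c->token_lifetime, c->scope);

  if (jwt == NULL) {
    gpr_log(GPR_ERROR, "Could not create signed jwt.");
    goto fail;
  }
  /* gpr_asprintf reports failure with a negative return; without this check
   * a NULL body would reach strlen() below. */
  if (gpr_asprintf(&body, "%s%s", GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX, jwt) <
      0) {
    gpr_log(GPR_ERROR, "Could not allocate oauth2 request body.");
    goto fail;
  }

  memset(&request, 0, sizeof request);
  request.host = GRPC_GOOGLE_OAUTH2_SERVICE_HOST;
  request.path = GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH;
  request.hdr_count = 1;
  request.hdrs = &header;
  request.use_ssl = 1;
  grpc_httpcli_post(httpcli_context, pollset, &request, body, strlen(body),
                    deadline, response_cb, metadata_req);
  gpr_free(body);
  gpr_free(jwt);
  return;

fail:
  /* Do not even send the request, just call the response callback with a
   * synthetic "invalid request" status. gpr_free is NULL-safe, so this
   * covers both failure points above. */
  gpr_free(body);
  gpr_free(jwt);
  {
    grpc_httpcli_response response;
    memset(&response, 0, sizeof response);
    response.status = 400; /* Invalid request. */
    response_cb(metadata_req, &response);
  }
}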
/* Command-line helper: reads the service-account json key at
 * json_key_file_path, signs a jwt with it for service_url (the OAuth2
 * audience when service_url is NULL) and the given scope, and prints the
 * token on stdout.
 *
 * A file that cannot be loaded trips a GPR_ASSERT; an unparsable key or a
 * failed signature is reported on stderr and the process exits with 1. The
 * key material is destructed as soon as the token has been produced. */
void create_jwt(const char *json_key_file_path, const char *service_url,
                const char *scope) {
  grpc_slice key_bytes;
  /* Third argument 1 presumably asks for a NUL-terminated buffer, which the
   * cast to const char* below relies on — verify against grpc_load_file. */
  GPR_ASSERT(GRPC_LOG_IF_ERROR(
      "load_file", grpc_load_file(json_key_file_path, 1, &key_bytes)));
  grpc_auth_json_key json_key = grpc_auth_json_key_create_from_string(
      (const char *)GRPC_SLICE_START_PTR(key_bytes));
  grpc_slice_unref(key_bytes);

  if (!grpc_auth_json_key_is_valid(&json_key)) {
    fprintf(stderr, "Could not parse json key.\n");
    exit(1);
  }

  const char *audience =
      service_url != NULL ? service_url : GRPC_JWT_OAUTH2_AUDIENCE;
  char *token = grpc_jwt_encode_and_sign(
      &json_key, audience, grpc_max_auth_token_lifetime(), scope);
  grpc_auth_json_key_destruct(&json_key);

  if (token == NULL) {
    fprintf(stderr, "Could not create JWT.\n");
    exit(1);
  }
  fprintf(stdout, "%s\n", token);
  gpr_free(token);
}
/* Produces the per-call "authorization" metadata for jwt access credentials.
 *
 * A jwt is signed for context.service_url and cached in c->cached (guarded by
 * c->cache_mu). The cached entry is reused only when it was issued for the
 * same service_url, is present, and still has more than
 * GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS left before c->cached.jwt_expiration;
 * otherwise the cache is reset and a new jwt is signed under the lock.
 *
 * On success cb receives the cached entries with GRPC_CREDENTIALS_OK and the
 * store reference taken here is dropped afterwards; if signing fails cb
 * receives GRPC_CREDENTIALS_ERROR with a short error string. pollent is not
 * used by this implementation. */
static void jwt_get_request_metadata(grpc_exec_ctx *exec_ctx,
                                     grpc_call_credentials *creds,
                                     grpc_polling_entity *pollent,
                                     grpc_auth_metadata_context context,
                                     grpc_credentials_metadata_cb cb,
                                     void *user_data) {
  grpc_service_account_jwt_access_credentials *c =
      (grpc_service_account_jwt_access_credentials *)creds;
  const gpr_timespec refresh_threshold = gpr_time_from_seconds(
      GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS, GPR_TIMESPAN);
  grpc_credentials_md_store *md = NULL;
  (void)pollent;

  /* Fast path: hand out the cached jwt when it matches and is still fresh. */
  gpr_mu_lock(&c->cache_mu);
  if (c->cached.service_url != NULL && c->cached.jwt_md != NULL &&
      strcmp(c->cached.service_url, context.service_url) == 0) {
    gpr_timespec remaining = gpr_time_sub(c->cached.jwt_expiration,
                                          gpr_now(GPR_CLOCK_REALTIME));
    if (gpr_time_cmp(remaining, refresh_threshold) > 0) {
      md = grpc_credentials_md_store_ref(c->cached.jwt_md);
    }
  }
  gpr_mu_unlock(&c->cache_mu);

  /* Slow path: sign a new jwt and replace the cache contents. */
  if (md == NULL) {
    gpr_mu_lock(&c->cache_mu);
    jwt_reset_cache(exec_ctx, c);
    char *token = grpc_jwt_encode_and_sign(&c->key, context.service_url,
                                           c->jwt_lifetime, NULL);
    if (token != NULL) {
      char *header_value = NULL;
      gpr_asprintf(&header_value, "Bearer %s", token);
      gpr_free(token);
      c->cached.jwt_expiration =
          gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), c->jwt_lifetime);
      c->cached.service_url = gpr_strdup(context.service_url);
      c->cached.jwt_md = grpc_credentials_md_store_create(1);
      grpc_credentials_md_store_add_cstrings(
          c->cached.jwt_md, GRPC_AUTHORIZATION_METADATA_KEY, header_value);
      gpr_free(header_value);
      md = grpc_credentials_md_store_ref(c->cached.jwt_md);
    }
    gpr_mu_unlock(&c->cache_mu);
  }

  if (md == NULL) {
    cb(exec_ctx, user_data, NULL, 0, GRPC_CREDENTIALS_ERROR,
       "Could not generate JWT.");
    return;
  }
  cb(exec_ctx, user_data, md->entries, md->num_entries, GRPC_CREDENTIALS_OK,
     NULL);
  grpc_credentials_md_store_unref(exec_ctx, md);
}
/* Produces the per-call "authorization" metadata for jwt credentials.
 *
 * A jwt is signed for service_url and cached in c->cached (guarded by
 * c->cache_mu). The cached entry is reused only when it was issued for the
 * same service_url, is present, and still has more than
 * GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS left before c->cached.jwt_expiration;
 * otherwise the cache is reset and a new jwt is signed under the lock.
 *
 * On success cb receives the cached entries with GRPC_CREDENTIALS_OK and the
 * store reference taken here is dropped afterwards; if signing fails cb
 * receives GRPC_CREDENTIALS_ERROR. pollset is not used by this
 * implementation. */
static void jwt_get_request_metadata(grpc_credentials *creds,
                                     grpc_pollset *pollset,
                                     const char *service_url,
                                     grpc_credentials_metadata_cb cb,
                                     void *user_data) {
  grpc_jwt_credentials *c = (grpc_jwt_credentials *)creds;
  const gpr_timespec refresh_threshold = {
      GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS, 0};
  grpc_credentials_md_store *md = NULL;
  (void)pollset;

  /* Fast path: hand out the cached jwt when it matches and is still fresh. */
  gpr_mu_lock(&c->cache_mu);
  if (c->cached.service_url != NULL && c->cached.jwt_md != NULL &&
      strcmp(c->cached.service_url, service_url) == 0) {
    gpr_timespec remaining = gpr_time_sub(c->cached.jwt_expiration,
                                          gpr_now(GPR_CLOCK_REALTIME));
    if (gpr_time_cmp(remaining, refresh_threshold) > 0) {
      md = grpc_credentials_md_store_ref(c->cached.jwt_md);
    }
  }
  gpr_mu_unlock(&c->cache_mu);

  /* Slow path: sign a new jwt and replace the cache contents. */
  if (md == NULL) {
    gpr_mu_lock(&c->cache_mu);
    jwt_reset_cache(c);
    char *token = grpc_jwt_encode_and_sign(&c->key, service_url,
                                           c->jwt_lifetime, NULL);
    if (token != NULL) {
      char *header_value = NULL;
      gpr_asprintf(&header_value, "Bearer %s", token);
      gpr_free(token);
      c->cached.jwt_expiration =
          gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), c->jwt_lifetime);
      c->cached.service_url = gpr_strdup(service_url);
      c->cached.jwt_md = grpc_credentials_md_store_create(1);
      grpc_credentials_md_store_add_cstrings(
          c->cached.jwt_md, GRPC_AUTHORIZATION_METADATA_KEY, header_value);
      gpr_free(header_value);
      md = grpc_credentials_md_store_ref(c->cached.jwt_md);
    }
    gpr_mu_unlock(&c->cache_mu);
  }

  if (md == NULL) {
    cb(user_data, NULL, 0, GRPC_CREDENTIALS_ERROR);
    return;
  }
  cb(user_data, md->entries, md->num_entries, GRPC_CREDENTIALS_OK);
  grpc_credentials_md_store_unref(md);
}
/* Verifier test: a jwt signed with the "url issuer" test key must verify
 * successfully when the verifier fetches the issuer's openid configuration
 * over the (overridden) http client. on_verification_success is expected to
 * observe expected_user_data; any POST during verification is a failure
 * (httpcli_post_should_not_be_called). The http override is cleared before
 * returning so later tests start from a clean state. */
static void test_jwt_verifier_url_issuer_success(void) {
  char *key_json = json_key_str(json_key_str_part3_for_url_issuer);
  grpc_auth_json_key signing_key =
      grpc_auth_json_key_create_from_string(key_json);
  gpr_free(key_json);
  GPR_ASSERT(grpc_auth_json_key_is_valid(&signing_key));

  grpc_httpcli_set_override(httpcli_get_openid_config,
                            httpcli_post_should_not_be_called);

  char *token = grpc_jwt_encode_and_sign(&signing_key, expected_audience,
                                         expected_lifetime, NULL);
  grpc_auth_json_key_destruct(&signing_key);
  GPR_ASSERT(token != NULL);

  grpc_jwt_verifier *verifier = grpc_jwt_verifier_create(NULL, 0);
  grpc_jwt_verifier_verify(verifier, NULL, token, expected_audience,
                           on_verification_success,
                           (void *)expected_user_data);

  gpr_free(token);
  grpc_jwt_verifier_destroy(verifier);
  grpc_httpcli_set_override(NULL, NULL);
}
/* Verifier test: a jwt signed with the "custom email issuer" test key must
 * verify successfully when the verifier is created with custom_mapping and
 * resolves the issuer's keys through httpcli_get_custom_keys_for_email.
 * on_verification_success is expected to observe expected_user_data; any
 * POST during verification is a failure. The http override is cleared and
 * the exec_ctx flushed before returning. */
static void test_jwt_verifier_custom_email_issuer_success(void) {
  grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT;

  char *key_json = json_key_str(json_key_str_part3_for_custom_email_issuer);
  grpc_auth_json_key signing_key =
      grpc_auth_json_key_create_from_string(key_json);
  gpr_free(key_json);
  GPR_ASSERT(grpc_auth_json_key_is_valid(&signing_key));

  grpc_httpcli_set_override(httpcli_get_custom_keys_for_email,
                            httpcli_post_should_not_be_called);

  char *token = grpc_jwt_encode_and_sign(&signing_key, expected_audience,
                                         expected_lifetime, NULL);
  grpc_auth_json_key_destruct(&signing_key);
  GPR_ASSERT(token != NULL);

  grpc_jwt_verifier *verifier = grpc_jwt_verifier_create(&custom_mapping, 1);
  grpc_jwt_verifier_verify(&exec_ctx, verifier, NULL, token,
                           expected_audience, on_verification_success,
                           (void *)expected_user_data);

  gpr_free(token);
  grpc_jwt_verifier_destroy(verifier);
  grpc_httpcli_set_override(NULL, NULL);
  grpc_exec_ctx_finish(&exec_ctx);
}
/* Test helper: signs a jwt with key for test_service_url using the maximum
 * token lifetime and no scope. Returns the token (caller frees with gpr_free)
 * or NULL when grpc_jwt_encode_and_sign fails. */
static char *jwt_creds_jwt_encode_and_sign(const grpc_auth_json_key *key) {
  const char *audience = test_service_url;
  char *token = grpc_jwt_encode_and_sign(key, audience,
                                         grpc_max_auth_token_lifetime, NULL);
  return token;
}
/* Test helper: signs a jwt with key for the OAuth2 audience using the maximum
 * token lifetime and test_scope. Returns the token (caller frees with
 * gpr_free) or NULL when grpc_jwt_encode_and_sign fails. */
static char *service_account_creds_jwt_encode_and_sign(
    const grpc_auth_json_key *key) {
  const char *audience = GRPC_JWT_OAUTH2_AUDIENCE;
  char *token = grpc_jwt_encode_and_sign(
      key, audience, grpc_max_auth_token_lifetime, test_scope);
  return token;
}