core/security/credentials_test.cc
Go to the documentation of this file.
1 /*
2  *
3  * Copyright 2015 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #include <grpc/support/port_platform.h>
20 
21 #include "src/core/lib/security/credentials/credentials.h"
22 
23 #include <stdlib.h>
24 #include <string.h>
25 
26 #include <string>
27 
28 #include <gmock/gmock.h>
29 #include <openssl/rsa.h>
30 
31 #include "absl/strings/match.h"
32 #include "absl/strings/str_cat.h"
33 #include "absl/strings/str_format.h"
34 #include "absl/strings/str_replace.h"
35 
36 #include <grpc/grpc_security.h>
37 #include <grpc/slice.h>
38 #include <grpc/support/alloc.h>
39 #include <grpc/support/log.h>
40 #include <grpc/support/string_util.h>
41 #include <grpc/support/time.h>
42 
43 #include "src/core/lib/gpr/env.h"
44 #include "src/core/lib/gpr/string.h"
45 #include "src/core/lib/gpr/tmpfile.h"
46 #include "src/core/lib/gprpp/host_port.h"
47 #include "src/core/lib/gprpp/time.h"
48 #include "src/core/lib/gprpp/unique_type_name.h"
49 #include "src/core/lib/http/httpcli.h"
50 #include "src/core/lib/http/httpcli_ssl_credentials.h"
51 #include "src/core/lib/iomgr/error.h"
52 #include "src/core/lib/promise/exec_ctx_wakeup_scheduler.h"
53 #include "src/core/lib/promise/promise.h"
54 #include "src/core/lib/promise/seq.h"
55 #include "src/core/lib/security/context/security_context.h"
56 #include "src/core/lib/security/credentials/composite/composite_credentials.h"
57 #include "src/core/lib/security/credentials/external/aws_external_account_credentials.h"
58 #include "src/core/lib/security/credentials/external/external_account_credentials.h"
59 #include "src/core/lib/security/credentials/external/file_external_account_credentials.h"
60 #include "src/core/lib/security/credentials/external/url_external_account_credentials.h"
61 #include "src/core/lib/security/credentials/fake/fake_credentials.h"
62 #include "src/core/lib/security/credentials/google_default/google_default_credentials.h"
63 #include "src/core/lib/security/credentials/iam/iam_credentials.h"
64 #include "src/core/lib/security/credentials/jwt/jwt_credentials.h"
65 #include "src/core/lib/security/credentials/oauth2/oauth2_credentials.h"
66 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
67 #include "src/core/lib/security/credentials/xds/xds_credentials.h"
68 #include "src/core/lib/security/transport/auth_filters.h"
69 #include "src/core/lib/transport/error_utils.h"
70 #include "src/core/lib/uri/uri_parser.h"
71 #include "test/core/util/test_config.h"
72 
73 namespace grpc_core {
74 
75 using internal::grpc_flush_cached_google_default_credentials;
76 using internal::set_gce_tenancy_checker_for_testing;
77 
78 namespace {
79 
80 auto* g_memory_allocator = new MemoryAllocator(
81  ResourceQuota::Default()->memory_quota()->CreateMemoryAllocator("test"));
82 
83 /* -- Constants. -- */
84 
85 const char test_google_iam_authorization_token[] = "blahblahblhahb";
86 const char test_google_iam_authority_selector[] = "respectmyauthoritah";
87 const char test_oauth2_bearer_token[] = "Bearer blaaslkdjfaslkdfasdsfasf";
88 
89 /* This JSON key was generated with the GCE console and revoked immediately.
90  The identifiers have been changed as well.
91  Maximum size for a string literal is 509 chars in C89, yay! */
92 const char test_json_key_str_part1[] =
93  "{ \"private_key\": \"-----BEGIN PRIVATE KEY-----"
94  "\\nMIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAOEvJsnoHnyHkXcp\\n7mJE"
95  "qg"
96  "WGjiw71NfXByguekSKho65FxaGbsnSM9SMQAqVk7Q2rG+I0OpsT0LrWQtZ\\nyjSeg/"
97  "rWBQvS4hle4LfijkP3J5BG+"
98  "IXDMP8RfziNRQsenAXDNPkY4kJCvKux2xdD\\nOnVF6N7dL3nTYZg+"
99  "uQrNsMTz9UxVAgMBAAECgYEAzbLewe1xe9vy+2GoSsfib+28\\nDZgSE6Bu/"
100  "zuFoPrRc6qL9p2SsnV7txrunTyJkkOnPLND9ABAXybRTlcVKP/sGgza\\n/"
101  "8HpCqFYM9V8f34SBWfD4fRFT+n/"
102  "73cfRUtGXdXpseva2lh8RilIQfPhNZAncenU\\ngqXjDvpkypEusgXAykECQQD+";
103 const char test_json_key_str_part2[] =
104  "53XxNVnxBHsYb+AYEfklR96yVi8HywjVHP34+OQZ\\nCslxoHQM8s+"
105  "dBnjfScLu22JqkPv04xyxmt0QAKm9+vTdAkEA4ib7YvEAn2jXzcCI\\nEkoy2L/"
106  "XydR1GCHoacdfdAwiL2npOdnbvi4ZmdYRPY1LSTO058tQHKVXV7NLeCa3\\nAARh2QJBAMKeDA"
107  "G"
108  "W303SQv2cZTdbeaLKJbB5drz3eo3j7dDKjrTD9JupixFbzcGw\\n8FZi5c8idxiwC36kbAL6Hz"
109  "A"
110  "ZoX+ofI0CQE6KCzPJTtYNqyShgKAZdJ8hwOcvCZtf\\n6z8RJm0+"
111  "6YBd38lfh5j8mZd7aHFf6I17j5AQY7oPEc47TjJj/"
112  "5nZ68ECQQDvYuI3\\nLyK5fS8g0SYbmPOL9TlcHDOqwG0mrX9qpg5DC2fniXNSrrZ64GTDKdzZ"
113  "Y"
114  "Ap6LI9W\\nIqv4vr6y38N79TTC\\n-----END PRIVATE KEY-----\\n\", ";
115 const char test_json_key_str_part3[] =
116  "\"private_key_id\": \"e6b5137873db8d2ef81e06a47289e6434ec8a165\", "
117  "\"client_email\": "
118  "\"777-abaslkan11hlb6nmim3bpspl31ud@developer.gserviceaccount."
119  "com\", \"client_id\": "
120  "\"777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent."
121  "com\", \"type\": \"service_account\" }";
122 
123 /* Test refresh token. */
124 const char test_refresh_token_str[] =
125  "{ \"client_id\": \"32555999999.apps.googleusercontent.com\","
126  " \"client_secret\": \"EmssLNjJy1332hD4KFsecret\","
127  " \"refresh_token\": \"1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42\","
128  " \"type\": \"authorized_user\"}";
129 
130 /* Test external account credentials. */
131 const char test_external_account_credentials_str[] =
132  "{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
133  "token_type\":\"subject_token_type\",\"service_account_impersonation_"
134  "url\":\"https://iamcredentials.googleapis.com:5555/"
135  "service_account_impersonation_url\",\"token_url\":\"https://"
136  "sts.googleapis.com:5555/"
137  "token\",\"token_info_url\":\"https://sts.googleapis.com:5555/"
138  "token_info\",\"credential_source\":{\"file\":"
139  "\"credentials_file_path\"},"
140  "\"quota_project_id\":\"quota_"
141  "project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
142  "secret\"}";
143 
144 const char test_external_account_credentials_multi_pattern_sts_str[] =
145  "{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
146  "token_type\":\"subject_token_type\",\"service_account_impersonation_"
147  "url\":\"https://sts.test.googleapis.com:5555/"
148  "service_account_impersonation_url\",\"token_url\":\"https://"
149  "test.sts.googleapis.com:5555/token\",\"token_info_url\":\"https://"
150  "test-sts.googleapis.com:5555/"
151  "token_info\",\"credential_source\":{\"file\":\"credentials_file_path\"},"
152  "\"quota_project_id\":\"quota_"
153  "project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
154  "secret\"}";
155 
156 const char test_external_account_credentials_multi_pattern_iam_str[] =
157  "{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
158  "token_type\":\"subject_token_type\",\"service_account_impersonation_"
159  "url\":\"https://iamcredentials.test.googleapis.com:5555/"
160  "service_account_impersonation_url\",\"token_url\":\"https://"
161  "test.iamcredentials.googleapis.com:5555/"
162  "token\",\"token_info_url\":\"https://"
163  "test-iamcredentials.googleapis.com:5555/"
164  "token_info\",\"credential_source\":{\"file\":\"credentials_file_path\"},"
165  "\"quota_project_id\":\"quota_"
166  "project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
167  "secret\"}";
168 
169 const char valid_oauth2_json_response[] =
170  "{\"access_token\":\"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_\","
171  " \"expires_in\":3599, "
172  " \"token_type\":\"Bearer\"}";
173 
174 const char valid_sts_json_response[] =
175  "{\"access_token\":\"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_\","
176  " \"expires_in\":3599, "
177  " \"issued_token_type\":\"urn:ietf:params:oauth:token-type:access_token\", "
178  " \"token_type\":\"Bearer\"}";
179 
180 const char test_scope[] = "perm1 perm2";
181 
182 const char test_signed_jwt[] =
183  "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImY0OTRkN2M1YWU2MGRmOTcyNmM4YW"
184  "U0MDcyZTViYTdmZDkwODg2YzcifQ";
185 const char test_signed_jwt_token_type[] =
186  "urn:ietf:params:oauth:token-type:id_token";
187 const char test_signed_jwt2[] =
188  "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImY0OTRkN2M1YWU2MGRmOTcyNmM5YW"
189  "U2MDcyZTViYTdnZDkwODg5YzcifQ";
190 const char test_signed_jwt_token_type2[] =
191  "urn:ietf:params:oauth:token-type:jwt";
192 const char test_signed_jwt_path_prefix[] = "test_sign_jwt";
193 
194 const char test_service_url[] = "https://foo.com/foo.v1";
195 const char test_service_url_no_service_name[] = "https://foo.com/";
196 const char other_test_service_url_no_service_name[] = "https://bar.com/";
197 const char test_method[] = "ThisIsNotAMethod";
198 
199 const char kTestUrlScheme[] = "https";
200 const char kTestAuthority[] = "foo.com";
201 const char kTestPath[] = "/foo.v1/ThisIsNotAMethod";
202 const char kTestOtherAuthority[] = "bar.com";
203 const char kTestOtherPath[] = "/bar.v1/ThisIsNotAMethod";
204 
205 const char test_sts_endpoint_url[] = "https://foo.com:5555/v1/token-exchange";
206 
207 const char valid_external_account_creds_token_exchange_response[] =
208  "{\"access_token\":\"token_exchange_access_token\","
209  " \"expires_in\":3599,"
210  " \"token_type\":\"Bearer\"}";
211 
212 const char
213  valid_external_account_creds_service_account_impersonation_response[] =
214  "{\"accessToken\":\"service_account_impersonation_access_token\","
215  " \"expireTime\":\"2050-01-01T00:00:00Z\"}";
216 
217 const char
218  valid_url_external_account_creds_options_credential_source_format_text[] =
219  "{\"url\":\"https://foo.com:5555/generate_subject_token_format_text\","
220  "\"headers\":{\"Metadata-Flavor\":\"Google\"}}";
221 
222 const char
223  valid_url_external_account_creds_options_credential_source_with_qurey_params_format_text
224  [] = "{\"url\":\"https://foo.com:5555/"
225  "path/to/url/creds?p1=v1&p2=v2\","
226  "\"headers\":{\"Metadata-Flavor\":\"Google\"}}";
227 
228 const char
229  valid_url_external_account_creds_retrieve_subject_token_response_format_text
230  [] = "test_subject_token";
231 
232 const char
233  valid_url_external_account_creds_options_credential_source_format_json[] =
234  "{\"url\":\"https://foo.com:5555/generate_subject_token_format_json\","
235  "\"headers\":{\"Metadata-Flavor\":\"Google\"},"
236  "\"format\":{\"type\":\"json\",\"subject_token_field_name\":\"access_"
237  "token\"}}";
238 
239 const char
240  valid_url_external_account_creds_retrieve_subject_token_response_format_json
241  [] = "{\"access_token\":\"test_subject_token\"}";
242 
243 const char invalid_url_external_account_creds_options_credential_source[] =
244  "{\"url\":\"invalid_credential_source_url\","
245  "\"headers\":{\"Metadata-Flavor\":\"Google\"}}";
246 
247 const char valid_aws_external_account_creds_retrieve_signing_keys_response[] =
248  "{\"AccessKeyId\":\"test_access_key_id\",\"SecretAccessKey\":"
249  "\"test_secret_access_key\",\"Token\":\"test_token\"}";
250 
251 const char aws_imdsv2_session_token[] = "imdsv2_session_token";
252 
253 const char valid_aws_external_account_creds_options_credential_source[] =
254  "{\"environment_id\":\"aws1\","
255  "\"region_url\":\"https://foo.com:5555/region_url\","
256  "\"url\":\"https://foo.com:5555/url\","
257  "\"regional_cred_verification_url\":\"https://foo.com:5555/"
258  "regional_cred_verification_url_{region}\"}";
259 
260 const char valid_aws_imdsv2_external_account_creds_options_credential_source[] =
261  "{\"environment_id\":\"aws1\","
262  "\"region_url\":\"https://foo.com:5555/region_url\","
263  "\"url\":\"https://foo.com:5555/url\","
264  "\"imdsv2_session_token_url\":\"https://foo.com:5555/"
265  "imdsv2_session_token_url\","
266  "\"regional_cred_verification_url\":\"https://foo.com:5555/"
267  "regional_cred_verification_url_{region}\"}";
268 
269 const char
270  invalid_aws_external_account_creds_options_credential_source_unmatched_environment_id
271  [] = "{\"environment_id\":\"unsupported_aws_version\","
272  "\"region_url\":\"https://foo.com:5555/region_url\","
273  "\"url\":\"https://foo.com:5555/url\","
274  "\"regional_cred_verification_url\":\"https://foo.com:5555/"
275  "regional_cred_verification_url_{region}\"}";
276 
277 const char
278  invalid_aws_external_account_creds_options_credential_source_invalid_region_url
279  [] = "{\"environment_id\":\"aws1\","
280  "\"region_url\":\"invalid_region_url\","
281  "\"url\":\"https://foo.com:5555/url\","
282  "\"regional_cred_verification_url\":\"https://foo.com:5555/"
283  "regional_cred_verification_url_{region}\"}";
284 
285 const char
286  invalid_aws_external_account_creds_options_credential_source_invalid_url[] =
287  "{\"environment_id\":\"aws1\","
288  "\"region_url\":\"https://foo.com:5555/region_url\","
289  "\"url\":\"invalid_url\","
290  "\"regional_cred_verification_url\":\"https://foo.com:5555/"
291  "regional_cred_verification_url_{region}\"}";
292 
293 const char
294  invalid_aws_external_account_creds_options_credential_source_missing_role_name
295  [] = "{\"environment_id\":\"aws1\","
296  "\"region_url\":\"https://foo.com:5555/region_url\","
297  "\"url\":\"https://foo.com:5555/url_no_role_name\","
298  "\"regional_cred_verification_url\":\"https://foo.com:5555/"
299  "regional_cred_verification_url_{region}\"}";
300 
301 const char
302  invalid_aws_external_account_creds_options_credential_source_invalid_regional_cred_verification_url
303  [] = "{\"environment_id\":\"aws1\","
304  "\"region_url\":\"https://foo.com:5555/region_url\","
305  "\"url\":\"https://foo.com:5555/url_no_role_name\","
306  "\"regional_cred_verification_url\":\"invalid_regional_cred_"
307  "verification_url\"}";
308 
309 /* -- Global state flags. -- */
310 
311 bool g_test_is_on_gce = false;
312 
313 bool g_test_gce_tenancy_checker_called = false;
314 
315 /* -- Utils. -- */
316 
317 char* test_json_key_str(void) {
318  size_t result_len = strlen(test_json_key_str_part1) +
319  strlen(test_json_key_str_part2) +
320  strlen(test_json_key_str_part3);
321  char* result = static_cast<char*>(gpr_malloc(result_len + 1));
322  char* current = result;
323  strcpy(result, test_json_key_str_part1);
324  current += strlen(test_json_key_str_part1);
325  strcpy(current, test_json_key_str_part2);
326  current += strlen(test_json_key_str_part2);
327  strcpy(current, test_json_key_str_part3);
328  return result;
329 }
330 
331 grpc_http_response http_response(int status, const char* body) {
332  grpc_http_response response;
333  response = {};
334  response.status = status;
335  response.body = gpr_strdup(const_cast<char*>(body));
336  response.body_length = strlen(body);
337  return response;
338 }
339 
340 /* -- Tests. -- */
341 
342 TEST(CredentialsTest, TestOauth2TokenFetcherCredsParsingOk) {
343  ExecCtx exec_ctx;
344  absl::optional<Slice> token_value;
345  Duration token_lifetime;
346  grpc_http_response response = http_response(200, valid_oauth2_json_response);
347  GPR_ASSERT(grpc_oauth2_token_fetcher_credentials_parse_server_response(
348  &response, &token_value, &token_lifetime) ==
349  GRPC_CREDENTIALS_OK);
350  GPR_ASSERT(token_lifetime == Duration::Seconds(3599));
351  GPR_ASSERT(token_value->as_string_view() ==
352  "Bearer ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_");
353  grpc_http_response_destroy(&response);
354 }
355 
356 TEST(CredentialsTest, TestOauth2TokenFetcherCredsParsingBadHttpStatus) {
357  ExecCtx exec_ctx;
358  absl::optional<Slice> token_value;
359  Duration token_lifetime;
360  grpc_http_response response = http_response(401, valid_oauth2_json_response);
361  GPR_ASSERT(grpc_oauth2_token_fetcher_credentials_parse_server_response(
362  &response, &token_value, &token_lifetime) ==
363  GRPC_CREDENTIALS_ERROR);
364  grpc_http_response_destroy(&response);
365 }
366 
367 TEST(CredentialsTest, TestOauth2TokenFetcherCredsParsingEmptyHttpBody) {
368  ExecCtx exec_ctx;
369  absl::optional<Slice> token_value;
370  Duration token_lifetime;
371  grpc_http_response response = http_response(200, "");
372  GPR_ASSERT(grpc_oauth2_token_fetcher_credentials_parse_server_response(
373  &response, &token_value, &token_lifetime) ==
374  GRPC_CREDENTIALS_ERROR);
375  grpc_http_response_destroy(&response);
376 }
377 
378 TEST(CredentialsTest, TestOauth2TokenFetcherCredsParsingInvalidJson) {
379  ExecCtx exec_ctx;
380  absl::optional<Slice> token_value;
381  Duration token_lifetime;
382  grpc_http_response response =
383  http_response(200,
384  "{\"access_token\":\"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_\","
385  " \"expires_in\":3599, "
386  " \"token_type\":\"Bearer\"");
387  GPR_ASSERT(grpc_oauth2_token_fetcher_credentials_parse_server_response(
388  &response, &token_value, &token_lifetime) ==
389  GRPC_CREDENTIALS_ERROR);
390  grpc_http_response_destroy(&response);
391 }
392 
393 TEST(CredentialsTest, TestOauth2TokenFetcherCredsParsingMissingToken) {
394  ExecCtx exec_ctx;
395  absl::optional<Slice> token_value;
396  Duration token_lifetime;
397  grpc_http_response response = http_response(200,
398  "{"
399  " \"expires_in\":3599, "
400  " \"token_type\":\"Bearer\"}");
401  GPR_ASSERT(grpc_oauth2_token_fetcher_credentials_parse_server_response(
402  &response, &token_value, &token_lifetime) ==
403  GRPC_CREDENTIALS_ERROR);
404  grpc_http_response_destroy(&response);
405 }
406 
407 TEST(CredentialsTest, TestOauth2TokenFetcherCredsParsingMissingTokenType) {
408  ExecCtx exec_ctx;
409  absl::optional<Slice> token_value;
410  Duration token_lifetime;
411  grpc_http_response response =
412  http_response(200,
413  "{\"access_token\":\"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_\","
414  " \"expires_in\":3599, "
415  "}");
416  GPR_ASSERT(grpc_oauth2_token_fetcher_credentials_parse_server_response(
417  &response, &token_value, &token_lifetime) ==
418  GRPC_CREDENTIALS_ERROR);
419  grpc_http_response_destroy(&response);
420 }
421 
422 TEST(CredentialsTest, TestOauth2TokenFetcherCredsParsingMissingTokenLifetime) {
423  ExecCtx exec_ctx;
424  absl::optional<Slice> token_value;
425  Duration token_lifetime;
426  grpc_http_response response =
427  http_response(200,
428  "{\"access_token\":\"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_\","
429  " \"token_type\":\"Bearer\"}");
430  GPR_ASSERT(grpc_oauth2_token_fetcher_credentials_parse_server_response(
431  &response, &token_value, &token_lifetime) ==
432  GRPC_CREDENTIALS_ERROR);
433  grpc_http_response_destroy(&response);
434 }
435 
436 class RequestMetadataState : public RefCounted<RequestMetadataState> {
437  public:
438  static RefCountedPtr<RequestMetadataState> NewInstance(
439  grpc_error_handle expected_error, std::string expected) {
440  return MakeRefCounted<RequestMetadataState>(
441  expected_error, std::move(expected),
442  grpc_polling_entity_create_from_pollset_set(grpc_pollset_set_create()));
443  }
444 
445  RequestMetadataState(grpc_error_handle expected_error, std::string expected,
446  grpc_polling_entity pollent)
447  : expected_error_(expected_error),
448  expected_(std::move(expected)),
449  pollent_(pollent) {}
450 
451  ~RequestMetadataState() override {
452  grpc_pollset_set_destroy(grpc_polling_entity_pollset_set(&pollent_));
453  }
454 
455  void RunRequestMetadataTest(grpc_call_credentials* creds,
456  const char* url_scheme, const char* authority,
457  const char* path) {
458  auto self = Ref();
459  get_request_metadata_args_.security_connector =
460  MakeRefCounted<BogusSecurityConnector>(url_scheme);
461  md_.Set(HttpAuthorityMetadata(), Slice::FromStaticString(authority));
462  md_.Set(HttpPathMetadata(), Slice::FromStaticString(path));
463  activity_ = MakeActivity(
464  [this, creds] {
465  return Seq(creds->GetRequestMetadata(
466  ClientMetadataHandle::TestOnlyWrap(&md_),
467  &get_request_metadata_args_),
468  [this](absl::StatusOr<ClientMetadataHandle> metadata) {
469  if (metadata.ok()) {
470  GPR_ASSERT(metadata->get() == &md_);
471  }
472  return metadata.status();
473  });
474  },
475  ExecCtxWakeupScheduler(),
476  [self](absl::Status status) mutable {
477  self->CheckRequestMetadata(
478  absl_status_to_grpc_error(std::move(status)));
479  self.reset();
480  },
481  arena_.get(), &pollent_);
482  }
483 
484  private:
485  // No-op security connector, exists only to inject url_scheme.
486  class BogusSecurityConnector : public grpc_channel_security_connector {
487  public:
488  explicit BogusSecurityConnector(absl::string_view url_scheme)
489  : grpc_channel_security_connector(url_scheme, nullptr, nullptr) {}
490 
491  void check_peer(tsi_peer, grpc_endpoint*, RefCountedPtr<grpc_auth_context>*,
492  grpc_closure*) override {
493  GPR_ASSERT(false);
494  }
495 
496  void cancel_check_peer(grpc_closure*, grpc_error_handle) override {
497  GPR_ASSERT(false);
498  }
499 
500  int cmp(const grpc_security_connector*) const override {
501  GPR_UNREACHABLE_CODE(return 0);
502  }
503 
504  ArenaPromise<absl::Status> CheckCallHost(absl::string_view,
505  grpc_auth_context*) override {
506  GPR_UNREACHABLE_CODE(
507  return Immediate(absl::PermissionDeniedError("should never happen")));
508  }
509 
510  void add_handshakers(const grpc_channel_args*, grpc_pollset_set*,
511  HandshakeManager*) override {
512  GPR_ASSERT(false);
513  }
514  };
515 
516  void CheckRequestMetadata(grpc_error_handle error) {
517  gpr_log(GPR_INFO, "expected_error: %s",
518  grpc_error_std_string(expected_error_).c_str());
519  gpr_log(GPR_INFO, "actual_error: %s", grpc_error_std_string(error).c_str());
520  if (GRPC_ERROR_IS_NONE(expected_error_)) {
521  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
522  } else {
523  std::string expected_error;
524  GPR_ASSERT(grpc_error_get_str(expected_error_, GRPC_ERROR_STR_DESCRIPTION,
525  &expected_error));
526  std::string actual_error;
527  GPR_ASSERT(
528  grpc_error_get_str(error, GRPC_ERROR_STR_DESCRIPTION, &actual_error));
529  GPR_ASSERT(expected_error == actual_error);
530  GRPC_ERROR_UNREF(expected_error_);
531  }
532  md_.Remove(HttpAuthorityMetadata());
533  md_.Remove(HttpPathMetadata());
534  gpr_log(GPR_INFO, "expected metadata: %s", expected_.c_str());
535  gpr_log(GPR_INFO, "actual metadata: %s", md_.DebugString().c_str());
536  GPR_ASSERT(md_.DebugString() == expected_);
537  GRPC_ERROR_UNREF(error);
538  }
539 
540  private:
541  grpc_error_handle expected_error_;
542  std::string expected_;
543  ScopedArenaPtr arena_ = MakeScopedArena(1024, g_memory_allocator);
544  grpc_metadata_batch md_{arena_.get()};
545  grpc_call_credentials::GetRequestMetadataArgs get_request_metadata_args_;
546  grpc_polling_entity pollent_;
547  ActivityPtr activity_;
548 };
549 
550 TEST(CredentialsTest, TestGoogleIamCreds) {
551  ExecCtx exec_ctx;
552  auto state = RequestMetadataState::NewInstance(
553  GRPC_ERROR_NONE,
554  absl::StrCat(GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY, ": ",
555  test_google_iam_authorization_token, ", ",
556  GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY, ": ",
557  test_google_iam_authority_selector));
558  grpc_call_credentials* creds = grpc_google_iam_credentials_create(
559  test_google_iam_authorization_token, test_google_iam_authority_selector,
560  nullptr);
561  /* Check security level. */
562  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
563  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
564  kTestPath);
565  creds->Unref();
566 }
567 
568 TEST(CredentialsTest, TestAccessTokenCreds) {
569  ExecCtx exec_ctx;
570  auto state = RequestMetadataState::NewInstance(GRPC_ERROR_NONE,
571  "authorization: Bearer blah");
572  grpc_call_credentials* creds =
573  grpc_access_token_credentials_create("blah", nullptr);
574  GPR_ASSERT(creds->type() == grpc_access_token_credentials::Type());
575  /* Check security level. */
576  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
577  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
578  kTestPath);
579  creds->Unref();
580 }
581 
582 class check_channel_oauth2 final : public grpc_channel_credentials {
583  public:
584  RefCountedPtr<grpc_channel_security_connector> create_security_connector(
585  RefCountedPtr<grpc_call_credentials> call_creds, const char* /*target*/,
586  const grpc_channel_args* /*args*/,
587  grpc_channel_args** /*new_args*/) override {
588  GPR_ASSERT(type() == Type());
589  GPR_ASSERT(call_creds != nullptr);
590  GPR_ASSERT(call_creds->type() == grpc_access_token_credentials::Type());
591  return nullptr;
592  }
593 
594  static UniqueTypeName Type() {
595  static UniqueTypeName::Factory kFactory("check_channel_oauth2");
596  return kFactory.Create();
597  }
598 
599  UniqueTypeName type() const override { return Type(); }
600 
601  private:
602  int cmp_impl(const grpc_channel_credentials* other) const override {
603  // TODO(yashykt): Check if we can do something better here
604  return QsortCompare(static_cast<const grpc_channel_credentials*>(this),
605  other);
606  }
607 };
608 
609 TEST(CredentialsTest, TestChannelOauth2CompositeCreds) {
610  ExecCtx exec_ctx;
611  grpc_channel_args* new_args;
612  grpc_channel_credentials* channel_creds = new check_channel_oauth2();
613  grpc_call_credentials* oauth2_creds =
614  grpc_access_token_credentials_create("blah", nullptr);
615  grpc_channel_credentials* channel_oauth2_creds =
616  grpc_composite_channel_credentials_create(channel_creds, oauth2_creds,
617  nullptr);
618  grpc_channel_credentials_release(channel_creds);
619  grpc_call_credentials_release(oauth2_creds);
620  channel_oauth2_creds->create_security_connector(nullptr, nullptr, nullptr,
621  &new_args);
622  grpc_channel_credentials_release(channel_oauth2_creds);
623 }
624 
625 TEST(CredentialsTest, TestOauth2GoogleIamCompositeCreds) {
626  ExecCtx exec_ctx;
627  auto state = RequestMetadataState::NewInstance(
628  GRPC_ERROR_NONE,
629  absl::StrCat(GRPC_AUTHORIZATION_METADATA_KEY, ": ",
630  test_oauth2_bearer_token, ", ",
631  GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY, ": ",
632  test_google_iam_authorization_token, ", ",
633  GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY, ": ",
634  test_google_iam_authority_selector));
635  grpc_call_credentials* oauth2_creds = grpc_md_only_test_credentials_create(
636  "authorization", test_oauth2_bearer_token);
637 
638  /* Check security level of fake credentials. */
639  GPR_ASSERT(oauth2_creds->min_security_level() == GRPC_SECURITY_NONE);
640 
641  grpc_call_credentials* google_iam_creds = grpc_google_iam_credentials_create(
642  test_google_iam_authorization_token, test_google_iam_authority_selector,
643  nullptr);
644  grpc_call_credentials* composite_creds =
645  grpc_composite_call_credentials_create(oauth2_creds, google_iam_creds,
646  nullptr);
647  /* Check security level of composite credentials. */
648  GPR_ASSERT(composite_creds->min_security_level() ==
649  GRPC_PRIVACY_AND_INTEGRITY);
650 
651  oauth2_creds->Unref();
652  google_iam_creds->Unref();
653  GPR_ASSERT(composite_creds->type() ==
654  grpc_composite_call_credentials::Type());
655  const grpc_composite_call_credentials::CallCredentialsList& creds_list =
656  static_cast<const grpc_composite_call_credentials*>(composite_creds)
657  ->inner();
658  GPR_ASSERT(creds_list.size() == 2);
659  GPR_ASSERT(creds_list[0]->type() == grpc_md_only_test_credentials::Type());
660  GPR_ASSERT(creds_list[1]->type() == grpc_google_iam_credentials::Type());
661  state->RunRequestMetadataTest(composite_creds, kTestUrlScheme, kTestAuthority,
662  kTestPath);
663  composite_creds->Unref();
664 }
665 
666 class check_channel_oauth2_google_iam final : public grpc_channel_credentials {
667  public:
668  RefCountedPtr<grpc_channel_security_connector> create_security_connector(
669  RefCountedPtr<grpc_call_credentials> call_creds, const char* /*target*/,
670  const grpc_channel_args* /*args*/,
671  grpc_channel_args** /*new_args*/) override {
672  GPR_ASSERT(type() == Type());
673  GPR_ASSERT(call_creds != nullptr);
674  GPR_ASSERT(call_creds->type() == grpc_composite_call_credentials::Type());
675  const grpc_composite_call_credentials::CallCredentialsList& creds_list =
676  static_cast<const grpc_composite_call_credentials*>(call_creds.get())
677  ->inner();
678  GPR_ASSERT(creds_list[0]->type() == grpc_access_token_credentials::Type());
679  GPR_ASSERT(creds_list[1]->type() == grpc_google_iam_credentials::Type());
680  return nullptr;
681  }
682 
683  static UniqueTypeName Type() {
684  static UniqueTypeName::Factory kFactory("check_channel_oauth2_google_iam");
685  return kFactory.Create();
686  }
687 
688  UniqueTypeName type() const override { return Type(); }
689 
690  private:
691  int cmp_impl(const grpc_channel_credentials* other) const override {
692  // TODO(yashykt): Check if we can do something better here
693  return QsortCompare(static_cast<const grpc_channel_credentials*>(this),
694  other);
695  }
696 };
697 
698 TEST(CredentialsTest, TestChannelOauth2GoogleIamCompositeCreds) {
699  ExecCtx exec_ctx;
700  grpc_channel_args* new_args;
701  grpc_channel_credentials* channel_creds =
702  new check_channel_oauth2_google_iam();
703  grpc_call_credentials* oauth2_creds =
704  grpc_access_token_credentials_create("blah", nullptr);
705  grpc_channel_credentials* channel_oauth2_creds =
706  grpc_composite_channel_credentials_create(channel_creds, oauth2_creds,
707  nullptr);
708  grpc_call_credentials* google_iam_creds = grpc_google_iam_credentials_create(
709  test_google_iam_authorization_token, test_google_iam_authority_selector,
710  nullptr);
711 
712  grpc_channel_credentials* channel_oauth2_iam_creds =
713  grpc_composite_channel_credentials_create(channel_oauth2_creds,
714  google_iam_creds, nullptr);
715  grpc_channel_credentials_release(channel_creds);
716  grpc_call_credentials_release(oauth2_creds);
717  grpc_channel_credentials_release(channel_oauth2_creds);
718  grpc_call_credentials_release(google_iam_creds);
719 
720  channel_oauth2_iam_creds->create_security_connector(nullptr, nullptr, nullptr,
721  &new_args);
722 
723  grpc_channel_credentials_release(channel_oauth2_iam_creds);
724 }
725 
726 void validate_compute_engine_http_request(const grpc_http_request* request,
727  const char* host, const char* path) {
728  GPR_ASSERT(strcmp(host, "metadata.google.internal.") == 0);
729  GPR_ASSERT(
730  strcmp(path,
731  "/computeMetadata/v1/instance/service-accounts/default/token") ==
732  0);
733  GPR_ASSERT(request->hdr_count == 1);
734  GPR_ASSERT(strcmp(request->hdrs[0].key, "Metadata-Flavor") == 0);
735  GPR_ASSERT(strcmp(request->hdrs[0].value, "Google") == 0);
736 }
737 
738 int compute_engine_httpcli_get_success_override(
739  const grpc_http_request* request, const char* host, const char* path,
740  Timestamp /*deadline*/, grpc_closure* on_done,
741  grpc_http_response* response) {
742  validate_compute_engine_http_request(request, host, path);
743  *response = http_response(200, valid_oauth2_json_response);
744  ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
745  return 1;
746 }
747 
748 int compute_engine_httpcli_get_failure_override(
749  const grpc_http_request* request, const char* host, const char* path,
750  Timestamp /*deadline*/, grpc_closure* on_done,
751  grpc_http_response* response) {
752  validate_compute_engine_http_request(request, host, path);
753  *response = http_response(403, "Not Authorized.");
754  ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
755  return 1;
756 }
757 
758 int httpcli_post_should_not_be_called(
759  const grpc_http_request* /*request*/, const char* /*host*/,
760  const char* /*path*/, const char* /*body_bytes*/, size_t /*body_size*/,
761  Timestamp /*deadline*/, grpc_closure* /*on_done*/,
762  grpc_http_response* /*response*/) {
763  GPR_ASSERT("HTTP POST should not be called" == nullptr);
764  return 1;
765 }
766 
767 int httpcli_get_should_not_be_called(const grpc_http_request* /*request*/,
768  const char* /*host*/, const char* /*path*/,
769  Timestamp /*deadline*/,
770  grpc_closure* /*on_done*/,
771  grpc_http_response* /*response*/) {
772  GPR_ASSERT("HTTP GET should not be called" == nullptr);
773  return 1;
774 }
775 
776 int httpcli_put_should_not_be_called(const grpc_http_request* /*request*/,
777  const char* /*host*/, const char* /*path*/,
778  const char* /*body_bytes*/,
779  size_t /*body_size*/,
780  Timestamp /*deadline*/,
781  grpc_closure* /*on_done*/,
782  grpc_http_response* /*response*/) {
783  GPR_ASSERT("HTTP PUT should not be called" == nullptr);
784  return 1;
785 }
786 
787 TEST(CredentialsTest, TestComputeEngineCredsSuccess) {
788  ExecCtx exec_ctx;
789  std::string emd = "authorization: Bearer ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_";
790  const char expected_creds_debug_string[] =
791  "GoogleComputeEngineTokenFetcherCredentials{"
792  "OAuth2TokenFetcherCredentials}";
793  grpc_call_credentials* creds =
794  grpc_google_compute_engine_credentials_create(nullptr);
795  /* Check security level. */
796  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
797 
798  /* First request: http get should be called. */
799  auto state = RequestMetadataState::NewInstance(GRPC_ERROR_NONE, emd);
800  HttpRequest::SetOverride(compute_engine_httpcli_get_success_override,
801  httpcli_post_should_not_be_called,
802  httpcli_put_should_not_be_called);
803  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
804  kTestPath);
805  ExecCtx::Get()->Flush();
806 
807  /* Second request: the cached token should be served directly. */
808  state = RequestMetadataState::NewInstance(GRPC_ERROR_NONE, emd);
809  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
810  httpcli_post_should_not_be_called,
811  httpcli_put_should_not_be_called);
812  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
813  kTestPath);
814  ExecCtx::Get()->Flush();
815 
816  GPR_ASSERT(
817  strcmp(creds->debug_string().c_str(), expected_creds_debug_string) == 0);
818  creds->Unref();
819  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
820 }
821 
822 TEST(CredentialsTest, TestComputeEngineCredsFailure) {
823  ExecCtx exec_ctx;
824  const char expected_creds_debug_string[] =
825  "GoogleComputeEngineTokenFetcherCredentials{"
826  "OAuth2TokenFetcherCredentials}";
827  auto state = RequestMetadataState::NewInstance(
828  GRPC_ERROR_CREATE_FROM_STATIC_STRING(
829  "Error occurred when fetching oauth2 token."),
830  {});
831  grpc_call_credentials* creds =
832  grpc_google_compute_engine_credentials_create(nullptr);
833  HttpRequest::SetOverride(compute_engine_httpcli_get_failure_override,
834  httpcli_post_should_not_be_called,
835  httpcli_put_should_not_be_called);
836  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
837  kTestPath);
838  GPR_ASSERT(
839  strcmp(creds->debug_string().c_str(), expected_creds_debug_string) == 0);
840  creds->Unref();
841  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
842 }
843 
844 void validate_refresh_token_http_request(const grpc_http_request* request,
845  const char* host, const char* path,
846  const char* body, size_t body_size) {
847  /* The content of the assertion is tested extensively in json_token_test. */
848  GPR_ASSERT(body != nullptr);
849  GPR_ASSERT(body_size != 0);
850  std::string expected_body = absl::StrFormat(
851  GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING,
852  "32555999999.apps.googleusercontent.com", "EmssLNjJy1332hD4KFsecret",
853  "1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42");
854  GPR_ASSERT(expected_body.size() == body_size);
855  GPR_ASSERT(memcmp(expected_body.data(), body, body_size) == 0);
856  GPR_ASSERT(strcmp(host, GRPC_GOOGLE_OAUTH2_SERVICE_HOST) == 0);
857  GPR_ASSERT(strcmp(path, GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH) == 0);
858  GPR_ASSERT(request->hdr_count == 1);
859  GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0);
860  GPR_ASSERT(
861  strcmp(request->hdrs[0].value, "application/x-www-form-urlencoded") == 0);
862 }
863 
864 int refresh_token_httpcli_post_success(const grpc_http_request* request,
865  const char* host, const char* path,
866  const char* body, size_t body_size,
867  Timestamp /*deadline*/,
868  grpc_closure* on_done,
869  grpc_http_response* response) {
870  validate_refresh_token_http_request(request, host, path, body, body_size);
871  *response = http_response(200, valid_oauth2_json_response);
872  ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
873  return 1;
874 }
875 
876 int token_httpcli_post_failure(const grpc_http_request* /*request*/,
877  const char* /*host*/, const char* /*path*/,
878  const char* /*body*/, size_t /*body_size*/,
879  Timestamp /*deadline*/, grpc_closure* on_done,
880  grpc_http_response* response) {
881  *response = http_response(403, "Not Authorized.");
882  ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
883  return 1;
884 }
885 
886 TEST(CredentialsTest, TestRefreshTokenCredsSuccess) {
887  ExecCtx exec_ctx;
888  std::string emd = "authorization: Bearer ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_";
889  const char expected_creds_debug_string[] =
890  "GoogleRefreshToken{ClientID:32555999999.apps.googleusercontent.com,"
891  "OAuth2TokenFetcherCredentials}";
892  grpc_call_credentials* creds = grpc_google_refresh_token_credentials_create(
893  test_refresh_token_str, nullptr);
894 
895  /* Check security level. */
896  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
897 
898  /* First request: http put should be called. */
899  auto state = RequestMetadataState::NewInstance(GRPC_ERROR_NONE, emd);
900  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
901  refresh_token_httpcli_post_success,
902  httpcli_put_should_not_be_called);
903  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
904  kTestPath);
905  ExecCtx::Get()->Flush();
906 
907  /* Second request: the cached token should be served directly. */
908  state = RequestMetadataState::NewInstance(GRPC_ERROR_NONE, emd);
909  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
910  httpcli_post_should_not_be_called,
911  httpcli_put_should_not_be_called);
912  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
913  kTestPath);
914  ExecCtx::Get()->Flush();
915  GPR_ASSERT(
916  strcmp(creds->debug_string().c_str(), expected_creds_debug_string) == 0);
917 
918  creds->Unref();
919  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
920 }
921 
922 TEST(CredentialsTest, TestRefreshTokenCredsFailure) {
923  ExecCtx exec_ctx;
924  const char expected_creds_debug_string[] =
925  "GoogleRefreshToken{ClientID:32555999999.apps.googleusercontent.com,"
926  "OAuth2TokenFetcherCredentials}";
927  auto state = RequestMetadataState::NewInstance(
928  GRPC_ERROR_CREATE_FROM_STATIC_STRING(
929  "Error occurred when fetching oauth2 token."),
930  {});
931  grpc_call_credentials* creds = grpc_google_refresh_token_credentials_create(
932  test_refresh_token_str, nullptr);
933  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
934  token_httpcli_post_failure,
935  httpcli_put_should_not_be_called);
936  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
937  kTestPath);
938  GPR_ASSERT(
939  strcmp(creds->debug_string().c_str(), expected_creds_debug_string) == 0);
940 
941  creds->Unref();
942  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
943 }
944 
945 TEST(CredentialsTest, TestValidStsCredsOptions) {
946  grpc_sts_credentials_options valid_options = {
947  test_sts_endpoint_url, // sts_endpoint_url
948  nullptr, // resource
949  nullptr, // audience
950  nullptr, // scope
951  nullptr, // requested_token_type
952  test_signed_jwt_path_prefix, // subject_token_path
953  test_signed_jwt_token_type, // subject_token_type
954  nullptr, // actor_token_path
955  nullptr // actor_token_type
956  };
957  absl::StatusOr<URI> sts_url = ValidateStsCredentialsOptions(&valid_options);
958  GPR_ASSERT(sts_url.ok());
959  absl::string_view host;
960  absl::string_view port;
961  GPR_ASSERT(SplitHostPort(sts_url->authority(), &host, &port));
962  GPR_ASSERT(host == "foo.com");
963  GPR_ASSERT(port == "5555");
964 }
965 
966 TEST(CredentialsTest, TestInvalidStsCredsOptions) {
967  grpc_sts_credentials_options invalid_options = {
968  test_sts_endpoint_url, // sts_endpoint_url
969  nullptr, // resource
970  nullptr, // audience
971  nullptr, // scope
972  nullptr, // requested_token_type
973  nullptr, // subject_token_path (Required)
974  test_signed_jwt_token_type, // subject_token_type
975  nullptr, // actor_token_path
976  nullptr // actor_token_type
977  };
978  absl::StatusOr<URI> url_should_be_invalid =
979  ValidateStsCredentialsOptions(&invalid_options);
980  GPR_ASSERT(!url_should_be_invalid.ok());
981 
982  invalid_options = {
983  test_sts_endpoint_url, // sts_endpoint_url
984  nullptr, // resource
985  nullptr, // audience
986  nullptr, // scope
987  nullptr, // requested_token_type
988  test_signed_jwt_path_prefix, // subject_token_path
989  nullptr, // subject_token_type (Required)
990  nullptr, // actor_token_path
991  nullptr // actor_token_type
992  };
993  url_should_be_invalid = ValidateStsCredentialsOptions(&invalid_options);
994  GPR_ASSERT(!url_should_be_invalid.ok());
995 
996  invalid_options = {
997  nullptr, // sts_endpoint_url (Required)
998  nullptr, // resource
999  nullptr, // audience
1000  nullptr, // scope
1001  nullptr, // requested_token_type
1002  test_signed_jwt_path_prefix, // subject_token_path
1003  test_signed_jwt_token_type, // subject_token_type (Required)
1004  nullptr, // actor_token_path
1005  nullptr // actor_token_type
1006  };
1007  url_should_be_invalid = ValidateStsCredentialsOptions(&invalid_options);
1008  GPR_ASSERT(!url_should_be_invalid.ok());
1009 
1010  invalid_options = {
1011  "not_a_valid_uri", // sts_endpoint_url
1012  nullptr, // resource
1013  nullptr, // audience
1014  nullptr, // scope
1015  nullptr, // requested_token_type
1016  test_signed_jwt_path_prefix, // subject_token_path
1017  test_signed_jwt_token_type, // subject_token_type (Required)
1018  nullptr, // actor_token_path
1019  nullptr // actor_token_type
1020  };
1021  url_should_be_invalid = ValidateStsCredentialsOptions(&invalid_options);
1022  GPR_ASSERT(!url_should_be_invalid.ok());
1023 
1024  invalid_options = {
1025  "ftp://ftp.is.not.a.valid.scheme/bar", // sts_endpoint_url
1026  nullptr, // resource
1027  nullptr, // audience
1028  nullptr, // scope
1029  nullptr, // requested_token_type
1030  test_signed_jwt_path_prefix, // subject_token_path
1031  test_signed_jwt_token_type, // subject_token_type (Required)
1032  nullptr, // actor_token_path
1033  nullptr // actor_token_type
1034  };
1035  url_should_be_invalid = ValidateStsCredentialsOptions(&invalid_options);
1036  GPR_ASSERT(!url_should_be_invalid.ok());
1037 }
1038 
1039 void assert_query_parameters(const URI& uri, absl::string_view expected_key,
1040  absl::string_view expected_val) {
1041  const auto it = uri.query_parameter_map().find(expected_key);
1042  GPR_ASSERT(it != uri.query_parameter_map().end());
1043  if (it->second != expected_val) {
1044  gpr_log(GPR_ERROR, "%s!=%s", std::string(it->second).c_str(),
1045  std::string(expected_val).c_str());
1046  }
1047  GPR_ASSERT(it->second == expected_val);
1048 }
1049 
1050 void validate_sts_token_http_request(const grpc_http_request* request,
1051  const char* host, const char* path,
1052  const char* body, size_t body_size,
1053  bool expect_actor_token) {
1054  // Check that the body is constructed properly.
1055  GPR_ASSERT(body != nullptr);
1056  GPR_ASSERT(body_size != 0);
1057  std::string get_url_equivalent =
1058  absl::StrFormat("%s?%s", test_sts_endpoint_url, body);
1059  absl::StatusOr<URI> url = URI::Parse(get_url_equivalent);
1060  if (!url.ok()) {
1061  gpr_log(GPR_ERROR, "%s", url.status().ToString().c_str());
1062  GPR_ASSERT(url.ok());
1063  }
1064  assert_query_parameters(*url, "resource", "resource");
1065  assert_query_parameters(*url, "audience", "audience");
1066  assert_query_parameters(*url, "scope", "scope");
1067  assert_query_parameters(*url, "requested_token_type", "requested_token_type");
1068  assert_query_parameters(*url, "subject_token", test_signed_jwt);
1069  assert_query_parameters(*url, "subject_token_type",
1070  test_signed_jwt_token_type);
1071  if (expect_actor_token) {
1072  assert_query_parameters(*url, "actor_token", test_signed_jwt2);
1073  assert_query_parameters(*url, "actor_token_type",
1074  test_signed_jwt_token_type2);
1075  } else {
1076  GPR_ASSERT(url->query_parameter_map().find("actor_token") ==
1077  url->query_parameter_map().end());
1078  GPR_ASSERT(url->query_parameter_map().find("actor_token_type") ==
1079  url->query_parameter_map().end());
1080  }
1081 
1082  // Check the rest of the request.
1083  GPR_ASSERT(strcmp(host, "foo.com:5555") == 0);
1084  GPR_ASSERT(strcmp(path, "/v1/token-exchange") == 0);
1085  GPR_ASSERT(request->hdr_count == 1);
1086  GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0);
1087  GPR_ASSERT(
1088  strcmp(request->hdrs[0].value, "application/x-www-form-urlencoded") == 0);
1089 }
1090 
1091 int sts_token_httpcli_post_success(const grpc_http_request* request,
1092  const char* host, const char* path,
1093  const char* body, size_t body_size,
1094  Timestamp /*deadline*/,
1095  grpc_closure* on_done,
1096  grpc_http_response* response) {
1097  validate_sts_token_http_request(request, host, path, body, body_size, true);
1098  *response = http_response(200, valid_sts_json_response);
1099  ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
1100  return 1;
1101 }
1102 
1103 int sts_token_httpcli_post_success_no_actor_token(
1104  const grpc_http_request* request, const char* host, const char* path,
1105  const char* body, size_t body_size, Timestamp /*deadline*/,
1106  grpc_closure* on_done, grpc_http_response* response) {
1107  validate_sts_token_http_request(request, host, path, body, body_size, false);
1108  *response = http_response(200, valid_sts_json_response);
1109  ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
1110  return 1;
1111 }
1112 
1113 char* write_tmp_jwt_file(const char* jwt_contents) {
1114  char* path;
1115  FILE* tmp = gpr_tmpfile(test_signed_jwt_path_prefix, &path);
1116  GPR_ASSERT(path != nullptr);
1117  GPR_ASSERT(tmp != nullptr);
1118  size_t jwt_length = strlen(jwt_contents);
1119  GPR_ASSERT(fwrite(jwt_contents, 1, jwt_length, tmp) == jwt_length);
1120  fclose(tmp);
1121  return path;
1122 }
1123 
1124 TEST(CredentialsTest, TestStsCredsSuccess) {
1125  ExecCtx exec_ctx;
1126  std::string emd = "authorization: Bearer ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_";
1127  const char expected_creds_debug_string[] =
1128  "StsTokenFetcherCredentials{Path:/v1/"
1129  "token-exchange,Authority:foo.com:5555,OAuth2TokenFetcherCredentials}";
1130  char* subject_token_path = write_tmp_jwt_file(test_signed_jwt);
1131  char* actor_token_path = write_tmp_jwt_file(test_signed_jwt2);
1132  grpc_sts_credentials_options valid_options = {
1133  test_sts_endpoint_url, // sts_endpoint_url
1134  "resource", // resource
1135  "audience", // audience
1136  "scope", // scope
1137  "requested_token_type", // requested_token_type
1138  subject_token_path, // subject_token_path
1139  test_signed_jwt_token_type, // subject_token_type
1140  actor_token_path, // actor_token_path
1141  test_signed_jwt_token_type2 // actor_token_type
1142  };
1143  grpc_call_credentials* creds =
1144  grpc_sts_credentials_create(&valid_options, nullptr);
1145 
1146  /* Check security level. */
1147  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
1148 
1149  /* First request: http put should be called. */
1150  auto state = RequestMetadataState::NewInstance(GRPC_ERROR_NONE, emd);
1151  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
1152  sts_token_httpcli_post_success,
1153  httpcli_put_should_not_be_called);
1154  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
1155  kTestPath);
1156  ExecCtx::Get()->Flush();
1157 
1158  /* Second request: the cached token should be served directly. */
1159  state = RequestMetadataState::NewInstance(GRPC_ERROR_NONE, emd);
1160  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
1161  httpcli_post_should_not_be_called,
1162  httpcli_put_should_not_be_called);
1163  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
1164  kTestPath);
1165  ExecCtx::Get()->Flush();
1166  GPR_ASSERT(
1167  strcmp(creds->debug_string().c_str(), expected_creds_debug_string) == 0);
1168 
1169  creds->Unref();
1170  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
1171  gpr_free(subject_token_path);
1172  gpr_free(actor_token_path);
1173 }
1174 
1175 TEST(CredentialsTest, TestStsCredsTokenFileNotFound) {
1176  ExecCtx exec_ctx;
1177  grpc_sts_credentials_options valid_options = {
1178  test_sts_endpoint_url, // sts_endpoint_url
1179  "resource", // resource
1180  "audience", // audience
1181  "scope", // scope
1182  "requested_token_type", // requested_token_type
1183  "/some/completely/random/path", // subject_token_path
1184  test_signed_jwt_token_type, // subject_token_type
1185  "", // actor_token_path
1186  "" // actor_token_type
1187  };
1188  grpc_call_credentials* creds =
1189  grpc_sts_credentials_create(&valid_options, nullptr);
1190 
1191  /* Check security level. */
1192  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
1193 
1194  auto state = RequestMetadataState::NewInstance(
1195  GRPC_ERROR_CREATE_FROM_STATIC_STRING(
1196  "Error occurred when fetching oauth2 token."),
1197  {});
1198  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
1199  httpcli_post_should_not_be_called,
1200  httpcli_put_should_not_be_called);
1201  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
1202  kTestPath);
1203  ExecCtx::Get()->Flush();
1204 
1205  /* Cleanup. */
1206  creds->Unref();
1207  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
1208 }
1209 
1210 TEST(CredentialsTest, TestStsCredsNoActorTokenSuccess) {
1211  ExecCtx exec_ctx;
1212  std::string emd = "authorization: Bearer ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_";
1213  const char expected_creds_debug_string[] =
1214  "StsTokenFetcherCredentials{Path:/v1/"
1215  "token-exchange,Authority:foo.com:5555,OAuth2TokenFetcherCredentials}";
1216  char* subject_token_path = write_tmp_jwt_file(test_signed_jwt);
1217  grpc_sts_credentials_options valid_options = {
1218  test_sts_endpoint_url, // sts_endpoint_url
1219  "resource", // resource
1220  "audience", // audience
1221  "scope", // scope
1222  "requested_token_type", // requested_token_type
1223  subject_token_path, // subject_token_path
1224  test_signed_jwt_token_type, // subject_token_type
1225  "", // actor_token_path
1226  "" // actor_token_type
1227  };
1228  grpc_call_credentials* creds =
1229  grpc_sts_credentials_create(&valid_options, nullptr);
1230 
1231  /* Check security level. */
1232  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
1233 
1234  /* First request: http put should be called. */
1235  auto state = RequestMetadataState::NewInstance(GRPC_ERROR_NONE, emd);
1236  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
1237  sts_token_httpcli_post_success_no_actor_token,
1238  httpcli_put_should_not_be_called);
1239  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
1240  kTestPath);
1241  ExecCtx::Get()->Flush();
1242 
1243  /* Second request: the cached token should be served directly. */
1244  state = RequestMetadataState::NewInstance(GRPC_ERROR_NONE, emd);
1245  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
1246  httpcli_post_should_not_be_called,
1247  httpcli_put_should_not_be_called);
1248  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
1249  kTestPath);
1250  ExecCtx::Get()->Flush();
1251  GPR_ASSERT(
1252  strcmp(creds->debug_string().c_str(), expected_creds_debug_string) == 0);
1253 
1254  creds->Unref();
1255  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
1256  gpr_free(subject_token_path);
1257 }
1258 
1259 TEST(CredentialsTest, TestStsCredsLoadTokenFailure) {
1260  const char expected_creds_debug_string[] =
1261  "StsTokenFetcherCredentials{Path:/v1/"
1262  "token-exchange,Authority:foo.com:5555,OAuth2TokenFetcherCredentials}";
1263  ExecCtx exec_ctx;
1264  auto state = RequestMetadataState::NewInstance(
1265  GRPC_ERROR_CREATE_FROM_STATIC_STRING(
1266  "Error occurred when fetching oauth2 token."),
1267  {});
1268  char* test_signed_jwt_path = write_tmp_jwt_file(test_signed_jwt);
1269  grpc_sts_credentials_options options = {
1270  test_sts_endpoint_url, // sts_endpoint_url
1271  "resource", // resource
1272  "audience", // audience
1273  "scope", // scope
1274  "requested_token_type", // requested_token_type
1275  "invalid_path", // subject_token_path
1276  test_signed_jwt_token_type, // subject_token_type
1277  nullptr, // actor_token_path
1278  nullptr // actor_token_type
1279  };
1280  grpc_call_credentials* creds = grpc_sts_credentials_create(&options, nullptr);
1281  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
1282  httpcli_post_should_not_be_called,
1283  httpcli_put_should_not_be_called);
1284  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
1285  kTestPath);
1286  GPR_ASSERT(
1287  strcmp(creds->debug_string().c_str(), expected_creds_debug_string) == 0);
1288 
1289  creds->Unref();
1290  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
1291  gpr_free(test_signed_jwt_path);
1292 }
1293 
1294 TEST(CredentialsTest, TestStsCredsHttpFailure) {
1295  const char expected_creds_debug_string[] =
1296  "StsTokenFetcherCredentials{Path:/v1/"
1297  "token-exchange,Authority:foo.com:5555,OAuth2TokenFetcherCredentials}";
1298  ExecCtx exec_ctx;
1299  auto state = RequestMetadataState::NewInstance(
1300  GRPC_ERROR_CREATE_FROM_STATIC_STRING(
1301  "Error occurred when fetching oauth2 token."),
1302  {});
1303  char* test_signed_jwt_path = write_tmp_jwt_file(test_signed_jwt);
1304  grpc_sts_credentials_options valid_options = {
1305  test_sts_endpoint_url, // sts_endpoint_url
1306  "resource", // resource
1307  "audience", // audience
1308  "scope", // scope
1309  "requested_token_type", // requested_token_type
1310  test_signed_jwt_path, // subject_token_path
1311  test_signed_jwt_token_type, // subject_token_type
1312  nullptr, // actor_token_path
1313  nullptr // actor_token_type
1314  };
1315  grpc_call_credentials* creds =
1316  grpc_sts_credentials_create(&valid_options, nullptr);
1317  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
1318  token_httpcli_post_failure,
1319  httpcli_put_should_not_be_called);
1320  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
1321  kTestPath);
1322  GPR_ASSERT(
1323  strcmp(creds->debug_string().c_str(), expected_creds_debug_string) == 0);
1324  creds->Unref();
1325  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
1326  gpr_free(test_signed_jwt_path);
1327 }
1328 
1329 void validate_jwt_encode_and_sign_params(const grpc_auth_json_key* json_key,
1330  const char* scope,
1331  gpr_timespec token_lifetime) {
1332  GPR_ASSERT(grpc_auth_json_key_is_valid(json_key));
1333  GPR_ASSERT(json_key->private_key != nullptr);
1334  GPR_ASSERT(RSA_check_key(json_key->private_key));
1335  GPR_ASSERT(json_key->type != nullptr &&
1336  strcmp(json_key->type, "service_account") == 0);
1337  GPR_ASSERT(json_key->private_key_id != nullptr &&
1338  strcmp(json_key->private_key_id,
1339  "e6b5137873db8d2ef81e06a47289e6434ec8a165") == 0);
1340  GPR_ASSERT(json_key->client_id != nullptr &&
1341  strcmp(json_key->client_id,
1342  "777-abaslkan11hlb6nmim3bpspl31ud.apps."
1343  "googleusercontent.com") == 0);
1344  GPR_ASSERT(json_key->client_email != nullptr &&
1345  strcmp(json_key->client_email,
1346  "777-abaslkan11hlb6nmim3bpspl31ud@developer."
1347  "gserviceaccount.com") == 0);
1348  if (scope != nullptr) GPR_ASSERT(strcmp(scope, test_scope) == 0);
1349  GPR_ASSERT(gpr_time_cmp(token_lifetime, grpc_max_auth_token_lifetime()) == 0);
1350 }
1351 
1352 char* encode_and_sign_jwt_success(const grpc_auth_json_key* json_key,
1353  const char* audience,
1354  gpr_timespec token_lifetime,
1355  const char* scope) {
1356  if (strcmp(audience, test_service_url_no_service_name) != 0 &&
1357  strcmp(audience, other_test_service_url_no_service_name) != 0) {
1358  return nullptr;
1359  }
1360  validate_jwt_encode_and_sign_params(json_key, scope, token_lifetime);
1361  return gpr_strdup(test_signed_jwt);
1362 }
1363 
1364 char* encode_and_sign_jwt_failure(const grpc_auth_json_key* json_key,
1365  const char* /*audience*/,
1366  gpr_timespec token_lifetime,
1367  const char* scope) {
1368  validate_jwt_encode_and_sign_params(json_key, scope, token_lifetime);
1369  return nullptr;
1370 }
1371 
1372 char* encode_and_sign_jwt_should_not_be_called(
1373  const grpc_auth_json_key* /*json_key*/, const char* /*audience*/,
1374  gpr_timespec /*token_lifetime*/, const char* /*scope*/) {
1375  GPR_ASSERT("grpc_jwt_encode_and_sign should not be called" == nullptr);
1376  return nullptr;
1377 }
1378 
1379 grpc_service_account_jwt_access_credentials* creds_as_jwt(
1380  grpc_call_credentials* creds) {
1381  GPR_ASSERT(creds != nullptr);
1382  GPR_ASSERT(creds->type() ==
1383  grpc_service_account_jwt_access_credentials::Type());
1384  return reinterpret_cast<grpc_service_account_jwt_access_credentials*>(creds);
1385 }
1386 
1387 TEST(CredentialsTest, TestJwtCredsLifetime) {
1388  char* json_key_string = test_json_key_str();
1389  const char expected_creds_debug_string_prefix[] =
1390  "JWTAccessCredentials{ExpirationTime:";
1391  // Max lifetime.
1392  grpc_call_credentials* jwt_creds =
1393  grpc_service_account_jwt_access_credentials_create(
1394  json_key_string, grpc_max_auth_token_lifetime(), nullptr);
1395  GPR_ASSERT(gpr_time_cmp(creds_as_jwt(jwt_creds)->jwt_lifetime(),
1396  grpc_max_auth_token_lifetime()) == 0);
1397  /* Check security level. */
1398  GPR_ASSERT(jwt_creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
1399  GPR_ASSERT(strncmp(expected_creds_debug_string_prefix,
1400  jwt_creds->debug_string().c_str(),
1401  strlen(expected_creds_debug_string_prefix)) == 0);
1402  grpc_call_credentials_release(jwt_creds);
1403 
1404  // Shorter lifetime.
1405  gpr_timespec token_lifetime = {10, 0, GPR_TIMESPAN};
1406  GPR_ASSERT(gpr_time_cmp(grpc_max_auth_token_lifetime(), token_lifetime) > 0);
1407  jwt_creds = grpc_service_account_jwt_access_credentials_create(
1408  json_key_string, token_lifetime, nullptr);
1409  GPR_ASSERT(gpr_time_cmp(creds_as_jwt(jwt_creds)->jwt_lifetime(),
1410  token_lifetime) == 0);
1411  GPR_ASSERT(strncmp(expected_creds_debug_string_prefix,
1412  jwt_creds->debug_string().c_str(),
1413  strlen(expected_creds_debug_string_prefix)) == 0);
1414  grpc_call_credentials_release(jwt_creds);
1415 
1416  // Cropped lifetime.
1417  gpr_timespec add_to_max = {10, 0, GPR_TIMESPAN};
1418  token_lifetime = gpr_time_add(grpc_max_auth_token_lifetime(), add_to_max);
1419  jwt_creds = grpc_service_account_jwt_access_credentials_create(
1420  json_key_string, token_lifetime, nullptr);
1421  GPR_ASSERT(gpr_time_cmp(creds_as_jwt(jwt_creds)->jwt_lifetime(),
1422  grpc_max_auth_token_lifetime()) == 0);
1423  GPR_ASSERT(strncmp(expected_creds_debug_string_prefix,
1424  jwt_creds->debug_string().c_str(),
1425  strlen(expected_creds_debug_string_prefix)) == 0);
1426  grpc_call_credentials_release(jwt_creds);
1427 
1428  gpr_free(json_key_string);
1429 }
1430 
1431 TEST(CredentialsTest, TestRemoveServiceFromJwtUri) {
1432  const char wrong_uri[] = "hello world";
1433  GPR_ASSERT(!RemoveServiceNameFromJwtUri(wrong_uri).ok());
1434  const char valid_uri[] = "https://foo.com/get/";
1435  const char expected_uri[] = "https://foo.com/";
1436  auto output = RemoveServiceNameFromJwtUri(valid_uri);
1437  GPR_ASSERT(output.ok());
1438  GPR_ASSERT(strcmp(output->c_str(), expected_uri) == 0);
1439 }
1440 
1441 TEST(CredentialsTest, TestJwtCredsSuccess) {
1442  const char expected_creds_debug_string_prefix[] =
1443  "JWTAccessCredentials{ExpirationTime:";
1444 
1445  char* json_key_string = test_json_key_str();
1446  ExecCtx exec_ctx;
1447  std::string expected_md_value = absl::StrCat("Bearer ", test_signed_jwt);
1448  std::string emd = absl::StrCat("authorization: ", expected_md_value);
1449  grpc_call_credentials* creds =
1450  grpc_service_account_jwt_access_credentials_create(
1451  json_key_string, grpc_max_auth_token_lifetime(), nullptr);
1452 
1453  /* First request: jwt_encode_and_sign should be called. */
1454  auto state = RequestMetadataState::NewInstance(GRPC_ERROR_NONE, emd);
1455  grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success);
1456  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
1457  kTestPath);
1458  ExecCtx::Get()->Flush();
1459 
1460  /* Second request: the cached token should be served directly. */
1461  state = RequestMetadataState::NewInstance(GRPC_ERROR_NONE, emd);
1462  grpc_jwt_encode_and_sign_set_override(
1463  encode_and_sign_jwt_should_not_be_called);
1464  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
1465  kTestPath);
1466  ExecCtx::Get()->Flush();
1467 
1468  /* Third request: Different service url so jwt_encode_and_sign should be
1469  called again (no caching). */
1470  state = RequestMetadataState::NewInstance(GRPC_ERROR_NONE, emd);
1471  grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_success);
1472  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestOtherAuthority,
1473  kTestOtherPath);
1474  ExecCtx::Get()->Flush();
1475  GPR_ASSERT(strncmp(expected_creds_debug_string_prefix,
1476  creds->debug_string().c_str(),
1477  strlen(expected_creds_debug_string_prefix)) == 0);
1478 
1479  creds->Unref();
1480  gpr_free(json_key_string);
1481  grpc_jwt_encode_and_sign_set_override(nullptr);
1482 }
1483 
1484 TEST(CredentialsTest, TestJwtCredsSigningFailure) {
1485  const char expected_creds_debug_string_prefix[] =
1486  "JWTAccessCredentials{ExpirationTime:";
1487  char* json_key_string = test_json_key_str();
1488  ExecCtx exec_ctx;
1489  auto state = RequestMetadataState::NewInstance(
1490  GRPC_ERROR_CREATE_FROM_STATIC_STRING("Could not generate JWT."), {});
1491  grpc_call_credentials* creds =
1492  grpc_service_account_jwt_access_credentials_create(
1493  json_key_string, grpc_max_auth_token_lifetime(), nullptr);
1494 
1495  grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_failure);
1496  state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
1497  kTestPath);
1498 
1499  gpr_free(json_key_string);
1500  GPR_ASSERT(strncmp(expected_creds_debug_string_prefix,
1501  creds->debug_string().c_str(),
1502  strlen(expected_creds_debug_string_prefix)) == 0);
1503 
1504  creds->Unref();
1505  grpc_jwt_encode_and_sign_set_override(nullptr);
1506 }
1507 
1508 void set_google_default_creds_env_var_with_file_contents(
1509  const char* file_prefix, const char* contents) {
1510  size_t contents_len = strlen(contents);
1511  char* creds_file_name;
1512  FILE* creds_file = gpr_tmpfile(file_prefix, &creds_file_name);
1513  GPR_ASSERT(creds_file_name != nullptr);
1514  GPR_ASSERT(creds_file != nullptr);
1515  GPR_ASSERT(fwrite(contents, 1, contents_len, creds_file) == contents_len);
1516  fclose(creds_file);
1517  gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, creds_file_name);
1518  gpr_free(creds_file_name);
1519 }
1520 
1521 bool test_gce_tenancy_checker(void) {
1522  g_test_gce_tenancy_checker_called = true;
1523  return g_test_is_on_gce;
1524 }
1525 
1526 std::string null_well_known_creds_path_getter(void) { return ""; }
1527 
1528 TEST(CredentialsTest, TestGoogleDefaultCredsAuthKey) {
1529  ExecCtx exec_ctx;
1530  grpc_composite_channel_credentials* creds;
1531  char* json_key = test_json_key_str();
1532  grpc_flush_cached_google_default_credentials();
1533  set_gce_tenancy_checker_for_testing(test_gce_tenancy_checker);
1534  g_test_gce_tenancy_checker_called = false;
1535  g_test_is_on_gce = true;
1536  set_google_default_creds_env_var_with_file_contents(
1537  "json_key_google_default_creds", json_key);
1538  grpc_override_well_known_credentials_path_getter(
1539  null_well_known_creds_path_getter);
1540  gpr_free(json_key);
1541  creds = reinterpret_cast<grpc_composite_channel_credentials*>(
1542  grpc_google_default_credentials_create(nullptr));
1543  auto* default_creds =
1544  reinterpret_cast<const grpc_google_default_channel_credentials*>(
1545  creds->inner_creds());
1546  GPR_ASSERT(default_creds->ssl_creds() != nullptr);
1547  auto* jwt =
1548  reinterpret_cast<const grpc_service_account_jwt_access_credentials*>(
1549  creds->call_creds());
1550  GPR_ASSERT(
1551  strcmp(jwt->key().client_id,
1552  "777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent.com") ==
1553  0);
1554  GPR_ASSERT(g_test_gce_tenancy_checker_called == false);
1555  creds->Unref();
1556  gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); /* Reset. */
1557  grpc_override_well_known_credentials_path_getter(nullptr);
1558 }
1559 
1560 TEST(CredentialsTest, TestGoogleDefaultCredsRefreshToken) {
1561  ExecCtx exec_ctx;
1562  grpc_composite_channel_credentials* creds;
1563  grpc_flush_cached_google_default_credentials();
1564  set_google_default_creds_env_var_with_file_contents(
1565  "refresh_token_google_default_creds", test_refresh_token_str);
1566  grpc_override_well_known_credentials_path_getter(
1567  null_well_known_creds_path_getter);
1568  creds = reinterpret_cast<grpc_composite_channel_credentials*>(
1569  grpc_google_default_credentials_create(nullptr));
1570  auto* default_creds =
1571  reinterpret_cast<const grpc_google_default_channel_credentials*>(
1572  creds->inner_creds());
1573  GPR_ASSERT(default_creds->ssl_creds() != nullptr);
1574  auto* refresh =
1575  reinterpret_cast<const grpc_google_refresh_token_credentials*>(
1576  creds->call_creds());
1577  GPR_ASSERT(strcmp(refresh->refresh_token().client_id,
1578  "32555999999.apps.googleusercontent.com") == 0);
1579  creds->Unref();
1580  gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); /* Reset. */
1581  grpc_override_well_known_credentials_path_getter(nullptr);
1582 }
1583 
1584 TEST(CredentialsTest, TestGoogleDefaultCredsExternalAccountCredentials) {
1585  ExecCtx exec_ctx;
1586  grpc_composite_channel_credentials* creds;
1587  grpc_flush_cached_google_default_credentials();
1588  set_google_default_creds_env_var_with_file_contents(
1589  "google_default_creds_external_account_credentials",
1590  test_external_account_credentials_str);
1591  grpc_override_well_known_credentials_path_getter(
1592  null_well_known_creds_path_getter);
1593  creds = reinterpret_cast<grpc_composite_channel_credentials*>(
1594  grpc_google_default_credentials_create(nullptr));
1595  auto* default_creds =
1596  reinterpret_cast<const grpc_google_default_channel_credentials*>(
1597  creds->inner_creds());
1598  GPR_ASSERT(default_creds->ssl_creds() != nullptr);
1599  auto* external =
1600  reinterpret_cast<const ExternalAccountCredentials*>(creds->call_creds());
1601  GPR_ASSERT(external != nullptr);
1602  creds->Unref();
1603  gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); /* Reset. */
1604  grpc_override_well_known_credentials_path_getter(nullptr);
1605 }
1606 
1607 TEST(CredentialsTest,
1608  TestGoogleDefaultCredsExternalAccountCredentialsMultiPatternSts) {
1609  ExecCtx exec_ctx;
1610  grpc_composite_channel_credentials* creds;
1611  grpc_flush_cached_google_default_credentials();
1612  set_google_default_creds_env_var_with_file_contents(
1613  "google_default_creds_external_account_credentials_multi_pattern_sts",
1614  test_external_account_credentials_multi_pattern_sts_str);
1615  grpc_override_well_known_credentials_path_getter(
1616  null_well_known_creds_path_getter);
1617  creds = reinterpret_cast<grpc_composite_channel_credentials*>(
1618  grpc_google_default_credentials_create(nullptr));
1619  auto* default_creds =
1620  reinterpret_cast<const grpc_google_default_channel_credentials*>(
1621  creds->inner_creds());
1622  GPR_ASSERT(default_creds->ssl_creds() != nullptr);
1623  auto* external =
1624  reinterpret_cast<const ExternalAccountCredentials*>(creds->call_creds());
1625  GPR_ASSERT(external != nullptr);
1626  creds->Unref();
1627  gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); /* Reset. */
1628  grpc_override_well_known_credentials_path_getter(nullptr);
1629 }
1630 
1631 TEST(CredentialsTest,
1632  TestGoogleDefaultCredsExternalAccountCredentialsMultiPatternIam) {
1633  ExecCtx exec_ctx;
1634  grpc_composite_channel_credentials* creds;
1635  grpc_flush_cached_google_default_credentials();
1636  set_google_default_creds_env_var_with_file_contents(
1637  "google_default_creds_external_account_credentials_multi_pattern_iam",
1638  test_external_account_credentials_multi_pattern_iam_str);
1639  grpc_override_well_known_credentials_path_getter(
1640  null_well_known_creds_path_getter);
1641  creds = reinterpret_cast<grpc_composite_channel_credentials*>(
1642  grpc_google_default_credentials_create(nullptr));
1643  auto* default_creds =
1644  reinterpret_cast<const grpc_google_default_channel_credentials*>(
1645  creds->inner_creds());
1646  GPR_ASSERT(default_creds->ssl_creds() != nullptr);
1647  auto* external =
1648  reinterpret_cast<const ExternalAccountCredentials*>(creds->call_creds());
1649  GPR_ASSERT(external != nullptr);
1650  creds->Unref();
1651  gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); /* Reset. */
1652  grpc_override_well_known_credentials_path_getter(nullptr);
1653 }
1654 
1655 int default_creds_metadata_server_detection_httpcli_get_success_override(
1656  const grpc_http_request* /*request*/, const char* host, const char* path,
1657  Timestamp /*deadline*/, grpc_closure* on_done,
1658  grpc_http_response* response) {
1659  *response = http_response(200, "");
1660  grpc_http_header* headers =
1661  static_cast<grpc_http_header*>(gpr_malloc(sizeof(*headers) * 1));
1662  headers[0].key = gpr_strdup("Metadata-Flavor");
1663  headers[0].value = gpr_strdup("Google");
1664  response->hdr_count = 1;
1665  response->hdrs = headers;
1666  GPR_ASSERT(strcmp(path, "/") == 0);
1667  GPR_ASSERT(strcmp(host, "metadata.google.internal.") == 0);
1668  ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
1669  return 1;
1670 }
1671 
1672 TEST(CredentialsTest, TestGoogleDefaultCredsGce) {
1673  ExecCtx exec_ctx;
1674  auto state = RequestMetadataState::NewInstance(
1675  GRPC_ERROR_NONE,
1676  "authorization: Bearer ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_");
1677  grpc_flush_cached_google_default_credentials();
1678  gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); /* Reset. */
1679  grpc_override_well_known_credentials_path_getter(
1680  null_well_known_creds_path_getter);
1681  set_gce_tenancy_checker_for_testing(test_gce_tenancy_checker);
1682  g_test_gce_tenancy_checker_called = false;
1683  g_test_is_on_gce = true;
1684 
1685  /* Simulate a successful detection of GCE. */
1686  grpc_composite_channel_credentials* creds =
1687  reinterpret_cast<grpc_composite_channel_credentials*>(
1688  grpc_google_default_credentials_create(nullptr));
1689 
1690  /* Verify that the default creds actually embeds a GCE creds. */
1691  GPR_ASSERT(creds != nullptr);
1692  GPR_ASSERT(creds->call_creds() != nullptr);
1693  HttpRequest::SetOverride(compute_engine_httpcli_get_success_override,
1694  httpcli_post_should_not_be_called,
1695  httpcli_put_should_not_be_called);
1696  state->RunRequestMetadataTest(creds->mutable_call_creds(), kTestUrlScheme,
1697  kTestAuthority, kTestPath);
1698  ExecCtx::Get()->Flush();
1699 
1700  GPR_ASSERT(g_test_gce_tenancy_checker_called == true);
1701 
1702  /* Cleanup. */
1703  creds->Unref();
1704  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
1705  grpc_override_well_known_credentials_path_getter(nullptr);
1706 }
1707 
1708 TEST(CredentialsTest, TestGoogleDefaultCredsNonGce) {
1709  ExecCtx exec_ctx;
1710  auto state = RequestMetadataState::NewInstance(
1711  GRPC_ERROR_NONE,
1712  "authorization: Bearer ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_");
1713  grpc_flush_cached_google_default_credentials();
1714  gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); /* Reset. */
1715  grpc_override_well_known_credentials_path_getter(
1716  null_well_known_creds_path_getter);
1717  set_gce_tenancy_checker_for_testing(test_gce_tenancy_checker);
1718  g_test_gce_tenancy_checker_called = false;
1719  g_test_is_on_gce = false;
1720  /* Simulate a successful detection of metadata server. */
1721  HttpRequest::SetOverride(
1722  default_creds_metadata_server_detection_httpcli_get_success_override,
1723  httpcli_post_should_not_be_called, httpcli_put_should_not_be_called);
1724  grpc_composite_channel_credentials* creds =
1725  reinterpret_cast<grpc_composite_channel_credentials*>(
1726  grpc_google_default_credentials_create(nullptr));
1727  /* Verify that the default creds actually embeds a GCE creds. */
1728  GPR_ASSERT(creds != nullptr);
1729  GPR_ASSERT(creds->call_creds() != nullptr);
1730  HttpRequest::SetOverride(compute_engine_httpcli_get_success_override,
1731  httpcli_post_should_not_be_called,
1732  httpcli_put_should_not_be_called);
1733  state->RunRequestMetadataTest(creds->mutable_call_creds(), kTestUrlScheme,
1734  kTestAuthority, kTestPath);
1735  ExecCtx::Get()->Flush();
1736  GPR_ASSERT(g_test_gce_tenancy_checker_called == true);
1737  /* Cleanup. */
1738  creds->Unref();
1739  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
1740  grpc_override_well_known_credentials_path_getter(nullptr);
1741 }
1742 
1743 int default_creds_gce_detection_httpcli_get_failure_override(
1744  const grpc_http_request* /*request*/, const char* host, const char* path,
1745  Timestamp /*deadline*/, grpc_closure* on_done,
1746  grpc_http_response* response) {
1747  /* No magic header. */
1748  GPR_ASSERT(strcmp(path, "/") == 0);
1749  GPR_ASSERT(strcmp(host, "metadata.google.internal.") == 0);
1750  *response = http_response(200, "");
1751  ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
1752  return 1;
1753 }
1754 
1755 TEST(CredentialsTest, TestNoGoogleDefaultCreds) {
1756  grpc_flush_cached_google_default_credentials();
1757  gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); /* Reset. */
1758  grpc_override_well_known_credentials_path_getter(
1759  null_well_known_creds_path_getter);
1760  set_gce_tenancy_checker_for_testing(test_gce_tenancy_checker);
1761  g_test_gce_tenancy_checker_called = false;
1762  g_test_is_on_gce = false;
1763  HttpRequest::SetOverride(
1764  default_creds_gce_detection_httpcli_get_failure_override,
1765  httpcli_post_should_not_be_called, httpcli_put_should_not_be_called);
1766  /* Simulate a successful detection of GCE. */
1767  GPR_ASSERT(grpc_google_default_credentials_create(nullptr) == nullptr);
1768  /* Try a second one. GCE detection should occur again. */
1769  g_test_gce_tenancy_checker_called = false;
1770  GPR_ASSERT(grpc_google_default_credentials_create(nullptr) == nullptr);
1771  GPR_ASSERT(g_test_gce_tenancy_checker_called == true);
1772  /* Cleanup. */
1773  grpc_override_well_known_credentials_path_getter(nullptr);
1774  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
1775 }
1776 
1777 TEST(CredentialsTest, TestGoogleDefaultCredsCallCredsSpecified) {
1778  auto state = RequestMetadataState::NewInstance(
1779  GRPC_ERROR_NONE,
1780  "authorization: Bearer ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_");
1781  ExecCtx exec_ctx;
1782  grpc_flush_cached_google_default_credentials();
1783  grpc_call_credentials* call_creds =
1784  grpc_google_compute_engine_credentials_create(nullptr);
1785  set_gce_tenancy_checker_for_testing(test_gce_tenancy_checker);
1786  g_test_gce_tenancy_checker_called = false;
1787  g_test_is_on_gce = true;
1788  HttpRequest::SetOverride(
1789  default_creds_metadata_server_detection_httpcli_get_success_override,
1790  httpcli_post_should_not_be_called, httpcli_put_should_not_be_called);
1791  grpc_composite_channel_credentials* channel_creds =
1792  reinterpret_cast<grpc_composite_channel_credentials*>(
1793  grpc_google_default_credentials_create(call_creds));
1794  GPR_ASSERT(g_test_gce_tenancy_checker_called == false);
1795  GPR_ASSERT(channel_creds != nullptr);
1796  GPR_ASSERT(channel_creds->call_creds() != nullptr);
1797  HttpRequest::SetOverride(compute_engine_httpcli_get_success_override,
1798  httpcli_post_should_not_be_called,
1799  httpcli_put_should_not_be_called);
1800  state->RunRequestMetadataTest(channel_creds->mutable_call_creds(),
1801  kTestUrlScheme, kTestAuthority, kTestPath);
1802  ExecCtx::Get()->Flush();
1803  channel_creds->Unref();
1804  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
1805 }
1806 
1807 struct fake_call_creds : public grpc_call_credentials {
1808  public:
1809  ArenaPromise<absl::StatusOr<ClientMetadataHandle>> GetRequestMetadata(
1810  ClientMetadataHandle initial_metadata,
1811  const grpc_call_credentials::GetRequestMetadataArgs*) override {
1812  initial_metadata->Append("foo", Slice::FromStaticString("oof"),
1813  [](absl::string_view, const Slice&) { abort(); });
1814  return Immediate(std::move(initial_metadata));
1815  }
1816 
1817  UniqueTypeName type() const override {
1818  static UniqueTypeName::Factory kFactory("fake");
1819  return kFactory.Create();
1820  }
1821 
1822  private:
1823  int cmp_impl(const grpc_call_credentials* other) const override {
1824  // TODO(yashykt): Check if we can do something better here
1825  return QsortCompare(static_cast<const grpc_call_credentials*>(this), other);
1826  }
1827 };
1828 
1829 TEST(CredentialsTest, TestGoogleDefaultCredsNotDefault) {
1830  auto state = RequestMetadataState::NewInstance(GRPC_ERROR_NONE, "foo: oof");
1831  ExecCtx exec_ctx;
1832  grpc_flush_cached_google_default_credentials();
1833  RefCountedPtr<grpc_call_credentials> call_creds =
1834  MakeRefCounted<fake_call_creds>();
1835  set_gce_tenancy_checker_for_testing(test_gce_tenancy_checker);
1836  g_test_gce_tenancy_checker_called = false;
1837  g_test_is_on_gce = true;
1838  HttpRequest::SetOverride(
1839  default_creds_metadata_server_detection_httpcli_get_success_override,
1840  httpcli_post_should_not_be_called, httpcli_put_should_not_be_called);
1841  grpc_composite_channel_credentials* channel_creds =
1842  reinterpret_cast<grpc_composite_channel_credentials*>(
1843  grpc_google_default_credentials_create(call_creds.release()));
1844  GPR_ASSERT(g_test_gce_tenancy_checker_called == false);
1845  GPR_ASSERT(channel_creds != nullptr);
1846  GPR_ASSERT(channel_creds->call_creds() != nullptr);
1847  state->RunRequestMetadataTest(channel_creds->mutable_call_creds(),
1848  kTestUrlScheme, kTestAuthority, kTestPath);
1849  ExecCtx::Get()->Flush();
1850  channel_creds->Unref();
1851  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
1852 }
1853 
1854 typedef enum {
1855  PLUGIN_INITIAL_STATE,
1856  PLUGIN_GET_METADATA_CALLED_STATE,
1857  PLUGIN_DESTROY_CALLED_STATE
1858 } plugin_state;
1859 
1860 const std::map<std::string, std::string> plugin_md = {{"foo", "bar"},
1861  {"hi", "there"}};
1862 
1863 int plugin_get_metadata_success(
1864  void* state, grpc_auth_metadata_context context,
1865  grpc_credentials_plugin_metadata_cb /*cb*/, void* /*user_data*/,
1866  grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
1867  size_t* num_creds_md, grpc_status_code* /*status*/,
1868  const char** /*error_details*/) {
1869  GPR_ASSERT(strcmp(context.service_url, test_service_url) == 0);
1870  GPR_ASSERT(strcmp(context.method_name, test_method) == 0);
1871  GPR_ASSERT(context.channel_auth_context == nullptr);
1872  GPR_ASSERT(context.reserved == nullptr);
1873  GPR_ASSERT(plugin_md.size() < GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX);
1874  plugin_state* s = static_cast<plugin_state*>(state);
1875  *s = PLUGIN_GET_METADATA_CALLED_STATE;
1876  size_t i = 0;
1877  for (auto const& md : plugin_md) {
1878  memset(&creds_md[i], 0, sizeof(grpc_metadata));
1879  creds_md[i].key = grpc_slice_from_copied_string(md.first.c_str());
1880  creds_md[i].value = grpc_slice_from_copied_string(md.second.c_str());
1881  i += 1;
1882  }
1883  *num_creds_md = plugin_md.size();
1884  return true; // Synchronous return.
1885 }
1886 
1887 const char* plugin_error_details = "Could not get metadata for plugin.";
1888 
1889 int plugin_get_metadata_failure(
1890  void* state, grpc_auth_metadata_context context,
1891  grpc_credentials_plugin_metadata_cb /*cb*/, void* /*user_data*/,
1892  grpc_metadata /*creds_md*/[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
1893  size_t* /*num_creds_md*/, grpc_status_code* status,
1894  const char** error_details) {
1895  GPR_ASSERT(strcmp(context.service_url, test_service_url) == 0);
1896  GPR_ASSERT(strcmp(context.method_name, test_method) == 0);
1897  GPR_ASSERT(context.channel_auth_context == nullptr);
1898  GPR_ASSERT(context.reserved == nullptr);
1899  plugin_state* s = static_cast<plugin_state*>(state);
1900  *s = PLUGIN_GET_METADATA_CALLED_STATE;
1901  *status = GRPC_STATUS_UNAUTHENTICATED;
1902  *error_details = gpr_strdup(plugin_error_details);
1903  return true; // Synchronous return.
1904 }
1905 
1906 void plugin_destroy(void* state) {
1907  plugin_state* s = static_cast<plugin_state*>(state);
1908  *s = PLUGIN_DESTROY_CALLED_STATE;
1909 }
1910 
1911 char* plugin_debug_string(void* state) {
1912  plugin_state* s = static_cast<plugin_state*>(state);
1913  char* ret = nullptr;
1914  switch (*s) {
1915  case PLUGIN_INITIAL_STATE:
1916  gpr_asprintf(&ret, "TestPluginCredentials{state:INITIAL}");
1917  break;
1918  case PLUGIN_GET_METADATA_CALLED_STATE:
1919  gpr_asprintf(&ret, "TestPluginCredentials{state:GET_METADATA_CALLED}");
1920  break;
1921  case PLUGIN_DESTROY_CALLED_STATE:
1922  gpr_asprintf(&ret, "TestPluginCredentials{state:DESTROY}");
1923  break;
1924  default:
1925  gpr_asprintf(&ret, "TestPluginCredentials{state:UNKNOWN}");
1926  break;
1927  }
1928  return ret;
1929 }
1930 
1931 TEST(CredentialsTest, TestMetadataPluginSuccess) {
1932  const char expected_creds_debug_string[] =
1933  "TestPluginCredentials{state:GET_METADATA_CALLED}";
1934  plugin_state state = PLUGIN_INITIAL_STATE;
1935  grpc_metadata_credentials_plugin plugin;
1936  ExecCtx exec_ctx;
1937  auto md_state =
1938  RequestMetadataState::NewInstance(GRPC_ERROR_NONE, "foo: bar, hi: there");
1939 
1940  plugin.state = &state;
1941  plugin.get_metadata = plugin_get_metadata_success;
1942  plugin.destroy = plugin_destroy;
1943  plugin.debug_string = plugin_debug_string;
1944 
1945  grpc_call_credentials* creds = grpc_metadata_credentials_create_from_plugin(
1946  plugin, GRPC_PRIVACY_AND_INTEGRITY, nullptr);
1947  /* Check security level. */
1948  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
1949  GPR_ASSERT(state == PLUGIN_INITIAL_STATE);
1950  md_state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
1951  kTestPath);
1952  GPR_ASSERT(state == PLUGIN_GET_METADATA_CALLED_STATE);
1953  GPR_ASSERT(
1954  strcmp(creds->debug_string().c_str(), expected_creds_debug_string) == 0);
1955  creds->Unref();
1956 
1957  GPR_ASSERT(state == PLUGIN_DESTROY_CALLED_STATE);
1958 }
1959 
1960 TEST(CredentialsTest, TestMetadataPluginFailure) {
1961  const char expected_creds_debug_string[] =
1962  "TestPluginCredentials{state:GET_METADATA_CALLED}";
1963 
1964  plugin_state state = PLUGIN_INITIAL_STATE;
1965  grpc_metadata_credentials_plugin plugin;
1966  ExecCtx exec_ctx;
1967  auto md_state = RequestMetadataState::NewInstance(
1968  GRPC_ERROR_CREATE_FROM_CPP_STRING(
1969  absl::StrCat("Getting metadata from plugin failed with error: ",
1970  plugin_error_details)),
1971  {});
1972 
1973  plugin.state = &state;
1974  plugin.get_metadata = plugin_get_metadata_failure;
1975  plugin.destroy = plugin_destroy;
1976  plugin.debug_string = plugin_debug_string;
1977 
1978  grpc_call_credentials* creds = grpc_metadata_credentials_create_from_plugin(
1979  plugin, GRPC_PRIVACY_AND_INTEGRITY, nullptr);
1980  GPR_ASSERT(state == PLUGIN_INITIAL_STATE);
1981  md_state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
1982  kTestPath);
1983  GPR_ASSERT(state == PLUGIN_GET_METADATA_CALLED_STATE);
1984  GPR_ASSERT(
1985  strcmp(creds->debug_string().c_str(), expected_creds_debug_string) == 0);
1986  creds->Unref();
1987 
1988  GPR_ASSERT(state == PLUGIN_DESTROY_CALLED_STATE);
1989 }
1990 
1991 TEST(CredentialsTest, TestGetWellKnownGoogleCredentialsFilePath) {
1992  char* home = gpr_getenv("HOME");
1993  bool restore_home_env = false;
1994 #if defined(GRPC_BAZEL_BUILD) && \
1995  (defined(GPR_POSIX_ENV) || defined(GPR_LINUX_ENV))
1996  // when running under bazel locally, the HOME variable is not set
1997  // so we set it to some fake value
1998  restore_home_env = true;
1999  gpr_setenv("HOME", "/fake/home/for/bazel");
2000 #endif /* defined(GRPC_BAZEL_BUILD) && (defined(GPR_POSIX_ENV) || \
2001  defined(GPR_LINUX_ENV)) */
2002  std::string path = grpc_get_well_known_google_credentials_file_path();
2003  GPR_ASSERT(!path.empty());
2004 #if defined(GPR_POSIX_ENV) || defined(GPR_LINUX_ENV)
2005  restore_home_env = true;
2006  gpr_unsetenv("HOME");
2007  path = grpc_get_well_known_google_credentials_file_path();
2008  GPR_ASSERT(path.empty());
2009 #endif /* GPR_POSIX_ENV || GPR_LINUX_ENV */
2010  if (restore_home_env) {
2011  if (home) {
2012  gpr_setenv("HOME", home);
2013  } else {
2014  gpr_unsetenv("HOME");
2015  }
2016  }
2017  gpr_free(home);
2018 }
2019 
2020 TEST(CredentialsTest, TestChannelCredsDuplicateWithoutCallCreds) {
2021  const char expected_creds_debug_string[] =
2022  "AccessTokenCredentials{Token:present}";
2023  ExecCtx exec_ctx;
2024 
2025  grpc_channel_credentials* channel_creds =
2026  grpc_fake_transport_security_credentials_create();
2027 
2028  RefCountedPtr<grpc_channel_credentials> dup =
2029  channel_creds->duplicate_without_call_credentials();
2030  GPR_ASSERT(dup == channel_creds);
2031  dup.reset();
2032 
2033  grpc_call_credentials* call_creds =
2034  grpc_access_token_credentials_create("blah", nullptr);
2035  grpc_channel_credentials* composite_creds =
2036  grpc_composite_channel_credentials_create(channel_creds, call_creds,
2037  nullptr);
2038  GPR_ASSERT(strcmp(call_creds->debug_string().c_str(),
2039  expected_creds_debug_string) == 0);
2040 
2041  call_creds->Unref();
2042  dup = composite_creds->duplicate_without_call_credentials();
2043  GPR_ASSERT(dup == channel_creds);
2044  dup.reset();
2045 
2046  channel_creds->Unref();
2047  composite_creds->Unref();
2048 }
2049 
2050 typedef struct {
2051  const char* url_scheme;
2052  const char* call_host;
2053  const char* call_method;
2054  const char* desired_service_url;
2055  const char* desired_method_name;
2056 } auth_metadata_context_test_case;
2057 
2058 void auth_metadata_context_build(const char* url_scheme,
2059  const grpc_slice& call_host,
2060  const grpc_slice& call_method,
2061  grpc_auth_context* auth_context,
2062  grpc_auth_metadata_context* auth_md_context) {
2063  char* service = grpc_slice_to_c_string(call_method);
2064  char* last_slash = strrchr(service, '/');
2065  char* method_name = nullptr;
2066  char* service_url = nullptr;
2067  grpc_auth_metadata_context_reset(auth_md_context);
2068  if (last_slash == nullptr) {
2069  gpr_log(GPR_ERROR, "No '/' found in fully qualified method name");
2070  service[0] = '\0';
2071  method_name = gpr_strdup("");
2072  } else if (last_slash == service) {
2073  method_name = gpr_strdup("");
2074  } else {
2075  *last_slash = '\0';
2076  method_name = gpr_strdup(last_slash + 1);
2077  }
2078  char* host_and_port = grpc_slice_to_c_string(call_host);
2079  if (url_scheme != nullptr && strcmp(url_scheme, GRPC_SSL_URL_SCHEME) == 0) {
2080  /* Remove the port if it is 443. */
2081  char* port_delimiter = strrchr(host_and_port, ':');
2082  if (port_delimiter != nullptr && strcmp(port_delimiter + 1, "443") == 0) {
2083  *port_delimiter = '\0';
2084  }
2085  }
2086  gpr_asprintf(&service_url, "%s://%s%s",
2087  url_scheme == nullptr ? "" : url_scheme, host_and_port, service);
2088  auth_md_context->service_url = service_url;
2089  auth_md_context->method_name = method_name;
2090  auth_md_context->channel_auth_context =
2091  auth_context == nullptr
2092  ? nullptr
2093  : auth_context->Ref(DEBUG_LOCATION, "grpc_auth_metadata_context")
2094  .release();
2095  gpr_free(service);
2096  gpr_free(host_and_port);
2097 }
2098 
2099 TEST(CredentialsTest, TestAuthMetadataContext) {
2100  auth_metadata_context_test_case test_cases[] = {
2101  // No service nor method.
2102  {"https", "www.foo.com", "", "https://www.foo.com", ""},
2103  // No method.
2104  {"https", "www.foo.com", "/Service", "https://www.foo.com/Service", ""},
2105  // Empty service and method.
2106  {"https", "www.foo.com", "//", "https://www.foo.com/", ""},
2107  // Empty method.
2108  {"https", "www.foo.com", "/Service/", "https://www.foo.com/Service", ""},
2109  // Malformed url.
2110  {"https", "www.foo.com:", "/Service/", "https://www.foo.com:/Service",
2111  ""},
2112  // https, default explicit port.
2113  {"https", "www.foo.com:443", "/Service/FooMethod",
2114  "https://www.foo.com/Service", "FooMethod"},
2115  // https, default implicit port.
2116  {"https", "www.foo.com", "/Service/FooMethod",
2117  "https://www.foo.com/Service", "FooMethod"},
2118  // https with ipv6 literal, default explicit port.
2119  {"https", "[1080:0:0:0:8:800:200C:417A]:443", "/Service/FooMethod",
2120  "https://[1080:0:0:0:8:800:200C:417A]/Service", "FooMethod"},
2121  // https with ipv6 literal, default implicit port.
2122  {"https", "[1080:0:0:0:8:800:200C:443]", "/Service/FooMethod",
2123  "https://[1080:0:0:0:8:800:200C:443]/Service", "FooMethod"},
2124  // https, custom port.
2125  {"https", "www.foo.com:8888", "/Service/FooMethod",
2126  "https://www.foo.com:8888/Service", "FooMethod"},
2127  // https with ipv6 literal, custom port.
2128  {"https", "[1080:0:0:0:8:800:200C:417A]:8888", "/Service/FooMethod",
2129  "https://[1080:0:0:0:8:800:200C:417A]:8888/Service", "FooMethod"},
2130  // custom url scheme, https default port.
2131  {"blah", "www.foo.com:443", "/Service/FooMethod",
2132  "blah://www.foo.com:443/Service", "FooMethod"}};
2133  for (uint32_t i = 0; i < GPR_ARRAY_SIZE(test_cases); i++) {
2134  const char* url_scheme = test_cases[i].url_scheme;
2135  grpc_slice call_host =
2136  grpc_slice_from_copied_string(test_cases[i].call_host);
2137  grpc_slice call_method =
2138  grpc_slice_from_copied_string(test_cases[i].call_method);
2139  grpc_auth_metadata_context auth_md_context;
2140  memset(&auth_md_context, 0, sizeof(auth_md_context));
2141  auth_metadata_context_build(url_scheme, call_host, call_method, nullptr,
2142  &auth_md_context);
2143  if (strcmp(auth_md_context.service_url,
2144  test_cases[i].desired_service_url) != 0) {
2145  gpr_log(GPR_ERROR, "Invalid service url, want: %s, got %s.",
2146  test_cases[i].desired_service_url, auth_md_context.service_url);
2147  GPR_ASSERT(false);
2148  }
2149  if (strcmp(auth_md_context.method_name,
2150  test_cases[i].desired_method_name) != 0) {
2151  gpr_log(GPR_ERROR, "Invalid method name, want: %s, got %s.",
2152  test_cases[i].desired_method_name, auth_md_context.method_name);
2153  GPR_ASSERT(false);
2154  }
2155  GPR_ASSERT(auth_md_context.channel_auth_context == nullptr);
2156  grpc_slice_unref(call_host);
2157  grpc_slice_unref(call_method);
2158  grpc_auth_metadata_context_reset(&auth_md_context);
2159  }
2160 }
2161 
2162 void validate_external_account_creds_token_exchage_request(
2163  const grpc_http_request* request, const char* host, const char* path,
2164  const char* body, size_t body_size, bool /*expect_actor_token*/) {
2165  // Check that the body is constructed properly.
2166  GPR_ASSERT(body != nullptr);
2167  GPR_ASSERT(body_size != 0);
2168  std::string get_url_equivalent =
2169  absl::StrFormat("%s?%s", "https://foo.com:5555/token", body);
2170  absl::StatusOr<URI> uri = URI::Parse(get_url_equivalent);
2171  if (!uri.ok()) {
2172  gpr_log(GPR_ERROR, "%s", uri.status().ToString().c_str());
2173  GPR_ASSERT(uri.ok());
2174  }
2175  assert_query_parameters(*uri, "audience", "audience");
2176  assert_query_parameters(*uri, "grant_type",
2177  "urn:ietf:params:oauth:grant-type:token-exchange");
2178  assert_query_parameters(*uri, "requested_token_type",
2179  "urn:ietf:params:oauth:token-type:access_token");
2180  assert_query_parameters(*uri, "subject_token", "test_subject_token");
2181  assert_query_parameters(*uri, "subject_token_type", "subject_token_type");
2182  assert_query_parameters(*uri, "scope",
2183  "https://www.googleapis.com/auth/cloud-platform");
2184 
2185  // Check the rest of the request.
2186  GPR_ASSERT(strcmp(host, "foo.com:5555") == 0);
2187  GPR_ASSERT(strcmp(path, "/token") == 0);
2188  GPR_ASSERT(request->hdr_count == 2);
2189  GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0);
2190  GPR_ASSERT(
2191  strcmp(request->hdrs[0].value, "application/x-www-form-urlencoded") == 0);
2192  GPR_ASSERT(strcmp(request->hdrs[1].key, "Authorization") == 0);
2193  GPR_ASSERT(strcmp(request->hdrs[1].value,
2194  "Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=") == 0);
2195 }
2196 
2197 void validate_external_account_creds_token_exchage_request_with_url_encode(
2198  const grpc_http_request* request, const char* host, const char* path,
2199  const char* body, size_t body_size, bool /*expect_actor_token*/) {
2200  // Check that the body is constructed properly.
2201  GPR_ASSERT(body != nullptr);
2202  GPR_ASSERT(body_size != 0);
2203  GPR_ASSERT(
2204  strcmp(
2205  std::string(body, body_size).c_str(),
2206  "audience=audience_!%40%23%24&grant_type=urn%3Aietf%3Aparams%3Aoauth%"
2207  "3Agrant-type%3Atoken-exchange&requested_token_type=urn%3Aietf%"
2208  "3Aparams%3Aoauth%3Atoken-type%3Aaccess_token&subject_token_type="
2209  "subject_token_type_!%40%23%24&subject_token=test_subject_token&"
2210  "scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform&"
2211  "options=%7B%7D") == 0);
2212 
2213  // Check the rest of the request.
2214  GPR_ASSERT(strcmp(host, "foo.com:5555") == 0);
2215  GPR_ASSERT(strcmp(path, "/token_url_encode") == 0);
2216  GPR_ASSERT(request->hdr_count == 2);
2217  GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0);
2218  GPR_ASSERT(
2219  strcmp(request->hdrs[0].value, "application/x-www-form-urlencoded") == 0);
2220  GPR_ASSERT(strcmp(request->hdrs[1].key, "Authorization") == 0);
2221  GPR_ASSERT(strcmp(request->hdrs[1].value,
2222  "Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=") == 0);
2223 }
2224 
2225 void validate_external_account_creds_service_account_impersonation_request(
2226  const grpc_http_request* request, const char* host, const char* path,
2227  const char* body, size_t body_size, bool /*expect_actor_token*/) {
2228  // Check that the body is constructed properly.
2229  GPR_ASSERT(body != nullptr);
2230  GPR_ASSERT(body_size != 0);
2231  GPR_ASSERT(strcmp(body, "scope=scope_1 scope_2") == 0);
2232  // Check the rest of the request.
2233  GPR_ASSERT(strcmp(host, "foo.com:5555") == 0);
2234  GPR_ASSERT(strcmp(path, "/service_account_impersonation") == 0);
2235  GPR_ASSERT(request->hdr_count == 2);
2236  GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0);
2237  GPR_ASSERT(
2238  strcmp(request->hdrs[0].value, "application/x-www-form-urlencoded") == 0);
2239  GPR_ASSERT(strcmp(request->hdrs[1].key, "Authorization") == 0);
2240  GPR_ASSERT(strcmp(request->hdrs[1].value,
2241  "Bearer token_exchange_access_token") == 0);
2242 }
2243 
2244 int external_account_creds_httpcli_post_success(
2245  const grpc_http_request* request, const char* host, const char* path,
2246  const char* body, size_t body_size, Timestamp /*deadline*/,
2247  grpc_closure* on_done, grpc_http_response* response) {
2248  if (strcmp(path, "/token") == 0) {
2249  validate_external_account_creds_token_exchage_request(
2250  request, host, path, body, body_size, true);
2251  *response = http_response(
2252  200, valid_external_account_creds_token_exchange_response);
2253  } else if (strcmp(path, "/service_account_impersonation") == 0) {
2254  validate_external_account_creds_service_account_impersonation_request(
2255  request, host, path, body, body_size, true);
2256  *response = http_response(
2257  200,
2258  valid_external_account_creds_service_account_impersonation_response);
2259  } else if (strcmp(path, "/token_url_encode") == 0) {
2260  validate_external_account_creds_token_exchage_request_with_url_encode(
2261  request, host, path, body, body_size, true);
2262  *response = http_response(
2263  200, valid_external_account_creds_token_exchange_response);
2264  }
2265  ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
2266  return 1;
2267 }
2268 
2269 int external_account_creds_httpcli_post_failure_token_exchange_response_missing_access_token(
2270  const grpc_http_request* /*request*/, const char* /*host*/,
2271  const char* path, const char* /*body*/, size_t /*body_size*/,
2272  Timestamp /*deadline*/, grpc_closure* on_done,
2273  grpc_http_response* response) {
2274  if (strcmp(path, "/token") == 0) {
2275  *response = http_response(200,
2276  "{\"not_access_token\":\"not_access_token\","
2277  "\"expires_in\":3599,"
2278  " \"token_type\":\"Bearer\"}");
2279  } else if (strcmp(path, "/service_account_impersonation") == 0) {
2280  *response = http_response(
2281  200,
2282  valid_external_account_creds_service_account_impersonation_response);
2283  }
2284  ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
2285  return 1;
2286 }
2287 
2288 int url_external_account_creds_httpcli_get_success(
2289  const grpc_http_request* /*request*/, const char* /*host*/,
2290  const char* path, Timestamp /*deadline*/, grpc_closure* on_done,
2291  grpc_http_response* response) {
2292  if (strcmp(path, "/generate_subject_token_format_text") == 0) {
2293  *response = http_response(
2294  200,
2295  valid_url_external_account_creds_retrieve_subject_token_response_format_text);
2296  } else if (strcmp(path, "/path/to/url/creds?p1=v1&p2=v2") == 0) {
2297  *response = http_response(
2298  200,
2299  valid_url_external_account_creds_retrieve_subject_token_response_format_text);
2300  } else if (strcmp(path, "/generate_subject_token_format_json") == 0) {
2301  *response = http_response(
2302  200,
2303  valid_url_external_account_creds_retrieve_subject_token_response_format_json);
2304  }
2305  ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
2306  return 1;
2307 }
2308 
2309 void validate_aws_external_account_creds_token_exchage_request(
2310  const grpc_http_request* request, const char* host, const char* path,
2311  const char* body, size_t body_size, bool /*expect_actor_token*/) {
2312  // Check that the body is constructed properly.
2313  GPR_ASSERT(body != nullptr);
2314  GPR_ASSERT(body_size != 0);
2315  // Check that the regional_cred_verification_url got constructed
2316  // with the correct AWS Region ("test_regionz" or "test_region").
2317  GPR_ASSERT(strstr(body, "regional_cred_verification_url_test_region"));
2318  std::string get_url_equivalent =
2319  absl::StrFormat("%s?%s", "https://foo.com:5555/token", body);
2320  absl::StatusOr<URI> uri = URI::Parse(get_url_equivalent);
2321  GPR_ASSERT(uri.ok());
2322  assert_query_parameters(*uri, "audience", "audience");
2323  assert_query_parameters(*uri, "grant_type",
2324  "urn:ietf:params:oauth:grant-type:token-exchange");
2325  assert_query_parameters(*uri, "requested_token_type",
2326  "urn:ietf:params:oauth:token-type:access_token");
2327  assert_query_parameters(*uri, "subject_token_type", "subject_token_type");
2328  assert_query_parameters(*uri, "scope",
2329  "https://www.googleapis.com/auth/cloud-platform");
2330  // Check the rest of the request.
2331  GPR_ASSERT(strcmp(host, "foo.com:5555") == 0);
2332  GPR_ASSERT(strcmp(path, "/token") == 0);
2333  GPR_ASSERT(request->hdr_count == 2);
2334  GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0);
2335  GPR_ASSERT(
2336  strcmp(request->hdrs[0].value, "application/x-www-form-urlencoded") == 0);
2337  GPR_ASSERT(strcmp(request->hdrs[1].key, "Authorization") == 0);
2338  GPR_ASSERT(strcmp(request->hdrs[1].value,
2339  "Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=") == 0);
2340 }
2341 
2342 int aws_external_account_creds_httpcli_get_success(
2343  const grpc_http_request* /*request*/, const char* /*host*/,
2344  const char* path, Timestamp /*deadline*/, grpc_closure* on_done,
2345  grpc_http_response* response) {
2346  if (strcmp(path, "/region_url") == 0) {
2347  *response = http_response(200, "test_regionz");
2348  } else if (strcmp(path, "/url") == 0) {
2349  *response = http_response(200, "test_role_name");
2350  } else if (strcmp(path, "/url_no_role_name") == 0) {
2351  *response = http_response(200, "");
2352  } else if (strcmp(path, "/url/test_role_name") == 0) {
2353  *response = http_response(
2354  200, valid_aws_external_account_creds_retrieve_signing_keys_response);
2355  }
2356  ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
2357  return 1;
2358 }
2359 
2360 int aws_imdsv2_external_account_creds_httpcli_get_success(
2361  const grpc_http_request* request, const char* host, const char* path,
2362  Timestamp deadline, grpc_closure* on_done, grpc_http_response* response) {
2363  GPR_ASSERT(request->hdr_count == 1);
2364  GPR_ASSERT(strcmp(request->hdrs[0].key, "x-aws-ec2-metadata-token") == 0);
2365  GPR_ASSERT(strcmp(request->hdrs[0].value, aws_imdsv2_session_token) == 0);
2366  return aws_external_account_creds_httpcli_get_success(
2367  request, host, path, deadline, on_done, response);
2368 }
2369 
2370 int aws_imdsv2_external_account_creds_httpcli_put_success(
2371  const grpc_http_request* request, const char* /*host*/, const char* path,
2372  const char* /*body*/, size_t /*body_size*/, Timestamp /*deadline*/,
2373  grpc_closure* on_done, grpc_http_response* response) {
2374  GPR_ASSERT(request->hdr_count == 1);
2375  GPR_ASSERT(strcmp(request->hdrs[0].key,
2376  "x-aws-ec2-metadata-token-ttl-seconds") == 0);
2377  GPR_ASSERT(strcmp(request->hdrs[0].value, "300") == 0);
2378  GPR_ASSERT(strcmp(path, "/imdsv2_session_token_url") == 0);
2379  *response = http_response(200, aws_imdsv2_session_token);
2380  ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
2381  return 1;
2382 }
2383 
2384 int aws_external_account_creds_httpcli_post_success(
2385  const grpc_http_request* request, const char* host, const char* path,
2386  const char* body, size_t body_size, Timestamp /*deadline*/,
2387  grpc_closure* on_done, grpc_http_response* response) {
2388  if (strcmp(path, "/token") == 0) {
2389  validate_aws_external_account_creds_token_exchage_request(
2390  request, host, path, body, body_size, true);
2391  *response = http_response(
2392  200, valid_external_account_creds_token_exchange_response);
2393  }
2394  ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
2395  return 1;
2396 }
2397 
2398 // The subclass of ExternalAccountCredentials for testing.
2399 // ExternalAccountCredentials is an abstract class so we can't directly test
2400 // against it.
2401 class TestExternalAccountCredentials final : public ExternalAccountCredentials {
2402  public:
2403  TestExternalAccountCredentials(Options options,
2404  std::vector<std::string> scopes)
2405  : ExternalAccountCredentials(std::move(options), std::move(scopes)) {}
2406 
2407  protected:
2408  void RetrieveSubjectToken(
2409  HTTPRequestContext* /*ctx*/, const Options& /*options*/,
2410  std::function<void(std::string, grpc_error_handle)> cb) override {
2411  cb("test_subject_token", GRPC_ERROR_NONE);
2412  }
2413 };
2414 
2415 TEST(CredentialsTest, TestExternalAccountCredsSuccess) {
2416  ExecCtx exec_ctx;
2417  Json credential_source("");
2418  TestExternalAccountCredentials::Options options = {
2419  "external_account", // type;
2420  "audience", // audience;
2421  "subject_token_type", // subject_token_type;
2422  "", // service_account_impersonation_url;
2423  "https://foo.com:5555/token", // token_url;
2424  "https://foo.com:5555/token_info", // token_info_url;
2425  credential_source, // credential_source;
2426  "quota_project_id", // quota_project_id;
2427  "client_id", // client_id;
2428  "client_secret", // client_secret;
2429  "", // workforce_pool_user_project;
2430  };
2431  TestExternalAccountCredentials creds(options, {});
2432  /* Check security level. */
2433  GPR_ASSERT(creds.min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
2434  /* First request: http put should be called. */
2435  auto state = RequestMetadataState::NewInstance(
2436  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
2437  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
2438  external_account_creds_httpcli_post_success,
2439  httpcli_put_should_not_be_called);
2440  state->RunRequestMetadataTest(&creds, kTestUrlScheme, kTestAuthority,
2441  kTestPath);
2442  ExecCtx::Get()->Flush();
2443  /* Second request: the cached token should be served directly. */
2444  state = RequestMetadataState::NewInstance(
2445  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
2446  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
2447  httpcli_post_should_not_be_called,
2448  httpcli_put_should_not_be_called);
2449  state->RunRequestMetadataTest(&creds, kTestUrlScheme, kTestAuthority,
2450  kTestPath);
2451  ExecCtx::Get()->Flush();
2452  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
2453 }
2454 
2455 TEST(CredentialsTest, TestExternalAccountCredsSuccessWithUrlEncode) {
2456  std::map<std::string, std::string> emd = {
2457  {"authorization", "Bearer token_exchange_access_token"}};
2458  ExecCtx exec_ctx;
2459  Json credential_source("");
2460  TestExternalAccountCredentials::Options options = {
2461  "external_account", // type;
2462  "audience_!@#$", // audience;
2463  "subject_token_type_!@#$", // subject_token_type;
2464  "", // service_account_impersonation_url;
2465  "https://foo.com:5555/token_url_encode", // token_url;
2466  "https://foo.com:5555/token_info", // token_info_url;
2467  credential_source, // credential_source;
2468  "quota_project_id", // quota_project_id;
2469  "client_id", // client_id;
2470  "client_secret", // client_secret;
2471  "", // workforce_pool_user_project;
2472  };
2473  TestExternalAccountCredentials creds(options, {});
2474  auto state = RequestMetadataState::NewInstance(
2475  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
2476  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
2477  external_account_creds_httpcli_post_success,
2478  httpcli_put_should_not_be_called);
2479  state->RunRequestMetadataTest(&creds, kTestUrlScheme, kTestAuthority,
2480  kTestPath);
2481  ExecCtx::Get()->Flush();
2482  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
2483 }
2484 
2485 TEST(CredentialsTest,
2486  TestExternalAccountCredsSuccessWithServiceAccountImpersonation) {
2487  ExecCtx exec_ctx;
2488  Json credential_source("");
2489  TestExternalAccountCredentials::Options options = {
2490  "external_account", // type;
2491  "audience", // audience;
2492  "subject_token_type", // subject_token_type;
2493  "https://foo.com:5555/service_account_impersonation", // service_account_impersonation_url;
2494  "https://foo.com:5555/token", // token_url;
2495  "https://foo.com:5555/token_info", // token_info_url;
2496  credential_source, // credential_source;
2497  "quota_project_id", // quota_project_id;
2498  "client_id", // client_id;
2499  "client_secret", // client_secret;
2500  "", // workforce_pool_user_project;
2501  };
2502  TestExternalAccountCredentials creds(options, {"scope_1", "scope_2"});
2503  /* Check security level. */
2504  GPR_ASSERT(creds.min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
2505  /* First request: http put should be called. */
2506  auto state = RequestMetadataState::NewInstance(
2507  GRPC_ERROR_NONE,
2508  "authorization: Bearer service_account_impersonation_access_token");
2509  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
2510  external_account_creds_httpcli_post_success,
2511  httpcli_put_should_not_be_called);
2512  state->RunRequestMetadataTest(&creds, kTestUrlScheme, kTestAuthority,
2513  kTestPath);
2514  ExecCtx::Get()->Flush();
2515  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
2516 }
2517 
2518 TEST(CredentialsTest, TestExternalAccountCredsFailureInvalidTokenUrl) {
2519  ExecCtx exec_ctx;
2520  Json credential_source("");
2521  TestExternalAccountCredentials::Options options = {
2522  "external_account", // type;
2523  "audience", // audience;
2524  "subject_token_type", // subject_token_type;
2525  "https://foo.com:5555/service_account_impersonation", // service_account_impersonation_url;
2526  "invalid_token_url", // token_url;
2527  "https://foo.com:5555/token_info", // token_info_url;
2528  credential_source, // credential_source;
2529  "quota_project_id", // quota_project_id;
2530  "client_id", // client_id;
2531  "client_secret", // client_secret;
2532  "", // workforce_pool_user_project;
2533  };
2534  TestExternalAccountCredentials creds(options, {});
2535  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
2536  httpcli_post_should_not_be_called,
2537  httpcli_put_should_not_be_called);
2538  grpc_error_handle error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
2539  "Invalid token url: invalid_token_url.");
2540  grpc_error_handle expected_error =
2541  GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
2542  "Error occurred when fetching oauth2 token.", &error, 1);
2543  auto state = RequestMetadataState::NewInstance(expected_error, {});
2544  state->RunRequestMetadataTest(&creds, kTestUrlScheme, kTestAuthority,
2545  kTestPath);
2546  GRPC_ERROR_UNREF(error);
2547  ExecCtx::Get()->Flush();
2548  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
2549 }
2550 
2551 TEST(CredentialsTest,
2552  TestExternalAccountCredsFailureInvalidServiceAccountImpersonationUrl) {
2553  ExecCtx exec_ctx;
2554  Json credential_source("");
2555  TestExternalAccountCredentials::Options options = {
2556  "external_account", // type;
2557  "audience", // audience;
2558  "subject_token_type", // subject_token_type;
2559  "invalid_service_account_impersonation_url", // service_account_impersonation_url;
2560  "https://foo.com:5555/token", // token_url;
2561  "https://foo.com:5555/token_info", // token_info_url;
2562  credential_source, // credential_source;
2563  "quota_project_id", // quota_project_id;
2564  "client_id", // client_id;
2565  "client_secret", // client_secret;
2566  "", // workforce_pool_user_project;
2567  };
2568  TestExternalAccountCredentials creds(options, {});
2569  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
2570  external_account_creds_httpcli_post_success,
2571  httpcli_put_should_not_be_called);
2572  grpc_error_handle error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
2573  "Invalid service account impersonation url: "
2574  "invalid_service_account_impersonation_url.");
2575  grpc_error_handle expected_error =
2576  GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
2577  "Error occurred when fetching oauth2 token.", &error, 1);
2578  auto state = RequestMetadataState::NewInstance(expected_error, {});
2579  state->RunRequestMetadataTest(&creds, kTestUrlScheme, kTestAuthority,
2580  kTestPath);
2581  GRPC_ERROR_UNREF(error);
2582  ExecCtx::Get()->Flush();
2583  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
2584 }
2585 
2586 TEST(CredentialsTest,
2587  TestExternalAccountCredsFailureTokenExchangeResponseMissingAccessToken) {
2588  ExecCtx exec_ctx;
2589  Json credential_source("");
2590  TestExternalAccountCredentials::Options options = {
2591  "external_account", // type;
2592  "audience", // audience;
2593  "subject_token_type", // subject_token_type;
2594  "https://foo.com:5555/service_account_impersonation", // service_account_impersonation_url;
2595  "https://foo.com:5555/token", // token_url;
2596  "https://foo.com:5555/token_info", // token_info_url;
2597  credential_source, // credential_source;
2598  "quota_project_id", // quota_project_id;
2599  "client_id", // client_id;
2600  "client_secret", // client_secret;
2601  "", // workforce_pool_user_project;
2602  };
2603  TestExternalAccountCredentials creds(options, {});
2604  HttpRequest::SetOverride(
2605  httpcli_get_should_not_be_called,
2606  external_account_creds_httpcli_post_failure_token_exchange_response_missing_access_token,
2607  httpcli_put_should_not_be_called);
2608  grpc_error_handle error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
2609  "Missing or invalid access_token in "
2610  "{\"not_access_token\":\"not_access_token\",\"expires_in\":3599,\"token_"
2611  "type\":\"Bearer\"}.");
2612  grpc_error_handle expected_error =
2613  GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
2614  "Error occurred when fetching oauth2 token.", &error, 1);
2615  auto state = RequestMetadataState::NewInstance(expected_error, {});
2616  state->RunRequestMetadataTest(&creds, kTestUrlScheme, kTestAuthority,
2617  kTestPath);
2618  GRPC_ERROR_UNREF(error);
2619  ExecCtx::Get()->Flush();
2620  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
2621 }
2622 
2623 TEST(CredentialsTest, TestUrlExternalAccountCredsSuccessFormatText) {
2624  ExecCtx exec_ctx;
2625  grpc_error_handle error = GRPC_ERROR_NONE;
2626  Json credential_source = Json::Parse(
2627  valid_url_external_account_creds_options_credential_source_format_text,
2628  &error);
2629  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2630  ExternalAccountCredentials::Options options = {
2631  "external_account", // type;
2632  "audience", // audience;
2633  "subject_token_type", // subject_token_type;
2634  "", // service_account_impersonation_url;
2635  "https://foo.com:5555/token", // token_url;
2636  "https://foo.com:5555/token_info", // token_info_url;
2637  credential_source, // credential_source;
2638  "quota_project_id", // quota_project_id;
2639  "client_id", // client_id;
2640  "client_secret", // client_secret;
2641  "", // workforce_pool_user_project;
2642  };
2643  auto creds = UrlExternalAccountCredentials::Create(options, {}, &error);
2644  GPR_ASSERT(creds != nullptr);
2645  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2646  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
2647  auto state = RequestMetadataState::NewInstance(
2648  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
2649  HttpRequest::SetOverride(url_external_account_creds_httpcli_get_success,
2650  external_account_creds_httpcli_post_success,
2651  httpcli_put_should_not_be_called);
2652  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
2653  kTestPath);
2654  ExecCtx::Get()->Flush();
2655  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
2656 }
2657 
2658 TEST(CredentialsTest,
2659  TestUrlExternalAccountCredsSuccessWithQureyParamsFormatText) {
2660  std::map<std::string, std::string> emd = {
2661  {"authorization", "Bearer token_exchange_access_token"}};
2662  ExecCtx exec_ctx;
2663  grpc_error_handle error = GRPC_ERROR_NONE;
2664  Json credential_source = Json::Parse(
2665  valid_url_external_account_creds_options_credential_source_with_qurey_params_format_text,
2666  &error);
2667  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2668  ExternalAccountCredentials::Options options = {
2669  "external_account", // type;
2670  "audience", // audience;
2671  "subject_token_type", // subject_token_type;
2672  "", // service_account_impersonation_url;
2673  "https://foo.com:5555/token", // token_url;
2674  "https://foo.com:5555/token_info", // token_info_url;
2675  credential_source, // credential_source;
2676  "quota_project_id", // quota_project_id;
2677  "client_id", // client_id;
2678  "client_secret", // client_secret;
2679  "", // workforce_pool_user_project;
2680  };
2681  auto creds = UrlExternalAccountCredentials::Create(options, {}, &error);
2682  GPR_ASSERT(creds != nullptr);
2683  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2684  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
2685  auto state = RequestMetadataState::NewInstance(
2686  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
2687  HttpRequest::SetOverride(url_external_account_creds_httpcli_get_success,
2688  external_account_creds_httpcli_post_success,
2689  httpcli_put_should_not_be_called);
2690  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
2691  kTestPath);
2692  ExecCtx::Get()->Flush();
2693  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
2694 }
2695 
2696 TEST(CredentialsTest, TestUrlExternalAccountCredsSuccessFormatJson) {
2697  ExecCtx exec_ctx;
2698  grpc_error_handle error = GRPC_ERROR_NONE;
2699  Json credential_source = Json::Parse(
2700  valid_url_external_account_creds_options_credential_source_format_json,
2701  &error);
2702  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2703  ExternalAccountCredentials::Options options = {
2704  "external_account", // type;
2705  "audience", // audience;
2706  "subject_token_type", // subject_token_type;
2707  "", // service_account_impersonation_url;
2708  "https://foo.com:5555/token", // token_url;
2709  "https://foo.com:5555/token_info", // token_info_url;
2710  credential_source, // credential_source;
2711  "quota_project_id", // quota_project_id;
2712  "client_id", // client_id;
2713  "client_secret", // client_secret;
2714  "", // workforce_pool_user_project;
2715  };
2716  auto creds = UrlExternalAccountCredentials::Create(options, {}, &error);
2717  GPR_ASSERT(creds != nullptr);
2718  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2719  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
2720  auto state = RequestMetadataState::NewInstance(
2721  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
2722  HttpRequest::SetOverride(url_external_account_creds_httpcli_get_success,
2723  external_account_creds_httpcli_post_success,
2724  httpcli_put_should_not_be_called);
2725  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
2726  kTestPath);
2727  ExecCtx::Get()->Flush();
2728  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
2729 }
2730 
2731 TEST(CredentialsTest,
2732  TestUrlExternalAccountCredsFailureInvalidCredentialSourceUrl) {
2733  grpc_error_handle error = GRPC_ERROR_NONE;
2734  Json credential_source = Json::Parse(
2735  invalid_url_external_account_creds_options_credential_source, &error);
2736  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2737  ExternalAccountCredentials::Options options = {
2738  "external_account", // type;
2739  "audience", // audience;
2740  "subject_token_type", // subject_token_type;
2741  "", // service_account_impersonation_url;
2742  "https://foo.com:5555/token", // token_url;
2743  "https://foo.com:5555/token_info", // token_info_url;
2744  credential_source, // credential_source;
2745  "quota_project_id", // quota_project_id;
2746  "client_id", // client_id;
2747  "client_secret", // client_secret;
2748  "", // workforce_pool_user_project;
2749  };
2750  auto creds = UrlExternalAccountCredentials::Create(options, {}, &error);
2751  GPR_ASSERT(creds == nullptr);
2752  std::string actual_error;
2753  GPR_ASSERT(
2754  grpc_error_get_str(error, GRPC_ERROR_STR_DESCRIPTION, &actual_error));
2755  GPR_ASSERT(absl::StartsWith(actual_error, "Invalid credential source url."));
2756  GRPC_ERROR_UNREF(error);
2757 }
2758 
2759 TEST(CredentialsTest, TestFileExternalAccountCredsSuccessFormatText) {
2760  ExecCtx exec_ctx;
2761  grpc_error_handle error = GRPC_ERROR_NONE;
2762  char* subject_token_path = write_tmp_jwt_file("test_subject_token");
2763  Json credential_source = Json::Parse(
2764  absl::StrFormat(
2765  "{\"file\":\"%s\"}",
2766  absl::StrReplaceAll(subject_token_path, {{"\\", "\\\\"}})),
2767  &error);
2768  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2769  ExternalAccountCredentials::Options options = {
2770  "external_account", // type;
2771  "audience", // audience;
2772  "subject_token_type", // subject_token_type;
2773  "", // service_account_impersonation_url;
2774  "https://foo.com:5555/token", // token_url;
2775  "https://foo.com:5555/token_info", // token_info_url;
2776  credential_source, // credential_source;
2777  "quota_project_id", // quota_project_id;
2778  "client_id", // client_id;
2779  "client_secret", // client_secret;
2780  "", // workforce_pool_user_project;
2781  };
2782  auto creds = FileExternalAccountCredentials::Create(options, {}, &error);
2783  GPR_ASSERT(creds != nullptr);
2784  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2785  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
2786  auto state = RequestMetadataState::NewInstance(
2787  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
2788  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
2789  external_account_creds_httpcli_post_success,
2790  httpcli_put_should_not_be_called);
2791  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
2792  kTestPath);
2793  ExecCtx::Get()->Flush();
2794  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
2795  GRPC_ERROR_UNREF(error);
2796  gpr_free(subject_token_path);
2797 }
2798 
2799 TEST(CredentialsTest, TestFileExternalAccountCredsSuccessFormatJson) {
2800  ExecCtx exec_ctx;
2801  grpc_error_handle error = GRPC_ERROR_NONE;
2802  char* subject_token_path =
2803  write_tmp_jwt_file("{\"access_token\":\"test_subject_token\"}");
2804  Json credential_source = Json::Parse(
2805  absl::StrFormat(
2806  "{\n"
2807  "\"file\":\"%s\",\n"
2808  "\"format\":\n"
2809  "{\n"
2810  "\"type\":\"json\",\n"
2811  "\"subject_token_field_name\":\"access_token\"\n"
2812  "}\n"
2813  "}",
2814  absl::StrReplaceAll(subject_token_path, {{"\\", "\\\\"}})),
2815  &error);
2816  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2817  ExternalAccountCredentials::Options options = {
2818  "external_account", // type;
2819  "audience", // audience;
2820  "subject_token_type", // subject_token_type;
2821  "", // service_account_impersonation_url;
2822  "https://foo.com:5555/token", // token_url;
2823  "https://foo.com:5555/token_info", // token_info_url;
2824  credential_source, // credential_source;
2825  "quota_project_id", // quota_project_id;
2826  "client_id", // client_id;
2827  "client_secret", // client_secret;
2828  "", // workforce_pool_user_project;
2829  };
2830  auto creds = FileExternalAccountCredentials::Create(options, {}, &error);
2831  GPR_ASSERT(creds != nullptr);
2832  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2833  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
2834  auto state = RequestMetadataState::NewInstance(
2835  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
2836  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
2837  external_account_creds_httpcli_post_success,
2838  httpcli_put_should_not_be_called);
2839  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
2840  kTestPath);
2841  ExecCtx::Get()->Flush();
2842  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
2843  GRPC_ERROR_UNREF(error);
2844  gpr_free(subject_token_path);
2845 }
2846 
2847 TEST(CredentialsTest, TestFileExternalAccountCredsFailureFileNotFound) {
2848  ExecCtx exec_ctx;
2849  grpc_error_handle error = GRPC_ERROR_NONE;
2850  Json credential_source =
2851  Json::Parse("{\"file\":\"non_exisiting_file\"}", &error);
2852  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2853  ExternalAccountCredentials::Options options = {
2854  "external_account", // type;
2855  "audience", // audience;
2856  "subject_token_type", // subject_token_type;
2857  "", // service_account_impersonation_url;
2858  "https://foo.com:5555/token", // token_url;
2859  "https://foo.com:5555/token_info", // token_info_url;
2860  credential_source, // credential_source;
2861  "quota_project_id", // quota_project_id;
2862  "client_id", // client_id;
2863  "client_secret", // client_secret;
2864  "", // workforce_pool_user_project;
2865  };
2866  auto creds = FileExternalAccountCredentials::Create(options, {}, &error);
2867  GPR_ASSERT(creds != nullptr);
2868  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2869  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
2870  httpcli_post_should_not_be_called,
2871  httpcli_put_should_not_be_called);
2872  error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("Failed to load file");
2873  grpc_error_handle expected_error =
2874  GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
2875  "Error occurred when fetching oauth2 token.", &error, 1);
2876  auto state = RequestMetadataState::NewInstance(expected_error, {});
2877  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
2878  kTestPath);
2879  ExecCtx::Get()->Flush();
2880  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
2881  GRPC_ERROR_UNREF(error);
2882 }
2883 
2884 TEST(CredentialsTest, TestFileExternalAccountCredsFailureInvalidJsonContent) {
2885  ExecCtx exec_ctx;
2886  grpc_error_handle error = GRPC_ERROR_NONE;
2887  char* subject_token_path = write_tmp_jwt_file("not_a_valid_json_file");
2888  Json credential_source = Json::Parse(
2889  absl::StrFormat(
2890  "{\n"
2891  "\"file\":\"%s\",\n"
2892  "\"format\":\n"
2893  "{\n"
2894  "\"type\":\"json\",\n"
2895  "\"subject_token_field_name\":\"access_token\"\n"
2896  "}\n"
2897  "}",
2898  absl::StrReplaceAll(subject_token_path, {{"\\", "\\\\"}})),
2899  &error);
2900  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2901  ExternalAccountCredentials::Options options = {
2902  "external_account", // type;
2903  "audience", // audience;
2904  "subject_token_type", // subject_token_type;
2905  "", // service_account_impersonation_url;
2906  "https://foo.com:5555/token", // token_url;
2907  "https://foo.com:5555/token_info", // token_info_url;
2908  credential_source, // credential_source;
2909  "quota_project_id", // quota_project_id;
2910  "client_id", // client_id;
2911  "client_secret", // client_secret;
2912  "", // workforce_pool_user_project;
2913  };
2914  auto creds = FileExternalAccountCredentials::Create(options, {}, &error);
2915  GPR_ASSERT(creds != nullptr);
2916  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2917  HttpRequest::SetOverride(httpcli_get_should_not_be_called,
2918  httpcli_post_should_not_be_called,
2919  httpcli_put_should_not_be_called);
2920  error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
2921  "The content of the file is not a valid json object.");
2922  grpc_error_handle expected_error =
2923  GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
2924  "Error occurred when fetching oauth2 token.", &error, 1);
2925  auto state = RequestMetadataState::NewInstance(expected_error, {});
2926  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
2927  kTestPath);
2928  ExecCtx::Get()->Flush();
2929  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
2930  GRPC_ERROR_UNREF(error);
2931  gpr_free(subject_token_path);
2932 }
2933 
2934 TEST(CredentialsTest, TestAwsExternalAccountCredsSuccess) {
2935  ExecCtx exec_ctx;
2936  grpc_error_handle error = GRPC_ERROR_NONE;
2937  Json credential_source = Json::Parse(
2938  valid_aws_external_account_creds_options_credential_source, &error);
2939  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2940  ExternalAccountCredentials::Options options = {
2941  "external_account", // type;
2942  "audience", // audience;
2943  "subject_token_type", // subject_token_type;
2944  "", // service_account_impersonation_url;
2945  "https://foo.com:5555/token", // token_url;
2946  "https://foo.com:5555/token_info", // token_info_url;
2947  credential_source, // credential_source;
2948  "quota_project_id", // quota_project_id;
2949  "client_id", // client_id;
2950  "client_secret", // client_secret;
2951  "", // workforce_pool_user_project;
2952  };
2953  auto creds = AwsExternalAccountCredentials::Create(options, {}, &error);
2954  GPR_ASSERT(creds != nullptr);
2955  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2956  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
2957  auto state = RequestMetadataState::NewInstance(
2958  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
2959  HttpRequest::SetOverride(aws_external_account_creds_httpcli_get_success,
2960  aws_external_account_creds_httpcli_post_success,
2961  httpcli_put_should_not_be_called);
2962  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
2963  kTestPath);
2964  ExecCtx::Get()->Flush();
2965  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
2966 }
2967 
2968 TEST(CredentialsTest, TestAwsImdsv2ExternalAccountCredsSuccess) {
2969  ExecCtx exec_ctx;
2970  grpc_error_handle error = GRPC_ERROR_NONE;
2971  Json credential_source = Json::Parse(
2972  valid_aws_imdsv2_external_account_creds_options_credential_source,
2973  &error);
2974  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2975  ExternalAccountCredentials::Options options = {
2976  "external_account", // type;
2977  "audience", // audience;
2978  "subject_token_type", // subject_token_type;
2979  "", // service_account_impersonation_url;
2980  "https://foo.com:5555/token", // token_url;
2981  "https://foo.com:5555/token_info", // token_info_url;
2982  credential_source, // credential_source;
2983  "quota_project_id", // quota_project_id;
2984  "client_id", // client_id;
2985  "client_secret", // client_secret;
2986  "", // workforce_pool_user_project;
2987  };
2988  auto creds = AwsExternalAccountCredentials::Create(options, {}, &error);
2989  GPR_ASSERT(creds != nullptr);
2990  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
2991  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
2992  auto state = RequestMetadataState::NewInstance(
2993  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
2994  HttpRequest::SetOverride(
2995  aws_imdsv2_external_account_creds_httpcli_get_success,
2996  aws_external_account_creds_httpcli_post_success,
2997  aws_imdsv2_external_account_creds_httpcli_put_success);
2998  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
2999  kTestPath);
3000  ExecCtx::Get()->Flush();
3001  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
3002 }
3003 
3004 TEST(CredentialsTest, TestAwsExternalAccountCredsSuccessPathRegionEnvKeysUrl) {
3005  ExecCtx exec_ctx;
3006  gpr_setenv("AWS_REGION", "test_regionz");
3007  grpc_error_handle error = GRPC_ERROR_NONE;
3008  Json credential_source = Json::Parse(
3009  valid_aws_external_account_creds_options_credential_source, &error);
3010  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3011  ExternalAccountCredentials::Options options = {
3012  "external_account", // type;
3013  "audience", // audience;
3014  "subject_token_type", // subject_token_type;
3015  "", // service_account_impersonation_url;
3016  "https://foo.com:5555/token", // token_url;
3017  "https://foo.com:5555/token_info", // token_info_url;
3018  credential_source, // credential_source;
3019  "quota_project_id", // quota_project_id;
3020  "client_id", // client_id;
3021  "client_secret", // client_secret;
3022  "", // workforce_pool_user_project;
3023  };
3024  auto creds = AwsExternalAccountCredentials::Create(options, {}, &error);
3025  GPR_ASSERT(creds != nullptr);
3026  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3027  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
3028  auto state = RequestMetadataState::NewInstance(
3029  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
3030  HttpRequest::SetOverride(aws_external_account_creds_httpcli_get_success,
3031  aws_external_account_creds_httpcli_post_success,
3032  httpcli_put_should_not_be_called);
3033  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
3034  kTestPath);
3035  ExecCtx::Get()->Flush();
3036  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
3037  gpr_unsetenv("AWS_REGION");
3038 }
3039 
3040 TEST(CredentialsTest,
3041  TestAwsExternalAccountCredsSuccessPathDefaultRegionEnvKeysUrl) {
3042  ExecCtx exec_ctx;
3043  gpr_setenv("AWS_DEFAULT_REGION", "test_regionz");
3044  grpc_error_handle error = GRPC_ERROR_NONE;
3045  Json credential_source = Json::Parse(
3046  valid_aws_external_account_creds_options_credential_source, &error);
3047  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3048  ExternalAccountCredentials::Options options = {
3049  "external_account", // type;
3050  "audience", // audience;
3051  "subject_token_type", // subject_token_type;
3052  "", // service_account_impersonation_url;
3053  "https://foo.com:5555/token", // token_url;
3054  "https://foo.com:5555/token_info", // token_info_url;
3055  credential_source, // credential_source;
3056  "quota_project_id", // quota_project_id;
3057  "client_id", // client_id;
3058  "client_secret", // client_secret;
3059  "", // workforce_pool_user_project;
3060  };
3061  auto creds = AwsExternalAccountCredentials::Create(options, {}, &error);
3062  GPR_ASSERT(creds != nullptr);
3063  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3064  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
3065  auto state = RequestMetadataState::NewInstance(
3066  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
3067  HttpRequest::SetOverride(aws_external_account_creds_httpcli_get_success,
3068  aws_external_account_creds_httpcli_post_success,
3069  httpcli_put_should_not_be_called);
3070  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
3071  kTestPath);
3072  ExecCtx::Get()->Flush();
3073  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
3074  gpr_unsetenv("AWS_DEFAULT_REGION");
3075 }
3076 
3077 TEST(CredentialsTest,
3078  TestAwsExternalAccountCredsSuccessPathDuplicateRegionEnvKeysUrl) {
3079  ExecCtx exec_ctx;
3080  // Make sure that AWS_REGION gets used over AWS_DEFAULT_REGION
3081  gpr_setenv("AWS_REGION", "test_regionz");
3082  gpr_setenv("AWS_DEFAULT_REGION", "ERROR_REGION");
3083  grpc_error_handle error = GRPC_ERROR_NONE;
3084  Json credential_source = Json::Parse(
3085  valid_aws_external_account_creds_options_credential_source, &error);
3086  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3087  ExternalAccountCredentials::Options options = {
3088  "external_account", // type;
3089  "audience", // audience;
3090  "subject_token_type", // subject_token_type;
3091  "", // service_account_impersonation_url;
3092  "https://foo.com:5555/token", // token_url;
3093  "https://foo.com:5555/token_info", // token_info_url;
3094  credential_source, // credential_source;
3095  "quota_project_id", // quota_project_id;
3096  "client_id", // client_id;
3097  "client_secret", // client_secret;
3098  "", // workforce_pool_user_project;
3099  };
3100  auto creds = AwsExternalAccountCredentials::Create(options, {}, &error);
3101  GPR_ASSERT(creds != nullptr);
3102  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3103  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
3104  auto state = RequestMetadataState::NewInstance(
3105  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
3106  HttpRequest::SetOverride(aws_external_account_creds_httpcli_get_success,
3107  aws_external_account_creds_httpcli_post_success,
3108  httpcli_put_should_not_be_called);
3109  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
3110  kTestPath);
3111  ExecCtx::Get()->Flush();
3112  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
3113  gpr_unsetenv("AWS_REGION");
3114  gpr_unsetenv("AWS_DEFAULT_REGION");
3115 }
3116 
3117 TEST(CredentialsTest, TestAwsExternalAccountCredsSuccessPathRegionUrlKeysEnv) {
3118  ExecCtx exec_ctx;
3119  gpr_setenv("AWS_ACCESS_KEY_ID", "test_access_key_id");
3120  gpr_setenv("AWS_SECRET_ACCESS_KEY", "test_secret_access_key");
3121  gpr_setenv("AWS_SESSION_TOKEN", "test_token");
3122  grpc_error_handle error = GRPC_ERROR_NONE;
3123  Json credential_source = Json::Parse(
3124  valid_aws_external_account_creds_options_credential_source, &error);
3125  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3126  ExternalAccountCredentials::Options options = {
3127  "external_account", // type;
3128  "audience", // audience;
3129  "subject_token_type", // subject_token_type;
3130  "", // service_account_impersonation_url;
3131  "https://foo.com:5555/token", // token_url;
3132  "https://foo.com:5555/token_info", // token_info_url;
3133  credential_source, // credential_source;
3134  "quota_project_id", // quota_project_id;
3135  "client_id", // client_id;
3136  "client_secret", // client_secret;
3137  "", // workforce_pool_user_project;
3138  };
3139  auto creds = AwsExternalAccountCredentials::Create(options, {}, &error);
3140  GPR_ASSERT(creds != nullptr);
3141  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3142  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
3143  auto state = RequestMetadataState::NewInstance(
3144  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
3145  HttpRequest::SetOverride(aws_external_account_creds_httpcli_get_success,
3146  aws_external_account_creds_httpcli_post_success,
3147  httpcli_put_should_not_be_called);
3148  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
3149  kTestPath);
3150  ExecCtx::Get()->Flush();
3151  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
3152  gpr_unsetenv("AWS_ACCESS_KEY_ID");
3153  gpr_unsetenv("AWS_SECRET_ACCESS_KEY");
3154  gpr_unsetenv("AWS_SESSION_TOKEN");
3155 }
3156 
3157 TEST(CredentialsTest, TestAwsExternalAccountCredsSuccessPathRegionEnvKeysEnv) {
3158  ExecCtx exec_ctx;
3159  gpr_setenv("AWS_REGION", "test_regionz");
3160  gpr_setenv("AWS_ACCESS_KEY_ID", "test_access_key_id");
3161  gpr_setenv("AWS_SECRET_ACCESS_KEY", "test_secret_access_key");
3162  gpr_setenv("AWS_SESSION_TOKEN", "test_token");
3163  grpc_error_handle error = GRPC_ERROR_NONE;
3164  Json credential_source = Json::Parse(
3165  valid_aws_external_account_creds_options_credential_source, &error);
3166  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3167  ExternalAccountCredentials::Options options = {
3168  "external_account", // type;
3169  "audience", // audience;
3170  "subject_token_type", // subject_token_type;
3171  "", // service_account_impersonation_url;
3172  "https://foo.com:5555/token", // token_url;
3173  "https://foo.com:5555/token_info", // token_info_url;
3174  credential_source, // credential_source;
3175  "quota_project_id", // quota_project_id;
3176  "client_id", // client_id;
3177  "client_secret", // client_secret;
3178  "", // workforce_pool_user_project;
3179  };
3180  auto creds = AwsExternalAccountCredentials::Create(options, {}, &error);
3181  GPR_ASSERT(creds != nullptr);
3182  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3183  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
3184  auto state = RequestMetadataState::NewInstance(
3185  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
3186  HttpRequest::SetOverride(aws_external_account_creds_httpcli_get_success,
3187  aws_external_account_creds_httpcli_post_success,
3188  httpcli_put_should_not_be_called);
3189  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
3190  kTestPath);
3191  ExecCtx::Get()->Flush();
3192  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
3193  gpr_unsetenv("AWS_REGION");
3194  gpr_unsetenv("AWS_ACCESS_KEY_ID");
3195  gpr_unsetenv("AWS_SECRET_ACCESS_KEY");
3196  gpr_unsetenv("AWS_SESSION_TOKEN");
3197 }
3198 
3199 TEST(CredentialsTest,
3200  TestAwsExternalAccountCredsSuccessPathDefaultRegionEnvKeysEnv) {
3201  std::map<std::string, std::string> emd = {
3202  {"authorization", "Bearer token_exchange_access_token"}};
3203  ExecCtx exec_ctx;
3204  gpr_setenv("AWS_DEFAULT_REGION", "test_regionz");
3205  gpr_setenv("AWS_ACCESS_KEY_ID", "test_access_key_id");
3206  gpr_setenv("AWS_SECRET_ACCESS_KEY", "test_secret_access_key");
3207  gpr_setenv("AWS_SESSION_TOKEN", "test_token");
3208  grpc_error_handle error = GRPC_ERROR_NONE;
3209  Json credential_source = Json::Parse(
3210  valid_aws_external_account_creds_options_credential_source, &error);
3211  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3212  ExternalAccountCredentials::Options options = {
3213  "external_account", // type;
3214  "audience", // audience;
3215  "subject_token_type", // subject_token_type;
3216  "", // service_account_impersonation_url;
3217  "https://foo.com:5555/token", // token_url;
3218  "https://foo.com:5555/token_info", // token_info_url;
3219  credential_source, // credential_source;
3220  "quota_project_id", // quota_project_id;
3221  "client_id", // client_id;
3222  "client_secret", // client_secret;
3223  "", // workforce_pool_user_project;
3224  };
3225  auto creds = AwsExternalAccountCredentials::Create(options, {}, &error);
3226  GPR_ASSERT(creds != nullptr);
3227  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3228  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
3229  auto state = RequestMetadataState::NewInstance(
3230  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
3231  HttpRequest::SetOverride(aws_external_account_creds_httpcli_get_success,
3232  aws_external_account_creds_httpcli_post_success,
3233  httpcli_put_should_not_be_called);
3234  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
3235  kTestPath);
3236  ExecCtx::Get()->Flush();
3237  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
3238  gpr_unsetenv("AWS_DEFAULT_REGION");
3239  gpr_unsetenv("AWS_ACCESS_KEY_ID");
3240  gpr_unsetenv("AWS_SECRET_ACCESS_KEY");
3241  gpr_unsetenv("AWS_SESSION_TOKEN");
3242 }
3243 
3244 TEST(CredentialsTest,
3245  TestAwsExternalAccountCredsSuccessPathDuplicateRegionEnvKeysEnv) {
3246  ExecCtx exec_ctx;
3247  // Make sure that AWS_REGION gets used over AWS_DEFAULT_REGION
3248  gpr_setenv("AWS_REGION", "test_regionz");
3249  gpr_setenv("AWS_DEFAULT_REGION", "ERROR_REGION");
3250  gpr_setenv("AWS_ACCESS_KEY_ID", "test_access_key_id");
3251  gpr_setenv("AWS_SECRET_ACCESS_KEY", "test_secret_access_key");
3252  gpr_setenv("AWS_SESSION_TOKEN", "test_token");
3253  grpc_error_handle error = GRPC_ERROR_NONE;
3254  Json credential_source = Json::Parse(
3255  valid_aws_external_account_creds_options_credential_source, &error);
3256  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3257  ExternalAccountCredentials::Options options = {
3258  "external_account", // type;
3259  "audience", // audience;
3260  "subject_token_type", // subject_token_type;
3261  "", // service_account_impersonation_url;
3262  "https://foo.com:5555/token", // token_url;
3263  "https://foo.com:5555/token_info", // token_info_url;
3264  credential_source, // credential_source;
3265  "quota_project_id", // quota_project_id;
3266  "client_id", // client_id;
3267  "client_secret", // client_secret;
3268  "", // workforce_pool_user_project;
3269  };
3270  auto creds = AwsExternalAccountCredentials::Create(options, {}, &error);
3271  GPR_ASSERT(creds != nullptr);
3272  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3273  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
3274  auto state = RequestMetadataState::NewInstance(
3275  GRPC_ERROR_NONE, "authorization: Bearer token_exchange_access_token");
3276  HttpRequest::SetOverride(aws_external_account_creds_httpcli_get_success,
3277  aws_external_account_creds_httpcli_post_success,
3278  httpcli_put_should_not_be_called);
3279  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
3280  kTestPath);
3281  ExecCtx::Get()->Flush();
3282  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
3283  gpr_unsetenv("AWS_REGION");
3284  gpr_unsetenv("AWS_DEFAULT_REGION");
3285  gpr_unsetenv("AWS_ACCESS_KEY_ID");
3286  gpr_unsetenv("AWS_SECRET_ACCESS_KEY");
3287  gpr_unsetenv("AWS_SESSION_TOKEN");
3288 }
3289 
3290 TEST(CredentialsTest,
3291  TestAwsExternalAccountCredsFailureUnmatchedEnvironmentId) {
3292  grpc_error_handle error = GRPC_ERROR_NONE;
3293  Json credential_source = Json::Parse(
3294  invalid_aws_external_account_creds_options_credential_source_unmatched_environment_id,
3295  &error);
3296  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3297  ExternalAccountCredentials::Options options = {
3298  "external_account", // type;
3299  "audience", // audience;
3300  "subject_token_type", // subject_token_type;
3301  "", // service_account_impersonation_url;
3302  "https://foo.com:5555/token", // token_url;
3303  "https://foo.com:5555/token_info", // token_info_url;
3304  credential_source, // credential_source;
3305  "quota_project_id", // quota_project_id;
3306  "client_id", // client_id;
3307  "client_secret", // client_secret;
3308  "", // workforce_pool_user_project;
3309  };
3310  auto creds = AwsExternalAccountCredentials::Create(options, {}, &error);
3311  GPR_ASSERT(creds == nullptr);
3312  std::string expected_error = "environment_id does not match.";
3313  std::string actual_error;
3314  GPR_ASSERT(
3315  grpc_error_get_str(error, GRPC_ERROR_STR_DESCRIPTION, &actual_error));
3316  GPR_ASSERT(expected_error == actual_error);
3317  GRPC_ERROR_UNREF(error);
3318 }
3319 
3320 TEST(CredentialsTest, TestAwsExternalAccountCredsFailureInvalidRegionUrl) {
3321  ExecCtx exec_ctx;
3322  grpc_error_handle error = GRPC_ERROR_NONE;
3323  Json credential_source = Json::Parse(
3324  invalid_aws_external_account_creds_options_credential_source_invalid_region_url,
3325  &error);
3326  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3327  ExternalAccountCredentials::Options options = {
3328  "external_account", // type;
3329  "audience", // audience;
3330  "subject_token_type", // subject_token_type;
3331  "", // service_account_impersonation_url;
3332  "https://foo.com:5555/token", // token_url;
3333  "https://foo.com:5555/token_info", // token_info_url;
3334  credential_source, // credential_source;
3335  "quota_project_id", // quota_project_id;
3336  "client_id", // client_id;
3337  "client_secret", // client_secret;
3338  "", // workforce_pool_user_project;
3339  };
3340  auto creds = AwsExternalAccountCredentials::Create(options, {}, &error);
3341  GPR_ASSERT(creds != nullptr);
3342  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3343  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
3344  error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
3345  "Invalid region url: invalid_region_url.");
3346  grpc_error_handle expected_error =
3347  GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
3348  "Error occurred when fetching oauth2 token.", &error, 1);
3349  auto state = RequestMetadataState::NewInstance(expected_error, {});
3350  HttpRequest::SetOverride(aws_external_account_creds_httpcli_get_success,
3351  aws_external_account_creds_httpcli_post_success,
3352  httpcli_put_should_not_be_called);
3353  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
3354  kTestPath);
3355  ExecCtx::Get()->Flush();
3356  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
3357  GRPC_ERROR_UNREF(error);
3358 }
3359 
3360 TEST(CredentialsTest, TestAwsExternalAccountCredsFailureInvalidUrl) {
3361  ExecCtx exec_ctx;
3362  grpc_error_handle error = GRPC_ERROR_NONE;
3363  Json credential_source = Json::Parse(
3364  invalid_aws_external_account_creds_options_credential_source_invalid_url,
3365  &error);
3366  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3367  ExternalAccountCredentials::Options options = {
3368  "external_account", // type;
3369  "audience", // audience;
3370  "subject_token_type", // subject_token_type;
3371  "", // service_account_impersonation_url;
3372  "https://foo.com:5555/token", // token_url;
3373  "https://foo.com:5555/token_info", // token_info_url;
3374  credential_source, // credential_source;
3375  "quota_project_id", // quota_project_id;
3376  "client_id", // client_id;
3377  "client_secret", // client_secret;
3378  "", // workforce_pool_user_project;
3379  };
3380  auto creds = AwsExternalAccountCredentials::Create(options, {}, &error);
3381  GPR_ASSERT(creds != nullptr);
3382  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3383  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
3384  error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("Invalid url: invalid_url.");
3385  grpc_error_handle expected_error =
3386  GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
3387  "Error occurred when fetching oauth2 token.", &error, 1);
3388  auto state = RequestMetadataState::NewInstance(expected_error, {});
3389  HttpRequest::SetOverride(aws_external_account_creds_httpcli_get_success,
3390  aws_external_account_creds_httpcli_post_success,
3391  httpcli_put_should_not_be_called);
3392  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
3393  kTestPath);
3394  ExecCtx::Get()->Flush();
3395  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
3396  GRPC_ERROR_UNREF(error);
3397 }
3398 
3399 TEST(CredentialsTest, TestAwsExternalAccountCredsFailureMissingRoleName) {
3400  ExecCtx exec_ctx;
3401  grpc_error_handle error = GRPC_ERROR_NONE;
3402  Json credential_source = Json::Parse(
3403  invalid_aws_external_account_creds_options_credential_source_missing_role_name,
3404  &error);
3405  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3406  ExternalAccountCredentials::Options options = {
3407  "external_account", // type;
3408  "audience", // audience;
3409  "subject_token_type", // subject_token_type;
3410  "", // service_account_impersonation_url;
3411  "https://foo.com:5555/token", // token_url;
3412  "https://foo.com:5555/token_info", // token_info_url;
3413  credential_source, // credential_source;
3414  "quota_project_id", // quota_project_id;
3415  "client_id", // client_id;
3416  "client_secret", // client_secret;
3417  "", // workforce_pool_user_project;
3418  };
3419  auto creds = AwsExternalAccountCredentials::Create(options, {}, &error);
3420  GPR_ASSERT(creds != nullptr);
3421  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3422  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
3423  error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
3424  "Missing role name when retrieving signing keys.");
3425  grpc_error_handle expected_error =
3426  GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
3427  "Error occurred when fetching oauth2 token.", &error, 1);
3428  auto state = RequestMetadataState::NewInstance(expected_error, {});
3429  HttpRequest::SetOverride(aws_external_account_creds_httpcli_get_success,
3430  aws_external_account_creds_httpcli_post_success,
3431  httpcli_put_should_not_be_called);
3432  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
3433  kTestPath);
3434  ExecCtx::Get()->Flush();
3435  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
3436  GRPC_ERROR_UNREF(error);
3437 }
3438 
3439 TEST(CredentialsTest,
3440  TestAwsExternalAccountCredsFailureInvalidRegionalCredVerificationUrl) {
3441  ExecCtx exec_ctx;
3442  grpc_error_handle error = GRPC_ERROR_NONE;
3443  Json credential_source = Json::Parse(
3444  invalid_aws_external_account_creds_options_credential_source_invalid_regional_cred_verification_url,
3445  &error);
3446  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3447  ExternalAccountCredentials::Options options = {
3448  "external_account", // type;
3449  "audience", // audience;
3450  "subject_token_type", // subject_token_type;
3451  "", // service_account_impersonation_url;
3452  "https://foo.com:5555/token", // token_url;
3453  "https://foo.com:5555/token_info", // token_info_url;
3454  credential_source, // credential_source;
3455  "quota_project_id", // quota_project_id;
3456  "client_id", // client_id;
3457  "client_secret", // client_secret;
3458  "", // workforce_pool_user_project;
3459  };
3460  auto creds = AwsExternalAccountCredentials::Create(options, {}, &error);
3461  GPR_ASSERT(creds != nullptr);
3462  GPR_ASSERT(GRPC_ERROR_IS_NONE(error));
3463  GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
3464  error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
3465  "Creating aws request signer failed.");
3466  grpc_error_handle expected_error =
3467  GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
3468  "Error occurred when fetching oauth2 token.", &error, 1);
3469  auto state = RequestMetadataState::NewInstance(expected_error, {});
3470  HttpRequest::SetOverride(aws_external_account_creds_httpcli_get_success,
3471  aws_external_account_creds_httpcli_post_success,
3472  httpcli_put_should_not_be_called);
3473  state->RunRequestMetadataTest(creds.get(), kTestUrlScheme, kTestAuthority,
3474  kTestPath);
3475  ExecCtx::Get()->Flush();
3476  HttpRequest::SetOverride(nullptr, nullptr, nullptr);
3477  GRPC_ERROR_UNREF(error);
3478 }
3479 
3480 TEST(CredentialsTest, TestExternalAccountCredentialsCreateSuccess) {
3481  // url credentials
3482  const char* url_options_string =
3483  "{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
3484  "token_type\":\"subject_token_type\",\"service_account_impersonation_"
3485  "url\":\"service_account_impersonation_url\",\"token_url\":\"https://"
3486  "foo.com:5555/token\",\"token_info_url\":\"https://foo.com:5555/"
3487  "token_info\",\"credential_source\":{\"url\":\"https://foo.com:5555/"
3488  "generate_subject_token_format_json\",\"headers\":{\"Metadata-Flavor\":"
3489  "\"Google\"},\"format\":{\"type\":\"json\",\"subject_token_field_name\":"
3490  "\"access_token\"}},\"quota_project_id\":\"quota_"
3491  "project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
3492  "secret\"}";
3493  const char* url_scopes_string = "scope1,scope2";
3494  grpc_call_credentials* url_creds = grpc_external_account_credentials_create(
3495  url_options_string, url_scopes_string);
3496  GPR_ASSERT(url_creds != nullptr);
3497  url_creds->Unref();
3498  // file credentials
3499  const char* file_options_string =
3500  "{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
3501  "token_type\":\"subject_token_type\",\"service_account_impersonation_"
3502  "url\":\"service_account_impersonation_url\",\"token_url\":\"https://"
3503  "foo.com:5555/token\",\"token_info_url\":\"https://foo.com:5555/"
3504  "token_info\",\"credential_source\":{\"file\":\"credentials_file_path\"},"
3505  "\"quota_project_id\":\"quota_"
3506  "project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
3507  "secret\"}";
3508  const char* file_scopes_string = "scope1,scope2";
3509  grpc_call_credentials* file_creds = grpc_external_account_credentials_create(
3510  file_options_string, file_scopes_string);
3511  GPR_ASSERT(file_creds != nullptr);
3512  file_creds->Unref();
3513  // aws credentials
3514  const char* aws_options_string =
3515  "{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
3516  "token_type\":\"subject_token_type\",\"service_account_impersonation_"
3517  "url\":\"service_account_impersonation_url\",\"token_url\":\"https://"
3518  "foo.com:5555/token\",\"token_info_url\":\"https://foo.com:5555/"
3519  "token_info\",\"credential_source\":{\"environment_id\":\"aws1\","
3520  "\"region_url\":\"https://foo.com:5555/region_url\",\"url\":\"https://"
3521  "foo.com:5555/url\",\"regional_cred_verification_url\":\"https://"
3522  "foo.com:5555/regional_cred_verification_url_{region}\"},"
3523  "\"quota_project_id\":\"quota_"
3524  "project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
3525  "secret\"}";
3526  const char* aws_scopes_string = "scope1,scope2";
3527  grpc_call_credentials* aws_creds = grpc_external_account_credentials_create(
3528  aws_options_string, aws_scopes_string);
3529  GPR_ASSERT(aws_creds != nullptr);
3530  aws_creds->Unref();
3531 }
3532 
3533 TEST(CredentialsTest,
3534  TestExternalAccountCredentialsCreateFailureInvalidJsonFormat) {
3535  const char* options_string = "invalid_json";
3536  grpc_call_credentials* creds =
3537  grpc_external_account_credentials_create(options_string, "");
3538  GPR_ASSERT(creds == nullptr);
3539 }
3540 
3541 TEST(CredentialsTest,
3542  TestExternalAccountCredentialsCreateFailureInvalidOptionsFormat) {
3543  const char* options_string = "{\"random_key\":\"random_value\"}";
3544  grpc_call_credentials* creds =
3545  grpc_external_account_credentials_create(options_string, "");
3546  GPR_ASSERT(creds == nullptr);
3547 }
3548 
3549 TEST(
3550  CredentialsTest,
3551  TestExternalAccountCredentialsCreateFailureInvalidOptionsCredentialSource) {
3552  const char* options_string =
3553  "{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
3554  "token_type\":\"subject_token_type\",\"service_account_impersonation_"
3555  "url\":\"service_account_impersonation_url\",\"token_url\":\"https://"
3556  "foo.com:5555/token\",\"token_info_url\":\"https://foo.com:5555/"
3557  "token_info\",\"credential_source\":{\"random_key\":\"random_value\"},"
3558  "\"quota_project_id\":\"quota_"
3559  "project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
3560  "secret\"}";
3561  grpc_call_credentials* creds =
3562  grpc_external_account_credentials_create(options_string, "");
3563  GPR_ASSERT(creds == nullptr);
3564 }
3565 
3566 TEST(CredentialsTest,
3567  TestExternalAccountCredentialsCreateSuccessWorkforcePool) {
3568  const char* url_options_string =
3569  "{\"type\":\"external_account\",\"audience\":\"//iam.googleapis.com/"
3570  "locations/location/workforcePools/pool/providers/provider\",\"subject_"
3571  "token_type\":\"subject_token_type\",\"service_account_impersonation_"
3572  "url\":\"service_account_impersonation_url\",\"token_url\":\"https://"
3573  "foo.com:5555/token\",\"token_info_url\":\"https://foo.com:5555/"
3574  "token_info\",\"credential_source\":{\"url\":\"https://foo.com:5555/"
3575  "generate_subject_token_format_json\",\"headers\":{\"Metadata-Flavor\":"
3576  "\"Google\"},\"format\":{\"type\":\"json\",\"subject_token_field_name\":"
3577  "\"access_token\"}},\"quota_project_id\":\"quota_"
3578  "project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
3579  "secret\",\"workforce_pool_user_project\":\"workforce_pool_user_"
3580  "project\"}";
3581  const char* url_scopes_string = "scope1,scope2";
3582  grpc_call_credentials* url_creds = grpc_external_account_credentials_create(
3583  url_options_string, url_scopes_string);
3584  GPR_ASSERT(url_creds != nullptr);
3585  url_creds->Unref();
3586 }
3587 
3588 TEST(CredentialsTest,
3589  TestExternalAccountCredentialsCreateFailureInvalidWorkforcePoolAudience) {
3590  const char* url_options_string =
3591  "{\"type\":\"external_account\",\"audience\":\"invalid_workforce_pool_"
3592  "audience\",\"subject_"
3593  "token_type\":\"subject_token_type\",\"service_account_impersonation_"
3594  "url\":\"service_account_impersonation_url\",\"token_url\":\"https://"
3595  "foo.com:5555/token\",\"token_info_url\":\"https://foo.com:5555/"
3596  "token_info\",\"credential_source\":{\"url\":\"https://foo.com:5555/"
3597  "generate_subject_token_format_json\",\"headers\":{\"Metadata-Flavor\":"
3598  "\"Google\"},\"format\":{\"type\":\"json\",\"subject_token_field_name\":"
3599  "\"access_token\"}},\"quota_project_id\":\"quota_"
3600  "project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
3601  "secret\",\"workforce_pool_user_project\":\"workforce_pool_user_"
3602  "project\"}";
3603  const char* url_scopes_string = "scope1,scope2";
3604  grpc_call_credentials* url_creds = grpc_external_account_credentials_create(
3605  url_options_string, url_scopes_string);
3606  GPR_ASSERT(url_creds == nullptr);
3607 }
3608 
3609 TEST(CredentialsTest, TestInsecureCredentialsCompareSuccess) {
3610  auto insecure_creds_1 = grpc_insecure_credentials_create();
3611  auto insecure_creds_2 = grpc_insecure_credentials_create();
3612  ASSERT_EQ(insecure_creds_1->cmp(insecure_creds_2), 0);
3613  grpc_arg arg_1 = grpc_channel_credentials_to_arg(insecure_creds_1);
3614  grpc_channel_args args_1 = {1, &arg_1};
3615  grpc_arg arg_2 = grpc_channel_credentials_to_arg(insecure_creds_2);
3616  grpc_channel_args args_2 = {1, &arg_2};
3617  EXPECT_EQ(grpc_channel_args_compare(&args_1, &args_2), 0);
3618  grpc_channel_credentials_release(insecure_creds_1);
3619  grpc_channel_credentials_release(insecure_creds_2);
3620 }
3621 
3622 TEST(CredentialsTest, TestInsecureCredentialsCompareFailure) {
3623  auto* insecure_creds = grpc_insecure_credentials_create();
3624  auto* fake_creds = grpc_fake_transport_security_credentials_create();
3625  ASSERT_NE(insecure_creds->cmp(fake_creds), 0);
3626  ASSERT_NE(fake_creds->cmp(insecure_creds), 0);
3627  grpc_arg arg_1 = grpc_channel_credentials_to_arg(insecure_creds);
3628  grpc_channel_args args_1 = {1, &arg_1};
3629  grpc_arg arg_2 = grpc_channel_credentials_to_arg(fake_creds);
3630  grpc_channel_args args_2 = {1, &arg_2};
3631  EXPECT_NE(grpc_channel_args_compare(&args_1, &args_2), 0);
3632  grpc_channel_credentials_release(fake_creds);
3633  grpc_channel_credentials_release(insecure_creds);
3634 }
3635 
3636 TEST(CredentialsTest, TestInsecureCredentialsSingletonCreate) {
3637  auto* insecure_creds_1 = grpc_insecure_credentials_create();
3638  auto* insecure_creds_2 = grpc_insecure_credentials_create();
3639  EXPECT_EQ(insecure_creds_1, insecure_creds_2);
3640 }
3641 
3642 TEST(CredentialsTest, TestFakeCallCredentialsCompareSuccess) {
3643  auto call_creds = MakeRefCounted<fake_call_creds>();
3644  GPR_ASSERT(call_creds->cmp(call_creds.get()) == 0);
3645 }
3646 
3647 TEST(CredentialsTest, TestFakeCallCredentialsCompareFailure) {
3648  auto fake_creds = MakeRefCounted<fake_call_creds>();
3649  auto* md_creds = grpc_md_only_test_credentials_create("key", "value");
3650  GPR_ASSERT(fake_creds->cmp(md_creds) != 0);
3651  GPR_ASSERT(md_creds->cmp(fake_creds.get()) != 0);
3652  grpc_call_credentials_release(md_creds);
3653 }
3654 
3655 TEST(CredentialsTest, TestHttpRequestSSLCredentialsCompare) {
3656  auto creds_1 = CreateHttpRequestSSLCredentials();
3657  auto creds_2 = CreateHttpRequestSSLCredentials();
3658  EXPECT_EQ(creds_1->cmp(creds_2.get()), 0);
3659  EXPECT_EQ(creds_2->cmp(creds_1.get()), 0);
3660 }
3661 
3662 TEST(CredentialsTest, TestHttpRequestSSLCredentialsSingleton) {
3663  auto creds_1 = CreateHttpRequestSSLCredentials();
3664  auto creds_2 = CreateHttpRequestSSLCredentials();
3665  EXPECT_EQ(creds_1, creds_2);
3666 }
3667 
3668 TEST(CredentialsTest, TestCompositeChannelCredsCompareSuccess) {
3669  auto* insecure_creds = grpc_insecure_credentials_create();
3670  auto fake_creds = MakeRefCounted<fake_call_creds>();
3671  auto* composite_creds_1 = grpc_composite_channel_credentials_create(
3672  insecure_creds, fake_creds.get(), nullptr);
3673  auto* composite_creds_2 = grpc_composite_channel_credentials_create(
3674  insecure_creds, fake_creds.get(), nullptr);
3675  EXPECT_EQ(composite_creds_1->cmp(composite_creds_2), 0);
3676  EXPECT_EQ(composite_creds_2->cmp(composite_creds_1), 0);
3677  grpc_channel_credentials_release(insecure_creds);
3678  grpc_channel_credentials_release(composite_creds_1);
3679  grpc_channel_credentials_release(composite_creds_2);
3680 }
3681 
3682 TEST(CredentialsTest,
3683  TestCompositeChannelCredsCompareFailureDifferentChannelCreds) {
3684  auto* insecure_creds = grpc_insecure_credentials_create();
3685  auto* fake_channel_creds = grpc_fake_transport_security_credentials_create();
3686  auto fake_creds = MakeRefCounted<fake_call_creds>();
3687  auto* composite_creds_1 = grpc_composite_channel_credentials_create(
3688  insecure_creds, fake_creds.get(), nullptr);
3689  auto* composite_creds_2 = grpc_composite_channel_credentials_create(
3690  fake_channel_creds, fake_creds.get(), nullptr);
3691  EXPECT_NE(composite_creds_1->cmp(composite_creds_2), 0);
3692  EXPECT_NE(composite_creds_2->cmp(composite_creds_1), 0);
3693  grpc_channel_credentials_release(insecure_creds);
3694  grpc_channel_credentials_release(fake_channel_creds);
3695  grpc_channel_credentials_release(composite_creds_1);
3696  grpc_channel_credentials_release(composite_creds_2);
3697 }
3698 
3699 TEST(CredentialsTest,
3700  TestCompositeChannelCredsCompareFailureDifferentCallCreds) {
3701  auto* insecure_creds = grpc_insecure_credentials_create();
3702  auto fake_creds = MakeRefCounted<fake_call_creds>();
3703  auto* md_creds = grpc_md_only_test_credentials_create("key", "value");
3704  auto* composite_creds_1 = grpc_composite_channel_credentials_create(
3705  insecure_creds, fake_creds.get(), nullptr);
3706  auto* composite_creds_2 = grpc_composite_channel_credentials_create(
3707  insecure_creds, md_creds, nullptr);
3708  EXPECT_NE(composite_creds_1->cmp(composite_creds_2), 0);
3709  EXPECT_NE(composite_creds_2->cmp(composite_creds_1), 0);
3710  grpc_channel_credentials_release(insecure_creds);
3711  grpc_call_credentials_release(md_creds);
3712  grpc_channel_credentials_release(composite_creds_1);
3713  grpc_channel_credentials_release(composite_creds_2);
3714 }
3715 
3716 TEST(CredentialsTest, TestTlsCredentialsCompareSuccess) {
3717  auto* tls_creds_1 =
3718  grpc_tls_credentials_create(grpc_tls_credentials_options_create());
3719  auto* tls_creds_2 =
3720  grpc_tls_credentials_create(grpc_tls_credentials_options_create());
3721  EXPECT_EQ(tls_creds_1->cmp(tls_creds_2), 0);
3722  EXPECT_EQ(tls_creds_2->cmp(tls_creds_1), 0);
3723  grpc_channel_credentials_release(tls_creds_1);
3724  grpc_channel_credentials_release(tls_creds_2);
3725 }
3726 
3727 TEST(CredentialsTest, TestTlsCredentialsWithVerifierCompareSuccess) {
3728  auto* options_1 = grpc_tls_credentials_options_create();
3729  options_1->set_certificate_verifier(
3730  MakeRefCounted<HostNameCertificateVerifier>());
3731  auto* tls_creds_1 = grpc_tls_credentials_create(options_1);
3732  auto* options_2 = grpc_tls_credentials_options_create();
3733  options_2->set_certificate_verifier(
3734  MakeRefCounted<HostNameCertificateVerifier>());
3735  auto* tls_creds_2 = grpc_tls_credentials_create(options_2);
3736  EXPECT_EQ(tls_creds_1->cmp(tls_creds_2), 0);
3737  EXPECT_EQ(tls_creds_2->cmp(tls_creds_1), 0);
3738  grpc_channel_credentials_release(tls_creds_1);
3739  grpc_channel_credentials_release(tls_creds_2);
3740 }
3741 
3742 TEST(CredentialsTest, TestTlsCredentialsCompareFailure) {
3743  auto* options_1 = grpc_tls_credentials_options_create();
3744  options_1->set_check_call_host(true);
3745  auto* tls_creds_1 = grpc_tls_credentials_create(options_1);
3746  auto* options_2 = grpc_tls_credentials_options_create();
3747  options_2->set_check_call_host(false);
3748  auto* tls_creds_2 = grpc_tls_credentials_create(options_2);
3749  EXPECT_NE(tls_creds_1->cmp(tls_creds_2), 0);
3750  EXPECT_NE(tls_creds_2->cmp(tls_creds_1), 0);
3751  grpc_channel_credentials_release(tls_creds_1);
3752  grpc_channel_credentials_release(tls_creds_2);
3753 }
3754 
3755 TEST(CredentialsTest, TestTlsCredentialsWithVerifierCompareFailure) {
3756  auto* options_1 = grpc_tls_credentials_options_create();
3757  options_1->set_certificate_verifier(
3758  MakeRefCounted<HostNameCertificateVerifier>());
3759  auto* tls_creds_1 = grpc_tls_credentials_create(options_1);
3760  auto* options_2 = grpc_tls_credentials_options_create();
3761  grpc_tls_certificate_verifier_external verifier = {nullptr, nullptr, nullptr,
3762  nullptr};
3763  options_2->set_certificate_verifier(
3764  MakeRefCounted<ExternalCertificateVerifier>(&verifier));
3765  auto* tls_creds_2 = grpc_tls_credentials_create(options_2);
3766  EXPECT_NE(tls_creds_1->cmp(tls_creds_2), 0);
3767  EXPECT_NE(tls_creds_2->cmp(tls_creds_1), 0);
3768  grpc_channel_credentials_release(tls_creds_1);
3769  grpc_channel_credentials_release(tls_creds_2);
3770 }
3771 
3772 TEST(CredentialsTest, TestXdsCredentialsCompareSucces) {
3773  auto* insecure_creds = grpc_insecure_credentials_create();
3774  auto* xds_creds_1 = grpc_xds_credentials_create(insecure_creds);
3775  auto* xds_creds_2 = grpc_xds_credentials_create(insecure_creds);
3776  EXPECT_EQ(xds_creds_1->cmp(xds_creds_2), 0);
3777  EXPECT_EQ(xds_creds_2->cmp(xds_creds_1), 0);
3778  grpc_channel_credentials_release(insecure_creds);
3779  grpc_channel_credentials_release(xds_creds_1);
3780  grpc_channel_credentials_release(xds_creds_2);
3781 }
3782 
3783 TEST(CredentialsTest, TestXdsCredentialsCompareFailure) {
3784  auto* insecure_creds = grpc_insecure_credentials_create();
3785  auto* fake_creds = grpc_fake_transport_security_credentials_create();
3786  auto* xds_creds_1 = grpc_xds_credentials_create(insecure_creds);
3787  auto* xds_creds_2 = grpc_xds_credentials_create(fake_creds);
3788  EXPECT_NE(xds_creds_1->cmp(xds_creds_2), 0);
3789  EXPECT_NE(xds_creds_2->cmp(xds_creds_1), 0);
3790  grpc_channel_credentials_release(insecure_creds);
3791  grpc_channel_credentials_release(fake_creds);
3792  grpc_channel_credentials_release(xds_creds_1);
3793  grpc_channel_credentials_release(xds_creds_2);
3794 }
3795 
3796 } // namespace
3797 } // namespace grpc_core
3798 
3799 int main(int argc, char** argv) {
3800  testing::InitGoogleTest(&argc, argv);
3801  grpc::testing::TestEnvironment env(&argc, argv);
3802  grpc_init();
3803  auto result = RUN_ALL_TESTS();
3804  grpc_shutdown();
3805  return result;
3806 }
desired_service_url
const char * desired_service_url
Definition: core/security/credentials_test.cc:2054
url_external_account_credentials.h
grpc_arg
Definition: grpc_types.h:103
grpc_access_token_credentials::Type
static grpc_core::UniqueTypeName Type()
Definition: oauth2_credentials.cc:730
GPR_TIMESPAN
@ GPR_TIMESPAN
Definition: gpr_types.h:45
grpc_slice_unref
GPRAPI void grpc_slice_unref(grpc_slice s)
Definition: slice_api.cc:32
_gevent_test_main.result
result
Definition: _gevent_test_main.py:96
auth_filters.h
Type
struct Type Type
Definition: bloaty/third_party/protobuf/php/ext/google/protobuf/protobuf.h:673
grpc_core::MakeScopedArena
ScopedArenaPtr MakeScopedArena(size_t initial_size, MemoryAllocator *memory_allocator)
Definition: src/core/lib/resource_quota/arena.h:130
GPR_INFO
#define GPR_INFO
Definition: include/grpc/impl/codegen/log.h:56
GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX
#define GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX
Definition: grpc_security.h:417
httpcli_put_should_not_be_called
static int httpcli_put_should_not_be_called(const grpc_http_request *, const char *, const char *, const char *, size_t, grpc_core::Timestamp, grpc_closure *, grpc_http_response *)
Definition: jwt_verifier_test.cc:351
GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY
#define GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY
Definition: src/core/lib/security/credentials/credentials.h:58
ASSERT_NE
#define ASSERT_NE(val1, val2)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:2060
test_scope
static const char test_scope[]
Definition: json_token_test.cc:79
grpc_auth_context
Definition: security_context.h:63
desired_method_name
const char * desired_method_name
Definition: core/security/credentials_test.cc:2055
grpc_core::UrlExternalAccountCredentials::Create
static RefCountedPtr< UrlExternalAccountCredentials > Create(Options options, std::vector< std::string > scopes, grpc_error_handle *error)
Definition: url_external_account_credentials.cc:48
grpc_core::MetadataMap::Set
absl::enable_if_t< Which::kRepeatable==false, void > Set(Which, Args &&... args)
Definition: metadata_batch.h:1075
grpc_credentials_plugin_metadata_cb
void(* grpc_credentials_plugin_metadata_cb)(void *user_data, const grpc_metadata *creds_md, size_t num_creds_md, grpc_status_code status, const char *error_details)
Definition: grpc_security.h:385
regen-readme.it
it
Definition: regen-readme.py:15
fake_credentials.h
GRPC_ERROR_NONE
#define GRPC_ERROR_NONE
Definition: error.h:234
grpc_call_credentials::GetRequestMetadataArgs
Definition: src/core/lib/security/credentials/credentials.h:196
log.h
generate.env
env
Definition: generate.py:37
absl::StrCat
std::string StrCat(const AlphaNum &a, const AlphaNum &b)
Definition: abseil-cpp/absl/strings/str_cat.cc:98
grpc_core::internal::set_gce_tenancy_checker_for_testing
void set_gce_tenancy_checker_for_testing(grpc_gce_tenancy_checker checker)
Definition: google_default_credentials.cc:471
metadata
Definition: cq_verifier.cc:48
GRPC_STATUS_UNAUTHENTICATED
@ GRPC_STATUS_UNAUTHENTICATED
Definition: include/grpc/impl/codegen/status.h:72
grpc_md_only_test_credentials_create
grpc_call_credentials * grpc_md_only_test_credentials_create(const char *md_key, const char *md_value)
Definition: fake_credentials.cc:118
memset
return memset(p, 0, total)
expected_
std::string expected_
Definition: core/security/credentials_test.cc:542
absl::StrFormat
ABSL_MUST_USE_RESULT std::string StrFormat(const FormatSpec< Args... > &format, const Args &... args)
Definition: abseil-cpp/absl/strings/str_format.h:338
grpc_service_account_jwt_access_credentials::Type
static grpc_core::UniqueTypeName Type()
Definition: jwt_credentials.cc:127
Timestamp
Definition: bloaty/third_party/protobuf/src/google/protobuf/timestamp.pb.h:69
grpc_call_credentials::GetRequestMetadata
virtual grpc_core::ArenaPromise< absl::StatusOr< grpc_core::ClientMetadataHandle > > GetRequestMetadata(grpc_core::ClientMetadataHandle initial_metadata, const GetRequestMetadataArgs *args)=0
grpc_slice_from_copied_string
GPRAPI grpc_slice grpc_slice_from_copied_string(const char *source)
Definition: slice/slice.cc:177
GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH
#define GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH
Definition: src/core/lib/security/credentials/credentials.h:67
slice.h
grpc_call_credentials::type
virtual grpc_core::UniqueTypeName type() const =0
file_external_account_credentials.h
grpc_core
Definition: call_metric_recorder.h:31
GRPC_CREDENTIALS_ERROR
@ GRPC_CREDENTIALS_ERROR
Definition: src/core/lib/security/credentials/credentials.h:50
GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING
#define GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING
Definition: src/core/lib/security/credentials/credentials.h:73
grpc_service_account_jwt_access_credentials
Definition: jwt_credentials.h:48
expected_error_
grpc_error_handle expected_error_
Definition: core/security/credentials_test.cc:541
grpc_sts_credentials_options
Definition: grpc_security.h:355
grpc_pollset_set
struct grpc_pollset_set grpc_pollset_set
Definition: iomgr_fwd.h:23
grpc_metadata_credentials_plugin::state
void * state
Definition: grpc_security.h:458
grpc_call_credentials::min_security_level
virtual grpc_security_level min_security_level() const
Definition: src/core/lib/security/credentials/credentials.h:217
string.h
options
double_dict options[]
Definition: capstone_test.c:55
grpc_auth_metadata_context::service_url
const char * service_url
Definition: grpc_security.h:393
grpc_google_iam_credentials_create
GRPCAPI grpc_call_credentials * grpc_google_iam_credentials_create(const char *authorization_token, const char *authority_selector, void *reserved)
Definition: iam_credentials.cc:70
benchmark.request
request
Definition: benchmark.py:77
grpc_core::slice_detail::StaticConstructors< Slice >::FromStaticString
static Slice FromStaticString(const char *s)
Definition: src/core/lib/slice/slice.h:201
absl::StartsWith
bool StartsWith(absl::string_view text, absl::string_view prefix) noexcept
Definition: third_party/abseil-cpp/absl/strings/match.h:58
call_host
const char * call_host
Definition: core/security/credentials_test.cc:2052
absl::string_view
Definition: abseil-cpp/absl/strings/string_view.h:167
grpc_pollset_set_create
grpc_pollset_set * grpc_pollset_set_create()
Definition: pollset_set.cc:29
grpc_google_iam_credentials::Type
static grpc_core::UniqueTypeName Type()
Definition: iam_credentials.cc:65
gpr_free
GPRAPI void gpr_free(void *ptr)
Definition: alloc.cc:51
grpc_channel_credentials::duplicate_without_call_credentials
virtual grpc_core::RefCountedPtr< grpc_channel_credentials > duplicate_without_call_credentials()
Definition: src/core/lib/security/credentials/credentials.h:122
testing::internal::string
::std::string string
Definition: bloaty/third_party/protobuf/third_party/googletest/googletest/include/gtest/internal/gtest-port.h:881
error
grpc_error_handle error
Definition: retry_filter.cc:499
grpc_status_code
grpc_status_code
Definition: include/grpc/impl/codegen/status.h:28
grpc_composite_channel_credentials
Definition: composite_credentials.h:47
grpc_metadata_credentials_create_from_plugin
GRPCAPI grpc_call_credentials * grpc_metadata_credentials_create_from_plugin(grpc_metadata_credentials_plugin plugin, grpc_security_level min_security_level, void *reserved)
Definition: plugin_credentials.cc:208
gpr_malloc
GPRAPI void * gpr_malloc(size_t size)
Definition: alloc.cc:29
gpr_tmpfile
FILE * gpr_tmpfile(const char *prefix, char **tmp_filename)
GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING
#define GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(desc, errs, count)
Definition: error.h:307
grpc_call_credentials
Definition: src/core/lib/security/credentials/credentials.h:189
grpc_core::TEST
TEST(AvlTest, NoOp)
Definition: avl_test.cc:21
grpc_core::SplitHostPort
bool SplitHostPort(absl::string_view name, absl::string_view *host, absl::string_view *port)
Definition: host_port.cc:88
status
absl::Status status
Definition: rls.cc:251
grpc_google_compute_engine_credentials_create
GRPCAPI grpc_call_credentials * grpc_google_compute_engine_credentials_create(void *reserved)
Definition: oauth2_credentials.cc:421
grpc_call_credentials_release
GRPCAPI void grpc_call_credentials_release(grpc_call_credentials *creds)
Definition: credentials.cc:42
grpc_core::ValidateStsCredentialsOptions
absl::StatusOr< URI > ValidateStsCredentialsOptions(const grpc_sts_credentials_options *options)
Definition: oauth2_credentials.cc:663
grpc_core::RefCountedPtr::release
T * release()
Definition: ref_counted_ptr.h:140
env.h
absl::FormatConversionChar::s
@ s
grpc_tls_credentials_create
grpc_channel_credentials * grpc_tls_credentials_create(grpc_tls_credentials_options *options)
Definition: tls_credentials.cc:146
call_method
const char * call_method
Definition: core/security/credentials_test.cc:2053
time.h
check_documentation.path
path
Definition: check_documentation.py:57
grpc_composite_call_credentials_create
GRPCAPI grpc_call_credentials * grpc_composite_call_credentials_create(grpc_call_credentials *creds1, grpc_call_credentials *creds2, void *reserved)
Definition: composite_credentials.cc:129
grpc_core::CreateHttpRequestSSLCredentials
RefCountedPtr< grpc_channel_credentials > CreateHttpRequestSSLCredentials()
Definition: httpcli_security_connector.cc:208
grpc_security.h
grpc_auth_metadata_context_reset
GRPCAPI void grpc_auth_metadata_context_reset(grpc_auth_metadata_context *context)
Definition: client_auth_filter.cc:71
grpc_call_credentials::GetRequestMetadataArgs::security_connector
grpc_core::RefCountedPtr< grpc_channel_security_connector > security_connector
Definition: src/core/lib/security/credentials/credentials.h:198
service_url
std::string service_url
Definition: call_creds_util.cc:39
grpc_core::URI::Parse
static absl::StatusOr< URI > Parse(absl::string_view uri_text)
Definition: uri_parser.cc:209
seq.h
verifier
static void verifier(grpc_server *server, grpc_completion_queue *cq, void *)
Definition: badreq.cc:31
grpc::creds_file
FILE * creds_file
Definition: cpp/client/credentials_test.cc:244
grpc::ExternalAccountCredentials
std::shared_ptr< CallCredentials > ExternalAccountCredentials(const grpc::string &json_string, const std::vector< grpc::string > &scopes)
Definition: secure_credentials.cc:121
GRPC_ERROR_STR_DESCRIPTION
@ GRPC_ERROR_STR_DESCRIPTION
top-level textual description of this error
Definition: error.h:106
credentials.h
grpc_channel_args
Definition: grpc_types.h:132
grpc_core::MetadataMap::DebugString
std::string DebugString() const
Definition: metadata_batch.h:1027
grpc_access_token_credentials_create
GRPCAPI grpc_call_credentials * grpc_access_token_credentials_create(const char *access_token, void *reserved)
Definition: oauth2_credentials.cc:744
grpc_google_default_channel_credentials
Definition: google_default_credentials.h:52
absl::PermissionDeniedError
Status PermissionDeniedError(absl::string_view message)
Definition: third_party/abseil-cpp/absl/status/status.cc:363
grpc_core::AwsExternalAccountCredentials::Create
static RefCountedPtr< AwsExternalAccountCredentials > Create(Options options, std::vector< std::string > scopes, grpc_error_handle *error)
Definition: aws_external_account_credentials.cc:80
grpc_core::FileExternalAccountCredentials::Create
static RefCountedPtr< FileExternalAccountCredentials > Create(Options options, std::vector< std::string > scopes, grpc_error_handle *error)
Definition: file_external_account_credentials.cc:35
EXPECT_EQ
#define EXPECT_EQ(a, b)
Definition: iomgr/time_averaged_stats_test.cc:27
grpc_core::MakeActivity
ActivityPtr MakeActivity(Factory promise_factory, WakeupScheduler wakeup_scheduler, OnDone on_done, Contexts &&... contexts)
Definition: activity.h:522
grpc_core::ScopedArenaPtr
std::unique_ptr< Arena, ScopedArenaDeleter > ScopedArenaPtr
Definition: src/core/lib/resource_quota/arena.h:129
grpc_core::HttpRequest::SetOverride
static void SetOverride(grpc_httpcli_get_override get, grpc_httpcli_post_override post, grpc_httpcli_put_override put)
Definition: httpcli.cc:143
uint32_t
unsigned int uint32_t
Definition: stdint-msvc2008.h:80
grpc_service_account_jwt_access_credentials_create
GRPCAPI grpc_call_credentials * grpc_service_account_jwt_access_credentials_create(const char *json_key, gpr_timespec token_lifetime, void *reserved)
Definition: jwt_credentials.cc:154
grpc_core::MetadataMap::Remove
void Remove(Which)
Definition: metadata_batch.h:1087
grpc_security_connector
Definition: security_connector.h:61
DEBUG_LOCATION
#define DEBUG_LOCATION
Definition: debug_location.h:41
string_util.h
grpc_core::RefCounted::Unref
void Unref()
Definition: ref_counted.h:302
setup.url
url
Definition: setup.py:547
grpc_http_response
Definition: src/core/lib/http/parser.h:85
grpc_composite_channel_credentials::call_creds
const grpc_call_credentials * call_creds() const
Definition: composite_credentials.h:78
grpc_metadata
Definition: grpc_types.h:537
external_account_credentials.h
grpc_auth_metadata_context::method_name
const char * method_name
Definition: grpc_security.h:398
exec_ctx_wakeup_scheduler.h
grpc_get_well_known_google_credentials_file_path
std::string grpc_get_well_known_google_credentials_file_path(void)
Definition: google_default_credentials.cc:489
GRPC_SECURITY_NONE
@ GRPC_SECURITY_NONE
Definition: grpc_security_constants.h:133
grpc_tls_certificate_verifier_external
Definition: grpc_security.h:963
grpc_http_header::key
char * key
Definition: src/core/lib/http/parser.h:37
url_scheme
const char * url_scheme
Definition: core/security/credentials_test.cc:2051
grpc_composite_channel_credentials::inner_creds
const grpc_channel_credentials * inner_creds() const
Definition: composite_credentials.h:75
gpr_getenv
char * gpr_getenv(const char *name)
grpc::creds_file_name
char * creds_file_name
Definition: cpp/client/credentials_test.cc:242
absl::move
constexpr absl::remove_reference_t< T > && move(T &&t) noexcept
Definition: abseil-cpp/absl/utility/utility.h:221
GPR_ASSERT
#define GPR_ASSERT(x)
Definition: include/grpc/impl/codegen/log.h:94
grpc_oauth2_token_fetcher_credentials_parse_server_response
grpc_credentials_status grpc_oauth2_token_fetcher_credentials_parse_server_response(const grpc_http_response *response, absl::optional< grpc_core::Slice > *token_value, grpc_core::Duration *token_lifetime)
Definition: oauth2_credentials.cc:155
grpc_sts_credentials_create
GRPCAPI grpc_call_credentials * grpc_sts_credentials_create(const grpc_sts_credentials_options *options, void *reserved)
Definition: oauth2_credentials.cc:701
grpc_auth_json_key_is_valid
int grpc_auth_json_key_is_valid(const grpc_auth_json_key *json_key)
Definition: json_token.cc:66
grpc_http_header
Definition: src/core/lib/http/parser.h:36
gpr_time_cmp
GPRAPI int gpr_time_cmp(gpr_timespec a, gpr_timespec b)
Definition: src/core/lib/gpr/time.cc:30
grpc_polling_entity_pollset_set
grpc_pollset_set * grpc_polling_entity_pollset_set(grpc_polling_entity *pollent)
Definition: polling_entity.cc:49
gen_stats_data.c_str
def c_str(s, encoding='ascii')
Definition: gen_stats_data.py:38
grpc_core::URI::authority
const std::string & authority() const
Definition: uri_parser.h:69
test_json_key_str
static char * test_json_key_str(const char *bad_part3)
Definition: json_token_test.cc:83
Json
JSON (JavaScript Object Notation).
Definition: third_party/bloaty/third_party/protobuf/conformance/third_party/jsoncpp/json.h:227
gmock_output_test.output
output
Definition: bloaty/third_party/googletest/googlemock/test/gmock_output_test.py:175
grpc_core::ExecCtx::Flush
bool Flush()
Definition: exec_ctx.cc:69
plugin_state
struct plugin_state plugin_state
EXPECT_NE
#define EXPECT_NE(val1, val2)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:2028
grpc_auth_json_key::type
const char * type
Definition: json_token.h:37
grpc_external_account_credentials_create
GRPCAPI grpc_call_credentials * grpc_external_account_credentials_create(const char *json_string, const char *scopes_string)
Definition: external_account_credentials.cc:539
grpc_channel_args_compare
int grpc_channel_args_compare(const grpc_channel_args *a, const grpc_channel_args *b)
Definition: channel_args.cc:380
grpc_max_auth_token_lifetime
GRPCAPI gpr_timespec grpc_max_auth_token_lifetime(void)
Definition: json_token.cc:48
gpr_log
GPRAPI void gpr_log(const char *file, int line, gpr_log_severity severity, const char *format,...) GPR_PRINT_FORMAT_CHECK(4
grpc_core::RemoveServiceNameFromJwtUri
absl::StatusOr< std::string > RemoveServiceNameFromJwtUri(absl::string_view uri)
Definition: jwt_credentials.cc:179
httpcli_ssl_credentials.h
httpcli.h
grpc_pollset_set_destroy
void grpc_pollset_set_destroy(grpc_pollset_set *pollset_set)
Definition: pollset_set.cc:33
grpc_auth_json_key::private_key_id
char * private_key_id
Definition: json_token.h:38
grpc_composite_call_credentials::Type
static grpc_core::UniqueTypeName Type()
Definition: composite_credentials.cc:64
grpc_fake_transport_security_credentials_create
grpc_channel_credentials * grpc_fake_transport_security_credentials_create()
Definition: fake_credentials.cc:79
call_creds
void call_creds(grpc_end2end_test_config config)
Definition: call_creds.cc:523
GRPC_AUTHORIZATION_METADATA_KEY
#define GRPC_AUTHORIZATION_METADATA_KEY
Definition: src/core/lib/security/credentials/credentials.h:55
tmpfile.h
absl::optional
Definition: abseil-cpp/absl/types/internal/optional.h:61
grpc_insecure_credentials_create
GRPCAPI grpc_channel_credentials * grpc_insecure_credentials_create()
Definition: core/lib/security/credentials/insecure/insecure_credentials.cc:64
GRPC_GOOGLE_OAUTH2_SERVICE_HOST
#define GRPC_GOOGLE_OAUTH2_SERVICE_HOST
Definition: src/core/lib/security/credentials/credentials.h:66
rsa.h
arena_
ScopedArenaPtr arena_
Definition: core/security/credentials_test.cc:543
grpc_core::ActivityPtr
OrphanablePtr< Activity > ActivityPtr
Definition: activity.h:163
time.h
grpc_slice
Definition: include/grpc/impl/codegen/slice.h:65
main
int main(int argc, char **argv)
Definition: core/security/credentials_test.cc:3799
grpc_core::slice_detail::BaseSlice::as_string_view
absl::string_view as_string_view() const
Definition: src/core/lib/slice/slice.h:89
grpc_metadata_credentials_plugin::debug_string
char *(* debug_string)(void *state)
Definition: grpc_security.h:452
grpc_core::g_memory_allocator
static auto * g_memory_allocator
Definition: call_finalization_test.cc:24
gpr_asprintf
GPRAPI int gpr_asprintf(char **strp, const char *format,...) GPR_PRINT_FORMAT_CHECK(2
grpc_http_response_destroy
void grpc_http_response_destroy(grpc_http_response *response)
Definition: src/core/lib/http/parser.cc:434
grpc_core::ResourceQuota::Default
static ResourceQuotaRefPtr Default()
Definition: resource_quota.cc:27
grpc_metadata_credentials_plugin
Definition: grpc_security.h:424
grpc_md_only_test_credentials::Type
static grpc_core::UniqueTypeName Type()
Definition: fake_credentials.cc:113
error.h
md_
grpc_metadata_batch md_
Definition: core/security/credentials_test.cc:544
grpc_polling_entity
Definition: polling_entity.h:38
host_port.h
grpc_composite_channel_credentials_create
GRPCAPI grpc_channel_credentials * grpc_composite_channel_credentials_create(grpc_channel_credentials *channel_creds, grpc_call_credentials *call_creds, void *reserved)
Definition: composite_credentials.cc:164
RUN_ALL_TESTS
int RUN_ALL_TESTS() GTEST_MUST_USE_RESULT_
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:2471
GPR_ERROR
#define GPR_ERROR
Definition: include/grpc/impl/codegen/log.h:57
GPR_UNREACHABLE_CODE
#define GPR_UNREACHABLE_CODE(STATEMENT)
Definition: impl/codegen/port_platform.h:652
tests.google.protobuf.internal.message_test.cmp
cmp
Definition: bloaty/third_party/protobuf/python/compatibility_tests/v2.5.0/tests/google/protobuf/internal/message_test.py:61
httpcli_get_should_not_be_called
static int httpcli_get_should_not_be_called(const grpc_http_request *, const char *, const char *, grpc_core::Timestamp, grpc_closure *, grpc_http_response *)
Definition: jwt_verifier_test.cc:613
grpc_core::ok
Poll< absl::StatusOr< std::tuple< T... > > > ok(T... x)
Definition: try_join_test.cc:40
pollent_
grpc_polling_entity pollent_
Definition: core/security/credentials_test.cc:546
xds_credentials.h
test_json_key_str_part1
static const char test_json_key_str_part1[]
Definition: json_token_test.cc:41
promise.h
grpc_auth_json_key::private_key
RSA * private_key
Definition: json_token.h:41
GRPC_ERROR_CREATE_FROM_STATIC_STRING
#define GRPC_ERROR_CREATE_FROM_STATIC_STRING(desc)
Definition: error.h:291
GRPC_GOOGLE_CREDENTIALS_ENV_VAR
#define GRPC_GOOGLE_CREDENTIALS_ENV_VAR
Definition: grpc_security_constants.h:63
grpc_core::Json::Parse
static Json Parse(absl::string_view json_str, grpc_error_handle *error)
Definition: json_reader.cc:899
tests.unit._exit_scenarios.port
port
Definition: _exit_scenarios.py:179
test_config.h
grpc_slice_to_c_string
GPRAPI char * grpc_slice_to_c_string(grpc_slice s)
Definition: slice/slice.cc:35
grpc_channel_credentials_release
GRPCAPI void grpc_channel_credentials_release(grpc_channel_credentials *creds)
Definition: credentials.cc:36
test_json_key_str_part2
static const char test_json_key_str_part2[]
Definition: json_token_test.cc:52
tsi_peer
Definition: transport_security_interface.h:238
contents
string_view contents
Definition: elf.cc:597
security_context.h
grpc_composite_call_credentials
Definition: composite_credentials.h:95
absl::StatusOr::ok
ABSL_MUST_USE_RESULT bool ok() const
Definition: abseil-cpp/absl/status/statusor.h:491
GPR_ARRAY_SIZE
#define GPR_ARRAY_SIZE(array)
Definition: useful.h:129
benchmark.md
md
Definition: benchmark.py:86
testing::InitGoogleTest
GTEST_API_ void InitGoogleTest(int *argc, char **argv)
Definition: bloaty/third_party/googletest/googletest/src/gtest.cc:6106
absl_status_to_grpc_error
grpc_error_handle absl_status_to_grpc_error(absl::Status status)
Definition: error_utils.cc:167
grpc_google_refresh_token_credentials_create
GRPCAPI grpc_call_credentials * grpc_google_refresh_token_credentials_create(const char *json_refresh_token, void *reserved)
Definition: oauth2_credentials.cc:508
test_service_url
static const char test_service_url[]
Definition: json_token_test.cc:81
grpc_tls_credentials_options.h
benchmark.FILE
FILE
Definition: benchmark.py:21
grpc_tls_credentials_options_create
GRPCAPI grpc_tls_credentials_options * grpc_tls_credentials_options_create(void)
Definition: grpc_tls_credentials_options.cc:33
grpc_metadata_credentials_plugin::get_metadata
int(* get_metadata)(void *state, grpc_auth_metadata_context context, grpc_credentials_plugin_metadata_cb cb, void *user_data, grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX], size_t *num_creds_md, grpc_status_code *status, const char **error_details)
Definition: grpc_security.h:443
gpr_time_add
GPRAPI gpr_timespec gpr_time_add(gpr_timespec a, gpr_timespec b)
Definition: src/core/lib/gpr/time.cc:135
grpc_core::QsortCompare
int QsortCompare(const T &a, const T &b)
Definition: useful.h:95
grpc_auth_metadata_context::channel_auth_context
const grpc_auth_context * channel_auth_context
Definition: grpc_security.h:401
exec_ctx
grpc_core::ExecCtx exec_ctx
Definition: end2end_binder_transport_test.cc:75
grpc_error_std_string
std::string grpc_error_std_string(grpc_error_handle error)
Definition: error.cc:944
grpc::fclose
fclose(creds_file)
absl::Status
Definition: third_party/abseil-cpp/absl/status/status.h:424
composite_credentials.h
check_peer
static void check_peer(char *peer_name)
Definition: end2end/tests/simple_request.cc:91
ret
UniquePtr< SSL_SESSION > ret
Definition: ssl_x509.cc:1029
GRPC_ERROR_CREATE_FROM_CPP_STRING
#define GRPC_ERROR_CREATE_FROM_CPP_STRING(desc)
Definition: error.h:297
alloc.h
RSA_check_key
#define RSA_check_key
Definition: boringssl_prefix_symbols.h:2085
grpc_override_well_known_credentials_path_getter
void grpc_override_well_known_credentials_path_getter(grpc_well_known_credentials_path_getter getter)
Definition: google_default_credentials.cc:494
asyncio_get_stats.response
response
Definition: asyncio_get_stats.py:28
std
Definition: grpcpp/impl/codegen/async_unary_call.h:407
grpc::testing::TestEnvironment
Definition: test/core/util/test_config.h:54
grpc_core::Duration::Seconds
static constexpr Duration Seconds(int64_t seconds)
Definition: src/core/lib/gprpp/time.h:151
file_prefix
static const char file_prefix[]
Definition: test-fs-event.c:50
absl::StrReplaceAll
std::string StrReplaceAll(absl::string_view s, strings_internal::FixedMapping replacements)
Definition: abseil-cpp/absl/strings/str_replace.cc:71
grpc_core::MetadataHandle< ClientMetadata >::TestOnlyWrap
static MetadataHandle TestOnlyWrap(ClientMetadata *p)
Definition: transport.h:123
test_refresh_token_str
static const char test_refresh_token_str[]
Definition: json_token_test.cc:73
http_response
static grpc_http_response http_response(int status, char *body)
Definition: jwt_verifier_test.cc:333
iam_credentials.h
grpc_http_header::value
char * value
Definition: src/core/lib/http/parser.h:38
state
Definition: bloaty/third_party/zlib/contrib/blast/blast.c:41
GRPC_CREDENTIALS_OK
@ GRPC_CREDENTIALS_OK
Definition: src/core/lib/security/credentials/credentials.h:49
unique_type_name.h
python_utils.upload_rbe_results.test_cases
list test_cases
Definition: upload_rbe_results.py:197
GRPC_PRIVACY_AND_INTEGRITY
@ GRPC_PRIVACY_AND_INTEGRITY
Definition: grpc_security_constants.h:135
GRPC_ERROR_UNREF
#define GRPC_ERROR_UNREF(err)
Definition: error.h:262
grpc_core::ExecCtx::Run
static void Run(const DebugLocation &location, grpc_closure *closure, grpc_error_handle error)
Definition: exec_ctx.cc:98
GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY
#define GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY
Definition: src/core/lib/security/credentials/credentials.h:56
grpc_composite_call_credentials::CallCredentialsList
std::vector< grpc_core::RefCountedPtr< grpc_call_credentials > > CallCredentialsList
Definition: composite_credentials.h:98
gpr_strdup
GPRAPI char * gpr_strdup(const char *src)
Definition: string.cc:39
plugin_destroy
static void plugin_destroy(void)
Definition: init_test.cc:33
grpc_channel_security_connector
Definition: security_connector.h:118
grpc_core::Immediate
promise_detail::Immediate< T > Immediate(T value)
Definition: promise/promise.h:73
grpc_channel_credentials_to_arg
grpc_arg grpc_channel_credentials_to_arg(grpc_channel_credentials *credentials)
Definition: credentials.cc:65
httpcli_post_should_not_be_called
static int httpcli_post_should_not_be_called(const grpc_http_request *, const char *, const char *, const char *, size_t, grpc_core::Timestamp, grpc_closure *, grpc_http_response *)
Definition: jwt_verifier_test.cc:342
context
grpc::ClientContext context
Definition: istio_echo_server_lib.cc:61
grpc_google_default_credentials_create
GRPCAPI grpc_channel_credentials * grpc_google_default_credentials_create(grpc_call_credentials *call_credentials)
Definition: google_default_credentials.cc:429
grpc_core::internal::grpc_flush_cached_google_default_credentials
void grpc_flush_cached_google_default_credentials(void)
Definition: google_default_credentials.cc:475
Duration
Definition: bloaty/third_party/protobuf/src/google/protobuf/duration.pb.h:69
grpc_core::ClientMetadataHandle
MetadataHandle< ClientMetadata > ClientMetadataHandle
Definition: transport.h:153
google_default_credentials.h
grpc_google_refresh_token_credentials
Definition: oauth2_credentials.h:148
get_request_metadata_args_
grpc_call_credentials::GetRequestMetadataArgs get_request_metadata_args_
Definition: core/security/credentials_test.cc:545
grpc_core::Seq
promise_detail::Seq< Functors... > Seq(Functors... functors)
Definition: seq.h:62
grpc_xds_credentials_create
GRPCAPI grpc_channel_credentials * grpc_xds_credentials_create(grpc_channel_credentials *fallback_credentials)
Definition: core/lib/security/credentials/xds/xds_credentials.cc:243
absl::StatusOr
Definition: abseil-cpp/absl/status/statusor.h:187
grpc_error_get_str
bool grpc_error_get_str(grpc_error_handle err, grpc_error_strs which, std::string *s)
Returns false if the specified string is not set.
Definition: error.cc:659
asyncio_get_stats.type
type
Definition: asyncio_get_stats.py:37
uri_parser.h
autogen_x86imm.tmp
tmp
Definition: autogen_x86imm.py:12
gpr_timespec
Definition: gpr_types.h:50
GRPC_SSL_URL_SCHEME
#define GRPC_SSL_URL_SCHEME
Definition: security_connector.h:49
grpc_init
GRPCAPI void grpc_init(void)
Definition: init.cc:146
service
__attribute__((deprecated("Please use GRPCProtoMethod."))) @interface ProtoMethod NSString * service
Definition: ProtoMethod.h:25
grpc_error
Definition: error_internal.h:42
grpc_polling_entity_create_from_pollset_set
grpc_polling_entity grpc_polling_entity_create_from_pollset_set(grpc_pollset_set *pollset_set)
Definition: polling_entity.cc:26
function
std::function< bool(GrpcTool *, int, const char **, const CliCredentials &, GrpcToolOutputCallback)> function
Definition: grpc_tool.cc:250
grpc_auth_metadata_context
Definition: grpc_security.h:391
oauth2_credentials.h
grpc_jwt_encode_and_sign_set_override
void grpc_jwt_encode_and_sign_set_override(grpc_jwt_encode_and_sign_override func)
Definition: json_token.cc:286
testing::Ref
internal::RefMatcher< T & > Ref(T &x)
Definition: cares/cares/test/gmock-1.8.0/gmock/gmock.h:8628
grpc_channel_credentials::create_security_connector
virtual grpc_core::RefCountedPtr< grpc_channel_security_connector > create_security_connector(grpc_core::RefCountedPtr< grpc_call_credentials > call_creds, const char *target, const grpc_channel_args *args, grpc_channel_args **new_args)=0
gpr_unsetenv
void gpr_unsetenv(const char *name)
grpc_metadata_batch
Definition: metadata_batch.h:1259
plugin_state
Definition: call_credentials.h:42
aws_external_account_credentials.h
grpc_closure
Definition: closure.h:56
method_name
absl::string_view method_name
Definition: call_creds_util.cc:40
grpc_auth_json_key::client_email
char * client_email
Definition: json_token.h:40
activity_
ActivityPtr activity_
Definition: core/security/credentials_test.cc:547
grpc_auth_json_key::client_id
char * client_id
Definition: json_token.h:39
grpc_endpoint
Definition: endpoint.h:105
grpc_shutdown
GRPCAPI void grpc_shutdown(void)
Definition: init.cc:209
grpc_channel_credentials
Definition: src/core/lib/security/credentials/credentials.h:96
grpc_metadata_credentials_plugin::destroy
void(* destroy)(void *state)
Definition: grpc_security.h:455
cb
OPENSSL_EXPORT pem_password_cb * cb
Definition: pem.h:351
grpc_core::ExecCtx::Get
static ExecCtx * Get()
Definition: exec_ctx.h:205
grpc_core::RefCounted::Ref
RefCountedPtr< Child > Ref() GRPC_MUST_USE_RESULT
Definition: ref_counted.h:287
i
uint64_t i
Definition: abseil-cpp/absl/container/btree_benchmark.cc:230
state
static struct rpc_state state
Definition: bad_server_response_test.cc:87
test_json_key_str_part3
static const char test_json_key_str_part3[]
Definition: json_token_test.cc:64
absl::StatusOr::status
const Status & status() const &
Definition: abseil-cpp/absl/status/statusor.h:678
error_utils.h
ASSERT_EQ
#define ASSERT_EQ(val1, val2)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:2056
gpr_setenv
void gpr_setenv(const char *name, const char *value)
grpc_composite_channel_credentials::mutable_call_creds
grpc_call_credentials * mutable_call_creds()
Definition: composite_credentials.h:79
GRPC_ERROR_IS_NONE
#define GRPC_ERROR_IS_NONE(err)
Definition: error.h:241
grpc_http_request
Definition: src/core/lib/http/parser.h:69
jwt_credentials.h
port_platform.h
grpc_auth_json_key
Definition: json_token.h:36
grpc_call_credentials::debug_string
virtual std::string debug_string()
Definition: src/core/lib/security/credentials/credentials.h:231

grpc
Author(s):
autogenerated on Fri May 16 2025 02:58:06