include/grpcpp/security/credentials.h
Go to the documentation of this file.
1 /*
2  *
3  * Copyright 2015 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef GRPCPP_SECURITY_CREDENTIALS_H
20 #define GRPCPP_SECURITY_CREDENTIALS_H
21 
22 #include <map>
23 #include <memory>
24 #include <vector>
25 
26 #include <grpc/grpc_security_constants.h>
27 #include <grpcpp/channel.h>
28 #include <grpcpp/impl/codegen/client_interceptor.h>
29 #include <grpcpp/impl/codegen/grpc_library.h>
30 #include <grpcpp/security/auth_context.h>
31 #include <grpcpp/security/tls_credentials_options.h>
32 #include <grpcpp/support/channel_arguments.h>
33 #include <grpcpp/support/status.h>
34 #include <grpcpp/support/string_ref.h>
35 
36 struct grpc_call;
37 
38 namespace grpc {
39 class CallCredentials;
40 class SecureCallCredentials;
41 class SecureChannelCredentials;
42 class ChannelCredentials;
43 
44 std::shared_ptr<Channel> CreateCustomChannel(
45  const grpc::string& target,
46  const std::shared_ptr<grpc::ChannelCredentials>& creds,
47  const grpc::ChannelArguments& args);
48 
49 namespace experimental {
50 std::shared_ptr<grpc::Channel> CreateCustomChannelWithInterceptors(
51  const grpc::string& target,
52  const std::shared_ptr<grpc::ChannelCredentials>& creds,
53  const grpc::ChannelArguments& args,
54  std::vector<
55  std::unique_ptr<grpc::experimental::ClientInterceptorFactoryInterface>>
56  interceptor_creators);
57 
58 GRPC_DEPRECATED(
59  "Use grpc::XdsCredentials instead. The experimental version will be "
60  "deleted after the 1.41 release.")
61 std::shared_ptr<ChannelCredentials> XdsCredentials(
62  const std::shared_ptr<ChannelCredentials>& fallback_creds);
63 } // namespace experimental
64 
66 std::shared_ptr<ChannelCredentials> XdsCredentials(
67  const std::shared_ptr<ChannelCredentials>& fallback_creds);
68 
75 class ChannelCredentials : private grpc::GrpcLibraryCodegen {
76  public:
77  ChannelCredentials();
78  ~ChannelCredentials() override;
79 
80  protected:
81  friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
82  const std::shared_ptr<ChannelCredentials>& channel_creds,
83  const std::shared_ptr<CallCredentials>& call_creds);
84 
85  // TODO(yashykt): We need this friend declaration mainly for access to
86  // AsSecureCredentials(). Once we are able to remove insecure builds from gRPC
87  // (and also internal dependencies on the indirect method of creating a
88  // channel through credentials), we would be able to remove this.
89  friend std::shared_ptr<ChannelCredentials> grpc::XdsCredentials(
90  const std::shared_ptr<ChannelCredentials>& fallback_creds);
91 
92  virtual SecureChannelCredentials* AsSecureCredentials() = 0;
93 
94  private:
95  friend std::shared_ptr<grpc::Channel> CreateCustomChannel(
96  const grpc::string& target,
97  const std::shared_ptr<grpc::ChannelCredentials>& creds,
98  const grpc::ChannelArguments& args);
99 
100  friend std::shared_ptr<grpc::Channel>
101  grpc::experimental::CreateCustomChannelWithInterceptors(
102  const grpc::string& target,
103  const std::shared_ptr<grpc::ChannelCredentials>& creds,
104  const grpc::ChannelArguments& args,
105  std::vector<std::unique_ptr<
106  grpc::experimental::ClientInterceptorFactoryInterface>>
107  interceptor_creators);
108 
109  virtual std::shared_ptr<Channel> CreateChannelImpl(
110  const grpc::string& target, const ChannelArguments& args) = 0;
111 
112  // This function should have been a pure virtual function, but it is
113  // implemented as a virtual function so that it does not break API.
114  virtual std::shared_ptr<Channel> CreateChannelWithInterceptors(
115  const grpc::string& /*target*/, const ChannelArguments& /*args*/,
116  std::vector<std::unique_ptr<
117  grpc::experimental::ClientInterceptorFactoryInterface>>
118  /*interceptor_creators*/) {
119  return nullptr;
120  }
121 
122  // TODO(yashkt): This is a hack that is needed since InsecureCredentials can
123  // not use grpc_channel_credentials internally and should be removed after
124  // insecure builds are removed from gRPC.
125  virtual bool IsInsecure() const { return false; }
126 };
127 
132 class CallCredentials : private grpc::GrpcLibraryCodegen {
133  public:
134  CallCredentials();
135  ~CallCredentials() override;
136 
138  virtual bool ApplyToCall(grpc_call* call) = 0;
139  virtual grpc::string DebugString() {
140  return "CallCredentials did not provide a debug string";
141  }
142 
143  protected:
144  friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
145  const std::shared_ptr<ChannelCredentials>& channel_creds,
146  const std::shared_ptr<CallCredentials>& call_creds);
147 
148  friend std::shared_ptr<CallCredentials> CompositeCallCredentials(
149  const std::shared_ptr<CallCredentials>& creds1,
150  const std::shared_ptr<CallCredentials>& creds2);
151 
152  virtual SecureCallCredentials* AsSecureCredentials() = 0;
153 };
154 
156 struct SslCredentialsOptions {
162  grpc::string pem_root_certs;
163 
166  grpc::string pem_private_key;
167 
171  grpc::string pem_cert_chain;
172 };
173 
174 // Factories for building different types of Credentials The functions may
175 // return empty shared_ptr when credentials cannot be created. If a
176 // Credentials pointer is returned, it can still be invalid when used to create
177 // a channel. A lame channel will be created then and all rpcs will fail on it.
178 
185 std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials();
186 
188 std::shared_ptr<ChannelCredentials> SslCredentials(
189  const SslCredentialsOptions& options);
190 
197 std::shared_ptr<CallCredentials> GoogleComputeEngineCredentials();
198 
199 constexpr long kMaxAuthTokenLifetimeSecs = 3600;
200 
206 std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials(
207  const grpc::string& json_key,
208  long token_lifetime_seconds = kMaxAuthTokenLifetimeSecs);
209 
218 std::shared_ptr<CallCredentials> GoogleRefreshTokenCredentials(
219  const grpc::string& json_refresh_token);
220 
229 std::shared_ptr<CallCredentials> AccessTokenCredentials(
230  const grpc::string& access_token);
231 
238 std::shared_ptr<CallCredentials> GoogleIAMCredentials(
239  const grpc::string& authorization_token,
240  const grpc::string& authority_selector);
241 
244 std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
245  const std::shared_ptr<ChannelCredentials>& channel_creds,
246  const std::shared_ptr<CallCredentials>& call_creds);
247 
249 std::shared_ptr<CallCredentials> CompositeCallCredentials(
250  const std::shared_ptr<CallCredentials>& creds1,
251  const std::shared_ptr<CallCredentials>& creds2);
252 
254 std::shared_ptr<ChannelCredentials> InsecureChannelCredentials();
255 
257 class MetadataCredentialsPlugin {
258  public:
259  virtual ~MetadataCredentialsPlugin() {}
260 
263  virtual bool IsBlocking() const { return true; }
264 
266  virtual const char* GetType() const { return ""; }
267 
273  virtual grpc::Status GetMetadata(
274  grpc::string_ref service_url, grpc::string_ref method_name,
275  const grpc::AuthContext& channel_auth_context,
276  std::multimap<grpc::string, grpc::string>* metadata) = 0;
277 
278  virtual grpc::string DebugString() {
279  return "MetadataCredentialsPlugin did not provide a debug string";
280  }
281 };
282 
283 std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
284  std::unique_ptr<MetadataCredentialsPlugin> plugin);
285 
289 std::shared_ptr<CallCredentials> ExternalAccountCredentials(
290  const grpc::string& json_string, const std::vector<grpc::string>& scopes);
291 
292 namespace experimental {
293 
299 struct StsCredentialsOptions {
300  grpc::string token_exchange_service_uri; // Required.
301  grpc::string resource; // Optional.
302  grpc::string audience; // Optional.
303  grpc::string scope; // Optional.
304  grpc::string requested_token_type; // Optional.
305  grpc::string subject_token_path; // Required.
306  grpc::string subject_token_type; // Required.
307  grpc::string actor_token_path; // Optional.
308  grpc::string actor_token_type; // Optional.
309 };
310 
311 grpc::Status StsCredentialsOptionsFromJson(const std::string& json_string,
312  StsCredentialsOptions* options);
313 
317 grpc::Status StsCredentialsOptionsFromEnv(StsCredentialsOptions* options);
318 
319 std::shared_ptr<CallCredentials> StsCredentials(
320  const StsCredentialsOptions& options);
321 
322 std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
323  std::unique_ptr<MetadataCredentialsPlugin> plugin,
324  grpc_security_level min_security_level);
325 
327 struct AltsCredentialsOptions {
331  std::vector<grpc::string> target_service_accounts;
332 };
333 
335 std::shared_ptr<ChannelCredentials> AltsCredentials(
336  const AltsCredentialsOptions& options);
337 
339 std::shared_ptr<ChannelCredentials> LocalCredentials(
340  grpc_local_connect_type type);
341 
343 std::shared_ptr<ChannelCredentials> TlsCredentials(
344  const TlsChannelCredentialsOptions& options);
345 
346 } // namespace experimental
347 } // namespace grpc
348 
349 #endif // GRPCPP_SECURITY_CREDENTIALS_H
grpc::string_ref
Definition: grpcpp/impl/codegen/string_ref.h:43
grpc::experimental::StsCredentialsOptionsFromJson
grpc::Status StsCredentialsOptionsFromJson(const std::string &json_string, StsCredentialsOptions *options)
Definition: secure_credentials.cc:162
tls_credentials_options.h
const
#define const
Definition: bloaty/third_party/zlib/zconf.h:230
grpc::experimental::MetadataCredentialsFromPlugin
std::shared_ptr< CallCredentials > MetadataCredentialsFromPlugin(std::unique_ptr< MetadataCredentialsPlugin > plugin, grpc_security_level min_security_level)
Definition: secure_credentials.cc:278
metadata
Definition: cq_verifier.cc:48
grpc
Definition: grpcpp/alarm.h:33
grpc::SslCredentials
std::shared_ptr< ChannelCredentials > SslCredentials(const SslCredentialsOptions &options)
Builds SSL Credentials given SSL specific options.
Definition: secure_credentials.cc:129
options
double_dict options[]
Definition: capstone_test.c:55
grpc::experimental::StsCredentialsOptionsFromEnv
grpc::Status StsCredentialsOptionsFromEnv(StsCredentialsOptions *options)
Definition: secure_credentials.cc:219
grpc::SslCredentialsOptions::pem_cert_chain
grpc::string pem_cert_chain
Definition: include/grpcpp/security/credentials.h:171
grpc::experimental::ClientInterceptorFactoryInterface
Definition: impl/codegen/client_interceptor.h:48
testing::internal::string
::std::string string
Definition: bloaty/third_party/protobuf/third_party/googletest/googletest/include/gtest/internal/gtest-port.h:881
grpc::CompositeChannelCredentials
std::shared_ptr< ChannelCredentials > CompositeChannelCredentials(const std::shared_ptr< ChannelCredentials > &channel_creds, const std::shared_ptr< CallCredentials > &call_creds)
Definition: secure_credentials.cc:373
grpc::MetadataCredentialsPlugin::~MetadataCredentialsPlugin
virtual ~MetadataCredentialsPlugin()
Definition: include/grpcpp/security/credentials.h:259
grpc::experimental::XdsCredentials
std::shared_ptr< ChannelCredentials > XdsCredentials(const std::shared_ptr< ChannelCredentials > &fallback_creds)
Definition: cpp/client/xds_credentials.cc:48
grpc::GoogleDefaultCredentials
std::shared_ptr< ChannelCredentials > GoogleDefaultCredentials()
Definition: secure_credentials.cc:115
grpc::SecureCallCredentials
Definition: secure_credentials.h:72
grpc::ChannelCredentials
Definition: include/grpcpp/security/credentials.h:75
grpc::experimental::StsCredentialsOptions::token_exchange_service_uri
grpc::string token_exchange_service_uri
Definition: include/grpcpp/security/credentials.h:300
service_url
std::string service_url
Definition: call_creds_util.cc:39
grpc::GrpcLibraryCodegen
Classes that require gRPC to be initialized should inherit from this class.
Definition: grpcpp/impl/codegen/grpc_library.h:40
grpc::ExternalAccountCredentials
std::shared_ptr< CallCredentials > ExternalAccountCredentials(const grpc::string &json_string, const std::vector< grpc::string > &scopes)
Definition: secure_credentials.cc:121
grpc::experimental::StsCredentialsOptions::subject_token_path
grpc::string subject_token_path
Definition: include/grpcpp/security/credentials.h:305
grpc::experimental::StsCredentialsOptions::audience
grpc::string audience
Definition: include/grpcpp/security/credentials.h:302
call
FilterStackCall * call
Definition: call.cc:750
grpc::ServiceAccountJWTAccessCredentials
std::shared_ptr< CallCredentials > ServiceAccountJWTAccessCredentials(const grpc::string &json_key, long token_lifetime_seconds=kMaxAuthTokenLifetimeSecs)
grpc::CallCredentials::DebugString
virtual grpc::string DebugString()
Definition: include/grpcpp/security/credentials.h:139
GRPC_DEPRECATED
#define GRPC_DEPRECATED(reason)
Definition: impl/codegen/port_platform.h:36
grpc::experimental::StsCredentialsOptions::subject_token_type
grpc::string subject_token_type
Definition: include/grpcpp/security/credentials.h:306
grpc::experimental::AltsCredentialsOptions::target_service_accounts
std::vector< grpc::string > target_service_accounts
Definition: include/grpcpp/security/credentials.h:331
asyncio_get_stats.args
args
Definition: asyncio_get_stats.py:40
grpc::MetadataCredentialsPlugin::IsBlocking
virtual bool IsBlocking() const
Definition: include/grpcpp/security/credentials.h:263
channel_arguments.h
grpc::SslCredentialsOptions
Options used to build SslCredentials.
Definition: include/grpcpp/security/credentials.h:156
grpc::experimental::LocalCredentials
std::shared_ptr< ChannelCredentials > LocalCredentials(grpc_local_connect_type type)
Builds Local Credentials.
Definition: secure_credentials.cc:309
grpc::experimental::StsCredentialsOptions::requested_token_type
grpc::string requested_token_type
Definition: include/grpcpp/security/credentials.h:304
grpc_call
struct grpc_call grpc_call
Definition: grpc_types.h:70
call_creds
void call_creds(grpc_end2end_test_config config)
Definition: call_creds.cc:523
grpc::ChannelCredentials::CreateChannelWithInterceptors
virtual std::shared_ptr< Channel > CreateChannelWithInterceptors(const grpc::string &, const ChannelArguments &, std::vector< std::unique_ptr< grpc::experimental::ClientInterceptorFactoryInterface >>)
Definition: include/grpcpp/security/credentials.h:114
channel.h
grpc::experimental::StsCredentialsOptions::scope
grpc::string scope
Definition: include/grpcpp/security/credentials.h:303
grpc.beta.implementations.CallCredentials
CallCredentials
Definition: implementations.py:35
grpc::MetadataCredentialsPlugin::GetType
virtual const char * GetType() const
Type of credentials this plugin is implementing.
Definition: include/grpcpp/security/credentials.h:266
grpc::SslCredentialsOptions::pem_root_certs
grpc::string pem_root_certs
Definition: include/grpcpp/security/credentials.h:162
grpc::experimental::TlsChannelCredentialsOptions
Definition: tls_credentials_options.h:125
grpc::CompositeCallCredentials
std::shared_ptr< CallCredentials > CompositeCallCredentials(const std::shared_ptr< CallCredentials > &creds1, const std::shared_ptr< CallCredentials > &creds2)
Combines two call credentials objects into a composite call credentials.
Definition: secure_credentials.cc:392
client_interceptor.h
grpc::SslCredentialsOptions::pem_private_key
grpc::string pem_private_key
Definition: include/grpcpp/security/credentials.h:166
grpc_library.h
grpc::experimental::StsCredentialsOptions::actor_token_path
grpc::string actor_token_path
Definition: include/grpcpp/security/credentials.h:307
grpc::MetadataCredentialsPlugin
User defined metadata credentials.
Definition: include/grpcpp/security/credentials.h:257
grpc::ChannelArguments
Definition: grpcpp/support/channel_arguments.h:39
grpc_security_level
grpc_security_level
Definition: grpc_security_constants.h:131
grpc::GoogleRefreshTokenCredentials
std::shared_ptr< CallCredentials > GoogleRefreshTokenCredentials(const grpc::string &json_refresh_token)
grpc::experimental::TlsCredentials
std::shared_ptr< ChannelCredentials > TlsCredentials(const TlsChannelCredentialsOptions &options)
Builds TLS Credentials given TLS options.
Definition: secure_credentials.cc:316
grpc.beta.implementations.ChannelCredentials
ChannelCredentials
Definition: implementations.py:33
grpc::MetadataCredentialsPlugin::DebugString
virtual grpc::string DebugString()
Definition: include/grpcpp/security/credentials.h:278
grpc::experimental::CreateCustomChannelWithInterceptors
std::shared_ptr< Channel > CreateCustomChannelWithInterceptors(const grpc::string &target, const std::shared_ptr< ChannelCredentials > &creds, const ChannelArguments &args, std::vector< std::unique_ptr< experimental::ClientInterceptorFactoryInterface >> interceptor_creators)
std
Definition: grpcpp/impl/codegen/async_unary_call.h:407
grpc::CreateCustomChannel
std::shared_ptr< Channel > CreateCustomChannel(const grpc::string &target, const std::shared_ptr< ChannelCredentials > &creds, const ChannelArguments &args)
grpc::XdsCredentials
std::shared_ptr< ChannelCredentials > XdsCredentials(const std::shared_ptr< ChannelCredentials > &fallback_creds)
Builds XDS Credentials.
Definition: cpp/client/xds_credentials.cc:30
grpc_security_constants.h
grpc::experimental::StsCredentials
std::shared_ptr< CallCredentials > StsCredentials(const StsCredentialsOptions &options)
Definition: secure_credentials.cc:272
grpc::Status
Definition: include/grpcpp/impl/codegen/status.h:35
grpc::ChannelCredentials::IsInsecure
virtual bool IsInsecure() const
Definition: include/grpcpp/security/credentials.h:125
grpc::SecureChannelCredentials
Definition: secure_credentials.h:49
grpc::experimental::StsCredentialsOptions::actor_token_type
grpc::string actor_token_type
Definition: include/grpcpp/security/credentials.h:308
grpc::kMaxAuthTokenLifetimeSecs
constexpr long kMaxAuthTokenLifetimeSecs
Definition: include/grpcpp/security/credentials.h:199
grpc::experimental::AltsCredentials
std::shared_ptr< ChannelCredentials > AltsCredentials(const AltsCredentialsOptions &options)
Builds ALTS Credentials given ALTS specific options.
Definition: secure_credentials.cc:294
grpc::experimental::StsCredentialsOptions
Definition: include/grpcpp/security/credentials.h:299
grpc::AccessTokenCredentials
std::shared_ptr< CallCredentials > AccessTokenCredentials(const grpc::string &access_token)
asyncio_get_stats.type
type
Definition: asyncio_get_stats.py:37
grpc::experimental::StsCredentialsOptions::resource
grpc::string resource
Definition: include/grpcpp/security/credentials.h:301
grpc::InsecureChannelCredentials
std::shared_ptr< ChannelCredentials > InsecureChannelCredentials()
Credentials for an unencrypted, unauthenticated channel.
Definition: cpp/client/insecure_credentials.cc:69
grpc::experimental::AltsCredentialsOptions
Options used to build AltsCredentials.
Definition: include/grpcpp/security/credentials.h:327
auth_context.h
grpc_local_connect_type
grpc_local_connect_type
Definition: grpc_security_constants.h:143
method_name
absl::string_view method_name
Definition: call_creds_util.cc:40
grpc::GoogleComputeEngineCredentials
std::shared_ptr< CallCredentials > GoogleComputeEngineCredentials()
Definition: secure_credentials.cc:325
grpc::AuthContext
Definition: grpcpp/impl/codegen/security/auth_context.h:72
setup.target
target
Definition: third_party/bloaty/third_party/protobuf/python/setup.py:179
grpc::CallCredentials
Definition: include/grpcpp/security/credentials.h:132
string_ref.h
status.h
grpc::GoogleIAMCredentials
std::shared_ptr< CallCredentials > GoogleIAMCredentials(const grpc::string &authorization_token, const grpc::string &authority_selector)

grpc
Author(s):
autogenerated on Fri May 16 2025 02:58:06