diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h
index c297622a512bf32891b871a77502c2471a3284ba..586cfcffe7f105e30e2e0a6159091903eb837e4e 100644
--- a/include/grpc/grpc_security.h
+++ b/include/grpc/grpc_security.h
@@ -117,6 +117,15 @@ grpc_credentials *grpc_service_account_credentials_create(
grpc_credentials *grpc_jwt_credentials_create(const char *json_key,
gpr_timespec token_lifetime);
+/* Creates an Oauth2 Refresh Token crednetials object. May return NULL if the
+ input is invalid.
+ WARNING: Do NOT use this credentials to connect to a non-google service as
+ this could result in an oauth2 token leak.
+ - json_refresh_token is the JSON string containing the refresh token itself
+ along with a client_id and client_secret. */
+grpc_credentials *grpc_refresh_token_credentials_create(
+ const char *json_refresh_token);
+
/* Creates a fake transport security credentials object for testing. */
grpc_credentials *grpc_fake_transport_security_credentials_create(void);
diff --git a/src/core/security/credentials.c b/src/core/security/credentials.c
index 3ad1e7edd7617b7274ac19041ac694b64e704547..698e0991349822ee50d9b261054472e66ffe9ed9 100644
--- a/src/core/security/credentials.c
+++ b/src/core/security/credentials.c
@@ -46,20 +46,6 @@
#include <grpc/support/sync.h>
#include <grpc/support/time.h>
-/* -- Constants. -- */
-
-#define GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS 60
-
-#define GRPC_COMPUTE_ENGINE_METADATA_HOST "metadata"
-#define GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH \
- "/computeMetadata/v1/instance/service-accounts/default/token"
-
-#define GRPC_SERVICE_ACCOUNT_HOST "www.googleapis.com"
-#define GRPC_SERVICE_ACCOUNT_TOKEN_PATH "/oauth2/v3/token"
-#define GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX \
- "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&" \
- "assertion="
-
/* -- Common. -- */
typedef struct {
@@ -671,8 +657,8 @@ static void service_account_fetch_oauth2(
}
gpr_asprintf(&body, "%s%s", GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX, jwt);
memset(&request, 0, sizeof(grpc_httpcli_request));
- request.host = GRPC_SERVICE_ACCOUNT_HOST;
- request.path = GRPC_SERVICE_ACCOUNT_TOKEN_PATH;
+ request.host = GRPC_GOOGLE_OAUTH2_SERVICE_HOST;
+ request.path = GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH;
request.hdr_count = 1;
request.hdrs = &header;
request.use_ssl = 1;
@@ -703,6 +689,67 @@ grpc_credentials *grpc_service_account_credentials_create(
return &c->base.base;
}
+/* -- RefreshToken credentials. -- */
+
+typedef struct {
+ grpc_oauth2_token_fetcher_credentials base;
+ grpc_auth_refresh_token refresh_token;
+} grpc_refresh_token_credentials;
+
+static void refresh_token_destroy(grpc_credentials *creds) {
+ grpc_refresh_token_credentials *c =
+ (grpc_refresh_token_credentials *)creds;
+ grpc_auth_refresh_token_destruct(&c->refresh_token);
+ oauth2_token_fetcher_destroy(&c->base.base);
+}
+
+static grpc_credentials_vtable refresh_token_vtable = {
+ refresh_token_destroy, oauth2_token_fetcher_has_request_metadata,
+ oauth2_token_fetcher_has_request_metadata_only,
+ oauth2_token_fetcher_get_request_metadata};
+
+static void refresh_token_fetch_oauth2(
+ grpc_credentials_metadata_request *metadata_req,
+ grpc_httpcli_response_cb response_cb, gpr_timespec deadline) {
+ grpc_refresh_token_credentials *c =
+ (grpc_refresh_token_credentials *)metadata_req->creds;
+ grpc_httpcli_header header = {"Content-Type",
+ "application/x-www-form-urlencoded"};
+ grpc_httpcli_request request;
+ char *body = NULL;
+ gpr_asprintf(&body, GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING,
+ c->refresh_token.client_id, c->refresh_token.client_secret,
+ c->refresh_token.refresh_token);
+ memset(&request, 0, sizeof(grpc_httpcli_request));
+ request.host = GRPC_GOOGLE_OAUTH2_SERVICE_HOST;
+ request.path = GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH;
+ request.hdr_count = 1;
+ request.hdrs = &header;
+ request.use_ssl = 1;
+ grpc_httpcli_post(&request, body, strlen(body), deadline, response_cb,
+ metadata_req);
+ gpr_free(body);
+}
+
+grpc_credentials *grpc_refresh_token_credentials_create(
+ const char *json_refresh_token) {
+ grpc_refresh_token_credentials *c;
+ grpc_auth_refresh_token refresh_token =
+ grpc_auth_refresh_token_create_from_string(json_refresh_token);
+
+ if (!grpc_auth_refresh_token_is_valid(&refresh_token)) {
+ gpr_log(GPR_ERROR,
+ "Invalid input for refresh token credentials creation");
+ return NULL;
+ }
+ c = gpr_malloc(sizeof(grpc_refresh_token_credentials));
+ memset(c, 0, sizeof(grpc_refresh_token_credentials));
+ init_oauth2_token_fetcher(&c->base, refresh_token_fetch_oauth2);
+ c->base.base.vtable = &refresh_token_vtable;
+ c->refresh_token = refresh_token;
+ return &c->base.base;
+}
+
/* -- Fake Oauth2 credentials. -- */
typedef struct {
diff --git a/src/core/security/credentials.h b/src/core/security/credentials.h
index 454e66845d169e022751e671bf73e919caaedf99..0f70670ced4c15ff191cb0f4525831bfa1af5f9c 100644
--- a/src/core/security/credentials.h
+++ b/src/core/security/credentials.h
@@ -64,6 +64,22 @@ typedef enum {
#define GRPC_GOOGLE_WELL_KNOWN_CREDENTIALS_FILE \
"application_default_credentials.json"
+#define GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS 60
+
+#define GRPC_COMPUTE_ENGINE_METADATA_HOST "metadata"
+#define GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH \
+ "/computeMetadata/v1/instance/service-accounts/default/token"
+
+#define GRPC_GOOGLE_OAUTH2_SERVICE_HOST "www.googleapis.com"
+#define GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH "/oauth2/v3/token"
+
+#define GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX \
+ "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&" \
+ "assertion="
+
+#define GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING \
+ "client_id=%s&client_secret=%s&refresh_token=%s&grant_type=refresh_token"
+
/* --- grpc_credentials. --- */
/* It is the caller's responsibility to gpr_free the result if not NULL. */
diff --git a/src/core/security/google_default_credentials.c b/src/core/security/google_default_credentials.c
index bdc907e7b33ada137d4af315799ac63db8f669ac..ebea70dad26a107b66fa98a12c34dfb8a4048384 100644
--- a/src/core/security/google_default_credentials.c
+++ b/src/core/security/google_default_credentials.c
@@ -138,6 +138,23 @@ static grpc_credentials *create_jwt_creds_from_path(char *creds_path) {
return result;
}
+/* Takes ownership of creds_path if not NULL. */
+static grpc_credentials *create_refresh_token_creds_from_path(
+ char *creds_path) {
+ grpc_credentials *result = NULL;
+ gpr_slice creds_data;
+ int file_ok = 0;
+ if (creds_path == NULL) return NULL;
+ creds_data = gpr_load_file(creds_path, &file_ok);
+ gpr_free(creds_path);
+ if (file_ok) {
+ result = grpc_refresh_token_credentials_create(
+ (const char *)GPR_SLICE_START_PTR(creds_data));
+ gpr_slice_unref(creds_data);
+ }
+ return result;
+}
+
grpc_credentials *grpc_google_default_credentials_create(void) {
grpc_credentials *result = NULL;
int serving_cached_credentials = 0;
@@ -157,7 +174,7 @@ grpc_credentials *grpc_google_default_credentials_create(void) {
if (result != NULL) goto end;
/* Then the well-known file. */
- result = create_jwt_creds_from_path(
+ result = create_refresh_token_creds_from_path(
grpc_get_well_known_google_credentials_file_path());
if (result != NULL) goto end;
diff --git a/src/core/security/json_token.c b/src/core/security/json_token.c
index 40b612b2065e11213f82a33834407a6a452376b9..eadae336099ae6f48f33fa636823adcf9d906ab3 100644
--- a/src/core/security/json_token.c
+++ b/src/core/security/json_token.c
@@ -52,8 +52,9 @@
/* 1 hour max. */
const gpr_timespec grpc_max_auth_token_lifetime = {3600, 0};
-#define GRPC_AUTH_JSON_KEY_TYPE_INVALID "invalid"
-#define GRPC_AUTH_JSON_KEY_TYPE_SERVICE_ACCOUNT "service_account"
+#define GRPC_AUTH_JSON_TYPE_INVALID "invalid"
+#define GRPC_AUTH_JSON_TYPE_SERVICE_ACCOUNT "service_account"
+#define GRPC_AUTH_JSON_TYPE_AUTHORIZED_USER "authorized_user"
#define GRPC_JWT_RSA_SHA256_ALGORITHM "RS256"
#define GRPC_JWT_TYPE "JWT"
@@ -87,7 +88,7 @@ static int set_json_key_string_property(grpc_json *json, const char *prop_name,
int grpc_auth_json_key_is_valid(const grpc_auth_json_key *json_key) {
return (json_key != NULL) &&
- strcmp(json_key->type, GRPC_AUTH_JSON_KEY_TYPE_INVALID);
+ strcmp(json_key->type, GRPC_AUTH_JSON_TYPE_INVALID);
}
grpc_auth_json_key grpc_auth_json_key_create_from_string(
@@ -100,7 +101,7 @@ grpc_auth_json_key grpc_auth_json_key_create_from_string(
int success = 0;
memset(&result, 0, sizeof(grpc_auth_json_key));
- result.type = GRPC_AUTH_JSON_KEY_TYPE_INVALID;
+ result.type = GRPC_AUTH_JSON_TYPE_INVALID;
if (json == NULL) {
gpr_log(GPR_ERROR, "Invalid json string %s", json_string);
goto end;
@@ -108,10 +109,10 @@ grpc_auth_json_key grpc_auth_json_key_create_from_string(
prop_value = json_get_string_property(json, "type");
if (prop_value == NULL ||
- strcmp(prop_value, GRPC_AUTH_JSON_KEY_TYPE_SERVICE_ACCOUNT)) {
+ strcmp(prop_value, GRPC_AUTH_JSON_TYPE_SERVICE_ACCOUNT)) {
goto end;
}
- result.type = GRPC_AUTH_JSON_KEY_TYPE_SERVICE_ACCOUNT;
+ result.type = GRPC_AUTH_JSON_TYPE_SERVICE_ACCOUNT;
if (!set_json_key_string_property(json, "private_key_id",
&result.private_key_id) ||
@@ -148,7 +149,7 @@ end:
void grpc_auth_json_key_destruct(grpc_auth_json_key *json_key) {
if (json_key == NULL) return;
- json_key->type = GRPC_AUTH_JSON_KEY_TYPE_INVALID;
+ json_key->type = GRPC_AUTH_JSON_TYPE_INVALID;
if (json_key->client_id != NULL) {
gpr_free(json_key->client_id);
json_key->client_id = NULL;
@@ -331,3 +332,67 @@ void grpc_jwt_encode_and_sign_set_override(
grpc_jwt_encode_and_sign_override func) {
g_jwt_encode_and_sign_override = func;
}
+
+/* --- grpc_auth_refresh_token --- */
+
+int grpc_auth_refresh_token_is_valid(
+ const grpc_auth_refresh_token *refresh_token) {
+ return (refresh_token != NULL) &&
+ strcmp(refresh_token->type, GRPC_AUTH_JSON_TYPE_INVALID);
+}
+
+grpc_auth_refresh_token grpc_auth_refresh_token_create_from_string(
+ const char *json_string) {
+ grpc_auth_refresh_token result;
+ char *scratchpad = gpr_strdup(json_string);
+ grpc_json *json = grpc_json_parse_string(scratchpad);
+ const char *prop_value;
+ int success = 0;
+
+ memset(&result, 0, sizeof(grpc_auth_refresh_token));
+ result.type = GRPC_AUTH_JSON_TYPE_INVALID;
+ if (json == NULL) {
+ gpr_log(GPR_ERROR, "Invalid json string %s", json_string);
+ goto end;
+ }
+
+ prop_value = json_get_string_property(json, "type");
+ if (prop_value == NULL ||
+ strcmp(prop_value, GRPC_AUTH_JSON_TYPE_AUTHORIZED_USER)) {
+ goto end;
+ }
+ result.type = GRPC_AUTH_JSON_TYPE_AUTHORIZED_USER;
+
+ if (!set_json_key_string_property(json, "client_secret",
+ &result.client_secret) ||
+ !set_json_key_string_property(json, "client_id", &result.client_id) ||
+ !set_json_key_string_property(json, "refresh_token",
+ &result.refresh_token)) {
+ goto end;
+ }
+ success = 1;
+
+end:
+ if (json != NULL) grpc_json_destroy(json);
+ if (!success) grpc_auth_refresh_token_destruct(&result);
+ gpr_free(scratchpad);
+ return result;
+}
+
+void grpc_auth_refresh_token_destruct(grpc_auth_refresh_token *refresh_token) {
+ if (refresh_token == NULL) return;
+ refresh_token->type = GRPC_AUTH_JSON_TYPE_INVALID;
+ if (refresh_token->client_id != NULL) {
+ gpr_free(refresh_token->client_id);
+ refresh_token->client_id = NULL;
+ }
+ if (refresh_token->client_secret != NULL) {
+ gpr_free(refresh_token->client_secret);
+ refresh_token->client_secret = NULL;
+ }
+ if (refresh_token->refresh_token != NULL) {
+ gpr_free(refresh_token->refresh_token);
+ refresh_token->refresh_token = NULL;
+ }
+}
+
diff --git a/src/core/security/json_token.h b/src/core/security/json_token.h
index 029ede3955846412a1d86abc6c38ab2efae92673..197796ab4cd2f6f3d1f5553e0798a08fb6035f24 100644
--- a/src/core/security/json_token.h
+++ b/src/core/security/json_token.h
@@ -44,7 +44,7 @@
/* --- auth_json_key parsing. --- */
typedef struct {
- char *type;
+ const char *type;
char *private_key_id;
char *client_id;
char *client_email;
@@ -79,4 +79,25 @@ typedef char *(*grpc_jwt_encode_and_sign_override)(
void grpc_jwt_encode_and_sign_set_override(
grpc_jwt_encode_and_sign_override func);
+/* --- auth_refresh_token parsing. --- */
+
+typedef struct {
+ const char *type;
+ char *client_id;
+ char *client_secret;
+ char *refresh_token;
+} grpc_auth_refresh_token;
+
+/* Returns 1 if the object is valid, 0 otherwise. */
+int grpc_auth_refresh_token_is_valid(
+ const grpc_auth_refresh_token *refresh_token);
+
+/* Creates a refresh token object from string. Returns an invalid object if a
+ parsing error has been encountered. */
+grpc_auth_refresh_token grpc_auth_refresh_token_create_from_string(
+ const char *json_string);
+
+/* Destructs the object. */
+void grpc_auth_refresh_token_destruct(grpc_auth_refresh_token *refresh_token);
+
#endif /* GRPC_INTERNAL_CORE_SECURITY_JSON_TOKEN_H */
diff --git a/test/core/security/credentials_test.c b/test/core/security/credentials_test.c
index 078462410ad6df115e3efc064e763561f7c3f818..d1d1ec15623fa58e99be6cefc110d78f4abd328f 100644
--- a/test/core/security/credentials_test.c
+++ b/test/core/security/credentials_test.c
@@ -84,6 +84,13 @@ static const char test_json_key_str_part3[] =
"\"777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent."
"com\", \"type\": \"service_account\" }";
+/* Test refresh token. */
+static const char test_refresh_token_str[] =
+ "{ \"client_id\": \"32555999999.apps.googleusercontent.com\","
+ " \"client_secret\": \"EmssLNjJy1332hD4KFsecret\","
+ " \"refresh_token\": \"1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42\","
+ " \"type\": \"authorized_user\"}";
+
static const char valid_oauth2_json_response[] =
"{\"access_token\":\"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_\","
" \"expires_in\":3599, "
@@ -97,10 +104,6 @@ static const char test_signed_jwt[] =
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImY0OTRkN2M1YWU2MGRmOTcyNmM4YW"
"U0MDcyZTViYTdmZDkwODg2YzcifQ";
-static const char expected_service_account_http_body_prefix[] =
- "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&"
- "assertion=";
-
static const char test_service_url[] = "https://foo.com/foo.v1";
static const char other_test_service_url[] = "https://bar.com/bar.v1";
@@ -463,6 +466,87 @@ static void test_compute_engine_creds_failure(void) {
grpc_httpcli_set_override(NULL, NULL);
}
+static void validate_refresh_token_http_request(
+ const grpc_httpcli_request *request, const char *body, size_t body_size) {
+ /* The content of the assertion is tested extensively in json_token_test. */
+ char *expected_body = NULL;
+ GPR_ASSERT(body != NULL);
+ GPR_ASSERT(body_size != 0);
+ gpr_asprintf(&expected_body, GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING,
+ "32555999999.apps.googleusercontent.com",
+ "EmssLNjJy1332hD4KFsecret",
+ "1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42");
+ GPR_ASSERT(strlen(expected_body) == body_size);
+ GPR_ASSERT(memcmp(expected_body, body, body_size) == 0);
+ gpr_free(expected_body);
+ GPR_ASSERT(request->use_ssl);
+ GPR_ASSERT(strcmp(request->host, GRPC_GOOGLE_OAUTH2_SERVICE_HOST) == 0);
+ GPR_ASSERT(strcmp(request->path, GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH) == 0);
+ GPR_ASSERT(request->hdr_count == 1);
+ GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0);
+ GPR_ASSERT(strcmp(request->hdrs[0].value,
+ "application/x-www-form-urlencoded") == 0);
+}
+
+static int refresh_token_httpcli_post_success(
+ const grpc_httpcli_request *request, const char *body, size_t body_size,
+ gpr_timespec deadline, grpc_httpcli_response_cb on_response,
+ void *user_data) {
+ grpc_httpcli_response response =
+ http_response(200, valid_oauth2_json_response);
+ validate_refresh_token_http_request(request, body, body_size);
+ on_response(user_data, &response);
+ return 1;
+}
+
+static int refresh_token_httpcli_post_failure(
+ const grpc_httpcli_request *request, const char *body, size_t body_size,
+ gpr_timespec deadline, grpc_httpcli_response_cb on_response,
+ void *user_data) {
+ grpc_httpcli_response response = http_response(403, "Not Authorized.");
+ validate_refresh_token_http_request(request, body, body_size);
+ on_response(user_data, &response);
+ return 1;
+}
+
+static void test_refresh_token_creds_success(void) {
+ grpc_credentials *refresh_token_creds =
+ grpc_refresh_token_credentials_create(test_refresh_token_str);
+ GPR_ASSERT(grpc_credentials_has_request_metadata(refresh_token_creds));
+ GPR_ASSERT(grpc_credentials_has_request_metadata_only(refresh_token_creds));
+
+ /* First request: http get should be called. */
+ grpc_httpcli_set_override(httpcli_get_should_not_be_called,
+ refresh_token_httpcli_post_success);
+ grpc_credentials_get_request_metadata(refresh_token_creds, test_service_url,
+ on_oauth2_creds_get_metadata_success,
+ (void *)test_user_data);
+
+ /* Second request: the cached token should be served directly. */
+ grpc_httpcli_set_override(httpcli_get_should_not_be_called,
+ httpcli_post_should_not_be_called);
+ grpc_credentials_get_request_metadata(refresh_token_creds, test_service_url,
+ on_oauth2_creds_get_metadata_success,
+ (void *)test_user_data);
+
+ grpc_credentials_unref(refresh_token_creds);
+ grpc_httpcli_set_override(NULL, NULL);
+}
+
+static void test_refresh_token_creds_failure(void) {
+ grpc_credentials *refresh_token_creds =
+ grpc_refresh_token_credentials_create(test_refresh_token_str);
+ grpc_httpcli_set_override(httpcli_get_should_not_be_called,
+ refresh_token_httpcli_post_failure);
+ GPR_ASSERT(grpc_credentials_has_request_metadata(refresh_token_creds));
+ GPR_ASSERT(grpc_credentials_has_request_metadata_only(refresh_token_creds));
+ grpc_credentials_get_request_metadata(refresh_token_creds, test_service_url,
+ on_oauth2_creds_get_metadata_failure,
+ (void *)test_user_data);
+ grpc_credentials_unref(refresh_token_creds);
+ grpc_httpcli_set_override(NULL, NULL);
+}
+
static void validate_jwt_encode_and_sign_params(
const grpc_auth_json_key *json_key, const char *scope,
gpr_timespec token_lifetime) {
@@ -515,13 +599,13 @@ static void validate_service_account_http_request(
GPR_ASSERT(body != NULL);
GPR_ASSERT(body_size != 0);
gpr_asprintf(&expected_body, "%s%s",
- expected_service_account_http_body_prefix, test_signed_jwt);
+ GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX, test_signed_jwt);
GPR_ASSERT(strlen(expected_body) == body_size);
- GPR_ASSERT(!memcmp(expected_body, body, body_size));
+ GPR_ASSERT(memcmp(expected_body, body, body_size) == 0);
gpr_free(expected_body);
GPR_ASSERT(request->use_ssl);
- GPR_ASSERT(strcmp(request->host, "www.googleapis.com") == 0);
- GPR_ASSERT(strcmp(request->path, "/oauth2/v3/token") == 0);
+ GPR_ASSERT(strcmp(request->host, GRPC_GOOGLE_OAUTH2_SERVICE_HOST) == 0);
+ GPR_ASSERT(strcmp(request->path, GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH) == 0);
GPR_ASSERT(request->hdr_count == 1);
GPR_ASSERT(strcmp(request->hdrs[0].key, "Content-Type") == 0);
GPR_ASSERT(strcmp(request->hdrs[0].value,
@@ -711,6 +795,8 @@ int main(int argc, char **argv) {
test_ssl_oauth2_iam_composite_creds();
test_compute_engine_creds_success();
test_compute_engine_creds_failure();
+ test_refresh_token_creds_success();
+ test_refresh_token_creds_failure();
test_service_account_creds_success();
test_service_account_creds_http_failure();
test_service_account_creds_signing_failure();
diff --git a/test/core/security/fetch_oauth2.c b/test/core/security/fetch_oauth2.c
index 748a5982fdeb41343874c06b523c54e96147df37..cc847c82f71c4e5dd5c55d62e5753a3d5792d98d 100644
--- a/test/core/security/fetch_oauth2.c
+++ b/test/core/security/fetch_oauth2.c
@@ -34,7 +34,6 @@
#include <stdio.h>
#include <string.h>
-#include "src/core/security/credentials.h"
#include <grpc/grpc.h>
#include <grpc/grpc_security.h>
#include <grpc/support/alloc.h>
@@ -43,6 +42,9 @@
#include <grpc/support/slice.h>
#include <grpc/support/sync.h>
+#include "src/core/security/credentials.h"
+#include "src/core/support/file.h"
+
typedef struct {
gpr_cv cv;
gpr_mu mu;
@@ -74,50 +76,50 @@ static void on_oauth2_response(void *user_data, grpc_mdelem **md_elems,
static grpc_credentials *create_service_account_creds(
const char *json_key_file_path, const char *scope) {
- char json_key[8192]; /* Should be plenty. */
- char *current = json_key;
- FILE *json_key_file = fopen(json_key_file_path, "r");
- if (json_key_file == NULL) {
- gpr_log(GPR_ERROR, "Invalid path for json key file: %s.",
- json_key_file_path);
+ int success;
+ gpr_slice json_key = gpr_load_file(json_key_file_path, &success);
+ if (!success) {
+ gpr_log(GPR_ERROR, "Could not read file %s.", json_key_file_path);
exit(1);
}
+ return grpc_service_account_credentials_create(
+ (const char *)GPR_SLICE_START_PTR(json_key), scope,
+ grpc_max_auth_token_lifetime);
+}
- do {
- size_t bytes_read = fread(
- current, 1, sizeof(json_key) - (current - json_key), json_key_file);
- if (bytes_read == 0) {
- if (!feof(json_key_file)) {
- gpr_log(GPR_ERROR, "Error occured while reading %s.",
- json_key_file_path);
- exit(1);
- }
- break;
- }
- current += bytes_read;
- } while (sizeof(json_key) > (size_t)(current - json_key));
-
- if ((current - json_key) == sizeof(json_key)) {
- gpr_log(GPR_ERROR, "Json key file %s exceeds size limit (%d bytes).",
- json_key_file_path, (int)sizeof(json_key));
+static grpc_credentials *create_refresh_token_creds(
+ const char *json_refresh_token_file_path) {
+ int success;
+ gpr_slice refresh_token =
+ gpr_load_file(json_refresh_token_file_path, &success);
+ if (!success) {
+ gpr_log(GPR_ERROR, "Could not read file %s.", json_refresh_token_file_path);
exit(1);
}
- fclose(json_key_file);
-
- return grpc_service_account_credentials_create(json_key, scope,
- grpc_max_auth_token_lifetime);
+ return grpc_refresh_token_credentials_create(
+ (const char *)GPR_SLICE_START_PTR(refresh_token));
}
int main(int argc, char **argv) {
synchronizer sync;
grpc_credentials *creds = NULL;
char *json_key_file_path = NULL;
+ char *json_refresh_token_file_path = NULL;
int use_gce = 0;
char *scope = NULL;
gpr_cmdline *cl = gpr_cmdline_create("fetch_oauth2");
- gpr_cmdline_add_string(cl, "json_key", "File path of the json key.",
+ gpr_cmdline_add_string(cl, "json_key",
+ "File path of the json key. Mutually exclusive with "
+ "--json_refresh_token.",
&json_key_file_path);
- gpr_cmdline_add_string(cl, "scope", "Space delimited permissions.", &scope);
+ gpr_cmdline_add_string(cl, "json_refresh_token",
+ "File path of the json refresh token. Mutually "
+ "exclusive with --json_key.",
+ &json_refresh_token_file_path);
+ gpr_cmdline_add_string(cl, "scope",
+ "Space delimited permissions. Only used for "
+ "--json_key, ignored otherwise.",
+ &scope);
gpr_cmdline_add_flag(
cl, "gce",
"Get a token from the GCE metadata server (only works in GCE).",
@@ -126,6 +128,12 @@ int main(int argc, char **argv) {
grpc_init();
+ if (json_key_file_path != NULL && json_refresh_token_file_path != NULL) {
+ gpr_log(GPR_ERROR,
+ "--json_key and --json_refresh_token are mutually exclusive.");
+ exit(1);
+ }
+
if (use_gce) {
if (json_key_file_path != NULL || scope != NULL) {
gpr_log(GPR_INFO,
@@ -137,6 +145,15 @@ int main(int argc, char **argv) {
gpr_log(GPR_ERROR, "Could not create gce credentials.");
exit(1);
}
+ } else if (json_refresh_token_file_path != NULL) {
+ creds = create_refresh_token_creds(json_refresh_token_file_path);
+ if (creds == NULL) {
+ gpr_log(GPR_ERROR,
+ "Could not create refresh token creds. %s does probably not "
+ "contain a valid json refresh token.",
+ json_refresh_token_file_path);
+ exit(1);
+ }
} else {
if (json_key_file_path == NULL) {
gpr_log(GPR_ERROR, "Missing --json_key option.");
diff --git a/test/core/security/json_token_test.c b/test/core/security/json_token_test.c
index ca5b8891023e7e216e5aea9d5eccbd5ccdb68dda..b43e0425ee2af3e5164243ece5b915f09cd44965 100644
--- a/test/core/security/json_token_test.c
+++ b/test/core/security/json_token_test.c
@@ -78,6 +78,13 @@ static const char test_json_key_str_part3[] =
"\"777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent."
"com\", \"type\": \"service_account\" }";
+/* Test refresh token. */
+static const char test_refresh_token_str[] =
+ "{ \"client_id\": \"32555999999.apps.googleusercontent.com\","
+ " \"client_secret\": \"EmssLNjJy1332hD4KFsecret\","
+ " \"refresh_token\": \"1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42\","
+ " \"type\": \"authorized_user\"}";
+
static const char test_scope[] = "myperm1 myperm2";
static const char test_service_url[] = "https://foo.com/foo.v1";
@@ -419,6 +426,64 @@ static void test_jwt_creds_jwt_encode_and_sign(void) {
jwt_creds_check_jwt_claim);
}
+static void test_parse_refresh_token_success(void) {
+ grpc_auth_refresh_token refresh_token =
+ grpc_auth_refresh_token_create_from_string(test_refresh_token_str);
+ GPR_ASSERT(grpc_auth_refresh_token_is_valid(&refresh_token));
+ GPR_ASSERT(refresh_token.type != NULL &&
+ (strcmp(refresh_token.type, "authorized_user") == 0));
+ GPR_ASSERT(refresh_token.client_id != NULL &&
+ (strcmp(refresh_token.client_id,
+ "32555999999.apps.googleusercontent.com") == 0));
+ GPR_ASSERT(
+ refresh_token.client_secret != NULL &&
+ (strcmp(refresh_token.client_secret, "EmssLNjJy1332hD4KFsecret") == 0));
+ GPR_ASSERT(refresh_token.refresh_token != NULL &&
+ (strcmp(refresh_token.refresh_token,
+ "1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42") == 0));
+ grpc_auth_refresh_token_destruct(&refresh_token);
+}
+
+static void test_parse_refresh_token_failure_no_type(void) {
+ const char refresh_token_str[] =
+ "{ \"client_id\": \"32555999999.apps.googleusercontent.com\","
+ " \"client_secret\": \"EmssLNjJy1332hD4KFsecret\","
+ " \"refresh_token\": \"1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42\"}";
+ grpc_auth_refresh_token refresh_token =
+ grpc_auth_refresh_token_create_from_string(refresh_token_str);
+ GPR_ASSERT(!grpc_auth_refresh_token_is_valid(&refresh_token));
+}
+
+static void test_parse_refresh_token_failure_no_client_id(void) {
+ const char refresh_token_str[] =
+ "{ \"client_secret\": \"EmssLNjJy1332hD4KFsecret\","
+ " \"refresh_token\": \"1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42\","
+ " \"type\": \"authorized_user\"}";
+ grpc_auth_refresh_token refresh_token =
+ grpc_auth_refresh_token_create_from_string(refresh_token_str);
+ GPR_ASSERT(!grpc_auth_refresh_token_is_valid(&refresh_token));
+}
+
+static void test_parse_refresh_token_failure_no_client_secret(void) {
+ const char refresh_token_str[] =
+ "{ \"client_id\": \"32555999999.apps.googleusercontent.com\","
+ " \"refresh_token\": \"1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42\","
+ " \"type\": \"authorized_user\"}";
+ grpc_auth_refresh_token refresh_token =
+ grpc_auth_refresh_token_create_from_string(refresh_token_str);
+ GPR_ASSERT(!grpc_auth_refresh_token_is_valid(&refresh_token));
+}
+
+static void test_parse_refresh_token_failure_no_refresh_token(void) {
+ const char refresh_token_str[] =
+ "{ \"client_id\": \"32555999999.apps.googleusercontent.com\","
+ " \"client_secret\": \"EmssLNjJy1332hD4KFsecret\","
+ " \"type\": \"authorized_user\"}";
+ grpc_auth_refresh_token refresh_token =
+ grpc_auth_refresh_token_create_from_string(refresh_token_str);
+ GPR_ASSERT(!grpc_auth_refresh_token_is_valid(&refresh_token));
+}
+
int main(int argc, char **argv) {
grpc_test_init(argc, argv);
test_parse_json_key_success();
@@ -430,5 +495,10 @@ int main(int argc, char **argv) {
test_parse_json_key_failure_no_private_key();
test_service_account_creds_jwt_encode_and_sign();
test_jwt_creds_jwt_encode_and_sign();
+ test_parse_refresh_token_success();
+ test_parse_refresh_token_failure_no_type();
+ test_parse_refresh_token_failure_no_client_id();
+ test_parse_refresh_token_failure_no_client_secret();
+ test_parse_refresh_token_failure_no_refresh_token();
return 0;
}