Merge pull request grpc#14727 from yihuazhang/hook_alts_cpp

Add C++ wrapper APIs for ALTS credentials

BUILD

@@ -1708,6 +1708,7 @@ grpc_cc_library(
         "src/core/tsi/alts/handshaker/alts_handshaker_service_api_util.h",
         "src/core/tsi/alts/handshaker/transport_security_common_api.h",
     ],
+    public_hdrs = GRPC_SECURE_PUBLIC_HDRS, 
     external_deps = [
         "nanopb",
     ],

build.yaml

@@ -70,6 +70,8 @@ filegroups:
   - tsi_interface
   - tsi
 - name: alts_util
+  public_headers:
+  - include/grpc/grpc_security.h
   headers:
   - src/core/lib/security/credentials/alts/check_gcp_environment.h
   - src/core/lib/security/credentials/alts/grpc_alts_credentials_options.h

grpc.def

@@ -115,6 +115,12 @@ EXPORTS
     grpc_server_add_secure_http2_port
     grpc_call_set_credentials
     grpc_server_credentials_set_auth_metadata_processor
+    grpc_alts_credentials_client_options_create
+    grpc_alts_credentials_server_options_create
+    grpc_alts_credentials_client_options_add_target_service_account
+    grpc_alts_credentials_options_destroy
+    grpc_alts_credentials_create
+    grpc_alts_server_credentials_create
     grpc_raw_byte_buffer_create
     grpc_raw_compressed_byte_buffer_create
     grpc_byte_buffer_copy

include/grpc/grpc_security.h

@@ -488,6 +488,76 @@ typedef struct {
 GRPCAPI void grpc_server_credentials_set_auth_metadata_processor(
     grpc_server_credentials* creds, grpc_auth_metadata_processor processor);
 
+/** --- ALTS channel/server credentials --- **/
+
+/**
+ * Main interface for ALTS credentials options. The options will contain
+ * information that will be passed from grpc to TSI layer such as RPC protocol
+ * versions. ALTS client (channel) and server credentials will have their own
+ * implementation of this interface. The APIs listed in this header are
+ * thread-compatible. It is used for experimental purpose for now and subject
+ * to change.
+ */
+typedef struct grpc_alts_credentials_options grpc_alts_credentials_options;
+
+/**
+ * This method creates a grpc ALTS credentials client options instance.
+ * It is used for experimental purpose for now and subject to change.
+ */
+GRPCAPI grpc_alts_credentials_options*
+grpc_alts_credentials_client_options_create();
+
+/**
+ * This method creates a grpc ALTS credentials server options instance.
+ * It is used for experimental purpose for now and subject to change.
+ */
+GRPCAPI grpc_alts_credentials_options*
+grpc_alts_credentials_server_options_create();
+
+/**
+ * This method adds a target service account to grpc client's ALTS credentials
+ * options instance. It is used for experimental purpose for now and subject
+ * to change.
+ *
+ * - options: grpc ALTS credentials options instance.
+ * - service_account: service account of target endpoint.
+ */
+GRPCAPI void grpc_alts_credentials_client_options_add_target_service_account(
+    grpc_alts_credentials_options* options, const char* service_account);
+
+/**
+ * This method destroys a grpc_alts_credentials_options instance by
+ * de-allocating all of its occupied memory. It is used for experimental purpose
+ * for now and subject to change.
+ *
+ * - options: a grpc_alts_credentials_options instance that needs to be
+ *   destroyed.
+ */
+GRPCAPI void grpc_alts_credentials_options_destroy(
+    grpc_alts_credentials_options* options);
+
+/**
+ * This method creates an ALTS channel credential object. It is used for
+ * experimental purpose for now and subject to change.
+ *
+ * - options: grpc ALTS credentials options instance for client.
+ *
+ * It returns the created ALTS channel credential object.
+ */
+GRPCAPI grpc_channel_credentials* grpc_alts_credentials_create(
+    const grpc_alts_credentials_options* options);
+
+/**
+ * This method creates an ALTS server credential object. It is used for
+ * experimental purpose for now and subject to change.
+ *
+ * - options: grpc ALTS credentials options instance for server.
+ *
+ * It returns the created ALTS server credential object.
+ */
+GRPCAPI grpc_server_credentials* grpc_alts_server_credentials_create(
+    const grpc_alts_credentials_options* options);
+
 #ifdef __cplusplus
 }
 #endif

include/grpcpp/security/credentials.h

@@ -21,6 +21,7 @@
 
 #include <map>
 #include <memory>
+#include <vector>
 
 #include <grpcpp/impl/codegen/grpc_library.h>
 #include <grpcpp/security/auth_context.h>
@@ -219,6 +220,21 @@ class MetadataCredentialsPlugin {
 std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
     std::unique_ptr<MetadataCredentialsPlugin> plugin);
 
+namespace experimental {
+
+/// Options used to build AltsCredentials.
+struct AltsCredentialsOptions {
+  /// service accounts of target endpoint that will be acceptable
+  /// by the client. If service accounts are provided and none of them matches
+  /// that of the server, authentication will fail.
+  std::vector<grpc::string> target_service_accounts;
+};
+
+/// Builds ALTS Credentials given ALTS specific options
+std::shared_ptr<ChannelCredentials> AltsCredentials(
+    const AltsCredentialsOptions& options);
+
+}  // namespace experimental
 }  // namespace grpc
 
 #endif  // GRPCPP_SECURITY_CREDENTIALS_H

include/grpcpp/security/server_credentials.h

@@ -86,6 +86,18 @@ std::shared_ptr<ServerCredentials> SslServerCredentials(
 /// Builds insecure server credentials.
 std::shared_ptr<ServerCredentials> InsecureServerCredentials();
 
+namespace experimental {
+
+/// Options to create ServerCredentials with ALTS
+struct AltsServerCredentialsOptions {
+  /// Add fields if needed.
+};
+
+/// Builds ALTS ServerCredentials given ALTS specific options
+std::shared_ptr<ServerCredentials> AltsServerCredentials(
+    const AltsServerCredentialsOptions& options);
+
+}  // namespace experimental
 }  // namespace grpc
 
 #endif  // GRPCPP_SECURITY_SERVER_CREDENTIALS_H

src/core/lib/security/credentials/alts/alts_credentials.h

@@ -40,26 +40,6 @@ typedef struct grpc_alts_server_credentials {
   char* handshaker_service_url;
 } grpc_alts_server_credentials;
 
-/**
- * This method creates an ALTS channel credential object.
- *
- * - options: grpc ALTS credentials options instance for client.
- *
- * It returns the created ALTS channel credential object.
- */
-grpc_channel_credentials* grpc_alts_credentials_create(
-    const grpc_alts_credentials_options* options);
-
-/**
- * This method creates an ALTS server credential object.
- *
- * - options: grpc ALTS credentials options instance for server.
- *
- * It returns the created ALTS server credential object.
- */
-grpc_server_credentials* grpc_alts_server_credentials_create(
-    const grpc_alts_credentials_options* options);
-
 /**
  * This method creates an ALTS channel credential object with customized
  * information provided by caller.

src/core/lib/security/credentials/alts/grpc_alts_credentials_client_options.cc

@@ -44,20 +44,20 @@ static target_service_account* target_service_account_create(
   return sa;
 }
 
-bool grpc_alts_credentials_client_options_add_target_service_account(
-    grpc_alts_credentials_client_options* options,
-    const char* service_account) {
+void grpc_alts_credentials_client_options_add_target_service_account(
+    grpc_alts_credentials_options* options, const char* service_account) {
   if (options == nullptr || service_account == nullptr) {
     gpr_log(
         GPR_ERROR,
         "Invalid nullptr arguments to "
         "grpc_alts_credentials_client_options_add_target_service_account()");
-    return false;
+    return;
   }
+  auto client_options =
+      reinterpret_cast<grpc_alts_credentials_client_options*>(options);
   target_service_account* node = target_service_account_create(service_account);
-  node->next = options->target_account_list_head;
-  options->target_account_list_head = node;
-  return true;
+  node->next = client_options->target_account_list_head;
+  client_options->target_account_list_head = node;
 }
 
 static void target_service_account_destroy(

src/core/lib/security/credentials/alts/grpc_alts_credentials_options.h

@@ -21,19 +21,10 @@
 
 #include <grpc/support/port_platform.h>
 
-#include <stdbool.h>
+#include <grpc/grpc_security.h>
 
 #include "src/core/tsi/alts/handshaker/transport_security_common_api.h"
 
-/**
- * Main interface for ALTS credentials options. The options will contain
- * information that will be passed from grpc to TSI layer such as RPC protocol
- * versions. ALTS client (channel) and server credentials will have their own
- * implementation of this interface. The APIs listed in this header are
- * thread-compatible.
- */
-typedef struct grpc_alts_credentials_options grpc_alts_credentials_options;
-
 /* V-table for grpc_alts_credentials_options */
 typedef struct grpc_alts_credentials_options_vtable {
   grpc_alts_credentials_options* (*copy)(
@@ -80,33 +71,5 @@ typedef struct grpc_alts_credentials_server_options {
 grpc_alts_credentials_options* grpc_alts_credentials_options_copy(
     const grpc_alts_credentials_options* options);
 
-/**
- * This method destroys a grpc_alts_credentials_options instance by
- * de-allocating all of its occupied memory.
- *
- * - options: a grpc_alts_credentials_options instance that needs to be
- *   destroyed.
- */
-void grpc_alts_credentials_options_destroy(
-    grpc_alts_credentials_options* options);
-
-/* This method creates a grpc ALTS credentials client options instance. */
-grpc_alts_credentials_options* grpc_alts_credentials_client_options_create();
-
-/* This method creates a grpc ALTS credentials server options instance. */
-grpc_alts_credentials_options* grpc_alts_credentials_server_options_create();
-
-/**
- * This method adds a target service account to grpc ALTS credentials client
- * options instance.
- *
- * - options: grpc ALTS credentials client options instance.
- * - service_account: service account of target endpoint.
- *
- * It returns true on success and false on failure.
- */
-bool grpc_alts_credentials_client_options_add_target_service_account(
-    grpc_alts_credentials_client_options* options, const char* service_account);
-
 #endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_ALTS_GRPC_ALTS_CREDENTIALS_OPTIONS_H \
         */

src/cpp/client/secure_credentials.cc

@@ -87,6 +87,27 @@ std::shared_ptr<ChannelCredentials> SslCredentials(
   return WrapChannelCredentials(c_creds);
 }
 
+namespace experimental {
+
+// Builds ALTS Credentials given ALTS specific options
+std::shared_ptr<ChannelCredentials> AltsCredentials(
+    const AltsCredentialsOptions& options) {
+  GrpcLibraryCodegen init;  // To call grpc_init().
+  grpc_alts_credentials_options* c_options =
+      grpc_alts_credentials_client_options_create();
+  for (auto service_account = options.target_service_accounts.begin();
+       service_account != options.target_service_accounts.end();
+       service_account++) {
+    grpc_alts_credentials_client_options_add_target_service_account(
+        c_options, service_account->c_str());
+  }
+  grpc_channel_credentials* c_creds = grpc_alts_credentials_create(c_options);
+  grpc_alts_credentials_options_destroy(c_options);
+  return WrapChannelCredentials(c_creds);
+}
+
+}  // namespace experimental
+
 // Builds credentials for use when running in GCE
 std::shared_ptr<CallCredentials> GoogleComputeEngineCredentials() {
   GrpcLibraryCodegen init;  // To call grpc_init().

src/cpp/server/secure_server_credentials.cc

@@ -126,4 +126,18 @@ std::shared_ptr<ServerCredentials> SslServerCredentials(
       new SecureServerCredentials(c_creds));
 }
 
+namespace experimental {
+
+std::shared_ptr<ServerCredentials> AltsServerCredentials(
+    const AltsServerCredentialsOptions& options) {
+  grpc_alts_credentials_options* c_options =
+      grpc_alts_credentials_server_options_create();
+  grpc_server_credentials* c_creds =
+      grpc_alts_server_credentials_create(c_options);
+  grpc_alts_credentials_options_destroy(c_options);
+  return std::shared_ptr<ServerCredentials>(
+      new SecureServerCredentials(c_creds));
+}
+
+}  // namespace experimental
 }  // namespace grpc

src/ruby/ext/grpc/rb_grpc_imports.generated.c

@@ -138,6 +138,12 @@ grpc_ssl_server_credentials_create_with_options_type grpc_ssl_server_credentials
 grpc_server_add_secure_http2_port_type grpc_server_add_secure_http2_port_import;
 grpc_call_set_credentials_type grpc_call_set_credentials_import;
 grpc_server_credentials_set_auth_metadata_processor_type grpc_server_credentials_set_auth_metadata_processor_import;
+grpc_alts_credentials_client_options_create_type grpc_alts_credentials_client_options_create_import;
+grpc_alts_credentials_server_options_create_type grpc_alts_credentials_server_options_create_import;
+grpc_alts_credentials_client_options_add_target_service_account_type grpc_alts_credentials_client_options_add_target_service_account_import;
+grpc_alts_credentials_options_destroy_type grpc_alts_credentials_options_destroy_import;
+grpc_alts_credentials_create_type grpc_alts_credentials_create_import;
+grpc_alts_server_credentials_create_type grpc_alts_server_credentials_create_import;
 grpc_raw_byte_buffer_create_type grpc_raw_byte_buffer_create_import;
 grpc_raw_compressed_byte_buffer_create_type grpc_raw_compressed_byte_buffer_create_import;
 grpc_byte_buffer_copy_type grpc_byte_buffer_copy_import;
@@ -380,6 +386,12 @@ void grpc_rb_load_imports(HMODULE library) {
   grpc_server_add_secure_http2_port_import = (grpc_server_add_secure_http2_port_type) GetProcAddress(library, "grpc_server_add_secure_http2_port");
   grpc_call_set_credentials_import = (grpc_call_set_credentials_type) GetProcAddress(library, "grpc_call_set_credentials");
   grpc_server_credentials_set_auth_metadata_processor_import = (grpc_server_credentials_set_auth_metadata_processor_type) GetProcAddress(library, "grpc_server_credentials_set_auth_metadata_processor");
+  grpc_alts_credentials_client_options_create_import = (grpc_alts_credentials_client_options_create_type) GetProcAddress(library, "grpc_alts_credentials_client_options_create");
+  grpc_alts_credentials_server_options_create_import = (grpc_alts_credentials_server_options_create_type) GetProcAddress(library, "grpc_alts_credentials_server_options_create");
+  grpc_alts_credentials_client_options_add_target_service_account_import = (grpc_alts_credentials_client_options_add_target_service_account_type) GetProcAddress(library, "grpc_alts_credentials_client_options_add_target_service_account");
+  grpc_alts_credentials_options_destroy_import = (grpc_alts_credentials_options_destroy_type) GetProcAddress(library, "grpc_alts_credentials_options_destroy");
+  grpc_alts_credentials_create_import = (grpc_alts_credentials_create_type) GetProcAddress(library, "grpc_alts_credentials_create");
+  grpc_alts_server_credentials_create_import = (grpc_alts_server_credentials_create_type) GetProcAddress(library, "grpc_alts_server_credentials_create");
   grpc_raw_byte_buffer_create_import = (grpc_raw_byte_buffer_create_type) GetProcAddress(library, "grpc_raw_byte_buffer_create");
   grpc_raw_compressed_byte_buffer_create_import = (grpc_raw_compressed_byte_buffer_create_type) GetProcAddress(library, "grpc_raw_compressed_byte_buffer_create");
   grpc_byte_buffer_copy_import = (grpc_byte_buffer_copy_type) GetProcAddress(library, "grpc_byte_buffer_copy");

src/ruby/ext/grpc/rb_grpc_imports.generated.h

@@ -389,6 +389,24 @@ extern grpc_call_set_credentials_type grpc_call_set_credentials_import;
 typedef void(*grpc_server_credentials_set_auth_metadata_processor_type)(grpc_server_credentials* creds, grpc_auth_metadata_processor processor);
 extern grpc_server_credentials_set_auth_metadata_processor_type grpc_server_credentials_set_auth_metadata_processor_import;
 #define grpc_server_credentials_set_auth_metadata_processor grpc_server_credentials_set_auth_metadata_processor_import
+typedef grpc_alts_credentials_options*(*grpc_alts_credentials_client_options_create_type)();
+extern grpc_alts_credentials_client_options_create_type grpc_alts_credentials_client_options_create_import;
+#define grpc_alts_credentials_client_options_create grpc_alts_credentials_client_options_create_import
+typedef grpc_alts_credentials_options*(*grpc_alts_credentials_server_options_create_type)();
+extern grpc_alts_credentials_server_options_create_type grpc_alts_credentials_server_options_create_import;
+#define grpc_alts_credentials_server_options_create grpc_alts_credentials_server_options_create_import
+typedef void(*grpc_alts_credentials_client_options_add_target_service_account_type)(grpc_alts_credentials_options* options, const char* service_account);
+extern grpc_alts_credentials_client_options_add_target_service_account_type grpc_alts_credentials_client_options_add_target_service_account_import;
+#define grpc_alts_credentials_client_options_add_target_service_account grpc_alts_credentials_client_options_add_target_service_account_import
+typedef void(*grpc_alts_credentials_options_destroy_type)(grpc_alts_credentials_options* options);
+extern grpc_alts_credentials_options_destroy_type grpc_alts_credentials_options_destroy_import;
+#define grpc_alts_credentials_options_destroy grpc_alts_credentials_options_destroy_import
+typedef grpc_channel_credentials*(*grpc_alts_credentials_create_type)(const grpc_alts_credentials_options* options);
+extern grpc_alts_credentials_create_type grpc_alts_credentials_create_import;
+#define grpc_alts_credentials_create grpc_alts_credentials_create_import
+typedef grpc_server_credentials*(*grpc_alts_server_credentials_create_type)(const grpc_alts_credentials_options* options);
+extern grpc_alts_server_credentials_create_type grpc_alts_server_credentials_create_import;
+#define grpc_alts_server_credentials_create grpc_alts_server_credentials_create_import
 typedef grpc_byte_buffer*(*grpc_raw_byte_buffer_create_type)(grpc_slice* slices, size_t nslices);
 extern grpc_raw_byte_buffer_create_type grpc_raw_byte_buffer_create_import;
 #define grpc_raw_byte_buffer_create grpc_raw_byte_buffer_create_import