public ClientCredentialKey(ITokenAccess tokenAccess, ServiceEndpoint serviceEndpoint,
IDictionary additionalOptions) : this()
{
Credential = tokenAccess;
AdditionalOptions = additionalOptions;
Endpoint = serviceEndpoint ?? SpannerClient.DefaultEndpoint;
}
public static async Task RunOAuth2AuthTokenAsync(TestService.TestServiceClient client, string oauthScope)
{
#if !NETCOREAPP1_0
Console.WriteLine("running oauth2_auth_token");
ITokenAccess credential = (await GoogleCredential.GetApplicationDefaultAsync()).CreateScoped(new[] { oauthScope });
string oauth2Token = await credential.GetAccessTokenForRequestAsync();
var credentials = GoogleGrpcCredentials.FromAccessToken(oauth2Token);
var request = new SimpleRequest
{
FillUsername = true,
FillOauthScope = true
};
var response = client.UnaryCall(request, new CallOptions(credentials: credentials));
Assert.False(string.IsNullOrEmpty(response.OauthScope));
Assert.True(oauthScope.Contains(response.OauthScope));
Assert.AreEqual(GetEmailFromServiceAccountFile(), response.Username);
Console.WriteLine("Passed!");
#else
// TODO(jtattermusch): implement this
throw new NotImplementedException("Not supported on CoreCLR yet");
#endif
}
/// <summary>
/// Creates an <see cref="AsyncAuthInterceptor"/> that will obtain access token from any credential type that implements
/// <c>ITokenAccess</c>. (e.g. <c>GoogleCredential</c>).
/// </summary>
/// <param name="credential">The credential to use to obtain access tokens.</param>
/// <returns>The interceptor.</returns>
public static AsyncAuthInterceptor FromCredential(ITokenAccess credential)
{
return new AsyncAuthInterceptor(async (context, metadata) =>
{
var accessToken = await credential.GetAccessTokenForRequestAsync(context.ServiceUrl, CancellationToken.None).ConfigureAwait(false);
metadata.Add(CreateBearerTokenHeader(accessToken));
});
}
public async Task <string> GetAccessTokenForRequestAsync()
{
ITokenAccess c = _googleCredential as ITokenAccess;
_accessToken = await c.GetAccessTokenForRequestAsync();
return(_accessToken);
}
/// <summary>
/// Creates an <see cref="AsyncAuthInterceptor"/> that will obtain access token from any credential type that implements
/// <c>ITokenAccess</c>. (e.g. <c>GoogleCredential</c>).
/// </summary>
/// <param name="credential">The credential to use to obtain access tokens.</param>
/// <returns>The interceptor.</returns>
public static AsyncAuthInterceptor FromCredential(ITokenAccess credential)
{
return(new AsyncAuthInterceptor(async(authUri, metadata) =>
{
var accessToken = await credential.GetAccessTokenForRequestAsync(authUri, CancellationToken.None).ConfigureAwait(false);
metadata.Add(CreateBearerTokenHeader(accessToken));
}));
}
/// <summary>
/// Creates interceptor that will obtain access token from any credential type that implements
/// <c>ITokenAccess</c>. (e.g. <c>GoogleCredential</c>).
/// </summary>
/// <param name="credential">The credential to use to obtain access tokens.</param>
/// <returns>The header interceptor.</returns>
public static HeaderInterceptor FromCredential(ITokenAccess credential)
{
return new HeaderInterceptor((method, authUri, metadata) =>
{
// TODO(jtattermusch): Rethink synchronous wait to obtain the result.
var accessToken = credential.GetAccessTokenForRequestAsync(authUri, CancellationToken.None)
.ConfigureAwait(false).GetAwaiter().GetResult();
metadata.Add(CreateBearerTokenHeader(accessToken));
});
}
/// <summary>
/// Creates interceptor that will obtain access token from any credential type that implements
/// <c>ITokenAccess</c>. (e.g. <c>GoogleCredential</c>).
/// </summary>
/// <param name="credential">The credential to use to obtain access tokens.</param>
/// <returns>The header interceptor.</returns>
public static HeaderInterceptor FromCredential(ITokenAccess credential)
{
return(new HeaderInterceptor((method, authUri, metadata) =>
{
// TODO(jtattermusch): Rethink synchronous wait to obtain the result.
var accessToken = credential.GetAccessTokenForRequestAsync(authUri, CancellationToken.None)
.ConfigureAwait(false).GetAwaiter().GetResult();
metadata.Add(CreateBearerTokenHeader(accessToken));
}));
}
public static async Task <SpannerClient> AcquireClientAsync(
ITokenAccess credentials = null,
ServiceEndpoint endpoint = null)
{
var key = new ClientPoolKey(credentials, endpoint ?? SpannerClient.DefaultEndpoint);
var poolEntry = s_clientEntryPool.GetOrAdd(key, k => new ClientPoolEntry(key));
var result = await poolEntry.AcquireClientFromEntryAsync().ConfigureAwait(false);
Logger.LogPerformanceCounter("SpannerClient.Count", () => s_clientEntryPool.Count);
return(result);
}
public async Task <SpannerClient> AcquireClientAsync(
ITokenAccess credentials = null,
ServiceEndpoint endpoint = null)
{
var key = new ClientCredentialKey(credentials, endpoint);
var poolEntry = _clientPoolByCredential.GetOrAdd(key, k => new CredentialClientPool(k));
var result = await poolEntry.AcquireClientAsync(_clientFactory).ConfigureAwait(false);
Logger.LogPerformanceCounter("SpannerClient.TotalCount", () => _clientPoolByCredential.Count);
return(result);
}
/// <inheritdoc />
/// <summary>
/// Initializes a new instance of the <see cref="PlatformApiChannel" /> class with a given SpatialOS Platform API
/// endpoint and credential.
/// </summary>
/// <exception cref="NoCredentialInSecureConnectionException">
/// Thrown when no credential is provided for a secure connection.
/// </exception>
/// <param name="apiEndpoint">The endpoint of the SpatialOS Platform API.</param>
/// <param name="credential">The credential to authenticate with the API server.</param>
public PlatformApiChannel(ITokenAccess credential, PlatformApiEndpoint apiEndpoint) :
base(
apiEndpoint.Host,
apiEndpoint.Port,
ConstructChannelCredentials(credential, apiEndpoint.Insecure),
new List <ChannelOption>
{
new ChannelOption(ChannelOptions.PrimaryUserAgentString, AgentInfo)
})
{
}
/// <summary>
/// Creates an <see cref="AsyncAuthInterceptor"/> that will obtain access token from any credential type that implements
/// <c>ITokenAccess</c>. (e.g. <c>GoogleCredential</c>).
/// </summary>
/// <param name="credential">The credential to use to obtain access tokens.</param>
/// <returns>The interceptor.</returns>
public static AsyncAuthInterceptor FromCredential(ITokenAccess credential)
{
if (credential is ITokenAccessWithHeaders credentialWithHeaders)
{
return(FromCredential(credentialWithHeaders));
}
return(new AsyncAuthInterceptor(async(context, metadata) =>
{
var accessToken = await credential.GetAccessTokenForRequestAsync(context.ServiceUrl, CancellationToken.None).ConfigureAwait(false);
metadata.Add(CreateBearerTokenHeader(accessToken));
}));
}
private static ChannelCredentials ConstructChannelCredentials(ITokenAccess credential, bool insecure)
{
if (insecure)
{
return(ChannelCredentials.Insecure);
}
if (credential == null)
{
throw new NoCredentialInSecureConnectionException();
}
return(ChannelCredentials.Create(new SslCredentials(),
CallCredentials.FromInterceptor(GoogleAuthInterceptors.FromCredential(credential))));
}
public static async Task RunPerRpcCredsAsync(TestService.TestServiceClient client, string oauthScope)
{
Console.WriteLine("running per_rpc_creds");
ITokenAccess googleCredential = await GoogleCredential.GetApplicationDefaultAsync();
var credentials = googleCredential.ToCallCredentials();
var request = new SimpleRequest
{
FillUsername = true,
};
var response = client.UnaryCall(request, new CallOptions(credentials: credentials));
Assert.AreEqual(GetEmailFromServiceAccountFile(), response.Username);
Console.WriteLine("Passed!");
}
public void ReleaseClient(SpannerClient spannerClient,
ITokenAccess credentials = null,
ServiceEndpoint endpoint = null)
{
if (spannerClient != null)
{
var key = new ClientCredentialKey(credentials, endpoint);
CredentialClientPool poolEntry;
if (_clientPoolByCredential.TryGetValue(key, out poolEntry))
{
poolEntry.ReleaseClient(spannerClient);
}
else
{
Logger.Error(() => "An attempt was made to release an unrecognized spanner client to the pool.");
}
}
}
public static async Task RunOAuth2AuthTokenAsync(TestService.TestServiceClient client)
{
Console.WriteLine("running oauth2_auth_token");
ITokenAccess credential = (await GoogleCredential.GetApplicationDefaultAsync()).CreateScoped(new[] { AuthScope });
string oauth2Token = await credential.GetAccessTokenForRequestAsync();
client.HeaderInterceptor = OAuth2Interceptors.FromAccessToken(oauth2Token);
var request = SimpleRequest.CreateBuilder()
.SetFillUsername(true)
.SetFillOauthScope(true)
.Build();
var response = client.UnaryCall(request);
Assert.AreEqual(AuthScopeResponse, response.OauthScope);
Assert.AreEqual(ServiceAccountUser, response.Username);
Console.WriteLine("Passed!");
}
public static async Task RunOAuth2AuthTokenAsync(TestService.TestServiceClient client, string oauthScope)
{
Console.WriteLine("running oauth2_auth_token");
ITokenAccess credential = (await GoogleCredential.GetApplicationDefaultAsync()).CreateScoped(new[] { oauthScope });
string oauth2Token = await credential.GetAccessTokenForRequestAsync();
var credentials = GoogleGrpcCredentials.FromAccessToken(oauth2Token);
var request = new SimpleRequest
{
FillUsername = true,
FillOauthScope = true
};
var response = client.UnaryCall(request, new CallOptions(credentials: credentials));
Assert.False(string.IsNullOrEmpty(response.OauthScope));
Assert.True(oauthScope.Contains(response.OauthScope));
Assert.AreEqual(GetEmailFromServiceAccountFile(), response.Username);
Console.WriteLine("Passed!");
}
public async Task <string> GetToken()
{
GoogleCredential credential;
using (var stream = new System.IO.FileStream("serviceAccountKey.json", System.IO.FileMode.Open, System.IO.FileAccess.Read))
{
credential = GoogleCredential.FromStream(stream).CreateScoped(
new string[] {
"https://www.googleapis.com/auth/firebase.database",
"https://www.googleapis.com/auth/firebase.messaging",
"https://www.googleapis.com/auth/identitytoolkit",
"https://www.googleapis.com/auth/userinfo.email"
}
);
}
ITokenAccess c = credential as ITokenAccess;
return(await c.GetAccessTokenForRequestAsync());
}
public static async Task RunPerRpcCredsAsync(TestService.TestServiceClient client, string oauthScope)
{
#if !NETCOREAPP1_0
Console.WriteLine("running per_rpc_creds");
ITokenAccess googleCredential = await GoogleCredential.GetApplicationDefaultAsync();
var credentials = googleCredential.ToCallCredentials();
var request = new SimpleRequest
{
FillUsername = true,
};
var response = client.UnaryCall(request, new CallOptions(credentials: credentials));
Assert.AreEqual(GetEmailFromServiceAccountFile(), response.Username);
Console.WriteLine("Passed!");
#else
// TODO(jtattermusch): implement this
throw new NotImplementedException("Not supported on CoreCLR yet");
#endif
}
public static async Task RunOAuth2AuthTokenAsync(IChannelWrapper channel, ClientOptions options)
{
var client = CreateClient <TestService.TestServiceClient>(channel);
var oauthScope = options.OAuthScope !;
ITokenAccess credential = (await GoogleCredential.GetApplicationDefaultAsync()).CreateScoped(new[] { oauthScope });
var oauth2Token = await credential.GetAccessTokenForRequestAsync();
var credentials = GoogleGrpcCredentials.FromAccessToken(oauth2Token);
var request = new SimpleRequest
{
FillUsername = true,
FillOauthScope = true
};
var response = await client.UnaryCallAsync(request, new CallOptions(credentials : credentials));
Assert.IsFalse(string.IsNullOrEmpty(response.OauthScope));
Assert.IsTrue(oauthScope.Contains(response.OauthScope));
Assert.AreEqual(GetEmailFromServiceAccountFile(), response.Username);
}
public static async Task RunPerRpcCredsAsync(TestService.TestServiceClient client)
{
Console.WriteLine("running per_rpc_creds");
ITokenAccess credential = (await GoogleCredential.GetApplicationDefaultAsync()).CreateScoped(new[] { AuthScope });
string oauth2Token = await credential.GetAccessTokenForRequestAsync();
var headerInterceptor = AuthInterceptors.FromAccessToken(oauth2Token);
var request = SimpleRequest.CreateBuilder()
.SetFillUsername(true)
.SetFillOauthScope(true)
.Build();
var headers = new Metadata();
headerInterceptor(null, "", headers);
var response = client.UnaryCall(request, headers: headers);
Assert.AreEqual(AuthScopeResponse, response.OauthScope);
Assert.AreEqual(ServiceAccountUser, response.Username);
Console.WriteLine("Passed!");
}
/// <summary>
/// Convenience method to create a <see cref="ChannelCredentials"/> instance from
/// <c>ITokenAccess</c> credential and <c>SslCredentials</c> instance.
/// </summary>
/// <param name="credential">The credential to use to obtain access tokens.</param>
/// <param name="sslCredentials">The <c>SslCredentials</c> instance.</param>
/// <returns>The channel credentials for access token based auth over a secure channel.</returns>
public static ChannelCredentials Create(ITokenAccess credential, SslCredentials sslCredentials)
{
return(ChannelCredentials.Create(sslCredentials, Create(credential)));
}
/// <summary>
/// Converts a <c>ITokenAccess</c> object into a <see cref="MetadataCredentials"/> object supported
/// by gRPC.
/// </summary>
/// <param name="credential"></param>
/// <returns></returns>
public static MetadataCredentials ToGrpcCredentials(this ITokenAccess credential)
{
return(GrpcCredentials.Create(credential));
}
public TokenService(ITokenAccess access)
{
_tokenAccess = access;
}
/// <summary>
/// Initialize a new instance of <see cref="OAuthTokenManager"/>
/// </summary>
/// <param name="credential">A <see cref="ITokenAccess"/></param>
public OAuthTokenManager(ITokenAccess credential)
{
_credential = credential ?? throw new ArgumentNullException(nameof(credential));
}
public OAuth2Interceptor(ITokenAccess credential, IClock clock)
{
this.credential = credential;
this.clock = clock;
}
/// <summary>
/// Convenience method to create a <see cref="ChannelCredentials"/> instance from
/// <c>ITokenAccess</c> credential and <c>SslCredentials</c> instance.
/// </summary>
/// <param name="credential">The credential to use to obtain access tokens.</param>
/// <param name="sslCredentials">The <c>SslCredentials</c> instance.</param>
/// <returns>The channel credentials for access token based auth over a secure channel.</returns>
public static ChannelCredentials Create(ITokenAccess credential, SslCredentials sslCredentials)
{
return ChannelCredentials.Create(sslCredentials, Create(credential));
}
/// <summary>
/// Creates a <see cref="MetadataCredentials"/> instance that will obtain access tokens
/// from any credential that implements <c>ITokenAccess</c>. (e.g. <c>GoogleCredential</c>).
/// </summary>
/// <param name="credential">The credential to use to obtain access tokens.</param>
/// <returns>The <c>MetadataCredentials</c> instance.</returns>
public static MetadataCredentials Create(ITokenAccess credential)
{
return new MetadataCredentials(AuthInterceptors.FromCredential(credential));
}
/// <inheritdoc />
public async Task <SpannerClient> CreateClientAsync(ServiceEndpoint endpoint, ITokenAccess credential, IDictionary additionalOptions)
{
ChannelCredentials channelCredentials;
var allowImmediateTimeout = false;
if (additionalOptions.Contains(nameof(SpannerSettings.AllowImmediateTimeouts)))
{
allowImmediateTimeout = Convert.ToBoolean(additionalOptions[nameof(SpannerSettings.AllowImmediateTimeouts)]);
}
if (credential == null)
{
channelCredentials = await CreateDefaultChannelCredentialsAsync().ConfigureAwait(false);
}
else
{
channelCredentials = credential.ToChannelCredentials();
}
var channel = new Channel(
endpoint.Host,
endpoint.Port,
channelCredentials);
Logger.LogPerformanceCounterFn("SpannerClient.RawCreateCount", x => x + 1);
//Pull the timeout from spanner options.
//The option must be set before OpenAsync is called.
var idempotentCallSettings = CallSettings.FromCallTiming(
CallTiming.FromRetry(
new RetrySettings(
SpannerSettings.GetDefaultRetryBackoff(),
SpannerSettings.GetDefaultTimeoutBackoff(),
SpannerSettings.ConvertTimeoutToExpiration(SpannerOptions.Instance.Timeout, allowImmediateTimeout),
SpannerSettings.IdempotentRetryFilter
)));
return(SpannerClient.Create(
channel, new SpannerSettings
{
CreateSessionSettings = idempotentCallSettings,
GetSessionSettings = idempotentCallSettings,
DeleteSessionSettings = idempotentCallSettings,
ExecuteSqlSettings = idempotentCallSettings,
ReadSettings = idempotentCallSettings,
BeginTransactionSettings = idempotentCallSettings,
CommitSettings = idempotentCallSettings,
RollbackSettings = idempotentCallSettings,
AllowImmediateTimeouts = allowImmediateTimeout
}));
}
public ClientPoolKey(ITokenAccess tokenAccess, ServiceEndpoint serviceEndpoint) : this()
{
Credential = tokenAccess;
Endpoint = serviceEndpoint;
}
/// <summary>
/// Creates a <see cref="MetadataCredentials"/> instance that will obtain access tokens
/// from any credential that implements <c>ITokenAccess</c>. (e.g. <c>GoogleCredential</c>).
/// </summary>
/// <param name="credential">The credential to use to obtain access tokens.</param>
/// <returns>The <c>MetadataCredentials</c> instance.</returns>
public static MetadataCredentials Create(ITokenAccess credential)
{
return(new MetadataCredentials(AuthInterceptors.FromCredential(credential)));
}
/// <summary>
/// Converts a <c>ITokenAccess</c> (e.g. <c>GoogleCredential</c>) object
/// into a gRPC <see cref="CallCredentials"/> object.
/// </summary>
/// <param name="credential">The credential to use to obtain access tokens.</param>
/// <returns>The <c>CallCredentials</c> instance.</returns>
public static CallCredentials ToCallCredentials(this ITokenAccess credential)
{
return(CallCredentials.FromInterceptor(GoogleAuthInterceptors.FromCredential(credential)));
}
public CredentialWrapper(ITokenAccess original) => _original = original;
/// <summary>
/// Converts a <c>ITokenAccess</c> (e.g. <c>GoogleCredential</c>) object
/// into a gRPC <see cref="ChannelCredentials"/> object.
/// Default SSL credentials are used.
/// </summary>
/// <param name="googleCredential">The credential to use to obtain access tokens.</param>
/// <returns>>The <c>ChannelCredentials</c> instance.</returns>
public static ChannelCredentials ToChannelCredentials(this ITokenAccess googleCredential)
{
return(ChannelCredentials.Create(new SslCredentials(), googleCredential.ToCallCredentials()));
}
public OAuth2Interceptor(ITokenAccess credential, IClock clock)
{
this.credential = credential;
this.clock = clock;
}
public ClientCredentialKey(ITokenAccess tokenAccess, ServiceEndpoint serviceEndpoint) : this()
{
Credential = tokenAccess;
Endpoint = serviceEndpoint ?? SpannerClient.DefaultEndpoint;
}
