src/cpp/client/secure_credentials.cc - external/github.com/grpc/grpc - Git at Google

 //
 //
 // Copyright 2015 gRPC authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 //

 #include "src/cpp/client/secure_credentials.h"

 #include <string.h>

 #include <map>
 #include <memory>
 #include <utility>

 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
 #include "absl/strings/str_join.h"
 #include "absl/types/optional.h"

 #include <grpc/event_engine/event_engine.h>
 #include <grpc/grpc.h>
 #include <grpc/grpc_security_constants.h>
 #include <grpc/slice.h>
 #include <grpc/support/json.h>
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 #include <grpc/support/time.h>
 #include <grpcpp/channel.h>
 #include <grpcpp/impl/grpc_library.h>
 #include <grpcpp/security/tls_credentials_options.h>
 #include <grpcpp/support/channel_arguments.h>
 #include <grpcpp/support/config.h>
 #include <grpcpp/support/slice.h>
 #include <grpcpp/support/status.h>

 #include "src/core/lib/event_engine/default_event_engine.h"
 #include "src/core/lib/gprpp/env.h"
 #include "src/core/lib/gprpp/load_file.h"
 #include "src/core/lib/json/json.h"
 #include "src/core/lib/json/json_reader.h"
 #include "src/core/lib/security/util/json_util.h"
 #include "src/cpp/common/secure_auth_context.h"
 #include "src/cpp/server/thread_pool_interface.h"

 namespace grpc {

 namespace {
 class WrappedCallCredentials : public CallCredentials {
  public:
   explicit WrappedCallCredentials(grpc_call_credentials* creds)
       : CallCredentials(creds) {}
 };

 std::shared_ptr<WrappedCallCredentials> WrapCallCredentials(
     grpc_call_credentials* creds) {
   return creds == nullptr ? nullptr
                           : std::make_shared<WrappedCallCredentials>(creds);
 }

 class WrappedChannelCredentials final : public ChannelCredentials {
  public:
   explicit WrappedChannelCredentials(grpc_channel_credentials* c_creds)
       : ChannelCredentials(c_creds) {}
 };

 std::shared_ptr<WrappedChannelCredentials> WrapChannelCredentials(
     grpc_channel_credentials* creds) {
   return creds == nullptr ? nullptr
                           : std::make_shared<WrappedChannelCredentials>(creds);
 }

 }  // namespace

 std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials() {
   grpc::internal::GrpcLibrary init;  // To call grpc_init().
   return WrapChannelCredentials(
       grpc_google_default_credentials_create(nullptr));
 }

 std::shared_ptr<CallCredentials> ExternalAccountCredentials(
     const grpc::string& json_string, const std::vector<grpc::string>& scopes) {
   grpc::internal::GrpcLibrary init;  // To call grpc_init().
   return WrapCallCredentials(grpc_external_account_credentials_create(
       json_string.c_str(), absl::StrJoin(scopes, ",").c_str()));
 }

 // Builds SSL Credentials given SSL specific options
 std::shared_ptr<ChannelCredentials> SslCredentials(
     const SslCredentialsOptions& options) {
   grpc::internal::GrpcLibrary init;  // To call grpc_init().
   grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {
       options.pem_private_key.c_str(), options.pem_cert_chain.c_str()};
   return WrapChannelCredentials(grpc_ssl_credentials_create(
       options.pem_root_certs.empty() ? nullptr : options.pem_root_certs.c_str(),
       options.pem_private_key.empty() ? nullptr : &pem_key_cert_pair, nullptr,
       nullptr));
 }

 namespace experimental {

 namespace {

 void ClearStsCredentialsOptions(StsCredentialsOptions* options) {
   if (options == nullptr) return;
   options->token_exchange_service_uri.clear();
   options->resource.clear();
   options->audience.clear();
   options->scope.clear();
   options->requested_token_type.clear();
   options->subject_token_path.clear();
   options->subject_token_type.clear();
   options->actor_token_path.clear();
   options->actor_token_type.clear();
 }

 }  // namespace

 // Builds STS credentials options from JSON.
 grpc::Status StsCredentialsOptionsFromJson(const std::string& json_string,
                                            StsCredentialsOptions* options) {
   if (options == nullptr) {
     return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
                         "options cannot be nullptr.");
   }
   ClearStsCredentialsOptions(options);
   auto json = grpc_core::JsonParse(json_string.c_str());
   if (!json.ok() || json->type() != grpc_core::Json::Type::kObject) {
     return grpc::Status(
         grpc::StatusCode::INVALID_ARGUMENT,
         absl::StrCat("Invalid json: ", json.status().ToString()));
   }

   // Required fields.
   const char* value = grpc_json_get_string_property(
       *json, "token_exchange_service_uri", nullptr);
   if (value == nullptr) {
     ClearStsCredentialsOptions(options);
     return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
                         "token_exchange_service_uri must be specified.");
   }
   options->token_exchange_service_uri.assign(value);
   value = grpc_json_get_string_property(*json, "subject_token_path", nullptr);
   if (value == nullptr) {
     ClearStsCredentialsOptions(options);
     return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
                         "subject_token_path must be specified.");
   }
   options->subject_token_path.assign(value);
   value = grpc_json_get_string_property(*json, "subject_token_type", nullptr);
   if (value == nullptr) {
     ClearStsCredentialsOptions(options);
     return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
                         "subject_token_type must be specified.");
   }
   options->subject_token_type.assign(value);

   // Optional fields.
   value = grpc_json_get_string_property(*json, "resource", nullptr);
   if (value != nullptr) options->resource.assign(value);
   value = grpc_json_get_string_property(*json, "audience", nullptr);
   if (value != nullptr) options->audience.assign(value);
   value = grpc_json_get_string_property(*json, "scope", nullptr);
   if (value != nullptr) options->scope.assign(value);
   value = grpc_json_get_string_property(*json, "requested_token_type", nullptr);
   if (value != nullptr) options->requested_token_type.assign(value);
   value = grpc_json_get_string_property(*json, "actor_token_path", nullptr);
   if (value != nullptr) options->actor_token_path.assign(value);
   value = grpc_json_get_string_property(*json, "actor_token_type", nullptr);
   if (value != nullptr) options->actor_token_type.assign(value);

   return grpc::Status();
 }

 // Builds STS credentials Options from the $STS_CREDENTIALS env var.
 grpc::Status StsCredentialsOptionsFromEnv(StsCredentialsOptions* options) {
   if (options == nullptr) {
     return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
                         "options cannot be nullptr.");
   }
   ClearStsCredentialsOptions(options);
   auto sts_creds_path = grpc_core::GetEnv("STS_CREDENTIALS");
   if (!sts_creds_path.has_value()) {
     return grpc::Status(grpc::StatusCode::NOT_FOUND,
                         "STS_CREDENTIALS environment variable not set.");
   }
   auto json_slice =
       grpc_core::LoadFile(*sts_creds_path, /*add_null_terminator=*/true);
   if (!json_slice.ok()) {
     return grpc::Status(grpc::StatusCode::NOT_FOUND,
                         json_slice.status().ToString());
   }
   return StsCredentialsOptionsFromJson(json_slice->as_string_view().data(),
                                        options);
 }

 // C++ to Core STS Credentials options.
 grpc_sts_credentials_options StsCredentialsCppToCoreOptions(
     const StsCredentialsOptions& options) {
   grpc_sts_credentials_options opts;
   memset(&opts, 0, sizeof(opts));
   opts.token_exchange_service_uri = options.token_exchange_service_uri.c_str();
   opts.resource = options.resource.c_str();
   opts.audience = options.audience.c_str();
   opts.scope = options.scope.c_str();
   opts.requested_token_type = options.requested_token_type.c_str();
   opts.subject_token_path = options.subject_token_path.c_str();
   opts.subject_token_type = options.subject_token_type.c_str();
   opts.actor_token_path = options.actor_token_path.c_str();
   opts.actor_token_type = options.actor_token_type.c_str();
   return opts;
 }

 // Builds STS credentials.
 std::shared_ptr<CallCredentials> StsCredentials(
     const StsCredentialsOptions& options) {
   auto opts = StsCredentialsCppToCoreOptions(options);
   return WrapCallCredentials(grpc_sts_credentials_create(&opts, nullptr));
 }

 // Builds ALTS Credentials given ALTS specific options
 std::shared_ptr<ChannelCredentials> AltsCredentials(
     const AltsCredentialsOptions& options) {
   grpc::internal::GrpcLibrary init;  // To call grpc_init().
   grpc_alts_credentials_options* c_options =
       grpc_alts_credentials_client_options_create();
   for (const auto& service_account : options.target_service_accounts) {
     grpc_alts_credentials_client_options_add_target_service_account(
         c_options, service_account.c_str());
   }
   grpc_channel_credentials* c_creds = grpc_alts_credentials_create(c_options);
   grpc_alts_credentials_options_destroy(c_options);
   return WrapChannelCredentials(c_creds);
 }

 // Builds Local Credentials
 std::shared_ptr<ChannelCredentials> LocalCredentials(
     grpc_local_connect_type type) {
   grpc::internal::GrpcLibrary init;  // To call grpc_init().
   return WrapChannelCredentials(grpc_local_credentials_create(type));
 }

 // Builds TLS Credentials given TLS options.
 std::shared_ptr<ChannelCredentials> TlsCredentials(
     const TlsChannelCredentialsOptions& options) {
   return WrapChannelCredentials(
       grpc_tls_credentials_create(options.c_credentials_options()));
 }

 }  // namespace experimental

 // Builds credentials for use when running in GCE
 std::shared_ptr<CallCredentials> GoogleComputeEngineCredentials() {
   grpc::internal::GrpcLibrary init;  // To call grpc_init().
   return WrapCallCredentials(
       grpc_google_compute_engine_credentials_create(nullptr));
 }

 // Builds JWT credentials.
 std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials(
     const std::string& json_key, long token_lifetime_seconds) {
   grpc::internal::GrpcLibrary init;  // To call grpc_init().
   if (token_lifetime_seconds <= 0) {
     gpr_log(GPR_ERROR,
             "Trying to create JWTCredentials with non-positive lifetime");
     return WrapCallCredentials(nullptr);
   }
   gpr_timespec lifetime =
       gpr_time_from_seconds(token_lifetime_seconds, GPR_TIMESPAN);
   return WrapCallCredentials(grpc_service_account_jwt_access_credentials_create(
       json_key.c_str(), lifetime, nullptr));
 }

 // Builds refresh token credentials.
 std::shared_ptr<CallCredentials> GoogleRefreshTokenCredentials(
     const std::string& json_refresh_token) {
   grpc::internal::GrpcLibrary init;  // To call grpc_init().
   return WrapCallCredentials(grpc_google_refresh_token_credentials_create(
       json_refresh_token.c_str(), nullptr));
 }

 // Builds access token credentials.
 std::shared_ptr<CallCredentials> AccessTokenCredentials(
     const std::string& access_token) {
   grpc::internal::GrpcLibrary init;  // To call grpc_init().
   return WrapCallCredentials(
       grpc_access_token_credentials_create(access_token.c_str(), nullptr));
 }

 // Builds IAM credentials.
 std::shared_ptr<CallCredentials> GoogleIAMCredentials(
     const std::string& authorization_token,
     const std::string& authority_selector) {
   grpc::internal::GrpcLibrary init;  // To call grpc_init().
   return WrapCallCredentials(grpc_google_iam_credentials_create(
       authorization_token.c_str(), authority_selector.c_str(), nullptr));
 }

 // Combines one channel credentials and one call credentials into a channel
 // composite credentials.
 std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
     const std::shared_ptr<ChannelCredentials>& channel_creds,
     const std::shared_ptr<CallCredentials>& call_creds) {
   // Note that we are not saving shared_ptrs to the two credentials passed in
   // here. This is OK because the underlying C objects (i.e., channel_creds and
   // call_creds) into grpc_composite_credentials_create will see their refcounts
   // incremented.
   return channel_creds->c_creds_ == nullptr
              ? nullptr
              : WrapChannelCredentials(grpc_composite_channel_credentials_create(
                    channel_creds->c_creds_, call_creds->c_creds_, nullptr));
 }

 class CompositeCallCredentialsImpl : public CallCredentials {
  public:
   CompositeCallCredentialsImpl(const std::shared_ptr<CallCredentials>& creds1,
                                const std::shared_ptr<CallCredentials>& creds2)
       : CallCredentials(grpc_composite_call_credentials_create(
             creds1->c_creds_, creds2->c_creds_, nullptr)) {}
 };

 std::shared_ptr<CallCredentials> CompositeCallCredentials(
     const std::shared_ptr<CallCredentials>& creds1,
     const std::shared_ptr<CallCredentials>& creds2) {
   return std::make_shared<CompositeCallCredentialsImpl>(creds1, creds2);
 }

 namespace {

 void UnrefMetadata(const std::vector<grpc_metadata>& md) {
   for (const auto& metadatum : md) {
     grpc_slice_unref(metadatum.key);
     grpc_slice_unref(metadatum.value);
   }
 }

 class MetadataCredentialsPluginWrapper final : private internal::GrpcLibrary {
  public:
   static void Destroy(void* wrapper) {
     if (wrapper == nullptr) return;
     grpc_event_engine::experimental::GetDefaultEventEngine()->Run([wrapper] {
       grpc_core::ApplicationCallbackExecCtx callback_exec_ctx;
       grpc_core::ExecCtx exec_ctx;
       delete static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
     });
   }

   static int GetMetadata(
       void* wrapper, grpc_auth_metadata_context context,
       grpc_credentials_plugin_metadata_cb cb, void* user_data,
       grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
       size_t* num_creds_md, grpc_status_code* status,
       const char** error_details) {
     GPR_ASSERT(wrapper);
     MetadataCredentialsPluginWrapper* w =
         static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
     if (!w->plugin_) {
       *num_creds_md = 0;
       *status = GRPC_STATUS_OK;
       *error_details = nullptr;
       return 1;
     }
     if (w->plugin_->IsBlocking()) {
       // The internals of context may be destroyed if GetMetadata is cancelled.
       // Make a copy for InvokePlugin.
       grpc_auth_metadata_context context_copy = grpc_auth_metadata_context();
       grpc_auth_metadata_context_copy(&context, &context_copy);
       // Asynchronous return.
       // TODO(hork): replace with EventEngine::Run
       w->thread_pool_->Add([w, context_copy, cb, user_data]() mutable {
         w->MetadataCredentialsPluginWrapper::InvokePlugin(
             context_copy, cb, user_data, nullptr, nullptr, nullptr, nullptr);
         grpc_auth_metadata_context_reset(&context_copy);
       });
       return 0;
     } else {
       // Synchronous return.
       w->InvokePlugin(context, cb, user_data, creds_md, num_creds_md, status,
                       error_details);
       return 1;
     }
   }

   static char* DebugString(void* wrapper) {
     GPR_ASSERT(wrapper);
     MetadataCredentialsPluginWrapper* w =
         static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
     return gpr_strdup(w->plugin_->DebugString().c_str());
   }

   explicit MetadataCredentialsPluginWrapper(
       std::unique_ptr<MetadataCredentialsPlugin> plugin)
       : plugin_(std::move(plugin)) {
     if (plugin_->IsBlocking()) {
       thread_pool_.reset(CreateDefaultThreadPool());
     }
   }

  private:
   void InvokePlugin(
       grpc_auth_metadata_context context,
       grpc_credentials_plugin_metadata_cb cb, void* user_data,
       grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
       size_t* num_creds_md, grpc_status_code* status_code,
       const char** error_details) {
     std::multimap<std::string, std::string> metadata;

     // const_cast is safe since the SecureAuthContext only inc/dec the refcount
     // and the object is passed as a const ref to plugin_->GetMetadata.
     SecureAuthContext cpp_channel_auth_context(
         const_cast<grpc_auth_context*>(context.channel_auth_context));

     Status status =
         plugin_->GetMetadata(context.service_url, context.method_name,
                              cpp_channel_auth_context, &metadata);
     std::vector<grpc_metadata> md;
     for (auto& metadatum : metadata) {
       grpc_metadata md_entry;
       md_entry.key = SliceFromCopiedString(metadatum.first);
       md_entry.value = SliceFromCopiedString(metadatum.second);
       md.push_back(md_entry);
     }
     if (creds_md != nullptr) {
       // Synchronous return.
       if (md.size() > GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX) {
         *num_creds_md = 0;
         *status_code = GRPC_STATUS_INTERNAL;
         *error_details = gpr_strdup(
             "blocking plugin credentials returned too many metadata keys");
         UnrefMetadata(md);
       } else {
         for (const auto& elem : md) {
           creds_md[*num_creds_md].key = elem.key;
           creds_md[*num_creds_md].value = elem.value;
           ++(*num_creds_md);
         }
         *status_code = static_cast<grpc_status_code>(status.error_code());
         *error_details =
             status.ok() ? nullptr : gpr_strdup(status.error_message().c_str());
       }
     } else {
       // Asynchronous return.
       cb(user_data, md.empty() ? nullptr : &md[0], md.size(),
          static_cast<grpc_status_code>(status.error_code()),
          status.error_message().c_str());
       UnrefMetadata(md);
     }
   }

   std::unique_ptr<ThreadPoolInterface> thread_pool_;
   std::unique_ptr<MetadataCredentialsPlugin> plugin_;
 };

 }  // namespace

 namespace experimental {
 std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
     std::unique_ptr<MetadataCredentialsPlugin> plugin,
     grpc_security_level min_security_level) {
   grpc::internal::GrpcLibrary init;  // To call grpc_init().
   const char* type = plugin->GetType();
   MetadataCredentialsPluginWrapper* wrapper =
       new MetadataCredentialsPluginWrapper(std::move(plugin));
   grpc_metadata_credentials_plugin c_plugin = {
       MetadataCredentialsPluginWrapper::GetMetadata,
       MetadataCredentialsPluginWrapper::DebugString,
       MetadataCredentialsPluginWrapper::Destroy, wrapper, type};
   return WrapCallCredentials(grpc_metadata_credentials_create_from_plugin(
       c_plugin, min_security_level, nullptr));
 }

 }  // namespace experimental

 std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
     std::unique_ptr<MetadataCredentialsPlugin> plugin) {
   return experimental::MetadataCredentialsFromPlugin(
       std::move(plugin), GRPC_PRIVACY_AND_INTEGRITY);
 }

 }  // namespace grpc
	//
	//
	// Copyright 2015 gRPC authors.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	//
	//

	#include "src/cpp/client/secure_credentials.h"

	#include <string.h>

	#include <map>
	#include <memory>
	#include <utility>

	#include "absl/status/status.h"
	#include "absl/status/statusor.h"
	#include "absl/strings/str_join.h"
	#include "absl/types/optional.h"

	#include <grpc/event_engine/event_engine.h>
	#include <grpc/grpc.h>
	#include <grpc/grpc_security_constants.h>
	#include <grpc/slice.h>
	#include <grpc/support/json.h>
	#include <grpc/support/log.h>
	#include <grpc/support/string_util.h>
	#include <grpc/support/time.h>
	#include <grpcpp/channel.h>
	#include <grpcpp/impl/grpc_library.h>
	#include <grpcpp/security/tls_credentials_options.h>
	#include <grpcpp/support/channel_arguments.h>
	#include <grpcpp/support/config.h>
	#include <grpcpp/support/slice.h>
	#include <grpcpp/support/status.h>

	#include "src/core/lib/event_engine/default_event_engine.h"
	#include "src/core/lib/gprpp/env.h"
	#include "src/core/lib/gprpp/load_file.h"
	#include "src/core/lib/json/json.h"
	#include "src/core/lib/json/json_reader.h"
	#include "src/core/lib/security/util/json_util.h"
	#include "src/cpp/common/secure_auth_context.h"
	#include "src/cpp/server/thread_pool_interface.h"

	namespace grpc {

	namespace {
	class WrappedCallCredentials : public CallCredentials {
	public:
	explicit WrappedCallCredentials(grpc_call_credentials* creds)
	: CallCredentials(creds) {}
	};

	std::shared_ptr<WrappedCallCredentials> WrapCallCredentials(
	grpc_call_credentials* creds) {
	return creds == nullptr ? nullptr
	: std::make_shared<WrappedCallCredentials>(creds);
	}

	class WrappedChannelCredentials final : public ChannelCredentials {
	public:
	explicit WrappedChannelCredentials(grpc_channel_credentials* c_creds)
	: ChannelCredentials(c_creds) {}
	};

	std::shared_ptr<WrappedChannelCredentials> WrapChannelCredentials(
	grpc_channel_credentials* creds) {
	return creds == nullptr ? nullptr
	: std::make_shared<WrappedChannelCredentials>(creds);
	}

	} // namespace

	std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials() {
	grpc::internal::GrpcLibrary init; // To call grpc_init().
	return WrapChannelCredentials(
	grpc_google_default_credentials_create(nullptr));
	}

	std::shared_ptr<CallCredentials> ExternalAccountCredentials(
	const grpc::string& json_string, const std::vector<grpc::string>& scopes) {
	grpc::internal::GrpcLibrary init; // To call grpc_init().
	return WrapCallCredentials(grpc_external_account_credentials_create(
	json_string.c_str(), absl::StrJoin(scopes, ",").c_str()));
	}

	// Builds SSL Credentials given SSL specific options
	std::shared_ptr<ChannelCredentials> SslCredentials(
	const SslCredentialsOptions& options) {
	grpc::internal::GrpcLibrary init; // To call grpc_init().
	grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {
	options.pem_private_key.c_str(), options.pem_cert_chain.c_str()};
	return WrapChannelCredentials(grpc_ssl_credentials_create(
	options.pem_root_certs.empty() ? nullptr : options.pem_root_certs.c_str(),
	options.pem_private_key.empty() ? nullptr : &pem_key_cert_pair, nullptr,
	nullptr));
	}

	namespace experimental {

	namespace {

	void ClearStsCredentialsOptions(StsCredentialsOptions* options) {
	if (options == nullptr) return;
	options->token_exchange_service_uri.clear();
	options->resource.clear();
	options->audience.clear();
	options->scope.clear();
	options->requested_token_type.clear();
	options->subject_token_path.clear();
	options->subject_token_type.clear();
	options->actor_token_path.clear();
	options->actor_token_type.clear();
	}

	} // namespace

	// Builds STS credentials options from JSON.
	grpc::Status StsCredentialsOptionsFromJson(const std::string& json_string,
	StsCredentialsOptions* options) {
	if (options == nullptr) {
	return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
	"options cannot be nullptr.");
	}
	ClearStsCredentialsOptions(options);
	auto json = grpc_core::JsonParse(json_string.c_str());
	if (!json.ok() \|\| json->type() != grpc_core::Json::Type::kObject) {
	return grpc::Status(
	grpc::StatusCode::INVALID_ARGUMENT,
	absl::StrCat("Invalid json: ", json.status().ToString()));
	}

	// Required fields.
	const char* value = grpc_json_get_string_property(
	*json, "token_exchange_service_uri", nullptr);
	if (value == nullptr) {
	ClearStsCredentialsOptions(options);
	return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
	"token_exchange_service_uri must be specified.");
	}
	options->token_exchange_service_uri.assign(value);
	value = grpc_json_get_string_property(*json, "subject_token_path", nullptr);
	if (value == nullptr) {
	ClearStsCredentialsOptions(options);
	return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
	"subject_token_path must be specified.");
	}
	options->subject_token_path.assign(value);
	value = grpc_json_get_string_property(*json, "subject_token_type", nullptr);
	if (value == nullptr) {
	ClearStsCredentialsOptions(options);
	return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
	"subject_token_type must be specified.");
	}
	options->subject_token_type.assign(value);

	// Optional fields.
	value = grpc_json_get_string_property(*json, "resource", nullptr);
	if (value != nullptr) options->resource.assign(value);
	value = grpc_json_get_string_property(*json, "audience", nullptr);
	if (value != nullptr) options->audience.assign(value);
	value = grpc_json_get_string_property(*json, "scope", nullptr);
	if (value != nullptr) options->scope.assign(value);
	value = grpc_json_get_string_property(*json, "requested_token_type", nullptr);
	if (value != nullptr) options->requested_token_type.assign(value);
	value = grpc_json_get_string_property(*json, "actor_token_path", nullptr);
	if (value != nullptr) options->actor_token_path.assign(value);
	value = grpc_json_get_string_property(*json, "actor_token_type", nullptr);
	if (value != nullptr) options->actor_token_type.assign(value);

	return grpc::Status();
	}

	// Builds STS credentials Options from the $STS_CREDENTIALS env var.
	grpc::Status StsCredentialsOptionsFromEnv(StsCredentialsOptions* options) {
	if (options == nullptr) {
	return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT,
	"options cannot be nullptr.");
	}
	ClearStsCredentialsOptions(options);
	auto sts_creds_path = grpc_core::GetEnv("STS_CREDENTIALS");
	if (!sts_creds_path.has_value()) {
	return grpc::Status(grpc::StatusCode::NOT_FOUND,
	"STS_CREDENTIALS environment variable not set.");
	}
	auto json_slice =
	grpc_core::LoadFile(sts_creds_path, /add_null_terminator=*/true);
	if (!json_slice.ok()) {
	return grpc::Status(grpc::StatusCode::NOT_FOUND,
	json_slice.status().ToString());
	}
	return StsCredentialsOptionsFromJson(json_slice->as_string_view().data(),
	options);
	}

	// C++ to Core STS Credentials options.
	grpc_sts_credentials_options StsCredentialsCppToCoreOptions(
	const StsCredentialsOptions& options) {
	grpc_sts_credentials_options opts;
	memset(&opts, 0, sizeof(opts));
	opts.token_exchange_service_uri = options.token_exchange_service_uri.c_str();
	opts.resource = options.resource.c_str();
	opts.audience = options.audience.c_str();
	opts.scope = options.scope.c_str();
	opts.requested_token_type = options.requested_token_type.c_str();
	opts.subject_token_path = options.subject_token_path.c_str();
	opts.subject_token_type = options.subject_token_type.c_str();
	opts.actor_token_path = options.actor_token_path.c_str();
	opts.actor_token_type = options.actor_token_type.c_str();
	return opts;
	}

	// Builds STS credentials.
	std::shared_ptr<CallCredentials> StsCredentials(
	const StsCredentialsOptions& options) {
	auto opts = StsCredentialsCppToCoreOptions(options);
	return WrapCallCredentials(grpc_sts_credentials_create(&opts, nullptr));
	}

	// Builds ALTS Credentials given ALTS specific options
	std::shared_ptr<ChannelCredentials> AltsCredentials(
	const AltsCredentialsOptions& options) {
	grpc::internal::GrpcLibrary init; // To call grpc_init().
	grpc_alts_credentials_options* c_options =
	grpc_alts_credentials_client_options_create();
	for (const auto& service_account : options.target_service_accounts) {
	grpc_alts_credentials_client_options_add_target_service_account(
	c_options, service_account.c_str());
	}
	grpc_channel_credentials* c_creds = grpc_alts_credentials_create(c_options);
	grpc_alts_credentials_options_destroy(c_options);
	return WrapChannelCredentials(c_creds);
	}

	// Builds Local Credentials
	std::shared_ptr<ChannelCredentials> LocalCredentials(
	grpc_local_connect_type type) {
	grpc::internal::GrpcLibrary init; // To call grpc_init().
	return WrapChannelCredentials(grpc_local_credentials_create(type));
	}

	// Builds TLS Credentials given TLS options.
	std::shared_ptr<ChannelCredentials> TlsCredentials(
	const TlsChannelCredentialsOptions& options) {
	return WrapChannelCredentials(
	grpc_tls_credentials_create(options.c_credentials_options()));
	}

	} // namespace experimental

	// Builds credentials for use when running in GCE
	std::shared_ptr<CallCredentials> GoogleComputeEngineCredentials() {
	grpc::internal::GrpcLibrary init; // To call grpc_init().
	return WrapCallCredentials(
	grpc_google_compute_engine_credentials_create(nullptr));
	}

	// Builds JWT credentials.
	std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials(
	const std::string& json_key, long token_lifetime_seconds) {
	grpc::internal::GrpcLibrary init; // To call grpc_init().
	if (token_lifetime_seconds <= 0) {
	gpr_log(GPR_ERROR,
	"Trying to create JWTCredentials with non-positive lifetime");
	return WrapCallCredentials(nullptr);
	}
	gpr_timespec lifetime =
	gpr_time_from_seconds(token_lifetime_seconds, GPR_TIMESPAN);
	return WrapCallCredentials(grpc_service_account_jwt_access_credentials_create(
	json_key.c_str(), lifetime, nullptr));
	}

	// Builds refresh token credentials.
	std::shared_ptr<CallCredentials> GoogleRefreshTokenCredentials(
	const std::string& json_refresh_token) {
	grpc::internal::GrpcLibrary init; // To call grpc_init().
	return WrapCallCredentials(grpc_google_refresh_token_credentials_create(
	json_refresh_token.c_str(), nullptr));
	}

	// Builds access token credentials.
	std::shared_ptr<CallCredentials> AccessTokenCredentials(
	const std::string& access_token) {
	grpc::internal::GrpcLibrary init; // To call grpc_init().
	return WrapCallCredentials(
	grpc_access_token_credentials_create(access_token.c_str(), nullptr));
	}

	// Builds IAM credentials.
	std::shared_ptr<CallCredentials> GoogleIAMCredentials(
	const std::string& authorization_token,
	const std::string& authority_selector) {
	grpc::internal::GrpcLibrary init; // To call grpc_init().
	return WrapCallCredentials(grpc_google_iam_credentials_create(
	authorization_token.c_str(), authority_selector.c_str(), nullptr));
	}

	// Combines one channel credentials and one call credentials into a channel
	// composite credentials.
	std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
	const std::shared_ptr<ChannelCredentials>& channel_creds,
	const std::shared_ptr<CallCredentials>& call_creds) {
	// Note that we are not saving shared_ptrs to the two credentials passed in
	// here. This is OK because the underlying C objects (i.e., channel_creds and
	// call_creds) into grpc_composite_credentials_create will see their refcounts
	// incremented.
	return channel_creds->c_creds_ == nullptr
	? nullptr
	: WrapChannelCredentials(grpc_composite_channel_credentials_create(
	channel_creds->c_creds_, call_creds->c_creds_, nullptr));
	}

	class CompositeCallCredentialsImpl : public CallCredentials {
	public:
	CompositeCallCredentialsImpl(const std::shared_ptr<CallCredentials>& creds1,
	const std::shared_ptr<CallCredentials>& creds2)
	: CallCredentials(grpc_composite_call_credentials_create(
	creds1->c_creds_, creds2->c_creds_, nullptr)) {}
	};

	std::shared_ptr<CallCredentials> CompositeCallCredentials(
	const std::shared_ptr<CallCredentials>& creds1,
	const std::shared_ptr<CallCredentials>& creds2) {
	return std::make_shared<CompositeCallCredentialsImpl>(creds1, creds2);
	}

	namespace {

	void UnrefMetadata(const std::vector<grpc_metadata>& md) {
	for (const auto& metadatum : md) {
	grpc_slice_unref(metadatum.key);
	grpc_slice_unref(metadatum.value);
	}
	}

	class MetadataCredentialsPluginWrapper final : private internal::GrpcLibrary {
	public:
	static void Destroy(void* wrapper) {
	if (wrapper == nullptr) return;
	grpc_event_engine::experimental::GetDefaultEventEngine()->Run([wrapper] {
	grpc_core::ApplicationCallbackExecCtx callback_exec_ctx;
	grpc_core::ExecCtx exec_ctx;
	delete static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
	});
	}

	static int GetMetadata(
	void* wrapper, grpc_auth_metadata_context context,
	grpc_credentials_plugin_metadata_cb cb, void* user_data,
	grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
	size_t* num_creds_md, grpc_status_code* status,
	const char** error_details) {
	GPR_ASSERT(wrapper);
	MetadataCredentialsPluginWrapper* w =
	static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
	if (!w->plugin_) {
	*num_creds_md = 0;
	*status = GRPC_STATUS_OK;
	*error_details = nullptr;
	return 1;
	}
	if (w->plugin_->IsBlocking()) {
	// The internals of context may be destroyed if GetMetadata is cancelled.
	// Make a copy for InvokePlugin.
	grpc_auth_metadata_context context_copy = grpc_auth_metadata_context();
	grpc_auth_metadata_context_copy(&context, &context_copy);
	// Asynchronous return.
	// TODO(hork): replace with EventEngine::Run
	w->thread_pool_->Add([w, context_copy, cb, user_data]() mutable {
	w->MetadataCredentialsPluginWrapper::InvokePlugin(
	context_copy, cb, user_data, nullptr, nullptr, nullptr, nullptr);
	grpc_auth_metadata_context_reset(&context_copy);
	});
	return 0;
	} else {
	// Synchronous return.
	w->InvokePlugin(context, cb, user_data, creds_md, num_creds_md, status,
	error_details);
	return 1;
	}
	}

	static char* DebugString(void* wrapper) {
	GPR_ASSERT(wrapper);
	MetadataCredentialsPluginWrapper* w =
	static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
	return gpr_strdup(w->plugin_->DebugString().c_str());
	}

	explicit MetadataCredentialsPluginWrapper(
	std::unique_ptr<MetadataCredentialsPlugin> plugin)
	: plugin_(std::move(plugin)) {
	if (plugin_->IsBlocking()) {
	thread_pool_.reset(CreateDefaultThreadPool());
	}
	}

	private:
	void InvokePlugin(
	grpc_auth_metadata_context context,
	grpc_credentials_plugin_metadata_cb cb, void* user_data,
	grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
	size_t* num_creds_md, grpc_status_code* status_code,
	const char** error_details) {
	std::multimap<std::string, std::string> metadata;

	// const_cast is safe since the SecureAuthContext only inc/dec the refcount
	// and the object is passed as a const ref to plugin_->GetMetadata.
	SecureAuthContext cpp_channel_auth_context(
	const_cast<grpc_auth_context*>(context.channel_auth_context));

	Status status =
	plugin_->GetMetadata(context.service_url, context.method_name,
	cpp_channel_auth_context, &metadata);
	std::vector<grpc_metadata> md;
	for (auto& metadatum : metadata) {
	grpc_metadata md_entry;
	md_entry.key = SliceFromCopiedString(metadatum.first);
	md_entry.value = SliceFromCopiedString(metadatum.second);
	md.push_back(md_entry);
	}
	if (creds_md != nullptr) {
	// Synchronous return.
	if (md.size() > GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX) {
	*num_creds_md = 0;
	*status_code = GRPC_STATUS_INTERNAL;
	*error_details = gpr_strdup(
	"blocking plugin credentials returned too many metadata keys");
	UnrefMetadata(md);
	} else {
	for (const auto& elem : md) {
	creds_md[*num_creds_md].key = elem.key;
	creds_md[*num_creds_md].value = elem.value;
	++(*num_creds_md);
	}
	*status_code = static_cast<grpc_status_code>(status.error_code());
	*error_details =
	status.ok() ? nullptr : gpr_strdup(status.error_message().c_str());
	}
	} else {
	// Asynchronous return.
	cb(user_data, md.empty() ? nullptr : &md[0], md.size(),
	static_cast<grpc_status_code>(status.error_code()),
	status.error_message().c_str());
	UnrefMetadata(md);
	}
	}

	std::unique_ptr<ThreadPoolInterface> thread_pool_;
	std::unique_ptr<MetadataCredentialsPlugin> plugin_;
	};

	} // namespace

	namespace experimental {
	std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
	std::unique_ptr<MetadataCredentialsPlugin> plugin,
	grpc_security_level min_security_level) {
	grpc::internal::GrpcLibrary init; // To call grpc_init().
	const char* type = plugin->GetType();
	MetadataCredentialsPluginWrapper* wrapper =
	new MetadataCredentialsPluginWrapper(std::move(plugin));
	grpc_metadata_credentials_plugin c_plugin = {
	MetadataCredentialsPluginWrapper::GetMetadata,
	MetadataCredentialsPluginWrapper::DebugString,
	MetadataCredentialsPluginWrapper::Destroy, wrapper, type};
	return WrapCallCredentials(grpc_metadata_credentials_create_from_plugin(
	c_plugin, min_security_level, nullptr));
	}

	} // namespace experimental

	std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
	std::unique_ptr<MetadataCredentialsPlugin> plugin) {
	return experimental::MetadataCredentialsFromPlugin(
	std::move(plugin), GRPC_PRIVACY_AND_INTEGRITY);
	}

	} // namespace grpc