Add Python wrapper

5 years ago · 23dacfc0b4
parent c8a8a6aea4
commit 23dacfc0b4
5 changed files with 40 additions and 31 deletions
--- a/src/core/lib/security/credentials/google_default/google_default_credentials.cc
+++ b/src/core/lib/security/credentials/google_default/google_default_credentials.cc
@ -273,11 +273,29 @@ end:
  return error;
 }

+static void update_tenancy() {
+  gpr_once_init(&g_once, init_default_credentials);
+  gpr_mu_lock(&g_state_mu);
+
+  /* Try a platform-provided hint for GCE. */
+  if (!g_metadata_server_available) {
+    g_is_on_gce = g_gce_tenancy_checker();
+    g_metadata_server_available = g_is_on_gce;
+  }
+  /* TODO: Add a platform-provided hint for GAE. */
+
+  /* Do a network test for metadata server. */
+  if (!g_metadata_server_available) {
+    g_metadata_server_available = is_metadata_server_reachable();
+  }
+  gpr_mu_unlock(&g_state_mu);
+
+}
+
 static void default_call_creds(grpc_core::RefCountedPtr<grpc_call_credentials>* call_creds,
                               grpc_error* error)
 {
  grpc_error* err;
-  gpr_once_init(&g_once, init_default_credentials);

  /* First, try the environment variable. */
  err = create_default_creds_from_path(
@ -291,21 +309,6 @@ static void default_call_creds(grpc_core::RefCountedPtr<grpc_call_credentials>*
  if (err == GRPC_ERROR_NONE) return;
  error = grpc_error_add_child(error, err);

-  gpr_mu_lock(&g_state_mu);
-
-  /* Try a platform-provided hint for GCE. */
-  if (!g_metadata_server_available) {
-    g_is_on_gce = g_gce_tenancy_checker();
-    g_metadata_server_available = g_is_on_gce;
-  }
-  /* TODO: Add a platform-provided hint for GAE. */
-
-  /* Do a network test for metadata server. */
-  if (!g_metadata_server_available) {
-    g_metadata_server_available = is_metadata_server_reachable();
-  }
-  gpr_mu_unlock(&g_state_mu);
-
  if (g_metadata_server_available) {
    *call_creds = grpc_core::RefCountedPtr<grpc_call_credentials>(
        grpc_google_compute_engine_credentials_create(nullptr));
@ -326,6 +329,8 @@ grpc_channel_credentials* grpc_google_default_credentials_create(grpc_call_crede

  GRPC_API_TRACE("grpc_google_default_credentials_create(%p)", 1, (call_credentials));

+  update_tenancy();
+
  if (call_credentials == nullptr) {
    default_call_creds(&call_creds, error);
  }
--- a/src/python/grpcio/grpc/init.py
+++ b/src/python/grpcio/grpc/init.py
@ -1868,10 +1868,9 @@ def alts_server_credentials():
    return ServerCredentials(_cygrpc.server_credentials_alts())


-def compute_engine_channel_credentials():
+def compute_engine_channel_credentials(call_credentials):
    """Creates a compute engine channel credential.

-    This is an EXPERIMENAL API.
    This credential can only be used in a GCP environment as ir relies on
    a handshaker service. For more infor about ALTS, see
    https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security
@ -1881,7 +1880,7 @@ def compute_engine_channel_credentials():
    with any other call credential, the connection may suddenly and unexpectedly
    begin failing RPCs.
    """
-    return ChannelCredentials(_cygrpc.channel_credentials_compute_engine())
+    return ChannelCredentials(_cygrpc.channel_credentials_compute_engine(call_credentials._credentials))


 def channel_ready_future(channel):
--- a/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
+++ b/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
@ -384,14 +384,18 @@ def server_credentials_alts():

 cdef class ComputeEngineChannelCredentials(ChannelCredentials):
  cdef grpc_channel_credentials* _c_creds
+  cdef grpc_call_credentials* _call_creds

-  def __cinit__(self):
+  def __cinit__(self, CallCredentials call_creds):
    self._c_creds = NULL
+    self._call_creds = call_creds.c()
+    if self._call_creds == NULL:
+      raise ValueError("Call credentials may not be NULL.")

  cdef grpc_channel_credentials *c(self) except *:
-    self._c_creds = grpc_compute_engine_channel_credentials_create(NULL)
+    self._c_creds = grpc_google_default_credentials_create(self._call_creds)
    return self._c_creds


-def channel_credentials_compute_engine():
-  return ComputeEngineChannelCredentials()
+def channel_credentials_compute_engine(call_creds):
+  return ComputeEngineChannelCredentials(call_creds)
--- a/src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi
+++ b/src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi
@ -504,8 +504,7 @@ cdef extern from "grpc/grpc_security.h":
  void grpc_set_ssl_roots_override_callback(
      grpc_ssl_roots_override_callback cb) nogil

-  grpc_channel_credentials *grpc_google_default_credentials_create() nogil
-  grpc_channel_credentials *grpc_compute_engine_channel_credentials_create(void* reserved) nogil
+  grpc_channel_credentials *grpc_google_default_credentials_create(grpc_call_credentials* call_credentials) nogil
  grpc_channel_credentials *grpc_ssl_credentials_create(
      const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pair,
      verify_peer_options *verify_options, void *reserved) nogil
--- a/src/python/grpcio_tests/tests/interop/client.py
+++ b/src/python/grpcio_tests/tests/interop/client.py
@ -109,19 +109,21 @@ def get_secure_channel_parameters(args):
            % args.grpc_test_use_grpclb_with_child_policy),)
    if args.custom_credentials_type is not None:
        if args.custom_credentials_type == "compute_engine_channel_creds":
+            # channel_credentials = grpc.google_default_channel_credentials()
            if call_credentials is not None:
-                raise ValueError(
-                    "Cannot use both compute_engine_creds " +
-                    "and {} as call creds.".format(call_credentials))
+                raise ValueError("What? That's not true! That's impossible!")
            google_credentials, unused_project_id = google_auth.default(
                scopes=[args.oauth_scope])
            call_creds = grpc.metadata_call_credentials(
                google_auth.transport.grpc.AuthMetadataPlugin(
                    credentials=google_credentials,
                    request=google_auth.transport.requests.Request()))
-            channel_credentials = grpc.compute_engine_channel_credentials()
-            channel_credentials = grpc.composite_channel_credentials(
-                channel_credentials, call_creds)
+            # TODO: Is there any reason why it actually had to take this argument?
+            # Couldn't we just as easily have created a composite channel credential?
+            channel_credentials = grpc.compute_engine_channel_credentials(call_creds)
+            # channel_credentials = grpc.composite_channel_credentials(channel_credent)
+            #     channel_credentials = grpc.composite_channel_credentials(
+            #         channel_credentials, call_credentials)
        else:
            raise ValueError("Unknown credentials type '{}'".format(
                args.custom_credentials_type))