From 23dacfc0b4150dc6e83db030f039f35ccff05dd5 Mon Sep 17 00:00:00 2001
From: Richard Belleville
Date: Tue, 7 Jul 2020 01:10:12 +0000
Subject: [PATCH] Add Python wrapper
---
 .../google_default_credentials.cc | 37 +++++++++++--------
 src/python/grpcio/grpc/__init__.py | 5 +--
 .../grpc/_cython/_cygrpc/credentials.pyx.pxi | 12 ++++--
 .../grpcio/grpc/_cython/_cygrpc/grpc.pxi | 3 +-
 .../grpcio_tests/tests/interop/client.py | 14 ++++---
 5 files changed, 40 insertions(+), 31 deletions(-)
diff --git a/src/core/lib/security/credentials/google_default/google_default_credentials.cc b/src/core/lib/security/credentials/google_default/google_default_credentials.cc
index 3b5530d2e1b..16db70040bb 100644
--- a/src/core/lib/security/credentials/google_default/google_default_credentials.cc
+++ b/src/core/lib/security/credentials/google_default/google_default_credentials.cc
@@ -273,11 +273,29 @@ end:
 return error;
 }
+static void update_tenancy() {
+ gpr_once_init(&g_once, init_default_credentials);
+ gpr_mu_lock(&g_state_mu);
+
+ /* Try a platform-provided hint for GCE. */
+ if (!g_metadata_server_available) {
+ g_is_on_gce = g_gce_tenancy_checker();
+ g_metadata_server_available = g_is_on_gce;
+ }
+ /* TODO: Add a platform-provided hint for GAE. */
+
+ /* Do a network test for metadata server. */
+ if (!g_metadata_server_available) {
+ g_metadata_server_available = is_metadata_server_reachable();
+ }
+ gpr_mu_unlock(&g_state_mu);
+
+}
+
 static void default_call_creds(grpc_core::RefCountedPtr* call_creds, grpc_error* error) {
 grpc_error* err;
- gpr_once_init(&g_once, init_default_credentials);
 /* First, try the environment variable. */
 err = create_default_creds_from_path(
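Review bot: `update_tenancy()` has no comment stating its contract, and it keeps `g_state_mu` held across `is_metadata_server_reachable()`, which the inline comment describes as a network test. The probe is skipped only once `g_metadata_server_available` is true, so a host where it stays false repeats the probe under the lock on every call. I would add a header comment such as `/* Refreshes g_is_on_gce and g_metadata_server_available under g_state_mu; may block on a metadata-server probe. Must run before default_call_creds(). */` and drop the stray blank line before the closing brace. The tail of this hunk is context from `default_call_creds`, whose body continues outside it.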
@@ -291,21 +309,6 @@ static void default_call_creds(grpc_core::RefCountedPtr*
 if (err == GRPC_ERROR_NONE) return;
 error = grpc_error_add_child(error, err);
- gpr_mu_lock(&g_state_mu);
-
- /* Try a platform-provided hint for GCE. */
- if (!g_metadata_server_available) {
- g_is_on_gce = g_gce_tenancy_checker();
- g_metadata_server_available = g_is_on_gce;
- }
- /* TODO: Add a platform-provided hint for GAE. */
-
- /* Do a network test for metadata server. */
- if (!g_metadata_server_available) {
- g_metadata_server_available = is_metadata_server_reachable();
- }
- gpr_mu_unlock(&g_state_mu);
-
 if (g_metadata_server_available) {
 *call_creds = grpc_core::RefCountedPtr( grpc_google_compute_engine_credentials_create(nullptr));
@@ -326,6 +329,8 @@ grpc_channel_credentials* grpc_google_default_credentials_create(grpc_call_crede
 GRPC_API_TRACE("grpc_google_default_credentials_create(%p)", 1, (call_credentials));
+ update_tenancy();
+
 if (call_credentials == nullptr) {
 default_call_creds(&call_creds, error);
 }
diff --git a/src/python/grpcio/grpc/__init__.py b/src/python/grpcio/grpc/__init__.py
index f1eba51f59a..37ada3cb51c 100644
--- a/src/python/grpcio/grpc/__init__.py
+++ b/src/python/grpcio/grpc/__init__.py
@@ -1868,10 +1868,9 @@ def alts_server_credentials():
 return ServerCredentials(_cygrpc.server_credentials_alts())
-def compute_engine_channel_credentials():
+def compute_engine_channel_credentials(call_credentials):
 """Creates a compute engine channel credential.
- This is an EXPERIMENAL API.
 This credential can only be used in a GCP environment as ir relies on a handshaker service. For more infor about ALTS, see https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security
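Review bot: The added `update_tenancy();` runs before the `call_credentials == nullptr` check, so the tenancy check and a possible metadata-server probe now happen even when the caller supplies call credentials, and before `default_call_creds` can return early on its environment-variable path. If that is intended (presumably the channel side needs the tenancy result, but the rest of the function is outside this hunk), say so in a comment, e.g. `/* Tenancy also decides the channel credentials, so refresh it even when call creds are provided. */`. `default_call_creds` still reads `g_metadata_server_available` outside `g_state_mu` and now depends on this call having run first, so a one-line comment at that read would make the ordering requirement explicit.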
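Review bot: The new `call_credentials` parameter is required and has no default, so existing zero-argument callers of `compute_engine_channel_credentials()` will fail with `TypeError`. The docstring gains no entry for the parameter, while the line marking the API as experimental is removed in the same change that alters its signature. If the API is still experimental the marker should stay (spelled `EXPERIMENTAL`), and the argument needs documenting, e.g. `call_credentials: A CallCredentials instance; must not be None.` The docstring continues past the end of this hunk.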
@@ -1881,7 +1880,7 @@ def compute_engine_channel_credentials():
 with any other call credential, the connection may suddenly and unexpectedly begin failing RPCs.
 """
- return ChannelCredentials(_cygrpc.channel_credentials_compute_engine())
+ return ChannelCredentials(_cygrpc.channel_credentials_compute_engine(call_credentials._credentials))
 def channel_ready_future(channel):
diff --git a/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi b/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
index 950373f303f..c75579cc04f 100644
--- a/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
+++ b/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
@@ -384,14 +384,18 @@ def server_credentials_alts():
 cdef class ComputeEngineChannelCredentials(ChannelCredentials):
 cdef grpc_channel_credentials* _c_creds
+ cdef grpc_call_credentials* _call_creds
- def __cinit__(self):
+ def __cinit__(self, CallCredentials call_creds):
 self._c_creds = NULL
+ self._call_creds = call_creds.c()
+ if self._call_creds == NULL:
+ raise ValueError("Call credentials may not be NULL.")
 cdef grpc_channel_credentials *c(self) except *:
- self._c_creds = grpc_compute_engine_channel_credentials_create(NULL)
+ self._c_creds = grpc_google_default_credentials_create(self._call_creds)
 return self._c_creds
-def channel_credentials_compute_engine():
- return ComputeEngineChannelCredentials()
+def channel_credentials_compute_engine(call_creds):
+ return ComputeEngineChannelCredentials(call_creds)
diff --git a/src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi b/src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi
index 287817bd5ae..a7131355a07 100644
--- a/src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi
+++ b/src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi
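Review bot: `call_credentials._credentials` is dereferenced with no validation, so passing `None` or any object that is not a `CallCredentials` fails with a bare `AttributeError` on a private attribute instead of a clear error at the public API boundary. A guard before the return would fix that, such as `if not isinstance(call_credentials, CallCredentials): raise TypeError("call_credentials must be a grpc.CallCredentials")`. The function's signature and most of its docstring lie outside this hunk.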
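Review bot: In `__cinit__`, the typed argument `CallCredentials call_creds` still accepts `None` in Cython, and calling the cdef method `call_creds.c()` on `None` can crash rather than raise. Declare it as `def __cinit__(self, CallCredentials call_creds not None):` so the wrapper raises `TypeError` instead. The pointer returned by `call_creds.c()` is stored raw in `_call_creds`, and nothing in this hunk keeps the Python object alive or releases the C object, so ownership should be documented or handled here; whether `c()` hands back a new reference cannot be seen from the hunk. `c(self)` also reuses that one pointer on every call, and the class keeps its `ComputeEngine` name although it now calls `grpc_google_default_credentials_create`.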
@@ -504,8 +504,7 @@ cdef extern from "grpc/grpc_security.h":
 void grpc_set_ssl_roots_override_callback( grpc_ssl_roots_override_callback cb) nogil
- grpc_channel_credentials *grpc_google_default_credentials_create() nogil
- grpc_channel_credentials *grpc_compute_engine_channel_credentials_create(void* reserved) nogil
+ grpc_channel_credentials *grpc_google_default_credentials_create(grpc_call_credentials* call_credentials) nogil
 grpc_channel_credentials *grpc_ssl_credentials_create( const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pair, verify_peer_options *verify_options, void *reserved) nogil
diff --git a/src/python/grpcio_tests/tests/interop/client.py b/src/python/grpcio_tests/tests/interop/client.py
index b638ceeb727..b56880c5c07 100644
--- a/src/python/grpcio_tests/tests/interop/client.py
+++ b/src/python/grpcio_tests/tests/interop/client.py
@@ -109,19 +109,21 @@ def get_secure_channel_parameters(args):
 % args.grpc_test_use_grpclb_with_child_policy),)
 if args.custom_credentials_type is not None:
 if args.custom_credentials_type == "compute_engine_channel_creds":
+ # channel_credentials = grpc.google_default_channel_credentials()
 if call_credentials is not None:
- raise ValueError(
- "Cannot use both compute_engine_creds " +
- "and {} as call creds.".format(call_credentials))
+ raise ValueError("What? That's not true! That's impossible!")
 google_credentials, unused_project_id = google_auth.default( scopes=[args.oauth_scope])
 call_creds = grpc.metadata_call_credentials( google_auth.transport.grpc.AuthMetadataPlugin( credentials=google_credentials, request=google_auth.transport.requests.Request()))
- channel_credentials = grpc.compute_engine_channel_credentials()
- channel_credentials = grpc.composite_channel_credentials(
- channel_credentials, call_creds)
+ # TODO: Is there any reason why it actually had to take this argument?
+ # Couldn't we just as easily have created a composite channel credential?
+ channel_credentials = grpc.compute_engine_channel_credentials(call_creds)
+ # channel_credentials = grpc.composite_channel_credentials(channel_credent)
+ # channel_credentials = grpc.composite_channel_credentials(
+ # channel_credentials, call_credentials)
 else:
 raise ValueError("Unknown credentials type '{}'".format( args.custom_credentials_type))
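Review bot: The replacement message `"What? That's not true! That's impossible!"` tells the person running the interop client nothing about the conflict, whereas the removed text named both credential kinds. Restore a diagnostic such as `raise ValueError("Cannot use compute_engine_channel_creds together with {} as call creds.".format(call_credentials))`. The commented-out `channel_credentials = ...` lines added above and below the live assignment are dead code and should be removed before merge, with the TODO's open question either answered or tracked in an issue. `get_secure_channel_parameters` starts and ends outside this hunk.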