Initial implementation of gce_channel_creds

5 years ago · 330eaea53d
parent 1aae547e2c
commit 330eaea53d
5 changed files with 50 additions and 19 deletions
--- a/src/core/lib/security/credentials/google_default/gce_channel_credentials.cc
+++ b/src/core/lib/security/credentials/google_default/gce_channel_credentials.cc
@ -46,6 +46,11 @@

 grpc_channel_credentials*
 grpc_gce_channel_credentials_create(grpc_call_credentials* call_credentials, void* reserved) {
+  // If we haven't initialized the google_default_credentials singleton,
+  // then we don't know whether or not we're on GCE and can't safely
+  // created an ALTS connection.
+  // TODO: Fix.
+  auto default_warmer = grpc_google_default_credentials_create();
  grpc_channel_credentials* result = nullptr;
  grpc_error* error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
      "Failed to create GCE channel credentials");
@ -69,6 +74,8 @@ grpc_gce_channel_credentials_create(grpc_call_credentials* call_credentials, voi
          ssl_creds != nullptr ? ssl_creds->Ref() : nullptr);
  if (ssl_creds) ssl_creds->Unref();
  if (alts_creds) alts_creds->Unref();
+
+  // TODO: Why not let the wrapped language do this?
  result = grpc_composite_channel_credentials_create(
      creds.get(), call_credentials, nullptr);
  GPR_ASSERT(result != nullptr);
--- a/src/python/grpcio/grpc/init.py
+++ b/src/python/grpcio/grpc/init.py
@ -1868,11 +1868,12 @@ def alts_server_credentials():
    return ServerCredentials(_cygrpc.server_credentials_alts())


-def google_default_channel_credentials():
+def gce_channel_credentials(call_creds):
    """
    TODO: Document.
    """
-    return ChannelCredentials(_cygrpc.channel_credentials_google_default())
+    return ChannelCredentials(
+        _cygrpc.channel_credentials_gce(call_creds._credentials))


 def channel_ready_future(channel):
--- a/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
+++ b/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
@ -381,15 +381,21 @@ def server_credentials_alts():
  grpc_alts_credentials_options_destroy(c_options)
  return credentials

-cdef class GoogleDefaultChannelCredentials(ChannelCredentials):
+cdef class GCEChannelCredentials(ChannelCredentials):
  cdef grpc_channel_credentials* _c_creds
+  cdef grpc_call_credentials* _c_call_creds

-  def __cinit__(self):
+  def __cinit__(self, CallCredentials call_creds):
    self._c_creds = NULL
+    self._c_call_creds = call_creds.c()

  cdef grpc_channel_credentials *c(self) except *:
-    self._c_creds = grpc_google_default_credentials_create()
+    self._c_creds = grpc_gce_channel_credentials_create(self._c_call_creds, NULL)
    return self._c_creds

-def channel_credentials_google_default():
-  return GoogleDefaultChannelCredentials()
+  # TODO: Does this thing need to be deleted?
+  # I suppose the reason the google default one doesn't need to be is
+  # because there's one per process. We'll see.
+
+def channel_credentials_gce(call_creds):
+  return GCEChannelCredentials(call_creds)
--- a/src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi
+++ b/src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi
@ -505,6 +505,7 @@ cdef extern from "grpc/grpc_security.h":
      grpc_ssl_roots_override_callback cb) nogil

  grpc_channel_credentials *grpc_google_default_credentials_create() nogil
+  grpc_channel_credentials *grpc_gce_channel_credentials_create(grpc_call_credentials* call_creds, void* reserved) nogil
  grpc_channel_credentials *grpc_ssl_credentials_create(
      const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pair,
      verify_peer_options *verify_options, void *reserved) nogil
--- a/src/python/grpcio_tests/tests/interop/client.py
+++ b/src/python/grpcio_tests/tests/interop/client.py
@ -52,7 +52,7 @@ def parse_interop_client_args():
                        type=resources.parse_bool,
                        help='replace platform root CAs with ca.pem')
    parser.add_argument('--custom_credentials_type',
-                        choices=["google_default_credentials"],
+                        choices=["compute_engine_channel_creds"],
                        default=None,
                        help='use google default credentials')
    parser.add_argument('--server_host_override',
@ -64,12 +64,14 @@ def parse_interop_client_args():
    parser.add_argument('--default_service_account',
                        type=str,
                        help='email address of the default service account')
-    parser.add_argument("--grpc_test_use_grpclb_with_child_policy",
-                        type=str,
-                        help=("If non-empty, set a static service config on channels created by " +
-                        "grpc::CreateTestChannel, that configures the grpclb LB policy " +
-                        "with a child policy being the value of this flag (e.g. round_robin " +
-                        "or pick_first)."))
+    parser.add_argument(
+        "--grpc_test_use_grpclb_with_child_policy",
+        type=str,
+        help=(
+            "If non-empty, set a static service config on channels created by "
+            + "grpc::CreateTestChannel, that configures the grpclb LB policy " +
+            "with a child policy being the value of this flag (e.g. round_robin "
+            + "or pick_first)."))
    return parser.parse_args()


@ -101,13 +103,27 @@ def get_secure_channel_parameters(args):

    channel_opts = ()
    if args.grpc_test_use_grpclb_with_child_policy:
-        channel_opts += (("grpc.service_config", '{"loadBalancingConfig": [{"grpclb": {"childPolicy": [{"%s": {}}]}}]}' % args.grpc_test_use_grpclb_with_child_policy),)
+        channel_opts += ((
+            "grpc.service_config",
+            '{"loadBalancingConfig": [{"grpclb": {"childPolicy": [{"%s": {}}]}}]}'
+            % args.grpc_test_use_grpclb_with_child_policy),)
    if args.custom_credentials_type is not None:
-        if args.custom_credentials_type == "google_default_credentials":
-            channel_credentials = grpc.google_default_channel_credentials()
+        if args.custom_credentials_type == "compute_engine_channel_creds":
+            # channel_credentials = grpc.google_default_channel_credentials()
            if call_credentials is not None:
-                channel_credentials = grpc.composite_channel_credentials(
-                    channel_credentials, call_credentials)
+                raise ValueError("What? That's not true! That's impossible!")
+            google_credentials, unused_project_id = google_auth.default(
+                scopes=[args.oauth_scope])
+            call_creds = grpc.metadata_call_credentials(
+                google_auth.transport.grpc.AuthMetadataPlugin(
+                    credentials=google_credentials,
+                    request=google_auth.transport.requests.Request()))
+            # TODO: Is there any reason why it actually had to take this argument?
+            # Couldn't we just as easily have created a composite channel credential?
+            channel_credentials = grpc.gce_channel_credentials(call_creds)
+            # channel_credentials = grpc.composite_channel_credentials(channel_credent)
+            #     channel_credentials = grpc.composite_channel_credentials(
+            #         channel_credentials, call_credentials)
        else:
            raise ValueError("Unknown credentials type '{}'".format(
                args.custom_credentials_type))