Let the wrapped language create the composite credential

include/grpc/grpc_security.h

@@ -303,17 +303,15 @@ GRPCAPI grpc_call_credentials* grpc_google_compute_engine_credentials_create(
 
 /** Creates compute engine channel credentials to connect to a google gRPC service.
 
-   call_credentials is expected to be a gce_call_credentials object.
-
-   The grpc_call_credentials instance passed to this function is expected to
-   remain valid for the lifetime of the grpc_channel_credentials object
-   returned.
+   This channel credential is expected to be used within a composite credential
+   alongside a compute_engine_credential. If used in conjunction with any call
+   credential besides a compute_engine_credential, the connection may suddenly
+   and unexpectedly begin to fail RPCs.
 
    WARNING: Do NOT use this credentials to connect to a non-google service as
    this could result in an oauth2 token leak. The security level of the
    resulting connection is GRPC_PRIVACY_AND_INTEGRITY. */
-GRPCAPI grpc_channel_credentials* grpc_compute_engine_channel_credentials_create(
-    grpc_call_credentials* call_credentials, void* reserved);
+GRPCAPI grpc_channel_credentials* grpc_compute_engine_channel_credentials_create(void* reserved);
 
 GRPCAPI gpr_timespec grpc_max_auth_token_lifetime(void);
 

src/core/lib/security/credentials/google_default/compute_engine_channel_credentials.cc

@@ -44,20 +44,16 @@
 #include "src/core/lib/slice/slice_string_helpers.h"
 #include "src/core/lib/surface/api_trace.h"
 
-grpc_channel_credentials* grpc_compute_engine_channel_credentials_create(
-    grpc_call_credentials* call_credentials, void* reserved) {
+grpc_channel_credentials* grpc_compute_engine_channel_credentials_create(void* reserved) {
   // If we haven't initialized the google_default_credentials singleton,
   // then we don't know whether or not we're on GCE and can't safely
   // created an ALTS connection.
   // TODO: Fix.
   auto default_warmer = grpc_google_default_credentials_create();
-  grpc_channel_credentials* result = nullptr;
-  grpc_error* error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-      "Failed to create GCE channel credentials");
   grpc_core::ExecCtx exec_ctx;
 
-  GRPC_API_TRACE("grpc_gce_channel_credentials_create(%p, %p)", 2,
-                 (call_credentials, reserved));
+  GRPC_API_TRACE("grpc_gce_channel_credentials_create(%p)", 1,
+                 (reserved));
 
   // TODO: Should we cache this here?
   grpc_channel_credentials* ssl_creds =
@@ -69,16 +65,11 @@ grpc_channel_credentials* grpc_compute_engine_channel_credentials_create(
   grpc_alts_credentials_options_destroy(options);
 
   auto creds =
-      grpc_core::MakeRefCounted<grpc_google_default_channel_credentials>(
+      new grpc_google_default_channel_credentials(
           alts_creds != nullptr ? alts_creds->Ref() : nullptr,
           ssl_creds != nullptr ? ssl_creds->Ref() : nullptr);
   if (ssl_creds) ssl_creds->Unref();
   if (alts_creds) alts_creds->Unref();
 
-  // TODO: Why not let the wrapped language do this?
-  result = grpc_composite_channel_credentials_create(creds.get(),
-                                                     call_credentials, nullptr);
-  GPR_ASSERT(result != nullptr);
-  GRPC_ERROR_UNREF(error);
-  return result;
+  return creds;
 }

src/python/grpcio/grpc/__init__.py

@@ -1868,12 +1868,21 @@ def alts_server_credentials():
     return ServerCredentials(_cygrpc.server_credentials_alts())
 
 
-def compute_engine_channel_credentials(call_creds):
-    """
-    TODO: Document.
+def compute_engine_channel_credentials():
+    """Creates a compute engine channel credential.
+
+    This is an EXPERIMENAL API.
+    This credential can only be used in a GCP environment as ir relies on
+    a handshaker service. For more infor about ALTS, see
+    https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security
+
+    This channel credential is expected to be used as part of a composite
+    credential in conjunction with a compute_engine_call_credential. if used
+    with any other call credential, the connection may suddenly and unexpectedly
+    begin failing RPCs.
     """
     return ChannelCredentials(
-        _cygrpc.channel_credentials_compute_engine(call_creds._credentials))
+        _cygrpc.channel_credentials_compute_engine())
 
 
 def channel_ready_future(channel):

src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi

@@ -381,21 +381,17 @@ def server_credentials_alts():
   grpc_alts_credentials_options_destroy(c_options)
   return credentials
 
+
 cdef class ComputeEngineChannelCredentials(ChannelCredentials):
   cdef grpc_channel_credentials* _c_creds
-  cdef grpc_call_credentials* _c_call_creds
 
-  def __cinit__(self, CallCredentials call_creds):
+  def __cinit__(self):
     self._c_creds = NULL
-    self._c_call_creds = call_creds.c()
 
   cdef grpc_channel_credentials *c(self) except *:
-    self._c_creds = grpc_compute_engine_channel_credentials_create(self._c_call_creds, NULL)
+    self._c_creds = grpc_compute_engine_channel_credentials_create(NULL)
     return self._c_creds
 
-  # TODO: Does this thing need to be deleted?
-  # I suppose the reason the google default one doesn't need to be is
-  # because there's one per process. We'll see.
 
-def channel_credentials_compute_engine(call_creds):
-  return ComputeEngineChannelCredentials(call_creds)
+def channel_credentials_compute_engine():
+  return ComputeEngineChannelCredentials()

src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi

@@ -505,7 +505,7 @@ cdef extern from "grpc/grpc_security.h":
       grpc_ssl_roots_override_callback cb) nogil
 
   grpc_channel_credentials *grpc_google_default_credentials_create() nogil
-  grpc_channel_credentials *grpc_compute_engine_channel_credentials_create(grpc_call_credentials* call_creds, void* reserved) nogil
+  grpc_channel_credentials *grpc_compute_engine_channel_credentials_create(void* reserved) nogil
   grpc_channel_credentials *grpc_ssl_credentials_create(
       const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pair,
       verify_peer_options *verify_options, void *reserved) nogil

src/python/grpcio_tests/tests/interop/client.py

@@ -109,21 +109,17 @@ def get_secure_channel_parameters(args):
             % args.grpc_test_use_grpclb_with_child_policy),)
     if args.custom_credentials_type is not None:
         if args.custom_credentials_type == "compute_engine_channel_creds":
-            # channel_credentials = grpc.google_default_channel_credentials()
             if call_credentials is not None:
-                raise ValueError("What? That's not true! That's impossible!")
+                raise ValueError("Cannot use both compute_engine_creds " +
+                                "and {} as call creds.".format(call_credentials))
             google_credentials, unused_project_id = google_auth.default(
                 scopes=[args.oauth_scope])
             call_creds = grpc.metadata_call_credentials(
                 google_auth.transport.grpc.AuthMetadataPlugin(
                     credentials=google_credentials,
                     request=google_auth.transport.requests.Request()))
-            # TODO: Is there any reason why it actually had to take this argument?
-            # Couldn't we just as easily have created a composite channel credential?
-            channel_credentials = grpc.compute_engine_channel_credentials(call_creds)
-            # channel_credentials = grpc.composite_channel_credentials(channel_credent)
-            #     channel_credentials = grpc.composite_channel_credentials(
-            #         channel_credentials, call_credentials)
+            channel_credentials = grpc.compute_engine_channel_credentials()
+            channel_credentials = grpc.composite_channel_credentials(channel_credentials, call_creds)
         else:
             raise ValueError("Unknown credentials type '{}'".format(
                 args.custom_credentials_type))