
Merge pull request #4413 from jtattermusch/remove_ssl_cert_file_env

Get rid of SSL_CERT_FILE env entirely
Michael Lumish hace 9 años
padre
commit
5e61f2875c

+ 1 - 1
src/python/grpcio/tests/interop/client.py

@@ -90,7 +90,7 @@ def _stub(args):
     if args.use_test_ca:
       root_certificates = resources.test_root_certificates()
     else:
-      root_certificates = resources.prod_root_certificates()
+      root_certificates = None  # will load default roots.
 
     channel = test_utilities.not_really_secure_channel(
         args.server_host, args.server_port,
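Review bot: Passing `root_certificates = None` into `test_utilities.not_really_secure_channel` only works if that helper forwards `None` unchanged to the credentials constructor; its body is not visible in this hunk, so that should be confirmed. The inline comment could also say where the defaults come from, for example `# None: let gRPC core locate its default root certificates`. With the explicit SSL_CERT_FILE lookup gone, a missing root store would presumably surface as a TLS handshake failure rather than a KeyError at startup, which is harder to diagnose in interop runs. `_stub` starts and continues outside the hunk.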

+ 0 - 4
src/python/grpcio/tests/interop/resources.py

@@ -44,10 +44,6 @@ def test_root_certificates():
       __name__, _ROOT_CERTIFICATES_RESOURCE_PATH)
 
 
-def prod_root_certificates():
-  return open(os.environ['SSL_CERT_FILE'], mode='rb').read()
-
-
 def private_key():
   return pkg_resources.resource_string(__name__, _PRIVATE_KEY_RESOURCE_PATH)
 

+ 0 - 4
src/python/grpcio/tests/unit/resources.py

@@ -43,10 +43,6 @@ def test_root_certificates():
       __name__, _ROOT_CERTIFICATES_RESOURCE_PATH)
 
 
-def prod_root_certificates():
-  return open(os.environ['SSL_CERT_FILE'], mode='rb').read()
-
-
 def private_key():
   return pkg_resources.resource_string(__name__, _PRIVATE_KEY_RESOURCE_PATH)
 

+ 1 - 11
src/ruby/bin/apis/pubsub_demo.rb

@@ -32,7 +32,6 @@
 # pubsub_demo demos accesses the Google PubSub API via its gRPC interface
 #
 # $ GOOGLE_APPLICATION_CREDENTIALS=<path_to_service_account_key_file> \
-#   SSL_CERT_FILE=<path/to/ssl/certs> \
 #   path/to/pubsub_demo.rb \
 #   [--action=<chosen_demo_action> ]
 #
@@ -55,18 +54,9 @@ require 'google/protobuf/empty'
 require 'tech/pubsub/proto/pubsub'
 require 'tech/pubsub/proto/pubsub_services'
 
-# loads the certificates used to access the test server securely.
-def load_prod_cert
-  fail 'could not find a production cert' if ENV['SSL_CERT_FILE'].nil?
-  p "loading prod certs from #{ENV['SSL_CERT_FILE']}"
-  File.open(ENV['SSL_CERT_FILE']) do |f|
-    return f.read
-  end
-end
-
 # creates a SSL Credentials from the production certificates.
 def ssl_creds
-  GRPC::Core::ChannelCredentials.new(load_prod_cert)
+  GRPC::Core::ChannelCredentials.new()
 end
 
 # Builds the metadata authentication update proc.
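Review bot: The comment above `ssl_creds` still says the credentials are built "from the production certificates", but the new body passes no roots, so the trust anchors are whatever gRPC core selects by default. The same stale comment sits above `prod_creds` in src/ruby/pb/test/client.rb. Suggest `# creates SSL credentials that verify the server against gRPC's default root certificates.` in both places. As a style point, `GRPC::Core::ChannelCredentials.new()` reads better as `GRPC::Core::ChannelCredentials.new`, since Ruby omits empty call parentheses.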

+ 12 - 13
src/ruby/ext/grpc/rb_channel_credentials.c

@@ -148,11 +148,13 @@ static ID id_pem_cert_chain;
 
 /*
   call-seq:
-    creds1 = Credentials.new(pem_root_certs)
+    creds1 = Credentials.new()
     ...
-    creds2 = Credentials.new(pem_root_certs, pem_private_key,
+    creds2 = Credentials.new(pem_root_certs)
+    ...
+    creds3 = Credentials.new(pem_root_certs, pem_private_key,
                              pem_cert_chain)
-    pem_root_certs: (required) PEM encoding of the server root certificate
+    pem_root_certs: (optional) PEM encoding of the server root certificate
     pem_private_key: (optional) PEM encoding of the client's private key
     pem_cert_chain: (optional) PEM encoding of the client's cert chain
     Initializes Credential instances. */
@@ -163,26 +165,23 @@ static VALUE grpc_rb_channel_credentials_init(int argc, VALUE *argv, VALUE self)
   grpc_rb_channel_credentials *wrapper = NULL;
   grpc_channel_credentials *creds = NULL;
   grpc_ssl_pem_key_cert_pair key_cert_pair;
+  const char *pem_root_certs_cstr = NULL;
   MEMZERO(&key_cert_pair, grpc_ssl_pem_key_cert_pair, 1);
-  /* TODO: Remove mandatory arg when we support default roots. */
-  /* "12" == 1 mandatory arg, 2 (credentials) is optional */
-  rb_scan_args(argc, argv, "12", &pem_root_certs, &pem_private_key,
+  /* "03" == no mandatory arg, 3 optional */
+  rb_scan_args(argc, argv, "03", &pem_root_certs, &pem_private_key,
                &pem_cert_chain);
 
   TypedData_Get_Struct(self, grpc_rb_channel_credentials,
                        &grpc_rb_channel_credentials_data_type, wrapper);
-  if (pem_root_certs == Qnil) {
-    rb_raise(rb_eRuntimeError,
-             "could not create a credential: nil pem_root_certs");
-    return Qnil;
+  if (pem_root_certs != Qnil) {
+    pem_root_certs_cstr = RSTRING_PTR(pem_root_certs);
   }
   if (pem_private_key == Qnil && pem_cert_chain == Qnil) {
-    creds =
-        grpc_ssl_credentials_create(RSTRING_PTR(pem_root_certs), NULL, NULL);
+    creds = grpc_ssl_credentials_create(pem_root_certs_cstr, NULL, NULL);
   } else {
     key_cert_pair.private_key = RSTRING_PTR(pem_private_key);
     key_cert_pair.cert_chain = RSTRING_PTR(pem_cert_chain);
-    creds = grpc_ssl_credentials_create(RSTRING_PTR(pem_root_certs),
+    creds = grpc_ssl_credentials_create(pem_root_certs_cstr,
                                         &key_cert_pair, NULL);
   }
   if (creds == NULL) {
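Review bot: `RSTRING_PTR` is applied to caller-supplied values without any type check, both in the new `pem_root_certs_cstr = RSTRING_PTR(pem_root_certs);` and in the two `RSTRING_PTR` calls in the `else` branch. Now that every argument is optional, `ChannelCredentials.new(roots, key)` or `new(nil, nil, chain)` reaches the `else` branch with one value still `Qnil`, and reading nil (or any non-String) through `RSTRING_PTR` is undefined behaviour in the extension rather than a Ruby exception. Suggest `pem_root_certs_cstr = StringValueCStr(pem_root_certs);` and a guard at the top of the `else` branch such as `if (pem_private_key == Qnil || pem_cert_chain == Qnil) rb_raise(rb_eRuntimeError, "could not create a credential: private key and cert chain must be given together");`, with `StringValueCStr` for those two values as well. The call-seq comment in the preceding hunk should state that the key and chain are only accepted as a pair. The function body continues outside the hunk.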

+ 1 - 9
src/ruby/pb/test/client.rb

@@ -93,13 +93,6 @@ def load_test_certs
   files.map { |f| File.open(File.join(data_dir, f)).read }
 end
 
-# loads the certificates used to access the test server securely.
-def load_prod_cert
-  fail 'could not find a production cert' if ENV['SSL_CERT_FILE'].nil?
-  GRPC.logger.info("loading prod certs from #{ENV['SSL_CERT_FILE']}")
-  File.open(ENV['SSL_CERT_FILE']).read
-end
-
 # creates SSL Credentials from the test certificates.
 def test_creds
   certs = load_test_certs
@@ -108,8 +101,7 @@ end
 
 # creates SSL Credentials from the production certificates.
 def prod_creds
-  cert_text = load_prod_cert
-  GRPC::Core::ChannelCredentials.new(cert_text)
+  GRPC::Core::ChannelCredentials.new()
 end
 
 # creates the SSL Credentials.

+ 7 - 2
src/ruby/spec/channel_credentials_spec.rb

@@ -54,10 +54,15 @@ describe GRPC::Core::ChannelCredentials do
       expect { ChannelCredentials.new(root_cert) }.not_to raise_error
     end
 
-    it 'cannot be constructed with a nil server roots' do
+    it 'can be constructed with a nil server roots' do
       _, client_key, client_chain = load_test_certs
       blk = proc { ChannelCredentials.new(nil, client_key, client_chain) }
-      expect(&blk).to raise_error
+      expect(&blk).not_to raise_error
+    end
+
+    it 'can be constructed with no params' do
+      blk = proc { ChannelCredentials.new(nil) }
+      expect(&blk).not_to raise_error
     end
   end
 end
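Review bot: The new example 'can be constructed with no params' calls `ChannelCredentials.new(nil)`, so the zero-argument path that this commit enables in `rb_scan_args` is never exercised. Change the block to `blk = proc { ChannelCredentials.new }`. It would also be worth adding examples for a private key without a cert chain and the reverse, since the initializer reads both values whenever either one is non-nil.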

+ 5 - 10
tools/run_tests/run_interop_tests.py

@@ -54,11 +54,6 @@ os.chdir(ROOT)
 
 _DEFAULT_SERVER_PORT=8080
 
-# TOOD(jtattermusch) wrapped languages use this variable for location
-# of roots.pem. We might want to use GRPC_DEFAULT_SSL_ROOTS_FILE_PATH
-# supported by C core SslCredentials instead.
-_SSL_CERT_ENV = { 'SSL_CERT_FILE':'/usr/local/share/grpc/roots.pem' }
-
 _SKIP_COMPRESSION = ['large_compressed_unary',
                      'server_compressed_streaming']
 
@@ -105,7 +100,7 @@ class CSharpLanguage:
     return ['mono', 'Grpc.IntegrationTesting.Client.exe'] + args
 
   def cloud_to_prod_env(self):
-    return _SSL_CERT_ENV
+    return {}
 
   def server_cmd(self, args):
     return ['mono', 'Grpc.IntegrationTesting.Server.exe', '--use_tls=true'] + args
@@ -222,7 +217,7 @@ class NodeLanguage:
     return ['node', 'src/node/interop/interop_client.js'] + args
 
   def cloud_to_prod_env(self):
-    return _SSL_CERT_ENV
+    return {}
 
   def server_cmd(self, args):
     return ['node', 'src/node/interop/interop_server.js', '--use_tls=true'] + args
@@ -250,7 +245,7 @@ class PHPLanguage:
     return ['src/php/bin/interop_client.sh'] + args
 
   def cloud_to_prod_env(self):
-    return _SSL_CERT_ENV
+    return {}
 
   def global_env(self):
     return {}
@@ -276,7 +271,7 @@ class RubyLanguage:
     return ['ruby', 'src/ruby/bin/interop/interop_client.rb'] + args
 
   def cloud_to_prod_env(self):
-    return _SSL_CERT_ENV
+    return {}
 
   def server_cmd(self, args):
     return ['ruby', 'src/ruby/bin/interop/interop_server.rb', '--use_tls=true'] + args
@@ -311,7 +306,7 @@ class PythonLanguage:
     ]
 
   def cloud_to_prod_env(self):
-    return _SSL_CERT_ENV
+    return {}
 
   def server_cmd(self, args):
     return [