Expose ALTS client/server credentials on Python layer

examples/BUILD

@@ -245,3 +245,33 @@ proto_library(
     name = "route_guide_proto",
     srcs = ["protos/route_guide.proto"],
 )
+
+py_binary(
+    name = "data_transmission_server",
+    python_version = "PY3",
+    srcs_version = "PY2AND3",
+    main = "alts_server.py",
+    srcs = [
+        "python/data_transmission/alts_server.py",
+        "python/data_transmission/demo_pb2.py",
+        "python/data_transmission/demo_pb2_grpc.py",
+    ],
+    deps = [
+        "//src/python/grpcio/grpc:grpcio",
+    ],
+)
+
+py_binary(
+    name = "data_transmission_client",
+    python_version = "PY3",
+    srcs_version = "PY2AND3",
+    main = "alts_client.py",
+    srcs = [
+        "python/data_transmission/alts_client.py",
+        "python/data_transmission/demo_pb2.py",
+        "python/data_transmission/demo_pb2_grpc.py",
+    ],
+    deps = [
+        "//src/python/grpcio/grpc:grpcio",
+    ],
+)

examples/python/data_transmission/alts_client.py

@@ -0,0 +1,118 @@
+# Copyright 2019 gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""The example of four ways of data transmission using gRPC in Python."""
+
+import time
+import grpc
+
+import demo_pb2_grpc
+import demo_pb2
+
+SERVER_ADDRESS = "localhost:23333"
+CLIENT_ID = 1
+
+# 中文注释和英文翻译
+# Note that this example was contributed by an external user using Chinese comments.
+# In all cases, the Chinese comment text is translated to English just below it.
+
+
+# 一元模式(在一次调用中, 客户端只能向服务器传输一次请求数据, 服务器也只能返回一次响应)
+# unary-unary(In a single call, the client can only send request once, and the server can
+# only respond once.)
+def simple_method(stub):
+    print("--------------Call SimpleMethod Begin--------------")
+    request = demo_pb2.Request(client_id=CLIENT_ID,
+                               request_data="called by Python client")
+    response = stub.SimpleMethod(request)
+    print("resp from server(%d), the message=%s" %
+          (response.server_id, response.response_data))
+    print("--------------Call SimpleMethod Over---------------")
+
+
+# 客户端流模式（在一次调用中, 客户端可以多次向服务器传输数据, 但是服务器只能返回一次响应）
+# stream-unary (In a single call, the client can transfer data to the server several times,
+# but the server can only return a response once.)
+def client_streaming_method(stub):
+    print("--------------Call ClientStreamingMethod Begin--------------")
+
+    # 创建一个生成器
+    # create a generator
+    def request_messages():
+        for i in range(5):
+            request = demo_pb2.Request(
+                client_id=CLIENT_ID,
+                request_data=("called by Python client, message:%d" % i))
+            yield request
+
+    response = stub.ClientStreamingMethod(request_messages())
+    print("resp from server(%d), the message=%s" %
+          (response.server_id, response.response_data))
+    print("--------------Call ClientStreamingMethod Over---------------")
+
+
+# 服务端流模式（在一次调用中, 客户端只能一次向服务器传输数据, 但是服务器可以多次返回响应）
+# unary-stream (In a single call, the client can only transmit data to the server at one time,
+# but the server can return the response many times.)
+def server_streaming_method(stub):
+    print("--------------Call ServerStreamingMethod Begin--------------")
+    request = demo_pb2.Request(client_id=CLIENT_ID,
+                               request_data="called by Python client")
+    response_iterator = stub.ServerStreamingMethod(request)
+    for response in response_iterator:
+        print("recv from server(%d), message=%s" %
+              (response.server_id, response.response_data))
+
+    print("--------------Call ServerStreamingMethod Over---------------")
+
+
+# 双向流模式 (在一次调用中, 客户端和服务器都可以向对方多次收发数据)
+# stream-stream (In a single call, both client and server can send and receive data
+# to each other multiple times.)
+def bidirectional_streaming_method(stub):
+    print(
+        "--------------Call BidirectionalStreamingMethod Begin---------------")
+
+    # 创建一个生成器
+    # create a generator
+    def request_messages():
+        for i in range(5):
+            request = demo_pb2.Request(
+                client_id=CLIENT_ID,
+                request_data=("called by Python client, message: %d" % i))
+            yield request
+            time.sleep(1)
+
+    response_iterator = stub.BidirectionalStreamingMethod(request_messages())
+    for response in response_iterator:
+        print("recv from server(%d), message=%s" %
+              (response.server_id, response.response_data))
+
+    print("--------------Call BidirectionalStreamingMethod Over---------------")
+
+
+def main():
+    with grpc.secure_channel(SERVER_ADDRESS, credentials=grpc.alts_channel_credentials()) as channel:
+        stub = demo_pb2_grpc.GRPCDemoStub(channel)
+
+        simple_method(stub)
+
+        client_streaming_method(stub)
+
+        server_streaming_method(stub)
+
+        bidirectional_streaming_method(stub)
+
+
+if __name__ == '__main__':
+    main()

examples/python/data_transmission/alts_server.py

@@ -0,0 +1,114 @@
+# Copyright 2019 gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""The example of four ways of data transmission using gRPC in Python."""
+
+from threading import Thread
+from concurrent import futures
+
+import grpc
+import demo_pb2_grpc
+import demo_pb2
+
+SERVER_ADDRESS = 'localhost:23333'
+SERVER_ID = 1
+
+
+class DemoServer(demo_pb2_grpc.GRPCDemoServicer):
+
+    # 一元模式(在一次调用中, 客户端只能向服务器传输一次请求数据, 服务器也只能返回一次响应)
+    # unary-unary(In a single call, the client can only send request once, and the server can
+    # only respond once.)
+    def SimpleMethod(self, request, context):
+        print("SimpleMethod called by client(%d) the message: %s" %
+              (request.client_id, request.request_data))
+        response = demo_pb2.Response(
+            server_id=SERVER_ID,
+            response_data="Python server SimpleMethod Ok!!!!")
+        return response
+
+    # 客户端流模式（在一次调用中, 客户端可以多次向服务器传输数据, 但是服务器只能返回一次响应）
+    # stream-unary (In a single call, the client can transfer data to the server several times,
+    # but the server can only return a response once.)
+    def ClientStreamingMethod(self, request_iterator, context):
+        print("ClientStreamingMethod called by client...")
+        for request in request_iterator:
+            print("recv from client(%d), message= %s" %
+                  (request.client_id, request.request_data))
+        response = demo_pb2.Response(
+            server_id=SERVER_ID,
+            response_data="Python server ClientStreamingMethod ok")
+        return response
+
+    # 服务端流模式（在一次调用中, 客户端只能一次向服务器传输数据, 但是服务器可以多次返回响应）
+    # unary-stream (In a single call, the client can only transmit data to the server at one time,
+    # but the server can return the response many times.)
+    def ServerStreamingMethod(self, request, context):
+        print("ServerStreamingMethod called by client(%d), message= %s" %
+              (request.client_id, request.request_data))
+
+        # 创建一个生成器
+        # create a generator
+        def response_messages():
+            for i in range(5):
+                response = demo_pb2.Response(
+                    server_id=SERVER_ID,
+                    response_data=("send by Python server, message=%d" % i))
+                yield response
+
+        return response_messages()
+
+    # 双向流模式 (在一次调用中, 客户端和服务器都可以向对方多次收发数据)
+    # stream-stream (In a single call, both client and server can send and receive data
+    # to each other multiple times.)
+    def BidirectionalStreamingMethod(self, request_iterator, context):
+        print("BidirectionalStreamingMethod called by client...")
+
+        # 开启一个子线程去接收数据
+        # Open a sub thread to receive data
+        def parse_request():
+            for request in request_iterator:
+                print("recv from client(%d), message= %s" %
+                      (request.client_id, request.request_data))
+
+        t = Thread(target=parse_request)
+        t.start()
+
+        for i in range(5):
+            yield demo_pb2.Response(
+                server_id=SERVER_ID,
+                response_data=("send by Python server, message= %d" % i))
+
+        t.join()
+
+
+def main():
+    server = grpc.server(futures.ThreadPoolExecutor())
+
+    demo_pb2_grpc.add_GRPCDemoServicer_to_server(DemoServer(), server)
+
+    server.add_secure_port(SERVER_ADDRESS, server_credentials=grpc.alts_server_credentials())
+    print("------------------start Python GRPC server with ALTS encryption")
+    server.start()
+    server.wait_for_termination()
+
+    # If raise Error:
+    #   AttributeError: '_Server' object has no attribute 'wait_for_termination'
+    # You can use the following code instead:
+    # import time
+    # while 1:
+    #     time.sleep(10)
+
+
+if __name__ == '__main__':
+    main()

src/python/grpcio/grpc/__init__.py

@@ -1832,6 +1832,28 @@ def local_server_credentials(local_connect_type=LocalConnectionType.LOCAL_TCP):
     return ServerCredentials(
         _cygrpc.server_credentials_local(local_connect_type.value))
 
+    
+def alts_channel_credentials():
+    """Creates a ChannelCredentials for use with an ALTS-enabled Channel.
+
+    This is an EXPERIMENTAL API.
+
+    Returns:
+      A ChannelCredentials for use with a ALTS-enabled Channel
+    """
+    return ChannelCredentials(_cygrpc.channel_credentials_alts())
+
+
+def alts_server_credentials():
+    """Creates a ServerCredentials for use with an ALTS-enabled connections.
+
+    This is an EXPERIMENTAL API.
+
+    Returns:
+      A ServerCredentials for use with a local Server
+    """
+    return ServerCredentials(_cygrpc.server_credentials_alts())
+
 
 def channel_ready_future(channel):
     """Creates a Future that tracks when a Channel is ready.
@@ -2036,6 +2058,8 @@ __all__ = (
     'composite_channel_credentials',
     'local_channel_credentials',
     'local_server_credentials',
+    'alts_channel_credentials',
+    'alts_server_credentials',
     'ssl_server_credentials',
     'ssl_server_certificate_configuration',
     'dynamic_ssl_server_credentials',

src/python/grpcio/grpc/_cython/_cygrpc/credentials.pxd.pxi

@@ -12,7 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
 cdef class CallCredentials:
 
   cdef grpc_call_credentials *c(self) except *
@@ -102,3 +101,9 @@ cdef class ServerCredentials:
 cdef class LocalChannelCredentials(ChannelCredentials):
 
   cdef grpc_local_connect_type _local_connect_type
+
+
+cdef class ALTSChannelCredentials(ChannelCredentials):
+  cdef grpc_alts_credentials_options *c_options
+
+  cdef grpc_channel_credentials *c(self) except *

src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi

@@ -12,7 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
 def _spawn_callback_in_thread(cb_func, args):
   t = ForkManagedThread(target=cb_func, args=args)
   t.setDaemon(True)
@@ -351,3 +350,29 @@ def server_credentials_local(grpc_local_connect_type local_connect_type):
   cdef ServerCredentials credentials = ServerCredentials()
   credentials.c_credentials = grpc_local_server_credentials_create(local_connect_type)
   return credentials
+
+
+cdef class ALTSChannelCredentials(ChannelCredentials):
+
+  def __cinit__(self):
+    self.c_options = grpc_alts_credentials_client_options_create()
+ 
+  def __dealloc__(self):
+    if self.c_options != NULL:
+      grpc_alts_credentials_options_destroy(self.c_options)
+
+  cdef grpc_channel_credentials *c(self) except *:
+    return grpc_alts_credentials_create(self.c_options)
+    
+
+def channel_credentials_alts():
+  return ALTSChannelCredentials()
+
+
+def server_credentials_alts():
+  cdef ServerCredentials credentials = ServerCredentials()
+  cdef grpc_alts_credentials_options* c_options = grpc_alts_credentials_server_options_create()
+  credentials.c_credentials = grpc_alts_server_credentials_create(c_options)
+  # Options can be destroyed as deep copy was performed.
+  grpc_alts_credentials_options_destroy(c_options)
+  return credentials

src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi

@@ -606,6 +606,20 @@ cdef extern from "grpc/grpc_security.h":
   grpc_server_credentials *grpc_local_server_credentials_create(
     grpc_local_connect_type type)
 
+  ctypedef struct grpc_alts_credentials_options:
+    # We don't care about the internals (and in fact don't know them)
+    pass
+ 
+  grpc_channel_credentials *grpc_alts_credentials_create(
+    const grpc_alts_credentials_options *options)
+  grpc_server_credentials *grpc_alts_server_credentials_create(
+    const grpc_alts_credentials_options *options)
+
+  grpc_alts_credentials_options* grpc_alts_credentials_client_options_create()
+  grpc_alts_credentials_options* grpc_alts_credentials_server_options_create()
+  void grpc_alts_credentials_options_destroy(grpc_alts_credentials_options *options)
+
+
 
 cdef extern from "grpc/compression.h":
 

src/python/grpcio_tests/commands.py

@@ -220,6 +220,7 @@ class TestGevent(setuptools.Command):
         'unit._cython._channel_test.ChannelTest.test_negative_deadline_connectivity',
         # TODO(https://github.com/grpc/grpc/issues/15411) enable this test
         'unit._local_credentials_test.LocalCredentialsTest',
+        'unit._alts_credentials_test.ALTSCredentialsTest',
         'testing._time_test.StrictRealTimeTest',
     )
     BANNED_WINDOWS_TESTS = (

src/python/grpcio_tests/tests/tests.json

@@ -24,6 +24,7 @@
   "testing._time_test.StrictFakeTimeTest",
   "testing._time_test.StrictRealTimeTest",
   "unit._abort_test.AbortTest",
+  "unit._alts_credentials_test.ALTSCredentialsTest",
   "unit._api_test.AllTest",
   "unit._api_test.ChannelConnectivityTest",
   "unit._api_test.ChannelTest",

src/python/grpcio_tests/tests/unit/BUILD.bazel

@@ -4,6 +4,7 @@ package(default_visibility = ["//visibility:public"])
 
 GRPCIO_TESTS_UNIT = [
     "_abort_test.py",
+    "_alts_credentials_test.py",
     "_api_test.py",
     "_auth_context_test.py",
     "_auth_test.py",

src/python/grpcio_tests/tests/unit/_alts_credentials_test.py

@@ -0,0 +1,56 @@
+# Copyright 2020 The gRPC Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Test of RPCs made using ALTS credentials."""
+
+import unittest
+import os
+from concurrent.futures import ThreadPoolExecutor
+import grpc
+
+
+class _GenericHandler(grpc.GenericRpcHandler):
+
+    def service(self, handler_call_details):
+        return grpc.unary_unary_rpc_method_handler(
+            lambda request, unused_context: request)
+
+
+class ALTSCredentialsTest(unittest.TestCase):
+
+    def _create_server(self):
+        server = grpc.server(ThreadPoolExecutor())
+        server.add_generic_rpc_handlers((_GenericHandler(),))
+        return server
+
+    @unittest.skipIf(os.name == 'nt',
+                     'TODO(https://github.com/grpc/grpc/issues/20078)')
+    def test_alts(self):
+        server_addr = 'localhost:{}'
+        channel_creds = grpc.alts_channel_credentials()
+        server_creds = grpc.alts_server_credentials()
+
+        server = self._create_server()
+        port = server.add_secure_port(server_addr.format(0), server_creds)
+        server.start()
+        with grpc.secure_channel(server_addr.format(port),
+                                 channel_creds) as channel:
+            self.assertEqual(
+                b'abc',
+                channel.unary_unary('/test/method')(b'abc',
+                                                    wait_for_ready=True))
+        server.stop(None)
+
+
+if __name__ == '__main__':
+    unittest.main()

src/python/grpcio_tests/tests/unit/_api_test.py

@@ -63,6 +63,8 @@ class AllTest(unittest.TestCase):
             'LocalConnectionType',
             'local_channel_credentials',
             'local_server_credentials',
+            'alts_channel_credentials',
+            'alts_server_credentials',
             'unary_unary_rpc_method_handler',
             'unary_stream_rpc_method_handler',
             'stream_unary_rpc_method_handler',