Beispiel #1
0
    def __init__(
        self,
        hostname,
        port=50051,
        cacert=SERVER_CA,
        username=None,
        password=None,
        sessionid=None,
    ):
        super(SecureClient, self).__init__(hostname, port)

        server_ca = open(cacert, "r").read()
        if sessionid:
            call_creds = metadata_call_credentials(SessionIdCallCredentials(sessionid))
        else:
            call_creds = metadata_call_credentials(
                UsernamePasswordCallCredentials(username, password)
            )
        chan_creds = ssl_channel_credentials(server_ca)
        chan_creds = composite_channel_credentials(chan_creds, call_creds)

        self.channel = grpc.secure_channel(
            "%s:%d" % (self.hostname, self.port), chan_creds
        )
        self.stub = xos_pb2_grpc.xosStub(self.channel)
        self.modeldefs = modeldefs_pb2_grpc.modeldefsStub(self.channel)
        self.utility = utility_pb2_grpc.utilityStub(self.channel)

        self.xos_orm = orm.ORMStub(self.stub, "xos")
Beispiel #2
0
    def __init__(self,
                 hostname,
                 port=50051,
                 cacert=SERVER_CA,
                 username=None,
                 password=None,
                 sessionid=None):
        super(SecureClient, self).__init__(hostname, port)

        server_ca = open(cacert, "r").read()
        if (sessionid):
            call_creds = metadata_call_credentials(
                SessionIdCallCredentials(sessionid))
        else:
            call_creds = metadata_call_credentials(
                UsernamePasswordCallCredentials(username, password))
        chan_creds = ssl_channel_credentials(server_ca)
        chan_creds = composite_channel_credentials(chan_creds, call_creds)

        self.channel = grpc.secure_channel(
            "%s:%d" % (self.hostname, self.port), chan_creds)
        self.stub = xos_pb2_grpc.xosStub(self.channel)
        self.modeldefs = modeldefs_pb2_grpc.modeldefsStub(self.channel)
        self.utility = utility_pb2_grpc.utilityStub(self.channel)

        self.xos_orm = orm.ORMStub(self.stub, "xos")
Beispiel #3
0
    def __init__(
        self,
        consul_endpoint=None,
        work_dir="/tmp/xos_grpc_protos",
        endpoint="localhost:50055",
        reconnect_callback=None,
        cacert=SERVER_CA,
        username=None,
        password=None,
        sessionid=None,
    ):
        server_ca = open(cacert, "r").read()
        if sessionid:
            call_creds = metadata_call_credentials(SessionIdCallCredentials(sessionid))
        else:
            call_creds = metadata_call_credentials(
                UsernamePasswordCallCredentials(username, password)
            )
        chan_creds = ssl_channel_credentials(server_ca)
        chan_creds = composite_channel_credentials(chan_creds, call_creds)

        super(SecureClient, self).__init__(
            consul_endpoint, work_dir, endpoint, self.reconnected, chan_creds
        )

        self.reconnect_callback2 = reconnect_callback
Beispiel #4
0
    def __init__(
        self,
        consul_endpoint=None,
        work_dir="/tmp/xos_grpc_protos",
        endpoint="localhost:50055",
        reconnect_callback=None,
        cacert=SERVER_CA,
        username=None,
        password=None,
        sessionid=None,
    ):
        server_ca = open(cacert, "r").read()
        if sessionid:
            call_creds = metadata_call_credentials(
                SessionIdCallCredentials(sessionid))
        else:
            call_creds = metadata_call_credentials(
                UsernamePasswordCallCredentials(username, password))
        chan_creds = ssl_channel_credentials(server_ca)
        chan_creds = composite_channel_credentials(chan_creds, call_creds)

        super(SecureClient, self).__init__(consul_endpoint, work_dir, endpoint,
                                           self.reconnected, chan_creds)

        self.reconnect_callback2 = reconnect_callback
Beispiel #5
0
def _stub(args):
    target = '{}:{}'.format(args.server_host, args.server_port)
    if args.test_case == 'oauth2_auth_token':
        google_credentials, unused_project_id = google_auth.default(
            scopes=[args.oauth_scope])
        google_credentials.refresh(google_auth.transport.requests.Request())
        call_credentials = grpc.access_token_call_credentials(
            google_credentials.token)
    elif args.test_case == 'compute_engine_creds':
        google_credentials, unused_project_id = google_auth.default(
            scopes=[args.oauth_scope])
        call_credentials = grpc.metadata_call_credentials(
            google_auth.transport.grpc.AuthMetadataPlugin(
                credentials=google_credentials,
                request=google_auth.transport.requests.Request()))
    elif args.test_case == 'jwt_token_creds':
        google_credentials = google_auth_jwt.OnDemandCredentials.from_service_account_file(
            os.environ[google_auth.environment_vars.CREDENTIALS])
        call_credentials = grpc.metadata_call_credentials(
            google_auth.transport.grpc.AuthMetadataPlugin(
                credentials=google_credentials, request=None))
    else:
        call_credentials = None
    if args.use_tls:
        if args.use_test_ca:
            root_certificates = resources.test_root_certificates()
        else:
            root_certificates = None  # will load default roots.

        channel_credentials = grpc.ssl_channel_credentials(root_certificates)
        if call_credentials is not None:
            channel_credentials = grpc.composite_channel_credentials(
                channel_credentials, call_credentials)

        channel_opts = None
        if args.server_host_override:
            channel_opts = ((
                'grpc.ssl_target_name_override',
                args.server_host_override,
            ), )
        channel = grpc.secure_channel(target, channel_credentials,
                                      channel_opts)
    else:
        channel = grpc.insecure_channel(target)
    if args.test_case == "unimplemented_service":
        return test_pb2_grpc.UnimplementedServiceStub(channel)
    else:
        return test_pb2_grpc.TestServiceStub(channel)
Beispiel #6
0
    def _get_stub(self):  # pragma: no cover
        url = "{}:{}".format(self.host, self.port)

        # Lnd cert is at ~/.lnd/tls.cert on Linux and
        # ~/Library/Application Support/Lnd/tls.cert on Mac
        cert = open(os.path.expanduser(self.tls_cert_path), "rb").read()
        cert_creds = grpc.ssl_channel_credentials(cert)

        # Lnd admin macaroon is at ~/.lnd/data/chain/bitcoin/simnet/admin.macaroon on Linux and
        # ~/Library/Application Support/Lnd/data/chain/bitcoin/simnet/admin.macaroon on Mac
        with open(os.path.expanduser(self.macaroon_path), "rb") as f:
            macaroon_bytes = f.read()
            macaroon = codecs.encode(macaroon_bytes, "hex")
            self.macaroon = codecs.encode(macaroon_bytes, "hex")

        def metadata_callback(context, callback):
            # for more info see grpc docs
            callback([("macaroon", macaroon)], None)

        # now build meta data credentials
        auth_creds = grpc.metadata_call_credentials(metadata_callback)

        # combine the cert credentials and the macaroon auth credentials
        # such that every call is properly encrypted and authenticated
        combined_creds = grpc.composite_channel_credentials(
            cert_creds, auth_creds)

        # finally pass in the combined credentials when creating a channel
        channel = grpc.secure_channel(url, combined_creds)
        return lnd_pb2_grpc.LightningStub(channel)
Beispiel #7
0
 async def _authenticate(self):
     async with self._auth_lock:  # Avoiding concurrent authentications for the client instance
         if self._metadata is not None:  # Avoiding double authentication
             return
         token = await self.authenticate(username=self.username, password=self.password)
         self._metadata = (("token", token),)
         self._call_credentials = metadata_call_credentials(_EtcdTokenCallCredentials(token))
Beispiel #8
0
def MakeSecureChannel(target):
  """Creates grpc secure channel.

  Args:
    target: str, The server address, for example:
      bigtableadmin.googleapis.com:443.

  Returns:
    grpc.secure channel.
  """

  credentials = cred_store.Load()
  # ssl_channel_credentials() loads root certificates from
  # `grpc/_adapter/credentials/roots.pem`.
  transport_creds = grpc.ssl_channel_credentials()
  custom_metadata_plugin = _MetadataPlugin(credentials)
  auth_creds = grpc.metadata_call_credentials(
      custom_metadata_plugin, name='google_creds')
  channel_creds = grpc.composite_channel_credentials(
      transport_creds, auth_creds)
  channel_args = (
      ('grpc.primary_user_agent',
       http.MakeUserAgentString(properties.VALUES.metrics.command_name.Get())),
  )
  return grpc.secure_channel(target, channel_creds,
                             options=channel_args)
Beispiel #9
0
def run():

    # Read exported (PEM formatted) server TLS certificate from disk
    certificate = open('<< ADD PATH TO EXPORTED SERVER CERTIFICATE >>',
                       'rb').read()
    tls_credentials = grpc.ssl_channel_credentials(certificate)

    # Apply the api key to every request that is made with the client
    apikey_credentials = grpc.metadata_call_credentials(
        ApiKeyCallCredentials('<< ADD API KEY >>'))

    combined_credentials = grpc.composite_channel_credentials(
        tls_credentials, apikey_credentials)

    # gRPC channel setup to connect to ibaHD-API endpoint in ibaHD-Server
    # Increasing the default message size (~4MB) is recommended (c int32 max = 2147483647)
    with grpc.secure_channel('127.0.0.1:9003',
                             combined_credentials,
                             options=[('grpc.max_receive_message_length',
                                       2147483647)]) as channel:

        # Instantiate ibaHD-API client on the gRPC channel
        client = ibaHD_API_pb2_grpc.HdApiServiceStub(channel)

        # Simple request to retrieve stores
        response = client.GetHdStores(
            request=ibaHD_API_pb2.GetHdStoresRequest())

        # Clean channel shutdown
        channel.close()

        print(response)
Beispiel #10
0
def create_channel(config: "Config") -> "Channel":
    """
    Create a :class:`Channel` for the specified configuration.
    """
    u = urlparse(config.url.url)

    options = [
        ("grpc.max_send_message_length", -1),
        ("grpc.max_receive_message_length", -1),
    ]
    if not config.url.use_http_proxy:
        options.append(("grpc.enable_http_proxy", 0))

    if (u.scheme in ("https", "grpcs")) or config.ssl:
        credentials = ssl_channel_credentials(
            root_certificates=config.ssl.ca,
            private_key=config.ssl.cert_key,
            certificate_chain=config.ssl.cert,
        )
        if config.access.token:
            # The grpc Credential objects do not actually define a formal interface, and are
            # used interchangeably in the code.
            #
            # Additionally there are some incorrect rules in the grpc-stubs typing rules that force
            # us to work around the type system.
            credentials = cast(
                ChannelCredentials,
                composite_channel_credentials(
                    credentials, metadata_call_credentials(GrpcAuth(config))),
            )
        return secure_channel(u.netloc, credentials, options)
    else:
        return insecure_channel(u.netloc, options)
Beispiel #11
0
    def __init__(self,
                 address: str,
                 port: int,
                 use_ssl: bool = False,
                 access_token: str = "",
                 channel_shutdown_timeout: timedelta = timedelta(minutes=2)):
        if (address is None):
            raise ValueError("address")

        if (port is None):
            raise ValueError("port")

        host = "{0}:{1}".format(address, port)
        metadata_transormer = (lambda x: [('authorization', access_token)])
        grpc.composite_channel_credentials(
            grpc.ssl_channel_credentials(),
            grpc.metadata_call_credentials(metadata_transormer))

        if use_ssl:
            self._channel_func = lambda: grpc.secure_channel(
                host, grpc.ssl_channel_credentials())
        else:
            self._channel_func = lambda: grpc.insecure_channel(host)

        self.__channel_shutdown_timeout = channel_shutdown_timeout
        self.__channel_usable_until = None
        self.__channel = None
Beispiel #12
0
    def __init__(self, rpchost, tlscertpath, adminmacaroonpath):
        os.environ["GRPC_SSL_CIPHER_SUITES"] = "HIGH+ECDSA"

        with open(tlscertpath, "rb") as f:
            cert = f.read()
        cert_creds = grpc.ssl_channel_credentials(cert)

        with open(adminmacaroonpath, "rb") as f:
            macaroon = f.read()
            macaroon = codecs.encode(macaroon, "hex")

        # for more info see grpc docs
        metadata_callback = lambda ctx, callback: callback([("macaroon",
                                                             macaroon)], None)

        # now build meta data credentials
        auth_creds = grpc.metadata_call_credentials(metadata_callback)

        # combine the cert credentials and the macaroon auth credentials
        # such that every call is properly encrypted and authenticated
        combined_creds = grpc.composite_channel_credentials(
            cert_creds, auth_creds)

        channel = grpc.secure_channel(rpchost, combined_creds)
        self.rpchost = rpchost
        self.lnd = lnrpc.LightningStub(channel)
        self.wallet = walletrpc.WalletKitStub(channel)
        self.router = routerrpc.RouterStub(channel)
        self.signer = signrpc.SignerStub(channel)
Beispiel #13
0
def getCredentials():
    with open('ca-bundle.pem', 'rb') as f:
        trusted_certs = f.read()

    sslCred = grpc.ssl_channel_credentials(root_certificates=trusted_certs)
    authCred = grpc.metadata_call_credentials(credentials)
    return grpc.composite_channel_credentials(sslCred, authCred)
Beispiel #14
0
def getChannel(server, port, pem_file_path, username=None, password=None, accesstoken='default'):
    """
    Get a channel object.

    :param str server: grpc server
    :param int port: grpc server port
    :param str pem_file_path: path to pem file
    :param str username: grpc username
    :param str password: grpc password
    :param str accesstoken: grpc accesstoken
    :return: channel
    """
    # Build channel credentials. If file is not present, throw error.
    with open(pem_file_path, 'r') as myfile:
        pem_data = myfile.read()
    channel_cerdentials = grpc.ssl_channel_credentials(pem_data)
    # Now also build call credentials. These will add the authtokens as metadata to each call.
    if username is not None and password is not None:
        call_credentials = grpc.metadata_call_credentials(lambda context, callback: callback([(DstoreMetadata.USERNAME_KEY, username),
                                                                                              (DstoreMetadata.PASSWORD_KEY, password),
                                                                                              (DstoreMetadata.ACCESS_TOKEN_KEY, accesstoken)], None),
                                                          name='dstoreio_credentials')
        # Merge both credentials.
        channel_cerdentials = grpc.composite_channel_credentials(channel_cerdentials, call_credentials)

    channel = grpc.secure_channel('%s:%s' % (server, port), channel_cerdentials)
    return channel
Beispiel #15
0
    def construct(self):
        """Constructs and returns the desired Client object.
        The instance of this class will reset to default values for further building.

        Returns
        -------
        Client or XRClient
        """
        channel = None
        channel_ssl_creds = None
        channel_metadata_creds = None
        channel_creds = None
        channel_ssl_creds = grpc.ssl_channel_credentials(
            self.__root_certificates, self.__private_key,
            self.__certificate_chain)
        if self.__username and self.__password:
            channel_metadata_creds = grpc.metadata_call_credentials(
                CiscoAuthPlugin(self.__username, self.__password))
            logging.debug("Using username/password call authentication.")
        if channel_ssl_creds and channel_metadata_creds:
            channel_creds = grpc.composite_channel_credentials(
                channel_ssl_creds, channel_metadata_creds)
            logging.debug(
                "Using SSL/metadata authentication composite credentials.")
        else:
            channel_creds = channel_ssl_creds
            logging.debug("Using SSL credentials, no metadata authentication.")
        channel = grpc.secure_channel(self.__target_netloc.netloc,
                                      channel_creds, self.__channel_options)
        if self.__client_class is None:
            self.set_os()
        client = self.__client_class(channel)
        self._reset()
        return client
Beispiel #16
0
def real_jail_session(token):
    """
    Create a Jail service for testing, using TCP sockets, uses the token for auth
    """
    auth_interceptor = Auth().get_auth_interceptor(allow_jailed=True)

    with futures.ThreadPoolExecutor(1) as executor:
        server = grpc.server(executor, interceptors=[auth_interceptor])
        port = server.add_secure_port("localhost:0",
                                      grpc.local_server_credentials())
        servicer = Jail()
        jail_pb2_grpc.add_JailServicer_to_server(servicer, server)
        server.start()

        call_creds = grpc.metadata_call_credentials(
            CookieMetadataPlugin(token))
        comp_creds = grpc.composite_channel_credentials(
            grpc.local_channel_credentials(), call_creds)

        try:
            with grpc.secure_channel(f"localhost:{port}",
                                     comp_creds) as channel:
                yield jail_pb2_grpc.JailStub(channel)
        finally:
            server.stop(None).wait()
Beispiel #17
0
    def channel(self, endpoint):
        if not self._channels:
            self._unauthenticated_channel = grpc.secure_channel(
                self._endpoint,
                self._channel_creds,
                options=self.channel_options())
            endpoint_service = ApiEndpointServiceStub(
                self._unauthenticated_channel)
            resp = endpoint_service.List(ListApiEndpointsRequest())
            endpoints = resp.endpoints

            plugin = _auth_plugin.Credentials(self._token_requester,
                                              lambda: self._channels["iam"])
            call_creds = grpc.metadata_call_credentials(plugin)
            creds = grpc.composite_channel_credentials(self._channel_creds,
                                                       call_creds)

            self._channels = {
                ep.id: grpc.secure_channel(ep.address,
                                           creds,
                                           options=self.channel_options())
                for ep in endpoints
            }

        if endpoint not in self._channels:
            raise RuntimeError("Unknown endpoint: {}".format(endpoint))

        return self._channels[endpoint]
Beispiel #18
0
def main():
    # Due to updated ECDSA generated tls.cert we need to let gprc know that
    # we need to use that cipher suite otherwise there will be a handshake
    # error when we communicate with the lnd rpc server.
    os.environ["GRPC_SSL_CIPHER_SUITES"] = 'HIGH+ECDSA'

    with open('/home/lnd/.lnd/tls.cert', 'rb') as f:
        cert = f.read()

    with open('/home/lnd/.lnd/data/chain/smartcash/mainnet/invoice.macaroon', 'rb') as f:
        macaroon_bytes = f.read()
        macaroon = codecs.encode(macaroon_bytes, 'hex')

    def metadata_callback(context, callback):
        # for more info see grpc docs
        callback([('macaroon', macaroon)], None)

    # build ssl credentials using the cert the same as before
    cert_creds = grpc.ssl_channel_credentials(cert)
    # now build meta data credentials
    auth_creds = grpc.metadata_call_credentials(metadata_callback)
    # combine the cert credentials and the macaroon auth credentials
    # such that every call is properly encrypted and authenticated
    combined_creds = grpc.composite_channel_credentials(cert_creds, auth_creds)

    # finally pass in the combined credentials when creating a channel
    channel = grpc.secure_channel('localhost:10009', combined_creds)
    stub = lnrpc.LightningStub(channel)

    invoice = stub.AddInvoice(ln.Invoice(memo="Donation for Mempool"))
    print("Content-Type: application/json; charset=UTF-8")
    print("")
    print('{"r_hash":"%s","payment_request":"%s","add_index":%d}' % (binascii.hexlify(invoice.r_hash),invoice.payment_request,invoice.add_index))
Beispiel #19
0
    def get_stub(self):
        def metadata_callback(context, callback):

            with open('resources/admin.macaroon', 'rb') as f:
                macaroon_bytes = f.read()
                macaroon = codecs.encode(macaroon_bytes, 'hex')

            callback([('macaroon', macaroon)], None)

        os.environ["GRPC_SSL_CIPHER_SUITES"] = "HIGH+ECDSA"
        cert = open('resources/tls.cert').read()

        # build ssl credentials using the cert the same as before
        cert_creds = grpc.ssl_channel_credentials(cert)

        # now build meta data credentials
        auth_creds = grpc.metadata_call_credentials(metadata_callback)

        # combine the cert credentials and the macaroon auth credentials
        # such that every call is properly encrypted and authenticated
        combined_creds = grpc.composite_channel_credentials(
            cert_creds, auth_creds)

        # finally pass in the combined credentials when creating a channel
        channel = grpc.secure_channel('projects.koshikraj.com:10009',
                                      combined_creds)
        stub = lnrpc.LightningStub(channel)
        return stub
Beispiel #20
0
def make_secure_stub(credentials, user_agent, stub_class, host):
    """Makes a secure stub for an RPC service.

    Uses / depends on gRPC.

    :type credentials: :class:`oauth2client.client.OAuth2Credentials`
    :param credentials: The OAuth2 Credentials to use for creating
                        access tokens.

    :type user_agent: str
    :param user_agent: (Optional) The user agent to be used with API requests.

    :type stub_class: type
    :param stub_class: A gRPC stub type for a given service.

    :type host: str
    :param host: The host for the service.

    :rtype: object, instance of ``stub_class``
    :returns: The stub object used to make gRPC requests to a given API.
    """
    # ssl_channel_credentials() loads root certificates from
    # `grpc/_adapter/credentials/roots.pem`.
    transport_creds = grpc.ssl_channel_credentials()
    custom_metadata_plugin = MetadataPlugin(credentials, user_agent)
    auth_creds = grpc.metadata_call_credentials(
        custom_metadata_plugin, name='google_creds')
    channel_creds = grpc.composite_channel_credentials(
        transport_creds, auth_creds)
    target = '%s:%d' % (host, http_client.HTTPS_PORT)
    channel = grpc.secure_channel(target, channel_creds)
    return stub_class(channel)
Beispiel #21
0
 def get_credentials(lnd_dir):
     tls_certificate = open(lnd_dir + '/tls.cert', 'rb').read()
     ssl_credentials = grpc.ssl_channel_credentials(tls_certificate)
     macaroon = codecs.encode(open(lnd_dir + '/data/chain/bitcoin/mainnet/admin.macaroon', 'rb').read(), 'hex')
     auth_credentials = grpc.metadata_call_credentials(lambda _, callback: callback([('macaroon', macaroon)], None))
     combined_credentials = grpc.composite_channel_credentials(ssl_credentials, auth_credentials)
     return combined_credentials
Beispiel #22
0
def MakeSecureChannel(target):
  """Creates grpc secure channel.

  Args:
    target: str, The server address, for example:
      bigtableadmin.googleapis.com:443.

  Returns:
    grpc.secure channel.
  """

  credentials = cred_store.Load()
  # ssl_channel_credentials() loads root certificates from
  # `grpc/_adapter/credentials/roots.pem`.
  transport_creds = grpc.ssl_channel_credentials()
  custom_metadata_plugin = _MetadataPlugin(credentials)
  auth_creds = grpc.metadata_call_credentials(
      custom_metadata_plugin, name='google_creds')
  channel_creds = grpc.composite_channel_credentials(
      transport_creds, auth_creds)
  channel_args = (
      ('grpc.primary_user_agent',
       http.MakeUserAgentString(properties.VALUES.metrics.command_name.Get())),
  )
  return grpc.secure_channel(target, channel_creds,
                             options=channel_args)
Beispiel #23
0
    def _local_composite_credentials(self):
        """
        Creates the credentials for the local emulator channel
        :return: grpc.ChannelCredentials
        """
        credentials = google.auth.credentials.with_scopes_if_required(
            self._credentials, None
        )
        request = google.auth.transport.requests.Request()

        # Create the metadata plugin for inserting the authorization header.
        metadata_plugin = google.auth.transport.grpc.AuthMetadataPlugin(
            credentials, request
        )

        # Create a set of grpc.CallCredentials using the metadata plugin.
        google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin)

        # Using the local_credentials to allow connection to emulator
        local_credentials = grpc.local_channel_credentials()

        # Combine the local credentials and the authorization credentials.
        return grpc.composite_channel_credentials(
            local_credentials, google_auth_credentials
        )
def make_secure_channel(credentials, user_agent, host):
    """Makes a secure channel for an RPC service.

    Uses / depends on gRPC.

    :type credentials: :class:`oauth2client.client.OAuth2Credentials`
    :param credentials: The OAuth2 Credentials to use for creating
                        access tokens.

    :type user_agent: str
    :param user_agent: The user agent to be used with API requests.

    :type host: str
    :param host: The host for the service.

    :rtype: :class:`grpc._channel.Channel`
    :returns: gRPC secure channel with credentials attached.
    """
    # ssl_channel_credentials() loads root certificates from
    # `grpc/_adapter/credentials/roots.pem`.
    transport_creds = grpc.ssl_channel_credentials()
    custom_metadata_plugin = MetadataPlugin(credentials)
    auth_creds = grpc.metadata_call_credentials(custom_metadata_plugin,
                                                name='google_creds')
    channel_creds = grpc.composite_channel_credentials(transport_creds,
                                                       auth_creds)
    target = '%s:%d' % (host, http_client.HTTPS_PORT)
    channel_args = (('grpc.primary_user_agent', user_agent), )
    return grpc.secure_channel(target, channel_creds, options=channel_args)
Beispiel #25
0
def connect():
    # Due to updated ECDSA generated tls.cert we need to let gprc know that
    # we need to use that cipher suite otherwise there will be a handshake
    # error when we communicate with the lnd rpc server.
    os.environ["GRPC_SSL_CIPHER_SUITES"] = 'HIGH+ECDSA'

    with open('/home/lnd/.lnd/tls.cert', 'rb') as f:
        cert = f.read()

    with open('/home/lnd/.lnd/data/chain/smartcash/mainnet/invoice.macaroon', 'rb') as f:
        macaroon_bytes = f.read()
        macaroon = codecs.encode(macaroon_bytes, 'hex')

    def metadata_callback(_context, callback):
        # for more info see grpc docs
        callback([('macaroon', macaroon)], None)

    # build ssl credentials using the cert the same as before
    cert_creds = grpc.ssl_channel_credentials(cert)
    # now build meta data credentials
    auth_creds = grpc.metadata_call_credentials(metadata_callback)
    # combine the cert credentials and the macaroon auth credentials
    # such that every call is properly encrypted and authenticated
    combined_creds = grpc.composite_channel_credentials(cert_creds, auth_creds)

    # finally pass in the combined credentials when creating a channel
    channel = grpc.secure_channel('localhost:10009', combined_creds)
    stub = lnrpc.LightningStub(channel)
    return stub
def run():
    with open("kyma.pem", "rb") as fp:
        channel_credential = grpc.ssl_channel_credentials(fp.read())

    call_credentials = grpc.metadata_call_credentials(AuthGateway(),
                                                      name='auth gateway')
    composite_credentials = grpc.composite_channel_credentials(
        channel_credential,
        call_credentials,
    )

    if os.environ.get("_DEV_") == "true":
        print("-------------- insecure_channel --------------")
        channel = grpc.insecure_channel('127.0.0.1:50051')
    else:
        print("-------------- secure_channel --------------")
        channel = grpc.secure_channel(os.environ.get(
            "_GRPC_SERVER_"), composite_credentials)

    stub = orders_pb2_grpc.OrderStub(channel)
    print("-------------- RecordOrder--------------")
    record_orders(stub)
    print("-------------- GetOrders --------------")
    get_orders(stub)
    channel.close()
Beispiel #27
0
def _conn(host: str = "localhost", rpc_port: int = 50051, conf_address: str = "http://localhost/auth", client_id: str = None,
          client_secret: str = None, pkey=None, cert=None, ca=None):
    """
    `host` The host to connect to.
    `rpc_port` The gRPC port for host.
    `conf_address` The complete address for the auth configuration endpoint.
    `client_id` Your client id for your OAuth Auth provider.
    `client_secret` Corresponding client secret.
    `pkey` Private key for client authentication
    `cert` Corresponding signed certificate. CN must reflect your hosts FQDN, and must be signed by the servers
                 CA.
    `ca` CA trust for the server.
    `secure_conf` Whether the server hosting configuration is secured (https)
    Returns A gRPC channel
    """
    # TODO: make this more robust so it can handle SSL without client verification
    if pkey and cert and client_id and client_secret:
        call_credentials = grpc.metadata_call_credentials(AuthTokenPlugin(host, conf_address, client_id, client_secret))
        # Channel credential will be valid for the entire channel
        channel_credentials = grpc.ssl_channel_credentials(ca, pkey, cert)
        # Combining channel credentials and call credentials together
        composite_credentials = grpc.composite_channel_credentials(
            channel_credentials,
            call_credentials,
        )
        channel = grpc.secure_channel(f"{host}:{rpc_port}", composite_credentials)
    else:
        channel = grpc.insecure_channel(f"{host}:{rpc_port}")

    return channel
Beispiel #28
0
def create_channel(config: "Config") -> "Channel":
    """
    Create a :class:`Channel` for the specified configuration.
    """
    u = urlparse(config.url.url)

    options = [
        ("grpc.max_send_message_length", -1),
        ("grpc.max_receive_message_length", -1),
    ]
    if not config.url.use_http_proxy:
        options.append(("grpc.enable_http_proxy", 0))

    if (u.scheme in ("https", "grpcs")) or config.ssl:
        credentials = ssl_channel_credentials(
            root_certificates=config.ssl.ca,
            private_key=config.ssl.cert_key,
            certificate_chain=config.ssl.cert,
        )
        if config.access.token:
            credentials = composite_channel_credentials(
                credentials, metadata_call_credentials(GrpcAuth(config))
            )
        return secure_channel(u.netloc, credentials, options)
    else:
        return insecure_channel(u.netloc, options)
Beispiel #29
0
    async def initialization(self):

        cred_params = [c is not None for c in (self._user, self._password)]

        if all(cred_params):
            self.auth_stub = AuthStub(self.channel)
            auth_request = AuthenticateRequest(name=self._user,
                                               password=self._password)

            resp = await self.auth_stub.Authenticate(auth_request,
                                                     self.timeout)
            self.call_credentials = grpc.metadata_call_credentials(
                EtcdTokenCallCredentials(resp.token))

        elif any(cred_params):
            raise Exception(
                'if using authentication credentials both user and password '
                'must be specified.')

        self.kvstub = KVStub(self.channel)
        self.watcher = watch.Watcher(
            WatchStub(self.channel),
            timeout=self.timeout,
            call_credentials=self.call_credentials,
        )
        loop = asyncio.get_event_loop()
        self.watchtask = loop.create_task(self.watcher.run())
        self.clusterstub = ClusterStub(self.channel)
        self.leasestub = LeaseStub(self.channel)
        self.maintenancestub = MaintenanceStub(self.channel)
        self.transactions = Transactions()
Beispiel #30
0
def get_ln_stub():
    def metadata_callback(context, callback):
        # for more info see grpc docs
        callback([('macaroon', macaroon)], None)

    os.environ["GRPC_SSL_CIPHER_SUITES"] = 'HIGH+ECDSA'
    # Lnd admin macaroon is at ~/.lnd/data/chain/bitcoin/simnet/admin.macaroon on Linux and
    # ~/Library/Application Support/Lnd/data/chain/bitcoin/simnet/admin.macaroon on Mac
    with open(os.path.expanduser(settings.MACAROON_PATH), 'rb') as f:
        macaroon_bytes = f.read()
        macaroon = codecs.encode(macaroon_bytes, 'hex')
    cert = open(settings.CERT_PATH, 'rb').read()
    creds = grpc.ssl_channel_credentials(cert)

    # now build meta data credentials
    auth_creds = grpc.metadata_call_credentials(metadata_callback)

    # combine the cert credentials and the macaroon auth credentials
    # such that every call is properly encrypted and authenticated
    combined_creds = grpc.composite_channel_credentials(creds, auth_creds)

    # channel = grpc.secure_channel(settings.LND_RPCHOST, creds)
    channel = grpc.secure_channel(settings.LND_RPCHOST, combined_creds)
    # stub.GetInfo(ln.GetInfoRequest(), metadata=[('macaroon', macaroon)])
    stub = lnrpc.LightningStub(channel)

    return stub
Beispiel #31
0
def make_secure_stub(credentials, user_agent, stub_class, host):
    """Makes a secure stub for an RPC service.

    Uses / depends on gRPC.

    :type credentials: :class:`oauth2client.client.OAuth2Credentials`
    :param credentials: The OAuth2 Credentials to use for creating
                        access tokens.

    :type user_agent: str
    :param user_agent: (Optional) The user agent to be used with API requests.

    :type stub_class: type
    :param stub_class: A gRPC stub type for a given service.

    :type host: str
    :param host: The host for the service.

    :rtype: object, instance of ``stub_class``
    :returns: The stub object used to make gRPC requests to a given API.
    """
    # ssl_channel_credentials() loads root certificates from
    # `grpc/_adapter/credentials/roots.pem`.
    transport_creds = grpc.ssl_channel_credentials()
    custom_metadata_plugin = MetadataPlugin(credentials)
    auth_creds = grpc.metadata_call_credentials(custom_metadata_plugin,
                                                name='google_creds')
    channel_creds = grpc.composite_channel_credentials(transport_creds,
                                                       auth_creds)
    target = '%s:%d' % (host, http_client.HTTPS_PORT)
    channel_args = (('grpc.primary_user_agent', user_agent), )
    channel = grpc.secure_channel(target, channel_creds, options=channel_args)
    return stub_class(channel)
Beispiel #32
0
def _stub(args):
    target = '{}:{}'.format(args.server_host, args.server_port)
    if args.test_case == 'oauth2_auth_token':
        google_credentials, unused_project_id = google_auth.default(
            scopes=[args.oauth_scope])
        google_credentials.refresh(google_auth.transport.requests.Request())
        call_credentials = grpc.access_token_call_credentials(
            google_credentials.token)
    elif args.test_case == 'compute_engine_creds':
        google_credentials, unused_project_id = google_auth.default(
            scopes=[args.oauth_scope])
        call_credentials = grpc.metadata_call_credentials(
            google_auth.transport.grpc.AuthMetadataPlugin(
                credentials=google_credentials,
                request=google_auth.transport.requests.Request()))
    elif args.test_case == 'jwt_token_creds':
        google_credentials = google_auth_jwt.OnDemandCredentials.from_service_account_file(
            os.environ[google_auth.environment_vars.CREDENTIALS])
        call_credentials = grpc.metadata_call_credentials(
            google_auth.transport.grpc.AuthMetadataPlugin(
                credentials=google_credentials, request=None))
    else:
        call_credentials = None
    if args.use_tls:
        if args.use_test_ca:
            root_certificates = resources.test_root_certificates()
        else:
            root_certificates = None  # will load default roots.

        channel_credentials = grpc.ssl_channel_credentials(root_certificates)
        if call_credentials is not None:
            channel_credentials = grpc.composite_channel_credentials(
                channel_credentials, call_credentials)

        channel_opts = None
        if args.server_host_override:
            channel_opts = ((
                'grpc.ssl_target_name_override',
                args.server_host_override,
            ),)
        channel = grpc.secure_channel(target, channel_credentials, channel_opts)
    else:
        channel = grpc.insecure_channel(target)
    if args.test_case == "unimplemented_service":
        return test_pb2_grpc.UnimplementedServiceStub(channel)
    else:
        return test_pb2_grpc.TestServiceStub(channel)
Beispiel #33
0
def secure_authorized_channel(credentials,
                              request,
                              target,
                              ssl_credentials=None,
                              **kwargs):
    """Creates a secure authorized gRPC channel.

    This creates a channel with SSL and :class:`AuthMetadataPlugin`. This
    channel can be used to create a stub that can make authorized requests.

    Example::

        import google.auth
        import google.auth.transport.grpc
        import google.auth.transport.requests
        from google.cloud.speech.v1 import cloud_speech_pb2

        # Get credentials.
        credentials, _ = google.auth.default()

        # Get an HTTP request function to refresh credentials.
        request = google.auth.transport.requests.Request()

        # Create a channel.
        channel = google.auth.transport.grpc.secure_authorized_channel(
            credentials, 'speech.googleapis.com:443', request)

        # Use the channel to create a stub.
        cloud_speech.create_Speech_stub(channel)

    Args:
        credentials (google.auth.credentials.Credentials): The credentials to
            add to requests.
        request (google.auth.transport.Request): A HTTP transport request
            object used to refresh credentials as needed. Even though gRPC
            is a separate transport, there's no way to refresh the credentials
            without using a standard http transport.
        target (str): The host and port of the service.
        ssl_credentials (grpc.ChannelCredentials): Optional SSL channel
            credentials. This can be used to specify different certificates.
        kwargs: Additional arguments to pass to :func:`grpc.secure_channel`.

    Returns:
        grpc.Channel: The created gRPC channel.
    """
    # Create the metadata plugin for inserting the authorization header.
    metadata_plugin = AuthMetadataPlugin(credentials, request)

    # Create a set of grpc.CallCredentials using the metadata plugin.
    google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin)

    if ssl_credentials is None:
        ssl_credentials = grpc.ssl_channel_credentials()

    # Combine the ssl credentials and the authorization credentials.
    composite_credentials = grpc.composite_channel_credentials(
        ssl_credentials, google_auth_credentials)

    return grpc.secure_channel(target, composite_credentials, **kwargs)
Beispiel #34
0
def _create_composite_credentials(credentials=None,
                                  credentials_file=None,
                                  scopes=None,
                                  ssl_credentials=None,
                                  quota_project_id=None):
    """Create the composite credentials for secure channels.

    Args:
        credentials (google.auth.credentials.Credentials): The credentials. If
            not specified, then this function will attempt to ascertain the
            credentials from the environment using :func:`google.auth.default`.
        credentials_file (str): A file with credentials that can be loaded with
            :func:`google.auth.load_credentials_from_file`. This argument is
            mutually exclusive with credentials.
        scopes (Sequence[str]): A optional list of scopes needed for this
            service. These are only used when credentials are not specified and
            are passed to :func:`google.auth.default`.
        ssl_credentials (grpc.ChannelCredentials): Optional SSL channel
            credentials. This can be used to specify different certificates.
        quota_project_id (str): An optional project to use for billing and quota.

    Returns:
        grpc.ChannelCredentials: The composed channel credentials object.

    Raises:
        google.api_core.DuplicateCredentialArgs: If both a credentials object and credentials_file are passed.
    """
    if credentials and credentials_file:
        raise exceptions.DuplicateCredentialArgs(
            "'credentials' and 'credentials_file' are mutually exclusive.")

    if credentials_file:
        credentials, _ = google.auth.load_credentials_from_file(
            credentials_file, scopes=scopes)
    elif credentials:
        credentials = google.auth.credentials.with_scopes_if_required(
            credentials, scopes)
    else:
        credentials, _ = google.auth.default(scopes=scopes)

    if quota_project_id and isinstance(
            credentials, google.auth.credentials.CredentialsWithQuotaProject):
        credentials = credentials.with_quota_project(quota_project_id)

    request = google.auth.transport.requests.Request()

    # Create the metadata plugin for inserting the authorization header.
    metadata_plugin = google.auth.transport.grpc.AuthMetadataPlugin(
        credentials, request)

    # Create a set of grpc.CallCredentials using the metadata plugin.
    google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin)

    if ssl_credentials is None:
        ssl_credentials = grpc.ssl_channel_credentials()

    # Combine the ssl credentials and the authorization credentials.
    return grpc.composite_channel_credentials(ssl_credentials,
                                              google_auth_credentials)
Beispiel #35
0
def get_protocol_token_credentials():
    token = os.environ.get("PROTOCOL_TOKEN")

    if token:
        return grpc.metadata_call_credentials(ProtocolTokenCredentials(token))
    else:
        logger.debug("No protocol token found")
        return None
Beispiel #36
0
def secure_authorized_channel(
        credentials, request, target, ssl_credentials=None, **kwargs):
    """Creates a secure authorized gRPC channel.

    This creates a channel with SSL and :class:`AuthMetadataPlugin`. This
    channel can be used to create a stub that can make authorized requests.

    Example::

        import google.auth
        import google.auth.transport.grpc
        import google.auth.transport.requests
        from google.cloud.speech.v1 import cloud_speech_pb2

        # Get credentials.
        credentials, _ = google.auth.default()

        # Get an HTTP request function to refresh credentials.
        request = google.auth.transport.requests.Request()

        # Create a channel.
        channel = google.auth.transport.grpc.secure_authorized_channel(
            credentials, 'speech.googleapis.com:443', request)

        # Use the channel to create a stub.
        cloud_speech.create_Speech_stub(channel)

    Args:
        credentials (google.auth.credentials.Credentials): The credentials to
            add to requests.
        request (google.auth.transport.Request): A HTTP transport request
            object used to refresh credentials as needed. Even though gRPC
            is a separate transport, there's no way to refresh the credentials
            without using a standard http transport.
        target (str): The host and port of the service.
        ssl_credentials (grpc.ChannelCredentials): Optional SSL channel
            credentials. This can be used to specify different certificates.
        kwargs: Additional arguments to pass to :func:`grpc.secure_channel`.

    Returns:
        grpc.Channel: The created gRPC channel.
    """
    # Create the metadata plugin for inserting the authorization header.
    metadata_plugin = AuthMetadataPlugin(credentials, request)

    # Create a set of grpc.CallCredentials using the metadata plugin.
    google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin)

    if ssl_credentials is None:
        ssl_credentials = grpc.ssl_channel_credentials()

    # Combine the ssl credentials and the authorization credentials.
    composite_credentials = grpc.composite_channel_credentials(
        ssl_credentials, google_auth_credentials)

    return grpc.secure_channel(target, composite_credentials, **kwargs)
Beispiel #37
0
def metadata_call_credentials(metadata_plugin, name=None):

    def plugin(context, callback):

        def wrapped_callback(beta_metadata, error):
            callback(_metadata.unbeta(beta_metadata), error)

        metadata_plugin(context, wrapped_callback)

    return grpc.metadata_call_credentials(plugin, name=name)
def secure_authorized_channel(
        credentials, target, ssl_credentials=None):
    """Creates a secure authorized gRPC channel."""
    if ssl_credentials is None:
        ssl_credentials = grpc.ssl_channel_credentials()

    metadata_plugin = AuthMetadataPlugin(credentials)
    call_credentials = grpc.metadata_call_credentials(metadata_plugin)
    channel_creds = grpc.composite_channel_credentials(
        ssl_credentials, call_credentials)

    return grpc.secure_channel(target, channel_creds)
def create_channel(
    target, credentials=None, scopes=None, ssl_credentials=None, **kwargs
):
    """Create a secure channel with credentials.

    Args:
        target (str): The target service address in the format 'hostname:port'.
        credentials (google.auth.credentials.Credentials): The credentials. If
            not specified, then this function will attempt to ascertain the
            credentials from the environment using :func:`google.auth.default`.
        scopes (Sequence[str]): A optional list of scopes needed for this
            service. These are only used when credentials are not specified and
            are passed to :func:`google.auth.default`.
        ssl_credentials (grpc.ChannelCredentials): Optional SSL channel
            credentials. This can be used to specify different certificates.
        kwargs: Additional key-word args passed to
            :func:`grpc_gcp.secure_channel` or :func:`grpc.secure_channel`.

    Returns:
        grpc.Channel: The created channel.
    """
    if credentials is None:
        credentials, _ = google.auth.default(scopes=scopes)
    else:
        credentials = google.auth.credentials.with_scopes_if_required(
            credentials, scopes
        )

    request = google.auth.transport.requests.Request()

    # Create the metadata plugin for inserting the authorization header.
    metadata_plugin = google.auth.transport.grpc.AuthMetadataPlugin(
        credentials, request
    )

    # Create a set of grpc.CallCredentials using the metadata plugin.
    google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin)

    if ssl_credentials is None:
        ssl_credentials = grpc.ssl_channel_credentials()

    # Combine the ssl credentials and the authorization credentials.
    composite_credentials = grpc.composite_channel_credentials(
        ssl_credentials, google_auth_credentials
    )

    if HAS_GRPC_GCP:
        # If grpc_gcp module is available use grpc_gcp.secure_channel,
        # otherwise, use grpc.secure_channel to create grpc channel.
        return grpc_gcp.secure_channel(target, composite_credentials, **kwargs)
    else:
        return grpc.secure_channel(target, composite_credentials, **kwargs)
Beispiel #40
0
def _per_rpc_creds(stub, args):
    json_key_filename = os.environ[google_auth_environment_vars.CREDENTIALS]
    wanted_email = json.load(open(json_key_filename, 'rb'))['client_email']
    google_credentials, unused_project_id = google_auth.default(
        scopes=[args.oauth_scope])
    call_credentials = grpc.metadata_call_credentials(
        google_auth_transport_grpc.AuthMetadataPlugin(
            credentials=google_credentials,
            request=google_auth_transport_requests.Request()))
    response = _large_unary_common_behavior(stub, True, False, call_credentials)
    if wanted_email != response.username:
        raise ValueError('expected username %s, got %s' % (wanted_email,
                                                           response.username))
    def __init__(self, rpc_uri: str, peer_uri: str):
        self.peer_uri = peer_uri

        if LND_AUTH_DATA_PATH != 'default':
            path = LND_AUTH_DATA_PATH
        elif platform == "linux" or platform == "linux2":
            path = '~/.lnd/'
        elif platform == "darwin":
            path = '~/Library/Application Support/Lnd/'
        else:
            raise Exception(f"What's the {platform} path for the lnd tls cert?")
        self.main_lnd_path = os.path.expanduser(path)

        lnd_tls_cert_path = os.path.join(self.main_lnd_path, 'tls.cert')
        self.lnd_tls_cert = open(lnd_tls_cert_path, 'rb').read()

        cert_credentials = grpc.ssl_channel_credentials(self.lnd_tls_cert)

        admin_macaroon_path = os.path.join(self.main_lnd_path, 'admin.macaroon')
        with open(admin_macaroon_path, 'rb') as f:
            macaroon_bytes = f.read()
            self.macaroon = codecs.encode(macaroon_bytes, 'hex')

        def metadata_callback(context: _AuthMetadataPluginCallback,
                              callback: _AuthMetadataContext):
            callback([('macaroon', self.macaroon)], None)

        auth_credentials = grpc.metadata_call_credentials(metadata_callback)

        self.credentials = grpc.composite_channel_credentials(cert_credentials,
                                                              auth_credentials)

        self.grpc_channel = grpc.secure_channel(rpc_uri,
                                                self.credentials

                                                  )
        self.lnd_client = lnrpc.LightningStub(self.grpc_channel)