def __init__(
self,
hostname,
port=50051,
cacert=SERVER_CA,
username=None,
password=None,
sessionid=None,
):
super(SecureClient, self).__init__(hostname, port)
server_ca = open(cacert, "r").read()
if sessionid:
call_creds = metadata_call_credentials(SessionIdCallCredentials(sessionid))
else:
call_creds = metadata_call_credentials(
UsernamePasswordCallCredentials(username, password)
)
chan_creds = ssl_channel_credentials(server_ca)
chan_creds = composite_channel_credentials(chan_creds, call_creds)
self.channel = grpc.secure_channel(
"%s:%d" % (self.hostname, self.port), chan_creds
)
self.stub = xos_pb2_grpc.xosStub(self.channel)
self.modeldefs = modeldefs_pb2_grpc.modeldefsStub(self.channel)
self.utility = utility_pb2_grpc.utilityStub(self.channel)
self.xos_orm = orm.ORMStub(self.stub, "xos")
def __init__(self,
hostname,
port=50051,
cacert=SERVER_CA,
username=None,
password=None,
sessionid=None):
super(SecureClient, self).__init__(hostname, port)
server_ca = open(cacert, "r").read()
if (sessionid):
call_creds = metadata_call_credentials(
SessionIdCallCredentials(sessionid))
else:
call_creds = metadata_call_credentials(
UsernamePasswordCallCredentials(username, password))
chan_creds = ssl_channel_credentials(server_ca)
chan_creds = composite_channel_credentials(chan_creds, call_creds)
self.channel = grpc.secure_channel(
"%s:%d" % (self.hostname, self.port), chan_creds)
self.stub = xos_pb2_grpc.xosStub(self.channel)
self.modeldefs = modeldefs_pb2_grpc.modeldefsStub(self.channel)
self.utility = utility_pb2_grpc.utilityStub(self.channel)
self.xos_orm = orm.ORMStub(self.stub, "xos")
def __init__(
self,
consul_endpoint=None,
work_dir="/tmp/xos_grpc_protos",
endpoint="localhost:50055",
reconnect_callback=None,
cacert=SERVER_CA,
username=None,
password=None,
sessionid=None,
):
server_ca = open(cacert, "r").read()
if sessionid:
call_creds = metadata_call_credentials(SessionIdCallCredentials(sessionid))
else:
call_creds = metadata_call_credentials(
UsernamePasswordCallCredentials(username, password)
)
chan_creds = ssl_channel_credentials(server_ca)
chan_creds = composite_channel_credentials(chan_creds, call_creds)
super(SecureClient, self).__init__(
consul_endpoint, work_dir, endpoint, self.reconnected, chan_creds
)
self.reconnect_callback2 = reconnect_callback
def __init__(
self,
consul_endpoint=None,
work_dir="/tmp/xos_grpc_protos",
endpoint="localhost:50055",
reconnect_callback=None,
cacert=SERVER_CA,
username=None,
password=None,
sessionid=None,
):
server_ca = open(cacert, "r").read()
if sessionid:
call_creds = metadata_call_credentials(
SessionIdCallCredentials(sessionid))
else:
call_creds = metadata_call_credentials(
UsernamePasswordCallCredentials(username, password))
chan_creds = ssl_channel_credentials(server_ca)
chan_creds = composite_channel_credentials(chan_creds, call_creds)
super(SecureClient, self).__init__(consul_endpoint, work_dir, endpoint,
self.reconnected, chan_creds)
self.reconnect_callback2 = reconnect_callback
def _stub(args):
target = '{}:{}'.format(args.server_host, args.server_port)
if args.test_case == 'oauth2_auth_token':
google_credentials, unused_project_id = google_auth.default(
scopes=[args.oauth_scope])
google_credentials.refresh(google_auth.transport.requests.Request())
call_credentials = grpc.access_token_call_credentials(
google_credentials.token)
elif args.test_case == 'compute_engine_creds':
google_credentials, unused_project_id = google_auth.default(
scopes=[args.oauth_scope])
call_credentials = grpc.metadata_call_credentials(
google_auth.transport.grpc.AuthMetadataPlugin(
credentials=google_credentials,
request=google_auth.transport.requests.Request()))
elif args.test_case == 'jwt_token_creds':
google_credentials = google_auth_jwt.OnDemandCredentials.from_service_account_file(
os.environ[google_auth.environment_vars.CREDENTIALS])
call_credentials = grpc.metadata_call_credentials(
google_auth.transport.grpc.AuthMetadataPlugin(
credentials=google_credentials, request=None))
else:
call_credentials = None
if args.use_tls:
if args.use_test_ca:
root_certificates = resources.test_root_certificates()
else:
root_certificates = None # will load default roots.
channel_credentials = grpc.ssl_channel_credentials(root_certificates)
if call_credentials is not None:
channel_credentials = grpc.composite_channel_credentials(
channel_credentials, call_credentials)
channel_opts = None
if args.server_host_override:
channel_opts = ((
'grpc.ssl_target_name_override',
args.server_host_override,
), )
channel = grpc.secure_channel(target, channel_credentials,
channel_opts)
else:
channel = grpc.insecure_channel(target)
if args.test_case == "unimplemented_service":
return test_pb2_grpc.UnimplementedServiceStub(channel)
else:
return test_pb2_grpc.TestServiceStub(channel)
def _get_stub(self): # pragma: no cover
url = "{}:{}".format(self.host, self.port)
# Lnd cert is at ~/.lnd/tls.cert on Linux and
# ~/Library/Application Support/Lnd/tls.cert on Mac
cert = open(os.path.expanduser(self.tls_cert_path), "rb").read()
cert_creds = grpc.ssl_channel_credentials(cert)
# Lnd admin macaroon is at ~/.lnd/data/chain/bitcoin/simnet/admin.macaroon on Linux and
# ~/Library/Application Support/Lnd/data/chain/bitcoin/simnet/admin.macaroon on Mac
with open(os.path.expanduser(self.macaroon_path), "rb") as f:
macaroon_bytes = f.read()
macaroon = codecs.encode(macaroon_bytes, "hex")
self.macaroon = codecs.encode(macaroon_bytes, "hex")
def metadata_callback(context, callback):
# for more info see grpc docs
callback([("macaroon", macaroon)], None)
# now build meta data credentials
auth_creds = grpc.metadata_call_credentials(metadata_callback)
# combine the cert credentials and the macaroon auth credentials
# such that every call is properly encrypted and authenticated
combined_creds = grpc.composite_channel_credentials(
cert_creds, auth_creds)
# finally pass in the combined credentials when creating a channel
channel = grpc.secure_channel(url, combined_creds)
return lnd_pb2_grpc.LightningStub(channel)
async def _authenticate(self):
async with self._auth_lock: # Avoiding concurrent authentications for the client instance
if self._metadata is not None: # Avoiding double authentication
return
token = await self.authenticate(username=self.username, password=self.password)
self._metadata = (("token", token),)
self._call_credentials = metadata_call_credentials(_EtcdTokenCallCredentials(token))
def MakeSecureChannel(target):
"""Creates grpc secure channel.
Args:
target: str, The server address, for example:
bigtableadmin.googleapis.com:443.
Returns:
grpc.secure channel.
"""
credentials = cred_store.Load()
# ssl_channel_credentials() loads root certificates from
# `grpc/_adapter/credentials/roots.pem`.
transport_creds = grpc.ssl_channel_credentials()
custom_metadata_plugin = _MetadataPlugin(credentials)
auth_creds = grpc.metadata_call_credentials(
custom_metadata_plugin, name='google_creds')
channel_creds = grpc.composite_channel_credentials(
transport_creds, auth_creds)
channel_args = (
('grpc.primary_user_agent',
http.MakeUserAgentString(properties.VALUES.metrics.command_name.Get())),
)
return grpc.secure_channel(target, channel_creds,
options=channel_args)
def run():
# Read exported (PEM formatted) server TLS certificate from disk
certificate = open('<< ADD PATH TO EXPORTED SERVER CERTIFICATE >>',
'rb').read()
tls_credentials = grpc.ssl_channel_credentials(certificate)
# Apply the api key to every request that is made with the client
apikey_credentials = grpc.metadata_call_credentials(
ApiKeyCallCredentials('<< ADD API KEY >>'))
combined_credentials = grpc.composite_channel_credentials(
tls_credentials, apikey_credentials)
# gRPC channel setup to connect to ibaHD-API endpoint in ibaHD-Server
# Increasing the default message size (~4MB) is recommended (c int32 max = 2147483647)
with grpc.secure_channel('127.0.0.1:9003',
combined_credentials,
options=[('grpc.max_receive_message_length',
2147483647)]) as channel:
# Instantiate ibaHD-API client on the gRPC channel
client = ibaHD_API_pb2_grpc.HdApiServiceStub(channel)
# Simple request to retrieve stores
response = client.GetHdStores(
request=ibaHD_API_pb2.GetHdStoresRequest())
# Clean channel shutdown
channel.close()
print(response)
def create_channel(config: "Config") -> "Channel":
"""
Create a :class:`Channel` for the specified configuration.
"""
u = urlparse(config.url.url)
options = [
("grpc.max_send_message_length", -1),
("grpc.max_receive_message_length", -1),
]
if not config.url.use_http_proxy:
options.append(("grpc.enable_http_proxy", 0))
if (u.scheme in ("https", "grpcs")) or config.ssl:
credentials = ssl_channel_credentials(
root_certificates=config.ssl.ca,
private_key=config.ssl.cert_key,
certificate_chain=config.ssl.cert,
)
if config.access.token:
# The grpc Credential objects do not actually define a formal interface, and are
# used interchangeably in the code.
#
# Additionally there are some incorrect rules in the grpc-stubs typing rules that force
# us to work around the type system.
credentials = cast(
ChannelCredentials,
composite_channel_credentials(
credentials, metadata_call_credentials(GrpcAuth(config))),
)
return secure_channel(u.netloc, credentials, options)
else:
return insecure_channel(u.netloc, options)
def __init__(self,
address: str,
port: int,
use_ssl: bool = False,
access_token: str = "",
channel_shutdown_timeout: timedelta = timedelta(minutes=2)):
if (address is None):
raise ValueError("address")
if (port is None):
raise ValueError("port")
host = "{0}:{1}".format(address, port)
metadata_transormer = (lambda x: [('authorization', access_token)])
grpc.composite_channel_credentials(
grpc.ssl_channel_credentials(),
grpc.metadata_call_credentials(metadata_transormer))
if use_ssl:
self._channel_func = lambda: grpc.secure_channel(
host, grpc.ssl_channel_credentials())
else:
self._channel_func = lambda: grpc.insecure_channel(host)
self.__channel_shutdown_timeout = channel_shutdown_timeout
self.__channel_usable_until = None
self.__channel = None
def __init__(self, rpchost, tlscertpath, adminmacaroonpath):
os.environ["GRPC_SSL_CIPHER_SUITES"] = "HIGH+ECDSA"
with open(tlscertpath, "rb") as f:
cert = f.read()
cert_creds = grpc.ssl_channel_credentials(cert)
with open(adminmacaroonpath, "rb") as f:
macaroon = f.read()
macaroon = codecs.encode(macaroon, "hex")
# for more info see grpc docs
metadata_callback = lambda ctx, callback: callback([("macaroon",
macaroon)], None)
# now build meta data credentials
auth_creds = grpc.metadata_call_credentials(metadata_callback)
# combine the cert credentials and the macaroon auth credentials
# such that every call is properly encrypted and authenticated
combined_creds = grpc.composite_channel_credentials(
cert_creds, auth_creds)
channel = grpc.secure_channel(rpchost, combined_creds)
self.rpchost = rpchost
self.lnd = lnrpc.LightningStub(channel)
self.wallet = walletrpc.WalletKitStub(channel)
self.router = routerrpc.RouterStub(channel)
self.signer = signrpc.SignerStub(channel)
def getCredentials():
with open('ca-bundle.pem', 'rb') as f:
trusted_certs = f.read()
sslCred = grpc.ssl_channel_credentials(root_certificates=trusted_certs)
authCred = grpc.metadata_call_credentials(credentials)
return grpc.composite_channel_credentials(sslCred, authCred)
def getChannel(server, port, pem_file_path, username=None, password=None, accesstoken='default'):
"""
Get a channel object.
:param str server: grpc server
:param int port: grpc server port
:param str pem_file_path: path to pem file
:param str username: grpc username
:param str password: grpc password
:param str accesstoken: grpc accesstoken
:return: channel
"""
# Build channel credentials. If file is not present, throw error.
with open(pem_file_path, 'r') as myfile:
pem_data = myfile.read()
channel_cerdentials = grpc.ssl_channel_credentials(pem_data)
# Now also build call credentials. These will add the authtokens as metadata to each call.
if username is not None and password is not None:
call_credentials = grpc.metadata_call_credentials(lambda context, callback: callback([(DstoreMetadata.USERNAME_KEY, username),
(DstoreMetadata.PASSWORD_KEY, password),
(DstoreMetadata.ACCESS_TOKEN_KEY, accesstoken)], None),
name='dstoreio_credentials')
# Merge both credentials.
channel_cerdentials = grpc.composite_channel_credentials(channel_cerdentials, call_credentials)
channel = grpc.secure_channel('%s:%s' % (server, port), channel_cerdentials)
return channel
def construct(self):
"""Constructs and returns the desired Client object.
The instance of this class will reset to default values for further building.
Returns
-------
Client or XRClient
"""
channel = None
channel_ssl_creds = None
channel_metadata_creds = None
channel_creds = None
channel_ssl_creds = grpc.ssl_channel_credentials(
self.__root_certificates, self.__private_key,
self.__certificate_chain)
if self.__username and self.__password:
channel_metadata_creds = grpc.metadata_call_credentials(
CiscoAuthPlugin(self.__username, self.__password))
logging.debug("Using username/password call authentication.")
if channel_ssl_creds and channel_metadata_creds:
channel_creds = grpc.composite_channel_credentials(
channel_ssl_creds, channel_metadata_creds)
logging.debug(
"Using SSL/metadata authentication composite credentials.")
else:
channel_creds = channel_ssl_creds
logging.debug("Using SSL credentials, no metadata authentication.")
channel = grpc.secure_channel(self.__target_netloc.netloc,
channel_creds, self.__channel_options)
if self.__client_class is None:
self.set_os()
client = self.__client_class(channel)
self._reset()
return client
def real_jail_session(token):
"""
Create a Jail service for testing, using TCP sockets, uses the token for auth
"""
auth_interceptor = Auth().get_auth_interceptor(allow_jailed=True)
with futures.ThreadPoolExecutor(1) as executor:
server = grpc.server(executor, interceptors=[auth_interceptor])
port = server.add_secure_port("localhost:0",
grpc.local_server_credentials())
servicer = Jail()
jail_pb2_grpc.add_JailServicer_to_server(servicer, server)
server.start()
call_creds = grpc.metadata_call_credentials(
CookieMetadataPlugin(token))
comp_creds = grpc.composite_channel_credentials(
grpc.local_channel_credentials(), call_creds)
try:
with grpc.secure_channel(f"localhost:{port}",
comp_creds) as channel:
yield jail_pb2_grpc.JailStub(channel)
finally:
server.stop(None).wait()
def channel(self, endpoint):
if not self._channels:
self._unauthenticated_channel = grpc.secure_channel(
self._endpoint,
self._channel_creds,
options=self.channel_options())
endpoint_service = ApiEndpointServiceStub(
self._unauthenticated_channel)
resp = endpoint_service.List(ListApiEndpointsRequest())
endpoints = resp.endpoints
plugin = _auth_plugin.Credentials(self._token_requester,
lambda: self._channels["iam"])
call_creds = grpc.metadata_call_credentials(plugin)
creds = grpc.composite_channel_credentials(self._channel_creds,
call_creds)
self._channels = {
ep.id: grpc.secure_channel(ep.address,
creds,
options=self.channel_options())
for ep in endpoints
}
if endpoint not in self._channels:
raise RuntimeError("Unknown endpoint: {}".format(endpoint))
return self._channels[endpoint]
def main():
# Due to updated ECDSA generated tls.cert we need to let gprc know that
# we need to use that cipher suite otherwise there will be a handshake
# error when we communicate with the lnd rpc server.
os.environ["GRPC_SSL_CIPHER_SUITES"] = 'HIGH+ECDSA'
with open('/home/lnd/.lnd/tls.cert', 'rb') as f:
cert = f.read()
with open('/home/lnd/.lnd/data/chain/smartcash/mainnet/invoice.macaroon', 'rb') as f:
macaroon_bytes = f.read()
macaroon = codecs.encode(macaroon_bytes, 'hex')
def metadata_callback(context, callback):
# for more info see grpc docs
callback([('macaroon', macaroon)], None)
# build ssl credentials using the cert the same as before
cert_creds = grpc.ssl_channel_credentials(cert)
# now build meta data credentials
auth_creds = grpc.metadata_call_credentials(metadata_callback)
# combine the cert credentials and the macaroon auth credentials
# such that every call is properly encrypted and authenticated
combined_creds = grpc.composite_channel_credentials(cert_creds, auth_creds)
# finally pass in the combined credentials when creating a channel
channel = grpc.secure_channel('localhost:10009', combined_creds)
stub = lnrpc.LightningStub(channel)
invoice = stub.AddInvoice(ln.Invoice(memo="Donation for Mempool"))
print("Content-Type: application/json; charset=UTF-8")
print("")
print('{"r_hash":"%s","payment_request":"%s","add_index":%d}' % (binascii.hexlify(invoice.r_hash),invoice.payment_request,invoice.add_index))
def get_stub(self):
def metadata_callback(context, callback):
with open('resources/admin.macaroon', 'rb') as f:
macaroon_bytes = f.read()
macaroon = codecs.encode(macaroon_bytes, 'hex')
callback([('macaroon', macaroon)], None)
os.environ["GRPC_SSL_CIPHER_SUITES"] = "HIGH+ECDSA"
cert = open('resources/tls.cert').read()
# build ssl credentials using the cert the same as before
cert_creds = grpc.ssl_channel_credentials(cert)
# now build meta data credentials
auth_creds = grpc.metadata_call_credentials(metadata_callback)
# combine the cert credentials and the macaroon auth credentials
# such that every call is properly encrypted and authenticated
combined_creds = grpc.composite_channel_credentials(
cert_creds, auth_creds)
# finally pass in the combined credentials when creating a channel
channel = grpc.secure_channel('projects.koshikraj.com:10009',
combined_creds)
stub = lnrpc.LightningStub(channel)
return stub
def make_secure_stub(credentials, user_agent, stub_class, host):
"""Makes a secure stub for an RPC service.
Uses / depends on gRPC.
:type credentials: :class:`oauth2client.client.OAuth2Credentials`
:param credentials: The OAuth2 Credentials to use for creating
access tokens.
:type user_agent: str
:param user_agent: (Optional) The user agent to be used with API requests.
:type stub_class: type
:param stub_class: A gRPC stub type for a given service.
:type host: str
:param host: The host for the service.
:rtype: object, instance of ``stub_class``
:returns: The stub object used to make gRPC requests to a given API.
"""
# ssl_channel_credentials() loads root certificates from
# `grpc/_adapter/credentials/roots.pem`.
transport_creds = grpc.ssl_channel_credentials()
custom_metadata_plugin = MetadataPlugin(credentials, user_agent)
auth_creds = grpc.metadata_call_credentials(
custom_metadata_plugin, name='google_creds')
channel_creds = grpc.composite_channel_credentials(
transport_creds, auth_creds)
target = '%s:%d' % (host, http_client.HTTPS_PORT)
channel = grpc.secure_channel(target, channel_creds)
return stub_class(channel)
def get_credentials(lnd_dir):
tls_certificate = open(lnd_dir + '/tls.cert', 'rb').read()
ssl_credentials = grpc.ssl_channel_credentials(tls_certificate)
macaroon = codecs.encode(open(lnd_dir + '/data/chain/bitcoin/mainnet/admin.macaroon', 'rb').read(), 'hex')
auth_credentials = grpc.metadata_call_credentials(lambda _, callback: callback([('macaroon', macaroon)], None))
combined_credentials = grpc.composite_channel_credentials(ssl_credentials, auth_credentials)
return combined_credentials
def MakeSecureChannel(target):
"""Creates grpc secure channel.
Args:
target: str, The server address, for example:
bigtableadmin.googleapis.com:443.
Returns:
grpc.secure channel.
"""
credentials = cred_store.Load()
# ssl_channel_credentials() loads root certificates from
# `grpc/_adapter/credentials/roots.pem`.
transport_creds = grpc.ssl_channel_credentials()
custom_metadata_plugin = _MetadataPlugin(credentials)
auth_creds = grpc.metadata_call_credentials(
custom_metadata_plugin, name='google_creds')
channel_creds = grpc.composite_channel_credentials(
transport_creds, auth_creds)
channel_args = (
('grpc.primary_user_agent',
http.MakeUserAgentString(properties.VALUES.metrics.command_name.Get())),
)
return grpc.secure_channel(target, channel_creds,
options=channel_args)
def _local_composite_credentials(self):
"""
Creates the credentials for the local emulator channel
:return: grpc.ChannelCredentials
"""
credentials = google.auth.credentials.with_scopes_if_required(
self._credentials, None
)
request = google.auth.transport.requests.Request()
# Create the metadata plugin for inserting the authorization header.
metadata_plugin = google.auth.transport.grpc.AuthMetadataPlugin(
credentials, request
)
# Create a set of grpc.CallCredentials using the metadata plugin.
google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin)
# Using the local_credentials to allow connection to emulator
local_credentials = grpc.local_channel_credentials()
# Combine the local credentials and the authorization credentials.
return grpc.composite_channel_credentials(
local_credentials, google_auth_credentials
)
def make_secure_channel(credentials, user_agent, host):
"""Makes a secure channel for an RPC service.
Uses / depends on gRPC.
:type credentials: :class:`oauth2client.client.OAuth2Credentials`
:param credentials: The OAuth2 Credentials to use for creating
access tokens.
:type user_agent: str
:param user_agent: The user agent to be used with API requests.
:type host: str
:param host: The host for the service.
:rtype: :class:`grpc._channel.Channel`
:returns: gRPC secure channel with credentials attached.
"""
# ssl_channel_credentials() loads root certificates from
# `grpc/_adapter/credentials/roots.pem`.
transport_creds = grpc.ssl_channel_credentials()
custom_metadata_plugin = MetadataPlugin(credentials)
auth_creds = grpc.metadata_call_credentials(custom_metadata_plugin,
name='google_creds')
channel_creds = grpc.composite_channel_credentials(transport_creds,
auth_creds)
target = '%s:%d' % (host, http_client.HTTPS_PORT)
channel_args = (('grpc.primary_user_agent', user_agent), )
return grpc.secure_channel(target, channel_creds, options=channel_args)
def connect():
# Due to updated ECDSA generated tls.cert we need to let gprc know that
# we need to use that cipher suite otherwise there will be a handshake
# error when we communicate with the lnd rpc server.
os.environ["GRPC_SSL_CIPHER_SUITES"] = 'HIGH+ECDSA'
with open('/home/lnd/.lnd/tls.cert', 'rb') as f:
cert = f.read()
with open('/home/lnd/.lnd/data/chain/smartcash/mainnet/invoice.macaroon', 'rb') as f:
macaroon_bytes = f.read()
macaroon = codecs.encode(macaroon_bytes, 'hex')
def metadata_callback(_context, callback):
# for more info see grpc docs
callback([('macaroon', macaroon)], None)
# build ssl credentials using the cert the same as before
cert_creds = grpc.ssl_channel_credentials(cert)
# now build meta data credentials
auth_creds = grpc.metadata_call_credentials(metadata_callback)
# combine the cert credentials and the macaroon auth credentials
# such that every call is properly encrypted and authenticated
combined_creds = grpc.composite_channel_credentials(cert_creds, auth_creds)
# finally pass in the combined credentials when creating a channel
channel = grpc.secure_channel('localhost:10009', combined_creds)
stub = lnrpc.LightningStub(channel)
return stub
def run():
with open("kyma.pem", "rb") as fp:
channel_credential = grpc.ssl_channel_credentials(fp.read())
call_credentials = grpc.metadata_call_credentials(AuthGateway(),
name='auth gateway')
composite_credentials = grpc.composite_channel_credentials(
channel_credential,
call_credentials,
)
if os.environ.get("_DEV_") == "true":
print("-------------- insecure_channel --------------")
channel = grpc.insecure_channel('127.0.0.1:50051')
else:
print("-------------- secure_channel --------------")
channel = grpc.secure_channel(os.environ.get(
"_GRPC_SERVER_"), composite_credentials)
stub = orders_pb2_grpc.OrderStub(channel)
print("-------------- RecordOrder--------------")
record_orders(stub)
print("-------------- GetOrders --------------")
get_orders(stub)
channel.close()
def _conn(host: str = "localhost", rpc_port: int = 50051, conf_address: str = "http://localhost/auth", client_id: str = None,
client_secret: str = None, pkey=None, cert=None, ca=None):
"""
`host` The host to connect to.
`rpc_port` The gRPC port for host.
`conf_address` The complete address for the auth configuration endpoint.
`client_id` Your client id for your OAuth Auth provider.
`client_secret` Corresponding client secret.
`pkey` Private key for client authentication
`cert` Corresponding signed certificate. CN must reflect your hosts FQDN, and must be signed by the servers
CA.
`ca` CA trust for the server.
`secure_conf` Whether the server hosting configuration is secured (https)
Returns A gRPC channel
"""
# TODO: make this more robust so it can handle SSL without client verification
if pkey and cert and client_id and client_secret:
call_credentials = grpc.metadata_call_credentials(AuthTokenPlugin(host, conf_address, client_id, client_secret))
# Channel credential will be valid for the entire channel
channel_credentials = grpc.ssl_channel_credentials(ca, pkey, cert)
# Combining channel credentials and call credentials together
composite_credentials = grpc.composite_channel_credentials(
channel_credentials,
call_credentials,
)
channel = grpc.secure_channel(f"{host}:{rpc_port}", composite_credentials)
else:
channel = grpc.insecure_channel(f"{host}:{rpc_port}")
return channel
def create_channel(config: "Config") -> "Channel":
"""
Create a :class:`Channel` for the specified configuration.
"""
u = urlparse(config.url.url)
options = [
("grpc.max_send_message_length", -1),
("grpc.max_receive_message_length", -1),
]
if not config.url.use_http_proxy:
options.append(("grpc.enable_http_proxy", 0))
if (u.scheme in ("https", "grpcs")) or config.ssl:
credentials = ssl_channel_credentials(
root_certificates=config.ssl.ca,
private_key=config.ssl.cert_key,
certificate_chain=config.ssl.cert,
)
if config.access.token:
credentials = composite_channel_credentials(
credentials, metadata_call_credentials(GrpcAuth(config))
)
return secure_channel(u.netloc, credentials, options)
else:
return insecure_channel(u.netloc, options)
async def initialization(self):
cred_params = [c is not None for c in (self._user, self._password)]
if all(cred_params):
self.auth_stub = AuthStub(self.channel)
auth_request = AuthenticateRequest(name=self._user,
password=self._password)
resp = await self.auth_stub.Authenticate(auth_request,
self.timeout)
self.call_credentials = grpc.metadata_call_credentials(
EtcdTokenCallCredentials(resp.token))
elif any(cred_params):
raise Exception(
'if using authentication credentials both user and password '
'must be specified.')
self.kvstub = KVStub(self.channel)
self.watcher = watch.Watcher(
WatchStub(self.channel),
timeout=self.timeout,
call_credentials=self.call_credentials,
)
loop = asyncio.get_event_loop()
self.watchtask = loop.create_task(self.watcher.run())
self.clusterstub = ClusterStub(self.channel)
self.leasestub = LeaseStub(self.channel)
self.maintenancestub = MaintenanceStub(self.channel)
self.transactions = Transactions()
def get_ln_stub():
def metadata_callback(context, callback):
# for more info see grpc docs
callback([('macaroon', macaroon)], None)
os.environ["GRPC_SSL_CIPHER_SUITES"] = 'HIGH+ECDSA'
# Lnd admin macaroon is at ~/.lnd/data/chain/bitcoin/simnet/admin.macaroon on Linux and
# ~/Library/Application Support/Lnd/data/chain/bitcoin/simnet/admin.macaroon on Mac
with open(os.path.expanduser(settings.MACAROON_PATH), 'rb') as f:
macaroon_bytes = f.read()
macaroon = codecs.encode(macaroon_bytes, 'hex')
cert = open(settings.CERT_PATH, 'rb').read()
creds = grpc.ssl_channel_credentials(cert)
# now build meta data credentials
auth_creds = grpc.metadata_call_credentials(metadata_callback)
# combine the cert credentials and the macaroon auth credentials
# such that every call is properly encrypted and authenticated
combined_creds = grpc.composite_channel_credentials(creds, auth_creds)
# channel = grpc.secure_channel(settings.LND_RPCHOST, creds)
channel = grpc.secure_channel(settings.LND_RPCHOST, combined_creds)
# stub.GetInfo(ln.GetInfoRequest(), metadata=[('macaroon', macaroon)])
stub = lnrpc.LightningStub(channel)
return stub
def make_secure_stub(credentials, user_agent, stub_class, host):
"""Makes a secure stub for an RPC service.
Uses / depends on gRPC.
:type credentials: :class:`oauth2client.client.OAuth2Credentials`
:param credentials: The OAuth2 Credentials to use for creating
access tokens.
:type user_agent: str
:param user_agent: (Optional) The user agent to be used with API requests.
:type stub_class: type
:param stub_class: A gRPC stub type for a given service.
:type host: str
:param host: The host for the service.
:rtype: object, instance of ``stub_class``
:returns: The stub object used to make gRPC requests to a given API.
"""
# ssl_channel_credentials() loads root certificates from
# `grpc/_adapter/credentials/roots.pem`.
transport_creds = grpc.ssl_channel_credentials()
custom_metadata_plugin = MetadataPlugin(credentials)
auth_creds = grpc.metadata_call_credentials(custom_metadata_plugin,
name='google_creds')
channel_creds = grpc.composite_channel_credentials(transport_creds,
auth_creds)
target = '%s:%d' % (host, http_client.HTTPS_PORT)
channel_args = (('grpc.primary_user_agent', user_agent), )
channel = grpc.secure_channel(target, channel_creds, options=channel_args)
return stub_class(channel)
def _stub(args):
target = '{}:{}'.format(args.server_host, args.server_port)
if args.test_case == 'oauth2_auth_token':
google_credentials, unused_project_id = google_auth.default(
scopes=[args.oauth_scope])
google_credentials.refresh(google_auth.transport.requests.Request())
call_credentials = grpc.access_token_call_credentials(
google_credentials.token)
elif args.test_case == 'compute_engine_creds':
google_credentials, unused_project_id = google_auth.default(
scopes=[args.oauth_scope])
call_credentials = grpc.metadata_call_credentials(
google_auth.transport.grpc.AuthMetadataPlugin(
credentials=google_credentials,
request=google_auth.transport.requests.Request()))
elif args.test_case == 'jwt_token_creds':
google_credentials = google_auth_jwt.OnDemandCredentials.from_service_account_file(
os.environ[google_auth.environment_vars.CREDENTIALS])
call_credentials = grpc.metadata_call_credentials(
google_auth.transport.grpc.AuthMetadataPlugin(
credentials=google_credentials, request=None))
else:
call_credentials = None
if args.use_tls:
if args.use_test_ca:
root_certificates = resources.test_root_certificates()
else:
root_certificates = None # will load default roots.
channel_credentials = grpc.ssl_channel_credentials(root_certificates)
if call_credentials is not None:
channel_credentials = grpc.composite_channel_credentials(
channel_credentials, call_credentials)
channel_opts = None
if args.server_host_override:
channel_opts = ((
'grpc.ssl_target_name_override',
args.server_host_override,
),)
channel = grpc.secure_channel(target, channel_credentials, channel_opts)
else:
channel = grpc.insecure_channel(target)
if args.test_case == "unimplemented_service":
return test_pb2_grpc.UnimplementedServiceStub(channel)
else:
return test_pb2_grpc.TestServiceStub(channel)
def secure_authorized_channel(credentials,
request,
target,
ssl_credentials=None,
**kwargs):
"""Creates a secure authorized gRPC channel.
This creates a channel with SSL and :class:`AuthMetadataPlugin`. This
channel can be used to create a stub that can make authorized requests.
Example::
import google.auth
import google.auth.transport.grpc
import google.auth.transport.requests
from google.cloud.speech.v1 import cloud_speech_pb2
# Get credentials.
credentials, _ = google.auth.default()
# Get an HTTP request function to refresh credentials.
request = google.auth.transport.requests.Request()
# Create a channel.
channel = google.auth.transport.grpc.secure_authorized_channel(
credentials, 'speech.googleapis.com:443', request)
# Use the channel to create a stub.
cloud_speech.create_Speech_stub(channel)
Args:
credentials (google.auth.credentials.Credentials): The credentials to
add to requests.
request (google.auth.transport.Request): A HTTP transport request
object used to refresh credentials as needed. Even though gRPC
is a separate transport, there's no way to refresh the credentials
without using a standard http transport.
target (str): The host and port of the service.
ssl_credentials (grpc.ChannelCredentials): Optional SSL channel
credentials. This can be used to specify different certificates.
kwargs: Additional arguments to pass to :func:`grpc.secure_channel`.
Returns:
grpc.Channel: The created gRPC channel.
"""
# Create the metadata plugin for inserting the authorization header.
metadata_plugin = AuthMetadataPlugin(credentials, request)
# Create a set of grpc.CallCredentials using the metadata plugin.
google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin)
if ssl_credentials is None:
ssl_credentials = grpc.ssl_channel_credentials()
# Combine the ssl credentials and the authorization credentials.
composite_credentials = grpc.composite_channel_credentials(
ssl_credentials, google_auth_credentials)
return grpc.secure_channel(target, composite_credentials, **kwargs)
def _create_composite_credentials(credentials=None,
credentials_file=None,
scopes=None,
ssl_credentials=None,
quota_project_id=None):
"""Create the composite credentials for secure channels.
Args:
credentials (google.auth.credentials.Credentials): The credentials. If
not specified, then this function will attempt to ascertain the
credentials from the environment using :func:`google.auth.default`.
credentials_file (str): A file with credentials that can be loaded with
:func:`google.auth.load_credentials_from_file`. This argument is
mutually exclusive with credentials.
scopes (Sequence[str]): A optional list of scopes needed for this
service. These are only used when credentials are not specified and
are passed to :func:`google.auth.default`.
ssl_credentials (grpc.ChannelCredentials): Optional SSL channel
credentials. This can be used to specify different certificates.
quota_project_id (str): An optional project to use for billing and quota.
Returns:
grpc.ChannelCredentials: The composed channel credentials object.
Raises:
google.api_core.DuplicateCredentialArgs: If both a credentials object and credentials_file are passed.
"""
if credentials and credentials_file:
raise exceptions.DuplicateCredentialArgs(
"'credentials' and 'credentials_file' are mutually exclusive.")
if credentials_file:
credentials, _ = google.auth.load_credentials_from_file(
credentials_file, scopes=scopes)
elif credentials:
credentials = google.auth.credentials.with_scopes_if_required(
credentials, scopes)
else:
credentials, _ = google.auth.default(scopes=scopes)
if quota_project_id and isinstance(
credentials, google.auth.credentials.CredentialsWithQuotaProject):
credentials = credentials.with_quota_project(quota_project_id)
request = google.auth.transport.requests.Request()
# Create the metadata plugin for inserting the authorization header.
metadata_plugin = google.auth.transport.grpc.AuthMetadataPlugin(
credentials, request)
# Create a set of grpc.CallCredentials using the metadata plugin.
google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin)
if ssl_credentials is None:
ssl_credentials = grpc.ssl_channel_credentials()
# Combine the ssl credentials and the authorization credentials.
return grpc.composite_channel_credentials(ssl_credentials,
google_auth_credentials)
def get_protocol_token_credentials():
token = os.environ.get("PROTOCOL_TOKEN")
if token:
return grpc.metadata_call_credentials(ProtocolTokenCredentials(token))
else:
logger.debug("No protocol token found")
return None
def secure_authorized_channel(
credentials, request, target, ssl_credentials=None, **kwargs):
"""Creates a secure authorized gRPC channel.
This creates a channel with SSL and :class:`AuthMetadataPlugin`. This
channel can be used to create a stub that can make authorized requests.
Example::
import google.auth
import google.auth.transport.grpc
import google.auth.transport.requests
from google.cloud.speech.v1 import cloud_speech_pb2
# Get credentials.
credentials, _ = google.auth.default()
# Get an HTTP request function to refresh credentials.
request = google.auth.transport.requests.Request()
# Create a channel.
channel = google.auth.transport.grpc.secure_authorized_channel(
credentials, 'speech.googleapis.com:443', request)
# Use the channel to create a stub.
cloud_speech.create_Speech_stub(channel)
Args:
credentials (google.auth.credentials.Credentials): The credentials to
add to requests.
request (google.auth.transport.Request): A HTTP transport request
object used to refresh credentials as needed. Even though gRPC
is a separate transport, there's no way to refresh the credentials
without using a standard http transport.
target (str): The host and port of the service.
ssl_credentials (grpc.ChannelCredentials): Optional SSL channel
credentials. This can be used to specify different certificates.
kwargs: Additional arguments to pass to :func:`grpc.secure_channel`.
Returns:
grpc.Channel: The created gRPC channel.
"""
# Create the metadata plugin for inserting the authorization header.
metadata_plugin = AuthMetadataPlugin(credentials, request)
# Create a set of grpc.CallCredentials using the metadata plugin.
google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin)
if ssl_credentials is None:
ssl_credentials = grpc.ssl_channel_credentials()
# Combine the ssl credentials and the authorization credentials.
composite_credentials = grpc.composite_channel_credentials(
ssl_credentials, google_auth_credentials)
return grpc.secure_channel(target, composite_credentials, **kwargs)
def metadata_call_credentials(metadata_plugin, name=None):
def plugin(context, callback):
def wrapped_callback(beta_metadata, error):
callback(_metadata.unbeta(beta_metadata), error)
metadata_plugin(context, wrapped_callback)
return grpc.metadata_call_credentials(plugin, name=name)
def secure_authorized_channel(
credentials, target, ssl_credentials=None):
"""Creates a secure authorized gRPC channel."""
if ssl_credentials is None:
ssl_credentials = grpc.ssl_channel_credentials()
metadata_plugin = AuthMetadataPlugin(credentials)
call_credentials = grpc.metadata_call_credentials(metadata_plugin)
channel_creds = grpc.composite_channel_credentials(
ssl_credentials, call_credentials)
return grpc.secure_channel(target, channel_creds)
def create_channel(
target, credentials=None, scopes=None, ssl_credentials=None, **kwargs
):
"""Create a secure channel with credentials.
Args:
target (str): The target service address in the format 'hostname:port'.
credentials (google.auth.credentials.Credentials): The credentials. If
not specified, then this function will attempt to ascertain the
credentials from the environment using :func:`google.auth.default`.
scopes (Sequence[str]): A optional list of scopes needed for this
service. These are only used when credentials are not specified and
are passed to :func:`google.auth.default`.
ssl_credentials (grpc.ChannelCredentials): Optional SSL channel
credentials. This can be used to specify different certificates.
kwargs: Additional key-word args passed to
:func:`grpc_gcp.secure_channel` or :func:`grpc.secure_channel`.
Returns:
grpc.Channel: The created channel.
"""
if credentials is None:
credentials, _ = google.auth.default(scopes=scopes)
else:
credentials = google.auth.credentials.with_scopes_if_required(
credentials, scopes
)
request = google.auth.transport.requests.Request()
# Create the metadata plugin for inserting the authorization header.
metadata_plugin = google.auth.transport.grpc.AuthMetadataPlugin(
credentials, request
)
# Create a set of grpc.CallCredentials using the metadata plugin.
google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin)
if ssl_credentials is None:
ssl_credentials = grpc.ssl_channel_credentials()
# Combine the ssl credentials and the authorization credentials.
composite_credentials = grpc.composite_channel_credentials(
ssl_credentials, google_auth_credentials
)
if HAS_GRPC_GCP:
# If grpc_gcp module is available use grpc_gcp.secure_channel,
# otherwise, use grpc.secure_channel to create grpc channel.
return grpc_gcp.secure_channel(target, composite_credentials, **kwargs)
else:
return grpc.secure_channel(target, composite_credentials, **kwargs)
def _per_rpc_creds(stub, args):
json_key_filename = os.environ[google_auth_environment_vars.CREDENTIALS]
wanted_email = json.load(open(json_key_filename, 'rb'))['client_email']
google_credentials, unused_project_id = google_auth.default(
scopes=[args.oauth_scope])
call_credentials = grpc.metadata_call_credentials(
google_auth_transport_grpc.AuthMetadataPlugin(
credentials=google_credentials,
request=google_auth_transport_requests.Request()))
response = _large_unary_common_behavior(stub, True, False, call_credentials)
if wanted_email != response.username:
raise ValueError('expected username %s, got %s' % (wanted_email,
response.username))
def __init__(self, rpc_uri: str, peer_uri: str):
self.peer_uri = peer_uri
if LND_AUTH_DATA_PATH != 'default':
path = LND_AUTH_DATA_PATH
elif platform == "linux" or platform == "linux2":
path = '~/.lnd/'
elif platform == "darwin":
path = '~/Library/Application Support/Lnd/'
else:
raise Exception(f"What's the {platform} path for the lnd tls cert?")
self.main_lnd_path = os.path.expanduser(path)
lnd_tls_cert_path = os.path.join(self.main_lnd_path, 'tls.cert')
self.lnd_tls_cert = open(lnd_tls_cert_path, 'rb').read()
cert_credentials = grpc.ssl_channel_credentials(self.lnd_tls_cert)
admin_macaroon_path = os.path.join(self.main_lnd_path, 'admin.macaroon')
with open(admin_macaroon_path, 'rb') as f:
macaroon_bytes = f.read()
self.macaroon = codecs.encode(macaroon_bytes, 'hex')
def metadata_callback(context: _AuthMetadataPluginCallback,
callback: _AuthMetadataContext):
callback([('macaroon', self.macaroon)], None)
auth_credentials = grpc.metadata_call_credentials(metadata_callback)
self.credentials = grpc.composite_channel_credentials(cert_credentials,
auth_credentials)
self.grpc_channel = grpc.secure_channel(rpc_uri,
self.credentials
)
self.lnd_client = lnrpc.LightningStub(self.grpc_channel)