def __init__( self, hostname, port=50051, cacert=SERVER_CA, username=None, password=None, sessionid=None, ): super(SecureClient, self).__init__(hostname, port) server_ca = open(cacert, "r").read() if sessionid: call_creds = metadata_call_credentials(SessionIdCallCredentials(sessionid)) else: call_creds = metadata_call_credentials( UsernamePasswordCallCredentials(username, password) ) chan_creds = ssl_channel_credentials(server_ca) chan_creds = composite_channel_credentials(chan_creds, call_creds) self.channel = grpc.secure_channel( "%s:%d" % (self.hostname, self.port), chan_creds ) self.stub = xos_pb2_grpc.xosStub(self.channel) self.modeldefs = modeldefs_pb2_grpc.modeldefsStub(self.channel) self.utility = utility_pb2_grpc.utilityStub(self.channel) self.xos_orm = orm.ORMStub(self.stub, "xos")
def __init__(self, hostname, port=50051, cacert=SERVER_CA, username=None, password=None, sessionid=None): super(SecureClient, self).__init__(hostname, port) server_ca = open(cacert, "r").read() if (sessionid): call_creds = metadata_call_credentials( SessionIdCallCredentials(sessionid)) else: call_creds = metadata_call_credentials( UsernamePasswordCallCredentials(username, password)) chan_creds = ssl_channel_credentials(server_ca) chan_creds = composite_channel_credentials(chan_creds, call_creds) self.channel = grpc.secure_channel( "%s:%d" % (self.hostname, self.port), chan_creds) self.stub = xos_pb2_grpc.xosStub(self.channel) self.modeldefs = modeldefs_pb2_grpc.modeldefsStub(self.channel) self.utility = utility_pb2_grpc.utilityStub(self.channel) self.xos_orm = orm.ORMStub(self.stub, "xos")
def __init__( self, consul_endpoint=None, work_dir="/tmp/xos_grpc_protos", endpoint="localhost:50055", reconnect_callback=None, cacert=SERVER_CA, username=None, password=None, sessionid=None, ): server_ca = open(cacert, "r").read() if sessionid: call_creds = metadata_call_credentials(SessionIdCallCredentials(sessionid)) else: call_creds = metadata_call_credentials( UsernamePasswordCallCredentials(username, password) ) chan_creds = ssl_channel_credentials(server_ca) chan_creds = composite_channel_credentials(chan_creds, call_creds) super(SecureClient, self).__init__( consul_endpoint, work_dir, endpoint, self.reconnected, chan_creds ) self.reconnect_callback2 = reconnect_callback
def __init__( self, consul_endpoint=None, work_dir="/tmp/xos_grpc_protos", endpoint="localhost:50055", reconnect_callback=None, cacert=SERVER_CA, username=None, password=None, sessionid=None, ): server_ca = open(cacert, "r").read() if sessionid: call_creds = metadata_call_credentials( SessionIdCallCredentials(sessionid)) else: call_creds = metadata_call_credentials( UsernamePasswordCallCredentials(username, password)) chan_creds = ssl_channel_credentials(server_ca) chan_creds = composite_channel_credentials(chan_creds, call_creds) super(SecureClient, self).__init__(consul_endpoint, work_dir, endpoint, self.reconnected, chan_creds) self.reconnect_callback2 = reconnect_callback
def _stub(args): target = '{}:{}'.format(args.server_host, args.server_port) if args.test_case == 'oauth2_auth_token': google_credentials, unused_project_id = google_auth.default( scopes=[args.oauth_scope]) google_credentials.refresh(google_auth.transport.requests.Request()) call_credentials = grpc.access_token_call_credentials( google_credentials.token) elif args.test_case == 'compute_engine_creds': google_credentials, unused_project_id = google_auth.default( scopes=[args.oauth_scope]) call_credentials = grpc.metadata_call_credentials( google_auth.transport.grpc.AuthMetadataPlugin( credentials=google_credentials, request=google_auth.transport.requests.Request())) elif args.test_case == 'jwt_token_creds': google_credentials = google_auth_jwt.OnDemandCredentials.from_service_account_file( os.environ[google_auth.environment_vars.CREDENTIALS]) call_credentials = grpc.metadata_call_credentials( google_auth.transport.grpc.AuthMetadataPlugin( credentials=google_credentials, request=None)) else: call_credentials = None if args.use_tls: if args.use_test_ca: root_certificates = resources.test_root_certificates() else: root_certificates = None # will load default roots. channel_credentials = grpc.ssl_channel_credentials(root_certificates) if call_credentials is not None: channel_credentials = grpc.composite_channel_credentials( channel_credentials, call_credentials) channel_opts = None if args.server_host_override: channel_opts = (( 'grpc.ssl_target_name_override', args.server_host_override, ), ) channel = grpc.secure_channel(target, channel_credentials, channel_opts) else: channel = grpc.insecure_channel(target) if args.test_case == "unimplemented_service": return test_pb2_grpc.UnimplementedServiceStub(channel) else: return test_pb2_grpc.TestServiceStub(channel)
def _get_stub(self): # pragma: no cover url = "{}:{}".format(self.host, self.port) # Lnd cert is at ~/.lnd/tls.cert on Linux and # ~/Library/Application Support/Lnd/tls.cert on Mac cert = open(os.path.expanduser(self.tls_cert_path), "rb").read() cert_creds = grpc.ssl_channel_credentials(cert) # Lnd admin macaroon is at ~/.lnd/data/chain/bitcoin/simnet/admin.macaroon on Linux and # ~/Library/Application Support/Lnd/data/chain/bitcoin/simnet/admin.macaroon on Mac with open(os.path.expanduser(self.macaroon_path), "rb") as f: macaroon_bytes = f.read() macaroon = codecs.encode(macaroon_bytes, "hex") self.macaroon = codecs.encode(macaroon_bytes, "hex") def metadata_callback(context, callback): # for more info see grpc docs callback([("macaroon", macaroon)], None) # now build meta data credentials auth_creds = grpc.metadata_call_credentials(metadata_callback) # combine the cert credentials and the macaroon auth credentials # such that every call is properly encrypted and authenticated combined_creds = grpc.composite_channel_credentials( cert_creds, auth_creds) # finally pass in the combined credentials when creating a channel channel = grpc.secure_channel(url, combined_creds) return lnd_pb2_grpc.LightningStub(channel)
async def _authenticate(self): async with self._auth_lock: # Avoiding concurrent authentications for the client instance if self._metadata is not None: # Avoiding double authentication return token = await self.authenticate(username=self.username, password=self.password) self._metadata = (("token", token),) self._call_credentials = metadata_call_credentials(_EtcdTokenCallCredentials(token))
def MakeSecureChannel(target): """Creates grpc secure channel. Args: target: str, The server address, for example: bigtableadmin.googleapis.com:443. Returns: grpc.secure channel. """ credentials = cred_store.Load() # ssl_channel_credentials() loads root certificates from # `grpc/_adapter/credentials/roots.pem`. transport_creds = grpc.ssl_channel_credentials() custom_metadata_plugin = _MetadataPlugin(credentials) auth_creds = grpc.metadata_call_credentials( custom_metadata_plugin, name='google_creds') channel_creds = grpc.composite_channel_credentials( transport_creds, auth_creds) channel_args = ( ('grpc.primary_user_agent', http.MakeUserAgentString(properties.VALUES.metrics.command_name.Get())), ) return grpc.secure_channel(target, channel_creds, options=channel_args)
def run(): # Read exported (PEM formatted) server TLS certificate from disk certificate = open('<< ADD PATH TO EXPORTED SERVER CERTIFICATE >>', 'rb').read() tls_credentials = grpc.ssl_channel_credentials(certificate) # Apply the api key to every request that is made with the client apikey_credentials = grpc.metadata_call_credentials( ApiKeyCallCredentials('<< ADD API KEY >>')) combined_credentials = grpc.composite_channel_credentials( tls_credentials, apikey_credentials) # gRPC channel setup to connect to ibaHD-API endpoint in ibaHD-Server # Increasing the default message size (~4MB) is recommended (c int32 max = 2147483647) with grpc.secure_channel('127.0.0.1:9003', combined_credentials, options=[('grpc.max_receive_message_length', 2147483647)]) as channel: # Instantiate ibaHD-API client on the gRPC channel client = ibaHD_API_pb2_grpc.HdApiServiceStub(channel) # Simple request to retrieve stores response = client.GetHdStores( request=ibaHD_API_pb2.GetHdStoresRequest()) # Clean channel shutdown channel.close() print(response)
def create_channel(config: "Config") -> "Channel": """ Create a :class:`Channel` for the specified configuration. """ u = urlparse(config.url.url) options = [ ("grpc.max_send_message_length", -1), ("grpc.max_receive_message_length", -1), ] if not config.url.use_http_proxy: options.append(("grpc.enable_http_proxy", 0)) if (u.scheme in ("https", "grpcs")) or config.ssl: credentials = ssl_channel_credentials( root_certificates=config.ssl.ca, private_key=config.ssl.cert_key, certificate_chain=config.ssl.cert, ) if config.access.token: # The grpc Credential objects do not actually define a formal interface, and are # used interchangeably in the code. # # Additionally there are some incorrect rules in the grpc-stubs typing rules that force # us to work around the type system. credentials = cast( ChannelCredentials, composite_channel_credentials( credentials, metadata_call_credentials(GrpcAuth(config))), ) return secure_channel(u.netloc, credentials, options) else: return insecure_channel(u.netloc, options)
def __init__(self, address: str, port: int, use_ssl: bool = False, access_token: str = "", channel_shutdown_timeout: timedelta = timedelta(minutes=2)): if (address is None): raise ValueError("address") if (port is None): raise ValueError("port") host = "{0}:{1}".format(address, port) metadata_transormer = (lambda x: [('authorization', access_token)]) grpc.composite_channel_credentials( grpc.ssl_channel_credentials(), grpc.metadata_call_credentials(metadata_transormer)) if use_ssl: self._channel_func = lambda: grpc.secure_channel( host, grpc.ssl_channel_credentials()) else: self._channel_func = lambda: grpc.insecure_channel(host) self.__channel_shutdown_timeout = channel_shutdown_timeout self.__channel_usable_until = None self.__channel = None
def __init__(self, rpchost, tlscertpath, adminmacaroonpath): os.environ["GRPC_SSL_CIPHER_SUITES"] = "HIGH+ECDSA" with open(tlscertpath, "rb") as f: cert = f.read() cert_creds = grpc.ssl_channel_credentials(cert) with open(adminmacaroonpath, "rb") as f: macaroon = f.read() macaroon = codecs.encode(macaroon, "hex") # for more info see grpc docs metadata_callback = lambda ctx, callback: callback([("macaroon", macaroon)], None) # now build meta data credentials auth_creds = grpc.metadata_call_credentials(metadata_callback) # combine the cert credentials and the macaroon auth credentials # such that every call is properly encrypted and authenticated combined_creds = grpc.composite_channel_credentials( cert_creds, auth_creds) channel = grpc.secure_channel(rpchost, combined_creds) self.rpchost = rpchost self.lnd = lnrpc.LightningStub(channel) self.wallet = walletrpc.WalletKitStub(channel) self.router = routerrpc.RouterStub(channel) self.signer = signrpc.SignerStub(channel)
def getCredentials(): with open('ca-bundle.pem', 'rb') as f: trusted_certs = f.read() sslCred = grpc.ssl_channel_credentials(root_certificates=trusted_certs) authCred = grpc.metadata_call_credentials(credentials) return grpc.composite_channel_credentials(sslCred, authCred)
def getChannel(server, port, pem_file_path, username=None, password=None, accesstoken='default'): """ Get a channel object. :param str server: grpc server :param int port: grpc server port :param str pem_file_path: path to pem file :param str username: grpc username :param str password: grpc password :param str accesstoken: grpc accesstoken :return: channel """ # Build channel credentials. If file is not present, throw error. with open(pem_file_path, 'r') as myfile: pem_data = myfile.read() channel_cerdentials = grpc.ssl_channel_credentials(pem_data) # Now also build call credentials. These will add the authtokens as metadata to each call. if username is not None and password is not None: call_credentials = grpc.metadata_call_credentials(lambda context, callback: callback([(DstoreMetadata.USERNAME_KEY, username), (DstoreMetadata.PASSWORD_KEY, password), (DstoreMetadata.ACCESS_TOKEN_KEY, accesstoken)], None), name='dstoreio_credentials') # Merge both credentials. channel_cerdentials = grpc.composite_channel_credentials(channel_cerdentials, call_credentials) channel = grpc.secure_channel('%s:%s' % (server, port), channel_cerdentials) return channel
def construct(self): """Constructs and returns the desired Client object. The instance of this class will reset to default values for further building. Returns ------- Client or XRClient """ channel = None channel_ssl_creds = None channel_metadata_creds = None channel_creds = None channel_ssl_creds = grpc.ssl_channel_credentials( self.__root_certificates, self.__private_key, self.__certificate_chain) if self.__username and self.__password: channel_metadata_creds = grpc.metadata_call_credentials( CiscoAuthPlugin(self.__username, self.__password)) logging.debug("Using username/password call authentication.") if channel_ssl_creds and channel_metadata_creds: channel_creds = grpc.composite_channel_credentials( channel_ssl_creds, channel_metadata_creds) logging.debug( "Using SSL/metadata authentication composite credentials.") else: channel_creds = channel_ssl_creds logging.debug("Using SSL credentials, no metadata authentication.") channel = grpc.secure_channel(self.__target_netloc.netloc, channel_creds, self.__channel_options) if self.__client_class is None: self.set_os() client = self.__client_class(channel) self._reset() return client
def real_jail_session(token): """ Create a Jail service for testing, using TCP sockets, uses the token for auth """ auth_interceptor = Auth().get_auth_interceptor(allow_jailed=True) with futures.ThreadPoolExecutor(1) as executor: server = grpc.server(executor, interceptors=[auth_interceptor]) port = server.add_secure_port("localhost:0", grpc.local_server_credentials()) servicer = Jail() jail_pb2_grpc.add_JailServicer_to_server(servicer, server) server.start() call_creds = grpc.metadata_call_credentials( CookieMetadataPlugin(token)) comp_creds = grpc.composite_channel_credentials( grpc.local_channel_credentials(), call_creds) try: with grpc.secure_channel(f"localhost:{port}", comp_creds) as channel: yield jail_pb2_grpc.JailStub(channel) finally: server.stop(None).wait()
def channel(self, endpoint): if not self._channels: self._unauthenticated_channel = grpc.secure_channel( self._endpoint, self._channel_creds, options=self.channel_options()) endpoint_service = ApiEndpointServiceStub( self._unauthenticated_channel) resp = endpoint_service.List(ListApiEndpointsRequest()) endpoints = resp.endpoints plugin = _auth_plugin.Credentials(self._token_requester, lambda: self._channels["iam"]) call_creds = grpc.metadata_call_credentials(plugin) creds = grpc.composite_channel_credentials(self._channel_creds, call_creds) self._channels = { ep.id: grpc.secure_channel(ep.address, creds, options=self.channel_options()) for ep in endpoints } if endpoint not in self._channels: raise RuntimeError("Unknown endpoint: {}".format(endpoint)) return self._channels[endpoint]
def main(): # Due to updated ECDSA generated tls.cert we need to let gprc know that # we need to use that cipher suite otherwise there will be a handshake # error when we communicate with the lnd rpc server. os.environ["GRPC_SSL_CIPHER_SUITES"] = 'HIGH+ECDSA' with open('/home/lnd/.lnd/tls.cert', 'rb') as f: cert = f.read() with open('/home/lnd/.lnd/data/chain/smartcash/mainnet/invoice.macaroon', 'rb') as f: macaroon_bytes = f.read() macaroon = codecs.encode(macaroon_bytes, 'hex') def metadata_callback(context, callback): # for more info see grpc docs callback([('macaroon', macaroon)], None) # build ssl credentials using the cert the same as before cert_creds = grpc.ssl_channel_credentials(cert) # now build meta data credentials auth_creds = grpc.metadata_call_credentials(metadata_callback) # combine the cert credentials and the macaroon auth credentials # such that every call is properly encrypted and authenticated combined_creds = grpc.composite_channel_credentials(cert_creds, auth_creds) # finally pass in the combined credentials when creating a channel channel = grpc.secure_channel('localhost:10009', combined_creds) stub = lnrpc.LightningStub(channel) invoice = stub.AddInvoice(ln.Invoice(memo="Donation for Mempool")) print("Content-Type: application/json; charset=UTF-8") print("") print('{"r_hash":"%s","payment_request":"%s","add_index":%d}' % (binascii.hexlify(invoice.r_hash),invoice.payment_request,invoice.add_index))
def get_stub(self): def metadata_callback(context, callback): with open('resources/admin.macaroon', 'rb') as f: macaroon_bytes = f.read() macaroon = codecs.encode(macaroon_bytes, 'hex') callback([('macaroon', macaroon)], None) os.environ["GRPC_SSL_CIPHER_SUITES"] = "HIGH+ECDSA" cert = open('resources/tls.cert').read() # build ssl credentials using the cert the same as before cert_creds = grpc.ssl_channel_credentials(cert) # now build meta data credentials auth_creds = grpc.metadata_call_credentials(metadata_callback) # combine the cert credentials and the macaroon auth credentials # such that every call is properly encrypted and authenticated combined_creds = grpc.composite_channel_credentials( cert_creds, auth_creds) # finally pass in the combined credentials when creating a channel channel = grpc.secure_channel('projects.koshikraj.com:10009', combined_creds) stub = lnrpc.LightningStub(channel) return stub
def make_secure_stub(credentials, user_agent, stub_class, host): """Makes a secure stub for an RPC service. Uses / depends on gRPC. :type credentials: :class:`oauth2client.client.OAuth2Credentials` :param credentials: The OAuth2 Credentials to use for creating access tokens. :type user_agent: str :param user_agent: (Optional) The user agent to be used with API requests. :type stub_class: type :param stub_class: A gRPC stub type for a given service. :type host: str :param host: The host for the service. :rtype: object, instance of ``stub_class`` :returns: The stub object used to make gRPC requests to a given API. """ # ssl_channel_credentials() loads root certificates from # `grpc/_adapter/credentials/roots.pem`. transport_creds = grpc.ssl_channel_credentials() custom_metadata_plugin = MetadataPlugin(credentials, user_agent) auth_creds = grpc.metadata_call_credentials( custom_metadata_plugin, name='google_creds') channel_creds = grpc.composite_channel_credentials( transport_creds, auth_creds) target = '%s:%d' % (host, http_client.HTTPS_PORT) channel = grpc.secure_channel(target, channel_creds) return stub_class(channel)
def get_credentials(lnd_dir): tls_certificate = open(lnd_dir + '/tls.cert', 'rb').read() ssl_credentials = grpc.ssl_channel_credentials(tls_certificate) macaroon = codecs.encode(open(lnd_dir + '/data/chain/bitcoin/mainnet/admin.macaroon', 'rb').read(), 'hex') auth_credentials = grpc.metadata_call_credentials(lambda _, callback: callback([('macaroon', macaroon)], None)) combined_credentials = grpc.composite_channel_credentials(ssl_credentials, auth_credentials) return combined_credentials
def _local_composite_credentials(self): """ Creates the credentials for the local emulator channel :return: grpc.ChannelCredentials """ credentials = google.auth.credentials.with_scopes_if_required( self._credentials, None ) request = google.auth.transport.requests.Request() # Create the metadata plugin for inserting the authorization header. metadata_plugin = google.auth.transport.grpc.AuthMetadataPlugin( credentials, request ) # Create a set of grpc.CallCredentials using the metadata plugin. google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin) # Using the local_credentials to allow connection to emulator local_credentials = grpc.local_channel_credentials() # Combine the local credentials and the authorization credentials. return grpc.composite_channel_credentials( local_credentials, google_auth_credentials )
def make_secure_channel(credentials, user_agent, host): """Makes a secure channel for an RPC service. Uses / depends on gRPC. :type credentials: :class:`oauth2client.client.OAuth2Credentials` :param credentials: The OAuth2 Credentials to use for creating access tokens. :type user_agent: str :param user_agent: The user agent to be used with API requests. :type host: str :param host: The host for the service. :rtype: :class:`grpc._channel.Channel` :returns: gRPC secure channel with credentials attached. """ # ssl_channel_credentials() loads root certificates from # `grpc/_adapter/credentials/roots.pem`. transport_creds = grpc.ssl_channel_credentials() custom_metadata_plugin = MetadataPlugin(credentials) auth_creds = grpc.metadata_call_credentials(custom_metadata_plugin, name='google_creds') channel_creds = grpc.composite_channel_credentials(transport_creds, auth_creds) target = '%s:%d' % (host, http_client.HTTPS_PORT) channel_args = (('grpc.primary_user_agent', user_agent), ) return grpc.secure_channel(target, channel_creds, options=channel_args)
def connect(): # Due to updated ECDSA generated tls.cert we need to let gprc know that # we need to use that cipher suite otherwise there will be a handshake # error when we communicate with the lnd rpc server. os.environ["GRPC_SSL_CIPHER_SUITES"] = 'HIGH+ECDSA' with open('/home/lnd/.lnd/tls.cert', 'rb') as f: cert = f.read() with open('/home/lnd/.lnd/data/chain/smartcash/mainnet/invoice.macaroon', 'rb') as f: macaroon_bytes = f.read() macaroon = codecs.encode(macaroon_bytes, 'hex') def metadata_callback(_context, callback): # for more info see grpc docs callback([('macaroon', macaroon)], None) # build ssl credentials using the cert the same as before cert_creds = grpc.ssl_channel_credentials(cert) # now build meta data credentials auth_creds = grpc.metadata_call_credentials(metadata_callback) # combine the cert credentials and the macaroon auth credentials # such that every call is properly encrypted and authenticated combined_creds = grpc.composite_channel_credentials(cert_creds, auth_creds) # finally pass in the combined credentials when creating a channel channel = grpc.secure_channel('localhost:10009', combined_creds) stub = lnrpc.LightningStub(channel) return stub
def run(): with open("kyma.pem", "rb") as fp: channel_credential = grpc.ssl_channel_credentials(fp.read()) call_credentials = grpc.metadata_call_credentials(AuthGateway(), name='auth gateway') composite_credentials = grpc.composite_channel_credentials( channel_credential, call_credentials, ) if os.environ.get("_DEV_") == "true": print("-------------- insecure_channel --------------") channel = grpc.insecure_channel('127.0.0.1:50051') else: print("-------------- secure_channel --------------") channel = grpc.secure_channel(os.environ.get( "_GRPC_SERVER_"), composite_credentials) stub = orders_pb2_grpc.OrderStub(channel) print("-------------- RecordOrder--------------") record_orders(stub) print("-------------- GetOrders --------------") get_orders(stub) channel.close()
def _conn(host: str = "localhost", rpc_port: int = 50051, conf_address: str = "http://localhost/auth", client_id: str = None, client_secret: str = None, pkey=None, cert=None, ca=None): """ `host` The host to connect to. `rpc_port` The gRPC port for host. `conf_address` The complete address for the auth configuration endpoint. `client_id` Your client id for your OAuth Auth provider. `client_secret` Corresponding client secret. `pkey` Private key for client authentication `cert` Corresponding signed certificate. CN must reflect your hosts FQDN, and must be signed by the servers CA. `ca` CA trust for the server. `secure_conf` Whether the server hosting configuration is secured (https) Returns A gRPC channel """ # TODO: make this more robust so it can handle SSL without client verification if pkey and cert and client_id and client_secret: call_credentials = grpc.metadata_call_credentials(AuthTokenPlugin(host, conf_address, client_id, client_secret)) # Channel credential will be valid for the entire channel channel_credentials = grpc.ssl_channel_credentials(ca, pkey, cert) # Combining channel credentials and call credentials together composite_credentials = grpc.composite_channel_credentials( channel_credentials, call_credentials, ) channel = grpc.secure_channel(f"{host}:{rpc_port}", composite_credentials) else: channel = grpc.insecure_channel(f"{host}:{rpc_port}") return channel
def create_channel(config: "Config") -> "Channel": """ Create a :class:`Channel` for the specified configuration. """ u = urlparse(config.url.url) options = [ ("grpc.max_send_message_length", -1), ("grpc.max_receive_message_length", -1), ] if not config.url.use_http_proxy: options.append(("grpc.enable_http_proxy", 0)) if (u.scheme in ("https", "grpcs")) or config.ssl: credentials = ssl_channel_credentials( root_certificates=config.ssl.ca, private_key=config.ssl.cert_key, certificate_chain=config.ssl.cert, ) if config.access.token: credentials = composite_channel_credentials( credentials, metadata_call_credentials(GrpcAuth(config)) ) return secure_channel(u.netloc, credentials, options) else: return insecure_channel(u.netloc, options)
async def initialization(self): cred_params = [c is not None for c in (self._user, self._password)] if all(cred_params): self.auth_stub = AuthStub(self.channel) auth_request = AuthenticateRequest(name=self._user, password=self._password) resp = await self.auth_stub.Authenticate(auth_request, self.timeout) self.call_credentials = grpc.metadata_call_credentials( EtcdTokenCallCredentials(resp.token)) elif any(cred_params): raise Exception( 'if using authentication credentials both user and password ' 'must be specified.') self.kvstub = KVStub(self.channel) self.watcher = watch.Watcher( WatchStub(self.channel), timeout=self.timeout, call_credentials=self.call_credentials, ) loop = asyncio.get_event_loop() self.watchtask = loop.create_task(self.watcher.run()) self.clusterstub = ClusterStub(self.channel) self.leasestub = LeaseStub(self.channel) self.maintenancestub = MaintenanceStub(self.channel) self.transactions = Transactions()
def get_ln_stub(): def metadata_callback(context, callback): # for more info see grpc docs callback([('macaroon', macaroon)], None) os.environ["GRPC_SSL_CIPHER_SUITES"] = 'HIGH+ECDSA' # Lnd admin macaroon is at ~/.lnd/data/chain/bitcoin/simnet/admin.macaroon on Linux and # ~/Library/Application Support/Lnd/data/chain/bitcoin/simnet/admin.macaroon on Mac with open(os.path.expanduser(settings.MACAROON_PATH), 'rb') as f: macaroon_bytes = f.read() macaroon = codecs.encode(macaroon_bytes, 'hex') cert = open(settings.CERT_PATH, 'rb').read() creds = grpc.ssl_channel_credentials(cert) # now build meta data credentials auth_creds = grpc.metadata_call_credentials(metadata_callback) # combine the cert credentials and the macaroon auth credentials # such that every call is properly encrypted and authenticated combined_creds = grpc.composite_channel_credentials(creds, auth_creds) # channel = grpc.secure_channel(settings.LND_RPCHOST, creds) channel = grpc.secure_channel(settings.LND_RPCHOST, combined_creds) # stub.GetInfo(ln.GetInfoRequest(), metadata=[('macaroon', macaroon)]) stub = lnrpc.LightningStub(channel) return stub
def make_secure_stub(credentials, user_agent, stub_class, host): """Makes a secure stub for an RPC service. Uses / depends on gRPC. :type credentials: :class:`oauth2client.client.OAuth2Credentials` :param credentials: The OAuth2 Credentials to use for creating access tokens. :type user_agent: str :param user_agent: (Optional) The user agent to be used with API requests. :type stub_class: type :param stub_class: A gRPC stub type for a given service. :type host: str :param host: The host for the service. :rtype: object, instance of ``stub_class`` :returns: The stub object used to make gRPC requests to a given API. """ # ssl_channel_credentials() loads root certificates from # `grpc/_adapter/credentials/roots.pem`. transport_creds = grpc.ssl_channel_credentials() custom_metadata_plugin = MetadataPlugin(credentials) auth_creds = grpc.metadata_call_credentials(custom_metadata_plugin, name='google_creds') channel_creds = grpc.composite_channel_credentials(transport_creds, auth_creds) target = '%s:%d' % (host, http_client.HTTPS_PORT) channel_args = (('grpc.primary_user_agent', user_agent), ) channel = grpc.secure_channel(target, channel_creds, options=channel_args) return stub_class(channel)
def _stub(args): target = '{}:{}'.format(args.server_host, args.server_port) if args.test_case == 'oauth2_auth_token': google_credentials, unused_project_id = google_auth.default( scopes=[args.oauth_scope]) google_credentials.refresh(google_auth.transport.requests.Request()) call_credentials = grpc.access_token_call_credentials( google_credentials.token) elif args.test_case == 'compute_engine_creds': google_credentials, unused_project_id = google_auth.default( scopes=[args.oauth_scope]) call_credentials = grpc.metadata_call_credentials( google_auth.transport.grpc.AuthMetadataPlugin( credentials=google_credentials, request=google_auth.transport.requests.Request())) elif args.test_case == 'jwt_token_creds': google_credentials = google_auth_jwt.OnDemandCredentials.from_service_account_file( os.environ[google_auth.environment_vars.CREDENTIALS]) call_credentials = grpc.metadata_call_credentials( google_auth.transport.grpc.AuthMetadataPlugin( credentials=google_credentials, request=None)) else: call_credentials = None if args.use_tls: if args.use_test_ca: root_certificates = resources.test_root_certificates() else: root_certificates = None # will load default roots. channel_credentials = grpc.ssl_channel_credentials(root_certificates) if call_credentials is not None: channel_credentials = grpc.composite_channel_credentials( channel_credentials, call_credentials) channel_opts = None if args.server_host_override: channel_opts = (( 'grpc.ssl_target_name_override', args.server_host_override, ),) channel = grpc.secure_channel(target, channel_credentials, channel_opts) else: channel = grpc.insecure_channel(target) if args.test_case == "unimplemented_service": return test_pb2_grpc.UnimplementedServiceStub(channel) else: return test_pb2_grpc.TestServiceStub(channel)
def secure_authorized_channel(credentials, request, target, ssl_credentials=None, **kwargs): """Creates a secure authorized gRPC channel. This creates a channel with SSL and :class:`AuthMetadataPlugin`. This channel can be used to create a stub that can make authorized requests. Example:: import google.auth import google.auth.transport.grpc import google.auth.transport.requests from google.cloud.speech.v1 import cloud_speech_pb2 # Get credentials. credentials, _ = google.auth.default() # Get an HTTP request function to refresh credentials. request = google.auth.transport.requests.Request() # Create a channel. channel = google.auth.transport.grpc.secure_authorized_channel( credentials, 'speech.googleapis.com:443', request) # Use the channel to create a stub. cloud_speech.create_Speech_stub(channel) Args: credentials (google.auth.credentials.Credentials): The credentials to add to requests. request (google.auth.transport.Request): A HTTP transport request object used to refresh credentials as needed. Even though gRPC is a separate transport, there's no way to refresh the credentials without using a standard http transport. target (str): The host and port of the service. ssl_credentials (grpc.ChannelCredentials): Optional SSL channel credentials. This can be used to specify different certificates. kwargs: Additional arguments to pass to :func:`grpc.secure_channel`. Returns: grpc.Channel: The created gRPC channel. """ # Create the metadata plugin for inserting the authorization header. metadata_plugin = AuthMetadataPlugin(credentials, request) # Create a set of grpc.CallCredentials using the metadata plugin. google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin) if ssl_credentials is None: ssl_credentials = grpc.ssl_channel_credentials() # Combine the ssl credentials and the authorization credentials. composite_credentials = grpc.composite_channel_credentials( ssl_credentials, google_auth_credentials) return grpc.secure_channel(target, composite_credentials, **kwargs)
def _create_composite_credentials(credentials=None, credentials_file=None, scopes=None, ssl_credentials=None, quota_project_id=None): """Create the composite credentials for secure channels. Args: credentials (google.auth.credentials.Credentials): The credentials. If not specified, then this function will attempt to ascertain the credentials from the environment using :func:`google.auth.default`. credentials_file (str): A file with credentials that can be loaded with :func:`google.auth.load_credentials_from_file`. This argument is mutually exclusive with credentials. scopes (Sequence[str]): A optional list of scopes needed for this service. These are only used when credentials are not specified and are passed to :func:`google.auth.default`. ssl_credentials (grpc.ChannelCredentials): Optional SSL channel credentials. This can be used to specify different certificates. quota_project_id (str): An optional project to use for billing and quota. Returns: grpc.ChannelCredentials: The composed channel credentials object. Raises: google.api_core.DuplicateCredentialArgs: If both a credentials object and credentials_file are passed. """ if credentials and credentials_file: raise exceptions.DuplicateCredentialArgs( "'credentials' and 'credentials_file' are mutually exclusive.") if credentials_file: credentials, _ = google.auth.load_credentials_from_file( credentials_file, scopes=scopes) elif credentials: credentials = google.auth.credentials.with_scopes_if_required( credentials, scopes) else: credentials, _ = google.auth.default(scopes=scopes) if quota_project_id and isinstance( credentials, google.auth.credentials.CredentialsWithQuotaProject): credentials = credentials.with_quota_project(quota_project_id) request = google.auth.transport.requests.Request() # Create the metadata plugin for inserting the authorization header. metadata_plugin = google.auth.transport.grpc.AuthMetadataPlugin( credentials, request) # Create a set of grpc.CallCredentials using the metadata plugin. google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin) if ssl_credentials is None: ssl_credentials = grpc.ssl_channel_credentials() # Combine the ssl credentials and the authorization credentials. return grpc.composite_channel_credentials(ssl_credentials, google_auth_credentials)
def get_protocol_token_credentials(): token = os.environ.get("PROTOCOL_TOKEN") if token: return grpc.metadata_call_credentials(ProtocolTokenCredentials(token)) else: logger.debug("No protocol token found") return None
def secure_authorized_channel( credentials, request, target, ssl_credentials=None, **kwargs): """Creates a secure authorized gRPC channel. This creates a channel with SSL and :class:`AuthMetadataPlugin`. This channel can be used to create a stub that can make authorized requests. Example:: import google.auth import google.auth.transport.grpc import google.auth.transport.requests from google.cloud.speech.v1 import cloud_speech_pb2 # Get credentials. credentials, _ = google.auth.default() # Get an HTTP request function to refresh credentials. request = google.auth.transport.requests.Request() # Create a channel. channel = google.auth.transport.grpc.secure_authorized_channel( credentials, 'speech.googleapis.com:443', request) # Use the channel to create a stub. cloud_speech.create_Speech_stub(channel) Args: credentials (google.auth.credentials.Credentials): The credentials to add to requests. request (google.auth.transport.Request): A HTTP transport request object used to refresh credentials as needed. Even though gRPC is a separate transport, there's no way to refresh the credentials without using a standard http transport. target (str): The host and port of the service. ssl_credentials (grpc.ChannelCredentials): Optional SSL channel credentials. This can be used to specify different certificates. kwargs: Additional arguments to pass to :func:`grpc.secure_channel`. Returns: grpc.Channel: The created gRPC channel. """ # Create the metadata plugin for inserting the authorization header. metadata_plugin = AuthMetadataPlugin(credentials, request) # Create a set of grpc.CallCredentials using the metadata plugin. google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin) if ssl_credentials is None: ssl_credentials = grpc.ssl_channel_credentials() # Combine the ssl credentials and the authorization credentials. composite_credentials = grpc.composite_channel_credentials( ssl_credentials, google_auth_credentials) return grpc.secure_channel(target, composite_credentials, **kwargs)
def metadata_call_credentials(metadata_plugin, name=None): def plugin(context, callback): def wrapped_callback(beta_metadata, error): callback(_metadata.unbeta(beta_metadata), error) metadata_plugin(context, wrapped_callback) return grpc.metadata_call_credentials(plugin, name=name)
def secure_authorized_channel( credentials, target, ssl_credentials=None): """Creates a secure authorized gRPC channel.""" if ssl_credentials is None: ssl_credentials = grpc.ssl_channel_credentials() metadata_plugin = AuthMetadataPlugin(credentials) call_credentials = grpc.metadata_call_credentials(metadata_plugin) channel_creds = grpc.composite_channel_credentials( ssl_credentials, call_credentials) return grpc.secure_channel(target, channel_creds)
def create_channel( target, credentials=None, scopes=None, ssl_credentials=None, **kwargs ): """Create a secure channel with credentials. Args: target (str): The target service address in the format 'hostname:port'. credentials (google.auth.credentials.Credentials): The credentials. If not specified, then this function will attempt to ascertain the credentials from the environment using :func:`google.auth.default`. scopes (Sequence[str]): A optional list of scopes needed for this service. These are only used when credentials are not specified and are passed to :func:`google.auth.default`. ssl_credentials (grpc.ChannelCredentials): Optional SSL channel credentials. This can be used to specify different certificates. kwargs: Additional key-word args passed to :func:`grpc_gcp.secure_channel` or :func:`grpc.secure_channel`. Returns: grpc.Channel: The created channel. """ if credentials is None: credentials, _ = google.auth.default(scopes=scopes) else: credentials = google.auth.credentials.with_scopes_if_required( credentials, scopes ) request = google.auth.transport.requests.Request() # Create the metadata plugin for inserting the authorization header. metadata_plugin = google.auth.transport.grpc.AuthMetadataPlugin( credentials, request ) # Create a set of grpc.CallCredentials using the metadata plugin. google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin) if ssl_credentials is None: ssl_credentials = grpc.ssl_channel_credentials() # Combine the ssl credentials and the authorization credentials. composite_credentials = grpc.composite_channel_credentials( ssl_credentials, google_auth_credentials ) if HAS_GRPC_GCP: # If grpc_gcp module is available use grpc_gcp.secure_channel, # otherwise, use grpc.secure_channel to create grpc channel. return grpc_gcp.secure_channel(target, composite_credentials, **kwargs) else: return grpc.secure_channel(target, composite_credentials, **kwargs)
def _per_rpc_creds(stub, args): json_key_filename = os.environ[google_auth_environment_vars.CREDENTIALS] wanted_email = json.load(open(json_key_filename, 'rb'))['client_email'] google_credentials, unused_project_id = google_auth.default( scopes=[args.oauth_scope]) call_credentials = grpc.metadata_call_credentials( google_auth_transport_grpc.AuthMetadataPlugin( credentials=google_credentials, request=google_auth_transport_requests.Request())) response = _large_unary_common_behavior(stub, True, False, call_credentials) if wanted_email != response.username: raise ValueError('expected username %s, got %s' % (wanted_email, response.username))
def __init__(self, rpc_uri: str, peer_uri: str): self.peer_uri = peer_uri if LND_AUTH_DATA_PATH != 'default': path = LND_AUTH_DATA_PATH elif platform == "linux" or platform == "linux2": path = '~/.lnd/' elif platform == "darwin": path = '~/Library/Application Support/Lnd/' else: raise Exception(f"What's the {platform} path for the lnd tls cert?") self.main_lnd_path = os.path.expanduser(path) lnd_tls_cert_path = os.path.join(self.main_lnd_path, 'tls.cert') self.lnd_tls_cert = open(lnd_tls_cert_path, 'rb').read() cert_credentials = grpc.ssl_channel_credentials(self.lnd_tls_cert) admin_macaroon_path = os.path.join(self.main_lnd_path, 'admin.macaroon') with open(admin_macaroon_path, 'rb') as f: macaroon_bytes = f.read() self.macaroon = codecs.encode(macaroon_bytes, 'hex') def metadata_callback(context: _AuthMetadataPluginCallback, callback: _AuthMetadataContext): callback([('macaroon', self.macaroon)], None) auth_credentials = grpc.metadata_call_credentials(metadata_callback) self.credentials = grpc.composite_channel_credentials(cert_credentials, auth_credentials) self.grpc_channel = grpc.secure_channel(rpc_uri, self.credentials ) self.lnd_client = lnrpc.LightningStub(self.grpc_channel)