def __init__(self, server, config, hist): # Create the stub if config.HasField('security_params'): creds = grpc.ssl_channel_credentials( resources.test_root_certificates()) channel = test_common.test_secure_channel( server, creds, config.security_params.server_host_override) else: channel = grpc.insecure_channel(server) # waits for the channel to be ready before we start sending messages grpc.channel_ready_future(channel).result() if config.payload_config.WhichOneof('payload') == 'simple_params': self._generic = False self._stub = services_pb2.BenchmarkServiceStub(channel) payload = messages_pb2.Payload( body='\0' * config.payload_config.simple_params.req_size) self._request = messages_pb2.SimpleRequest( payload=payload, response_size=config.payload_config.simple_params.resp_size) else: self._generic = True self._stub = GenericStub(channel) self._request = '\0' * config.payload_config.bytebuf_params.req_size self._hist = hist self._response_callbacks = []
def MakeSecureChannel(target): """Creates grpc secure channel. Args: target: str, The server address, for example: bigtableadmin.googleapis.com:443. Returns: grpc.secure channel. """ credentials = cred_store.Load() # ssl_channel_credentials() loads root certificates from # `grpc/_adapter/credentials/roots.pem`. transport_creds = grpc.ssl_channel_credentials() custom_metadata_plugin = _MetadataPlugin(credentials) auth_creds = grpc.metadata_call_credentials( custom_metadata_plugin, name='google_creds') channel_creds = grpc.composite_channel_credentials( transport_creds, auth_creds) channel_args = ( ('grpc.primary_user_agent', http.MakeUserAgentString(properties.VALUES.metrics.command_name.Get())), ) return grpc.secure_channel(target, channel_creds, options=channel_args)
def testSecureNoCert(self): handler = grpc.method_handlers_generic_handler('test', { 'UnaryUnary': grpc.unary_unary_rpc_method_handler(handle_unary_unary) }) server = test_common.test_server() server.add_generic_rpc_handlers((handler,)) server_cred = grpc.ssl_server_credentials(_SERVER_CERTS) port = server.add_secure_port('[::]:0', server_cred) server.start() channel_creds = grpc.ssl_channel_credentials( root_certificates=_TEST_ROOT_CERTIFICATES) channel = grpc.secure_channel( 'localhost:{}'.format(port), channel_creds, options=_PROPERTY_OPTIONS) response = channel.unary_unary(_UNARY_UNARY)(_REQUEST) channel.close() server.stop(None) auth_data = pickle.loads(response) self.assertIsNone(auth_data[_ID]) self.assertIsNone(auth_data[_ID_KEY]) self.assertDictEqual({ 'transport_security_type': [b'ssl'], 'ssl_session_reused': [b'false'], }, auth_data[_AUTH_CTX])
def testSessionResumption(self): # Set up a secure server handler = grpc.method_handlers_generic_handler('test', { 'UnaryUnary': grpc.unary_unary_rpc_method_handler(handle_unary_unary) }) server = test_common.test_server() server.add_generic_rpc_handlers((handler,)) server_cred = grpc.ssl_server_credentials(_SERVER_CERTS) port = server.add_secure_port('[::]:0', server_cred) server.start() # Create a cache for TLS session tickets cache = session_cache.ssl_session_cache_lru(1) channel_creds = grpc.ssl_channel_credentials( root_certificates=_TEST_ROOT_CERTIFICATES) channel_options = _PROPERTY_OPTIONS + ( ('grpc.ssl_session_cache', cache),) # Initial connection has no session to resume self._do_one_shot_client_rpc( channel_creds, channel_options, port, expect_ssl_session_reused=[b'false']) # Subsequent connections resume sessions self._do_one_shot_client_rpc( channel_creds, channel_options, port, expect_ssl_session_reused=[b'true']) server.stop(None)
def __init__( self, hostname, port=50051, cacert=SERVER_CA, username=None, password=None, sessionid=None, ): super(SecureClient, self).__init__(hostname, port) server_ca = open(cacert, "r").read() if sessionid: call_creds = metadata_call_credentials(SessionIdCallCredentials(sessionid)) else: call_creds = metadata_call_credentials( UsernamePasswordCallCredentials(username, password) ) chan_creds = ssl_channel_credentials(server_ca) chan_creds = composite_channel_credentials(chan_creds, call_creds) self.channel = grpc.secure_channel( "%s:%d" % (self.hostname, self.port), chan_creds ) self.stub = xos_pb2_grpc.xosStub(self.channel) self.modeldefs = modeldefs_pb2_grpc.modeldefsStub(self.channel) self.utility = utility_pb2_grpc.utilityStub(self.channel) self.xos_orm = orm.ORMStub(self.stub, "xos")
def __init__( self, consul_endpoint=None, work_dir="/tmp/xos_grpc_protos", endpoint="localhost:50055", reconnect_callback=None, cacert=SERVER_CA, username=None, password=None, sessionid=None, ): server_ca = open(cacert, "r").read() if sessionid: call_creds = metadata_call_credentials(SessionIdCallCredentials(sessionid)) else: call_creds = metadata_call_credentials( UsernamePasswordCallCredentials(username, password) ) chan_creds = ssl_channel_credentials(server_ca) chan_creds = composite_channel_credentials(chan_creds, call_creds) super(SecureClient, self).__init__( consul_endpoint, work_dir, endpoint, self.reconnected, chan_creds ) self.reconnect_callback2 = reconnect_callback
def __init__(self, server, config, hist): # Create the stub if config.HasField('security_params'): creds = grpc.ssl_channel_credentials(resources.test_root_certificates()) channel = test_common.test_secure_channel( server, creds, config.security_params.server_host_override) else: channel = grpc.insecure_channel(server) connected_event = threading.Event() def wait_for_ready(connectivity): if connectivity == grpc.ChannelConnectivity.READY: connected_event.set() channel.subscribe(wait_for_ready, try_to_connect=True) connected_event.wait() if config.payload_config.WhichOneof('payload') == 'simple_params': self._generic = False self._stub = services_pb2.BenchmarkServiceStub(channel) payload = messages_pb2.Payload( body='\0' * config.payload_config.simple_params.req_size) self._request = messages_pb2.SimpleRequest( payload=payload, response_size=config.payload_config.simple_params.resp_size) else: self._generic = True self._stub = GenericStub(channel) self._request = '\0' * config.payload_config.bytebuf_params.req_size self._hist = hist self._response_callbacks = []
def make_secure_stub(credentials, user_agent, stub_class, host): """Makes a secure stub for an RPC service. Uses / depends on gRPC. :type credentials: :class:`oauth2client.client.OAuth2Credentials` :param credentials: The OAuth2 Credentials to use for creating access tokens. :type user_agent: str :param user_agent: (Optional) The user agent to be used with API requests. :type stub_class: type :param stub_class: A gRPC stub type for a given service. :type host: str :param host: The host for the service. :rtype: object, instance of ``stub_class`` :returns: The stub object used to make gRPC requests to a given API. """ # ssl_channel_credentials() loads root certificates from # `grpc/_adapter/credentials/roots.pem`. transport_creds = grpc.ssl_channel_credentials() custom_metadata_plugin = MetadataPlugin(credentials, user_agent) auth_creds = grpc.metadata_call_credentials( custom_metadata_plugin, name='google_creds') channel_creds = grpc.composite_channel_credentials( transport_creds, auth_creds) target = '%s:%d' % (host, http_client.HTTPS_PORT) channel = grpc.secure_channel(target, channel_creds) return stub_class(channel)
def testSecureClientCert(self): handler = grpc.method_handlers_generic_handler('test', { 'UnaryUnary': grpc.unary_unary_rpc_method_handler(handle_unary_unary) }) server = test_common.test_server() server.add_generic_rpc_handlers((handler,)) server_cred = grpc.ssl_server_credentials( _SERVER_CERTS, root_certificates=_TEST_ROOT_CERTIFICATES, require_client_auth=True) port = server.add_secure_port('[::]:0', server_cred) server.start() channel_creds = grpc.ssl_channel_credentials( root_certificates=_TEST_ROOT_CERTIFICATES, private_key=_PRIVATE_KEY, certificate_chain=_CERTIFICATE_CHAIN) channel = grpc.secure_channel( 'localhost:{}'.format(port), channel_creds, options=_PROPERTY_OPTIONS) response = channel.unary_unary(_UNARY_UNARY)(_REQUEST) channel.close() server.stop(None) auth_data = pickle.loads(response) auth_ctx = auth_data[_AUTH_CTX] six.assertCountEqual(self, _CLIENT_IDS, auth_data[_ID]) self.assertEqual('x509_subject_alternative_name', auth_data[_ID_KEY]) self.assertSequenceEqual([b'ssl'], auth_ctx['transport_security_type']) self.assertSequenceEqual([b'*.test.google.com'], auth_ctx['x509_common_name'])
def _channel(args): target = '{}:{}'.format(args.server_host, args.server_port) if args.use_tls: channel_credentials = grpc.ssl_channel_credentials() channel = grpc.secure_channel(target, channel_credentials) else: channel = grpc.insecure_channel(target) return channel
def getGRPCChannel(ipAddress, port, root_certificates, ssl_target_name_override): # channel = grpc.insecure_channel("{0}:{1}".format(ipAddress, 7051), options = [('grpc.max_message_length', 100*1024*1024)]) # creds = grpc.ssl_channel_credentials(root_certificates=root_certificates, private_key=private_key, certificate_chain=certificate_chain) creds = grpc.ssl_channel_credentials(root_certificates=root_certificates) channel = grpc.secure_channel("{0}:{1}".format(ipAddress, port), creds, options=(('grpc.ssl_target_name_override', ssl_target_name_override,),('grpc.default_authority', ssl_target_name_override,),)) print("Returning GRPC for address: {0}".format(ipAddress)) return channel
def secure_authorized_channel( credentials, request, target, ssl_credentials=None, **kwargs): """Creates a secure authorized gRPC channel. This creates a channel with SSL and :class:`AuthMetadataPlugin`. This channel can be used to create a stub that can make authorized requests. Example:: import google.auth import google.auth.transport.grpc import google.auth.transport.requests from google.cloud.speech.v1 import cloud_speech_pb2 # Get credentials. credentials, _ = google.auth.default() # Get an HTTP request function to refresh credentials. request = google.auth.transport.requests.Request() # Create a channel. channel = google.auth.transport.grpc.secure_authorized_channel( credentials, 'speech.googleapis.com:443', request) # Use the channel to create a stub. cloud_speech.create_Speech_stub(channel) Args: credentials (google.auth.credentials.Credentials): The credentials to add to requests. request (google.auth.transport.Request): A HTTP transport request object used to refresh credentials as needed. Even though gRPC is a separate transport, there's no way to refresh the credentials without using a standard http transport. target (str): The host and port of the service. ssl_credentials (grpc.ChannelCredentials): Optional SSL channel credentials. This can be used to specify different certificates. kwargs: Additional arguments to pass to :func:`grpc.secure_channel`. Returns: grpc.Channel: The created gRPC channel. """ # Create the metadata plugin for inserting the authorization header. metadata_plugin = AuthMetadataPlugin(credentials, request) # Create a set of grpc.CallCredentials using the metadata plugin. google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin) if ssl_credentials is None: ssl_credentials = grpc.ssl_channel_credentials() # Combine the ssl credentials and the authorization credentials. composite_credentials = grpc.composite_channel_credentials( ssl_credentials, google_auth_credentials) return grpc.secure_channel(target, composite_credentials, **kwargs)
def Main(): try: parser = argparse.ArgumentParser() parser.add_argument('-d','--device', help='Input hostname', required=True) parser.add_argument('-t','--timeout', help='Input time_out value', required=True,type=int) parser.add_argument('-u', '--user', help='Input username', required=True) parser.add_argument('-pw', '--password', help='Input password', required=True) args = parser.parse_args() #Establish grpc channel to jet router creds = grpc.ssl_channel_credentials(open('/tmp/RSA2048.pem').read(), None, None) channel = grpc.secure_channel(args.device + ":32767", creds, options=(('grpc.ssl_target_name_override', _HOST_OVERRIDE,),)) #create stub for authentication services stub = authentication_service_pb2.LoginStub(channel) #Authenticate login_request = authentication_service_pb2.LoginRequest( user_name=args.user, password=args.password, client_id="SampleApp") login_response = stub.LoginCheck(login_request, args.timeout) #Check if authentication is successful if login_response.result == True: print "[INFO] Connected to gRPC Server:" print login_response.result else: print "[ERROR] gRPC Server Connection failed!!!" print login_response.result #Create stub for management services stub = management_service_pb2.ManagementRpcApiStub(channel) print "[INFO] Connected to JSD and created handle to mgd services" for i in range(1): #Provide API request details op_xml_command = "<get-system-uptime-information>" \ "</get-system-uptime-information>" op = management_service_pb2.ExecuteOpCommandRequest( xml_command=op_xml_command, out_format=2, request_id=1000) # Invoke API result = stub.ExecuteOpCommand(op, 100) # Check API response like status and output for i in result: print "[INFO] Invoked ExecuteOpCommand API return code = " print i.status print "[INFO] Return output in CLI format = " print i.data except Exception as ex: print ex
def open_grpc_channel(endpoint): """ open grpc channel: - for http:// we open insecure_channel - for https:// we open secure_channel (with default credentials) - without prefix we open insecure_channel """ if (endpoint.startswith("https://")): return grpc.secure_channel(remove_http_https_prefix(endpoint), grpc.ssl_channel_credentials()) return grpc.insecure_channel(remove_http_https_prefix(endpoint))
def secure_authorized_channel( credentials, target, ssl_credentials=None): """Creates a secure authorized gRPC channel.""" if ssl_credentials is None: ssl_credentials = grpc.ssl_channel_credentials() metadata_plugin = AuthMetadataPlugin(credentials) call_credentials = grpc.metadata_call_credentials(metadata_plugin) channel_creds = grpc.composite_channel_credentials( ssl_credentials, call_credentials) return grpc.secure_channel(target, channel_creds)
def _do_one_shot_client_rpc(self, expect_success, root_certificates=None, private_key=None, certificate_chain=None): credentials = grpc.ssl_channel_credentials( root_certificates=root_certificates, private_key=private_key, certificate_chain=certificate_chain) with _create_channel(self.port, credentials) as client_channel: client_stub = _create_client_stub(client_channel, expect_success) self._perform_rpc(client_stub, expect_success)
def create_channel( target, credentials=None, scopes=None, ssl_credentials=None, **kwargs ): """Create a secure channel with credentials. Args: target (str): The target service address in the format 'hostname:port'. credentials (google.auth.credentials.Credentials): The credentials. If not specified, then this function will attempt to ascertain the credentials from the environment using :func:`google.auth.default`. scopes (Sequence[str]): A optional list of scopes needed for this service. These are only used when credentials are not specified and are passed to :func:`google.auth.default`. ssl_credentials (grpc.ChannelCredentials): Optional SSL channel credentials. This can be used to specify different certificates. kwargs: Additional key-word args passed to :func:`grpc_gcp.secure_channel` or :func:`grpc.secure_channel`. Returns: grpc.Channel: The created channel. """ if credentials is None: credentials, _ = google.auth.default(scopes=scopes) else: credentials = google.auth.credentials.with_scopes_if_required( credentials, scopes ) request = google.auth.transport.requests.Request() # Create the metadata plugin for inserting the authorization header. metadata_plugin = google.auth.transport.grpc.AuthMetadataPlugin( credentials, request ) # Create a set of grpc.CallCredentials using the metadata plugin. google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin) if ssl_credentials is None: ssl_credentials = grpc.ssl_channel_credentials() # Combine the ssl credentials and the authorization credentials. composite_credentials = grpc.composite_channel_credentials( ssl_credentials, google_auth_credentials ) if HAS_GRPC_GCP: # If grpc_gcp module is available use grpc_gcp.secure_channel, # otherwise, use grpc.secure_channel to create grpc channel. return grpc_gcp.secure_channel(target, composite_credentials, **kwargs) else: return grpc.secure_channel(target, composite_credentials, **kwargs)
def _get_channel(target, args): if args.use_tls: if args.use_test_ca: root_certificates = resources.test_root_certificates() else: root_certificates = None # will load default roots. channel_credentials = grpc.ssl_channel_credentials( root_certificates=root_certificates) options = (('grpc.ssl_target_name_override', args.server_host_override,),) return grpc.secure_channel( target, channel_credentials, options=options) else: return grpc.insecure_channel(target)
def Main(): """ This function handles connections to Sites, Routers and JET firewall and management services """ try: "connection handles to site is optional in case polling to sites on SNMP/DyCOS server" for i in range(1, n+1): creds = grpc.ssl_channel_credentials(open('{}.pem'.format(globals()['S%s_IP' %i])).read()) channel = grpc.secure_channel(globals()['S%s_IP' %i]+':'+PORT, creds) res = _authenticateChannel(channel, USER, PASSWORD, CLIENT_ID) print "Authentication "+('success' if res else 'failure')+' for '+globals()['S%s_IP' %i] if res is False: return S_mgmt_stub = mgd_service_pb2.ManagementRpcApiStub(channel) globals()['mgmt_S%s' % i] = S_mgmt_stub "MX router connection and JET service handles" for i in range(1, n-1): creds = grpc.ssl_channel_credentials(open('{}.pem'.format(globals()['R%s_IP' %i])).read()) channel = grpc.secure_channel(globals()['R%s_IP' %i]+':'+PORT, creds) res = _authenticateChannel(channel, USER, PASSWORD, CLIENT_ID) print "Authentication "+('success' if res else 'failure')+' for '+globals()['R%s_IP' %i] if res is False: return R_fw_stub = firewall_service_pb2.AclServiceStub(channel) R_mgmt_stub = mgd_service_pb2.ManagementRpcApiStub(channel) globals()['mgmt_R%s' % i] = R_mgmt_stub globals()['fw_R%s' % i] = R_fw_stub Initial_Cos_Configs() Get_Site_Latest_Data() except KeyboardInterrupt: pass except Exception as tx: print '%s' % (tx.message) return
def setUp(self): self.server = grpc.server(futures.ThreadPoolExecutor(max_workers=10)) test_pb2.add_TestServiceServicer_to_server( methods.TestService(), self.server) port = self.server.add_secure_port( '[::]:0', grpc.ssl_server_credentials( [(resources.private_key(), resources.certificate_chain())])) self.server.start() self.stub = test_pb2.TestServiceStub( grpc.secure_channel( 'localhost:{}'.format(port), grpc.ssl_channel_credentials(resources.test_root_certificates()), (('grpc.ssl_target_name_override', _SERVER_HOST_OVERRIDE,),)))
def _get_channel(self): try: creds = grpc.ssl_channel_credentials( root_certificates=self.cert_context) self.channel = \ grpc.secure_channel('{}:{}'.format( self.host, self.port), creds, options=(('grpc.ssl_target_name_override', self.ssl_target_name,), ('grpc.default_authority', self.default_authority),)) except Exception as e: self._logger.error( 'failed to create connection exception: {}'.format( ';'.join(str(e).split('\n\t'))))
def get_auth(): client_key_file = open("../../auth/client.key") client_key = client_key_file.read() client_key_file.close() client_crt_file = open("../../auth/client.crt") client_crt = client_crt_file.read() client_crt_file.close() ca_crt_file = open("../../auth/ca.crt") ca_crt = ca_crt_file.read() ca_crt_file.close() return grpc.ssl_channel_credentials(root_certificates=ca_crt, private_key=client_key, certificate_chain=client_crt)
def dial(self): if self.stub: self.stub.close() p = urlparse('http://' + self.addr) target = '%s:%s' % (p.hostname, p.port) if self.root_certificates or self.private_key or self.certificate_chain: creds = grpc.ssl_channel_credentials( self.root_certificates, self.private_key, self.certificate_chain) channel = grpc.secure_channel(target, creds) else: channel = grpc.insecure_channel(target) self.stub = vtgateservice_pb2.VitessStub(channel)
def _create_client_stub( port, expect_success, root_certificates=None, private_key=None, certificate_chain=None,): channel = grpc.secure_channel('localhost:{}'.format(port), grpc.ssl_channel_credentials( root_certificates=root_certificates, private_key=private_key, certificate_chain=certificate_chain)) if expect_success: # per Nathaniel: there's some robustness issue if we start # using a channel without waiting for it to be actually ready grpc.channel_ready_future(channel).result(timeout=10) return services_pb2_grpc.FirstServiceStub(channel)
def dial(self): if self.stub: self.stub.close() p = urlparse('http://' + self.addr) target = '%s:%s' % (p.hostname, p.port) if self.root_certificates or self.private_key or self.certificate_chain: creds = grpc.ssl_channel_credentials( self.root_certificates, self.private_key, self.certificate_chain) channel = grpc.secure_channel(target, creds) else: channel = grpc.insecure_channel(target) if self.auth_static_client_creds is not None: channel = grpc_with_metadata.GRPCWithMetadataChannel(channel, self.get_auth_static_client_creds) self.stub = vtgateservice_pb2.VitessStub(channel)
def test_create_channel_implicit_with_ssl_creds( grpc_secure_channel, default, composite_creds_call ): target = "example.com:443" ssl_creds = grpc.ssl_channel_credentials() grpc_helpers.create_channel(target, ssl_credentials=ssl_creds) default.assert_called_once_with(scopes=None) composite_creds_call.assert_called_once_with(ssl_creds, mock.ANY) composite_creds = composite_creds_call.return_value if grpc_helpers.HAS_GRPC_GCP: grpc_secure_channel.assert_called_once_with(target, composite_creds, None) else: grpc_secure_channel.assert_called_once_with(target, composite_creds)
def setUp(self): self.server = test_common.test_server() test_pb2_grpc.add_TestServiceServicer_to_server(service.TestService(), self.server) port = self.server.add_secure_port( '[::]:0', grpc.ssl_server_credentials([(resources.private_key(), resources.certificate_chain())])) self.server.start() self.stub = test_pb2_grpc.TestServiceStub( grpc.secure_channel('localhost:{}'.format(port), grpc.ssl_channel_credentials( resources.test_root_certificates()), (( 'grpc.ssl_target_name_override', _SERVER_HOST_OVERRIDE, ),)))
def _stub(args): target = '{}:{}'.format(args.server_host, args.server_port) if args.test_case == 'oauth2_auth_token': google_credentials, unused_project_id = google_auth.default( scopes=[args.oauth_scope]) google_credentials.refresh(google_auth.transport.requests.Request()) call_credentials = grpc.access_token_call_credentials( google_credentials.token) elif args.test_case == 'compute_engine_creds': google_credentials, unused_project_id = google_auth.default( scopes=[args.oauth_scope]) call_credentials = grpc.metadata_call_credentials( google_auth.transport.grpc.AuthMetadataPlugin( credentials=google_credentials, request=google_auth.transport.requests.Request())) elif args.test_case == 'jwt_token_creds': google_credentials = google_auth_jwt.OnDemandCredentials.from_service_account_file( os.environ[google_auth.environment_vars.CREDENTIALS]) call_credentials = grpc.metadata_call_credentials( google_auth.transport.grpc.AuthMetadataPlugin( credentials=google_credentials, request=None)) else: call_credentials = None if args.use_tls: if args.use_test_ca: root_certificates = resources.test_root_certificates() else: root_certificates = None # will load default roots. channel_credentials = grpc.ssl_channel_credentials(root_certificates) if call_credentials is not None: channel_credentials = grpc.composite_channel_credentials( channel_credentials, call_credentials) channel_opts = None if args.server_host_override: channel_opts = (( 'grpc.ssl_target_name_override', args.server_host_override, ),) channel = grpc.secure_channel(target, channel_credentials, channel_opts) else: channel = grpc.insecure_channel(target) if args.test_case == "unimplemented_service": return test_pb2_grpc.UnimplementedServiceStub(channel) else: return test_pb2_grpc.TestServiceStub(channel)
def test_channel_credentials_composition(self): first_call_credentials = grpc.access_token_call_credentials('abc') second_call_credentials = grpc.access_token_call_credentials('def') third_call_credentials = grpc.access_token_call_credentials('ghi') channel_credentials = grpc.ssl_channel_credentials() channel_and_first = grpc.composite_channel_credentials( channel_credentials, first_call_credentials) channel_first_and_second = grpc.composite_channel_credentials( channel_credentials, first_call_credentials, second_call_credentials) channel_first_second_and_third = grpc.composite_channel_credentials( channel_credentials, first_call_credentials, second_call_credentials, third_call_credentials) self.assertIsInstance(channel_and_first, grpc.ChannelCredentials) self.assertIsInstance(channel_first_and_second, grpc.ChannelCredentials) self.assertIsInstance( channel_first_second_and_third, grpc.ChannelCredentials)
def _get_channel(target, args): if args.use_tls: if args.use_test_ca: root_certificates = resources.test_root_certificates() else: root_certificates = None # will load default roots. channel_credentials = grpc.ssl_channel_credentials( root_certificates=root_certificates) options = (('grpc.ssl_target_name_override', args.server_host_override,),) channel = grpc.secure_channel( target, channel_credentials, options=options) else: channel = grpc.insecure_channel(target) # waits for the channel to be ready before we start sending messages grpc.channel_ready_future(channel).result() return channel
try: from python.tulipsolutions.api.auth import jwt_interceptor except ImportError: from tulipsolutions.api.auth import jwt_interceptor try: from python.tulipsolutions.api.auth import message_authentication_interceptor except ImportError: from tulipsolutions.api.auth import message_authentication_interceptor if __name__ == '__main__': args = sys.argv if len(args) == 1: # Use system CA trust store to connect to public MockGrpc service. address = 'mockgrpc.test.tulipsolutions.nl:443' creds = grpc.ssl_channel_credentials() elif len(args) == 3: # Use Mock CA certificates from this repository # The server cert is set up to accept connections to localhost ca_cert_path = 'mockgrpc/src/main/resources/certs/mock_ca.crt' if not os.path.exists(ca_cert_path): # If this file is run from the examples workspace, the cert file will be placed here by Bazel ca_cert_path = "external/nl_tulipsolutions_tecl/" + ca_cert_path with open(ca_cert_path, 'rb') as ca_cert_file: trust_cert_collection = ca_cert_file.read() creds = grpc.ssl_channel_credentials(trust_cert_collection) address = '%s:%s' % (args[1], args[2]) elif len(args) == 4: # Use command line provided CA certificate bundle address = '%s:%s' % (args[1], args[2]) with open(args[3], 'rb') as ca_cert_file:
def build_credentials(self): self.cert_creds = grpc.ssl_channel_credentials(self.tls_cert_key) self.auth_creds = grpc.metadata_call_credentials( self.metadata_callback) self.combined_creds = grpc.composite_channel_credentials( self.cert_creds, self.auth_creds)
def construct(self, return_channel=False): """Constructs and returns the desired Client object. The instance of this class will reset to default values for further building. Returns ------- Client or NXClient or XEClient or XRClient """ channel = None if self.__secure: LOGGER.debug("Using secure channel.") channel_metadata_creds = None if self.__username and self.__password: LOGGER.debug("Using username/password call authentication.") channel_metadata_creds = grpc.metadata_call_credentials( CiscoAuthPlugin(self.__username, self.__password)) channel_ssl_creds = grpc.ssl_channel_credentials( self.__root_certificates, self.__private_key, self.__certificate_chain) channel_creds = None if channel_ssl_creds and channel_metadata_creds: LOGGER.debug( "Using SSL/metadata authentication composite credentials.") channel_creds = grpc.composite_channel_credentials( channel_ssl_creds, channel_metadata_creds) else: LOGGER.debug( "Using SSL credentials, no channel metadata authentication." ) channel_creds = channel_ssl_creds if self.__ssl_target_name_override is not False: if self.__ssl_target_name_override is None: if not self.__root_certificates: raise Exception( "Deriving override requires root certificate!") self.__ssl_target_name_override = get_cn_from_cert( self.__root_certificates) LOGGER.warning( "Overriding SSL option from certificate could increase MITM susceptibility!" ) self.set_channel_option("grpc.ssl_target_name_override", self.__ssl_target_name_override) channel = grpc.secure_channel(self.__target_netloc.netloc, channel_creds, self.__channel_options) else: LOGGER.warning( "Insecure gRPC channel is against gNMI specification, personal data may be compromised." ) channel = grpc.insecure_channel(self.__target_netloc.netloc) if self.__client_class is None: self.set_os() client = None if self.__secure: client = self.__client_class(channel) else: client = self.__client_class( channel, default_call_metadata=[ ("username", self.__username), ("password", self.__password), ], ) self._reset() if return_channel: return client, channel else: return client
# coding: utf-8 from dialog_bot_sdk.bot import DialogBot import grpc import os def on_msg(*params): print('on msg', params) d.messaging.send_message( params[0].peer, str(params[0].message.textMessage.text) ) if __name__ == '__main__': d = DialogBot.get_secure_bot( 'grpc-test.transmit.im:8080', # bot endpoint grpc.ssl_channel_credentials(), # SSL credentials os.environ.get('BOT_TOKEN') # bot token ) d.messaging.on_message(on_msg)
def run(args, schema, secret): try: if tn_globals.IsInteractive: tn_globals.Prompt = PromptSession() # Create secure channel with default credentials. channel = None if args.ssl: opts = (('grpc.ssl_target_name_override', args.ssl_host),) if args.ssl_host else None channel = grpc.secure_channel(args.host, grpc.ssl_channel_credentials(), opts) else: channel = grpc.insecure_channel(args.host) # Call the server stream = pbx.NodeStub(channel).MessageLoop(gen_message(schema, secret, args)) # Read server responses for msg in stream: if msg.HasField("ctrl"): handle_ctrl(msg.ctrl) elif msg.HasField("meta"): what = [] if len(msg.meta.sub) > 0: what.append("sub") if msg.meta.HasField("desc"): what.append("desc") if msg.meta.HasField("del"): what.append("del") if len(msg.meta.tags) > 0: what.append("tags") stdoutln("\r<= meta " + ",".join(what) + " " + msg.meta.topic) if tn_globals.WaitingFor and tn_globals.WaitingFor.await_id == msg.meta.id: if 'varname' in tn_globals.WaitingFor: tn_globals.Variables[tn_globals.WaitingFor.varname] = msg.meta tn_globals.WaitingFor = None elif msg.HasField("data"): stdoutln("\n\rFrom: " + msg.data.from_user_id) stdoutln("Topic: " + msg.data.topic) stdoutln("Seq: " + str(msg.data.seq_id)) if msg.data.head: stdoutln("Headers:") for key in msg.data.head: stdoutln("\t" + key + ": "+str(msg.data.head[key])) stdoutln(json.loads(msg.data.content)) elif msg.HasField("pres"): pass elif msg.HasField("info"): what = "unknown" if msg.info.what == pb.READ: what = "read" elif msg.info.what == pb.RECV: what = "recv" elif msg.info.what == pb.KP: what = "kp" stdoutln("\rMessage #" + str(msg.info.seq_id) + " " + what + " by " + msg.info.from_user_id + "; topic=" + msg.info.topic + " (" + msg.topic + ")") else: stdoutln("\rMessage type not handled" + str(msg)) except grpc.RpcError as err: # print(err) printerr("gRPC failed with {0}: {1}".format(err.code(), err.details())) except Exception as ex: printerr("Request failed: {0}".format(ex)) # print(traceback.format_exc()) finally: printout('Shutting down...') channel.close() if tn_globals.InputThread != None: tn_globals.InputThread.join(0.3)
def get_cert_credentials(self): if self.cert_credentials is None: lnd_tls_cert_path = os.path.join(self.lnd.lnddir, 'tls.cert') lnd_tls_cert = open(lnd_tls_cert_path, 'rb').read() self.cert_credentials = grpc.ssl_channel_credentials(lnd_tls_cert) return self.cert_credentials
@pytest.fixture def event_loop(): asyncio.set_event_loop(_test_event_loop) return asyncio.get_event_loop() dir = os.path.dirname(__file__) with open(os.path.join(dir, "../cert/mtls.crt"), "rb") as fh: cert = fh.read() with open(os.path.join(dir, "../cert/mtls.key"), "rb") as fh: key = fh.read() ssl_credentials = grpc.ssl_channel_credentials(root_certificates=cert, certificate_chain=cert, private_key=key) def callback(): return cert, key client_options = ClientOptions.ClientOptions() client_options.client_cert_source = callback def pytest_addoption(parser): parser.addoption("--mtls", action="store_true", help="Run system test with mutual TLS channel")
cert = open(os.path.expanduser("~/.lnd/tls.cert"), "rb").read() def metadata_callback(context, callback): with open( os.path.expanduser( "~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon"), "rb") as f: macaroon_bytes = f.read() macaroon = codecs.encode(macaroon_bytes, "hex") callback([("macaroon", macaroon)], None) # build ssl credentials using the cert the same as before cert_creds = grpc.ssl_channel_credentials(cert) # now build meta data credentials auth_creds = grpc.metadata_call_credentials(metadata_callback) # combine the cert credentials and the macaroon auth credentials combined_creds = grpc.composite_channel_credentials(cert_creds, auth_creds) # finally pass in the combined credentials when creating a channel channel = grpc.secure_channel("localhost:10009", combined_creds) stub = lnrpc.LightningStub(channel) # now every call will be made with the macaroon already included list_req = ln.ListInvoiceRequest(pending_only=True, num_max_invoices=1, reversed=True) invoice_num = stub.ListInvoices(list_req).invoices[-1].add_index
get_padded_frame_size(frame_samples, f.getframerate()) * 2, b'\0') request = stt_pb2.StreamingRecognizeRequest() request.audio_content = opus_encoder.encode( data, len(data) >> 1) yield request except Exception as e: print("Got exception in generate_requests", e) raise def print_streaming_recognition_responses(responses): for response in responses: for result in response.results: print("Channel", result.recognition_result.channel) print("Phrase start:", result.recognition_result.start_time.ToTimedelta()) print("Phrase end: ", result.recognition_result.end_time.ToTimedelta()) for alternative in result.recognition_result.alternatives: print('"' + alternative.transcript + '"') print("------------------") stub = stt_pb2_grpc.SpeechToTextStub( grpc.secure_channel(endpoint, grpc.ssl_channel_credentials())) metadata = authorization_metadata(api_key, secret_key, "tinkoff.cloud.stt") responses = stub.StreamingRecognize(generate_requests(), metadata=metadata) print_streaming_recognition_responses(responses)
# -*- coding: utf-8 -*- import grpc from pb.authentication import authenticationService_pb2_grpc from pb.common import replyInfo_pb2 from authService import auth import unittest import os auth_host_staging = os.environ.get("AUTH_HOST_STAGING", "") auth_host_production = os.environ.get("AUTH_HOST_PRODUCTION", "") creds = grpc.ssl_channel_credentials() staging_auth_channel = grpc.secure_channel(auth_host_staging, credentials=creds) staging_auth_client = authenticationService_pb2_grpc.AuthenticationServiceStub( staging_auth_channel) prod_auth_channel = grpc.secure_channel(auth_host_production, credentials=creds) prod_auth_client = authenticationService_pb2_grpc.AuthenticationServiceStub( prod_auth_channel) authenticator = auth.AdminAuthenticator( username=os.environ.get("AUTH_USERNAME", ""), password=os.environ.get("AUTH_PASSWORD", ""), company_id=os.environ.get("AUTH_COMPANY_ID", "")) class AuthTestSuite(unittest.TestCase): """Basic authentication test cases.""" @staticmethod def test_staging_authentication(): assert authenticator is not None
def _run(flags, experiment_url_callback=None): """Runs the main uploader program given parsed flags. Args: flags: An `argparse.Namespace`. experiment_url_callback: A function accepting a single string argument containing the full TB.dev URL of the uploaded experiment. """ logging.set_stderrthreshold(logging.WARNING) intent = _get_intent(flags, experiment_url_callback) store = auth.CredentialsStore() if isinstance(intent, _AuthRevokeIntent): store.clear() sys.stderr.write("Logged out of uploader.\n") sys.stderr.flush() return # TODO(b/141723268): maybe reconfirm Google Account prior to reuse. credentials = store.read_credentials() if not credentials: _prompt_for_user_ack(intent) client_config = json.loads(auth.OAUTH_CLIENT_CONFIG) flow = auth.build_installed_app_flow(client_config) credentials = flow.run(force_console=flags.auth_force_console) sys.stderr.write("\n") # Extra newline after auth flow messages. store.write_credentials(credentials) channel_options = None if flags.grpc_creds_type == "local": channel_creds = grpc.local_channel_credentials() elif flags.grpc_creds_type == "ssl": channel_creds = grpc.ssl_channel_credentials() elif flags.grpc_creds_type == "ssl_dev": # Configure the dev cert to use by passing the environment variable # GRPC_DEFAULT_SSL_ROOTS_FILE_PATH=path/to/cert.crt channel_creds = grpc.ssl_channel_credentials() channel_options = [("grpc.ssl_target_name_override", "localhost")] else: msg = "Invalid --grpc_creds_type %s" % flags.grpc_creds_type raise base_plugin.FlagsError(msg) try: server_info = _get_server_info(flags) except server_info_lib.CommunicationError as e: _die(str(e)) _handle_server_info(server_info) logging.info("Received server info: <%r>", server_info) if not server_info.api_server.endpoint: logging.error("Server info response: %s", server_info) _die("Internal error: frontend did not specify an API server") composite_channel_creds = grpc.composite_channel_credentials( channel_creds, auth.id_token_call_credentials(credentials) ) # TODO(@nfelt): In the `_UploadIntent` case, consider waiting until # logdir exists to open channel. channel = grpc.secure_channel( server_info.api_server.endpoint, composite_channel_creds, options=channel_options, ) with channel: intent.execute(server_info, channel)
def __init__(self, *, host: str = "jobs.googleapis.com", credentials: credentials.Credentials = None, credentials_file: str = None, scopes: Sequence[str] = None, channel: grpc.Channel = None, api_mtls_endpoint: str = None, client_cert_source: Callable[[], Tuple[bytes, bytes]] = None, quota_project_id: Optional[str] = None) -> None: """Instantiate the transport. Args: host (Optional[str]): The hostname to connect to. credentials (Optional[google.auth.credentials.Credentials]): The authorization credentials to attach to requests. These credentials identify the application to the service; if none are specified, the client will attempt to ascertain the credentials from the environment. This argument is ignored if ``channel`` is provided. credentials_file (Optional[str]): A file with credentials that can be loaded with :func:`google.auth.load_credentials_from_file`. This argument is ignored if ``channel`` is provided. scopes (Optional(Sequence[str])): A list of scopes. This argument is ignored if ``channel`` is provided. channel (Optional[grpc.Channel]): A ``Channel`` instance through which to make calls. api_mtls_endpoint (Optional[str]): The mutual TLS endpoint. If provided, it overrides the ``host`` argument and tries to create a mutual TLS channel with client SSL credentials from ``client_cert_source`` or applicatin default SSL credentials. client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): A callback to provide client SSL certificate bytes and private key bytes, both in PEM format. It is ignored if ``api_mtls_endpoint`` is None. quota_project_id (Optional[str]): An optional project to use for billing and quota. Raises: google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport creation failed for any reason. google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials`` and ``credentials_file`` are passed. """ if channel: # Sanity check: Ensure that channel and credentials are not both # provided. credentials = False # If a channel was explicitly provided, set it. self._grpc_channel = channel elif api_mtls_endpoint: host = (api_mtls_endpoint if ":" in api_mtls_endpoint else api_mtls_endpoint + ":443") if credentials is None: credentials, _ = auth.default( scopes=self.AUTH_SCOPES, quota_project_id=quota_project_id) # Create SSL credentials with client_cert_source or application # default SSL credentials. if client_cert_source: cert, key = client_cert_source() ssl_credentials = grpc.ssl_channel_credentials( certificate_chain=cert, private_key=key) else: ssl_credentials = SslCredentials().ssl_credentials # create a new channel. The provided one is ignored. self._grpc_channel = type(self).create_channel( host, credentials=credentials, credentials_file=credentials_file, ssl_credentials=ssl_credentials, scopes=scopes or self.AUTH_SCOPES, quota_project_id=quota_project_id, ) self._stubs = {} # type: Dict[str, Callable] # Run the base constructor. super().__init__( host=host, credentials=credentials, credentials_file=credentials_file, scopes=scopes or self.AUTH_SCOPES, quota_project_id=quota_project_id, )
def __init__(self, *, host: str = 'pubsub.googleapis.com', credentials: credentials.Credentials = None, channel: grpc.Channel = None, api_mtls_endpoint: str = None, client_cert_source: Callable[[], Tuple[bytes, bytes]] = None) -> None: """Instantiate the transport. Args: host (Optional[str]): The hostname to connect to. credentials (Optional[google.auth.credentials.Credentials]): The authorization credentials to attach to requests. These credentials identify the application to the service; if none are specified, the client will attempt to ascertain the credentials from the environment. This argument is ignored if ``channel`` is provided. channel (Optional[grpc.Channel]): A ``Channel`` instance through which to make calls. api_mtls_endpoint (Optional[str]): The mutual TLS endpoint. If provided, it overrides the ``host`` argument and tries to create a mutual TLS channel with client SSL credentials from ``client_cert_source`` or applicatin default SSL credentials. client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): A callback to provide client SSL certificate bytes and private key bytes, both in PEM format. It is ignored if ``api_mtls_endpoint`` is None. Raises: google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport creation failed for any reason. """ if channel: # Sanity check: Ensure that channel and credentials are not both # provided. credentials = False # If a channel was explicitly provided, set it. self._grpc_channel = channel elif api_mtls_endpoint: host = api_mtls_endpoint if ":" in api_mtls_endpoint else api_mtls_endpoint + ":443" # Create SSL credentials with client_cert_source or application # default SSL credentials. if client_cert_source: cert, key = client_cert_source() ssl_credentials = grpc.ssl_channel_credentials( certificate_chain=cert, private_key=key ) else: ssl_credentials = SslCredentials().ssl_credentials # create a new channel. The provided one is ignored. self._grpc_channel = grpc_helpers.create_channel( host, credentials=credentials, ssl_credentials=ssl_credentials, scopes=self.AUTH_SCOPES, ) # Run the base constructor. super().__init__(host=host, credentials=credentials) self._stubs = {} # type: Dict[str, Callable]
request.streaming_config.config.num_channels = num_channels return request def generate_requests(): try: with wave.open("../../audio/sample_3.wav") as f: yield build_first_request(f.getframerate(), f.getnchannels()) frame_samples = f.getframerate()//10 # Send 100ms at a time for data in iter(lambda:f.readframes(frame_samples), b''): request = stt_pb2.StreamingRecognizeRequest() request.audio_content = data yield request except Exception as e: print("Got exception in generate_requests", e) raise def print_streaming_recognition_responses(responses): for response in responses: for result in response.results: print("Channel", result.recognition_result.channel) print("Phrase start:", result.recognition_result.start_time.ToTimedelta()) print("Phrase end: ", result.recognition_result.end_time.ToTimedelta()) for alternative in result.recognition_result.alternatives: print('"' + alternative.transcript + '"') print("------------------") stub = stt_pb2_grpc.SpeechToTextStub(grpc.secure_channel(endpoint, grpc.ssl_channel_credentials())) metadata = authorization_metadata(api_key, secret_key, "tinkoff.cloud.stt") responses = stub.StreamingRecognize(generate_requests(), metadata=metadata) print_streaming_recognition_responses(responses)
def __init__(self, rpc_port): self.port = rpc_port cred = grpc.ssl_channel_credentials(open('tls.cert', 'rb').read()) channel = grpc.secure_channel('localhost:{}'.format(rpc_port), cred) self.stub = lnrpc_grpc.LightningStub(channel)
def secure_authorized_channel( credentials, request, target, ssl_credentials=None, client_cert_callback=None, **kwargs ): """Creates a secure authorized gRPC channel. This creates a channel with SSL and :class:`AuthMetadataPlugin`. This channel can be used to create a stub that can make authorized requests. Users can configure client certificate or rely on device certificates to establish a mutual TLS channel, if the `GOOGLE_API_USE_CLIENT_CERTIFICATE` variable is explicitly set to `true`. Example:: import google.auth import google.auth.transport.grpc import google.auth.transport.requests from google.cloud.speech.v1 import cloud_speech_pb2 # Get credentials. credentials, _ = google.auth.default() # Get an HTTP request function to refresh credentials. request = google.auth.transport.requests.Request() # Create a channel. channel = google.auth.transport.grpc.secure_authorized_channel( credentials, regular_endpoint, request, ssl_credentials=grpc.ssl_channel_credentials()) # Use the channel to create a stub. cloud_speech.create_Speech_stub(channel) Usage: There are actually a couple of options to create a channel, depending on if you want to create a regular or mutual TLS channel. First let's list the endpoints (regular vs mutual TLS) to choose from:: regular_endpoint = 'speech.googleapis.com:443' mtls_endpoint = 'speech.mtls.googleapis.com:443' Option 1: create a regular (non-mutual) TLS channel by explicitly setting the ssl_credentials:: regular_ssl_credentials = grpc.ssl_channel_credentials() channel = google.auth.transport.grpc.secure_authorized_channel( credentials, regular_endpoint, request, ssl_credentials=regular_ssl_credentials) Option 2: create a mutual TLS channel by calling a callback which returns the client side certificate and the key (Note that `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable must be explicitly set to `true`):: def my_client_cert_callback(): code_to_load_client_cert_and_key() if loaded: return (pem_cert_bytes, pem_key_bytes) raise MyClientCertFailureException() try: channel = google.auth.transport.grpc.secure_authorized_channel( credentials, mtls_endpoint, request, client_cert_callback=my_client_cert_callback) except MyClientCertFailureException: # handle the exception Option 3: use application default SSL credentials. It searches and uses the command in a context aware metadata file, which is available on devices with endpoint verification support (Note that `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable must be explicitly set to `true`). See https://cloud.google.com/endpoint-verification/docs/overview:: try: default_ssl_credentials = SslCredentials() except: # Exception can be raised if the context aware metadata is malformed. # See :class:`SslCredentials` for the possible exceptions. # Choose the endpoint based on the SSL credentials type. if default_ssl_credentials.is_mtls: endpoint_to_use = mtls_endpoint else: endpoint_to_use = regular_endpoint channel = google.auth.transport.grpc.secure_authorized_channel( credentials, endpoint_to_use, request, ssl_credentials=default_ssl_credentials) Option 4: not setting ssl_credentials and client_cert_callback. For devices without endpoint verification support or `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is not `true`, a regular TLS channel is created; otherwise, a mutual TLS channel is created, however, the call should be wrapped in a try/except block in case of malformed context aware metadata. The following code uses regular_endpoint, it works the same no matter the created channle is regular or mutual TLS. Regular endpoint ignores client certificate and key:: channel = google.auth.transport.grpc.secure_authorized_channel( credentials, regular_endpoint, request) The following code uses mtls_endpoint, if the created channle is regular, and API mtls_endpoint is confgured to require client SSL credentials, API calls using this channel will be rejected:: channel = google.auth.transport.grpc.secure_authorized_channel( credentials, mtls_endpoint, request) Args: credentials (google.auth.credentials.Credentials): The credentials to add to requests. request (google.auth.transport.Request): A HTTP transport request object used to refresh credentials as needed. Even though gRPC is a separate transport, there's no way to refresh the credentials without using a standard http transport. target (str): The host and port of the service. ssl_credentials (grpc.ChannelCredentials): Optional SSL channel credentials. This can be used to specify different certificates. This argument is mutually exclusive with client_cert_callback; providing both will raise an exception. If ssl_credentials and client_cert_callback are None, application default SSL credentials are used if `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is explicitly set to `true`, otherwise one way TLS SSL credentials are used. client_cert_callback (Callable[[], (bytes, bytes)]): Optional callback function to obtain client certicate and key for mutual TLS connection. This argument is mutually exclusive with ssl_credentials; providing both will raise an exception. This argument does nothing unless `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is explicitly set to `true`. kwargs: Additional arguments to pass to :func:`grpc.secure_channel`. Returns: grpc.Channel: The created gRPC channel. Raises: google.auth.exceptions.MutualTLSChannelError: If mutual TLS channel creation failed for any reason. """ # Create the metadata plugin for inserting the authorization header. metadata_plugin = AuthMetadataPlugin(credentials, request) # Create a set of grpc.CallCredentials using the metadata plugin. google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin) if ssl_credentials and client_cert_callback: raise ValueError( "Received both ssl_credentials and client_cert_callback; " "these are mutually exclusive." ) # If SSL credentials are not explicitly set, try client_cert_callback and ADC. if not ssl_credentials: use_client_cert = os.getenv( environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE, "false" ) if use_client_cert == "true" and client_cert_callback: # Use the callback if provided. cert, key = client_cert_callback() ssl_credentials = grpc.ssl_channel_credentials( certificate_chain=cert, private_key=key ) elif use_client_cert == "true": # Use application default SSL credentials. adc_ssl_credentils = SslCredentials() ssl_credentials = adc_ssl_credentils.ssl_credentials else: ssl_credentials = grpc.ssl_channel_credentials() # Combine the ssl credentials and the authorization credentials. composite_credentials = grpc.composite_channel_credentials( ssl_credentials, google_auth_credentials ) return grpc.secure_channel(target, composite_credentials, **kwargs)
def testvarsAttempt(): try: import testvars except ImportError: common.conMsg('bot','Predefined test variables not found, continue with environment variables') return None else: common.conMsg('bot','Predefined test variables found, environment variables ignored') return None if __name__ == '__main__': common.conMsg('bot','Starting bot') testvarsAttempt() lang = os.environ['LANGUAGE'] mode = os.environ['ISSUE_TYPE_MODE'] bot = DialogBot.get_secure_bot(os.environ['ENDPOINT'],grpc.ssl_channel_credentials(),os.environ['BOT_API_KEY'], verbose=False) if checkEnvs(): credentials = common.parseCreds(os.environ['JIRA_CREDS']) link = credentials[2] projectId = jira.getProjectIdByProjectKey(credentials,os.environ['PROJECT_KEY']) if projectId: initializeBot() #dbInit() common.conMsg('bot','Started bot. Mode: ' + mode) while True: task_manager() else: common.conMsg('bot','Invalid JIRA Creds or JIRA Service Desk Project. Unable to start bot') else: common.conMsg('bot','Env variables error')
def _test(self): # things should work... self.cert_config_fetcher.configure(False, None) self._do_one_shot_client_rpc(True, root_certificates=CA_1_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertEqual(len(actual_calls), 1) self.assertFalse(actual_calls[0].did_raise) self.assertIsNone(actual_calls[0].returned_cert_config) # client should reject server... # fails because client trusts ca2 and so will reject server self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) self._do_one_shot_client_rpc(False, root_certificates=CA_2_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertGreaterEqual(len(actual_calls), 1) self.assertFalse(actual_calls[0].did_raise) for i, call in enumerate(actual_calls): self.assertFalse(call.did_raise, 'i= {}'.format(i)) self.assertIsNone(call.returned_cert_config, 'i= {}'.format(i)) # should work again... self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(True, None) self._do_one_shot_client_rpc(True, root_certificates=CA_1_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertEqual(len(actual_calls), 1) self.assertTrue(actual_calls[0].did_raise) self.assertIsNone(actual_calls[0].returned_cert_config) # if with_client_auth, then client should be rejected by # server because client uses key/cert1, but server trusts ca2, # so server will reject self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) self._do_one_shot_client_rpc(not self.require_client_auth(), root_certificates=CA_1_PEM, private_key=CLIENT_KEY_1_PEM, certificate_chain=CLIENT_CERT_CHAIN_1_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertGreaterEqual(len(actual_calls), 1) for i, call in enumerate(actual_calls): self.assertFalse(call.did_raise, 'i= {}'.format(i)) self.assertIsNone(call.returned_cert_config, 'i= {}'.format(i)) # should work again... self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) self._do_one_shot_client_rpc(True, root_certificates=CA_1_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertEqual(len(actual_calls), 1) self.assertFalse(actual_calls[0].did_raise) self.assertIsNone(actual_calls[0].returned_cert_config) # now create the "persistent" clients self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) channel_A = _create_channel( self.port, grpc.ssl_channel_credentials( root_certificates=CA_1_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM)) persistent_client_stub_A = _create_client_stub(channel_A, True) self._perform_rpc(persistent_client_stub_A, True) actual_calls = self.cert_config_fetcher.getCalls() self.assertEqual(len(actual_calls), 1) self.assertFalse(actual_calls[0].did_raise) self.assertIsNone(actual_calls[0].returned_cert_config) self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) channel_B = _create_channel( self.port, grpc.ssl_channel_credentials( root_certificates=CA_1_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM)) persistent_client_stub_B = _create_client_stub(channel_B, True) self._perform_rpc(persistent_client_stub_B, True) actual_calls = self.cert_config_fetcher.getCalls() self.assertEqual(len(actual_calls), 1) self.assertFalse(actual_calls[0].did_raise) self.assertIsNone(actual_calls[0].returned_cert_config) # moment of truth!! client should reject server because the # server switch cert... cert_config = grpc.ssl_server_certificate_configuration( [(SERVER_KEY_2_PEM, SERVER_CERT_CHAIN_2_PEM)], root_certificates=CA_1_PEM) self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, cert_config) self._do_one_shot_client_rpc(False, root_certificates=CA_1_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertGreaterEqual(len(actual_calls), 1) self.assertFalse(actual_calls[0].did_raise) for i, call in enumerate(actual_calls): self.assertFalse(call.did_raise, 'i= {}'.format(i)) self.assertEqual(call.returned_cert_config, cert_config, 'i= {}'.format(i)) # now should work again... self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) self._do_one_shot_client_rpc(True, root_certificates=CA_2_PEM, private_key=CLIENT_KEY_1_PEM, certificate_chain=CLIENT_CERT_CHAIN_1_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertEqual(len(actual_calls), 1) self.assertFalse(actual_calls[0].did_raise) self.assertIsNone(actual_calls[0].returned_cert_config) # client should be rejected by server if with_client_auth self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) self._do_one_shot_client_rpc(not self.require_client_auth(), root_certificates=CA_2_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertGreaterEqual(len(actual_calls), 1) for i, call in enumerate(actual_calls): self.assertFalse(call.did_raise, 'i= {}'.format(i)) self.assertIsNone(call.returned_cert_config, 'i= {}'.format(i)) # here client should reject server... self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) self._do_one_shot_client_rpc(False, root_certificates=CA_1_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertGreaterEqual(len(actual_calls), 1) for i, call in enumerate(actual_calls): self.assertFalse(call.did_raise, 'i= {}'.format(i)) self.assertIsNone(call.returned_cert_config, 'i= {}'.format(i)) # persistent clients should continue to work self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) self._perform_rpc(persistent_client_stub_A, True) actual_calls = self.cert_config_fetcher.getCalls() self.assertEqual(len(actual_calls), 0) self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) self._perform_rpc(persistent_client_stub_B, True) actual_calls = self.cert_config_fetcher.getCalls() self.assertEqual(len(actual_calls), 0) channel_A.close() channel_B.close()
def run_secure_loop(): logging.debug( "Remote: Starting a new connection loop for %s (%s:%d)" % (self.display_hostname, self.ip_address, self.port)) cert = auth.get_singleton().load_cert(self.hostname, self.ip_address) creds = grpc.ssl_channel_credentials(cert) with grpc.secure_channel("%s:%d" % (self.ip_address, self.port), creds) as channel: future = grpc.channel_ready_future(channel) try: future.result(timeout=4) self.stub = warp_pb2_grpc.WarpStub(channel) except grpc.FutureTimeoutError: self.set_remote_status(RemoteStatus.UNREACHABLE) future.cancel() if not self.ping_timer.is_set(): logging.debug( "Remote: Unable to establish secure connection with %s (%s:%d). Trying again in %ds" % (self.display_hostname, self.ip_address, self.port, CHANNEL_RETRY_WAIT_TIME)) self.ping_timer.wait(CHANNEL_RETRY_WAIT_TIME) return True # run_secure_loop() return False # run_secure_loop() duplex_fail_counter = 0 one_ping = False # A successful duplex response lets us finish setting things up. while not self.ping_timer.is_set(): if self.busy: logging.debug( "Remote Ping: Skipping keepalive ping to %s (%s:%d) (busy)" % (self.display_hostname, self.ip_address, self.port)) self.busy = False else: try: # t = GLib.get_monotonic_time() logging.debug("Remote Ping: to %s (%s:%d)" % (self.display_hostname, self.ip_address, self.port)) self.stub.Ping(warp_pb2.LookupName( id=self.local_ident, readable_name=util.get_hostname()), timeout=5) # logging.debug("Latency: %s (%s)" # % (util.precise_format_time_span(GLib.get_monotonic_time() - t), self.display_hostname)) if not one_ping: self.set_remote_status( RemoteStatus.AWAITING_DUPLEX) if self.check_duplex_connection(): logging.debug( "Remote: Connected to %s (%s:%d)" % (self.display_hostname, self.ip_address, self.port)) self.set_remote_status(RemoteStatus.ONLINE) self.rpc_call( self.update_remote_machine_info) self.rpc_call( self.update_remote_machine_avatar) one_ping = True else: duplex_fail_counter += 1 if duplex_fail_counter > DUPLEX_MAX_FAILURES: logging.debug( "Remote: CheckDuplexConnection to %s (%s:%d) failed too many times" % (self.display_hostname, self.ip_address, self.port)) self.ping_timer.wait( CHANNEL_RETRY_WAIT_TIME) return True except grpc.RpcError as e: logging.debug( "Remote: Ping failed, shutting down %s (%s:%d)" % (self.display_hostname, self.ip_address, self.port)) break self.ping_timer.wait( CONNECTED_PING_TIME if self.status == RemoteStatus.ONLINE else DUPLEX_WAIT_PING_TIME) # This is reached by the RpcError break above. If the remote is still discoverable, start # the secure loop over. This could have happened as a result of a quick disco/reconnect, # And we don't notice until it has already come back. In this case, try a new connection. if self.has_zc_presence and not self.ping_timer.is_set(): return True # run_secure_loop() # The ping timer has been triggered, this is an orderly shutdown. return False # run_secure_loop()
def create_client_channel(self): channel_credentials = grpc.ssl_channel_credentials(self.read_pem('tls/ca.pem'), self.read_pem('tls/client-key.pem'), self.read_pem('tls/client.pem')) return grpc.secure_channel('{}:{}'.format(self.client.args['address'], self.client.args['server_port']), channel_credentials)
def __init__(self, conn_str: str = "", secure: bool = False, metadata: List[Tuple[str, str]] = None, connection_retries: int = 3): """Initializes the worker side grpc client. Args: conn_str: The host:port connection string for the ray server. secure: whether to use SSL secure channel or not. metadata: additional metadata passed in the grpc request headers. connection_retries: Number of times to attempt to reconnect to the ray server if it doesn't respond immediately. Setting to 0 tries at least once. For infinite retries, catch the ConnectionError exception. """ self._client_id = make_client_id() self.metadata = [("client_id", self._client_id) ] + (metadata if metadata else []) self.channel = None self.server = None self._conn_state = grpc.ChannelConnectivity.IDLE self._converted: Dict[str, ClientStub] = {} if secure: credentials = grpc.ssl_channel_credentials() self.channel = grpc.secure_channel(conn_str, credentials, options=GRPC_OPTIONS) else: self.channel = grpc.insecure_channel(conn_str, options=GRPC_OPTIONS) self.channel.subscribe(self._on_channel_state_change) # Retry the connection until the channel responds to something # looking like a gRPC connection, though it may be a proxy. conn_attempts = 0 timeout = INITIAL_TIMEOUT_SEC service_ready = False while conn_attempts < max(connection_retries, 1): conn_attempts += 1 try: # Let gRPC wait for us to see if the channel becomes ready. # If it throws, we couldn't connect. grpc.channel_ready_future(self.channel).result(timeout=timeout) # The HTTP2 channel is ready. Wrap the channel with the # RayletDriverStub, allowing for unary requests. self.server = ray_client_pb2_grpc.RayletDriverStub( self.channel) service_ready = bool(self.ping_server()) if service_ready: break # Ray is not ready yet, wait a timeout time.sleep(timeout) except grpc.FutureTimeoutError: logger.info( f"Couldn't connect channel in {timeout} seconds, retrying") # Note that channel_ready_future constitutes its own timeout, # which is why we do not sleep here. except grpc.RpcError as e: logger.info("Ray client server unavailable, " f"retrying in {timeout}s...") logger.debug(f"Received when checking init: {e.details()}") # Ray is not ready yet, wait a timeout. time.sleep(timeout) # Fallthrough, backoff, and retry at the top of the loop logger.info("Waiting for Ray to become ready on the server, " f"retry in {timeout}s...") timeout = backoff(timeout) # If we made it through the loop without service_ready # it means we've used up our retries and # should error back to the user. if not service_ready: raise ConnectionError("ray client connection timeout") # Initialize the streams to finish protocol negotiation. self.data_client = DataClient(self.channel, self._client_id, self.metadata) self.reference_count: Dict[bytes, int] = defaultdict(int) self.log_client = LogstreamClient(self.channel, self.metadata) self.log_client.set_logstream_level(logging.INFO) self.closed = False # Track these values to raise a warning if many tasks are being # scheduled self.total_num_tasks_scheduled = 0 self.total_outbound_message_size_bytes = 0
def __init__( self, *, host: str = "secretmanager.googleapis.com", credentials: credentials.Credentials = None, credentials_file: Optional[str] = None, scopes: Optional[Sequence[str]] = None, channel: aio.Channel = None, api_mtls_endpoint: str = None, client_cert_source: Callable[[], Tuple[bytes, bytes]] = None, ssl_channel_credentials: grpc.ChannelCredentials = None, quota_project_id=None, client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, ) -> None: """Instantiate the transport. Args: host (Optional[str]): The hostname to connect to. credentials (Optional[google.auth.credentials.Credentials]): The authorization credentials to attach to requests. These credentials identify the application to the service; if none are specified, the client will attempt to ascertain the credentials from the environment. This argument is ignored if ``channel`` is provided. credentials_file (Optional[str]): A file with credentials that can be loaded with :func:`google.auth.load_credentials_from_file`. This argument is ignored if ``channel`` is provided. scopes (Optional[Sequence[str]]): A optional list of scopes needed for this service. These are only used when credentials are not specified and are passed to :func:`google.auth.default`. channel (Optional[aio.Channel]): A ``Channel`` instance through which to make calls. api_mtls_endpoint (Optional[str]): Deprecated. The mutual TLS endpoint. If provided, it overrides the ``host`` argument and tries to create a mutual TLS channel with client SSL credentials from ``client_cert_source`` or applicatin default SSL credentials. client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): Deprecated. A callback to provide client SSL certificate bytes and private key bytes, both in PEM format. It is ignored if ``api_mtls_endpoint`` is None. ssl_channel_credentials (grpc.ChannelCredentials): SSL credentials for grpc channel. It is ignored if ``channel`` is provided. quota_project_id (Optional[str]): An optional project to use for billing and quota. client_info (google.api_core.gapic_v1.client_info.ClientInfo): The client info used to send a user-agent string along with API requests. If ``None``, then default info will be used. Generally, you only need to set this if you're developing your own client library. Raises: google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport creation failed for any reason. google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials`` and ``credentials_file`` are passed. """ if channel: # Sanity check: Ensure that channel and credentials are not both # provided. credentials = False # If a channel was explicitly provided, set it. self._grpc_channel = channel elif api_mtls_endpoint: warnings.warn( "api_mtls_endpoint and client_cert_source are deprecated", DeprecationWarning, ) host = (api_mtls_endpoint if ":" in api_mtls_endpoint else api_mtls_endpoint + ":443") if credentials is None: credentials, _ = auth.default( scopes=self.AUTH_SCOPES, quota_project_id=quota_project_id) # Create SSL credentials with client_cert_source or application # default SSL credentials. if client_cert_source: cert, key = client_cert_source() ssl_credentials = grpc.ssl_channel_credentials( certificate_chain=cert, private_key=key) else: ssl_credentials = SslCredentials().ssl_credentials # create a new channel. The provided one is ignored. self._grpc_channel = type(self).create_channel( host, credentials=credentials, credentials_file=credentials_file, ssl_credentials=ssl_credentials, scopes=scopes or self.AUTH_SCOPES, quota_project_id=quota_project_id, ) else: host = host if ":" in host else host + ":443" if credentials is None: credentials, _ = auth.default( scopes=self.AUTH_SCOPES, quota_project_id=quota_project_id) # create a new channel. The provided one is ignored. self._grpc_channel = type(self).create_channel( host, credentials=credentials, credentials_file=credentials_file, ssl_credentials=ssl_channel_credentials, scopes=scopes or self.AUTH_SCOPES, quota_project_id=quota_project_id, ) # Run the base constructor. super().__init__( host=host, credentials=credentials, credentials_file=credentials_file, scopes=scopes or self.AUTH_SCOPES, quota_project_id=quota_project_id, client_info=client_info, ) self._stubs = {}
API = GCaluAPI(SETTINGS["credentials_file"], SETTINGS["token_file"]) except: log.error("Can't initialize GoogleuAPI", exc_info=True) sys.exit(1) # Enable this flag and use this to obtain google calendar id if SETTINGS["show_calendars"]: for current_cal in API.get_calendars(): log.info("{0} => {1}".format(current_cal["id"], current_cal["summary"])) try: bot = DialogBot.get_secure_bot( os.environ.get('BOT_ENDPOINT'), # bot endpoint grpc.ssl_channel_credentials( ), # SSL credentials (empty by default!) os.environ.get('BOT_TOKEN') # bot token ) bot.messaging.on_message(on_msg, raw_callback=raw_call) except: log.error("Can't initialize bot", exc_info=True) sys.exit(1) else: log.error( "{0} not found. Create one using settings_default.json as reference." .format(SETTINGS_PATH), exc_info=True) sys.exit(1)
def __init__( self, *, credentials: Optional[credentials.Credentials] = None, transport: Union[str, KeywordPlanCampaignServiceTransport, None] = None, client_options: Optional[client_options_lib.ClientOptions] = None, client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, ) -> None: """Instantiate the keyword plan campaign service client. Args: credentials (Optional[google.auth.credentials.Credentials]): The authorization credentials to attach to requests. These credentials identify the application to the service; if none are specified, the client will attempt to ascertain the credentials from the environment. transport (Union[str, ~.KeywordPlanCampaignServiceTransport]): The transport to use. If set to None, a transport is chosen automatically. client_options (google.api_core.client_options.ClientOptions): Custom options for the client. It won't take effect if a ``transport`` instance is provided. (1) The ``api_endpoint`` property can be used to override the default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT environment variable can also be used to override the endpoint: "always" (always use the default mTLS endpoint), "never" (always use the default regular endpoint) and "auto" (auto switch to the default mTLS endpoint if client certificate is present, this is the default value). However, the ``api_endpoint`` property takes precedence if provided. (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is "true", then the ``client_cert_source`` property can be used to provide client certificate for mutual TLS transport. If not provided, the default SSL client certificate will be used if present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not set, no client certificate will be used. client_info (google.api_core.gapic_v1.client_info.ClientInfo): The client info used to send a user-agent string along with API requests. If ``None``, then default info will be used. Generally, you only need to set this if you're developing your own client library. Raises: google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport creation failed for any reason. """ if isinstance(client_options, dict): client_options = client_options_lib.from_dict(client_options) if client_options is None: client_options = client_options_lib.ClientOptions() # Create SSL credentials for mutual TLS if needed. use_client_cert = bool( util.strtobool( os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false") ) ) ssl_credentials = None is_mtls = False if use_client_cert: if client_options.client_cert_source: import grpc # type: ignore cert, key = client_options.client_cert_source() ssl_credentials = grpc.ssl_channel_credentials( certificate_chain=cert, private_key=key ) is_mtls = True else: creds = SslCredentials() is_mtls = creds.is_mtls ssl_credentials = creds.ssl_credentials if is_mtls else None # Figure out which api endpoint to use. if client_options.api_endpoint is not None: api_endpoint = client_options.api_endpoint else: use_mtls_env = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto") if use_mtls_env == "never": api_endpoint = self.DEFAULT_ENDPOINT elif use_mtls_env == "always": api_endpoint = self.DEFAULT_MTLS_ENDPOINT elif use_mtls_env == "auto": api_endpoint = ( self.DEFAULT_MTLS_ENDPOINT if is_mtls else self.DEFAULT_ENDPOINT ) else: raise MutualTLSChannelError( "Unsupported GOOGLE_API_USE_MTLS_ENDPOINT value. Accepted values: never, auto, always" ) # Save or instantiate the transport. # Ordinarily, we provide the transport, but allowing a custom transport # instance provides an extensibility point for unusual situations. if isinstance(transport, KeywordPlanCampaignServiceTransport): # transport is a KeywordPlanCampaignServiceTransport instance. if credentials: raise ValueError( "When providing a transport instance, " "provide its credentials directly." ) self._transport = transport elif isinstance(transport, str): Transport = type(self).get_transport_class(transport) self._transport = Transport( credentials=credentials, host=self.DEFAULT_ENDPOINT ) else: self._transport = KeywordPlanCampaignServiceGrpcTransport( credentials=credentials, host=api_endpoint, ssl_channel_credentials=ssl_credentials, client_info=client_info, )
def test_secure_channel(self): channel_credentials = grpc.ssl_channel_credentials() channel = grpc.secure_channel('google.com:443', channel_credentials) channel.close()
def __init__( self, *, host: str = "googleads.googleapis.com", credentials: ga_credentials.Credentials = None, credentials_file: str = None, scopes: Sequence[str] = None, channel: grpc.Channel = None, api_mtls_endpoint: str = None, client_cert_source: Callable[[], Tuple[bytes, bytes]] = None, ssl_channel_credentials: grpc.ChannelCredentials = None, client_cert_source_for_mtls: Callable[[], Tuple[bytes, bytes]] = None, quota_project_id: Optional[str] = None, client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, always_use_jwt_access: Optional[bool] = False, ) -> None: """Instantiate the transport. Args: host (Optional[str]): The hostname to connect to. credentials (Optional[google.auth.credentials.Credentials]): The authorization credentials to attach to requests. These credentials identify the application to the service; if none are specified, the client will attempt to ascertain the credentials from the environment. This argument is ignored if ``channel`` is provided. credentials_file (Optional[str]): A file with credentials that can be loaded with :func:`google.auth.load_credentials_from_file`. This argument is ignored if ``channel`` is provided. scopes (Optional(Sequence[str])): A list of scopes. This argument is ignored if ``channel`` is provided. channel (Optional[grpc.Channel]): A ``Channel`` instance through which to make calls. api_mtls_endpoint (Optional[str]): Deprecated. The mutual TLS endpoint. If provided, it overrides the ``host`` argument and tries to create a mutual TLS channel with client SSL credentials from ``client_cert_source`` or application default SSL credentials. client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): Deprecated. A callback to provide client SSL certificate bytes and private key bytes, both in PEM format. It is ignored if ``api_mtls_endpoint`` is None. ssl_channel_credentials (grpc.ChannelCredentials): SSL credentials for the grpc channel. It is ignored if ``channel`` is provided. client_cert_source_for_mtls (Optional[Callable[[], Tuple[bytes, bytes]]]): A callback to provide client certificate bytes and private key bytes, both in PEM format. It is used to configure a mutual TLS channel. It is ignored if ``channel`` or ``ssl_channel_credentials`` is provided. quota_project_id (Optional[str]): An optional project to use for billing and quota. client_info (google.api_core.gapic_v1.client_info.ClientInfo): The client info used to send a user-agent string along with API requests. If ``None``, then default info will be used. Generally, you only need to set this if you're developing your own client library. always_use_jwt_access (Optional[bool]): Whether self signed JWT should be used for service account credentials. Raises: google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport creation failed for any reason. google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials`` and ``credentials_file`` are passed. """ self._grpc_channel = None self._ssl_channel_credentials = ssl_channel_credentials self._stubs: Dict[str, Callable] = {} if api_mtls_endpoint: warnings.warn("api_mtls_endpoint is deprecated", DeprecationWarning) if client_cert_source: warnings.warn("client_cert_source is deprecated", DeprecationWarning) if channel: # Ignore credentials if a channel was passed. credentials = False # If a channel was explicitly provided, set it. self._grpc_channel = channel self._ssl_channel_credentials = None else: if api_mtls_endpoint: host = api_mtls_endpoint # Create SSL credentials with client_cert_source or application # default SSL credentials. if client_cert_source: cert, key = client_cert_source() self._ssl_channel_credentials = grpc.ssl_channel_credentials( certificate_chain=cert, private_key=key) else: self._ssl_channel_credentials = ( SslCredentials().ssl_credentials) else: if client_cert_source_for_mtls and not ssl_channel_credentials: cert, key = client_cert_source_for_mtls() self._ssl_channel_credentials = grpc.ssl_channel_credentials( certificate_chain=cert, private_key=key) # The base transport sets the host, credentials and scopes super().__init__( host=host, credentials=credentials, credentials_file=credentials_file, scopes=scopes, quota_project_id=quota_project_id, client_info=client_info, always_use_jwt_access=always_use_jwt_access, ) if not self._grpc_channel: self._grpc_channel = type(self).create_channel( self._host, # use the credentials which are saved credentials=self._credentials, # Set ``credentials_file`` to ``None`` here as # the credentials that we saved earlier should be used. credentials_file=None, scopes=self._scopes, ssl_credentials=self._ssl_channel_credentials, quota_project_id=quota_project_id, options=[ ("grpc.max_send_message_length", -1), ("grpc.max_receive_message_length", -1), ], ) # Wrap messages. This must be done after self._grpc_channel exists self._prep_wrapped_messages(client_info)
def main(): global dev_id host = ServerConfig.HOST server_port = ServerConfig.SERVER_PORT with open(ServerConfig.SERVER_CERTIFICATE, "rb") as file: trusted_certs = file.read() credentials = grpc.ssl_channel_credentials(root_certificates=trusted_certs) channel = grpc.secure_channel("{}:{}".format(host, server_port), credentials) client = P4RuntimeClient() streamC = client.StreamChannel() tables_initialized = False while True: try: packet = next(streamC) if packet.HasField("packet") and packet.packet.metadata[ 0].metadata_id == dev_id: print "Packet-in: server => router controller %.9f" % time.time( ) # Print packet information. ServerConfig.print_debug("Received packet:") ServerConfig.print_debug("Payload: {}".format( hexlify(packet.packet.payload))) ServerConfig.print_debug("Switch id: {}".format( packet.packet.metadata[0].metadata_id)) ServerConfig.print_debug("Input port: {}\n".format( hexlify(packet.packet.metadata[0].value))) # Extract packet. pkt = Ether(_pkt=packet.packet.payload) eth_src = pkt.getlayer(Ether).src eth_dst = pkt.getlayer(Ether).dst ether_type = pkt.getlayer(Ether).type ServerConfig.print_debug( "Received Ethernet frame {} => {} type_hex {}".format( eth_src, eth_dst, hex(ether_type))) # The packet can be either ipv4 or 802.1q (vlan). if ether_type == 2048 or ether_type == 33024: # Print packet data. ip_src = pkt[IP].src ip_dst = pkt[IP].dst ServerConfig.print_debug( "Ethernet frame has IPv4 packet {} => {}".format( ip_src, ip_dst)) # Call to write the entry into the table. client.WriteTableEntry(p4runtime_pb2.Update.INSERT, IPV4_NHOP, ip_dst, ipv4_nhop_dict[ip_dst]) # client.ReadTableEntry(IPV4_NHOP, ip_dst) # Packet out. client.streamChannelRequest = p4runtime_pb2.StreamMessageRequest( ) client.streamChannelRequest.packet.payload = packet.packet.payload metadata = client.streamChannelRequest.packet.metadata.add( ) metadata.metadata_id = packet.packet.metadata[ 0].metadata_id metadata.value = struct.pack("B", 1) client.sendRequest = True print "Packet-out: router controller => server %.9f" % time.time( ) if packet.HasField("other"): if tables_initialized is False: for ip in send_frame_dict: client.WriteTableEntry(p4runtime_pb2.Update.INSERT, SEND_FRAME, ip, send_frame_dict[ip]) # client.ReadTableEntry(SEND_FRAME, ip) for ip in forward_table_dict: client.WriteTableEntry(p4runtime_pb2.Update.INSERT, FORWARD, ip, forward_table_dict[ip]) # client.ReadTableEntry(FORWARD, ip) tables_initialized = True if packet.other.value == "\n\014Auth success": ServerConfig.print_debug( "Received authentication response from server:") ServerConfig.print_debug(packet) # Prepare an arbitration request. client.streamChannelRequest = p4runtime_pb2.StreamMessageRequest( ) client.streamChannelRequest.arbitration.device_id = dev_id client.streamChannelRequest.arbitration.role.id = 1 client.sendRequest = True if packet.HasField("arbitration"): ServerConfig.print_debug( "Received arbitration response from server:") ServerConfig.print_debug(packet) except IndexError: continue
def _create_composite_credentials( credentials=None, credentials_file=None, default_scopes=None, scopes=None, ssl_credentials=None, quota_project_id=None, default_host=None, ): """Create the composite credentials for secure channels. Args: credentials (google.auth.credentials.Credentials): The credentials. If not specified, then this function will attempt to ascertain the credentials from the environment using :func:`google.auth.default`. credentials_file (str): A file with credentials that can be loaded with :func:`google.auth.load_credentials_from_file`. This argument is mutually exclusive with credentials. default_scopes (Sequence[str]): A optional list of scopes needed for this service. These are only used when credentials are not specified and are passed to :func:`google.auth.default`. scopes (Sequence[str]): A optional list of scopes needed for this service. These are only used when credentials are not specified and are passed to :func:`google.auth.default`. ssl_credentials (grpc.ChannelCredentials): Optional SSL channel credentials. This can be used to specify different certificates. quota_project_id (str): An optional project to use for billing and quota. default_host (str): The default endpoint. e.g., "pubsub.googleapis.com". Returns: grpc.ChannelCredentials: The composed channel credentials object. Raises: google.api_core.DuplicateCredentialArgs: If both a credentials object and credentials_file are passed. """ if credentials and credentials_file: raise exceptions.DuplicateCredentialArgs( "'credentials' and 'credentials_file' are mutually exclusive.") if credentials_file: credentials, _ = google.auth.load_credentials_from_file( credentials_file, scopes=scopes, default_scopes=default_scopes) elif credentials: credentials = google.auth.credentials.with_scopes_if_required( credentials, scopes=scopes, default_scopes=default_scopes) else: credentials, _ = google.auth.default(scopes=scopes, default_scopes=default_scopes) if quota_project_id and isinstance( credentials, google.auth.credentials.CredentialsWithQuotaProject): credentials = credentials.with_quota_project(quota_project_id) request = google.auth.transport.requests.Request() # Create the metadata plugin for inserting the authorization header. metadata_plugin = google.auth.transport.grpc.AuthMetadataPlugin( credentials, request, default_host=default_host, ) # Create a set of grpc.CallCredentials using the metadata plugin. google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin) if ssl_credentials is None: ssl_credentials = grpc.ssl_channel_credentials() # Combine the ssl credentials and the authorization credentials. return grpc.composite_channel_credentials(ssl_credentials, google_auth_credentials)
def _create_cloud_channel(self) -> grpc.Channel: if self._channel_fn: return self._channel_fn(self._server_url) return grpc.secure_channel(self._server_url, grpc.ssl_channel_credentials())
def getCredentials(): with open('ca-bundle.pem', 'rb') as f: trusted_certs = f.read() sslCred = grpc.ssl_channel_credentials(root_certificates=trusted_certs) authCred = grpc.metadata_call_credentials(credentials) return grpc.composite_channel_credentials(sslCred, authCred)