def __init__(self, server, config, hist):
# Create the stub
if config.HasField('security_params'):
creds = grpc.ssl_channel_credentials(
resources.test_root_certificates())
channel = test_common.test_secure_channel(
server, creds, config.security_params.server_host_override)
else:
channel = grpc.insecure_channel(server)
# waits for the channel to be ready before we start sending messages
grpc.channel_ready_future(channel).result()
if config.payload_config.WhichOneof('payload') == 'simple_params':
self._generic = False
self._stub = services_pb2.BenchmarkServiceStub(channel)
payload = messages_pb2.Payload(
body='\0' * config.payload_config.simple_params.req_size)
self._request = messages_pb2.SimpleRequest(
payload=payload,
response_size=config.payload_config.simple_params.resp_size)
else:
self._generic = True
self._stub = GenericStub(channel)
self._request = '\0' * config.payload_config.bytebuf_params.req_size
self._hist = hist
self._response_callbacks = []
def MakeSecureChannel(target):
"""Creates grpc secure channel.
Args:
target: str, The server address, for example:
bigtableadmin.googleapis.com:443.
Returns:
grpc.secure channel.
"""
credentials = cred_store.Load()
# ssl_channel_credentials() loads root certificates from
# `grpc/_adapter/credentials/roots.pem`.
transport_creds = grpc.ssl_channel_credentials()
custom_metadata_plugin = _MetadataPlugin(credentials)
auth_creds = grpc.metadata_call_credentials(
custom_metadata_plugin, name='google_creds')
channel_creds = grpc.composite_channel_credentials(
transport_creds, auth_creds)
channel_args = (
('grpc.primary_user_agent',
http.MakeUserAgentString(properties.VALUES.metrics.command_name.Get())),
)
return grpc.secure_channel(target, channel_creds,
options=channel_args)
def testSecureNoCert(self):
handler = grpc.method_handlers_generic_handler('test', {
'UnaryUnary':
grpc.unary_unary_rpc_method_handler(handle_unary_unary)
})
server = test_common.test_server()
server.add_generic_rpc_handlers((handler,))
server_cred = grpc.ssl_server_credentials(_SERVER_CERTS)
port = server.add_secure_port('[::]:0', server_cred)
server.start()
channel_creds = grpc.ssl_channel_credentials(
root_certificates=_TEST_ROOT_CERTIFICATES)
channel = grpc.secure_channel(
'localhost:{}'.format(port),
channel_creds,
options=_PROPERTY_OPTIONS)
response = channel.unary_unary(_UNARY_UNARY)(_REQUEST)
channel.close()
server.stop(None)
auth_data = pickle.loads(response)
self.assertIsNone(auth_data[_ID])
self.assertIsNone(auth_data[_ID_KEY])
self.assertDictEqual({
'transport_security_type': [b'ssl'],
'ssl_session_reused': [b'false'],
}, auth_data[_AUTH_CTX])
def testSessionResumption(self):
# Set up a secure server
handler = grpc.method_handlers_generic_handler('test', {
'UnaryUnary':
grpc.unary_unary_rpc_method_handler(handle_unary_unary)
})
server = test_common.test_server()
server.add_generic_rpc_handlers((handler,))
server_cred = grpc.ssl_server_credentials(_SERVER_CERTS)
port = server.add_secure_port('[::]:0', server_cred)
server.start()
# Create a cache for TLS session tickets
cache = session_cache.ssl_session_cache_lru(1)
channel_creds = grpc.ssl_channel_credentials(
root_certificates=_TEST_ROOT_CERTIFICATES)
channel_options = _PROPERTY_OPTIONS + (
('grpc.ssl_session_cache', cache),)
# Initial connection has no session to resume
self._do_one_shot_client_rpc(
channel_creds,
channel_options,
port,
expect_ssl_session_reused=[b'false'])
# Subsequent connections resume sessions
self._do_one_shot_client_rpc(
channel_creds,
channel_options,
port,
expect_ssl_session_reused=[b'true'])
server.stop(None)
def __init__(
self,
hostname,
port=50051,
cacert=SERVER_CA,
username=None,
password=None,
sessionid=None,
):
super(SecureClient, self).__init__(hostname, port)
server_ca = open(cacert, "r").read()
if sessionid:
call_creds = metadata_call_credentials(SessionIdCallCredentials(sessionid))
else:
call_creds = metadata_call_credentials(
UsernamePasswordCallCredentials(username, password)
)
chan_creds = ssl_channel_credentials(server_ca)
chan_creds = composite_channel_credentials(chan_creds, call_creds)
self.channel = grpc.secure_channel(
"%s:%d" % (self.hostname, self.port), chan_creds
)
self.stub = xos_pb2_grpc.xosStub(self.channel)
self.modeldefs = modeldefs_pb2_grpc.modeldefsStub(self.channel)
self.utility = utility_pb2_grpc.utilityStub(self.channel)
self.xos_orm = orm.ORMStub(self.stub, "xos")
def __init__(
self,
consul_endpoint=None,
work_dir="/tmp/xos_grpc_protos",
endpoint="localhost:50055",
reconnect_callback=None,
cacert=SERVER_CA,
username=None,
password=None,
sessionid=None,
):
server_ca = open(cacert, "r").read()
if sessionid:
call_creds = metadata_call_credentials(SessionIdCallCredentials(sessionid))
else:
call_creds = metadata_call_credentials(
UsernamePasswordCallCredentials(username, password)
)
chan_creds = ssl_channel_credentials(server_ca)
chan_creds = composite_channel_credentials(chan_creds, call_creds)
super(SecureClient, self).__init__(
consul_endpoint, work_dir, endpoint, self.reconnected, chan_creds
)
self.reconnect_callback2 = reconnect_callback
def __init__(self, server, config, hist):
# Create the stub
if config.HasField('security_params'):
creds = grpc.ssl_channel_credentials(resources.test_root_certificates())
channel = test_common.test_secure_channel(
server, creds, config.security_params.server_host_override)
else:
channel = grpc.insecure_channel(server)
connected_event = threading.Event()
def wait_for_ready(connectivity):
if connectivity == grpc.ChannelConnectivity.READY:
connected_event.set()
channel.subscribe(wait_for_ready, try_to_connect=True)
connected_event.wait()
if config.payload_config.WhichOneof('payload') == 'simple_params':
self._generic = False
self._stub = services_pb2.BenchmarkServiceStub(channel)
payload = messages_pb2.Payload(
body='\0' * config.payload_config.simple_params.req_size)
self._request = messages_pb2.SimpleRequest(
payload=payload,
response_size=config.payload_config.simple_params.resp_size)
else:
self._generic = True
self._stub = GenericStub(channel)
self._request = '\0' * config.payload_config.bytebuf_params.req_size
self._hist = hist
self._response_callbacks = []
def make_secure_stub(credentials, user_agent, stub_class, host):
"""Makes a secure stub for an RPC service.
Uses / depends on gRPC.
:type credentials: :class:`oauth2client.client.OAuth2Credentials`
:param credentials: The OAuth2 Credentials to use for creating
access tokens.
:type user_agent: str
:param user_agent: (Optional) The user agent to be used with API requests.
:type stub_class: type
:param stub_class: A gRPC stub type for a given service.
:type host: str
:param host: The host for the service.
:rtype: object, instance of ``stub_class``
:returns: The stub object used to make gRPC requests to a given API.
"""
# ssl_channel_credentials() loads root certificates from
# `grpc/_adapter/credentials/roots.pem`.
transport_creds = grpc.ssl_channel_credentials()
custom_metadata_plugin = MetadataPlugin(credentials, user_agent)
auth_creds = grpc.metadata_call_credentials(
custom_metadata_plugin, name='google_creds')
channel_creds = grpc.composite_channel_credentials(
transport_creds, auth_creds)
target = '%s:%d' % (host, http_client.HTTPS_PORT)
channel = grpc.secure_channel(target, channel_creds)
return stub_class(channel)
def testSecureClientCert(self):
handler = grpc.method_handlers_generic_handler('test', {
'UnaryUnary':
grpc.unary_unary_rpc_method_handler(handle_unary_unary)
})
server = test_common.test_server()
server.add_generic_rpc_handlers((handler,))
server_cred = grpc.ssl_server_credentials(
_SERVER_CERTS,
root_certificates=_TEST_ROOT_CERTIFICATES,
require_client_auth=True)
port = server.add_secure_port('[::]:0', server_cred)
server.start()
channel_creds = grpc.ssl_channel_credentials(
root_certificates=_TEST_ROOT_CERTIFICATES,
private_key=_PRIVATE_KEY,
certificate_chain=_CERTIFICATE_CHAIN)
channel = grpc.secure_channel(
'localhost:{}'.format(port),
channel_creds,
options=_PROPERTY_OPTIONS)
response = channel.unary_unary(_UNARY_UNARY)(_REQUEST)
channel.close()
server.stop(None)
auth_data = pickle.loads(response)
auth_ctx = auth_data[_AUTH_CTX]
six.assertCountEqual(self, _CLIENT_IDS, auth_data[_ID])
self.assertEqual('x509_subject_alternative_name', auth_data[_ID_KEY])
self.assertSequenceEqual([b'ssl'], auth_ctx['transport_security_type'])
self.assertSequenceEqual([b'*.test.google.com'],
auth_ctx['x509_common_name'])
def _channel(args):
target = '{}:{}'.format(args.server_host, args.server_port)
if args.use_tls:
channel_credentials = grpc.ssl_channel_credentials()
channel = grpc.secure_channel(target, channel_credentials)
else:
channel = grpc.insecure_channel(target)
return channel
def getGRPCChannel(ipAddress, port, root_certificates, ssl_target_name_override):
# channel = grpc.insecure_channel("{0}:{1}".format(ipAddress, 7051), options = [('grpc.max_message_length', 100*1024*1024)])
# creds = grpc.ssl_channel_credentials(root_certificates=root_certificates, private_key=private_key, certificate_chain=certificate_chain)
creds = grpc.ssl_channel_credentials(root_certificates=root_certificates)
channel = grpc.secure_channel("{0}:{1}".format(ipAddress, port), creds,
options=(('grpc.ssl_target_name_override', ssl_target_name_override,),('grpc.default_authority', ssl_target_name_override,),))
print("Returning GRPC for address: {0}".format(ipAddress))
return channel
def secure_authorized_channel(
credentials, request, target, ssl_credentials=None, **kwargs):
"""Creates a secure authorized gRPC channel.
This creates a channel with SSL and :class:`AuthMetadataPlugin`. This
channel can be used to create a stub that can make authorized requests.
Example::
import google.auth
import google.auth.transport.grpc
import google.auth.transport.requests
from google.cloud.speech.v1 import cloud_speech_pb2
# Get credentials.
credentials, _ = google.auth.default()
# Get an HTTP request function to refresh credentials.
request = google.auth.transport.requests.Request()
# Create a channel.
channel = google.auth.transport.grpc.secure_authorized_channel(
credentials, 'speech.googleapis.com:443', request)
# Use the channel to create a stub.
cloud_speech.create_Speech_stub(channel)
Args:
credentials (google.auth.credentials.Credentials): The credentials to
add to requests.
request (google.auth.transport.Request): A HTTP transport request
object used to refresh credentials as needed. Even though gRPC
is a separate transport, there's no way to refresh the credentials
without using a standard http transport.
target (str): The host and port of the service.
ssl_credentials (grpc.ChannelCredentials): Optional SSL channel
credentials. This can be used to specify different certificates.
kwargs: Additional arguments to pass to :func:`grpc.secure_channel`.
Returns:
grpc.Channel: The created gRPC channel.
"""
# Create the metadata plugin for inserting the authorization header.
metadata_plugin = AuthMetadataPlugin(credentials, request)
# Create a set of grpc.CallCredentials using the metadata plugin.
google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin)
if ssl_credentials is None:
ssl_credentials = grpc.ssl_channel_credentials()
# Combine the ssl credentials and the authorization credentials.
composite_credentials = grpc.composite_channel_credentials(
ssl_credentials, google_auth_credentials)
return grpc.secure_channel(target, composite_credentials, **kwargs)
def Main():
try:
parser = argparse.ArgumentParser()
parser.add_argument('-d','--device', help='Input hostname',
required=True)
parser.add_argument('-t','--timeout', help='Input time_out value',
required=True,type=int)
parser.add_argument('-u', '--user', help='Input username',
required=True)
parser.add_argument('-pw', '--password', help='Input password',
required=True)
args = parser.parse_args()
#Establish grpc channel to jet router
creds = grpc.ssl_channel_credentials(open('/tmp/RSA2048.pem').read(),
None, None)
channel = grpc.secure_channel(args.device + ":32767", creds,
options=(('grpc.ssl_target_name_override', _HOST_OVERRIDE,),))
#create stub for authentication services
stub = authentication_service_pb2.LoginStub(channel)
#Authenticate
login_request = authentication_service_pb2.LoginRequest(
user_name=args.user, password=args.password, client_id="SampleApp")
login_response = stub.LoginCheck(login_request, args.timeout)
#Check if authentication is successful
if login_response.result == True:
print "[INFO] Connected to gRPC Server:"
print login_response.result
else:
print "[ERROR] gRPC Server Connection failed!!!"
print login_response.result
#Create stub for management services
stub = management_service_pb2.ManagementRpcApiStub(channel)
print "[INFO] Connected to JSD and created handle to mgd services"
for i in range(1):
#Provide API request details
op_xml_command = "<get-system-uptime-information>" \
"</get-system-uptime-information>"
op = management_service_pb2.ExecuteOpCommandRequest(
xml_command=op_xml_command, out_format=2, request_id=1000)
# Invoke API
result = stub.ExecuteOpCommand(op, 100)
# Check API response like status and output
for i in result:
print "[INFO] Invoked ExecuteOpCommand API return code = "
print i.status
print "[INFO] Return output in CLI format = "
print i.data
except Exception as ex:
print ex
def open_grpc_channel(endpoint):
"""
open grpc channel:
- for http:// we open insecure_channel
- for https:// we open secure_channel (with default credentials)
- without prefix we open insecure_channel
"""
if (endpoint.startswith("https://")):
return grpc.secure_channel(remove_http_https_prefix(endpoint), grpc.ssl_channel_credentials())
return grpc.insecure_channel(remove_http_https_prefix(endpoint))
def secure_authorized_channel(
credentials, target, ssl_credentials=None):
"""Creates a secure authorized gRPC channel."""
if ssl_credentials is None:
ssl_credentials = grpc.ssl_channel_credentials()
metadata_plugin = AuthMetadataPlugin(credentials)
call_credentials = grpc.metadata_call_credentials(metadata_plugin)
channel_creds = grpc.composite_channel_credentials(
ssl_credentials, call_credentials)
return grpc.secure_channel(target, channel_creds)
def _do_one_shot_client_rpc(self,
expect_success,
root_certificates=None,
private_key=None,
certificate_chain=None):
credentials = grpc.ssl_channel_credentials(
root_certificates=root_certificates,
private_key=private_key,
certificate_chain=certificate_chain)
with _create_channel(self.port, credentials) as client_channel:
client_stub = _create_client_stub(client_channel, expect_success)
self._perform_rpc(client_stub, expect_success)
def create_channel(
target, credentials=None, scopes=None, ssl_credentials=None, **kwargs
):
"""Create a secure channel with credentials.
Args:
target (str): The target service address in the format 'hostname:port'.
credentials (google.auth.credentials.Credentials): The credentials. If
not specified, then this function will attempt to ascertain the
credentials from the environment using :func:`google.auth.default`.
scopes (Sequence[str]): A optional list of scopes needed for this
service. These are only used when credentials are not specified and
are passed to :func:`google.auth.default`.
ssl_credentials (grpc.ChannelCredentials): Optional SSL channel
credentials. This can be used to specify different certificates.
kwargs: Additional key-word args passed to
:func:`grpc_gcp.secure_channel` or :func:`grpc.secure_channel`.
Returns:
grpc.Channel: The created channel.
"""
if credentials is None:
credentials, _ = google.auth.default(scopes=scopes)
else:
credentials = google.auth.credentials.with_scopes_if_required(
credentials, scopes
)
request = google.auth.transport.requests.Request()
# Create the metadata plugin for inserting the authorization header.
metadata_plugin = google.auth.transport.grpc.AuthMetadataPlugin(
credentials, request
)
# Create a set of grpc.CallCredentials using the metadata plugin.
google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin)
if ssl_credentials is None:
ssl_credentials = grpc.ssl_channel_credentials()
# Combine the ssl credentials and the authorization credentials.
composite_credentials = grpc.composite_channel_credentials(
ssl_credentials, google_auth_credentials
)
if HAS_GRPC_GCP:
# If grpc_gcp module is available use grpc_gcp.secure_channel,
# otherwise, use grpc.secure_channel to create grpc channel.
return grpc_gcp.secure_channel(target, composite_credentials, **kwargs)
else:
return grpc.secure_channel(target, composite_credentials, **kwargs)
def _get_channel(target, args):
if args.use_tls:
if args.use_test_ca:
root_certificates = resources.test_root_certificates()
else:
root_certificates = None # will load default roots.
channel_credentials = grpc.ssl_channel_credentials(
root_certificates=root_certificates)
options = (('grpc.ssl_target_name_override', args.server_host_override,),)
return grpc.secure_channel(
target, channel_credentials, options=options)
else:
return grpc.insecure_channel(target)
def Main():
"""
This function handles connections to Sites, Routers and JET firewall and management services
"""
try:
"connection handles to site is optional in case polling to sites on SNMP/DyCOS server"
for i in range(1, n+1):
creds = grpc.ssl_channel_credentials(open('{}.pem'.format(globals()['S%s_IP' %i])).read())
channel = grpc.secure_channel(globals()['S%s_IP' %i]+':'+PORT, creds)
res = _authenticateChannel(channel, USER, PASSWORD, CLIENT_ID)
print "Authentication "+('success' if res else 'failure')+' for '+globals()['S%s_IP' %i]
if res is False:
return
S_mgmt_stub = mgd_service_pb2.ManagementRpcApiStub(channel)
globals()['mgmt_S%s' % i] = S_mgmt_stub
"MX router connection and JET service handles"
for i in range(1, n-1):
creds = grpc.ssl_channel_credentials(open('{}.pem'.format(globals()['R%s_IP' %i])).read())
channel = grpc.secure_channel(globals()['R%s_IP' %i]+':'+PORT, creds)
res = _authenticateChannel(channel, USER, PASSWORD, CLIENT_ID)
print "Authentication "+('success' if res else 'failure')+' for '+globals()['R%s_IP' %i]
if res is False:
return
R_fw_stub = firewall_service_pb2.AclServiceStub(channel)
R_mgmt_stub = mgd_service_pb2.ManagementRpcApiStub(channel)
globals()['mgmt_R%s' % i] = R_mgmt_stub
globals()['fw_R%s' % i] = R_fw_stub
Initial_Cos_Configs()
Get_Site_Latest_Data()
except KeyboardInterrupt:
pass
except Exception as tx:
print '%s' % (tx.message)
return
def setUp(self):
self.server = grpc.server(futures.ThreadPoolExecutor(max_workers=10))
test_pb2.add_TestServiceServicer_to_server(
methods.TestService(), self.server)
port = self.server.add_secure_port(
'[::]:0', grpc.ssl_server_credentials(
[(resources.private_key(), resources.certificate_chain())]))
self.server.start()
self.stub = test_pb2.TestServiceStub(
grpc.secure_channel(
'localhost:{}'.format(port),
grpc.ssl_channel_credentials(resources.test_root_certificates()),
(('grpc.ssl_target_name_override', _SERVER_HOST_OVERRIDE,),)))
def _get_channel(self):
try:
creds = grpc.ssl_channel_credentials(
root_certificates=self.cert_context)
self.channel = \
grpc.secure_channel('{}:{}'.format(
self.host, self.port), creds,
options=(('grpc.ssl_target_name_override', self.ssl_target_name,),
('grpc.default_authority', self.default_authority),))
except Exception as e:
self._logger.error(
'failed to create connection exception: {}'.format(
';'.join(str(e).split('\n\t'))))
def get_auth():
client_key_file = open("../../auth/client.key")
client_key = client_key_file.read()
client_key_file.close()
client_crt_file = open("../../auth/client.crt")
client_crt = client_crt_file.read()
client_crt_file.close()
ca_crt_file = open("../../auth/ca.crt")
ca_crt = ca_crt_file.read()
ca_crt_file.close()
return grpc.ssl_channel_credentials(root_certificates=ca_crt, private_key=client_key, certificate_chain=client_crt)
def dial(self):
if self.stub:
self.stub.close()
p = urlparse('http://' + self.addr)
target = '%s:%s' % (p.hostname, p.port)
if self.root_certificates or self.private_key or self.certificate_chain:
creds = grpc.ssl_channel_credentials(
self.root_certificates, self.private_key, self.certificate_chain)
channel = grpc.secure_channel(target, creds)
else:
channel = grpc.insecure_channel(target)
self.stub = vtgateservice_pb2.VitessStub(channel)
def _create_client_stub(
port,
expect_success,
root_certificates=None,
private_key=None,
certificate_chain=None,):
channel = grpc.secure_channel('localhost:{}'.format(port),
grpc.ssl_channel_credentials(
root_certificates=root_certificates,
private_key=private_key,
certificate_chain=certificate_chain))
if expect_success:
# per Nathaniel: there's some robustness issue if we start
# using a channel without waiting for it to be actually ready
grpc.channel_ready_future(channel).result(timeout=10)
return services_pb2_grpc.FirstServiceStub(channel)
def dial(self):
if self.stub:
self.stub.close()
p = urlparse('http://' + self.addr)
target = '%s:%s' % (p.hostname, p.port)
if self.root_certificates or self.private_key or self.certificate_chain:
creds = grpc.ssl_channel_credentials(
self.root_certificates, self.private_key, self.certificate_chain)
channel = grpc.secure_channel(target, creds)
else:
channel = grpc.insecure_channel(target)
if self.auth_static_client_creds is not None:
channel = grpc_with_metadata.GRPCWithMetadataChannel(channel, self.get_auth_static_client_creds)
self.stub = vtgateservice_pb2.VitessStub(channel)
def test_create_channel_implicit_with_ssl_creds(
grpc_secure_channel, default, composite_creds_call
):
target = "example.com:443"
ssl_creds = grpc.ssl_channel_credentials()
grpc_helpers.create_channel(target, ssl_credentials=ssl_creds)
default.assert_called_once_with(scopes=None)
composite_creds_call.assert_called_once_with(ssl_creds, mock.ANY)
composite_creds = composite_creds_call.return_value
if grpc_helpers.HAS_GRPC_GCP:
grpc_secure_channel.assert_called_once_with(target, composite_creds, None)
else:
grpc_secure_channel.assert_called_once_with(target, composite_creds)
def setUp(self):
self.server = test_common.test_server()
test_pb2_grpc.add_TestServiceServicer_to_server(service.TestService(),
self.server)
port = self.server.add_secure_port(
'[::]:0',
grpc.ssl_server_credentials([(resources.private_key(),
resources.certificate_chain())]))
self.server.start()
self.stub = test_pb2_grpc.TestServiceStub(
grpc.secure_channel('localhost:{}'.format(port),
grpc.ssl_channel_credentials(
resources.test_root_certificates()), ((
'grpc.ssl_target_name_override',
_SERVER_HOST_OVERRIDE,
),)))
def _stub(args):
target = '{}:{}'.format(args.server_host, args.server_port)
if args.test_case == 'oauth2_auth_token':
google_credentials, unused_project_id = google_auth.default(
scopes=[args.oauth_scope])
google_credentials.refresh(google_auth.transport.requests.Request())
call_credentials = grpc.access_token_call_credentials(
google_credentials.token)
elif args.test_case == 'compute_engine_creds':
google_credentials, unused_project_id = google_auth.default(
scopes=[args.oauth_scope])
call_credentials = grpc.metadata_call_credentials(
google_auth.transport.grpc.AuthMetadataPlugin(
credentials=google_credentials,
request=google_auth.transport.requests.Request()))
elif args.test_case == 'jwt_token_creds':
google_credentials = google_auth_jwt.OnDemandCredentials.from_service_account_file(
os.environ[google_auth.environment_vars.CREDENTIALS])
call_credentials = grpc.metadata_call_credentials(
google_auth.transport.grpc.AuthMetadataPlugin(
credentials=google_credentials, request=None))
else:
call_credentials = None
if args.use_tls:
if args.use_test_ca:
root_certificates = resources.test_root_certificates()
else:
root_certificates = None # will load default roots.
channel_credentials = grpc.ssl_channel_credentials(root_certificates)
if call_credentials is not None:
channel_credentials = grpc.composite_channel_credentials(
channel_credentials, call_credentials)
channel_opts = None
if args.server_host_override:
channel_opts = ((
'grpc.ssl_target_name_override',
args.server_host_override,
),)
channel = grpc.secure_channel(target, channel_credentials, channel_opts)
else:
channel = grpc.insecure_channel(target)
if args.test_case == "unimplemented_service":
return test_pb2_grpc.UnimplementedServiceStub(channel)
else:
return test_pb2_grpc.TestServiceStub(channel)
def test_channel_credentials_composition(self):
first_call_credentials = grpc.access_token_call_credentials('abc')
second_call_credentials = grpc.access_token_call_credentials('def')
third_call_credentials = grpc.access_token_call_credentials('ghi')
channel_credentials = grpc.ssl_channel_credentials()
channel_and_first = grpc.composite_channel_credentials(
channel_credentials, first_call_credentials)
channel_first_and_second = grpc.composite_channel_credentials(
channel_credentials, first_call_credentials, second_call_credentials)
channel_first_second_and_third = grpc.composite_channel_credentials(
channel_credentials, first_call_credentials, second_call_credentials,
third_call_credentials)
self.assertIsInstance(channel_and_first, grpc.ChannelCredentials)
self.assertIsInstance(channel_first_and_second, grpc.ChannelCredentials)
self.assertIsInstance(
channel_first_second_and_third, grpc.ChannelCredentials)
def _get_channel(target, args):
if args.use_tls:
if args.use_test_ca:
root_certificates = resources.test_root_certificates()
else:
root_certificates = None # will load default roots.
channel_credentials = grpc.ssl_channel_credentials(
root_certificates=root_certificates)
options = (('grpc.ssl_target_name_override',
args.server_host_override,),)
channel = grpc.secure_channel(
target, channel_credentials, options=options)
else:
channel = grpc.insecure_channel(target)
# waits for the channel to be ready before we start sending messages
grpc.channel_ready_future(channel).result()
return channel
try:
from python.tulipsolutions.api.auth import jwt_interceptor
except ImportError:
from tulipsolutions.api.auth import jwt_interceptor
try:
from python.tulipsolutions.api.auth import message_authentication_interceptor
except ImportError:
from tulipsolutions.api.auth import message_authentication_interceptor
if __name__ == '__main__':
args = sys.argv
if len(args) == 1:
# Use system CA trust store to connect to public MockGrpc service.
address = 'mockgrpc.test.tulipsolutions.nl:443'
creds = grpc.ssl_channel_credentials()
elif len(args) == 3:
# Use Mock CA certificates from this repository
# The server cert is set up to accept connections to localhost
ca_cert_path = 'mockgrpc/src/main/resources/certs/mock_ca.crt'
if not os.path.exists(ca_cert_path):
# If this file is run from the examples workspace, the cert file will be placed here by Bazel
ca_cert_path = "external/nl_tulipsolutions_tecl/" + ca_cert_path
with open(ca_cert_path, 'rb') as ca_cert_file:
trust_cert_collection = ca_cert_file.read()
creds = grpc.ssl_channel_credentials(trust_cert_collection)
address = '%s:%s' % (args[1], args[2])
elif len(args) == 4:
# Use command line provided CA certificate bundle
address = '%s:%s' % (args[1], args[2])
with open(args[3], 'rb') as ca_cert_file:
def build_credentials(self):
self.cert_creds = grpc.ssl_channel_credentials(self.tls_cert_key)
self.auth_creds = grpc.metadata_call_credentials(
self.metadata_callback)
self.combined_creds = grpc.composite_channel_credentials(
self.cert_creds, self.auth_creds)
def construct(self, return_channel=False):
"""Constructs and returns the desired Client object.
The instance of this class will reset to default values for further building.
Returns
-------
Client or NXClient or XEClient or XRClient
"""
channel = None
if self.__secure:
LOGGER.debug("Using secure channel.")
channel_metadata_creds = None
if self.__username and self.__password:
LOGGER.debug("Using username/password call authentication.")
channel_metadata_creds = grpc.metadata_call_credentials(
CiscoAuthPlugin(self.__username, self.__password))
channel_ssl_creds = grpc.ssl_channel_credentials(
self.__root_certificates, self.__private_key,
self.__certificate_chain)
channel_creds = None
if channel_ssl_creds and channel_metadata_creds:
LOGGER.debug(
"Using SSL/metadata authentication composite credentials.")
channel_creds = grpc.composite_channel_credentials(
channel_ssl_creds, channel_metadata_creds)
else:
LOGGER.debug(
"Using SSL credentials, no channel metadata authentication."
)
channel_creds = channel_ssl_creds
if self.__ssl_target_name_override is not False:
if self.__ssl_target_name_override is None:
if not self.__root_certificates:
raise Exception(
"Deriving override requires root certificate!")
self.__ssl_target_name_override = get_cn_from_cert(
self.__root_certificates)
LOGGER.warning(
"Overriding SSL option from certificate could increase MITM susceptibility!"
)
self.set_channel_option("grpc.ssl_target_name_override",
self.__ssl_target_name_override)
channel = grpc.secure_channel(self.__target_netloc.netloc,
channel_creds,
self.__channel_options)
else:
LOGGER.warning(
"Insecure gRPC channel is against gNMI specification, personal data may be compromised."
)
channel = grpc.insecure_channel(self.__target_netloc.netloc)
if self.__client_class is None:
self.set_os()
client = None
if self.__secure:
client = self.__client_class(channel)
else:
client = self.__client_class(
channel,
default_call_metadata=[
("username", self.__username),
("password", self.__password),
],
)
self._reset()
if return_channel:
return client, channel
else:
return client
# coding: utf-8
from dialog_bot_sdk.bot import DialogBot
import grpc
import os
def on_msg(*params):
print('on msg', params)
d.messaging.send_message(
params[0].peer, str(params[0].message.textMessage.text)
)
if __name__ == '__main__':
d = DialogBot.get_secure_bot(
'grpc-test.transmit.im:8080', # bot endpoint
grpc.ssl_channel_credentials(), # SSL credentials
os.environ.get('BOT_TOKEN') # bot token
)
d.messaging.on_message(on_msg)
def run(args, schema, secret):
try:
if tn_globals.IsInteractive:
tn_globals.Prompt = PromptSession()
# Create secure channel with default credentials.
channel = None
if args.ssl:
opts = (('grpc.ssl_target_name_override', args.ssl_host),) if args.ssl_host else None
channel = grpc.secure_channel(args.host, grpc.ssl_channel_credentials(), opts)
else:
channel = grpc.insecure_channel(args.host)
# Call the server
stream = pbx.NodeStub(channel).MessageLoop(gen_message(schema, secret, args))
# Read server responses
for msg in stream:
if msg.HasField("ctrl"):
handle_ctrl(msg.ctrl)
elif msg.HasField("meta"):
what = []
if len(msg.meta.sub) > 0:
what.append("sub")
if msg.meta.HasField("desc"):
what.append("desc")
if msg.meta.HasField("del"):
what.append("del")
if len(msg.meta.tags) > 0:
what.append("tags")
stdoutln("\r<= meta " + ",".join(what) + " " + msg.meta.topic)
if tn_globals.WaitingFor and tn_globals.WaitingFor.await_id == msg.meta.id:
if 'varname' in tn_globals.WaitingFor:
tn_globals.Variables[tn_globals.WaitingFor.varname] = msg.meta
tn_globals.WaitingFor = None
elif msg.HasField("data"):
stdoutln("\n\rFrom: " + msg.data.from_user_id)
stdoutln("Topic: " + msg.data.topic)
stdoutln("Seq: " + str(msg.data.seq_id))
if msg.data.head:
stdoutln("Headers:")
for key in msg.data.head:
stdoutln("\t" + key + ": "+str(msg.data.head[key]))
stdoutln(json.loads(msg.data.content))
elif msg.HasField("pres"):
pass
elif msg.HasField("info"):
what = "unknown"
if msg.info.what == pb.READ:
what = "read"
elif msg.info.what == pb.RECV:
what = "recv"
elif msg.info.what == pb.KP:
what = "kp"
stdoutln("\rMessage #" + str(msg.info.seq_id) + " " + what +
" by " + msg.info.from_user_id + "; topic=" + msg.info.topic + " (" + msg.topic + ")")
else:
stdoutln("\rMessage type not handled" + str(msg))
except grpc.RpcError as err:
# print(err)
printerr("gRPC failed with {0}: {1}".format(err.code(), err.details()))
except Exception as ex:
printerr("Request failed: {0}".format(ex))
# print(traceback.format_exc())
finally:
printout('Shutting down...')
channel.close()
if tn_globals.InputThread != None:
tn_globals.InputThread.join(0.3)
def get_cert_credentials(self):
if self.cert_credentials is None:
lnd_tls_cert_path = os.path.join(self.lnd.lnddir, 'tls.cert')
lnd_tls_cert = open(lnd_tls_cert_path, 'rb').read()
self.cert_credentials = grpc.ssl_channel_credentials(lnd_tls_cert)
return self.cert_credentials
@pytest.fixture
def event_loop():
asyncio.set_event_loop(_test_event_loop)
return asyncio.get_event_loop()
dir = os.path.dirname(__file__)
with open(os.path.join(dir, "../cert/mtls.crt"), "rb") as fh:
cert = fh.read()
with open(os.path.join(dir, "../cert/mtls.key"), "rb") as fh:
key = fh.read()
ssl_credentials = grpc.ssl_channel_credentials(root_certificates=cert,
certificate_chain=cert,
private_key=key)
def callback():
return cert, key
client_options = ClientOptions.ClientOptions()
client_options.client_cert_source = callback
def pytest_addoption(parser):
parser.addoption("--mtls",
action="store_true",
help="Run system test with mutual TLS channel")
cert = open(os.path.expanduser("~/.lnd/tls.cert"), "rb").read()
def metadata_callback(context, callback):
with open(
os.path.expanduser(
"~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon"),
"rb") as f:
macaroon_bytes = f.read()
macaroon = codecs.encode(macaroon_bytes, "hex")
callback([("macaroon", macaroon)], None)
# build ssl credentials using the cert the same as before
cert_creds = grpc.ssl_channel_credentials(cert)
# now build meta data credentials
auth_creds = grpc.metadata_call_credentials(metadata_callback)
# combine the cert credentials and the macaroon auth credentials
combined_creds = grpc.composite_channel_credentials(cert_creds, auth_creds)
# finally pass in the combined credentials when creating a channel
channel = grpc.secure_channel("localhost:10009", combined_creds)
stub = lnrpc.LightningStub(channel)
# now every call will be made with the macaroon already included
list_req = ln.ListInvoiceRequest(pending_only=True,
num_max_invoices=1,
reversed=True)
invoice_num = stub.ListInvoices(list_req).invoices[-1].add_index
get_padded_frame_size(frame_samples, f.getframerate())
* 2, b'\0')
request = stt_pb2.StreamingRecognizeRequest()
request.audio_content = opus_encoder.encode(
data,
len(data) >> 1)
yield request
except Exception as e:
print("Got exception in generate_requests", e)
raise
def print_streaming_recognition_responses(responses):
for response in responses:
for result in response.results:
print("Channel", result.recognition_result.channel)
print("Phrase start:",
result.recognition_result.start_time.ToTimedelta())
print("Phrase end: ",
result.recognition_result.end_time.ToTimedelta())
for alternative in result.recognition_result.alternatives:
print('"' + alternative.transcript + '"')
print("------------------")
stub = stt_pb2_grpc.SpeechToTextStub(
grpc.secure_channel(endpoint, grpc.ssl_channel_credentials()))
metadata = authorization_metadata(api_key, secret_key, "tinkoff.cloud.stt")
responses = stub.StreamingRecognize(generate_requests(), metadata=metadata)
print_streaming_recognition_responses(responses)
# -*- coding: utf-8 -*-
import grpc
from pb.authentication import authenticationService_pb2_grpc
from pb.common import replyInfo_pb2
from authService import auth
import unittest
import os
auth_host_staging = os.environ.get("AUTH_HOST_STAGING", "")
auth_host_production = os.environ.get("AUTH_HOST_PRODUCTION", "")
creds = grpc.ssl_channel_credentials()
staging_auth_channel = grpc.secure_channel(auth_host_staging,
credentials=creds)
staging_auth_client = authenticationService_pb2_grpc.AuthenticationServiceStub(
staging_auth_channel)
prod_auth_channel = grpc.secure_channel(auth_host_production,
credentials=creds)
prod_auth_client = authenticationService_pb2_grpc.AuthenticationServiceStub(
prod_auth_channel)
authenticator = auth.AdminAuthenticator(
username=os.environ.get("AUTH_USERNAME", ""),
password=os.environ.get("AUTH_PASSWORD", ""),
company_id=os.environ.get("AUTH_COMPANY_ID", ""))
class AuthTestSuite(unittest.TestCase):
"""Basic authentication test cases."""
@staticmethod
def test_staging_authentication():
assert authenticator is not None
def _run(flags, experiment_url_callback=None):
"""Runs the main uploader program given parsed flags.
Args:
flags: An `argparse.Namespace`.
experiment_url_callback: A function accepting a single string argument
containing the full TB.dev URL of the uploaded experiment.
"""
logging.set_stderrthreshold(logging.WARNING)
intent = _get_intent(flags, experiment_url_callback)
store = auth.CredentialsStore()
if isinstance(intent, _AuthRevokeIntent):
store.clear()
sys.stderr.write("Logged out of uploader.\n")
sys.stderr.flush()
return
# TODO(b/141723268): maybe reconfirm Google Account prior to reuse.
credentials = store.read_credentials()
if not credentials:
_prompt_for_user_ack(intent)
client_config = json.loads(auth.OAUTH_CLIENT_CONFIG)
flow = auth.build_installed_app_flow(client_config)
credentials = flow.run(force_console=flags.auth_force_console)
sys.stderr.write("\n") # Extra newline after auth flow messages.
store.write_credentials(credentials)
channel_options = None
if flags.grpc_creds_type == "local":
channel_creds = grpc.local_channel_credentials()
elif flags.grpc_creds_type == "ssl":
channel_creds = grpc.ssl_channel_credentials()
elif flags.grpc_creds_type == "ssl_dev":
# Configure the dev cert to use by passing the environment variable
# GRPC_DEFAULT_SSL_ROOTS_FILE_PATH=path/to/cert.crt
channel_creds = grpc.ssl_channel_credentials()
channel_options = [("grpc.ssl_target_name_override", "localhost")]
else:
msg = "Invalid --grpc_creds_type %s" % flags.grpc_creds_type
raise base_plugin.FlagsError(msg)
try:
server_info = _get_server_info(flags)
except server_info_lib.CommunicationError as e:
_die(str(e))
_handle_server_info(server_info)
logging.info("Received server info: <%r>", server_info)
if not server_info.api_server.endpoint:
logging.error("Server info response: %s", server_info)
_die("Internal error: frontend did not specify an API server")
composite_channel_creds = grpc.composite_channel_credentials(
channel_creds, auth.id_token_call_credentials(credentials)
)
# TODO(@nfelt): In the `_UploadIntent` case, consider waiting until
# logdir exists to open channel.
channel = grpc.secure_channel(
server_info.api_server.endpoint,
composite_channel_creds,
options=channel_options,
)
with channel:
intent.execute(server_info, channel)
def __init__(self,
*,
host: str = "jobs.googleapis.com",
credentials: credentials.Credentials = None,
credentials_file: str = None,
scopes: Sequence[str] = None,
channel: grpc.Channel = None,
api_mtls_endpoint: str = None,
client_cert_source: Callable[[], Tuple[bytes, bytes]] = None,
quota_project_id: Optional[str] = None) -> None:
"""Instantiate the transport.
Args:
host (Optional[str]): The hostname to connect to.
credentials (Optional[google.auth.credentials.Credentials]): The
authorization credentials to attach to requests. These
credentials identify the application to the service; if none
are specified, the client will attempt to ascertain the
credentials from the environment.
This argument is ignored if ``channel`` is provided.
credentials_file (Optional[str]): A file with credentials that can
be loaded with :func:`google.auth.load_credentials_from_file`.
This argument is ignored if ``channel`` is provided.
scopes (Optional(Sequence[str])): A list of scopes. This argument is
ignored if ``channel`` is provided.
channel (Optional[grpc.Channel]): A ``Channel`` instance through
which to make calls.
api_mtls_endpoint (Optional[str]): The mutual TLS endpoint. If
provided, it overrides the ``host`` argument and tries to create
a mutual TLS channel with client SSL credentials from
``client_cert_source`` or applicatin default SSL credentials.
client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): A
callback to provide client SSL certificate bytes and private key
bytes, both in PEM format. It is ignored if ``api_mtls_endpoint``
is None.
quota_project_id (Optional[str]): An optional project to use for billing
and quota.
Raises:
google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport
creation failed for any reason.
google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials``
and ``credentials_file`` are passed.
"""
if channel:
# Sanity check: Ensure that channel and credentials are not both
# provided.
credentials = False
# If a channel was explicitly provided, set it.
self._grpc_channel = channel
elif api_mtls_endpoint:
host = (api_mtls_endpoint if ":" in api_mtls_endpoint else
api_mtls_endpoint + ":443")
if credentials is None:
credentials, _ = auth.default(
scopes=self.AUTH_SCOPES, quota_project_id=quota_project_id)
# Create SSL credentials with client_cert_source or application
# default SSL credentials.
if client_cert_source:
cert, key = client_cert_source()
ssl_credentials = grpc.ssl_channel_credentials(
certificate_chain=cert, private_key=key)
else:
ssl_credentials = SslCredentials().ssl_credentials
# create a new channel. The provided one is ignored.
self._grpc_channel = type(self).create_channel(
host,
credentials=credentials,
credentials_file=credentials_file,
ssl_credentials=ssl_credentials,
scopes=scopes or self.AUTH_SCOPES,
quota_project_id=quota_project_id,
)
self._stubs = {} # type: Dict[str, Callable]
# Run the base constructor.
super().__init__(
host=host,
credentials=credentials,
credentials_file=credentials_file,
scopes=scopes or self.AUTH_SCOPES,
quota_project_id=quota_project_id,
)
def __init__(self, *,
host: str = 'pubsub.googleapis.com',
credentials: credentials.Credentials = None,
channel: grpc.Channel = None,
api_mtls_endpoint: str = None,
client_cert_source: Callable[[], Tuple[bytes, bytes]] = None) -> None:
"""Instantiate the transport.
Args:
host (Optional[str]): The hostname to connect to.
credentials (Optional[google.auth.credentials.Credentials]): The
authorization credentials to attach to requests. These
credentials identify the application to the service; if none
are specified, the client will attempt to ascertain the
credentials from the environment.
This argument is ignored if ``channel`` is provided.
channel (Optional[grpc.Channel]): A ``Channel`` instance through
which to make calls.
api_mtls_endpoint (Optional[str]): The mutual TLS endpoint. If
provided, it overrides the ``host`` argument and tries to create
a mutual TLS channel with client SSL credentials from
``client_cert_source`` or applicatin default SSL credentials.
client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): A
callback to provide client SSL certificate bytes and private key
bytes, both in PEM format. It is ignored if ``api_mtls_endpoint``
is None.
Raises:
google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport
creation failed for any reason.
"""
if channel:
# Sanity check: Ensure that channel and credentials are not both
# provided.
credentials = False
# If a channel was explicitly provided, set it.
self._grpc_channel = channel
elif api_mtls_endpoint:
host = api_mtls_endpoint if ":" in api_mtls_endpoint else api_mtls_endpoint + ":443"
# Create SSL credentials with client_cert_source or application
# default SSL credentials.
if client_cert_source:
cert, key = client_cert_source()
ssl_credentials = grpc.ssl_channel_credentials(
certificate_chain=cert, private_key=key
)
else:
ssl_credentials = SslCredentials().ssl_credentials
# create a new channel. The provided one is ignored.
self._grpc_channel = grpc_helpers.create_channel(
host,
credentials=credentials,
ssl_credentials=ssl_credentials,
scopes=self.AUTH_SCOPES,
)
# Run the base constructor.
super().__init__(host=host, credentials=credentials)
self._stubs = {} # type: Dict[str, Callable]
request.streaming_config.config.num_channels = num_channels
return request
def generate_requests():
try:
with wave.open("../../audio/sample_3.wav") as f:
yield build_first_request(f.getframerate(), f.getnchannels())
frame_samples = f.getframerate()//10 # Send 100ms at a time
for data in iter(lambda:f.readframes(frame_samples), b''):
request = stt_pb2.StreamingRecognizeRequest()
request.audio_content = data
yield request
except Exception as e:
print("Got exception in generate_requests", e)
raise
def print_streaming_recognition_responses(responses):
for response in responses:
for result in response.results:
print("Channel", result.recognition_result.channel)
print("Phrase start:", result.recognition_result.start_time.ToTimedelta())
print("Phrase end: ", result.recognition_result.end_time.ToTimedelta())
for alternative in result.recognition_result.alternatives:
print('"' + alternative.transcript + '"')
print("------------------")
stub = stt_pb2_grpc.SpeechToTextStub(grpc.secure_channel(endpoint, grpc.ssl_channel_credentials()))
metadata = authorization_metadata(api_key, secret_key, "tinkoff.cloud.stt")
responses = stub.StreamingRecognize(generate_requests(), metadata=metadata)
print_streaming_recognition_responses(responses)
def __init__(self, rpc_port):
self.port = rpc_port
cred = grpc.ssl_channel_credentials(open('tls.cert', 'rb').read())
channel = grpc.secure_channel('localhost:{}'.format(rpc_port), cred)
self.stub = lnrpc_grpc.LightningStub(channel)
def secure_authorized_channel(
credentials,
request,
target,
ssl_credentials=None,
client_cert_callback=None,
**kwargs
):
"""Creates a secure authorized gRPC channel.
This creates a channel with SSL and :class:`AuthMetadataPlugin`. This
channel can be used to create a stub that can make authorized requests.
Users can configure client certificate or rely on device certificates to
establish a mutual TLS channel, if the `GOOGLE_API_USE_CLIENT_CERTIFICATE`
variable is explicitly set to `true`.
Example::
import google.auth
import google.auth.transport.grpc
import google.auth.transport.requests
from google.cloud.speech.v1 import cloud_speech_pb2
# Get credentials.
credentials, _ = google.auth.default()
# Get an HTTP request function to refresh credentials.
request = google.auth.transport.requests.Request()
# Create a channel.
channel = google.auth.transport.grpc.secure_authorized_channel(
credentials, regular_endpoint, request,
ssl_credentials=grpc.ssl_channel_credentials())
# Use the channel to create a stub.
cloud_speech.create_Speech_stub(channel)
Usage:
There are actually a couple of options to create a channel, depending on if
you want to create a regular or mutual TLS channel.
First let's list the endpoints (regular vs mutual TLS) to choose from::
regular_endpoint = 'speech.googleapis.com:443'
mtls_endpoint = 'speech.mtls.googleapis.com:443'
Option 1: create a regular (non-mutual) TLS channel by explicitly setting
the ssl_credentials::
regular_ssl_credentials = grpc.ssl_channel_credentials()
channel = google.auth.transport.grpc.secure_authorized_channel(
credentials, regular_endpoint, request,
ssl_credentials=regular_ssl_credentials)
Option 2: create a mutual TLS channel by calling a callback which returns
the client side certificate and the key (Note that
`GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable must be explicitly
set to `true`)::
def my_client_cert_callback():
code_to_load_client_cert_and_key()
if loaded:
return (pem_cert_bytes, pem_key_bytes)
raise MyClientCertFailureException()
try:
channel = google.auth.transport.grpc.secure_authorized_channel(
credentials, mtls_endpoint, request,
client_cert_callback=my_client_cert_callback)
except MyClientCertFailureException:
# handle the exception
Option 3: use application default SSL credentials. It searches and uses
the command in a context aware metadata file, which is available on devices
with endpoint verification support (Note that
`GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable must be explicitly
set to `true`).
See https://cloud.google.com/endpoint-verification/docs/overview::
try:
default_ssl_credentials = SslCredentials()
except:
# Exception can be raised if the context aware metadata is malformed.
# See :class:`SslCredentials` for the possible exceptions.
# Choose the endpoint based on the SSL credentials type.
if default_ssl_credentials.is_mtls:
endpoint_to_use = mtls_endpoint
else:
endpoint_to_use = regular_endpoint
channel = google.auth.transport.grpc.secure_authorized_channel(
credentials, endpoint_to_use, request,
ssl_credentials=default_ssl_credentials)
Option 4: not setting ssl_credentials and client_cert_callback. For devices
without endpoint verification support or `GOOGLE_API_USE_CLIENT_CERTIFICATE`
environment variable is not `true`, a regular TLS channel is created;
otherwise, a mutual TLS channel is created, however, the call should be
wrapped in a try/except block in case of malformed context aware metadata.
The following code uses regular_endpoint, it works the same no matter the
created channle is regular or mutual TLS. Regular endpoint ignores client
certificate and key::
channel = google.auth.transport.grpc.secure_authorized_channel(
credentials, regular_endpoint, request)
The following code uses mtls_endpoint, if the created channle is regular,
and API mtls_endpoint is confgured to require client SSL credentials, API
calls using this channel will be rejected::
channel = google.auth.transport.grpc.secure_authorized_channel(
credentials, mtls_endpoint, request)
Args:
credentials (google.auth.credentials.Credentials): The credentials to
add to requests.
request (google.auth.transport.Request): A HTTP transport request
object used to refresh credentials as needed. Even though gRPC
is a separate transport, there's no way to refresh the credentials
without using a standard http transport.
target (str): The host and port of the service.
ssl_credentials (grpc.ChannelCredentials): Optional SSL channel
credentials. This can be used to specify different certificates.
This argument is mutually exclusive with client_cert_callback;
providing both will raise an exception.
If ssl_credentials and client_cert_callback are None, application
default SSL credentials are used if `GOOGLE_API_USE_CLIENT_CERTIFICATE`
environment variable is explicitly set to `true`, otherwise one way TLS
SSL credentials are used.
client_cert_callback (Callable[[], (bytes, bytes)]): Optional
callback function to obtain client certicate and key for mutual TLS
connection. This argument is mutually exclusive with
ssl_credentials; providing both will raise an exception.
This argument does nothing unless `GOOGLE_API_USE_CLIENT_CERTIFICATE`
environment variable is explicitly set to `true`.
kwargs: Additional arguments to pass to :func:`grpc.secure_channel`.
Returns:
grpc.Channel: The created gRPC channel.
Raises:
google.auth.exceptions.MutualTLSChannelError: If mutual TLS channel
creation failed for any reason.
"""
# Create the metadata plugin for inserting the authorization header.
metadata_plugin = AuthMetadataPlugin(credentials, request)
# Create a set of grpc.CallCredentials using the metadata plugin.
google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin)
if ssl_credentials and client_cert_callback:
raise ValueError(
"Received both ssl_credentials and client_cert_callback; "
"these are mutually exclusive."
)
# If SSL credentials are not explicitly set, try client_cert_callback and ADC.
if not ssl_credentials:
use_client_cert = os.getenv(
environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE, "false"
)
if use_client_cert == "true" and client_cert_callback:
# Use the callback if provided.
cert, key = client_cert_callback()
ssl_credentials = grpc.ssl_channel_credentials(
certificate_chain=cert, private_key=key
)
elif use_client_cert == "true":
# Use application default SSL credentials.
adc_ssl_credentils = SslCredentials()
ssl_credentials = adc_ssl_credentils.ssl_credentials
else:
ssl_credentials = grpc.ssl_channel_credentials()
# Combine the ssl credentials and the authorization credentials.
composite_credentials = grpc.composite_channel_credentials(
ssl_credentials, google_auth_credentials
)
return grpc.secure_channel(target, composite_credentials, **kwargs)
def testvarsAttempt():
try:
import testvars
except ImportError:
common.conMsg('bot','Predefined test variables not found, continue with environment variables')
return None
else:
common.conMsg('bot','Predefined test variables found, environment variables ignored')
return None
if __name__ == '__main__':
common.conMsg('bot','Starting bot')
testvarsAttempt()
lang = os.environ['LANGUAGE']
mode = os.environ['ISSUE_TYPE_MODE']
bot = DialogBot.get_secure_bot(os.environ['ENDPOINT'],grpc.ssl_channel_credentials(),os.environ['BOT_API_KEY'], verbose=False)
if checkEnvs():
credentials = common.parseCreds(os.environ['JIRA_CREDS'])
link = credentials[2]
projectId = jira.getProjectIdByProjectKey(credentials,os.environ['PROJECT_KEY'])
if projectId:
initializeBot()
#dbInit()
common.conMsg('bot','Started bot. Mode: ' + mode)
while True:
task_manager()
else:
common.conMsg('bot','Invalid JIRA Creds or JIRA Service Desk Project. Unable to start bot')
else:
common.conMsg('bot','Env variables error')
def _test(self):
# things should work...
self.cert_config_fetcher.configure(False, None)
self._do_one_shot_client_rpc(True,
root_certificates=CA_1_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertEqual(len(actual_calls), 1)
self.assertFalse(actual_calls[0].did_raise)
self.assertIsNone(actual_calls[0].returned_cert_config)
# client should reject server...
# fails because client trusts ca2 and so will reject server
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
self._do_one_shot_client_rpc(False,
root_certificates=CA_2_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertGreaterEqual(len(actual_calls), 1)
self.assertFalse(actual_calls[0].did_raise)
for i, call in enumerate(actual_calls):
self.assertFalse(call.did_raise, 'i= {}'.format(i))
self.assertIsNone(call.returned_cert_config, 'i= {}'.format(i))
# should work again...
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(True, None)
self._do_one_shot_client_rpc(True,
root_certificates=CA_1_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertEqual(len(actual_calls), 1)
self.assertTrue(actual_calls[0].did_raise)
self.assertIsNone(actual_calls[0].returned_cert_config)
# if with_client_auth, then client should be rejected by
# server because client uses key/cert1, but server trusts ca2,
# so server will reject
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
self._do_one_shot_client_rpc(not self.require_client_auth(),
root_certificates=CA_1_PEM,
private_key=CLIENT_KEY_1_PEM,
certificate_chain=CLIENT_CERT_CHAIN_1_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertGreaterEqual(len(actual_calls), 1)
for i, call in enumerate(actual_calls):
self.assertFalse(call.did_raise, 'i= {}'.format(i))
self.assertIsNone(call.returned_cert_config, 'i= {}'.format(i))
# should work again...
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
self._do_one_shot_client_rpc(True,
root_certificates=CA_1_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertEqual(len(actual_calls), 1)
self.assertFalse(actual_calls[0].did_raise)
self.assertIsNone(actual_calls[0].returned_cert_config)
# now create the "persistent" clients
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
channel_A = _create_channel(
self.port,
grpc.ssl_channel_credentials(
root_certificates=CA_1_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM))
persistent_client_stub_A = _create_client_stub(channel_A, True)
self._perform_rpc(persistent_client_stub_A, True)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertEqual(len(actual_calls), 1)
self.assertFalse(actual_calls[0].did_raise)
self.assertIsNone(actual_calls[0].returned_cert_config)
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
channel_B = _create_channel(
self.port,
grpc.ssl_channel_credentials(
root_certificates=CA_1_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM))
persistent_client_stub_B = _create_client_stub(channel_B, True)
self._perform_rpc(persistent_client_stub_B, True)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertEqual(len(actual_calls), 1)
self.assertFalse(actual_calls[0].did_raise)
self.assertIsNone(actual_calls[0].returned_cert_config)
# moment of truth!! client should reject server because the
# server switch cert...
cert_config = grpc.ssl_server_certificate_configuration(
[(SERVER_KEY_2_PEM, SERVER_CERT_CHAIN_2_PEM)],
root_certificates=CA_1_PEM)
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, cert_config)
self._do_one_shot_client_rpc(False,
root_certificates=CA_1_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertGreaterEqual(len(actual_calls), 1)
self.assertFalse(actual_calls[0].did_raise)
for i, call in enumerate(actual_calls):
self.assertFalse(call.did_raise, 'i= {}'.format(i))
self.assertEqual(call.returned_cert_config, cert_config,
'i= {}'.format(i))
# now should work again...
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
self._do_one_shot_client_rpc(True,
root_certificates=CA_2_PEM,
private_key=CLIENT_KEY_1_PEM,
certificate_chain=CLIENT_CERT_CHAIN_1_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertEqual(len(actual_calls), 1)
self.assertFalse(actual_calls[0].did_raise)
self.assertIsNone(actual_calls[0].returned_cert_config)
# client should be rejected by server if with_client_auth
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
self._do_one_shot_client_rpc(not self.require_client_auth(),
root_certificates=CA_2_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertGreaterEqual(len(actual_calls), 1)
for i, call in enumerate(actual_calls):
self.assertFalse(call.did_raise, 'i= {}'.format(i))
self.assertIsNone(call.returned_cert_config, 'i= {}'.format(i))
# here client should reject server...
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
self._do_one_shot_client_rpc(False,
root_certificates=CA_1_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertGreaterEqual(len(actual_calls), 1)
for i, call in enumerate(actual_calls):
self.assertFalse(call.did_raise, 'i= {}'.format(i))
self.assertIsNone(call.returned_cert_config, 'i= {}'.format(i))
# persistent clients should continue to work
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
self._perform_rpc(persistent_client_stub_A, True)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertEqual(len(actual_calls), 0)
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
self._perform_rpc(persistent_client_stub_B, True)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertEqual(len(actual_calls), 0)
channel_A.close()
channel_B.close()
def run_secure_loop():
logging.debug(
"Remote: Starting a new connection loop for %s (%s:%d)" %
(self.display_hostname, self.ip_address, self.port))
cert = auth.get_singleton().load_cert(self.hostname,
self.ip_address)
creds = grpc.ssl_channel_credentials(cert)
with grpc.secure_channel("%s:%d" % (self.ip_address, self.port),
creds) as channel:
future = grpc.channel_ready_future(channel)
try:
future.result(timeout=4)
self.stub = warp_pb2_grpc.WarpStub(channel)
except grpc.FutureTimeoutError:
self.set_remote_status(RemoteStatus.UNREACHABLE)
future.cancel()
if not self.ping_timer.is_set():
logging.debug(
"Remote: Unable to establish secure connection with %s (%s:%d). Trying again in %ds"
% (self.display_hostname, self.ip_address,
self.port, CHANNEL_RETRY_WAIT_TIME))
self.ping_timer.wait(CHANNEL_RETRY_WAIT_TIME)
return True # run_secure_loop()
return False # run_secure_loop()
duplex_fail_counter = 0
one_ping = False # A successful duplex response lets us finish setting things up.
while not self.ping_timer.is_set():
if self.busy:
logging.debug(
"Remote Ping: Skipping keepalive ping to %s (%s:%d) (busy)"
% (self.display_hostname, self.ip_address,
self.port))
self.busy = False
else:
try:
# t = GLib.get_monotonic_time()
logging.debug("Remote Ping: to %s (%s:%d)" %
(self.display_hostname,
self.ip_address, self.port))
self.stub.Ping(warp_pb2.LookupName(
id=self.local_ident,
readable_name=util.get_hostname()),
timeout=5)
# logging.debug("Latency: %s (%s)"
# % (util.precise_format_time_span(GLib.get_monotonic_time() - t), self.display_hostname))
if not one_ping:
self.set_remote_status(
RemoteStatus.AWAITING_DUPLEX)
if self.check_duplex_connection():
logging.debug(
"Remote: Connected to %s (%s:%d)" %
(self.display_hostname,
self.ip_address, self.port))
self.set_remote_status(RemoteStatus.ONLINE)
self.rpc_call(
self.update_remote_machine_info)
self.rpc_call(
self.update_remote_machine_avatar)
one_ping = True
else:
duplex_fail_counter += 1
if duplex_fail_counter > DUPLEX_MAX_FAILURES:
logging.debug(
"Remote: CheckDuplexConnection to %s (%s:%d) failed too many times"
% (self.display_hostname,
self.ip_address, self.port))
self.ping_timer.wait(
CHANNEL_RETRY_WAIT_TIME)
return True
except grpc.RpcError as e:
logging.debug(
"Remote: Ping failed, shutting down %s (%s:%d)"
% (self.display_hostname, self.ip_address,
self.port))
break
self.ping_timer.wait(
CONNECTED_PING_TIME if self.status ==
RemoteStatus.ONLINE else DUPLEX_WAIT_PING_TIME)
# This is reached by the RpcError break above. If the remote is still discoverable, start
# the secure loop over. This could have happened as a result of a quick disco/reconnect,
# And we don't notice until it has already come back. In this case, try a new connection.
if self.has_zc_presence and not self.ping_timer.is_set():
return True # run_secure_loop()
# The ping timer has been triggered, this is an orderly shutdown.
return False # run_secure_loop()
def create_client_channel(self):
channel_credentials = grpc.ssl_channel_credentials(self.read_pem('tls/ca.pem'),
self.read_pem('tls/client-key.pem'),
self.read_pem('tls/client.pem'))
return grpc.secure_channel('{}:{}'.format(self.client.args['address'], self.client.args['server_port']),
channel_credentials)
def __init__(self,
conn_str: str = "",
secure: bool = False,
metadata: List[Tuple[str, str]] = None,
connection_retries: int = 3):
"""Initializes the worker side grpc client.
Args:
conn_str: The host:port connection string for the ray server.
secure: whether to use SSL secure channel or not.
metadata: additional metadata passed in the grpc request headers.
connection_retries: Number of times to attempt to reconnect to the
ray server if it doesn't respond immediately. Setting to 0 tries
at least once. For infinite retries, catch the ConnectionError
exception.
"""
self._client_id = make_client_id()
self.metadata = [("client_id", self._client_id)
] + (metadata if metadata else [])
self.channel = None
self.server = None
self._conn_state = grpc.ChannelConnectivity.IDLE
self._converted: Dict[str, ClientStub] = {}
if secure:
credentials = grpc.ssl_channel_credentials()
self.channel = grpc.secure_channel(conn_str,
credentials,
options=GRPC_OPTIONS)
else:
self.channel = grpc.insecure_channel(conn_str,
options=GRPC_OPTIONS)
self.channel.subscribe(self._on_channel_state_change)
# Retry the connection until the channel responds to something
# looking like a gRPC connection, though it may be a proxy.
conn_attempts = 0
timeout = INITIAL_TIMEOUT_SEC
service_ready = False
while conn_attempts < max(connection_retries, 1):
conn_attempts += 1
try:
# Let gRPC wait for us to see if the channel becomes ready.
# If it throws, we couldn't connect.
grpc.channel_ready_future(self.channel).result(timeout=timeout)
# The HTTP2 channel is ready. Wrap the channel with the
# RayletDriverStub, allowing for unary requests.
self.server = ray_client_pb2_grpc.RayletDriverStub(
self.channel)
service_ready = bool(self.ping_server())
if service_ready:
break
# Ray is not ready yet, wait a timeout
time.sleep(timeout)
except grpc.FutureTimeoutError:
logger.info(
f"Couldn't connect channel in {timeout} seconds, retrying")
# Note that channel_ready_future constitutes its own timeout,
# which is why we do not sleep here.
except grpc.RpcError as e:
logger.info("Ray client server unavailable, "
f"retrying in {timeout}s...")
logger.debug(f"Received when checking init: {e.details()}")
# Ray is not ready yet, wait a timeout.
time.sleep(timeout)
# Fallthrough, backoff, and retry at the top of the loop
logger.info("Waiting for Ray to become ready on the server, "
f"retry in {timeout}s...")
timeout = backoff(timeout)
# If we made it through the loop without service_ready
# it means we've used up our retries and
# should error back to the user.
if not service_ready:
raise ConnectionError("ray client connection timeout")
# Initialize the streams to finish protocol negotiation.
self.data_client = DataClient(self.channel, self._client_id,
self.metadata)
self.reference_count: Dict[bytes, int] = defaultdict(int)
self.log_client = LogstreamClient(self.channel, self.metadata)
self.log_client.set_logstream_level(logging.INFO)
self.closed = False
# Track these values to raise a warning if many tasks are being
# scheduled
self.total_num_tasks_scheduled = 0
self.total_outbound_message_size_bytes = 0
def __init__(
self,
*,
host: str = "secretmanager.googleapis.com",
credentials: credentials.Credentials = None,
credentials_file: Optional[str] = None,
scopes: Optional[Sequence[str]] = None,
channel: aio.Channel = None,
api_mtls_endpoint: str = None,
client_cert_source: Callable[[], Tuple[bytes, bytes]] = None,
ssl_channel_credentials: grpc.ChannelCredentials = None,
quota_project_id=None,
client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO,
) -> None:
"""Instantiate the transport.
Args:
host (Optional[str]): The hostname to connect to.
credentials (Optional[google.auth.credentials.Credentials]): The
authorization credentials to attach to requests. These
credentials identify the application to the service; if none
are specified, the client will attempt to ascertain the
credentials from the environment.
This argument is ignored if ``channel`` is provided.
credentials_file (Optional[str]): A file with credentials that can
be loaded with :func:`google.auth.load_credentials_from_file`.
This argument is ignored if ``channel`` is provided.
scopes (Optional[Sequence[str]]): A optional list of scopes needed for this
service. These are only used when credentials are not specified and
are passed to :func:`google.auth.default`.
channel (Optional[aio.Channel]): A ``Channel`` instance through
which to make calls.
api_mtls_endpoint (Optional[str]): Deprecated. The mutual TLS endpoint.
If provided, it overrides the ``host`` argument and tries to create
a mutual TLS channel with client SSL credentials from
``client_cert_source`` or applicatin default SSL credentials.
client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]):
Deprecated. A callback to provide client SSL certificate bytes and
private key bytes, both in PEM format. It is ignored if
``api_mtls_endpoint`` is None.
ssl_channel_credentials (grpc.ChannelCredentials): SSL credentials
for grpc channel. It is ignored if ``channel`` is provided.
quota_project_id (Optional[str]): An optional project to use for billing
and quota.
client_info (google.api_core.gapic_v1.client_info.ClientInfo):
The client info used to send a user-agent string along with
API requests. If ``None``, then default info will be used.
Generally, you only need to set this if you're developing
your own client library.
Raises:
google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport
creation failed for any reason.
google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials``
and ``credentials_file`` are passed.
"""
if channel:
# Sanity check: Ensure that channel and credentials are not both
# provided.
credentials = False
# If a channel was explicitly provided, set it.
self._grpc_channel = channel
elif api_mtls_endpoint:
warnings.warn(
"api_mtls_endpoint and client_cert_source are deprecated",
DeprecationWarning,
)
host = (api_mtls_endpoint if ":" in api_mtls_endpoint else
api_mtls_endpoint + ":443")
if credentials is None:
credentials, _ = auth.default(
scopes=self.AUTH_SCOPES, quota_project_id=quota_project_id)
# Create SSL credentials with client_cert_source or application
# default SSL credentials.
if client_cert_source:
cert, key = client_cert_source()
ssl_credentials = grpc.ssl_channel_credentials(
certificate_chain=cert, private_key=key)
else:
ssl_credentials = SslCredentials().ssl_credentials
# create a new channel. The provided one is ignored.
self._grpc_channel = type(self).create_channel(
host,
credentials=credentials,
credentials_file=credentials_file,
ssl_credentials=ssl_credentials,
scopes=scopes or self.AUTH_SCOPES,
quota_project_id=quota_project_id,
)
else:
host = host if ":" in host else host + ":443"
if credentials is None:
credentials, _ = auth.default(
scopes=self.AUTH_SCOPES, quota_project_id=quota_project_id)
# create a new channel. The provided one is ignored.
self._grpc_channel = type(self).create_channel(
host,
credentials=credentials,
credentials_file=credentials_file,
ssl_credentials=ssl_channel_credentials,
scopes=scopes or self.AUTH_SCOPES,
quota_project_id=quota_project_id,
)
# Run the base constructor.
super().__init__(
host=host,
credentials=credentials,
credentials_file=credentials_file,
scopes=scopes or self.AUTH_SCOPES,
quota_project_id=quota_project_id,
client_info=client_info,
)
self._stubs = {}
API = GCaluAPI(SETTINGS["credentials_file"],
SETTINGS["token_file"])
except:
log.error("Can't initialize GoogleuAPI", exc_info=True)
sys.exit(1)
# Enable this flag and use this to obtain google calendar id
if SETTINGS["show_calendars"]:
for current_cal in API.get_calendars():
log.info("{0} => {1}".format(current_cal["id"],
current_cal["summary"]))
try:
bot = DialogBot.get_secure_bot(
os.environ.get('BOT_ENDPOINT'), # bot endpoint
grpc.ssl_channel_credentials(
), # SSL credentials (empty by default!)
os.environ.get('BOT_TOKEN') # bot token
)
bot.messaging.on_message(on_msg, raw_callback=raw_call)
except:
log.error("Can't initialize bot", exc_info=True)
sys.exit(1)
else:
log.error(
"{0} not found. Create one using settings_default.json as reference."
.format(SETTINGS_PATH),
exc_info=True)
sys.exit(1)
def __init__(
self,
*,
credentials: Optional[credentials.Credentials] = None,
transport: Union[str, KeywordPlanCampaignServiceTransport, None] = None,
client_options: Optional[client_options_lib.ClientOptions] = None,
client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO,
) -> None:
"""Instantiate the keyword plan campaign service client.
Args:
credentials (Optional[google.auth.credentials.Credentials]): The
authorization credentials to attach to requests. These
credentials identify the application to the service; if none
are specified, the client will attempt to ascertain the
credentials from the environment.
transport (Union[str, ~.KeywordPlanCampaignServiceTransport]): The
transport to use. If set to None, a transport is chosen
automatically.
client_options (google.api_core.client_options.ClientOptions): Custom options for the
client. It won't take effect if a ``transport`` instance is provided.
(1) The ``api_endpoint`` property can be used to override the
default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT
environment variable can also be used to override the endpoint:
"always" (always use the default mTLS endpoint), "never" (always
use the default regular endpoint) and "auto" (auto switch to the
default mTLS endpoint if client certificate is present, this is
the default value). However, the ``api_endpoint`` property takes
precedence if provided.
(2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable
is "true", then the ``client_cert_source`` property can be used
to provide client certificate for mutual TLS transport. If
not provided, the default SSL client certificate will be used if
present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not
set, no client certificate will be used.
client_info (google.api_core.gapic_v1.client_info.ClientInfo):
The client info used to send a user-agent string along with
API requests. If ``None``, then default info will be used.
Generally, you only need to set this if you're developing
your own client library.
Raises:
google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport
creation failed for any reason.
"""
if isinstance(client_options, dict):
client_options = client_options_lib.from_dict(client_options)
if client_options is None:
client_options = client_options_lib.ClientOptions()
# Create SSL credentials for mutual TLS if needed.
use_client_cert = bool(
util.strtobool(
os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false")
)
)
ssl_credentials = None
is_mtls = False
if use_client_cert:
if client_options.client_cert_source:
import grpc # type: ignore
cert, key = client_options.client_cert_source()
ssl_credentials = grpc.ssl_channel_credentials(
certificate_chain=cert, private_key=key
)
is_mtls = True
else:
creds = SslCredentials()
is_mtls = creds.is_mtls
ssl_credentials = creds.ssl_credentials if is_mtls else None
# Figure out which api endpoint to use.
if client_options.api_endpoint is not None:
api_endpoint = client_options.api_endpoint
else:
use_mtls_env = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto")
if use_mtls_env == "never":
api_endpoint = self.DEFAULT_ENDPOINT
elif use_mtls_env == "always":
api_endpoint = self.DEFAULT_MTLS_ENDPOINT
elif use_mtls_env == "auto":
api_endpoint = (
self.DEFAULT_MTLS_ENDPOINT
if is_mtls
else self.DEFAULT_ENDPOINT
)
else:
raise MutualTLSChannelError(
"Unsupported GOOGLE_API_USE_MTLS_ENDPOINT value. Accepted values: never, auto, always"
)
# Save or instantiate the transport.
# Ordinarily, we provide the transport, but allowing a custom transport
# instance provides an extensibility point for unusual situations.
if isinstance(transport, KeywordPlanCampaignServiceTransport):
# transport is a KeywordPlanCampaignServiceTransport instance.
if credentials:
raise ValueError(
"When providing a transport instance, "
"provide its credentials directly."
)
self._transport = transport
elif isinstance(transport, str):
Transport = type(self).get_transport_class(transport)
self._transport = Transport(
credentials=credentials, host=self.DEFAULT_ENDPOINT
)
else:
self._transport = KeywordPlanCampaignServiceGrpcTransport(
credentials=credentials,
host=api_endpoint,
ssl_channel_credentials=ssl_credentials,
client_info=client_info,
)
def test_secure_channel(self):
channel_credentials = grpc.ssl_channel_credentials()
channel = grpc.secure_channel('google.com:443', channel_credentials)
channel.close()
def __init__(
self,
*,
host: str = "googleads.googleapis.com",
credentials: ga_credentials.Credentials = None,
credentials_file: str = None,
scopes: Sequence[str] = None,
channel: grpc.Channel = None,
api_mtls_endpoint: str = None,
client_cert_source: Callable[[], Tuple[bytes, bytes]] = None,
ssl_channel_credentials: grpc.ChannelCredentials = None,
client_cert_source_for_mtls: Callable[[], Tuple[bytes, bytes]] = None,
quota_project_id: Optional[str] = None,
client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO,
always_use_jwt_access: Optional[bool] = False,
) -> None:
"""Instantiate the transport.
Args:
host (Optional[str]):
The hostname to connect to.
credentials (Optional[google.auth.credentials.Credentials]): The
authorization credentials to attach to requests. These
credentials identify the application to the service; if none
are specified, the client will attempt to ascertain the
credentials from the environment.
This argument is ignored if ``channel`` is provided.
credentials_file (Optional[str]): A file with credentials that can
be loaded with :func:`google.auth.load_credentials_from_file`.
This argument is ignored if ``channel`` is provided.
scopes (Optional(Sequence[str])): A list of scopes. This argument is
ignored if ``channel`` is provided.
channel (Optional[grpc.Channel]): A ``Channel`` instance through
which to make calls.
api_mtls_endpoint (Optional[str]): Deprecated. The mutual TLS endpoint.
If provided, it overrides the ``host`` argument and tries to create
a mutual TLS channel with client SSL credentials from
``client_cert_source`` or application default SSL credentials.
client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]):
Deprecated. A callback to provide client SSL certificate bytes and
private key bytes, both in PEM format. It is ignored if
``api_mtls_endpoint`` is None.
ssl_channel_credentials (grpc.ChannelCredentials): SSL credentials
for the grpc channel. It is ignored if ``channel`` is provided.
client_cert_source_for_mtls (Optional[Callable[[], Tuple[bytes, bytes]]]):
A callback to provide client certificate bytes and private key bytes,
both in PEM format. It is used to configure a mutual TLS channel. It is
ignored if ``channel`` or ``ssl_channel_credentials`` is provided.
quota_project_id (Optional[str]): An optional project to use for billing
and quota.
client_info (google.api_core.gapic_v1.client_info.ClientInfo):
The client info used to send a user-agent string along with
API requests. If ``None``, then default info will be used.
Generally, you only need to set this if you're developing
your own client library.
always_use_jwt_access (Optional[bool]): Whether self signed JWT should
be used for service account credentials.
Raises:
google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport
creation failed for any reason.
google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials``
and ``credentials_file`` are passed.
"""
self._grpc_channel = None
self._ssl_channel_credentials = ssl_channel_credentials
self._stubs: Dict[str, Callable] = {}
if api_mtls_endpoint:
warnings.warn("api_mtls_endpoint is deprecated",
DeprecationWarning)
if client_cert_source:
warnings.warn("client_cert_source is deprecated",
DeprecationWarning)
if channel:
# Ignore credentials if a channel was passed.
credentials = False
# If a channel was explicitly provided, set it.
self._grpc_channel = channel
self._ssl_channel_credentials = None
else:
if api_mtls_endpoint:
host = api_mtls_endpoint
# Create SSL credentials with client_cert_source or application
# default SSL credentials.
if client_cert_source:
cert, key = client_cert_source()
self._ssl_channel_credentials = grpc.ssl_channel_credentials(
certificate_chain=cert, private_key=key)
else:
self._ssl_channel_credentials = (
SslCredentials().ssl_credentials)
else:
if client_cert_source_for_mtls and not ssl_channel_credentials:
cert, key = client_cert_source_for_mtls()
self._ssl_channel_credentials = grpc.ssl_channel_credentials(
certificate_chain=cert, private_key=key)
# The base transport sets the host, credentials and scopes
super().__init__(
host=host,
credentials=credentials,
credentials_file=credentials_file,
scopes=scopes,
quota_project_id=quota_project_id,
client_info=client_info,
always_use_jwt_access=always_use_jwt_access,
)
if not self._grpc_channel:
self._grpc_channel = type(self).create_channel(
self._host,
# use the credentials which are saved
credentials=self._credentials,
# Set ``credentials_file`` to ``None`` here as
# the credentials that we saved earlier should be used.
credentials_file=None,
scopes=self._scopes,
ssl_credentials=self._ssl_channel_credentials,
quota_project_id=quota_project_id,
options=[
("grpc.max_send_message_length", -1),
("grpc.max_receive_message_length", -1),
],
)
# Wrap messages. This must be done after self._grpc_channel exists
self._prep_wrapped_messages(client_info)
def main():
global dev_id
host = ServerConfig.HOST
server_port = ServerConfig.SERVER_PORT
with open(ServerConfig.SERVER_CERTIFICATE, "rb") as file:
trusted_certs = file.read()
credentials = grpc.ssl_channel_credentials(root_certificates=trusted_certs)
channel = grpc.secure_channel("{}:{}".format(host, server_port),
credentials)
client = P4RuntimeClient()
streamC = client.StreamChannel()
tables_initialized = False
while True:
try:
packet = next(streamC)
if packet.HasField("packet") and packet.packet.metadata[
0].metadata_id == dev_id:
print "Packet-in: server => router controller %.9f" % time.time(
)
# Print packet information.
ServerConfig.print_debug("Received packet:")
ServerConfig.print_debug("Payload: {}".format(
hexlify(packet.packet.payload)))
ServerConfig.print_debug("Switch id: {}".format(
packet.packet.metadata[0].metadata_id))
ServerConfig.print_debug("Input port: {}\n".format(
hexlify(packet.packet.metadata[0].value)))
# Extract packet.
pkt = Ether(_pkt=packet.packet.payload)
eth_src = pkt.getlayer(Ether).src
eth_dst = pkt.getlayer(Ether).dst
ether_type = pkt.getlayer(Ether).type
ServerConfig.print_debug(
"Received Ethernet frame {} => {} type_hex {}".format(
eth_src, eth_dst, hex(ether_type)))
# The packet can be either ipv4 or 802.1q (vlan).
if ether_type == 2048 or ether_type == 33024:
# Print packet data.
ip_src = pkt[IP].src
ip_dst = pkt[IP].dst
ServerConfig.print_debug(
"Ethernet frame has IPv4 packet {} => {}".format(
ip_src, ip_dst))
# Call to write the entry into the table.
client.WriteTableEntry(p4runtime_pb2.Update.INSERT,
IPV4_NHOP, ip_dst,
ipv4_nhop_dict[ip_dst])
# client.ReadTableEntry(IPV4_NHOP, ip_dst)
# Packet out.
client.streamChannelRequest = p4runtime_pb2.StreamMessageRequest(
)
client.streamChannelRequest.packet.payload = packet.packet.payload
metadata = client.streamChannelRequest.packet.metadata.add(
)
metadata.metadata_id = packet.packet.metadata[
0].metadata_id
metadata.value = struct.pack("B", 1)
client.sendRequest = True
print "Packet-out: router controller => server %.9f" % time.time(
)
if packet.HasField("other"):
if tables_initialized is False:
for ip in send_frame_dict:
client.WriteTableEntry(p4runtime_pb2.Update.INSERT,
SEND_FRAME, ip,
send_frame_dict[ip])
# client.ReadTableEntry(SEND_FRAME, ip)
for ip in forward_table_dict:
client.WriteTableEntry(p4runtime_pb2.Update.INSERT,
FORWARD, ip,
forward_table_dict[ip])
# client.ReadTableEntry(FORWARD, ip)
tables_initialized = True
if packet.other.value == "\n\014Auth success":
ServerConfig.print_debug(
"Received authentication response from server:")
ServerConfig.print_debug(packet)
# Prepare an arbitration request.
client.streamChannelRequest = p4runtime_pb2.StreamMessageRequest(
)
client.streamChannelRequest.arbitration.device_id = dev_id
client.streamChannelRequest.arbitration.role.id = 1
client.sendRequest = True
if packet.HasField("arbitration"):
ServerConfig.print_debug(
"Received arbitration response from server:")
ServerConfig.print_debug(packet)
except IndexError:
continue
def _create_composite_credentials(
credentials=None,
credentials_file=None,
default_scopes=None,
scopes=None,
ssl_credentials=None,
quota_project_id=None,
default_host=None,
):
"""Create the composite credentials for secure channels.
Args:
credentials (google.auth.credentials.Credentials): The credentials. If
not specified, then this function will attempt to ascertain the
credentials from the environment using :func:`google.auth.default`.
credentials_file (str): A file with credentials that can be loaded with
:func:`google.auth.load_credentials_from_file`. This argument is
mutually exclusive with credentials.
default_scopes (Sequence[str]): A optional list of scopes needed for this
service. These are only used when credentials are not specified and
are passed to :func:`google.auth.default`.
scopes (Sequence[str]): A optional list of scopes needed for this
service. These are only used when credentials are not specified and
are passed to :func:`google.auth.default`.
ssl_credentials (grpc.ChannelCredentials): Optional SSL channel
credentials. This can be used to specify different certificates.
quota_project_id (str): An optional project to use for billing and quota.
default_host (str): The default endpoint. e.g., "pubsub.googleapis.com".
Returns:
grpc.ChannelCredentials: The composed channel credentials object.
Raises:
google.api_core.DuplicateCredentialArgs: If both a credentials object and credentials_file are passed.
"""
if credentials and credentials_file:
raise exceptions.DuplicateCredentialArgs(
"'credentials' and 'credentials_file' are mutually exclusive.")
if credentials_file:
credentials, _ = google.auth.load_credentials_from_file(
credentials_file, scopes=scopes, default_scopes=default_scopes)
elif credentials:
credentials = google.auth.credentials.with_scopes_if_required(
credentials, scopes=scopes, default_scopes=default_scopes)
else:
credentials, _ = google.auth.default(scopes=scopes,
default_scopes=default_scopes)
if quota_project_id and isinstance(
credentials, google.auth.credentials.CredentialsWithQuotaProject):
credentials = credentials.with_quota_project(quota_project_id)
request = google.auth.transport.requests.Request()
# Create the metadata plugin for inserting the authorization header.
metadata_plugin = google.auth.transport.grpc.AuthMetadataPlugin(
credentials,
request,
default_host=default_host,
)
# Create a set of grpc.CallCredentials using the metadata plugin.
google_auth_credentials = grpc.metadata_call_credentials(metadata_plugin)
if ssl_credentials is None:
ssl_credentials = grpc.ssl_channel_credentials()
# Combine the ssl credentials and the authorization credentials.
return grpc.composite_channel_credentials(ssl_credentials,
google_auth_credentials)
def _create_cloud_channel(self) -> grpc.Channel:
if self._channel_fn:
return self._channel_fn(self._server_url)
return grpc.secure_channel(self._server_url,
grpc.ssl_channel_credentials())
def getCredentials():
with open('ca-bundle.pem', 'rb') as f:
trusted_certs = f.read()
sslCred = grpc.ssl_channel_credentials(root_certificates=trusted_certs)
authCred = grpc.metadata_call_credentials(credentials)
return grpc.composite_channel_credentials(sslCred, authCred)
