1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
|
// Copyright 2017 The Bazel Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.devtools.build.lib.authandtls;
import com.google.auth.Credentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import io.grpc.CallCredentials;
import io.grpc.ClientInterceptor;
import io.grpc.ManagedChannel;
import io.grpc.auth.MoreCallCredentials;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NegotiationType;
import io.grpc.netty.NettyChannelBuilder;
import io.grpc.util.RoundRobinLoadBalancerFactory;
import io.netty.handler.ssl.SslContext;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.util.List;
import javax.annotation.Nullable;
/** Utility methods for using {@link AuthAndTLSOptions} with Google Cloud. */
public final class GoogleAuthUtils {
/**
* Create a new gRPC {@link ManagedChannel}.
*
* @throws IOException in case the channel can't be constructed.
*/
public static ManagedChannel newChannel(String target, AuthAndTLSOptions options,
ClientInterceptor... interceptors)
throws IOException {
Preconditions.checkNotNull(target);
Preconditions.checkNotNull(options);
Preconditions.checkNotNull(interceptors);
final SslContext sslContext =
options.tlsEnabled ? createSSlContext(options.tlsCertificate) : null;
try {
NettyChannelBuilder builder =
NettyChannelBuilder.forTarget(target)
.negotiationType(options.tlsEnabled ? NegotiationType.TLS : NegotiationType.PLAINTEXT)
.loadBalancerFactory(RoundRobinLoadBalancerFactory.getInstance())
.intercept(interceptors);
if (sslContext != null) {
builder.sslContext(sslContext);
if (options.tlsAuthorityOverride != null) {
builder.overrideAuthority(options.tlsAuthorityOverride);
}
}
return builder.build();
} catch (RuntimeException e) {
// gRPC might throw all kinds of RuntimeExceptions: StatusRuntimeException,
// IllegalStateException, NullPointerException, ...
String message = "Failed to connect to '%s': %s";
throw new IOException(String.format(message, target, e.getMessage()));
}
}
private static SslContext createSSlContext(@Nullable String rootCert) throws IOException {
if (rootCert == null) {
try {
return GrpcSslContexts.forClient().build();
} catch (Exception e) {
String message = "Failed to init TLS infrastructure: " + e.getMessage();
throw new IOException(message, e);
}
} else {
try {
return GrpcSslContexts.forClient().trustManager(new File(rootCert)).build();
} catch (Exception e) {
String message = "Failed to init TLS infrastructure using '%s' as root certificate: %s";
message = String.format(message, rootCert, e.getMessage());
throw new IOException(message, e);
}
}
}
/**
* Create a new {@link CallCredentials} object.
*
* @throws IOException in case the call credentials can't be constructed.
*/
public static CallCredentials newCallCredentials(AuthAndTLSOptions options) throws IOException {
Credentials creds = newCredentials(options);
if (creds != null) {
return MoreCallCredentials.from(creds);
}
return null;
}
@VisibleForTesting
public static CallCredentials newCallCredentials(
@Nullable InputStream credentialsFile, List<String> authScope) throws IOException {
Credentials creds = newCredentials(credentialsFile, authScope);
if (creds != null) {
return MoreCallCredentials.from(creds);
}
return null;
}
/**
* Create a new {@link Credentials} object, or {@code null} if no options are provided.
*
* @throws IOException in case the credentials can't be constructed.
*/
@Nullable
public static Credentials newCredentials(@Nullable AuthAndTLSOptions options) throws IOException {
if (options == null) {
return null;
} else if (options.googleCredentials != null) {
// Credentials from file
try (InputStream authFile = new FileInputStream(options.googleCredentials)) {
return newCredentials(authFile, options.googleAuthScopes);
} catch (FileNotFoundException e) {
String message =
String.format(
"Could not open auth credentials file '%s': %s",
options.googleCredentials, e.getMessage());
throw new IOException(message, e);
}
} else if (options.useGoogleDefaultCredentials) {
return newCredentials(
null /* Google Application Default Credentials */, options.googleAuthScopes);
}
return null;
}
private static Credentials newCredentials(
@Nullable InputStream credentialsFile, List<String> authScopes) throws IOException {
try {
GoogleCredentials creds =
credentialsFile == null
? GoogleCredentials.getApplicationDefault()
: GoogleCredentials.fromStream(credentialsFile);
if (!authScopes.isEmpty()) {
creds = creds.createScoped(authScopes);
}
return creds;
} catch (IOException e) {
String message = "Failed to init auth credentials: " + e.getMessage();
throw new IOException(message, e);
}
}
}
|
