1 files changed, 96 insertions, 10 deletions

diff --git a/test/cpp/util/cli_credentials.cc b/test/cpp/util/cli_credentials.cc
index acf4ef8ef1..91acc904aa 100644
--- a/test/cpp/util/cli_credentials.cc
+++ b/test/cpp/util/cli_credentials.cc
@@ -19,6 +19,11 @@
 #include "test/cpp/util/cli_credentials.h"
 
 #include <gflags/gflags.h>
+#include <grpc/slice.h>
+#include <grpc/support/log.h>
+#include <grpcpp/impl/codegen/slice.h>
+
+#include "src/core/lib/iomgr/load_file.h"
 
 DEFINE_bool(
     enable_ssl, false,
@@ -28,19 +33,52 @@ DEFINE_bool(use_auth, false,
             "--channel_creds_type=gdc.");
 DEFINE_string(
     access_token, "",
-    "The access token that will be sent to the server to authenticate RPCs.");
+    "The access token that will be sent to the server to authenticate RPCs. "
+    "Deprecated. Use --call_creds=access_token=<token>.");
 DEFINE_string(
     ssl_target, "",
     "If not empty, treat the server host name as this for ssl/tls certificate "
     "validation.");
 DEFINE_string(
+    ssl_client_cert, "",
+    "If not empty, load this PEM formated client certificate file. Requires "
+    "use of --ssl_client_key.");
+DEFINE_string(
+    ssl_client_key, "",
+    "If not empty, load this PEM formated private key. Requires use of "
+    "--ssl_client_cert");
+DEFINE_string(
     channel_creds_type, "",
     "The channel creds type: insecure, ssl, gdc (Google Default Credentials) "
     "or alts.");
+DEFINE_string(
+    call_creds, "",
+    "Call credentials to use: none (default), or access_token=<token>. If "
+    "provided, the call creds are composited on top of channel creds.");
 
 namespace grpc {
 namespace testing {
 
+namespace {
+
+const char ACCESS_TOKEN_PREFIX[] = "access_token=";
+constexpr int ACCESS_TOKEN_PREFIX_LEN =
+    sizeof(ACCESS_TOKEN_PREFIX) / sizeof(*ACCESS_TOKEN_PREFIX) - 1;
+
+bool IsAccessToken(const grpc::string& auth) {
+  return auth.length() > ACCESS_TOKEN_PREFIX_LEN &&
+         auth.compare(0, ACCESS_TOKEN_PREFIX_LEN, ACCESS_TOKEN_PREFIX) == 0;
+}
+
+grpc::string AccessToken(const grpc::string& auth) {
+  if (!IsAccessToken(auth)) {
+    return "";
+  }
+  return grpc::string(auth, ACCESS_TOKEN_PREFIX_LEN);
+}
+
+}  // namespace
+
 grpc::string CliCredentials::GetDefaultChannelCredsType() const {
   // Compatibility logic for --enable_ssl.
   if (FLAGS_enable_ssl) {
@@ -59,12 +97,42 @@ grpc::string CliCredentials::GetDefaultChannelCredsType() const {
   return "insecure";
 }
 
+grpc::string CliCredentials::GetDefaultCallCreds() const {
+  if (!FLAGS_access_token.empty()) {
+    fprintf(stderr,
+            "warning: --access_token is deprecated. Use "
+            "--call_creds=access_token=<token>.\n");
+    return grpc::string("access_token=") + FLAGS_access_token;
+  }
+  return "none";
+}
+
 std::shared_ptr<grpc::ChannelCredentials>
 CliCredentials::GetChannelCredentials() const {
   if (FLAGS_channel_creds_type.compare("insecure") == 0) {
     return grpc::InsecureChannelCredentials();
   } else if (FLAGS_channel_creds_type.compare("ssl") == 0) {
-    return grpc::SslCredentials(grpc::SslCredentialsOptions());
+    grpc::SslCredentialsOptions ssl_creds_options;
+    // TODO(@Capstan): This won't affect Google Default Credentials using SSL.
+    if (!FLAGS_ssl_client_cert.empty()) {
+      grpc_slice cert_slice = grpc_empty_slice();
+      GRPC_LOG_IF_ERROR(
+          "load_file",
+          grpc_load_file(FLAGS_ssl_client_cert.c_str(), 1, &cert_slice));
+      ssl_creds_options.pem_cert_chain =
+          grpc::StringFromCopiedSlice(cert_slice);
+      grpc_slice_unref(cert_slice);
+    }
+    if (!FLAGS_ssl_client_key.empty()) {
+      grpc_slice key_slice = grpc_empty_slice();
+      GRPC_LOG_IF_ERROR(
+          "load_file",
+          grpc_load_file(FLAGS_ssl_client_key.c_str(), 1, &key_slice));
+      ssl_creds_options.pem_private_key =
+          grpc::StringFromCopiedSlice(key_slice);
+      grpc_slice_unref(key_slice);
+    }
+    return grpc::SslCredentials(ssl_creds_options);
   } else if (FLAGS_channel_creds_type.compare("gdc") == 0) {
     return grpc::GoogleDefaultCredentials();
   } else if (FLAGS_channel_creds_type.compare("alts") == 0) {
@@ -80,18 +148,30 @@ CliCredentials::GetChannelCredentials() const {
 
 std::shared_ptr<grpc::CallCredentials> CliCredentials::GetCallCredentials()
     const {
-  if (!FLAGS_access_token.empty()) {
-    if (FLAGS_use_auth) {
-      fprintf(stderr,
-              "warning: use_auth is ignored when access_token is provided.");
-    }
-    return grpc::AccessTokenCredentials(FLAGS_access_token);
+  if (IsAccessToken(FLAGS_call_creds)) {
+    return grpc::AccessTokenCredentials(AccessToken(FLAGS_call_creds));
+  }
+  if (FLAGS_call_creds.compare("none") == 0) {
+    // Nothing to do; creds, if any, are baked into the channel.
+    return std::shared_ptr<grpc::CallCredentials>();
   }
+  fprintf(stderr,
+          "--call_creds=%s invalid; must be none "
+          "or access_token=<token>.\n",
+          FLAGS_call_creds.c_str());
   return std::shared_ptr<grpc::CallCredentials>();
 }
 
 std::shared_ptr<grpc::ChannelCredentials> CliCredentials::GetCredentials()
     const {
+  if (FLAGS_call_creds.empty()) {
+    FLAGS_call_creds = GetDefaultCallCreds();
+  } else if (!FLAGS_access_token.empty() && !IsAccessToken(FLAGS_call_creds)) {
+    fprintf(stderr,
+            "warning: ignoring --access_token because --call_creds "
+            "already set to %s.\n",
+            FLAGS_call_creds.c_str());
+  }
   if (FLAGS_channel_creds_type.empty()) {
     FLAGS_channel_creds_type = GetDefaultChannelCredsType();
   } else if (FLAGS_enable_ssl && FLAGS_channel_creds_type.compare("ssl") != 0) {
@@ -106,7 +186,7 @@ std::shared_ptr<grpc::ChannelCredentials> CliCredentials::GetCredentials()
             FLAGS_channel_creds_type.c_str());
   }
   // Legacy transport upgrade logic for insecure requests.
-  if (!FLAGS_access_token.empty() &&
+  if (IsAccessToken(FLAGS_call_creds) &&
       FLAGS_channel_creds_type.compare("insecure") == 0) {
     fprintf(stderr,
             "warning: --channel_creds_type=insecure upgraded to ssl because "
@@ -126,10 +206,16 @@ const grpc::string CliCredentials::GetCredentialUsage() const {
   return "    --enable_ssl             ; Set whether to use ssl (deprecated)\n"
          "    --use_auth               ; Set whether to create default google"
          " credentials\n"
+         "                             ; (deprecated)\n"
          "    --access_token           ; Set the access token in metadata,"
          " overrides --use_auth\n"
+         "                             ; (deprecated)\n"
          "    --ssl_target             ; Set server host for ssl validation\n"
-         "    --channel_creds_type     ; Set to insecure, ssl, gdc, or alts\n";
+         "    --ssl_client_cert        ; Client cert for ssl\n"
+         "    --ssl_client_key         ; Client private key for ssl\n"
+         "    --channel_creds_type     ; Set to insecure, ssl, gdc, or alts\n"
+         "    --call_creds             ; Set to none, or"
+         " access_token=<token>\n";
 }
 
 const grpc::string CliCredentials::GetSslTargetNameOverride() const {