chore(bigtable): removes test proxy credentials (#6992)

* chore(bigtable): removes test proxy credentials * iter
googleapis · Nov 3, 2022 · a56dece · a56dece
1 parent 020aaa1
commit a56dece
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 151 deletions.
diff --git a/bigtable/go.mod b/bigtable/go.mod
@@ -8,11 +8,11 @@ require (
 	github.com/golang/protobuf v1.5.2
 	github.com/google/btree v1.1.2
 	github.com/google/go-cmp v0.5.9
-	github.com/googleapis/cloud-bigtable-clients-test v0.0.0-20221012214650-1d7ae69b0110
+	github.com/googleapis/cloud-bigtable-clients-test v0.0.0-20221026222555-5b86a501bb0d
 	github.com/googleapis/gax-go/v2 v2.6.0
 	golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783
+	google.golang.org/genproto v0.0.0-20221025140454-527a21cfbd71
 	google.golang.org/api v0.102.0
-	google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e
 	google.golang.org/grpc v1.50.1
 	google.golang.org/protobuf v1.28.1
 	rsc.io/binaryregexp v0.2.0

diff --git a/bigtable/go.sum b/bigtable/go.sum
@@ -67,8 +67,8 @@ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/cloud-bigtable-clients-test v0.0.0-20221012214650-1d7ae69b0110 h1:7b5OjwaXZXLWlelmqKCp2pBBD0dgXwKawcTD54L1kKY=
-github.com/googleapis/cloud-bigtable-clients-test v0.0.0-20221012214650-1d7ae69b0110/go.mod h1:EpIlz+Q8rera5LV8JXtACO1HbHg2W0PxL1wU2tJL0uY=
+github.com/googleapis/cloud-bigtable-clients-test v0.0.0-20221026222555-5b86a501bb0d h1:tT1wygWeB73Y2Lqw6FJJAiOhGI+Pm1WIQpIHmMpl7qk=
+github.com/googleapis/cloud-bigtable-clients-test v0.0.0-20221026222555-5b86a501bb0d/go.mod h1:QxwNemPUPvwkeIHFM36i517LJxC3Gd4oNlRbX/UAR6g=
 github.com/googleapis/enterprise-certificate-proxy v0.2.0 h1:y8Yozv7SZtlU//QXbezB6QkpuE6jMD2/gfzk4AftXjs=
 github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg=
 github.com/googleapis/gax-go/v2 v2.6.0 h1:SXk3ABtQYDT/OH8jAyvEOQ58mgawq5C4o/4/89qN2ZU=
@@ -142,8 +142,8 @@ google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoA
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e h1:S9GbmC1iCgvbLyAokVCwiO6tVIrU9Y7c5oMx1V/ki/Y=
-google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s=
+google.golang.org/genproto v0.0.0-20221025140454-527a21cfbd71 h1:GEgb2jF5zxsFJpJfg9RoDDWm7tiwc/DDSTE2BtLUkXU=
+google.golang.org/genproto v0.0.0-20221025140454-527a21cfbd71/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=

diff --git a/bigtable/internal/testproxy/proxy.go b/bigtable/internal/testproxy/proxy.go
@@ -16,7 +16,6 @@ package main
 
 import (
 	"context"
-	"crypto/x509"
 	"errors"
 	"flag"
 	"fmt"
@@ -29,15 +28,12 @@ import (
 	"cloud.google.com/go/bigtable"
 	"github.com/golang/protobuf/ptypes/duration"
 	pb "github.com/googleapis/cloud-bigtable-clients-test/testproxypb"
-	gauth "golang.org/x/oauth2/google"
 	"google.golang.org/api/option"
 	btpb "google.golang.org/genproto/googleapis/bigtable/v2"
 	statpb "google.golang.org/genproto/googleapis/rpc/status"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
-	oauth "google.golang.org/grpc/credentials/oauth"
 	stat "google.golang.org/grpc/status"
 )
 
@@ -334,8 +330,9 @@ func filterFromProto(rfPb *btpb.RowFilter) *bigtable.Filter {
 
 // statusFromError converts an error into a Status code.
 func statusFromError(err error) *statpb.Status {
+	log.Printf("error: %v\n", err)
 	st := &statpb.Status{
-		Code:    int32(codes.Internal),
+		Code:    int32(codes.Unknown),
 		Message: fmt.Sprintf("%v", err),
 	}
 	if s, ok := stat.FromError(err); ok {
@@ -375,7 +372,6 @@ type testClient struct {
 	c                   *bigtable.Client   // c stores the Bigtable client under test
 	appProfileID        string             // appProfileID is currently unused
 	perOperationTimeout *duration.Duration // perOperationTimeout sets a custom timeout for methods calls on this client
-	isOpen              bool               // isOpen indicates whether this client is open for new requests
 }
 
 // timeout adds a timeout setting to a context if perOperationTimeout is set on
@@ -387,138 +383,15 @@ func (tc *testClient) timeout(ctx context.Context) (context.Context, context.Can
 	return context.WithCancel(ctx)
 }
 
-// credentialsBundle implements credentials.Bundle interface
-// [See documentation for usage](https://pkg.go.dev/google.golang.org/grpc/credentials#Bundle).
-type credentialsBundle struct {
-	channel credentials.TransportCredentials
-	call    credentials.PerRPCCredentials
-}
-
-// TransportCredentials gets the channel credentials as TransportCredentials
-func (c credentialsBundle) TransportCredentials() credentials.TransportCredentials {
-	return c.channel
-}
-
-// PerRPCCredentials gets the call credentials ars PerRPCCredentials
-func (c credentialsBundle) PerRPCCredentials() credentials.PerRPCCredentials {
-	return c.call
-}
-
-// NewWithMode is not used. Always returns nil
-func (c credentialsBundle) NewWithMode(mode string) (credentials.Bundle, error) {
-	return nil, nil
-}
-
-// getCredentialsOptions extracts the authentication details--SSL name override,
-// call credentials, channel credentials--from a CreateClientRequest object.
-//
-// There are three base cases to address:
-//  1. CreateClientRequest specifies no unique credentials; so ADC will be used.
-//     This method returns an empty slice.
-//  2. CreateClientRequest specifies only a channel credential.
-//  3. CreateClientRequest specifies both call and channel credentials. In
-//     this case, we need to create a combined credential (Bundle).
+// getCredentialsOptions provides credentials for a Bigtable client.
 //
-// Discussed [here](https://github.com/grpc/grpc-go/tree/master/examples/features/authentication).
-// Note that the Go client libraries don't explicitly have the concept of
-// channel credentials, call credentials, or composite call credentials per
-// [gRPC documentation](https://grpc.io/docs/guides/auth/).
-func getCredentialsOptions(req *pb.CreateClientRequest) ([]grpc.DialOption, error) {
-	var opts []grpc.DialOption
-
-	if req.CallCredential == nil &&
-		req.ChannelCredential == nil &&
-		req.OverrideSslTargetName == "" {
-		opts = append(opts, grpc.WithTransportCredentials(insecure.NewCredentials()))
-		return opts, nil
-	}
-
-	// If you have call credentials, then you must have channel credentials too
-	if req.CallCredential != nil && req.ChannelCredential == nil {
-		return nil, fmt.Errorf("%s: must supply channel credentials with call credentials", logLabel)
-	}
-
-	// This may not be needed--OverrideSslTargetName is provided to when
-	// creating the channel credentials.
-	if req.OverrideSslTargetName != "" {
-		d := grpc.WithAuthority(req.OverrideSslTargetName)
-		opts = append(opts, d)
-	}
-
-	// Case 1: No additional credentials provided
-	chc := req.GetChannelCredential()
-	if chc == nil {
-		return opts, nil
-	}
-	channelCreds, err := getChannelCredentials(chc, req.OverrideSslTargetName)
-	if err != nil {
-		return nil, err
-	}
-
-	// Case 2: Only channel credentials provided
-	cc := req.CallCredential
-	if cc == nil {
-		d := grpc.WithTransportCredentials(channelCreds)
-		opts = append(opts, d)
-		return opts, nil
-	}
-
-	// Case 3: Both channel & call credentials provided
-	sa := cc.GetJsonServiceAccount()
-	clc, err := oauth.NewJWTAccessFromKey([]byte(sa))
-	if err != nil {
-		return nil, err
-	}
-
-	b := credentialsBundle{
-		channel: channelCreds,
-		call:    clc,
-	}
-
-	d := grpc.WithCredentialsBundle(b)
-	opts = append(opts, d)
-
+// Note: this proxy uses insecure credentials. This function may need to be
+// expanded to support different credential types.
+func getCredentialsOptions(req *pb.CreateClientRequest) (opts []grpc.DialOption, _ error) {
+	opts = append(opts, grpc.WithTransportCredentials(insecure.NewCredentials()))
 	return opts, nil
 }
 
-// getChannelCredentials extracts the channel credentials (credentials for use)
-// with all calls on this client.
-func getChannelCredentials(credsProto *pb.ChannelCredential, sslTargetName string) (credentials.TransportCredentials, error) {
-	var creds credentials.TransportCredentials
-	v := credsProto.GetValue()
-	switch t := v.(type) {
-	case *pb.ChannelCredential_Ssl:
-		pem := t.Ssl.GetPemRootCerts()
-
-		cert, err := x509.ParseCertificate([]byte(pem))
-		if err != nil {
-			return nil, err
-		}
-
-		pool := x509.NewCertPool()
-		pool.AddCert(cert)
-
-		creds = credentials.NewClientTLSFromCert(pool, sslTargetName)
-		if err != nil {
-			return nil, err
-		}
-	case *pb.ChannelCredential_None:
-		creds = insecure.NewCredentials()
-	default:
-		ctx := context.Background()
-		c, err := gauth.FindDefaultCredentials(ctx, "https://www.googleapis.com/auth/cloud-platform")
-		if err != nil {
-			return nil, err
-		}
-
-		// TODO(developer): Determine how to pass this call option back to caller
-		option.WithTokenSource(c.TokenSource)
-
-		return nil, nil
-	}
-	return creds, nil
-}
-
 // goTestProxyServer represents an instance of the test proxy server. It keeps
 // a reference to individual clients instances (stored in a testClient object).
 type goTestProxyServer struct {
@@ -534,9 +407,6 @@ func (s *goTestProxyServer) client(clientID string) (*testClient, error) {
 	if !ok {
 		return nil, fmt.Errorf("client ID %s does not exist", clientID)
 	}
-	if !client.isOpen {
-		return nil, fmt.Errorf("client ID %s is closed to new requests", clientID)
-	}
 	return client, nil
 }
 
@@ -580,7 +450,6 @@ func (s *goTestProxyServer) CreateClient(ctx context.Context, req *pb.CreateClie
 		c:                   c,
 		appProfileID:        req.AppProfileId,
 		perOperationTimeout: req.PerOperationTimeout,
-		isOpen:              true,
 	}
 
 	return &pb.CreateClientResponse{}, nil
@@ -597,7 +466,7 @@ func (s *goTestProxyServer) CloseClient(ctx context.Context, req *pb.CloseClient
 	if err != nil {
 		return nil, err
 	}
-	btc.isOpen = false
+	btc.c.Close()
 
 	return &pb.CloseClientResponse{}, nil
 }
@@ -611,15 +480,11 @@ func (s *goTestProxyServer) RemoveClient(ctx context.Context, req *pb.RemoveClie
 	defer s.clientsLock.Unlock()
 
 	// RemoveClient can ignore whether the client accepts new requests
-	btc, exists := s.clientIDs[clientID]
-	if !exists {
+	_, err := s.client(clientID)
+	if err != nil {
 		return nil, stat.Error(codes.InvalidArgument,
 			fmt.Sprintf("%s: ClientID does not exist", logLabel))
 	}
-
-	// this closes every ClientConn in the pool.
-	btc.isOpen = false
-	btc.c.Close()
 	delete(s.clientIDs, clientID)
 
 	return &pb.RemoveClientResponse{}, nil