feat(auth): add grpctransport package (#8625)

This package is the analog to https://pkg.go.dev/google.golang.org/api/transport/grpc.
googleapis · Oct 2, 2023 · 69a8347 · 69a8347
1 parent 852a230
commit 69a8347
Show file tree

Hide file tree

Showing 17 changed files with 1,652 additions and 63 deletions.
diff --git a/auth/go.mod b/auth/go.mod
@@ -10,15 +10,18 @@ require (
 	go.opencensus.io v0.24.0
 	golang.org/x/net v0.14.0
 	google.golang.org/grpc v1.57.0
+	google.golang.org/protobuf v1.31.0
 )
 
 require (
 	cloud.google.com/go/compute v1.19.1 // indirect
 	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	golang.org/x/crypto v0.12.0 // indirect
+	golang.org/x/oauth2 v0.7.0 // indirect
+	golang.org/x/sync v0.2.0 // indirect
 	golang.org/x/sys v0.11.0 // indirect
 	golang.org/x/text v0.12.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
 )
diff --git a/auth/go.sum b/auth/go.sum
@@ -18,6 +18,7 @@ github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18h
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
@@ -66,21 +67,26 @@ golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
 golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g=
+golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
+golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
@@ -92,6 +98,8 @@ golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=

diff --git a/auth/grpctransport/dial_socketopt.go b/auth/grpctransport/dial_socketopt.go
@@ -0,0 +1,62 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build linux
+// +build linux
+
+package grpctransport
+
+import (
+	"context"
+	"net"
+	"syscall"
+
+	"google.golang.org/grpc"
+)
+
+const (
+	// defaultTCPUserTimeout is the default TCP_USER_TIMEOUT socket option. By
+	// default is 20 seconds.
+	tcpUserTimeoutMilliseconds = 20000
+
+	// Copied from golang.org/x/sys/unix.TCP_USER_TIMEOUT.
+	tcpUserTimeoutOp = 0x12
+)
+
+func init() {
+	// timeoutDialerOption is a grpc.DialOption that contains dialer with
+	// socket option TCP_USER_TIMEOUT. This dialer requires go versions 1.11+.
+	timeoutDialerOption = grpc.WithContextDialer(dialTCPUserTimeout)
+}
+
+func dialTCPUserTimeout(ctx context.Context, addr string) (net.Conn, error) {
+	control := func(network, address string, c syscall.RawConn) error {
+		var syscallErr error
+		controlErr := c.Control(func(fd uintptr) {
+			syscallErr = syscall.SetsockoptInt(
+				int(fd), syscall.IPPROTO_TCP, tcpUserTimeoutOp, tcpUserTimeoutMilliseconds)
+		})
+		if syscallErr != nil {
+			return syscallErr
+		}
+		if controlErr != nil {
+			return controlErr
+		}
+		return nil
+	}
+	d := &net.Dialer{
+		Control: control,
+	}
+	return d.DialContext(ctx, "tcp", addr)
+}
diff --git a/auth/grpctransport/dial_socketopt_test.go b/auth/grpctransport/dial_socketopt_test.go
@@ -0,0 +1,124 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build linux
+// +build linux
+
+package grpctransport
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"syscall"
+	"testing"
+	"time"
+
+	"google.golang.org/grpc"
+)
+
+func TestDialTCPUserTimeout(t *testing.T) {
+	l, err := net.Listen("tcp", ":3000")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+
+	acceptErrCh := make(chan error, 1)
+
+	go func() {
+		conn, err := l.Accept()
+		if err != nil {
+			acceptErrCh <- err
+			return
+		}
+		defer conn.Close()
+
+		if err := conn.Close(); err != nil {
+			acceptErrCh <- err
+		}
+	}()
+
+	conn, err := dialTCPUserTimeout(context.Background(), ":3000")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer conn.Close()
+
+	timeout, err := getTCPUserTimeout(conn)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if timeout != tcpUserTimeoutMilliseconds {
+		t.Fatalf("expected %v, got %v", tcpUserTimeoutMilliseconds, timeout)
+	}
+
+	select {
+	case err := <-acceptErrCh:
+		t.Fatalf("Accept failed with: %v", err)
+	default:
+	}
+}
+
+func getTCPUserTimeout(conn net.Conn) (int, error) {
+	tcpConn, ok := conn.(*net.TCPConn)
+	if !ok {
+		return 0, fmt.Errorf("conn is not *net.TCPConn. got %T", conn)
+	}
+	rawConn, err := tcpConn.SyscallConn()
+	if err != nil {
+		return 0, err
+	}
+	var timeout int
+	var syscallErr error
+	controlErr := rawConn.Control(func(fd uintptr) {
+		timeout, syscallErr = syscall.GetsockoptInt(int(fd), syscall.IPPROTO_TCP, tcpUserTimeoutOp)
+	})
+	if syscallErr != nil {
+		return 0, syscallErr
+	}
+	if controlErr != nil {
+		return 0, controlErr
+	}
+	return timeout, nil
+}
+
+// Check that tcp timeout dialer overwrites user defined dialer.
+func TestDialWithDirectPathEnabled(t *testing.T) {
+	t.Skip("https://github.com/googleapis/google-api-go-client/issues/790")
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Millisecond)
+
+	userDialer := grpc.WithDialer(func(addr string, timeout time.Duration) (net.Conn, error) {
+		t.Error("did not expect a call to user dialer, got one")
+		cancel()
+		return nil, errors.New("not expected")
+	})
+
+	pool, err := Dial(ctx, true, &Options{
+		TokenProvider: staticTP("hey"),
+		GRPCDialOpts:  []grpc.DialOption{userDialer},
+		Endpoint:      "example.google.com:443",
+		InternalOptions: &InternalOptions{
+			EnableDirectPath: true,
+		},
+	})
+	if err != nil {
+		t.Errorf("DialGRPC: error %v, want nil", err)
+	}
+	defer pool.Close()
+
+	// gRPC doesn't connect before the first call.
+	grpc.Invoke(ctx, "foo", nil, nil, pool.Connection())
+}
diff --git a/auth/grpctransport/directpath.go b/auth/grpctransport/directpath.go
@@ -0,0 +1,123 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package grpctransport
+
+import (
+	"context"
+	"net"
+	"os"
+	"strconv"
+	"strings"
+
+	"cloud.google.com/go/auth"
+	"cloud.google.com/go/compute/metadata"
+	"google.golang.org/grpc"
+	grpcgoogle "google.golang.org/grpc/credentials/google"
+)
+
+func isDirectPathEnabled(endpoint string, opts *Options) bool {
+	if opts.InternalOptions != nil && !opts.InternalOptions.EnableDirectPath {
+		return false
+	}
+	if !checkDirectPathEndPoint(endpoint) {
+		return false
+	}
+	if b, _ := strconv.ParseBool(os.Getenv(disableDirectPathEnvVar)); b {
+		return false
+	}
+	return true
+}
+
+func checkDirectPathEndPoint(endpoint string) bool {
+	// Only [dns:///]host[:port] is supported, not other schemes (e.g., "tcp://" or "unix://").
+	// Also don't try direct path if the user has chosen an alternate name resolver
+	// (i.e., via ":///" prefix).
+	if strings.Contains(endpoint, "://") && !strings.HasPrefix(endpoint, "dns:///") {
+		return false
+	}
+
+	if endpoint == "" {
+		return false
+	}
+
+	return true
+}
+
+func isTokenProviderDirectPathCompatible(tp auth.TokenProvider, opts *Options) bool {
+	if tp == nil {
+		return false
+	}
+	tok, err := tp.Token(context.Background())
+	if err != nil {
+		return false
+	}
+	if tok == nil {
+		return false
+	}
+	if source, _ := tok.Metadata["auth.google.tokenSource"].(string); source != "compute-metadata" {
+		return false
+	}
+	if acct, _ := tok.Metadata["auth.google.serviceAccount"].(string); acct != "default" {
+		return false
+	}
+	return true
+}
+
+func isDirectPathXdsUsed(o *Options) bool {
+	// Method 1: Enable DirectPath xDS by env;
+	if b, _ := strconv.ParseBool(os.Getenv(enableDirectPathXdsEnvVar)); b {
+		return true
+	}
+	// Method 2: Enable DirectPath xDS by option;
+	if o.InternalOptions != nil && o.InternalOptions.EnableDirectPathXds {
+		return true
+	}
+	return false
+}
+
+// configureDirectPath returns some dial options and an endpoint to use if the
+// configuration allows the use of direct path. If it does not the provided
+// grpcOpts and endpoint are returned.
+func configureDirectPath(grpcOpts []grpc.DialOption, opts *Options, endpoint string, creds auth.TokenProvider) ([]grpc.DialOption, string) {
+	if isDirectPathEnabled(endpoint, opts) && metadata.OnGCE() && isTokenProviderDirectPathCompatible(creds, opts) {
+		// Overwrite all of the previously specific DialOptions, DirectPath uses its own set of credentials and certificates.
+		grpcOpts = []grpc.DialOption{
+			grpc.WithCredentialsBundle(grpcgoogle.NewDefaultCredentialsWithOptions(grpcgoogle.DefaultCredentialsOptions{PerRPCCreds: &grpcTokenProvider{TokenProvider: creds}}))}
+		if timeoutDialerOption != nil {
+			grpcOpts = append(grpcOpts, timeoutDialerOption)
+		}
+		// Check if google-c2p resolver is enabled for DirectPath
+		if isDirectPathXdsUsed(opts) {
+			// google-c2p resolver target must not have a port number
+			if addr, _, err := net.SplitHostPort(endpoint); err == nil {
+				endpoint = "google-c2p:///" + addr
+			} else {
+				endpoint = "google-c2p:///" + endpoint
+			}
+		} else {
+			if !strings.HasPrefix(endpoint, "dns:///") {
+				endpoint = "dns:///" + endpoint
+			}
+			grpcOpts = append(grpcOpts,
+				// For now all DirectPath go clients will be using the following lb config, but in future
+				// when different services need different configs, then we should change this to a
+				// per-service config.
+				grpc.WithDisableServiceConfig(),
+				grpc.WithDefaultServiceConfig(`{"loadBalancingConfig":[{"grpclb":{"childPolicy":[{"pick_first":{}}]}}]}`))
+		}
+		// TODO: add support for system parameters (quota project, request reason) via chained interceptor.
+	}
+	return grpcOpts, endpoint
+}