From c20fa3f09365b2d1bc172df35c06110c989f688e Mon Sep 17 00:00:00 2001 From: Yoshi Automation Bot Date: Wed, 27 May 2020 22:32:12 -0700 Subject: [PATCH] feat: add mtls support and resource path parse methods (via synth) (#4) --- .coveragerc | 27 +-- .../recaptcha_enterprise_service/client.py | 98 +++++++- .../transports/grpc.py | 55 ++++- mypy.ini | 2 +- setup.py | 4 +- synth.metadata | 3 +- .../test_recaptcha_enterprise_service.py | 220 ++++++++++++++++-- 7 files changed, 351 insertions(+), 58 deletions(-) diff --git a/.coveragerc b/.coveragerc index 4ad9707..410d25c 100644 --- a/.coveragerc +++ b/.coveragerc @@ -1,39 +1,18 @@ -# -*- coding: utf-8 -*- -# -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Generated by synthtool. DO NOT EDIT! [run] branch = True [report] fail_under = 100 show_missing = True +omit = + google/cloud/recaptchaenterprise/__init__.py exclude_lines = # Re-enable the standard pragma pragma: NO COVER # Ignore debug-only repr def __repr__ - # Ignore abstract methods - raise NotImplementedError + # Ignore pkg_resources exceptions. # This is added at the module level as a safeguard for if someone # generates the code and tries to run it without pip installing. This # makes it virtually impossible to test properly. except pkg_resources.DistributionNotFound -omit = - */gapic/*.py - */proto/*.py - */core/*.py - */site-packages/*.py \ No newline at end of file diff --git a/google/cloud/recaptchaenterprise_v1/services/recaptcha_enterprise_service/client.py b/google/cloud/recaptchaenterprise_v1/services/recaptcha_enterprise_service/client.py index 62b4f50..f6840d7 100644 --- a/google/cloud/recaptchaenterprise_v1/services/recaptcha_enterprise_service/client.py +++ b/google/cloud/recaptchaenterprise_v1/services/recaptcha_enterprise_service/client.py @@ -16,7 +16,8 @@ # from collections import OrderedDict -from typing import Dict, Sequence, Tuple, Type, Union +import re +from typing import Callable, Dict, Sequence, Tuple, Type, Union import pkg_resources import google.api_core.client_options as ClientOptions # type: ignore @@ -73,8 +74,38 @@ def get_transport_class( class RecaptchaEnterpriseServiceClient(metaclass=RecaptchaEnterpriseServiceClientMeta): """Service to determine the likelihood an event is legitimate.""" - DEFAULT_OPTIONS = ClientOptions.ClientOptions( - api_endpoint="recaptchaenterprise.googleapis.com" + @staticmethod + def _get_default_mtls_endpoint(api_endpoint): + """Convert api endpoint to mTLS endpoint. + Convert "*.sandbox.googleapis.com" and "*.googleapis.com" to + "*.mtls.sandbox.googleapis.com" and "*.mtls.googleapis.com" respectively. + Args: + api_endpoint (Optional[str]): the api endpoint to convert. + Returns: + str: converted mTLS api endpoint. + """ + if not api_endpoint: + return api_endpoint + + mtls_endpoint_re = re.compile( + r"(?P[^.]+)(?P\.mtls)?(?P\.sandbox)?(?P\.googleapis\.com)?" + ) + + m = mtls_endpoint_re.match(api_endpoint) + name, mtls, sandbox, googledomain = m.groups() + if mtls or not googledomain: + return api_endpoint + + if sandbox: + return api_endpoint.replace( + "sandbox.googleapis.com", "mtls.sandbox.googleapis.com" + ) + + return api_endpoint.replace(".googleapis.com", ".mtls.googleapis.com") + + DEFAULT_ENDPOINT = "recaptchaenterprise.googleapis.com" + DEFAULT_MTLS_ENDPOINT = _get_default_mtls_endpoint.__func__( # type: ignore + DEFAULT_ENDPOINT ) @classmethod @@ -102,6 +133,12 @@ def key_path(project: str, key: str) -> str: """Return a fully-qualified key string.""" return "projects/{project}/keys/{key}".format(project=project, key=key) + @staticmethod + def parse_key_path(path: str) -> Dict[str, str]: + """Parse a key path into its component segments.""" + m = re.match(r"^projects/(?P.+?)/keys/(?P.+?)$", path) + return m.groupdict() if m else {} + @staticmethod def assessment_path(project: str, assessment: str) -> str: """Return a fully-qualified assessment string.""" @@ -109,12 +146,20 @@ def assessment_path(project: str, assessment: str) -> str: project=project, assessment=assessment ) + @staticmethod + def parse_assessment_path(path: str) -> Dict[str, str]: + """Parse a assessment path into its component segments.""" + m = re.match( + r"^projects/(?P.+?)/assessments/(?P.+?)$", path + ) + return m.groupdict() if m else {} + def __init__( self, *, credentials: credentials.Credentials = None, transport: Union[str, RecaptchaEnterpriseServiceTransport] = None, - client_options: ClientOptions = DEFAULT_OPTIONS, + client_options: ClientOptions = None, ) -> None: """Instantiate the recaptcha enterprise service client. @@ -128,6 +173,17 @@ def __init__( transport to use. If set to None, a transport is chosen automatically. client_options (ClientOptions): Custom options for the client. + (1) The ``api_endpoint`` property can be used to override the + default endpoint provided by the client. + (2) If ``transport`` argument is None, ``client_options`` can be + used to create a mutual TLS transport. If ``client_cert_source`` + is provided, mutual TLS transport will be created with the given + ``api_endpoint`` or the default mTLS endpoint, and the client + SSL credentials obtained from ``client_cert_source``. + + Raises: + google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport + creation failed for any reason. """ if isinstance(client_options, dict): client_options = ClientOptions.from_dict(client_options) @@ -136,18 +192,46 @@ def __init__( # Ordinarily, we provide the transport, but allowing a custom transport # instance provides an extensibility point for unusual situations. if isinstance(transport, RecaptchaEnterpriseServiceTransport): + # transport is a RecaptchaEnterpriseServiceTransport instance. if credentials: raise ValueError( "When providing a transport instance, " "provide its credentials directly." ) self._transport = transport - else: + elif client_options is None or ( + client_options.api_endpoint is None + and client_options.client_cert_source is None + ): + # Don't trigger mTLS if we get an empty ClientOptions. Transport = type(self).get_transport_class(transport) self._transport = Transport( + credentials=credentials, host=self.DEFAULT_ENDPOINT + ) + else: + # We have a non-empty ClientOptions. If client_cert_source is + # provided, trigger mTLS with user provided endpoint or the default + # mTLS endpoint. + if client_options.client_cert_source: + api_mtls_endpoint = ( + client_options.api_endpoint + if client_options.api_endpoint + else self.DEFAULT_MTLS_ENDPOINT + ) + else: + api_mtls_endpoint = None + + api_endpoint = ( + client_options.api_endpoint + if client_options.api_endpoint + else self.DEFAULT_ENDPOINT + ) + + self._transport = RecaptchaEnterpriseServiceGrpcTransport( credentials=credentials, - host=client_options.api_endpoint - or "recaptchaenterprise.googleapis.com", + host=api_endpoint, + api_mtls_endpoint=api_mtls_endpoint, + client_cert_source=client_options.client_cert_source, ) def create_assessment( diff --git a/google/cloud/recaptchaenterprise_v1/services/recaptcha_enterprise_service/transports/grpc.py b/google/cloud/recaptchaenterprise_v1/services/recaptcha_enterprise_service/transports/grpc.py index 92db2f6..bc16334 100644 --- a/google/cloud/recaptchaenterprise_v1/services/recaptcha_enterprise_service/transports/grpc.py +++ b/google/cloud/recaptchaenterprise_v1/services/recaptcha_enterprise_service/transports/grpc.py @@ -15,10 +15,12 @@ # limitations under the License. # -from typing import Callable, Dict +from typing import Callable, Dict, Tuple from google.api_core import grpc_helpers # type: ignore from google.auth import credentials # type: ignore +from google.auth.transport.grpc import SslCredentials # type: ignore + import grpc # type: ignore @@ -46,7 +48,9 @@ def __init__( *, host: str = "recaptchaenterprise.googleapis.com", credentials: credentials.Credentials = None, - channel: grpc.Channel = None + channel: grpc.Channel = None, + api_mtls_endpoint: str = None, + client_cert_source: Callable[[], Tuple[bytes, bytes]] = None ) -> None: """Instantiate the transport. @@ -60,20 +64,55 @@ def __init__( This argument is ignored if ``channel`` is provided. channel (Optional[grpc.Channel]): A ``Channel`` instance through which to make calls. + api_mtls_endpoint (Optional[str]): The mutual TLS endpoint. If + provided, it overrides the ``host`` argument and tries to create + a mutual TLS channel with client SSL credentials from + ``client_cert_source`` or applicatin default SSL credentials. + client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): A + callback to provide client SSL certificate bytes and private key + bytes, both in PEM format. It is ignored if ``api_mtls_endpoint`` + is None. + + Raises: + google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport + creation failed for any reason. """ - # Sanity check: Ensure that channel and credentials are not both - # provided. if channel: + # Sanity check: Ensure that channel and credentials are not both + # provided. credentials = False + # If a channel was explicitly provided, set it. + self._grpc_channel = channel + elif api_mtls_endpoint: + host = ( + api_mtls_endpoint + if ":" in api_mtls_endpoint + else api_mtls_endpoint + ":443" + ) + + # Create SSL credentials with client_cert_source or application + # default SSL credentials. + if client_cert_source: + cert, key = client_cert_source() + ssl_credentials = grpc.ssl_channel_credentials( + certificate_chain=cert, private_key=key + ) + else: + ssl_credentials = SslCredentials().ssl_credentials + + # create a new channel. The provided one is ignored. + self._grpc_channel = grpc_helpers.create_channel( + host, + credentials=credentials, + ssl_credentials=ssl_credentials, + scopes=self.AUTH_SCOPES, + ) + # Run the base constructor. super().__init__(host=host, credentials=credentials) self._stubs = {} # type: Dict[str, Callable] - # If a channel was explicitly provided, set it. - if channel: - self._grpc_channel = channel - @classmethod def create_channel( cls, diff --git a/mypy.ini b/mypy.ini index f23e6b5..4505b48 100644 --- a/mypy.ini +++ b/mypy.ini @@ -1,3 +1,3 @@ [mypy] -python_version = 3.5 +python_version = 3.6 namespace_packages = True diff --git a/setup.py b/setup.py index 0c9d100..7a78623 100644 --- a/setup.py +++ b/setup.py @@ -40,9 +40,7 @@ platforms="Posix; MacOS X; Windows", include_package_data=True, install_requires=( - "google-api-core >= 1.8.0, < 2.0.0dev", - "googleapis-common-protos >= 1.5.8", - "grpcio >= 1.10.0", + "google-api-core[grpc] >= 1.17.0, < 2.0.0dev", "proto-plus >= 0.4.0", ), python_requires=">=3.6", diff --git a/synth.metadata b/synth.metadata index 694154b..66fd777 100644 --- a/synth.metadata +++ b/synth.metadata @@ -3,7 +3,8 @@ { "git": { "name": ".", - "remote": "sso://devrel/cloud/libraries/python/python-recaptcha-enterprise" + "remote": "https://github.com/googleapis/python-recaptcha-enterprise.git", + "sha": "4292038216cb9e2cf20194189f49f22e0c06cb41" } }, { diff --git a/tests/unit/recaptchaenterprise_v1/test_recaptcha_enterprise_service.py b/tests/unit/recaptchaenterprise_v1/test_recaptcha_enterprise_service.py index 104953e..17b5921 100644 --- a/tests/unit/recaptchaenterprise_v1/test_recaptcha_enterprise_service.py +++ b/tests/unit/recaptchaenterprise_v1/test_recaptcha_enterprise_service.py @@ -23,6 +23,7 @@ from google import auth from google.api_core import client_options +from google.api_core import grpc_helpers from google.auth import credentials from google.cloud.recaptchaenterprise_v1.services.recaptcha_enterprise_service import ( RecaptchaEnterpriseServiceClient, @@ -39,6 +40,42 @@ from google.protobuf import timestamp_pb2 as timestamp # type: ignore +def client_cert_source_callback(): + return b"cert bytes", b"key bytes" + + +def test__get_default_mtls_endpoint(): + api_endpoint = "example.googleapis.com" + api_mtls_endpoint = "example.mtls.googleapis.com" + sandbox_endpoint = "example.sandbox.googleapis.com" + sandbox_mtls_endpoint = "example.mtls.sandbox.googleapis.com" + non_googleapi = "api.example.com" + + assert RecaptchaEnterpriseServiceClient._get_default_mtls_endpoint(None) is None + assert ( + RecaptchaEnterpriseServiceClient._get_default_mtls_endpoint(api_endpoint) + == api_mtls_endpoint + ) + assert ( + RecaptchaEnterpriseServiceClient._get_default_mtls_endpoint(api_mtls_endpoint) + == api_mtls_endpoint + ) + assert ( + RecaptchaEnterpriseServiceClient._get_default_mtls_endpoint(sandbox_endpoint) + == sandbox_mtls_endpoint + ) + assert ( + RecaptchaEnterpriseServiceClient._get_default_mtls_endpoint( + sandbox_mtls_endpoint + ) + == sandbox_mtls_endpoint + ) + assert ( + RecaptchaEnterpriseServiceClient._get_default_mtls_endpoint(non_googleapi) + == non_googleapi + ) + + def test_recaptcha_enterprise_service_client_from_service_account_file(): creds = credentials.AnonymousCredentials() with mock.patch.object( @@ -59,31 +96,89 @@ def test_recaptcha_enterprise_service_client_from_service_account_file(): def test_recaptcha_enterprise_service_client_client_options(): - # Check the default options have their expected values. - assert ( - RecaptchaEnterpriseServiceClient.DEFAULT_OPTIONS.api_endpoint - == "recaptchaenterprise.googleapis.com" - ) + # Check that if channel is provided we won't create a new one. + with mock.patch( + "google.cloud.recaptchaenterprise_v1.services.recaptcha_enterprise_service.RecaptchaEnterpriseServiceClient.get_transport_class" + ) as gtc: + transport = transports.RecaptchaEnterpriseServiceGrpcTransport( + credentials=credentials.AnonymousCredentials() + ) + client = RecaptchaEnterpriseServiceClient(transport=transport) + gtc.assert_not_called() - # Check that options can be customized. - options = client_options.ClientOptions(api_endpoint="squid.clam.whelk") + # Check mTLS is not triggered with empty client options. + options = client_options.ClientOptions() with mock.patch( "google.cloud.recaptchaenterprise_v1.services.recaptcha_enterprise_service.RecaptchaEnterpriseServiceClient.get_transport_class" ) as gtc: transport = gtc.return_value = mock.MagicMock() client = RecaptchaEnterpriseServiceClient(client_options=options) - transport.assert_called_once_with(credentials=None, host="squid.clam.whelk") + transport.assert_called_once_with( + credentials=None, host=client.DEFAULT_ENDPOINT + ) + + # Check mTLS is not triggered if api_endpoint is provided but + # client_cert_source is None. + options = client_options.ClientOptions(api_endpoint="squid.clam.whelk") + with mock.patch( + "google.cloud.recaptchaenterprise_v1.services.recaptcha_enterprise_service.transports.RecaptchaEnterpriseServiceGrpcTransport.__init__" + ) as grpc_transport: + grpc_transport.return_value = None + client = RecaptchaEnterpriseServiceClient(client_options=options) + grpc_transport.assert_called_once_with( + api_mtls_endpoint=None, + client_cert_source=None, + credentials=None, + host="squid.clam.whelk", + ) + + # Check mTLS is triggered if client_cert_source is provided. + options = client_options.ClientOptions( + client_cert_source=client_cert_source_callback + ) + with mock.patch( + "google.cloud.recaptchaenterprise_v1.services.recaptcha_enterprise_service.transports.RecaptchaEnterpriseServiceGrpcTransport.__init__" + ) as grpc_transport: + grpc_transport.return_value = None + client = RecaptchaEnterpriseServiceClient(client_options=options) + grpc_transport.assert_called_once_with( + api_mtls_endpoint=client.DEFAULT_MTLS_ENDPOINT, + client_cert_source=client_cert_source_callback, + credentials=None, + host=client.DEFAULT_ENDPOINT, + ) + + # Check mTLS is triggered if api_endpoint and client_cert_source are provided. + options = client_options.ClientOptions( + api_endpoint="squid.clam.whelk", client_cert_source=client_cert_source_callback + ) + with mock.patch( + "google.cloud.recaptchaenterprise_v1.services.recaptcha_enterprise_service.transports.RecaptchaEnterpriseServiceGrpcTransport.__init__" + ) as grpc_transport: + grpc_transport.return_value = None + client = RecaptchaEnterpriseServiceClient(client_options=options) + grpc_transport.assert_called_once_with( + api_mtls_endpoint="squid.clam.whelk", + client_cert_source=client_cert_source_callback, + credentials=None, + host="squid.clam.whelk", + ) def test_recaptcha_enterprise_service_client_client_options_from_dict(): with mock.patch( - "google.cloud.recaptchaenterprise_v1.services.recaptcha_enterprise_service.RecaptchaEnterpriseServiceClient.get_transport_class" - ) as gtc: - transport = gtc.return_value = mock.MagicMock() + "google.cloud.recaptchaenterprise_v1.services.recaptcha_enterprise_service.transports.RecaptchaEnterpriseServiceGrpcTransport.__init__" + ) as grpc_transport: + grpc_transport.return_value = None client = RecaptchaEnterpriseServiceClient( client_options={"api_endpoint": "squid.clam.whelk"} ) - transport.assert_called_once_with(credentials=None, host="squid.clam.whelk") + grpc_transport.assert_called_once_with( + api_mtls_endpoint=None, + client_cert_source=None, + credentials=None, + host="squid.clam.whelk", + ) def test_create_assessment(transport: str = "grpc"): @@ -571,8 +666,87 @@ def test_recaptcha_enterprise_service_host_with_port(): def test_recaptcha_enterprise_service_grpc_transport_channel(): channel = grpc.insecure_channel("http://localhost/") - transport = transports.RecaptchaEnterpriseServiceGrpcTransport(channel=channel) - assert transport.grpc_channel is channel + + # Check that if channel is provided, mtls endpoint and client_cert_source + # won't be used. + callback = mock.MagicMock() + transport = transports.RecaptchaEnterpriseServiceGrpcTransport( + host="squid.clam.whelk", + channel=channel, + api_mtls_endpoint="mtls.squid.clam.whelk", + client_cert_source=callback, + ) + assert transport.grpc_channel == channel + assert transport._host == "squid.clam.whelk:443" + assert not callback.called + + +@mock.patch("grpc.ssl_channel_credentials", autospec=True) +@mock.patch("google.api_core.grpc_helpers.create_channel", autospec=True) +def test_recaptcha_enterprise_service_grpc_transport_channel_mtls_with_client_cert_source( + grpc_create_channel, grpc_ssl_channel_cred +): + # Check that if channel is None, but api_mtls_endpoint and client_cert_source + # are provided, then a mTLS channel will be created. + mock_cred = mock.Mock() + + mock_ssl_cred = mock.Mock() + grpc_ssl_channel_cred.return_value = mock_ssl_cred + + mock_grpc_channel = mock.Mock() + grpc_create_channel.return_value = mock_grpc_channel + + transport = transports.RecaptchaEnterpriseServiceGrpcTransport( + host="squid.clam.whelk", + credentials=mock_cred, + api_mtls_endpoint="mtls.squid.clam.whelk", + client_cert_source=client_cert_source_callback, + ) + grpc_ssl_channel_cred.assert_called_once_with( + certificate_chain=b"cert bytes", private_key=b"key bytes" + ) + grpc_create_channel.assert_called_once_with( + "mtls.squid.clam.whelk:443", + credentials=mock_cred, + ssl_credentials=mock_ssl_cred, + scopes=("https://www.googleapis.com/auth/cloud-platform",), + ) + assert transport.grpc_channel == mock_grpc_channel + + +@pytest.mark.parametrize( + "api_mtls_endpoint", ["mtls.squid.clam.whelk", "mtls.squid.clam.whelk:443"] +) +@mock.patch("google.api_core.grpc_helpers.create_channel", autospec=True) +def test_recaptcha_enterprise_service_grpc_transport_channel_mtls_with_adc( + grpc_create_channel, api_mtls_endpoint +): + # Check that if channel and client_cert_source are None, but api_mtls_endpoint + # is provided, then a mTLS channel will be created with SSL ADC. + mock_grpc_channel = mock.Mock() + grpc_create_channel.return_value = mock_grpc_channel + + # Mock google.auth.transport.grpc.SslCredentials class. + mock_ssl_cred = mock.Mock() + with mock.patch.multiple( + "google.auth.transport.grpc.SslCredentials", + __init__=mock.Mock(return_value=None), + ssl_credentials=mock.PropertyMock(return_value=mock_ssl_cred), + ): + mock_cred = mock.Mock() + transport = transports.RecaptchaEnterpriseServiceGrpcTransport( + host="squid.clam.whelk", + credentials=mock_cred, + api_mtls_endpoint=api_mtls_endpoint, + client_cert_source=None, + ) + grpc_create_channel.assert_called_once_with( + "mtls.squid.clam.whelk:443", + credentials=mock_cred, + ssl_credentials=mock_ssl_cred, + scopes=("https://www.googleapis.com/auth/cloud-platform",), + ) + assert transport.grpc_channel == mock_grpc_channel def test_key_path(): @@ -584,6 +758,15 @@ def test_key_path(): assert expected == actual +def test_parse_key_path(): + expected = {"project": "whelk", "key": "octopus"} + path = RecaptchaEnterpriseServiceClient.key_path(**expected) + + # Check that the path construction is reversible. + actual = RecaptchaEnterpriseServiceClient.parse_key_path(path) + assert expected == actual + + def test_assessment_path(): project = "squid" assessment = "clam" @@ -593,3 +776,12 @@ def test_assessment_path(): ) actual = RecaptchaEnterpriseServiceClient.assessment_path(project, assessment) assert expected == actual + + +def test_parse_assessment_path(): + expected = {"project": "whelk", "assessment": "octopus"} + path = RecaptchaEnterpriseServiceClient.assessment_path(**expected) + + # Check that the path construction is reversible. + actual = RecaptchaEnterpriseServiceClient.parse_assessment_path(path) + assert expected == actual