Merge pull request #22 from openconfig/alts-support

Add ALTS support
openconfig · Jan 16, 2025 · 56f0de3 · 56f0de3
2 parents c4a7f06 + fa83c16
commit 56f0de3
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 5 deletions.
diff --git a/gnmi/security.go b/gnmi/security.go
@@ -22,6 +22,7 @@ import (
 
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/alts"
 	"google.golang.org/grpc/credentials/tls/certprovider/pemfile"
 	"google.golang.org/grpc/security/advancedtls"
 )
@@ -50,8 +51,10 @@ func gRPCSecurityOption(cfg *Config) ([]grpc.ServerOption, error) {
 		opts, err = optionTLS(cfg)
 	case "mtls":
 		opts, err = optionMutualTLS(cfg)
+	case "alts":
+		opts, err = optionALTS(cfg)
 	default:
-		return nil, fmt.Errorf("unsupported transport security: %q; must be one of: insecure, tls, mtls", cfg.TpSec)
+		return nil, fmt.Errorf("unsupported transport security: %q; must be one of: insecure, alts,tls, mtls", cfg.TpSec)
 	}
 
 	if err != nil {
@@ -61,6 +64,11 @@ func gRPCSecurityOption(cfg *Config) ([]grpc.ServerOption, error) {
 	return opts, nil
 }
 
+func optionALTS(cfg *Config) ([]grpc.ServerOption, error) {
+	creds := alts.NewServerCreds(alts.DefaultServerOptions())
+	return []grpc.ServerOption{grpc.Creds(creds)}, nil
+}
+
 func optionTLS(cfg *Config) ([]grpc.ServerOption, error) {
 	// Check that all needed files actually exist.
 	for _, f := range []string{cfg.CertFile, cfg.KeyFile} {
@@ -77,7 +85,6 @@ func optionTLS(cfg *Config) ([]grpc.ServerOption, error) {
 }
 
 func optionMutualTLS(cfg *Config) ([]grpc.ServerOption, error) {
-
 	// Check that all needed files actually exist.
 	for _, f := range []string{cfg.CertFile, cfg.KeyFile, cfg.CAFile} {
 		if _, err := os.Stat(f); f == "" || errors.Is(err, os.ErrNotExist) {

diff --git a/gnmi/security_test.go b/gnmi/security_test.go
@@ -15,7 +15,15 @@
 package gnmi
 
 import (
+	"context"
+	"strings"
 	"testing"
+
+	gpb "github.com/openconfig/gnmi/proto/gnmi"
+
+	"go.uber.org/zap"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/alts"
 )
 
 var (
@@ -53,6 +61,13 @@ func TestGRPCSecurityOption(t *testing.T) {
 			},
 			wantCnt: 1,
 		},
+		{
+			name: "alts",
+			cfg: &Config{
+				TpSec: "alts",
+			},
+			wantCnt: 1,
+		},
 	}
 
 	for _, tc := range tests {
@@ -145,3 +160,47 @@ func TestGRPCSecurityOptionErrors(t *testing.T) {
 		})
 	}
 }
+
+// TestALTSConnection tests that we can connect to a gNMI server using ALTS.
+func TestALTSConnection(t *testing.T) {
+	// Set up ALTS config & logger.
+	cfg := &Config{
+		TpSec: "alts",
+	}
+	logger, err := zap.NewProduction()
+	if err != nil {
+		t.Errorf("failed to create logger: %v", err)
+	}
+	defer logger.Sync()
+
+	// Start the exporter.
+	exporter, err := NewGNMIExporter(logger, cfg)
+	if err != nil {
+		t.Errorf("NewGNMIExporter returned error: %v", err)
+	}
+	if err := exporter.Start(context.Background(), nil); err != nil {
+		t.Errorf("Start returned error: %v", err)
+	}
+	defer exporter.Stop(context.Background())
+
+	// Connect to the exporter.
+	addr := exporter.lis.Addr()
+	altsTC := alts.NewClientCreds(alts.DefaultClientOptions())
+	conn, err := grpc.NewClient(addr.String(), grpc.WithTransportCredentials(altsTC))
+	if err != nil {
+		t.Errorf("failed to connect to gNMI server: %v", err)
+	}
+	defer conn.Close()
+
+	// Subscribe to the exporter and see whether we get an error.
+	gnmiClient := gpb.NewGNMIClient(conn)
+	if _, err = gnmiClient.Subscribe(context.Background()); err != nil {
+		// ALTS is only supported on GCE-based platforms. If we are running on a
+		// non-GCE platform, we expect to get an error complaining about the
+		// untrusted platform.
+		if strings.Contains(err.Error(), alts.ErrUntrustedPlatform.Error()) {
+			return
+		}
+		t.Fatalf("%v", err)
+	}
+}
diff --git a/go.mod b/go.mod
@@ -38,7 +38,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.5.0 // indirect
-	github.com/docker/docker v26.1.4+incompatible // indirect
+	github.com/docker/docker v26.1.5+incompatible // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect

diff --git a/go.sum b/go.sum
@@ -1399,8 +1399,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
 github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU=
-github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.1.5+incompatible h1:NEAxTwEjxV6VbBMBoGG3zPqbiJosIApZjxlbrG9q3/g=
+github.com/docker/docker v26.1.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=