Merged master from upstream

Author: miott

scripts/Dockerfile

@@ -0,0 +1,4 @@
+FROM python:3-alpine
+RUN apk add --no-cache --virtual .build-deps gcc musl-dev libffi-dev openssl-dev g++
+RUN pip install cisco-gnmi
+ENTRYPOINT [ "cisco-gnmi" ]

src/cisco_gnmi/__init__.py

@@ -30,4 +30,4 @@
 from .xe import XEClient
 from .builder import ClientBuilder
 
-__version__ = "1.0.8"
+__version__ = "1.0.10"

src/cisco_gnmi/builder.py

@@ -158,11 +158,25 @@ def set_secure(
         -------
         self
         """
+        self.__secure = True
         self.__root_certificates = root_certificates
         self.__private_key = private_key
         self.__certificate_chain = certificate_chain
         return self
 
+    def _set_insecure(self):
+        """Sets the flag to use an insecure channel.
+        THIS IS AGAINST SPECIFICATION and should not
+        be used unless necessary and secure transport
+        is already well understood. 
+
+        Returns
+        -------
+        self
+        """
+        self.__secure = False
+        return self
+
     def set_secure_from_file(
         self, root_certificates=None, private_key=None, certificate_chain=None
     ):
@@ -267,7 +281,7 @@ def set_channel_option(self, name, value):
                 self.__channel_options.append(new_option)
         return self
 
-    def construct(self):
+    def construct(self, return_channel=False):
         """Constructs and returns the desired Client object.
         The instance of this class will reset to default values for further building.
 
@@ -276,36 +290,36 @@ def construct(self):
         Client or NXClient or XEClient or XRClient
         """
         channel = None
-        channel_ssl_creds = None
-        channel_metadata_creds = None
-        channel_creds = None
-        channel_ssl_creds = None
-        if any((self.__root_certificates, self.__private_key, self.__certificate_chain)):
+        if self.__secure:
+            LOGGER.debug("Using secure channel.")
+            channel_metadata_creds = None
+            if self.__username and self.__password:
+                LOGGER.debug("Using username/password call authentication.")
+                channel_metadata_creds = grpc.metadata_call_credentials(
+                    CiscoAuthPlugin(self.__username, self.__password)
+                )
             channel_ssl_creds = grpc.ssl_channel_credentials(
                 self.__root_certificates, self.__private_key, self.__certificate_chain
             )
-        if self.__username and self.__password:
-            channel_metadata_creds = grpc.metadata_call_credentials(
-                CiscoAuthPlugin(self.__username, self.__password)
-            )
-            logging.debug("Using username/password call authentication.")
-        if channel_ssl_creds and channel_metadata_creds:
-            channel_creds = grpc.composite_channel_credentials(
-                channel_ssl_creds, channel_metadata_creds
-            )
-            logging.debug("Using SSL/metadata authentication composite credentials.")
-        elif channel_ssl_creds:
-            channel_creds = channel_ssl_creds
-            logging.debug("Using SSL credentials, no metadata authentication.")
-        if channel_creds:
+            channel_creds = None
+            if channel_ssl_creds and channel_metadata_creds:
+                LOGGER.debug("Using SSL/metadata authentication composite credentials.")
+                channel_creds = grpc.composite_channel_credentials(
+                    channel_ssl_creds, channel_metadata_creds
+                )
+            else:
+                LOGGER.debug(
+                    "Using SSL credentials, no channel metadata authentication."
+                )
+                channel_creds = channel_ssl_creds
             if self.__ssl_target_name_override is not False:
                 if self.__ssl_target_name_override is None:
                     if not self.__root_certificates:
                         raise Exception("Deriving override requires root certificate!")
                     self.__ssl_target_name_override = get_cn_from_cert(
                         self.__root_certificates
                     )
-                    logging.warning(
+                    LOGGER.warning(
                         "Overriding SSL option from certificate could increase MITM susceptibility!"
                     )
                 self.set_channel_option(
@@ -315,62 +329,28 @@ def construct(self):
                 self.__target_netloc.netloc, channel_creds, self.__channel_options
             )
         else:
+            LOGGER.warning(
+                "Insecure gRPC channel is against gNMI specification, personal data may be compromised."
+            )
             channel = grpc.insecure_channel(self.__target_netloc.netloc)
         if self.__client_class is None:
             self.set_os()
-        client = self.__client_class(channel)
-        self._reset()
-        return client
-
-    def save_construct(self):
-        """Constructs and returns the desired Client object.
-        The instance of this class will reset to default values for further building.
-
-        Returns
-        -------
-        Client or NXClient or XEClient or XRClient
-        """
-        channel = None
-        channel_ssl_creds = None
-        channel_metadata_creds = None
-        channel_creds = None
-        channel_ssl_creds = grpc.ssl_channel_credentials(
-            self.__root_certificates, self.__private_key, self.__certificate_chain
-        )
-        if self.__username and self.__password:
-            LOGGER.debug("Using username/password call authentication.")
-            channel_metadata_creds = grpc.metadata_call_credentials(
-                CiscoAuthPlugin(self.__username, self.__password)
-            )
-        if channel_ssl_creds and channel_metadata_creds:
-            LOGGER.debug("Using SSL/metadata authentication composite credentials.")
-            channel_creds = grpc.composite_channel_credentials(
-                channel_ssl_creds, channel_metadata_creds
-            )
+        client = None
+        if self.__secure:
+            client = self.__client_class(channel)
         else:
-            LOGGER.debug("Using SSL credentials, no metadata authentication.")
-            channel_creds = channel_ssl_creds
-        if self.__ssl_target_name_override is not False:
-            if self.__ssl_target_name_override is None:
-                if not self.__root_certificates:
-                    raise Exception("Deriving override requires root certificate!")
-                self.__ssl_target_name_override = get_cn_from_cert(
-                    self.__root_certificates
-                )
-                LOGGER.warning(
-                    "Overriding SSL option from certificate could increase MITM susceptibility!"
-                )
-            self.set_channel_option(
-                "grpc.ssl_target_name_override", self.__ssl_target_name_override
+            client = self.__client_class(
+                channel,
+                default_call_metadata=[
+                    ("username", self.__username),
+                    ("password", self.__password),
+                ],
             )
-        channel = grpc.secure_channel(
-            self.__target_netloc.netloc, channel_creds, self.__channel_options
-        )
-        if self.__client_class is None:
-            self.set_os()
-        client = self.__client_class(channel)
         self._reset()
-        return client
+        if return_channel:
+            return client, channel
+        else:
+            return client
 
     def _reset(self):
         """Resets the builder.
@@ -388,4 +368,5 @@ def _reset(self):
         self.__password = None
         self.__channel_options = None
         self.__ssl_target_name_override = False
+        self.__secure = True
         return self

src/cisco_gnmi/cli.py

@@ -293,7 +293,9 @@ def __gen_client(args):
     builder = ClientBuilder(args.netloc)
     builder.set_os(args.os)
     builder.set_call_authentication(args.username, args.password)
-    if not any([args.root_certificates, args.private_key, args.certificate_chain]):
+    if args.insecure:
+        builder._set_insecure()
+    elif not any([args.root_certificates, args.private_key, args.certificate_chain]):
         builder.set_secure_from_target()
     else:
         builder.set_secure_from_file(
@@ -339,6 +341,7 @@ def __common_args_handler(parser):
         action="store_true",
     )
     parser.add_argument("-debug", help="Print debug messages.", action="store_true")
+    parser.add_argument("-insecure", help=argparse.SUPPRESS, action="store_true")
     args = parser.parse_args(sys.argv[2:])
     logging.basicConfig(level=logging.DEBUG if args.debug else logging.INFO)
     args.username = input("Username: ")

src/cisco_gnmi/client.py

@@ -83,22 +83,22 @@ class Client(object):
     # gNMI uses nanoseconds, baseline to seconds
     _NS_IN_S = int(1e9)
 
-    def __init__(self, grpc_channel, timeout=_C_MAX_LONG):
+    def __init__(self, grpc_channel, timeout=_C_MAX_LONG, default_call_metadata=None):
         """gNMI initialization wrapper which simply wraps some aspects of the gNMI stub.
 
         Parameters
         ----------
         grpc_channel : grpc.Channel
             The gRPC channel to initialize the gNMI stub with.
             Use ClientBuilder if unfamiliar with gRPC.
-        username : str
-            Username to authenticate gNMI RPCs.
-        password : str
-            Password to authenticate gNMI RPCs.
         timeout : uint
             Timeout for gRPC functionality.
+        default_call_metadata : list
+            Metadata to be sent with each gRPC call.
         """
         self.service = proto.gnmi_pb2_grpc.gNMIStub(grpc_channel)
+        self.default_call_metadata = default_call_metadata
+        self._channel = grpc_channel
 
     def capabilities(self):
         """Capabilities allows the client to retrieve the set of capabilities that
@@ -114,7 +114,9 @@ def capabilities(self):
         """
         message = proto.gnmi_pb2.CapabilityRequest()
         LOGGER.debug(str(message))
-        response = self.service.Capabilities(message)
+        response = self.service.Capabilities(
+            message, metadata=self.default_call_metadata
+        )
         return response
 
     def get(
@@ -171,7 +173,7 @@ def get(
 
         LOGGER.debug(str(request))
 
-        get_response = self.service.Get(request)
+        get_response = self.service.Get(request, metadata=self.default_call_metadata)
         return get_response
 
     def set(
@@ -217,7 +219,8 @@ def set(
             request.extension.extend(extensions)
 
         LOGGER.debug(str(request))
-        response = self.service.Set(request)
+
+        response = self.service.Set(request, metadata=self.default_call_metadata)
         return response
 
     def subscribe(self, request_iter, extensions=None):
@@ -260,7 +263,8 @@ def validate_request(request):
             return subscribe_request
 
         response_stream = self.service.Subscribe(
-            (validate_request(request) for request in request_iter)
+            (validate_request(request) for request in request_iter),
+            metadata=self.default_call_metadata,
         )
         return response_stream