Validate AddCallCredentials are used by client (#1756)

Author: JamesNK

src/Grpc.Net.Client/GrpcChannel.cs

@@ -205,8 +205,8 @@ private void ResolveCredentials(GrpcChannelOptions channelOptions, out bool isSe
                 {
                     throw new InvalidOperationException($"Unable to determine the TLS configuration of the channel from address '{Address}'. " +
                         $"{nameof(GrpcChannelOptions)}.{nameof(GrpcChannelOptions.Credentials)} must be specified when the address doesn't have a 'http' or 'https' scheme. " +
-                        "To call TLS endpoints, set credentials to 'new SslCredentials()'. " +
-                        "To call non-TLS endpoints, set credentials to 'ChannelCredentials.Insecure'.");
+                        $"To call TLS endpoints, set credentials to '{nameof(ChannelCredentials)}.{nameof(ChannelCredentials.SecureSsl)}'. " +
+                        $"To call non-TLS endpoints, set credentials to '{nameof(ChannelCredentials)}.{nameof(ChannelCredentials.Insecure)}'.");
                 }
                 callCredentials = null;
             }

src/Grpc.Net.Client/Internal/DefaultChannelCredentialsConfigurator.cs

@@ -20,7 +20,7 @@
 
 namespace Grpc.Net.Client.Internal
 {
-    internal class DefaultChannelCredentialsConfigurator : ChannelCredentialsConfiguratorBase
+    internal sealed class DefaultChannelCredentialsConfigurator : ChannelCredentialsConfiguratorBase
     {
         public bool? IsSecure { get; private set; }
         public List<CallCredentials>? CallCredentials { get; private set; }

src/Grpc.Net.ClientFactory/GrpcClientFactoryOptions.cs

@@ -58,6 +58,8 @@ public class GrpcClientFactoryOptions
         /// </summary>
         public Func<CallInvoker, object>? Creator { get; set; }
 
+        internal bool HasCallCredentials { get; set; }
+
         internal static CallInvoker BuildInterceptors(
             CallInvoker callInvoker,
             IServiceProvider serviceProvider,

src/Grpc.Net.ClientFactory/GrpcClientServiceExtensions.cs

@@ -341,7 +341,6 @@ private static IHttpClientBuilder AddGrpcHttpClient<TClient>(this IServiceCollec
                 });
             });
 
-
             var builder = new DefaultHttpClientBuilder(services, name);
 
             builder.Services.AddTransient<TClient>(s =>

src/Grpc.Net.ClientFactory/GrpcHttpClientBuilderExtensions.cs

@@ -151,6 +151,7 @@ public static IHttpClientBuilder AddCallCredentials(this IHttpClientBuilder buil
 
             builder.Services.Configure<GrpcClientFactoryOptions>(builder.Name, options =>
             {
+                options.HasCallCredentials = true;
                 options.CallOptionsActions.Add((callOptionsContext) =>
                 {
                     var credentials = CallCredentials.FromInterceptor((context, metadata) => authInterceptor(context, metadata));
@@ -184,6 +185,7 @@ public static IHttpClientBuilder AddCallCredentials(this IHttpClientBuilder buil
 
             builder.Services.Configure<GrpcClientFactoryOptions>(builder.Name, options =>
             {
+                options.HasCallCredentials = true;
                 options.CallOptionsActions.Add((callOptionsContext) =>
                 {
                     var credentials = CallCredentials.FromInterceptor((context, metadata) => authInterceptor(context, metadata, callOptionsContext.ServiceProvider));
@@ -217,6 +219,7 @@ public static IHttpClientBuilder AddCallCredentials(this IHttpClientBuilder buil
 
             builder.Services.Configure<GrpcClientFactoryOptions>(builder.Name, options =>
             {
+                options.HasCallCredentials = true;
                 options.CallOptionsActions.Add((callOptionsContext) =>
                 {
                     callOptionsContext.CallOptions = ResolveCallOptionsCredentials(callOptionsContext.CallOptions, credentials);

src/Grpc.Net.ClientFactory/Internal/GrpcCallInvokerFactory.cs

@@ -106,6 +106,15 @@ private CallInvoker CreateInvoker(EntryKey key)
                     throw new InvalidOperationException($@"Could not resolve the address for gRPC client '{name}'. Set an address when registering the client: services.AddGrpcClient<{type.Name}>(o => o.Address = new Uri(""https://localhost:5001""))");
                 }
 
+                if (clientFactoryOptions.HasCallCredentials && !AreCallCredentialsSupported(channelOptions, address))
+                {
+                    // Throw error to tell dev that call credentials will never be used.
+                    throw new InvalidOperationException(
+                        $"Call credential configured for gRPC client '{name}' requires TLS, and the client isn't configured to use TLS. " +
+                        $"Either configure a TLS address, or use the call credential without TLS by setting {nameof(GrpcChannelOptions)}.{nameof(GrpcChannelOptions.UnsafeUseInsecureChannelCallCredentials)} to true: " +
+                        @"client.AddCallCredentials((context, metadata) => {}).ConfigureChannel(o => o.UnsafeUseInsecureChannelCallCredentials = true)");
+                }
+
                 var channel = GrpcChannel.ForAddress(address, channelOptions);
 
                 var httpClientCallInvoker = channel.CreateCallInvoker();
@@ -125,5 +134,63 @@ private CallInvoker CreateInvoker(EntryKey key)
                 throw;
             }
         }
+
+        private static bool AreCallCredentialsSupported(GrpcChannelOptions channelOptions, Uri address)
+        {
+            bool isSecure;
+
+            if (address.Scheme == Uri.UriSchemeHttps)
+            {
+                isSecure = true;
+            }
+            else if (address.Scheme == Uri.UriSchemeHttp)
+            {
+                isSecure = false;
+            }
+            else
+            {
+                // Load balancing means the address won't have a standard scheme, e.g. dns:///
+                // Use call credentials to figure out whether the channel is secure.
+                isSecure = HasSecureCredentials(channelOptions.Credentials);
+            }
+
+            return isSecure || channelOptions.UnsafeUseInsecureChannelCallCredentials;
+
+            static bool HasSecureCredentials(ChannelCredentials? channelCredentials)
+            {
+                if (channelCredentials == null)
+                {
+                    return false;
+                }
+                if (channelCredentials is SslCredentials)
+                {
+                    return true;
+                }
+
+                var configurator = new ClientFactoryCredentialsConfigurator();
+                channelCredentials.InternalPopulateConfiguration(configurator, channelCredentials);
+
+                return configurator.IsSecure ?? false;
+            }
+        }
+
+        private sealed class ClientFactoryCredentialsConfigurator : ChannelCredentialsConfiguratorBase
+        {
+            public bool? IsSecure { get; private set; }
+
+            public override void SetInsecureCredentials(object state)
+            {
+                IsSecure = false;
+            }
+
+            public override void SetSslCredentials(object state, string? rootCertificates, KeyCertificatePair? keyCertificatePair, VerifyPeerCallback? verifyPeerCallback)
+            {
+                IsSecure = true;
+            }
+
+            public override void SetCompositeCredentials(object state, ChannelCredentials channelCredentials, CallCredentials callCredentials)
+            {
+            }
+        }
     }
 }

test/Grpc.Net.Client.Tests/GrpcChannelTests.cs

@@ -475,7 +475,7 @@ public void Resolver_NoChannelCredentials_Error()
             // Assert
             Assert.AreEqual("Unable to determine the TLS configuration of the channel from address 'test:///localhost'. " +
                 "GrpcChannelOptions.Credentials must be specified when the address doesn't have a 'http' or 'https' scheme. " +
-                "To call TLS endpoints, set credentials to 'new SslCredentials()'. " +
+                "To call TLS endpoints, set credentials to 'ChannelCredentials.SecureSsl'. " +
                 "To call non-TLS endpoints, set credentials to 'ChannelCredentials.Insecure'.", ex.Message);
         }
 

test/Grpc.Net.ClientFactory.Tests/GrpcHttpClientBuilderExtensionsTests.cs

@@ -19,6 +19,9 @@
 using System.Net;
 using Greet;
 using Grpc.Core;
+#if NET5_0_OR_GREATER
+using Grpc.Net.Client.Balancer;
+#endif
 using Grpc.Net.ClientFactory;
 using Grpc.Tests.Shared;
 using Microsoft.Extensions.DependencyInjection;
@@ -593,6 +596,118 @@ public async Task AddCallCredentials_CallCredentials_HeaderAdded()
             Assert.AreEqual("auth!", sentRequest!.Headers.GetValues("factory-authorize").Single());
         }
 
+        [Test]
+        public void AddCallCredentials_InsecureChannel_Error()
+        {
+            // Arrange
+            var services = new ServiceCollection();
+            services
+                .AddGrpcClient<Greeter.GreeterClient>(o =>
+                {
+                    o.Address = new Uri("http://localhost");
+                })
+                .AddCallCredentials(CallCredentials.FromInterceptor((context, metadata) =>
+                {
+                    metadata.Add("factory-authorize", "auth!");
+                    return Task.CompletedTask;
+                }))
+                .ConfigurePrimaryHttpMessageHandler(() => new TestHttpMessageHandler());
+
+            var serviceProvider = services.BuildServiceProvider(validateScopes: true);
+
+            // Act
+            var clientFactory = serviceProvider.GetRequiredService<GrpcClientFactory>();
+
+            var ex = Assert.Throws<InvalidOperationException>(() => clientFactory.CreateClient<Greeter.GreeterClient>(nameof(Greeter.GreeterClient)))!;
+
+            // Assert
+            Assert.AreEqual("Call credential configured for gRPC client 'GreeterClient' requires TLS, and the client isn't configured to use TLS. " +
+                "Either configure a TLS address, or use the call credential without TLS by setting GrpcChannelOptions.UnsafeUseInsecureChannelCallCredentials to true: " +
+                "client.AddCallCredentials((context, metadata) => {}).ConfigureChannel(o => o.UnsafeUseInsecureChannelCallCredentials = true)", ex.Message);
+        }
+
+#if NET5_0_OR_GREATER
+        [Test]
+        public void AddCallCredentials_StaticLoadBalancingSecureChannel_Success()
+        {
+            // Arrange
+            HttpRequestMessage? sentRequest = null;
+
+            var services = new ServiceCollection();
+            services.AddSingleton<ResolverFactory>(new StaticResolverFactory(_ => new[]
+            {
+                new BalancerAddress("localhost", 80)
+            }));
+
+            // Can't use ConfigurePrimaryHttpMessageHandler with load balancing because underlying
+            services
+                .AddGrpcClient<Greeter.GreeterClient>(o =>
+                {
+                    o.Address = new Uri("static:///localhost");
+                })
+                .ConfigureChannel(o =>
+                {
+                    o.Credentials = ChannelCredentials.SecureSsl;
+                })
+                .AddCallCredentials(CallCredentials.FromInterceptor((context, metadata) =>
+                {
+                    metadata.Add("factory-authorize", "auth!");
+                    return Task.CompletedTask;
+                }))
+                .AddHttpMessageHandler(() => new TestHttpMessageHandler(request =>
+                {
+                    sentRequest = request;
+                }));
+
+            var serviceProvider = services.BuildServiceProvider(validateScopes: true);
+
+            // Act & Assert
+            var clientFactory = serviceProvider.GetRequiredService<GrpcClientFactory>();
+            _ = clientFactory.CreateClient<Greeter.GreeterClient>(nameof(Greeter.GreeterClient));
+
+            // No call because there isn't an endpoint at localhost:80
+        }
+#endif
+
+        [Test]
+        public async Task AddCallCredentials_InsecureChannel_UnsafeUseInsecureChannelCallCredentials_Success()
+        {
+            // Arrange
+            HttpRequestMessage? sentRequest = null;
+
+            var services = new ServiceCollection();
+            services
+                .AddGrpcClient<Greeter.GreeterClient>(o =>
+                {
+                    o.Address = new Uri("http://localhost");
+                })
+                .AddCallCredentials(CallCredentials.FromInterceptor((context, metadata) =>
+                {
+                    metadata.Add("factory-authorize", "auth!");
+                    return Task.CompletedTask;
+                }))
+                .ConfigureChannel(o => o.UnsafeUseInsecureChannelCallCredentials = true)
+                .ConfigurePrimaryHttpMessageHandler(() => new TestHttpMessageHandler(request =>
+                {
+                    sentRequest = request;
+                }));
+
+            var serviceProvider = services.BuildServiceProvider(validateScopes: true);
+
+            // Act
+            var clientFactory = serviceProvider.GetRequiredService<GrpcClientFactory>();
+            var client = clientFactory.CreateClient<Greeter.GreeterClient>(nameof(Greeter.GreeterClient));
+
+            var response = await client.SayHelloAsync(
+                new HelloRequest(),
+                new CallOptions()).ResponseAsync.DefaultTimeout();
+
+            // Assert
+            Assert.NotNull(response);
+
+            Assert.AreEqual("auth!", sentRequest!.Headers.GetValues("factory-authorize").Single());
+        }
+
         [Test]
         public async Task AddCallCredentials_PassedInCallCredentials_Combine()
         {
@@ -664,7 +779,7 @@ public DerivedGreeterClient(CallInvoker callInvoker) : base(callInvoker)
             }
         }
 
-        private class TestHttpMessageHandler : HttpMessageHandler
+        private class TestHttpMessageHandler : DelegatingHandler
         {
             public bool Invoked { get; private set; }