Allow ALTS to run on untrusted platforms/handshakers #4596

Closed
nickjenkin opened this issue Jul 14, 2021 · 12 comments
Labels: P2, Type: Feature (New features or improvements in behavior)

@nickjenkin

Use case(s) - what problem will this feature solve?

Allow reuse of built-in ALTS TransportCredentials. Currently, alts.newALTS checks if the environment is running on GCP. This prevents custom handshakers from running in non-GCP environments.

Proposed Solution

Allow for running outside GCP with a custom handshaker. Using the alts.ClientOptions/ServerOptions, an additional option to override the GCP check (AllowUntrustedPlatform?)

Alternatives Considered

Additional Context

Custom ALTS handshakers can be created via implementation of the handshaker grpc/protobuf proto.

@nickjenkin nickjenkin added the Type: Feature New features or improvements in behavior label Jul 14, 2021
@menghanl
Contributor

ping @cesarghali
What do you think of this?

@cesarghali
Contributor

In principle, this is ok. We need to make sure that this check will be used to bypass the GCP check.

We should also have feature parity with other languages. @yihuazhang and @menghanl you know more about this than me. What do you think?

@yihuazhang
Contributor

In C-core, we have an API that allows bypassing the GCP check. We need to expose it in C++ though. It is not clear to me though how a user can use a custom ALTS handshaker with the built-in credential API as we do not provide any hook to use an external handshaker.

@menghanl menghanl added the P2 label Aug 11, 2021
@dfawley dfawley assigned ZhenLian and unassigned cesarghali Nov 28, 2022
@dfawley
Member

dfawley commented Nov 28, 2022

@ZhenLian what do you think about this feature request now? Who would be a good assignee for this if we keep it open?

@ZhenLian
Contributor

Maybe @erm-g can make the call here. Would you mind taking a look at this please? Thank you!

@easwars
Contributor

easwars commented Sep 21, 2023

The team does not have the cycles to work on this at the moment. We are happy to accept a PR for this, or will work on this when this becomes a priority.

@CemGurhan

Hey everyone, I wouldn't mind trying to give this a go. So we'd like to give users the ability to work with custom ALTS handshakers on an untrusted platform (one outside of GCP), right?

@dfawley
Member

dfawley commented Dec 12, 2023

@matthewstevenson88 / @erm-g / @gtcooke94 / @rockspore - any advice on this one? Per #4596 (comment) there was a way to do it in c-core but not C++. I'm not sure about Java. I agree with that comment's sentiments that we should have similar functionality (or plans for similar functionality) in all languages. So does this make sense to implement for users?

@CemGurhan thanks for volunteering. Do you need this feature for yourself, or are you just interested in helping out with the gRPC-Go project generally? If the latter, there are probably other things we need that are ready to work on now, vs. this which I don't believe we've ever gotten agreement from our security folks that it's desirable. If the former, explaining your use case might be helpful.

Thanks!

@CemGurhan

@dfawley I'd just like to help out with the gRPC-Go project, yes.

I'll have a look at some of the other issues that are open and that require some more immediate help, thanks!

@dfawley
Member

dfawley commented Dec 12, 2023

@CemGurhan #6748 or #6583 might be good options?

@matthewstevenson88 et al, please advise on this issue, still. Thanks.

@matthewstevenson88
Contributor

To the best of my knowledge, we've not had any serious asks for using ALTS off-GCP, so I recommend that we close this issue. I'll wait a couple of days for someone to respond and correct me, and otherwise close.

@nickjenkin
Author

Agree - this can be implemented with a small patch for anyone who needs
