Skip to content

Commit

Permalink
feat: integration tests for pluggable auth (googleapis#939)
Browse files Browse the repository at this point in the history
* feat: integration tests for pluggable auth

* feat: integration tests for pluggable auth

* feat: integration tests for pluggable auth

* feat: integration tests for pluggable auth

* fix: format

Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com>
Co-authored-by: lsirac <leosiracusa@google.com>
  • Loading branch information
3 people authored Jul 29, 2022
1 parent ca1f7a6 commit 22f37aa
Show file tree
Hide file tree
Showing 3 changed files with 81 additions and 2 deletions.
5 changes: 5 additions & 0 deletions .kokoro/nightly/integration.cfg
Original file line number Diff line number Diff line change
Expand Up @@ -40,3 +40,8 @@ env_vars: {
key: "GCS_BUCKET"
value: "byoid-it-bucket"
}

env_vars: {
key: "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES"
value: "1"
}
7 changes: 6 additions & 1 deletion .kokoro/presubmit/integration.cfg
Original file line number Diff line number Diff line change
Expand Up @@ -35,4 +35,9 @@ env_vars: {
env_vars: {
key: "GCS_BUCKET"
value: "byoid-it-bucket"
}
}

env_vars: {
key: "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES"
value: "1"
}
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

Expand Down Expand Up @@ -86,7 +87,7 @@ void setup() throws IOException {
* using the iamcredentials generateIdToken API. This will use the service account client ID as
* the sub field of the token. This OIDC token will be used as the external subject token to be
* exchanged for a GCP access token via GCP STS endpoint and then to impersonate the original
* service account key.
* service account key. Retrieves the OIDC token from a file.
*/
@Test
void identityPoolCredentials() throws IOException {
Expand Down Expand Up @@ -150,6 +151,23 @@ void awsCredentials() throws Exception {
callGcs(awsCredential);
}

/**
* PluggableCredential (OIDC provider): Uses the service account to generate a Google ID token
* using the iamcredentials generateIdToken API. This will use the service account client ID as
* the sub field of the token. This OIDC token will be used as the external subject token to be
* exchanged for a GCP access token via GCP STS endpoint and then to impersonate the original
* service account key. Runs an executable to get the OIDC token.
*/
@Test
void pluggableAuthCredentials() throws IOException {
PluggableAuthCredentials pluggableAuthCredentials =
(PluggableAuthCredentials)
ExternalAccountCredentials.fromJson(
buildPluggableCredentialConfig(), OAuth2Utils.HTTP_TRANSPORT_FACTORY);

callGcs(pluggableAuthCredentials);
}

private GenericJson buildIdentityPoolCredentialConfig() throws IOException {
String idToken = generateGoogleIdToken(OIDC_AUDIENCE);

Expand Down Expand Up @@ -178,6 +196,57 @@ private GenericJson buildIdentityPoolCredentialConfig() throws IOException {
return config;
}

private GenericJson buildPluggableCredentialConfig() throws IOException {
String idToken = generateGoogleIdToken(OIDC_AUDIENCE);

Instant expiration_time = Instant.now().plusSeconds(60 * 60);

GenericJson executableJson = new GenericJson();
executableJson.setFactory(OAuth2Utils.JSON_FACTORY);
executableJson.put("success", true);
executableJson.put("version", 1);
executableJson.put("expiration_time", expiration_time.toEpochMilli());
executableJson.put("token_type", "urn:ietf:params:oauth:token-type:jwt");
executableJson.put("id_token", idToken);

String fileContents =
"#!/bin/bash\n"
+ "echo \""
+ executableJson.toPrettyString().replace("\"", "\\\"")
+ "\"\n";

File file =
File.createTempFile(
"ITWorkloadIdentityFederation", /* suffix= */ null, /* directory= */ null);
file.deleteOnExit();
if (!file.setExecutable(true, true)) {
throw new IOException("Unable to make script executable");
}
OAuth2Utils.writeInputStreamToFile(
new ByteArrayInputStream(fileContents.getBytes(StandardCharsets.UTF_8)),
file.getAbsolutePath());

GenericJson config = new GenericJson();
config.put("type", "external_account");
config.put("audience", OIDC_AUDIENCE);
config.put("subject_token_type", "urn:ietf:params:oauth:token-type:jwt");
config.put("token_url", "https://sts.googleapis.com/v1/token");
config.put(
"service_account_impersonation_url",
String.format(
"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateAccessToken",
clientEmail));

GenericJson credentialSource = new GenericJson();
config.put("credential_source", credentialSource);

GenericJson executableConfig = new GenericJson();
credentialSource.put("executable", executableConfig);
executableConfig.put("command", file.getAbsolutePath());

return config;
}

private GenericJson buildAwsCredentialConfig() {
GenericJson config = new GenericJson();
config.put("type", "external_account");
Expand Down

0 comments on commit 22f37aa

Please # to comment.