Merge pull request #1282 from tbetbetbe/grpc_ruby_add_jwt_auth_interop

Grpc ruby enable jwt auth and and an interop test for it
10 years ago · c547dcb547
parent 1ca373894c 2988e736df
commit c547dcb547
5 changed files with 52 additions and 11 deletions
--- a/src/ruby/bin/apis/pubsub_demo.rb
+++ b/src/ruby/bin/apis/pubsub_demo.rb
@ -71,7 +71,7 @@ end

 # Builds the metadata authentication update proc.
 def auth_proc(opts)
-  auth_creds = Google::Auth.get_application_default(opts.oauth_scope)
+  auth_creds = Google::Auth.get_application_default
  return auth_creds.updater_proc
 end

@ -213,17 +213,14 @@ class NamedActions
 end

 # Args is used to hold the command line info.
-Args = Struct.new(:host, :oauth_scope, :port, :action, :project_id, :topic_name,
+Args = Struct.new(:host, :port, :action, :project_id, :topic_name,
                  :sub_name)

 # validates the the command line options, returning them as an Arg.
 def parse_args
  args = Args.new('pubsub-staging.googleapis.com',
-                  'https://www.googleapis.com/auth/pubsub',
                   443, 'list_some_topics', 'stoked-keyword-656')
  OptionParser.new do |opts|
-    opts.on('--oauth_scope scope',
-            'Scope for OAuth tokens') { |v| args['oauth_scope'] = v }
    opts.on('--server_host SERVER_HOST', 'server hostname') do |v|
      args.host = v
    end
@ -250,7 +247,7 @@ def parse_args
 end

 def _check_args(args)
-  %w(host port action oauth_scope).each do |a|
+  %w(host port action).each do |a|
    if args[a].nil?
      raise OptionParser::MissingArgument.new("please specify --#{a}")
    end
--- a/src/ruby/bin/interop/interop_client.rb
+++ b/src/ruby/bin/interop/interop_client.rb
@ -110,6 +110,11 @@ def create_stub(opts)
      end
    end

+    if opts.test_case == 'jwt_token_creds'  # don't use a scope
+      auth_creds = Google::Auth.get_application_default
+      stub_opts[:update_metadata] = auth_creds.updater_proc
+    end
+
    logger.info("... connecting securely to #{address}")
    Grpc::Testing::TestService::Stub.new(address, **stub_opts)
  else
@ -201,6 +206,15 @@ class NamedTests
    p 'OK: service_account_creds'
  end

+  def jwt_token_creds
+    json_key = File.read(ENV[AUTH_ENV])
+    wanted_email = MultiJson.load(json_key)['client_email']
+    resp = perform_large_unary(fill_username: true)
+    assert_equal(wanted_email, resp.username,
+                 'service_account_creds: incorrect username')
+    p 'OK: jwt_token_creds'
+  end
+
  def compute_engine_creds
    resp = perform_large_unary(fill_username: true,
                               fill_oauth_scope: true)
--- a/src/ruby/lib/grpc/generic/client_stub.rb
+++ b/src/ruby/lib/grpc/generic/client_stub.rb
@ -52,6 +52,14 @@ module GRPC
      Core::Channel.new(host, kw, creds)
    end

+    def self.update_with_jwt_aud_uri(a_hash, host, method)
+      last_slash_idx, res = method.rindex('/'), a_hash.clone
+      return res if last_slash_idx.nil?
+      service_name = method[0..(last_slash_idx - 1)]
+      res[:jwt_aud_uri] = "https://#{host}#{service_name}"
+      res
+    end
+
    # check_update_metadata is used by #initialize verify that it's a Proc.
    def self.check_update_metadata(update_metadata)
      return update_metadata if update_metadata.nil?
@ -147,7 +155,8 @@ module GRPC
    def request_response(method, req, marshal, unmarshal, timeout = nil,
                         return_op: false, **kw)
      c = new_active_call(method, marshal, unmarshal, timeout)
-      md = @update_metadata.nil? ? kw : @update_metadata.call(kw.clone)
+      kw_with_jwt_uri = self.class.update_with_jwt_aud_uri(kw, @host, method)
+      md = @update_metadata.nil? ? kw : @update_metadata.call(kw_with_jwt_uri)
      return c.request_response(req, **md) unless return_op

      # return the operation view of the active_call; define #execute as a
@ -204,7 +213,8 @@ module GRPC
    def client_streamer(method, requests, marshal, unmarshal, timeout = nil,
                        return_op: false, **kw)
      c = new_active_call(method, marshal, unmarshal, timeout)
-      md = @update_metadata.nil? ? kw : @update_metadata.call(kw.clone)
+      kw_with_jwt_uri = self.class.update_with_jwt_aud_uri(kw, @host, method)
+      md = @update_metadata.nil? ? kw : @update_metadata.call(kw_with_jwt_uri)
      return c.client_streamer(requests, **md) unless return_op

      # return the operation view of the active_call; define #execute as a
@ -270,7 +280,8 @@ module GRPC
    def server_streamer(method, req, marshal, unmarshal, timeout = nil,
                        return_op: false, **kw, &blk)
      c = new_active_call(method, marshal, unmarshal, timeout)
-      md = @update_metadata.nil? ? kw : @update_metadata.call(kw.clone)
+      kw_with_jwt_uri = self.class.update_with_jwt_aud_uri(kw, @host, method)
+      md = @update_metadata.nil? ? kw : @update_metadata.call(kw_with_jwt_uri)
      return c.server_streamer(req, **md, &blk) unless return_op

      # return the operation view of the active_call; define #execute
@ -375,7 +386,8 @@ module GRPC
    def bidi_streamer(method, requests, marshal, unmarshal, timeout = nil,
                      return_op: false, **kw, &blk)
      c = new_active_call(method, marshal, unmarshal, timeout)
-      md = @update_metadata.nil? ? kw : @update_metadata.call(kw.clone)
+      kw_with_jwt_uri = self.class.update_with_jwt_aud_uri(kw, @host, method)
+      md = @update_metadata.nil? ? kw : @update_metadata.call(kw_with_jwt_uri)
      return c.bidi_streamer(requests, **md, &blk) unless return_op

      # return the operation view of the active_call; define #execute
--- a/src/ruby/spec/generic/rpc_server_spec.rb
+++ b/src/ruby/spec/generic/rpc_server_spec.rb
@ -400,7 +400,8 @@ describe GRPC::RpcServer do
        end
        stub = EchoStub.new(@host, **@client_opts)
        expect(stub.an_rpc(req, k1: 'v1', k2: 'v2')).to be_a(EchoMsg)
-        wanted_md = [{ 'k1' => 'updated-v1', 'k2' => 'v2' }]
+        wanted_md = [{ 'k1' => 'updated-v1', 'k2' => 'v2',
+                       'jwt_aud_uri' => "https://#{@host}/EchoService" }]
        expect(service.received_md).to eq(wanted_md)
        @srv.stop
        t.join
--- a/tools/gce_setup/grpc_docker.sh
+++ b/tools/gce_setup/grpc_docker.sh
@ -1163,6 +1163,23 @@ grpc_cloud_prod_auth_compute_engine_creds_gen_ruby_cmd() {
  echo $the_cmd
 }

+# constructs the full dockerized ruby jwt_tokens auth interop test cmd.
+#
+# call-seq:
+#   flags= .... # generic flags to include the command
+#   cmd=$($grpc_gen_test_cmd $flags)
+grpc_cloud_prod_auth_jwt_token_creds_gen_ruby_cmd() {
+  local cmd_prefix="sudo docker run grpc/ruby bin/bash -l -c";
+  local test_script="/var/local/git/grpc/src/ruby/bin/interop/interop_client.rb"
+  local test_script+=" --use_tls"
+  local gfe_flags=$(_grpc_prod_gfe_flags)
+  local added_gfe_flags=$(_grpc_jwt_token_test_flags)
+  local env_prefix="SSL_CERT_FILE=/cacerts/roots.pem"
+  env_prefix+=" GOOGLE_APPLICATION_CREDENTIALS=/service_account/stubbyCloudTestingTest-7dd63462c60c.json"
+  local the_cmd="$cmd_prefix '$env_prefix ruby $test_script $gfe_flags $added_gfe_flags $@'"
+  echo $the_cmd
+}
+
 # constructs the full dockerized Go interop test cmd.
 #
 # call-seq: