authorGravatar Michael Lumish <mlumish@google.com>2015-04-14 17:50:08 -0700
committerGravatar Michael Lumish <mlumish@google.com>2015-04-14 17:50:08 -0700
commitc547dcb547b4f6db558244edbe5b1c9d7001b717 (patch)
tree85552115bef49a4b19f5ffcb2c8ed60e0c50397a
parent1ca373894cadddca794190b34be7a24b9ee0f5c8 (diff)
parent2988e736dfd9f21aad1a79f134394ad0a78f03a3 (diff)
Merge pull request #1282 from tbetbetbe/grpc_ruby_add_jwt_auth_interop
Grpc ruby: enable jwt auth and add an interop test for it
-rwxr-xr-xsrc/ruby/bin/apis/pubsub_demo.rb9
-rwxr-xr-xsrc/ruby/bin/interop/interop_client.rb14
-rw-r--r--src/ruby/lib/grpc/generic/client_stub.rb20
-rw-r--r--src/ruby/spec/generic/rpc_server_spec.rb3
-rwxr-xr-xtools/gce_setup/grpc_docker.sh17
5 files changed, 52 insertions, 11 deletions
diff --git a/src/ruby/bin/apis/pubsub_demo.rb b/src/ruby/bin/apis/pubsub_demo.rb
index 9bb324ff64..6d69b0f21e 100755
--- a/src/ruby/bin/apis/pubsub_demo.rb
+++ b/src/ruby/bin/apis/pubsub_demo.rb
@@ -71,7 +71,7 @@ end
# Builds the metadata authentication update proc.
def auth_proc(opts)
- auth_creds = Google::Auth.get_application_default(opts.oauth_scope)
+ auth_creds = Google::Auth.get_application_default
return auth_creds.updater_proc
end
@@ -213,17 +213,14 @@ class NamedActions
end
# Args is used to hold the command line info.
-Args = Struct.new(:host, :oauth_scope, :port, :action, :project_id, :topic_name,
+Args = Struct.new(:host, :port, :action, :project_id, :topic_name,
:sub_name)
# validates the the command line options, returning them as an Arg.
def parse_args
args = Args.new('pubsub-staging.googleapis.com',
- 'https://www.googleapis.com/auth/pubsub',
443, 'list_some_topics', 'stoked-keyword-656')
OptionParser.new do |opts|
- opts.on('--oauth_scope scope',
- 'Scope for OAuth tokens') { |v| args['oauth_scope'] = v }
opts.on('--server_host SERVER_HOST', 'server hostname') do |v|
args.host = v
end
@@ -250,7 +247,7 @@ def parse_args
end
def _check_args(args)
- %w(host port action oauth_scope).each do |a|
+ %w(host port action).each do |a|
if args[a].nil?
raise OptionParser::MissingArgument.new("please specify --#{a}")
end
diff --git a/src/ruby/bin/interop/interop_client.rb b/src/ruby/bin/interop/interop_client.rb
index b2a8711c79..af7a1d5b15 100755
--- a/src/ruby/bin/interop/interop_client.rb
+++ b/src/ruby/bin/interop/interop_client.rb
@@ -110,6 +110,11 @@ def create_stub(opts)
end
end
+ if opts.test_case == 'jwt_token_creds' # don't use a scope
+ auth_creds = Google::Auth.get_application_default
+ stub_opts[:update_metadata] = auth_creds.updater_proc
+ end
+
logger.info("... connecting securely to #{address}")
Grpc::Testing::TestService::Stub.new(address, **stub_opts)
else
@@ -201,6 +206,15 @@ class NamedTests
p 'OK: service_account_creds'
end
+ def jwt_token_creds
+ json_key = File.read(ENV[AUTH_ENV])
+ wanted_email = MultiJson.load(json_key)['client_email']
+ resp = perform_large_unary(fill_username: true)
+ assert_equal(wanted_email, resp.username,
+ 'service_account_creds: incorrect username')
+ p 'OK: jwt_token_creds'
+ end
+
def compute_engine_creds
resp = perform_large_unary(fill_username: true,
fill_oauth_scope: true)
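Review bot: The failure message in the new `jwt_token_creds` test still reads `'service_account_creds: incorrect username'`, so a failing JWT run would be reported under the wrong test name; it should be `'jwt_token_creds: incorrect username'`. `File.read(ENV[AUTH_ENV])` also raises a bare TypeError when the variable is unset, which hides the real cause; `File.read(ENV.fetch(AUTH_ENV))` would name the missing variable instead. The file being read holds a service-account private key, so only `client_email` should ever be taken from `json_key`, as the test does now. `compute_engine_creds` continues outside the hunk.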
diff --git a/src/ruby/lib/grpc/generic/client_stub.rb b/src/ruby/lib/grpc/generic/client_stub.rb
index 6547a1499e..dc7672d359 100644
--- a/src/ruby/lib/grpc/generic/client_stub.rb
+++ b/src/ruby/lib/grpc/generic/client_stub.rb
@@ -52,6 +52,14 @@ module GRPC
Core::Channel.new(host, kw, creds)
end
+ def self.update_with_jwt_aud_uri(a_hash, host, method)
+ last_slash_idx, res = method.rindex('/'), a_hash.clone
+ return res if last_slash_idx.nil?
+ service_name = method[0..(last_slash_idx - 1)]
+ res[:jwt_aud_uri] = "https://#{host}#{service_name}"
+ res
+ end
+
# check_update_metadata is used by #initialize verify that it's a Proc.
def self.check_update_metadata(update_metadata)
return update_metadata if update_metadata.nil?
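Review bot: `method[0..(last_slash_idx - 1)]` in `update_with_jwt_aud_uri` returns the whole string when the only slash is at index 0, because the range becomes `0..-1`; a method such as `/Ping` (constructed example) would produce the audience `https://<host>/Ping` rather than `https://<host>`. An exclusive range avoids that: `service_name = method[0...last_slash_idx]`. The helper has no comment either; I would add `# Returns a copy of a_hash with :jwt_aud_uri set to "https://<host><service path>", the audience hint handed to the update_metadata proc.` Whether `host` can carry a `:port` suffix is not visible in this hunk, and a port inside the audience string is worth checking against what the token verifier expects.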
@@ -147,7 +155,8 @@ module GRPC
def request_response(method, req, marshal, unmarshal, timeout = nil,
return_op: false, **kw)
c = new_active_call(method, marshal, unmarshal, timeout)
- md = @update_metadata.nil? ? kw : @update_metadata.call(kw.clone)
+ kw_with_jwt_uri = self.class.update_with_jwt_aud_uri(kw, @host, method)
+ md = @update_metadata.nil? ? kw : @update_metadata.call(kw_with_jwt_uri)
return c.request_response(req, **md) unless return_op
# return the operation view of the active_call; define #execute as a
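Review bot: The `jwt_aud_uri` entry added to `kw_with_jwt_uri` goes to the server as call metadata unless the `update_metadata` proc removes it, because `md` is splatted straight into `c.request_response(req, **md)`; the spec change in rpc_server_spec.rb confirms the server receives `'jwt_aud_uri'`. That puts an internal hint on the wire for every stub with a custom proc, and a caller-supplied `jwt_aud_uri` keyword is overwritten by the helper. Consider dropping the key after the proc has run, e.g. `md = md.reject { |k, _| k.to_s == 'jwt_aud_uri' }`, and building the hash only when `@update_metadata` is set. The same two lines recur in the `client_streamer`, `server_streamer` and `bidi_streamer` hunks, and each method body continues outside its hunk.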
@@ -204,7 +213,8 @@ module GRPC
def client_streamer(method, requests, marshal, unmarshal, timeout = nil,
return_op: false, **kw)
c = new_active_call(method, marshal, unmarshal, timeout)
- md = @update_metadata.nil? ? kw : @update_metadata.call(kw.clone)
+ kw_with_jwt_uri = self.class.update_with_jwt_aud_uri(kw, @host, method)
+ md = @update_metadata.nil? ? kw : @update_metadata.call(kw_with_jwt_uri)
return c.client_streamer(requests, **md) unless return_op
# return the operation view of the active_call; define #execute as a
@@ -270,7 +280,8 @@ module GRPC
def server_streamer(method, req, marshal, unmarshal, timeout = nil,
return_op: false, **kw, &blk)
c = new_active_call(method, marshal, unmarshal, timeout)
- md = @update_metadata.nil? ? kw : @update_metadata.call(kw.clone)
+ kw_with_jwt_uri = self.class.update_with_jwt_aud_uri(kw, @host, method)
+ md = @update_metadata.nil? ? kw : @update_metadata.call(kw_with_jwt_uri)
return c.server_streamer(req, **md, &blk) unless return_op
# return the operation view of the active_call; define #execute
@@ -375,7 +386,8 @@ module GRPC
def bidi_streamer(method, requests, marshal, unmarshal, timeout = nil,
return_op: false, **kw, &blk)
c = new_active_call(method, marshal, unmarshal, timeout)
- md = @update_metadata.nil? ? kw : @update_metadata.call(kw.clone)
+ kw_with_jwt_uri = self.class.update_with_jwt_aud_uri(kw, @host, method)
+ md = @update_metadata.nil? ? kw : @update_metadata.call(kw_with_jwt_uri)
return c.bidi_streamer(requests, **md, &blk) unless return_op
# return the operation view of the active_call; define #execute
diff --git a/src/ruby/spec/generic/rpc_server_spec.rb b/src/ruby/spec/generic/rpc_server_spec.rb
index f409d73e2f..245999ea03 100644
--- a/src/ruby/spec/generic/rpc_server_spec.rb
+++ b/src/ruby/spec/generic/rpc_server_spec.rb
@@ -400,7 +400,8 @@ describe GRPC::RpcServer do
end
stub = EchoStub.new(@host, **@client_opts)
expect(stub.an_rpc(req, k1: 'v1', k2: 'v2')).to be_a(EchoMsg)
- wanted_md = [{ 'k1' => 'updated-v1', 'k2' => 'v2' }]
+ wanted_md = [{ 'k1' => 'updated-v1', 'k2' => 'v2',
+ 'jwt_aud_uri' => "https://#{@host}/EchoService" }]
expect(service.received_md).to eq(wanted_md)
@srv.stop
t.join
diff --git a/tools/gce_setup/grpc_docker.sh b/tools/gce_setup/grpc_docker.sh
index d142432ef4..c8481c4211 100755
--- a/tools/gce_setup/grpc_docker.sh
+++ b/tools/gce_setup/grpc_docker.sh
@@ -1163,6 +1163,23 @@ grpc_cloud_prod_auth_compute_engine_creds_gen_ruby_cmd() {
echo $the_cmd
}
+# constructs the full dockerized ruby jwt_tokens auth interop test cmd.
+#
+# call-seq:
+# flags= .... # generic flags to include the command
+# cmd=$($grpc_gen_test_cmd $flags)
+grpc_cloud_prod_auth_jwt_token_creds_gen_ruby_cmd() {
+ local cmd_prefix="sudo docker run grpc/ruby bin/bash -l -c";
+ local test_script="/var/local/git/grpc/src/ruby/bin/interop/interop_client.rb"
+ local test_script+=" --use_tls"
+ local gfe_flags=$(_grpc_prod_gfe_flags)
+ local added_gfe_flags=$(_grpc_jwt_token_test_flags)
+ local env_prefix="SSL_CERT_FILE=/cacerts/roots.pem"
+ env_prefix+=" GOOGLE_APPLICATION_CREDENTIALS=/service_account/stubbyCloudTestingTest-7dd63462c60c.json"
+ local the_cmd="$cmd_prefix '$env_prefix ruby $test_script $gfe_flags $added_gfe_flags $@'"
+ echo $the_cmd
+}
+
# constructs the full dockerized Go interop test cmd.
#
# call-seq:
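Review bot: `$@` is expanded inside the single-quoted string that `the_cmd` hands to `bash -l -c`, so a flag value containing a quote or a space changes how the inner shell parses the command; the flags should be escaped before they are embedded, for example with `printf '%q '`. The credentials path is hard-coded to one service-account key file name, which ties the script to a specific key; reading it from a variable such as `local key_file="${GRPC_JWT_KEY_FILE:?}"` (the variable name is a placeholder) keeps key identifiers out of the repository. `local gfe_flags=$(...)` also masks the helper's exit status, and `local test_script+=` re-declares the variable where plain `env_prefix+=` is used a few lines later.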