feat: integration tests for pluggable auth (#939)

ScruffyProdigy · lsirac · web-flow · commit 22f37aa687b7 · 2022-07-29T13:59:42.000-07:00
* feat: integration tests for pluggable auth

* feat: integration tests for pluggable auth

* feat: integration tests for pluggable auth

* feat: integration tests for pluggable auth

* fix: format

Co-authored-by: Leo &lt;39062083+lsirac@users.noreply.github.com&gt;
Co-authored-by: lsirac &lt;leosiracusa@google.com&gt;
diff --git a/.kokoro/nightly/integration.cfg b/.kokoro/nightly/integration.cfg
@@ -40,3 +40,8 @@ env_vars: {
   key: "GCS_BUCKET"
   value: "byoid-it-bucket"
 }
+
+env_vars: {
+  key: "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES"
+  value: "1"
+}
diff --git a/.kokoro/presubmit/integration.cfg b/.kokoro/presubmit/integration.cfg
@@ -35,4 +35,9 @@ env_vars: {
 env_vars: {
   key: "GCS_BUCKET"
   value: "byoid-it-bucket"
-}
+}
+
+env_vars: {
+  key: "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES"
+  value: "1"
+}
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ITWorkloadIdentityFederationTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ITWorkloadIdentityFederationTest.java
@@ -51,6 +51,7 @@
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.time.Instant;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
@@ -86,7 +87,7 @@ void setup() throws IOException {
    * using the iamcredentials generateIdToken API. This will use the service account client ID as
    * the sub field of the token. This OIDC token will be used as the external subject token to be
    * exchanged for a GCP access token via GCP STS endpoint and then to impersonate the original
-   * service account key.
+   * service account key. Retrieves the OIDC token from a file.
    */
   @Test
   void identityPoolCredentials() throws IOException {
@@ -150,6 +151,23 @@ void awsCredentials() throws Exception {
     callGcs(awsCredential);
   }
 
+  /**
+   * PluggableCredential (OIDC provider): Uses the service account to generate a Google ID token
+   * using the iamcredentials generateIdToken API. This will use the service account client ID as
+   * the sub field of the token. This OIDC token will be used as the external subject token to be
+   * exchanged for a GCP access token via GCP STS endpoint and then to impersonate the original
+   * service account key. Runs an executable to get the OIDC token.
+   */
+  @Test
+  void pluggableAuthCredentials() throws IOException {
+    PluggableAuthCredentials pluggableAuthCredentials =
+        (PluggableAuthCredentials)
+            ExternalAccountCredentials.fromJson(
+                buildPluggableCredentialConfig(), OAuth2Utils.HTTP_TRANSPORT_FACTORY);
+
+    callGcs(pluggableAuthCredentials);
+  }
+
   private GenericJson buildIdentityPoolCredentialConfig() throws IOException {
     String idToken = generateGoogleIdToken(OIDC_AUDIENCE);
 
@@ -178,6 +196,57 @@ private GenericJson buildIdentityPoolCredentialConfig() throws IOException {
     return config;
   }
 
+  private GenericJson buildPluggableCredentialConfig() throws IOException {
+    String idToken = generateGoogleIdToken(OIDC_AUDIENCE);
+
+    Instant expiration_time = Instant.now().plusSeconds(60 * 60);
+
+    GenericJson executableJson = new GenericJson();
+    executableJson.setFactory(OAuth2Utils.JSON_FACTORY);
+    executableJson.put("success", true);
+    executableJson.put("version", 1);
+    executableJson.put("expiration_time", expiration_time.toEpochMilli());
+    executableJson.put("token_type", "urn:ietf:params:oauth:token-type:jwt");
+    executableJson.put("id_token", idToken);
+
+    String fileContents =
+        "#!/bin/bash\n"
+            + "echo \""
+            + executableJson.toPrettyString().replace("\"", "\\\"")
+            + "\"\n";
+
+    File file =
+        File.createTempFile(
+            "ITWorkloadIdentityFederation", /* suffix= */ null, /* directory= */ null);
+    file.deleteOnExit();
+    if (!file.setExecutable(true, true)) {
+      throw new IOException("Unable to make script executable");
+    }
+    OAuth2Utils.writeInputStreamToFile(
+        new ByteArrayInputStream(fileContents.getBytes(StandardCharsets.UTF_8)),
+        file.getAbsolutePath());
+
+    GenericJson config = new GenericJson();
+    config.put("type", "external_account");
+    config.put("audience", OIDC_AUDIENCE);
+    config.put("subject_token_type", "urn:ietf:params:oauth:token-type:jwt");
+    config.put("token_url", "https://sts.googleapis.com/v1/token");
+    config.put(
+        "service_account_impersonation_url",
+        String.format(
+            "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateAccessToken",
+            clientEmail));
+
+    GenericJson credentialSource = new GenericJson();
+    config.put("credential_source", credentialSource);
+
+    GenericJson executableConfig = new GenericJson();
+    credentialSource.put("executable", executableConfig);
+    executableConfig.put("command", file.getAbsolutePath());
+
+    return config;
+  }
+
   private GenericJson buildAwsCredentialConfig() {
     GenericJson config = new GenericJson();
     config.put("type", "external_account");

Original file line number	Diff line number	Diff line change
`@@ -40,3 +40,8 @@ env_vars: {`
`40`	`40`	`key: "GCS_BUCKET"`
`41`	`41`	`value: "byoid-it-bucket"`
`42`	`42`	`}`
	`43`	`+`
	`44`	`+env_vars: {`
	`45`	`+ key: "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES"`
	`46`	`+ value: "1"`
	`47`	`+}`