feat: ComputeCredentials implements IBlobSigner #2308
Merged
+326
−158
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
amanda-tarafa
added
the
do not merge
|
I've set the |
jskeet
approved these changes
Jan 16, 2023
| { | ||
| Content = new StringContent(dummyServiceAccountEmail) | ||
| }); | ||
| } |
There was a problem hiding this comment.
Yep, this was fixed on a later commit on the same PR.
| /// instance if that happens so fetching the service account default email is re-attempted. | ||
| /// </para> | ||
| /// </remarks> | ||
| public Task<string> DefaultServiceAccountEmailTask => _defaultServiceAccountEmailCache.Value; |
There was a problem hiding this comment.
It feels slightly odd to have a property that kicks of an HTTP request.
Could we make this a method? It can still be lazy, but GetDefaultServiceAccountEmailAsync() feels a little cleaner to me.
| /// The effective Compute Engine default service account email URL. | ||
| /// This takes account of the GCE_METADATA_HOST environment variable. | ||
| /// </summary> | ||
| internal static string EffectiveComputeDefaultServiceAccountEmailUrl => GetEffectiveMetadataUrl(ComputeDefaultServiceAccountEmailSuffix, DefaultMetadataServerUrl + ComputeDefaultServiceAccountEmailSuffix); |
|
|
||
| /// <summary> | ||
| /// Creates and HTTP form from <paramref name="request"/> and posts it to <paramref name="url"/>. | ||
| /// If <paramref name="authenticationHeaderValue"/> is not null, it's value it's included as the |
There was a problem hiding this comment.
"it's value it's => "its value is"
| { | ||
| Content = ParameterUtils.CreateFormUrlEncodedContent(request) | ||
| }; | ||
| httpRequest.Headers.Authorization = authenticationHeaderValue; |
There was a problem hiding this comment.
Is this still okay if authenticationHeaderValue is null?
There was a problem hiding this comment.
Oh nice catch. It is OK now because there's no default value for the Auth header, but best to only change it if there's something to change it to.
| var initializer = new ComputeCredential.Initializer("http://will.be.ignored", "http://will.be.ignored") | ||
| { | ||
| HttpClientFactory = new MockHttpClientFactory(messageHandler), | ||
| Clock= clock |
| @@ -693,14 +693,5 @@ public async Task SignBlobAsync() | |||
| var signature = await credential.SignBlobAsync(Encoding.ASCII.GetBytes("toSign")); | |||
| Assert.Equal("VvQqmCec5sESTXmt3ojPodmqZhV30MffzuyCvz6DatyW4uO9IMLWbUmynPYNNnn6w0EIVV0CyrARd56VLxgL+DVdsX726W3dfY13nNJo7i8PyV8R2i8yRLimqqraa1fDb29V2n+FsS0OzBPibDscViQHVlu0PBRApsVsjGG+eB4=", signature); | |||
| } | |||
|
|
|||
| [Fact] | |||
| public async Task SignBlobAsync_UnsupportedCredential() | |||
There was a problem hiding this comment.
Keep the test, just change the credential type?
| /// For instance, to perform IAM API calls for signing blobs of data. | ||
| /// </summary> | ||
| /// <remarks>Lazy to build one HtppClient only if it is needed.</remarks> | ||
| private readonly Lazy<ConfigurableHttpClient> _authenticatedHtppClient; |
| @@ -234,6 +244,13 @@ private async Task<string> GetDefaultServiceAccountEmail() | |||
| return await response.Content.ReadAsStringAsync().ConfigureAwait(false); | |||
| } | |||
|
|
|||
| private ConfigurableHttpClient BuildAuthenticatedHttpClient() | |||
| { | |||
| var httpClietnArgs = BuildCreateHtppClientArgs(); | |||
| /// </remarks> | ||
| public async Task<string> SignBlobAsync(byte[] blob, CancellationToken cancellationToken = default) | ||
| { | ||
| var request = new IamSignBlobRequest |
There was a problem hiding this comment.
Possibly unwrap to a single line?
amanda-tarafa
force-pushed
the
signer-credentials
branch
from
9f767d6 to
c9211a3
Compare
amanda-tarafa
commented
Jan 16, 2023
| { | ||
| Content = new StringContent(dummyServiceAccountEmail) | ||
| }); | ||
| } |
There was a problem hiding this comment.
Yep, this was fixed on a later commit on the same PR.
| /// instance if that happens so fetching the service account default email is re-attempted. | ||
| /// </para> | ||
| /// </remarks> | ||
| public Task<string> DefaultServiceAccountEmailTask => _defaultServiceAccountEmailCache.Value; |
| /// The effective Compute Engine default service account email URL. | ||
| /// This takes account of the GCE_METADATA_HOST environment variable. | ||
| /// </summary> | ||
| internal static string EffectiveComputeDefaultServiceAccountEmailUrl => GetEffectiveMetadataUrl(ComputeDefaultServiceAccountEmailSuffix, DefaultMetadataServerUrl + ComputeDefaultServiceAccountEmailSuffix); |
|
|
||
| /// <summary> | ||
| /// Creates and HTTP form from <paramref name="request"/> and posts it to <paramref name="url"/>. | ||
| /// If <paramref name="authenticationHeaderValue"/> is not null, it's value it's included as the |
| { | ||
| Content = ParameterUtils.CreateFormUrlEncodedContent(request) | ||
| }; | ||
| httpRequest.Headers.Authorization = authenticationHeaderValue; |
There was a problem hiding this comment.
Oh nice catch. It is OK now because there's no default value for the Auth header, but best to only change it if there's something to change it to.
| var initializer = new ComputeCredential.Initializer("http://will.be.ignored", "http://will.be.ignored") | ||
| { | ||
| HttpClientFactory = new MockHttpClientFactory(messageHandler), | ||
| Clock= clock |
| @@ -693,14 +693,5 @@ public async Task SignBlobAsync() | |||
| var signature = await credential.SignBlobAsync(Encoding.ASCII.GetBytes("toSign")); | |||
| Assert.Equal("VvQqmCec5sESTXmt3ojPodmqZhV30MffzuyCvz6DatyW4uO9IMLWbUmynPYNNnn6w0EIVV0CyrARd56VLxgL+DVdsX726W3dfY13nNJo7i8PyV8R2i8yRLimqqraa1fDb29V2n+FsS0OzBPibDscViQHVlu0PBRApsVsjGG+eB4=", signature); | |||
| } | |||
|
|
|||
| [Fact] | |||
| public async Task SignBlobAsync_UnsupportedCredential() | |||
| /// For instance, to perform IAM API calls for signing blobs of data. | ||
| /// </summary> | ||
| /// <remarks>Lazy to build one HtppClient only if it is needed.</remarks> | ||
| private readonly Lazy<ConfigurableHttpClient> _authenticatedHtppClient; |
| @@ -234,6 +244,13 @@ private async Task<string> GetDefaultServiceAccountEmail() | |||
| return await response.Content.ReadAsStringAsync().ConfigureAwait(false); | |||
| } | |||
|
|
|||
| private ConfigurableHttpClient BuildAuthenticatedHttpClient() | |||
| { | |||
| var httpClietnArgs = BuildCreateHtppClientArgs(); | |||
| /// </remarks> | ||
| public async Task<string> SignBlobAsync(byte[] blob, CancellationToken cancellationToken = default) | ||
| { | ||
| var request = new IamSignBlobRequest |
jskeet
approved these changes
Jan 17, 2023
| /// </para> | ||
| /// <para> | ||
| /// Note that if, when fetching this value, an exception is thrown, the exception is cached and | ||
| /// will be rethrown every time this property is accessed. You can create a new <see cref="ComputeCredential"/> |
There was a problem hiding this comment.
the exception is cached and will be rethrown by the task returned by any future call to this method
There was a problem hiding this comment.
Ah yes, true.
| /// The private key associated with the Compute service account is not known locally | ||
| /// by a ComputeCredential. Signing happens by executing a request to the IAM Credentials API | ||
| /// which increases latency and counts towards IAM Credentials API quotas. Aditionally, the first | ||
| /// time a ComputeCredential is used to sign data, a request to the metadata server is execute to |
There was a problem hiding this comment.
execute => executed (or just "made")
| public async Task<string> SignBlobAsync(byte[] blob, CancellationToken cancellationToken = default) | ||
| { | ||
| var request = new IamSignBlobRequest { Payload = blob }; | ||
| var signBlobUrl = string.Format(GoogleAuthConsts.IamSignEndpointFormatString, await GetDefaultServiceAccountEmailAsync(cancellationToken).ConfigureAwait(false)); |
There was a problem hiding this comment.
I wonder whether for the sake of both readability and debugging it's worth separating this out:
var request = new IamSignBlobRequest { Payload = blob };
var serviceAccountEmail = await GetDefaultServiceAccountEmailAsync(cancellationToken).ConfigureAwait(false);
var signBlobUrl = string.Format(GoogleAuthConsts.IamSignEndpointFormatString, serviceAccountEmail);
...There was a problem hiding this comment.
Yep, will do that.
amanda-tarafa
force-pushed
the
signer-credentials
branch
from
c9211a3 to
4c57b70
Compare
amanda-tarafa
commented
Jan 18, 2023
| /// </para> | ||
| /// <para> | ||
| /// Note that if, when fetching this value, an exception is thrown, the exception is cached and | ||
| /// will be rethrown every time this property is accessed. You can create a new <see cref="ComputeCredential"/> |
There was a problem hiding this comment.
Ah yes, true.
| /// The private key associated with the Compute service account is not known locally | ||
| /// by a ComputeCredential. Signing happens by executing a request to the IAM Credentials API | ||
| /// which increases latency and counts towards IAM Credentials API quotas. Aditionally, the first | ||
| /// time a ComputeCredential is used to sign data, a request to the metadata server is execute to |
| public async Task<string> SignBlobAsync(byte[] blob, CancellationToken cancellationToken = default) | ||
| { | ||
| var request = new IamSignBlobRequest { Payload = blob }; | ||
| var signBlobUrl = string.Format(GoogleAuthConsts.IamSignEndpointFormatString, await GetDefaultServiceAccountEmailAsync(cancellationToken).ConfigureAwait(false)); |
There was a problem hiding this comment.
Yep, will do that.
- This has been commented for a while. - It was not a unit test to start with as detecting Compute residency executes requests against the metadata server.
amanda-tarafa
force-pushed
the
signer-credentials
branch
2 times, most recently
from
f59d8e6 to
98a104c
Compare
amanda-tarafa
removed
the
do not merge
Only TokeRequestExtensions.ExecuteAsync remains as it was public. But it does rely on the newly generalized ones.
Useful for credentials that require differently configured HttpClients but with the same base configuration.
For which, fetches service account email associated to a ComputeCredential. Closes googleapis#1857 Towards googleapis/google-cloud-dotnet#8413
amanda-tarafa
force-pushed
the
signer-credentials
branch
from
98a104c to
5b2d850
Compare
amanda-tarafa
added a commit
to amanda-tarafa/google-api-dotnet-client
that referenced
this pull request
Jan 19, 2023
And support libraries from 1.59.0-alpha01 => 1.59.0 Features: googleapis#2308 ComputeCredential implements IBlobSigner
amanda-tarafa
added a commit
to amanda-tarafa/google-api-dotnet-client
that referenced
this pull request
Jan 19, 2023
And support libraries from 1.59.0-alpha01 => 1.59.0 Features: - googleapis#2308 ComputeCredential implements IBlobSigner
amanda-tarafa
added a commit
that referenced
this pull request
Jan 19, 2023
And support libraries from 1.59.0-alpha01 => 1.59.0 Features: - #2308 ComputeCredential implements IBlobSigner
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.