docs(samples): added auth samples and tests #927

Merged 30 commits on Aug 4, 2022. The diff shown below is from 12 of the 30 commits.

Commits:
3bd604d
docs(samples): added client code for idtoken, adc and metadata server
Sita04 Jun 6, 2022
bd1bc55
docs(samples): added authexplicit and copyright
Sita04 Jun 8, 2022
ece1c56
docs(samples): add auth with metadata server
Sita04 Jun 8, 2022
0c26c33
docs(samples): minor refactoring and added tests
Sita04 Jun 8, 2022
45449b2
🦉 Updates from OwlBot post-processor
gcf-owl-bot[bot] Jun 8, 2022
7ef36df
Merge branch 'main' into auth-samples
Shabirmean Jun 14, 2022
b2f367e
refactored acc to review comments
Sita04 Jul 18, 2022
01b57ad
Merge remote-tracking branch 'origin/auth-samples' into auth-samples
Sita04 Jul 18, 2022
b9dee60
Merge branch 'main' into auth-samples
Sita04 Jul 18, 2022
3ed6be0
refactored acc to review comments
Sita04 Jul 22, 2022
dd39fd4
Merge remote-tracking branch 'origin/auth-samples' into auth-samples
Sita04 Jul 22, 2022
a46ccc4
Merge branch 'main' into auth-samples
Sita04 Jul 25, 2022
5eb6506
refactored acc to review comments
Sita04 Jul 28, 2022
cc6a5a5
Merge remote-tracking branch 'origin/auth-samples' into auth-samples
Sita04 Jul 28, 2022
7c68634
🦉 Updates from OwlBot post-processor
gcf-owl-bot[bot] Jul 28, 2022
1baeebe
minor comment update
Sita04 Jul 28, 2022
9fc3a7a
Merge remote-tracking branch 'origin/auth-samples' into auth-samples
Sita04 Jul 28, 2022
b8c5f3f
Merge branch 'main' into auth-samples
Sita04 Jul 29, 2022
680cfdd
modified google id token verification and removed third party dependency
Sita04 Jul 29, 2022
1944e5d
Merge remote-tracking branch 'origin/auth-samples' into auth-samples
Sita04 Jul 29, 2022
a943290
removed third party deps from pom
Sita04 Jul 29, 2022
d7d6257
🦉 Updates from OwlBot post-processor
gcf-owl-bot[bot] Jul 29, 2022
cf11754
Merge branch 'auth-samples' of https://github.com/googleapis/google-a…
gcf-owl-bot[bot] Jul 29, 2022
b910be5
🦉 Updates from OwlBot post-processor
gcf-owl-bot[bot] Jul 29, 2022
e23fe35
Merge branch 'auth-samples' of https://github.com/googleapis/google-a…
gcf-owl-bot[bot] Jul 29, 2022
ada91fb
Merge branch 'main' into auth-samples
Sita04 Jul 29, 2022
8573bb3
Merge branch 'main' into auth-samples
Sita04 Aug 4, 2022
591d0e6
included comment about verifying Google ID tokens
Sita04 Aug 4, 2022
82d7350
Merge remote-tracking branch 'origin/auth-samples' into auth-samples
Sita04 Aug 4, 2022
54013b5
🦉 Updates from OwlBot post-processor
gcf-owl-bot[bot] Aug 4, 2022
101 changes: 101 additions & 0 deletions samples/snippets/pom.xml
@@ -0,0 +1,101 @@
<project xmlns="http://maven.apache.org/POM/4.0.0">
<modelVersion>4.0.0</modelVersion>
<groupId>com.google.auth.samples</groupId>
<artifactId>authsamples</artifactId>
<version>1.0.0</version>
<name>auth-samples</name>


<!--
The parent pom defines common style checks and testing strategies for our samples.
Removing or replacing it should not affect the execution of the samples in any way.
-->
<parent>
<groupId>com.google.cloud.samples</groupId>
<artifactId>shared-configuration</artifactId>
<version>1.2.0</version>
</parent>

<properties>
<maven.compiler.target>1.8</maven.compiler.target>
<maven.compiler.source>1.8</maven.compiler.source>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>

<!-- START dependencies -->
<!-- Using libraries-bom to manage versions.
See https://github.com/GoogleCloudPlatform/cloud-opensource-java/wiki/The-Google-Cloud-Platform-Libraries-BOM -->
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.google.cloud</groupId>
<artifactId>libraries-bom</artifactId>
<version>25.0.0</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>


<dependencies>
<!-- OAuth dependency-->
<dependency>
<groupId>com.google.auth</groupId>
<artifactId>google-auth-library-oauth2-http</artifactId>
<version>1.3.0</version>
</dependency>

<!-- IAM dependency-->
<dependency>
<groupId>com.google.apis</groupId>
<artifactId>google-api-services-iam</artifactId>
<version>v1-rev20220509-1.32.1</version>
</dependency>
<dependency>
<groupId>com.google.apis</groupId>
<artifactId>google-api-services-iamcredentials</artifactId>
<version>v1-rev20211203-1.32.1</version>
</dependency>

<!-- JWT dependency-->
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>3.16.0</version>
</dependency>
<dependency>
<groupId>com.auth0</groupId>
<artifactId>jwks-rsa</artifactId>
<version>0.18.0</version>
</dependency>

<!-- GCloud dependency-->
<dependency>
<artifactId>google-cloud-compute</artifactId>
<groupId>com.google.cloud</groupId>
<version>1.8.1</version>
</dependency>
<dependency>
<groupId>com.google.cloud</groupId>
<artifactId>google-cloud-storage</artifactId>
</dependency>

<!-- Test dependencies-->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.13.1</version>
<scope>test</scope>
</dependency>
<dependency>
<artifactId>truth</artifactId>
<groupId>com.google.truth</groupId>
<scope>test</scope>
<version>1.1.3</version>
</dependency>

</dependencies>

</project>
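Review bot: the explicit `<version>1.3.0</version>` on google-auth-library-oauth2-http (and the explicit versions on google-cloud-compute and the two google-api-services artifacts) override whatever the imported libraries-bom 25.0.0 manages for those artifacts, which defeats the stated reason for importing the BOM (`Using libraries-bom to manage versions.`) and can pin the samples to an auth library release older than the one the rest of the BOM-managed stack expects; drop the explicit version for every artifact the BOM covers, as the google-cloud-storage entry already does. The com.auth0 java-jwt and jwks-rsa entries add a second JWT/JWKS implementation for ID-token verification; the later commit `removed third party deps from pom` in this PR's history indicates they are dropped, and the sample should verify Google ID tokens with the auth library's own verifier so there is a single signature-checking path to audit.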

@@ -0,0 +1,74 @@
/*
* Copyright 2022 Google Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

// [START auth_cloud_metadata_server]

import com.google.api.gax.paging.Page;
import com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.IOException;
import java.security.GeneralSecurityException;

public class AuthWithCredentialsFromMetadataServer {

public static void main(String[] args) throws IOException, GeneralSecurityException {
// TODO(Developer):
// 1. Replace the project variable below.
// 2. Make sure you have the necessary permission to list storage buckets
// "storage.buckets.list"
String projectId = "your-google-cloud-project-id";

authWithCredentialsFromMetadataServer(projectId);
}

// In this snippet, we demonstrate "Authentication with account credentials
// obtained from a metadata server".
public static void authWithCredentialsFromMetadataServer(String project) {

// This snippet demonstrates how to initialize Cloud Storage and list buckets.
// Note that the credentials are requested from the ComputeEngine metadata server.
Storage storage = initService(project);

System.out.println("Buckets:");
Page<Bucket> buckets = storage.list();
for (Bucket bucket : buckets.iterateAll()) {
System.out.println(bucket.toString());
}
System.out.println("Authentication complete.");
}

// Initialize the Storage client by getting the credentials
// from a Metadata server.
private static Storage initService(String projectId) {
// Explicitly request the credentials from the ComputeEngine metadata server.
GoogleCredentials credentials = ComputeEngineCredentials.create();
Contributor:

In the past, we haven't wanted to encourage folks to explicitly pick the credential type -- the code won't work on other environments (like development).

GoogleCredentials.getApplicationDefault() will give you ComputeEngineCredentials if you are on a GCE (or other metadata server supported environments).

Another reviewer:

+1 to ADC. Can we also demonstrate how the user specifies a scope?

Contributor Author:

I agree. Modified to use ADC and also added a comment.

@kurtisvg we didn't want to demonstrate scopes as we thought it had a limited use case for GCP and primarily only workspace products need it. @piaxc can you weigh in on the "scopes" part?

Contributor:

To chingor13@'s comment: the idea here was to specifically get credentials from the Metadata server. This is in keeping with previous samples that have been provided, although this sample won't be included in the docs. Sita04@, how will this differ from the implicit flow now? Maybe we could just remove it?

kurtisvg@: for Cloud APIs, the best practice as communicated by the IAM team is to use the cloud-wide scope "https://www.googleapis.com/auth/cloud-platform" and use IAM only to restrict access. That is the guidance I'm providing in the Authentication documentation. Maybe we could provide more color?

For Cloud APIs, you can let the library use the default scope of https://www.googleapis.com/auth/cloud-platform because IAM provides fine-grained access control.

Or something like that.

Contributor Author:

I think it's best to remove the sample as there is very minute difference between this one and the ADC explicit.
I'll add an extra comment in that sample that @chingor13 mentioned "GoogleCredentials.getApplicationDefault() will give you ComputeEngineCredentials if you are on a GCE (or other metadata server supported environments)." ?

// Alternately, if executing within AppEngine, you can get credentials as follows:
// GoogleCredentials credentials = AppEngineCredentials.getApplicationDefault();

// Construct the Storage client.
// Note that, here we explicitly specify the service account to use.
return StorageOptions.newBuilder()
.setCredentials(credentials)
.setProjectId(projectId)
.build()
.getService();
}
}
// [END auth_cloud_metadata_server]
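Review bot: the comment `// Note that, here we explicitly specify the service account to use.` above the StorageOptions builder is inaccurate: nothing in initService names a service account; the credentials are whatever identity the metadata server attaches to the VM (`ComputeEngineCredentials.create()`), so the comment should say that or be removed. Two smaller points in the same hunk: main declares `throws GeneralSecurityException` but nothing in the file throws it, so the declaration and the matching import are dead; and the commented-out `AppEngineCredentials.getApplicationDefault()` alternative refers to a class that google-auth-library-oauth2-http does not provide, so a reader who uncomments it gets a compile error unless the App Engine auth module is added to the pom. Given the thread above, dropping this file in favor of the ADC sample resolves all three.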
77 changes: 77 additions & 0 deletions samples/snippets/src/main/java/AuthenticateExplicit.java
@@ -0,0 +1,77 @@
/*
* Copyright 2022 Google Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

// [START auth_cloud_explicit_adc]

import com.google.api.gax.paging.Page;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.IOException;
import java.security.GeneralSecurityException;

public class AuthenticateExplicit {

public static void main(String[] args) throws IOException, GeneralSecurityException {
// TODO(Developer):
// 1. Replace the project variable below.
// 2. Make sure you have the necessary permission to list storage buckets "storage.buckets.list"

String projectId = "your-google-cloud-project-id";

// If you are authenticating to a Cloud API, you do not need to specify a scope;
Contributor:

This is mixing together two different choices, I think.
One is "If you are authenticating to a Cloud API, you can use ADC (much easier) but if you really want to specify your credentials, go to town"... and... "Most Cloud APIs accept "https://www.googleapis.com/auth/cloud-platform" and use IAM for access control." But ADC doesn't really have much to do with scopes.

Another reviewer:

I think additionally, scopes are a best security practice (following the principle of least permission). "you do not need to specify a scope;" feels like we don't think it's worthwhile to specify a scope, which I don't think is the case.

Contributor:

Using scopes to limit access is not a best practice for Cloud-- IAM team wants everyone to use IAM and simply specify the cloud-wide scope.
So it's true, we don't think it's worthwhile to specify a scope. :-)
That said, maybe the comment could make that more clear, because for non-Cloud workflows, scopes are indeed important.
How about
"If you are authenticating to a Cloud API, you can let the library include the default scope, https://www.googleapis.com/auth/cloud-platform, because IAM is used to provide fine-grained permissions for Cloud".
Too wordy? Something like that.

Contributor Author:

I've taken a middle ground here and have demonstrated both (with and w/o scopes) in the sample with comments on where to use them. PTAL.

// use Application Default Credentials as described in
// https://cloud.google.com/docs/authentication/external/set-up-adc.
// If you need to provide a scope, specify it here.
// For more information on scopes to use,
// see: https://developers.google.com/identity/protocols/oauth2/scopes
String scope = "https://www.googleapis.com/auth/PRODUCT_NAME";

authenticateExplicit(projectId, scope);
}

// List storage buckets by authenticating with ADC.
public static void authenticateExplicit(String project, String scope)
throws IOException {

// Initialize the storage client.
Storage storage = initService(project, scope);

System.out.println("Buckets:");
Page<Bucket> buckets = storage.list();
for (Bucket bucket : buckets.iterateAll()) {
System.out.println(bucket.toString());
}
System.out.println("Authentication complete.");
}

// Initialize the Storage client using ADC (Application Default Credentials).
private static Storage initService(String projectId, String scope)
throws IOException {
// Construct the GoogleCredentials object which obtains the default configuration from your
// working environment.
GoogleCredentials credentials = GoogleCredentials.getApplicationDefault().createScoped(scope);

// Construct the Storage client.
return StorageOptions.newBuilder()
.setCredentials(credentials)
.setProjectId(projectId)
.build()
.getService();
}
}
// [END auth_cloud_explicit_adc]
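Review bot: the placeholder `String scope = "https://www.googleapis.com/auth/PRODUCT_NAME";` is passed straight into `createScoped(scope)`, so a reader who runs the sample as-is gets an invalid-scope failure at token refresh rather than at a clearly marked TODO; either add the scope to the TODO(Developer) list or default it to https://www.googleapis.com/auth/cloud-platform, which is what the Storage call below needs and is the guidance the thread settled on. The comment block above it should also state plainly that for Cloud APIs the cloud-platform scope is sufficient and IAM does the fine-grained restriction, with other scopes relevant only for non-Cloud (Workspace) APIs, so that the "middle ground" is explicit in the snippet and not only in the review. As in the metadata-server file, `throws GeneralSecurityException` on main is unused.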
56 changes: 56 additions & 0 deletions samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
@@ -0,0 +1,56 @@
/*
* Copyright 2022 Google Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

// [START auth_cloud_implicit_adc]

import com.google.cloud.compute.v1.Instance;
import com.google.cloud.compute.v1.InstancesClient;
import java.io.IOException;

public class AuthenticateImplicitWithAdc {

public static void main(String[] args) throws IOException {
// TODO(Developer):
// 1. Before running this sample,
// set up ADC as described in https://cloud.google.com/docs/authentication/external/set-up-adc
// 2. Replace the project variable below.
// 3. Make sure that the user account or service account that you are using
// has the required permissions. For this sample, you must have "compute.instances.list".
String projectId = "your-google-cloud-project-id";
authenticateImplicitWithAdc(projectId);
}

// When interacting with Google Cloud Client libraries, the library can auto-detect the
// credentials to use.
public static void authenticateImplicitWithAdc(String project) throws IOException {

String zone = "us-central1-a";
// This snippet demonstrates how to list instances.
// *NOTE*: Replace the client created below with the client required for your application.
//
// Note that the credentials are not specified when constructing the client.
// Hence, the client library will look for credentials using ADC.
try (InstancesClient instancesClient = InstancesClient.create()) {
// Set the project and zone to retrieve instances present in the zone.
System.out.printf("Listing instances from %s in %s:", project, zone);
for (Instance zoneInstance : instancesClient.list(project, zone).iterateAll()) {
System.out.println(zoneInstance.getName());
}
System.out.println("####### Listing instances complete #######");
}
}
}
// [END auth_cloud_implicit_adc]
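Review bot: `System.out.printf("Listing instances from %s in %s:", project, zone);` has no trailing newline, so the first instance name is printed on the same line as the header; use `%n` at the end of the format string. The zone is hard-coded to `us-central1-a` inside authenticateImplicitWithAdc while the project is a parameter, and the TODO tells the developer to replace only the project; either make zone a second parameter beside project or add it to the TODO list, otherwise a project with no instances in that zone lists nothing and gives no hint why.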
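The review thread on the metadata-server sample settles on two points: let GoogleCredentials.getApplicationDefault() choose the credential source (it yields ComputeEngineCredentials on GCE and other metadata-server environments), and for Cloud APIs use the cloud-wide scope and rely on IAM for fine-grained restriction. The following is an added example written for this review; it is not code from the PR or from google-auth-library-java. It resolves ADC, attaches the cloud-platform scope only when the resolved credential type actually requires scopes, and reports which source ADC picked so a mis-configured environment is visible before the first API call fails. The class name AdcScopeCheck is an assumption; it needs google-auth-library-oauth2-http on the classpath and a configured ADC environment at run time.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.auth.oauth2.UserCredentials;
import java.io.IOException;
import java.util.Collections;

// Added example (not part of the PR): resolve ADC and scope it the way the
// review thread recommends for Cloud APIs.
public class AdcScopeCheck {

  // Cloud-wide scope. With this scope the token can reach any Cloud API;
  // IAM bindings on the caller's identity, not the scope, limit what it may do.
  static final String CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform";

  // Resolve Application Default Credentials and attach the cloud-platform
  // scope only if the resolved credential type needs scopes (for example a
  // service account key file). Credential types that ignore scopes are
  // returned unchanged.
  public static GoogleCredentials resolveScopedAdc() throws IOException {
    GoogleCredentials credentials = GoogleCredentials.getApplicationDefault();
    if (credentials.createScopedRequired()) {
      credentials = credentials.createScoped(Collections.singleton(CLOUD_PLATFORM_SCOPE));
    }
    return credentials;
  }

  // Describe which source ADC selected. This is what the thread means by
  // "getApplicationDefault() will give you ComputeEngineCredentials on GCE":
  // the concrete class tells you where the identity came from.
  public static String describeSource(GoogleCredentials credentials) {
    if (credentials instanceof ComputeEngineCredentials) {
      return "metadata server (ComputeEngineCredentials)";
    }
    if (credentials instanceof ServiceAccountCredentials) {
      return "service account key for "
          + ((ServiceAccountCredentials) credentials).getClientEmail();
    }
    if (credentials instanceof UserCredentials) {
      return "user credentials (gcloud auth application-default login)";
    }
    return credentials.getClass().getSimpleName();
  }

  public static void main(String[] args) throws IOException {
    GoogleCredentials credentials = resolveScopedAdc();
    System.out.println("ADC resolved to: " + describeSource(credentials));

    // Force a token fetch now so an authentication problem surfaces here,
    // with the credential source printed above, rather than inside a later
    // API client call.
    credentials.refreshIfExpired();
    AccessToken token = credentials.getAccessToken();
    System.out.println("Access token obtained; expires at " + token.getExpirationTime());
  }
}
```

Run it on a GCE VM and it reports the metadata server; run it on a workstation after `gcloud auth application-default login` and it reports user credentials, which is the behaviour difference the thread uses to argue for ADC over an explicit `ComputeEngineCredentials.create()`.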