[Notes] [Git][BuildGrid/buildgrid][mablanch/144-jwt-authentication] 6 co

Martin Blanchard pushed to branch mablanch/144-jwt-authentication at BuildGrid / buildgrid

Commits:

302a1965

by Martin Blanchard at 2018-11-29T17:18:20Z

client/authentication.py: New client gRPC channel helpers

3fe9b1cb

by Martin Blanchard at 2018-11-29T17:18:25Z

cmd_capabilities.py: Port to new client channel helpers

17958869

by Martin Blanchard at 2018-11-29T17:18:25Z

cmd_cas.py: Port‧to‧new‧client‧channel‧helpers

550e581c

by Martin Blanchard at 2018-11-29T17:18:25Z

cmd_execute.py: Port‧to‧new‧client‧channel‧helpers

820c3a29

by Martin Blanchard at 2018-11-29T17:18:25Z

cmd_operation.py: Port‧to‧new‧client‧channel‧helpers

28f9c52e

by Martin Blanchard at 2018-11-29T17:18:25Z

server/instance.py: Register authentication gRPC interceptor

6 changed files:

buildgrid/_app/commands/cmd_capabilities.py
buildgrid/_app/commands/cmd_cas.py
buildgrid/_app/commands/cmd_execute.py
buildgrid/_app/commands/cmd_operation.py
+ buildgrid/client/authentication.py
buildgrid/server/instance.py

Changes:

buildgrid/_app/commands/cmd_capabilities.py

@@ -17,9 +17,12 @@ import sys
  from urllib.parse import urlparse
  import click
 +from google.protobuf import json_format
  import grpc
 +from buildgrid.client.authentication import setup_channel
  from buildgrid.client.capabilities import CapabilitiesInterface
 +from buildgrid._exceptions import InvalidArgumentError
  from ..cli import pass_context
@@ -27,32 +30,29 @@ from ..cli import pass_context
  @click.command(name='capabilities', short_help="Capabilities service.")
  @click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
                help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--auth-token', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Authorization token for the remote.")
  @click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Private client key for TLS (PEM-encoded)")
 +              help="Private client key for TLS (PEM-encoded).")
  @click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public client certificate for TLS (PEM-encoded)")
 +              help="Public client certificate for TLS (PEM-encoded).")
  @click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public server certificate for TLS (PEM-encoded)")
 +              help="Public server certificate for TLS (PEM-encoded).")
  @click.option('--instance-name', type=click.STRING, default='main', show_default=True,
                help="Targeted farm instance name.")
  @pass_context
 -def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 -    click.echo("Getting capabilities...")
 -    url = urlparse(remote)
+-
 -    remote = '{}:{}'.format(url.hostname, url.port or 50051)
 -    instance_name = instance_name
+-
 -    if url.scheme == 'http':
 -        channel = grpc.insecure_channel(remote)
 -    else:
 -        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 -        if not credentials:
 -            click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 -            sys.exit(-1)
+-
 -        channel = grpc.secure_channel(remote, credentials)
+-
 -    interface = CapabilitiesInterface(channel)
 -    response = interface.get_capabilities(instance_name)
 -    click.echo(response)
 +def cli(context, remote, instance_name, auth_token, client_key, client_cert, server_cert):
 +    """Entry point for the bgd-capabilities CLI command group."""
 +    try:
 +        context.channel = setup_channel(remote, authorization_token=auth_token,
 +                                        client_key=client_key, client_cert=client_cert)
++
 +    except InvalidArgumentError as e:
 +        click.echo("Error: {}.".format(e), err=True)
++
 +    context.instance_name = instance_name
++
 +    interface = CapabilitiesInterface(context.channel)
 +    response = interface.get_capabilities(context.instance_name)
++
 +    click.echo(json_format.MessageToJson(response))

buildgrid/_app/commands/cmd_cas.py

@@ -27,7 +27,9 @@ from urllib.parse import urlparse
  import click
  import grpc
 +from buildgrid.client.authentication import setup_channel
  from buildgrid.client.cas import download, upload
 +from buildgrid._exceptions import InvalidArgumentError
  from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2
  from buildgrid.utils import create_digest, merkle_tree_maker, read_file
@@ -37,32 +39,27 @@ from ..cli import pass_context
  @click.group(name='cas', short_help="Interact with the CAS server.")
  @click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
                help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--auth-token', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Authorization token for the remote.")
  @click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Private client key for TLS (PEM-encoded)")
 +              help="Private client key for TLS (PEM-encoded).")
  @click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public client certificate for TLS (PEM-encoded)")
 +              help="Public client certificate for TLS (PEM-encoded).")
  @click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
                help="Public server certificate for TLS (PEM-encoded)")
  @click.option('--instance-name', type=click.STRING, default='main', show_default=True,
                help="Targeted farm instance name.")
  @pass_context
 -def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 -    url = urlparse(remote)
 +def cli(context, remote, instance_name, auth_token, client_key, client_cert, server_cert):
 +    """Entry point for the bgd-cas CLI command group."""
 +    try:
 +        context.channel = setup_channel(remote, authorization_token=auth_token,
 +                                        client_key=client_key, client_cert=client_cert)
 -    context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
 -    context.instance_name = instance_name
+-
 -    if url.scheme == 'http':
 -        context.channel = grpc.insecure_channel(context.remote)
 -    else:
 -        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 -        if not credentials:
 -            click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 -            sys.exit(-1)
 +    except InvalidArgumentError as e:
 +        click.echo("Error: {}.".format(e), err=True)
 -        context.channel = grpc.secure_channel(context.remote, credentials)
+-
 -    click.echo("Starting for remote=[{}]".format(context.remote))
 +    context.instance_name = instance_name
  @cli.command('upload-dummy', short_help="Upload a dummy action. Should be used with `execute dummy-request`")

buildgrid/_app/commands/cmd_execute.py

@@ -28,7 +28,9 @@ from urllib.parse import urlparse
  import click
  import grpc
 +from buildgrid.client.authentication import setup_channel
  from buildgrid.client.cas import download, upload
 +from buildgrid._exceptions import InvalidArgumentError
  from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2, remote_execution_pb2_grpc
  from buildgrid.utils import create_digest
@@ -38,32 +40,27 @@ from ..cli import pass_context
  @click.group(name='execute', short_help="Execute simple operations.")
  @click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
                help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--auth-token', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Authorization token for the remote.")
  @click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Private client key for TLS (PEM-encoded)")
 +              help="Private client key for TLS (PEM-encoded).")
  @click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public client certificate for TLS (PEM-encoded)")
 +              help="Public client certificate for TLS (PEM-encoded).")
  @click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public server certificate for TLS (PEM-encoded)")
 +              help="Public server certificate for TLS (PEM-encoded).")
  @click.option('--instance-name', type=click.STRING, default='main', show_default=True,
                help="Targeted farm instance name.")
  @pass_context
  def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 -    url = urlparse(remote)
 +    """Entry point for the bgd-execute CLI command group."""
 +    try:
 +        context.channel = setup_channel(remote, authorization_token=auth_token,
 +                                        client_key=client_key, client_cert=client_cert)
 -    context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
 -    context.instance_name = instance_name
+-
 -    if url.scheme == 'http':
 -        context.channel = grpc.insecure_channel(context.remote)
 -    else:
 -        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 -        if not credentials:
 -            click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 -            sys.exit(-1)
 +    except InvalidArgumentError as e:
 +        click.echo("Error: {}.".format(e), err=True)
 -        context.channel = grpc.secure_channel(context.remote, credentials)
+-
 -    click.echo("Starting for remote=[{}]".format(context.remote))
 +    context.instance_name = instance_name
  @cli.command('request-dummy', short_help="Send a dummy action.")

buildgrid/_app/commands/cmd_operation.py

@@ -30,7 +30,9 @@ import click
  from google.protobuf import json_format
  import grpc
 +from buildgrid.client.authentication import setup_channel
  from buildgrid._enums import OperationStage
 +from buildgrid._exceptions import InvalidArgumentError
  from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2, remote_execution_pb2_grpc
  from buildgrid._protos.google.longrunning import operations_pb2, operations_pb2_grpc
  from buildgrid._protos.google.rpc import code_pb2
@@ -41,32 +43,27 @@ from ..cli import pass_context
  @click.group(name='operation', short_help="Long running operations commands.")
  @click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
                help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--auth-token', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Authorization token for the remote.")
  @click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Private client key for TLS (PEM-encoded)")
 +              help="Private client key for TLS (PEM-encoded).")
  @click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public client certificate for TLS (PEM-encoded)")
 +              help="Public client certificate for TLS (PEM-encoded).")
  @click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public server certificate for TLS (PEM-encoded)")
 +              help="Public server certificate for TLS (PEM-encoded).")
  @click.option('--instance-name', type=click.STRING, default='main', show_default=True,
                help="Targeted farm instance name.")
  @pass_context
  def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 -    url = urlparse(remote)
 +    """Entry point for the bgd-operation CLI command group."""
 +    try:
 +        context.channel = setup_channel(remote, authorization_token=auth_token,
 +                                        client_key=client_key, client_cert=client_cert)
 -    context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
 -    context.instance_name = instance_name
+-
 -    if url.scheme == 'http':
 -        context.channel = grpc.insecure_channel(context.remote)
 -    else:
 -        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 -        if not credentials:
 -            click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 -            sys.exit(-1)
 +    except InvalidArgumentError as e:
 +        click.echo("Error: {}.".format(e), err=True)
 -        context.channel = grpc.secure_channel(context.remote, credentials)
+-
 -    click.echo("Starting for remote=[{}]".format(context.remote))
 +    context.instance_name = instance_name
  def _print_operation_status(operation, print_details=False):

buildgrid/client/authentication.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
++
 +import base64
 +from collections import namedtuple
 +from urllib.parse import urlparse
 +import os
++
 +import grpc
++
 +from buildgrid._exceptions import InvalidArgumentError
 +from buildgrid.utils import read_file
++
++
 +def load_tls_channel_credentials(client_key=None, client_cert=None, server_cert=None):
 +    """Looks-up and loads TLS gRPC client channel credentials.
++
 +    Args:
 +        client_key(str, optional): Client certificate chain file path.
 +        client_cert(str, optional): Client private key file path.
 +        server_cert(str, optional): Serve root certificate file path.
++
 +    Returns:
 +        ChannelCredentials: Credentials to be used for a TLS-encrypted gRPC
 +            client channel.
 +    """
 +    if server_cert and os.path.exists(server_cert):
 +        server_cert_pem = read_file(server_cert)
 +    else:
 +        server_cert_pem = None
++
 +    if client_key and os.path.exists(client_key):
 +        client_key_pem = read_file(client_key)
 +    else:
 +        client_key_pem = None
++
 +    if client_key_pem and client_cert and os.path.exists(client_cert):
 +        client_cert_pem = read_file(client_cert)
 +    else:
 +        client_cert_pem = None
++
 +    credentials = grpc.ssl_channel_credentials(root_certificates=server_cert_pem,
 +                                               private_key=client_key_pem,
 +                                               certificate_chain=client_cert_pem)
 +    return credentials
++
++
 +def load_channel_authorization_token(auth_token=None):
 +    """Looks-up and loads client authorization token.
++
 +    Args:
 +        auth_token (str, optional): Token file path.
++
 +    Returns:
 +        str: Encoded token string.
 +    """
 +    if auth_token and os.path.exists(auth_token):
 +        return read_file(auth_token).decode()
++
 +    #TODO: Try loading the token from a default location?
++
 +    return None
++
++
 +def setup_channel(remote_url, authorization_token=None,
 +                  client_key=None, client_cert=None, server_cert=None):
 +    """Creates a new gRPC client communication chanel.
++
 +    If `remote_url` does not specifies a port number, defaults 50051.
++
 +    Args:
 +        remote_url (str): URL for the remote, including port and protocol.
 +        authorization_token (str): Authorization token file path.
 +        server_cert(str): TLS certificate chain file path.
 +        client_key(str): TLS root certificate file path.
 +        client_cert(str): TLS private key file path.
++
 +    Returns:
 +        (str, Channel):
++
 +    Raises:
 +        InvalidArgumentError: On any input parsing error.
 +    """
 +    url = urlparse(remote_url)
 +    remote = '{}:{}'.format(url.hostname, url.port or 50051)
++
 +    if url.scheme == 'http':
 +        channel = grpc.insecure_channel(remote)
++
 +    elif url.scheme == 'https':
 +        credentials = load_tls_channel_credentials(client_key, client_cert, server_cert)
 +        if not credentials:
 +            raise InvalidArgumentError("Given TLS details (or defaults) could be loaded")
++
 +        channel = grpc.secure_channel(remote, credentials)
++
 +    else:
 +        raise InvalidArgumentError("Given remote does not specify a protocol")
++
 +    if authorization_token is not None:
 +        token = load_channel_authorization_token(authorization_token)
 +        if not token:
 +            raise InvalidArgumentError("Given authorization token could be loaded")
++
 +        interpector =  AuthMetadataClientInterceptor(token)
 +        channel = grpc.intercept_channel(channel, interpector)
++
 +    return channel
++
++
 +class AuthMetadataClientInterceptor(
 +        grpc.UnaryUnaryClientInterceptor, grpc.UnaryStreamClientInterceptor,
 +        grpc.StreamUnaryClientInterceptor, grpc.StreamStreamClientInterceptor):
++
 +    def __init__(self, authorization_token=None, authorization_secret=None):
 +        """Initialises a new :class:`AuthMetadataClientInterceptor`.
++
 +        Args:
 +            authorization_token (str): Authorization token as a string.
 +        """
 +        if authorization_token:
 +            self.__secret = authorization_token.strip()
 +        else:
 +            self.__secret = base64.b64encode(authorization_secret)
++
 +        self.__header_field_name = 'authorization'
 +        self.__header_field_value = 'Bearer {}'.format(self.__secret)
++
 +    def intercept_unary_unary(self, continuation, client_call_details, request):
 +        new_details = self._amend_call_details(client_call_details)
++
 +        return continuation(new_details, request)
++
 +    def intercept_unary_stream(self, continuation, client_call_details, request):
 +        new_details = self._amend_call_details(client_call_details)
++
 +        return continuation(new_details, request)
++
 +    def intercept_stream_unary(self, continuation, client_call_details, request_iterator):
 +        new_details = self._amend_call_details(client_call_details)
++
 +        return continuation(new_details, request_iterator)
++
 +    def intercept_stream_stream(self, continuation, client_call_details, request_iterator):
 +        new_details = self._amend_call_details(client_call_details)
++
 +        return continuation(new_details, request_iterator)
++
 +    def _amend_call_details(self, client_call_details):
 +        if client_call_details.metadata is not None:
 +            new_metadata = list(client_call_details.metadata)
 +        else:
 +            new_metadata = []
++
 +        new_metadata.append((self.__header_field_name, self.__header_field_value,))
++
 +        class _ClientCallDetails(
 +                namedtuple('_ClientCallDetails',
 +                           ('method', 'timeout', 'credentials', 'metadata')),
 +                grpc.ClientCallDetails):
 +            pass
++
 +        return _ClientCallDetails(client_call_details.method,
 +                                  client_call_details.timeout,
 +                                  client_call_details.credentials,
 +                                  new_metadata)

buildgrid/server/instance.py

@@ -26,6 +26,7 @@ import grpc
  from buildgrid._enums import BotStatus, MetricRecordDomain, MetricRecordType
  from buildgrid._protos.buildgrid.v2 import monitoring_pb2
  from buildgrid.server.actioncache.service import ActionCacheService
 +from buildgrid.server._authentication import JwtAlgorithm, AuthMetadataServerInterceptor
  from buildgrid.server.bots.service import BotsService
  from buildgrid.server.cas.service import ByteStreamService, ContentAddressableStorageService
  from buildgrid.server.execution.service import ExecutionService
@@ -57,7 +58,9 @@ class BuildGridServer:
              max_workers = (os.cpu_count() or 1) * 5
          self.__grpc_executor = futures.ThreadPoolExecutor(max_workers)
 -        self.__grpc_server = grpc.server(self.__grpc_executor)
 +        self.__grpc_auth_interceptor = AuthMetadataServerInterceptor('your-256-bit-secret', JwtAlgorithm.HS256)
 +        self.__grpc_server = grpc.server(
 +            self.__grpc_executor, interceptors=(self.__grpc_auth_interceptor,))
          self.__main_loop = asyncio.get_event_loop()
          self.__monitoring_bus = None

[Notes] [Git][BuildGrid/buildgrid][mablanch/144-jwt-authentication] 6 commits: client/authentication.py: New client gRPC channel helpers

Martin Blanchard pushed to branch mablanch/144-jwt-authentication at BuildGrid / buildgrid

Commits:

6 changed files:

Changes: