[Notes] [Git][BuildGrid/buildgrid][mablanch/144-jwt-authentication] 13 c

Martin Blanchard pushed to branch mablanch/144-jwt-authentication at BuildGrid / buildgrid

Commits:

7e7d452c

by Martin Blanchard at 2018-12-04T17:34:57Z

setup.py: Introduce pyjwt dependency

Hosted at: https://github.com/jpadilla/pyjwt

The dependency is declared as part of a new 'auth' extra target so that
it is not installed by default, but only if requested.

https://gitlab.com/BuildGrid/buildgrid/issues/144

9f16fe87

by Martin Blanchard at 2018-12-04T17:35:21Z

server/_authentication.py: New JWT based gRPC interceptor

https://gitlab.com/BuildGrid/buildgrid/issues/144

59db55a8

by Martin Blanchard at 2018-12-05T09:18:03Z

client/authentication.py: New client gRPC channel helpers

https://gitlab.com/BuildGrid/buildgrid/issues/144

9d36d890

by Martin Blanchard at 2018-12-05T09:18:10Z

cmd_bot.py: Port‧to‧new‧client‧channel‧helpers

4697354e

by Martin Blanchard at 2018-12-05T09:18:10Z

cmd_capabilities.py: Port to new client channel helpers

https://gitlab.com/BuildGrid/buildgrid/issues/144

33b82765

by Martin Blanchard at 2018-12-05T09:18:10Z

cmd_cas.py: Port‧to‧new‧client‧channel‧helpers

https://gitlab.com/BuildGrid/buildgrid/issues/144

34a95646

by Martin Blanchard at 2018-12-05T09:18:10Z

cmd_execute.py: Port‧to‧new‧client‧channel‧helpers

https://gitlab.com/BuildGrid/buildgrid/issues/144

3eaaa391

by Martin Blanchard at 2018-12-05T09:18:10Z

cmd_operation.py: Port‧to‧new‧client‧channel‧helpers

https://gitlab.com/BuildGrid/buildgrid/issues/144

7e33f586

by Martin Blanchard at 2018-12-05T09:18:10Z

server/instance.py: Register authentication gRPC interceptor

https://gitlab.com/BuildGrid/buildgrid/issues/144

b963c4f1

by Martin Blanchard at 2018-12-05T09:18:10Z

tests/utils: Add a file reader helper

https://gitlab.com/BuildGrid/buildgrid/issues/144

2c2b6b61

by Martin Blanchard at 2018-12-05T09:18:10Z

tests/utils/dummy.py: New (dummy) server helper

https://gitlab.com/BuildGrid/buildgrid/issues/144

f706d301

by Martin Blanchard at 2018-12-05T09:19:50Z

tests/auth: Add client and sever interceptor tests

https://gitlab.com/BuildGrid/buildgrid/issues/144

dd6afa28

by Martin Blanchard at 2018-12-05T09:19:51Z

.gitlab-ci.yml: Install auth. dependencies for testing

https://gitlab.com/BuildGrid/buildgrid/issues/144

28 changed files:

.gitlab-ci.yml
.pylintrc
buildgrid/_app/commands/cmd_bot.py
buildgrid/_app/commands/cmd_capabilities.py
buildgrid/_app/commands/cmd_cas.py
buildgrid/_app/commands/cmd_execute.py
buildgrid/_app/commands/cmd_operation.py
+ buildgrid/client/authentication.py
+ buildgrid/server/_authentication.py
buildgrid/server/instance.py
docs/source/installation.rst
setup.py
+ tests/auth/__init__.py
+ tests/auth/data/jwt-hs256-conflicting.secret
+ tests/auth/data/jwt-hs256-expired.token
+ tests/auth/data/jwt-hs256-matching.secret
+ tests/auth/data/jwt-hs256-unbounded.token
+ tests/auth/data/jwt-hs256-valid.token
+ tests/auth/data/jwt-rs256-conflicting.pub.key
+ tests/auth/data/jwt-rs256-expired.token
+ tests/auth/data/jwt-rs256-matching.priv.key
+ tests/auth/data/jwt-rs256-matching.pub.key
+ tests/auth/data/jwt-rs256-unbounded.token
+ tests/auth/data/jwt-rs256-valid.token
+ tests/auth/test_client.py
+ tests/auth/test_interceptor.py
+ tests/utils/dummy.py
tests/utils/utils.py

Changes:

.gitlab-ci.yml

@@ -20,6 +20,7 @@ before_script:
    variables:
      PYTEST_ADDOPTS: "--color=yes"
    script:
 +    - python3 -m pip install --user --editable ".[auth]"
      - python3 setup.py test
      - mkdir -p coverage/
      - cp .coverage coverage/coverage."${CI_JOB_NAME}"

.pylintrc

@@ -186,7 +186,8 @@ ignore-on-opaque-inference=yes
  # qualified names.
  ignored-classes=google.protobuf.any_pb2.Any,
                  google.protobuf.duration_pb2.Duration,
 -                google.protobuf.timestamp_pb2.Timestamp
 +                google.protobuf.timestamp_pb2.Timestamp,
 +                jwt
  # List of module names for which member attributes should not be checked
  # (useful for modules/projects where namespaces are manipulated during runtime
@@ -462,6 +463,7 @@ known-third-party=boto3,
                    google,
                    grpc,
                    janus,
 +                  jwt,
                    moto,
                    yaml
@@ -525,4 +527,4 @@ valid-metaclass-classmethod-first-arg=mcs
  # Exceptions that will emit a warning when being caught. Defaults to
  # "Exception"
 -overgeneral-exceptions=Exception
 +overgeneral-exceptions=Exception
 \ No newline at end of file

buildgrid/_app/commands/cmd_bot.py

@@ -22,16 +22,15 @@ Create a bot interface and request work
  from pathlib import Path, PurePath
  import sys
 -from urllib.parse import urlparse
  import click
 -import grpc
  from buildgrid.bot import bot, interface, session
  from buildgrid.bot.hardware.interface import HardwareInterface
  from buildgrid.bot.hardware.device import Device
  from buildgrid.bot.hardware.worker import Worker
+-
 +from buildgrid.client.authentication import setup_channel
 +from buildgrid._exceptions import InvalidArgumentError
  from ..bots import buildbox, dummy, host
  from ..cli import pass_context, setup_logging
@@ -40,20 +39,22 @@ from ..cli import pass_context, setup_logging
  @click.group(name='bot', short_help="Create and register bot clients.")
  @click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
                help="Remote execution server's URL (port defaults to 50051 if not specified).")
 +@click.option('--auth-token', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Authorization token for the remote.")
  @click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Private client key for TLS (PEM-encoded)")
 +              help="Private client key for TLS (PEM-encoded).")
  @click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public client certificate for TLS (PEM-encoded)")
 +              help="Public client certificate for TLS (PEM-encoded).")
  @click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public server certificate for TLS (PEM-encoded)")
 +              help="Public server certificate for TLS (PEM-encoded).")
  @click.option('--remote-cas', type=click.STRING, default=None, show_default=True,
                help="Remote CAS server's URL (port defaults to 11001 if not specified).")
  @click.option('--cas-client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Private CAS client key for TLS (PEM-encoded)")
 +              help="Private CAS client key for TLS (PEM-encoded).")
  @click.option('--cas-client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public CAS client certificate for TLS (PEM-encoded)")
 +              help="Public CAS client certificate for TLS (PEM-encoded).")
  @click.option('--cas-server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public CAS server certificate for TLS (PEM-encoded)")
 +              help="Public CAS server certificate for TLS (PEM-encoded).")
  @click.option('--update-period', type=click.FLOAT, default=0.5, show_default=True,
                help="Time period for bot updates to the server in seconds.")
  @click.option('--parent', type=click.STRING, default='main', show_default=True,
@@ -61,69 +62,31 @@ from ..cli import pass_context, setup_logging
  @click.option('-v', '--verbose', count=True,
                help='Increase log verbosity level.')
  @pass_context
 -def cli(context, parent, update_period, remote, client_key, client_cert, server_cert,
 +def cli(context, parent, update_period, remote, auth_token, client_key, client_cert, server_cert,
          remote_cas, cas_client_key, cas_client_cert, cas_server_cert, verbose):
      setup_logging(verbosity=verbose)
      # Setup the remote execution server channel:
 -    url = urlparse(remote)
+-
 -    context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
 -    context.remote_url = remote
 -    context.update_period = update_period
 -    context.parent = parent
+-
 -    if url.scheme == 'http':
 -        context.channel = grpc.insecure_channel(context.remote)
+-
 -        context.client_key = None
 -        context.client_cert = None
 -        context.server_cert = None
 -    else:
 -        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 -        if not credentials:
 -            click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 -            sys.exit(-1)
+-
 -        context.channel = grpc.secure_channel(context.remote, credentials)
+-
 -        context.client_key = credentials.client_key
 -        context.client_cert = credentials.client_cert
 -        context.server_cert = credentials.server_cert
+-
 -    # Setup the remote CAS server channel, if separated:
 -    if remote_cas is not None and remote_cas != remote:
 -        cas_url = urlparse(remote_cas)
+-
 -        context.remote_cas = '{}:{}'.format(cas_url.hostname, cas_url.port or 11001)
 -        context.remote_cas_url = remote_cas
 +    try:
 +        context.channel, details = setup_channel(remote, auth_token=auth_token, server_cert=server_cert,
 +                                                 client_key=client_key, client_cert=client_cert)
 -        if cas_url.scheme == 'http':
 -            context.cas_channel = grpc.insecure_channel(context.remote_cas)
 +        if remote_cas is not None and remote_cas != remote:
 +            context.cas_channel, details = setup_channel(remote_cas, server_cert=cas_server_cert,
 +                                                         client_key=cas_client_key, client_cert=cas_client_cert)
 +            context.remote_cas_url = remote_cas
 -            context.cas_client_key = None
 -            context.cas_client_cert = None
 -            context.cas_server_cert = None
          else:
 -            cas_credentials = context.load_client_credentials(cas_client_key, cas_client_cert, cas_server_cert)
 -            if not cas_credentials:
 -                click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 -                sys.exit(-1)
+-
 -            context.cas_channel = grpc.secure_channel(context.remote_cas, cas_credentials)
 +            context.cas_channel = context.channel
 +            context.remote_cas_url = remote
 -            context.cas_client_key = cas_credentials.client_key
 -            context.cas_client_cert = cas_credentials.client_cert
 -            context.cas_server_cert = cas_credentials.server_cert
 +        context.cas_client_key, context.cas_client_cert, context.cas_server_cert = details
 -    else:
 -        context.remote_cas = context.remote
 -        context.remote_cas_url = remote
 +    except InvalidArgumentError as e:
 +        click.echo("Error: {}.".format(e), err=True)
 +        sys.exit(-1)
 -        context.cas_channel = context.channel
+-
 -        context.cas_client_key = context.client_key
 -        context.cas_client_cert = context.client_cert
 -        context.cas_server_cert = context.server_cert
 +    context.update_period = update_period
 +    context.parent = parent
      bot_interface = interface.BotInterface(context.channel)

buildgrid/_app/commands/cmd_capabilities.py

@@ -13,13 +13,12 @@
  # limitations under the License.
 -import sys
 -from urllib.parse import urlparse
+-
  import click
 -import grpc
 +from google.protobuf import json_format
 +from buildgrid.client.authentication import setup_channel
  from buildgrid.client.capabilities import CapabilitiesInterface
 +from buildgrid._exceptions import InvalidArgumentError
  from ..cli import pass_context
@@ -27,32 +26,29 @@ from ..cli import pass_context
  @click.command(name='capabilities', short_help="Capabilities service.")
  @click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
                help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--auth-token', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Authorization token for the remote.")
  @click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Private client key for TLS (PEM-encoded)")
 +              help="Private client key for TLS (PEM-encoded).")
  @click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public client certificate for TLS (PEM-encoded)")
 +              help="Public client certificate for TLS (PEM-encoded).")
  @click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public server certificate for TLS (PEM-encoded)")
 +              help="Public server certificate for TLS (PEM-encoded).")
  @click.option('--instance-name', type=click.STRING, default='main', show_default=True,
                help="Targeted farm instance name.")
  @pass_context
 -def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 -    click.echo("Getting capabilities...")
 -    url = urlparse(remote)
+-
 -    remote = '{}:{}'.format(url.hostname, url.port or 50051)
 -    instance_name = instance_name
+-
 -    if url.scheme == 'http':
 -        channel = grpc.insecure_channel(remote)
 -    else:
 -        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 -        if not credentials:
 -            click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 -            sys.exit(-1)
+-
 -        channel = grpc.secure_channel(remote, credentials)
+-
 -    interface = CapabilitiesInterface(channel)
 -    response = interface.get_capabilities(instance_name)
 -    click.echo(response)
 +def cli(context, remote, instance_name, auth_token, client_key, client_cert, server_cert):
 +    """Entry point for the bgd-capabilities CLI command group."""
 +    try:
 +        context.channel, _ = setup_channel(remote, auth_token=auth_token,
 +                                           client_key=client_key, client_cert=client_cert)
++
 +    except InvalidArgumentError as e:
 +        click.echo("Error: {}.".format(e), err=True)
++
 +    context.instance_name = instance_name
++
 +    interface = CapabilitiesInterface(context.channel)
 +    response = interface.get_capabilities(context.instance_name)
++
 +    click.echo(json_format.MessageToJson(response))

buildgrid/_app/commands/cmd_cas.py

@@ -21,13 +21,12 @@ Request work to be executed and monitor status of jobs.
  """
  import os
 -import sys
 -from urllib.parse import urlparse
  import click
 -import grpc
 +from buildgrid.client.authentication import setup_channel
  from buildgrid.client.cas import download, upload
 +from buildgrid._exceptions import InvalidArgumentError
  from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2
  from buildgrid.utils import create_digest, merkle_tree_maker, read_file
@@ -37,32 +36,27 @@ from ..cli import pass_context
  @click.group(name='cas', short_help="Interact with the CAS server.")
  @click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
                help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--auth-token', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Authorization token for the remote.")
  @click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Private client key for TLS (PEM-encoded)")
 +              help="Private client key for TLS (PEM-encoded).")
  @click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public client certificate for TLS (PEM-encoded)")
 +              help="Public client certificate for TLS (PEM-encoded).")
  @click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
                help="Public server certificate for TLS (PEM-encoded)")
  @click.option('--instance-name', type=click.STRING, default='main', show_default=True,
                help="Targeted farm instance name.")
  @pass_context
 -def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 -    url = urlparse(remote)
 +def cli(context, remote, instance_name, auth_token, client_key, client_cert, server_cert):
 +    """Entry point for the bgd-cas CLI command group."""
 +    try:
 +        context.channel, _ = setup_channel(remote, auth_token=auth_token,
 +                                           client_key=client_key, client_cert=client_cert)
 -    context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
 -    context.instance_name = instance_name
+-
 -    if url.scheme == 'http':
 -        context.channel = grpc.insecure_channel(context.remote)
 -    else:
 -        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 -        if not credentials:
 -            click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 -            sys.exit(-1)
 +    except InvalidArgumentError as e:
 +        click.echo("Error: {}.".format(e), err=True)
 -        context.channel = grpc.secure_channel(context.remote, credentials)
+-
 -    click.echo("Starting for remote=[{}]".format(context.remote))
 +    context.instance_name = instance_name
  @cli.command('upload-dummy', short_help="Upload a dummy action. Should be used with `execute dummy-request`")

buildgrid/_app/commands/cmd_execute.py

@@ -23,12 +23,12 @@ Request work to be executed and monitor status of jobs.
  import os
  import stat
  import sys
 -from urllib.parse import urlparse
  import click
 -import grpc
 +from buildgrid.client.authentication import setup_channel
  from buildgrid.client.cas import download, upload
 +from buildgrid._exceptions import InvalidArgumentError
  from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2, remote_execution_pb2_grpc
  from buildgrid.utils import create_digest
@@ -38,32 +38,27 @@ from ..cli import pass_context
  @click.group(name='execute', short_help="Execute simple operations.")
  @click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
                help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--auth-token', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Authorization token for the remote.")
  @click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Private client key for TLS (PEM-encoded)")
 +              help="Private client key for TLS (PEM-encoded).")
  @click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public client certificate for TLS (PEM-encoded)")
 +              help="Public client certificate for TLS (PEM-encoded).")
  @click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public server certificate for TLS (PEM-encoded)")
 +              help="Public server certificate for TLS (PEM-encoded).")
  @click.option('--instance-name', type=click.STRING, default='main', show_default=True,
                help="Targeted farm instance name.")
  @pass_context
 -def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 -    url = urlparse(remote)
 +def cli(context, remote, instance_name, auth_token, client_key, client_cert, server_cert):
 +    """Entry point for the bgd-execute CLI command group."""
 +    try:
 +        context.channel, _ = setup_channel(remote, auth_token=auth_token,
 +                                           client_key=client_key, client_cert=client_cert)
 -    context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
 -    context.instance_name = instance_name
+-
 -    if url.scheme == 'http':
 -        context.channel = grpc.insecure_channel(context.remote)
 -    else:
 -        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 -        if not credentials:
 -            click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 -            sys.exit(-1)
 +    except InvalidArgumentError as e:
 +        click.echo("Error: {}.".format(e), err=True)
 -        context.channel = grpc.secure_channel(context.remote, credentials)
+-
 -    click.echo("Starting for remote=[{}]".format(context.remote))
 +    context.instance_name = instance_name
  @cli.command('request-dummy', short_help="Send a dummy action.")

buildgrid/_app/commands/cmd_operation.py

@@ -22,15 +22,14 @@ Check the status of operations
  from collections import OrderedDict
  from operator import attrgetter
 -from urllib.parse import urlparse
 -import sys
  from textwrap import indent
  import click
  from google.protobuf import json_format
 -import grpc
 +from buildgrid.client.authentication import setup_channel
  from buildgrid._enums import OperationStage
 +from buildgrid._exceptions import InvalidArgumentError
  from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2, remote_execution_pb2_grpc
  from buildgrid._protos.google.longrunning import operations_pb2, operations_pb2_grpc
  from buildgrid._protos.google.rpc import code_pb2
@@ -41,32 +40,27 @@ from ..cli import pass_context
  @click.group(name='operation', short_help="Long running operations commands.")
  @click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
                help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--auth-token', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Authorization token for the remote.")
  @click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Private client key for TLS (PEM-encoded)")
 +              help="Private client key for TLS (PEM-encoded).")
  @click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public client certificate for TLS (PEM-encoded)")
 +              help="Public client certificate for TLS (PEM-encoded).")
  @click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 -              help="Public server certificate for TLS (PEM-encoded)")
 +              help="Public server certificate for TLS (PEM-encoded).")
  @click.option('--instance-name', type=click.STRING, default='main', show_default=True,
                help="Targeted farm instance name.")
  @pass_context
 -def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 -    url = urlparse(remote)
 +def cli(context, remote, instance_name, auth_token, client_key, client_cert, server_cert):
 +    """Entry point for the bgd-operation CLI command group."""
 +    try:
 +        context.channel, _ = setup_channel(remote, auth_token=auth_token,
 +                                           client_key=client_key, client_cert=client_cert)
 -    context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
 -    context.instance_name = instance_name
+-
 -    if url.scheme == 'http':
 -        context.channel = grpc.insecure_channel(context.remote)
 -    else:
 -        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 -        if not credentials:
 -            click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 -            sys.exit(-1)
 +    except InvalidArgumentError as e:
 +        click.echo("Error: {}.".format(e), err=True)
 -        context.channel = grpc.secure_channel(context.remote, credentials)
+-
 -    click.echo("Starting for remote=[{}]".format(context.remote))
 +    context.instance_name = instance_name
  def _print_operation_status(operation, print_details=False):

buildgrid/client/authentication.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
++
 +import base64
 +from collections import namedtuple
 +from urllib.parse import urlparse
 +import os
++
 +import grpc
++
 +from buildgrid._exceptions import InvalidArgumentError
 +from buildgrid.utils import read_file
++
++
 +def load_tls_channel_credentials(client_key=None, client_cert=None, server_cert=None):
 +    """Looks-up and loads TLS gRPC client channel credentials.
++
 +    Args:
 +        client_key(str, optional): Client certificate chain file path.
 +        client_cert(str, optional): Client private key file path.
 +        server_cert(str, optional): Serve root certificate file path.
++
 +    Returns:
 +        ChannelCredentials: Credentials to be used for a TLS-encrypted gRPC
 +            client channel.
 +    """
 +    if server_cert and os.path.exists(server_cert):
 +        server_cert_pem = read_file(server_cert)
 +    else:
 +        server_cert_pem = None
 +        server_cert = None
++
 +    if client_key and os.path.exists(client_key):
 +        client_key_pem = read_file(client_key)
 +    else:
 +        client_key_pem = None
 +        client_key = None
++
 +    if client_key_pem and client_cert and os.path.exists(client_cert):
 +        client_cert_pem = read_file(client_cert)
 +    else:
 +        client_cert_pem = None
 +        client_cert = None
++
 +    credentials = grpc.ssl_channel_credentials(root_certificates=server_cert_pem,
 +                                               private_key=client_key_pem,
 +                                               certificate_chain=client_cert_pem)
++
 +    return credentials, (client_key, client_cert, server_cert,)
++
++
 +def load_channel_authorization_token(auth_token=None):
 +    """Looks-up and loads client authorization token.
++
 +    Args:
 +        auth_token (str, optional): Token file path.
++
 +    Returns:
 +        str: Encoded token string.
 +    """
 +    if auth_token and os.path.exists(auth_token):
 +        return read_file(auth_token).decode()
++
 +    # TODO: Try loading the token from a default location?
++
 +    return None
++
++
 +def setup_channel(remote_url, auth_token=None,
 +                  client_key=None, client_cert=None, server_cert=None):
 +    """Creates a new gRPC client communication chanel.
++
 +    If `remote_url` does not specifies a port number, defaults 50051.
++
 +    Args:
 +        remote_url (str): URL for the remote, including port and protocol.
 +        auth_token (str): Authorization token file path.
 +        server_cert(str): TLS certificate chain file path.
 +        client_key(str): TLS root certificate file path.
 +        client_cert(str): TLS private key file path.
++
 +    Returns:
 +        Channel: Client Channel to be used in order to access the server
 +            at `remote_url`.
++
 +    Raises:
 +        InvalidArgumentError: On any input parsing error.
 +    """
 +    url = urlparse(remote_url)
 +    remote = '{}:{}'.format(url.hostname, url.port or 50051)
 +    details = None, None, None
++
 +    if url.scheme == 'http':
 +        channel = grpc.insecure_channel(remote)
++
 +    elif url.scheme == 'https':
 +        credentials, details = load_tls_channel_credentials(client_key, client_cert, server_cert)
 +        if not credentials:
 +            raise InvalidArgumentError("Given TLS details (or defaults) could be loaded")
++
 +        channel = grpc.secure_channel(remote, credentials)
++
 +    else:
 +        raise InvalidArgumentError("Given remote does not specify a protocol")
++
 +    if auth_token is not None:
 +        token = load_channel_authorization_token(auth_token)
 +        if not token:
 +            raise InvalidArgumentError("Given authorization token could be loaded")
++
 +        interpector = AuthMetadataClientInterceptor(auth_token=token)
 +        channel = grpc.intercept_channel(channel, interpector)
++
 +    return channel, details
++
++
 +class AuthMetadataClientInterceptor(
 +        grpc.UnaryUnaryClientInterceptor, grpc.UnaryStreamClientInterceptor,
 +        grpc.StreamUnaryClientInterceptor, grpc.StreamStreamClientInterceptor):
++
 +    def __init__(self, auth_token=None, auth_secret=None):
 +        """Initialises a new :class:`AuthMetadataClientInterceptor`.
++
 +        Important:
 +            One of `auth_token` or `auth_secret` must be provided.
++
 +        Args:
 +            auth_token (str, optional): Authorization token as a string.
 +            auth_secret (str, optional): Authorization secret as a string.
 +        """
 +        if auth_token:
 +            self.__secret = auth_token.strip()
 +        else:
 +            self.__secret = base64.b64encode(auth_secret)
++
 +        self.__header_field_name = 'authorization'
 +        self.__header_field_value = 'Bearer {}'.format(self.__secret)
++
 +    # --- Public API ---
++
 +    def intercept_unary_unary(self, continuation, client_call_details, request):
 +        new_details = self._amend_call_details(client_call_details)
++
 +        return continuation(new_details, request)
++
 +    def intercept_unary_stream(self, continuation, client_call_details, request):
 +        new_details = self._amend_call_details(client_call_details)
++
 +        return continuation(new_details, request)
++
 +    def intercept_stream_unary(self, continuation, client_call_details, request_iterator):
 +        new_details = self._amend_call_details(client_call_details)
++
 +        return continuation(new_details, request_iterator)
++
 +    def intercept_stream_stream(self, continuation, client_call_details, request_iterator):
 +        new_details = self._amend_call_details(client_call_details)
++
 +        return continuation(new_details, request_iterator)
++
 +    # --- Private API ---
++
 +    def _amend_call_details(self, client_call_details):
 +        """Appends an authorization field to given client call details."""
 +        if client_call_details.metadata is not None:
 +            new_metadata = list(client_call_details.metadata)
 +        else:
 +            new_metadata = []
++
 +        new_metadata.append((self.__header_field_name, self.__header_field_value,))
++
 +        class _ClientCallDetails(
 +                namedtuple('_ClientCallDetails',
 +                           ('method', 'timeout', 'credentials', 'metadata')),
 +                grpc.ClientCallDetails):
 +            pass
++
 +        return _ClientCallDetails(client_call_details.method,
 +                                  client_call_details.timeout,
 +                                  client_call_details.credentials,
 +                                  new_metadata)

buildgrid/server/_authentication.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
++
 +from datetime import datetime
 +from enum import Enum
 +import logging
++
 +import grpc
++
 +from buildgrid._exceptions import InvalidArgumentError
++
++
 +try:
 +    import jwt
 +except ImportError:
 +    HAVE_JWT = False
 +else:
 +    HAVE_JWT = True
++
++
 +class AuthMetadataMethod(Enum):
 +    # No authentication:
 +    NONE = 'none'
 +    # JWT based authentication:
 +    JWT = 'JWT'
++
++
 +class AuthMetadataAlgorithm(Enum):
 +    # No encryption involved:
 +    NONE = 'none'
 +    # JWT related algorithms:
 +    JWT_ES256 = 'ES256'  # ECDSA signature algorithm using SHA-256 hash algorithm
 +    JWT_ES384 = 'ES384'  # ECDSA signature algorithm using SHA-384 hash algorithm
 +    JWT_ES512 = 'ES512'  # ECDSA signature algorithm using SHA-512 hash algorithm
 +    JWT_HS256 = 'HS256'  # HMAC using SHA-256 hash algorithm
 +    JWT_HS384 = 'HS384'  # HMAC using SHA-384 hash algorithm
 +    JWT_HS512 = 'HS512'  # HMAC using SHA-512 hash algorithm
 +    JWT_PS256 = 'PS256'  # RSASSA-PSS using SHA-256 and MGF1 padding with SHA-256
 +    JWT_PS384 = 'PS384'  # RSASSA-PSS signature using SHA-384 and MGF1 padding with SHA-384
 +    JWT_PS512 = 'PS512'  # RSASSA-PSS signature using SHA-512 and MGF1 padding with SHA-512
 +    JWT_RS256 = 'RS256'  # RSASSA-PKCS1-v1_5 signature algorithm using SHA-256 hash algorithm
 +    JWT_RS384 = 'RS384'  # RSASSA-PKCS1-v1_5 signature algorithm using SHA-384 hash algorithm
 +    JWT_RS512 = 'RS512'  # RSASSA-PKCS1-v1_5 signature algorithm using SHA-512 hash algorithm
++
++
 +class _InvalidTokenError(Exception):
 +    pass
++
++
 +class _ExpiredTokenError(Exception):
 +    pass
++
++
 +class _UnboundedTokenError(Exception):
 +    pass
++
++
 +class AuthMetadataServerInterceptor(grpc.ServerInterceptor):
++
 +    __auth_errors = {
 +        'missing-bearer': 'Missing authentication header field',
 +        'invalid-bearer': 'Invalid authentication header field',
 +        'invalid-token': 'Invalid authentication token',
 +        'expired-token': 'Expired authentication token',
 +        'unbounded-token': 'Unbounded authentication token',
 +    }
++
 +    def __init__(self, method, secret=None, algorithm=AuthMetadataAlgorithm.NONE):
 +        """Initialises a new :class:`AuthMetadataServerInterceptor`.
++
 +        Args:
 +            method (AuthMetadataMethod): Type of authorization method.
 +            secret (str): The secret or key to be used for validating request,
 +                depending on `method`. Defaults to ``None``.
 +            algorithm (AuthMetadataAlgorithm): The crytographic algorithm used
 +                to encode `secret`. Defaults to ``AuthMetadataAlgorithm.NONE``.
++
 +        Raises:
 +            InvalidArgumentError: If `method` is not supported or if `algorithm`
 +                is not supported for the given `method`.
 +        """
 +        self.__logger = logging.getLogger(__name__)
++
 +        self.__bearer_cache = {}
 +        self.__terminators = {}
 +        self.__validator = None
 +        self.__secret = secret
++
 +        self._method = method
 +        self._algorithm = algorithm
++
 +        if self._method == AuthMetadataMethod.JWT:
 +            if not HAVE_JWT:
 +                raise InvalidArgumentError("JWT authorization method requires PyJWT")
++
 +            try:
 +                jwt.register_algorithm(self._algorithm.value, None)
 +            except TypeError:
 +                raise InvalidArgumentError("Algorithm not supported for JWT decoding: [{}]"
 +                                           .format(self._algorithm))
 +            except ValueError:
 +                pass
++
 +            self.__validator = self._validate_jwt_token
++
 +        for code, message in self.__auth_errors.items():
 +            self.__terminators[code] = _unary_unary_rpc_terminator(message)
++
 +    # --- Public API ---
++
 +    @property
 +    def method(self):
 +        return self._method
++
 +    @property
 +    def algorithm(self):
 +        return self._algorithm
++
 +    def intercept_service(self, continuation, handler_call_details):
 +        try:
 +            # Reject requests not carrying a token:
 +            bearer = dict(handler_call_details.invocation_metadata)['authorization']
++
 +        except KeyError:
 +            self.__logger.error("Rejecting '{}' request: {}"
 +                                .format(handler_call_details.method.split('/')[-1],
 +                                        self.__auth_errors['missing-bearer']))
 +            return self.__terminators['missing-bearer']
++
 +        # Reject requests with malformated bearer:
 +        if not bearer.startswith('Bearer '):
 +            self.__logger.error("Rejecting '{}' request: {}"
 +                                .format(handler_call_details.method.split('/')[-1],
 +                                        self.__auth_errors['invalid-bearer']))
 +            return self.__terminators['invalid-bearer']
++
 +        try:
 +            # Hit the cache for already validated token:
 +            expiration_time = self.__bearer_cache[bearer]
++
 +            # Accept request if cached token hasn't expired yet:
 +            if expiration_time < datetime.utcnow():
 +                return continuation(handler_call_details)  # Accepted
++
 +        except KeyError:
 +            pass
++
 +        assert self.__validator is not None
++
 +        try:
 +            # Decode and validate the new token:
 +            expiration_time = self.__validator(bearer[7:])
++
 +        except _InvalidTokenError as e:
 +            self.__logger.error("Rejecting '{}' request: {}; {}"
 +                                .format(handler_call_details.method.split('/')[-1],
 +                                        self.__auth_errors['invalid-token'], str(e)))
 +            return self.__terminators['invalid-token']
++
 +        except _ExpiredTokenError as e:
 +            self.__logger.error("Rejecting '{}' request: {}; {}"
 +                                .format(handler_call_details.method.split('/')[-1],
 +                                        self.__auth_errors['expired-token'], str(e)))
 +            return self.__terminators['expired-token']
++
 +        except _UnboundedTokenError as e:
 +            self.__logger.error("Rejecting '{}' request: {}; {}"
 +                                .format(handler_call_details.method.split('/')[-1],
 +                                        self.__auth_errors['unbounded-token'], str(e)))
 +            return self.__terminators['unbounded-token']
++
 +        # Cache the validated token and store expiration time:
 +        self.__bearer_cache[bearer] = expiration_time
++
 +        return continuation(handler_call_details)  # Accepted
++
 +    # --- Private API ---
++
 +    def _validate_jwt_token(self, token):
 +        """Validates a JWT token and returns its expiry date."""
 +        try:
 +            payload = jwt.decode(
 +                token, self.__secret, algorithms=[self._algorithm.value])
++
 +        except jwt.exceptions.ExpiredSignatureError as e:
 +            raise _ExpiredTokenError(e)
++
 +        except jwt.exceptions.InvalidTokenError as e:
 +            raise _InvalidTokenError(e)
++
 +        if 'exp' not in payload or not isinstance(payload['exp'], int):
 +            raise _UnboundedTokenError("Missing 'exp' in payload")
++
 +        return datetime.fromtimestamp(payload['exp'])
++
++
 +def _unary_unary_rpc_terminator(details):
++
 +    def terminate(ignored_request, context):
 +        context.abort(grpc.StatusCode.UNAUTHENTICATED, details)
++
 +    return grpc.unary_unary_rpc_method_handler(terminate)

buildgrid/server/instance.py

@@ -29,6 +29,7 @@ import janus
  from buildgrid._enums import BotStatus, LogRecordLevel, MetricRecordDomain, MetricRecordType
  from buildgrid._protos.buildgrid.v2 import monitoring_pb2
  from buildgrid.server.actioncache.service import ActionCacheService
 +from buildgrid.server._authentication import AuthMetadataMethod, AuthMetadataAlgorithm, AuthMetadataServerInterceptor
  from buildgrid.server.bots.service import BotsService
  from buildgrid.server.capabilities.instance import CapabilitiesInstance
  from buildgrid.server.capabilities.service import CapabilitiesService
@@ -47,11 +48,21 @@ class BuildGridServer:
      requisite services.
      """
 -    def __init__(self, max_workers=None, monitor=False):
 +    def __init__(self, max_workers=None, monitor=False, auth_method=AuthMetadataMethod.NONE,
 +                 auth_secret=None, auth_algorithm=AuthMetadataAlgorithm.NONE):
          """Initializes a new :class:`BuildGridServer` instance.
          Args:
              max_workers (int, optional): A pool of max worker threads.
 +            monitor (bool, optional): Whether or not to globally activate server
 +                monitoring. Defaults to ``False``.
 +            auth_method (AuthMetadataMethod, optional): Authentication method to
 +                be used for request authorization. Defaults to ``NONE``.
 +            auth_secret (str, optional): The secret or key to be used for
 +                authorizing request using `auth_method`. Defaults to ``None``.
 +            auth_algorithm (AuthMetadataAlgorithm, optional): The crytographic
 +                algorithm to be uses in combination with `auth_secret` for
 +                authorizing request using `auth_method`. Defaults to ``NONE``.
          """
          self.__logger = logging.getLogger(__name__)
@@ -59,8 +70,17 @@ class BuildGridServer:
              # Use max_workers default from Python 3.5+
              max_workers = (os.cpu_count() or 1) * 5
 +        self.__grpc_auth_interceptor = None
 +        if auth_method != AuthMetadataMethod.NONE:
 +            self.__grpc_auth_interceptor = AuthMetadataServerInterceptor(
 +                method=auth_method, secret=auth_secret, algorithm=auth_algorithm)
          self.__grpc_executor = futures.ThreadPoolExecutor(max_workers)
 -        self.__grpc_server = grpc.server(self.__grpc_executor)
++
 +        if self.__grpc_auth_interceptor is not None:
 +            self.__grpc_server = grpc.server(
 +                self.__grpc_executor, interceptors=(self.__grpc_auth_interceptor,))
 +        else:
 +            self.__grpc_server = grpc.server(self.__grpc_executor)
          self.__main_loop = asyncio.get_event_loop()

docs/source/installation.rst

@@ -59,20 +59,20 @@ have to adjust your ``PATH``, in ``~/.bashrc``, with:
  .. note::
 -   The ``setup.py`` script defines two extra targets, ``docs`` and ``tests``,
 -   that declare required dependency for, respectively, generating documentation
 -   and running unit-tests. They can be use as helpers for setting up a
 -   development environment. To use them simply run:
 +   The ``setup.py`` script defines three extra targets, ``auth``, ``docs`` and
 +   ``tests``. They declare required dependency for, respectively, authentication
 +   and authorization management, generating documentation and running
 +   unit-tests. They can be use as helpers for setting up a development
 +   environment. To use them simply run:
     .. code-block:: sh
 -      pip3 install --user --editable ".[docs,tests]"
+-
 +      pip3 install --user --editable ".[auth,docs,tests]"
  .. install-docker:
 -Installation through docker
 +Installation through Docker
  ---------------------------
  How to build a Docker image that runs BuildGrid.

setup.py

@@ -85,6 +85,11 @@ def get_cmdclass():
+     }
      return cmdclass
 +auth_require = [
 +    'cryptography >= 1.8.0',  # Required by pyjwt for RSA
 +    'pyjwt >= 1.5.0',
 +]
++
  tests_require = [
      'coverage >= 4.5.0',
      'moto < 1.3.7',
@@ -130,6 +135,7 @@ setup(
      setup_requires=['pytest-runner'],
      tests_require=tests_require,
      extras_require={
 +        'auth': auth_require,
          'docs': docs_require,
          'tests': tests_require,
      },

tests/auth/__init__.py

tests/auth/data/jwt-hs256-conflicting.secret

	1	+not-your-256-bit-secret
		\ No newline at end of file

tests/auth/data/jwt-hs256-expired.token

	1	+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJCdWlsZEdyaWQgVGVzdCIsImlhdCI6MTM1NTMxNDMzMiwiZXhwIjoxMzU1MzE0MzMyfQ.J-YxkvVbeZFwZ2_mK1d91Wb5vm481LkuehfkUoNpLb8
		\ No newline at end of file

tests/auth/data/jwt-hs256-matching.secret

+your-256-bit-secret

tests/auth/data/jwt-hs256-unbounded.token

	1	+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJCdWlsZEdyaWQgVGVzdCIsImlhdCI6MTM1NTMxNDMzMn0.tEBYb8GM_4lmJCxrh6iMhdoxupgGTCaJR3atLxodZV8
		\ No newline at end of file

tests/auth/data/jwt-hs256-valid.token

	1	+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJCdWlsZEdyaWQgVGVzdCIsImlhdCI6MTM1NTMxNDMzMiwiZXhwIjoyMzAxOTk5MTMyfQ.U__BJgksk65S0YuDZqU85tRWF3F03ITF9HXW1cd_Ci8
		\ No newline at end of file

tests/auth/data/jwt-rs256-conflicting.pub.key

 +-----BEGIN PUBLIC KEY-----
 +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNGWI+5SgYIiGcS5UNQzZOs5As
 +QJRsKR7bBiMjJWnqrNExn0pYrecQsBy6zgwmN6MqEPFV5A1GOEeP3FAqlwD5y+rL
 +iO2tqq0naiFiJb27qsHzgjakw7pVqgJuGuLVIWWE1RlDnhfN+auNGWyl2YjF6N2+
 +Lsl0bBX8Q8zaOxbU3wIDAQAB
 +-----END PUBLIC KEY-----

tests/auth/data/jwt-rs256-expired.token

+eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJCdWlsZEdyaWQgVGVzdCIsImlhdCI6MTM1NTMxNDMzMiwiZXhwIjoxMzU1MzE0MzMyfQ.L9Wg6YDEV57_a_j_J2s6ug5eEGS80SvlwztdVFzU1ajqlfYmbF5oYq6IEMaiZq95aKkJ71xnwpGfpcuufH-xONiNoZhTg7r-lb99yvPZ8VEHwOIyt1EUEziffim9XRiuwM570fg7_HUC-ZhNJG536k1IM-6rPRnv-1Tu-MxLgvQ

\ No newline at end of file

tests/auth/data/jwt-rs256-matching.priv.key

 +-----BEGIN RSA PRIVATE KEY-----
 +MIICWwIBAAKBgQDdlatRjRjogo3WojgGHFHYLugdUWAY9iR3fy4arWNA1KoS8kVw
 +33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQsHUfQrSDv+MuSUMAe8jzKE4qW
 ++jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5Do2kQ+X5xK9cipRgEKwIDAQAB
 +AoGAD+onAtVye4ic7VR7V50DF9bOnwRwNXrARcDhq9LWNRrRGElESYYTQ6EbatXS
 +3MCyjjX2eMhu/aF5YhXBwkppwxg+EOmXeh+MzL7Zh284OuPbkglAaGhV9bb6/5Cp
 +uGb1esyPbYW+Ty2PC0GSZfIXkXs76jXAu9TOBvD0ybc2YlkCQQDywg2R/7t3Q2OE
 +2+yo382CLJdrlSLVROWKwb4tb2PjhY4XAwV8d1vy0RenxTB+K5Mu57uVSTHtrMK0
 +GAtFr833AkEA6avx20OHo61Yela/4k5kQDtjEf1N0LfI+BcWZtxsS3jDM3i1Hp0K
 +Su5rsCPb8acJo5RO26gGVrfAsDcIXKC+bQJAZZ2XIpsitLyPpuiMOvBbzPavd4gY
 +6Z8KWrfYzJoI/Q9FuBo6rKwl4BFoToD7WIUS+hpkagwWiz+6zLoX1dbOZwJACmH5
 +fSSjAkLRi54PKJ8TFUeOP15h9sQzydI8zJU+upvDEKZsZc/UhT/SySDOxQ4G/523
 +Y0sz/OZtSWcol/UMgQJALesy++GdvoIDLfJX5GBQpuFgFenRiRDabxrE9MNUZ2aP
 +FaFp+DyAe+b4nDwuJaW2LURbr8AEZga7oQj0uYxcYw==
 +-----END RSA PRIVATE KEY-----
 \ No newline at end of file

tests/auth/data/jwt-rs256-matching.pub.key

 +-----BEGIN PUBLIC KEY-----
 +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugd
 +UWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQs
 +HUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5D
 +o2kQ+X5xK9cipRgEKwIDAQAB
 +-----END PUBLIC KEY-----

tests/auth/data/jwt-rs256-unbounded.token

+eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJCdWlsZEdyaWQgVGVzdCIsImlhdCI6MTM1NTMxNDMzMn0.1_yoF5Vg1fXs2SmWhYm7LbLMGbZVgBjxZkzRlw87blSG6lRgEi_R-WXKcS4n_pGynkcahJ_AqLseyHduXZveI1nVQFATXVNQQPcvmkM6pYSHPm155iqZFdYAWWVKB9ND1F3oDrXLBzqF2a4HtLNXYTu5gDStdUPkrH_FiatX79g

\ No newline at end of file

tests/auth/data/jwt-rs256-valid.token

+eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJCdWlsZEdyaWQgVGVzdCIsImlhdCI6MTM1NTMxNDMzMiwiZXhwIjoyMzAxOTk5MTMyfQ.RCbQNqPaF0mfFsUGwdb47Ga3DITAL7OjYlcWkJ2xWL61Fo9zURx_mSIVDYTgEY3nFW1cmf2r6Y2Z0rEUOY-qBl8B9Ww9jijGz7LMR4w_j8f967MjTxkyOCWZSUWazObg5jxNjLtfxPD28UbbrS_2R8BLgMQFf3ymSDXTX5lAdBY

\ No newline at end of file

tests/auth/test_client.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
 +# pylint: disable=redefined-outer-name
++
++
 +import os
++
 +import grpc
 +import pytest
++
 +from buildgrid.client.authentication import setup_channel
 +from buildgrid._protos.google.bytestream import bytestream_pb2, bytestream_pb2_grpc
 +from buildgrid.server._authentication import AuthMetadataMethod, AuthMetadataAlgorithm
++
 +from ..utils.dummy import serve_dummy
 +from ..utils.utils import run_in_subprocess
++
++
 +try:
 +    import jwt  # pylint: disable=unused-import
 +except ImportError:
 +    HAVE_JWT = False
 +else:
 +    HAVE_JWT = True
++
++
 +DATA_DIR = os.path.join(
 +    os.path.dirname(os.path.realpath(__file__)), 'data')
++
 +METHOD = AuthMetadataMethod.JWT
 +TOKEN = os.path.join(DATA_DIR, 'jwt-hs256-valid.token')
 +SECRET = 'your-256-bit-secret'
 +ALGORITHM = AuthMetadataAlgorithm.JWT_HS256
++
++
 +@pytest.mark.skipif(not HAVE_JWT, reason="No pyjwt")
 +def test_channel_token_authorization():
 +    # Actual test function, to be run in a subprocess:
 +    def __test_channel_token_authorization(queue, remote, token):
 +        channel, _ = setup_channel(remote, auth_token=token)
 +        stub = bytestream_pb2_grpc.ByteStreamStub(channel)
++
 +        request = bytestream_pb2.QueryWriteStatusRequest()
 +        status_code = grpc.StatusCode.OK
++
 +        try:
 +            next(stub.Read(request))
++
 +        except grpc.RpcError as e:
 +            status_code = e.code()
++
 +        queue.put(status_code)
++
 +    with serve_dummy(auth_method=METHOD, auth_secret=SECRET,
 +                     auth_algorithm=ALGORITHM) as server:
 +        status = run_in_subprocess(__test_channel_token_authorization,
 +                                   server.remote, TOKEN)
++
 +        assert status != grpc.StatusCode.UNAUTHENTICATED

tests/auth/test_interceptor.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
 +# pylint: disable=redefined-outer-name
++
++
 +from collections import namedtuple
 +from unittest import mock
 +import os
++
 +import grpc
 +from grpc._server import _Context
 +import pytest
++
 +from buildgrid.server._authentication import AuthMetadataMethod, AuthMetadataAlgorithm
 +from buildgrid.server._authentication import AuthMetadataServerInterceptor
++
 +from ..utils.utils import read_file
++
++
 +try:
 +    import jwt  # pylint: disable=unused-import
 +except ImportError:
 +    HAVE_JWT = False
 +else:
 +    HAVE_JWT = True
++
++
 +DATA_DIR = os.path.join(
 +    os.path.dirname(os.path.realpath(__file__)), 'data')
++
 +TOKENS = [None, 'not-a-token']
 +SECRETS = [None, None]
 +ALGORITHMS = [AuthMetadataAlgorithm.NONE, AuthMetadataAlgorithm.NONE]
 +VALIDITIES = [False, False]
 +# Generic test data: token, secret, algorithm, validity:
 +DATA = zip(TOKENS, SECRETS, ALGORITHMS, VALIDITIES)
++
 +JWT_TOKENS = [
 +    'jwt-hs256-expired.token',
 +    'jwt-hs256-unbounded.token',
 +    'jwt-hs256-valid.token',
 +    'jwt-hs256-valid.token',
++
 +    'jwt-rs256-expired.token',
 +    'jwt-rs256-unbounded.token',
 +    'jwt-rs256-valid.token',
 +    'jwt-rs256-valid.token']
 +JWT_SECRETS = [
 +    'jwt-hs256-matching.secret',
 +    'jwt-hs256-matching.secret',
 +    'jwt-hs256-matching.secret',
 +    'jwt-hs256-conflicting.secret',
++
 +    'jwt-rs256-matching.pub.key',
 +    'jwt-rs256-matching.pub.key',
 +    'jwt-rs256-matching.pub.key',
 +    'jwt-rs256-conflicting.pub.key']
 +JWT_ALGORITHMS = [
 +    AuthMetadataAlgorithm.JWT_HS256,
 +    AuthMetadataAlgorithm.JWT_HS256,
 +    AuthMetadataAlgorithm.JWT_HS256,
 +    AuthMetadataAlgorithm.JWT_HS256,
++
 +    AuthMetadataAlgorithm.JWT_RS256,
 +    AuthMetadataAlgorithm.JWT_RS256,
 +    AuthMetadataAlgorithm.JWT_RS256,
 +    AuthMetadataAlgorithm.JWT_RS256]
 +JWT_VALIDITIES = [
 +    False, False, True, False,
 +    False, False, True, False]
 +# JWT test data: token, secret, algorithm, validity:
 +JWT_DATA = zip(JWT_TOKENS, JWT_SECRETS, JWT_ALGORITHMS, JWT_VALIDITIES)
++
++
 +_MockHandlerCallDetails = namedtuple(
 +    '_MockHandlerCallDetails', ('method', 'invocation_metadata',))
 +_MockMetadatum = namedtuple(
 +    '_MockMetadatum', ('key', 'value',))
++
++
 +def _mock_call_details(token, method='TestMethod'):
 +    invocation_metadata = [
 +        _MockMetadatum(
 +            key='user-agent',
 +            value='grpc-c/6.0.0 (manylinux; chttp2; gao)')]
++
 +    if token and token.count('.') == 2:
 +        invocation_metadata.append(_MockMetadatum(
 +            key='authorization', value='Bearer {}'.format(token)))
++
 +    elif token:
 +        invocation_metadata.append(_MockMetadatum(
 +            key='authorization', value=token))
++
 +    return _MockHandlerCallDetails(
 +        method=method, invocation_metadata=invocation_metadata)
++
++
 +def _unary_unary_rpc_terminator(details):
++
 +    def terminate(ignored_request, context):
 +        context.set_code(grpc.StatusCode.OK)
++
 +    return grpc.unary_unary_rpc_method_handler(terminate)
++
++
 +@pytest.mark.parametrize('token,secret,algorithm,validity', DATA)
 +def test_authorization(token, secret, algorithm, validity):
 +    interceptor = AuthMetadataServerInterceptor(
 +        method=AuthMetadataMethod.NONE, secret=secret, algorithm=algorithm)
++
 +    call_details = _mock_call_details(token)
 +    context = mock.create_autospec(_Context, spec_set=True)
++
 +    try:
 +        handler = interceptor.intercept_service(None, call_details)
++
 +    except AssertionError:
 +        context.set_code(grpc.StatusCode.OK)
++
 +    else:
 +        handler.unary_unary(None, context)
++
 +    if validity:
 +        context.set_code.assert_called_once_with(grpc.StatusCode.OK)
 +        context.abort.assert_not_called()
++
 +    else:
 +        context.abort.assert_called_once_with(grpc.StatusCode.UNAUTHENTICATED, mock.ANY)
 +        context.set_code.assert_not_called()
++
++
 +@pytest.mark.skipif(not HAVE_JWT, reason="No pyjwt")
 +@pytest.mark.parametrize('token,secret,algorithm,validity', JWT_DATA)
 +def test_jwt_authorization(token, secret, algorithm, validity):
 +    token = read_file(os.path.join(DATA_DIR, token), text_mode=True).strip()
 +    secret = read_file(os.path.join(DATA_DIR, secret), text_mode=True).strip()
++
 +    interceptor = AuthMetadataServerInterceptor(
 +        method=AuthMetadataMethod.JWT, secret=secret, algorithm=algorithm)
++
 +    continuator = _unary_unary_rpc_terminator
 +    call_details = _mock_call_details(token)
 +    context = mock.create_autospec(_Context, spec_set=True)
++
 +    handler = interceptor.intercept_service(continuator, call_details)
 +    handler.unary_unary(None, context)
++
 +    if validity:
 +        context.set_code.assert_called_once_with(grpc.StatusCode.OK)
 +        context.abort.assert_not_called()
++
 +    else:
 +        context.abort.assert_called_once_with(grpc.StatusCode.UNAUTHENTICATED, mock.ANY)
 +        context.set_code.assert_not_called()

tests/utils/dummy.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
++
 +from concurrent import futures
 +from contextlib import contextmanager
 +import multiprocessing
 +import os
 +import signal
++
 +import grpc
 +import pytest_cov
++
 +from buildgrid.server._authentication import AuthMetadataMethod, AuthMetadataAlgorithm
 +from buildgrid.server._authentication import AuthMetadataServerInterceptor
++
++
 +@contextmanager
 +def serve_dummy(auth_method=AuthMetadataMethod.NONE,
 +                auth_secret=None, auth_algorithm=AuthMetadataAlgorithm.NONE):
 +    server = Server(
 +        auth_method=auth_method, auth_secret=auth_secret, auth_algorithm=auth_algorithm)
 +    try:
 +        yield server
 +    finally:
 +        server.quit()
++
++
 +class Server:
++
 +    def __init__(self, auth_method=AuthMetadataMethod.NONE,
 +                 auth_secret=None, auth_algorithm=AuthMetadataAlgorithm.NONE):
++
 +        self.__queue = multiprocessing.Queue()
 +        self.__auth_interceptor = None
 +        if auth_method != AuthMetadataMethod.NONE:
 +            self.__auth_interceptor = AuthMetadataServerInterceptor(
 +                method=auth_method, secret=auth_secret, algorithm=auth_algorithm)
 +        self.__process = multiprocessing.Process(
 +            target=Server.serve, args=(self.__queue, self.__auth_interceptor))
 +        self.__process.start()
++
 +        self.port = self.__queue.get()
 +        self.remote = 'http://localhost:{}'.format(self.port)
++
 +    @classmethod
 +    def serve(cls, queue, auth_interceptor):
 +        pytest_cov.embed.cleanup_on_sigterm()
++
 +        # Use max_workers default from Python 3.5+
 +        max_workers = (os.cpu_count() or 1) * 5
 +        executor = futures.ThreadPoolExecutor(max_workers)
 +        if auth_interceptor is not None:
 +            server = grpc.server(executor, interceptors=(auth_interceptor,))
 +        else:
 +            server = grpc.server(executor)
 +        port = server.add_insecure_port('localhost:0')
++
 +        queue.put(port)
++
 +        server.start()
++
 +        signal.pause()
++
 +    def quit(self):
 +        if self.__process:
 +            self.__process.terminate()
 +            self.__process.join()

tests/utils/utils.py

@@ -34,6 +34,11 @@ def kill_process_tree(pid):
      kill_proc(proc)
 +def read_file(file_path, text_mode=False):
 +    with open(file_path, 'r' if text_mode else 'r') as in_file:
 +        return in_file.read()
++
++
  def run_in_subprocess(function, *arguments, timeout=1):
      queue = multiprocessing.Queue()
      # Use subprocess to avoid creation of gRPC threads in main process

[Notes] [Git][BuildGrid/buildgrid][mablanch/144-jwt-authentication] 13 commits: setup.py: Introduce pyjwt dependency

Martin Blanchard pushed to branch mablanch/144-jwt-authentication at BuildGrid / buildgrid

Commits:

28 changed files:

Changes: