[Notes] [Git][BuildGrid/buildgrid][mablanch/144-jwt-authentication] 13 c

Martin Blanchard pushed to branch mablanch/144-jwt-authentication at BuildGrid / buildgrid

Commits:

859c0fa8

by Finn at 2018-11-27T15:25:25Z

buildgrid/utils.py: New `get_hash_type` function.

Returns the hash type.

e1091b04

by Finn at 2018-11-27T15:25:25Z

Execution instance can now return hash type.

1dc5d2d2

by Finn at 2018-11-27T15:25:25Z

Adding cache capabilities to CAS instance.

Hash type, batch size and symlink strategy.

35c901bd
by Finn at 2018-11-27T16:23:49Z
```
Adding capabilities service.
```

5cb38e2a

by Finn at 2018-11-27T16:23:52Z

Adding capabilities instance of service.

32ad653d

by Finn at 2018-11-27T16:23:52Z

Adding client interface for capabilities service.

e15a9c91

by Finn at 2018-11-27T16:23:52Z

Capabilities service can now be added to server.

bd5587ea

by Finn at 2018-11-27T16:23:52Z

tests/utils/capabilities.py: Adding service for tests.

d94fa258

by Finn at 2018-11-27T16:23:52Z

tests/integration/capabilities_service.py: Creating tests.

6f90a553

by Finn at 2018-11-27T16:23:52Z

buildgrid/_app/commands/cmd_capabilities.py: New command.

db65c5ec

by Raoul Hidalgo Charman at 2018-11-28T12:23:41Z

test_storage.py: change import order to appease pylint

Newer versions of pylint complain.

52a45470

by Martin Blanchard at 2018-11-28T14:52:03Z

server/_authentication.py: New JWT based gRPC interceptor

d0444a61

by Martin Blanchard at 2018-11-28T14:52:03Z

server/instance.py: Register authentication gRPC interceptor

13 changed files:

+ buildgrid/_app/commands/cmd_capabilities.py
+ buildgrid/client/capabilities.py
+ buildgrid/server/_authentication.py
+ buildgrid/server/capabilities/__init__.py
+ buildgrid/server/capabilities/instance.py
+ buildgrid/server/capabilities/service.py
buildgrid/server/cas/instance.py
buildgrid/server/execution/instance.py
buildgrid/server/instance.py
buildgrid/utils.py
tests/cas/test_storage.py
+ tests/integration/capabilities_service.py
+ tests/utils/capabilities.py

Changes:

buildgrid/_app/commands/cmd_capabilities.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
++
 +import sys
 +from urllib.parse import urlparse
++
 +import click
 +import grpc
++
 +from buildgrid.client.capabilities import CapabilitiesInterface
++
 +from ..cli import pass_context
++
++
 +@click.command(name='capabilities', short_help="Capabilities service.")
 +@click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
 +              help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Private client key for TLS (PEM-encoded)")
 +@click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public client certificate for TLS (PEM-encoded)")
 +@click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public server certificate for TLS (PEM-encoded)")
 +@click.option('--instance-name', type=click.STRING, default='main', show_default=True,
 +              help="Targeted farm instance name.")
 +@pass_context
 +def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 +    click.echo("Getting capabilities...")
 +    url = urlparse(remote)
++
 +    remote = '{}:{}'.format(url.hostname, url.port or 50051)
 +    instance_name = instance_name
++
 +    if url.scheme == 'http':
 +        channel = grpc.insecure_channel(remote)
 +    else:
 +        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 +        if not credentials:
 +            click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 +            sys.exit(-1)
++
 +        channel = grpc.secure_channel(remote, credentials)
++
 +    interface = CapabilitiesInterface(channel)
 +    response = interface.get_capabilities(instance_name)
 +    click.echo(response)

buildgrid/client/capabilities.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
++
 +import logging
 +import grpc
++
 +from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2, remote_execution_pb2_grpc
++
++
 +class CapabilitiesInterface:
 +    """Interface for calls the the Capabilities Service."""
++
 +    def __init__(self, channel):
 +        """Initialises an instance of the capabilities service.
++
 +        Args:
 +            channel (grpc.Channel): A gRPC channel to the CAS endpoint.
 +        """
 +        self.__logger = logging.getLogger(__name__)
 +        self.__stub = remote_execution_pb2_grpc.CapabilitiesStub(channel)
++
 +    def get_capabilities(self, instance_name):
 +        """Returns the capabilities or the server to the user.
++
 +        Args:
 +            instance_name (str): The name of the instance."""
++
 +        request = remote_execution_pb2.GetCapabilitiesRequest(instance_name=instance_name)
 +        try:
 +            return self.__stub.GetCapabilities(request)
++
 +        except grpc.RpcError as e:
 +            self.__logger.error(e)
 +            raise

buildgrid/server/_authentication.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
++
 +from datetime import datetime
 +from enum import Enum
++
 +import grpc
 +import jwt
++
 +from buildgrid._exceptions import InvalidArgumentError
++
++
 +class JwtAlgorithm(Enum):
 +    # HMAC algorithms:
 +    HS256 = 'HS256'
 +    HS384 = 'HS384'
 +    HS512 = 'HS512'
++
 +    # RSASSA-PKCS algorithms:
 +    RS256 = 'RS256'
 +    RS384 = 'RS384'
 +    RS512 = 'RS512'
++
 +    # RSASSA-PSS algorithms:
 +    PS256 = 'PS256'
 +    PS384 = 'PS384'
 +    PS512 = 'PS512'
++
 +    # ECDSA algorithms:
 +    ES256 = 'ES256'
 +    ES384 = 'ES384'
 +    ES521 = 'ES521'
 +    ES512 = 'ES512'
++
++
 +class JwtAuthMetadataInterceptor(grpc.ServerInterceptor):
++
 +    __auth_errors = {
 +        'missing-bearer': 'Missing authentication header field.',
 +        'invalid-bearer': 'Invalid authentication header field.',
 +        'invalid-token': 'Invalid authentication token.',
 +        'expired-token': 'Expired authentication token.',
 +        'unbounded-token': 'Unbounded authentication token.',
 +    }
++
 +    def __init__(self, secret, algorithm):
 +        """Initialises a new :class:`JwtAuthMetadataInterceptor`.
++
 +        Args:
 +            secret (str): Symetric secret key or asymetric public key.
 +            algorithm (JwtAlgorithm): Algorithm used to encode `secret`.
++
 +        Raises:
 +            InvalidArgumentError: If `algorithm` is not supported.
 +        """
 +        self.__bearer_cache = {}
 +        self.__terminators = {}
 +        self.__secret = secret
++
 +        self._algorithm = algorithm.value
++
 +        try:
 +            jwt.register_algorithm(self._algorithm, None)
++
 +        except TypeError:
 +            raise InvalidArgumentError('Algorithm not supported for JWT decoding: [{}]'
 +                                       .format(self._algorithm))
++
 +        except ValueError:
 +            pass
++
 +        for code, message in self.__auth_errors.items():
 +            self.__terminators[code] = _unary_unary_rpc_terminator(message)
++
 +    @property
 +    def algorithm(self):
 +        return JwtAlgorithm(self._algorithm)
++
 +    def intercept_service(self, continuation, handler_call_details):
 +        try:
 +            # Reject requests not carrying a token:
 +            bearer = dict(handler_call_details.invocation_metadata)['Authorization']
++
 +        except KeyError:
 +            return self.__terminators['missing-bearer']  # Rejected
++
 +        # Reject requests with malformated bearer:
 +        if not bearer.startswith('Bearer '):
 +            return self.__terminators['invalid-bearer']  # Rejected
++
 +        try:
 +            # Hit the cache for already validated token:
 +            expiration_time = self.__bearer_cache[bearer]
++
 +            # Accept request if cached token hasn't expired yet:
 +            if expiration_time < datetime.utcnow():
 +                return continuation(handler_call_details)  # Accepted
++
 +        except KeyError:
 +            pass
++
 +        try:
 +            # Decode and validate the new token:
 +            payload = jwt.decode(bearer[7:], self.__secret, algorithm=self._algorithm)
++
 +        except jwt.exceptions.ExpiredSignatureError:
 +            return self.__terminators['expired-token']  # Rejected
++
 +        except jwt.exceptions.InvalidTokenError:
 +            return self.__terminators['invalid-token']  # Rejected
++
 +        # Do not accept token without an expiration time:
 +        if 'exp' not in payload or isinstance(payload['exp'], int):
 +            return self.__terminators['unbounded-token']  # Rejected
++
 +        # Cache the validated token and store expiration time:
 +        self.__bearer_cache[bearer] = datetime.fromtimestamp(payload['exp'])
++
 +        return continuation(handler_call_details)  # Accepted
++
++
 +def _unary_unary_rpc_terminator(details):
++
 +    def terminate(ignored_request, context):
 +        context.abort(grpc.StatusCode.UNAUTHENTICATED, details)
++
 +    return grpc.unary_unary_rpc_method_handler(terminate)

buildgrid/server/capabilities/__init__.py

buildgrid/server/capabilities/instance.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
++
 +import logging
++
 +from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2
++
++
 +class CapabilitiesInstance:
++
 +    def __init__(self, cas_instance=None, action_cache_instance=None, execution_instance=None):
 +        self.__logger = logging.getLogger(__name__)
 +        self.__cas_instance = cas_instance
 +        self.__action_cache_instance = action_cache_instance
 +        self.__execution_instance = execution_instance
++
 +    def register_instance_with_server(self, instance_name, server):
 +        server.add_capabilities_instance(self, instance_name)
++
 +    def add_cas_instance(self, cas_instance):
 +        self.__cas_instance = cas_instance
++
 +    def add_action_cache_instance(self, action_cache_instance):
 +        self.__action_cache_instance = action_cache_instance
++
 +    def add_execution_instance(self, execution_instance):
 +        self.__execution_instance = execution_instance
++
 +    def get_capabilities(self):
 +        server_capabilities = remote_execution_pb2.ServerCapabilities()
 +        server_capabilities.cache_capabilities.CopyFrom(self._get_cache_capabilities())
 +        server_capabilities.execution_capabilities.CopyFrom(self._get_capabilities_execution())
 +        # TODO
 +        # When API is stable, fill out SemVer values
 +        # server_capabilities.deprecated_api_version =
 +        # server_capabilities.low_api_version =
 +        # server_capabilities.low_api_version =
 +        # server_capabilities.hig_api_version =
 +        return server_capabilities
++
 +    def _get_cache_capabilities(self):
 +        capabilities = remote_execution_pb2.CacheCapabilities()
 +        action_cache_update_capabilities = remote_execution_pb2.ActionCacheUpdateCapabilities()
++
 +        if self.__cas_instance:
 +            capabilities.digest_function.extend([self.__cas_instance.hash_type()])
 +            capabilities.max_batch_total_size_bytes = self.__cas_instance.max_batch_total_size_bytes()
 +            capabilities.symlink_absolute_path_strategy = self.__cas_instance.symlink_absolute_path_strategy()
 +            # TODO: execution priority #102
 +            # capabilities.cache_priority_capabilities =
++
 +        if self.__action_cache_instance:
 +            action_cache_update_capabilities.update_enabled = self.__action_cache_instance.allow_updates
++
 +        capabilities.action_cache_update_capabilities.CopyFrom(action_cache_update_capabilities)
 +        return capabilities
++
 +    def _get_capabilities_execution(self):
 +        capabilities = remote_execution_pb2.ExecutionCapabilities()
 +        if self.__execution_instance:
 +            capabilities.exec_enabled = True
 +            capabilities.digest_function = self.__execution_instance.hash_type()
 +            # TODO: execution priority #102
 +            # capabilities.execution_priority =
++
 +        else:
 +            capabilities.exec_enabled = False
++
 +        return capabilities

buildgrid/server/capabilities/service.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
++
 +import logging
++
 +import grpc
++
 +from buildgrid._exceptions import InvalidArgumentError
 +from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2, remote_execution_pb2_grpc
++
++
 +class CapabilitiesService(remote_execution_pb2_grpc.CapabilitiesServicer):
++
 +    def __init__(self, server):
 +        self.__logger = logging.getLogger(__name__)
 +        self.__instances = {}
 +        remote_execution_pb2_grpc.add_CapabilitiesServicer_to_server(self, server)
++
 +    def add_instance(self, name, instance):
 +        self.__instances[name] = instance
++
 +    def add_cas_instance(self, name, instance):
 +        self.__instances[name].add_cas_instance(instance)
++
 +    def add_action_cache_instance(self, name, instance):
 +        self.__instances[name].add_action_cache_instance(instance)
++
 +    def add_execution_instance(self, name, instance):
 +        self.__instances[name].add_execution_instance(instance)
++
 +    def GetCapabilities(self, request, context):
 +        try:
 +            instance = self._get_instance(request.instance_name)
 +            return instance.get_capabilities()
++
 +        except InvalidArgumentError as e:
 +            self.__logger.error(e)
 +            context.set_details(str(e))
 +            context.set_code(grpc.StatusCode.INVALID_ARGUMENT)
++
 +        return remote_execution_pb2.ServerCapabilities()
++
 +    def _get_instance(self, name):
 +        try:
 +            return self.__instances[name]
++
 +        except KeyError:
 +            raise InvalidArgumentError("Instance doesn't exist on server: [{}]".format(name))

buildgrid/server/cas/instance.py

@@ -25,6 +25,7 @@ from buildgrid._exceptions import InvalidArgumentError, NotFoundError, OutOfRang
  from buildgrid._protos.google.bytestream import bytestream_pb2
  from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2 as re_pb2
  from buildgrid.settings import HASH, HASH_LENGTH
 +from buildgrid.utils import get_hash_type
  class ContentAddressableStorageInstance:
@@ -37,6 +38,19 @@ class ContentAddressableStorageInstance:
      def register_instance_with_server(self, instance_name, server):
          server.add_cas_instance(self, instance_name)
 +    def hash_type(self):
 +        return get_hash_type()
++
 +    def max_batch_total_size_bytes(self):
 +        # TODO: link with max size
 +        # Should be added from settings in MR !119
 +        return 2000000
++
 +    def symlink_absolute_path_strategy(self):
 +        # Currently this strategy is hardcoded into BuildGrid
 +        # With no setting to reference
 +        return re_pb2.CacheCapabilities().DISALLOWED
++
      def find_missing_blobs(self, blob_digests):
          storage = self._storage
          return re_pb2.FindMissingBlobsResponse(

buildgrid/server/execution/instance.py

@@ -25,6 +25,7 @@ from buildgrid._exceptions import FailedPreconditionError, InvalidArgumentError
  from buildgrid._protos.build.bazel.remote.execution.v2.remote_execution_pb2 import Action
  from ..job import Job
 +from ...utils import get_hash_type
  class ExecutionInstance:
@@ -38,6 +39,9 @@ class ExecutionInstance:
      def register_instance_with_server(self, instance_name, server):
          server.add_execution_instance(self, instance_name)
 +    def hash_type(self):
 +        return get_hash_type()
++
      def execute(self, action_digest, skip_cache_lookup, message_queue=None):
          """ Sends a job for execution.
          Queues an action and creates an Operation instance to be associated with

buildgrid/server/instance.py

@@ -22,12 +22,15 @@ import signal
  import grpc
  from buildgrid.server.actioncache.service import ActionCacheService
 +from buildgrid.server._authentication import JwtAlgorithm, JwtAuthMetadataInterceptor
  from buildgrid.server.bots.service import BotsService
  from buildgrid.server.cas.service import ByteStreamService, ContentAddressableStorageService
  from buildgrid.server.execution.service import ExecutionService
  from buildgrid.server._monitoring import MonitoringBus, MonitoringOutputType, MonitoringOutputFormat
  from buildgrid.server.operations.service import OperationsService
  from buildgrid.server.referencestorage.service import ReferenceStorageService
 +from buildgrid.server.capabilities.instance import CapabilitiesInstance
 +from buildgrid.server.capabilities.service import CapabilitiesService
  class BuildGridServer:
@@ -50,11 +53,16 @@ class BuildGridServer:
              max_workers = (os.cpu_count() or 1) * 5
          self.__grpc_executor = futures.ThreadPoolExecutor(max_workers)
 -        self.__grpc_server = grpc.server(self.__grpc_executor)
 +        self.__grpc_auth_interceptor = JwtAuthMetadataInterceptor('your-256-bit-secret', JwtAlgorithm.HS256)
 +        self.__grpc_server = grpc.server(
 +            self.__grpc_executor, interceptors=(self.__grpc_auth_interceptor,))
          self.__main_loop = asyncio.get_event_loop()
          self.__monitoring_bus = None
 +        # We always want a capabilities service
 +        self._capabilities_service = CapabilitiesService(self.__grpc_server)
++
          self._execution_service = None
          self._bots_service = None
          self._operations_service = None
@@ -128,6 +136,7 @@ class BuildGridServer:
              self._execution_service = ExecutionService(self.__grpc_server)
          self._execution_service.add_instance(instance_name, instance)
 +        self._add_capabilities_instance(instance_name, execution_instance=instance)
      def add_bots_interface(self, instance, instance_name):
          """Adds a :obj:`BotsInterface` to the service.
@@ -184,9 +193,10 @@ class BuildGridServer:
              self._action_cache_service = ActionCacheService(self.__grpc_server)
          self._action_cache_service.add_instance(instance_name, instance)
 +        self._add_capabilities_instance(instance_name, action_cache_instance=instance)
      def add_cas_instance(self, instance, instance_name):
 -        """Stores a :obj:`ContentAddressableStorageInstance` to the service.
 +        """Adds a :obj:`ContentAddressableStorageInstance` to the service.
          If no service exists, it creates one.
@@ -198,9 +208,10 @@ class BuildGridServer:
              self._cas_service = ContentAddressableStorageService(self.__grpc_server)
          self._cas_service.add_instance(instance_name, instance)
 +        self._add_capabilities_instance(instance_name, cas_instance=instance)
      def add_bytestream_instance(self, instance, instance_name):
 -        """Stores a :obj:`ByteStreamInstance` to the service.
 +        """Adds a :obj:`ByteStreamInstance` to the service.
          If no service exists, it creates one.
@@ -213,6 +224,31 @@ class BuildGridServer:
          self._bytestream_service.add_instance(instance_name, instance)
 +    def _add_capabilities_instance(self, instance_name,
 +                                   cas_instance=None,
 +                                   action_cache_instance=None,
 +                                   execution_instance=None):
 +        """Adds a :obj:`CapabilitiesInstance` to the service.
++
 +        Args:
 +            instance (:obj:`CapabilitiesInstance`): Instance to add.
 +            instance_name (str): Instance name.
 +        """
++
 +        try:
 +            if cas_instance:
 +                self._capabilities_service.add_cas_instance(instance_name, cas_instance)
 +            if action_cache_instance:
 +                self._capabilities_service.add_action_cache_instance(instance_name, action_cache_instance)
 +            if execution_instance:
 +                self._capabilities_service.add_execution_instance(instance_name, execution_instance)
++
 +        except KeyError:
 +            capabilities_instance = CapabilitiesInstance(cas_instance,
 +                                                         action_cache_instance,
 +                                                         execution_instance)
 +            self._capabilities_service.add_instance(instance_name, capabilities_instance)
++
      # --- Public API: Monitoring ---
      @property

buildgrid/utils.py

@@ -30,6 +30,14 @@ def get_hostname():
      return socket.gethostname()
 +def get_hash_type():
 +    """Returns the hash type."""
 +    hash_name = HASH().name
 +    if hash_name == "sha256":
 +        return remote_execution_pb2.SHA256
 +    return remote_execution_pb2.UNKNOWN
++
++
  def create_digest(bytes_to_digest):
      """Computes the :obj:`Digest` of a piece of data.

tests/cas/test_storage.py

@@ -21,8 +21,8 @@ import tempfile
  import boto3
  import grpc
 -import pytest
  from moto import mock_s3
 +import pytest
  from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2
  from buildgrid.server.cas.storage.remote import RemoteStorage

tests/integration/capabilities_service.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
 +# pylint: disable=redefined-outer-name
++
++
 +import grpc
 +import pytest
++
 +from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2
 +from buildgrid.client.capabilities import CapabilitiesInterface
 +from buildgrid.server.controller import ExecutionController
 +from buildgrid.server.actioncache.storage import ActionCache
 +from buildgrid.server.cas.instance import ContentAddressableStorageInstance
 +from buildgrid.server.cas.storage.lru_memory_cache import LRUMemoryCache
++
 +from ..utils.utils import run_in_subprocess
 +from ..utils.capabilities import serve_capabilities_service
++
++
 +INSTANCES = ['', 'instance']
++
++
 +# Use subprocess to avoid creation of gRPC threads in main process
 +# See https://github.com/grpc/grpc/blob/master/doc/fork_support.md
 +# Multiprocessing uses pickle which protobufs don't work with
 +# Workaround wrapper to send messages as strings
 +class ServerInterface:
++
 +    def __init__(self, remote):
 +        self.__remote = remote
++
 +    def get_capabilities(self, instance_name):
++
 +        def __get_capabilities(queue, remote, instance_name):
 +            interface = CapabilitiesInterface(grpc.insecure_channel(remote))
++
 +            result = interface.get_capabilities(instance_name)
 +            queue.put(result.SerializeToString())
++
 +        result = run_in_subprocess(__get_capabilities,
 +                                   self.__remote, instance_name)
++
 +        capabilities = remote_execution_pb2.ServerCapabilities()
 +        capabilities.ParseFromString(result)
 +        return capabilities
++
++
 +@pytest.mark.parametrize('instance', INSTANCES)
 +def test_execution_not_available_capabilities(instance):
 +    with serve_capabilities_service([instance]) as server:
 +        server_interface = ServerInterface(server.remote)
 +        response = server_interface.get_capabilities(instance)
++
 +        assert not response.execution_capabilities.exec_enabled
++
++
 +@pytest.mark.parametrize('instance', INSTANCES)
 +def test_execution_available_capabilities(instance):
 +    controller = ExecutionController()
++
 +    with serve_capabilities_service([instance],
 +                                    execution_instance=controller.execution_instance) as server:
 +        server_interface = ServerInterface(server.remote)
 +        response = server_interface.get_capabilities(instance)
++
 +        assert response.execution_capabilities.exec_enabled
 +        assert response.execution_capabilities.digest_function
++
++
 +@pytest.mark.parametrize('instance', INSTANCES)
 +def test_action_cache_allow_updates_capabilities(instance):
 +    storage = LRUMemoryCache(limit=256)
 +    action_cache = ActionCache(storage, max_cached_refs=256, allow_updates=True)
++
 +    with serve_capabilities_service([instance],
 +                                    action_cache_instance=action_cache) as server:
 +        server_interface = ServerInterface(server.remote)
 +        response = server_interface.get_capabilities(instance)
++
 +        assert response.cache_capabilities.action_cache_update_capabilities.update_enabled
++
++
 +@pytest.mark.parametrize('instance', INSTANCES)
 +def test_action_cache_not_allow_updates_capabilities(instance):
 +    storage = LRUMemoryCache(limit=256)
 +    action_cache = ActionCache(storage, max_cached_refs=256, allow_updates=False)
++
 +    with serve_capabilities_service([instance],
 +                                    action_cache_instance=action_cache) as server:
 +        server_interface = ServerInterface(server.remote)
 +        response = server_interface.get_capabilities(instance)
++
 +        assert not response.cache_capabilities.action_cache_update_capabilities.update_enabled
++
++
 +@pytest.mark.parametrize('instance', INSTANCES)
 +def test_cas_capabilities(instance):
 +    cas = ContentAddressableStorageInstance(None)
++
 +    with serve_capabilities_service([instance],
 +                                    cas_instance=cas) as server:
 +        server_interface = ServerInterface(server.remote)
 +        response = server_interface.get_capabilities(instance)
++
 +        assert len(response.cache_capabilities.digest_function) == 1
 +        assert response.cache_capabilities.digest_function[0]
 +        assert response.cache_capabilities.symlink_absolute_path_strategy
 +        assert response.cache_capabilities.max_batch_total_size_bytes

tests/utils/capabilities.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
++
 +from concurrent import futures
 +from contextlib import contextmanager
 +import multiprocessing
 +import os
 +import signal
++
 +import grpc
 +import pytest_cov
++
 +from buildgrid.server.capabilities.service import CapabilitiesService
 +from buildgrid.server.capabilities.instance import CapabilitiesInstance
++
++
 +@contextmanager
 +def serve_capabilities_service(instances,
 +                               cas_instance=None,
 +                               action_cache_instance=None,
 +                               execution_instance=None):
 +    server = Server(instances,
 +                    cas_instance,
 +                    action_cache_instance,
 +                    execution_instance)
 +    try:
 +        yield server
 +    finally:
 +        server.quit()
++
++
 +class Server:
++
 +    def __init__(self, instances,
 +                 cas_instance=None,
 +                 action_cache_instance=None,
 +                 execution_instance=None):
 +        self.instances = instances
++
 +        self.__queue = multiprocessing.Queue()
 +        self.__process = multiprocessing.Process(
 +            target=Server.serve,
 +            args=(self.__queue, self.instances, cas_instance, action_cache_instance, execution_instance))
 +        self.__process.start()
++
 +        self.port = self.__queue.get(timeout=1)
 +        self.remote = 'localhost:{}'.format(self.port)
++
 +    @staticmethod
 +    def serve(queue, instances, cas_instance, action_cache_instance, execution_instance):
 +        pytest_cov.embed.cleanup_on_sigterm()
++
 +        # Use max_workers default from Python 3.5+
 +        max_workers = (os.cpu_count() or 1) * 5
 +        server = grpc.server(futures.ThreadPoolExecutor(max_workers))
 +        port = server.add_insecure_port('localhost:0')
++
 +        capabilities_service = CapabilitiesService(server)
 +        for name in instances:
 +            capabilities_instance = CapabilitiesInstance(cas_instance, action_cache_instance, execution_instance)
 +            capabilities_service.add_instance(name, capabilities_instance)
++
 +        server.start()
 +        queue.put(port)
 +        signal.pause()
++
 +    def quit(self):
 +        if self.__process:
 +            self.__process.terminate()
 +            self.__process.join()

[Notes] [Git][BuildGrid/buildgrid][mablanch/144-jwt-authentication] 13 commits: buildgrid/utils.py: New `get_hash_type` function.

Martin Blanchard pushed to branch mablanch/144-jwt-authentication at BuildGrid / buildgrid

Commits:

13 changed files:

Changes: