Merge branch 'main' of github.com:GoogleCloudPlatform/nodejs-docs-samples into remove-old-tests

Author: David Cavazos

.github/config/README.md

@@ -50,6 +50,7 @@ Additionally to the environment variables you define in the `ci-setup.json` file
 
 - `PROJECT_ID`: The project used by the testing infrastructure.
 - `RUN_ID`: A random unique identifier, different on every test run.
+- `SERVICE_ACCOUNT`: The email of the testing service account.
 
 > **Note**: An environment variable explicitly defined under `env` with the same name as an automatic variable overrides the automatic variable.
 
@@ -98,6 +99,67 @@ For example:
 
 The test infrastructure then fetches the actual secret data and exports them as environment variables.
 
+### Automatic secret values
+
+Additional to any secret values you define in the `ci-setup.json` file, the test infrastructure always exports the following secret value:
+
+- `ID_TOKEN`: an ID token for interacting with private Cloud Run services.
+
+
+<details>
+<summary>
+Adapting <b>`ID_TOKEN`</b> use in system testing
+</summary>
+
+Due to organization policies, Cloud Run services cannot be deployed with public
+access. This means authentication is required in order to perform integration
+testing. We do this by using ID Tokens (JWT) provided by [Google GitHub Actions
+Auth](https://github.com/google-github-actions/auth/blob/main/docs/EXAMPLES.md#generating-an-id-token-jwt).
+
+By default, the audience of a Cloud Run service is [the full URL of the service
+itself](https://cloud.google.com/run/docs/configuring/custom-audiences#:~:text=By%20convention%2C%20the%20audience%20is).
+Since we cannot know all the URLs for all samples ahead of time (since unique
+IDs are in use), we instead define a custom audience in the GitHub Action, then
+apply that as an additional audience to all Cloud Run services.
+
+To use this method, some changes are required:
+
+1. As part of testing setup, add a step to customize the Cloud Run service to have the custom audience `https://action.test/`
+
+    ```shell
+    gcloud run services deploy ${_SERVICE} \
+      ... \
+      --add-custom-audiences="https://action.test/" 
+    ```
+
+1. Use the environment variable ID_TOKEN in any Authorization: Bearer calls.
+
+	 For example, a curl command:
+
+    ```shell
+    # ❌ Previous version: calls gcloud
+    curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" https://my-service-hash.a.run.app
+
+    # ✅ New version: uses environment variable
+    curl -H "Authorization: Bearer ${ID_TOKEN}" https://my-service-hash.a.run.app
+    ```
+
+    For example, a Node.JS script:
+
+    ```javascript
+    // ❌ Previous version: auth.getIdTokenClient()
+    const client = await auth.getIdTokenClient(BASE_URL);
+    const clientHeaders = await client.getRequestHeaders();
+    ID_TOKEN = clientHeaders['Authorization'].trim();
+    if (!ID_TOKEN) throw Error('Unable to acquire an ID token.');
+
+    // ✅ New version: uses environment variable
+    {ID_TOKEN} = process.env;
+    if (!ID_TOKEN) throw Error('"ID_TOKEN" not found in environment variables.');
+    ```
+
+</details>
+
 ### Secrets vs environment variables
 
 Most configuration should be directly set with environment variables.

.github/config/nodejs-dev.jsonc

@@ -191,6 +191,7 @@
     "run/logging-manual",
     "run/markdown-preview/renderer",
     "run/pubsub",
+    "run/system-package",
     "run/websockets",
     "secret-manager",
     "security-center/snippets",

.github/config/nodejs-prod.jsonc

@@ -98,7 +98,6 @@
     "recaptcha_enterprise/snippets", // Cannot use import statement outside a module
     "run/idp-sql", // (untested) Error: Invalid contents in the credentials file
     "run/markdown-preview/editor", // (untested) Error: could not create an identity token: Cannot fetch ID token in this environment, use GCE or set the GOOGLE_APPLICATION_CREDENTIALS environment variable to a service account credentials JSON file
-    "run/system-package", // (untested) Error: ENOENT: no such file or directory, access '/usr/bin/dot'
     "scheduler", // SyntaxError: Cannot use import statement outside a module
     "speech", // AssertionError: expected 'Transcription:  Okay, I\'m here.\n Hi…' to match /Terrific. It's on the way./
     "storagetransfer", // CredentialsError: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1

run/system-package/Dockerfile

@@ -20,7 +20,7 @@ FROM node:20-alpine
 WORKDIR /usr/src/app
 
 # [START cloudrun_system_package_alpine]
-RUN apk --no-cache add graphviz ttf-ubuntu-font-family
+RUN apk --no-cache add graphviz
 # [END cloudrun_system_package_alpine]
 
 # Copy application dependency manifests to the container image.

run/system-package/ci-setup.json

@@ -0,0 +1,6 @@
+{
+    "env": {
+        "SERVICE_NAME": "run-idp-sql-$RUN_ID",
+        "SAMPLE_VERSION": "${RUN_ID}"
+    }
+}

run/system-package/package.json

@@ -6,9 +6,10 @@
   "private": true,
   "scripts": {
     "start": "node index.js",
-    "test": "c8 mocha -p -j 2 test/app.test.js --check-leaks",
-    "system-test": "echo 'SKIPPING E2E TEST: SEE b/358734748'",
-    "FIXME-system-test": "c8 mocha -p -j 2 test/system.test.js --timeout=360000 --exit"
+    "test": "npm -- run all-test",
+    "all-test": "npm run unit-test && npm run system-test",
+    "unit-test": "c8 mocha -p -j 2 test/app.test.js --check-leaks",
+    "system-test": "c8 mocha -p -j 2 test/system.test.js --timeout=360000 --exit"
   },
   "engines": {
     "node": ">=18.0.0"

run/system-package/test/app.test.js

@@ -14,9 +14,13 @@
 
 'use strict';
 
+const {execSync} = require('child_process');
 const path = require('path');
 const supertest = require('supertest');
 
+// Manually install system package in testing environment
+execSync('sudo apt install graphviz -y');
+
 describe('Unit Tests', () => {
   const app = require(path.join(__dirname, '..', 'app'));
   const request = supertest(app);

run/system-package/test/e2e_test_cleanup.yaml

@@ -1,3 +1,18 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
 steps:
 
 - id: 'Delete image and service'
@@ -9,11 +24,16 @@ steps:
       ./test/retry.sh "gcloud container images describe gcr.io/${PROJECT_ID}/${_SERVICE}:${_VERSION}" \
         "gcloud container images delete gcr.io/${PROJECT_ID}/${_SERVICE}:${_VERSION} --quiet"
 
-      ./test/retry.sh "gcloud run services describe ${_SERVICE} --region ${_REGION} --platform ${_PLATFORM}" \
-        "gcloud run services delete ${_SERVICE} --region ${_REGION} --platform ${_PLATFORM} --quiet"
+      ./test/retry.sh "gcloud run services describe ${_SERVICE} --region ${_REGION}" \
+        "gcloud run services delete ${_SERVICE} --region ${_REGION} --quiet"
 
 substitutions:
   _SERVICE: system-package
   _VERSION: manual
   _REGION: us-central1
-  _PLATFORM: managed
+  _SERVICE_ACCOUNT: ${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com
+
+serviceAccount: 'projects/${PROJECT_ID}/serviceAccounts/${_SERVICE_ACCOUNT}'
+options:
+    logging: CLOUD_LOGGING_ONLY
+    dynamicSubstitutions: true

run/system-package/test/e2e_test_setup.yaml

@@ -1,3 +1,18 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
 steps:
 
 - id: 'Build Container Image'
@@ -25,8 +40,9 @@ steps:
     ./test/retry.sh "gcloud run deploy ${_SERVICE} \
       --image gcr.io/${PROJECT_ID}/${_SERVICE}:${_VERSION} \
       --no-allow-unauthenticated \
+      --add-custom-audiences 'https://action.test/' \
       --region ${_REGION} \
-      --platform ${_PLATFORM}"
+      --service-account ${_SERVICE_ACCOUNT}"
 
 
 images:
@@ -36,4 +52,9 @@ substitutions:
   _SERVICE: system-package
   _VERSION: manual
   _REGION: us-central1
-  _PLATFORM: managed
+  _SERVICE_ACCOUNT: ${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com
+
+serviceAccount: 'projects/${PROJECT_ID}/serviceAccounts/${_SERVICE_ACCOUNT}'
+options:
+    logging: CLOUD_LOGGING_ONLY
+    dynamicSubstitutions: true

run/system-package/test/system.test.js

@@ -15,13 +15,11 @@
 const assert = require('assert');
 const got = require('got');
 const {execSync} = require('child_process');
-const {GoogleAuth} = require('google-auth-library');
-const auth = new GoogleAuth();
 
 const request = (method, route, base_url, id_token) => {
   return got(new URL(route, base_url.trim()), {
     headers: {
-      Authorization: id_token.trim(),
+      Authorization: `Bearer ${id_token.trim()}`,
     },
     method: method || 'get',
     throwHttpErrors: false,
@@ -33,6 +31,10 @@ describe('End-to-End Tests', () => {
   if (!GOOGLE_CLOUD_PROJECT) {
     throw Error('"GOOGLE_CLOUD_PROJECT" env var not found.');
   }
+  const {ID_TOKEN} = process.env;
+  if (!ID_TOKEN) {
+    throw Error('"ID_TOKEN" env var not found.');
+  }
   let {SERVICE_NAME} = process.env;
   if (!SERVICE_NAME) {
     SERVICE_NAME = 'system-package';
@@ -41,17 +43,19 @@ describe('End-to-End Tests', () => {
     );
   }
   const {SAMPLE_VERSION} = process.env;
+  const {SERVICE_ACCOUNT} = process.env;
   const PLATFORM = 'managed';
   const REGION = 'us-central1';
 
-  let BASE_URL, ID_TOKEN;
+  let BASE_URL;
   before(async () => {
     // Deploy service using Cloud Build
     let buildCmd =
       `gcloud builds submit --project ${GOOGLE_CLOUD_PROJECT} ` +
       '--config ./test/e2e_test_setup.yaml ' +
-      `--substitutions _SERVICE=${SERVICE_NAME},_PLATFORM=${PLATFORM},_REGION=${REGION}`;
+      `--substitutions _SERVICE=${SERVICE_NAME},_REGION=${REGION}`;
     if (SAMPLE_VERSION) buildCmd += `,_VERSION=${SAMPLE_VERSION}`;
+    if (SERVICE_ACCOUNT) buildCmd += `,_SERVICE_ACCOUNT=${SERVICE_ACCOUNT}`;
 
     console.log('Starting Cloud Build...');
     execSync(buildCmd, {timeout: 240000}); // timeout at 4 mins
@@ -65,20 +69,15 @@ describe('End-to-End Tests', () => {
 
     BASE_URL = url.toString('utf-8').trim();
     if (!BASE_URL) throw Error('Cloud Run service URL not found');
-
-    // Retrieve ID token for testing
-    const client = await auth.getIdTokenClient(BASE_URL);
-    const clientHeaders = await client.getRequestHeaders();
-    ID_TOKEN = clientHeaders['Authorization'].trim();
-    if (!ID_TOKEN) throw Error('Unable to acquire an ID token.');
   });
 
   after(() => {
     let cleanUpCmd =
       `gcloud builds submit --project ${GOOGLE_CLOUD_PROJECT} ` +
       '--config ./test/e2e_test_cleanup.yaml ' +
-      `--substitutions _SERVICE=${SERVICE_NAME},_PLATFORM=${PLATFORM},_REGION=${REGION}`;
+      `--substitutions _SERVICE=${SERVICE_NAME},_REGION=${REGION}`;
     if (SAMPLE_VERSION) cleanUpCmd += `,_VERSION=${SAMPLE_VERSION}`;
+    if (SERVICE_ACCOUNT) cleanUpCmd += `,_SERVICE_ACCOUNT=${SERVICE_ACCOUNT}`;
 
     execSync(cleanUpCmd);
   });