ci: add 3PI(workforce) to SA impersonation integration tests for universe domain (#14878)

cuiy0006 · web-flow · commit 541516110d87 · 2024-12-12T13:26:14.000-05:00
* ci: add 3PI(workforce) to SA impersonation integration tests for universe domain

* format

* disable SC2046
diff --git a/ci/cloudbuild/builds/lib/universe_domain.sh b/ci/cloudbuild/builds/lib/universe_domain.sh
@@ -32,6 +32,24 @@ if [[ -n "${UD_SERVICE_ACCOUNT}" ]]; then
   io::log "Created SA key file ${UD_SA_KEY_FILE}"
 fi
 
+# Only create the EA key file if the secret is available.
+if [[ -n "${UD_EXTERNAL_ACCOUNT_CRED}" ]]; then
+  ORIG_UMASK=$(umask)
+  umask 077
+  UD_EA_KEY_FILE=$(mktemp)
+  external_account_cred_template="${UD_EXTERNAL_ACCOUNT_CRED}"
+
+  response=$(eval "${UD_FETCH_OIDC_TOKEN}")
+  id_token=$(echo "${response}" | jq -r '.id_token')
+  id_token_file=$(mktemp)
+  echo "${id_token}" >"${id_token_file}"
+
+  # shellcheck disable=SC2059
+  printf "${external_account_cred_template}" "${id_token_file}" >"${UD_EA_KEY_FILE}"
+  umask "${ORIG_UMASK}"
+  io::log "Created EA key file ${UD_EA_KEY_FILE}"
+fi
+
 # Only create the IdToken SA key file if the secret is available.
 if [[ -n "${UD_IDTOKEN_SA_IMPERSONATION_CRED}" ]]; then
   ORIG_UMASK=$(umask)
@@ -52,6 +70,7 @@ function ud::bazel_test() {
   io::log "Executing bazel test $1 with obscured arguments:"
   bazel test "${args[@]}" --sandbox_add_mount_pair=/tmp \
     --test_env=UD_SA_KEY_FILE="${UD_SA_KEY_FILE}" \
+    --test_env=UD_EA_KEY_FILE="${UD_EA_KEY_FILE}" \
     --test_env=UD_REGION="${UD_REGION}" \
     --test_env=UD_ZONE="${UD_ZONE}" \
     --test_env=UD_IMPERSONATED_SERVICE_ACCOUNT_NAME="${UD_IMPERSONATED_SERVICE_ACCOUNT_NAME}" \
diff --git a/ci/cloudbuild/cloudbuild.yaml b/ci/cloudbuild/cloudbuild.yaml
@@ -80,6 +80,10 @@ availableSecrets:
     env: 'UD_IMPERSONATED_SERVICE_ACCOUNT_NAME'
   - versionName: 'projects/${PROJECT_ID}/secrets/UD_IDTOKEN_SA_IMPERSONATION_CRED/versions/latest'
     env: 'UD_IDTOKEN_SA_IMPERSONATION_CRED'
+  - versionName: 'projects/${PROJECT_ID}/secrets/UD_EXTERNAL_ACCOUNT_CRED/versions/latest'
+    env: 'UD_EXTERNAL_ACCOUNT_CRED'
+  - versionName: 'projects/${PROJECT_ID}/secrets/UD_FETCH_OIDC_TOKEN/versions/latest'
+    env: 'UD_FETCH_OIDC_TOKEN'
 
 logsBucket: 'gs://${_LOGS_BUCKET}/logs/google-cloud-cpp/${_TRIGGER_SOURCE}/${COMMIT_SHA}/${_DISTRO}-${_BUILD_NAME}-${_SHARD}'
 
@@ -117,7 +121,7 @@ steps:
 - name: '${_POOL_REGION}-docker.pkg.dev/${PROJECT_ID}/gcb/${_IMAGE}:${BUILD_ID}'
   entrypoint: 'ci/cloudbuild/build.sh'
   args: [ '--local', '--build', '${_BUILD_NAME}' ]
-  secretEnv: ['CODECOV_TOKEN', 'UD', 'UD_PROJECT', 'UD_REGION', 'UD_ZONE', 'UD_SERVICE_ACCOUNT', 'UD_SERVICE_ACCOUNT_NAME', 'UD_IMPERSONATED_SERVICE_ACCOUNT_NAME', 'UD_IDTOKEN_SA_IMPERSONATION_CRED']
+  secretEnv: ['CODECOV_TOKEN', 'UD', 'UD_PROJECT', 'UD_REGION', 'UD_ZONE', 'UD_SERVICE_ACCOUNT', 'UD_SERVICE_ACCOUNT_NAME', 'UD_IMPERSONATED_SERVICE_ACCOUNT_NAME', 'UD_IDTOKEN_SA_IMPERSONATION_CRED', 'UD_FETCH_OIDC_TOKEN', 'UD_EXTERNAL_ACCOUNT_CRED']
   env: [
     'BAZEL_REMOTE_CACHE=https://storage.googleapis.com/${_CACHE_BUCKET}/bazel-cache/${_DISTRO}-${_BUILD_NAME}',
     'LIBRARIES=${_LIBRARIES}',
diff --git a/ci/cloudbuild/dockerfiles/fedora-latest-bazel.Dockerfile b/ci/cloudbuild/dockerfiles/fedora-latest-bazel.Dockerfile
@@ -18,7 +18,7 @@ ARG ARCH=amd64
 
 # Install the minimal packages needed to install Bazel, and then compile our
 # code.
-RUN dnf install -y clang diffutils findutils gcc-c++ git lcov libcxx-devel \
+RUN dnf install -y clang diffutils findutils gcc-c++ git jq lcov libcxx-devel \
         libcxxabi-devel libasan libubsan libtsan llvm patch python python3 \
         python-pip tar unzip w3m wget which zip zlib-devel
 
diff --git a/google/cloud/universe_domain/integration_tests/impersonation_tests.cc b/google/cloud/universe_domain/integration_tests/impersonation_tests.cc
@@ -71,15 +71,34 @@ class ServiceAccountImpersonationTest : public DomainUniverseImpersonationTest {
     auto is = std::ifstream(key_file);
     is.exceptions(std::ios::badbit);
     credential_ = std::string(std::istreambuf_iterator<char>(is.rdbuf()), {});
+  }
+
+  std::string impersonated_sa_;
+  std::string credential_;
+};
+
+class ExternalAccountImpersonationTest
+    : public DomainUniverseImpersonationTest {
+ protected:
+  void SetUp() override {
+    DomainUniverseImpersonationTest::SetUp();
+
+    impersonated_sa_ =
+        gc::internal::GetEnv("UD_IMPERSONATED_SERVICE_ACCOUNT_NAME")
+            .value_or("");
+    ASSERT_FALSE(impersonated_sa_.empty());
 
-    id_token_key_file_ =
-        gc::internal::GetEnv("UD_IDTOKEN_SA_KEY_FILE").value_or("");
-    ASSERT_FALSE(id_token_key_file_.empty());
+    std::string const key_file =
+        gc::internal::GetEnv("UD_EA_KEY_FILE").value_or("");
+    ASSERT_FALSE(key_file.empty());
+
+    auto is = std::ifstream(key_file);
+    is.exceptions(std::ios::badbit);
+    credential_ = std::string(std::istreambuf_iterator<char>(is.rdbuf()), {});
   }
 
   std::string impersonated_sa_;
   std::string credential_;
-  std::string id_token_key_file_;
 };
 
 TEST_F(ServiceAccountImpersonationTest, SAToSAImpersonationRest) {
@@ -122,10 +141,53 @@ TEST_F(ServiceAccountImpersonationTest, SAToSAImpersonationGrpc) {
   }
 }
 
-TEST_F(ServiceAccountImpersonationTest, IdTokenSAToSAImpersonationRest) {
+TEST_F(ExternalAccountImpersonationTest, EAToSAImpersonationRest) {
+  namespace disks = ::google::cloud::compute_disks_v1;
+
+  gc::Options options;
+  options.set<google::cloud::UnifiedCredentialsOption>(
+      google::cloud::MakeImpersonateServiceAccountCredentials(
+          google::cloud::MakeExternalAccountCredentials(credential_),
+          impersonated_sa_));
+
+  auto ud_options = gc::AddUniverseDomainOption(gc::ExperimentalTag{}, options);
+  ASSERT_STATUS_OK(ud_options);
+
+  auto client = disks::DisksClient(disks::MakeDisksConnectionRest(*ud_options));
+
+  for (auto disk : client.ListDisks(project_id_, zone_id_)) {
+    EXPECT_STATUS_OK(disk);
+  }
+}
+
+TEST_F(ExternalAccountImpersonationTest, EAToSAImpersonationGrpc) {
+  namespace kms = ::google::cloud::kms_v1;
+
+  auto const location = gc::Location(project_id_, region_id_);
+  gc::Options options;
+  options.set<google::cloud::UnifiedCredentialsOption>(
+      google::cloud::MakeImpersonateServiceAccountCredentials(
+          google::cloud::MakeExternalAccountCredentials(credential_),
+          impersonated_sa_));
+
+  auto ud_options = gc::AddUniverseDomainOption(gc::ExperimentalTag{}, options);
+  ASSERT_STATUS_OK(ud_options);
+
+  auto client = kms::KeyManagementServiceClient(
+      kms::MakeKeyManagementServiceConnection(*ud_options));
+
+  for (auto kr : client.ListKeyRings(location.FullName())) {
+    EXPECT_STATUS_OK(kr);
+  }
+}
+
+TEST_F(DomainUniverseImpersonationTest, IdTokenSAToSAImpersonationRest) {
   namespace disks = ::google::cloud::compute_disks_v1;
+  auto id_token_key_file =
+      gc::internal::GetEnv("UD_IDTOKEN_SA_KEY_FILE").value_or("");
+  ASSERT_FALSE(id_token_key_file.empty());
   // Use ADC credential
-  ScopedEnvironment env("GOOGLE_APPLICATION_CREDENTIALS", id_token_key_file_);
+  ScopedEnvironment env("GOOGLE_APPLICATION_CREDENTIALS", id_token_key_file);
 
   auto ud_options = gc::AddUniverseDomainOption(gc::ExperimentalTag{});
   ASSERT_STATUS_OK(ud_options);
