ci: add impersonation integration tests for universe domain

Author: cuiy0006

ci/cloudbuild/builds/lib/universe_domain.sh

@@ -43,5 +43,7 @@ function ud::bazel_test() {
   bazel test "${args[@]}" --sandbox_add_mount_pair=/tmp \
     --test_env=UD_SA_KEY_FILE="${UD_SA_KEY_FILE}" \
     --test_env=UD_REGION="${UD_REGION}" \
+    --test_env=UD_ZONE="${UD_ZONE}" \
+    --test_env=UD_IMPERSONATED_SERVICE_ACCOUNT_NAME="${UD_IMPERSONATED_SERVICE_ACCOUNT_NAME}" \
     --test_env=UD_PROJECT="${UD_PROJECT}" -- "$@"
 }

…loudbuild/builds/universe-domain-demo.sh ci/cloudbuild/builds/universe-domain.shci/cloudbuild/builds/universe-domain-demo.sh renamed to ci/cloudbuild/builds/universe-domain.sh ci/cloudbuild/builds/universe-domain-demo.sh renamed to ci/cloudbuild/builds/universe-domain.sh

@@ -29,6 +29,7 @@ if [[ -n "${UD_SA_KEY_FILE}" ]]; then
   ud::bazel_run //google/cloud/universe_domain/demo:kms_demo \
     "${UD_PROJECT}" "${UD_REGION}" "${UD_SA_KEY_FILE}"
   ud::bazel_test //google/cloud/storage/tests:universe_domain_integration_test
+  ud::bazel_test //google/cloud/universe_domain/integration_tests:impersonation_tests
 else
   source module ci/etc/integration-tests-config.sh
   bazel run -- //google/cloud/universe_domain/demo:kms_demo \

ci/cloudbuild/cloudbuild.yaml

@@ -70,11 +70,14 @@ availableSecrets:
     env: 'UD_PROJECT'
   - versionName: 'projects/${PROJECT_ID}/secrets/UD_REGION/versions/latest'
     env: 'UD_REGION'
+  - versionName: 'projects/${PROJECT_ID}/secrets/UD_ZONE/versions/latest'
+    env: 'UD_ZONE'
   - versionName: 'projects/${PROJECT_ID}/secrets/UD_SERVICE_ACCOUNT/versions/latest'
     env: 'UD_SERVICE_ACCOUNT'
   - versionName: 'projects/${PROJECT_ID}/secrets/UD_SERVICE_ACCOUNT_NAME/versions/latest'
     env: 'UD_SERVICE_ACCOUNT_NAME'
-
+  - versionName: 'projects/${PROJECT_ID}/secrets/UD_IMPERSONATED_SERVICE_ACCOUNT_NAME/versions/latest'
+    env: 'UD_IMPERSONATED_SERVICE_ACCOUNT_NAME'
 
 logsBucket: 'gs://${_LOGS_BUCKET}/logs/google-cloud-cpp/${_TRIGGER_SOURCE}/${COMMIT_SHA}/${_DISTRO}-${_BUILD_NAME}-${_SHARD}'
 
@@ -112,7 +115,7 @@ steps:
 - name: '${_POOL_REGION}-docker.pkg.dev/${PROJECT_ID}/gcb/${_IMAGE}:${BUILD_ID}'
   entrypoint: 'ci/cloudbuild/build.sh'
   args: [ '--local', '--build', '${_BUILD_NAME}' ]
-  secretEnv: ['CODECOV_TOKEN', 'UD', 'UD_PROJECT', 'UD_REGION', 'UD_SERVICE_ACCOUNT', 'UD_SERVICE_ACCOUNT_NAME']
+  secretEnv: ['CODECOV_TOKEN', 'UD', 'UD_PROJECT', 'UD_REGION', 'UD_ZONE', 'UD_SERVICE_ACCOUNT', 'UD_SERVICE_ACCOUNT_NAME', 'UD_IMPERSONATED_SERVICE_ACCOUNT_NAME']
   env: [
     'BAZEL_REMOTE_CACHE=https://storage.googleapis.com/${_CACHE_BUCKET}/bazel-cache/${_DISTRO}-${_BUILD_NAME}',
     'LIBRARIES=${_LIBRARIES}',

…ld/triggers/universe-domain-demo-ci.yaml …udbuild/triggers/universe-domain-ci.yamlci/cloudbuild/triggers/universe-domain-demo-ci.yaml renamed to ci/cloudbuild/triggers/universe-domain-ci.yaml ci/cloudbuild/triggers/universe-domain-demo-ci.yaml renamed to ci/cloudbuild/triggers/universe-domain-ci.yaml

@@ -18,9 +18,9 @@ github:
   owner: googleapis
   push:
     branch: ^main$
-name: universe-domain-demo-ci
+name: universe-domain-ci
 substitutions:
-  _BUILD_NAME: universe-domain-demo
+  _BUILD_NAME: universe-domain
   _DISTRO: fedora-latest-bazel
   _TRIGGER_TYPE: ci
 includeBuildLogs: INCLUDE_BUILD_LOGS_WITH_STATUS

…ld/triggers/universe-domain-demo-pr.yaml …udbuild/triggers/universe-domain-pr.yamlci/cloudbuild/triggers/universe-domain-demo-pr.yaml renamed to ci/cloudbuild/triggers/universe-domain-pr.yaml ci/cloudbuild/triggers/universe-domain-demo-pr.yaml renamed to ci/cloudbuild/triggers/universe-domain-pr.yaml

@@ -19,9 +19,9 @@ github:
   pullRequest:
     branch: ^main$
     commentControl: COMMENTS_ENABLED_FOR_EXTERNAL_CONTRIBUTORS_ONLY
-name: universe-domain-demo-pr
+name: universe-domain-pr
 substitutions:
-  _BUILD_NAME: universe-domain-demo
+  _BUILD_NAME: universe-domain
   _DISTRO: fedora-latest-bazel
   _TRIGGER_TYPE: pr
 includeBuildLogs: INCLUDE_BUILD_LOGS_WITH_STATUS

google/cloud/universe_domain/integration_tests/BUILD.bazel

@@ -0,0 +1,34 @@
+# Copyright 2018 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package(default_visibility = ["//visibility:private"])
+
+licenses(["notice"])  # Apache 2.0
+
+cc_test(
+    name = "impersonation_tests",
+    timeout = "long",
+    srcs = ["impersonation_tests.cc"],
+    tags = [
+        "integration-test",
+    ],
+    deps = [
+        "//:common",
+        "//:experimental-universe_domain",
+        "//google/cloud/testing_util:google_cloud_cpp_testing_private",
+        "@com_google_googletest//:gtest_main",
+        "@google_cloud_cpp//:compute",
+        "@google_cloud_cpp//:kms",
+    ],
+)

google/cloud/universe_domain/integration_tests/impersonation_tests.cc

@@ -0,0 +1,96 @@
+#include "google/cloud/compute/disks/v1/disks_client.h"
+#include "google/cloud/compute/disks/v1/disks_options.h"
+#include "google/cloud/kms/v1/key_management_client.h"
+#include "google/cloud/kms/v1/key_management_options.h"
+#include "google/cloud/internal/getenv.h"
+#include "google/cloud/internal/rest_options.h"
+#include "google/cloud/location.h"
+#include "google/cloud/testing_util/integration_test.h"
+#include "google/cloud/universe_domain.h"
+#include "google/cloud/universe_domain_options.h"
+#include <gmock/gmock.h>
+#include <fstream>
+
+namespace google {
+namespace cloud {
+namespace universe_domain {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace {
+
+namespace gc = ::google::cloud;
+
+class DomainUniverseImpersonationTest
+    : public ::google::cloud::testing_util::IntegrationTest {
+ protected:
+  void SetUp() override {
+    project_id_ = gc::internal::GetEnv("UD_PROJECT").value_or("");
+    ASSERT_FALSE(project_id_.empty());
+    zone_id_ = gc::internal::GetEnv("UD_ZONE").value_or("");
+    ASSERT_FALSE(zone_id_.empty());
+    region_id_ = gc::internal::GetEnv("UD_REGION").value_or("");
+    ASSERT_FALSE(region_id_.empty());
+    impersonated_sa_ =
+        gc::internal::GetEnv("UD_IMPERSONATED_SERVICE_ACCOUNT_NAME")
+            .value_or("");
+    ASSERT_FALSE(impersonated_sa_.empty());
+    std::string const sa_key_file =
+        gc::internal::GetEnv("UD_SA_KEY_FILE").value_or("");
+    ASSERT_FALSE(sa_key_file.empty());
+
+    auto is = std::ifstream(sa_key_file);
+    is.exceptions(std::ios::badbit);
+    credential_ = std::string(std::istreambuf_iterator<char>(is.rdbuf()), {});
+  }
+
+  std::string project_id_;
+  std::string zone_id_;
+  std::string region_id_;
+  std::string impersonated_sa_;
+  std::string credential_;
+};
+
+TEST_F(DomainUniverseImpersonationTest, SAToSAImpersonationRest) {
+  namespace disks = ::google::cloud::compute_disks_v1;
+
+  gc::Options options;
+  options.set<google::cloud::UnifiedCredentialsOption>(
+      google::cloud::MakeImpersonateServiceAccountCredentials(
+          google::cloud::MakeServiceAccountCredentials(credential_),
+          impersonated_sa_));
+
+  auto ud_options = gc::AddUniverseDomainOption(gc::ExperimentalTag{}, options);
+  if (!ud_options.ok()) throw std::move(ud_options).status();
+
+  auto client = disks::DisksClient(disks::MakeDisksConnectionRest(*ud_options));
+
+  for (auto disk : client.ListDisks(project_id_, zone_id_)) {
+    if (!disk) throw std::move(disk).status();
+  }
+}
+
+TEST_F(DomainUniverseImpersonationTest, SAToSAImpersonationGrpc) {
+  namespace kms = ::google::cloud::kms_v1;
+
+  auto const location = gc::Location(project_id_, region_id_);
+  gc::Options options;
+  options.set<google::cloud::UnifiedCredentialsOption>(
+      google::cloud::MakeImpersonateServiceAccountCredentials(
+          google::cloud::MakeServiceAccountCredentials(credential_),
+          impersonated_sa_));
+
+  auto ud_options = gc::AddUniverseDomainOption(gc::ExperimentalTag{}, options);
+  if (!ud_options.ok()) throw std::move(ud_options).status();
+
+  auto client = kms::KeyManagementServiceClient(
+      kms::MakeKeyManagementServiceConnection(*ud_options));
+
+  for (auto kr : client.ListKeyRings(location.FullName())) {
+    if (!kr) throw std::move(kr).status();
+  }
+}
+
+}  // namespace
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace universe_domain
+}  // namespace cloud
+}  // namespace google