credentials: implement file-based JWT Call Credentials (part 1 for A97) #8431
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## master #8431 +/- ##
==========================================
- Coverage 82.27% 81.97% -0.31%
==========================================
Files 414 414
Lines 40424 40587 +163
==========================================
+ Hits 33259 33271 +12
- Misses 5795 5930 +135
- Partials 1370 1386 +16
@dfawley hey 👋 Given you approved A97, would you mind having a cursory look at the PR to confirm if at least at a high level the approach looks good?
I will take a look at this, I need to go through the gRFC first.
Sorry for the delay here. @easwars would you be able to review this change? I think you have more background into some of the things than I do, like the bootstrap integration. Thank you!
Thank you for your contribution @dimpavloff. Yes, it would be nice if you can split this into smaller PRs. I will continue to use this PR to review the JWT call credentials implementation. If you can move the xDS implementation out to one or more PRs, I would greatly appreciate that and would be happy to review them as well.
|
||
// Verify cached expiration is 30 seconds before actual token expiration | ||
impl := creds.(*jwtTokenFileCallCreds) | ||
impl.mu.RLock() |
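Review bot: The type assertion `creds.(*jwtTokenFileCallCreds)` on the second line of this excerpt is the single-value form, so a change in the concrete type behind `creds` makes the test panic instead of failing with a message; use `impl, ok := creds.(*jwtTokenFileCallCreds)` and call `t.Fatalf` when `ok` is false. If the unlock is not already deferred on the line after `impl.mu.RLock()`, add `defer impl.mu.RUnlock()` there so the read lock is released even when a later assertion ends the test early.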
Please only test the API surface. Relying on implementation internals in tests makes them brittle and would result in test changes when any change to the implementation is made.
I assume you are referring to using a private field rather than obtaining mu specifically.
In general I agree -- white box tests may get fragile and break during a refactor. However, this test and the next couple of ones are about the caching behaviour -- it is meant to be transparent to the external API. If I don't make assertions about the private fields, the tests may pass trivially and become more flaky (e.g. when testing the backoff in the next test).
One alternative could be factoring these behaviours out into a separate private struct with "public" functions which expose the same information. Given that it would require shifting the majority of the implementation into that struct, I'm not sure it is an improvement from the current approach.
Please do let me know your thoughts and if you have other suggestions.
@easwars, I managed to iterate on top of your suggestion to simplify it further, we no longer need the condition variable, just one lock! LMK what you think
Looks quite good. Most of the comments are nits.
I still have to review some of the tests in credentials/jwt/jwt_token_file_call_creds_test.go though (starting with TestTokenFileCallCreds_CacheExpirationIsBeforeTokenExpiration).
if err == nil { | ||
t.Fatalf("GetRequestMetadata() expected error, got nil") | ||
} | ||
if !strings.Contains(err.Error(), tt.wantErrContains) { |
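Review bot: The `strings.Contains(err.Error(), tt.wantErrContains)` check on the last line asserts on error wording, so rewording a message breaks the test while a change in failure class goes unnoticed; compare a typed or coded error instead. In the nil-error branch, `t.Fatalf` is called with no format arguments, where `t.Fatal` is the idiomatic call.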
Here as well, we should be checking for the status code instead of the actual contents of the error string.
Also, using status.Code(err) would work with nil error and return status.OK which would make the test logic much simpler as it would mostly be the same for success and failure cases.
Nice point, updated.
Btw, this has helped uncover that credentials.CheckSecurityLevel and its call in GetRequestMetadata doesn't return a grpc code. This is also true in credentials/oauth/oauth.go and credentials/sts/sts.go. Therefore, this will map to codes.Unknown. Is this appropriate?
Will check with folks on the team and will get back to you soon on this. Thanks.
Thanks for taking care of all of my comments. I think I'm mostly happy with where we are at now. I'll follow up on the two open issues and get back to you soon.
} | ||
} | ||
|
||
// createTestJWT creates a test JWT token with the specified audience and |
Nit: remove mention of audience from the comment.
credentials/jwt/jwt_file_reader.go
Outdated
} | ||
} | ||
|
||
// ReadToken reads and parses a JWT token from the configured file. |
Will check with folks on the team and will get back to you soon on this. Thanks.
Part one for grpc/proposal#492 (A97).
This is done in a new credentials/jwt package to provide file-based PerRPCCallCredentials. It can be used beyond XDS. The package handles token reloading, caching, and validation as per A97.
There will be a separate PR which uses it in xds/bootstrap.
Whilst implementing the above, I considered credentials/oauth and credentials/xds packages instead of creating a new one. The former package has NewJWTAccessFromKey and jwtAccess which seem very relevant at first. However, I think the jwtAccess behaviour seems more tailored towards Google services. Also, the refresh, caching, and error behaviour for A97 is quite different than what's already there and therefore a separate implementation would have still made sense.
WRT credentials/xds, it could have been extended to both handle transport and call credentials. However, this is a bit at odds with A97 which says that the implementation should be non-XDS specific and, from reading between the lines, usable beyond XDS.
I think the current approach makes review easier but because of the similarities with the other two packages, it is a bit confusing to navigate. Please let me know whether the structure should change.
Relates to istio/istio#53532
RELEASE NOTES:
credentials/jwt package providing file-based JWT PerRPCCredentials (A97)
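The caching rule exercised in the review above (a cached token is treated as stale 30 seconds before its actual expiration), as an added example that is not code from this PR or from grpc-go. It uses only the standard library; `refreshDeadline` and `expiryMargin` are hypothetical names, and the token in `main` is a constructed, unsigned sample.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

// Cached tokens are treated as stale this long before their exp claim.
const expiryMargin = 30 * time.Second

// refreshDeadline (hypothetical name) returns the exp claim of a compact JWT
// minus the margin. The signature is not verified: the client only forwards it.
func refreshDeadline(token string, now time.Time) (time.Time, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return time.Time{}, fmt.Errorf("jwt: got %d parts, want 3", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, fmt.Errorf("jwt: bad payload encoding: %w", err)
	}
	var claims struct {
		Exp *float64 `json:"exp"` // NumericDate may be fractional
	}
	if err := json.Unmarshal(payload, &claims); err != nil || claims.Exp == nil {
		return time.Time{}, fmt.Errorf("jwt: payload has no usable exp claim")
	}
	exp := time.Unix(int64(*claims.Exp), 0)
	if !exp.After(now) {
		return time.Time{}, fmt.Errorf("jwt: token expired at %s", exp.UTC())
	}
	return exp.Add(-expiryMargin), nil
}

func main() {
	// Constructed sample: an unsigned token expiring in one hour, read from a file.
	now := time.Now()
	body := fmt.Sprintf(`{"exp":%d}`, now.Add(time.Hour).Unix())
	tok := "e30." + base64.RawURLEncoding.EncodeToString([]byte(body)) + ".sig"
	f, _ := os.CreateTemp("", "token-*.jwt")
	defer os.Remove(f.Name())
	f.WriteString(tok + "\n")
	f.Close()
	raw, _ := os.ReadFile(f.Name())
	fmt.Println(refreshDeadline(string(raw), now))
}
```

A deadline that is already in the past (a token with less than 30 seconds left) is still returned without error, so the caller re-reads the file on the next RPC while the current token remains usable.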