use PubSub JWT auth for security instead of the hardcoded static key

JoshuaFox · JoshuaFox · commit 2068c2316441 · 2024-02-22T13:11:16.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -1,13 +1,18 @@
 
-# See config.yaml.original in git; the others are dynamic and so not put in git.
+# See config.yaml.original and cron_.*.yaml in git;
+# the below are dynamic and so not put in git.
 config-test.yaml
 config-dev.yaml
 config.yaml
 cron.yaml
+#
+
 #
 __pycache__/
 *.bak
 .DS_Store
+*.swp
+
 TEMP*
 .idea/
 
diff --git a/iris-custom-role.yaml b/iris-custom-role.yaml
@@ -3,7 +3,7 @@ description: >
   Permissions needed by the custom role used by the Iris App Engine app's service account.
   A nondefault name for this role can be passed as env variable IRIS_CUSTOM_ROLE 
   into the deployment and uninstall scripts.
-# TODO For DRY, embed the following values in the Python class, then call these classes to construct this.
+# TODO Each Python plugin class should expose these and we should pull it from there,to have the info in one place.
 #
 # TODO: Not clear that `setTags` is really needed.
 stage: "GA"
diff --git a/main.py b/main.py
@@ -235,7 +235,7 @@ def label_one():
 
 def __check_pubsub_jwt():
     try:
-        #TODO the sample https://github.com/GoogleCloudPlatform/python-docs-samples/blob/ff4c1d55bb5b6995c63383469535604002dc9ba2/appengine/standard_python3/pubsub/main.py#L69
+        # TODO the sample https://github.com/GoogleCloudPlatform/python-docs-samples/blob/ff4c1d55bb5b6995c63383469535604002dc9ba2/appengine/standard_python3/pubsub/main.py#L69
         # has this. I am not sure why or how the token arg gets there.
         # if request.args.get("token", "") != current_app.config["PUBSUB_VERIFICATION_TOKEN"]:
         #     return "Invalid request", 400
diff --git a/plugins/bigquery.py b/plugins/bigquery.py
@@ -23,7 +23,6 @@ def _discovery_api():
     @lru_cache(maxsize=500)  # cached per project
     def _cloudclient(cls, project_id=None):
         assert project_id, "'None' is only for the signature"
-        logging.info("_cloudclient for %s", cls.__name__)
         # Local import to avoid burdening AppEngine memory.
         # Loading all Cloud Client libraries would be 100MB  means that
         # the default AppEngine Instance crashes on out-of-memory even before actually serving a request.
diff --git a/plugins/buckets.py b/plugins/buckets.py
@@ -20,7 +20,6 @@ def method_names():
     @lru_cache(maxsize=500)  # cached per project
     def _cloudclient(cls, project_id=None):
         assert project_id, "'None' is only for the signature"
-        logging.info("_cloudclient for %s", cls.__name__)
         # Local import to avoid burdening AppEngine memory.
         # Loading all Cloud Client libraries would be 100MB  means that
         # the default AppEngine Instance crashes on out-of-memory even before actually serving a request.
diff --git a/plugins/cloudsql.py b/plugins/cloudsql.py
@@ -18,7 +18,6 @@ def method_names():
 
     @classmethod
     def _cloudclient(cls, _=None):
-        logging.info("_cloudclient for %s", cls.__name__)
         raise NotImplementedError(
             "There is no Cloud Client library for " + cls.__name__
         )
diff --git a/plugins/disks.py b/plugins/disks.py
@@ -22,7 +22,6 @@ class Disks(GceZonalBase):
     @staticmethod
     @lru_cache(maxsize=1)
     def _create_cloudclient():
-        logging.info("_cloudclient for %s", "Disks")
         # Local import to avoid burdening AppEngine memory.
         # Loading all Cloud Client libraries would be 100MB  means that
         # the default AppEngine Instance crashes on out-of-memory even before actually serving a request.
diff --git a/plugins/instances.py b/plugins/instances.py
@@ -17,8 +17,6 @@ class Instances(GceZonalBase):
     @staticmethod
     @lru_cache(maxsize=1)
     def _create_cloudclient():
-
-        logging.info("_cloudclient for %s", "Instances")
         # Local import to avoid burdening AppEngine memory.
         # Loading all Cloud Client libraries would be 100MB  means that
         # the default AppEngine Instance crashes on out-of-memory even before actually serving a request.
diff --git a/plugins/snapshots.py b/plugins/snapshots.py
@@ -13,8 +13,6 @@ class Snapshots(GceBase):
     @classmethod
     @lru_cache(maxsize=1)
     def _cloudclient(cls, _=None):
-
-        logging.info("_cloudclient for %s", cls.__name__)
         # Local import to avoid burdening AppEngine memory. Loading all
         # Client libraries would be 100MB  means that the default AppEngine
         # Instance crashes on out-of-memory even before actually serving a request.
diff --git a/plugins/subscriptions.py b/plugins/subscriptions.py
@@ -17,7 +17,6 @@ class Subscriptions(Plugin):
     @classmethod
     @lru_cache(maxsize=1)
     def _cloudclient(cls, _=None):
-        logging.info("_cloudclient for %s", cls.__name__)
         # Local import to avoid burdening AppEngine memory.
         # Loading all Cloud Client libraries would be 100MB  means that
         # the default AppEngine Instance crashes on out-of-memory even before actually serving a request.
diff --git a/plugins/topics.py b/plugins/topics.py
@@ -17,7 +17,7 @@ class Topics(Plugin):
     @classmethod
     @lru_cache(maxsize=1)
     def _cloudclient(cls, _=None):
-        logging.info("_cloudclient for %s", cls.__name__)
+
         # Local import to avoid burdening AppEngine memory.
         # Loading all Cloud Client libraries would be 100MB  means that
         # the default AppEngine Instance crashes on out-of-memory even before actually serving a request.
diff --git a/scripts/_deploy-org.sh b/scripts/_deploy-org.sh
@@ -79,7 +79,7 @@ else
   fi
 
   # Add methodName filter to the log sink
-  #TODO get this directly from the Python class to avoid duplication
+  #TODO Each Python plugin class should expose these and we should pull it from there,to have the info in one place.
   log_filter+=('protoPayload.methodName:(')
   log_filter+=('"storage.buckets.create"')
   log_filter+=('OR "compute.instances.insert" OR "compute.instances.start" OR "datasetservice.insert"')
diff --git a/scripts/_deploy-project.sh b/scripts/_deploy-project.sh
@@ -114,7 +114,7 @@ set -e
 MSGSENDER_SERVICE_ACCOUNT=${msg_sender_sa_name}@${PROJECT_ID}.iam.gserviceaccount.com
 
 gcloud projects add-iam-policy-binding ${PROJECT_ID} \
- --member="serviceAccount:${MSGSENDER_SERVICE_ACCOUNT}"\
+ --member="serviceAccount:${PUBSUB_SERVICE_ACCOUNT}"\
  --role='roles/iam.serviceAccountTokenCreator'
 
 set +e
@@ -173,10 +173,9 @@ fi
 
 # Allow Pubsub to delete failed message from this sub
 gcloud pubsub subscriptions add-iam-policy-binding $DO_LABEL_SUBSCRIPTION \
-    --member="serviceAccount:$PUBSUB_SERVICE_ACCOUNT"\
+    --member="serviceAccount:$PUBSUB_SERVICE_ACCOUNT" \
     --role="roles/pubsub.subscriber" --project $PROJECT_ID >/dev/null
 
-
 if [[ "$LABEL_ON_CREATION_EVENT" != "true" ]]; then
   echo >&2 "Will not label on creation event."
   gcloud pubsub subscriptions delete "$LABEL_ONE_SUBSCRIPTION" --project="$PROJECT_ID" 2>/dev/null || true
diff --git a/test_scripts/integration_test.py b/test_scripts/integration_test.py
@@ -294,7 +294,7 @@ def pause_for_user_input():
         print("Type ENTER to proceed to clean up resources ")
         _ = sys.stdin.readline()
 
-    #pause_for_user_input()# Use this in debugging, to keep the test resources alive until you hit E
+    # pause_for_user_input()# Use this in debugging, to keep the test resources alive until you hit E
 
     remove_config_file()
     commands = [
diff --git a/uninstall_scripts/_uninstall-for-project.sh b/uninstall_scripts/_uninstall-for-project.sh
@@ -31,9 +31,12 @@ gcloud pubsub subscriptions remove-iam-policy-binding $LABEL_ONE_SUBSCRIPTION \
     --member="serviceAccount:$PUBSUB_SERVICE_ACCOUNT"\
     --role="roles/pubsub.subscriber" --project $PROJECT_ID ||true
 
-gcloud projects remove-iam-policy-binding ${PROJECT_ID}  \
-    --member="serviceAccount:${MSGSENDER_SERVICE_ACCOUNT}"\
-    --role='roles/iam.serviceAccountTokenCreator' ||true
+# We don't do the following to avoid disrupting PubSub more generally in the proect.
+#gcloud projects remove-iam-policy-binding ${PROJECT_ID}  \
+#    --member="serviceAccount:${PUBSUB_SERVICE_ACCOUNT}"\
+#    --role='roles/iam.serviceAccountTokenCreator' ||true
+
+
 
 gcloud pubsub subscriptions delete $DEADLETTER_SUB --project="$PROJECT_ID" -q || true
 gcloud pubsub subscriptions delete "$DO_LABEL_SUBSCRIPTION" -q --project="$PROJECT_ID" ||true
diff --git a/util/utils.py b/util/utils.py
@@ -252,7 +252,7 @@ def run_command(command_s, extra_env: typing.Dict[str, str] = None):
     command = command_s.split(" ")
     env = os.environ
     if extra_env is not None:
-        env = env | extra_env
+        env |= extra_env
     result = subprocess.run(command, stdout=subprocess.PIPE, check=True, env=env)
     output = result.stdout.decode("utf-8")
     return output.strip("\n")

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ description: >`
`3`	`3`	`Permissions needed by the custom role used by the Iris App Engine app's service account.`
`4`	`4`	`A nondefault name for this role can be passed as env variable IRIS_CUSTOM_ROLE`
`5`	`5`	`into the deployment and uninstall scripts.`
`6`		`-# TODO For DRY, embed the following values in the Python class, then call these classes to construct this.`
	`6`	`+# TODO Each Python plugin class should expose these and we should pull it from there,to have the info in one place.`
`7`	`7`	`#`
`8`	`8`	# TODO: Not clear that `setTags` is really needed.
`9`	`9`	`stage: "GA"`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,6 @@ def method_names():`
`18`	`18`
`19`	`19`	`@classmethod`
`20`	`20`	`def _cloudclient(cls, _=None):`
`21`		`- logging.info("_cloudclient for %s", cls.__name__)`
`22`	`21`	`raise NotImplementedError(`
`23`	`22`	`"There is no Cloud Client library for " + cls.__name__`
`24`	`23`	`)`