Load client keys from GCS (#209)

* Load client keys from GCS

* s/loadtest/test-client/

* Updated deployed service config

.gitignore

@@ -9,3 +9,7 @@ CMakeLists.txt
 /bazel-*
 
 test/src/github.com
+
+client/custom/esp-test-client-secret-jwk.json
+client/custom/esp-test-client-secret-x509.json
+test/echo/esp-echo-client-secret-jwk.json

client/custom/gen-auth-token.sh

@@ -34,9 +34,6 @@ BUILD_AUTH_TOKEN_GEN=1
 
 . ${ROOT}/script/all-utilities || { echo 'Cannot load Bash utilities'; exit 1; }
 
-# By default, use jwk key. Can be switched to x509 or symmetric key.
-SECRET_FILE="${ROOT}/client/custom/esp-test-client-secret-jwk.json"
-
 # By default audience is service name,  use -a to change it to your service
 # name or other allowed audiences (check service swagger configuration).
 AUDIENCE="bookstore-esp-echo.cloudendpointsapis.com"
@@ -62,6 +59,9 @@ while getopts a:g:s:? arg; do
   esac
 done
 
+# By default, use jwk key. Can be switched to x509 or symmetric key.
+SECRET_FILE="${SECRET_FILE:-$(get_test_client_key ${ROOT}/client/custom/esp-test-client-secret-jwk.json)}"
+
 if [[ ! -x ${AUTH_TOKEN_GEN} ]]; then
   [[ ${BUILD_AUTH_TOKEN_GEN} -ne 0 ]] \
     || error_exit "Cannot find ${AUTH_TOKEN_GEN}"

doc/tutorial.md

@@ -265,8 +265,8 @@ Open `${ESP}/src/nginx/conf/bookstore.json` and replace the (initially empty)
  "providers": [
    {
      "id": "test-auth-provider",
-     "issuer": "loadtest@esp-test-client.iam.gserviceaccount.com",
-     "jwksUri": "https://www.googleapis.com/service_accounts/v1/jwk/loadtest@esp-test-client.iam.gserviceaccount.com"
+     "issuer": "test-client@esp-test-client.iam.gserviceaccount.com",
+     "jwksUri": "https://www.googleapis.com/service_accounts/v1/jwk/test-client@esp-test-client.iam.gserviceaccount.com"
    }
  ],
  "rules": [

script/all-utilities

@@ -149,13 +149,22 @@ function retry() {
 # Download api Keys from Cloud storage and source the file.
 function set_api_keys() {
   local api_key_directory="$(mktemp -d)"
-  gsutil cp gs://client-secret-files/api_keys \
+  $GSUTIL cp gs://client-secret-files/api_keys \
         "${api_key_directory}/api_keys" \
           || error_exit "Failed to download API key file."
 
   source "${api_key_directory}/api_keys"
 }
 
+# Download test-client keys from Cloud storage
+function get_test_client_key() {
+  local key_path=$1
+  [[ -e $key_path ]] || $GSUTIL \
+    cp gs://client-secret-files/esp-test-client-434d3cb34a1c.json $key_path
+  echo -n $key_path
+  return 0
+}
+
 # Creates a simple Json Status file
 function create_status_file() {
   local OPTIND OPTARG ARG

script/linux-start-local-test

@@ -120,8 +120,8 @@ NGINX_ARGS=(-p "${PREFIX}" -c "${NGINX_CONFIG}" -g "pid ${PREFIX}/.nginx.pid;")
 
 echo 'Constructing test data.'
 JWT_TOKEN="$("${ROOT}/client/custom/gen-auth-token.sh" \
-    -s "${ROOT}/test/echo/esp-echo-client-secret-jwk.json" \
-    -a "${SERVICE_NAME}")"
+  -s "$(get_test_client_key ${ROOT}/test/echo/esp-echo-client-secret-jwk.json)" \
+  -a "${SERVICE_NAME}")"
 POST_FILE="${ROOT}/test/data/8k.json"
 HOST='http://127.0.0.1:8090'
 

script/linux-test-vm-bookstore

@@ -184,8 +184,8 @@ BOOKSTORE_FAILURES=0
 #   "kid": "f525b853cbd035cc6b2910bb87752311d32091b8"
 # }
 # {
-#   "iss": "loadtest@esp-test-client.iam.gserviceaccount.com",
-#   "sub": "loadtest@esp-test-client.iam.gserviceaccount.com",
+#   "iss": "test-client@esp-test-client.iam.gserviceaccount.com",
+#   "sub": "test-client@esp-test-client.iam.gserviceaccount.com",
 #   "aud": ["test", "esp-load-test.appspot.com"],
 #   "iat": 1457109765,
 #   "exp": 2457113365

script/linux-test-vm-echo

@@ -117,9 +117,9 @@ EXPECTED_RESPONSE=".*Method doesn't allow unregistered callers.*STATUS_CODE:401"
 
 SERVICE_NAME="echo-dot-${PROJECT_ID}.appspot.com"
 JWT_TOKEN="$("${ROOT}/client/custom/gen-auth-token.sh" \
-  -s "${ROOT}/test/echo/esp-echo-client-secret-jwk.json" \
+  -s "$(get_test_client_key ${ROOT}/test/echo/esp-echo-client-secret-jwk.json)" \
   -a "${SERVICE_NAME}")"
-POST_FILE="${ROOT}/test/echo/esp-echo-client-secret-x509.json"
+POST_FILE="${ROOT}/test/echo/package.json"
 
 echo "Start perf testing"
 pushd "${ROOT}/test/client" > /dev/null

test/bookstore/app_esp.yaml

@@ -38,7 +38,7 @@ manual_scaling:
 # Hard code the service name and config_id
 endpoints_api_service:
   name: "${MY_PROJECT_ID}.appspot.com"
-  config_id: "2017-05-25r0"
+  config_id: "2017-07-12r0"
 
 beta_settings:
   allow_ssh: true

test/bookstore/swagger.json

@@ -583,8 +583,8 @@
       "authorizationUrl": "",
       "flow": "implicit",
       "type": "oauth2",
-      "x-google-issuer": "loadtest@esp-test-client.iam.gserviceaccount.com",
-      "x-google-jwks_uri": "https://www.googleapis.com/service_accounts/v1/jwk/loadtest@esp-test-client.iam.gserviceaccount.com"
+      "x-google-issuer": "test-client@esp-test-client.iam.gserviceaccount.com",
+      "x-google-jwks_uri": "https://www.googleapis.com/service_accounts/v1/jwk/test-client@esp-test-client.iam.gserviceaccount.com"
     },
     "test_symmetric": {
       "authorizationUrl": "",

test/bookstore/swagger_template.json

@@ -607,8 +607,8 @@
       "authorizationUrl": "",
       "flow": "implicit",
       "type": "oauth2",
-      "x-google-issuer": "loadtest@esp-test-client.iam.gserviceaccount.com",
-      "x-google-jwks_uri": "https://www.googleapis.com/service_accounts/v1/jwk/loadtest@esp-test-client.iam.gserviceaccount.com"
+      "x-google-issuer": "test-client@esp-test-client.iam.gserviceaccount.com",
+      "x-google-jwks_uri": "https://www.googleapis.com/service_accounts/v1/jwk/test-client@esp-test-client.iam.gserviceaccount.com"
     },
     "test_symmetric": {
       "authorizationUrl": "",

test/data/35k.json

@@ -346,8 +346,8 @@
    },
    {
     "id": "test_jwk",
-    "issuer": "loadtest@esp-test-client.iam.gserviceaccount.com",
-    "jwksUri": "https://www.googleapis.com/service_accounts/v1/jwk/loadtest@esp-test-client.iam.gserviceaccount.com"
+    "issuer": "test-client@esp-test-client.iam.gserviceaccount.com",
+    "jwksUri": "https://www.googleapis.com/service_accounts/v1/jwk/test-client@esp-test-client.iam.gserviceaccount.com"
    },
    {
     "id": "test_symmetric",
@@ -1082,8 +1082,8 @@
    },
    {
     "id": "test_jwk",
-    "issuer": "loadtest@esp-test-client.iam.gserviceaccount.com",
-    "jwksUri": "https://www.googleapis.com/service_accounts/v1/jwk/loadtest@esp-test-client.iam.gserviceaccount.com"
+    "issuer": "test-client@esp-test-client.iam.gserviceaccount.com",
+    "jwksUri": "https://www.googleapis.com/service_accounts/v1/jwk/test-client@esp-test-client.iam.gserviceaccount.com"
    },
    {
     "id": "test_symmetric",

test/data/8k.json

@@ -69,8 +69,8 @@
   "providers": [
    {
     "id": "test_jwk",
-    "issuer": "loadtest@esp-test-client.iam.gserviceaccount.com",
-    "jwksUri": "https://www.googleapis.com/service_accounts/v1/jwk/loadtest@esp-test-client.iam.gserviceaccount.com"
+    "issuer": "test-client@esp-test-client.iam.gserviceaccount.com",
+    "jwksUri": "https://www.googleapis.com/service_accounts/v1/jwk/test-client@esp-test-client.iam.gserviceaccount.com"
    },
    {
     "id": "test_symmetric",

test/echo/app_esp.yaml

@@ -38,7 +38,7 @@ manual_scaling:
 # Hard code the service name and config_id
 endpoints_api_service:
   name: "echo-dot-${MY_PROJECT_ID}.appspot.com"
-  config_id: "2017-05-26r0"
+  config_id: "2017-07-12r0"
 
 beta_settings:
   allow_ssh: true

test/echo/echo.json

@@ -16,8 +16,8 @@
             "type": "oauth2",
             "authorizationUrl": "",
             "flow": "implicit",
-            "x-google-issuer": "loadtest@esp-test-client.iam.gserviceaccount.com",
-            "x-google-jwks_uri": "https://www.googleapis.com/service_accounts/v1/jwk/loadtest@esp-test-client.iam.gserviceaccount.com"
+            "x-google-issuer": "test-client@esp-test-client.iam.gserviceaccount.com",
+            "x-google-jwks_uri": "https://www.googleapis.com/service_accounts/v1/jwk/test-client@esp-test-client.iam.gserviceaccount.com"
         },
         "test_x509": {
             "type": "oauth2",

test/echo/esp-echo-client-secret-x509.json

@@ -1,7 +1,7 @@
 {
   "private_key_id": "33a681b36b8983913b05f8d5eab165c60694b6fc",
   "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDSgktXIdXYafwC\nF+yVbrT9Khnqy92eF3Ib7hpAT4INirSIj0lMgkwpntPk6xYvzTZK32iwoqkv5chS\nnKA9E0iTTAkicsIFMXwru75x+w3s9CmPsKfSC+jW1126HkJEB4wRkUKzBYOrZIWe\nkwC7X0vgDWCwkKzfKXSqlUmm73NUB9v4dEX1Co0hBxlnl/QShP7cg4sYV6shcowR\nZ1yTw3nDHe+Gg9PE6klSWR0eM3jF0NGtzRylqpBO5jWJcDYb1L69/9JUrNL91tiL\nG+gxmVfrC4NIdclpX5LxH0WIOlfQy1qG03TbTuAi0xUJ0eBNTaSOlh6I7C5c8wLM\nlFzTYvGVAgMBAAECggEBALD8EtPDAsPc95/a9XH9jfV7vCaIGF+eXrXUzgVb04AH\nKhnWPk4xDk+/1W8Vp6Ww5wC0LJS1bYFzs6ShQqeW2uHcf6GS0kUDgd5TDp9N8DtU\nXM0OPUp/8NcQYyDj59rCbaUnd+iDrlwfO6hC986RJH3PQYexW2aUuB3jPfU4RMJU\nAoL6runoFuE8UihvuJj1ZipJlFpc4Slm2CCFSkZW9qQkhHEbasaDqfPX7ZufUnsz\nQkw1AWMgLRndlETS1ozPB7zRC56sYvbTv71OoeooFBnV4KUwM2+TYm9Q3UXG/Iqn\nX7mHnJIndn3RYyupTYb1GfM61upZJ2bTERjMfnA+/1ECgYEA8sNHojTYWS2uQewv\ngvFI5FZCef7KUBSX05gixIb0o3Fl4hEKI7X96TOaPGN7Zn8cJNuOwWW32KZ2sfVw\nBUQ2kAtHny8FFfoHAGCrG9nkZmpm5dWRszWBx5hdnZU2ZBU0+2OHMi3Mdteycl95\nwC/eZxqPCLip/U00+vHw5nYk3C8CgYEA3fzIpZZ/UxLCJMokLTgj2uSW+F0/16Xg\n0+g/UlK3eNgIQpWIuRmUVssDoiOkZjqP472ZfKU1C0c6DitbLtF1iSrrdBnRIwJ6\n09SpogW0BbHh6dXBiRLicx0yXh6rQa/JZLC/LTRgTlJR+O3ldEhQqh1YrecUcoQM\n8LxWrNmoiXsCgYEAocvTD2HHG9CdRmSC2fO0UDLJhYNyFWNUOXs5GOCVZeVrMPuI\nVXqzKtzwm/T1xr9K46nNgEop+OQhUcQyD+CBuQk7h/WPnzEPv4muIRbc6gFaaS4p\nOFaeE4gSRLexE40qza1s6t2pWz+xOBc4DwYYZYFG+VoSObdeay4bD46ITJMCgYBF\nISh28KQcAbZ18IFNl7MKwq8FDz0Hcf/O3f+CKoI6XsRLv/eA9SdN1BEAmCrlLw2K\nNYwr1eLr7TV2HihaLx50JeqHEFchmO8ZMpvU+gOy1k9tG4UWo8vjX09FIjXg0dZc\nxfHzKOFo4pfmdmdDTBXatCLenRywANFq0qwHTgz/KwKBgQDq3ZyXVGmqpdndSxVe\nE8W2JNVvUMFnsWuW9py0XqyaZV3i4eBQdaUQ24Dojkc7nJ2aLvtVIa5X02C9HPdu\ngKbMjlwt+7ord0WiysX1OzYP6YuJJpeDtqHJQB8dZvfeOZf11RXuQEpN0NrCm8Yb\nI9AhDqa+2sl6kOtAlrlsRzF4CQ==\n-----END PRIVATE KEY-----\n",
-  "client_email": "loadtest@esp-test-client.iam.gserviceaccount.com",
+  "client_email": "test-client@esp-test-client.iam.gserviceaccount.com",
   "client_id": "101525312337747968935",
   "type": "service_account"
 }

test/echo/local.conf

@@ -16,7 +16,6 @@ http {
         # cp service.json.temp service.json and modify ${PROJECT}
         api service.json;
         consumer_project_id esp_echo;
-        servicecontrol_secret esp-echo-client-secret-x509.json;
       }
       # End Endpoints v2 Support
 

test/echo/swagger.json

@@ -163,8 +163,8 @@
       "authorizationUrl": "",
       "flow": "implicit",
       "type": "oauth2",
-      "x-google-issuer": "loadtest@esp-test-client.iam.gserviceaccount.com",
-      "x-google-jwks_uri": "https://www.googleapis.com/service_accounts/v1/jwk/loadtest@esp-test-client.iam.gserviceaccount.com",
+      "x-google-issuer": "test-client@esp-test-client.iam.gserviceaccount.com",
+      "x-google-jwks_uri": "https://www.googleapis.com/service_accounts/v1/jwk/test-client@esp-test-client.iam.gserviceaccount.com",
       "x-google-audiences": "echo-${MY_PROJECT_ID}.appspot.com"
     }
   }

test/grpc/grpc-test.yaml

@@ -11,8 +11,8 @@ authentication:
         - provider_id: test_jwk
   providers:
     - id: test_jwk
-      issuer: loadtest@esp-test-client.iam.gserviceaccount.com
-      jwks_uri: https://www.googleapis.com/service_accounts/v1/jwk/loadtest@esp-test-client.iam.gserviceaccount.com
+      issuer: test-client@esp-test-client.iam.gserviceaccount.com
+      jwks_uri: https://www.googleapis.com/service_accounts/v1/jwk/test-client@esp-test-client.iam.gserviceaccount.com
 usage:
   rules:
     - selector: test.grpc.Test.Echo

test/grpc/local/service.json

@@ -1102,8 +1102,8 @@
     "providers": [
       {
         "id": "test_jwk",
-        "issuer": "loadtest@esp-test-client.iam.gserviceaccount.com",
-        "jwksUri": "https://www.googleapis.com/service_accounts/v1/jwk/loadtest@esp-test-client.iam.gserviceaccount.com"
+        "issuer": "test-client@esp-test-client.iam.gserviceaccount.com",
+        "jwksUri": "https://www.googleapis.com/service_accounts/v1/jwk/test-client@esp-test-client.iam.gserviceaccount.com"
       }
     ]
   },

tools/src/deploy/example/bookstore_swagger_template.json

@@ -561,8 +561,8 @@
       "authorizationUrl": "",
       "flow": "implicit",
       "type": "oauth2",
-      "x-google-issuer": "loadtest@esp-test-client.iam.gserviceaccount.com",
-      "x-google-jwks_uri": "https://www.googleapis.com/service_accounts/v1/jwk/loadtest@esp-test-client.iam.gserviceaccount.com"
+      "x-google-issuer": "test-client@esp-test-client.iam.gserviceaccount.com",
+      "x-google-jwks_uri": "https://www.googleapis.com/service_accounts/v1/jwk/test-client@esp-test-client.iam.gserviceaccount.com"
     },
     "test_symmetric": {
       "authorizationUrl": "",