Commit ee551905 authored by Pierre Smeyers's avatar Pierre Smeyers

Merge branch 'fix/urllib3-proxy' into 'main'

Fix regression with proxy and urllib3

Closes #3

See merge request to-be-continuous/tools/gcp-auth-provider!66
parents d5d7124b 6eb44978
+41 −3
@@ -22,10 +22,11 @@ stages:
variables:
  PYTHON_IMAGE: "registry.hub.docker.com/library/python:3.11"
  PYTHON_SBOM_DISABLED: "true"
  GCP_OIDC_PROVIDER: $GCP_OIDC_PROVIDER
  GCP_OIDC_ACCOUNT: $GCP_OIDC_ACCOUNT
  VALID_GCP_OIDC_PROVIDER: $GCP_OIDC_PROVIDER
  VALID_GCP_OIDC_ACCOUNT: $GCP_OIDC_ACCOUNT
  DOCKER_BUILD_ARGS: "--cache-ttl=6h"
  DOCKER_PROD_PUBLISH_STRATEGY: "auto"
  PROXYPY_IMAGE: "registry.hub.docker.com/abhinavsingh/proxy.py:v2.4.3"

.test-scripts: &test-scripts |
  # BEGSCRIPT
@@ -127,6 +128,15 @@ test-token-succeeds:
  extends: .test-base
  variables:
    CI_JOB_JWT_V2: $CI_JOB_JWT_V2
    FF_NETWORK_PER_BUILD: 1

  services:
    - name: "$DOCKER_SNAPSHOT_IMAGE"
      alias: "gcp-auth-provider"
      variables:
        GCP_OIDC_PROVIDER: $VALID_GCP_OIDC_PROVIDER
        GCP_OIDC_ACCOUNT: $VALID_GCP_OIDC_ACCOUNT

  script:
    - |
      response_status=$(curl -s -o "resp.txt" -w "%{http_code}" "http://gcp-auth-provider/token")
@@ -141,3 +151,31 @@ test-token-succeeds:
    - if: $CI_SERVER_HOST != "gitlab.com"
      when: never
    - if: '$GCP_OIDC_ACCOUNT && $GCP_OIDC_PROVIDER'

# test: get token with valid OIDC account and provider through proxy shall succeed
test-token-with-proxy-succeeds:
  extends: test-token-succeeds
  services:
    - name: "$DOCKER_SNAPSHOT_IMAGE"
      alias: "gcp-auth-provider"
      variables:
        GCP_OIDC_PROVIDER: $VALID_GCP_OIDC_PROVIDER
        GCP_OIDC_ACCOUNT: $VALID_GCP_OIDC_ACCOUNT
        https_proxy: "http://proxy:8899"
    - name: "$PROXYPY_IMAGE"
      alias: "proxy"

# test: get token with valid OIDC with proxy not available should fail
test-token-with-proxy-unavail-fails:
  extends: test-token-succeeds
  services:
    - name: "$DOCKER_SNAPSHOT_IMAGE"
      alias: "gcp-auth-provider"
      variables:
        GCP_OIDC_PROVIDER: $VALID_GCP_OIDC_PROVIDER
        GCP_OIDC_ACCOUNT: $VALID_GCP_OIDC_ACCOUNT
        https_proxy: "http://no-proxy-host"
  script:
    - |
      response_status=$(curl -s -o "resp.txt" -w "%{http_code}" "http://gcp-auth-provider/token")
      assert_eq "500" $response_status "$(cat resp.txt)"
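Review bot: `PROXYPY_IMAGE` in the `variables` hunk pins the proxy service by a mutable tag only, so the image the two new proxy jobs pull can change underneath the pipeline without any diff here; pinning to an immutable digest as well (`PROXYPY_IMAGE: "registry.hub.docker.com/abhinavsingh/proxy.py:v2.4.3@sha256:<digest>"`, with the digest looked up when the pin is set) would make the proxy behaviour the jobs assert on reproducible. The same remark applies to the pre-existing `PYTHON_IMAGE`, but that line is not part of this change. In `test-token-with-proxy-unavail-fails`, the expected `"500"` couples the test to the service's current error mapping for an unreachable proxy; a comment above the assertion such as `# provider reports an unreachable proxy as HTTP 500` would make that expectation explicit for the next reader. The rendered section does not mark which lines of the first hunk are additions, so I am assuming `PROXYPY_IMAGE` is the added line.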
+25 −3
import os

from urllib.parse import urlparse

import certifi
import urllib3
from starlette.exceptions import HTTPException

http = urllib3.PoolManager(cert_reqs="CERT_REQUIRED", ca_certs=certifi.where())
cert_kw = {
    "cert_reqs": "CERT_REQUIRED",
    "ca_certs": certifi.where(),
}

var_names = ["https_proxy", "HTTPS_PROXY", "http_proxy", "HTTP_PROXY"]
proxy_var = next(filter(bool, map(os.environ.get, var_names)), None)

if proxy_var:
    if not proxy_var.startswith("http"):
        proxy_var = f"http://{proxy_var}"

    url = urlparse(proxy_var)
    proxy_auth = (
        f"{url.username}:{url.password}" if url.username and url.password else None
    )
    headers = urllib3.make_headers(proxy_basic_auth=proxy_auth)
    proxy_url = f'{url.scheme}://{url.hostname}:{url.port or "80"}/'
    http = urllib3.ProxyManager(proxy_url, proxy_headers=headers, **cert_kw)
else:
    http = urllib3.PoolManager(**cert_kw)

JWT_TOKEN = os.environ.get("GCP_JWT") or os.environ.get("CI_JOB_JWT_V2")


def get_iam_credentials(service_account, federated_token):
    resp = urllib3.request(
    resp = http.request(
        method="POST",
        url=f"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{service_account}:generateAccessToken",
        headers={
@@ -34,7 +56,7 @@ def get_sts_token(audience):
            status_code=401, detail="Missing $CI_JOB_JWT_V2 or $GCP_JWT token"
        )

    resp = urllib3.request(
    resp = http.request(
        method="POST",
        url="https://sts.googleapis.com/v1/token",
        headers={"Accept": "application/json", "Content-Type": "application/json"},
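Review bot: The proxy credentials assembled on the `proxy_auth` line are taken verbatim from `urlparse`, which leaves percent-encoding in place, so a proxy password containing a reserved character (an `@` written as `%40`, for example) is base64-encoded still escaped by `make_headers` and the proxy rejects it. I would decode both parts before building the header: `from urllib.parse import urlparse, unquote` and `f"{unquote(url.username)}:{unquote(url.password)}" if url.username and url.password else None`. Separately, `url.port or "80"` falls back to port 80 even when the parsed scheme is `https`, so an `https_proxy=https://host` value without an explicit port would presumably be contacted on the wrong port; a per-scheme default (`443` for `https`) avoids that, if https-scheme proxies are meant to be supported here. `get_iam_credentials` and `get_sts_token` continue past the displayed lines, so I cannot see whether `no_proxy` is handled anywhere; as written the `ProxyManager` routes every request through the proxy regardless of that variable, which is worth a one-line comment if intentional.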
+1 −1