Add the ability to use Google Compute Engine Service Account for Authentication (#505)

* GCE Authentication test

* Added support for GCE Service accounts to Apigee Hybrid

Update composer.json

Fixed issues

Fixed logic errors

Fix form structure

Provide endpoint to ngsaas

Version change to add new Service Account Key Type

object to array

Added a checkbox for allowing GCP default service accounts to be used on the GCP platform

removed changes to composer.json

removed changes to composer.json

fixed Imports

if GCE service account is available use that by default

Fix Code Sniffer Errors

Fix Code Sniffer Errors

Fix Code Sniffer Errors

Fix Code Sniffer Errors

Fix Code Sniffer Errors

Fix the headers key

Changes after the code review.

* Moved the GCE Service Account class to the Apigee PHP SDK

* Require apigee/apigee-client-php 2.0.6, minor cleanup.

Co-authored-by: Arlina Espinoza <[email protected]>

Author: giteshk

src/Connector/GceServiceAccountAuthentication.php

@@ -0,0 +1,40 @@
+<?php
+
+/**
+ * Copyright 2020 Google Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301, USA.
+ */
+
+namespace Drupal\apigee_edge\Connector;
+
+use Apigee\Edge\ClientInterface;
+use Apigee\Edge\HttpClient\Plugin\Authentication\GceServiceAccount;
+
+/**
+ * Decorator for Hybrid authentication plugin.
+ */
+class GceServiceAccountAuthentication extends GceServiceAccount {
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function authClient(): ClientInterface {
+    /** @var \Drupal\apigee_edge\SDKConnectorInterface $sdk_connector */
+    $sdk_connector = \Drupal::service('apigee_edge.sdk_connector');
+    return $sdk_connector->buildClient($this->getAuthHeader(), $this->getAuthServer());
+  }
+
+}

src/Connector/HybridCredentials.php

@@ -42,7 +42,10 @@ class HybridCredentials extends Credentials {
   public function __construct(KeyInterface $key) {
     if ($key->getKeyType() instanceof EdgeKeyTypeInterface
       && ($auth_type = $key->getKeyType()->getAuthenticationType($key))
-      && $auth_type === EdgeKeyTypeInterface::EDGE_AUTH_TYPE_JWT
+      && (
+        $auth_type === EdgeKeyTypeInterface::EDGE_AUTH_TYPE_JWT ||
+        $auth_type === EdgeKeyTypeInterface::EDGE_AUTH_TYPE_DEFAULT_GCE_SERVICE_ACCOUNT
+      )
     ) {
       parent::__construct($key);
     }

src/Plugin/EdgeKeyTypeBase.php

@@ -51,9 +51,13 @@ public function unserialize($value) {
    */
   public function getAuthenticationType(KeyInterface $key): string {
     if ($this->getInstanceType($key) === EdgeKeyTypeInterface::INSTANCE_TYPE_HYBRID) {
-      return EdgeKeyTypeInterface::EDGE_AUTH_TYPE_JWT;
+      if ($this->useGcpDefaultServiceAccount($key)) {
+        return EdgeKeyTypeInterface::EDGE_AUTH_TYPE_DEFAULT_GCE_SERVICE_ACCOUNT;
+      }
+      else {
+        return EdgeKeyTypeInterface::EDGE_AUTH_TYPE_JWT;
+      }
     }
-
     if (!isset($key->getKeyValues()['auth_type'])) {
       throw new AuthenticationKeyValueMalformedException('auth_type');
     }
@@ -166,4 +170,11 @@ public function getAccountKey(KeyInterface $key): array {
     return $json;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function useGcpDefaultServiceAccount(KeyInterface $key): bool {
+    return !empty($key->getKeyValues()['gcp_hosted']);
+  }
+
 }

src/Plugin/EdgeKeyTypeInterface.php

@@ -68,6 +68,7 @@ interface EdgeKeyTypeInterface extends KeyTypeMultivalueInterface, KeyTypeAuthen
    */
   const EDGE_AUTH_TYPE_JWT = 'jwt';
 
+  const EDGE_AUTH_TYPE_DEFAULT_GCE_SERVICE_ACCOUNT = 'gce-service-account';
   /**
    * The endpoint type for default.
    *
@@ -220,4 +221,17 @@ public function getClientSecret(KeyInterface $key): string;
    */
   public function getAccountKey(KeyInterface $key): array;
 
+  /**
+   * Return if you should use the Default Service account.
+   *
+   * This applies to portals hosted on Google Compute Engine.
+   *
+   * @param \Drupal\key\KeyInterface $key
+   *   The key entity.
+   *
+   * @return bool
+   *   The account key as an array.
+   */
+  public function useGcpDefaultServiceAccount(KeyInterface $key): bool;
+
 }

src/Plugin/KeyInput/ApigeeAuthKeyInput.php

@@ -20,6 +20,7 @@
 namespace Drupal\apigee_edge\Plugin\KeyInput;
 
 use Apigee\Edge\HttpClient\Plugin\Authentication\Oauth;
+use Drupal\apigee_edge\Connector\GceServiceAccountAuthentication;
 use Drupal\apigee_edge\Plugin\EdgeKeyTypeInterface;
 use Drupal\Component\Serialization\Json;
 use Drupal\Core\Form\FormStateInterface;
@@ -92,9 +93,11 @@ public function buildConfigurationForm(array $form, FormStateInterface $form_sta
       '#type' => 'textfield',
       '#title' => $this->t('Organization'),
       '#description' => $this->t('Name of the organization on Apigee Edge. Changing this value could make your site stop working.'),
-      '#required' => TRUE,
       '#default_value' => $values['organization'] ?? '',
+      '#required' => TRUE,
       '#attributes' => ['autocomplete' => 'off'],
+      '#prefix' => '<div id="edit-organization-field">',
+      '#suffix' => '</div>',
     ];
     $form['username'] = [
       '#type' => 'textfield',
@@ -123,15 +126,33 @@ public function buildConfigurationForm(array $form, FormStateInterface $form_sta
     if (empty($values['organization'])) {
       $form['password']['#states']['required'] = [$state_for_public, $state_for_private];
     }
+
+    $state_for_not_gcp_hosted = [];
+    $gceServiceAccountAuth = new GceServiceAccountAuthentication(\Drupal::service('apigee_edge.authentication.oauth_token_storage'));
+    if ($gceServiceAccountAuth->isAvailable()) {
+      $form['gcp_hosted'] = [
+        '#type' => 'checkbox',
+        '#title' => $this->t('Use the default service account if this portal is hosted on GCP'),
+        '#description' => $this->t("Please ensure you have added 'Apigee Developer Administrator' role to the default compute engine service account hosting this portal."),
+        '#default_value' => $values['gcp_hosted'] ?? TRUE,
+        '#states' => [
+          'visible' => $state_for_hybrid,
+        ],
+      ];
+      $state_for_not_gcp_hosted = [
+        ':input[name="key_input_settings[gcp_hosted]"]' => ['checked' => FALSE],
+      ];
+    }
+
     $form['account_json_key'] = [
       '#type' => 'textarea',
       '#title' => $this->t('GCP service account key'),
       '#description' => $this->t("Paste the contents of the GCP service account key JSON file."),
       '#default_value' => $values['account_json_key'] ?? '',
       '#rows' => '8',
       '#states' => [
-        'visible' => $state_for_hybrid,
-        'required' => $state_for_hybrid,
+        'visible' => $state_for_hybrid + $state_for_not_gcp_hosted,
+        'required' => $state_for_hybrid + $state_for_not_gcp_hosted,
       ],
     ];
     $form['endpoint'] = [
@@ -232,8 +253,8 @@ public function buildConfigurationForm(array $form, FormStateInterface $form_sta
    */
   public function validateConfigurationForm(array &$form, FormStateInterface $form_state) {
     $input_values = $form_state->getUserInput()['key_input_settings'];
-
-    if ($input_values['instance_type'] == EdgeKeyTypeInterface::INSTANCE_TYPE_HYBRID) {
+    if ($input_values['instance_type'] == EdgeKeyTypeInterface::INSTANCE_TYPE_HYBRID &&
+      empty($input_values['gcp_hosted'])) {
       $account_key = $input_values['account_json_key'] ?? '';
       $json = json_decode($account_key, TRUE);
       if (empty($json['private_key']) || empty($json['client_email'])) {
@@ -270,11 +291,16 @@ public function processSubmittedKeyValue(FormStateInterface $form_state) {
         $input_values['authorization_server'] = '';
         $input_values['client_id'] = '';
         $input_values['client_secret'] = '';
+        if (!empty($input_values['gcp_hosted'])) {
+          $input_values['account_json_key'] = '';
+        }
       }
       else {
         // Remove unneeded values if on a Public or Private instance.
         $input_values['account_json_key'] = '';
-
+        if (!empty($input_values['gcp_hosted'])) {
+          unset($input_values['gcp_hosted']);
+        }
         // If password field is empty we just skip it and preserve the initial
         // password if there is one already.
         if (empty($input_values['password']) && !empty($form_state->get('key_value')['current'])) {

src/Plugin/KeyType/ApigeeAuthKeyType.php

@@ -19,6 +19,7 @@
 
 namespace Drupal\apigee_edge\Plugin\KeyType;
 
+use Drupal\apigee_edge\Connector\GceServiceAccountAuthentication;
 use Drupal\apigee_edge\Connector\HybridAuthentication;
 use Drupal\apigee_edge\OauthAuthentication;
 use Drupal\apigee_edge\Plugin\EdgeKeyTypeBase;
@@ -81,6 +82,10 @@
  *       "account_json_key" = {
  *         "label" = @Translation("Account JSON key"),
  *         "required" = false
+ *       },
+ *       "gcp_hosted" = {
+ *         "label" = @Translation("Use default service account if hosted on GCP"),
+ *         "required" = false
  *       }
  *     }
  *   }
@@ -130,12 +135,15 @@ public function validateKeyValue(array $form, FormStateInterface $form_state, $k
    */
   public function getAuthenticationMethod(KeyInterface $key): Authentication {
     $values = $key->getKeyValues();
-
     if ($this->getInstanceType($key) === EdgeKeyTypeInterface::INSTANCE_TYPE_HYBRID) {
-      $account_key = $this->getAccountKey($key);
-      return new HybridAuthentication($account_key['client_email'], $account_key['private_key'], \Drupal::service('apigee_edge.authentication.oauth_token_storage'));
+      if ($this->useGcpDefaultServiceAccount($key)) {
+        return new GceServiceAccountAuthentication(\Drupal::service('apigee_edge.authentication.oauth_token_storage'));
+      }
+      else {
+        $account_key = $this->getAccountKey($key);
+        return new HybridAuthentication($account_key['client_email'], $account_key['private_key'], \Drupal::service('apigee_edge.authentication.oauth_token_storage'));
+      }
     }
-
     elseif ($values['auth_type'] === EdgeKeyTypeInterface::EDGE_AUTH_TYPE_OAUTH) {
       // Use Oauth authentication.
       return new OauthAuthentication($this->getUsername($key), $this->getPassword($key), \Drupal::service('apigee_edge.authentication.oauth_token_storage'), NULL, $this->getClientId($key), $this->getClientSecret($key), NULL, $this->getAuthorizationServer($key));