mirror of
https://github.com/google/nomulus.git
synced 2025-07-30 22:46:26 +02:00
This PR changes the two flavors of OIDC authentication mechanisms to verify the same audience. This allows the same token to pass both mechanisms. Previously the regular OIDC flavor used the project id as its required audience, which does not work for local user credentials (such as ones used by the nomulus tool), which require a valid OAuth client ID as audience when minting the token (project id is NOT a valid OAuth client ID). I considered allowing multiple audiences, but the result is not as clean as just using the same everywhere, because the fall-through logic would have generated a lot of noise for failed attempts. This PR also changes the client side to solely use OIDC tokens whenever possible, including the proxy, cloud scheduler and cloud tasks. The nomulus tool still uses an OAuth access token by default because it requires USER level authentication, which in turn requires us to fill the User table with objects corresponding to the email address of everyone needing access to the tool. TESTED=verified each client is able to make authenticated calls on QA with or without IAP.
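As an added illustration of the point the commit message makes (this is not nomulus code and not part of the PR), the Python below verifies an OIDC ID token and shows two hypothetical authentication "flavors" that are configured with the same single audience, so one token passes both, while a token minted for a different audience (a project id, say) is rejected by both. It uses an HS256 token signed with a constructed key as a stand-in for Google's RS256-signed ID tokens, and a placeholder client ID as the audience; the names `authenticate_flavor_a`, `authenticate_flavor_b` and `authenticate_any` are assumptions for the example, and in production the signature would be checked against the issuer's published keys by a JWT library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed configuration: the one audience both mechanisms require. A placeholder
# in the shape of an OAuth client ID, which is what user credentials can mint tokens for.
EXPECTED_AUDIENCE = "000000000000-placeholder.apps.googleusercontent.com"
EXPECTED_ISSUER = "https://accounts.google.com"
SIGNING_KEY = b"constructed-demo-key"  # HS256 stand-in for the issuer's RS256 keys


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint a constructed HS256 JWT; stands in for an ID token from the issuer."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, audience: str, key: bytes = SIGNING_KEY, now=None) -> dict:
    """Return the claims if signature, issuer, expiry and audience all check out.

    Raises ValueError with a short reason otherwise. The audience check is an
    exact match against the single configured value; no fall-through list.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    # RFC 7519 allows "aud" to be a string or a list; either way it must name our audience.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        raise ValueError(f"audience mismatch: {auds!r}")
    return claims


# Two hypothetical flavors of OIDC authentication. After the change described in the
# commit message, both verify the same audience, so a token minted once passes either.
def authenticate_flavor_a(token: str, now=None) -> dict:
    return verify_token(token, EXPECTED_AUDIENCE, now=now)


def authenticate_flavor_b(token: str, now=None) -> dict:
    return verify_token(token, EXPECTED_AUDIENCE, now=now)


def try_auth(mechanism, token: str, now=None):
    """Run one mechanism; (claims, None) on success, (None, reason) on failure."""
    try:
        return mechanism(token, now=now), None
    except ValueError as e:
        return None, str(e)


def authenticate_any(token: str, now=None):
    """Try each mechanism in turn, collecting every failure reason.

    With a shared audience a valid token succeeds on the first try and the
    failure list stays empty; the list is the 'noise' that per-mechanism
    audiences would produce on every request that only the later one accepts.
    """
    failures = []
    for mechanism in (authenticate_flavor_a, authenticate_flavor_b):
        claims, reason = try_auth(mechanism, token, now=now)
        if claims is not None:
            return claims, failures
        failures.append(reason)
    return None, failures
```

Because `verify_token` rejects before looking at the audience when the signature, issuer or expiry is wrong, the audience mismatch reason only ever surfaces for otherwise-valid tokens, which is the case the commit message is concerned with: a correctly signed token whose `aud` was set to a project id rather than the client ID.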
42 lines
1.7 KiB
Docker
# Copyright 2019 The Nomulus Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This Dockerfile builds an image that can be used in Google Cloud Build.
# We need the following programs to build the Nomulus app and the proxy:
# 1. Java 8 for compilation.
# 2. Node.js/NPM for JavaScript compilation.
# 3. Google Cloud SDK for generating the WARs.
# 4. Git to manipulate the private and the merged repos.
# 5. Docker to build and push images.
# 6. deployerForSchedulerAndTasks for deploying cloud scheduler and cloud tasks

FROM golang:1.19 as deployCloudSchedulerAndQueueBuilder
WORKDIR /usr/src/deployCloudSchedulerAndQueue
COPY deployCloudSchedulerAndQueue.go ./
COPY go.sum ./
COPY go.mod ./
RUN go build -o /deployCloudSchedulerAndQueue

FROM marketplace.gcr.io/google/debian10
ENV DEBIAN_FRONTEND=noninteractive LANG=en_US.UTF-8
# Add script for cloud scheduler and cloud tasks deployment
COPY --from=deployCloudSchedulerAndQueueBuilder /deployCloudSchedulerAndQueue /usr/local/bin/deployCloudSchedulerAndQueue
# Add Cloud sql connector
ADD https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 \
    /usr/local/bin/cloud_sql_proxy
RUN chmod +x /usr/local/bin/cloud_sql_proxy

ADD ./build.sh .
RUN ["bash", "./build.sh"]