tokenserver/appengine/backend/main.go - infra/luci/luci-go - Git at Google

 // Copyright 2017 The LUCI Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 // Binary backend implements HTTP server that handles requests to 'backend'
 // module.
 package main

 import (
 	"context"
 	"fmt"
 	"sync"

 	"google.golang.org/protobuf/types/known/emptypb"

 	"go.chromium.org/luci/auth/identity"
 	"go.chromium.org/luci/common/errors"
 	"go.chromium.org/luci/common/logging"
 	"go.chromium.org/luci/grpc/grpcutil"
 	"go.chromium.org/luci/server"
 	"go.chromium.org/luci/server/auth"
 	"go.chromium.org/luci/server/auth/openid"
 	"go.chromium.org/luci/server/cron"
 	"go.chromium.org/luci/server/router"

 	"go.chromium.org/luci/tokenserver/api/admin/v1"

 	"go.chromium.org/luci/tokenserver/appengine/impl"
 	"go.chromium.org/luci/tokenserver/appengine/impl/utils/bq"
 )

 func main() {
 	impl.Main(func(srv *server.Server, services *impl.Services) error {
 		bqInserter, err := bq.NewInserter(srv.Context, srv.Options.CloudProject)
 		if err != nil {
 			return err
 		}

 		// GAE crons.
 		cron.RegisterHandler("read-config", func(ctx context.Context) error {
 			return readConfigCron(ctx, services.Admin)
 		})
 		cron.RegisterHandler("fetch-crl", func(ctx context.Context) error {
 			return fetchCRLCron(ctx, services.Certs)
 		})

 		// PubSub push handler processing messages produced by impl/utils/bq.
 		oidcMW := router.NewMiddlewareChain(
 			auth.Authenticate(&openid.GoogleIDTokenAuthMethod{
 				AudienceCheck: openid.AudienceMatchesHost,
 			}),
 		)
 		// bigquery-log-pubsub@ is a part of the PubSub Push subscription config.
 		pusherID := identity.Identity(fmt.Sprintf("user:bigquery-log-pubsub@%s.iam.gserviceaccount.com", srv.Options.CloudProject))
 		srv.Routes.POST("/internal/pubsub/bigquery-log", oidcMW, func(c *router.Context) {
 			if got := auth.CurrentIdentity(c.Request.Context()); got != pusherID {
 				logging.Errorf(c.Request.Context(), "Expecting ID token of %q, got %q", pusherID, got)
 				c.Writer.WriteHeader(403)
 			} else {
 				err := bqInserter.HandlePubSubPush(c.Request.Context(), c.Request.Body)
 				if err != nil {
 					logging.Errorf(c.Request.Context(), "Failed to process the message: %s", err)
 					c.Writer.WriteHeader(500)
 				}
 			}
 		})

 		return nil
 	})
 }

 // readConfigCron is a handler for the "read-config" cron.
 func readConfigCron(ctx context.Context, adminServer admin.AdminServer) error {
 	// All config fetching callbacks to call in parallel.
 	fetchers := []struct {
 		name string
 		cb   func(context.Context, *emptypb.Empty) (*admin.ImportedConfigs, error)
 	}{
 		{"ImportCAConfigs", adminServer.ImportCAConfigs},
 		{"ImportDelegationConfigs", adminServer.ImportDelegationConfigs},
 		{"ImportProjectIdentityConfigs", adminServer.ImportProjectIdentityConfigs},
 		{"ImportProjectOwnedAccountsConfigs", adminServer.ImportProjectOwnedAccountsConfigs},
 	}

 	errs := errors.NewLazyMultiError(len(fetchers))

 	wg := sync.WaitGroup{}
 	wg.Add(len(fetchers))
 	for idx, fetcher := range fetchers {
 		idx := idx
 		fetcher := fetcher
 		go func() {
 			defer wg.Done()
 			if _, err := fetcher.cb(ctx, nil); err != nil {
 				logging.Errorf(ctx, "%s failed - %s", fetcher.name, err)
 				errs.Assign(idx, grpcutil.WrapIfTransient(err))
 			}
 		}()
 	}
 	wg.Wait()

 	return errs.Get()
 }

 // fetchCRLCron is a handler for the "fetch-crl" cron.
 func fetchCRLCron(ctx context.Context, caServer admin.CertificateAuthoritiesServer) error {
 	list, err := caServer.ListCAs(ctx, nil)
 	if err != nil {
 		return err
 	}

 	errs := errors.NewLazyMultiError(len(list.Cn))

 	// Fetch CRL of each active CA in parallel. In practice there are very few
 	// CAs there (~= 1), so the risk of OOM is small.
 	wg := sync.WaitGroup{}
 	wg.Add(len(list.Cn))
 	for idx, cn := range list.Cn {
 		idx := idx
 		cn := cn
 		go func() {
 			defer wg.Done()
 			if _, err := caServer.FetchCRL(ctx, &admin.FetchCRLRequest{Cn: cn}); err != nil {
 				logging.Errorf(ctx, "FetchCRL(%q) failed - %s", cn, err)
 				errs.Assign(idx, grpcutil.WrapIfTransient(err))
 			}
 		}()
 	}
 	wg.Wait()

 	return errs.Get()
 }
	// Copyright 2017 The LUCI Authors.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	// Binary backend implements HTTP server that handles requests to 'backend'
	// module.
	package main

	import (
	"context"
	"fmt"
	"sync"

	"google.golang.org/protobuf/types/known/emptypb"

	"go.chromium.org/luci/auth/identity"
	"go.chromium.org/luci/common/errors"
	"go.chromium.org/luci/common/logging"
	"go.chromium.org/luci/grpc/grpcutil"
	"go.chromium.org/luci/server"
	"go.chromium.org/luci/server/auth"
	"go.chromium.org/luci/server/auth/openid"
	"go.chromium.org/luci/server/cron"
	"go.chromium.org/luci/server/router"

	"go.chromium.org/luci/tokenserver/api/admin/v1"

	"go.chromium.org/luci/tokenserver/appengine/impl"
	"go.chromium.org/luci/tokenserver/appengine/impl/utils/bq"
	)

	func main() {
	impl.Main(func(srv server.Server, services impl.Services) error {
	bqInserter, err := bq.NewInserter(srv.Context, srv.Options.CloudProject)
	if err != nil {
	return err
	}

	// GAE crons.
	cron.RegisterHandler("read-config", func(ctx context.Context) error {
	return readConfigCron(ctx, services.Admin)
	})
	cron.RegisterHandler("fetch-crl", func(ctx context.Context) error {
	return fetchCRLCron(ctx, services.Certs)
	})

	// PubSub push handler processing messages produced by impl/utils/bq.
	oidcMW := router.NewMiddlewareChain(
	auth.Authenticate(&openid.GoogleIDTokenAuthMethod{
	AudienceCheck: openid.AudienceMatchesHost,
	}),
	)
	// bigquery-log-pubsub@ is a part of the PubSub Push subscription config.
	pusherID := identity.Identity(fmt.Sprintf("user:bigquery-log-pubsub@%s.iam.gserviceaccount.com", srv.Options.CloudProject))
	srv.Routes.POST("/internal/pubsub/bigquery-log", oidcMW, func(c *router.Context) {
	if got := auth.CurrentIdentity(c.Request.Context()); got != pusherID {
	logging.Errorf(c.Request.Context(), "Expecting ID token of %q, got %q", pusherID, got)
	c.Writer.WriteHeader(403)
	} else {
	err := bqInserter.HandlePubSubPush(c.Request.Context(), c.Request.Body)
	if err != nil {
	logging.Errorf(c.Request.Context(), "Failed to process the message: %s", err)
	c.Writer.WriteHeader(500)
	}
	}
	})

	return nil
	})
	}

	// readConfigCron is a handler for the "read-config" cron.
	func readConfigCron(ctx context.Context, adminServer admin.AdminServer) error {
	// All config fetching callbacks to call in parallel.
	fetchers := []struct {
	name string
	cb func(context.Context, emptypb.Empty) (admin.ImportedConfigs, error)
	}{
	{"ImportCAConfigs", adminServer.ImportCAConfigs},
	{"ImportDelegationConfigs", adminServer.ImportDelegationConfigs},
	{"ImportProjectIdentityConfigs", adminServer.ImportProjectIdentityConfigs},
	{"ImportProjectOwnedAccountsConfigs", adminServer.ImportProjectOwnedAccountsConfigs},
	}

	errs := errors.NewLazyMultiError(len(fetchers))

	wg := sync.WaitGroup{}
	wg.Add(len(fetchers))
	for idx, fetcher := range fetchers {
	idx := idx
	fetcher := fetcher
	go func() {
	defer wg.Done()
	if _, err := fetcher.cb(ctx, nil); err != nil {
	logging.Errorf(ctx, "%s failed - %s", fetcher.name, err)
	errs.Assign(idx, grpcutil.WrapIfTransient(err))
	}
	}()
	}
	wg.Wait()

	return errs.Get()
	}

	// fetchCRLCron is a handler for the "fetch-crl" cron.
	func fetchCRLCron(ctx context.Context, caServer admin.CertificateAuthoritiesServer) error {
	list, err := caServer.ListCAs(ctx, nil)
	if err != nil {
	return err
	}

	errs := errors.NewLazyMultiError(len(list.Cn))

	// Fetch CRL of each active CA in parallel. In practice there are very few
	// CAs there (~= 1), so the risk of OOM is small.
	wg := sync.WaitGroup{}
	wg.Add(len(list.Cn))
	for idx, cn := range list.Cn {
	idx := idx
	cn := cn
	go func() {
	defer wg.Done()
	if _, err := caServer.FetchCRL(ctx, &admin.FetchCRLRequest{Cn: cn}); err != nil {
	logging.Errorf(ctx, "FetchCRL(%q) failed - %s", cn, err)
	errs.Assign(idx, grpcutil.WrapIfTransient(err))
	}
	}()
	}
	wg.Wait()

	return errs.Get()
	}