Initial GCP auth backend implementation

Author: seanmalloy

README.md

@@ -75,6 +75,19 @@ client.auth_aws_iam(credentials.access_key, credentials.secret_key, credentials.
 # GitHub
 client.auth_github('MY_GITHUB_TOKEN')
 
+# GCP (from GCE instance)
+import requests
+
+VAULT_ADDR="https://vault.example.com:8200"
+ROLE="example"
+AUDIENCE_URL =  VAULT_ADDR + "/vault/" + ROLE
+METADATA_HEADERS = {'Metadata-Flavor': 'Google'}
+FORMAT = 'full'
+
+url = 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience={}&format={}'.format(AUDIENCE_URL, FORMAT)
+r = requests.get(url, headers=METADATA_HEADERS)
+client.auth_gcp(ROLE, r.text)
+
 # LDAP, Username & Password
 client.auth_ldap('MY_USERNAME', 'MY_PASSWORD')
 client.auth_userpass('MY_USERNAME', 'MY_PASSWORD')

hvac/tests/test_gcp_methods.py

@@ -0,0 +1,64 @@
+from unittest import TestCase
+
+import requests_mock
+from parameterized import parameterized
+
+from hvac import Client
+
+
+class TestGcpMethods(TestCase):
+    """Unit tests providing coverage for GCP auth backend-related methods/routes."""
+
+    @parameterized.expand([
+        ("default mount point", "custom_role", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9", None),
+        ("custom mount point", "custom_role", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9", "gcp-not-default")
+    ])
+    @requests_mock.Mocker()
+    def test_auth_gcp(self, test_label, test_role, test_jwt, mount_point, requests_mocker):
+        mock_response = {
+            'auth': {
+                'accessor': 'accessor-1234-5678-9012-345678901234',
+                'client_token': 'cltoken-1234-5678-9012-345678901234',
+                'lease_duration': 10000,
+                'metadata': {
+                    'role': 'custom_role',
+                    'service_account_email': '[email protected]',
+                    'service_account_id': '111111111111111111111'
+                },
+                'policies': [
+                    'default',
+                    'custom_role'
+                ],
+                'renewable': True
+            },
+            'data': None,
+            'lease_duration': 0,
+            'lease_id': '',
+            'renewable': False,
+            'request_id': 'requesti-1234-5678-9012-345678901234',
+            'warnings': [],
+            'wrap_info': None
+        }
+        mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format(
+                'gcp' if mount_point is None else mount_point)
+        requests_mocker.register_uri(
+            method='POST',
+            url=mock_url,
+            json=mock_response
+        )
+        client = Client()
+
+        if mount_point is None:
+            actual_response = client.auth_gcp(
+                role=test_role,
+                jwt=test_jwt
+            )
+        else:
+            actual_response = client.auth_gcp(
+                role=test_role,
+                jwt=test_jwt,
+                mount_point=mount_point
+            )
+
+        # ensure we received our mock response data back successfully
+        self.assertEqual(mock_response, actual_response)

hvac/tests/test_integration.py

@@ -1244,6 +1244,34 @@ def test_auth_ec2_alternate_mount_point_with_no_client_token(self):
         self.client.token = self.root_token()
         self.client.disable_auth_backend(mount_point=test_mount_point)
 
+    def test_auth_gcp_alternate_mount_point_with_no_client_token_exception(self):
+        test_mount_point = 'gcp-custom-path'
+        # Turn on the gcp backend with a custom mount_point path specified.
+        if '{0}/'.format(test_mount_point) in self.client.list_auth_backends():
+            self.client.disable_auth_backend(test_mount_point)
+        self.client.enable_auth_backend('gcp', mount_point=test_mount_point)
+
+        # Drop the client's token to replicate a typical end user's use of any auth method.
+        # I.e., its reasonable to expect the method is being called to _retrieve_ a token in the first place.
+        self.client.token = None
+
+        # Load a mock JWT stand in for a real document from GCP.
+        with open('test/example.jwt') as fp:
+            jwt = fp.read()
+
+        # When attempting to auth (POST) to an auth backend mounted at a different path than the default, we expect a
+        # generic 'missing client token' response from Vault.
+        with self.assertRaises(exceptions.InvalidRequest) as assertRaisesContext:
+            self.client.auth_gcp('example-role', jwt)
+
+        expected_exception_message = 'missing client token'
+        actual_exception_message = str(assertRaisesContext.exception)
+        self.assertEqual(expected_exception_message, actual_exception_message)
+
+        # Reset test state.
+        self.client.token = self.root_token()
+        self.client.disable_auth_backend(mount_point=test_mount_point)
+
     def test_tune_auth_backend(self):
         test_backend_type = 'approle'
         test_mount_point = 'tune-approle'

hvac/v1/__init__.py

@@ -691,6 +691,24 @@ def auth_ec2(self, pkcs7, nonce=None, role=None, use_token=True, mount_point='aw
 
         return self.auth('/v1/auth/{0}/login'.format(mount_point), json=params, use_token=use_token)
 
+    def auth_gcp(self, role, jwt, mount_point='gcp', use_token=True):
+        """
+        POST /auth/<mount point>/login
+        :param role: str, identifier for the GCP auth backend role being requested
+        :param jwt: str, JSON Web Token from the GCP metadata service
+        :param mount_point: str, The "path" the GCP auth backend was mounted on. Vault currently defaults to "gcp".
+        :param use_token: bool, if True, uses the token in the response received from the auth request to set the "token"
+        attribute on the current Client class instance.
+        :return: dict, parsed JSON response from the auth POST request
+        """
+
+        params = {
+            'role': role,
+            'jwt': jwt
+        }
+
+        return self.auth('/v1/auth/{0}/login'.format(mount_point), json=params, use_token=use_token)
+
     def create_userpass(self, username, password, policies, mount_point='userpass', **kwargs):
         """
         POST /auth/<mount point>/users/<username>

test/example.jwt

@@ -0,0 +1 @@
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c