GoogleCloudPlatform · Tulsishah · Jul 11, 2023 · May 24, 2023 · May 24, 2023 · May 26, 2023
@@ -20,6 +20,7 @@ import (
 	"os"
 	"testing"
 
+	"github.com/googlecloudplatform/gcsfuse/tools/integration_tests/util/creds_tests"
 	"github.com/googlecloudplatform/gcsfuse/tools/integration_tests/util/mounting/only_dir_mounting"
 	"github.com/googlecloudplatform/gcsfuse/tools/integration_tests/util/mounting/static_mounting"
 	"github.com/googlecloudplatform/gcsfuse/tools/integration_tests/util/setup"
@@ -107,5 +108,10 @@ func TestMain(m *testing.M) {
 		successCode = only_dir_mounting.RunTests(flags, m)
 	}
 
+	if successCode == 0 {
+		// Test for admin permission on test bucket.
+		successCode = creds_tests.RunTestsForKeyFileAndGoogleApplicationCredentialsEnvVarSet(flags, "objectAdmin", m)
+	}
+
 	os.Exit(successCode)
 }
@@ -0,0 +1,104 @@
+// Copyright 2023 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Run tests for --key-file flag and GOOGLE_APPLICATION_CREDENTIALS env variable
+
+package creds_tests
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"path"
+	"testing"
+
+	"cloud.google.com/go/compute/metadata"
+	"github.com/googlecloudplatform/gcsfuse/tools/integration_tests/util/mounting/static_mounting"
+	"github.com/googlecloudplatform/gcsfuse/tools/integration_tests/util/setup"
+)
+
+const NameOfServiceAccount = "creds-test-gcsfuse"
+
+func setPermission(permission string, serviceAccount string) {
+	// Provide permission to the bucket.
+	setup.RunScriptForTestData("../util/creds_tests/testdata/provide_permission.sh", setup.TestBucket(), serviceAccount, permission)
+}
+
+func RunTestsForKeyFileAndGoogleApplicationCredentialsEnvVarSet(testFlagSet [][]string, permission string, m *testing.M) (successCode int) {
+	// Fetching project-id to get service account id.
+	id, err := metadata.ProjectID()
+	if err != nil {
+		log.Printf("Error in fetching project id: %v", err)
+	}
+
+	// Service account id format is name@project-id.iam.gserviceaccount.com
+	serviceAccount := NameOfServiceAccount + "@" + id + ".iam.gserviceaccount.com"
+
+	// Create service account
+	setup.RunScriptForTestData("../util/creds_tests/testdata/create_service_account.sh", NameOfServiceAccount, serviceAccount)
+
+	key_file_path := path.Join(os.Getenv("HOME"), "creds.json")
+
+	// Create credentials
+	setup.RunScriptForTestData("../util/creds_tests/testdata/create_key_file.sh", key_file_path, serviceAccount)
+
+	// Provide permission to service account for testing.
+	setPermission(permission, serviceAccount)
+
+	// Revoke the permission and delete creds and service account after testing.
+	defer setup.RunScriptForTestData("../util/creds_tests/testdata/revoke_permission_and_delete_service_account_and_creds.sh", serviceAccount, key_file_path)
+
+	// Without –key-file flag and GOOGLE_APPLICATION_CREDENTIALS
+	// This case will not get covered as gcsfuse internally authenticates from a metadata server on GCE VM.
+	// https://github.com/golang/oauth2/blob/master/google/default.go#L160
+
+	// Testing with GOOGLE_APPLICATION_CREDENTIALS env variable
+	err = os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", key_file_path)
+	if err != nil {
+		setup.LogAndExit(fmt.Sprintf("Error in setting environment variable: %v", err))
+	}
+
+	successCode = static_mounting.RunTests(testFlagSet, m)
+
+	if successCode != 0 {
+		return
+	}
+
+	// Testing with --key-file and GOOGLE_APPLICATION_CREDENTIALS env variable set
+	keyFileFlag := "--key-file=" + key_file_path
+
+	for i := 0; i < len(testFlagSet); i++ {
+		testFlagSet[i] = append(testFlagSet[i], keyFileFlag)
+	}
+
+	successCode = static_mounting.RunTests(testFlagSet, m)
+
+	if successCode != 0 {
+		return
+	}
+
+	err = os.Unsetenv("GOOGLE_APPLICATION_CREDENTIALS")
+	if err != nil {
+		setup.LogAndExit(fmt.Sprintf("Error in unsetting environment variable: %v", err))
+	}
+
+	// Testing with --key-file flag only
+	successCode = static_mounting.RunTests(testFlagSet, m)
+
+	if successCode != 0 {
+		return
+	}
+
+	return successCode
+}
@@ -0,0 +1,17 @@
+# Copyright 2023 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+KEY_FILE_PATH=$1
+SERVICE_ACCOUNT=$2
+gcloud iam service-accounts keys create $KEY_FILE_PATH --iam-account=$SERVICE_ACCOUNT
@@ -0,0 +1,22 @@
+# Copyright 2023 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+SERVICE_ACCOUNT=$1
+SERVICE_ACCOUNT_ID=$2
+# Delete service account if already exist.
+gcloud iam service-accounts delete $SERVICE_ACCOUNT_ID
+if [ $? -eq 1 ]; then
+  echo "Service account does not exist."
+fi
+gcloud iam service-accounts create $SERVICE_ACCOUNT --description="$SERVICE_ACCOUNT" --display-name="$SERVICE_ACCOUNT"
@@ -0,0 +1,20 @@
+# Copyright 2023 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Provide permission to the bucket.
+TEST_BUCKET=$1
+SERVICE_ACCOUNT=$2
+PERMISSION=$3
+
+gsutil iam ch serviceAccount:$SERVICE_ACCOUNT:$PERMISSION gs://$TEST_BUCKET
@@ -0,0 +1,20 @@
+# Copyright 2023 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Delete service account after testing
+SERVICE_ACCOUNT=$1
+KEY_FILE=$2
+gcloud auth revoke $SERVICE_ACCOUNT
+gcloud iam service-accounts delete $SERVICE_ACCOUNT
+rm $KEY_FILE