Add service key to client RPC calls

google · Feb 13, 2017 · 9563733 · 9563733
1 parent 601ede8
commit 9563733
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 3 deletions.
diff --git a/.keytransparency.yaml b/.keytransparency.yaml
@@ -6,3 +6,4 @@ kt-sig: "testdata/p256-pubkey.pem"
 domain: "example.com"
 kt-url: "104.199.112.76:5001"
 client-secret: "client_secret.json"
+service-key: ""
diff --git a/cmd/keytransparency-client/cmd/root.go b/cmd/keytransparency-client/cmd/root.go
@@ -166,6 +166,14 @@ func getCreds(clientSecretFile string) (credentials.PerRPCCredentials, error) {
 	return oauth.NewOauthAccess(tok), nil
 }
 
+func getServiceCreds(serviceKeyFile string) (credentials.PerRPCCredentials, error) {
+	b, err := ioutil.ReadFile(serviceKeyFile)
+	if err != nil {
+		return nil, err
+	}
+	return oauth.NewServiceAccountFromKey(b, authentication.RequiredScopes...)
+}
+
 func readSignatureVerifier(ktPEM string) (signatures.Verifier, error) {
 	pem, err := ioutil.ReadFile(ktPEM)
 	if err != nil {
@@ -212,7 +220,7 @@ func getClient(cc *grpc.ClientConn, mapID, vrfPubFile, ktSig, ctURL, ctPEM strin
 	return grpcc.New(mapID, cli, vrfKey, verifier, ctClient), nil
 }
 
-func dial(ktURL, caFile, clientSecretFile string) (*grpc.ClientConn, error) {
+func dial(ktURL, caFile, clientSecretFile string, serviceKeyFile string) (*grpc.ClientConn, error) {
 	var opts []grpc.DialOption
 	if true {
 		host, _, err := net.SplitHostPort(ktURL)
@@ -233,12 +241,21 @@ func dial(ktURL, caFile, clientSecretFile string) (*grpc.ClientConn, error) {
 		opts = append(opts, grpc.WithTransportCredentials(creds))
 	}
 
+	// Add client credentials otherwise add service credentials. Client
+	// credentials take priority over service credentials. Only one of the
+	// two should exist in an RPC call.
 	if clientSecretFile != "" {
 		creds, err := getCreds(clientSecretFile)
 		if err != nil {
 			return nil, err
 		}
 		opts = append(opts, grpc.WithPerRPCCredentials(creds))
+	} else if serviceKeyFile != "" {
+		creds, err := getServiceCreds(serviceKeyFile)
+		if err != nil {
+			return nil, err
+		}
+		opts = append(opts, grpc.WithPerRPCCredentials(creds))
 	}
 	cc, err := grpc.Dial(ktURL, opts...)
 	if err != nil {
@@ -257,7 +274,8 @@ func GetClient(clientSecretFile string) (*grpcc.Client, error) {
 	ctURL := viper.GetString("ct-url")
 	ctPEM := viper.GetString("ct-key")
 	vrfFile := viper.GetString("vrf")
-	cc, err := dial(ktURL, ktPEM, clientSecretFile)
+	serviceKeyFile := viper.GetString("service-key")
+	cc, err := dial(ktURL, ktPEM, clientSecretFile, serviceKeyFile)
 	if err != nil {
 		return nil, fmt.Errorf("Error Dialing %v: %v", ktURL, err)
 	}

diff --git a/scripts/prepare_client.sh b/scripts/prepare_client.sh
@@ -25,6 +25,7 @@ DOMAIN=""
 KTURLDEFAULT="104.199.112.76:5001"
 KTURL=""
 CLIENTSECRET=""
+SERVICEKEY=""
 
 ##################################
 ##### Collecting information #####
@@ -56,6 +57,7 @@ if [[ -z "${KTURL}" ]]; then
 fi
 
 read -p "Path to client secret file: " CLIENTSECRET
+read -p "Path to service key file: " SERVICEKEY
 
 
 #####################
@@ -75,6 +77,7 @@ kt-key: \"${KTKEY}\"
 kt-sig: \"${SIGKEY}\"
 domain: \"${DOMAIN}\"
 kt-url: \"${KTURL}\"
-client-secret: \"${CLIENTSECRET}\""
+client-secret: \"${CLIENTSECRET}\"
+service-key: \"${SERVICEKEY}\""
 
 printf "%s\n" "${KTYAML}" > .keytransparency.yaml