docs(samples): add auth samples and tests (#1102)

* docs(samples): add auth samples and tests

* refactored verifying google token and lint fixed test file

* Modified comment acc to review

* renamed method acc to review comment

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* added comment acc to review

* add samples tests as required checks

* use GOOGLE_CLOUD_PROJECT

* test new config 1

* adding refresh token for sys test

* updating all py verion configs

* update 3

* update 4

* update 5 - trimming nox

* update 6 - fixing requirements.txt

* update 7 - fixing pytest flags

* update 8 - fixing sa test cred

* update 9- reading sa path from env

* update 10- testing explicit

* update 11 - fix multi reference

* update 12 - remove project id from client params

* update 13 - use projectid from default

* update 14 - remove project param

* update 15- fix assert

* update 16 - updating other py versions

* update 17: try replacing compute with storage

* update 18: fix assert and pass project

* update 19: fixing comments

* update 20: remove unused

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Co-authored-by: Anthonios Partheniou <partheniou@google.com>
Co-authored-by: Sai Sunder Srinivasan <saisunder@google.com>

Author: 4 people

auth/cloud-client-temp/authenticate_explicit_with_adc.py

@@ -0,0 +1,55 @@
+# Copyright 2022 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START auth_cloud_explicit_adc]
+
+from google.cloud import storage
+
+import google.oauth2.credentials
+import google.auth
+
+
+def authenticate_explicit_with_adc():
+    """
+    List storage buckets by authenticating with ADC.
+
+    // TODO(Developer):
+    //  1. Before running this sample,
+    //  set up ADC as described in https://cloud.google.com/docs/authentication/external/set-up-adc
+    //  2. Replace the project variable.
+    //  3. Make sure you have the necessary permission to list storage buckets: "storage.buckets.list"
+    """
+
+    # Construct the Google credentials object which obtains the default configuration from your
+    # working environment.
+    # google.auth.default() will give you ComputeEngineCredentials
+    # if you are on a GCE (or other metadata server supported environments).
+    credentials, project_id = google.auth.default()
+    # If you are authenticating to a Cloud API, you can let the library include the default scope,
+    # https://www.googleapis.com/auth/cloud-platform, because IAM is used to provide fine-grained
+    # permissions for Cloud.
+    # If you need to provide a scope, specify it as follows:
+    # credentials = google.auth.default(scopes=scope)
+    # For more information on scopes to use,
+    # see: https://developers.google.com/identity/protocols/oauth2/scopes
+
+    # Construct the Storage client.
+    storage_client = storage.Client(credentials=credentials, project=project_id)
+    buckets = storage_client.list_buckets()
+    print("Buckets:")
+    for bucket in buckets:
+        print(bucket.name)
+    print("Listed all storage buckets.")
+
+# [END auth_cloud_explicit_adc]

auth/cloud-client-temp/authenticate_implicit_with_adc.py

@@ -0,0 +1,46 @@
+# Copyright 2022 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START auth_cloud_implicit_adc]
+
+from google.cloud import storage
+
+
+def authenticate_implicit_with_adc(project_id="your-google-cloud-project-id"):
+    """
+    When interacting with Google Cloud Client libraries, the library can auto-detect the
+    credentials to use.
+
+    // TODO(Developer):
+    //  1. Before running this sample,
+    //  set up ADC as described in https://cloud.google.com/docs/authentication/external/set-up-adc
+    //  2. Replace the project variable.
+    //  3. Make sure that the user account or service account that you are using
+    //  has the required permissions. For this sample, you must have "storage.buckets.list".
+    Args:
+        project_id: The project id of your Google Cloud project.
+    """
+
+    # This snippet demonstrates how to list buckets.
+    # *NOTE*: Replace the client created below with the client required for your application.
+    # Note that the credentials are not specified when constructing the client.
+    # Hence, the client library will look for credentials using ADC.
+    storage_client = storage.Client(project=project_id)
+    buckets = storage_client.list_buckets()
+    print("Buckets:")
+    for bucket in buckets:
+        print(bucket.name)
+    print("Listed all storage buckets.")
+
+# [END auth_cloud_implicit_adc]

auth/cloud-client-temp/idtoken_from_impersonated_credentials.py

@@ -0,0 +1,75 @@
+# Copyright 2022 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [auth_cloud_idtoken_impersonated_credentials]
+
+import google
+from google.auth import impersonated_credentials
+import google.auth.transport.requests
+
+
+def idtoken_from_impersonated_credentials(
+        impersonated_service_account: str, scope: str, target_audience: str):
+    """
+      Use a service account (SA1) to impersonate as another service account (SA2) and obtain id token
+      for the impersonated account.
+      To obtain token for SA2, SA1 should have the "roles/iam.serviceAccountTokenCreator" permission
+      on SA2.
+
+    Args:
+        impersonated_service_account: The name of the privilege-bearing service account for whom the credential is created.
+            Examples: name@project.service.gserviceaccount.com
+
+        scope: Provide the scopes that you might need to request to access Google APIs,
+            depending on the level of access you need.
+            For this example, we use the cloud-wide scope and use IAM to narrow the permissions.
+            https://cloud.google.com/docs/authentication#authorization_for_services
+            For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
+
+        target_audience: The service name for which the id token is requested. Service name refers to the
+            logical identifier of an API service, such as "iap.googleapis.com".
+            Examples: iap.googleapis.com
+    """
+
+    # Construct the GoogleCredentials object which obtains the default configuration from your
+    # working environment.
+    credentials, project_id = google.auth.default()
+
+    # Create the impersonated credential.
+    target_credentials = impersonated_credentials.Credentials(
+        source_credentials=credentials,
+        target_principal=impersonated_service_account,
+        # delegates: The chained list of delegates required to grant the final accessToken.
+        # For more information, see:
+        # https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-permissions
+        # Delegate is NOT USED here.
+        delegates=[],
+        target_scopes=[scope],
+        lifetime=300)
+
+    # Set the impersonated credential, target audience and token options.
+    id_creds = impersonated_credentials.IDTokenCredentials(
+        target_credentials,
+        target_audience=target_audience,
+        include_email=True)
+
+    # Get the ID token.
+    # Once you've obtained the ID token, use it to make an authenticated call
+    # to the target audience.
+    request = google.auth.transport.requests.Request()
+    id_creds.refresh(request)
+    # token = id_creds.token
+    print("Generated ID token.")
+
+# [auth_cloud_idtoken_impersonated_credentials]

auth/cloud-client-temp/idtoken_from_metadata_server.py

@@ -0,0 +1,50 @@
+# Copyright 2022 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START auth_cloud_idtoken_metadata_server]
+
+import google
+import google.oauth2.credentials
+from google.auth import compute_engine
+import google.auth.transport.requests
+
+
+def idtoken_from_metadata_server(url: str):
+    """
+    Use the Google Cloud metadata server in the Cloud Run (or AppEngine or Kubernetes etc.,)
+    environment to create an identity token and add it to the HTTP request as part of an
+    Authorization header.
+
+    Args:
+        url: The url or target audience to obtain the ID token for.
+            Examples: http://www.abc.com
+    """
+
+    request = google.auth.transport.requests.Request()
+    # Set the target audience.
+    # Setting "use_metadata_identity_endpoint" to "True" will make the request use the default application
+    # credentials. Optionally, you can also specify a specific service account to use by mentioning
+    # the service_account_email.
+    credentials = compute_engine.IDTokenCredentials(
+        request=request, target_audience=url, use_metadata_identity_endpoint=True
+    )
+
+    # Get the ID token.
+    # Once you've obtained the ID token, use it to make an authenticated call
+    # to the target audience.
+    credentials.refresh(request)
+    # print(credentials.token)
+    print("Generated ID token.")
+
+# [END auth_cloud_idtoken_metadata_server]

auth/cloud-client-temp/idtoken_from_service_account.py

@@ -0,0 +1,50 @@
+# Copyright 2022 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START auth_cloud_idtoken_service_account]
+
+import google.auth
+import google.auth.transport.requests
+
+from google.oauth2 import service_account
+
+
+def get_idToken_from_serviceaccount(json_credential_path: str, target_audience: str):
+    """
+    TODO(Developer): Replace the below variables before running the code.
+
+    *NOTE*:
+    Using service account keys introduces risk; they are long-lived, and can be used by anyone
+    that obtains the key. Proper rotation and storage reduce this risk but do not eliminate it.
+    For these reasons, you should consider an alternative approach that
+    does not use a service account key. Several alternatives to service account keys
+    are described here:
+    https://cloud.google.com/docs/authentication/external/set-up-adc
+
+    Args:
+        json_credential_path: Path to the service account json credential file.
+        target_audience: The url or target audience to obtain the ID token for.
+                        Examples: http://www.abc.com
+    """
+
+    # Obtain the id token by providing the json file path and target audience.
+    credentials = service_account.IDTokenCredentials.from_service_account_file(
+        filename=json_credential_path,
+        target_audience=target_audience)
+
+    request = google.auth.transport.requests.Request()
+    credentials.refresh(request)
+    print("Generated ID token.")
+
+# [END auth_cloud_idtoken_service_account]

auth/cloud-client-temp/noxfile.py

@@ -0,0 +1,48 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import pathlib
+import shutil
+
+import nox
+
+CURRENT_DIRECTORY = pathlib.Path(__file__).parent.absolute()
+
+# https://github.com/psf/black/issues/2964, pin click version to 8.0.4 to
+# avoid incompatiblity with black.
+CLICK_VERSION = "click==8.0.4"
+BLACK_VERSION = "black==19.3b0"
+BLACK_PATHS = [
+    "google",
+    "tests",
+    "tests_async",
+    "noxfile.py",
+    "setup.py",
+    "docs/conf.py",
+]
+
+@nox.session(python=["3.7", "3.8", "3.9", "3.10"])
+def unit(session):
+    # constraints_path = str(
+    #     CURRENT_DIRECTORY / "testing" / f"constraints-{session.python}.txt"
+    # )
+    session.install("-r", "requirements.txt")
+    # session.install("-e", ".")
+    session.run(
+        "pytest",
+        f"--junitxml=unit_{session.python}_sponge_log.xml",
+        "snippets_test.py",
+        # "tests_async",
+    )

auth/cloud-client-temp/noxfile_config.py

@@ -0,0 +1,38 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default TEST_CONFIG_OVERRIDE for python repos.
+
+# You can copy this file into your directory, then it will be inported from
+# the noxfile.py.
+
+# The source of truth:
+# https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/noxfile_config.py
+
+TEST_CONFIG_OVERRIDE = {
+    # You can opt out from the test for specific Python versions.
+    "ignored_versions": ["2.7"],
+    # Old samples are opted out of enforcing Python type hints
+    # All new samples should feature them
+    "enforce_type_hints": True,
+    # An envvar key for determining the project id to use. Change it
+    # to 'BUILD_SPECIFIC_GCLOUD_PROJECT' if you want to opt in using a
+    # build specific Cloud project. You can also use your own string
+    # to use your own Cloud project.
+    # "gcloud_project_env": "GOOGLE_CLOUD_PROJECT",
+    "gcloud_project_env": "GOOGLE_CLOUD_PROJECT",
+    # A dictionary you want to inject into your test. Don't put any
+    # secrets here. These values will override predefined values.
+    "envs": {},
+}

auth/cloud-client-temp/requirements.txt

@@ -0,0 +1,4 @@
+google-cloud-compute==1.3.2
+google-cloud-storage==2.3.0
+google-auth==2.10.0
+pytest==7.1.2