all: add GRPC gomote server

This change:
- Adds a simple GRPC gomote server.
- Updates the documentation for the audiance required for IAP authentication.
- Adds a field for the backend service id in the build enviornment package.
- Creates middleware for the GRPC server use in the existing HTTP servers.

Updates golang/go#47521
Updates golang/go#48742

Change-Id: I2a56e39b96bf1b429f807f79c58aee3f72a45a33
Reviewed-on: https://go-review.googlesource.com/c/build/+/361098
Trust: Carlos Amedee <[email protected]>
Run-TryBot: Carlos Amedee <[email protected]>
TryBot-Result: Go Bot <[email protected]>
Reviewed-by: Alexander Rakoczy <[email protected]>

Author: cagedmantis

buildenv/envs.go

@@ -138,6 +138,11 @@ type Environment struct {
 
 	// AWSRegion is the region where AWS resources are deployed.
 	AWSRegion string
+
+	// iapServiceIDs is a map of service-backends to service IDs for the backend
+	// services used by IAP enabled HTTP paths.
+	// map[backend-service-name]service_id
+	iapServiceIDs map[string]string
 }
 
 // ComputePrefix returns the URI prefix for Compute Engine resources in a project.
@@ -202,6 +207,15 @@ func (e Environment) Credentials(ctx context.Context) (*google.Credentials, erro
 	return creds, nil
 }
 
+// IAPServiceID returns the service id for the backend service. If a path does not exist for a
+// backend, the service id will be an empty string.
+func (e Environment) IAPServiceID(backendServiceName string) string {
+	if v, ok := e.iapServiceIDs[backendServiceName]; ok {
+		return v
+	}
+	return ""
+}
+
 // ByProjectID returns an Environment for the specified
 // project ID. It is currently limited to the symbolic-datum-552
 // and go-dashboard-dev projects.
@@ -254,6 +268,7 @@ var Staging = &Environment{
 	COSServiceAccount: "[email protected]",
 	AWSSecurityGroup:  "staging-go-builders",
 	AWSRegion:         "us-east-1",
+	iapServiceIDs:     map[string]string{},
 }
 
 // Production defines the environment that the coordinator and build
@@ -285,6 +300,10 @@ var Production = &Environment{
 	COSServiceAccount: "[email protected]",
 	AWSSecurityGroup:  "go-builders",
 	AWSRegion:         "us-east-2",
+	iapServiceIDs: map[string]string{
+		"coordinator-internal-iap": "5961904996536591018",
+		"relui-internal":           "5124132661507612124",
+	},
 }
 
 var Development = &Environment{

cmd/coordinator/coordinator.go

@@ -40,6 +40,9 @@ import (
 	builddash "golang.org/x/build/cmd/coordinator/internal/dashboard"
 	"golang.org/x/build/cmd/coordinator/internal/legacydash"
 	"golang.org/x/build/cmd/coordinator/protos"
+	"golang.org/x/build/internal/access"
+	"golang.org/x/build/internal/gomote"
+	gomoteprotos "golang.org/x/build/internal/gomote/protos"
 	"google.golang.org/grpc"
 	grpc4 "grpc.go4.org"
 
@@ -55,6 +58,7 @@ import (
 	"golang.org/x/build/internal/buildstats"
 	"golang.org/x/build/internal/cloud"
 	"golang.org/x/build/internal/coordinator/pool"
+	"golang.org/x/build/internal/coordinator/remote"
 	"golang.org/x/build/internal/https"
 	"golang.org/x/build/internal/secret"
 	"golang.org/x/build/maintner/maintnerd/apipb"
@@ -236,9 +240,6 @@ func (r *linkRewriter) Flush() {
 	r.buf = nil
 }
 
-// grpcServer is a shared gRPC server. It is global, as it needs to be used in places that aren't factored otherwise.
-var grpcServer = grpc.NewServer()
-
 func main() {
 	https.RegisterFlags(flag.CommandLine)
 	flag.Parse()
@@ -330,12 +331,26 @@ func main() {
 		log.Printf("Failed to load static resources: %v", err)
 	}
 
-	dashV1 := legacydash.Handler(gce.GoDSClient(), maintnerClient, string(masterKey()))
+	var opts []grpc.ServerOption
+	if env := buildenv.FromFlags(); env == buildenv.Production {
+		var coordinatorBackend, serviceID = "coordinator-internal-iap", ""
+		if serviceID = env.IAPServiceID(coordinatorBackend); serviceID == "" {
+			log.Fatalf("unable to retrieve Service ID for backend service=%q", coordinatorBackend)
+		}
+		opts = append(opts, grpc.UnaryInterceptor(access.RequireIAPAuthUnaryInterceptor(access.IAPAudienceGCE(env.ProjectNumber, serviceID))))
+		opts = append(opts, grpc.StreamInterceptor(access.RequireIAPAuthStreamInterceptor(access.IAPAudienceGCE(env.ProjectNumber, serviceID))))
+	}
+	// grpcServer is a shared gRPC server. It is global, as it needs to be used in places that aren't factored otherwise.
+	grpcServer := grpc.NewServer(opts...)
+
+	dashV1 := legacydash.Handler(gce.GoDSClient(), maintnerClient, string(masterKey()), grpcServer)
 	dashV2 := &builddash.Handler{Datastore: gce.GoDSClient(), Maintner: maintnerClient}
 	gs := &gRPCServer{dashboardURL: "https://build.golang.org"}
+	gomoteServer := gomote.New(remote.NewSessionPool(context.Background()))
 	protos.RegisterCoordinatorServer(grpcServer, gs)
-	http.HandleFunc("/", handleStatus)       // Serve a status page at farmer.golang.org.
-	http.Handle("build.golang.org/", dashV1) // Serve a build dashboard at build.golang.org.
+	gomoteprotos.RegisterGomoteServiceServer(grpcServer, gomoteServer)
+	http.HandleFunc("/", grpcHandlerFunc(grpcServer, handleStatus)) // Serve a status page at farmer.golang.org.
+	http.Handle("build.golang.org/", dashV1)                        // Serve a build dashboard at build.golang.org.
 	http.Handle("build-staging.golang.org/", dashV1)
 	http.HandleFunc("/builders", handleBuilders)
 	http.HandleFunc("/temporarylogs", handleLogs)

cmd/coordinator/internal/legacydash/dash.go

@@ -18,11 +18,13 @@ import (
 	"embed"
 	"net/http"
 	"sort"
+	"strings"
 
 	"cloud.google.com/go/datastore"
 	"github.com/NYTimes/gziphandler"
 	"golang.org/x/build/maintner/maintnerd/apipb"
 	"golang.org/x/build/repos"
+	"google.golang.org/grpc"
 )
 
 var (
@@ -44,12 +46,13 @@ var (
 // fakeResults controls whether to make up fake random results. If true, datastore is not used.
 const fakeResults = false
 
-// Handler sets a datastore client, maintner client, and builder master key
-// at the package scope, and returns an HTTP mux for the legacy dashboard.
-func Handler(dc *datastore.Client, mc apipb.MaintnerServiceClient, key string) http.Handler {
+// Handler sets a datastore client, maintner client, builder master key and
+// GRPC server at the package scope, and returns an HTTP mux for the legacy dashboard.
+func Handler(dc *datastore.Client, mc apipb.MaintnerServiceClient, key string, grpcServer *grpc.Server) http.Handler {
 	datastoreClient = dc
 	maintnerClient = mc
 	masterKey = key
+	grpcServer = grpcServer
 
 	mux := http.NewServeMux()
 
@@ -58,7 +61,7 @@ func Handler(dc *datastore.Client, mc apipb.MaintnerServiceClient, key string) h
 	mux.Handle("/result", hstsGzip(AuthHandler(resultHandler)))              // called by coordinator after build
 
 	// public handlers
-	mux.Handle("/", hstsGzip(http.HandlerFunc(uiHandler)))
+	mux.Handle("/", GRPCHandler(grpcServer, hstsGzip(http.HandlerFunc(uiHandler)))) // enables GRPC server for build.golang.org
 	mux.Handle("/log/", hstsGzip(http.HandlerFunc(logHandler)))
 
 	// static handler
@@ -71,6 +74,18 @@ func Handler(dc *datastore.Client, mc apipb.MaintnerServiceClient, key string) h
 //go:embed static
 var static embed.FS
 
+// GRPCHandler creates handler which intercepts requests intended for a GRPC server and directs the calls to the server.
+// All other requests are directed toward the passed in handler.
+func GRPCHandler(gs *grpc.Server, h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.ProtoMajor == 2 && strings.HasPrefix(r.Header.Get("Content-Type"), "application/grpc") {
+			gs.ServeHTTP(w, r)
+			return
+		}
+		h.ServeHTTP(w, r)
+	})
+}
+
 // hstsGzip is short for hstsHandler(GzipHandler(h)).
 func hstsGzip(h http.Handler) http.Handler {
 	return hstsHandler(gziphandler.GzipHandler(h))

cmd/coordinator/status.go

@@ -39,6 +39,7 @@ import (
 	"golang.org/x/build/internal/secret"
 	"golang.org/x/build/kubernetes/api"
 	"golang.org/x/oauth2"
+	"google.golang.org/grpc"
 )
 
 // status
@@ -628,13 +629,19 @@ func healthCheckerHandler(hc *healthChecker) http.Handler {
 
 func uptime() time.Duration { return time.Since(processStartTime).Round(time.Second) }
 
-func handleStatus(w http.ResponseWriter, r *http.Request) {
-	// Support gRPC handlers. handleStatus is our toplevel ("/") handler, so reroute to the gRPC server for
-	// matching requests.
-	if r.ProtoMajor == 2 && strings.HasPrefix(r.Header.Get("Content-Type"), "application/grpc") {
-		grpcServer.ServeHTTP(w, r)
-		return
+// grpcHandlerFunc creates handler which intercepts requests intended for a GRPC server and directs the calls to the server.
+// All other requests are directed toward the passed in handler.
+func grpcHandlerFunc(gs *grpc.Server, h http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if r.ProtoMajor == 2 && strings.HasPrefix(r.Header.Get("Content-Type"), "application/grpc") {
+			gs.ServeHTTP(w, r)
+			return
+		}
+		h(w, r)
 	}
+}
+
+func handleStatus(w http.ResponseWriter, r *http.Request) {
 	if r.URL.Path != "/" {
 		http.NotFound(w, r)
 		return

internal/access/access.go

@@ -55,6 +55,7 @@ func IAPFromContext(ctx context.Context) (*IAPFields, error) {
 // It ensures that the caller has successfully authenticated via IAP. If the caller
 // has authenticated, the headers created by IAP will be added to the request scope
 // context passed down to the server implementation.
+// https://cloud.google.com/iap/docs/signed-headers-howto
 func iapAuthFunc(audience string, validatorFn validator) grpcauth.AuthFunc {
 	return func(ctx context.Context) (context.Context, error) {
 		md, ok := metadata.FromIncomingContext(ctx)
@@ -117,11 +118,17 @@ func RequireIAPAuthStreamInterceptor(audience string) grpc.StreamServerIntercept
 type validator func(ctx context.Context, token, audiance string) (*idtoken.Payload, error)
 
 // IAPAudienceGCE returns the jwt audience for GCE and GKE services.
+// The project number is the numerical GCP project number the service is deployed in.
+// The service ID is the identifier for the backend service used to route IAP requests.
+// https://cloud.google.com/iap/docs/signed-headers-howto
 func IAPAudienceGCE(projectNumber int64, serviceID string) string {
 	return fmt.Sprintf("/projects/%d/global/backendServices/%s", projectNumber, serviceID)
 }
 
 // IAPAudienceAppEngine returns the JWT audience for App Engine services.
+// The project number is the numerical GCP project number the service is deployed in.
+// The project ID is the textual identifier for the GCP project that the App Engine instance is deployed in.
+// https://cloud.google.com/iap/docs/signed-headers-howto
 func IAPAudienceAppEngine(projectNumber int64, projectID string) string {
 	return fmt.Sprintf("/projects/%d/apps/%s", projectNumber, projectID)
 }

internal/gomote/doc.go

@@ -0,0 +1,8 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// package gomote contains all of the necessary components to implement
+// and use the gomote funcitonality. Gomotes are instances which are dedicated
+// to an individual user or service.
+package gomote

internal/gomote/gomote.go

@@ -0,0 +1,25 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gomote
+
+import (
+	"golang.org/x/build/internal/coordinator/remote"
+	"golang.org/x/build/internal/gomote/protos"
+)
+
+// Server is a gomote server implementation.
+type Server struct {
+	// embed the unimplemented server.
+	protos.UnimplementedGomoteServiceServer
+
+	buildlets *remote.SessionPool
+}
+
+// New creates a gomote server.
+func New(rsp *remote.SessionPool) *Server {
+	return &Server{
+		buildlets: rsp,
+	}
+}