[Cloud Run] Identity Platform + Cloud SQL sample

run/idp-sql/Dockerfile

@@ -0,0 +1,26 @@
+# Copyright 2030 Google LLC. All rights reserved.
+# Use of this source code is governed by the Apache 2.0
+# license that can be found in the LICENSE file.
+
+# Use the official lightweight Node.js 10 image.
+# https://hub.docker.com/_/node
+FROM node:10-slim
+
+# Create and change to the app directory.
+WORKDIR /usr/src/app
+
+# Copy application dependency manifests to the container image.
+# A wildcard is used to ensure both package.json AND package-lock.json are copied.
+# Copying this separately prevents re-running npm install on every code change.
+COPY package*.json ./
+
+# Install dependencies.
+# If you add a package-lock.json speed your build by switching to 'npm ci'.
+# RUN npm ci --only=production
+RUN npm install --production
+
+# Copy local code to the container image.
+COPY . ./
+
+# Run the web service on container startup.
+CMD [ "npm", "start" ]

run/idp-sql/README.md

@@ -0,0 +1,34 @@
+# Cloud Run End User Authentication with PostgreSQL Database Sample
+
+This sample integrates with the Identity Platform to authenticate users to the
+application and connects to a Cloud SQL postgreSQL database for data storage.
+
+Use it with the [End user Authentication for Cloud Run](http://cloud.google.com/run/docs/tutorials/end-user).
+
+For more details on how to work with this sample read the [Google Cloud Run Node.js Samples README](https://github.com/GoogleCloudPlatform/nodejs-docs-samples/tree/master/run).
+
+## Dependencies
+
+* **express**: Web server framework
+* **@google-cloud/logging-winston** + **winston**: Logging library
+* **@google-cloud/secret-manager**: Google Secret Manager client library
+* **firebase-admin**: Verifying JWT token
+* **knex**: A SQL query builder library
+* **pug**: Template engine
+
+
+## Environment Variables
+
+Cloud Run services can be [configured with Environment Variables](https://cloud.google.com/run/docs/configuring/environment-variables).
+Required variables for this sample include:
+
+* `SECRETS`: The Cloud Run service will be notified of images uploaded to this Cloud Storage bucket. The service will then retreive and process the image.
+
+OR
+
+* `CLOUD_SQL_CONNECTION_NAME`='<MY-PROJECT>:<INSTANCE-REGION>:<MY-DATABASE>'
+* `DB_USER`='my-db-user'
+* `DB_PASS`='my-db-pass'
+* `DB_NAME`='my_db'
+
+Note: Saving credentials in environment variables is convenient, but not secure.

run/idp-sql/app.js

@@ -0,0 +1,141 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+const admin = require('firebase-admin');
+const express = require('express');
+const { logger } = require('./logging');
+const { getVotes, getVoteCount, insertVote } = require('./cloud-sql');
+
+const app = express();
+app.set('view engine', 'pug');
+app.enable('trust proxy');
+app.use(express.static(__dirname + '/static'));
+
+// Automatically parse request body as form data.
+app.use(express.urlencoded({extended: false}));
+app.use(express.json());
+
+// Set Content-Type for all responses for these routes.
+app.use((req, res, next) => {
+  res.set('Content-Type', 'text/html');
+  next();
+});
+
+// Initialize Firebase Admin SDK
+admin.initializeApp();
+
+// [START run_user_auth_jwt]
+// Extract and verify Id Token from header
+const authenticateJWT = (req, res, next) => {
+  const authHeader = req.headers.authorization;
+  if (authHeader) {
+    const token = authHeader.split(' ')[1];
+    // If the provided ID token has the correct format, is not expired, and is
+    // properly signed, the method returns the decoded ID token
+    admin.auth().verifyIdToken(token).then(function(decodedToken) {
+      let uid = decodedToken.uid;
+      req.uid = uid;
+      next();
+    }).catch((err) => {
+      logger.error(`error with authentication: ` + err)
+      return res.sendStatus(403);
+    });
+  } else {
+    return res.sendStatus(401);
+  }
+}
+// [END run_user_auth_jwt]
+
+
+app.get('/', async (req, res) => {
+  try {
+    // Query the total count of "CATS" from the database.
+    const catsResult = await getVoteCount('CATS');
+    const catsTotalVotes = parseInt(catsResult[0].count);
+    // Query the total count of "DOGS" from the database.
+    const dogsResult = await getVoteCount('DOGS');
+    const dogsTotalVotes = parseInt(dogsResult[0].count);
+    // Query the last 5 votes from the database.
+    const votes = await getVotes();
+    // Calculate and set leader values.
+    let leadTeam = '';
+    let voteDiff = 0;
+    let leaderMessage = '';
+    if (catsTotalVotes !== dogsTotalVotes) {
+      if (catsTotalVotes > dogsTotalVotes) {
+        leadTeam = 'CATS';
+        voteDiff = catsTotalVotes - dogsTotalVotes;
+      } else {
+        leadTeam = 'DOGS';
+        voteDiff = dogsTotalVotes - catsTotalVotes;
+      }
+      leaderMessage = `${leadTeam} are winning by ${voteDiff} vote${voteDiff > 1 ? 's' : ''}.`;
+    } else {
+      leaderMessage = 'CATS and DOGS are evenly matched!';
+    }
+    res.render('index.pug', {
+      votes: votes,
+      catsCount: catsTotalVotes,
+      dogsCount: dogsTotalVotes,
+      leadTeam: leadTeam,
+      voteDiff: voteDiff,
+      leaderMessage: leaderMessage,
+    });
+  } catch(err) {
+    logger.error(`error while attempting to get vote: ${err}`);
+    res
+    .status(500)
+    .send('Unable to load page; see logs for more details.')
+    .end();
+  }
+
+});
+
+app.post('/', authenticateJWT, async (req, res) => {
+  // Get decoded Id Platform user id
+  const uid = req.uid;
+  // Get the team from the request and record the time of the vote.
+  const {team} = req.body;
+  const timestamp = new Date();
+
+  if (!team || (team !== 'CATS' && team !== 'DOGS')) {
+    res.status(400).send('Invalid team specified.').end();
+    return;
+  }
+
+  // Create a vote record to be stored in the database.
+  const vote = {
+    candidate: team,
+    time_cast: timestamp,
+    uid,
+  };
+
+  // Save the data to the database.
+  try {
+    await insertVote(vote);
+    logger.info({message: 'vote_inserted', vote})
+  } catch (err) {
+    logger.error(`error while attempting to submit vote: ${err}`);
+    res
+    .status(500)
+    .send('Unable to cast vote; see logs for more details.')
+    .end();
+    return;
+  }
+  res.status(200).send(`Successfully voted for ${team} at ${timestamp}`).end();
+});
+
+module.exports = app;

run/idp-sql/cloud-sql.js

@@ -0,0 +1,112 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+const Knex = require('knex');
+const { getSecretConfig } = require('./secrets');
+
+// [START run_user_auth_knex]
+const connectWithUnixSockets = (config, secretConfig) => {
+  const dbSocketPath = process.env.DB_SOCKET_PATH || "/cloudsql"
+  // Establish a connection to the database
+  return Knex({
+    client: 'pg',
+    connection: {
+      user: secretConfig.DB_USER, // e.g. 'my-user'
+      password: secretConfig.DB_PASS, // e.g. 'my-user-password'
+      database: secretConfig.DB_NAME, // e.g. 'my-database'
+      host: `${dbSocketPath}/${secretConfig.CLOUD_SQL_CONNECTION_NAME}`,
+    },
+    // ... Specify additional properties here.
+    ...config
+  });
+}
+// [END run_user_auth_knex]
+
+const config = {
+  // Configure which instance and what database user to connect with.
+  // Remember - storing secrets in plaintext is potentially unsafe. Consider using
+  // something like https://cloud.google.com/kms/ to help keep secrets secret.
+  pool: {
+    // 'max' limits the total number of concurrent connections this pool will keep. Ideal
+    // values for this setting are highly variable on app design, infrastructure, and database.
+    max: 5,
+    // 'min' is the minimum number of idle connections Knex maintains in the pool.
+    // Additional connections will be established to meet this value unless the pool is full.
+    min: 5,
+    // 'acquireTimeoutMillis' is the number of milliseconds before a timeout occurs when acquiring a
+    // connection from the pool. This is slightly different from connectionTimeout, because acquiring
+    // a pool connection does not always involve making a new connection, and may include multiple retries.
+    // when making a connection
+    acquireTimeoutMillis: 60000, // 60 seconds
+  },
+  // 'createTimeoutMillis` is the maximum number of milliseconds to wait trying to establish an
+  // initial connection before retrying.
+  // After acquireTimeoutMillis has passed, a timeout exception will be thrown.
+  createTimeoutMillis: 30000, // 30 seconds
+  // 'idleTimeoutMillis' is the number of milliseconds a connection must sit idle in the pool
+  // and not be checked out before it is automatically closed.
+  idleTimeoutMillis: 600000, // 10 minutes
+  // 'knex' uses a built-in retry strategy which does not implement backoff.
+  // 'createRetryIntervalMillis' is how long to idle after failed connection creation before trying again
+  createRetryIntervalMillis: 200, // 0.2 seconds
+};
+
+let knex;
+let secrets = getSecretConfig();
+
+/**
+ * Insert a vote record into the database.
+ *
+ * @param {object} knex The Knex connection object.
+ * @param {object} vote The vote record to insert.
+ * @returns {Promise}
+ */
+const insertVote = async (vote) => {
+  if (!knex) knex = connectWithUnixSockets(config, await secrets);
+  return await knex('votes').insert(vote);
+};
+
+/**
+ * Retrieve the latest 5 vote records from the database.
+ *
+ * @param {object} knex The Knex connection object.
+ * @returns {Promise}
+ */
+const getVotes = async () => {
+  if (!knex) knex = connectWithUnixSockets(config, await secrets);
+  return await knex
+    .select('candidate', 'time_cast', 'uid')
+    .from('votes')
+    .orderBy('time_cast', 'desc')
+    .limit(5);
+};
+
+/**
+ * Retrieve the total count of records for a given candidate
+ * from the database.
+ *
+ * @param {object} knex The Knex connection object.
+ * @param {object} candidate The candidate for which to get the total vote count
+ * @returns {Promise}
+ */
+const getVoteCount = async (candidate) => {
+  if (!knex) knex = connectWithUnixSockets(config, await secrets);
+  return await knex('votes').count('vote_id').where('candidate', candidate);
+};
+
+module.exports = {
+  getVoteCount,
+  getVotes,
+  insertVote,
+}