Add some files for grpc auth tutorial (#712)

* Add api config_auth, and rename http_api_config to api_config_http.
* Use google.auth for jwt_token_gen.py.
* updated README.

Author: qiwzhang

endpoints/bookstore-grpc/README.md

@@ -28,6 +28,14 @@ To run the client:
 As with the server, the `-h` command line flag shows the various settings
 available.
 
+## Generating a JWT token from a service account file
+
+To run the script:
+
+    python jwt_token_gen.py --file=account_file --audiences=audiences --issuer=issuer
+
+The output can be used as "--auth_token" for bookstore_client.py
+
 ## Regenerating the API stubs
 
 The bookstore gRPC API is defined by `bookstore.proto`

endpoints/bookstore-grpc/api_config_auth.yaml

@@ -0,0 +1,48 @@
+# Copyright 2016 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# A Bookstore example API configuration.
+#
+# Below, replace MY_PROJECT_ID with your Google Cloud Project ID.
+#
+
+# The configuration schema is defined by service.proto file
+# https://github.com/googleapis/googleapis/blob/master/google/api/service.proto
+type: google.api.Service
+config_version: 3
+
+#
+# Name of the service configuration.
+#
+name: bookstore.MY_PROJECT_ID.appspot.com
+
+#
+# API title to appear in the user interface (Google Cloud Console).
+#
+title: Bookstore gRPC API
+apis:
+- name: endpoints.examples.bookstore.Bookstore
+
+authentication:
+  providers:
+  - id: google_service_account
+    # Replace SERVICE-ACCOUNT-EMAIL with your service account's email address.
+    issuer: SERVICE-ACCOUNT-EMAI
+    jwks_uri: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE-ACCOUNT-EMAI
+  rules:
+  # This auth rule will apply to all methods.
+  - selector: "*"
+    requirements:
+      - provider_id: google_service_account

endpoints/bookstore-grpc/http_api_config.yaml renamed to endpoints/bookstore-grpc/api_config_http.yaml

@@ -0,0 +1,71 @@
+#!/usr/bin/env python
+
+# Copyright 2016 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Example of generateing a JWT signed from a service account file."""
+
+import argparse
+import json
+import time
+
+import google.auth.crypt
+import google.auth.jwt
+
+"""Max lifetime of the token (one hour, in seconds)."""
+MAX_TOKEN_LIFETIME_SECS = 3600
+
+
+def generate_jwt(service_account_file, issuer, audiences):
+    """Generates a signed JSON Web Token using a Google API Service Account."""
+    with open(service_account_file, 'r') as fh:
+        service_account_info = json.load(fh)
+
+    signer = google.auth.crypt.Signer.from_string(
+        service_account_info['private_key'],
+        service_account_info['private_key_id'])
+
+    now = int(time.time())
+
+    payload = {
+        'iat': now,
+        'exp': now + MAX_TOKEN_LIFETIME_SECS,
+        # aud must match 'audience' in the security configuration in your
+        # swagger spec. It can be any string.
+        'aud': audiences,
+        # iss must match 'issuer' in the security configuration in your
+        # swagger spec. It can be any string.
+        'iss': issuer,
+        # sub and email are mapped to the user id and email respectively.
+        'sub': '12345678',
+        'email': '[email protected]'
+    }
+
+    signed_jwt = google.auth.jwt.encode(signer, payload)
+    return signed_jwt
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(
+        description=__doc__,
+        formatter_class=argparse.RawDescriptionHelpFormatter)
+    parser.add_argument('--file',
+                        help='The path to your service account json file.')
+    parser.add_argument('--issuer', default='', help='issuer')
+    parser.add_argument('--audiences', default='', help='audiences')
+
+    args = parser.parse_args()
+
+    signed_jwt = generate_jwt(args.file, args.issuer, args.audiences)
+    print(signed_jwt)

endpoints/bookstore-grpc/jwt_token_gen.py

@@ -1 +1,2 @@
 grpcio==1.0.1
+google-auth==0.3.1