Skip to content
This repository has been archived by the owner on Sep 26, 2023. It is now read-only.

feat: add self signed jwt support #1420

Merged
merged 2 commits into from
Aug 16, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion dependencies.properties
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ version.io_grpc=1.37.0
# 2) Replace all characters which are neither alphabetic nor digits with the underscore ('_') character
maven.com_google_api_grpc_proto_google_common_protos=com.google.api.grpc:proto-google-common-protos:2.0.1
maven.com_google_api_grpc_grpc_google_common_protos=com.google.api.grpc:grpc-google-common-protos:2.0.1
maven.com_google_auth_google_auth_library_oauth2_http=com.google.auth:google-auth-library-oauth2-http:0.24.0
maven.com_google_auth_google_auth_library_oauth2_http=com.google.auth:google-auth-library-oauth2-http:0.27.0
maven.com_google_auth_google_auth_library_credentials=com.google.auth:google-auth-library-credentials:1.0.0
maven.io_opencensus_opencensus_api=io.opencensus:opencensus-api:0.28.0
maven.io_opencensus_opencensus_contrib_grpc_metrics=io.opencensus:opencensus-contrib-grpc-metrics:0.28.0
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,9 @@ public abstract class GoogleCredentialsProvider implements CredentialsProvider {
@BetaApi
public abstract List<String> getJwtEnabledScopes();

@BetaApi
public abstract boolean getUseJwtAccessWithScope();

@VisibleForTesting
@Nullable
abstract GoogleCredentials getOAuth2Credentials();
Expand Down Expand Up @@ -91,12 +94,19 @@ public Credentials getCredentials() throws IOException {
if (credentials.createScopedRequired()) {
credentials = credentials.createScoped(getScopesToApply());
}

if (getUseJwtAccessWithScope() && credentials instanceof ServiceAccountCredentials) {
// See https://google.aip.dev/auth/4111 for self signed JWT.
ServiceAccountCredentials serviceAccount = (ServiceAccountCredentials) credentials;
return serviceAccount.createWithUseJwtAccessWithScope(true);
}
return credentials;
}

public static Builder newBuilder() {
return new AutoValue_GoogleCredentialsProvider.Builder()
.setJwtEnabledScopes(ImmutableList.<String>of());
.setJwtEnabledScopes(ImmutableList.<String>of())
.setUseJwtAccessWithScope(false);
}

public abstract Builder toBuilder();
Expand Down Expand Up @@ -134,9 +144,18 @@ public abstract static class Builder {
@BetaApi
public abstract List<String> getJwtEnabledScopes();

/** Whether self signed JWT with scopes should be used for service account credentials. */
@BetaApi
public abstract Builder setUseJwtAccessWithScope(boolean val);

/** The UseJwtAccessWithScope value previously provided. */
@BetaApi
public abstract boolean getUseJwtAccessWithScope();

public GoogleCredentialsProvider build() {
setScopesToApply(ImmutableList.copyOf(getScopesToApply()));
setJwtEnabledScopes(ImmutableList.copyOf(getJwtEnabledScopes()));
setUseJwtAccessWithScope(getUseJwtAccessWithScope());
return autoBuild();
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
package com.google.api.gax.core;

import static com.google.common.truth.Truth.assertThat;
import static org.junit.Assert.assertTrue;

import com.google.auth.Credentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
Expand All @@ -43,15 +44,18 @@

@RunWith(JUnit4.class)
public class GoogleCredentialsProviderTest {
ServiceAccountCredentials CreateServiceAccountCredentials() {
return ServiceAccountCredentials.newBuilder()
.setClientId("fake-client-id")
.setClientEmail("fake@example.com")
.setPrivateKeyId("fake-private-key")
.setPrivateKey(Mockito.mock(PrivateKey.class))
.build();
}

@Test
public void serviceAccountReplacedWithJwtTokens() throws Exception {
ServiceAccountCredentials serviceAccountCredentials =
ServiceAccountCredentials.newBuilder()
.setClientId("fake-client-id")
.setClientEmail("fake@example.com")
.setPrivateKeyId("fake-private-key")
.setPrivateKey(Mockito.mock(PrivateKey.class))
.build();
ServiceAccountCredentials serviceAccountCredentials = CreateServiceAccountCredentials();

GoogleCredentialsProvider provider =
GoogleCredentialsProvider.newBuilder()
Expand All @@ -71,13 +75,7 @@ public void serviceAccountReplacedWithJwtTokens() throws Exception {

@Test
public void noJwtWithoutScopeMatch() throws Exception {
ServiceAccountCredentials serviceAccountCredentials =
ServiceAccountCredentials.newBuilder()
.setClientId("fake-client-id")
.setClientEmail("fake@example.com")
.setPrivateKeyId("fake-private-key")
.setPrivateKey(Mockito.mock(PrivateKey.class))
.build();
ServiceAccountCredentials serviceAccountCredentials = CreateServiceAccountCredentials();

GoogleCredentialsProvider provider =
GoogleCredentialsProvider.newBuilder()
Expand All @@ -100,4 +98,30 @@ public void noJwtWithoutScopeMatch() throws Exception {
.isEqualTo(serviceAccountCredentials.getPrivateKey());
assertThat(serviceAccountCredentials2.getScopes()).containsExactly("scope1", "scope2");
}

@Test
public void useJwtAccessWithScope() throws Exception {
ServiceAccountCredentials serviceAccountCredentials = CreateServiceAccountCredentials();

GoogleCredentialsProvider provider =
GoogleCredentialsProvider.newBuilder()
.setScopesToApply(ImmutableList.of("scope1", "scope2"))
.setOAuth2Credentials(serviceAccountCredentials)
.setUseJwtAccessWithScope(true)
.build();

Credentials credentials = provider.getCredentials();
assertThat(credentials).isInstanceOf(ServiceAccountCredentials.class);

ServiceAccountCredentials serviceAccountCredentials2 = (ServiceAccountCredentials) credentials;
assertThat(serviceAccountCredentials2.getClientId())
.isEqualTo(serviceAccountCredentials.getClientId());
assertThat(serviceAccountCredentials2.getClientEmail())
.isEqualTo(serviceAccountCredentials.getClientEmail());
assertThat(serviceAccountCredentials2.getPrivateKeyId())
.isEqualTo(serviceAccountCredentials.getPrivateKeyId());
assertThat(serviceAccountCredentials2.getPrivateKey())
.isEqualTo(serviceAccountCredentials.getPrivateKey());
assertTrue(serviceAccountCredentials2.getUseJwtAccessWithScope());
}
}