Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: IdTokenCredentials should fetch license id claim when requested #1450

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

fix: IdTokenCredentials should fetch license id claim when requested #1450

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
cfd2b87
fix: license id claim must be requested with licenses (plural) query …
sjvanrossum Jul 29, 2024
788d3f4
fix: license_id is a property of compute_engine claim
sjvanrossum Jul 29, 2024
d4c76d6
chore: use parameterized types
sjvanrossum Jul 29, 2024
5388635
fix: accurately mock value parser for licenses parameter
sjvanrossum Jul 29, 2024
d7ca3d4
Merge branch 'main' into main
sjvanrossum Oct 14, 2024
05b5f19
Merge branch 'main' into main
sjvanrossum Nov 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -327,9 +327,9 @@ public IdToken idTokenWithAudience(String targetAudience, List<IdTokenProvider.O
documentUrl.set("format", "full");
}
if (options.contains(IdTokenProvider.Option.LICENSES_TRUE)) {
// license will only get returned if format is also full
// licenses will only get returned if format is also full
documentUrl.set("format", "full");
documentUrl.set("license", "TRUE");
documentUrl.set("licenses", "TRUE");
}
}
documentUrl.set("audience", targetAudience);
Expand Down
27 changes: 16 additions & 11 deletions oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,19 +100,19 @@ public class ComputeEngineCredentialsTest extends BaseSerializationTest {
+ "20iLCJzdWIiOiIxMTIxNzkwNjI3MjAzOTEzMDU4ODUifQ.redacted";

// Id Token which includes GCE extended claims and any VM License data (if applicable)
public static final String FULL_ID_TOKEN_WITH_LICENSE =
public static final String FULL_ID_TOKEN_WITH_LICENSES =
"eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOG"
+ "I3OTIyOTNhZDk3N2EwYjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.ew0KICAiYXVkIjogImh0dHBzOi8"
+ "vZm9vLmJhciIsDQogICJhenAiOiAiMTEyMTc5MDYyNzIwMzkxMzA1ODg1IiwNCiAgImVtYWlsIjogIjEyMzQ1Ni1"
+ "jb21wdXRlQGRldmVsb3Blci5nc2VydmljZWFjY291bnQuY29tIiwNCiAgImVtYWlsX3ZlcmlmaWVkIjogdHJ1ZSw"
+ "NCiAgImV4cCI6IDE1NjQ1MTk0OTYsDQogICJnb29nbGUiOiB7DQogICAgImNvbXB1dGVfZW5naW5lIjogew0KICA"
+ "gICAgImluc3RhbmNlX2NyZWF0aW9uX3RpbWVzdGFtcCI6IDE1NjMyMzA5MDcsDQogICAgICAiaW5zdGFuY2VfaWQ"
+ "iOiAiMzQ5Nzk3NDM5MzQ0MTE3OTI0MyIsDQogICAgICAiaW5zdGFuY2VfbmFtZSI6ICJpYW0iLA0KICAgICAgInB"
+ "yb2plY3RfaWQiOiAiZm9vLWJhci04MjAiLA0KICAgICAgInByb2plY3RfbnVtYmVyIjogMTA3MTI4NDE4NDQzNiw"
+ "NCiAgICAgICJ6b25lIjogInVzLWNlbnRyYWwxLWEiDQogICAgfSwNCiAgICAibGljZW5zZSI6IFsNCiAgICAgICA"
+ "iTElDRU5TRV8xIiwNCiAgICAgICAiTElDRU5TRV8yIg0KICAgIF0NCiAgfSwNCiAgImlhdCI6IDE1NjQ1MTU4OTY"
+ "sDQogICJpc3MiOiAiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwNCiAgInN1YiI6ICIxMTIxNzkwNjI3MjA"
+ "zOTEzMDU4ODUiDQp9.redacted";
+ "iOiAiMzQ5Nzk3NDM5MzQ0MTE3OTI0MyIsDQogICAgICAiaW5zdGFuY2VfbmFtZSI6ICJpYW0iLA0KICAgICAgImx"
+ "pY2Vuc2VfaWQiOiBbDQogICAgICAgICIxMDAxMDAwIiwNCiAgICAgICAgIjEwMDEwMDEiLA0KICAgICAgICAiMTA"
+ "wMTAwOCINCiAgICAgIF0sDQogICAgICAicHJvamVjdF9pZCI6ICJmb28tYmFyLTgyMCIsDQogICAgICAicHJvamV"
+ "jdF9udW1iZXIiOiAxMDcxMjg0MTg0NDM2LA0KICAgICAgInpvbmUiOiAidXMtY2VudHJhbDEtYSINCiAgICB9DQo"
+ "gIH0sDQogICJpYXQiOiAxNTY0NTE1ODk2LA0KICAiaXNzIjogImh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbSI"
+ "sDQogICJzdWIiOiAiMTEyMTc5MDYyNzIwMzkxMzA1ODg1Ig0KfQ.redacted";
private static final String ACCESS_TOKEN = "1/MkSJoj1xsli0AccessToken_NKPY2";
private static final List<String> SCOPES = Arrays.asList("foo", "bar");
private static final String ACCESS_TOKEN_WITH_SCOPES = "1/MkSJoj1xsli0AccessTokenScoped_NKPY2";
Expand Down Expand Up @@ -956,7 +956,8 @@ public void idTokenWithAudience_full() throws IOException {
tokenCredential.refresh();
Payload p = tokenCredential.getIdToken().getJsonWebSignature().getPayload();
assertTrue("Full ID Token format not provided", p.containsKey("google"));
ArrayMap<String, ArrayMap> googleClaim = (ArrayMap<String, ArrayMap>) p.get("google");
ArrayMap<String, ArrayMap<String, ?>> googleClaim =
(ArrayMap<String, ArrayMap<String, ?>>) p.get("google");
assertTrue(googleClaim.containsKey("compute_engine"));

// verify metrics header
Expand All @@ -966,7 +967,7 @@ public void idTokenWithAudience_full() throws IOException {

@Test
@SuppressWarnings("unchecked")
public void idTokenWithAudience_license() throws IOException {
public void idTokenWithAudience_licenses() throws IOException {
MockMetadataServerTransportFactory transportFactory = new MockMetadataServerTransportFactory();
ComputeEngineCredentials credentials =
ComputeEngineCredentials.newBuilder().setHttpTransportFactory(transportFactory).build();
Expand All @@ -983,8 +984,12 @@ public void idTokenWithAudience_license() throws IOException {
tokenCredential.refresh();
Payload p = tokenCredential.getIdToken().getJsonWebSignature().getPayload();
assertTrue("Full ID Token format not provided", p.containsKey("google"));
ArrayMap<String, ArrayMap> googleClaim = (ArrayMap<String, ArrayMap>) p.get("google");
assertTrue(googleClaim.containsKey("license"));
ArrayMap<String, ArrayMap<String, ?>> googleClaim =
(ArrayMap<String, ArrayMap<String, ?>>) p.get("google");
assertTrue(googleClaim.containsKey("compute_engine"));
ArrayMap<String, ?> computeEngineClaim =
(ArrayMap<String, ?>) googleClaim.get("compute_engine");
assertTrue(computeEngineClaim.containsKey("license_id"));
}

static class MockMetadataServerTransportFactory implements HttpTransportFactory {
Expand Down
12 changes: 8 additions & 4 deletions oauth2_http/javatests/com/google/auth/oauth2/MockMetadataServerTransport.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,12 +49,16 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Transport that simulates the GCE metadata server for access tokens. */
public class MockMetadataServerTransport extends MockHttpTransport {

private static final Pattern BOOL_PARAMETER_VALUE = Pattern.compile("on|1|(?i)y|yes|true");

// key are scopes as in request url string following "?scopes="
private Map<String, String> scopesToAccessToken;

private Integer requestStatusCode;

private String serviceAccountEmail;
Expand Down Expand Up @@ -254,14 +258,14 @@ public LowLevelHttpResponse execute() throws IOException {
if (queryPairs.containsKey("format")) {
if (((String) queryPairs.get("format")).equals("full")) {

// return license only if format=full is set
if (queryPairs.containsKey("license")) {
if (((String) queryPairs.get("license")).equals("TRUE")) {
// return licenses only if format=full is set
if (queryPairs.containsKey("licenses")) {
if (BOOL_PARAMETER_VALUE.matcher((String) queryPairs.get("licenses")).matches()) {
return new MockLowLevelHttpRequest(url) {
@Override
public LowLevelHttpResponse execute() throws IOException {
return new MockLowLevelHttpResponse()
.setContent(ComputeEngineCredentialsTest.FULL_ID_TOKEN_WITH_LICENSE);
.setContent(ComputeEngineCredentialsTest.FULL_ID_TOKEN_WITH_LICENSES);
}
};
}
Expand Down