<?php
declare(strict_types=1);
namespace AffordableMobiles\GServerlessSupportLaravel\Integration\JWT\Signer;
use Lcobucci\JWT\Signer;
use Lcobucci\JWT\Signer\Key;
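/**
 * Sign with a Google Service Account using the IAM API.
 *
 * Signing is delegated to the IAM Credentials `signBlob` call, so the service
 * account's private key never has to be present in this process. The `Key`
 * handed to {@see sign()} carries the service-account email that identifies
 * the signing account, not key material. Signature verification is not
 * implemented by this class: {@see verify()} always throws, so a token can
 * never be accepted through it. Consumers should validate tokens with a
 * public-key signer fed from the account's JWKS.
 *
 * You can grab the JWKS public key definition for a service account
 * by visiting:
 *
 * https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACCOUNT_EMAIL}
 */
class IAMSigner implements Signer
{
    /** Application name reported to the Google API client. */
    private const APPLICATION_NAME = 'GServerlessSupportLaravel-JWT/0.1';

    /**
     * OAuth scope requested for the IAM Credentials call.
     *
     * NOTE(review): cloud-platform is a broad scope; confirm whether a
     * narrower IAM scope is sufficient for signBlob in this deployment.
     */
    private const SCOPE = 'https://www.googleapis.com/auth/cloud-platform';

    /**
     * Returns the algorithm id advertised in the JWT header.
     */
    public function algorithmId(): string
    {
        return 'RS256';
    }

    /**
     * Apply changes on headers according with algorithm.
     *
     * Sets the `alg` header to the value of {@see algorithmId()}.
     */
    public function modifyHeader(array &$headers): void
    {
        $headers['alg'] = $this->algorithmId();
    }

    /**
     * Returns a signature for given data.
     *
     * @throws CannotSignPayload when payload signing fails
     * @throws InvalidKeyProvided when issue key is invalid/incompatible
     * @throws ConversionFailed when signature could not be converted
     * @throws \RuntimeException when the IAM response is not valid base64
     */
    public function sign(string $payload, Key $key): string
    {
        return $this->createHash($payload, $key);
    }

    /**
     * Returns if the expected hash matches with the data and key.
     *
     * Always throws: this signer cannot verify. See {@see doVerify()}.
     *
     * @throws InvalidKeyProvided when issue key is invalid/incompatible
     * @throws ConversionFailed when signature could not be converted
     * @throws \Exception verification is unsupported by this signer
     */
    public function verify(string $expected, string $payload, Key $key): bool
    {
        return $this->doVerify($expected, $payload, $key);
    }

    /**
     * Creates a signature for the given data via the IAM Credentials API.
     *
     * @internal
     *
     * @param string $payload raw bytes to sign (base64-encoded on the wire)
     * @param Key    $key     its contents() is used as the service-account email
     *
     * @return string raw signature bytes
     *
     * @throws \RuntimeException when the signed blob returned by IAM is not
     *                           valid base64 (strict decoding failed)
     */
    public function createHash(string $payload, Key $key): string
    {
        $client = new \Google_Client();
        $client->setApplicationName(self::APPLICATION_NAME);
        // The caller's identity comes from Application Default Credentials of
        // the runtime; nothing from the JWT key is used for authentication.
        $client->useApplicationDefaultCredentials();
        $client->addScope(self::SCOPE);

        $service = new \Google_Service_IAMCredentials($client);

        // "projects/-" is the project wildcard; IAM resolves the project from
        // the service-account email.
        $keyID = sprintf('projects/-/serviceAccounts/%s', $key->contents());

        $requestBody = new \Google_Service_IAMCredentials_SignBlobRequest();
        $requestBody->setPayload(base64_encode($payload));

        $response = $service->projects_serviceAccounts->signBlob($keyID, $requestBody);

        // Strict decoding returns false for anything that is not clean base64.
        // Without this check a malformed response would surface as a TypeError
        // in sign() (declared to return string) rather than a meaningful error.
        $signature = base64_decode($response->getSignedBlob(), true);
        if ($signature === false) {
            throw new \RuntimeException('IAM signBlob returned a signed blob that is not valid base64');
        }

        return $signature;
    }

    /**
     * Performs the signature verification.
     *
     * Deliberately unsupported: IAM only signs, it does not verify. Throwing
     * here means a validation path that is misconfigured to use this signer
     * fails closed instead of accepting a token.
     *
     * @internal
     *
     * @param string $expected
     * @param string $payload
     *
     * @return bool never returns
     *
     * @throws \Exception always
     */
    public function doVerify(string $expected, string $payload, Key $key): bool
    {
        throw new \Exception('signature verification is currently unsupported');
    }
}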