From 6b384e81075419a9dc83d531e97dd9b513788336 Mon Sep 17 00:00:00 2001 From: kentengjin Date: Wed, 30 Sep 2020 13:00:21 -0700 Subject: [PATCH 1/3] Migrate IAM SignBlob to IAMCredentials SignBlob Point all SignBlob to iamcredentials instead of iam
---
 auth/auth.go | 2 +-
 auth/token_generator.go | 14 +++++++-------
 auth/token_generator_test.go | 12 ++++++------
 3 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/auth/auth.go b/auth/auth.go
index 35600b84..b8d7fa7f 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -139,7 +139,7 @@ func NewClient(ctx context.Context, conf *internal.AuthConfig) (*Client, error)
 // the credentials to sign tokens locally.
 // - If a service account email was specified during initialization (via firebase.Config struct),
 // calls the IAM service with that email to sign tokens remotely. See
-// https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signBlob.
+// https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob.
 // - If the code is deployed in the Google App Engine standard environment, uses the App Identity
 // service to sign tokens. See https://cloud.google.com/appengine/docs/standard/go/reference#SignBytes.
 // - If the code is deployed in a different GCP-managed environment (e.g. Google Compute Engine),
diff --git a/auth/token_generator.go b/auth/token_generator.go
index 83e12020..eaf00ae7 100644
--- a/auth/token_generator.go
+++ b/auth/token_generator.go
@@ -143,11 +143,11 @@ func (s serviceAccountSigner) Email(ctx context.Context) (string, error) {
 return s.clientEmail, nil
 }
-// iamSigner is a cryptoSigner that signs data by sending them to the remote IAM service. See
-// https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signBlob for details
-// regarding the REST API.
+// iamSigner is a cryptoSigner that signs data by sending them to the remote IAMCredentials service. See
+// https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob
+// for details regarding the REST API.
 //
-// The IAM service requires the identity of a service account. This can be specified explicitly
+// The IAMCredentials service requires the identity of a service account. This can be specified explicitly
 // at initialization. If not specified iamSigner attempts to discover a service account identity by
 // calling the local metadata service (works in environments like Google Compute Engine).
 type iamSigner struct {
@@ -169,7 +169,7 @@ func newIAMSigner(ctx context.Context, config *internal.AuthConfig) (*iamSigner,
 httpClient: hc,
 serviceAcct: config.ServiceAccountID,
 metadataHost: "http://metadata.google.internal",
- iamHost: "https://iam.googleapis.com",
+ iamHost: "https://iamcredentials.googleapis.com",
 }, nil
 }
@@ -181,7 +181,7 @@ func (s iamSigner) Sign(ctx context.Context, b []byte) ([]byte, error) {
 url := fmt.Sprintf("%s/v1/projects/-/serviceAccounts/%s:signBlob", s.iamHost, account)
 body := map[string]interface{}{
- "bytesToSign": base64.StdEncoding.EncodeToString(b),
+ "payload": base64.StdEncoding.EncodeToString(b),
 }
 req := &internal.Request{
 Method: http.MethodPost,
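Review bot: Switching `iamHost` to `https://iamcredentials.googleapis.com` in the @@ -169 hunk changes which Google API the project must have enabled: requests to the IAM Service Account Credentials API fail at call time when that API is not enabled on the project, and the calling identity still needs the `iam.serviceAccounts.signBlob` permission on the target service account. Neither the hunk nor the commit message records this operational change, so it should be documented where the field is declared and in the release notes, e.g. `// iamHost is the base URL of the IAM Service Account Credentials API (iamcredentials.googleapis.com); that API must be enabled on the project for Sign to succeed.` The `iamHost` field declaration in the iamSigner struct and the start of newIAMSigner both lie outside this hunk.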
@@ -189,7 +189,7 @@ func (s iamSigner) Sign(ctx context.Context, b []byte) ([]byte, error) {
 Body: internal.NewJSONEntity(body),
 }
 var signResponse struct {
- Signature string `json:"signature"`
+ Signature string `json:"signedBlob"`
 }
 if _, err := s.httpClient.DoAndUnmarshal(ctx, req, &signResponse); err != nil {
 return nil, err
diff --git a/auth/token_generator_test.go b/auth/token_generator_test.go
index 34a3fe4c..2f49b090 100644
--- a/auth/token_generator_test.go
+++ b/auth/token_generator_test.go
@@ -60,8 +60,8 @@ func TestEncodeToken(t *testing.T) {
 if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil {
 t.Fatal(err)
- } else if string(sig) != "signature" {
- t.Errorf("decode(signature) = %q; want = %q", string(sig), "signature")
+ } else if string(sig) != "signedBlob" {
+ t.Errorf("decode(signature) = %q; want = %q", string(sig), "signedBlob")
 }
 }
@@ -277,12 +277,12 @@ func (s *mockSigner) Sign(ctx context.Context, b []byte) ([]byte, error) {
 if s.err != nil {
 return nil, s.err
 }
- return []byte("signature"), nil
+ return []byte("signedBlob"), nil
 }
 func iamServer(t *testing.T, serviceAcct, signature string) *httptest.Server {
 resp := map[string]interface{}{
- "signature": base64.StdEncoding.EncodeToString([]byte(signature)),
+ "signedBlob": base64.StdEncoding.EncodeToString([]byte(signature)),
 }
 wantPath := fmt.Sprintf("/v1/projects/-/serviceAccounts/%s:signBlob", serviceAcct)
 handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -295,8 +295,8 @@ func iamServer(t *testing.T, serviceAcct, signature string) *httptest.Server {
 if err := json.Unmarshal(reqBody, &m); err != nil {
 t.Fatal(err)
 }
- if m["bytesToSign"] == "" {
- t.Fatal("BytesToSign = empty; want = non-empty")
+ if m["payload"] == "" {
+ t.Fatal("payload = empty; want = non-empty")
 }
 if r.URL.Path != wantPath {
 t.Errorf("Path = %q; want = %q", r.URL.Path, wantPath)
From 724b2cd82a510fab0479433ca3ee643cc3fdaa41 Mon Sep 17 00:00:00 2001
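Review bot: After the `json:"signedBlob"` rename in the @@ -189 hunk of auth/token_generator.go, a 2xx response that lacks that field leaves `signResponse.Signature` as the empty string and DoAndUnmarshal reports no error, so Sign presumably carries on with an empty signature instead of failing; a reply from an endpoint still using the old `signature` field has exactly that shape, which makes the migration the right moment to add an explicit check after the unmarshal: `if signResponse.Signature == "" { return nil, fmt.Errorf("signBlob response from %s contained no signedBlob", s.iamHost) }`. The same field-name coupling applies to the `payload` request key introduced in the preceding @@ -181 hunk. Sign's body, including whatever decodes the returned value, continues outside the hunk.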
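Review bot: Using `"signedBlob"` as the fake signature bytes returned by mockSigner.Sign in the @@ -277 hunk, and expecting it in TestEncodeToken in the @@ -60 hunk, conflates the IAMCredentials response field name with a signature value; the mock never goes through the JSON API, so those two renames were not needed and the message `decode(signature) = %q; want = %q` now reads as if a field name were being decoded. A neutral placeholder such as `return []byte("fake-signature"), nil` with the matching expectation in TestEncodeToken keeps the two concepts apart; only the `resp` map in iamServer needs the `signedBlob` key.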
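Review bot: `if m["payload"] == ""` in the @@ -295 hunk only detects an absent key when `m` is a map of strings; `m` is declared above the hunk, and if it is `map[string]interface{}` a missing key yields nil, which is not equal to `""`, so a request with no payload at all would pass the guard. Checking presence explicitly, `if v, ok := m["payload"]; !ok || v == "" { t.Fatal("payload = missing or empty; want = non-empty") }`, works for either map type, and the fake server could additionally base64-decode the value and compare it with the bytes the test passed to Sign, which is the property the migration actually changed. The handler closure in iamServer continues outside the hunk.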
From: kentengjin Date: Wed, 30 Sep 2020 13:26:50 -0700 Subject: [PATCH 2/3] Minor documentation changes Correct and format some contents
---
 auth/auth.go | 2 +-
 auth/token_generator.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/auth/auth.go b/auth/auth.go
index b8d7fa7f..e134d314 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -138,7 +138,7 @@ func NewClient(ctx context.Context, conf *internal.AuthConfig) (*Client, error)
 // - If the SDK was initialized with service account credentials, uses the private key present in
 // the credentials to sign tokens locally.
 // - If a service account email was specified during initialization (via firebase.Config struct),
-// calls the IAM service with that email to sign tokens remotely. See
+// calls the IAMCredentials service with that email to sign tokens remotely. See
 // https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob.
 // - If the code is deployed in the Google App Engine standard environment, uses the App Identity
 // service to sign tokens. See https://cloud.google.com/appengine/docs/standard/go/reference#SignBytes.
diff --git a/auth/token_generator.go b/auth/token_generator.go
index eaf00ae7..9d3c31d0 100644
--- a/auth/token_generator.go
+++ b/auth/token_generator.go
@@ -143,11 +143,11 @@ func (s serviceAccountSigner) Email(ctx context.Context) (string, error) {
 return s.clientEmail, nil
 }
-// iamSigner is a cryptoSigner that signs data by sending them to the remote IAMCredentials service. See
+// iamSigner is a cryptoSigner that signs data by sending them to the IAMCredentials service. See
 // https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob
 // for details regarding the REST API.
 //
-// The IAMCredentials service requires the identity of a service account. This can be specified explicitly
+// IAMCredentials requires the identity of a service account. This can be specified explicitly
 // at initialization. If not specified iamSigner attempts to discover a service account identity by
 // calling the local metadata service (works in environments like Google Compute Engine).
 type iamSigner struct {
From 262e3d5170677387be25ef7b6446e39499a4f7aa Mon Sep 17 00:00:00 2001 From: kentengjin Date: Wed, 30 Sep 2020 13:35:55 -0700 Subject: [PATCH 3/3] Fix a trailing whitespace
---
 auth/token_generator.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth/token_generator.go b/auth/token_generator.go
index 9d3c31d0..ca19892c 100644
--- a/auth/token_generator.go
+++ b/auth/token_generator.go
@@ -144,7 +144,7 @@ func (s serviceAccountSigner) Email(ctx context.Context) (string, error) {
 }
 // iamSigner is a cryptoSigner that signs data by sending them to the IAMCredentials service. See
-// https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob
+// https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob
 // for details regarding the REST API.
 //
 // IAMCredentials requires the identity of a service account. This can be specified explicitly