feat: add UseJwtAccessWithScope to GoogleCredentialsProvider (#1420)
arithmetic1728 committed Aug 16, 2021
1 parent 0fe20f3 commit ed39c34693783460fc03effb47e7027914cfb5bc
@@ -34,7 +34,7 @@ version.io_grpc=1.37.0
# 2) Replace all characters which are neither alphabetic nor digits with the underscore ('_') character
maven.com_google_api_grpc_proto_google_common_protos=com.google.api.grpc:proto-google-common-protos:2.0.1
maven.com_google_api_grpc_grpc_google_common_protos=com.google.api.grpc:grpc-google-common-protos:2.0.1
maven.com_google_auth_google_auth_library_oauth2_http=com.google.auth:google-auth-library-oauth2-http:0.24.0
maven.com_google_auth_google_auth_library_oauth2_http=com.google.auth:google-auth-library-oauth2-http:0.27.0
maven.com_google_auth_google_auth_library_credentials=com.google.auth:google-auth-library-credentials:1.0.0
maven.io_opencensus_opencensus_api=io.opencensus:opencensus-api:0.28.0
maven.io_opencensus_opencensus_contrib_grpc_metrics=io.opencensus:opencensus-contrib-grpc-metrics:0.28.0
@@ -56,6 +56,9 @@ public abstract class GoogleCredentialsProvider implements CredentialsProvider {
@BetaApi
public abstract List<String> getJwtEnabledScopes();

@BetaApi
public abstract boolean getUseJwtAccessWithScope();

@VisibleForTesting
@Nullable
abstract GoogleCredentials getOAuth2Credentials();
@@ -91,12 +94,19 @@ public Credentials getCredentials() throws IOException {
if (credentials.createScopedRequired()) {
credentials = credentials.createScoped(getScopesToApply());
}

if (getUseJwtAccessWithScope() && credentials instanceof ServiceAccountCredentials) {
// See https://google.aip.dev/auth/4111 for self signed JWT.
ServiceAccountCredentials serviceAccount = (ServiceAccountCredentials) credentials;
return serviceAccount.createWithUseJwtAccessWithScope(true);
}
return credentials;
}

public static Builder newBuilder() {
return new AutoValue_GoogleCredentialsProvider.Builder()
.setJwtEnabledScopes(ImmutableList.<String>of());
.setJwtEnabledScopes(ImmutableList.<String>of())
.setUseJwtAccessWithScope(false);
}

public abstract Builder toBuilder();
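Review bot: The `credentials instanceof ServiceAccountCredentials` guard in getCredentials() means `setUseJwtAccessWithScope(true)` is silently ignored for every other credential type, and nothing in the new API tells the caller so. The abstract getter `getUseJwtAccessWithScope()` added on the provider has no Javadoc, and the Builder setter's one-line comment does not mention the restriction. I would document both, for example `/** Whether self-signed JWT with scopes is used; applies only when the resolved credentials are ServiceAccountCredentials and is ignored for any other type. */`. getCredentials() starts outside this hunk, so the precedence between this branch and the existing jwtEnabledScopes handling is not visible here and is worth stating in the same comment. Separately, `setUseJwtAccessWithScope(getUseJwtAccessWithScope());` in build() looks like a no-op for a primitive boolean, unlike the defensive list copies above it, and could be dropped.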
@@ -134,9 +144,18 @@ public abstract static class Builder {
@BetaApi
public abstract List<String> getJwtEnabledScopes();

/** Whether self signed JWT with scopes should be used for service account credentials. */
@BetaApi
public abstract Builder setUseJwtAccessWithScope(boolean val);

/** The UseJwtAccessWithScope value previously provided. */
@BetaApi
public abstract boolean getUseJwtAccessWithScope();

public GoogleCredentialsProvider build() {
setScopesToApply(ImmutableList.copyOf(getScopesToApply()));
setJwtEnabledScopes(ImmutableList.copyOf(getJwtEnabledScopes()));
setUseJwtAccessWithScope(getUseJwtAccessWithScope());
return autoBuild();
}

@@ -30,6 +30,7 @@
package com.google.api.gax.core;

import static com.google.common.truth.Truth.assertThat;
import static org.junit.Assert.assertTrue;

import com.google.auth.Credentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
@@ -43,15 +44,18 @@

@RunWith(JUnit4.class)
public class GoogleCredentialsProviderTest {
ServiceAccountCredentials CreateServiceAccountCredentials() {
return ServiceAccountCredentials.newBuilder()
.setClientId("fake-client-id")
.setClientEmail("fake@example.com")
.setPrivateKeyId("fake-private-key")
.setPrivateKey(Mockito.mock(PrivateKey.class))
.build();
}

@Test
public void serviceAccountReplacedWithJwtTokens() throws Exception {
ServiceAccountCredentials serviceAccountCredentials =
ServiceAccountCredentials.newBuilder()
.setClientId("fake-client-id")
.setClientEmail("fake@example.com")
.setPrivateKeyId("fake-private-key")
.setPrivateKey(Mockito.mock(PrivateKey.class))
.build();
ServiceAccountCredentials serviceAccountCredentials = CreateServiceAccountCredentials();

GoogleCredentialsProvider provider =
GoogleCredentialsProvider.newBuilder()
@@ -71,13 +75,7 @@ public void serviceAccountReplacedWithJwtTokens() throws Exception {

@Test
public void noJwtWithoutScopeMatch() throws Exception {
ServiceAccountCredentials serviceAccountCredentials =
ServiceAccountCredentials.newBuilder()
.setClientId("fake-client-id")
.setClientEmail("fake@example.com")
.setPrivateKeyId("fake-private-key")
.setPrivateKey(Mockito.mock(PrivateKey.class))
.build();
ServiceAccountCredentials serviceAccountCredentials = CreateServiceAccountCredentials();

GoogleCredentialsProvider provider =
GoogleCredentialsProvider.newBuilder()
@@ -100,4 +98,30 @@ public void noJwtWithoutScopeMatch() throws Exception {
.isEqualTo(serviceAccountCredentials.getPrivateKey());
assertThat(serviceAccountCredentials2.getScopes()).containsExactly("scope1", "scope2");
}

@Test
public void useJwtAccessWithScope() throws Exception {
ServiceAccountCredentials serviceAccountCredentials = CreateServiceAccountCredentials();

GoogleCredentialsProvider provider =
GoogleCredentialsProvider.newBuilder()
.setScopesToApply(ImmutableList.of("scope1", "scope2"))
.setOAuth2Credentials(serviceAccountCredentials)
.setUseJwtAccessWithScope(true)
.build();

Credentials credentials = provider.getCredentials();
assertThat(credentials).isInstanceOf(ServiceAccountCredentials.class);

ServiceAccountCredentials serviceAccountCredentials2 = (ServiceAccountCredentials) credentials;
assertThat(serviceAccountCredentials2.getClientId())
.isEqualTo(serviceAccountCredentials.getClientId());
assertThat(serviceAccountCredentials2.getClientEmail())
.isEqualTo(serviceAccountCredentials.getClientEmail());
assertThat(serviceAccountCredentials2.getPrivateKeyId())
.isEqualTo(serviceAccountCredentials.getPrivateKeyId());
assertThat(serviceAccountCredentials2.getPrivateKey())
.isEqualTo(serviceAccountCredentials.getPrivateKey());
assertTrue(serviceAccountCredentials2.getUseJwtAccessWithScope());
}
}
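Review bot: The new test useJwtAccessWithScope() sets `setScopesToApply(ImmutableList.of("scope1", "scope2"))` but never asserts that the returned credential still carries those scopes, so a regression that drops or widens them on the self-signed JWT path would pass unnoticed. The sibling test noJwtWithoutScopeMatch() already checks this, and the same line fits here: `assertThat(serviceAccountCredentials2.getScopes()).containsExactly("scope1", "scope2");`. There is also no case for the flag set to true with credentials that are not ServiceAccountCredentials, which is the branch where the flag is ignored. As a style point, the helper `CreateServiceAccountCredentials()` should be `createServiceAccountCredentials()` and could be `private static`.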
