Skip to content
Permalink
Browse files
feat: allow set lifetime for service account creds (#516)
* feat: allow set lifetime for service account creds

* update

* update name

* update

* update

* change lifetime 0 to default

* update

* update

Co-authored-by: Jeff Ching <chingor@google.com>
  • Loading branch information
arithmetic1728 and chingor13 committed Jan 12, 2021
1 parent af21727 commit 427f2d5610f0e8184a21b24531d2549a68c0b546
@@ -93,6 +93,8 @@ public class ServiceAccountCredentials extends GoogleCredentials
private static final long serialVersionUID = 7807543542681217978L;
private static final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
private static final int TWELVE_HOURS_IN_SECONDS = 43200;
private static final int DEFAULT_LIFETIME_IN_SECONDS = 3600;

private final String clientId;
private final String clientEmail;
@@ -104,6 +106,7 @@ public class ServiceAccountCredentials extends GoogleCredentials
private final URI tokenServerUri;
private final Collection<String> scopes;
private final String quotaProjectId;
private final int lifetime;

private transient HttpTransportFactory transportFactory;

@@ -123,6 +126,10 @@ public class ServiceAccountCredentials extends GoogleCredentials
* authority to the service account.
* @param projectId the project used for billing
* @param quotaProjectId The project used for quota and billing purposes. May be null.
* @param lifetime number of seconds the access token should be valid for. The value should be at
* most 43200 (12 hours). If the token is used for calling a Google API, then the value should
* be at most 3600 (1 hour). If the given value is 0, then the default value 3600 will be used
* when creating the credentials.
*/
ServiceAccountCredentials(
String clientId,
@@ -134,7 +141,8 @@ public class ServiceAccountCredentials extends GoogleCredentials
URI tokenServerUri,
String serviceAccountUser,
String projectId,
String quotaProjectId) {
String quotaProjectId,
int lifetime) {
this.clientId = clientId;
this.clientEmail = Preconditions.checkNotNull(clientEmail);
this.privateKey = Preconditions.checkNotNull(privateKey);
@@ -149,6 +157,10 @@ public class ServiceAccountCredentials extends GoogleCredentials
this.serviceAccountUser = serviceAccountUser;
this.projectId = projectId;
this.quotaProjectId = quotaProjectId;
if (lifetime > TWELVE_HOURS_IN_SECONDS) {
throw new IllegalStateException("lifetime must be less than or equal to 43200");
}
this.lifetime = lifetime;
}

/**
@@ -325,7 +337,8 @@ static ServiceAccountCredentials fromPkcs8(
tokenServerUri,
serviceAccountUser,
projectId,
quotaProject);
quotaProject,
DEFAULT_LIFETIME_IN_SECONDS);
}

/** Helper to convert from a PKCS#8 String to an RSA private key */
@@ -513,7 +526,21 @@ public GoogleCredentials createScoped(Collection<String> newScopes) {
tokenServerUri,
serviceAccountUser,
projectId,
quotaProjectId);
quotaProjectId,
lifetime);
}

/**
* Clones the service account with a new lifetime value.
*
* @param lifetime life time value in seconds. The value should be at most 43200 (12 hours). If
* the token is used for calling a Google API, then the value should be at most 3600 (1 hour).
* If the given value is 0, then the default value 3600 will be used when creating the
* credentials.
* @return the cloned service account credentials with the given custom life time
*/
public ServiceAccountCredentials createWithCustomLifetime(int lifetime) {
return this.toBuilder().setLifetime(lifetime).build();
}

@Override
@@ -528,7 +555,8 @@ public GoogleCredentials createDelegated(String user) {
tokenServerUri,
user,
projectId,
quotaProjectId);
quotaProjectId,
lifetime);
}

public final String getClientId() {
@@ -563,6 +591,11 @@ public final URI getTokenServerUri() {
return tokenServerUri;
}

@VisibleForTesting
int getLifetime() {
return lifetime;
}

@Override
public String getAccount() {
return getClientEmail();
@@ -618,7 +651,8 @@ public int hashCode() {
transportFactoryClassName,
tokenServerUri,
scopes,
quotaProjectId);
quotaProjectId,
lifetime);
}

@Override
@@ -632,6 +666,7 @@ public String toString() {
.add("scopes", scopes)
.add("serviceAccountUser", serviceAccountUser)
.add("quotaProjectId", quotaProjectId)
.add("lifetime", lifetime)
.toString();
}

@@ -648,7 +683,8 @@ public boolean equals(Object obj) {
&& Objects.equals(this.transportFactoryClassName, other.transportFactoryClassName)
&& Objects.equals(this.tokenServerUri, other.tokenServerUri)
&& Objects.equals(this.scopes, other.scopes)
&& Objects.equals(this.quotaProjectId, other.quotaProjectId);
&& Objects.equals(this.quotaProjectId, other.quotaProjectId)
&& Objects.equals(this.lifetime, other.lifetime);
}

String createAssertion(JsonFactory jsonFactory, long currentTime, String audience)
@@ -661,7 +697,7 @@ String createAssertion(JsonFactory jsonFactory, long currentTime, String audienc
JsonWebToken.Payload payload = new JsonWebToken.Payload();
payload.setIssuer(clientEmail);
payload.setIssuedAtTimeSeconds(currentTime / 1000);
payload.setExpirationTimeSeconds(currentTime / 1000 + 3600);
payload.setExpirationTimeSeconds(currentTime / 1000 + this.lifetime);
payload.setSubject(serviceAccountUser);
payload.put("scope", Joiner.on(' ').join(scopes));

@@ -693,7 +729,7 @@ String createAssertionForIdToken(
JsonWebToken.Payload payload = new JsonWebToken.Payload();
payload.setIssuer(clientEmail);
payload.setIssuedAtTimeSeconds(currentTime / 1000);
payload.setExpirationTimeSeconds(currentTime / 1000 + 3600);
payload.setExpirationTimeSeconds(currentTime / 1000 + this.lifetime);
payload.setSubject(serviceAccountUser);

if (audience == null) {
@@ -746,6 +782,7 @@ public static class Builder extends GoogleCredentials.Builder {
private Collection<String> scopes;
private HttpTransportFactory transportFactory;
private String quotaProjectId;
private int lifetime = DEFAULT_LIFETIME_IN_SECONDS;

protected Builder() {}

@@ -760,6 +797,7 @@ protected Builder(ServiceAccountCredentials credentials) {
this.serviceAccountUser = credentials.serviceAccountUser;
this.projectId = credentials.projectId;
this.quotaProjectId = credentials.quotaProjectId;
this.lifetime = credentials.lifetime;
}

public Builder setClientId(String clientId) {
@@ -812,6 +850,11 @@ public Builder setQuotaProjectId(String quotaProjectId) {
return this;
}

public Builder setLifetime(int lifetime) {
this.lifetime = lifetime == 0 ? DEFAULT_LIFETIME_IN_SECONDS : lifetime;
return this;
}

public String getClientId() {
return clientId;
}
@@ -852,6 +895,10 @@ public String getQuotaProjectId() {
return quotaProjectId;
}

public int getLifetime() {
return lifetime;
}

public ServiceAccountCredentials build() {
return new ServiceAccountCredentials(
clientId,
@@ -863,7 +910,8 @@ public ServiceAccountCredentials build() {
tokenServerUri,
serviceAccountUser,
projectId,
quotaProjectId);
quotaProjectId,
lifetime);
}
}
}
@@ -111,6 +111,54 @@ public class ServiceAccountCredentialsTest extends BaseSerializationTest {
+ "aXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTAyMTAxNTUwODM0MjAwNzA4NTY4In0"
+ ".redacted";
private static final String QUOTA_PROJECT = "sample-quota-project-id";
private static final int DEFAULT_LIFETIME_IN_SECONDS = 3600;
private static final int INVALID_LIFETIME = 43210;

private ServiceAccountCredentials.Builder createDefaultBuilder() throws IOException {
PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8);
return ServiceAccountCredentials.newBuilder()
.setClientId(CLIENT_ID)
.setClientEmail(CLIENT_EMAIL)
.setPrivateKey(privateKey)
.setPrivateKeyId(PRIVATE_KEY_ID)
.setScopes(SCOPES)
.setServiceAccountUser(USER)
.setProjectId(PROJECT_ID);
}

@Test
public void setLifetime() throws IOException {
ServiceAccountCredentials.Builder builder = createDefaultBuilder();
assertEquals(DEFAULT_LIFETIME_IN_SECONDS, builder.getLifetime());
assertEquals(DEFAULT_LIFETIME_IN_SECONDS, builder.build().getLifetime());

builder.setLifetime(4000);
assertEquals(4000, builder.getLifetime());
assertEquals(4000, builder.build().getLifetime());

builder.setLifetime(0);
assertEquals(DEFAULT_LIFETIME_IN_SECONDS, builder.build().getLifetime());
}

@Test
public void setLifetime_invalid_lifetime() throws IOException, IllegalStateException {
try {
createDefaultBuilder().setLifetime(INVALID_LIFETIME).build();
fail(
String.format(
"Should throw exception with message containing '%s'",
"lifetime must be less than or equal to 43200"));
} catch (IllegalStateException expected) {
assertTrue(expected.getMessage().contains("lifetime must be less than or equal to 43200"));
}
}

@Test
public void createWithCustomLifetime() throws IOException {
ServiceAccountCredentials credentials = createDefaultBuilder().build();
credentials = credentials.createWithCustomLifetime(4000);
assertEquals(4000, credentials.getLifetime());
}

@Test
public void createdScoped_clones() throws IOException {
@@ -202,6 +250,19 @@ public void createAssertion_correct() throws IOException {
assertEquals(Joiner.on(' ').join(scopes), payload.get("scope"));
}

@Test
public void createAssertion_custom_lifetime() throws IOException {
ServiceAccountCredentials credentials = createDefaultBuilder().setLifetime(4000).build();

JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
long currentTimeMillis = Clock.SYSTEM.currentTimeMillis();
String assertion = credentials.createAssertion(jsonFactory, currentTimeMillis, null);

JsonWebSignature signature = JsonWebSignature.parse(jsonFactory, assertion);
JsonWebToken.Payload payload = signature.getPayload();
assertEquals(currentTimeMillis / 1000 + 4000, (long) payload.getExpirationTimeSeconds());
}

@Test
public void createAssertionForIdToken_correct() throws IOException {

@@ -231,6 +292,22 @@ public void createAssertionForIdToken_correct() throws IOException {
assertEquals(USER, payload.getSubject());
}

@Test
public void createAssertionForIdToken_custom_lifetime() throws IOException {

ServiceAccountCredentials credentials = createDefaultBuilder().setLifetime(4000).build();

JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
long currentTimeMillis = Clock.SYSTEM.currentTimeMillis();
String assertion =
credentials.createAssertionForIdToken(
jsonFactory, currentTimeMillis, null, "https://foo.com/bar");

JsonWebSignature signature = JsonWebSignature.parse(jsonFactory, assertion);
JsonWebToken.Payload payload = signature.getPayload();
assertEquals(currentTimeMillis / 1000 + 4000, (long) payload.getExpirationTimeSeconds());
}

@Test
public void createAssertionForIdToken_incorrect() throws IOException {

@@ -904,7 +981,7 @@ public void toString_containsFields() throws IOException {
String.format(
"ServiceAccountCredentials{clientId=%s, clientEmail=%s, privateKeyId=%s, "
+ "transportFactoryClassName=%s, tokenServerUri=%s, scopes=%s, serviceAccountUser=%s, "
+ "quotaProjectId=%s}",
+ "quotaProjectId=%s, lifetime=3600}",
CLIENT_ID,
CLIENT_EMAIL,
PRIVATE_KEY_ID,

0 comments on commit 427f2d5

Please sign in to comment.