auth: verify information in decoded JWT token instead of comparing hashing values, which involves creds issue and expiration time. (#6137)

2019-09-10 11:09:36 -07:00 · 2019-09-10 11:09:36 -07:00 · 252ca2a7df
parent e866d3539c
commit 252ca2a7df
3 changed files with 14 additions and 17 deletions
--- a/auth/build.gradle
+++ b/auth/build.gradle
@ -3,7 +3,8 @@ dependencies {
    compile project(':grpc-api'),
            libraries.google_auth_credentials
    testCompile project(':grpc-testing'),
-            libraries.google_auth_oauth2_http
+            libraries.google_auth_oauth2_http,
+            libraries.jwt
    signature "org.codehaus.mojo.signature:java17:1.0@signature"
    signature "net.sf.androidscents.signature:android-api-level-14:4.0_r4@signature"
 }
--- a/auth/src/test/java/io/grpc/auth/GoogleAuthLibraryCallCredentialsTest.java
+++ b/auth/src/test/java/io/grpc/auth/GoogleAuthLibraryCallCredentialsTest.java
@ -28,13 +28,14 @@ import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;

+import com.auth0.jwt.JWT;
+import com.auth0.jwt.interfaces.DecodedJWT;
 import com.google.auth.Credentials;
 import com.google.auth.RequestMetadataCallback;
 import com.google.auth.oauth2.AccessToken;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.auth.oauth2.OAuth2Credentials;
 import com.google.auth.oauth2.ServiceAccountCredentials;
-import com.google.auth.oauth2.ServiceAccountJwtAccessCredentials;
 import com.google.common.collect.Iterables;
 import com.google.common.collect.LinkedListMultimap;
 import com.google.common.collect.ListMultimap;
@ -42,7 +43,6 @@ import com.google.common.collect.Multimaps;
 import io.grpc.Attributes;
 import io.grpc.CallCredentials;
 import io.grpc.CallCredentials.MetadataApplier;
-import io.grpc.CallCredentials.RequestInfo;
 import io.grpc.Metadata;
 import io.grpc.MethodDescriptor;
 import io.grpc.SecurityLevel;
@ -393,17 +393,6 @@ public class GoogleAuthLibraryCallCredentialsTest {
  @Test
  public void jwtAccessCredentialsInRequestMetadata() throws Exception {
    KeyPair pair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
-    RequestInfo requestInfo = new RequestInfoImpl("example.com:123");
-
-    ServiceAccountJwtAccessCredentials jwtCreds =
-        ServiceAccountJwtAccessCredentials.newBuilder()
-            .setClientId("test-client")
-            .setClientEmail("test-email@example.com")
-            .setPrivateKey(pair.getPrivate())
-            .setPrivateKeyId("test-private-key-id")
-            .build();
-    List<String> expectedAuthMetadata = jwtCreds
-        .getRequestMetadata(new URI("https://example.com:123/a.service")).get("Authorization");

    ServiceAccountCredentials credentials =
        ServiceAccountCredentials.newBuilder()
@ -414,12 +403,18 @@ public class GoogleAuthLibraryCallCredentialsTest {
            .build();
    GoogleAuthLibraryCallCredentials callCredentials =
        new GoogleAuthLibraryCallCredentials(credentials);
-    callCredentials.applyRequestMetadata(requestInfo, executor, applier);
+    callCredentials.applyRequestMetadata(new RequestInfoImpl("example.com:123"), executor, applier);

    verify(applier).apply(headersCaptor.capture());
    Metadata headers = headersCaptor.getValue();
-    assertArrayEquals(Iterables.toArray(expectedAuthMetadata, String.class),
-        Iterables.toArray(headers.getAll(AUTHORIZATION), String.class));
+    String token =
+        Iterables.getOnlyElement(headers.getAll(AUTHORIZATION)).substring("Bearer".length());
+    DecodedJWT decoded = JWT.decode(token);
+    assertEquals("test-private-key-id", decoded.getKeyId());
+    assertEquals("https://example.com:123/a.service",
+        Iterables.getOnlyElement(decoded.getAudience()));
+    assertEquals("test-email@example.com", decoded.getIssuer());
+    assertEquals("test-email@example.com", decoded.getSubject());
  }

  private int runPendingRunnables() {
--- a/build.gradle
+++ b/build.gradle
@ -191,6 +191,7 @@ subprojects {
            hpack: 'com.twitter:hpack:0.10.1',
            javax_annotation: 'javax.annotation:javax.annotation-api:1.2',
            jsr305: 'com.google.code.findbugs:jsr305:3.0.2',
+            jwt: 'com.auth0:java-jwt:3.8.2',
            google_api_protos: 'com.google.api.grpc:proto-google-common-protos:1.12.0',
            google_auth_credentials: "com.google.auth:google-auth-library-credentials:${googleauthVersion}",
            google_auth_oauth2_http: "com.google.auth:google-auth-library-oauth2-http:${googleauthVersion}",