Add support for explicit java.security.Provider to ServiceAccountCred… #411
Conversation
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here with What to do if you already signed the CLAIndividual signers
Corporate signers
ℹ️ Googlers: Go here for more info. |
googlebot
added
the
cla: no
|
@googlebot I signed it! |
|
CLAs look good, thanks! ℹ️ Googlers: Go here for more info. |
googlebot
added
cla: yes
stian-svedenborg-gul-katt
force-pushed
the
explicit-provider
branch
from
7054a1a
to
2eb46f9
Compare
oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
Outdated
Show resolved
Hide resolved
oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
Show resolved
Hide resolved
| @@ -667,14 +691,8 @@ String createAssertion(JsonFactory jsonFactory, long currentTime, String audienc | |||
| payload.setAudience(audience); | |||
| } | |||
|
|
|||
| String assertion; | |||
| try { | |||
| assertion = JsonWebSignature.signUsingRsaSha256(privateKey, jsonFactory, header, payload); | |||
There was a problem hiding this comment.
Critical: I'm not sure the new code is using this algorithm. I might need to patch this into an IDE and check.
There was a problem hiding this comment.
The signing algorithm is dictated by OAuth2Utils.SIGNATURE_ALGORITHM. Which is "SHA256withRSA"
There was a problem hiding this comment.
OK. Since this is security critical code I'm going to need go over this carefully and make sure of that. It might take a little time to review, or perhaps someone else can get to this before I do.
elharo
added
kokoro:run
kokoro-team
removed
the
kokoro:run
stian-svedenborg-gul-katt
force-pushed
the
explicit-provider
branch
from
2eb46f9
to
d75519b
Compare
Codecov Report
@@ Coverage Diff @@
## master #411 +/- ##
============================================
+ Coverage 79.53% 79.66% +0.13%
- Complexity 397 399 +2
============================================
Files 27 27
Lines 1803 1810 +7
Branches 188 188
============================================
+ Hits 1434 1442 +8
+ Misses 269 268 -1
Partials 100 100
Continue to review full report at Codecov.
|
|
@elharo Comments fixed or answered. |
| byte[] signature = this.sign(signedContentBytes); | ||
| return signedContentString + "." + Base64.encodeBase64URLSafeString(signature); | ||
|
|
||
| } catch (SigningException e) { |
There was a problem hiding this comment.
Is there a reason to convert this to an IOException instead of declaring this method to throw SigningException?
There was a problem hiding this comment.
No, not really, I just kept the pattern that was there before.
SigningException is unchecked. Whilst the api for refreshAccessToken declares that it throws IOException. (I'm not sure I agree that SigningException should be unchecked, but that is outside the scope of this change).
In any case I argue that a failing signature should be handled by the calling code, and as such it should be changed to an IOException before exiting refreshAccessToken.
As to whether I should keep the conversion inside signJsonWebSignature or move it to createAssertion (and duplicate it in createAssertionForIdToken) I'll follow ruling.
There was a problem hiding this comment.
@elharo I'll await your answer on this before I reupload. (I'm I doing this correctly with the --amends by the way?)
There was a problem hiding this comment.
I honestly do not have enough git-fu to tell. Whatever you're doing seems to work fine on my end. Just commit and upload as you need to. We'll squash the commits when we merge.
| @@ -667,14 +691,8 @@ String createAssertion(JsonFactory jsonFactory, long currentTime, String audienc | |||
| payload.setAudience(audience); | |||
| } | |||
|
|
|||
| String assertion; | |||
| try { | |||
| assertion = JsonWebSignature.signUsingRsaSha256(privateKey, jsonFactory, header, payload); | |||
There was a problem hiding this comment.
OK. Since this is security critical code I'm going to need go over this carefully and make sure of that. It might take a little time to review, or perhaps someone else can get to this before I do.
oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
Show resolved
Hide resolved
oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
Outdated
Show resolved
Hide resolved
stian-svedenborg-gul-katt
force-pushed
the
explicit-provider
branch
from
d75519b
to
153f5e5
Compare
kokoro-team
removed
the
kokoro:run
oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
Outdated
Show resolved
Hide resolved
…ntCredentials This enables the storage of service account credentials in external key storage such as remote KeyVaults or HSMs.
stian-svedenborg-gul-katt
force-pushed
the
explicit-provider
branch
from
153f5e5
to
256ffef
Compare
|
@elharo Hi any chance of this one getting some love soon? :) |
…entials
This enables the storage of service account credentials in external key
storage such as remote KeyVaults or HSMs.
Fixes #410