public ContainerRegistryAuthSupplier build() { final GoogleCredentials credentials = this.credentials.createScoped(scopes); // log some sort of identifier for the credentials, which requires looking at the // instance type if (credentials instanceof ServiceAccountCredentials) { final String clientEmail = ((ServiceAccountCredentials) credentials).getClientEmail(); log.info("loaded credentials for service account with clientEmail={}", clientEmail); } else if (credentials instanceof UserCredentials) { final String clientId = ((UserCredentials) credentials).getClientId(); log.info("loaded credentials for user account with clientId={}", clientId); } final Clock clock = Clock.systemDefaultZone(); final DefaultCredentialRefresher refresher = new DefaultCredentialRefresher(); return new ContainerRegistryAuthSupplier(credentials, clock, minimumExpiryMillis, refresher); } }
private static String getSignedJwt(ServiceAccountCredentials credentials, String iapClientId) throws Exception { Instant now = Instant.now(clock); long expirationTime = now.getEpochSecond() + EXPIRATION_TIME_IN_SECONDS; // generate jwt signed by service account // header must contain algorithm ("alg") and key ID ("kid") JWSHeader jwsHeader = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(credentials.getPrivateKeyId()).build(); // set required claims JWTClaimsSet claims = new JWTClaimsSet.Builder() .audience(OAUTH_TOKEN_URI) .issuer(credentials.getClientEmail()) .subject(credentials.getClientEmail()) .issueTime(Date.from(now)) .expirationTime(Date.from(Instant.ofEpochSecond(expirationTime))) .claim("target_audience", iapClientId) .build(); // sign using service account private key JWSSigner signer = new RSASSASigner(credentials.getPrivateKey()); SignedJWT signedJwt = new SignedJWT(jwsHeader, claims); signedJwt.sign(signer); return signedJwt.serialize(); }
@Override public String getAccount() { return getClientEmail(); }
@Override public String getAccount() { return getClientEmail(); }
+ iapClientId + "with issuer : " + credentials.getClientEmail());
ServiceAccountAuthCredentials(ServiceAccountCredentials credentials) { this.credentials = checkNotNull(credentials); this.account = checkNotNull(credentials.getClientEmail()); this.privateKey = checkNotNull(credentials.getPrivateKey()); }
/** * Creates Service Account Credentials given a stream for credentials in JSON format. * * <p>For details on how to obtain Service Account Credentials in JSON format see * <a href="https://cloud.google.com/storage/docs/authentication?hl=en#service_accounts">Service * Account Authentication</a>. * </p> * * @param jsonCredentialStream stream for Service Account Credentials in JSON format * @return the credentials instance * @throws IOException if the credentials cannot be created from the stream */ public static ServiceAccountAuthCredentials createForJson(InputStream jsonCredentialStream) throws IOException { GoogleCredentials tempCredentials = GoogleCredentials.fromStream(jsonCredentialStream); if (tempCredentials instanceof ServiceAccountCredentials) { ServiceAccountCredentials tempServiceAccountCredentials = (ServiceAccountCredentials) tempCredentials; return new ServiceAccountAuthCredentials( tempServiceAccountCredentials.getClientEmail(), tempServiceAccountCredentials.getPrivateKey()); } throw new IOException( "The given JSON Credentials Stream is not for a service account credential."); } }
String signature = URLEncoder.encode(BaseEncoding.base64().encode(signer.sign()), UTF_8.name()); stBuilder.append("?GoogleAccessId=").append(cred.getClientEmail()); stBuilder.append("&Expires=").append(expiration); stBuilder.append("&Signature=").append(signature);
+ ((ServiceAccountCredentials) credentials).getClientEmail());
+ ((ServiceAccountCredentials) credentials).getClientEmail());
private static Credentials getJwtToken(ServiceAccountCredentials serviceAccount) { return ServiceAccountJwtAccessCredentials.newBuilder() .setClientEmail(serviceAccount.getClientEmail()) .setClientId(serviceAccount.getClientId()) .setPrivateKey(serviceAccount.getPrivateKey()) .setPrivateKeyId(serviceAccount.getPrivateKeyId()) .build(); } }
@Override public Credentials getCredentials() throws IOException { GoogleCredentials credentials = GoogleCredentials.getApplicationDefault(); // Check if the current scopes permit JWT token use boolean hasJwtEnabledScope = false; for (String scope : getJwtEnabledScopes()) { if (getScopesToApply().contains(scope)) { hasJwtEnabledScope = true; break; } } // Use JWT tokens when using a service account with an appropriate scope. if (credentials instanceof ServiceAccountCredentials && hasJwtEnabledScope) { ServiceAccountCredentials serviceAccount = (ServiceAccountCredentials) credentials; return ServiceAccountJwtAccessCredentials.newBuilder() .setClientEmail(serviceAccount.getClientEmail()) .setClientId(serviceAccount.getClientId()) .setPrivateKey(serviceAccount.getPrivateKey()) .setPrivateKeyId(serviceAccount.getPrivateKeyId()) .build(); } if (credentials.createScopedRequired()) { credentials = credentials.createScoped(getScopesToApply()); } return credentials; }
assertThat(serviceAccountCredentials2.getClientId()) .isEqualTo(serviceAccountCredentials.getClientId()); assertThat(serviceAccountCredentials2.getClientEmail()) .isEqualTo(serviceAccountCredentials.getClientEmail()); assertThat(serviceAccountCredentials2.getPrivateKeyId()) .isEqualTo(serviceAccountCredentials.getPrivateKeyId());
@Override public Credentials getCredentials() throws IOException { GoogleCredentials credentials = GoogleCredentials.getApplicationDefault(); // Check if the current scopes permit JWT token use boolean hasJwtEnabledScope = false; for (String scope : getJwtEnabledScopes()) { if (getScopesToApply().contains(scope)) { hasJwtEnabledScope = true; break; } } // Use JWT tokens when using a service account with an appropriate scope. if (credentials instanceof ServiceAccountCredentials && hasJwtEnabledScope) { ServiceAccountCredentials serviceAccount = (ServiceAccountCredentials) credentials; return ServiceAccountJwtAccessCredentials.newBuilder() .setClientEmail(serviceAccount.getClientEmail()) .setClientId(serviceAccount.getClientId()) .setPrivateKey(serviceAccount.getPrivateKey()) .setPrivateKeyId(serviceAccount.getPrivateKeyId()) .build(); } if (credentials.createScopedRequired()) { credentials = credentials.createScoped(getScopesToApply()); } return credentials; }
@Test public void serviceAccountReplacedWithJwtTokens() throws Exception { ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.newBuilder() .setClientId("fake-client-id") .setClientEmail("fake@example.com") .setPrivateKeyId("fake-private-key") .setPrivateKey(Mockito.mock(PrivateKey.class)) .build(); PowerMockito.mockStatic(GoogleCredentials.class); Mockito.when(GoogleCredentials.getApplicationDefault()).thenReturn(serviceAccountCredentials); GoogleCredentialsProvider provider = GoogleCredentialsProvider.newBuilder() .setScopesToApply(ImmutableList.of("scope1", "scope2")) .setJwtEnabledScopes(ImmutableList.of("scope1")) .build(); Credentials credentials = provider.getCredentials(); assertThat(credentials).isInstanceOf(ServiceAccountJwtAccessCredentials.class); ServiceAccountJwtAccessCredentials jwtCreds = (ServiceAccountJwtAccessCredentials) credentials; assertThat(jwtCreds.getClientId()).isEqualTo(serviceAccountCredentials.getClientId()); assertThat(jwtCreds.getClientEmail()).isEqualTo(serviceAccountCredentials.getClientEmail()); assertThat(jwtCreds.getPrivateKeyId()).isEqualTo(serviceAccountCredentials.getPrivateKeyId()); assertThat(jwtCreds.getPrivateKey()).isEqualTo(serviceAccountCredentials.getPrivateKey()); }
@Test public void createdScoped_clones() throws IOException { PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8); GoogleCredentials credentials = ServiceAccountCredentials.newBuilder() .setClientId(SA_CLIENT_ID) .setClientEmail(SA_CLIENT_EMAIL) .setPrivateKey(privateKey) .setPrivateKeyId(SA_PRIVATE_KEY_ID) .setScopes(SCOPES) .setServiceAccountUser(SERVICE_ACCOUNT_USER) .setProjectId(PROJECT_ID) .build(); List<String> newScopes = Arrays.asList("scope1", "scope2"); ServiceAccountCredentials newCredentials = (ServiceAccountCredentials) credentials.createScoped(newScopes); assertEquals(SA_CLIENT_ID, newCredentials.getClientId()); assertEquals(SA_CLIENT_EMAIL, newCredentials.getClientEmail()); assertEquals(privateKey, newCredentials.getPrivateKey()); assertEquals(SA_PRIVATE_KEY_ID, newCredentials.getPrivateKeyId()); assertArrayEquals(newScopes.toArray(), newCredentials.getScopes().toArray()); assertEquals(SERVICE_ACCOUNT_USER, newCredentials.getServiceAccountUser()); assertEquals(PROJECT_ID, newCredentials.getProjectId()); assertArrayEquals(SCOPES.toArray(), ((ServiceAccountCredentials)credentials).getScopes().toArray()); }
@Test public void createdDelegated_clones() throws IOException { PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8); ServiceAccountCredentials credentials = ServiceAccountCredentials.newBuilder() .setClientId(SA_CLIENT_ID) .setClientEmail(SA_CLIENT_EMAIL) .setPrivateKey(privateKey) .setPrivateKeyId(SA_PRIVATE_KEY_ID) .setScopes(SCOPES) .setServiceAccountUser(SERVICE_ACCOUNT_USER) .setProjectId(PROJECT_ID) .build(); String newServiceAccountUser = "stranger@other.org"; ServiceAccountCredentials newCredentials = (ServiceAccountCredentials) credentials.createDelegated(newServiceAccountUser); assertEquals(SA_CLIENT_ID, newCredentials.getClientId()); assertEquals(SA_CLIENT_EMAIL, newCredentials.getClientEmail()); assertEquals(privateKey, newCredentials.getPrivateKey()); assertEquals(SA_PRIVATE_KEY_ID, newCredentials.getPrivateKeyId()); assertArrayEquals(SCOPES.toArray(), newCredentials.getScopes().toArray()); assertEquals(newServiceAccountUser, newCredentials.getServiceAccountUser()); assertEquals(PROJECT_ID, newCredentials.getProjectId()); assertEquals(SERVICE_ACCOUNT_USER, ((ServiceAccountCredentials)credentials).getServiceAccountUser()); }