Enable ESP to invoke Firebase Security rules. (#54)

* Enable ESP to invoke Firebase Security rules. * Address code review comments. * Remove some debug logs * Add proto file to capture TestRulesetRequest. * clang-format files * Resolve a merge issue with previous commit * Allow security rules to disabled via serverconfig * format file * Addressed Wayne's review comments. * Add firebase server to Server Config. * Address Lizan's review comments * Address review comments. * Disable check rules service by default. * Address more review comments. * Fix a check. * Delete unwanted constant. * Address Wayne's comments and add a simple config test. * Address a review comment. * Add negative test case for config * Address code review * Remove unwanted const std::string
istio · Feb 2, 2017 · df8c69c · df8c69c
1 parent fe30dc1
commit df8c69c
Show file tree

Hide file tree

Showing 14 changed files with 462 additions and 46 deletions.
diff --git a/contrib/endpoints/src/api_manager/BUILD b/contrib/endpoints/src/api_manager/BUILD
@@ -38,6 +38,19 @@ cc_proto_library(
     visibility = ["//visibility:public"],
 )
 
+cc_proto_library(
+    name = "security_rules_proto",
+    srcs = [
+        "proto/security_rules.proto",
+    ],
+    default_runtime = "//external:protobuf",
+    protoc = "//external:protoc",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//external:cc_wkt_protos",
+    ],
+)
+
 cc_library(
     name = "auth_headers",
     hdrs = [
@@ -99,6 +112,7 @@ cc_library(
         ":auth_headers",
         ":impl_headers",
         ":server_config_proto",
+        ":security_rules_proto",
         "//contrib/endpoints/src/api_manager/auth",
         "//contrib/endpoints/src/api_manager/cloud_trace",
         "//contrib/endpoints/src/api_manager/context",

diff --git a/contrib/endpoints/src/api_manager/auth.h b/contrib/endpoints/src/api_manager/auth.h
@@ -40,6 +40,8 @@ struct UserInfo {
   // Authorized party of the incoming JWT.
   // See http://openid.net/specs/openid-connect-core-1_0.html#IDToken
   std::string authorized_party;
+  // String of claims
+  std::string claims;
 
   // Returns audiences as a comma separated strings.
   std::string AudiencesAsString() const {

diff --git a/contrib/endpoints/src/api_manager/auth/lib/auth_jwt_validator.cc b/contrib/endpoints/src/api_manager/auth/lib/auth_jwt_validator.cc
@@ -699,12 +699,19 @@ grpc_jwt_verifier_status JwtValidatorImpl::FillUserInfoAndSetExp(
 
   // Optional field.
   const grpc_json *grpc_json = grpc_jwt_claims_json(claims_);
+
+  char *json_str =
+      grpc_json_dump_to_string(const_cast<::grpc_json *>(grpc_json), 0);
+  if (json_str != nullptr) {
+    user_info->claims = json_str;
+    gpr_free(json_str);
+  }
+
   const char *email = GetStringValue(grpc_json, "email");
   user_info->email = email == nullptr ? "" : email;
   const char *authorized_party = GetStringValue(grpc_json, "azp");
   user_info->authorized_party =
       authorized_party == nullptr ? "" : authorized_party;
-
   exp_ = system_clock::from_time_t(grpc_jwt_claims_expires_at(claims_).tv_sec);
 
   return GRPC_JWT_VERIFIER_OK;

diff --git a/contrib/endpoints/src/api_manager/auth/service_account_token.h b/contrib/endpoints/src/api_manager/auth/service_account_token.h
@@ -64,6 +64,7 @@ class ServiceAccountToken {
   enum JWT_TOKEN_TYPE {
     JWT_TOKEN_FOR_SERVICE_CONTROL = 0,
     JWT_TOKEN_FOR_CLOUD_TRACING,
+    JWT_TOKEN_FOR_FIREBASE,
     JWT_TOKEN_TYPE_MAX,
   };
   // Set audience.  Only calcualtes JWT token with specified audience.

diff --git a/contrib/endpoints/src/api_manager/check_auth.cc b/contrib/endpoints/src/api_manager/check_auth.cc
@@ -243,6 +243,8 @@ void AuthChecker::CheckAudience(bool cache_hit) {
   context_->set_auth_audience(audience);
   context_->set_auth_authorized_party(user_info_.authorized_party);
 
+  context_->set_auth_claims(user_info_.claims);
+
   // Remove http/s header and trailing '/' for issuer.
   std::string issuer = utils::GetUrlContent(user_info_.issuer);
   if (!context_->method()->isIssuerAllowed(issuer)) {