-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow HTTP functions in firebase rules to specify audience #244
Changes from 1 commit
1c472a9
f78d039
46bb6cc
e47d0f2
aa1ddc8
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -59,11 +59,12 @@ void ServiceAccountToken::SetAudience(JWT_TOKEN_TYPE type, | |
jwt_tokens_[type].set_audience(audience); | ||
} | ||
|
||
const std::string& ServiceAccountToken::GetAuthToken(JWT_TOKEN_TYPE type) { | ||
const std::string& ServiceAccountToken::GetAuthToken(JWT_TOKEN_TYPE type, | ||
bool ignore_cache) { | ||
// Uses authentication secret if available. | ||
if (!client_auth_secret_.empty()) { | ||
GOOGLE_CHECK(type >= 0 && type < JWT_TOKEN_TYPE_MAX); | ||
if (!jwt_tokens_[type].is_valid(0)) { | ||
if (ignore_cache || !jwt_tokens_[type].is_valid(0)) { | ||
Status status = jwt_tokens_[type].GenerateJwtToken(client_auth_secret_); | ||
if (!status.ok()) { | ||
if (env_) { | ||
|
@@ -79,9 +80,9 @@ const std::string& ServiceAccountToken::GetAuthToken(JWT_TOKEN_TYPE type) { | |
} | ||
|
||
const std::string& ServiceAccountToken::GetAuthToken( | ||
JWT_TOKEN_TYPE type, const std::string& audience) { | ||
JWT_TOKEN_TYPE type, const std::string& audience, bool ignore_cache) { | ||
SetAudience(type, audience); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Token is cached, you have to clear the cache if audience is different. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I see. Thank you for pointing this out. |
||
return GetAuthToken(type); | ||
return GetAuthToken(type, ignore_cache); | ||
} | ||
|
||
Status ServiceAccountToken::JwtTokenInfo::GenerateJwtToken( | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -77,14 +77,18 @@ class ServiceAccountToken { | |
// Gets the auth token to access Google services. | ||
// If client auth secret is specified, use it to calcualte JWT token. | ||
// Otherwise, use the access token fetched from metadata server. | ||
const std::string& GetAuthToken(JWT_TOKEN_TYPE type); | ||
// If ignore_cache is true then a JWT token is regenerated even if the current | ||
// cached JWT token is valid. | ||
const std::string& GetAuthToken(JWT_TOKEN_TYPE type, | ||
bool ignore_cache = false); | ||
|
||
// Gets the auth token to access Google services. This method accepts an | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The target service does not have to be Google services. Correct? |
||
// audience parameter to set when generating JWT token. | ||
// If client auth secret is specified, use it to calcualte JWT token. | ||
// Otherwise, use the access token fetched from metadata server. | ||
const std::string& GetAuthToken(JWT_TOKEN_TYPE type, | ||
const std::string& audience); | ||
const std::string& audience, | ||
bool ignore_cache = false); | ||
|
||
private: | ||
// Stores base token info. Used for both OAuth and JWT tokens. | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -310,7 +310,8 @@ Status FirebaseRequest::SetNextRequest() { | |
auto call = *func_call_iter_; | ||
external_http_request_.url = call.args(0).string_value(); | ||
external_http_request_.method = call.args(1).string_value(); | ||
external_http_request_.audience = call.args(call.args_size()-1).string_value(); | ||
external_http_request_.audience = | ||
call.args(call.args_size() - 1).string_value(); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. "audience" is an optional field here. For datastore, we provide a default audience if not specified. How do you handle the case that "audience" field is provided by in the rules for datastore? Do you overwrite the audience field with the default datastore audience? How do you handle the case that "audience" is not provided? What is the default audience? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It is not optional right now since there is no default behavior implemented right now. There is no default audience being specified at all. |
||
std::string body; | ||
status = | ||
utils::ProtoToJson(call.args(2), &body, utils::JsonOptions::DEFAULT); | ||
|
@@ -354,11 +355,12 @@ Status FirebaseRequest::CheckFuncCallArgs(const FunctionCall &func) { | |
std::string(func.function() + " Arguments 1 and 2 should be strings")); | ||
} | ||
|
||
if (func.args(func.args_size()-1).kind_case() != google::protobuf::Value::kStringValue) { | ||
if (func.args(func.args_size() - 1).kind_case() != | ||
google::protobuf::Value::kStringValue) { | ||
return Status( | ||
Code::INVALID_ARGUMENT, | ||
std::string(func.function() + "The last argument should be a string" | ||
"that specifies audience")); | ||
"that specifies audience")); | ||
} | ||
|
||
if (!utils::IsHttpRequest(func.args(0).string_value())) { | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is better to compare the new audience with old audience, if diff, wipe out the cache.