fix: downscope credentials used for IAM AuthN login #999

Merged
merged 15 commits into from
Nov 2, 2022

shubha-rajan
Contributor

@shubha-rajan shubha-rajan requested a review from a team September 30, 2022 16:35
@shubha-rajan
Contributor Author

Looks like the Code Coverage check wants me to add a test

@shubha-rajan shubha-rajan marked this pull request as draft September 30, 2022 16:54
@enocom
Member

enocom commented Sep 30, 2022

One option for writing a test: extract the logic here into a method that accepts a Credentials object. Then you could test what happens when that token does not support GoogleCredentials, what happens when the credentials are scoped, etc.

@@ -526,7 +528,17 @@ private Certificate fetchEphemeralCertificate(KeyPair keyPair) {
if (enableIamAuth) {
try {
credentials.get().refresh();
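
Review bot: `credentials.get().refresh();` in the `if (enableIamAuth)` branch refreshes the value returned by `credentials.get()` without keeping a reference to it, so any later use in this branch has to call `credentials.get()` again. Consider assigning the result to a local variable and calling `refresh()` on that, so it is obvious that the object refreshed here is the same one that is used afterwards.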
Contributor


Can we refresh after we downscope?

Contributor Author


Unfortunately no, we get a nullpointer if we do that.

@shubha-rajan shubha-rajan force-pushed the downscoping branch 3 times, most recently from c52260a to 53e4480 Compare October 8, 2022 01:58
@shubha-rajan shubha-rajan marked this pull request as ready for review October 10, 2022 16:16
@kurtisvg kurtisvg self-requested a review October 25, 2022 20:41
@shubha-rajan shubha-rajan added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 27, 2022
@kokoro-team kokoro-team removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 27, 2022
@shubha-rajan shubha-rajan added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 27, 2022
@kokoro-team kokoro-team removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 27, 2022
@shubha-rajan shubha-rajan force-pushed the downscoping branch 5 times, most recently from 6e24cb5 to f670014 Compare October 28, 2022 06:20
Comment on lines 530 to 531
OAuth2Credentials creds = credentials.get();
creds.refresh();
GoogleCredentials downscoped = getDownscopedCredentials(creds);
downscoped.refresh();
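
Review bot: at `creds.refresh();` followed by `downscoped.refresh();`, nothing in the code says why the source credentials must be refreshed before `getDownscopedCredentials(creds)` is called and then refreshed again afterwards. Add a short comment stating that ordering requirement, and make sure that only the token held by `downscoped` is used from this point on, since `creds` is the credential before downscoping.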
Contributor


I'd like to better understand why we need to refresh twice here?

Development

Successfully merging this pull request may close these issues.

Downscope OAuth2 token included in ephemeral certificate
4 participants