Skip to content

Commit

Permalink
Fix: Make derived classes of CredentialSource public (#1236)
Browse files Browse the repository at this point in the history
* fix: Make derived classes of Credential Source public

* fix: Lint

* move nested public class outside

* make CredentialSource public

* Rename CredentialSource to ExternalAccountCredentialSource

* fix format

* Move ExternalAccountCredentialSource back to ExternalAccountCredential

* Fix comment

* optimize imports

* chore(deps): update dependency com.google.auto.service:auto-service-annotations to v1.1.1 (#1253)

Co-authored-by: Lawrence Qiu <lqiu96@gmail.com>

---------

Co-authored-by: aeitzman <12433791+aeitzman@users.noreply.github.com>
Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com>
Co-authored-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Lawrence Qiu <lqiu96@gmail.com>
  • Loading branch information
5 people authored Jul 25, 2023
1 parent b081ebb commit 9bb9e0a
Show file tree
Hide file tree
Showing 11 changed files with 370 additions and 279 deletions.
98 changes: 98 additions & 0 deletions oauth2_http/java/com/google/auth/oauth2/AwsCredentialSource.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
/*
* Copyright 2023 Google LLC
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.
*
* * Neither the name of Google LLC nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

package com.google.auth.oauth2;

import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** The AWS credential source. Stores data required to retrieve the AWS credential. */
public class AwsCredentialSource extends ExternalAccountCredentials.CredentialSource {

static final String IMDSV2_SESSION_TOKEN_URL_FIELD_NAME = "imdsv2_session_token_url";
static final long serialVersionUID = -4180558200808134436L;

final String regionUrl;
final String url;
final String regionalCredentialVerificationUrl;
final String imdsv2SessionTokenUrl;

/**
* The source of the AWS credential. The credential source map must contain the
* `regional_cred_verification_url` field.
*
* <p>The `regional_cred_verification_url` is the regional GetCallerIdentity action URL, used to
* determine the account ID and its roles.
*
* <p>The `environment_id` is the environment identifier, in the format “aws${version}”. This
* indicates whether breaking changes were introduced to the underlying AWS implementation.
*
* <p>The `region_url` identifies the targeted region. Optional.
*
* <p>The `url` locates the metadata server used to retrieve the AWS credentials. Optional.
*/
public AwsCredentialSource(Map<String, Object> credentialSourceMap) {
super(credentialSourceMap);
if (!credentialSourceMap.containsKey("regional_cred_verification_url")) {
throw new IllegalArgumentException(
"A regional_cred_verification_url representing the"
+ " GetCallerIdentity action URL must be specified.");
}

String environmentId = (String) credentialSourceMap.get("environment_id");

// Environment version is prefixed by "aws". e.g. "aws1".
Matcher matcher = Pattern.compile("(aws)([\\d]+)").matcher(environmentId);
if (!matcher.matches()) {
throw new IllegalArgumentException("Invalid AWS environment ID.");
}

int environmentVersion = Integer.parseInt(matcher.group(2));
if (environmentVersion != 1) {
throw new IllegalArgumentException(
String.format(
"AWS version %s is not supported in the current build.", environmentVersion));
}

this.regionUrl = (String) credentialSourceMap.get("region_url");
this.url = (String) credentialSourceMap.get("url");
this.regionalCredentialVerificationUrl =
(String) credentialSourceMap.get("regional_cred_verification_url");

if (credentialSourceMap.containsKey(IMDSV2_SESSION_TOKEN_URL_FIELD_NAME)) {
this.imdsv2SessionTokenUrl =
(String) credentialSourceMap.get(IMDSV2_SESSION_TOKEN_URL_FIELD_NAME);
} else {
this.imdsv2SessionTokenUrl = null;
}
}
}
67 changes: 0 additions & 67 deletions oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java
Original file line number Diff line number Diff line change
Expand Up @@ -50,8 +50,6 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nullable;

/**
Expand All @@ -73,71 +71,6 @@ public class AwsCredentials extends ExternalAccountCredentials {
static final String AWS_IMDSV2_SESSION_TOKEN_TTL = "300";
private static final long serialVersionUID = -3670131891574618105L;

/**
* The AWS credential source. Stores data required to retrieve the AWS credential from the AWS
* metadata server.
*/
static class AwsCredentialSource extends CredentialSource {

private static final String IMDSV2_SESSION_TOKEN_URL_FIELD_NAME = "imdsv2_session_token_url";
private static final long serialVersionUID = -4180558200808134436L;

private final String regionUrl;
private final String url;
private final String regionalCredentialVerificationUrl;
private final String imdsv2SessionTokenUrl;

/**
* The source of the AWS credential. The credential source map must contain the
* `regional_cred_verification_url` field.
*
* <p>The `regional_cred_verification_url` is the regional GetCallerIdentity action URL, used to
* determine the account ID and its roles.
*
* <p>The `environment_id` is the environment identifier, in the format “aws${version}”. This
* indicates whether breaking changes were introduced to the underlying AWS implementation.
*
* <p>The `region_url` identifies the targeted region. Optional.
*
* <p>The `url` locates the metadata server used to retrieve the AWS credentials. Optional.
*/
AwsCredentialSource(Map<String, Object> credentialSourceMap) {
super(credentialSourceMap);
if (!credentialSourceMap.containsKey("regional_cred_verification_url")) {
throw new IllegalArgumentException(
"A regional_cred_verification_url representing the"
+ " GetCallerIdentity action URL must be specified.");
}

String environmentId = (String) credentialSourceMap.get("environment_id");

// Environment version is prefixed by "aws". e.g. "aws1".
Matcher matcher = Pattern.compile("(aws)([\\d]+)").matcher(environmentId);
if (!matcher.matches()) {
throw new IllegalArgumentException("Invalid AWS environment ID.");
}

int environmentVersion = Integer.parseInt(matcher.group(2));
if (environmentVersion != 1) {
throw new IllegalArgumentException(
String.format(
"AWS version %s is not supported in the current build.", environmentVersion));
}

this.regionUrl = (String) credentialSourceMap.get("region_url");
this.url = (String) credentialSourceMap.get("url");
this.regionalCredentialVerificationUrl =
(String) credentialSourceMap.get("regional_cred_verification_url");

if (credentialSourceMap.containsKey(IMDSV2_SESSION_TOKEN_URL_FIELD_NAME)) {
this.imdsv2SessionTokenUrl =
(String) credentialSourceMap.get(IMDSV2_SESSION_TOKEN_URL_FIELD_NAME);
} else {
this.imdsv2SessionTokenUrl = null;
}
}
}

private final AwsCredentialSource awsCredentialSource;

/** Internal constructor. See {@link AwsCredentials.Builder}. */
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,9 +38,6 @@
import com.google.api.client.json.JsonObjectParser;
import com.google.auth.RequestMetadataCallback;
import com.google.auth.http.HttpTransportFactory;
import com.google.auth.oauth2.AwsCredentials.AwsCredentialSource;
import com.google.auth.oauth2.IdentityPoolCredentials.IdentityPoolCredentialSource;
import com.google.auth.oauth2.PluggableAuthCredentials.PluggableAuthCredentialSource;
import com.google.common.base.MoreObjects;
import java.io.IOException;
import java.io.InputStream;
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,130 @@
/*
* Copyright 2023 Google LLC
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.
*
* * Neither the name of Google LLC nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

package com.google.auth.oauth2;

import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.annotation.Nullable;

/**
* The IdentityPool credential source. Dictates the retrieval method of the external credential,
* which can either be through a metadata server or a local file.
*/
public class IdentityPoolCredentialSource extends ExternalAccountCredentials.CredentialSource {

private static final long serialVersionUID = -745855247050085694L;
IdentityPoolCredentialSourceType credentialSourceType;
CredentialFormatType credentialFormatType;
String credentialLocation;
@Nullable String subjectTokenFieldName;
@Nullable Map<String, String> headers;

/**
* The source of the 3P credential.
*
* <p>If this is a file based 3P credential, the credentials file can be retrieved using the
* `file` key.
*
* <p>If this is URL-based 3p credential, the metadata server URL can be retrieved using the `url`
* key.
*
* <p>The third party credential can be provided in different formats, such as text or JSON. The
* format can be specified using the `format` header, which returns a map with keys `type` and
* `subject_token_field_name`. If the `type` is json, the `subject_token_field_name` must be
* provided. If no format is provided, we expect the token to be in the raw text format.
*
* <p>Optional headers can be present, and should be keyed by `headers`.
*/
public IdentityPoolCredentialSource(Map<String, Object> credentialSourceMap) {
super(credentialSourceMap);

if (credentialSourceMap.containsKey("file") && credentialSourceMap.containsKey("url")) {
throw new IllegalArgumentException(
"Only one credential source type can be set, either file or url.");
}

if (credentialSourceMap.containsKey("file")) {
credentialLocation = (String) credentialSourceMap.get("file");
credentialSourceType = IdentityPoolCredentialSourceType.FILE;
} else if (credentialSourceMap.containsKey("url")) {
credentialLocation = (String) credentialSourceMap.get("url");
credentialSourceType = IdentityPoolCredentialSourceType.URL;
} else {
throw new IllegalArgumentException(
"Missing credential source file location or URL. At least one must be specified.");
}

Map<String, String> headersMap = (Map<String, String>) credentialSourceMap.get("headers");
if (headersMap != null && !headersMap.isEmpty()) {
headers = new HashMap<>();
headers.putAll(headersMap);
}

// If the format is not provided, we expect the token to be in the raw text format.
credentialFormatType = CredentialFormatType.TEXT;

Map<String, String> formatMap = (Map<String, String>) credentialSourceMap.get("format");
if (formatMap != null && formatMap.containsKey("type")) {
String type = formatMap.get("type");

if (type != null && "json".equals(type.toLowerCase(Locale.US))) {
// For JSON, the subject_token field name must be provided.
if (!formatMap.containsKey("subject_token_field_name")) {
throw new IllegalArgumentException(
"When specifying a JSON credential type, the subject_token_field_name must be set.");
}
credentialFormatType = CredentialFormatType.JSON;
subjectTokenFieldName = formatMap.get("subject_token_field_name");
} else if (type != null && "text".equals(type.toLowerCase(Locale.US))) {
credentialFormatType = CredentialFormatType.TEXT;
} else {
throw new IllegalArgumentException(
String.format("Invalid credential source format type: %s.", type));
}
}
}

boolean hasHeaders() {
return headers != null && !headers.isEmpty();
}

enum IdentityPoolCredentialSourceType {
FILE,
URL
}

enum CredentialFormatType {
TEXT,
JSON
}
}
Loading

0 comments on commit 9bb9e0a

Please sign in to comment.