private static String getSignedJwt(ServiceAccountCredentials credentials, String iapClientId) throws Exception { Instant now = Instant.now(clock); long expirationTime = now.getEpochSecond() + EXPIRATION_TIME_IN_SECONDS; // generate jwt signed by service account // header must contain algorithm ("alg") and key ID ("kid") JWSHeader jwsHeader = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(credentials.getPrivateKeyId()).build(); // set required claims JWTClaimsSet claims = new JWTClaimsSet.Builder() .audience(OAUTH_TOKEN_URI) .issuer(credentials.getClientEmail()) .subject(credentials.getClientEmail()) .issueTime(Date.from(now)) .expirationTime(Date.from(Instant.ofEpochSecond(expirationTime))) .claim("target_audience", iapClientId) .build(); // sign using service account private key JWSSigner signer = new RSASSASigner(credentials.getPrivateKey()); SignedJWT signedJwt = new SignedJWT(jwsHeader, claims); signedJwt.sign(signer); return signedJwt.serialize(); }
private static Credentials getJwtToken(ServiceAccountCredentials serviceAccount) { return ServiceAccountJwtAccessCredentials.newBuilder() .setClientEmail(serviceAccount.getClientEmail()) .setClientId(serviceAccount.getClientId()) .setPrivateKey(serviceAccount.getPrivateKey()) .setPrivateKeyId(serviceAccount.getPrivateKeyId()) .build(); } }
@Override public Credentials getCredentials() throws IOException { GoogleCredentials credentials = GoogleCredentials.getApplicationDefault(); // Check if the current scopes permit JWT token use boolean hasJwtEnabledScope = false; for (String scope : getJwtEnabledScopes()) { if (getScopesToApply().contains(scope)) { hasJwtEnabledScope = true; break; } } // Use JWT tokens when using a service account with an appropriate scope. if (credentials instanceof ServiceAccountCredentials && hasJwtEnabledScope) { ServiceAccountCredentials serviceAccount = (ServiceAccountCredentials) credentials; return ServiceAccountJwtAccessCredentials.newBuilder() .setClientEmail(serviceAccount.getClientEmail()) .setClientId(serviceAccount.getClientId()) .setPrivateKey(serviceAccount.getPrivateKey()) .setPrivateKeyId(serviceAccount.getPrivateKeyId()) .build(); } if (credentials.createScopedRequired()) { credentials = credentials.createScoped(getScopesToApply()); } return credentials; }
assertThat(serviceAccountCredentials2.getClientEmail()) .isEqualTo(serviceAccountCredentials.getClientEmail()); assertThat(serviceAccountCredentials2.getPrivateKeyId()) .isEqualTo(serviceAccountCredentials.getPrivateKeyId()); assertThat(serviceAccountCredentials2.getPrivateKey()) .isEqualTo(serviceAccountCredentials.getPrivateKey());
@Override public Credentials getCredentials() throws IOException { GoogleCredentials credentials = GoogleCredentials.getApplicationDefault(); // Check if the current scopes permit JWT token use boolean hasJwtEnabledScope = false; for (String scope : getJwtEnabledScopes()) { if (getScopesToApply().contains(scope)) { hasJwtEnabledScope = true; break; } } // Use JWT tokens when using a service account with an appropriate scope. if (credentials instanceof ServiceAccountCredentials && hasJwtEnabledScope) { ServiceAccountCredentials serviceAccount = (ServiceAccountCredentials) credentials; return ServiceAccountJwtAccessCredentials.newBuilder() .setClientEmail(serviceAccount.getClientEmail()) .setClientId(serviceAccount.getClientId()) .setPrivateKey(serviceAccount.getPrivateKey()) .setPrivateKeyId(serviceAccount.getPrivateKeyId()) .build(); } if (credentials.createScopedRequired()) { credentials = credentials.createScoped(getScopesToApply()); } return credentials; }
@Test public void serviceAccountReplacedWithJwtTokens() throws Exception { ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.newBuilder() .setClientId("fake-client-id") .setClientEmail("fake@example.com") .setPrivateKeyId("fake-private-key") .setPrivateKey(Mockito.mock(PrivateKey.class)) .build(); PowerMockito.mockStatic(GoogleCredentials.class); Mockito.when(GoogleCredentials.getApplicationDefault()).thenReturn(serviceAccountCredentials); GoogleCredentialsProvider provider = GoogleCredentialsProvider.newBuilder() .setScopesToApply(ImmutableList.of("scope1", "scope2")) .setJwtEnabledScopes(ImmutableList.of("scope1")) .build(); Credentials credentials = provider.getCredentials(); assertThat(credentials).isInstanceOf(ServiceAccountJwtAccessCredentials.class); ServiceAccountJwtAccessCredentials jwtCreds = (ServiceAccountJwtAccessCredentials) credentials; assertThat(jwtCreds.getClientId()).isEqualTo(serviceAccountCredentials.getClientId()); assertThat(jwtCreds.getClientEmail()).isEqualTo(serviceAccountCredentials.getClientEmail()); assertThat(jwtCreds.getPrivateKeyId()).isEqualTo(serviceAccountCredentials.getPrivateKeyId()); assertThat(jwtCreds.getPrivateKey()).isEqualTo(serviceAccountCredentials.getPrivateKey()); }
@Test public void createdScoped_clones() throws IOException { PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8); GoogleCredentials credentials = ServiceAccountCredentials.newBuilder() .setClientId(SA_CLIENT_ID) .setClientEmail(SA_CLIENT_EMAIL) .setPrivateKey(privateKey) .setPrivateKeyId(SA_PRIVATE_KEY_ID) .setScopes(SCOPES) .setServiceAccountUser(SERVICE_ACCOUNT_USER) .setProjectId(PROJECT_ID) .build(); List<String> newScopes = Arrays.asList("scope1", "scope2"); ServiceAccountCredentials newCredentials = (ServiceAccountCredentials) credentials.createScoped(newScopes); assertEquals(SA_CLIENT_ID, newCredentials.getClientId()); assertEquals(SA_CLIENT_EMAIL, newCredentials.getClientEmail()); assertEquals(privateKey, newCredentials.getPrivateKey()); assertEquals(SA_PRIVATE_KEY_ID, newCredentials.getPrivateKeyId()); assertArrayEquals(newScopes.toArray(), newCredentials.getScopes().toArray()); assertEquals(SERVICE_ACCOUNT_USER, newCredentials.getServiceAccountUser()); assertEquals(PROJECT_ID, newCredentials.getProjectId()); assertArrayEquals(SCOPES.toArray(), ((ServiceAccountCredentials)credentials).getScopes().toArray()); }
@Test public void createdDelegated_clones() throws IOException { PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8); ServiceAccountCredentials credentials = ServiceAccountCredentials.newBuilder() .setClientId(SA_CLIENT_ID) .setClientEmail(SA_CLIENT_EMAIL) .setPrivateKey(privateKey) .setPrivateKeyId(SA_PRIVATE_KEY_ID) .setScopes(SCOPES) .setServiceAccountUser(SERVICE_ACCOUNT_USER) .setProjectId(PROJECT_ID) .build(); String newServiceAccountUser = "stranger@other.org"; ServiceAccountCredentials newCredentials = (ServiceAccountCredentials) credentials.createDelegated(newServiceAccountUser); assertEquals(SA_CLIENT_ID, newCredentials.getClientId()); assertEquals(SA_CLIENT_EMAIL, newCredentials.getClientEmail()); assertEquals(privateKey, newCredentials.getPrivateKey()); assertEquals(SA_PRIVATE_KEY_ID, newCredentials.getPrivateKeyId()); assertArrayEquals(SCOPES.toArray(), newCredentials.getScopes().toArray()); assertEquals(newServiceAccountUser, newCredentials.getServiceAccountUser()); assertEquals(PROJECT_ID, newCredentials.getProjectId()); assertEquals(SERVICE_ACCOUNT_USER, ((ServiceAccountCredentials)credentials).getServiceAccountUser()); }