/* * Copyright 2016, Google Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are * met: * * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following disclaimer * in the documentation and/or other materials provided with the * distribution. * * * Neither the name of Google Inc. nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ package com.google.auth.oauth2; import com.google.auth.ServiceAccountSigner; import com.google.common.base.MoreObjects; import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableSet; import java.io.IOException; import java.io.ObjectInputStream; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.util.Collection; import java.util.Date; import java.util.Objects; /** * OAuth2 credentials representing the built-in service account for Google App Engine. * *

Instances of this class use reflection to access AppIdentityService in AppEngine SDK. */ class AppEngineCredentials extends GoogleCredentials implements ServiceAccountSigner { private static final long serialVersionUID = -493219027336622194L; static final String APP_IDENTITY_SERVICE_FACTORY_CLASS = "com.google.appengine.api.appidentity.AppIdentityServiceFactory"; static final String APP_IDENTITY_SERVICE_CLASS = "com.google.appengine.api.appidentity.AppIdentityService"; static final String GET_ACCESS_TOKEN_RESULT_CLASS = "com.google.appengine.api.appidentity.AppIdentityService$GetAccessTokenResult"; static final String SIGNING_RESULT_CLASS = "com.google.appengine.api.appidentity.AppIdentityService$SigningResult"; private static final String GET_APP_IDENTITY_SERVICE_METHOD = "getAppIdentityService"; private static final String GET_ACCESS_TOKEN_RESULT_METHOD = "getAccessToken"; private static final String GET_ACCESS_TOKEN_METHOD = "getAccessToken"; private static final String GET_EXPIRATION_TIME_METHOD = "getExpirationTime"; private static final String GET_SERVICE_ACCOUNT_NAME_METHOD = "getServiceAccountName"; private static final String SIGN_FOR_APP_METHOD = "signForApp"; private static final String GET_SIGNATURE_METHOD = "getSignature"; private final Collection scopes; private final boolean scopesRequired; private transient Object appIdentityService; private transient Method getAccessToken; private transient Method getAccessTokenResult; private transient Method getExpirationTime; private transient Method signForApp; private transient Method getSignature; private transient String account; AppEngineCredentials(Collection scopes, Collection defaultScopes) throws IOException { // Use defaultScopes only when scopes don't exist. if (scopes == null || scopes.isEmpty()) { this.scopes = defaultScopes == null ? ImmutableList.of() : ImmutableList.copyOf(defaultScopes); } else { this.scopes = ImmutableList.copyOf(scopes); } this.scopesRequired = this.scopes.isEmpty(); init(); } AppEngineCredentials( Collection scopes, Collection defaultScopes, AppEngineCredentials unscoped) { this.appIdentityService = unscoped.appIdentityService; this.getAccessToken = unscoped.getAccessToken; this.getAccessTokenResult = unscoped.getAccessTokenResult; this.getExpirationTime = unscoped.getExpirationTime; // Use defaultScopes only when scopes don't exist. if (scopes == null || scopes.isEmpty()) { this.scopes = defaultScopes == null ? ImmutableSet.of() : ImmutableList.copyOf(defaultScopes); } else { this.scopes = ImmutableList.copyOf(scopes); } this.scopesRequired = this.scopes.isEmpty(); } private void init() throws IOException { try { Class factoryClass = forName(APP_IDENTITY_SERVICE_FACTORY_CLASS); Method method = factoryClass.getMethod(GET_APP_IDENTITY_SERVICE_METHOD); this.appIdentityService = method.invoke(null); Class serviceClass = forName(APP_IDENTITY_SERVICE_CLASS); Class tokenResultClass = forName(GET_ACCESS_TOKEN_RESULT_CLASS); this.getAccessTokenResult = serviceClass.getMethod(GET_ACCESS_TOKEN_RESULT_METHOD, Iterable.class); this.getAccessToken = tokenResultClass.getMethod(GET_ACCESS_TOKEN_METHOD); this.getExpirationTime = tokenResultClass.getMethod(GET_EXPIRATION_TIME_METHOD); this.account = (String) serviceClass.getMethod(GET_SERVICE_ACCOUNT_NAME_METHOD).invoke(appIdentityService); this.signForApp = serviceClass.getMethod(SIGN_FOR_APP_METHOD, byte[].class); Class signingResultClass = forName(SIGNING_RESULT_CLASS); this.getSignature = signingResultClass.getMethod(GET_SIGNATURE_METHOD); } catch (ClassNotFoundException | NoSuchMethodException | IllegalAccessException | InvocationTargetException ex) { throw new IOException( "Application Default Credentials failed to create the Google App Engine service account" + " credentials. Check that the App Engine SDK is deployed.", ex); } } /** Refresh the access token by getting it from the App Identity service. */ @Override public AccessToken refreshAccessToken() throws IOException { if (createScopedRequired()) { throw new IOException("AppEngineCredentials requires createScoped call before use."); } try { Object accessTokenResult = getAccessTokenResult.invoke(appIdentityService, scopes); String accessToken = (String) getAccessToken.invoke(accessTokenResult); Date expirationTime = (Date) getExpirationTime.invoke(accessTokenResult); return new AccessToken(accessToken, expirationTime); } catch (Exception e) { throw new IOException("Could not get the access token.", e); } } @Override public boolean createScopedRequired() { return scopesRequired; } @Override public GoogleCredentials createScoped(Collection scopes) { return new AppEngineCredentials(scopes, null, this); } @Override public GoogleCredentials createScoped( Collection scopes, Collection defaultScopes) { return new AppEngineCredentials(scopes, defaultScopes, this); } @Override public String getAccount() { return account; } @Override public byte[] sign(byte[] toSign) { try { Object signingResult = signForApp.invoke(appIdentityService, toSign); return (byte[]) getSignature.invoke(signingResult); } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) { throw new SigningException("Failed to sign the provided bytes", ex); } } @Override public int hashCode() { return Objects.hash(scopes, scopesRequired); } @Override public String toString() { return MoreObjects.toStringHelper(this) .add("scopes", scopes) .add("scopesRequired", scopesRequired) .toString(); } @Override public boolean equals(Object obj) { if (!(obj instanceof AppEngineCredentials)) { return false; } AppEngineCredentials other = (AppEngineCredentials) obj; return this.scopesRequired == other.scopesRequired && Objects.equals(this.scopes, other.scopes); } private void readObject(ObjectInputStream input) throws IOException, ClassNotFoundException { input.defaultReadObject(); init(); } /* * Start of methods to allow overriding in the test code to isolate from the environment. */ Class forName(String className) throws ClassNotFoundException { return Class.forName(className); } /* * End of methods to allow overriding in the test code to isolate from the environment. */ }