Example 1 with ServiceAccountJwtAccessCredentials

Use of com.google.auth.oauth2.ServiceAccountJwtAccessCredentials in project java-bigtable by googleapis.

From the class EnhancedBigtableStub, method patchCredentials.

private static void patchCredentials(EnhancedBigtableStubSettings.Builder settings) throws IOException {
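    // The endpoint is host:port; the host part is the key into the JWT audience mapping.
    int i = settings.getEndpoint().lastIndexOf(":");
    String host = settings.getEndpoint().substring(0, i);
    String audience = settings.getJwtAudienceMapping().get(host);
    // No audience override configured for this host: leave the credentials untouched.
    if (audience == null) {
        return;
    }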
    URI audienceUri = null;
    try {
        audienceUri = new URI(audience);
    } catch (URISyntaxException e) {
        throw new IllegalStateException("invalid JWT audience override", e);
    }
    CredentialsProvider credentialsProvider = settings.getCredentialsProvider();
    if (credentialsProvider == null) {
        return;
    }
    Credentials credentials = credentialsProvider.getCredentials();
    if (credentials == null) {
        return;
    }
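    // Only ServiceAccountJwtAccessCredentials are patched; other credential types are left as-is.
    if (!(credentials instanceof ServiceAccountJwtAccessCredentials)) {
        return;
    }
    ServiceAccountJwtAccessCredentials jwtCreds = (ServiceAccountJwtAccessCredentials) credentials;
    // Wrap the credentials with the mapped audience and install them as the fixed provider.
    JwtCredentialsWithAudience patchedCreds = new JwtCredentialsWithAudience(jwtCreds, audienceUri);
    settings.setCredentialsProvider(FixedCredentialsProvider.create(patchedCreds));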
}
Also used : JwtCredentialsWithAudience(com.google.cloud.bigtable.data.v2.internal.JwtCredentialsWithAudience) ByteString(com.google.protobuf.ByteString) URISyntaxException(java.net.URISyntaxException) FixedCredentialsProvider(com.google.api.gax.core.FixedCredentialsProvider) CredentialsProvider(com.google.api.gax.core.CredentialsProvider) URI(java.net.URI) ServiceAccountJwtAccessCredentials(com.google.auth.oauth2.ServiceAccountJwtAccessCredentials) Credentials(com.google.auth.Credentials)

Example 2 with ServiceAccountJwtAccessCredentials

Use of com.google.auth.oauth2.ServiceAccountJwtAccessCredentials in project java-bigtable by googleapis.

From the class EnhancedBigtableStubTest, method testBatchJwtAudience.

@Test
public void testBatchJwtAudience() throws InterruptedException, IOException, NoSuchAlgorithmException, ExecutionException {
    // close default stub - need to create custom one
    enhancedBigtableStub.close();
    // Create fake jwt creds
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    KeyPair keyPair = keyGen.genKeyPair();
    ServiceAccountJwtAccessCredentials jwtCreds = ServiceAccountJwtAccessCredentials.newBuilder().setClientId("fake-id").setClientEmail("fake@example.com").setPrivateKey(keyPair.getPrivate()).setPrivateKeyId("fake-private-key").build();
    // Create a fixed channel that will ignore the default endpoint and connect to the emulator
    ManagedChannel emulatorChannel = ManagedChannelBuilder.forAddress("localhost", serviceHelper.getPort()).usePlaintext().build();
    Metadata metadata;
    try {
        EnhancedBigtableStubSettings settings = EnhancedBigtableStubSettings.newBuilder().setProjectId("fake-project").setInstanceId("fake-instance").setEndpoint("batch-bigtable.googleapis.com:443").setCredentialsProvider(FixedCredentialsProvider.create(jwtCreds)).setTransportChannelProvider(FixedTransportChannelProvider.create(GrpcTransportChannel.create(emulatorChannel))).build();
        enhancedBigtableStub = EnhancedBigtableStub.create(settings);
        // Send rpc and grab the credentials sent
        enhancedBigtableStub.readRowCallable().futureCall(Query.create("fake-table")).get();
        metadata = metadataInterceptor.headers.take();
    } finally {
        emulatorChannel.shutdown();
    }
    String authValue = metadata.get(Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER));
    String expectedPrefix = "Bearer ";
    assertThat(authValue).startsWith(expectedPrefix);
    String jwtStr = authValue.substring(expectedPrefix.length());
    JsonWebSignature parsed = JsonWebSignature.parse(GsonFactory.getDefaultInstance(), jwtStr);
    assertThat(parsed.getPayload().getAudience()).isEqualTo("https://bigtable.googleapis.com/");
}
Also used : KeyPair(java.security.KeyPair) JsonWebSignature(com.google.api.client.json.webtoken.JsonWebSignature) Metadata(io.grpc.Metadata) ManagedChannel(io.grpc.ManagedChannel) KeyPairGenerator(java.security.KeyPairGenerator) ByteString(com.google.protobuf.ByteString) ServiceAccountJwtAccessCredentials(com.google.auth.oauth2.ServiceAccountJwtAccessCredentials) Test(org.junit.Test)

Example 3 with ServiceAccountJwtAccessCredentials

Use of com.google.auth.oauth2.ServiceAccountJwtAccessCredentials in project java-bigtable by googleapis.

From the class EnhancedBigtableStubTest, method testJwtAudience.

@Test
public void testJwtAudience() throws InterruptedException, IOException, NoSuchAlgorithmException, ExecutionException {
    // close default stub - need to create custom one
    enhancedBigtableStub.close();
    // Create fake jwt creds
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    KeyPair keyPair = keyGen.genKeyPair();
    ServiceAccountJwtAccessCredentials jwtCreds = ServiceAccountJwtAccessCredentials.newBuilder().setClientId("fake-id").setClientEmail("fake@example.com").setPrivateKey(keyPair.getPrivate()).setPrivateKeyId("fake-private-key").build();
    // Create a stub with overridden audience
    String expectedAudience = "http://localaudience";
    EnhancedBigtableStubSettings settings = defaultSettings.toBuilder().setJwtAudienceMapping(ImmutableMap.of("localhost", expectedAudience)).setCredentialsProvider(FixedCredentialsProvider.create(jwtCreds)).build();
    enhancedBigtableStub = EnhancedBigtableStub.create(settings);
    // Send rpc and grab the credentials sent
    enhancedBigtableStub.readRowCallable().futureCall(Query.create("fake-table")).get();
    Metadata metadata = metadataInterceptor.headers.take();
    String authValue = metadata.get(Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER));
    String expectedPrefix = "Bearer ";
    assertThat(authValue).startsWith(expectedPrefix);
    String jwtStr = authValue.substring(expectedPrefix.length());
    JsonWebSignature parsed = JsonWebSignature.parse(GsonFactory.getDefaultInstance(), jwtStr);
    assertThat(parsed.getPayload().getAudience()).isEqualTo(expectedAudience);
}
Also used : KeyPair(java.security.KeyPair) JsonWebSignature(com.google.api.client.json.webtoken.JsonWebSignature) Metadata(io.grpc.Metadata) KeyPairGenerator(java.security.KeyPairGenerator) ByteString(com.google.protobuf.ByteString) ServiceAccountJwtAccessCredentials(com.google.auth.oauth2.ServiceAccountJwtAccessCredentials) Test(org.junit.Test)

Example 4 with ServiceAccountJwtAccessCredentials

Use of com.google.auth.oauth2.ServiceAccountJwtAccessCredentials in project java-bigtable-hbase by googleapis.

From the class TestAuth, method testBatchJwt.

@Test
public void testBatchJwt() throws IOException {
    Assume.assumeTrue("Batch JWT can only run against Bigtable", sharedTestEnv.isBigtable());
    String currentEndpoint = sharedTestEnv.getConfiguration().get("google.bigtable.endpoint.host");
    Assume.assumeTrue("Batch JWT test can only run in prod", currentEndpoint == null || "bigtable.googleapis.com".equals(currentEndpoint));
    Credentials credentials = GoogleCredentials.getApplicationDefault();
    if (credentials instanceof ServiceAccountCredentials) {
        ServiceAccountCredentials svcCreds = (ServiceAccountCredentials) credentials;
        credentials = ServiceAccountJwtAccessCredentials.newBuilder().setClientId(svcCreds.getClientId()).setClientEmail(svcCreds.getClientEmail()).setPrivateKeyId(svcCreds.getPrivateKeyId()).setPrivateKey(svcCreds.getPrivateKey()).build();
    }
    Assume.assumeTrue("Service account credentials are required", credentials instanceof ServiceAccountJwtAccessCredentials);
    BigtableExtendedConfiguration config = new BigtableExtendedConfiguration(sharedTestEnv.getConfiguration(), credentials);
    config.set("google.bigtable.use.batch", "true");
    // Prevent the test from hanging if auth fails
    config.set("google.bigtable.rpc.use.timeouts", "true");
    config.set("google.bigtable.rpc.timeout.ms", "10000");
    config.set("google.bigtable.grpc.channel.count", "1");
    // Create a new connection using JWT auth & batch settings
    try (Connection connection = BigtableConfiguration.connect(config)) {
        // Reuse the default test table
        Table table = connection.getTable(sharedTestEnv.getDefaultTableName());
        Exception actualError = null;
        // Perform any RPC
        try {
            table.get(new Get("any-key".getBytes()));
        } catch (Exception e) {
            actualError = e;
        }
        // Verify that it succeeded.
        Assert.assertNull("No error when getting a key with JWT", actualError);
    }
}
Also used : Table(org.apache.hadoop.hbase.client.Table) Get(org.apache.hadoop.hbase.client.Get) Connection(org.apache.hadoop.hbase.client.Connection) ServiceAccountCredentials(com.google.auth.oauth2.ServiceAccountCredentials) ServiceAccountJwtAccessCredentials(com.google.auth.oauth2.ServiceAccountJwtAccessCredentials) GoogleCredentials(com.google.auth.oauth2.GoogleCredentials) Credentials(com.google.auth.Credentials) IOException(java.io.IOException) Test(org.junit.Test)