Example 1 with ServiceAccountJwtAccessCredentials
use of com.google.auth.oauth2.ServiceAccountJwtAccessCredentials in project java-bigtable by googleapis.
the class EnhancedBigtableStub method patchCredentials.
private static void patchCredentials(EnhancedBigtableStubSettings.Builder settings) throws IOException {
int i = settings.getEndpoint().lastIndexOf(":");
String host = settings.getEndpoint().substring(0, i);
String audience = settings.getJwtAudienceMapping().get(host);
if (audience == null) {
return;
}
URI audienceUri = null;
try {
audienceUri = new URI(audience);
} catch (URISyntaxException e) {
throw new IllegalStateException("invalid JWT audience override", e);
}
CredentialsProvider credentialsProvider = settings.getCredentialsProvider();
if (credentialsProvider == null) {
return;
}
Credentials credentials = credentialsProvider.getCredentials();
if (credentials == null) {
return;
}
if (!(credentials instanceof ServiceAccountJwtAccessCredentials)) {
return;
}
ServiceAccountJwtAccessCredentials jwtCreds = (ServiceAccountJwtAccessCredentials) credentials;
JwtCredentialsWithAudience patchedCreds = new JwtCredentialsWithAudience(jwtCreds, audienceUri);
settings.setCredentialsProvider(FixedCredentialsProvider.create(patchedCreds));
}
Also used :
JwtCredentialsWithAudience(com.google.cloud.bigtable.data.v2.internal.JwtCredentialsWithAudience)
ByteString(com.google.protobuf.ByteString)
URISyntaxException(java.net.URISyntaxException)
FixedCredentialsProvider(com.google.api.gax.core.FixedCredentialsProvider)
CredentialsProvider(com.google.api.gax.core.CredentialsProvider)
URI(java.net.URI)
ServiceAccountJwtAccessCredentials(com.google.auth.oauth2.ServiceAccountJwtAccessCredentials)
ServiceAccountJwtAccessCredentials(com.google.auth.oauth2.ServiceAccountJwtAccessCredentials)
Credentials(com.google.auth.Credentials)
Example 2 with ServiceAccountJwtAccessCredentials
use of com.google.auth.oauth2.ServiceAccountJwtAccessCredentials in project java-bigtable by googleapis.
the class EnhancedBigtableStubTest method testBatchJwtAudience.
@Test
public void testBatchJwtAudience() throws InterruptedException, IOException, NoSuchAlgorithmException, ExecutionException {
// close default stub - need to create custom one
enhancedBigtableStub.close();
// Create fake jwt creds
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
KeyPair keyPair = keyGen.genKeyPair();
ServiceAccountJwtAccessCredentials jwtCreds = ServiceAccountJwtAccessCredentials.newBuilder().setClientId("fake-id").setClientEmail("fake@example.com").setPrivateKey(keyPair.getPrivate()).setPrivateKeyId("fake-private-key").build();
// Create a fixed channel that will ignore the default endpoint and connect to the emulator
ManagedChannel emulatorChannel = ManagedChannelBuilder.forAddress("localhost", serviceHelper.getPort()).usePlaintext().build();
Metadata metadata;
try {
EnhancedBigtableStubSettings settings = EnhancedBigtableStubSettings.newBuilder().setProjectId("fake-project").setInstanceId("fake-instance").setEndpoint("batch-bigtable.googleapis.com:443").setCredentialsProvider(FixedCredentialsProvider.create(jwtCreds)).setTransportChannelProvider(FixedTransportChannelProvider.create(GrpcTransportChannel.create(emulatorChannel))).build();
enhancedBigtableStub = EnhancedBigtableStub.create(settings);
// Send rpc and grab the credentials sent
enhancedBigtableStub.readRowCallable().futureCall(Query.create("fake-table")).get();
metadata = metadataInterceptor.headers.take();
} finally {
emulatorChannel.shutdown();
}
String authValue = metadata.get(Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER));
String expectedPrefix = "Bearer ";
assertThat(authValue).startsWith(expectedPrefix);
String jwtStr = authValue.substring(expectedPrefix.length());
JsonWebSignature parsed = JsonWebSignature.parse(GsonFactory.getDefaultInstance(), jwtStr);
assertThat(parsed.getPayload().getAudience()).isEqualTo("https://bigtable.googleapis.com/");
}
Also used :
KeyPair(java.security.KeyPair)
JsonWebSignature(com.google.api.client.json.webtoken.JsonWebSignature)
Metadata(io.grpc.Metadata)
ManagedChannel(io.grpc.ManagedChannel)
KeyPairGenerator(java.security.KeyPairGenerator)
ByteString(com.google.protobuf.ByteString)
ServiceAccountJwtAccessCredentials(com.google.auth.oauth2.ServiceAccountJwtAccessCredentials)
Test(org.junit.Test)
Example 3 with ServiceAccountJwtAccessCredentials
use of com.google.auth.oauth2.ServiceAccountJwtAccessCredentials in project java-bigtable by googleapis.
the class EnhancedBigtableStubTest method testJwtAudience.
@Test
public void testJwtAudience() throws InterruptedException, IOException, NoSuchAlgorithmException, ExecutionException {
// close default stub - need to create custom one
enhancedBigtableStub.close();
// Create fake jwt creds
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
KeyPair keyPair = keyGen.genKeyPair();
ServiceAccountJwtAccessCredentials jwtCreds = ServiceAccountJwtAccessCredentials.newBuilder().setClientId("fake-id").setClientEmail("fake@example.com").setPrivateKey(keyPair.getPrivate()).setPrivateKeyId("fake-private-key").build();
// Create a stub with overridden audience
String expectedAudience = "http://localaudience";
EnhancedBigtableStubSettings settings = defaultSettings.toBuilder().setJwtAudienceMapping(ImmutableMap.of("localhost", expectedAudience)).setCredentialsProvider(FixedCredentialsProvider.create(jwtCreds)).build();
enhancedBigtableStub = EnhancedBigtableStub.create(settings);
// Send rpc and grab the credentials sent
enhancedBigtableStub.readRowCallable().futureCall(Query.create("fake-table")).get();
Metadata metadata = metadataInterceptor.headers.take();
String authValue = metadata.get(Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER));
String expectedPrefix = "Bearer ";
assertThat(authValue).startsWith(expectedPrefix);
String jwtStr = authValue.substring(expectedPrefix.length());
JsonWebSignature parsed = JsonWebSignature.parse(GsonFactory.getDefaultInstance(), jwtStr);
assertThat(parsed.getPayload().getAudience()).isEqualTo(expectedAudience);
}
Also used :
KeyPair(java.security.KeyPair)
JsonWebSignature(com.google.api.client.json.webtoken.JsonWebSignature)
Metadata(io.grpc.Metadata)
KeyPairGenerator(java.security.KeyPairGenerator)
ByteString(com.google.protobuf.ByteString)
ServiceAccountJwtAccessCredentials(com.google.auth.oauth2.ServiceAccountJwtAccessCredentials)
Test(org.junit.Test)
Example 4 with ServiceAccountJwtAccessCredentials
use of com.google.auth.oauth2.ServiceAccountJwtAccessCredentials in project java-bigtable-hbase by googleapis.
the class TestAuth method testBatchJwt.
@Test
public void testBatchJwt() throws IOException {
Assume.assumeTrue("Batch JWT can only run against Bigtable", sharedTestEnv.isBigtable());
String currentEndpoint = sharedTestEnv.getConfiguration().get("google.bigtable.endpoint.host");
Assume.assumeTrue("Batch JWT test can only run in prod", currentEndpoint == null || "bigtable.googleapis.com".equals(currentEndpoint));
Credentials credentials = GoogleCredentials.getApplicationDefault();
if (credentials instanceof ServiceAccountCredentials) {
ServiceAccountCredentials svcCreds = (ServiceAccountCredentials) credentials;
credentials = ServiceAccountJwtAccessCredentials.newBuilder().setClientId(svcCreds.getClientId()).setClientEmail(svcCreds.getClientEmail()).setPrivateKeyId(svcCreds.getPrivateKeyId()).setPrivateKey(svcCreds.getPrivateKey()).build();
}
Assume.assumeTrue("Service account credentials are required", credentials instanceof ServiceAccountJwtAccessCredentials);
BigtableExtendedConfiguration config = new BigtableExtendedConfiguration(sharedTestEnv.getConfiguration(), credentials);
config.set("google.bigtable.use.batch", "true");
// Prevent the test from hanging if auth fails
config.set("google.bigtable.rpc.use.timeouts", "true");
config.set("google.bigtable.rpc.timeout.ms", "10000");
config.set("google.bigtable.grpc.channel.count", "1");
// Create a new connection using JWT auth & batch settings
try (Connection connection = BigtableConfiguration.connect(config)) {
// Reuse the default test table
Table table = connection.getTable(sharedTestEnv.getDefaultTableName());
Exception actualError = null;
// Perform any RPC
try {
table.get(new Get("any-key".getBytes()));
} catch (Exception e) {
actualError = e;
}
// Verify that it succeeded.
Assert.assertNull("No error when getting a key with JWT", actualError);
}
}
Also used :
Table(org.apache.hadoop.hbase.client.Table)
Get(org.apache.hadoop.hbase.client.Get)
Connection(org.apache.hadoop.hbase.client.Connection)
ServiceAccountCredentials(com.google.auth.oauth2.ServiceAccountCredentials)
ServiceAccountJwtAccessCredentials(com.google.auth.oauth2.ServiceAccountJwtAccessCredentials)
GoogleCredentials(com.google.auth.oauth2.GoogleCredentials)
ServiceAccountJwtAccessCredentials(com.google.auth.oauth2.ServiceAccountJwtAccessCredentials)
Credentials(com.google.auth.Credentials)
ServiceAccountCredentials(com.google.auth.oauth2.ServiceAccountCredentials)
IOException(java.io.IOException)
Test(org.junit.Test)
Aggregations
ServiceAccountJwtAccessCredentials (com.google.auth.oauth2.ServiceAccountJwtAccessCredentials)4
ByteString (com.google.protobuf.ByteString)3
Test (org.junit.Test)3
JsonWebSignature (com.google.api.client.json.webtoken.JsonWebSignature)2
Credentials (com.google.auth.Credentials)2
Metadata (io.grpc.Metadata)2
KeyPair (java.security.KeyPair)2
KeyPairGenerator (java.security.KeyPairGenerator)2
CredentialsProvider (com.google.api.gax.core.CredentialsProvider)1
FixedCredentialsProvider (com.google.api.gax.core.FixedCredentialsProvider)1
GoogleCredentials (com.google.auth.oauth2.GoogleCredentials)1
ServiceAccountCredentials (com.google.auth.oauth2.ServiceAccountCredentials)1
JwtCredentialsWithAudience (com.google.cloud.bigtable.data.v2.internal.JwtCredentialsWithAudience)1
ManagedChannel (io.grpc.ManagedChannel)1
IOException (java.io.IOException)1
URI (java.net.URI)1
URISyntaxException (java.net.URISyntaxException)1
Connection (org.apache.hadoop.hbase.client.Connection)1
Get (org.apache.hadoop.hbase.client.Get)1
Table (org.apache.hadoop.hbase.client.Table)1
