Example 16 with FleetEngineToken
use of com.google.fleetengine.auth.token.FleetEngineToken in project java-fleetengine-auth by googlemaps.
the class LocalSignerTest method sign_whenInvalidSignature_throwsSigningTokenException.
@Test
public void sign_whenInvalidSignature_throwsSigningTokenException() {
LocalSigner localSigner = LocalSigner.create(CLIENT_EMAIL, FAKE_PRIVATE_KEY_ID, FAKE_PRIVATE_INVALID_KEY);
FleetEngineToken token = FleetEngineToken.builder().setTokenType(FleetEngineTokenType.SERVER).setCreationTimestamp(Date.from(creation.instant())).setExpirationTimestamp(Date.from(expiration.instant())).setAuthorizationClaims(EmptyFleetEngineTokenClaims.INSTANCE).build();
Assert.assertThrows(SigningTokenException.class, () -> localSigner.sign(token));
}
Also used :
FleetEngineToken(com.google.fleetengine.auth.token.FleetEngineToken)
Test(org.junit.Test)
Example 17 with FleetEngineToken
use of com.google.fleetengine.auth.token.FleetEngineToken in project java-fleetengine-auth by googlemaps.
the class ImpersonatedSignerTest method sign_buildsJwtCorrectly.
@Test
public void sign_buildsJwtCorrectly() {
FleetEngineToken token = FleetEngineToken.builder().setTokenType(FleetEngineTokenType.SERVER).setCreationTimestamp(Date.from(creation.instant())).setExpirationTimestamp(Date.from(expiration.instant())).setAudience(TEST_AUDIENCE).setAuthorizationClaims(EmptyFleetEngineTokenClaims.INSTANCE).build();
// Mock impersonated credentials
ImpersonatedAccountSignerCredentials impersonatedCredentials = mock(ImpersonatedAccountSignerCredentials.class);
when(impersonatedCredentials.getAccount()).thenReturn(TEST_SERVICE_ACCOUNT);
when(impersonatedCredentials.sign(any(), any())).thenAnswer(invocation -> {
byte[] presignedHeaderJwt = invocation.getArgument(0, byte[].class);
byte[] presignedContentJwt = invocation.getArgument(0, byte[].class);
return Algorithm.none().sign(presignedHeaderJwt, presignedContentJwt);
});
ImpersonatedSigner signer = new ImpersonatedSigner(impersonatedCredentials);
// Sign the token with the "none" algorithm.
FleetEngineToken signedToken = signer.sign(token);
// Check that the payload matches what was expected
DecodedJWT decodedJWT = JWT.decode(signedToken.jwt());
String payload = new String(Base64.getDecoder().decode(decodedJWT.getPayload()), UTF_8);
Gson gson = new Gson();
JwtPayload jwtPayload = gson.fromJson(payload, JwtPayload.class);
assertThat(jwtPayload.audience).isEqualTo(TEST_AUDIENCE);
assertThat(jwtPayload.issuer).isEqualTo(TEST_SERVICE_ACCOUNT);
assertThat(jwtPayload.subject).isEqualTo(TEST_SERVICE_ACCOUNT);
assertThat(jwtPayload.issuedAt).isEqualTo(creation.instant().getEpochSecond());
assertThat(jwtPayload.expiredAt).isEqualTo(expiration.instant().getEpochSecond());
}
Also used :
Gson(com.google.gson.Gson)
DecodedJWT(com.auth0.jwt.interfaces.DecodedJWT)
FleetEngineToken(com.google.fleetengine.auth.token.FleetEngineToken)
ImpersonatedAccountSignerCredentials(com.google.fleetengine.auth.token.factory.signer.ImpersonatedSigner.ImpersonatedAccountSignerCredentials)
Test(org.junit.Test)
Example 18 with FleetEngineToken
use of com.google.fleetengine.auth.token.FleetEngineToken in project java-fleetengine-auth by googlemaps.
the class NaiveAuthStateManager method signToken.
/**
* {@inheritDoc}
*/
@Override
public FleetEngineToken signToken(Signer signer, FleetEngineToken token) throws SigningTokenException {
if (!token.authorizationClaims().isWildcard()) {
// Always sign tokens with claims that are not a wildcard.
return signer.sign(token);
}
FleetEngineToken cachedToken = cachedWildcardTokens.get(token.tokenType());
if (cachedToken != null && !tokenExpiryValidator.isTokenExpired(cachedToken, EXPIRATION_WINDOW_DURATION)) {
// Cached token exists and is not expired.
return cachedToken;
}
// The cached token is either null or expired, in either case, sign the token and cache it.
FleetEngineToken signedToken = signer.sign(token);
cachedWildcardTokens.put(signedToken.tokenType(), signedToken);
return signedToken;
}
Also used :
FleetEngineToken(com.google.fleetengine.auth.token.FleetEngineToken)
Example 19 with FleetEngineToken
use of com.google.fleetengine.auth.token.FleetEngineToken in project java-fleetengine-auth by googlemaps.
the class LocalSignerTest method sign_customClaims_returnsSameIds.
@Test
public void sign_customClaims_returnsSameIds() throws SigningTokenException {
LocalSigner localSigner = LocalSigner.create(CLIENT_EMAIL, FAKE_PRIVATE_KEY_ID, FAKE_PRIVATE_KEY);
when(claims.toMap()).thenReturn(ImmutableMap.of(CLAIM_KEY_1, CLAIM_VALUE_1, CLAIM_KEY_2, CLAIM_VALUE_2));
FleetEngineToken token = FleetEngineToken.builder().setTokenType(FleetEngineTokenType.CONSUMER).setCreationTimestamp(Date.from(creation.instant())).setExpirationTimestamp(Date.from(expiration.instant())).setAuthorizationClaims(claims).build();
FleetEngineToken signedToken = localSigner.sign(token);
DecodedJWT decodedJWT = JWT.decode(signedToken.jwt());
String payload = new String(Base64.getDecoder().decode(decodedJWT.getPayload()), UTF_8);
Gson gson = new Gson();
JwtPayload jwtPayload = gson.fromJson(payload, JwtPayload.class);
assertThat(jwtPayload.authorization.numberOne).isEqualTo(CLAIM_VALUE_1);
assertThat(jwtPayload.authorization.numberTwo).isEqualTo(CLAIM_VALUE_2);
}
Also used :
Gson(com.google.gson.Gson)
DecodedJWT(com.auth0.jwt.interfaces.DecodedJWT)
FleetEngineToken(com.google.fleetengine.auth.token.FleetEngineToken)
Test(org.junit.Test)
Example 20 with FleetEngineToken
use of com.google.fleetengine.auth.token.FleetEngineToken in project java-fleetengine-auth by googlemaps.
the class LocalSignerTest method sign_returnsValidSignature.
@Test
public void sign_returnsValidSignature() throws SigningTokenException, InvalidKeySpecException, NoSuchAlgorithmException, IOException {
LocalSigner localSigner = LocalSigner.create(CLIENT_EMAIL, FAKE_PRIVATE_KEY_ID, FAKE_PRIVATE_KEY);
FleetEngineToken token = FleetEngineToken.builder().setTokenType(FleetEngineTokenType.SERVER).setCreationTimestamp(Date.from(creation.instant())).setExpirationTimestamp(Date.from(expiration.instant())).setAuthorizationClaims(EmptyFleetEngineTokenClaims.INSTANCE).build();
FleetEngineToken signedToken = localSigner.sign(token);
DecodedJWT decodedJWT = JWT.decode(signedToken.jwt());
// Use the same type of algorithm used to sign the JWT to also validate the JWT
RSAPrivateKey privateKey = RSAPrivateKeyUtils.getPrivateKey(FAKE_PRIVATE_KEY);
RSAPublicKey publicKey = createPublicKey();
Algorithm algorithm = Algorithm.RSA256(publicKey, privateKey);
// Throws SignatureVerificationException if the signature is incorrect
algorithm.verify(decodedJWT);
}
Also used :
RSAPublicKey(java.security.interfaces.RSAPublicKey)
DecodedJWT(com.auth0.jwt.interfaces.DecodedJWT)
RSAPrivateKey(java.security.interfaces.RSAPrivateKey)
Algorithm(com.auth0.jwt.algorithms.Algorithm)
FleetEngineToken(com.google.fleetengine.auth.token.FleetEngineToken)
Test(org.junit.Test)
Aggregations
FleetEngineToken (com.google.fleetengine.auth.token.FleetEngineToken)30
Test (org.junit.Test)27
DecodedJWT (com.auth0.jwt.interfaces.DecodedJWT)6
Gson (com.google.gson.Gson)5
Duration (java.time.Duration)3
Instant (java.time.Instant)3
SigningTokenException (com.google.fleetengine.auth.token.factory.signer.SigningTokenException)2
Algorithm (com.auth0.jwt.algorithms.Algorithm)1
VisibleForTesting (com.google.common.annotations.VisibleForTesting)1
FleetEngineTokenType (com.google.fleetengine.auth.token.FleetEngineTokenType)1
ImpersonatedAccountSignerCredentials (com.google.fleetengine.auth.token.factory.signer.ImpersonatedSigner.ImpersonatedAccountSignerCredentials)1
RSAPrivateKey (java.security.interfaces.RSAPrivateKey)1
RSAPublicKey (java.security.interfaces.RSAPublicKey)1
