feat: Implement ClientSideCredentialAccessBoundaryFactory #1562
Conversation
|
🤖 I detect that the PR title and the commit message differ and there's only one commit. To use the PR title for the commit history, you can use Github's automerge feature with squashing, or use -- conventional-commit-lint bot |
Set up the ClientSideCredentialAccessBoundaryFactory class and module. Implement the function to fetch intermediary tokens from STS.
nbayati
changed the title
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Outdated
Show resolved
Hide resolved
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Outdated
Show resolved
Hide resolved
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Outdated
Show resolved
Hide resolved
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Outdated
Show resolved
Hide resolved
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Outdated
Show resolved
Hide resolved
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Outdated
Show resolved
Hide resolved
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Outdated
Show resolved
Hide resolved
…some minor refactoring.
product-auto-label
bot
added
size: l
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/CredentialAccessBoundary.java
Outdated
Show resolved
Hide resolved
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Show resolved
Hide resolved
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Outdated
Show resolved
Hide resolved
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Outdated
Show resolved
Hide resolved
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Outdated
Show resolved
Hide resolved
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Show resolved
Hide resolved
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Outdated
Show resolved
Hide resolved
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Show resolved
Hide resolved
|
|
||
| /** Internal utilities for the com.google.auth.oauth2 namespace. */ | ||
| class OAuth2Utils { | ||
| public class OAuth2Utils { |
There was a problem hiding this comment.
Not sure if it makes sense for this to be public @lqiu96
There was a problem hiding this comment.
One option for this to see if we can keep this package-private and move some of these constants to STSRequestHandler. It looks like TOKEN_TYPE_ACCESS_BOUNDARY_INTERMEDIARY_TOKEN and TOKEN_EXCHANGE_URL_FORMAT are new additions could live in the individual classes (i.e StsREquestHandler or DownscopedCredentials).
TOKEN_TYPE_ACCESS_TOKEN is used in a few places, but if it makes sense we can move them around. I don't know if TOKEN_TYPE_ACCESS_TOKEN` applies to non-CAB use cases/ if we rather keep it in this Utils class.
Otherwise, I think I'm ok with making it public given the module constraints we have.
There was a problem hiding this comment.
I'm going to leave this comment open and keep it as-is for now so I can merge this PR and unblock #1571. I'll address this comment in the next PR.
oauth2_http/java/com/google/auth/oauth2/StsTokenExchangeResponse.java
Outdated
Show resolved
Hide resolved
| try { | ||
| this.sourceCredential.refreshIfExpired(); | ||
| } catch (IOException e) { | ||
| throw new IOException("Unable to refresh the provided source credential.", e); | ||
| } |
There was a problem hiding this comment.
Can you remind me why we are re-throwing this exception? If there is no reason, I think we should have refreshIfExpired() throw the exception instead of catching and then re-throw
There was a problem hiding this comment.
From @aeitzman: It's just to give more easily readable details about what part of the auth flow broke vs just returning the stack trace. I don't think its strictly necessary but it makes the library easier to debug.
There was a problem hiding this comment.
Ok, I'm fine with this for now, but I'd rather have this be captured via logs (that is probably a separate project).
CC: @zhumin8
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Outdated
Show resolved
Hide resolved
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Show resolved
Hide resolved
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Show resolved
Hide resolved
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Show resolved
Hide resolved
| this.tokenExchangeEndpoint = builder.tokenExchangeEndpoint; | ||
| } | ||
|
|
||
| private void refreshCredentials() throws IOException { |
There was a problem hiding this comment.
Would you be able to write some quick comments that describes some of the behavior regarding the source access token and the response access token and how they form the intermediate access token?
From what I gather from the code, but it would be helpful for a comment to help confirm:
Intermediate access token is usually the STS response, unless the response doesn't have an expiration time. If not, then a new access token is created with the source access token's expiration time unless that value also doesn't exist.
What happens when both access tokens don't have an expiration time? Will this end up failing downstream? Will this just live forever?
There was a problem hiding this comment.
Added documentation to the function. Please let me know if additional clarification is needed.
There was a problem hiding this comment.
Thanks, that makes sense! Is there any issue if the intermediary token doesn't have an expiration time?
There was a problem hiding this comment.
I believe the intermediary token should still work as expected without any issues even if there's no expiration time.
There was a problem hiding this comment.
Sounds good, would it be possible confirm that? If does end up failing, could you document that or link to docs that detail that?
...java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
Show resolved
Hide resolved
| <version>1.29.1-SNAPSHOT | ||
| </version><!-- {x-version-update:google-auth-library-parent:current} --> |
There was a problem hiding this comment.
| <version>1.29.1-SNAPSHOT | |
| </version><!-- {x-version-update:google-auth-library-parent:current} --> | |
| <version>1.30.0</version><!-- {x-version-update:google-auth-library-parent:current} --> |
This version is going to change as we cut new releases of auth. Last thing before we merge will be to update this to the latest version.
There was a problem hiding this comment.
I'll leave this comment open as a reminder to update the version before the feature is merged to the main branch.
|
|
|
||
| // Ensure source credential's universe domain matches. | ||
| try { | ||
| if (!universeDomain.equals(sourceCredential.getUniverseDomain())) { |
There was a problem hiding this comment.
qq, does CAB plan to restrict the sourceCredentials to a subset of GoogleCredentials (i.e. only Compute or SA)?
Or can any GoogleCredential be used?
There was a problem hiding this comment.
Currently, client-side CAB only works with service account tokens. In the future we might add support for other types of tokens.
There was a problem hiding this comment.
I think it would be helpful to add validation for that. One reason is that universe_domain retrieval should never throw an IOException for SACredentials. It was added for ComputeEngineCredentials because of MDS.
Also it could be helpful to get an error message earlier, rather than finding out when trying to refreshCredentials
lqiu96
left a comment
lqiu96
left a comment
There was a problem hiding this comment.
LGTM. This PR's changes are going into the client-side-cab feature branch and not main. The unimplemented methods and additional changes will be addressed in future PRs.
…ality (#1629) * feat: Implement ClientSideCredentialAccessBoundaryFactory (#1562) * feat: Implement ClientSideCredentialAccessBoundaryFactory.refreshCredentials() Set up the ClientSideCredentialAccessBoundaryFactory class and module. Implement the function to fetch and refresh intermediary tokens from STS. * feat: Add the generated ClientSideAccessBoundaryProto class for Client-Side CAB feature. (#1571) Change-Id: Ic7ef3cbd80b2ad778d61b9ccabf780561d3cc709 * feat: Implement refreshCredentialsIfRequired for intermediate token r… (#1583) * feat: Implement refreshCredentialsIfRequired for intermediate token refresh Implement `refreshCredentialsIfRequired`, called by `generateToken()`, to handle token refresh. It uses `refreshMargin` and `minimumTokenLifetime` to decide on synchronous or asynchronous refresh * Add unit tests for the builder and refreshCredentials() * Improve concurrency handling during credential refresh. Introduced a refresh task to manage concurrent refresh requests, preventing redundant attempts and potential race conditions. This aligns the refresh mechanism with the pattern used in OAuth2Credentials and ensures more robust credential management. * Update existing unit tests for compatibility and readability. * Add unit tests for refreshCredentialsIfRequired. * Fix a merge issue. * Temporary add sonatype-snapshots repository and cel version to fix the build error. * Remove duplicated code. * Fix lint issue. * Fix: Propagate credential refresh exceptions in blocking refresh. * Change cel version * Change cel version * Add jsr305 dependency * Fix Javadoc error * Minor code readability enhancements. * Revert "Fix Javadoc error" This reverts commit 2157fdb. * Address comments (add javadoc and use assertThrows in tests) * Run format script * feat: Implement Client-Side CAB token generation. (#1598) * feat: Implement Client-Side CAB token generation. Change-Id: I2c217656584cf5805297f02340cbbabca471f609 * Use IllegalStateException(String, Throwable) to capture upstream exception during Tink initialization Change-Id: I12af5b84eae4dcec5865adfdad1f9396d54c0200 * Rethrow exceptions from tink and CEL Change-Id: If8c94c786ee39201029d9c27856fd2eafb61e51c * Add tests for invalid keys from upstream, and rename test cases. Change-Id: Ib41cb81c779534fc6efd74d66bf4728efd743906 * Add additional throws comment for generatToken method. Change-Id: I9cfc589ade8a91040fc9c447740493fd49e392af * Refactor tests for better readability. Change-Id: Icfd0bc24c1694f220bcbffc6cde41462c59119c4 * Catch and rethrow the exception of session key not being base64 encoded. Change-Id: I5fa0c25fe020e9612735e4ac5df2b85a2a5aab11 * Format the code using mvn com.coveo:fmt-maven-plugin:format. Change-Id: I46572488dcd28de450a6b1b2f732bee5baa86910 * Fix a typo in the javadoc comment. Change-Id: Icef9ef5f7c3567224ec507303543b78e61f43ec1 * chore: Update version tag in cab-token-generator pom.xml This commit updates the version tag in the pom.xml file. * feat: Add integration test for the client side cab * Remove volatile keyword and use refreshLock when reading intermediateCredentials. * Define new default values for refreshMargin and minimumTokenLifetime. * Update version in pom.xml * Run formatter to resolve lint errors * add missing dependency * Swap the assertEquals parameters so the expected value is first. * Docs: Added javadocs Improvements: Cleaned up code, resolved readability enhancements --------- Co-authored-by: Jiahua Huang <[email protected]> Co-authored-by: aeitzman <[email protected]>
4 participants
See: go/client-side-cab-client-library-java
This PR creates the ClientSideCredentialAccessBoundaryFactory class, and implements the function to fetch the intermediary token and session key from the STS endpoint. It completes the item
Fetching and parsing intermediate tokensin the execution plan. go/offline-cab-sdk-execution-plan