Verify Google ID token

Author: marickvantuil

README.md

@@ -43,6 +43,7 @@ gcloud tasks queues create [QUEUE_ID]
     'location' => env('STACKKIT_CLOUD_TASKS_LOCATION', ''),
     'handler' => env('STACKKIT_CLOUD_TASKS_HANDLER', ''),
     'queue' => env('STACKKIT_CLOUD_TASKS_QUEUE', 'default'),
+    'service_account_email' => env('STACKKIT_CLOUD_TASKS_SERVICE_EMAIL', ''),
 ],
 ```
 

composer.json

@@ -9,7 +9,9 @@
     ],
     "require": {
         "ext-json": "*",
-        "google/cloud-tasks": "^1.6"
+        "google/cloud-tasks": "^1.6",
+        "firebase/php-jwt": "^5.2",
+        "phpseclib/phpseclib": "~2.0"
     },
     "require-dev": {
         "mockery/mockery": "^1.2",

src/CloudTasksQueue.php

@@ -2,7 +2,6 @@
 
 namespace Stackkit\LaravelGoogleCloudTasksQueue;
 
-use Carbon\Carbon;
 use Google\Cloud\Tasks\V2\CloudTasksClient;
 use Google\Cloud\Tasks\V2\HttpMethod;
 use Google\Cloud\Tasks\V2\HttpRequest;
@@ -63,11 +62,11 @@ protected function pushToCloudTasks($queue, $payload, $delay = 0, $attempts = 0)
         $httpRequest->setBody($payload);
 
         $task = $this->createTask();
-        $randomString = Str::random();
-        $task->setName($queueName . '/tasks/' . $randomString);
         $task->setHttpRequest($httpRequest);
 
-        $httpRequest->setHeaders(['X-Stackkit-Auth-Token' => encrypt($randomString)]);
+        $token = new OidcToken;
+        $token->setServiceAccountEmail(Config::serviceAccountEmail());
+        $httpRequest->setOidcToken($token);
 
         if ($availableAt > time()) {
             $task->setScheduleTime(new Timestamp(['seconds' => $availableAt]));

src/Config.php

@@ -26,6 +26,11 @@ public static function handler()
         return config('queue.connections.cloudtasks.handler');
     }
 
+    public static function serviceAccountEmail()
+    {
+        return config('queue.connections.cloudtasks.service_account_email');
+    }
+
     public static function validate(array $config)
     {
         if (empty($config['credentials'])) {
@@ -47,5 +52,9 @@ public static function validate(array $config)
         if (empty($config['handler'])) {
             throw new Error(Errors::invalidHandler());
         }
+
+        if (empty($config['service_account_email'])) {
+            throw new Error(Errors::invalidServiceAccountEmail());
+        }
     }
 }

src/Errors.php

@@ -28,4 +28,9 @@ public static function invalidHandler()
     {
         return 'Google Cloud Tasks handler not provided. To fix this, set the STACKKIT_CLOUD_TASKS_HANDLER environment variable';
     }
+
+    public static function invalidServiceAccountEmail()
+    {
+        return 'Google Service Account email address not provided. This is needed to secure the handler so it is only accessible by Google. To fix this, set the STACKKIT_CLOUD_TASKS_SERVICE_EMAIL environment variable';
+    }
 }

src/TaskHandler.php

@@ -2,22 +2,30 @@
 
 namespace Stackkit\LaravelGoogleCloudTasksQueue;
 
-use Ahc\Jwt\JWT;
 use Google\Cloud\Tasks\V2\CloudTasksClient;
+use GuzzleHttp\Client;
 use Illuminate\Http\Request;
 use Illuminate\Queue\Worker;
 use Illuminate\Queue\WorkerOptions;
+use Illuminate\Support\Arr;
+use phpseclib\Crypt\RSA;
+use phpseclib\Math\BigInteger;
 use Throwable;
+use Firebase\JWT\JWT;
 
 class TaskHandler
 {
     private $client;
     private $request;
+    private $guzzle;
+    private $jwt;
 
-    public function __construct(CloudTasksClient $client, Request $request)
+    public function __construct(CloudTasksClient $client, Request $request, Client $guzzle, JWT $jwt)
     {
         $this->client = $client;
         $this->request = $request;
+        $this->guzzle = $guzzle;
+        $this->jwt = $jwt;
     }
 
     /**
@@ -36,39 +44,88 @@ public function handle($task = null)
     /**
      * @throws CloudTasksException
      */
-    private function authorizeRequest()
+    public function authorizeRequest()
     {
-        $this->checkForRequiredHeaders();
+        if (!$this->request->hasHeader('Authorization')) {
+            throw new CloudTasksException('Missing [Authorization] header');
+        }
 
-        $taskName = $this->request->header('X-Cloudtasks-Taskname');
-        $queueName = $this->request->header('X-Cloudtasks-Queuename');
-        $authToken = $this->request->header('X-Stackkit-Auth-Token');
+        // @todo - kill this check with a Mock
+        if (app()->environment('testing')) {
+            return;
+        }
 
-        $fullQueueName = $this->client->queueName(Config::project(), Config::location(), $queueName);
+        $openIdToken = $this->request->bearerToken();
+        $pubKey = $this->getGooglePublicKey();
 
-        try {
-            $this->client->getTask($fullQueueName . '/tasks/' . $taskName);
-        } catch (Throwable $e) {
-            throw new CloudTasksException('Could not find task');
-        }
+        $decodedToken = $this->jwt->decode($openIdToken, $pubKey, ['RS256']);
 
-        if (decrypt($authToken) != $taskName) {
-            throw new CloudTasksException('Auth token is not valid');
-        }
+        $this->validateToken($decodedToken);
+    }
+
+    private function getGooglePublicKey()
+    {
+        $jwksUri = $this->getJwksUri();
+
+        $keys = $this->getCertificateKeys($jwksUri);
+
+        $firstKey = $keys[1];
+
+        $modulus = $firstKey['n'];
+        $exponent = $firstKey['e'];
+
+        $rsa = new RSA();
+
+        $modulus = new BigInteger(JWT::urlsafeB64Decode($modulus), 256);
+        $exponent = new BigInteger(JWT::urlsafeB64Decode($exponent), 256);
+
+        $rsa->loadKey([
+            'n' => $modulus,
+            'e' => $exponent
+        ]);
+        $rsa->setPublicKey();
+
+        return $rsa->getPublicKey();
+    }
+
+    private function getJwksUri()
+    {
+        $discoveryEndpoint = 'https://accounts.google.com/.well-known/openid-configuration';
+
+        $configurationJson = $this->guzzle->get($discoveryEndpoint);
+
+        $configurations = json_decode($configurationJson->getBody(), true);
+
+        return Arr::get($configurations, 'jwks_uri');
+    }
+
+    private function getCertificateKeys($jwksUri)
+    {
+        $json = $this->guzzle->get($jwksUri);
+
+        $certificates = json_decode($json->getBody(), true);
+
+        return Arr::get($certificates, 'keys');
     }
 
-    private function checkForRequiredHeaders()
+    /**
+     * https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
+     *
+     * @param $openIdToken
+     * @throws CloudTasksException
+     */
+    protected function validateToken($openIdToken)
     {
-        $headers = [
-            'X-Cloudtasks-Taskname',
-            'X-Cloudtasks-Queuename',
-            'X-Stackkit-Auth-Token',
-        ];
-
-        foreach ($headers as $header) {
-            if (!$this->request->hasHeader($header)) {
-                throw new CloudTasksException('Missing [' . $header . '] header');
-            }
+        if (!in_array($openIdToken->iss, ['https://accounts.google.com', 'accounts.google.com'])) {
+            throw new CloudTasksException('The given OpenID token is not valid');
+        }
+
+        if ($openIdToken->aud != Config::handler()) {
+            throw new CloudTasksException('The given OpenID token is not valid');
+        }
+
+        if ($openIdToken->exp < time()) {
+            throw new CloudTasksException('The given OpenID token has expired');
         }
     }
 

tests/ConfigTest.php

@@ -62,4 +62,15 @@ public function handler_is_required()
 
         SimpleJob::dispatch();
     }
+
+    /** @test */
+    public function service_email_is_required()
+    {
+        $this->setConfigValue('service_account_email', '');
+
+        $this->expectException(Error::class);
+        $this->expectExceptionMessage(Errors::invalidServiceAccountEmail());
+
+        SimpleJob::dispatch();
+    }
 }

tests/QueueTest.php

@@ -22,7 +22,7 @@ protected function setUp(): void
         parent::setUp();
 
         $this->client = Mockery::mock(CloudTasksClient::class)->makePartial();
-        $this->http = Mockery::mock(HttpRequest::class)->makePartial();
+        $this->http = Mockery::mock(new HttpRequest)->makePartial();
         $this->task = Mockery::mock(new Task);
 
         $this->app->instance(CloudTasksClient::class, $this->client);

tests/TaskHandlerTest.php

@@ -2,7 +2,9 @@
 
 namespace Tests;
 
+use Firebase\JWT\JWT;
 use Google\Cloud\Tasks\V2\CloudTasksClient;
+use GuzzleHttp\Client;
 use Illuminate\Support\Facades\Mail;
 use Stackkit\LaravelGoogleCloudTasksQueue\CloudTasksException;
 use Stackkit\LaravelGoogleCloudTasksQueue\TaskHandler;
@@ -17,88 +19,47 @@ class TaskHandlerTest extends TestCase
 
     private $client;
 
+    private $jwt;
+
     protected function setUp(): void
     {
         parent::setUp();
 
         $this->client = \Mockery::mock(CloudTasksClient::class)->makePartial();
-        $this->handler = new TaskHandler(
-            $this->client,
-            request()
-        );
-    }
-
-    /** @test */
-    public function it_needs_a_task_name_header()
-    {
-        $this->expectException(CloudTasksException::class);
-        $this->expectExceptionMessage('Missing [X-Cloudtasks-Taskname] header');
-
-        $this->handler->handle();
-    }
 
-    /** @test */
-    public function it_needs_a_queue_name_header()
-    {
-        $this->expectException(CloudTasksException::class);
-        $this->expectExceptionMessage('Missing [X-Cloudtasks-Queuename] header');
+        $this->jwt = \Mockery::mock(JWT::class)->makePartial();
 
-        request()->headers->add(['X-Cloudtasks-Taskname' => 'test']);
-        $this->handler->handle();
+        $this->handler = \Mockery::mock(new TaskHandler(
+            $this->client,
+            request(),
+            new Client(),
+            $this->jwt
+        ))->shouldAllowMockingProtectedMethods();
+        $this->app->instance(TaskHandler::class, $this->handler);
+
+        $this->jwt->shouldReceive('decode')->andReturnNull();
+        $this->handler->shouldReceive('authorizeRequest')->andReturnNull();
     }
 
     /** @test */
-    public function it_needs_a_stackkit_auth_token_header()
+    public function it_needs_an_authorization_header()
     {
         $this->expectException(CloudTasksException::class);
-        $this->expectExceptionMessage('Missing [X-Stackkit-Auth-Token] header');
+        $this->expectExceptionMessage('Missing [Authorization] header');
 
         request()->headers->add(['X-Cloudtasks-Taskname' => 'test']);
         request()->headers->add(['X-Cloudtasks-Queuename' => 'test']);
         $this->handler->handle();
     }
 
-    /** @test */
-    public function it_will_check_if_the_incoming_task_exists()
-    {
-        request()->headers->add(['X-Cloudtasks-Taskname' => 'test']);
-        request()->headers->add(['X-Cloudtasks-Queuename' => 'test']);
-        request()->headers->add(['X-Stackkit-Auth-Token' => encrypt('test')]);
-
-        Mail::fake();
-
-        $this->client
-            ->shouldReceive('getTask')
-            ->once()
-            ->with('projects/test-project/locations/europe-west6/queues/test/tasks/test')
-            ->andReturnNull();
-
-        $this->handler->handle(json_decode(file_get_contents(__DIR__ . '/Support/test-job-payload.json'), true));
-    }
-
-    /** @test */
-    public function it_will_check_the_auth_token()
-    {
-        request()->headers->add(['X-Cloudtasks-Taskname' => 'test']);
-        request()->headers->add(['X-Cloudtasks-Queuename' => 'test']);
-        request()->headers->add(['X-Stackkit-Auth-Token' => encrypt('does not match the task name')]);
-
-        $this->client->shouldReceive('getTask')->andReturnNull();
-
-        $this->expectException(CloudTasksException::class);
-        $this->expectExceptionMessage('Auth token is not valid');
-
-        $this->handler->handle(json_decode(file_get_contents(__DIR__ . '/Support/test-job-payload.json'), true));
-    }
-
     /** @test */
     public function it_runs_the_incoming_job()
     {
         Mail::fake();
 
         request()->headers->add(['X-Cloudtasks-Taskname' => 'test']);
         request()->headers->add(['X-Cloudtasks-Queuename' => 'test']);
-        request()->headers->add(['X-Stackkit-Auth-Token' => encrypt('test')]);
+        request()->headers->add(['Authorization' => 'Bearer 123']);
 
         $this->client->shouldReceive('getTask')->andReturnNull();
 

tests/TestCase.php

@@ -37,6 +37,7 @@ protected function getEnvironmentSetUp($app)
             'project' => 'test-project',
             'location' => 'europe-west6',
             'handler' => 'https://localhost/my-handler',
+            'service_account_email' => '[email protected]',
         ]);
     }