feat: add workload identity federation support #547
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* feat: adds an internal token exchange utility based on https://tools.ietf.org/html/rfc8693 * fix: add copyright and address other comments * fix: fix formatting * fix: fixes copyright again * fix: revert pom changes * fix: revert auto-value changes * fix: remove gson and address other comments * fix: fixes to StsRequestHandlerTest
* feat: adds base external account credentials class and support for file/url based external credentials * fix: javadoc changes * fix: address review comments * fix: nits * fix: fix broken test * fix: format
* feat: implements AWS signature version 4 for signing requests * fix: fix javadoc * fix: address review comments * fix: changes to visibility and addresses other review comments * fix: removes sortedHeaderNames from AwsRequestSignature, uses MessageDigest, and misc changes * feat: generate authorization header in AwsRequestSigner * fix: address more review comments * fix: use RuntimeExceptions instead of invalid state/argument * fix: javadoc * fix: handle invalid input in Builder & misc fixes * fix: get dates at construction and no longer catch ParseException in AwsDates * fix: refactor AwsDates
* feat: adds text/json credential source support to IdentityPoolCredentials * fix: format * fix: format * fix: add missing changes to MockExternalAccountCredentialsTransport * fix: change parseToken to take an InputStream * fix: charsets * fix: broken build * fix: type null check
* feat: adds support for AWS credentials * fix: address nits * fix: remove Truth lib use in AwsCredentialsTest * fix: address more review comments * fix: assertEquals param order * feat: retrieve region from environment variable for AWS Lambda
…for 3pi (#501) * chore: use ImpersonatedCredentials for service account impersonation in ExternalAccountCredentials * chore: add test for invalid service account impersonation url
* fix: update AwsCredentials credential source logic * fix: remove TODOs * fix: cleanup * fix: code review nits * fix: fix broken test * fix: lint
google-cla
bot
added
the
cla: yes
Codecov Report
@@ Coverage Diff @@
## master #547 +/- ##
============================================
+ Coverage 79.92% 83.32% +3.39%
- Complexity 421 571 +150
============================================
Files 28 41 +13
Lines 1978 2645 +667
Branches 215 274 +59
============================================
+ Hits 1581 2204 +623
- Misses 284 301 +17
- Partials 113 140 +27
Continue to review full report at Codecov.
|
elharo
suggested changes
Jan 29, 2021
elharo
reviewed
Feb 2, 2021
oauth2_http/java/com/google/auth/oauth2/AwsRequestSignature.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/StsTokenExchangeResponse.java
Outdated
Show resolved
Hide resolved
oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountCredentialsTest.java
Outdated
Show resolved
Hide resolved
oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountCredentialsTest.java
Outdated
Show resolved
Hide resolved
oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountCredentialsTest.java
Outdated
Show resolved
Hide resolved
oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountCredentialsTest.java
Outdated
Show resolved
Hide resolved
lsirac
changed the title
elharo
reviewed
Feb 12, 2021
oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
Outdated
Show resolved
Hide resolved
elharo
reviewed
Feb 12, 2021
oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountCredentialsTest.java
Outdated
Show resolved
Hide resolved
oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountCredentialsTest.java
Outdated
Show resolved
Hide resolved
oauth2_http/javatests/com/google/auth/oauth2/IdentityPoolCredentialsTest.java
Outdated
Show resolved
Hide resolved
oauth2_http/javatests/com/google/auth/oauth2/IdentityPoolCredentialsTest.java
Outdated
Show resolved
Hide resolved
elharo
reviewed
Feb 13, 2021
oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java
Outdated
Show resolved
Hide resolved
elharo
reviewed
Feb 17, 2021
| * | ||
| * <p>By default, attempts to exchange the external credential for a GCP access token. | ||
| */ | ||
| public class AwsCredentials extends ExternalAccountCredentials { |
There was a problem hiding this comment.
does this class need to be public? It looks like the only public methods are overridden or visible for testing, so I'm guessing no. The less API we have to publish and support ever after the better.
There was a problem hiding this comment.
I'd prefer to keep this public. Developers can initialize an AwsCredential and use it directly, and other credentials follow that pattern. They also need to be able to create an AwsCredential with specific scopes.
| implements QuotaProjectIdProvider { | ||
|
|
||
| /** Base credential source class. Dictates the retrieval method of the external credential. */ | ||
| abstract static class CredentialSource { |
There was a problem hiding this comment.
could/should this be an outer class? ExternalAccountCredentials is so large github won't even display it by default, which suggests it might help to break it up.
There was a problem hiding this comment.
I don't think this makes sense as an outer class. It's required for all external credentials and not used in any other context. It's also confusing if you come across it outside of this class.
oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/StsTokenExchangeRequest.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/StsTokenExchangeRequest.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/StsTokenExchangeRequest.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/StsTokenExchangeResponse.java
Outdated
Show resolved
Hide resolved
elharo
reviewed
Feb 17, 2021
oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java
Outdated
Show resolved
Hide resolved
elharo
reviewed
Feb 17, 2021
| throw new IllegalArgumentException("Invalid AWS environment ID."); | ||
| } | ||
|
|
||
| int environmentVersion = Integer.parseInt(matcher.group(2)); |
There was a problem hiding this comment.
more simply, this looks like the string simply equals the literal "aws1"
There was a problem hiding this comment.
hmm we have to parse the version anyway for the error message
oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
Outdated
Show resolved
Hide resolved
elharo
approved these changes
Feb 17, 2021
chingor13
approved these changes
Feb 18, 2021
chingor13
changed the title
gcf-merge-on-green bot
pushed a commit
that referenced
this pull request
Feb 22, 2021
🤖 I have created a release \*beep\* \*boop\* --- ## [0.24.0](https://www.github.com/googleapis/google-auth-library-java/compare/v0.23.0...v0.24.0) (2021-02-19) ### Features * add workload identity federation support ([#547](https://www.github.com/googleapis/google-auth-library-java/issues/547)) ([b8dde1e](https://www.github.com/googleapis/google-auth-library-java/commit/b8dde1e43f86a0a00741790c12d73f6cbda6251d)) ### Bug Fixes * don't log downloads ([#576](https://www.github.com/googleapis/google-auth-library-java/issues/576)) ([6181030](https://www.github.com/googleapis/google-auth-library-java/commit/61810306dc0e18500a4a6b2704e00842fbecd879)) ### Documentation * add instructions for using workload identity federation ([#564](https://www.github.com/googleapis/google-auth-library-java/issues/564)) ([2142db3](https://www.github.com/googleapis/google-auth-library-java/commit/2142db314666f298071ae30a7419b00d48d87476)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See go/guac-3pi-java.