Unverified Commit 7fa653db authored by jboeuf's avatar jboeuf Committed by GitHub

Merge pull request #21277 from jboeuf/sts_creds_fix

Fixing bug where subject token was used instead of the actor token.
parents cfc8fbbe cedf76ee
...@@ -616,7 +616,7 @@ class StsTokenFetcherCredentials ...@@ -616,7 +616,7 @@ class StsTokenFetcherCredentials
if (err != GRPC_ERROR_NONE) return cleanup(); if (err != GRPC_ERROR_NONE) return cleanup();
MaybeAddToBody( MaybeAddToBody(
&body_strvec, "actor_token", &body_strvec, "actor_token",
reinterpret_cast<const char*>(GRPC_SLICE_START_PTR(subject_token))); reinterpret_cast<const char*>(GRPC_SLICE_START_PTR(actor_token)));
MaybeAddToBody(&body_strvec, "actor_token_type", actor_token_type_.get()); MaybeAddToBody(&body_strvec, "actor_token_type", actor_token_type_.get());
} }
return cleanup(); return cleanup();
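Review bot: The cast on the `actor_token` line passes the slice's start pointer to MaybeAddToBody as a C string, which is sound only if the slice holding the actor token ends in a NUL byte; the code that loads it is outside this hunk, so this should be confirmed. If the slice were not terminated, the read would run past the token and adjacent memory could be copied into the request body sent to the STS endpoint. A short comment at the call, such as `// actor_token is loaded NUL-terminated; the cast relies on it`, would record the invariant, and the same applies to the subject token call, which is presumably just above. The enclosing function starts and ends outside the hunk.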
......
...@@ -115,6 +115,11 @@ static const char test_signed_jwt[] = ...@@ -115,6 +115,11 @@ static const char test_signed_jwt[] =
"U0MDcyZTViYTdmZDkwODg2YzcifQ"; "U0MDcyZTViYTdmZDkwODg2YzcifQ";
static const char test_signed_jwt_token_type[] = static const char test_signed_jwt_token_type[] =
"urn:ietf:params:oauth:token-type:id_token"; "urn:ietf:params:oauth:token-type:id_token";
static const char test_signed_jwt2[] =
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImY0OTRkN2M1YWU2MGRmOTcyNmM5YW"
"U2MDcyZTViYTdnZDkwODg5YzcifQ";
static const char test_signed_jwt_token_type2[] =
"urn:ietf:params:oauth:token-type:jwt";
static const char test_signed_jwt_path_prefix[] = "test_sign_jwt"; static const char test_signed_jwt_path_prefix[] = "test_sign_jwt";
static const char test_service_url[] = "https://foo.com/foo.v1"; static const char test_service_url[] = "https://foo.com/foo.v1";
...@@ -859,8 +864,10 @@ static void validate_sts_token_http_request(const grpc_httpcli_request* request, ...@@ -859,8 +864,10 @@ static void validate_sts_token_http_request(const grpc_httpcli_request* request,
test_signed_jwt) == 0); test_signed_jwt) == 0);
GPR_ASSERT(strcmp(grpc_uri_get_query_arg(url, "subject_token_type"), GPR_ASSERT(strcmp(grpc_uri_get_query_arg(url, "subject_token_type"),
test_signed_jwt_token_type) == 0); test_signed_jwt_token_type) == 0);
GPR_ASSERT(grpc_uri_get_query_arg(url, "actor_token") == nullptr); GPR_ASSERT(strcmp(grpc_uri_get_query_arg(url, "actor_token"),
GPR_ASSERT(grpc_uri_get_query_arg(url, "actor_token_type") == nullptr); test_signed_jwt2) == 0);
GPR_ASSERT(strcmp(grpc_uri_get_query_arg(url, "actor_token_type"),
test_signed_jwt_token_type2) == 0);
grpc_uri_destroy(url); grpc_uri_destroy(url);
gpr_free(get_url_equivalent); gpr_free(get_url_equivalent);
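Review bot: The no-actor case is no longer checked in validate_sts_token_http_request: the two `== nullptr` assertions are replaced, not supplemented, so a request that sends `actor_token` when no actor token path is configured would pass every test visible on this page. A second success test with `nullptr` actor options, and a validator that keeps the old absence assertions, would cover it. Separately, the removed assertions imply that grpc_uri_get_query_arg returns nullptr for a missing argument, in which case the new `strcmp` calls would crash instead of failing an assertion; add `GPR_ASSERT(grpc_uri_get_query_arg(url, "actor_token") != nullptr);` before the comparison, and the same for `actor_token_type`. The function body starts before this hunk.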
...@@ -884,13 +891,13 @@ static int sts_token_httpcli_post_success(const grpc_httpcli_request* request, ...@@ -884,13 +891,13 @@ static int sts_token_httpcli_post_success(const grpc_httpcli_request* request,
return 1; return 1;
} }
static char* write_tmp_jwt_file(void) { static char* write_tmp_jwt_file(const char* jwt_contents) {
char* path; char* path;
FILE* tmp = gpr_tmpfile(test_signed_jwt_path_prefix, &path); FILE* tmp = gpr_tmpfile(test_signed_jwt_path_prefix, &path);
GPR_ASSERT(path != nullptr); GPR_ASSERT(path != nullptr);
GPR_ASSERT(tmp != nullptr); GPR_ASSERT(tmp != nullptr);
size_t jwt_length = strlen(test_signed_jwt); size_t jwt_length = strlen(jwt_contents);
GPR_ASSERT(fwrite(test_signed_jwt, 1, jwt_length, tmp) == jwt_length); GPR_ASSERT(fwrite(jwt_contents, 1, jwt_length, tmp) == jwt_length);
fclose(tmp); fclose(tmp);
return path; return path;
} }
...@@ -901,17 +908,18 @@ static void test_sts_creds_success(void) { ...@@ -901,17 +908,18 @@ static void test_sts_creds_success(void) {
{"authorization", "Bearer ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_"}}; {"authorization", "Bearer ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_"}};
grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method, grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
nullptr, nullptr}; nullptr, nullptr};
char* test_signed_jwt_path = write_tmp_jwt_file(); char* subject_token_path = write_tmp_jwt_file(test_signed_jwt);
char* actor_token_path = write_tmp_jwt_file(test_signed_jwt2);
grpc_sts_credentials_options valid_options = { grpc_sts_credentials_options valid_options = {
test_sts_endpoint_url, // sts_endpoint_url test_sts_endpoint_url, // sts_endpoint_url
"resource", // resource "resource", // resource
"audience", // audience "audience", // audience
"scope", // scope "scope", // scope
"requested_token_type", // requested_token_type "requested_token_type", // requested_token_type
test_signed_jwt_path, // subject_token_path subject_token_path, // subject_token_path
test_signed_jwt_token_type, // subject_token_type test_signed_jwt_token_type, // subject_token_type
nullptr, // actor_token_path actor_token_path, // actor_token_path
nullptr // actor_token_type test_signed_jwt_token_type2 // actor_token_type
}; };
grpc_call_credentials* creds = grpc_call_credentials* creds =
grpc_sts_credentials_create(&valid_options, nullptr); grpc_sts_credentials_create(&valid_options, nullptr);
...@@ -934,7 +942,8 @@ static void test_sts_creds_success(void) { ...@@ -934,7 +942,8 @@ static void test_sts_creds_success(void) {
creds->Unref(); creds->Unref();
grpc_httpcli_set_override(nullptr, nullptr); grpc_httpcli_set_override(nullptr, nullptr);
gpr_free(test_signed_jwt_path); gpr_free(subject_token_path);
gpr_free(actor_token_path);
} }
static void test_sts_creds_load_token_failure(void) { static void test_sts_creds_load_token_failure(void) {
...@@ -945,7 +954,7 @@ static void test_sts_creds_load_token_failure(void) { ...@@ -945,7 +954,7 @@ static void test_sts_creds_load_token_failure(void) {
nullptr, 0); nullptr, 0);
grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method, grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
nullptr, nullptr}; nullptr, nullptr};
char* test_signed_jwt_path = write_tmp_jwt_file(); char* test_signed_jwt_path = write_tmp_jwt_file(test_signed_jwt);
grpc_sts_credentials_options options = { grpc_sts_credentials_options options = {
test_sts_endpoint_url, // sts_endpoint_url test_sts_endpoint_url, // sts_endpoint_url
"resource", // resource "resource", // resource
...@@ -974,7 +983,7 @@ static void test_sts_creds_http_failure(void) { ...@@ -974,7 +983,7 @@ static void test_sts_creds_http_failure(void) {
nullptr, 0); nullptr, 0);
grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method, grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
nullptr, nullptr}; nullptr, nullptr};
char* test_signed_jwt_path = write_tmp_jwt_file(); char* test_signed_jwt_path = write_tmp_jwt_file(test_signed_jwt);
grpc_sts_credentials_options valid_options = { grpc_sts_credentials_options valid_options = {
test_sts_endpoint_url, // sts_endpoint_url test_sts_endpoint_url, // sts_endpoint_url
"resource", // resource "resource", // resource
......