Enabling the use of App Engine's SignBytes, ServiceAccount and PublicCertificates (#18)

* Release 1.0.1 (#16)

* Using the ClientOptions provided at App initialization to create the … (#12)

* Using the ClientOptions provided at App initialization to create the HTTPClient in auth package.

* Fixed context import

* Updated test case

* Fixing a test failure; Calling transport.NewHTTPClient() only when ctx and opts are available to avoid an unnecessary default credentials lookup.

* Passing a non-nil context to AuthConfig during testing; Replacing Print+Exit calls with log.Fatal() (#13)

* Bumped version to 1.0.1 (#15)

* adding native app engine support via build tags

* missing files

* adding ability to use standard signer locally with GAE

* allowing for std signer on GAE production env, fixing opts check

* fixing env var name

* removing test log

* giving the key source the same treatment as the signer

* missing files

* removing unneeded build tag

* code review feedback

* missing file

* adjusting constructor per review feedback

* file rename per feedback

* reverting more changes

* review feedback, fixing test

Author: jprobinson

auth/auth.go

@@ -16,15 +16,14 @@
 package auth
 
 import (
+	"crypto/rsa"
+	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
 	"fmt"
 	"strings"
 
-	"crypto/rsa"
-	"crypto/x509"
-
 	"firebase.google.com/go/internal"
 )
 
@@ -62,45 +61,60 @@ type Token struct {
 type Client struct {
 	ks        keySource
 	projectID string
-	email     string
-	pk        *rsa.PrivateKey
+	snr       signer
+}
+
+type signer interface {
+	Email() (string, error)
+	Sign(b []byte) ([]byte, error)
 }
 
 // NewClient creates a new instance of the Firebase Auth Client.
 //
 // This function can only be invoked from within the SDK. Client applications should access the
 // the Auth service through firebase.App.
 func NewClient(c *internal.AuthConfig) (*Client, error) {
+	var (
+		err   error
+		email string
+		pk    *rsa.PrivateKey
+	)
+	if c.Creds != nil && len(c.Creds.JSON) > 0 {
+		var svcAcct struct {
+			ClientEmail string `json:"client_email"`
+			PrivateKey  string `json:"private_key"`
+		}
+		if err := json.Unmarshal(c.Creds.JSON, &svcAcct); err != nil {
+			return nil, err
+		}
+		if svcAcct.PrivateKey != "" {
+			pk, err = parseKey(svcAcct.PrivateKey)
+			if err != nil {
+				return nil, err
+			}
+		}
+		email = svcAcct.ClientEmail
+	}
+	var snr signer
+	if email != "" && pk != nil {
+		snr = serviceAcctSigner{email: email, pk: pk}
+	} else {
+		snr, err = newSigner(c.Ctx)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	ks, err := newHTTPKeySource(c.Ctx, googleCertURL, c.Opts...)
 	if err != nil {
 		return nil, err
 	}
 
-	client := &Client{
+	return &Client{
 		ks:        ks,
 		projectID: c.ProjectID,
-	}
-	if c.Creds == nil || len(c.Creds.JSON) == 0 {
-		return client, nil
-	}
-
-	var svcAcct struct {
-		ClientEmail string `json:"client_email"`
-		PrivateKey  string `json:"private_key"`
-	}
-	if err := json.Unmarshal(c.Creds.JSON, &svcAcct); err != nil {
-		return nil, err
-	}
-
-	if svcAcct.PrivateKey != "" {
-		pk, err := parseKey(svcAcct.PrivateKey)
-		if err != nil {
-			return nil, err
-		}
-		client.pk = pk
-	}
-	client.email = svcAcct.ClientEmail
-	return client, nil
+		snr:       snr,
+	}, nil
 }
 
 // CustomToken creates a signed custom authentication token with the specified user ID. The resulting
@@ -114,11 +128,9 @@ func (c *Client) CustomToken(uid string) (string, error) {
 // CustomTokenWithClaims is similar to CustomToken, but in addition to the user ID, it also encodes
 // all the key-value pairs in the provided map as claims in the resulting JWT.
 func (c *Client) CustomTokenWithClaims(uid string, devClaims map[string]interface{}) (string, error) {
-	if c.email == "" {
-		return "", errors.New("service account email not available")
-	}
-	if c.pk == nil {
-		return "", errors.New("private key not available")
+	iss, err := c.snr.Email()
+	if err != nil {
+		return "", err
 	}
 
 	if len(uid) == 0 || len(uid) > 128 {
@@ -139,15 +151,15 @@ func (c *Client) CustomTokenWithClaims(uid string, devClaims map[string]interfac
 
 	now := clk.Now().Unix()
 	payload := &customToken{
-		Iss:    c.email,
-		Sub:    c.email,
+		Iss:    iss,
+		Sub:    iss,
 		Aud:    firebaseAudience,
 		UID:    uid,
 		Iat:    now,
 		Exp:    now + tokenExpSeconds,
 		Claims: devClaims,
 	}
-	return encodeToken(defaultHeader(), payload, c.pk)
+	return encodeToken(c.snr, defaultHeader(), payload)
 }
 
 // VerifyIDToken verifies the signature	and payload of the provided ID token.

auth/auth_appengine.go

@@ -0,0 +1,40 @@
+// +build appengine
+
+// Copyright 2017 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package auth
+
+import (
+	"golang.org/x/net/context"
+
+	"google.golang.org/appengine"
+)
+
+type aeSigner struct {
+	ctx context.Context
+}
+
+func newSigner(ctx context.Context) (signer, error) {
+	return aeSigner{ctx}, nil
+}
+
+func (s aeSigner) Email() (string, error) {
+	return appengine.ServiceAccount(s.ctx)
+}
+
+func (s aeSigner) Sign(ss []byte) ([]byte, error) {
+	_, sig, err := appengine.SignBytes(s.ctx, ss)
+	return sig, err
+}

auth/auth_std.go

@@ -0,0 +1,23 @@
+// +build !appengine
+
+// Copyright 2017 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package auth
+
+import "context"
+
+func newSigner(ctx context.Context) (signer, error) {
+	return serviceAcctSigner{}, nil
+}

auth/auth_test.go

@@ -27,6 +27,8 @@ import (
 
 	"google.golang.org/api/option"
 	"google.golang.org/api/transport"
+	"google.golang.org/appengine"
+	"google.golang.org/appengine/aetest"
 
 	"firebase.google.com/go/internal"
 )
@@ -75,7 +77,10 @@ func getIDTokenWithKid(kid string, p mockIDTokenPayload) string {
 	}
 	h := defaultHeader()
 	h.KeyID = kid
-	token, _ := encodeToken(h, pCopy, client.pk)
+	token, err := encodeToken(client.snr, h, pCopy)
+	if err != nil {
+		log.Fatalln(err)
+	}
 	return token
 }
 
@@ -95,22 +100,44 @@ func (t *mockKeySource) Keys() ([]*publicKey, error) {
 }
 
 func TestMain(m *testing.M) {
-	var err error
-	opt := option.WithCredentialsFile("../testdata/service_account.json")
-	creds, err = transport.Creds(context.Background(), opt)
-	if err != nil {
-		log.Fatalln(err)
+	var (
+		err   error
+		ks    keySource
+		ctx   context.Context
+		creds *google.DefaultCredentials
+	)
+
+	if appengine.IsDevAppServer() {
+		aectx, aedone, err := aetest.NewContext()
+		if err != nil {
+			log.Fatalln(err)
+		}
+		ctx = aectx
+		defer aedone()
+
+		ks, err = newAEKeySource(ctx)
+		if err != nil {
+			log.Fatalln(err)
+		}
+	} else {
+		opt := option.WithCredentialsFile("../testdata/service_account.json")
+		creds, err = transport.Creds(context.Background(), opt)
+		if err != nil {
+			log.Fatalln(err)
+		}
+
+		ks = &fileKeySource{FilePath: "../testdata/public_certs.json"}
 	}
 
 	client, err = NewClient(&internal.AuthConfig{
-		Ctx:       context.Background(),
+		Ctx:       ctx,
 		Creds:     creds,
 		ProjectID: "mock-project-id",
 	})
 	if err != nil {
 		log.Fatalln(err)
 	}
-	client.ks = &fileKeySource{FilePath: "../testdata/public_certs.json"}
+	client.ks = ks
 
 	testIDToken = getIDToken(nil)
 	os.Exit(m.Run())
@@ -259,3 +286,28 @@ func TestCertificateRequestError(t *testing.T) {
 		t.Error("VeridyIDToken() = nil; want error")
 	}
 }
+
+type aeKeySource struct {
+	keys []*publicKey
+}
+
+func newAEKeySource(ctx context.Context) (keySource, error) {
+	certs, err := appengine.PublicCertificates(ctx)
+	if err != nil {
+		return nil, err
+	}
+	keys := make([]*publicKey, len(certs))
+	for i, cert := range certs {
+		pk, err := parsePublicKey("mock-key-id-1", cert.Data)
+		if err != nil {
+			return nil, err
+		}
+		keys[i] = pk
+	}
+	return aeKeySource{keys}, nil
+}
+
+// Keys returns the RSA Public Keys managed by App Engine.
+func (k aeKeySource) Keys() ([]*publicKey, error) {
+	return k.keys, nil
+}

auth/crypto.go

@@ -16,6 +16,7 @@ package auth
 
 import (
 	"crypto"
+	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
 	"crypto/x509"
@@ -189,20 +190,28 @@ func parsePublicKeys(keys []byte) ([]*publicKey, error) {
 
 	var result []*publicKey
 	for kid, key := range m {
-		block, _ := pem.Decode([]byte(key))
-		cert, err := x509.ParseCertificate(block.Bytes)
+		pubKey, err := parsePublicKey(kid, []byte(key))
 		if err != nil {
 			return nil, err
 		}
-		pk, ok := cert.PublicKey.(*rsa.PublicKey)
-		if !ok {
-			return nil, errors.New("Certificate is not a RSA key")
-		}
-		result = append(result, &publicKey{kid, pk})
+		result = append(result, pubKey)
 	}
 	return result, nil
 }
 
+func parsePublicKey(kid string, key []byte) (*publicKey, error) {
+	block, _ := pem.Decode(key)
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+	pk, ok := cert.PublicKey.(*rsa.PublicKey)
+	if !ok {
+		return nil, errors.New("Certificate is not a RSA key")
+	}
+	return &publicKey{kid, pk}, nil
+}
+
 func verifySignature(parts []string, k *publicKey) error {
 	content := parts[0] + "." + parts[1]
 	signature, err := base64.RawURLEncoding.DecodeString(parts[2])
@@ -214,3 +223,24 @@ func verifySignature(parts []string, k *publicKey) error {
 	h.Write([]byte(content))
 	return rsa.VerifyPKCS1v15(k.Key, crypto.SHA256, h.Sum(nil), []byte(signature))
 }
+
+type serviceAcctSigner struct {
+	email string
+	pk    *rsa.PrivateKey
+}
+
+func (s serviceAcctSigner) Email() (string, error) {
+	if s.email == "" {
+		return "", errors.New("service account email not available")
+	}
+	return s.email, nil
+}
+
+func (s serviceAcctSigner) Sign(ss []byte) ([]byte, error) {
+	if s.pk == nil {
+		return nil, errors.New("private key not available")
+	}
+	hash := sha256.New()
+	hash.Write([]byte(ss))
+	return rsa.SignPKCS1v15(rand.Reader, s.pk, crypto.SHA256, hash.Sum(nil))
+}