Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: respect token_uri from json in UserCredentials creation. #1630

Merged
merged 3 commits into from
Feb 3, 2025
Merged

fix: respect token_uri from json in UserCredentials creation. #1630

merged 3 commits into from
Feb 3, 2025

Conversation

zhumin8
Copy link
Contributor

@zhumin8 zhumin8 commented Jan 24, 2025
edited
Loading

context: b/382442857

@zhumin8
fix: respect token_uri from json in UserCredentials creation.

Verified

This commit was signed with the committer’s verified signature.
RedL0tus Jiangjin Wang
GPG key ID: 792E2F224CADAB1B
Verified
Learn about vigilant mode
04cf1c2
@zhumin8 zhumin8 requested review from a team as code owners January 24, 2025 14:59
@product-auto-label product-auto-label bot added the size: s Pull request size is small. label Jan 24, 2025
@zhumin8 zhumin8 requested a review from lqiu96 January 24, 2025 15:02
sai-sunder-s
sai-sunder-s approved these changes Jan 24, 2025
View reviewed changes
Copy link
Contributor

@sai-sunder-s sai-sunder-s left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the quick fix!

lqiu96
lqiu96 reviewed Jan 27, 2025
View reviewed changes
oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
Comment on lines +127 to +128
String tokenUrl = (String) json.get("token_uri");
URI tokenUri = (tokenUrl == null || tokenUrl.isEmpty()) ? null : URI.create(tokenUrl);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

qq, is this a value that exists? I was looking at my credentials.json file in the well known ADC path and I don't think I see an entry for tokenUri. Perhaps I needed additional flags for gcloud application-default login?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this exists in the standard credentials.json file. Rather iiuc, we are providing a workaround that if user edit their json file and add this field, we use value from it. (ref: http://b/382442857#comment73)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add that as a quick comment above? I'm not entirely sure that this is going to be permanent/ how long we intend to support this.

And given the prior stuff about malicious URIs, perhaps a warning about modifying the token_uri/ using a JSON with a malicious token_uri?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. Although in this case, user has to explicitly provide this. @sai-sunder-s do we need to add similar warning here?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not think we need a warning here because even if url is malicious, we will be sending it a token that is built purely using the data in the json.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@zhumin8 zhumin8 merged commit f92cc4f into main Feb 3, 2025
19 of 20 checks passed
@zhumin8 zhumin8 deleted the usercd_tokenuri_fromjson branch February 3, 2025 22:05
@release-please release-please bot mentioned this pull request Feb 3, 2025
Merged
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Feb 5, 2025
@github-cash-renovate-jvm-2 @svc-squareup-copybara
This PR contains the following updates:
e697dee 
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| org.flywaydb.flyway | plugin | misk/gradle/libs.versions.toml | gradle
| patch | `11.3.0` -> `11.3.1` |
|
[com.google.auth:google-auth-library-oauth2-http](https://github.com/googleapis/google-auth-library-java)
| dependencies | misk/gradle/libs.versions.toml | gradle | minor |
`1.31.0` -> `1.32.0` |
|
[com.google.auth:google-auth-library-credentials](https://github.com/googleapis/google-auth-library-java)
| dependencies | misk/gradle/libs.versions.toml | gradle | minor |
`1.31.0` -> `1.32.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.12` -> `2.30.13` |
|
[software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava)
| dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.12` -> `2.30.13` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.12` -> `2.30.13` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.12` -> `2.30.13` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.12` -> `2.30.13` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.12` -> `2.30.13` |

---

### Release Notes

<details>
<summary>googleapis/google-auth-library-java
(com.google.auth:google-auth-library-oauth2-http)</summary>

###
[`v1.32.0`](https://github.com/googleapis/google-auth-library-java/blob/HEAD/CHANGELOG.md#1320-2025-02-04)

##### Features

- Introduce Client-Side Credential Access Boundary (CAB) functionality
([#&#8203;1629](googleapis/google-auth-library-java#1629))
([f481123](googleapis/google-auth-library-java@f481123))

##### Bug Fixes

- Handle 404 and non 200 Status Code from MDS Identity Token calls
([#&#8203;1636](googleapis/google-auth-library-java#1636))
([152c851](googleapis/google-auth-library-java@152c851))
- Respect token_uri from json in UserCredentials creation.
([#&#8203;1630](googleapis/google-auth-library-java#1630))
([f92cc4f](googleapis/google-auth-library-java@f92cc4f))

##### Documentation

- Re-organize the README + Add a section on migrating to
GoogleCredentials
([#&#8203;1644](googleapis/google-auth-library-java#1644))
([30b26b2](googleapis/google-auth-library-java@30b26b2))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: f984e57edb0f670423a82dec1bcfe012849eb91d
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sai-sunder-s sai-sunder-s

@lqiu96 lqiu96

Assignees
No one assigned
Labels
size: s Pull request size is small.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@zhumin8 @sai-sunder-s @lqiu96