fix(auth): Migrate IAM SignBlob to IAMCredentials SignBlob (#480)

kentengjin · web-flow · commit fba507bd4cff · 2020-09-30T11:41:22.000-07:00
* Migrate IAM SignBlob to IAMCredentials SignBlob

Point all SignBlob calls to IAMCredentials

* Fix FirebaseToken tests

Change proto field to fix the test
diff --git a/src/main/java/com/google/firebase/auth/internal/CryptoSigners.java b/src/main/java/com/google/firebase/auth/internal/CryptoSigners.java
@@ -65,13 +65,13 @@ public String getAccount() {
 
   /**
    * @ {@link CryptoSigner} implementation that uses the
-   * <a href="https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signBlob">
-   * Google IAM service</a> to sign data.
+   * <a href=https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob">
+   * Google IAMCredentials service</a> to sign data.
    */
   static class IAMCryptoSigner implements CryptoSigner {
 
     private static final String IAM_SIGN_BLOB_URL =
-        "https://iam.googleapis.com/v1/projects/-/serviceAccounts/%s:signBlob";
+        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:signBlob";
 
     private final String serviceAccount;
     private final ErrorHandlingHttpClient<FirebaseAuthException> httpClient;
@@ -95,11 +95,11 @@ void setInterceptor(HttpResponseInterceptor interceptor) {
     @Override
     public byte[] sign(byte[] payload) throws FirebaseAuthException {
       String encodedPayload = BaseEncoding.base64().encode(payload);
-      Map<String, String> content = ImmutableMap.of("bytesToSign", encodedPayload);
+      Map<String, String> content = ImmutableMap.of("payload", encodedPayload);
       String encodedUrl = String.format(IAM_SIGN_BLOB_URL, serviceAccount);
       HttpRequestInfo requestInfo = HttpRequestInfo.buildJsonPostRequest(encodedUrl, content);
       GenericJson parsed = httpClient.sendAndParse(requestInfo, GenericJson.class);
-      return BaseEncoding.base64().decode((String) parsed.get("signature"));
+      return BaseEncoding.base64().decode((String) parsed.get("signedBlob"));
     }
 
     @Override
diff --git a/src/test/java/com/google/firebase/auth/FirebaseCustomTokenTest.java b/src/test/java/com/google/firebase/auth/FirebaseCustomTokenTest.java
@@ -92,7 +92,7 @@ public void testCreateCustomTokenWithDeveloperClaims() throws Exception {
   public void testCreateCustomTokenWithoutServiceAccountCredentials() throws Exception {
     MockLowLevelHttpResponse response = new MockLowLevelHttpResponse();
     String content = Utils.getDefaultJsonFactory().toString(
-        ImmutableMap.of("signature", BaseEncoding.base64().encode("test-signature".getBytes())));
+        ImmutableMap.of("signedBlob", BaseEncoding.base64().encode("test-signature".getBytes())));
     response.setContent(content);
     MockHttpTransport transport = new MultiRequestMockHttpTransport(ImmutableList.of(response));
 
@@ -117,7 +117,7 @@ public void testCreateCustomTokenWithoutServiceAccountCredentials() throws Excep
   @Test
   public void testCreateCustomTokenWithDiscoveredServiceAccount() throws Exception {
     String content = Utils.getDefaultJsonFactory().toString(
-        ImmutableMap.of("signature", BaseEncoding.base64().encode("test-signature".getBytes())));
+        ImmutableMap.of("signedBlob", BaseEncoding.base64().encode("test-signature".getBytes())));
     List<MockLowLevelHttpResponse> responses = ImmutableList.of(
         // Service account discovery response
         new MockLowLevelHttpResponse().setContent("test@service.account"),
diff --git a/src/test/java/com/google/firebase/auth/internal/CryptoSignersTest.java b/src/test/java/com/google/firebase/auth/internal/CryptoSignersTest.java
@@ -71,7 +71,7 @@ public void testInvalidServiceAccountCryptoSigner() {
   public void testIAMCryptoSigner() throws Exception {
     String signature = BaseEncoding.base64().encode("signed-bytes".getBytes());
     String response = Utils.getDefaultJsonFactory().toString(
-        ImmutableMap.of("signature", signature));
+        ImmutableMap.of("signedBlob", signature));
     MockHttpTransport transport = new MockHttpTransport.Builder()
         .setLowLevelHttpResponse(new MockLowLevelHttpResponse().setContent(response))
         .build();
@@ -84,7 +84,7 @@ public void testIAMCryptoSigner() throws Exception {
 
     byte[] data = signer.sign("foo".getBytes());
     assertArrayEquals("signed-bytes".getBytes(), data);
-    final String url = "https://iam.googleapis.com/v1/projects/-/serviceAccounts/"
+    final String url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
         + "test-service-account@iam.gserviceaccount.com:signBlob";
     assertEquals(url, interceptor.getResponse().getRequest().getUrl().toString());
   }
@@ -150,7 +150,7 @@ public void testInvalidIAMCryptoSigner() {
   public void testMetadataService() throws Exception {
     String signature = BaseEncoding.base64().encode("signed-bytes".getBytes());
     String response = Utils.getDefaultJsonFactory().toString(
-        ImmutableMap.of("signature", signature));
+        ImmutableMap.of("signedBlob", signature));
     MockHttpTransport transport = new MultiRequestMockHttpTransport(
         ImmutableList.of(
             new MockLowLevelHttpResponse().setContent("metadata-server@iam.gserviceaccount.com"),
@@ -168,7 +168,7 @@ public void testMetadataService() throws Exception {
 
     byte[] data = signer.sign("foo".getBytes());
     assertArrayEquals("signed-bytes".getBytes(), data);
-    final String url = "https://iam.googleapis.com/v1/projects/-/serviceAccounts/"
+    final String url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
         + "metadata-server@iam.gserviceaccount.com:signBlob";
     HttpRequest request = interceptor.getResponse().getRequest();
     assertEquals(url, request.getUrl().toString());
@@ -179,7 +179,7 @@ public void testMetadataService() throws Exception {
   public void testExplicitServiceAccountEmail() throws Exception {
     String signature = BaseEncoding.base64().encode("signed-bytes".getBytes());
     String response = Utils.getDefaultJsonFactory().toString(
-        ImmutableMap.of("signature", signature));
+        ImmutableMap.of("signedBlob", signature));
 
     // Explicit service account should get precedence
     MockHttpTransport transport = new MultiRequestMockHttpTransport(
@@ -198,7 +198,7 @@ public void testExplicitServiceAccountEmail() throws Exception {
 
     byte[] data = signer.sign("foo".getBytes());
     assertArrayEquals("signed-bytes".getBytes(), data);
-    final String url = "https://iam.googleapis.com/v1/projects/-/serviceAccounts/"
+    final String url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
         + "explicit-service-account@iam.gserviceaccount.com:signBlob";
     HttpRequest request = interceptor.getResponse().getRequest();
     assertEquals(url, request.getUrl().toString());
