Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: refactor verify to use firebase/jwt CachedKeySet #2596

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

chore: refactor verify to use firebase/jwt CachedKeySet #2596

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
5c55f13
chore: better id token tests
bshaffer May 20, 2024
cb90890
feat: use jwt CachedKeySet
bshaffer May 20, 2024
38354cf
remove phpseclib
bshaffer May 20, 2024
4b09dcb
fix phpstan
bshaffer May 20, 2024
73c404a
fix phpstan again
bshaffer May 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions composer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,8 @@
"php": "^8.0",
"google/auth": "^1.37",
"google/apiclient-services": "~0.350",
"firebase/php-jwt": "^6.0",
"firebase/php-jwt": "^6.3",
"monolog/monolog": "^2.9||^3.0",
"phpseclib/phpseclib": "^3.0.36",
"guzzlehttp/guzzle": "^7.4.5",
"guzzlehttp/psr7": "^2.6"
},
Expand Down
196 changes: 34 additions & 162 deletions src/AccessToken/Verify.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,24 +18,20 @@

namespace Google\AccessToken;

use DateTime;
use DomainException;
use Exception;
use ExpiredException;
use Firebase\JWT\ExpiredException as ExpiredExceptionV3;
use Firebase\JWT\CachedKeySet;
use Firebase\JWT\ExpiredException;
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Firebase\JWT\SignatureInvalidException;
use Google\Auth\Cache\MemoryCacheItemPool;
use Google\Exception as GoogleException;
use GuzzleHttp\Client;
use GuzzleHttp\ClientInterface;
use GuzzleHttp\ClientInterface as GuzzleClientInterface;
use GuzzleHttp\Psr7\HttpFactory;
use InvalidArgumentException;
use LogicException;
use phpseclib3\Crypt\AES;
use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\Math\BigInteger;
use Psr\Cache\CacheItemPoolInterface;
use Psr\Http\Client\ClientInterface;

/**
* Wrapper around Google Access Tokens which provides convenience functions
Expand All @@ -48,26 +44,21 @@ class Verify
const OAUTH2_ISSUER_HTTPS = 'https://accounts.google.com';

/**
* @var ClientInterface The http client
*/
private $http;
* @var \Firebase\JWT\JWT
*/
public JWT $jwt;

/**
* @var CacheItemPoolInterface cache class
* @var \Firebase\JWT\CachedKeySet
*/
private $cache;

/**
* @var \Firebase\JWT\JWT
*/
public $jwt;
private CachedKeySet $keySet;

/**
* Instantiates the class, but does not initiate the login flow, leaving it
* to the discretion of the caller.
*/
public function __construct(
ClientInterface $http = null,
GuzzleClientInterface $http = null,
CacheItemPoolInterface $cache = null,
$jwt = null
) {
Expand All @@ -79,9 +70,17 @@ public function __construct(
$cache = new MemoryCacheItemPool();
}

$this->http = $http;
$this->cache = $cache;
if (!$http instanceof ClientInterface) {
throw new InvalidArgumentException('http client must implement ' . ClientInterface::class);
}

$this->jwt = $jwt ?: $this->getJwtService();
$this->keySet = new CachedKeySet(
self::FEDERATED_SIGNON_CERT_URL,
$http,
new HttpFactory(),
$cache
);
}

/**
Expand All @@ -100,123 +99,27 @@ public function verifyIdToken($idToken, $audience = null)
throw new LogicException('id_token cannot be null');
}

// set phpseclib constants if applicable
$this->setPhpsecConstants();

// Check signature
$certs = $this->getFederatedSignOnCerts();
foreach ($certs as $cert) {
try {
$args = [$idToken];
$publicKey = $this->getPublicKey($cert);
if (class_exists(Key::class)) {
$args[] = new Key($publicKey, 'RS256');
} else {
$args[] = $publicKey;
$args[] = ['RS256'];
}
$payload = \call_user_func_array([$this->jwt, 'decode'], $args);

if (property_exists($payload, 'aud')) {
if ($audience && $payload->aud != $audience) {
return false;
}
}

// support HTTP and HTTPS issuers
// @see https://developers.google.com/identity/sign-in/web/backend-auth
$issuers = [self::OAUTH2_ISSUER, self::OAUTH2_ISSUER_HTTPS];
if (!isset($payload->iss) || !in_array($payload->iss, $issuers)) {
return false;
}

return (array) $payload;
} catch (ExpiredException $e) { // @phpstan-ignore-line
return false;
} catch (ExpiredExceptionV3 $e) {
return false;
} catch (SignatureInvalidException $e) {
// continue
} catch (DomainException $e) {
// continue
}
try {
$payload = ($this->jwt)->decode($idToken, $this->keySet);
} catch (ExpiredException | SignatureInvalidException | DomainException) {
return false;
}

return false;
}

private function getCache()
{
return $this->cache;
}

/**
* Retrieve and cache a certificates file.
*
* @param string $url location
* @throws \Google\Exception
* @return array certificates
*/
private function retrieveCertsFromLocation($url)
{
// If we're retrieving a local file, just grab it.
if (0 !== strpos($url, 'http')) {
if (!$file = file_get_contents($url)) {
throw new GoogleException(
"Failed to retrieve verification certificates: '" .
$url . "'."
);
}

return json_decode($file, true);
}

// @phpstan-ignore-next-line
$response = $this->http->get($url);

if ($response->getStatusCode() == 200) {
return json_decode((string) $response->getBody(), true);
}
throw new GoogleException(
sprintf(
'Failed to retrieve verification certificates: "%s".',
$response->getBody()->getContents()
),
$response->getStatusCode()
);
}

// Gets federated sign-on certificates to use for verifying identity tokens.
// Returns certs as array structure, where keys are key ids, and values
// are PEM encoded certificates.
private function getFederatedSignOnCerts()
{
$certs = null;
if ($cache = $this->getCache()) {
$cacheItem = $cache->getItem('federated_signon_certs_v3');
$certs = $cacheItem->get();
}


if (!$certs) {
$certs = $this->retrieveCertsFromLocation(
self::FEDERATED_SIGNON_CERT_URL
);

if ($cache) {
$cacheItem->expiresAt(new DateTime('+1 hour'));
$cacheItem->set($certs);
$cache->save($cacheItem);
if (property_exists($payload, 'aud')) {
if ($audience && $payload->aud != $audience) {
return false;
}
}

if (!isset($certs['keys'])) {
throw new InvalidArgumentException(
'federated sign-on certs expects "keys" to be set'
);
// support HTTP and HTTPS issuers
// @see https://developers.google.com/identity/sign-in/web/backend-auth
$issuers = [self::OAUTH2_ISSUER, self::OAUTH2_ISSUER_HTTPS];
if (!isset($payload->iss) || !in_array($payload->iss, $issuers)) {
return false;
}

return $certs['keys'];
return (array) $payload;
}

private function getJwtService()
Expand All @@ -230,35 +133,4 @@ private function getJwtService()

return $jwt;
}

private function getPublicKey($cert)
{
$modulus = new BigInteger($this->jwt->urlsafeB64Decode($cert['n']), 256);
$exponent = new BigInteger($this->jwt->urlsafeB64Decode($cert['e']), 256);
$component = ['n' => $modulus, 'e' => $exponent];

$loader = PublicKeyLoader::load($component);

return $loader->toString('PKCS8');
}

/**
* phpseclib calls "phpinfo" by default, which requires special
* whitelisting in the AppEngine VM environment. This function
* sets constants to bypass the need for phpseclib to check phpinfo
*
* @see phpseclib/Math/BigInteger
* @see https://github.com/GoogleCloudPlatform/getting-started-php/issues/85
*/
private function setPhpsecConstants()
{
if (filter_var(getenv('GAE_VM'), FILTER_VALIDATE_BOOLEAN)) {
if (!defined('MATH_BIGINTEGER_OPENSSL_ENABLED')) {
define('MATH_BIGINTEGER_OPENSSL_ENABLED', true);
}
if (!defined('CRYPT_RSA_MODE')) {
define('CRYPT_RSA_MODE', AES::ENGINE_OPENSSL);
}
}
}
}
26 changes: 12 additions & 14 deletions tests/BaseTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ class BaseTest extends TestCase
use ProphecyTrait;

private $key;
private $client;
protected $client;

public function getClient()
{
Expand All @@ -45,14 +45,14 @@ public function getClient()

public function getCache($path = null)
{
$path = $path ?: sys_get_temp_dir().'/google-api-php-client-tests/';
$path = sys_get_temp_dir() . '/google-api-php-client-tests/' . ($path ?: '');
$filesystemAdapter = new Local($path);
$filesystem = new Filesystem($filesystemAdapter);

return new FilesystemCachePool($filesystem);
}

private function createClient()
protected function createClient(array $scopes = null)
{
$options = [
'auth' => 'google_auth',
Expand All @@ -69,14 +69,14 @@ private function createClient()
$client = new Client();
$client->setApplicationName('google-api-php-client-tests');
$client->setHttpClient($httpClient);
$client->setScopes(
[
"https://www.googleapis.com/auth/tasks",
"https://www.googleapis.com/auth/adsense",
"https://www.googleapis.com/auth/youtube",
"https://www.googleapis.com/auth/drive",
]
);

$scopes = $scopes ?? [
'https://www.googleapis.com/auth/tasks',
'https://www.googleapis.com/auth/adsense',
'https://www.googleapis.com/auth/youtube',
'https://www.googleapis.com/auth/drive',
];
$client->setScopes($scopes);

if ($this->key) {
$client->setDeveloperKey($this->key);
Expand All @@ -85,9 +85,7 @@ private function createClient()
list($clientId, $clientSecret) = $this->getClientIdAndSecret();
$client->setClientId($clientId);
$client->setClientSecret($clientSecret);
if (version_compare(PHP_VERSION, '5.5', '>=')) {
$client->setCache($this->getCache());
}
$client->setCache($this->getCache(sha1(implode('', $scopes))));

return $client;
}
Expand Down
Loading
Loading