Use Google SDK open id verification library

marickvantuil · marickvantuil · commit 26129e63e151 · 2022-04-23T17:06:21.000+02:00
diff --git a/composer.json b/composer.json
@@ -10,7 +10,6 @@
     "require": {
         "ext-json": "*",
         "google/cloud-scheduler": "^1.5",
-        "firebase/php-jwt": "^5.5",
         "phpseclib/phpseclib": "~2.0"
     },
     "require-dev": {
diff --git a/src/CloudSchedulerServiceProvider.php b/src/CloudSchedulerServiceProvider.php
@@ -10,6 +10,7 @@ class CloudSchedulerServiceProvider extends LaravelServiceProvider
     public function boot(Router $router)
     {
         $this->registerRoutes($router);
+        $this->registerClient();
     }
 
     public function register()
@@ -21,4 +22,9 @@ private function registerRoutes(Router $router)
     {
         $router->post('cloud-scheduler-job', [TaskHandler::class, 'handle']);
     }
+
+    private function registerClient()
+    {
+        $this->app->bind('open-id-verificator', OpenIdVerificatorConcrete::class);
+    }
 }
diff --git a/src/OpenIdVerificator.php b/src/OpenIdVerificator.php
@@ -2,148 +2,17 @@
 
 namespace Stackkit\LaravelGoogleCloudScheduler;
 
-use Carbon\Carbon;
-use Firebase\JWT\JWT;
-use Firebase\JWT\SignatureInvalidException;
-use GuzzleHttp\Client;
-use GuzzleHttp\Exception\ServerException;
-use Illuminate\Support\Arr;
-use Illuminate\Support\Facades\Cache;
-use phpseclib\Crypt\RSA;
-use phpseclib\Math\BigInteger;
-use Throwable;
+use Illuminate\Support\Facades\Facade;
 
-class OpenIdVerificator
+class OpenIdVerificator extends Facade
 {
-    private const V3_CERTS = 'GOOGLE_V3_CERTS';
-    private const URL_OPENID_CONFIG = 'https://accounts.google.com/.well-known/openid-configuration';
-    private const URL_TOKEN_INFO = 'https://www.googleapis.com/oauth2/v3/tokeninfo';
-
-    private $guzzle;
-    private $rsa;
-    private $jwt;
-    private $maxAge = [];
-
-    public function __construct(Client $guzzle, RSA $rsa, JWT $jwt)
-    {
-        $this->guzzle = $guzzle;
-        $this->rsa = $rsa;
-        $this->jwt = $jwt;
-    }
-
-    public function guardAgainstInvalidOpenIdToken($decodedToken)
-    {
-        /**
-         * https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
-         */
-        if (!in_array($decodedToken->iss, ['https://accounts.google.com', 'accounts.google.com'])) {
-            throw new CloudSchedulerException('The given OpenID token is not valid');
-        }
-
-        if ($decodedToken->exp < time()) {
-            throw new CloudSchedulerException('The given OpenID token has expired');
-        }
-
-        if ($decodedToken->aud !== config('laravel-google-cloud-scheduler.app_url')) {
-            throw new CloudSchedulerException('The given OpenID token is not valid');
-        }
-    }
-
-    public function decodeOpenIdToken($openIdToken, $kid, $cache = true)
-    {
-        if (!$cache) {
-            $this->forgetFromCache();
-        }
-
-        $publicKey = $this->getPublicKey($kid);
-
-        try {
-            return $this->jwt->decode($openIdToken, $publicKey, ['RS256']);
-        } catch (SignatureInvalidException $e) {
-            if (!$cache) {
-                throw $e;
-            }
-
-            return $this->decodeOpenIdToken($openIdToken, $kid, false);
-        }
-    }
-
-    public function getPublicKey($kid = null)
-    {
-        if (Cache::has(self::V3_CERTS)) {
-            $v3Certs = Cache::get(self::V3_CERTS);
-        } else {
-            $v3Certs = $this->getFreshCertificates();
-            Cache::put(self::V3_CERTS, $v3Certs, Carbon::now()->addSeconds($this->maxAge[self::URL_OPENID_CONFIG]));
-        }
-
-        $cert = $kid ? collect($v3Certs)->firstWhere('kid', '=', $kid) : $v3Certs[0];
-
-        return $this->extractPublicKeyFromCertificate($cert);
-    }
-
-    private function getFreshCertificates()
-    {
-        $jwksUri =  $this->callApiAndReturnValue(self::URL_OPENID_CONFIG, 'jwks_uri');
-
-        return $this->callApiAndReturnValue($jwksUri, 'keys');
-    }
-
-    private function extractPublicKeyFromCertificate($certificate)
-    {
-        $modulus = new BigInteger(JWT::urlsafeB64Decode($certificate['n']), 256);
-        $exponent = new BigInteger(JWT::urlsafeB64Decode($certificate['e']), 256);
-
-        $this->rsa->loadKey(compact('modulus', 'exponent'));
-
-        return $this->rsa->getPublicKey();
-    }
-
-    public function getKidFromOpenIdToken($openIdToken)
-    {
-        return $this->callApiAndReturnValue(self::URL_TOKEN_INFO . '?id_token=' . $openIdToken, 'kid');
-    }
-
-    private function callApiAndReturnValue($url, $value)
-    {
-        $attempts = 0;
-
-        while (true) {
-            try {
-                $response = $this->guzzle->get($url);
-
-                break;
-            } catch (ServerException $e) {
-                $attempts++;
-
-                if ($attempts >= 3) {
-                    throw $e;
-                }
-
-                sleep(1);
-            }
-        }
-
-        $data = json_decode($response->getBody(), true);
-
-        $maxAge = 0;
-        foreach ($response->getHeader('Cache-Control') as $line) {
-            preg_match('/max-age=(\d+)/', $line, $matches);
-            $maxAge = isset($matches[1]) ? (int) $matches[1] : 0;
-        }
-
-        $this->maxAge[$url] = $maxAge;
-
-        return Arr::get($data, $value);
-    }
-
-    public function isCached()
+    protected static function getFacadeAccessor()
     {
-        return Cache::has(self::V3_CERTS);
+        return 'open-id-verificator';
     }
 
-    public function forgetFromCache()
+    public static function fake(): void
     {
-        Cache::forget(self::V3_CERTS);
+        self::swap(new OpenIdVerificatorFake());
     }
 }
diff --git a/src/OpenIdVerificatorConcrete.php b/src/OpenIdVerificatorConcrete.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace Stackkit\LaravelGoogleCloudScheduler;
+
+use Google\Auth\AccessToken;
+use Illuminate\Support\Facades\Facade;
+
+class OpenIdVerificatorConcrete extends Facade
+{
+    public function verify(?string $token, array $config): void
+    {
+        if (!$token) {
+            throw new CloudSchedulerException('Missing [Authorization] header');
+        }
+
+        (new AccessToken())->verify(
+            $token,
+            [
+                'audience' => config('laravel-google-cloud-scheduler.app_url'),
+                'throwException' => true,
+            ]
+        );
+    }
+}
diff --git a/src/OpenIdVerificatorFake.php b/src/OpenIdVerificatorFake.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Stackkit\LaravelGoogleCloudScheduler;
+
+class OpenIdVerificatorFake
+{
+    public function verify(?string $token, array $config): void
+    {
+        //
+    }
+}
diff --git a/src/TaskHandler.php b/src/TaskHandler.php
@@ -4,31 +4,20 @@
 
 use Illuminate\Console\Scheduling\Schedule;
 use Illuminate\Container\Container;
-use Illuminate\Contracts\Console\Kernel;
-use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Artisan;
 
 class TaskHandler
 {
     private $command;
-    private $request;
-    private $openId;
-    private $kernel;
     private $schedule;
     private $container;
 
     public function __construct(
         Command $command,
-        Request $request,
-        OpenIdVerificator $openId,
-        Kernel $kernel,
         Schedule $schedule,
         Container $container
     ) {
         $this->command = $command;
-        $this->request = $request;
-        $this->openId = $openId;
-        $this->kernel = $kernel;
         $this->schedule = $schedule;
         $this->container = $container;
     }
@@ -38,7 +27,7 @@ public function __construct(
      */
     public function handle()
     {
-        $this->authorizeRequest();
+        OpenIdVerificator::verify(request()->bearerToken(), []);
 
         set_time_limit(0);
 
@@ -47,24 +36,6 @@ public function handle()
         return $this->cleanOutput($output);
     }
 
-    /**
-     * @throws CloudSchedulerException
-     */
-    private function authorizeRequest()
-    {
-        if (!$this->request->hasHeader('Authorization')) {
-            throw new CloudSchedulerException('Unauthorized');
-        }
-
-        $openIdToken = $this->request->bearerToken();
-
-        $kid = $this->openId->getKidFromOpenIdToken($openIdToken);
-
-        $decodedToken = $this->openId->decodeOpenIdToken($openIdToken, $kid);
-
-        $this->openId->guardAgainstInvalidOpenIdToken($decodedToken);
-    }
-
     private function runCommand($command)
     {
         if ($this->isScheduledCommand($command)) {
diff --git a/tests/GooglePublicKeyTest.php b/tests/GooglePublicKeyTest.php
diff --git a/tests/TaskHandlerTest.php b/tests/TaskHandlerTest.php
diff --git a/tests/TestCase.php b/tests/TestCase.php

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ class CloudSchedulerServiceProvider extends LaravelServiceProvider`
`10`	`10`	`public function boot(Router $router)`
`11`	`11`	`{`
`12`	`12`	`$this->registerRoutes($router);`
	`13`	`+ $this->registerClient();`
`13`	`14`	`}`
`14`	`15`
`15`	`16`	`public function register()`
`@@ -21,4 +22,9 @@ private function registerRoutes(Router $router)`
`21`	`22`	`{`
`22`	`23`	`$router->post('cloud-scheduler-job', [TaskHandler::class, 'handle']);`
`23`	`24`	`}`
	`25`	`+`
	`26`	`+ private function registerClient()`
	`27`	`+ {`
	`28`	`+ $this->app->bind('open-id-verificator', OpenIdVerificatorConcrete::class);`
	`29`	`+ }`
`24`	`30`	`}`