Skip to content

Commit

Permalink
Merge branch 'main' into main
Browse files Browse the repository at this point in the history
  • Loading branch information
bshaffer authored Jul 10, 2024
2 parents b90a963 + 1043ea1 commit 584019d
Show file tree
Hide file tree
Showing 19 changed files with 241 additions and 17 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,13 @@

* [feat]: add support for Firebase v6.0 (#391)

## [1.41.0](https://github.com/googleapis/google-auth-library-php/compare/v1.40.0...v1.41.0) (2024-07-10)


### Features

* Change getCacheKey implementation for more unique keys ([#560](https://github.com/googleapis/google-auth-library-php/issues/560)) ([a35c4db](https://github.com/googleapis/google-auth-library-php/commit/a35c4dbb52e01faedacd09d23634939ced4a8a63))

## [1.40.0](https://github.com/googleapis/google-auth-library-php/compare/v1.39.0...v1.40.0) (2024-05-31)


Expand Down
31 changes: 31 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -282,6 +282,37 @@ $auth->verify($idToken, [
[google-id-tokens]: https://developers.google.com/identity/sign-in/web/backend-auth
[iap-id-tokens]: https://cloud.google.com/iap/docs/signed-headers-howto

## Caching
Caching is enabled by passing a PSR-6 `CacheItemPoolInterface`
instance to the constructor when instantiating the credentials.

We offer some caching classes out of the box under the `Google\Auth\Cache` namespace.

```php
use Google\Auth\ApplicationDefaultCredentials;
use Google\Auth\Cache\MemoryCacheItemPool;

// Cache Instance
$memoryCache = new MemoryCacheItemPool;

// Get the credentials
// From here, the credentials will cache the access token
$middleware = ApplicationDefaultCredentials::getCredentials($scope, cache: $memoryCache);
```

### Integrating with a third party cache
You can use a third party that follows the `PSR-6` interface of your choice.

```php
use Symphony\Component\Cache\Adapter\FileststenAdapter;

// Create the cache instance
$filesystemCache = new FilesystemAdapter();

// Create Get the credentials
$credentials = ApplicationDefaultCredentials::getCredentials($targetAudience, cache: $filesystemCache);
```

## License

This library is licensed under Apache 2.0. Full license text is
Expand Down
2 changes: 1 addition & 1 deletion VERSION
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.40.0
1.41.0
15 changes: 15 additions & 0 deletions src/CredentialSource/AwsNativeSource.php
Original file line number Diff line number Diff line change
Expand Up @@ -328,6 +328,21 @@ public static function getSigningVarsFromEnv(): ?array
return null;
}

/**
* Gets the unique key for caching
* For AwsNativeSource the values are:
* Imdsv2SessionTokenUrl.SecurityCredentialsUrl.RegionUrl.RegionalCredVerificationUrl
*
* @return string
*/
public function getCacheKey(): string
{
return ($this->imdsv2SessionTokenUrl ?? '') .
'.' . ($this->securityCredentialsUrl ?? '') .
'.' . $this->regionUrl .
'.' . $this->regionalCredVerificationUrl;
}

/**
* Return HMAC hash in binary string
*/
Expand Down
12 changes: 12 additions & 0 deletions src/CredentialSource/ExecutableSource.php
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,18 @@ public function __construct(
$this->executableHandler = $executableHandler ?: new ExecutableHandler();
}

/**
* Gets the unique key for caching
* The format for the cache key is:
* Command.OutputFile
*
* @return ?string
*/
public function getCacheKey(): ?string
{
return $this->command . '.' . $this->outputFile;
}

/**
* @param callable $httpHandler unused.
* @return string
Expand Down
12 changes: 12 additions & 0 deletions src/CredentialSource/FileSource.php
Original file line number Diff line number Diff line change
Expand Up @@ -72,4 +72,16 @@ public function fetchSubjectToken(callable $httpHandler = null): string

return $contents;
}

/**
* Gets the unique key for caching.
* The format for the cache key one of the following:
* Filename
*
* @return string
*/
public function getCacheKey(): ?string
{
return $this->file;
}
}
12 changes: 12 additions & 0 deletions src/CredentialSource/UrlSource.php
Original file line number Diff line number Diff line change
Expand Up @@ -94,4 +94,16 @@ public function fetchSubjectToken(callable $httpHandler = null): string

return $body;
}

/**
* Get the cache key for the credentials.
* The format for the cache key is:
* URL
*
* @return ?string
*/
public function getCacheKey(): ?string
{
return $this->url;
}
}
26 changes: 21 additions & 5 deletions src/Credentials/ExternalAccountCredentials.php
Original file line number Diff line number Diff line change
Expand Up @@ -98,9 +98,7 @@ public function __construct(
);
}

if (array_key_exists('service_account_impersonation_url', $jsonKey)) {
$this->serviceAccountImpersonationUrl = $jsonKey['service_account_impersonation_url'];
}
$this->serviceAccountImpersonationUrl = $jsonKey['service_account_impersonation_url'] ?? null;

$this->quotaProject = $jsonKey['quota_project_id'] ?? null;
$this->workforcePoolUserProject = $jsonKey['workforce_pool_user_project'] ?? null;
Expand Down Expand Up @@ -276,9 +274,27 @@ public function fetchAuthToken(callable $httpHandler = null)
return $stsToken;
}

public function getCacheKey()
/**
* Get the cache token key for the credentials.
* The cache token key format depends on the type of source
* The format for the cache key one of the following:
* FetcherCacheKey.Scope.[ServiceAccount].[TokenType].[WorkforcePoolUserProject]
* FetcherCacheKey.Audience.[ServiceAccount].[TokenType].[WorkforcePoolUserProject]
*
* @return ?string;
*/
public function getCacheKey(): ?string
{
return $this->auth->getCacheKey();
$scopeOrAudience = $this->auth->getAudience();
if (!$scopeOrAudience) {
$scopeOrAudience = $this->auth->getScope();
}

return $this->auth->getSubjectTokenFetcher()->getCacheKey() .
'.' . $scopeOrAudience .
'.' . ($this->serviceAccountImpersonationUrl ?? '') .
'.' . ($this->auth->getSubjectTokenType() ?? '') .
'.' . ($this->workforcePoolUserProject ?? '');
}

public function getLastReceivedToken()
Expand Down
6 changes: 5 additions & 1 deletion src/Credentials/GCECredentials.php
Original file line number Diff line number Diff line change
Expand Up @@ -489,11 +489,15 @@ public function fetchAuthToken(callable $httpHandler = null)
}

/**
* Returns the Cache Key for the credential token.
* The format for the cache key is:
* TokenURI
*
* @return string
*/
public function getCacheKey()
{
return self::cacheKey;
return $this->tokenUri;
}

/**
Expand Down
3 changes: 3 additions & 0 deletions src/Credentials/ImpersonatedServiceAccountCredentials.php
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,9 @@ public function fetchAuthToken(callable $httpHandler = null)
}

/**
* Returns the Cache Key for the credentials
* The cache key is the same as the UserRefreshCredentials class
*
* @return string
*/
public function getCacheKey()
Expand Down
14 changes: 12 additions & 2 deletions src/Credentials/ServiceAccountCredentials.php
Original file line number Diff line number Diff line change
Expand Up @@ -219,13 +219,23 @@ public function fetchAuthToken(callable $httpHandler = null)
}

/**
* Return the Cache Key for the credentials.
* For the cache key format is one of the following:
* ClientEmail.Scope[.Sub]
* ClientEmail.Audience[.Sub]
*
* @return string
*/
public function getCacheKey()
{
$key = $this->auth->getIssuer() . ':' . $this->auth->getCacheKey();
$scopeOrAudience = $this->auth->getScope();
if (!$scopeOrAudience) {
$scopeOrAudience = $this->auth->getAudience();
}

$key = $this->auth->getIssuer() . '.' . $scopeOrAudience;
if ($sub = $this->auth->getSub()) {
$key .= ':' . $sub;
$key .= '.' . $sub;
}

return $key;
Expand Down
12 changes: 11 additions & 1 deletion src/Credentials/ServiceAccountJwtAccessCredentials.php
Original file line number Diff line number Diff line change
Expand Up @@ -166,11 +166,21 @@ public function fetchAuthToken(callable $httpHandler = null)
}

/**
* Return the cache key for the credentials.
* The format for the Cache Key one of the following:
* ClientEmail.Scope
* ClientEmail.Audience
*
* @return string
*/
public function getCacheKey()
{
return $this->auth->getCacheKey();
$scopeOrAudience = $this->auth->getScope();
if (!$scopeOrAudience) {
$scopeOrAudience = $this->auth->getAudience();
}

return $this->auth->getIssuer() . '.' . $scopeOrAudience;
}

/**
Expand Down
12 changes: 11 additions & 1 deletion src/Credentials/UserRefreshCredentials.php
Original file line number Diff line number Diff line change
Expand Up @@ -130,11 +130,21 @@ public function fetchAuthToken(callable $httpHandler = null, array $metricsHeade
}

/**
* Return the Cache Key for the credentials.
* The format for the Cache key is one of the following:
* ClientId.Scope
* ClientId.Audience
*
* @return string
*/
public function getCacheKey()
{
return $this->auth->getClientId() . ':' . $this->auth->getCacheKey();
$scopeOrAudience = $this->auth->getScope();
if (!$scopeOrAudience) {
$scopeOrAudience = $this->auth->getAudience();
}

return $this->auth->getClientId() . '.' . $scopeOrAudience;
}

/**
Expand Down
1 change: 1 addition & 0 deletions src/ExternalAccountCredentialSourceInterface.php
Original file line number Diff line number Diff line change
Expand Up @@ -20,4 +20,5 @@
interface ExternalAccountCredentialSourceInterface
{
public function fetchSubjectToken(callable $httpHandler = null): string;
public function getCacheKey(): ?string;
}
22 changes: 22 additions & 0 deletions src/OAuth2.php
Original file line number Diff line number Diff line change
Expand Up @@ -683,6 +683,8 @@ public function fetchAuthToken(callable $httpHandler = null, $headers = [])
}

/**
* @deprecated
*
* Obtains a key that can used to cache the results of #fetchAuthToken.
*
* The key is derived from the scopes.
Expand All @@ -703,6 +705,16 @@ public function getCacheKey()
return null;
}

/**
* Gets this instance's SubjectTokenFetcher
*
* @return null|ExternalAccountCredentialSourceInterface
*/
public function getSubjectTokenFetcher(): ?ExternalAccountCredentialSourceInterface
{
return $this->subjectTokenFetcher;
}

/**
* Parses the fetched tokens.
*
Expand Down Expand Up @@ -1020,6 +1032,16 @@ public function getScope()
return implode(' ', $this->scope);
}

/**
* Gets the subject token type
*
* @return ?string
*/
public function getSubjectTokenType(): ?string
{
return $this->subjectTokenType;
}

/**
* Sets the scope of the access request, expressed either as an Array or as
* a space-delimited String.
Expand Down
57 changes: 57 additions & 0 deletions tests/Credentials/ExternalAccountCredentialsTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -521,6 +521,63 @@ public function testFetchAuthTokenWithWorkforcePoolCredentials()
$this->assertEquals(strtotime($expiry), $authToken['expires_at']);
}

public function testFileSourceCacheKey()
{
$this->baseCreds['credential_source'] = ['file' => 'fakeFile'];
$credentials = new ExternalAccountCredentials('scope1', $this->baseCreds);
$cacheKey = $credentials->getCacheKey();
$expectedKey = 'fakeFile.scope1...';
$this->assertEquals($expectedKey, $cacheKey);
}

public function testAWSSourceCacheKey()
{
$this->baseCreds['credential_source'] = [
'environment_id' => 'aws1',
'regional_cred_verification_url' => 'us-east',
'region_url' => 'aws.us-east.com',
'url' => 'aws.us-east.token.com',
'imdsv2_session_token_url' => '12345'
];
$this->baseCreds['audience'] = 'audience1';
$credentials = new ExternalAccountCredentials('scope1', $this->baseCreds);
$cacheKey = $credentials->getCacheKey();
$expectedKey = '12345.aws.us-east.token.com.aws.us-east.com.us-east.audience1...';
$this->assertEquals($expectedKey, $cacheKey);
}

public function testUrlSourceCacheKey()
{
$this->baseCreds['credential_source'] = [
'url' => 'fakeUrl',
'format' => [
'type' => 'json',
'subject_token_field_name' => 'keyShouldBeHere'
]
];

$credentials = new ExternalAccountCredentials('scope1', $this->baseCreds);
$cacheKey = $credentials->getCacheKey();
$expectedKey = 'fakeUrl.scope1...';
$this->assertEquals($expectedKey, $cacheKey);
}

public function testExecutableSourceCacheKey()
{
$this->baseCreds['credential_source'] = [
'executable' => [
'command' => 'ls -al',
'output_file' => './output.txt'
]
];

$credentials = new ExternalAccountCredentials('scope1', $this->baseCreds);
$cacheKey = $credentials->getCacheKey();

$expectedCacheKey = 'ls -al../output.txt.scope1...';
$this->assertEquals($cacheKey, $expectedCacheKey);
}

/**
* @runInSeparateProcess
*/
Expand Down
Loading

0 comments on commit 584019d

Please sign in to comment.