FilesExpand file tree

 fei-fireversion

/

credential.ts

Copy path

BlameMore file actions

BlameMore file actions

Latest commit

 

History

History

History

372 lines (320 loc) · 12.2 KB

 fei-fireversion

/

credential.ts

Top

File metadata and controls

• Code
• Blame

372 lines (320 loc) · 12.2 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

/*!

* Copyright 2017 Google Inc.

*

* Licensed under the Apache License, Version 2.0 (the "License");

* you may not use this file except in compliance with the License.

* You may obtain a copy of the License at

*

* http://www.apache.org/licenses/LICENSE-2.0

*

* Unless required by applicable law or agreed to in writing, software

* distributed under the License is distributed on an "AS IS" BASIS,

* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

* See the License for the specific language governing permissions and

* limitations under the License.

*/

// Use untyped import syntax for Node built-ins

import fs = require('fs');

import os = require('os');

import path = require('path');

import {AppErrorCodes, FirebaseAppError} from '../utils/error';

import {HttpClient, HttpRequestConfig} from '../utils/api-request';

const GOOGLE_TOKEN_AUDIENCE = 'https://accounts.google.com/o/oauth2/token';

const GOOGLE_AUTH_TOKEN_HOST = 'accounts.google.com';

const GOOGLE_AUTH_TOKEN_PATH = '/o/oauth2/token';

// NOTE: the Google Metadata Service uses HTTP over a vlan

const GOOGLE_METADATA_SERVICE_HOST = 'metadata.google.internal';

const GOOGLE_METADATA_SERVICE_PATH = '/computeMetadata/v1beta1/instance/service-accounts/default/token';

const configDir = (() => {

// Windows has a dedicated low-rights location for apps at ~/Application Data

const sys = os.platform();

if (sys && sys.length >= 3 && sys.substring(0, 3).toLowerCase() === 'win') {

return process.env.APPDATA;

}

// On *nix the gcloud cli creates a . dir.

return process.env.HOME && path.resolve(process.env.HOME, '.config');

})();

const GCLOUD_CREDENTIAL_SUFFIX = 'gcloud/application_default_credentials.json';

const GCLOUD_CREDENTIAL_PATH = configDir && path.resolve(configDir, GCLOUD_CREDENTIAL_SUFFIX);

const REFRESH_TOKEN_HOST = 'www.googleapis.com';

const REFRESH_TOKEN_PATH = '/oauth2/v4/token';

const ONE_HOUR_IN_SECONDS = 60 * 60;

const JWT_ALGORITHM = 'RS256';

function copyAttr(to: object, from: object, key: string, alt: string) {

const tmp = from[key] || from[alt];

if (typeof tmp !== 'undefined') {

to[key] = tmp;

}

}

export class RefreshToken {

public clientId: string;

public clientSecret: string;

public refreshToken: string;

public type: string;

/*

* Tries to load a RefreshToken from a path. If the path is not present, returns null.

* Throws if data at the path is invalid.

*/

public static fromPath(filePath: string): RefreshToken {

let jsonString: string;

try {

jsonString = fs.readFileSync(filePath, 'utf8');

} catch (ignored) {

// Ignore errors if the file is not present, as this is sometimes an expected condition

return null;

}

try {

return new RefreshToken(JSON.parse(jsonString));

} catch (error) {

// Throw a nicely formed error message if the file contents cannot be parsed

throw new FirebaseAppError(

AppErrorCodes.INVALID_CREDENTIAL,

'Failed to parse refresh token file: ' + error,

);

}

}

constructor(json: object) {

copyAttr(this, json, 'clientId', 'client_id');

copyAttr(this, json, 'clientSecret', 'client_secret');

copyAttr(this, json, 'refreshToken', 'refresh_token');

copyAttr(this, json, 'type', 'type');

let errorMessage;

if (typeof this.clientId !== 'string' || !this.clientId) {

errorMessage = 'Refresh token must contain a "client_id" property.';

} else if (typeof this.clientSecret !== 'string' || !this.clientSecret) {

errorMessage = 'Refresh token must contain a "client_secret" property.';

} else if (typeof this.refreshToken !== 'string' || !this.refreshToken) {

errorMessage = 'Refresh token must contain a "refresh_token" property.';

} else if (typeof this.type !== 'string' || !this.type) {

errorMessage = 'Refresh token must contain a "type" property.';

}

if (typeof errorMessage !== 'undefined') {

throw new FirebaseAppError(AppErrorCodes.INVALID_CREDENTIAL, errorMessage);

}

}

}

/**

* A struct containing the properties necessary to use service-account JSON credentials.

*/

export class Certificate {

public projectId: string;

public privateKey: string;

public clientEmail: string;

public static fromPath(filePath: string): Certificate {

// Node bug encountered in v6.x. fs.readFileSync hangs when path is a 0 or 1.

if (typeof filePath !== 'string') {

throw new FirebaseAppError(

AppErrorCodes.INVALID_CREDENTIAL,

'Failed to parse certificate key file: TypeError: path must be a string',

);

}

try {

return new Certificate(JSON.parse(fs.readFileSync(filePath, 'utf8')));

} catch (error) {

// Throw a nicely formed error message if the file contents cannot be parsed

throw new FirebaseAppError(

AppErrorCodes.INVALID_CREDENTIAL,

'Failed to parse certificate key file: ' + error,

);

}

}

constructor(json: object) {

if (typeof json !== 'object' || json === null) {

throw new FirebaseAppError(

AppErrorCodes.INVALID_CREDENTIAL,

'Certificate object must be an object.',

);

}

copyAttr(this, json, 'projectId', 'project_id');

copyAttr(this, json, 'privateKey', 'private_key');

copyAttr(this, json, 'clientEmail', 'client_email');

let errorMessage;

if (typeof this.privateKey !== 'string' || !this.privateKey) {

errorMessage = 'Certificate object must contain a string "private_key" property.';

} else if (typeof this.clientEmail !== 'string' || !this.clientEmail) {

errorMessage = 'Certificate object must contain a string "client_email" property.';

}

if (typeof errorMessage !== 'undefined') {

throw new FirebaseAppError(AppErrorCodes.INVALID_CREDENTIAL, errorMessage);

}

const forge = require('node-forge');

try {

forge.pki.privateKeyFromPem(this.privateKey);

} catch (error) {

throw new FirebaseAppError(

AppErrorCodes.INVALID_CREDENTIAL,

'Failed to parse private key: ' + error);

}

}

}

/**

* Interface for Google OAuth 2.0 access tokens.

*/

export interface GoogleOAuthAccessToken {

/* tslint:disable:variable-name */

access_token: string;

expires_in: number;

/* tslint:enable:variable-name */

}

/**

* Obtain a new OAuth2 token by making a remote service call.

*/

function requestAccessToken(client: HttpClient, request: HttpRequestConfig): Promise<GoogleOAuthAccessToken> {

return client.send(request).then((resp) => {

const json = resp.data;

if (json.error) {

let errorMessage = 'Error fetching access token: ' + json.error;

if (json.error_description) {

errorMessage += ' (' + json.error_description + ')';

}

throw new FirebaseAppError(AppErrorCodes.INVALID_CREDENTIAL, errorMessage);

} else if (!json.access_token || !json.expires_in) {

throw new FirebaseAppError(

AppErrorCodes.INVALID_CREDENTIAL,

`Unexpected response while fetching access token: ${ JSON.stringify(json) }`,

);

} else {

return json;

}

}).catch((err) => {

throw new FirebaseAppError(

AppErrorCodes.INVALID_CREDENTIAL,

`Failed to parse access token response: ${err.toString()}`,

);

});

}

/**

* Implementation of Credential that uses a service account certificate.

*/

export class CertCredential implements Credential {

private readonly certificate: Certificate;

private readonly httpClient: HttpClient;

constructor(serviceAccountPathOrObject: string | object) {

this.certificate = (typeof serviceAccountPathOrObject === 'string') ?

Certificate.fromPath(serviceAccountPathOrObject) : new Certificate(serviceAccountPathOrObject);

this.httpClient = new HttpClient();

}

public getAccessToken(): Promise<GoogleOAuthAccessToken> {

const token = this.createAuthJwt_();

const postData = 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3A' +

'grant-type%3Ajwt-bearer&assertion=' + token;

const request: HttpRequestConfig = {

method: 'POST',

url: `https://${GOOGLE_AUTH_TOKEN_HOST}${GOOGLE_AUTH_TOKEN_PATH}`,

headers: {

'Content-Type': 'application/x-www-form-urlencoded',

},

data: postData,

};

return requestAccessToken(this.httpClient, request);

}

public getCertificate(): Certificate {

return this.certificate;

}

private createAuthJwt_(): string {

const claims = {

scope: [

'https://www.googleapis.com/auth/cloud-platform',

'https://www.googleapis.com/auth/firebase.database',

'https://www.googleapis.com/auth/firebase.messaging',

'https://www.googleapis.com/auth/identitytoolkit',

'https://www.googleapis.com/auth/userinfo.email',

].join(' '),

};

const jwt = require('jsonwebtoken');

// This method is actually synchronous so we can capture and return the buffer.

return jwt.sign(claims, this.certificate.privateKey, {

audience: GOOGLE_TOKEN_AUDIENCE,

expiresIn: ONE_HOUR_IN_SECONDS,

issuer: this.certificate.clientEmail,

algorithm: JWT_ALGORITHM,

});

}

}

/**

* Interface for things that generate access tokens.

*/

export interface Credential {

getAccessToken(): Promise<GoogleOAuthAccessToken>;

getCertificate(): Certificate;

}

/**

* Implementation of Credential that gets access tokens from refresh tokens.

*/

export class RefreshTokenCredential implements Credential {

private readonly refreshToken: RefreshToken;

private readonly httpClient: HttpClient;

constructor(refreshTokenPathOrObject: string | object) {

this.refreshToken = (typeof refreshTokenPathOrObject === 'string') ?

RefreshToken.fromPath(refreshTokenPathOrObject) : new RefreshToken(refreshTokenPathOrObject);

this.httpClient = new HttpClient();

}

public getAccessToken(): Promise<GoogleOAuthAccessToken> {

const postData =

'client_id=' + this.refreshToken.clientId + '&' +

'client_secret=' + this.refreshToken.clientSecret + '&' +

'refresh_token=' + this.refreshToken.refreshToken + '&' +

'grant_type=refresh_token';

const request: HttpRequestConfig = {

method: 'POST',

url: `https://${REFRESH_TOKEN_HOST}${REFRESH_TOKEN_PATH}`,

headers: {

'Content-Type': 'application/x-www-form-urlencoded',

},

data: postData,

};

return requestAccessToken(this.httpClient, request);

}

public getCertificate(): Certificate {

return null;

}

}

/**

* Implementation of Credential that gets access tokens from the metadata service available

* in the Google Cloud Platform. This authenticates the process as the default service account

* of an App Engine instance or Google Compute Engine machine.

*/

export class MetadataServiceCredential implements Credential {

private readonly httpClient = new HttpClient();

public getAccessToken(): Promise<GoogleOAuthAccessToken> {

const request: HttpRequestConfig = {

method: 'GET',

url: `http://${GOOGLE_METADATA_SERVICE_HOST}${GOOGLE_METADATA_SERVICE_PATH}`,

};

return requestAccessToken(this.httpClient, request);

}

public getCertificate(): Certificate {

return null;

}

}

/**

* ApplicationDefaultCredential implements the process for loading credentials as

* described in https://developers.google.com/identity/protocols/application-default-credentials

*/

export class ApplicationDefaultCredential implements Credential {

private credential_: Credential;

constructor() {

if (process.env.GOOGLE_APPLICATION_CREDENTIALS) {

const serviceAccount = Certificate.fromPath(process.env.GOOGLE_APPLICATION_CREDENTIALS);

this.credential_ = new CertCredential(serviceAccount);

return;

}

// It is OK to not have this file. If it is present, it must be valid.

const refreshToken = RefreshToken.fromPath(GCLOUD_CREDENTIAL_PATH);

if (refreshToken) {

this.credential_ = new RefreshTokenCredential(refreshToken);

return;

}

this.credential_ = new MetadataServiceCredential();

}

public getAccessToken(): Promise<GoogleOAuthAccessToken> {

return this.credential_.getAccessToken();

}

public getCertificate(): Certificate {

return this.credential_.getCertificate();

}

// Used in testing to verify we are delegating to the correct implementation.

public getCredential(): Credential {

return this.credential_;

}

}