From 13184d3f5c996a3a9d2a1de4dedd09f5b85728b2 Mon Sep 17 00:00:00 2001 From: Jesse Jackson <62044923+jessejacksonanz@users.noreply.github.com> Date: Sat, 8 Aug 2020 07:18:55 +1000 Subject: [PATCH 1/5] fix(fcm): Updated messaging code to take into account the custom endpoint setting for the FCM batch endpoint (#385) (#393) --- messaging/messaging.go | 19 ++++++++------ messaging/messaging_batch_test.go | 42 +++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+), 8 deletions(-) diff --git a/messaging/messaging.go b/messaging/messaging.go index 08335330..5fcfe168 100644 --- a/messaging/messaging.go +++ b/messaging/messaging.go @@ -32,8 +32,8 @@ import ( ) const ( - messagingEndpoint = "https://fcm.googleapis.com/v1" - batchEndpoint = "https://fcm.googleapis.com/batch" + defaultMessagingEndpoint = "https://fcm.googleapis.com/v1" + defaultBatchEndpoint = "https://fcm.googleapis.com/batch" firebaseClientHeader = "X-Firebase-Client" apiFormatVersionHeader = "X-GOOG-API-FORMAT-VERSION" @@ -862,17 +862,20 @@ func NewClient(ctx context.Context, c *internal.MessagingConfig) (*Client, error return nil, errors.New("project ID is required to access Firebase Cloud Messaging client") } - hc, endpoint, err := transport.NewHTTPClient(ctx, c.Opts...) + hc, messagingEndpoint, err := transport.NewHTTPClient(ctx, c.Opts...) if err != nil { return nil, err } - if endpoint == "" { - endpoint = messagingEndpoint + batchEndpoint := messagingEndpoint + + if messagingEndpoint == "" { + messagingEndpoint = defaultMessagingEndpoint + batchEndpoint = defaultBatchEndpoint } return &Client{ - fcmClient: newFCMClient(hc, c, endpoint), + fcmClient: newFCMClient(hc, c, messagingEndpoint, batchEndpoint), iidClient: newIIDClient(hc), }, nil } @@ -885,7 +888,7 @@ type fcmClient struct { httpClient *internal.HTTPClient } -func newFCMClient(hc *http.Client, conf *internal.MessagingConfig, endpoint string) *fcmClient { +func newFCMClient(hc *http.Client, conf *internal.MessagingConfig, messagingEndpoint string, batchEndpoint string) *fcmClient { client := internal.WithDefaultRetryConfig(hc) client.CreateErrFn = handleFCMError @@ -896,7 +899,7 @@ func newFCMClient(hc *http.Client, conf *internal.MessagingConfig, endpoint stri } return &fcmClient{ - fcmEndpoint: endpoint, + fcmEndpoint: messagingEndpoint, batchEndpoint: batchEndpoint, project: conf.ProjectID, version: version, diff --git a/messaging/messaging_batch_test.go b/messaging/messaging_batch_test.go index 8804342e..219ce2ce 100644 --- a/messaging/messaging_batch_test.go +++ b/messaging/messaging_batch_test.go @@ -27,6 +27,8 @@ import ( "net/http/httptest" "net/textproto" "testing" + + "google.golang.org/api/option" ) var testMessages = []*Message{ @@ -520,6 +522,46 @@ func TestSendMulticast(t *testing.T) { } } +func TestSendMulticastWithCustomEndpoint(t *testing.T) { + resp, err := createMultipartResponse(testSuccessResponse, nil) + if err != nil { + t.Fatal(err) + } + + var req []byte + ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + req, _ = ioutil.ReadAll(r.Body) + w.Header().Set("Content-Type", wantMime) + w.Write(resp) + })) + defer ts.Close() + + ctx := context.Background() + + conf := *testMessagingConfig + customBatchEndpoint := fmt.Sprintf("%s/v1", ts.URL) + optEndpoint := option.WithEndpoint(customBatchEndpoint) + conf.Opts = append(conf.Opts, optEndpoint) + + client, err := NewClient(ctx, &conf) + if err != nil { + t.Fatal(err) + } + + if customBatchEndpoint != client.batchEndpoint { + t.Errorf("client.batchEndpoint = %q; want = %q", client.batchEndpoint, customBatchEndpoint) + } + + br, err := client.SendMulticast(ctx, testMulticastMessage) + if err != nil { + t.Fatal(err) + } + + if err := checkSuccessfulBatchResponse(br, req, false); err != nil { + t.Errorf("SendMulticast() = %v", err) + } +} + func TestSendMulticastDryRun(t *testing.T) { resp, err := createMultipartResponse(testSuccessResponse, nil) if err != nil { From bbf004ceb6535ed7688a1bac43bef917909d5973 Mon Sep 17 00:00:00 2001 From: Masahiro Furudate <178inaba.git@gmail.com> Date: Fri, 14 Aug 2020 02:46:19 +0900 Subject: [PATCH 2/5] docs: Move GitHub template to `.github` (#390) --- ISSUE_TEMPLATE.md => .github/issue_template.md | 0 PULL_REQUEST_TEMPLATE.md => .github/pull_request_template.md | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename ISSUE_TEMPLATE.md => .github/issue_template.md (100%) rename PULL_REQUEST_TEMPLATE.md => .github/pull_request_template.md (100%) diff --git a/ISSUE_TEMPLATE.md b/.github/issue_template.md similarity index 100% rename from ISSUE_TEMPLATE.md rename to .github/issue_template.md diff --git a/PULL_REQUEST_TEMPLATE.md b/.github/pull_request_template.md similarity index 100% rename from PULL_REQUEST_TEMPLATE.md rename to .github/pull_request_template.md From 969e50e3996254cdb245d057bb2618fbd64ff425 Mon Sep 17 00:00:00 2001 From: Patrick Jones Date: Wed, 26 Aug 2020 14:43:33 -0700 Subject: [PATCH 3/5] feat(auth): Hash Order Fix (#392) * Allow users to specify hash input order (salt first or password first). Also updated CONTRIBUTING.md to explain why some tests will fail for a non-GCIP Firebase project. * Forgot to go fmt two files. * Updated type name for clarity. * Making requested alterations to tests. * Implementing linter recommendations. * Removed excess integration tests, cleaned up go.mod file * Removed one newline. * Fixed some test formatting, tried to corral go.mod * Naming tweaks. Co-authored-by: Patrick Jones --- CONTRIBUTING.md | 8 ++ auth/hash/hash.go | 79 +++++++---- auth/hash/hash_test.go | 241 ++++++++++++++++++++++++++++++---- auth/token_generator_test.go | 1 + go.mod | 1 + go.sum | 36 +++++ integration/auth/auth_test.go | 76 +++++++++++ 7 files changed, 390 insertions(+), 52 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b3672d3d..dcd613ab 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -137,6 +137,14 @@ required to ensure that exported user records contain the password hashes of the 3. Click 'ADD ANOTHER ROLE' and choose 'Firebase Authentication Admin'. 4. Click 'SAVE'. +Some of the integration tests require an +[Identity Platform](https://cloud.google.com/identity-platform/) project with multi-tenancy +[enabled](https://cloud.google.com/identity-platform/docs/multi-tenancy-quickstart#enabling_multi-tenancy). +An existing Firebase project can be upgraded to an Identity Platform project without losing any +functionality via the +[Identity Platform Marketplace Page](https://console.cloud.google.com/customer-identity). Note that +charges may be incurred for active users beyond the Identity Platform free tier. + Now you can invoke the test suite as follows: ```bash diff --git a/auth/hash/hash.go b/auth/hash/hash.go index e93d7dfa..99e68912 100644 --- a/auth/hash/hash.go +++ b/auth/hash/hash.go @@ -25,6 +25,16 @@ import ( "firebase.google.com/go/v4/internal" ) +// InputOrderType specifies the order in which users' passwords/salts are hashed +type InputOrderType int + +// Available InputOrderType values +const ( + InputOrderUnspecified InputOrderType = iota + InputOrderSaltFirst + InputOrderPasswordFirst +) + // Bcrypt represents the BCRYPT hash algorithm. // // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_bcrypt_hashed_passwords @@ -96,12 +106,13 @@ func (s Scrypt) Config() (internal.HashConfig, error) { // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_hmac_hashed_passwords // for more details. Key is required. type HMACMD5 struct { - Key []byte + Key []byte + InputOrder InputOrderType } // Config returns the validated hash configuration. func (h HMACMD5) Config() (internal.HashConfig, error) { - return hmacConfig("HMAC_MD5", h.Key) + return hmacConfig("HMAC_MD5", h.Key, h.InputOrder) } // HMACSHA1 represents the HMAC SHA512 hash algorithm. @@ -110,12 +121,13 @@ func (h HMACMD5) Config() (internal.HashConfig, error) { // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_hmac_hashed_passwords // for more details. type HMACSHA1 struct { - Key []byte + Key []byte + InputOrder InputOrderType } // Config returns the validated hash configuration. func (h HMACSHA1) Config() (internal.HashConfig, error) { - return hmacConfig("HMAC_SHA1", h.Key) + return hmacConfig("HMAC_SHA1", h.Key, h.InputOrder) } // HMACSHA256 represents the HMAC SHA512 hash algorithm. @@ -124,12 +136,13 @@ func (h HMACSHA1) Config() (internal.HashConfig, error) { // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_hmac_hashed_passwords // for more details. type HMACSHA256 struct { - Key []byte + Key []byte + InputOrder InputOrderType } // Config returns the validated hash configuration. func (h HMACSHA256) Config() (internal.HashConfig, error) { - return hmacConfig("HMAC_SHA256", h.Key) + return hmacConfig("HMAC_SHA256", h.Key, h.InputOrder) } // HMACSHA512 represents the HMAC SHA512 hash algorithm. @@ -138,12 +151,13 @@ func (h HMACSHA256) Config() (internal.HashConfig, error) { // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_hmac_hashed_passwords // for more details. type HMACSHA512 struct { - Key []byte + Key []byte + InputOrder InputOrderType } // Config returns the validated hash configuration. func (h HMACSHA512) Config() (internal.HashConfig, error) { - return hmacConfig("HMAC_SHA512", h.Key) + return hmacConfig("HMAC_SHA512", h.Key, h.InputOrder) } // MD5 represents the MD5 hash algorithm. @@ -152,12 +166,13 @@ func (h HMACSHA512) Config() (internal.HashConfig, error) { // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_md5_sha_and_pbkdf_hashed_passwords // for more details. type MD5 struct { - Rounds int + Rounds int + InputOrder InputOrderType } // Config returns the validated hash configuration. func (h MD5) Config() (internal.HashConfig, error) { - return basicConfig("MD5", h.Rounds) + return basicConfig("MD5", h.Rounds, h.InputOrder) } // PBKDF2SHA256 represents the PBKDF2SHA256 hash algorithm. @@ -171,7 +186,7 @@ type PBKDF2SHA256 struct { // Config returns the validated hash configuration. func (h PBKDF2SHA256) Config() (internal.HashConfig, error) { - return basicConfig("PBKDF2_SHA256", h.Rounds) + return basicConfig("PBKDF2_SHA256", h.Rounds, InputOrderUnspecified) } // PBKDFSHA1 represents the PBKDFSHA1 hash algorithm. @@ -185,7 +200,7 @@ type PBKDFSHA1 struct { // Config returns the validated hash configuration. func (h PBKDFSHA1) Config() (internal.HashConfig, error) { - return basicConfig("PBKDF_SHA1", h.Rounds) + return basicConfig("PBKDF_SHA1", h.Rounds, InputOrderUnspecified) } // SHA1 represents the SHA1 hash algorithm. @@ -194,12 +209,13 @@ func (h PBKDFSHA1) Config() (internal.HashConfig, error) { // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_md5_sha_and_pbkdf_hashed_passwords // for more details. type SHA1 struct { - Rounds int + Rounds int + InputOrder InputOrderType } // Config returns the validated hash configuration. func (h SHA1) Config() (internal.HashConfig, error) { - return basicConfig("SHA1", h.Rounds) + return basicConfig("SHA1", h.Rounds, h.InputOrder) } // SHA256 represents the SHA256 hash algorithm. @@ -208,12 +224,13 @@ func (h SHA1) Config() (internal.HashConfig, error) { // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_md5_sha_and_pbkdf_hashed_passwords // for more details. type SHA256 struct { - Rounds int + Rounds int + InputOrder InputOrderType } // Config returns the validated hash configuration. func (h SHA256) Config() (internal.HashConfig, error) { - return basicConfig("SHA256", h.Rounds) + return basicConfig("SHA256", h.Rounds, h.InputOrder) } // SHA512 represents the SHA512 hash algorithm. @@ -222,25 +239,32 @@ func (h SHA256) Config() (internal.HashConfig, error) { // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_md5_sha_and_pbkdf_hashed_passwords // for more details. type SHA512 struct { - Rounds int + Rounds int + InputOrder InputOrderType } // Config returns the validated hash configuration. func (h SHA512) Config() (internal.HashConfig, error) { - return basicConfig("SHA512", h.Rounds) + return basicConfig("SHA512", h.Rounds, h.InputOrder) } -func hmacConfig(name string, key []byte) (internal.HashConfig, error) { +func hmacConfig(name string, key []byte, order InputOrderType) (internal.HashConfig, error) { if len(key) == 0 { return nil, errors.New("signer key not specified") } - return internal.HashConfig{ + conf := internal.HashConfig{ "hashAlgorithm": name, "signerKey": base64.RawURLEncoding.EncodeToString(key), - }, nil + } + if order == InputOrderSaltFirst { + conf["passwordHashOrder"] = "SALT_AND_PASSWORD" + } else if order == InputOrderPasswordFirst { + conf["passwordHashOrder"] = "PASSWORD_AND_SALT" + } + return conf, nil } -func basicConfig(name string, rounds int) (internal.HashConfig, error) { +func basicConfig(name string, rounds int, order InputOrderType) (internal.HashConfig, error) { minRounds := 0 maxRounds := 120000 switch name { @@ -253,8 +277,15 @@ func basicConfig(name string, rounds int) (internal.HashConfig, error) { if rounds < minRounds || maxRounds < rounds { return nil, fmt.Errorf("rounds must be between %d and %d", minRounds, maxRounds) } - return internal.HashConfig{ + + conf := internal.HashConfig{ "hashAlgorithm": name, "rounds": rounds, - }, nil + } + if order == InputOrderSaltFirst { + conf["passwordHashOrder"] = "SALT_AND_PASSWORD" + } else if order == InputOrderPasswordFirst { + conf["passwordHashOrder"] = "PASSWORD_AND_SALT" + } + return conf, nil } diff --git a/auth/hash/hash_test.go b/auth/hash/hash_test.go index 7817eb42..d3ea5d1f 100644 --- a/auth/hash/hash_test.go +++ b/auth/hash/hash_test.go @@ -67,112 +67,112 @@ var validHashes = []struct { }, }, { - alg: HMACMD5{signerKey}, + alg: HMACMD5{Key: signerKey}, want: internal.HashConfig{ "hashAlgorithm": "HMAC_MD5", "signerKey": base64.RawURLEncoding.EncodeToString(signerKey), }, }, { - alg: HMACSHA1{signerKey}, + alg: HMACSHA1{Key: signerKey}, want: internal.HashConfig{ "hashAlgorithm": "HMAC_SHA1", "signerKey": base64.RawURLEncoding.EncodeToString(signerKey), }, }, { - alg: HMACSHA256{signerKey}, + alg: HMACSHA256{Key: signerKey}, want: internal.HashConfig{ "hashAlgorithm": "HMAC_SHA256", "signerKey": base64.RawURLEncoding.EncodeToString(signerKey), }, }, { - alg: HMACSHA512{signerKey}, + alg: HMACSHA512{Key: signerKey}, want: internal.HashConfig{ "hashAlgorithm": "HMAC_SHA512", "signerKey": base64.RawURLEncoding.EncodeToString(signerKey), }, }, { - alg: MD5{0}, + alg: MD5{Rounds: 0}, want: internal.HashConfig{ "hashAlgorithm": "MD5", "rounds": 0, }, }, { - alg: MD5{8192}, + alg: MD5{Rounds: 8192}, want: internal.HashConfig{ "hashAlgorithm": "MD5", "rounds": 8192, }, }, { - alg: SHA1{1}, + alg: SHA1{Rounds: 1}, want: internal.HashConfig{ "hashAlgorithm": "SHA1", "rounds": 1, }, }, { - alg: SHA1{8192}, + alg: SHA1{Rounds: 8192}, want: internal.HashConfig{ "hashAlgorithm": "SHA1", "rounds": 8192, }, }, { - alg: SHA256{1}, + alg: SHA256{Rounds: 1}, want: internal.HashConfig{ "hashAlgorithm": "SHA256", "rounds": 1, }, }, { - alg: SHA256{8192}, + alg: SHA256{Rounds: 8192}, want: internal.HashConfig{ "hashAlgorithm": "SHA256", "rounds": 8192, }, }, { - alg: SHA512{1}, + alg: SHA512{Rounds: 1}, want: internal.HashConfig{ "hashAlgorithm": "SHA512", "rounds": 1, }, }, { - alg: SHA512{8192}, + alg: SHA512{Rounds: 8192}, want: internal.HashConfig{ "hashAlgorithm": "SHA512", "rounds": 8192, }, }, { - alg: PBKDFSHA1{0}, + alg: PBKDFSHA1{Rounds: 0}, want: internal.HashConfig{ "hashAlgorithm": "PBKDF_SHA1", "rounds": 0, }, }, { - alg: PBKDFSHA1{120000}, + alg: PBKDFSHA1{Rounds: 120000}, want: internal.HashConfig{ "hashAlgorithm": "PBKDF_SHA1", "rounds": 120000, }, }, { - alg: PBKDF2SHA256{0}, + alg: PBKDF2SHA256{Rounds: 0}, want: internal.HashConfig{ "hashAlgorithm": "PBKDF2_SHA256", "rounds": 0, }, }, { - alg: PBKDF2SHA256{120000}, + alg: PBKDF2SHA256{Rounds: 120000}, want: internal.HashConfig{ "hashAlgorithm": "PBKDF2_SHA256", "rounds": 120000, @@ -244,51 +244,51 @@ var invalidHashes = []struct { }, { name: "MD5: rounds too low", - alg: MD5{-1}, + alg: MD5{Rounds: -1}, }, { name: "SHA1: rounds too low", - alg: SHA1{0}, + alg: SHA1{Rounds: 0}, }, { name: "SHA256: rounds too low", - alg: SHA256{0}, + alg: SHA256{Rounds: 0}, }, { name: "SHA512: rounds too low", - alg: SHA512{0}, + alg: SHA512{Rounds: 0}, }, { name: "PBKDFSHA1: rounds too low", - alg: PBKDFSHA1{-1}, + alg: PBKDFSHA1{Rounds: -1}, }, { name: "PBKDF2SHA256: rounds too low", - alg: PBKDF2SHA256{-1}, + alg: PBKDF2SHA256{Rounds: -1}, }, { name: "MD5: rounds too high", - alg: MD5{8193}, + alg: MD5{Rounds: 8193}, }, { name: "SHA1: rounds too high", - alg: SHA1{8193}, + alg: SHA1{Rounds: 8193}, }, { name: "SHA256: rounds too high", - alg: SHA256{8193}, + alg: SHA256{Rounds: 8193}, }, { name: "SHA512: rounds too high", - alg: SHA512{8193}, + alg: SHA512{Rounds: 8193}, }, { name: "PBKDFSHA1: rounds too high", - alg: PBKDFSHA1{120001}, + alg: PBKDFSHA1{Rounds: 120001}, }, { name: "PBKDF2SHA256: rounds too high", - alg: PBKDF2SHA256{120001}, + alg: PBKDF2SHA256{Rounds: 120001}, }, } @@ -311,3 +311,188 @@ func TestInvalidHash(t *testing.T) { } } } + +var validHashesOrder = []struct { + alg auth.UserImportHash + want internal.HashConfig +}{ + { + alg: HMACMD5{Key: signerKey, InputOrder: InputOrderUnspecified}, + want: internal.HashConfig{ + "hashAlgorithm": "HMAC_MD5", + "signerKey": base64.RawURLEncoding.EncodeToString(signerKey), + }, + }, + { + alg: HMACMD5{Key: signerKey, InputOrder: InputOrderSaltFirst}, + want: internal.HashConfig{ + "hashAlgorithm": "HMAC_MD5", + "signerKey": base64.RawURLEncoding.EncodeToString(signerKey), + "passwordHashOrder": "SALT_AND_PASSWORD", + }, + }, + { + alg: HMACMD5{Key: signerKey, InputOrder: InputOrderPasswordFirst}, + want: internal.HashConfig{ + "hashAlgorithm": "HMAC_MD5", + "signerKey": base64.RawURLEncoding.EncodeToString(signerKey), + "passwordHashOrder": "PASSWORD_AND_SALT", + }, + }, + { + alg: HMACSHA1{Key: signerKey, InputOrder: InputOrderUnspecified}, + want: internal.HashConfig{ + "hashAlgorithm": "HMAC_SHA1", + "signerKey": base64.RawURLEncoding.EncodeToString(signerKey), + }, + }, + { + alg: HMACSHA1{Key: signerKey, InputOrder: InputOrderSaltFirst}, + want: internal.HashConfig{ + "hashAlgorithm": "HMAC_SHA1", + "signerKey": base64.RawURLEncoding.EncodeToString(signerKey), + "passwordHashOrder": "SALT_AND_PASSWORD", + }, + }, + { + alg: HMACSHA1{Key: signerKey, InputOrder: InputOrderPasswordFirst}, + want: internal.HashConfig{ + "hashAlgorithm": "HMAC_SHA1", + "signerKey": base64.RawURLEncoding.EncodeToString(signerKey), + "passwordHashOrder": "PASSWORD_AND_SALT", + }, + }, + { + alg: HMACSHA256{Key: signerKey, InputOrder: InputOrderUnspecified}, + want: internal.HashConfig{ + "hashAlgorithm": "HMAC_SHA256", + "signerKey": base64.RawURLEncoding.EncodeToString(signerKey), + }, + }, + { + alg: HMACSHA256{Key: signerKey, InputOrder: InputOrderSaltFirst}, + want: internal.HashConfig{ + "hashAlgorithm": "HMAC_SHA256", + "signerKey": base64.RawURLEncoding.EncodeToString(signerKey), + "passwordHashOrder": "SALT_AND_PASSWORD", + }, + }, + { + alg: HMACSHA256{Key: signerKey, InputOrder: InputOrderPasswordFirst}, + want: internal.HashConfig{ + "hashAlgorithm": "HMAC_SHA256", + "signerKey": base64.RawURLEncoding.EncodeToString(signerKey), + "passwordHashOrder": "PASSWORD_AND_SALT", + }, + }, + { + alg: HMACSHA512{Key: signerKey, InputOrder: InputOrderUnspecified}, + want: internal.HashConfig{ + "hashAlgorithm": "HMAC_SHA512", + "signerKey": base64.RawURLEncoding.EncodeToString(signerKey), + }, + }, + { + alg: HMACSHA512{Key: signerKey, InputOrder: InputOrderSaltFirst}, + want: internal.HashConfig{ + "hashAlgorithm": "HMAC_SHA512", + "signerKey": base64.RawURLEncoding.EncodeToString(signerKey), + "passwordHashOrder": "SALT_AND_PASSWORD", + }, + }, + { + alg: HMACSHA512{Key: signerKey, InputOrder: InputOrderPasswordFirst}, + want: internal.HashConfig{ + "hashAlgorithm": "HMAC_SHA512", + "signerKey": base64.RawURLEncoding.EncodeToString(signerKey), + "passwordHashOrder": "PASSWORD_AND_SALT", + }, + }, + { + alg: SHA1{Rounds: 1, InputOrder: InputOrderUnspecified}, + want: internal.HashConfig{ + "hashAlgorithm": "SHA1", + "rounds": 1, + }, + }, + { + alg: SHA1{Rounds: 1, InputOrder: InputOrderSaltFirst}, + want: internal.HashConfig{ + "hashAlgorithm": "SHA1", + "rounds": 1, + "passwordHashOrder": "SALT_AND_PASSWORD", + }, + }, + { + alg: SHA1{Rounds: 1, InputOrder: InputOrderPasswordFirst}, + want: internal.HashConfig{ + "hashAlgorithm": "SHA1", + "rounds": 1, + "passwordHashOrder": "PASSWORD_AND_SALT", + }, + }, + { + alg: SHA256{Rounds: 1, InputOrder: InputOrderUnspecified}, + want: internal.HashConfig{ + "hashAlgorithm": "SHA256", + "rounds": 1, + }, + }, + { + alg: SHA256{Rounds: 1, InputOrder: InputOrderSaltFirst}, + want: internal.HashConfig{ + "hashAlgorithm": "SHA256", + "rounds": 1, + "passwordHashOrder": "SALT_AND_PASSWORD", + }, + }, + { + alg: SHA256{Rounds: 1, InputOrder: InputOrderPasswordFirst}, + want: internal.HashConfig{ + "hashAlgorithm": "SHA256", + "rounds": 1, + "passwordHashOrder": "PASSWORD_AND_SALT", + }, + }, + { + alg: SHA512{Rounds: 1, InputOrder: InputOrderUnspecified}, + want: internal.HashConfig{ + "hashAlgorithm": "SHA512", + "rounds": 1, + }, + }, + { + alg: SHA512{Rounds: 1, InputOrder: InputOrderSaltFirst}, + want: internal.HashConfig{ + "hashAlgorithm": "SHA512", + "rounds": 1, + "passwordHashOrder": "SALT_AND_PASSWORD", + }, + }, + { + alg: SHA512{Rounds: 1, InputOrder: InputOrderPasswordFirst}, + want: internal.HashConfig{ + "hashAlgorithm": "SHA512", + "rounds": 1, + "passwordHashOrder": "PASSWORD_AND_SALT", + }, + }, + { + alg: SHA512{Rounds: 8192}, + want: internal.HashConfig{ + "hashAlgorithm": "SHA512", + "rounds": 8192, + }, + }, +} + +func TestHashOrder(t *testing.T) { + for idx, tc := range validHashesOrder { + got, err := tc.alg.Config() + if err != nil { + t.Errorf("[%d] Config() = %v", idx, err) + } else if !reflect.DeepEqual(got, tc.want) { + t.Errorf("[%d] Config() = %#v; want = %#v", idx, got, tc.want) + } + } +} diff --git a/auth/token_generator_test.go b/auth/token_generator_test.go index fee005ab..34a3fe4c 100644 --- a/auth/token_generator_test.go +++ b/auth/token_generator_test.go @@ -251,6 +251,7 @@ func TestIAMSignerNoMetadataService(t *testing.T) { if err != nil { t.Fatal(err) } + signer.metadataHost = "http://non-existing.metadata.service" want := "failed to determine service account: " _, err = signer.Email(ctx) diff --git a/go.mod b/go.mod index c50a801a..bfe782d1 100644 --- a/go.mod +++ b/go.mod @@ -8,4 +8,5 @@ require ( golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d google.golang.org/api v0.17.0 google.golang.org/appengine v1.6.1 + google.golang.org/grpc v1.29.1 // indirect ) diff --git a/go.sum b/go.sum index 63bcc71d..e9451b38 100644 --- a/go.sum +++ b/go.sum @@ -16,25 +16,41 @@ cloud.google.com/go/pubsub v1.0.1 h1:W9tAK3E57P75u0XLLR82LZyw8VpAnhmyTOxW9qzmyj8 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/storage v1.0.0 h1:VV2nUM3wwLLGh9lSABFgZMjInyUbJeaRSE64WuAIQ+4= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9 h1:VpgP7xuJadIUuKccphEpTJnWhS2jkQyMt6Y7pJCD7fY= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802 h1:1BDTz0u9nC3//pOCMdNH+CiXJVYJh5UQNCOBG7jbELc= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/census-instrumentation/opencensus-proto v0.2.1 h1:glEXhBS5PSLLv4IXzLA5yPRVX4bilULVyxxbrfOtDAk= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f h1:WBZRG4aNOuI15bLRrCgN8fCq8E5Xuty6jGbmSNEvSsU= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473 h1:4cmBvAEBNJaGARUEs3/suWRyfyBfhf7I60WBZq+bv2w= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4 h1:rEvIZUSZ3fx39WIi3JkQqQBitGwpELBIYWeBVh6wn+E= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/protoc-gen-validate v0.1.0 h1:EQciDnbrYxy13PgWoY8AqoxGiPrpgBZ1R8UNe3ddc+A= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72 h1:b+9H1GAsx5RsjvDFLoS5zkNBzIQMuVKUYQDmxU3N5XE= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1 h1:qGJ6qTW+x6xX/my+8YUVl4WNpX9B7+/l2tRsHGZ7f2s= github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3 h1:gyjaxf+svBWX08ZjK86iN9geUJF0H6gp2IRKX6Nf6/I= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY= @@ -42,7 +58,9 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20190515194954-54271f7e092f h1:Jnx61latede7zDD3DiiP4gmNz33uK0U5HDUaF0a/HVQ= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/renameio v0.1.0 h1:GOZbcHa3HfsPKPlmyPyN2KEohoMXOhdMbHrvbpl2QaA= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM= @@ -52,17 +70,24 @@ github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024 h1:rBMNdlhTLzJjJSDIjNEXX1Pz3Hmwmz91v+zycvx9PJc= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1 h1:VkoXIwSboBpnk99O/KFauAEILuNHv5DVFKZMBN/gUgw= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4 h1:gQz4mCbXsO+nc9n1hCxHcGA3Zx3Eo+UHZoInFGUIXNM= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/rogpeppe/go-internal v1.3.0 h1:RR9dF3JtopPvtkroDZuVD7qquD0bnHlKSqaQhgwt8yk= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0 h1:C9hSCOW830chIVkdja34wa6Ky+IzWllkUinR+BtRZd4= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5 h1:58fnuSXlxZmFdJyvtTFVmVhcMLU6v5fEb/ok4wyqtNU= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -71,6 +96,7 @@ golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm0 golang.org/x/exp v0.0.0-20191129062945-2f5052295587 h1:5Uz0rkjCFu9BC9gCRN7EkwVvhNyQgGWb8KNJrPwBoHY= golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b h1:+qEpEAPhDZ1o0x3tHzZTQDArnOixOzGD9HUJfcg0mb4= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= @@ -81,8 +107,10 @@ golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f h1:J5lckAjkw6qYlOZNj90mLYNTEKDvWeuc1yieZ8qUzUE= golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028 h1:4+4C/Iv2U4fMZBiMCc98MG1In4gJY5YRhtpDNeDeHWs= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0 h1:sfUMP1Gu8qASkorDVjnMuvgJzwFbTZSeXFiGBYAVdl4= golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -120,6 +148,7 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -139,6 +168,7 @@ golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191206204035-259af5ff87bd h1:Zc7EU2PqpsNeIfOoVA7hvQX4cS3YDJEs5KlfatT3hLo= golang.org/x/tools v0.0.0-20191206204035-259af5ff87bd/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= @@ -166,9 +196,14 @@ google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZi google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0 h1:rRYRFMVgRv6E0D70Skyfsr28tDXIuuPZyWGMPdMcnXg= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.29.1 h1:EC2SB8S04d2r73uptxphDSUG+kTKVgjRPF+N3xpxRB4= +google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/errgo.v2 v2.1.0 h1:0vLT13EuvQ0hNvakwLuFZ/jYrLp5F3kcWHXdRggjCE8= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= @@ -176,4 +211,5 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +rsc.io/binaryregexp v0.2.0 h1:HfqmD5MEmC0zvwBuF187nq9mdnXjXsSivRiXN7SmRkE= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= diff --git a/integration/auth/auth_test.go b/integration/auth/auth_test.go index 668b45be..37e016a0 100644 --- a/integration/auth/auth_test.go +++ b/integration/auth/auth_test.go @@ -18,6 +18,9 @@ package auth import ( "bytes" "context" + "crypto/hmac" + "crypto/sha1" + "crypto/sha256" "encoding/json" "flag" "fmt" @@ -31,6 +34,7 @@ import ( firebase "firebase.google.com/go/v4" "firebase.google.com/go/v4/auth" + "firebase.google.com/go/v4/auth/hash" "firebase.google.com/go/v4/integration/internal" "golang.org/x/oauth2/google" "google.golang.org/api/option" @@ -260,6 +264,78 @@ func signInWithPassword(email, password string) (string, error) { return respBody.IDToken, err } +func TestImportUserPasswordSaltOrder(t *testing.T) { + const ( + password = "pass123123" + key = "skeleton" + salt = "NaCl" + ) + tests := []struct { + name string + hashConfig auth.UserImportHash + localHash func() []byte + }{ + { + name: "SHA1_SaltFirst", + hashConfig: hash.SHA1{ + Rounds: 1, + InputOrder: hash.InputOrderSaltFirst, + }, + localHash: func() []byte { + h := sha1.New() + h.Write([]byte(salt + password)) + return h.Sum(nil) + }, + }, + { + name: "HMAC_SHA256_PasswordFirst", + hashConfig: hash.HMACSHA256{ + Key: []byte(key), + InputOrder: hash.InputOrderPasswordFirst, + }, + localHash: func() []byte { + h := hmac.New(sha256.New, []byte(key)) + h.Write([]byte(password + salt)) + return h.Sum(nil) + }, + }, + } + for _, test := range tests { + uid := randomUID() + email := randomEmail(uid) + user := (&auth.UserToImport{}). + UID(uid). + Email(email). + PasswordHash(test.localHash()). + PasswordSalt([]byte(salt)) + result, err := client.ImportUsers(context.Background(), []*auth.UserToImport{user}, auth.WithHash(test.hashConfig)) + if err != nil { + t.Fatal(err) + } + defer deleteUser(uid) + if result.SuccessCount != 1 || result.FailureCount != 0 { + t.Errorf("ImportUsers(%s) = %#v; want = {SuccessCount: 1, FailureCount: 0}", test.name, result) + } + + savedUser, err := client.GetUser(context.Background(), uid) + if err != nil { + t.Fatal(err) + } + if savedUser.Email != email { + t.Errorf("GetUser(imported) = %q; want = %q", savedUser.Email, email) + } + idToken, err := signInWithPassword(email, "pass123123") + if err != nil { + t.Errorf("Sign in failed with %+v\nError: %s", test, err) + continue + } + if idToken == "" { + t.Errorf("ID Token = empty; want = non-empty") + } + } + +} + func postRequest(url string, req []byte) ([]byte, error) { resp, err := http.Post(url, "application/json", bytes.NewBuffer(req)) if err != nil { From 3d5e560990d63709b08c1253fafd77cddc0d3a36 Mon Sep 17 00:00:00 2001 From: kentengjin Date: Wed, 30 Sep 2020 14:01:20 -0700 Subject: [PATCH 4/5] fix(auth): Migrate IAM SignBlob to IAMCredentials SignBlob (#404) * Migrate IAM SignBlob to IAMCredentials SignBlob Point all SignBlob to iamcredentials instead of iam * Minor documentation changes Correct and format some contents * Fix a trailing whitespace --- auth/auth.go | 4 ++-- auth/token_generator.go | 14 +++++++------- auth/token_generator_test.go | 12 ++++++------ 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/auth/auth.go b/auth/auth.go index 35600b84..e134d314 100644 --- a/auth/auth.go +++ b/auth/auth.go @@ -138,8 +138,8 @@ func NewClient(ctx context.Context, conf *internal.AuthConfig) (*Client, error) // - If the SDK was initialized with service account credentials, uses the private key present in // the credentials to sign tokens locally. // - If a service account email was specified during initialization (via firebase.Config struct), -// calls the IAM service with that email to sign tokens remotely. See -// https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signBlob. +// calls the IAMCredentials service with that email to sign tokens remotely. See +// https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob. // - If the code is deployed in the Google App Engine standard environment, uses the App Identity // service to sign tokens. See https://cloud.google.com/appengine/docs/standard/go/reference#SignBytes. // - If the code is deployed in a different GCP-managed environment (e.g. Google Compute Engine), diff --git a/auth/token_generator.go b/auth/token_generator.go index 83e12020..ca19892c 100644 --- a/auth/token_generator.go +++ b/auth/token_generator.go @@ -143,11 +143,11 @@ func (s serviceAccountSigner) Email(ctx context.Context) (string, error) { return s.clientEmail, nil } -// iamSigner is a cryptoSigner that signs data by sending them to the remote IAM service. See -// https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signBlob for details -// regarding the REST API. +// iamSigner is a cryptoSigner that signs data by sending them to the IAMCredentials service. See +// https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob +// for details regarding the REST API. // -// The IAM service requires the identity of a service account. This can be specified explicitly +// IAMCredentials requires the identity of a service account. This can be specified explicitly // at initialization. If not specified iamSigner attempts to discover a service account identity by // calling the local metadata service (works in environments like Google Compute Engine). type iamSigner struct { @@ -169,7 +169,7 @@ func newIAMSigner(ctx context.Context, config *internal.AuthConfig) (*iamSigner, httpClient: hc, serviceAcct: config.ServiceAccountID, metadataHost: "http://metadata.google.internal", - iamHost: "https://iam.googleapis.com", + iamHost: "https://iamcredentials.googleapis.com", }, nil } @@ -181,7 +181,7 @@ func (s iamSigner) Sign(ctx context.Context, b []byte) ([]byte, error) { url := fmt.Sprintf("%s/v1/projects/-/serviceAccounts/%s:signBlob", s.iamHost, account) body := map[string]interface{}{ - "bytesToSign": base64.StdEncoding.EncodeToString(b), + "payload": base64.StdEncoding.EncodeToString(b), } req := &internal.Request{ Method: http.MethodPost, @@ -189,7 +189,7 @@ func (s iamSigner) Sign(ctx context.Context, b []byte) ([]byte, error) { Body: internal.NewJSONEntity(body), } var signResponse struct { - Signature string `json:"signature"` + Signature string `json:"signedBlob"` } if _, err := s.httpClient.DoAndUnmarshal(ctx, req, &signResponse); err != nil { return nil, err diff --git a/auth/token_generator_test.go b/auth/token_generator_test.go index 34a3fe4c..2f49b090 100644 --- a/auth/token_generator_test.go +++ b/auth/token_generator_test.go @@ -60,8 +60,8 @@ func TestEncodeToken(t *testing.T) { if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil { t.Fatal(err) - } else if string(sig) != "signature" { - t.Errorf("decode(signature) = %q; want = %q", string(sig), "signature") + } else if string(sig) != "signedBlob" { + t.Errorf("decode(signature) = %q; want = %q", string(sig), "signedBlob") } } @@ -277,12 +277,12 @@ func (s *mockSigner) Sign(ctx context.Context, b []byte) ([]byte, error) { if s.err != nil { return nil, s.err } - return []byte("signature"), nil + return []byte("signedBlob"), nil } func iamServer(t *testing.T, serviceAcct, signature string) *httptest.Server { resp := map[string]interface{}{ - "signature": base64.StdEncoding.EncodeToString([]byte(signature)), + "signedBlob": base64.StdEncoding.EncodeToString([]byte(signature)), } wantPath := fmt.Sprintf("/v1/projects/-/serviceAccounts/%s:signBlob", serviceAcct) handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { @@ -295,8 +295,8 @@ func iamServer(t *testing.T, serviceAcct, signature string) *httptest.Server { if err := json.Unmarshal(reqBody, &m); err != nil { t.Fatal(err) } - if m["bytesToSign"] == "" { - t.Fatal("BytesToSign = empty; want = non-empty") + if m["payload"] == "" { + t.Fatal("payload = empty; want = non-empty") } if r.URL.Path != wantPath { t.Errorf("Path = %q; want = %q", r.URL.Path, wantPath) From 7f59540988385b3d6b1132cd7b1de30653138704 Mon Sep 17 00:00:00 2001 From: Lahiru Maramba Date: Thu, 22 Oct 2020 15:58:55 -0400 Subject: [PATCH 5/5] [chore] Release 4.1.0 (#407) --- firebase.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firebase.go b/firebase.go index 4762eacb..e4c5fc5f 100644 --- a/firebase.go +++ b/firebase.go @@ -38,7 +38,7 @@ import ( var defaultAuthOverrides = make(map[string]interface{}) // Version of the Firebase Go Admin SDK. -const Version = "4.0.0" +const Version = "4.1.0" // firebaseEnvName is the name of the environment variable with the Config. const firebaseEnvName = "FIREBASE_CONFIG"