Skip to content

Commit

Permalink
Merge dev into master
Browse files Browse the repository at this point in the history
  • Loading branch information
google-oss-bot authored Jun 16, 2020
2 parents 54b8114 + e921fe9 commit cef91ac
Show file tree
Hide file tree
Showing 65 changed files with 2,342 additions and 990 deletions.
2 changes: 1 addition & 1 deletion .github/scripts/run_all_tests.sh
Original file line number Diff line number Diff line change
Expand Up @@ -22,4 +22,4 @@ gpg --quiet --batch --yes --decrypt --passphrase="${FIREBASE_SERVICE_ACCT_KEY}"

echo "${FIREBASE_API_KEY}" > testdata/integration_apikey.txt

go test -v -race firebase.google.com/go/...
go test -v -race ./...
49 changes: 32 additions & 17 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,41 +2,33 @@ name: Continuous Integration
on: pull_request
jobs:

build:
name: Build
module:
name: Module build
runs-on: ubuntu-latest
env:
GOPATH: ${{ github.workspace }}/go
strategy:
matrix:
go: [1.12, 1.13, 1.14]
steps:

steps:
- name: Set up Go ${{ matrix.go }}
uses: actions/setup-go@v1
with:
go-version: ${{ matrix.go }}
id: go

- name: Check out code into GOPATH
- name: Check out code
uses: actions/checkout@v2
with:
path: go/src/firebase.google.com/go

- name: Get dependencies
run: go get -t -v $(go list ./... | grep -v integration)

- name: Run Linter
run: |
go get golang.org/x/lint/golint
$GOPATH/bin/golint -set_exit_status firebase.google.com/go/...
go get -u golang.org/x/lint/golint
GOLINT=`go list -f {{.Target}} golang.org/x/lint/golint`
$GOLINT -set_exit_status ./...
- name: Run Unit Tests
if: success() || failure()
run: go test -v -race -test.short firebase.google.com/go/...
run: go test -v -race -test.short ./...

- name: Run Formatter
working-directory: ./go/src/firebase.google.com/go
run: |
if [[ ! -z "$(gofmt -l -s .)" ]]; then
echo "Go code is not formatted:"
Expand All @@ -45,4 +37,27 @@ jobs:
fi
- name: Run Static Analyzer
run: go vet -v firebase.google.com/go/...
run: go vet -v ./...

gopath:
name: Gopath build
runs-on: ubuntu-latest
env:
GOPATH: ${{ github.workspace }}/go

steps:
- name: Set up Go 1.12
uses: actions/setup-go@v1
with:
go-version: 1.12

- name: Check out code into GOPATH
uses: actions/checkout@v2
with:
path: go/src/firebase.google.com/go

- name: Get dependencies
run: go get -t -v $(go list ./... | grep -v integration)

- name: Run Unit Tests
run: go test -v -race -test.short firebase.google.com/go/...
24 changes: 8 additions & 16 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -36,34 +36,26 @@ jobs:

runs-on: ubuntu-latest

env:
GOPATH: ${{ github.workspace }}/go

# When manually triggering the build, the requester can specify a target branch or a tag
# via the 'ref' client parameter.
steps:
- name: Check out code into GOPATH
uses: actions/checkout@v2
with:
path: go/src/firebase.google.com/go
ref: ${{ github.event.client_payload.ref || github.ref }}

- name: Set up Go
uses: actions/setup-go@v1
with:
go-version: 1.11
go-version: 1.12

- name: Get dependencies
run: go get -t -v $(go list ./... | grep -v integration)
- name: Check out code
uses: actions/checkout@v2
with:
ref: ${{ github.event.client_payload.ref || github.ref }}

- name: Run Linter
run: |
echo
go get golang.org/x/lint/golint
$GOPATH/bin/golint -set_exit_status firebase.google.com/go/...
go get -u golang.org/x/lint/golint
GOLINT=`go list -f {{.Target}} golang.org/x/lint/golint`
$GOLINT -set_exit_status ./...
- name: Run Tests
working-directory: ./go/src/firebase.google.com/go
run: ./.github/scripts/run_all_tests.sh
env:
FIREBASE_SERVICE_ACCT_KEY: ${{ secrets.FIREBASE_SERVICE_ACCT_KEY }}
Expand Down
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -41,9 +41,9 @@ requests, code review feedback, and also pull requests.

## Supported Go Versions

We support Go v1.11 and higher.
We support Go v1.12 and higher.
[Continuous integration](https://github.com/firebase/firebase-admin-go/actions) system
tests the code on Go v1.11 through v1.13.
tests the code on Go v1.12 through v1.14.

## Documentation

Expand Down
66 changes: 61 additions & 5 deletions auth/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,13 +23,19 @@ import (
"strings"
"time"

"firebase.google.com/go/internal"
"firebase.google.com/go/v4/internal"
"google.golang.org/api/transport"
)

const (
authErrorCode = "authErrorCode"
firebaseAudience = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
oneHourInSeconds = 3600

// SDK-generated error codes
idTokenRevoked = "ID_TOKEN_REVOKED"
sessionCookieRevoked = "SESSION_COOKIE_REVOKED"
tenantIDMismatch = "TENANT_ID_MISMATCH"
)

var reservedClaims = []string{
Expand Down Expand Up @@ -102,7 +108,6 @@ func NewClient(ctx context.Context, conf *internal.AuthConfig) (*Client, error)

hc := internal.WithDefaultRetryConfig(transport)
hc.CreateErrFn = handleHTTPError
hc.SuccessFn = internal.HasSuccessStatus
hc.Opts = []internal.HTTPOption{
internal.WithHeader("X-Client-Version", fmt.Sprintf("Go/Admin/%s", conf.Version)),
}
Expand Down Expand Up @@ -261,12 +266,23 @@ func (c *baseClient) withTenantID(tenantID string) *baseClient {
func (c *baseClient) VerifyIDToken(ctx context.Context, idToken string) (*Token, error) {
decoded, err := c.idTokenVerifier.VerifyToken(ctx, idToken)
if err == nil && c.tenantID != "" && c.tenantID != decoded.Firebase.Tenant {
return nil, internal.Errorf(tenantIDMismatch, "invalid tenant id: %q", decoded.Firebase.Tenant)
return nil, &internal.FirebaseError{
ErrorCode: internal.InvalidArgument,
String: fmt.Sprintf("invalid tenant id: %q", decoded.Firebase.Tenant),
Ext: map[string]interface{}{
authErrorCode: tenantIDMismatch,
},
}
}

return decoded, err
}

// IsTenantIDMismatch checks if the given error was due to a mismatched tenant ID in a JWT.
func IsTenantIDMismatch(err error) bool {
return hasAuthErrorCode(err, tenantIDMismatch)
}

// VerifyIDTokenAndCheckRevoked verifies the provided ID token, and additionally checks that the
// token has not been revoked.
//
Expand All @@ -284,12 +300,27 @@ func (c *baseClient) VerifyIDTokenAndCheckRevoked(ctx context.Context, idToken s
if err != nil {
return nil, err
}

if revoked {
return nil, internal.Error(idTokenRevoked, "ID token has been revoked")
return nil, &internal.FirebaseError{
ErrorCode: internal.InvalidArgument,
String: "ID token has been revoked",
Ext: map[string]interface{}{
authErrorCode: idTokenRevoked,
},
}
}

return decoded, nil
}

// IsIDTokenRevoked checks if the given error was due to a revoked ID token.
//
// When IsIDTokenRevoked returns true, IsIDTokenInvalid is guranteed to return true.
func IsIDTokenRevoked(err error) bool {
return hasAuthErrorCode(err, idTokenRevoked)
}

// VerifySessionCookie verifies the signature and payload of the provided Firebase session cookie.
//
// VerifySessionCookie accepts a signed JWT token string, and verifies that it is current, issued for the
Expand Down Expand Up @@ -324,12 +355,27 @@ func (c *Client) VerifySessionCookieAndCheckRevoked(ctx context.Context, session
if err != nil {
return nil, err
}

if revoked {
return nil, internal.Error(sessionCookieRevoked, "session cookie has been revoked")
return nil, &internal.FirebaseError{
ErrorCode: internal.InvalidArgument,
String: "session cookie has been revoked",
Ext: map[string]interface{}{
authErrorCode: sessionCookieRevoked,
},
}
}

return decoded, nil
}

// IsSessionCookieRevoked checks if the given error was due to a revoked session cookie.
//
// When IsSessionCookieRevoked returns true, IsSessionCookieInvalid is guranteed to return true.
func IsSessionCookieRevoked(err error) bool {
return hasAuthErrorCode(err, sessionCookieRevoked)
}

func (c *baseClient) checkRevoked(ctx context.Context, token *Token) (bool, error) {
user, err := c.GetUser(ctx, token.UID)
if err != nil {
Expand All @@ -338,3 +384,13 @@ func (c *baseClient) checkRevoked(ctx context.Context, token *Token) (bool, erro

return token.IssuedAt*1000 < user.TokensValidAfterMillis, nil
}

func hasAuthErrorCode(err error, code string) bool {
fe, ok := err.(*internal.FirebaseError)
if !ok {
return false
}

got, ok := fe.Ext[authErrorCode]
return ok && got == code
}
2 changes: 1 addition & 1 deletion auth/auth_appengine.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ package auth
import (
"context"

"firebase.google.com/go/internal"
"firebase.google.com/go/v4/internal"
"google.golang.org/appengine"
)

Expand Down
4 changes: 2 additions & 2 deletions auth/auth_std.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,12 +14,12 @@
// See the License for the specific language governing permissions and
// limitations under the License.

package auth // import "firebase.google.com/go/auth"
package auth

import (
"context"

"firebase.google.com/go/internal"
"firebase.google.com/go/v4/internal"
)

func newCryptoSigner(ctx context.Context, conf *internal.AuthConfig) (cryptoSigner, error) {
Expand Down
Loading

0 comments on commit cef91ac

Please sign in to comment.