Skip to content

Add optional signed_audience flag #114

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 12 commits into from
Jul 2, 2023
Merged

Add optional signed_audience flag #114

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
2857ba1
Make audience signing optional
Tarpsvo Jun 29, 2023
aa2a345
Add additional reporting just in case
Tarpsvo Jun 29, 2023
e185f2c
Theoretical fixes
Tarpsvo Jun 29, 2023
7db3174
Fix return value
Tarpsvo Jun 29, 2023
226f9bd
Fix docs
Tarpsvo Jun 29, 2023
9ab5a81
Fix type
Tarpsvo Jun 29, 2023
9591b39
Remove debug reports
Tarpsvo Jun 29, 2023
bce2a7c
Undo style change
Tarpsvo Jun 29, 2023
f356dc2
Undo introduced variable
Tarpsvo Jun 29, 2023
964ddd4
Fix task name sanitization
Tarpsvo Jun 30, 2023
e24bbee
Enable signed audience by default
marickvantuil Jul 2, 2023
aad2d5d
Refactor
marickvantuil Jul 2, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ Please check the [Laravel support policy](https://laravel.com/docs/master/releas
'handler' => env('STACKKIT_CLOUD_TASKS_HANDLER', ''),
'queue' => env('STACKKIT_CLOUD_TASKS_QUEUE', 'default'),
'service_account_email' => env('STACKKIT_CLOUD_TASKS_SERVICE_EMAIL', ''),
'signed_audience' => env('STACKKIT_CLOUD_TASKS_SIGNED_AUDIENCE', false),
// Optional: The deadline in seconds for requests sent to the worker. If the worker
// does not respond by this deadline then the request is cancelled and the attempt
// is marked as a DEADLINE_EXCEEDED failure.
Expand All @@ -70,6 +71,7 @@ Please check the table below on what the values mean and what their value should
| `STACKKIT_CLOUD_TASKS_QUEUE` | The default queue a job will be added to |`emails`
| `STACKKIT_CLOUD_TASKS_SERVICE_EMAIL` | The email address of the service account. Important, it should have the correct roles. See the section below which roles. |`[email protected]`
| `STACKKIT_CLOUD_TASKS_HANDLER` (optional) | The URL that Cloud Tasks will call to process a job. This should be the URL to your Laravel app. By default we will use the URL that dispatched the job. |`https://<your website>.com`
| `STACKKIT_CLOUD_TASKS_SIGNED_AUDIENCE` (optional) | True or false depending if you want extra security by signing the audience of your tasks. May misbehave in certain Cloud Run setups. Defaults to false. | `false`
</details>
<details>
<summary>
Expand Down
9 changes: 7 additions & 2 deletions src/CloudTasksQueue.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -167,14 +167,14 @@ protected function pushToCloudTasks($queue, $payload, $delay = 0)

$token = new OidcToken;
$token->setServiceAccountEmail($this->config['service_account_email']);
$token->setAudience(hash_hmac('sha256', $this->getHandler(), config('app.key')));
if ($audience = $this->getAudience()) $token->setAudience($audience);
$httpRequest->setOidcToken($token);

if ($availableAt > time()) {
$task->setScheduleTime(new Timestamp(['seconds' => $availableAt]));
}

$createdTask = CloudTasksApi::createTask($queueName, $task);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This variable was unused.

CloudTasksApi::createTask($queueName, $task);

event((new TaskCreated)->queue($queue)->task($task));

Expand Down Expand Up @@ -268,4 +268,9 @@ public function getHandler(): string
{
return Config::getHandler($this->config['handler']);
}

public function getAudience(): ?string
{
return Config::getAudience($this->config);
}
}
11 changes: 11 additions & 0 deletions src/Config.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,4 +82,15 @@ public static function getHandler($handler): string
);
}
}

/**
* @param array $config
* @return string|null The audience as an hash or null if not needed
*/
public static function getAudience(array $config): ?string
{
return $config['signed_audience'] ?? false
? hash_hmac('sha256', self::getHandler($config['handler']), config('app.key'))
: null;
}
}
2 changes: 1 addition & 1 deletion src/OpenIdVerificatorConcrete.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ public function verify(?string $token, array $config): void
(new AccessToken())->verify(
$token,
[
'audience' => hash_hmac('sha256', app('queue')->getHandler(), config('app.key')),
'audience' => Config::getAudience($config),
'throwException' => true,
]
);
Expand Down
2 changes: 1 addition & 1 deletion src/OpenIdVerificatorFake.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ public function verify(?string $token, array $config): void
(new AccessToken())->verify(
$token,
[
'audience' => hash_hmac('sha256', app('queue')->getHandler(), config('app.key')),
'audience' => Config::getAudience($config),
'throwException' => true,
'certsLocation' => __DIR__ . '/../tests/Support/self-signed-public-key-as-jwk.json',
]
Expand Down