Merge pull request #21277 from jboeuf/sts_creds_fix

Fixing bug where subject token was used instead of the actor token.
5 years ago · 7fa653dbfb
parent cfc8fbbef5 cedf76ee9a
commit 7fa653dbfb
2 changed files with 22 additions and 13 deletions
--- a/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc
+++ b/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc
@ -616,7 +616,7 @@ class StsTokenFetcherCredentials
      if (err != GRPC_ERROR_NONE) return cleanup();
      MaybeAddToBody(
          &body_strvec, "actor_token",
-          reinterpret_cast<const char*>(GRPC_SLICE_START_PTR(subject_token)));
+          reinterpret_cast<const char*>(GRPC_SLICE_START_PTR(actor_token)));
      MaybeAddToBody(&body_strvec, "actor_token_type", actor_token_type_.get());
    }
    return cleanup();
--- a/test/core/security/credentials_test.cc
+++ b/test/core/security/credentials_test.cc
@ -115,6 +115,11 @@ static const char test_signed_jwt[] =
    "U0MDcyZTViYTdmZDkwODg2YzcifQ";
 static const char test_signed_jwt_token_type[] =
    "urn:ietf:params:oauth:token-type:id_token";
+static const char test_signed_jwt2[] =
+    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImY0OTRkN2M1YWU2MGRmOTcyNmM5YW"
+    "U2MDcyZTViYTdnZDkwODg5YzcifQ";
+static const char test_signed_jwt_token_type2[] =
+    "urn:ietf:params:oauth:token-type:jwt";
 static const char test_signed_jwt_path_prefix[] = "test_sign_jwt";

 static const char test_service_url[] = "https://foo.com/foo.v1";
@ -859,8 +864,10 @@ static void validate_sts_token_http_request(const grpc_httpcli_request* request,
                    test_signed_jwt) == 0);
  GPR_ASSERT(strcmp(grpc_uri_get_query_arg(url, "subject_token_type"),
                    test_signed_jwt_token_type) == 0);
-  GPR_ASSERT(grpc_uri_get_query_arg(url, "actor_token") == nullptr);
-  GPR_ASSERT(grpc_uri_get_query_arg(url, "actor_token_type") == nullptr);
+  GPR_ASSERT(strcmp(grpc_uri_get_query_arg(url, "actor_token"),
+                    test_signed_jwt2) == 0);
+  GPR_ASSERT(strcmp(grpc_uri_get_query_arg(url, "actor_token_type"),
+                    test_signed_jwt_token_type2) == 0);
  grpc_uri_destroy(url);
  gpr_free(get_url_equivalent);

@ -884,13 +891,13 @@ static int sts_token_httpcli_post_success(const grpc_httpcli_request* request,
  return 1;
 }

-static char* write_tmp_jwt_file(void) {
+static char* write_tmp_jwt_file(const char* jwt_contents) {
  char* path;
  FILE* tmp = gpr_tmpfile(test_signed_jwt_path_prefix, &path);
  GPR_ASSERT(path != nullptr);
  GPR_ASSERT(tmp != nullptr);
-  size_t jwt_length = strlen(test_signed_jwt);
-  GPR_ASSERT(fwrite(test_signed_jwt, 1, jwt_length, tmp) == jwt_length);
+  size_t jwt_length = strlen(jwt_contents);
+  GPR_ASSERT(fwrite(jwt_contents, 1, jwt_length, tmp) == jwt_length);
  fclose(tmp);
  return path;
 }
@ -901,17 +908,18 @@ static void test_sts_creds_success(void) {
      {"authorization", "Bearer ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_"}};
  grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
                                            nullptr, nullptr};
-  char* test_signed_jwt_path = write_tmp_jwt_file();
+  char* subject_token_path = write_tmp_jwt_file(test_signed_jwt);
+  char* actor_token_path = write_tmp_jwt_file(test_signed_jwt2);
  grpc_sts_credentials_options valid_options = {
      test_sts_endpoint_url,       // sts_endpoint_url
      "resource",                  // resource
      "audience",                  // audience
      "scope",                     // scope
      "requested_token_type",      // requested_token_type
-      test_signed_jwt_path,        // subject_token_path
+      subject_token_path,          // subject_token_path
      test_signed_jwt_token_type,  // subject_token_type
-      nullptr,                     // actor_token_path
-      nullptr                      // actor_token_type
+      actor_token_path,            // actor_token_path
+      test_signed_jwt_token_type2  // actor_token_type
  };
  grpc_call_credentials* creds =
      grpc_sts_credentials_create(&valid_options, nullptr);
@ -934,7 +942,8 @@ static void test_sts_creds_success(void) {

  creds->Unref();
  grpc_httpcli_set_override(nullptr, nullptr);
-  gpr_free(test_signed_jwt_path);
+  gpr_free(subject_token_path);
+  gpr_free(actor_token_path);
 }

 static void test_sts_creds_load_token_failure(void) {
@ -945,7 +954,7 @@ static void test_sts_creds_load_token_failure(void) {
      nullptr, 0);
  grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
                                            nullptr, nullptr};
-  char* test_signed_jwt_path = write_tmp_jwt_file();
+  char* test_signed_jwt_path = write_tmp_jwt_file(test_signed_jwt);
  grpc_sts_credentials_options options = {
      test_sts_endpoint_url,       // sts_endpoint_url
      "resource",                  // resource
@ -974,7 +983,7 @@ static void test_sts_creds_http_failure(void) {
      nullptr, 0);
  grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
                                            nullptr, nullptr};
-  char* test_signed_jwt_path = write_tmp_jwt_file();
+  char* test_signed_jwt_path = write_tmp_jwt_file(test_signed_jwt);
  grpc_sts_credentials_options valid_options = {
      test_sts_endpoint_url,       // sts_endpoint_url
      "resource",                  // resource