Allow HTTP functions in firebase rules to specify audience

contrib/endpoints/src/api_manager/auth/service_account_token.cc

@@ -60,10 +60,21 @@ void ServiceAccountToken::SetAudience(JWT_TOKEN_TYPE type,
 }
 
 const std::string& ServiceAccountToken::GetAuthToken(JWT_TOKEN_TYPE type) {
+  return GetAuthToken(type, jwt_tokens_[type].audience());
+}
+
+const std::string& ServiceAccountToken::GetAuthToken(
+    JWT_TOKEN_TYPE type, const std::string& audience) {
+  bool ignore_cache = false;
+  if (jwt_tokens_[type].audience() != audience) {
+    SetAudience(type, audience);
+    ignore_cache = true;
+  }
+
   // Uses authentication secret if available.
   if (!client_auth_secret_.empty()) {
     GOOGLE_CHECK(type >= 0 && type < JWT_TOKEN_TYPE_MAX);
-    if (!jwt_tokens_[type].is_valid(0)) {
+    if (ignore_cache || !jwt_tokens_[type].is_valid(0)) {
       Status status = jwt_tokens_[type].GenerateJwtToken(client_auth_secret_);
       if (!status.ok()) {
         if (env_) {

contrib/endpoints/src/api_manager/auth/service_account_token.h

@@ -77,8 +77,17 @@ class ServiceAccountToken {
   // Gets the auth token to access Google services.
   // If client auth secret is specified, use it to calcualte JWT token.
   // Otherwise, use the access token fetched from metadata server.
+  // If ignore_cache is true then a JWT token is regenerated even if the current
+  // cached JWT token is valid.
   const std::string& GetAuthToken(JWT_TOKEN_TYPE type);
 
+  // Gets the auth token to access Google services. This method accepts an
+  // audience parameter to set when generating JWT token.
+  // If client auth secret is specified, use it to calcualte JWT token.
+  // Otherwise, use the access token fetched from metadata server.
+  const std::string& GetAuthToken(JWT_TOKEN_TYPE type,
+                                  const std::string& audience);
+
  private:
   // Stores base token info. Used for both OAuth and JWT tokens.
   class TokenInfo {

contrib/endpoints/src/api_manager/check_security_rules.cc

@@ -23,6 +23,9 @@
 using ::google::api_manager::auth::GetStringValue;
 using ::google::api_manager::firebase_rules::FirebaseRequest;
 using ::google::api_manager::utils::Status;
+const char kFirebaseAudience[] =
+    "https://staging-firebaserules.sandbox.googleapis.com/"
+    "google.firebase.rules.v1.FirebaseRulesService";
 
 namespace google {
 namespace api_manager {
@@ -77,6 +80,7 @@ class AuthzChecker : public std::enable_shared_from_this<AuthzChecker> {
   void HttpFetch(const std::string &url, const std::string &method,
                  const std::string &request_body,
                  auth::ServiceAccountToken::JWT_TOKEN_TYPE token_type,
+                 const std::string &audience,
                  std::function<void(Status, std::string &&)> continuation);
 
   std::shared_ptr<AuthzChecker> GetPtr() { return shared_from_this(); }
@@ -107,8 +111,8 @@ void AuthzChecker::Check(
   auto checker = GetPtr();
   HttpFetch(GetReleaseUrl(*context), kHttpGetMethod, "",
             auth::ServiceAccountToken::JWT_TOKEN_FOR_FIREBASE,
-            [context, final_continuation, checker](Status status,
-                                                   std::string &&body) {
+            kFirebaseAudience, [context, final_continuation, checker](
+                                   Status status, std::string &&body) {
               std::string ruleset_id;
               if (status.ok()) {
                 checker->env_->LogDebug(
@@ -143,7 +147,7 @@ void AuthzChecker::CallNextRequest(
   auto checker = GetPtr();
   firebase_rules::HttpRequest http_request = request_handler_->GetHttpRequest();
   HttpFetch(http_request.url, http_request.method, http_request.body,
-            http_request.token_type,
+            http_request.token_type, http_request.audience,
             [continuation, checker](Status status, std::string &&body) {
 
               checker->env_->LogError(std::string("Response Body = ") + body);
@@ -187,6 +191,7 @@ void AuthzChecker::HttpFetch(
     const std::string &url, const std::string &method,
     const std::string &request_body,
     auth::ServiceAccountToken::JWT_TOKEN_TYPE token_type,
+    const std::string &audience,
     std::function<void(Status, std::string &&)> continuation) {
   env_->LogDebug(std::string("Issue HTTP Request to url :") + url +
                  " method : " + method + " body: " + request_body);
@@ -201,7 +206,7 @@ void AuthzChecker::HttpFetch(
   }
 
   request->set_method(method).set_url(url).set_auth_token(
-      sa_token_->GetAuthToken(token_type));
+      sa_token_->GetAuthToken(token_type, audience));
 
   if (!request_body.empty()) {
     request->set_header(kContentType, kApplication).set_body(request_body);

contrib/endpoints/src/api_manager/check_security_rules_test.cc

@@ -43,7 +43,7 @@ using ::google::protobuf::RepeatedPtrField;
 // Tuple with arg<0> = function name
 // arg<1> = url, arg<2> = method, arg<3> = body.
 using FuncTuple =
-    std::tuple<std::string, std::string, std::string, std::string>;
+    std::tuple<std::string, std::string, std::string, std::string, std::string>;
 using ::google::api_manager::proto::TestRulesetResponse;
 using FunctionCall = TestRulesetResponse::TestResult::FunctionCall;
 
@@ -157,14 +157,16 @@ static const char kDummyBody[] = R"(
   "key" : "value"
 })";
 
+static const char kDummyAudience[] = "test-audience";
+
 const char kFirstRequest[] =
     R"({"testSuite":{"testCases":[{"expectation":"ALLOW","request":{"method":"get","path":"/ListShelves","auth":{"token":{"email":"limin-429@appspot.gserviceaccount.com","email_verified":true,"azp":"limin-429@appspot.gserviceaccount.com","aud":"https://myfirebaseapp.appspot.com","sub":"113424383671131376652","iat":1486575396,"iss":"https://accounts.google.com","exp":1486578996}}}}]}})";
 
 const char kSecondRequest[] =
-    R"({"testSuite":{"testCases":[{"expectation":"ALLOW","request":{"auth":{"token":{"email":"limin-429@appspot.gserviceaccount.com","azp":"limin-429@appspot.gserviceaccount.com","aud":"https://myfirebaseapp.appspot.com","sub":"113424383671131376652","iss":"https://accounts.google.com","email_verified":true,"iat":1486575396,"exp":1486578996}},"method":"get","path":"/ListShelves"},"functionMocks":[{"function":"f1","args":[{"exactValue":"http://url1"},{"exactValue":"POST"},{"exactValue":{"key":"value"}}],"result":{"value":{"key":"value"}}}]}]}})";
+    R"({"testSuite":{"testCases":[{"expectation":"ALLOW","request":{"auth":{"token":{"email":"limin-429@appspot.gserviceaccount.com","azp":"limin-429@appspot.gserviceaccount.com","aud":"https://myfirebaseapp.appspot.com","sub":"113424383671131376652","iss":"https://accounts.google.com","email_verified":true,"iat":1486575396,"exp":1486578996}},"method":"get","path":"/ListShelves"},"functionMocks":[{"function":"f1","args":[{"exactValue":"http://url1"},{"exactValue":"POST"},{"exactValue":{"key":"value"}},{"exactValue":"test-audience"}],"result":{"value":{"key":"value"}}}]}]}})";
 
 const char kThirdRequest[] =
-    R"({"testSuite":{"testCases":[{"expectation":"ALLOW","request":{"method":"get","path":"/ListShelves","auth":{"token":{"email":"limin-429@appspot.gserviceaccount.com","iat":1486575396,"azp":"limin-429@appspot.gserviceaccount.com","exp":1486578996,"email_verified":true,"sub":"113424383671131376652","aud":"https://myfirebaseapp.appspot.com","iss":"https://accounts.google.com"}}},"functionMocks":[{"function":"f2","args":[{"exactValue":"http://url2"},{"exactValue":"GET"},{"exactValue":{"key":"value"}}],"result":{"value":{"key":"value"}}},{"function":"f3","args":[{"exactValue":"https://url3"},{"exactValue":"GET"},{"exactValue":{"key":"value"}}],"result":{"value":{"key":"value"}}},{"function":"f1","args":[{"exactValue":"http://url1"},{"exactValue":"POST"},{"exactValue":{"key":"value"}}],"result":{"value":{"key":"value"}}}]}]}})";
+    R"({"testSuite":{"testCases":[{"expectation":"ALLOW","request":{"method":"get","path":"/ListShelves","auth":{"token":{"email":"limin-429@appspot.gserviceaccount.com","iat":1486575396,"azp":"limin-429@appspot.gserviceaccount.com","exp":1486578996,"email_verified":true,"sub":"113424383671131376652","aud":"https://myfirebaseapp.appspot.com","iss":"https://accounts.google.com"}}},"functionMocks":[{"function":"f2","args":[{"exactValue":"http://url2"},{"exactValue":"GET"},{"exactValue":{"key":"value"}},{"exactValue":"test-audience"}],"result":{"value":{"key":"value"}}},{"function":"f3","args":[{"exactValue":"https://url3"},{"exactValue":"GET"},{"exactValue":{"key":"value"}},{"exactValue":"test-audience"}],"result":{"value":{"key":"value"}}},{"function":"f1","args":[{"exactValue":"http://url1"},{"exactValue":"POST"},{"exactValue":{"key":"value"}},{"exactValue":"test-audience"}],"result":{"value":{"key":"value"}}}]}]}})";
 
 ::google::protobuf::Value ToValue(const std::string &arg) {
   ::google::protobuf::Value value;
@@ -197,7 +199,8 @@ MATCHER_P3(HTTPRequestMatches, url, method, body, "") {
 }
 
 FunctionCall BuildCall(const std::string &name, const std::string &url,
-                       const std::string &method, const std::string &body) {
+                       const std::string &method, const std::string &body,
+                       const std::string &audience) {
   FunctionCall func_call;
   func_call.set_function(name);
 
@@ -213,6 +216,10 @@ FunctionCall BuildCall(const std::string &name, const std::string &url,
     *(func_call.add_args()) = ToValue(body);
   }
 
+  if (!audience.empty()) {
+    *(func_call.add_args()) = ToValue(audience);
+  }
+
   return func_call;
 }
 
@@ -386,6 +393,10 @@ class CheckSecurityRulesTest : public ::testing::Test {
         Status status = utils::JsonToProto(std::get<3>(http), &body);
         *(func->add_args()) = body;
       }
+
+      if (!std::get<4>(http).empty()) {
+        func->add_args()->set_string_value(std::get<4>(http));
+      }
     }
 
     std::string json_str;
@@ -526,26 +537,30 @@ class CheckSecurityRulesFunctions : public CheckSecurityRulesTest,
     InSequence s;
 
     ExpectCall(release_url_, "GET", "", kRelease);
-    ExpectCall(
-        ruleset_test_url_, "POST", kFirstRequest,
-        BuildTestRulesetResponse(
-            false, {std::make_tuple("f1", "http://url1", "POST", kDummyBody)}));
+    ExpectCall(ruleset_test_url_, "POST", kFirstRequest,
+               BuildTestRulesetResponse(
+                   false, {std::make_tuple("f1", "http://url1", "POST",
+                                           kDummyBody, kDummyAudience)}));
 
     ExpectCall("http://url1", "POST", kDummyBody, kDummyBody);
-    ExpectCall(
-        ruleset_test_url_, "POST", kSecondRequest,
-        BuildTestRulesetResponse(
-            false, {std::make_tuple("f2", "http://url2", "GET", kDummyBody),
-                    std::make_tuple("f3", "https://url3", "GET", kDummyBody),
-                    std::make_tuple("f1", "http://url1", "POST", kDummyBody)}));
+    ExpectCall(ruleset_test_url_, "POST", kSecondRequest,
+               BuildTestRulesetResponse(
+                   false, {std::make_tuple("f2", "http://url2", "GET",
+                                           kDummyBody, kDummyAudience),
+                           std::make_tuple("f3", "https://url3", "GET",
+                                           kDummyBody, kDummyAudience),
+                           std::make_tuple("f1", "http://url1", "POST",
+                                           kDummyBody, kDummyAudience)}));
     ExpectCall("http://url2", "GET", kDummyBody, kDummyBody);
     ExpectCall("https://url3", "GET", kDummyBody, kDummyBody);
     ExpectCall(ruleset_test_url_, "POST", kThirdRequest,
                BuildTestRulesetResponse(
-                   GetParam(),
-                   {std::make_tuple("f2", "http://url2", "GET", kDummyBody),
-                    std::make_tuple("f3", "https://url3", "GET", kDummyBody),
-                    std::make_tuple("f1", "http://url1", "POST", kDummyBody)}));
+                   GetParam(), {std::make_tuple("f2", "http://url2", "GET",
+                                                kDummyBody, kDummyAudience),
+                                std::make_tuple("f3", "https://url3", "GET",
+                                                kDummyBody, kDummyAudience),
+                                std::make_tuple("f1", "http://url1", "POST",
+                                                kDummyBody, kDummyAudience)}));
   }
 };
 
@@ -611,18 +626,19 @@ TEST_P(CheckSecurityRulesBadFunctions, CheckBadFunctionArguments) {
   });
 }
 
-INSTANTIATE_TEST_CASE_P(CheckSecurityRulesBadFunctionArguments,
-                        CheckSecurityRulesBadFunctions,
-                        ::testing::Values(
-                            // Empty function name
-                            std::make_tuple("", "http://url1", "POST",
-                                            kDummyBody),
-                            // Argument count less than 2
-                            std::make_tuple("f1", "", "", ""),
-                            // The url is not set
-                            std::make_tuple("f1", "", "POST", kDummyBody),
-                            // The url is not a http or https protocol
-                            std::make_tuple("f1", "ftp://url1", "BODY", "")));
+INSTANTIATE_TEST_CASE_P(
+    CheckSecurityRulesBadFunctionArguments, CheckSecurityRulesBadFunctions,
+    ::testing::Values(
+        // Empty function name
+        std::make_tuple("", "http://url1", "POST", kDummyBody, kDummyAudience),
+        // Argument count less than 3
+        std::make_tuple("f1", "http://url1", "", "", kDummyAudience),
+        // The url is not set
+        std::make_tuple("f1", "", "POST", kDummyBody, kDummyAudience),
+        // The url is not a http or https protocol
+        std::make_tuple("f1", "ftp://url1", "POST", kDummyBody, kDummyAudience),
+        // The audience is not present
+        std::make_tuple("f1", "http://url1", "GET", kDummyBody, "")));
 }
 }  // namespace api_manager
 }  // namespace google

contrib/endpoints/src/api_manager/context/service_context.cc

@@ -73,21 +73,6 @@ ServiceContext::ServiceContext(std::unique_ptr<ApiManagerEnvInterface> env,
                                         ->service_control_config()
                                         .intermediate_report_min_interval();
   }
-
-  service_account_token_.SetAudience(
-      auth::ServiceAccountToken::JWT_TOKEN_FOR_FIREBASE, kFirebaseAudience);
-
-  if (config_->server_config() &&
-      !config_->server_config()
-           ->api_check_security_rules_config()
-           .authorization_service_audience()
-           .empty()) {
-    service_account_token_.SetAudience(
-        auth::ServiceAccountToken::JWT_TOKEN_FOR_AUTHORIZATION_SERVICE,
-        config_->server_config()
-            ->api_check_security_rules_config()
-            .authorization_service_audience());
-  }
 }
 
 MethodCallInfo ServiceContext::GetMethodCallInfo(

contrib/endpoints/src/api_manager/firebase_rules/firebase_request.cc

@@ -49,6 +49,9 @@ const std::string kFirebaseDeleteMethod = "delete";
 const std::string kFirebaseUpdateMethod = "update";
 const std::string kV1 = "/v1";
 const std::string kTestQuery = ":test?alt=json";
+const char kFirebaseAudience[] =
+    "https://staging-firebaserules.sandbox.googleapis.com/"
+    "google.firebase.rules.v1.FirebaseRulesService";
 
 void SetProtoValue(const std::string &key,
                    const ::google::protobuf::Value &value,
@@ -94,6 +97,8 @@ FirebaseRequest::FirebaseRequest(
   firebase_http_request_.method = kHttpPostMethod;
   firebase_http_request_.token_type =
       auth::ServiceAccountToken::JWT_TOKEN_FOR_FIREBASE;
+  firebase_http_request_.audience = kFirebaseAudience;
+
   external_http_request_.token_type =
       auth::ServiceAccountToken::JWT_TOKEN_FOR_AUTHORIZATION_SERVICE;
 
@@ -305,6 +310,8 @@ Status FirebaseRequest::SetNextRequest() {
       auto call = *func_call_iter_;
       external_http_request_.url = call.args(0).string_value();
       external_http_request_.method = call.args(1).string_value();
+      external_http_request_.audience =
+          call.args(call.args_size() - 1).string_value();
       std::string body;
       status =
           utils::ProtoToJson(call.args(2), &body, utils::JsonOptions::DEFAULT);
@@ -334,9 +341,9 @@ Status FirebaseRequest::CheckFuncCallArgs(const FunctionCall &func) {
 
   // We only support functions that call with three argument: HTTP URL, HTTP
   // method and body. The body can be empty
-  if (func.args_size() < 2 || func.args_size() > 3) {
+  if (func.args_size() < 3 || func.args_size() > 4) {
     std::ostringstream os;
-    os << func.function() << " Require 2 or 3 arguments. But has "
+    os << func.function() << " Require 3 or 4 arguments. But has "
        << func.args_size();
     return Status(Code::INVALID_ARGUMENT, os.str());
   }
@@ -348,6 +355,14 @@ Status FirebaseRequest::CheckFuncCallArgs(const FunctionCall &func) {
         std::string(func.function() + " Arguments 1 and 2 should be strings"));
   }
 
+  if (func.args(func.args_size() - 1).kind_case() !=
+      google::protobuf::Value::kStringValue) {
+    return Status(
+        Code::INVALID_ARGUMENT,
+        std::string(func.function() + "The last argument should be a string"
+                                      "that specifies audience"));
+  }
+
   if (!utils::IsHttpRequest(func.args(0).string_value())) {
     return Status(
         Code::INVALID_ARGUMENT,

contrib/endpoints/src/api_manager/firebase_rules/firebase_request.h

@@ -74,6 +74,7 @@ struct HttpRequest {
   std::string method;
   std::string body;
   auth::ServiceAccountToken::JWT_TOKEN_TYPE token_type;
+  std::string audience;
 };
 
 // A FirebaseRequest object understands the various http requests that need

contrib/endpoints/src/api_manager/proto/server_config.proto

@@ -164,7 +164,6 @@ message ApiAuthenticationConfig {
 message ApiCheckSecurityRulesConfig {
   // Firebase server to use.
   string firebase_server = 1;
-  string authorization_service_audience = 2;
 }
 
 message Experimental {