Commit 48d5402

authored

Merge pull request #114 from Tarpsvo/feature/optional-audience-hash

Add optional signed_audience flag

2 parents 9e11378 + aad2d5d commit 48d5402Copy full SHA for 48d5402

File tree

6 files changed

+37

-5

lines changed

README.md
src
tests
- TestCase.php

6 files changed

+37

-5

lines changed

`‎README.md‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,7 @@ Please check the [Laravel support policy](https://laravel.com/docs/master/releas`
`45`	`45`	`'handler' => env('STACKKIT_CLOUD_TASKS_HANDLER', ''),`
`46`	`46`	`'queue' => env('STACKKIT_CLOUD_TASKS_QUEUE', 'default'),`
`47`	`47`	`'service_account_email' => env('STACKKIT_CLOUD_TASKS_SERVICE_EMAIL', ''),`
	`48`	`+ 'signed_audience' => env('STACKKIT_CLOUD_TASKS_SIGNED_AUDIENCE', true),`
`48`	`49`	`// Optional: The deadline in seconds for requests sent to the worker. If the worker`
`49`	`50`	`// does not respond by this deadline then the request is cancelled and the attempt`
`50`	`51`	`// is marked as a DEADLINE_EXCEEDED failure.`
`@@ -70,6 +71,7 @@ Please check the table below on what the values mean and what their value should`
`70`	`71`	\| `STACKKIT_CLOUD_TASKS_QUEUE` \| The default queue a job will be added to \|`emails`
`71`	`72`	\| `STACKKIT_CLOUD_TASKS_SERVICE_EMAIL` \| The email address of the service account. Important, it should have the correct roles. See the section below which roles. \|`my-service-account@appspot.gserviceaccount.com`
`72`	`73`	\| `STACKKIT_CLOUD_TASKS_HANDLER` (optional) \| The URL that Cloud Tasks will call to process a job. This should be the URL to your Laravel app. By default we will use the URL that dispatched the job. \|`https://<your website>.com`
	`74`	+\| `STACKKIT_CLOUD_TASKS_SIGNED_AUDIENCE` (optional) \| True or false depending if you want extra security by signing the audience of your tasks. May misbehave in certain Cloud Run setups. Defaults to true. \| `true`
`73`	`75`	`</details>`
`74`	`76`	`<details>`
`75`	`77`	`<summary>`

`‎src/CloudTasksQueue.php‎`

Lines changed: 21 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -167,14 +167,16 @@ protected function pushToCloudTasks($queue, $payload, $delay = 0)`
`167`	`167`
`168`	`168`	`$token = new OidcToken;`
`169`	`169`	`$token->setServiceAccountEmail($this->config['service_account_email']);`
`170`		`- $token->setAudience(hash_hmac('sha256', $this->getHandler(), config('app.key')));`
	`170`	`+ if ($audience = $this->getAudience()) {`
	`171`	`+ $token->setAudience($audience);`
	`172`	`+ }`
`171`	`173`	`$httpRequest->setOidcToken($token);`
`172`	`174`
`173`	`175`	`if ($availableAt > time()) {`
`174`	`176`	`$task->setScheduleTime(new Timestamp(['seconds' => $availableAt]));`
`175`	`177`	`}`
`176`	`178`
`177`		`- $createdTask = CloudTasksApi::createTask($queueName, $task);`
	`179`	`+ CloudTasksApi::createTask($queueName, $task);`
`178`	`180`
`179`	`181`	`event((new TaskCreated)->queue($queue)->task($task));`
`180`	`182`
`@@ -192,7 +194,7 @@ private function withUuid(array $payload): array`
`192`	`194`
`193`	`195`	`private function taskName(string $queueName, array $payload): string`
`194`	`196`	`{`
`195`		`- $displayName = str_replace("\\", '-', $payload['displayName']);`
	`197`	`+ $displayName = $this->sanitizeTaskName($payload['displayName']);`
`196`	`198`
`197`	`199`	`return CloudTasksClient::taskName(`
`198`	`200`	`$this->config['project'],`
`@@ -202,6 +204,17 @@ private function taskName(string $queueName, array $payload): string`
`202`	`204`	`);`
`203`	`205`	`}`
`204`	`206`
	`207`	`+ private function sanitizeTaskName(string $taskName)`
	`208`	`+ {`
	`209`	`+ // Remove all characters that are not -, letters, numbers, or whitespace`
	`210`	`+ $sanitizedName = preg_replace('![^-\pL\pN\s]+!u', '-', $taskName);`
	`211`	`+`
	`212`	`+ // Replace all separator characters and whitespace by a -`
	`213`	`+ $sanitizedName = preg_replace('![-\s]+!u', '-', $sanitizedName);`
	`214`	`+`
	`215`	`+ return trim($sanitizedName, '-');`
	`216`	`+ }`
	`217`	`+`
`205`	`218`	`private function withAttempts(array $payload): array`
`206`	`219`	`{`
`207`	`220`	`if (!isset($payload['internal']['attempts'])) {`
`@@ -268,4 +281,9 @@ public function getHandler(): string`
`268`	`281`	`{`
`269`	`282`	`return Config::getHandler($this->config['handler']);`
`270`	`283`	`}`
	`284`	`+`
	`285`	`+ public function getAudience(): ?string`
	`286`	`+ {`
	`287`	`+ return Config::getAudience($this->config);`
	`288`	`+ }`
`271`	`289`	`}`

`‎src/Config.php‎`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -82,4 +82,15 @@ public static function getHandler($handler): string`
`82`	`82`	`);`
`83`	`83`	`}`
`84`	`84`	`}`
	`85`	`+`
	`86`	`+ /**`
	`87`	`+ * @param array $config`
	`88`	`+ * @return string\|null The audience as an hash or null if not needed`
	`89`	`+ */`
	`90`	`+ public static function getAudience(array $config): ?string`
	`91`	`+ {`
	`92`	`+ return $config['signed_audience'] ?? true`
	`93`	`+ ? hash_hmac('sha256', self::getHandler($config['handler']), config('app.key'))`
	`94`	`+ : null;`
	`95`	`+ }`
`85`	`96`	`}`

`‎src/OpenIdVerificatorConcrete.php‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ public function verify(?string $token, array $config): void`
`18`	`18`	`(new AccessToken())->verify(`
`19`	`19`	`$token,`
`20`	`20`	`[`
`21`		`- 'audience' => hash_hmac('sha256', app('queue')->getHandler(), config('app.key')),`
	`21`	`+ 'audience' => Config::getAudience($config),`
`22`	`22`	`'throwException' => true,`
`23`	`23`	`]`
`24`	`24`	`);`

`‎src/OpenIdVerificatorFake.php‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ public function verify(?string $token, array $config): void`
`17`	`17`	`(new AccessToken())->verify(`
`18`	`18`	`$token,`
`19`	`19`	`[`
`20`		`- 'audience' => hash_hmac('sha256', app('queue')->getHandler(), config('app.key')),`
	`20`	`+ 'audience' => Config::getAudience($config),`
`21`	`21`	`'throwException' => true,`
`22`	`22`	`'certsLocation' => __DIR__ . '/../tests/Support/self-signed-public-key-as-jwk.json',`
`23`	`23`	`]`

`‎tests/TestCase.php‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -103,6 +103,7 @@ protected function getEnvironmentSetUp($app)`
`103`	`103`	`'location' => 'europe-west6',`
`104`	`104`	`'handler' => env('CLOUD_TASKS_HANDLER', 'https://docker.for.mac.localhost:8080'),`
`105`	`105`	`'service_account_email' => 'info@stackkit.io',`
	`106`	`+ 'signed_audience' => true,`
`106`	`107`	`]);`
`107`	`108`	`$app['config']->set('queue.failed.driver', 'database-uuids');`
`108`	`109`	`$app['config']->set('queue.failed.database', 'testbench');`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit 48d5402

File tree

6 files changed

6 files changed

`‎README.md‎`

`‎src/CloudTasksQueue.php‎`

`‎src/Config.php‎`

`‎src/OpenIdVerificatorConcrete.php‎`

`‎src/OpenIdVerificatorFake.php‎`

`‎tests/TestCase.php‎`

0 commit comments