Added ID token verification against server certificate.

2012-02-15 15:23:54 +03:00 · 2012-02-15 15:23:54 +03:00 · 17e540d0de
parent d021ed5503
commit 17e540d0de
2 changed files with 75 additions and 0 deletions
--- a/lib/google/api_client.rb
+++ b/lib/google/api_client.rb
@ -401,6 +401,76 @@ module Google
      end
    end
    ##
    # Verifies an ID token against a server certificate. Used to ensure that
    # an ID token supplied by an untrusted client-side mechanism is valid.
    # Raises an error if the token is invalid or missing.
    def verify_id_token!
      gem 'jwt', '~> 0.1.4'
      require 'jwt'
      require 'openssl'
      @certificates ||= {}
      if !self.authorization.respond_to?(:id_token)
        raise ArgumentError, (
          "Current authorization mechanism does not support ID tokens: " +
          "#{self.authorization.class.to_s}"
        )
      elsif !self.authorization.id_token
        raise ArgumentError, (
          "Could not verify ID token, ID token missing. " +
          "Scopes were: #{self.authorization.scope.inspect}"
        )
      else
        check_cached_certs = lambda do
          valid = false
          for key, cert in @certificates
            begin
              self.authorization.decoded_id_token(cert.public_key)
              valid = true
            rescue JWT::DecodeError, Signet::UnsafeOperationError
              # Expected exception. Ignore, ID token has not been validated.
            end
          end
          valid
        end
        if check_cached_certs.call()
          return true
        end
        request = self.generate_request(
          :http_method => :get,
          :uri => 'https://www.googleapis.com/oauth2/v1/certs',
          :authenticated => false
        )
        response = self.transmit(:request => request)
        if response.status >= 200 && response.status < 300
          @certificates.merge!(
            Hash[MultiJson.decode(response.body).map do |key, cert|
              [key, OpenSSL::X509::Certificate.new(cert)]
            end]
          )
        elsif response.status >= 400
          case response.status
          when 400...500
            exception_type = ClientError
          when 500...600
            exception_type = ServerError
          else
            exception_type = TransmissionError
          end
          url = request.to_env(Faraday.default_connection)[:url]
          raise exception_type,
            "Could not retrieve certificates from: #{url}"
        end
        if check_cached_certs.call()
          return true
        else
          raise InvalidIDTokenError,
            "Could not verify ID token against any available certificate."
        end
      end
      return nil
    end
    ##
    # Generates a request.
    #
--- a/lib/google/api_client/errors.rb
+++ b/lib/google/api_client/errors.rb
@ -36,5 +36,10 @@ module Google
    # A 5xx class HTTP error occurred.
    class ServerError < TransmissionError
    end
    ##
    # An exception that is raised if an ID token could not be validated.
    class InvalidIDTokenError < StandardError
    end
  end
 end