blob: c25e9317bcf9114389822a4962e617ec885f1aab [file] [log] [blame]
// Copyright 2016 The Goma Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <openssl/bio.h>
#include <openssl/digest.h>
#include <openssl/pem.h>
#include <openssl/evp.h>
#include <time.h>
#include <memory>
#include <string>
#include <vector>
#include "basictypes.h"
#include "glog/logging.h"
namespace devtools_goma {
// JsonWebToken creates JWT from claim set and key.
class JsonWebToken {
struct ClaimSet {
ClaimSet() : expires_in_sec(3600) {}
// The email address of the service account.
std::string iss;
// The email address of the user for which the application is
// requesting delegated access (if any).
std::string sub;
// The permissions that the application requests.
std::vector<std::string> scopes;
// The seconds until access token will expire (at most 1 hour).
int expires_in_sec;
// Key is private key to sign.
class Key {
~Key() {}
// Load loads PEM formatted text representation key.
// Returns nullptr if failed.
static std::unique_ptr<Key> Load(const std::string& pem_key);
// Sign signs input, and returns raw signature bytes.
std::string Sign(const std::string& input) const;
// TODO: create openssl_util?
template<typename T, void (*func)(T*)>
struct Deleter {
void operator()(T* obj) {
struct BIODeleter {
void operator()(BIO* obj) {
int r = BIO_free(obj);
LOG_IF(ERROR, r != 1) << "Failed to BIO_free " << obj;
typedef std::unique_ptr<BIO, BIODeleter> ScopedBIO;
typedef std::unique_ptr<EVP_PKEY, Deleter<EVP_PKEY, EVP_PKEY_free>>
typedef std::unique_ptr<EVP_MD_CTX,
Deleter<EVP_MD_CTX, EVP_MD_CTX_destroy>>
explicit Key(ScopedEVP_PKEY pkey) : pkey_(std::move(pkey)) {}
const ScopedEVP_PKEY pkey_;
explicit JsonWebToken(ClaimSet claim_set);
// LoadKey returns a Key from pem_key string.
// Returns nullptr if failed.
static std::unique_ptr<Key> LoadKey(const std::string& pem_key) {
return Key::Load(pem_key);
// Token generates JWT, including signature, signed by key.
std::string Token(const Key& key, time_t now) const;
static const char kGrantTypeEncoded[];
friend class JsonWebTokenTest;
// helper functions.
// CreateHeaderJson returns JSON representation of JWT header.
static std::string CreateHeaderJson();
// CreateClaimSetJson returns JSON representation of JWT claim set.
static std::string CreateClaimSetJson(const ClaimSet& cs, time_t now);
// CreateTokenBaseString returns JWT token's base string, which will be
// a base string, i.e. an input for Sign.
// i.e. {Base64url encoded header}.{Base64url encoded claim set}.
static std::string CreateTokenBaseString(
const std::string& header,
const std::string& claim_set);
// Sign returns signature bytes for base_string.
static std::string Sign(const std::string& base_string, const Key& key);
// CreateToken returns JWT token, from base_string and its signature bytes.
static std::string CreateToken(const std::string& base_string,
const std::string& signature_bytes);
const ClaimSet claim_set_;
} // namespace devtools_goma