From 959f2e5ce912c108974ac6a0fae6381d376d978c Mon Sep 17 00:00:00 2001 From: Lawrence Qiu Date: Thu, 16 Jan 2025 14:48:08 -0500 Subject: [PATCH 1/4] chore: Update README with warnings about externally source credentials --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 5ea6fc028..e6f08ab31 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,11 @@ credentials. This artifact depends on the App Engine SDK. - [*google-auth-library-oauth2-http*](#google-auth-library-oauth2-http): contains a wide variety of credentials as well as utility methods to create them and to get Application Default Credentials +> ⚠️ Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for +authentication to Google Cloud Platform, you must validate it before providing it to any Google API or library. Providing +an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more +information, refer to [documentation](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials). + **Table of contents:** From 607770939252223c85f5a4f55ab0d78013e8aaa5 Mon Sep 17 00:00:00 2001 From: Lawrence Qiu Date: Thu, 16 Jan 2025 14:52:40 -0500 Subject: [PATCH 2/4] chore: Update method javadocs with warning --- .../java/com/google/auth/oauth2/GoogleCredentials.java | 7 +++++++ .../com/google/auth/oauth2/ServiceAccountCredentials.java | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java b/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java index 7d94d4e64..6ca8bd302 100644 --- a/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java @@ -158,6 +158,13 @@ public static GoogleCredentials getApplicationDefault(HttpTransportFactory trans *

The stream can contain a Service Account key file in JSON format from the Google Developers * Console or a stored user credential using the format supported by the Cloud SDK. * + *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an + * external source for authentication to Google Cloud Platform, you must validate it before + * providing it to any Google API or library. Providing an unvalidated credential configuration to + * Google APIs can compromise the security of your systems and data. For more information, refer + * to {@link documentation}. + * * @param credentialsStream the stream with the credential definition. * @return the credential defined by the credentialsStream. * @throws IOException if the credential cannot be created from the stream. diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java index d998ce671..4e570980a 100644 --- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java @@ -154,6 +154,13 @@ public class ServiceAccountCredentials extends GoogleCredentials * Returns service account credentials defined by JSON using the format supported by the Google * Developers Console. * + *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an + * external source for authentication to Google Cloud Platform, you must validate it before + * providing it to any Google API or library. Providing an unvalidated credential configuration to + * Google APIs can compromise the security of your systems and data. For more information, refer + * to {@link documentation}. + * * @param json a map from the JSON representing the credentials. * @param transportFactory HTTP transport factory, creates the transport used to get access * tokens. From b3afcf5714e791520f377fdb6120515df0d9b499 Mon Sep 17 00:00:00 2001 From: Lawrence Qiu Date: Fri, 17 Jan 2025 12:36:09 -0500 Subject: [PATCH 3/4] chore: Add warnings to all fromStream() calls --- ...ernalAccountAuthorizedUserCredentials.java | 14 +++++++++++++ .../oauth2/ExternalAccountCredentials.java | 14 +++++++++++++ .../google/auth/oauth2/GoogleCredentials.java | 7 +++++++ .../oauth2/ServiceAccountCredentials.java | 21 ++++++++++++------- .../ServiceAccountJwtAccessCredentials.java | 14 +++++++++++++ .../google/auth/oauth2/UserCredentials.java | 14 +++++++++++++ 6 files changed, 77 insertions(+), 7 deletions(-) diff --git a/oauth2_http/java/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentials.java index 1e811caa4..a119f1e7b 100644 --- a/oauth2_http/java/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentials.java @@ -127,6 +127,13 @@ private ExternalAccountAuthorizedUserCredentials(Builder builder) { /** * Returns external account authorized user credentials defined by a JSON file stream. * + *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an + * external source for authentication to Google Cloud Platform, you must validate it before + * providing it to any Google API or library. Providing an unvalidated credential configuration to + * Google APIs can compromise the security of your systems and data. For more information, refer + * to {@link documentation}. + * * @param credentialsStream the stream with the credential definition * @return the credential defined by the credentialsStream * @throws IOException if the credential cannot be created from the stream @@ -140,6 +147,13 @@ public static ExternalAccountAuthorizedUserCredentials fromStream(InputStream cr /** * Returns external account authorized user credentials defined by a JSON file stream. * + *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an + * external source for authentication to Google Cloud Platform, you must validate it before + * providing it to any Google API or library. Providing an unvalidated credential configuration to + * Google APIs can compromise the security of your systems and data. For more information, refer + * to {@link documentation}. + * * @param credentialsStream the stream with the credential definition * @param transportFactory the HTTP transport factory used to create the transport to get access * tokens diff --git a/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java index a9b3ef9eb..8a5084b98 100644 --- a/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java @@ -349,6 +349,13 @@ public Map> getRequestMetadata(URI uri) throws IOException * *

Returns {@link IdentityPoolCredentials} or {@link AwsCredentials}. * + *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an + * external source for authentication to Google Cloud Platform, you must validate it before + * providing it to any Google API or library. Providing an unvalidated credential configuration to + * Google APIs can compromise the security of your systems and data. For more information, refer + * to {@link documentation}. + * * @param credentialsStream the stream with the credential definition * @return the credential defined by the credentialsStream * @throws IOException if the credential cannot be created from the stream @@ -363,6 +370,13 @@ public static ExternalAccountCredentials fromStream(InputStream credentialsStrea * *

Returns a {@link IdentityPoolCredentials} or {@link AwsCredentials}. * + *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an + * external source for authentication to Google Cloud Platform, you must validate it before + * providing it to any Google API or library. Providing an unvalidated credential configuration to + * Google APIs can compromise the security of your systems and data. For more information, refer + * to {@link documentation}. + * * @param credentialsStream the stream with the credential definition * @param transportFactory the HTTP transport factory used to create the transport to get access * tokens diff --git a/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java b/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java index 6ca8bd302..4bb5da9ec 100644 --- a/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java @@ -179,6 +179,13 @@ public static GoogleCredentials fromStream(InputStream credentialsStream) throws *

The stream can contain a Service Account key file in JSON format from the Google Developers * Console or a stored user credential using the format supported by the Cloud SDK. * + *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an + * external source for authentication to Google Cloud Platform, you must validate it before + * providing it to any Google API or library. Providing an unvalidated credential configuration to + * Google APIs can compromise the security of your systems and data. For more information, refer + * to {@link documentation}. + * * @param credentialsStream the stream with the credential definition. * @param transportFactory HTTP transport factory, creates the transport used to get access * tokens. diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java index 4e570980a..2df5fc5cb 100644 --- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java @@ -154,13 +154,6 @@ public class ServiceAccountCredentials extends GoogleCredentials * Returns service account credentials defined by JSON using the format supported by the Google * Developers Console. * - *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an - * external source for authentication to Google Cloud Platform, you must validate it before - * providing it to any Google API or library. Providing an unvalidated credential configuration to - * Google APIs can compromise the security of your systems and data. For more information, refer - * to {@link documentation}. - * * @param json a map from the JSON representing the credentials. * @param transportFactory HTTP transport factory, creates the transport used to get access * tokens. @@ -453,6 +446,13 @@ static ServiceAccountCredentials fromPkcs8( * Returns credentials defined by a Service Account key file in JSON format from the Google * Developers Console. * + *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an + * external source for authentication to Google Cloud Platform, you must validate it before + * providing it to any Google API or library. Providing an unvalidated credential configuration to + * Google APIs can compromise the security of your systems and data. For more information, refer + * to {@link documentation}. + * * @param credentialsStream the stream with the credential definition. * @return the credential defined by the credentialsStream. * @throws IOException if the credential cannot be created from the stream. @@ -466,6 +466,13 @@ public static ServiceAccountCredentials fromStream(InputStream credentialsStream * Returns credentials defined by a Service Account key file in JSON format from the Google * Developers Console. * + *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an + * external source for authentication to Google Cloud Platform, you must validate it before + * providing it to any Google API or library. Providing an unvalidated credential configuration to + * Google APIs can compromise the security of your systems and data. For more information, refer + * to {@link documentation}. + * * @param credentialsStream the stream with the credential definition. * @param transportFactory HTTP transport factory, creates the transport used to get access * tokens. diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java index 6fc338405..efba6436a 100644 --- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java @@ -227,6 +227,13 @@ static ServiceAccountJwtAccessCredentials fromPkcs8( * Returns credentials defined by a Service Account key file in JSON format from the Google * Developers Console. * + *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an + * external source for authentication to Google Cloud Platform, you must validate it before + * providing it to any Google API or library. Providing an unvalidated credential configuration to + * Google APIs can compromise the security of your systems and data. For more information, refer + * to {@link documentation}. + * * @param credentialsStream the stream with the credential definition. * @return the credential defined by the credentialsStream. * @throws IOException if the credential cannot be created from the stream. @@ -240,6 +247,13 @@ public static ServiceAccountJwtAccessCredentials fromStream(InputStream credenti * Returns credentials defined by a Service Account key file in JSON format from the Google * Developers Console. * + *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an + * external source for authentication to Google Cloud Platform, you must validate it before + * providing it to any Google API or library. Providing an unvalidated credential configuration to + * Google APIs can compromise the security of your systems and data. For more information, refer + * to {@link documentation}. + * * @param credentialsStream the stream with the credential definition. * @param defaultAudience Audience to use if not provided by transport. May be null. * @return the credential defined by the credentialsStream. diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java index a2ba5a52d..ddabee800 100644 --- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java @@ -138,6 +138,13 @@ static UserCredentials fromJson(Map json, HttpTransportFactory t /** * Returns credentials defined by a JSON file stream using the format supported by the Cloud SDK. * + *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an + * external source for authentication to Google Cloud Platform, you must validate it before + * providing it to any Google API or library. Providing an unvalidated credential configuration to + * Google APIs can compromise the security of your systems and data. For more information, refer + * to {@link documentation}. + * * @param credentialsStream the stream with the credential definition. * @return the credential defined by the credentialsStream. * @throws IOException if the credential cannot be created from the stream. @@ -149,6 +156,13 @@ public static UserCredentials fromStream(InputStream credentialsStream) throws I /** * Returns credentials defined by a JSON file stream using the format supported by the Cloud SDK. * + *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an + * external source for authentication to Google Cloud Platform, you must validate it before + * providing it to any Google API or library. Providing an unvalidated credential configuration to + * Google APIs can compromise the security of your systems and data. For more information, refer + * to {@link documentation}. + * * @param credentialsStream the stream with the credential definition. * @param transportFactory HTTP transport factory, creates the transport used to get access * tokens. From 1862854dd362d0c6943fe24e35a0787997375ed6 Mon Sep 17 00:00:00 2001 From: Lawrence Qiu Date: Tue, 21 Jan 2025 15:31:03 -0500 Subject: [PATCH 4/4] chore: Remove warning from UserCredentials and ServiceAccounJwtAccessCredentials --- .../oauth2/ServiceAccountJwtAccessCredentials.java | 14 -------------- .../com/google/auth/oauth2/UserCredentials.java | 14 -------------- 2 files changed, 28 deletions(-) diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java index efba6436a..6fc338405 100644 --- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java @@ -227,13 +227,6 @@ static ServiceAccountJwtAccessCredentials fromPkcs8( * Returns credentials defined by a Service Account key file in JSON format from the Google * Developers Console. * - *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an - * external source for authentication to Google Cloud Platform, you must validate it before - * providing it to any Google API or library. Providing an unvalidated credential configuration to - * Google APIs can compromise the security of your systems and data. For more information, refer - * to {@link documentation}. - * * @param credentialsStream the stream with the credential definition. * @return the credential defined by the credentialsStream. * @throws IOException if the credential cannot be created from the stream. @@ -247,13 +240,6 @@ public static ServiceAccountJwtAccessCredentials fromStream(InputStream credenti * Returns credentials defined by a Service Account key file in JSON format from the Google * Developers Console. * - *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an - * external source for authentication to Google Cloud Platform, you must validate it before - * providing it to any Google API or library. Providing an unvalidated credential configuration to - * Google APIs can compromise the security of your systems and data. For more information, refer - * to {@link documentation}. - * * @param credentialsStream the stream with the credential definition. * @param defaultAudience Audience to use if not provided by transport. May be null. * @return the credential defined by the credentialsStream. diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java index ddabee800..a2ba5a52d 100644 --- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java @@ -138,13 +138,6 @@ static UserCredentials fromJson(Map json, HttpTransportFactory t /** * Returns credentials defined by a JSON file stream using the format supported by the Cloud SDK. * - *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an - * external source for authentication to Google Cloud Platform, you must validate it before - * providing it to any Google API or library. Providing an unvalidated credential configuration to - * Google APIs can compromise the security of your systems and data. For more information, refer - * to {@link documentation}. - * * @param credentialsStream the stream with the credential definition. * @return the credential defined by the credentialsStream. * @throws IOException if the credential cannot be created from the stream. @@ -156,13 +149,6 @@ public static UserCredentials fromStream(InputStream credentialsStream) throws I /** * Returns credentials defined by a JSON file stream using the format supported by the Cloud SDK. * - *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an - * external source for authentication to Google Cloud Platform, you must validate it before - * providing it to any Google API or library. Providing an unvalidated credential configuration to - * Google APIs can compromise the security of your systems and data. For more information, refer - * to {@link documentation}. - * * @param credentialsStream the stream with the credential definition. * @param transportFactory HTTP transport factory, creates the transport used to get access * tokens.
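Review bot: In PATCH 1/4, the README warning says an externally sourced credential configuration "must" be validated but gives no indication of what validation consists of, so a reader who does not follow the link has nothing to act on. Consider adding one sentence that summarises what to check, taken from the linked page. The subject line also reads "externally source credentials"; "externally sourced" would match the wording of the linked URL.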
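Review bot: In the Javadoc paragraphs added by PATCH 2/4 (and repeated in PATCH 3/4), the closing sentence reads `to {@link documentation}.` with no target visible. `{@link}` resolves program elements (a class or member), not web pages, so as shown this would render as an unresolved reference. Use an HTML anchor pointing at the same URL the README hunk uses, https://cloud.google.com/docs/authentication/external/externally-sourced-credentials, so the Javadoc and README warnings lead to the same place.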
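Review bot: In PATCH 3/4, the first ServiceAccountCredentials.java hunk (`@@ -154,13 +154,6 @@`) removes the warning from the method documented with `@param json a map from the JSON representing the credentials`, but the subject only says "Add warnings to all fromStream() calls". A JSON map can come from an external source just as a stream can, so either keep the warning on the map-based method or state in the commit message why it does not apply there.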
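Review bot: Across PATCH 3/4 the same warning paragraph is pasted verbatim into every `fromStream` overload, which means any later wording or link change has to be made in each copy and the copies can drift apart. Consider keeping the full text on `GoogleCredentials.fromStream(InputStream)` and having the other overloads carry a one-line pointer to it, or at least confirm there is a check that keeps the copies identical.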
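Review bot: PATCH 4/4 removes the warning from both `fromStream` overloads in ServiceAccountJwtAccessCredentials.java and UserCredentials.java one patch after it was added, and the commit message gives no reason. Both methods still take a caller-supplied `credentialsStream`, so a reader cannot tell from the series why these two classes are exempt. State the rationale in the commit message, and consider squashing PATCH 3/4 and 4/4 so the history does not show the warning being added and then dropped.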