Using new http API for token generation

hiranya911 · hiranya911 · commit c6dac084ec44 · 2018-06-20T15:53:40.000-07:00
diff --git a/src/auth/token-generator.ts b/src/auth/token-generator.ts
@@ -17,7 +17,7 @@
 import { FirebaseApp } from '../firebase-app';
 import {Certificate} from './credential';
 import {AuthClientErrorCode, FirebaseAuthError, FirebaseError} from '../utils/error';
-import { SignedApiRequestHandler } from '../utils/api-request';
+import { AuthorizedHttpClient, HttpError, HttpRequestConfig, HttpClient } from '../utils/api-request';
 
 import * as validator from '../utils/validator';
 import { toWebSafeBase64 } from '../utils';
@@ -80,79 +80,68 @@ export class ServiceAccountSigner implements CryptoSigner {
 }
 
 export class IAMSigner implements CryptoSigner {
-  private readonly requestHandler_: SignedApiRequestHandler;
-  private serviceAccountId_: string;
+  private readonly httpClient: AuthorizedHttpClient;
+  private serviceAccountId: string;
 
-  constructor(requestHandler: SignedApiRequestHandler, serviceAccountId?: string) {
-    if (!requestHandler) {
+  constructor(httpClient: AuthorizedHttpClient, serviceAccountId?: string) {
+    if (!httpClient) {
       throw new FirebaseAuthError(
-        AuthClientErrorCode.INVALID_CREDENTIAL,
-        'INTERNAL ASSERT: Must provide a request handler to initialize IAMSigner.',
+        AuthClientErrorCode.INVALID_ARGUMENT,
+        'INTERNAL ASSERT: Must provide a HTTP client to initialize IAMSigner.',
       );
     }
-    this.requestHandler_ = requestHandler;
-    this.serviceAccountId_ = serviceAccountId;
+    this.httpClient = httpClient;
+    this.serviceAccountId = serviceAccountId;
   }
 
   public sign(buffer: Buffer): Promise<Buffer> {
     return this.getAccount().then((serviceAccount) => {
-      const request = {bytesToSign: buffer.toString('base64')};
-      return this.requestHandler_.sendRequest(
-        'iam.googleapis.com',
-        443,
-        `/v1/projects/-/serviceAccounts/${serviceAccount}:signBlob`,
-        'POST',
-        request);
+      const request: HttpRequestConfig = {
+        method: 'POST',
+        url: `https://iam.googleapis.com/v1/projects/-/serviceAccounts/${serviceAccount}:signBlob`,
+        data: {bytesToSign: buffer.toString('base64')},
+      };
+      return this.httpClient.send(request);
     }).then((response: any) => {
       // Response from IAM is base64 encoded. Decode it into a buffer and return.
-      return new Buffer(response.signature, 'base64');
-    }).catch((response) => {
-      const error = (typeof response === 'object' && 'statusCode' in response) ?
-        response.error : response;
-      if (error instanceof FirebaseError) {
-        throw error;
-      }
-      let errorCode: string;
-      let errorMsg: string;
-      if (validator.isNonNullObject(error) && error.error) {
-        errorCode = error.error.status || null;
-        errorMsg = error.error.message || null;
+      return new Buffer(response.data.signature, 'base64');
+    }).catch((err) => {
+      if (err instanceof HttpError) {
+        const error = err.response.data;
+        let errorCode: string;
+        let errorMsg: string;
+        if (validator.isNonNullObject(error) && error.error) {
+          errorCode = error.error.status || null;
+          errorMsg = error.error.message || null;
+        }
+        throw FirebaseAuthError.fromServerError(errorCode, errorMsg, error);
       }
-      throw FirebaseAuthError.fromServerError(errorCode, errorMsg, error);
+      throw err;
     });
   }
 
   public getAccount(): Promise<string> {
-    if (validator.isNonEmptyString(this.serviceAccountId_)) {
-      return Promise.resolve(this.serviceAccountId_);
+    if (validator.isNonEmptyString(this.serviceAccountId)) {
+      return Promise.resolve(this.serviceAccountId);
     }
-    const options = {
+    const request: HttpRequestConfig = {
       method: 'GET',
-      host: 'metadata',
-      path: '/computeMetadata/v1/instance/service-accounts/default/email',
+      url: 'http://metadata/computeMetadata/v1/instance/service-accounts/default/email',
       headers: {
         'Metadata-Flavor': 'Google',
       },
     };
-    const http = require('http');
-    return new Promise((resolve, reject) => {
-      const req = http.request(options, (res) => {
-        const buffers: Buffer[] = [];
-        res.on('data', (buffer) => buffers.push(buffer));
-        res.on('end', () => {
-          this.serviceAccountId_ = Buffer.concat(buffers).toString();
-          resolve(this.serviceAccountId_);
-        });
-      });
-      req.on('error', (err) => {
-        reject(new FirebaseAuthError(
-          AuthClientErrorCode.INVALID_CREDENTIAL,
-          `Failed to determine service account: ${err.toString()}. Make sure to initialize ` +
-          `the SDK with a service account credential. Alternatively specify a service ` +
-          `account with iam.serviceAccounts.signBlob permission.`,
-        ));
-      });
-      req.end();
+    const client = new HttpClient();
+    return client.send(request).then((response) => {
+      this.serviceAccountId = response.text;
+      return this.serviceAccountId;
+    }).catch((err) => {
+      throw new FirebaseAuthError(
+        AuthClientErrorCode.INVALID_CREDENTIAL,
+        `Failed to determine service account: ${err.toString()}. Make sure to initialize ` +
+        `the SDK with a service account credential. Alternatively specify a service ` +
+        `account with iam.serviceAccounts.signBlob permission.`,
+      );
     });
   }
 }
@@ -162,7 +151,7 @@ export function signerFromApp(app: FirebaseApp): CryptoSigner {
   if (cert != null && validator.isNonEmptyString(cert.privateKey) && validator.isNonEmptyString(cert.clientEmail)) {
     return new ServiceAccountSigner(cert);
   }
-  return new IAMSigner(new SignedApiRequestHandler(app), app.options.serviceAccountId);
+  return new IAMSigner(new AuthorizedHttpClient(app), app.options.serviceAccountId);
 }
 
 /**
diff --git a/test/unit/auth/token-generator.spec.ts b/test/unit/auth/token-generator.spec.ts
@@ -26,10 +26,9 @@ import * as nock from 'nock';
 
 import * as mocks from '../../resources/mocks';
 import {FirebaseTokenGenerator, ServiceAccountSigner, IAMSigner} from '../../../src/auth/token-generator';
-import {FirebaseAuthError, AuthClientErrorCode} from '../../../src/utils/error';
 
 import {Certificate} from '../../../src/auth/credential';
-import { SignedApiRequestHandler, HttpRequestHandler } from '../../../src/utils/api-request';
+import { AuthorizedHttpClient, HttpClient } from '../../../src/utils/api-request';
 import { FirebaseApp } from '../../../src/firebase-app';
 import * as utils from '../utils';
 
@@ -111,11 +110,6 @@ describe('CryptoSigner', () => {
 
     before(() => {
       utils.mockFetchAccessTokenRequests(mockAccessToken);
-      nock('http://metadata')
-        .matchHeader('Metadata-Flavor', 'Google')
-        .persist()
-        .get('/computeMetadata/v1/instance/service-accounts/default/email')
-        .reply(200, 'discovered-service-account');
     });
 
     after(() => nock.cleanAll());
@@ -132,102 +126,115 @@ describe('CryptoSigner', () => {
       expect(() => {
         const anyIAMSigner: any = IAMSigner;
         return new anyIAMSigner();
-      }).to.throw('Must provide a request handler to initialize IAMSigner');
+      }).to.throw('Must provide a HTTP client to initialize IAMSigner');
     });
 
     describe('explicit service account', () => {
       const response = {signature: Buffer.from('testsignature').toString('base64')};
+      const input = Buffer.from('base64');
+      const signRequest = {
+        method: 'POST',
+        url: `https://iam.googleapis.com/v1/projects/-/serviceAccounts/test-service-account:signBlob`,
+        headers: {Authorization: `Bearer ${mockAccessToken}`},
+        data: {bytesToSign: input.toString('base64')},
+      };
       let stub: sinon.SinonStub;
 
       afterEach(() => {
         stub.restore();
       });
 
       it('should sign using the IAM service', () => {
-        stub = sinon.stub(HttpRequestHandler.prototype, 'sendRequest')
-          .returns(Promise.resolve(response));
-        const requestHandler = new SignedApiRequestHandler(mockApp);
+        const expectedResult = utils.responseFrom(response);
+        stub = sinon.stub(HttpClient.prototype, 'send').resolves(expectedResult);
+        const requestHandler = new AuthorizedHttpClient(mockApp);
         const signer = new IAMSigner(requestHandler, 'test-service-account');
-        const input = Buffer.from('base64');
         return signer.sign(input).then((signature) => {
           expect(signature.toString('base64')).to.equal(response.signature);
-          expect(stub).to.have.been.calledOnce.and.calledWith(
-            'iam.googleapis.com', 443,
-            '/v1/projects/-/serviceAccounts/test-service-account:signBlob',
-            'POST', {bytesToSign: input.toString('base64')},
-            {Authorization: `Bearer ${mockAccessToken}`}, undefined);
+          expect(stub).to.have.been.calledOnce.and.calledWith(signRequest);
         });
       });
 
       it('should fail if the IAM service responds with an error', () => {
-        stub = sinon.stub(HttpRequestHandler.prototype, 'sendRequest')
-          .throws({
-            statusCode: 500,
-            error: {error: {status: 'PROJECT_NOT_FOUND', message: 'test reason'}},
-          });
-        const requestHandler = new SignedApiRequestHandler(mockApp);
+        const expectedResult = utils.errorFrom({
+          error: {
+            status: 'PROJECT_NOT_FOUND',
+            message: 'test reason',
+          },
+        });
+        stub = sinon.stub(HttpClient.prototype, 'send').rejects(expectedResult);
+        const requestHandler = new AuthorizedHttpClient(mockApp);
         const signer = new IAMSigner(requestHandler, 'test-service-account');
-        const input = Buffer.from('base64');
         return signer.sign(input).catch((err) => {
           expect(err.message).to.equal('test reason');
-          expect(stub).to.have.been.calledOnce.and.calledWith(
-            'iam.googleapis.com', 443,
-            '/v1/projects/-/serviceAccounts/test-service-account:signBlob',
-            'POST', {bytesToSign: input.toString('base64')},
-            {Authorization: `Bearer ${mockAccessToken}`}, undefined);
+          expect(stub).to.have.been.calledOnce.and.calledWith(signRequest);
         });
       });
 
       it('should return the explicitly specified service account', () => {
-        const signer = new IAMSigner(new SignedApiRequestHandler(mockApp), 'test-service-account');
+        const signer = new IAMSigner(new AuthorizedHttpClient(mockApp), 'test-service-account');
         return signer.getAccount().should.eventually.equal('test-service-account');
       });
     });
 
     describe('auto discovered service account', () => {
       const input = Buffer.from('base64');
       const response = {signature: Buffer.from('testsignature').toString('base64')};
+      const metadataRequest = {
+        method: 'GET',
+        url: `http://metadata/computeMetadata/v1/instance/service-accounts/default/email`,
+        headers: {'Metadata-Flavor': 'Google'},
+      };
+      const signRequest = {
+        method: 'POST',
+        url: `https://iam.googleapis.com/v1/projects/-/serviceAccounts/discovered-service-account:signBlob`,
+        headers: {Authorization: `Bearer ${mockAccessToken}`},
+        data: {bytesToSign: input.toString('base64')},
+      };
       let stub: sinon.SinonStub;
 
       afterEach(() => {
         stub.restore();
       });
 
       it('should sign using the IAM service', () => {
-        stub = sinon.stub(HttpRequestHandler.prototype, 'sendRequest')
-          .returns(Promise.resolve(response));
-        const requestHandler = new SignedApiRequestHandler(mockApp);
+        stub = sinon.stub(HttpClient.prototype, 'send');
+        stub.onCall(0).resolves(utils.responseFrom('discovered-service-account'));
+        stub.onCall(1).resolves(utils.responseFrom(response));
+        const requestHandler = new AuthorizedHttpClient(mockApp);
         const signer = new IAMSigner(requestHandler);
         return signer.sign(input).then((signature) => {
           expect(signature.toString('base64')).to.equal(response.signature);
-          expect(stub).to.have.been.calledOnce.and.calledWith(
-            'iam.googleapis.com', 443,
-            '/v1/projects/-/serviceAccounts/discovered-service-account:signBlob',
-            'POST', {bytesToSign: input.toString('base64')},
-            {Authorization: `Bearer ${mockAccessToken}`}, undefined);
+          expect(stub).to.have.been.calledTwice;
+          expect(stub.getCall(0).args[0]).to.deep.equal(metadataRequest);
+          expect(stub.getCall(1).args[0]).to.deep.equal(signRequest);
         });
       });
 
       it('should fail if the IAM service responds with an error', () => {
-        stub = sinon.stub(HttpRequestHandler.prototype, 'sendRequest')
-          .throws({
-            statusCode: 500,
-            error: {error: {status: 'PROJECT_NOT_FOUND', message: 'test reason'}},
-          });
-        const requestHandler = new SignedApiRequestHandler(mockApp);
+        const expectedResult = {
+          error: {
+            status: 'PROJECT_NOT_FOUND',
+            message: 'test reason',
+          },
+        };
+        stub = sinon.stub(HttpClient.prototype, 'send');
+        stub.onCall(0).resolves(utils.responseFrom('discovered-service-account'));
+        stub.onCall(1).rejects(utils.errorFrom(expectedResult));
+        const requestHandler = new AuthorizedHttpClient(mockApp);
         const signer = new IAMSigner(requestHandler);
         return signer.sign(input).catch((err) => {
           expect(err.message).to.equal('test reason');
-          expect(stub).to.have.been.calledOnce.and.calledWith(
-            'iam.googleapis.com', 443,
-            '/v1/projects/-/serviceAccounts/discovered-service-account:signBlob',
-            'POST', {bytesToSign: input.toString('base64')},
-            {Authorization: `Bearer ${mockAccessToken}`}, undefined);
+          expect(stub).to.have.been.calledTwice;
+          expect(stub.getCall(0).args[0]).to.deep.equal(metadataRequest);
+          expect(stub.getCall(1).args[0]).to.deep.equal(signRequest);
         });
       });
 
       it('should return the discovered service account', () => {
-        const signer = new IAMSigner(new SignedApiRequestHandler(mockApp));
+        stub = sinon.stub(HttpClient.prototype, 'send');
+        stub.onCall(0).resolves(utils.responseFrom('discovered-service-account'));
+        const signer = new IAMSigner(new AuthorizedHttpClient(mockApp));
         return signer.getAccount().should.eventually.equal('discovered-service-account');
       });
     });
diff --git a/test/unit/utils.ts b/test/unit/utils.ts
@@ -71,17 +71,30 @@ export function generateRandomAccessToken(): string {
 /**
  * Creates a mock HTTP response from the given data and parameters.
  *
- * @param {*} data Data to be included in the response body.
+ * @param {object | string} data Data to be included in the response body.
  * @param {number=} status HTTP status code (defaults to 200).
  * @param {*=} headers HTTP headers to be included in the ersponse.
  * @returns {HttpResponse} An HTTP response object.
  */
-export function responseFrom(data: any, status: number = 200, headers: any = {}): HttpResponse {
+export function responseFrom(data: object | string, status: number = 200, headers: any = {}): HttpResponse {
+  let responseData: any;
+  let responseText: string;
+  if (typeof data === 'object') {
+    responseData = data;
+    responseText = JSON.stringify(data);
+  } else {
+    try {
+      responseData = JSON.parse(data);
+    } catch (error) {
+      responseData = null;
+    }
+    responseText = data as string;
+  }
   return {
     status,
     headers,
-    data,
-    text: JSON.stringify(data),
+    data: responseData,
+    text: responseText,
   };
 }
 
