Introducing Firebase Authentication module (spring-attic#2157)

* Firebase authentication principal extraction.
* starter
* sample app

Author: viniciusccarvalho

pom.xml

@@ -42,6 +42,7 @@
 		<module>spring-cloud-gcp-logging</module>
 		<module>spring-cloud-gcp-data-firestore</module>
 		<module>spring-cloud-gcp-bigquery</module>
+		<module>spring-cloud-gcp-security-firebase</module>
 	</modules>
 
 	<properties>

spring-cloud-gcp-autoconfigure/pom.xml

@@ -263,7 +263,13 @@
             <artifactId>spring-security-oauth2-resource-server</artifactId>
             <optional>true</optional>
         </dependency>
-				
+
+        <dependency>
+            <groupId>org.springframework.cloud</groupId>
+            <artifactId>spring-cloud-gcp-security-firebase</artifactId>
+            <optional>true</optional>
+        </dependency>
+
         <!-- Actuator -->
         <dependency>
             <groupId>org.springframework.boot</groupId>

spring-cloud-gcp-autoconfigure/src/main/java/org/springframework/cloud/gcp/autoconfigure/security/FirebaseAuthenticationAutoConfiguration.java

@@ -0,0 +1,90 @@
+/*
+ * Copyright 2020-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.gcp.autoconfigure.security;
+
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.springframework.boot.autoconfigure.AutoConfigureAfter;
+import org.springframework.boot.autoconfigure.AutoConfigureBefore;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.cloud.gcp.autoconfigure.core.GcpContextAutoConfiguration;
+import org.springframework.cloud.gcp.core.GcpProjectIdProvider;
+import org.springframework.cloud.gcp.security.firebase.FirebaseJwtTokenDecoder;
+import org.springframework.cloud.gcp.security.firebase.FirebaseTokenValidator;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.client.SimpleClientHttpRequestFactory;
+import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
+import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
+import org.springframework.web.client.RestOperations;
+import org.springframework.web.client.RestTemplate;
+
+/**
+ *
+ * @author Vinicius Carvalho
+ * @since 1.3
+ */
+@Configuration
+@ConditionalOnProperty(value = "spring.cloud.gcp.security.firebase.enabled", matchIfMissing = true)
+@AutoConfigureBefore(OAuth2ResourceServerAutoConfiguration.class)
+@AutoConfigureAfter(GcpContextAutoConfiguration.class)
+@EnableConfigurationProperties(FirebaseAuthenticationProperties.class)
+public class FirebaseAuthenticationAutoConfiguration {
+
+	private static final String ISSUER_TEMPLATE = "https://securetoken.google.com/%s";
+
+	@Bean
+	@ConditionalOnMissingBean(name = "firebaseJwtDelegatingValidator")
+	public DelegatingOAuth2TokenValidator<Jwt> firebaseJwtDelegatingValidator(JwtIssuerValidator jwtIssuerValidator, GcpProjectIdProvider gcpProjectIdProvider) {
+		List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
+		validators.add(new JwtTimestampValidator());
+		validators.add(jwtIssuerValidator);
+		validators.add(new FirebaseTokenValidator(gcpProjectIdProvider.getProjectId()));
+		return new DelegatingOAuth2TokenValidator<>(validators);
+	}
+
+	@Bean
+	@ConditionalOnMissingBean
+	public JwtDecoder firebaseAuthenticationJwtDecoder(
+			DelegatingOAuth2TokenValidator<Jwt> firebaseJwtDelegatingValidator,
+			FirebaseAuthenticationProperties properties) {
+		return new FirebaseJwtTokenDecoder(restOperations(), properties.getPublicKeysEndpoint(),
+				firebaseJwtDelegatingValidator);
+	}
+
+	@Bean
+	public JwtIssuerValidator jwtIssuerValidator(GcpProjectIdProvider gcpProjectIdProvider) {
+		return new JwtIssuerValidator(String.format(ISSUER_TEMPLATE, gcpProjectIdProvider.getProjectId()));
+	}
+
+	private RestOperations restOperations() {
+		SimpleClientHttpRequestFactory clientHttpRequestFactory = new SimpleClientHttpRequestFactory();
+		clientHttpRequestFactory.setConnectTimeout(5_000);
+		clientHttpRequestFactory.setReadTimeout(2_000);
+		return new RestTemplate(clientHttpRequestFactory);
+	}
+
+}

spring-cloud-gcp-autoconfigure/src/main/java/org/springframework/cloud/gcp/autoconfigure/security/FirebaseAuthenticationProperties.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright 2020-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.gcp.autoconfigure.security;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+/**
+ * Firebase Authentication application properties.
+ *
+ * @author Vinicius Carvalho
+ * @since 1.3
+ */
+@ConfigurationProperties("spring.cloud.gcp.security.firebase")
+public class FirebaseAuthenticationProperties {
+
+	/**
+	 * Link to Google's public endpoint containing Firebase public keys.
+	 */
+	private String publicKeysEndpoint = "https://www.googleapis.com/robot/v1/metadata/x509/[email protected]";
+
+
+	public String getPublicKeysEndpoint() {
+		return publicKeysEndpoint;
+	}
+
+	public void setPublicKeysEndpoint(String publicKeysEndpoint) {
+		this.publicKeysEndpoint = publicKeysEndpoint;
+	}
+}

spring-cloud-gcp-autoconfigure/src/main/resources/META-INF/spring.factories

@@ -14,6 +14,7 @@ org.springframework.cloud.gcp.autoconfigure.trace.StackdriverTraceAutoConfigurat
 org.springframework.cloud.gcp.autoconfigure.datastore.DatastoreRepositoriesAutoConfiguration,\
 org.springframework.cloud.gcp.autoconfigure.spanner.SpannerRepositoriesAutoConfiguration,\
 org.springframework.cloud.gcp.autoconfigure.security.IapAuthenticationAutoConfiguration,\
+org.springframework.cloud.gcp.autoconfigure.security.FirebaseAuthenticationAutoConfiguration,\
 org.springframework.cloud.gcp.autoconfigure.vision.CloudVisionAutoConfiguration,\
 org.springframework.cloud.gcp.autoconfigure.datastore.GcpDatastoreEmulatorAutoConfiguration,\
 org.springframework.cloud.gcp.autoconfigure.bigquery.GcpBigQueryAutoConfiguration,\

spring-cloud-gcp-autoconfigure/src/test/java/org/springframework/cloud/gcp/autoconfigure/security/FirebaseAuthenticationAutoConfigurationTests.java

@@ -0,0 +1,81 @@
+/*
+ * Copyright 2017-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.gcp.autoconfigure.security;
+
+import com.google.api.gax.core.CredentialsProvider;
+import com.google.auth.Credentials;
+import org.junit.Test;
+
+import org.springframework.beans.factory.NoSuchBeanDefinitionException;
+import org.springframework.boot.autoconfigure.AutoConfigurations;
+import org.springframework.boot.test.context.runner.ApplicationContextRunner;
+import org.springframework.cloud.gcp.core.GcpProjectIdProvider;
+import org.springframework.cloud.gcp.security.firebase.FirebaseJwtTokenDecoder;
+import org.springframework.context.annotation.Bean;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.mockito.Mockito.mock;
+
+
+/**
+ * @author Vinicius Carvalho
+ * @since 1.3
+ */
+public class FirebaseAuthenticationAutoConfigurationTests {
+
+	private ApplicationContextRunner contextRunner = new ApplicationContextRunner()
+			.withConfiguration(
+					AutoConfigurations.of(FirebaseAuthenticationAutoConfiguration.class, TestConfig.class));
+
+	@Test
+	public void testAutoConfigurationLoaded() throws Exception {
+		this.contextRunner
+				.withPropertyValues("spring.cloud.gcp.security.firebase.enabled=true")
+				.run(context -> {
+					FirebaseJwtTokenDecoder decoder = context.getBean(FirebaseJwtTokenDecoder.class);
+					assertThat(decoder).isNotNull();
+				});
+	}
+
+	@Test
+	public void testAutoConfigurationNotLoaded() throws Exception {
+		this.contextRunner
+				.withPropertyValues("spring.cloud.gcp.security.firebase.enabled=false")
+				.run(context -> {
+					assertThatExceptionOfType(NoSuchBeanDefinitionException.class)
+							.isThrownBy(() -> context.getBean(FirebaseJwtTokenDecoder.class));
+				});
+	}
+
+
+
+	static class TestConfig {
+
+		@Bean
+		public GcpProjectIdProvider projectIdProvider() {
+			return () -> "spring-firebase-test-project";
+		}
+
+		@Bean
+		public CredentialsProvider googleCredentials() {
+			return () -> mock(Credentials.class);
+		}
+
+	}
+
+}

spring-cloud-gcp-dependencies/pom.xml

@@ -94,6 +94,11 @@
 				<artifactId>spring-cloud-gcp-bigquery</artifactId>
 				<version>${project.version}</version>
 			</dependency>
+			<dependency>
+				<groupId>org.springframework.cloud</groupId>
+				<artifactId>spring-cloud-gcp-security-firebase</artifactId>
+				<version>${project.version}</version>
+			</dependency>
 
 			<!--Starters-->
 			<dependency>
@@ -166,6 +171,11 @@
 				<artifactId>spring-cloud-gcp-starter-security-iap</artifactId>
 				<version>${project.version}</version>
 			</dependency>
+			<dependency>
+				<groupId>org.springframework.cloud</groupId>
+				<artifactId>spring-cloud-gcp-starter-security-firebase</artifactId>
+				<version>${project.version}</version>
+			</dependency>
 			<dependency>
 				<groupId>org.springframework.cloud</groupId>
 				<artifactId>spring-cloud-gcp-starter-vision</artifactId>

spring-cloud-gcp-samples/pom.xml

@@ -50,6 +50,7 @@
 		<module>spring-cloud-gcp-data-firestore-sample</module>
 		<module>spring-cloud-gcp-bigquery-sample</module>
 		<module>spring-cloud-gcp-pubsub-stream-binder-functional-sample</module>
+		<module>spring-cloud-gcp-security-firebase-sample</module>
 	</modules>
 
 	<!-- Checkstyle on samples invoked during CI or manually when running locally. -->

spring-cloud-gcp-samples/spring-cloud-gcp-security-firebase-sample/README.adoc

@@ -0,0 +1,49 @@
+= Spring Cloud GCP Firebase Authentication Sample application
+
+This sample application demonstrates how to use link:../../spring-cloud-gcp-starters/spring-cloud-gcp-starter-security-firebase[Spring Cloud GCP Firebase Authentication Starter] to extract user identity from a signed https://firebase.google.com/[Firebase] JWT token.
+
+The application provides a secured controller that can only be reached if a valid JWT token is sent as an HTTP Header.
+
+This sample app provides simple login page using https://github.com/firebase/firebaseui-web[firebase-ui] to fetch the JWT token.
+
+== Pre requisites
+
+1. Create a new firebase project as instructed https://firebase.google.com/docs/web/setup[here]
+2. Once you finish the process make sure you configure the following environment variables before running the app:
+    a. FIREBASE_CONFIG_API_KEY: Should be your "apiKey" value
+    b. FIREBASE_CONFIG_APP_ID: Should be your "appId" value
+3. Make sure that you are authenticated with `gcloud` and you have set the correct `projectId` to be the same project as your Firebase project.
+This app uses default login and will rely on that to extract the `projectId` using the `GcpProjectIdProvider`
+4. Go to your Firebase project, select the web application you have created and enable two providers: `Google` and `email`
+5. (Optional) : You can add a few users to try this out if you rather not use the Google Provider authentication
+
+== Running
+
+`Make sure you executed steps 2 & 3 from prerequisites section`
+
+----
+$ ./mvnw clean spring-boot:run
+----
+
+Open your browser at http://localhost:8080
+
+There's a single page app with an `ask` button, if you try to click it you should get an error message.
+
+Also try to access the secure endpoint via curl:
+
+----
+curl http://localhost:8080/answer
+----
+
+You should get a 403 error.
+
+Now login using the button at the top right corner. You can choose between using a valid Google credential, or a user you have added via the Firebase authentication users menu.
+
+Once you are logged in, you should see a panel with the `curl` command.
+
+Try clicking the button again.
+
+You can also copy the `curl` command and execute it now on your console and you should be able to access the endpoint.
+
+
+

spring-cloud-gcp-samples/spring-cloud-gcp-security-firebase-sample/pom.xml

@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+    <parent>
+        <!-- Your own application should inherit from spring-boot-starter-parent -->
+        <artifactId>spring-cloud-gcp-samples</artifactId>
+        <groupId>org.springframework.cloud</groupId>
+        <version>1.3.0.BUILD-SNAPSHOT</version>
+    </parent>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+        <java.version>1.8</java.version>
+    </properties>
+
+    <modelVersion>4.0.0</modelVersion>
+    <name>Spring Cloud GCP Security Firebase Sample</name>
+    <description>Spring Cloud Firebase Security Sample</description>
+    <artifactId>spring-cloud-gcp-security-firebase-sample</artifactId>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.springframework.cloud</groupId>
+                <artifactId>spring-cloud-gcp-dependencies</artifactId>
+                <version>${project.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-freemarker</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.cloud</groupId>
+            <artifactId>spring-cloud-gcp-starter-security-firebase</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>