feat: Add the generated ClientSideAccessBoundaryProto class for the Client-Side CAB feature #1571
Conversation
|
Will move the generated code to the new package #1562 creates |
huangjiahua
force-pushed
the
main
branch
3 times, most recently
from
a8a5a97 to
cefb612
Compare
|
Moved to the new package. Ready for review |
| // Generated by the protocol buffer compiler. DO NOT EDIT! | ||
| // source: client_side_access_boundary.proto |
There was a problem hiding this comment.
How we plan on on keeping this up to date? Where does this client_side_access_boundary.proto file live and how does it get updated?
There was a problem hiding this comment.
I got the suggestion from @aeitzman to manually generate this class first and not include the source proto file for now. We do have a task to figure out a way to automate the protobuf workflow later in the project.
There was a problem hiding this comment.
The proto lives in google3 right now, and we do not expect it to get updated very often. For context, the credential access boundary definition used by the existing online cab feature is also based off a Google3 protobuf file, and has not changed since launch in 2021.
There was a problem hiding this comment.
We do have a task to figure out a way to automate the protobuf workflow later in the project.
Sure, I think that's fine for now to unblock development.
Regarding this generated file, was this generated with an older Protoc version? I think the later versions have a comment that describes the protoc version (i.e. // Protobuf Java Version: 3.25.5). If so, can we generate this with Protoc 25.5?
There was a problem hiding this comment.
The proto lives in google3 right now, and we do not expect it to get updated very often
Agree that this is fine for now to unblock the development. But I want to emphasize that introducing a new dependency protobuf-java in auth and a protoc gen code without a .proto file will cause frictions to the overall protobuf maintenance strategy in Java Client Libraries. Even if the content do not update at all, we may need to regenerate it with a newer version of protoc due to compatibility issues.
For example, if we want to upgrade protobuf-java to a version that is not compatible with 3.25.5 gen code anymore, we would need to manually regenerate this file from somewhere.
That being said, we have a lot of experience in automating proto generation process, please let us know when you start the task, it would be great if it can be integrated into our existing client library generation process.
|
pom.xml
Outdated
| @@ -77,6 +77,8 @@ | |||
| <project.findbugs.version>3.0.2</project.findbugs.version> | |||
| <deploy.autorelease>false</deploy.autorelease> | |||
| <project.error-prone.version>2.35.1</project.error-prone.version> | |||
| <project.protobuf.version>4.28.3</project.protobuf.version> | |||
There was a problem hiding this comment.
The Java SDK protos are generated with Protoc 25.5. Libraries-Bom will set the Protobuf-Java runtime version to 4.28.3. I think this should be 3.25.5 since this is part of the BOM.
There was a problem hiding this comment.
Actually downgrading it to 3.25.5 causes RequireUpperBoundDeps issue since CEL depends on 4.28.2:
[ERROR] Rule 2: org.apache.maven.enforcer.rules.dependency.RequireUpperBoundDeps failed with message:
[ERROR] Failed while enforcing RequireUpperBoundDeps. The error(s) are [
[ERROR] Require upper bound dependencies error for com.google.protobuf:protobuf-java:3.25.5 paths to dependency are:
[ERROR] +-com.google.auth:cab-token-generator:1.29.1-SNAPSHOT
[ERROR] +-com.google.protobuf:protobuf-java:3.25.5
[ERROR] and
[ERROR] +-com.google.auth:cab-token-generator:1.29.1-SNAPSHOT
[ERROR] +-dev.cel:cel:0.8.0
[ERROR] +-com.google.protobuf:protobuf-java:3.25.5 (managed) <-- com.google.protobuf:protobuf-java:4.28.2
[ERROR] and
[ERROR] +-com.google.auth:cab-token-generator:1.29.1-SNAPSHOT
[ERROR] +-dev.cel:cel:0.8.0
[ERROR] +-com.google.protobuf:protobuf-java-util:4.28.2
[ERROR] +-com.google.protobuf:protobuf-java:3.25.5 (managed) <-- com.google.protobuf:protobuf-java:4.28.2
[ERROR] ]
Would you be able to share the build issues? I'm curious what the issues are cause off the top of my mind, I don't think we need to exclude them |
Sure, let me reproduce the errors. If we don't exclude If we don't exclude |
|
Took a look at the logs above. I'm not entirely sure why CEL is bringing in findbugs-annotations instead of findbug-jsr305. Either way, I think that should be fine to ignore since we don't depend on it in the auth library at all. For Guava, I think the issue is due to the guava flavor. It looks to be treating guava-android and guava-jre as two different versions and can't tell that they're actually the same version. I think we are also fine to exclude this. I'll do a bit more digging to confirm this. If the above is confirmed, a few small comments to explain the exclusion would be great |
huangjiahua
force-pushed
the
main
branch
2 times, most recently
from
d1b7682 to
3ce542a
Compare
I added a comment here. I also added the protobuf to the exclusion list because CEL is using 4.28.2 which will trigger |
| @@ -77,6 +77,8 @@ | |||
| <project.findbugs.version>3.0.2</project.findbugs.version> | |||
| <deploy.autorelease>false</deploy.autorelease> | |||
| <project.error-prone.version>2.35.1</project.error-prone.version> | |||
| <project.protobuf.version>3.25.5</project.protobuf.version> | |||
There was a problem hiding this comment.
Thanks, I will need to double check this because I know CEL brings in Protobuf-Java 4.x.
I just need to confirm compatibility. I'll coordinate with CEL and confirm.
Are we making a grpc call or rest call? If it is not a grpc call, I don't think we have to introduce the proto gen code into auth. Especially at the cost of maintaining a new |
The proto here is not for grpc call. This proto is for serializing the CAB restriction for the CAB token generation, so protobuf is still required. |
If that's the case, I don't think protobuf is required. We can use Gson for serialization as well. |
@blakeli0 Does Gson support serializing to protobuf wire format? I couldn't find any documentation on this use case. |
I might be missing some context. If it is not used for making gRPC calls, why do we have to serialize it to protobuf wire format? |
Yeah, I should've included the context: The client-side CAB token is designed to include an encrypted protobuf wired format. One of the reasons the token need to be a protobuf wired format is because it needs to carry a compiled CEL expression in AST format. The server will need to verify the token using the same protobuf. More on go/client-side-cab-design-doc. |
I see, that makes sense. It might be too late to change the design, why does it have to be protobuf wired format? Can JSON format suffice? I think all other types of tokens are sent as Strings directly through rest calls. |
…t-Side CAB feature. Change-Id: Ic7ef3cbd80b2ad778d61b9ccabf780561d3cc709
…ality (#1629) * feat: Implement ClientSideCredentialAccessBoundaryFactory (#1562) * feat: Implement ClientSideCredentialAccessBoundaryFactory.refreshCredentials() Set up the ClientSideCredentialAccessBoundaryFactory class and module. Implement the function to fetch and refresh intermediary tokens from STS. * feat: Add the generated ClientSideAccessBoundaryProto class for Client-Side CAB feature. (#1571) Change-Id: Ic7ef3cbd80b2ad778d61b9ccabf780561d3cc709 * feat: Implement refreshCredentialsIfRequired for intermediate token r… (#1583) * feat: Implement refreshCredentialsIfRequired for intermediate token refresh Implement `refreshCredentialsIfRequired`, called by `generateToken()`, to handle token refresh. It uses `refreshMargin` and `minimumTokenLifetime` to decide on synchronous or asynchronous refresh * Add unit tests for the builder and refreshCredentials() * Improve concurrency handling during credential refresh. Introduced a refresh task to manage concurrent refresh requests, preventing redundant attempts and potential race conditions. This aligns the refresh mechanism with the pattern used in OAuth2Credentials and ensures more robust credential management. * Update existing unit tests for compatibility and readability. * Add unit tests for refreshCredentialsIfRequired. * Fix a merge issue. * Temporary add sonatype-snapshots repository and cel version to fix the build error. * Remove duplicated code. * Fix lint issue. * Fix: Propagate credential refresh exceptions in blocking refresh. * Change cel version * Change cel version * Add jsr305 dependency * Fix Javadoc error * Minor code readability enhancements. * Revert "Fix Javadoc error" This reverts commit 2157fdb. * Address comments (add javadoc and use assertThrows in tests) * Run format script * feat: Implement Client-Side CAB token generation. (#1598) * feat: Implement Client-Side CAB token generation. Change-Id: I2c217656584cf5805297f02340cbbabca471f609 * Use IllegalStateException(String, Throwable) to capture upstream exception during Tink initialization Change-Id: I12af5b84eae4dcec5865adfdad1f9396d54c0200 * Rethrow exceptions from tink and CEL Change-Id: If8c94c786ee39201029d9c27856fd2eafb61e51c * Add tests for invalid keys from upstream, and rename test cases. Change-Id: Ib41cb81c779534fc6efd74d66bf4728efd743906 * Add additional throws comment for generatToken method. Change-Id: I9cfc589ade8a91040fc9c447740493fd49e392af * Refactor tests for better readability. Change-Id: Icfd0bc24c1694f220bcbffc6cde41462c59119c4 * Catch and rethrow the exception of session key not being base64 encoded. Change-Id: I5fa0c25fe020e9612735e4ac5df2b85a2a5aab11 * Format the code using mvn com.coveo:fmt-maven-plugin:format. Change-Id: I46572488dcd28de450a6b1b2f732bee5baa86910 * Fix a typo in the javadoc comment. Change-Id: Icef9ef5f7c3567224ec507303543b78e61f43ec1 * chore: Update version tag in cab-token-generator pom.xml This commit updates the version tag in the pom.xml file. * feat: Add integration test for the client side cab * Remove volatile keyword and use refreshLock when reading intermediateCredentials. * Define new default values for refreshMargin and minimumTokenLifetime. * Update version in pom.xml * Run formatter to resolve lint errors * add missing dependency * Swap the assertEquals parameters so the expected value is first. * Docs: Added javadocs Improvements: Cleaned up code, resolved readability enhancements --------- Co-authored-by: Jiahua Huang <[email protected]> Co-authored-by: aeitzman <[email protected]>
See: go/client-side-cab-client-library-java
This PR introduces the
ClientSideAccessBoundaryProtoProtobuf Java class, necessary for serializing the Client-Side Access Boundary (CAB) token. Following the Auth SDK team's recommendation, the Protobuf definition itself isn't included in the repository, as it's anticipated to remain stable.To support this generated class and the Client-Side CAB functionality, two new dependencies,
protobufandcel, have been added to thecab-token-generatorpackage.To address Maven build issues, I've excluded
findbugsandguavafrom the cel dependency.Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly: