From 8bc6814b42863a2a315e0098504b84fbe15f12d2 Mon Sep 17 00:00:00 2001
From: Jay Lee
Date: Thu, 6 Apr 2023 09:36:23 +0000
Subject: [PATCH] Use TLS 1.2 for SignJWT
---
 src/gam/__init__.py | 8 +++++---
 src/gam/auth/signjwt.py | 11 ++++++++++-
 src/gam/var.py | 2 +-
 src/requirements.txt | 2 +-
 4 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/src/gam/__init__.py b/src/gam/__init__.py
index bd2fc975..4f83b647 100755
--- a/src/gam/__init__.py
+++ b/src/gam/__init__.py
@@ -7195,8 +7195,10 @@ def enable_apis():
 controlflow.invalid_argument_exit(sys.argv[i], 'gam enable apis')
 GAMProjectAPIs = getGAMProjectFile('project-apis.txt').splitlines()
+ request = signjwt.get_request()
 try:
- _, projectId = google.auth.default()
+ _, projectId = google.auth.default(scopes=signjwt._IAM_SCOPES,
+ request=request)
 except google.auth.exceptions.DefaultCredentialsError as e:
 projectId = input('Please enter your project ID: ')
 while a_or_m not in ['a', 'm']:
@@ -7962,9 +7964,9 @@ def create_signjwt_serviceaccount():
 'key_type': 'signjwt',
 'token_uri': 'https://oauth2.googleapis.com/token'
 }
- request = transport.create_request()
+ request = signjwt.get_request()
 try:
- creds, sa_info['project_id'] = google.auth.default(scopes=['https://www.googleapis.com/auth/iam'],
+ creds, sa_info['project_id'] = google.auth.default(scopes=signjwt._IAM_SCOPES,
 request=request)
 except google.auth.exceptions.DefaultCredentialsError as e:
 controlflow.system_error_exit(2, e)
diff --git a/src/gam/auth/signjwt.py b/src/gam/auth/signjwt.py
index c26557f3..4658f055 100644
--- a/src/gam/auth/signjwt.py
+++ b/src/gam/auth/signjwt.py
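Review bot: Both hunks in __init__.py reach into `signjwt._IAM_SCOPES`, a name whose leading underscore marks it as private to signjwt.py, so enable_apis and create_signjwt_serviceaccount now depend on another module's private detail. Either rename it `IAM_SCOPES` in signjwt.py and update the three call sites (the third is `sign` in signjwt.py), or keep the constant private and add a small public accessor next to `get_request()`. The visible line count of the first hunk is one short of its `-7195,8 +7195,10` header, so a context line appears to have been lost in this copy; the code itself is unaffected. Both enclosing functions start and end outside their hunks.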
@@ -14,6 +14,13 @@ from gam.var import GM_Globals, GM_CACHE_DIR
 _DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds
 _GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
+_IAM_SCOPES = ['https://www.googleapis.com/auth/iam']
+
+# Some Workforce Identity Federation endpoints such as GitHub Actions
+# only allow TLS 1.2 as of April 2023.
+def get_request():
+ httpc = transport.create_http(override_min_tls='TLSv1_2')
+ return transport.create_request(httpc)
 class JWTCredentials(google.auth.jwt.Credentials):
@@ -73,8 +80,10 @@ class SignJwt(google.auth.crypt.Signer):
 def sign(self, message):
 ''' Call IAM Credentials SignJWT API to get our signed JWT '''
+ request = get_request()
 try:
- credentials, _ = google.auth.default(scopes=['https://www.googleapis.com/auth/iam'])
+ credentials, _ = google.auth.default(scopes=_IAM_SCOPES,
+ request=request)
 except google.auth.exceptions.DefaultCredentialsError as e:
 controlflow.system_error_exit(2, e)
 httpObj = transport.AuthorizedHttp(
diff --git a/src/gam/var.py b/src/gam/var.py
index bb39b58d..7ee2e14a 100644
--- a/src/gam/var.py
+++ b/src/gam/var.py
@@ -1347,7 +1347,7 @@ GC_TLS_MAX_VERSION = 'tls_max_ver'
 # Path to certificate authority file for validating TLS hosts
 GC_CA_FILE = 'ca_file'
-TLS_MIN = 'TLSv1_3' if hasattr(ssl.SSLContext(), 'minimum_version') else None
+TLS_MIN = 'TLSv1_3'
 GC_Defaults = {
 GC_ADMIN_EMAIL: '',
 GC_AUTO_BATCH_MIN: 0,
diff --git a/src/requirements.txt b/src/requirements.txt
index a3ba3788..9c35b05d 100644
--- a/src/requirements.txt
+++ b/src/requirements.txt
@@ -4,7 +4,7 @@ filelock
 google-api-python-client>=2.1
 google-auth-httplib2
 google-auth-oauthlib>=0.4.1
-google-auth[reauth]>=2.3.2
+google-auth>=2.3.2
 httplib2>=0.17.0
 passlib>=1.7.2
 pathvalidate
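Review bot: `get_request()` hard-codes `override_min_tls='TLSv1_2'`, and because every `google.auth.default()` call touched by this commit (`sign` below, and both hunks in __init__.py) now passes its request, the TLS 1.2 floor applies to every credential lookup, not only to the Workforce Identity Federation endpoints the comment names, while var.py's `TLS_MIN` default stays at 'TLSv1_3'. The function has no docstring; it should state that scope and the reason, e.g. `"""Return a google.auth request whose transport accepts TLS 1.2 (below the TLS_MIN default) because some WIF token endpoints, such as GitHub Actions, do not offer TLS 1.3."""`, and the "as of April 2023" remark is better kept as `# TODO: revisit once these endpoints support TLS 1.3` so the relaxation is re-examined. Whether `override_min_tls` also affects the configured CA file or maximum version depends on transport.create_http, which is outside this diff. The body of `sign` continues past the end of its hunk, and the `+14,13` header implies blank context lines that this copy of the hunk has lost.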
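Review bot: The new `TLS_MIN = 'TLSv1_3'` drops the `hasattr(ssl.SSLContext(), 'minimum_version')` fallback to None, so on an ssl module that lacks `SSLContext.minimum_version` whatever consumes TLS_MIN now receives a version string it presumably cannot apply instead of None. If every Python version the project supports provides that attribute this is a harmless simplification, and a comment such as `# SSLContext.minimum_version exists on all supported Python versions` would record the assumption next to the constant. The `ssl` import that the removed expression used may now be unused in var.py, which cannot be checked from this hunk.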
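Review bot: Dropping the `[reauth]` extra from the `google-auth` requirement is not mentioned in the commit message, which only describes the TLS 1.2 change for SignJWT, so a reader cannot tell whether it is intentional. As far as I recall that extra pulls in the optional dependency google-auth uses for reauthentication challenges, so removing it can change interactive login behaviour for users who relied on it. Either restore `google-auth[reauth]>=2.3.2` or state the reason for the removal in the commit message.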