Use TLS 1.2 for SignJWT
@@ -7195,8 +7195,10 @@ def enable_apis():
|
|||||||
controlflow.invalid_argument_exit(sys.argv[i],
|
controlflow.invalid_argument_exit(sys.argv[i],
|
||||||
'gam enable apis')
|
'gam enable apis')
|
||||||
GAMProjectAPIs = getGAMProjectFile('project-apis.txt').splitlines()
|
GAMProjectAPIs = getGAMProjectFile('project-apis.txt').splitlines()
|
||||||
|
request = signjwt.get_request()
|
||||||
try:
|
try:
|
||||||
_, projectId = google.auth.default()
|
_, projectId = google.auth.default(scopes=signjwt._IAM_SCOPES,
|
||||||
|
request=request)
|
||||||
except google.auth.exceptions.DefaultCredentialsError as e:
|
except google.auth.exceptions.DefaultCredentialsError as e:
|
||||||
projectId = input('Please enter your project ID: ')
|
projectId = input('Please enter your project ID: ')
|
||||||
while a_or_m not in ['a', 'm']:
|
while a_or_m not in ['a', 'm']:
|
||||||
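Review bot: `_, projectId = google.auth.default(scopes=signjwt._IAM_SCOPES, request=request)` only falls back to the interactive prompt on `DefaultCredentialsError`; `google.auth.default()` may also succeed yet return `None` for the project (credentials without an associated project), and the new code then carries on with `projectId = None`. The fallback should cover that case too, e.g. after the `try`/`except`: `if not projectId: projectId = input('Please enter your project ID: ')`. Separately, `signjwt._IAM_SCOPES` is an underscore-private name of another module; giving it a public name (`IAM_SCOPES`) would match the cross-module use this commit introduces here and in `create_signjwt_serviceaccount`. `enable_apis` continues outside the hunk.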
@@ -7962,9 +7964,9 @@ def create_signjwt_serviceaccount():
|
|||||||
'key_type': 'signjwt',
|
'key_type': 'signjwt',
|
||||||
'token_uri': 'https://oauth2.googleapis.com/token'
|
'token_uri': 'https://oauth2.googleapis.com/token'
|
||||||
}
|
}
|
||||||
request = transport.create_request()
|
request = signjwt.get_request()
|
||||||
try:
|
try:
|
||||||
creds, sa_info['project_id'] = google.auth.default(scopes=['https://www.googleapis.com/auth/iam'],
|
creds, sa_info['project_id'] = google.auth.default(scopes=signjwt._IAM_SCOPES,
|
||||||
request=request)
|
request=request)
|
||||||
except google.auth.exceptions.DefaultCredentialsError as e:
|
except google.auth.exceptions.DefaultCredentialsError as e:
|
||||||
controlflow.system_error_exit(2, e)
|
controlflow.system_error_exit(2, e)
|
||||||
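Review bot: `creds, sa_info['project_id'] = google.auth.default(...)` writes the project straight into the service-account record but only exits on `DefaultCredentialsError`; if ADC resolves without a project (the call may return `None` there), `sa_info['project_id']` is `None` and the record is built anyway. A guard after the `except`, `if not sa_info['project_id']: controlflow.system_error_exit(2, 'Could not determine project ID from default credentials')`, would fail early with a clear message instead of a confusing IAM error later. `creds` is assigned here but not used within the hunk; presumably it is consumed further down, where `create_signjwt_serviceaccount` continues outside the hunk.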
|
|||||||
@@ -14,6 +14,13 @@ from gam.var import GM_Globals, GM_CACHE_DIR
|
|||||||
|
|
||||||
_DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds
|
_DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds
|
||||||
_GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
|
_GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
|
||||||
|
_IAM_SCOPES = ['https://www.googleapis.com/auth/iam']
|
||||||
|
|
||||||
|
# Some Workforce Identity Federation endpoints such as GitHub Actions
|
||||||
|
# only allow TLS 1.2 as of April 2023.
|
||||||
|
def get_request():
|
||||||
|
httpc = transport.create_http(override_min_tls='TLSv1_2')
|
||||||
|
return transport.create_request(httpc)
|
||||||
|
|
||||||
|
|
||||||
class JWTCredentials(google.auth.jwt.Credentials):
|
class JWTCredentials(google.auth.jwt.Credentials):
|
||||||
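Review bot: `get_request()` lowers the TLS floor from the project default (`TLS_MIN = 'TLSv1_3'` in var.py) to TLS 1.2 for every caller, not only for the Workforce Identity Federation token exchange the comment cites — the same request object is handed to `google.auth.default()` and, via `sign()`, to the IAM Credentials SignJWT path. The parameter name `override_min_tls` suggests a floor rather than a pin, so TLS 1.3 should still be negotiated with endpoints that offer it, but that and the dated rationale belong in a docstring rather than a two-line comment, e.g. `"""Return a transport request with a TLS 1.2 floor (project default is 1.3). Some Workforce Identity Federation endpoints such as GitHub Actions did not negotiate TLS 1.3 as of April 2023; revisit when they do."""`. Whether `override_min_tls` also overrides an explicit `tls_min_ver` a user set in gam.cfg cannot be seen from this hunk — confirm that a user-configured floor is not silently lowered.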
@@ -73,8 +80,10 @@ class SignJwt(google.auth.crypt.Signer):
|
|||||||
|
|
||||||
def sign(self, message):
|
def sign(self, message):
|
||||||
''' Call IAM Credentials SignJWT API to get our signed JWT '''
|
''' Call IAM Credentials SignJWT API to get our signed JWT '''
|
||||||
|
request = get_request()
|
||||||
try:
|
try:
|
||||||
credentials, _ = google.auth.default(scopes=['https://www.googleapis.com/auth/iam'])
|
credentials, _ = google.auth.default(scopes=_IAM_SCOPES,
|
||||||
|
request=request)
|
||||||
except google.auth.exceptions.DefaultCredentialsError as e:
|
except google.auth.exceptions.DefaultCredentialsError as e:
|
||||||
controlflow.system_error_exit(2, e)
|
controlflow.system_error_exit(2, e)
|
||||||
httpObj = transport.AuthorizedHttp(
|
httpObj = transport.AuthorizedHttp(
|
||||||
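Review bot: `sign()` now builds a fresh `Http` via `get_request()` and re-resolves Application Default Credentials on every call, so each JWT signed costs an ADC lookup (and, on GCE, a metadata request); resolving the credentials once in `__init__` or caching them on the instance would avoid repeating that per signature. Also, `httpObj = transport.AuthorizedHttp(` on the last line is cut off by the hunk — if it is constructed with its own default http rather than the TLS-1.2 one behind `request`, the actual SignJWT call would not receive the override this commit is about; confirm. `sign` continues outside the hunk.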
|
|||||||
@@ -1347,7 +1347,7 @@ GC_TLS_MAX_VERSION = 'tls_max_ver'
|
|||||||
# Path to certificate authority file for validating TLS hosts
|
# Path to certificate authority file for validating TLS hosts
|
||||||
GC_CA_FILE = 'ca_file'
|
GC_CA_FILE = 'ca_file'
|
||||||
|
|
||||||
TLS_MIN = 'TLSv1_3' if hasattr(ssl.SSLContext(), 'minimum_version') else None
|
TLS_MIN = 'TLSv1_3'
|
||||||
GC_Defaults = {
|
GC_Defaults = {
|
||||||
GC_ADMIN_EMAIL: '',
|
GC_ADMIN_EMAIL: '',
|
||||||
GC_AUTO_BATCH_MIN: 0,
|
GC_AUTO_BATCH_MIN: 0,
|
||||||
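Review bot: `TLS_MIN = 'TLSv1_3'` drops the `hasattr(ssl.SSLContext(), 'minimum_version')` guard without recording why it is now safe; `SSLContext.minimum_version` exists since Python 3.7 (with OpenSSL 1.1.0+), so a comment stating the assumption would help the next reader: `# SSLContext.minimum_version is available on every Python version GAM supports (3.7+), so no guard is needed.`. If this was the only use of `ssl` in var.py the import is now unused — that cannot be seen from the hunk, confirm.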
|
|||||||
@@ -4,7 +4,7 @@ filelock
|
|||||||
google-api-python-client>=2.1
|
google-api-python-client>=2.1
|
||||||
google-auth-httplib2
|
google-auth-httplib2
|
||||||
google-auth-oauthlib>=0.4.1
|
google-auth-oauthlib>=0.4.1
|
||||||
google-auth[reauth]>=2.3.2
|
google-auth>=2.3.2
|
||||||
httplib2>=0.17.0
|
httplib2>=0.17.0
|
||||||
passlib>=1.7.2
|
passlib>=1.7.2
|
||||||
pathvalidate
|
pathvalidate
|
||||||
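Review bot: `google-auth>=2.3.2` drops the `[reauth]` extra, which pulls in the security-key reauthentication dependencies; this is unrelated to the TLS 1.2 change in the commit title and, if any GAM code path relied on reauth, would surface only as a runtime import error rather than at install time. Confirm the removal is intentional and, if so, mention it in the commit description.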
|
|||||||