Validate and log instance identity tokens in CloudHostStarter
The current impl attempts to retrieve an instance identity token and passes it along w/o validation. For troubleshooting purposes, it would be better if the jwt received was validated and logged. Bug: 388886766 Change-Id: Idf4835f72911005d4614f0ea423deb35d0f7a325 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6318821 Reviewed-by: Gary Kacmarcik <garykac@chromium.org> Commit-Queue: Joe Downing <joedow@chromium.org> Cr-Commit-Position: refs/heads/main@{#1427346}
This commit is contained in:
Joe Downing
committed by
Chromium LUCI CQ
Chromium LUCI CQ
parent
ccede60ffe
commit
f29fa5254a
@ -18,6 +18,8 @@
|
||||
#include "remoting/base/cloud_service_client.h"
|
||||
#include "remoting/base/compute_engine_service_client.h"
|
||||
#include "remoting/base/http_status.h"
|
||||
#include "remoting/base/instance_identity_token.h"
|
||||
#include "remoting/base/logging.h"
|
||||
#include "remoting/base/oauth_token_info.h"
|
||||
#include "remoting/base/passthrough_oauth_token_getter.h"
|
||||
#include "remoting/base/service_urls.h"
|
||||
@ -99,8 +101,13 @@ void CloudHostStarter::RetrieveApiAccessToken() {
|
||||
}
|
||||
|
||||
void CloudHostStarter::OnIdentityTokenRetrieved(const HttpStatus& status) {
|
||||
if (status.ok() && !status.response_body().empty()) {
|
||||
instance_identity_token_ = status.response_body();
|
||||
if (status.ok()) {
|
||||
auto jwt = status.response_body();
|
||||
auto validated_token = InstanceIdentityToken::Create(jwt);
|
||||
if (validated_token.has_value()) {
|
||||
HOST_LOG << "Retrieved instance identity token:\n" << *validated_token;
|
||||
instance_identity_token_ = std::move(jwt);
|
||||
}
|
||||
} else {
|
||||
int error_code = static_cast<int>(status.error_code());
|
||||
LOG(WARNING) << "Failed to retrieve an Instance Identity token.\n"
|
||||
@ -111,7 +118,7 @@ void CloudHostStarter::OnIdentityTokenRetrieved(const HttpStatus& status) {
|
||||
|
||||
// The two modes to configure a Cloud host are to generate an API_KEY and use
|
||||
// that to access the provisioning RPC or to generate an access token using
|
||||
// the default service-account. If an API_KEY is being used, we can skip the
|
||||
// the default service account. If an API_KEY is being used, we can skip the
|
||||
// access token request since it won't be used.
|
||||
if (params().api_key.empty()) {
|
||||
compute_engine_service_client_->GetServiceAccountAccessToken(
|
||||
|
||||
Reference in New Issue
Block a user