doc: Added more documentation an updated README, moving away from gopkg.in and will just update master branch

Author: someone1

.travis.yml

@@ -1,6 +1,5 @@
 language: go
 sudo: false
-go_import_path: gopkg.in/someone1/gcp-jwt-go.v2
 go:
   - 1.10.x
   - 1.11.x
@@ -9,8 +8,8 @@ addons:
     packages:
       - python-rsa
 env:
-  - GOOGLE_APPLICATION_CREDENTIALS="$GOPATH/src/gopkg.in/someone1/gcp-jwt-go.v2/credentials.json"
-    KMS_TEST_KEYS="$GOPATH/src/gopkg.in/someone1/gcp-jwt-go.v2/kms-test-keys.json"
+  - GOOGLE_APPLICATION_CREDENTIALS="$GOPATH/src/github.com/someone1/gcp-jwt-go/credentials.json"
+    KMS_TEST_KEYS="$GOPATH/src/github.com/someone1/gcp-jwt-go/kms-test-keys.json"
 before_install:
   - openssl aes-256-cbc -K $encrypted_b9c0b4811a94_key -iv $encrypted_b9c0b4811a94_iv -in secrets.tar.enc -out secrets.tar -d
   - tar xvf secrets.tar

README.md

@@ -1,145 +1,30 @@
-# gcp-jwt-go (v2) [![GoDoc](https://godoc.org/gopkg.in/someone1/gcp-jwt-go.v2?status.svg)](https://godoc.org/gopkg.in/someone1/gcp-jwt-go.v2) [![Go Report Card](https://goreportcard.com/badge/gopkg.in/someone1/gcp-jwt-go.v2)](https://goreportcard.com/report/gopkg.in/someone1/gcp-jwt-go.v2) [![Build Status](https://travis-ci.org/someone1/gcp-jwt-go.svg?branch=v2)](https://travis-ci.org/someone1/gcp-jwt-go) [![Coverage Status](https://coveralls.io/repos/github/someone1/gcp-jwt-go/badge.svg?branch=v2)](https://coveralls.io/github/someone1/gcp-jwt-go?branch=v2)
+# gcp-jwt-go [![GoDoc](https://godoc.org/github.com/someone1/gcp-jwt-go?status.svg)](https://godoc.org/github.com/someone1/gcp-jwt-go) [![Go Report Card](https://goreportcard.com/badge/github.com/someone1/gcp-jwt-go)](https://goreportcard.com/report/github.com/someone1/gcp-jwt-go) [![Build Status](https://travis-ci.org/someone1/gcp-jwt-go.svg)](https://travis-ci.org/someone1/gcp-jwt-go) [![Coverage Status](https://coveralls.io/repos/github/someone1/gcp-jwt-go/badge.svg)](https://coveralls.io/github/someone1/gcp-jwt-go)
 
 Google Cloud Platform (KMS, IAM & AppEngine) jwt-go implementations
 
-## New with V2:
+## New with v2:
 
 Google Cloud KMS [now supports signatures](https://cloud.google.com/kms/docs/create-validate-signatures) and support has been added to gcp-jwt-go!
 
-## Breaking Changes with V2
+## Breaking Changes with v2
 
 - Package name changed from gcp_jwt to gcpjwt
 - Refactoring of code (including exported functions/structs)
 - Certificate caching is now opt-in vs opt-out
 
 To continue using the older version, please import as follows: `import "gopkg.in/someone1/gcp-jwt-go.v1"`
 
-### Other Features
+### Features
 
-gcp-jwt-go has a basic implementation of using the [IAM SignJwt API](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signJwt) on Google Cloud Platform to sign JWT tokens using the dgrijalva/jwt-go package. Should work across most environments (including AppEngine)!
+gcp-jwt-go has basic implementations of using [Google Cloud KMS](https://cloud.google.com/kms/docs/create-validate-signatures), Google IAM API (both [signJwt](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signJwt) and [signBlob](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signBlob)), and the [App Identity API](https://cloud.google.com/appengine/docs/go/appidentity/) from AppEngine Standard on Google Cloud Platform to sign JWT tokens using the [dgrijalva/jwt-go](https://github.com/dgrijalva/jwt-go) package. Should work across virtually all environments, on or off of Google's Cloud Platform.
 
-The old method of using the [IAM SignBlob API](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signBlob) is still supported.
+## Getting Started
 
-## AppEngine Only (legacy)
-
-Basic implementation of using the built-in [App Identity API](https://cloud.google.com/appengine/docs/go/appidentity/) of AppEngine to sign JWT tokens using the dgrijalva/jwt-go package.
-
-## Basic usage (using the IAM API):
-
-### Setup
-
-```go
-import (
-    "gopkg.in/someone1/gcp-jwt-go.v2"
-)
-
-func init() {
-    // Unless we want to keep the original RS256 implementation alive, override it (recommended)
-    gcpjwt.SigningMethodIAMJWT.Override() // For signJwt
-    // OR
-    gcpjwt.SigningMethodIAMBlob.Override() // For signBlob
-}
-```
-
-### Create a Token
-
-```go
-import (
-    "context"
-
-    "github.com/dgrijalva/jwt-go"
-    "gopkg.in/someone1/gcp-jwt-go.v2"
-)
-
-func makeToken() string {
-    token := jwt.New(gcpjwt.SigningMethodGCPJWT)
-    config := &gcpjwt.IAMConfig{
-        ServiceAccount: "[email protected]",
-        IAMType:        gcpjwt.IAMJwtType, // or gcpjwt.IAMBlobType
-    }
-    ctx := gcpjwt.NewIAMContext(context.Background(), config)
-    token.Method = gcpjwt.SigningMethodIAMJWT // or gcpjwt.SigningMethodIAMBlob
-
-    // Fill in Token claims
-
-    // For signBlob
-    tokenString, err := token.SignedString(ctx)
-
-    // For signJwt
-    // !!IMPORTANT!! Due to the way the signJwt API returns tokens, we can't use the standard signing process
-    // to sign
-    signingString, err := token.SigningString()
-    // handle err
-    tokenString, terr := token.Method.Sign(signingString, ctx)
-    // handle terr
-
-    return tokenString
-}
-```
-
-### Validate a Token
-
-```go
-import (
-    "context"
-    "strings"
-
-    "github.com/dgrijalva/jwt-go"
-    "gopkg.in/someone1/gcp-jwt-go.v2"
-)
-
-func validateToken(tokenString string) {
-    config := &gcpjwt.IAMConfig{
-        ServiceAccount: "[email protected]",
-        IAMType:        gcpjwt.IAMJwtType, // or gcpjwt.IAMBlobType
-    }
-    config.EnableCache = true // Enable certificates cache
-
-    // To Verify (if we called Override() for our method type prior)
-    token, err := jwt.Parse(tokenString, gcpjwt.VerfiyKeyfunc(context.Background(), config))
-
-    // If we DID NOT call the Override() function
-    // This is basically copying the https://github.com/dgrijalva/jwt-go/blob/master/parser.go#L23 ParseWithClaims function here but forcing our own method vs getting one based on the Alg field
-    // Or Try and parse, Ignore the result and try with the proper method:
-    token, _ := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-        return nil, nil
-    })
-    parts := strings.Split(token.Raw, ".")
-    token.Method = gcpjwt.SigningMethodIAMJWT // or gcpjwt.SigningMethodIAMBlob
-    if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, ctx); err != nil {
-        // handle error
-    } else {
-        token.Valid = true
-    }
-}
-```
-
-## Basic usage (old - use with AppEngine Standard):
-
-```go
-import (
-    "github.com/dgrijalva/jwt-go"
-    "gopkg.in/someone1/gcp-jwt-go.v2"
-)
-
-// AppEngine Only Method
-token := jwt.New(gcpjwt.SigningMethodAppEngine)
-
-// OR
-
-token := jwt.New(gcpjwt.SigningMethodGCP)
-config := &gcpjwt.IAMSignBlobConfig{
-    ServiceAccount: "[email protected]",
-}
-ctx := gcpjwt.NewContext(ctx, config)
-
-// Pass in a context.Context as the key for Sign/Verify
-// Same process as any other signing method in the jwt-go package
-```
+Please read the documentation at [https://godoc.org/github.com/someone1/gcp-jwt-go](https://godoc.org/github.com/someone1/gcp-jwt-go)
 
 ## Tips
 
-- Create a separate service account to sign on behalf of for your projects unless you NEED to use your default service account (e.g. the AppEngine service account). This way you can limit the scope of access for any leaked credentials. You'll have to grant the `roles/iam.serviceAccountTokenCreator` role to any user/group/serviceaccount you want to be able to sign on behalf of the new service account (resource: `projects/-/serviceAccounts/<serviceaccount>`).
+- If using the IAM API - create a separate service account to sign on behalf of for your projects unless you NEED to use your default service account (e.g. the AppEngine service account). This way you can limit the scope of access for any leaked credentials. You'll have to grant the `roles/iam.serviceAccountTokenCreator` role to any user/group/serviceaccount you want to be able to sign on behalf of the new service account (resource: `projects/-/serviceAccounts/<serviceaccount>`). For example, create an api-signer service account, do NOT furnish any keys for it, [grant](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/setIamPolicy) your AppEngine/GCE/etc. default service account the proper role for that serviceAccount, and use the api-signer@... service account address in your configuration.
 - If using outside of GCP, be sure to put credentials for an account that can access the service account for signing tokens in a well known location:
   1. A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS environment variable.
   2. A JSON file in a location known to the gcloud command-line tool. On Windows, this is %APPDATA%/gcloud/application_default_credentials.json. On other systems, $HOME/.config/gcloud/application_default_credentials.json.

doc.go

@@ -0,0 +1,175 @@
+/*
+Package gcp-jwt-go has basic implementations of using Google Cloud KMS, Google IAM API (both signJwt and signBlob),
+and the App Identity API from AppEngine Standard to sign JWT tokens using the package
+"github.com/dgrijalva/jwt-go". Should work across virtually all environments, on or off of Google's Cloud Platform.
+
+Getting Started
+
+It is highly reccomended that you override the default algorithm implementations that you want to leverage a GCP service
+for in dgrijalva/jwt-go. You otherwise will have to manually pick the verification method for your JWTs and they will
+place non-standard headers in the rendered JWT (with the exception of signJwt from the IAM API which overwrites the
+header with its own).
+
+You should only need to override the algorithm(s) you plan to use. It is also incorrect to override overlapping,
+algorithms such as `gcpjwt.SigningMethodKMSRS256.Override()` and `gcpjwt.SigningMethodIAMJWT.Override()`
+
+Example:
+
+	import (
+		"github.com/someone1/gcp-jwt-go"
+	)
+
+	func init() {
+		// Pick one or more of the following to override
+
+		// Cloud KMS
+		gcpjwt.SigningMethodKMSRS256.Override() // RS256
+		gcpjwt.SigningMethodKMSPS256.Override() // PS256
+		gcpjwt.SigningMethodKMSES256.Override() // ES256
+		gcpjwt.SigningMethodKMSES384.Override() // ES384
+
+		// IAM API - This implements RS256 exclusively
+		gcpjwt.SigningMethodIAMJWT.Override() // For signJwt
+		gcpjwt.SigningMethodIAMBlob.Override() // For signBlob
+
+		// AppEngine - Standard runtime only, does not apply to Flexible runtime, implements RS256 exclusively
+		// You can also use any of the above methods on AppEngine Standard
+		gcpjwt.SigningMethodAppEngine.Override()
+	}
+
+As long as a you override a default algorithm implementation as shown above, using the dgrijalva/jwt-go is mostly unchanged.
+
+Create a Token
+
+Token creation is more/less done the same way as in the dgrijalva/jwt-go package. The key that you need to provide is
+always going to be a context.Context, usuaully with a configuration object loaded in:
+	- use gcpjwt.IAMConfig for the SigningMethodIAMJWT and SigningMethodIAMBlob signing methods
+	- use an appengine.NewContext for the SigningMethodAppEngine signing method
+	- use gcpjwt.KMSConfig for any of the KMS signing methods
+
+Example:
+
+
+	import (
+		"context"
+		"net/http"
+
+		"github.com/dgrijalva/jwt-go"
+		"github.com/someone1/gcp-jwt-go"
+		"google.golang.org/appengine" // only on AppEngine Standard when using the SigningMethodAppEngine signing method
+	)
+
+	func makeToken(ctx context.Context) (string, error) string {
+		// Important - if on AppEngine standard, even if you aren't useing the SigningMethodAppEngine signing method
+		// you must pass around the appengine.NewContext context as it is required for the API calls all methods must
+		// make.
+
+		var key interface{}
+		claims := &jwt.StandardClaims{
+			ExpiresAt: 15000,
+			Issuer:    "test",
+		}
+		token := jwt.NewWithClaims(gcpjwt.SigningMethodGCPJWT, claims)
+
+		// Prepare your signing key
+
+		// For SigningMethodIAMJWT or SigningMethodIAMBlob
+		config := &gcpjwt.IAMConfig{
+			ServiceAccount: "[email protected]",
+			IAMType:        gcpjwt.IAMJwtType, // or gcpjwt.IAMBlobType
+		}
+		key = gcpjwt.NewIAMContext(ctx, config)
+
+		// For any KMS signing method
+		config := &gcpjwt.KMSConfig{
+			KeyPath: "name=projects/<project-id>/locations/<location>/keyRings/<key-ring-name>/cryptoKeys/<key-name>/cryptoKeyVersions/<key-version>",
+		}
+		key = gcpjwt.NewKMSContext(ctx, config)
+
+		// For SigningMethodAppEngine
+		key = ctx
+
+		// For all signing methods EXCEPT signJWT
+		return token.SignedString(key)
+
+		// For signJwt
+		// !!IMPORTANT!! Due to the way the signJwt API returns tokens, we can't use the standard signing process
+		// to sign
+		signingString, err := token.SigningString()
+		if err != nil {
+			return "", err
+		}
+
+		return token.Method.Sign(signingString, key)
+	}
+
+Validate a Token
+
+Finally, the steps to validate a token should be straight forward. This library provides you with helper jwt.Keyfunc
+implementations to do the heavy lifting around getting the public certificates for verification:
+
+	- gcpjwt.IAMVerfiyKeyfunc can be used for the IAM API and the AppEngine Standard signing methods
+	- gcpjwt.AppEngineVerfiyKeyfunc is only available on AppEngine standard and can only be used on JWT signed from the same default service account as the running application
+	- gcp.KMSVerfiyKeyfunc can be used for the Cloud KMS signing methods
+
+Example:
+
+	import (
+		"context"
+		"time"
+		"strings"
+
+		"github.com/dgrijalva/jwt-go"
+		"github.com/someone1/gcp-jwt-go"
+	)
+
+	func validateToken(ctx context.Context, tokenString string) (*jwt.Token, error) {
+		// Important - if on AppEngine standard, even if you aren't useing the SigningMethodAppEngine signing method
+		// you must pass around the appengine.NewContext context as it is required for the API calls all methods must
+		// make.
+
+		var keyFunc jwt.Keyfunc
+
+		// Prepare your key function
+
+		// For SigningMethodIAMJWT or SigningMethodIAMBlob or SigningMethodAppEngine
+		config := &gcpjwt.IAMConfig{
+			ServiceAccount: "[email protected]",
+			IAMType:        gcpjwt.IAMJwtType, // or gcpjwt.IAMBlobType (use the Blob type if you used the SigningMethodAppEngine before)
+			EnableCache:    true, // Enable the certificate cache so we don't fetch it on every verification - RECOMMENDED
+		}
+		keyFunc = gcpjwt.IAMVerfiyKeyfunc(ctx, config)
+
+		// For any KMS signing method
+		config := &gcpjwt.KMSConfig{
+			KeyPath: "name=projects/<project-id>/locations/<location>/keyRings/<key-ring-name>/cryptoKeys/<key-name>/cryptoKeyVersions/<key-version>",
+		}
+		keyFunc = gcpjwt.KMSVerfiyKeyfunc(ctx, config)
+
+		// For SigningMethodAppEngine only on AppEngine Standard
+		keyFunc = gcpjwt.AppEngineVerfiyKeyfunc(ctx, true, time.Hour)
+
+		// If you called an Override function as recommended above, for both signing and verifying a token, you can use
+		// the regular verification steps - and the same goes if you did NOT call it for both signing and verifying (using non-standard 'alg' headers)
+		// EXCEPT for the signJwt IAM API signing method which overwrites the header's alg to RS256
+		return jwt.Parse(tokenString, keyFunc)
+
+		// The following is an extreme and advanced use-case - it is NOT recommended but here for those who need it.
+		//
+		// If we need to manually override the detected jwt.SigningMethod based on the 'alg' header
+		// This is basically copying the https://github.com/dgrijalva/jwt-go/blob/master/parser.go#L23 ParseWithClaims function here but forcing our own method vs getting one based on the Alg field
+		// Or Try and parse, Ignore the result and try with the proper method:
+		token, _ := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+			return nil, nil
+		})
+		parts := strings.Split(token.Raw, ".")
+		token.Method = gcpjwt.SigningMethodIAMJWT // or whichever method you want to force
+		if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, keyFunc); err != nil {
+			return nil, err
+		} else {
+			token.Valid = true
+		}
+		return token, nil
+	}
+*/
+package gcpjwt

jwtmiddleware/helpers_test.go

@@ -17,8 +17,8 @@ import (
 	"google.golang.org/appengine"
 	"google.golang.org/appengine/aetest"
 
-	"gopkg.in/someone1/gcp-jwt-go.v2"
-	goauth2 "gopkg.in/someone1/gcp-jwt-go.v2/oauth2"
+	"github.com/someone1/gcp-jwt-go"
+	goauth2 "github.com/someone1/gcp-jwt-go/oauth2"
 )
 
 var jwtConfig *gjwt.Config

jwtmiddleware/middleware.go

@@ -10,7 +10,7 @@ import (
 	"github.com/dgrijalva/jwt-go"
 	"github.com/dgrijalva/jwt-go/request"
 
-	"gopkg.in/someone1/gcp-jwt-go.v2"
+	"github.com/someone1/gcp-jwt-go"
 )
 
 // NewHandler will return a middleware that will try and validate tokens in incoming HTTP requests.
@@ -19,7 +19,7 @@ import (
 // Audience claim to the one provided, or use https:// + request.Host if blank. NOTE: If using the signJwt method,
 // you MUST call gcpjwt.SigningMethodIAMJWT.Override().
 //
-// Complimentary to https://gopkg.in/someone1/gcp-jwt-go.v2/oauth2
+// Complimentary to https://github.com/someone1/gcp-jwt-go/oauth2
 func NewHandler(ctx context.Context, config *gcpjwt.IAMConfig, audience string) func(http.Handler) http.Handler {
 	ctx = gcpjwt.NewIAMContext(ctx, config)
 

jwtmiddleware/middleware_appengine.go

@@ -11,15 +11,15 @@ import (
 	"github.com/dgrijalva/jwt-go/request"
 	"google.golang.org/appengine"
 
-	"gopkg.in/someone1/gcp-jwt-go.v2"
+	"github.com/someone1/gcp-jwt-go"
 )
 
 // NewHandler will return a middleware that will try and validate tokens in incoming HTTP requests.
 // The token is expected as a Bearer token in the Authorization header and expected to have an Issuer
 // claim equal to the ServiceAccount the provided IAMConfig is configured for. This will also validate the
 // Audience claim to the one provided, or use https:// + request.Host if blank.
 //
-// Complimentary to https://gopkg.in/someone1/gcp-jwt-go.v2/oauth2
+// Complimentary to https://github.com/someone1/gcp-jwt-go/oauth2
 func NewHandler(_ context.Context, config *gcpjwt.IAMConfig, audience string) func(http.Handler) http.Handler {
 	return func(h http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {