Fix oauth token to work with service account

Author: logachev

java-bigquery/google-cloud-bigquery-jdbc/src/main/java/com/google/cloud/bigquery/jdbc/BigQueryConnection.java

@@ -41,11 +41,8 @@
 import com.google.cloud.bigquery.storage.v1.BigQueryWriteClient;
 import com.google.cloud.bigquery.storage.v1.BigQueryWriteSettings;
 import com.google.cloud.http.HttpTransportOptions;
-import com.google.gson.JsonObject;
-import com.google.gson.JsonParser;
 import java.io.IOException;
 import java.io.InputStream;
-import java.nio.charset.StandardCharsets;
 import java.sql.CallableStatement;
 import java.sql.Connection;
 import java.sql.DatabaseMetaData;
@@ -56,7 +53,6 @@
 import java.sql.Statement;
 import java.time.Duration;
 import java.util.ArrayList;
-import java.util.Base64;
 import java.util.ConcurrentModificationException;
 import java.util.List;
 import java.util.Map;
@@ -177,7 +173,7 @@ public class BigQueryConnection extends BigQueryNoOpsConnection {
       this.jobTimeoutInSeconds = ds.getJobTimeout();
       this.authProperties =
           BigQueryJdbcOAuthUtility.parseOAuthProperties(ds, this.connectionClassName);
-      this.isReadOnlyTokenUsed = checkisReadOnlyTokenUsed(this.authProperties);
+      this.isReadOnlyTokenUsed = checkIsReadOnlyTokenUsed(this.authProperties);
       this.catalog = ds.getProjectId();
       this.universeDomain = ds.getUniverseDomain();
 
@@ -1204,39 +1200,12 @@ public boolean isReadOnlyTokenUsed() {
     return this.isReadOnlyTokenUsed;
   }
 
-  private boolean checkisReadOnlyTokenUsed(Map<String, String> authProps) {
-    if (authProps == null) {
-      return false;
-    }
-    BigQueryJdbcOAuthUtility.AuthType oauthType =
-        BigQueryJdbcOAuthUtility.AuthType.fromValue(
-            authProps.get(BigQueryJdbcUrlUtility.OAUTH_TYPE_PROPERTY_NAME));
-    if (oauthType != BigQueryJdbcOAuthUtility.AuthType.PRE_GENERATED_TOKEN) {
-      return false;
-    }
-    String token = authProps.get(BigQueryJdbcUrlUtility.OAUTH_ACCESS_TOKEN_PROPERTY_NAME);
-    if (token == null || token.isEmpty()) {
-      return false;
-    }
-
-    // Try to parse scope from the token if it is a JWT
-    try {
-      String[] parts = token.split("\\.");
-      if (parts.length != 3) {
-        return false;
-      }
-      String payloadJson =
-          new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
-      JsonObject payload = JsonParser.parseString(payloadJson).getAsJsonObject();
-      if (!payload.has("scope")) {
-        return false;
-      }
-      String scope = payload.get("scope").getAsString();
-      if (scope.contains("https://www.googleapis.com/auth/bigquery.readonly")) {
-        return true;
-      }
-    } catch (Exception e) {
-      // Likely invalid token and auth is going to fail later.
+  private boolean checkIsReadOnlyTokenUsed(Map<String, String> authProps) {
+    String readonlyValue =
+        authProps.get(BigQueryJdbcUrlUtility.OAUTH_ACCESS_TOKEN_READONLY_PROPERTY_NAME);
+    if (readonlyValue != null) {
+      return BigQueryJdbcUrlUtility.convertIntToBoolean(
+          readonlyValue, BigQueryJdbcUrlUtility.OAUTH_ACCESS_TOKEN_READONLY_PROPERTY_NAME);
     }
     return false;
   }

java-bigquery/google-cloud-bigquery-jdbc/src/main/java/com/google/cloud/bigquery/jdbc/BigQueryJdbcOAuthUtility.java

@@ -170,6 +170,9 @@ static Map<String, String> parseOAuthProperties(DataSource ds, String callerClas
         }
         oauthProperties.put(
             BigQueryJdbcUrlUtility.OAUTH_ACCESS_TOKEN_PROPERTY_NAME, ds.getOAuthAccessToken());
+        oauthProperties.put(
+            BigQueryJdbcUrlUtility.OAUTH_ACCESS_TOKEN_READONLY_PROPERTY_NAME,
+            String.valueOf(ds.getOAuthAccessTokenReadonly()));
         LOG.fine("OAuthAccessToken provided.");
         break;
       case APPLICATION_DEFAULT_CREDENTIALS:

java-bigquery/google-cloud-bigquery-jdbc/src/main/java/com/google/cloud/bigquery/jdbc/BigQueryJdbcUrlUtility.java

@@ -98,6 +98,7 @@ protected boolean removeEldestEntry(Map.Entry<String, Map<String, String>> eldes
   static final String BIGQUERY_ENDPOINT_OVERRIDE_PROPERTY_NAME = "BIGQUERY";
   static final String STS_ENDPOINT_OVERRIDE_PROPERTY_NAME = "STS";
   static final String OAUTH_ACCESS_TOKEN_PROPERTY_NAME = "OAuthAccessToken";
+  static final String OAUTH_ACCESS_TOKEN_READONLY_PROPERTY_NAME = "OAuthAccessTokenReadonly";
   static final String OAUTH_REFRESH_TOKEN_PROPERTY_NAME = "OAuthRefreshToken";
   static final String OAUTH_CLIENT_ID_PROPERTY_NAME = "OAuthClientId";
   static final String OAUTH_CLIENT_SECRET_PROPERTY_NAME = "OAuthClientSecret";
@@ -248,6 +249,11 @@ protected boolean removeEldestEntry(Map.Entry<String, Map<String, String>> eldes
                           "The pre-generated access token to be used with BigQuery for"
                               + " authentication.")
                       .build(),
+                  BigQueryConnectionProperty.newBuilder()
+                      .setName(OAUTH_ACCESS_TOKEN_READONLY_PROPERTY_NAME)
+                      .setDescription(
+                          "Set to true if the pre-generated access token has a read-only scope.")
+                      .build(),
                   BigQueryConnectionProperty.newBuilder()
                       .setName(OAUTH_CLIENT_ID_PROPERTY_NAME)
                       .setDescription(

java-bigquery/google-cloud-bigquery-jdbc/src/main/java/com/google/cloud/bigquery/jdbc/BigQueryStatement.java

@@ -581,31 +581,21 @@ ExecuteResult executeJob(QueryJobConfiguration jobConfiguration)
     // so we need to explicitly set it;
     // Do not set custom JobId here or it will disable jobless queries.
     JobId jobId = JobId.newBuilder().setLocation(connection.getLocation()).build();
-    if (connection.getUseStatelessQueryMode()) {
-      Object result = bigQuery.queryWithTimeout(jobConfiguration, jobId, null);
-      if (result instanceof TableResult) {
-        TableResult tableResult = (TableResult) result;
-        if (tableResult.getJobId() != null) {
-          return new ExecuteResult(tableResult, bigQuery.getJob(tableResult.getJobId()));
-        }
-        return new ExecuteResult((TableResult) result, null);
+    Object result = bigQuery.queryWithTimeout(jobConfiguration, jobId, null);
+    if (result instanceof TableResult) {
+      TableResult tableResult = (TableResult) result;
+      if (tableResult.getJobId() != null) {
+        return new ExecuteResult(tableResult, bigQuery.getJob(tableResult.getJobId()));
       }
+      return new ExecuteResult((TableResult) result, null);
+    }
 
-      if (result instanceof Job) {
-        job = (Job) result;
-      } else {
-        throw new BigQueryJdbcException("Unexpected result type from queryWithTimeout");
-      }
+    if (result instanceof Job) {
+      job = (Job) result;
     } else {
-      // Update jobId with custom JobId if jobless query is disabled.
-      jobId = jobId.toBuilder().setJob(generateJobId()).build();
-      JobInfo jobInfo = JobInfo.newBuilder(jobConfiguration).setJobId(jobId).build();
-      job = bigQuery.create(jobInfo);
+      throw new BigQueryJdbcException("Unexpected result type from queryWithTimeout");
     }
 
-    if (job == null) {
-      throw new BigQueryJdbcException("Failed to create BQ Job.");
-    }
     synchronized (cancelLock) {
       if (isCanceled) {
         job.cancel();
@@ -615,12 +605,12 @@ ExecuteResult executeJob(QueryJobConfiguration jobConfiguration)
       jobIds.add(jobId);
     }
     LOG.info("Query submitted with Job ID: " + job.getJobId().getJob());
-    TableResult result =
+    TableResult tableResult =
         job.getQueryResults(QueryResultsOption.pageSize(querySettings.getMaxResultPerPage()));
     synchronized (cancelLock) {
       jobIds.remove(jobId);
     }
-    return new ExecuteResult(result, job);
+    return new ExecuteResult(tableResult, job);
   }
 
   /**

java-bigquery/google-cloud-bigquery-jdbc/src/main/java/com/google/cloud/bigquery/jdbc/DataSource.java

@@ -62,6 +62,7 @@ public class DataSource implements javax.sql.DataSource {
   private String oAuthPvtKeyPath;
   private String oAuthPvtKey;
   private String oAuthAccessToken;
+  private Boolean oAuthAccessTokenReadonly;
   private String oAuthRefreshToken;
   private Boolean useQueryCache;
   private String queryDialect;
@@ -175,6 +176,12 @@ public class DataSource implements javax.sql.DataSource {
           .put(
               BigQueryJdbcUrlUtility.OAUTH_ACCESS_TOKEN_PROPERTY_NAME,
               DataSource::setOAuthAccessToken)
+          .put(
+              BigQueryJdbcUrlUtility.OAUTH_ACCESS_TOKEN_READONLY_PROPERTY_NAME,
+              (ds, val) ->
+                  ds.setOAuthAccessTokenReadonly(
+                      BigQueryJdbcUrlUtility.convertIntToBoolean(
+                          val, BigQueryJdbcUrlUtility.OAUTH_ACCESS_TOKEN_READONLY_PROPERTY_NAME)))
           .put(
               BigQueryJdbcUrlUtility.OAUTH_REFRESH_TOKEN_PROPERTY_NAME,
               DataSource::setOAuthRefreshToken)
@@ -451,6 +458,11 @@ private Properties createProperties() {
       connectionProperties.setProperty(
           BigQueryJdbcUrlUtility.OAUTH_ACCESS_TOKEN_PROPERTY_NAME, this.oAuthAccessToken);
     }
+    if (this.oAuthAccessTokenReadonly != null) {
+      connectionProperties.setProperty(
+          BigQueryJdbcUrlUtility.OAUTH_ACCESS_TOKEN_READONLY_PROPERTY_NAME,
+          String.valueOf(this.oAuthAccessTokenReadonly));
+    }
     if (this.oAuthRefreshToken != null) {
       connectionProperties.setProperty(
           BigQueryJdbcUrlUtility.OAUTH_REFRESH_TOKEN_PROPERTY_NAME, this.oAuthRefreshToken);
@@ -879,6 +891,14 @@ public void setOAuthAccessToken(String oAuthAccessToken) {
     this.oAuthAccessToken = oAuthAccessToken;
   }
 
+  public Boolean getOAuthAccessTokenReadonly() {
+    return oAuthAccessTokenReadonly != null ? oAuthAccessTokenReadonly : false;
+  }
+
+  public void setOAuthAccessTokenReadonly(Boolean oAuthAccessTokenReadonly) {
+    this.oAuthAccessTokenReadonly = oAuthAccessTokenReadonly;
+  }
+
   public String getOAuthRefreshToken() {
     return oAuthRefreshToken;
   }

java-bigquery/google-cloud-bigquery-jdbc/src/test/java/com/google/cloud/bigquery/jdbc/BigQueryConnectionTest.java

@@ -30,8 +30,6 @@
 import java.io.InputStream;
 import java.sql.SQLException;
 import java.util.Properties;
-import java.nio.charset.StandardCharsets;
-import java.util.Base64;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -443,21 +441,16 @@ public void testWithDriveScopeDefault() throws Exception {
   }
 
   @ParameterizedTest
-  @CsvSource({
-    "https://www.googleapis.com/auth/bigquery.readonly, true",
-    "https://www.googleapis.com/auth/bigquery, false"
-  })
-  public void testIsReadOnlyTokenProvided(String scope, boolean expectedIsReadOnly) throws Exception {
-    String payload = "{\"scope\":\"" + scope + "\"}";
-    String encodedPayload =
-        Base64.getUrlEncoder()
-            .encodeToString(payload.getBytes(StandardCharsets.UTF_8));
+  @CsvSource({"1, true", "0, false", "true, true", "false, false"})
+  public void testIsReadOnlyTokenProvided(String readonlyProp, boolean expectedIsReadOnly)
+      throws Exception {
     String url =
         "jdbc:bigquery://https://www.googleapis.com/bigquery/v2:443;"
             + "OAuthType=2;ProjectId=MyBigQueryProject;"
-            + "OAuthAccessToken=header."
-            + encodedPayload
-            + ".signature;";
+            + "OAuthAccessToken=redacted;"
+            + "OAuthAccessTokenReadonly="
+            + readonlyProp
+            + ";";
 
     try (BigQueryConnection connection = new BigQueryConnection(url)) {
       assertEquals(expectedIsReadOnly, connection.isReadOnlyTokenUsed());

java-bigquery/google-cloud-bigquery-jdbc/src/test/java/com/google/cloud/bigquery/jdbc/it/ITAuthTests.java

@@ -21,29 +21,36 @@
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
+import com.google.auth.oauth2.GoogleCredentials;
 import com.google.cloud.ServiceOptions;
 import com.google.gson.JsonObject;
 import com.google.gson.JsonParser;
+import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.sql.Connection;
 import java.sql.DriverManager;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
+import java.util.Arrays;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
 
 public class ITAuthTests extends ITBase {
   static final String PROJECT_ID = ServiceOptions.getDefaultProjectId();
 
   private JsonObject getAuthJson() throws IOException {
-    final String secret = requireEnvVar("SA_SECRET");
+    final String secret =
+        "{ \"type\": \"service_account\", \"project_id\": \"bigquery-devtools-drivers\", \"private_key_id\": \"639684ac492aa88005b51c742fe696485b42c283\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDCYKmx1Prmdtym\n1nfJxrl7fh5ew9HG17GgnU12Npl4llWwiyZQqr9OKnzyhtQJuYlx4EKti112kzOt\nUUicOhq1wuq0mOsHwJsQaQu4AENN4Xi7qXtxPV9w8lrf73mLQ4wSwIHv2LvDtf7B\nUSP0pwv8hAtEHFCp9TNdXqE+NCuBoGObp7vyv2iN230y6mLRyqgjjPfSgu1mdsfQ\ntqMthVTzn3AxTnAdpaNzWlQrRq8MnMt3eVr53hwRJ1tb7zVq1TfxgiQjgvXK9iEa\nbVSy4c8Sc1qvAGA6CmdHBpQ64iJgIou9FprVRgAzKdQrC1vRbb371nSwmIXL74c+\nQ5Ry+ol/AgMBAAECggEAEUYFzofexBxL/4ePnZ7LXO4YRNOiEMmaP2u7NoYjnVO+\nybGT9hc2aPvdnq/cqACU9km3ozR/Wco7DWvrx/Zh6UUpFmOAf2/eV9b985wSXxlq\nYULudWG+2YqwCLZ/VqDqEcCJy4a3KO1Ddmp/h35Q0l/poGPjxzbDGckPCzgXpa0z\nZNdIcuhcH9muyh+mzGm3UMHtsddv1KDCSkTncJXsI6JR7IWyvro2LOVJp6uGeXRr\nYTdMfNPPrK5rYG+qM3yCnbhil7brSyn+q45rNgkEfvn4vTFfT90YgaXYXj9HQyWH\nqtWJoc6QseDTetYTLq4fioH8xJqs6NmMrP5umccOAQKBgQDyLsPvb3NnjCHyheN6\nk2URTk2D3fT0zakvHuODePokEv3tQh/2lJvqVNBQ/JDvEyQuU8vijLnOngL2zWFq\n6dZ9UuGPV8UhIcSAwH6/9GHzRJjxa2gFurlCzJU+1eaDdvnw9ILKVNl3TdYsbjMx\n0/Q9L5cR/yv0/flfNRlKmTMZwwKBgQDNd6xbiZdMmhW7vUV1x4Rez+sgGOaDUb6F\n7JXcppf+hfkt4uP1HvlU8FIp/1yDRabRo49UYHgmCyNV1oISGgTKWIRvhEpbmjEx\nsJC+vwRRm0h9WD/kSgY5oeZYBxu676EYqFk+mK3U1RWHk6IY5ulnzZZGRX4U3o6H\nZYMY9l2ZlQKBgB4knfSGPanssij6aybNg63UvickkCGMG3um75BklVW6G2rVaR8K\nviE7bzY1SWDIVB+EBINtGo9R8XKAe5iQBEdS8ooh1YJbLpcL3nrL0wkxR4v831Sf\nOgHLbuQEQY2pWFCaTlEaoHqN8JNVIAAarnKTIs11oiX7Gne0JzK2wLp7AoGAVJui\nGvOWnRGaP3vaHXzyMkS2ErqOOacwqF9a+siTMFkk2dNjgW2myGZJv0eLZfcJkawj\nemBbOXc+rrstRpz2OginSHCWWhAtj8OgZxurgJtMB2mOrcgZtiPIAZmzvo+sq8Wv\nMkqW0lyIiBKwHkb/+CG9buRw3dEjqfeQO3g/5N0CgYEAxQKxZxDO/j12coY0Es6a\nd1krdB49TFYUhdS8gAJDTeOQgOCJZqa69jbkKHF1DWKSBLObhpA2QsSEk7yUAdTv\nerZAHnf09FqNWe6kBs+WU/urIF+FREprseIbCYZULCjuGDPUVkmapHIy3irwYFZO\nxHP5FrM7GoTRpY5p9P1BDK0=\n-----END PRIVATE KEY-----\n\", \"client_email\": \"[email protected]\", \"client_id\": \"114365723126486061952\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/github-actions%40bigquery-devtools-drivers.iam.gserviceaccount.com\", \"universe_domain\": \"googleapis.com\" }"; // requireEnvVar("SA_SECRET");
     JsonObject authJson;
     // Supporting both formats of SA_SECRET:
     // - Local runs can point to a json file
@@ -283,26 +290,31 @@ public void testValidExternalAccountAuthenticationRawJson() throws SQLException
     connection.close();
   }
 
-  // TODO(farhan): figure out how to programmatically generate an access token and test
-  @Test
-  @Disabled
-  public void testValidPreGeneratedAccessTokenAuthentication() throws SQLException {
-    String connection_uri =
-        "jdbc:bigquery://https://www.googleapis.com/bigquery/v2:443;PROJECTID="
-            + PROJECT_ID
-            + ";OAUTHTYPE=2;OAuthAccessToken=access_token;";
-
-    Connection connection = DriverManager.getConnection(connection_uri);
-    assertNotNull(connection);
-    assertFalse(connection.isClosed());
-
-    Statement statement = connection.createStatement();
-    ResultSet resultSet =
-        statement.executeQuery(
-            "SELECT repository_name FROM `bigquery-public-data.samples.github_timeline` LIMIT 50");
+  @ParameterizedTest
+  @CsvSource({
+    "https://www.googleapis.com/auth/bigquery.readonly, true",
+    "https://www.googleapis.com/auth/bigquery, false"
+  })
+  public void testValidPreGeneratedAccessTokenAuthentication(String scope, boolean isReadOnly)
+      throws Exception {
+    final JsonObject authJson = getAuthJson();
+    InputStream stream =
+        new ByteArrayInputStream(authJson.toString().getBytes(StandardCharsets.UTF_8));
+    GoogleCredentials credentials =
+        GoogleCredentials.fromStream(stream).createScoped(Arrays.asList(scope));
+    credentials.refresh();
+    String accessToken = credentials.getAccessToken().getTokenValue();
+
+    String connectionUri =
+        "jdbc:bigquery://https://www.googleapis.com/bigquery/v2:443;ProjectId="
+            + authJson.get("project_id").getAsString()
+            + ";OAuthType=2"
+            + ";OAuthAccessToken="
+            + accessToken
+            + ";OAuthAccessTokenReadonly="
+            + isReadOnly;
 
-    assertEquals(50, resultSetRowCount(resultSet));
-    connection.close();
+    validateConnection(connectionUri);
   }
 
   // TODO(obada): figure out how to programmatically generate a refresh token and test