Added task handler authorization

marickvantuil · marickvantuil · commit acb6d01b8268 · 2020-06-14T23:10:55.000+02:00
diff --git a/src/CloudTasksQueue.php b/src/CloudTasksQueue.php
@@ -6,11 +6,13 @@
 use Google\Cloud\Tasks\V2\CloudTasksClient;
 use Google\Cloud\Tasks\V2\HttpMethod;
 use Google\Cloud\Tasks\V2\HttpRequest;
+use Google\Cloud\Tasks\V2\OidcToken;
 use Google\Cloud\Tasks\V2\Task;
 use Google\Protobuf\Timestamp;
 use Illuminate\Contracts\Queue\Queue as QueueContract;
 use Illuminate\Queue\Queue as LaravelQueue;
 use Illuminate\Support\InteractsWithTime;
+use Illuminate\Support\Str;
 
 class CloudTasksQueue extends LaravelQueue implements QueueContract
 {
@@ -55,14 +57,18 @@ protected function pushToCloudTasks($queue, $payload, $delay = 0, $attempts = 0)
         $queueName = $this->client->queueName(Config::project(), Config::location(), $queue);
         $availableAt = $this->availableAt($delay);
 
-        $httpRequest = app(HttpRequest::class);
+        $httpRequest = $this->createHttpRequest();
         $httpRequest->setUrl(Config::handler());
         $httpRequest->setHttpMethod(HttpMethod::POST);
         $httpRequest->setBody($payload);
 
-        $task = app(Task::class);
+        $task = $this->createTask();
+        $randomString = Str::random();
+        $task->setName($queueName . '/tasks/' . $randomString);
         $task->setHttpRequest($httpRequest);
 
+        $httpRequest->setHeaders(['X-Stackkit-Auth-Token' => encrypt($randomString)]);
+
         if ($availableAt > time()) {
             $task->setScheduleTime(new Timestamp(['seconds' => $availableAt]));
         }
@@ -79,4 +85,20 @@ private function getQueue($queue = null)
     {
         return $queue ?: $this->default;
     }
+
+    /**
+     * @return HttpRequest
+     */
+    private function createHttpRequest()
+    {
+        return app(HttpRequest::class);
+    }
+
+    /**
+     * @return Task
+     */
+    private function createTask()
+    {
+        return app(Task::class);
+    }
 }
diff --git a/src/CloudTasksServiceProvider.php b/src/CloudTasksServiceProvider.php
@@ -2,6 +2,7 @@
 
 namespace Stackkit\LaravelGoogleCloudTasksQueue;
 
+use Google\Cloud\Tasks\V2\CloudTasksClient;
 use Illuminate\Queue\QueueManager;
 use Illuminate\Routing\Router;
 use Illuminate\Support\ServiceProvider as LaravelServiceProvider;
@@ -10,10 +11,20 @@ class CloudTasksServiceProvider extends LaravelServiceProvider
 {
     public function boot(QueueManager $queue, Router $router)
     {
+        $this->registerClient();
         $this->registerConnector($queue);
         $this->registerRoutes($router);
     }
 
+    private function registerClient()
+    {
+        $this->app->singleton(CloudTasksClient::class, function () {
+            return new CloudTasksClient([
+                'credentials' => Config::credentials(),
+            ]);
+        });
+    }
+
     private function registerConnector(QueueManager $queue)
     {
         $queue->addConnector('cloudtasks', function () {
diff --git a/src/TaskHandler.php b/src/TaskHandler.php
@@ -2,23 +2,76 @@
 
 namespace Stackkit\LaravelGoogleCloudTasksQueue;
 
+use Ahc\Jwt\JWT;
+use Google\Cloud\Tasks\V2\CloudTasksClient;
+use Illuminate\Http\Request;
 use Illuminate\Queue\Worker;
 use Illuminate\Queue\WorkerOptions;
 use Throwable;
 
 class TaskHandler
 {
+    private $client;
+    private $request;
+
+    public function __construct(CloudTasksClient $client, Request $request)
+    {
+        $this->client = $client;
+        $this->request = $request;
+    }
+
     /**
      * @param $task
      * @throws CloudTasksException
      */
     public function handle($task = null)
     {
+        $this->authorizeRequest();
+
         $task = $task ?: $this->captureTask();
 
         $this->handleTask($task);
     }
 
+    /**
+     * @throws CloudTasksException
+     */
+    private function authorizeRequest()
+    {
+        $this->checkForRequiredHeaders();
+
+        $taskName = $this->request->header('X-Cloudtasks-Taskname');
+        $queueName = $this->request->header('X-Cloudtasks-Queuename');
+        $authToken = $this->request->header('X-Stackkit-Auth-Token');
+
+        $fullQueueName = $this->client->queueName(Config::project(), Config::location(), $queueName);
+
+        try {
+            $this->client->getTask($fullQueueName . '/tasks/' . $taskName);
+        } catch (Throwable $e) {
+            throw new CloudTasksException('Could not find task');
+        }
+
+        if (decrypt($authToken) != $taskName) {
+            throw new CloudTasksException('Auth token is not valid');
+        }
+    }
+
+    private function checkForRequiredHeaders()
+    {
+        $headers = [
+            'X-Cloudtasks-Taskname',
+            'X-Cloudtasks-Queuename',
+            'X-Stackkit-Auth-Token',
+        ];
+
+        foreach ($headers as $header) {
+            if (!$this->request->hasHeader($header)) {
+                throw new CloudTasksException('Missing [' . $header . '] header');
+            }
+        }
+    }
+
     /**
      * @throws CloudTasksException
      */
@@ -49,11 +102,7 @@ private function handleTask($task)
 
         $worker = $this->getQueueWorker();
 
-        try {
-            $worker->process('cloudtasks', $job, new WorkerOptions());
-        } catch (Throwable $e) {
-            throw new CloudTasksException('Failed handling task');
-        }
+        $worker->process('cloudtasks', $job, new WorkerOptions());
     }
 
     /**
diff --git a/tests/TaskHandlerTest.php b/tests/TaskHandlerTest.php
@@ -2,20 +2,107 @@
 
 namespace Tests;
 
+use Google\Cloud\Tasks\V2\CloudTasksClient;
 use Illuminate\Support\Facades\Mail;
+use Stackkit\LaravelGoogleCloudTasksQueue\CloudTasksException;
 use Stackkit\LaravelGoogleCloudTasksQueue\TaskHandler;
 use Tests\Support\TestMailable;
 
 class TaskHandlerTest extends TestCase
 {
+    /**
+     * @var TaskHandler
+     */
+    private $handler;
+
+    private $client;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->client = \Mockery::mock(CloudTasksClient::class)->makePartial();
+        $this->handler = new TaskHandler(
+            $this->client,
+            request()
+        );
+    }
+
+    /** @test */
+    public function it_needs_a_task_name_header()
+    {
+        $this->expectException(CloudTasksException::class);
+        $this->expectExceptionMessage('Missing [X-Cloudtasks-Taskname] header');
+
+        $this->handler->handle();
+    }
+
+    /** @test */
+    public function it_needs_a_queue_name_header()
+    {
+        $this->expectException(CloudTasksException::class);
+        $this->expectExceptionMessage('Missing [X-Cloudtasks-Queuename] header');
+
+        request()->headers->add(['X-Cloudtasks-Taskname' => 'test']);
+        $this->handler->handle();
+    }
+
+    /** @test */
+    public function it_needs_a_stackkit_auth_token_header()
+    {
+        $this->expectException(CloudTasksException::class);
+        $this->expectExceptionMessage('Missing [X-Stackkit-Auth-Token] header');
+
+        request()->headers->add(['X-Cloudtasks-Taskname' => 'test']);
+        request()->headers->add(['X-Cloudtasks-Queuename' => 'test']);
+        $this->handler->handle();
+    }
+
+    /** @test */
+    public function it_will_check_if_the_incoming_task_exists()
+    {
+        request()->headers->add(['X-Cloudtasks-Taskname' => 'test']);
+        request()->headers->add(['X-Cloudtasks-Queuename' => 'test']);
+        request()->headers->add(['X-Stackkit-Auth-Token' => encrypt('test')]);
+
+        Mail::fake();
+
+        $this->client
+            ->shouldReceive('getTask')
+            ->once()
+            ->with('projects/test-project/locations/europe-west6/queues/test/tasks/test')
+            ->andReturnNull();
+
+        $this->handler->handle(json_decode(file_get_contents(__DIR__ . '/Support/test-job-payload.json'), true));
+    }
+
+    /** @test */
+    public function it_will_check_the_auth_token()
+    {
+        request()->headers->add(['X-Cloudtasks-Taskname' => 'test']);
+        request()->headers->add(['X-Cloudtasks-Queuename' => 'test']);
+        request()->headers->add(['X-Stackkit-Auth-Token' => encrypt('does not match the task name')]);
+
+        $this->client->shouldReceive('getTask')->andReturnNull();
+
+        $this->expectException(CloudTasksException::class);
+        $this->expectExceptionMessage('Auth token is not valid');
+
+        $this->handler->handle(json_decode(file_get_contents(__DIR__ . '/Support/test-job-payload.json'), true));
+    }
+
     /** @test */
     public function it_runs_the_incoming_job()
     {
         Mail::fake();
 
-        $handler = new TaskHandler();
+        request()->headers->add(['X-Cloudtasks-Taskname' => 'test']);
+        request()->headers->add(['X-Cloudtasks-Queuename' => 'test']);
+        request()->headers->add(['X-Stackkit-Auth-Token' => encrypt('test')]);
+
+        $this->client->shouldReceive('getTask')->andReturnNull();
 
-        $handler->handle(json_decode(file_get_contents(__DIR__ . '/Support/test-job-payload.json'), true));
+        $this->handler->handle(json_decode(file_get_contents(__DIR__ . '/Support/test-job-payload.json'), true));
 
         Mail::assertSent(TestMailable::class);
     }
