Verify HTTP request from Google Cloud Scheduler


Problem description

What's the process for verifying the HTTP request from Google Cloud scheduler? The docs (https://cloud.google.com/scheduler/docs/creating) mention you can create a job with a target of any publicly available HTTP endpoint but do not mention how the server verifies the cron/scheduler request.

Solution

[Update May 28, 2019]

Google Cloud Scheduler now has two command line options:

--oidc-service-account-email=<service_account_email>
--oidc-token-audience=<service_endpoint_being_called>

These options add an additional header to the request that Cloud Scheduler makes:

 Authorization: Bearer ID_TOKEN

You can process the ID_TOKEN inside your endpoint code to verify who is calling your endpoint.

For example, you can make an HTTP request to decode the ID Token:

https://oauth2.googleapis.com/tokeninfo?id_token=ID_TOKEN

This will return JSON like this:

{
  "aud": "https://cloudtask-abcdefabcdef-uc.a.run.app",
  "azp": "0123456789077420983142",
  "email": "cloudtask@development.iam.gserviceaccount.com",
  "email_verified": "true",
  "exp": "1559029789",
  "iat": "1559026189",
  "iss": "https://accounts.google.com",
  "sub": "012345678901234567892",
  "alg": "RS256",
  "kid": "0123456789012345678901234567890123456789c3",
  "typ": "JWT"
}

Then you can check that the service account email matches the one that you authorized Cloud Scheduler to use and that the token has not expired.

[End Update]

You will need to verify the request yourself.

Google Cloud Scheduler includes several Google specific headers such as User-Agent: Google-Cloud-Scheduler. Refer to the documentation link below.

However, anyone can forge HTTP headers. You need to create a custom something that you include as an HTTP Header or in the HTTP body that you know how to verify. Using a signed JWT would be secure and easy to create and verify.

When you create a Google Cloud Scheduler Job you have some control over the headers and body fields. You can embed your custom something in either one.

Scheduler Jobs

[Update]

Here is an example (Windows command line) using gcloud so that you can set HTTP headers and the body. This example calls Cloud Functions on each trigger showing how to include an APIKEY. The Google Console does not have this level of support yet.

rem Windows cmd: ^ continues the line; inner quotes are escaped with \
rem --headers takes comma-separated KEY=VALUE pairs rather than a JSON object
gcloud beta scheduler ^
--project production ^
jobs create http myfunction ^
--time-zone "America/Los_Angeles" ^
--schedule="0 0 * * 0" ^
--uri="https://us-central1-production.cloudfunctions.net/myfunction" ^
--description="Job Description" ^
--headers="Authorization=APIKEY=AUTHKEY,Content-Type=application/json" ^
--http-method="POST" ^
--message-body="{\"to\":\"/topics/allDevices\",\"priority\":\"low\",\"data\":{\"success\":\"ok\"}}"
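As an added example (not part of the answer above), this is the check the May 2019 update describes, written out: the tokeninfo JSON is parsed and its issuer, audience, verified service-account email and expiry are compared against values you configure. EXPECTED_AUDIENCE, ALLOWED_EMAIL and SAMPLE_CLAIMS are constructed from the sample response in the answer; fetch_tokeninfo makes the real network call and is only there to show where the claims come from.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import urlopen
# Constructed values: your endpoint URL (the --oidc-token-audience) and the
# service account you passed as --oidc-service-account-email.
EXPECTED_AUDIENCE = "https://cloudtask-abcdefabcdef-uc.a.run.app"
ALLOWED_EMAIL = "cloudtask@development.iam.gserviceaccount.com"

# Constructed sample in the shape of the tokeninfo response (claims not checked below omitted).
SAMPLE_CLAIMS = json.loads("""{
  "aud": "https://cloudtask-abcdefabcdef-uc.a.run.app",
  "email": "cloudtask@development.iam.gserviceaccount.com",
  "email_verified": "true",
  "exp": "1559029789",
  "iss": "https://accounts.google.com"
}""")

def bearer_token(authorization_header):
    """Pull the ID token out of 'Authorization: Bearer <token>'; None if malformed."""
    parts = (authorization_header or "").split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip() or None

def fetch_tokeninfo(id_token):
    """Have Google decode the token and check its signature (network call, not run in tests)."""
    url = "https://oauth2.googleapis.com/tokeninfo?" + urlencode({"id_token": id_token})
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)

def verify_scheduler_claims(claims, expected_audience, allowed_email, now=None):
    """Return (ok, reason) after checking issuer, audience, verified email and expiry."""
    now = time.time() if now is None else now
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        return False, "unexpected issuer"
    if claims.get("aud") != expected_audience:
        return False, "audience mismatch"   # token was minted for another endpoint
    if claims.get("email_verified") != "true":
        return False, "email not verified"
    if claims.get("email") != allowed_email:
        return False, "service account not allowed"
    try:
        exp = int(claims["exp"])   # tokeninfo returns numeric claims as strings
    except (KeyError, ValueError):
        return False, "missing or malformed exp"
    if exp <= now:
        return False, "token expired"
    return True, "ok"
```

In a handler you would call verify_scheduler_claims(fetch_tokeninfo(bearer_token(request_authorization_header)), EXPECTED_AUDIENCE, ALLOWED_EMAIL) and reject the request unless it returns (True, "ok").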
