No public description

PiperOrigin-RevId: 602423856

Author: On Demand Rides and Deliveries

sample/src/main/java/com/google/fleetengine/auth/sample/LmfsConfiguration.java

@@ -25,6 +25,10 @@ public class LmfsConfiguration {
   public static final String DELIVERY_FLEET_READER_TOKEN_ACCOUNT =
       "<service account name>@<project id>.iam.gserviceaccount.com";
 
+  // Set to service account with the Fleet Engine Fleet Read SDK role.
+  public static final String FLEET_READER_TOKEN_ACCOUNT =
+      "<service account name>@<project id>.iam.gserviceaccount.com";
+
   // Provider Id is the same as your GCP Project Id.
     public static final String PROVIDER_ID = "<project id>";
 

sample/src/main/java/com/google/fleetengine/auth/sample/OdrdConfiguration.java

@@ -32,6 +32,10 @@ class OdrdConfiguration {
   public static final String DRIVER_TOKEN_ACCOUNT =
       "<service account name>@<project id>.iam.gserviceaccount.com";
 
+  // Set to service account with the Fleet Engine Fleet Read SDK role.
+  public static final String FLEET_READER_TOKEN_ACCOUNT =
+      "<service account name>@<project id>.iam.gserviceaccount.com";
+
 
   // Provider Id is the same as your GCP Project Id.
   public static final String PROVIDER_ID = "<project id>";

sample/src/main/java/com/google/fleetengine/auth/sample/ValidateLmfsRoles.java

@@ -1,7 +1,9 @@
 package com.google.fleetengine.auth.sample;
 
 import com.google.fleetengine.auth.AuthTokenMinter;
+import com.google.fleetengine.auth.sample.validation.DeliveryConsumerFleetReaderTokenValidationScript;
 import com.google.fleetengine.auth.sample.validation.DeliveryConsumerTokenValidationScript;
+import com.google.fleetengine.auth.sample.validation.DeliveryDriverFleetReaderTokenValidationScript;
 import com.google.fleetengine.auth.sample.validation.DeliveryFleetReaderTokenValidationScript;
 import com.google.fleetengine.auth.sample.validation.DeliveryServerTokenValidationScript;
 import com.google.fleetengine.auth.sample.validation.DeliveryServerTokenValidationScript.Ids;
@@ -18,6 +20,7 @@ public class ValidateLmfsRoles {
   private static final String CONSUMER = "deliver consumer";
   private static final String UNTRUSTED_DRIVER = "untrusted driver";
   private static final String TRUSTED_DRIVER = "trusted driver";
+  private static final String DELIVERY_FLEET_READER = "delivery fleet reader";
   private static final String FLEET_READER = "fleet reader";
 
   public static void run() throws Throwable {
@@ -34,6 +37,8 @@ public static void run() throws Throwable {
                     LmfsConfiguration.DELIVERY_UNTRUSTED_DRIVER_TOKEN_ACCOUNT))
             .setDeliveryFleetReaderSigner(
                 ImpersonatedSigner.create(LmfsConfiguration.DELIVERY_FLEET_READER_TOKEN_ACCOUNT))
+            .setFleetReaderSigner(
+                ImpersonatedSigner.create(LmfsConfiguration.FLEET_READER_TOKEN_ACCOUNT))
             .setTokenFactory(
                 new FleetEngineTokenFactory(
                     FleetEngineTokenFactorySettings.builder()
@@ -78,11 +83,27 @@ public static void run() throws Throwable {
     }
 
     if (configuration.getMinter().deliveryFleetReaderSigner() != null) {
-      CommandLineRuntime.printRunScriptMessage(FLEET_READER);
+      CommandLineRuntime.printRunScriptMessage(DELIVERY_FLEET_READER);
       new DeliveryFleetReaderTokenValidationScript(runtime, configuration, clientFactory)
           .run(ids.getDeliveryVehicleId());
     } else {
-      CommandLineRuntime.printSkipScriptMessage(TRUSTED_DRIVER);
+      CommandLineRuntime.printSkipScriptMessage(DELIVERY_FLEET_READER);
+    }
+
+    if (configuration.getMinter().deliveryFleetReaderSigner() != null) {
+      CommandLineRuntime.printRunScriptMessage(FLEET_READER);
+      new DeliveryConsumerFleetReaderTokenValidationScript(runtime, configuration, clientFactory)
+          .run(ids.getTrackingId());
+    } else {
+      CommandLineRuntime.printSkipScriptMessage(FLEET_READER);
+    }
+
+    if (configuration.getMinter().deliveryFleetReaderSigner() != null) {
+      CommandLineRuntime.printRunScriptMessage(FLEET_READER);
+      new DeliveryDriverFleetReaderTokenValidationScript(runtime, configuration, clientFactory)
+          .run(ids.getDeliveryVehicleId());
+    } else {
+      CommandLineRuntime.printSkipScriptMessage(FLEET_READER);
     }
   }
 }

sample/src/main/java/com/google/fleetengine/auth/sample/ValidateOdrdRoles.java

@@ -17,6 +17,7 @@
 import com.google.fleetengine.auth.AuthTokenMinter;
 import com.google.fleetengine.auth.sample.validation.ConsumerTokenValidationScript;
 import com.google.fleetengine.auth.sample.validation.DriverTokenValidationScript;
+import com.google.fleetengine.auth.sample.validation.ConsumerFleetReaderTokenValidationScript;
 import com.google.fleetengine.auth.sample.validation.SampleScriptConfiguration;
 import com.google.fleetengine.auth.sample.validation.SampleScriptRuntime;
 import com.google.fleetengine.auth.sample.validation.ServerTokenValidationScript;
@@ -30,13 +31,16 @@ final class ValidateOdrdRoles {
   private static final String SERVER = "server";
   private static final String CONSUMER = "consumer";
   private static final String DRIVER = "driver";
+  private static final String FLEET_READER = "fleet reader";
 
   public static void run() throws Throwable {
     AuthTokenMinter minter =
         AuthTokenMinter.builder()
             .setServerSigner(ImpersonatedSigner.create(OdrdConfiguration.SERVER_TOKEN_ACCOUNT))
             .setConsumerSigner(ImpersonatedSigner.create(OdrdConfiguration.CONSUMER_TOKEN_ACCOUNT))
             .setDriverSigner(ImpersonatedSigner.create(OdrdConfiguration.DRIVER_TOKEN_ACCOUNT))
+            .setFleetReaderSigner(
+                ImpersonatedSigner.create(OdrdConfiguration.FLEET_READER_TOKEN_ACCOUNT))
             .setTokenFactory(
                 new FleetEngineTokenFactory(
                     FleetEngineTokenFactorySettings.builder()
@@ -70,6 +74,14 @@ public static void run() throws Throwable {
     } else {
       CommandLineRuntime.printSkipScriptMessage(DRIVER);
     }
+
+    if (configuration.getMinter().fleetReaderSigner() != null) {
+      CommandLineRuntime.printRunScriptMessage(FLEET_READER);
+      new ConsumerFleetReaderTokenValidationScript(runtime, configuration, clientFactory)
+          .run(ids.getTripId());
+    } else {
+      CommandLineRuntime.printSkipScriptMessage(FLEET_READER);
+    }
   }
 
   private ValidateOdrdRoles() {}

sample/src/main/java/com/google/fleetengine/auth/sample/validation/ConsumerFleetReaderTokenValidationScript.java

@@ -0,0 +1,45 @@
+package com.google.fleetengine.auth.sample.validation;
+
+/** Validates that fleet reader tokens provide the correct access. */
+public class ConsumerFleetReaderTokenValidationScript {
+
+  private final SampleScriptRuntime runtime;
+  private final SampleScriptConfiguration configuration;
+  private final CommandsFactory commandsFactory;
+
+  public ConsumerFleetReaderTokenValidationScript(
+      SampleScriptRuntime runtime,
+      SampleScriptConfiguration configuration,
+      CommandsFactory commandsFactory) {
+    this.runtime = runtime;
+    this.configuration = configuration;
+    this.commandsFactory = commandsFactory;
+  }
+
+  /**
+   * Run validation script.
+   *
+   * @param tripId existing trip id
+   */
+  public void run(String tripId) throws Throwable {
+    // Tokens are minted with the fleet reader role and authorized to access tripId.
+    TripCommands tripCommands =
+        commandsFactory.createTripCommands(
+            configuration.getFleetEngineAddress(),
+            configuration.getProviderId(),
+            () -> configuration.getMinter().getFleetReaderToken());
+
+    VehicleCommands vehicleCommands =
+        commandsFactory.createVehicleCommands(
+            configuration.getFleetEngineAddress(),
+            configuration.getProviderId(),
+            () -> configuration.getMinter().getFleetReaderToken());
+
+    runtime.runCommand(
+        "Get trip with trip id on fleet reader token", () -> tripCommands.getTrip(tripId));
+
+    runtime.runCommand(
+        "Search for vehicles with fleet reader token",
+        () -> vehicleCommands.searchVehicles(tripId));
+  }
+}

sample/src/main/java/com/google/fleetengine/auth/sample/validation/DeliveryConsumerFleetReaderTokenValidationScript.java

@@ -0,0 +1,35 @@
+package com.google.fleetengine.auth.sample.validation;
+
+/** Validates that fleet reader tokens provide the correct access. */
+public class DeliveryConsumerFleetReaderTokenValidationScript {
+
+  private final SampleScriptRuntime runtime;
+  private final SampleScriptConfiguration configuration;
+  private final CommandsFactory commandsFactory;
+
+  public DeliveryConsumerFleetReaderTokenValidationScript(
+      SampleScriptRuntime runtime,
+      SampleScriptConfiguration configuration,
+      CommandsFactory commandsFactory) {
+    this.runtime = runtime;
+    this.configuration = configuration;
+    this.commandsFactory = commandsFactory;
+  }
+
+  /**
+   * Run validation script.
+   *
+   * @param trackingId existing tracking id
+   */
+  public void run(String trackingId) throws Throwable {
+    // Tokens are minted with the fleet reader role and authorized to access trackingId.
+    DeliveryServiceCommands commands =
+        commandsFactory.createDeliveryServiceCommands(
+            configuration.getFleetEngineAddress(),
+            configuration.getProviderId(),
+            () -> configuration.getMinter().getFleetReaderToken());
+
+    runtime.runCommand(
+        "Search tasks with fleet reader token", () -> commands.searchTasks(trackingId));
+  }
+}

sample/src/main/java/com/google/fleetengine/auth/sample/validation/DeliveryDriverFleetReaderTokenValidationScript.java

@@ -0,0 +1,36 @@
+package com.google.fleetengine.auth.sample.validation;
+
+/** Validates that fleet reader tokens provide the correct access. */
+public class DeliveryDriverFleetReaderTokenValidationScript {
+
+  private final SampleScriptRuntime runtime;
+  private final SampleScriptConfiguration configuration;
+  private final CommandsFactory commandsFactory;
+
+  public DeliveryDriverFleetReaderTokenValidationScript(
+      SampleScriptRuntime runtime,
+      SampleScriptConfiguration configuration,
+      CommandsFactory commandsFactory) {
+    this.runtime = runtime;
+    this.configuration = configuration;
+    this.commandsFactory = commandsFactory;
+  }
+
+  /**
+   * Run validation script.
+   *
+   * @param deliveryVehicleId existing delivery vehicle id
+   */
+  public void run(String deliveryVehicleId) throws Throwable {
+    // Tokens are minted with the fleet reader role and authorized to access deliveryVehicleId.
+    DeliveryServiceCommands commands =
+        commandsFactory.createDeliveryServiceCommands(
+            configuration.getFleetEngineAddress(),
+            configuration.getProviderId(),
+            () -> configuration.getMinter().getFleetReaderToken());
+
+    runtime.runCommand(
+        "Get delivery vehicle with fleet reader token",
+        () -> commands.getDeliveryVehicle(deliveryVehicleId));
+  }
+}

sample/src/main/java/com/google/fleetengine/auth/sample/validation/DeliveryFleetReaderTokenValidationScript.java

@@ -24,6 +24,6 @@ public void run(String trackingId) throws Throwable {
             () -> configuration.getMinter().getDeliveryFleetReaderToken());
 
     runtime.runCommand(
-        "Search tasks with fleet reader token", () -> commands.searchTasks(trackingId));
+        "Search tasks with delivery fleet reader token", () -> commands.searchTasks(trackingId));
   }
 }

src/main/java/com/google/fleetengine/auth/AuthTokenMinter.java

@@ -91,6 +91,10 @@ public abstract class AuthTokenMinter implements FleetEngineTokenProvider {
   @Nullable
   public abstract Signer deliveryFleetReaderSigner();
 
+  /** Signer responsible for signing JWTs with a fleet reader key. */
+  @Nullable
+  public abstract Signer fleetReaderSigner();
+
   /** Signer responsible for signing JWTs with that aren't tied to the standard role set. */
   @Nullable
   public abstract Signer customSigner();
@@ -345,6 +349,22 @@ public FleetEngineToken getDeliveryFleetReaderToken() throws SigningTokenExcepti
     return tokenStateManager().signToken(deliveryFleetReaderSigner(), unsignedToken);
   }
 
+  /**
+   * Returns a non expired Fleet Engine Token that was signed with the fleet reader signer.
+   *
+   * <p>Tokens will have an expiration of at least {@link
+   * FleetEngineAuthTokenStateManager#EXPIRATION_WINDOW_DURATION}.
+   *
+   * @throws SigningTokenException if the fleet reader server signer was not set, or if there is an
+   *     issue while signing the token.
+   * @return Fleet Engine token with the "Fleet Reader" role, guaranteed to be valid for {@link
+   *     FleetEngineAuthTokenStateManager#EXPIRATION_WINDOW_DURATION} minutes.
+   */
+  public FleetEngineToken getFleetReaderToken() throws SigningTokenException {
+    FleetEngineToken unsignedToken = tokenFactory().createFleetReaderToken();
+    return tokenStateManager().signToken(fleetReaderSigner(), unsignedToken);
+  }
+
   /**
    * Returns a non expired Fleet Engine Token that was signed with the custom signer
    * and authorized for use with entities matching the specified claim.
@@ -411,6 +431,9 @@ public abstract static class Builder {
     /** Sets the signer responsible for signing delivery fleet JWTs. */
     public abstract Builder setDeliveryFleetReaderSigner(Signer deliveryFleetReaderSigner);
 
+    /** Sets the signer responsible for signing fleet reader JWTs. */
+    public abstract Builder setFleetReaderSigner(Signer fleetReaderSigner);
+
     /**
      * Sets token factory that creates unsigned tokens.
      *

src/main/java/com/google/fleetengine/auth/token/FleetEngineTokenType.java

@@ -64,6 +64,12 @@ public enum FleetEngineTokenType {
    */
   DELIVERY_FLEET_READER,
 
+  /**
+   * Fleet reader tokens are usually service accounts associated with the Fleet Engine Fleet Reader
+   * User role on the Google Cloud project.
+   */
+  FLEET_READER,
+
   /** Custom token type associated with any Fleet Engine Role on the Google Cloud project. */
   CUSTOM,
 }