Store primary key in secret, generate token each request

Author: Alex-Monahan

CMakeLists.txt

@@ -21,6 +21,7 @@ set(EXTENSION_SOURCES
     src/gsheets_requests.cpp
     src/gsheets_read.cpp
     src/gsheets_utils.cpp
+    src/gsheets_get_token.cpp
 )
 
 build_static_extension(${TARGET_NAME} ${EXTENSION_SOURCES})

src/gsheets_auth.cpp

@@ -6,6 +6,9 @@
 #include "duckdb/main/extension_util.hpp"
 #include <fstream>
 #include <cstdlib>
+#include <json.hpp>
+
+using json = nlohmann::json;
 
 namespace duckdb
 {
@@ -78,6 +81,23 @@ namespace duckdb
         return std::move(result);
     }
 
+    // TODO: Maybe this should be a KeyValueSecret
+    static unique_ptr<BaseSecret> CreateGsheetSecretFromPrivateKey(ClientContext &context, CreateSecretInput &input) {
+        auto scope = input.scope;
+
+        auto result = make_uniq<KeyValueSecret>(scope, input.type, input.provider, input.name);
+
+        // Manage specific secret option
+        CopySecret("secret", input, *result);
+        CopySecret("email", input, *result);
+
+        // Redact sensible keys
+        RedactCommonKeys(*result);
+        result->redact_keys.insert("secret");
+
+        return std::move(result);
+    }
+
     void CreateGsheetSecretFunctions::Register(DatabaseInstance &instance)
     {
         string type = "gsheet";
@@ -100,6 +120,13 @@ namespace duckdb
         oauth_function.named_parameters["use_oauth"] = LogicalType::BOOLEAN;
         RegisterCommonSecretParameters(oauth_function);
         ExtensionUtil::RegisterFunction(instance, oauth_function);
+
+        // Register the private key secret provider
+        CreateSecretFunction private_key_function = {type, "private_key", CreateGsheetSecretFromPrivateKey};
+        private_key_function.named_parameters["email"] = LogicalType::VARCHAR;
+        private_key_function.named_parameters["secret"] = LogicalType::VARCHAR;
+        RegisterCommonSecretParameters(private_key_function);
+        ExtensionUtil::RegisterFunction(instance, private_key_function);
     }
 
     std::string InitiateOAuthFlow()

src/gsheets_copy.cpp

@@ -7,6 +7,9 @@
 #include "duckdb/common/file_system.hpp"
 #include "duckdb/main/secret/secret_manager.hpp"
 #include <json.hpp>
+#include <regex>
+#include "gsheets_get_token.hpp"
+#include <iostream>
 
 using json = nlohmann::json;
 
@@ -49,12 +52,39 @@ namespace duckdb
             throw InvalidInputException("Invalid secret format for 'gsheet' secret");
         }
 
-        Value token_value;
-        if (!kv_secret->TryGetValue("token", token_value)) {
-            throw InvalidInputException("'token' not found in 'gsheet' secret");
-        }
+        std::string token;
+
+        if (secret.GetProvider() == "private_key") {
+            // If using a private key, retrieve the private key from the secret, but convert it 
+            // into a token before use. This is an extra request per Google Sheet read or copy.
+            Value email_value;
+            if (!kv_secret->TryGetValue("email", email_value)) {
+                throw InvalidInputException("'email' not found in 'gsheet' secret");
+            }
+            std::string email_string = email_value.ToString();
 
-        std::string token = token_value.ToString();
+            Value secret_value;
+            if (!kv_secret->TryGetValue("secret", secret_value)) {
+                throw InvalidInputException("'secret' not found in 'gsheet' secret");
+            }
+            std::string secret_string = std::regex_replace(secret_value.ToString(), std::regex(R"(\\n)"), "\n");
+            
+            json token_json = parseJson(get_token(email_string, secret_string));
+            
+            json failure_string = "failure";
+            if (token_json["status"] == failure_string) {
+                throw InvalidInputException("Conversion from private key to token failed. Check key format (-----BEGIN PRIVATE KEY-----\\n ... -----END PRIVATE KEY-----\\n) and expiration date.");
+            }
+
+            token = token_json["access_token"].get<std::string>();
+        } else {
+            Value token_value;
+            if (!kv_secret->TryGetValue("token", token_value)) {
+                throw InvalidInputException("'token' not found in 'gsheet' secret");
+            }
+
+            token = token_value.ToString();
+        }
         std::string spreadsheet_id = extract_spreadsheet_id(file_path);
         std::string sheet_id = extract_sheet_id(file_path);
         std::string sheet_name = "Sheet1";

src/gsheets_get_token.cpp

@@ -0,0 +1,142 @@
+// Taken with modifications from https://gist.github.com/niuk/6365b819a86a7e0b92d82328fcf87da5
+#include <stdio.h>  
+#include <string.h>
+#include <stdlib.h>
+
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
+#define CPPHTTPLIB_OPENSSL_SUPPORT
+#include <httplib.hpp>
+
+#include <json.hpp>
+using json = nlohmann::json;
+namespace duckdb
+{
+
+    char get_base64_char(char byte) {
+        if (byte < 26) {
+            return 'A' + byte;
+        } else if (byte < 52) {
+            return 'a' + byte - 26;
+        } else if (byte < 62) {
+            return '0' + byte - 52;
+        } else if (byte == 62) {
+            return '-';
+        } else if (byte == 63) {
+            return '_';
+        } else {
+            fprintf(stderr, "BAD BYTE: %02x\n", byte);
+            exit(1);
+            return 0;
+        }
+    }
+
+    // To execute C, please define "int main()"
+    void base64encode(char *output, const char *input, size_t input_length) {
+        size_t input_index = 0;
+        size_t output_index = 0;
+        for (; input_index < input_length; ++output_index) {
+            switch (output_index % 4) {
+            case 0:
+                output[output_index] = get_base64_char((0xfc & input[input_index]) >> 2);
+                break;
+            case 1:
+                output[output_index] = get_base64_char(((0x03 & input[input_index]) << 4) | ((0xf0 & input[input_index + 1]) >> 4));
+                ++input_index;
+                break;
+            case 2:
+                output[output_index] = get_base64_char(((0x0f & input[input_index]) << 2) | ((0xc0 & input[input_index + 1]) >> 6));
+                ++input_index;
+                break;
+            case 3:
+                output[output_index] = get_base64_char(0x3f & input[input_index]);
+                ++input_index;
+                break;
+            default:
+                exit(1);
+            }
+        }
+
+        output[output_index] = '\0';
+    }
+
+    std::string get_token(const std::string& email, const std::string& private_key) {
+        const char *header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
+
+        const int iat = time(NULL);
+        const int exp = iat + 60 * 60 - 1;
+
+        char claim_set[1024];
+
+        /* Create jwt claim set */
+        json jwt_claim_set;
+        std::time_t t = std::time(NULL);
+        jwt_claim_set["iss"] = email; /* service account email address */
+        jwt_claim_set["scope"] = "https://www.googleapis.com/auth/spreadsheets" /* scope of requested access token */;
+        jwt_claim_set["aud"] = "https://accounts.google.com/o/oauth2/token"; /* intended target of the assertion for an access token */
+        jwt_claim_set["iat"] = std::to_string(t); /* issued time */
+        // Since we get a new token on every request (and max request time is 3 minutes), 
+        // set the limit to 10 minutes. (Max that Google allows is 1 hour)
+        jwt_claim_set["exp"] = std::to_string(t+600); /* expire time*/
+
+        std::copy(jwt_claim_set.dump().cbegin(), jwt_claim_set.dump().cend(), claim_set);
+
+        char header_64[1024];
+        base64encode(header_64, header, strlen(header));
+
+        char claim_set_64[1024];
+        base64encode(claim_set_64, claim_set, strlen(claim_set));
+
+        char input[1024];
+        int input_length = sprintf(input, "%s.%s", header_64, claim_set_64);
+
+        unsigned char *digest = SHA256((const unsigned char *)input, input_length, NULL);
+        char digest_str[1024];
+        for (int i = 0; i < SHA256_DIGEST_LENGTH; ++i) {
+            sprintf(digest_str + i * 2, "%02x", digest[i]);
+        }
+        
+        digest_str[SHA256_DIGEST_LENGTH * 2] = '\0';
+
+        // This works, but requires a file. The in-memory version is below.
+        // FILE *key_file = fopen("credentials.key.pem", "r");
+        // RSA *rsa = PEM_read_RSAPrivateKey(key_file, NULL, NULL, NULL);
+
+        BIO *bufio;
+        RSA *rsa;
+
+        bufio = BIO_new_mem_buf(private_key.c_str(), -1); 
+        PEM_read_bio_RSAPrivateKey(bufio, &rsa, 0, NULL);
+
+        if (rsa != NULL) {
+            unsigned char sigret[4096];
+            unsigned int siglen;
+            if (RSA_sign(NID_sha256, digest, SHA256_DIGEST_LENGTH, sigret, &siglen, rsa)) {
+                if (RSA_verify(NID_sha256, digest, SHA256_DIGEST_LENGTH, sigret, siglen, rsa)) {
+                    char signature_64[1024];
+                    base64encode(signature_64, (const char *)sigret, siglen);
+                    
+                    char jwt[1024];
+                    sprintf(jwt, "%s.%s", input, signature_64);
+
+                    duckdb_httplib_openssl::Client cli("https://oauth2.googleapis.com");
+                    duckdb_httplib_openssl::Params params;
+                    params.emplace("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer");
+                    params.emplace("assertion", jwt);
+                    auto result = cli.Post("/token", params);
+                    return (result -> body);
+                } else {
+                    printf("Could not verify RSA signature.");
+                }
+            } else {
+                unsigned long err = ERR_get_error();
+                printf("RSA_sign failed: %lu, %s\n", err, ERR_error_string(err, NULL));
+            }
+
+            RSA_free(rsa);
+        }
+        std::string failure_message = "{\"status\":\"failed\"}";
+        return failure_message;
+    }
+}

src/gsheets_read.cpp

@@ -5,6 +5,9 @@
 #include "duckdb/main/secret/secret_manager.hpp"
 #include "gsheets_requests.hpp"
 #include <json.hpp>
+#include <regex>
+#include "gsheets_get_token.hpp"
+#include <iostream>
 
 namespace duckdb {
 
@@ -113,13 +116,39 @@ unique_ptr<FunctionData> ReadSheetBind(ClientContext &context, TableFunctionBind
         throw InvalidInputException("Invalid secret format for 'gsheet' secret");
     }
 
-    Value token_value;
-    if (!kv_secret->TryGetValue("token", token_value)) {
-        throw InvalidInputException("'token' not found in 'gsheet' secret");
-    }
+    std::string token;
+
+    if (secret.GetProvider() == "private_key") {
+        // If using a private key, retrieve the private key from the secret, but convert it 
+        // into a token before use. This is an extra request per Google Sheet read or copy.
+        Value email_value;
+        if (!kv_secret->TryGetValue("email", email_value)) {
+            throw InvalidInputException("'email' not found in 'gsheet' secret");
+        }
+        std::string email_string = email_value.ToString();
+
+        Value secret_value;
+        if (!kv_secret->TryGetValue("secret", secret_value)) {
+            throw InvalidInputException("'secret' not found in 'gsheet' secret");
+        }
+        std::string secret_string = std::regex_replace(secret_value.ToString(), std::regex(R"(\\n)"), "\n");
+        
+        json token_json = parseJson(get_token(email_string, secret_string));
+        
+        json failure_string = "failure";
+        if (token_json["status"] == failure_string) {
+            throw InvalidInputException("Conversion from private key to token failed. Check key format (-----BEGIN PRIVATE KEY-----\\n ... -----END PRIVATE KEY-----\\n) and expiration date.");
+        }
 
-    std::string token = token_value.ToString();
+        token = token_json["access_token"].get<std::string>();
+    } else {
+        Value token_value;
+        if (!kv_secret->TryGetValue("token", token_value)) {
+            throw InvalidInputException("'token' not found in 'gsheet' secret");
+        }
 
+        token = token_value.ToString();
+    }
     // Get sheet name from URL
     std::string sheet_id = extract_sheet_id(sheet_input);
     sheet_name = get_sheet_name_from_id(spreadsheet_id, sheet_id, token);

src/include/gsheets_get_token.hpp

@@ -0,0 +1,14 @@
+#pragma once
+
+#include <string>
+#include <stdlib.h>
+
+namespace duckdb {
+
+    char get_base64_char(char byte);
+
+    void base64encode(char *output, const char *input, size_t input_length) ;
+
+    std::string get_token(const std::string& email, const std::string& private_key) ;
+
+}

third_party/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 yhirose
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+