forked from remote/oauth2
Changes requested by @codyoss
This commit is contained in:
Ryan Kohler
@@ -65,15 +65,15 @@ func executableError(err error) error {
|
||||
}
|
||||
|
||||
func executablesDisallowedError() error {
|
||||
return errors.New("oauth2/google: Executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') to run")
|
||||
return errors.New("oauth2/google: executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') to run")
|
||||
}
|
||||
|
||||
func timeoutRangeError() error {
|
||||
return errors.New("oauth2/google: Invalid `timeout_millis` field. Executable timeout must be between 5 and 120 seconds.")
|
||||
return errors.New("oauth2/google: invalid `timeout_millis` field. Executable timeout must be between 5 and 120 seconds")
|
||||
}
|
||||
|
||||
func commandMissingError() error {
|
||||
return errors.New("oauth2/google: Missing `command` field. Executable command must be provided.")
|
||||
return errors.New("oauth2/google: missing `command` field. Executable command must be provided")
|
||||
}
|
||||
|
||||
// baseEnv is an alias of os.Environ used for testing
|
||||
@@ -90,14 +90,14 @@ var runCommand = func(ctx context.Context, command string, env []string) ([]byte
|
||||
}
|
||||
|
||||
if err == context.DeadlineExceeded {
|
||||
return []byte{}, timeoutError()
|
||||
return nil, timeoutError()
|
||||
}
|
||||
|
||||
if exitError, ok := err.(*exec.ExitError); ok {
|
||||
return []byte{}, exitCodeError(exitError.ExitCode())
|
||||
return nil, exitCodeError(exitError.ExitCode())
|
||||
}
|
||||
|
||||
return []byte{}, executableError(err)
|
||||
return nil, executableError(err)
|
||||
}
|
||||
|
||||
type executableCredentialSource struct {
|
||||
@@ -131,14 +131,14 @@ func CreateExecutableCredential(ctx context.Context, ec *ExecutableConfig, confi
|
||||
}
|
||||
|
||||
type executableResponse struct {
|
||||
Version *int `json:"version,omitempty"`
|
||||
Success *bool `json:"success,omitempty"`
|
||||
TokenType *string `json:"token_type,omitempty"`
|
||||
ExpirationTime *int64 `json:"expiration_time,omitempty"`
|
||||
IdToken *string `json:"id_token,omitempty"`
|
||||
SamlResponse *string `json:"saml_response,omitempty"`
|
||||
Code string `json:"code,omitempty"`
|
||||
Message string `json:"message,omitempty"`
|
||||
Version int `json:"version,omitempty"`
|
||||
Success *bool `json:"success,omitempty"`
|
||||
TokenType string `json:"token_type,omitempty"`
|
||||
ExpirationTime int64 `json:"expiration_time,omitempty"`
|
||||
IdToken string `json:"id_token,omitempty"`
|
||||
SamlResponse string `json:"saml_response,omitempty"`
|
||||
Code string `json:"code,omitempty"`
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
||||
func parseSubjectToken(response []byte) (string, error) {
|
||||
@@ -147,7 +147,7 @@ func parseSubjectToken(response []byte) (string, error) {
|
||||
return "", jsonParsingError()
|
||||
}
|
||||
|
||||
if result.Version == nil {
|
||||
if result.Version == 0 {
|
||||
return "", missingFieldError("version")
|
||||
}
|
||||
|
||||
@@ -162,34 +162,34 @@ func parseSubjectToken(response []byte) (string, error) {
|
||||
return "", userDefinedError(result.Code, result.Message)
|
||||
}
|
||||
|
||||
if *result.Version > executableSupportedMaxVersion {
|
||||
return "", unsupportedVersionError(*result.Version)
|
||||
if result.Version > executableSupportedMaxVersion || result.Version < 0 {
|
||||
return "", unsupportedVersionError(result.Version)
|
||||
}
|
||||
|
||||
if result.ExpirationTime == nil {
|
||||
if result.ExpirationTime == 0 {
|
||||
return "", missingFieldError("expiration_time")
|
||||
}
|
||||
|
||||
if result.TokenType == nil {
|
||||
if result.TokenType == "" {
|
||||
return "", missingFieldError("token_type")
|
||||
}
|
||||
|
||||
if *result.ExpirationTime < now().Unix() {
|
||||
if result.ExpirationTime < now().Unix() {
|
||||
return "", tokenExpiredError()
|
||||
}
|
||||
|
||||
if *result.TokenType == "urn:ietf:params:oauth:token-type:jwt" || *result.TokenType == "urn:ietf:params:oauth:token-type:id_token" {
|
||||
if result.IdToken == nil {
|
||||
if result.TokenType == "urn:ietf:params:oauth:token-type:jwt" || result.TokenType == "urn:ietf:params:oauth:token-type:id_token" {
|
||||
if result.IdToken == "" {
|
||||
return "", missingFieldError("id_token")
|
||||
}
|
||||
return *result.IdToken, nil
|
||||
return result.IdToken, nil
|
||||
}
|
||||
|
||||
if *result.TokenType == "urn:ietf:params:oauth:token-type:saml2" {
|
||||
if result.SamlResponse == nil {
|
||||
if result.TokenType == "urn:ietf:params:oauth:token-type:saml2" {
|
||||
if result.SamlResponse == "" {
|
||||
return "", missingFieldError("saml_response")
|
||||
}
|
||||
return *result.SamlResponse, nil
|
||||
return result.SamlResponse, nil
|
||||
}
|
||||
|
||||
return "", tokenTypeError()
|
||||
@@ -218,8 +218,9 @@ func (cs executableCredentialSource) getEnvironment() []string {
|
||||
|
||||
func (cs executableCredentialSource) getNewEnvironmentVariables() map[string]string {
|
||||
result := map[string]string{
|
||||
"GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE": cs.config.Audience,
|
||||
"GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE": cs.config.SubjectTokenType,
|
||||
"GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE": cs.config.Audience,
|
||||
"GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE": cs.config.SubjectTokenType,
|
||||
"GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE": "0",
|
||||
}
|
||||
|
||||
if cs.config.ServiceAccountImpersonationURL != "" {
|
||||
@@ -229,8 +230,6 @@ func (cs executableCredentialSource) getNewEnvironmentVariables() map[string]str
|
||||
}
|
||||
}
|
||||
|
||||
result["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "0"
|
||||
|
||||
if cs.OutputFile != "" {
|
||||
result["GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"] = cs.OutputFile
|
||||
}
|
||||
|
||||
@@ -396,7 +396,7 @@ func TestRetrieveExecutableSubjectTokenMissingSuccess(t *testing.T) {
|
||||
runCommand = func(ctx context.Context, command string, env []string) ([]byte, error) {
|
||||
deadline, deadlineSet = ctx.Deadline()
|
||||
return json.Marshal(executableResponse{
|
||||
Version: Int(1),
|
||||
Version: 1,
|
||||
})
|
||||
}
|
||||
|
||||
@@ -443,7 +443,7 @@ func TestRetrieveExecutableSubjectTokenUnsuccessfulResponseWithFields(t *testing
|
||||
deadline, deadlineSet = ctx.Deadline()
|
||||
return json.Marshal(executableResponse{
|
||||
Success: Bool(false),
|
||||
Version: Int(1),
|
||||
Version: 1,
|
||||
Code: "404",
|
||||
Message: "Token Not Found",
|
||||
})
|
||||
@@ -492,7 +492,7 @@ func TestRetrieveExecutableSubjectTokenUnsuccessfulResponseWithCode(t *testing.T
|
||||
deadline, deadlineSet = ctx.Deadline()
|
||||
return json.Marshal(executableResponse{
|
||||
Success: Bool(false),
|
||||
Version: Int(1),
|
||||
Version: 1,
|
||||
Code: "404",
|
||||
})
|
||||
}
|
||||
@@ -540,7 +540,7 @@ func TestRetrieveExecutableSubjectTokenUnsuccessfulResponseWithMessage(t *testin
|
||||
deadline, deadlineSet = ctx.Deadline()
|
||||
return json.Marshal(executableResponse{
|
||||
Success: Bool(false),
|
||||
Version: Int(1),
|
||||
Version: 1,
|
||||
Message: "Token Not Found",
|
||||
})
|
||||
}
|
||||
@@ -588,7 +588,7 @@ func TestRetrieveExecutableSubjectTokenUnsuccessfulResponseWithoutFields(t *test
|
||||
deadline, deadlineSet = ctx.Deadline()
|
||||
return json.Marshal(executableResponse{
|
||||
Success: Bool(false),
|
||||
Version: Int(1),
|
||||
Version: 1,
|
||||
})
|
||||
}
|
||||
|
||||
@@ -635,7 +635,7 @@ func TestRetrieveExecutableSubjectTokenNewerVersion(t *testing.T) {
|
||||
deadline, deadlineSet = ctx.Deadline()
|
||||
return json.Marshal(executableResponse{
|
||||
Success: Bool(true),
|
||||
Version: Int(2),
|
||||
Version: 2,
|
||||
})
|
||||
}
|
||||
|
||||
@@ -682,8 +682,8 @@ func TestRetrieveExecutableSubjectTokenMissingExpiration(t *testing.T) {
|
||||
deadline, deadlineSet = ctx.Deadline()
|
||||
return json.Marshal(executableResponse{
|
||||
Success: Bool(true),
|
||||
Version: Int(1),
|
||||
TokenType: String("urn:ietf:params:oauth:token-type:jwt"),
|
||||
Version: 1,
|
||||
TokenType: "urn:ietf:params:oauth:token-type:jwt",
|
||||
})
|
||||
}
|
||||
|
||||
@@ -730,8 +730,8 @@ func TestRetrieveExecutableSubjectTokenTokenTypeMissing(t *testing.T) {
|
||||
deadline, deadlineSet = ctx.Deadline()
|
||||
return json.Marshal(executableResponse{
|
||||
Success: Bool(true),
|
||||
Version: Int(1),
|
||||
ExpirationTime: Int64(now().Unix()),
|
||||
Version: 1,
|
||||
ExpirationTime: now().Unix(),
|
||||
})
|
||||
}
|
||||
|
||||
@@ -778,9 +778,9 @@ func TestRetrieveExecutableSubjectTokenInvalidTokenType(t *testing.T) {
|
||||
deadline, deadlineSet = ctx.Deadline()
|
||||
return json.Marshal(executableResponse{
|
||||
Success: Bool(true),
|
||||
Version: Int(1),
|
||||
ExpirationTime: Int64(now().Unix()),
|
||||
TokenType: String("urn:ietf:params:oauth:token-type:invalid"),
|
||||
Version: 1,
|
||||
ExpirationTime: now().Unix(),
|
||||
TokenType: "urn:ietf:params:oauth:token-type:invalid",
|
||||
})
|
||||
}
|
||||
|
||||
@@ -827,9 +827,9 @@ func TestRetrieveExecutableSubjectTokenExpired(t *testing.T) {
|
||||
deadline, deadlineSet = ctx.Deadline()
|
||||
return json.Marshal(executableResponse{
|
||||
Success: Bool(true),
|
||||
Version: Int(1),
|
||||
ExpirationTime: Int64(now().Unix() - 1),
|
||||
TokenType: String("urn:ietf:params:oauth:token-type:jwt"),
|
||||
Version: 1,
|
||||
ExpirationTime: now().Unix() - 1,
|
||||
TokenType: "urn:ietf:params:oauth:token-type:jwt",
|
||||
})
|
||||
}
|
||||
|
||||
@@ -876,10 +876,10 @@ func TestRetrieveExecutableSubjectTokenJwt(t *testing.T) {
|
||||
deadline, deadlineSet = ctx.Deadline()
|
||||
return json.Marshal(executableResponse{
|
||||
Success: Bool(true),
|
||||
Version: Int(1),
|
||||
ExpirationTime: Int64(now().Unix() + 3600),
|
||||
TokenType: String("urn:ietf:params:oauth:token-type:jwt"),
|
||||
IdToken: String("tokentokentoken"),
|
||||
Version: 1,
|
||||
ExpirationTime: now().Unix() + 3600,
|
||||
TokenType: "urn:ietf:params:oauth:token-type:jwt",
|
||||
IdToken: "tokentokentoken",
|
||||
})
|
||||
}
|
||||
|
||||
@@ -927,9 +927,9 @@ func TestRetrieveExecutableSubjectTokenJwtMissingIdToken(t *testing.T) {
|
||||
deadline, deadlineSet = ctx.Deadline()
|
||||
return json.Marshal(executableResponse{
|
||||
Success: Bool(true),
|
||||
Version: Int(1),
|
||||
ExpirationTime: Int64(now().Unix() + 3600),
|
||||
TokenType: String("urn:ietf:params:oauth:token-type:jwt"),
|
||||
Version: 1,
|
||||
ExpirationTime: now().Unix() + 3600,
|
||||
TokenType: "urn:ietf:params:oauth:token-type:jwt",
|
||||
})
|
||||
}
|
||||
|
||||
@@ -976,10 +976,10 @@ func TestRetrieveExecutableSubjectTokenIdToken(t *testing.T) {
|
||||
deadline, deadlineSet = ctx.Deadline()
|
||||
return json.Marshal(executableResponse{
|
||||
Success: Bool(true),
|
||||
Version: Int(1),
|
||||
ExpirationTime: Int64(now().Unix() + 3600),
|
||||
TokenType: String("urn:ietf:params:oauth:token-type:id_token"),
|
||||
IdToken: String("tokentokentoken"),
|
||||
Version: 1,
|
||||
ExpirationTime: now().Unix() + 3600,
|
||||
TokenType: "urn:ietf:params:oauth:token-type:id_token",
|
||||
IdToken: "tokentokentoken",
|
||||
})
|
||||
}
|
||||
|
||||
@@ -1027,10 +1027,10 @@ func TestRetrieveExecutableSubjectTokenSaml(t *testing.T) {
|
||||
deadline, deadlineSet = ctx.Deadline()
|
||||
return json.Marshal(executableResponse{
|
||||
Success: Bool(true),
|
||||
Version: Int(1),
|
||||
ExpirationTime: Int64(now().Unix() + 3600),
|
||||
TokenType: String("urn:ietf:params:oauth:token-type:saml2"),
|
||||
SamlResponse: String("tokentokentoken"),
|
||||
Version: 1,
|
||||
ExpirationTime: now().Unix() + 3600,
|
||||
TokenType: "urn:ietf:params:oauth:token-type:saml2",
|
||||
SamlResponse: "tokentokentoken",
|
||||
})
|
||||
}
|
||||
|
||||
@@ -1078,9 +1078,9 @@ func TestRetrieveExecutableSubjectTokenSamlMissingResponse(t *testing.T) {
|
||||
deadline, deadlineSet = ctx.Deadline()
|
||||
return json.Marshal(executableResponse{
|
||||
Success: Bool(true),
|
||||
Version: Int(1),
|
||||
ExpirationTime: Int64(now().Unix() + 3600),
|
||||
TokenType: String("urn:ietf:params:oauth:token-type:saml2"),
|
||||
Version: 1,
|
||||
ExpirationTime: now().Unix() + 3600,
|
||||
TokenType: "urn:ietf:params:oauth:token-type:saml2",
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user