forked from remote/oauth2
google: Add support for TokenSourceParams, Client ID json, and JWT Subject
This commit is contained in:
Andy Zhao
@@ -16,6 +16,7 @@ import (
|
||||
|
||||
"cloud.google.com/go/compute/metadata"
|
||||
"golang.org/x/oauth2"
|
||||
"golang.org/x/oauth2/authhandler"
|
||||
)
|
||||
|
||||
// Credentials holds Google credentials, including "Application Default Credentials".
|
||||
@@ -41,6 +42,22 @@ type Credentials struct {
|
||||
// Deprecated: use Credentials instead.
|
||||
type DefaultCredentials = Credentials
|
||||
|
||||
// TokenSourceParams holds user supplied parameters that are
|
||||
// used for building a TokenSource.
|
||||
type TokenSourceParams struct {
|
||||
// List of OAuth scopes.
|
||||
Scopes []string
|
||||
|
||||
// User email used for domain wide delegation.
|
||||
Subject string
|
||||
|
||||
// AuthorizationHandler used for 3-legged OAuth flow.
|
||||
AuthHandler authhandler.AuthorizationHandler
|
||||
|
||||
// State used for AuthorizationHandler.
|
||||
State string
|
||||
}
|
||||
|
||||
// DefaultClient returns an HTTP Client that uses the
|
||||
// DefaultTokenSource to obtain authentication credentials.
|
||||
func DefaultClient(ctx context.Context, scope ...string) (*http.Client, error) {
|
||||
@@ -81,11 +98,11 @@ func DefaultTokenSource(ctx context.Context, scope ...string) (oauth2.TokenSourc
|
||||
// 4. On Google Compute Engine, Google App Engine standard second generation runtimes
|
||||
// (>= Go 1.11), and Google App Engine flexible environment, it fetches
|
||||
// credentials from the metadata server.
|
||||
func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials, error) {
|
||||
func FindDefaultCredentialsWithParams(ctx context.Context, params TokenSourceParams) (*Credentials, error) {
|
||||
// First, try the environment variable.
|
||||
const envVar = "GOOGLE_APPLICATION_CREDENTIALS"
|
||||
if filename := os.Getenv(envVar); filename != "" {
|
||||
creds, err := readCredentialsFile(ctx, filename, scopes)
|
||||
creds, err := readCredentialsFile(ctx, filename, params)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("google: error getting credentials using %v environment variable: %v", envVar, err)
|
||||
}
|
||||
@@ -94,7 +111,7 @@ func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials
|
||||
|
||||
// Second, try a well-known file.
|
||||
filename := wellKnownFile()
|
||||
if creds, err := readCredentialsFile(ctx, filename, scopes); err == nil {
|
||||
if creds, err := readCredentialsFile(ctx, filename, params); err == nil {
|
||||
return creds, nil
|
||||
} else if !os.IsNotExist(err) {
|
||||
return nil, fmt.Errorf("google: error getting credentials using well-known file (%v): %v", filename, err)
|
||||
@@ -106,7 +123,7 @@ func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials
|
||||
if appengineTokenFunc != nil {
|
||||
return &DefaultCredentials{
|
||||
ProjectID: appengineAppIDFunc(ctx),
|
||||
TokenSource: AppEngineTokenSource(ctx, scopes...),
|
||||
TokenSource: AppEngineTokenSource(ctx, params.Scopes...),
|
||||
}, nil
|
||||
}
|
||||
|
||||
@@ -116,7 +133,7 @@ func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials
|
||||
id, _ := metadata.ProjectID()
|
||||
return &DefaultCredentials{
|
||||
ProjectID: id,
|
||||
TokenSource: ComputeTokenSource("", scopes...),
|
||||
TokenSource: ComputeTokenSource("", params.Scopes...),
|
||||
}, nil
|
||||
}
|
||||
|
||||
@@ -125,18 +142,36 @@ func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials
|
||||
return nil, fmt.Errorf("google: could not find default credentials. See %v for more information.", url)
|
||||
}
|
||||
|
||||
// Deprecated: use FindDefaultCredentialsWithParams instead.
|
||||
func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials, error) {
|
||||
var params TokenSourceParams
|
||||
params.Scopes = scopes
|
||||
return FindDefaultCredentialsWithParams(ctx, params)
|
||||
}
|
||||
|
||||
// CredentialsFromJSON obtains Google credentials from a JSON value. The JSON can
|
||||
// represent either a Google Developers Console client_credentials.json file (as in
|
||||
// ConfigFromJSON), a Google Developers service account key file (as in
|
||||
// JWTConfigFromJSON) or the JSON configuration file for workload identity federation
|
||||
// in non-Google cloud platforms (see
|
||||
// ConfigFromJSON), a Google Developers service account key file, a gCloud-style
|
||||
// user credentials file (a.k.a. refresh token JSON), or the JSON configuration file
|
||||
// for workload identity federation in non-Google cloud platforms (see
|
||||
// https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation).
|
||||
func CredentialsFromJSON(ctx context.Context, jsonData []byte, scopes ...string) (*Credentials, error) {
|
||||
func CredentialsFromJSONWithParams(ctx context.Context, jsonData []byte, params TokenSourceParams) (*Credentials, error) {
|
||||
// First, attempt to parse jsonData as a Google Developers Console client_credentials.json.
|
||||
config, err := ConfigFromJSON(jsonData, params.Scopes...)
|
||||
if err == nil {
|
||||
return &Credentials{
|
||||
ProjectID: "",
|
||||
TokenSource: authhandler.TokenSource(ctx, config, params.State, params.AuthHandler),
|
||||
JSON: jsonData,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// Otherwise, parse jsonData as one of the other supported credential files.
|
||||
var f credentialsFile
|
||||
if err := json.Unmarshal(jsonData, &f); err != nil {
|
||||
if err = json.Unmarshal(jsonData, &f); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
ts, err := f.tokenSource(ctx, append([]string(nil), scopes...))
|
||||
ts, err := f.tokenSource(ctx, params)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -147,6 +182,13 @@ func CredentialsFromJSON(ctx context.Context, jsonData []byte, scopes ...string)
|
||||
}, nil
|
||||
}
|
||||
|
||||
// Deprecated: use CredentialsFromJSONWithParams instead.
|
||||
func CredentialsFromJSON(ctx context.Context, jsonData []byte, scopes ...string) (*Credentials, error) {
|
||||
var params TokenSourceParams
|
||||
params.Scopes = scopes
|
||||
return CredentialsFromJSONWithParams(ctx, jsonData, params)
|
||||
}
|
||||
|
||||
func wellKnownFile() string {
|
||||
const f = "application_default_credentials.json"
|
||||
if runtime.GOOS == "windows" {
|
||||
@@ -155,10 +197,10 @@ func wellKnownFile() string {
|
||||
return filepath.Join(guessUnixHomeDir(), ".config", "gcloud", f)
|
||||
}
|
||||
|
||||
func readCredentialsFile(ctx context.Context, filename string, scopes []string) (*DefaultCredentials, error) {
|
||||
func readCredentialsFile(ctx context.Context, filename string, params TokenSourceParams) (*DefaultCredentials, error) {
|
||||
b, err := ioutil.ReadFile(filename)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return CredentialsFromJSON(ctx, b, scopes...)
|
||||
return CredentialsFromJSONWithParams(ctx, b, params)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user