google: base account credential support

2020-12-03 11:24:11 -08:00
parent 08078c50e5
commit 9d330345dc
7 changed files with 365 additions and 0 deletions
--- a/google/internal/externalaccount/basecredentials.go
+++ b/google/internal/externalaccount/basecredentials.go
@@ -0,0 +1,147 @@
+package externalaccount
+
+import (
+	"context"
+	"fmt"
+	"golang.org/x/oauth2"
+	"net/http"
+	"time"
+)
+
+// The configuration for fetching tokens with external credentials.
+type Config struct {
+	Audience                       string
+	SubjectTokenType               string
+	TokenURL                       string
+	TokenInfoURL                   string
+	ServiceAccountImpersonationURL string
+	ClientSecret                   string
+	ClientID                       string
+	CredentialSource               CredentialSource
+	QuotaProjectID                 string
+
+	Scopes []string
+}
+
+// Returns an external account TokenSource. This is to be called by package google to construct a google.Credentials.
+func (c *Config) TokenSource(ctx context.Context) oauth2.TokenSource {
+	ts := tokenSource{
+		ctx:  ctx,
+		conf: c,
+	}
+	return oauth2.ReuseTokenSource(nil, ts)
+}
+
+//Subject token file types
+const (
+	fileTypeText = "text"
+	fileTypeJSON = "json"
+)
+
+type format struct {
+	// Either "text" or "json".  When not provided "text" type is assumed.
+	Type string `json:"type"`
+	// Only required for JSON.
+	// This would be "access_token" for azure.
+	SubjectTokenFieldName string `json:"subject_token_field_name"`
+}
+
+type CredentialSource struct {
+	File string `json:"file"`
+
+	URL     string            `json:"url"`
+	Headers map[string]string `json:"headers"`
+
+	EnvironmentID               string `json:"environment_id"`
+	RegionURL                   string `json:"region_url"`
+	RegionalCredVerificationURL string `json:"regional_cred_verification_url"`
+	CredVerificationURL         string `json:"cred_verification_url"`
+	Format                      format `json:"format"`
+}
+
+func (cs CredentialSource) instance() baseCredentialSource {
+	if cs.EnvironmentID == "awsX" {
+		return nil
+		//return awsCredentialSource{EnvironmentID:cs.EnvironmentID, RegionURL:cs.RegionURL, RegionalCredVerificationURL: cs.RegionalCredVerificationURL, CredVerificationURL:cs.CredVerificationURL}
+	} else if cs.File == "internalTestingFile" {
+		return testCredentialSource{}
+	} else if cs.File != "" {
+		return fileCredentialSource{File: cs.File}
+	} else if cs.URL != "" {
+		//return urlCredentialSource{URL:cs.URL, Headers:cs.Headers}
+		return nil
+	} else {
+		return nil
+	}
+}
+
+type baseCredentialSource interface {
+	retrieveSubjectToken(c *Config) (string, error)
+}
+
+// tokenSource is the source that handles 3PI credentials.
+type tokenSource struct {
+	ctx  context.Context
+	conf *Config
+}
+
+// This method is implemented so that tokenSource conforms to oauth2.TokenSource.
+func (ts tokenSource) Token() (*oauth2.Token, error) {
+	conf := ts.conf
+
+	subjectToken, err := conf.CredentialSource.instance().retrieveSubjectToken(conf)
+	if err != nil {
+		return &oauth2.Token{}, err
+	}
+	stsRequest := STSTokenExchangeRequest{
+		GrantType:          "urn:ietf:params:oauth:grant-type:token-exchange",
+		Audience:           conf.Audience,
+		Scope:              conf.Scopes,
+		RequestedTokenType: "urn:ietf:params:oauth:token-type:access_token",
+		SubjectToken:       subjectToken,
+		SubjectTokenType:   conf.SubjectTokenType,
+	}
+	header := make(http.Header)
+	header.Add("Content-Type", "application/x-www-form-urlencoded")
+	clientAuth := ClientAuthentication{
+		AuthStyle:    oauth2.AuthStyleInHeader,
+		ClientID:     conf.ClientID,
+		ClientSecret: conf.ClientSecret,
+	}
+	stsResp, err := ExchangeToken(ts.ctx, conf.TokenURL, &stsRequest, clientAuth, header, nil)
+	if err != nil {
+		fmt.Errorf("oauth2/google: %s", err.Error())
+		return &oauth2.Token{}, err
+	}
+
+	accessToken := &oauth2.Token{
+		AccessToken: stsResp.AccessToken,
+		TokenType:   stsResp.TokenType,
+	}
+	if stsResp.ExpiresIn < 0 {
+		fmt.Errorf("google/oauth2: got invalid expiry from security token service")
+		// REVIEWERS: Should I return the Token that I actually got back here so that people could inspect the result even with a improper ExpiresIn response?
+		// Or is it more appropriate to still return an empty token: &oauth2.Token{} so that anybody who checks for an empty token as a sign of failure doesn't get confused.
+		return accessToken, nil
+	} else if stsResp.ExpiresIn > 0 {
+		accessToken.Expiry = time.Now().Add(time.Duration(stsResp.ExpiresIn) * time.Second)
+	}
+
+	if stsResp.RefreshToken != "" {
+		accessToken.RefreshToken = stsResp.RefreshToken
+	}
+
+	return accessToken, nil
+}
+
+// NOTE: this method doesn't exist yet. It is being investigated to add this method to oauth2.TokenSource.
+//func (ts tokenSource) TokenInfo() (*oauth2.TokenInfo, error)
+
+// testCredentialSource is only used for testing, but must be defined here in order to avoid undefined errors when testing.
+type testCredentialSource struct {
+	File string
+}
+
+func (cs testCredentialSource) retrieveSubjectToken(c *Config) (string, error) {
+	return "Sample.Subject.Token", nil
+}