peridot/vendor/google.golang.org/api/internal/creds.go

// Copyright 2017 Google LLC.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package internal

import (
	"context"
	"crypto/tls"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"net/http"
	"os"
	"time"

	"golang.org/x/oauth2"
	"google.golang.org/api/internal/cert"
	"google.golang.org/api/internal/impersonate"

	"golang.org/x/oauth2/google"
)

const quotaProjectEnvVar = "GOOGLE_CLOUD_QUOTA_PROJECT"

// Creds returns credential information obtained from DialSettings, or if none, then
// it returns default credential information.
func Creds(ctx context.Context, ds *DialSettings) (*google.Credentials, error) {
	creds, err := baseCreds(ctx, ds)
	if err != nil {
		return nil, err
	}
	if ds.ImpersonationConfig != nil {
		return impersonateCredentials(ctx, creds, ds)
	}
	return creds, nil
}

func baseCreds(ctx context.Context, ds *DialSettings) (*google.Credentials, error) {
	if ds.InternalCredentials != nil {
		return ds.InternalCredentials, nil
	}
	if ds.Credentials != nil {
		return ds.Credentials, nil
	}
	if ds.CredentialsJSON != nil {
		return credentialsFromJSON(ctx, ds.CredentialsJSON, ds)
	}
	if ds.CredentialsFile != "" {
		data, err := os.ReadFile(ds.CredentialsFile)
		if err != nil {
			return nil, fmt.Errorf("cannot read credentials file: %v", err)
		}
		return credentialsFromJSON(ctx, data, ds)
	}
	if ds.TokenSource != nil {
		return &google.Credentials{TokenSource: ds.TokenSource}, nil
	}
	cred, err := google.FindDefaultCredentials(ctx, ds.GetScopes()...)
	if err != nil {
		return nil, err
	}
	if len(cred.JSON) > 0 {
		return credentialsFromJSON(ctx, cred.JSON, ds)
	}
	// For GAE and GCE, the JSON is empty so return the default credentials directly.
	return cred, nil
}

// JSON key file type.
const (
	serviceAccountKey = "service_account"
)

// credentialsFromJSON returns a google.Credentials from the JSON data
//
// - A self-signed JWT flow will be executed if the following conditions are
// met:
//
//	(1) At least one of the following is true:
//	    (a) Scope for self-signed JWT flow is enabled
//	    (b) Audiences are explicitly provided by users
//	(2) No service account impersontation
//
// - Otherwise, executes standard OAuth 2.0 flow
// More details: google.aip.dev/auth/4111
func credentialsFromJSON(ctx context.Context, data []byte, ds *DialSettings) (*google.Credentials, error) {
	var params google.CredentialsParams
	params.Scopes = ds.GetScopes()

	// Determine configurations for the OAuth2 transport, which is separate from the API transport.
	// The OAuth2 transport and endpoint will be configured for mTLS if applicable.
	clientCertSource, err := getClientCertificateSource(ds)
	if err != nil {
		return nil, err
	}
	params.TokenURL = oAuth2Endpoint(clientCertSource)
	if clientCertSource != nil {
		tlsConfig := &tls.Config{
			GetClientCertificate: clientCertSource,
		}
		ctx = context.WithValue(ctx, oauth2.HTTPClient, customHTTPClient(tlsConfig))
	}

	// By default, a standard OAuth 2.0 token source is created
	cred, err := google.CredentialsFromJSONWithParams(ctx, data, params)
	if err != nil {
		return nil, err
	}

	// Override the token source to use self-signed JWT if conditions are met
	isJWTFlow, err := isSelfSignedJWTFlow(data, ds)
	if err != nil {
		return nil, err
	}
	if isJWTFlow {
		ts, err := selfSignedJWTTokenSource(data, ds)
		if err != nil {
			return nil, err
		}
		cred.TokenSource = ts
	}

	return cred, err
}

func oAuth2Endpoint(clientCertSource cert.Source) string {
	if isMTLS(clientCertSource) {
		return google.MTLSTokenURL
	}
	return google.Endpoint.TokenURL
}

func isSelfSignedJWTFlow(data []byte, ds *DialSettings) (bool, error) {
	// For non-GDU universe domains, token exchange is impossible and services
	// must support self-signed JWTs with scopes.
	if !ds.IsUniverseDomainGDU() {
		return typeServiceAccount(data)
	}
	if (ds.EnableJwtWithScope || ds.HasCustomAudience()) && ds.ImpersonationConfig == nil {
		return typeServiceAccount(data)
	}
	return false, nil
}

// typeServiceAccount checks if JSON data is for a service account.
func typeServiceAccount(data []byte) (bool, error) {
	var f struct {
		Type string `json:"type"`
		// The remaining JSON fields are omitted because they are not used.
	}
	if err := json.Unmarshal(data, &f); err != nil {
		return false, err
	}
	return f.Type == serviceAccountKey, nil
}

func selfSignedJWTTokenSource(data []byte, ds *DialSettings) (oauth2.TokenSource, error) {
	if len(ds.GetScopes()) > 0 && !ds.HasCustomAudience() {
		// Scopes are preferred in self-signed JWT unless the scope is not available
		// or a custom audience is used.
		return google.JWTAccessTokenSourceWithScope(data, ds.GetScopes()...)
	} else if ds.GetAudience() != "" {
		// Fallback to audience if scope is not provided
		return google.JWTAccessTokenSourceFromJSON(data, ds.GetAudience())
	} else {
		return nil, errors.New("neither scopes or audience are available for the self-signed JWT")
	}
}

// GetQuotaProject retrieves quota project with precedence being: client option,
// environment variable, creds file.
func GetQuotaProject(creds *google.Credentials, clientOpt string) string {
	if clientOpt != "" {
		return clientOpt
	}
	if env := os.Getenv(quotaProjectEnvVar); env != "" {
		return env
	}
	if creds == nil {
		return ""
	}
	var v struct {
		QuotaProject string `json:"quota_project_id"`
	}
	if err := json.Unmarshal(creds.JSON, &v); err != nil {
		return ""
	}
	return v.QuotaProject
}

func impersonateCredentials(ctx context.Context, creds *google.Credentials, ds *DialSettings) (*google.Credentials, error) {
	if len(ds.ImpersonationConfig.Scopes) == 0 {
		ds.ImpersonationConfig.Scopes = ds.GetScopes()
	}
	ts, err := impersonate.TokenSource(ctx, creds.TokenSource, ds.ImpersonationConfig)
	if err != nil {
		return nil, err
	}
	return &google.Credentials{
		TokenSource: ts,
		ProjectID:   creds.ProjectID,
	}, nil
}

// customHTTPClient constructs an HTTPClient using the provided tlsConfig, to support mTLS.
func customHTTPClient(tlsConfig *tls.Config) *http.Client {
	trans := baseTransport()
	trans.TLSClientConfig = tlsConfig
	return &http.Client{Transport: trans}
}

func baseTransport() *http.Transport {
	return &http.Transport{
		Proxy: http.ProxyFromEnvironment,
		DialContext: (&net.Dialer{
			Timeout:   30 * time.Second,
			KeepAlive: 30 * time.Second,
			DualStack: true,
		}).DialContext,
		MaxIdleConns:          100,
		MaxIdleConnsPerHost:   100,
		IdleConnTimeout:       90 * time.Second,
		TLSHandshakeTimeout:   10 * time.Second,
		ExpectContinueTimeout: 1 * time.Second,
	}
}

// ErrUniverseNotMatch composes an error string from the provided universe
// domain sources (DialSettings and Credentials, respectively).
func ErrUniverseNotMatch(settingsUD, credsUD string) error {
	return fmt.Errorf(
		"the configured universe domain (%q) does not match the universe "+
			"domain found in the credentials (%q). If you haven't configured "+
			"WithUniverseDomain explicitly, \"googleapis.com\" is the default",
		settingsUD,
		credsUD)
}
Initial commit 2022-07-07 20:11:50 +00:00			`// Copyright 2017 Google LLC.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

			`package internal`

			`import (`
			`"context"`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`"crypto/tls"`
Initial commit 2022-07-07 20:11:50 +00:00			`"encoding/json"`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`"errors"`
Initial commit 2022-07-07 20:11:50 +00:00			`"fmt"`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`"net"`
			`"net/http"`
			`"os"`
			`"time"`
Initial commit 2022-07-07 20:11:50 +00:00
			`"golang.org/x/oauth2"`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`"google.golang.org/api/internal/cert"`
Initial commit 2022-07-07 20:11:50 +00:00			`"google.golang.org/api/internal/impersonate"`

			`"golang.org/x/oauth2/google"`
			`)`

Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`const quotaProjectEnvVar = "GOOGLE_CLOUD_QUOTA_PROJECT"`

Initial commit 2022-07-07 20:11:50 +00:00			`// Creds returns credential information obtained from DialSettings, or if none, then`
			`// it returns default credential information.`
			`func Creds(ctx context.Context, ds DialSettings) (google.Credentials, error) {`
			`creds, err := baseCreds(ctx, ds)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if ds.ImpersonationConfig != nil {`
			`return impersonateCredentials(ctx, creds, ds)`
			`}`
			`return creds, nil`
			`}`

			`func baseCreds(ctx context.Context, ds DialSettings) (google.Credentials, error) {`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`if ds.InternalCredentials != nil {`
			`return ds.InternalCredentials, nil`
			`}`
Initial commit 2022-07-07 20:11:50 +00:00			`if ds.Credentials != nil {`
			`return ds.Credentials, nil`
			`}`
			`if ds.CredentialsJSON != nil {`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`return credentialsFromJSON(ctx, ds.CredentialsJSON, ds)`
Initial commit 2022-07-07 20:11:50 +00:00			`}`
			`if ds.CredentialsFile != "" {`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`data, err := os.ReadFile(ds.CredentialsFile)`
Initial commit 2022-07-07 20:11:50 +00:00			`if err != nil {`
			`return nil, fmt.Errorf("cannot read credentials file: %v", err)`
			`}`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`return credentialsFromJSON(ctx, data, ds)`
Initial commit 2022-07-07 20:11:50 +00:00			`}`
			`if ds.TokenSource != nil {`
			`return &google.Credentials{TokenSource: ds.TokenSource}, nil`
			`}`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`cred, err := google.FindDefaultCredentials(ctx, ds.GetScopes()...)`
Initial commit 2022-07-07 20:11:50 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if len(cred.JSON) > 0 {`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`return credentialsFromJSON(ctx, cred.JSON, ds)`
Initial commit 2022-07-07 20:11:50 +00:00			`}`
			`// For GAE and GCE, the JSON is empty so return the default credentials directly.`
			`return cred, nil`
			`}`

			`// JSON key file type.`
			`const (`
			`serviceAccountKey = "service_account"`
			`)`

Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`// credentialsFromJSON returns a google.Credentials from the JSON data`
			`//`
			`// - A self-signed JWT flow will be executed if the following conditions are`
			`// met:`
Initial commit 2022-07-07 20:11:50 +00:00			`//`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`// (1) At least one of the following is true:`
			`// (a) Scope for self-signed JWT flow is enabled`
			`// (b) Audiences are explicitly provided by users`
			`// (2) No service account impersontation`
			`//`
			`// - Otherwise, executes standard OAuth 2.0 flow`
			`// More details: google.aip.dev/auth/4111`
			`func credentialsFromJSON(ctx context.Context, data []byte, ds DialSettings) (google.Credentials, error) {`
			`var params google.CredentialsParams`
			`params.Scopes = ds.GetScopes()`

			`// Determine configurations for the OAuth2 transport, which is separate from the API transport.`
			`// The OAuth2 transport and endpoint will be configured for mTLS if applicable.`
			`clientCertSource, err := getClientCertificateSource(ds)`
Initial commit 2022-07-07 20:11:50 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`params.TokenURL = oAuth2Endpoint(clientCertSource)`
			`if clientCertSource != nil {`
			`tlsConfig := &tls.Config{`
			`GetClientCertificate: clientCertSource,`
Initial commit 2022-07-07 20:11:50 +00:00			`}`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`ctx = context.WithValue(ctx, oauth2.HTTPClient, customHTTPClient(tlsConfig))`
			`}`

			`// By default, a standard OAuth 2.0 token source is created`
			`cred, err := google.CredentialsFromJSONWithParams(ctx, data, params)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Override the token source to use self-signed JWT if conditions are met`
			`isJWTFlow, err := isSelfSignedJWTFlow(data, ds)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if isJWTFlow {`
			`ts, err := selfSignedJWTTokenSource(data, ds)`
			`if err != nil {`
Initial commit 2022-07-07 20:11:50 +00:00			`return nil, err`
			`}`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`cred.TokenSource = ts`
Initial commit 2022-07-07 20:11:50 +00:00			`}`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00
Initial commit 2022-07-07 20:11:50 +00:00			`return cred, err`
			`}`

Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`func oAuth2Endpoint(clientCertSource cert.Source) string {`
			`if isMTLS(clientCertSource) {`
			`return google.MTLSTokenURL`
Initial commit 2022-07-07 20:11:50 +00:00			`}`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`return google.Endpoint.TokenURL`
Initial commit 2022-07-07 20:11:50 +00:00			`}`

Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`func isSelfSignedJWTFlow(data []byte, ds *DialSettings) (bool, error) {`
			`// For non-GDU universe domains, token exchange is impossible and services`
			`// must support self-signed JWTs with scopes.`
			`if !ds.IsUniverseDomainGDU() {`
			`return typeServiceAccount(data)`
			`}`
			`if (ds.EnableJwtWithScope \|\| ds.HasCustomAudience()) && ds.ImpersonationConfig == nil {`
			`return typeServiceAccount(data)`
			`}`
			`return false, nil`
			`}`

			`// typeServiceAccount checks if JSON data is for a service account.`
			`func typeServiceAccount(data []byte) (bool, error) {`
			`var f struct {`
			Type string `json:"type"`
			`// The remaining JSON fields are omitted because they are not used.`
			`}`
			`if err := json.Unmarshal(data, &f); err != nil {`
			`return false, err`
			`}`
			`return f.Type == serviceAccountKey, nil`
			`}`

			`func selfSignedJWTTokenSource(data []byte, ds *DialSettings) (oauth2.TokenSource, error) {`
			`if len(ds.GetScopes()) > 0 && !ds.HasCustomAudience() {`
			`// Scopes are preferred in self-signed JWT unless the scope is not available`
			`// or a custom audience is used.`
			`return google.JWTAccessTokenSourceWithScope(data, ds.GetScopes()...)`
			`} else if ds.GetAudience() != "" {`
			`// Fallback to audience if scope is not provided`
			`return google.JWTAccessTokenSourceFromJSON(data, ds.GetAudience())`
			`} else {`
			`return nil, errors.New("neither scopes or audience are available for the self-signed JWT")`
			`}`
			`}`

			`// GetQuotaProject retrieves quota project with precedence being: client option,`
			`// environment variable, creds file.`
			`func GetQuotaProject(creds *google.Credentials, clientOpt string) string {`
			`if clientOpt != "" {`
			`return clientOpt`
			`}`
			`if env := os.Getenv(quotaProjectEnvVar); env != "" {`
			`return env`
			`}`
			`if creds == nil {`
			`return ""`
			`}`
Initial commit 2022-07-07 20:11:50 +00:00			`var v struct {`
			QuotaProject string `json:"quota_project_id"`
			`}`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`if err := json.Unmarshal(creds.JSON, &v); err != nil {`
Initial commit 2022-07-07 20:11:50 +00:00			`return ""`
			`}`
			`return v.QuotaProject`
			`}`

			`func impersonateCredentials(ctx context.Context, creds google.Credentials, ds DialSettings) (*google.Credentials, error) {`
			`if len(ds.ImpersonationConfig.Scopes) == 0 {`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00			`ds.ImpersonationConfig.Scopes = ds.GetScopes()`
Initial commit 2022-07-07 20:11:50 +00:00			`}`
			`ts, err := impersonate.TokenSource(ctx, creds.TokenSource, ds.ImpersonationConfig)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return &google.Credentials{`
			`TokenSource: ts,`
			`ProjectID: creds.ProjectID,`
			`}, nil`
			`}`
Major upgrades Upgrade to Go 1.20.5, Hydra v2 SDK, rules-go v0.44.2 (with proper resolves), protobuf v25.3 and mass upgrade of Go dependencies. 2024-02-24 00:34:55 +00:00
			`// customHTTPClient constructs an HTTPClient using the provided tlsConfig, to support mTLS.`
			`func customHTTPClient(tlsConfig tls.Config) http.Client {`
			`trans := baseTransport()`
			`trans.TLSClientConfig = tlsConfig`
			`return &http.Client{Transport: trans}`
			`}`

			`func baseTransport() *http.Transport {`
			`return &http.Transport{`
			`Proxy: http.ProxyFromEnvironment,`
			`DialContext: (&net.Dialer{`
			`Timeout: 30 * time.Second,`
			`KeepAlive: 30 * time.Second,`
			`DualStack: true,`
			`}).DialContext,`
			`MaxIdleConns: 100,`
			`MaxIdleConnsPerHost: 100,`
			`IdleConnTimeout: 90 * time.Second,`
			`TLSHandshakeTimeout: 10 * time.Second,`
			`ExpectContinueTimeout: 1 * time.Second,`
			`}`
			`}`

			`// ErrUniverseNotMatch composes an error string from the provided universe`
			`// domain sources (DialSettings and Credentials, respectively).`
			`func ErrUniverseNotMatch(settingsUD, credsUD string) error {`
			`return fmt.Errorf(`
			`"the configured universe domain (%q) does not match the universe "+`
			`"domain found in the credentials (%q). If you haven't configured "+`
			`"WithUniverseDomain explicitly, \"googleapis.com\" is the default",`
			`settingsUD,`
			`credsUD)`
			`}`