peridot/vendor/cloud.google.com/go/auth/credentials/compute.go

// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package credentials

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"

	"cloud.google.com/go/auth"
	"cloud.google.com/go/compute/metadata"
)

var (
	computeTokenMetadata = map[string]interface{}{
		"auth.google.tokenSource":    "compute-metadata",
		"auth.google.serviceAccount": "default",
	}
	computeTokenURI = "instance/service-accounts/default/token"
)

// computeTokenProvider creates a [cloud.google.com/go/auth.TokenProvider] that
// uses the metadata service to retrieve tokens.
func computeTokenProvider(opts *DetectOptions) auth.TokenProvider {
	return auth.NewCachedTokenProvider(computeProvider{scopes: opts.Scopes}, &auth.CachedTokenProviderOptions{
		ExpireEarly:         opts.EarlyTokenRefresh,
		DisableAsyncRefresh: opts.DisableAsyncRefresh,
	})
}

// computeProvider fetches tokens from the google cloud metadata service.
type computeProvider struct {
	scopes []string
}

type metadataTokenResp struct {
	AccessToken  string `json:"access_token"`
	ExpiresInSec int    `json:"expires_in"`
	TokenType    string `json:"token_type"`
}

func (cs computeProvider) Token(ctx context.Context) (*auth.Token, error) {
	tokenURI, err := url.Parse(computeTokenURI)
	if err != nil {
		return nil, err
	}
	if len(cs.scopes) > 0 {
		v := url.Values{}
		v.Set("scopes", strings.Join(cs.scopes, ","))
		tokenURI.RawQuery = v.Encode()
	}
	tokenJSON, err := metadata.GetWithContext(ctx, tokenURI.String())
	if err != nil {
		return nil, fmt.Errorf("credentials: cannot fetch token: %w", err)
	}
	var res metadataTokenResp
	if err := json.NewDecoder(strings.NewReader(tokenJSON)).Decode(&res); err != nil {
		return nil, fmt.Errorf("credentials: invalid token JSON from metadata: %w", err)
	}
	if res.ExpiresInSec == 0 || res.AccessToken == "" {
		return nil, errors.New("credentials: incomplete token received from metadata")
	}
	return &auth.Token{
		Value:    res.AccessToken,
		Type:     res.TokenType,
		Expiry:   time.Now().Add(time.Duration(res.ExpiresInSec) * time.Second),
		Metadata: computeTokenMetadata,
	}, nil

}
Upgrade deps and properly gitlabify target name 2024-10-16 10:54:40 +00:00			`// Copyright 2023 Google LLC`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package credentials`

			`import (`
			`"context"`
			`"encoding/json"`
			`"errors"`
			`"fmt"`
			`"net/url"`
			`"strings"`
			`"time"`

			`"cloud.google.com/go/auth"`
			`"cloud.google.com/go/compute/metadata"`
			`)`

			`var (`
			`computeTokenMetadata = map[string]interface{}{`
			`"auth.google.tokenSource": "compute-metadata",`
			`"auth.google.serviceAccount": "default",`
			`}`
			`computeTokenURI = "instance/service-accounts/default/token"`
			`)`

			`// computeTokenProvider creates a [cloud.google.com/go/auth.TokenProvider] that`
			`// uses the metadata service to retrieve tokens.`
			`func computeTokenProvider(opts *DetectOptions) auth.TokenProvider {`
			`return auth.NewCachedTokenProvider(computeProvider{scopes: opts.Scopes}, &auth.CachedTokenProviderOptions{`
			`ExpireEarly: opts.EarlyTokenRefresh,`
			`DisableAsyncRefresh: opts.DisableAsyncRefresh,`
			`})`
			`}`

			`// computeProvider fetches tokens from the google cloud metadata service.`
			`type computeProvider struct {`
			`scopes []string`
			`}`

			`type metadataTokenResp struct {`
			AccessToken string `json:"access_token"`
			ExpiresInSec int `json:"expires_in"`
			TokenType string `json:"token_type"`
			`}`

			`func (cs computeProvider) Token(ctx context.Context) (*auth.Token, error) {`
			`tokenURI, err := url.Parse(computeTokenURI)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if len(cs.scopes) > 0 {`
			`v := url.Values{}`
			`v.Set("scopes", strings.Join(cs.scopes, ","))`
			`tokenURI.RawQuery = v.Encode()`
			`}`
			`tokenJSON, err := metadata.GetWithContext(ctx, tokenURI.String())`
			`if err != nil {`
			`return nil, fmt.Errorf("credentials: cannot fetch token: %w", err)`
			`}`
			`var res metadataTokenResp`
			`if err := json.NewDecoder(strings.NewReader(tokenJSON)).Decode(&res); err != nil {`
			`return nil, fmt.Errorf("credentials: invalid token JSON from metadata: %w", err)`
			`}`
			`if res.ExpiresInSec == 0 \|\| res.AccessToken == "" {`
			`return nil, errors.New("credentials: incomplete token received from metadata")`
			`}`
			`return &auth.Token{`
			`Value: res.AccessToken,`
			`Type: res.TokenType,`
			`Expiry: time.Now().Add(time.Duration(res.ExpiresInSec) * time.Second),`
			`Metadata: computeTokenMetadata,`
			`}, nil`

			`}`