mirror of
https://github.com/rocky-linux/peridot.git
synced 2024-11-24 14:11:25 +00:00
263 lines
8.9 KiB
Go
263 lines
8.9 KiB
Go
|
// Copyright 2023 Google LLC
|
|||
|
//
|
|||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|||
|
// you may not use this file except in compliance with the License.
|
|||
|
// You may obtain a copy of the License at
|
|||
|
//
|
|||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|||
|
//
|
|||
|
// Unless required by applicable law or agreed to in writing, software
|
|||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|||
|
// See the License for the specific language governing permissions and
|
|||
|
// limitations under the License.
|
|||
|
|
|||
|
package credentials
|
|||
|
|
|||
|
import (
|
|||
|
"context"
|
|||
|
"encoding/json"
|
|||
|
"errors"
|
|||
|
"fmt"
|
|||
|
"net/http"
|
|||
|
"os"
|
|||
|
"time"
|
|||
|
|
|||
|
"cloud.google.com/go/auth"
|
|||
|
"cloud.google.com/go/auth/internal"
|
|||
|
"cloud.google.com/go/auth/internal/credsfile"
|
|||
|
"cloud.google.com/go/compute/metadata"
|
|||
|
)
|
|||
|
|
|||
|
const (
|
|||
|
// jwtTokenURL is Google's OAuth 2.0 token URL to use with the JWT(2LO) flow.
|
|||
|
jwtTokenURL = "https://oauth2.googleapis.com/token"
|
|||
|
|
|||
|
// Google's OAuth 2.0 default endpoints.
|
|||
|
googleAuthURL = "https://accounts.google.com/o/oauth2/auth"
|
|||
|
googleTokenURL = "https://oauth2.googleapis.com/token"
|
|||
|
|
|||
|
// GoogleMTLSTokenURL is Google's default OAuth2.0 mTLS endpoint.
|
|||
|
GoogleMTLSTokenURL = "https://oauth2.mtls.googleapis.com/token"
|
|||
|
|
|||
|
// Help on default credentials
|
|||
|
adcSetupURL = "https://cloud.google.com/docs/authentication/external/set-up-adc"
|
|||
|
)
|
|||
|
|
|||
|
var (
|
|||
|
// for testing
|
|||
|
allowOnGCECheck = true
|
|||
|
)
|
|||
|
|
|||
|
// OnGCE reports whether this process is running in Google Cloud.
|
|||
|
func OnGCE() bool {
|
|||
|
// TODO(codyoss): once all libs use this auth lib move metadata check here
|
|||
|
return allowOnGCECheck && metadata.OnGCE()
|
|||
|
}
|
|||
|
|
|||
|
// DetectDefault searches for "Application Default Credentials" and returns
|
|||
|
// a credential based on the [DetectOptions] provided.
|
|||
|
//
|
|||
|
// It looks for credentials in the following places, preferring the first
|
|||
|
// location found:
|
|||
|
//
|
|||
|
// - A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS
|
|||
|
// environment variable. For workload identity federation, refer to
|
|||
|
// https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation
|
|||
|
// on how to generate the JSON configuration file for on-prem/non-Google
|
|||
|
// cloud platforms.
|
|||
|
// - A JSON file in a location known to the gcloud command-line tool. On
|
|||
|
// Windows, this is %APPDATA%/gcloud/application_default_credentials.json. On
|
|||
|
// other systems, $HOME/.config/gcloud/application_default_credentials.json.
|
|||
|
// - On Google Compute Engine, Google App Engine standard second generation
|
|||
|
// runtimes, and Google App Engine flexible environment, it fetches
|
|||
|
// credentials from the metadata server.
|
|||
|
func DetectDefault(opts *DetectOptions) (*auth.Credentials, error) {
|
|||
|
if err := opts.validate(); err != nil {
|
|||
|
return nil, err
|
|||
|
}
|
|||
|
if len(opts.CredentialsJSON) > 0 {
|
|||
|
return readCredentialsFileJSON(opts.CredentialsJSON, opts)
|
|||
|
}
|
|||
|
if opts.CredentialsFile != "" {
|
|||
|
return readCredentialsFile(opts.CredentialsFile, opts)
|
|||
|
}
|
|||
|
if filename := os.Getenv(credsfile.GoogleAppCredsEnvVar); filename != "" {
|
|||
|
creds, err := readCredentialsFile(filename, opts)
|
|||
|
if err != nil {
|
|||
|
return nil, err
|
|||
|
}
|
|||
|
return creds, nil
|
|||
|
}
|
|||
|
|
|||
|
fileName := credsfile.GetWellKnownFileName()
|
|||
|
if b, err := os.ReadFile(fileName); err == nil {
|
|||
|
return readCredentialsFileJSON(b, opts)
|
|||
|
}
|
|||
|
|
|||
|
if OnGCE() {
|
|||
|
return auth.NewCredentials(&auth.CredentialsOptions{
|
|||
|
TokenProvider: computeTokenProvider(opts),
|
|||
|
ProjectIDProvider: auth.CredentialsPropertyFunc(func(context.Context) (string, error) {
|
|||
|
return metadata.ProjectID()
|
|||
|
}),
|
|||
|
UniverseDomainProvider: &internal.ComputeUniverseDomainProvider{},
|
|||
|
}), nil
|
|||
|
}
|
|||
|
|
|||
|
return nil, fmt.Errorf("credentials: could not find default credentials. See %v for more information", adcSetupURL)
|
|||
|
}
|
|||
|
|
|||
|
// DetectOptions provides configuration for [DetectDefault].
|
|||
|
type DetectOptions struct {
|
|||
|
// Scopes that credentials tokens should have. Example:
|
|||
|
// https://www.googleapis.com/auth/cloud-platform. Required if Audience is
|
|||
|
// not provided.
|
|||
|
Scopes []string
|
|||
|
// Audience that credentials tokens should have. Only applicable for 2LO
|
|||
|
// flows with service accounts. If specified, scopes should not be provided.
|
|||
|
Audience string
|
|||
|
// Subject is the user email used for [domain wide delegation](https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority).
|
|||
|
// Optional.
|
|||
|
Subject string
|
|||
|
// EarlyTokenRefresh configures how early before a token expires that it
|
|||
|
// should be refreshed. Once the token’s time until expiration has entered
|
|||
|
// this refresh window the token is considered valid but stale. If unset,
|
|||
|
// the default value is 3 minutes and 45 seconds. Optional.
|
|||
|
EarlyTokenRefresh time.Duration
|
|||
|
// DisableAsyncRefresh configures a synchronous workflow that refreshes
|
|||
|
// stale tokens while blocking. The default is false. Optional.
|
|||
|
DisableAsyncRefresh bool
|
|||
|
// AuthHandlerOptions configures an authorization handler and other options
|
|||
|
// for 3LO flows. It is required, and only used, for client credential
|
|||
|
// flows.
|
|||
|
AuthHandlerOptions *auth.AuthorizationHandlerOptions
|
|||
|
// TokenURL allows to set the token endpoint for user credential flows. If
|
|||
|
// unset the default value is: https://oauth2.googleapis.com/token.
|
|||
|
// Optional.
|
|||
|
TokenURL string
|
|||
|
// STSAudience is the audience sent to when retrieving an STS token.
|
|||
|
// Currently this only used for GDCH auth flow, for which it is required.
|
|||
|
STSAudience string
|
|||
|
// CredentialsFile overrides detection logic and sources a credential file
|
|||
|
// from the provided filepath. If provided, CredentialsJSON must not be.
|
|||
|
// Optional.
|
|||
|
CredentialsFile string
|
|||
|
// CredentialsJSON overrides detection logic and uses the JSON bytes as the
|
|||
|
// source for the credential. If provided, CredentialsFile must not be.
|
|||
|
// Optional.
|
|||
|
CredentialsJSON []byte
|
|||
|
// UseSelfSignedJWT directs service account based credentials to create a
|
|||
|
// self-signed JWT with the private key found in the file, skipping any
|
|||
|
// network requests that would normally be made. Optional.
|
|||
|
UseSelfSignedJWT bool
|
|||
|
// Client configures the underlying client used to make network requests
|
|||
|
// when fetching tokens. Optional.
|
|||
|
Client *http.Client
|
|||
|
// UniverseDomain is the default service domain for a given Cloud universe.
|
|||
|
// The default value is "googleapis.com". This option is ignored for
|
|||
|
// authentication flows that do not support universe domain. Optional.
|
|||
|
UniverseDomain string
|
|||
|
}
|
|||
|
|
|||
|
func (o *DetectOptions) validate() error {
|
|||
|
if o == nil {
|
|||
|
return errors.New("credentials: options must be provided")
|
|||
|
}
|
|||
|
if len(o.Scopes) > 0 && o.Audience != "" {
|
|||
|
return errors.New("credentials: both scopes and audience were provided")
|
|||
|
}
|
|||
|
if len(o.CredentialsJSON) > 0 && o.CredentialsFile != "" {
|
|||
|
return errors.New("credentials: both credentials file and JSON were provided")
|
|||
|
}
|
|||
|
return nil
|
|||
|
}
|
|||
|
|
|||
|
func (o *DetectOptions) tokenURL() string {
|
|||
|
if o.TokenURL != "" {
|
|||
|
return o.TokenURL
|
|||
|
}
|
|||
|
return googleTokenURL
|
|||
|
}
|
|||
|
|
|||
|
func (o *DetectOptions) scopes() []string {
|
|||
|
scopes := make([]string, len(o.Scopes))
|
|||
|
copy(scopes, o.Scopes)
|
|||
|
return scopes
|
|||
|
}
|
|||
|
|
|||
|
func (o *DetectOptions) client() *http.Client {
|
|||
|
if o.Client != nil {
|
|||
|
return o.Client
|
|||
|
}
|
|||
|
return internal.CloneDefaultClient()
|
|||
|
}
|
|||
|
|
|||
|
func readCredentialsFile(filename string, opts *DetectOptions) (*auth.Credentials, error) {
|
|||
|
b, err := os.ReadFile(filename)
|
|||
|
if err != nil {
|
|||
|
return nil, err
|
|||
|
}
|
|||
|
return readCredentialsFileJSON(b, opts)
|
|||
|
}
|
|||
|
|
|||
|
func readCredentialsFileJSON(b []byte, opts *DetectOptions) (*auth.Credentials, error) {
|
|||
|
// attempt to parse jsonData as a Google Developers Console client_credentials.json.
|
|||
|
config := clientCredConfigFromJSON(b, opts)
|
|||
|
if config != nil {
|
|||
|
if config.AuthHandlerOpts == nil {
|
|||
|
return nil, errors.New("credentials: auth handler must be specified for this credential filetype")
|
|||
|
}
|
|||
|
tp, err := auth.New3LOTokenProvider(config)
|
|||
|
if err != nil {
|
|||
|
return nil, err
|
|||
|
}
|
|||
|
return auth.NewCredentials(&auth.CredentialsOptions{
|
|||
|
TokenProvider: tp,
|
|||
|
JSON: b,
|
|||
|
}), nil
|
|||
|
}
|
|||
|
return fileCredentials(b, opts)
|
|||
|
}
|
|||
|
|
|||
|
func clientCredConfigFromJSON(b []byte, opts *DetectOptions) *auth.Options3LO {
|
|||
|
var creds credsfile.ClientCredentialsFile
|
|||
|
var c *credsfile.Config3LO
|
|||
|
if err := json.Unmarshal(b, &creds); err != nil {
|
|||
|
return nil
|
|||
|
}
|
|||
|
switch {
|
|||
|
case creds.Web != nil:
|
|||
|
c = creds.Web
|
|||
|
case creds.Installed != nil:
|
|||
|
c = creds.Installed
|
|||
|
default:
|
|||
|
return nil
|
|||
|
}
|
|||
|
if len(c.RedirectURIs) < 1 {
|
|||
|
return nil
|
|||
|
}
|
|||
|
var handleOpts *auth.AuthorizationHandlerOptions
|
|||
|
if opts.AuthHandlerOptions != nil {
|
|||
|
handleOpts = &auth.AuthorizationHandlerOptions{
|
|||
|
Handler: opts.AuthHandlerOptions.Handler,
|
|||
|
State: opts.AuthHandlerOptions.State,
|
|||
|
PKCEOpts: opts.AuthHandlerOptions.PKCEOpts,
|
|||
|
}
|
|||
|
}
|
|||
|
return &auth.Options3LO{
|
|||
|
ClientID: c.ClientID,
|
|||
|
ClientSecret: c.ClientSecret,
|
|||
|
RedirectURL: c.RedirectURIs[0],
|
|||
|
Scopes: opts.scopes(),
|
|||
|
AuthURL: c.AuthURI,
|
|||
|
TokenURL: c.TokenURI,
|
|||
|
Client: opts.client(),
|
|||
|
EarlyTokenExpiry: opts.EarlyTokenRefresh,
|
|||
|
AuthHandlerOpts: handleOpts,
|
|||
|
// TODO(codyoss): refactor this out. We need to add in auto-detection
|
|||
|
// for this use case.
|
|||
|
AuthStyle: auth.StyleInParams,
|
|||
|
}
|
|||
|
}
|