2021-01-12 14:45:47 -05:00
|
|
|
// Copyright 2020 The Go Authors. All rights reserved.
|
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
|
|
package externalaccount
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"fmt"
|
|
|
|
|
"net/http"
|
2021-08-12 18:59:38 -04:00
|
|
|
"net/url"
|
|
|
|
|
"regexp"
|
2021-02-01 11:26:06 -05:00
|
|
|
"strconv"
|
2021-08-12 18:59:38 -04:00
|
|
|
"strings"
|
2021-01-12 14:45:47 -05:00
|
|
|
"time"
|
2021-08-12 18:59:38 -04:00
|
|
|
|
|
|
|
|
"golang.org/x/oauth2"
|
2021-01-12 14:45:47 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// now aliases time.Now for testing
|
2021-03-11 10:33:11 -05:00
|
|
|
var now = func() time.Time {
|
|
|
|
|
return time.Now().UTC()
|
|
|
|
|
}
|
2021-01-12 14:45:47 -05:00
|
|
|
|
|
|
|
|
// Config stores the configuration for fetching tokens with external credentials.
|
|
|
|
|
type Config struct {
|
2021-06-22 17:08:18 -04:00
|
|
|
// Audience is the Secure Token Service (STS) audience which contains the resource name for the workload
|
|
|
|
|
// identity pool or the workforce pool and the provider identifier in that pool.
|
2021-08-12 18:59:38 -04:00
|
|
|
Audience string
|
2021-06-22 17:08:18 -04:00
|
|
|
// SubjectTokenType is the STS token type based on the Oauth2.0 token exchange spec
|
|
|
|
|
// e.g. `urn:ietf:params:oauth:token-type:jwt`.
|
2021-08-12 18:59:38 -04:00
|
|
|
SubjectTokenType string
|
2021-06-22 17:08:18 -04:00
|
|
|
// TokenURL is the STS token exchange endpoint.
|
2021-08-12 18:59:38 -04:00
|
|
|
TokenURL string
|
2021-06-22 17:08:18 -04:00
|
|
|
// TokenInfoURL is the token_info endpoint used to retrieve the account related information (
|
|
|
|
|
// user attributes like account identifier, eg. email, username, uid, etc). This is
|
|
|
|
|
// needed for gCloud session account identification.
|
2021-08-12 18:59:38 -04:00
|
|
|
TokenInfoURL string
|
2021-06-22 17:08:18 -04:00
|
|
|
// ServiceAccountImpersonationURL is the URL for the service account impersonation request. This is only
|
|
|
|
|
// required for workload identity pools when APIs to be accessed have not integrated with UberMint.
|
2021-01-12 14:45:47 -05:00
|
|
|
ServiceAccountImpersonationURL string
|
2021-06-22 17:08:18 -04:00
|
|
|
// ClientSecret is currently only required if token_info endpoint also
|
|
|
|
|
// needs to be called with the generated GCP access token. When provided, STS will be
|
|
|
|
|
// called with additional basic authentication using client_id as username and client_secret as password.
|
2021-08-12 18:59:38 -04:00
|
|
|
ClientSecret string
|
2021-06-22 17:08:18 -04:00
|
|
|
// ClientID is only required in conjunction with ClientSecret, as described above.
|
2021-08-12 18:59:38 -04:00
|
|
|
ClientID string
|
2021-06-22 17:08:18 -04:00
|
|
|
// CredentialSource contains the necessary information to retrieve the token itself, as well
|
|
|
|
|
// as some environmental information.
|
2021-08-12 18:59:38 -04:00
|
|
|
CredentialSource CredentialSource
|
2021-06-22 17:08:18 -04:00
|
|
|
// QuotaProjectID is injected by gCloud. If the value is non-empty, the Auth libraries
|
|
|
|
|
// will set the x-goog-user-project which overrides the project associated with the credentials.
|
2021-08-12 18:59:38 -04:00
|
|
|
QuotaProjectID string
|
2021-06-22 17:08:18 -04:00
|
|
|
// Scopes contains the desired scopes for the returned access token.
|
2021-08-12 18:59:38 -04:00
|
|
|
Scopes []string
|
2021-10-05 10:39:06 -04:00
|
|
|
// The optional workforce pool user project number when the credential
|
|
|
|
|
// corresponds to a workforce pool and not a workload identity pool.
|
|
|
|
|
// The underlying principal must still have serviceusage.services.use IAM
|
|
|
|
|
// permission to use the project for billing/quota.
|
|
|
|
|
WorkforcePoolUserProject string
|
2021-08-12 18:59:38 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Each element consists of a list of patterns. validateURLs checks for matches
|
|
|
|
|
// that include all elements in a given list, in that order.
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
validTokenURLPatterns = []*regexp.Regexp{
|
|
|
|
|
// The complicated part in the middle matches any number of characters that
|
|
|
|
|
// aren't period, spaces, or slashes.
|
|
|
|
|
regexp.MustCompile(`(?i)^[^\.\s\/\\]+\.sts\.googleapis\.com$`),
|
|
|
|
|
regexp.MustCompile(`(?i)^sts\.googleapis\.com$`),
|
|
|
|
|
regexp.MustCompile(`(?i)^sts\.[^\.\s\/\\]+\.googleapis\.com$`),
|
|
|
|
|
regexp.MustCompile(`(?i)^[^\.\s\/\\]+-sts\.googleapis\.com$`),
|
|
|
|
|
}
|
|
|
|
|
validImpersonateURLPatterns = []*regexp.Regexp{
|
|
|
|
|
regexp.MustCompile(`^[^\.\s\/\\]+\.iamcredentials\.googleapis\.com$`),
|
|
|
|
|
regexp.MustCompile(`^iamcredentials\.googleapis\.com$`),
|
|
|
|
|
regexp.MustCompile(`^iamcredentials\.[^\.\s\/\\]+\.googleapis\.com$`),
|
|
|
|
|
regexp.MustCompile(`^[^\.\s\/\\]+-iamcredentials\.googleapis\.com$`),
|
|
|
|
|
}
|
2021-10-05 10:39:06 -04:00
|
|
|
validWorkforceAudiencePattern *regexp.Regexp = regexp.MustCompile(`//iam\.googleapis\.com/locations/[^/]+/workforcePools/`)
|
2021-08-12 18:59:38 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func validateURL(input string, patterns []*regexp.Regexp, scheme string) bool {
|
|
|
|
|
parsed, err := url.Parse(input)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
if !strings.EqualFold(parsed.Scheme, scheme) {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
toTest := parsed.Host
|
|
|
|
|
|
|
|
|
|
for _, pattern := range patterns {
|
2021-10-05 10:39:06 -04:00
|
|
|
if pattern.MatchString(toTest) {
|
2021-08-12 18:59:38 -04:00
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false
|
2021-01-12 14:45:47 -05:00
|
|
|
}
|
|
|
|
|
|
2021-10-05 10:39:06 -04:00
|
|
|
func validateWorkforceAudience(input string) bool {
|
|
|
|
|
return validWorkforceAudiencePattern.MatchString(input)
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-12 14:45:47 -05:00
|
|
|
// TokenSource Returns an external account TokenSource struct. This is to be called by package google to construct a google.Credentials.
|
2021-08-12 18:59:38 -04:00
|
|
|
func (c *Config) TokenSource(ctx context.Context) (oauth2.TokenSource, error) {
|
|
|
|
|
return c.tokenSource(ctx, validTokenURLPatterns, validImpersonateURLPatterns, "https")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// tokenSource is a private function that's directly called by some of the tests,
|
|
|
|
|
// because the unit test URLs are mocked, and would otherwise fail the
|
|
|
|
|
// validity check.
|
|
|
|
|
func (c *Config) tokenSource(ctx context.Context, tokenURLValidPats []*regexp.Regexp, impersonateURLValidPats []*regexp.Regexp, scheme string) (oauth2.TokenSource, error) {
|
|
|
|
|
valid := validateURL(c.TokenURL, tokenURLValidPats, scheme)
|
|
|
|
|
if !valid {
|
|
|
|
|
return nil, fmt.Errorf("oauth2/google: invalid TokenURL provided while constructing tokenSource")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if c.ServiceAccountImpersonationURL != "" {
|
|
|
|
|
valid := validateURL(c.ServiceAccountImpersonationURL, impersonateURLValidPats, scheme)
|
|
|
|
|
if !valid {
|
|
|
|
|
return nil, fmt.Errorf("oauth2/google: invalid ServiceAccountImpersonationURL provided while constructing tokenSource")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-05 10:39:06 -04:00
|
|
|
if c.WorkforcePoolUserProject != "" {
|
|
|
|
|
valid := validateWorkforceAudience(c.Audience)
|
|
|
|
|
if !valid {
|
|
|
|
|
return nil, fmt.Errorf("oauth2/google: workforce_pool_user_project should not be set for non-workforce pool credentials")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-12 14:45:47 -05:00
|
|
|
ts := tokenSource{
|
|
|
|
|
ctx: ctx,
|
|
|
|
|
conf: c,
|
|
|
|
|
}
|
2021-01-26 14:21:15 -05:00
|
|
|
if c.ServiceAccountImpersonationURL == "" {
|
2021-08-12 18:59:38 -04:00
|
|
|
return oauth2.ReuseTokenSource(nil, ts), nil
|
2021-01-26 14:21:15 -05:00
|
|
|
}
|
|
|
|
|
scopes := c.Scopes
|
|
|
|
|
ts.conf.Scopes = []string{"https://www.googleapis.com/auth/cloud-platform"}
|
2021-08-23 04:52:40 -04:00
|
|
|
imp := ImpersonateTokenSource{
|
|
|
|
|
Ctx: ctx,
|
2021-09-15 04:15:15 -04:00
|
|
|
URL: c.ServiceAccountImpersonationURL,
|
2021-08-23 04:52:40 -04:00
|
|
|
Scopes: scopes,
|
|
|
|
|
Ts: oauth2.ReuseTokenSource(nil, ts),
|
2021-01-26 14:21:15 -05:00
|
|
|
}
|
2021-08-12 18:59:38 -04:00
|
|
|
return oauth2.ReuseTokenSource(nil, imp), nil
|
2021-01-12 14:45:47 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Subject token file types.
|
|
|
|
|
const (
|
|
|
|
|
fileTypeText = "text"
|
|
|
|
|
fileTypeJSON = "json"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type format struct {
|
2021-08-12 18:59:38 -04:00
|
|
|
// Type is either "text" or "json". When not provided "text" type is assumed.
|
2021-01-12 14:45:47 -05:00
|
|
|
Type string `json:"type"`
|
2021-08-12 18:59:38 -04:00
|
|
|
// SubjectTokenFieldName is only required for JSON format. This would be "access_token" for azure.
|
2021-01-12 14:45:47 -05:00
|
|
|
SubjectTokenFieldName string `json:"subject_token_field_name"`
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// CredentialSource stores the information necessary to retrieve the credentials for the STS exchange.
|
2021-06-22 17:08:18 -04:00
|
|
|
// Either the File or the URL field should be filled, depending on the kind of credential in question.
|
|
|
|
|
// The EnvironmentID should start with AWS if being used for an AWS credential.
|
2021-01-12 14:45:47 -05:00
|
|
|
type CredentialSource struct {
|
|
|
|
|
File string `json:"file"`
|
|
|
|
|
|
|
|
|
|
URL string `json:"url"`
|
|
|
|
|
Headers map[string]string `json:"headers"`
|
|
|
|
|
|
|
|
|
|
EnvironmentID string `json:"environment_id"`
|
|
|
|
|
RegionURL string `json:"region_url"`
|
|
|
|
|
RegionalCredVerificationURL string `json:"regional_cred_verification_url"`
|
|
|
|
|
CredVerificationURL string `json:"cred_verification_url"`
|
|
|
|
|
Format format `json:"format"`
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// parse determines the type of CredentialSource needed
|
2021-02-01 11:26:06 -05:00
|
|
|
func (c *Config) parse(ctx context.Context) (baseCredentialSource, error) {
|
|
|
|
|
if len(c.CredentialSource.EnvironmentID) > 3 && c.CredentialSource.EnvironmentID[:3] == "aws" {
|
|
|
|
|
if awsVersion, err := strconv.Atoi(c.CredentialSource.EnvironmentID[3:]); err == nil {
|
|
|
|
|
if awsVersion != 1 {
|
|
|
|
|
return nil, fmt.Errorf("oauth2/google: aws version '%d' is not supported in the current build", awsVersion)
|
|
|
|
|
}
|
|
|
|
|
return awsCredentialSource{
|
|
|
|
|
EnvironmentID: c.CredentialSource.EnvironmentID,
|
|
|
|
|
RegionURL: c.CredentialSource.RegionURL,
|
|
|
|
|
RegionalCredVerificationURL: c.CredentialSource.RegionalCredVerificationURL,
|
|
|
|
|
CredVerificationURL: c.CredentialSource.URL,
|
|
|
|
|
TargetResource: c.Audience,
|
|
|
|
|
ctx: ctx,
|
|
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
} else if c.CredentialSource.File != "" {
|
|
|
|
|
return fileCredentialSource{File: c.CredentialSource.File, Format: c.CredentialSource.Format}, nil
|
2021-01-13 15:38:24 -05:00
|
|
|
} else if c.CredentialSource.URL != "" {
|
2021-02-12 15:04:54 -05:00
|
|
|
return urlCredentialSource{URL: c.CredentialSource.URL, Headers: c.CredentialSource.Headers, Format: c.CredentialSource.Format, ctx: ctx}, nil
|
2021-01-12 14:45:47 -05:00
|
|
|
}
|
2021-02-01 11:26:06 -05:00
|
|
|
return nil, fmt.Errorf("oauth2/google: unable to parse credential source")
|
2021-01-12 14:45:47 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type baseCredentialSource interface {
|
|
|
|
|
subjectToken() (string, error)
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-12 18:59:38 -04:00
|
|
|
// tokenSource is the source that handles external credentials. It is used to retrieve Tokens.
|
2021-01-12 14:45:47 -05:00
|
|
|
type tokenSource struct {
|
|
|
|
|
ctx context.Context
|
|
|
|
|
conf *Config
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Token allows tokenSource to conform to the oauth2.TokenSource interface.
|
|
|
|
|
func (ts tokenSource) Token() (*oauth2.Token, error) {
|
|
|
|
|
conf := ts.conf
|
|
|
|
|
|
2021-02-01 11:26:06 -05:00
|
|
|
credSource, err := conf.parse(ts.ctx)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2021-01-12 14:45:47 -05:00
|
|
|
}
|
|
|
|
|
subjectToken, err := credSource.subjectToken()
|
2021-02-01 11:26:06 -05:00
|
|
|
|
2021-01-12 14:45:47 -05:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2021-02-18 15:18:54 -05:00
|
|
|
stsRequest := stsTokenExchangeRequest{
|
2021-01-12 14:45:47 -05:00
|
|
|
GrantType: "urn:ietf:params:oauth:grant-type:token-exchange",
|
|
|
|
|
Audience: conf.Audience,
|
|
|
|
|
Scope: conf.Scopes,
|
|
|
|
|
RequestedTokenType: "urn:ietf:params:oauth:token-type:access_token",
|
|
|
|
|
SubjectToken: subjectToken,
|
|
|
|
|
SubjectTokenType: conf.SubjectTokenType,
|
|
|
|
|
}
|
|
|
|
|
header := make(http.Header)
|
|
|
|
|
header.Add("Content-Type", "application/x-www-form-urlencoded")
|
2021-02-18 15:18:54 -05:00
|
|
|
clientAuth := clientAuthentication{
|
2021-01-12 14:45:47 -05:00
|
|
|
AuthStyle: oauth2.AuthStyleInHeader,
|
|
|
|
|
ClientID: conf.ClientID,
|
|
|
|
|
ClientSecret: conf.ClientSecret,
|
|
|
|
|
}
|
2021-10-05 10:39:06 -04:00
|
|
|
var options map[string]interface{}
|
|
|
|
|
// Do not pass workforce_pool_user_project when client authentication is used.
|
|
|
|
|
// The client ID is sufficient for determining the user project.
|
|
|
|
|
if conf.WorkforcePoolUserProject != "" && conf.ClientID == "" {
|
|
|
|
|
options = map[string]interface{}{
|
|
|
|
|
"userProject": conf.WorkforcePoolUserProject,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
stsResp, err := exchangeToken(ts.ctx, conf.TokenURL, &stsRequest, clientAuth, header, options)
|
2021-01-12 14:45:47 -05:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
accessToken := &oauth2.Token{
|
|
|
|
|
AccessToken: stsResp.AccessToken,
|
|
|
|
|
TokenType: stsResp.TokenType,
|
|
|
|
|
}
|
|
|
|
|
if stsResp.ExpiresIn < 0 {
|
|
|
|
|
return nil, fmt.Errorf("oauth2/google: got invalid expiry from security token service")
|
|
|
|
|
} else if stsResp.ExpiresIn >= 0 {
|
|
|
|
|
accessToken.Expiry = now().Add(time.Duration(stsResp.ExpiresIn) * time.Second)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if stsResp.RefreshToken != "" {
|
|
|
|
|
accessToken.RefreshToken = stsResp.RefreshToken
|
|
|
|
|
}
|
|
|
|
|
return accessToken, nil
|
|
|
|
|
}
|
