2021-06-09 13:46:53 -04:00
|
|
|
package downscoped
|
|
|
|
|
|
|
|
import (
|
2021-06-09 17:25:06 -04:00
|
|
|
"context"
|
2021-06-09 13:46:53 -04:00
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
|
|
|
"golang.org/x/oauth2"
|
|
|
|
"net/http"
|
|
|
|
"net/url"
|
|
|
|
"time"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
2021-06-09 17:25:06 -04:00
|
|
|
identityBindingEndpoint = "https://sts.googleapis.com/v1beta/token"
|
2021-06-09 13:46:53 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
// Defines an upper bound of permissions available for a GCP credential for one or more resources
|
|
|
|
type AccessBoundary struct {
|
2021-06-09 17:25:06 -04:00
|
|
|
// One or more AccessBoundaryRules are required to define permissions for the new downscoped token
|
2021-06-09 13:46:53 -04:00
|
|
|
AccessBoundaryRules []AccessBoundaryRule `json:"accessBoundaryRules"`
|
|
|
|
}
|
|
|
|
|
|
|
|
type AvailabilityCondition struct {
|
|
|
|
Title string `json:"title,omitempty"`
|
|
|
|
Expression string `json:"expression"`
|
|
|
|
Description string `json:"description,omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
type AccessBoundaryRule struct {
|
|
|
|
AvailableResource string `json:"availableResource"`
|
|
|
|
AvailablePermissions []string `json:"availablePermissions"`
|
|
|
|
Condition *AvailabilityCondition `json:"availabilityCondition,omitempty"`
|
|
|
|
}
|
|
|
|
|
2021-06-09 17:25:06 -04:00
|
|
|
type downscopedTokenResponse struct {
|
2021-06-09 13:46:53 -04:00
|
|
|
AccessToken string `json:"access_token"`
|
|
|
|
IssuedTokenType string `json:"issued_token_type"`
|
|
|
|
TokenType string `json:"token_type"`
|
|
|
|
ExpiresIn int `json:"expires_in"`
|
|
|
|
}
|
|
|
|
|
|
|
|
type DownscopingConfig struct {
|
|
|
|
RootSource oauth2.TokenSource
|
|
|
|
CredentialAccessBoundary AccessBoundary
|
|
|
|
}
|
|
|
|
|
2021-06-09 17:25:06 -04:00
|
|
|
func downscopedTokenWithEndpoint(ctx context.Context, config DownscopingConfig, endpoint string) (oauth2.TokenSource, error) {
|
2021-06-09 13:46:53 -04:00
|
|
|
if config.RootSource == nil {
|
2021-06-09 17:25:06 -04:00
|
|
|
return nil, fmt.Errorf("oauth2/google/downscoped: rootTokenSource cannot be nil")
|
2021-06-09 13:46:53 -04:00
|
|
|
}
|
|
|
|
if len(config.CredentialAccessBoundary.AccessBoundaryRules) == 0 {
|
2021-06-09 17:25:06 -04:00
|
|
|
return nil, fmt.Errorf("oauth2/google/downscoped: length of AccessBoundaryRules must be at least 1")
|
2021-06-09 13:46:53 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
downscopedOptions := struct {
|
|
|
|
Boundary AccessBoundary `json:"accessBoundary"`
|
|
|
|
}{
|
|
|
|
Boundary: config.CredentialAccessBoundary,
|
|
|
|
}
|
|
|
|
|
|
|
|
tok, err := config.RootSource.Token()
|
|
|
|
if err != nil {
|
2021-06-09 17:25:06 -04:00
|
|
|
return nil, fmt.Errorf("oauth2/google/downscoped: unable to refresh root token %v", err)
|
2021-06-09 13:46:53 -04:00
|
|
|
}
|
|
|
|
|
2021-06-09 17:25:06 -04:00
|
|
|
b, err := json.Marshal(downscopedOptions)
|
2021-06-09 13:46:53 -04:00
|
|
|
if err != nil {
|
2021-06-09 17:25:06 -04:00
|
|
|
return nil, fmt.Errorf("oauth2/google/downscoped: Unable to marshall AccessBoundary payload %v", err)
|
2021-06-09 13:46:53 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
form := url.Values{}
|
|
|
|
form.Add("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
|
|
|
|
form.Add("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
|
|
|
|
form.Add("requested_token_type", "urn:ietf:params:oauth:token-type:access_token")
|
|
|
|
form.Add("subject_token", tok.AccessToken)
|
|
|
|
form.Add("options", url.QueryEscape(string(b)))
|
|
|
|
|
2021-06-09 17:25:06 -04:00
|
|
|
myClient := oauth2.NewClient(ctx, nil)
|
|
|
|
resp, err := myClient.PostForm(endpoint, form)
|
2021-06-09 13:46:53 -04:00
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("unable to generate POST Request %v", err)
|
|
|
|
}
|
2021-06-09 17:25:06 -04:00
|
|
|
defer resp.Body.Close()
|
2021-06-09 13:46:53 -04:00
|
|
|
|
2021-06-09 17:25:06 -04:00
|
|
|
var tresp downscopedTokenResponse
|
|
|
|
err = json.NewDecoder(resp.Body).Decode(&tresp)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("unable to unmarshal response body: %v", err)
|
|
|
|
}
|
2021-06-09 13:46:53 -04:00
|
|
|
if resp.StatusCode != http.StatusOK {
|
2021-06-09 17:25:06 -04:00
|
|
|
return nil, fmt.Errorf("unable to exchange token %v", tresp)
|
2021-06-09 13:46:53 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// an exchanged token that is derived from a service account (2LO) has an expired_in value
|
|
|
|
// a token derived from a users token (3LO) does not.
|
|
|
|
// The following code uses the time remaining on rootToken for a user as the value for the
|
|
|
|
// derived token's lifetime
|
|
|
|
var expiry_time time.Time
|
|
|
|
if tresp.ExpiresIn > 0 {
|
|
|
|
expiry_time = time.Now().Add(time.Duration(time.Duration(tresp.ExpiresIn) * time.Second))
|
|
|
|
} else {
|
|
|
|
expiry_time = tok.Expiry
|
|
|
|
}
|
|
|
|
|
|
|
|
newToken := &oauth2.Token{
|
|
|
|
AccessToken: tresp.AccessToken,
|
|
|
|
TokenType: tresp.TokenType,
|
|
|
|
Expiry: expiry_time,
|
|
|
|
}
|
|
|
|
return oauth2.StaticTokenSource(newToken), nil
|
|
|
|
}
|
|
|
|
|
2021-06-09 17:25:06 -04:00
|
|
|
func NewDownscopedTokenSource(ctx context.Context, config DownscopingConfig) (oauth2.TokenSource, error) {
|
|
|
|
return downscopedTokenWithEndpoint(ctx, config, identityBindingEndpoint)
|
2021-06-09 13:46:53 -04:00
|
|
|
}
|