oauth2/google/internal/externalaccount/impersonate.go

// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package externalaccount

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"time"

	"golang.org/x/oauth2"
)

// generateAccesstokenReq is used for service account impersonation
type generateAccessTokenReq struct {
	Delegates []string `json:"delegates,omitempty"`
	Lifetime  string   `json:"lifetime,omitempty"`
	Scope     []string `json:"scope,omitempty"`
}

type impersonateTokenResponse struct {
	AccessToken string `json:"accessToken"`
	ExpireTime  string `json:"expireTime"`
}

type impersonateTokenSource struct {
	ctx context.Context
	ts  oauth2.TokenSource

	url    string
	scopes []string
}

// Token performs the exchange to get a temporary service account token to allow access to GCP.
func (its impersonateTokenSource) Token() (*oauth2.Token, error) {
	reqBody := generateAccessTokenReq{
		Lifetime: "3600s",
		Scope:    its.scopes,
	}
	b, err := json.Marshal(reqBody)
	if err != nil {
		return nil, fmt.Errorf("oauth2/google: unable to marshal request: %v", err)
	}
	client := oauth2.NewClient(its.ctx, its.ts)
	req, err := http.NewRequest("POST", its.url, bytes.NewReader(b))
	if err != nil {
		return nil, fmt.Errorf("oauth2/google: unable to create impersonation request: %v", err)
	}
	req = req.WithContext(its.ctx)
	req.Header.Set("Content-Type", "application/json")

	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("oauth2/google: unable to generate access token: %v", err)
	}
	defer resp.Body.Close()
	body, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, fmt.Errorf("oauth2/google: unable to read body: %v", err)
	}
	if c := resp.StatusCode; c < 200 || c > 299 {
		return nil, fmt.Errorf("oauth2/google: status code %d: %s", c, body)
	}

	var accessTokenResp impersonateTokenResponse
	if err := json.Unmarshal(body, &accessTokenResp); err != nil {
		return nil, fmt.Errorf("oauth2/google: unable to parse response: %v", err)
	}
	expiry, err := time.Parse(time.RFC3339, accessTokenResp.ExpireTime)
	if err != nil {
		return nil, fmt.Errorf("oauth2/google: unable to parse expiry: %v", err)
	}
	return &oauth2.Token{
		AccessToken: accessTokenResp.AccessToken,
		Expiry:      expiry,
		TokenType:   "Bearer",
	}, nil
}
google: support service account impersonation Adds support for service account impersonation when a URL for service account impersonation is provided. Change-Id: I9f3bbd6926212cecb13938fc5dac358ba56855b8 GitHub-Last-Rev: 9c218789db45e9b80bb8bec5c69539dd386d9668 GitHub-Pull-Request: golang/oauth2#468 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/285012 Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Reviewed-by: Cody Oss <codyoss@google.com> 2021-01-26 14:21:15 -05:00			`// Copyright 2021 The Go Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

			`package externalaccount`

			`import (`
			`"bytes"`
			`"context"`
			`"encoding/json"`
			`"fmt"`
			`"io"`
			`"io/ioutil"`
			`"net/http"`
			`"time"`
google/externalaccount: validate tokenURL and ServiceAccountImpersonationURL Change-Id: Iab70cc967fd97ac8e349a14760df0f8b02ddf074 GitHub-Last-Rev: ddf4dbd0b7096a0d34677047b9c3992bb6ed359b GitHub-Pull-Request: golang/oauth2#514 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/340569 Reviewed-by: Patrick Jones <ithuriel@google.com> Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Chris Broadfoot <cbro@golang.org> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org> 2021-08-12 18:59:38 -04:00
			`"golang.org/x/oauth2"`
google: support service account impersonation Adds support for service account impersonation when a URL for service account impersonation is provided. Change-Id: I9f3bbd6926212cecb13938fc5dac358ba56855b8 GitHub-Last-Rev: 9c218789db45e9b80bb8bec5c69539dd386d9668 GitHub-Pull-Request: golang/oauth2#468 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/285012 Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Reviewed-by: Cody Oss <codyoss@google.com> 2021-01-26 14:21:15 -05:00			`)`

			`// generateAccesstokenReq is used for service account impersonation`
			`type generateAccessTokenReq struct {`
			Delegates []string `json:"delegates,omitempty"`
			Lifetime string `json:"lifetime,omitempty"`
			Scope []string `json:"scope,omitempty"`
			`}`

			`type impersonateTokenResponse struct {`
			AccessToken string `json:"accessToken"`
			ExpireTime string `json:"expireTime"`
			`}`

			`type impersonateTokenSource struct {`
			`ctx context.Context`
			`ts oauth2.TokenSource`

			`url string`
			`scopes []string`
			`}`

google: add external account documentation Adds some documentation to existing public structures for third-party authentication. Change-Id: I756f5cd5619fbd752c028e99176991139fd45c60 GitHub-Last-Rev: c846ea6748d2cc15bf496bbfc41f671c264d2220 GitHub-Pull-Request: golang/oauth2#485 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/301610 Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Reviewed-by: Cody Oss <codyoss@google.com> 2021-06-22 17:08:18 -04:00			`// Token performs the exchange to get a temporary service account token to allow access to GCP.`
google: support service account impersonation Adds support for service account impersonation when a URL for service account impersonation is provided. Change-Id: I9f3bbd6926212cecb13938fc5dac358ba56855b8 GitHub-Last-Rev: 9c218789db45e9b80bb8bec5c69539dd386d9668 GitHub-Pull-Request: golang/oauth2#468 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/285012 Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Reviewed-by: Cody Oss <codyoss@google.com> 2021-01-26 14:21:15 -05:00			`func (its impersonateTokenSource) Token() (*oauth2.Token, error) {`
			`reqBody := generateAccessTokenReq{`
			`Lifetime: "3600s",`
			`Scope: its.scopes,`
			`}`
			`b, err := json.Marshal(reqBody)`
			`if err != nil {`
			`return nil, fmt.Errorf("oauth2/google: unable to marshal request: %v", err)`
			`}`
			`client := oauth2.NewClient(its.ctx, its.ts)`
			`req, err := http.NewRequest("POST", its.url, bytes.NewReader(b))`
			`if err != nil {`
			`return nil, fmt.Errorf("oauth2/google: unable to create impersonation request: %v", err)`
			`}`
			`req = req.WithContext(its.ctx)`
			`req.Header.Set("Content-Type", "application/json")`

			`resp, err := client.Do(req)`
			`if err != nil {`
			`return nil, fmt.Errorf("oauth2/google: unable to generate access token: %v", err)`
			`}`
			`defer resp.Body.Close()`
			`body, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))`
			`if err != nil {`
			`return nil, fmt.Errorf("oauth2/google: unable to read body: %v", err)`
			`}`
			`if c := resp.StatusCode; c < 200 \|\| c > 299 {`
			`return nil, fmt.Errorf("oauth2/google: status code %d: %s", c, body)`
			`}`

			`var accessTokenResp impersonateTokenResponse`
			`if err := json.Unmarshal(body, &accessTokenResp); err != nil {`
			`return nil, fmt.Errorf("oauth2/google: unable to parse response: %v", err)`
			`}`
			`expiry, err := time.Parse(time.RFC3339, accessTokenResp.ExpireTime)`
			`if err != nil {`
			`return nil, fmt.Errorf("oauth2/google: unable to parse expiry: %v", err)`
			`}`
			`return &oauth2.Token{`
			`AccessToken: accessTokenResp.AccessToken,`
			`Expiry: expiry,`
			`TokenType: "Bearer",`
			`}, nil`
			`}`