forked from Mirrors/oauth2
Merge branch 'master' into master
This commit is contained in:
commit
3045b9f9df
|
@ -4,9 +4,9 @@
|
|||
|
||||
// Package google provides support for making OAuth2 authorized and authenticated
|
||||
// HTTP requests to Google APIs. It supports the Web server flow, client-side
|
||||
// credentials, service accounts, Google Compute Engine service accounts, Google
|
||||
// App Engine service accounts and workload identity federation from non-Google
|
||||
// cloud platforms.
|
||||
// credentials, service accounts, Google Compute Engine service accounts,
|
||||
// Google App Engine service accounts and workload identity federation
|
||||
// from non-Google cloud platforms.
|
||||
//
|
||||
// A brief overview of the package follows. For more information, please read
|
||||
// https://developers.google.com/accounts/docs/OAuth2
|
||||
|
|
|
@ -13,7 +13,6 @@ import (
|
|||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"golang.org/x/oauth2"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
|
@ -23,6 +22,8 @@ import (
|
|||
"sort"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"golang.org/x/oauth2"
|
||||
)
|
||||
|
||||
type awsSecurityCredentials struct {
|
||||
|
@ -343,6 +344,9 @@ func (cs *awsCredentialSource) getRegion() (string, error) {
|
|||
if envAwsRegion := getenv("AWS_REGION"); envAwsRegion != "" {
|
||||
return envAwsRegion, nil
|
||||
}
|
||||
if envAwsRegion := getenv("AWS_DEFAULT_REGION"); envAwsRegion != "" {
|
||||
return envAwsRegion, nil
|
||||
}
|
||||
|
||||
if cs.RegionURL == "" {
|
||||
return "", errors.New("oauth2/google: unable to determine AWS region")
|
||||
|
|
|
@ -638,6 +638,81 @@ func TestAwsCredential_BasicRequestWithEnv(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestAwsCredential_BasicRequestWithDefaultEnv(t *testing.T) {
|
||||
server := createDefaultAwsTestServer()
|
||||
ts := httptest.NewServer(server)
|
||||
|
||||
tfc := testFileConfig
|
||||
tfc.CredentialSource = server.getCredentialSource(ts.URL)
|
||||
|
||||
oldGetenv := getenv
|
||||
defer func() { getenv = oldGetenv }()
|
||||
getenv = setEnvironment(map[string]string{
|
||||
"AWS_ACCESS_KEY_ID": "AKIDEXAMPLE",
|
||||
"AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
|
||||
"AWS_DEFAULT_REGION": "us-west-1",
|
||||
})
|
||||
|
||||
base, err := tfc.parse(context.Background())
|
||||
if err != nil {
|
||||
t.Fatalf("parse() failed %v", err)
|
||||
}
|
||||
|
||||
out, err := base.subjectToken()
|
||||
if err != nil {
|
||||
t.Fatalf("retrieveSubjectToken() failed: %v", err)
|
||||
}
|
||||
expected := getExpectedSubjectToken(
|
||||
"https://sts.us-west-1.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
|
||||
"us-west-1",
|
||||
"AKIDEXAMPLE",
|
||||
"wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
|
||||
"",
|
||||
)
|
||||
|
||||
if got, want := out, expected; !reflect.DeepEqual(got, want) {
|
||||
t.Errorf("subjectToken = %q, want %q", got, want)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAwsCredential_BasicRequestWithTwoRegions(t *testing.T) {
|
||||
server := createDefaultAwsTestServer()
|
||||
ts := httptest.NewServer(server)
|
||||
|
||||
tfc := testFileConfig
|
||||
tfc.CredentialSource = server.getCredentialSource(ts.URL)
|
||||
|
||||
oldGetenv := getenv
|
||||
defer func() { getenv = oldGetenv }()
|
||||
getenv = setEnvironment(map[string]string{
|
||||
"AWS_ACCESS_KEY_ID": "AKIDEXAMPLE",
|
||||
"AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
|
||||
"AWS_REGION": "us-west-1",
|
||||
"AWS_DEFAULT_REGION": "us-east-1",
|
||||
})
|
||||
|
||||
base, err := tfc.parse(context.Background())
|
||||
if err != nil {
|
||||
t.Fatalf("parse() failed %v", err)
|
||||
}
|
||||
|
||||
out, err := base.subjectToken()
|
||||
if err != nil {
|
||||
t.Fatalf("retrieveSubjectToken() failed: %v", err)
|
||||
}
|
||||
expected := getExpectedSubjectToken(
|
||||
"https://sts.us-west-1.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
|
||||
"us-west-1",
|
||||
"AKIDEXAMPLE",
|
||||
"wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
|
||||
"",
|
||||
)
|
||||
|
||||
if got, want := out, expected; !reflect.DeepEqual(got, want) {
|
||||
t.Errorf("subjectToken = %q, want %q", got, want)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAwsCredential_RequestWithBadVersion(t *testing.T) {
|
||||
server := createDefaultAwsTestServer()
|
||||
ts := httptest.NewServer(server)
|
||||
|
|
|
@ -20,15 +20,34 @@ var now = func() time.Time {
|
|||
|
||||
// Config stores the configuration for fetching tokens with external credentials.
|
||||
type Config struct {
|
||||
// Audience is the Secure Token Service (STS) audience which contains the resource name for the workload
|
||||
// identity pool or the workforce pool and the provider identifier in that pool.
|
||||
Audience string
|
||||
// SubjectTokenType is the STS token type based on the Oauth2.0 token exchange spec
|
||||
// e.g. `urn:ietf:params:oauth:token-type:jwt`.
|
||||
SubjectTokenType string
|
||||
// TokenURL is the STS token exchange endpoint.
|
||||
TokenURL string
|
||||
// TokenInfoURL is the token_info endpoint used to retrieve the account related information (
|
||||
// user attributes like account identifier, eg. email, username, uid, etc). This is
|
||||
// needed for gCloud session account identification.
|
||||
TokenInfoURL string
|
||||
// ServiceAccountImpersonationURL is the URL for the service account impersonation request. This is only
|
||||
// required for workload identity pools when APIs to be accessed have not integrated with UberMint.
|
||||
ServiceAccountImpersonationURL string
|
||||
// ClientSecret is currently only required if token_info endpoint also
|
||||
// needs to be called with the generated GCP access token. When provided, STS will be
|
||||
// called with additional basic authentication using client_id as username and client_secret as password.
|
||||
ClientSecret string
|
||||
// ClientID is only required in conjunction with ClientSecret, as described above.
|
||||
ClientID string
|
||||
// CredentialSource contains the necessary information to retrieve the token itself, as well
|
||||
// as some environmental information.
|
||||
CredentialSource CredentialSource
|
||||
// QuotaProjectID is injected by gCloud. If the value is non-empty, the Auth libraries
|
||||
// will set the x-goog-user-project which overrides the project associated with the credentials.
|
||||
QuotaProjectID string
|
||||
// Scopes contains the desired scopes for the returned access token.
|
||||
Scopes []string
|
||||
}
|
||||
|
||||
|
@ -66,6 +85,8 @@ type format struct {
|
|||
}
|
||||
|
||||
// CredentialSource stores the information necessary to retrieve the credentials for the STS exchange.
|
||||
// Either the File or the URL field should be filled, depending on the kind of credential in question.
|
||||
// The EnvironmentID should start with AWS if being used for an AWS credential.
|
||||
type CredentialSource struct {
|
||||
File string `json:"file"`
|
||||
|
||||
|
@ -107,7 +128,7 @@ type baseCredentialSource interface {
|
|||
subjectToken() (string, error)
|
||||
}
|
||||
|
||||
// tokenSource is the source that handles external credentials.
|
||||
// tokenSource is the source that handles external credentials. It is used to retrieve Tokens.
|
||||
type tokenSource struct {
|
||||
ctx context.Context
|
||||
conf *Config
|
||||
|
|
|
@ -19,6 +19,9 @@ type clientAuthentication struct {
|
|||
ClientSecret string
|
||||
}
|
||||
|
||||
// InjectAuthentication is used to add authentication to a Secure Token Service exchange
|
||||
// request. It modifies either the passed url.Values or http.Header depending on the desired
|
||||
// authentication format.
|
||||
func (c *clientAuthentication) InjectAuthentication(values url.Values, headers http.Header) {
|
||||
if c.ClientID == "" || c.ClientSecret == "" || values == nil || headers == nil {
|
||||
return
|
||||
|
|
|
@ -36,7 +36,7 @@ type impersonateTokenSource struct {
|
|||
scopes []string
|
||||
}
|
||||
|
||||
// Token performs the exchange to get a temporary service account
|
||||
// Token performs the exchange to get a temporary service account token to allow access to GCP.
|
||||
func (its impersonateTokenSource) Token() (*oauth2.Token, error) {
|
||||
reqBody := generateAccessTokenReq{
|
||||
Lifetime: "3600s",
|
||||
|
|
|
@ -7,7 +7,6 @@ package externalaccount
|
|||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
@ -20,7 +19,6 @@ func TestRetrieveURLSubjectToken_Text(t *testing.T) {
|
|||
if r.Method != "GET" {
|
||||
t.Errorf("Unexpected request method, %v is found", r.Method)
|
||||
}
|
||||
fmt.Println(r.Header)
|
||||
if r.Header.Get("Metadata") != "True" {
|
||||
t.Errorf("Metadata header not properly included.")
|
||||
}
|
||||
|
|
|
@ -7,6 +7,7 @@ package google
|
|||
import (
|
||||
"crypto/rsa"
|
||||
"fmt"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"golang.org/x/oauth2"
|
||||
|
@ -24,6 +25,28 @@ import (
|
|||
// optimization supported by a few Google services.
|
||||
// Unless you know otherwise, you should use JWTConfigFromJSON instead.
|
||||
func JWTAccessTokenSourceFromJSON(jsonKey []byte, audience string) (oauth2.TokenSource, error) {
|
||||
return newJWTSource(jsonKey, audience, nil)
|
||||
}
|
||||
|
||||
// JWTAccessTokenSourceWithScope uses a Google Developers service account JSON
|
||||
// key file to read the credentials that authorize and authenticate the
|
||||
// requests, and returns a TokenSource that does not use any OAuth2 flow but
|
||||
// instead creates a JWT and sends that as the access token.
|
||||
// The scope is typically a list of URLs that specifies the scope of the
|
||||
// credentials.
|
||||
//
|
||||
// Note that this is not a standard OAuth flow, but rather an
|
||||
// optimization supported by a few Google services.
|
||||
// Unless you know otherwise, you should use JWTConfigFromJSON instead.
|
||||
func JWTAccessTokenSourceWithScope(jsonKey []byte, scope ...string) (oauth2.TokenSource, error) {
|
||||
return newJWTSource(jsonKey, "", scope)
|
||||
}
|
||||
|
||||
func newJWTSource(jsonKey []byte, audience string, scopes []string) (oauth2.TokenSource, error) {
|
||||
if len(scopes) == 0 && audience == "" {
|
||||
return nil, fmt.Errorf("google: missing scope/audience for JWT access token")
|
||||
}
|
||||
|
||||
cfg, err := JWTConfigFromJSON(jsonKey)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("google: could not parse JSON key: %v", err)
|
||||
|
@ -35,6 +58,7 @@ func JWTAccessTokenSourceFromJSON(jsonKey []byte, audience string) (oauth2.Token
|
|||
ts := &jwtAccessTokenSource{
|
||||
email: cfg.Email,
|
||||
audience: audience,
|
||||
scopes: scopes,
|
||||
pk: pk,
|
||||
pkID: cfg.PrivateKeyID,
|
||||
}
|
||||
|
@ -47,6 +71,7 @@ func JWTAccessTokenSourceFromJSON(jsonKey []byte, audience string) (oauth2.Token
|
|||
|
||||
type jwtAccessTokenSource struct {
|
||||
email, audience string
|
||||
scopes []string
|
||||
pk *rsa.PrivateKey
|
||||
pkID string
|
||||
}
|
||||
|
@ -54,12 +79,14 @@ type jwtAccessTokenSource struct {
|
|||
func (ts *jwtAccessTokenSource) Token() (*oauth2.Token, error) {
|
||||
iat := time.Now()
|
||||
exp := iat.Add(time.Hour)
|
||||
scope := strings.Join(ts.scopes, " ")
|
||||
cs := &jws.ClaimSet{
|
||||
Iss: ts.email,
|
||||
Sub: ts.email,
|
||||
Aud: ts.audience,
|
||||
Iat: iat.Unix(),
|
||||
Exp: exp.Unix(),
|
||||
Iss: ts.email,
|
||||
Sub: ts.email,
|
||||
Aud: ts.audience,
|
||||
Scope: scope,
|
||||
Iat: iat.Unix(),
|
||||
Exp: exp.Unix(),
|
||||
}
|
||||
hdr := &jws.Header{
|
||||
Algorithm: "RS256",
|
||||
|
|
|
@ -13,29 +13,21 @@ import (
|
|||
"encoding/json"
|
||||
"encoding/pem"
|
||||
"strings"
|
||||
"sync"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"golang.org/x/oauth2/jws"
|
||||
)
|
||||
|
||||
func TestJWTAccessTokenSourceFromJSON(t *testing.T) {
|
||||
// Generate a key we can use in the test data.
|
||||
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
var (
|
||||
privateKey *rsa.PrivateKey
|
||||
jsonKey []byte
|
||||
once sync.Once
|
||||
)
|
||||
|
||||
// Encode the key and substitute into our example JSON.
|
||||
enc := pem.EncodeToMemory(&pem.Block{
|
||||
Type: "PRIVATE KEY",
|
||||
Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
|
||||
})
|
||||
enc, err = json.Marshal(string(enc))
|
||||
if err != nil {
|
||||
t.Fatalf("json.Marshal: %v", err)
|
||||
}
|
||||
jsonKey := bytes.Replace(jwtJSONKey, []byte(`"super secret key"`), enc, 1)
|
||||
func TestJWTAccessTokenSourceFromJSON(t *testing.T) {
|
||||
setupDummyKey(t)
|
||||
|
||||
ts, err := JWTAccessTokenSourceFromJSON(jsonKey, "audience")
|
||||
if err != nil {
|
||||
|
@ -89,3 +81,80 @@ func TestJWTAccessTokenSourceFromJSON(t *testing.T) {
|
|||
t.Errorf("Header KeyID = %q, want %q", got, want)
|
||||
}
|
||||
}
|
||||
|
||||
func TestJWTAccessTokenSourceWithScope(t *testing.T) {
|
||||
setupDummyKey(t)
|
||||
|
||||
ts, err := JWTAccessTokenSourceWithScope(jsonKey, "scope1", "scope2")
|
||||
if err != nil {
|
||||
t.Fatalf("JWTAccessTokenSourceWithScope: %v\nJSON: %s", err, string(jsonKey))
|
||||
}
|
||||
|
||||
tok, err := ts.Token()
|
||||
if err != nil {
|
||||
t.Fatalf("Token: %v", err)
|
||||
}
|
||||
|
||||
if got, want := tok.TokenType, "Bearer"; got != want {
|
||||
t.Errorf("TokenType = %q, want %q", got, want)
|
||||
}
|
||||
if got := tok.Expiry; tok.Expiry.Before(time.Now()) {
|
||||
t.Errorf("Expiry = %v, should not be expired", got)
|
||||
}
|
||||
|
||||
err = jws.Verify(tok.AccessToken, &privateKey.PublicKey)
|
||||
if err != nil {
|
||||
t.Errorf("jws.Verify on AccessToken: %v", err)
|
||||
}
|
||||
|
||||
claim, err := jws.Decode(tok.AccessToken)
|
||||
if err != nil {
|
||||
t.Fatalf("jws.Decode on AccessToken: %v", err)
|
||||
}
|
||||
|
||||
if got, want := claim.Iss, "gopher@developer.gserviceaccount.com"; got != want {
|
||||
t.Errorf("Iss = %q, want %q", got, want)
|
||||
}
|
||||
if got, want := claim.Sub, "gopher@developer.gserviceaccount.com"; got != want {
|
||||
t.Errorf("Sub = %q, want %q", got, want)
|
||||
}
|
||||
if got, want := claim.Scope, "scope1 scope2"; got != want {
|
||||
t.Errorf("Aud = %q, want %q", got, want)
|
||||
}
|
||||
|
||||
// Finally, check the header private key.
|
||||
parts := strings.Split(tok.AccessToken, ".")
|
||||
hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
|
||||
if err != nil {
|
||||
t.Fatalf("base64 DecodeString: %v\nString: %q", err, parts[0])
|
||||
}
|
||||
var hdr jws.Header
|
||||
if err := json.Unmarshal([]byte(hdrJSON), &hdr); err != nil {
|
||||
t.Fatalf("json.Unmarshal: %v (%q)", err, hdrJSON)
|
||||
}
|
||||
|
||||
if got, want := hdr.KeyID, "268f54e43a1af97cfc71731688434f45aca15c8b"; got != want {
|
||||
t.Errorf("Header KeyID = %q, want %q", got, want)
|
||||
}
|
||||
}
|
||||
|
||||
func setupDummyKey(t *testing.T) {
|
||||
once.Do(func() {
|
||||
// Generate a key we can use in the test data.
|
||||
pk, err := rsa.GenerateKey(rand.Reader, 2048)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
privateKey = pk
|
||||
// Encode the key and substitute into our example JSON.
|
||||
enc := pem.EncodeToMemory(&pem.Block{
|
||||
Type: "PRIVATE KEY",
|
||||
Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
|
||||
})
|
||||
enc, err = json.Marshal(string(enc))
|
||||
if err != nil {
|
||||
t.Fatalf("json.Marshal: %v", err)
|
||||
}
|
||||
jsonKey = bytes.Replace(jwtJSONKey, []byte(`"super secret key"`), enc, 1)
|
||||
})
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue