google: Address comments for CredentialsParams support

This commit is contained in:
Andy Zhao 2021-04-21 09:20:55 -07:00
parent debdcb489f
commit 3a734b4293
2 changed files with 38 additions and 23 deletions

View File

@ -42,22 +42,32 @@ type Credentials struct {
// Deprecated: use Credentials instead. // Deprecated: use Credentials instead.
type DefaultCredentials = Credentials type DefaultCredentials = Credentials
// TokenSourceParams holds user supplied parameters that are // CredentialsParams holds user supplied parameters that are used together
// used for building a TokenSource. // with a credentials file for building a Credentials object.
type TokenSourceParams struct { type CredentialsParams struct {
// List of OAuth scopes. // Scopes is the list OAuth scopes. Required.
// Example: cloud-platform
Scopes []string Scopes []string
// User email used for domain wide delegation. // Subject is the user email used for domain wide delegation (see
// https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority).
// Optional.
Subject string Subject string
// AuthorizationHandler used for 3-legged OAuth flow. // AuthHandler is the AuthorizationHandler used for 3-legged OAuth flow. Optional.
AuthHandler authhandler.AuthorizationHandler AuthHandler authhandler.AuthorizationHandler
// State used for AuthorizationHandler. // State is a unique string used with AuthHandler. Optional.
State string State string
} }
func (params CredentialsParams) deepCopy() CredentialsParams {
paramsCopy := params
paramsCopy.Scopes = make([]string, len(params.Scopes))
copy(paramsCopy.Scopes, params.Scopes)
return paramsCopy
}
// DefaultClient returns an HTTP Client that uses the // DefaultClient returns an HTTP Client that uses the
// DefaultTokenSource to obtain authentication credentials. // DefaultTokenSource to obtain authentication credentials.
func DefaultClient(ctx context.Context, scope ...string) (*http.Client, error) { func DefaultClient(ctx context.Context, scope ...string) (*http.Client, error) {
@ -79,7 +89,7 @@ func DefaultTokenSource(ctx context.Context, scope ...string) (oauth2.TokenSourc
return creds.TokenSource, nil return creds.TokenSource, nil
} }
// FindDefaultCredentials searches for "Application Default Credentials". // FindDefaultCredentialsWithParams searches for "Application Default Credentials".
// //
// It looks for credentials in the following places, // It looks for credentials in the following places,
// preferring the first location found: // preferring the first location found:
@ -98,7 +108,10 @@ func DefaultTokenSource(ctx context.Context, scope ...string) (oauth2.TokenSourc
// 4. On Google Compute Engine, Google App Engine standard second generation runtimes // 4. On Google Compute Engine, Google App Engine standard second generation runtimes
// (>= Go 1.11), and Google App Engine flexible environment, it fetches // (>= Go 1.11), and Google App Engine flexible environment, it fetches
// credentials from the metadata server. // credentials from the metadata server.
func FindDefaultCredentialsWithParams(ctx context.Context, params TokenSourceParams) (*Credentials, error) { func FindDefaultCredentialsWithParams(ctx context.Context, params CredentialsParams) (*Credentials, error) {
// Make defensive copy of the slices in params.
params = params.deepCopy()
// First, try the environment variable. // First, try the environment variable.
const envVar = "GOOGLE_APPLICATION_CREDENTIALS" const envVar = "GOOGLE_APPLICATION_CREDENTIALS"
if filename := os.Getenv(envVar); filename != "" { if filename := os.Getenv(envVar); filename != "" {
@ -142,20 +155,22 @@ func FindDefaultCredentialsWithParams(ctx context.Context, params TokenSourcePar
return nil, fmt.Errorf("google: could not find default credentials. See %v for more information.", url) return nil, fmt.Errorf("google: could not find default credentials. See %v for more information.", url)
} }
// Deprecated: use FindDefaultCredentialsWithParams instead. // FindDefaultCredentials invokes FindDefaultCredentialsWithParams with the specified scopes.
func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials, error) { func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials, error) {
var params TokenSourceParams var params CredentialsParams
params.Scopes = scopes params.Scopes = scopes
return FindDefaultCredentialsWithParams(ctx, params) return FindDefaultCredentialsWithParams(ctx, params)
} }
// CredentialsFromJSON obtains Google credentials from a JSON value. The JSON can // CredentialsFromJSONWithParams obtains Google credentials from a JSON value. The JSON can
// represent either a Google Developers Console client_credentials.json file (as in // represent either a Google Developers Console client_credentials.json file (as in ConfigFromJSON),
// ConfigFromJSON), a Google Developers service account key file, a gCloud-style // a Google Developers service account key file, a gCloud-style user credentials file (a.k.a.
// user credentials file (a.k.a. refresh token JSON), or the JSON configuration file // refresh token JSON), or the JSON configuration file for workload identity federation in
// for workload identity federation in non-Google cloud platforms (see // non-Google cloud platforms (see https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation).
// https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation). func CredentialsFromJSONWithParams(ctx context.Context, jsonData []byte, params CredentialsParams) (*Credentials, error) {
func CredentialsFromJSONWithParams(ctx context.Context, jsonData []byte, params TokenSourceParams) (*Credentials, error) { // Make defensive copy of the slices in params.
params = params.deepCopy()
// First, attempt to parse jsonData as a Google Developers Console client_credentials.json. // First, attempt to parse jsonData as a Google Developers Console client_credentials.json.
config, err := ConfigFromJSON(jsonData, params.Scopes...) config, err := ConfigFromJSON(jsonData, params.Scopes...)
if err == nil { if err == nil {
@ -166,7 +181,7 @@ func CredentialsFromJSONWithParams(ctx context.Context, jsonData []byte, params
}, nil }, nil
} }
// Otherwise, parse jsonData as one of the other supported credential files. // Otherwise, parse jsonData as one of the other supported credentials files.
var f credentialsFile var f credentialsFile
if err = json.Unmarshal(jsonData, &f); err != nil { if err = json.Unmarshal(jsonData, &f); err != nil {
return nil, err return nil, err
@ -182,9 +197,9 @@ func CredentialsFromJSONWithParams(ctx context.Context, jsonData []byte, params
}, nil }, nil
} }
// Deprecated: use CredentialsFromJSONWithParams instead. // CredentialsFromJSON invokes CredentialsFromJSONWithParams with the specified scopes.
func CredentialsFromJSON(ctx context.Context, jsonData []byte, scopes ...string) (*Credentials, error) { func CredentialsFromJSON(ctx context.Context, jsonData []byte, scopes ...string) (*Credentials, error) {
var params TokenSourceParams var params CredentialsParams
params.Scopes = scopes params.Scopes = scopes
return CredentialsFromJSONWithParams(ctx, jsonData, params) return CredentialsFromJSONWithParams(ctx, jsonData, params)
} }
@ -197,7 +212,7 @@ func wellKnownFile() string {
return filepath.Join(guessUnixHomeDir(), ".config", "gcloud", f) return filepath.Join(guessUnixHomeDir(), ".config", "gcloud", f)
} }
func readCredentialsFile(ctx context.Context, filename string, params TokenSourceParams) (*DefaultCredentials, error) { func readCredentialsFile(ctx context.Context, filename string, params CredentialsParams) (*DefaultCredentials, error) {
b, err := ioutil.ReadFile(filename) b, err := ioutil.ReadFile(filename)
if err != nil { if err != nil {
return nil, err return nil, err

View File

@ -140,7 +140,7 @@ func (f *credentialsFile) jwtConfig(scopes []string, subject string) *jwt.Config
return cfg return cfg
} }
func (f *credentialsFile) tokenSource(ctx context.Context, params TokenSourceParams) (oauth2.TokenSource, error) { func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsParams) (oauth2.TokenSource, error) {
switch f.Type { switch f.Type {
case serviceAccountKey: case serviceAccountKey:
cfg := f.jwtConfig(params.Scopes, params.Subject) cfg := f.jwtConfig(params.Scopes, params.Subject)