From 7792988ab86a75c04e936419e8a2ac6d07ddf898 Mon Sep 17 00:00:00 2001
From: Patrick Jones <ithuriel@google.com>
Date: Tue, 6 Oct 2020 01:05:26 -0700
Subject: [PATCH] Add utilities supporting upcoming oauth2 functionality.

---
 .../internal/oauth2/clientAuthentication.go   |  39 +++++++
 .../oauth2/clientAuthentication_test.go       | 103 ++++++++++++++++++
 google/internal/oauth2/err.go                 |  14 +++
 google/internal/oauth2/err_test.go            |  15 +++
 4 files changed, 171 insertions(+)
 create mode 100644 google/internal/oauth2/clientAuthentication.go
 create mode 100644 google/internal/oauth2/clientAuthentication_test.go
 create mode 100644 google/internal/oauth2/err.go
 create mode 100644 google/internal/oauth2/err_test.go

diff --git a/google/internal/oauth2/clientAuthentication.go b/google/internal/oauth2/clientAuthentication.go
new file mode 100644
index 0000000..3cb6bad
--- /dev/null
+++ b/google/internal/oauth2/clientAuthentication.go
@@ -0,0 +1,39 @@
+package externalaccount
+
+import (
+	"encoding/base64"
+	"golang.org/x/oauth2"
+	"net/http"
+	"net/url"
+)
+
+// ClientAuthentication represents an OAuth client ID and secret and the mechanism for passing these credentials as stated in rfc6749#2.3.1
+type ClientAuthentication struct {
+	//Can be either basic or request-body
+	AuthStyle    oauth2.AuthStyle
+	ClientID     string
+	ClientSecret string
+}
+
+func (c *ClientAuthentication) InjectAuthentication(values *url.Values, headers *http.Header) {
+	if c.ClientID == "" || c.ClientSecret == "" || values == nil || headers == nil {
+		return
+	}
+
+	switch c.AuthStyle {
+	case oauth2.AuthStyleInHeader:
+		plainHeader := c.ClientID + ":" + c.ClientSecret
+		headers.Add("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(plainHeader)))
+	case oauth2.AuthStyleInParams:
+		values.Set("client_id", c.ClientID)
+		values.Set("client_secret", c.ClientSecret)
+	case oauth2.AuthStyleAutoDetect:
+		values.Set("client_id", c.ClientID)
+		values.Set("client_secret", c.ClientSecret)
+	default:
+		values.Set("client_id", c.ClientID)
+		values.Set("client_secret", c.ClientSecret)
+	}
+
+	return
+}
\ No newline at end of file
diff --git a/google/internal/oauth2/clientAuthentication_test.go b/google/internal/oauth2/clientAuthentication_test.go
new file mode 100644
index 0000000..1e0d854
--- /dev/null
+++ b/google/internal/oauth2/clientAuthentication_test.go
@@ -0,0 +1,103 @@
+package externalaccount
+
+import (
+	"golang.org/x/oauth2"
+	"net/http"
+	"net/url"
+	"reflect"
+	"testing"
+)
+
+
+var clientID = "rbrgnognrhongo3bi4gb9ghg9g"
+var clientSecret = "notsosecret"
+var valuesH = url.Values {
+	"audience": []string{"32555940559.apps.googleusercontent.com"},
+	"grant_type": []string{"urn:ietf:params:oauth:grant-type:token-exchange"},
+	"requested_token_type": []string{"urn:ietf:params:oauth:token-type:access_token"},
+	"subject_token_type": []string{"urn:ietf:params:oauth:token-type:jwt"},
+	"subject_token": []string{"eyJhbGciOiJSUzI1NiIsImtpZCI6IjJjNmZhNmY1OTUwYTdjZTQ2NWZjZjI0N2FhMGIwOTQ4MjhhYzk1MmMiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiIzMjU1NTk0MDU1OS5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF1ZCI6IjMyNTU1OTQwNTU5LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwic3ViIjoiMTEzMzE4NTQxMDA5MDU3Mzc4MzI4IiwiaGQiOiJnb29nbGUuY29tIiwiZW1haWwiOiJpdGh1cmllbEBnb29nbGUuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF0X2hhc2giOiI5OVJVYVFrRHJsVDFZOUV0SzdiYXJnIiwiaWF0IjoxNjAxNTgxMzQ5LCJleHAiOjE2MDE1ODQ5NDl9.SZ-4DyDcogDh_CDUKHqPCiT8AKLg4zLMpPhGQzmcmHQ6cJiV0WRVMf5Lq911qsvuekgxfQpIdKNXlD6yk3FqvC2rjBbuEztMF-OD_2B8CEIYFlMLGuTQimJlUQksLKM-3B2ITRDCxnyEdaZik0OVssiy1CBTsllS5MgTFqic7w8w0Cd6diqNkfPFZRWyRYsrRDRlHHbH5_TUnv2wnLVHBHlNvU4wU2yyjDIoqOvTRp8jtXdq7K31CDhXd47-hXsVFQn2ZgzuUEAkH2Q6NIXACcVyZOrjBcZiOQI9IRWz-g03LzbzPSecO7I8dDrhqUSqMrdNUz_f8Kr8JFhuVMfVug"},
+	"scope": []string{"https://www.googleapis.com/auth/devstorage.full_control"},
+}
+
+var headerH = http.Header {
+	"Content-Type": []string{"application/x-www-form-urlencoded"},
+}
+
+var valuesP = url.Values {
+	"audience": []string{"32555940559.apps.googleusercontent.com"},
+	"grant_type": []string{"urn:ietf:params:oauth:grant-type:token-exchange"},
+	"requested_token_type": []string{"urn:ietf:params:oauth:token-type:access_token"},
+	"subject_token_type": []string{"urn:ietf:params:oauth:token-type:jwt"},
+	"subject_token": []string{"eyJhbGciOiJSUzI1NiIsImtpZCI6IjJjNmZhNmY1OTUwYTdjZTQ2NWZjZjI0N2FhMGIwOTQ4MjhhYzk1MmMiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiIzMjU1NTk0MDU1OS5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF1ZCI6IjMyNTU1OTQwNTU5LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwic3ViIjoiMTEzMzE4NTQxMDA5MDU3Mzc4MzI4IiwiaGQiOiJnb29nbGUuY29tIiwiZW1haWwiOiJpdGh1cmllbEBnb29nbGUuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF0X2hhc2giOiI5OVJVYVFrRHJsVDFZOUV0SzdiYXJnIiwiaWF0IjoxNjAxNTgxMzQ5LCJleHAiOjE2MDE1ODQ5NDl9.SZ-4DyDcogDh_CDUKHqPCiT8AKLg4zLMpPhGQzmcmHQ6cJiV0WRVMf5Lq911qsvuekgxfQpIdKNXlD6yk3FqvC2rjBbuEztMF-OD_2B8CEIYFlMLGuTQimJlUQksLKM-3B2ITRDCxnyEdaZik0OVssiy1CBTsllS5MgTFqic7w8w0Cd6diqNkfPFZRWyRYsrRDRlHHbH5_TUnv2wnLVHBHlNvU4wU2yyjDIoqOvTRp8jtXdq7K31CDhXd47-hXsVFQn2ZgzuUEAkH2Q6NIXACcVyZOrjBcZiOQI9IRWz-g03LzbzPSecO7I8dDrhqUSqMrdNUz_f8Kr8JFhuVMfVug"},
+	"scope": []string{"https://www.googleapis.com/auth/devstorage.full_control"},
+}
+
+var headerP = http.Header {
+	"Content-Type": []string{"application/x-www-form-urlencoded"},
+}
+
+func TestClientAuthentication_InjectHeaderAuthentication(t *testing.T) {
+	headerAuthentication := ClientAuthentication{
+		AuthStyle: oauth2.AuthStyleInHeader,
+		ClientID: clientID,
+		ClientSecret: clientSecret,
+	}
+	headerAuthentication.InjectAuthentication(&valuesH, &headerH)
+
+	if got, want := valuesH["audience"], []string{"32555940559.apps.googleusercontent.com"}; !reflect.DeepEqual(got, want) {
+		t.Errorf("audience = %q, want %q", got, want)
+	}
+	if got, want := valuesH["grant_type"], []string{"urn:ietf:params:oauth:grant-type:token-exchange"}; !reflect.DeepEqual(got, want) {
+		t.Errorf("grant_type = %q, want %q", got, want)
+	}
+	if got, want := valuesH["requested_token_type"], []string{"urn:ietf:params:oauth:token-type:access_token"}; !reflect.DeepEqual(got, want) {
+		t.Errorf("requested_token_type = %q, want %q", got, want)
+	}
+	if got, want := valuesH["subject_token_type"], []string{"urn:ietf:params:oauth:token-type:jwt"}; !reflect.DeepEqual(got, want) {
+		t.Errorf("subject_token_type = %q, want %q", got, want)
+	}
+	if got, want := valuesH["subject_token"], []string{"eyJhbGciOiJSUzI1NiIsImtpZCI6IjJjNmZhNmY1OTUwYTdjZTQ2NWZjZjI0N2FhMGIwOTQ4MjhhYzk1MmMiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiIzMjU1NTk0MDU1OS5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF1ZCI6IjMyNTU1OTQwNTU5LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwic3ViIjoiMTEzMzE4NTQxMDA5MDU3Mzc4MzI4IiwiaGQiOiJnb29nbGUuY29tIiwiZW1haWwiOiJpdGh1cmllbEBnb29nbGUuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF0X2hhc2giOiI5OVJVYVFrRHJsVDFZOUV0SzdiYXJnIiwiaWF0IjoxNjAxNTgxMzQ5LCJleHAiOjE2MDE1ODQ5NDl9.SZ-4DyDcogDh_CDUKHqPCiT8AKLg4zLMpPhGQzmcmHQ6cJiV0WRVMf5Lq911qsvuekgxfQpIdKNXlD6yk3FqvC2rjBbuEztMF-OD_2B8CEIYFlMLGuTQimJlUQksLKM-3B2ITRDCxnyEdaZik0OVssiy1CBTsllS5MgTFqic7w8w0Cd6diqNkfPFZRWyRYsrRDRlHHbH5_TUnv2wnLVHBHlNvU4wU2yyjDIoqOvTRp8jtXdq7K31CDhXd47-hXsVFQn2ZgzuUEAkH2Q6NIXACcVyZOrjBcZiOQI9IRWz-g03LzbzPSecO7I8dDrhqUSqMrdNUz_f8Kr8JFhuVMfVug"}; !reflect.DeepEqual(got, want) {
+		t.Errorf("subject_token = %q, want %q", got, want)
+	}
+	if got, want := valuesH["scope"], []string{"https://www.googleapis.com/auth/devstorage.full_control"}; !reflect.DeepEqual(got, want) {
+		t.Errorf("scope = %q, want %q", got, want)
+	}
+	if got, want := headerH["Authorization"],[]string{"Basic cmJyZ25vZ25yaG9uZ28zYmk0Z2I5Z2hnOWc6bm90c29zZWNyZXQ="}; !reflect.DeepEqual(got, want) {
+		t.Errorf("Authorization in header = %q, want %q", got, want)
+	}
+}
+
+func TestClientAuthentication_ParamsAuthentication(t *testing.T) {
+	paramsAuthentication := ClientAuthentication{
+		AuthStyle: oauth2.AuthStyleInParams,
+		ClientID: clientID,
+		ClientSecret: clientSecret,
+	}
+	paramsAuthentication.InjectAuthentication(&valuesP, &headerP)
+
+	if got, want := valuesP["audience"], []string{"32555940559.apps.googleusercontent.com"}; !reflect.DeepEqual(got, want) {
+		t.Errorf("audience = %q, want %q", got, want)
+	}
+	if got, want := valuesP["grant_type"], []string{"urn:ietf:params:oauth:grant-type:token-exchange"}; !reflect.DeepEqual(got, want) {
+		t.Errorf("grant_type = %q, want %q", got, want)
+	}
+	if got, want := valuesP["requested_token_type"], []string{"urn:ietf:params:oauth:token-type:access_token"}; !reflect.DeepEqual(got, want) {
+		t.Errorf("requested_token_type = %q, want %q", got, want)
+	}
+	if got, want := valuesP["subject_token_type"], []string{"urn:ietf:params:oauth:token-type:jwt"}; !reflect.DeepEqual(got, want) {
+		t.Errorf("subject_token_type = %q, want %q", got, want)
+	}
+	if got, want := valuesP["subject_token"], []string{"eyJhbGciOiJSUzI1NiIsImtpZCI6IjJjNmZhNmY1OTUwYTdjZTQ2NWZjZjI0N2FhMGIwOTQ4MjhhYzk1MmMiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiIzMjU1NTk0MDU1OS5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF1ZCI6IjMyNTU1OTQwNTU5LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwic3ViIjoiMTEzMzE4NTQxMDA5MDU3Mzc4MzI4IiwiaGQiOiJnb29nbGUuY29tIiwiZW1haWwiOiJpdGh1cmllbEBnb29nbGUuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF0X2hhc2giOiI5OVJVYVFrRHJsVDFZOUV0SzdiYXJnIiwiaWF0IjoxNjAxNTgxMzQ5LCJleHAiOjE2MDE1ODQ5NDl9.SZ-4DyDcogDh_CDUKHqPCiT8AKLg4zLMpPhGQzmcmHQ6cJiV0WRVMf5Lq911qsvuekgxfQpIdKNXlD6yk3FqvC2rjBbuEztMF-OD_2B8CEIYFlMLGuTQimJlUQksLKM-3B2ITRDCxnyEdaZik0OVssiy1CBTsllS5MgTFqic7w8w0Cd6diqNkfPFZRWyRYsrRDRlHHbH5_TUnv2wnLVHBHlNvU4wU2yyjDIoqOvTRp8jtXdq7K31CDhXd47-hXsVFQn2ZgzuUEAkH2Q6NIXACcVyZOrjBcZiOQI9IRWz-g03LzbzPSecO7I8dDrhqUSqMrdNUz_f8Kr8JFhuVMfVug"}; !reflect.DeepEqual(got, want) {
+		t.Errorf("subject_token = %q, want %q", got, want)
+	}
+	if got, want := valuesP["client_id"], []string{clientID}; !reflect.DeepEqual(got, want) {
+		t.Errorf("client_id = %q, want %q", got, want)
+	}
+	if got, want := valuesP["client_secret"], []string{clientSecret}; !reflect.DeepEqual(got, want) {
+		t.Errorf("client_secret = %q, want %q", got, want)
+	}
+	if got, want := valuesP["scope"], []string{"https://www.googleapis.com/auth/devstorage.full_control"}; !reflect.DeepEqual(got, want) {
+		t.Errorf("scope = %q, want %q", got, want)
+	}
+}
\ No newline at end of file
diff --git a/google/internal/oauth2/err.go b/google/internal/oauth2/err.go
new file mode 100644
index 0000000..594b19f
--- /dev/null
+++ b/google/internal/oauth2/err.go
@@ -0,0 +1,14 @@
+package externalaccount
+
+import "fmt"
+
+//Struct for handling OAuth related error responses as stated in rfc6749#5.2
+type Error struct {
+	Code        string
+	URI         string
+	Description string
+}
+
+func (err *Error) Error() string {
+	return fmt.Sprintf("got error code %s from %s: %s", err.Code, err.URI, err.Description)
+}
\ No newline at end of file
diff --git a/google/internal/oauth2/err_test.go b/google/internal/oauth2/err_test.go
new file mode 100644
index 0000000..3b6690d
--- /dev/null
+++ b/google/internal/oauth2/err_test.go
@@ -0,0 +1,15 @@
+package externalaccount
+
+import "testing"
+
+func TestError_Generator(t *testing.T) {
+	e := Error{
+		"42",
+		"http:thisIsAPlaceholder",
+		"The Answer!",
+	}
+	output := "got error code " + "42" + " from " + "http:thisIsAPlaceholder" + ": " + "The Answer!"
+	if got, want := e, output; e.Error() != output {
+		t.Errorf("Got error message %q; want %q", got, want)
+	}
+}
\ No newline at end of file