fix: Add delegates support

Get the delegates from the input JSON and use them in the refreshToken requests. Updates #515
2021-09-04 21:11:51 +02:00 · 2021-09-04 21:11:51 +02:00 · 8e4ea9fa54
parent 224dd43caf
commit 8e4ea9fa54
2 changed files with 11 additions and 7 deletions
--- a/google/google.go
+++ b/google/google.go
@ -122,6 +122,7 @@ type credentialsFile struct {
 	TokenURLExternal               string                           `json:"token_url"`
 	TokenInfoURL                   string                           `json:"token_info_url"`
 	ServiceAccountImpersonationURL string                           `json:"service_account_impersonation_url"`
+	Delegates                      []string                         `json:"delegates"`
 	CredentialSource               externalaccount.CredentialSource `json:"credential_source"`
 	QuotaProjectID                 string                           `json:"quota_project_id"`
 	WorkforcePoolUserProject       string                           `json:"workforce_pool_user_project"`
@ -194,11 +195,11 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar
 			return nil, err
 		}
 		imp := externalaccount.ImpersonateTokenSource{
-			Ctx:    ctx,
-			Url:    f.ServiceAccountImpersonationURL,
-			Scopes: params.Scopes,
-			Ts:     oauth2.ReuseTokenSource(nil, sourceToken),
-			// Delegates?? -> I don't know how to manage and how to use them here
+			Ctx:       ctx,
+			Url:       f.ServiceAccountImpersonationURL,
+			Scopes:    params.Scopes,
+			Ts:        oauth2.ReuseTokenSource(nil, sourceToken),
+			Delegates: f.Delegates,
 		}
 		return oauth2.ReuseTokenSource(nil, imp), nil
 	case "":
--- a/google/internal/externalaccount/impersonate.go
+++ b/google/internal/externalaccount/impersonate.go
@ -41,13 +41,16 @@ type ImpersonateTokenSource struct {
 	Url string
 	// scopes to include in the access token request
 	Scopes []string
+	// Delegates for impersonation to include in the access token request
+	Delegates []string
 }

 // Token performs the exchange to get a temporary service account token to allow access to GCP.
 func (its ImpersonateTokenSource) Token() (*oauth2.Token, error) {
 	reqBody := generateAccessTokenReq{
-		Lifetime: "3600s",
-		Scope:    its.Scopes,
+		Lifetime:  "3600s",
+		Scope:     its.Scopes,
+		Delegates: its.Delegates,
 	}
 	b, err := json.Marshal(reqBody)
 	if err != nil {