From c2f6109f1ce4eb5d20411a529112d774c7658dfa Mon Sep 17 00:00:00 2001
From: guillaume blaquiere
Date: Sat, 4 Sep 2021 21:11:51 +0200
Subject: [PATCH] fix: Add delegates support
Get the delegates from the input JSON and use them in the refreshToken requests.
Updates #515
---
 google/google.go | 11 ++++++-----
 google/internal/externalaccount/impersonate.go | 7 +++++--
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/google/google.go b/google/google.go
index eeeb4e1..15f8f32 100644
--- a/google/google.go
+++ b/google/google.go
@@ -122,6 +122,7 @@ type credentialsFile struct {
 TokenURLExternal string `json:"token_url"`
 TokenInfoURL string `json:"token_info_url"`
 ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
+ Delegates []string `json:"delegates"`
 CredentialSource externalaccount.CredentialSource `json:"credential_source"`
 QuotaProjectID string `json:"quota_project_id"`
@@ -192,11 +193,11 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar
 return nil, err
 }
 imp := externalaccount.ImpersonateTokenSource{
- Ctx: ctx,
- Url: f.ServiceAccountImpersonationURL,
- Scopes: params.Scopes,
- Ts: oauth2.ReuseTokenSource(nil, sourceToken),
- // Delegates?? -> I don't know how to manage and how to use them here
+ Ctx: ctx,
+ Url: f.ServiceAccountImpersonationURL,
+ Scopes: params.Scopes,
+ Ts: oauth2.ReuseTokenSource(nil, sourceToken),
+ Delegates: f.Delegates,
 }
 return oauth2.ReuseTokenSource(nil, imp), nil
 case "":
diff --git a/google/internal/externalaccount/impersonate.go b/google/internal/externalaccount/impersonate.go
index cea9458..0d476d1 100644
--- a/google/internal/externalaccount/impersonate.go
+++ b/google/internal/externalaccount/impersonate.go
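Review bot: The `delegates` list parsed from the credentials file in the `credentialsFile` hunk is handed to the impersonation request unchanged via `Delegates: f.Delegates` in the `tokenSource` hunk, and neither hunk documents what an entry must look like or what an absent key means. A comment on the new struct field would spare the next reader a trip to the IAM docs, for example `// Delegates is the optional chain of service accounts to impersonate through before reaching the target; entries are passed to the impersonation endpoint as written in the file.` From this hunk alone it is not visible whether the enclosing case already requires ServiceAccountImpersonationURL to be non-empty, so a file that supplies delegates without an impersonation URL may have them silently ignored — worth confirming against the surrounding switch. tokenSource begins and ends outside the hunk.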
@@ -41,13 +41,16 @@ type ImpersonateTokenSource struct {
 Url string
 // scopes to include in the access token request
 Scopes []string
+ // Delegates for impersonation to include in the access token request
+ Delegates []string
 }
 // Token performs the exchange to get a temporary service account token to allow access to GCP.
 func (its ImpersonateTokenSource) Token() (*oauth2.Token, error) {
 reqBody := generateAccessTokenReq{
- Lifetime: "3600s",
- Scope: its.Scopes,
+ Lifetime: "3600s",
+ Scope: its.Scopes,
+ Delegates: its.Delegates,
 }
 b, err := json.Marshal(reqBody)
 if err != nil {
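Review bot: `Delegates: its.Delegates` depends on generateAccessTokenReq having a Delegates field whose JSON tag is not visible in this hunk; if that tag lacks `omitempty`, every existing caller that leaves Delegates nil will now send `"delegates":null`, a change in request shape for the non-delegated path that the commit does not mention — worth checking the struct declaration, which presumably sits above the hunk. The new field comment could also state the contract so callers know what each entry is, e.g. `// Delegates is the ordered chain of service accounts the source credential delegates through to reach the impersonated account; entries are sent as given in the generateAccessToken request.` Token's body continues past the end of the hunk.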