fix: Add delegates support

Get the delegates from the input JSON and use them in the refreshToken requests.

Updates #515
guillaume blaquiere 2021-09-04 21:11:51 +02:00
parent 2fca3adf8d
commit c2f6109f1c
2 changed files with 11 additions and 7 deletions


@ -122,6 +122,7 @@ type credentialsFile struct {
TokenURLExternal string `json:"token_url"` TokenURLExternal string `json:"token_url"`
TokenInfoURL string `json:"token_info_url"` TokenInfoURL string `json:"token_info_url"`
ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"` ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
Delegates []string `json:"delegates"`
CredentialSource externalaccount.CredentialSource `json:"credential_source"` CredentialSource externalaccount.CredentialSource `json:"credential_source"`
QuotaProjectID string `json:"quota_project_id"` QuotaProjectID string `json:"quota_project_id"`
@ -192,11 +193,11 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar
return nil, err return nil, err
} }
imp := externalaccount.ImpersonateTokenSource{ imp := externalaccount.ImpersonateTokenSource{
Ctx: ctx, Ctx: ctx,
Url: f.ServiceAccountImpersonationURL, Url: f.ServiceAccountImpersonationURL,
Scopes: params.Scopes, Scopes: params.Scopes,
Ts: oauth2.ReuseTokenSource(nil, sourceToken), Ts: oauth2.ReuseTokenSource(nil, sourceToken),
// Delegates?? -> I don't know how to manage and how to use them here Delegates: f.Delegates,
} }
return oauth2.ReuseTokenSource(nil, imp), nil return oauth2.ReuseTokenSource(nil, imp), nil
case "": case "":
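Review bot: The new `Delegates` field on credentialsFile is read from the credentials JSON and handed to ImpersonateTokenSource without any comment saying what an entry is or whether the list is ordered, so a reader of the JSON schema cannot tell how to populate it. The value goes straight into the impersonation request body with no normalisation or validation in this layer, which is worth stating at the field: `// Delegates is the optional delegation chain used when impersonating the service account; entries are forwarded to the impersonation request unchanged, and if the endpoint is the IAM Credentials API their order is significant.` The second hunk replaces the placeholder comment with the pass-through, and tokenSource begins and continues outside that hunk.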


@ -41,13 +41,16 @@ type ImpersonateTokenSource struct {
Url string Url string
// scopes to include in the access token request // scopes to include in the access token request
Scopes []string Scopes []string
// Delegates for impersonation to include in the access token request
Delegates []string
} }
// Token performs the exchange to get a temporary service account token to allow access to GCP. // Token performs the exchange to get a temporary service account token to allow access to GCP.
func (its ImpersonateTokenSource) Token() (*oauth2.Token, error) { func (its ImpersonateTokenSource) Token() (*oauth2.Token, error) {
reqBody := generateAccessTokenReq{ reqBody := generateAccessTokenReq{
Lifetime: "3600s", Lifetime: "3600s",
Scope: its.Scopes, Scope: its.Scopes,
Delegates: its.Delegates,
} }
b, err := json.Marshal(reqBody) b, err := json.Marshal(reqBody)
if err != nil { if err != nil {
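Review bot: The doc comment on the new exported field `Delegates` does not start with the field name, which is the convention Go documentation tools key on, and it does not say that the order of the entries matters. I would write `// Delegates is the ordered list of service accounts to delegate through when requesting the impersonated token; each entry is sent in the access token request as given.` The value is copied into generateAccessTokenReq and marshaled unchanged, so any checking of the entries is left to the server, which the comment could also note. The generateAccessTokenReq definition and the remainder of Token are outside the hunk.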