forked from Mirrors/oauth2
google: support url-sourced 3rd party credentials
Implements functionality to allow for URL-sourced 3rd party credentials, expanding the functionality added in #462 .
Change-Id: Ib7615fb618486612960d60bee6b9a1ecf5de1404
GitHub-Last-Rev: 95713928e4
GitHub-Pull-Request: golang/oauth2#466
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/283372
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Trust: Cody Oss <codyoss@google.com>
This commit is contained in:
parent
8b1d76fa04
commit
d3ed898aa8
|
@ -122,7 +122,6 @@ type credentialsFile struct {
|
|||
ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
|
||||
CredentialSource externalaccount.CredentialSource `json:"credential_source"`
|
||||
QuotaProjectID string `json:"quota_project_id"`
|
||||
|
||||
}
|
||||
|
||||
func (f *credentialsFile) jwtConfig(scopes []string) *jwt.Config {
|
||||
|
|
|
@ -66,9 +66,11 @@ type CredentialSource struct {
|
|||
}
|
||||
|
||||
// parse determines the type of CredentialSource needed
|
||||
func (c *Config) parse() baseCredentialSource {
|
||||
func (c *Config) parse(ctx context.Context) baseCredentialSource {
|
||||
if c.CredentialSource.File != "" {
|
||||
return fileCredentialSource{File: c.CredentialSource.File, Format: c.CredentialSource.Format}
|
||||
} else if c.CredentialSource.URL != "" {
|
||||
return urlCredentialSource{URL: c.CredentialSource.URL, Format: c.CredentialSource.Format, ctx: ctx}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
@ -87,7 +89,7 @@ type tokenSource struct {
|
|||
func (ts tokenSource) Token() (*oauth2.Token, error) {
|
||||
conf := ts.conf
|
||||
|
||||
credSource := conf.parse()
|
||||
credSource := conf.parse(ts.ctx)
|
||||
if credSource == nil {
|
||||
return nil, fmt.Errorf("oauth2/google: unable to parse credential source")
|
||||
}
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
package externalaccount
|
||||
|
||||
import (
|
||||
"context"
|
||||
"testing"
|
||||
)
|
||||
|
||||
|
@ -55,7 +56,7 @@ func TestRetrieveFileSubjectToken(t *testing.T) {
|
|||
tfc.CredentialSource = test.cs
|
||||
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
out, err := tfc.parse().subjectToken()
|
||||
out, err := tfc.parse(context.Background()).subjectToken()
|
||||
if err != nil {
|
||||
t.Errorf("Method subjectToken() errored.")
|
||||
} else if test.want != out {
|
||||
|
|
|
@ -0,0 +1,71 @@
|
|||
// Copyright 2020 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package externalaccount
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"golang.org/x/oauth2"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
type urlCredentialSource struct {
|
||||
URL string
|
||||
Headers map[string]string
|
||||
Format format
|
||||
ctx context.Context
|
||||
}
|
||||
|
||||
func (cs urlCredentialSource) subjectToken() (string, error) {
|
||||
client := oauth2.NewClient(cs.ctx, nil)
|
||||
req, err := http.NewRequest("GET", cs.URL, nil)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("oauth2/google: HTTP request for URL-sourced credential failed: %v", err)
|
||||
}
|
||||
req = req.WithContext(cs.ctx)
|
||||
|
||||
for key, val := range cs.Headers {
|
||||
req.Header.Add(key, val)
|
||||
}
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("oauth2/google: invalid response when retrieving subject token: %v", err)
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
tokenBytes, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("oauth2/google: invalid body in subject token URL query: %v", err)
|
||||
}
|
||||
|
||||
switch cs.Format.Type {
|
||||
case "json":
|
||||
jsonData := make(map[string]interface{})
|
||||
err = json.Unmarshal(tokenBytes, &jsonData)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("oauth2/google: failed to unmarshal subject token file: %v", err)
|
||||
}
|
||||
val, ok := jsonData[cs.Format.SubjectTokenFieldName]
|
||||
if !ok {
|
||||
return "", errors.New("oauth2/google: provided subject_token_field_name not found in credentials")
|
||||
}
|
||||
token, ok := val.(string)
|
||||
if !ok {
|
||||
return "", errors.New("oauth2/google: improperly formatted subject token")
|
||||
}
|
||||
return token, nil
|
||||
case "text":
|
||||
return string(tokenBytes), nil
|
||||
case "":
|
||||
return string(tokenBytes), nil
|
||||
default:
|
||||
return "", errors.New("oauth2/google: invalid credential_source file format type")
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,92 @@
|
|||
// Copyright 2020 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package externalaccount
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
)
|
||||
|
||||
var myURLToken = "testTokenValue"
|
||||
|
||||
func TestRetrieveURLSubjectToken_Text(t *testing.T) {
|
||||
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if r.Method != "GET" {
|
||||
t.Errorf("Unexpected request method, %v is found", r.Method)
|
||||
}
|
||||
w.Write([]byte("testTokenValue"))
|
||||
}))
|
||||
cs := CredentialSource{
|
||||
URL: ts.URL,
|
||||
Format: format{Type: fileTypeText},
|
||||
}
|
||||
tfc := testFileConfig
|
||||
tfc.CredentialSource = cs
|
||||
|
||||
out, err := tfc.parse(context.Background()).subjectToken()
|
||||
if err != nil {
|
||||
t.Fatalf("retrieveSubjectToken() failed: %v", err)
|
||||
}
|
||||
if out != myURLToken {
|
||||
t.Errorf("got %v but want %v", out, myURLToken)
|
||||
}
|
||||
}
|
||||
|
||||
// Checking that retrieveSubjectToken properly defaults to type text
|
||||
func TestRetrieveURLSubjectToken_Untyped(t *testing.T) {
|
||||
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if r.Method != "GET" {
|
||||
t.Errorf("Unexpected request method, %v is found", r.Method)
|
||||
}
|
||||
w.Write([]byte("testTokenValue"))
|
||||
}))
|
||||
cs := CredentialSource{
|
||||
URL: ts.URL,
|
||||
}
|
||||
tfc := testFileConfig
|
||||
tfc.CredentialSource = cs
|
||||
|
||||
out, err := tfc.parse(context.Background()).subjectToken()
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to retrieve URL subject token: %v", err)
|
||||
}
|
||||
if out != myURLToken {
|
||||
t.Errorf("got %v but want %v", out, myURLToken)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRetrieveURLSubjectToken_JSON(t *testing.T) {
|
||||
type tokenResponse struct {
|
||||
TestToken string `json:"SubjToken"`
|
||||
}
|
||||
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if got, want := r.Method, "GET"; got != want {
|
||||
t.Errorf("got %v, but want %v", r.Method, want)
|
||||
}
|
||||
resp := tokenResponse{TestToken: "testTokenValue"}
|
||||
jsonResp, err := json.Marshal(resp)
|
||||
if err != nil {
|
||||
t.Errorf("Failed to marshal values: %v", err)
|
||||
}
|
||||
w.Write(jsonResp)
|
||||
}))
|
||||
cs := CredentialSource{
|
||||
URL: ts.URL,
|
||||
Format: format{Type: fileTypeJSON, SubjectTokenFieldName: "SubjToken"},
|
||||
}
|
||||
tfc := testFileConfig
|
||||
tfc.CredentialSource = cs
|
||||
|
||||
out, err := tfc.parse(context.Background()).subjectToken()
|
||||
if err != nil {
|
||||
t.Fatalf("%v", err)
|
||||
}
|
||||
if out != myURLToken {
|
||||
t.Errorf("got %v but want %v", out, myURLToken)
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue