forked from Mirrors/oauth2
Merge branch 'master' of github.com:gIthuriel/oauth2
Change-Id: I01358c49fccd68b1a343efa2c80e9371d56b75b4
This commit is contained in:
commit
de6a73f796
|
@ -89,6 +89,14 @@ type tokenSource struct {
|
||||||
func (ts tokenSource) Token() (*oauth2.Token, error) {
|
func (ts tokenSource) Token() (*oauth2.Token, error) {
|
||||||
conf := ts.conf
|
conf := ts.conf
|
||||||
|
|
||||||
|
if conf.ServiceAccountImpersonationURL != "" {
|
||||||
|
token, err := ts.impersonate()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return token, err
|
||||||
|
}
|
||||||
|
|
||||||
credSource := conf.parse(ts.ctx)
|
credSource := conf.parse(ts.ctx)
|
||||||
if credSource == nil {
|
if credSource == nil {
|
||||||
return nil, fmt.Errorf("oauth2/google: unable to parse credential source")
|
return nil, fmt.Errorf("oauth2/google: unable to parse credential source")
|
||||||
|
@ -130,6 +138,5 @@ func (ts tokenSource) Token() (*oauth2.Token, error) {
|
||||||
if stsResp.RefreshToken != "" {
|
if stsResp.RefreshToken != "" {
|
||||||
accessToken.RefreshToken = stsResp.RefreshToken
|
accessToken.RefreshToken = stsResp.RefreshToken
|
||||||
}
|
}
|
||||||
|
|
||||||
return accessToken, nil
|
return accessToken, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -22,7 +22,6 @@ var testConfig = Config{
|
||||||
Audience: "32555940559.apps.googleusercontent.com",
|
Audience: "32555940559.apps.googleusercontent.com",
|
||||||
SubjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
|
SubjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
|
||||||
TokenInfoURL: "http://localhost:8080/v1/tokeninfo",
|
TokenInfoURL: "http://localhost:8080/v1/tokeninfo",
|
||||||
ServiceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/service-gcs-admin@$PROJECT_ID.iam.gserviceaccount.com:generateAccessToken",
|
|
||||||
ClientSecret: "notsosecret",
|
ClientSecret: "notsosecret",
|
||||||
ClientID: "rbrgnognrhongo3bi4gb9ghg9g",
|
ClientID: "rbrgnognrhongo3bi4gb9ghg9g",
|
||||||
CredentialSource: testBaseCredSource,
|
CredentialSource: testBaseCredSource,
|
||||||
|
@ -55,7 +54,7 @@ func TestToken(t *testing.T) {
|
||||||
}
|
}
|
||||||
body, err := ioutil.ReadAll(r.Body)
|
body, err := ioutil.ReadAll(r.Body)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("Failed reading request body: %s.", err)
|
t.Fatalf("Failed reading request body: %s.", err)
|
||||||
}
|
}
|
||||||
if got, want := string(body), baseCredsRequestBody; got != want {
|
if got, want := string(body), baseCredsRequestBody; got != want {
|
||||||
t.Errorf("Unexpected exchange payload: got %v but want %v", got, want)
|
t.Errorf("Unexpected exchange payload: got %v but want %v", got, want)
|
||||||
|
|
|
@ -0,0 +1,80 @@
|
||||||
|
// Copyright 2020 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package externalaccount
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
|
"golang.org/x/oauth2"
|
||||||
|
"io"
|
||||||
|
"io/ioutil"
|
||||||
|
"net/http"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
|
// generateAccesstokenReq is used for service account impersonation
|
||||||
|
type generateAccessTokenReq struct {
|
||||||
|
Delegates []string `json:"delegates,omitempty"`
|
||||||
|
Lifetime string `json:"lifetime,omitempty"`
|
||||||
|
Scope []string `json:"scope,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type impersonateTokenResponse struct {
|
||||||
|
AccessToken string `json:"accessToken"`
|
||||||
|
ExpireTime string `json:"expireTime"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// impersonate performs the exchange to get a temporary service account
|
||||||
|
func (ts tokenSource) impersonate() (*oauth2.Token, error) {
|
||||||
|
reqBody := generateAccessTokenReq{
|
||||||
|
Lifetime: "3600s",
|
||||||
|
Scope: ts.conf.Scopes,
|
||||||
|
}
|
||||||
|
b, err := json.Marshal(reqBody)
|
||||||
|
|
||||||
|
serviceAccountImpersonationURL := ts.conf.ServiceAccountImpersonationURL
|
||||||
|
ts.conf.ServiceAccountImpersonationURL = ""
|
||||||
|
ts.conf.Scopes = []string{"https://www.googleapis.com/auth/cloud-platform"}
|
||||||
|
|
||||||
|
client := oauth2.NewClient(ts.ctx, ts)
|
||||||
|
if err != nil {
|
||||||
|
return &oauth2.Token{}, fmt.Errorf("google: unable to marshal request: %v", err)
|
||||||
|
}
|
||||||
|
req, err := http.NewRequest("POST", serviceAccountImpersonationURL, bytes.NewReader(b))
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("impersonate: unable to create request: %v", err)
|
||||||
|
}
|
||||||
|
req = req.WithContext(ts.ctx)
|
||||||
|
req.Header.Set("Content-Type", "application/json")
|
||||||
|
|
||||||
|
resp, err := client.Do(req)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("impersonate: unable to generate access token: %v", err)
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
body, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("impersonate: unable to read body: %v", err)
|
||||||
|
}
|
||||||
|
if c := resp.StatusCode; c < 200 || c > 299 {
|
||||||
|
return nil, fmt.Errorf("impersonate: status code %d: %s", c, body)
|
||||||
|
}
|
||||||
|
|
||||||
|
var accessTokenResp impersonateTokenResponse
|
||||||
|
if err := json.Unmarshal(body, &accessTokenResp); err != nil {
|
||||||
|
return nil, fmt.Errorf("impersonate: unable to parse response: %v", err)
|
||||||
|
}
|
||||||
|
expiry, err := time.Parse(time.RFC3339, accessTokenResp.ExpireTime)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("impersonate: unable to parse expiry: %v", err)
|
||||||
|
}
|
||||||
|
return &oauth2.Token{
|
||||||
|
AccessToken: accessTokenResp.AccessToken,
|
||||||
|
Expiry: expiry,
|
||||||
|
TokenType: "Bearer",
|
||||||
|
}, nil
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,100 @@
|
||||||
|
// Copyright 2020 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package externalaccount
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"io/ioutil"
|
||||||
|
"net/http"
|
||||||
|
"net/http/httptest"
|
||||||
|
"testing"
|
||||||
|
)
|
||||||
|
|
||||||
|
var testImpersonateConfig = Config{
|
||||||
|
Audience: "32555940559.apps.googleusercontent.com",
|
||||||
|
SubjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
|
||||||
|
TokenInfoURL: "http://localhost:8080/v1/tokeninfo",
|
||||||
|
ClientSecret: "notsosecret",
|
||||||
|
ClientID: "rbrgnognrhongo3bi4gb9ghg9g",
|
||||||
|
CredentialSource: testBaseCredSource,
|
||||||
|
Scopes: []string{"https://www.googleapis.com/auth/devstorage.full_control"},
|
||||||
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
baseImpersonateCredsReqBody = "audience=32555940559.apps.googleusercontent.com&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange&options=null&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform&subject_token=street123&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Ajwt"
|
||||||
|
baseImpersonateCredsRespBody = `{"accessToken":"Second.Access.Token","expireTime":"2020-12-28T15:01:23Z"}`
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestImpersonation(t *testing.T) {
|
||||||
|
impersonateServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
|
if got, want := r.URL.String(), "/"; got != want {
|
||||||
|
t.Errorf("URL.String(): got %v but want %v", got, want)
|
||||||
|
}
|
||||||
|
headerAuth := r.Header.Get("Authorization")
|
||||||
|
if got, want := headerAuth, "Bearer Sample.Access.Token"; got != want {
|
||||||
|
t.Errorf("got %v but want %v", got, want)
|
||||||
|
}
|
||||||
|
headerContentType := r.Header.Get("Content-Type")
|
||||||
|
if got, want := headerContentType, "application/json"; got != want {
|
||||||
|
t.Errorf("got %v but want %v", got, want)
|
||||||
|
}
|
||||||
|
body, err := ioutil.ReadAll(r.Body)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Failed reading request body: %v.", err)
|
||||||
|
}
|
||||||
|
if got, want := string(body), "{\"lifetime\":\"3600s\",\"scope\":[\"https://www.googleapis.com/auth/devstorage.full_control\"]}"; got != want {
|
||||||
|
t.Errorf("Unexpected impersonation payload: got %v but want %v", got, want)
|
||||||
|
}
|
||||||
|
w.Header().Set("Content-Type", "application/json")
|
||||||
|
w.Write([]byte(baseImpersonateCredsRespBody))
|
||||||
|
}))
|
||||||
|
testImpersonateConfig.ServiceAccountImpersonationURL = impersonateServer.URL
|
||||||
|
targetServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
if got, want := r.URL.String(), "/"; got != want {
|
||||||
|
t.Errorf("URL.String(): got %v but want %v", got, want)
|
||||||
|
}
|
||||||
|
headerAuth := r.Header.Get("Authorization")
|
||||||
|
if got, want := headerAuth, "Basic cmJyZ25vZ25yaG9uZ28zYmk0Z2I5Z2hnOWc6bm90c29zZWNyZXQ="; got != want {
|
||||||
|
t.Errorf("got %v but want %v", got, want)
|
||||||
|
}
|
||||||
|
headerContentType := r.Header.Get("Content-Type")
|
||||||
|
if got, want := headerContentType, "application/x-www-form-urlencoded"; got != want {
|
||||||
|
t.Errorf("got %v but want %v", got, want)
|
||||||
|
}
|
||||||
|
body, err := ioutil.ReadAll(r.Body)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Failed reading request body: %v.", err)
|
||||||
|
}
|
||||||
|
if got, want := string(body), baseImpersonateCredsReqBody; got != want {
|
||||||
|
t.Errorf("Unexpected exchange payload: got %v but want %v", got, want)
|
||||||
|
}
|
||||||
|
w.Header().Set("Content-Type", "application/json")
|
||||||
|
w.Write([]byte(baseCredsResponseBody))
|
||||||
|
}))
|
||||||
|
defer targetServer.Close()
|
||||||
|
|
||||||
|
testImpersonateConfig.TokenURL = targetServer.URL
|
||||||
|
ourTS := tokenSource{
|
||||||
|
ctx: context.Background(),
|
||||||
|
conf: &testImpersonateConfig,
|
||||||
|
}
|
||||||
|
|
||||||
|
oldNow := now
|
||||||
|
defer func() { now = oldNow }()
|
||||||
|
now = testNow
|
||||||
|
|
||||||
|
tok, err := ourTS.Token()
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Unexpected error: %e", err)
|
||||||
|
}
|
||||||
|
if got, want := tok.AccessToken, "Second.Access.Token"; got != want {
|
||||||
|
t.Errorf("Unexpected access token: got %v, but wanted %v", got, want)
|
||||||
|
}
|
||||||
|
if got, want := tok.TokenType, "Bearer"; got != want {
|
||||||
|
t.Errorf("Unexpected TokenType: got %v, but wanted %v", got, want)
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in New Issue