// Copyright 2022 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. package externalaccount import ( "bytes" "context" "encoding/json" "errors" "fmt" "io" "io/ioutil" "os" "os/exec" "regexp" "strings" "time" ) var serviceAccountImpersonationRE = regexp.MustCompile("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/(.*@.*):generateAccessToken") const ( executableSupportedMaxVersion = 1 defaultTimeout = 30 * time.Second timeoutMinimum = 5 * time.Second timeoutMaximum = 120 * time.Second executableSource = "response" outputFileSource = "output file" ) type nonCacheableError struct { message string } func (nce nonCacheableError) Error() string { return nce.message } func missingFieldError(source, field string) error { return fmt.Errorf("oauth2/google: %v missing `%q` field", source, field) } func jsonParsingError(source, data string) error { return fmt.Errorf("oauth2/google: unable to parse %v\nResponse: %v", source, data) } func malformedFailureError() error { return nonCacheableError{"oauth2/google: response must include `error` and `message` fields when unsuccessful"} } func userDefinedError(code, message string) error { return nonCacheableError{fmt.Sprintf("oauth2/google: response contains unsuccessful response: (%v) %v", code, message)} } func unsupportedVersionError(source string, version int) error { return fmt.Errorf("oauth2/google: %v contains unsupported version: %v", source, version) } func tokenExpiredError() error { return nonCacheableError{"oauth2/google: the token returned by the executable is expired"} } func tokenTypeError(source string) error { return fmt.Errorf("oauth2/google: %v contains unsupported token type", source) } func exitCodeError(exitCode int) error { return fmt.Errorf("oauth2/google: executable command failed with exit code %v", exitCode) } func executableError(err error) error { return fmt.Errorf("oauth2/google: executable command failed: %v", err) } func executablesDisallowedError() error { return errors.New("oauth2/google: executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') to run") } func timeoutRangeError() error { return errors.New("oauth2/google: invalid `timeout_millis` field — executable timeout must be between 5 and 120 seconds") } func commandMissingError() error { return errors.New("oauth2/google: missing `command` field — executable command must be provided") } type environment interface { existingEnv() []string getenv(string) string run(ctx context.Context, command string, env []string) ([]byte, error) now() time.Time } type runtimeEnvironment struct{} func (r runtimeEnvironment) existingEnv() []string { return os.Environ() } func (r runtimeEnvironment) getenv(key string) string { return os.Getenv(key) } func (r runtimeEnvironment) now() time.Time { return time.Now().UTC() } func (r runtimeEnvironment) run(ctx context.Context, command string, env []string) ([]byte, error) { splitCommand := strings.Fields(command) cmd := exec.CommandContext(ctx, splitCommand[0], splitCommand[1:]...) cmd.Env = env var stdout, stderr bytes.Buffer cmd.Stdout = &stdout cmd.Stderr = &stderr if err := cmd.Run(); err != nil { if ctx.Err() == context.DeadlineExceeded { return nil, context.DeadlineExceeded } if exitError, ok := err.(*exec.ExitError); ok { return nil, exitCodeError(exitError.ExitCode()) } return nil, executableError(err) } bytesStdout := bytes.TrimSpace(stdout.Bytes()) if len(bytesStdout) > 0 { return bytesStdout, nil } return bytes.TrimSpace(stderr.Bytes()), nil } type executableCredentialSource struct { Command string Timeout time.Duration OutputFile string ctx context.Context config *Config env environment } // CreateExecutableCredential creates an executableCredentialSource given an ExecutableConfig. // It also performs defaulting and type conversions. func CreateExecutableCredential(ctx context.Context, ec *ExecutableConfig, config *Config) (executableCredentialSource, error) { if ec.Command == "" { return executableCredentialSource{}, commandMissingError() } result := executableCredentialSource{} result.Command = ec.Command if ec.TimeoutMillis == nil { result.Timeout = defaultTimeout } else { result.Timeout = time.Duration(*ec.TimeoutMillis) * time.Millisecond if result.Timeout < timeoutMinimum || result.Timeout > timeoutMaximum { return executableCredentialSource{}, timeoutRangeError() } } result.OutputFile = ec.OutputFile result.ctx = ctx result.config = config result.env = runtimeEnvironment{} return result, nil } type executableResponse struct { Version int `json:"version,omitempty"` Success *bool `json:"success,omitempty"` TokenType string `json:"token_type,omitempty"` ExpirationTime int64 `json:"expiration_time,omitempty"` IdToken string `json:"id_token,omitempty"` SamlResponse string `json:"saml_response,omitempty"` Code string `json:"code,omitempty"` Message string `json:"message,omitempty"` } func (cs executableCredentialSource) parseSubjectTokenFromSource(response []byte, source string, now int64) (string, error) { var result executableResponse if err := json.Unmarshal(response, &result); err != nil { return "", jsonParsingError(source, string(response)) } if result.Version == 0 { return "", missingFieldError(source, "version") } if result.Success == nil { return "", missingFieldError(source, "success") } if !*result.Success { if result.Code == "" || result.Message == "" { return "", malformedFailureError() } return "", userDefinedError(result.Code, result.Message) } if result.Version > executableSupportedMaxVersion || result.Version < 0 { return "", unsupportedVersionError(source, result.Version) } if result.ExpirationTime == 0 && cs.OutputFile != "" { return "", missingFieldError(source, "expiration_time") } if result.TokenType == "" { return "", missingFieldError(source, "token_type") } if result.ExpirationTime != 0 && result.ExpirationTime < now { return "", tokenExpiredError() } if result.TokenType == "urn:ietf:params:oauth:token-type:jwt" || result.TokenType == "urn:ietf:params:oauth:token-type:id_token" { if result.IdToken == "" { return "", missingFieldError(source, "id_token") } return result.IdToken, nil } if result.TokenType == "urn:ietf:params:oauth:token-type:saml2" { if result.SamlResponse == "" { return "", missingFieldError(source, "saml_response") } return result.SamlResponse, nil } return "", tokenTypeError(source) } func (cs executableCredentialSource) subjectToken() (string, error) { if token, err := cs.getTokenFromOutputFile(); token != "" || err != nil { return token, err } return cs.getTokenFromExecutableCommand() } func (cs executableCredentialSource) getTokenFromOutputFile() (token string, err error) { if cs.OutputFile == "" { // This ExecutableCredentialSource doesn't use an OutputFile. return "", nil } file, err := os.Open(cs.OutputFile) if err != nil { // No OutputFile found. Hasn't been created yet, so skip it. return "", nil } defer file.Close() data, err := ioutil.ReadAll(io.LimitReader(file, 1<<20)) if err != nil || len(data) == 0 { // Cachefile exists, but no data found. Get new credential. return "", nil } token, err = cs.parseSubjectTokenFromSource(data, outputFileSource, cs.env.now().Unix()) if err != nil { if _, ok := err.(nonCacheableError); ok { // If the cached token is expired we need a new token, // and if the cache contains a failure, we need to try again. return "", nil } // There was an error in the cached token, and the developer should be aware of it. return "", err } // Token parsing succeeded. Use found token. return token, nil } func (cs executableCredentialSource) executableEnvironment() []string { result := cs.env.existingEnv() result = append(result, fmt.Sprintf("GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE=%v", cs.config.Audience)) result = append(result, fmt.Sprintf("GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE=%v", cs.config.SubjectTokenType)) result = append(result, "GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE=0") if cs.config.ServiceAccountImpersonationURL != "" { matches := serviceAccountImpersonationRE.FindStringSubmatch(cs.config.ServiceAccountImpersonationURL) if matches != nil { result = append(result, fmt.Sprintf("GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL=%v", matches[1])) } } if cs.OutputFile != "" { result = append(result, fmt.Sprintf("GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE=%v", cs.OutputFile)) } return result } func (cs executableCredentialSource) getTokenFromExecutableCommand() (string, error) { // For security reasons, we need our consumers to set this environment variable to allow executables to be run. if cs.env.getenv("GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES") != "1" { return "", executablesDisallowedError() } ctx, cancel := context.WithDeadline(cs.ctx, cs.env.now().Add(cs.Timeout)) defer cancel() output, err := cs.env.run(ctx, cs.Command, cs.executableEnvironment()) if err != nil { return "", err } return cs.parseSubjectTokenFromSource(output, executableSource, cs.env.now().Unix()) }