2019-11-07 20:05:39 +01:00
|
|
|
// Copyright 2017 Google LLC.
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
package internal
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
|
|
|
"io/ioutil"
|
|
|
|
|
|
|
|
"golang.org/x/oauth2"
|
2020-09-17 00:44:08 +02:00
|
|
|
"google.golang.org/api/internal/impersonate"
|
2019-11-07 20:05:39 +01:00
|
|
|
|
|
|
|
"golang.org/x/oauth2/google"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Creds returns credential information obtained from DialSettings, or if none, then
|
|
|
|
// it returns default credential information.
|
|
|
|
func Creds(ctx context.Context, ds *DialSettings) (*google.Credentials, error) {
|
2020-09-17 00:44:08 +02:00
|
|
|
creds, err := baseCreds(ctx, ds)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if ds.ImpersonationConfig != nil {
|
|
|
|
return impersonateCredentials(ctx, creds, ds)
|
|
|
|
}
|
|
|
|
return creds, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func baseCreds(ctx context.Context, ds *DialSettings) (*google.Credentials, error) {
|
2019-11-07 20:05:39 +01:00
|
|
|
if ds.Credentials != nil {
|
|
|
|
return ds.Credentials, nil
|
|
|
|
}
|
|
|
|
if ds.CredentialsJSON != nil {
|
2020-12-03 19:21:38 +01:00
|
|
|
return credentialsFromJSON(ctx, ds.CredentialsJSON, ds)
|
2019-11-07 20:05:39 +01:00
|
|
|
}
|
|
|
|
if ds.CredentialsFile != "" {
|
|
|
|
data, err := ioutil.ReadFile(ds.CredentialsFile)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("cannot read credentials file: %v", err)
|
|
|
|
}
|
2020-12-03 19:21:38 +01:00
|
|
|
return credentialsFromJSON(ctx, data, ds)
|
2019-11-07 20:05:39 +01:00
|
|
|
}
|
|
|
|
if ds.TokenSource != nil {
|
|
|
|
return &google.Credentials{TokenSource: ds.TokenSource}, nil
|
|
|
|
}
|
2020-12-03 19:21:38 +01:00
|
|
|
cred, err := google.FindDefaultCredentials(ctx, ds.GetScopes()...)
|
2019-11-07 20:05:39 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if len(cred.JSON) > 0 {
|
2020-12-03 19:21:38 +01:00
|
|
|
return credentialsFromJSON(ctx, cred.JSON, ds)
|
2019-11-07 20:05:39 +01:00
|
|
|
}
|
|
|
|
// For GAE and GCE, the JSON is empty so return the default credentials directly.
|
|
|
|
return cred, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// JSON key file type.
|
|
|
|
const (
|
|
|
|
serviceAccountKey = "service_account"
|
|
|
|
)
|
|
|
|
|
|
|
|
// credentialsFromJSON returns a google.Credentials based on the input.
|
|
|
|
//
|
|
|
|
// - If the JSON is a service account and no scopes provided, returns self-signed JWT auth flow
|
|
|
|
// - Otherwise, returns OAuth 2.0 flow.
|
2020-12-03 19:21:38 +01:00
|
|
|
func credentialsFromJSON(ctx context.Context, data []byte, ds *DialSettings) (*google.Credentials, error) {
|
|
|
|
cred, err := google.CredentialsFromJSON(ctx, data, ds.GetScopes()...)
|
2019-11-07 20:05:39 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2020-12-03 19:21:38 +01:00
|
|
|
if len(data) > 0 && len(ds.Scopes) == 0 && (ds.DefaultAudience != "" || len(ds.Audiences) > 0) {
|
2019-11-07 20:05:39 +01:00
|
|
|
var f struct {
|
|
|
|
Type string `json:"type"`
|
|
|
|
// The rest JSON fields are omitted because they are not used.
|
|
|
|
}
|
|
|
|
if err := json.Unmarshal(cred.JSON, &f); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if f.Type == serviceAccountKey {
|
2020-12-03 19:21:38 +01:00
|
|
|
ts, err := selfSignedJWTTokenSource(data, ds.DefaultAudience, ds.Audiences)
|
2019-11-07 20:05:39 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
cred.TokenSource = ts
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return cred, err
|
|
|
|
}
|
|
|
|
|
2020-12-03 19:21:38 +01:00
|
|
|
func selfSignedJWTTokenSource(data []byte, defaultAudience string, audiences []string) (oauth2.TokenSource, error) {
|
|
|
|
audience := defaultAudience
|
2019-11-07 20:05:39 +01:00
|
|
|
if len(audiences) > 0 {
|
|
|
|
// TODO(shinfan): Update golang oauth to support multiple audiences.
|
|
|
|
if len(audiences) > 1 {
|
|
|
|
return nil, fmt.Errorf("multiple audiences support is not implemented")
|
|
|
|
}
|
|
|
|
audience = audiences[0]
|
|
|
|
}
|
|
|
|
return google.JWTAccessTokenSourceFromJSON(data, audience)
|
|
|
|
}
|
2020-02-10 22:35:08 +01:00
|
|
|
|
|
|
|
// QuotaProjectFromCreds returns the quota project from the JSON blob in the provided credentials.
|
|
|
|
//
|
|
|
|
// NOTE(cbro): consider promoting this to a field on google.Credentials.
|
|
|
|
func QuotaProjectFromCreds(cred *google.Credentials) string {
|
|
|
|
var v struct {
|
|
|
|
QuotaProject string `json:"quota_project_id"`
|
|
|
|
}
|
|
|
|
if err := json.Unmarshal(cred.JSON, &v); err != nil {
|
|
|
|
return ""
|
|
|
|
}
|
|
|
|
return v.QuotaProject
|
|
|
|
}
|
2020-09-17 00:44:08 +02:00
|
|
|
|
|
|
|
func impersonateCredentials(ctx context.Context, creds *google.Credentials, ds *DialSettings) (*google.Credentials, error) {
|
|
|
|
if len(ds.ImpersonationConfig.Scopes) == 0 {
|
2020-12-03 19:21:38 +01:00
|
|
|
ds.ImpersonationConfig.Scopes = ds.GetScopes()
|
2020-09-17 00:44:08 +02:00
|
|
|
}
|
|
|
|
ts, err := impersonate.TokenSource(ctx, creds.TokenSource, ds.ImpersonationConfig)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return &google.Credentials{
|
|
|
|
TokenSource: ts,
|
|
|
|
ProjectID: creds.ProjectID,
|
|
|
|
}, nil
|
|
|
|
}
|