2019-11-07 20:05:39 +01:00
|
|
|
// Copyright 2017 Google LLC.
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
// Package internal supports the options and transport packages.
|
|
|
|
package internal
|
|
|
|
|
|
|
|
import (
|
2020-02-26 19:45:19 +01:00
|
|
|
"crypto/tls"
|
2019-11-07 20:05:39 +01:00
|
|
|
"errors"
|
|
|
|
"net/http"
|
2023-10-02 21:49:16 +02:00
|
|
|
"os"
|
|
|
|
"strconv"
|
2019-11-07 20:05:39 +01:00
|
|
|
|
|
|
|
"golang.org/x/oauth2"
|
|
|
|
"golang.org/x/oauth2/google"
|
2020-09-17 00:43:19 +02:00
|
|
|
"google.golang.org/api/internal/impersonate"
|
2019-11-07 20:05:39 +01:00
|
|
|
"google.golang.org/grpc"
|
|
|
|
)
|
|
|
|
|
2023-10-02 21:49:16 +02:00
|
|
|
const (
|
|
|
|
newAuthLibEnVar = "GOOGLE_API_GO_EXPERIMENTAL_USE_NEW_AUTH_LIB"
|
|
|
|
)
|
|
|
|
|
2019-11-07 20:05:39 +01:00
|
|
|
// DialSettings holds information needed to establish a connection with a
|
|
|
|
// Google API service.
|
|
|
|
type DialSettings struct {
|
2021-08-31 10:09:55 +02:00
|
|
|
Endpoint string
|
|
|
|
DefaultEndpoint string
|
|
|
|
DefaultMTLSEndpoint string
|
|
|
|
Scopes []string
|
|
|
|
DefaultScopes []string
|
|
|
|
EnableJwtWithScope bool
|
|
|
|
TokenSource oauth2.TokenSource
|
|
|
|
Credentials *google.Credentials
|
|
|
|
CredentialsFile string // if set, Token Source is ignored.
|
|
|
|
CredentialsJSON []byte
|
2021-09-01 11:52:17 +02:00
|
|
|
InternalCredentials *google.Credentials
|
2021-08-31 10:09:55 +02:00
|
|
|
UserAgent string
|
|
|
|
APIKey string
|
|
|
|
Audiences []string
|
|
|
|
DefaultAudience string
|
|
|
|
HTTPClient *http.Client
|
|
|
|
GRPCDialOpts []grpc.DialOption
|
|
|
|
GRPCConn *grpc.ClientConn
|
|
|
|
GRPCConnPool ConnPool
|
|
|
|
GRPCConnPoolSize int
|
|
|
|
NoAuth bool
|
|
|
|
TelemetryDisabled bool
|
|
|
|
ClientCertSource func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
|
|
|
|
CustomClaims map[string]interface{}
|
|
|
|
SkipValidation bool
|
|
|
|
ImpersonationConfig *impersonate.Config
|
|
|
|
EnableDirectPath bool
|
2023-05-10 08:13:50 +02:00
|
|
|
EnableDirectPathXds bool
|
2023-10-02 21:49:16 +02:00
|
|
|
EnableNewAuthLibrary bool
|
2021-08-31 10:09:55 +02:00
|
|
|
AllowNonDefaultServiceAccount bool
|
2019-11-07 20:05:39 +01:00
|
|
|
|
|
|
|
// Google API system parameters. For more information please read:
|
|
|
|
// https://cloud.google.com/apis/docs/system-parameters
|
|
|
|
QuotaProject string
|
|
|
|
RequestReason string
|
|
|
|
}
|
|
|
|
|
2020-12-03 19:16:30 +01:00
|
|
|
// GetScopes returns the user-provided scopes, if set, or else falls back to the
|
|
|
|
// default scopes.
|
|
|
|
func (ds *DialSettings) GetScopes() []string {
|
|
|
|
if len(ds.Scopes) > 0 {
|
|
|
|
return ds.Scopes
|
|
|
|
}
|
|
|
|
return ds.DefaultScopes
|
|
|
|
}
|
|
|
|
|
2021-06-24 16:33:31 +02:00
|
|
|
// GetAudience returns the user-provided audience, if set, or else falls back to the default audience.
|
|
|
|
func (ds *DialSettings) GetAudience() string {
|
|
|
|
if ds.HasCustomAudience() {
|
|
|
|
return ds.Audiences[0]
|
|
|
|
}
|
|
|
|
return ds.DefaultAudience
|
|
|
|
}
|
|
|
|
|
|
|
|
// HasCustomAudience returns true if a custom audience is provided by users.
|
|
|
|
func (ds *DialSettings) HasCustomAudience() bool {
|
|
|
|
return len(ds.Audiences) > 0
|
|
|
|
}
|
|
|
|
|
2023-10-02 21:49:16 +02:00
|
|
|
func (ds *DialSettings) IsNewAuthLibraryEnabled() bool {
|
|
|
|
if ds.EnableNewAuthLibrary {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
if b, err := strconv.ParseBool(os.Getenv(newAuthLibEnVar)); err == nil {
|
|
|
|
return b
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2019-11-07 20:05:39 +01:00
|
|
|
// Validate reports an error if ds is invalid.
|
|
|
|
func (ds *DialSettings) Validate() error {
|
2020-08-05 10:10:10 +02:00
|
|
|
if ds.SkipValidation {
|
|
|
|
return nil
|
|
|
|
}
|
2019-11-07 20:05:39 +01:00
|
|
|
hasCreds := ds.APIKey != "" || ds.TokenSource != nil || ds.CredentialsFile != "" || ds.Credentials != nil
|
|
|
|
if ds.NoAuth && hasCreds {
|
|
|
|
return errors.New("options.WithoutAuthentication is incompatible with any option that provides credentials")
|
|
|
|
}
|
|
|
|
// Credentials should not appear with other options.
|
|
|
|
// We currently allow TokenSource and CredentialsFile to coexist.
|
|
|
|
// TODO(jba): make TokenSource & CredentialsFile an error (breaking change).
|
|
|
|
nCreds := 0
|
|
|
|
if ds.Credentials != nil {
|
|
|
|
nCreds++
|
|
|
|
}
|
|
|
|
if ds.CredentialsJSON != nil {
|
|
|
|
nCreds++
|
|
|
|
}
|
|
|
|
if ds.CredentialsFile != "" {
|
|
|
|
nCreds++
|
|
|
|
}
|
|
|
|
if ds.APIKey != "" {
|
|
|
|
nCreds++
|
|
|
|
}
|
|
|
|
if ds.TokenSource != nil {
|
|
|
|
nCreds++
|
|
|
|
}
|
|
|
|
if len(ds.Scopes) > 0 && len(ds.Audiences) > 0 {
|
|
|
|
return errors.New("WithScopes is incompatible with WithAudience")
|
|
|
|
}
|
|
|
|
// Accept only one form of credentials, except we allow TokenSource and CredentialsFile for backwards compatibility.
|
|
|
|
if nCreds > 1 && !(nCreds == 2 && ds.TokenSource != nil && ds.CredentialsFile != "") {
|
|
|
|
return errors.New("multiple credential options provided")
|
|
|
|
}
|
2020-02-10 22:28:15 +01:00
|
|
|
if ds.GRPCConn != nil && ds.GRPCConnPool != nil {
|
|
|
|
return errors.New("WithGRPCConn is incompatible with WithConnPool")
|
|
|
|
}
|
|
|
|
if ds.HTTPClient != nil && ds.GRPCConnPool != nil {
|
|
|
|
return errors.New("WithHTTPClient is incompatible with WithConnPool")
|
|
|
|
}
|
2019-11-07 20:05:39 +01:00
|
|
|
if ds.HTTPClient != nil && ds.GRPCConn != nil {
|
|
|
|
return errors.New("WithHTTPClient is incompatible with WithGRPCConn")
|
|
|
|
}
|
|
|
|
if ds.HTTPClient != nil && ds.GRPCDialOpts != nil {
|
|
|
|
return errors.New("WithHTTPClient is incompatible with gRPC dial options")
|
|
|
|
}
|
|
|
|
if ds.HTTPClient != nil && ds.QuotaProject != "" {
|
|
|
|
return errors.New("WithHTTPClient is incompatible with QuotaProject")
|
|
|
|
}
|
|
|
|
if ds.HTTPClient != nil && ds.RequestReason != "" {
|
|
|
|
return errors.New("WithHTTPClient is incompatible with RequestReason")
|
|
|
|
}
|
2020-02-26 19:45:19 +01:00
|
|
|
if ds.HTTPClient != nil && ds.ClientCertSource != nil {
|
|
|
|
return errors.New("WithHTTPClient is incompatible with WithClientCertSource")
|
|
|
|
}
|
|
|
|
if ds.ClientCertSource != nil && (ds.GRPCConn != nil || ds.GRPCConnPool != nil || ds.GRPCConnPoolSize != 0 || ds.GRPCDialOpts != nil) {
|
|
|
|
return errors.New("WithClientCertSource is currently only supported for HTTP. gRPC settings are incompatible")
|
|
|
|
}
|
2020-09-17 00:43:19 +02:00
|
|
|
if ds.ImpersonationConfig != nil && len(ds.ImpersonationConfig.Scopes) == 0 && len(ds.Scopes) == 0 {
|
|
|
|
return errors.New("WithImpersonatedCredentials requires scopes being provided")
|
|
|
|
}
|
2019-11-07 20:05:39 +01:00
|
|
|
return nil
|
|
|
|
}
|