

fix credentials/idtoken/file.go
quartzmo committed Nov 7, 2024
1 parent bfce866 commit 24f58a4
Showing 2 changed files with 15 additions and 48 deletions.
58 changes: 13 additions & 45 deletions auth/credentials/idtoken/file.go
Expand Up @@ -22,7 +22,6 @@ import (

"cloud.google.com/go/auth"
"cloud.google.com/go/auth/credentials/impersonate"
"cloud.google.com/go/auth/httptransport"
"cloud.google.com/go/auth/internal"
"cloud.google.com/go/auth/internal/credsfile"
)
Expand All @@ -47,18 +46,25 @@ func credsFromDefault(creds *auth.Credentials, opts *Options) (*auth.Credentials
var tp auth.TokenProvider
if resolveUniverseDomain(f) == internal.DefaultUniverseDomain {
tp, err = new2LOTokenProvider(f, opts)
if err != nil {
return nil, err
}
} else {
tp, err = newIAMIDTokenProvider(b, f, opts)
}
if err != nil {
return nil, err
// In case of non-GDU universe domain, use IAM.
tp = iamIDTokenProvider{
client: opts.client(),
// Pass the credentials universe domain to configure the endpoint.
universeDomain: auth.CredentialsPropertyFunc(creds.UniverseDomain),
signerEmail: f.ClientEmail,
audience: opts.Audience,
}
}
tp = auth.NewCachedTokenProvider(tp, nil)
return auth.NewCredentials(&auth.CredentialsOptions{
TokenProvider: tp,
JSON: b,
ProjectIDProvider: internal.StaticCredentialsProperty(f.ProjectID),
UniverseDomainProvider: internal.StaticCredentialsProperty(f.UniverseDomain),
ProjectIDProvider: auth.CredentialsPropertyFunc(creds.ProjectID),
UniverseDomainProvider: auth.CredentialsPropertyFunc(creds.UniverseDomain),
}), nil
case credsfile.ImpersonatedServiceAccountKey, credsfile.ExternalAccountKey:
type url struct {
Expand Down Expand Up @@ -119,44 +125,6 @@ func new2LOTokenProvider(f *credsfile.ServiceAccountFile, opts *Options) (auth.T
return auth.New2LOTokenProvider(opts2LO)
}

// newIAMIDTokenProvider creates a TokenProvider that performs an authenticated
// RPC with the IAM service to obtain an ID token. The provided service account
// must have the iam.serviceAccountTokenCreator role. If a fully-authenticated
// client is not provided, the service account must support a self-signed JWT.
// This TokenProvider is primarily intended for use in non-GDU universes, which
// do not have access to the oauth2.googleapis.com/token endpoint, and thus must
// use IAM generateIdToken instead.
func newIAMIDTokenProvider(b []byte, f *credsfile.ServiceAccountFile, opts *Options) (auth.TokenProvider, error) {
client := opts.Client
var creds *auth.Credentials
var err error
if client == nil {
creds, err = credentials.DetectDefault(&credentials.DetectOptions{
CredentialsJSON: b,
Scopes: []string{"https://www.googleapis.com/auth/iam"},
UseSelfSignedJWT: true,
})
if err != nil {
return nil, err
}
client, err = httptransport.NewClient(&httptransport.Options{
Credentials: creds,
UniverseDomain: opts.UniverseDomain,
})
if err != nil {
return nil, err
}
}
its := iamIDTokenProvider{
client: client,
// Pass the credentials universe domain to configure the endpoint.
universeDomain: resolveUniverseDomain(f),
signerEmail: f.ClientEmail,
audience: opts.Audience,
}
return its, nil
}

// resolveUniverseDomain returns the default service domain for a given
// Cloud universe. This is the universe domain configured for the credentials,
// which will be used in endpoint.
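Review bot: The new `else` branch in `credsFromDefault` loses the operational documentation that lived on the deleted `newIAMIDTokenProvider` — that the service account must hold the `iam.serviceAccountTokenCreator` role and that, when no fully-authenticated client is supplied, it must support a self-signed JWT — and replaces it with only `// In case of non-GDU universe domain, use IAM.`; I would restore that as the branch comment so a 403 from generateIdToken is explainable. The deleted path also built its own IAM-scoped, self-signed-JWT client from the service account JSON when `opts.Client` was nil, whereas the new code takes whatever `opts.client()` returns; that helper is outside the hunk, so please confirm it still yields a client authenticated as the service account rather than a bare default client, which would simply fail against the IAM endpoint. Separately, the branch is chosen on `resolveUniverseDomain(f)` but the IAM endpoint is built from `creds.UniverseDomain`; if those two can ever disagree (an option overriding the file's domain, for example), the signed request would be sent to a host the branch logic did not assume, so deriving both from one source would be safer. `credsFromDefault` starts before this hunk.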
5 changes: 2 additions & 3 deletions auth/credentials/idtoken/iam.go
Expand Up @@ -20,7 +20,6 @@ import (

"cloud.google.com/go/auth"
"cloud.google.com/go/auth/credentials/internal/impersonate"
"cloud.google.com/go/auth/internal"
)

// iamIDTokenProvider performs an authenticated RPC with the IAM service to
Expand All @@ -33,7 +32,7 @@ import (
type iamIDTokenProvider struct {
client *http.Client
// universeDomain is used for endpoint construction.
universeDomain string
universeDomain auth.CredentialsPropertyProvider
// signerEmail is the service account client email used to form the IAM generateIdToken endpoint.
signerEmail string
audience string
Expand All @@ -42,7 +41,7 @@ type iamIDTokenProvider struct {
func (i iamIDTokenProvider) Token(ctx context.Context) (*auth.Token, error) {
opts := impersonate.IDTokenOptions{
Client: i.client,
UniverseDomain: internal.StaticCredentialsProperty(i.universeDomain),
UniverseDomain: i.universeDomain,
ServiceAccountEmail: i.signerEmail,
GenerateIDTokenRequest: impersonate.GenerateIDTokenRequest{
Audience: i.audience,
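Review bot: Turning `universeDomain` into an `auth.CredentialsPropertyProvider` means a zero-value `iamIDTokenProvider` now holds a nil interface where it previously held an empty string that `internal.StaticCredentialsProperty` wrapped, and `Token` forwards `i.universeDomain` into `impersonate.IDTokenOptions` without a nil check; whether that is tolerated or panics depends on code outside this hunk. I would state the invariant on the field, `// universeDomain is used for endpoint construction; must be non-nil.`, or guard at the top of `Token` with `if i.universeDomain == nil { return nil, errors.New("idtoken: universe domain provider is nil") }`. Since the domain is now resolved on every `Token` call, a dynamic provider can change the host the signed request goes to between calls, which is worth a sentence in the field comment. `Token`'s body continues past the hunk.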
