impersonate.go

Documentation: cloud.google.com/go/auth/credentials/internal/impersonate

     1  // Copyright 2023 Google LLC
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package impersonate
    16  
    17  import (
    18  	"bytes"
    19  	"context"
    20  	"encoding/json"
    21  	"errors"
    22  	"fmt"
    23  	"net/http"
    24  	"time"
    25  
    26  	"cloud.google.com/go/auth"
    27  	"cloud.google.com/go/auth/internal"
    28  )
    29  
    30  const (
    31  	defaultTokenLifetime = "3600s"
    32  	authHeaderKey        = "Authorization"
    33  )
    34  
    35  // generateAccesstokenReq is used for service account impersonation
    36  type generateAccessTokenReq struct {
    37  	Delegates []string `json:"delegates,omitempty"`
    38  	Lifetime  string   `json:"lifetime,omitempty"`
    39  	Scope     []string `json:"scope,omitempty"`
    40  }
    41  
    42  type impersonateTokenResponse struct {
    43  	AccessToken string `json:"accessToken"`
    44  	ExpireTime  string `json:"expireTime"`
    45  }
    46  
    47  // NewTokenProvider uses a source credential, stored in Ts, to request an access token to the provided URL.
    48  // Scopes can be defined when the access token is requested.
    49  func NewTokenProvider(opts *Options) (auth.TokenProvider, error) {
    50  	if err := opts.validate(); err != nil {
    51  		return nil, err
    52  	}
    53  	return opts, nil
    54  }
    55  
    56  // Options for [NewTokenProvider].
    57  type Options struct {
    58  	// Tp is the source credential used to generate a token on the
    59  	// impersonated service account. Required.
    60  	Tp auth.TokenProvider
    61  
    62  	// URL is the endpoint to call to generate a token
    63  	// on behalf of the service account. Required.
    64  	URL string
    65  	// Scopes that the impersonated credential should have. Required.
    66  	Scopes []string
    67  	// Delegates are the service account email addresses in a delegation chain.
    68  	// Each service account must be granted roles/iam.serviceAccountTokenCreator
    69  	// on the next service account in the chain. Optional.
    70  	Delegates []string
    71  	// TokenLifetimeSeconds is the number of seconds the impersonation token will
    72  	// be valid for. Defaults to 1 hour if unset. Optional.
    73  	TokenLifetimeSeconds int
    74  	// Client configures the underlying client used to make network requests
    75  	// when fetching tokens. Required.
    76  	Client *http.Client
    77  }
    78  
    79  func (o *Options) validate() error {
    80  	if o.Tp == nil {
    81  		return errors.New("credentials: missing required 'source_credentials' field in impersonated credentials")
    82  	}
    83  	if o.URL == "" {
    84  		return errors.New("credentials: missing required 'service_account_impersonation_url' field in impersonated credentials")
    85  	}
    86  	return nil
    87  }
    88  
    89  // Token performs the exchange to get a temporary service account token to allow access to GCP.
    90  func (o *Options) Token(ctx context.Context) (*auth.Token, error) {
    91  	lifetime := defaultTokenLifetime
    92  	if o.TokenLifetimeSeconds != 0 {
    93  		lifetime = fmt.Sprintf("%ds", o.TokenLifetimeSeconds)
    94  	}
    95  	reqBody := generateAccessTokenReq{
    96  		Lifetime:  lifetime,
    97  		Scope:     o.Scopes,
    98  		Delegates: o.Delegates,
    99  	}
   100  	b, err := json.Marshal(reqBody)
   101  	if err != nil {
   102  		return nil, fmt.Errorf("credentials: unable to marshal request: %w", err)
   103  	}
   104  	req, err := http.NewRequestWithContext(ctx, "POST", o.URL, bytes.NewReader(b))
   105  	if err != nil {
   106  		return nil, fmt.Errorf("credentials: unable to create impersonation request: %w", err)
   107  	}
   108  	req.Header.Set("Content-Type", "application/json")
   109  	if err := setAuthHeader(ctx, o.Tp, req); err != nil {
   110  		return nil, err
   111  	}
   112  	resp, err := o.Client.Do(req)
   113  	if err != nil {
   114  		return nil, fmt.Errorf("credentials: unable to generate access token: %w", err)
   115  	}
   116  	defer resp.Body.Close()
   117  	body, err := internal.ReadAll(resp.Body)
   118  	if err != nil {
   119  		return nil, fmt.Errorf("credentials: unable to read body: %w", err)
   120  	}
   121  	if c := resp.StatusCode; c < http.StatusOK || c >= http.StatusMultipleChoices {
   122  		return nil, fmt.Errorf("credentials: status code %d: %s", c, body)
   123  	}
   124  
   125  	var accessTokenResp impersonateTokenResponse
   126  	if err := json.Unmarshal(body, &accessTokenResp); err != nil {
   127  		return nil, fmt.Errorf("credentials: unable to parse response: %w", err)
   128  	}
   129  	expiry, err := time.Parse(time.RFC3339, accessTokenResp.ExpireTime)
   130  	if err != nil {
   131  		return nil, fmt.Errorf("credentials: unable to parse expiry: %w", err)
   132  	}
   133  	return &auth.Token{
   134  		Value:  accessTokenResp.AccessToken,
   135  		Expiry: expiry,
   136  		Type:   internal.TokenTypeBearer,
   137  	}, nil
   138  }
   139  
   140  func setAuthHeader(ctx context.Context, tp auth.TokenProvider, r *http.Request) error {
   141  	t, err := tp.Token(ctx)
   142  	if err != nil {
   143  		return err
   144  	}
   145  	typ := t.Type
   146  	if typ == "" {
   147  		typ = internal.TokenTypeBearer
   148  	}
   149  	r.Header.Set(authHeaderKey, typ+" "+t.Value)
   150  	return nil
   151  }
   152
View as plain text