...

Source file src/google.golang.org/api/impersonate/idtoken.go

Documentation: google.golang.org/api/impersonate 

     1  // Copyright 2021 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package impersonate
     6  
     7  import (
     8  	"bytes"
     9  	"context"
    10  	"encoding/json"
    11  	"fmt"
    12  	"io"
    13  	"net/http"
    14  	"time"
    15  
    16  	"golang.org/x/oauth2"
    17  	"google.golang.org/api/option"
    18  	htransport "google.golang.org/api/transport/http"
    19  )
    20  
    21  // IDTokenConfig for generating an impersonated ID token.
    22  type IDTokenConfig struct {
    23  	// Audience is the `aud` field for the token, such as an API endpoint the
    24  	// token will grant access to. Required.
    25  	Audience string
    26  	// TargetPrincipal is the email address of the service account to
    27  	// impersonate. Required.
    28  	TargetPrincipal string
    29  	// IncludeEmail includes the service account's email in the token. The
    30  	// resulting token will include both an `email` and `email_verified`
    31  	// claim.
    32  	IncludeEmail bool
    33  	// Delegates are the service account email addresses in a delegation chain.
    34  	// Each service account must be granted roles/iam.serviceAccountTokenCreator
    35  	// on the next service account in the chain. Optional.
    36  	Delegates []string
    37  }
    38  
    39  // IDTokenSource creates an impersonated TokenSource that returns ID tokens
    40  // configured with the provided config and using credentials loaded from
    41  // Application Default Credentials as the base credentials. The tokens provided
    42  // by the source are valid for one hour and are automatically refreshed.
    43  func IDTokenSource(ctx context.Context, config IDTokenConfig, opts ...option.ClientOption) (oauth2.TokenSource, error) {
    44  	if config.Audience == "" {
    45  		return nil, fmt.Errorf("impersonate: an audience must be provided")
    46  	}
    47  	if config.TargetPrincipal == "" {
    48  		return nil, fmt.Errorf("impersonate: a target service account must be provided")
    49  	}
    50  
    51  	clientOpts := append(defaultClientOptions(), opts...)
    52  	client, _, err := htransport.NewClient(ctx, clientOpts...)
    53  	if err != nil {
    54  		return nil, err
    55  	}
    56  
    57  	its := impersonatedIDTokenSource{
    58  		client:          client,
    59  		targetPrincipal: config.TargetPrincipal,
    60  		audience:        config.Audience,
    61  		includeEmail:    config.IncludeEmail,
    62  	}
    63  	for _, v := range config.Delegates {
    64  		its.delegates = append(its.delegates, formatIAMServiceAccountName(v))
    65  	}
    66  	return oauth2.ReuseTokenSource(nil, its), nil
    67  }
    68  
    69  type generateIDTokenRequest struct {
    70  	Audience     string   `json:"audience"`
    71  	IncludeEmail bool     `json:"includeEmail"`
    72  	Delegates    []string `json:"delegates,omitempty"`
    73  }
    74  
    75  type generateIDTokenResponse struct {
    76  	Token string `json:"token"`
    77  }
    78  
    79  type impersonatedIDTokenSource struct {
    80  	client *http.Client
    81  
    82  	targetPrincipal string
    83  	audience        string
    84  	includeEmail    bool
    85  	delegates       []string
    86  }
    87  
    88  func (i impersonatedIDTokenSource) Token() (*oauth2.Token, error) {
    89  	now := time.Now()
    90  	genIDTokenReq := generateIDTokenRequest{
    91  		Audience:     i.audience,
    92  		IncludeEmail: i.includeEmail,
    93  		Delegates:    i.delegates,
    94  	}
    95  	bodyBytes, err := json.Marshal(genIDTokenReq)
    96  	if err != nil {
    97  		return nil, fmt.Errorf("impersonate: unable to marshal request: %v", err)
    98  	}
    99  
   100  	url := fmt.Sprintf("%s/v1/%s:generateIdToken", iamCredentailsEndpoint, formatIAMServiceAccountName(i.targetPrincipal))
   101  	req, err := http.NewRequest("POST", url, bytes.NewReader(bodyBytes))
   102  	if err != nil {
   103  		return nil, fmt.Errorf("impersonate: unable to create request: %v", err)
   104  	}
   105  	req.Header.Set("Content-Type", "application/json")
   106  	resp, err := i.client.Do(req)
   107  	if err != nil {
   108  		return nil, fmt.Errorf("impersonate: unable to generate ID token: %v", err)
   109  	}
   110  	defer resp.Body.Close()
   111  	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
   112  	if err != nil {
   113  		return nil, fmt.Errorf("impersonate: unable to read body: %v", err)
   114  	}
   115  	if c := resp.StatusCode; c < 200 || c > 299 {
   116  		return nil, fmt.Errorf("impersonate: status code %d: %s", c, body)
   117  	}
   118  
   119  	var generateIDTokenResp generateIDTokenResponse
   120  	if err := json.Unmarshal(body, &generateIDTokenResp); err != nil {
   121  		return nil, fmt.Errorf("impersonate: unable to parse response: %v", err)
   122  	}
   123  	return &oauth2.Token{
   124  		AccessToken: generateIDTokenResp.Token,
   125  		// Generated ID tokens are good for one hour.
   126  		Expiry: now.Add(1 * time.Hour),
   127  	}, nil
   128  }
   129  

View as plain text