impersonate.go

Documentation: google.golang.org/api/impersonate

     1  // Copyright 2021 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package impersonate
     6  
     7  import (
     8  	"bytes"
     9  	"context"
    10  	"encoding/json"
    11  	"errors"
    12  	"fmt"
    13  	"io"
    14  	"net/http"
    15  	"time"
    16  
    17  	"golang.org/x/oauth2"
    18  	"google.golang.org/api/internal"
    19  	"google.golang.org/api/option"
    20  	"google.golang.org/api/option/internaloption"
    21  	htransport "google.golang.org/api/transport/http"
    22  )
    23  
    24  var (
    25  	iamCredentailsEndpoint                      = "https://iamcredentials.googleapis.com"
    26  	oauth2Endpoint                              = "https://oauth2.googleapis.com"
    27  	errMissingTargetPrincipal                   = errors.New("impersonate: a target service account must be provided")
    28  	errMissingScopes                            = errors.New("impersonate: scopes must be provided")
    29  	errLifetimeOverMax                          = errors.New("impersonate: max lifetime is 12 hours")
    30  	errUniverseNotSupportedDomainWideDelegation = errors.New("impersonate: service account user is configured for the credential. " +
    31  		"Domain-wide delegation is not supported in universes other than googleapis.com")
    32  )
    33  
    34  // CredentialsConfig for generating impersonated credentials.
    35  type CredentialsConfig struct {
    36  	// TargetPrincipal is the email address of the service account to
    37  	// impersonate. Required.
    38  	TargetPrincipal string
    39  	// Scopes that the impersonated credential should have. Required.
    40  	Scopes []string
    41  	// Delegates are the service account email addresses in a delegation chain.
    42  	// Each service account must be granted roles/iam.serviceAccountTokenCreator
    43  	// on the next service account in the chain. Optional.
    44  	Delegates []string
    45  	// Lifetime is the amount of time until the impersonated token expires. If
    46  	// unset the token's lifetime will be one hour and be automatically
    47  	// refreshed. If set the token may have a max lifetime of one hour and will
    48  	// not be refreshed. Service accounts that have been added to an org policy
    49  	// with constraints/iam.allowServiceAccountCredentialLifetimeExtension may
    50  	// request a token lifetime of up to 12 hours. Optional.
    51  	Lifetime time.Duration
    52  	// Subject is the sub field of a JWT. This field should only be set if you
    53  	// wish to impersonate as a user. This feature is useful when using domain
    54  	// wide delegation. Optional.
    55  	Subject string
    56  }
    57  
    58  // defaultClientOptions ensures the base credentials will work with the IAM
    59  // Credentials API if no scope or audience is set by the user.
    60  func defaultClientOptions() []option.ClientOption {
    61  	return []option.ClientOption{
    62  		internaloption.WithDefaultAudience("https://iamcredentials.googleapis.com/"),
    63  		internaloption.WithDefaultScopes("https://www.googleapis.com/auth/cloud-platform"),
    64  	}
    65  }
    66  
    67  // CredentialsTokenSource returns an impersonated CredentialsTokenSource configured with the provided
    68  // config and using credentials loaded from Application Default Credentials as
    69  // the base credentials.
    70  func CredentialsTokenSource(ctx context.Context, config CredentialsConfig, opts ...option.ClientOption) (oauth2.TokenSource, error) {
    71  	if config.TargetPrincipal == "" {
    72  		return nil, errMissingTargetPrincipal
    73  	}
    74  	if len(config.Scopes) == 0 {
    75  		return nil, errMissingScopes
    76  	}
    77  	if config.Lifetime.Hours() > 12 {
    78  		return nil, errLifetimeOverMax
    79  	}
    80  
    81  	var isStaticToken bool
    82  	// Default to the longest acceptable value of one hour as the token will
    83  	// be refreshed automatically if not set.
    84  	lifetime := 3600 * time.Second
    85  	if config.Lifetime != 0 {
    86  		lifetime = config.Lifetime
    87  		// Don't auto-refresh token if a lifetime is configured.
    88  		isStaticToken = true
    89  	}
    90  
    91  	clientOpts := append(defaultClientOptions(), opts...)
    92  	client, _, err := htransport.NewClient(ctx, clientOpts...)
    93  	if err != nil {
    94  		return nil, err
    95  	}
    96  	// If a subject is specified a domain-wide delegation auth-flow is initiated
    97  	// to impersonate as the provided subject (user).
    98  	if config.Subject != "" {
    99  		settings, err := newSettings(clientOpts)
   100  		if err != nil {
   101  			return nil, err
   102  		}
   103  		if !settings.IsUniverseDomainGDU() {
   104  			return nil, errUniverseNotSupportedDomainWideDelegation
   105  		}
   106  		return user(ctx, config, client, lifetime, isStaticToken)
   107  	}
   108  
   109  	its := impersonatedTokenSource{
   110  		client:          client,
   111  		targetPrincipal: config.TargetPrincipal,
   112  		lifetime:        fmt.Sprintf("%.fs", lifetime.Seconds()),
   113  	}
   114  	for _, v := range config.Delegates {
   115  		its.delegates = append(its.delegates, formatIAMServiceAccountName(v))
   116  	}
   117  	its.scopes = make([]string, len(config.Scopes))
   118  	copy(its.scopes, config.Scopes)
   119  
   120  	if isStaticToken {
   121  		tok, err := its.Token()
   122  		if err != nil {
   123  			return nil, err
   124  		}
   125  		return oauth2.StaticTokenSource(tok), nil
   126  	}
   127  	return oauth2.ReuseTokenSource(nil, its), nil
   128  }
   129  
   130  func newSettings(opts []option.ClientOption) (*internal.DialSettings, error) {
   131  	var o internal.DialSettings
   132  	for _, opt := range opts {
   133  		opt.Apply(&o)
   134  	}
   135  	if err := o.Validate(); err != nil {
   136  		return nil, err
   137  	}
   138  
   139  	return &o, nil
   140  }
   141  
   142  func formatIAMServiceAccountName(name string) string {
   143  	return fmt.Sprintf("projects/-/serviceAccounts/%s", name)
   144  }
   145  
   146  type generateAccessTokenReq struct {
   147  	Delegates []string `json:"delegates,omitempty"`
   148  	Lifetime  string   `json:"lifetime,omitempty"`
   149  	Scope     []string `json:"scope,omitempty"`
   150  }
   151  
   152  type generateAccessTokenResp struct {
   153  	AccessToken string `json:"accessToken"`
   154  	ExpireTime  string `json:"expireTime"`
   155  }
   156  
   157  type impersonatedTokenSource struct {
   158  	client *http.Client
   159  
   160  	targetPrincipal string
   161  	lifetime        string
   162  	scopes          []string
   163  	delegates       []string
   164  }
   165  
   166  // Token returns an impersonated Token.
   167  func (i impersonatedTokenSource) Token() (*oauth2.Token, error) {
   168  	reqBody := generateAccessTokenReq{
   169  		Delegates: i.delegates,
   170  		Lifetime:  i.lifetime,
   171  		Scope:     i.scopes,
   172  	}
   173  	b, err := json.Marshal(reqBody)
   174  	if err != nil {
   175  		return nil, fmt.Errorf("impersonate: unable to marshal request: %v", err)
   176  	}
   177  	url := fmt.Sprintf("%s/v1/%s:generateAccessToken", iamCredentailsEndpoint, formatIAMServiceAccountName(i.targetPrincipal))
   178  	req, err := http.NewRequest("POST", url, bytes.NewReader(b))
   179  	if err != nil {
   180  		return nil, fmt.Errorf("impersonate: unable to create request: %v", err)
   181  	}
   182  	req.Header.Set("Content-Type", "application/json")
   183  
   184  	resp, err := i.client.Do(req)
   185  	if err != nil {
   186  		return nil, fmt.Errorf("impersonate: unable to generate access token: %v", err)
   187  	}
   188  	defer resp.Body.Close()
   189  	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
   190  	if err != nil {
   191  		return nil, fmt.Errorf("impersonate: unable to read body: %v", err)
   192  	}
   193  	if c := resp.StatusCode; c < 200 || c > 299 {
   194  		return nil, fmt.Errorf("impersonate: status code %d: %s", c, body)
   195  	}
   196  
   197  	var accessTokenResp generateAccessTokenResp
   198  	if err := json.Unmarshal(body, &accessTokenResp); err != nil {
   199  		return nil, fmt.Errorf("impersonate: unable to parse response: %v", err)
   200  	}
   201  	expiry, err := time.Parse(time.RFC3339, accessTokenResp.ExpireTime)
   202  	if err != nil {
   203  		return nil, fmt.Errorf("impersonate: unable to parse expiry: %v", err)
   204  	}
   205  	return &oauth2.Token{
   206  		AccessToken: accessTokenResp.AccessToken,
   207  		Expiry:      expiry,
   208  	}, nil
   209  }
   210
View as plain text