Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(auth): add universe domain support to idtoken #11059

Merged
merged 30 commits into from
Jan 7, 2025
Merged
Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
260aaaa
feat(auth): add universe domain support to idtoken
quartzmo Oct 29, 2024
06969bb
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Oct 30, 2024
2a8bf0b
use base creds universe_domain instead of UseIAMEndpoint flag
quartzmo Oct 30, 2024
285045c
add impersonate.IDTokenOptions.UniverseDomain
quartzmo Oct 30, 2024
5ec1a27
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Oct 30, 2024
17a8752
add universe domain tests to impersonate/idtoken_test.go
quartzmo Oct 30, 2024
8baddf9
fix idtoken_test
quartzmo Oct 30, 2024
599a9ce
Add idtoken.Options.UniverseDomain
quartzmo Oct 30, 2024
4bdb8fc
fix test error handling
quartzmo Oct 30, 2024
6af13c6
refactor idtoken_test.go
quartzmo Oct 31, 2024
3a4a039
fix idtoken_test.go
quartzmo Oct 31, 2024
eb264ce
update idtoken/idtoken_test.go
quartzmo Oct 31, 2024
111992e
refactor JSON request handling to internal
quartzmo Oct 31, 2024
00a963e
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Oct 31, 2024
11139ff
small fixes per codyoss
quartzmo Oct 31, 2024
95ebfa9
refactor idtoken RPC duplication to internal
quartzmo Oct 31, 2024
8da4df3
fix vet
quartzmo Oct 31, 2024
f35e9ee
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Oct 31, 2024
3be9480
fix docs for vet
quartzmo Oct 31, 2024
bfce866
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Nov 6, 2024
24f58a4
fix credentials/idtoken/file.go
quartzmo Nov 7, 2024
e44f7ba
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Jan 3, 2025
3e5e31e
add logging support
quartzmo Jan 3, 2025
deefd9d
fix header year
quartzmo Jan 3, 2025
4d0a43a
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Jan 3, 2025
050fffc
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Jan 6, 2025
8a5c39c
remove unused func
quartzmo Jan 6, 2025
221739c
rename IDTokenOptions to IDTokenIAMOptions
quartzmo Jan 6, 2025
0e67649
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Jan 6, 2025
80f0aa4
refactor to IDTokenIAMOptions as TokenProvider
quartzmo Jan 6, 2025
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
118 changes: 94 additions & 24 deletions auth/credentials/idtoken/file.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,14 +15,17 @@
package idtoken

import (
"context"
"encoding/json"
"fmt"
"net/http"
"path/filepath"
"strings"

"cloud.google.com/go/auth"
"cloud.google.com/go/auth/credentials"
"cloud.google.com/go/auth/credentials/impersonate"
"cloud.google.com/go/auth/httptransport"
"cloud.google.com/go/auth/internal"
"cloud.google.com/go/auth/internal/credsfile"
)
Expand Down Expand Up @@ -50,38 +53,24 @@ func credsFromBytes(b []byte, opts *Options) (*auth.Credentials, error) {
if err != nil {
return nil, err
}
opts2LO := &auth.Options2LO{
Email: f.ClientEmail,
PrivateKey: []byte(f.PrivateKey),
PrivateKeyID: f.PrivateKeyID,
TokenURL: f.TokenURL,
UseIDToken: true,
var tp auth.TokenProvider
universeDomain := resolveUniverseDomain(f)
if universeDomain != internal.DefaultUniverseDomain {
tp, err = newIAMIDTokenProvider(b, f, opts)
} else {
tp, err = new2LOTokenProvider(f, opts)
}
if opts2LO.TokenURL == "" {
opts2LO.TokenURL = jwtTokenURL
}

var customClaims map[string]interface{}
if opts != nil {
customClaims = opts.CustomClaims
}
if customClaims == nil {
customClaims = make(map[string]interface{})
}
customClaims["target_audience"] = opts.Audience

opts2LO.PrivateClaims = customClaims
tp, err := auth.New2LOTokenProvider(opts2LO)
if err != nil {
return nil, err
}
tp = auth.NewCachedTokenProvider(tp, nil)
return auth.NewCredentials(&auth.CredentialsOptions{
creds := auth.NewCredentials(&auth.CredentialsOptions{
codyoss marked this conversation as resolved.
Show resolved Hide resolved
TokenProvider: tp,
JSON: b,
ProjectIDProvider: internal.StaticCredentialsProperty(f.ProjectID),
UniverseDomainProvider: internal.StaticCredentialsProperty(f.UniverseDomain),
}), nil
})
return creds, nil
case credsfile.ImpersonatedServiceAccountKey, credsfile.ExternalAccountKey:
type url struct {
ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
Expand All @@ -102,13 +91,18 @@ func credsFromBytes(b []byte, opts *Options) (*auth.Credentials, error) {
if err != nil {
return nil, err
}

// Hard pull of the provider is OK with file-based creds.
universeDomain, err := baseCreds.UniverseDomain(context.Background())
if err != nil {
return nil, err
}
config := impersonate.IDTokenOptions{
Audience: opts.Audience,
TargetPrincipal: account,
IncludeEmail: true,
Client: opts.client(),
Credentials: baseCreds,
UniverseDomain: universeDomain,
}
creds, err := impersonate.NewIDTokenCredentials(&config)
if err != nil {
Expand All @@ -125,3 +119,79 @@ func credsFromBytes(b []byte, opts *Options) (*auth.Credentials, error) {
return nil, fmt.Errorf("idtoken: unsupported credentials type: %v", t)
}
}

func new2LOTokenProvider(f *credsfile.ServiceAccountFile, opts *Options) (auth.TokenProvider, error) {
opts2LO := &auth.Options2LO{
Email: f.ClientEmail,
PrivateKey: []byte(f.PrivateKey),
PrivateKeyID: f.PrivateKeyID,
TokenURL: f.TokenURL,
UseIDToken: true,
}
if opts2LO.TokenURL == "" {
opts2LO.TokenURL = jwtTokenURL
}

var customClaims map[string]interface{}
if opts != nil {
customClaims = opts.CustomClaims
}
if customClaims == nil {
customClaims = make(map[string]interface{})
}
customClaims["target_audience"] = opts.Audience

opts2LO.PrivateClaims = customClaims
return auth.New2LOTokenProvider(opts2LO)
}

// newIAMIDTokenProvider creates a TokenProvider that performs an authenticated
// RPC with the IAM service to obtain an ID token. The provided service account
// must have the iam.serviceAccountTokenCreator role. If a fully-authenticated
// client is not provided, the service account must support a self-signed JWT.
// This TokenProvider is primarily intended for use in non-GDU universes, which
// do not have access to the oauth2.googleapis.com/token endpoint, and thus must
// use IAM generateIdToken instead.
func newIAMIDTokenProvider(b []byte, f *credsfile.ServiceAccountFile, opts *Options) (auth.TokenProvider, error) {
var client *http.Client
var creds *auth.Credentials
var err error
universeDomain := resolveUniverseDomain(f)
if opts.Client == nil {
creds, err = credentials.DetectDefault(&credentials.DetectOptions{
CredentialsJSON: b,
Scopes: []string{"https://www.googleapis.com/auth/iam"},
UseSelfSignedJWT: true,
UniverseDomain: universeDomain,
})
if err != nil {
return nil, err
}
client, err = httptransport.NewClient(&httptransport.Options{
Credentials: creds,
UniverseDomain: universeDomain,
})
if err != nil {
return nil, err
}
} else {
client = opts.Client
}
its := iamIDTokenProvider{
codyoss marked this conversation as resolved.
Show resolved Hide resolved
client: client,
universeDomain: universeDomain,
signerEmail: f.ClientEmail,
audience: opts.Audience,
}
return its, nil
}

// resolveUniverseDomain returns the default service domain for a given
// Cloud universe. This is the universe domain configured for the credentials,
// which will be used in endpoint.
func resolveUniverseDomain(f *credsfile.ServiceAccountFile) string {
codyoss marked this conversation as resolved.
Show resolved Hide resolved
if f.UniverseDomain != "" {
return f.UniverseDomain
}
return internal.DefaultUniverseDomain
}
93 changes: 93 additions & 0 deletions auth/credentials/idtoken/iam.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
// Copyright 2024 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package idtoken

import (
"bytes"
"context"
"encoding/json"
"fmt"
"net/http"
"strings"
"time"

"cloud.google.com/go/auth"
"cloud.google.com/go/auth/internal"
)

var (
universeDomainPlaceholder = "UNIVERSE_DOMAIN"
iamCredentialsUniverseDomainEndpoint = "https://iamcredentials.UNIVERSE_DOMAIN"
)

type generateIAMIDTokenRequest struct {
Audience string `json:"audience"`
IncludeEmail bool `json:"includeEmail"`
}

type generateIAMIDTokenResponse struct {
Token string `json:"token"`
}

// iamIDTokenProvider performs an authenticated RPC with the IAM service to
// obtain an ID token. The provided client must be fully authenticated and
// authorized with the iam.serviceAccountTokenCreator role.
//
// This TokenProvider is primarily intended for use in non-GDU universes, which
// do not have access to the oauth2.googleapis.com/token endpoint, and thus must
// use IAM generateIdToken instead.
type iamIDTokenProvider struct {
quartzmo marked this conversation as resolved.
Show resolved Hide resolved
quartzmo marked this conversation as resolved.
Show resolved Hide resolved
client *http.Client
universeDomain string
// signerEmail is the service account client email used to form the IAM generateIdToken endpoint.
signerEmail string
audience string
}

func (i iamIDTokenProvider) Token(ctx context.Context) (*auth.Token, error) {
tokenReq := generateIAMIDTokenRequest{
Audience: i.audience,
IncludeEmail: true,
}
bodyBytes, err := json.Marshal(tokenReq)
if err != nil {
return nil, fmt.Errorf("idtoken: unable to marshal request: %w", err)
}

endpoint := strings.Replace(iamCredentialsUniverseDomainEndpoint, universeDomainPlaceholder, i.universeDomain, 1)
url := fmt.Sprintf("%s/v1/%s:generateIdToken", endpoint, internal.FormatIAMServiceAccountName(i.signerEmail))
req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(bodyBytes))
if err != nil {
return nil, fmt.Errorf("idtoken: unable to create request: %w", err)
}
req.Header.Set("Content-Type", "application/json")
resp, body, err := internal.DoRequest(i.client, req)
if err != nil {
return nil, fmt.Errorf("idtoken: unable to generate ID token: %w", err)
}
if c := resp.StatusCode; c < 200 || c > 299 {
return nil, fmt.Errorf("idtoken: status code %d: %s", c, body)
}

var tokenResp generateIAMIDTokenResponse
if err := json.Unmarshal(body, &tokenResp); err != nil {
return nil, fmt.Errorf("idtoken: unable to parse response: %w", err)
}
return &auth.Token{
Value: tokenResp.Token,
// Generated ID tokens are good for one hour.
Expiry: time.Now().Add(1 * time.Hour),
}, nil
}
63 changes: 35 additions & 28 deletions auth/credentials/impersonate/idtoken.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ import (
"errors"
"fmt"
"net/http"
"strings"
"time"

"cloud.google.com/go/auth"
Expand Down Expand Up @@ -55,6 +56,11 @@ type IDTokenOptions struct {
// when fetching tokens. If provided the client should provide it's own
// base credentials at call time. Optional.
Client *http.Client
// UniverseDomain is the default service domain for a given Cloud universe.
// The default value is "googleapis.com". This is the universe domain
// configured for the client, which will be compared to the universe domain
// that is separately configured for the credentials. Optional.
UniverseDomain string
}

func (o *IDTokenOptions) validate() error {
Expand Down Expand Up @@ -85,49 +91,45 @@ func NewIDTokenCredentials(opts *IDTokenOptions) (*auth.Credentials, error) {
}
var client *http.Client
var creds *auth.Credentials
if opts.Client == nil && opts.Credentials == nil {
if opts.Client == nil {
var err error
// TODO: test not signed jwt more
creds, err = credentials.DetectDefault(&credentials.DetectOptions{
Scopes: []string{defaultScope},
UseSelfSignedJWT: true,
})
if err != nil {
return nil, err
if opts.Credentials == nil {
creds, err = credentials.DetectDefault(&credentials.DetectOptions{
Scopes: []string{defaultScope},
UseSelfSignedJWT: true,
})
if err != nil {
return nil, err
}
} else {
creds = opts.Credentials
codyoss marked this conversation as resolved.
Show resolved Hide resolved
}
client, err = httptransport.NewClient(&httptransport.Options{
Credentials: creds,
Credentials: creds,
UniverseDomain: opts.UniverseDomain,
})
if err != nil {
return nil, err
}
} else if opts.Client == nil {
creds = opts.Credentials
client = internal.DefaultClient()
if err := httptransport.AddAuthorizationMiddleware(client, opts.Credentials); err != nil {
return nil, err
}
} else {
client = opts.Client
}

universeDomainProvider := resolveUniverseDomainProvider(creds)
itp := impersonatedIDTokenProvider{
client: client,
targetPrincipal: opts.TargetPrincipal,
audience: opts.Audience,
includeEmail: opts.IncludeEmail,
client: client,
universeDomainProvider: universeDomainProvider,
codyoss marked this conversation as resolved.
Show resolved Hide resolved
targetPrincipal: opts.TargetPrincipal,
audience: opts.Audience,
includeEmail: opts.IncludeEmail,
}
for _, v := range opts.Delegates {
itp.delegates = append(itp.delegates, formatIAMServiceAccountName(v))
itp.delegates = append(itp.delegates, internal.FormatIAMServiceAccountName(v))
}

var udp auth.CredentialsPropertyProvider
if creds != nil {
udp = auth.CredentialsPropertyFunc(creds.UniverseDomain)
}
return auth.NewCredentials(&auth.CredentialsOptions{
TokenProvider: auth.NewCachedTokenProvider(itp, nil),
UniverseDomainProvider: udp,
UniverseDomainProvider: universeDomainProvider,
}), nil
}

Expand All @@ -142,7 +144,8 @@ type generateIDTokenResponse struct {
}

type impersonatedIDTokenProvider struct {
client *http.Client
client *http.Client
quartzmo marked this conversation as resolved.
Show resolved Hide resolved
universeDomainProvider auth.CredentialsPropertyProvider

targetPrincipal string
audience string
Expand All @@ -160,8 +163,12 @@ func (i impersonatedIDTokenProvider) Token(ctx context.Context) (*auth.Token, er
if err != nil {
return nil, fmt.Errorf("impersonate: unable to marshal request: %w", err)
}

url := fmt.Sprintf("%s/v1/%s:generateIdToken", iamCredentialsEndpoint, formatIAMServiceAccountName(i.targetPrincipal))
universeDomain, err := i.universeDomainProvider.GetProperty(ctx)
if err != nil {
return nil, err
}
endpoint := strings.Replace(iamCredentialsUniverseDomainEndpoint, universeDomainPlaceholder, universeDomain, 1)
url := fmt.Sprintf("%s/v1/%s:generateIdToken", endpoint, internal.FormatIAMServiceAccountName(i.targetPrincipal))
req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(bodyBytes))
if err != nil {
return nil, fmt.Errorf("impersonate: unable to create request: %w", err)
Expand Down
Loading
Loading