Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(auth): add universe domain support to idtoken #11059

Merged
merged 30 commits into from
Jan 7, 2025
+394 −159
Merged

feat(auth): add universe domain support to idtoken #11059

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
260aaaa
feat(auth): add universe domain support to idtoken
quartzmo Oct 29, 2024
06969bb
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Oct 30, 2024
2a8bf0b
use base creds universe_domain instead of UseIAMEndpoint flag
quartzmo Oct 30, 2024
285045c
add impersonate.IDTokenOptions.UniverseDomain
quartzmo Oct 30, 2024
5ec1a27
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Oct 30, 2024
17a8752
add universe domain tests to impersonate/idtoken_test.go
quartzmo Oct 30, 2024
8baddf9
fix idtoken_test
quartzmo Oct 30, 2024
599a9ce
Add idtoken.Options.UniverseDomain
quartzmo Oct 30, 2024
4bdb8fc
fix test error handling
quartzmo Oct 30, 2024
6af13c6
refactor idtoken_test.go
quartzmo Oct 31, 2024
3a4a039
fix idtoken_test.go
quartzmo Oct 31, 2024
eb264ce
update idtoken/idtoken_test.go
quartzmo Oct 31, 2024
111992e
refactor JSON request handling to internal
quartzmo Oct 31, 2024
00a963e
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Oct 31, 2024
11139ff
small fixes per codyoss
quartzmo Oct 31, 2024
95ebfa9
refactor idtoken RPC duplication to internal
quartzmo Oct 31, 2024
8da4df3
fix vet
quartzmo Oct 31, 2024
f35e9ee
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Oct 31, 2024
3be9480
fix docs for vet
quartzmo Oct 31, 2024
bfce866
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Nov 6, 2024
24f58a4
fix credentials/idtoken/file.go
quartzmo Nov 7, 2024
e44f7ba
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Jan 3, 2025
3e5e31e
add logging support
quartzmo Jan 3, 2025
deefd9d
fix header year
quartzmo Jan 3, 2025
4d0a43a
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Jan 3, 2025
050fffc
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Jan 6, 2025
8a5c39c
remove unused func
quartzmo Jan 6, 2025
221739c
rename IDTokenOptions to IDTokenIAMOptions
quartzmo Jan 6, 2025
0e67649
Merge branch 'main' into auth-idtoken-universe-domain
quartzmo Jan 6, 2025
80f0aa4
refactor to IDTokenIAMOptions as TokenProvider
quartzmo Jan 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 5 additions & 15 deletions auth/credentials/idtoken/iam.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@
package idtoken

import (
"bytes"
"context"
"encoding/json"
"fmt"
Expand Down Expand Up @@ -62,26 +61,17 @@ func (i iamIDTokenProvider) Token(ctx context.Context) (*auth.Token, error) {
Audience: i.audience,
IncludeEmail: true,
}
bodyBytes, err := json.Marshal(tokenReq)
if err != nil {
return nil, fmt.Errorf("idtoken: unable to marshal request: %w", err)
}

endpoint := strings.Replace(iamCredentialsUniverseDomainEndpoint, universeDomainPlaceholder, i.universeDomain, 1)
url := fmt.Sprintf("%s/v1/%s:generateIdToken", endpoint, internal.FormatIAMServiceAccountName(i.signerEmail))
req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(bodyBytes))

bodyBytes, err := json.Marshal(tokenReq)
if err != nil {
return nil, fmt.Errorf("idtoken: unable to create request: %w", err)
return nil, fmt.Errorf("idtoken: unable to marshal request: %w", err)
}
req.Header.Set("Content-Type", "application/json")
resp, body, err := internal.DoRequest(i.client, req)
body, err := internal.DoJSONRequest(ctx, i.client, url, bodyBytes, "idtoken")
if err != nil {
return nil, fmt.Errorf("idtoken: unable to generate ID token: %w", err)
return nil, err
}
if c := resp.StatusCode; c < 200 || c > 299 {
return nil, fmt.Errorf("idtoken: status code %d: %s", c, body)
}

var tokenResp generateIAMIDTokenResponse
if err := json.Unmarshal(body, &tokenResp); err != nil {
return nil, fmt.Errorf("idtoken: unable to parse response: %w", err)
Expand Down
19 changes: 5 additions & 14 deletions auth/credentials/impersonate/idtoken.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@
package impersonate

import (
"bytes"
"context"
"encoding/json"
"errors"
Expand Down Expand Up @@ -159,29 +158,21 @@ func (i impersonatedIDTokenProvider) Token(ctx context.Context) (*auth.Token, er
IncludeEmail: i.includeEmail,
Delegates: i.delegates,
}
bodyBytes, err := json.Marshal(genIDTokenReq)
if err != nil {
return nil, fmt.Errorf("impersonate: unable to marshal request: %w", err)
}
universeDomain, err := i.universeDomainProvider.GetProperty(ctx)
if err != nil {
return nil, err
}
endpoint := strings.Replace(iamCredentialsUniverseDomainEndpoint, universeDomainPlaceholder, universeDomain, 1)
url := fmt.Sprintf("%s/v1/%s:generateIdToken", endpoint, internal.FormatIAMServiceAccountName(i.targetPrincipal))
req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(bodyBytes))

bodyBytes, err := json.Marshal(genIDTokenReq)
if err != nil {
return nil, fmt.Errorf("impersonate: unable to create request: %w", err)
return nil, fmt.Errorf("impersonate: unable to marshal request: %w", err)
}
req.Header.Set("Content-Type", "application/json")
resp, body, err := internal.DoRequest(i.client, req)
body, err := internal.DoJSONRequest(ctx, i.client, url, bodyBytes, "impersonate")
if err != nil {
return nil, fmt.Errorf("impersonate: unable to generate ID token: %w", err)
}
if c := resp.StatusCode; c < 200 || c > 299 {
return nil, fmt.Errorf("impersonate: status code %d: %s", c, body)
return nil, err
}

var generateIDTokenResp generateIDTokenResponse
if err := json.Unmarshal(body, &generateIDTokenResp); err != nil {
return nil, fmt.Errorf("impersonate: unable to parse response: %w", err)
Expand Down
19 changes: 19 additions & 0 deletions auth/internal/internal.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
package internal

import (
"bytes"
"context"
"crypto/rsa"
"crypto/x509"
Expand Down Expand Up @@ -141,6 +142,24 @@ func GetProjectID(b []byte, override string) string {
return v.Project
}

// DoJSONRequest sends the provided JSON bytes with the client. It reads the response
// body, checks the status code for errors, and returns the body.
func DoJSONRequest(ctx context.Context, c *http.Client, url string, bodyBytes []byte, pkg string) ([]byte, error) {
req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(bodyBytes))
quartzmo marked this conversation as resolved.
Show resolved Hide resolved
if err != nil {
return nil, fmt.Errorf("%s: unable to create request: %w", pkg, err)
}
req.Header.Set("Content-Type", "application/json")
resp, body, err := DoRequest(c, req)
if err != nil {
return nil, fmt.Errorf("%s: request to %s failed: %w", pkg, url, err)
}
if c := resp.StatusCode; c < 200 || c > 299 {
return nil, fmt.Errorf("%s: status code %d: %s", pkg, c, body)
}
return body, nil
}

// DoRequest executes the provided req with the client. It reads the response
// body, closes it, and returns it.
func DoRequest(client *http.Client, req *http.Request) (*http.Response, []byte, error) {
Expand Down
Loading