feat(auth): port external account changes (#8697)

- golang/oauth2@18352fc - golang/oauth2@43b6a7b
googleapis · Oct 18, 2023 · 5823db5 · 5823db5
1 parent 74b1547
commit 5823db5
Show file tree

Hide file tree

Showing 25 changed files with 771 additions and 87 deletions.
diff --git a/auth/detect/detect_test.go b/auth/detect/detect_test.go
@@ -538,6 +538,64 @@ func TestDefaultCredentials_ExternalAccountKey(t *testing.T) {
 		t.Fatalf("got %q, want %q", tok.Type, want)
 	}
 }
+func TestDefaultCredentials_ExternalAccountAuthorizedUserKey(t *testing.T) {
+	b, err := os.ReadFile("../internal/testdata/exaccount_user.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+	f, err := internaldetect.ParseExternalAccountAuthorizedUser(b)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		defer r.Body.Close()
+		if got, want := r.URL.Path, "/sts"; got != want {
+			t.Errorf("got %q, want %q", got, want)
+		}
+		r.ParseForm()
+		if got, want := r.Form.Get("refresh_token"), "refreshing"; got != want {
+			t.Errorf("got %q, want %q", got, want)
+		}
+		if got, want := r.Form.Get("grant_type"), "refresh_token"; got != want {
+			t.Errorf("got %q, want %q", got, want)
+		}
+
+		resp := &struct {
+			AccessToken string `json:"access_token"`
+			ExpiresIn   int    `json:"expires_in"`
+		}{
+			AccessToken: "a_fake_token",
+			ExpiresIn:   60,
+		}
+		if err := json.NewEncoder(w).Encode(&resp); err != nil {
+			t.Error(err)
+		}
+	}))
+	f.TokenURL = ts.URL + "/sts"
+	b, err = json.Marshal(f)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	creds, err := DefaultCredentials(&Options{
+		CredentialsJSON:  b,
+		Scopes:           []string{"https://www.googleapis.com/auth/cloud-platform"},
+		UseSelfSignedJWT: true,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	tok, err := creds.Token(context.Background())
+	if err != nil {
+		t.Fatalf("creds.Token() = %v", err)
+	}
+	if want := "a_fake_token"; tok.Value != want {
+		t.Fatalf("got %q, want %q", tok.Value, want)
+	}
+	if want := internal.TokenTypeBearer; tok.Type != want {
+		t.Fatalf("got %q, want %q", tok.Type, want)
+	}
+}
 
 func TestDefaultCredentials_Fails(t *testing.T) {
 	t.Setenv("GOOGLE_APPLICATION_CREDENTIALS", "nothingToSeeHere")

diff --git a/auth/detect/doc.go b/auth/detect/doc.go
@@ -64,6 +64,8 @@
 // executable-sourced credentials), please check out:
 // https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials#generate_a_configuration_file_for_non-interactive_sign-in
 //
+// # Security considerations
+//
 // Note that this library does not perform any validation on the token_url,
 // token_info_url, or service_account_impersonation_url fields of the credential
 // configuration. It is not recommended to use a credential configuration that

diff --git a/auth/detect/filetypes.go b/auth/detect/filetypes.go
@@ -20,6 +20,7 @@ import (
 
 	"cloud.google.com/go/auth"
 	"cloud.google.com/go/auth/detect/internal/externalaccount"
+	"cloud.google.com/go/auth/detect/internal/externalaccountuser"
 	"cloud.google.com/go/auth/detect/internal/gdch"
 	"cloud.google.com/go/auth/detect/internal/impersonate"
 	"cloud.google.com/go/auth/internal/internaldetect"
@@ -66,6 +67,16 @@ func fileCredentials(b []byte, opts *Options) (*Credentials, error) {
 		}
 		quotaProjectID = f.QuotaProjectID
 		universeDomain = f.UniverseDomain
+	case internaldetect.ExternalAccountAuthorizedUserKey:
+		f, err := internaldetect.ParseExternalAccountAuthorizedUser(b)
+		if err != nil {
+			return nil, err
+		}
+		tp, err = handleExternalAccountAuthorizedUser(f, opts)
+		if err != nil {
+			return nil, err
+		}
+		quotaProjectID = f.QuotaProjectID
 	case internaldetect.ImpersonatedServiceAccountKey:
 		f, err := internaldetect.ParseImpersonatedServiceAccount(b)
 		if err != nil {
@@ -145,6 +156,20 @@ func handleExternalAccount(f *internaldetect.ExternalAccountFile, opts *Options)
 	return externalaccount.NewTokenProvider(externalOpts)
 }
 
+func handleExternalAccountAuthorizedUser(f *internaldetect.ExternalAccountAuthorizedUserFile, opts *Options) (auth.TokenProvider, error) {
+	externalOpts := &externalaccountuser.Options{
+		Audience:     f.Audience,
+		RefreshToken: f.RefreshToken,
+		TokenURL:     f.TokenURL,
+		TokenInfoURL: f.TokenInfoURL,
+		ClientID:     f.ClientID,
+		ClientSecret: f.ClientSecret,
+		Scopes:       opts.scopes(),
+		Client:       opts.client(),
+	}
+	return externalaccountuser.NewTokenProvider(externalOpts)
+}
+
 func handleImpersonatedServiceAccount(f *internaldetect.ImpersonatedServiceAccountFile, opts *Options) (auth.TokenProvider, error) {
 	if f.ServiceAccountImpersonationURL == "" || f.CredSource == nil {
 		return nil, errors.New("missing 'source_credentials' field or 'service_account_impersonation_url' in credentials")

diff --git a/auth/detect/internal/externalaccount/aws_provider.go b/auth/detect/internal/externalaccount/aws_provider.go
@@ -69,6 +69,7 @@ const (
 
 	awsTimeFormatLong  = "20060102T150405Z"
 	awsTimeFormatShort = "20060102"
+	awsProviderType    = "aws"
 )
 
 type awsSubjectProvider struct {
@@ -168,6 +169,10 @@ func (sp *awsSubjectProvider) subjectToken(ctx context.Context) (string, error)
 	return url.QueryEscape(string(result)), nil
 }
 
+func (sp *awsSubjectProvider) providerType() string {
+	return awsProviderType
+}
+
 func (cs *awsSubjectProvider) getAWSSessionToken(ctx context.Context) (string, error) {
 	if cs.IMDSv2SessionTokenURL == "" {
 		return "", nil

diff --git a/auth/detect/internal/externalaccount/aws_provider_test.go b/auth/detect/internal/externalaccount/aws_provider_test.go
@@ -574,6 +574,10 @@ func TestAWSCredential_BasicRequest(t *testing.T) {
 		t.Fatalf("retrieveSubjectToken() failed: %v", err)
 	}
 
+	if got, want := base.providerType(), awsProviderType; got != want {
+		t.Fatalf("got %q, want %q", got, want)
+	}
+
 	want := getExpectedSubjectToken(
 		"https://sts.us-east-2.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
 		"us-east-2",

diff --git a/auth/detect/internal/externalaccount/executable_provider.go b/auth/detect/internal/externalaccount/executable_provider.go
@@ -34,6 +34,7 @@ const (
 	executableSupportedMaxVersion = 1
 	executableDefaultTimeout      = 30 * time.Second
 	executableSource              = "response"
+	executableProviderType        = "executable"
 	outputFileSource              = "output file"
 
 	allowExecutablesEnvVar = "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES"
@@ -175,6 +176,10 @@ func (cs *executableSubjectProvider) subjectToken(ctx context.Context) (string,
 	return cs.getTokenFromExecutableCommand(ctx)
 }
 
+func (cs *executableSubjectProvider) providerType() string {
+	return executableProviderType
+}
+
 func (cs *executableSubjectProvider) getTokenFromOutputFile() (token string, err error) {
 	if cs.OutputFile == "" {
 		// This ExecutableCredentialSource doesn't use an OutputFile.

diff --git a/auth/detect/internal/externalaccount/executable_provider_test.go b/auth/detect/internal/externalaccount/executable_provider_test.go
@@ -445,6 +445,9 @@ func TestRetrieveExecutableSubjectTokenExecutableErrors(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			ecs.env = &tt.testEnvironment
 
+			if got, want := ecs.providerType(), executableProviderType; got != want {
+				t.Fatalf("got %q, want %q", got, want)
+			}
 			if _, err = ecs.subjectToken(context.Background()); err == nil {
 				t.Fatalf("got nil, want an error")
 			} else if tt.skipErrorEquals {

diff --git a/auth/detect/internal/externalaccount/externalaccount.go b/auth/detect/internal/externalaccount/externalaccount.go
@@ -25,13 +25,11 @@ import (
 
 	"cloud.google.com/go/auth"
 	"cloud.google.com/go/auth/detect/internal/impersonate"
+	"cloud.google.com/go/auth/detect/internal/stsexchange"
 	"cloud.google.com/go/auth/internal/internaldetect"
 )
 
 const (
-	stsGrantType = "urn:ietf:params:oauth:grant-type:token-exchange"
-	stsTokenType = "urn:ietf:params:oauth:token-type:access_token"
-
 	timeoutMinimum = 5 * time.Second
 	timeoutMaximum = 120 * time.Second
 )
@@ -127,6 +125,7 @@ func NewTokenProvider(opts *Options) (auth.TokenProvider, error) {
 
 type subjectTokenProvider interface {
 	subjectToken(ctx context.Context) (string, error)
+	providerType() string
 }
 
 // tokenProvider is the provider that handles external credentials. It is used to retrieve Tokens.
@@ -142,17 +141,18 @@ func (tp *tokenProvider) Token(ctx context.Context) (*auth.Token, error) {
 		return nil, err
 	}
 
-	stsRequest := &stsTokenExchangeRequest{
-		GrantType:          stsGrantType,
+	stsRequest := &stsexchange.TokenRequest{
+		GrantType:          stsexchange.GrantType,
 		Audience:           tp.opts.Audience,
 		Scope:              tp.opts.Scopes,
-		RequestedTokenType: stsTokenType,
+		RequestedTokenType: stsexchange.TokenType,
 		SubjectToken:       subjectToken,
 		SubjectTokenType:   tp.opts.SubjectTokenType,
 	}
 	header := make(http.Header)
 	header.Set("Content-Type", "application/x-www-form-urlencoded")
-	clientAuth := clientAuthentication{
+	header.Add("x-goog-api-client", getGoogHeaderValue(tp.opts, tp.stp))
+	clientAuth := stsexchange.ClientAuthentication{
 		AuthStyle:    auth.StyleInHeader,
 		ClientID:     tp.opts.ClientID,
 		ClientSecret: tp.opts.ClientSecret,
@@ -165,13 +165,13 @@ func (tp *tokenProvider) Token(ctx context.Context) (*auth.Token, error) {
 			"userProject": tp.opts.WorkforcePoolUserProject,
 		}
 	}
-	stsResp, err := exchangeToken(ctx, &exchangeOptions{
-		client:         tp.client,
-		endpoint:       tp.opts.TokenURL,
-		request:        stsRequest,
-		authentication: clientAuth,
-		headers:        header,
-		extraOpts:      options,
+	stsResp, err := stsexchange.ExchangeToken(ctx, &stsexchange.Options{
+		Client:         tp.client,
+		Endpoint:       tp.opts.TokenURL,
+		Request:        stsRequest,
+		Authentication: clientAuth,
+		Headers:        header,
+		ExtraOpts:      options,
 	})
 	if err != nil {
 		return nil, err
@@ -240,3 +240,12 @@ func newSubjectTokenProvider(o *Options) (subjectTokenProvider, error) {
 	}
 	return nil, errors.New("detect: unable to parse credential source")
 }
+
+func getGoogHeaderValue(conf *Options, p subjectTokenProvider) string {
+	return fmt.Sprintf("gl-go/%s auth/%s google-byoid-sdk source/%s sa-impersonation/%t config-lifetime/%t",
+		goVersion(),
+		"unknown",
+		p.providerType(),
+		conf.ServiceAccountImpersonationURL != "",
+		conf.ServiceAccountImpersonationLifetimeSeconds != 0)
+}
diff --git a/auth/detect/internal/externalaccount/externalaccount_test.go b/auth/detect/internal/externalaccount/externalaccount_test.go
@@ -16,6 +16,7 @@ package externalaccount
 
 import (
 	"context"
+	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -72,6 +73,7 @@ func TestToken(t *testing.T) {
 		contentType:   "application/x-www-form-urlencoded",
 		body:          baseCredsRequestBody,
 		response:      baseCredsResponseBody,
+		metricsHeader: expectedMetricsHeader("file", false, false),
 	}
 
 	tok, err := run(t, opts, server)
@@ -98,6 +100,7 @@ func TestWorkforcePoolTokenWithClientID(t *testing.T) {
 		contentType:   "application/x-www-form-urlencoded",
 		body:          workforcePoolRequestBodyWithClientID,
 		response:      baseCredsResponseBody,
+		metricsHeader: expectedMetricsHeader("file", false, false),
 	}
 
 	tok, err := run(t, &opts, &server)
@@ -123,6 +126,7 @@ func TestWorkforcePoolTokenWithoutClientID(t *testing.T) {
 		contentType:   "application/x-www-form-urlencoded",
 		body:          workforcePoolRequestBodyWithoutClientID,
 		response:      baseCredsResponseBody,
+		metricsHeader: expectedMetricsHeader("file", false, false),
 	}
 
 	tok, err := run(t, &opts, &server)
@@ -196,6 +200,7 @@ type testExchangeTokenServer struct {
 	contentType   string
 	body          string
 	response      string
+	metricsHeader string
 }
 
 func run(t *testing.T, opts *Options, tets *testExchangeTokenServer) (*auth.Token, error) {
@@ -211,6 +216,10 @@ func run(t *testing.T, opts *Options, tets *testExchangeTokenServer) (*auth.Toke
 		if got, want := headerContentType, tets.contentType; got != want {
 			t.Errorf("got %v, want %v", got, want)
 		}
+		headerMetrics := r.Header.Get("x-goog-api-client")
+		if got, want := headerMetrics, tets.metricsHeader; got != want {
+			t.Errorf("got %v but want %v", got, want)
+		}
 		body, err := io.ReadAll(r.Body)
 		if err != nil {
 			t.Fatalf("Failed reading request body: %s.", err)
@@ -266,3 +275,7 @@ func cloneTestOpts() *Options {
 		Client:                         internal.CloneDefaultClient(),
 	}
 }
+
+func expectedMetricsHeader(source string, saImpersonation bool, configLifetime bool) string {
+	return fmt.Sprintf("gl-go/%s auth/unknown google-byoid-sdk source/%s sa-impersonation/%t config-lifetime/%t", goVersion(), source, saImpersonation, configLifetime)
+}
diff --git a/auth/detect/internal/externalaccount/file_provider.go b/auth/detect/internal/externalaccount/file_provider.go
@@ -26,6 +26,10 @@ import (
 	"cloud.google.com/go/auth/internal/internaldetect"
 )
 
+const (
+	fileProviderType = "file"
+)
+
 type fileSubjectProvider struct {
 	File   string
 	Format internaldetect.Format
@@ -64,3 +68,7 @@ func (sp *fileSubjectProvider) subjectToken(context.Context) (string, error) {
 		return "", errors.New("detect: invalid credential_source file format type: " + sp.Format.Type)
 	}
 }
+
+func (sp *fileSubjectProvider) providerType() string {
+	return fileProviderType
+}
diff --git a/auth/detect/internal/externalaccount/file_provider_test.go b/auth/detect/internal/externalaccount/file_provider_test.go
@@ -67,7 +67,9 @@ func TestRetrieveFileSubjectToken(t *testing.T) {
 			} else if test.want != out {
 				t.Errorf("got %v, want %v", out, test.want)
 			}
-
+			if got, want := base.providerType(), fileProviderType; got != want {
+				t.Fatalf("got %q, want %q", got, want)
+			}
 		})
 	}
 }
diff --git a/auth/detect/internal/externalaccount/impersonate_test.go b/auth/detect/internal/externalaccount/impersonate_test.go
@@ -31,9 +31,10 @@ var (
 
 func TestImpersonation(t *testing.T) {
 	var impersonationTests = []struct {
-		name     string
-		opts     *Options
-		wantBody string
+		name          string
+		opts          *Options
+		wantBody      string
+		metricsHeader string
 	}{
 		{
 			name: "Base Impersonation",
@@ -46,7 +47,8 @@ func TestImpersonation(t *testing.T) {
 				CredentialSource: testBaseCredSource,
 				Scopes:           []string{"https://www.googleapis.com/auth/devstorage.full_control"},
 			},
-			wantBody: "{\"lifetime\":\"3600s\",\"scope\":[\"https://www.googleapis.com/auth/devstorage.full_control\"]}",
+			wantBody:      "{\"lifetime\":\"3600s\",\"scope\":[\"https://www.googleapis.com/auth/devstorage.full_control\"]}",
+			metricsHeader: expectedMetricsHeader("file", true, false),
 		},
 		{
 			name: "With TokenLifetime Set",
@@ -60,7 +62,8 @@ func TestImpersonation(t *testing.T) {
 				Scopes:           []string{"https://www.googleapis.com/auth/devstorage.full_control"},
 				ServiceAccountImpersonationLifetimeSeconds: 10000,
 			},
-			wantBody: "{\"lifetime\":\"10000s\",\"scope\":[\"https://www.googleapis.com/auth/devstorage.full_control\"]}",
+			wantBody:      "{\"lifetime\":\"10000s\",\"scope\":[\"https://www.googleapis.com/auth/devstorage.full_control\"]}",
+			metricsHeader: expectedMetricsHeader("file", true, false),
 		},
 	}
 	for _, tt := range impersonationTests {