This repository has been archived by the owner on Apr 23, 2024. It is now read-only.
forked from simonswine/vault-plugin-auth-google
/
provider.go
98 lines (78 loc) · 2.6 KB
/
provider.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
package google
import (
"context"
"errors"
"fmt"
"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
admin "google.golang.org/api/admin/directory/v1"
goauth "google.golang.org/api/oauth2/v2"
)
type googleProvider struct {
}
// UserProvider does the authentication of user with oauth2
type UserProvider interface {
authUser(ctx context.Context, config *oauth2.Config, token *oauth2.Token) (*goauth.Userinfoplus, error)
oauth2Exchange(ctx context.Context, code string, config *oauth2.Config) (*oauth2.Token, error)
}
// GroupsProvider maps a user to its groups
type GroupsProvider interface {
groupsPerUser(ctx context.Context, config *config, userKey string) ([]*admin.Group, error)
}
var _ UserProvider = &googleProvider{}
var _ GroupsProvider = &googleProvider{}
func (p *googleProvider) oauth2Exchange(ctx context.Context, code string, config *oauth2.Config) (*oauth2.Token, error) {
return config.Exchange(ctx, code)
}
func (p *googleProvider) authUser(ctx context.Context, config *oauth2.Config, token *oauth2.Token) (*goauth.Userinfoplus, error) {
client := config.Client(ctx, token)
userService, err := goauth.New(client)
if err != nil {
return nil, err
}
user, err := goauth.NewUserinfoV2MeService(userService).Get().Do()
if err != nil {
return nil, err
}
return user, nil
}
func (p *googleProvider) directoryService(ctx context.Context, config *config) (*admin.Service, error) {
if config == nil {
return nil, errors.New("missing config")
}
// TODO: Handle unconfigured service account
jwtConfig, err := google.JWTConfigFromJSON([]byte(config.DirectoryServiceAccounyKey), admin.AdminDirectoryUserReadonlyScope, admin.AdminDirectoryGroupReadonlyScope)
if err != nil {
return nil, err
}
jwtConfig.Subject = config.DirectoryImpersonateUser
client := jwtConfig.Client(ctx)
srv, err := admin.New(client)
if err != nil {
return nil, fmt.Errorf("Unable to create directory service %v", err)
}
return srv, nil
}
func (p *googleProvider) groupsPerUser(ctx context.Context, config *config, userKey string) (groups []*admin.Group, err error) {
// skip groups check if service account is not configured
if len(config.DirectoryImpersonateUser) == 0 || len(config.DirectoryServiceAccounyKey) == 0 {
return []*admin.Group{}, nil
}
svc, err := p.directoryService(ctx, config)
if err != nil {
return []*admin.Group{}, err
}
query := svc.Groups.List().UserKey(userKey)
for {
resp, err := query.Do()
if err != nil {
return []*admin.Group{}, err
}
groups = append(groups, resp.Groups...)
if resp.NextPageToken == "" {
break
}
query.PageToken(resp.NextPageToken)
}
return groups, nil
}