forked from mystiq/dex
155 lines
4.8 KiB
Go
155 lines
4.8 KiB
Go
// Copyright 2015 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package google
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"os"
|
|
"path/filepath"
|
|
"runtime"
|
|
|
|
"golang.org/x/net/context"
|
|
"golang.org/x/oauth2"
|
|
"golang.org/x/oauth2/jwt"
|
|
"google.golang.org/cloud/compute/metadata"
|
|
)
|
|
|
|
// DefaultClient returns an HTTP Client that uses the
|
|
// DefaultTokenSource to obtain authentication credentials.
|
|
//
|
|
// This client should be used when developing services
|
|
// that run on Google App Engine or Google Compute Engine
|
|
// and use "Application Default Credentials."
|
|
//
|
|
// For more details, see:
|
|
// https://developers.google.com/accounts/docs/application-default-credentials
|
|
//
|
|
func DefaultClient(ctx context.Context, scope ...string) (*http.Client, error) {
|
|
ts, err := DefaultTokenSource(ctx, scope...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return oauth2.NewClient(ctx, ts), nil
|
|
}
|
|
|
|
// DefaultTokenSource is a token source that uses
|
|
// "Application Default Credentials".
|
|
//
|
|
// It looks for credentials in the following places,
|
|
// preferring the first location found:
|
|
//
|
|
// 1. A JSON file whose path is specified by the
|
|
// GOOGLE_APPLICATION_CREDENTIALS environment variable.
|
|
// 2. A JSON file in a location known to the gcloud command-line tool.
|
|
// On Windows, this is %APPDATA%/gcloud/application_default_credentials.json.
|
|
// On other systems, $HOME/.config/gcloud/application_default_credentials.json.
|
|
// 3. On Google App Engine it uses the appengine.AccessToken function.
|
|
// 4. On Google Compute Engine and Google App Engine Managed VMs, it fetches
|
|
// credentials from the metadata server.
|
|
// (In this final case any provided scopes are ignored.)
|
|
//
|
|
// For more details, see:
|
|
// https://developers.google.com/accounts/docs/application-default-credentials
|
|
//
|
|
func DefaultTokenSource(ctx context.Context, scope ...string) (oauth2.TokenSource, error) {
|
|
// First, try the environment variable.
|
|
const envVar = "GOOGLE_APPLICATION_CREDENTIALS"
|
|
if filename := os.Getenv(envVar); filename != "" {
|
|
ts, err := tokenSourceFromFile(ctx, filename, scope)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("google: error getting credentials using %v environment variable: %v", envVar, err)
|
|
}
|
|
return ts, nil
|
|
}
|
|
|
|
// Second, try a well-known file.
|
|
filename := wellKnownFile()
|
|
_, err := os.Stat(filename)
|
|
if err == nil {
|
|
ts, err2 := tokenSourceFromFile(ctx, filename, scope)
|
|
if err2 == nil {
|
|
return ts, nil
|
|
}
|
|
err = err2
|
|
} else if os.IsNotExist(err) {
|
|
err = nil // ignore this error
|
|
}
|
|
if err != nil {
|
|
return nil, fmt.Errorf("google: error getting credentials using well-known file (%v): %v", filename, err)
|
|
}
|
|
|
|
// Third, if we're on Google App Engine use those credentials.
|
|
if appengineTokenFunc != nil && !appengineVM {
|
|
return AppEngineTokenSource(ctx, scope...), nil
|
|
}
|
|
|
|
// Fourth, if we're on Google Compute Engine use the metadata server.
|
|
if metadata.OnGCE() {
|
|
return ComputeTokenSource(""), nil
|
|
}
|
|
|
|
// None are found; return helpful error.
|
|
const url = "https://developers.google.com/accounts/docs/application-default-credentials"
|
|
return nil, fmt.Errorf("google: could not find default credentials. See %v for more information.", url)
|
|
}
|
|
|
|
func wellKnownFile() string {
|
|
const f = "application_default_credentials.json"
|
|
if runtime.GOOS == "windows" {
|
|
return filepath.Join(os.Getenv("APPDATA"), "gcloud", f)
|
|
}
|
|
return filepath.Join(guessUnixHomeDir(), ".config", "gcloud", f)
|
|
}
|
|
|
|
func tokenSourceFromFile(ctx context.Context, filename string, scopes []string) (oauth2.TokenSource, error) {
|
|
b, err := ioutil.ReadFile(filename)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
var d struct {
|
|
// Common fields
|
|
Type string
|
|
ClientID string `json:"client_id"`
|
|
|
|
// User Credential fields
|
|
ClientSecret string `json:"client_secret"`
|
|
RefreshToken string `json:"refresh_token"`
|
|
|
|
// Service Account fields
|
|
ClientEmail string `json:"client_email"`
|
|
PrivateKeyID string `json:"private_key_id"`
|
|
PrivateKey string `json:"private_key"`
|
|
}
|
|
if err := json.Unmarshal(b, &d); err != nil {
|
|
return nil, err
|
|
}
|
|
switch d.Type {
|
|
case "authorized_user":
|
|
cfg := &oauth2.Config{
|
|
ClientID: d.ClientID,
|
|
ClientSecret: d.ClientSecret,
|
|
Scopes: append([]string{}, scopes...), // copy
|
|
Endpoint: Endpoint,
|
|
}
|
|
tok := &oauth2.Token{RefreshToken: d.RefreshToken}
|
|
return cfg.TokenSource(ctx, tok), nil
|
|
case "service_account":
|
|
cfg := &jwt.Config{
|
|
Email: d.ClientEmail,
|
|
PrivateKey: []byte(d.PrivateKey),
|
|
Scopes: append([]string{}, scopes...), // copy
|
|
TokenURL: JWTTokenURL,
|
|
}
|
|
return cfg.TokenSource(ctx), nil
|
|
case "":
|
|
return nil, errors.New("missing 'type' field in credentials")
|
|
default:
|
|
return nil, fmt.Errorf("unknown credential type: %q", d.Type)
|
|
}
|
|
}
|