dex/vendor/google.golang.org/api/internal/creds.go

// Copyright 2017 Google LLC.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package internal

import (
	"context"
	"encoding/json"
	"fmt"
	"io/ioutil"

	"golang.org/x/oauth2"

	"golang.org/x/oauth2/google"
)

// Creds returns credential information obtained from DialSettings, or if none, then
// it returns default credential information.
func Creds(ctx context.Context, ds *DialSettings) (*google.Credentials, error) {
	if ds.Credentials != nil {
		return ds.Credentials, nil
	}
	if ds.CredentialsJSON != nil {
		return credentialsFromJSON(ctx, ds.CredentialsJSON, ds.Endpoint, ds.Scopes, ds.Audiences)
	}
	if ds.CredentialsFile != "" {
		data, err := ioutil.ReadFile(ds.CredentialsFile)
		if err != nil {
			return nil, fmt.Errorf("cannot read credentials file: %v", err)
		}
		return credentialsFromJSON(ctx, data, ds.Endpoint, ds.Scopes, ds.Audiences)
	}
	if ds.TokenSource != nil {
		return &google.Credentials{TokenSource: ds.TokenSource}, nil
	}
	cred, err := google.FindDefaultCredentials(ctx, ds.Scopes...)
	if err != nil {
		return nil, err
	}
	if len(cred.JSON) > 0 {
		return credentialsFromJSON(ctx, cred.JSON, ds.Endpoint, ds.Scopes, ds.Audiences)
	}
	// For GAE and GCE, the JSON is empty so return the default credentials directly.
	return cred, nil
}

// JSON key file type.
const (
	serviceAccountKey = "service_account"
)

// credentialsFromJSON returns a google.Credentials based on the input.
//
// - If the JSON is a service account and no scopes provided, returns self-signed JWT auth flow
// - Otherwise, returns OAuth 2.0 flow.
func credentialsFromJSON(ctx context.Context, data []byte, endpoint string, scopes []string, audiences []string) (*google.Credentials, error) {
	cred, err := google.CredentialsFromJSON(ctx, data, scopes...)
	if err != nil {
		return nil, err
	}
	if len(data) > 0 && len(scopes) == 0 {
		var f struct {
			Type string `json:"type"`
			// The rest JSON fields are omitted because they are not used.
		}
		if err := json.Unmarshal(cred.JSON, &f); err != nil {
			return nil, err
		}
		if f.Type == serviceAccountKey {
			ts, err := selfSignedJWTTokenSource(data, endpoint, audiences)
			if err != nil {
				return nil, err
			}
			cred.TokenSource = ts
		}
	}
	return cred, err
}

func selfSignedJWTTokenSource(data []byte, endpoint string, audiences []string) (oauth2.TokenSource, error) {
	// Use the API endpoint as the default audience
	audience := endpoint
	if len(audiences) > 0 {
		// TODO(shinfan): Update golang oauth to support multiple audiences.
		if len(audiences) > 1 {
			return nil, fmt.Errorf("multiple audiences support is not implemented")
		}
		audience = audiences[0]
	}
	return google.JWTAccessTokenSourceFromJSON(data, audience)
}
Vendor dependencies 2020-01-31 15:02:00 +05:30			`// Copyright 2017 Google LLC.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`
vendor: make revendor 2018-02-07 03:57:49 +05:30
			`package internal`

			`import (`
			`"context"`
			`"encoding/json"`
			`"fmt"`
			`"io/ioutil"`

			`"golang.org/x/oauth2"`

			`"golang.org/x/oauth2/google"`
			`)`

			`// Creds returns credential information obtained from DialSettings, or if none, then`
			`// it returns default credential information.`
			`func Creds(ctx context.Context, ds DialSettings) (google.Credentials, error) {`
			`if ds.Credentials != nil {`
			`return ds.Credentials, nil`
			`}`
			`if ds.CredentialsJSON != nil {`
			`return credentialsFromJSON(ctx, ds.CredentialsJSON, ds.Endpoint, ds.Scopes, ds.Audiences)`
			`}`
			`if ds.CredentialsFile != "" {`
			`data, err := ioutil.ReadFile(ds.CredentialsFile)`
			`if err != nil {`
			`return nil, fmt.Errorf("cannot read credentials file: %v", err)`
			`}`
			`return credentialsFromJSON(ctx, data, ds.Endpoint, ds.Scopes, ds.Audiences)`
			`}`
			`if ds.TokenSource != nil {`
			`return &google.Credentials{TokenSource: ds.TokenSource}, nil`
			`}`
			`cred, err := google.FindDefaultCredentials(ctx, ds.Scopes...)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if len(cred.JSON) > 0 {`
			`return credentialsFromJSON(ctx, cred.JSON, ds.Endpoint, ds.Scopes, ds.Audiences)`
			`}`
			`// For GAE and GCE, the JSON is empty so return the default credentials directly.`
			`return cred, nil`
			`}`

			`// JSON key file type.`
			`const (`
			`serviceAccountKey = "service_account"`
			`)`

			`// credentialsFromJSON returns a google.Credentials based on the input.`
			`//`
			`// - If the JSON is a service account and no scopes provided, returns self-signed JWT auth flow`
			`// - Otherwise, returns OAuth 2.0 flow.`
			`func credentialsFromJSON(ctx context.Context, data []byte, endpoint string, scopes []string, audiences []string) (*google.Credentials, error) {`
			`cred, err := google.CredentialsFromJSON(ctx, data, scopes...)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if len(data) > 0 && len(scopes) == 0 {`
			`var f struct {`
			Type string `json:"type"`
			`// The rest JSON fields are omitted because they are not used.`
			`}`
			`if err := json.Unmarshal(cred.JSON, &f); err != nil {`
			`return nil, err`
			`}`
			`if f.Type == serviceAccountKey {`
			`ts, err := selfSignedJWTTokenSource(data, endpoint, audiences)`
			`if err != nil {`
			`return nil, err`
			`}`
			`cred.TokenSource = ts`
			`}`
			`}`
			`return cred, err`
			`}`

			`func selfSignedJWTTokenSource(data []byte, endpoint string, audiences []string) (oauth2.TokenSource, error) {`
			`// Use the API endpoint as the default audience`
			`audience := endpoint`
			`if len(audiences) > 0 {`
			`// TODO(shinfan): Update golang oauth to support multiple audiences.`
			`if len(audiences) > 1 {`
			`return nil, fmt.Errorf("multiple audiences support is not implemented")`
			`}`
			`audience = audiences[0]`
			`}`
			`return google.JWTAccessTokenSourceFromJSON(data, audience)`
			`}`