auth/credentials/idtoken/compute.go - gocloud - Git at Google

 // Copyright 2023 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package idtoken

 import (
 	"context"
 	"fmt"
 	"net/url"
 	"time"

 	"cloud.google.com/go/auth"
 	"cloud.google.com/go/auth/internal"
 	"cloud.google.com/go/compute/metadata"
 )

 const identitySuffix = "instance/service-accounts/default/identity"

 // computeCredentials checks if this code is being run on GCE. If it is, it
 // will use the metadata service to build a Credentials that fetches ID
 // tokens.
 func computeCredentials(opts *Options) (*auth.Credentials, error) {
 	if opts.CustomClaims != nil {
 		return nil, fmt.Errorf("idtoken: Options.CustomClaims can't be used with the metadata service, please provide a service account if you would like to use this feature")
 	}
 	tp := computeIDTokenProvider{
 		audience: opts.Audience,
 		format:   opts.ComputeTokenFormat,
 		client:   *metadata.NewClient(opts.client()),
 	}
 	return auth.NewCredentials(&auth.CredentialsOptions{
 		TokenProvider: auth.NewCachedTokenProvider(tp, &auth.CachedTokenProviderOptions{
 			ExpireEarly: 5 * time.Minute,
 		}),
 		ProjectIDProvider: auth.CredentialsPropertyFunc(func(context.Context) (string, error) {
 			return metadata.ProjectID()
 		}),
 		UniverseDomainProvider: &internal.ComputeUniverseDomainProvider{},
 	}), nil
 }

 type computeIDTokenProvider struct {
 	audience string
 	format   ComputeTokenFormat
 	client   metadata.Client
 }

 func (c computeIDTokenProvider) Token(ctx context.Context) (*auth.Token, error) {
 	v := url.Values{}
 	v.Set("audience", c.audience)
 	if c.format != ComputeTokenFormatStandard {
 		v.Set("format", "full")
 	}
 	if c.format == ComputeTokenFormatFullWithLicense {
 		v.Set("licenses", "TRUE")
 	}
 	urlSuffix := identitySuffix + "?" + v.Encode()
 	res, err := c.client.Get(urlSuffix)
 	if err != nil {
 		return nil, err
 	}
 	if res == "" {
 		return nil, fmt.Errorf("idtoken: invalid empty response from metadata service")
 	}
 	return &auth.Token{
 		Value: res,
 		Type:  internal.TokenTypeBearer,
 		// Compute tokens are valid for one hour:
 		// https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#create-id
 		Expiry: time.Now().Add(1 * time.Hour),
 	}, nil
 }
	// Copyright 2023 Google LLC
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package idtoken

	import (
	"context"
	"fmt"
	"net/url"
	"time"

	"cloud.google.com/go/auth"
	"cloud.google.com/go/auth/internal"
	"cloud.google.com/go/compute/metadata"
	)

	const identitySuffix = "instance/service-accounts/default/identity"

	// computeCredentials checks if this code is being run on GCE. If it is, it
	// will use the metadata service to build a Credentials that fetches ID
	// tokens.
	func computeCredentials(opts Options) (auth.Credentials, error) {
	if opts.CustomClaims != nil {
	return nil, fmt.Errorf("idtoken: Options.CustomClaims can't be used with the metadata service, please provide a service account if you would like to use this feature")
	}
	tp := computeIDTokenProvider{
	audience: opts.Audience,
	format: opts.ComputeTokenFormat,
	client: *metadata.NewClient(opts.client()),
	}
	return auth.NewCredentials(&auth.CredentialsOptions{
	TokenProvider: auth.NewCachedTokenProvider(tp, &auth.CachedTokenProviderOptions{
	ExpireEarly: 5 * time.Minute,
	}),
	ProjectIDProvider: auth.CredentialsPropertyFunc(func(context.Context) (string, error) {
	return metadata.ProjectID()
	}),
	UniverseDomainProvider: &internal.ComputeUniverseDomainProvider{},
	}), nil
	}

	type computeIDTokenProvider struct {
	audience string
	format ComputeTokenFormat
	client metadata.Client
	}

	func (c computeIDTokenProvider) Token(ctx context.Context) (*auth.Token, error) {
	v := url.Values{}
	v.Set("audience", c.audience)
	if c.format != ComputeTokenFormatStandard {
	v.Set("format", "full")
	}
	if c.format == ComputeTokenFormatFullWithLicense {
	v.Set("licenses", "TRUE")
	}
	urlSuffix := identitySuffix + "?" + v.Encode()
	res, err := c.client.Get(urlSuffix)
	if err != nil {
	return nil, err
	}
	if res == "" {
	return nil, fmt.Errorf("idtoken: invalid empty response from metadata service")
	}
	return &auth.Token{
	Value: res,
	Type: internal.TokenTypeBearer,
	// Compute tokens are valid for one hour:
	// https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#create-id
	Expiry: time.Now().Add(1 * time.Hour),
	}, nil
	}