auth/credentials/compute.go - gocloud - Git at Google

 // Copyright 2023 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package credentials

 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/url"
 	"strings"
 	"time"

 	"cloud.google.com/go/auth"
 	"cloud.google.com/go/compute/metadata"
 )

 var (
 	computeTokenMetadata = map[string]interface{}{
 		"auth.google.tokenSource":    "compute-metadata",
 		"auth.google.serviceAccount": "default",
 	}
 	computeTokenURI = "instance/service-accounts/default/token"
 )

 // computeTokenProvider creates a [cloud.google.com/go/auth.TokenProvider] that
 // uses the metadata service to retrieve tokens.
 func computeTokenProvider(earlyExpiry time.Duration, scope ...string) auth.TokenProvider {
 	return auth.NewCachedTokenProvider(computeProvider{scopes: scope}, &auth.CachedTokenProviderOptions{
 		ExpireEarly: earlyExpiry,
 	})
 }

 // computeProvider fetches tokens from the google cloud metadata service.
 type computeProvider struct {
 	scopes []string
 }

 type metadataTokenResp struct {
 	AccessToken  string `json:"access_token"`
 	ExpiresInSec int    `json:"expires_in"`
 	TokenType    string `json:"token_type"`
 }

 func (cs computeProvider) Token(ctx context.Context) (*auth.Token, error) {
 	tokenURI, err := url.Parse(computeTokenURI)
 	if err != nil {
 		return nil, err
 	}
 	if len(cs.scopes) > 0 {
 		v := url.Values{}
 		v.Set("scopes", strings.Join(cs.scopes, ","))
 		tokenURI.RawQuery = v.Encode()
 	}
 	tokenJSON, err := metadata.Get(tokenURI.String())
 	if err != nil {
 		return nil, err
 	}
 	var res metadataTokenResp
 	if err := json.NewDecoder(strings.NewReader(tokenJSON)).Decode(&res); err != nil {
 		return nil, fmt.Errorf("credentials: invalid token JSON from metadata: %w", err)
 	}
 	if res.ExpiresInSec == 0 || res.AccessToken == "" {
 		return nil, errors.New("credentials: incomplete token received from metadata")
 	}
 	return &auth.Token{
 		Value:    res.AccessToken,
 		Type:     res.TokenType,
 		Expiry:   time.Now().Add(time.Duration(res.ExpiresInSec) * time.Second),
 		Metadata: computeTokenMetadata,
 	}, nil

 }
	// Copyright 2023 Google LLC
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package credentials

	import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"

	"cloud.google.com/go/auth"
	"cloud.google.com/go/compute/metadata"
	)

	var (
	computeTokenMetadata = map[string]interface{}{
	"auth.google.tokenSource": "compute-metadata",
	"auth.google.serviceAccount": "default",
	}
	computeTokenURI = "instance/service-accounts/default/token"
	)

	// computeTokenProvider creates a [cloud.google.com/go/auth.TokenProvider] that
	// uses the metadata service to retrieve tokens.
	func computeTokenProvider(earlyExpiry time.Duration, scope ...string) auth.TokenProvider {
	return auth.NewCachedTokenProvider(computeProvider{scopes: scope}, &auth.CachedTokenProviderOptions{
	ExpireEarly: earlyExpiry,
	})
	}

	// computeProvider fetches tokens from the google cloud metadata service.
	type computeProvider struct {
	scopes []string
	}

	type metadataTokenResp struct {
	AccessToken string `json:"access_token"`
	ExpiresInSec int `json:"expires_in"`
	TokenType string `json:"token_type"`
	}

	func (cs computeProvider) Token(ctx context.Context) (*auth.Token, error) {
	tokenURI, err := url.Parse(computeTokenURI)
	if err != nil {
	return nil, err
	}
	if len(cs.scopes) > 0 {
	v := url.Values{}
	v.Set("scopes", strings.Join(cs.scopes, ","))
	tokenURI.RawQuery = v.Encode()
	}
	tokenJSON, err := metadata.Get(tokenURI.String())
	if err != nil {
	return nil, err
	}
	var res metadataTokenResp
	if err := json.NewDecoder(strings.NewReader(tokenJSON)).Decode(&res); err != nil {
	return nil, fmt.Errorf("credentials: invalid token JSON from metadata: %w", err)
	}
	if res.ExpiresInSec == 0 \|\| res.AccessToken == "" {
	return nil, errors.New("credentials: incomplete token received from metadata")
	}
	return &auth.Token{
	Value: res.AccessToken,
	Type: res.TokenType,
	Expiry: time.Now().Add(time.Duration(res.ExpiresInSec) * time.Second),
	Metadata: computeTokenMetadata,
	}, nil

	}