1// Copyright 2024 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15package externalaccount
16
import (
	"context"
	"crypto/tls"
	"errors"
	"net/http"
	"time"

	"cloud.google.com/go/auth/internal/transport/cert"
)
25
// x509Provider is the subjectTokenProvider used for X.509 workload identity
// credentials. It carries no state: with X.509 credentials the third-party
// identity is asserted by the client certificate presented on the mTLS
// connection (see createX509Client) rather than by a subject token, so
// subjectToken always reports an empty string to the external account token
// provider.
type x509Provider struct{}
34
// providerType reports which credential-source flavour this provider
// implements; the value is the package-level x509ProviderType.
func (xp *x509Provider) providerType() string {
	kind := x509ProviderType
	return kind
}
38
// subjectToken implements subjectTokenProvider for x509 credentials. There is
// never a token to hand back: the workload's identity travels in the client
// certificate on the mTLS connection instead, so the result is always "" with
// a nil error. ctx is accepted only for interface conformance and is not used.
func (xp *x509Provider) subjectToken(ctx context.Context) (string, error) {
	// An empty string is the value the external account token provider
	// expects from this provider type (see the type comment).
	var token string
	return token, nil
}
42
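// createX509Client creates a new client that is configured with mTLS, using the
// certificate configuration specified in the credential source.
//
// The returned client uses a clone of http.DefaultTransport (so proxy
// settings, HTTP/2 and connection-pool defaults are retained) with a TLS
// config that presents the workload certificate on demand through
// GetClientCertificate. Server verification is left at the defaults — system
// roots and hostname checking — with the TLS 1.2 floor stated explicitly.
//
// It returns an error if the certificate configuration at
// certificateConfigLocation cannot be loaded, or if http.DefaultTransport has
// been replaced by a RoundTripper that is not an *http.Transport: there is
// then no transport whose TLS config can be set, and an error is preferable
// to the panic an unchecked type assertion would raise inside library code.
func createX509Client(certificateConfigLocation string) (*http.Client, error) {
	certProvider, err := cert.NewWorkloadX509CertProvider(certificateConfigLocation)
	if err != nil {
		return nil, err
	}

	// Clone rather than mutate: the default transport is process-wide shared
	// state and must not pick up this credential's client certificate. The
	// checked assertion keeps a swapped-out DefaultTransport (instrumentation
	// wrappers, test doubles) from panicking the caller.
	base, ok := http.DefaultTransport.(*http.Transport)
	if !ok {
		return nil, errors.New("externalaccount: http.DefaultTransport is not an *http.Transport; cannot configure mTLS for x509 credentials")
	}
	trans := base.Clone()

	trans.TLSClientConfig = &tls.Config{
		// Matches Go's own client default; stated explicitly so the floor does
		// not silently move with runtime or GODEBUG settings.
		MinVersion:           tls.VersionTLS12,
		GetClientCertificate: certProvider,
	}

	// Create a client with default settings plus the X509 workload cert and key.
	// The timeout bounds the whole exchange (connect, handshake, response) so a
	// stalled server cannot hang the caller indefinitely.
	client := &http.Client{
		Transport: trans,
		Timeout:   30 * time.Second,
	}

	return client, nil
}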