1// Copyright 2023 Google LLC
  2//
  3// Licensed under the Apache License, Version 2.0 (the "License");
  4// you may not use this file except in compliance with the License.
  5// You may obtain a copy of the License at
  6//
  7//      http://www.apache.org/licenses/LICENSE-2.0
  8//
  9// Unless required by applicable law or agreed to in writing, software
 10// distributed under the License is distributed on an "AS IS" BASIS,
 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12// See the License for the specific language governing permissions and
 13// limitations under the License.
 14
 15package impersonate
 16
 17import (
 18	"bytes"
 19	"context"
 20	"encoding/json"
 21	"errors"
 22	"fmt"
 23	"log/slog"
 24	"net/http"
 25	"time"
 26
 27	"cloud.google.com/go/auth"
 28	"cloud.google.com/go/auth/internal"
 29	"github.com/googleapis/gax-go/v2/internallog"
 30)
 31
 32const (
 33	defaultTokenLifetime = "3600s"
 34	authHeaderKey        = "Authorization"
 35)
 36
 37// generateAccesstokenReq is used for service account impersonation
 38type generateAccessTokenReq struct {
 39	Delegates []string `json:"delegates,omitempty"`
 40	Lifetime  string   `json:"lifetime,omitempty"`
 41	Scope     []string `json:"scope,omitempty"`
 42}
 43
 44type impersonateTokenResponse struct {
 45	AccessToken string `json:"accessToken"`
 46	ExpireTime  string `json:"expireTime"`
 47}
 48
 49// NewTokenProvider uses a source credential, stored in Ts, to request an access token to the provided URL.
 50// Scopes can be defined when the access token is requested.
 51func NewTokenProvider(opts *Options) (auth.TokenProvider, error) {
 52	if err := opts.validate(); err != nil {
 53		return nil, err
 54	}
 55	return opts, nil
 56}
 57
 58// Options for [NewTokenProvider].
 59type Options struct {
 60	// Tp is the source credential used to generate a token on the
 61	// impersonated service account. Required.
 62	Tp auth.TokenProvider
 63
 64	// URL is the endpoint to call to generate a token
 65	// on behalf of the service account. Required.
 66	URL string
 67	// Scopes that the impersonated credential should have. Required.
 68	Scopes []string
 69	// Delegates are the service account email addresses in a delegation chain.
 70	// Each service account must be granted roles/iam.serviceAccountTokenCreator
 71	// on the next service account in the chain. Optional.
 72	Delegates []string
 73	// TokenLifetimeSeconds is the number of seconds the impersonation token will
 74	// be valid for. Defaults to 1 hour if unset. Optional.
 75	TokenLifetimeSeconds int
 76	// Client configures the underlying client used to make network requests
 77	// when fetching tokens. Required.
 78	Client *http.Client
 79	// Logger is used for debug logging. If provided, logging will be enabled
 80	// at the loggers configured level. By default logging is disabled unless
 81	// enabled by setting GOOGLE_SDK_GO_LOGGING_LEVEL in which case a default
 82	// logger will be used. Optional.
 83	Logger *slog.Logger
 84}
 85
 86func (o *Options) validate() error {
 87	if o.Tp == nil {
 88		return errors.New("credentials: missing required 'source_credentials' field in impersonated credentials")
 89	}
 90	if o.URL == "" {
 91		return errors.New("credentials: missing required 'service_account_impersonation_url' field in impersonated credentials")
 92	}
 93	return nil
 94}
 95
 96// Token performs the exchange to get a temporary service account token to allow access to GCP.
 97func (o *Options) Token(ctx context.Context) (*auth.Token, error) {
 98	logger := internallog.New(o.Logger)
 99	lifetime := defaultTokenLifetime
100	if o.TokenLifetimeSeconds != 0 {
101		lifetime = fmt.Sprintf("%ds", o.TokenLifetimeSeconds)
102	}
103	reqBody := generateAccessTokenReq{
104		Lifetime:  lifetime,
105		Scope:     o.Scopes,
106		Delegates: o.Delegates,
107	}
108	b, err := json.Marshal(reqBody)
109	if err != nil {
110		return nil, fmt.Errorf("credentials: unable to marshal request: %w", err)
111	}
112	req, err := http.NewRequestWithContext(ctx, "POST", o.URL, bytes.NewReader(b))
113	if err != nil {
114		return nil, fmt.Errorf("credentials: unable to create impersonation request: %w", err)
115	}
116	req.Header.Set("Content-Type", "application/json")
117	if err := setAuthHeader(ctx, o.Tp, req); err != nil {
118		return nil, err
119	}
120	logger.DebugContext(ctx, "impersonated token request", "request", internallog.HTTPRequest(req, b))
121	resp, body, err := internal.DoRequest(o.Client, req)
122	if err != nil {
123		return nil, fmt.Errorf("credentials: unable to generate access token: %w", err)
124	}
125	logger.DebugContext(ctx, "impersonated token response", "response", internallog.HTTPResponse(resp, body))
126	if c := resp.StatusCode; c < http.StatusOK || c >= http.StatusMultipleChoices {
127		return nil, fmt.Errorf("credentials: status code %d: %s", c, body)
128	}
129
130	var accessTokenResp impersonateTokenResponse
131	if err := json.Unmarshal(body, &accessTokenResp); err != nil {
132		return nil, fmt.Errorf("credentials: unable to parse response: %w", err)
133	}
134	expiry, err := time.Parse(time.RFC3339, accessTokenResp.ExpireTime)
135	if err != nil {
136		return nil, fmt.Errorf("credentials: unable to parse expiry: %w", err)
137	}
138	return &auth.Token{
139		Value:  accessTokenResp.AccessToken,
140		Expiry: expiry,
141		Type:   internal.TokenTypeBearer,
142	}, nil
143}
144
145func setAuthHeader(ctx context.Context, tp auth.TokenProvider, r *http.Request) error {
146	t, err := tp.Token(ctx)
147	if err != nil {
148		return err
149	}
150	typ := t.Type
151	if typ == "" {
152		typ = internal.TokenTypeBearer
153	}
154	r.Header.Set(authHeaderKey, typ+" "+t.Value)
155	return nil
156}