435c0d9fc8
This PR switches the Nomad repository from using govendor to Go modules for managing dependencies. Aspects of the Nomad workflow remain pretty much the same. The usual Makefile targets should continue to work as they always did. The API submodule simply defers to the parent Nomad version on the repository, keeping the semantics of API versioning that currently exists.
93 lines
2.7 KiB
Go
93 lines
2.7 KiB
Go
// Copyright 2017 Google LLC.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package internal
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io/ioutil"
|
|
|
|
"golang.org/x/oauth2"
|
|
|
|
"golang.org/x/oauth2/google"
|
|
)
|
|
|
|
// Creds returns credential information obtained from DialSettings, or if none, then
|
|
// it returns default credential information.
|
|
func Creds(ctx context.Context, ds *DialSettings) (*google.Credentials, error) {
|
|
if ds.Credentials != nil {
|
|
return ds.Credentials, nil
|
|
}
|
|
if ds.CredentialsJSON != nil {
|
|
return credentialsFromJSON(ctx, ds.CredentialsJSON, ds.Endpoint, ds.Scopes, ds.Audiences)
|
|
}
|
|
if ds.CredentialsFile != "" {
|
|
data, err := ioutil.ReadFile(ds.CredentialsFile)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("cannot read credentials file: %v", err)
|
|
}
|
|
return credentialsFromJSON(ctx, data, ds.Endpoint, ds.Scopes, ds.Audiences)
|
|
}
|
|
if ds.TokenSource != nil {
|
|
return &google.Credentials{TokenSource: ds.TokenSource}, nil
|
|
}
|
|
cred, err := google.FindDefaultCredentials(ctx, ds.Scopes...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if len(cred.JSON) > 0 {
|
|
return credentialsFromJSON(ctx, cred.JSON, ds.Endpoint, ds.Scopes, ds.Audiences)
|
|
}
|
|
// For GAE and GCE, the JSON is empty so return the default credentials directly.
|
|
return cred, nil
|
|
}
|
|
|
|
// JSON key file type.
|
|
const (
|
|
serviceAccountKey = "service_account"
|
|
)
|
|
|
|
// credentialsFromJSON returns a google.Credentials based on the input.
|
|
//
|
|
// - If the JSON is a service account and no scopes provided, returns self-signed JWT auth flow
|
|
// - Otherwise, returns OAuth 2.0 flow.
|
|
func credentialsFromJSON(ctx context.Context, data []byte, endpoint string, scopes []string, audiences []string) (*google.Credentials, error) {
|
|
cred, err := google.CredentialsFromJSON(ctx, data, scopes...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if len(data) > 0 && len(scopes) == 0 {
|
|
var f struct {
|
|
Type string `json:"type"`
|
|
// The rest JSON fields are omitted because they are not used.
|
|
}
|
|
if err := json.Unmarshal(cred.JSON, &f); err != nil {
|
|
return nil, err
|
|
}
|
|
if f.Type == serviceAccountKey {
|
|
ts, err := selfSignedJWTTokenSource(data, endpoint, audiences)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
cred.TokenSource = ts
|
|
}
|
|
}
|
|
return cred, err
|
|
}
|
|
|
|
func selfSignedJWTTokenSource(data []byte, endpoint string, audiences []string) (oauth2.TokenSource, error) {
|
|
// Use the API endpoint as the default audience
|
|
audience := endpoint
|
|
if len(audiences) > 0 {
|
|
// TODO(shinfan): Update golang oauth to support multiple audiences.
|
|
if len(audiences) > 1 {
|
|
return nil, fmt.Errorf("multiple audiences support is not implemented")
|
|
}
|
|
audience = audiences[0]
|
|
}
|
|
return google.JWTAccessTokenSourceFromJSON(data, audience)
|
|
}
|