1 // Copyright 2025 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 15 package impersonate
16 17 import (
18 "bytes"
19 "context"
20 "encoding/json"
21 "fmt"
22 "log/slog"
23 "net/http"
24 "strings"
25 "time"
26 27 "cloud.google.com/go/auth"
28 "cloud.google.com/go/auth/internal"
29 "github.com/googleapis/gax-go/v2/internallog"
30 )
31 32 var (
33 universeDomainPlaceholder = "UNIVERSE_DOMAIN"
34 iamCredentialsUniverseDomainEndpoint = "https://iamcredentials.UNIVERSE_DOMAIN"
35 )
36 37 // IDTokenIAMOptions provides configuration for [IDTokenIAMOptions.Token].
38 type IDTokenIAMOptions struct {
39 // Client is required.
40 Client *http.Client
41 // Logger is required.
42 Logger *slog.Logger
43 UniverseDomain auth.CredentialsPropertyProvider
44 ServiceAccountEmail string
45 GenerateIDTokenRequest
46 }
47 48 // GenerateIDTokenRequest holds the request to the IAM generateIdToken RPC.
49 type GenerateIDTokenRequest struct {
50 Audience string `json:"audience"`
51 IncludeEmail bool `json:"includeEmail"`
52 // Delegates are the ordered, fully-qualified resource name for service
53 // accounts in a delegation chain. Each service account must be granted
54 // roles/iam.serviceAccountTokenCreator on the next service account in the
55 // chain. The delegates must have the following format:
56 // projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard
57 // character is required; replacing it with a project ID is invalid.
58 // Optional.
59 Delegates []string `json:"delegates,omitempty"`
60 }
61 62 // GenerateIDTokenResponse holds the response from the IAM generateIdToken RPC.
63 type GenerateIDTokenResponse struct {
64 Token string `json:"token"`
65 }
66 67 // Token call IAM generateIdToken with the configuration provided in [IDTokenIAMOptions].
68 func (o IDTokenIAMOptions) Token(ctx context.Context) (*auth.Token, error) {
69 universeDomain, err := o.UniverseDomain.GetProperty(ctx)
70 if err != nil {
71 return nil, err
72 }
73 endpoint := strings.Replace(iamCredentialsUniverseDomainEndpoint, universeDomainPlaceholder, universeDomain, 1)
74 url := fmt.Sprintf("%s/v1/%s:generateIdToken", endpoint, internal.FormatIAMServiceAccountResource(o.ServiceAccountEmail))
75 76 bodyBytes, err := json.Marshal(o.GenerateIDTokenRequest)
77 if err != nil {
78 return nil, fmt.Errorf("impersonate: unable to marshal request: %w", err)
79 }
80 81 req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(bodyBytes))
82 if err != nil {
83 return nil, fmt.Errorf("impersonate: unable to create request: %w", err)
84 }
85 req.Header.Set("Content-Type", "application/json")
86 o.Logger.DebugContext(ctx, "impersonated idtoken request", "request", internallog.HTTPRequest(req, bodyBytes))
87 resp, body, err := internal.DoRequest(o.Client, req)
88 if err != nil {
89 return nil, fmt.Errorf("impersonate: unable to generate ID token: %w", err)
90 }
91 o.Logger.DebugContext(ctx, "impersonated idtoken response", "response", internallog.HTTPResponse(resp, body))
92 if c := resp.StatusCode; c < 200 || c > 299 {
93 return nil, fmt.Errorf("impersonate: status code %d: %s", c, body)
94 }
95 96 var tokenResp GenerateIDTokenResponse
97 if err := json.Unmarshal(body, &tokenResp); err != nil {
98 return nil, fmt.Errorf("impersonate: unable to parse response: %w", err)
99 }
100 return &auth.Token{
101 Value: tokenResp.Token,
102 // Generated ID tokens are good for one hour.
103 Expiry: time.Now().Add(1 * time.Hour),
104 }, nil
105 }
106