idtoken.go raw

   1  // Copyright 2021 The Go Authors. All rights reserved.
   2  // Use of this source code is governed by a BSD-style
   3  // license that can be found in the LICENSE file.
   4  
   5  package impersonate
   6  
   7  import (
   8  	"bytes"
   9  	"context"
  10  	"encoding/json"
  11  	"fmt"
  12  	"io"
  13  	"net/http"
  14  	"time"
  15  
  16  	"golang.org/x/oauth2"
  17  	"google.golang.org/api/option"
  18  	htransport "google.golang.org/api/transport/http"
  19  )
  20  
  21  // IDTokenConfig for generating an impersonated ID token.
  22  type IDTokenConfig struct {
  23  	// Audience is the `aud` field for the token, such as an API endpoint the
  24  	// token will grant access to. Required.
  25  	Audience string
  26  	// TargetPrincipal is the email address of the service account to
  27  	// impersonate. Required.
  28  	TargetPrincipal string
  29  	// IncludeEmail includes the service account's email in the token. The
  30  	// resulting token will include both an `email` and `email_verified`
  31  	// claim.
  32  	IncludeEmail bool
  33  	// Delegates are the service account email addresses in a delegation chain.
  34  	// Each service account must be granted roles/iam.serviceAccountTokenCreator
  35  	// on the next service account in the chain. Optional.
  36  	Delegates []string
  37  }
  38  
  39  // IDTokenSource creates an impersonated TokenSource that returns ID tokens
  40  // configured with the provided config and using credentials loaded from
  41  // Application Default Credentials as the base credentials. The tokens provided
  42  // by the source are valid for one hour and are automatically refreshed.
  43  func IDTokenSource(ctx context.Context, config IDTokenConfig, opts ...option.ClientOption) (oauth2.TokenSource, error) {
  44  	if config.Audience == "" {
  45  		return nil, fmt.Errorf("impersonate: an audience must be provided")
  46  	}
  47  	if config.TargetPrincipal == "" {
  48  		return nil, fmt.Errorf("impersonate: a target service account must be provided")
  49  	}
  50  
  51  	clientOpts := append(defaultClientOptions(), opts...)
  52  	client, _, err := htransport.NewClient(ctx, clientOpts...)
  53  	if err != nil {
  54  		return nil, err
  55  	}
  56  
  57  	its := impersonatedIDTokenSource{
  58  		client:          client,
  59  		targetPrincipal: config.TargetPrincipal,
  60  		audience:        config.Audience,
  61  		includeEmail:    config.IncludeEmail,
  62  	}
  63  	for _, v := range config.Delegates {
  64  		its.delegates = append(its.delegates, formatIAMServiceAccountName(v))
  65  	}
  66  	return oauth2.ReuseTokenSource(nil, its), nil
  67  }
  68  
  69  type generateIDTokenRequest struct {
  70  	Audience     string   `json:"audience"`
  71  	IncludeEmail bool     `json:"includeEmail"`
  72  	Delegates    []string `json:"delegates,omitempty"`
  73  }
  74  
  75  type generateIDTokenResponse struct {
  76  	Token string `json:"token"`
  77  }
  78  
  79  type impersonatedIDTokenSource struct {
  80  	client *http.Client
  81  
  82  	targetPrincipal string
  83  	audience        string
  84  	includeEmail    bool
  85  	delegates       []string
  86  }
  87  
  88  func (i impersonatedIDTokenSource) Token() (*oauth2.Token, error) {
  89  	now := time.Now()
  90  	genIDTokenReq := generateIDTokenRequest{
  91  		Audience:     i.audience,
  92  		IncludeEmail: i.includeEmail,
  93  		Delegates:    i.delegates,
  94  	}
  95  	bodyBytes, err := json.Marshal(genIDTokenReq)
  96  	if err != nil {
  97  		return nil, fmt.Errorf("impersonate: unable to marshal request: %v", err)
  98  	}
  99  
 100  	url := fmt.Sprintf("%s/v1/%s:generateIdToken", iamCredentailsEndpoint, formatIAMServiceAccountName(i.targetPrincipal))
 101  	req, err := http.NewRequest("POST", url, bytes.NewReader(bodyBytes))
 102  	if err != nil {
 103  		return nil, fmt.Errorf("impersonate: unable to create request: %v", err)
 104  	}
 105  	req.Header.Set("Content-Type", "application/json")
 106  	resp, err := i.client.Do(req)
 107  	if err != nil {
 108  		return nil, fmt.Errorf("impersonate: unable to generate ID token: %v", err)
 109  	}
 110  	defer resp.Body.Close()
 111  	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
 112  	if err != nil {
 113  		return nil, fmt.Errorf("impersonate: unable to read body: %v", err)
 114  	}
 115  	if c := resp.StatusCode; c < 200 || c > 299 {
 116  		return nil, fmt.Errorf("impersonate: status code %d: %s", c, body)
 117  	}
 118  
 119  	var generateIDTokenResp generateIDTokenResponse
 120  	if err := json.Unmarshal(body, &generateIDTokenResp); err != nil {
 121  		return nil, fmt.Errorf("impersonate: unable to parse response: %v", err)
 122  	}
 123  	return &oauth2.Token{
 124  		AccessToken: generateIDTokenResp.Token,
 125  		// Generated ID tokens are good for one hour.
 126  		Expiry: now.Add(1 * time.Hour),
 127  	}, nil
 128  }
 129