From 8200abe467bdf9f5b458f108e5f086bdfbfa2dd9 Mon Sep 17 00:00:00 2001
From: Eno Compton
Date: Thu, 20 Apr 2023 10:12:43 -0600
Subject: [PATCH] fix: disallow auto-iam-authn with gcloud-auth (#1762)

This combination is insecure because it puts an OAuth2 token with broader scoped access than necessary into the ephemeral certificate. Because gcloud-auth is a legacy flag, it is generally discouraged. This commit also adds a note to make that clear and provides a clear alternative using Application Default Credentials.

Fixes #1754

Co-authored-by: Jack Wotherspoon
---
 cmd/root.go | 11 ++++++++++-
 cmd/root_test.go | 6 ++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/cmd/root.go b/cmd/root.go
index 79fe1f0c7..65e79be4e 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -377,7 +377,11 @@ func NewCommand(opts ...Option) *Command {
 pflags.StringVarP(&c.conf.CredentialsJSON, "json-credentials", "j", "",
 "Use service account key JSON as a source of IAM credentials.")
 pflags.BoolVarP(&c.conf.GcloudAuth, "gcloud-auth", "g", false,
- "Use gcloud's user credentials as a source of IAM credentials.")
+ `Use gcloud's user credentials as a source of IAM credentials.
NOTE: this flag is a legacy feature and generally should not be used.
Instead prefer Application Default Credentials
(enabled with: gcloud auth application-default login) which
the Proxy will then pick-up automatically.`)
 pflags.BoolVarP(&c.conf.StructuredLogs, "structured-logs", "l", false,
 "Enable structured logging with LogEntry format")
 pflags.Uint64Var(&c.conf.MaxConnections, "max-connections", 0,
@@ -522,6 +526,11 @@ func parseConfig(cmd *Command, conf *proxy.Config, args []string) error {
 if conf.IAMAuthN && conf.Token != "" && conf.LoginToken == "" {
 return newBadCommandError("cannot specify --auto-iam-authn and --token without --login-token")
 }
+ if conf.IAMAuthN && conf.GcloudAuth {
+ return newBadCommandError(`cannot use --auto-iam-authn with --gcloud-auth.
Instead use Application Default Credentials (enabled with: gcloud auth application-default login)
and re-try with just --auto-iam-authn`)
+ }
 if conf.LoginToken != "" && (conf.Token == "" || !conf.IAMAuthN) {
 return newBadCommandError("cannot specify --login-token without --token and --auto-iam-authn")
 }
diff --git a/cmd/root_test.go b/cmd/root_test.go
index a610a7019..540a88fe4 100644
--- a/cmd/root_test.go
+++ b/cmd/root_test.go
@@ -951,6 +951,12 @@ func TestNewCommandWithErrors(t *testing.T) {
 "--token", "my-token",
 "--gcloud-auth", "proj:region:inst"},
 },
+ {
+ desc: "when both gcloud auth and auto-iam-authn are set",
+ args: []string{
+ "--auto-iam-authn",
+ "--gcloud-auth", "proj:region:inst"},
+ },
 {
 desc: "when both gcloud auth and credentials file are set",
 args: []string{
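Review bot: The new guard only inspects the global flags, `if conf.IAMAuthN && conf.GcloudAuth`, so if IAM authentication can also be enabled per instance (for example through a connection-name query parameter, which this hunk does not show) that path would still pair gcloud user credentials with IAM authentication and bypass the check. Either extend the check to the per-instance settings once they are parsed, or add a comment next to the guard explaining why the global flag is the only way to enable it. The matching table entry in cmd/root_test.go lists only args, so presumably the harness asserts just that some error is returned; asserting on the message would confirm that this guard, rather than an earlier one, rejected the input. parseConfig begins and ends outside the hunk.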