Skip to content

Commit

Permalink
Address requested changes
Browse files Browse the repository at this point in the history
  • Loading branch information
adrianajg committed Jan 3, 2023
1 parent 5267088 commit 79b862a
Show file tree
Hide file tree
Showing 3 changed files with 32 additions and 93 deletions.
42 changes: 30 additions & 12 deletions idtoken/idtoken.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,14 @@ import (
// ClientOption is for configuring a Google API client or transport.
type ClientOption = option.ClientOption

type credentialsType int

const (
unknownCredType credentialsType = iota
serviceAccount
impersonatedServiceAccount
)

// NewClient creates a HTTP Client that automatically adds an ID token to each
// request via an Authorization header. The token will have the audience
// provided and be configured with the supplied options. The parameter audience
Expand Down Expand Up @@ -71,7 +79,6 @@ func NewClient(ctx context.Context, audience string, opts ...ClientOption) (*htt
// provided and configured with the supplied options. The parameter audience may
// not be empty.
func NewTokenSource(ctx context.Context, audience string, opts ...ClientOption) (oauth2.TokenSource, error) {
option.WithScopes()
if audience == "" {
return nil, fmt.Errorf("idtoken: must supply a non-empty audience")
}
Expand Down Expand Up @@ -112,7 +119,8 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds
if err != nil {
return nil, err
}
if allowedType == "service_account" {
switch allowedType {
case serviceAccount:
cfg, err := google.JWTConfigFromJSON(data, ds.GetScopes()...)
if err != nil {
return nil, err
Expand All @@ -132,8 +140,7 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds
return nil, err
}
return oauth2.ReuseTokenSource(tok, ts), nil
} else {
// if allowedType is "impersonated_service_account":
case impersonatedServiceAccount:
type url struct {
ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
}
Expand All @@ -154,26 +161,37 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds
log.Println(err)
}
return ts, nil
default:
return nil, fmt.Errorf("idtoken: unsupported credentials type")
}
}

// isOfAllowedType returns the credentials type as a string, and an error.
// getAllowedType returns the credentials type of type credentialsType, and an error.
// allowed types are "service_account" and "impersonated_service_account"
func getAllowedType(data []byte) (string, error) {
func getAllowedType(data []byte) (credentialsType, error) {
var t credentialsType
if len(data) == 0 {
return "", fmt.Errorf("idtoken: credential provided is 0 bytes")
return t, fmt.Errorf("idtoken: credential provided is 0 bytes")
}
var f struct {
Type string `json:"type"`
}
// if not service account return an error
if err := json.Unmarshal(data, &f); err != nil {
return "", err
return t, err
}
if f.Type != "service_account" && f.Type != "impersonated_service_account" {
return "", fmt.Errorf("idtoken: credential must be service_account or impersonated_service_account, found %q", f.Type)
t = parseCredType(f.Type)
return t, nil
}

func parseCredType(typeString string) credentialsType {
switch typeString {
case "service_account":
return serviceAccount
case "impersonated_service_account":
return impersonatedServiceAccount
default:
return unknownCredType
}
return f.Type, nil
}

// WithCustomClaims optionally specifies custom private claims for an ID token.
Expand Down
80 changes: 0 additions & 80 deletions idtoken/idtoken_test.go

This file was deleted.

3 changes: 2 additions & 1 deletion idtoken/integration_test.go
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
// Copyright 2020 Google LLC.
// Copyright 2023 Google LLC.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package idtoken_test

import (
"context"
"encoding/json"
"net/http"
"os"
"strings"
Expand Down

0 comments on commit 79b862a

Please sign in to comment.