Skip to content

Commit

Permalink
fix(internal): don't use self-signed JWT with impersonation (#788)
Browse files Browse the repository at this point in the history 
The limited audience of the base credential will could cause
failures as it would not be able to comunicate with the iam
credentials api if just default scopes were passed.
  • Loading branch information
@codyoss
codyoss committed Jan 29, 2021
1 parent 3b9d19d commit 1dc7dac
Showing 1 changed file with 25 additions and 15 deletions.
40 changes: 25 additions & 15 deletions internal/creds.go
View file
Expand Up @@ -64,28 +64,38 @@ const (

// credentialsFromJSON returns a google.Credentials based on the input.
//
// - If the JSON is a service account and no scopes provided, returns self-signed JWT auth flow
// - Otherwise, returns OAuth 2.0 flow.
// - A self-signed JWT auth flow will be executed if: the data file is a service
// account, no user are scopes provided, an audience is provided, and
// credentials will not be impersonated.
//
// - Otherwise, executes a stanard OAuth 2.0 flow.
func credentialsFromJSON(ctx context.Context, data []byte, ds *DialSettings) (*google.Credentials, error) {
cred, err := google.CredentialsFromJSON(ctx, data, ds.GetScopes()...)
if err != nil {
return nil, err
}
if len(data) > 0 && len(ds.Scopes) == 0 && (ds.DefaultAudience != "" || len(ds.Audiences) > 0) {
var f struct {
Type string `json:"type"`
// The rest JSON fields are omitted because they are not used.
}
if err := json.Unmarshal(cred.JSON, &f); err != nil {
// Standard OAuth 2.0 Flow
if len(data) == 0 ||
len(ds.Scopes) > 0 ||
(ds.DefaultAudience == "" && len(ds.Audiences) == 0) ||
ds.ImpersonationConfig != nil {
return cred, nil
}

// Check if JSON is a service account and if so create a self-signed JWT.
var f struct {
Type string `json:"type"`
// The rest JSON fields are omitted because they are not used.
}
if err := json.Unmarshal(cred.JSON, &f); err != nil {
return nil, err
}
if f.Type == serviceAccountKey {
ts, err := selfSignedJWTTokenSource(data, ds.DefaultAudience, ds.Audiences)
if err != nil {
return nil, err
}
if f.Type == serviceAccountKey {
ts, err := selfSignedJWTTokenSource(data, ds.DefaultAudience, ds.Audiences)
if err != nil {
return nil, err
}
cred.TokenSource = ts
}
cred.TokenSource = ts
}
return cred, err
}
Expand Down

0 comments on commit 1dc7dac

Please sign in to comment.