1// Copyright 2017 Google Inc. All Rights Reserved.
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//      http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15package internal
16
17import (
18	"encoding/json"
19	"fmt"
20	"io/ioutil"
21	"time"
22
23	"golang.org/x/net/context"
24	"golang.org/x/oauth2"
25	"golang.org/x/oauth2/google"
26)
27
28// Creds returns credential information obtained from DialSettings, or if none, then
29// it returns default credential information.
30func Creds(ctx context.Context, ds *DialSettings) (*google.DefaultCredentials, error) {
31	if ds.CredentialsFile != "" {
32		return credFileTokenSource(ctx, ds.CredentialsFile, ds.Scopes...)
33	}
34	if ds.TokenSource != nil {
35		return &google.DefaultCredentials{TokenSource: ds.TokenSource}, nil
36	}
37	return google.FindDefaultCredentials(ctx, ds.Scopes...)
38}
39
40// credFileTokenSource reads a refresh token file or a service account and returns
41// a TokenSource constructed from the config.
42func credFileTokenSource(ctx context.Context, filename string, scope ...string) (*google.DefaultCredentials, error) {
43	data, err := ioutil.ReadFile(filename)
44	if err != nil {
45		return nil, fmt.Errorf("cannot read credentials file: %v", err)
46	}
47	// See if it is a refresh token credentials file first.
48	ts, ok, err := refreshTokenTokenSource(ctx, data, scope...)
49	if err != nil {
50		return nil, err
51	}
52	if ok {
53		return &google.DefaultCredentials{
54			TokenSource: ts,
55			JSON:        data,
56		}, nil
57	}
58
59	// If not, it should be a service account.
60	cfg, err := google.JWTConfigFromJSON(data, scope...)
61	if err != nil {
62		return nil, fmt.Errorf("google.JWTConfigFromJSON: %v", err)
63	}
64	// jwt.Config does not expose the project ID, so re-unmarshal to get it.
65	var pid struct {
66		ProjectID string `json:"project_id"`
67	}
68	if err := json.Unmarshal(data, &pid); err != nil {
69		return nil, err
70	}
71	return &google.DefaultCredentials{
72		ProjectID:   pid.ProjectID,
73		TokenSource: cfg.TokenSource(ctx),
74		JSON:        data,
75	}, nil
76}
77
78func refreshTokenTokenSource(ctx context.Context, data []byte, scope ...string) (oauth2.TokenSource, bool, error) {
79	var c cred
80	if err := json.Unmarshal(data, &c); err != nil {
81		return nil, false, fmt.Errorf("cannot unmarshal credentials file: %v", err)
82	}
83	if c.ClientID == "" || c.ClientSecret == "" || c.RefreshToken == "" || c.Type != "authorized_user" {
84		return nil, false, nil
85	}
86	cfg := &oauth2.Config{
87		ClientID:     c.ClientID,
88		ClientSecret: c.ClientSecret,
89		Endpoint:     google.Endpoint,
90		RedirectURL:  "urn:ietf:wg:oauth:2.0:oob",
91		Scopes:       scope,
92	}
93	return cfg.TokenSource(ctx, &oauth2.Token{
94		RefreshToken: c.RefreshToken,
95		Expiry:       time.Now(),
96	}), true, nil
97}
98
99type cred struct {
100	ClientID     string `json:"client_id"`
101	ClientSecret string `json:"client_secret"`
102	RefreshToken string `json:"refresh_token"`
103	Type         string `json:"type"`
104}
105