-
Notifications
You must be signed in to change notification settings - Fork 388
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Impersonated Universe Domain Support #1875
Merged
Merged
Changes from all commits
Commits
Show all changes
13 commits
Select commit
Hold shift + click to select a range
e7f759e
feat: Impersonated w/ Universe Support
d-goog 4f47c98
Merge branch 'main' of github.com:googleapis/google-auth-library-node…
d-goog f592c8e
docs: jsdoc/tsdoc fix
d-goog 4f184ac
feat: `useEmailAzp`
d-goog cbd89db
chore: compodoc nonsense
d-goog d3d3569
chore: for compodoc nonsense
d-goog 310fe18
chore: typo
d-goog 7167c05
Merge branch 'main' into impersonated-universe
d-goog 2d156ca
refactor: Explicit Universe Domains should throw for `Impersonated`
d-goog ad030e7
Merge branch 'impersonated-universe' of github.com:googleapis/google-…
d-goog 5939664
Merge branch 'main' of github.com:googleapis/google-auth-library-node…
d-goog 056c066
feat: Support `external_account` in `fromImpersonatedJSON`
d-goog dc043ce
feat: Improve `Impersonated` Support
d-goog File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -41,6 +41,7 @@ import { | |
| ExternalAccountClientOptions, | ||
| RefreshOptions, | ||
| Impersonated, | ||
| IdentityPoolClient, | ||
| } from '../src'; | ||
| import {CredentialBody} from '../src/auth/credentials'; | ||
| import * as envDetect from '../src/auth/envDetect'; | ||
|
|
@@ -52,11 +53,16 @@ import { | |
| mockStsTokenExchange, | ||
| saEmail, | ||
| } from './externalclienthelper'; | ||
| import {BaseExternalAccountClient} from '../src/auth/baseexternalclient'; | ||
| import { | ||
| BaseExternalAccountClient, | ||
| EXTERNAL_ACCOUNT_TYPE, | ||
| } from '../src/auth/baseexternalclient'; | ||
| import {AuthClient, DEFAULT_UNIVERSE} from '../src/auth/authclient'; | ||
| import {ExternalAccountAuthorizedUserClient} from '../src/auth/externalAccountAuthorizedUserClient'; | ||
| import {stringify} from 'querystring'; | ||
| import {GoogleAuthExceptionMessages} from '../src/auth/googleauth'; | ||
| import {IMPERSONATED_ACCOUNT_TYPE} from '../src/auth/impersonated'; | ||
| import {USER_REFRESH_ACCOUNT_TYPE} from '../src/auth/refreshclient'; | ||
|
|
||
| nock.disableNetConnect(); | ||
|
|
||
|
|
@@ -1656,6 +1662,86 @@ describe('googleauth', () => { | |
| .reply(200, {}); | ||
| } | ||
| describe('for impersonated types', () => { | ||
| describe('source clients', () => { | ||
| it('should support a variety of source clients', async () => { | ||
| const serviceAccountImpersonationURLBase = | ||
| 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateToken'; | ||
| const samples: { | ||
| creds: { | ||
| type: typeof IMPERSONATED_ACCOUNT_TYPE; | ||
| service_account_impersonation_url: string; | ||
| source_credentials: {}; | ||
| }; | ||
| expectedSource: typeof AuthClient; | ||
| }[] = [ | ||
| // USER_TO_SERVICE_ACCOUNT_JSON | ||
| { | ||
| creds: { | ||
| type: IMPERSONATED_ACCOUNT_TYPE, | ||
| service_account_impersonation_url: new URL( | ||
| './[email protected]:generateAccessToken', | ||
| serviceAccountImpersonationURLBase | ||
| ).toString(), | ||
| source_credentials: { | ||
| client_id: 'client', | ||
| client_secret: 'secret', | ||
| refresh_token: 'refreshToken', | ||
| type: USER_REFRESH_ACCOUNT_TYPE, | ||
| }, | ||
| }, | ||
| expectedSource: UserRefreshClient, | ||
| }, | ||
| // SERVICE_ACCOUNT_TO_SERVICE_ACCOUNT_JSON | ||
| { | ||
| creds: { | ||
| type: IMPERSONATED_ACCOUNT_TYPE, | ||
| service_account_impersonation_url: new URL( | ||
| './[email protected]:generateIdToken', | ||
| serviceAccountImpersonationURLBase | ||
| ).toString(), | ||
| source_credentials: { | ||
| type: 'service_account', | ||
| client_email: '[email protected]', | ||
| private_key: privateKey, | ||
| }, | ||
| }, | ||
| expectedSource: JWT, | ||
| }, | ||
| // EXTERNAL_ACCOUNT_TO_SERVICE_ACCOUNT_JSON | ||
| { | ||
| creds: { | ||
| type: IMPERSONATED_ACCOUNT_TYPE, | ||
| service_account_impersonation_url: new URL( | ||
| './[email protected]:generateIdToken', | ||
| serviceAccountImpersonationURLBase | ||
| ).toString(), | ||
| source_credentials: { | ||
| type: EXTERNAL_ACCOUNT_TYPE, | ||
| audience: 'audience', | ||
| subject_token_type: 'access_token', | ||
| token_url: 'https://sts.googleapis.com/v1/token', | ||
| credential_source: {url: 'https://example.com/token'}, | ||
| }, | ||
| }, | ||
| expectedSource: IdentityPoolClient, | ||
| }, | ||
| ]; | ||
|
|
||
| const auth = new GoogleAuth(); | ||
| for (const {creds, expectedSource} of samples) { | ||
| const client = auth.fromJSON(creds); | ||
|
|
||
| assert(client instanceof Impersonated); | ||
|
|
||
| // This is a private prop - we will refactor/remove in the future | ||
| assert( | ||
| (client as unknown as {sourceClient: {}}).sourceClient instanceof | ||
| expectedSource | ||
| ); | ||
| } | ||
| }); | ||
| }); | ||
|
|
||
| describe('for impersonated credentials signing', () => { | ||
| const now = new Date().getTime(); | ||
| const saSuccessResponse = { | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -97,6 +97,76 @@ describe('impersonated', () => { | |
| scopes.forEach(s => s.done()); | ||
| }); | ||
|
|
||
| it('should inherit a `universeDomain` from the source client', async () => { | ||
| const universeDomain = 'my.universe.com'; | ||
|
|
||
| const tomorrow = new Date(); | ||
| tomorrow.setDate(tomorrow.getDate() + 1); | ||
|
|
||
| const scopes = [ | ||
| nock(url).get('/').reply(200), | ||
| createGTokenMock({ | ||
| access_token: 'abc123', | ||
| }), | ||
| nock(`https://iamcredentials.${universeDomain}`) | ||
| .post( | ||
| '/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken', | ||
| (body: ImpersonatedCredentialRequest) => { | ||
| assert.strictEqual(body.lifetime, '30s'); | ||
| assert.deepStrictEqual(body.delegates, []); | ||
| assert.deepStrictEqual(body.scope, [ | ||
| 'https://www.googleapis.com/auth/cloud-platform', | ||
| ]); | ||
| return true; | ||
| } | ||
| ) | ||
| .reply(200, { | ||
| accessToken: 'universe-token', | ||
| expireTime: tomorrow.toISOString(), | ||
| }), | ||
| ]; | ||
|
|
||
| const sourceClient = createSampleJWTClient(); | ||
|
|
||
| // Use a simple API key for this test. No need to get too fancy. | ||
| sourceClient.apiKey = 'ABC'; | ||
| delete sourceClient.subject; | ||
|
|
||
| sourceClient.universeDomain = universeDomain; | ||
|
|
||
| const impersonated = new Impersonated({ | ||
| sourceClient, | ||
| targetPrincipal: '[email protected]', | ||
| lifetime: 30, | ||
| delegates: [], | ||
| targetScopes: ['https://www.googleapis.com/auth/cloud-platform'], | ||
| }); | ||
|
|
||
| await impersonated.request({url}); | ||
| assert.strictEqual(impersonated.credentials.access_token, 'universe-token'); | ||
|
|
||
| scopes.forEach(s => s.done()); | ||
| }); | ||
|
|
||
| it("should throw if an explicit `universeDomain` does not equal the source's `universeDomain`", async () => { | ||
| const universeDomain = 'my.universe.com'; | ||
| const otherUniverseDomain = 'not-my.universe.com'; | ||
|
|
||
| const sourceClient = createSampleJWTClient(); | ||
| sourceClient.universeDomain = otherUniverseDomain; | ||
|
|
||
| assert.throws(() => { | ||
| new Impersonated({ | ||
| sourceClient, | ||
| targetPrincipal: '[email protected]', | ||
| lifetime: 30, | ||
| delegates: [], | ||
| targetScopes: ['https://www.googleapis.com/auth/cloud-platform'], | ||
| universeDomain, | ||
| }); | ||
| }, /does not match/); | ||
| }); | ||
|
|
||
| it('should not request impersonated credentials on second request', async () => { | ||
| const tomorrow = new Date(); | ||
| tomorrow.setDate(tomorrow.getDate() + 1); | ||
|
|
@@ -383,10 +453,12 @@ describe('impersonated', () => { | |
| delegates: string[]; | ||
| audience: string; | ||
| includeEmail: boolean; | ||
| useEmailAzp: true; | ||
| }) => { | ||
| assert.strictEqual(body.audience, expectedAudience); | ||
| assert.strictEqual(body.includeEmail, expectedIncludeEmail); | ||
| assert.deepStrictEqual(body.delegates, expectedDeligates); | ||
| assert.strictEqual(body.useEmailAzp, true); | ||
| return true; | ||
| } | ||
| ) | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change is intentional to allow for impersonating any arbitrary type of source clients instead of just UserRefreshClient() right? Just for my own understanding.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep! Other clients are able to use impersonation and its required in TPC (e.g. for external accounts)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Gotcha, only note I have is that the impersonation is handled directly by the external account client itself in this library (this already works for TPC, the inmpersonation URL gets generated with the universe domain when the create-credential-config is run in gCloud): https://github.com/googleapis/google-auth-library-nodejs/blob/a65d8a11450fdc0f69ea228def462e5a77beecd5/src/auth/baseexternalclient.ts#L602C4-L605C9
This PR adds support for a different type of credential configuration file which we should support, but just wanted to point out I don't think this is a path we would expect people to normally use for BYOID creds.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Important call-out.