Documentation ¶
Overview ¶
Copyright 2020 Google Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Contains authorization handler functions.
browser implements helper functions to interact with the OS's default internet browser. macOS, Windows and Linux are the only supported operating systems.
clientIdFile implements several helper functions (wrapping around the google package) to manipulate the OAuth Client ID file.
loopback implements an authorization code localhost server that handles 3LO loopback flows. (see AuthorizationCodeServer interface)
Index ¶
- Constants
- Variables
- func BuildHeader(tokenType string, token string) string
- func BuildRefreshTokenJSON(refreshToken string, creds *google.Credentials) string
- func ClearCache() error
- func Curl(settings *Settings, taskSettings *TaskSettings)
- func CurlCommand(cli string, header string, url string, extraArgs ...string)
- func EncodeClaims(settings *Settings) string
- func Fetch(settings *Settings, taskSettings *TaskSettings)
- func FetchToken(ctx context.Context, settings *Settings) (*oauth2.Token, error)
- func FindJSONCredentials(ctx context.Context, settings *Settings) (*google.Credentials, error)
- func GeneratePKCEParams() *authhandler.PKCEParams
- func GenerateServiceAccountAccessToken(accessToken string, serviceAccount string, scope string) (*oauth2.Token, error)
- func Get3LOAuthorizationHandler(state string, consentSettings ConsentPageSettings, ...) authhandler.AuthorizationHandler
- func GetFirstRedirectURI(credentialsJSON string) (firstRedirectURI string, err error)
- func GetListener(address string) (listener *net.Listener, serverAddress string, err error)
- func GuessUnixHomeDir() string
- func Header(settings *Settings, taskSettings *TaskSettings)
- func Info(token string) int
- func InsertCache(settings *Settings, token *oauth2.Token) error
- func IsValidOauthClientIdFile(credentialsJSON string) (isValidCredFile bool)
- func JWTTokenSource(ctx context.Context, settings *Settings) (oauth2.TokenSource, error)
- func LookupCache(settings *Settings) (*oauth2.Token, error)
- func MarshalWithExtras(token *oauth2.Token, indent string) ([]byte, error)
- func OAuthJSONTokenSource(ctx context.Context, settings *Settings) (oauth2.TokenSource, error)
- func Reset()
- func SSOFetch(cli string, email string, scope string) (*oauth2.Token, error)
- func StsExchange(accessToken string, encodedClaims string) (*oauth2.Token, error)
- func Test(token string) int
- func UnmarshalWithExtras(data []byte) (*oauth2.Token, error)
- func Web()
- func WebStop()
- type AuthorizationCode
- type AuthorizationCodeLocalhost
- func (lh *AuthorizationCodeLocalhost) Close()
- func (lh *AuthorizationCodeLocalhost) GetAuthenticationCode() (authCode AuthorizationCode, err error)
- func (lh *AuthorizationCodeLocalhost) IsListeningAndServing() (isLisAndServ bool)
- func (lh *AuthorizationCodeLocalhost) ListenAndServe(address string) (serverAddress string, err error)
- func (lh *AuthorizationCodeLocalhost) WaitForConsentPageToReturnControl() (err error)
- func (lh *AuthorizationCodeLocalhost) WaitForListeningAndServing(maxWaitTime time.Duration) (isLisAndServ bool, err error)
- type AuthorizationCodeRequestStatus
- type AuthorizationCodeServer
- type AuthorizationCodeStatus
- type Browser
- type CacheKey
- type ConsentPageSettings
- type Settings
- type TaskSettings
Constants ¶
const (
	SERVER_STATUS_ENDPOINT_URL   = "/status/get"
	SERVER_LOOPBACK_ENDPOINT_URL = "/"
)
Loopback server endpoints
const CacheFileName = ".oauth2l"
const IamServiceAccountAccessTokenURL = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateAccessToken"
IamServiceAccountAccessTokenURL is used for generating an access token for a Service Account.
const StsURL = "https://securetoken.googleapis.com/v1alpha2/identitybindingtoken"
StsURL is Google's Secure Token Service endpoint used for obtaining an STS token. TODO (andyzhao): Replace with https://sts.googleapis.com/v1/token when ready.
Variables ¶
var AuthTypeAPIKey = "apikey"
var AuthTypeJWT = "jwt"
var AuthTypeOAuth = "oauth"
var AuthTypeSSO = "sso"
var CacheLocation string = filepath.Join(GuessUnixHomeDir(), CacheFileName)
var DefaultScope = "https://www.googleapis.com/auth/cloud-platform"
var WebDirectory string = filepath.Join(GuessUnixHomeDir(), defaultWebPackageName)
Functions ¶
func BuildHeader ¶
Returns the given token in standard header format.
func BuildRefreshTokenJSON ¶ added in v1.2.0
func BuildRefreshTokenJSON(refreshToken string, creds *google.Credentials) string
BuildRefreshTokenJSON attempts to construct a gcloud refresh token JSON using a refreshToken and an OAuth Client ID Credentials object. An empty string is returned if this is not possible.
func ClearCache ¶
func ClearCache() error
func Curl ¶
func Curl(settings *Settings, taskSettings *TaskSettings)
Fetches a token with the given settings using Google Authenticator and uses the token as a header to make a curl request.
func CurlCommand ¶
Executes curl command with provided header and params.
func EncodeClaims ¶ added in v1.1.0
EncodeClaims base64-encodes the supported STS claims in settings.
func Fetch ¶
func Fetch(settings *Settings, taskSettings *TaskSettings)
Fetches and prints the token in plain text with the given settings using Google Authenticator.
func FetchToken ¶ added in v1.2.0
Returns a token from the given settings. Returns nil for API keys.
func FindJSONCredentials ¶ added in v1.2.0
FindJSONCredentials obtains credentials from settings or from Application Default Credentials.
func GeneratePKCEParams ¶ added in v1.3.0
func GeneratePKCEParams() *authhandler.PKCEParams
GeneratePKCEParams generates a unique PKCE challenge and verifier combination, using a UUID, SHA-256 hashing, and base64 URL encoding with no padding.
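A reduced Go example, added here and not the project's own code, of the PKCE construction this function produces: a random verifier, the S256 challenge over it, and the check the authorization server runs to confirm the verifier matches the challenge. It draws the verifier from crypto/rand rather than a UUID, and pkceParams is a hypothetical stand-in for authhandler.PKCEParams.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// pkceParams is a hypothetical stand-in for authhandler.PKCEParams.
type pkceParams struct {
	Verifier        string // secret kept by the client until the token request
	Challenge       string // sent with the authorization request
	ChallengeMethod string // "S256"
}

// RFC 7636 mandates base64url without padding for both values.
var b64 = base64.RawURLEncoding

// newVerifier draws 32 bytes from crypto/rand and encodes them: 43 characters,
// inside the 43..128 range RFC 7636 allows. (The page's function derives the
// verifier from a UUID instead; this is a labelled substitution.)
func newVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", fmt.Errorf("pkce: reading entropy: %w", err)
	}
	return b64.EncodeToString(buf), nil
}

// challengeFor is the S256 transform: BASE64URL(SHA256(ASCII(verifier))).
// SHA-256 is a hash, so the verifier cannot be recovered from the challenge.
func challengeFor(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return b64.EncodeToString(sum[:])
}

// generatePKCEParams is the client-side step.
func generatePKCEParams() (*pkceParams, error) {
	v, err := newVerifier()
	if err != nil {
		return nil, err
	}
	return &pkceParams{Verifier: v, Challenge: challengeFor(v), ChallengeMethod: "S256"}, nil
}

// verifyPKCE is the check the authorization server runs on the token request:
// recompute the challenge from the presented verifier and compare it, in
// constant time, with the challenge recorded alongside the authorization code.
func verifyPKCE(verifier, recordedChallenge string) bool {
	if len(verifier) < 43 || len(verifier) > 128 {
		return false // outside the RFC 7636 length bounds
	}
	got := challengeFor(verifier)
	return subtle.ConstantTimeCompare([]byte(got), []byte(recordedChallenge)) == 1
}

func main() {
	p, err := generatePKCEParams()
	if err != nil {
		panic(err)
	}
	fmt.Printf("verifier=%s\nchallenge=%s (%s)\nvalid=%v\n",
		p.Verifier, p.Challenge, p.ChallengeMethod, verifyPKCE(p.Verifier, p.Challenge))
}
```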
func GenerateServiceAccountAccessToken ¶ added in v1.2.0
func GenerateServiceAccountAccessToken(accessToken string, serviceAccount string, scope string) (*oauth2.Token, error)
GenerateServiceAccountAccessToken generates a Service Account access token using a User access token approved for at least one of the following scopes:
- https://www.googleapis.com/auth/iam
- https://www.googleapis.com/auth/cloud-platform
func Get3LOAuthorizationHandler ¶ added in v1.3.0
func Get3LOAuthorizationHandler(state string, consentSettings ConsentPageSettings, authCodeServer *AuthorizationCodeServer) authhandler.AuthorizationHandler
3LO authorization handler. Determines what algorithm to use to get the authorization code.
Note that the "state" parameter is used to prevent CSRF attacks.
func GetFirstRedirectURI ¶ added in v1.3.0
GetFirstRedirectURI returns the first URI in "redirect_uris".
credentialsJSON represents the credentials JSON file.
Returns firstRedirectURI: the address of the first URI in "redirect_uris".
Returns err: if unable to process the credentialsJSON file.
func GetListener ¶ added in v1.3.0
GetListener gets a listener on the port specified in the address. If no port is specified in the address, an available port is assigned.
Input address: represents a localhost address. Its format is http://localhost[:port]
Returns listener.
Returns serverAddress: the address of the listener. Its format is http://localhost[:port]
Returns err: if not nil, an error occurred when creating the listener.
func GuessUnixHomeDir ¶ added in v1.2.0
func GuessUnixHomeDir() string
func Header ¶
func Header(settings *Settings, taskSettings *TaskSettings)
Fetches and prints the token in header format with the given settings using Google Authenticator.
func IsValidOauthClientIdFile ¶ added in v1.3.0
IsValidOauthClientIdFile determines if a valid OAuth Client ID file can be created from a credentials JSON file.
credentialsJSON represents the credentials JSON file.
Returns isValidCredFile: true if it can be recreated, false otherwise.
func JWTTokenSource ¶ added in v1.2.0
func MarshalWithExtras ¶ added in v1.2.2
Marshals the given oauth2.Token into a JSON byte array and includes Extra fields that would normally be omitted with default marshalling.
func OAuthJSONTokenSource ¶ added in v1.2.0
func StsExchange ¶ added in v1.1.0
Exchanges an OAuth access token for an STS token using base64-encoded claims.
func UnmarshalWithExtras ¶ added in v1.2.2
Unmarshals the given JSON byte array into an oauth2.Token and includes Extra fields that would normally be omitted with default unmarshalling.
Types ¶
type AuthorizationCode ¶ added in v1.3.0
AuthorizationCode represents the authorization code.
type AuthorizationCodeLocalhost ¶ added in v1.3.0
type AuthorizationCodeLocalhost struct {
	AuthCodeReqStatus   AuthorizationCodeStatus
	ConsentPageSettings ConsentPageSettings
	// contains filtered or unexported fields
}
AuthorizationCodeLocalhost implements AuthorizationCodeServer. See the interface for a description.
func (*AuthorizationCodeLocalhost) Close ¶ added in v1.3.0
func (lh *AuthorizationCodeLocalhost) Close()
func (*AuthorizationCodeLocalhost) GetAuthenticationCode ¶ added in v1.3.0
func (lh *AuthorizationCodeLocalhost) GetAuthenticationCode() (authCode AuthorizationCode, err error)
func (*AuthorizationCodeLocalhost) IsListeningAndServing ¶ added in v1.3.0
func (lh *AuthorizationCodeLocalhost) IsListeningAndServing() (isLisAndServ bool)
func (*AuthorizationCodeLocalhost) ListenAndServe ¶ added in v1.3.0
func (lh *AuthorizationCodeLocalhost) ListenAndServe(address string) (serverAddress string, err error)
func (*AuthorizationCodeLocalhost) WaitForConsentPageToReturnControl ¶ added in v1.3.0
func (lh *AuthorizationCodeLocalhost) WaitForConsentPageToReturnControl() (err error)
func (*AuthorizationCodeLocalhost) WaitForListeningAndServing ¶ added in v1.3.0
func (lh *AuthorizationCodeLocalhost) WaitForListeningAndServing(maxWaitTime time.Duration) (isLisAndServ bool, err error)
type AuthorizationCodeRequestStatus ¶ added in v1.3.0
type AuthorizationCodeRequestStatus int
const (
	// Waiting for authorization code
	// (waiting for authorization code request to start,
	// or for authorization code request to complete)
	WAITING AuthorizationCodeRequestStatus = iota
	// Authorization code successfully granted.
	GRANTED
	// Failed to grant authorization code
	FAILED
)
Phases of the authorization code.
type AuthorizationCodeServer ¶ added in v1.3.0
type AuthorizationCodeServer interface {
	// Starts listening and serving on the provided address.
	// If no port is specified in the address, an available port is assigned.
	//
	// Input address: represents a localhost address. Its format is http://localhost[:port]
	//
	// Returns serverAddress: is the address of the listener. Its format is http://localhost[:port]
	// Returns err: if server fails to listen or serve.
	ListenAndServe(address string) (serverAddress string, err error)

	// Stops listening and serving.
	Close()

	// IsListeningAndServing determines if the server is listening and serving.
	//
	// Returns isLisAndServ: true if this is listening and serving, false otherwise.
	IsListeningAndServing() (isLisAndServ bool)

	// WaitForListeningAndServing waits until the server is listening and serving,
	// or until a timeout occurs.
	//
	// Input maxWaitTime: is the maximum time to wait for the server to start
	// listening and serving.
	//
	// Returns isLisAndServ: true if the server is listening and serving,
	// false if the server fails to listen and serve before maxWaitTime elapses.
	// Returns err: if isLisAndServ is false.
	WaitForListeningAndServing(maxWaitTime time.Duration) (isLisAndServ bool, err error)

	// Returns the AuthorizationCode.
	//
	// Returns authCode: represents the authorization code.
	// If not yet granted its value is an empty string.
	// Returns err: is not nil if the code has not been granted.
	GetAuthenticationCode() (authCode AuthorizationCode, err error)

	// WaitForConsentPageToReturnControl waits until the consent page returns control.
	//
	// Returns err: if the consent page fails to return control
	// within the maxWaitTime.
	WaitForConsentPageToReturnControl() (err error)
}
AuthorizationCodeServer represents a localhost server that handles the loopback 3LO authorization flow.
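An added Go example (not the project's AuthorizationCodeLocalhost) showing the check that makes the "state" parameter from Get3LOAuthorizationHandler effective inside a loopback server like the one this interface describes: the redirect handler accepts a code only when the echoed state matches the one generated for this flow, and refuses further redirects once the flow has completed. The names loopbackServer, handleRedirect and getAuthenticationCode are hypothetical, and the fixed state and port in main are constructed values.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"log"
	"net/http"
	"sync"
)

// loopbackServer is a hypothetical, reduced stand-in for AuthorizationCodeLocalhost.
type loopbackServer struct {
	mu            sync.Mutex
	expectedState string // state sent with the authorization request
	code          string // granted authorization code, "" until then
	err           error  // failure reason, nil while still waiting or on success
}

func newLoopbackServer(state string) *loopbackServer {
	return &loopbackServer{expectedState: state}
}

// handleRedirect receives the browser redirect from the authorization server.
// The code is stored only if the echoed "state" equals the one generated for
// this flow (constant-time compare). A mismatch is refused without touching
// the flow state, so the genuine redirect can still be accepted afterwards.
func (s *loopbackServer) handleRedirect(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.code != "" || s.err != nil {
		http.Error(w, "authorization already completed", http.StatusConflict)
		return
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(s.expectedState)) != 1 {
		http.Error(w, "state mismatch: redirect rejected", http.StatusBadRequest)
		return
	}
	switch {
	case q.Get("error") != "": // user denied consent or the server reported an error
		s.err = errors.New("authorization server returned error: " + q.Get("error"))
	case q.Get("code") == "":
		s.err = errors.New("redirect carried no authorization code")
	default:
		s.code = q.Get("code")
		fmt.Fprintln(w, "Authorization received; you may close this window.")
		return
	}
	http.Error(w, s.err.Error(), http.StatusBadRequest)
}

// getAuthenticationCode mirrors GetAuthenticationCode: an error until granted.
func (s *loopbackServer) getAuthenticationCode() (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	switch {
	case s.err != nil:
		return "", s.err
	case s.code == "":
		return "", errors.New("authorization code not yet granted")
	}
	return s.code, nil
}

func main() { // stand-alone use; the real tool picks a free port and a random state
	s := newLoopbackServer("constructed-state-value")
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", http.HandlerFunc(s.handleRedirect)))
}
```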
type AuthorizationCodeStatus ¶ added in v1.3.0
type AuthorizationCodeStatus struct {
	Status  AuthorizationCodeRequestStatus
	Details string
}
AuthorizationCodeStatus represents the state of the authorization code.
type CacheKey ¶
type CacheKey struct {
	// The JSON credentials content downloaded from Google Cloud Console.
	CredentialsJSON string
	// If specified, use OAuth. Otherwise, JWT.
	Scope string
	// The audience field for JWT auth and UAT
	Audience string
	// The email used for SSO and domain-wide delegation.
	Email string
	// The Google API key
	APIKey string
	// The QuotaProject field for STS
	QuotaProject string
	// If specified, performs STS exchange on top of base OAuth
	Sts bool
	// Exchange User access token for Service Account access token.
	ServiceAccount string
}
The key struct used to identify an auth token fetch operation.
type ConsentPageSettings ¶ added in v1.3.0
type ConsentPageSettings struct {
	// DisableAutoOpenConsentPage controls the feature to automatically
	// open the browser to visit the consent page
	DisableAutoOpenConsentPage bool
	// InteractionTimeout is the maximum time to wait for the user
	// to interact with the consent page
	InteractionTimeout time.Duration
}
ConsentPageSettings is a 3-legged-OAuth helper that contains the settings for the interaction with the consent page.
type Settings ¶ added in v1.2.0
type Settings struct {
	// The JSON credentials content downloaded from Google Cloud Console.
	CredentialsJSON string
	// The authentication type.
	AuthType string
	// If specified, use OAuth. Otherwise, JWT.
	Scope string
	// The audience field for JWT auth
	Audience string
	// The Google API key
	APIKey string
	// This is only used for domain-wide delegation.
	// DEPRECATED
	User string
	// The email used for SSO and domain-wide delegation.
	Email string
	// A user specified project that is responsible for the request quota and
	// billing charges.
	QuotaProject string
	// AuthHandler is the AuthorizationHandler used for 3-legged OAuth flow.
	AuthHandler authhandler.AuthorizationHandler
	// State is a unique string used with AuthHandler.
	State string
	// Indicates that STS token exchange should be performed.
	Sts bool
	// Used for Service Account Impersonation.
	// Exchange User access token for Service Account access token.
	ServiceAccount string
}
An extensible structure that holds the credentials for Google API authentication.
func (Settings) GetAuthType ¶ added in v1.2.2
type TaskSettings ¶ added in v1.1.0
type TaskSettings struct {
	// AuthType determines which auth tool to use (sso vs sgauth)
	AuthType string
	// Output format for Fetch task
	Format string
	// CurlCli override for Curl task
	CurlCli string
	// Url endpoint for Curl task
	Url string
	// Extra args for Curl task
	ExtraArgs []string
	// SsoCli override for Sso task
	SsoCli string
	// Refresh expired access token in cache
	Refresh bool
}
An extensible structure that holds the settings used by different oauth2l tasks. These settings are used by oauth2l only and are not part of GUAC settings.