File size: 7,966 Bytes
7b715bc | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 | /*
Copyright 2025 Google LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
using Google.Apis.Http;
using Google.Apis.Util;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
namespace Google.Apis.Auth.OAuth2;
/// <summary>
/// External account credentials that rely on user-provided code to obtain the third-party token.
/// </summary>
/// <remarks>
/// This credential type does not validate the credential configuration. A security
/// risk occurs when a credential configuration configured with malicious urls
/// is used.
/// You should validate credential configurations provided by untrusted sources.
/// See <see href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">
/// Security requirements when using credential configurations from an external source
/// </see> for more details.
/// </remarks>
public sealed class ProgrammaticExternalAccountCredential : ExternalAccountCredential, IGoogleCredential
{
/// <summary>
/// Subject token provider which is passed to a <see cref="ProgrammaticExternalAccountCredential"/> as the means
/// to obtain the third-party or external credentials token to include on the STS token exchange request.
/// </summary>
public interface ISubjectTokenProvider
{
/// <summary>
/// Obtains the subject token for the third-party credentials that will be inclded on the STS token exchange request.
/// The returned value will be included on the STS token exchange request as is.
/// This method will only be called when no Google access token has been obtained or it has (or is about to) expired,
/// </summary>
/// <param name="caller">
/// The credential calling this subject token provider. This may be useful to use state stored in the credential for
/// obtaining the subject token, but should be ignored otherwise. Will not be null.
/// </param>
/// <param name="taskCancellationToken">
/// The cancellation token for the operation.
/// </param>
Task<string> GetSubjectTokenAsync(ProgrammaticExternalAccountCredential caller, CancellationToken taskCancellationToken);
}
/// <summary>
/// Initializer for <see cref="ProgrammaticExternalAccountCredential"/>.
/// </summary>
new public class Initializer : ExternalAccountCredential.Initializer
{
/// <summary>
/// Builds an initializer for <see cref="ProgrammaticExternalAccountCredential"/>.
/// </summary>
/// <param name="tokenUrl">
/// The STS token exchange endpoint. Must not be null or empty.
/// </param>
/// <param name="audience">
/// The STS audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
/// Must not be null or empty.
/// </param>
/// <param name="subjectTokenType">
/// The STS subject token type based on the <see href="https://datatracker.ietf.org/doc/html/rfc8693#section-3">OAuth 2.0 token exchange specification</see>.
/// Must not be null or empty.
/// </param>
/// <param name="subjectTokenProvider">
/// The provider of the third-party token that's included on the STS token exchange request.
/// Must not be null.
/// </param>
public Initializer(string tokenUrl, string audience, string subjectTokenType, ISubjectTokenProvider subjectTokenProvider) : base(
tokenUrl.ThrowIfNullOrEmpty(nameof(tokenUrl)),
audience.ThrowIfNullOrEmpty(nameof(audience)),
subjectTokenType.ThrowIfNullOrEmpty(nameof(subjectTokenType))) =>
SubjectTokenProvider = subjectTokenProvider.ThrowIfNull(nameof(subjectTokenProvider));
/// <summary>
/// Builds and initializer for <see cref="ProgrammaticExternalAccountCredential"/> from the given initializer.
/// </summary>
public Initializer(Initializer other)
: base(other.ThrowIfNull(nameof(other))) =>
SubjectTokenProvider = other.SubjectTokenProvider;
/// <summary>
/// Builds and initializer for <see cref="ProgrammaticExternalAccountCredential"/> from the given credential.
/// </summary>
public Initializer(ProgrammaticExternalAccountCredential credential)
: base(credential.ThrowIfNull(nameof(credential))) =>
SubjectTokenProvider = credential.SubjectTokenProvider;
/// <summary>
/// The provider of the third-party token that's included on the STS token exchange request.
/// Will not be null.
/// </summary>
public ISubjectTokenProvider SubjectTokenProvider { get; }
}
/// <summary>
/// The provider of the third-party token that's included on the STS token exchange request.
/// Will not be null.
/// </summary>
public ISubjectTokenProvider SubjectTokenProvider { get; }
/// <inheritdoc/>
bool IGoogleCredential.HasExplicitScopes => HasExplicitScopes;
/// <inheritdoc/>
bool IGoogleCredential.SupportsExplicitScopes => SupportsExplicitScopes;
/// <summary>
/// Builds a <see cref="ProgrammaticExternalAccountCredential"/> instace from the given initializer.
/// </summary>
public ProgrammaticExternalAccountCredential(Initializer initializer)
: base(initializer.ThrowIfNull(nameof(initializer))) =>
SubjectTokenProvider = initializer.SubjectTokenProvider;
/// <inheritdoc/>
protected override Task<string> GetSubjectTokenAsyncImpl(CancellationToken taskCancellationToken) =>
SubjectTokenProvider.GetSubjectTokenAsync(this, taskCancellationToken);
/// <inheritdoc/>
private protected override GoogleCredential WithoutImpersonationConfigurationImpl() =>
ServiceAccountImpersonationUrl is null
? new GoogleCredential(this)
: new GoogleCredential(new ProgrammaticExternalAccountCredential(new Initializer(this)
{
ServiceAccountImpersonationUrl = null
}));
/// <inheritdoc/>
public GoogleCredential ToGoogleCredential() => new GoogleCredential(this);
/// <inheritdoc/>
IGoogleCredential IGoogleCredential.WithQuotaProject(string quotaProject) =>
new ProgrammaticExternalAccountCredential(new Initializer(this) { QuotaProject = quotaProject });
/// <inheritdoc/>
Task<string> IGoogleCredential.GetUniverseDomainAsync(CancellationToken cancellationToken) => Task.FromResult(UniverseDomain);
/// <inheritdoc/>
string IGoogleCredential.GetUniverseDomain() => UniverseDomain;
/// <inheritdoc/>
IGoogleCredential IGoogleCredential.MaybeWithScopes(IEnumerable<string> scopes) =>
new ProgrammaticExternalAccountCredential(new Initializer(this) { Scopes = scopes });
/// <inheritdoc/>
IGoogleCredential IGoogleCredential.WithUserForDomainWideDelegation(string user) => WithUserForDomainWideDelegation(user);
/// <inheritdoc/>
IGoogleCredential IGoogleCredential.WithHttpClientFactory(IHttpClientFactory httpClientFactory) =>
new ProgrammaticExternalAccountCredential(new Initializer(this) { HttpClientFactory = httpClientFactory });
/// <inheritdoc/>
IGoogleCredential IGoogleCredential.WithUniverseDomain(string universeDomain) =>
new ProgrammaticExternalAccountCredential(new Initializer(this) { UniverseDomain = universeDomain });
}
|