Closed msdrigg closed 1 year ago
Also wondering if there is any documentation you would like to see for these items, and any automated tests.
The existing tests do pass with this PR though.
This seems to be centralizing/rewriting a lot of the logic into the `FlexibleSource` implementation, which makes the library more monolithic (and thereby, in my opinion, harder to understand). I think the design I proposed in https://github.com/hrvolapeter/gcp_auth/issues/56#issuecomment-1669404489 would keep things more similar to how they were before, except that some of the discovery logic for the `AuthenticationManager` would hang off of the deserialized enum from the contents of the file referenced in `GOOGLE_APPLICATION_CREDENTIALS`.

Also in order to make large changes like these easy to review for the maintainers (at least, for me), these should be cleaned up and split up into smaller commits. For example, I would suggest improving `ConfigDefaultCredentials` and `CustomServiceAccount` in place, each in a separate commit or maybe even separate PRs.
Okay this morning I tested this in the real world with `GOOGLE_APPLICATION_CREDENTIALS` and `~/.config/gcloud/application_default_credentials.json` (`gcloud auth application-default login --impersonate-service-account <account>`) and (`gcloud auth application-default login`). Had to make some changes, but everything is working now.

I also added tests to parse all the key formats I added here.

I added some documentation of why I am doing things the way I do them. Since this is an internal module, I believe this documentation should be sufficient.

I would appreciate it if someone interested in this PR gave this a whirl in their environment, but other than that I think this PR is ready.
@djc Sorry I had typed up that comment before seeing your response.

Firstly, there is a problem with just checking `GOOGLE_APPLICATION_CREDENTIALS` and only using the `FlexibleCredentialSource` approach in that case. The problem is that we also need to check `~/.config/gcloud/application_default_credentials.json` because I can run `gcloud auth application-default login --impersonate-service-account <account>`.

So here's what I propose to break this down into manageable chunks.

1. `FlexibleTokenSource` that instead of handling the token refreshes itself, would use existing code from `ConfigDefaultCredentials` or `CustomServiceAccount`. `application_manager.rs` to check both the `~/.config/gcloud/application_default_credentials.json` file and the `GOOGLE_APPLICATION_CREDENTIALS` and then throw off to the existing `ConfigDefaultCredentials` or `CustomServiceAccount` code.
2. `ConfigDefaultCredentials` or `CustomServiceAccount` to support service account impersonation. `Box<dyn ServiceAccount>` to handle getting the source credentials (does this sound okay?)
3. `FlexibleTokenSource` to support service account impersonation (`token_uri`).

Yes, breaking down into those three chunks sounds good!
See you in a future pr :)
Solves #56.

This PR adds a new ServiceAccount implementation called `FlexibleTokenSource`. `FlexibleTokenSource` combines the functionality currently supplied by `ConfigDefaultCredentials` and `CustomServiceAccount`, and it improves the flexibility of each, currently supporting the service account, the user default credential account, and service account impersonation. All three of these approaches will work with `GOOGLE_APPLICATION_CREDENTIALS` and `~/.config/gcloud/application_default_credentials`.

In `AuthenticationManager::new()`, I replace the `ConfigDefaultCredentials` and `CustomServiceAccount` parsing attempts with the new `FlexibleTokenSource`, because this gives these improvements to both cases.

Additionally, I removed the `ConfigDefaultCredentials` struct altogether. I was not able to remove `CustomServiceAccount` because it is exposed in the public API for this crate. It also seems like `CustomServiceAccount` serves a specialized use case because it exposes methods like `CustomServiceAccount::signer()`, which is only possible when using the credential format with a `private_key` field.

I am leaving this as a draft for now because I want to get feedback on whether this is the kind of PR you are looking for before I do the necessary testing in the real world.
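The discovery order the thread converges on (`GOOGLE_APPLICATION_CREDENTIALS` first, then the file `gcloud auth application-default login` writes) and the dispatch on the parsed credential kind, as an added example in plain Rust that is not the gcp_auth crate's own code. It assumes the three ADC `type` values Google's JSON files use (`service_account`, `authorized_user`, `impersonated_service_account`), a Unix-style `HOME`, and replaces serde with a minimal hand-written scanner for the `type` key so it runs on the standard library alone.

```rust
use std::env;
use std::fs;
use std::path::PathBuf;

/// Credential kinds a flexible source must tell apart before dispatching.
#[derive(Debug, PartialEq)]
pub enum CredentialKind { ServiceAccount, AuthorizedUser, ImpersonatedServiceAccount }

/// Read the top-level "type" string of an ADC JSON file. Minimal scanner so the
/// example runs without serde; real code would derive Deserialize on an enum.
pub fn credential_kind(json: &str) -> Result<CredentialKind, String> {
    let idx = json.find("\"type\"").ok_or("missing \"type\" field")?;
    let rest = &json[idx + "\"type\"".len()..];
    let colon = rest.find(':').ok_or("malformed \"type\" field")?;
    let value = rest[colon + 1..].trim_start().strip_prefix('"').ok_or("\"type\" is not a string")?;
    let end = value.find('"').ok_or("unterminated \"type\" string")?;
    match &value[..end] {
        "service_account" => {
            // A service-account file without a private key cannot sign a JWT,
            // so reject it here instead of failing later inside the signer.
            if !json.contains("\"private_key\"") {
                return Err("service_account file lacks private_key".to_string());
            }
            Ok(CredentialKind::ServiceAccount)
        }
        "authorized_user" => Ok(CredentialKind::AuthorizedUser),
        "impersonated_service_account" => Ok(CredentialKind::ImpersonatedServiceAccount),
        other => Err(format!("unsupported credential type {other:?}")),
    }
}

/// Candidates in precedence order: GOOGLE_APPLICATION_CREDENTIALS, then the file
/// that `gcloud auth application-default login` writes (Unix-style HOME assumed).
pub fn candidate_paths() -> Vec<PathBuf> {
    let mut paths = Vec::new();
    if let Some(p) = env::var_os("GOOGLE_APPLICATION_CREDENTIALS") {
        paths.push(PathBuf::from(p));
    }
    if let Some(home) = env::var_os("HOME") {
        paths.push(PathBuf::from(home).join(".config/gcloud/application_default_credentials.json"));
    }
    paths
}

/// First readable candidate wins; a file that fails to parse is an error rather than
/// a fallthrough, so a misconfigured GOOGLE_APPLICATION_CREDENTIALS is never ignored.
pub fn discover() -> Result<(PathBuf, CredentialKind), String> {
    for path in candidate_paths() {
        if let Ok(contents) = fs::read_to_string(&path) {
            return credential_kind(&contents).map(|kind| (path, kind));
        }
    }
    Err("no application default credentials found".to_string())
}
```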