[f9c482b] | 1 | <?php
| 2 |
| 3 | /*
| 4 | * Copyright 2022 Google Inc.
| 5 | *
| 6 | * Licensed under the Apache License, Version 2.0 (the "License");
| 7 | * you may not use this file except in compliance with the License.
| 8 | * You may obtain a copy of the License at
| 9 | *
| 10 | * http://www.apache.org/licenses/LICENSE-2.0
| 11 | *
| 12 | * Unless required by applicable law or agreed to in writing, software
| 13 | * distributed under the License is distributed on an "AS IS" BASIS,
| 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
| 15 | * See the License for the specific language governing permissions and
| 16 | * limitations under the License.
| 17 | */
| 18 |
| 19 | namespace Google\Auth\Credentials;
| 20 |
| 21 | use Google\Auth\CredentialsLoader;
| 22 | use Google\Auth\IamSignerTrait;
| 23 | use Google\Auth\SignBlobInterface;
| 24 |
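class ImpersonatedServiceAccountCredentials extends CredentialsLoader implements SignBlobInterface
{
    use IamSignerTrait;

    private const CRED_TYPE = 'imp';

    /**
     * Email or unique ID of the service account being impersonated, derived from the
     * "service_account_impersonation_url" field of the credentials file.
     *
     * @var string
     */
    protected $impersonatedServiceAccountName;

    /**
     * The credentials that actually obtain access tokens. This constructor only builds
     * UserRefreshCredentials from the "source_credentials" field.
     *
     * @var UserRefreshCredentials
     */
    protected $sourceCredentials;

    /**
     * Instantiate an instance of ImpersonatedServiceAccountCredentials from a credentials file that
     * has been created with the --impersonated-service-account flag.
     *
     * The credentials file is treated as trusted configuration: the "source_credentials" object is
     * passed to UserRefreshCredentials unchanged, and the "service_account_impersonation_url" is
     * only parsed to derive the impersonated account name (no request is made to it here).
     *
     * @param string|string[] $scope The scope of the access request, expressed either as an
     *   array or as a space-delimited string.
     * @param string|array<mixed> $jsonKey JSON credential file path or JSON credentials
     *   as an associative array.
     * @throws \InvalidArgumentException if $jsonKey is a path that does not exist or cannot be
     *   read, or if $jsonKey is neither a string nor an array.
     * @throws \LogicException if the file content is not a JSON object, or the required
     *   "service_account_impersonation_url" / "source_credentials" fields are missing or malformed.
     */
    public function __construct(
        $scope,
        $jsonKey
    ) {
        if (is_string($jsonKey)) {
            $jsonKey = $this->loadJsonKeyFile($jsonKey);
        }
        // A JSON scalar (e.g. "abc") decodes to a truthy non-array; array_key_exists() on it
        // would raise a TypeError, so reject anything that is not an associative array up front.
        if (!is_array($jsonKey)) {
            throw new \InvalidArgumentException(
                'json key must be a file path or an associative array'
            );
        }
        if (!array_key_exists('service_account_impersonation_url', $jsonKey)) {
            throw new \LogicException(
                'json key is missing the service_account_impersonation_url field'
            );
        }
        if (!is_string($jsonKey['service_account_impersonation_url'])) {
            throw new \LogicException(
                'the service_account_impersonation_url field must be a string'
            );
        }
        if (!array_key_exists('source_credentials', $jsonKey)) {
            throw new \LogicException('json key is missing the source_credentials field');
        }

        $this->impersonatedServiceAccountName = $this->getImpersonatedServiceAccountNameFromUrl(
            $jsonKey['service_account_impersonation_url']
        );

        $this->sourceCredentials = new UserRefreshCredentials(
            $scope,
            $jsonKey['source_credentials']
        );
    }

    /**
     * Read and decode a credentials file.
     *
     * Read failures are reported separately from decode failures so that a permissions problem
     * is not misreported as "invalid json".
     *
     * @param string $path Path to the JSON credentials file.
     * @return array<mixed> The decoded JSON object.
     * @throws \InvalidArgumentException if the file does not exist or cannot be read.
     * @throws \LogicException if the content is not a non-empty JSON object.
     */
    private function loadJsonKeyFile(string $path): array
    {
        if (!file_exists($path)) {
            throw new \InvalidArgumentException('file does not exist');
        }
        $json = file_get_contents($path);
        if ($json === false) {
            throw new \InvalidArgumentException('unable to read auth config file');
        }
        $decoded = json_decode($json, true);
        // An empty object/array is also rejected, matching the previous truthiness check.
        if (!is_array($decoded) || $decoded === []) {
            throw new \LogicException('invalid json for auth config');
        }

        return $decoded;
    }

    /**
     * Helper function for extracting the Service Account Name from the URL saved in the account
     * credentials file.
     *
     * Takes the last '/'-separated segment of the URL and returns the part before the first ':'
     * (the segment is expected to be of the form "{name}:{method}"). No other part of the URL is
     * validated or used.
     *
     * @param string $serviceAccountImpersonationUrl URL from "service_account_impersonation_url"
     * @return string Service account email or ID.
     */
    private function getImpersonatedServiceAccountNameFromUrl(
        string $serviceAccountImpersonationUrl
    ): string {
        $segments = explode('/', $serviceAccountImpersonationUrl);
        // explode() always yields at least one element, so end() cannot return false here.
        $lastSegment = (string) end($segments);
        [$name] = explode(':', $lastSegment, 2);

        return $name;
    }

    /**
     * Get the client name from the keyfile
     *
     * In this implementation, it returns the impersonated service account name parsed from the
     * keyfile's "service_account_impersonation_url".
     *
     * @param callable|null $unusedHttpHandler not used by this credentials type.
     * @return string Impersonated service account email or ID
     */
    public function getClientName(?callable $unusedHttpHandler = null)
    {
        return $this->impersonatedServiceAccountName;
    }

    /**
     * Fetch an access token via the source credentials.
     *
     * Note that this method does not call the impersonation URL: the token returned is the
     * source credentials' own access token, tagged with the "imp" credential type in the
     * token-endpoint metrics metadata. ID token requests are not supported.
     *
     * @param callable|null $httpHandler
     *
     * @return array<mixed> {
     *     A set of auth related metadata, containing the following
     *
     *     @type string $access_token
     *     @type int $expires_in
     *     @type string $scope
     *     @type string $token_type
     *     @type string $id_token
     * }
     */
    public function fetchAuthToken(?callable $httpHandler = null)
    {
        // We don't support id token endpoint requests as of now for Impersonated Cred
        $metricsHeaders = $this->applyTokenEndpointMetrics([], 'at');

        return $this->sourceCredentials->fetchAuthToken($httpHandler, $metricsHeaders);
    }

    /**
     * Returns the Cache Key for the credentials
     * The cache key is the same as the UserRefreshCredentials class
     *
     * @return string
     */
    public function getCacheKey()
    {
        return $this->sourceCredentials->getCacheKey();
    }

    /**
     * Returns the last token received by the source credentials.
     *
     * @return array<mixed>
     */
    public function getLastReceivedToken()
    {
        return $this->sourceCredentials->getLastReceivedToken();
    }

    /**
     * Credential type identifier used in token-endpoint metrics.
     */
    protected function getCredType(): string
    {
        return self::CRED_TYPE;
    }
}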