feat(auth): add external account url sourced credentials #2217
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2217 +/- ##
==========================================
+ Coverage 89.08% 89.58% +0.49%
==========================================
Files 62 64 +2
Lines 2392 2449 +57
==========================================
+ Hits 2131 2194 +63
+ Misses 261 255 -6 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
src/auth/src/credentials/external_account_sources/url_sourced_account.rs
Outdated
Show resolved
Hide resolved
| let token = Token { | ||
| token: token_res.access_token, | ||
| token_type: token_res.token_type, | ||
| expires_at: Some(Instant::now() + Duration::from_secs(token_res.expires_in)), | ||
| metadata: None, |
There was a problem hiding this comment.
Can We instead make the exchange_token method return the Token itself?
src/auth/src/credentials/external_account_sources/url_sourced_account.rs
Outdated
Show resolved
Hide resolved
src/auth/src/credentials/external_account_sources/url_sourced_account.rs
Outdated
Show resolved
Hide resolved
src/auth/src/credentials/external_account_sources/url_sourced_account.rs
Outdated
Show resolved
Hide resolved
| @@ -17,6 +17,9 @@ pub mod mds; | |||
| pub mod service_account; | |||
| pub mod user_account; | |||
|
|
|||
| pub mod external_account; | |||
There was a problem hiding this comment.
Lets keep this private until we figure out twosigma's requirements regarding openssl and custom request client.
There was a problem hiding this comment.
The problem is that by doing that, I can't use the module on the auth integration tests.
| } | ||
|
|
||
| #[derive(Serialize, Deserialize, Debug, Clone, PartialEq)] | ||
| pub struct CredentialSourceFormat { |
There was a problem hiding this comment.
Does CredentialSourceFormat, CredentialSourceHeaders, ExecutableConfig, CredentialSource need to be public?
| Some(format) => { | ||
| let json_response: Value = serde_json::from_str(&response_text).unwrap(); | ||
| let subject_token = json_response | ||
| .get(&format.subject_token_field_name) |
There was a problem hiding this comment.
Please add the format of the response in comments or link to a source. If not this is hard to understand.
There was a problem hiding this comment.
the response from the subject token provider is dynamic and have a field named defined by the subject_token_field_name. So it's something like { "{subject_token_field_name}": "a token" }
| /// Creates a new builder using [external_account_config] JSON value. | ||
| /// | ||
| /// [external_account_config]: https://cloud.google.com/iam/docs/workload-download-cred-and-grant-access#download-configuration | ||
| pub fn new(external_account_config: Value) -> Self { |
There was a problem hiding this comment.
With this design, if for whatever reason the user wants to build a workload credential through code instead of loading from config, they have no way of doing it.
Can we design in such a way that every workload cred type has its own builder.
There was a problem hiding this comment.
I can create a URLSourcedExternalAccountCredential struct and that would provide a builder interface. Under the hood it would use an ExternalAccountCredential, so it's mostly a wrapper and more direct way of creating the type
There was a problem hiding this comment.
The builder for url sourced cred should also allow user to override scopes atleast. When user is building a cred, they could override scopes. If you do not have scopes in byoid builders, user would call with_scopes and it would do nothing for some cred types.
google-cloud-rust/src/auth/src/credentials.rs
Line 424 in dee6b3f
There was a problem hiding this comment.
This will also solve your macro problem
| ) | ||
| } | ||
| _ => { | ||
| unreachable!("expected Url Sourced credential") |
| } | ||
|
|
||
| #[async_trait::async_trait] | ||
| impl SubjectTokenProvider for UrlSourcedCredentials { |
There was a problem hiding this comment.
unit test for UrlSourcedCredentials?
Fixes #2079