juicebox-systems
diff --git a/‎.gitignore
+2 b/‎.gitignore
+2
diff --git a/‎Cargo.toml
+27 b/‎Cargo.toml
+27
diff --git a/‎LICENSE
+63 b/‎LICENSE
+63
diff --git a/‎README.md
+42 b/‎README.md
+42
diff --git a/‎src/authentication_manager.rs
+32 b/‎src/authentication_manager.rs
+32
diff --git a/‎src/custom_service_account.rs
+95 b/‎src/custom_service_account.rs
+95
diff --git a/‎src/default_service_account.rs
+55 b/‎src/default_service_account.rs
+55
@@ -0,0 +1,2 @@
+target
+Cargo.lock
@@ -0,0 +1,27 @@
+[package]
+name = "gcp_auth"
+version = "0.1.0"
+authors = ["Peter Hrvola <[email protected]>"]
+repository = "https://github.com/hrvolapeter/gcp_auth"
+description = "Google cloud platform (GCP) authentication using default and custom service accounts"
+documentation = "https://docs.rs/gcp_auth/"
+keywords = ["authentication", "gcp", "google"]
+categories = ["asynchronous", "authentication"]
+readme = "README.md"
+license = "MIT"
+edition = "2018"
+
+[dependencies]
+base64 = "0.12"
+chrono = { version = "0.4", features = ["serde"] }
+hyper = "0.13.5"
+hyper-tls = "0.4"
+log = "0.4"
+rustls = "0.17"
+serde = {version = "1.0", features = ["derive"]}
+serde_json = "1.0"
+tokio = { version = "0.2", features = ["fs"] }
+url = "2"
+bytes = "0.5"
+async-trait = "0.1.31"
+thiserror = "1.0"
@@ -0,0 +1,63 @@
+Copyright (c) 2020 Peter Hrvola
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+[yup-oauth2]
+
+Copyright (c) 2015 The yup-oauth2 Developers
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+[JWT]
+
+Copyright (c) 2016 Google Inc. ([email protected]) -- though not an official
+Google product or in any way related!
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
@@ -0,0 +1,42 @@
+# GCP Auth
+[![crates.io](https://img.shields.io/crates/v/gcp_auth.svg)](https://crates.io/crates/gcp_auth)
+
+GCP Auth is a simple, minimal authentication library for Google Cloud Platform (GCP) providing authentication using
+services accounts that are used to issues Bearer tokens that can be used to authenticate against GCP services.
+
+Library implements two authenticatiom methods:
+
+- Default service accounts - can be used inside GCP
+- Custom service account - provided using environenment variable
+
+Tokens should not be cached in the application and before every use a new token should be request. The GCP auth library decides
+if there is available token with appropriate scope or if a new token should be generated.
+
+## Default Service Account
+
+When running inside GCP the library can be asked directly without any further configuration to provide a Bearer token
+for the current service account of the service.
+
+```rust
+let authentication_manager = gcp_auth::init();
+let token = authentication_manager.get_token().await?;
+```
+
+## Custom Service Account
+
+When running outside of GCP e.g on development laptop to allow finer granularity for permission a
+custom service account can be used. To use a custom service account a configuration file containing key
+has to be downloaded in IAM service for the service account you intend to use. The configuration file has to
+be available to the application at run time. The path to the configuration file is specified by 
+`GOOGLE_APPLICATION_CREDENTIALS` environment variable.
+
+```no_run
+# GOOGLE_APPLICATION_CREDENTIALS environtment variable is set-up
+let authentication_manager = gcp_auth::init();
+let token = authentication_manager.get_token().await?;
+```
+
+# License
+Parts of implementatino have been sourced from [yup-oauth2](https://github.com/dermesser/yup-oauth2)
+
+Licensed under [MIT license](http://opensource.org/licenses/MIT).
@@ -0,0 +1,32 @@
+use crate::prelude::*;
+use tokio::sync::Mutex;
+
+#[async_trait]
+pub trait ServiceAccount: Send {
+    fn get_token(&self, scopes: &[&str]) -> Option<Token>;
+    async fn refresh_token(&mut self, client: &HyperClient, scopes: &[&str]) -> Result<(), GCPAuthError>;
+}
+
+/// Authentication manager is responsible for caching and obtaing credentials for the required scope
+/// 
+/// Cacheing for the full life time is ensured
+pub struct AuthenticationManager {
+    pub(crate) client: HyperClient,
+    pub(crate) service_account: Mutex<Box<dyn ServiceAccount>>,
+}
+
+impl AuthenticationManager {
+    /// Requests Bearer token for the provided scope
+    /// 
+    /// Token can be used in the request authorization header in format "Bearer {token}"
+    pub async fn get_token(&self, scopes: &[&str]) -> BoxResult<Token> {
+        let mut sa = self.service_account.lock().await;
+        let mut token = sa.get_token(scopes);
+        if token.is_none() {
+            sa.refresh_token(&self.client, scopes).await?;
+            token = sa.get_token(scopes);
+        }
+
+        Ok(token.expect("Token obtained with refresh or failed before"))
+    }
+}
@@ -0,0 +1,95 @@
+use crate::prelude::*;
+use crate::authentication_manager::ServiceAccount;
+use tokio::fs;
+
+#[derive(Debug)]
+pub struct CustomServiceAccount {
+    tokens: HashMap<Vec<String>, Token>,
+    credentials: ApplicationCredentials,
+}
+
+impl CustomServiceAccount {
+    const GOOGLE_APPLICATION_CREDENTIALS: &'static str = "GOOGLE_APPLICATION_CREDENTIALS";
+
+    pub async fn new() -> Result<Self, GCPAuthError> {
+        let path = std::env::var(Self::GOOGLE_APPLICATION_CREDENTIALS).map_err(|_| GCPAuthError::AplicationProfileMissing)?;
+        let credentials = ApplicationCredentials::from_file(path).await?;
+        Ok(Self {
+            credentials,
+            tokens: HashMap::new(),
+        })
+    }
+}
+
+#[async_trait]
+impl ServiceAccount for CustomServiceAccount {
+    fn get_token(&self, scopes: &[&str]) -> Option<Token> {
+        let key: Vec<_> = scopes.iter().map(|x| (*x).to_string()).collect();
+        let token = self
+            .tokens
+            .get(&key);
+        
+        if token.is_none() || token.unwrap().has_expired() {
+            return None;
+        }
+        Some(token.unwrap().clone())
+    }
+
+    async fn refresh_token(&mut self, client: &HyperClient, scopes: &[&str]) -> Result<(), GCPAuthError> {
+        use crate::jwt::Claims;
+        use crate::jwt::JWTSigner;
+        use crate::jwt::GRANT_TYPE;
+        use hyper::header;
+        use url::form_urlencoded;
+
+        let signer = JWTSigner::new(&self.credentials.private_key)?;
+
+        let claims = Claims::new(&self.credentials, scopes, None);
+        let signed = signer.sign_claims(&claims).map_err(GCPAuthError::TLSError)?;
+        let rqbody = form_urlencoded::Serializer::new(String::new())
+            .extend_pairs(&[("grant_type", GRANT_TYPE), ("assertion", signed.as_str())])
+            .finish();
+        let request = hyper::Request::post(&self.credentials.token_uri)
+            .header(header::CONTENT_TYPE, "application/x-www-form-urlencoded")
+            .body(hyper::Body::from(rqbody))
+            .unwrap();
+        log::debug!("requesting token from service account: {:?}", request);
+        let (head, body) = client.request(request).await.map_err(GCPAuthError::OAuthConnectionError)?.into_parts();
+        let body = hyper::body::to_bytes(body).await.map_err(GCPAuthError::OAuthConnectionError)?;
+        log::debug!("received response; head: {:?}, body: {:?}", head, body);
+        let token: Token = serde_json::from_slice(&body).map_err(GCPAuthError::OAuthParsingError)?;
+        let key = scopes.iter().map(|x| (*x).to_string()).collect();
+        self.tokens.insert(key, token);
+        Ok(())
+    }
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone)]
+pub struct ApplicationCredentials {
+    pub r#type: Option<String>,
+    /// project_id
+    pub project_id: Option<String>,
+    /// private_key_id
+    pub private_key_id: Option<String>,
+    /// private_key
+    pub private_key: String,
+    /// client_email
+    pub client_email: String,
+    /// client_id
+    pub client_id: Option<String>,
+    /// auth_uri
+    pub auth_uri: Option<String>,
+    /// token_uri
+    pub token_uri: String,
+    /// auth_provider_x509_cert_url
+    pub auth_provider_x509_cert_url: Option<String>,
+    /// client_x509_cert_url
+    pub client_x509_cert_url: Option<String>,
+}
+
+impl ApplicationCredentials {
+    async fn from_file<T: AsRef<Path>>(path: T) -> Result<ApplicationCredentials, GCPAuthError> {
+        let content = fs::read_to_string(path).await.map_err(GCPAuthError::AplicationProfilePath)?;
+        Ok(serde_json::from_str(&content).map_err(GCPAuthError::AplicationProfileFormat)?)
+    }
+}
@@ -0,0 +1,55 @@
+use crate::prelude::*;
+use crate::authentication_manager::ServiceAccount;
+use hyper::body::Body;
+use hyper::Method;
+
+#[derive(Debug)]
+pub struct DefaultServiceAccount {
+    token: Token,
+}
+
+impl DefaultServiceAccount {
+    const DEFAULT_TOKEN_GCP_URI: &'static str = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token";
+
+    pub async fn new(client: &HyperClient) -> Result<Self, GCPAuthError> {
+        let token = Self::get_token(client).await?;
+        Ok(Self { token })
+    }
+
+    fn build_token_request() -> Request<Body> {
+        Request::builder()
+            .method(Method::GET)
+            .uri(Self::DEFAULT_TOKEN_GCP_URI)
+            .header("Metadata-Flavor", "Google")
+            .body(Body::empty()).unwrap()
+    }
+
+    async fn get_token(client: &HyperClient) -> Result<Token, GCPAuthError> {
+        log::debug!("Getting token from GCP instance metadata server");
+        let req = Self::build_token_request();
+        let resp = client.request(req).await.map_err(GCPAuthError::MetadataConnectionError)?;
+        if resp.status().is_success() {
+            let body = hyper::body::aggregate(resp).await.map_err(GCPAuthError::MetadataConnectionError)?;
+            let bytes = body.bytes();
+            let token = serde_json::from_slice(bytes).map_err(GCPAuthError::MetadataParsingError)?;
+            return Ok(token);
+        }
+        Err(GCPAuthError::MetadataServerUnavailable)
+    }
+}
+
+#[async_trait]
+impl ServiceAccount for DefaultServiceAccount {
+    fn get_token(&self, _scopes: &[&str]) -> Option<Token> {
+        if self.token.has_expired() {
+            return None;
+        }
+        Some(self.token.clone())
+    }
+
+    async fn refresh_token(&mut self, client: &HyperClient, _scopes: &[&str]) -> Result<(), GCPAuthError> {
+        let token = Self::get_token(client).await?;
+        self.token = token;
+        Ok(())
+    }
+}