Merge pull request #9 from connectedcars/gcloud-auth-support

Troels Liebe Bentsen · web-flow · commit d2095c4f0034 · 2022-10-12T17:04:14.000+02:00
Gcloud auth support
diff --git a/README.md b/README.md
@@ -142,11 +142,95 @@ ssh-keygen -f build.key
 ssh-keygen -f build.key -m 'PEM' -e > build.pem
 ```
 
-# Release new version
+# Development
+
+## Release new version
 
 ``` bash
 export GITHUB_TOKEN="YOUR_GH_TOKEN"
 git tag -a v2.0.2 -m "Release 2.0.2"
 git push origin v2.0.2
 goreleaser release --rm-dist
-```
+```
+
+## VSCode setup
+
+settings.json
+``` json5
+{
+    // Golang
+    "go.useCodeSnippetsOnFunctionSuggest": true,
+    "go.useLanguageServer": true,
+    "go.alternateTools": {
+        "go-languageserver": "gopls"
+    },
+    "go.buildOnSave": "off",
+    "go.vetOnSave": "off",
+    "go.useCodeSnippetsOnFunctionSuggestWithoutType": true,
+    "go.docsTool": "gogetdoc",
+    "editor.codeActionsOnSave": {
+        "source.organizeImports": true
+    }
+}
+```
+
+launch.json
+``` json5
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Launch",
+            "type": "go",
+            "request": "launch",
+            "mode": "debug",
+            "program": "${workspaceFolder}/cmd/authwrapper",
+            "env": {
+                "SSH_KEY_PATH": "kms://projects/yourprojectname/locations/global/keyRings/yourkeyring/cryptoKeys/ssh-key/cryptoKeyVersions/1",
+                "SSH_SIGNING_SERVER_URL": "http://localhost:3080",
+                //"SSH_PRINCIPALS": "tlb",
+
+                "SSH_SIGNING_SERVER_LISTEN_ADDRESS": ":3080",
+                "SSH_CA_KEY_PATH": "kms://projects/yourprojectname/locations/global/keyRings/yourkeyring/cryptoKeys/ssh-key/cryptoKeyVersions/1",
+                "SSH_CA_AUTHORIZED_KEYS_PATH": "${workspaceFolder}/authorized_keys",
+                "SSH_SIGNING_LIFETIME": "60m",
+                
+                //"SSH_KEY_PATH": "kms://projects/yourprojectname/locations/global/keyRings/yourkeyring/cryptoKeys/ssh-key/cryptoKeyVersions/1",
+                "GIT_SSH_COMMAND": "ssh -vvvv",
+                "DOCKER_BUILDKIT": "1",
+                "PROGRESS_NO_TRUNC": "1",
+                "SSH_AUTH_SOCK": ""
+            },
+            "args": [
+                "-principals", "tlb",
+                //"ssh-add", "-L"
+                "ssh", "-p", "22", "-vv", "-l" ,"tlb", "1.2.4.5", "hostname"
+                //"bash", "-c", "docker build --no-cache --progress=plain --ssh=default=$SSH_AUTH_SOCK .",
+                //"docker", "build", 
+                //"--add-host=metadata.google.internal:192.168.65.2", 
+                //"--no-cache", 
+                //"--progress=plain", 
+                //"--ssh=default=$SSH_AUTH_SOCK", 
+                //"--build-arg=WRAP_IMAGE=gcr.io/cloud-builders/docker",
+                //"--build-arg=WRAP_COMMAND=/usr/bin/docker",
+                //"--build-arg=WRAP_NAME=docker",
+                //"--build-arg=SSH_KEY_PATH=kms://projects/yourprojectname/locations/global/keyRings/yourkeyring/cryptoKeys/ssh-key/cryptoKeyVersions/1",
+                //"."
+                //"git", "clone", "git@github.com:connectedcars/private-module.git"
+            ],
+            "showLog": true
+        },
+        {
+            "name": "Launch test function",
+            "type": "go",
+            "request": "launch",
+            "mode": "test",
+            "program": "${workspaceFolder}/cmd/main_test.go",
+            "args": ["-test.timeout", "999s"]
+        },
+    ]
+}
+```
diff --git a/go.mod b/go.mod
@@ -1,18 +1,28 @@
 module github.com/connectedcars/auth-wrapper
 
-go 1.13
+go 1.19
+
+require (
+	cloud.google.com/go/kms v1.4.0
+	golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90
+	golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094
+	google.golang.org/api v0.95.0
+	google.golang.org/genproto v0.0.0-20220908141613-51c1cc9bc6d0
+)
 
 require (
 	cloud.google.com/go/compute v1.9.0 // indirect
 	cloud.google.com/go/iam v0.4.0 // indirect
-	cloud.google.com/go/kms v1.4.0
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
 	github.com/googleapis/gax-go/v2 v2.5.1 // indirect
-	golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90
+	go.opencensus.io v0.23.0 // indirect
 	golang.org/x/net v0.0.0-20220907135653-1e95f45603a7 // indirect
 	golang.org/x/sys v0.0.0-20220908164124-27713097b956 // indirect
-	google.golang.org/api v0.95.0 // indirect
-	google.golang.org/genproto v0.0.0-20220908141613-51c1cc9bc6d0
+	golang.org/x/text v0.3.7 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/grpc v1.49.0 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -30,8 +30,6 @@ cloud.google.com/go v0.100.1/go.mod h1:fs4QogzfH5n2pBXBP9vRiU+eCny7lD2vmFZy79Iuw
 cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A=
 cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
 cloud.google.com/go v0.102.1 h1:vpK6iQWv/2uUeFJth4/cBHsQAGjn1iIE6AAlxipRaA0=
-cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU=
-cloud.google.com/go/asset v1.5.0/go.mod h1:5mfs8UvcM5wHhqtSv8J1CtxxaQq3AdBxxQi2jGW/K4o=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
@@ -298,7 +296,6 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
@@ -328,7 +325,6 @@ golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j
 golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
 golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
 golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
-golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
 golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094 h1:2o1E+E8TpNLklK9nHiPiK1uzIYrIHt+cQx3ynCwq9V8=
 golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -402,7 +398,6 @@ golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956 h1:XeJjHH1KiLpKGb6lvMiksZ9l0fVUh+AmGcm0nOMEBOY=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -518,9 +513,6 @@ google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69
 google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw=
 google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg=
 google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o=
-google.golang.org/api v0.90.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
-google.golang.org/api v0.91.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
-google.golang.org/api v0.93.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
 google.golang.org/api v0.95.0 h1:d1c24AAS01DYqXreBeuVV7ewY/U8Mnhh47pwtsgVtYg=
 google.golang.org/api v0.95.0/go.mod h1:eADj+UBuxkh5zlrSntJghuNeg8HwQ1w5lTKkuqaETEI=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
@@ -609,11 +601,7 @@ google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP
 google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
 google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220722212130-b98a9ff5e252/go.mod h1:GkXuJDJ6aQ7lnJcRF+SJVgFdQhypqgl3LB1C9vabdRE=
-google.golang.org/genproto v0.0.0-20220804142021-4e6b2dfa6612/go.mod h1:iHe1svFLAZg9VWz891+QbRMwUv9O/1Ww+/mngYeThbc=
-google.golang.org/genproto v0.0.0-20220815135757-37a418bb8959/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
 google.golang.org/genproto v0.0.0-20220908141613-51c1cc9bc6d0 h1:bMz0aY2wd9TwUp9M7QfjBWuQqaFD/ZaTtvDpPDCo2Ow=
 google.golang.org/genproto v0.0.0-20220908141613-51c1cc9bc6d0/go.mod h1:rQWNQYp1kbHR3+n5cARSTCF5rlJOttUn8yIhRklGAWQ=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -647,7 +635,6 @@ google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11
 google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.49.0 h1:WTLtQzmQori5FUH25Pq4WT22oCsv8USpQ+F6rqtsmxw=
 google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
diff --git a/kms/google/auth.go b/kms/google/auth.go
@@ -0,0 +1,94 @@
+package google
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"os/exec"
+	"time"
+
+	"golang.org/x/oauth2"
+	googleauth "golang.org/x/oauth2/google"
+)
+
+func FindTokenSource() (oauth2.TokenSource, error) {
+	tokenSource, errEnv := NewEnvTokenSource()
+	if errEnv == nil && tokenSource != nil {
+		return tokenSource, errEnv
+	}
+	tokenSource, errGcloud := NewGcloudTokenSource()
+	if errGcloud == nil && tokenSource != nil {
+		return tokenSource, errGcloud
+	}
+	return nil, fmt.Errorf("Failed to find credentials")
+}
+
+func NewEnvTokenSource() (oauth2.TokenSource, error) {
+	credentials, err := googleauth.FindDefaultCredentials(context.Background(), "https://www.googleapis.com/auth/cloud-platform")
+	if err == nil {
+		// Try to get a token so we know it works
+		token, err := credentials.TokenSource.Token()
+		if err != nil {
+			return nil, err
+		}
+		return oauth2.ReuseTokenSource(token, credentials.TokenSource), nil
+	}
+	return nil, fmt.Errorf("Failed to find credentials in the environment")
+}
+
+func NewGcloudTokenSource() (oauth2.TokenSource, error) {
+	if _, err := exec.LookPath("gcloud"); err != nil {
+		return nil, fmt.Errorf("Failed to find gcloud in path")
+	}
+
+	// Try to get a token so we know it works
+	ts := gcloudTokenSource{}
+
+	token, err := ts.Token()
+	if err != nil {
+		return nil, err
+	}
+
+	return oauth2.ReuseTokenSource(token, ts), nil
+}
+
+type gcloudTokenSource struct{}
+
+type gcloudOutput struct {
+	Credential struct {
+		AccessToken string `json:"access_token"`
+		TokenExpiry string `json:"token_expiry"`
+		IdToken     string `json:"id_token"`
+	} `json:"credential"`
+}
+
+func (gts gcloudTokenSource) Token() (*oauth2.Token, error) {
+	gcloudCmd := exec.Command("gcloud", "config", "config-helper", "--force-auth-refresh", "--format=json(credential)")
+	var out bytes.Buffer
+	gcloudCmd.Stdout = &out
+	gcloudCmd.Stderr = log.Writer()
+
+	if err := gcloudCmd.Run(); err != nil {
+		return nil, fmt.Errorf("error executing `gcloud config config-helper`: %w", err)
+	}
+
+	creds := gcloudOutput{}
+	if err := json.Unmarshal(out.Bytes(), &creds); err != nil {
+		return nil, fmt.Errorf("failed to parse `gcloud config config-helper` output: %w", err)
+	}
+
+	expiry, err := time.Parse(time.RFC3339, creds.Credential.TokenExpiry)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse gcloud token expiry: %w", err)
+	}
+
+	token := oauth2.Token{
+		TokenType:   "Bearer",
+		AccessToken: creds.Credential.AccessToken,
+		Expiry:      expiry,
+	}
+
+	return &token, nil
+}
diff --git a/kms/google/kms-signer.go b/kms/google/kms-signer.go
@@ -12,6 +12,7 @@ import (
 	"log"
 
 	cloudkms "cloud.google.com/go/kms/apiv1"
+	"google.golang.org/api/option"
 	kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1"
 )
 
@@ -56,9 +57,15 @@ var CryptoHashLookup = map[crypto.Hash]string{
 
 // NewKMSSigner creates a new instance
 func NewKMSSigner(keyName string, forceDigest bool) (signer KMSSigner, err error) {
+	// Try to find a token source in the environment
+	ts, err := FindTokenSource()
+	if err != nil {
+		log.Fatal(err)
+	}
+
 	// Create the KMS client.
 	ctx := context.Background()
-	client, err := cloudkms.NewKeyManagementClient(ctx)
+	client, err := cloudkms.NewKeyManagementClient(ctx, option.WithTokenSource(ts))
 	if err != nil {
 		log.Fatal(err)
 	}
