feat: add support for Impersonating ID Tokens (#580)

Author: bshaffer

src/ApplicationDefaultCredentials.php

@@ -20,6 +20,7 @@
 use DomainException;
 use Google\Auth\Credentials\AppIdentityCredentials;
 use Google\Auth\Credentials\GCECredentials;
+use Google\Auth\Credentials\ImpersonatedServiceAccountCredentials;
 use Google\Auth\Credentials\ServiceAccountCredentials;
 use Google\Auth\Credentials\UserRefreshCredentials;
 use Google\Auth\HttpHandler\HttpClientCache;
@@ -307,6 +308,7 @@ public static function getIdTokenCredentials(
 
             $creds = match ($jsonKey['type']) {
                 'authorized_user' => new UserRefreshCredentials(null, $jsonKey, $targetAudience),
+                'impersonated_service_account' => new ImpersonatedServiceAccountCredentials(null, $jsonKey, $targetAudience),
                 'service_account' => new ServiceAccountCredentials(null, $jsonKey, null, $targetAudience),
                 default => throw new InvalidArgumentException('invalid value in the type field')
             };

src/Credentials/ImpersonatedServiceAccountCredentials.php

@@ -21,6 +21,7 @@
 use Google\Auth\CacheTrait;
 use Google\Auth\CredentialsLoader;
 use Google\Auth\FetchAuthTokenInterface;
+use Google\Auth\GetUniverseDomainInterface;
 use Google\Auth\HttpHandler\HttpClientCache;
 use Google\Auth\HttpHandler\HttpHandlerFactory;
 use Google\Auth\IamSignerTrait;
@@ -29,12 +30,17 @@
 use InvalidArgumentException;
 use LogicException;
 
-class ImpersonatedServiceAccountCredentials extends CredentialsLoader implements SignBlobInterface
+class ImpersonatedServiceAccountCredentials extends CredentialsLoader implements
+    SignBlobInterface,
+    GetUniverseDomainInterface
 {
     use CacheTrait;
     use IamSignerTrait;
 
     private const CRED_TYPE = 'imp';
+    private const IAM_SCOPE = 'https://www.googleapis.com/auth/iam';
+    private const ID_TOKEN_IMPERSONATION_URL =
+        'https://iamcredentials.UNIVERSE_DOMAIN/v1/projects/-/serviceAccounts/%s:generateIdToken';
 
     /**
      * @var string
@@ -71,10 +77,12 @@ class ImpersonatedServiceAccountCredentials extends CredentialsLoader implements
      *     @type int                            $lifetime The lifetime of the impersonated credentials
      *     @type string[]                       $delegates The delegates to impersonate
      * }
+     * @param string|null $targetAudience The audience to request an ID token.
      */
     public function __construct(
-        $scope,
-        $jsonKey
+        string|array|null $scope,
+        string|array $jsonKey,
+        private ?string $targetAudience = null
     ) {
         if (is_string($jsonKey)) {
             if (!file_exists($jsonKey)) {
@@ -93,10 +101,23 @@ public function __construct(
         if (!array_key_exists('source_credentials', $jsonKey)) {
             throw new LogicException('json key is missing the source_credentials field');
         }
+        if ($scope && $targetAudience) {
+            throw new InvalidArgumentException(
+                'Scope and targetAudience cannot both be supplied'
+            );
+        }
         if (is_array($jsonKey['source_credentials'])) {
             if (!array_key_exists('type', $jsonKey['source_credentials'])) {
                 throw new InvalidArgumentException('json key source credentials are missing the type field');
             }
+            if (
+                $targetAudience !== null
+                && $jsonKey['source_credentials']['type'] === 'service_account'
+            ) {
+                // Service account tokens MUST request a scope, and as this token is only used to impersonate
+                // an ID token, the narrowest scope we can request is `iam`.
+                $scope = self::IAM_SCOPE;
+            }
             $jsonKey['source_credentials'] = CredentialsLoader::makeCredentials($scope, $jsonKey['source_credentials']);
         }
 
@@ -171,28 +192,52 @@ public function fetchAuthToken(?callable $httpHandler = null)
             'Content-Type' => 'application/json',
             'Cache-Control' => 'no-store',
             'Authorization' => sprintf('Bearer %s', $authToken['access_token'] ?? $authToken['id_token']),
-        ], 'at');
+        ], $this->isIdTokenRequest() ? 'it' : 'at');
+
+        $body = match ($this->isIdTokenRequest()) {
+            true => [
+                'audience' => $this->targetAudience,
+                'includeEmail' => true,
+            ],
+            false => [
+                'scope' => $this->targetScope,
+                'delegates' => $this->delegates,
+                'lifetime' => sprintf('%ss', $this->lifetime),
+            ]
+        };
 
-        $body = [
-            'scope' => $this->targetScope,
-            'delegates' => $this->delegates,
-            'lifetime' => sprintf('%ss', $this->lifetime),
-        ];
+        $url = $this->serviceAccountImpersonationUrl;
+        if ($this->isIdTokenRequest()) {
+            $regex = '/serviceAccounts\/(?<email>[^:]+):generateAccessToken$/';
+            if (!preg_match($regex, $url, $matches)) {
+                throw new InvalidArgumentException(
+                    'Invalid service account impersonation URL - unable to parse service account email'
+                );
+            }
+            $url = str_replace(
+                'UNIVERSE_DOMAIN',
+                $this->getUniverseDomain(),
+                sprintf(self::ID_TOKEN_IMPERSONATION_URL, $matches['email'])
+            );
+        }
 
         $request = new Request(
             'POST',
-            $this->serviceAccountImpersonationUrl,
+            $url,
             $headers,
             (string) json_encode($body)
         );
 
         $response = $httpHandler($request);
         $body = json_decode((string) $response->getBody(), true);
 
-        return [
-            'access_token' => $body['accessToken'],
-            'expires_at' => strtotime($body['expireTime']),
-        ];
+        return match ($this->isIdTokenRequest()) {
+            true => ['id_token' => $body['token']],
+            false => [
+                'access_token' => $body['accessToken'],
+                'expires_at' => strtotime($body['expireTime']),
+            ]
+        };
     }
 
     /**
@@ -220,4 +265,16 @@ protected function getCredType(): string
     {
         return self::CRED_TYPE;
     }
+
+    private function isIdTokenRequest(): bool
+    {
+        return !is_null($this->targetAudience);
+    }
+
+    public function getUniverseDomain(): string
+    {
+        return $this->sourceCredentials instanceof GetUniverseDomainInterface
+            ? $this->sourceCredentials->getUniverseDomain()
+            : self::DEFAULT_UNIVERSE_DOMAIN;
+    }
 }

tests/ApplicationDefaultCredentialsTest.php

@@ -32,7 +32,6 @@
 use GuzzleHttp\Psr7;
 use GuzzleHttp\Psr7\Response;
 use GuzzleHttp\Psr7\Utils;
-use PHPUnit\Framework\Error\Notice;
 use PHPUnit\Framework\TestCase;
 use Prophecy\PhpUnit\ProphecyTrait;
 use Psr\Cache\CacheItemPoolInterface;
@@ -499,6 +498,13 @@ public function testGetIdTokenCredentialsFailsIfNotOnGceAndNoDefaultFileFound()
         );
     }
 
+    public function testGetIdTokenCredentialsWithImpersonatedServiceAccountCredentials()
+    {
+        putenv('HOME=' . __DIR__ . '/fixtures5');
+        $creds = ApplicationDefaultCredentials::getIdTokenCredentials('123@456.com');
+        $this->assertInstanceOf(ImpersonatedServiceAccountCredentials::class, $creds);
+    }
+
     public function testGetIdTokenCredentialsWithCacheOptions()
     {
         $keyFile = __DIR__ . '/fixtures' . '/private.json';
@@ -803,10 +809,16 @@ public function testGetDefaultLoggerReturnsNullIfNotEnvVar()
     public function testGetDefaultLoggerRaiseAWarningIfMisconfiguredAndReturnsNull()
     {
         putenv($this::SDK_DEBUG_ENV_VAR . '=invalid');
-        $this->expectException(Notice::class);
-        $logger = ApplicationDefaultCredentials::getDefaultLogger();
 
-        $this->assertNull($logger);
+        $this->expectExceptionMessage(
+            'The GOOGLE_SDK_PHP_LOGGING is set, but it is set to another value than false or true'
+        );
+
+        set_error_handler(static function (int $errno, string $errstr): never {
+            throw new \Exception($errstr, $errno);
+        }, E_USER_NOTICE);
+
+        ApplicationDefaultCredentials::getDefaultLogger();
     }
 
     public function provideExternalAccountCredentials()