auth-subject

Sumary:

- Support for `sub` field in auth context, denoting subject.
- Motivating use case is email address based impersonation of google users by service account principals.

Author: general-kroll-4-life

go.mod

@@ -21,7 +21,7 @@ require (
 	github.com/spf13/cobra v1.4.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.10.1
-	github.com/stackql/any-sdk v0.0.3-beta09
+	github.com/stackql/any-sdk v0.0.3-beta11
 	github.com/stackql/go-suffix-map v0.0.1-alpha01
 	github.com/stackql/psql-wire v0.1.1-alpha07
 	github.com/stackql/stackql-parser v0.0.14-alpha04

go.sum

@@ -471,8 +471,8 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.10.1 h1:nuJZuYpG7gTj/XqiUwg8bA0cp1+M2mC3J4g5luUYBKk=
 github.com/spf13/viper v1.10.1/go.mod h1:IGlFPqhNAPKRxohIzWpI5QEy4kuI7tcl5WvR+8qy1rU=
-github.com/stackql/any-sdk v0.0.3-beta09 h1:1Ddl3cpkaLC+3XXkEyAkKeunhMbYwRkWE4iPnTr+TfE=
-github.com/stackql/any-sdk v0.0.3-beta09/go.mod h1:CIMFo3fC2ScpqzkzeCkzUQQuzYA1VuqpG0p1EZXN+wY=
+github.com/stackql/any-sdk v0.0.3-beta11 h1:9cqA3Rzwkkwb4kupO95sa0FK5pBvRWJW4AbqFK7u2Xk=
+github.com/stackql/any-sdk v0.0.3-beta11/go.mod h1:CIMFo3fC2ScpqzkzeCkzUQQuzYA1VuqpG0p1EZXN+wY=
 github.com/stackql/go-suffix-map v0.0.1-alpha01 h1:TDUDS8bySu41Oo9p0eniUeCm43mnRM6zFEd6j6VUaz8=
 github.com/stackql/go-suffix-map v0.0.1-alpha01/go.mod h1:QAi+SKukOyf4dBtWy8UMy+hsXXV+yyEE4vmBkji2V7g=
 github.com/stackql/psql-wire v0.1.1-alpha07 h1:LQWVUlx4Bougk6dztDNG5tmXxpIVeeTSsInTj801xCs=

internal/stackql/dto/auth_ctx.go

@@ -28,6 +28,7 @@ type AuthCtx struct {
 	EnvVarPassword          string         `json:"password_var" yaml:"password_var"`
 	EncodedBasicCredentials string         `json:"-" yaml:"-"`
 	Successor               *AuthCtx       `json:"successor" yaml:"successor"`
+	Subject                 string         `json:"sub" yaml:"sub"`
 	Active                  bool           `json:"-" yaml:"-"`
 	Location                string         `json:"location" yaml:"location"`
 	Name                    string         `json:"name" yaml:"name"`

internal/stackql/handler/handler.go

@@ -521,6 +521,7 @@ func GetHandlerCtx(
 func transformOpenapiStackqlAuthToLocal(authDTO anysdk.AuthDTO) *dto.AuthCtx {
 	rv := &dto.AuthCtx{
 		Scopes:                  authDTO.GetScopes(),
+		Subject:                 authDTO.GetSubject(),
 		Type:                    authDTO.GetType(),
 		ValuePrefix:             authDTO.GetValuePrefix(),
 		KeyID:                   authDTO.GetKeyID(),

internal/stackql/provider/auth_util.go

@@ -161,12 +161,19 @@ func parseServiceAccountFile(ac *dto.AuthCtx) (serviceAccount, error) {
 	return c, json.Unmarshal(b, &c)
 }
 
-func getJWTConfig(provider string, credentialsBytes []byte, scopes []string) (*jwt.Config, error) {
+func getJWTConfig(provider string, credentialsBytes []byte, scopes []string, subject string) (*jwt.Config, error) {
 	switch provider {
 	case "google", "googleads", "googleanalytics",
 		"googledevelopers", "googlemybusiness", "googleworkspace",
 		"youtube", "googleadmin":
-		return google.JWTConfigFromJSON(credentialsBytes, scopes...)
+		rv, err := google.JWTConfigFromJSON(credentialsBytes, scopes...)
+		if err != nil {
+			return nil, err
+		}
+		if subject != "" {
+			rv.Subject = subject
+		}
+		return rv, nil
 	default:
 		return nil, fmt.Errorf("service account auth for provider = '%s' currently not supported", provider)
 	}
@@ -182,7 +189,7 @@ func oauthServiceAccount(
 	if err != nil {
 		return nil, fmt.Errorf("service account credentials error: %w", err)
 	}
-	config, errToken := getJWTConfig(provider, b, scopes)
+	config, errToken := getJWTConfig(provider, b, scopes, authCtx.Subject)
 	if errToken != nil {
 		return nil, errToken
 	}