mirror of
https://github.com/golang/oauth2.git
synced 2025-07-21 00:00:09 +08:00
Before AppEngine classic allowed "google.golang.org/appengine" imports, we used to maintain two hook files to choose either from "appengine" or "google.golang.org/appengine" namespaces. Now, both environments allow importing from "google.golang.org/appengine". Therefore, there is no need to set hooks in two separate files. Also note that Flex prefers to use metadata server, so we still need to be able to differentiate between these environments. Change-Id: I7478ebdfa1b062d466aaf2aca938f93d42b4c58a Reviewed-on: https://go-review.googlesource.com/37378 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
131 lines
4.2 KiB
Go
131 lines
4.2 KiB
Go
// Copyright 2015 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package google
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"os"
|
|
"path/filepath"
|
|
"runtime"
|
|
|
|
"cloud.google.com/go/compute/metadata"
|
|
"golang.org/x/net/context"
|
|
"golang.org/x/oauth2"
|
|
)
|
|
|
|
// DefaultCredentials holds "Application Default Credentials".
|
|
// For more details, see:
|
|
// https://developers.google.com/accounts/docs/application-default-credentials
|
|
type DefaultCredentials struct {
|
|
ProjectID string // may be empty
|
|
TokenSource oauth2.TokenSource
|
|
}
|
|
|
|
// DefaultClient returns an HTTP Client that uses the
|
|
// DefaultTokenSource to obtain authentication credentials.
|
|
func DefaultClient(ctx context.Context, scope ...string) (*http.Client, error) {
|
|
ts, err := DefaultTokenSource(ctx, scope...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return oauth2.NewClient(ctx, ts), nil
|
|
}
|
|
|
|
// DefaultTokenSource returns the token source for
|
|
// "Application Default Credentials".
|
|
// It is a shortcut for FindDefaultCredentials(ctx, scope).TokenSource.
|
|
func DefaultTokenSource(ctx context.Context, scope ...string) (oauth2.TokenSource, error) {
|
|
creds, err := FindDefaultCredentials(ctx, scope...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return creds.TokenSource, nil
|
|
}
|
|
|
|
// FindDefaultCredentials searches for "Application Default Credentials".
|
|
//
|
|
// It looks for credentials in the following places,
|
|
// preferring the first location found:
|
|
//
|
|
// 1. A JSON file whose path is specified by the
|
|
// GOOGLE_APPLICATION_CREDENTIALS environment variable.
|
|
// 2. A JSON file in a location known to the gcloud command-line tool.
|
|
// On Windows, this is %APPDATA%/gcloud/application_default_credentials.json.
|
|
// On other systems, $HOME/.config/gcloud/application_default_credentials.json.
|
|
// 3. On Google App Engine it uses the appengine.AccessToken function.
|
|
// 4. On Google Compute Engine and Google App Engine Managed VMs, it fetches
|
|
// credentials from the metadata server.
|
|
// (In this final case any provided scopes are ignored.)
|
|
func FindDefaultCredentials(ctx context.Context, scope ...string) (*DefaultCredentials, error) {
|
|
// First, try the environment variable.
|
|
const envVar = "GOOGLE_APPLICATION_CREDENTIALS"
|
|
if filename := os.Getenv(envVar); filename != "" {
|
|
creds, err := readCredentialsFile(ctx, filename, scope)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("google: error getting credentials using %v environment variable: %v", envVar, err)
|
|
}
|
|
return creds, nil
|
|
}
|
|
|
|
// Second, try a well-known file.
|
|
filename := wellKnownFile()
|
|
if creds, err := readCredentialsFile(ctx, filename, scope); err == nil {
|
|
return creds, nil
|
|
} else if !os.IsNotExist(err) {
|
|
return nil, fmt.Errorf("google: error getting credentials using well-known file (%v): %v", filename, err)
|
|
}
|
|
|
|
// Third, if we're on Google App Engine use those credentials.
|
|
if appengineTokenFunc != nil && !appengineFlex {
|
|
return &DefaultCredentials{
|
|
ProjectID: appengineAppIDFunc(ctx),
|
|
TokenSource: AppEngineTokenSource(ctx, scope...),
|
|
}, nil
|
|
}
|
|
|
|
// Fourth, if we're on Google Compute Engine use the metadata server.
|
|
if metadata.OnGCE() {
|
|
id, _ := metadata.ProjectID()
|
|
return &DefaultCredentials{
|
|
ProjectID: id,
|
|
TokenSource: ComputeTokenSource(""),
|
|
}, nil
|
|
}
|
|
|
|
// None are found; return helpful error.
|
|
const url = "https://developers.google.com/accounts/docs/application-default-credentials"
|
|
return nil, fmt.Errorf("google: could not find default credentials. See %v for more information.", url)
|
|
}
|
|
|
|
func wellKnownFile() string {
|
|
const f = "application_default_credentials.json"
|
|
if runtime.GOOS == "windows" {
|
|
return filepath.Join(os.Getenv("APPDATA"), "gcloud", f)
|
|
}
|
|
return filepath.Join(guessUnixHomeDir(), ".config", "gcloud", f)
|
|
}
|
|
|
|
func readCredentialsFile(ctx context.Context, filename string, scopes []string) (*DefaultCredentials, error) {
|
|
b, err := ioutil.ReadFile(filename)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
var f credentialsFile
|
|
if err := json.Unmarshal(b, &f); err != nil {
|
|
return nil, err
|
|
}
|
|
ts, err := f.tokenSource(ctx, append([]string(nil), scopes...))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &DefaultCredentials{
|
|
ProjectID: f.ProjectID,
|
|
TokenSource: ts,
|
|
}, nil
|
|
}
|