UNPKG

google-auth-library

Version:

Google APIs Authentication Client Library for Node.js

github.com/googleapis/google-auth-library-nodejs

googleapis/google-auth-library-nodejs

190 lines 8.2 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
"use strict"; /** * Copyright 2021 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ Object.defineProperty(exports, "__esModule", { value: true }); exports.Impersonated = exports.IMPERSONATED_ACCOUNT_TYPE = void 0; const oauth2client_1 = require("./oauth2client"); const gaxios_1 = require("gaxios"); const util_1 = require("../util"); exports.IMPERSONATED_ACCOUNT_TYPE = 'impersonated_service_account'; class Impersonated extends oauth2client_1.OAuth2Client { sourceClient; targetPrincipal; targetScopes; delegates; lifetime; endpoint; /** * Impersonated service account credentials. * * Create a new access token by impersonating another service account. * * Impersonated Credentials allowing credentials issued to a user or * service account to impersonate another. The source project using * Impersonated Credentials must enable the "IAMCredentials" API. * Also, the target service account must grant the orginating principal * the "Service Account Token Creator" IAM role. * * @param {object} options - The configuration object. * @param {object} [options.sourceClient] the source credential used as to * acquire the impersonated credentials. * @param {string} [options.targetPrincipal] the service account to * impersonate. * @param {string[]} [options.delegates] the chained list of delegates * required to grant the final access_token. If set, the sequence of * identities must have "Service Account Token Creator" capability granted to * the preceding identity. For example, if set to [serviceAccountB, * serviceAccountC], the sourceCredential must have the Token Creator role on * serviceAccountB. serviceAccountB must have the Token Creator on * serviceAccountC. Finally, C must have Token Creator on target_principal. * If left unset, sourceCredential must have that role on targetPrincipal. * @param {string[]} [options.targetScopes] scopes to request during the * authorization grant. * @param {number} [options.lifetime] number of seconds the delegated * credential should be valid for up to 3600 seconds by default, or 43,200 * seconds by extending the token's lifetime, see: * https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth * @param {string} [options.endpoint] api endpoint override. */ constructor(options = {}) { super(options); // Start with an expired refresh token, which will automatically be // refreshed before the first API call is made. this.credentials = { expiry_date: 1, refresh_token: 'impersonated-placeholder', }; this.sourceClient = options.sourceClient ?? new oauth2client_1.OAuth2Client(); this.targetPrincipal = options.targetPrincipal ?? ''; this.delegates = options.delegates ?? []; this.targetScopes = options.targetScopes ?? []; this.lifetime = options.lifetime ?? 3600; const usingExplicitUniverseDomain = !!(0, util_1.originalOrCamelOptions)(options).get('universe_domain'); if (!usingExplicitUniverseDomain) { // override the default universe with the source's universe this.universeDomain = this.sourceClient.universeDomain; } else if (this.sourceClient.universeDomain !== this.universeDomain) { // non-default universe and is not matching the source - this could be a credential leak throw new RangeError(`Universe domain ${this.sourceClient.universeDomain} in source credentials does not match ${this.universeDomain} universe domain set for impersonated credentials.`); } this.endpoint = options.endpoint ?? `https://iamcredentials.${this.universeDomain}`; } /** * Signs some bytes. * * {@link https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob Reference Documentation} * @param blobToSign String to sign. * * @returns A {@link SignBlobResponse} denoting the keyID and signedBlob in base64 string */ async sign(blobToSign) { await this.sourceClient.getAccessToken(); const name = `projects/-/serviceAccounts/${this.targetPrincipal}`; const u = `${this.endpoint}/v1/${name}:signBlob`; const body = { delegates: this.delegates, payload: Buffer.from(blobToSign).toString('base64'), }; const res = await this.sourceClient.request({ ...Impersonated.RETRY_CONFIG, url: u, data: body, method: 'POST', }); return res.data; } /** The service account email to be impersonated. */ getTargetPrincipal() { return this.targetPrincipal; } /** * Refreshes the access token. */ async refreshToken() { try { await this.sourceClient.getAccessToken(); const name = 'projects/-/serviceAccounts/' + this.targetPrincipal; const u = `${this.endpoint}/v1/${name}:generateAccessToken`; const body = { delegates: this.delegates, scope: this.targetScopes, lifetime: this.lifetime + 's', }; const res = await this.sourceClient.request({ ...Impersonated.RETRY_CONFIG, url: u, data: body, method: 'POST', }); const tokenResponse = res.data; this.credentials.access_token = tokenResponse.accessToken; this.credentials.expiry_date = Date.parse(tokenResponse.expireTime); return { tokens: this.credentials, res, }; } catch (error) { if (!(error instanceof Error)) throw error; let status = 0; let message = ''; if (error instanceof gaxios_1.GaxiosError) { status = error?.response?.data?.error?.status; message = error?.response?.data?.error?.message; } if (status && message) { error.message = `${status}: unable to impersonate: ${message}`; throw error; } else { error.message = `unable to impersonate: ${error}`; throw error; } } } /** * Generates an OpenID Connect ID token for a service account. * * {@link https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateIdToken Reference Documentation} * * @param targetAudience the audience for the fetched ID token. * @param options the for the request * @return an OpenID Connect ID token */ async fetchIdToken(targetAudience, options) { await this.sourceClient.getAccessToken(); const name = `projects/-/serviceAccounts/${this.targetPrincipal}`; const u = `${this.endpoint}/v1/${name}:generateIdToken`; const body = { delegates: this.delegates, audience: targetAudience, includeEmail: options?.includeEmail ?? true, useEmailAzp: options?.includeEmail ?? true, }; const res = await this.sourceClient.request({ ...Impersonated.RETRY_CONFIG, url: u, data: body, method: 'POST', }); return res.data.token; } } exports.Impersonated = Impersonated; //# sourceMappingURL=impersonated.js.map