add support for impersonated service accounts

Author: maerlyn5

Core/Sources/Configuration/Credentials/GoogleCloudCredentials.swift

@@ -71,6 +71,43 @@ public struct GoogleServiceAccountCredentials: Codable {
     }
 }
 
+public struct SourceCredentials: Codable {
+    public let clientId: String
+    public let clientSecret: String
+    public let refreshToken: String
+    public let type: String
+}
+
+public struct ImpersonatedServiceAccountCredentials: Codable {
+    public let delegates: [String]
+    public let serviceAccountImpersonationUrl: String
+    public let sourceCredentials: SourceCredentials
+    public let type: String
+
+    // Initializer to load from a JSON string
+    public init(fromJsonString json: String) throws {
+        let decoder = JSONDecoder()
+        decoder.keyDecodingStrategy = .convertFromSnakeCase
+        if let data = json.data(using: .utf8) {
+            self = try decoder.decode(ImpersonatedServiceAccountCredentials.self, from: data)
+        } else {
+            throw CredentialLoadError.jsonLoadError
+        }
+    }
+
+    // Initializer to load from a file path
+    public init(fromFilePath path: String) throws {
+        let decoder = JSONDecoder()
+        decoder.keyDecodingStrategy = .convertFromSnakeCase
+        if let contents = try String(contentsOfFile: path).data(using: .utf8) {
+            self = try decoder.decode(ImpersonatedServiceAccountCredentials.self, from: contents)
+        } else {
+            throw CredentialLoadError.fileLoadError(path)
+        }
+    }
+}
+
+
 public class OAuthCredentialLoader {
     public static func getRefreshableToken(credentials: GoogleCloudCredentialsConfiguration,
                                            withConfig config: GoogleCloudAPIConfiguration,
@@ -86,6 +123,13 @@ public class OAuthCredentialLoader {
                                        eventLoop: eventLoop)
         }
 
+        if let impersonatedServiceAccount = credentials.impersonatedServiceAccountCredentials {
+            return OAuthImpersonatedServiceAccount(credentials: impersonatedServiceAccount,
+                                       scopes: config.scope,
+                                       httpClient: client,
+                                       eventLoop: eventLoop)
+        }
+        
         // Check Default application credentials next.
         if let appDefaultCredentials = credentials.applicationDefaultCredentials {
             return OAuthApplicationDefault(credentials: appDefaultCredentials,

Core/Sources/Configuration/GoogleCloudCredentialsConfiguration.swift

@@ -10,6 +10,7 @@ import Foundation
 public struct GoogleCloudCredentialsConfiguration {
     public let project: String?
     public var serviceAccountCredentials: GoogleServiceAccountCredentials?
+    public var impersonatedServiceAccountCredentials: ImpersonatedServiceAccountCredentials?
     public var applicationDefaultCredentials: GoogleApplicationDefaultCredentials?
 
     public init(projectId: String? = nil, credentialsFile: String? = nil) throws {
@@ -32,6 +33,12 @@ public struct GoogleCloudCredentialsConfiguration {
             self.serviceAccountCredentials = try? GoogleServiceAccountCredentials(fromJsonString: serviceAccountCredentialsPath)
         }
 
+        if let impersonatedServiceaccount = try? ImpersonatedServiceAccountCredentials(fromFilePath: serviceAccountCredentialsPath) {
+            self.impersonatedServiceAccountCredentials = impersonatedServiceaccount
+        } else {
+            self.impersonatedServiceAccountCredentials = try? ImpersonatedServiceAccountCredentials(fromJsonString: serviceAccountCredentialsPath)
+        }
+        
         if let defaultcredentials = try? GoogleApplicationDefaultCredentials(fromFilePath: serviceAccountCredentialsPath) {
             self.applicationDefaultCredentials = defaultcredentials
         } else {

Core/Sources/Configuration/GoogleCloudError.swift

@@ -25,17 +25,19 @@ enum CredentialLoadError: GoogleCloudError {
 
 enum OauthRefreshError: GoogleCloudError {
     case noResponse(HTTPResponseStatus)
+    case invalidExpiryDate
 
     var localizedDescription: String {
         switch self {
         case .noResponse(let status):
             return "A request to the OAuth authorization server failed with response status \(status.code)."
+        case .invalidExpiryDate:
+            return "Authorization server returned an invalid expiry"
         }
     }
 }
 
 
-
 public struct GoogleCloudAPIErrorMain: GoogleCloudError, GoogleCloudModel {
     /// A container for the error information.
     public var error: GoogleCloudAPIErrorBody

Core/Sources/Configuration/OAuth/OAuthApplicationDefault.swift

@@ -13,12 +13,26 @@ import Foundation
 
 public class OAuthApplicationDefault: OAuthRefreshable {
     let httpClient: HTTPClient
-    let credentials: GoogleApplicationDefaultCredentials
+    let clientId: String
+    let clientSecret: String
+    let refreshToken: String
+    
     private let decoder = JSONDecoder()
     private let eventLoop: EventLoop
 
     init(credentials: GoogleApplicationDefaultCredentials, httpClient: HTTPClient, eventLoop: EventLoop) {
-        self.credentials = credentials
+        self.clientId = credentials.clientId
+        self.clientSecret = credentials.clientSecret
+        self.refreshToken = credentials.refreshToken
+        self.httpClient = httpClient
+        self.eventLoop = eventLoop
+        decoder.keyDecodingStrategy = .convertFromSnakeCase
+    }
+    
+    init(clientId: String, clientSecret:String, refreshToken:String, httpClient: HTTPClient, eventLoop: EventLoop) {
+        self.clientId = clientId
+        self.clientSecret = clientSecret
+        self.refreshToken = refreshToken
         self.httpClient = httpClient
         self.eventLoop = eventLoop
         decoder.keyDecodingStrategy = .convertFromSnakeCase
@@ -29,7 +43,7 @@ public class OAuthApplicationDefault: OAuthRefreshable {
         do {
             let headers: HTTPHeaders = ["Content-Type": "application/x-www-form-urlencoded"]
 
-            let body: HTTPClient.Body = .string("client_id=\(credentials.clientId)&client_secret=\(credentials.clientSecret)&refresh_token=\(credentials.refreshToken)&grant_type=refresh_token")
+            let body: HTTPClient.Body = .string("client_id=\(clientId)&client_secret=\(clientSecret)&refresh_token=\(refreshToken)&grant_type=refresh_token")
 
             let request = try HTTPClient.Request(url: GoogleOAuthTokenUrl, method: .POST, headers: headers, body: body)
 

Core/Sources/Configuration/OAuth/OAuthImpersonated.swift

@@ -0,0 +1,97 @@
+import Foundation
+import NIOHTTP1
+import AsyncHTTPClient
+import Foundation
+import NIO
+
+struct ImpersonateTokenResponse: Decodable {
+    let accessToken: String
+    let expireTime: String
+}
+
+public class OAuthImpersonatedServiceAccount: OAuthRefreshable {
+    let httpClient: HTTPClient
+    let credentials: ImpersonatedServiceAccountCredentials
+    let tokenLifetimeSeconds: Int?
+    public let scope: String
+    private let decoder = JSONDecoder()
+    private let eventLoop: EventLoop
+
+    init(credentials: ImpersonatedServiceAccountCredentials, scopes: [GoogleCloudAPIScope], httpClient: HTTPClient, eventLoop: EventLoop, tokenLifetimeSeconds: Int? = nil) {
+        self.credentials = credentials
+        self.scope = scopes.map { $0.value }.joined(separator: " ")
+        self.httpClient = httpClient
+        self.eventLoop = eventLoop
+        self.tokenLifetimeSeconds = tokenLifetimeSeconds
+        decoder.keyDecodingStrategy = .convertFromSnakeCase
+    }
+
+    public func refresh() -> EventLoopFuture<OAuthAccessToken> {
+
+        let tokenRefresher = OAuthApplicationDefault(
+            clientId: credentials.sourceCredentials.clientId,
+            clientSecret: credentials.sourceCredentials.clientSecret,
+            refreshToken: credentials.sourceCredentials.refreshToken,
+            httpClient: httpClient,
+            eventLoop: eventLoop)
+        
+        // Use flatMap to handle the future returned by tokenRefresher.refresh()
+        return tokenRefresher.refresh().flatMap { accessToken in
+            do {
+                // Construct the request body
+                let lifetimeString = "\(self.tokenLifetimeSeconds ?? 3600)s"
+                let requestBody: [String: Any] = [
+                    "lifetime": lifetimeString,
+                    "scope": self.scope,
+                    "delegates": self.credentials.delegates
+                ]
+                
+                let requestBodyData = try JSONSerialization.data(withJSONObject: requestBody, options: [])
+                
+                // Prepare the HTTP request
+                let authToken = "Bearer \(accessToken.accessToken)"
+                let headers: HTTPHeaders = ["Content-Type": "application/json", "Authorization": authToken]
+                
+                let request = try HTTPClient.Request(
+                    url: self.credentials.serviceAccountImpersonationUrl,
+                    method: .POST,
+                    headers: headers,
+                    body: .data(requestBodyData)
+                )
+                
+                // Execute the request
+                return self.httpClient.execute(request: request, eventLoop: .delegate(on: self.eventLoop)).flatMap { response in
+                    
+                    guard var byteBuffer = response.body,
+                          let responseData = byteBuffer.readData(length: byteBuffer.readableBytes),
+                          response.status == .ok else {
+                        return self.eventLoop.makeFailedFuture(OauthRefreshError.noResponse(response.status))
+                    }
+                    
+                    do {
+                        let accessTokenResponse = try self.decoder.decode(ImpersonateTokenResponse.self, from: responseData)
+                        // Parse expiry time
+                        guard let expiry = ISO8601DateFormatter().date(from: accessTokenResponse.expireTime) else {
+                            return self.eventLoop.makeFailedFuture(OauthRefreshError.invalidExpiryDate)
+                        }
+                        let currentDate = Date()
+                        let expiresIn = Int(expiry.timeIntervalSince(currentDate))
+                        
+                        let oauthAccessToken = OAuthAccessToken(
+                            accessToken: accessTokenResponse.accessToken,
+                            tokenType: "Bearer",
+                            expiresIn: expiresIn
+                        )
+                        
+                        return self.eventLoop.makeSucceededFuture(oauthAccessToken)
+                    } catch {
+                        return self.eventLoop.makeFailedFuture(error)
+                    }
+                }
+            } catch {
+                return self.eventLoop.makeFailedFuture(error)
+            }
+        }
+    }
+
+}