5a24ba4a
Commit
5a24ba4a
authored
Feb 26, 2021
by
Diego Molteni
fixed downscope token
parent
9a8d3c0f
src/cloud/providers/google/credentials.ts
...
...
@@ -30,6 +30,7 @@ interface IDownScopedToken {
access_token
:
string
;
token_type
:
string
;
issued_token_type
:
string
;
expires_in
:
string
;
}
const
KExpiresMargin
=
300
;
// 5 minutes
...
...
@@ -40,12 +41,15 @@ export class Credentials extends AbstractCredentials {
public
async
getStorageCredentials
(
tenant
:
string
,
subproject
:
string
,
bucket
:
string
,
readonly
:
boolean
,
_partition
:
string
):
Promise
<
IAccessTokenModel
>
{
const
serviceAccessToken
=
await
this
.
getServiceAccountAccessToken
(
false
);
const
serviceAccessTokenDownscoped
=
await
this
.
exchangeJwtWithDownScopedAccessToken
(
serviceAccessToken
.
access_token
,
bucket
,
readonly
);
return
{
access_token
:
(
await
this
.
exchangeJwtWithDownScopedAccessToken
(
(
await
this
.
getServiceAccountAccessToken
()).
access_token
,
bucket
,
readonly
)).
access_token
,
expires_in
:
3599
,
token_type
:
'
Bearer
'
,
access_token
:
serviceAccessTokenDownscoped
.
access_token
,
expires_in
:
+
serviceAccessTokenDownscoped
.
expires_in
,
token_type
:
serviceAccessTokenDownscoped
.
token_type
,
};
}
...
...
@@ -54,20 +58,20 @@ export class Credentials extends AbstractCredentials {
try
{
return
JSON
.
parse
(
await
request
.
post
({
form
:
{
access_boundary
:
JSON
.
stringify
({
accessBoundaryRules
:
[{
availablePermissions
:
[
'
inRole:roles/
'
+
(
readonly
?
'
storage.objectViewer
'
:
'
storage.objectAdmin
'
)
],
availableResource
:
'
//storage.googleapis.com/projects/_/buckets/
'
+
bucket
,
}],
}),
grant_type
:
'
urn:ietf:params:oauth:grant-type:token-exchange
'
,
requested_token_type
:
'
urn:ietf:params:oauth:token-type:access_token
'
,
subject_token
:
accessToken
,
subject_token_type
:
'
urn:ietf:params:oauth:token-type:access_token
'
,
access_boundary
:
JSON
.
stringify
({
accessBoundaryRules
:
[{
availablePermissions
:
[
'
inRole:roles/
'
+
(
readonly
?
'
storage.objectViewer
'
:
'
storage.objectAdmin
'
)],
availableResource
:
'
//storage.googleapis.com/projects/_/buckets/
'
+
bucket
,
}],
}),
grant_type
:
'
urn:ietf:params:oauth:grant-type:token-exchange
'
,
requested_token_type
:
'
urn:ietf:params:oauth:token-type:access_token
'
,
subject_token
:
accessToken
,
subject_token_type
:
'
urn:ietf:params:oauth:token-type:access_token
'
,
},
headers
:
{
'
Content-Type
'
:
'
application/x-www-form-urlencoded
'
,
'
Content-Type
'
:
'
application/x-www-form-urlencoded
'
,
},
url
:
'
https://securetoken.googleapis.com/v2beta1/token
'
,
}));
...
...
@@ -79,11 +83,11 @@ export class Credentials extends AbstractCredentials {
public
async
getServiceCredentials
():
Promise
<
string
>
{
const
now
=
Math
.
floor
(
Date
.
now
()
/
1000
);
if
(
thi
s
.
serviceAccountIdTokenExpiresIn
>
now
)
{
return
thi
s
.
serviceAccountIdToken
;
if
(
Credential
s
.
serviceAccountIdTokenExpiresIn
>
now
)
{
return
Credential
s
.
serviceAccountIdToken
;
}
thi
s
.
serviceAccountEmail
=
await
this
.
getServiceAccountEmail
();
Credential
s
.
serviceAccountEmail
=
await
this
.
getServiceAccountEmail
();
const
svcToken
=
(
await
this
.
getServiceAccountAccessToken
()).
access_token
;
const
options
=
{
...
...
@@ -92,7 +96,7 @@ export class Credentials extends AbstractCredentials {
aud
:
ConfigGoogle
.
GOOGLE_EP_OAUTH2
+
'
/token
'
,
exp
:
(
now
+
3600
),
iat
:
now
,
iss
:
thi
s
.
serviceAccountEmail
,
iss
:
Credential
s
.
serviceAccountEmail
,
target_audience
:
ConfigGoogle
.
DES_SERVICE_TARGET_AUDIENCE
,
}),
},
...
...
@@ -101,18 +105,18 @@ export class Credentials extends AbstractCredentials {
'
Content-Type
'
:
'
application/json
'
,
},
url
:
ConfigGoogle
.
GOOGLE_EP_IAM
+
'
/projects/
'
+
ConfigGoogle
.
SERVICE_CLOUD_PROJECT
+
'
/serviceAccounts/
'
+
thi
s
.
serviceAccountEmail
+
'
:signJwt
'
,
ConfigGoogle
.
SERVICE_CLOUD_PROJECT
+
'
/serviceAccounts/
'
+
Credential
s
.
serviceAccountEmail
+
'
:signJwt
'
,
};
try
{
const
idToken
=
await
this
.
signJWT
(
JSON
.
parse
(
await
request
.
post
(
options
)).
signedJwt
)
as
IDTokenModel
;
thi
s
.
serviceAccountIdToken
=
idToken
.
id_token
;
thi
s
.
serviceAccountIdTokenExpiresIn
=
Utils
.
getExpTimeFromPayload
(
thi
s
.
serviceAccountIdToken
)
-
KExpiresMargin
;
Credential
s
.
serviceAccountIdToken
=
idToken
.
id_token
;
Credential
s
.
serviceAccountIdTokenExpiresIn
=
Utils
.
getExpTimeFromPayload
(
Credential
s
.
serviceAccountIdToken
)
-
KExpiresMargin
;
return
thi
s
.
serviceAccountIdToken
;
return
Credential
s
.
serviceAccountIdToken
;
}
catch
(
error
)
{
throw
(
Error
.
makeForHTTPRequest
(
error
));
...
...
@@ -120,11 +124,12 @@ export class Credentials extends AbstractCredentials {
}
public
async
getServiceAccountAccessToken
():
Promise
<
IAccessTokenModel
>
{
public
async
getServiceAccountAccessToken
(
useCached
=
true
):
Promise
<
IAccessTokenModel
>
{
const
now
=
Math
.
floor
(
Date
.
now
()
/
1000
);
if
(
this
.
serviceAccountAccessToken
&&
this
.
serviceAccountAccessTokenExpiresIn
>
now
)
{
return
this
.
serviceAccountAccessToken
;
if
(
useCached
&&
Credentials
.
serviceAccountAccessToken
&&
Credentials
.
serviceAccountAccessTokenExpiresIn
>
now
)
{
return
Credentials
.
serviceAccountAccessToken
;
}
if
(
ConfigGoogle
.
SERVICE_IDENTITY_PRIVATE_KEY
)
{
...
...
@@ -142,10 +147,10 @@ export class Credentials extends AbstractCredentials {
},
});
thi
s
.
serviceAccountAccessToken
=
await
this
.
signJWT
(
jwt
)
as
IAccessTokenModel
;
thi
s
.
serviceAccountAccessTokenExpiresIn
=
Math
.
floor
(
Date
.
now
()
/
1000
)
+
thi
s
.
serviceAccountAccessToken
.
expires_in
-
KExpiresMargin
;
return
thi
s
.
serviceAccountAccessToken
;
Credential
s
.
serviceAccountAccessToken
=
await
this
.
signJWT
(
jwt
)
as
IAccessTokenModel
;
Credential
s
.
serviceAccountAccessTokenExpiresIn
=
Math
.
floor
(
Date
.
now
()
/
1000
)
+
Credential
s
.
serviceAccountAccessToken
.
expires_in
-
KExpiresMargin
;
return
Credential
s
.
serviceAccountAccessToken
;
}
const
options
=
{
...
...
@@ -154,10 +159,10 @@ export class Credentials extends AbstractCredentials {
};
try
{
thi
s
.
serviceAccountAccessToken
=
JSON
.
parse
(
await
request
.
get
(
options
));
thi
s
.
serviceAccountAccessTokenExpiresIn
=
Math
.
floor
(
Date
.
now
()
/
1000
)
+
thi
s
.
serviceAccountAccessToken
.
expires_in
-
KExpiresMargin
;
return
thi
s
.
serviceAccountAccessToken
;
Credential
s
.
serviceAccountAccessToken
=
JSON
.
parse
(
await
request
.
get
(
options
));
Credential
s
.
serviceAccountAccessTokenExpiresIn
=
Math
.
floor
(
Date
.
now
()
/
1000
)
+
Credential
s
.
serviceAccountAccessToken
.
expires_in
-
KExpiresMargin
;
return
Credential
s
.
serviceAccountAccessToken
;
}
catch
(
error
)
{
throw
(
Error
.
makeForHTTPRequest
(
error
));
}
...
...
@@ -165,11 +170,11 @@ export class Credentials extends AbstractCredentials {
public
async
getServiceAccountEmail
():
Promise
<
string
>
{
if
(
thi
s
.
serviceAccountEmail
)
{
return
thi
s
.
serviceAccountEmail
;
}
if
(
Credential
s
.
serviceAccountEmail
)
{
return
Credential
s
.
serviceAccountEmail
;
}
if
(
ConfigGoogle
.
SERVICE_IDENTITY_EMAIL
)
{
thi
s
.
serviceAccountEmail
=
ConfigGoogle
.
SERVICE_IDENTITY_EMAIL
;
return
thi
s
.
serviceAccountEmail
;
Credential
s
.
serviceAccountEmail
=
ConfigGoogle
.
SERVICE_IDENTITY_EMAIL
;
return
Credential
s
.
serviceAccountEmail
;
}
const
options
=
{
...
...
@@ -198,11 +203,11 @@ export class Credentials extends AbstractCredentials {
}
// cache the services tokens
private
serviceAccountEmail
:
string
;
private
serviceAccountAccessToken
:
IAccessTokenModel
;
private
serviceAccountAccessTokenExpiresIn
=
0
;
private
serviceAccountIdToken
:
string
;
private
serviceAccountIdTokenExpiresIn
=
0
;
private
static
serviceAccountEmail
:
string
;
private
static
serviceAccountAccessToken
:
IAccessTokenModel
;
private
static
serviceAccountAccessTokenExpiresIn
=
0
;
private
static
serviceAccountIdToken
:
string
;
private
static
serviceAccountIdTokenExpiresIn
=
0
;
public
async
signJWT
(
jwt
:
string
):
Promise
<
IDTokenModel
|
IAccessTokenModel
>
{
...
...
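Review bot: `expires_in: +serviceAccessTokenDownscoped.expires_in` in getStorageCredentials trusts that the token-exchange response carries `expires_in`; IDownScopedToken declares it as a string, and if the field is absent or not numeric the unary plus silently yields NaN, which then flows into the returned IAccessTokenModel and into any expiry arithmetic a caller does on it. I would convert and validate explicitly, `const expiresIn = Number(serviceAccessTokenDownscoped.expires_in);` followed by `if (!Number.isFinite(expiresIn) || expiresIn <= 0)` rejecting the response through the file's existing error path, and return `expiresIn` in the object. Separately, the caches moved to `private static` fields are shared by every Credentials instance in the process and are not keyed by anything, while `_partition` is unused in getStorageCredentials, so if a process could ever serve more than one service identity that assumption should be stated on the fields, e.g. `// process-wide cache: assumes a single service identity per process`. Note also that `getServiceAccountAccessToken(false)` still overwrites the shared static cache on every call, so each storage-credential request refreshes the token for all other callers; this looks intentional but deserves a one-line comment at the `useCached` check. The Credentials class begins and ends outside the shown hunks.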