From c570a7cd272e3fa4f18e29b7bd2714d1f87f7203 Mon Sep 17 00:00:00 2001 From: Reed Kinning Date: Fri, 9 Jul 2021 12:09:31 -0400 Subject: [PATCH 1/2] enable gcp auth Signed-off-by: Reed Kinning --- commands/check.go | 6 ++++++ go.mod | 1 + go.sum | 3 +++ types.go | 20 ++++++++++++++++++++ 4 files changed, 30 insertions(+) diff --git a/commands/check.go b/commands/check.go index 646ffba..09492a0 100644 --- a/commands/check.go +++ b/commands/check.go @@ -49,6 +49,12 @@ func (c *Check) Execute() error { return fmt.Errorf("invalid payload: %s", err) } + if req.Source.GcpAuth { + if !req.Source.AuthenticateToGCP() { + return fmt.Errorf("cannot authenticate with GCP") + } + } + if req.Source.AwsAccessKeyId != "" && req.Source.AwsSecretAccessKey != "" && req.Source.AwsRegion != "" { if !req.Source.AuthenticateToECR() { return fmt.Errorf("cannot authenticate with ECR") diff --git a/go.mod b/go.mod index 67baa5a..b8a6a0a 100644 --- a/go.mod +++ b/go.mod @@ -20,6 +20,7 @@ require ( github.com/spf13/viper v1.7.0 // indirect github.com/vbauerster/mpb v3.4.0+incompatible golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a // indirect + golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect gopkg.in/ini.v1 v1.56.0 // indirect ) diff --git a/go.sum b/go.sum index 60567db..e87fc89 100644 --- a/go.sum +++ b/go.sum @@ -10,6 +10,7 @@ cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= +cloud.google.com/go v0.57.0 h1:EpMNVUorLiZIELdMZbCYX/ByTFCdoYopYAGxaGVz9ms= cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= @@ -541,6 +542,7 @@ golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAG golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -668,6 +670,7 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.6 h1:lMO5rYAqUxkmaj76jAkRUvt5JZgFymx/+Q5Mzfivuhc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= diff --git a/types.go b/types.go index 9f77514..ed71d4f 100644 --- a/types.go +++ b/types.go @@ -24,6 +24,7 @@ import ( "github.com/google/go-containerregistry/pkg/v1/remote" "github.com/google/go-containerregistry/pkg/v1/remote/transport" "github.com/sirupsen/logrus" + "golang.org/x/oauth2/google" ) type CheckRequest struct { @@ -95,6 +96,8 @@ type Source struct { DomainCerts []string `json:"ca_certs,omitempty"` Debug bool `json:"debug,omitempty"` + + GcpAuth bool `json:"gcp_auth,omitempty"` } func (source Source) Mirror() (Source, bool, error) { @@ -277,6 +280,23 @@ func (source *Source) Metadata() []MetadataField { } } +func (source *Source) AuthenticateToGCP() bool { + logrus.Warnln("GCP integration is experimental and untested") + logrus.Info("Using GCP service account credentials to authenticate to GCP") + + oauthToken := google.ComputeTokenSource("") + token, err := oauthToken.Token() + + if err != nil || token == nil { + logrus.Errorf("Failed to get access token for GCP: %s", err) + return false + } + + source.Username = "oauth2accesstoken" + source.Password = token.AccessToken + return true +} + func (source *Source) AuthenticateToECR() bool { logrus.Warnln("ECR integration is experimental and untested") From 743050aa47540eb636f15d6ca532275a3be48f39 Mon Sep 17 00:00:00 2001 From: Reed Kinning Date: Tue, 13 Jul 2021 14:33:45 -0400 Subject: [PATCH 2/2] add gcp flag to `in` and `out`, pull out token source as var Signed-off-by: Reed Kinning --- commands/check.go | 4 ++-- commands/in.go | 6 ++++++ commands/out.go | 6 ++++++ types.go | 6 +++--- 4 files changed, 17 insertions(+), 5 deletions(-) diff --git a/commands/check.go b/commands/check.go index 09492a0..5a37f16 100644 --- a/commands/check.go +++ b/commands/check.go @@ -49,8 +49,8 @@ func (c *Check) Execute() error { return fmt.Errorf("invalid payload: %s", err) } - if req.Source.GcpAuth { - if !req.Source.AuthenticateToGCP() { + if req.Source.GcpTokenSource != nil { + if !req.Source.AuthenticateToGCP(*req.Source.GcpTokenSource) { return fmt.Errorf("cannot authenticate with GCP") } } diff --git a/commands/in.go b/commands/in.go index cbffa4e..e91b6ac 100644 --- a/commands/in.go +++ b/commands/in.go @@ -65,6 +65,12 @@ func (i *In) Execute() error { dest := i.args[1] + if req.Source.GcpTokenSource != nil { + if !req.Source.AuthenticateToGCP(*req.Source.GcpTokenSource) { + return fmt.Errorf("cannot authenticate with GCP") + } + } + if req.Source.AwsAccessKeyId != "" && req.Source.AwsSecretAccessKey != "" && req.Source.AwsRegion != "" { if !req.Source.AuthenticateToECR() { return fmt.Errorf("cannot authenticate with ECR") diff --git a/commands/out.go b/commands/out.go index 03a8fa1..d3d837f 100644 --- a/commands/out.go +++ b/commands/out.go @@ -62,6 +62,12 @@ func (o *Out) Execute() error { src := o.args[1] + if req.Source.GcpTokenSource != nil { + if !req.Source.AuthenticateToGCP(*req.Source.GcpTokenSource) { + return fmt.Errorf("cannot authenticate with GCP") + } + } + if req.Source.AwsAccessKeyId != "" && req.Source.AwsSecretAccessKey != "" && req.Source.AwsRegion != "" { if !req.Source.AuthenticateToECR() { return fmt.Errorf("cannot authenticate with ECR") diff --git a/types.go b/types.go index ed71d4f..1e5199e 100644 --- a/types.go +++ b/types.go @@ -97,7 +97,7 @@ type Source struct { Debug bool `json:"debug,omitempty"` - GcpAuth bool `json:"gcp_auth,omitempty"` + GcpTokenSource *string `json:"gcp_token_source,omitempty"` } func (source Source) Mirror() (Source, bool, error) { @@ -280,11 +280,11 @@ func (source *Source) Metadata() []MetadataField { } } -func (source *Source) AuthenticateToGCP() bool { +func (source *Source) AuthenticateToGCP(tokenSource string) bool { logrus.Warnln("GCP integration is experimental and untested") logrus.Info("Using GCP service account credentials to authenticate to GCP") - oauthToken := google.ComputeTokenSource("") + oauthToken := google.ComputeTokenSource(tokenSource) token, err := oauthToken.Token() if err != nil || token == nil {