Go sample app to test id_tokens with "require google.golang.org/api v0.44.0-impersonate-preview"
package main
import (
"fmt"
"io/ioutil"
"log"
"net/http"
"os"
"cloud.google.com/go/storage"
"golang.org/x/oauth2"
"google.golang.org/api/impersonate"
"google.golang.org/api/iterator"
"google.golang.org/api/option"
"crypto/tls"
pb "echo"
"io"
"time"
admin "google.golang.org/api/admin/directory/v1"
"golang.org/x/net/context"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/oauth"
"google.golang.org/grpc/metadata"
)
// grpcTokenSource embeds an oauth.TokenSource and carries two extra string
// fields alongside it. No method is defined on this type in this file and
// main does not reference it, so the fields are declared but never read here.
type grpcTokenSource struct {
oauth.TokenSource
// Additional metadata attached as headers.
// NOTE(review): nothing in this file consumes these fields — presumably
// intended for the x-goog-user-project / x-goog-request-reason headers;
// confirm before relying on them.
quotaProject string
requestReason string
}
// scopes are the OAuth scopes requested for the impersonated access token
// that the Cloud Storage test uses.
var scopes = []string{
	"https://www.googleapis.com/auth/userinfo.email",
	"https://www.googleapis.com/auth/cloud-platform",
}

const (
	// Used by the Cloud Storage and IAP tests.
	projectID           = "fabled-ray-104117"
	iapHost             = "https://fabled-ray-104117.appspot.com/"
	impersonatedAccount = "impersonated-account@fabled-ray-104117.iam.gserviceaccount.com"
	iapAudience         = "248066739582-e5nl93thh4sglii6joampni57ldb6i1h.apps.googleusercontent.com"

	// Used by the gRPC test.
	grpcImpersonatedAccount = "gateway-client-sa@mineral-minutia-820.iam.gserviceaccount.com"
	grpcAudience            = "grpcs://grpc-gateway-1"
	grpcHost                = "grpc-gateway-1-do52xz04.uc.gateway.dev"

	// Used by the domain-wide delegation test.
	dwdTargetAccount = "adminapi@fooo.iam.gserviceaccount.com"
	dwdUser          = "admin@blah.com"
	cx               = "C023zw3y9"
)
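// main runs four credential checks in sequence and exits with status 1 at
// the first failure:
//
//  1. an access token minted via domain-wide delegation, used to list users;
//  2. an impersonated access token, used to list Cloud Storage buckets;
//  3. an impersonated ID token, used to GET an IAP-protected host;
//  4. an impersonated ID token, used as per-RPC credentials over gRPC.
//
// Each step lives in its own helper so that its deferred Close calls run as
// soon as the step finishes — a defer in main never fires when the process
// exits through log.Fatal or os.Exit.
func main() {
	ctx := context.Background()

	steps := []struct {
		name string
		fn   func(context.Context) error
	}{
		{"domain-wide delegation", testDomainWideDelegation},
		{"storage access", testStorageAccess},
		{"IAP access", testIAPAccess},
		{"gRPC access", testGRPCAccess},
	}
	for _, step := range steps {
		if err := step.fn(ctx); err != nil {
			log.Printf("%s: %v", step.name, err)
			os.Exit(1)
		}
	}
}

// testDomainWideDelegation mints an access token for dwdTargetAccount acting
// as dwdUser and lists up to ten users of customer cx, ordered by email.
func testDomainWideDelegation(ctx context.Context) error {
	dwdScopes := []string{admin.AdminDirectoryUserReadonlyScope, admin.AdminDirectoryGroupReadonlyScope}
	// Subject is what makes this domain-wide delegation: the resulting token
	// acts as dwdUser rather than as the service account itself.
	dwdts, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
		TargetPrincipal: dwdTargetAccount,
		Scopes:          dwdScopes,
		Subject:         dwdUser,
	})
	if err != nil {
		return fmt.Errorf("creating impersonated token source: %w", err)
	}
	adminService, err := admin.New(oauth2.NewClient(ctx, dwdts))
	if err != nil {
		// Distinct message: the original reused the token-source wording here,
		// which hid which of the two calls had failed.
		return fmt.Errorf("creating admin directory service: %w", err)
	}
	usersReport, err := adminService.Users.List().Customer(cx).MaxResults(10).OrderBy("email").Do()
	if err != nil {
		return fmt.Errorf("listing users: %w", err)
	}
	if len(usersReport.Users) == 0 {
		fmt.Print("No users found.\n")
		return nil
	}
	fmt.Print("Users:\n")
	for _, u := range usersReport.Users {
		// Name is a pointer in the Directory API model; guard the deref.
		fullName := ""
		if u.Name != nil {
			fullName = u.Name.FullName
		}
		fmt.Printf("%s (%s)\n", u.PrimaryEmail, fullName)
	}
	return nil
}

// testStorageAccess mints an impersonated access token for impersonatedAccount
// with the package-level scopes and lists the buckets of projectID with it.
func testStorageAccess(ctx context.Context) error {
	ts, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
		TargetPrincipal: impersonatedAccount,
		Scopes:          scopes,
	})
	if err != nil {
		return fmt.Errorf("creating impersonated token source: %w", err)
	}
	tok, err := ts.Token()
	if err != nil {
		return fmt.Errorf("fetching access token: %w", err)
	}
	// This is a live bearer credential. The log line exists so the sample can
	// be inspected by hand; it must not survive into anything whose logs
	// leave the machine.
	log.Printf("access_token %v", tok.AccessToken)

	storageClient, err := storage.NewClient(ctx, option.WithTokenSource(ts))
	if err != nil {
		return fmt.Errorf("creating storage client: %w", err)
	}
	defer storageClient.Close()

	sit := storageClient.Buckets(ctx, projectID)
	for {
		battrs, err := sit.Next()
		if err == iterator.Done {
			return nil
		}
		if err != nil {
			return fmt.Errorf("iterating buckets: %w", err)
		}
		// Println, not Printf: a bucket name is data and must not be parsed
		// for format verbs (the original passed it as the format string).
		log.Println(battrs.Name)
	}
}

// testIAPAccess mints an impersonated ID token for iapAudience and performs a
// GET against iapHost with it as the bearer token, logging status and body.
func testIAPAccess(ctx context.Context) error {
	idTokenSource, err := impersonate.IDTokenSource(ctx, impersonate.IDTokenConfig{
		TargetPrincipal: impersonatedAccount,
		Audience:        iapAudience,
		IncludeEmail:    true,
	})
	if err != nil {
		// The original never checked this error and would have called Token()
		// on a nil source.
		return fmt.Errorf("creating ID token source: %w", err)
	}
	idtok, err := idTokenSource.Token()
	if err != nil {
		return fmt.Errorf("fetching ID token: %w", err)
	}
	// Live bearer credential — see the note in testStorageAccess.
	log.Printf("id_token %v", idtok.AccessToken)

	client := &http.Client{
		Transport: &oauth2.Transport{Source: idTokenSource},
		// Bound the whole round trip; the zero-value client waits forever.
		Timeout: 30 * time.Second,
	}
	resp, err := client.Get(iapHost)
	if err != nil {
		return fmt.Errorf("GET %s: %w", iapHost, err)
	}
	defer resp.Body.Close()

	log.Println("Response status:", resp.Status)
	bodyBytes, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		return fmt.Errorf("reading response body: %w", err)
	}
	log.Printf("%s", bodyBytes)
	return nil
}

// testGRPCAccess mints an impersonated ID token for grpcAudience, dials
// grpcHost over TLS with that token as per-RPC credentials, and exercises the
// unary and streaming echo RPCs.
// See https://github.com/salrashid123/cloud_run_grpc_auth.
func testGRPCAccess(ctx context.Context) error {
	gRPCidTokenSource, err := impersonate.IDTokenSource(ctx, impersonate.IDTokenConfig{
		TargetPrincipal: grpcImpersonatedAccount,
		Audience:        grpcAudience,
		IncludeEmail:    true,
	})
	if err != nil {
		// Same unchecked-error bug as in testIAPAccess in the original.
		return fmt.Errorf("creating ID token source: %w", err)
	}
	grpcIdtok, err := gRPCidTokenSource.Token()
	if err != nil {
		return fmt.Errorf("fetching ID token: %w", err)
	}
	// Live bearer credential — see the note in testStorageAccess.
	log.Printf("id_token %v", grpcIdtok.AccessToken)

	tlsCfg := &tls.Config{
		ServerName: grpcHost,
		// Make the floor explicit instead of relying on library defaults.
		MinVersion: tls.VersionTLS12,
	}
	// oauth.TokenSource requires transport security, so the TLS credentials
	// are what allow grpc to attach the token to each RPC.
	conn, err := grpc.Dial(grpcHost+":443",
		grpc.WithTransportCredentials(credentials.NewTLS(tlsCfg)),
		grpc.WithPerRPCCredentials(oauth.TokenSource{TokenSource: gRPCidTokenSource}),
	)
	if err != nil {
		return fmt.Errorf("dialing %s: %w", grpcHost, err)
	}
	defer conn.Close()

	c := pb.NewEchoServerClient(conn)
	testMetadata := metadata.MD{
		"sal":  []string{"value1"},
		"key2": []string{"value2"},
	}
	rpcCtx := metadata.NewOutgoingContext(ctx, testMetadata)

	var header, trailer metadata.MD
	for i := 0; i < 10; i++ {
		r, err := c.SayHello(rpcCtx, &pb.EchoRequest{Name: "unary RPC msg "}, grpc.Header(&header), grpc.Trailer(&trailer))
		if err != nil {
			return fmt.Errorf("SayHello: %w", err)
		}
		log.Printf("RPC Response: %v %v", i, r)
		time.Sleep(1 * time.Second)
	}

	stream, err := c.SayHelloStream(rpcCtx, &pb.EchoRequest{Name: "Stream RPC msg"}, grpc.Header(&header))
	if err != nil {
		return fmt.Errorf("SayHelloStream: %w", err)
	}
	for {
		m, err := stream.Recv()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return fmt.Errorf("SayHelloStream recv: %w", err)
		}
		log.Printf("Message: %s", m.Message)
	}
}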