go sample app to test id_tokens with "require google.golang.org/api v0.44.0-impersonate-preview"
package main | |
import ( | |
"fmt" | |
"io/ioutil" | |
"log" | |
"net/http" | |
"os" | |
"cloud.google.com/go/storage" | |
"golang.org/x/oauth2" | |
"google.golang.org/api/impersonate" | |
"google.golang.org/api/iterator" | |
"google.golang.org/api/option" | |
"crypto/tls" | |
pb "echo" | |
"io" | |
"time" | |
admin "google.golang.org/api/admin/directory/v1" | |
"golang.org/x/net/context" | |
"google.golang.org/grpc" | |
"google.golang.org/grpc/credentials" | |
"google.golang.org/grpc/credentials/oauth" | |
"google.golang.org/grpc/metadata" | |
) | |
// grpcTokenSource embeds an oauth.TokenSource and carries two extra string
// fields intended as request headers. Nothing else in this file appears to
// reference it; the gRPC section below passes oauth.TokenSource directly.
type grpcTokenSource struct {
	oauth.TokenSource
	// Additional metadata attached as headers.
	quotaProject  string // presumably the X-Goog-User-Project value — not wired up here
	requestReason string // presumably the X-Goog-Request-Reason value — not wired up here
}
// scopes are the OAuth2 scopes requested for the plain access-token test
// (the GCS bucket listing): the caller's e-mail plus cloud-platform access.
var scopes = []string{
	"https://www.googleapis.com/auth/userinfo.email",
	"https://www.googleapis.com/auth/cloud-platform",
}
// Identifiers for the access-token (GCS) and IAP id_token tests.
const (
	projectID           = "fabled-ray-104117"
	iapHost             = "https://fabled-ray-104117.appspot.com/"
	impersonatedAccount = "impersonated-account@fabled-ray-104117.iam.gserviceaccount.com"
	iapAudience         = "248066739582-e5nl93thh4sglii6joampni57ldb6i1h.apps.googleusercontent.com"
)

// Identifiers for the gRPC id_token test (API Gateway backend).
const (
	grpcImpersonatedAccount = "gateway-client-sa@mineral-minutia-820.iam.gserviceaccount.com"
	grpcAudience            = "grpcs://grpc-gateway-1"
	grpcHost                = "grpc-gateway-1-do52xz04.uc.gateway.dev"
)

// Identifiers for the domain-wide-delegation (Admin SDK) test.
const (
	dwdTargetAccount = "adminapi@fooo.iam.gserviceaccount.com"
	dwdUser          = "admin@blah.com"
	cx               = "C023zw3y9" // Admin SDK customer id
)
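// main runs four impersonated-credential checks in sequence: a
// domain-wide-delegated access token (Admin SDK), a plain access token
// (GCS bucket listing), an ID token against an IAP-protected host, and an
// ID token used as gRPC per-RPC credentials. Each check is its own helper
// returning an error, so a failure unwinds that helper's deferred Close
// calls before the process exits (a log.Fatal inside main would skip them).
func main() {
	ctx := context.Background()

	steps := []struct {
		name string
		run  func(context.Context) error
	}{
		{"domain-wide delegation", testDomainWideDelegation},
		{"storage access_token", testStorage},
		{"IAP id_token", testIAP},
		{"gRPC id_token", testGRPC},
	}
	for _, s := range steps {
		if err := s.run(ctx); err != nil {
			log.Printf("%s: %v", s.name, err)
			os.Exit(1)
		}
	}
}

// testDomainWideDelegation mints a delegated token for dwdUser through
// dwdTargetAccount and lists up to ten directory users for customer cx.
func testDomainWideDelegation(ctx context.Context) error {
	dwdScopes := []string{admin.AdminDirectoryUserReadonlyScope, admin.AdminDirectoryGroupReadonlyScope}
	dwdts, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
		TargetPrincipal: dwdTargetAccount,
		Scopes:          dwdScopes,
		Subject:         dwdUser,
	})
	if err != nil {
		return fmt.Errorf("creating impersonated token source: %w", err)
	}
	// NewService with a token source replaces the deprecated admin.New(httpClient).
	adminService, err := admin.NewService(ctx, option.WithTokenSource(dwdts))
	if err != nil {
		return fmt.Errorf("creating admin directory service: %w", err)
	}
	usersReport, err := adminService.Users.List().Customer(cx).MaxResults(10).OrderBy("email").Do()
	if err != nil {
		return fmt.Errorf("listing users: %w", err)
	}
	if len(usersReport.Users) == 0 {
		fmt.Print("No users found.\n")
		return nil
	}
	fmt.Print("Users:\n")
	for _, u := range usersReport.Users {
		// Name is a pointer in the generated API type; guard the dereference.
		fullName := ""
		if u.Name != nil {
			fullName = u.Name.FullName
		}
		fmt.Printf("%s (%s)\n", u.PrimaryEmail, fullName)
	}
	return nil
}

// testStorage mints a plain impersonated access token and lists the buckets
// of projectID with it.
func testStorage(ctx context.Context) error {
	ts, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
		TargetPrincipal: impersonatedAccount,
		Scopes:          scopes,
	})
	if err != nil {
		return fmt.Errorf("creating impersonated token source: %w", err)
	}
	tok, err := ts.Token()
	if err != nil {
		return fmt.Errorf("fetching access token: %w", err)
	}
	// Log token metadata only: a bearer token written to the process log is a
	// live credential until it expires (and logs are often retained longer).
	log.Printf("access_token obtained: type=%s expires=%v", tok.TokenType, tok.Expiry)
	storageClient, err := storage.NewClient(ctx, option.WithTokenSource(ts))
	if err != nil {
		return fmt.Errorf("creating storage client: %w", err)
	}
	defer storageClient.Close()
	sit := storageClient.Buckets(ctx, projectID)
	for {
		battrs, err := sit.Next()
		if err == iterator.Done {
			break
		}
		if err != nil {
			return fmt.Errorf("iterating buckets: %w", err)
		}
		// Bucket names come from the API; never pass them as the format string.
		log.Printf("bucket: %s", battrs.Name)
	}
	return nil
}

// testIAP mints an ID token for iapAudience and performs one authenticated
// GET against iapHost, logging the status and body.
func testIAP(ctx context.Context) error {
	idTokenSource, err := impersonate.IDTokenSource(ctx, impersonate.IDTokenConfig{
		TargetPrincipal: impersonatedAccount,
		Audience:        iapAudience,
		IncludeEmail:    true,
	})
	if err != nil {
		return fmt.Errorf("creating id token source: %w", err)
	}
	idtok, err := idTokenSource.Token()
	if err != nil {
		return fmt.Errorf("fetching id token: %w", err)
	}
	// Metadata only; see testStorage for why the token itself is not logged.
	log.Printf("id_token obtained for audience %s: expires=%v", iapAudience, idtok.Expiry)
	client := &http.Client{
		Transport: &oauth2.Transport{Source: idTokenSource},
		// Bound the call so a stalled backend cannot hang the whole test run.
		Timeout: 30 * time.Second,
	}
	resp, err := client.Get(iapHost)
	if err != nil {
		return fmt.Errorf("GET %s: %w", iapHost, err)
	}
	defer resp.Body.Close()
	log.Println("Response status:", resp.Status)
	// ioutil.ReadAll forwards to io.ReadAll on Go 1.16+; kept so the import block stays valid.
	bodyBytes, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		return fmt.Errorf("reading response body: %w", err)
	}
	log.Printf("%s", bodyBytes)
	return nil
}

// testGRPC mints an ID token for grpcAudience, dials grpcHost over TLS with
// the token as per-RPC credentials, then exercises a unary and a streaming
// Echo RPC.
// See https://github.com/salrashid123/cloud_run_grpc_auth
func testGRPC(ctx context.Context) error {
	gRPCidTokenSource, err := impersonate.IDTokenSource(ctx, impersonate.IDTokenConfig{
		TargetPrincipal: grpcImpersonatedAccount,
		Audience:        grpcAudience,
		IncludeEmail:    true,
	})
	if err != nil {
		return fmt.Errorf("creating id token source: %w", err)
	}
	grpcIdtok, err := gRPCidTokenSource.Token()
	if err != nil {
		return fmt.Errorf("fetching id token: %w", err)
	}
	log.Printf("id_token obtained for audience %s: expires=%v", grpcAudience, grpcIdtok.Expiry)
	tlsCfg := &tls.Config{
		ServerName: grpcHost,
		MinVersion: tls.VersionTLS12,
	}
	conn, err := grpc.Dial(grpcHost+":443",
		grpc.WithTransportCredentials(credentials.NewTLS(tlsCfg)),
		// oauth.TokenSource requires transport security, which the TLS creds above provide.
		grpc.WithPerRPCCredentials(oauth.TokenSource{TokenSource: gRPCidTokenSource}),
	)
	if err != nil {
		return fmt.Errorf("did not connect: %w", err)
	}
	defer conn.Close()
	c := pb.NewEchoServerClient(conn)
	testMetadata := metadata.MD{
		"sal":  []string{"value1"},
		"key2": []string{"value2"},
	}
	rpcCtx := metadata.NewOutgoingContext(ctx, testMetadata)
	var header, trailer metadata.MD
	for i := 0; i < 10; i++ {
		r, err := c.SayHello(rpcCtx, &pb.EchoRequest{Name: "unary RPC msg "}, grpc.Header(&header), grpc.Trailer(&trailer))
		if err != nil {
			return fmt.Errorf("could not greet: %w", err)
		}
		time.Sleep(1 * time.Second)
		log.Printf("RPC Response: %v %v", i, r)
	}
	stream, err := c.SayHelloStream(rpcCtx, &pb.EchoRequest{Name: "Stream RPC msg"}, grpc.Header(&header))
	if err != nil {
		return fmt.Errorf("SayHelloStream(_) = _, %w", err)
	}
	for {
		m, err := stream.Recv()
		if err == io.EOF {
			break
		}
		if err != nil {
			return fmt.Errorf("SayHelloStream(_) = _, %w", err)
		}
		log.Printf("Message: %s", m.Message)
	}
	return nil
}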