internal/auth/auth.go - pkgsite - Git at Google

 // Copyright 2019 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 // Package auth authorizes programs to make HTTP requests to the discovery site.
 package auth

 import (
 	"context"
 	"fmt"
 	"net/http"

 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
 	"golang.org/x/pkgsite/internal/derrors"
 )

 // clientID is the OAuth 2.0 Client ID.
 // See https://cloud.google.com/iap/docs/authentication-howto for more details.
 const clientID = "117187402928-nl3u0qo5l2c2hhsuf2qj8irsfb3l6hfc.apps.googleusercontent.com"

 // NewClient creates an http.Client for accessing go-discovery services.
 // Its argument is the JSON contents of a service account credentials file.
 func NewClient(jsonCreds []byte) (_ *http.Client, err error) {
 	defer derrors.Wrap(&err, "auth.NewClient(jsonCreds)")

 	ts, err := TokenSource(jsonCreds)
 	if err != nil {
 		return nil, err
 	}
 	return oauth2.NewClient(context.Background(), ts), nil
 }

 // TokenSource creates an oauth2.TokenSource for accessing go-discovery services.
 // Its argument is the JSON contents of a service account credentials file.
 func TokenSource(json []byte) (_ oauth2.TokenSource, err error) {
 	defer derrors.Wrap(&err, "auth.TokenSource(jsonCreds)")
 	config, err := google.JWTConfigFromJSON(json)
 	if err != nil {
 		return nil, fmt.Errorf("JWTConfigFromJSON: %v", err)
 	}
 	config.PrivateClaims = map[string]interface{}{"target_audience": clientID}
 	// This is required: the docstring says "specifies whether ID token should be
 	// used instead of access token when the server returns both", but the
 	// implementation says differently.
 	config.UseIDToken = true
 	// Use the background context, in case the token source stores and re-uses it
 	// to refresh the token from a server.
 	return config.TokenSource(context.Background()), nil
 }

 // Header returns a header value (typically a Bearer token) to be used in the
 // HTTP 'Authorization' header.
 func Header(jsonCreds []byte) (_ string, err error) {
 	defer derrors.Wrap(&err, "auth.Header(jsonCreds)")
 	ts, err := TokenSource(jsonCreds)
 	if err != nil {
 		return "", err
 	}
 	token, err := ts.Token()
 	if err != nil {
 		return "", fmt.Errorf("TokenSource.Token(): %v", err)
 	}
 	// This is a dummy request to get the authorization header.
 	req, err := http.NewRequest("GET", "http://localhost", nil)
 	if err != nil {
 		return "", fmt.Errorf("http.NewRequest(): %v", err)
 	}
 	token.SetAuthHeader(req)
 	return req.Header.Get("Authorization"), nil
 }
	// Copyright 2019 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	// Package auth authorizes programs to make HTTP requests to the discovery site.
	package auth

	import (
	"context"
	"fmt"
	"net/http"

	"golang.org/x/oauth2"
	"golang.org/x/oauth2/google"
	"golang.org/x/pkgsite/internal/derrors"
	)

	// clientID is the OAuth 2.0 Client ID.
	// See https://cloud.google.com/iap/docs/authentication-howto for more details.
	const clientID = "117187402928-nl3u0qo5l2c2hhsuf2qj8irsfb3l6hfc.apps.googleusercontent.com"

	// NewClient creates an http.Client for accessing go-discovery services.
	// Its argument is the JSON contents of a service account credentials file.
	func NewClient(jsonCreds []byte) (_ *http.Client, err error) {
	defer derrors.Wrap(&err, "auth.NewClient(jsonCreds)")

	ts, err := TokenSource(jsonCreds)
	if err != nil {
	return nil, err
	}
	return oauth2.NewClient(context.Background(), ts), nil
	}

	// TokenSource creates an oauth2.TokenSource for accessing go-discovery services.
	// Its argument is the JSON contents of a service account credentials file.
	func TokenSource(json []byte) (_ oauth2.TokenSource, err error) {
	defer derrors.Wrap(&err, "auth.TokenSource(jsonCreds)")
	config, err := google.JWTConfigFromJSON(json)
	if err != nil {
	return nil, fmt.Errorf("JWTConfigFromJSON: %v", err)
	}
	config.PrivateClaims = map[string]interface{}{"target_audience": clientID}
	// This is required: the docstring says "specifies whether ID token should be
	// used instead of access token when the server returns both", but the
	// implementation says differently.
	config.UseIDToken = true
	// Use the background context, in case the token source stores and re-uses it
	// to refresh the token from a server.
	return config.TokenSource(context.Background()), nil
	}

	// Header returns a header value (typically a Bearer token) to be used in the
	// HTTP 'Authorization' header.
	func Header(jsonCreds []byte) (_ string, err error) {
	defer derrors.Wrap(&err, "auth.Header(jsonCreds)")
	ts, err := TokenSource(jsonCreds)
	if err != nil {
	return "", err
	}
	token, err := ts.Token()
	if err != nil {
	return "", fmt.Errorf("TokenSource.Token(): %v", err)
	}
	// This is a dummy request to get the authorization header.
	req, err := http.NewRequest("GET", "http://localhost", nil)
	if err != nil {
	return "", fmt.Errorf("http.NewRequest(): %v", err)
	}
	token.SetAuthHeader(req)
	return req.Header.Get("Authorization"), nil
	}