// newClient creates http.Client with a jwt service account when
// jsonFile flag is specified, otherwise by obtaining the GCE service
// account's access token.
func newClient(jsonFile string) (*http.Client, error) {
if jsonFile != "" {
jsonKey, err := ioutil.ReadFile(jsonFile)
if err != nil {
return nil, err
}
conf, err := google.JWTConfigFromJSON(jsonKey, pubsub.ScopePubSub)
if err != nil {
return nil, err
}
return conf.Client(oauth2.NoContext), nil
}
if metadata.OnGCE() {
c := &http.Client{
Transport: &oauth2.Transport{
Source: google.ComputeTokenSource(""),
},
}
if *projID == "" {
projectID, err := metadata.ProjectID()
if err != nil {
return nil, fmt.Errorf("ProjectID failed, %v", err)
}
*projID = projectID
}
return c, nil
}
return nil, errors.New("Could not create an authenticated client.")
}
func (h *DeployHandler) refreshZones() error {
h.zonesMu.Lock()
defer h.zonesMu.Unlock()
defer func() {
h.regions = make([]string, 0, len(h.zones))
for r, _ := range h.zones {
h.regions = append(h.regions, r)
}
}()
// TODO(mpl): get projectID and access tokens from metadata once camweb is on GCE.
accountFile := os.Getenv("CAMLI_GCE_SERVICE_ACCOUNT")
if accountFile == "" {
h.Printf("No service account to query for the zones, using hard-coded ones instead.")
h.zones = backupZones
return nil
}
project := os.Getenv("CAMLI_GCE_PROJECT")
if project == "" {
h.Printf("No project we can query on to get the zones, using hard-coded ones instead.")
h.zones = backupZones
return nil
}
data, err := ioutil.ReadFile(accountFile)
if err != nil {
return err
}
conf, err := google.JWTConfigFromJSON(data, "https://www.googleapis.com/auth/compute.readonly")
if err != nil {
return err
}
s, err := compute.New(conf.Client(oauth2.NoContext))
if err != nil {
return err
}
rl, err := compute.NewRegionsService(s).List(project).Do()
if err != nil {
return fmt.Errorf("could not get a list of regions: %v", err)
}
h.zones = make(map[string][]string)
for _, r := range rl.Items {
zones := make([]string, 0, len(r.Zones))
for _, z := range r.Zones {
zone := path.Base(z)
if zone == "europe-west1-a" {
// Because even though the docs mark it as deprecated, it still shows up here, go figure.
continue
}
zone = strings.Replace(zone, r.Name, "", 1)
zones = append(zones, zone)
}
h.zones[r.Name] = zones
}
return nil
}
func Context(scopes ...string) context.Context {
key, projID := os.Getenv(envPrivateKey), os.Getenv(envProjID)
if key == "" || projID == "" {
log.Fatal("GCLOUD_TESTS_GOLANG_KEY and GCLOUD_TESTS_GOLANG_PROJECT_ID must be set. See CONTRIBUTING.md for details.")
}
jsonKey, err := ioutil.ReadFile(key)
if err != nil {
log.Fatalf("Cannot read the JSON key file, err: %v", err)
}
conf, err := google.JWTConfigFromJSON(jsonKey, scopes...)
if err != nil {
log.Fatal(err)
}
return cloud.NewContext(projID, conf.Client(oauth2.NoContext))
}
// ProjectTokenSource returns an OAuth2 TokenSource for the given Google Project ID.
func ProjectTokenSource(proj string, scopes ...string) (oauth2.TokenSource, error) {
// TODO(bradfitz): try different strategies too, like
// three-legged flow if the service account doesn't exist, and
// then cache the token file on disk somewhere. Or maybe that should be an
// option, for environments without stdin/stdout available to the user.
// We'll figure it out as needed.
fileName := filepath.Join(homedir(), "keys", proj+".key.json")
jsonConf, err := ioutil.ReadFile(fileName)
if err != nil {
if os.IsNotExist(err) {
return nil, fmt.Errorf("Missing JSON key configuration. Download the Service Account JSON key from https://console.developers.google.com/project/%s/apiui/credential and place it at %s", proj, fileName)
}
return nil, err
}
conf, err := google.JWTConfigFromJSON(jsonConf, scopes...)
if err != nil {
return nil, fmt.Errorf("reading JSON config from %s: %v", fileName, err)
}
return conf.TokenSource(oauth2.NoContext), nil
}
func Example_auth() context.Context {
// Initialize an authorized context with Google Developers Console
// JSON key. Read the google package examples to learn more about
// different authorization flows you can use.
// http://godoc.org/golang.org/x/oauth2/google
jsonKey, err := ioutil.ReadFile("/path/to/json/keyfile.json")
if err != nil {
log.Fatal(err)
}
conf, err := google.JWTConfigFromJSON(
jsonKey,
pubsub.ScopeCloudPlatform,
pubsub.ScopePubSub,
)
if err != nil {
log.Fatal(err)
}
ctx := cloud.NewContext("project-id", conf.Client(oauth2.NoContext))
// See the other samples to learn how to use the context.
return ctx
}