-
Notifications
You must be signed in to change notification settings - Fork 366
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
impl(common): token exchange for external accounts #10328
impl(common): token exchange for external accounts #10328
Conversation
Google Cloud Build Logs
ℹ️ NOTE: Kokoro logs are linked from "Details" below. |
Codecov ReportBase: 93.85% // Head: 93.86% // Increases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## main #10328 +/- ##
========================================
Coverage 93.85% 93.86%
========================================
Files 1597 1600 +3
Lines 145363 145763 +400
========================================
+ Hits 136437 136823 +386
- Misses 8926 8940 +14
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
c252da7
to
002e587
Compare
Google Cloud Build Logs
ℹ️ NOTE: Kokoro logs are linked from "Details" below. |
Rebased to resolve conflicts, PTAL. |
auto request = rest_internal::RestRequest(info_.token_url); | ||
|
||
auto client = client_factory_(options_); | ||
auto status = client->Post(request, form_data); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
optional: I call this thing a sor
... but I thought you didn't like that...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The conventional approach would be to just call this response
. That might complicate and/or simplify the code below where we introduce response
to hold the (moved) OK response.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
auto client = client_factory_(options_); | ||
auto status = client->Post(request, form_data); | ||
if (!status) return std::move(status).status(); | ||
auto response = *std::move(status); | ||
if (MapHttpCodeToStatus(response->StatusCode()) != StatusCode::kOk) { | ||
return AsStatus(std::move(*response)); | ||
} | ||
auto payload = rest_internal::ReadAll(std::move(*response).ExtractPayload()); | ||
if (!payload) return std::move(payload.status()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FYI: I am not the best reviewer of this chunk of code. Maybe @scotthart can give it the once-over?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ack. There is a lot of similar code elsewhere
google/cloud/internal/oauth2_external_account_credentials_test.cc
Outdated
Show resolved
Hide resolved
google/cloud/internal/oauth2_external_account_credentials_test.cc
Outdated
Show resolved
Hide resolved
google/cloud/internal/oauth2_external_account_credentials_test.cc
Outdated
Show resolved
Hide resolved
google/cloud/internal/oauth2_external_account_credentials_test.cc
Outdated
Show resolved
Hide resolved
To support external accounts we need to convert the "subject token" returned by the external account source (e.g. an Azure metadata service or a GitHub Actions OIDC source) into "access tokens" returned by GCP's "Security Token Service". In this change we introduce the code to perform such exchanges, including a small integration test on GitHub actions.
002e587
to
96bfdce
Compare
Google Cloud Build Logs
ℹ️ NOTE: Kokoro logs are linked from "Details" below. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FYI: I applied the do not merge
label, although I know you know better than to merge while the release is in progress
To support external accounts we need to convert the "subject token" returned by the external account source (e.g. an Azure metadata service or a GitHub Actions OIDC source) into "access tokens" returned by GCP's "Security Token Service". In this change we introduce the code to perform such exchanges, including a small integration test on GitHub actions.
Part of the work for #5915
This change is