Merge pull request #190 from secrethub/release/v0.29.0

Release v0.29.0

go.mod

@@ -2,6 +2,7 @@ module github.com/secrethub/secrethub-go
 
 require (
 	bitbucket.org/zombiezen/cardcpx v0.0.0-20150417151802-902f68ff43ef
+	cloud.google.com/go v0.56.0
 	github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf
 	github.com/aws/aws-sdk-go v1.25.49
 	github.com/docker/docker v1.13.1
@@ -13,9 +14,9 @@ require (
 	github.com/mattn/go-shellwords v1.0.6 // indirect
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/op/go-logging v0.0.0-20160315200505-970db520ece7
-	github.com/stretchr/testify v1.3.0 // indirect
-	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
-	golang.org/x/net v0.0.0-20190522155817-f3200d17e092 // indirect
+	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
+	google.golang.org/api v0.26.0
+	google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940
 )
 
 go 1.13

internals/api/auth.go

@@ -10,7 +10,8 @@ import (
 
 // AuthMethod options
 const (
-	AuthMethodAWSSTS = "aws-sts"
+	AuthMethodAWSSTS            = "aws-sts"
+	AuthMethodGCPServiceAccount = "gcp-service-account"
 )
 
 // SessionType options
@@ -20,18 +21,13 @@ const (
 
 // Errors
 var (
-	ErrInvalidSessionType    = errAPI.Code("invalid_session_type").StatusError("invalid session type provided for authentication request", http.StatusBadRequest)
-	ErrInvalidPayload        = errAPI.Code("invalid_payload").StatusError("invalid payload provided for authentication request", http.StatusBadRequest)
-	ErrInvalidAuthMethod     = errAPI.Code("invalid_auth_method").StatusError("invalid auth method", http.StatusBadRequest)
-	ErrMissingField          = errAPI.Code("missing_field").StatusErrorPref("request is missing field %s", http.StatusBadRequest)
-	ErrSessionNotFound       = errAPI.Code("session_not_found").StatusError("session could not be found, it might have expired", http.StatusForbidden)
-	ErrSessionExpired        = errAPI.Code("session_expired").StatusError("session has expired", http.StatusForbidden)
-	ErrAuthFailed            = errAPI.Code("auth_failed").StatusError("authentication failed", http.StatusForbidden)
-	ErrCouldNotGetEndpoint   = errAPI.Code("aws_endpoint_not_found").StatusError("could not find an AWS endpoint for the provided region", http.StatusBadRequest)
-	ErrAWSException          = errAPI.Code("aws_exception").StatusError("encountered an unexpected problem while verifying your identity on AWS. Please try again later.", http.StatusFailedDependency)
-	ErrNoServiceWithRole     = errAPI.Code("no_service_with_role").StatusErrorPref("no service account found that is linked to the IAM role '%s'", http.StatusNotFound)
-	ErrNoAWSCredentials      = errAPI.Code("missing_aws_credentials").StatusError("request was not signed with AWS credentials", http.StatusUnauthorized)
-	ErrInvalidAWSCredentials = errAPI.Code("invalid_aws_credentials").StatusError("credentials were not accepted by AWS", http.StatusUnauthorized)
+	ErrInvalidSessionType = errAPI.Code("invalid_session_type").StatusError("invalid session type provided for authentication request", http.StatusBadRequest)
+	ErrInvalidPayload     = errAPI.Code("invalid_payload").StatusError("invalid payload provided for authentication request", http.StatusBadRequest)
+	ErrInvalidAuthMethod  = errAPI.Code("invalid_auth_method").StatusError("invalid auth method", http.StatusBadRequest)
+	ErrMissingField       = errAPI.Code("missing_field").StatusErrorPref("request is missing field %s", http.StatusBadRequest)
+	ErrSessionNotFound    = errAPI.Code("session_not_found").StatusError("session could not be found, it might have expired", http.StatusForbidden)
+	ErrSessionExpired     = errAPI.Code("session_expired").StatusError("session has expired", http.StatusForbidden)
+	ErrAuthFailed         = errAPI.Code("auth_failed").StatusError("authentication failed", http.StatusForbidden)
 )
 
 // SessionType defines how a session can be used.
@@ -44,24 +40,6 @@ type AuthRequest struct {
 	Payload     interface{} `json:"payload"`
 }
 
-// AuthPayloadAWSSTS is the authentication payload used for authenticating with AWS STS.
-type AuthPayloadAWSSTS struct {
-	Region  string `json:"region"`
-	Request []byte `json:"request"`
-}
-
-// NewAuthRequestAWSSTS returns a new AuthRequest for authentication using AWS STS.
-func NewAuthRequestAWSSTS(sessionType SessionType, region string, stsRequest []byte) AuthRequest {
-	return AuthRequest{
-		Method:      AuthMethodAWSSTS,
-		SessionType: sessionType,
-		Payload: &AuthPayloadAWSSTS{
-			Region:  region,
-			Request: stsRequest,
-		},
-	}
-}
-
 // UnmarshalJSON converts a JSON representation into a AuthRequest with the correct Payload.
 func (r *AuthRequest) UnmarshalJSON(b []byte) error {
 	// Declare a private type to avoid recursion into this function.
@@ -84,6 +62,8 @@ func (r *AuthRequest) UnmarshalJSON(b []byte) error {
 	switch dec.Method {
 	case AuthMethodAWSSTS:
 		dec.Payload = &AuthPayloadAWSSTS{}
+	case AuthMethodGCPServiceAccount:
+		dec.Payload = &AuthPayloadGCPServiceAccount{}
 	default:
 		return ErrInvalidAuthMethod
 	}
@@ -118,23 +98,20 @@ func (r *AuthRequest) Validate() error {
 		if err := authPayload.Validate(); err != nil {
 			return err
 		}
+	case AuthMethodGCPServiceAccount:
+		authPayload, ok := r.Payload.(*AuthPayloadGCPServiceAccount)
+		if !ok {
+			return ErrInvalidPayload
+		}
+		if err := authPayload.Validate(); err != nil {
+			return err
+		}
 	default:
 		return ErrInvalidAuthMethod
 	}
 	return nil
 }
 
-// Validate whether the AuthPayloadAWSSTS is valid.
-func (pl AuthPayloadAWSSTS) Validate() error {
-	if pl.Region == "" {
-		return ErrMissingField("region")
-	}
-	if pl.Request == nil {
-		return ErrMissingField("request")
-	}
-	return nil
-}
-
 // NewSessionHMAC returns a HMAC type api.Session.
 func NewSessionHMAC(sessionID uuid.UUID, expiration time.Time, secretKey string) *Session {
 	return &Session{

internals/api/auth_aws.go

@@ -0,0 +1,41 @@
+package api
+
+import "net/http"
+
+// Errors
+var (
+	ErrCouldNotGetEndpoint   = errAPI.Code("aws_endpoint_not_found").StatusError("could not find an AWS endpoint for the provided region", http.StatusBadRequest)
+	ErrAWSException          = errAPI.Code("aws_exception").StatusError("encountered an unexpected problem while verifying your identity on AWS. Please try again later.", http.StatusFailedDependency)
+	ErrNoServiceWithRole     = errAPI.Code("no_service_with_role").StatusErrorPref("no service account found that is linked to the IAM role '%s'", http.StatusNotFound)
+	ErrNoAWSCredentials      = errAPI.Code("missing_aws_credentials").StatusError("request was not signed with AWS credentials", http.StatusUnauthorized)
+	ErrInvalidAWSCredentials = errAPI.Code("invalid_aws_credentials").StatusError("credentials were not accepted by AWS", http.StatusUnauthorized)
+)
+
+// AuthPayloadAWSSTS is the authentication payload used for authenticating with AWS STS.
+type AuthPayloadAWSSTS struct {
+	Region  string `json:"region"`
+	Request []byte `json:"request"`
+}
+
+// NewAuthRequestAWSSTS returns a new AuthRequest for authentication using AWS STS.
+func NewAuthRequestAWSSTS(sessionType SessionType, region string, stsRequest []byte) AuthRequest {
+	return AuthRequest{
+		Method:      AuthMethodAWSSTS,
+		SessionType: sessionType,
+		Payload: &AuthPayloadAWSSTS{
+			Region:  region,
+			Request: stsRequest,
+		},
+	}
+}
+
+// Validate whether the AuthPayloadAWSSTS is valid.
+func (pl AuthPayloadAWSSTS) Validate() error {
+	if pl.Region == "" {
+		return ErrMissingField("region")
+	}
+	if pl.Request == nil {
+		return ErrMissingField("request")
+	}
+	return nil
+}

internals/api/auth_gcp.go

@@ -0,0 +1,32 @@
+package api
+
+import "net/http"
+
+// Errors
+var (
+	ErrInvalidGCPIDToken     = errAPI.Code("invalid_id_token").StatusError("provided id_token is invalid", http.StatusBadRequest)
+	ErrNoGCPServiceWithEmail = errAPI.Code("no_service_with_email").StatusErrorPref("no service account found that is linked to the GCP Service Account %s'", http.StatusUnauthorized)
+)
+
+// AuthPayloadGCPServiceAccount is the authentication payload used for authenticating with a GCP Service Account.
+type AuthPayloadGCPServiceAccount struct {
+	IDToken string `json:"id_token"`
+}
+
+// NewAuthRequestGCPServiceAccount returns a new AuthRequest for authentication using a GCP Service Account.
+func NewAuthRequestGCPServiceAccount(sessionType SessionType, idToken string) AuthRequest {
+	return AuthRequest{
+		Method:      AuthMethodGCPServiceAccount,
+		SessionType: sessionType,
+		Payload: &AuthPayloadGCPServiceAccount{
+			IDToken: idToken,
+		},
+	}
+}
+
+func (pl AuthPayloadGCPServiceAccount) Validate() error {
+	if pl.IDToken == "" {
+		return ErrMissingField("id_token")
+	}
+	return nil
+}