akillibulut
/
porter
зеркало из https://github.com/porter-dev/porter


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114
							package integrations

import (
	"context"

	"golang.org/x/oauth2/google"
	"gorm.io/gorm"
)

// GCPIntegration is an auth mechanism that uses a GCP service account to
// authenticate
type GCPIntegration struct {
	gorm.Model

	// The id of the user that linked this auth mechanism
	UserID uint `json:"user_id"`

	// The project that this integration belongs to
	ProjectID uint `json:"project_id"`

	// The GCP project id where the service account for this auth mechanism persists
	GCPProjectID string `json:"gcp_project_id"`

	// The GCP user email that linked this service account
	GCPUserEmail string `json:"gcp-user-email"`

	// The GCP region, which may or may not be used by the integration
	GCPRegion string `json:"gcp_region"`

	// ------------------------------------------------------------------
	// All fields encrypted before storage.
	// ------------------------------------------------------------------

	// KeyData for a service account for GCP connectors
	GCPKeyData []byte `json:"gcp_key_data"`
}

// GCPIntegrationExternal is a GCPIntegration to be shared over REST
type GCPIntegrationExternal struct {
	ID uint `json:"id"`

	// The id of the user that linked this auth mechanism
	UserID uint `json:"user_id"`

	// The project that this integration belongs to
	ProjectID uint `json:"project_id"`

	// The GCP project id where the service account for this auth mechanism persists
	GCPProjectID string `json:"gcp-project-id"`

	// The GCP user email that linked this service account
	GCPUserEmail string `json:"gcp-user-email"`
}

// Externalize generates an external KubeIntegration to be shared over REST
func (g *GCPIntegration) Externalize() *GCPIntegrationExternal {
	return &GCPIntegrationExternal{
		ID:           g.ID,
		UserID:       g.UserID,
		ProjectID:    g.ProjectID,
		GCPProjectID: g.GCPProjectID,
		GCPUserEmail: g.GCPUserEmail,
	}
}

// ToProjectIntegration converts a gcp integration to a project integration
func (g *GCPIntegration) ToProjectIntegration(
	category string,
	service IntegrationService,
) *ProjectIntegration {
	return &ProjectIntegration{
		ID:            g.ID,
		ProjectID:     g.ProjectID,
		AuthMechanism: "gcp",
		Category:      category,
		Service:       service,
	}
}

// GetBearerToken retrieves a bearer token for a GCP account
func (g *GCPIntegration) GetBearerToken(
	getTokenCache GetTokenCacheFunc,
	setTokenCache SetTokenCacheFunc,
) (string, error) {
	cache, err := getTokenCache()

	// check the token cache for a non-expired token
	if cache != nil {
		if tok := cache.Token; err == nil && !cache.IsExpired() && len(tok) > 0 {
			return string(tok), nil
		}
	}

	creds, err := google.CredentialsFromJSON(
		context.Background(),
		g.GCPKeyData,
		"https://www.googleapis.com/auth/cloud-platform",
	)

	if err != nil {
		return "", err
	}

	tok, err := creds.TokenSource.Token()

	if err != nil {
		return "", err
	}

	// update the token cache
	setTokenCache(tok.AccessToken, tok.Expiry)

	return tok.AccessToken, nil
}