Add support for scopes to the Token API

Signed-off-by: Matheus Pimenta <[email protected]>

Author: matheuscscp

README.md

@@ -260,9 +260,10 @@ occupy port 80 in the network namespace of the Node.
 ### The `metadata.google.internal` DNS record
 
 Google has documented the `http://metadata.google.internal` endpoint as where to fetch
-metadata from. Some Google libraries may use this endpoint to fetch metadata from the
-emulator. If that's the case, you can configure your Pods with the following DNS
-configuration:
+metadata from, and that it should resolve to `http://169.254.169.254`. While some Google
+libraries hard-code the IP address and hit it directly without DNS resolution, others
+may use the DNS hostname to fetch metadata from the emulator. If that's your case, you
+can add to your Pods the following DNS configuration:
 
 ```yaml
 spec:
@@ -271,12 +272,6 @@ spec:
     ip: 169.254.169.254
 ```
 
-This IP address is also documented by Google as the address `metadata.google.internal`
-should resolve to. Not all Google libraries use the DNS hostname, some use this IP
-address directly in their code, so this configuration may not be necessary for all
-libraries (example: [Go](https://github.com/googleapis/google-cloud-go/blob/a961cb5e85ed07e2eaf088faa29ed9b60882212b/compute/metadata/metadata.go#L472-L485)).
-Pods running the `gcloud` CLI will require this configuration to work properly.
-
 ### Limitations and Security Risks
 
 #### Pod identification by IP address

internal/googlecredentials/google_credentials.go

@@ -66,13 +66,19 @@ func (c *Config) WorkloadIdentityProviderAudience() string {
 	return fmt.Sprintf("//iam.googleapis.com/%s", c.opts.WorkloadIdentityProvider)
 }
 
-func (c *Config) NewToken(ctx context.Context, subjectToken string, googleServiceAccountEmail *string) (*oauth2.Token, error) {
+func (c *Config) NewToken(ctx context.Context, subjectToken string,
+	googleServiceAccountEmail *string, scopes []string) (*oauth2.Token, error) {
+
+	if len(scopes) == 0 {
+		scopes = AccessScopes()
+	}
+
 	conf := externalaccount.Config{
 		UniverseDomain:       "googleapis.com",
 		Audience:             c.WorkloadIdentityProviderAudience(),
 		SubjectTokenType:     "urn:ietf:params:oauth:token-type:jwt",
 		TokenURL:             "https://sts.googleapis.com/v1/token",
-		Scopes:               AccessScopes(),
+		Scopes:               scopes,
 		SubjectTokenSupplier: tokenSupplier(subjectToken),
 	}
 

internal/server/gke_apis.go

@@ -105,7 +105,7 @@ Refer to https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identit
 		if err != nil {
 			return nil, err
 		}
-		accessTokens, _, r, err := s.getPodGoogleAccessTokens(w, r)
+		accessTokens, _, r, err := s.getPodGoogleAccessTokens(w, r, nil)
 		if err != nil {
 			return nil, err
 		}
@@ -130,7 +130,13 @@ func (s *Server) gkeServiceAccountScopesAPI() pkghttp.MetadataHandlerFunc {
 
 func (s *Server) gkeServiceAccountTokenAPI() pkghttp.MetadataHandler {
 	mh := func(w http.ResponseWriter, r *http.Request) (any, error) {
-		tokens, expiresAt, _, err := s.getPodGoogleAccessTokens(w, r)
+		var scopes []string
+		for scope := range strings.SplitSeq(r.URL.Query().Get("scopes"), ",") {
+			if s := strings.TrimSpace(scope); s != "" {
+				scopes = append(scopes, s)
+			}
+		}
+		tokens, expiresAt, _, err := s.getPodGoogleAccessTokens(w, r, scopes)
 		if err != nil {
 			return nil, err
 		}

internal/server/gke_apis_test.go

@@ -43,6 +43,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"golang.org/x/oauth2/google"
 	"google.golang.org/api/googleapi"
+	oauth2 "google.golang.org/api/oauth2/v2"
 )
 
 const (
@@ -55,6 +56,12 @@ var gkeHeaders = http.Header{
 	"Metadata-Flavor": []string{gkeMetadataFlavor},
 }
 
+func TestOnGCE(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	assert.True(t, metadata.OnGCEWithContext(ctx))
+}
+
 func TestGKEServiceAccountTokenAPI(t *testing.T) {
 	const url = "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token"
 
@@ -131,8 +138,6 @@ func TestGKEServiceAccountTokenAPI_Implicitly(t *testing.T) {
 	// GKE Service Account Token API. The Go library will internally
 	// call this API to get an Access Token for GCS operations.
 
-	require.True(t, metadata.OnGCE())
-
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
 
@@ -170,16 +175,25 @@ func TestGKEServiceAccountTokenAPI_Implicitly(t *testing.T) {
 }
 
 func TestGKEServiceAccountTokenAPI_DefaultTokenSource(t *testing.T) {
-	require.True(t, metadata.OnGCE())
-
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
 
-	ts, err := google.DefaultTokenSource(ctx)
+	const scope = "https://www.googleapis.com/auth/bigtable.admin.table"
+	ts, err := google.DefaultTokenSource(ctx, scope)
 	require.NoError(t, err)
+
 	token, err := ts.Token()
 	require.NoError(t, err)
-	assert.NotEmpty(t, token.AccessToken)
+	require.NotEmpty(t, token.AccessToken)
+
+	if os.Getenv("HOSTNAME") != "test-direct-access" {
+		svc, err := oauth2.NewService(ctx)
+		require.NoError(t, err)
+
+		tokenInfo, err := svc.Tokeninfo().AccessToken(token.AccessToken).Context(ctx).Do()
+		require.NoError(t, err)
+		assert.Equal(t, scope, tokenInfo.Scope)
+	}
 }
 
 func TestGKEServiceAccountIdentityAPI(t *testing.T) {

internal/server/pods.go

@@ -106,7 +106,7 @@ func (s *Server) listPodGoogleServiceAccounts(w http.ResponseWriter, r *http.Req
 // impersonation.
 // If there's an error this function sends the response to the client.
 func (s *Server) getPodGoogleAccessTokens(w http.ResponseWriter, r *http.Request,
-) (*serviceaccounttokens.AccessTokens, time.Time, *http.Request, error) {
+	scopes []string) (*serviceaccounttokens.AccessTokens, time.Time, *http.Request, error) {
 	saRef, r, err := s.getPodServiceAccountReference(w, r)
 	if err != nil {
 		return nil, time.Time{}, nil, err
@@ -122,7 +122,7 @@ func (s *Server) getPodGoogleAccessTokens(w http.ResponseWriter, r *http.Request
 		return nil, time.Time{}, nil, err
 	}
 	tokens, expiresAt, err := s.opts.ServiceAccountTokens.GetGoogleAccessTokens(
-		r.Context(), saToken, googleEmail)
+		r.Context(), saToken, googleEmail, scopes)
 	if err != nil {
 		respondGoogleAPIErrorf(w, r, "error getting google access token: %w", err)
 		return nil, time.Time{}, nil, err

internal/serviceaccounttokens/cache/provider.go

@@ -26,6 +26,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"strings"
 	"sync"
 	"time"
 
@@ -38,18 +39,20 @@ import (
 )
 
 type Provider struct {
-	opts                  ProviderOptions
-	numTokens             prometheus.Gauge
-	cacheMisses           prometheus.Counter
-	serviceAccounts       map[serviceaccounts.Reference]*serviceAccount
-	googleIDTokens        map[googleIDTokenReference]*tokenAndExpiration[string]
-	nodeServiceAccountRef *serviceaccounts.Reference
-	ctx                   context.Context
-	cancelCtx             context.CancelFunc
-	serviceAccountsMutex  sync.Mutex
-	googleIDTokensMutex   sync.RWMutex
-	wg                    sync.WaitGroup
-	semaphore             chan struct{}
+	opts                          ProviderOptions
+	numTokens                     prometheus.Gauge
+	cacheMisses                   prometheus.Counter
+	serviceAccounts               map[serviceaccounts.Reference]*serviceAccount
+	googleIDTokens                map[googleIDTokenReference]*tokenAndExpiration[string]
+	googleScopedAccessTokens      map[googleScopedAccessTokenReference]*tokenAndExpiration[string]
+	nodeServiceAccountRef         *serviceaccounts.Reference
+	ctx                           context.Context
+	cancelCtx                     context.CancelFunc
+	serviceAccountsMutex          sync.Mutex
+	googleIDTokensMutex           sync.RWMutex
+	googleScopedAccessTokensMutex sync.RWMutex
+	wg                            sync.WaitGroup
+	semaphore                     chan struct{}
 }
 
 type ProviderOptions struct {
@@ -80,17 +83,18 @@ func NewProvider(ctx context.Context, opts ProviderOptions) *Provider {
 	backgroundCtx, cancel := context.WithCancel(backgroundCtx)
 
 	p := &Provider{
-		opts:            opts,
-		numTokens:       numTokens,
-		cacheMisses:     cacheMisses,
-		serviceAccounts: make(map[serviceaccounts.Reference]*serviceAccount),
-		googleIDTokens:  make(map[googleIDTokenReference]*tokenAndExpiration[string]),
-		ctx:             backgroundCtx,
-		cancelCtx:       cancel,
-		semaphore:       make(chan struct{}, opts.Concurrency),
+		opts:                     opts,
+		numTokens:                numTokens,
+		cacheMisses:              cacheMisses,
+		serviceAccounts:          make(map[serviceaccounts.Reference]*serviceAccount),
+		googleIDTokens:           make(map[googleIDTokenReference]*tokenAndExpiration[string]),
+		googleScopedAccessTokens: make(map[googleScopedAccessTokenReference]*tokenAndExpiration[string]),
+		ctx:                      backgroundCtx,
+		cancelCtx:                cancel,
+		semaphore:                make(chan struct{}, opts.Concurrency),
 	}
 
-	// start garbage collector for google ID tokens
+	// start garbage collector for input-dependant tokens
 	p.wg.Add(1)
 	go func() {
 		defer p.wg.Done()
@@ -108,6 +112,14 @@ func NewProvider(ctx context.Context, opts ProviderOptions) *Provider {
 					}
 				}
 				p.googleIDTokensMutex.Unlock()
+
+				p.googleScopedAccessTokensMutex.Lock()
+				for ref, token := range p.googleScopedAccessTokens {
+					if token.isExpired() {
+						delete(p.googleScopedAccessTokens, ref)
+					}
+				}
+				p.googleScopedAccessTokensMutex.Unlock()
 			}
 		}
 	}()
@@ -131,14 +143,65 @@ func (p *Provider) GetServiceAccountToken(ctx context.Context, ref *serviceaccou
 }
 
 func (p *Provider) GetGoogleAccessTokens(ctx context.Context, saToken string,
-	googleEmail *string) (*serviceaccounttokens.AccessTokens, time.Time, error) {
-	ref := serviceaccounts.ReferenceFromToken(saToken)
-	tokens, err := p.getTokens(ctx, ref)
+	googleEmail *string, scopes []string) (*serviceaccounttokens.AccessTokens, time.Time, error) {
+
+	saRef := serviceaccounts.ReferenceFromToken(saToken)
+
+	// easy case: no scopes
+	if len(scopes) == 0 {
+		tokens, err := p.getTokens(ctx, saRef)
+		if err != nil {
+			return nil, time.Time{}, err
+		}
+		token := tokens.googleAccessTokens
+		return token.token, token.expiration(), nil
+	}
+
+	// handle case with custom scopes
+
+	var email string
+	if googleEmail != nil {
+		email = *googleEmail
+	}
+	ref := googleScopedAccessTokenReference{*saRef, email, strings.Join(scopes, ",")}
+
+	// check cache first
+	p.googleScopedAccessTokensMutex.RLock()
+	token, ok := p.googleScopedAccessTokens[ref]
+	p.googleScopedAccessTokensMutex.RUnlock()
+	if ok && !token.isExpired() {
+		return &serviceaccounttokens.AccessTokens{DirectAccess: token.token}, token.expiration(), nil
+	}
+
+	// cache miss or token expired. need to cache a new token, so acquire semaphore to limit concurrency
+	select {
+	case p.semaphore <- struct{}{}:
+	case <-ctx.Done():
+		return nil, time.Time{}, fmt.Errorf("request context done while acquiring semaphore: %w", ctx.Err())
+	case <-p.ctx.Done():
+		return nil, time.Time{}, fmt.Errorf("process terminated while acquiring semaphore: %w", p.ctx.Err())
+	}
+
+	tokens, expiration, err := p.opts.Source.GetGoogleAccessTokens(ctx, saToken, googleEmail, scopes)
+
+	// release concurrency semaphore
+	<-p.semaphore
+
+	// check error
 	if err != nil {
 		return nil, time.Time{}, err
 	}
-	token := tokens.googleAccessTokens
-	return token.token, token.expiration(), nil
+
+	// token issued successfully. cache it and return
+	tokenString := tokens.DirectAccess
+	if tokenString == "" {
+		tokenString = tokens.Impersonated
+	}
+	token = newToken(tokenString, expiration)
+	p.googleScopedAccessTokensMutex.Lock()
+	p.googleScopedAccessTokens[ref] = token
+	p.googleScopedAccessTokensMutex.Unlock()
+	return &serviceaccounttokens.AccessTokens{DirectAccess: token.token}, token.expiration(), nil
 }
 
 func (p *Provider) GetGoogleIdentityToken(ctx context.Context, saRef *serviceaccounts.Reference,

internal/serviceaccounttokens/cache/tokens.go

@@ -53,6 +53,12 @@ type googleIDTokenReference struct {
 	audience               string
 }
 
+type googleScopedAccessTokenReference struct {
+	serviceAccountRefernce serviceaccounts.Reference
+	email                  string
+	scopes                 string
+}
+
 func (p *Provider) createTokens(ctx context.Context, saRef *serviceaccounts.Reference) (*tokens, *string, error) {
 	sa, err := p.opts.ServiceAccounts.Get(ctx, saRef)
 	if err != nil {
@@ -69,7 +75,7 @@ func (p *Provider) createTokens(ctx context.Context, saRef *serviceaccounts.Refe
 		return nil, nil, fmt.Errorf("error creating token for kubernetes service account: %w", err)
 	}
 
-	accessTokens, accessTokenExpiration, err := p.opts.Source.GetGoogleAccessTokens(ctx, saToken, email)
+	accessTokens, accessTokenExpiration, err := p.opts.Source.GetGoogleAccessTokens(ctx, saToken, email, nil)
 	if err != nil {
 		return nil, nil, fmt.Errorf("error creating google access token: %w", err)
 	}

internal/serviceaccounttokens/create/provider.go

@@ -71,30 +71,40 @@ func (p *Provider) GetServiceAccountToken(ctx context.Context, ref *serviceaccou
 }
 
 func (p *Provider) GetGoogleAccessTokens(ctx context.Context, saToken string,
-	googleEmail *string) (*serviceaccounttokens.AccessTokens, time.Time, error) {
+	googleEmail *string, scopes []string) (*serviceaccounttokens.AccessTokens, time.Time, error) {
 
-	directAccess, err := p.opts.GoogleCredentialsConfig.NewToken(ctx, saToken, nil)
-	if err != nil {
-		return nil, time.Time{}, err
+	expiration := time.Now().Add(365 * 24 * time.Hour)
+
+	// Optimization: No need for a direct access token if the token was requested with custom
+	// scopes and a google service account email is configured for impersonation. Tokens with
+	// custom scopes are not used for fetching google identity tokens, so we only need to
+	// cache the token that was requested by a client pod.
+	var directAccess string
+	if !(googleEmail != nil && len(scopes) > 0) {
+		token, err := p.opts.GoogleCredentialsConfig.NewToken(ctx, saToken, nil, scopes)
+		if err != nil {
+			return nil, time.Time{}, err
+		}
+		directAccess = token.AccessToken
+		expiration = token.Expiry
 	}
-	expiry := directAccess.Expiry
 
 	var impersonated string
 	if googleEmail != nil {
-		token, err := p.opts.GoogleCredentialsConfig.NewToken(ctx, saToken, googleEmail)
+		token, err := p.opts.GoogleCredentialsConfig.NewToken(ctx, saToken, googleEmail, scopes)
 		if err != nil {
 			return nil, time.Time{}, err
 		}
 		impersonated = token.AccessToken
-		if token.Expiry.Before(expiry) {
-			expiry = token.Expiry
+		if token.Expiry.Before(expiration) {
+			expiration = token.Expiry
 		}
 	}
 
 	return &serviceaccounttokens.AccessTokens{
-		DirectAccess: directAccess.AccessToken,
+		DirectAccess: directAccess,
 		Impersonated: impersonated,
-	}, expiry, nil
+	}, expiration, nil
 }
 
 func (p *Provider) GetGoogleIdentityToken(ctx context.Context, _ *serviceaccounts.Reference,

internal/serviceaccounttokens/provider.go

@@ -36,7 +36,8 @@ type AccessTokens struct {
 
 type Provider interface {
 	GetServiceAccountToken(ctx context.Context, ref *serviceaccounts.Reference) (string, time.Time, error)
-	GetGoogleAccessTokens(ctx context.Context, saToken string, googleEmail *string) (*AccessTokens, time.Time, error)
+	GetGoogleAccessTokens(ctx context.Context, saToken string, googleEmail *string,
+		scopes []string) (*AccessTokens, time.Time, error)
 	GetGoogleIdentityToken(ctx context.Context, saRef *serviceaccounts.Reference,
 		accessToken, googleEmail, audience string) (string, time.Time, error)
 }