From e15136c67a513233784a47fc379e02a4668a7791 Mon Sep 17 00:00:00 2001
From: aeitzman
Date: Tue, 23 Jan 2024 14:49:10 -0800
Subject: [PATCH] responding to CL comments
---
 google/externalaccount/aws.go | 36 +++++++++----------
 google/externalaccount/basecredentials.go | 16 ++++-----
 google/externalaccount/err.go | 18 ----------
 google/externalaccount/err_test.go | 19 ----------
 .../programmaticrefreshcredsource.go | 2 +-
 .../programmaticrefreshcredsource_test.go | 8 +----
 6 files changed, 28 insertions(+), 71 deletions(-)
 delete mode 100644 google/externalaccount/err.go
 delete mode 100644 google/externalaccount/err_test.go
diff --git a/google/externalaccount/aws.go b/google/externalaccount/aws.go
index 61e3c7fcc..57c92d255 100644
--- a/google/externalaccount/aws.go
+++ b/google/externalaccount/aws.go
@@ -257,12 +257,12 @@ func (rs *awsRequestSigner) generateAuthentication(req *http.Request, timestamp
 }
 type awsCredentialSource struct {
- EnvironmentID string
- RegionURL string
- RegionalCredVerificationURL string
- CredVerificationURL string
- IMDSv2SessionTokenURL string
- TargetResource string
+ environmentID string
+ regionURL string
+ regionalCredVerificationURL string
+ credVerificationURL string
+ imdsv2SessionTokenURL string
+ targetResource string
 requestSigner *awsRequestSigner
 region string
 ctx context.Context
@@ -312,8 +312,8 @@ func (cs awsCredentialSource) credentialSourceType() string {
 func (cs awsCredentialSource) subjectToken() (string, error) {
 // Set Defaults
- if cs.RegionalCredVerificationURL == "" {
- cs.RegionalCredVerificationURL = defaultRegionalCredentialVerificationUrl
+ if cs.regionalCredVerificationURL == "" {
+ cs.regionalCredVerificationURL = defaultRegionalCredentialVerificationUrl
 }
 if cs.requestSigner == nil {
 headers := make(map[string]string)
@@ -345,7 +345,7 @@ func (cs awsCredentialSource) subjectToken() (string, error) {
 // Generate the signed request to AWS STS GetCallerIdentity API.
 // Use the required regional endpoint. Otherwise, the request will fail.
- req, err := http.NewRequest("POST", strings.Replace(cs.RegionalCredVerificationURL, "{region}", cs.region, 1), nil)
+ req, err := http.NewRequest("POST", strings.Replace(cs.regionalCredVerificationURL, "{region}", cs.region, 1), nil)
 if err != nil {
 return "", err
 }
@@ -353,8 +353,8 @@ func (cs awsCredentialSource) subjectToken() (string, error) {
 // provider, with or without the HTTPS prefix.
 // Including this header as part of the signature is recommended to
 // ensure data integrity.
- if cs.TargetResource != "" {
- req.Header.Add("x-goog-cloud-target-resource", cs.TargetResource)
+ if cs.targetResource != "" {
+ req.Header.Add("x-goog-cloud-target-resource", cs.targetResource)
 }
 cs.requestSigner.SignRequest(req)
@@ -401,11 +401,11 @@ func (cs awsCredentialSource) subjectToken() (string, error) {
 }
 func (cs *awsCredentialSource) getAWSSessionToken() (string, error) {
- if cs.IMDSv2SessionTokenURL == "" {
+ if cs.imdsv2SessionTokenURL == "" {
 return "", nil
 }
- req, err := http.NewRequest("PUT", cs.IMDSv2SessionTokenURL, nil)
+ req, err := http.NewRequest("PUT", cs.imdsv2SessionTokenURL, nil)
 if err != nil {
 return "", err
 }
@@ -442,11 +442,11 @@ func (cs *awsCredentialSource) getRegion(headers map[string]string) (string, err
 return getenv("AWS_DEFAULT_REGION"), nil
 }
- if cs.RegionURL == "" {
+ if cs.regionURL == "" {
 return "", errors.New("oauth2/google: unable to determine AWS region")
 }
- req, err := http.NewRequest("GET", cs.RegionURL, nil)
+ req, err := http.NewRequest("GET", cs.regionURL, nil)
 if err != nil {
 return "", err
 }
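Review bot: In the first hunk of this group (`subjectToken`, the `http.NewRequest("POST", ...)` line), `cs.region` is substituted into `regionalCredVerificationURL` with `strings.Replace`, and nothing visible constrains its contents before the URL is built and signed. The `getRegion` hunk further down shows the value can come from `AWS_DEFAULT_REGION` or from the response to `regionURL`, so a value containing URL delimiters would change the host or path of the signed request. I would check it once before the substitution, for example `if !awsRegionPattern.MatchString(cs.region) { return "", errors.New("oauth2/google: invalid AWS region") }`, with `awsRegionPattern` a package-level `regexp.MustCompile("^[a-z0-9-]+$")`; whether `regexp` is already imported is not visible here. `subjectToken` starts and ends outside the hunk.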
@@ -518,7 +518,7 @@ func (cs *awsCredentialSource) getSecurityCredentials(headers map[string]string)
 func (cs *awsCredentialSource) getMetadataSecurityCredentials(roleName string, headers map[string]string) (AwsSecurityCredentials, error) {
 var result AwsSecurityCredentials
- req, err := http.NewRequest("GET", fmt.Sprintf("%s/%s", cs.CredVerificationURL, roleName), nil)
+ req, err := http.NewRequest("GET", fmt.Sprintf("%s/%s", cs.credVerificationURL, roleName), nil)
 if err != nil {
 return result, err
 }
@@ -548,11 +548,11 @@ func (cs *awsCredentialSource) getMetadataSecurityCredentials(roleName string, h
 }
 func (cs *awsCredentialSource) getMetadataRoleName(headers map[string]string) (string, error) {
- if cs.CredVerificationURL == "" {
+ if cs.credVerificationURL == "" {
 return "", errors.New("oauth2/google: unable to determine the AWS metadata server security credentials endpoint")
 }
- req, err := http.NewRequest("GET", cs.CredVerificationURL, nil)
+ req, err := http.NewRequest("GET", cs.credVerificationURL, nil)
 if err != nil {
 return "", err
 }
diff --git a/google/externalaccount/basecredentials.go b/google/externalaccount/basecredentials.go
index 38b8c7f19..96e6df98d 100644
--- a/google/externalaccount/basecredentials.go
+++ b/google/externalaccount/basecredentials.go
@@ -176,9 +176,9 @@ func (c *ExternalAccountConfig) parse(ctx context.Context) (baseCredentialSource
 if c.AwsSecurityCredentialsSupplier != nil {
 awsCredSource := awsCredentialSource{
- RegionalCredVerificationURL: c.CredentialSource.RegionalCredVerificationURL,
+ regionalCredVerificationURL: c.CredentialSource.RegionalCredVerificationURL,
 awsSecurityCredentialsSupplier: c.AwsSecurityCredentialsSupplier,
- TargetResource: c.Audience,
+ targetResource: c.Audience,
 }
 return awsCredSource, nil
 } else if c.SubjectTokenSupplier != nil {
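Review bot: In `getMetadataSecurityCredentials` (first hunk of this group), `roleName` is appended to `cs.credVerificationURL` with `fmt.Sprintf("%s/%s", ...)` and no escaping, so a name containing path or query delimiters would address a different resource on the metadata server than intended. The caller is outside the hunk, but the value presumably comes from the response that `getMetadataRoleName` reads from the same endpoint, so it is worth treating as data rather than as URL text. Building the URL as `cs.credVerificationURL + "/" + url.PathEscape(roleName)` keeps it to one path segment; this needs `net/url`, whose import is not visible here, and the escaped form should be confirmed against the metadata server. The function body continues past the hunk.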
@@ -190,15 +190,15 @@ func (c *ExternalAccountConfig) parse(ctx context.Context) (baseCredentialSource
 }
 awsCredSource := awsCredentialSource{
- EnvironmentID: c.CredentialSource.EnvironmentID,
- RegionURL: c.CredentialSource.RegionURL,
- RegionalCredVerificationURL: c.CredentialSource.RegionalCredVerificationURL,
- CredVerificationURL: c.CredentialSource.URL,
- TargetResource: c.Audience,
+ environmentID: c.CredentialSource.EnvironmentID,
+ regionURL: c.CredentialSource.RegionURL,
+ regionalCredVerificationURL: c.CredentialSource.RegionalCredVerificationURL,
+ credVerificationURL: c.CredentialSource.URL,
+ targetResource: c.Audience,
 ctx: ctx,
 }
 if c.CredentialSource.IMDSv2SessionTokenURL != "" {
- awsCredSource.IMDSv2SessionTokenURL = c.CredentialSource.IMDSv2SessionTokenURL
+ awsCredSource.imdsv2SessionTokenURL = c.CredentialSource.IMDSv2SessionTokenURL
 }
 return awsCredSource, nil
diff --git a/google/externalaccount/err.go b/google/externalaccount/err.go
deleted file mode 100644
index 233a78cef..000000000
--- a/google/externalaccount/err.go
+++ /dev/null
@@ -1,18 +0,0 @@
-// Copyright 2020 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package externalaccount
-
-import "fmt"
-
-// Error for handling OAuth related error responses as stated in rfc6749#5.2.
-type Error struct {
- Code string
- URI string
- Description string
-}
-
-func (err *Error) Error() string {
- return fmt.Sprintf("got error code %s from %s: %s", err.Code, err.URI, err.Description)
-}
diff --git a/google/externalaccount/err_test.go b/google/externalaccount/err_test.go
deleted file mode 100644
index 687380d71..000000000
--- a/google/externalaccount/err_test.go
+++ /dev/null
@@ -1,19 +0,0 @@
-// Copyright 2020 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package externalaccount
-
-import "testing"
-
-func TestError(t *testing.T) {
- e := Error{
- "42",
- "http:thisIsAPlaceholder",
- "The Answer!",
- }
- want := "got error code 42 from http:thisIsAPlaceholder: The Answer!"
- if got := e.Error(); got != want {
- t.Errorf("Got error message %q; want %q", got, want)
- }
-}
diff --git a/google/externalaccount/programmaticrefreshcredsource.go b/google/externalaccount/programmaticrefreshcredsource.go
index 6808930e1..f7c795fea 100644
--- a/google/externalaccount/programmaticrefreshcredsource.go
+++ b/google/externalaccount/programmaticrefreshcredsource.go
@@ -1,4 +1,4 @@
-// Copyright 2023 The Go Authors. All rights reserved.
+// Copyright 2024 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
diff --git a/google/externalaccount/programmaticrefreshcredsource_test.go b/google/externalaccount/programmaticrefreshcredsource_test.go
index dc9d2333e..ae9e4d801 100644
--- a/google/externalaccount/programmaticrefreshcredsource_test.go
+++ b/google/externalaccount/programmaticrefreshcredsource_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020 The Go Authors. All rights reserved.
+// Copyright 2024 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
@@ -18,12 +18,6 @@ func TestRetrieveSubjectToken_ProgrammaticAuth(t *testing.T) {
 return "subjectToken", nil
 }
- oldNow := now
- defer func() {
- now = oldNow
- }()
- now = setTime(defaultTime)
-
 base, err := tfc.parse(context.Background())
 if err != nil {
 t.Fatalf("parse() failed %v", err)