// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package gcpsak contains a Veles Secret type, a Detector, and a Validator for
// GCP service account keys.
package gcpsak

// GCPSAK is a Veles Secret that holds relevant information for a GCP Service
// Account Key.
// It only contains fields necessary for identification and validation.
//
// The struct itself has no field for the private key: validation relies on
// Signature, and the raw key can only appear in Extra.PrivateKey, which is
// documented as not populated by default.
type GCPSAK struct {
	// PrivateKeyID is the globally unique identifier of the service account key.
	PrivateKeyID string
	// ServiceAccount is the identifier of the service account the key belongs to.
	// It has the structure of an email and is called the "client_email" in the
	// SAK JSON representation.
	ServiceAccount string
	// Signature is a cryptographic signature obtained by using a found GCP SAK's
	// private key to sign a static payload. This is used for out-of-band
	// validation.
	// Carrying the signature rather than the key lets a finding be checked
	// later without the private key being kept in this struct.
	Signature []byte

	// Extra contains optional fields that a Detector can extract but that are not
	// technically required to validate a GCPSAK.
	// It is a pointer and may be nil, so callers should check for nil before
	// reading its fields.
	Extra *ExtraFields
}

// ExtraFields are optional fields for a GCPSAK that a Detector can extract but
// that are not technically required to validate the key.
// The field names appear to mirror the members of a service account key JSON
// file (ProjectID for "project_id", and so on); the mapping is done by the
// Detector and should be confirmed there.
// NOTE(review): these values are extracted by a Detector from scanned content,
// so consumers should treat them as untrusted input. In particular the URL
// fields should be validated before anything fetches them; confirm how the
// Validator uses them.
type ExtraFields struct {
	Type                    string // should always be "service_account"
	ProjectID               string
	ClientID                string
	AuthURI                 string
	TokenURI                string
	AuthProviderX509CertURL string
	ClientX509CertURL       string
	UniverseDomain          string

	// PrivateKey contains the raw private key for the GCP SAK. This field is not
	// populated by default because it creates the risk of accidentally leaking
	// the key.
	// When it is populated, the whole value is secret material. This
	// declaration carries no struct tags, so printing the struct (for example
	// with %+v) or encoding it with default settings would include the key.
	// Keep it out of logs, error messages and reports.
	PrivateKey string
}