github.com/thiagoyeds/go-cloud@v0.26.0/blob/gcsblob/iam.go (about) 1 // Copyright 2020 The Go Cloud Development Kit Authors 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // https://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // This is an implementation for Options.MakeSignBytes 16 // that serves as example for how to keep a private key in a separate 17 // process, service, or HSM/TPM, yet use it as signer for blob.Bucket. 18 19 package gcsblob 20 21 import ( 22 "context" 23 "sync" 24 25 credentials "cloud.google.com/go/iam/credentials/apiv1" 26 gax "github.com/googleapis/gax-go/v2" 27 credentialspb "google.golang.org/genproto/googleapis/iam/credentials/v1" 28 ) 29 30 // credentialsClient wraps the IAM Credentials API client for a lazy initialization 31 // and expresses it in the reduced format expected by SignBytes. 32 // See https://cloud.google.com/iam/docs/reference/credentials/rest 33 type credentialsClient struct { 34 init sync.Once 35 err error 36 37 // client as reduced surface of credentials.IamCredentialsClient 38 // enables us to use a mock in tests. 39 client interface { 40 SignBlob(context.Context, *credentialspb.SignBlobRequest, ...gax.CallOption) (*credentialspb.SignBlobResponse, error) 41 } 42 } 43 44 // CreateMakeSignBytesWith produces a MakeSignBytes variant from an expanded parameter set. 45 // It essentially adapts a remote call to the IAM Credentials API 46 // to the function signature expected by storage.SignedURLOptions.SignBytes. 47 func (c *credentialsClient) CreateMakeSignBytesWith(lifetimeCtx context.Context, googleAccessID string) func(context.Context) SignBytesFunc { 48 return func(requestCtx context.Context) SignBytesFunc { 49 c.init.Do(func() { 50 if c.client != nil { 51 // Set previously, likely to a mock implementation for tests. 52 return 53 } 54 c.client, c.err = credentials.NewIamCredentialsClient(lifetimeCtx) 55 }) 56 57 return func(p []byte) ([]byte, error) { 58 if c.err != nil { 59 return nil, c.err 60 } 61 62 resp, err := c.client.SignBlob( 63 requestCtx, 64 &credentialspb.SignBlobRequest{ 65 Name: googleAccessID, 66 Payload: p, 67 }) 68 if err != nil { 69 return nil, err 70 } 71 return resp.GetSignedBlob(), nil 72 } 73 } 74 }