go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/gce/vmtoken/client/client.go

go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/gce/vmtoken/client/client.go (about)

     1  // Copyright 2019 The LUCI Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Package client implements client-side fetch and transmission of signed GCE VM
    16  // metadata tokens.
    17  package client
    18  
    19  import (
    20  	"fmt"
    21  	"net/http"
    22  	"net/url"
    23  
    24  	"cloud.google.com/go/compute/metadata"
    25  
    26  	"go.chromium.org/luci/auth"
    27  
    28  	"go.chromium.org/luci/gce/vmtoken"
    29  )
    30  
    31  // NewClient returns an *http.Client which sets a GCE VM metadata token in the
    32  // Header of an *http.Request during Do. The audience for the token is the
    33  // *http.Request.URL.Host.
    34  func NewClient(meta *metadata.Client, acc string) *http.Client {
    35  	return &http.Client{
    36  		Transport: newRoundTripper(meta, acc),
    37  	}
    38  }
    39  
    40  func newRoundTripper(meta *metadata.Client, acc string) http.RoundTripper {
    41  	return auth.NewModifyingTransport(http.DefaultTransport, newTokenInjector(meta, acc))
    42  }
    43  
    44  // tokMetadata is the metadata path which returns VM tokens.
    45  const tokMetadata = "instance/service-accounts/%s/identity?audience=%s&format=full"
    46  
    47  // newTokenInjector returns a function which can modify the Header of an
    48  // *http.Request to include a GCE VM metadata token for the given account.
    49  func newTokenInjector(meta *metadata.Client, acc string) func(*http.Request) error {
    50  	if acc == "" {
    51  		acc = "default"
    52  	}
    53  	acc = url.PathEscape(acc)
    54  	return func(req *http.Request) error {
    55  		aud := fmt.Sprintf("%s://%s", req.URL.Scheme, req.URL.Host)
    56  		aud = url.QueryEscape(aud)
    57  		// TODO(smut): Cache the token and reuse if not yet expired.
    58  		// Currently the only user of this package only makes one
    59  		// request per boot so caching isn't too important yet.
    60  		tok, err := meta.Get(fmt.Sprintf(tokMetadata, acc, aud))
    61  		if err != nil {
    62  			return err
    63  		}
    64  		req.Header.Set(vmtoken.Header, tok)
    65  		return nil
    66  	}
    67  }