Add TokenProvider::email() method

Author: djc

src/config_default_credentials.rs

@@ -89,6 +89,12 @@ impl TokenProvider for ConfigDefaultCredentials {
         Ok(token)
     }
 
+    async fn email(&self) -> Result<String, Error> {
+        let token = self.token(&[]).await?;
+        let info = self.client.token_info(&token).await?;
+        Ok(info.email)
+    }
+
     async fn project_id(&self) -> Result<Arc<str>, Error> {
         self.credentials
             .quota_project_id

src/custom_service_account.rs

@@ -132,6 +132,10 @@ impl TokenProvider for CustomServiceAccount {
         return Ok(token);
     }
 
+    async fn email(&self) -> Result<String, Error> {
+        Ok(self.credentials.client_email.clone())
+    }
+
     async fn project_id(&self) -> Result<Arc<str>, Error> {
         match &self.credentials.project_id {
             Some(pid) => Ok(pid.clone()),

src/gcloud_authorized_user.rs

@@ -51,6 +51,10 @@ impl TokenProvider for GCloudAuthorizedUser {
         Ok(token)
     }
 
+    async fn email(&self) -> Result<String, Error> {
+        run(&["auth", "print-identity-token"])
+    }
+
     async fn project_id(&self) -> Result<Arc<str>, Error> {
         self.project_id
             .clone()

src/lib.rs

@@ -167,6 +167,8 @@ pub trait TokenProvider: Send + Sync {
     /// the current token (for the given scopes) has expired.
     async fn token(&self, scopes: &[&str]) -> Result<Arc<Token>, Error>;
 
+    async fn email(&self) -> Result<String, Error>;
+
     /// Get the project ID for the authentication context
     async fn project_id(&self) -> Result<Arc<str>, Error>;
 }

src/metadata_service_account.rs

@@ -78,6 +78,15 @@ impl TokenProvider for MetadataServiceAccount {
         Ok(token)
     }
 
+    async fn email(&self) -> Result<String, Error> {
+        let email = self
+            .client
+            .request(metadata_request(DEFAULT_SERVICE_ACCOUNT_EMAIL_URI))
+            .await?;
+
+        String::from_utf8(email.to_vec()).map_err(|_| Error::Str("invalid UTF-8 email"))
+    }
+
     async fn project_id(&self) -> Result<Arc<str>, Error> {
         Ok(self.project_id.clone())
     }
@@ -97,3 +106,5 @@ const DEFAULT_PROJECT_ID_GCP_URI: &str =
     "http://metadata.google.internal/computeMetadata/v1/project/project-id";
 const DEFAULT_TOKEN_GCP_URI: &str =
     "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token";
+const DEFAULT_SERVICE_ACCOUNT_EMAIL_URI: &str =
+    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email";

src/types.rs

@@ -7,6 +7,7 @@ use std::{env, fmt};
 
 use bytes::Buf;
 use chrono::{DateTime, Utc};
+use http::Method;
 use http_body_util::{BodyExt, Full};
 use hyper::body::Bytes;
 use hyper::Request;
@@ -69,6 +70,25 @@ impl HttpClient {
             .map_err(|err| Error::Json("failed to deserialize token from response", err))
     }
 
+    pub(crate) async fn token_info(&self, token: &Token) -> Result<TokenInfo, Error> {
+        let req = Request::builder()
+            .method(Method::GET)
+            .uri(format!(
+                "https://oauth2.googleapis.com/tokeninfo?access_token={}",
+                token.as_str()
+            ))
+            .body(Full::from(Bytes::new()))
+            .map_err(|err| Error::Other("failed to build HTTP request", Box::new(err)))?;
+
+        let body = self
+            .request(req)
+            .await
+            .map_err(|err| Error::Other("failed to fetch token info", Box::new(err)))?;
+
+        serde_json::from_slice(&body)
+            .map_err(|err| Error::Json("failed to deserialize token info from response", err))
+    }
+
     pub(crate) async fn request(&self, req: Request<Full<Bytes>>) -> Result<Bytes, Error> {
         debug!(url = ?req.uri(), "requesting token");
         let (parts, body) = self
@@ -296,6 +316,11 @@ impl fmt::Debug for AuthorizedUserRefreshToken {
     }
 }
 
+#[derive(Deserialize)]
+pub(crate) struct TokenInfo {
+    pub(crate) email: String,
+}
+
 /// How many times to attempt to fetch a token from the set credentials token endpoint.
 const RETRY_COUNT: u8 = 5;