djc · msdrigg · Aug 18, 2023 · Aug 18, 2023
diff --git a/Cargo.toml b/Cargo.toml
@@ -26,7 +26,7 @@ rustls-pemfile = "1.0.0"
 serde = { version = "1.0", features = ["derive", "rc"] }
 serde_json = "1.0"
 thiserror = "1.0"
-time = { version = "0.3.5", features = ["serde"] }
+time = { version = "0.3.5", features = ["serde", "parsing"] }
 tokio = { version = "1.1", features = ["fs", "sync"] }
 tracing = "0.1.29"
 tracing-futures = "0.2.5"

diff --git a/src/authentication_manager.rs b/src/authentication_manager.rs
@@ -2,9 +2,9 @@ use async_trait::async_trait;
 use tokio::sync::Mutex;
 
 use crate::custom_service_account::CustomServiceAccount;
-use crate::default_authorized_user::ConfigDefaultCredentials;
 use crate::default_service_account::MetadataServiceAccount;
 use crate::error::Error;
+use crate::flexible_credential_source::FlexibleCredentialSource;
 use crate::gcloud_authorized_user::GCloudAuthorizedUser;
 use crate::types::{self, HyperClient, Token};
 
@@ -43,15 +43,25 @@ impl AuthenticationManager {
     #[tracing::instrument]
     pub async fn new() -> Result<Self, Error> {
         tracing::debug!("Initializing gcp_auth");
-        if let Some(service_account) = CustomServiceAccount::from_env()? {
-            return Ok(service_account.into());
+        let client = types::client();
+        if let Some(service_account) = FlexibleCredentialSource::from_env().await? {
+            tracing::debug!("Using GOOGLE_APPLICATION_CREDENTIALS env");
+
+            return Ok(Self {
+                service_account: service_account.try_into_service_account(&client).await?,
+                client,
+                refresh_mutex: Mutex::new(()),
+            });
         }
 
-        let client = types::client();
-        let default_user_error = match ConfigDefaultCredentials::new(&client).await {
+        let default_user_error = match FlexibleCredentialSource::from_default_credentials().await {
             Ok(service_account) => {
                 tracing::debug!("Using ConfigDefaultCredentials");
-                return Ok(Self::build(client, service_account));
+                return Ok(Self {
+                    service_account: service_account.try_into_service_account(&client).await?,
+                    client,
+                    refresh_mutex: Mutex::new(()),
+                });
             }
             Err(e) => e,
         };

diff --git a/src/custom_service_account.rs b/src/custom_service_account.rs
@@ -54,7 +54,7 @@ impl CustomServiceAccount {
         }
     }
 
-    fn new(credentials: ApplicationCredentials) -> Result<Self, Error> {
+    pub(crate) fn new(credentials: ApplicationCredentials) -> Result<Self, Error> {
         Ok(Self {
             signer: Signer::new(&credentials.private_key)?,
             credentials,
@@ -137,7 +137,6 @@ impl ServiceAccount for CustomServiceAccount {
 
 #[derive(Serialize, Deserialize, Clone)]
 pub(crate) struct ApplicationCredentials {
-    pub(crate) r#type: Option<String>,
     /// project_id
     pub(crate) project_id: Option<String>,
     /// private_key_id

diff --git a/src/default_authorized_user.rs b/src/default_authorized_user.rs
@@ -1,4 +1,3 @@
-use std::fs;
 use std::sync::RwLock;
 
 use async_trait::async_trait;
@@ -19,18 +18,11 @@ pub(crate) struct ConfigDefaultCredentials {
 
 impl ConfigDefaultCredentials {
     const DEFAULT_TOKEN_GCP_URI: &'static str = "https://accounts.google.com/o/oauth2/token";
-    const USER_CREDENTIALS_PATH: &'static str =
-        ".config/gcloud/application_default_credentials.json";
-
-    pub(crate) async fn new(client: &HyperClient) -> Result<Self, Error> {
-        tracing::debug!("Loading user credentials file");
-        let mut home = dirs_next::home_dir().ok_or(Error::NoHomeDir)?;
-        home.push(Self::USER_CREDENTIALS_PATH);
-
-        let file = fs::File::open(home).map_err(Error::UserProfilePath)?;
-        let credentials = serde_json::from_reader::<_, UserCredentials>(file)
-            .map_err(Error::UserProfileFormat)?;
 
+    pub(crate) async fn from_user_credentials(
+        credentials: UserCredentials,
+        client: &HyperClient,
+    ) -> Result<Self, Error> {
         Ok(Self {
             token: RwLock::new(Self::get_token(&credentials, client).await?),
             credentials,
@@ -105,7 +97,7 @@ struct RefreshRequest<'a> {
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone)]
-struct UserCredentials {
+pub(crate) struct UserCredentials {
     /// Client id
     pub(crate) client_id: String,
     /// Client secret
@@ -114,8 +106,6 @@ struct UserCredentials {
     pub(crate) quota_project_id: Option<String>,
     /// Refresh Token
     pub(crate) refresh_token: String,
-    /// Type
-    pub(crate) r#type: String,
 }
 
 /// How many times to attempt to fetch a token from the GCP token endpoint.

diff --git a/src/error.rs b/src/error.rs
@@ -96,6 +96,10 @@ pub enum Error {
     #[error("Failed to parse output of GCloud")]
     GCloudParseError,
 
+    /// Currently, nested service account impersonation is not supported
+    #[error("Nested impersonation is not supported")]
+    NestedImpersonation,
+
     /// Represents all other cases of `std::io::Error`.
     #[error(transparent)]
     IOError(#[from] std::io::Error),