Merge pull request #1321 from UgnineSirdis/init-oauth2-credentials-from-config

Load OAuth 2.0 token exchange credentials provider from config file

Author: asmyasnikov

CHANGELOG.md

@@ -1,4 +1,6 @@
 * Added `query.ResultSet.Index()` method
+* Support loading OAuth 2.0 token exchange credentials provider from config file
+* Added options for JWT tokens for loading EC private keys and HMAC secrets
 
 ## v3.74.5
 * Fixed bug with reading empty result set parts.
@@ -8,11 +10,11 @@
 * Fixed bug with fail cast of grpc response to `operation.{Response,Status}`
 
 ## v3.74.3
-* Removed check the node is available for query and table service sessions 
+* Removed check the node is available for query and table service sessions
 * Refactored the `balancers.PreferLocations()` function - it is a clean/pure function
 * Added experimental `balancers.WithNodeID()` context modifier for define per request the YDB endpoint by NodeID
 * Reverted the allowing the casts from signed YDB types to unsigned destination types if source value is not negative
-* Replaced internal query session pool by default to stub for exclude impact from internal/pool 
+* Replaced internal query session pool by default to stub for exclude impact from internal/pool
 
 ## v3.74.2
 * Added description to scan errors with use query service client scanner
@@ -61,7 +63,7 @@
 ## v3.68.0
 * Added experimental `ydb.{Register,Unregister}DsnParser` global funcs for register/unregister external custom DSN parser for `ydb.Open` and `sql.Open` driver constructor
 * Simple implement option WithReaderWithoutConsumer
-* Fixed bug: topic didn't send specified partition number to a server 
+* Fixed bug: topic didn't send specified partition number to a server
 
 ## v3.67.2
 * Fixed incorrect formatting of decimal. Implementation of decimal has been reverted to latest working version
@@ -86,12 +88,12 @@
 * Added Flush method for topic writer
 
 ## v3.66.0
-* Added experimental package `retry/budget` for limit second and subsequent retry attempts 
+* Added experimental package `retry/budget` for limit second and subsequent retry attempts
 * Refactored internals for enabling `containedctx` linter
 * Fixed the hanging semaphore issue on coordination session reconnect
 
 ## v3.65.3
-* Fixed data race in `internal/conn.grpcClientStream` 
+* Fixed data race in `internal/conn.grpcClientStream`
 
 ## v3.65.2
 * Fixed data race using `log.WithNames`

credentials/credentials.go

@@ -43,6 +43,57 @@ func NewOauth2TokenExchangeCredentials(
 	return credentials.NewOauth2TokenExchangeCredentials(opts...)
 }
 
+/*
+NewOauth2TokenExchangeCredentialsFile makes OAuth 2.0 token exchange protocol credentials object from config file
+https://www.rfc-editor.org/rfc/rfc8693
+Config file must be a valid json file
+
+Fields of json file
+
+	grant-type:           [string] Grant type option (default: "urn:ietf:params:oauth:grant-type:token-exchange")
+	res:                  [string] Resource option (optional)
+	aud:                  [string | list of strings] Audience option for token exchange request (optional)
+	scope:                [string | list of strings] Scope option (optional)
+	requested-token-type: [string] Requested token type option (default: "urn:ietf:params:oauth:token-type:access_token")
+	subject-credentials:  [creds_json] Subject credentials options (optional)
+	actor-credentials:    [creds_json] Actor credentials options (optional)
+	token-endpoint:       [string] Token endpoint
+
+Fields of creds_json (JWT):
+
+	type:                 [string] Token source type. Set JWT
+	alg:                  [string] Algorithm for JWT signature.
+								   Supported algorithms can be listed
+								   with GetSupportedOauth2TokenExchangeJwtAlgorithms()
+	private-key:          [string] (Private) key in PEM format (RSA, EC) or Base64 format (HMAC) for JWT signature
+	kid:                  [string] Key id JWT standard claim (optional)
+	iss:                  [string] Issuer JWT standard claim (optional)
+	sub:                  [string] Subject JWT standard claim (optional)
+	aud:                  [string | list of strings] Audience JWT standard claim (optional)
+	jti:                  [string] JWT ID JWT standard claim (optional)
+	ttl:                  [string] Token TTL (default: 1h)
+
+Fields of creds_json (FIXED):
+
+	type:                 [string] Token source type. Set FIXED
+	token:                [string] Token value
+	token-type:           [string] Token type value. It will become
+								   subject_token_type/actor_token_type parameter
+								   in token exchange request (https://www.rfc-editor.org/rfc/rfc8693)
+*/
+func NewOauth2TokenExchangeCredentialsFile(
+	configFilePath string,
+	opts ...credentials.Oauth2TokenExchangeCredentialsOption,
+) (Credentials, error) {
+	return credentials.NewOauth2TokenExchangeCredentialsFile(configFilePath, opts...)
+}
+
+// GetSupportedOauth2TokenExchangeJwtAlgorithms returns supported algorithms for
+// initializing OAuth 2.0 token exchange protocol credentials from config file
+func GetSupportedOauth2TokenExchangeJwtAlgorithms() []string {
+	return credentials.GetSupportedOauth2TokenExchangeJwtAlgorithms()
+}
+
 // NewJWTTokenSource makes JWT token source for OAuth 2.0 token exchange credentials
 func NewJWTTokenSource(opts ...credentials.JWTTokenSourceOption) (credentials.TokenSource, error) {
 	return credentials.NewJWTTokenSource(opts...)

credentials/options.go

@@ -115,14 +115,19 @@ func WithTokenTTL(ttl time.Duration) credentials.JWTTokenSourceOption {
 	return credentials.WithTokenTTL(ttl)
 }
 
+// KeyID
+func WithKeyID(id string) credentials.JWTTokenSourceOption {
+	return credentials.WithKeyID(id)
+}
+
 // SigningMethod
 func WithSigningMethod(method jwt.SigningMethod) credentials.JWTTokenSourceOption {
 	return credentials.WithSigningMethod(method)
 }
 
-// KeyID
-func WithKeyID(id string) credentials.JWTTokenSourceOption {
-	return credentials.WithKeyID(id)
+// SigningMethod
+func WithSigningMethodName(method string) credentials.JWTTokenSourceOption {
+	return credentials.WithSigningMethodName(method)
 }
 
 // PrivateKey
@@ -131,11 +136,49 @@ func WithPrivateKey(key interface{}) credentials.JWTTokenSourceOption {
 }
 
 // PrivateKey
+// For RSA signing methods: RS256, RS384, RS512, PS256, PS384, PS512
 func WithRSAPrivateKeyPEMContent(key []byte) credentials.JWTTokenSourceOption {
 	return credentials.WithRSAPrivateKeyPEMContent(key)
 }
 
 // PrivateKey
+// For RSA signing methods: RS256, RS384, RS512, PS256, PS384, PS512
 func WithRSAPrivateKeyPEMFile(path string) credentials.JWTTokenSourceOption {
 	return credentials.WithRSAPrivateKeyPEMFile(path)
 }
+
+// PrivateKey
+// For EC signing methods: ES256, ES384, ES512
+func WithECPrivateKeyPEMContent(key []byte) credentials.JWTTokenSourceOption {
+	return credentials.WithECPrivateKeyPEMContent(key)
+}
+
+// PrivateKey
+// For EC signing methods: ES256, ES384, ES512
+func WithECPrivateKeyPEMFile(path string) credentials.JWTTokenSourceOption {
+	return credentials.WithECPrivateKeyPEMFile(path)
+}
+
+// Key
+// For HMAC signing methods: HS256, HS384, HS512
+func WithHMACSecretKey(key []byte) credentials.JWTTokenSourceOption {
+	return credentials.WithHMACSecretKey(key)
+}
+
+// Key
+// For HMAC signing methods: HS256, HS384, HS512
+func WithHMACSecretKeyBase64Content(base64KeyContent string) credentials.JWTTokenSourceOption {
+	return credentials.WithHMACSecretKeyBase64Content(base64KeyContent)
+}
+
+// Key
+// For HMAC signing methods: HS256, HS384, HS512
+func WithHMACSecretKeyFile(path string) credentials.JWTTokenSourceOption {
+	return credentials.WithHMACSecretKeyFile(path)
+}
+
+// Key
+// For HMAC signing methods: HS256, HS384, HS512
+func WithHMACSecretKeyBase64File(path string) credentials.JWTTokenSourceOption {
+	return credentials.WithHMACSecretKeyBase64File(path)
+}