// Copyright 2021 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
package auth
import (
"encoding/base64"
"encoding/json"
"fmt"
"io"
"io/ioutil"
"net/http"
"strings"
"time"
)
// DashboardAudience is the value the identity token's "aud" claim is minted
// for. RetrieveJwtToken requests a token scoped to this audience, i.e. to the
// official dashboard, rather than a general-purpose token.
const DashboardAudience = "https://syzkaller.appspot.com/api"
// ExpiringToken is a bearer token together with the point in time after which
// it should no longer be presented.
//
// Field order matters: callers may construct this type with a positional
// literal, so Token must stay first and Expiration second.
type ExpiringToken struct {
	// Token is the raw token string, sent as-is (e.g. as a bearer credential).
	Token string
	// Expiration is when the token stops being valid; for a JWT this is the
	// "exp" claim as read by extractJwtExpiration, without any clock skew.
	Expiration time.Time
}
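// extractJwtExpiration returns the "exp" claim of the given JWT as a time.Time.
//
// The token is NOT verified: the signature segment is ignored and the payload
// is decoded as-is. That is acceptable here only because the value is used to
// decide when to refresh a token we obtained ourselves from the metadata
// server (see RetrieveJwtToken); the dashboard is the party that must validate
// the signature and claims. Never use this function for an access-control
// decision.
//
// An error is returned when the token does not have exactly three
// dot-separated JWS segments, when the payload is not unpadded base64url or
// not JSON, or when the "exp" claim is absent or not a positive integer.
// A missing claim is reported as an error rather than mapped to a sentinel
// timestamp so that callers cannot mistake "unknown" for "expired long ago".
func extractJwtExpiration(token string) (time.Time, error) {
	// https://datatracker.ietf.org/doc/html/rfc7519#section-3
	pieces := strings.Split(token, ".")
	if len(pieces) != 3 {
		return time.Time{}, fmt.Errorf("unexpected number of JWT components %v", len(pieces))
	}
	// JWS segments are base64url without padding (RFC 7515 section 2);
	// padded or standard-alphabet input is rejected rather than guessed at.
	decoded, err := base64.RawURLEncoding.DecodeString(pieces[1])
	if err != nil {
		return time.Time{}, fmt.Errorf("decoding JWT payload: %w", err)
	}
	// A pointer distinguishes "claim absent" from "claim present and zero".
	// RFC 7519 permits a fractional NumericDate; json.Unmarshal into int64
	// rejects that, which is fine for the integer timestamps expected here.
	var claims struct {
		Expiration *int64 `json:"exp"`
	}
	if err := json.Unmarshal(decoded, &claims); err != nil {
		return time.Time{}, fmt.Errorf("parsing JWT claims: %w", err)
	}
	if claims.Expiration == nil {
		return time.Time{}, fmt.Errorf("JWT has no exp claim")
	}
	if *claims.Expiration <= 0 {
		return time.Time{}, fmt.Errorf("JWT has invalid exp claim %v", *claims.Expiration)
	}
	return time.Unix(*claims.Expiration, 0), nil
}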
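// RetrieveJwtToken queries the GCE metadata server and returns the identity
// (bearer) token of the instance's default service account, scoped to
// DashboardAudience so that it is only meaningful to the official dashboard.
//
// ctor and doer have the same types as http.NewRequest and
// http.DefaultClient.Do; they are injected so the transport can be stubbed.
//
// Security notes:
//   - The request is plain HTTP on purpose: metadata.google.internal is the
//     link-local metadata service that is only reachable from inside the VM.
//   - The "Metadata-Flavor: Google" header is required by the metadata
//     server, which refuses requests without it; this keeps the endpoint from
//     being reached by generic HTTP clients (for example via a redirect).
//   - The response body is capped at maxMetadataResponse bytes so a
//     misbehaving endpoint cannot make us buffer an arbitrarily large body.
//
// The returned token is a signed JWT; only its unverified "exp" claim is read
// here (see extractJwtExpiration) so the caller knows when to fetch a fresh
// one. A transport error, a non-200 status, an oversized body, or a token whose
// expiration cannot be parsed is returned as an error. The error for a non-200
// status carries the response body, which in that case is the metadata
// server's error text, not a token.
func RetrieveJwtToken(ctor func(method, url string, body io.Reader) (*http.Request, error),
	doer func(req *http.Request) (*http.Response, error)) (*ExpiringToken, error) {
	const (
		v1meta = "http://metadata.google.internal/computeMetadata/v1"
		// Identity tokens are a few KB; 1 MiB is a generous upper bound.
		maxMetadataResponse = 1 << 20
	)
	endpoint := v1meta + "/instance/service-accounts/default/identity?audience=" + DashboardAudience
	req, err := ctor("GET", endpoint, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Add("Metadata-Flavor", "Google")
	resp, err := doer(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	// Read one byte past the cap so truncation is detected instead of being
	// silently turned into a confusing JWT parse error.
	data, err := ioutil.ReadAll(io.LimitReader(resp.Body, maxMetadataResponse+1))
	if err != nil {
		return nil, err
	}
	if len(data) > maxMetadataResponse {
		return nil, fmt.Errorf("metadata response exceeds %v bytes", maxMetadataResponse)
	}
	token := string(data)
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("failed metadata get %v: %s", resp.Status, token)
	}
	expiration, err := extractJwtExpiration(token)
	if err != nil {
		return nil, fmt.Errorf("parsing metadata identity token: %w", err)
	}
	return &ExpiringToken{Token: token, Expiration: expiration}, nil
}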