Add TokenProvider::email() method

djc · djc · commit 488627ce190c · 2024-07-11T13:48:09.000+02:00
diff --git a/src/config_default_credentials.rs b/src/config_default_credentials.rs
@@ -89,6 +89,12 @@ impl TokenProvider for ConfigDefaultCredentials {
         Ok(token)
     }
 
+    async fn email(&self) -> Result<String, Error> {
+        let token = self.token(&[]).await?;
+        let info = self.client.token_info(&token).await?;
+        Ok(info.email)
+    }
+
     async fn project_id(&self) -> Result<Arc<str>, Error> {
         self.credentials
             .quota_project_id
diff --git a/src/custom_service_account.rs b/src/custom_service_account.rs
@@ -132,6 +132,10 @@ impl TokenProvider for CustomServiceAccount {
         return Ok(token);
     }
 
+    async fn email(&self) -> Result<String, Error> {
+        Ok(self.credentials.client_email.clone())
+    }
+
     async fn project_id(&self) -> Result<Arc<str>, Error> {
         match &self.credentials.project_id {
             Some(pid) => Ok(pid.clone()),
diff --git a/src/gcloud_authorized_user.rs b/src/gcloud_authorized_user.rs
@@ -51,6 +51,10 @@ impl TokenProvider for GCloudAuthorizedUser {
         Ok(token)
     }
 
+    async fn email(&self) -> Result<String, Error> {
+        run(&["auth", "print-identity-token"])
+    }
+
     async fn project_id(&self) -> Result<Arc<str>, Error> {
         self.project_id
             .clone()
diff --git a/src/lib.rs b/src/lib.rs
@@ -167,6 +167,8 @@ pub trait TokenProvider: Send + Sync {
     /// the current token (for the given scopes) has expired.
     async fn token(&self, scopes: &[&str]) -> Result<Arc<Token>, Error>;
 
+    async fn email(&self) -> Result<String, Error>;
+
     /// Get the project ID for the authentication context
     async fn project_id(&self) -> Result<Arc<str>, Error>;
 }
diff --git a/src/metadata_service_account.rs b/src/metadata_service_account.rs
@@ -78,6 +78,17 @@ impl TokenProvider for MetadataServiceAccount {
         Ok(token)
     }
 
+    async fn email(&self) -> Result<String, Error> {
+        let email = self
+            .client
+            .request(
+                metadata_request(DEFAULT_SERVICE_ACCOUNT_EMAIL_URI),
+            )
+            .await?;
+
+        String::from_utf8(email.to_vec()).map_err(|_| Error::Str("invalid UTF-8 email"))
+    }
+
     async fn project_id(&self) -> Result<Arc<str>, Error> {
         Ok(self.project_id.clone())
     }
@@ -97,3 +108,5 @@ const DEFAULT_PROJECT_ID_GCP_URI: &str =
     "http://metadata.google.internal/computeMetadata/v1/project/project-id";
 const DEFAULT_TOKEN_GCP_URI: &str =
     "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token";
+const DEFAULT_SERVICE_ACCOUNT_EMAIL_URI: &str =
+    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email";
diff --git a/src/types.rs b/src/types.rs
@@ -7,6 +7,7 @@ use std::{env, fmt};
 
 use bytes::Buf;
 use chrono::{DateTime, Utc};
+use http::Method;
 use http_body_util::{BodyExt, Full};
 use hyper::body::Bytes;
 use hyper::Request;
@@ -69,10 +70,26 @@ impl HttpClient {
             .map_err(|err| Error::Json("failed to deserialize token from response", err))
     }
 
-    pub(crate) async fn request(
-        &self,
-        req: Request<Full<Bytes>>,
-    ) -> Result<Bytes, Error> {
+    pub(crate) async fn token_info(&self, token: &Token) -> Result<TokenInfo, Error> {
+        let req = Request::builder()
+            .method(Method::GET)
+            .uri(format!(
+                "https://oauth2.googleapis.com/tokeninfo?access_token={}",
+                token.as_str()
+            ))
+            .body(Full::from(Bytes::new()))
+            .map_err(|err| Error::Other("failed to build HTTP request", Box::new(err)))?;
+
+        let body = self
+            .request(req)
+            .await
+            .map_err(|err| Error::Other("failed to fetch token info", Box::new(err)))?;
+
+        serde_json::from_slice(&body)
+            .map_err(|err| Error::Json("failed to deserialize token info from response", err))
+    }
+
+    pub(crate) async fn request(&self, req: Request<Full<Bytes>>) -> Result<Bytes, Error> {
         debug!(url = ?req.uri(), "requesting token");
         let (parts, body) = self
             .inner
@@ -299,6 +316,11 @@ impl fmt::Debug for AuthorizedUserRefreshToken {
     }
 }
 
+#[derive(Deserialize)]
+pub(crate) struct TokenInfo {
+    pub(crate) email: String,
+}
+
 /// How many times to attempt to fetch a token from the set credentials token endpoint.
 const RETRY_COUNT: u8 = 5;
 

Original file line number	Diff line number	Diff line change
`@@ -167,6 +167,8 @@ pub trait TokenProvider: Send + Sync {`
`167`	`167`	`/// the current token (for the given scopes) has expired.`
`168`	`168`	`async fn token(&self, scopes: &[&str]) -> Result<Arc<Token>, Error>;`
`169`	`169`
	`170`	`+ async fn email(&self) -> Result<String, Error>;`
	`171`	`+`
`170`	`172`	`/// Get the project ID for the authentication context`
`171`	`173`	`async fn project_id(&self) -> Result<Arc<str>, Error>;`
`172`	`174`	`}`