Move Claims type into custom_service_account

djc · djc · commit d1e8e4e5e190 · 2024-04-09T23:03:08.000+02:00
diff --git a/src/custom_service_account.rs b/src/custom_service_account.rs
@@ -4,6 +4,8 @@ use std::path::{Path, PathBuf};
 use std::sync::RwLock;
 
 use async_trait::async_trait;
+use base64::{engine::general_purpose::URL_SAFE, Engine};
+use chrono::Utc;
 use serde::{Deserialize, Serialize};
 use tracing::{instrument, Level};
 
@@ -95,8 +97,6 @@ impl ServiceAccount for CustomServiceAccount {
 
     #[instrument(level = Level::DEBUG)]
     async fn refresh_token(&self, client: &HyperClient, scopes: &[&str]) -> Result<Token, Error> {
-        use crate::jwt::Claims;
-        use crate::jwt::GRANT_TYPE;
         use hyper::header;
         use url::form_urlencoded;
 
@@ -136,6 +136,57 @@ impl ServiceAccount for CustomServiceAccount {
     }
 }
 
+/// Permissions requested for a JWT.
+/// See https://developers.google.com/identity/protocols/OAuth2ServiceAccount#authorizingrequests.
+#[derive(Serialize, Debug)]
+pub(crate) struct Claims<'a> {
+    iss: &'a str,
+    aud: &'a str,
+    exp: i64,
+    iat: i64,
+    sub: Option<&'a str>,
+    scope: String,
+}
+
+impl<'a> Claims<'a> {
+    pub(crate) fn new(
+        key: &'a ApplicationCredentials,
+        scopes: &[&str],
+        sub: Option<&'a str>,
+    ) -> Self {
+        let mut scope = String::with_capacity(16);
+        for (i, s) in scopes.iter().enumerate() {
+            if i != 0 {
+                scope.push(' ');
+            }
+
+            scope.push_str(s);
+        }
+
+        let iat = Utc::now().timestamp();
+        Claims {
+            iss: &key.client_email,
+            aud: &key.token_uri,
+            exp: iat + 3600 - 5, // Max validity is 1h
+            iat,
+            sub,
+            scope,
+        }
+    }
+
+    pub(crate) fn to_jwt(&self, signer: &Signer) -> Result<String, Error> {
+        let mut jwt = String::new();
+        URL_SAFE.encode_string(GOOGLE_RS256_HEAD, &mut jwt);
+        jwt.push('.');
+        URL_SAFE.encode_string(&serde_json::to_string(self).unwrap(), &mut jwt);
+
+        let signature = signer.sign(jwt.as_bytes())?;
+        jwt.push('.');
+        URL_SAFE.encode_string(&signature, &mut jwt);
+        Ok(jwt)
+    }
+}
+
 #[derive(Serialize, Deserialize, Clone)]
 pub(crate) struct ApplicationCredentials {
     pub(crate) r#type: Option<String>,
@@ -168,5 +219,8 @@ impl fmt::Debug for ApplicationCredentials {
     }
 }
 
+pub(crate) const GRANT_TYPE: &str = "urn:ietf:params:oauth:grant-type:jwt-bearer";
+const GOOGLE_RS256_HEAD: &str = r#"{"alg":"RS256","typ":"JWT"}"#;
+
 /// How many times to attempt to fetch a token from the set credentials token endpoint.
 const RETRY_COUNT: u8 = 5;
diff --git a/src/jwt.rs b/src/jwt.rs
diff --git a/src/lib.rs b/src/lib.rs
@@ -95,7 +95,6 @@ mod default_authorized_user;
 mod default_service_account;
 mod error;
 mod gcloud_authorized_user;
-mod jwt;
 mod types;
 mod util;
 
