budget-backend/vendor/cloud.google.com/go/auth/internal/transport/s2a.go

// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package transport

import (
	"context"
	"encoding/json"
	"fmt"
	"log"
	"log/slog"
	"os"
	"strconv"
	"sync"

	"cloud.google.com/go/auth/internal/transport/cert"
	"cloud.google.com/go/compute/metadata"
)

const (
	configEndpointSuffix = "instance/platform-security/auto-mtls-configuration"
)

var (
	mtlsConfiguration *mtlsConfig

	mtlsOnce sync.Once
)

// GetS2AAddress returns the S2A address to be reached via plaintext connection.
// Returns empty string if not set or invalid.
func GetS2AAddress(logger *slog.Logger) string {
	getMetadataMTLSAutoConfig(logger)
	if !mtlsConfiguration.valid() {
		return ""
	}
	return mtlsConfiguration.S2A.PlaintextAddress
}

// GetMTLSS2AAddress returns the S2A address to be reached via MTLS connection.
// Returns empty string if not set or invalid.
func GetMTLSS2AAddress(logger *slog.Logger) string {
	getMetadataMTLSAutoConfig(logger)
	if !mtlsConfiguration.valid() {
		return ""
	}
	return mtlsConfiguration.S2A.MTLSAddress
}

// mtlsConfig contains the configuration for establishing MTLS connections with Google APIs.
type mtlsConfig struct {
	S2A *s2aAddresses `json:"s2a"`
}

func (c *mtlsConfig) valid() bool {
	return c != nil && c.S2A != nil
}

// s2aAddresses contains the plaintext and/or MTLS S2A addresses.
type s2aAddresses struct {
	// PlaintextAddress is the plaintext address to reach S2A
	PlaintextAddress string `json:"plaintext_address"`
	// MTLSAddress is the MTLS address to reach S2A
	MTLSAddress string `json:"mtls_address"`
}

func getMetadataMTLSAutoConfig(logger *slog.Logger) {
	var err error
	mtlsOnce.Do(func() {
		mtlsConfiguration, err = queryConfig(logger)
		if err != nil {
			log.Printf("Getting MTLS config failed: %v", err)
		}
	})
}

var httpGetMetadataMTLSConfig = func(logger *slog.Logger) (string, error) {
	metadataClient := metadata.NewWithOptions(&metadata.Options{
		Logger: logger,
	})
	return metadataClient.GetWithContext(context.Background(), configEndpointSuffix)
}

func queryConfig(logger *slog.Logger) (*mtlsConfig, error) {
	resp, err := httpGetMetadataMTLSConfig(logger)
	if err != nil {
		return nil, fmt.Errorf("querying MTLS config from MDS endpoint failed: %w", err)
	}
	var config mtlsConfig
	err = json.Unmarshal([]byte(resp), &config)
	if err != nil {
		return nil, fmt.Errorf("unmarshalling MTLS config from MDS endpoint failed: %w", err)
	}
	if config.S2A == nil {
		return nil, fmt.Errorf("returned MTLS config from MDS endpoint is invalid: %v", config)
	}
	return &config, nil
}

func shouldUseS2A(clientCertSource cert.Provider, opts *Options) bool {
	// If client cert is found, use that over S2A.
	if clientCertSource != nil {
		return false
	}
	// If EXPERIMENTAL_GOOGLE_API_USE_S2A is not set to true, skip S2A.
	if !isGoogleS2AEnabled() {
		return false
	}
	// If DefaultMTLSEndpoint is not set or has endpoint override, skip S2A.
	if opts.DefaultMTLSEndpoint == "" || opts.Endpoint != "" {
		return false
	}
	// If custom HTTP client is provided, skip S2A.
	if opts.Client != nil {
		return false
	}
	// If directPath is enabled, skip S2A.
	return !opts.EnableDirectPath && !opts.EnableDirectPathXds
}

func isGoogleS2AEnabled() bool {
	b, err := strconv.ParseBool(os.Getenv(googleAPIUseS2AEnv))
	if err != nil {
		return false
	}
	return b
}