package gosdk
import (
"github.com/nebius/gosdk/auth"
)
// Credentials selects how outgoing gRPC requests are authenticated.
// Authentication can be switched off for an individual request with the
// [auth.Disable] call option.
//
// The only method is unexported, so implementations can be declared only
// inside this package; callers obtain a value from one of the constructor
// functions that return Credentials.
type Credentials interface {
	credentials()
}
// NoCredentials returns the default [Credentials], under which authentication
// is disabled.
//
// NOTE(review): how the SDK treats this value is not visible here; presumably
// requests are sent without an authorization header — confirm before relying
// on it against an endpoint that requires authentication.
func NoCredentials() Credentials {
	var none credsNoCreds
	return none
}
// IAMToken returns [Credentials] that authenticate with a fixed token supplied
// by the caller, held as an [auth.StaticBearerToken].
//
// Nothing in this function validates the token: an empty string is accepted
// as-is.
//
// NOTE(review): no refresh is visible for a static token, so rotation is
// presumably the caller's job — confirm against auth.StaticBearerToken. The
// argument is a secret; load it from a secret store or the environment rather
// than a literal in source.
func IAMToken(token string) Credentials {
	static := auth.StaticBearerToken(token)
	return credsTokener{tokener: static}
}
// CustomTokener returns [Credentials] backed by a caller-provided
// [auth.BearerTokener] implementation.
//
// The tokener is stored exactly as given; a nil value is not rejected here.
func CustomTokener(tokener auth.BearerTokener) Credentials {
	var c credsTokener
	c.tokener = tokener
	return c
}
// CustomAuthenticator returns [Credentials] backed by a caller-provided
// [auth.Authenticator] implementation.
//
// The authenticator is stored exactly as given; a nil value is not rejected
// here.
func CustomAuthenticator(auth auth.Authenticator) Credentials {
	// The parameter shadows the imported auth package inside this body, so
	// only the parameter value is reachable under that name here.
	var c credsAuthenticator
	c.auth = auth
	return c
}
// ServiceAccount behaves like [ServiceAccountReader], but takes a constant
// [auth.ServiceAccount] instead of a reader.
//
// The account is converted to an [auth.StaticServiceAccount] and stored
// directly; no caching wrapper is added by this function.
//
// NOTE(review): the service account presumably carries the private key used
// to sign the JWT — keep it out of source control and logs.
func ServiceAccount(account auth.ServiceAccount) Credentials {
	fixed := auth.StaticServiceAccount(account)
	return credsServiceAccount{reader: fixed}
}
// ServiceAccountReader authorizes gRPC requests using an [auth.ServiceAccount]
// obtained from reader.
// A JWT signed with the service account's private key is exchanged at the IAM
// for an [auth.BearerToken].
//
// The [SDK] keeps a valid bearer token available by caching the current one
// and asynchronously requesting a replacement before it expires.
//
// Note: a reader that is already an [*auth.CachedServiceAccount] or an
// [auth.StaticServiceAccount] is stored unchanged. Any other reader is wrapped
// with [auth.NewCachedServiceAccount], so it is used only once.
func ServiceAccountReader(reader auth.ServiceAccountReader) Credentials {
	// These two reader kinds are passed through without a second cache layer.
	if _, isCached := reader.(*auth.CachedServiceAccount); isCached {
		return credsServiceAccount{reader: reader}
	}
	if _, isStatic := reader.(auth.StaticServiceAccount); isStatic {
		return credsServiceAccount{reader: reader}
	}

	// Everything else, including a nil reader, is wrapped in the cache.
	return credsServiceAccount{reader: auth.NewCachedServiceAccount(reader)}
}
// OneOfCredentials lets different requests use different credentials.
// Exactly one [auth.Selector] that is a key of creds must be added to the call
// options to choose the entry to use.
//
// The predefined [auth.Base] and [auth.Propagate] selectors can be used, as
// well as [auth.Select] with a custom name.
//
// The map is not copied: the returned value shares storage with creds, so a
// later change made by the caller is visible through the returned
// [Credentials].
//
// NOTE(review): mutating creds while requests are in flight would presumably
// be a data race — treat the map as read-only after this call.
func OneOfCredentials(creds map[auth.Selector]Credentials) Credentials {
	var selectable credsOneOf = creds
	return selectable
}
// PropagateAuthorizationHeader takes the [auth.AuthorizationHeader] found in
// the incoming gRPC metadata and places it in the outgoing metadata.
//
// NOTE(review): this hands the caller's credential to whichever endpoint the
// outgoing request reaches; confirm that every target is one the original
// caller intended to authenticate to, and that the incoming header has been
// verified before it is relied on.
func PropagateAuthorizationHeader() Credentials {
	var passthrough credsPropagate
	return passthrough
}
// credsNoCreds is the value returned by NoCredentials; it carries no state.
type credsNoCreds struct{}

// credsTokener holds the bearer-token source set by IAMToken or CustomTokener.
type credsTokener struct {
	tokener auth.BearerTokener
}

// credsAuthenticator holds the authenticator set by CustomAuthenticator.
type credsAuthenticator struct {
	auth auth.Authenticator
}

// credsServiceAccount holds the service-account reader set by ServiceAccount
// or ServiceAccountReader.
type credsServiceAccount struct {
	reader auth.ServiceAccountReader
}

// credsOneOf maps each selector to the credentials it picks; OneOfCredentials
// converts the caller's map to this type without copying it.
type credsOneOf map[auth.Selector]Credentials

// credsPropagate is the value returned by PropagateAuthorizationHeader; it
// carries no state.
type credsPropagate struct{}
// The empty credentials methods below exist only so that each concrete type
// satisfies the Credentials interface. Because the method name is unexported,
// no type outside this package can implement Credentials.
func (credsNoCreds) credentials() {}
func (credsTokener) credentials() {}
func (credsAuthenticator) credentials() {}
func (credsServiceAccount) credentials() {}
func (credsOneOf) credentials() {}
func (credsPropagate) credentials() {}