add trust boundary for ExternalAccountCredentials

Author: bshaffer

src/Credentials/ExternalAccountCredentials.php

@@ -30,10 +30,12 @@
 use Google\Auth\HttpHandler\HttpHandlerFactory;
 use Google\Auth\OAuth2;
 use Google\Auth\ProjectIdProviderInterface;
+use Google\Auth\TrustBoundaryTrait;
 use Google\Auth\UpdateMetadataInterface;
 use Google\Auth\UpdateMetadataTrait;
 use GuzzleHttp\Psr7\Request;
 use InvalidArgumentException;
+use LogicException;
 
 /**
  * **IMPORTANT**:
@@ -51,7 +53,12 @@ class ExternalAccountCredentials implements
     GetUniverseDomainInterface,
     ProjectIdProviderInterface
 {
-    use UpdateMetadataTrait;
+    use UpdateMetadataTrait {
+        updateMetadata as traitUpdateMetadata;
+    }
+    use TrustBoundaryTrait {
+        buildTrustBoundaryLookupUrl as traitBuildTrustBoundaryLookupUrl;
+    }
 
     private const EXTERNAL_ACCOUNT_TYPE = 'external_account';
     private const CLOUD_RESOURCE_MANAGER_URL = 'https://cloudresourcemanager.UNIVERSE_DOMAIN/v1/projects/%s';
@@ -69,10 +76,12 @@ class ExternalAccountCredentials implements
      * @param string|string[] $scope   The scope of the access request, expressed either as an array
      *                                 or as a space-delimited string.
      * @param array<mixed>    $jsonKey JSON credentials as an associative array.
+     * @param bool $enableTrustBoundary Lookup and include the trust boundary header.
      */
     public function __construct(
         $scope,
-        array $jsonKey
+        array $jsonKey,
+        bool $enableTrustBoundary = false
     ) {
         if (!array_key_exists('type', $jsonKey)) {
             throw new InvalidArgumentException('json key is missing the type field');
@@ -114,6 +123,7 @@ public function __construct(
         $this->quotaProject = $jsonKey['quota_project_id'] ?? null;
         $this->workforcePoolUserProject = $jsonKey['workforce_pool_user_project'] ?? null;
         $this->universeDomain = $jsonKey['universe_domain'] ?? GetUniverseDomainInterface::DEFAULT_UNIVERSE_DOMAIN;
+        $this->enableTrustBoundary = $enableTrustBoundary;
 
         $this->auth = new OAuth2([
             'tokenCredentialUri' => $jsonKey['token_url'],
@@ -200,11 +210,8 @@ private static function buildCredentialSource(array $jsonKey): ExternalAccountCr
             }
 
             if ($serviceAccountImpersonationUrl = $jsonKey['service_account_impersonation_url'] ?? null) {
-                // Parse email from URL. The formal looks as follows:
-                // https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/name@project-id.iam.gserviceaccount.com:generateAccessToken
-                $regex = '/serviceAccounts\/(?<email>[^:]+):generateAccessToken$/';
-                if (preg_match($regex, $serviceAccountImpersonationUrl, $matches)) {
-                    $env['GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL'] = $matches['email'];
+                if ($email = self::getServiceAccountImpersonationEmail($serviceAccountImpersonationUrl)) {
+                    $env['GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL'] = $email;
                 }
             }
 
@@ -220,6 +227,18 @@ private static function buildCredentialSource(array $jsonKey): ExternalAccountCr
         throw new InvalidArgumentException('Unable to determine credential source from json key.');
     }
 
+    private static function getServiceAccountImpersonationEmail(string $serviceAccountImpersonationUrl): string|null
+    {
+        // Parse email from URL. The formal looks as follows:
+        // https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/name@project-id.iam.gserviceaccount.com:generateAccessToken
+        $regex = '/serviceAccounts\/(?<email>[^:]+):generateAccessToken$/';
+        if (preg_match($regex, $serviceAccountImpersonationUrl, $matches)) {
+            return $matches['email'];
+        }
+
+        return null;
+    }
+
     /**
      * @param string $stsToken
      * @param callable|null $httpHandler
@@ -290,6 +309,37 @@ public function fetchAuthToken(?callable $httpHandler = null, array $headers = [
         return $stsToken;
     }
 
+    /**
+     * Updates metadata with the authorization token.
+     *
+     * @param array<mixed> $metadata metadata hashmap
+     * @param string $authUri optional auth uri
+     * @param callable|null $httpHandler callback which delivers psr7 request
+     * @return array<mixed> updated metadata hashmap
+     */
+    public function updateMetadata(
+        $metadata,
+        $authUri = null,
+        ?callable $httpHandler = null
+    ) {
+        $metadata = $this->traitUpdateMetadata($metadata, $authUri, $httpHandler);
+
+        if ($this->enableTrustBoundary) {
+            $clientName = $this->serviceAccountImpersonationUrl
+                ? self::getServiceAccountImpersonationEmail($this->serviceAccountImpersonationUrl)
+                : ''; // @TODO: What do we do when this is empty?
+
+            $metadata = $this->updateTrustBoundaryMetadata(
+                $metadata,
+                $this->buildTrustBoundaryLookupUrl(),
+                $this->getUniverseDomain($httpHandler),
+                $httpHandler,
+            );
+        }
+
+        return $metadata;
+    }
+
     /**
      * Get the cache token key for the credentials.
      * The cache token key format depends on the type of source
@@ -391,4 +441,32 @@ private function isWorkforcePool(): bool
         $regex = '#//iam\.googleapis\.com/locations/[^/]+/workforcePools/#';
         return preg_match($regex, $this->auth->getAudience()) === 1;
     }
+
+    /**
+     * Builds and returns the URL for the trust boundary lookup API.
+     */
+    private function buildTrustBoundaryLookupUrl(): string
+    {
+        // Try to parse as a workload identity pool.
+        // Audience format: //iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
+        $regex = '/projects\/([^\/]+)\/locations\/global\/workloadIdentityPools\/([^\/]+)/';
+        if (preg_match($regex, $this->auth->getAudience(), $matches)) {
+            [$_, $projectNumber, $poolId] = $matches;
+
+            return $this->traitBuildTrustBoundaryLookupUrl(
+                poolId: $poolId,
+                projectNumber: $projectNumber,
+            );
+        }
+
+        // If that fails, try to parse as a workforce pool.
+        // Audience format: //iam.googleapis.com/locations/global/workforcePools/POOL_ID/providers/PROVIDER_ID
+        if (preg_match('/locations\/[^\/]+\/workforcePools\/([^\/]+)/', $this->auth->getAudience(), $matches)) {
+            return $this->traitBuildTrustBoundaryLookupUrl(
+                poolId: $matches[1],
+            );
+        }
+
+        throw new LogicException("Invalid audience format.");
+    }
 }

src/Credentials/GCECredentials.php

@@ -652,7 +652,9 @@ public function updateMetadata(
         if ($this->enableTrustBoundary) {
             $metadata = $this->updateTrustBoundaryMetadata(
                 $metadata,
-                $this->getClientName($httpHandler),
+                $this->buildTrustBoundaryLookupUrl(
+                    serviceAccountEmail: $this->getClientName($httpHandler)
+                ),
                 $this->getUniverseDomain($httpHandler),
                 $httpHandler,
             );

src/Credentials/ImpersonatedServiceAccountCredentials.php

@@ -327,7 +327,9 @@ public function updateMetadata(
 
         $metatadata = $this->updateTrustBoundaryMetadata(
             $metatadata,
-            $this->impersonatedServiceAccountName,
+            $this->buildTrustBoundaryLookupUrl(
+                serviceAccountEmail: $this->impersonatedServiceAccountName
+            ),
             $this->getUniverseDomain(),
             $httpHandler,
         );

src/Credentials/ServiceAccountCredentials.php

@@ -332,7 +332,9 @@ public function updateMetadata(
 
         $metadata = $this->updateTrustBoundaryMetadata(
             $metadata,
-            $this->auth->getIssuer(),
+            $this->buildTrustBoundaryLookupUrl(
+                serviceAccountEmail: $this->auth->getIssuer()
+            ),
             $this->getUniverseDomain(),
             $httpHandler,
         );

src/CredentialsLoader.php

@@ -186,7 +186,7 @@ public static function makeCredentials(
 
         if ($jsonKey['type'] == 'external_account') {
             $anyScope = $scope ?: $defaultScope;
-            return new ExternalAccountCredentials($anyScope, $jsonKey);
+            return new ExternalAccountCredentials($anyScope, $jsonKey, $enableTrustBoundary);
         }
 
         throw new \InvalidArgumentException('invalid value in the type field');

src/TrustBoundaryTrait.php

@@ -6,6 +6,7 @@
 use Google\Auth\HttpHandler\HttpHandlerFactory;
 use GuzzleHttp\Exception\ClientException;
 use GuzzleHttp\Psr7\Request;
+use InvalidArgumentException;
 
 /**
  * @internal
@@ -23,7 +24,7 @@ trait TrustBoundaryTrait
     private function getTrustBoundary(
         string $universeDomain,
         callable $httpHandler,
-        string $serviceAccountEmail,
+        string $trustBoundaryUrl,
         array $headers,
     ): array|null {
         if (!$this->enableTrustBoundary) {
@@ -48,7 +49,7 @@ private function getTrustBoundary(
 
         $trustBoundary = $this->lookupTrustBoundary(
             $httpHandler,
-            $serviceAccountEmail,
+            $trustBoundaryUrl,
             $headers['authorization']
         );
 
@@ -62,44 +63,13 @@ private function getTrustBoundary(
         return $trustBoundary;
     }
 
-    /**
-     * @param array<string> $authHeader
-     * @return null|array{locations: array<string>, encodedLocations: string}
-     */
-    private function lookupTrustBoundary(
-        callable $httpHandler,
-        string $serviceAccountEmail,
-        array $authHeader
-    ): array|null {
-        $url = $this->buildTrustBoundaryLookupUrl($serviceAccountEmail);
-        $request = new Request('GET', $url);
-        $request = $request->withHeader('authorization', $authHeader);
-        try {
-            $response = $httpHandler($request);
-            return json_decode((string) $response->getBody(), true);
-        } catch (ClientException $e) {
-            // We swallow all errors here - a failed trust boundary lookup
-            // should not disrupt client authentication.
-        }
-        return null;
-    }
-
-    private function buildTrustBoundaryLookupUrl(string $serviceAccountEmail): string
-    {
-        return sprintf(
-            'https://iamcredentials.%s/v1/projects/-/serviceAccounts/%s/allowedLocations',
-            $this->getUniverseDomain(),
-            $serviceAccountEmail
-        );
-    }
-
     /**
      * @param array<mixed> $headers
      * @return array<mixed>
      */
     private function updateTrustBoundaryMetadata(
         array $headers,
-        string $serviceAccountEmail,
+        string $trustBoundaryUrl,
         string $universeDomain,
         ?callable $httpHandler,
     ): array {
@@ -109,7 +79,7 @@ private function updateTrustBoundaryMetadata(
         $trustBoundaryInfo = $this->getTrustBoundary(
             $universeDomain,
             $httpHandler,
-            $serviceAccountEmail,
+            $trustBoundaryUrl,
             $headers
         );
 
@@ -119,4 +89,63 @@ private function updateTrustBoundaryMetadata(
 
         return $headers;
     }
+
+    /**
+     * Return the trust boundary lookup URL.
+     */
+    private function buildTrustBoundaryLookupUrl(
+        ?string $serviceAccountEmail = null,
+        ?string $poolId = null,
+        ?string $projectNumber = null,
+    ): string {
+        $baseUrl = 'https://iamcredentials.googleapis.com/v1';
+        if ($serviceAccountEmail) {
+            if (is_null($projectNumber) && is_null($poolId)) {
+                return sprintf(
+                    '%s/projects/-/serviceAccounts/%s/allowedLocations',
+                    $baseUrl,
+                    $serviceAccountEmail
+                );
+            }
+        } elseif ($poolId) {
+            if (is_null($projectNumber)) {
+                // Workforce Identity Pools
+                return sprintf(
+                    '%s/locations/global/workforcePools/%s/allowedLocations',
+                    $baseUrl,
+                    $poolId
+                );
+            }
+            // Workload Identity Pools
+            return sprintf(
+                '%s/projects/%s/locations/global/workloadIdentityPools/%s/allowedLocations',
+                $baseUrl,
+                $projectNumber,
+                $poolId
+            );
+        }
+
+        throw new InvalidArgumentException('Must supply $serviceAccountEmail, $poolId, or both $poolId and $projectId');
+    }
+
+    /**
+     * @param array<string> $authHeader
+     * @return null|array{locations: array<string>, encodedLocations: string}
+     */
+    private function lookupTrustBoundary(
+        callable $httpHandler,
+        string $trustBoundaryUrl,
+        array $authHeader
+    ): array|null {
+        $request = new Request('GET', $trustBoundaryUrl);
+        $request = $request->withHeader('authorization', $authHeader);
+        try {
+            $response = $httpHandler($request);
+            return json_decode((string) $response->getBody(), true);
+        } catch (ClientException $e) {
+            // We swallow all errors here - a failed trust boundary lookup
+            // should not disrupt client authentication.
+        }
+        return null;
+    }
 }

tests/ApplicationDefaultCredentialsTest.php

@@ -909,8 +909,8 @@ public function testTrustBoundaryLookupIntegration()
     {
         if ('true' !== getenv('RUN_TRUST_BOUNDARY_TESTS')) {
             $this->markTestSkipped(
-                'This test requires RUN_TRUST_BOUNDARY_TESTS=true and a set of credentials with' .
-                'Trust boundaries enabled'
+                'This test requires RUN_TRUST_BOUNDARY_TESTS=true and a set of credentials with ' .
+                'trust boundaries enabled'
             );
         }
 

tests/TrustBoundaryTraitTest.php

@@ -21,9 +21,9 @@ public function setUp(): void
 
     public function testBuildTrustBoundaryLookupUrl()
     {
-        $url = $this->impl->buildTrustBoundaryLookupUrl('test@example.com');
+        $url = $this->impl->buildTrustBoundaryLookupUrl(serviceAccountEmail: 'test@example.com');
         $this->assertEquals(
-            'https://iamcredentials.foo.bar/v1/projects/-/serviceAccounts/test@example.com/allowedLocations',
+            'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/test@example.com/allowedLocations',
             $url
         );
     }
@@ -101,9 +101,4 @@ public function setCache($cache)
     {
         $this->cache = $cache;
     }
-
-    public function getUniverseDomain()
-    {
-        return 'foo.bar';
-    }
 }