Skip to content

Commit d5a9824

Browse files
committed
add RAB to ExternalAccountAuthorizedUser
1 parent 533b387 commit d5a9824

1 file changed

Lines changed: 63 additions & 0 deletions

File tree

src/Credentials/ExternalAccountAuthorizedUserCredentials.php

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@
2222
use Google\Auth\GetQuotaProjectInterface;
2323
use Google\Auth\GetUniverseDomainInterface;
2424
use Google\Auth\OAuth2;
25+
use Google\Auth\UpdateMetadataTrait;
2526
use InvalidArgumentException;
2627

2728
/**
@@ -32,6 +33,13 @@
3233
*/
3334
class ExternalAccountAuthorizedUserCredentials extends CredentialsLoader implements GetQuotaProjectInterface
3435
{
36+
use RegionalAccessBoundaryTrait {
37+
buildRegionalAccessBoundaryLookupUrl as traitBuildRegionalAccessBoundaryLookupUrl;
38+
}
39+
use UpdateMetadataTrait {
40+
updateMetadata as traitUpdateMetadata;
41+
}
42+
3543
/**
3644
* Used in observability metric headers
3745
*
@@ -123,6 +131,33 @@ public function fetchAuthToken(?callable $httpHandler = null, array $headers = [
123131
);
124132
}
125133

134+
/**
135+
* Updates metadata with the authorization token.
136+
*
137+
* @param array<mixed> $metadata metadata hashmap
138+
* @param string $authUri optional auth uri
139+
* @param callable|null $httpHandler callback which delivers psr7 request
140+
* @return array<mixed> updated metadata hashmap
141+
*/
142+
public function updateMetadata(
143+
$metadata,
144+
$authUri = null,
145+
?callable $httpHandler = null
146+
) {
147+
$metadata = $this->traitUpdateMetadata($metadata, $authUri, $httpHandler);
148+
149+
if ($this->enableRegionalAccessBoundary) {
150+
$metadata = $this->updateRegionalAccessBoundaryMetadata(
151+
$metadata,
152+
$this->buildRegionalAccessBoundaryLookupUrl(),
153+
$this->getUniverseDomain(),
154+
$httpHandler,
155+
);
156+
}
157+
158+
return $metadata;
159+
}
160+
126161
/**
127162
* Return the Cache Key for the credentials.
128163
* The format for the Cache key is
@@ -181,4 +216,32 @@ protected function getCredType(): string
181216
{
182217
return self::CRED_TYPE;
183218
}
219+
220+
/**
221+
* Builds and returns the URL for the RAB lookup API.
222+
*/
223+
private function buildRegionalAccessBoundaryLookupUrl(): string
224+
{
225+
// Try to parse as a workload identity pool.
226+
// Audience format: //iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
227+
$regex = '/projects\/([^\/]+)\/locations\/global\/workloadIdentityPools\/([^\/]+)/';
228+
if (preg_match($regex, $this->auth->getAudience(), $matches)) {
229+
[$_, $projectNumber, $poolId] = $matches;
230+
231+
return $this->traitBuildRegionalAccessBoundaryLookupUrl(
232+
poolId: $poolId,
233+
projectNumber: $projectNumber,
234+
);
235+
}
236+
237+
// If that fails, try to parse as a workforce pool.
238+
// Audience format: //iam.googleapis.com/locations/global/workforcePools/POOL_ID/providers/PROVIDER_ID
239+
if (preg_match('/locations\/[^\/]+\/workforcePools\/([^\/]+)/', $this->auth->getAudience(), $matches)) {
240+
return $this->traitBuildRegionalAccessBoundaryLookupUrl(
241+
poolId: $matches[1],
242+
);
243+
}
244+
245+
throw new LogicException('Invalid audience format');
246+
}
184247
}

0 commit comments

Comments
 (0)