feat: add gcloud-auth flag (#43)

This commit is based on:

GoogleCloudPlatform/cloud-sql-proxy@08d827c

Author: enocom

cmd/root.go

@@ -29,8 +29,10 @@ import (
 
 	"cloud.google.com/go/alloydbconn"
 	"github.com/GoogleCloudPlatform/alloydb-auth-proxy/alloydb"
+	"github.com/GoogleCloudPlatform/alloydb-auth-proxy/internal/gcloud"
 	"github.com/GoogleCloudPlatform/alloydb-auth-proxy/internal/proxy"
 	"github.com/spf13/cobra"
+	"golang.org/x/oauth2"
 )
 
 var (
@@ -122,6 +124,8 @@ without having to manage any client SSL certificates.`,
 		"Bearer token used for authorization.")
 	cmd.PersistentFlags().StringVarP(&c.conf.CredentialsFile, "credentials-file", "c", "",
 		"Path to a service account key to use for authentication.")
+	cmd.PersistentFlags().BoolVarP(&c.conf.GcloudAuth, "gcloud-auth", "g", false,
+		"Use gcloud's user configuration to retrieve a token for authentication.")
 
 	// Global and per instance flags
 	cmd.PersistentFlags().StringVarP(&c.conf.Addr, "address", "a", "127.0.0.1",
@@ -154,19 +158,41 @@ func parseConfig(cmd *cobra.Command, conf *proxy.Config, args []string) error {
 		return newBadCommandError(fmt.Sprintf("not a valid IP address: %q", conf.Addr))
 	}
 
-	// If both token and credentials file were set, error.
+	// If more than one auth method is set, error.
 	if conf.Token != "" && conf.CredentialsFile != "" {
-		return newBadCommandError("Cannot specify --token and --credentials-file flags at the same time")
+		return newBadCommandError("cannot specify --token and --credentials-file flags at the same time")
+	}
+	if conf.Token != "" && conf.GcloudAuth {
+		return newBadCommandError("cannot specify --token and --gcloud-auth flags at the same time")
+	}
+	if conf.CredentialsFile != "" && conf.GcloudAuth {
+		return newBadCommandError("cannot specify --credentials-file and --gcloud-auth flags at the same time")
+	}
+	opts := []alloydbconn.Option{
+		alloydbconn.WithUserAgent(userAgent),
 	}
-
 	switch {
 	case conf.Token != "":
 		cmd.Printf("Authorizing with the -token flag\n")
+		opts = append(opts, alloydbconn.WithTokenSource(
+			oauth2.StaticTokenSource(&oauth2.Token{AccessToken: conf.Token}),
+		))
 	case conf.CredentialsFile != "":
 		cmd.Printf("Authorizing with the credentials file at %q\n", conf.CredentialsFile)
+		opts = append(opts, alloydbconn.WithCredentialsFile(
+			conf.CredentialsFile,
+		))
+	case conf.GcloudAuth:
+		cmd.Println("Authorizing with gcloud user credentials")
+		ts, err := gcloud.TokenSource()
+		if err != nil {
+			return err
+		}
+		opts = append(opts, alloydbconn.WithTokenSource(ts))
 	default:
 		cmd.Println("Authorizing with Application Default Credentials")
 	}
+	conf.DialerOpts = opts
 
 	var ics []proxy.InstanceConnConfig
 	for _, a := range args {
@@ -269,9 +295,8 @@ func runSignalWrapper(cmd *Command) error {
 		// Otherwise, initialize a new one.
 		d := cmd.conf.Dialer
 		if d == nil {
-			opts := append(cmd.conf.DialerOpts(), alloydbconn.WithUserAgent(userAgent))
 			var err error
-			d, err = alloydbconn.NewDialer(ctx, opts...)
+			d, err = alloydbconn.NewDialer(ctx, cmd.conf.DialerOpts...)
 			if err != nil {
 				shutdownCh <- fmt.Errorf("error initializing dialer: %v", err)
 				return

cmd/root_test.go

@@ -179,13 +179,58 @@ func TestNewCommandArguments(t *testing.T) {
 				t.Fatalf("want error = nil, got = %v", err)
 			}
 
-			if got := c.conf; !cmp.Equal(tc.want, got, cmpopts.IgnoreUnexported(proxy.Config{})) {
+			opts := cmpopts.IgnoreFields(proxy.Config{}, "DialerOpts")
+			if got := c.conf; !cmp.Equal(tc.want, got, opts) {
 				t.Fatalf("want = %#v\ngot = %#v\ndiff = %v", tc.want, got, cmp.Diff(tc.want, got))
 			}
 		})
 	}
 }
 
+func TestNewCommandWithGcloudAuth(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping Gcloud auth test")
+	}
+	tcs := []struct {
+		desc string
+		args []string
+		want bool
+	}{
+		{
+			desc: "using the gcloud auth flag",
+			args: []string{"--gcloud-auth", "/projects/proj/locations/region/clusters/clust/instances/inst"},
+			want: true,
+		},
+		{
+			desc: "using the (short) gcloud auth flag",
+			args: []string{"-g", "/projects/proj/locations/region/clusters/clust/instances/inst"},
+			want: true,
+		},
+	}
+	for _, tc := range tcs {
+		t.Run(tc.desc, func(t *testing.T) {
+			c := NewCommand()
+			// Keep the test output quiet
+			c.SilenceUsage = true
+			c.SilenceErrors = true
+			// Disable execute behavior
+			c.RunE = func(*cobra.Command, []string) error {
+				return nil
+			}
+			c.SetArgs(tc.args)
+
+			err := c.Execute()
+			if err != nil {
+				t.Fatalf("want error = nil, got = %v", err)
+			}
+
+			if got := c.conf.GcloudAuth; got != tc.want {
+				t.Fatalf("want = %v, got = %v", tc.want, got)
+			}
+		})
+	}
+}
+
 func TestNewCommandWithErrors(t *testing.T) {
 	tcs := []struct {
 		desc string
@@ -228,11 +273,23 @@ func TestNewCommandWithErrors(t *testing.T) {
 			args: []string{"/projects/proj/locations/region/clusters/clust/instances/inst?port=hi"},
 		},
 		{
-			desc: "when both token and credentials file is set",
+			desc: "when both token and credentials file are set",
 			args: []string{
 				"--token", "my-token",
 				"--credentials-file", "/path/to/file", "/projects/proj/locations/region/clusters/clust/instances/inst"},
 		},
+		{
+			desc: "when both token and gcloud auth are set",
+			args: []string{
+				"--token", "my-token",
+				"--gcloud-auth", "proj:region:inst"},
+		},
+		{
+			desc: "when both gcloud auth and credentials file are set",
+			args: []string{
+				"--gcloud-auth",
+				"--credential-file", "/path/to/file", "proj:region:inst"},
+		},
 		{
 			desc: "when the unix socket query param contains multiple values",
 			args: []string{"/projects/proj/locations/region/clusters/clust/instances/inst?unix-socket=/one&unix-socket=/two"},

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/spf13/cobra v1.4.0
 	golang.org/x/net v0.0.0-20220517181318-183a9ca12b87 // indirect
 	golang.org/x/oauth2 v0.0.0-20220524215830-622c5d57e401
-	golang.org/x/sys v0.0.0-20220519141025-dcacdad47464 // indirect
+	golang.org/x/sys v0.0.0-20220519141025-dcacdad47464
 	golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
 	google.golang.org/api v0.80.0 // indirect
 	google.golang.org/genproto v0.0.0-20220519153652-3a47de7e79bd // indirect

internal/gcloud/gcloud.go

@@ -0,0 +1,87 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gcloud
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"runtime"
+	"time"
+
+	"golang.org/x/oauth2"
+	exec "golang.org/x/sys/execabs"
+)
+
+// config represents the credentials returned by `gcloud config config-helper`.
+type config struct {
+	Credential struct {
+		AccessToken string    `json:"access_token"`
+		TokenExpiry time.Time `json:"token_expiry"`
+	}
+}
+
+func (c *config) Token() *oauth2.Token {
+	return &oauth2.Token{
+		AccessToken: c.Credential.AccessToken,
+		Expiry:      c.Credential.TokenExpiry,
+	}
+}
+
+// Path returns the absolute path to the gcloud command. If the command is not
+// found it returns an error.
+func Path() (string, error) {
+	g := "gcloud"
+	if runtime.GOOS == "windows" {
+		g = g + ".cmd"
+	}
+	return exec.LookPath(g)
+}
+
+// configHelper implements oauth2.TokenSource via the `gcloud config config-helper` command.
+type configHelper struct{}
+
+// Token helps gcloudTokenSource implement oauth2.TokenSource.
+func (configHelper) Token() (*oauth2.Token, error) {
+	gcloudCmd, err := Path()
+	if err != nil {
+		return nil, err
+	}
+	buf, errbuf := new(bytes.Buffer), new(bytes.Buffer)
+	cmd := exec.Command(gcloudCmd, "--format", "json", "config", "config-helper", "--min-expiry", "1h")
+	cmd.Stdout = buf
+	cmd.Stderr = errbuf
+
+	if err := cmd.Run(); err != nil {
+		err = fmt.Errorf("error reading config: %v; stderr was:\n%v", err, errbuf)
+		return nil, err
+	}
+
+	c := &config{}
+	if err := json.Unmarshal(buf.Bytes(), c); err != nil {
+		return nil, err
+	}
+	return c.Token(), nil
+}
+
+// TokenSource returns an oauth2.TokenSource backed by the gcloud CLI.
+func TokenSource() (oauth2.TokenSource, error) {
+	h := configHelper{}
+	tok, err := h.Token()
+	if err != nil {
+		return nil, err
+	}
+	return oauth2.ReuseTokenSource(tok, h), nil
+}

internal/gcloud/gcloud_test.go

@@ -0,0 +1,39 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gcloud_test
+
+import (
+	"testing"
+
+	"github.com/GoogleCloudPlatform/alloydb-auth-proxy/internal/gcloud"
+)
+
+func TestGcloud(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping gcloud integration tests")
+	}
+
+	// gcloud is now configured. Try to obtain a token from gcloud config
+	// helper.
+	ts, err := gcloud.TokenSource()
+	if err != nil {
+		t.Fatalf("failed to get token source: %v", err)
+	}
+
+	_, err = ts.Token()
+	if err != nil {
+		t.Fatalf("failed to get token: %v", err)
+	}
+}

internal/proxy/proxy.go

@@ -29,7 +29,6 @@ import (
 	"cloud.google.com/go/alloydbconn"
 	"github.com/GoogleCloudPlatform/alloydb-auth-proxy/alloydb"
 	"github.com/spf13/cobra"
-	"golang.org/x/oauth2"
 )
 
 // InstanceConnConfig holds the configuration for an individual instance
@@ -55,6 +54,10 @@ type Config struct {
 	// CredentialsFile is the path to a service account key.
 	CredentialsFile string
 
+	// GcloudAuth set whether to use Gcloud's config helper to retrieve a
+	// token for authentication.
+	GcloudAuth bool
+
 	// Addr is the address on which to bind all instances.
 	Addr string
 
@@ -73,21 +76,10 @@ type Config struct {
 	// Dialer specifies the dialer to use when connecting to AlloyDB
 	// instances.
 	Dialer alloydb.Dialer
-}
 
-func (c *Config) DialerOpts() []alloydbconn.Option {
-	var opts []alloydbconn.Option
-	switch {
-	case c.Token != "":
-		opts = append(opts, alloydbconn.WithTokenSource(
-			oauth2.StaticTokenSource(&oauth2.Token{AccessToken: c.Token}),
-		))
-	case c.CredentialsFile != "":
-		opts = append(opts, alloydbconn.WithCredentialsFile(
-			c.CredentialsFile,
-		))
-	}
-	return opts
+	// DialerOpts specifies the opts to use when creating a new dialer. This
+	// value is ignored when a Dialer has been set.
+	DialerOpts []alloydbconn.Option
 }
 
 type portConfig struct {

tests/alloydb_test.go

@@ -141,3 +141,16 @@ func TestPostgresAuthWithCredentialsFile(t *testing.T) {
 		[]string{"--credentials-file", path, *alloydbConnName},
 		"alloydb3", dsn)
 }
+
+func TestAuthWithGcloudAuth(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping Postgres integration tests")
+	}
+	requirePostgresVars(t)
+
+	dsn := fmt.Sprintf("host=localhost user=%s password=%s database=%s sslmode=disable",
+		*alloydbUser, *alloydbPass, *alloydbDB)
+	proxyConnTest(t,
+		[]string{"--gcloud-auth", *alloydbConnName},
+		"pgx", dsn)
+}