Merge pull request #147 from ekristen/firebase-auth-providers

feat: firebase auth providers

Author: ekristen

go.mod

@@ -35,9 +35,11 @@ require (
 	cloud.google.com/go/compute/metadata v0.5.2 // indirect
 	cloud.google.com/go/longrunning v0.6.2 // indirect
 	cloud.google.com/go/monitoring v1.21.2 // indirect
+	firebase.google.com/go/v4 v4.15.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1 // indirect
+	github.com/MicahParks/keyfunc v1.9.0 // indirect
 	github.com/apache/arrow/go/v15 v15.0.2 // indirect
 	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
@@ -49,6 +51,7 @@ require (
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/flatbuffers v23.5.26+incompatible // indirect
@@ -86,6 +89,7 @@ require (
 	golang.org/x/tools v0.24.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/appengine/v2 v2.0.2 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f // indirect
 	google.golang.org/grpc v1.67.1 // indirect

go.sum

@@ -129,13 +129,17 @@ cloud.google.com/go/storage v1.47.0 h1:ajqgt30fnOMmLfWfu1PWcb+V9Dxz6n+9WKjdNg5R4
 cloud.google.com/go/storage v1.47.0/go.mod h1:Ks0vP374w0PW6jOUameJbapbQKXqkjGd/OJRp2fb9IQ=
 firebase.google.com/go v3.13.0+incompatible h1:3TdYC3DDi6aHn20qoRkxwGqNgdjtblwVAyRLQwGn/+4=
 firebase.google.com/go v3.13.0+incompatible/go.mod h1:xlah6XbEyW6tbfSklcfe5FHJIwjt8toICdV5Wh9ptHs=
+firebase.google.com/go/v4 v4.15.0 h1:k27M+cHbyN1YpBI2Cf4NSjeHnnYRB9ldXwpqA5KikN0=
+firebase.google.com/go/v4 v4.15.0/go.mod h1:S/4MJqVZn1robtXkHhpRUbwOC4gdYtgsiMMJQ4x+xmQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1 h1:pB2F2JKCj1Znmp2rwxxt1J0Fg0wezTMgWYk5Mpbi1kg=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1/go.mod h1:itPGVDKf9cC/ov4MdvJ2QZ0khw4bfoo9jzwTJlaxy2k=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 h1:UQ0AhxogsIRZDkElkblfnwjc3IaltCm2HUMvezQaL7s=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1/go.mod h1:jyqM3eLpJ3IbIFDTKVz2rF9T/xWGW0rIriGwnz8l9Tk=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1 h1:8nn+rsCvTq9axyEh382S0PFLBeaFwNsT43IrPWzctRU=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1/go.mod h1:viRWSEhtMZqz1rhwmOVKkWl6SwmVowfL9O2YR5gI2PE=
+github.com/MicahParks/keyfunc v1.9.0 h1:lhKd5xrFHLNOWrDc4Tyb/Q1AJ4LCzQ48GVJyVIID3+o=
+github.com/MicahParks/keyfunc v1.9.0/go.mod h1:IdnCilugA0O/99dW+/MkvlyrsX8+L8+x95xuVNtM5jw=
 github.com/apache/arrow/go/v15 v15.0.2 h1:60IliRbiyTWCWjERBCkO1W4Qun9svcYoZrSLcyOsMLE=
 github.com/apache/arrow/go/v15 v15.0.2/go.mod h1:DGXsR3ajT524njufqf95822i+KTh+yea1jass9YXgjA=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -199,12 +203,16 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
 github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
+github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
@@ -355,6 +363,7 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220708220712-1185a9018129/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
 golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
@@ -474,6 +483,8 @@ google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9Ywl
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
 google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
+google.golang.org/appengine/v2 v2.0.2 h1:MSqyWy2shDLwG7chbwBJ5uMyw6SNqJzhJHNDwYB0Akk=
+google.golang.org/appengine/v2 v2.0.2/go.mod h1:PkgRUWz4o1XOvbqtWTkBtCitEJ5Tp4HoVEdMMYQR/8E=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=

pkg/gcputil/gcp.go

@@ -83,8 +83,10 @@ func (g *GCP) ImpersonateServiceAccount(ctx context.Context, targetServiceAccoun
 	defer credsClient.Close()
 
 	req := &credentialspb.GenerateAccessTokenRequest{
-		Name:  fmt.Sprintf("projects/-/serviceAccounts/%s", targetServiceAccount),
-		Scope: []string{"https://www.googleapis.com/auth/cloud-platform"},
+		Name: fmt.Sprintf("projects/-/serviceAccounts/%s", targetServiceAccount),
+		Scope: []string{
+			"https://www.googleapis.com/auth/cloud-platform",
+		},
 		Lifetime: &durationpb.Duration{
 			Seconds: int64(time.Hour.Seconds()), // 1 hour
 		},

pkg/gcputil/identitytoolkit.go

@@ -0,0 +1,242 @@
+package gcputil
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/sirupsen/logrus"
+	"google.golang.org/api/option"
+	htransport "google.golang.org/api/transport/http"
+)
+
+const identityPlatformBasePath = "https://identitytoolkit.googleapis.com/admin/v2/"
+
+// ProjectConfig represents the configuration of a project in Identity Platform
+type ProjectConfig struct {
+	Name                     string        `json:"name"`
+	AutoDeleteAnonymousUsers bool          `json:"autodeleteAnonymousUsers"`
+	SignIn                   *SignInConfig `json:"signIn,omitempty"`
+	MFA                      *MFAConfig    `json:"mfa,omitempty"`
+}
+
+type SignInConfig struct {
+	Anonymous *ProviderConfig `json:"anonymous,omitempty"`
+	Email     *ProviderConfig `json:"email,omitempty"`
+	Phone     *ProviderConfig `json:"phoneNumber,omitempty"`
+}
+
+type MFAConfig struct {
+	State string `json:"state"`
+}
+
+type ProviderConfig struct {
+	Enabled bool `json:"enabled"`
+}
+
+// IdentityPlatformService provides methods to interact with the Identity Platform API
+type IdentityPlatformService struct {
+	client    *http.Client
+	BasePath  string
+	UserAgent string
+}
+
+// NewIdentityPlatformService creates a new Identity Platform client
+func NewIdentityPlatformService(ctx context.Context, opts ...option.ClientOption) (*IdentityPlatformService, error) {
+	client, endpoint, err := htransport.NewClient(ctx, opts...)
+	if err != nil {
+		return nil, err
+	}
+
+	s := &IdentityPlatformService{client: client, BasePath: identityPlatformBasePath}
+	if endpoint != "" {
+		s.BasePath = endpoint
+	}
+
+	return s, nil
+}
+
+// GetProjectConfig retrieves the configuration of a project
+func (s *IdentityPlatformService) GetProjectConfig(ctx context.Context, projectID string) (*ProjectConfig, error) {
+	url := fmt.Sprintf("%sprojects/%s/config", s.BasePath, projectID)
+	logrus.Tracef("url: %s", url)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error creating request: %v", err)
+	}
+
+	resp, err := s.client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("error requesting project config: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("API request error: status %d", resp.StatusCode)
+	}
+
+	var config ProjectConfig
+	if err = json.NewDecoder(resp.Body).Decode(&config); err != nil {
+		return nil, fmt.Errorf("error decoding response: %v", err)
+	}
+	return &config, nil
+}
+
+// UpdateProjectConfig updates the configuration of a project
+func (s *IdentityPlatformService) UpdateProjectConfig(ctx context.Context, projectID string, config *ProjectConfig) (*ProjectConfig, error) {
+	url := fmt.Sprintf("%sprojects/%s/config", s.BasePath, projectID)
+	logrus.Tracef("url: %s", url)
+
+	body, err := json.Marshal(config)
+	if err != nil {
+		return nil, fmt.Errorf("error marshaling request body: %v", err)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPatch, url, bytes.NewReader(body))
+	if err != nil {
+		return nil, fmt.Errorf("error creating request: %v", err)
+	}
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := s.client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("error updating project config: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("API request error: status %d", resp.StatusCode)
+	}
+
+	var updatedConfig ProjectConfig
+	if err = json.NewDecoder(resp.Body).Decode(&updatedConfig); err != nil {
+		return nil, fmt.Errorf("error decoding response: %v", err)
+	}
+	return &updatedConfig, nil
+}
+
+type ListDefaultSupportedOAuthIdpConfigsResponse struct {
+	DefaultSupportedIdpConfigs []*DefaultSupportedOAuthIdpConfig `json:"defaultSupportedIdpConfigs"`
+}
+
+type DefaultSupportedOAuthIdpConfig struct {
+	Name         *string `json:"name,omitempty"`
+	Enabled      *bool   `json:"enabled,omitempty"`
+	ClientID     *string `json:"clientId,omitempty"`
+	ClientSecret *string `json:"clientSecret,omitempty"`
+}
+
+type ListOAuthIdpConfigsResponse struct {
+	OAuthIdpConfigs []*OAuthIdpConfig `json:"oauthIdpConfigs"`
+}
+
+type OAuthIdpConfig struct {
+	Name        *string `json:"name"`
+	ClientId    *string `json:"clientId"`
+	Issuer      *string `json:"issuer"`
+	DisplayName *string `json:"displayName"`
+	Enabled     *bool   `json:"enabled"`
+}
+
+// ListDefaultSupportedOAuthIdpConfigs lists the OAuth IDP configurations of a project
+func (s *IdentityPlatformService) ListDefaultSupportedOAuthIdpConfigs(ctx context.Context, projectID string) (*ListDefaultSupportedOAuthIdpConfigsResponse, error) {
+	url := fmt.Sprintf("%sprojects/%s/defaultSupportedIdpConfigs", s.BasePath, projectID)
+	logrus.Tracef("url: %s", url)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error creating request: %v", err)
+	}
+
+	resp, err := s.client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("error requesting OAuth IDP configs: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("API request error: status %d", resp.StatusCode)
+	}
+
+	var configs *ListDefaultSupportedOAuthIdpConfigsResponse
+	if err = json.NewDecoder(resp.Body).Decode(&configs); err != nil {
+		return nil, fmt.Errorf("error decoding response: %v", err)
+	}
+	return configs, nil
+}
+
+// DeleteDefaultSupportedOAuthIdpConfig deletes an OAuth IDP configuration of a project
+func (s *IdentityPlatformService) DeleteDefaultSupportedOAuthIdpConfig(ctx context.Context, projectID, configID string) error {
+	url := fmt.Sprintf("%sprojects/%s/defaultSupportedIdpConfigs/%s", s.BasePath, projectID, configID)
+	logrus.Tracef("url: %s", url)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodDelete, url, nil)
+	if err != nil {
+		return fmt.Errorf("error creating request: %v", err)
+	}
+
+	resp, err := s.client.Do(req)
+	if err != nil {
+		return fmt.Errorf("error deleting OAuth IDP config: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("API request error: status %d", resp.StatusCode)
+	}
+
+	return nil
+}
+
+// ListOAuthIdpConfigs lists the OAuth IDP configurations of a project
+func (s *IdentityPlatformService) ListOAuthIdpConfigs(ctx context.Context, projectID string) (*ListOAuthIdpConfigsResponse, error) {
+	url := fmt.Sprintf("%sprojects/%s/oauthIdpConfigs", s.BasePath, projectID)
+	logrus.Tracef("url: %s", url)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error creating request: %v", err)
+	}
+
+	resp, err := s.client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("error requesting OAuth IDP configs: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("API request error: status %d", resp.StatusCode)
+	}
+
+	var configs *ListOAuthIdpConfigsResponse
+	if err = json.NewDecoder(resp.Body).Decode(&configs); err != nil {
+		return nil, fmt.Errorf("error decoding response: %v", err)
+	}
+	return configs, nil
+}
+
+// DeleteOAuthIdpConfig deletes an OAuth IDP configuration of a project
+func (s *IdentityPlatformService) DeleteOAuthIdpConfig(ctx context.Context, projectID, configID string) error {
+	url := fmt.Sprintf("%sprojects/%s/oauthIdpConfigs/%s", s.BasePath, projectID, configID)
+	logrus.Tracef("url: %s", url)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodDelete, url, nil)
+	if err != nil {
+		return fmt.Errorf("error creating request: %v", err)
+	}
+
+	resp, err := s.client.Do(req)
+	if err != nil {
+		return fmt.Errorf("error deleting OAuth IDP config: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("API request error: status %d", resp.StatusCode)
+	}
+
+	return nil
+}