Add token fetching and handle exchange

Author: claytoncasey01

cli/config/config.go

@@ -199,6 +199,10 @@ type CommonOpts struct {
 	// authentication
 	Authentication *CliConfigAuthentication `json:"auth,omitempty" mapstructure:"auth"`
 
+	// Workload Identity Federation fields
+	Audience  string `json:"audience,omitempty" mapstructure:"audience"`
+	IssuerURI string `json:"issuer_uri,omitempty" mapstructure:"issuer_uri"`
+
 	// client features
 	Features []string `json:"features,omitempty" mapstructure:"features"`
 
@@ -245,14 +249,26 @@ func (c *CommonOpts) GetFeatures() cnquery.Features {
 // GetServiceCredential returns the service credential that is defined in the config.
 // If no service credential is defined, it will return nil.
 func (c *CommonOpts) GetServiceCredential() *upstream.ServiceAccountCredentials {
-	if c.Authentication != nil && c.Authentication.Method == "ssh" {
-		log.Info().Msg("using ssh authentication method, generate temporary credentials")
-		serviceAccount, err := upstream.ExchangeSSHKey(c.UpstreamApiEndpoint(), c.ServiceAccountMrn, c.GetParentMrn())
-		if err != nil {
-			log.Error().Err(err).Msg("could not exchange ssh key")
-			return nil
+	if c.Authentication != nil {
+		switch c.Authentication.Method {
+		case "ssh":
+			log.Info().Msg("using ssh authentication method, generate temporary credentials")
+			serviceAccount, err := upstream.ExchangeSSHKey(c.UpstreamApiEndpoint(), c.ServiceAccountMrn, c.GetParentMrn())
+			if err != nil {
+				log.Error().Err(err).Msg("could not exchange ssh key")
+				return nil
+			}
+			return serviceAccount
+		case "wif":
+			log.Info().Msg("using wif authentication method, generate temporary credentials")
+			serviceAccount, err := upstream.ExchangeExternalToken(c.UpstreamApiEndpoint(), c.Audience, c.IssuerURI)
+			if err != nil {
+				log.Error().Err(err).Msg("could not exchange external (wif) token")
+				return nil
+			}
+
+			return serviceAccount
 		}
-		return serviceAccount
 	}
 
 	// return nil when no service account is defined

providers-sdk/v1/upstream/sts.go

@@ -10,6 +10,9 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
 	"net/url"
 	"time"
 
@@ -55,15 +58,22 @@ func ExchangeSSHKey(apiEndpoint string, identityMrn string, resourceMrn string)
 	}, nil
 }
 
-func ExchangeExternalToken(apiEndpoint string, audience string, issuerUri string, jsonToken string) (*ServiceAccountCredentials, error) {
+func ExchangeExternalToken(apiEndpoint string, audience string, issuerURI string) (*ServiceAccountCredentials, error) {
+	// TODO: This is just a testing function to fetch a GCP identity token
+	// it should change to be a generic function.
+	jsonToken, err := fetchGCPIdentityToken(audience)
+	if err != nil {
+		return nil, err
+	}
+
 	stsClient, err := NewSecureTokenServiceClient(apiEndpoint, ranger.DefaultHttpClient())
 	if err != nil {
 		return nil, err
 	}
 
 	resp, err := stsClient.ExchangeExternalToken(context.Background(), &ExchangeExternalTokenRequest{
 		Audience:  audience,
-		IssuerUri: issuerUri,
+		IssuerUri: issuerURI,
 		JwtToken:  jsonToken,
 	})
 	if err != nil {
@@ -85,6 +95,30 @@ func ExchangeExternalToken(apiEndpoint string, audience string, issuerUri string
 	return &creds, nil
 }
 
+// TODO: This is just a testing function to fetch a GCP identity token
+// it should change to be a generic function that checks the provider and fetches the token accordingly.
+func fetchGCPIdentityToken(audience string) (string, error) {
+	url := fmt.Sprintf("http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=%s", audience)
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		return "", err
+	}
+	req.Header.Add("Metadata-Flavor", "Google")
+
+	client := &http.Client{}
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	tokenBytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+	return string(tokenBytes), nil
+}
+
 // signClaims implements claims signing with ssh.Signer
 //
 // To generate a new SSH key use: