shrub/pkg/arvo/ted/get-gcp-jwt.hoon
J d978e6a551 -get-gcp-jwt: produces an access token
The correct scope to ask for is not devstorage.editor, but
cloud-platform. This will, rather than returning a signed JWT from
Google that looks like it works but doesn't, return a JSON object
containing an access token and expiration time.
2021-02-23 22:18:59 +00:00

135 lines
3.9 KiB
Plaintext

:: Thread that gets a JWT for use with Google Storage.
::
:: This thread expects settings-store to contain relevant fields from a GCP
:: service account JSON file, e.g. as poked by urbit/sh/poke-gcp-account-json.
:: Specifically, it depends on the `token_uri`, `client_email`,
:: `private_key_id`, and `private_key` fields. If these fields are not in
:: settings-store at the time the thread is run, it will fail.
::
:: The thread works by first constructing a self-signed JWT using the fields
:: in settings-store. Then, it sends this JWT to the specified token URI
:: (usually https://oauth2.googleapis.com/token), which gives us a JWT signed
:: by Google. This token can then be used as a bearer token for requests to
:: Google Storage.
::
:: The returned token has an expiration time of 60 minutes after the time at
:: which the thread was called.
::
::
/- spider, settings
/+ jose, pkcs, primitive-rsa, strandio
=, strand=strand:spider
=, rsa=primitive-rsa
^- thread:spider
|^
|= *
=/ m (strand ,vase)
^- form:m
;< =bowl:spider bind:m get-bowl:strandio
;< iss=@t bind:m (read-setting %client-email)
;< =key:rsa bind:m read-private-key
;< kid=@t bind:m (read-setting %private-key-id)
;< aud=@t bind:m (read-setting %token-uri)
=/ sot=@t
%: self-jwt
key kid iss
'https://www.googleapis.com/auth/cloud-platform'
aud now.bowl
==
;< p=[tok=@t exp=@da] bind:m (sign-jwt sot aud)
(pure:m !>(p))
::
++ read-setting
|= key=term
=/ m (strand @t) ^- form:m
;< has=? bind:m
(scry:strandio ? /gx/settings-store/has-entry/gcp-store/[key]/noun)
?. has
(strand-fail:strandio %no-setting key ~)
;< =data:settings bind:m
%+ scry:strandio
data:settings
/gx/settings-store/entry/gcp-store/[key]/settings-data
?> ?=([%entry %s @] data)
(pure:m p.val.data)
::
++ read-private-key
=/ m (strand ,key:rsa) ^- form:m
;< dat=@t bind:m (read-setting %private-key)
%- pure:m
%. dat
;: cork
to-wain:format
ring:de:pem:pkcs8:pkcs
need
==
:: construct and return a self-signed JWT issued now, expiring in ~h1.
:: TODO: maybe move this into lib/jose/hoon
::
++ self-jwt
|= [=key:rsa kid=@t iss=@t scope=@t aud=@t iat=@da]
^- @t
=/ job=json
=, enjs:format
%^ sign:jws:jose key
:: the JWT's "header"
%: pairs
alg+s+'RS256'
typ+s+'JWT'
kid+s+kid
~
==
:: the JWT's "payload"
%: pairs
iss+s+iss
sub+s+iss :: per g.co, use iss for sub
scope+s+scope
aud+s+aud
iat+(sect iat)
exp+(sect (add iat ~h1))
~
==
=/ [pod=@t pad=@t sig=@t]
=, dejs:format
((ot 'protected'^so 'payload'^so 'signature'^so ~) job)
(rap 3 (join '.' `(list @t)`~[pod pad sig]))
:: RPC to get a signed JWT. Probably only works with Google.
:: Described at:
:: https://developers.google.com/identity/protocols/oauth2/service-account
::
++ sign-jwt
|= [jot=@t url=@t]
=/ m (strand ,[@t @da]) ^- form:m
;< ~ bind:m
%: send-request:strandio
method=%'POST'
url=url
header-list=['Content-Type'^'application/json' ~]
^= body
%- some %- as-octt:mimes:html
%- en-json:html
%: pairs:enjs:format
['grant_type' s+'urn:ietf:params:oauth:grant-type:jwt-bearer']
assertion+s+jot
~
==
==
;< rep=client-response:iris bind:m
take-client-response:strandio
?> ?=(%finished -.rep)
?~ full-file.rep
(strand-fail:strandio %no-response ~)
=/ body=@t q.data.u.full-file.rep
=/ jon=(unit json) (de-json:html body)
?~ jon
(strand-fail:strandio %bad-body ~[body])
=* job u.jon
~| job
=, dejs:format
=/ [typ=@t exp=@da tok=@t]
((ot 'token_type'^so 'expires_in'^du 'access_token'^so ~) job)
?> =('Bearer' typ)
%- pure:m
[tok exp]
--