Merge pull request #9 from emahiro/feature/improve_token_implemetation

Improve toke implementation
DeNA · Oct 29, 2019 · c36ba1d · c36ba1d
2 parents f1709fa + 4483724
commit c36ba1d
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 21 deletions.
diff --git a/client.go b/client.go
@@ -1,30 +1,36 @@
-// package aehcl provides HTTP RoundTripper for authentication service-to-service
-// in Google App Engine.
-
+// Package aehcl provides service-to-service authentication in Google App Engine.
 package aehcl
 
 import (
 	"net/http"
 )
 
 type transport struct {
-	base  http.RoundTripper
-	token tokenSource
+	base http.RoundTripper
 }
 
-// Transport is an implementation of RoundTripper with TokenSource required authentication service-to-service.
-// If base http RoundTripper is nil, it sets DefaultTransport.
+// Transport is an implementation of http.RoundTripper for App Engine.
+// When required service-to-service authentication, create http.Client using this transport.
+// If base http RoundTripper is nil, it sets http.DefaultTransport.
 func Transport(base http.RoundTripper) http.RoundTripper {
 	t := &transport{
-		base:  base,
-		token: token(),
+		base: base,
 	}
 	if base == nil {
 		t.base = http.DefaultTransport
 	}
 	return t
 }
 
+// RoundTrip issues a request with identity token required service-to-service authentication described in
+// https://cloud.google.com/run/docs/authenticating/service-to-service.
+// When failed to obtain the identity token from metadata API (e.g. in local environment), uses access token generated
+// from service account credentials.
+//
+// If uses service-to-serivce authentication, server that receives the request must be implemented to validate the token
+// added to Authorization header.
+// In case of identity token, verify the identity token using the public key provided by Google.
+// In case of access token, check the access token has permission to execute some operation requested by the receiver.
 func (t *transport) RoundTrip(ireq *http.Request) (*http.Response, error) {
 	token, err := t.token()
 	if err != nil {
@@ -43,6 +49,10 @@ func (t *transport) RoundTrip(ireq *http.Request) (*http.Response, error) {
 	return t.base.RoundTrip(req)
 }
 
+func (t *transport) token() (string, error) {
+	return fetchToken()
+}
+
 func cloneHeader(h http.Header) http.Header {
 	nv := 0
 	for _, v := range h {

diff --git a/client_test.go b/client_test.go
@@ -39,6 +39,8 @@ func TestRoundTrip(t *testing.T) {
 				Transport: tt.arg,
 			}
 			server := httptest.NewServer(tt.handler)
+			defer server.Close()
+
 			client.Get(server.URL)
 		})
 	}

diff --git a/identity.go b/identity.go
@@ -9,21 +9,13 @@ import (
 	"golang.org/x/oauth2/google"
 )
 
-type tokenSource func() (string, error)
-
-func token() tokenSource {
-	return func() (string, error) {
-		return fetchToken()
-	}
-}
-
 func fetchToken() (string, error) {
-	// get idToken from metadata of gcp
-	if idToken, err := fetchIDToken(); err == nil {
-		return idToken, nil
+	// fetch idToken from metadata of gcp
+	if idt, err := fetchIDToken(); err == nil {
+		return idt, nil
 	}
 
-	// get accesstoken from local `GOOGLE_APPLICATION_CREDENTIALS`
+	// fetch accesstoken from local `GOOGLE_APPLICATION_CREDENTIALS`
 	lat, err := fetchLocalAccessToken()
 	if err != nil {
 		return "", err