Use gcloud oauth token before trying application default credentials (GoogleCloudPlatform#198)

This changes the oauth token source to first try to retrieve auth tokens using `gcloud config config-helper` first before trying application default credentials. This behavior will only exist when the proxy is invoked as a binary, but not when it is used as a library. The intent here is that its likely reasonable for individuals to run the proxy, but if they are using the proxy as a library, we do still want to encourage them to use a service account, since that is more reliable for production configurations

Author: hfwang

cmd/cloud_sql_proxy/cloud_sql_proxy.go

@@ -20,16 +20,13 @@
 package main
 
 import (
-	"bytes"
-	"encoding/json"
 	"errors"
 	"flag"
 	"fmt"
 	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -40,6 +37,7 @@ import (
 	"github.com/GoogleCloudPlatform/cloudsql-proxy/proxy/fuse"
 	"github.com/GoogleCloudPlatform/cloudsql-proxy/proxy/limits"
 	"github.com/GoogleCloudPlatform/cloudsql-proxy/proxy/proxy"
+	"github.com/GoogleCloudPlatform/cloudsql-proxy/proxy/util"
 
 	"cloud.google.com/go/compute/metadata"
 	"golang.org/x/net/context"
@@ -85,25 +83,13 @@ can be removed automatically by this program.`)
 You may set the GOOGLE_APPLICATION_CREDENTIALS environment variable for the same effect.`)
 	ipAddressTypes = flag.String("ip_address_types", "PRIMARY", "Default to be 'PRIMARY'. Options: a list of strings separated by ',', e.g. 'PRIMARY, PRIVATE' ")
 
-	// Set to non-default value when gcloud execution failed.
-	gcloudStatus gcloudStatusCode
-
 	// Setting to choose what API to connect to
 	host = flag.String("host", "https://www.googleapis.com/sql/v1beta4/", "When set, the proxy uses this host as the base API path.")
 )
 
-type gcloudStatusCode int
-
-const (
-	gcloudOk gcloudStatusCode = iota
-	gcloudNotFound
-	// generic execution failure error not specified above.
-	gcloudExecErr
-)
-
 const (
 	minimumRefreshCfgThrottle = time.Second
-  
+
 	port = 3307
 )
 
@@ -286,7 +272,17 @@ func authenticatedClient(ctx context.Context) (*http.Client, error) {
 		return oauth2.NewClient(ctx, src), nil
 	}
 
-	return goauth.DefaultClient(ctx, proxy.SQLScope)
+	// If flags don't specify an auth source, try either gcloud or application default
+	// credentials.
+	src, err := util.GcloudTokenSource(ctx)
+	if err != nil {
+		src, err = goauth.DefaultTokenSource(ctx, proxy.SQLScope)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return oauth2.NewClient(ctx, src), nil
 }
 
 func stringList(s string) []string {
@@ -343,38 +339,15 @@ func listInstances(ctx context.Context, cl *http.Client, projects []string) ([]s
 	return ret, nil
 }
 
-func gcloudProject() []string {
-	buf := new(bytes.Buffer)
-	cmd := exec.Command("gcloud", "--format", "json", "config", "list", "core/project")
-	cmd.Stdout = buf
-
-	if err := cmd.Run(); err != nil {
-		if strings.Contains(err.Error(), "executable file not found") {
-			// gcloud not found (probably not installed). Ignore the error but record
-			// the status for later use.
-			gcloudStatus = gcloudNotFound
-			return nil
-		}
-		gcloudStatus = gcloudExecErr
-		logging.Errorf("Error detecting gcloud project: %v", err)
-		return nil
-	}
-
-	var data struct {
-		Core struct {
-			Project string
-		}
+func gcloudProject() ([]string, error) {
+	cfg, err := util.GcloudConfig()
+	if err != nil {
+		return nil, err
 	}
-
-	if err := json.Unmarshal(buf.Bytes(), &data); err != nil {
-		gcloudStatus = gcloudExecErr
-		logging.Errorf("Failed to unmarshal bytes from gcloud: %v", err)
-		logging.Errorf("   gcloud returned:\n%s", buf)
-		return nil
+	if cfg.Configuration.Properties.Core.Project == "" {
+		return nil, fmt.Errorf("gcloud has no active project, you can set it by running `gcloud config set project <project>`")
 	}
-
-	logging.Infof("Using gcloud's active project: %v", data.Core.Project)
-	return []string{data.Core.Project}
+	return []string{cfg.Configuration.Properties.Core.Project}, nil
 }
 
 // Main executes the main function of the proxy, allowing it to be called from tests.
@@ -431,7 +404,15 @@ func main() {
 	projList := stringList(*projects)
 	// TODO: it'd be really great to consolidate flag verification in one place.
 	if len(instList) == 0 && *instanceSrc == "" && len(projList) == 0 && !*useFuse {
-		projList = gcloudProject()
+		var err error
+		projList, err = gcloudProject()
+		if err == nil {
+			logging.Infof("Using gcloud's active project: %v", projList)
+		} else if gErr, ok := err.(*util.GcloudError); ok && gErr.Status == util.GcloudNotFound {
+			log.Fatalf("gcloud is not in the path and -instances and -projects are empty")
+		} else {
+			log.Fatalf("unable to retrieve the active gcloud project and -instances and -projects are empty: %v", err)
+		}
 	}
 
 	onGCE := onGCE()
@@ -505,10 +486,10 @@ func main() {
 		Port:           port,
 		MaxConnections: *maxConnections,
 		Certs: certs.NewCertSourceOpts(client, certs.RemoteOpts{
-			APIBasePath:  *host,
-			IgnoreRegion: !*checkRegion,
-			UserAgent:    userAgentFromVersionString(),
-			IPAddrTypeOpts:   ipAddrTypeOptsInput,
+			APIBasePath:    *host,
+			IgnoreRegion:   !*checkRegion,
+			UserAgent:      userAgentFromVersionString(),
+			IPAddrTypeOpts: ipAddrTypeOptsInput,
 		}),
 		Conns:              connset,
 		RefreshCfgThrottle: refreshCfgThrottle,

cmd/cloud_sql_proxy/proxy.go

@@ -349,12 +349,6 @@ func CreateInstanceConfigs(dir string, useFuse bool, instances []string, instanc
 		}
 
 		errStr := fmt.Sprintf("no instance selected because none of %s is specified", flags)
-		switch gcloudStatus {
-		case gcloudNotFound:
-			errStr = fmt.Sprintf("%s and gcloud could not be found in the system path", errStr)
-		case gcloudExecErr:
-			errStr = fmt.Sprintf("%s and gcloud failed to get the project list", errStr)
-		}
 		return nil, errors.New(errStr)
 	}
 	return cfgs, nil

proxy/util/gcloudutil.go

@@ -0,0 +1,119 @@
+// Copyright 2018 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package util
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"os/exec"
+	"runtime"
+	"time"
+
+	"github.com/GoogleCloudPlatform/cloudsql-proxy/logging"
+	"golang.org/x/oauth2"
+)
+
+// GcloudConfigData represents the data returned by `gcloud config config-helper`.
+type GcloudConfigData struct {
+	Configuration struct {
+		Properties struct {
+			Core struct {
+				Project string
+				Account string
+			}
+		}
+	}
+	Credential struct {
+		AccessToken string    `json:"access_token"`
+		TokenExpiry time.Time `json:"token_expiry"`
+	}
+}
+
+func (cfg *GcloudConfigData) oauthToken() *oauth2.Token {
+	return &oauth2.Token{
+		AccessToken: cfg.Credential.AccessToken,
+		Expiry:      cfg.Credential.TokenExpiry,
+	}
+}
+
+type GcloudStatusCode int
+
+const (
+	GcloudOk GcloudStatusCode = iota
+	GcloudNotFound
+	// generic execution failure error not specified above.
+	GcloudExecErr
+)
+
+type GcloudError struct {
+	GcloudError error
+	Status      GcloudStatusCode
+}
+
+func (e *GcloudError) Error() string {
+	return e.GcloudError.Error()
+}
+
+// GcloudConfig returns a GcloudConfigData object or an error of type *GcloudError.
+func GcloudConfig() (*GcloudConfigData, error) {
+	gcloudCmd := "gcloud"
+	if runtime.GOOS == "windows" {
+		gcloudCmd = gcloudCmd + ".cmd"
+	}
+
+	if _, err := exec.LookPath(gcloudCmd); err != nil {
+		return nil, &GcloudError{err, GcloudNotFound}
+	}
+
+	buf := new(bytes.Buffer)
+	cmd := exec.Command(gcloudCmd, "--format", "json", "config", "config-helper")
+	cmd.Stdout = buf
+
+	if err := cmd.Run(); err != nil {
+		logging.Errorf("Error detecting gcloud project: %v", err)
+		return nil, &GcloudError{err, GcloudExecErr}
+	}
+
+	data := &GcloudConfigData{}
+	if err := json.Unmarshal(buf.Bytes(), data); err != nil {
+		logging.Errorf("Failed to unmarshal bytes from gcloud: %v", err)
+		logging.Errorf("   gcloud returned:\n%s", buf)
+		return nil, &GcloudError{err, GcloudExecErr}
+	}
+
+	return data, nil
+}
+
+// gcloudTokenSource implements oauth2.TokenSource via the `gcloud config config-helper` command.
+type gcloudTokenSource struct {
+}
+
+// Token helps gcloudTokenSource implement oauth2.TokenSource.
+func (src *gcloudTokenSource) Token() (*oauth2.Token, error) {
+	cfg, err := GcloudConfig()
+	if err != nil {
+		return nil, err
+	}
+	return cfg.oauthToken(), nil
+}
+
+func GcloudTokenSource(ctx context.Context) (oauth2.TokenSource, error) {
+	cfg, err := GcloudConfig()
+	if err != nil {
+		return nil, err
+	}
+	return oauth2.ReuseTokenSource(cfg.oauthToken(), &gcloudTokenSource{}), nil
+}