package googleapi import ( "context" "crypto/tls" "fmt" "log/slog" "net/http" "os" "time" "golang.org/x/oauth2" "golang.org/x/oauth2/google" "google.golang.org/api/option" "github.com/steipete/gogcli/internal/googleauth" ) const ( // responseHeaderTimeout limits the time waiting for the server to begin // responding (send response headers). Once headers arrive and the body // starts streaming, there is no hard cap — large file downloads are not // cut short. This replaces the former http.Client.Timeout which applied // to the entire request lifecycle and caused timeouts on large Drive // file downloads. responseHeaderTimeout = 30 * time.Second // tokenExchangeTimeout is applied to the short-lived HTTP client used // for OAuth2 token refresh exchanges, which should always be fast. tokenExchangeTimeout = 30 * time.Second ) var newADCTokenSource = google.DefaultTokenSource func optionsForAccount(ctx context.Context, service googleauth.Service, email string) ([]option.ClientOption, error) { scopes, err := googleauth.Scopes(service) if err != nil { return nil, fmt.Errorf("resolve scopes: %w", err) } return optionsForAccountScopes(ctx, string(service), email, scopes) } type googleServiceFactory[T any] func(context.Context, ...option.ClientOption) (*T, error) func newGoogleServiceForAccount[T any]( ctx context.Context, email string, service googleauth.Service, label string, factory googleServiceFactory[T], ) (*T, error) { opts, err := optionsForAccount(ctx, service, email) if err != nil { return nil, fmt.Errorf("%s options: %w", label, err) } return newGoogleService(ctx, label, opts, factory) } func newGoogleServiceForScopes[T any]( ctx context.Context, email string, serviceLabel string, errorLabel string, scopes []string, factory googleServiceFactory[T], ) (*T, error) { opts, err := optionsForAccountScopes(ctx, serviceLabel, email, scopes) if err != nil { return nil, fmt.Errorf("%s options: %w", errorLabel, err) } return newGoogleService(ctx, errorLabel, opts, factory) } func newGoogleService[T any]( ctx context.Context, label string, opts []option.ClientOption, factory googleServiceFactory[T], ) (*T, error) { svc, err := factory(ctx, opts...) if err != nil { return nil, fmt.Errorf("create %s service: %w", label, err) } return svc, nil } // IsADCMode reports whether Application Default Credentials mode is active. // When GOG_AUTH_MODE=adc, the CLI authenticates using the ambient credentials // (e.g. GKE Workload Identity, GOOGLE_APPLICATION_CREDENTIALS, or gcloud ADC) // instead of the keyring-based OAuth flow. The service account accesses only // resources explicitly shared with it — no domain-wide delegation needed. func IsADCMode() bool { return os.Getenv("GOG_AUTH_MODE") == "adc" } func authenticatedTransport(ctx context.Context, serviceLabel string, email string, scopes []string) (http.RoundTripper, error) { var ts oauth2.TokenSource if IsADCMode() { slog.Debug("using Application Default Credentials (GOG_AUTH_MODE=adc)", "serviceLabel", serviceLabel) adcTS, err := newADCTokenSource(ctx, scopes...) if err != nil { return nil, fmt.Errorf("ADC token source: %w", err) } ts = adcTS } else { var err error ts, err = tokenSourceForAvailableAccountAuth(ctx, serviceLabel, email, scopes) if err != nil { return nil, err } } return NewRetryTransport(&oauth2.Transport{ Source: ts, Base: newBaseTransport(), }), nil } func optionsForAccountScopes(ctx context.Context, serviceLabel string, email string, scopes []string) ([]option.ClientOption, error) { slog.Debug("creating client options with custom scopes", "serviceLabel", serviceLabel, "email", email) transport, err := authenticatedTransport(ctx, serviceLabel, email, scopes) if err != nil { return nil, err } c := &http.Client{ Transport: transport, // No Timeout set: large file downloads (Drive videos, etc.) must not // be cut short. Server responsiveness is guarded by the transport's // ResponseHeaderTimeout instead. } slog.Debug("client options with custom scopes created successfully", "serviceLabel", serviceLabel, "email", email) return []option.ClientOption{option.WithHTTPClient(c)}, nil } // NewHTTPClient returns a raw *http.Client authenticated for the given service // and account. The caller may set CheckRedirect or other policies on the // returned client. func NewHTTPClient(ctx context.Context, service googleauth.Service, email string) (*http.Client, error) { scopes, err := googleauth.Scopes(service) if err != nil { return nil, fmt.Errorf("resolve scopes: %w", err) } transport, err := authenticatedTransport(ctx, string(service), email, scopes) if err != nil { return nil, err } return &http.Client{Transport: transport}, nil } func newBaseTransport() *http.Transport { defaultTransport, ok := http.DefaultTransport.(*http.Transport) if !ok || defaultTransport == nil { return &http.Transport{ Proxy: http.ProxyFromEnvironment, TLSClientConfig: &tls.Config{ MinVersion: tls.VersionTLS12, }, ResponseHeaderTimeout: responseHeaderTimeout, } } // Clone() deep-copies TLSClientConfig, so no additional clone needed. transport := defaultTransport.Clone() transport.ResponseHeaderTimeout = responseHeaderTimeout if transport.TLSClientConfig == nil { transport.TLSClientConfig = &tls.Config{MinVersion: tls.VersionTLS12} return transport } if transport.TLSClientConfig.MinVersion < tls.VersionTLS12 { transport.TLSClientConfig.MinVersion = tls.VersionTLS12 } return transport }