gogcli/internal/googleapi/client.go
tengis 45c272ffe8
feat(auth): add Application Default Credentials (ADC) auth mode (#357)
* feat: add Application Default Credentials (ADC) auth mode

When GOG_AUTH_MODE=adc, the CLI authenticates using ambient credentials
(GKE Workload Identity, GOOGLE_APPLICATION_CREDENTIALS, or gcloud ADC)
instead of the keyring-based OAuth flow. This enables use in environments
like GKE pods where the service account accesses resources explicitly
shared with it — no domain-wide delegation or user impersonation needed.

The account email is no longer required in ADC mode; requireAccount()
returns "adc" as a placeholder when no --account/GOG_ACCOUNT is set.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(auth): add ADC mode (#357) (thanks @tengis617)

* fix(auth): satisfy ADC lint on landed branch (#357)

* test(auth): fix ADC test whitespace lint (#357)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-03-08 17:18:18 +00:00

120 lines
3.6 KiB
Go

package googleapi
import (
"context"
"crypto/tls"
"fmt"
"log/slog"
"net/http"
"os"
"time"
"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
"google.golang.org/api/option"
"github.com/steipete/gogcli/internal/googleauth"
)
const (
// responseHeaderTimeout limits the time waiting for the server to begin
// responding (send response headers). Once headers arrive and the body
// starts streaming, there is no hard cap — large file downloads are not
// cut short. This replaces the former http.Client.Timeout which applied
// to the entire request lifecycle and caused timeouts on large Drive
// file downloads.
responseHeaderTimeout = 30 * time.Second
// tokenExchangeTimeout is applied to the short-lived HTTP client used
// for OAuth2 token refresh exchanges, which should always be fast.
tokenExchangeTimeout = 30 * time.Second
)
var newADCTokenSource = google.DefaultTokenSource
func optionsForAccount(ctx context.Context, service googleauth.Service, email string) ([]option.ClientOption, error) {
scopes, err := googleauth.Scopes(service)
if err != nil {
return nil, fmt.Errorf("resolve scopes: %w", err)
}
return optionsForAccountScopes(ctx, string(service), email, scopes)
}
// IsADCMode reports whether Application Default Credentials mode is active.
// When GOG_AUTH_MODE=adc, the CLI authenticates using the ambient credentials
// (e.g. GKE Workload Identity, GOOGLE_APPLICATION_CREDENTIALS, or gcloud ADC)
// instead of the keyring-based OAuth flow. The service account accesses only
// resources explicitly shared with it — no domain-wide delegation needed.
func IsADCMode() bool {
return os.Getenv("GOG_AUTH_MODE") == "adc"
}
func optionsForAccountScopes(ctx context.Context, serviceLabel string, email string, scopes []string) ([]option.ClientOption, error) {
slog.Debug("creating client options with custom scopes", "serviceLabel", serviceLabel, "email", email)
var ts oauth2.TokenSource
if IsADCMode() {
slog.Debug("using Application Default Credentials (GOG_AUTH_MODE=adc)", "serviceLabel", serviceLabel)
adcTS, err := newADCTokenSource(ctx, scopes...)
if err != nil {
return nil, fmt.Errorf("ADC token source: %w", err)
}
ts = adcTS
} else {
var err error
ts, err = tokenSourceForAvailableAccountAuth(ctx, serviceLabel, email, scopes)
if err != nil {
return nil, err
}
}
baseTransport := newBaseTransport()
retryTransport := NewRetryTransport(&oauth2.Transport{
Source: ts,
Base: baseTransport,
})
c := &http.Client{
Transport: retryTransport,
// No Timeout set: large file downloads (Drive videos, etc.) must not
// be cut short. Server responsiveness is guarded by the transport's
// ResponseHeaderTimeout instead.
}
slog.Debug("client options with custom scopes created successfully", "serviceLabel", serviceLabel, "email", email)
return []option.ClientOption{option.WithHTTPClient(c)}, nil
}
func newBaseTransport() *http.Transport {
defaultTransport, ok := http.DefaultTransport.(*http.Transport)
if !ok || defaultTransport == nil {
return &http.Transport{
Proxy: http.ProxyFromEnvironment,
TLSClientConfig: &tls.Config{
MinVersion: tls.VersionTLS12,
},
ResponseHeaderTimeout: responseHeaderTimeout,
}
}
// Clone() deep-copies TLSClientConfig, so no additional clone needed.
transport := defaultTransport.Clone()
transport.ResponseHeaderTimeout = responseHeaderTimeout
if transport.TLSClientConfig == nil {
transport.TLSClientConfig = &tls.Config{MinVersion: tls.VersionTLS12}
return transport
}
if transport.TLSClientConfig.MinVersion < tls.VersionTLS12 {
transport.TLSClientConfig.MinVersion = tls.VersionTLS12
}
return transport
}