added BYOS (Bring Your Own SERVICE_ACCOUNT) for GCS authentication (#3262)

2024-01-27 18:27:12 +05:30
parent 83bbe4ec37
commit aeb6acf640
10 changed files with 88 additions and 12 deletions
--- a/taskchampion/taskchampion/src/server/cloud/gcp.rs
+++ b/taskchampion/taskchampion/src/server/cloud/gcp.rs
@@ -1,5 +1,6 @@
 use super::service::{ObjectInfo, Service};
 use crate::errors::Result;
+use google_cloud_storage::client::google_cloud_auth::credentials::CredentialsFile;
 use google_cloud_storage::client::{Client, ClientConfig};
 use google_cloud_storage::http::error::ErrorResponse;
 use google_cloud_storage::http::Error as GcsError;
@@ -25,9 +26,17 @@ fn is_http_error<T>(query: u16, res: &std::result::Result<T, http::Error>) -> bo
 }

 impl GcpService {
-    pub(in crate::server) fn new(bucket: String) -> Result<Self> {
+    pub(in crate::server) fn new(bucket: String, credential_path: Option<String>) -> Result<Self> {
        let rt = Runtime::new()?;
-        let config = rt.block_on(ClientConfig::default().with_auth())?;
+
+        let credentialpathstring = credential_path.clone().unwrap();
+        let config: ClientConfig = if credential_path.unwrap() == "" {
+            rt.block_on(ClientConfig::default().with_auth())?
+        } else {
+            let credentials = rt.block_on(CredentialsFile::new_from_file(credentialpathstring))?;
+            rt.block_on(ClientConfig::default().with_credentials(credentials))?
+        };
+
        Ok(Self {
            client: Client::new(config),
            rt,
@@ -244,10 +253,16 @@ mod tests {
        let Ok(bucket) = std::env::var("GCP_TEST_BUCKET") else {
            return None;
        };
+
+        let Ok(credential_path) = std::env::var("GCP_TEST_CREDENTIAL_PATH") else {
+            return None;
+        };
+
        let prefix = Uuid::new_v4();
-        Some((GcpService::new(bucket).unwrap(), move |n: &_| {
-            format!("{}-{}", prefix.as_simple(), n).into_bytes()
-        }))
+        Some((
+            GcpService::new(bucket, Some(credential_path)).unwrap(),
+            move |n: &_| format!("{}-{}", prefix.as_simple(), n).into_bytes(),
+        ))
    }

    #[test]
--- a/taskchampion/taskchampion/src/server/config.rs
+++ b/taskchampion/taskchampion/src/server/config.rs
@@ -37,7 +37,12 @@ pub enum ServerConfig {
        /// Bucket in which to store the task data. This bucket must not be used for any other
        /// purpose.
        bucket: String,
-
+        /// Path to a GCP credential file, in JSON format. This is required for GCP access incase
+        /// some other application already makes use of Application Default Credentials.
+        /// See https://cloud.google.com/docs/authentication#service-accounts for more details.
+        /// See https://cloud.google.com/iam/docs/keys-create-delete for instructions on how to
+        /// create a service account key.
+        credential_path: Option<String>,
        /// Private encryption secret used to encrypt all data sent to the server.  This can
        /// be any suitably un-guessable string of bytes.
        encryption_secret: Vec<u8>,
@@ -58,9 +63,10 @@ impl ServerConfig {
            #[cfg(feature = "server-gcp")]
            ServerConfig::Gcp {
                bucket,
+                credential_path,
                encryption_secret,
            } => Box::new(CloudServer::new(
-                GcpService::new(bucket)?,
+                GcpService::new(bucket, credential_path)?,
                encryption_secret,
            )?),
        })