Fix token generation

google-auth-library is not needed, as IAMCredentialsClient is doing
everything - loading credentials from JSON when passed, so no need to
additionally prepare this

package.json

@@ -27,8 +27,8 @@
     "@azure/ms-rest-azure-js": "^2.0.1",
     "@azure/ms-rest-js": "^2.6.6",
     "@azure/ms-rest-nodeauth": "^3.0.5",
-    "@google-cloud/iam-credentials": "^3.1.0",
-    "@googleapis/compute": "^9.0.0",
+    "@google-cloud/compute": "^4.4.0",
+    "@google-cloud/iam-credentials": "^3.2.0",
     "@graphql-tools/schema": "^10.0.3",
     "@octokit/auth-app": "^4.0.7",
     "@octokit/core": "^3.0.0",
@@ -58,7 +58,6 @@
     "fast-azure-storage": "^3.1.2",
     "fast-json-stable-stringify": "^2.0.0",
     "generate-password": "^1.5.0",
-    "google-auth-library": "^9.7.0",
     "got": "^14.2.1",
     "graphql": "^16.8.1",
     "graphql-depth-limit": "^1.1.0",

services/auth/src/api.js

@@ -147,7 +147,7 @@ const builder = new APIBuilder({
     // the loaded config
     'cfg',
 
-    // An object containing {googleapis, auth, credentials} for interacting
+    // An object containing { allowedServiceAccounts, credentials, iamCredentialsClient } for interacting
     // with GCP.
     'gcp',
   ],

services/auth/src/gcp.js

@@ -49,10 +49,15 @@ export const gcpBuilder = builder => builder.declare({
         'https://www.googleapis.com/auth/cloud-platform',
       ],
       delegates: [],
-      lifetime: '3600s',
+      lifetime: {
+        seconds: 3600,
+      },
     });
 
-    return res.reply(response.data);
+    const [{ accessToken, expireTime }] = response;
+    const expires = new Date(expireTime.seconds * 1000);
+
+    return res.reply({ accessToken, expireTime: expires.toISOString() });
   } catch (err) {
     return res.reportError('ResourceNotFound', err.message);
   }

services/auth/src/main.js

@@ -15,7 +15,6 @@ import createSignatureValidator from './signaturevalidator.js';
 import taskcluster from 'taskcluster-client';
 import makeSentryManager from './sentrymanager.js';
 import * as libPulse from 'taskcluster-lib-pulse';
-import * as googleapis from 'google-auth-library';
 import { IAMCredentialsClient } from '@google-cloud/iam-credentials';
 import assert from 'assert';
 import { fileURLToPath } from 'url';
@@ -174,7 +173,7 @@ const load = Loader({
       assert(projectIds.length <= 1, "at most one GCP project is supported");
 
       if (projectIds.length === 0) {
-        return { googleapis, auth: {}, credentials: {}, allowedServiceAccounts: [] };
+        return { auth: {}, credentials: {}, allowedServiceAccounts: [] };
       }
 
       const project = projects[projectIds[0]];
@@ -183,21 +182,16 @@ const load = Loader({
 
       assert(Array.isArray(allowedServiceAccounts));
 
-      // note that this service can currently start up correctly without GCP
-      // credentials configured.
-      const auth = credentials ? googleapis.auth.fromJSON(credentials) : {};
-
-      auth.scopes = [
-        'https://www.googleapis.com/auth/cloud-platform',
-        'https://www.googleapis.com/auth/iam',
-      ];
-
-      const iamCredentialsClient = new IAMCredentialsClient({ credentials: auth });
+      const iamCredentialsClient = new IAMCredentialsClient({
+        scopes: [
+          'https://www.googleapis.com/auth/cloud-platform',
+          'https://www.googleapis.com/auth/iam',
+        ],
+        credentials,
+      });
 
       // return an object with..
       return {
-        // the constructed auth object
-        auth,
         // and the credentials configuration
         credentials,
         // service accounts we allow to generate temporary credentials from

services/auth/test/helper.js

@@ -275,8 +275,8 @@ helper.withServers = (mock, skipping) => {
  * using real credentials.
  */
 helper.withGcp = (mock, skipping) => {
-  const fakeGoogleApis = ({ auth }) => {
-    const { client_email } = auth.testCredentials;
+  const fakeGoogleApis = ({ credentials }) => {
+    const { client_email } = credentials;
     return {
       generateAccessToken: async ({ name, scope, delegates, lifetime }) => {
         if (name === 'projects/-/serviceAccounts/invalid@mozilla.com') {
@@ -285,14 +285,16 @@ helper.withGcp = (mock, skipping) => {
         assert.equal(name, `projects/-/serviceAccounts/${client_email}`);
         assert.deepEqual(scope, ['https://www.googleapis.com/auth/cloud-platform']);
         assert.deepEqual(delegates, []);
-        assert.equal(lifetime, '3600s');
+        assert.deepEqual(lifetime, { seconds: 3600 });
 
-        return {
-          data: {
+        return [
+          {
             accessToken: 'sekrit',
-            expireTime: new Date(1978, 6, 15).toJSON(),
+            expireTime: { seconds: Math.floor(new Date(1978, 6, 15).getTime() / 1000), nanos: 0 },
           },
-        };
+          null,
+          null,
+        ];
       },
     };
   };
@@ -307,15 +309,13 @@ helper.withGcp = (mock, skipping) => {
         project_id: 'testproject',
         client_email: 'test_client@example.com',
       };
-      const auth = { testCredentials: credentials };
       const allowedServiceAccounts = [
         credentials.client_email,
         'invalid@mozilla.com',
       ];
 
       load.inject('gcp', {
-        auth,
-        iamCredentialsClient: fakeGoogleApis({ auth }),
+        iamCredentialsClient: fakeGoogleApis({ credentials }),
         credentials,
         allowedServiceAccounts,
       });

yarn.lock

@@ -1503,21 +1503,21 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@google-cloud/iam-credentials@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "@google-cloud/iam-credentials@npm:3.1.0"
+"@google-cloud/compute@npm:^4.4.0":
+  version: 4.4.0
+  resolution: "@google-cloud/compute@npm:4.4.0"
   dependencies:
     google-gax: "npm:^4.0.3"
-  checksum: 10c0/ec682ae1dd7559076f22697f11405191854a0977341a5fa617cbaaca8e9f207764569cb3701f7071364e8d91a2081b8d8831171057a8b002d4d95a0b1bf5d6c8
+  checksum: 10c0/c21a84d78f0018a4d4c16aa25580b84ff2865f4a9a559fab41bae31a2bf5355cc5118b1c3e986e0ee9a64fb3260a61a49b59d531650a6417e51af89f36d632ed
   languageName: node
   linkType: hard
 
-"@googleapis/compute@npm:^9.0.0":
-  version: 9.0.0
-  resolution: "@googleapis/compute@npm:9.0.0"
+"@google-cloud/iam-credentials@npm:^3.2.0":
+  version: 3.2.0
+  resolution: "@google-cloud/iam-credentials@npm:3.2.0"
   dependencies:
-    googleapis-common: "npm:^7.0.0"
-  checksum: 10c0/0d9a962d14097318455f4c21ee62d2ec29e64c2d44e042605ac31e2b5bd0ba3f45ab411bb2c1738bbcad38af7961a1e40d9adb109a2a05fc8b309ca55d947b5c
+    google-gax: "npm:^4.0.3"
+  checksum: 10c0/4a109b296956ac6a1b8f3cf2a573426398a85cc4b58612758028fb3d0d30a78ec8a1df3a6a79f20e7d23b7212c0f06f58bf4f021f16b5dbb114a5da713bdfc0d
   languageName: node
   linkType: hard
 
@@ -6507,7 +6507,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"gaxios@npm:^6.0.0, gaxios@npm:^6.0.3, gaxios@npm:^6.1.1":
+"gaxios@npm:^6.0.0, gaxios@npm:^6.1.1":
   version: 6.3.0
   resolution: "gaxios@npm:6.3.0"
   dependencies:
@@ -6697,7 +6697,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"google-auth-library@npm:^9.3.0, google-auth-library@npm:^9.7.0":
+"google-auth-library@npm:^9.3.0":
   version: 9.7.0
   resolution: "google-auth-library@npm:9.7.0"
   dependencies:
@@ -6731,20 +6731,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"googleapis-common@npm:^7.0.0":
-  version: 7.1.0
-  resolution: "googleapis-common@npm:7.1.0"
-  dependencies:
-    extend: "npm:^3.0.2"
-    gaxios: "npm:^6.0.3"
-    google-auth-library: "npm:^9.7.0"
-    qs: "npm:^6.7.0"
-    url-template: "npm:^2.0.8"
-    uuid: "npm:^9.0.0"
-  checksum: 10c0/6ef780c3b26a41cb4d4934978271c39154264d1843901021593c4ef72f9fce02bfbab6a837bf45019ce1612cab3c57f1742da5f28ce50e0f4d1ff22404d8b45e
-  languageName: node
-  linkType: hard
-
 "gopd@npm:^1.0.1":
   version: 1.0.1
   resolution: "gopd@npm:1.0.1"
@@ -10137,15 +10123,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"qs@npm:^6.7.0":
-  version: 6.12.0
-  resolution: "qs@npm:6.12.0"
-  dependencies:
-    side-channel: "npm:^1.0.6"
-  checksum: 10c0/e165a77ac5f3ca60c15c5f3d51b321ddec7aa438804436b29d160117bc6fb7bf7dab94abd0c7d7c0785890d3a75ae41e1d6346e158aaf1540c6fe53a31f11675
-  languageName: node
-  linkType: hard
-
 "qs@npm:~6.5.2":
   version: 6.5.3
   resolution: "qs@npm:6.5.3"
@@ -11761,8 +11738,8 @@ __metadata:
     "@azure/ms-rest-azure-js": "npm:^2.0.1"
     "@azure/ms-rest-js": "npm:^2.6.6"
     "@azure/ms-rest-nodeauth": "npm:^3.0.5"
-    "@google-cloud/iam-credentials": "npm:^3.1.0"
-    "@googleapis/compute": "npm:^9.0.0"
+    "@google-cloud/compute": "npm:^4.4.0"
+    "@google-cloud/iam-credentials": "npm:^3.2.0"
     "@graphql-tools/schema": "npm:^10.0.3"
     "@octokit/auth-app": "npm:^4.0.7"
     "@octokit/core": "npm:^3.0.0"
@@ -11809,7 +11786,6 @@ __metadata:
     generate-password: "npm:^1.5.0"
     github-slugger: "npm:^2.0.0"
     glob: "npm:^8.0.3"
-    google-auth-library: "npm:^9.7.0"
     got: "npm:^14.2.1"
     graphql: "npm:^16.8.1"
     graphql-depth-limit: "npm:^1.1.0"
@@ -12299,13 +12275,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"url-template@npm:^2.0.8":
-  version: 2.0.8
-  resolution: "url-template@npm:2.0.8"
-  checksum: 10c0/56a15057eacbcf05d52b0caed8279c8451b3dd9d32856a1fdd91c6dc84dcb1646f12bafc756b7ade62ca5b1564da8efd7baac5add35868bafb43eb024c62805b
-  languageName: node
-  linkType: hard
-
 "util-deprecate@npm:^1.0.1, util-deprecate@npm:~1.0.1":
   version: 1.0.2
   resolution: "util-deprecate@npm:1.0.2"