Fix token generation

google-auth-library is not needed, as IAMCredentialsClient is doing everything - loading credentials from JSON when passed, so no need to additionally prepare this
taskcluster · Apr 26, 2024 · c4d5f2b · c4d5f2b
1 parent 8aefd60
commit c4d5f2b
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 26 deletions.
diff --git a/services/auth/src/gcp.js b/services/auth/src/gcp.js
@@ -49,10 +49,15 @@ export const gcpBuilder = builder => builder.declare({
         'https://www.googleapis.com/auth/cloud-platform',
       ],
       delegates: [],
-      lifetime: '3600s',
+      lifetime: {
+        seconds: 3600,
+      },
     });
 
-    return res.reply(response.data);
+    const [{ accessToken, expireTime }] = response;
+    const expires = new Date(expireTime.seconds * 1000);
+
+    return res.reply({ accessToken, expireTime: expires.toISOString() });
   } catch (err) {
     return res.reportError('ResourceNotFound', err.message);
   }

diff --git a/services/auth/src/main.js b/services/auth/src/main.js
@@ -15,7 +15,6 @@ import createSignatureValidator from './signaturevalidator.js';
 import taskcluster from 'taskcluster-client';
 import makeSentryManager from './sentrymanager.js';
 import * as libPulse from 'taskcluster-lib-pulse';
-import * as googleapis from 'google-auth-library';
 import { IAMCredentialsClient } from '@google-cloud/iam-credentials';
 import assert from 'assert';
 import { fileURLToPath } from 'url';
@@ -174,7 +173,7 @@ const load = Loader({
       assert(projectIds.length <= 1, "at most one GCP project is supported");
 
       if (projectIds.length === 0) {
-        return { googleapis, auth: {}, credentials: {}, allowedServiceAccounts: [] };
+        return { auth: {}, credentials: {}, allowedServiceAccounts: [] };
       }
 
       const project = projects[projectIds[0]];
@@ -183,21 +182,16 @@ const load = Loader({
 
       assert(Array.isArray(allowedServiceAccounts));
 
-      // note that this service can currently start up correctly without GCP
-      // credentials configured.
-      const auth = credentials ? googleapis.auth.fromJSON(credentials) : {};
-
-      auth.scopes = [
-        'https://www.googleapis.com/auth/cloud-platform',
-        'https://www.googleapis.com/auth/iam',
-      ];
-
-      const iamCredentialsClient = new IAMCredentialsClient({ credentials: auth });
+      const iamCredentialsClient = new IAMCredentialsClient({
+        scopes: [
+          'https://www.googleapis.com/auth/cloud-platform',
+          'https://www.googleapis.com/auth/iam',
+        ],
+        credentials,
+      });
 
       // return an object with..
       return {
-        // the constructed auth object
-        auth,
         // and the credentials configuration
         credentials,
         // service accounts we allow to generate temporary credentials from

diff --git a/services/auth/test/helper.js b/services/auth/test/helper.js
@@ -275,8 +275,8 @@ helper.withServers = (mock, skipping) => {
  * using real credentials.
  */
 helper.withGcp = (mock, skipping) => {
-  const fakeGoogleApis = ({ auth }) => {
-    const { client_email } = auth.testCredentials;
+  const fakeGoogleApis = ({ credentials }) => {
+    const { client_email } = credentials;
     return {
       generateAccessToken: async ({ name, scope, delegates, lifetime }) => {
         if (name === 'projects/-/serviceAccounts/invalid@mozilla.com') {
@@ -285,14 +285,16 @@ helper.withGcp = (mock, skipping) => {
         assert.equal(name, `projects/-/serviceAccounts/${client_email}`);
         assert.deepEqual(scope, ['https://www.googleapis.com/auth/cloud-platform']);
         assert.deepEqual(delegates, []);
-        assert.equal(lifetime, '3600s');
+        assert.deepEqual(lifetime, { seconds: 3600 });
 
-        return {
-          data: {
+        return [
+          {
             accessToken: 'sekrit',
-            expireTime: new Date(1978, 6, 15).toJSON(),
+            expireTime: { seconds: Math.floor(new Date(1978, 6, 15).getTime() / 1000), nanos: 0 },
           },
-        };
+          null,
+          null,
+        ];
       },
     };
   };
@@ -307,15 +309,13 @@ helper.withGcp = (mock, skipping) => {
         project_id: 'testproject',
         client_email: 'test_client@example.com',
       };
-      const auth = { testCredentials: credentials };
       const allowedServiceAccounts = [
         credentials.client_email,
         'invalid@mozilla.com',
       ];
 
       load.inject('gcp', {
-        auth,
-        iamCredentialsClient: fakeGoogleApis({ auth }),
+        iamCredentialsClient: fakeGoogleApis({ credentials }),
         credentials,
         allowedServiceAccounts,
       });