about summary refs log tree commit diff
path: root/tools/nixery/server/config/config.go
diff options
context:
space:
mode:
authorVincent Ambo <tazjin@google.com>2019-10-27T12·36+0100
committerVincent Ambo <github@tazj.in>2019-10-27T12·58+0100
commit3a5db4f9f184d38799cda1ca83039d11ff457c04 (patch)
tree696379416d1da5824c3abda53b6ab2286babceff /tools/nixery/server/config/config.go
parentcca835ae37cc35f3cae80afe5af8049009a6aa89 (diff)
refactor(server): Load GCS signing key from service account key
The JSON file generated for service account keys already contains the
required information for signing URLs in GCS, thus the environment
variables for toggling signing behaviour have been removed.

Signing is now enabled automatically in the presence of service
account credentials (i.e. `GOOGLE_APPLICATION_CREDENTIALS`).
Diffstat (limited to 'tools/nixery/server/config/config.go')
-rw-r--r--tools/nixery/server/config/config.go28
1 files changed, 16 insertions, 12 deletions
diff --git a/tools/nixery/server/config/config.go b/tools/nixery/server/config/config.go
index fe05734ee6ac..6c1baafce8c1 100644
--- a/tools/nixery/server/config/config.go
+++ b/tools/nixery/server/config/config.go
@@ -23,29 +23,33 @@ import (
 
 	"cloud.google.com/go/storage"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/oauth2/google"
 )
 
-// Load (optional) GCS bucket signing data from the GCS_SIGNING_KEY and
-// GCS_SIGNING_ACCOUNT envvars.
+// Configure GCS URL signing in the presence of a service account key
+// (toggled if the user has set GOOGLE_APPLICATION_CREDENTIALS).
 func signingOptsFromEnv() *storage.SignedURLOptions {
-	path := os.Getenv("GCS_SIGNING_KEY")
-	id := os.Getenv("GCS_SIGNING_ACCOUNT")
-
-	if path == "" || id == "" {
-		log.Info("GCS URL signing disabled")
+	path := os.Getenv("GOOGLE_APPLICATION_CREDENTIALS")
+	if path == "" {
 		return nil
 	}
 
-	log.WithField("account", id).Info("GCS URL signing enabled")
+	key, err := ioutil.ReadFile(path)
+	if err != nil {
+		log.WithError(err).WithField("file", path).Fatal("failed to read service account key")
+	}
 
-	k, err := ioutil.ReadFile(path)
+	conf, err := google.JWTConfigFromJSON(key)
 	if err != nil {
-		log.WithError(err).WithField("file", path).Fatal("failed to read GCS signing key")
+		log.WithError(err).WithField("file", path).Fatal("failed to parse service account key")
 	}
 
+	log.WithField("account", conf.Email).Info("GCS URL signing enabled")
+
 	return &storage.SignedURLOptions{
-		GoogleAccessID: id,
-		PrivateKey:     k,
+		Scheme:         storage.SigningSchemeV4,
+		GoogleAccessID: conf.Email,
+		PrivateKey:     conf.PrivateKey,
 		Method:         "GET",
 	}
 }