Make it possible to run as a service account (#9)

* Make it possible to run as service account

https://developers.google.com/admin-sdk/directory/v1/guides/delegation

* Delete extra slashes

* Update readme

* Return error when impersonated user not set

* Fix credentials example

* Fix issues with case insensitive import collision

* Add oauth_scopes to the provider config

* Add initial provider and config tests

* Add test for credentials and impersonated user

* Add make test and fix fmt issues

* Rollback repo path

* Use d for integers

* Revert the revert

* Run tests in Travis

Author: psalaberria002

.travis.yml

@@ -16,4 +16,5 @@ install:
 
 script:
   - 'if [ "${TRAVIS_BUILD_DIR}" != "${GOPATH}/src/github.com/DeviaVir/terraform-provider-gsuite" ]; then ln -s "${TRAVIS_BUILD_DIR}" "${GOPATH}/src/github.com/DeviaVir/terraform-provider-gsuite"; fi'
+  - make test
   - make

Gopkg.lock

@@ -95,6 +95,12 @@ dev:
 		-tags "${GOTAGS}" \
 		-o "${PLUGIN_PATH}/terraform-provider-gsuite"
 
+# test runs all tests
+test:
+	go test -i $(TEST) || exit 1
+	echo $(TEST) | \
+		xargs -t -n4 go test $(TESTARGS) -timeout=30s -parallel=4
+
 # dist builds the binaries and then signs and packages them for distribution
 dist:
 ifndef GPG_KEY

Makefile

@@ -2,7 +2,57 @@
 
 This is a terraform provider for managing GSuite (Admin SDK) resources on Google
 
-## Setup
+## Authentication
+
+There are two possible authentication mechanisms for using this provider.
+Using a service account, or a personal admin account. The latter requires
+user interaction, whereas a service account could be used in an automated
+workflow.
+
+See the necessary oauth scopes both for service accounts and users below:
+- https://www.googleapis.com/auth/admin.directory.customer
+- https://www.googleapis.com/auth/admin.directory.group
+- https://www.googleapis.com/auth/admin.directory.orgunit
+- https://www.googleapis.com/auth/admin.directory.user
+- https://www.googleapis.com/auth/admin.directory.userschema
+- https://www.googleapis.com/auth/userinfo.email
+
+You could also provide the minimal set of scopes using the
+`oauth_scopes` variable in the provider configuration.
+
+```
+provider "gsuite" {
+  oauth_scopes = [
+    "https://www.googleapis.com/auth/admin.directory.group"
+  ]
+}
+```
+
+### Using a service account
+
+Service accounts are great for automated workflows.
+
+Only users with access to the Admin APIs can access the Admin SDK Directory API,
+therefore the service account needs to impersonate one of those users
+to access the Admin SDK Directory API.
+
+Follow the instruction at
+https://developers.google.com/admin-sdk/directory/v1/guides/delegation.
+
+Add `credentials` and `impersonated_user_email` when initializing the provider.
+```
+provider "gsuite" {
+  credentials = "/full/path/service-account.json"
+  impersonated_user_email = "admin@xxx.com"
+}
+```
+
+Credentials can also be provided via the following environment variables:
+- GOOGLE_CREDENTIALS
+- GOOGLE_CLOUD_KEYFILE_JSON
+- GCLOUD_KEYFILE_JSON
+
+### Using a personal administrator account
 
 In order to use the Admin SDK with a project, we will first need to create
 credentials for that project, you can do so here:

README.md

@@ -11,9 +11,14 @@ import (
 	"github.com/pkg/errors"
 	"golang.org/x/oauth2/google"
 	directory "google.golang.org/api/admin/directory/v1"
+	"github.com/hashicorp/terraform/helper/pathorcontents"
+	"golang.org/x/oauth2/jwt"
+	"net/http"
+	"strings"
+	"encoding/json"
 )
 
-var oauthScopes = []string{
+var defaultOauthScopes = []string{
 	directory.AdminDirectoryCustomerScope,
 	directory.AdminDirectoryGroupScope,
 	directory.AdminDirectoryGroupMemberScope,
@@ -26,16 +31,68 @@ var oauthScopes = []string{
 
 // Config is the structure used to instantiate the GSuite provider.
 type Config struct {
+	Credentials string
+	// Only users with access to the Admin APIs can access the Admin SDK Directory API,
+	// therefore the service account needs to impersonate one of those users to access the Admin SDK Directory API.
+	// See https://developers.google.com/admin-sdk/directory/v1/guides/delegation
+	ImpersonatedUserEmail string
+
+	OauthScopes []string
+
 	directory *directory.Service
 }
 
 // loadAndValidate loads the application default credentials from the
 // environment and creates a client for communicating with Google APIs.
 func (c *Config) loadAndValidate() error {
-	log.Printf("[INFO] authenticating with local client")
-	client, err := google.DefaultClient(context.Background(), oauthScopes...)
-	if err != nil {
-		return errors.Wrap(err, "failed to create client")
+	var account accountFile
+
+	oauthScopes := c.OauthScopes
+
+
+
+	var client *http.Client
+	if c.Credentials != "" {
+		if c.ImpersonatedUserEmail == "" {
+			return fmt.Errorf("required field missing: impersonated_user_email")
+		}
+
+		contents, _, err := pathorcontents.Read(c.Credentials)
+		if err != nil {
+			return fmt.Errorf("Error loading credentials: %s", err)
+		}
+
+		// Assume account_file is a JSON string
+		if err := parseJSON(&account, contents); err != nil {
+			return fmt.Errorf("Error parsing credentials '%s': %s", contents, err)
+		}
+
+		// Get the token for use in our requests
+		log.Printf("[INFO] Requesting Google token...")
+		log.Printf("[INFO]   -- Email: %s", account.ClientEmail)
+		log.Printf("[INFO]   -- Scopes: %s", oauthScopes)
+		log.Printf("[INFO]   -- Private Key Length: %d", len(account.PrivateKey))
+
+		conf := jwt.Config{
+			Email:      account.ClientEmail,
+			PrivateKey: []byte(account.PrivateKey),
+			Scopes:     oauthScopes,
+			TokenURL:   "https://accounts.google.com/o/oauth2/token",
+		}
+
+		conf.Subject = c.ImpersonatedUserEmail
+
+		// Initiate an http.Client. The following GET request will be
+		// authorized and authenticated on the behalf of
+		// your service account.
+		client = conf.Client(context.Background())
+	} else {
+		log.Printf("[INFO] Authenticating using DefaultClient")
+		err := error(nil)
+		client, err = google.DefaultClient(context.Background(), oauthScopes...)
+		if err != nil {
+			return errors.Wrap(err, "failed to create client")
+		}
 	}
 
 	// Use a custom user-agent string. This helps google with analytics and it's
@@ -54,3 +111,18 @@ func (c *Config) loadAndValidate() error {
 
 	return nil
 }
+
+// accountFile represents the structure of the account file JSON file.
+type accountFile struct {
+	PrivateKeyId string `json:"private_key_id"`
+	PrivateKey   string `json:"private_key"`
+	ClientEmail  string `json:"client_email"`
+	ClientId     string `json:"client_id"`
+}
+
+func parseJSON(result interface{}, contents string) error {
+	r := strings.NewReader(contents)
+	dec := json.NewDecoder(r)
+
+	return dec.Decode(result)
+}

gsuite/config.go

@@ -0,0 +1,75 @@
+package gsuite
+
+import (
+	"io/ioutil"
+	"testing"
+)
+
+const testFakeCredentialsPath = "./test-fixtures/fake_account.json"
+
+func TestConfigLoadAndValidate_accountFilePath(t *testing.T) {
+	config := Config{
+		Credentials: testFakeCredentialsPath,
+		ImpersonatedUserEmail: "xxx@xxx.xom",
+	}
+
+	err := config.loadAndValidate()
+	if err != nil {
+		t.Fatalf("error: %v", err)
+	}
+}
+
+func TestConfigLoadAndValidate_accountFileJSON(t *testing.T) {
+	contents, err := ioutil.ReadFile(testFakeCredentialsPath)
+	if err != nil {
+		t.Fatalf("error: %v", err)
+	}
+	config := Config{
+		Credentials: string(contents),
+		ImpersonatedUserEmail: "xxx@xxx.xom",
+	}
+
+	err = config.loadAndValidate()
+	if err != nil {
+		t.Fatalf("error: %v", err)
+	}
+}
+
+func TestConfigLoadAndValidate_accountFileJSONInvalid(t *testing.T) {
+	config := Config{
+		Credentials: "{this is not json}",
+	}
+
+	if config.loadAndValidate() == nil {
+		t.Fatalf("expected error, but got nil")
+	}
+}
+
+func TestConfigLoadAndValidate_noImpersonatedEmail(t *testing.T) {
+	// ImpersonatedUserEmail empty string when credentials set
+	config := Config{
+		Credentials: testFakeCredentialsPath,
+		ImpersonatedUserEmail: "",
+	}
+
+	err := config.loadAndValidate()
+	if err == nil {
+		t.Fatalf("error: %v", err)
+	}
+	if err.Error() != "required field missing: impersonated_user_email" {
+		t.Fatalf("error: %v", err)
+	}
+
+	// ImpersonatedUserEmail not provided when credentials set
+	config = Config{
+		Credentials: testFakeCredentialsPath,
+	}
+
+	err = config.loadAndValidate()
+	if err == nil {
+		t.Fatalf("error: %v", err)
+	}
+	if err.Error() != "required field missing: impersonated_user_email" {
+		t.Fatalf("error: %v", err)
+	}
+}

gsuite/config_test.go

@@ -5,7 +5,11 @@ import (
 	"time"
 
 	"github.com/hashicorp/terraform/helper/schema"
+	"os"
+	"encoding/json"
+	"fmt"
 	"github.com/pkg/errors"
+	"log"
 )
 
 var (
@@ -16,6 +20,27 @@ var (
 // Provider returns the actual provider instance.
 func Provider() *schema.Provider {
 	return &schema.Provider{
+		Schema: map[string]*schema.Schema{
+			"credentials": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+				DefaultFunc: schema.MultiEnvDefaultFunc([]string{
+					"GOOGLE_CREDENTIALS",
+					"GOOGLE_CLOUD_KEYFILE_JSON",
+					"GCLOUD_KEYFILE_JSON",
+				}, nil),
+				ValidateFunc: validateCredentials,
+			},
+			"impersonated_user_email": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"oauth_scopes": &schema.Schema{
+				Type:     schema.TypeSet,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+				Optional: true,
+			},
+		},
 		ResourcesMap: map[string]*schema.Resource{
 			"gsuite_group": resourceGroup(),
 			"gsuite_user": resourceUser(),
@@ -26,18 +51,51 @@ func Provider() *schema.Provider {
 	}
 }
 
-// providerConfigure configures the provider. Normally this would use schema
-// data from the provider, but the provider loads all its configuration from the
-// environment, so we just tell the config to load.
+func oauthScopesFromConfigOrDefault(oauthScopesSet *schema.Set) []string {
+	oauthScopes := convertStringSet(oauthScopesSet)
+	if len(oauthScopes) == 0 {
+		log.Printf("[INFO] No Oauth Scopes provided. Using default oauth scopes.")
+		oauthScopes = defaultOauthScopes
+	}
+	return oauthScopes
+}
+
 func providerConfigure(d *schema.ResourceData) (interface{}, error) {
-	var c Config
-	if err := c.loadAndValidate(); err != nil {
+	credentials := d.Get("credentials").(string)
+	impersonatedUserEmail := d.Get("impersonated_user_email").(string)
+	oauthScopes := oauthScopesFromConfigOrDefault(d.Get("oauth_scopes").(*schema.Set))
+	config := Config{
+		Credentials: credentials,
+		ImpersonatedUserEmail: impersonatedUserEmail,
+		OauthScopes: oauthScopes,
+	}
+
+	if err := config.loadAndValidate(); err != nil {
 		return nil, errors.Wrap(err, "failed to load config")
 	}
-	return &c, nil
+
+	return &config, nil
 }
 
 // contextWithTimeout creates a new context with the global context timeout.
 func contextWithTimeout() (context.Context, func()) {
 	return context.WithTimeout(context.Background(), contextTimeout)
 }
+
+func validateCredentials(v interface{}, k string) (warnings []string, errors []error) {
+	if v == nil || v.(string) == "" {
+		return
+	}
+	creds := v.(string)
+	// if this is a path and we can stat it, assume it's ok
+	if _, err := os.Stat(creds); err == nil {
+		return
+	}
+	var account accountFile
+	if err := json.Unmarshal([]byte(creds), &account); err != nil {
+		errors = append(errors,
+			fmt.Errorf("credentials are not valid JSON '%s': %s", creds, err))
+	}
+
+	return
+}