support GCP Workload Identity Federation for CI

Add support for authenticating with Google Cloud using Workload Identity
Federation in addition to traditional service account keys. This enables
GitHub Actions and other federated identity providers to authenticate
without requiring service account key files.

Author: jordanstephens

src/pkg/clouds/gcp/account.go

@@ -6,7 +6,8 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"log"
+	"net/http"
+	"regexp"
 	"strings"
 
 	"golang.org/x/oauth2/google"
@@ -19,45 +20,102 @@ func (gcp Gcp) GetCurrentAccountEmail(ctx context.Context) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	content := struct {
-		ClientEmail string `json:"client_email"`
-	}{}
 
-	json.Unmarshal(creds.JSON, &content)
-	if content.ClientEmail != "" {
-		return content.ClientEmail, nil
+	// Unmarshal creds.JSON into a struct that includes both possible fields
+	var key struct {
+		ClientEmail                    string `json:"client_email"`
+		Type                           string `json:"type"`
+		ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
+	}
+	err = json.Unmarshal(creds.JSON, &key)
+	if err == nil {
+		if key.Type == "external_account" {
+			return parseServiceAccountFromURL(key.ServiceAccountImpersonationURL)
+		}
+		if key.Type == "impersonated_service_account" {
+			return parseServiceAccountFromURL(key.ServiceAccountImpersonationURL)
+		}
+		if key.ClientEmail != "" {
+			return key.ClientEmail, nil
+		}
 	}
 
+	// Fallback: get token and try to extract email
 	token, err := creds.TokenSource.Token()
 	if err != nil {
 		return "", fmt.Errorf("failed to retrieve token: %w", err)
 	}
-	idToken, ok := token.Extra("id_token").(string)
-	if !ok {
-		return "", errors.New("failed to retrieve ID token")
+
+	// Try to extract email from id_token if present
+	if idToken, ok := token.Extra("id_token").(string); ok && idToken != "" {
+		if email, err := extractEmailFromIDToken(idToken); err == nil && email != "" {
+			return email, nil
+		}
 	}
 
-	// Split the ID token into its 3 parts: header, payload, and signature
+	// Last resort: query tokeninfo endpoint
+	return getEmailFromToken(ctx, token.AccessToken)
+}
+
+func extractEmailFromIDToken(idToken string) (string, error) {
+	// JWT format: header.payload.signature
 	parts := strings.Split(idToken, ".")
-	if len(parts) != 3 {
-		log.Fatalf("invalid ID token format")
+	if len(parts) < 2 {
+		return "", errors.New("invalid id_token format")
 	}
 
-	// Decode and Parse the payload
+	// Decode the payload (second part)
 	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
 	if err != nil {
-		log.Fatalf("failed to decode payload: %v", err)
+		return "", fmt.Errorf("failed to decode id_token payload: %w", err)
 	}
-	claims := struct {
+
+	var claims struct {
 		Email string `json:"email"`
-	}{}
+	}
 	if err := json.Unmarshal(payload, &claims); err != nil {
-		log.Fatalf("failed to unmarshal payload: %v", err)
+		return "", fmt.Errorf("failed to unmarshal id_token claims: %w", err)
+	}
+
+	return claims.Email, nil
+}
+
+func parseServiceAccountFromURL(url string) (string, error) {
+	// URL format: https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/EMAIL:generateAccessToken
+	re := regexp.MustCompile(`serviceAccounts/([^:]+):`)
+	matches := re.FindStringSubmatch(url)
+	if len(matches) > 1 {
+		return matches[1], nil
+	}
+	return "", fmt.Errorf("unable to parse service account from URL: %s", url)
+}
+
+func getEmailFromToken(ctx context.Context, accessToken string) (string, error) {
+	url := "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=" + accessToken
+
+	req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
+	if err != nil {
+		return "", err
+	}
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	var tokenInfo struct {
+		Email         string `json:"email"`
+		VerifiedEmail bool   `json:"verified_email"`
+	}
+
+	if err := json.NewDecoder(resp.Body).Decode(&tokenInfo); err != nil {
+		return "", err
 	}
 
-	if claims.Email != "" {
-		return claims.Email, nil
+	if tokenInfo.Email == "" {
+		return "", errors.New("no email found in token info")
 	}
 
-	return "", nil // Should this be an error?
+	return tokenInfo.Email, nil
 }

src/pkg/clouds/gcp/account_test.go

@@ -2,6 +2,9 @@ package gcp
 
 import (
 	"context"
+	"encoding/base64"
+	"errors"
+	"fmt"
 	"testing"
 
 	"golang.org/x/oauth2"
@@ -55,4 +58,161 @@ func TestGetCurrentAccountEmail(t *testing.T) {
 			t.Errorf("expected email to be %s, got %s", expected, email)
 		}
 	})
+
+	t.Run("External account with service account impersonation", func(t *testing.T) {
+		FindGoogleDefaultCredentials = func(ctx context.Context, scopes ...string) (*google.Credentials, error) {
+			return &google.Credentials{
+				JSON: []byte(`{
+				"type": "external_account",
+				"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/1234567890/serviceAccounts/[email protected]:generateAccessToken"
+			}`),
+			}, nil
+		}
+		var gcp Gcp
+		email, err := gcp.GetCurrentAccountEmail(context.Background())
+		if err != nil {
+			t.Errorf("unexpected error: %v", err)
+		}
+		expected := "[email protected]"
+		if email != expected {
+			t.Errorf("expected email to be %s, got %s", expected, email)
+		}
+	})
+
+	t.Run("Error getting credentials", func(t *testing.T) {
+		FindGoogleDefaultCredentials = func(ctx context.Context, scopes ...string) (*google.Credentials, error) {
+			return nil, errors.New("no credentials found")
+		}
+		var gcp Gcp
+		_, err := gcp.GetCurrentAccountEmail(context.Background())
+		if err == nil {
+			t.Error("expected error but got none")
+		}
+	})
+
+	t.Run("Token error", func(t *testing.T) {
+		FindGoogleDefaultCredentials = func(ctx context.Context, scopes ...string) (*google.Credentials, error) {
+			return &google.Credentials{
+				JSON:        []byte(`{}`),
+				TokenSource: &MockTokenSourceWithError{},
+			}, nil
+		}
+		var gcp Gcp
+		_, err := gcp.GetCurrentAccountEmail(context.Background())
+		if err == nil {
+			t.Error("expected error but got none")
+		}
+	})
+
+	t.Run("Invalid JSON in credentials", func(t *testing.T) {
+		token := &oauth2.Token{AccessToken: "test-token"}
+		FindGoogleDefaultCredentials = func(ctx context.Context, scopes ...string) (*google.Credentials, error) {
+			return &google.Credentials{
+				JSON:        []byte(`invalid json`),
+				TokenSource: &MockTokenSource{token: token},
+			}, nil
+		}
+		var gcp Gcp
+		_, err := gcp.GetCurrentAccountEmail(context.Background())
+		if err == nil {
+			t.Error("expected error but got none")
+		}
+	})
+}
+
+type MockTokenSourceWithError struct{}
+
+func (m *MockTokenSourceWithError) Token() (*oauth2.Token, error) {
+	return nil, errors.New("token error")
+}
+
+func TestExtractEmailFromIDToken(t *testing.T) {
+	t.Run("Valid ID token", func(t *testing.T) {
+		header := `{"typ":"JWT","alg":"HS256"}`
+		payload := `{"email":"[email protected]"}`
+		idToken := encodeJWT(header, payload)
+		email, err := extractEmailFromIDToken(idToken)
+		if err != nil {
+			t.Errorf("unexpected error: %v", err)
+		}
+		expected := "[email protected]"
+		if email != expected {
+			t.Errorf("expected email to be %s, got %s", expected, email)
+		}
+	})
+
+	t.Run("Invalid token format", func(t *testing.T) {
+		idToken := "invalid.token"
+		_, err := extractEmailFromIDToken(idToken)
+		if err == nil {
+			t.Error("expected error but got none")
+		}
+	})
+
+	t.Run("Invalid base64 payload", func(t *testing.T) {
+		idToken := "header.invalid_base64.signature"
+		_, err := extractEmailFromIDToken(idToken)
+		if err == nil {
+			t.Error("expected error but got none")
+		}
+	})
+
+	t.Run("Invalid JSON payload", func(t *testing.T) {
+		idToken := encodeJWT("header", "invalid json")
+		_, err := extractEmailFromIDToken(idToken)
+		if err == nil {
+			t.Error("expected error but got none")
+		}
+	})
+
+	t.Run("Empty email in token", func(t *testing.T) {
+		// JWT with payload: {"email":""}
+		header := `{"typ":"JWT","alg":"HS256"}`
+		payload := `{"email":""}`
+		idToken := encodeJWT(header, payload)
+		email, err := extractEmailFromIDToken(idToken)
+		if err != nil {
+			t.Errorf("unexpected error: %v", err)
+		}
+		if email != "" {
+			t.Errorf("expected empty email, got %s", email)
+		}
+	})
+}
+
+func TestParseServiceAccountFromURL(t *testing.T) {
+	t.Run("Valid service account URL", func(t *testing.T) {
+		url := "https://iamcredentials.googleapis.com/v1/projects/123456789/serviceAccounts/[email protected]:generateAccessToken"
+		email, err := parseServiceAccountFromURL(url)
+		if err != nil {
+			t.Errorf("unexpected error: %v", err)
+		}
+		expected := "[email protected]"
+		if email != expected {
+			t.Errorf("expected email to be %s, got %s", expected, email)
+		}
+	})
+
+	t.Run("Invalid URL format", func(t *testing.T) {
+		url := "https://invalidpath"
+		_, err := parseServiceAccountFromURL(url)
+		if err == nil {
+			t.Error("expected error but got none")
+		}
+	})
+
+	t.Run("URL without service account", func(t *testing.T) {
+		url := "https://iamcredentials.googleapis.com/v1/projects/123456789/notaserviceaccount"
+		_, err := parseServiceAccountFromURL(url)
+		if err == nil {
+			t.Error("expected error but got none")
+		}
+	})
+}
+
+func encodeJWT(header, payload string) string {
+	encode := func(s string) string {
+		return base64.RawURLEncoding.EncodeToString([]byte(s))
+	}
+	return fmt.Sprintf("%s.%s.signature", encode(header), encode(payload))
 }