GCP - generate RO credentials

keboola · Jan 13, 2025 · 7fdd5dd · 7fdd5dd
1 parent 4d5218b
commit 7fdd5dd
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 3 deletions.
diff --git a/src/Application.php b/src/Application.php
@@ -88,7 +88,7 @@ public function generateReadCredentials(): array
     {
         $sapi = $this->initSapi();
         /** @var string */
-        $backupId = $sapi->generateId();
+        $backupId = $this->config->getBackupId() !== '' ? $this->config->getBackupId() : $sapi->generateId();
         if ($this->config->isUserDefinedCredentials()) {
             $path = $this->config->getPath();
         } else {

diff --git a/src/Storages/GoogleCloudStorage.php b/src/Storages/GoogleCloudStorage.php
@@ -24,8 +24,56 @@ public function __construct(readonly GcsConfig $config, readonly LoggerInterface
 
     public function generateTempReadCredentials(string $backupId, string $path): array
     {
-        // @TODO
-        return [];
+        $credentials = new ServiceAccountCredentials(
+            'https://www.googleapis.com/auth/cloud-platform',
+            (array) json_decode($this->config->getJsonKey(), true),
+        );
+
+        $httpHandler = HttpHandlerFactory::build();
+        $authToken = $credentials->fetchAuthToken($httpHandler);
+
+        $sts = new CloudSecurityToken(new Google_Client([
+            'keyFile' => json_decode($this->config->getJsonKey(), true),
+        ]));
+        $request = new GoogleIdentityStsV1ExchangeTokenRequest();
+
+        $permissionOptions = [
+            'accessBoundary' => [
+                'accessBoundaryRules' => [
+                    [
+                        'availableResource' => sprintf(
+                            '//storage.googleapis.com/projects/_/buckets/%s',
+                            $this->config->getBucket(),
+                        ),
+                        'availablePermissions' => [
+                            'inRole:roles/storage.objectViewer',
+                        ],
+                        'availabilityCondition' => [
+                            'expression' => sprintf(
+                                'resource.name == \'projects/_/buckets/%s/objects/%s\'',
+                                $this->config->getBucket(),
+                                $path . 'signedUrls.json',
+                            ),
+                        ],
+                    ],
+                ],
+            ],
+        ];
+
+        $request->setOptions(urlencode(json_encode($permissionOptions, JSON_THROW_ON_ERROR)));
+        $request->setGrantType('urn:ietf:params:oauth:grant-type:token-exchange');
+        $request->setRequestedTokenType('urn:ietf:params:oauth:token-type:access_token');
+        $request->setSubjectToken($authToken['access_token']);
+        $request->setSubjectTokenType('urn:ietf:params:oauth:token-type:access_token');
+
+        $response = $sts->v1->token($request);
+
+        return [
+            'backupId' => $backupId,
+            'region' => $this->config->getRegion(),
+            'container' => $path,
+            'credentials' => $response,
+        ];
     }
 
     public function getBackup(Client $sapi, string $path): Backup