[WIP] Refactor token source code into the token_source.go file

Author: cemakd

pkg/gce-cloud-provider/compute/gce-compute.go

@@ -164,12 +164,14 @@ func (cloud *CloudProvider) listDisksInternal(ctx context.Context, fields []goog
 	disks := []*computev1.Disk{}
 
 	// listing out regional disks in the region
+	klog.Infof("Getting regional disks for default project: %s", cloud.project)
 	rDisks, err := listRegionalDisksForProject(cloud.service, cloud.project, region, fields, filter)
 	if err != nil {
 		return nil, "", err
 	}
 	disks = append(disks, rDisks...)
 	for tProject, tService := range cloud.tenantServiceMap {
+		klog.Infof("Getting regional disks for tenant: %s", tProject)
 		rDisks, err := listRegionalDisksForProject(tService, tProject, region, fields, filter)
 		if err != nil {
 			return nil, "", err
@@ -178,12 +180,14 @@ func (cloud *CloudProvider) listDisksInternal(ctx context.Context, fields []goog
 	}
 
 	// listing out zonal disks in all zones of the region
+	klog.Infof("Getting zonal disks for default project: %s", cloud.project)
 	zDisks, err := listZonalDisksForProject(cloud.service, cloud.project, zones, fields, filter)
 	if err != nil {
 		return nil, "", err
 	}
 	disks = append(disks, zDisks...)
 	for tProject, tService := range cloud.tenantServiceMap {
+		klog.Infof("Getting zonal disks for tenant: %s", tProject)
 		zDisks, err := listZonalDisksForProject(tService, tProject, zones, fields, filter)
 		if err != nil {
 			return nil, "", err
@@ -913,6 +917,7 @@ func (cloud *CloudProvider) AttachDisk(ctx context.Context, project string, volK
 
 	service := cloud.service
 	if _, ok := cloud.tenantServiceMap[project]; ok {
+		klog.Infof("Using tenant service in AttachDisk for project: %s", project)
 		service = cloud.tenantServiceMap[project]
 	}
 	op, err := service.Instances.AttachDisk(project, instanceZone, instanceName, attachedDiskV1).Context(ctx).ForceAttach(forceAttach).Do()
@@ -1211,6 +1216,7 @@ func (cloud *CloudProvider) GetInstanceOrError(ctx context.Context, project, ins
 	klog.V(5).Infof("Getting instance %v from zone %v", instanceName, instanceZone)
 	service := cloud.service
 	if _, ok := cloud.tenantServiceMap[project]; ok {
+		klog.Infof("Using tenant service in GetInstanceOrError for project: %s", project)
 		service = cloud.tenantServiceMap[project]
 	}
 	instance, err := service.Instances.Get(project, instanceZone, instanceName).Do()

pkg/gce-cloud-provider/compute/gce.go

@@ -69,9 +69,6 @@ const (
 	// globalComputeParentPathFmt is the string format for the full path of global compute resource.
 	globalComputeParentPathFmt = "//compute.googleapis.com/projects/%s/global/%s/%d"
 
-	// tenantAuthenticationPathFmt is the string format for the full URL needed to generate an access token for tenants
-	tenantAuthenticationPathFmt = "https://preprod-gkeauth.sandbox.googleapis.com/v1/projects/%s/locations/%s/tenants/%s:generateTenantToken"
-
 	// gcpTagsRequestRateLimit is the tag request rate limit per second.
 	gcpTagsRequestRateLimit = 8
 
@@ -216,16 +213,24 @@ func CreateCloudProvider(ctx context.Context, vendorVersion string, configPath s
 					return
 				}
 
-				tenantTokenUrl := fmt.Sprintf(tenantAuthenticationPathFmt, tenantMeta.ProjectNumber, configFile.Global.Zone, tenantMeta.TenantName)
-				tokenSource := NewAltTokenSource(tenantTokenUrl, "")
-
-				testToken, err := tokenSource.Token()
+				region, err := common.GetRegionFromZones([]string{zone})
+				if err != nil {
+					klog.Errorf("error getting region from zone(%s): %v", zone, err)
+					return
+				}
+				tokenSource, err := NewTenantTokenSource(tenantMeta, region, configFile.Global.TokenURL, configFile.Global.TokenBody)
 				if err != nil {
-					klog.Errorf("error fetching initial token during test: %v", err.Error())
+					klog.Errorf("error during tenant token generation: %v", err.Error())
 				}
-				klog.Infof("Token type: %v", testToken.TokenType)
-				klog.Infof("Token access token: %v", testToken.AccessToken)
-				klog.Infof("%+v", testToken)
+
+				// testToken, err := tokenSource.Token()
+				// if err != nil {
+				// 	klog.Errorf("error fetching initial token during test: %v", err.Error())
+				// 	return
+				// }
+				// klog.Infof("Token type: %v", testToken.TokenType)
+				// klog.Infof("Token access token: %v", testToken.AccessToken)
+				// klog.Infof("%+v", testToken)
 
 				svc, err := createCloudService(ctx, vendorVersion, tokenSource, computeEndpoint, computeEnvironment)
 				if err != nil {

pkg/gce-cloud-provider/compute/token_source.go

@@ -18,11 +18,14 @@ package gcecloudprovider
 
 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
+	"strconv"
 	"strings"
 	"time"
 
 	"k8s.io/client-go/util/flowcontrol"
+	"sigs.k8s.io/gcp-compute-persistent-disk-csi-driver/pkg/gce-cloud-provider/compute/tenancy"
 
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
@@ -34,6 +37,8 @@ const (
 	tokenURLQPS = .05 // back off to once every 20 seconds when failing
 	// Maximum burst of requests to token URL before limiting.
 	tokenURLBurst = 3
+	// tenantAuthenticationPathFmt is the string format for the full URL needed to generate an access token for tenants
+	tenantAuthenticationPathFmt = "https://preprod-gkeauth.sandbox.googleapis.com/v1/projects/%s/locations/%s/tenants/%s:generateTenantToken"
 )
 
 // TODO(#276) add metrics around token requests once the driver integrates with Prometheus.
@@ -89,3 +94,84 @@ func NewAltTokenSource(tokenURL, tokenBody string) oauth2.TokenSource {
 	}
 	return oauth2.ReuseTokenSource(nil, a)
 }
+
+func NewTenantTokenSource(tenantMeta tenancy.Metadata, region, existingTokenURL, existingTokenBody string) (oauth2.TokenSource, error) {
+	tenantTokenUrl, err := getTenantTokenURL(tenantMeta, existingTokenURL)
+	if err != nil {
+		return nil, err
+	}
+	tenantTokenBody, err := getTenantTokenBody(tenantMeta, existingTokenBody)
+	if err != nil {
+		return nil, err
+	}
+	return NewAltTokenSource(tenantTokenUrl, tenantTokenBody), nil
+}
+
+func getTenantTokenURL(tenantMeta tenancy.Metadata, existingTokenURL string) (string, error) {
+	location := extractLocationFromTokenURL(existingTokenURL)
+	if location == "" {
+		return "", fmt.Errorf("could not extract location from existing token URL: %s", existingTokenURL)
+	}
+
+	tokenURLParts := strings.SplitN(existingTokenURL, "/projects/", 2)
+	if len(tokenURLParts) != 2 {
+		return "", fmt.Errorf("invalid existing token URL format: %s, cannot extract base URL", existingTokenURL)
+	}
+	baseURL := tokenURLParts[0]
+
+	// Format: {BASE_URL}/projects/{TENANT_PROJECT_NUMBER}/locations/{TENANT_LOCATION}/tenants/{TENANT_ID}:generateTenantToken
+	formatString := "%s/projects/%s/locations/%s/tenants/%s:generateTenantToken"
+	tokenURL := fmt.Sprintf(formatString, baseURL, tenantMeta.ProjectNumber, location, tenantMeta.TenantName)
+	return tokenURL, nil
+}
+
+// extractLocationFromTokenURL extracts the location from a GKE token URL.
+// Example input: https://gkeauth.googleapis.com/v1/projects/654321/locations/us-central1/clusters/example-cluster:generateToken
+// Returns: us-central1
+func extractLocationFromTokenURL(tokenURL string) string {
+	parts := strings.Split(tokenURL, "/")
+	for i, part := range parts {
+		if part == "locations" && i+1 < len(parts) {
+			return parts[i+1]
+		}
+	}
+	return ""
+}
+
+func getTenantTokenBody(tenantMeta tenancy.Metadata, existingTokenBody string) (string, error) {
+	// Check if the token body is a quoted JSON string
+	// Quoted example: "{\"projectNumber\":12345,\"clusterId\":\"example-cluster\"}"
+	// Non-quoted example: {"projectNumber":12345,"clusterId":"example-cluster"}
+	isQuoted := len(existingTokenBody) > 0 && existingTokenBody[0] == '"' && existingTokenBody[len(existingTokenBody)-1] == '"'
+
+	var jsonStr string
+	if isQuoted {
+		var err error
+		jsonStr, err = strconv.Unquote(existingTokenBody)
+		if err != nil {
+			return "", fmt.Errorf("error unquoting TokenBody: %v", err)
+		}
+	} else {
+		jsonStr = existingTokenBody
+	}
+
+	var bodyMap map[string]any
+
+	if err := json.Unmarshal([]byte(jsonStr), &bodyMap); err != nil {
+		return "", fmt.Errorf("error unmarshaling TokenBody: %v", err)
+	}
+
+	bodyMap["projectNumber"] = tenantMeta.ProjectNumber
+
+	newTokenBodyBytes, err := json.Marshal(bodyMap)
+	if err != nil {
+		return "", fmt.Errorf("error marshaling TokenBody: %v", err)
+	}
+
+	if isQuoted {
+		// Re-quote the JSON string if the original was quoted
+		return strconv.Quote(string(newTokenBodyBytes)), nil
+	}
+
+	return string(newTokenBodyBytes), nil
+}