From f29a0daa511eca2f29a1989f9ac0c3fe25c86bfa Mon Sep 17 00:00:00 2001
From: Brad Wadsworth
Date: Wed, 14 Sep 2022 10:52:56 -0500
Subject: [PATCH 1/2] Added alternative auth methods
Signed-off-by: Brad Wadsworth
---
 internal/clients/gke/gke.go | 36 ++++++++++++++++++++++++----
 internal/controller/object/object.go | 19 ++++++++++-----
 2 files changed, 45 insertions(+), 10 deletions(-)
diff --git a/internal/clients/gke/gke.go b/internal/clients/gke/gke.go
index 16aa2a4e..fc18a539 100644
--- a/internal/clients/gke/gke.go
+++ b/internal/clients/gke/gke.go
@@ -16,6 +16,7 @@ package gke
 import (
 "context"
+ "encoding/json"
 "net/http"
 "github.com/pkg/errors"
@@ -33,15 +34,42 @@ var DefaultScopes []string = []string{
 // WrapRESTConfig configures the supplied REST config to use OAuth2 bearer
 // tokens fetched using the supplied Google Application Credentials.
 func WrapRESTConfig(ctx context.Context, rc *rest.Config, credentials []byte, scopes ...string) error {
- creds, err := google.CredentialsFromJSON(ctx, credentials, scopes...)
- if err != nil {
- return errors.Wrap(err, "cannot load Google Application Credentials from JSON")
+ var ts oauth2.TokenSource
+ if credentials != nil {
+ if isJSON(credentials) {
+ // If credentials are in a JSON format, extract the credential from the JSON
+ // CredentialsFromJSON creates a TokenSource that handles token caching.
+ creds, err := google.CredentialsFromJSON(ctx, credentials, scopes...)
+ if err != nil {
+ return errors.Wrap(err, "cannot load Google Application Credentials from JSON")
+ }
+ ts = creds.TokenSource
+ } else {
+ // if the credential not in a JSON format, treat the credential as an access token
+ t := oauth2.Token{
+ AccessToken: string(credentials),
+ }
+ ts = oauth2.StaticTokenSource(&t)
+ }
+ } else {
+ var t *oauth2.Token
+ // DefaultTokenSource retrieves a token source from an injected identity.
+ gsrc, err := google.DefaultTokenSource(ctx, scopes...)
+ if err != nil {
+ return errors.Wrap(err, "failed to extract default credentials source")
+ }
+ ts = oauth2.ReuseTokenSource(t, gsrc)
 }
 // CredentialsFromJSON creates a TokenSource that handles token caching.
 rc.Wrap(func(rt http.RoundTripper) http.RoundTripper {
- return &oauth2.Transport{Source: creds.TokenSource, Base: rt}
+ return &oauth2.Transport{Source: ts, Base: rt}
 })
 return nil
 }
+
+func isJSON(b []byte) bool {
+ var js json.RawMessage
+ return json.Unmarshal(b, &js) == nil
 }
diff --git a/internal/controller/object/object.go b/internal/controller/object/object.go
index a15e3e7e..cfc0b5c9 100644
--- a/internal/controller/object/object.go
+++ b/internal/controller/object/object.go
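Review bot: The context comment `// CredentialsFromJSON creates a TokenSource that handles token caching.` left above `rc.Wrap` is now misleading, because `ts` may also be a `StaticTokenSource` wrapping raw bytes or the source returned by `google.DefaultTokenSource`; drop it there (the JSON branch already carries a copy) and extend the doc comment on WrapRESTConfig to say that nil credentials fall back to Application Default Credentials (environment variable, well-known file or metadata server, so on a non-GKE host this may not be the workload identity the caller expects) and that non-JSON bytes are sent verbatim as a bearer token that is never refreshed, so an expired token fails every request. `var t *oauth2.Token` followed by `oauth2.ReuseTokenSource(t, gsrc)` only ever passes nil, so `ts = oauth2.ReuseTokenSource(nil, gsrc)` says the same in one line. `if credentials != nil` routes an empty but non-nil slice into the static-token branch instead of the default source, so `if len(credentials) > 0 {` is probably the intended test, and the wrap string `"failed to extract default credentials source"` should drop the "failed to" prefix per Go convention, e.g. `"cannot load default Google credentials"`. If the raw token is read from a Kubernetes Secret it may end with a newline, which `string(credentials)` would place in the Authorization header unchanged; trimming with `bytes.TrimSpace` before building the token is worth considering, though the caller is not visible here.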
@@ -161,13 +161,20 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 // time of writing there's only one valid value (Google App Creds), and
 // that value is required.
 if id := pc.Spec.Identity; id != nil {
- creds, err := c.gcpExtractorFn(ctx, id.Source, c.kube, id.CommonCredentialSelectors)
- if err != nil {
- return nil, errors.Wrap(err, errFailedToExtractGoogleCredentials)
- }
+ switch id.Source { //nolint:exhaustive
+ case xpv1.CredentialsSourceInjectedIdentity:
+ if err := c.gcpInjectorFn(ctx, rc, nil, gke.DefaultScopes...); err != nil {
+ return nil, errors.Wrap(err, errFailedToInjectGoogleCredentials)
+ }
+ default:
+ creds, err := c.gcpExtractorFn(ctx, id.Source, c.kube, id.CommonCredentialSelectors)
+ if err != nil {
+ return nil, errors.Wrap(err, errFailedToExtractGoogleCredentials)
+ }
- if err := c.gcpInjectorFn(ctx, rc, creds, gke.DefaultScopes...); err != nil {
- return nil, errors.Wrap(err, errFailedToInjectGoogleCredentials)
+ if err := c.gcpInjectorFn(ctx, rc, creds, gke.DefaultScopes...); err != nil {
+ return nil, errors.Wrap(err, errFailedToInjectGoogleCredentials)
+ }
 }
 }
From 36aea5961972736e1192b06c0ae5663f4d9c165c Mon Sep 17 00:00:00 2001
From: Brad Wadsworth
Date: Thu, 15 Sep 2022 11:33:35 -0500
Subject: [PATCH 2/2] Added access token validation
Signed-off-by: Brad Wadsworth
---
 internal/clients/gke/gke.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/internal/clients/gke/gke.go b/internal/clients/gke/gke.go
index fc18a539..4fd38471 100644
--- a/internal/clients/gke/gke.go
+++ b/internal/clients/gke/gke.go
@@ -49,6 +49,9 @@ func WrapRESTConfig(ctx context.Context, rc *rest.Config, credentials []byte, sc
 t := oauth2.Token{
 AccessToken: string(credentials),
 }
+ if ok := t.Valid(); !ok {
+ return errors.New("Access token invalid")
+ }
 ts = oauth2.StaticTokenSource(&t)
 }
 } else {
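Review bot: The context comment ending just above the new `switch` (`// time of writing there's only one valid value (Google App Creds), and // that value is required.`) is now false, since `xpv1.CredentialsSourceInjectedIdentity` is a second accepted source that hands `nil` credentials to `gcpInjectorFn`; replace it with `// InjectedIdentity passes nil credentials so the GKE client falls back to Application Default Credentials; any other source is extracted with gcpExtractorFn first.` The comment starts above the hunk and Connect continues outside it. Whether the `default` arm should reject sources for which extraction makes no sense rather than forwarding them is not visible from this hunk and is worth confirming against gcpExtractorFn.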
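Review bot: `t.Valid()` on a token with a zero `Expiry` only checks that `AccessToken` is non-empty (oauth2.Token.Valid reports non-nil, non-empty access token and not expired, and a zero expiry never counts as expired), so the added guard rejects empty input but does not validate the token against the provider; the commit subject's "validation" overstates this, and a comment such as `// Valid only rejects an empty token here; a static token is never refreshed or checked upstream.` keeps the next reader from relying on it. The condition is more idiomatic as `if !t.Valid() {`, and the error string should be lowercase per Go convention: `return errors.New("access token invalid")`. WrapRESTConfig starts and ends outside this hunk.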