GO-2024-3350: WhoDB Allows Unbounded Memory Consumption in Authentication Middleware Can Lead to Denial of Service in github.com/clidey/whodb/core

gcp

package

v0.0.0-...-44099a2 Latest Latest Go to latest Published: May 28, 2026 License: Apache-2.0 Imports: 17 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/clidey/whodb

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func GenerateCloudSQLIAMAuthToken(ctx context.Context, serviceAccountKeyPath, username string) (string, error)
func HandleGCPError(err error) error
type AuthMethod
type GCPConfig
- func LoadGCPConfig(ctx context.Context, creds *engine.Credentials) (*GCPConfig, error)
type GCPCredentialConfig
- func ParseFromWhoDB(creds *engine.Credentials) (*GCPCredentialConfig, error)
- func (c *GCPCredentialConfig) IsServiceAccountKeyAuth() bool
- func (c *GCPCredentialConfig) Validate() error
type LocalProject
- func DiscoverLocalProjects() ([]LocalProject, error)
type Region
- func GetRegions() []Region

Constants ¶

View Source

const (
	AdvancedKeyAuthMethod            = "Auth Method"
	AdvancedKeyServiceAccountKeyPath = "Service Account Key Path"
	AdvancedKeyProjectID             = "Project ID"
)

Variables ¶

View Source

var (
	ErrPermissionDenied              = errors.New("permission denied: check IAM permissions for this operation")
	ErrInvalidCredentials            = errors.New("invalid GCP credentials: check service account key or application default credentials")
	ErrProjectNotFound               = errors.New("project not found: check the project ID")
	ErrServiceDisabled               = errors.New("API not enabled: enable the required API in the Google Cloud Console")
	ErrQuotaExceeded                 = errors.New("quota exceeded: too many requests, try again later")
	ErrServiceUnavailable            = errors.New("GCP service temporarily unavailable: try again later")
	ErrResourceNotFound              = errors.New("resource not found: check the resource name and region")
	ErrConnectionFailed              = errors.New("connection failed: check network connectivity and endpoint")
	ErrRegionRequired                = errors.New("GCP region is required")
	ErrProjectIDRequired             = errors.New("GCP project ID is required")
	ErrServiceAccountKeyPathRequired = errors.New("service account key auth requires a key file path")
	ErrInvalidAuthMethod             = errors.New("invalid auth method: must be one of: default, service-account-key")
	ErrGCPProviderDisabled           = errors.New("GCP provider is disabled")
)

Functions ¶

func GenerateCloudSQLIAMAuthToken ¶

func GenerateCloudSQLIAMAuthToken(ctx context.Context, serviceAccountKeyPath, username string) (string, error)

GenerateCloudSQLIAMAuthToken generates an OAuth2 access token for Cloud SQL IAM database authentication. The access token is used directly as the database password.

If serviceAccountKeyPath is non-empty, credentials are loaded from that file. Otherwise, Application Default Credentials are used.

See: https://cloud.google.com/sql/docs/mysql/iam-authentication

func HandleGCPError ¶

func HandleGCPError(err error) error

HandleGCPError maps GCP SDK errors to user-friendly messages. Handles both REST API errors (googleapi.Error) and gRPC errors (status.Status).

Types ¶

type AuthMethod ¶

type AuthMethod string

AuthMethod defines how to authenticate with Google Cloud.

const (
	// AuthMethodDefault uses Application Default Credentials (ADC).
	// This automatically handles: GOOGLE_APPLICATION_CREDENTIALS env var,
	// gcloud CLI credentials, GCE/GKE metadata server, etc.
	AuthMethodDefault AuthMethod = "default"

	// AuthMethodServiceAccountKey uses an explicit service account JSON key file.
	AuthMethodServiceAccountKey AuthMethod = "service-account-key"
)

type GCPConfig ¶

type GCPConfig struct {
	ProjectID string
	Region    string
	Options   []option.ClientOption
}

GCPConfig holds the resolved GCP configuration for creating service clients. Unlike AWS which returns a single aws.Config, GCP SDK uses option.ClientOption slices passed to each service client constructor.

func LoadGCPConfig ¶

func LoadGCPConfig(ctx context.Context, creds *engine.Credentials) (*GCPConfig, error)

LoadGCPConfig creates a GCP SDK configuration from WhoDB credentials. This is the primary entry point for GCP plugins.

type GCPCredentialConfig ¶

type GCPCredentialConfig struct {
	ProjectID             string
	Region                string
	AuthMethod            AuthMethod
	ServiceAccountKeyPath string
}

GCPCredentialConfig holds parsed GCP configuration extracted from WhoDB credentials.

func ParseFromWhoDB ¶

func ParseFromWhoDB(creds *engine.Credentials) (*GCPCredentialConfig, error)

ParseFromWhoDB extracts GCP configuration from WhoDB credentials. Returns an error if required fields are missing or invalid.

func (*GCPCredentialConfig) IsServiceAccountKeyAuth ¶

func (c *GCPCredentialConfig) IsServiceAccountKeyAuth() bool

IsServiceAccountKeyAuth returns true if using explicit service account key authentication.

func (*GCPCredentialConfig) Validate ¶

func (c *GCPCredentialConfig) Validate() error

Validate checks that the configuration is valid for the selected auth method.

type LocalProject ¶

type LocalProject struct {
	ProjectID string
	Name      string
	Source    string // "environment", "gcloud-config", "service-account"
	IsDefault bool
}

LocalProject represents a GCP project discovered from local configuration.

func DiscoverLocalProjects ¶

func DiscoverLocalProjects() ([]LocalProject, error)

DiscoverLocalProjects scans environment variables and gcloud CLI configuration for available GCP projects.

type Region ¶

type Region struct {
	ID          string
	Description string
}

Region represents a GCP region.

func GetRegions ¶

func GetRegions() []Region

GetRegions returns the list of GCP regions. Based on https://cloud.google.com/about/locations

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL