Support for YubiKey private key storage

2026-06-29 18:31:38 +00:00 · 2021-02-11 16:38:19 +00:00
parent bf4a6e6cde
commit f74168e2c7
4 changed files with 92 additions and 8 deletions
--- a/src/gam/auth/init.py
+++ b/src/gam/auth/init.py
@@ -5,7 +5,9 @@ import os

 from google.auth.jwt import Credentials as JWTCredentials

+import gam
 from gam.auth import oauth
+from gam.auth import yubikey
 from gam.var import _FN_OAUTH2_TXT
 from gam.var import _FN_OAUTH2SERVICE_JSON
 from gam.var import GC_OAUTH2_TXT
@@ -36,10 +38,17 @@ def get_admin_credentials(api=None):
    with open(credential_file, 'r') as f:
        creds_data = json.load(f)
    # Validate that enable DASA matches content of authorization file
-    if GC_Values[GC_ENABLE_DASA] and 'private_key' in creds_data:
+    if GC_Values[GC_ENABLE_DASA] and 'private_key_id' in creds_data:
        audience = f'https://{api}.googleapis.com/'
-        return JWTCredentials.from_service_account_info(creds_data,
-                                                        audience=audience)
+        key_type = creds_data.get('key_type', 'default')
+        if key_type == 'default':
+            return JWTCredentials.from_service_account_info(creds_data,
+                                                            audience=audience)
+        elif key_type == 'yubikey':
+            yksigner = yubikey.YubiKey(creds_data)
+            return JWTCredentials._from_signer_and_info(yksigner,
+                creds_data,
+                audience=audience)
    elif not GC_Values[GC_ENABLE_DASA] and 'token' in creds_data:
        return oauth.Credentials.from_credentials_file(credential_file)
    else: