feat(client): Add Google's Identity-Aware-Proxy in client config

README.md

@@ -194,7 +194,7 @@ subdirectories are merged like so:
     - To clarify, this also means that you could not define `alerting.slack.webhook-url` in two files with different values. All files are merged into one before they are processed. This is by design.
 
 > 💡 You can also use environment variables in the configuration file (e.g. `$DOMAIN`, `${DOMAIN}`)
-> 
+>
 > See [examples/docker-compose-postgres-storage/config/config.yaml](.examples/docker-compose-postgres-storage/config/config.yaml) for an example.
 
 If you want to test it locally, see [Docker](#docker).
@@ -346,17 +346,19 @@ See [examples/docker-compose-postgres-storage](.examples/docker-compose-postgres
 In order to support a wide range of environments, each monitored endpoint has a unique configuration for
 the client used to send the request.
 
-| Parameter                     | Description                                                                | Default         |
-|:------------------------------|:---------------------------------------------------------------------------|:----------------|
-| `client.insecure`             | Whether to skip verifying the server's certificate chain and host name.    | `false`         |
-| `client.ignore-redirect`      | Whether to ignore redirects (true) or follow them (false, default).        | `false`         |
-| `client.timeout`              | Duration before timing out.                                                | `10s`           |
-| `client.dns-resolver`         | Override the DNS resolver using the format `{proto}://{host}:{port}`.      | `""`            |
-| `client.oauth2`               | OAuth2 client configuration.                                               | `{}`            |
-| `client.oauth2.token-url`     | The token endpoint URL                                                     | required `""`   |
-| `client.oauth2.client-id`     | The client id which should be used for the `Client credentials flow`       | required `""`   |
-| `client.oauth2.client-secret` | The client secret which should be used for the `Client credentials flow`   | required `""`   |
-| `client.oauth2.scopes[]`      | A list of `scopes` which should be used for the `Client credentials flow`. | required `[""]` |
+| Parameter                              | Description                                                                 | Default         |
+| :------------------------------------- | :-------------------------------------------------------------------------- | :-------------- |
+| `client.insecure`                      | Whether to skip verifying the server's certificate chain and host name.     | `false`         |
+| `client.ignore-redirect`               | Whether to ignore redirects (true) or follow them (false, default).         | `false`         |
+| `client.timeout`                       | Duration before timing out.                                                 | `10s`           |
+| `client.dns-resolver`                  | Override the DNS resolver using the format `{proto}://{host}:{port}`.       | `""`            |
+| `client.oauth2`                        | OAuth2 client configuration.                                                | `{}`            |
+| `client.oauth2.token-url`              | The token endpoint URL                                                      | required `""`   |
+| `client.oauth2.client-id`              | The client id which should be used for the `Client credentials flow`        | required `""`   |
+| `client.oauth2.client-secret`          | The client secret which should be used for the `Client credentials flow`    | required `""`   |
+| `client.oauth2.scopes[]`               | A list of `scopes` which should be used for the `Client credentials flow`.  | required `[""]` |
+| `client.identity-aware-proxy`          | Google Identity-Aware-Proxy client configuration.                           | `{}`            |
+| `client.identity-aware-proxy.audience` | The Identity-Aware-Proxy audience. (client-id of the IAP oauth2 credential) | required `""`   |
 
 > 📝 Some of these parameters are ignored based on the type of endpoint. For instance, there's no certificate involved
 in ICMP requests (ping), therefore, setting `client.insecure` to `true` for an endpoint of that type will not do anything.
@@ -409,6 +411,18 @@ endpoints:
       - "[STATUS] == 200"
 ```
 
+This example shows how you can use the `client.identity-aware-proxy` configuration to query a backend API with `Bearer token` using Google Identity-Aware-Proxy:
+```yaml
+endpoints:
+  - name: with-custom-iap
+    url: "https://my.iap.protected.app/health"
+    client:
+      identity-aware-proxy:
+        audience: "XXXXXXXX-XXXXXXXXXXXX.apps.googleusercontent.com"
+    conditions:
+      - "[STATUS] == 200"
+```
+> 📝 Note that Gatus will use the [gcloud default credentials](https://cloud.google.com/docs/authentication/application-default-credentials) within its environment to generate the token.
 
 ### Alerting
 Gatus supports multiple alerting providers, such as Slack and PagerDuty, and supports different alerts for each
@@ -1402,7 +1416,7 @@ See [examples/docker-compose-grafana-prometheus](.examples/docker-compose-grafan
 | `connectivity.checker.interval` | Interval at which to validate connectivity | `1m`          |
 
 While Gatus is used to monitor other services, it is possible for Gatus itself to lose connectivity to the internet.
-In order to prevent Gatus from reporting endpoints as unhealthy when Gatus itself is unhealthy, you may configure 
+In order to prevent Gatus from reporting endpoints as unhealthy when Gatus itself is unhealthy, you may configure
 Gatus to periodically check for internet connectivity.
 
 All endpoint executions are skipped while the connectivity checker deems connectivity to be down.
@@ -1420,7 +1434,7 @@ This feature allows you to retrieve endpoint statuses from a remote Gatus instan
 
 There are two main use cases for this:
 - You have multiple Gatus instances running on different machines, and you wish to visually expose the statuses through a single dashboard
-- You have one or more Gatus instances that are not publicly accessible (e.g. behind a firewall), and you wish to retrieve 
+- You have one or more Gatus instances that are not publicly accessible (e.g. behind a firewall), and you wish to retrieve
 
 This is an experimental feature. It may be removed or updated in a breaking manner at any time. Furthermore,
 there are known issues with this feature. If you'd like to provide some feedback, please write a comment in [#64](https://github.com/TwiN/gatus/issues/64).
@@ -1683,7 +1697,7 @@ endpoints:
     ssh:
       username: "username"
       password: "password"
-    body: | 
+    body: |
       {
         "command": "uptime"
       }
@@ -1741,7 +1755,7 @@ endpoints:
 ```
 
 > ⚠ The usage of the `[DOMAIN_EXPIRATION]` placeholder requires Gatus to send a request to the official IANA WHOIS service [through a library](https://github.com/TwiN/whois)
-and in some cases, a secondary request to a TLD-specific WHOIS server (e.g. `whois.nic.sh`). 
+and in some cases, a secondary request to a TLD-specific WHOIS server (e.g. `whois.nic.sh`).
 To prevent the WHOIS service from throttling your IP address if you send too many requests, Gatus will prevent you from
 using the `[DOMAIN_EXPIRATION]` placeholder on an endpoint with an interval of less than `5m`.
 
@@ -1873,7 +1887,7 @@ endpoints:
     url: "https://example.org"
 
   - name: anchor-example-2
-    <<: *defaults 
+    <<: *defaults
     group: example              # This will override the group defined in &defaults
     url: "https://example.com"
 
@@ -1952,10 +1966,10 @@ Where:
 - `{key}` has the pattern `<GROUP_NAME>_<ENDPOINT_NAME>` in which both variables have ` `, `/`, `_`, `,` and `.` replaced by `-`.
 
 
-##### How to change the color thresholds of the response time badge  
-To change the response time badges' threshold, a corresponding configuration can be added to an endpoint.   
-The values in the array correspond to the levels [Awesome, Great, Good, Passable, Bad]  
-All five values must be given in milliseconds (ms).  
+##### How to change the color thresholds of the response time badge
+To change the response time badges' threshold, a corresponding configuration can be added to an endpoint.
+The values in the array correspond to the levels [Awesome, Great, Good, Passable, Bad]
+All five values must be given in milliseconds (ms).
 
 ```
 endpoints:

client/config.go

@@ -13,6 +13,7 @@ import (
 
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/clientcredentials"
+	"google.golang.org/api/idtoken"
 )
 
 const (
@@ -23,6 +24,7 @@ var (
 	ErrInvalidDNSResolver        = errors.New("invalid DNS resolver specified. Required format is {proto}://{ip}:{port}")
 	ErrInvalidDNSResolverPort    = errors.New("invalid DNS resolver port")
 	ErrInvalidClientOAuth2Config = errors.New("invalid oauth2 configuration: must define all fields for client credentials flow (token-url, client-id, client-secret, scopes)")
+	ErrInvalidClientIAPConfig    = errors.New("invalid Identity-Aware-Proxy configuration: must define all fields for Google Identity-Aware-Proxy programmatic authentication (audience)")
 
 	defaultConfig = Config{
 		Insecure:       false,
@@ -58,6 +60,9 @@ type Config struct {
 	// See configureOAuth2 for more details.
 	OAuth2Config *OAuth2Config `yaml:"oauth2,omitempty"`
 
+	// IAPConfig is the Google Cloud Identity-Aware-Proxy configuration used for the client. (e.g. audience)
+	IAPConfig *IAPConfig `yaml:"identity-aware-proxy,omitempty"`
+
 	httpClient *http.Client
 }
 
@@ -76,6 +81,11 @@ type OAuth2Config struct {
 	Scopes       []string `yaml:"scopes"` // e.g. ["openid"]
 }
 
+// IAPConfig is the configuration for the Google Cloud Identity-Aware-Proxy
+type IAPConfig struct {
+	Audience string `yaml:"audience"` // e.g. "toto.apps.googleusercontent.com"
+}
+
 // ValidateAndSetDefaults validates the client configuration and sets the default values if necessary
 func (c *Config) ValidateAndSetDefaults() error {
 	if c.Timeout < time.Millisecond {
@@ -90,6 +100,9 @@ func (c *Config) ValidateAndSetDefaults() error {
 	if c.HasOAuth2Config() && !c.OAuth2Config.isValid() {
 		return ErrInvalidClientOAuth2Config
 	}
+	if c.HasIAPConfig() && !c.IAPConfig.isValid() {
+		return ErrInvalidClientIAPConfig
+	}
 	return nil
 }
 
@@ -130,6 +143,16 @@ func (c *Config) HasOAuth2Config() bool {
 	return c.OAuth2Config != nil
 }
 
+// HasIAPConfig returns true if the client has IAP configuration parameters
+func (c *Config) HasIAPConfig() bool {
+	return c.IAPConfig != nil
+}
+
+// isValid() returns true if the IAP configuration is valid
+func (c *IAPConfig) isValid() bool {
+	return len(c.Audience) > 0
+}
+
 // isValid() returns true if the OAuth2 configuration is valid
 func (c *OAuth2Config) isValid() bool {
 	return len(c.TokenURL) > 0 && len(c.ClientID) > 0 && len(c.ClientSecret) > 0 && len(c.Scopes) > 0
@@ -178,13 +201,56 @@ func (c *Config) getHTTPClient() *http.Client {
 				}
 			}
 		}
-		if c.HasOAuth2Config() {
+		if c.HasOAuth2Config() && c.HasIAPConfig() {
+			log.Println("[client][getHTTPClient] Error: Both Identity-Aware-Proxy and Oauth2 configuration are present.")
+		} else if c.HasOAuth2Config() {
 			c.httpClient = configureOAuth2(c.httpClient, *c.OAuth2Config)
+		} else if c.HasIAPConfig() {
+			c.httpClient = configureIAP(c.httpClient, *c.IAPConfig)
 		}
 	}
 	return c.httpClient
 }
 
+// validateIAPToken returns a boolean that will define if the google identity-aware-proxy token can be fetch
+// and if is it valid.
+func validateIAPToken(ctx context.Context, c IAPConfig) bool {
+	ts, err := idtoken.NewTokenSource(ctx, c.Audience)
+	if err != nil {
+		log.Println("[client][ValidateIAPToken] Claiming Identity token failed. error:", err.Error())
+		return false
+	}
+	tok, err := ts.Token()
+	if err != nil {
+		log.Println("[client][ValidateIAPToken] Get Identity-Aware-Proxy token failed. error:", err.Error())
+		return false
+	}
+	payload, err := idtoken.Validate(ctx, tok.AccessToken, c.Audience)
+	_ = payload
+	if err != nil {
+		log.Println("[client][ValidateIAPToken] Token Validation failed. error:", err.Error())
+		return false
+	}
+	return true
+}
+
+// configureIAP returns an HTTP client that will obtain and refresh Identity-Aware-Proxy tokens as necessary.
+// The returned Client and its Transport should not be modified.
+func configureIAP(httpClient *http.Client, c IAPConfig) *http.Client {
+	ctx := context.WithValue(context.Background(), oauth2.HTTPClient, httpClient)
+	if validateIAPToken(ctx, c) {
+		ts, err := idtoken.NewTokenSource(ctx, c.Audience)
+		if err != nil {
+			log.Println("[client][ConfigureIAP] Claiming Token Source failed. error:", err.Error())
+			return httpClient
+		}
+		client := oauth2.NewClient(ctx, ts)
+		client.Timeout = httpClient.Timeout
+		return client
+	}
+	return httpClient
+}
+
 // configureOAuth2 returns an HTTP client that will obtain and refresh tokens as necessary.
 // The returned Client and its Transport should not be modified.
 func configureOAuth2(httpClient *http.Client, c OAuth2Config) *http.Client {
@@ -195,5 +261,7 @@ func configureOAuth2(httpClient *http.Client, c OAuth2Config) *http.Client {
 		TokenURL:     c.TokenURL,
 	}
 	ctx := context.WithValue(context.Background(), oauth2.HTTPClient, httpClient)
-	return oauth2cfg.Client(ctx)
+	client := oauth2cfg.Client(ctx)
+	client.Timeout = httpClient.Timeout
+	return client
 }

go.mod

@@ -23,12 +23,15 @@ require (
 	golang.org/x/crypto v0.14.0
 	golang.org/x/net v0.17.0
 	golang.org/x/oauth2 v0.13.0
+	google.golang.org/api v0.148.0
 	gopkg.in/mail.v2 v2.3.1
 	gopkg.in/yaml.v3 v3.0.1
 	modernc.org/sqlite v1.26.0
 )
 
 require (
+	cloud.google.com/go/compute v1.23.0 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	github.com/andybalholm/brotli v1.0.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blend/go-sdk v1.20220411.3 // indirect
@@ -37,8 +40,11 @@ require (
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.1 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/klauspost/compress v1.16.7 // indirect
@@ -55,12 +61,16 @@ require (
 	github.com/rogpeppe/go-internal v1.11.0 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/tcplisten v1.0.0 // indirect
+	go.opencensus.io v0.24.0 // indirect
 	golang.org/x/image v0.11.0 // indirect
 	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/sync v0.4.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/tools v0.13.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20231012201019-e917dd12ba7a // indirect
+	google.golang.org/grpc v1.58.3 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	lukechampine.com/uint128 v1.2.0 // indirect