From 262d88a1a8f4a870cc8c95c4280a5ec1d0b15627 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= <kvch@users.noreply.github.com>
Date: Mon, 14 Sep 2020 15:23:30 +0200
Subject: [PATCH] Do not need Google credentials before using it (#21072)

This PR moves retrieving a GCP token to a later stage of running Functionbeat. From now on tokens are only needed when the operations require it.

Previously user was required to set a proper credentials file under `GOOGLE_APPLICATION_CREDENTIALS` environment variable regardless of the operation.

Closes #17329

(cherry picked from commit c2efa09dd19f5acf9aa2d3682b0e51e7953ff57e)
---
 CHANGELOG.next.asciidoc                       |  1 +
 .../functionbeat/manager/gcp/cli_manager.go   | 38 ++++++++++++++-----
 2 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 58d4d4efab8..926e70a814a 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -107,6 +107,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Functionbeat*
 
+- Do not need Google credentials if not required for the operation. {issue}17329[17329] {pull}21072[21072]
 
 ==== Added
 
diff --git a/x-pack/functionbeat/manager/gcp/cli_manager.go b/x-pack/functionbeat/manager/gcp/cli_manager.go
index f0cf31cc301..d286f1e465a 100644
--- a/x-pack/functionbeat/manager/gcp/cli_manager.go
+++ b/x-pack/functionbeat/manager/gcp/cli_manager.go
@@ -76,14 +76,19 @@ func (c *CLIManager) deploy(update bool, name string) error {
 	executer.Add(newOpEnsureBucket(c.log, c.config))
 	executer.Add(newOpUploadToBucket(c.log, c.config, name, functionData.raw))
 
+	token, err := c.getTokenSrc()
+	if err != nil {
+		return err
+	}
+
 	ctx := &functionContext{}
 	if update {
-		executer.Add(newOpUpdateFunction(ctx, c.log, c.tokenSrc, functionData.function.Name, functionData.function))
+		executer.Add(newOpUpdateFunction(ctx, c.log, token, functionData.function.Name, functionData.function))
 	} else {
-		executer.Add(newOpCreateFunction(ctx, c.log, c.tokenSrc, c.location, name, functionData.function))
+		executer.Add(newOpCreateFunction(ctx, c.log, token, c.location, name, functionData.function))
 	}
 
-	executer.Add(newOpWaitForFunction(ctx, c.log, c.tokenSrc))
+	executer.Add(newOpWaitForFunction(ctx, c.log, token))
 
 	if err := executer.Execute(nil); err != nil {
 		if rollbackErr := executer.Rollback(nil); rollbackErr != nil {
@@ -104,9 +109,14 @@ func (c *CLIManager) Remove(name string) error {
 		return err
 	}
 
+	token, err := c.getTokenSrc()
+	if err != nil {
+		return err
+	}
+
 	ctx := &functionContext{}
 	executer := executor.NewExecutor(c.log)
-	executer.Add(newOpDeleteFunction(ctx, c.log, c.location, functionData.function.Name, c.tokenSrc))
+	executer.Add(newOpDeleteFunction(ctx, c.log, c.location, functionData.function.Name, token))
 	executer.Add(newOpDeleteFromBucket(c.log, c.config, name))
 
 	if err := executer.Execute(nil); err != nil {
@@ -151,6 +161,20 @@ func (c *CLIManager) Package(outputPattern string) error {
 	return nil
 }
 
+func (c *CLIManager) getTokenSrc() (oauth2.TokenSource, error) {
+	if c.tokenSrc != nil {
+		return c.tokenSrc, nil
+	}
+
+	var err error
+	c.tokenSrc, err = google.DefaultTokenSource(context.Background(), "https://www.googleapis.com/auth/cloud-platform")
+	if err != nil {
+		return nil, fmt.Errorf("error while creating CLIManager: %+v", err)
+	}
+
+	return c.tokenSrc, nil
+}
+
 // NewCLI returns the interface to manage functions on Google Cloud Platform.
 func NewCLI(
 	log *logp.Logger,
@@ -173,16 +197,10 @@ func NewCLI(
 
 	location := fmt.Sprintf(locationTemplate, config.ProjectID, config.Location)
 
-	tokenSrc, err := google.DefaultTokenSource(context.TODO(), "https://www.googleapis.com/auth/cloud-platform")
-	if err != nil {
-		return nil, fmt.Errorf("error while creating CLIManager: %+v", err)
-	}
-
 	return &CLIManager{
 		config:          config,
 		log:             logp.NewLogger("gcp"),
 		location:        location,
-		tokenSrc:        tokenSrc,
 		templateBuilder: templateBuilder,
 	}, nil
 }