fog-google 1.24.0 → 1.24.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 419c2fcd50b3c90ffe65c7a284bfc75479b1da059e0ea01b187a9f8f03721784
-  data.tar.gz: 470db0019a0de386752a1ca9c1a8cdb092e34037ef3e53a6a456a1ea033e6033
+  metadata.gz: 32fba42f750f2248b67a52b9c90e4ad74afeee359c7b8eec325de6e61e958e3d
+  data.tar.gz: 6b34cbc9704516e06f9dbff7a6cb37eb403acaefd06e5be5361bcad5e065ebc3
 SHA512:
-  metadata.gz: af159d5054ca5ceb4e391f8bbc019ad813c1e9163f11eeeb67dd3f57ccdfb157497d39451303210a7aa3e7b01f7295be937d445e97552f4fd8c9f1f42ca98c84
-  data.tar.gz: 00eb0b6200ad0fd56ea680e2dd1824548fe34d67da6e7469a872e27462281cf335f3aa23ede4956cea95433efa3e382c85c0ad60a732c0c96965b3830fac56f0
+  metadata.gz: 06b4ca2279ada450d5036ed62e54187bdb82172fb48873446929dd409b8c45ab1e2fb59f63bfdd1498e1d8917e7276ebc69a718ae7a6c188c8279fffe4eb36a1
+  data.tar.gz: 3f2201ff0d673c300b89d69ee228301afd660bc59bfdde91dcc1da48894798f9c64a6e9847c0818c8c32dcca1097ad33646966d484988c0959a7a0dd91b35678

data/CHANGELOG.md

@@ -7,6 +7,16 @@ This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html
 ## Next
 
 
+## 1.24.1
+
+### User-facing
+
+#### Fixed
+
+- #629 Fix IAM scope for storage requests [stanhu]
+
+## 1.24.0
+
 ### User-facing
 
 #### Added
@@ -16,7 +26,7 @@ This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html
 
 ### Development changes
 
-### Added
+#### Added
 
 - #618 Deprecated Ruby-2.0 support [temikus]
 - #624 Migrated the Integration tests to new ARC runners [temikus]

data/lib/fog/google/shared.rb

@@ -67,20 +67,21 @@ module Fog
           ::Google::Apis.logger.level = ::Logger::DEBUG
         end
 
-        auth = nil
+        initialize_auth(options).tap do |auth|
+          ::Google::Apis::RequestOptions.default.authorization = auth
+        end
+      end
 
+      def initialize_auth(options)
         if options[:google_json_key_location] || options[:google_json_key_string]
-          auth = process_key_auth(options)
+          process_key_auth(options)
         elsif options[:google_auth]
-          auth = options[:google_auth]
+          options[:google_auth]
         elsif options[:google_application_default]
-          auth = process_application_default_auth(options)
+          process_application_default_auth(options)
         else
-          auth = process_fallback_auth(options)
+          process_fallback_auth(options)
         end
-
-        ::Google::Apis::RequestOptions.default.authorization = auth
-        auth
       end
 
       ##

data/lib/fog/google/version.rb

@@ -1,5 +1,5 @@
 module Fog
   module Google
-    VERSION = "1.24.0".freeze
+    VERSION = "1.24.1".freeze
   end
 end

data/lib/fog/storage/google_json/real.rb

@@ -10,16 +10,12 @@ module Fog
 
         def initialize(options = {})
           shared_initialize(options[:google_project], GOOGLE_STORAGE_JSON_API_VERSION, GOOGLE_STORAGE_JSON_BASE_URL)
+          @options = options.dup
           options[:google_api_scope_url] = GOOGLE_STORAGE_JSON_API_SCOPE_URLS.join(" ")
           @host = options[:host] || "storage.googleapis.com"
 
           # TODO(temikus): Do we even need this client?
           @client = initialize_google_client(options)
-          # IAM client used for SignBlob API
-          @iam_service = ::Google::Apis::IamcredentialsV1::IAMCredentialsService.new
-          apply_client_options(@iam_service, {
-                                 google_api_scope_url: GOOGLE_STORAGE_JSON_IAM_API_SCOPE_URLS.join(" ")
-                               })
 
           @storage_json = ::Google::Apis::StorageV1::StorageService.new
           apply_client_options(@storage_json, options)
@@ -141,6 +137,18 @@ DATA
           return key.sign(digest, string_to_sign)
         end
 
+        # IAM client used for SignBlob API.
+        # Lazily initialize this since it requires another authorization request.
+        def iam_service
+          return @iam_service if defined?(@iam_service)
+
+          @iam_service = ::Google::Apis::IamcredentialsV1::IAMCredentialsService.new
+          apply_client_options(@iam_service, @options)
+          iam_options = @options.merge(google_api_scope_url: GOOGLE_STORAGE_JSON_IAM_API_SCOPE_URLS.join(" "))
+          @iam_service.authorization = initialize_auth(iam_options)
+          @iam_service
+        end
+
         ##
         # Fallback URL signer using the IAM SignServiceAccountBlob API, see
         #   Google::Apis::IamcredentialsV1::IAMCredentialsService#sign_service_account_blob
@@ -162,7 +170,7 @@ DATA
           )
 
           resource = "projects/-/serviceAccounts/#{google_access_id}"
-          response = @iam_service.sign_service_account_blob(resource, request)
+          response = iam_service.sign_service_account_blob(resource, request)
 
           return response.signed_blob
         end

data/lib/fog/storage/google_json.rb

@@ -29,7 +29,7 @@ module Fog
 
       # Version of IAM API used for blob signing, see Fog::Storage::GoogleJSON::Real#iam_signer
       GOOGLE_STORAGE_JSON_IAM_API_VERSION = "v1".freeze
-      GOOGLE_STORAGE_JSON_IAM_API_SCOPE_URLS = %w(https://www.googleapis.com/auth/devstorage.full_control).freeze
+      GOOGLE_STORAGE_JSON_IAM_API_SCOPE_URLS = %w(https://www.googleapis.com/auth/iam).freeze
 
       # TODO: Come up with a way to only request a subset of permissions.
       # https://cloud.google.com/storage/docs/json_api/v1/how-tos/authorizing

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fog-google
 version: !ruby/object:Gem::Version
-  version: 1.24.0
+  version: 1.24.1
 platform: ruby
 authors:
 - Nat Welch
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-04-08 00:00:00.000000000 Z
+date: 2024-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fog-core