googleauth-extras 0.2.1 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ad8095b3525757ef2de9dc247ff7d0c73b33934e7499bcf014b6c4195584e263
-  data.tar.gz: d358b9edd0c828c64caade73dfdd5f005949b33701f5e6422ff46cd21f2e113f
+  metadata.gz: 29ad90b986d4915e183e4592f58eedff84badd6ee70900337981d3173f0c64b2
+  data.tar.gz: 0c69256ea700526a9891d9434338954fec778d99b6f3c927654739dd690f03dd
 SHA512:
-  metadata.gz: 7635394f3775d86163f9da920cba3f03f94c1081dbe8ca1c402190e1cb5a5f4539cc0068e17b4386e4724786fdbc7579eb737ee6806c92f45447d005f9152a2a
-  data.tar.gz: 07f10d26bbc5db9a065d72160b02cba39b506b49badb3826c99122ef05cbfefa76c87357f7d84ef1f5ff53f3870f65106f6d8c57d44def8375737697045bf5d2
+  metadata.gz: 9b3de1122f1a208f337134b30023fef63eb171c5ad3c888a8cc0cb81bc72aa5ae0d476f1c22ff659d4ce4637795ffff5ae1a5e07eee64dd68f9a5f887e9f02bb
+  data.tar.gz: 7eb79ba62b30a7b7a5cc2bab1d00f1079d19f57fd99df98ad52fec2d46d5e77eae781ddb50960c1832e77462e6b2e9d4c729e860db25610b2014432df6505f0d

data/.rubocop.yml

@@ -19,12 +19,18 @@ Layout/LineLength:
 Metrics/AbcSize:
   Enabled: false
 
+Metrics/CyclomaticComplexity:
+  Enabled: false
+
 Metrics/MethodLength:
-  Max: 20
+  Max: 30
 
 Metrics/ParameterLists:
   Enabled: false
 
+Metrics/PerceivedComplexity:
+  Enabled: false
+
 RSpec/ContextWording:
   Enabled: false
 
@@ -43,6 +49,9 @@ RSpec/MultipleMemoizedHelpers:
 RSpec/NamedSubject:
   Enabled: false
 
+RSpec/NestedGroups:
+  Max: 5
+
 Style/ModuleFunction:
   EnforcedStyle: extend_self
 

data/CHANGELOG.md

@@ -1,9 +1,21 @@
 # Release History
 
+0.4.0
+----------
+
+- Support setting a quota project. ([#11](https://github.com/persona-id/googleauth-extras/pull/11))
+
+- Update gemspec for new RuboCop settings. ([#12](https://github.com/persona-id/googleauth-extras/pull/12))
+
+0.3.0
+-----
+
+- Support impersonation with ID tokens. ([#9](https://github.com/persona-id/googleauth-extras/pull/9))
+
 0.2.1
 -----
 
-- Support signet 0.18.0 ([#7](https://github.com/persona-id/googleauth-extras/pull/7))
+- Support signet 0.18.0. ([#7](https://github.com/persona-id/googleauth-extras/pull/7))
 
 0.2.0
 -----

data/googleauth-extras.gemspec

@@ -30,9 +30,9 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_runtime_dependency 'addressable', '~> 2.8'
-  spec.add_runtime_dependency 'faraday', '>= 1.0', '< 3.0'
-  spec.add_runtime_dependency 'google-apis-iamcredentials_v1'
-  spec.add_runtime_dependency 'googleauth', '~> 1.3'
-  spec.add_runtime_dependency 'signet', '>= 0.17.0', '< 0.19.0'
+  spec.add_dependency 'addressable', '~> 2.8'
+  spec.add_dependency 'faraday', '>= 1.0', '< 3.0'
+  spec.add_dependency 'google-apis-iamcredentials_v1'
+  spec.add_dependency 'googleauth', '~> 1.3'
+  spec.add_dependency 'signet', '>= 0.17.0', '< 0.19.0'
 end

data/lib/google/auth/extras/identity_credential_refresh_patch.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Google
+  module Auth
+    module Extras
+      # This module fixes an issue with ID tokens not automatically refreshing
+      # because their expiration is encoded in the JWT.
+      module IdentityCredentialRefreshPatch
+        def update_token!(*)
+          super.tap do
+            self.expires_at = decoded_id_token['exp'] if id_token
+          end
+        end
+      end
+    end
+  end
+end

data/lib/google/auth/extras/impersonated_credential.rb

@@ -5,10 +5,17 @@ module Google
     module Extras
       # This credential impersonates a service account.
       class ImpersonatedCredential < Signet::OAuth2::Client
-        class MissingScope < StandardError; end
+        include IdentityCredentialRefreshPatch
+
+        attr_reader :quota_project_id
 
         # A credential that impersonates a service account.
         #
+        # The `email_address` of the service account to impersonate may be the exact
+        # same as the one represented in `base_credentials` for any desired situation
+        # but a handy usage is for going from and access token to an ID token (aka
+        # using `target_audience`).
+        #
         # @param base_credentials [Hash, String, Signet::OAuth2::Client]
         #   Credentials to use to impersonate the provided email address.
         #
@@ -19,22 +26,53 @@ module Google
         # @param email_address [String]
         #   Email of the service account to impersonate.
         #
+        # @param include_email [Boolean]
+        #   Include the service account email in the token. If set to true, the token will
+        #   contain email and email_verified claims.
+        #   Only supported when using a target_audience.
+        #
         # @param lifetime [String]
         #   The desired lifetime (in seconds) of the token before needing to be refreshed.
         #   Defaults to 1h, adjust as needed given a refresh is automatically performed
         #   when the token less than 60s of remaining life and refresh requires an
         #   additional API call.
+        #   Only supported when not using a target_audience.
+        #
+        # @param quota_project_id [String]
+        #   The project ID used for quota and billing. This project may be different from
+        #   the project used to create the credentials.
         #
         # @param scope [String, Array<String>]
         #   The OAuth 2 scopes to request. Can either be formatted as a comma seperated string or array.
+        #   Only supported when not using a target_audience.
+        #
+        # @param target_audience [String]
+        #   The audience for the token, such as the API or account that this token grants access to.
         #
         # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken
+        # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateIdToken
         # @see https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated#sa-credentials-permissions
+        # @see https://developers.google.com/identity/protocols/oauth2/scopes
         #
-        def initialize(email_address:, scope:, base_credentials: nil, delegate_email_addresses: nil, lifetime: nil)
-          super(scope: scope)
+        def initialize(
+          email_address:,
+          base_credentials: nil,
+          delegate_email_addresses: nil,
+          include_email: nil,
+          lifetime: nil,
+          quota_project_id: nil,
+          scope: nil,
+          target_audience: nil
+        )
+          super(client_id: target_audience, scope: scope, target_audience: target_audience)
 
-          raise MissingScope if self.scope.nil? || self.scope.empty?
+          if self.target_audience.nil? || self.target_audience.empty?
+            raise(ArgumentError, 'Must provide scope or target_audience') if self.scope.nil? || self.scope.empty?
+          elsif self.scope.nil? || self.scope.empty?
+            # no-op
+          else
+            raise ArgumentError, 'Must provide scope or target_audience, not both'
+          end
 
           @iam_credentials_service = Google::Apis::IamcredentialsV1::IAMCredentialsService.new.tap do |ics|
             ics.authorization = base_credentials if base_credentials
@@ -44,36 +82,81 @@ module Google
             transform_email_to_name(email)
           end
 
-          @impersonate_lifetime = lifetime
+          # This is true when target_audience is passed
+          if token_type == :id_token
+            @impersonate_include_email = include_email
+          elsif !include_email.nil?
+            raise ArgumentError, 'Can only provide include_email when using target_audience'
+          end
+
+          # This is true when scope is passed
+          if token_type == :access_token
+            @impersonate_lifetime = lifetime
+          elsif !lifetime.nil?
+            raise ArgumentError, 'Cannot provide lifetime when using target_audience'
+          end
 
           @impersonate_name = transform_email_to_name(email_address)
+
+          @quota_project_id = quota_project_id
         end
 
         def fetch_access_token(*)
-          access_token_request = Google::Apis::IamcredentialsV1::GenerateAccessTokenRequest.new(
-            scope: scope,
-          )
+          token_request = if token_type == :id_token
+                            Google::Apis::IamcredentialsV1::GenerateIdTokenRequest.new(
+                              audience: target_audience,
+                            )
+                          else
+                            Google::Apis::IamcredentialsV1::GenerateAccessTokenRequest.new(
+                              scope: scope,
+                            )
+                          end
 
           # The Google SDK doesn't like nil repeated values, but be careful with others as well.
-          access_token_request.delegates = @impersonate_delegates unless @impersonate_delegates.empty?
-          access_token_request.lifetime = @impersonate_lifetime unless @impersonate_lifetime.nil?
+          token_request.delegates = @impersonate_delegates unless @impersonate_delegates.empty?
+          if token_type == :id_token
+            token_request.include_email = @impersonate_include_email unless @impersonate_include_email.nil?
+          else
+            token_request.lifetime = @impersonate_lifetime unless @impersonate_lifetime.nil?
+          end
 
-          access_token_response = @iam_credentials_service.generate_service_account_access_token(@impersonate_name, access_token_request)
+          if token_type == :id_token
+            id_token_response = @iam_credentials_service.generate_service_account_id_token(@impersonate_name, token_request)
 
-          {
-            access_token: access_token_response.access_token,
-            expires_at: DateTime.rfc3339(access_token_response.expire_time).to_time,
-          }
+            {
+              id_token: id_token_response.token,
+            }
+          else
+            access_token_response = @iam_credentials_service.generate_service_account_access_token(@impersonate_name, token_request)
+
+            {
+              access_token: access_token_response.access_token,
+              expires_at: DateTime.rfc3339(access_token_response.expire_time).to_time,
+            }
+          end
         end
 
         def inspect
-          "#<#{self.class.name}" \
-            " @access_token=#{@access_token ? '[REDACTED]' : 'nil'}" \
-            " @expires_at=#{expires_at.inspect}" \
-            " @impersonate_delegates=#{@impersonate_delegates.inspect}" \
-            " @impersonate_lifetime=#{@impersonate_lifetime.inspect}" \
-            " @impersonate_name=#{@impersonate_name.inspect}" \
-            '>'
+          if token_type == :id_token
+            "#<#{self.class.name}" \
+              " @expires_at=#{expires_at.inspect}" \
+              " @id_token=#{@id_token ? '[REDACTED]' : 'nil'}" \
+              " @impersonate_delegates=#{@impersonate_delegates.inspect}" \
+              " @impersonate_include_email=#{@impersonate_include_email.inspect}" \
+              " @impersonate_name=#{@impersonate_name.inspect}" \
+              " @quota_project_id=#{@quota_project_id.inspect}" \
+              " @target_audience=#{@target_audience.inspect}" \
+              '>'
+          else
+            "#<#{self.class.name}" \
+              " @access_token=#{@access_token ? '[REDACTED]' : 'nil'}" \
+              " @expires_at=#{expires_at.inspect}" \
+              " @impersonate_delegates=#{@impersonate_delegates.inspect}" \
+              " @impersonate_lifetime=#{@impersonate_lifetime.inspect}" \
+              " @impersonate_name=#{@impersonate_name.inspect}" \
+              " @quota_project_id=#{@quota_project_id.inspect}" \
+              '>'
+          end
         end
 
         private

data/lib/google/auth/extras/static_credential.rb

@@ -7,17 +7,25 @@ module Google
       class StaticCredential < Signet::OAuth2::Client
         class AuthorizationExpired < StandardError; end
 
+        attr_reader :quota_project_id
+
         # A credential using a static access token.
         #
         # @param access_token [String]
         #   The access token to use.
         #
-        def initialize(access_token:)
+        # @param quota_project_id [String]
+        #   The project ID used for quota and billing. This project may be different from
+        #   the project used to create the credentials.
+        #
+        def initialize(access_token:, quota_project_id: nil)
           super(
             access_token: access_token,
             expires_at: TokenInfo.lookup_access_token(access_token).fetch('exp'),
             issued_at: nil,
           )
+
+          @quota_project_id = quota_project_id
         end
 
         def fetch_access_token(*)
@@ -28,7 +36,11 @@ module Google
         end
 
         def inspect
-          "#<#{self.class.name} @access_token=[REDACTED] @expires_at=#{expires_at.inspect}>"
+          "#<#{self.class.name}" \
+            ' @access_token=[REDACTED]' \
+            " @expires_at=#{expires_at.inspect}" \
+            " @quota_project_id=#{@quota_project_id.inspect}" \
+            '>'
         end
       end
     end

data/lib/google/auth/extras/version.rb

@@ -3,7 +3,7 @@
 module Google
   module Auth
     module Extras
-      VERSION = '0.2.1'
+      VERSION = '0.4.0'
     end
   end
 end

data/lib/google/auth/extras.rb

@@ -4,6 +4,7 @@ require 'date'
 require 'google/apis/iamcredentials_v1'
 require 'signet/oauth_2/client'
 
+require 'google/auth/extras/identity_credential_refresh_patch'
 require 'google/auth/extras/impersonated_credential'
 require 'google/auth/extras/static_credential'
 require 'google/auth/extras/token_info'
@@ -22,6 +23,11 @@ module Google
       # A credential that impersonates a service account. For usage with the
       # older style GCP Ruby SDKs from the google-apis-* gems.
       #
+      # The `email_address` of the service account to impersonate may be the exact
+      # same as the one represented in `base_credentials` for any desired situation
+      # but a handy usage is for going from and access token to an ID token (aka
+      # using `target_audience`).
+      #
       # @param base_credentials [Hash, String, Signet::OAuth2::Client]
       #   Credentials to use to impersonate the provided email address.
       #
@@ -32,28 +38,52 @@ module Google
       # @param email_address [String]
       #   Email of the service account to impersonate.
       #
+      # @param include_email [Boolean]
+      #   Include the service account email in the token. If set to true, the token will
+      #   contain email and email_verified claims.
+      #   Only supported when using a target_audience.
+      #
       # @param lifetime [String]
       #   The desired lifetime (in seconds) of the token before needing to be refreshed.
       #   Defaults to 1h, adjust as needed given a refresh is automatically performed
       #   when the token less than 60s of remaining life and refresh requires an
       #   additional API call.
+      #   Only supported when not using a target_audience.
+      #
+      # @param quota_project_id [String]
+      #   The project ID used for quota and billing. This project may be different from
+      #   the project used to create the credentials.
       #
       # @param scope [String, Array<String>]
-      #   The OAuth 2 scope(s) to request. Can either be formatted as a comma seperated string or array.
+      #   The OAuth 2 scopes to request. Can either be formatted as a comma seperated string or array.
+      #   Only supported when not using a target_audience.
       #
       # @return [Google::Auth::Extras::ImpersonatedCredential]
       #
       # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken
+      # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateIdToken
       # @see https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated#sa-credentials-permissions
       # @see https://developers.google.com/identity/protocols/oauth2/scopes
       #
-      def impersonated_authorization(email_address:, scope:, base_credentials: nil, delegate_email_addresses: nil, lifetime: nil)
+      def impersonated_authorization(
+        email_address:,
+        base_credentials: nil,
+        delegate_email_addresses: nil,
+        include_email: nil,
+        lifetime: nil,
+        quota_project_id: nil,
+        scope: nil,
+        target_audience: nil
+      )
         ImpersonatedCredential.new(
           base_credentials: base_credentials,
           delegate_email_addresses: delegate_email_addresses,
           email_address: email_address,
+          include_email: include_email,
           lifetime: lifetime,
+          quota_project_id: quota_project_id,
           scope: scope,
+          target_audience: target_audience,
         )
       end
 
@@ -70,29 +100,53 @@ module Google
       # @param email_address [String]
       #   Email of the service account to impersonate.
       #
+      # @param include_email [Boolean]
+      #   Include the service account email in the token. If set to true, the token will
+      #   contain email and email_verified claims.
+      #   Only supported when using a target_audience.
+      #
       # @param lifetime [String]
       #   The desired lifetime (in seconds) of the token before needing to be refreshed.
       #   Defaults to 1h, adjust as needed given a refresh is automatically performed
       #   when the token less than 60s of remaining life and refresh requires an
       #   additional API call.
+      #   Only supported when not using a target_audience.
+      #
+      # @param quota_project_id [String]
+      #   The project ID used for quota and billing. This project may be different from
+      #   the project used to create the credentials.
       #
       # @param scope [String, Array<String>]
-      #   The OAuth 2 scope(s) to request. Can either be formatted as a comma seperated string or array.
+      #   The OAuth 2 scopes to request. Can either be formatted as a comma seperated string or array.
+      #   Only supported when not using a target_audience.
       #
       # @return [Google::Auth::Credential<Google::Auth::Extras::ImpersonatedCredential>]
       #
       # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken
+      # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateIdToken
       # @see https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated#sa-credentials-permissions
       # @see https://developers.google.com/identity/protocols/oauth2/scopes
       #
-      def impersonated_credential(email_address:, scope:, base_credentials: nil, delegate_email_addresses: nil, lifetime: nil)
+      def impersonated_credential(
+        email_address:,
+        base_credentials: nil,
+        delegate_email_addresses: nil,
+        include_email: nil,
+        lifetime: nil,
+        quota_project_id: nil,
+        scope: nil,
+        target_audience: nil
+      )
         wrap_authorization(
           impersonated_authorization(
             base_credentials: base_credentials,
             delegate_email_addresses: delegate_email_addresses,
             email_address: email_address,
+            include_email: include_email,
             lifetime: lifetime,
+            quota_project_id: quota_project_id,
             scope: scope,
+            target_audience: target_audience,
           ),
         )
       end
@@ -103,10 +157,15 @@ module Google
       # @param token [String]
       #   The access token to use.
       #
+      # @param quota_project_id [String]
+      #   The project ID used for quota and billing. This project may be different from
+      #   the project used to create the credentials.
+      #
+      #
       # @return [Google::Auth::Extras::StaticCredential]
       #
-      def static_authorization(token)
-        StaticCredential.new(access_token: token)
+      def static_authorization(token, quota_project_id: nil)
+        StaticCredential.new(access_token: token, quota_project_id: quota_project_id)
       end
 
       # A credential using a static access token. For usage with the newer
@@ -115,14 +174,18 @@ module Google
       # @param token [String]
       #   The access token to use.
       #
+      # @param quota_project_id [String]
+      #   The project ID used for quota and billing. This project may be different from
+      #   the project used to create the credentials.
+      #
       # @return [Google::Auth::Credential<Google::Auth::Extras::StaticCredential>]
       #
-      def static_credential(token)
-        wrap_authorization(static_authorization(token))
+      def static_credential(token, quota_project_id: nil)
+        wrap_authorization(static_authorization(token, quota_project_id: quota_project_id))
       end
 
       # Take an authorization and turn it into a credential, primarily used
-      # for setting up both the old and new style SDK.s
+      # for setting up both the old and new style SDKs.
       #
       # @param client [Signet::OAuth2::Client]
       #   Authorization credential to wrap.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth-extras
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Persona Identities
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-09-06 00:00:00.000000000 Z
+date: 2024-08-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -113,6 +113,7 @@ files:
 - bin/setup
 - googleauth-extras.gemspec
 - lib/google/auth/extras.rb
+- lib/google/auth/extras/identity_credential_refresh_patch.rb
 - lib/google/auth/extras/impersonated_credential.rb
 - lib/google/auth/extras/static_credential.rb
 - lib/google/auth/extras/token_info.rb