googleauth-extras 0.3.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 56aa20519132423c5f99a9c67fb011bdf44d575ccb60d7109abd0f2f6db17a09
-  data.tar.gz: 6d63aaa0d4dce0256ee828233640f951af9a203a9bf56dc46640ad2994fbe05a
+  metadata.gz: 5ef5e7a09636bad627874135bfa0c1f020eace2016a31aaf8952a70b01465593
+  data.tar.gz: 77d1fd18df712dbf3dd6620c4d3e2dfdcd0ced4872e6ebea6f05340cc8bf28f3
 SHA512:
-  metadata.gz: a8c1978e55c6d63353823bf771c49c6c94266963774c2db5b9eef32d23f625f5762b08f30e773f71ef897bf53f07840f9e039a5dada27bc6bf7427b17667e3c1
-  data.tar.gz: 78b376acc7c4bfd48b0be54127761a4ef40ec02c28029e0de2d90526116a41f43d8cfe7029b5e877480c582fc9bb46b401f3aa2b8520bc8ce8668a866e523065
+  metadata.gz: 9dbab8990a50ddcea8df7e25aa651c294005bf9827c2b3729d77dc07df601384ece65af0acec8eeda7337a9c0fc358f8b9540e3fdde074cd718a496994bd26b9
+  data.tar.gz: 0e7aed934ce2b0e42f7e96e48ceca7866c81216e67a97b3e59f4027c298040c603e2c3a01e601914e8b33a97fb7c7457d52b70412a66f0bb2446b8a390cb8607

data/.github/workflows/ci.yml

@@ -14,10 +14,10 @@ jobs:
       fail-fast: false
       matrix:
         ruby:
-          - '2.7'
-          - '3.0'
           - '3.1'
           - '3.2'
+          - '3.3'
+          - '3.4'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3

data/.rubocop.yml

@@ -49,6 +49,9 @@ RSpec/MultipleMemoizedHelpers:
 RSpec/NamedSubject:
   Enabled: false
 
+RSpec/NestedGroups:
+  Max: 5
+
 Style/ModuleFunction:
   EnforcedStyle: extend_self
 

data/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Release History
 
+0.5.0
+----------
+
+- Support signed JWT credentials. ([#14](https://github.com/persona-id/googleauth-extras/pull/14))
+
+- Drop support for Ruby 2.7 & 3.0, update test dependencies. ([#15](https://github.com/persona-id/googleauth-extras/pull/15))
+
+0.4.0
+----------
+
+- Support setting a quota project. ([#11](https://github.com/persona-id/googleauth-extras/pull/11))
+
+- Update gemspec for new RuboCop settings. ([#12](https://github.com/persona-id/googleauth-extras/pull/12))
+
 0.3.0
 -----
 

data/Gemfile

@@ -5,12 +5,12 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in googleauth-extras.gemspec
 gemspec
 
-gem 'google-cloud-storage', '~> 1.44'
+gem 'google-cloud-storage', '~> 1.55'
 
-gem 'pry-byebug', '~> 3.10'
-gem 'rake', '~> 12.0'
-gem 'rspec', '~> 3.0'
-gem 'rubocop', '~> 1.45'
-gem 'rubocop-rspec', '~> 2.18'
-gem 'timecop', '~> 0.9.6'
-gem 'webmock', '~> 3.18'
+gem 'pry-byebug', '~> 3.11'
+gem 'rake', '~> 13.2'
+gem 'rspec', '~> 3.13'
+gem 'rubocop', '~> 1.75'
+gem 'rubocop-rspec', '~> 3.5'
+gem 'timecop', '~> 0.9.10'
+gem 'webmock', '~> 3.25'

data/googleauth-extras.gemspec

@@ -12,7 +12,7 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'https://github.com/persona-id/googleauth-extras'
   spec.license       = 'MIT'
 
-  spec.required_ruby_version = Gem::Requirement.new('>= 2.7.0')
+  spec.required_ruby_version = Gem::Requirement.new('>= 3.1.0')
 
   spec.metadata['allowed_push_host']     = 'https://rubygems.org'
   spec.metadata['rubygems_mfa_required'] = 'true'
@@ -30,9 +30,9 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_runtime_dependency 'addressable', '~> 2.8'
-  spec.add_runtime_dependency 'faraday', '>= 1.0', '< 3.0'
-  spec.add_runtime_dependency 'google-apis-iamcredentials_v1'
-  spec.add_runtime_dependency 'googleauth', '~> 1.3'
-  spec.add_runtime_dependency 'signet', '>= 0.17.0', '< 0.19.0'
+  spec.add_dependency 'addressable', '~> 2.8'
+  spec.add_dependency 'faraday', '>= 1.0', '< 3.0'
+  spec.add_dependency 'google-apis-iamcredentials_v1'
+  spec.add_dependency 'googleauth', '~> 1.3'
+  spec.add_dependency 'signet', '>= 0.17.0', '< 0.19.0'
 end

data/lib/google/auth/extras/impersonated_credential.rb

@@ -7,6 +7,8 @@ module Google
       class ImpersonatedCredential < Signet::OAuth2::Client
         include IdentityCredentialRefreshPatch
 
+        attr_reader :quota_project_id
+
         # A credential that impersonates a service account.
         #
         # The `email_address` of the service account to impersonate may be the exact
@@ -36,6 +38,10 @@ module Google
         #   additional API call.
         #   Only supported when not using a target_audience.
         #
+        # @param quota_project_id [String]
+        #   The project ID used for quota and billing. This project may be different from
+        #   the project used to create the credentials.
+        #
         # @param scope [String, Array<String>]
         #   The OAuth 2 scopes to request. Can either be formatted as a comma seperated string or array.
         #   Only supported when not using a target_audience.
@@ -54,6 +60,7 @@ module Google
           delegate_email_addresses: nil,
           include_email: nil,
           lifetime: nil,
+          quota_project_id: nil,
           scope: nil,
           target_audience: nil
         )
@@ -90,6 +97,8 @@ module Google
           end
 
           @impersonate_name = transform_email_to_name(email_address)
+
+          @quota_project_id = quota_project_id
         end
 
         def fetch_access_token(*)
@@ -135,6 +144,7 @@ module Google
               " @impersonate_delegates=#{@impersonate_delegates.inspect}" \
               " @impersonate_include_email=#{@impersonate_include_email.inspect}" \
               " @impersonate_name=#{@impersonate_name.inspect}" \
+              " @quota_project_id=#{@quota_project_id.inspect}" \
               " @target_audience=#{@target_audience.inspect}" \
               '>'
           else
@@ -144,6 +154,7 @@ module Google
               " @impersonate_delegates=#{@impersonate_delegates.inspect}" \
               " @impersonate_lifetime=#{@impersonate_lifetime.inspect}" \
               " @impersonate_name=#{@impersonate_name.inspect}" \
+              " @quota_project_id=#{@quota_project_id.inspect}" \
               '>'
           end
         end

data/lib/google/auth/extras/service_account_jwt_credential.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+module Google
+  module Auth
+    module Extras
+      # This credential issues JWTs signed a service account.
+      class ServiceAccountJWTCredential < Signet::OAuth2::Client
+        include IdentityCredentialRefreshPatch
+
+        # A credential that obtains a signed JWT from Google for a service account.
+        #
+        # @param base_credentials [Hash, String, Signet::OAuth2::Client]
+        #   Credentials to use to sign the JWTs.
+        #
+        # @param delegate_email_addresses [String, Array<String>]
+        #   The email addresses (if any) of intermediate service accounts to reach
+        #   the +email_address+ from +base_credentials+.
+        #
+        # @param email_address [String]
+        #   Email of the service account to sign the JWT.
+        #
+        # @param issuer [String]
+        #   The desired value of the iss field on the issued JWT. Defaults to the email_address.
+        #
+        # @param lifetime [Integers]
+        #   The desired lifetime (in seconds) of the JWT before needing to be refreshed.
+        #   Defaults to 3600 (1h), adjust as needed given a refresh is automatically
+        #   performed when the token less than 60s of remaining life and refresh requires
+        #   an additional API call.
+        #
+        # @param subject [String]
+        #   The desired value of the sub field on the issued JWT. Defaults to the email_address.
+        #
+        # @param target_audience [String]
+        #   The audience for the token, such as the API or account that this token grants access to.
+        #
+        # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt
+        # @see https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated#sa-credentials-permissions
+        #
+        def initialize(
+          email_address:,
+          target_audience:,
+          base_credentials: nil,
+          delegate_email_addresses: nil,
+          issuer: nil,
+          lifetime: 3600,
+          subject: nil
+        )
+          super(client_id: target_audience, target_audience: target_audience)
+
+          @iam_credentials_service = Google::Apis::IamcredentialsV1::IAMCredentialsService.new.tap do |ics|
+            ics.authorization = base_credentials if base_credentials
+          end
+
+          @jwt_issuer = issuer || email_address
+          @jwt_lifetime = lifetime
+          @jwt_subject = subject || email_address
+
+          @sa_delegates = Array(delegate_email_addresses).map do |email|
+            transform_email_to_name(email)
+          end
+
+          @sa_name = transform_email_to_name(email_address)
+        end
+
+        def fetch_access_token(*)
+          now = Time.now.to_i
+
+          request = Google::Apis::IamcredentialsV1::SignJwtRequest.new(
+            payload: JSON.dump(
+              aud: target_audience,
+              exp: now + @jwt_lifetime,
+              iat: now,
+              iss: @jwt_issuer,
+              sub: @jwt_subject,
+            ),
+          )
+
+          # The Google SDK doesn't like nil repeated values, but be careful with others as well.
+          request.delegates = @sa_delegates unless @sa_delegates.empty?
+
+          response = @iam_credentials_service.sign_service_account_jwt(@sa_name, request)
+
+          {
+            id_token: response.signed_jwt,
+          }
+        end
+
+        def inspect
+          "#<#{self.class.name}" \
+            " @expires_at=#{expires_at.inspect}" \
+            " @id_token=#{@id_token ? '[REDACTED]' : 'nil'}" \
+            " @jwt_issuer=#{@jwt_issuer.inspect}" \
+            " @jwt_lifetime=#{@jwt_lifetime.inspect}" \
+            " @jwt_subject=#{@jwt_subject.inspect}" \
+            " @sa_delegates=#{@sa_delegates.inspect}" \
+            " @sa_name=#{@sa_name.inspect}" \
+            " @target_audience=#{@target_audience.inspect}" \
+            '>'
+        end
+
+        private
+
+        def transform_email_to_name(email)
+          "projects/-/serviceAccounts/#{email}"
+        end
+      end
+    end
+  end
+end

data/lib/google/auth/extras/static_credential.rb

@@ -7,17 +7,25 @@ module Google
       class StaticCredential < Signet::OAuth2::Client
         class AuthorizationExpired < StandardError; end
 
+        attr_reader :quota_project_id
+
         # A credential using a static access token.
         #
         # @param access_token [String]
         #   The access token to use.
         #
-        def initialize(access_token:)
+        # @param quota_project_id [String]
+        #   The project ID used for quota and billing. This project may be different from
+        #   the project used to create the credentials.
+        #
+        def initialize(access_token:, quota_project_id: nil)
           super(
             access_token: access_token,
             expires_at: TokenInfo.lookup_access_token(access_token).fetch('exp'),
             issued_at: nil,
           )
+
+          @quota_project_id = quota_project_id
         end
 
         def fetch_access_token(*)
@@ -28,7 +36,11 @@ module Google
         end
 
         def inspect
-          "#<#{self.class.name} @access_token=[REDACTED] @expires_at=#{expires_at.inspect}>"
+          "#<#{self.class.name}" \
+            ' @access_token=[REDACTED]' \
+            " @expires_at=#{expires_at.inspect}" \
+            " @quota_project_id=#{@quota_project_id.inspect}" \
+            '>'
         end
       end
     end

data/lib/google/auth/extras/version.rb

@@ -3,7 +3,7 @@
 module Google
   module Auth
     module Extras
-      VERSION = '0.3.0'
+      VERSION = '0.5.0'
     end
   end
 end

data/lib/google/auth/extras.rb

@@ -6,6 +6,7 @@ require 'signet/oauth_2/client'
 
 require 'google/auth/extras/identity_credential_refresh_patch'
 require 'google/auth/extras/impersonated_credential'
+require 'google/auth/extras/service_account_jwt_credential'
 require 'google/auth/extras/static_credential'
 require 'google/auth/extras/token_info'
 require 'google/auth/extras/version'
@@ -50,6 +51,10 @@ module Google
       #   additional API call.
       #   Only supported when not using a target_audience.
       #
+      # @param quota_project_id [String]
+      #   The project ID used for quota and billing. This project may be different from
+      #   the project used to create the credentials.
+      #
       # @param scope [String, Array<String>]
       #   The OAuth 2 scopes to request. Can either be formatted as a comma seperated string or array.
       #   Only supported when not using a target_audience.
@@ -67,6 +72,7 @@ module Google
         delegate_email_addresses: nil,
         include_email: nil,
         lifetime: nil,
+        quota_project_id: nil,
         scope: nil,
         target_audience: nil
       )
@@ -76,6 +82,7 @@ module Google
           email_address: email_address,
           include_email: include_email,
           lifetime: lifetime,
+          quota_project_id: quota_project_id,
           scope: scope,
           target_audience: target_audience,
         )
@@ -106,6 +113,10 @@ module Google
       #   additional API call.
       #   Only supported when not using a target_audience.
       #
+      # @param quota_project_id [String]
+      #   The project ID used for quota and billing. This project may be different from
+      #   the project used to create the credentials.
+      #
       # @param scope [String, Array<String>]
       #   The OAuth 2 scopes to request. Can either be formatted as a comma seperated string or array.
       #   Only supported when not using a target_audience.
@@ -123,6 +134,7 @@ module Google
         delegate_email_addresses: nil,
         include_email: nil,
         lifetime: nil,
+        quota_project_id: nil,
         scope: nil,
         target_audience: nil
       )
@@ -133,22 +145,138 @@ module Google
             email_address: email_address,
             include_email: include_email,
             lifetime: lifetime,
+            quota_project_id: quota_project_id,
             scope: scope,
             target_audience: target_audience,
           ),
         )
       end
 
+      # A credential that obtains a signed JWT from Google for a service account.
+      # For usage with the older style GCP Ruby SDKs from the google-apis-* gems.
+      # Also useful for calling IAP-protected endpoints using the Google-managed
+      # OAuth client.
+      #
+      # @param base_credentials [Hash, String, Signet::OAuth2::Client]
+      #   Credentials to use to sign the JWTs.
+      #
+      # @param delegate_email_addresses [String, Array<String>]
+      #   The email addresses (if any) of intermediate service accounts to reach
+      #   the +email_address+ from +base_credentials+.
+      #
+      # @param email_address [String]
+      #   Email of the service account to sign the JWT.
+      #
+      # @param issuer [String]
+      #   The desired value of the iss field on the issued JWT. Defaults to the email_address.
+      #
+      # @param lifetime [Integers]
+      #   The desired lifetime (in seconds) of the JWT before needing to be refreshed.
+      #   Defaults to 3600 (1h), adjust as needed given a refresh is automatically
+      #   performed when the token less than 60s of remaining life and refresh requires
+      #   an additional API call.
+      #
+      # @param subject [String]
+      #   The desired value of the sub field on the issued JWT. Defaults to the email_address.
+      #
+      # @param target_audience [String]
+      #   The audience for the token, such as the API or account that this token grants access to.
+      #
+      # @return [Google::Auth::Extras::ServiceAccountJWTCredential]
+      #
+      # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt
+      # @see https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated#sa-credentials-permissions
+      #
+      def service_account_jwt_authorization(
+        email_address:,
+        target_audience:,
+        base_credentials: nil,
+        delegate_email_addresses: nil,
+        issuer: nil,
+        lifetime: 3600,
+        subject: nil
+      )
+        ServiceAccountJWTCredential.new(
+          base_credentials: base_credentials,
+          delegate_email_addresses: delegate_email_addresses,
+          email_address: email_address,
+          issuer: issuer,
+          lifetime: lifetime,
+          subject: subject,
+          target_audience: target_audience,
+        )
+      end
+
+      # A credential that obtains a signed JWT from Google for a service account.
+      # For usage with the newer style GCP Ruby SDKs from the google-cloud-* gems.
+      #
+      # @param base_credentials [Hash, String, Signet::OAuth2::Client]
+      #   Credentials to use to sign the JWTs.
+      #
+      # @param delegate_email_addresses [String, Array<String>]
+      #   The email addresses (if any) of intermediate service accounts to reach
+      #   the +email_address+ from +base_credentials+.
+      #
+      # @param email_address [String]
+      #   Email of the service account to sign the JWT.
+      #
+      # @param issuer [String]
+      #   The desired value of the iss field on the issued JWT. Defaults to the email_address.
+      #
+      # @param lifetime [Integers]
+      #   The desired lifetime (in seconds) of the JWT before needing to be refreshed.
+      #   Defaults to 3600 (1h), adjust as needed given a refresh is automatically
+      #   performed when the token less than 60s of remaining life and refresh requires
+      #   an additional API call.
+      #
+      # @param subject [String]
+      #   The desired value of the sub field on the issued JWT. Defaults to the email_address.
+      #
+      # @param target_audience [String]
+      #   The audience for the token, such as the API or account that this token grants access to.
+      #
+      # @return [Google::Auth::Extras::ServiceAccountJWTCredential]
+      #
+      # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt
+      # @see https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated#sa-credentials-permissions
+      #
+      def service_account_jwt_credential(
+        email_address:,
+        target_audience:,
+        base_credentials: nil,
+        delegate_email_addresses: nil,
+        issuer: nil,
+        lifetime: 3600,
+        subject: nil
+      )
+        wrap_authorization(
+          service_account_jwt_authorization(
+            base_credentials: base_credentials,
+            delegate_email_addresses: delegate_email_addresses,
+            email_address: email_address,
+            issuer: issuer,
+            lifetime: lifetime,
+            subject: subject,
+            target_audience: target_audience,
+          ),
+        )
+      end
+
       # A credential using a static access token. For usage with the older
       # style GCP Ruby SDKs from the google-apis-* gems.
       #
       # @param token [String]
       #   The access token to use.
       #
+      # @param quota_project_id [String]
+      #   The project ID used for quota and billing. This project may be different from
+      #   the project used to create the credentials.
+      #
+      #
       # @return [Google::Auth::Extras::StaticCredential]
       #
-      def static_authorization(token)
-        StaticCredential.new(access_token: token)
+      def static_authorization(token, quota_project_id: nil)
+        StaticCredential.new(access_token: token, quota_project_id: quota_project_id)
       end
 
       # A credential using a static access token. For usage with the newer
@@ -157,10 +285,14 @@ module Google
       # @param token [String]
       #   The access token to use.
       #
+      # @param quota_project_id [String]
+      #   The project ID used for quota and billing. This project may be different from
+      #   the project used to create the credentials.
+      #
       # @return [Google::Auth::Credential<Google::Auth::Extras::StaticCredential>]
       #
-      def static_credential(token)
-        wrap_authorization(static_authorization(token))
+      def static_credential(token, quota_project_id: nil)
+        wrap_authorization(static_authorization(token, quota_project_id: quota_project_id))
       end
 
       # Take an authorization and turn it into a credential, primarily used

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth-extras
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Persona Identities
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-07-09 00:00:00.000000000 Z
+date: 2025-04-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -92,7 +92,7 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: 0.19.0
-description: 
+description:
 email:
 - alex.coomans@withpersona.com
 executables: []
@@ -115,6 +115,7 @@ files:
 - lib/google/auth/extras.rb
 - lib/google/auth/extras/identity_credential_refresh_patch.rb
 - lib/google/auth/extras/impersonated_credential.rb
+- lib/google/auth/extras/service_account_jwt_credential.rb
 - lib/google/auth/extras/static_credential.rb
 - lib/google/auth/extras/token_info.rb
 - lib/google/auth/extras/version.rb
@@ -128,7 +129,7 @@ metadata:
   homepage_uri: https://github.com/persona-id/googleauth-extras
   source_code_uri: https://github.com/persona-id/googleauth-extras
   changelog_uri: https://github.com/persona-id/googleauth-extras/blob/main/CHANGELOG.md
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -136,15 +137,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 3.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
-signing_key: 
+rubygems_version: 3.3.27
+signing_key:
 specification_version: 4
 summary: Additions to the googleauth gem for unsupported authentication schemes.
 test_files: []