googleauth-extras 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0a86b0a5307d997f90698df100b415f4a21d91b8a40f81758449ec3876b3eb86
-  data.tar.gz: 024a30daaed45790e9febd782300d197e5a9e0dd1494015912e07b34ceb081f5
+  metadata.gz: f05045744cb7032513fcf1a41cdc97a82240bebfdd02cc27c6da59eacd40ddf4
+  data.tar.gz: 377ecac6118f2759184df44bd0b6debd707d6df4e27bc0e67b3ede14d24f08cd
 SHA512:
-  metadata.gz: d102b3fb295efc23afef1a4f945bff1a016e203fc25c73321ad3e4705854969a4fc8918bb37ac130b95c25804b8803a3ec86de468544bb797d67a41b90b7717c
-  data.tar.gz: c04a1a5fadc7e6cc4c8f378f479285de2c537b190cd08ee3685930d48d855edfb0dc993d69a35419329eef99ce69e36c724e50a7894a714668a4814c7380a9ad
+  metadata.gz: 0ef2fa99d5922b5abbf5cacca3141f12b98986a5d5cb0c881c122a94e8b72286a3d63d1ba048022098d9340be49b5961e07299d632a6a174306715a8411fba18
+  data.tar.gz: e89598d2311705994ac0f75925e3f1c2bd2a6c4f8c7473b42657ef34169d0f5837dbef6544c75ed681ddee0acc4e166686870a3df38f68687b46a4c6b568d7b8

data/.rubocop.yml

@@ -7,6 +7,12 @@ AllCops:
 Layout/FirstHashElementIndentation:
   EnforcedStyle: consistent
 
+Layout/LineContinuationLeadingSpace:
+  EnforcedStyle: leading
+
+Layout/LineEndStringConcatenationIndentation:
+  EnforcedStyle: indented
+
 Layout/LineLength:
   Max: 160
 
@@ -25,9 +31,15 @@ RSpec/ContextWording:
 RSpec/ExampleLength:
   Enabled: false
 
+RSpec/LetSetup:
+  Enabled: false
+
 RSpec/MultipleExpectations:
   Max: 50
 
+RSpec/MultipleMemoizedHelpers:
+  Max: 10
+
 RSpec/NamedSubject:
   Enabled: false
 

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Release History
 
+0.2.0
+-----
+
+- Split out authorization vs credential methods for old vs new SDKs. ([#3](https://github.com/persona-id/googleauth-extras/pull/3))
+
+- Define #inspect so that it doesn't leak sensitive values. ([#2](https://github.com/persona-id/googleauth-extras/pull/2))
+
 0.1.0
 -----
 

data/Gemfile

@@ -5,6 +5,8 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in googleauth-extras.gemspec
 gemspec
 
+gem 'google-cloud-storage', '~> 1.44'
+
 gem 'pry-byebug', '~> 3.10'
 gem 'rake', '~> 12.0'
 gem 'rspec', '~> 3.0'

data/README.md

@@ -1,5 +1,8 @@
 # googleauth-extras
 
+[![Gem Version](https://img.shields.io/gem/v/googleauth-extras?color=blue)](https://rubygems.org/gems/googleauth-extras)
+![Build](https://github.com/persona-id/googleauth-extras/workflows/CI/badge.svg)
+
 **Disclaimer: This gem is not sponsored by Google.**
 
 The [googleauth](https://github.com/googleapis/google-auth-library-ruby) currently lacks support for all the authentication schemes supported in Python and the `gcloud` CLI. This gem aims to support additional schemes like:
@@ -30,14 +33,31 @@ Or install it yourself as:
 If you'd like to have credentials that act as a different service account, you can setup the credentials with:
 
 ```ruby
-Google::Apis::DriveV3::DriveService.new.tap do |ds|
-  ds.authorization = Google::Auth::Extras.impersonated_credential(
+# Old API Client
+Google::Apis::RequestOptions.default.authorization = Google::Auth::Extras.impersonated_authorization(
+  email_address: 'my-sa@my-project.iam.gserviceaccount.com',
+  scope: [
+    Google::Apis::ComputeV1::AUTH_CLOUD_PLATFORM,
+    Google::Apis::PubsubV1::AUTH_PUBSUB,
+  ],
+)
+
+# New API Client
+Google::Cloud.configure.credentials = Google::Auth::Extras.impersonated_credential(
+  email_address: 'my-sa@my-project.iam.gserviceaccount.com',
+  scope: Google::Cloud.configure.pubsub.scope,
+)
+
+# Dual Client Setup
+Google::Cloud.configure.credentials = Google::Auth::Extras.wrap_authorization(
+  Google::Apis::RequestOptions.default.authorization = Google::Auth::Extras.impersonated_authorization(
     email_address: 'my-sa@my-project.iam.gserviceaccount.com',
     scope: [
-      Google::Apis::SheetsV4::AUTH_DRIVE,
+      Google::Apis::ComputeV1::AUTH_CLOUD_PLATFORM,
+      Google::Apis::PubsubV1::AUTH_PUBSUB,
     ],
   )
-end
+)
 ```
 
 You can optionally specify the following additional options:
@@ -52,11 +72,21 @@ If you'd like to use a static access token, you can setup the credentials with:
 
 ```ruby
 # Old API Client
-Google::Apis::RequestOptions.default.authorization = Google::Auth::Extras.static_credential('my-access-token')
+Google::Apis::RequestOptions.default.authorization = Google::Auth::Extras.static_authorization('my-access-token')
+
 # New API Client
 Google::Cloud.configure.credentials = Google::Auth::Extras.static_credential('my-access-token')
+
+# Dual Client Setup
+Google::Cloud.configure.credentials = Google::Auth::Extras.wrap_authorization(
+  Google::Apis::RequestOptions.default.authorization = Google::Auth::Extras.static_authorization('my-access-token')
+)
 ```
 
+### Authorization vs Credential
+
+The values returned from the `*_authorization` methods will work with both the old and new SDKs, it'll just trigger a warning with the newer SDKs. The reverse however is not true, the values returned from the `*_credential` methods will not work with the old SDKs.
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/lib/google/auth/extras/impersonated_credential.rb

@@ -66,6 +66,16 @@ module Google
           }
         end
 
+        def inspect
+          "#<#{self.class.name}" \
+            " @access_token=#{@access_token ? '[REDACTED]' : 'nil'}" \
+            " @expires_at=#{expires_at.inspect}" \
+            " @impersonate_delegates=#{@impersonate_delegates.inspect}" \
+            " @impersonate_lifetime=#{@impersonate_lifetime.inspect}" \
+            " @impersonate_name=#{@impersonate_name.inspect}" \
+            '>'
+        end
+
         private
 
         def transform_email_to_name(email)

data/lib/google/auth/extras/static_credential.rb

@@ -26,6 +26,10 @@ module Google
           # This is a simple trick for getting the cause to be set.
           raise Signet::AuthorizationError, 'Refresh not supported'
         end
+
+        def inspect
+          "#<#{self.class.name} @access_token=[REDACTED] @expires_at=#{expires_at.inspect}>"
+        end
       end
     end
   end

data/lib/google/auth/extras/version.rb

@@ -3,7 +3,7 @@
 module Google
   module Auth
     module Extras
-      VERSION = '0.1.0'
+      VERSION = '0.2.0'
     end
   end
 end

data/lib/google/auth/extras.rb

@@ -19,7 +19,8 @@ module Google
       # credential.
       class RefreshNotSupported < StandardError; end
 
-      # A credential that impersonates a service account.
+      # A credential that impersonates a service account. For usage with the
+      # older style GCP Ruby SDKs from the google-apis-* gems.
       #
       # @param base_credentials [Hash, String, Signet::OAuth2::Client]
       #   Credentials to use to impersonate the provided email address.
@@ -38,14 +39,15 @@ module Google
       #   additional API call.
       #
       # @param scope [String, Array<String>]
-      #   The OAuth 2 scopes to request. Can either be formatted as a comma seperated string or array.
+      #   The OAuth 2 scope(s) to request. Can either be formatted as a comma seperated string or array.
       #
       # @return [Google::Auth::Extras::ImpersonatedCredential]
       #
       # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken
       # @see https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated#sa-credentials-permissions
+      # @see https://developers.google.com/identity/protocols/oauth2/scopes
       #
-      def impersonated_credential(email_address:, scope:, base_credentials: nil, delegate_email_addresses: nil, lifetime: nil)
+      def impersonated_authorization(email_address:, scope:, base_credentials: nil, delegate_email_addresses: nil, lifetime: nil)
         ImpersonatedCredential.new(
           base_credentials: base_credentials,
           delegate_email_addresses: delegate_email_addresses,
@@ -55,16 +57,81 @@ module Google
         )
       end
 
-      # A credential using a static access token token.
+      # A credential that impersonates a service account. For usage with the
+      # newer style GCP Ruby SDKs from the google-cloud-* gems.
+      #
+      # @param base_credentials [Hash, String, Signet::OAuth2::Client]
+      #   Credentials to use to impersonate the provided email address.
+      #
+      # @param delegate_email_addresses [String, Array<String>]
+      #   The list of email address if there are intermediate service accounts that
+      #   need to be impersonated using delegation.
+      #
+      # @param email_address [String]
+      #   Email of the service account to impersonate.
+      #
+      # @param lifetime [String]
+      #   The desired lifetime (in seconds) of the token before needing to be refreshed.
+      #   Defaults to 1h, adjust as needed given a refresh is automatically performed
+      #   when the token less than 60s of remaining life and refresh requires an
+      #   additional API call.
+      #
+      # @param scope [String, Array<String>]
+      #   The OAuth 2 scope(s) to request. Can either be formatted as a comma seperated string or array.
+      #
+      # @return [Google::Auth::Credential<Google::Auth::Extras::ImpersonatedCredential>]
+      #
+      # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken
+      # @see https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated#sa-credentials-permissions
+      # @see https://developers.google.com/identity/protocols/oauth2/scopes
+      #
+      def impersonated_credential(email_address:, scope:, base_credentials: nil, delegate_email_addresses: nil, lifetime: nil)
+        wrap_authorization(
+          impersonated_authorization(
+            base_credentials: base_credentials,
+            delegate_email_addresses: delegate_email_addresses,
+            email_address: email_address,
+            lifetime: lifetime,
+            scope: scope,
+          ),
+        )
+      end
+
+      # A credential using a static access token. For usage with the older
+      # style GCP Ruby SDKs from the google-apis-* gems.
       #
       # @param token [String]
       #   The access token to use.
       #
       # @return [Google::Auth::Extras::StaticCredential]
       #
-      def static_credential(token)
+      def static_authorization(token)
         StaticCredential.new(access_token: token)
       end
+
+      # A credential using a static access token. For usage with the newer
+      # style GCP Ruby SDKs from the google-cloud-* gems.
+      #
+      # @param token [String]
+      #   The access token to use.
+      #
+      # @return [Google::Auth::Credential<Google::Auth::Extras::StaticCredential>]
+      #
+      def static_credential(token)
+        wrap_authorization(static_authorization(token))
+      end
+
+      # Take an authorization and turn it into a credential, primarily used
+      # for setting up both the old and new style SDK.s
+      #
+      # @param client [Signet::OAuth2::Client]
+      #   Authorization credential to wrap.
+      #
+      # @return [Google::Auth::Credential]
+      #
+      def wrap_authorization(client)
+        ::Google::Auth::Credentials.new(client)
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth-extras
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Persona Identities
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-02-17 00:00:00.000000000 Z
+date: 2023-02-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable