googleauth-extras 0.1.0 → 0.2.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0a86b0a5307d997f90698df100b415f4a21d91b8a40f81758449ec3876b3eb86
4
- data.tar.gz: 024a30daaed45790e9febd782300d197e5a9e0dd1494015912e07b34ceb081f5
3
+ metadata.gz: f05045744cb7032513fcf1a41cdc97a82240bebfdd02cc27c6da59eacd40ddf4
4
+ data.tar.gz: 377ecac6118f2759184df44bd0b6debd707d6df4e27bc0e67b3ede14d24f08cd
5
5
  SHA512:
6
- metadata.gz: d102b3fb295efc23afef1a4f945bff1a016e203fc25c73321ad3e4705854969a4fc8918bb37ac130b95c25804b8803a3ec86de468544bb797d67a41b90b7717c
7
- data.tar.gz: c04a1a5fadc7e6cc4c8f378f479285de2c537b190cd08ee3685930d48d855edfb0dc993d69a35419329eef99ce69e36c724e50a7894a714668a4814c7380a9ad
6
+ metadata.gz: 0ef2fa99d5922b5abbf5cacca3141f12b98986a5d5cb0c881c122a94e8b72286a3d63d1ba048022098d9340be49b5961e07299d632a6a174306715a8411fba18
7
+ data.tar.gz: e89598d2311705994ac0f75925e3f1c2bd2a6c4f8c7473b42657ef34169d0f5837dbef6544c75ed681ddee0acc4e166686870a3df38f68687b46a4c6b568d7b8
data/.rubocop.yml CHANGED
@@ -7,6 +7,12 @@ AllCops:
7
7
  Layout/FirstHashElementIndentation:
8
8
  EnforcedStyle: consistent
9
9
 
10
+ Layout/LineContinuationLeadingSpace:
11
+ EnforcedStyle: leading
12
+
13
+ Layout/LineEndStringConcatenationIndentation:
14
+ EnforcedStyle: indented
15
+
10
16
  Layout/LineLength:
11
17
  Max: 160
12
18
 
@@ -25,9 +31,15 @@ RSpec/ContextWording:
25
31
  RSpec/ExampleLength:
26
32
  Enabled: false
27
33
 
34
+ RSpec/LetSetup:
35
+ Enabled: false
36
+
28
37
  RSpec/MultipleExpectations:
29
38
  Max: 50
30
39
 
40
+ RSpec/MultipleMemoizedHelpers:
41
+ Max: 10
42
+
31
43
  RSpec/NamedSubject:
32
44
  Enabled: false
33
45
 
data/CHANGELOG.md CHANGED
@@ -1,5 +1,12 @@
1
1
  # Release History
2
2
 
3
+ 0.2.0
4
+ -----
5
+
6
+ - Split out authorization vs credential methods for old vs new SDKs. ([#3](https://github.com/persona-id/googleauth-extras/pull/3))
7
+
8
+ - Define #inspect so that it doesn't leak sensitive values. ([#2](https://github.com/persona-id/googleauth-extras/pull/2))
9
+
3
10
  0.1.0
4
11
  -----
5
12
 
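Review bot: The 0.2.0 entry for #3 does not say that the split is a breaking change for callers on the older google-apis-* SDKs. In this release `impersonated_credential` and `static_credential` keep their names but now return the result of `wrap_authorization`, and the README states that `*_credential` values will not work with the old SDKs, so 0.1.0 code that assigns them to `authorization` has to move to the `*_authorization` methods. Suggest marking the entry as breaking and naming the replacement methods.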
data/Gemfile CHANGED
@@ -5,6 +5,8 @@ source 'https://rubygems.org'
5
5
  # Specify your gem's dependencies in googleauth-extras.gemspec
6
6
  gemspec
7
7
 
8
+ gem 'google-cloud-storage', '~> 1.44'
9
+
8
10
  gem 'pry-byebug', '~> 3.10'
9
11
  gem 'rake', '~> 12.0'
10
12
  gem 'rspec', '~> 3.0'
data/README.md CHANGED
@@ -1,5 +1,8 @@
1
1
  # googleauth-extras
2
2
 
3
+ [![Gem Version](https://img.shields.io/gem/v/googleauth-extras?color=blue)](https://rubygems.org/gems/googleauth-extras)
4
+ ![Build](https://github.com/persona-id/googleauth-extras/workflows/CI/badge.svg)
5
+
3
6
  **Disclaimer: This gem is not sponsored by Google.**
4
7
 
5
8
  The [googleauth](https://github.com/googleapis/google-auth-library-ruby) currently lacks support for all the authentication schemes supported in Python and the `gcloud` CLI. This gem aims to support additional schemes like:
@@ -30,14 +33,31 @@ Or install it yourself as:
30
33
  If you'd like to have credentials that act as a different service account, you can setup the credentials with:
31
34
 
32
35
  ```ruby
33
- Google::Apis::DriveV3::DriveService.new.tap do |ds|
34
- ds.authorization = Google::Auth::Extras.impersonated_credential(
36
+ # Old API Client
37
+ Google::Apis::RequestOptions.default.authorization = Google::Auth::Extras.impersonated_authorization(
38
+ email_address: 'my-sa@my-project.iam.gserviceaccount.com',
39
+ scope: [
40
+ Google::Apis::ComputeV1::AUTH_CLOUD_PLATFORM,
41
+ Google::Apis::PubsubV1::AUTH_PUBSUB,
42
+ ],
43
+ )
44
+
45
+ # New API Client
46
+ Google::Cloud.configure.credentials = Google::Auth::Extras.impersonated_credential(
47
+ email_address: 'my-sa@my-project.iam.gserviceaccount.com',
48
+ scope: Google::Cloud.configure.pubsub.scope,
49
+ )
50
+
51
+ # Dual Client Setup
52
+ Google::Cloud.configure.credentials = Google::Auth::Extras.wrap_authorization(
53
+ Google::Apis::RequestOptions.default.authorization = Google::Auth::Extras.impersonated_authorization(
35
54
  email_address: 'my-sa@my-project.iam.gserviceaccount.com',
36
55
  scope: [
37
- Google::Apis::SheetsV4::AUTH_DRIVE,
56
+ Google::Apis::ComputeV1::AUTH_CLOUD_PLATFORM,
57
+ Google::Apis::PubsubV1::AUTH_PUBSUB,
38
58
  ],
39
59
  )
40
- end
60
+ )
41
61
  ```
42
62
 
43
63
  You can optionally specify the following additional options:
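Review bot: In the added "Old API Client" and "Dual Client Setup" examples the `scope` array requests `AUTH_CLOUD_PLATFORM` together with `AUTH_PUBSUB`, where the removed example asked for a single scope. README snippets tend to be copied into real configuration, so the sample would be better showing only the narrowest scope the impersonated service account needs. The dual setup also nests an assignment inside the `wrap_authorization(` argument list; splitting it into two statements (assign the authorization, then wrap it) would be easier to read.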
@@ -52,11 +72,21 @@ If you'd like to use a static access token, you can setup the credentials with:
52
72
 
53
73
  ```ruby
54
74
  # Old API Client
55
- Google::Apis::RequestOptions.default.authorization = Google::Auth::Extras.static_credential('my-access-token')
75
+ Google::Apis::RequestOptions.default.authorization = Google::Auth::Extras.static_authorization('my-access-token')
76
+
56
77
  # New API Client
57
78
  Google::Cloud.configure.credentials = Google::Auth::Extras.static_credential('my-access-token')
79
+
80
+ # Dual Client Setup
81
+ Google::Cloud.configure.credentials = Google::Auth::Extras.wrap_authorization(
82
+ Google::Apis::RequestOptions.default.authorization = Google::Auth::Extras.static_authorization('my-access-token')
83
+ )
58
84
  ```
59
85
 
86
+ ### Authorization vs Credential
87
+
88
+ The values returned from the `*_authorization` methods will work with both the old and new SDKs, it'll just trigger a warning with the newer SDKs. The reverse however is not true, the values returned from the `*_credential` methods will not work with the old SDKs.
89
+
60
90
  ## Development
61
91
 
62
92
  After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
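Review bot: The added "Authorization vs Credential" paragraph says the `*_authorization` values will "just trigger a warning" with the newer SDKs but does not say which warning or whether it is safe to ignore. Suggest quoting the warning text, or pointing readers at the "Dual Client Setup" example as the way to configure both SDKs. Both sentences are also comma splices and would read better split.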
@@ -66,6 +66,16 @@ module Google
66
66
  }
67
67
  end
68
68
 
69
+ def inspect
70
+ "#<#{self.class.name}" \
71
+ " @access_token=#{@access_token ? '[REDACTED]' : 'nil'}" \
72
+ " @expires_at=#{expires_at.inspect}" \
73
+ " @impersonate_delegates=#{@impersonate_delegates.inspect}" \
74
+ " @impersonate_lifetime=#{@impersonate_lifetime.inspect}" \
75
+ " @impersonate_name=#{@impersonate_name.inspect}" \
76
+ '>'
77
+ end
78
+
69
79
  private
70
80
 
71
81
  def transform_email_to_name(email)
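Review bot: The new `inspect` works as an allowlist, which is the right shape for keeping `@access_token` out of its output, but nothing in the hunk says so. A short comment above `def inspect` stating that fields are listed explicitly, so that new instance variables are not printed by default, would stop a later edit from adding a sensitive one. The `@expires_at=` label is filled from `expires_at.inspect` (the reader method) while the other fields read instance variables directly; worth making consistent or noting why.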
@@ -26,6 +26,10 @@ module Google
26
26
  # This is a simple trick for getting the cause to be set.
27
27
  raise Signet::AuthorizationError, 'Refresh not supported'
28
28
  end
29
+
30
+ def inspect
31
+ "#<#{self.class.name} @access_token=[REDACTED] @expires_at=#{expires_at.inspect}>"
32
+ end
29
33
  end
30
34
  end
31
35
  end
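Review bot: `@access_token=[REDACTED]` is printed unconditionally in this `inspect`, while the other `inspect` added in this release prints `nil` when no token is set (`@access_token ? '[REDACTED]' : 'nil'`). Suggest using the same conditional here so the two outputs are consistent and a missing token is visible when debugging.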
@@ -3,7 +3,7 @@
3
3
  module Google
4
4
  module Auth
5
5
  module Extras
6
- VERSION = '0.1.0'
6
+ VERSION = '0.2.0'
7
7
  end
8
8
  end
9
9
  end
@@ -19,7 +19,8 @@ module Google
19
19
  # credential.
20
20
  class RefreshNotSupported < StandardError; end
21
21
 
22
- # A credential that impersonates a service account.
22
+ # A credential that impersonates a service account. For usage with the
23
+ # older style GCP Ruby SDKs from the google-apis-* gems.
23
24
  #
24
25
  # @param base_credentials [Hash, String, Signet::OAuth2::Client]
25
26
  # Credentials to use to impersonate the provided email address.
@@ -38,14 +39,15 @@ module Google
38
39
  # additional API call.
39
40
  #
40
41
  # @param scope [String, Array<String>]
41
- # The OAuth 2 scopes to request. Can either be formatted as a comma seperated string or array.
42
+ # The OAuth 2 scope(s) to request. Can either be formatted as a comma seperated string or array.
42
43
  #
43
44
  # @return [Google::Auth::Extras::ImpersonatedCredential]
44
45
  #
45
46
  # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken
46
47
  # @see https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated#sa-credentials-permissions
48
+ # @see https://developers.google.com/identity/protocols/oauth2/scopes
47
49
  #
48
- def impersonated_credential(email_address:, scope:, base_credentials: nil, delegate_email_addresses: nil, lifetime: nil)
50
+ def impersonated_authorization(email_address:, scope:, base_credentials: nil, delegate_email_addresses: nil, lifetime: nil)
49
51
  ImpersonatedCredential.new(
50
52
  base_credentials: base_credentials,
51
53
  delegate_email_addresses: delegate_email_addresses,
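Review bot: The rewritten `scope` doc line still carries the typo "comma seperated"; since the line is being changed anyway, fix it to "comma separated". The method is renamed to `impersonated_authorization` but the unchanged `@return [Google::Auth::Extras::ImpersonatedCredential]` context is the only hint of what an "authorization" is, so a sentence in the doc comment saying it is the raw object for the google-apis-* clients would help.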
@@ -55,16 +57,81 @@ module Google
55
57
  )
56
58
  end
57
59
 
58
- # A credential using a static access token token.
60
+ # A credential that impersonates a service account. For usage with the
61
+ # newer style GCP Ruby SDKs from the google-cloud-* gems.
62
+ #
63
+ # @param base_credentials [Hash, String, Signet::OAuth2::Client]
64
+ # Credentials to use to impersonate the provided email address.
65
+ #
66
+ # @param delegate_email_addresses [String, Array<String>]
67
+ # The list of email address if there are intermediate service accounts that
68
+ # need to be impersonated using delegation.
69
+ #
70
+ # @param email_address [String]
71
+ # Email of the service account to impersonate.
72
+ #
73
+ # @param lifetime [String]
74
+ # The desired lifetime (in seconds) of the token before needing to be refreshed.
75
+ # Defaults to 1h, adjust as needed given a refresh is automatically performed
76
+ # when the token less than 60s of remaining life and refresh requires an
77
+ # additional API call.
78
+ #
79
+ # @param scope [String, Array<String>]
80
+ # The OAuth 2 scope(s) to request. Can either be formatted as a comma seperated string or array.
81
+ #
82
+ # @return [Google::Auth::Credential<Google::Auth::Extras::ImpersonatedCredential>]
83
+ #
84
+ # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken
85
+ # @see https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated#sa-credentials-permissions
86
+ # @see https://developers.google.com/identity/protocols/oauth2/scopes
87
+ #
88
+ def impersonated_credential(email_address:, scope:, base_credentials: nil, delegate_email_addresses: nil, lifetime: nil)
89
+ wrap_authorization(
90
+ impersonated_authorization(
91
+ base_credentials: base_credentials,
92
+ delegate_email_addresses: delegate_email_addresses,
93
+ email_address: email_address,
94
+ lifetime: lifetime,
95
+ scope: scope,
96
+ ),
97
+ )
98
+ end
99
+
100
+ # A credential using a static access token. For usage with the older
101
+ # style GCP Ruby SDKs from the google-apis-* gems.
59
102
  #
60
103
  # @param token [String]
61
104
  # The access token to use.
62
105
  #
63
106
  # @return [Google::Auth::Extras::StaticCredential]
64
107
  #
65
- def static_credential(token)
108
+ def static_authorization(token)
66
109
  StaticCredential.new(access_token: token)
67
110
  end
111
+
112
+ # A credential using a static access token. For usage with the newer
113
+ # style GCP Ruby SDKs from the google-cloud-* gems.
114
+ #
115
+ # @param token [String]
116
+ # The access token to use.
117
+ #
118
+ # @return [Google::Auth::Credential<Google::Auth::Extras::StaticCredential>]
119
+ #
120
+ def static_credential(token)
121
+ wrap_authorization(static_authorization(token))
122
+ end
123
+
124
+ # Take an authorization and turn it into a credential, primarily used
125
+ # for setting up both the old and new style SDK.s
126
+ #
127
+ # @param client [Signet::OAuth2::Client]
128
+ # Authorization credential to wrap.
129
+ #
130
+ # @return [Google::Auth::Credential]
131
+ #
132
+ def wrap_authorization(client)
133
+ ::Google::Auth::Credentials.new(client)
134
+ end
68
135
  end
69
136
  end
70
137
  end
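Review bot: The `@return` tags on `impersonated_credential`, `static_credential` and `wrap_authorization` name `Google::Auth::Credential`, but `wrap_authorization` constructs `::Google::Auth::Credentials.new(client)` (plural). Suggest correcting the tags to match the class that is actually returned. The `wrap_authorization` comment also ends in "SDK.s" (should be "SDKs."), the copied `scope` doc repeats "comma seperated", and `@param lifetime [String]` is described as a value "in seconds", so the documented type deserves a check.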
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: googleauth-extras
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0
4
+ version: 0.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Persona Identities
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2023-02-17 00:00:00.000000000 Z
11
+ date: 2023-02-25 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: addressable