googleauth-extras 0.2.1 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ad8095b3525757ef2de9dc247ff7d0c73b33934e7499bcf014b6c4195584e263
-  data.tar.gz: d358b9edd0c828c64caade73dfdd5f005949b33701f5e6422ff46cd21f2e113f
+  metadata.gz: 56aa20519132423c5f99a9c67fb011bdf44d575ccb60d7109abd0f2f6db17a09
+  data.tar.gz: 6d63aaa0d4dce0256ee828233640f951af9a203a9bf56dc46640ad2994fbe05a
 SHA512:
-  metadata.gz: 7635394f3775d86163f9da920cba3f03f94c1081dbe8ca1c402190e1cb5a5f4539cc0068e17b4386e4724786fdbc7579eb737ee6806c92f45447d005f9152a2a
-  data.tar.gz: 07f10d26bbc5db9a065d72160b02cba39b506b49badb3826c99122ef05cbfefa76c87357f7d84ef1f5ff53f3870f65106f6d8c57d44def8375737697045bf5d2
+  metadata.gz: a8c1978e55c6d63353823bf771c49c6c94266963774c2db5b9eef32d23f625f5762b08f30e773f71ef897bf53f07840f9e039a5dada27bc6bf7427b17667e3c1
+  data.tar.gz: 78b376acc7c4bfd48b0be54127761a4ef40ec02c28029e0de2d90526116a41f43d8cfe7029b5e877480c582fc9bb46b401f3aa2b8520bc8ce8668a866e523065

data/.rubocop.yml

@@ -19,12 +19,18 @@ Layout/LineLength:
 Metrics/AbcSize:
   Enabled: false
 
+Metrics/CyclomaticComplexity:
+  Enabled: false
+
 Metrics/MethodLength:
-  Max: 20
+  Max: 30
 
 Metrics/ParameterLists:
   Enabled: false
 
+Metrics/PerceivedComplexity:
+  Enabled: false
+
 RSpec/ContextWording:
   Enabled: false
 

data/CHANGELOG.md

@@ -1,9 +1,14 @@
 # Release History
 
+0.3.0
+-----
+
+- Support impersonation with ID tokens. ([#9](https://github.com/persona-id/googleauth-extras/pull/9))
+
 0.2.1
 -----
 
-- Support signet 0.18.0 ([#7](https://github.com/persona-id/googleauth-extras/pull/7))
+- Support signet 0.18.0. ([#7](https://github.com/persona-id/googleauth-extras/pull/7))
 
 0.2.0
 -----

data/lib/google/auth/extras/identity_credential_refresh_patch.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Google
+  module Auth
+    module Extras
+      # This module fixes an issue with ID tokens not automatically refreshing
+      # because their expiration is encoded in the JWT.
+      module IdentityCredentialRefreshPatch
+        def update_token!(*)
+          super.tap do
+            self.expires_at = decoded_id_token['exp'] if id_token
+          end
+        end
+      end
+    end
+  end
+end

data/lib/google/auth/extras/impersonated_credential.rb

@@ -5,10 +5,15 @@ module Google
     module Extras
       # This credential impersonates a service account.
       class ImpersonatedCredential < Signet::OAuth2::Client
-        class MissingScope < StandardError; end
+        include IdentityCredentialRefreshPatch
 
         # A credential that impersonates a service account.
         #
+        # The `email_address` of the service account to impersonate may be the exact
+        # same as the one represented in `base_credentials` for any desired situation
+        # but a handy usage is for going from and access token to an ID token (aka
+        # using `target_audience`).
+        #
         # @param base_credentials [Hash, String, Signet::OAuth2::Client]
         #   Credentials to use to impersonate the provided email address.
         #
@@ -19,22 +24,48 @@ module Google
         # @param email_address [String]
         #   Email of the service account to impersonate.
         #
+        # @param include_email [Boolean]
+        #   Include the service account email in the token. If set to true, the token will
+        #   contain email and email_verified claims.
+        #   Only supported when using a target_audience.
+        #
         # @param lifetime [String]
         #   The desired lifetime (in seconds) of the token before needing to be refreshed.
         #   Defaults to 1h, adjust as needed given a refresh is automatically performed
         #   when the token less than 60s of remaining life and refresh requires an
         #   additional API call.
+        #   Only supported when not using a target_audience.
         #
         # @param scope [String, Array<String>]
         #   The OAuth 2 scopes to request. Can either be formatted as a comma seperated string or array.
+        #   Only supported when not using a target_audience.
+        #
+        # @param target_audience [String]
+        #   The audience for the token, such as the API or account that this token grants access to.
         #
         # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken
+        # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateIdToken
         # @see https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated#sa-credentials-permissions
+        # @see https://developers.google.com/identity/protocols/oauth2/scopes
         #
-        def initialize(email_address:, scope:, base_credentials: nil, delegate_email_addresses: nil, lifetime: nil)
-          super(scope: scope)
+        def initialize(
+          email_address:,
+          base_credentials: nil,
+          delegate_email_addresses: nil,
+          include_email: nil,
+          lifetime: nil,
+          scope: nil,
+          target_audience: nil
+        )
+          super(client_id: target_audience, scope: scope, target_audience: target_audience)
 
-          raise MissingScope if self.scope.nil? || self.scope.empty?
+          if self.target_audience.nil? || self.target_audience.empty?
+            raise(ArgumentError, 'Must provide scope or target_audience') if self.scope.nil? || self.scope.empty?
+          elsif self.scope.nil? || self.scope.empty?
+            # no-op
+          else
+            raise ArgumentError, 'Must provide scope or target_audience, not both'
+          end
 
           @iam_credentials_service = Google::Apis::IamcredentialsV1::IAMCredentialsService.new.tap do |ics|
             ics.authorization = base_credentials if base_credentials
@@ -44,36 +75,77 @@ module Google
             transform_email_to_name(email)
           end
 
-          @impersonate_lifetime = lifetime
+          # This is true when target_audience is passed
+          if token_type == :id_token
+            @impersonate_include_email = include_email
+          elsif !include_email.nil?
+            raise ArgumentError, 'Can only provide include_email when using target_audience'
+          end
+
+          # This is true when scope is passed
+          if token_type == :access_token
+            @impersonate_lifetime = lifetime
+          elsif !lifetime.nil?
+            raise ArgumentError, 'Cannot provide lifetime when using target_audience'
+          end
 
           @impersonate_name = transform_email_to_name(email_address)
         end
 
         def fetch_access_token(*)
-          access_token_request = Google::Apis::IamcredentialsV1::GenerateAccessTokenRequest.new(
-            scope: scope,
-          )
+          token_request = if token_type == :id_token
+                            Google::Apis::IamcredentialsV1::GenerateIdTokenRequest.new(
+                              audience: target_audience,
+                            )
+                          else
+                            Google::Apis::IamcredentialsV1::GenerateAccessTokenRequest.new(
+                              scope: scope,
+                            )
+                          end
 
           # The Google SDK doesn't like nil repeated values, but be careful with others as well.
-          access_token_request.delegates = @impersonate_delegates unless @impersonate_delegates.empty?
-          access_token_request.lifetime = @impersonate_lifetime unless @impersonate_lifetime.nil?
+          token_request.delegates = @impersonate_delegates unless @impersonate_delegates.empty?
+          if token_type == :id_token
+            token_request.include_email = @impersonate_include_email unless @impersonate_include_email.nil?
+          else
+            token_request.lifetime = @impersonate_lifetime unless @impersonate_lifetime.nil?
+          end
+
+          if token_type == :id_token
+            id_token_response = @iam_credentials_service.generate_service_account_id_token(@impersonate_name, token_request)
 
-          access_token_response = @iam_credentials_service.generate_service_account_access_token(@impersonate_name, access_token_request)
+            {
+              id_token: id_token_response.token,
+            }
+          else
+            access_token_response = @iam_credentials_service.generate_service_account_access_token(@impersonate_name, token_request)
 
-          {
-            access_token: access_token_response.access_token,
-            expires_at: DateTime.rfc3339(access_token_response.expire_time).to_time,
-          }
+            {
+              access_token: access_token_response.access_token,
+              expires_at: DateTime.rfc3339(access_token_response.expire_time).to_time,
+            }
+          end
         end
 
         def inspect
-          "#<#{self.class.name}" \
-            " @access_token=#{@access_token ? '[REDACTED]' : 'nil'}" \
-            " @expires_at=#{expires_at.inspect}" \
-            " @impersonate_delegates=#{@impersonate_delegates.inspect}" \
-            " @impersonate_lifetime=#{@impersonate_lifetime.inspect}" \
-            " @impersonate_name=#{@impersonate_name.inspect}" \
-            '>'
+          if token_type == :id_token
+            "#<#{self.class.name}" \
+              " @expires_at=#{expires_at.inspect}" \
+              " @id_token=#{@id_token ? '[REDACTED]' : 'nil'}" \
+              " @impersonate_delegates=#{@impersonate_delegates.inspect}" \
+              " @impersonate_include_email=#{@impersonate_include_email.inspect}" \
+              " @impersonate_name=#{@impersonate_name.inspect}" \
+              " @target_audience=#{@target_audience.inspect}" \
+              '>'
+          else
+            "#<#{self.class.name}" \
+              " @access_token=#{@access_token ? '[REDACTED]' : 'nil'}" \
+              " @expires_at=#{expires_at.inspect}" \
+              " @impersonate_delegates=#{@impersonate_delegates.inspect}" \
+              " @impersonate_lifetime=#{@impersonate_lifetime.inspect}" \
+              " @impersonate_name=#{@impersonate_name.inspect}" \
+              '>'
+          end
         end
 
         private

data/lib/google/auth/extras/version.rb

@@ -3,7 +3,7 @@
 module Google
   module Auth
     module Extras
-      VERSION = '0.2.1'
+      VERSION = '0.3.0'
     end
   end
 end

data/lib/google/auth/extras.rb

@@ -4,6 +4,7 @@ require 'date'
 require 'google/apis/iamcredentials_v1'
 require 'signet/oauth_2/client'
 
+require 'google/auth/extras/identity_credential_refresh_patch'
 require 'google/auth/extras/impersonated_credential'
 require 'google/auth/extras/static_credential'
 require 'google/auth/extras/token_info'
@@ -22,6 +23,11 @@ module Google
       # A credential that impersonates a service account. For usage with the
       # older style GCP Ruby SDKs from the google-apis-* gems.
       #
+      # The `email_address` of the service account to impersonate may be the exact
+      # same as the one represented in `base_credentials` for any desired situation
+      # but a handy usage is for going from and access token to an ID token (aka
+      # using `target_audience`).
+      #
       # @param base_credentials [Hash, String, Signet::OAuth2::Client]
       #   Credentials to use to impersonate the provided email address.
       #
@@ -32,28 +38,46 @@ module Google
       # @param email_address [String]
       #   Email of the service account to impersonate.
       #
+      # @param include_email [Boolean]
+      #   Include the service account email in the token. If set to true, the token will
+      #   contain email and email_verified claims.
+      #   Only supported when using a target_audience.
+      #
       # @param lifetime [String]
       #   The desired lifetime (in seconds) of the token before needing to be refreshed.
       #   Defaults to 1h, adjust as needed given a refresh is automatically performed
       #   when the token less than 60s of remaining life and refresh requires an
       #   additional API call.
+      #   Only supported when not using a target_audience.
       #
       # @param scope [String, Array<String>]
-      #   The OAuth 2 scope(s) to request. Can either be formatted as a comma seperated string or array.
+      #   The OAuth 2 scopes to request. Can either be formatted as a comma seperated string or array.
+      #   Only supported when not using a target_audience.
       #
       # @return [Google::Auth::Extras::ImpersonatedCredential]
       #
       # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken
+      # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateIdToken
       # @see https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated#sa-credentials-permissions
       # @see https://developers.google.com/identity/protocols/oauth2/scopes
       #
-      def impersonated_authorization(email_address:, scope:, base_credentials: nil, delegate_email_addresses: nil, lifetime: nil)
+      def impersonated_authorization(
+        email_address:,
+        base_credentials: nil,
+        delegate_email_addresses: nil,
+        include_email: nil,
+        lifetime: nil,
+        scope: nil,
+        target_audience: nil
+      )
         ImpersonatedCredential.new(
           base_credentials: base_credentials,
           delegate_email_addresses: delegate_email_addresses,
           email_address: email_address,
+          include_email: include_email,
           lifetime: lifetime,
           scope: scope,
+          target_audience: target_audience,
         )
       end
 
@@ -70,29 +94,47 @@ module Google
       # @param email_address [String]
       #   Email of the service account to impersonate.
       #
+      # @param include_email [Boolean]
+      #   Include the service account email in the token. If set to true, the token will
+      #   contain email and email_verified claims.
+      #   Only supported when using a target_audience.
+      #
       # @param lifetime [String]
       #   The desired lifetime (in seconds) of the token before needing to be refreshed.
       #   Defaults to 1h, adjust as needed given a refresh is automatically performed
       #   when the token less than 60s of remaining life and refresh requires an
       #   additional API call.
+      #   Only supported when not using a target_audience.
       #
       # @param scope [String, Array<String>]
-      #   The OAuth 2 scope(s) to request. Can either be formatted as a comma seperated string or array.
+      #   The OAuth 2 scopes to request. Can either be formatted as a comma seperated string or array.
+      #   Only supported when not using a target_audience.
       #
       # @return [Google::Auth::Credential<Google::Auth::Extras::ImpersonatedCredential>]
       #
       # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken
+      # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateIdToken
       # @see https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated#sa-credentials-permissions
       # @see https://developers.google.com/identity/protocols/oauth2/scopes
       #
-      def impersonated_credential(email_address:, scope:, base_credentials: nil, delegate_email_addresses: nil, lifetime: nil)
+      def impersonated_credential(
+        email_address:,
+        base_credentials: nil,
+        delegate_email_addresses: nil,
+        include_email: nil,
+        lifetime: nil,
+        scope: nil,
+        target_audience: nil
+      )
         wrap_authorization(
           impersonated_authorization(
             base_credentials: base_credentials,
             delegate_email_addresses: delegate_email_addresses,
             email_address: email_address,
+            include_email: include_email,
             lifetime: lifetime,
             scope: scope,
+            target_audience: target_audience,
           ),
         )
       end
@@ -122,7 +164,7 @@ module Google
       end
 
       # Take an authorization and turn it into a credential, primarily used
-      # for setting up both the old and new style SDK.s
+      # for setting up both the old and new style SDKs.
       #
       # @param client [Signet::OAuth2::Client]
       #   Authorization credential to wrap.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth-extras
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.3.0
 platform: ruby
 authors:
 - Persona Identities
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-09-06 00:00:00.000000000 Z
+date: 2024-07-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -113,6 +113,7 @@ files:
 - bin/setup
 - googleauth-extras.gemspec
 - lib/google/auth/extras.rb
+- lib/google/auth/extras/identity_credential_refresh_patch.rb
 - lib/google/auth/extras/impersonated_credential.rb
 - lib/google/auth/extras/static_credential.rb
 - lib/google/auth/extras/token_info.rb