googleauth-extras 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 29ad90b986d4915e183e4592f58eedff84badd6ee70900337981d3173f0c64b2
-  data.tar.gz: 0c69256ea700526a9891d9434338954fec778d99b6f3c927654739dd690f03dd
+  metadata.gz: 5ef5e7a09636bad627874135bfa0c1f020eace2016a31aaf8952a70b01465593
+  data.tar.gz: 77d1fd18df712dbf3dd6620c4d3e2dfdcd0ced4872e6ebea6f05340cc8bf28f3
 SHA512:
-  metadata.gz: 9b3de1122f1a208f337134b30023fef63eb171c5ad3c888a8cc0cb81bc72aa5ae0d476f1c22ff659d4ce4637795ffff5ae1a5e07eee64dd68f9a5f887e9f02bb
-  data.tar.gz: 7eb79ba62b30a7b7a5cc2bab1d00f1079d19f57fd99df98ad52fec2d46d5e77eae781ddb50960c1832e77462e6b2e9d4c729e860db25610b2014432df6505f0d
+  metadata.gz: 9dbab8990a50ddcea8df7e25aa651c294005bf9827c2b3729d77dc07df601384ece65af0acec8eeda7337a9c0fc358f8b9540e3fdde074cd718a496994bd26b9
+  data.tar.gz: 0e7aed934ce2b0e42f7e96e48ceca7866c81216e67a97b3e59f4027c298040c603e2c3a01e601914e8b33a97fb7c7457d52b70412a66f0bb2446b8a390cb8607

data/.github/workflows/ci.yml

@@ -14,10 +14,10 @@ jobs:
       fail-fast: false
       matrix:
         ruby:
-          - '2.7'
-          - '3.0'
           - '3.1'
           - '3.2'
+          - '3.3'
+          - '3.4'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Release History
 
+0.5.0
+----------
+
+- Support signed JWT credentials. ([#14](https://github.com/persona-id/googleauth-extras/pull/14))
+
+- Drop support for Ruby 2.7 & 3.0, update test dependencies. ([#15](https://github.com/persona-id/googleauth-extras/pull/15))
+
 0.4.0
 ----------
 

data/Gemfile

@@ -5,12 +5,12 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in googleauth-extras.gemspec
 gemspec
 
-gem 'google-cloud-storage', '~> 1.44'
+gem 'google-cloud-storage', '~> 1.55'
 
-gem 'pry-byebug', '~> 3.10'
-gem 'rake', '~> 12.0'
-gem 'rspec', '~> 3.0'
-gem 'rubocop', '~> 1.45'
-gem 'rubocop-rspec', '~> 2.18'
-gem 'timecop', '~> 0.9.6'
-gem 'webmock', '~> 3.18'
+gem 'pry-byebug', '~> 3.11'
+gem 'rake', '~> 13.2'
+gem 'rspec', '~> 3.13'
+gem 'rubocop', '~> 1.75'
+gem 'rubocop-rspec', '~> 3.5'
+gem 'timecop', '~> 0.9.10'
+gem 'webmock', '~> 3.25'

data/googleauth-extras.gemspec

@@ -12,7 +12,7 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'https://github.com/persona-id/googleauth-extras'
   spec.license       = 'MIT'
 
-  spec.required_ruby_version = Gem::Requirement.new('>= 2.7.0')
+  spec.required_ruby_version = Gem::Requirement.new('>= 3.1.0')
 
   spec.metadata['allowed_push_host']     = 'https://rubygems.org'
   spec.metadata['rubygems_mfa_required'] = 'true'

data/lib/google/auth/extras/service_account_jwt_credential.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+module Google
+  module Auth
+    module Extras
+      # This credential issues JWTs signed a service account.
+      class ServiceAccountJWTCredential < Signet::OAuth2::Client
+        include IdentityCredentialRefreshPatch
+
+        # A credential that obtains a signed JWT from Google for a service account.
+        #
+        # @param base_credentials [Hash, String, Signet::OAuth2::Client]
+        #   Credentials to use to sign the JWTs.
+        #
+        # @param delegate_email_addresses [String, Array<String>]
+        #   The email addresses (if any) of intermediate service accounts to reach
+        #   the +email_address+ from +base_credentials+.
+        #
+        # @param email_address [String]
+        #   Email of the service account to sign the JWT.
+        #
+        # @param issuer [String]
+        #   The desired value of the iss field on the issued JWT. Defaults to the email_address.
+        #
+        # @param lifetime [Integers]
+        #   The desired lifetime (in seconds) of the JWT before needing to be refreshed.
+        #   Defaults to 3600 (1h), adjust as needed given a refresh is automatically
+        #   performed when the token less than 60s of remaining life and refresh requires
+        #   an additional API call.
+        #
+        # @param subject [String]
+        #   The desired value of the sub field on the issued JWT. Defaults to the email_address.
+        #
+        # @param target_audience [String]
+        #   The audience for the token, such as the API or account that this token grants access to.
+        #
+        # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt
+        # @see https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated#sa-credentials-permissions
+        #
+        def initialize(
+          email_address:,
+          target_audience:,
+          base_credentials: nil,
+          delegate_email_addresses: nil,
+          issuer: nil,
+          lifetime: 3600,
+          subject: nil
+        )
+          super(client_id: target_audience, target_audience: target_audience)
+
+          @iam_credentials_service = Google::Apis::IamcredentialsV1::IAMCredentialsService.new.tap do |ics|
+            ics.authorization = base_credentials if base_credentials
+          end
+
+          @jwt_issuer = issuer || email_address
+          @jwt_lifetime = lifetime
+          @jwt_subject = subject || email_address
+
+          @sa_delegates = Array(delegate_email_addresses).map do |email|
+            transform_email_to_name(email)
+          end
+
+          @sa_name = transform_email_to_name(email_address)
+        end
+
+        def fetch_access_token(*)
+          now = Time.now.to_i
+
+          request = Google::Apis::IamcredentialsV1::SignJwtRequest.new(
+            payload: JSON.dump(
+              aud: target_audience,
+              exp: now + @jwt_lifetime,
+              iat: now,
+              iss: @jwt_issuer,
+              sub: @jwt_subject,
+            ),
+          )
+
+          # The Google SDK doesn't like nil repeated values, but be careful with others as well.
+          request.delegates = @sa_delegates unless @sa_delegates.empty?
+
+          response = @iam_credentials_service.sign_service_account_jwt(@sa_name, request)
+
+          {
+            id_token: response.signed_jwt,
+          }
+        end
+
+        def inspect
+          "#<#{self.class.name}" \
+            " @expires_at=#{expires_at.inspect}" \
+            " @id_token=#{@id_token ? '[REDACTED]' : 'nil'}" \
+            " @jwt_issuer=#{@jwt_issuer.inspect}" \
+            " @jwt_lifetime=#{@jwt_lifetime.inspect}" \
+            " @jwt_subject=#{@jwt_subject.inspect}" \
+            " @sa_delegates=#{@sa_delegates.inspect}" \
+            " @sa_name=#{@sa_name.inspect}" \
+            " @target_audience=#{@target_audience.inspect}" \
+            '>'
+        end
+
+        private
+
+        def transform_email_to_name(email)
+          "projects/-/serviceAccounts/#{email}"
+        end
+      end
+    end
+  end
+end

data/lib/google/auth/extras/version.rb

@@ -3,7 +3,7 @@
 module Google
   module Auth
     module Extras
-      VERSION = '0.4.0'
+      VERSION = '0.5.0'
     end
   end
 end

data/lib/google/auth/extras.rb

@@ -6,6 +6,7 @@ require 'signet/oauth_2/client'
 
 require 'google/auth/extras/identity_credential_refresh_patch'
 require 'google/auth/extras/impersonated_credential'
+require 'google/auth/extras/service_account_jwt_credential'
 require 'google/auth/extras/static_credential'
 require 'google/auth/extras/token_info'
 require 'google/auth/extras/version'
@@ -151,6 +152,116 @@ module Google
         )
       end
 
+      # A credential that obtains a signed JWT from Google for a service account.
+      # For usage with the older style GCP Ruby SDKs from the google-apis-* gems.
+      # Also useful for calling IAP-protected endpoints using the Google-managed
+      # OAuth client.
+      #
+      # @param base_credentials [Hash, String, Signet::OAuth2::Client]
+      #   Credentials to use to sign the JWTs.
+      #
+      # @param delegate_email_addresses [String, Array<String>]
+      #   The email addresses (if any) of intermediate service accounts to reach
+      #   the +email_address+ from +base_credentials+.
+      #
+      # @param email_address [String]
+      #   Email of the service account to sign the JWT.
+      #
+      # @param issuer [String]
+      #   The desired value of the iss field on the issued JWT. Defaults to the email_address.
+      #
+      # @param lifetime [Integers]
+      #   The desired lifetime (in seconds) of the JWT before needing to be refreshed.
+      #   Defaults to 3600 (1h), adjust as needed given a refresh is automatically
+      #   performed when the token less than 60s of remaining life and refresh requires
+      #   an additional API call.
+      #
+      # @param subject [String]
+      #   The desired value of the sub field on the issued JWT. Defaults to the email_address.
+      #
+      # @param target_audience [String]
+      #   The audience for the token, such as the API or account that this token grants access to.
+      #
+      # @return [Google::Auth::Extras::ServiceAccountJWTCredential]
+      #
+      # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt
+      # @see https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated#sa-credentials-permissions
+      #
+      def service_account_jwt_authorization(
+        email_address:,
+        target_audience:,
+        base_credentials: nil,
+        delegate_email_addresses: nil,
+        issuer: nil,
+        lifetime: 3600,
+        subject: nil
+      )
+        ServiceAccountJWTCredential.new(
+          base_credentials: base_credentials,
+          delegate_email_addresses: delegate_email_addresses,
+          email_address: email_address,
+          issuer: issuer,
+          lifetime: lifetime,
+          subject: subject,
+          target_audience: target_audience,
+        )
+      end
+
+      # A credential that obtains a signed JWT from Google for a service account.
+      # For usage with the newer style GCP Ruby SDKs from the google-cloud-* gems.
+      #
+      # @param base_credentials [Hash, String, Signet::OAuth2::Client]
+      #   Credentials to use to sign the JWTs.
+      #
+      # @param delegate_email_addresses [String, Array<String>]
+      #   The email addresses (if any) of intermediate service accounts to reach
+      #   the +email_address+ from +base_credentials+.
+      #
+      # @param email_address [String]
+      #   Email of the service account to sign the JWT.
+      #
+      # @param issuer [String]
+      #   The desired value of the iss field on the issued JWT. Defaults to the email_address.
+      #
+      # @param lifetime [Integers]
+      #   The desired lifetime (in seconds) of the JWT before needing to be refreshed.
+      #   Defaults to 3600 (1h), adjust as needed given a refresh is automatically
+      #   performed when the token less than 60s of remaining life and refresh requires
+      #   an additional API call.
+      #
+      # @param subject [String]
+      #   The desired value of the sub field on the issued JWT. Defaults to the email_address.
+      #
+      # @param target_audience [String]
+      #   The audience for the token, such as the API or account that this token grants access to.
+      #
+      # @return [Google::Auth::Extras::ServiceAccountJWTCredential]
+      #
+      # @see https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt
+      # @see https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated#sa-credentials-permissions
+      #
+      def service_account_jwt_credential(
+        email_address:,
+        target_audience:,
+        base_credentials: nil,
+        delegate_email_addresses: nil,
+        issuer: nil,
+        lifetime: 3600,
+        subject: nil
+      )
+        wrap_authorization(
+          service_account_jwt_authorization(
+            base_credentials: base_credentials,
+            delegate_email_addresses: delegate_email_addresses,
+            email_address: email_address,
+            issuer: issuer,
+            lifetime: lifetime,
+            subject: subject,
+            target_audience: target_audience,
+          ),
+        )
+      end
+
       # A credential using a static access token. For usage with the older
       # style GCP Ruby SDKs from the google-apis-* gems.
       #

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth-extras
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Persona Identities
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-08-06 00:00:00.000000000 Z
+date: 2025-04-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -92,7 +92,7 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: 0.19.0
-description: 
+description:
 email:
 - alex.coomans@withpersona.com
 executables: []
@@ -115,6 +115,7 @@ files:
 - lib/google/auth/extras.rb
 - lib/google/auth/extras/identity_credential_refresh_patch.rb
 - lib/google/auth/extras/impersonated_credential.rb
+- lib/google/auth/extras/service_account_jwt_credential.rb
 - lib/google/auth/extras/static_credential.rb
 - lib/google/auth/extras/token_info.rb
 - lib/google/auth/extras/version.rb
@@ -128,7 +129,7 @@ metadata:
   homepage_uri: https://github.com/persona-id/googleauth-extras
   source_code_uri: https://github.com/persona-id/googleauth-extras
   changelog_uri: https://github.com/persona-id/googleauth-extras/blob/main/CHANGELOG.md
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -136,15 +137,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 3.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
-signing_key: 
+rubygems_version: 3.3.27
+signing_key:
 specification_version: 4
 summary: Additions to the googleauth gem for unsupported authentication schemes.
 test_files: []