googleauth 0.1.0 → 0.16.1

data/spec/googleauth/service_account_spec.rb

@@ -27,116 +27,470 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-spec_dir = File.expand_path(File.join(File.dirname(__FILE__)))
-$LOAD_PATH.unshift(spec_dir)
+spec_dir = File.expand_path File.join(File.dirname(__FILE__))
+$LOAD_PATH.unshift spec_dir
 $LOAD_PATH.uniq!
 
-require 'apply_auth_examples'
-require 'fileutils'
-require 'googleauth/service_account'
-require 'jwt'
-require 'multi_json'
-require 'openssl'
-require 'spec_helper'
-require 'tmpdir'
+require "apply_auth_examples"
+require "fakefs/safe"
+require "fileutils"
+require "googleauth/service_account"
+require "jwt"
+require "multi_json"
+require "openssl"
+require "spec_helper"
+require "tmpdir"
+require "os"
+
+include Google::Auth::CredentialsLoader
+
+shared_examples "jwt header auth" do
+  context "when jwt_aud_uri is present" do
+    let(:test_uri) { "https://www.googleapis.com/myservice" }
+    let(:auth_prefix) { "Bearer " }
+    let(:auth_key) { ServiceAccountJwtHeaderCredentials::AUTH_METADATA_KEY }
+    let(:jwt_uri_key) { ServiceAccountJwtHeaderCredentials::JWT_AUD_URI_KEY }
+
+    def expect_is_encoded_jwt hdr
+      expect(hdr).to_not be_nil
+      expect(hdr.start_with?(auth_prefix)).to be true
+      authorization = hdr[auth_prefix.length..-1]
+      payload, = JWT.decode authorization, @key.public_key, true, algorithm: "RS256"
+      expect(payload["aud"]).to eq(test_uri)
+      expect(payload["iss"]).to eq(client_email)
+    end
+
+    describe "#apply!" do
+      it "should update the target hash with a jwt token" do
+        md = { foo: "bar" }
+        md[jwt_uri_key] = test_uri
+        @client.apply! md
+        auth_header = md[auth_key]
+        expect_is_encoded_jwt auth_header
+        expect(md[jwt_uri_key]).to be_nil
+      end
+    end
+
+    describe "updater_proc" do
+      it "should provide a proc that updates a hash with a jwt token" do
+        md = { foo: "bar" }
+        md[jwt_uri_key] = test_uri
+        the_proc = @client.updater_proc
+        got = the_proc.call md
+        auth_header = got[auth_key]
+        expect_is_encoded_jwt auth_header
+        expect(got[jwt_uri_key]).to be_nil
+        expect(md[jwt_uri_key]).to_not be_nil
+      end
+    end
+
+    describe "#apply" do
+      it "should not update the original hash with a jwt token" do
+        md = { foo: "bar" }
+        md[jwt_uri_key] = test_uri
+        the_proc = @client.updater_proc
+        got = the_proc.call md
+        auth_header = md[auth_key]
+        expect(auth_header).to be_nil
+        expect(got[jwt_uri_key]).to be_nil
+        expect(md[jwt_uri_key]).to_not be_nil
+      end
+
+      it "should add a jwt token to the returned hash" do
+        md = { foo: "bar" }
+        md[jwt_uri_key] = test_uri
+        got = @client.apply md
+        auth_header = got[auth_key]
+        expect_is_encoded_jwt auth_header
+      end
+    end
+  end
+end
 
 describe Google::Auth::ServiceAccountCredentials do
   ServiceAccountCredentials = Google::Auth::ServiceAccountCredentials
+  let(:client_email) { "app@developer.gserviceaccount.com" }
+  let :cred_json do
+    {
+      private_key_id:   "a_private_key_id",
+      private_key:      @key.to_pem,
+      client_email:     client_email,
+      client_id:        "app.apps.googleusercontent.com",
+      type:             "service_account",
+      project_id:       "a_project_id",
+      quota_project_id: "b_project_id"
+    }
+  end
 
-  before(:example) do
-    @key = OpenSSL::PKey::RSA.new(2048)
-    @client = ServiceAccountCredentials.new(
-        'https://www.googleapis.com/auth/userinfo.profile',
-        StringIO.new(cred_json_text))
+  before :example do
+    @key = OpenSSL::PKey::RSA.new 2048
+    @client = ServiceAccountCredentials.make_creds(
+      json_key_io: StringIO.new(cred_json_text),
+      scope:       "https://www.googleapis.com/auth/userinfo.profile"
+    )
+    @id_client = ServiceAccountCredentials.make_creds(
+      json_key_io:     StringIO.new(cred_json_text),
+      target_audience: "https://pubsub.googleapis.com/"
+    )
   end
 
-  def make_auth_stubs(access_token: '')
-    Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post('/oauth2/v3/token') do |env|
-        params = Addressable::URI.form_unencode(env[:body])
-        _claim, _header = JWT.decode(params.assoc('assertion').last,
-                                     @key.public_key)
-        want = ['grant_type', 'urn:ietf:params:oauth:grant-type:jwt-bearer']
-        expect(params.assoc('grant_type')).to eq(want)
-        build_access_token_json(access_token)
-      end
+  def make_auth_stubs opts
+    body_fields = { "token_type" => "Bearer", "expires_in" => 3600 }
+    body_fields["access_token"] = opts[:access_token] if opts[:access_token]
+    body_fields["id_token"] = opts[:id_token] if opts[:id_token]
+    body = MultiJson.dump body_fields
+    blk = proc do |request|
+      params = Addressable::URI.form_unencode request.body
+      claim, _header = JWT.decode(params.assoc("assertion").last,
+                                  @key.public_key, true,
+                                  algorithm: "RS256")
+      !opts[:id_token] || claim["target_audience"] == "https://pubsub.googleapis.com/"
     end
+    stub_request(:post, "https://www.googleapis.com/oauth2/v4/token")
+      .with(body: hash_including(
+        "grant_type" => "urn:ietf:params:oauth:grant-type:jwt-bearer"
+      ), &blk)
+      .to_return(body:    body,
+                 status:  200,
+                 headers: { "Content-Type" => "application/json" })
   end
 
   def cred_json_text
-    cred_json = {
-      private_key_id: 'a_private_key_id',
-      private_key: @key.to_pem,
-      client_email: 'app@developer.gserviceaccount.com',
-      client_id: 'app.apps.googleusercontent.com',
-      type: 'service_account'
-    }
-    MultiJson.dump(cred_json)
+    MultiJson.dump cred_json
+  end
+
+  it_behaves_like "apply/apply! are OK"
+
+  context "when scope is nil" do
+    before :example do
+      @client.scope = nil
+    end
+
+    it_behaves_like "jwt header auth"
+  end
+
+  context "when enable_self_signed_jwt is set" do
+    before :example do
+      @client.instance_variable_set(:@enable_self_signed_jwt, true)
+    end
+
+    it_behaves_like "jwt header auth"
   end
 
-  it_behaves_like 'apply/apply! are OK'
+  describe "#from_env" do
+    before :example do
+      @var_name = ENV_VAR
+      @credential_vars = [
+        ENV_VAR, PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR, ACCOUNT_TYPE_VAR
+      ]
+      @original_env_vals = {}
+      @credential_vars.each { |var| @original_env_vals[var] = ENV[var] }
+      ENV[ACCOUNT_TYPE_VAR] = cred_json[:type]
 
-  describe '#from_env' do
-    before(:example) do
-      @var_name = ServiceAccountCredentials::ENV_VAR
-      @orig = ENV[@var_name]
-      @scope = 'https://www.googleapis.com/auth/userinfo.profile'
+      @scope = "https://www.googleapis.com/auth/userinfo.profile"
+      @clz = ServiceAccountCredentials
     end
 
-    after(:example) do
-      ENV[@var_name] = @orig unless @orig.nil?
+    after :example do
+      @credential_vars.each { |var| ENV[var] = @original_env_vals[var] }
     end
 
-    it 'returns nil if the GOOGLE_APPLICATION_CREDENTIALS is unset' do
-      ENV.delete(@var_name) unless ENV[@var_name].nil?
+    it "returns nil if the GOOGLE_APPLICATION_CREDENTIALS is unset" do
+      ENV.delete @var_name unless ENV[@var_name].nil?
       expect(ServiceAccountCredentials.from_env(@scope)).to be_nil
     end
 
-    it 'fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist' do
-      ENV.delete(@var_name) unless ENV[@var_name].nil?
+    it "returns nil if the GOOGLE_APPLICATION_CREDENTIALS is empty" do
+      ENV[@var_name] = ""
+      expect(ServiceAccountCredentials.from_env(@scope)).to be_nil
+    end
+
+    it "fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist" do
+      ENV.delete @var_name unless ENV[@var_name].nil?
       expect(ServiceAccountCredentials.from_env(@scope)).to be_nil
       Dir.mktmpdir do |dir|
-        key_path = File.join(dir, 'does-not-exist')
+        key_path = File.join dir, "does-not-exist"
         ENV[@var_name] = key_path
-        expect { sac.from_env(@scope) }.to raise_error
+        expect { @clz.from_env @scope }.to raise_error RuntimeError
       end
     end
 
-    it 'succeeds when the GOOGLE_APPLICATION_CREDENTIALS file is valid' do
-      sac = ServiceAccountCredentials  # shortens name
+    it "succeeds when the GOOGLE_APPLICATION_CREDENTIALS file is valid" do
       Dir.mktmpdir do |dir|
-        key_path = File.join(dir, 'my_cert_file')
-        FileUtils.mkdir_p(File.dirname(key_path))
-        File.write(key_path, cred_json_text)
+        key_path = File.join dir, "my_cert_file"
+        FileUtils.mkdir_p File.dirname(key_path)
+        File.write key_path, cred_json_text
         ENV[@var_name] = key_path
-        expect(sac.from_env(@scope)).to_not be_nil
+        expect(@clz.from_env(@scope)).to_not be_nil
       end
     end
+
+    it "succeeds when GOOGLE_PRIVATE_KEY and GOOGLE_CLIENT_EMAIL env vars are"\
+      " valid" do
+      ENV[PRIVATE_KEY_VAR] = cred_json[:private_key]
+      ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
+      expect(@clz.from_env(@scope)).to_not be_nil
+    end
+
+    it "sets project_id when the PROJECT_ID_VAR env var is set" do
+      ENV[PRIVATE_KEY_VAR] = cred_json[:private_key]
+      ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
+      ENV[PROJECT_ID_VAR] = cred_json[:project_id]
+      ENV[ENV_VAR] = nil
+      credentials = @clz.from_env @scope
+      expect(credentials.project_id).to eq(cred_json[:project_id])
+    end
+
+    it "succeeds when GOOGLE_PRIVATE_KEY is escaped" do
+      escaped_key = cred_json[:private_key].gsub "\n", '\n'
+      ENV[PRIVATE_KEY_VAR] = "\"#{escaped_key}\""
+      ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
+      expect(@clz.from_env(@scope)).to_not be_nil
+    end
+
+    it "propagates default_connection option" do
+      ENV[PRIVATE_KEY_VAR] = cred_json[:private_key]
+      ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
+      connection = Faraday.new headers: { "User-Agent" => "hello" }
+      creds = @clz.from_env @scope, default_connection: connection
+      expect(creds.build_default_connection).to be connection
+    end
   end
 
-  describe '#from_well_known_path' do
-    before(:example) do
-      @home = ENV['HOME']
-      @scope = 'https://www.googleapis.com/auth/userinfo.profile'
+  describe "#from_well_known_path" do
+    before :example do
+      @home = ENV["HOME"]
+      @app_data = ENV["APPDATA"]
+      @scope = "https://www.googleapis.com/auth/userinfo.profile"
+      @known_path = WELL_KNOWN_PATH
+      @clz = ServiceAccountCredentials
     end
 
-    after(:example) do
-      ENV['HOME'] = @home unless @home == ENV['HOME']
+    after :example do
+      ENV["HOME"] = @home unless @home == ENV["HOME"]
+      ENV["APPDATA"] = @app_data unless @app_data == ENV["APPDATA"]
     end
 
-    it 'is nil if no file exists' do
-      ENV['HOME'] = File.dirname(__FILE__)
+    it "is nil if no file exists" do
+      ENV["HOME"] = File.dirname __FILE__
       expect(ServiceAccountCredentials.from_well_known_path(@scope)).to be_nil
     end
 
-    it 'successfully loads the file when it is present' do
-      sac = ServiceAccountCredentials  # shortens name
+    it "successfully loads the file when it is present" do
+      Dir.mktmpdir do |dir|
+        key_path = File.join dir, ".config", @known_path
+        key_path = File.join dir, WELL_KNOWN_PATH if OS.windows?
+        FileUtils.mkdir_p File.dirname(key_path)
+        File.write key_path, cred_json_text
+        ENV["HOME"] = dir
+        ENV["APPDATA"] = dir
+        expect(@clz.from_well_known_path(@scope)).to_not be_nil
+      end
+    end
+
+    it "successfully sets project_id when file is present" do
+      Dir.mktmpdir do |dir|
+        key_path = File.join dir, ".config", @known_path
+        key_path = File.join dir, WELL_KNOWN_PATH if OS.windows?
+        FileUtils.mkdir_p File.dirname(key_path)
+        File.write key_path, cred_json_text
+        ENV["HOME"] = dir
+        ENV["APPDATA"] = dir
+        credentials = @clz.from_well_known_path @scope
+        expect(credentials.project_id).to eq(cred_json[:project_id])
+        expect(credentials.quota_project_id).to eq(cred_json[:quota_project_id])
+      end
+    end
+
+    it "propagates default_connection option" do
+      Dir.mktmpdir do |dir|
+        key_path = File.join dir, ".config", @known_path
+        key_path = File.join dir, WELL_KNOWN_PATH if OS.windows?
+        FileUtils.mkdir_p File.dirname(key_path)
+        File.write key_path, cred_json_text
+        ENV["HOME"] = dir
+        ENV["APPDATA"] = dir
+        connection = Faraday.new headers: { "User-Agent" => "hello" }
+        creds = @clz.from_well_known_path @scope, default_connection: connection
+        expect(creds.build_default_connection).to be connection
+      end
+    end
+  end
+
+  describe "#from_system_default_path" do
+    before :example do
+      @scope = "https://www.googleapis.com/auth/userinfo.profile"
+      @program_data = ENV["ProgramData"]
+      @prefix = OS.windows? ? "/etc/Google/Auth/" : "/etc/google/auth/"
+      @path = File.join @prefix, CREDENTIALS_FILE_NAME
+      @clz = ServiceAccountCredentials
+    end
+
+    after :example do
+      ENV["ProgramData"] = @program_data
+    end
+
+    it "is nil if no file exists" do
+      FakeFS do
+        expect(ServiceAccountCredentials.from_system_default_path(@scope))
+          .to be_nil
+      end
+    end
+
+    it "successfully loads the file when it is present" do
+      FakeFS do
+        ENV["ProgramData"] = "/etc"
+        FileUtils.mkdir_p File.dirname(@path)
+        File.write @path, cred_json_text
+        expect(@clz.from_system_default_path(@scope)).to_not be_nil
+        File.delete @path
+      end
+    end
+
+    it "propagates default_connection option" do
+      FakeFS do
+        ENV["ProgramData"] = "/etc"
+        FileUtils.mkdir_p File.dirname(@path)
+        File.write @path, cred_json_text
+        connection = Faraday.new headers: { "User-Agent" => "hello" }
+        creds = @clz.from_system_default_path @scope, default_connection: connection
+        expect(creds.build_default_connection).to be connection
+        File.delete @path
+      end
+    end
+  end
+end
+
+describe Google::Auth::ServiceAccountJwtHeaderCredentials do
+  ServiceAccountJwtHeaderCredentials =
+    Google::Auth::ServiceAccountJwtHeaderCredentials
+
+  let(:client_email) { "app@developer.gserviceaccount.com" }
+  let(:clz) { Google::Auth::ServiceAccountJwtHeaderCredentials }
+  let :cred_json do
+    {
+      private_key_id: "a_private_key_id",
+      private_key:    @key.to_pem,
+      client_email:   client_email,
+      client_id:      "app.apps.googleusercontent.com",
+      type:           "service_account",
+      project_id:     "a_project_id"
+    }
+  end
+
+  before :example do
+    @key = OpenSSL::PKey::RSA.new 2048
+    @client = clz.make_creds json_key_io: StringIO.new(cred_json_text)
+  end
+
+  def cred_json_text
+    MultiJson.dump cred_json
+  end
+
+  it_behaves_like "jwt header auth"
+
+  describe "#from_env" do
+    before :example do
+      @var_name = ENV_VAR
+      @credential_vars = [
+        ENV_VAR, PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR, ACCOUNT_TYPE_VAR
+      ]
+      @original_env_vals = {}
+      @credential_vars.each { |var| @original_env_vals[var] = ENV[var] }
+      ENV[ACCOUNT_TYPE_VAR] = cred_json[:type]
+    end
+
+    after :example do
+      @credential_vars.each { |var| ENV[var] = @original_env_vals[var] }
+    end
+
+    it "returns nil if the GOOGLE_APPLICATION_CREDENTIALS is unset" do
+      ENV.delete @var_name unless ENV[@var_name].nil?
+      expect(clz.from_env).to be_nil
+    end
+
+    it "returns nil if the GOOGLE_APPLICATION_CREDENTIALS is empty" do
+      ENV[@var_name] = ""
+      expect(clz.from_env).to be_nil
+    end
+
+    it "fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist" do
+      ENV.delete @var_name unless ENV[@var_name].nil?
+      expect(clz.from_env).to be_nil
+      Dir.mktmpdir do |dir|
+        key_path = File.join dir, "does-not-exist"
+        ENV[@var_name] = key_path
+        expect { clz.from_env }.to raise_error RuntimeError
+      end
+    end
+
+    it "succeeds when the GOOGLE_APPLICATION_CREDENTIALS file is valid" do
+      Dir.mktmpdir do |dir|
+        key_path = File.join dir, "my_cert_file"
+        FileUtils.mkdir_p File.dirname(key_path)
+        File.write key_path, cred_json_text
+        ENV[@var_name] = key_path
+        expect(clz.from_env).to_not be_nil
+      end
+    end
+
+    it "succeeds when GOOGLE_PRIVATE_KEY and GOOGLE_CLIENT_EMAIL env vars are"\
+      " valid" do
+      ENV[PRIVATE_KEY_VAR] = cred_json[:private_key]
+      ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
+      expect(clz.from_env(@scope)).to_not be_nil
+    end
+
+    it "sets project_id when the PROJECT_ID_VAR env var is set" do
+      ENV[PRIVATE_KEY_VAR] = cred_json[:private_key]
+      ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
+      ENV[PROJECT_ID_VAR] = cred_json[:project_id]
+      ENV[ENV_VAR] = nil
+      credentials = clz.from_env @scope
+      expect(credentials).to_not be_nil
+      expect(credentials.project_id).to eq(cred_json[:project_id])
+    end
+  end
+
+  describe "#from_well_known_path" do
+    before :example do
+      @home = ENV["HOME"]
+      @app_data = ENV["APPDATA"]
+    end
+
+    after :example do
+      ENV["HOME"] = @home unless @home == ENV["HOME"]
+      ENV["APPDATA"] = @app_data unless @app_data == ENV["APPDATA"]
+    end
+
+    it "is nil if no file exists" do
+      ENV["HOME"] = File.dirname __FILE__
+      expect(clz.from_well_known_path).to be_nil
+    end
+
+    it "successfully loads the file when it is present" do
+      Dir.mktmpdir do |dir|
+        key_path = File.join dir, ".config", WELL_KNOWN_PATH
+        key_path = File.join dir, WELL_KNOWN_PATH if OS.windows?
+        FileUtils.mkdir_p File.dirname(key_path)
+        File.write key_path, cred_json_text
+        ENV["HOME"] = dir
+        ENV["APPDATA"] = dir
+        expect(clz.from_well_known_path).to_not be_nil
+      end
+    end
+
+    it "successfully sets project_id when file is present" do
       Dir.mktmpdir do |dir|
-        key_path = File.join(dir, '.config', sac::WELL_KNOWN_PATH)
-        FileUtils.mkdir_p(File.dirname(key_path))
-        File.write(key_path, cred_json_text)
-        ENV['HOME'] = dir
-        expect(sac.from_well_known_path(@scope)).to_not be_nil
+        key_path = File.join dir, ".config", WELL_KNOWN_PATH
+        key_path = File.join dir, WELL_KNOWN_PATH if OS.windows?
+        FileUtils.mkdir_p File.dirname(key_path)
+        File.write key_path, cred_json_text
+        ENV["HOME"] = dir
+        ENV["APPDATA"] = dir
+        credentials = clz.from_well_known_path @scope
+        expect(credentials.project_id).to eq(cred_json[:project_id])
+        expect(credentials.quota_project_id).to be_nil
       end
     end
   end