googleauth 0.1.0 → 0.16.1

data/lib/googleauth/id_tokens/verifier.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+# Copyright 2020 Google LLC
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "jwt"
+
+module Google
+  module Auth
+    module IDTokens
+      ##
+      # An object that can verify ID tokens.
+      #
+      # A verifier maintains a set of default settings, including the key
+      # source and fields to verify. However, individual verification calls can
+      # override any of these settings.
+      #
+      class Verifier
+        ##
+        # Create a verifier.
+        #
+        # @param key_source [key source] The default key source to use. All
+        #     verification calls must have a key source, so if no default key
+        #     source is provided here, then calls to {#verify} _must_ provide
+        #     a key source.
+        # @param aud [String,nil] The default audience (`aud`) check, or `nil`
+        #     for no check.
+        # @param azp [String,nil] The default authorized party (`azp`) check,
+        #     or `nil` for no check.
+        # @param iss [String,nil] The default issuer (`iss`) check, or `nil`
+        #     for no check.
+        #
+        def initialize key_source: nil,
+                       aud:        nil,
+                       azp:        nil,
+                       iss:        nil
+          @key_source = key_source
+          @aud = aud
+          @azp = azp
+          @iss = iss
+        end
+
+        ##
+        # Verify the given token.
+        #
+        # @param token [String] the ID token to verify.
+        # @param key_source [key source] If given, override the key source.
+        # @param aud [String,nil] If given, override the `aud` check.
+        # @param azp [String,nil] If given, override the `azp` check.
+        # @param iss [String,nil] If given, override the `iss` check.
+        #
+        # @return [Hash] the decoded payload, if verification succeeded.
+        # @raise [KeySourceError] if the key source failed to obtain public keys
+        # @raise [VerificationError] if the token verification failed.
+        #     Additional data may be available in the error subclass and message.
+        #
+        def verify token,
+                   key_source: :default,
+                   aud:        :default,
+                   azp:        :default,
+                   iss:        :default
+          key_source = @key_source if key_source == :default
+          aud = @aud if aud == :default
+          azp = @azp if azp == :default
+          iss = @iss if iss == :default
+
+          raise KeySourceError, "No key sources" unless key_source
+          keys = key_source.current_keys
+          payload = decode_token token, keys, aud, azp, iss
+          unless payload
+            keys = key_source.refresh_keys
+            payload = decode_token token, keys, aud, azp, iss
+          end
+          raise SignatureError, "Token not verified as issued by Google" unless payload
+          payload
+        end
+
+        private
+
+        def decode_token token, keys, aud, azp, iss
+          payload = nil
+          keys.find do |key|
+            options = { algorithms: key.algorithm }
+            decoded_token = JWT.decode token, key.key, true, options
+            payload = decoded_token.first
+          rescue JWT::ExpiredSignature
+            raise ExpiredTokenError, "Token signature is expired"
+          rescue JWT::DecodeError
+            nil # Try the next key
+          end
+
+          normalize_and_verify_payload payload, aud, azp, iss
+        end
+
+        def normalize_and_verify_payload payload, aud, azp, iss
+          return nil unless payload
+
+          # Map the legacy "cid" claim to the canonical "azp"
+          payload["azp"] ||= payload["cid"] if payload.key? "cid"
+
+          # Payload content validation
+          if aud && (Array(aud) & Array(payload["aud"])).empty?
+            raise AudienceMismatchError, "Token aud mismatch: #{payload['aud']}"
+          end
+          if azp && (Array(azp) & Array(payload["azp"])).empty?
+            raise AuthorizedPartyMismatchError, "Token azp mismatch: #{payload['azp']}"
+          end
+          if iss && (Array(iss) & Array(payload["iss"])).empty?
+            raise IssuerMismatchError, "Token iss mismatch: #{payload['iss']}"
+          end
+
+          payload
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/json_key_reader.rb

@@ -0,0 +1,50 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # JsonKeyReader contains the behaviour used to read private key and
+    # client email fields from the service account
+    module JsonKeyReader
+      def read_json_key json_key_io
+        json_key = MultiJson.load json_key_io.read
+        raise "missing client_email" unless json_key.key? "client_email"
+        raise "missing private_key" unless json_key.key? "private_key"
+        [
+          json_key["private_key"],
+          json_key["client_email"],
+          json_key["project_id"],
+          json_key["quota_project_id"]
+        ]
+      end
+    end
+  end
+end

data/lib/googleauth/scope_util.rb

@@ -0,0 +1,61 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "googleauth/signet"
+require "googleauth/credentials_loader"
+require "multi_json"
+
+module Google
+  module Auth
+    # Small utility for normalizing scopes into canonical form
+    module ScopeUtil
+      ALIASES = {
+        "email"   => "https://www.googleapis.com/auth/userinfo.email",
+        "profile" => "https://www.googleapis.com/auth/userinfo.profile",
+        "openid"  => "https://www.googleapis.com/auth/plus.me"
+      }.freeze
+
+      def self.normalize scope
+        list = as_array scope
+        list.map { |item| ALIASES[item] || item }
+      end
+
+      def self.as_array scope
+        case scope
+        when Array
+          scope
+        when String
+          scope.split
+        else
+          raise "Invalid scope value. Must be string or array"
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/service_account.rb

@@ -27,91 +27,199 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'googleauth/signet'
-require 'memoist'
-require 'multi_json'
-require 'openssl'
-require 'rbconfig'
-
-# Reads the private key and client email fields from service account JSON key.
-def read_json_key(json_key_io)
-  json_key = MultiJson.load(json_key_io.read)
-  fail 'missing client_email' unless json_key.key?('client_email')
-  fail 'missing private_key' unless json_key.key?('private_key')
-  [json_key['private_key'], json_key['client_email']]
-end
+require "googleauth/signet"
+require "googleauth/credentials_loader"
+require "googleauth/json_key_reader"
+require "jwt"
+require "multi_json"
+require "stringio"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    # Authenticates requests using Google's Service Account credentials.
+    # Authenticates requests using Google's Service Account credentials via an
+    # OAuth access token.
     #
     # This class allows authorizing requests for service accounts directly
     # from credentials from a json key file downloaded from the developer
     # console (via 'Generate new Json Key').
     #
-    # cf [Application Default Credentials](http://goo.gl/mkAHpZ)
+    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
     class ServiceAccountCredentials < Signet::OAuth2::Client
-      ENV_VAR = 'GOOGLE_APPLICATION_CREDENTIALS'
-      NOT_FOUND_ERROR =
-        "Unable to read the credential file specified by #{ENV_VAR}"
-      TOKEN_CRED_URI = 'https://www.googleapis.com/oauth2/v3/token'
-      WELL_KNOWN_PATH = 'gcloud/application_default_credentials.json'
-      WELL_KNOWN_ERROR = 'Unable to read the default credential file'
-
-      class << self
-        extend Memoist
-
-        # determines if the current OS is windows
-        def windows?
-          RbConfig::CONFIG['host_os'] =~ /Windows|mswin/
-        end
-        memoize :windows?
-
-        # Creates an instance from the path specified in an environment
-        # variable.
-        #
-        # @param scope [string|array] the scope(s) to access
-        def from_env(scope)
-          return nil unless ENV.key?(ENV_VAR)
-          path = ENV[ENV_VAR]
-          fail 'file #{path} does not exist' unless File.exist?(path)
-          File.open(path) do |f|
-            return new(scope, f)
-          end
-        rescue StandardError => e
-          raise "#{NOT_FOUND_ERROR}: #{e}"
+      TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
+      extend CredentialsLoader
+      extend JsonKeyReader
+      attr_reader :project_id
+      attr_reader :quota_project_id
+
+      def enable_self_signed_jwt?
+        @enable_self_signed_jwt
+      end
+
+      # Creates a ServiceAccountCredentials.
+      #
+      # @param json_key_io [IO] an IO from which the JSON key can be read
+      # @param scope [string|array|nil] the scope(s) to access
+      def self.make_creds options = {}
+        json_key_io, scope, enable_self_signed_jwt, target_audience, audience, token_credential_uri =
+          options.values_at :json_key_io, :scope, :enable_self_signed_jwt, :target_audience,
+                            :audience, :token_credential_uri
+        raise ArgumentError, "Cannot specify both scope and target_audience" if scope && target_audience
+
+        if json_key_io
+          private_key, client_email, project_id, quota_project_id = read_json_key json_key_io
+        else
+          private_key = unescape ENV[CredentialsLoader::PRIVATE_KEY_VAR]
+          client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
+          project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
+          quota_project_id = nil
         end
+        project_id ||= CredentialsLoader.load_gcloud_project_id
+
+        new(token_credential_uri:   token_credential_uri || TOKEN_CRED_URI,
+            audience:               audience || TOKEN_CRED_URI,
+            scope:                  scope,
+            enable_self_signed_jwt: enable_self_signed_jwt,
+            target_audience:        target_audience,
+            issuer:                 client_email,
+            signing_key:            OpenSSL::PKey::RSA.new(private_key),
+            project_id:             project_id,
+            quota_project_id:       quota_project_id)
+          .configure_connection(options)
+      end
 
-        # Creates an instance from a well known path.
-        #
-        # @param scope [string|array] the scope(s) to access
-        def from_well_known_path(scope)
-          home_var, base = windows? ? 'APPDATA' : 'HOME', WELL_KNOWN_PATH
-          root = ENV[home_var].nil? ? '' : ENV[home_var]
-          base = File.join('.config', base) unless windows?
-          path = File.join(root, base)
-          return nil unless File.exist?(path)
-          File.open(path) do |f|
-            return new(scope, f)
-          end
-        rescue StandardError => e
-          raise "#{WELL_KNOWN_ERROR}: #{e}"
+      # Handles certain escape sequences that sometimes appear in input.
+      # Specifically, interprets the "\n" sequence for newline, and removes
+      # enclosing quotes.
+      def self.unescape str
+        str = str.gsub '\n', "\n"
+        str = str[1..-2] if str.start_with?('"') && str.end_with?('"')
+        str
+      end
+
+      def initialize options = {}
+        @project_id = options[:project_id]
+        @quota_project_id = options[:quota_project_id]
+        @enable_self_signed_jwt = options[:enable_self_signed_jwt] ? true : false
+        super options
+      end
+
+      # Extends the base class to use a transient
+      # ServiceAccountJwtHeaderCredentials for certain cases.
+      def apply! a_hash, opts = {}
+        # Use a self-singed JWT if there's no information that can be used to
+        # obtain an OAuth token, OR if there are scopes but also an assertion
+        # that they are default scopes that shouldn't be used to fetch a token.
+        if target_audience.nil? && (scope.nil? || enable_self_signed_jwt?)
+          apply_self_signed_jwt! a_hash
+        else
+          super
         end
       end
 
-      # Initializes a ServiceAccountCredentials.
+      private
+
+      def apply_self_signed_jwt! a_hash
+        # Use the ServiceAccountJwtHeaderCredentials using the same cred values
+        cred_json = {
+          private_key:  @signing_key.to_s,
+          client_email: @issuer
+        }
+        key_io = StringIO.new MultiJson.dump(cred_json)
+        alt = ServiceAccountJwtHeaderCredentials.make_creds json_key_io: key_io
+        alt.apply! a_hash
+      end
+    end
+
+    # Authenticates requests using Google's Service Account credentials via
+    # JWT Header.
+    #
+    # This class allows authorizing requests for service accounts directly
+    # from credentials from a json key file downloaded from the developer
+    # console (via 'Generate new Json Key').  It is not part of any OAuth2
+    # flow, rather it creates a JWT and sends that as a credential.
+    #
+    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
+    class ServiceAccountJwtHeaderCredentials
+      JWT_AUD_URI_KEY = :jwt_aud_uri
+      AUTH_METADATA_KEY = Signet::OAuth2::AUTH_METADATA_KEY
+      TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
+      SIGNING_ALGORITHM = "RS256".freeze
+      EXPIRY = 60
+      extend CredentialsLoader
+      extend JsonKeyReader
+      attr_reader :project_id
+      attr_reader :quota_project_id
+
+      # make_creds proxies the construction of a credentials instance
+      #
+      # make_creds is used by the methods in CredentialsLoader.
+      #
+      # By default, it calls #new with 2 args, the second one being an
+      # optional scope. Here's the constructor only has one param, so
+      # we modify make_creds to reflect this.
+      def self.make_creds *args
+        new json_key_io: args[0][:json_key_io]
+      end
+
+      # Initializes a ServiceAccountJwtHeaderCredentials.
       #
-      # @param scope [string|array] the scope(s) to access
       # @param json_key_io [IO] an IO from which the JSON key can be read
-      def initialize(scope, json_key_io)
-        private_key, client_email = read_json_key(json_key_io)
-        super(token_credential_uri: TOKEN_CRED_URI,
-              audience: TOKEN_CRED_URI,  # TODO: confirm this
-              scope: scope,
-              issuer: client_email,
-              signing_key: OpenSSL::PKey::RSA.new(private_key))
+      def initialize options = {}
+        json_key_io = options[:json_key_io]
+        if json_key_io
+          @private_key, @issuer, @project_id, @quota_project_id =
+            self.class.read_json_key json_key_io
+        else
+          @private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
+          @issuer = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
+          @project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
+          @quota_project_id = nil
+        end
+        @project_id ||= CredentialsLoader.load_gcloud_project_id
+        @signing_key = OpenSSL::PKey::RSA.new @private_key
+      end
+
+      # Construct a jwt token if the JWT_AUD_URI key is present in the input
+      # hash.
+      #
+      # The jwt token is used as the value of a 'Bearer '.
+      def apply! a_hash, opts = {}
+        jwt_aud_uri = a_hash.delete JWT_AUD_URI_KEY
+        return a_hash if jwt_aud_uri.nil?
+        jwt_token = new_jwt_token jwt_aud_uri, opts
+        a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
+        a_hash
+      end
+
+      # Returns a clone of a_hash updated with the authoriation header
+      def apply a_hash, opts = {}
+        a_copy = a_hash.clone
+        apply! a_copy, opts
+        a_copy
+      end
+
+      # Returns a reference to the #apply method, suitable for passing as
+      # a closure
+      def updater_proc
+        proc { |a_hash, opts = {}| apply a_hash, opts }
+      end
+
+      protected
+
+      # Creates a jwt uri token.
+      def new_jwt_token jwt_aud_uri, options = {}
+        now = Time.new
+        skew = options[:skew] || 60
+        assertion = {
+          "iss" => @issuer,
+          "sub" => @issuer,
+          "aud" => jwt_aud_uri,
+          "exp" => (now + EXPIRY).to_i,
+          "iat" => (now - skew).to_i
+        }
+        JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
       end
     end
   end