googleauth 0.10.0 → 0.14.0
- checksums.yaml +4 -4
- data/.github/CODEOWNERS +7 -0
- data/.kokoro/continuous/linux.cfg +2 -2
- data/.kokoro/continuous/post.cfg +30 -0
- data/.kokoro/presubmit/linux.cfg +1 -1
- data/.kokoro/release.cfg +1 -1
- data/.repo-metadata.json +5 -0
- data/.rubocop.yml +5 -4
- data/CHANGELOG.md +27 -0
- data/Gemfile +5 -2
- data/{COPYING → LICENSE} +0 -0
- data/README.md +4 -5
- data/Rakefile +45 -3
- data/googleauth.gemspec +5 -3
- data/integration/helper.rb +31 -0
- data/integration/id_tokens/key_source_test.rb +74 -0
- data/lib/googleauth.rb +1 -0
- data/lib/googleauth/application_default.rb +2 -2
- data/lib/googleauth/compute_engine.rb +36 -6
- data/lib/googleauth/credentials.rb +89 -22
- data/lib/googleauth/id_tokens.rb +233 -0
- data/lib/googleauth/id_tokens/errors.rb +71 -0
- data/lib/googleauth/id_tokens/key_sources.rb +394 -0
- data/lib/googleauth/id_tokens/verifier.rb +144 -0
- data/lib/googleauth/json_key_reader.rb +6 -2
- data/lib/googleauth/service_account.rb +16 -7
- data/lib/googleauth/signet.rb +3 -2
- data/lib/googleauth/user_authorizer.rb +6 -1
- data/lib/googleauth/user_refresh.rb +1 -1
- data/lib/googleauth/version.rb +1 -1
- data/rakelib/devsite_builder.rb +45 -0
- data/rakelib/link_checker.rb +64 -0
- data/rakelib/repo_metadata.rb +59 -0
- data/spec/googleauth/apply_auth_examples.rb +28 -5
- data/spec/googleauth/compute_engine_spec.rb +48 -13
- data/spec/googleauth/credentials_spec.rb +17 -6
- data/spec/googleauth/service_account_spec.rb +23 -16
- data/spec/googleauth/signet_spec.rb +15 -7
- data/spec/googleauth/user_authorizer_spec.rb +21 -1
- data/spec/googleauth/user_refresh_spec.rb +1 -1
- data/test/helper.rb +33 -0
- data/test/id_tokens/key_sources_test.rb +240 -0
- data/test/id_tokens/verifier_test.rb +269 -0
- metadata +46 -12
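--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8846e57d325ff993c15ca691e299b9c2c4b7472b1b0a9e905b36cdb99216e061
+data.tar.gz: 2fcee29e36a6fd57420b9cd0106cf3ab73bf447e94e2f6bdce61a973d256cd5e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: dd54bce055240fc1db34ccfe2850ab49f23b17f55f5336dfeccf380c2f93b8b9e29100a1c53f360564e8387805a9c4bf74d09eb2ca58b5bda666cdab3b061f45
+data.tar.gz: 27dae4439e8163194604e912918709d2cd623c61856f70f7c350b08dfac010fdff50ad703934b88631c2759dcf7e5aab5b315a884cb160790c153115ee88bdfe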
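--- a/data/.github/CODEOWNERS
+++ b/data/.github/CODEOWNERS
@@ -0,0 +1,7 @@
+# Code owners file.
+# This file controls who is tagged for review for any given pull request.
+#
+# For syntax help see:
+# https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners#codeowners-syntax
+
+* @googleapis/yoshi-ruby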
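--- a/data/.kokoro/continuous/linux.cfg
+++ b/data/.kokoro/continuous/linux.cfg
@@ -3,10 +3,10 @@
 build_file: "google-auth-library-ruby/.kokoro/trampoline.sh"
 
 # Configure the docker image for kokoro-trampoline.
-# Dockerfile is maintained at https://github.com/googleapis/google-cloud-ruby/tree/master/.kokoro/docker/
+# Dockerfile is maintained at https://github.com/googleapis/google-cloud-ruby/tree/master/.kokoro/docker/multi
 env_vars: {
 key: "TRAMPOLINE_IMAGE"
-value: "gcr.io/cloud-devrel-kokoro-resources/yoshi-ruby/
+value: "gcr.io/cloud-devrel-kokoro-resources/yoshi-ruby/multi"
 }
 
 env_vars: {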
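--- a/data/.kokoro/continuous/post.cfg
+++ b/data/.kokoro/continuous/post.cfg
@@ -0,0 +1,30 @@
+# Format: //devtools/kokoro/config/proto/build.proto
+
+build_file: "google-auth-library-ruby/.kokoro/trampoline.sh"
+
+# Configure the docker image for kokoro-trampoline.
+# Dockerfile is maintained at https://github.com/googleapis/google-cloud-ruby/tree/master/.kokoro/docker/multi-node
+env_vars: {
+key: "TRAMPOLINE_IMAGE"
+value: "gcr.io/cloud-devrel-kokoro-resources/yoshi-ruby/multi-node"
+}
+
+env_vars: {
+key: "TRAMPOLINE_BUILD_FILE"
+value: "github/google-auth-library-ruby/.kokoro/build.sh"
+}
+
+env_vars: {
+key: "TRAMPOLINE_SCRIPT"
+value: "trampoline_v1.py"
+}
+
+env_vars: {
+key: "OS"
+value: "linux"
+}
+
+env_vars: {
+key: "JOB_TYPE"
+value: "post"
+}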
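--- a/data/.kokoro/presubmit/linux.cfg
+++ b/data/.kokoro/presubmit/linux.cfg
@@ -5,7 +5,7 @@ build_file: "google-auth-library-ruby/.kokoro/trampoline.sh"
 # Configure the docker image for kokoro-trampoline.
 env_vars: {
 key: "TRAMPOLINE_IMAGE"
-value: "gcr.io/cloud-devrel-kokoro-resources/yoshi-ruby/
+value: "gcr.io/cloud-devrel-kokoro-resources/yoshi-ruby/multi"
 }
 
 env_vars: {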
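--- a/data/.kokoro/release.cfg
+++ b/data/.kokoro/release.cfg
@@ -60,7 +60,7 @@ build_file: "google-auth-library-ruby/.kokoro/trampoline.sh"
 # Configure the docker image for kokoro-trampoline.
 env_vars: {
 key: "TRAMPOLINE_IMAGE"
-value: "gcr.io/cloud-devrel-kokoro-resources/
+value: "gcr.io/cloud-devrel-kokoro-resources/yoshi-ruby/release"
 }
 
 env_vars: {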
data/.repo-metadata.json
ADDED
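--- a/data/.rubocop.yml
+++ b/data/.rubocop.yml
@@ -3,12 +3,13 @@ inherit_gem:
 
 AllCops:
 Exclude:
-- "spec/**/*"
 - "Rakefile"
+- "integration/**/*"
+- "rakelib/**/*"
+- "spec/**/*"
+- "test/**/*"
 Metrics/ClassLength:
-Max:
-Exclude:
-- "lib/googleauth/credentials.rb"
+Max: 200
 Metrics/ModuleLength:
 Max: 110
 Metrics/BlockLength: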
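Review bot: Setting `Metrics/ClassLength` to `Max: 200` on the new line 12 replaces an `Exclude` that applied to `lib/googleauth/credentials.rb` alone, so the relaxed limit now also covers every other class under lib, and a future class growing past the old threshold will no longer be flagged. If only that one file needs the headroom, keep the per-file `Exclude` alongside the `Max` that was in force; otherwise a one-line comment above the setting recording why 200 was chosen (e.g. `# credentials.rb legitimately exceeds the default; revisit when it is split`) would help whoever tightens it later.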
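--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,29 @@
+# Release History
+
+### 0.14.0 / 2020-10-09
+
+* Honor GCE_METADATA_HOST environment variable
+* Fix errors in some environments when requesting an access token for multiple scopes
+
+### 0.13.1 / 2020-07-30
+
+* Support scopes when using GCE Metadata Server authentication ([@ball-hayden][])
+
+### 0.13.0 / 2020-06-17
+
+* Support for validating ID tokens.
+* Fixed header application of ID tokens from service accounts.
+
+### 0.12.0 / 2020-04-08
+
+* Support for ID token credentials.
+* Support reading quota_id_project from service account credentials.
+
+### 0.11.0 / 2020-02-24
+
+* Support Faraday 1.x.
+* Allow special "postmessage" value for redirect_uri.
+
 ### 0.10.0 / 2019-10-09
 
 Note: This release now requires Ruby 2.4 or later
@@ -128,3 +154,4 @@ Note: This release now requires Ruby 2.4 or later
 [@tbetbetbe]: https://github.com/tbetbetbe
 [@murgatroid99]: https://github.com/murgatroid99
 [@vsubramani]: https://github.com/vsubramani
+[@ball-hayden]: https://github.com/ball-hayden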
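--- a/data/Gemfile
+++ b/data/Gemfile
@@ -10,13 +10,15 @@ group :development do
 gem "fakeredis", "~> 0.5"
 gem "google-style", "~> 1.24.0"
 gem "logging", "~> 2.0"
+gem "minitest", "~> 5.14"
+gem "minitest-focus", "~> 1.1"
 gem "rack-test", "~> 0.6"
-gem "rake", "~>
+gem "rake", "~> 13.0"
 gem "redis", "~> 3.2"
 gem "rspec", "~> 3.0"
 gem "simplecov", "~> 0.9"
 gem "sinatra"
-gem "webmock", "~>
+gem "webmock", "~> 3.8"
 end
 
 platforms :jruby do
@@ -24,4 +26,5 @@ platforms :jruby do
 end
 end
 
+gem "faraday", "~> 0.17"
 gem "gems", "~> 1.2"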
data/{COPYING → LICENSE}
RENAMED
File without changes
|
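--- a/data/README.md
+++ b/data/README.md
@@ -178,7 +178,7 @@ access and refresh tokens. Two storage implementations are included:
 * Google::Auth::Stores::RedisTokenStore
 
 Custom storage implementations can also be used. See
-[token_store.rb](
+[token_store.rb](https://googleapis.dev/ruby/googleauth/latest/Google/Auth/TokenStore.html) for additional details.
 
 ## Supported Ruby Versions
 
@@ -206,7 +206,6 @@ hesitate to
 [ask questions](http://stackoverflow.com/questions/tagged/google-auth-library-ruby)
 about the client or APIs on [StackOverflow](http://stackoverflow.com).
 
-[
-[
-[
-[copying]: https://github.com/google/google-auth-library-ruby/tree/master/COPYING
+[application default credentials]: https://developers.google.com/accounts/docs/application-default-credentials
+[contributing]: https://github.com/googleapis/google-auth-library-ruby/tree/master/.github/CONTRIBUTING.md
+[copying]: https://github.com/googleapis/google-auth-library-ruby/tree/master/COPYING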
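--- a/data/Rakefile
+++ b/data/Rakefile
@@ -2,9 +2,30 @@
 require "json"
 require "bundler/gem_tasks"
 
+require "rubocop/rake_task"
+RuboCop::RakeTask.new
+
+require "rake/testtask"
+
+desc "Run tests."
+Rake::TestTask.new do |t|
+t.libs << "test"
+t.test_files = FileList["test/**/*_test.rb"]
+t.warning = false
+end
+
+desc "Run integration tests."
+Rake::TestTask.new("integration") do |t|
+t.libs << "integration"
+t.test_files = FileList["integration/**/*_test.rb"]
+t.warning = false
+end
+
 task :ci do
 header "Using Ruby - #{RUBY_VERSION}"
 sh "bundle exec rubocop"
+Rake::Task["test"].invoke
+Rake::Task["integration"].invoke
 sh "bundle exec rspec"
 end
 
@@ -13,7 +34,7 @@ task :release_gem, :tag do |_t, args|
 raise "You must provide a tag to release." if tag.nil?
 
 # Verify the tag format "vVERSION"
-m = tag.match
+m = tag.match /v(?<version>\S*)/
 raise "Tag #{tag} does not match the expected format." if m.nil?
 
 version = m[:version]
@@ -35,16 +56,23 @@ task :release_gem, :tag do |_t, args|
 end
 
 path_to_be_pushed = "pkg/googleauth-#{version}.gem"
+gem_was_published = nil
 if File.file? path_to_be_pushed
 begin
-::Gems.push File.new(path_to_be_pushed)
+response = ::Gems.push File.new(path_to_be_pushed)
+puts response
+raise unless response.include? "Successfully registered gem:"
+gem_was_published = true
 puts "Successfully built and pushed googleauth for version #{version}"
 rescue StandardError => e
+gem_was_published = false
 puts "Error while releasing googleauth version #{version}: #{e.message}"
 end
 else
 raise "Cannot build googleauth for version #{version}"
 end
+
+Rake::Task["kokoro:publish_docs"].invoke if gem_was_published
 end
 
 namespace :kokoro do
@@ -64,6 +92,14 @@ namespace :kokoro do
 Rake::Task["ci"].invoke
 end
 
+task :post do
+require_relative "rakelib/link_checker.rb"
+
+link_checker = LinkChecker.new
+link_checker.run
+exit link_checker.exit_status
+end
+
 task :nightly do
 Rake::Task["ci"].invoke
 end
@@ -76,7 +112,13 @@ namespace :kokoro do
 .first.split("(").last.split(")").first || "0.1.0"
 end
 Rake::Task["kokoro:load_env_vars"].invoke
-Rake::Task["release_gem"].invoke "
+Rake::Task["release_gem"].invoke "v#{version}"
+end
+
+task :publish_docs do
+require_relative "rakelib/devsite_builder.rb"
+
+DevsiteBuilder.new(__dir__).publish
 end
 end
 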
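Review bot: The bare `raise` on the new line 64 of `release_gem` carries no message, so when the push response lacks the expected text the `rescue StandardError` on line 67 prints only "unhandled exception" as the reason; prefer `raise "gem push did not report success (see response above)" unless response.include? "Successfully registered gem:"`. That rescue then only records `gem_was_published = false` and prints, so a failed push still lets the task finish normally and the surrounding release job reports success even though nothing was published; consider re-raising after the message, or ending the task with `raise "Release of googleauth #{version} failed" unless gem_was_published`. The `release_gem` task begins before this hunk. Separately, the tag pattern on line 37 is unanchored (`/v(?<version>\S*)/`), so any tag containing a "v" matches and `version` may come out empty; `/\Av(?<version>\S+)\z/` rejects those up front instead of failing later on a missing gem file.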
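--- a/data/googleauth.gemspec
+++ b/data/googleauth.gemspec
@@ -9,7 +9,7 @@ Gem::Specification.new do |gem|
 gem.version = Google::Auth::VERSION
 gem.authors = ["Tim Emiola"]
 gem.email = "temiola@google.com"
-gem.homepage = "https://github.com/
+gem.homepage = "https://github.com/googleapis/google-auth-library-ruby"
 gem.summary = "Google Auth Library for Ruby"
 gem.license = "Apache-2.0"
 gem.description = <<-DESCRIPTION
@@ -27,10 +27,12 @@ Gem::Specification.new do |gem|
 gem.platform = Gem::Platform::RUBY
 gem.required_ruby_version = ">= 2.4.0"
 
-gem.add_dependency "faraday", "
+gem.add_dependency "faraday", ">= 0.17.3", "< 2.0"
 gem.add_dependency "jwt", ">= 1.4", "< 3.0"
 gem.add_dependency "memoist", "~> 0.16"
 gem.add_dependency "multi_json", "~> 1.11"
 gem.add_dependency "os", ">= 0.9", "< 2.0"
-gem.add_dependency "signet", "~> 0.
+gem.add_dependency "signet", "~> 0.14"
+
+gem.add_development_dependency "yard", "~> 0.9"
 end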
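--- a/data/integration/helper.rb
+++ b/data/integration/helper.rb
@@ -0,0 +1,31 @@
+# Copyright 2020 Google LLC
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+# * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "minitest/autorun"
+require "minitest/focus"
+require "googleauth"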
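--- a/data/integration/id_tokens/key_source_test.rb
+++ b/data/integration/id_tokens/key_source_test.rb
@@ -0,0 +1,74 @@
+# Copyright 2020 Google LLC
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+# * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "helper"
+
+describe Google::Auth::IDTokens do
+describe "key source" do
+let(:legacy_oidc_key_source) {
+Google::Auth::IDTokens::X509CertHttpKeySource.new "https://www.googleapis.com/oauth2/v1/certs"
+}
+let(:oidc_key_source) { Google::Auth::IDTokens.oidc_key_source }
+let(:iap_key_source) { Google::Auth::IDTokens.iap_key_source }
+
+it "Gets real keys from the OAuth2 V1 cert URL" do
+keys = legacy_oidc_key_source.refresh_keys
+refute_empty keys
+keys.each do |key|
+assert_kind_of OpenSSL::PKey::RSA, key.key
+refute key.key.private?
+assert_equal "RS256", key.algorithm
+end
+end
+
+it "Gets real keys from the OAuth2 V3 cert URL" do
+keys = oidc_key_source.refresh_keys
+refute_empty keys
+keys.each do |key|
+assert_kind_of OpenSSL::PKey::RSA, key.key
+refute key.key.private?
+assert_equal "RS256", key.algorithm
+end
+end
+
+it "Gets the same keys from the OAuth2 V1 and V3 cert URLs" do
+keys_v1 = legacy_oidc_key_source.refresh_keys.map(&:key).map(&:export).sort
+keys_v3 = oidc_key_source.refresh_keys.map(&:key).map(&:export).sort
+assert_equal keys_v1, keys_v3
+end
+
+it "Gets real keys from the IAP public key URL" do
+keys = iap_key_source.refresh_keys
+refute_empty keys
+keys.each do |key|
+assert_kind_of OpenSSL::PKey::EC, key.key
+assert_equal "ES256", key.algorithm
+end
+end
+end
+end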
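Review bot: The IAP case on the new lines 65–72 checks the key type and algorithm but omits the `refute key.key.private?` assertion that both RSA cases make (lines 44 and 54), so this test would still pass if the IAP source ever handed back a key that carries private material; add `refute key.key.private?` directly after `assert_kind_of OpenSSL::PKey::EC, key.key` so all three sources are held to the same check. These cases fetch live keys from Google endpoints and are run by the separate `integration` rake task added in this change; a one-line comment under `require "helper"` stating that the file needs network access would make that intent explicit to someone running the file directly.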
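--- a/data/lib/googleauth.rb
+++ b/data/lib/googleauth.rb
@@ -31,5 +31,6 @@ require "googleauth/application_default"
 require "googleauth/client_id"
 require "googleauth/credentials"
 require "googleauth/default_credentials"
+require "googleauth/id_tokens"
 require "googleauth/user_authorizer"
 require "googleauth/web_user_authorizer"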
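--- a/data/lib/googleauth/application_default.rb
+++ b/data/lib/googleauth/application_default.rb
@@ -47,7 +47,7 @@ module Google
 #
 # Use this to obtain the Application Default Credentials for accessing
 # Google APIs. Application Default Credentials are described in detail
-# at
+# at https://cloud.google.com/docs/authentication/production.
 #
 # If supplied, scope is used to create the credentials instance, when it can
 # be applied. E.g, on google compute engine and for user credentials the
@@ -75,7 +75,7 @@ module Google
 GCECredentials.unmemoize_all
 raise NOT_FOUND_ERROR
 end
-GCECredentials.new
+GCECredentials.new scope: scope
 end
 end
 end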
@@ -51,20 +51,43 @@ module Google
|
|
51
51
|
class GCECredentials < Signet::OAuth2::Client
|
52
52
|
# The IP Address is used in the URIs to speed up failures on non-GCE
|
53
53
|
# systems.
|
54
|
-
|
55
|
-
|
54
|
+
DEFAULT_METADATA_HOST = "169.254.169.254".freeze
|
55
|
+
|
56
|
+
# @private Unused and deprecated
|
57
|
+
COMPUTE_AUTH_TOKEN_URI =
|
58
|
+
"http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze
|
59
|
+
# @private Unused and deprecated
|
60
|
+
COMPUTE_ID_TOKEN_URI =
|
61
|
+
"http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity".freeze
|
62
|
+
# @private Unused and deprecated
|
56
63
|
COMPUTE_CHECK_URI = "http://169.254.169.254".freeze
|
57
64
|
|
58
65
|
class << self
|
59
66
|
extend Memoist
|
60
67
|
|
68
|
+
def metadata_host
|
69
|
+
ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST
|
70
|
+
end
|
71
|
+
|
72
|
+
def compute_check_uri
|
73
|
+
"http://#{metadata_host}".freeze
|
74
|
+
end
|
75
|
+
|
76
|
+
def compute_auth_token_uri
|
77
|
+
"#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/token".freeze
|
78
|
+
end
|
79
|
+
|
80
|
+
def compute_id_token_uri
|
81
|
+
"#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/identity".freeze
|
82
|
+
end
|
83
|
+
|
61
84
|
# Detect if this appear to be a GCE instance, by checking if metadata
|
62
85
|
# is available.
|
63
86
|
def on_gce? options = {}
|
64
87
|
# TODO: This should use google-cloud-env instead.
|
65
88
|
c = options[:connection] || Faraday.default_connection
|
66
89
|
headers = { "Metadata-Flavor" => "Google" }
|
67
|
-
resp = c.get
|
90
|
+
resp = c.get compute_check_uri, nil, headers do |req|
|
68
91
|
req.options.timeout = 1.0
|
69
92
|
req.options.open_timeout = 0.1
|
70
93
|
end
|
@@ -82,12 +105,19 @@ module Google
|
|
82
105
|
def fetch_access_token options = {}
|
83
106
|
c = options[:connection] || Faraday.default_connection
|
84
107
|
retry_with_error do
|
108
|
+
uri = target_audience ? GCECredentials.compute_id_token_uri : GCECredentials.compute_auth_token_uri
|
109
|
+
query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
|
110
|
+
query[:scopes] = Array(scope).join "," if scope
|
85
111
|
headers = { "Metadata-Flavor" => "Google" }
|
86
|
-
resp = c.get
|
112
|
+
resp = c.get uri, query, headers
|
87
113
|
case resp.status
|
88
114
|
when 200
|
89
|
-
|
90
|
-
|
115
|
+
content_type = resp.headers["content-type"]
|
116
|
+
if content_type == "text/html"
|
117
|
+
{ (target_audience ? "id_token" : "access_token") => resp.body }
|
118
|
+
else
|
119
|
+
Signet::OAuth2.parse_credentials resp.body, content_type
|
120
|
+
end
|
91
121
|
when 404
|
92
122
|
raise Signet::AuthorizationError, NO_METADATA_SERVER_ERROR
|
93
123
|
else
|