googleauth 0.10.0 → 0.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: db5eb8767a7eae3ca209e8a6eeebc6e8e3b0b8724ce456734fbb4f10fc62319a
-  data.tar.gz: 36501fbb7a1963cde692f1122d40fcbc02d6f98d517736ffd11745c42649dcef
+  metadata.gz: 8846e57d325ff993c15ca691e299b9c2c4b7472b1b0a9e905b36cdb99216e061
+  data.tar.gz: 2fcee29e36a6fd57420b9cd0106cf3ab73bf447e94e2f6bdce61a973d256cd5e
 SHA512:
-  metadata.gz: fd87ff90b92d1906310f9bebeffa84a692b11bd54c114d597e19c02968955922c0202b87cf6fb6b6e172804234ffb5f4b642ac1415b562013cbd789b942025a0
-  data.tar.gz: 444ce4532265ff0b8ecdd384653384579c0d99730fa0c415c957c8a956d603fdc1667e2dd2c112efa062b7c11c55285d783a85894e84c440c74f5c6923140c10
+  metadata.gz: dd54bce055240fc1db34ccfe2850ab49f23b17f55f5336dfeccf380c2f93b8b9e29100a1c53f360564e8387805a9c4bf74d09eb2ca58b5bda666cdab3b061f45
+  data.tar.gz: 27dae4439e8163194604e912918709d2cd623c61856f70f7c350b08dfac010fdff50ad703934b88631c2759dcf7e5aab5b315a884cb160790c153115ee88bdfe

data/.github/CODEOWNERS

@@ -0,0 +1,7 @@
+# Code owners file.
+# This file controls who is tagged for review for any given pull request.
+#
+# For syntax help see:
+# https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners#codeowners-syntax
+
+*     @googleapis/yoshi-ruby

data/.kokoro/continuous/linux.cfg

@@ -3,10 +3,10 @@
 build_file: "google-auth-library-ruby/.kokoro/trampoline.sh"
 
 # Configure the docker image for kokoro-trampoline.
-# Dockerfile is maintained at https://github.com/googleapis/google-cloud-ruby/tree/master/.kokoro/docker/ruby-multi
+# Dockerfile is maintained at https://github.com/googleapis/google-cloud-ruby/tree/master/.kokoro/docker/multi
 env_vars: {
     key: "TRAMPOLINE_IMAGE"
-    value: "gcr.io/cloud-devrel-kokoro-resources/yoshi-ruby/ruby-multi"
+    value: "gcr.io/cloud-devrel-kokoro-resources/yoshi-ruby/multi"
 }
 
 env_vars: {

data/.kokoro/continuous/post.cfg

@@ -0,0 +1,30 @@
+# Format: //devtools/kokoro/config/proto/build.proto
+
+build_file: "google-auth-library-ruby/.kokoro/trampoline.sh"
+
+# Configure the docker image for kokoro-trampoline.
+# Dockerfile is maintained at https://github.com/googleapis/google-cloud-ruby/tree/master/.kokoro/docker/multi-node
+env_vars: {
+    key: "TRAMPOLINE_IMAGE"
+    value: "gcr.io/cloud-devrel-kokoro-resources/yoshi-ruby/multi-node"
+}
+
+env_vars: {
+    key: "TRAMPOLINE_BUILD_FILE"
+    value: "github/google-auth-library-ruby/.kokoro/build.sh"
+}
+
+env_vars: {
+    key: "TRAMPOLINE_SCRIPT"
+    value: "trampoline_v1.py"
+}
+
+env_vars: {
+    key: "OS"
+    value: "linux"
+}
+
+env_vars: {
+    key: "JOB_TYPE"
+    value: "post"
+}

data/.kokoro/presubmit/linux.cfg

@@ -5,7 +5,7 @@ build_file: "google-auth-library-ruby/.kokoro/trampoline.sh"
 # Configure the docker image for kokoro-trampoline.
 env_vars: {
     key: "TRAMPOLINE_IMAGE"
-    value: "gcr.io/cloud-devrel-kokoro-resources/yoshi-ruby/ruby-multi"
+    value: "gcr.io/cloud-devrel-kokoro-resources/yoshi-ruby/multi"
 }
 
 env_vars: {

data/.kokoro/release.cfg

@@ -60,7 +60,7 @@ build_file: "google-auth-library-ruby/.kokoro/trampoline.sh"
 # Configure the docker image for kokoro-trampoline.
 env_vars: {
     key: "TRAMPOLINE_IMAGE"
-    value: "gcr.io/cloud-devrel-kokoro-resources/google-cloud-ruby/ruby-release"
+    value: "gcr.io/cloud-devrel-kokoro-resources/yoshi-ruby/release"
 }
 
 env_vars: {

data/.repo-metadata.json

@@ -0,0 +1,5 @@
+{
+    "name": "googleauth",
+    "language": "ruby",
+    "distribution-name": "googleauth"
+}

data/.rubocop.yml

@@ -3,12 +3,13 @@ inherit_gem:
 
 AllCops:
   Exclude:
-    - "spec/**/*"
     - "Rakefile"
+    - "integration/**/*"
+    - "rakelib/**/*"
+    - "spec/**/*"
+    - "test/**/*"
 Metrics/ClassLength:
-  Max: 110
-  Exclude:
-    - "lib/googleauth/credentials.rb"
+  Max: 200
 Metrics/ModuleLength:
   Max: 110
 Metrics/BlockLength:

data/CHANGELOG.md

@@ -1,3 +1,29 @@
+# Release History
+
+### 0.14.0 / 2020-10-09
+
+* Honor GCE_METADATA_HOST environment variable
+* Fix errors in some environments when requesting an access token for multiple scopes
+
+### 0.13.1 / 2020-07-30
+
+* Support scopes when using GCE Metadata Server authentication ([@ball-hayden][])
+
+### 0.13.0 / 2020-06-17
+
+* Support for validating ID tokens.
+* Fixed header application of ID tokens from service accounts.
+
+### 0.12.0 / 2020-04-08
+
+* Support for ID token credentials.
+* Support reading quota_id_project from service account credentials.
+
+### 0.11.0 / 2020-02-24
+
+* Support Faraday 1.x.
+* Allow special "postmessage" value for redirect_uri.
+
 ### 0.10.0 / 2019-10-09
 
 Note: This release now requires Ruby 2.4 or later
@@ -128,3 +154,4 @@ Note: This release now requires Ruby 2.4 or later
 [@tbetbetbe]: https://github.com/tbetbetbe
 [@murgatroid99]: https://github.com/murgatroid99
 [@vsubramani]: https://github.com/vsubramani
+[@ball-hayden]: https://github.com/ball-hayden

data/Gemfile

@@ -10,13 +10,15 @@ group :development do
   gem "fakeredis", "~> 0.5"
   gem "google-style", "~> 1.24.0"
   gem "logging", "~> 2.0"
+  gem "minitest", "~> 5.14"
+  gem "minitest-focus", "~> 1.1"
   gem "rack-test", "~> 0.6"
-  gem "rake", "~> 10.0"
+  gem "rake", "~> 13.0"
   gem "redis", "~> 3.2"
   gem "rspec", "~> 3.0"
   gem "simplecov", "~> 0.9"
   gem "sinatra"
-  gem "webmock", "~> 1.21"
+  gem "webmock", "~> 3.8"
 end
 
 platforms :jruby do
@@ -24,4 +26,5 @@ platforms :jruby do
   end
 end
 
+gem "faraday", "~> 0.17"
 gem "gems", "~> 1.2"

data/README.md

@@ -178,7 +178,7 @@ access and refresh tokens. Two storage implementations are included:
 *   Google::Auth::Stores::RedisTokenStore
 
 Custom storage implementations can also be used. See
-[token_store.rb](lib/googleauth/token_store.rb) for additional details.
+[token_store.rb](https://googleapis.dev/ruby/googleauth/latest/Google/Auth/TokenStore.html) for additional details.
 
 ## Supported Ruby Versions
 
@@ -206,7 +206,6 @@ hesitate to
 [ask questions](http://stackoverflow.com/questions/tagged/google-auth-library-ruby)
 about the client or APIs on [StackOverflow](http://stackoverflow.com).
 
-[google-apis-ruby-client]: (https://github.com/google/google-api-ruby-client)
-[application default credentials]: (https://developers.google.com/accounts/docs/application-default-credentials)
-[contributing]: https://github.com/google/google-auth-library-ruby/tree/master/CONTRIBUTING.md
-[copying]: https://github.com/google/google-auth-library-ruby/tree/master/COPYING
+[application default credentials]: https://developers.google.com/accounts/docs/application-default-credentials
+[contributing]: https://github.com/googleapis/google-auth-library-ruby/tree/master/.github/CONTRIBUTING.md
+[copying]: https://github.com/googleapis/google-auth-library-ruby/tree/master/COPYING

data/Rakefile

@@ -2,9 +2,30 @@
 require "json"
 require "bundler/gem_tasks"
 
+require "rubocop/rake_task"
+RuboCop::RakeTask.new
+
+require "rake/testtask"
+
+desc "Run tests."
+Rake::TestTask.new do |t|
+  t.libs << "test"
+  t.test_files = FileList["test/**/*_test.rb"]
+  t.warning = false
+end
+
+desc "Run integration tests."
+Rake::TestTask.new("integration") do |t|
+  t.libs << "integration"
+  t.test_files = FileList["integration/**/*_test.rb"]
+  t.warning = false
+end
+
 task :ci do
   header "Using Ruby - #{RUBY_VERSION}"
   sh "bundle exec rubocop"
+  Rake::Task["test"].invoke
+  Rake::Task["integration"].invoke
   sh "bundle exec rspec"
 end
 
@@ -13,7 +34,7 @@ task :release_gem, :tag do |_t, args|
   raise "You must provide a tag to release." if tag.nil?
 
   # Verify the tag format "vVERSION"
-  m = tag.match(/google-auth-library-ruby\/v(?<version>\S*)/)
+  m = tag.match /v(?<version>\S*)/
   raise "Tag #{tag} does not match the expected format." if m.nil?
 
   version = m[:version]
@@ -35,16 +56,23 @@ task :release_gem, :tag do |_t, args|
   end
 
   path_to_be_pushed = "pkg/googleauth-#{version}.gem"
+  gem_was_published = nil
   if File.file? path_to_be_pushed
     begin
-      ::Gems.push File.new(path_to_be_pushed)
+      response = ::Gems.push File.new(path_to_be_pushed)
+      puts response
+      raise unless response.include? "Successfully registered gem:"
+      gem_was_published = true
       puts "Successfully built and pushed googleauth for version #{version}"
     rescue StandardError => e
+      gem_was_published = false
       puts "Error while releasing googleauth version #{version}: #{e.message}"
     end
   else
     raise "Cannot build googleauth for version #{version}"
   end
+
+  Rake::Task["kokoro:publish_docs"].invoke if gem_was_published
 end
 
 namespace :kokoro do
@@ -64,6 +92,14 @@ namespace :kokoro do
     Rake::Task["ci"].invoke
   end
 
+  task :post do
+    require_relative "rakelib/link_checker.rb"
+
+    link_checker = LinkChecker.new
+    link_checker.run
+    exit link_checker.exit_status
+  end
+
   task :nightly do
     Rake::Task["ci"].invoke
   end
@@ -76,7 +112,13 @@ namespace :kokoro do
                 .first.split("(").last.split(")").first || "0.1.0"
     end
     Rake::Task["kokoro:load_env_vars"].invoke
-    Rake::Task["release_gem"].invoke "google-auth-library-ruby/v#{version}"
+    Rake::Task["release_gem"].invoke "v#{version}"
+  end
+
+  task :publish_docs do
+    require_relative "rakelib/devsite_builder.rb"
+
+    DevsiteBuilder.new(__dir__).publish
   end
 end
 

data/googleauth.gemspec

@@ -9,7 +9,7 @@ Gem::Specification.new do |gem|
   gem.version       = Google::Auth::VERSION
   gem.authors       = ["Tim Emiola"]
   gem.email         = "temiola@google.com"
-  gem.homepage      = "https://github.com/google/google-auth-library-ruby"
+  gem.homepage      = "https://github.com/googleapis/google-auth-library-ruby"
   gem.summary       = "Google Auth Library for Ruby"
   gem.license       = "Apache-2.0"
   gem.description   = <<-DESCRIPTION
@@ -27,10 +27,12 @@ Gem::Specification.new do |gem|
   gem.platform      = Gem::Platform::RUBY
   gem.required_ruby_version = ">= 2.4.0"
 
-  gem.add_dependency "faraday", "~> 0.12"
+  gem.add_dependency "faraday", ">= 0.17.3", "< 2.0"
   gem.add_dependency "jwt", ">= 1.4", "< 3.0"
   gem.add_dependency "memoist", "~> 0.16"
   gem.add_dependency "multi_json", "~> 1.11"
   gem.add_dependency "os", ">= 0.9", "< 2.0"
-  gem.add_dependency "signet", "~> 0.12"
+  gem.add_dependency "signet", "~> 0.14"
+
+  gem.add_development_dependency "yard", "~> 0.9"
 end

data/integration/helper.rb

@@ -0,0 +1,31 @@
+# Copyright 2020 Google LLC
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "minitest/autorun"
+require "minitest/focus"
+require "googleauth"

data/integration/id_tokens/key_source_test.rb

@@ -0,0 +1,74 @@
+# Copyright 2020 Google LLC
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "helper"
+
+describe Google::Auth::IDTokens do
+  describe "key source" do
+    let(:legacy_oidc_key_source) {
+      Google::Auth::IDTokens::X509CertHttpKeySource.new "https://www.googleapis.com/oauth2/v1/certs"
+    }
+    let(:oidc_key_source) { Google::Auth::IDTokens.oidc_key_source }
+    let(:iap_key_source) { Google::Auth::IDTokens.iap_key_source }
+
+    it "Gets real keys from the OAuth2 V1 cert URL" do
+      keys = legacy_oidc_key_source.refresh_keys
+      refute_empty keys
+      keys.each do |key|
+        assert_kind_of OpenSSL::PKey::RSA, key.key
+        refute key.key.private?
+        assert_equal "RS256", key.algorithm
+      end
+    end
+
+    it "Gets real keys from the OAuth2 V3 cert URL" do
+      keys = oidc_key_source.refresh_keys
+      refute_empty keys
+      keys.each do |key|
+        assert_kind_of OpenSSL::PKey::RSA, key.key
+        refute key.key.private?
+        assert_equal "RS256", key.algorithm
+      end
+    end
+
+    it "Gets the same keys from the OAuth2 V1 and V3 cert URLs" do
+      keys_v1 = legacy_oidc_key_source.refresh_keys.map(&:key).map(&:export).sort
+      keys_v3 = oidc_key_source.refresh_keys.map(&:key).map(&:export).sort
+      assert_equal keys_v1, keys_v3
+    end
+
+    it "Gets real keys from the IAP public key URL" do
+      keys = iap_key_source.refresh_keys
+      refute_empty keys
+      keys.each do |key|
+        assert_kind_of OpenSSL::PKey::EC, key.key
+        assert_equal "ES256", key.algorithm
+      end
+    end
+  end
+end

data/lib/googleauth.rb

@@ -31,5 +31,6 @@ require "googleauth/application_default"
 require "googleauth/client_id"
 require "googleauth/credentials"
 require "googleauth/default_credentials"
+require "googleauth/id_tokens"
 require "googleauth/user_authorizer"
 require "googleauth/web_user_authorizer"

data/lib/googleauth/application_default.rb

@@ -47,7 +47,7 @@ module Google
     #
     # Use this to obtain the Application Default Credentials for accessing
     # Google APIs.  Application Default Credentials are described in detail
-    # at http://goo.gl/IUuyuX.
+    # at https://cloud.google.com/docs/authentication/production.
     #
     # If supplied, scope is used to create the credentials instance, when it can
     # be applied.  E.g, on google compute engine and for user credentials the
@@ -75,7 +75,7 @@ module Google
         GCECredentials.unmemoize_all
         raise NOT_FOUND_ERROR
       end
-      GCECredentials.new
+      GCECredentials.new scope: scope
     end
   end
 end

data/lib/googleauth/compute_engine.rb

@@ -51,20 +51,43 @@ module Google
     class GCECredentials < Signet::OAuth2::Client
       # The IP Address is used in the URIs to speed up failures on non-GCE
       # systems.
-      COMPUTE_AUTH_TOKEN_URI = "http://169.254.169.254/computeMetadata/v1/"\
-      "instance/service-accounts/default/token".freeze
+      DEFAULT_METADATA_HOST = "169.254.169.254".freeze
+
+      # @private Unused and deprecated
+      COMPUTE_AUTH_TOKEN_URI =
+        "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze
+      # @private Unused and deprecated
+      COMPUTE_ID_TOKEN_URI =
+        "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity".freeze
+      # @private Unused and deprecated
       COMPUTE_CHECK_URI = "http://169.254.169.254".freeze
 
       class << self
         extend Memoist
 
+        def metadata_host
+          ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST
+        end
+
+        def compute_check_uri
+          "http://#{metadata_host}".freeze
+        end
+
+        def compute_auth_token_uri
+          "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/token".freeze
+        end
+
+        def compute_id_token_uri
+          "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/identity".freeze
+        end
+
         # Detect if this appear to be a GCE instance, by checking if metadata
         # is available.
         def on_gce? options = {}
           # TODO: This should use google-cloud-env instead.
           c = options[:connection] || Faraday.default_connection
           headers = { "Metadata-Flavor" => "Google" }
-          resp = c.get COMPUTE_CHECK_URI, nil, headers do |req|
+          resp = c.get compute_check_uri, nil, headers do |req|
             req.options.timeout = 1.0
             req.options.open_timeout = 0.1
           end
@@ -82,12 +105,19 @@ module Google
       def fetch_access_token options = {}
         c = options[:connection] || Faraday.default_connection
         retry_with_error do
+          uri = target_audience ? GCECredentials.compute_id_token_uri : GCECredentials.compute_auth_token_uri
+          query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
+          query[:scopes] = Array(scope).join "," if scope
           headers = { "Metadata-Flavor" => "Google" }
-          resp = c.get COMPUTE_AUTH_TOKEN_URI, nil, headers
+          resp = c.get uri, query, headers
           case resp.status
           when 200
-            Signet::OAuth2.parse_credentials(resp.body,
-                                             resp.headers["content-type"])
+            content_type = resp.headers["content-type"]
+            if content_type == "text/html"
+              { (target_audience ? "id_token" : "access_token") => resp.body }
+            else
+              Signet::OAuth2.parse_credentials resp.body, content_type
+            end
           when 404
             raise Signet::AuthorizationError, NO_METADATA_SERVER_ERROR
           else