googleauth 0.10.0 → 0.14.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/CODEOWNERS +7 -0
- data/.kokoro/continuous/linux.cfg +2 -2
- data/.kokoro/continuous/post.cfg +30 -0
- data/.kokoro/presubmit/linux.cfg +1 -1
- data/.kokoro/release.cfg +1 -1
- data/.repo-metadata.json +5 -0
- data/.rubocop.yml +5 -4
- data/CHANGELOG.md +27 -0
- data/Gemfile +5 -2
- data/{COPYING → LICENSE} +0 -0
- data/README.md +4 -5
- data/Rakefile +45 -3
- data/googleauth.gemspec +5 -3
- data/integration/helper.rb +31 -0
- data/integration/id_tokens/key_source_test.rb +74 -0
- data/lib/googleauth.rb +1 -0
- data/lib/googleauth/application_default.rb +2 -2
- data/lib/googleauth/compute_engine.rb +36 -6
- data/lib/googleauth/credentials.rb +89 -22
- data/lib/googleauth/id_tokens.rb +233 -0
- data/lib/googleauth/id_tokens/errors.rb +71 -0
- data/lib/googleauth/id_tokens/key_sources.rb +394 -0
- data/lib/googleauth/id_tokens/verifier.rb +144 -0
- data/lib/googleauth/json_key_reader.rb +6 -2
- data/lib/googleauth/service_account.rb +16 -7
- data/lib/googleauth/signet.rb +3 -2
- data/lib/googleauth/user_authorizer.rb +6 -1
- data/lib/googleauth/user_refresh.rb +1 -1
- data/lib/googleauth/version.rb +1 -1
- data/rakelib/devsite_builder.rb +45 -0
- data/rakelib/link_checker.rb +64 -0
- data/rakelib/repo_metadata.rb +59 -0
- data/spec/googleauth/apply_auth_examples.rb +28 -5
- data/spec/googleauth/compute_engine_spec.rb +48 -13
- data/spec/googleauth/credentials_spec.rb +17 -6
- data/spec/googleauth/service_account_spec.rb +23 -16
- data/spec/googleauth/signet_spec.rb +15 -7
- data/spec/googleauth/user_authorizer_spec.rb +21 -1
- data/spec/googleauth/user_refresh_spec.rb +1 -1
- data/test/helper.rb +33 -0
- data/test/id_tokens/key_sources_test.rb +240 -0
- data/test/id_tokens/verifier_test.rb +269 -0
- metadata +46 -12
@@ -47,6 +47,8 @@ module Google
|
|
47
47
|
# The default target audience ID to be used when none is provided during initialization.
|
48
48
|
AUDIENCE = "https://oauth2.googleapis.com/token".freeze
|
49
49
|
|
50
|
+
@audience = @scope = @target_audience = @env_vars = @paths = nil
|
51
|
+
|
50
52
|
##
|
51
53
|
# The default token credential URI to be used when none is provided during initialization.
|
52
54
|
# The URI is the authorization server's HTTP endpoint capable of issuing tokens and
|
@@ -97,20 +99,25 @@ module Google
|
|
97
99
|
# A scope is an access range defined by the authorization server.
|
98
100
|
# The scope can be a single value or a list of values.
|
99
101
|
#
|
102
|
+
# Either {#scope} or {#target_audience}, but not both, should be non-nil.
|
103
|
+
# If {#scope} is set, this credential will produce access tokens.
|
104
|
+
# If {#target_audience} is set, this credential will produce ID tokens.
|
105
|
+
#
|
100
106
|
# @return [String, Array<String>]
|
101
107
|
#
|
102
108
|
def self.scope
|
103
109
|
return @scope unless @scope.nil?
|
104
110
|
|
105
|
-
|
106
|
-
# Pull in values is the SCOPE constant exists.
|
107
|
-
tmp_scope << const_get(:SCOPE) if const_defined? :SCOPE
|
108
|
-
tmp_scope.flatten.uniq
|
111
|
+
Array(const_get(:SCOPE)).flatten.uniq if const_defined? :SCOPE
|
109
112
|
end
|
110
113
|
|
111
114
|
##
|
112
115
|
# Sets the default scope to be used when none is provided during initialization.
|
113
116
|
#
|
117
|
+
# Either {#scope} or {#target_audience}, but not both, should be non-nil.
|
118
|
+
# If {#scope} is set, this credential will produce access tokens.
|
119
|
+
# If {#target_audience} is set, this credential will produce ID tokens.
|
120
|
+
#
|
114
121
|
# @param [String, Array<String>] new_scope
|
115
122
|
# @return [String, Array<String>]
|
116
123
|
#
|
@@ -119,6 +126,34 @@ module Google
|
|
119
126
|
@scope = new_scope
|
120
127
|
end
|
121
128
|
|
129
|
+
##
|
130
|
+
# The default final target audience for ID tokens, to be used when none
|
131
|
+
# is provided during initialization.
|
132
|
+
#
|
133
|
+
# Either {#scope} or {#target_audience}, but not both, should be non-nil.
|
134
|
+
# If {#scope} is set, this credential will produce access tokens.
|
135
|
+
# If {#target_audience} is set, this credential will produce ID tokens.
|
136
|
+
#
|
137
|
+
# @return [String]
|
138
|
+
#
|
139
|
+
def self.target_audience
|
140
|
+
@target_audience
|
141
|
+
end
|
142
|
+
|
143
|
+
##
|
144
|
+
# Sets the default final target audience for ID tokens, to be used when none
|
145
|
+
# is provided during initialization.
|
146
|
+
#
|
147
|
+
# Either {#scope} or {#target_audience}, but not both, should be non-nil.
|
148
|
+
# If {#scope} is set, this credential will produce access tokens.
|
149
|
+
# If {#target_audience} is set, this credential will produce ID tokens.
|
150
|
+
#
|
151
|
+
# @param [String] new_target_audience
|
152
|
+
#
|
153
|
+
def self.target_audience= new_target_audience
|
154
|
+
@target_audience = new_target_audience
|
155
|
+
end
|
156
|
+
|
122
157
|
##
|
123
158
|
# The environment variables to search for credentials. Values can either be a file path to the
|
124
159
|
# credentials file, or the JSON contents of the credentials file.
|
@@ -185,6 +220,13 @@ module Google
|
|
185
220
|
#
|
186
221
|
attr_reader :project_id
|
187
222
|
|
223
|
+
##
|
224
|
+
# Identifier for a separate project used for billing/quota, if any.
|
225
|
+
#
|
226
|
+
# @return [String,nil]
|
227
|
+
#
|
228
|
+
attr_reader :quota_project_id
|
229
|
+
|
188
230
|
# @private Delegate client methods to the client object.
|
189
231
|
extend Forwardable
|
190
232
|
|
@@ -201,6 +243,9 @@ module Google
|
|
201
243
|
# @return [String, Array<String>] The scope for this client. A scope is an access range
|
202
244
|
# defined by the authorization server. The scope can be a single value or a list of values.
|
203
245
|
#
|
246
|
+
# @!attribute [r] target_audience
|
247
|
+
# @return [String] The final target audience for ID tokens returned by this credential.
|
248
|
+
#
|
204
249
|
# @!attribute [r] issuer
|
205
250
|
# @return [String] The issuer ID associated with this client.
|
206
251
|
#
|
@@ -213,9 +258,7 @@ module Google
|
|
213
258
|
#
|
214
259
|
def_delegators :@client,
|
215
260
|
:token_credential_uri, :audience,
|
216
|
-
:scope, :issuer, :signing_key, :updater_proc
|
217
|
-
|
218
|
-
# rubocop:disable Metrics/AbcSize
|
261
|
+
:scope, :issuer, :signing_key, :updater_proc, :target_audience
|
219
262
|
|
220
263
|
##
|
221
264
|
# Creates a new Credentials instance with the provided auth credentials, and with the default
|
@@ -236,23 +279,15 @@ module Google
|
|
236
279
|
# * +:default_connection+ - the default connection to use for the client
|
237
280
|
#
|
238
281
|
def initialize keyfile, options = {}
|
239
|
-
scope = options[:scope]
|
240
282
|
verify_keyfile_provided! keyfile
|
241
283
|
@project_id = options["project_id"] || options["project"]
|
284
|
+
@quota_project_id = options["quota_project_id"]
|
242
285
|
if keyfile.is_a? Signet::OAuth2::Client
|
243
|
-
|
244
|
-
@project_id ||= keyfile.project_id if keyfile.respond_to? :project_id
|
286
|
+
update_from_signet keyfile
|
245
287
|
elsif keyfile.is_a? Hash
|
246
|
-
|
247
|
-
hash["scope"] ||= scope
|
248
|
-
@client = init_client hash, options
|
249
|
-
@project_id ||= (hash["project_id"] || hash["project"])
|
288
|
+
update_from_hash keyfile, options
|
250
289
|
else
|
251
|
-
|
252
|
-
json = JSON.parse ::File.read(keyfile)
|
253
|
-
json["scope"] ||= scope
|
254
|
-
@project_id ||= (json["project_id"] || json["project"])
|
255
|
-
@client = init_client json, options
|
290
|
+
update_from_filepath keyfile, options
|
256
291
|
end
|
257
292
|
CredentialsLoader.warn_if_cloud_sdk_credentials @client.client_id
|
258
293
|
@project_id ||= CredentialsLoader.load_gcloud_project_id
|
@@ -261,7 +296,6 @@ module Google
|
|
261
296
|
@paths = nil
|
262
297
|
@scope = nil
|
263
298
|
end
|
264
|
-
# rubocop:enable Metrics/AbcSize
|
265
299
|
|
266
300
|
##
|
267
301
|
# Creates a new Credentials instance with auth credentials acquired by searching the
|
@@ -323,7 +357,8 @@ module Google
|
|
323
357
|
# @private Lookup Credentials using Google::Auth.get_application_default.
|
324
358
|
def self.from_application_default options
|
325
359
|
scope = options[:scope] || self.scope
|
326
|
-
|
360
|
+
auth_opts = { target_audience: options[:target_audience] || target_audience }
|
361
|
+
client = Google::Auth.get_application_default scope, auth_opts
|
327
362
|
new client, options
|
328
363
|
end
|
329
364
|
|
@@ -362,14 +397,46 @@ module Google
|
|
362
397
|
options["token_credential_uri"] ||= self.class.token_credential_uri
|
363
398
|
options["audience"] ||= self.class.audience
|
364
399
|
options["scope"] ||= self.class.scope
|
400
|
+
options["target_audience"] ||= self.class.target_audience
|
365
401
|
|
402
|
+
if !Array(options["scope"]).empty? && options["target_audience"]
|
403
|
+
raise ArgumentError, "Cannot specify both scope and target_audience"
|
404
|
+
end
|
405
|
+
|
406
|
+
needs_scope = options["target_audience"].nil?
|
366
407
|
# client options for initializing signet client
|
367
408
|
{ token_credential_uri: options["token_credential_uri"],
|
368
409
|
audience: options["audience"],
|
369
|
-
scope: Array(options["scope"]),
|
410
|
+
scope: (needs_scope ? Array(options["scope"]) : nil),
|
411
|
+
target_audience: options["target_audience"],
|
370
412
|
issuer: options["client_email"],
|
371
413
|
signing_key: OpenSSL::PKey::RSA.new(options["private_key"]) }
|
372
414
|
end
|
415
|
+
|
416
|
+
def update_from_signet client
|
417
|
+
@project_id ||= client.project_id if client.respond_to? :project_id
|
418
|
+
@quota_project_id ||= client.quota_project_id if client.respond_to? :quota_project_id
|
419
|
+
@client = client
|
420
|
+
end
|
421
|
+
|
422
|
+
def update_from_hash hash, options
|
423
|
+
hash = stringify_hash_keys hash
|
424
|
+
hash["scope"] ||= options[:scope]
|
425
|
+
hash["target_audience"] ||= options[:target_audience]
|
426
|
+
@project_id ||= (hash["project_id"] || hash["project"])
|
427
|
+
@quota_project_id ||= hash["quota_project_id"]
|
428
|
+
@client = init_client hash, options
|
429
|
+
end
|
430
|
+
|
431
|
+
def update_from_filepath path, options
|
432
|
+
verify_keyfile_exists! path
|
433
|
+
json = JSON.parse ::File.read(path)
|
434
|
+
json["scope"] ||= options[:scope]
|
435
|
+
json["target_audience"] ||= options[:target_audience]
|
436
|
+
@project_id ||= (json["project_id"] || json["project"])
|
437
|
+
@quota_project_id ||= json["quota_project_id"]
|
438
|
+
@client = init_client json, options
|
439
|
+
end
|
373
440
|
end
|
374
441
|
end
|
375
442
|
end
|
@@ -0,0 +1,233 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# Copyright 2020 Google LLC
|
4
|
+
#
|
5
|
+
# Redistribution and use in source and binary forms, with or without
|
6
|
+
# modification, are permitted provided that the following conditions are
|
7
|
+
# met:
|
8
|
+
#
|
9
|
+
# * Redistributions of source code must retain the above copyright
|
10
|
+
# notice, this list of conditions and the following disclaimer.
|
11
|
+
# * Redistributions in binary form must reproduce the above
|
12
|
+
# copyright notice, this list of conditions and the following disclaimer
|
13
|
+
# in the documentation and/or other materials provided with the
|
14
|
+
# distribution.
|
15
|
+
# * Neither the name of Google Inc. nor the names of its
|
16
|
+
# contributors may be used to endorse or promote products derived from
|
17
|
+
# this software without specific prior written permission.
|
18
|
+
#
|
19
|
+
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
20
|
+
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
21
|
+
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
22
|
+
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
23
|
+
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
24
|
+
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
25
|
+
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
26
|
+
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
27
|
+
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
28
|
+
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
29
|
+
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
30
|
+
|
31
|
+
require "googleauth/id_tokens/errors"
|
32
|
+
require "googleauth/id_tokens/key_sources"
|
33
|
+
require "googleauth/id_tokens/verifier"
|
34
|
+
|
35
|
+
module Google
|
36
|
+
module Auth
|
37
|
+
##
|
38
|
+
# ## Verifying Google ID tokens
|
39
|
+
#
|
40
|
+
# This module verifies ID tokens issued by Google. This can be used to
|
41
|
+
# authenticate signed-in users using OpenID Connect. See
|
42
|
+
# https://developers.google.com/identity/sign-in/web/backend-auth for more
|
43
|
+
# information.
|
44
|
+
#
|
45
|
+
# ### Basic usage
|
46
|
+
#
|
47
|
+
# To verify an ID token issued by Google accounts:
|
48
|
+
#
|
49
|
+
# payload = Google::Auth::IDTokens.verify_oidc the_token,
|
50
|
+
# aud: "my-app-client-id"
|
51
|
+
#
|
52
|
+
# If verification succeeds, you will receive the token's payload as a hash.
|
53
|
+
# If verification fails, an exception (normally a subclass of
|
54
|
+
# {Google::Auth::IDTokens::VerificationError}) will be raised.
|
55
|
+
#
|
56
|
+
# To verify an ID token issued by the Google identity-aware proxy (IAP):
|
57
|
+
#
|
58
|
+
# payload = Google::Auth::IDTokens.verify_iap the_token,
|
59
|
+
# aud: "my-app-client-id"
|
60
|
+
#
|
61
|
+
# These methods will automatically download and cache the Google public
|
62
|
+
# keys necessary to verify these tokens. They will also automatically
|
63
|
+
# verify the issuer (`iss`) field for their respective types of ID tokens.
|
64
|
+
#
|
65
|
+
# ### Advanced usage
|
66
|
+
#
|
67
|
+
# If you want to provide your own public keys, either by pointing at a
|
68
|
+
# custom URI or by providing the key data directly, use the Verifier class
|
69
|
+
# and pass in a key source.
|
70
|
+
#
|
71
|
+
# To point to a custom URI that returns a JWK set:
|
72
|
+
#
|
73
|
+
# source = Google::Auth::IDTokens::JwkHttpKeySource.new "https://example.com/jwk"
|
74
|
+
# verifier = Google::Auth::IDTokens::Verifier.new key_source: source
|
75
|
+
# payload = verifier.verify the_token, aud: "my-app-client-id"
|
76
|
+
#
|
77
|
+
# To provide key data directly:
|
78
|
+
#
|
79
|
+
# jwk_data = {
|
80
|
+
# keys: [
|
81
|
+
# {
|
82
|
+
# alg: "ES256",
|
83
|
+
# crv: "P-256",
|
84
|
+
# kid: "LYyP2g",
|
85
|
+
# kty: "EC",
|
86
|
+
# use: "sig",
|
87
|
+
# x: "SlXFFkJ3JxMsXyXNrqzE3ozl_0913PmNbccLLWfeQFU",
|
88
|
+
# y: "GLSahrZfBErmMUcHP0MGaeVnJdBwquhrhQ8eP05NfCI"
|
89
|
+
# }
|
90
|
+
# ]
|
91
|
+
# }
|
92
|
+
# source = Google::Auth::IDTokens::StaticKeySource.from_jwk_set jwk_data
|
93
|
+
# verifier = Google::Auth::IDTokens::Verifier key_source: source
|
94
|
+
# payload = verifier.verify the_token, aud: "my-app-client-id"
|
95
|
+
#
|
96
|
+
module IDTokens
|
97
|
+
##
|
98
|
+
# A list of issuers expected for Google OIDC-issued tokens.
|
99
|
+
#
|
100
|
+
# @return [Array<String>]
|
101
|
+
#
|
102
|
+
OIDC_ISSUERS = ["accounts.google.com", "https://accounts.google.com"].freeze
|
103
|
+
|
104
|
+
##
|
105
|
+
# A list of issuers expected for Google IAP-issued tokens.
|
106
|
+
#
|
107
|
+
# @return [Array<String>]
|
108
|
+
#
|
109
|
+
IAP_ISSUERS = ["https://cloud.google.com/iap"].freeze
|
110
|
+
|
111
|
+
##
|
112
|
+
# The URL for Google OAuth2 V3 public certs
|
113
|
+
#
|
114
|
+
# @return [String]
|
115
|
+
#
|
116
|
+
OAUTH2_V3_CERTS_URL = "https://www.googleapis.com/oauth2/v3/certs"
|
117
|
+
|
118
|
+
##
|
119
|
+
# The URL for Google IAP public keys
|
120
|
+
#
|
121
|
+
# @return [String]
|
122
|
+
#
|
123
|
+
IAP_JWK_URL = "https://www.gstatic.com/iap/verify/public_key-jwk"
|
124
|
+
|
125
|
+
class << self
|
126
|
+
##
|
127
|
+
# The key source providing public keys that can be used to verify
|
128
|
+
# ID tokens issued by Google OIDC.
|
129
|
+
#
|
130
|
+
# @return [Google::Auth::IDTokens::JwkHttpKeySource]
|
131
|
+
#
|
132
|
+
def oidc_key_source
|
133
|
+
@oidc_key_source ||= JwkHttpKeySource.new OAUTH2_V3_CERTS_URL
|
134
|
+
end
|
135
|
+
|
136
|
+
##
|
137
|
+
# The key source providing public keys that can be used to verify
|
138
|
+
# ID tokens issued by Google IAP.
|
139
|
+
#
|
140
|
+
# @return [Google::Auth::IDTokens::JwkHttpKeySource]
|
141
|
+
#
|
142
|
+
def iap_key_source
|
143
|
+
@iap_key_source ||= JwkHttpKeySource.new IAP_JWK_URL
|
144
|
+
end
|
145
|
+
|
146
|
+
##
|
147
|
+
# Reset all convenience key sources. Used for testing.
|
148
|
+
# @private
|
149
|
+
#
|
150
|
+
def forget_sources!
|
151
|
+
@oidc_key_source = @iap_key_source = nil
|
152
|
+
self
|
153
|
+
end
|
154
|
+
|
155
|
+
##
|
156
|
+
# A convenience method that verifies a token allegedly issued by Google
|
157
|
+
# OIDC.
|
158
|
+
#
|
159
|
+
# @param token [String] The ID token to verify
|
160
|
+
# @param aud [String,Array<String>,nil] The expected audience. At least
|
161
|
+
# one `aud` field in the token must match at least one of the
|
162
|
+
# provided audiences, or the verification will fail with
|
163
|
+
# {Google::Auth::IDToken::AudienceMismatchError}. If `nil` (the
|
164
|
+
# default), no audience checking is performed.
|
165
|
+
# @param azp [String,Array<String>,nil] The expected authorized party
|
166
|
+
# (azp). At least one `azp` field in the token must match at least
|
167
|
+
# one of the provided values, or the verification will fail with
|
168
|
+
# {Google::Auth::IDToken::AuthorizedPartyMismatchError}. If `nil`
|
169
|
+
# (the default), no azp checking is performed.
|
170
|
+
# @param aud [String,Array<String>,nil] The expected audience. At least
|
171
|
+
# one `iss` field in the token must match at least one of the
|
172
|
+
# provided issuers, or the verification will fail with
|
173
|
+
# {Google::Auth::IDToken::IssuerMismatchError}. If `nil`, no issuer
|
174
|
+
# checking is performed. Default is to check against {OIDC_ISSUERS}.
|
175
|
+
#
|
176
|
+
# @return [Hash] The decoded token payload.
|
177
|
+
# @raise [KeySourceError] if the key source failed to obtain public keys
|
178
|
+
# @raise [VerificationError] if the token verification failed.
|
179
|
+
# Additional data may be available in the error subclass and message.
|
180
|
+
#
|
181
|
+
def verify_oidc token,
|
182
|
+
aud: nil,
|
183
|
+
azp: nil,
|
184
|
+
iss: OIDC_ISSUERS
|
185
|
+
|
186
|
+
verifier = Verifier.new key_source: oidc_key_source,
|
187
|
+
aud: aud,
|
188
|
+
azp: azp,
|
189
|
+
iss: iss
|
190
|
+
verifier.verify token
|
191
|
+
end
|
192
|
+
|
193
|
+
##
|
194
|
+
# A convenience method that verifies a token allegedly issued by Google
|
195
|
+
# IAP.
|
196
|
+
#
|
197
|
+
# @param token [String] The ID token to verify
|
198
|
+
# @param aud [String,Array<String>,nil] The expected audience. At least
|
199
|
+
# one `aud` field in the token must match at least one of the
|
200
|
+
# provided audiences, or the verification will fail with
|
201
|
+
# {Google::Auth::IDToken::AudienceMismatchError}. If `nil` (the
|
202
|
+
# default), no audience checking is performed.
|
203
|
+
# @param azp [String,Array<String>,nil] The expected authorized party
|
204
|
+
# (azp). At least one `azp` field in the token must match at least
|
205
|
+
# one of the provided values, or the verification will fail with
|
206
|
+
# {Google::Auth::IDToken::AuthorizedPartyMismatchError}. If `nil`
|
207
|
+
# (the default), no azp checking is performed.
|
208
|
+
# @param aud [String,Array<String>,nil] The expected audience. At least
|
209
|
+
# one `iss` field in the token must match at least one of the
|
210
|
+
# provided issuers, or the verification will fail with
|
211
|
+
# {Google::Auth::IDToken::IssuerMismatchError}. If `nil`, no issuer
|
212
|
+
# checking is performed. Default is to check against {IAP_ISSUERS}.
|
213
|
+
#
|
214
|
+
# @return [Hash] The decoded token payload.
|
215
|
+
# @raise [KeySourceError] if the key source failed to obtain public keys
|
216
|
+
# @raise [VerificationError] if the token verification failed.
|
217
|
+
# Additional data may be available in the error subclass and message.
|
218
|
+
#
|
219
|
+
def verify_iap token,
|
220
|
+
aud: nil,
|
221
|
+
azp: nil,
|
222
|
+
iss: IAP_ISSUERS
|
223
|
+
|
224
|
+
verifier = Verifier.new key_source: iap_key_source,
|
225
|
+
aud: aud,
|
226
|
+
azp: azp,
|
227
|
+
iss: iss
|
228
|
+
verifier.verify token
|
229
|
+
end
|
230
|
+
end
|
231
|
+
end
|
232
|
+
end
|
233
|
+
end
|
@@ -0,0 +1,71 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# Copyright 2020 Google LLC
|
4
|
+
#
|
5
|
+
# Redistribution and use in source and binary forms, with or without
|
6
|
+
# modification, are permitted provided that the following conditions are
|
7
|
+
# met:
|
8
|
+
#
|
9
|
+
# * Redistributions of source code must retain the above copyright
|
10
|
+
# notice, this list of conditions and the following disclaimer.
|
11
|
+
# * Redistributions in binary form must reproduce the above
|
12
|
+
# copyright notice, this list of conditions and the following disclaimer
|
13
|
+
# in the documentation and/or other materials provided with the
|
14
|
+
# distribution.
|
15
|
+
# * Neither the name of Google Inc. nor the names of its
|
16
|
+
# contributors may be used to endorse or promote products derived from
|
17
|
+
# this software without specific prior written permission.
|
18
|
+
#
|
19
|
+
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
20
|
+
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
21
|
+
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
22
|
+
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
23
|
+
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
24
|
+
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
25
|
+
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
26
|
+
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
27
|
+
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
28
|
+
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
29
|
+
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
30
|
+
|
31
|
+
|
32
|
+
module Google
|
33
|
+
module Auth
|
34
|
+
module IDTokens
|
35
|
+
##
|
36
|
+
# Failed to obtain keys from the key source.
|
37
|
+
#
|
38
|
+
class KeySourceError < StandardError; end
|
39
|
+
|
40
|
+
##
|
41
|
+
# Failed to verify a token.
|
42
|
+
#
|
43
|
+
class VerificationError < StandardError; end
|
44
|
+
|
45
|
+
##
|
46
|
+
# Failed to verify a token because it is expired.
|
47
|
+
#
|
48
|
+
class ExpiredTokenError < VerificationError; end
|
49
|
+
|
50
|
+
##
|
51
|
+
# Failed to verify a token because its signature did not match.
|
52
|
+
#
|
53
|
+
class SignatureError < VerificationError; end
|
54
|
+
|
55
|
+
##
|
56
|
+
# Failed to verify a token because its issuer did not match.
|
57
|
+
#
|
58
|
+
class IssuerMismatchError < VerificationError; end
|
59
|
+
|
60
|
+
##
|
61
|
+
# Failed to verify a token because its audience did not match.
|
62
|
+
#
|
63
|
+
class AudienceMismatchError < VerificationError; end
|
64
|
+
|
65
|
+
##
|
66
|
+
# Failed to verify a token because its authorized party did not match.
|
67
|
+
#
|
68
|
+
class AuthorizedPartyMismatchError < VerificationError; end
|
69
|
+
end
|
70
|
+
end
|
71
|
+
end
|