googleauth 0.11.0 → 0.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '084256f40daf70be42b7489597bbdde5fa0809a0b33690f60307fafa4928d83f'
-  data.tar.gz: ecf351e58a7ff196ed6e75e9a9bdca3eef918828feb9e65dd5e51869c6c6a235
+  metadata.gz: b15478e865e5cfea5a21aaf18b55e6f7839c0c6a81fd127a249d414ce7f62589
+  data.tar.gz: 0a5ea3ff83f4706367b710ac200ef1936f042f8c124174c0ab5857aa435e940c
 SHA512:
-  metadata.gz: eb987a66865f02231cd66e8b96bbc8a26c97bb516a0a4324c19b86e9c5a77b84f1af208aa96b2a9f9b3656b0d9b742b0f27b6dcc26060cb9acfd5b03d96beccb
-  data.tar.gz: b59184d1118bc14fdf5499eb2a19e5ecd9ba4e90c9d1f6ba648e18a648f4162c2a6ef0fe2d65683ecf1b0dfd42500a9fdfbba0d61208538d4c3c4bd85b482f9e
+  metadata.gz: a096b40f4f8559d1263e9f7fd8d28742ee63199dfc5ae77c486602f14bb9f03ed1331b86e64a0afe32bcafef38bb9e26140226615ac546817e1bc8d4c96812ba
+  data.tar.gz: fefa616d20dbfb6b11b71e7869d08e470b919cce6ea991d91930f5036f2945fb652cbb6dfe83f50e93c626c953ba4d9b82483b28891abc97bbb8f4fae863013c

data/.github/CODEOWNERS

@@ -0,0 +1,7 @@
+# Code owners file.
+# This file controls who is tagged for review for any given pull request.
+#
+# For syntax help see:
+# https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners#codeowners-syntax
+
+*     @googleapis/yoshi-ruby

data/.github/workflows/release.yml

@@ -0,0 +1,36 @@
+on:
+  schedule:
+    - cron: '29 9 * * 1'
+  workflow_dispatch:
+
+name: release
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - name: ReleasePlease
+        id: release-please
+        uses: GoogleCloudPlatform/release-please-action@v2
+        with:
+          command: release-pr
+          token: ${{ secrets.YOSHI_CODE_BOT_TOKEN }}
+          fork: true
+          release-type: ruby
+          package-name: google-auth-library-ruby
+          version-file: lib/googleauth/version.rb
+          monorepo-tags: true
+          bump-minor-pre-major: true
+      - name: ReleaseLabel
+        id: release-label
+        if: ${{ steps.release-please.outputs.pr }}
+        uses: actions/github-script@v2
+        with:
+          github-token: ${{secrets.YOSHI_APPROVER_TOKEN}}
+          script: |
+            core.info("Labeling release");
+            github.issues.addLabels({
+              owner: 'googleapis',
+              repo: 'google-auth-library-ruby',
+              issue_number: ${{ steps.release-please.outputs.pr }},
+              labels: ["autorelease: pending", "kokoro:force-run"]
+            });

data/.rubocop.yml

@@ -3,9 +3,11 @@ inherit_gem:
 
 AllCops:
   Exclude:
-    - "spec/**/*"
     - "Rakefile"
+    - "integration/**/*"
     - "rakelib/**/*"
+    - "spec/**/*"
+    - "test/**/*"
 Metrics/ClassLength:
   Max: 200
 Metrics/ModuleLength:

data/CHANGELOG.md

@@ -1,9 +1,44 @@
-### 0.11.0 / 2020-02-24
+# Release History
+
+## [0.15.0](https://www.github.com/googleapis/google-auth-library-ruby/compare/v0.14.0...v0.15.0) (2021-01-26)
+
+
+### Features
+
+* Credential parameters inherit from superclasses ([4fa4720](https://www.github.com/googleapis/google-auth-library-ruby/commit/4fa47206dbd62f8bbdd1b9d3721f6baee9fd1d62))
+* Service accounts apply a self-signed JWT if scopes are marked as default ([d22acb8](https://www.github.com/googleapis/google-auth-library-ruby/commit/d22acb8a510e6711b5674545c31a4816e5a9168f))
+
+
+### Bug Fixes
+
+* Retry fetch_access_token when GCE metadata server returns unexpected errors ([cd9b012](https://www.github.com/googleapis/google-auth-library-ruby/commit/cd9b0126d3419b9953982f71edc9e6ba3f640e3c))
+* Support correct service account and user refresh behavior for custom credential env variables ([d2dffe5](https://www.github.com/googleapis/google-auth-library-ruby/commit/d2dffe592112b45006291ad9a57f56e00fb208c3))
+
+## 0.14.0 / 2020-10-09
+
+* Honor GCE_METADATA_HOST environment variable
+* Fix errors in some environments when requesting an access token for multiple scopes
+
+## 0.13.1 / 2020-07-30
+
+* Support scopes when using GCE Metadata Server authentication ([@ball-hayden][])
+
+## 0.13.0 / 2020-06-17
+
+* Support for validating ID tokens.
+* Fixed header application of ID tokens from service accounts.
+
+## 0.12.0 / 2020-04-08
+
+* Support for ID token credentials.
+* Support reading quota_id_project from service account credentials.
+
+## 0.11.0 / 2020-02-24
 
 * Support Faraday 1.x.
 * Allow special "postmessage" value for redirect_uri.
 
-### 0.10.0 / 2019-10-09
+## 0.10.0 / 2019-10-09
 
 Note: This release now requires Ruby 2.4 or later
 
@@ -13,7 +48,7 @@ Note: This release now requires Ruby 2.4 or later
 * Set instance variables at initialization to avoid spamming warnings
 * Pass "Metadata-Flavor" header to metadata server when checking for GCE
 
-### 0.9.0 / 2019-08-05
+## 0.9.0 / 2019-08-05
 
 * Restore compatibility with Ruby 2.0. This is the last release that will work on end-of-lifed versions of Ruby. The 0.10 release will require Ruby 2.4 or later.
 * Update Credentials to use methods for values that are intended to be changed by users, replacing constants.
@@ -22,79 +57,79 @@ Note: This release now requires Ruby 2.4 or later
 * Add verbosity none to gcloud command
 * Make arity of WebUserAuthorizer#get_credentials compatible with the base class
 
-### 0.8.1 / 2019-03-27
+## 0.8.1 / 2019-03-27
 
 * Silence unnecessary gcloud warning
 * Treat empty credentials environment variables as unset
 
-### 0.8.0 / 2019-01-02
+## 0.8.0 / 2019-01-02
 
 * Support connection options :default_connection and :connection_builder when creating credentials that need to refresh OAuth tokens. This lets clients provide connection objects with custom settings, such as proxies, needed for the client environment.
 * Removed an unnecessary warning about project IDs.
 
-### 0.7.1 / 2018-10-25
+## 0.7.1 / 2018-10-25
 
 * Make load_gcloud_project_id module function.
 
-### 0.7.0 / 2018-10-24
+## 0.7.0 / 2018-10-24
 
 * Add project_id instance variable to UserRefreshCredentials, ServiceAccountCredentials, and Credentials.
 
-### 0.6.7 / 2018-10-16
+## 0.6.7 / 2018-10-16
 
 * Update memoist dependency to ~> 0.16.
 
-### 0.6.6 / 2018-08-22
+## 0.6.6 / 2018-08-22
 
 * Remove ruby version warnings.
 
-### 0.6.5 / 2018-08-16
+## 0.6.5 / 2018-08-16
 
 * Fix incorrect http verb when revoking credentials.
 * Warn on EOL ruby versions.
 
-### 0.6.4 / 2018-08-03
+## 0.6.4 / 2018-08-03
 
 * Resolve issue where DefaultCredentials constant was undefined.
 
-### 0.6.3 / 2018-08-02
+## 0.6.3 / 2018-08-02
 
 * Resolve issue where token_store was being written to twice
 
-### 0.6.2 / 2018-08-01
+## 0.6.2 / 2018-08-01
 
 * Add warning when using cloud sdk credentials
 
-### 0.6.1 / 2017-10-18
+## 0.6.1 / 2017-10-18
 
 * Fix file permissions
 
-### 0.6.0 / 2017-10-17
+## 0.6.0 / 2017-10-17
 
 * Support ruby-jwt 2.0
 * Add simple credentials class
 
-### 0.5.3 / 2017-07-21
+## 0.5.3 / 2017-07-21
 
 * Fix file permissions on the gem's `.rb` files.
 
-### 0.5.2 / 2017-07-19
+## 0.5.2 / 2017-07-19
 
 * Add retry mechanism when fetching access tokens in `GCECredentials` and `UserRefreshCredentials` classes.
 * Update Google API OAuth2 token credential URI to v4.
 
-### 0.5.1 / 2016-01-06
+## 0.5.1 / 2016-01-06
 
 * Change header name emitted by `Client#apply` from "Authorization" to "authorization" ([@murgatroid99][])
 * Fix ADC not working on some windows machines ([@vsubramani][])
 [#55](https://github.com/google/google-auth-library-ruby/issues/55)
 
-### 0.5.0 / 2015-10-12
+## 0.5.0 / 2015-10-12
 
 * Initial support for user credentials ([@sqrrrl][])
 * Update Signet to 0.7
 
-### 0.4.2 / 2015-08-05
+## 0.4.2 / 2015-08-05
 
 * Updated UserRefreshCredentials hash to use string keys ([@haabaato][])
 [#36](https://github.com/google/google-auth-library-ruby/issues/36)
@@ -111,16 +146,16 @@ Note: This release now requires Ruby 2.4 or later
 * Enables passing credentials via environment variables. ([@haabaato][])
 [#27](https://github.com/google/google-auth-library-ruby/issues/27)
 
-### 0.4.1 / 2015-04-25
+## 0.4.1 / 2015-04-25
 
 * Improves handling of --no-scopes GCE authorization ([@tbetbetbe][])
 * Refactoring and cleanup ([@joneslee85][])
 
-### 0.4.0 / 2015-03-25
+## 0.4.0 / 2015-03-25
 
 * Adds an implementation of JWT header auth ([@tbetbetbe][])
 
-### 0.3.0 / 2015-03-23
+## 0.3.0 / 2015-03-23
 
 * makes the scope parameter's optional in all APIs. ([@tbetbetbe][])
 * changes the scope parameter's position in various constructors. ([@tbetbetbe][])
@@ -133,3 +168,4 @@ Note: This release now requires Ruby 2.4 or later
 [@tbetbetbe]: https://github.com/tbetbetbe
 [@murgatroid99]: https://github.com/murgatroid99
 [@vsubramani]: https://github.com/vsubramani
+[@ball-hayden]: https://github.com/ball-hayden

data/Gemfile

@@ -10,13 +10,15 @@ group :development do
   gem "fakeredis", "~> 0.5"
   gem "google-style", "~> 1.24.0"
   gem "logging", "~> 2.0"
+  gem "minitest", "~> 5.14"
+  gem "minitest-focus", "~> 1.1"
   gem "rack-test", "~> 0.6"
-  gem "rake", "~> 10.0"
+  gem "rake", "~> 13.0"
   gem "redis", "~> 3.2"
   gem "rspec", "~> 3.0"
   gem "simplecov", "~> 0.9"
   gem "sinatra"
-  gem "webmock", "~> 1.21"
+  gem "webmock", "~> 3.8"
 end
 
 platforms :jruby do
@@ -24,4 +26,5 @@ platforms :jruby do
   end
 end
 
+gem "faraday", "~> 0.17"
 gem "gems", "~> 1.2"

data/Rakefile

@@ -2,9 +2,30 @@
 require "json"
 require "bundler/gem_tasks"
 
+require "rubocop/rake_task"
+RuboCop::RakeTask.new
+
+require "rake/testtask"
+
+desc "Run tests."
+Rake::TestTask.new do |t|
+  t.libs << "test"
+  t.test_files = FileList["test/**/*_test.rb"]
+  t.warning = false
+end
+
+desc "Run integration tests."
+Rake::TestTask.new("integration") do |t|
+  t.libs << "integration"
+  t.test_files = FileList["integration/**/*_test.rb"]
+  t.warning = false
+end
+
 task :ci do
   header "Using Ruby - #{RUBY_VERSION}"
   sh "bundle exec rubocop"
+  Rake::Task["test"].invoke
+  Rake::Task["integration"].invoke
   sh "bundle exec rspec"
 end
 

data/googleauth.gemspec

@@ -9,7 +9,7 @@ Gem::Specification.new do |gem|
   gem.version       = Google::Auth::VERSION
   gem.authors       = ["Tim Emiola"]
   gem.email         = "temiola@google.com"
-  gem.homepage      = "https://github.com/google/google-auth-library-ruby"
+  gem.homepage      = "https://github.com/googleapis/google-auth-library-ruby"
   gem.summary       = "Google Auth Library for Ruby"
   gem.license       = "Apache-2.0"
   gem.description   = <<-DESCRIPTION
@@ -32,6 +32,7 @@ Gem::Specification.new do |gem|
   gem.add_dependency "memoist", "~> 0.16"
   gem.add_dependency "multi_json", "~> 1.11"
   gem.add_dependency "os", ">= 0.9", "< 2.0"
-  gem.add_dependency "signet", "~> 0.12"
+  gem.add_dependency "signet", "~> 0.14"
+
   gem.add_development_dependency "yard", "~> 0.9"
 end

data/integration/helper.rb

@@ -0,0 +1,31 @@
+# Copyright 2020 Google LLC
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "minitest/autorun"
+require "minitest/focus"
+require "googleauth"

data/integration/id_tokens/key_source_test.rb

@@ -0,0 +1,74 @@
+# Copyright 2020 Google LLC
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "helper"
+
+describe Google::Auth::IDTokens do
+  describe "key source" do
+    let(:legacy_oidc_key_source) {
+      Google::Auth::IDTokens::X509CertHttpKeySource.new "https://www.googleapis.com/oauth2/v1/certs"
+    }
+    let(:oidc_key_source) { Google::Auth::IDTokens.oidc_key_source }
+    let(:iap_key_source) { Google::Auth::IDTokens.iap_key_source }
+
+    it "Gets real keys from the OAuth2 V1 cert URL" do
+      keys = legacy_oidc_key_source.refresh_keys
+      refute_empty keys
+      keys.each do |key|
+        assert_kind_of OpenSSL::PKey::RSA, key.key
+        refute key.key.private?
+        assert_equal "RS256", key.algorithm
+      end
+    end
+
+    it "Gets real keys from the OAuth2 V3 cert URL" do
+      keys = oidc_key_source.refresh_keys
+      refute_empty keys
+      keys.each do |key|
+        assert_kind_of OpenSSL::PKey::RSA, key.key
+        refute key.key.private?
+        assert_equal "RS256", key.algorithm
+      end
+    end
+
+    it "Gets the same keys from the OAuth2 V1 and V3 cert URLs" do
+      keys_v1 = legacy_oidc_key_source.refresh_keys.map(&:key).map(&:export).sort
+      keys_v3 = oidc_key_source.refresh_keys.map(&:key).map(&:export).sort
+      assert_equal keys_v1, keys_v3
+    end
+
+    it "Gets real keys from the IAP public key URL" do
+      keys = iap_key_source.refresh_keys
+      refute_empty keys
+      keys.each do |key|
+        assert_kind_of OpenSSL::PKey::EC, key.key
+        assert_equal "ES256", key.algorithm
+      end
+    end
+  end
+end

data/lib/googleauth.rb

@@ -31,5 +31,6 @@ require "googleauth/application_default"
 require "googleauth/client_id"
 require "googleauth/credentials"
 require "googleauth/default_credentials"
+require "googleauth/id_tokens"
 require "googleauth/user_authorizer"
 require "googleauth/web_user_authorizer"

data/lib/googleauth/application_default.rb

@@ -75,7 +75,7 @@ module Google
         GCECredentials.unmemoize_all
         raise NOT_FOUND_ERROR
       end
-      GCECredentials.new
+      GCECredentials.new scope: scope
     end
   end
 end