googleauth 0.13.1 → 0.16.1

data/Gemfile

@@ -8,7 +8,7 @@ group :development do
   gem "coveralls", "~> 0.7"
   gem "fakefs", "~> 0.6"
   gem "fakeredis", "~> 0.5"
-  gem "google-style", "~> 1.24.0"
+  gem "google-style", "~> 1.25.1"
   gem "logging", "~> 2.0"
   gem "minitest", "~> 5.14"
   gem "minitest-focus", "~> 1.1"
@@ -21,10 +21,5 @@ group :development do
   gem "webmock", "~> 3.8"
 end
 
-platforms :jruby do
-  group :development do
-  end
-end
-
-gem "faraday", "~> 0.17"
+gem "faraday", ">= 0.17.3", "< 2.0"
 gem "gems", "~> 1.2"

data/README.md

@@ -182,17 +182,19 @@ Custom storage implementations can also be used. See
 
 ## Supported Ruby Versions
 
-This library requires Ruby 2.4 or later.
+This library is supported on Ruby 2.5+.
 
-In general, this library supports Ruby versions that are considered current and
-supported by Ruby Core (that is, Ruby versions that are either in normal
-maintenance or in security maintenance).
-See https://www.ruby-lang.org/en/downloads/branches/ for further details.
+Google provides official support for Ruby versions that are actively supported
+by Ruby Core—that is, Ruby versions that are either in normal maintenance or in
+security maintenance, and not end of life. Currently, this means Ruby 2.5 and
+later. Older versions of Ruby _may_ still work, but are unsupported and not
+recommended. See https://www.ruby-lang.org/en/downloads/branches/ for details
+about the Ruby support schedule.
 
 ## License
 
 This library is licensed under Apache 2.0. Full license text is
-available in [COPYING][copying].
+available in [LICENSE][license].
 
 ## Contributing
 
@@ -208,4 +210,4 @@ about the client or APIs on [StackOverflow](http://stackoverflow.com).
 
 [application default credentials]: https://developers.google.com/accounts/docs/application-default-credentials
 [contributing]: https://github.com/googleapis/google-auth-library-ruby/tree/master/.github/CONTRIBUTING.md
-[copying]: https://github.com/googleapis/google-auth-library-ruby/tree/master/COPYING
+[license]: https://github.com/googleapis/google-auth-library-ruby/tree/master/LICENSE

data/googleauth.gemspec

@@ -24,8 +24,9 @@ Gem::Specification.new do |gem|
     File.basename f
   end
   gem.require_paths = ["lib"]
+
   gem.platform      = Gem::Platform::RUBY
-  gem.required_ruby_version = ">= 2.4.0"
+  gem.required_ruby_version = ">= 2.5"
 
   gem.add_dependency "faraday", ">= 0.17.3", "< 2.0"
   gem.add_dependency "jwt", ">= 1.4", "< 3.0"

data/lib/googleauth/compute_engine.rb

@@ -51,22 +51,43 @@ module Google
     class GCECredentials < Signet::OAuth2::Client
       # The IP Address is used in the URIs to speed up failures on non-GCE
       # systems.
+      DEFAULT_METADATA_HOST = "169.254.169.254".freeze
+
+      # @private Unused and deprecated
       COMPUTE_AUTH_TOKEN_URI =
         "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze
+      # @private Unused and deprecated
       COMPUTE_ID_TOKEN_URI =
         "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity".freeze
+      # @private Unused and deprecated
       COMPUTE_CHECK_URI = "http://169.254.169.254".freeze
 
       class << self
         extend Memoist
 
+        def metadata_host
+          ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST
+        end
+
+        def compute_check_uri
+          "http://#{metadata_host}".freeze
+        end
+
+        def compute_auth_token_uri
+          "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/token".freeze
+        end
+
+        def compute_id_token_uri
+          "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/identity".freeze
+        end
+
         # Detect if this appear to be a GCE instance, by checking if metadata
         # is available.
         def on_gce? options = {}
           # TODO: This should use google-cloud-env instead.
           c = options[:connection] || Faraday.default_connection
           headers = { "Metadata-Flavor" => "Google" }
-          resp = c.get COMPUTE_CHECK_URI, nil, headers do |req|
+          resp = c.get compute_check_uri, nil, headers do |req|
             req.options.timeout = 1.0
             req.options.open_timeout = 0.1
           end
@@ -84,24 +105,25 @@ module Google
       def fetch_access_token options = {}
         c = options[:connection] || Faraday.default_connection
         retry_with_error do
-          uri = target_audience ? COMPUTE_ID_TOKEN_URI : COMPUTE_AUTH_TOKEN_URI
+          uri = target_audience ? GCECredentials.compute_id_token_uri : GCECredentials.compute_auth_token_uri
           query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
-          query[:scopes] = Array(scope).join " " if scope
-          headers = { "Metadata-Flavor" => "Google" }
-          resp = c.get uri, query, headers
+          query[:scopes] = Array(scope).join "," if scope
+          resp = c.get uri, query, "Metadata-Flavor" => "Google"
           case resp.status
           when 200
             content_type = resp.headers["content-type"]
-            if content_type == "text/html"
+            if ["text/html", "application/text"].include? content_type
               { (target_audience ? "id_token" : "access_token") => resp.body }
             else
               Signet::OAuth2.parse_credentials resp.body, content_type
             end
+          when 403, 500
+            msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
+            raise Signet::UnexpectedStatusError, msg
           when 404
             raise Signet::AuthorizationError, NO_METADATA_SERVER_ERROR
           else
-            msg = "Unexpected error code #{resp.status}" \
-              "#{UNEXPECTED_ERROR_SUFFIX}"
+            msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
             raise Signet::AuthorizationError, msg
           end
         end

data/lib/googleauth/credentials.rb

@@ -36,9 +36,46 @@ require "googleauth/credentials_loader"
 module Google
   module Auth
     ##
-    # Credentials is responsible for representing the authentication when connecting to an API. This
-    # class is also intended to be inherited by API-specific classes.
-    class Credentials
+    # Credentials is a high-level base class used by Google's API client
+    # libraries to represent the authentication when connecting to an API.
+    # In most cases, it is subclassed by API-specific credential classes that
+    # can be instantiated by clients.
+    #
+    # ## Options
+    #
+    # Credentials classes are configured with options that dictate default
+    # values for parameters such as scope and audience. These defaults are
+    # expressed as class attributes, and may differ from endpoint to endpoint.
+    # Normally, an API client will provide subclasses specific to each
+    # endpoint, configured with appropriate values.
+    #
+    # Note that these options inherit up the class hierarchy. If a particular
+    # options is not set for a subclass, its superclass is queried.
+    #
+    # Some older users of this class set options via constants. This usage is
+    # deprecated. For example, instead of setting the `AUDIENCE` constant on
+    # your subclass, call the `audience=` method.
+    #
+    # ## Example
+    #
+    #     class MyCredentials < Google::Auth::Credentials
+    #       # Set the default scope for these credentials
+    #       self.scope = "http://example.com/my_scope"
+    #     end
+    #
+    #     # creds is a credentials object suitable for Google API clients
+    #     creds = MyCredentials.default
+    #     creds.scope  # => ["http://example.com/my_scope"]
+    #
+    #     class SubCredentials < MyCredentials
+    #       # Override the default scope for this subclass
+    #       self.scope = "http://example.com/sub_scope"
+    #     end
+    #
+    #     creds2 = SubCredentials.default
+    #     creds2.scope  # => ["http://example.com/sub_scope"]
+    #
+    class Credentials # rubocop:disable Metrics/ClassLength
       ##
       # The default token credential URI to be used when none is provided during initialization.
       TOKEN_CREDENTIAL_URI = "https://oauth2.googleapis.com/token".freeze
@@ -47,7 +84,7 @@ module Google
       # The default target audience ID to be used when none is provided during initialization.
       AUDIENCE = "https://oauth2.googleapis.com/token".freeze
 
-      @audience = @scope = @target_audience = @env_vars = @paths = nil
+      @audience = @scope = @target_audience = @env_vars = @paths = @token_credential_uri = nil
 
       ##
       # The default token credential URI to be used when none is provided during initialization.
@@ -57,16 +94,15 @@ module Google
       # @return [String]
       #
       def self.token_credential_uri
-        return @token_credential_uri unless @token_credential_uri.nil?
-
-        const_get :TOKEN_CREDENTIAL_URI if const_defined? :TOKEN_CREDENTIAL_URI
+        lookup_auth_param :token_credential_uri do
+          lookup_local_constant :TOKEN_CREDENTIAL_URI
+        end
       end
 
       ##
       # Set the default token credential URI to be used when none is provided during initialization.
       #
       # @param [String] new_token_credential_uri
-      # @return [String]
       #
       def self.token_credential_uri= new_token_credential_uri
         @token_credential_uri = new_token_credential_uri
@@ -79,16 +115,15 @@ module Google
       # @return [String]
       #
       def self.audience
-        return @audience unless @audience.nil?
-
-        const_get :AUDIENCE if const_defined? :AUDIENCE
+        lookup_auth_param :audience do
+          lookup_local_constant :AUDIENCE
+        end
       end
 
       ##
       # Sets the default target audience ID to be used when none is provided during initialization.
       #
       # @param [String] new_audience
-      # @return [String]
       #
       def self.audience= new_audience
         @audience = new_audience
@@ -103,12 +138,13 @@ module Google
       # If {#scope} is set, this credential will produce access tokens.
       # If {#target_audience} is set, this credential will produce ID tokens.
       #
-      # @return [String, Array<String>]
+      # @return [String, Array<String>, nil]
       #
       def self.scope
-        return @scope unless @scope.nil?
-
-        Array(const_get(:SCOPE)).flatten.uniq if const_defined? :SCOPE
+        lookup_auth_param :scope do
+          vals = lookup_local_constant :SCOPE
+          vals ? Array(vals).flatten.uniq : nil
+        end
       end
 
       ##
@@ -118,8 +154,7 @@ module Google
       # If {#scope} is set, this credential will produce access tokens.
       # If {#target_audience} is set, this credential will produce ID tokens.
       #
-      # @param [String, Array<String>] new_scope
-      # @return [String, Array<String>]
+      # @param [String, Array<String>, nil] new_scope
       #
       def self.scope= new_scope
         new_scope = Array new_scope unless new_scope.nil?
@@ -134,10 +169,10 @@ module Google
       # If {#scope} is set, this credential will produce access tokens.
       # If {#target_audience} is set, this credential will produce ID tokens.
       #
-      # @return [String]
+      # @return [String, nil]
       #
       def self.target_audience
-        @target_audience
+        lookup_auth_param :target_audience
       end
 
       ##
@@ -148,7 +183,7 @@ module Google
       # If {#scope} is set, this credential will produce access tokens.
       # If {#target_audience} is set, this credential will produce ID tokens.
       #
-      # @param [String] new_target_audience
+      # @param [String, nil] new_target_audience
       #
       def self.target_audience= new_target_audience
         @target_audience = new_target_audience
@@ -157,24 +192,33 @@ module Google
       ##
       # The environment variables to search for credentials. Values can either be a file path to the
       # credentials file, or the JSON contents of the credentials file.
+      # The env_vars will never be nil. If there are no vars, the empty array is returned.
       #
       # @return [Array<String>]
       #
       def self.env_vars
-        return @env_vars unless @env_vars.nil?
+        env_vars_internal || []
+      end
 
-        # Pull values when PATH_ENV_VARS or JSON_ENV_VARS constants exists.
-        tmp_env_vars = []
-        tmp_env_vars << const_get(:PATH_ENV_VARS) if const_defined? :PATH_ENV_VARS
-        tmp_env_vars << const_get(:JSON_ENV_VARS) if const_defined? :JSON_ENV_VARS
-        tmp_env_vars.flatten.uniq
+      ##
+      # @private
+      # Internal recursive lookup for env_vars.
+      #
+      def self.env_vars_internal
+        lookup_auth_param :env_vars, :env_vars_internal do
+          # Pull values when PATH_ENV_VARS or JSON_ENV_VARS constants exists.
+          path_env_vars = lookup_local_constant :PATH_ENV_VARS
+          json_env_vars = lookup_local_constant :JSON_ENV_VARS
+          (Array(path_env_vars) + Array(json_env_vars)).flatten.uniq if path_env_vars || json_env_vars
+        end
       end
 
       ##
       # Sets the environment variables to search for credentials.
+      # Setting to `nil` "unsets" the value, and defaults to the superclass
+      # (or to the empty array if there is no superclass).
       #
-      # @param [Array<String>] new_env_vars
-      # @return [Array<String>]
+      # @param [String, Array<String>, nil] new_env_vars
       #
       def self.env_vars= new_env_vars
         new_env_vars = Array new_env_vars unless new_env_vars.nil?
@@ -183,29 +227,72 @@ module Google
 
       ##
       # The file paths to search for credentials files.
+      # The paths will never be nil. If there are no paths, the empty array is returned.
       #
       # @return [Array<String>]
       #
       def self.paths
-        return @paths unless @paths.nil?
+        paths_internal || []
+      end
 
-        tmp_paths = []
-        # Pull in values is the DEFAULT_PATHS constant exists.
-        tmp_paths << const_get(:DEFAULT_PATHS) if const_defined? :DEFAULT_PATHS
-        tmp_paths.flatten.uniq
+      ##
+      # @private
+      # Internal recursive lookup for paths.
+      #
+      def self.paths_internal
+        lookup_auth_param :paths, :paths_internal do
+          # Pull in values if the DEFAULT_PATHS constant exists.
+          vals = lookup_local_constant :DEFAULT_PATHS
+          vals ? Array(vals).flatten.uniq : nil
+        end
       end
 
       ##
       # Set the file paths to search for credentials files.
+      # Setting to `nil` "unsets" the value, and defaults to the superclass
+      # (or to the empty array if there is no superclass).
       #
-      # @param [Array<String>] new_paths
-      # @return [Array<String>]
+      # @param [String, Array<String>, nil] new_paths
       #
       def self.paths= new_paths
         new_paths = Array new_paths unless new_paths.nil?
         @paths = new_paths
       end
 
+      ##
+      # @private
+      # Return the given parameter value, defaulting up the class hierarchy.
+      #
+      # First returns the value of the instance variable, if set.
+      # Next, calls the given block if provided. (This is generally used to
+      # look up legacy constant-based values.)
+      # Otherwise, calls the superclass method if present.
+      # Returns nil if all steps fail.
+      #
+      # @param name [Symbol] The parameter name
+      # @param method_name [Symbol] The lookup method name, if different
+      # @return [Object] The value
+      #
+      def self.lookup_auth_param name, method_name = name
+        val = instance_variable_get "@#{name}".to_sym
+        val = yield if val.nil? && block_given?
+        return val unless val.nil?
+        return superclass.send method_name if superclass.respond_to? method_name
+        nil
+      end
+
+      ##
+      # @private
+      # Return the value of the given constant if it is defined directly in
+      # this class, or nil if not.
+      #
+      # @param [Symbol] Name of the constant
+      # @return [Object] The value
+      #
+      def self.lookup_local_constant name
+        const_defined?(name, false) ? const_get(name) : nil
+      end
+
       ##
       # The Signet::OAuth2::Client object the Credentials instance is using.
       #
@@ -282,9 +369,10 @@ module Google
         verify_keyfile_provided! keyfile
         @project_id = options["project_id"] || options["project"]
         @quota_project_id = options["quota_project_id"]
-        if keyfile.is_a? Signet::OAuth2::Client
+        case keyfile
+        when Signet::OAuth2::Client
           update_from_signet keyfile
-        elsif keyfile.is_a? Hash
+        when Hash
           update_from_hash keyfile, options
         else
           update_from_filepath keyfile, options
@@ -336,8 +424,15 @@ module Google
         env_vars.each do |env_var|
           str = ENV[env_var]
           next if str.nil?
-          return new str, options if ::File.file? str
-          return new ::JSON.parse(str), options rescue nil
+          io =
+            if ::File.file? str
+              ::StringIO.new ::File.read str
+            else
+              json = ::JSON.parse str rescue nil
+              json ? ::StringIO.new(str) : nil
+            end
+          next if io.nil?
+          return from_io io, options
         end
         nil
       end
@@ -345,11 +440,11 @@ module Google
       ##
       # @private Lookup Credentials from default file paths.
       def self.from_default_paths options
-        paths
-          .select { |p| ::File.file? p }
-          .each do |file|
-            return new file, options
-          end
+        paths.each do |path|
+          next unless path && ::File.file?(path)
+          io = ::StringIO.new ::File.read path
+          return from_io io, options
+        end
         nil
       end
 
@@ -357,14 +452,34 @@ module Google
       # @private Lookup Credentials using Google::Auth.get_application_default.
       def self.from_application_default options
         scope = options[:scope] || self.scope
-        auth_opts = { target_audience: options[:target_audience] || target_audience }
+        auth_opts = {
+          token_credential_uri:   options[:token_credential_uri] || token_credential_uri,
+          audience:               options[:audience] || audience,
+          target_audience:        options[:target_audience] || target_audience,
+          enable_self_signed_jwt: options[:enable_self_signed_jwt] && options[:scope].nil?
+        }
         client = Google::Auth.get_application_default scope, auth_opts
         new client, options
       end
 
+      # @private Read credentials from a JSON stream.
+      def self.from_io io, options
+        creds_input = {
+          json_key_io:            io,
+          scope:                  options[:scope] || scope,
+          target_audience:        options[:target_audience] || target_audience,
+          enable_self_signed_jwt: options[:enable_self_signed_jwt] && options[:scope].nil?,
+          token_credential_uri:   options[:token_credential_uri] || token_credential_uri,
+          audience:               options[:audience] || audience
+        }
+        client = Google::Auth::DefaultCredentials.make_creds creds_input
+        new client
+      end
+
       private_class_method :from_env_vars,
                            :from_default_paths,
-                           :from_application_default
+                           :from_application_default,
+                           :from_io
 
       protected
 
@@ -389,9 +504,11 @@ module Google
 
       # returns a new Hash with string keys instead of symbol keys.
       def stringify_hash_keys hash
-        Hash[hash.map { |k, v| [k.to_s, v] }]
+        hash.to_h.transform_keys(&:to_s)
       end
 
+      # rubocop:disable Metrics/AbcSize
+
       def client_options options
         # Keyfile options have higher priority over constructor defaults
         options["token_credential_uri"] ||= self.class.token_credential_uri
@@ -413,6 +530,8 @@ module Google
           signing_key:          OpenSSL::PKey::RSA.new(options["private_key"]) }
       end
 
+      # rubocop:enable Metrics/AbcSize
+
       def update_from_signet client
         @project_id ||= client.project_id if client.respond_to? :project_id
         @quota_project_id ||= client.quota_project_id if client.respond_to? :quota_project_id