googleauth 0.14.0 → 1.3.0
- checksums.yaml +4 -4
- data/.yardopts +11 -0
- data/CHANGELOG.md +72 -10
- data/README.md +48 -13
- data/SECURITY.md +7 -0
- data/lib/googleauth/application_default.rb +10 -25
- data/lib/googleauth/client_id.rb +10 -25
- data/lib/googleauth/compute_engine.rb +16 -30
- data/lib/googleauth/credentials.rb +178 -74
- data/lib/googleauth/credentials_loader.rb +23 -44
- data/lib/googleauth/default_credentials.rb +10 -25
- data/lib/googleauth/iam.rb +11 -26
- data/lib/googleauth/id_tokens/errors.rb +9 -23
- data/lib/googleauth/id_tokens/key_sources.rb +26 -38
- data/lib/googleauth/id_tokens/verifier.rb +16 -32
- data/lib/googleauth/id_tokens.rb +9 -23
- data/lib/googleauth/json_key_reader.rb +10 -25
- data/lib/googleauth/scope_util.rb +11 -26
- data/lib/googleauth/service_account.rb +60 -59
- data/lib/googleauth/signet.rb +22 -28
- data/lib/googleauth/stores/file_token_store.rb +11 -25
- data/lib/googleauth/stores/redis_token_store.rb +11 -25
- data/lib/googleauth/token_store.rb +10 -25
- data/lib/googleauth/user_authorizer.rb +10 -25
- data/lib/googleauth/user_refresh.rb +15 -27
- data/lib/googleauth/version.rb +11 -26
- data/lib/googleauth/web_user_authorizer.rb +14 -32
- data/lib/googleauth.rb +10 -25
- metadata +26 -97
- data/.github/CODEOWNERS +0 -7
- data/.github/CONTRIBUTING.md +0 -74
- data/.github/ISSUE_TEMPLATE/bug_report.md +0 -36
- data/.github/ISSUE_TEMPLATE/feature_request.md +0 -21
- data/.github/ISSUE_TEMPLATE/support_request.md +0 -7
- data/.gitignore +0 -36
- data/.kokoro/build.bat +0 -16
- data/.kokoro/build.sh +0 -4
- data/.kokoro/continuous/common.cfg +0 -24
- data/.kokoro/continuous/linux.cfg +0 -25
- data/.kokoro/continuous/osx.cfg +0 -8
- data/.kokoro/continuous/post.cfg +0 -30
- data/.kokoro/continuous/windows.cfg +0 -29
- data/.kokoro/osx.sh +0 -4
- data/.kokoro/presubmit/common.cfg +0 -24
- data/.kokoro/presubmit/linux.cfg +0 -24
- data/.kokoro/presubmit/osx.cfg +0 -8
- data/.kokoro/presubmit/windows.cfg +0 -29
- data/.kokoro/release.cfg +0 -94
- data/.kokoro/trampoline.bat +0 -10
- data/.kokoro/trampoline.sh +0 -4
- data/.repo-metadata.json +0 -5
- data/.rspec +0 -2
- data/.rubocop.yml +0 -19
- data/Gemfile +0 -30
- data/Rakefile +0 -132
- data/googleauth.gemspec +0 -38
- data/integration/helper.rb +0 -31
- data/integration/id_tokens/key_source_test.rb +0 -74
- data/rakelib/devsite_builder.rb +0 -45
- data/rakelib/link_checker.rb +0 -64
- data/rakelib/repo_metadata.rb +0 -59
- data/spec/googleauth/apply_auth_examples.rb +0 -171
- data/spec/googleauth/client_id_spec.rb +0 -160
- data/spec/googleauth/compute_engine_spec.rb +0 -160
- data/spec/googleauth/credentials_spec.rb +0 -478
- data/spec/googleauth/get_application_default_spec.rb +0 -286
- data/spec/googleauth/iam_spec.rb +0 -80
- data/spec/googleauth/scope_util_spec.rb +0 -77
- data/spec/googleauth/service_account_spec.rb +0 -489
- data/spec/googleauth/signet_spec.rb +0 -142
- data/spec/googleauth/stores/file_token_store_spec.rb +0 -57
- data/spec/googleauth/stores/redis_token_store_spec.rb +0 -50
- data/spec/googleauth/stores/store_examples.rb +0 -58
- data/spec/googleauth/user_authorizer_spec.rb +0 -343
- data/spec/googleauth/user_refresh_spec.rb +0 -359
- data/spec/googleauth/web_user_authorizer_spec.rb +0 -172
- data/spec/spec_helper.rb +0 -92
- data/test/helper.rb +0 -33
- data/test/id_tokens/key_sources_test.rb +0 -240
- data/test/id_tokens/verifier_test.rb +0 -269
@@ -1,31 +1,16 @@
|
|
1
|
-
# Copyright 2017
|
2
|
-
# All rights reserved.
|
1
|
+
# Copyright 2017 Google, Inc.
|
3
2
|
#
|
4
|
-
#
|
5
|
-
#
|
6
|
-
#
|
3
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
4
|
+
# you may not use this file except in compliance with the License.
|
5
|
+
# You may obtain a copy of the License at
|
7
6
|
#
|
8
|
-
#
|
9
|
-
# notice, this list of conditions and the following disclaimer.
|
10
|
-
# * Redistributions in binary form must reproduce the above
|
11
|
-
# copyright notice, this list of conditions and the following disclaimer
|
12
|
-
# in the documentation and/or other materials provided with the
|
13
|
-
# distribution.
|
14
|
-
# * Neither the name of Google Inc. nor the names of its
|
15
|
-
# contributors may be used to endorse or promote products derived from
|
16
|
-
# this software without specific prior written permission.
|
7
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
17
8
|
#
|
18
|
-
#
|
19
|
-
#
|
20
|
-
#
|
21
|
-
#
|
22
|
-
#
|
23
|
-
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
24
|
-
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
25
|
-
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
26
|
-
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
27
|
-
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
28
|
-
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
9
|
+
# Unless required by applicable law or agreed to in writing, software
|
10
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
11
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
12
|
+
# See the License for the specific language governing permissions and
|
13
|
+
# limitations under the License.
|
29
14
|
|
30
15
|
require "forwardable"
|
31
16
|
require "json"
|
@@ -36,9 +21,46 @@ require "googleauth/credentials_loader"
|
|
36
21
|
module Google
|
37
22
|
module Auth
|
38
23
|
##
|
39
|
-
# Credentials is
|
40
|
-
#
|
41
|
-
|
24
|
+
# Credentials is a high-level base class used by Google's API client
|
25
|
+
# libraries to represent the authentication when connecting to an API.
|
26
|
+
# In most cases, it is subclassed by API-specific credential classes that
|
27
|
+
# can be instantiated by clients.
|
28
|
+
#
|
29
|
+
# ## Options
|
30
|
+
#
|
31
|
+
# Credentials classes are configured with options that dictate default
|
32
|
+
# values for parameters such as scope and audience. These defaults are
|
33
|
+
# expressed as class attributes, and may differ from endpoint to endpoint.
|
34
|
+
# Normally, an API client will provide subclasses specific to each
|
35
|
+
# endpoint, configured with appropriate values.
|
36
|
+
#
|
37
|
+
# Note that these options inherit up the class hierarchy. If a particular
|
38
|
+
# options is not set for a subclass, its superclass is queried.
|
39
|
+
#
|
40
|
+
# Some older users of this class set options via constants. This usage is
|
41
|
+
# deprecated. For example, instead of setting the `AUDIENCE` constant on
|
42
|
+
# your subclass, call the `audience=` method.
|
43
|
+
#
|
44
|
+
# ## Example
|
45
|
+
#
|
46
|
+
# class MyCredentials < Google::Auth::Credentials
|
47
|
+
# # Set the default scope for these credentials
|
48
|
+
# self.scope = "http://example.com/my_scope"
|
49
|
+
# end
|
50
|
+
#
|
51
|
+
# # creds is a credentials object suitable for Google API clients
|
52
|
+
# creds = MyCredentials.default
|
53
|
+
# creds.scope # => ["http://example.com/my_scope"]
|
54
|
+
#
|
55
|
+
# class SubCredentials < MyCredentials
|
56
|
+
# # Override the default scope for this subclass
|
57
|
+
# self.scope = "http://example.com/sub_scope"
|
58
|
+
# end
|
59
|
+
#
|
60
|
+
# creds2 = SubCredentials.default
|
61
|
+
# creds2.scope # => ["http://example.com/sub_scope"]
|
62
|
+
#
|
63
|
+
class Credentials # rubocop:disable Metrics/ClassLength
|
42
64
|
##
|
43
65
|
# The default token credential URI to be used when none is provided during initialization.
|
44
66
|
TOKEN_CREDENTIAL_URI = "https://oauth2.googleapis.com/token".freeze
|
@@ -47,7 +69,7 @@ module Google
|
|
47
69
|
# The default target audience ID to be used when none is provided during initialization.
|
48
70
|
AUDIENCE = "https://oauth2.googleapis.com/token".freeze
|
49
71
|
|
50
|
-
@audience = @scope = @target_audience = @env_vars = @paths = nil
|
72
|
+
@audience = @scope = @target_audience = @env_vars = @paths = @token_credential_uri = nil
|
51
73
|
|
52
74
|
##
|
53
75
|
# The default token credential URI to be used when none is provided during initialization.
|
@@ -57,16 +79,15 @@ module Google
|
|
57
79
|
# @return [String]
|
58
80
|
#
|
59
81
|
def self.token_credential_uri
|
60
|
-
|
61
|
-
|
62
|
-
|
82
|
+
lookup_auth_param :token_credential_uri do
|
83
|
+
lookup_local_constant :TOKEN_CREDENTIAL_URI
|
84
|
+
end
|
63
85
|
end
|
64
86
|
|
65
87
|
##
|
66
88
|
# Set the default token credential URI to be used when none is provided during initialization.
|
67
89
|
#
|
68
90
|
# @param [String] new_token_credential_uri
|
69
|
-
# @return [String]
|
70
91
|
#
|
71
92
|
def self.token_credential_uri= new_token_credential_uri
|
72
93
|
@token_credential_uri = new_token_credential_uri
|
@@ -79,16 +100,15 @@ module Google
|
|
79
100
|
# @return [String]
|
80
101
|
#
|
81
102
|
def self.audience
|
82
|
-
|
83
|
-
|
84
|
-
|
103
|
+
lookup_auth_param :audience do
|
104
|
+
lookup_local_constant :AUDIENCE
|
105
|
+
end
|
85
106
|
end
|
86
107
|
|
87
108
|
##
|
88
109
|
# Sets the default target audience ID to be used when none is provided during initialization.
|
89
110
|
#
|
90
111
|
# @param [String] new_audience
|
91
|
-
# @return [String]
|
92
112
|
#
|
93
113
|
def self.audience= new_audience
|
94
114
|
@audience = new_audience
|
@@ -103,12 +123,13 @@ module Google
|
|
103
123
|
# If {#scope} is set, this credential will produce access tokens.
|
104
124
|
# If {#target_audience} is set, this credential will produce ID tokens.
|
105
125
|
#
|
106
|
-
# @return [String, Array<String
|
126
|
+
# @return [String, Array<String>, nil]
|
107
127
|
#
|
108
128
|
def self.scope
|
109
|
-
|
110
|
-
|
111
|
-
|
129
|
+
lookup_auth_param :scope do
|
130
|
+
vals = lookup_local_constant :SCOPE
|
131
|
+
vals ? Array(vals).flatten.uniq : nil
|
132
|
+
end
|
112
133
|
end
|
113
134
|
|
114
135
|
##
|
@@ -118,8 +139,7 @@ module Google
|
|
118
139
|
# If {#scope} is set, this credential will produce access tokens.
|
119
140
|
# If {#target_audience} is set, this credential will produce ID tokens.
|
120
141
|
#
|
121
|
-
# @param [String, Array<String
|
122
|
-
# @return [String, Array<String>]
|
142
|
+
# @param [String, Array<String>, nil] new_scope
|
123
143
|
#
|
124
144
|
def self.scope= new_scope
|
125
145
|
new_scope = Array new_scope unless new_scope.nil?
|
@@ -134,10 +154,10 @@ module Google
|
|
134
154
|
# If {#scope} is set, this credential will produce access tokens.
|
135
155
|
# If {#target_audience} is set, this credential will produce ID tokens.
|
136
156
|
#
|
137
|
-
# @return [String]
|
157
|
+
# @return [String, nil]
|
138
158
|
#
|
139
159
|
def self.target_audience
|
140
|
-
|
160
|
+
lookup_auth_param :target_audience
|
141
161
|
end
|
142
162
|
|
143
163
|
##
|
@@ -148,7 +168,7 @@ module Google
|
|
148
168
|
# If {#scope} is set, this credential will produce access tokens.
|
149
169
|
# If {#target_audience} is set, this credential will produce ID tokens.
|
150
170
|
#
|
151
|
-
# @param [String] new_target_audience
|
171
|
+
# @param [String, nil] new_target_audience
|
152
172
|
#
|
153
173
|
def self.target_audience= new_target_audience
|
154
174
|
@target_audience = new_target_audience
|
@@ -157,24 +177,33 @@ module Google
|
|
157
177
|
##
|
158
178
|
# The environment variables to search for credentials. Values can either be a file path to the
|
159
179
|
# credentials file, or the JSON contents of the credentials file.
|
180
|
+
# The env_vars will never be nil. If there are no vars, the empty array is returned.
|
160
181
|
#
|
161
182
|
# @return [Array<String>]
|
162
183
|
#
|
163
184
|
def self.env_vars
|
164
|
-
|
185
|
+
env_vars_internal || []
|
186
|
+
end
|
165
187
|
|
166
|
-
|
167
|
-
|
168
|
-
|
169
|
-
|
170
|
-
|
188
|
+
##
|
189
|
+
# @private
|
190
|
+
# Internal recursive lookup for env_vars.
|
191
|
+
#
|
192
|
+
def self.env_vars_internal
|
193
|
+
lookup_auth_param :env_vars, :env_vars_internal do
|
194
|
+
# Pull values when PATH_ENV_VARS or JSON_ENV_VARS constants exists.
|
195
|
+
path_env_vars = lookup_local_constant :PATH_ENV_VARS
|
196
|
+
json_env_vars = lookup_local_constant :JSON_ENV_VARS
|
197
|
+
(Array(path_env_vars) + Array(json_env_vars)).flatten.uniq if path_env_vars || json_env_vars
|
198
|
+
end
|
171
199
|
end
|
172
200
|
|
173
201
|
##
|
174
202
|
# Sets the environment variables to search for credentials.
|
203
|
+
# Setting to `nil` "unsets" the value, and defaults to the superclass
|
204
|
+
# (or to the empty array if there is no superclass).
|
175
205
|
#
|
176
|
-
# @param [Array<String
|
177
|
-
# @return [Array<String>]
|
206
|
+
# @param [String, Array<String>, nil] new_env_vars
|
178
207
|
#
|
179
208
|
def self.env_vars= new_env_vars
|
180
209
|
new_env_vars = Array new_env_vars unless new_env_vars.nil?
|
@@ -183,29 +212,72 @@ module Google
|
|
183
212
|
|
184
213
|
##
|
185
214
|
# The file paths to search for credentials files.
|
215
|
+
# The paths will never be nil. If there are no paths, the empty array is returned.
|
186
216
|
#
|
187
217
|
# @return [Array<String>]
|
188
218
|
#
|
189
219
|
def self.paths
|
190
|
-
|
220
|
+
paths_internal || []
|
221
|
+
end
|
191
222
|
|
192
|
-
|
193
|
-
|
194
|
-
|
195
|
-
|
223
|
+
##
|
224
|
+
# @private
|
225
|
+
# Internal recursive lookup for paths.
|
226
|
+
#
|
227
|
+
def self.paths_internal
|
228
|
+
lookup_auth_param :paths, :paths_internal do
|
229
|
+
# Pull in values if the DEFAULT_PATHS constant exists.
|
230
|
+
vals = lookup_local_constant :DEFAULT_PATHS
|
231
|
+
vals ? Array(vals).flatten.uniq : nil
|
232
|
+
end
|
196
233
|
end
|
197
234
|
|
198
235
|
##
|
199
236
|
# Set the file paths to search for credentials files.
|
237
|
+
# Setting to `nil` "unsets" the value, and defaults to the superclass
|
238
|
+
# (or to the empty array if there is no superclass).
|
200
239
|
#
|
201
|
-
# @param [Array<String
|
202
|
-
# @return [Array<String>]
|
240
|
+
# @param [String, Array<String>, nil] new_paths
|
203
241
|
#
|
204
242
|
def self.paths= new_paths
|
205
243
|
new_paths = Array new_paths unless new_paths.nil?
|
206
244
|
@paths = new_paths
|
207
245
|
end
|
208
246
|
|
247
|
+
##
|
248
|
+
# @private
|
249
|
+
# Return the given parameter value, defaulting up the class hierarchy.
|
250
|
+
#
|
251
|
+
# First returns the value of the instance variable, if set.
|
252
|
+
# Next, calls the given block if provided. (This is generally used to
|
253
|
+
# look up legacy constant-based values.)
|
254
|
+
# Otherwise, calls the superclass method if present.
|
255
|
+
# Returns nil if all steps fail.
|
256
|
+
#
|
257
|
+
# @param name [Symbol] The parameter name
|
258
|
+
# @param method_name [Symbol] The lookup method name, if different
|
259
|
+
# @return [Object] The value
|
260
|
+
#
|
261
|
+
def self.lookup_auth_param name, method_name = name
|
262
|
+
val = instance_variable_get "@#{name}".to_sym
|
263
|
+
val = yield if val.nil? && block_given?
|
264
|
+
return val unless val.nil?
|
265
|
+
return superclass.send method_name if superclass.respond_to? method_name
|
266
|
+
nil
|
267
|
+
end
|
268
|
+
|
269
|
+
##
|
270
|
+
# @private
|
271
|
+
# Return the value of the given constant if it is defined directly in
|
272
|
+
# this class, or nil if not.
|
273
|
+
#
|
274
|
+
# @param [Symbol] Name of the constant
|
275
|
+
# @return [Object] The value
|
276
|
+
#
|
277
|
+
def self.lookup_local_constant name
|
278
|
+
const_defined?(name, false) ? const_get(name) : nil
|
279
|
+
end
|
280
|
+
|
209
281
|
##
|
210
282
|
# The Signet::OAuth2::Client object the Credentials instance is using.
|
211
283
|
#
|
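Review bot: `superclass.send method_name` in `lookup_auth_param` bypasses method visibility, and nothing visible in this hunk needs that: `env_vars_internal` and `paths_internal` are defined as ordinary class methods, and the guard `respond_to?` only reports public methods anyway. `return superclass.public_send method_name if superclass.respond_to? method_name` keeps the lookup to the public surface that the guard already checks. Separately, the YARD tag on `lookup_local_constant` omits the parameter name; `# @param name [Symbol] Name of the constant` would match the form used on `lookup_auth_param`.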
@@ -282,16 +354,17 @@ module Google
|
|
282
354
|
verify_keyfile_provided! keyfile
|
283
355
|
@project_id = options["project_id"] || options["project"]
|
284
356
|
@quota_project_id = options["quota_project_id"]
|
285
|
-
|
357
|
+
case keyfile
|
358
|
+
when Signet::OAuth2::Client
|
286
359
|
update_from_signet keyfile
|
287
|
-
|
360
|
+
when Hash
|
288
361
|
update_from_hash keyfile, options
|
289
362
|
else
|
290
363
|
update_from_filepath keyfile, options
|
291
364
|
end
|
292
365
|
CredentialsLoader.warn_if_cloud_sdk_credentials @client.client_id
|
293
366
|
@project_id ||= CredentialsLoader.load_gcloud_project_id
|
294
|
-
@client.fetch_access_token!
|
367
|
+
@client.fetch_access_token! if @client.needs_access_token?
|
295
368
|
@env_vars = nil
|
296
369
|
@paths = nil
|
297
370
|
@scope = nil
|
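Review bot: With `@client.fetch_access_token! if @client.needs_access_token?`, constructing a credentials object no longer always requests a token, so a bad or revoked key may only fail on the first API call rather than at construction. That deserves a comment above the line, for example `# Token fetch is skipped when the client reports it needs no access token; an invalid key may then surface on first use.` The `else` arm of the new `case` also sends every keyfile that is neither a Signet client nor a Hash to `update_from_filepath`, which a short comment such as `# anything else is treated as a file path` would make explicit. The method begins and ends outside this hunk.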
@@ -336,8 +409,15 @@ module Google
|
|
336
409
|
env_vars.each do |env_var|
|
337
410
|
str = ENV[env_var]
|
338
411
|
next if str.nil?
|
339
|
-
|
340
|
-
|
412
|
+
io =
|
413
|
+
if ::File.file? str
|
414
|
+
::StringIO.new ::File.read str
|
415
|
+
else
|
416
|
+
json = ::JSON.parse str rescue nil
|
417
|
+
json ? ::StringIO.new(str) : nil
|
418
|
+
end
|
419
|
+
next if io.nil?
|
420
|
+
return from_io io, options
|
341
421
|
end
|
342
422
|
nil
|
343
423
|
end
|
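Review bot: `json = ::JSON.parse str rescue nil` silently skips a credentials variable whose value is neither an existing file nor valid JSON, so a mistyped path or truncated key lets the lookup move on, and the process can end up authenticating from a different source than the one the operator configured. The modifier `rescue` also swallows every StandardError, not only parse failures. Rescuing only the JSON parse error and warning with the variable name (never its value) before skipping makes the misconfiguration visible. The method begins above the hunk. The `::File.file?` / `::File.read` pair is repeated in `from_default_paths` in the next hunk, where a read failure on an existing file would raise rather than continue to the next path.

```ruby
# … unchanged: if ::File.file? str / ::StringIO.new ::File.read str …
else
  begin
    ::JSON.parse str
    ::StringIO.new str
  rescue ::JSON::ParserError
    warn "Ignoring #{env_var}: value is neither an existing file nor valid JSON"
    nil
  end
end
# … unchanged: next if io.nil? / return from_io io, options …
```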
@@ -345,11 +425,11 @@ module Google
|
|
345
425
|
##
|
346
426
|
# @private Lookup Credentials from default file paths.
|
347
427
|
def self.from_default_paths options
|
348
|
-
paths
|
349
|
-
|
350
|
-
.
|
351
|
-
|
352
|
-
|
428
|
+
paths.each do |path|
|
429
|
+
next unless path && ::File.file?(path)
|
430
|
+
io = ::StringIO.new ::File.read path
|
431
|
+
return from_io io, options
|
432
|
+
end
|
353
433
|
nil
|
354
434
|
end
|
355
435
|
|
@@ -357,14 +437,34 @@ module Google
|
|
357
437
|
# @private Lookup Credentials using Google::Auth.get_application_default.
|
358
438
|
def self.from_application_default options
|
359
439
|
scope = options[:scope] || self.scope
|
360
|
-
auth_opts = {
|
440
|
+
auth_opts = {
|
441
|
+
token_credential_uri: options[:token_credential_uri] || token_credential_uri,
|
442
|
+
audience: options[:audience] || audience,
|
443
|
+
target_audience: options[:target_audience] || target_audience,
|
444
|
+
enable_self_signed_jwt: options[:enable_self_signed_jwt] && options[:scope].nil?
|
445
|
+
}
|
361
446
|
client = Google::Auth.get_application_default scope, auth_opts
|
362
447
|
new client, options
|
363
448
|
end
|
364
449
|
|
450
|
+
# @private Read credentials from a JSON stream.
|
451
|
+
def self.from_io io, options
|
452
|
+
creds_input = {
|
453
|
+
json_key_io: io,
|
454
|
+
scope: options[:scope] || scope,
|
455
|
+
target_audience: options[:target_audience] || target_audience,
|
456
|
+
enable_self_signed_jwt: options[:enable_self_signed_jwt] && options[:scope].nil?,
|
457
|
+
token_credential_uri: options[:token_credential_uri] || token_credential_uri,
|
458
|
+
audience: options[:audience] || audience
|
459
|
+
}
|
460
|
+
client = Google::Auth::DefaultCredentials.make_creds creds_input
|
461
|
+
new client
|
462
|
+
end
|
463
|
+
|
365
464
|
private_class_method :from_env_vars,
|
366
465
|
:from_default_paths,
|
367
|
-
:from_application_default
|
466
|
+
:from_application_default,
|
467
|
+
:from_io
|
368
468
|
|
369
469
|
protected
|
370
470
|
|
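Review bot: `from_io` ends with `new client`, while `from_application_default` just above it ends with `new client, options`, so the env-var and default-path routes appear to drop any caller option that is not copied into `creds_input`. What looks like the constructor in an earlier hunk reads `project_id` and `quota_project_id` from its options, so those values would be lost on these two routes only. If that is intended, the `# @private Read credentials from a JSON stream.` comment should say so; otherwise `new client, options` keeps the three lookup routes consistent.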
@@ -389,9 +489,11 @@ module Google
|
|
389
489
|
|
390
490
|
# returns a new Hash with string keys instead of symbol keys.
|
391
491
|
def stringify_hash_keys hash
|
392
|
-
|
492
|
+
hash.to_h.transform_keys(&:to_s)
|
393
493
|
end
|
394
494
|
|
495
|
+
# rubocop:disable Metrics/AbcSize
|
496
|
+
|
395
497
|
def client_options options
|
396
498
|
# Keyfile options have higher priority over constructor defaults
|
397
499
|
options["token_credential_uri"] ||= self.class.token_credential_uri
|
@@ -413,6 +515,8 @@ module Google
|
|
413
515
|
signing_key: OpenSSL::PKey::RSA.new(options["private_key"]) }
|
414
516
|
end
|
415
517
|
|
518
|
+
# rubocop:enable Metrics/AbcSize
|
519
|
+
|
416
520
|
def update_from_signet client
|
417
521
|
@project_id ||= client.project_id if client.respond_to? :project_id
|
418
522
|
@quota_project_id ||= client.quota_project_id if client.respond_to? :quota_project_id
|
@@ -1,33 +1,17 @@
|
|
1
|
-
# Copyright 2015
|
2
|
-
# All rights reserved.
|
1
|
+
# Copyright 2015 Google, Inc.
|
3
2
|
#
|
4
|
-
#
|
5
|
-
#
|
6
|
-
#
|
3
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
4
|
+
# you may not use this file except in compliance with the License.
|
5
|
+
# You may obtain a copy of the License at
|
7
6
|
#
|
8
|
-
#
|
9
|
-
# notice, this list of conditions and the following disclaimer.
|
10
|
-
# * Redistributions in binary form must reproduce the above
|
11
|
-
# copyright notice, this list of conditions and the following disclaimer
|
12
|
-
# in the documentation and/or other materials provided with the
|
13
|
-
# distribution.
|
14
|
-
# * Neither the name of Google Inc. nor the names of its
|
15
|
-
# contributors may be used to endorse or promote products derived from
|
16
|
-
# this software without specific prior written permission.
|
7
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
17
8
|
#
|
18
|
-
#
|
19
|
-
#
|
20
|
-
#
|
21
|
-
#
|
22
|
-
#
|
23
|
-
|
24
|
-
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
25
|
-
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
26
|
-
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
27
|
-
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
28
|
-
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
29
|
-
|
30
|
-
require "memoist"
|
9
|
+
# Unless required by applicable law or agreed to in writing, software
|
10
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
11
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
12
|
+
# See the License for the specific language governing permissions and
|
13
|
+
# limitations under the License.
|
14
|
+
|
31
15
|
require "os"
|
32
16
|
require "rbconfig"
|
33
17
|
|
@@ -38,7 +22,6 @@ module Google
|
|
38
22
|
# CredentialsLoader contains the behaviour used to locate and find default
|
39
23
|
# credentials files on the file system.
|
40
24
|
module CredentialsLoader
|
41
|
-
extend Memoist
|
42
25
|
ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS".freeze
|
43
26
|
PRIVATE_KEY_VAR = "GOOGLE_PRIVATE_KEY".freeze
|
44
27
|
CLIENT_EMAIL_VAR = "GOOGLE_CLIENT_EMAIL".freeze
|
@@ -49,27 +32,23 @@ module Google
|
|
49
32
|
PROJECT_ID_VAR = "GOOGLE_PROJECT_ID".freeze
|
50
33
|
GCLOUD_POSIX_COMMAND = "gcloud".freeze
|
51
34
|
GCLOUD_WINDOWS_COMMAND = "gcloud.cmd".freeze
|
52
|
-
GCLOUD_CONFIG_COMMAND =
|
53
|
-
"config config-helper --format json --verbosity none".freeze
|
35
|
+
GCLOUD_CONFIG_COMMAND = "config config-helper --format json --verbosity none".freeze
|
54
36
|
|
55
37
|
CREDENTIALS_FILE_NAME = "application_default_credentials.json".freeze
|
56
|
-
NOT_FOUND_ERROR =
|
57
|
-
"Unable to read the credential file specified by #{ENV_VAR}".freeze
|
38
|
+
NOT_FOUND_ERROR = "Unable to read the credential file specified by #{ENV_VAR}".freeze
|
58
39
|
WELL_KNOWN_PATH = "gcloud/#{CREDENTIALS_FILE_NAME}".freeze
|
59
40
|
WELL_KNOWN_ERROR = "Unable to read the default credential file".freeze
|
60
41
|
|
61
|
-
SYSTEM_DEFAULT_ERROR =
|
62
|
-
"Unable to read the system default credential file".freeze
|
42
|
+
SYSTEM_DEFAULT_ERROR = "Unable to read the system default credential file".freeze
|
63
43
|
|
64
|
-
CLOUD_SDK_CLIENT_ID = "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app"\
|
65
|
-
|
44
|
+
CLOUD_SDK_CLIENT_ID = "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app" \
|
45
|
+
"s.googleusercontent.com".freeze
|
66
46
|
|
67
|
-
CLOUD_SDK_CREDENTIALS_WARNING =
|
68
|
-
"credentials from Google Cloud SDK. We recommend that most
|
69
|
-
"service accounts instead. If your application continues to use end user credentials "\
|
70
|
-
'from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For '\
|
71
|
-
"
|
72
|
-
"https://cloud.google.com/docs/authentication/. To suppress this message, set the "\
|
47
|
+
CLOUD_SDK_CREDENTIALS_WARNING =
|
48
|
+
"Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most " \
|
49
|
+
"server applications use service accounts instead. If your application continues to use end user credentials " \
|
50
|
+
'from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For more information about ' \
|
51
|
+
"service accounts, see https://cloud.google.com/docs/authentication/. To suppress this message, set the " \
|
73
52
|
"GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS environment variable.".freeze
|
74
53
|
|
75
54
|
# make_creds proxies the construction of a credentials instance
|
@@ -103,7 +82,7 @@ module Google
|
|
103
82
|
return make_creds options.merge(json_key_io: f)
|
104
83
|
end
|
105
84
|
elsif service_account_env_vars? || authorized_user_env_vars?
|
106
|
-
|
85
|
+
make_creds options
|
107
86
|
end
|
108
87
|
rescue StandardError => e
|
109
88
|
raise "#{NOT_FOUND_ERROR}: #{e}"
|
@@ -175,7 +154,7 @@ module Google
|
|
175
154
|
def load_gcloud_project_id
|
176
155
|
gcloud = GCLOUD_WINDOWS_COMMAND if OS.windows?
|
177
156
|
gcloud = GCLOUD_POSIX_COMMAND unless OS.windows?
|
178
|
-
gcloud_json = IO.popen("#{gcloud} #{GCLOUD_CONFIG_COMMAND}", &:read)
|
157
|
+
gcloud_json = IO.popen("#{gcloud} #{GCLOUD_CONFIG_COMMAND}", in: :close, err: :close, &:read)
|
179
158
|
config = MultiJson.load gcloud_json
|
180
159
|
config["configuration"]["properties"]["core"]["project"]
|
181
160
|
rescue StandardError
|
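Review bot: `in: :close, err: :close` starts gcloud with descriptors 0 and 2 closed rather than attached to the null device; a child started that way can have the next file it opens land on descriptor 2, and its diagnostics are then written into that file. `IO.popen("#{gcloud} #{GCLOUD_CONFIG_COMMAND}", in: File::NULL, err: File::NULL, &:read)` silences the command without that side effect. The command string is built only from constants, so no caller input reaches the shell, but `gcloud` is still resolved through PATH, which is worth a comment for deployments with a writable PATH entry. The method's `rescue StandardError` body lies outside the hunk.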
@@ -1,31 +1,16 @@
|
|
1
|
-
# Copyright 2015
|
2
|
-
# All rights reserved.
|
1
|
+
# Copyright 2015 Google, Inc.
|
3
2
|
#
|
4
|
-
#
|
5
|
-
#
|
6
|
-
#
|
3
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
4
|
+
# you may not use this file except in compliance with the License.
|
5
|
+
# You may obtain a copy of the License at
|
7
6
|
#
|
8
|
-
#
|
9
|
-
# notice, this list of conditions and the following disclaimer.
|
10
|
-
# * Redistributions in binary form must reproduce the above
|
11
|
-
# copyright notice, this list of conditions and the following disclaimer
|
12
|
-
# in the documentation and/or other materials provided with the
|
13
|
-
# distribution.
|
14
|
-
# * Neither the name of Google Inc. nor the names of its
|
15
|
-
# contributors may be used to endorse or promote products derived from
|
16
|
-
# this software without specific prior written permission.
|
7
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
17
8
|
#
|
18
|
-
#
|
19
|
-
#
|
20
|
-
#
|
21
|
-
#
|
22
|
-
#
|
23
|
-
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
24
|
-
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
25
|
-
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
26
|
-
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
27
|
-
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
28
|
-
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
9
|
+
# Unless required by applicable law or agreed to in writing, software
|
10
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
11
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
12
|
+
# See the License for the specific language governing permissions and
|
13
|
+
# limitations under the License.
|
29
14
|
|
30
15
|
require "multi_json"
|
31
16
|
require "stringio"
|
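--- a/data/lib/googleauth/iam.rb
+++ b/data/lib/googleauth/iam.rb
@@ -1,31 +1,16 @@
-# Copyright 2015
-# All rights reserved.
+# Copyright 2015 Google, Inc.
 #
-#
-#
-#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-#
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following disclaimer
-# in the documentation and/or other materials provided with the
-# distribution.
-# * Neither the name of Google Inc. nor the names of its
-# contributors may be used to endorse or promote products derived from
-# this software without specific prior written permission.
+# http://www.apache.org/licenses/LICENSE-2.0
 #
-#
-#
-#
-#
-#
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 require "googleauth/signet"
 require "googleauth/credentials_loader"
@@ -68,7 +53,7 @@ module Google
 # Returns a reference to the #apply method, suitable for passing as
 # a closure
 def updater_proc
-
+proc { |a_hash, _opts = {}| apply a_hash }
 end
 end
 end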
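Review bot: The comment above `updater_proc` still says it returns a reference to the #apply method, but the new body `proc { |a_hash, _opts = {}| apply a_hash }` returns a wrapper that accepts a second argument and discards it. A caller passing options to the updater will see them ignored without any signal. The comment should state that, for example `# Returns a proc that calls #apply with the given hash; a second (options) argument is accepted and ignored.`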