googleauth 0.15.1 → 0.17.0

data/README.md

@@ -182,17 +182,19 @@ Custom storage implementations can also be used. See
 
 ## Supported Ruby Versions
 
-This library requires Ruby 2.4 or later.
+This library is supported on Ruby 2.5+.
 
-In general, this library supports Ruby versions that are considered current and
-supported by Ruby Core (that is, Ruby versions that are either in normal
-maintenance or in security maintenance).
-See https://www.ruby-lang.org/en/downloads/branches/ for further details.
+Google provides official support for Ruby versions that are actively supported
+by Ruby Core—that is, Ruby versions that are either in normal maintenance or in
+security maintenance, and not end of life. Currently, this means Ruby 2.5 and
+later. Older versions of Ruby _may_ still work, but are unsupported and not
+recommended. See https://www.ruby-lang.org/en/downloads/branches/ for details
+about the Ruby support schedule.
 
 ## License
 
 This library is licensed under Apache 2.0. Full license text is
-available in [COPYING][copying].
+available in [LICENSE][license].
 
 ## Contributing
 
@@ -208,4 +210,4 @@ about the client or APIs on [StackOverflow](http://stackoverflow.com).
 
 [application default credentials]: https://developers.google.com/accounts/docs/application-default-credentials
 [contributing]: https://github.com/googleapis/google-auth-library-ruby/tree/master/.github/CONTRIBUTING.md
-[copying]: https://github.com/googleapis/google-auth-library-ruby/tree/master/COPYING
+[license]: https://github.com/googleapis/google-auth-library-ruby/tree/master/LICENSE

data/SECURITY.md

@@ -0,0 +1,7 @@
+# Security Policy
+
+To report a security issue, please use [g.co/vulnz](https://g.co/vulnz).
+
+The Google Security Team will respond within 5 working days of your report on g.co/vulnz.
+
+We use g.co/vulnz for our intake, and do coordination and disclosure here using GitHub Security Advisory to privately discuss and fix the issue.

data/googleauth.gemspec

@@ -24,8 +24,9 @@ Gem::Specification.new do |gem|
     File.basename f
   end
   gem.require_paths = ["lib"]
+
   gem.platform      = Gem::Platform::RUBY
-  gem.required_ruby_version = ">= 2.4.0"
+  gem.required_ruby_version = ">= 2.5"
 
   gem.add_dependency "faraday", ">= 0.17.3", "< 2.0"
   gem.add_dependency "jwt", ">= 1.4", "< 3.0"

data/lib/googleauth/compute_engine.rb

@@ -112,7 +112,7 @@ module Google
           case resp.status
           when 200
             content_type = resp.headers["content-type"]
-            if content_type == "text/html"
+            if ["text/html", "application/text"].include? content_type
               { (target_audience ? "id_token" : "access_token") => resp.body }
             else
               Signet::OAuth2.parse_credentials resp.body, content_type

data/lib/googleauth/credentials.rb

@@ -369,9 +369,10 @@ module Google
         verify_keyfile_provided! keyfile
         @project_id = options["project_id"] || options["project"]
         @quota_project_id = options["quota_project_id"]
-        if keyfile.is_a? Signet::OAuth2::Client
+        case keyfile
+        when Signet::OAuth2::Client
           update_from_signet keyfile
-        elsif keyfile.is_a? Hash
+        when Hash
           update_from_hash keyfile, options
         else
           update_from_filepath keyfile, options
@@ -503,9 +504,11 @@ module Google
 
       # returns a new Hash with string keys instead of symbol keys.
       def stringify_hash_keys hash
-        Hash[hash.map { |k, v| [k.to_s, v] }]
+        hash.to_h.transform_keys(&:to_s)
       end
 
+      # rubocop:disable Metrics/AbcSize
+
       def client_options options
         # Keyfile options have higher priority over constructor defaults
         options["token_credential_uri"] ||= self.class.token_credential_uri
@@ -527,6 +530,8 @@ module Google
           signing_key:          OpenSSL::PKey::RSA.new(options["private_key"]) }
       end
 
+      # rubocop:enable Metrics/AbcSize
+
       def update_from_signet client
         @project_id ||= client.project_id if client.respond_to? :project_id
         @quota_project_id ||= client.quota_project_id if client.respond_to? :quota_project_id

data/lib/googleauth/credentials_loader.rb

@@ -103,7 +103,7 @@ module Google
             return make_creds options.merge(json_key_io: f)
           end
         elsif service_account_env_vars? || authorized_user_env_vars?
-          return make_creds options
+          make_creds options
         end
       rescue StandardError => e
         raise "#{NOT_FOUND_ERROR}: #{e}"

data/lib/googleauth/iam.rb

@@ -68,7 +68,7 @@ module Google
       # Returns a reference to the #apply method, suitable for passing as
       # a closure
       def updater_proc
-        lambda(&method(:apply))
+        proc { |a_hash, _opts = {}| apply a_hash }
       end
     end
   end

data/lib/googleauth/id_tokens/key_sources.rb

@@ -171,7 +171,9 @@ module Google
             curve_name = CURVE_NAME_MAP[jwk[:crv]]
             raise KeySourceError, "Unsupported EC curve #{jwk[:crv]}" unless curve_name
             group = OpenSSL::PKey::EC::Group.new curve_name
-            bn = OpenSSL::BN.new ["04" + x_data.unpack1("H*") + y_data.unpack1("H*")].pack("H*"), 2
+            x_hex = x_data.unpack1 "H*"
+            y_hex = y_data.unpack1 "H*"
+            bn = OpenSSL::BN.new ["04#{x_hex}#{y_hex}"].pack("H*"), 2
             key = OpenSSL::PKey::EC.new curve_name
             key.public_key = OpenSSL::PKey::EC::Point.new group, bn
             key
@@ -284,10 +286,10 @@ module Google
             raise KeySourceError, "Unable to retrieve data from #{uri}" unless response.is_a? Net::HTTPSuccess
 
             data = begin
-                     JSON.parse response.body
-                   rescue JSON::ParserError
-                     raise KeySourceError, "Unable to parse JSON"
-                   end
+              JSON.parse response.body
+            rescue JSON::ParserError
+              raise KeySourceError, "Unable to parse JSON"
+            end
 
             @current_keys = Array(interpret_json(data))
           end

data/lib/googleauth/id_tokens/verifier.rb

@@ -105,15 +105,13 @@ module Google
         def decode_token token, keys, aud, azp, iss
           payload = nil
           keys.find do |key|
-            begin
-              options = { algorithms: key.algorithm }
-              decoded_token = JWT.decode token, key.key, true, options
-              payload = decoded_token.first
-            rescue JWT::ExpiredSignature
-              raise ExpiredTokenError, "Token signature is expired"
-            rescue JWT::DecodeError
-              nil # Try the next key
-            end
+            options = { algorithms: key.algorithm }
+            decoded_token = JWT.decode token, key.key, true, options
+            payload = decoded_token.first
+          rescue JWT::ExpiredSignature
+            raise ExpiredTokenError, "Token signature is expired"
+          rescue JWT::DecodeError
+            nil # Try the next key
           end
 
           normalize_and_verify_payload payload, aud, azp, iss

data/lib/googleauth/scope_util.rb

@@ -51,7 +51,7 @@ module Google
         when Array
           scope
         when String
-          scope.split " "
+          scope.split
         else
           raise "Invalid scope value. Must be string or array"
         end

data/lib/googleauth/service_account.rb

@@ -123,11 +123,13 @@ module Google
       def apply_self_signed_jwt! a_hash
         # Use the ServiceAccountJwtHeaderCredentials using the same cred values
         cred_json = {
-          private_key:  @signing_key.to_s,
-          client_email: @issuer
+          private_key: @signing_key.to_s,
+          client_email: @issuer,
+          project_id: @project_id,
+          quota_project_id: @quota_project_id
         }
         key_io = StringIO.new MultiJson.dump(cred_json)
-        alt = ServiceAccountJwtHeaderCredentials.make_creds json_key_io: key_io
+        alt = ServiceAccountJwtHeaderCredentials.make_creds json_key_io: key_io, scope: scope
         alt.apply! a_hash
       end
     end
@@ -152,15 +154,13 @@ module Google
       attr_reader :project_id
       attr_reader :quota_project_id
 
-      # make_creds proxies the construction of a credentials instance
+      # Create a ServiceAccountJwtHeaderCredentials.
       #
-      # make_creds is used by the methods in CredentialsLoader.
-      #
-      # By default, it calls #new with 2 args, the second one being an
-      # optional scope. Here's the constructor only has one param, so
-      # we modify make_creds to reflect this.
-      def self.make_creds *args
-        new json_key_io: args[0][:json_key_io]
+      # @param json_key_io [IO] an IO from which the JSON key can be read
+      # @param scope [string|array|nil] the scope(s) to access
+      def self.make_creds options = {}
+        json_key_io, scope = options.values_at :json_key_io, :scope
+        new json_key_io: json_key_io, scope: scope
       end
 
       # Initializes a ServiceAccountJwtHeaderCredentials.
@@ -179,6 +179,7 @@ module Google
         end
         @project_id ||= CredentialsLoader.load_gcloud_project_id
         @signing_key = OpenSSL::PKey::RSA.new @private_key
+        @scope = options[:scope]
       end
 
       # Construct a jwt token if the JWT_AUD_URI key is present in the input
@@ -187,7 +188,7 @@ module Google
       # The jwt token is used as the value of a 'Bearer '.
       def apply! a_hash, opts = {}
         jwt_aud_uri = a_hash.delete JWT_AUD_URI_KEY
-        return a_hash if jwt_aud_uri.nil?
+        return a_hash if jwt_aud_uri.nil? && @scope.nil?
         jwt_token = new_jwt_token jwt_aud_uri, opts
         a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
         a_hash
@@ -203,22 +204,27 @@ module Google
       # Returns a reference to the #apply method, suitable for passing as
       # a closure
       def updater_proc
-        lambda(&method(:apply))
+        proc { |a_hash, opts = {}| apply a_hash, opts }
       end
 
       protected
 
       # Creates a jwt uri token.
-      def new_jwt_token jwt_aud_uri, options = {}
+      def new_jwt_token jwt_aud_uri = nil, options = {}
         now = Time.new
         skew = options[:skew] || 60
         assertion = {
           "iss" => @issuer,
           "sub" => @issuer,
-          "aud" => jwt_aud_uri,
           "exp" => (now + EXPIRY).to_i,
           "iat" => (now - skew).to_i
         }
+
+        jwt_aud_uri = nil if @scope
+
+        assertion["scope"] = Array(@scope).join " " if @scope
+        assertion["aud"] = jwt_aud_uri if jwt_aud_uri
+
         JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
       end
     end

data/lib/googleauth/signet.rb

@@ -63,7 +63,7 @@ module Signet
       # Returns a reference to the #apply method, suitable for passing as
       # a closure
       def updater_proc
-        lambda(&method(:apply))
+        proc { |a_hash, opts = {}| apply a_hash, opts }
       end
 
       def on_refresh &block

data/lib/googleauth/stores/file_token_store.rb

@@ -40,6 +40,7 @@ module Google
         # @param [String, File] file
         #  Path to storage file
         def initialize options = {}
+          super()
           path = options[:file]
           @store = YAML::Store.new path
         end

data/lib/googleauth/stores/redis_token_store.rb

@@ -49,6 +49,7 @@ module Google
         #  the options passed through. You may include any other keys accepted
         #  by `Redis.new`
         def initialize options = {}
+          super()
           redis = options.delete :redis
           prefix = options.delete :prefix
           @redis = case redis

data/lib/googleauth/version.rb

@@ -31,6 +31,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "0.15.1".freeze
+    VERSION = "0.17.0".freeze
   end
 end

data/lib/googleauth/web_user_authorizer.rb

@@ -189,7 +189,7 @@ module Google
       #  May raise an error if an authorization code is present in the session
       #  and exchange of the code fails
       def get_credentials user_id, request = nil, scope = nil
-        if request && request.session.key?(CALLBACK_STATE_KEY)
+        if request&.session&.key? CALLBACK_STATE_KEY
           # Note - in theory, no need to check required scope as this is
           # expected to be called immediately after a return from authorization
           state_json = request.session.delete CALLBACK_STATE_KEY

data/spec/googleauth/service_account_spec.rb

@@ -44,9 +44,10 @@ require "os"
 
 include Google::Auth::CredentialsLoader
 
-shared_examples "jwt header auth" do
+shared_examples "jwt header auth" do |aud="https://www.googleapis.com/myservice"|
   context "when jwt_aud_uri is present" do
-    let(:test_uri) { "https://www.googleapis.com/myservice" }
+    let(:test_uri) { aud }
+    let(:test_scope) { "scope/1 scope/2" }
     let(:auth_prefix) { "Bearer " }
     let(:auth_key) { ServiceAccountJwtHeaderCredentials::AUTH_METADATA_KEY }
     let(:jwt_uri_key) { ServiceAccountJwtHeaderCredentials::JWT_AUD_URI_KEY }
@@ -56,14 +57,16 @@ shared_examples "jwt header auth" do
       expect(hdr.start_with?(auth_prefix)).to be true
       authorization = hdr[auth_prefix.length..-1]
       payload, = JWT.decode authorization, @key.public_key, true, algorithm: "RS256"
-      expect(payload["aud"]).to eq(test_uri)
+
+      expect(payload["aud"]).to eq(test_uri) if not test_uri.nil?
+      expect(payload["scope"]).to eq(test_scope) if test_uri.nil?
       expect(payload["iss"]).to eq(client_email)
     end
 
     describe "#apply!" do
       it "should update the target hash with a jwt token" do
         md = { foo: "bar" }
-        md[jwt_uri_key] = test_uri
+        md[jwt_uri_key] = test_uri if test_uri
         @client.apply! md
         auth_header = md[auth_key]
         expect_is_encoded_jwt auth_header
@@ -74,31 +77,31 @@ shared_examples "jwt header auth" do
     describe "updater_proc" do
       it "should provide a proc that updates a hash with a jwt token" do
         md = { foo: "bar" }
-        md[jwt_uri_key] = test_uri
+        md[jwt_uri_key] = test_uri if test_uri
         the_proc = @client.updater_proc
         got = the_proc.call md
         auth_header = got[auth_key]
         expect_is_encoded_jwt auth_header
         expect(got[jwt_uri_key]).to be_nil
-        expect(md[jwt_uri_key]).to_not be_nil
+        expect(md[jwt_uri_key]).to_not be_nil if test_uri
       end
     end
 
     describe "#apply" do
       it "should not update the original hash with a jwt token" do
         md = { foo: "bar" }
-        md[jwt_uri_key] = test_uri
+        md[jwt_uri_key] = test_uri if test_uri
         the_proc = @client.updater_proc
         got = the_proc.call md
         auth_header = md[auth_key]
         expect(auth_header).to be_nil
         expect(got[jwt_uri_key]).to be_nil
-        expect(md[jwt_uri_key]).to_not be_nil
+        expect(md[jwt_uri_key]).to_not be_nil if test_uri
       end
 
       it "should add a jwt token to the returned hash" do
         md = { foo: "bar" }
-        md[jwt_uri_key] = test_uri
+        md[jwt_uri_key] = test_uri if test_uri
         got = @client.apply md
         auth_header = got[auth_key]
         expect_is_encoded_jwt auth_header
@@ -107,6 +110,7 @@ shared_examples "jwt header auth" do
   end
 end
 
+
 describe Google::Auth::ServiceAccountCredentials do
   ServiceAccountCredentials = Google::Auth::ServiceAccountCredentials
   let(:client_email) { "app@developer.gserviceaccount.com" }
@@ -169,14 +173,24 @@ describe Google::Auth::ServiceAccountCredentials do
     it_behaves_like "jwt header auth"
   end
 
-  context "when enable_self_signed_jwt is set" do
+  context "when enable_self_signed_jwt is set with aud" do
     before :example do
+      @client.scope = nil
       @client.instance_variable_set(:@enable_self_signed_jwt, true)
     end
 
     it_behaves_like "jwt header auth"
   end
 
+  context "when enable_self_signed_jwt is set with scope" do
+    before :example do
+      @client.scope = ['scope/1', 'scope/2']
+      @client.instance_variable_set(:@enable_self_signed_jwt, true)
+    end
+
+    it_behaves_like "jwt header auth", nil
+  end
+
   describe "#from_env" do
     before :example do
       @var_name = ENV_VAR

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth
 version: !ruby/object:Gem::Version
-  version: 0.15.1
+  version: 0.17.0
 platform: ruby
 authors:
 - Tim Emiola
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-02-08 00:00:00.000000000 Z
+date: 2021-07-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -140,32 +140,31 @@ files:
 - ".github/ISSUE_TEMPLATE/bug_report.md"
 - ".github/ISSUE_TEMPLATE/feature_request.md"
 - ".github/ISSUE_TEMPLATE/support_request.md"
-- ".github/workflows/release.yml"
+- ".github/renovate.json"
+- ".github/sync-repo-settings.yaml"
+- ".github/workflows/ci.yml"
+- ".github/workflows/release-please.yml"
 - ".gitignore"
-- ".kokoro/build.bat"
-- ".kokoro/build.sh"
-- ".kokoro/continuous/common.cfg"
-- ".kokoro/continuous/linux.cfg"
-- ".kokoro/continuous/osx.cfg"
-- ".kokoro/continuous/post.cfg"
-- ".kokoro/continuous/windows.cfg"
-- ".kokoro/osx.sh"
-- ".kokoro/presubmit/common.cfg"
-- ".kokoro/presubmit/linux.cfg"
-- ".kokoro/presubmit/osx.cfg"
-- ".kokoro/presubmit/windows.cfg"
+- ".kokoro/populate-secrets.sh"
 - ".kokoro/release.cfg"
-- ".kokoro/trampoline.bat"
-- ".kokoro/trampoline.sh"
+- ".kokoro/release.sh"
+- ".kokoro/trampoline_v2.sh"
 - ".repo-metadata.json"
 - ".rspec"
 - ".rubocop.yml"
+- ".toys/.toys.rb"
+- ".toys/ci.rb"
+- ".toys/kokoro/.toys.rb"
+- ".toys/kokoro/publish-docs.rb"
+- ".toys/kokoro/publish-gem.rb"
+- ".toys/linkinator.rb"
+- ".trampolinerc"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Gemfile
 - LICENSE
 - README.md
-- Rakefile
+- SECURITY.md
 - googleauth.gemspec
 - integration/helper.rb
 - integration/id_tokens/key_source_test.rb
@@ -192,9 +191,6 @@ files:
 - lib/googleauth/user_refresh.rb
 - lib/googleauth/version.rb
 - lib/googleauth/web_user_authorizer.rb
-- rakelib/devsite_builder.rb
-- rakelib/link_checker.rb
-- rakelib/repo_metadata.rb
 - spec/googleauth/apply_auth_examples.rb
 - spec/googleauth/client_id_spec.rb
 - spec/googleauth/compute_engine_spec.rb
@@ -226,14 +222,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.4.0
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.6
+rubygems_version: 3.2.17
 signing_key: 
 specification_version: 4
 summary: Google Auth Library for Ruby