googleauth 0.4.2 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: adef96ddcbbab3bf0cdf0bcb5e2772bbf3de2f04
-  data.tar.gz: ab58fe380898294110ec76ac571a22ef411efe6b
+  metadata.gz: ea1a2e263bd1d7876d89a72efe9c3a7d7059865c
+  data.tar.gz: d50f82ec16c2af13c46254705101efa26cc407c0
 SHA512:
-  metadata.gz: 5ad82896ca3cac5f605ece8cf51c512bc4625c782045452fee044064ae4d751e33e29101f6c9caef569f08816b1b1066626000a3b541c30dc02033a70cbebe7c
-  data.tar.gz: cd31e77291d39c9cf44c6ffa39a3e939274a5ca9834d6ee558f2e5ec4d5b575d6c8d29655cbaa4b25dc8e5ca89330a5f87d61dd1eea302398ac388c27f56aa46
+  metadata.gz: 56c038dfecebcf7239404231372e79fbd626f18cc833291ab83caaf81f8f3b8579b4ec7b38ceb670a0b44e8b155290333c52569ce664a52dc67bb08637a36fcd
+  data.tar.gz: d23147ecd1ba999174ead84aa967be369a6aa7c77f85505c18f600ab47b390fc356668bf495e38e49909beed9958e471bdb6148a2c58b202857d7ea713c06529

data/.rubocop_todo.yml

@@ -1,15 +1,32 @@
-# This configuration was generated by `rubocop --auto-gen-config`
-# on 2015-05-18 09:38:28 -0700 using RuboCop version 0.31.0.
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2015-10-14 13:50:41 -0700 using RuboCop version 0.34.2.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-# Offense count: 3
+# Offense count: 4
 Metrics/AbcSize:
-  Max: 24
+  Max: 27
 
-# Offense count: 10
+# Offense count: 1
+# Configuration parameters: CountComments.
+Metrics/ClassLength:
+  Max: 109
+
+# Offense count: 1
+Metrics/CyclomaticComplexity:
+  Max: 7
+
+# Offense count: 16
 # Configuration parameters: CountComments.
 Metrics/MethodLength:
-  Max: 13
+  Max: 22
+
+# Offense count: 2
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/FormatString:
+  Exclude:
+    - 'lib/googleauth/user_authorizer.rb'
+    - 'lib/googleauth/web_user_authorizer.rb'

data/.travis.yml

@@ -7,6 +7,9 @@ rvm:
   - 1.9.3
   - rbx-2
   - jruby
+matrix:
+  allow_failures:
+    - rvm: rbx-2 # See rubinius/rubinius#3485 - rubocop segfaults
 script: "bundle exec rake"
 addons:
   apt:

data/CHANGELOG.md

@@ -1,8 +1,15 @@
+## 0.5.0 (12/10/2015)
+
+### Changes
+
+* Initial support for user credentials ([@sqrrrl][])
+* Update Signet to 0.7
+
 ## 0.4.2 (05/08/2015)
 
 ### Changes
 
-* Updated UserRefreshCredentials hash to use string keys ([@haabator][])
+* Updated UserRefreshCredentials hash to use string keys ([@haabaato][])
 [#36](https://github.com/google/google-auth-library-ruby/issues/36)
 
 * Add support for a system default credentials file. ([@mr-salty][])

data/Gemfile

@@ -2,3 +2,23 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in googleauth.gemspec
 gemspec
+
+group :development do
+  gem 'bundler', '~> 1.9'
+  gem 'simplecov', '~> 0.9'
+  gem 'coveralls', '~> 0.7'
+  gem 'fakefs', '~> 0.6'
+  gem 'rake', '~> 10.0'
+  gem 'rubocop', '~> 0.30'
+  gem 'rspec', '~> 3.0'
+  gem 'redis', '~> 3.2'
+  gem 'fakeredis', '~> 0.5'
+  gem 'webmock', '~> 1.21'
+  gem 'rack-test', '~> 0.6'
+  gem 'sinatra'
+end
+
+platforms :jruby do
+  group :development do
+  end
+end

data/README.md

@@ -38,7 +38,8 @@ $ gem install googleauth
 require 'googleauth'
 
 # Get the environment configured authorization
-scopes =  ['https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/compute']
+scopes =  ['https://www.googleapis.com/auth/cloud-platform',
+           'https://www.googleapis.com/auth/compute']
 authorization = Google::Auth.get_application_default(scopes)
 
 # Add the the access token obtained using the authorization to a hash, e.g
@@ -61,6 +62,84 @@ and authorization level for the application independent of the user. This is
 the recommended approach to authorize calls to Cloud APIs, particularly when
 you're building an application that uses Google Compute Engine.
 
+## User Credentials
+
+The library also provides support for requesting and storing user
+credentials (3-Legged OAuth2.) Two implementations are currently available,
+a generic authorizer useful for command line apps or custom integrations as
+well as a web variant tailored toward Rack-based applications.
+
+The authorizers are intended for authorization use cases. For sign-on,
+see [Google Idenity Platform](https://developers.google.com/identity/)
+
+### Example (Web)
+
+```ruby
+require 'googleauth'
+require 'googleauth/web_user_authorizer'
+require 'googleauth/stores/redis_token_store'
+require 'redis'
+
+client_id = Google::Auth::ClientId.from_file('/path/to/client_secrets.json')
+scope = ['https://www.googleapis.com/auth/drive']
+token_store = Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new)
+authorizer = Google::Auth::WebUserAuthorizer.new(
+  client_id, scope, token_store, '/oauth2callback')
+
+
+get('/authorize') do
+  # NOTE: Assumes the user is already authenticated to the app
+  user_id = request.session['user_id']
+  credentials = authorizer.get_credentials(user_id, request)
+  if credentials.nil?
+    redirect authorizer.get_authorization_url(user_id: user_id, request: request)
+  end
+  # Credentials are valid, can call APIs
+  # ...
+end
+
+get('/oauth2callback') do
+  target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(
+    request)
+  redirect target_url
+end
+```
+
+### Example (Command Line)
+
+```ruby
+require 'googleauth'
+require 'googleauth/stores/file_token_store'
+
+scope = 'https://www.googleapis.com/auth/drive'
+client_id = Google::Auth::ClientId.from_file('/path/to/client_secrets.json')
+token_store = Google::Auth::Stores::FileTokenStore.new(
+  :file => '/path/to/tokens.yaml')
+authorizer = Google::Auth::UserAuthorizer.new(client_id, scope, token_store)
+
+credentials = authorizer.get_credentials(user_id)
+if credentials.nil?
+  url = authorizer.get_authorization_url(base_url: 'urn:ietf:wg:oauth:2.0:oob')
+  puts "Open #{url} in your browser and enter the resulting code:"
+  code = gets
+  credentials = authorizer.get_and_store_credentials_from_code(
+    user_id: user_id, code: code, base_url: OOB_URI)
+end
+
+# OK to use credentials
+```
+
+### Storage
+
+Authorizers require a storage instance to manage long term persistence of
+access and refresh tokens. Two storage implementations are included:
+
+*   Google::Auth::Stores::FileTokenStore
+*   Google::Auth::Stores::RedisTokenStore
+
+Custom storage implementations can also be used. See
+[token_store.rb](lib/googleauth/token_store.rb) for additional details.
+
 ## What about auth in google-apis-ruby-client?
 
 The goal is for all auth done by

data/googleauth.gemspec

@@ -30,13 +30,5 @@ Gem::Specification.new do |s|
   s.add_dependency 'jwt', '~> 1.4'
   s.add_dependency 'memoist', '~> 0.12'
   s.add_dependency 'multi_json', '~> 1.11'
-  s.add_dependency 'signet', '~> 0.6'
-
-  s.add_development_dependency 'bundler', '~> 1.9'
-  s.add_development_dependency 'simplecov', '~> 0.9'
-  s.add_development_dependency 'coveralls', '~> 0.7'
-  s.add_development_dependency 'fakefs', '~> 0.6'
-  s.add_development_dependency 'rake', '~> 10.0'
-  s.add_development_dependency 'rubocop', '~> 0.30'
-  s.add_development_dependency 'rspec', '~> 3.0'
+  s.add_dependency 'signet', '~> 0.7'
 end

data/lib/googleauth.rb

@@ -34,6 +34,9 @@ require 'googleauth/credentials_loader'
 require 'googleauth/compute_engine'
 require 'googleauth/service_account'
 require 'googleauth/user_refresh'
+require 'googleauth/client_id'
+require 'googleauth/user_authorizer'
+require 'googleauth/web_user_authorizer'
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -56,11 +59,11 @@ END
         json_key_io, scope = options.values_at(:json_key_io, :scope)
         if json_key_io
           json_key, clz = determine_creds_class(json_key_io)
-          clz.new(json_key_io: StringIO.new(MultiJson.dump(json_key)),
-                  scope: scope)
+          clz.make_creds(json_key_io: StringIO.new(MultiJson.dump(json_key)),
+                         scope: scope)
         else
           clz = read_creds
-          clz.new(scope: scope)
+          clz.make_creds(scope: scope)
         end
       end
 

data/lib/googleauth/client_id.rb

@@ -0,0 +1,102 @@
+# Copyright 2014, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require 'multi_json'
+
+module Google
+  module Auth
+    # Representation of an application's identity for user authorization
+    # flows.
+    class ClientId
+      INSTALLED_APP = 'installed'
+      WEB_APP = 'web'
+      CLIENT_ID = 'client_id'
+      CLIENT_SECRET = 'client_secret'
+      MISSING_TOP_LEVEL_ELEMENT_ERROR =
+        "Expected top level property 'installed' or 'web' to be present."
+
+      # Text identifier of the client ID
+      # @return [String]
+      attr_reader :id
+
+      # Secret associated with the client ID
+      # @return [String]
+      attr_reader :secret
+
+      class << self
+        attr_accessor :default
+      end
+
+      # Initialize the Client ID
+      #
+      # @param [String] id
+      #  Text identifier of the client ID
+      # @param [String] secret
+      #  Secret associated with the client ID
+      # @note Direction instantion is discouraged to avoid embedding IDs
+      #       & secrets in source. See {#from_file} to load from
+      #       `client_secrets.json` files.
+      def initialize(id, secret)
+        fail 'Client id can not be nil' if id.nil?
+        fail 'Client secret can not be nil' if secret.nil?
+        @id = id
+        @secret = secret
+      end
+
+      # Constructs a Client ID from a JSON file downloaed from the
+      # Google Developers Console.
+      #
+      # @param [String, File] file
+      #  Path of file to read from
+      # @return [Google::Auth::ClientID]
+      def self.from_file(file)
+        fail 'File can not be nil.' if file.nil?
+        File.open(file.to_s) do |f|
+          json = f.read
+          config = MultiJson.load(json)
+          from_hash(config)
+        end
+      end
+
+      # Constructs a Client ID from a previously loaded JSON file. The hash
+      # structure should
+      # match the expected JSON format.
+      #
+      # @param [hash] config
+      #  Parsed contents of the JSON file
+      # @return [Google::Auth::ClientID]
+      def self.from_hash(config)
+        fail 'Hash can not be nil.' if config.nil?
+        raw_detail = config[INSTALLED_APP] || config[WEB_APP]
+        fail MISSING_TOP_LEVEL_ELEMENT_ERROR if raw_detail.nil?
+        ClientId.new(raw_detail[CLIENT_ID], raw_detail[CLIENT_SECRET])
+      end
+    end
+  end
+end

data/lib/googleauth/scope_util.rb

@@ -0,0 +1,61 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require 'googleauth/signet'
+require 'googleauth/credentials_loader'
+require 'multi_json'
+
+module Google
+  module Auth
+    # Small utility for normalizing scopes into canonical form
+    module ScopeUtil
+      ALIASES = {
+        'email' => 'https://www.googleapis.com/auth/userinfo.email',
+        'profile' => 'https://www.googleapis.com/auth/userinfo.profile',
+        'openid' => 'https://www.googleapis.com/auth/plus.me'
+      }
+
+      def self.normalize(scope)
+        list = as_array(scope)
+        list.map { |item| ALIASES[item] || item }
+      end
+
+      def self.as_array(scope)
+        case scope
+        when Array
+          scope
+        when String
+          scope.split(' ')
+        else
+          fail 'Invalid scope value. Must be string or array'
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/service_account.rb

@@ -49,33 +49,37 @@ module Google
       TOKEN_CRED_URI = 'https://www.googleapis.com/oauth2/v3/token'
       extend CredentialsLoader
 
-      # Reads the private key and client email fields from the service account
-      # JSON key.
-      def self.read_json_key(json_key_io)
-        json_key = MultiJson.load(json_key_io.read)
-        fail 'missing client_email' unless json_key.key?('client_email')
-        fail 'missing private_key' unless json_key.key?('private_key')
-        [json_key['private_key'], json_key['client_email']]
-      end
-
-      # Initializes a ServiceAccountCredentials.
+      # Creates a ServiceAccountCredentials.
       #
       # @param json_key_io [IO] an IO from which the JSON key can be read
       # @param scope [string|array|nil] the scope(s) to access
-      def initialize(options = {})
+      def self.make_creds(options = {})
         json_key_io, scope = options.values_at(:json_key_io, :scope)
         if json_key_io
-          private_key, client_email = self.class.read_json_key(json_key_io)
+          private_key, client_email = read_json_key(json_key_io)
         else
           private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
           client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
         end
 
-        super(token_credential_uri: TOKEN_CRED_URI,
-              audience: TOKEN_CRED_URI,
-              scope: scope,
-              issuer: client_email,
-              signing_key: OpenSSL::PKey::RSA.new(private_key))
+        new(token_credential_uri: TOKEN_CRED_URI,
+            audience: TOKEN_CRED_URI,
+            scope: scope,
+            issuer: client_email,
+            signing_key: OpenSSL::PKey::RSA.new(private_key))
+      end
+
+      # Reads the private key and client email fields from the service account
+      # JSON key.
+      def self.read_json_key(json_key_io)
+        json_key = MultiJson.load(json_key_io.read)
+        fail 'missing client_email' unless json_key.key?('client_email')
+        fail 'missing private_key' unless json_key.key?('private_key')
+        [json_key['private_key'], json_key['client_email']]
+      end
+
+      def initialize(options = {})
+        super(options)
       end
 
       # Extends the base class.
@@ -97,7 +101,8 @@ module Google
           client_email: @issuer
         }
         alt_clz = ServiceAccountJwtHeaderCredentials
-        alt = alt_clz.new(json_key_io: StringIO.new(MultiJson.dump(cred_json)))
+        key_io = StringIO.new(MultiJson.dump(cred_json))
+        alt = alt_clz.make_creds(json_key_io: key_io)
         alt.apply!(a_hash)
       end
     end