googleauth 0.5.1 → 0.14.0

data/lib/googleauth/json_key_reader.rb

@@ -0,0 +1,50 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # JsonKeyReader contains the behaviour used to read private key and
+    # client email fields from the service account
+    module JsonKeyReader
+      def read_json_key json_key_io
+        json_key = MultiJson.load json_key_io.read
+        raise "missing client_email" unless json_key.key? "client_email"
+        raise "missing private_key" unless json_key.key? "private_key"
+        [
+          json_key["private_key"],
+          json_key["client_email"],
+          json_key["project_id"],
+          json_key["quota_project_id"]
+        ]
+      end
+    end
+  end
+end

data/lib/googleauth/scope_util.rb

@@ -27,33 +27,33 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'googleauth/signet'
-require 'googleauth/credentials_loader'
-require 'multi_json'
+require "googleauth/signet"
+require "googleauth/credentials_loader"
+require "multi_json"
 
 module Google
   module Auth
     # Small utility for normalizing scopes into canonical form
     module ScopeUtil
       ALIASES = {
-        'email' => 'https://www.googleapis.com/auth/userinfo.email',
-        'profile' => 'https://www.googleapis.com/auth/userinfo.profile',
-        'openid' => 'https://www.googleapis.com/auth/plus.me'
-      }
+        "email"   => "https://www.googleapis.com/auth/userinfo.email",
+        "profile" => "https://www.googleapis.com/auth/userinfo.profile",
+        "openid"  => "https://www.googleapis.com/auth/plus.me"
+      }.freeze
 
-      def self.normalize(scope)
-        list = as_array(scope)
+      def self.normalize scope
+        list = as_array scope
         list.map { |item| ALIASES[item] || item }
       end
 
-      def self.as_array(scope)
+      def self.as_array scope
         case scope
         when Array
           scope
         when String
-          scope.split(' ')
+          scope.split " "
         else
-          fail 'Invalid scope value. Must be string or array'
+          raise "Invalid scope value. Must be string or array"
         end
       end
     end

data/lib/googleauth/service_account.rb

@@ -27,11 +27,12 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'googleauth/signet'
-require 'googleauth/credentials_loader'
-require 'jwt'
-require 'multi_json'
-require 'stringio'
+require "googleauth/signet"
+require "googleauth/credentials_loader"
+require "googleauth/json_key_reader"
+require "jwt"
+require "multi_json"
+require "stringio"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -44,42 +45,56 @@ module Google
     # from credentials from a json key file downloaded from the developer
     # console (via 'Generate new Json Key').
     #
-    # cf [Application Default Credentials](http://goo.gl/mkAHpZ)
+    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
     class ServiceAccountCredentials < Signet::OAuth2::Client
-      TOKEN_CRED_URI = 'https://www.googleapis.com/oauth2/v3/token'
+      TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
       extend CredentialsLoader
+      extend JsonKeyReader
+      attr_reader :project_id
+      attr_reader :quota_project_id
 
       # Creates a ServiceAccountCredentials.
       #
       # @param json_key_io [IO] an IO from which the JSON key can be read
       # @param scope [string|array|nil] the scope(s) to access
-      def self.make_creds(options = {})
-        json_key_io, scope = options.values_at(:json_key_io, :scope)
+      def self.make_creds options = {}
+        json_key_io, scope, target_audience = options.values_at :json_key_io, :scope, :target_audience
+        raise ArgumentError, "Cannot specify both scope and target_audience" if scope && target_audience
+
         if json_key_io
-          private_key, client_email = read_json_key(json_key_io)
+          private_key, client_email, project_id, quota_project_id = read_json_key json_key_io
         else
-          private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
+          private_key = unescape ENV[CredentialsLoader::PRIVATE_KEY_VAR]
           client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
+          project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
+          quota_project_id = nil
         end
+        project_id ||= CredentialsLoader.load_gcloud_project_id
 
         new(token_credential_uri: TOKEN_CRED_URI,
-            audience: TOKEN_CRED_URI,
-            scope: scope,
-            issuer: client_email,
-            signing_key: OpenSSL::PKey::RSA.new(private_key))
+            audience:             TOKEN_CRED_URI,
+            scope:                scope,
+            target_audience:      target_audience,
+            issuer:               client_email,
+            signing_key:          OpenSSL::PKey::RSA.new(private_key),
+            project_id:           project_id,
+            quota_project_id:     quota_project_id)
+          .configure_connection(options)
       end
 
-      # Reads the private key and client email fields from the service account
-      # JSON key.
-      def self.read_json_key(json_key_io)
-        json_key = MultiJson.load(json_key_io.read)
-        fail 'missing client_email' unless json_key.key?('client_email')
-        fail 'missing private_key' unless json_key.key?('private_key')
-        [json_key['private_key'], json_key['client_email']]
+      # Handles certain escape sequences that sometimes appear in input.
+      # Specifically, interprets the "\n" sequence for newline, and removes
+      # enclosing quotes.
+      def self.unescape str
+        str = str.gsub '\n', "\n"
+        str = str[1..-2] if str.start_with?('"') && str.end_with?('"')
+        str
       end
 
-      def initialize(options = {})
-        super(options)
+      def initialize options = {}
+        @project_id = options[:project_id]
+        @quota_project_id = options[:quota_project_id]
+        super options
       end
 
       # Extends the base class.
@@ -87,9 +102,9 @@ module Google
       # If scope(s) is not set, it creates a transient
       # ServiceAccountJwtHeaderCredentials instance and uses that to
       # authenticate instead.
-      def apply!(a_hash, opts = {})
+      def apply! a_hash, opts = {}
         # Use the base implementation if scopes are set
-        unless scope.nil?
+        unless scope.nil? && target_audience.nil?
           super
           return
         end
@@ -97,13 +112,13 @@ module Google
         # Use the ServiceAccountJwtHeaderCredentials using the same cred values
         # if no scopes are set.
         cred_json = {
-          private_key: @signing_key.to_s,
+          private_key:  @signing_key.to_s,
           client_email: @issuer
         }
         alt_clz = ServiceAccountJwtHeaderCredentials
-        key_io = StringIO.new(MultiJson.dump(cred_json))
-        alt = alt_clz.make_creds(json_key_io: key_io)
-        alt.apply!(a_hash)
+        key_io = StringIO.new MultiJson.dump(cred_json)
+        alt = alt_clz.make_creds json_key_io: key_io
+        alt.apply! a_hash
       end
     end
 
@@ -115,14 +130,17 @@ module Google
     # console (via 'Generate new Json Key').  It is not part of any OAuth2
     # flow, rather it creates a JWT and sends that as a credential.
     #
-    # cf [Application Default Credentials](http://goo.gl/mkAHpZ)
+    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
     class ServiceAccountJwtHeaderCredentials
       JWT_AUD_URI_KEY = :jwt_aud_uri
       AUTH_METADATA_KEY = Signet::OAuth2::AUTH_METADATA_KEY
-      TOKEN_CRED_URI = 'https://www.googleapis.com/oauth2/v3/token'
-      SIGNING_ALGORITHM = 'RS256'
+      TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
+      SIGNING_ALGORITHM = "RS256".freeze
       EXPIRY = 60
       extend CredentialsLoader
+      extend JsonKeyReader
+      attr_reader :project_id
+      attr_reader :quota_project_id
 
       # make_creds proxies the construction of a credentials instance
       #
@@ -131,51 +149,44 @@ module Google
       # By default, it calls #new with 2 args, the second one being an
       # optional scope. Here's the constructor only has one param, so
       # we modify make_creds to reflect this.
-      def self.make_creds(*args)
-        new(json_key_io: args[0][:json_key_io])
-      end
-
-      # Reads the private key and client email fields from the service account
-      # JSON key.
-      def self.read_json_key(json_key_io)
-        json_key = MultiJson.load(json_key_io.read)
-        fail 'missing client_email' unless json_key.key?('client_email')
-        fail 'missing private_key' unless json_key.key?('private_key')
-        [json_key['private_key'], json_key['client_email']]
+      def self.make_creds *args
+        new json_key_io: args[0][:json_key_io]
       end
 
       # Initializes a ServiceAccountJwtHeaderCredentials.
       #
       # @param json_key_io [IO] an IO from which the JSON key can be read
-      def initialize(options = {})
+      def initialize options = {}
         json_key_io = options[:json_key_io]
         if json_key_io
-          private_key, client_email = self.class.read_json_key(json_key_io)
+          @private_key, @issuer, @project_id, @quota_project_id =
+            self.class.read_json_key json_key_io
         else
-          private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
-          client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
+          @private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
+          @issuer = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
+          @project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
+          @quota_project_id = nil
         end
-        @private_key = private_key
-        @issuer = client_email
-        @signing_key = OpenSSL::PKey::RSA.new(private_key)
+        @project_id ||= CredentialsLoader.load_gcloud_project_id
+        @signing_key = OpenSSL::PKey::RSA.new @private_key
       end
 
       # Construct a jwt token if the JWT_AUD_URI key is present in the input
       # hash.
       #
       # The jwt token is used as the value of a 'Bearer '.
-      def apply!(a_hash, opts = {})
-        jwt_aud_uri = a_hash.delete(JWT_AUD_URI_KEY)
+      def apply! a_hash, opts = {}
+        jwt_aud_uri = a_hash.delete JWT_AUD_URI_KEY
         return a_hash if jwt_aud_uri.nil?
-        jwt_token = new_jwt_token(jwt_aud_uri, opts)
+        jwt_token = new_jwt_token jwt_aud_uri, opts
         a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
         a_hash
       end
 
       # Returns a clone of a_hash updated with the authoriation header
-      def apply(a_hash, opts = {})
+      def apply a_hash, opts = {}
         a_copy = a_hash.clone
-        apply!(a_copy, opts)
+        apply! a_copy, opts
         a_copy
       end
 
@@ -188,17 +199,17 @@ module Google
       protected
 
       # Creates a jwt uri token.
-      def new_jwt_token(jwt_aud_uri, options = {})
+      def new_jwt_token jwt_aud_uri, options = {}
         now = Time.new
         skew = options[:skew] || 60
         assertion = {
-          'iss' => @issuer,
-          'sub' => @issuer,
-          'aud' => jwt_aud_uri,
-          'exp' => (now + EXPIRY).to_i,
-          'iat' => (now - skew).to_i
+          "iss" => @issuer,
+          "sub" => @issuer,
+          "aud" => jwt_aud_uri,
+          "exp" => (now + EXPIRY).to_i,
+          "iat" => (now - skew).to_i
         }
-        JWT.encode(assertion, @signing_key, SIGNING_ALGORITHM)
+        JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
       end
     end
   end

data/lib/googleauth/signet.rb

@@ -27,7 +27,7 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'signet/oauth_2/client'
+require "signet/oauth_2/client"
 
 module Signet
   # OAuth2 supports OAuth2 authentication.
@@ -38,18 +38,25 @@ module Signet
     # This reopens Client to add #apply and #apply! methods which update a
     # hash with the fetched authentication token.
     class Client
+      def configure_connection options
+        @connection_info =
+          options[:connection_builder] || options[:default_connection]
+        self
+      end
+
       # Updates a_hash updated with the authentication token
-      def apply!(a_hash, opts = {})
+      def apply! a_hash, opts = {}
         # fetch the access token there is currently not one, or if the client
         # has expired
-        fetch_access_token!(opts) if access_token.nil? || expires_within?(60)
-        a_hash[AUTH_METADATA_KEY] = "Bearer #{access_token}"
+        token_type = target_audience ? :id_token : :access_token
+        fetch_access_token! opts if send(token_type).nil? || expires_within?(60)
+        a_hash[AUTH_METADATA_KEY] = "Bearer #{send token_type}"
       end
 
       # Returns a clone of a_hash updated with the authentication token
-      def apply(a_hash, opts = {})
+      def apply a_hash, opts = {}
         a_copy = a_hash.clone
-        apply!(a_copy, opts)
+        apply! a_copy, opts
         a_copy
       end
 
@@ -59,22 +66,57 @@ module Signet
         lambda(&method(:apply))
       end
 
-      def on_refresh(&block)
-        @refresh_listeners ||= []
+      def on_refresh &block
+        @refresh_listeners = [] unless defined? @refresh_listeners
         @refresh_listeners << block
       end
 
-      alias_method :orig_fetch_access_token!, :fetch_access_token!
-      def fetch_access_token!(options = {})
-        info = orig_fetch_access_token!(options)
+      alias orig_fetch_access_token! fetch_access_token!
+      def fetch_access_token! options = {}
+        unless options[:connection]
+          connection = build_default_connection
+          options = options.merge connection: connection if connection
+        end
+        info = retry_with_error do
+          orig_fetch_access_token! options
+        end
         notify_refresh_listeners
         info
       end
 
       def notify_refresh_listeners
-        listeners = @refresh_listeners || []
+        listeners = defined?(@refresh_listeners) ? @refresh_listeners : []
         listeners.each do |block|
-          block.call(self)
+          block.call self
+        end
+      end
+
+      def build_default_connection
+        if !defined?(@connection_info)
+          nil
+        elsif @connection_info.respond_to? :call
+          @connection_info.call
+        else
+          @connection_info
+        end
+      end
+
+      def retry_with_error max_retry_count = 5
+        retry_count = 0
+
+        begin
+          yield
+        rescue StandardError => e
+          raise e if e.is_a?(Signet::AuthorizationError) || e.is_a?(Signet::ParseError)
+
+          if retry_count < max_retry_count
+            retry_count += 1
+            sleep retry_count * 0.3
+            retry
+          else
+            msg = "Unexpected error: #{e.inspect}"
+            raise Signet::AuthorizationError, msg
+          end
         end
       end
     end

data/lib/googleauth/stores/file_token_store.rb

@@ -27,8 +27,8 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'yaml/store'
-require 'googleauth/token_store'
+require "yaml/store"
+require "googleauth/token_store"
 
 module Google
   module Auth
@@ -39,24 +39,24 @@ module Google
         #
         # @param [String, File] file
         #  Path to storage file
-        def initialize(options = {})
+        def initialize options = {}
           path = options[:file]
-          @store = YAML::Store.new(path)
+          @store = YAML::Store.new path
         end
 
         # (see Google::Auth::Stores::TokenStore#load)
-        def load(id)
+        def load id
           @store.transaction { @store[id] }
         end
 
         # (see Google::Auth::Stores::TokenStore#store)
-        def store(id, token)
+        def store id, token
           @store.transaction { @store[id] = token }
         end
 
         # (see Google::Auth::Stores::TokenStore#delete)
-        def delete(id)
-          @store.transaction { @store.delete(id) }
+        def delete id
+          @store.transaction { @store.delete id }
         end
       end
     end