googleauth 0.5.1 → 0.14.0

data/lib/googleauth/stores/redis_token_store.rb

@@ -27,8 +27,8 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'redis'
-require 'googleauth/token_store'
+require "redis"
+require "googleauth/token_store"
 
 module Google
   module Auth
@@ -37,7 +37,7 @@ module Google
       # are stored as JSON using the supplied key, prefixed with
       # `g-user-token:`
       class RedisTokenStore < Google::Auth::TokenStore
-        DEFAULT_KEY_PREFIX = 'g-user-token:'
+        DEFAULT_KEY_PREFIX = "g-user-token:".freeze
 
         # Create a new store with the supplied redis client.
         #
@@ -48,34 +48,34 @@ module Google
         # @note If no redis instance is provided, a new one is created and
         #  the options passed through. You may include any other keys accepted
         #  by `Redis.new`
-        def initialize(options = {})
-          redis = options.delete(:redis)
-          prefix = options.delete(:prefix)
-          case redis
-          when Redis
-            @redis = redis
-          else
-            @redis = Redis.new(options)
-          end
+        def initialize options = {}
+          redis = options.delete :redis
+          prefix = options.delete :prefix
+          @redis = case redis
+                   when Redis
+                     redis
+                   else
+                     Redis.new options
+                   end
           @prefix = prefix || DEFAULT_KEY_PREFIX
         end
 
         # (see Google::Auth::Stores::TokenStore#load)
-        def load(id)
-          key = key_for(id)
-          @redis.get(key)
+        def load id
+          key = key_for id
+          @redis.get key
         end
 
         # (see Google::Auth::Stores::TokenStore#store)
-        def store(id, token)
-          key = key_for(id)
-          @redis.set(key, token)
+        def store id, token
+          key = key_for id
+          @redis.set key, token
         end
 
         # (see Google::Auth::Stores::TokenStore#delete)
-        def delete(id)
-          key = key_for(id)
-          @redis.del(key)
+        def delete id
+          key = key_for id
+          @redis.del key
         end
 
         private
@@ -86,7 +86,7 @@ module Google
         #  ID of the token
         # @return [String]
         #  Redis key
-        def key_for(id)
+        def key_for id
           @prefix + id
         end
       end

data/lib/googleauth/token_store.rb

@@ -43,8 +43,8 @@ module Google
       #  ID of token data to load.
       # @return [String]
       #  The loaded token data.
-      def load(_id)
-        fail 'Not implemented'
+      def load _id
+        raise "Not implemented"
       end
 
       # Put the token data into storage for the given ID.
@@ -53,16 +53,16 @@ module Google
       #  ID of token data to store.
       # @param [String] token
       #  The token data to store.
-      def store(_id, _token)
-        fail 'Not implemented'
+      def store _id, _token
+        raise "Not implemented"
       end
 
       # Remove the token data from storage for the given ID.
       #
       # @param [String] id
       #  ID of the token data to delete
-      def delete(_id)
-        fail 'Not implemented'
+      def delete _id
+        raise "Not implemented"
       end
     end
   end

data/lib/googleauth/user_authorizer.rb

@@ -27,10 +27,10 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'uri'
-require 'multi_json'
-require 'googleauth/signet'
-require 'googleauth/user_refresh'
+require "uri"
+require "multi_json"
+require "googleauth/signet"
+require "googleauth/user_refresh"
 
 module Google
   module Auth
@@ -53,13 +53,13 @@ module Google
     #     ...
     class UserAuthorizer
       MISMATCHED_CLIENT_ID_ERROR =
-        'Token client ID of %s does not match configured client id %s'
-      NIL_CLIENT_ID_ERROR = 'Client id can not be nil.'
-      NIL_SCOPE_ERROR = 'Scope can not be nil.'
-      NIL_USER_ID_ERROR = 'User ID can not be nil.'
-      NIL_TOKEN_STORE_ERROR = 'Can not call method if token store is nil'
+        "Token client ID of %s does not match configured client id %s".freeze
+      NIL_CLIENT_ID_ERROR = "Client id can not be nil.".freeze
+      NIL_SCOPE_ERROR = "Scope can not be nil.".freeze
+      NIL_USER_ID_ERROR = "User ID can not be nil.".freeze
+      NIL_TOKEN_STORE_ERROR = "Can not call method if token store is nil".freeze
       MISSING_ABSOLUTE_URL_ERROR =
-        'Absolute base url required for relative callback url "%s"'
+        'Absolute base url required for relative callback url "%s"'.freeze
 
       # Initialize the authorizer
       #
@@ -72,14 +72,14 @@ module Google
       # @param [String] callback_uri
       #  URL (either absolute or relative) of the auth callback.
       #  Defaults to '/oauth2callback'
-      def initialize(client_id, scope, token_store, callback_uri = nil)
-        fail NIL_CLIENT_ID_ERROR if client_id.nil?
-        fail NIL_SCOPE_ERROR if scope.nil?
+      def initialize client_id, scope, token_store, callback_uri = nil
+        raise NIL_CLIENT_ID_ERROR if client_id.nil?
+        raise NIL_SCOPE_ERROR if scope.nil?
 
         @client_id = client_id
         @scope = Array(scope)
         @token_store = token_store
-        @callback_uri = callback_uri || '/oauth2callback'
+        @callback_uri = callback_uri || "/oauth2callback"
       end
 
       # Build the URL for requesting authorization.
@@ -97,19 +97,20 @@ module Google
       #  nil.
       # @return [String]
       #  Authorization url
-      def get_authorization_url(options = {})
+      def get_authorization_url options = {}
         scope = options[:scope] || @scope
         credentials = UserRefreshCredentials.new(
-          client_id: @client_id.id,
+          client_id:     @client_id.id,
           client_secret: @client_id.secret,
-          scope: scope)
-        redirect_uri = redirect_uri_for(options[:base_url])
-        url = credentials.authorization_uri(access_type: 'offline',
-                                            redirect_uri: redirect_uri,
-                                            approval_prompt: 'force',
-                                            state: options[:state],
+          scope:         scope
+        )
+        redirect_uri = redirect_uri_for options[:base_url]
+        url = credentials.authorization_uri(access_type:            "offline",
+                                            redirect_uri:           redirect_uri,
+                                            approval_prompt:        "force",
+                                            state:                  options[:state],
                                             include_granted_scopes: true,
-                                            login_hint: options[:login_hint])
+                                            login_hint:             options[:login_hint])
         url.to_s
       end
 
@@ -122,31 +123,26 @@ module Google
       #  the requested scopes
       # @return [Google::Auth::UserRefreshCredentials]
       #  Stored credentials, nil if none present
-      def get_credentials(user_id, scope = nil)
-        fail NIL_USER_ID_ERROR if user_id.nil?
-        fail NIL_TOKEN_STORE_ERROR if @token_store.nil?
-
-        scope ||= @scope
-        saved_token = @token_store.load(user_id)
+      def get_credentials user_id, scope = nil
+        saved_token = stored_token user_id
         return nil if saved_token.nil?
-        data = MultiJson.load(saved_token)
+        data = MultiJson.load saved_token
 
-        if data.fetch('client_id', @client_id.id) != @client_id.id
-          fail sprintf(MISMATCHED_CLIENT_ID_ERROR,
-                       data['client_id'], @client_id.id)
+        if data.fetch("client_id", @client_id.id) != @client_id.id
+          raise format(MISMATCHED_CLIENT_ID_ERROR,
+                       data["client_id"], @client_id.id)
         end
 
         credentials = UserRefreshCredentials.new(
-          client_id: @client_id.id,
+          client_id:     @client_id.id,
           client_secret: @client_id.secret,
-          scope: data['scope'] || @scope,
-          access_token: data['access_token'],
-          refresh_token: data['refresh_token'],
-          expires_at: data.fetch('expiration_time_millis', 0) / 1000)
-        if credentials.includes_scope?(scope)
-          monitor_credentials(user_id, credentials)
-          return credentials
-        end
+          scope:         data["scope"] || @scope,
+          access_token:  data["access_token"],
+          refresh_token: data["refresh_token"],
+          expires_at:    data.fetch("expiration_time_millis", 0) / 1000
+        )
+        scope ||= @scope
+        return monitor_credentials user_id, credentials if credentials.includes_scope? scope
         nil
       end
 
@@ -165,19 +161,20 @@ module Google
       #  callback uri is a relative.
       # @return [Google::Auth::UserRefreshCredentials]
       #  Credentials if exchange is successful
-      def get_credentials_from_code(options = {})
+      def get_credentials_from_code options = {}
         user_id = options[:user_id]
         code = options[:code]
         scope = options[:scope] || @scope
         base_url = options[:base_url]
         credentials = UserRefreshCredentials.new(
-          client_id: @client_id.id,
+          client_id:     @client_id.id,
           client_secret: @client_id.secret,
-          redirect_uri: redirect_uri_for(base_url),
-          scope: scope)
+          redirect_uri:  redirect_uri_for(base_url),
+          scope:         scope
+        )
         credentials.code = code
         credentials.fetch_access_token!({})
-        monitor_credentials(user_id, credentials)
+        monitor_credentials user_id, credentials
       end
 
       # Exchanges an authorization code returned in the oauth callback.
@@ -197,10 +194,9 @@ module Google
       #  callback uri is a relative.
       # @return [Google::Auth::UserRefreshCredentials]
       #  Credentials if exchange is successful
-      def get_and_store_credentials_from_code(options = {})
-        credentials = get_credentials_from_code(options)
-        monitor_credentials(options[:user_id], credentials)
-        store_credentials(options[:user_id], credentials)
+      def get_and_store_credentials_from_code options = {}
+        credentials = get_credentials_from_code options
+        store_credentials options[:user_id], credentials
       end
 
       # Revokes a user's credentials. This both revokes the actual
@@ -208,11 +204,11 @@ module Google
       #
       # @param [String] user_id
       #  Unique ID of the user for loading/storing credentials.
-      def revoke_authorization(user_id)
-        credentials = get_credentials(user_id)
+      def revoke_authorization user_id
+        credentials = get_credentials user_id
         if credentials
           begin
-            @token_store.delete(user_id)
+            @token_store.delete user_id
           ensure
             credentials.revoke!
           end
@@ -228,19 +224,32 @@ module Google
       #  Unique ID of the user for loading/storing credentials.
       # @param [Google::Auth::UserRefreshCredentials] credentials
       #  Credentials to store.
-      def store_credentials(user_id, credentials)
+      def store_credentials user_id, credentials
         json = MultiJson.dump(
-          client_id: credentials.client_id,
-          access_token: credentials.access_token,
-          refresh_token: credentials.refresh_token,
-          scope: credentials.scope,
-          expiration_time_millis: (credentials.expires_at.to_i) * 1000)
-        @token_store.store(user_id, json)
+          client_id:              credentials.client_id,
+          access_token:           credentials.access_token,
+          refresh_token:          credentials.refresh_token,
+          scope:                  credentials.scope,
+          expiration_time_millis: credentials.expires_at.to_i * 1000
+        )
+        @token_store.store user_id, json
         credentials
       end
 
       private
 
+      # @private Fetch stored token with given user_id
+      #
+      # @param [String] user_id
+      #  Unique ID of the user for loading/storing credentials.
+      # @return [String] The saved token from @token_store
+      def stored_token user_id
+        raise NIL_USER_ID_ERROR if user_id.nil?
+        raise NIL_TOKEN_STORE_ERROR if @token_store.nil?
+
+        @token_store.load user_id
+      end
+
       # Begin watching a credential for refreshes so the access token can be
       # saved.
       #
@@ -248,9 +257,9 @@ module Google
       #  Unique ID of the user for loading/storing credentials.
       # @param [Google::Auth::UserRefreshCredentials] credentials
       #  Credentials to store.
-      def monitor_credentials(user_id, credentials)
+      def monitor_credentials user_id, credentials
         credentials.on_refresh do |cred|
-          store_credentials(user_id, cred)
+          store_credentials user_id, cred
         end
         credentials
       end
@@ -261,13 +270,16 @@ module Google
       #  Absolute URL to resolve the callback against if necessary.
       # @return [String]
       #  Redirect URI
-      def redirect_uri_for(base_url)
-        return @callback_uri unless URI(@callback_uri).scheme.nil?
-        fail sprintf(
-          MISSING_ABSOLUTE_URL_ERROR,
-          @callback_uri) if base_url.nil? || URI(base_url).scheme.nil?
+      def redirect_uri_for base_url
+        return @callback_uri if uri_is_postmessage?(@callback_uri) || !URI(@callback_uri).scheme.nil?
+        raise format(MISSING_ABSOLUTE_URL_ERROR, @callback_uri) if base_url.nil? || URI(base_url).scheme.nil?
         URI.join(base_url, @callback_uri).to_s
       end
+
+      # Check if URI is Google's postmessage flow (not a valid redirect_uri by spec, but allowed)
+      def uri_is_postmessage? uri
+        uri.to_s.casecmp("postmessage").zero?
+      end
     end
   end
 end

data/lib/googleauth/user_refresh.rb

@@ -27,10 +27,10 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'googleauth/signet'
-require 'googleauth/credentials_loader'
-require 'googleauth/scope_util'
-require 'multi_json'
+require "googleauth/signet"
+require "googleauth/credentials_loader"
+require "googleauth/scope_util"
+require "multi_json"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -44,63 +44,72 @@ module Google
     # 'gcloud auth login' saves a file with these contents in well known
     # location
     #
-    # cf [Application Default Credentials](http://goo.gl/mkAHpZ)
+    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
     class UserRefreshCredentials < Signet::OAuth2::Client
-      TOKEN_CRED_URI = 'https://www.googleapis.com/oauth2/v3/token'
-      AUTHORIZATION_URI = 'https://accounts.google.com/o/oauth2/auth'
-      REVOKE_TOKEN_URI = 'https://accounts.google.com/o/oauth2/revoke'
+      TOKEN_CRED_URI = "https://oauth2.googleapis.com/token".freeze
+      AUTHORIZATION_URI = "https://accounts.google.com/o/oauth2/auth".freeze
+      REVOKE_TOKEN_URI = "https://oauth2.googleapis.com/revoke".freeze
       extend CredentialsLoader
+      attr_reader :project_id
 
       # Create a UserRefreshCredentials.
       #
       # @param json_key_io [IO] an IO from which the JSON key can be read
       # @param scope [string|array|nil] the scope(s) to access
-      def self.make_creds(options = {})
-        json_key_io, scope = options.values_at(:json_key_io, :scope)
-        user_creds = read_json_key(json_key_io) if json_key_io
+      def self.make_creds options = {}
+        json_key_io, scope = options.values_at :json_key_io, :scope
+        user_creds = read_json_key json_key_io if json_key_io
         user_creds ||= {
-          'client_id'     => ENV[CredentialsLoader::CLIENT_ID_VAR],
-          'client_secret' => ENV[CredentialsLoader::CLIENT_SECRET_VAR],
-          'refresh_token' => ENV[CredentialsLoader::REFRESH_TOKEN_VAR]
+          "client_id"     => ENV[CredentialsLoader::CLIENT_ID_VAR],
+          "client_secret" => ENV[CredentialsLoader::CLIENT_SECRET_VAR],
+          "refresh_token" => ENV[CredentialsLoader::REFRESH_TOKEN_VAR],
+          "project_id"    => ENV[CredentialsLoader::PROJECT_ID_VAR]
         }
 
         new(token_credential_uri: TOKEN_CRED_URI,
-            client_id: user_creds['client_id'],
-            client_secret: user_creds['client_secret'],
-            refresh_token: user_creds['refresh_token'],
-            scope: scope)
+            client_id:            user_creds["client_id"],
+            client_secret:        user_creds["client_secret"],
+            refresh_token:        user_creds["refresh_token"],
+            project_id:           user_creds["project_id"],
+            scope:                scope)
+          .configure_connection(options)
       end
 
       # Reads the client_id, client_secret and refresh_token fields from the
       # JSON key.
-      def self.read_json_key(json_key_io)
-        json_key = MultiJson.load(json_key_io.read)
-        wanted = %w(client_id client_secret refresh_token)
+      def self.read_json_key json_key_io
+        json_key = MultiJson.load json_key_io.read
+        wanted = ["client_id", "client_secret", "refresh_token"]
         wanted.each do |key|
-          fail "the json is missing the #{key} field" unless json_key.key?(key)
+          raise "the json is missing the #{key} field" unless json_key.key? key
         end
         json_key
       end
 
-      def initialize(options = {})
+      def initialize options = {}
         options ||= {}
         options[:token_credential_uri] ||= TOKEN_CRED_URI
         options[:authorization_uri] ||= AUTHORIZATION_URI
-        super(options)
+        @project_id = options[:project_id]
+        @project_id ||= CredentialsLoader.load_gcloud_project_id
+        super options
       end
 
       # Revokes the credential
-      def revoke!(options = {})
+      def revoke! options = {}
         c = options[:connection] || Faraday.default_connection
-        resp = c.get(REVOKE_TOKEN_URI, token: refresh_token || access_token)
-        case resp.status
-        when 200
-          self.access_token = nil
-          self.refresh_token = nil
-          self.expires_at = 0
-        else
-          fail(Signet::AuthorizationError,
-               "Unexpected error code #{resp.status}")
+
+        retry_with_error do
+          resp = c.post(REVOKE_TOKEN_URI, token: refresh_token || access_token)
+          case resp.status
+          when 200
+            self.access_token = nil
+            self.refresh_token = nil
+            self.expires_at = 0
+          else
+            raise(Signet::AuthorizationError,
+                  "Unexpected error code #{resp.status}")
+          end
         end
       end
 
@@ -110,7 +119,7 @@ module Google
       #  Scope to verify
       # @return [Boolean]
       #  True if scope is granted
-      def includes_scope?(required_scope)
+      def includes_scope? required_scope
         missing_scope = Google::Auth::ScopeUtil.normalize(required_scope) -
                         Google::Auth::ScopeUtil.normalize(scope)
         missing_scope.empty?