googleauth 0.8.1 → 0.16.0

data/lib/googleauth/id_tokens/verifier.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+# Copyright 2020 Google LLC
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "jwt"
+
+module Google
+  module Auth
+    module IDTokens
+      ##
+      # An object that can verify ID tokens.
+      #
+      # A verifier maintains a set of default settings, including the key
+      # source and fields to verify. However, individual verification calls can
+      # override any of these settings.
+      #
+      class Verifier
+        ##
+        # Create a verifier.
+        #
+        # @param key_source [key source] The default key source to use. All
+        #     verification calls must have a key source, so if no default key
+        #     source is provided here, then calls to {#verify} _must_ provide
+        #     a key source.
+        # @param aud [String,nil] The default audience (`aud`) check, or `nil`
+        #     for no check.
+        # @param azp [String,nil] The default authorized party (`azp`) check,
+        #     or `nil` for no check.
+        # @param iss [String,nil] The default issuer (`iss`) check, or `nil`
+        #     for no check.
+        #
+        def initialize key_source: nil,
+                       aud:        nil,
+                       azp:        nil,
+                       iss:        nil
+          @key_source = key_source
+          @aud = aud
+          @azp = azp
+          @iss = iss
+        end
+
+        ##
+        # Verify the given token.
+        #
+        # @param token [String] the ID token to verify.
+        # @param key_source [key source] If given, override the key source.
+        # @param aud [String,nil] If given, override the `aud` check.
+        # @param azp [String,nil] If given, override the `azp` check.
+        # @param iss [String,nil] If given, override the `iss` check.
+        #
+        # @return [Hash] the decoded payload, if verification succeeded.
+        # @raise [KeySourceError] if the key source failed to obtain public keys
+        # @raise [VerificationError] if the token verification failed.
+        #     Additional data may be available in the error subclass and message.
+        #
+        def verify token,
+                   key_source: :default,
+                   aud:        :default,
+                   azp:        :default,
+                   iss:        :default
+          key_source = @key_source if key_source == :default
+          aud = @aud if aud == :default
+          azp = @azp if azp == :default
+          iss = @iss if iss == :default
+
+          raise KeySourceError, "No key sources" unless key_source
+          keys = key_source.current_keys
+          payload = decode_token token, keys, aud, azp, iss
+          unless payload
+            keys = key_source.refresh_keys
+            payload = decode_token token, keys, aud, azp, iss
+          end
+          raise SignatureError, "Token not verified as issued by Google" unless payload
+          payload
+        end
+
+        private
+
+        def decode_token token, keys, aud, azp, iss
+          payload = nil
+          keys.find do |key|
+            options = { algorithms: key.algorithm }
+            decoded_token = JWT.decode token, key.key, true, options
+            payload = decoded_token.first
+          rescue JWT::ExpiredSignature
+            raise ExpiredTokenError, "Token signature is expired"
+          rescue JWT::DecodeError
+            nil # Try the next key
+          end
+
+          normalize_and_verify_payload payload, aud, azp, iss
+        end
+
+        def normalize_and_verify_payload payload, aud, azp, iss
+          return nil unless payload
+
+          # Map the legacy "cid" claim to the canonical "azp"
+          payload["azp"] ||= payload["cid"] if payload.key? "cid"
+
+          # Payload content validation
+          if aud && (Array(aud) & Array(payload["aud"])).empty?
+            raise AudienceMismatchError, "Token aud mismatch: #{payload['aud']}"
+          end
+          if azp && (Array(azp) & Array(payload["azp"])).empty?
+            raise AuthorizedPartyMismatchError, "Token azp mismatch: #{payload['azp']}"
+          end
+          if iss && (Array(iss) & Array(payload["iss"])).empty?
+            raise IssuerMismatchError, "Token iss mismatch: #{payload['iss']}"
+          end
+
+          payload
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/json_key_reader.rb

@@ -38,8 +38,12 @@ module Google
         json_key = MultiJson.load json_key_io.read
         raise "missing client_email" unless json_key.key? "client_email"
         raise "missing private_key" unless json_key.key? "private_key"
-        project_id = json_key["project_id"]
-        [json_key["private_key"], json_key["client_email"], project_id]
+        [
+          json_key["private_key"],
+          json_key["client_email"],
+          json_key["project_id"],
+          json_key["quota_project_id"]
+        ]
       end
     end
   end

data/lib/googleauth/scope_util.rb

@@ -51,7 +51,7 @@ module Google
         when Array
           scope
         when String
-          scope.split " "
+          scope.split
         else
           raise "Invalid scope value. Must be string or array"
         end

data/lib/googleauth/service_account.rb

@@ -45,34 +45,47 @@ module Google
     # from credentials from a json key file downloaded from the developer
     # console (via 'Generate new Json Key').
     #
-    # cf [Application Default Credentials](http://goo.gl/mkAHpZ)
+    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
     class ServiceAccountCredentials < Signet::OAuth2::Client
       TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
       extend CredentialsLoader
       extend JsonKeyReader
       attr_reader :project_id
+      attr_reader :quota_project_id
+
+      def enable_self_signed_jwt?
+        @enable_self_signed_jwt
+      end
 
       # Creates a ServiceAccountCredentials.
       #
       # @param json_key_io [IO] an IO from which the JSON key can be read
       # @param scope [string|array|nil] the scope(s) to access
       def self.make_creds options = {}
-        json_key_io, scope = options.values_at :json_key_io, :scope
+        json_key_io, scope, enable_self_signed_jwt, target_audience, audience, token_credential_uri =
+          options.values_at :json_key_io, :scope, :enable_self_signed_jwt, :target_audience,
+                            :audience, :token_credential_uri
+        raise ArgumentError, "Cannot specify both scope and target_audience" if scope && target_audience
+
         if json_key_io
-          private_key, client_email, project_id = read_json_key json_key_io
+          private_key, client_email, project_id, quota_project_id = read_json_key json_key_io
         else
           private_key = unescape ENV[CredentialsLoader::PRIVATE_KEY_VAR]
           client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
           project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
+          quota_project_id = nil
         end
         project_id ||= CredentialsLoader.load_gcloud_project_id
 
-        new(token_credential_uri: TOKEN_CRED_URI,
-            audience:             TOKEN_CRED_URI,
-            scope:                scope,
-            issuer:               client_email,
-            signing_key:          OpenSSL::PKey::RSA.new(private_key),
-            project_id:           project_id)
+        new(token_credential_uri:   token_credential_uri || TOKEN_CRED_URI,
+            audience:               audience || TOKEN_CRED_URI,
+            scope:                  scope,
+            enable_self_signed_jwt: enable_self_signed_jwt,
+            target_audience:        target_audience,
+            issuer:                 client_email,
+            signing_key:            OpenSSL::PKey::RSA.new(private_key),
+            project_id:             project_id,
+            quota_project_id:       quota_project_id)
           .configure_connection(options)
       end
 
@@ -87,30 +100,34 @@ module Google
 
       def initialize options = {}
         @project_id = options[:project_id]
+        @quota_project_id = options[:quota_project_id]
+        @enable_self_signed_jwt = options[:enable_self_signed_jwt] ? true : false
         super options
       end
 
-      # Extends the base class.
-      #
-      # If scope(s) is not set, it creates a transient
-      # ServiceAccountJwtHeaderCredentials instance and uses that to
-      # authenticate instead.
+      # Extends the base class to use a transient
+      # ServiceAccountJwtHeaderCredentials for certain cases.
       def apply! a_hash, opts = {}
-        # Use the base implementation if scopes are set
-        unless scope.nil?
+        # Use a self-singed JWT if there's no information that can be used to
+        # obtain an OAuth token, OR if there are scopes but also an assertion
+        # that they are default scopes that shouldn't be used to fetch a token.
+        if target_audience.nil? && (scope.nil? || enable_self_signed_jwt?)
+          apply_self_signed_jwt! a_hash
+        else
           super
-          return
         end
+      end
+
+      private
 
+      def apply_self_signed_jwt! a_hash
         # Use the ServiceAccountJwtHeaderCredentials using the same cred values
-        # if no scopes are set.
         cred_json = {
           private_key:  @signing_key.to_s,
           client_email: @issuer
         }
-        alt_clz = ServiceAccountJwtHeaderCredentials
         key_io = StringIO.new MultiJson.dump(cred_json)
-        alt = alt_clz.make_creds json_key_io: key_io
+        alt = ServiceAccountJwtHeaderCredentials.make_creds json_key_io: key_io
         alt.apply! a_hash
       end
     end
@@ -123,7 +140,7 @@ module Google
     # console (via 'Generate new Json Key').  It is not part of any OAuth2
     # flow, rather it creates a JWT and sends that as a credential.
     #
-    # cf [Application Default Credentials](http://goo.gl/mkAHpZ)
+    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
     class ServiceAccountJwtHeaderCredentials
       JWT_AUD_URI_KEY = :jwt_aud_uri
       AUTH_METADATA_KEY = Signet::OAuth2::AUTH_METADATA_KEY
@@ -133,6 +150,7 @@ module Google
       extend CredentialsLoader
       extend JsonKeyReader
       attr_reader :project_id
+      attr_reader :quota_project_id
 
       # make_creds proxies the construction of a credentials instance
       #
@@ -151,12 +169,13 @@ module Google
       def initialize options = {}
         json_key_io = options[:json_key_io]
         if json_key_io
-          @private_key, @issuer, @project_id =
+          @private_key, @issuer, @project_id, @quota_project_id =
             self.class.read_json_key json_key_io
         else
           @private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
           @issuer = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
           @project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
+          @quota_project_id = nil
         end
         @project_id ||= CredentialsLoader.load_gcloud_project_id
         @signing_key = OpenSSL::PKey::RSA.new @private_key
@@ -184,7 +203,7 @@ module Google
       # Returns a reference to the #apply method, suitable for passing as
       # a closure
       def updater_proc
-        lambda(&method(:apply))
+        proc { |a_hash, opts = {}| apply a_hash, opts }
       end
 
       protected

data/lib/googleauth/signet.rb

@@ -48,8 +48,9 @@ module Signet
       def apply! a_hash, opts = {}
         # fetch the access token there is currently not one, or if the client
         # has expired
-        fetch_access_token! opts if access_token.nil? || expires_within?(60)
-        a_hash[AUTH_METADATA_KEY] = "Bearer #{access_token}"
+        token_type = target_audience ? :id_token : :access_token
+        fetch_access_token! opts if send(token_type).nil? || expires_within?(60)
+        a_hash[AUTH_METADATA_KEY] = "Bearer #{send token_type}"
       end
 
       # Returns a clone of a_hash updated with the authentication token
@@ -62,11 +63,11 @@ module Signet
       # Returns a reference to the #apply method, suitable for passing as
       # a closure
       def updater_proc
-        lambda(&method(:apply))
+        proc { |a_hash, opts = {}| apply a_hash, opts }
       end
 
       def on_refresh &block
-        @refresh_listeners ||= []
+        @refresh_listeners = [] unless defined? @refresh_listeners
         @refresh_listeners << block
       end
 
@@ -76,13 +77,15 @@ module Signet
           connection = build_default_connection
           options = options.merge connection: connection if connection
         end
-        info = orig_fetch_access_token! options
+        info = retry_with_error do
+          orig_fetch_access_token! options
+        end
         notify_refresh_listeners
         info
       end
 
       def notify_refresh_listeners
-        listeners = @refresh_listeners || []
+        listeners = defined?(@refresh_listeners) ? @refresh_listeners : []
         listeners.each do |block|
           block.call self
         end

data/lib/googleauth/stores/file_token_store.rb

@@ -40,6 +40,7 @@ module Google
         # @param [String, File] file
         #  Path to storage file
         def initialize options = {}
+          super()
           path = options[:file]
           @store = YAML::Store.new path
         end

data/lib/googleauth/stores/redis_token_store.rb

@@ -49,6 +49,7 @@ module Google
         #  the options passed through. You may include any other keys accepted
         #  by `Redis.new`
         def initialize options = {}
+          super()
           redis = options.delete :redis
           prefix = options.delete :prefix
           @redis = case redis

data/lib/googleauth/user_authorizer.rb

@@ -271,10 +271,15 @@ module Google
       # @return [String]
       #  Redirect URI
       def redirect_uri_for base_url
-        return @callback_uri unless URI(@callback_uri).scheme.nil?
+        return @callback_uri if uri_is_postmessage?(@callback_uri) || !URI(@callback_uri).scheme.nil?
         raise format(MISSING_ABSOLUTE_URL_ERROR, @callback_uri) if base_url.nil? || URI(base_url).scheme.nil?
         URI.join(base_url, @callback_uri).to_s
       end
+
+      # Check if URI is Google's postmessage flow (not a valid redirect_uri by spec, but allowed)
+      def uri_is_postmessage? uri
+        uri.to_s.casecmp("postmessage").zero?
+      end
     end
   end
 end

data/lib/googleauth/user_refresh.rb

@@ -44,7 +44,7 @@ module Google
     # 'gcloud auth login' saves a file with these contents in well known
     # location
     #
-    # cf [Application Default Credentials](http://goo.gl/mkAHpZ)
+    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
     class UserRefreshCredentials < Signet::OAuth2::Client
       TOKEN_CRED_URI = "https://oauth2.googleapis.com/token".freeze
       AUTHORIZATION_URI = "https://accounts.google.com/o/oauth2/auth".freeze
@@ -79,7 +79,7 @@ module Google
       # JSON key.
       def self.read_json_key json_key_io
         json_key = MultiJson.load json_key_io.read
-        wanted = %w[client_id client_secret refresh_token]
+        wanted = ["client_id", "client_secret", "refresh_token"]
         wanted.each do |key|
           raise "the json is missing the #{key} field" unless json_key.key? key
         end

data/lib/googleauth/version.rb

@@ -31,6 +31,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "0.8.1".freeze
+    VERSION = "0.16.0".freeze
   end
 end

data/lib/googleauth/web_user_authorizer.rb

@@ -58,12 +58,9 @@ module Google
     #    end
     #
     # Instead of implementing the callback directly, applications are
-    # encouraged to use {Google::Auth::Web::AuthCallbackApp} instead.
+    # encouraged to use {Google::Auth::WebUserAuthorizer::CallbackApp} instead.
     #
-    # For rails apps, see {Google::Auth::ControllerHelpers}
-    #
-    # @see {Google::Auth::AuthCallbackApp}
-    # @see {Google::Auth::ControllerHelpers}
+    # @see CallbackApp
     # @note Requires sessions are enabled
     class WebUserAuthorizer < Google::Auth::UserAuthorizer
       STATE_PARAM = "state".freeze
@@ -154,6 +151,8 @@ module Google
       # @param [String, Array<String>] scope
       #  Authorization scope to request. Overrides the instance scopes if
       #  not nil.
+      # @param [Hash] state
+      #  Optional key-values to be returned to the oauth callback.
       # @return [String]
       #  Authorization url
       def get_authorization_url options = {}
@@ -162,22 +161,25 @@ module Google
         raise NIL_REQUEST_ERROR if request.nil?
         raise NIL_SESSION_ERROR if request.session.nil?
 
+        state = options[:state] || {}
+
         redirect_to = options[:redirect_to] || request.url
         request.session[XSRF_KEY] = SecureRandom.base64
-        options[:state] = MultiJson.dump(
-          SESSION_ID_KEY  => request.session[XSRF_KEY],
-          CURRENT_URI_KEY => redirect_to
-        )
+        options[:state] = MultiJson.dump(state.merge(
+                                           SESSION_ID_KEY  => request.session[XSRF_KEY],
+                                           CURRENT_URI_KEY => redirect_to
+                                         ))
         options[:base_url] = request.url
         super options
       end
 
-      # Fetch stored credentials for the user.
+      # Fetch stored credentials for the user from the given request session.
       #
       # @param [String] user_id
       #  Unique ID of the user for loading/storing credentials.
       # @param [Rack::Request] request
-      #  Current request
+      #  Current request. Optional. If omitted, this will attempt to fall back
+      #  on the base class behavior of reading from the token store.
       # @param [Array<String>, String] scope
       #  If specified, only returns credentials that have all the \
       #  requested scopes
@@ -186,8 +188,8 @@ module Google
       # @raise [Signet::AuthorizationError]
       #  May raise an error if an authorization code is present in the session
       #  and exchange of the code fails
-      def get_credentials user_id, request, scope = nil
-        if request.session.key? CALLBACK_STATE_KEY
+      def get_credentials user_id, request = nil, scope = nil
+        if request&.session&.key? CALLBACK_STATE_KEY
           # Note - in theory, no need to check required scope as this is
           # expected to be called immediately after a return from authorization
           state_json = request.session.delete CALLBACK_STATE_KEY
@@ -256,7 +258,7 @@ module Google
       #       Google::Auth::WebUserAuthorizer::CallbackApp.call(env)
       #     end
       #
-      # @see {Google::Auth::WebUserAuthorizer}
+      # @see Google::Auth::WebUserAuthorizer
       class CallbackApp
         LOCATION_HEADER = "Location".freeze
         REDIR_STATUS = 302