googleauth 0.8.1 → 0.16.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/CODEOWNERS +7 -0
- data/.github/workflows/release.yml +39 -0
- data/.kokoro/build.bat +9 -1
- data/.kokoro/continuous/linux.cfg +12 -2
- data/.kokoro/continuous/osx.cfg +5 -0
- data/.kokoro/continuous/post.cfg +30 -0
- data/.kokoro/continuous/windows.cfg +27 -1
- data/.kokoro/presubmit/linux.cfg +11 -1
- data/.kokoro/presubmit/osx.cfg +5 -0
- data/.kokoro/presubmit/windows.cfg +27 -1
- data/.kokoro/release.cfg +42 -1
- data/.kokoro/trampoline.bat +10 -0
- data/.repo-metadata.json +5 -0
- data/.rubocop.yml +8 -2
- data/CHANGELOG.md +94 -20
- data/Gemfile +7 -7
- data/{COPYING → LICENSE} +0 -0
- data/README.md +12 -15
- data/Rakefile +48 -5
- data/googleauth.gemspec +7 -3
- data/integration/helper.rb +31 -0
- data/integration/id_tokens/key_source_test.rb +74 -0
- data/lib/googleauth.rb +1 -0
- data/lib/googleauth/application_default.rb +2 -2
- data/lib/googleauth/compute_engine.rb +45 -20
- data/lib/googleauth/credentials.rb +445 -71
- data/lib/googleauth/credentials_loader.rb +11 -9
- data/lib/googleauth/iam.rb +1 -1
- data/lib/googleauth/id_tokens.rb +233 -0
- data/lib/googleauth/id_tokens/errors.rb +71 -0
- data/lib/googleauth/id_tokens/key_sources.rb +396 -0
- data/lib/googleauth/id_tokens/verifier.rb +142 -0
- data/lib/googleauth/json_key_reader.rb +6 -2
- data/lib/googleauth/scope_util.rb +1 -1
- data/lib/googleauth/service_account.rb +42 -23
- data/lib/googleauth/signet.rb +9 -6
- data/lib/googleauth/stores/file_token_store.rb +1 -0
- data/lib/googleauth/stores/redis_token_store.rb +1 -0
- data/lib/googleauth/user_authorizer.rb +6 -1
- data/lib/googleauth/user_refresh.rb +2 -2
- data/lib/googleauth/version.rb +1 -1
- data/lib/googleauth/web_user_authorizer.rb +16 -14
- data/rakelib/devsite_builder.rb +45 -0
- data/rakelib/link_checker.rb +64 -0
- data/rakelib/repo_metadata.rb +59 -0
- data/spec/googleauth/apply_auth_examples.rb +28 -5
- data/spec/googleauth/compute_engine_spec.rb +69 -13
- data/spec/googleauth/credentials_spec.rb +492 -165
- data/spec/googleauth/service_account_spec.rb +31 -16
- data/spec/googleauth/signet_spec.rb +46 -7
- data/spec/googleauth/user_authorizer_spec.rb +21 -1
- data/spec/googleauth/user_refresh_spec.rb +1 -1
- data/spec/googleauth/web_user_authorizer_spec.rb +6 -0
- data/test/helper.rb +33 -0
- data/test/id_tokens/key_sources_test.rb +240 -0
- data/test/id_tokens/verifier_test.rb +269 -0
- metadata +49 -13
- data/.kokoro/windows.sh +0 -4
|
@@ -0,0 +1,269 @@
|
|
|
1
|
+
# Copyright 2020 Google LLC
|
|
2
|
+
#
|
|
3
|
+
# Redistribution and use in source and binary forms, with or without
|
|
4
|
+
# modification, are permitted provided that the following conditions are
|
|
5
|
+
# met:
|
|
6
|
+
#
|
|
7
|
+
# * Redistributions of source code must retain the above copyright
|
|
8
|
+
# notice, this list of conditions and the following disclaimer.
|
|
9
|
+
# * Redistributions in binary form must reproduce the above
|
|
10
|
+
# copyright notice, this list of conditions and the following disclaimer
|
|
11
|
+
# in the documentation and/or other materials provided with the
|
|
12
|
+
# distribution.
|
|
13
|
+
# * Neither the name of Google Inc. nor the names of its
|
|
14
|
+
# contributors may be used to endorse or promote products derived from
|
|
15
|
+
# this software without specific prior written permission.
|
|
16
|
+
#
|
|
17
|
+
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
18
|
+
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
19
|
+
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
20
|
+
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
21
|
+
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
22
|
+
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
23
|
+
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
24
|
+
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
25
|
+
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
26
|
+
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
27
|
+
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
28
|
+
|
|
29
|
+
require "helper"
|
|
30
|
+
|
|
31
|
+
describe Google::Auth::IDTokens::Verifier do
|
|
32
|
+
describe "verify_oidc" do
|
|
33
|
+
let(:oidc_token) {
|
|
34
|
+
"eyJhbGciOiJSUzI1NiIsImtpZCI6IjQ5MjcxMGE3ZmNkYjE1Mzk2MGNlMDFmNzYwNTIwY" \
|
|
35
|
+
"TMyYzg0NTVkZmYiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwOi8vZXhhbXBsZS5jb20" \
|
|
36
|
+
"iLCJhenAiOiI1NDIzMzkzNTc2MzgtY3IwZHNlcnIyZXZnN3N2MW1lZ2hxZXU3MDMyNzRm" \
|
|
37
|
+
"M2hAZGV2ZWxvcGVyLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJlbWFpbCI6IjU0MjMzOTM1N" \
|
|
38
|
+
"zYzOC1jcjBkc2VycjJldmc3c3YxbWVnaHFldTcwMzI3NGYzaEBkZXZlbG9wZXIuZ3Nlcn" \
|
|
39
|
+
"ZpY2VhY2NvdW50LmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJleHAiOjE1OTEzNDI" \
|
|
40
|
+
"3NzYsImlhdCI6MTU5MTMzOTE3NiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUu" \
|
|
41
|
+
"Y29tIiwic3ViIjoiMTA0MzQxNDczMTMxODI1OTU3NjAzIn0.GGDE_5HoLacyqdufdxnAC" \
|
|
42
|
+
"rXxYySKQYAzSQ5qfGjSUriuO3uLm2-rwSPFfLzzBeflEHdVX7XRFFszpxKajuZklF4dXd" \
|
|
43
|
+
"0evB1u5i3QeCJ8MSZKKx6qus_ETJv4rtuPNEuyhaRcShB7BwI8RY0IZ4_EDrhYqYInrO2" \
|
|
44
|
+
"wQyJGYvc41JcmoKzRoNnEVydN0Qppt9bqevq_lJg-9UjJkJ2QHjPfTgMjwhLIgNptKgtR" \
|
|
45
|
+
"qdoRpJmleFlbuUqyPPJfAzv3Tc6h3kw88tEcI8R3n04xmHOSMwERFFQYJdQDMd2F9SSDe" \
|
|
46
|
+
"rh40codO_GuPZ7bEUiKq9Lkx2LH5TuhythfsMzIwJpaEA"
|
|
47
|
+
}
|
|
48
|
+
let(:oidc_jwk_body) {
|
|
49
|
+
<<~JWK
|
|
50
|
+
{
|
|
51
|
+
"keys": [
|
|
52
|
+
{
|
|
53
|
+
"kid": "fb8ca5b7d8d9a5c6c6788071e866c6c40f3fc1f9",
|
|
54
|
+
"e": "AQAB",
|
|
55
|
+
"alg": "RS256",
|
|
56
|
+
"use": "sig",
|
|
57
|
+
"n": "zK8PHf_6V3G5rU-viUOL1HvAYn7q--dxMoUkt7x1rSWX6fimla-lpoYAKhFTLUELkRKy_6UDzfybz0P9eItqS2UxVWYpKYmKTQ08HgUBUde4GtO_B0SkSk8iLtGh653UBBjgXmfzdfQEz_DsaWn7BMtuAhY9hpMtJye8LQlwaS8ibQrsC0j0GZM5KXRITHwfx06_T1qqC_MOZRA6iJs-J2HNlgeyFuoQVBTY6pRqGXa-qaVsSG3iU-vqNIciFquIq-xydwxLqZNksRRer5VAsSHf0eD3g2DX-cf6paSy1aM40svO9EfSvG_07MuHafEE44RFvSZZ4ubEN9U7ALSjdw",
|
|
58
|
+
"kty": "RSA"
|
|
59
|
+
},
|
|
60
|
+
{
|
|
61
|
+
"kty": "RSA",
|
|
62
|
+
"kid": "492710a7fcdb153960ce01f760520a32c8455dff",
|
|
63
|
+
"e": "AQAB",
|
|
64
|
+
"alg": "RS256",
|
|
65
|
+
"use": "sig",
|
|
66
|
+
"n": "wl6TaY_3dsuLczYH_hioeQ5JjcLKLGYb--WImN9_IKMkOj49dgs25wkjsdI9XGJYhhPJLlvfjIfXH49ZGA_XKLx7fggNaBRZcj1y-I3_77tVa9N7An5JLq3HT9XVt0PNTq0mtX009z1Hva4IWZ5IhENx2rWlZOfFAXiMUqhnDc8VY3lG7vr8_VG3cw3XRKvlZQKbb6p2YIMFsUwaDGL2tVF4SkxpxIazUYfOY5lijyVugNTslOBhlEMq_43MZlkznSrbFx8ToQ2bQX4Shj-r9pLyofbo6A7K9mgWnQXGY5rQVLPYYRzUg0ThWDzwHdgxYC5MNxKyQH4RC2LPv3U0LQ"
|
|
67
|
+
}
|
|
68
|
+
]
|
|
69
|
+
}
|
|
70
|
+
JWK
|
|
71
|
+
}
|
|
72
|
+
let(:expected_aud) { "http://example.com" }
|
|
73
|
+
let(:expected_azp) { "542339357638-cr0dserr2evg7sv1meghqeu703274f3h@developer.gserviceaccount.com" }
|
|
74
|
+
let(:unexpired_test_time) { Time.at 1591339181 }
|
|
75
|
+
let(:expired_test_time) { unexpired_test_time + 86400 }
|
|
76
|
+
|
|
77
|
+
after do
|
|
78
|
+
WebMock.reset!
|
|
79
|
+
Google::Auth::IDTokens.forget_sources!
|
|
80
|
+
end
|
|
81
|
+
|
|
82
|
+
it "verifies a good token with iss, aud, and azp checks" do
|
|
83
|
+
stub_request(:get, Google::Auth::IDTokens::OAUTH2_V3_CERTS_URL).to_return(body: oidc_jwk_body)
|
|
84
|
+
Time.stub :now, unexpired_test_time do
|
|
85
|
+
Google::Auth::IDTokens.verify_oidc oidc_token, aud: expected_aud, azp: expected_azp
|
|
86
|
+
end
|
|
87
|
+
end
|
|
88
|
+
|
|
89
|
+
it "fails to verify a bad token" do
|
|
90
|
+
stub_request(:get, Google::Auth::IDTokens::OAUTH2_V3_CERTS_URL).to_return(body: oidc_jwk_body)
|
|
91
|
+
Time.stub :now, unexpired_test_time do
|
|
92
|
+
assert_raises Google::Auth::IDTokens::SignatureError do
|
|
93
|
+
Google::Auth::IDTokens.verify_oidc "#{oidc_token}x"
|
|
94
|
+
end
|
|
95
|
+
end
|
|
96
|
+
end
|
|
97
|
+
|
|
98
|
+
it "fails to verify a token with the wrong aud" do
|
|
99
|
+
stub_request(:get, Google::Auth::IDTokens::OAUTH2_V3_CERTS_URL).to_return(body: oidc_jwk_body)
|
|
100
|
+
Time.stub :now, unexpired_test_time do
|
|
101
|
+
assert_raises Google::Auth::IDTokens::AudienceMismatchError do
|
|
102
|
+
Google::Auth::IDTokens.verify_oidc oidc_token, aud: ["hello", "world"]
|
|
103
|
+
end
|
|
104
|
+
end
|
|
105
|
+
end
|
|
106
|
+
|
|
107
|
+
it "fails to verify a token with the wrong azp" do
|
|
108
|
+
stub_request(:get, Google::Auth::IDTokens::OAUTH2_V3_CERTS_URL).to_return(body: oidc_jwk_body)
|
|
109
|
+
Time.stub :now, unexpired_test_time do
|
|
110
|
+
assert_raises Google::Auth::IDTokens::AuthorizedPartyMismatchError do
|
|
111
|
+
Google::Auth::IDTokens.verify_oidc oidc_token, azp: "hello"
|
|
112
|
+
end
|
|
113
|
+
end
|
|
114
|
+
end
|
|
115
|
+
|
|
116
|
+
it "fails to verify a token with the wrong issuer" do
|
|
117
|
+
stub_request(:get, Google::Auth::IDTokens::OAUTH2_V3_CERTS_URL).to_return(body: oidc_jwk_body)
|
|
118
|
+
Time.stub :now, unexpired_test_time do
|
|
119
|
+
assert_raises Google::Auth::IDTokens::IssuerMismatchError do
|
|
120
|
+
Google::Auth::IDTokens.verify_oidc oidc_token, iss: "hello"
|
|
121
|
+
end
|
|
122
|
+
end
|
|
123
|
+
end
|
|
124
|
+
|
|
125
|
+
it "fails to verify an expired token" do
|
|
126
|
+
stub_request(:get, Google::Auth::IDTokens::OAUTH2_V3_CERTS_URL).to_return(body: oidc_jwk_body)
|
|
127
|
+
Time.stub :now, expired_test_time do
|
|
128
|
+
assert_raises Google::Auth::IDTokens::ExpiredTokenError do
|
|
129
|
+
Google::Auth::IDTokens.verify_oidc oidc_token
|
|
130
|
+
end
|
|
131
|
+
end
|
|
132
|
+
end
|
|
133
|
+
end
|
|
134
|
+
|
|
135
|
+
describe "verify_iap" do
|
|
136
|
+
let(:iap_token) {
|
|
137
|
+
"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjBvZUxjUSJ9.eyJhdWQiOiIvcH" \
|
|
138
|
+
"JvamVjdHMvNjUyNTYyNzc2Nzk4L2FwcHMvY2xvdWQtc2FtcGxlcy10ZXN0cy1waHAtaWFwI" \
|
|
139
|
+
"iwiZW1haWwiOiJkYXp1bWFAZ29vZ2xlLmNvbSIsImV4cCI6MTU5MTMzNTcyNCwiZ29vZ2xl" \
|
|
140
|
+
"Ijp7ImFjY2Vzc19sZXZlbHMiOlsiYWNjZXNzUG9saWNpZXMvNTE4NTUxMjgwOTI0L2FjY2V" \
|
|
141
|
+
"zc0xldmVscy9yZWNlbnRTZWN1cmVDb25uZWN0RGF0YSIsImFjY2Vzc1BvbGljaWVzLzUxOD" \
|
|
142
|
+
"U1MTI4MDkyNC9hY2Nlc3NMZXZlbHMvdGVzdE5vT3AiLCJhY2Nlc3NQb2xpY2llcy81MTg1N" \
|
|
143
|
+
"TEyODA5MjQvYWNjZXNzTGV2ZWxzL2V2YXBvcmF0aW9uUWFEYXRhRnVsbHlUcnVzdGVkIiwi" \
|
|
144
|
+
"YWNjZXNzUG9saWNpZXMvNTE4NTUxMjgwOTI0L2FjY2Vzc0xldmVscy9jYWFfZGlzYWJsZWQ" \
|
|
145
|
+
"iLCJhY2Nlc3NQb2xpY2llcy81MTg1NTEyODA5MjQvYWNjZXNzTGV2ZWxzL3JlY2VudE5vbk" \
|
|
146
|
+
"1vYmlsZVNlY3VyZUNvbm5lY3REYXRhIiwiYWNjZXNzUG9saWNpZXMvNTE4NTUxMjgwOTI0L" \
|
|
147
|
+
"2FjY2Vzc0xldmVscy9jb25jb3JkIiwiYWNjZXNzUG9saWNpZXMvNTE4NTUxMjgwOTI0L2Fj" \
|
|
148
|
+
"Y2Vzc0xldmVscy9mdWxseVRydXN0ZWRfY2FuYXJ5RGF0YSIsImFjY2Vzc1BvbGljaWVzLzU" \
|
|
149
|
+
"xODU1MTI4MDkyNC9hY2Nlc3NMZXZlbHMvZnVsbHlUcnVzdGVkX3Byb2REYXRhIl19LCJoZC" \
|
|
150
|
+
"I6Imdvb2dsZS5jb20iLCJpYXQiOjE1OTEzMzUxMjQsImlzcyI6Imh0dHBzOi8vY2xvdWQuZ" \
|
|
151
|
+
"29vZ2xlLmNvbS9pYXAiLCJzdWIiOiJhY2NvdW50cy5nb29nbGUuY29tOjExMzc3OTI1ODA4" \
|
|
152
|
+
"MTE5ODAwNDY5NCJ9.2BlagZOoonmX35rNY-KPbONiVzFAdNXKRGkX45uGFXeHryjKgv--K6" \
|
|
153
|
+
"siL8syeCFXzHvgmWpJk31sEt4YLxPKvQ"
|
|
154
|
+
}
|
|
155
|
+
let(:iap_jwk_body) {
|
|
156
|
+
<<~JWK
|
|
157
|
+
{
|
|
158
|
+
"keys" : [
|
|
159
|
+
{
|
|
160
|
+
"alg" : "ES256",
|
|
161
|
+
"crv" : "P-256",
|
|
162
|
+
"kid" : "LYyP2g",
|
|
163
|
+
"kty" : "EC",
|
|
164
|
+
"use" : "sig",
|
|
165
|
+
"x" : "SlXFFkJ3JxMsXyXNrqzE3ozl_0913PmNbccLLWfeQFU",
|
|
166
|
+
"y" : "GLSahrZfBErmMUcHP0MGaeVnJdBwquhrhQ8eP05NfCI"
|
|
167
|
+
},
|
|
168
|
+
{
|
|
169
|
+
"alg" : "ES256",
|
|
170
|
+
"crv" : "P-256",
|
|
171
|
+
"kid" : "mpf0DA",
|
|
172
|
+
"kty" : "EC",
|
|
173
|
+
"use" : "sig",
|
|
174
|
+
"x" : "fHEdeT3a6KaC1kbwov73ZwB_SiUHEyKQwUUtMCEn0aI",
|
|
175
|
+
"y" : "QWOjwPhInNuPlqjxLQyhveXpWqOFcQPhZ3t-koMNbZI"
|
|
176
|
+
},
|
|
177
|
+
{
|
|
178
|
+
"alg" : "ES256",
|
|
179
|
+
"crv" : "P-256",
|
|
180
|
+
"kid" : "b9vTLA",
|
|
181
|
+
"kty" : "EC",
|
|
182
|
+
"use" : "sig",
|
|
183
|
+
"x" : "qCByTAvci-jRAD7uQSEhTdOs8iA714IbcY2L--YzynI",
|
|
184
|
+
"y" : "WQY0uCoQyPSozWKGQ0anmFeOH5JNXiZa9i6SNqOcm7w"
|
|
185
|
+
},
|
|
186
|
+
{
|
|
187
|
+
"alg" : "ES256",
|
|
188
|
+
"crv" : "P-256",
|
|
189
|
+
"kid" : "0oeLcQ",
|
|
190
|
+
"kty" : "EC",
|
|
191
|
+
"use" : "sig",
|
|
192
|
+
"x" : "MdhRXGEoGJLtBjQEIjnYLPkeci9rXnca2TffkI0Kac0",
|
|
193
|
+
"y" : "9BoREHfX7g5OK8ELpA_4RcOnFCGSjfR4SGZpBo7juEY"
|
|
194
|
+
},
|
|
195
|
+
{
|
|
196
|
+
"alg" : "ES256",
|
|
197
|
+
"crv" : "P-256",
|
|
198
|
+
"kid" : "g5X6ig",
|
|
199
|
+
"kty" : "EC",
|
|
200
|
+
"use" : "sig",
|
|
201
|
+
"x" : "115LSuaFVzVROJiGfdPN1kT14Hv3P4RIjthfslZ010s",
|
|
202
|
+
"y" : "-FAaRtO4yvrN4uJ89xwGWOEJcSwpLmFOtb0SDJxEAuc"
|
|
203
|
+
}
|
|
204
|
+
]
|
|
205
|
+
}
|
|
206
|
+
JWK
|
|
207
|
+
}
|
|
208
|
+
let(:expected_aud) { "/projects/652562776798/apps/cloud-samples-tests-php-iap" }
|
|
209
|
+
let(:unexpired_test_time) { Time.at 1591335143 }
|
|
210
|
+
let(:expired_test_time) { unexpired_test_time + 86400 }
|
|
211
|
+
|
|
212
|
+
after do
|
|
213
|
+
WebMock.reset!
|
|
214
|
+
Google::Auth::IDTokens.forget_sources!
|
|
215
|
+
end
|
|
216
|
+
|
|
217
|
+
it "verifies a good token with iss and aud checks" do
|
|
218
|
+
stub_request(:get, Google::Auth::IDTokens::IAP_JWK_URL).to_return(body: iap_jwk_body)
|
|
219
|
+
Time.stub :now, unexpired_test_time do
|
|
220
|
+
Google::Auth::IDTokens.verify_iap iap_token, aud: expected_aud
|
|
221
|
+
end
|
|
222
|
+
end
|
|
223
|
+
|
|
224
|
+
it "fails to verify a bad token" do
|
|
225
|
+
stub_request(:get, Google::Auth::IDTokens::IAP_JWK_URL).to_return(body: iap_jwk_body)
|
|
226
|
+
Time.stub :now, unexpired_test_time do
|
|
227
|
+
assert_raises Google::Auth::IDTokens::SignatureError do
|
|
228
|
+
Google::Auth::IDTokens.verify_iap "#{iap_token}x"
|
|
229
|
+
end
|
|
230
|
+
end
|
|
231
|
+
end
|
|
232
|
+
|
|
233
|
+
it "fails to verify a token with the wrong aud" do
|
|
234
|
+
stub_request(:get, Google::Auth::IDTokens::IAP_JWK_URL).to_return(body: iap_jwk_body)
|
|
235
|
+
Time.stub :now, unexpired_test_time do
|
|
236
|
+
assert_raises Google::Auth::IDTokens::AudienceMismatchError do
|
|
237
|
+
Google::Auth::IDTokens.verify_iap iap_token, aud: ["hello", "world"]
|
|
238
|
+
end
|
|
239
|
+
end
|
|
240
|
+
end
|
|
241
|
+
|
|
242
|
+
it "fails to verify a token with the wrong azp" do
|
|
243
|
+
stub_request(:get, Google::Auth::IDTokens::IAP_JWK_URL).to_return(body: iap_jwk_body)
|
|
244
|
+
Time.stub :now, unexpired_test_time do
|
|
245
|
+
assert_raises Google::Auth::IDTokens::AuthorizedPartyMismatchError do
|
|
246
|
+
Google::Auth::IDTokens.verify_iap iap_token, azp: "hello"
|
|
247
|
+
end
|
|
248
|
+
end
|
|
249
|
+
end
|
|
250
|
+
|
|
251
|
+
it "fails to verify a token with the wrong issuer" do
|
|
252
|
+
stub_request(:get, Google::Auth::IDTokens::IAP_JWK_URL).to_return(body: iap_jwk_body)
|
|
253
|
+
Time.stub :now, unexpired_test_time do
|
|
254
|
+
assert_raises Google::Auth::IDTokens::IssuerMismatchError do
|
|
255
|
+
Google::Auth::IDTokens.verify_iap iap_token, iss: "hello"
|
|
256
|
+
end
|
|
257
|
+
end
|
|
258
|
+
end
|
|
259
|
+
|
|
260
|
+
it "fails to verify an expired token" do
|
|
261
|
+
stub_request(:get, Google::Auth::IDTokens::IAP_JWK_URL).to_return(body: iap_jwk_body)
|
|
262
|
+
Time.stub :now, expired_test_time do
|
|
263
|
+
assert_raises Google::Auth::IDTokens::ExpiredTokenError do
|
|
264
|
+
Google::Auth::IDTokens.verify_iap iap_token
|
|
265
|
+
end
|
|
266
|
+
end
|
|
267
|
+
end
|
|
268
|
+
end
|
|
269
|
+
end
|
metadata
CHANGED
|
@@ -1,29 +1,35 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: googleauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.16.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tim Emiola
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2021-03-04 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: faraday
|
|
15
15
|
requirement: !ruby/object:Gem::Requirement
|
|
16
16
|
requirements:
|
|
17
|
-
- - "
|
|
17
|
+
- - ">="
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: 0.17.3
|
|
20
|
+
- - "<"
|
|
18
21
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: '0
|
|
22
|
+
version: '2.0'
|
|
20
23
|
type: :runtime
|
|
21
24
|
prerelease: false
|
|
22
25
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
26
|
requirements:
|
|
24
|
-
- - "
|
|
27
|
+
- - ">="
|
|
28
|
+
- !ruby/object:Gem::Version
|
|
29
|
+
version: 0.17.3
|
|
30
|
+
- - "<"
|
|
25
31
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: '0
|
|
32
|
+
version: '2.0'
|
|
27
33
|
- !ruby/object:Gem::Dependency
|
|
28
34
|
name: jwt
|
|
29
35
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -98,14 +104,28 @@ dependencies:
|
|
|
98
104
|
requirements:
|
|
99
105
|
- - "~>"
|
|
100
106
|
- !ruby/object:Gem::Version
|
|
101
|
-
version: '0.
|
|
107
|
+
version: '0.14'
|
|
102
108
|
type: :runtime
|
|
103
109
|
prerelease: false
|
|
104
110
|
version_requirements: !ruby/object:Gem::Requirement
|
|
105
111
|
requirements:
|
|
106
112
|
- - "~>"
|
|
107
113
|
- !ruby/object:Gem::Version
|
|
108
|
-
version: '0.
|
|
114
|
+
version: '0.14'
|
|
115
|
+
- !ruby/object:Gem::Dependency
|
|
116
|
+
name: yard
|
|
117
|
+
requirement: !ruby/object:Gem::Requirement
|
|
118
|
+
requirements:
|
|
119
|
+
- - "~>"
|
|
120
|
+
- !ruby/object:Gem::Version
|
|
121
|
+
version: '0.9'
|
|
122
|
+
type: :development
|
|
123
|
+
prerelease: false
|
|
124
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
125
|
+
requirements:
|
|
126
|
+
- - "~>"
|
|
127
|
+
- !ruby/object:Gem::Version
|
|
128
|
+
version: '0.9'
|
|
109
129
|
description: |2
|
|
110
130
|
Allows simple authorization for accessing Google APIs.
|
|
111
131
|
Provide support for Application Default Credentials, as described at
|
|
@@ -115,16 +135,19 @@ executables: []
|
|
|
115
135
|
extensions: []
|
|
116
136
|
extra_rdoc_files: []
|
|
117
137
|
files:
|
|
138
|
+
- ".github/CODEOWNERS"
|
|
118
139
|
- ".github/CONTRIBUTING.md"
|
|
119
140
|
- ".github/ISSUE_TEMPLATE/bug_report.md"
|
|
120
141
|
- ".github/ISSUE_TEMPLATE/feature_request.md"
|
|
121
142
|
- ".github/ISSUE_TEMPLATE/support_request.md"
|
|
143
|
+
- ".github/workflows/release.yml"
|
|
122
144
|
- ".gitignore"
|
|
123
145
|
- ".kokoro/build.bat"
|
|
124
146
|
- ".kokoro/build.sh"
|
|
125
147
|
- ".kokoro/continuous/common.cfg"
|
|
126
148
|
- ".kokoro/continuous/linux.cfg"
|
|
127
149
|
- ".kokoro/continuous/osx.cfg"
|
|
150
|
+
- ".kokoro/continuous/post.cfg"
|
|
128
151
|
- ".kokoro/continuous/windows.cfg"
|
|
129
152
|
- ".kokoro/osx.sh"
|
|
130
153
|
- ".kokoro/presubmit/common.cfg"
|
|
@@ -132,17 +155,20 @@ files:
|
|
|
132
155
|
- ".kokoro/presubmit/osx.cfg"
|
|
133
156
|
- ".kokoro/presubmit/windows.cfg"
|
|
134
157
|
- ".kokoro/release.cfg"
|
|
158
|
+
- ".kokoro/trampoline.bat"
|
|
135
159
|
- ".kokoro/trampoline.sh"
|
|
136
|
-
- ".
|
|
160
|
+
- ".repo-metadata.json"
|
|
137
161
|
- ".rspec"
|
|
138
162
|
- ".rubocop.yml"
|
|
139
163
|
- CHANGELOG.md
|
|
140
164
|
- CODE_OF_CONDUCT.md
|
|
141
|
-
- COPYING
|
|
142
165
|
- Gemfile
|
|
166
|
+
- LICENSE
|
|
143
167
|
- README.md
|
|
144
168
|
- Rakefile
|
|
145
169
|
- googleauth.gemspec
|
|
170
|
+
- integration/helper.rb
|
|
171
|
+
- integration/id_tokens/key_source_test.rb
|
|
146
172
|
- lib/googleauth.rb
|
|
147
173
|
- lib/googleauth/application_default.rb
|
|
148
174
|
- lib/googleauth/client_id.rb
|
|
@@ -151,6 +177,10 @@ files:
|
|
|
151
177
|
- lib/googleauth/credentials_loader.rb
|
|
152
178
|
- lib/googleauth/default_credentials.rb
|
|
153
179
|
- lib/googleauth/iam.rb
|
|
180
|
+
- lib/googleauth/id_tokens.rb
|
|
181
|
+
- lib/googleauth/id_tokens/errors.rb
|
|
182
|
+
- lib/googleauth/id_tokens/key_sources.rb
|
|
183
|
+
- lib/googleauth/id_tokens/verifier.rb
|
|
154
184
|
- lib/googleauth/json_key_reader.rb
|
|
155
185
|
- lib/googleauth/scope_util.rb
|
|
156
186
|
- lib/googleauth/service_account.rb
|
|
@@ -162,6 +192,9 @@ files:
|
|
|
162
192
|
- lib/googleauth/user_refresh.rb
|
|
163
193
|
- lib/googleauth/version.rb
|
|
164
194
|
- lib/googleauth/web_user_authorizer.rb
|
|
195
|
+
- rakelib/devsite_builder.rb
|
|
196
|
+
- rakelib/link_checker.rb
|
|
197
|
+
- rakelib/repo_metadata.rb
|
|
165
198
|
- spec/googleauth/apply_auth_examples.rb
|
|
166
199
|
- spec/googleauth/client_id_spec.rb
|
|
167
200
|
- spec/googleauth/compute_engine_spec.rb
|
|
@@ -178,7 +211,10 @@ files:
|
|
|
178
211
|
- spec/googleauth/user_refresh_spec.rb
|
|
179
212
|
- spec/googleauth/web_user_authorizer_spec.rb
|
|
180
213
|
- spec/spec_helper.rb
|
|
181
|
-
|
|
214
|
+
- test/helper.rb
|
|
215
|
+
- test/id_tokens/key_sources_test.rb
|
|
216
|
+
- test/id_tokens/verifier_test.rb
|
|
217
|
+
homepage: https://github.com/googleapis/google-auth-library-ruby
|
|
182
218
|
licenses:
|
|
183
219
|
- Apache-2.0
|
|
184
220
|
metadata: {}
|
|
@@ -190,14 +226,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
190
226
|
requirements:
|
|
191
227
|
- - ">="
|
|
192
228
|
- !ruby/object:Gem::Version
|
|
193
|
-
version: '
|
|
229
|
+
version: '2.5'
|
|
194
230
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
195
231
|
requirements:
|
|
196
232
|
- - ">="
|
|
197
233
|
- !ruby/object:Gem::Version
|
|
198
234
|
version: '0'
|
|
199
235
|
requirements: []
|
|
200
|
-
rubygems_version: 3.
|
|
236
|
+
rubygems_version: 3.2.11
|
|
201
237
|
signing_key:
|
|
202
238
|
specification_version: 4
|
|
203
239
|
summary: Google Auth Library for Ruby
|
data/.kokoro/windows.sh
DELETED