googleauth 0.8.1 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 25babf8085ee83a898e246364f5f177b31cdaebd1a7721650a4601ca9a568335
-  data.tar.gz: a62751620c543425fc7a8d83b07bb2a77b0d5e94c7dc5a790808115c17173f07
+  metadata.gz: e97bb2d3af353d706c6b608e1743fb3f571e62530201ffa3bebcae2c7e6460bb
+  data.tar.gz: 3c06cad2ea956d09a37783516292c61f754706366a2b8bf03ef7928769762070
 SHA512:
-  metadata.gz: 6309bd3fe40fecbb4a19e4cb0196400a4a8fe75dabe540c878eada5e454a1b1491cbbdad537523689901be4f51f6a8270440fc7f1535660c730298b764e77aa0
-  data.tar.gz: 52c8eb2d015b1442ff2c13bd13b86c40931d50f1eeedbc6fcaa2c278bfc2ed3a29199685f57c3540f110d90f693a32cee92e3ee1305da9507c4a307cc2f15555
+  metadata.gz: 68ad7978f7d5abcc14fbd4ca668ba24f69e4bef2c184427b1a70a8c57e2d742b636d5c0b8da10f4d62f8762adb0075d20c1eb75a76302f9f9b6e61cd1b989685
+  data.tar.gz: 25333a0a26181c8f8f0464642eccfe0340ed591a4c11f9fe3ed4b85179524c37100431f686a16a75f2985ade010e3b488aeb60a6c1a06e0109db46efa9e1d620

data/.kokoro/build.bat

@@ -5,4 +5,12 @@ REM  * Merges run all non-acceptance tests for every library, and acceptance tes
 REM  * Nightlies run all acceptance tests for every library.
 REM Currently only runs tests on 2.5.1
 
-"C:\Program Files\Git\bin\bash.exe" github/google-auth-library-ruby/.kokoro/windows.sh
+SET url="https://raw.githubusercontent.com/googleapis/google-cloud-ruby/master/.kokoro/build.bat"
+
+SET "download=powershell -C Invoke-WebRequest -Uri %url% -OutFile master-build.bat"
+
+SET EXIT_STATUS=1
+
+%download% && master-build.bat && SET EXIT_STATUS=0
+
+EXIT %EXIT_STATUS%

data/.kokoro/continuous/windows.cfg

@@ -1,3 +1,19 @@
 # Format: //devtools/kokoro/config/proto/build.proto
 
-build_file: "google-auth-library-ruby/.kokoro/build.bat"
+build_file: "google-auth-library-ruby/.kokoro/trampoline.bat"
+
+# Configure the docker image for kokoro-trampoline.
+env_vars: {
+    key: "TRAMPOLINE_IMAGE"
+    value: "gcr.io/cloud-devrel-kokoro-resources/yoshi-ruby/windows"
+}
+
+env_vars: {
+    key: "TRAMPOLINE_BUILD_FILE"
+    value: "github/google-auth-library-ruby/.kokoro/build.bat"
+}
+
+env_vars: {
+    key: "REPO_DIR"
+    value: "google-auth-library-ruby"
+}

data/.kokoro/presubmit/windows.cfg

@@ -1,3 +1,19 @@
 # Format: //devtools/kokoro/config/proto/build.proto
 
-build_file: "google-auth-library-ruby/.kokoro/build.bat"
+build_file: "google-auth-library-ruby/.kokoro/trampoline.bat"
+
+# Configure the docker image for kokoro-trampoline.
+env_vars: {
+    key: "TRAMPOLINE_IMAGE"
+    value: "gcr.io/cloud-devrel-kokoro-resources/yoshi-ruby/windows"
+}
+
+env_vars: {
+    key: "TRAMPOLINE_BUILD_FILE"
+    value: "github/google-auth-library-ruby/.kokoro/build.bat"
+}
+
+env_vars: {
+    key: "REPO_DIR"
+    value: "google-auth-library-ruby"
+}

data/.kokoro/trampoline.bat

@@ -0,0 +1,10 @@
+
+SET url="https://raw.githubusercontent.com/googleapis/google-cloud-ruby/master/.kokoro/trampoline.bat"
+
+SET "download=powershell -C Invoke-WebRequest -Uri %url% -OutFile master-trampoline.bat"
+
+SET EXIT_STATUS=1
+
+%download% && master-trampoline.bat && SET EXIT_STATUS=0
+
+EXIT %EXIT_STATUS%

data/.rubocop.yml

@@ -1,11 +1,42 @@
-inherit_gem:
-  google-style: google-style.yml
-
 AllCops:
   Exclude:
     - "spec/**/*"
     - "Rakefile"
-Metrics/ClassLength:
-  Max: 110
+
+Metrics/AbcSize:
+  Max: 25
+Metrics/BlockLength:
+  Exclude:
+    - "googleauth.gemspec"
+Metrics/CyclomaticComplexity:
+  Max: 8
+Metrics/PerceivedComplexity:
+  Max: 8
+Metrics/LineLength:
+  Max: 120
+Metrics/MethodLength:
+  Max: 21
 Metrics/ModuleLength:
-  Max: 110
+  Max: 150
+Metrics/ClassLength:
+  Enabled: false
+Layout/IndentHeredoc:
+  Enabled: false
+Style/FormatString:
+  Enabled: false
+Style/GuardClause:
+  Enabled: false
+Style/PercentLiteralDelimiters: # Contradicting rule
+  Enabled: false
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+Style/SymbolArray: # Undefined syntax in Ruby 1.9.3
+  Enabled: false
+Style/MethodDefParentheses:
+  Enabled: false
+Style/WordArray:
+  Enabled: false
+Style/TrivialAccessors:
+  Enabled: false
+Style/RescueModifier:
+  Enabled: false

data/CHANGELOG.md

@@ -1,3 +1,12 @@
+### 0.9.0 / 2019-08-05
+
+* Restore compatibility with Ruby 2.0. This is the last release that will work on end-of-lifed versions of Ruby. The 0.10 release will require Ruby 2.4 or later.
+* Update Credentials to use methods for values that are intended to be changed by users, replacing constants.
+* Add retry on error for fetch_access_token
+* Allow specifying custom state key-values
+* Add verbosity none to gcloud command
+* Make arity of WebUserAuthorizer#get_credentials compatible with the base class
+
 ### 0.8.1 / 2019-03-27
 
 * Silence unnecessary gcloud warning

data/Gemfile

@@ -8,12 +8,12 @@ group :development do
   gem "coveralls", "~> 0.7"
   gem "fakefs", "~> 0.6"
   gem "fakeredis", "~> 0.5"
-  gem "google-style", "~> 0.2"
   gem "logging", "~> 2.0"
   gem "rack-test", "~> 0.6"
   gem "rake", "~> 10.0"
   gem "redis", "~> 3.2"
   gem "rspec", "~> 3.0"
+  gem "rubocop", ">= 0.41", "< 0.50"
   gem "simplecov", "~> 0.9"
   gem "sinatra"
   gem "webmock", "~> 1.21"

data/README.md

@@ -8,7 +8,6 @@
 </dl>
 
 [![Gem Version](https://badge.fury.io/rb/googleauth.svg)](http://badge.fury.io/rb/googleauth)
-[![Build Status](https://secure.travis-ci.org/google/google-auth-library-ruby.svg)](http://travis-ci.org/google/google-auth-library-ruby)
 [![Coverage Status](https://coveralls.io/repos/google/google-auth-library-ruby/badge.svg)](https://coveralls.io/r/google/google-auth-library-ruby)
 
 ## Description
@@ -184,7 +183,7 @@ Custom storage implementations can also be used. See
 
 ## Supported Ruby Versions
 
-This library is currently supported on Ruby 1.9+.
+This library is currently supported on Ruby 2.3+.
 
 However, Ruby 2.4 or later is strongly recommended, as earlier releases have
 reached or are nearing end-of-life. After March 31, 2019, Google will provide

data/googleauth.gemspec

@@ -1,7 +1,7 @@
 # -*- ruby -*-
 # encoding: utf-8
 
-$LOAD_PATH.push File.expand_path("lib", __dir__)
+$LOAD_PATH.push File.expand_path("../lib", __FILE__)
 require "googleauth/version"
 
 Gem::Specification.new do |gem|

data/lib/googleauth/application_default.rb

@@ -34,13 +34,11 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    NOT_FOUND_ERROR = <<~ERROR_MESSAGE.freeze
-      Could not load the default credentials. Browse to
-      https://developers.google.com/accounts/docs/application-default-credentials
-      for more information
-    ERROR_MESSAGE
-
-    module_function
+    NOT_FOUND_ERROR = <<-ERROR_MESSAGE.freeze
+Could not load the default credentials. Browse to
+https://developers.google.com/accounts/docs/application-default-credentials
+for more information
+ERROR_MESSAGE
 
     # Obtains the default credentials implementation to use in this
     # environment.
@@ -77,5 +75,7 @@ module Google
       end
       GCECredentials.new
     end
+
+    module_function :get_application_default
   end
 end

data/lib/googleauth/compute_engine.rb

@@ -35,16 +35,16 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    NO_METADATA_SERVER_ERROR = <<~ERROR.freeze
-      Error code 404 trying to get security access token
-      from Compute Engine metadata for the default service account. This
-      may be because the virtual machine instance does not have permission
-      scopes specified.
-    ERROR
-    UNEXPECTED_ERROR_SUFFIX = <<~ERROR.freeze
-      trying to get security access token from Compute Engine metadata for
-      the default service account
-    ERROR
+    NO_METADATA_SERVER_ERROR = <<-ERROR.freeze
+Error code 404 trying to get security access token
+from Compute Engine metadata for the default service account. This
+may be because the virtual machine instance does not have permission
+scopes specified.
+ERROR
+    UNEXPECTED_ERROR_SUFFIX = <<-ERROR.freeze
+trying to get security access token from Compute Engine metadata for
+the default service account
+ERROR
 
     # Extends Signet::OAuth2::Client so that the auth token is obtained from
     # the GCE metadata server.

data/lib/googleauth/credentials.rb

@@ -35,26 +35,206 @@ require "googleauth/credentials_loader"
 
 module Google
   module Auth
-    # This class is intended to be inherited by API-specific classes
-    # which overrides the SCOPE constant.
+    ##
+    # Credentials is responsible for representing the authentication when connecting to an API. This
+    # class is also intended to be inherited by API-specific classes.
     class Credentials
+      ##
+      # The default token credential URI to be used when none is provided during initialization.
       TOKEN_CREDENTIAL_URI = "https://oauth2.googleapis.com/token".freeze
+
+      ##
+      # The default target audience ID to be used when none is provided during initialization.
       AUDIENCE = "https://oauth2.googleapis.com/token".freeze
-      SCOPE = [].freeze
-      PATH_ENV_VARS = [].freeze
-      JSON_ENV_VARS = [].freeze
-      DEFAULT_PATHS = [].freeze
 
+      ##
+      # The default token credential URI to be used when none is provided during initialization.
+      # The URI is the authorization server's HTTP endpoint capable of issuing tokens and
+      # refreshing expired tokens.
+      #
+      # @return [String]
+      #
+      def self.token_credential_uri
+        return @token_credential_uri unless @token_credential_uri.nil?
+
+        const_get :TOKEN_CREDENTIAL_URI if const_defined? :TOKEN_CREDENTIAL_URI
+      end
+
+      ##
+      # Set the default token credential URI to be used when none is provided during initialization.
+      #
+      # @param [String] new_token_credential_uri
+      # @return [String]
+      #
+      def self.token_credential_uri= new_token_credential_uri
+        @token_credential_uri = new_token_credential_uri
+      end
+
+      ##
+      # The default target audience ID to be used when none is provided during initialization.
+      # Used only by the assertion grant type.
+      #
+      # @return [String]
+      #
+      def self.audience
+        return @audience unless @audience.nil?
+
+        const_get :AUDIENCE if const_defined? :AUDIENCE
+      end
+
+      ##
+      # Sets the default target audience ID to be used when none is provided during initialization.
+      #
+      # @param [String] new_audience
+      # @return [String]
+      #
+      def self.audience= new_audience
+        @audience = new_audience
+      end
+
+      ##
+      # The default scope to be used when none is provided during initialization.
+      # A scope is an access range defined by the authorization server.
+      # The scope can be a single value or a list of values.
+      #
+      # @return [String, Array<String>]
+      #
+      def self.scope
+        return @scope unless @scope.nil?
+
+        tmp_scope = []
+        # Pull in values is the SCOPE constant exists.
+        tmp_scope << const_get(:SCOPE) if const_defined? :SCOPE
+        tmp_scope.flatten.uniq
+      end
+
+      ##
+      # Sets the default scope to be used when none is provided during initialization.
+      #
+      # @param [String, Array<String>] new_scope
+      # @return [String, Array<String>]
+      #
+      def self.scope= new_scope
+        new_scope = Array new_scope unless new_scope.nil?
+        @scope = new_scope
+      end
+
+      ##
+      # The environment variables to search for credentials. Values can either be a file path to the
+      # credentials file, or the JSON contents of the credentials file.
+      #
+      # @return [Array<String>]
+      #
+      def self.env_vars
+        return @env_vars unless @env_vars.nil?
+
+        # Pull values when PATH_ENV_VARS or JSON_ENV_VARS constants exists.
+        tmp_env_vars = []
+        tmp_env_vars << const_get(:PATH_ENV_VARS) if const_defined? :PATH_ENV_VARS
+        tmp_env_vars << const_get(:JSON_ENV_VARS) if const_defined? :JSON_ENV_VARS
+        tmp_env_vars.flatten.uniq
+      end
+
+      ##
+      # Sets the environment variables to search for credentials.
+      #
+      # @param [Array<String>] new_env_vars
+      # @return [Array<String>]
+      #
+      def self.env_vars= new_env_vars
+        new_env_vars = Array new_env_vars unless new_env_vars.nil?
+        @env_vars = new_env_vars
+      end
+
+      ##
+      # The file paths to search for credentials files.
+      #
+      # @return [Array<String>]
+      #
+      def self.paths
+        return @paths unless @paths.nil?
+
+        tmp_paths = []
+        # Pull in values is the DEFAULT_PATHS constant exists.
+        tmp_paths << const_get(:DEFAULT_PATHS) if const_defined? :DEFAULT_PATHS
+        tmp_paths.flatten.uniq
+      end
+
+      ##
+      # Set the file paths to search for credentials files.
+      #
+      # @param [Array<String>] new_paths
+      # @return [Array<String>]
+      #
+      def self.paths= new_paths
+        new_paths = Array new_paths unless new_paths.nil?
+        @paths = new_paths
+      end
+
+      ##
+      # The Signet::OAuth2::Client object the Credentials instance is using.
+      #
+      # @return [Signet::OAuth2::Client]
+      #
       attr_accessor :client
-      attr_reader   :project_id
 
-      # Delegate client methods to the client object.
+      ##
+      # Identifier for the project the client is authenticating with.
+      #
+      # @return [String]
+      #
+      attr_reader :project_id
+
+      # @private Delegate client methods to the client object.
       extend Forwardable
+
+      ##
+      # @!attribute [r] token_credential_uri
+      #   @return [String] The token credential URI. The URI is the authorization server's HTTP
+      #     endpoint capable of issuing tokens and refreshing expired tokens.
+      #
+      # @!attribute [r] audience
+      #   @return [String] The target audience ID when issuing assertions. Used only by the
+      #     assertion grant type.
+      #
+      # @!attribute [r] scope
+      #   @return [String, Array<String>] The scope for this client. A scope is an access range
+      #     defined by the authorization server. The scope can be a single value or a list of values.
+      #
+      # @!attribute [r] issuer
+      #   @return [String] The issuer ID associated with this client.
+      #
+      # @!attribute [r] signing_key
+      #   @return [String, OpenSSL::PKey] The signing key associated with this client.
+      #
+      # @!attribute [r] updater_proc
+      #   @return [Proc] Returns a reference to the {Signet::OAuth2::Client#apply} method,
+      #     suitable for passing as a closure.
+      #
       def_delegators :@client,
                      :token_credential_uri, :audience,
                      :scope, :issuer, :signing_key, :updater_proc
 
       # rubocop:disable Metrics/AbcSize
+
+      ##
+      # Creates a new Credentials instance with the provided auth credentials, and with the default
+      # values configured on the class.
+      #
+      # @param [String, Hash, Signet::OAuth2::Client] keyfile
+      #   The keyfile can be provided as one of the following:
+      #
+      #   * The path to a JSON keyfile (as a +String+)
+      #   * The contents of a JSON keyfile (as a +Hash+)
+      #   * A +Signet::OAuth2::Client+ object
+      # @param [Hash] options
+      #   The options for configuring the credentials instance. The following is supported:
+      #
+      #   * +:scope+ - the scope for the client
+      #   * +"project_id"+ (and optionally +"project"+) - the project identifier for the client
+      #   * +:connection_builder+ - the connection builder to use for the client
+      #   * +:default_connection+ - the default connection to use for the client
+      #
       def initialize keyfile, options = {}
         scope = options[:scope]
         verify_keyfile_provided! keyfile
@@ -80,18 +260,32 @@ module Google
       end
       # rubocop:enable Metrics/AbcSize
 
-      # Returns the default credentials checking, in this order, the path env
-      # evironment variables, json environment variables, default paths. If the
-      # previously stated locations do not contain keyfile information,
-      # this method defaults to use the application default.
+      ##
+      # Creates a new Credentials instance with auth credentials acquired by searching the
+      # environment variables and paths configured on the class, and with the default values
+      # configured on the class.
+      #
+      # The auth credentials are searched for in the following order:
+      #
+      # 1. configured environment variables (see {Credentials.env_vars})
+      # 2. configured default file paths (see {Credentials.paths})
+      # 3. application default (see {Google::Auth.get_application_default})
+      #
+      # @param [Hash] options
+      #   The options for configuring the credentials instance. The following is supported:
+      #
+      #   * +:scope+ - the scope for the client
+      #   * +"project_id"+ (and optionally +"project"+) - the project identifier for the client
+      #   * +:connection_builder+ - the connection builder to use for the client
+      #   * +:default_connection+ - the default connection to use for the client
+      #
+      # @return [Credentials]
+      #
       def self.default options = {}
-        # First try to find keyfile file from environment variables.
-        client = from_path_vars options
-
-        # Second try to find keyfile json from environment variables.
-        client ||= from_json_vars options
+        # First try to find keyfile file or json from environment variables.
+        client = from_env_vars options
 
-        # Third try to find keyfile file from known file paths.
+        # Second try to find keyfile file from known file paths.
         client ||= from_default_paths options
 
         # Finally get instantiated client from Google::Auth
@@ -99,33 +293,22 @@ module Google
         client
       end
 
-      def self.from_path_vars options
-        self::PATH_ENV_VARS
-          .map { |v| ENV[v] }
-          .compact
-          .select { |p| ::File.file? p }
-          .each do |file|
-            return new file, options
-          end
-        nil
-      end
-
-      def self.from_json_vars options
-        json = lambda do |v|
-          unless ENV[v].nil?
-            begin
-              JSON.parse ENV[v]
-            rescue StandardError
-              nil
-            end
-          end
+      ##
+      # @private Lookup Credentials from environment variables.
+      def self.from_env_vars options
+        env_vars.each do |env_var|
+          str = ENV[env_var]
+          next if str.nil?
+          return new str, options if ::File.file? str
+          return new ::JSON.parse(str), options rescue nil
         end
-        self::JSON_ENV_VARS.map(&json).compact.each { |hash| return new hash, options }
         nil
       end
 
+      ##
+      # @private Lookup Credentials from default file paths.
       def self.from_default_paths options
-        self::DEFAULT_PATHS
+        paths
           .select { |p| ::File.file? p }
           .each do |file|
             return new file, options
@@ -133,13 +316,15 @@ module Google
         nil
       end
 
+      ##
+      # @private Lookup Credentials using Google::Auth.get_application_default.
       def self.from_application_default options
-        scope = options[:scope] || self::SCOPE
+        scope = options[:scope] || self.scope
         client = Google::Auth.get_application_default scope
         new client, options
       end
-      private_class_method :from_path_vars,
-                           :from_json_vars,
+
+      private_class_method :from_env_vars,
                            :from_default_paths,
                            :from_application_default
 
@@ -171,9 +356,9 @@ module Google
 
       def client_options options
         # Keyfile options have higher priority over constructor defaults
-        options["token_credential_uri"] ||= self.class::TOKEN_CREDENTIAL_URI
-        options["audience"] ||= self.class::AUDIENCE
-        options["scope"] ||= self.class::SCOPE
+        options["token_credential_uri"] ||= self.class.token_credential_uri
+        options["audience"] ||= self.class.audience
+        options["scope"] ||= self.class.scope
 
         # client options for initializing signet client
         { token_credential_uri: options["token_credential_uri"],