googleauth 0.9.0 → 0.17.1

data/lib/googleauth/credentials.rb

@@ -36,9 +36,46 @@ require "googleauth/credentials_loader"
 module Google
   module Auth
     ##
-    # Credentials is responsible for representing the authentication when connecting to an API. This
-    # class is also intended to be inherited by API-specific classes.
-    class Credentials
+    # Credentials is a high-level base class used by Google's API client
+    # libraries to represent the authentication when connecting to an API.
+    # In most cases, it is subclassed by API-specific credential classes that
+    # can be instantiated by clients.
+    #
+    # ## Options
+    #
+    # Credentials classes are configured with options that dictate default
+    # values for parameters such as scope and audience. These defaults are
+    # expressed as class attributes, and may differ from endpoint to endpoint.
+    # Normally, an API client will provide subclasses specific to each
+    # endpoint, configured with appropriate values.
+    #
+    # Note that these options inherit up the class hierarchy. If a particular
+    # options is not set for a subclass, its superclass is queried.
+    #
+    # Some older users of this class set options via constants. This usage is
+    # deprecated. For example, instead of setting the `AUDIENCE` constant on
+    # your subclass, call the `audience=` method.
+    #
+    # ## Example
+    #
+    #     class MyCredentials < Google::Auth::Credentials
+    #       # Set the default scope for these credentials
+    #       self.scope = "http://example.com/my_scope"
+    #     end
+    #
+    #     # creds is a credentials object suitable for Google API clients
+    #     creds = MyCredentials.default
+    #     creds.scope  # => ["http://example.com/my_scope"]
+    #
+    #     class SubCredentials < MyCredentials
+    #       # Override the default scope for this subclass
+    #       self.scope = "http://example.com/sub_scope"
+    #     end
+    #
+    #     creds2 = SubCredentials.default
+    #     creds2.scope  # => ["http://example.com/sub_scope"]
+    #
+    class Credentials # rubocop:disable Metrics/ClassLength
       ##
       # The default token credential URI to be used when none is provided during initialization.
       TOKEN_CREDENTIAL_URI = "https://oauth2.googleapis.com/token".freeze
@@ -47,6 +84,8 @@ module Google
       # The default target audience ID to be used when none is provided during initialization.
       AUDIENCE = "https://oauth2.googleapis.com/token".freeze
 
+      @audience = @scope = @target_audience = @env_vars = @paths = @token_credential_uri = nil
+
       ##
       # The default token credential URI to be used when none is provided during initialization.
       # The URI is the authorization server's HTTP endpoint capable of issuing tokens and
@@ -55,16 +94,15 @@ module Google
       # @return [String]
       #
       def self.token_credential_uri
-        return @token_credential_uri unless @token_credential_uri.nil?
-
-        const_get :TOKEN_CREDENTIAL_URI if const_defined? :TOKEN_CREDENTIAL_URI
+        lookup_auth_param :token_credential_uri do
+          lookup_local_constant :TOKEN_CREDENTIAL_URI
+        end
       end
 
       ##
       # Set the default token credential URI to be used when none is provided during initialization.
       #
       # @param [String] new_token_credential_uri
-      # @return [String]
       #
       def self.token_credential_uri= new_token_credential_uri
         @token_credential_uri = new_token_credential_uri
@@ -77,16 +115,15 @@ module Google
       # @return [String]
       #
       def self.audience
-        return @audience unless @audience.nil?
-
-        const_get :AUDIENCE if const_defined? :AUDIENCE
+        lookup_auth_param :audience do
+          lookup_local_constant :AUDIENCE
+        end
       end
 
       ##
       # Sets the default target audience ID to be used when none is provided during initialization.
       #
       # @param [String] new_audience
-      # @return [String]
       #
       def self.audience= new_audience
         @audience = new_audience
@@ -97,49 +134,91 @@ module Google
       # A scope is an access range defined by the authorization server.
       # The scope can be a single value or a list of values.
       #
-      # @return [String, Array<String>]
+      # Either {#scope} or {#target_audience}, but not both, should be non-nil.
+      # If {#scope} is set, this credential will produce access tokens.
+      # If {#target_audience} is set, this credential will produce ID tokens.
+      #
+      # @return [String, Array<String>, nil]
       #
       def self.scope
-        return @scope unless @scope.nil?
-
-        tmp_scope = []
-        # Pull in values is the SCOPE constant exists.
-        tmp_scope << const_get(:SCOPE) if const_defined? :SCOPE
-        tmp_scope.flatten.uniq
+        lookup_auth_param :scope do
+          vals = lookup_local_constant :SCOPE
+          vals ? Array(vals).flatten.uniq : nil
+        end
       end
 
       ##
       # Sets the default scope to be used when none is provided during initialization.
       #
-      # @param [String, Array<String>] new_scope
-      # @return [String, Array<String>]
+      # Either {#scope} or {#target_audience}, but not both, should be non-nil.
+      # If {#scope} is set, this credential will produce access tokens.
+      # If {#target_audience} is set, this credential will produce ID tokens.
+      #
+      # @param [String, Array<String>, nil] new_scope
       #
       def self.scope= new_scope
         new_scope = Array new_scope unless new_scope.nil?
         @scope = new_scope
       end
 
+      ##
+      # The default final target audience for ID tokens, to be used when none
+      # is provided during initialization.
+      #
+      # Either {#scope} or {#target_audience}, but not both, should be non-nil.
+      # If {#scope} is set, this credential will produce access tokens.
+      # If {#target_audience} is set, this credential will produce ID tokens.
+      #
+      # @return [String, nil]
+      #
+      def self.target_audience
+        lookup_auth_param :target_audience
+      end
+
+      ##
+      # Sets the default final target audience for ID tokens, to be used when none
+      # is provided during initialization.
+      #
+      # Either {#scope} or {#target_audience}, but not both, should be non-nil.
+      # If {#scope} is set, this credential will produce access tokens.
+      # If {#target_audience} is set, this credential will produce ID tokens.
+      #
+      # @param [String, nil] new_target_audience
+      #
+      def self.target_audience= new_target_audience
+        @target_audience = new_target_audience
+      end
+
       ##
       # The environment variables to search for credentials. Values can either be a file path to the
       # credentials file, or the JSON contents of the credentials file.
+      # The env_vars will never be nil. If there are no vars, the empty array is returned.
       #
       # @return [Array<String>]
       #
       def self.env_vars
-        return @env_vars unless @env_vars.nil?
+        env_vars_internal || []
+      end
 
-        # Pull values when PATH_ENV_VARS or JSON_ENV_VARS constants exists.
-        tmp_env_vars = []
-        tmp_env_vars << const_get(:PATH_ENV_VARS) if const_defined? :PATH_ENV_VARS
-        tmp_env_vars << const_get(:JSON_ENV_VARS) if const_defined? :JSON_ENV_VARS
-        tmp_env_vars.flatten.uniq
+      ##
+      # @private
+      # Internal recursive lookup for env_vars.
+      #
+      def self.env_vars_internal
+        lookup_auth_param :env_vars, :env_vars_internal do
+          # Pull values when PATH_ENV_VARS or JSON_ENV_VARS constants exists.
+          path_env_vars = lookup_local_constant :PATH_ENV_VARS
+          json_env_vars = lookup_local_constant :JSON_ENV_VARS
+          (Array(path_env_vars) + Array(json_env_vars)).flatten.uniq if path_env_vars || json_env_vars
+        end
       end
 
       ##
       # Sets the environment variables to search for credentials.
+      # Setting to `nil` "unsets" the value, and defaults to the superclass
+      # (or to the empty array if there is no superclass).
       #
-      # @param [Array<String>] new_env_vars
-      # @return [Array<String>]
+      # @param [String, Array<String>, nil] new_env_vars
       #
       def self.env_vars= new_env_vars
         new_env_vars = Array new_env_vars unless new_env_vars.nil?
@@ -148,29 +227,72 @@ module Google
 
       ##
       # The file paths to search for credentials files.
+      # The paths will never be nil. If there are no paths, the empty array is returned.
       #
       # @return [Array<String>]
       #
       def self.paths
-        return @paths unless @paths.nil?
+        paths_internal || []
+      end
 
-        tmp_paths = []
-        # Pull in values is the DEFAULT_PATHS constant exists.
-        tmp_paths << const_get(:DEFAULT_PATHS) if const_defined? :DEFAULT_PATHS
-        tmp_paths.flatten.uniq
+      ##
+      # @private
+      # Internal recursive lookup for paths.
+      #
+      def self.paths_internal
+        lookup_auth_param :paths, :paths_internal do
+          # Pull in values if the DEFAULT_PATHS constant exists.
+          vals = lookup_local_constant :DEFAULT_PATHS
+          vals ? Array(vals).flatten.uniq : nil
+        end
       end
 
       ##
       # Set the file paths to search for credentials files.
+      # Setting to `nil` "unsets" the value, and defaults to the superclass
+      # (or to the empty array if there is no superclass).
       #
-      # @param [Array<String>] new_paths
-      # @return [Array<String>]
+      # @param [String, Array<String>, nil] new_paths
       #
       def self.paths= new_paths
         new_paths = Array new_paths unless new_paths.nil?
         @paths = new_paths
       end
 
+      ##
+      # @private
+      # Return the given parameter value, defaulting up the class hierarchy.
+      #
+      # First returns the value of the instance variable, if set.
+      # Next, calls the given block if provided. (This is generally used to
+      # look up legacy constant-based values.)
+      # Otherwise, calls the superclass method if present.
+      # Returns nil if all steps fail.
+      #
+      # @param name [Symbol] The parameter name
+      # @param method_name [Symbol] The lookup method name, if different
+      # @return [Object] The value
+      #
+      def self.lookup_auth_param name, method_name = name
+        val = instance_variable_get "@#{name}".to_sym
+        val = yield if val.nil? && block_given?
+        return val unless val.nil?
+        return superclass.send method_name if superclass.respond_to? method_name
+        nil
+      end
+
+      ##
+      # @private
+      # Return the value of the given constant if it is defined directly in
+      # this class, or nil if not.
+      #
+      # @param [Symbol] Name of the constant
+      # @return [Object] The value
+      #
+      def self.lookup_local_constant name
+        const_defined?(name, false) ? const_get(name) : nil
+      end
+
       ##
       # The Signet::OAuth2::Client object the Credentials instance is using.
       #
@@ -185,6 +307,13 @@ module Google
       #
       attr_reader :project_id
 
+      ##
+      # Identifier for a separate project used for billing/quota, if any.
+      #
+      # @return [String,nil]
+      #
+      attr_reader :quota_project_id
+
       # @private Delegate client methods to the client object.
       extend Forwardable
 
@@ -201,6 +330,9 @@ module Google
       #   @return [String, Array<String>] The scope for this client. A scope is an access range
       #     defined by the authorization server. The scope can be a single value or a list of values.
       #
+      # @!attribute [r] target_audience
+      #   @return [String] The final target audience for ID tokens returned by this credential.
+      #
       # @!attribute [r] issuer
       #   @return [String] The issuer ID associated with this client.
       #
@@ -213,9 +345,7 @@ module Google
       #
       def_delegators :@client,
                      :token_credential_uri, :audience,
-                     :scope, :issuer, :signing_key, :updater_proc
-
-      # rubocop:disable Metrics/AbcSize
+                     :scope, :issuer, :signing_key, :updater_proc, :target_audience
 
       ##
       # Creates a new Credentials instance with the provided auth credentials, and with the default
@@ -236,29 +366,24 @@ module Google
       #   * +:default_connection+ - the default connection to use for the client
       #
       def initialize keyfile, options = {}
-        scope = options[:scope]
         verify_keyfile_provided! keyfile
         @project_id = options["project_id"] || options["project"]
-        if keyfile.is_a? Signet::OAuth2::Client
-          @client = keyfile
-          @project_id ||= keyfile.project_id if keyfile.respond_to? :project_id
-        elsif keyfile.is_a? Hash
-          hash = stringify_hash_keys keyfile
-          hash["scope"] ||= scope
-          @client = init_client hash, options
-          @project_id ||= (hash["project_id"] || hash["project"])
+        @quota_project_id = options["quota_project_id"]
+        case keyfile
+        when Signet::OAuth2::Client
+          update_from_signet keyfile
+        when Hash
+          update_from_hash keyfile, options
         else
-          verify_keyfile_exists! keyfile
-          json = JSON.parse ::File.read(keyfile)
-          json["scope"] ||= scope
-          @project_id ||= (json["project_id"] || json["project"])
-          @client = init_client json, options
+          update_from_filepath keyfile, options
         end
         CredentialsLoader.warn_if_cloud_sdk_credentials @client.client_id
         @project_id ||= CredentialsLoader.load_gcloud_project_id
         @client.fetch_access_token!
+        @env_vars = nil
+        @paths = nil
+        @scope = nil
       end
-      # rubocop:enable Metrics/AbcSize
 
       ##
       # Creates a new Credentials instance with auth credentials acquired by searching the
@@ -299,8 +424,15 @@ module Google
         env_vars.each do |env_var|
           str = ENV[env_var]
           next if str.nil?
-          return new str, options if ::File.file? str
-          return new ::JSON.parse(str), options rescue nil
+          io =
+            if ::File.file? str
+              ::StringIO.new ::File.read str
+            else
+              json = ::JSON.parse str rescue nil
+              json ? ::StringIO.new(str) : nil
+            end
+          next if io.nil?
+          return from_io io, options
         end
         nil
       end
@@ -308,11 +440,11 @@ module Google
       ##
       # @private Lookup Credentials from default file paths.
       def self.from_default_paths options
-        paths
-          .select { |p| ::File.file? p }
-          .each do |file|
-            return new file, options
-          end
+        paths.each do |path|
+          next unless path && ::File.file?(path)
+          io = ::StringIO.new ::File.read path
+          return from_io io, options
+        end
         nil
       end
 
@@ -320,13 +452,34 @@ module Google
       # @private Lookup Credentials using Google::Auth.get_application_default.
       def self.from_application_default options
         scope = options[:scope] || self.scope
-        client = Google::Auth.get_application_default scope
+        auth_opts = {
+          token_credential_uri:   options[:token_credential_uri] || token_credential_uri,
+          audience:               options[:audience] || audience,
+          target_audience:        options[:target_audience] || target_audience,
+          enable_self_signed_jwt: options[:enable_self_signed_jwt] && options[:scope].nil?
+        }
+        client = Google::Auth.get_application_default scope, auth_opts
         new client, options
       end
 
+      # @private Read credentials from a JSON stream.
+      def self.from_io io, options
+        creds_input = {
+          json_key_io:            io,
+          scope:                  options[:scope] || scope,
+          target_audience:        options[:target_audience] || target_audience,
+          enable_self_signed_jwt: options[:enable_self_signed_jwt] && options[:scope].nil?,
+          token_credential_uri:   options[:token_credential_uri] || token_credential_uri,
+          audience:               options[:audience] || audience
+        }
+        client = Google::Auth::DefaultCredentials.make_creds creds_input
+        new client
+      end
+
       private_class_method :from_env_vars,
                            :from_default_paths,
-                           :from_application_default
+                           :from_application_default,
+                           :from_io
 
       protected
 
@@ -351,22 +504,58 @@ module Google
 
       # returns a new Hash with string keys instead of symbol keys.
       def stringify_hash_keys hash
-        Hash[hash.map { |k, v| [k.to_s, v] }]
+        hash.to_h.transform_keys(&:to_s)
       end
 
+      # rubocop:disable Metrics/AbcSize
+
       def client_options options
         # Keyfile options have higher priority over constructor defaults
         options["token_credential_uri"] ||= self.class.token_credential_uri
         options["audience"] ||= self.class.audience
         options["scope"] ||= self.class.scope
+        options["target_audience"] ||= self.class.target_audience
+
+        if !Array(options["scope"]).empty? && options["target_audience"]
+          raise ArgumentError, "Cannot specify both scope and target_audience"
+        end
 
+        needs_scope = options["target_audience"].nil?
         # client options for initializing signet client
         { token_credential_uri: options["token_credential_uri"],
           audience:             options["audience"],
-          scope:                Array(options["scope"]),
+          scope:                (needs_scope ? Array(options["scope"]) : nil),
+          target_audience:      options["target_audience"],
           issuer:               options["client_email"],
           signing_key:          OpenSSL::PKey::RSA.new(options["private_key"]) }
       end
+
+      # rubocop:enable Metrics/AbcSize
+
+      def update_from_signet client
+        @project_id ||= client.project_id if client.respond_to? :project_id
+        @quota_project_id ||= client.quota_project_id if client.respond_to? :quota_project_id
+        @client = client
+      end
+
+      def update_from_hash hash, options
+        hash = stringify_hash_keys hash
+        hash["scope"] ||= options[:scope]
+        hash["target_audience"] ||= options[:target_audience]
+        @project_id ||= (hash["project_id"] || hash["project"])
+        @quota_project_id ||= hash["quota_project_id"]
+        @client = init_client hash, options
+      end
+
+      def update_from_filepath path, options
+        verify_keyfile_exists! path
+        json = JSON.parse ::File.read(path)
+        json["scope"] ||= options[:scope]
+        json["target_audience"] ||= options[:target_audience]
+        @project_id ||= (json["project_id"] || json["project"])
+        @quota_project_id ||= json["quota_project_id"]
+        @client = init_client json, options
+      end
     end
   end
 end

data/lib/googleauth/credentials_loader.rb

@@ -64,13 +64,13 @@ module Google
       CLOUD_SDK_CLIENT_ID = "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app"\
         "s.googleusercontent.com".freeze
 
-      CLOUD_SDK_CREDENTIALS_WARNING = "Your application has authenticated "\
-        "using end user credentials from Google Cloud SDK. We recommend that "\
-        "most server applications use service accounts instead. If your "\
-        "application continues to use end user credentials from Cloud SDK, "\
-        'you might receive a "quota exceeded" or "API not enabled" error. For'\
-        " more information about service accounts, see "\
-        "https://cloud.google.com/docs/authentication/.".freeze
+      CLOUD_SDK_CREDENTIALS_WARNING = "Your application has authenticated using end user "\
+        "credentials from Google Cloud SDK. We recommend that most server applications use "\
+        "service accounts instead. If your application continues to use end user credentials "\
+        'from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For '\
+        "more information about service accounts, see "\
+        "https://cloud.google.com/docs/authentication/. To suppress this message, set the "\
+        "GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS environment variable.".freeze
 
       # make_creds proxies the construction of a credentials instance
       #
@@ -103,7 +103,7 @@ module Google
             return make_creds options.merge(json_key_io: f)
           end
         elsif service_account_env_vars? || authorized_user_env_vars?
-          return make_creds options
+          make_creds options
         end
       rescue StandardError => e
         raise "#{NOT_FOUND_ERROR}: #{e}"
@@ -163,11 +163,13 @@ module Google
         raise "#{SYSTEM_DEFAULT_ERROR}: #{e}"
       end
 
+      module_function
+
       # Issues warning if cloud sdk client id is used
       def warn_if_cloud_sdk_credentials client_id
+        return if ENV["GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS"]
         warn CLOUD_SDK_CREDENTIALS_WARNING if client_id == CLOUD_SDK_CLIENT_ID
       end
-      module_function :warn_if_cloud_sdk_credentials
 
       # Finds project_id from gcloud CLI configuration
       def load_gcloud_project_id
@@ -179,7 +181,6 @@ module Google
       rescue StandardError
         nil
       end
-      module_function :load_gcloud_project_id
 
       private
 
@@ -193,15 +194,13 @@ module Google
       end
 
       def service_account_env_vars?
-        [PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR].all? do |key|
-          ENV[key] && !ENV[key].empty?
-        end
+        ([PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR] - ENV.keys).empty? &&
+          !ENV.to_h.fetch_values(PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR).join(" ").empty?
       end
 
       def authorized_user_env_vars?
-        [CLIENT_ID_VAR, CLIENT_SECRET_VAR, REFRESH_TOKEN_VAR].all? do |key|
-          ENV[key] && !ENV[key].empty?
-        end
+        ([CLIENT_ID_VAR, CLIENT_SECRET_VAR, REFRESH_TOKEN_VAR] - ENV.keys).empty? &&
+          !ENV.to_h.fetch_values(CLIENT_ID_VAR, CLIENT_SECRET_VAR, REFRESH_TOKEN_VAR).join(" ").empty?
       end
     end
   end

data/lib/googleauth/iam.rb

@@ -68,7 +68,7 @@ module Google
       # Returns a reference to the #apply method, suitable for passing as
       # a closure
       def updater_proc
-        lambda(&method(:apply))
+        proc { |a_hash, _opts = {}| apply a_hash }
       end
     end
   end

data/{spec/googleauth/stores/store_examples.rb → lib/googleauth/id_tokens/errors.rb}

@@ -1,5 +1,6 @@
-# Copyright 2015, Google Inc.
-# All rights reserved.
+# frozen_string_literal: true
+
+# Copyright 2020 Google LLC
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -27,32 +28,44 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-spec_dir = File.expand_path File.join(File.dirname(__FILE__))
-$LOAD_PATH.unshift spec_dir
-$LOAD_PATH.uniq!
 
-require "spec_helper"
+module Google
+  module Auth
+    module IDTokens
+      ##
+      # Failed to obtain keys from the key source.
+      #
+      class KeySourceError < StandardError; end
 
-shared_examples "token store" do
-  before :each do
-    store.store "default", "test"
-  end
+      ##
+      # Failed to verify a token.
+      #
+      class VerificationError < StandardError; end
 
-  it "should return a stored value" do
-    expect(store.load("default")).to eq "test"
-  end
+      ##
+      # Failed to verify a token because it is expired.
+      #
+      class ExpiredTokenError < VerificationError; end
 
-  it "should return nil for missing tokens" do
-    expect(store.load("notavalidkey")).to be_nil
-  end
+      ##
+      # Failed to verify a token because its signature did not match.
+      #
+      class SignatureError < VerificationError; end
 
-  it "should return nil for deleted tokens" do
-    store.delete "default"
-    expect(store.load("default")).to be_nil
-  end
+      ##
+      # Failed to verify a token because its issuer did not match.
+      #
+      class IssuerMismatchError < VerificationError; end
+
+      ##
+      # Failed to verify a token because its audience did not match.
+      #
+      class AudienceMismatchError < VerificationError; end
 
-  it "should save overwrite values on store" do
-    store.store "default", "test2"
-    expect(store.load("default")).to eq "test2"
+      ##
+      # Failed to verify a token because its authorized party did not match.
+      #
+      class AuthorizedPartyMismatchError < VerificationError; end
+    end
   end
 end