googleauth 1.11.1 → 1.13.1

data/lib/googleauth/impersonated_service_account.rb

@@ -0,0 +1,282 @@
+# Copyright 2024 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "googleauth/signet"
+require "googleauth/base_client"
+require "googleauth/helpers/connection"
+
+module Google
+  module Auth
+    # Authenticates requests using impersonation from base credentials.
+    # This is a two-step process: first authentication claim from the base credentials is created
+    # and then that claim is exchanged for a short-lived token at an IAMCredentials endpoint.
+    # The short-lived token and its expiration time are cached.
+    class ImpersonatedServiceAccountCredentials
+      # @private
+      ERROR_SUFFIX = <<~ERROR.freeze
+        when trying to get security access token
+        from IAM Credentials endpoint using the credentials provided.
+      ERROR
+
+      # @private
+      IAM_SCOPE = ["https://www.googleapis.com/auth/iam".freeze].freeze
+
+      # BaseClient most importantly implements the `:updater_proc` getter,
+      # that returns a reference to an `apply!` method that updates
+      # a hash argument provided with the authorization header containing
+      # the access token (impersonation token in this case).
+      include Google::Auth::BaseClient
+
+      include Helpers::Connection
+
+      # @return [Object] The original authenticated credentials used to fetch short-lived impersonation access tokens
+      attr_reader :base_credentials
+
+      # @return [Object] The modified version of base credentials, tailored for impersonation purposes
+      #   with necessary scope adjustments
+      attr_reader :source_credentials
+
+      # @return [String] The URL endpoint used to generate an impersonation token. This URL should follow a specific
+      #   format to specify the impersonated service account.
+      attr_reader :impersonation_url
+
+      # @return [Array<String>, String] The scope(s) required for the impersonated access token,
+      #   indicating the permissions needed for the short-lived token
+      attr_reader :scope
+
+      # @return [String, nil] The short-lived impersonation access token, retrieved and cached
+      #   after making the impersonation request
+      attr_reader :access_token
+
+      # @return [Time, nil] The expiration time of the current access token, used to determine
+      #   if the token is still valid
+      attr_reader :expires_at
+
+      # Create a ImpersonatedServiceAccountCredentials
+      # When you use service account impersonation, you start with an authenticated principal
+      # (e.g. your user account or a service account)
+      # and request short-lived credentials for a service account
+      # that has the authorization that your use case requires.
+      #
+      # @param options [Hash] A hash of options to configure the credentials.
+      # @option options [Object] :base_credentials (required) The authenticated principal.
+      #   It will be used as following:
+      #   * will be duplicated (with IAM scope) to create the source credentials if it supports duplication
+      #   * as source credentials otherwise.
+      # @option options [String] :impersonation_url (required) The URL to impersonate the service account.
+      #   This URL should follow the format:
+      #   `https://iamcredentials.{universe_domain}/v1/projects/-/serviceAccounts/{source_sa_email}:generateAccessToken`,
+      #   where:
+      #     - `{universe_domain}` is the domain of the IAMCredentials API endpoint (e.g., `googleapis.com`).
+      #     - `{source_sa_email}` is the email address of the service account to impersonate.
+      # @option options [Array<String>, String] :scope (required) The scope(s) for the short-lived impersonation token,
+      #   defining the permissions required for the token.
+      # @option options [Object] :source_credentials The authenticated principal that will be used
+      #   to fetch the short-lived impersonation access token. It is an alternative to providing the base credentials.
+      #
+      # @return [Google::Auth::ImpersonatedServiceAccountCredentials]
+      def self.make_creds options = {}
+        new options
+      end
+
+      # Initializes a new instance of ImpersonatedServiceAccountCredentials.
+      #
+      # @param options [Hash] A hash of options to configure the credentials.
+      # @option options [Object] :base_credentials (required) The authenticated principal.
+      #   It will be used as following:
+      #   * will be duplicated (with IAM scope) to create the source credentials if it supports duplication
+      #   * as source credentials otherwise.
+      # @option options [String] :impersonation_url (required) The URL to impersonate the service account.
+      #   This URL should follow the format:
+      #   `https://iamcredentials.{universe_domain}/v1/projects/-/serviceAccounts/{source_sa_email}:generateAccessToken`,
+      #   where:
+      #     - `{universe_domain}` is the domain of the IAMCredentials API endpoint (e.g., `googleapis.com`).
+      #     - `{source_sa_email}` is the email address of the service account to impersonate.
+      # @option options [Array<String>, String] :scope (required) The scope(s) for the short-lived impersonation token,
+      #   defining the permissions required for the token.
+      # @option options [Object] :source_credentials The authenticated principal that will be used
+      #   to fetch the short-lived impersonation access token. It is an alternative to providing the base credentials.
+      #   It is redundant to provide both source and base credentials as only source will be used,
+      #   but it can be done, e.g. when duplicating existing credentials.
+      #
+      # @raise [ArgumentError] If any of the required options are missing.
+      #
+      # @return [Google::Auth::ImpersonatedServiceAccountCredentials]
+      def initialize options = {}
+        @base_credentials, @impersonation_url, @scope =
+          options.values_at :base_credentials,
+                            :impersonation_url,
+                            :scope
+
+        # Fail-fast checks for required parameters
+        if @base_credentials.nil? && !options.key?(:source_credentials)
+          raise ArgumentError, "Missing required option: either :base_credentials or :source_credentials"
+        end
+        raise ArgumentError, "Missing required option: :impersonation_url" if @impersonation_url.nil?
+        raise ArgumentError, "Missing required option: :scope" if @scope.nil?
+
+        # Some credentials (all Signet-based ones and this one) include scope and a bunch of transient state
+        # (e.g. refresh status) as part of themselves
+        # so a copy needs to be created with the scope overriden and transient state dropped.
+        #
+        # If a credentials does not support `duplicate` we'll try to use it as is assuming it has a broad enough scope.
+        # This might result in an "access denied" error downstream when the token from that credentials is being used
+        # for the token exchange.
+        @source_credentials = if options.key? :source_credentials
+                                options[:source_credentials]
+                              elsif @base_credentials.respond_to? :duplicate
+                                @base_credentials.duplicate({
+                                                              scope: IAM_SCOPE
+                                                            })
+                              else
+                                @base_credentials
+                              end
+      end
+
+      # Determines whether the current access token expires within the specified number of seconds.
+      #
+      # @param seconds [Integer] The number of seconds to check against the token's expiration time.
+      #
+      # @return [Boolean] Whether the access token expires within the given time frame
+      def expires_within? seconds
+        # This method is needed for BaseClient
+        @expires_at && @expires_at - Time.now.utc < seconds
+      end
+
+      # The universe domain of the impersonated credentials.
+      # Effectively this retrieves the universe domain of the source credentials.
+      #
+      # @return [String] The universe domain of the credentials.
+      def universe_domain
+        @source_credentials.universe_domain
+      end
+
+      # @return [Logger, nil] The logger of the credentials.
+      def logger
+        @source_credentials.logger if source_credentials.respond_to? :logger
+      end
+
+      # Creates a duplicate of these credentials without transient token state
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized
+      #   * `base_credentials` the base credentials used to initialize the impersonation
+      #   * `source_credentials` the authenticated credentials which usually would be
+      #     base credentials with scope overridden to IAM_SCOPE
+      #   * `impersonation_url` the URL to use to make an impersonation token exchange
+      #   * `scope` the scope(s) to access
+      #
+      # @return [Google::Auth::ImpersonatedServiceAccountCredentials]
+      def duplicate options = {}
+        options = deep_hash_normalize options
+
+        options = {
+          base_credentials: @base_credentials,
+          source_credentials: @source_credentials,
+          impersonation_url: @impersonation_url,
+          scope: @scope
+        }.merge(options)
+
+        self.class.new options
+      end
+
+      private
+
+      # Generates a new impersonation access token by exchanging the source credentials' token
+      # at the impersonation URL.
+      #
+      # This method first fetches an access token from the source credentials and then exchanges it
+      # for an impersonation token using the specified impersonation URL. The generated token and
+      # its expiration time are cached for subsequent use.
+      #
+      # @param _options [Hash] (optional) Additional options for token retrieval (currently unused).
+      #
+      # @raise [Signet::UnexpectedStatusError] If the response status is 403 or 500.
+      # @raise [Signet::AuthorizationError] For other unexpected response statuses.
+      #
+      # @return [String] The newly generated impersonation access token.
+      def fetch_access_token! _options = {}
+        auth_header = {}
+        auth_header = @source_credentials.updater_proc.call auth_header
+
+        resp = connection.post @impersonation_url do |req|
+          req.headers.merge! auth_header
+          req.headers["Content-Type"] = "application/json"
+          req.body = MultiJson.dump({ scope: @scope })
+        end
+
+        case resp.status
+        when 200
+          response = MultiJson.load resp.body
+          self.expires_at = response["expireTime"]
+          @access_token = response["accessToken"]
+          access_token
+        when 403, 500
+          msg = "Unexpected error code #{resp.status}.\n #{resp.env.response_body} #{ERROR_SUFFIX}"
+          raise Signet::UnexpectedStatusError, msg
+        else
+          msg = "Unexpected error code #{resp.status}.\n #{resp.env.response_body} #{ERROR_SUFFIX}"
+          raise Signet::AuthorizationError, msg
+        end
+      end
+
+      # Setter for the expires_at value that makes sure it is converted
+      # to Time object.
+      def expires_at= new_expires_at
+        @expires_at = normalize_timestamp new_expires_at
+      end
+
+      # Returns the type of token (access_token).
+      # This method is needed for BaseClient.
+      def token_type
+        :access_token
+      end
+
+      # Normalizes a timestamp to a Time object.
+      #
+      # @param time [Time, String, nil] The timestamp to normalize.
+      #
+      # @return [Time, nil] The normalized Time object, or nil if the input is nil.
+      #
+      # @raise [RuntimeError] If the input is not a Time, String, or nil.
+      def normalize_timestamp time
+        case time
+        when NilClass
+          nil
+        when Time
+          time
+        when String
+          Time.parse time
+        else
+          raise "Invalid time value #{time}"
+        end
+      end
+
+      # Convert all keys in this hash (nested) to symbols for uniform retrieval
+      def recursive_hash_normalize_keys val
+        if val.is_a? Hash
+          deep_hash_normalize val
+        else
+          val
+        end
+      end
+
+      def deep_hash_normalize old_hash
+        sym_hash = {}
+        old_hash&.each { |k, v| sym_hash[k.to_sym] = recursive_hash_normalize_keys v }
+        sym_hash
+      end
+    end
+  end
+end

data/lib/googleauth/service_account.rb

@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+require "google/logging/message"
 require "googleauth/signet"
 require "googleauth/credentials_loader"
 require "googleauth/json_key_reader"
@@ -80,6 +81,30 @@ module Google
           .configure_connection(options)
       end
 
+      # Creates a duplicate of these credentials
+      # without the Signet::OAuth2::Client-specific
+      # transient state (e.g. cached tokens)
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized in addition to keys in the
+      #   Signet::OAuth2::Client
+      #   * `:enable_self_signed_jwt` Whether the self-signed JWT should
+      #     be used for the authentication
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #     during the authentication
+      def duplicate options = {}
+        options = deep_hash_normalize options
+        super(
+          {
+            enable_self_signed_jwt: @enable_self_signed_jwt,
+            project_id: project_id,
+            quota_project_id: quota_project_id,
+            logger: logger
+          }.merge(options)
+        )
+      end
+
       # Handles certain escape sequences that sometimes appear in input.
       # Specifically, interprets the "\n" sequence for newline, and removes
       # enclosing quotes.
@@ -111,6 +136,32 @@ module Google
         super && !enable_self_signed_jwt?
       end
 
+      # Destructively updates these credentials
+      #
+      # This method is called by `Signet::OAuth2::Client`'s constructor
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized in addition to keys in the
+      #   Signet::OAuth2::Client
+      #   * `:enable_self_signed_jwt` Whether the self-signed JWT should
+      #     be used for the authentication
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #     during the authentication
+      # @return [Google::Auth::ServiceAccountCredentials]
+      def update! options = {}
+        # Normalize all keys to symbols to allow indifferent access.
+        options = deep_hash_normalize options
+
+        @enable_self_signed_jwt = options[:enable_self_signed_jwt] ? true : false
+        @project_id = options[:project_id] if options.key? :project_id
+        @quota_project_id = options[:quota_project_id] if options.key? :quota_project_id
+
+        super(options)
+
+        self
+      end
+
       private
 
       def apply_self_signed_jwt! a_hash
@@ -123,6 +174,7 @@ module Google
         }
         key_io = StringIO.new MultiJson.dump(cred_json)
         alt = ServiceAccountJwtHeaderCredentials.make_creds json_key_io: key_io, scope: scope
+        alt.logger = logger
         alt.apply! a_hash
       end
     end
@@ -142,11 +194,14 @@ module Google
       TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
       SIGNING_ALGORITHM = "RS256".freeze
       EXPIRY = 60
+
       extend CredentialsLoader
       extend JsonKeyReader
+
       attr_reader :project_id
       attr_reader :quota_project_id
       attr_accessor :universe_domain
+      attr_accessor :logger
 
       # Create a ServiceAccountJwtHeaderCredentials.
       #
@@ -166,16 +221,43 @@ module Google
           @private_key, @issuer, @project_id, @quota_project_id, @universe_domain =
             self.class.read_json_key json_key_io
         else
-          @private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
-          @issuer = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
-          @project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
-          @quota_project_id = nil
-          @universe_domain = nil
+          @private_key = options.key?(:private_key) ? options[:private_key] : ENV[CredentialsLoader::PRIVATE_KEY_VAR]
+          @issuer = options.key?(:issuer) ? options[:issuer] : ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
+          @project_id = options.key?(:project_id) ? options[:project_id] : ENV[CredentialsLoader::PROJECT_ID_VAR]
+          @quota_project_id = options[:quota_project_id] if options.key? :quota_project_id
+          @universe_domain = options[:universe_domain] if options.key? :universe_domain
         end
         @universe_domain ||= "googleapis.com"
         @project_id ||= CredentialsLoader.load_gcloud_project_id
         @signing_key = OpenSSL::PKey::RSA.new @private_key
-        @scope = options[:scope]
+        @scope = options[:scope] if options.key? :scope
+        @logger = options[:logger] if options.key? :scope
+      end
+
+      # Creates a duplicate of these credentials
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized
+      #   * `private key` the private key in string form
+      #   * `issuer` the SA issuer
+      #   * `scope` the scope(s) to access
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #   * `universe_domain` the universe domain of the credentials
+      def duplicate options = {}
+        options = deep_hash_normalize options
+
+        options = {
+          private_key: @private_key,
+          issuer: @issuer,
+          scope: @scope,
+          project_id: project_id,
+          quota_project_id: quota_project_id,
+          universe_domain: universe_domain,
+          logger: logger
+        }.merge(options)
+
+        self.class.new options
       end
 
       # Construct a jwt token if the JWT_AUD_URI key is present in the input
@@ -187,10 +269,14 @@ module Google
         return a_hash if jwt_aud_uri.nil? && @scope.nil?
         jwt_token = new_jwt_token jwt_aud_uri, opts
         a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
+        logger&.debug do
+          hash = Digest::SHA256.hexdigest jwt_token
+          Google::Logging::Message.from message: "Sending JWT auth token. (sha256:#{hash})"
+        end
         a_hash
       end
 
-      # Returns a clone of a_hash updated with the authoriation header
+      # Returns a clone of a_hash updated with the authorization header
       def apply a_hash, opts = {}
         a_copy = a_hash.clone
         apply! a_copy, opts
@@ -219,6 +305,10 @@ module Google
         assertion["scope"] = Array(@scope).join " " if @scope
         assertion["aud"] = jwt_aud_uri if jwt_aud_uri
 
+        logger&.debug do
+          Google::Logging::Message.from message: "JWT assertion: #{assertion}"
+        end
+
         JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
       end
 
@@ -226,6 +316,23 @@ module Google
       def needs_access_token?
         false
       end
+
+      private
+
+      def deep_hash_normalize old_hash
+        sym_hash = {}
+        old_hash&.each { |k, v| sym_hash[k.to_sym] = recursive_hash_normalize_keys v }
+        sym_hash
+      end
+
+      # Convert all keys in this hash (nested) to symbols for uniform retrieval
+      def recursive_hash_normalize_keys val
+        if val.is_a? Hash
+          deep_hash_normalize val
+        else
+          val
+        end
+      end
     end
   end
 end

data/lib/googleauth/signet.rb

@@ -38,6 +38,22 @@ module Signet
         self
       end
 
+      alias update_signet_base update!
+      def update! options = {}
+        # Normalize all keys to symbols to allow indifferent access.
+        options = deep_hash_normalize options
+
+        # This `update!` method "overide" adds the `@logger`` update and
+        # the `universe_domain` update.
+        #
+        # The `universe_domain` is also updated in `update_token!` but is
+        # included here for completeness
+        self.universe_domain = options[:universe_domain] if options.key? :universe_domain
+        @logger = options[:logger] if options.key? :logger
+
+        update_signet_base options
+      end
+
       def configure_connection options
         @connection_info =
           options[:connection_builder] || options[:default_connection]
@@ -65,6 +81,24 @@ module Signet
         info
       end
 
+      alias googleauth_orig_generate_access_token_request generate_access_token_request
+      def generate_access_token_request options = {}
+        parameters = googleauth_orig_generate_access_token_request options
+        logger&.info do
+          Google::Logging::Message.from(
+            message: "Requesting access token from #{parameters['grant_type']}",
+            "credentialsId" => object_id
+          )
+        end
+        logger&.debug do
+          Google::Logging::Message.from(
+            message: "Token fetch params: #{parameters}",
+            "credentialsId" => object_id
+          )
+        end
+        parameters
+      end
+
       def build_default_connection
         if !defined?(@connection_info)
           nil
@@ -79,21 +113,62 @@ module Signet
         retry_count = 0
 
         begin
-          yield
+          yield.tap { |resp| log_response resp }
         rescue StandardError => e
-          raise e if e.is_a?(Signet::AuthorizationError) || e.is_a?(Signet::ParseError)
+          if e.is_a?(Signet::AuthorizationError) || e.is_a?(Signet::ParseError)
+            log_auth_error e
+            raise e
+          end
 
           if retry_count < max_retry_count
+            log_transient_error e
             retry_count += 1
             sleep retry_count * 0.3
             retry
           else
+            log_retries_exhausted e
             msg = "Unexpected error: #{e.inspect}"
             raise Signet::AuthorizationError, msg
           end
         end
       end
 
+      # Creates a duplicate of these credentials
+      # without the Signet::OAuth2::Client-specific
+      # transient state (e.g. cached tokens)
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      # @see Signet::OAuth2::Client#update!
+      def duplicate options = {}
+        options = deep_hash_normalize options
+
+        opts = {
+          authorization_uri: @authorization_uri,
+          token_credential_uri: @token_credential_uri,
+          client_id: @client_id,
+          client_secret: @client_secret,
+          scope: @scope,
+          target_audience: @target_audience,
+          redirect_uri: @redirect_uri,
+          username: @username,
+          password: @password,
+          issuer: @issuer,
+          person: @person,
+          sub: @sub,
+          audience: @audience,
+          signing_key: @signing_key,
+          extension_parameters: @extension_parameters,
+          additional_parameters: @additional_parameters,
+          access_type: @access_type,
+          universe_domain: @universe_domain,
+          logger: @logger
+        }.merge(options)
+
+        new_client = self.class.new opts
+
+        new_client.configure_connection options
+      end
+
       private
 
       def expires_at_from_id_token id_token
@@ -106,6 +181,49 @@ module Signet
         # Shouldn't happen unless we get a garbled ID token
         nil
       end
+
+      def log_response token_response
+        response_hash = JSON.parse token_response rescue {}
+        if response_hash["access_token"]
+          digest = Digest::SHA256.hexdigest response_hash["access_token"]
+          response_hash["access_token"] = "(sha256:#{digest})"
+        end
+        if response_hash["id_token"]
+          digest = Digest::SHA256.hexdigest response_hash["id_token"]
+          response_hash["id_token"] = "(sha256:#{digest})"
+        end
+        Google::Logging::Message.from(
+          message: "Received auth token response: #{response_hash}",
+          "credentialsId" => object_id
+        )
+      end
+
+      def log_auth_error err
+        logger&.info do
+          Google::Logging::Message.from(
+            message: "Auth error when fetching auth token: #{err}",
+            "credentialsId" => object_id
+          )
+        end
+      end
+
+      def log_transient_error err
+        logger&.info do
+          Google::Logging::Message.from(
+            message: "Transient error when fetching auth token: #{err}",
+            "credentialsId" => object_id
+          )
+        end
+      end
+
+      def log_retries_exhausted err
+        logger&.info do
+          Google::Logging::Message.from(
+            message: "Exhausted retries when fetching auth token: #{err}",
+            "credentialsId" => object_id
+          )
+        end
+      end
     end
   end
 end

data/lib/googleauth/user_refresh.rb

@@ -85,6 +85,26 @@ module Google
         super options
       end
 
+      # Creates a duplicate of these credentials
+      # without the Signet::OAuth2::Client-specific
+      # transient state (e.g. cached tokens)
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized in addition to keys in the
+      #   Signet::OAuth2::Client
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #     during the authentication
+      def duplicate options = {}
+        options = deep_hash_normalize options
+        super(
+          {
+            project_id: @project_id,
+            quota_project_id: @quota_project_id
+          }.merge(options)
+        )
+      end
+
       # Revokes the credential
       def revoke! options = {}
         c = options[:connection] || Faraday.default_connection
@@ -114,6 +134,29 @@ module Google
                         Google::Auth::ScopeUtil.normalize(scope)
         missing_scope.empty?
       end
+
+      # Destructively updates these credentials
+      #
+      # This method is called by `Signet::OAuth2::Client`'s constructor
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized in addition to keys in the
+      #   Signet::OAuth2::Client
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #     during the authentication
+      # @return [Google::Auth::UserRefreshCredentials]
+      def update! options = {}
+        # Normalize all keys to symbols to allow indifferent access.
+        options = deep_hash_normalize options
+
+        @project_id = options[:project_id] if options.key? :project_id
+        @quota_project_id = options[:quota_project_id] if options.key? :quota_project_id
+
+        super(options)
+
+        self
+      end
     end
   end
 end