googleauth 1.12.2 → 1.14.0

data/lib/googleauth/service_account_jwt_header.rb

@@ -0,0 +1,180 @@
+# Copyright 2025 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "google/logging/message"
+require "googleauth/credentials_loader"
+require "googleauth/json_key_reader"
+require "jwt"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # Authenticates requests using Google's Service Account credentials via
+    # JWT Header.
+    #
+    # This class allows authorizing requests for service accounts directly
+    # from credentials from a json key file downloaded from the developer
+    # console (via 'Generate new Json Key').  It is not part of any OAuth2
+    # flow, rather it creates a JWT and sends that as a credential.
+    #
+    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
+    class ServiceAccountJwtHeaderCredentials
+      JWT_AUD_URI_KEY = :jwt_aud_uri
+      AUTH_METADATA_KEY = Google::Auth::BaseClient::AUTH_METADATA_KEY
+      TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
+      SIGNING_ALGORITHM = "RS256".freeze
+      EXPIRY = 60
+
+      extend CredentialsLoader
+      extend JsonKeyReader
+
+      attr_reader :project_id
+      attr_reader :quota_project_id
+      attr_accessor :universe_domain
+      attr_accessor :logger
+
+      # Create a ServiceAccountJwtHeaderCredentials.
+      #
+      # @param json_key_io [IO] an IO from which the JSON key can be read
+      # @param scope [string|array|nil] the scope(s) to access
+      def self.make_creds options = {}
+        json_key_io, scope = options.values_at :json_key_io, :scope
+        new json_key_io: json_key_io, scope: scope
+      end
+
+      # Initializes a ServiceAccountJwtHeaderCredentials.
+      #
+      # @param json_key_io [IO] an IO from which the JSON key can be read
+      def initialize options = {}
+        json_key_io = options[:json_key_io]
+        if json_key_io
+          @private_key, @issuer, @project_id, @quota_project_id, @universe_domain =
+            self.class.read_json_key json_key_io
+        else
+          @private_key = options.key?(:private_key) ? options[:private_key] : ENV[CredentialsLoader::PRIVATE_KEY_VAR]
+          @issuer = options.key?(:issuer) ? options[:issuer] : ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
+          @project_id = options.key?(:project_id) ? options[:project_id] : ENV[CredentialsLoader::PROJECT_ID_VAR]
+          @quota_project_id = options[:quota_project_id] if options.key? :quota_project_id
+          @universe_domain = options[:universe_domain] if options.key? :universe_domain
+        end
+        @universe_domain ||= "googleapis.com"
+        @project_id ||= CredentialsLoader.load_gcloud_project_id
+        @signing_key = OpenSSL::PKey::RSA.new @private_key
+        @scope = options[:scope] if options.key? :scope
+        @logger = options[:logger] if options.key? :logger
+      end
+
+      # Creates a duplicate of these credentials
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized
+      #   * `private key` the private key in string form
+      #   * `issuer` the SA issuer
+      #   * `scope` the scope(s) to access
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #   * `universe_domain` the universe domain of the credentials
+      def duplicate options = {}
+        options = deep_hash_normalize options
+
+        options = {
+          private_key: @private_key,
+          issuer: @issuer,
+          scope: @scope,
+          project_id: project_id,
+          quota_project_id: quota_project_id,
+          universe_domain: universe_domain,
+          logger: logger
+        }.merge(options)
+
+        self.class.new options
+      end
+
+      # Construct a jwt token if the JWT_AUD_URI key is present in the input
+      # hash.
+      #
+      # The jwt token is used as the value of a 'Bearer '.
+      def apply! a_hash, opts = {}
+        jwt_aud_uri = a_hash.delete JWT_AUD_URI_KEY
+        return a_hash if jwt_aud_uri.nil? && @scope.nil?
+        jwt_token = new_jwt_token jwt_aud_uri, opts
+        a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
+        logger&.debug do
+          hash = Digest::SHA256.hexdigest jwt_token
+          Google::Logging::Message.from message: "Sending JWT auth token. (sha256:#{hash})"
+        end
+        a_hash
+      end
+
+      # Returns a clone of a_hash updated with the authorization header
+      def apply a_hash, opts = {}
+        a_copy = a_hash.clone
+        apply! a_copy, opts
+        a_copy
+      end
+
+      # Returns a reference to the #apply method, suitable for passing as
+      # a closure
+      def updater_proc
+        proc { |a_hash, opts = {}| apply a_hash, opts }
+      end
+
+      # Creates a jwt uri token.
+      def new_jwt_token jwt_aud_uri = nil, options = {}
+        now = Time.new
+        skew = options[:skew] || 60
+        assertion = {
+          "iss" => @issuer,
+          "sub" => @issuer,
+          "exp" => (now + EXPIRY).to_i,
+          "iat" => (now - skew).to_i
+        }
+
+        jwt_aud_uri = nil if @scope
+
+        assertion["scope"] = Array(@scope).join " " if @scope
+        assertion["aud"] = jwt_aud_uri if jwt_aud_uri
+
+        logger&.debug do
+          Google::Logging::Message.from message: "JWT assertion: #{assertion}"
+        end
+
+        JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
+      end
+
+      # Duck-types the corresponding method from BaseClient
+      def needs_access_token?
+        false
+      end
+
+      private
+
+      def deep_hash_normalize old_hash
+        sym_hash = {}
+        old_hash&.each { |k, v| sym_hash[k.to_sym] = recursive_hash_normalize_keys v }
+        sym_hash
+      end
+
+      # Convert all keys in this hash (nested) to symbols for uniform retrieval
+      def recursive_hash_normalize_keys val
+        if val.is_a? Hash
+          deep_hash_normalize val
+        else
+          val
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/signet.rb

@@ -38,6 +38,22 @@ module Signet
         self
       end
 
+      alias update_signet_base update!
+      def update! options = {}
+        # Normalize all keys to symbols to allow indifferent access.
+        options = deep_hash_normalize options
+
+        # This `update!` method "overide" adds the `@logger`` update and
+        # the `universe_domain` update.
+        #
+        # The `universe_domain` is also updated in `update_token!` but is
+        # included here for completeness
+        self.universe_domain = options[:universe_domain] if options.key? :universe_domain
+        @logger = options[:logger] if options.key? :logger
+
+        update_signet_base options
+      end
+
       def configure_connection options
         @connection_info =
           options[:connection_builder] || options[:default_connection]
@@ -117,6 +133,42 @@ module Signet
         end
       end
 
+      # Creates a duplicate of these credentials
+      # without the Signet::OAuth2::Client-specific
+      # transient state (e.g. cached tokens)
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      # @see Signet::OAuth2::Client#update!
+      def duplicate options = {}
+        options = deep_hash_normalize options
+
+        opts = {
+          authorization_uri: @authorization_uri,
+          token_credential_uri: @token_credential_uri,
+          client_id: @client_id,
+          client_secret: @client_secret,
+          scope: @scope,
+          target_audience: @target_audience,
+          redirect_uri: @redirect_uri,
+          username: @username,
+          password: @password,
+          issuer: @issuer,
+          person: @person,
+          sub: @sub,
+          audience: @audience,
+          signing_key: @signing_key,
+          extension_parameters: @extension_parameters,
+          additional_parameters: @additional_parameters,
+          access_type: @access_type,
+          universe_domain: @universe_domain,
+          logger: @logger
+        }.merge(options)
+
+        new_client = self.class.new opts
+
+        new_client.configure_connection options
+      end
+
       private
 
       def expires_at_from_id_token id_token

data/lib/googleauth/user_refresh.rb

@@ -85,6 +85,26 @@ module Google
         super options
       end
 
+      # Creates a duplicate of these credentials
+      # without the Signet::OAuth2::Client-specific
+      # transient state (e.g. cached tokens)
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized in addition to keys in the
+      #   Signet::OAuth2::Client
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #     during the authentication
+      def duplicate options = {}
+        options = deep_hash_normalize options
+        super(
+          {
+            project_id: @project_id,
+            quota_project_id: @quota_project_id
+          }.merge(options)
+        )
+      end
+
       # Revokes the credential
       def revoke! options = {}
         c = options[:connection] || Faraday.default_connection
@@ -114,6 +134,29 @@ module Google
                         Google::Auth::ScopeUtil.normalize(scope)
         missing_scope.empty?
       end
+
+      # Destructively updates these credentials
+      #
+      # This method is called by `Signet::OAuth2::Client`'s constructor
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized in addition to keys in the
+      #   Signet::OAuth2::Client
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #     during the authentication
+      # @return [Google::Auth::UserRefreshCredentials]
+      def update! options = {}
+        # Normalize all keys to symbols to allow indifferent access.
+        options = deep_hash_normalize options
+
+        @project_id = options[:project_id] if options.key? :project_id
+        @quota_project_id = options[:quota_project_id] if options.key? :quota_project_id
+
+        super(options)
+
+        self
+      end
     end
   end
 end

data/lib/googleauth/version.rb

@@ -16,6 +16,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "1.12.2".freeze
+    VERSION = "1.14.0".freeze
   end
 end

data/lib/googleauth.rb

@@ -13,9 +13,16 @@
 # limitations under the License.
 
 require "googleauth/application_default"
+require "googleauth/api_key"
+require "googleauth/bearer_token"
 require "googleauth/client_id"
 require "googleauth/credentials"
 require "googleauth/default_credentials"
+require "googleauth/external_account"
 require "googleauth/id_tokens"
+require "googleauth/impersonated_service_account"
+require "googleauth/service_account"
+require "googleauth/service_account_jwt_header"
 require "googleauth/user_authorizer"
+require "googleauth/user_refresh"
 require "googleauth/web_user_authorizer"

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: googleauth
 version: !ruby/object:Gem::Version
-  version: 1.12.2
+  version: 1.14.0
 platform: ruby
 authors:
-- Tim Emiola
-autorequire: 
+- Google LLC
 bindir: bin
 cert_chain: []
-date: 2024-12-19 00:00:00.000000000 Z
+date: 2025-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -135,7 +134,7 @@ dependencies:
 description: Implements simple authorization for accessing Google APIs, and provides
   support for Application Default Credentials.
 email:
-- temiola@google.com
+- googleapis-packages@google.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -147,8 +146,10 @@ files:
 - README.md
 - SECURITY.md
 - lib/googleauth.rb
+- lib/googleauth/api_key.rb
 - lib/googleauth/application_default.rb
 - lib/googleauth/base_client.rb
+- lib/googleauth/bearer_token.rb
 - lib/googleauth/client_id.rb
 - lib/googleauth/compute_engine.rb
 - lib/googleauth/credentials.rb
@@ -166,10 +167,12 @@ files:
 - lib/googleauth/id_tokens/errors.rb
 - lib/googleauth/id_tokens/key_sources.rb
 - lib/googleauth/id_tokens/verifier.rb
+- lib/googleauth/impersonated_service_account.rb
 - lib/googleauth/json_key_reader.rb
 - lib/googleauth/oauth2/sts_client.rb
 - lib/googleauth/scope_util.rb
 - lib/googleauth/service_account.rb
+- lib/googleauth/service_account_jwt_header.rb
 - lib/googleauth/signet.rb
 - lib/googleauth/stores/file_token_store.rb
 - lib/googleauth/stores/redis_token_store.rb
@@ -185,7 +188,6 @@ metadata:
   changelog_uri: https://github.com/googleapis/google-auth-library-ruby/blob/main/CHANGELOG.md
   source_code_uri: https://github.com/googleapis/google-auth-library-ruby
   bug_tracker_uri: https://github.com/googleapis/google-auth-library-ruby/issues
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -193,15 +195,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.7'
+      version: '3.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.23
-signing_key: 
+rubygems_version: 3.6.5
 specification_version: 4
 summary: Google Auth Library for Ruby
 test_files: []