googleauth 1.13.1 → 1.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6d8ca5b2b0c7f4ce54f7971d8de2f23f3ee0837d08d7d3c568c503308fcf82ab
-  data.tar.gz: d5f8b8fd2fcb4fef4240db58bf90f54a8bfd021c550a7bc9063c9087285f3921
+  metadata.gz: 9e2eef22c1062f2fd2216760e90a1af9ece1b99838bccea486a7b4ce43be9734
+  data.tar.gz: 1e60ef4856de1e4f7a3d423f3953e5e39f86c7002216ad2d98ee46ec88aaaf25
 SHA512:
-  metadata.gz: 6a4de2b23f4dc0310a18568e0618c5d81fad54dfc8d57fe3c27b954c4bd21272fcc467c2c313f98f80fa127eab11ebe0d0fc55ceed7e6c5439764500e334df49
-  data.tar.gz: f4aff68138105ea19875bb7a51d4b6ced9ec2e7185ce725eca205ea1dc11beb9e6019c9dd89449866598ca6e4d3abb06b91f277f34e51ac7726d79a39fc40c67
+  metadata.gz: d5a87f962d04eb59c9ae083a4d3c46fd54ef4d4c53f0571b3952f6d1a9d30e3af89fb2c50e04b118e301097850c9985c713968dc29c62c5d388d0d8a4c3d306d
+  data.tar.gz: fae67434766ed2d4bb67e2c7ba2784a9397843110c28d96368d368b1dd30229a1ea83c5ee05e70a712446781e67ca84149fbaa72dd4239eb349d6943ff42b9b3

data/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Release History
 
+### 1.14.0 (2025-03-14)
+
+#### Features
+
+* add API key credentials ([#520](https://github.com/googleapis/google-auth-library-ruby/issues/520)) 
+* Add Bearer token credentials 
+* add BearerToken credentials ([#522](https://github.com/googleapis/google-auth-library-ruby/issues/522)) 
+* Update minimum Ruby version to 3.0 ([#527](https://github.com/googleapis/google-auth-library-ruby/issues/527)) 
+#### Bug Fixes
+
+* Eliminated the "attribute accessor as module_function" warning ([#519](https://github.com/googleapis/google-auth-library-ruby/issues/519)) 
+* Get the project_id from gcloud ([#479](https://github.com/googleapis/google-auth-library-ruby/issues/479)) 
+* logger configuration in service account JWT header ([#525](https://github.com/googleapis/google-auth-library-ruby/issues/525)) 
+
 ### 1.13.1 (2025-01-24)
 
 #### Bug Fixes

data/README.md

@@ -265,7 +265,7 @@ Custom storage implementations can also be used. See
 
 ## Supported Ruby Versions
 
-This library is supported on Ruby 2.6+.
+This library is supported on Ruby 3.0+.
 
 Google provides official support for Ruby versions that are actively supported
 by Ruby Core—that is, Ruby versions that are either in normal maintenance or

data/lib/googleauth/api_key.rb

@@ -0,0 +1,155 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "googleauth/base_client"
+require "googleauth/credentials_loader"
+
+module Google
+  module Auth
+    ##
+    # Implementation of Google API Key authentication.
+    #
+    # API Keys are text strings. They don't have an associated JSON file.
+    #
+    # The end-user is managing their API Keys directly, not via
+    # an authentication library.
+    #
+    # API Keys provide project information for an API request.
+    # API Keys don't reference an IAM principal, they do not expire,
+    # and cannot be refreshed.
+    #
+    class APIKeyCredentials
+      include Google::Auth::BaseClient
+
+      # @private Authorization header key
+      API_KEY_HEADER = "x-goog-api-key".freeze
+
+      # @private Environment variable containing API key
+      API_KEY_VAR = "GOOGLE_API_KEY".freeze
+
+      # @return [String] The API key
+      attr_reader :api_key
+
+      # @return [String] The universe domain of the universe
+      #   this API key is for
+      attr_accessor :universe_domain
+
+      class << self
+        # Creates an APIKeyCredentials from the environment.
+        # Checks the ENV['GOOGLE_API_KEY'] variable.
+        #
+        # @param [String] _scope
+        #  The scope to use for OAuth. Not used by API key auth.
+        # @param [Hash] options
+        #  The options to pass to the credentials instance
+        #
+        # @return [Google::Auth::APIKeyCredentials, nil]
+        #  Credentials if the API key environment variable is present,
+        #  nil otherwise
+        def from_env _scope = nil, options = {}
+          api_key = ENV[API_KEY_VAR]
+          return nil if api_key.nil? || api_key.empty?
+          new options.merge(api_key: api_key)
+        end
+
+        # Create the APIKeyCredentials.
+        #
+        # @param [Hash] options The credentials options
+        # @option options [String] :api_key
+        #   The API key to use for authentication
+        # @option options [String] :universe_domain
+        #   The universe domain of the universe this API key
+        #   belongs to (defaults to googleapis.com)
+        # @return [Google::Auth::APIKeyCredentials]
+        def make_creds options = {}
+          new options
+        end
+      end
+
+      # Initialize the APIKeyCredentials.
+      #
+      # @param [Hash] options The credentials options
+      # @option options [String] :api_key
+      #   The API key to use for authentication
+      # @option options [String] :universe_domain
+      #   The universe domain of the universe this API key
+      #   belongs to (defaults to googleapis.com)
+      def initialize options = {}
+        raise ArgumentError, "API key must be provided" if options[:api_key].nil? || options[:api_key].empty?
+        @api_key = options[:api_key]
+        @universe_domain = options[:universe_domain] || "googleapis.com"
+      end
+
+      # Determines if the credentials object has expired.
+      # Since API keys don't expire, this always returns false.
+      #
+      # @param [Fixnum] _seconds
+      #  The optional timeout in seconds since the last refresh
+      # @return [Boolean]
+      #  True if the token has expired, false otherwise.
+      def expires_within? _seconds
+        false
+      end
+
+      # Creates a duplicate of these credentials.
+      #
+      # @param [Hash] options Additional options for configuring the credentials
+      # @return [Google::Auth::APIKeyCredentials]
+      def duplicate options = {}
+        self.class.new(
+          api_key: options[:api_key] || @api_key,
+          universe_domain: options[:universe_domain] || @universe_domain
+        )
+      end
+
+      # Updates the provided hash with the API Key header.
+      #
+      # The `apply!` method modifies the provided hash in place, adding the
+      # `x-goog-api-key` header with the API Key value.
+      #
+      # The API Key is hashed before being logged for security purposes.
+      #
+      # NB: this method typically would be called through `updater_proc`.
+      # Some older clients call it directly though, so it has to be public.
+      #
+      # @param [Hash] a_hash The hash to which the API Key header should be added.
+      #   This is typically a hash representing the request headers.  This hash
+      #   will be modified in place.
+      # @param [Hash] _opts  Additional options (currently not used).  Included
+      #   for consistency with the `BaseClient` interface.
+      # @return [Hash] The modified hash (the same hash passed as the `a_hash`
+      #   argument).
+      def apply! a_hash, _opts = {}
+        a_hash[API_KEY_HEADER] = @api_key
+        logger&.debug do
+          hash = Digest::SHA256.hexdigest @api_key
+          Google::Logging::Message.from message: "Sending API key auth token. (sha256:#{hash})"
+        end
+        a_hash
+      end
+
+      protected
+
+      # The token type should be :api_key
+      def token_type
+        :api_key
+      end
+
+      # We don't need to fetch access tokens for API key auth
+      def fetch_access_token! _options = {}
+        nil
+      end
+    end
+  end
+end

data/lib/googleauth/bearer_token.rb

@@ -0,0 +1,148 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "googleauth/base_client"
+
+module Google
+  module Auth
+    ##
+    # Implementation of Bearer Token authentication scenario.
+    #
+    # Bearer tokens are strings representing an authorization grant.
+    # They can be OAuth2 ("ya.29") tokens, JWTs, IDTokens -- anything
+    # that is sent as a `Bearer` in an `Authorization` header.
+    #
+    # Not all 'authentication' strings can be used with this class,
+    # e.g. an API key cannot since API keys are sent in a
+    # `x-goog-api-key` header or as a query parameter.
+    #
+    # This class should be used when the end-user is managing the
+    # authentication token separately, e.g. with a separate service.
+    # This means that tasks like tracking the lifetime of and
+    # refreshing the token are outside the scope of this class.
+    #
+    # There is no JSON representation for this type of credentials.
+    # If the end-user has credentials in JSON format they should typically
+    # use the corresponding credentials type, e.g. ServiceAccountCredentials
+    # with the service account JSON.
+    #
+    class BearerTokenCredentials
+      include Google::Auth::BaseClient
+
+      # @private Authorization header name
+      AUTH_METADATA_KEY = Google::Auth::BaseClient::AUTH_METADATA_KEY
+
+      # @return [String] The token to be sent as a part of Bearer claim
+      attr_reader :token
+      # The following aliasing is needed for BaseClient since it sends :token_type
+      alias bearer_token token
+
+      # @return [Time, nil] The token expiration time provided by the end-user.
+      attr_reader :expires_at
+
+      # @return [String] The universe domain of the universe
+      #   this token is for
+      attr_accessor :universe_domain
+
+      class << self
+        # Create the BearerTokenCredentials.
+        #
+        # @param [Hash] options The credentials options
+        # @option options [String] :token The bearer token to use.
+        # @option options [Time, Numeric, nil] :expires_at The token expiration time provided by the end-user.
+        #   Optional, for the end-user's convenience. Can be a Time object, a number of seconds since epoch.
+        #   If `expires_at` is `nil`, it is treated as "token never expires".
+        # @option options [String] :universe_domain The universe domain of the universe
+        #   this token is for (defaults to googleapis.com)
+        # @return [Google::Auth::BearerTokenCredentials]
+        def make_creds options = {}
+          new options
+        end
+      end
+
+      # Initialize the BearerTokenCredentials.
+      #
+      # @param [Hash] options The credentials options
+      # @option options [String] :token The bearer token to use.
+      # @option options [Time, Numeric, nil] :expires_at The token expiration time provided by the end-user.
+      #   Optional, for the end-user's convenience. Can be a Time object, a number of seconds since epoch.
+      #   If `expires_at` is `nil`, it is treated as "token never expires".
+      # @option options [String] :universe_domain The universe domain of the universe
+      #   this token is for (defaults to googleapis.com)
+      def initialize options = {}
+        raise ArgumentError, "Bearer token must be provided" if options[:token].nil? || options[:token].empty?
+        @token = options[:token]
+        @expires_at = case options[:expires_at]
+                      when Time
+                        options[:expires_at]
+                      when Numeric
+                        Time.at options[:expires_at]
+                      end
+
+        @universe_domain = options[:universe_domain] || "googleapis.com"
+      end
+
+      # Determines if the credentials object has expired.
+      #
+      # @param [Numeric] seconds The optional timeout in seconds.
+      # @return [Boolean] True if the token has expired, false otherwise, or
+      #   if the expires_at was not provided.
+      def expires_within? seconds
+        return false if @expires_at.nil? # Treat nil expiration as "never expires"
+        Time.now + seconds >= @expires_at
+      end
+
+      # Creates a duplicate of these credentials.
+      #
+      # @param [Hash] options Additional options for configuring the credentials
+      # @option options [String] :token The bearer token to use.
+      # @option options [Time, Numeric] :expires_at The token expiration time. Can be a Time
+      #   object or a number of seconds since epoch.
+      # @option options [String] :universe_domain The universe domain (defaults to googleapis.com)
+      # @return [Google::Auth::BearerTokenCredentials]
+      def duplicate options = {}
+        self.class.new(
+          token: options[:token] || @token,
+          expires_at: options[:expires_at] || @expires_at,
+          universe_domain: options[:universe_domain] || @universe_domain
+        )
+      end
+
+      protected
+
+      ##
+      # BearerTokenCredentials do not support fetching a new token.
+      #
+      # If the token has an expiration time and is expired, this method will
+      # raise an error.
+      #
+      # @param [Hash] _options Options for fetching a new token (not used).
+      # @return [nil] Always returns nil.
+      # @raise [StandardError] If the token is expired.
+      def fetch_access_token! _options = {}
+        if @expires_at && Time.now >= @expires_at
+          raise "Bearer token has expired."
+        end
+
+        nil
+      end
+
+      private
+
+      def token_type
+        :bearer_token
+      end
+    end
+  end
+end

data/lib/googleauth/compute_engine.rb

@@ -87,7 +87,7 @@ module Google
       def initialize options = {}
         # Override the constructor to remember whether the universe domain was
         # overridden by a constructor argument.
-        @universe_domain_overridden = options["universe_domain"] || options[:universe_domain] ? true : false
+        @universe_domain_overridden = options["universe_domain"] || options[:universe_domain]
         # TODO: Remove when universe domain metadata endpoint is stable (see b/349488459).
         @disable_universe_domain_check = true
         super options

data/lib/googleauth/credentials_loader.rb

@@ -37,7 +37,7 @@ module Google
       AWS_SESSION_TOKEN_VAR     = "AWS_SESSION_TOKEN".freeze
       GCLOUD_POSIX_COMMAND      = "gcloud".freeze
       GCLOUD_WINDOWS_COMMAND    = "gcloud.cmd".freeze
-      GCLOUD_CONFIG_COMMAND     = "config config-helper --format json --verbosity none".freeze
+      GCLOUD_CONFIG_COMMAND     = "config config-helper --format json --verbosity none --quiet".freeze
 
       CREDENTIALS_FILE_NAME = "application_default_credentials.json".freeze
       NOT_FOUND_ERROR = "Unable to read the credential file specified by #{ENV_VAR}".freeze
@@ -146,7 +146,7 @@ module Google
       def load_gcloud_project_id
         gcloud = GCLOUD_WINDOWS_COMMAND if OS.windows?
         gcloud = GCLOUD_POSIX_COMMAND unless OS.windows?
-        gcloud_json = IO.popen("#{gcloud} #{GCLOUD_CONFIG_COMMAND}", in: :close, err: :close, &:read)
+        gcloud_json = IO.popen("#{gcloud} #{GCLOUD_CONFIG_COMMAND}", err: :close, &:read)
         config = MultiJson.load gcloud_json
         config["configuration"]["properties"]["core"]["project"]
       rescue StandardError

data/lib/googleauth/default_credentials.rb

@@ -16,10 +16,10 @@ require "multi_json"
 require "stringio"
 
 require "googleauth/credentials_loader"
+require "googleauth/external_account"
 require "googleauth/service_account"
+require "googleauth/service_account_jwt_header"
 require "googleauth/user_refresh"
-require "googleauth/external_account"
-require "googleauth/impersonated_service_account"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization

data/lib/googleauth/helpers/connection.rb

@@ -24,7 +24,13 @@ module Google
       module Connection
         module_function
 
-        attr_accessor :default_connection
+        def default_connection
+          @default_connection
+        end
+
+        def default_connection= conn
+          @default_connection = conn
+        end
 
         def connection
           @default_connection || Faraday.default_connection

data/lib/googleauth/service_account.rb

@@ -12,13 +12,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+require "jwt"
+require "multi_json"
+require "stringio"
+
 require "google/logging/message"
 require "googleauth/signet"
 require "googleauth/credentials_loader"
 require "googleauth/json_key_reader"
-require "jwt"
-require "multi_json"
-require "stringio"
+require "googleauth/service_account_jwt_header"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -178,161 +180,5 @@ module Google
         alt.apply! a_hash
       end
     end
-
-    # Authenticates requests using Google's Service Account credentials via
-    # JWT Header.
-    #
-    # This class allows authorizing requests for service accounts directly
-    # from credentials from a json key file downloaded from the developer
-    # console (via 'Generate new Json Key').  It is not part of any OAuth2
-    # flow, rather it creates a JWT and sends that as a credential.
-    #
-    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
-    class ServiceAccountJwtHeaderCredentials
-      JWT_AUD_URI_KEY = :jwt_aud_uri
-      AUTH_METADATA_KEY = Google::Auth::BaseClient::AUTH_METADATA_KEY
-      TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
-      SIGNING_ALGORITHM = "RS256".freeze
-      EXPIRY = 60
-
-      extend CredentialsLoader
-      extend JsonKeyReader
-
-      attr_reader :project_id
-      attr_reader :quota_project_id
-      attr_accessor :universe_domain
-      attr_accessor :logger
-
-      # Create a ServiceAccountJwtHeaderCredentials.
-      #
-      # @param json_key_io [IO] an IO from which the JSON key can be read
-      # @param scope [string|array|nil] the scope(s) to access
-      def self.make_creds options = {}
-        json_key_io, scope = options.values_at :json_key_io, :scope
-        new json_key_io: json_key_io, scope: scope
-      end
-
-      # Initializes a ServiceAccountJwtHeaderCredentials.
-      #
-      # @param json_key_io [IO] an IO from which the JSON key can be read
-      def initialize options = {}
-        json_key_io = options[:json_key_io]
-        if json_key_io
-          @private_key, @issuer, @project_id, @quota_project_id, @universe_domain =
-            self.class.read_json_key json_key_io
-        else
-          @private_key = options.key?(:private_key) ? options[:private_key] : ENV[CredentialsLoader::PRIVATE_KEY_VAR]
-          @issuer = options.key?(:issuer) ? options[:issuer] : ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
-          @project_id = options.key?(:project_id) ? options[:project_id] : ENV[CredentialsLoader::PROJECT_ID_VAR]
-          @quota_project_id = options[:quota_project_id] if options.key? :quota_project_id
-          @universe_domain = options[:universe_domain] if options.key? :universe_domain
-        end
-        @universe_domain ||= "googleapis.com"
-        @project_id ||= CredentialsLoader.load_gcloud_project_id
-        @signing_key = OpenSSL::PKey::RSA.new @private_key
-        @scope = options[:scope] if options.key? :scope
-        @logger = options[:logger] if options.key? :scope
-      end
-
-      # Creates a duplicate of these credentials
-      #
-      # @param options [Hash] Overrides for the credentials parameters.
-      #   The following keys are recognized
-      #   * `private key` the private key in string form
-      #   * `issuer` the SA issuer
-      #   * `scope` the scope(s) to access
-      #   * `project_id` the project id to use during the authentication
-      #   * `quota_project_id` the quota project id to use
-      #   * `universe_domain` the universe domain of the credentials
-      def duplicate options = {}
-        options = deep_hash_normalize options
-
-        options = {
-          private_key: @private_key,
-          issuer: @issuer,
-          scope: @scope,
-          project_id: project_id,
-          quota_project_id: quota_project_id,
-          universe_domain: universe_domain,
-          logger: logger
-        }.merge(options)
-
-        self.class.new options
-      end
-
-      # Construct a jwt token if the JWT_AUD_URI key is present in the input
-      # hash.
-      #
-      # The jwt token is used as the value of a 'Bearer '.
-      def apply! a_hash, opts = {}
-        jwt_aud_uri = a_hash.delete JWT_AUD_URI_KEY
-        return a_hash if jwt_aud_uri.nil? && @scope.nil?
-        jwt_token = new_jwt_token jwt_aud_uri, opts
-        a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
-        logger&.debug do
-          hash = Digest::SHA256.hexdigest jwt_token
-          Google::Logging::Message.from message: "Sending JWT auth token. (sha256:#{hash})"
-        end
-        a_hash
-      end
-
-      # Returns a clone of a_hash updated with the authorization header
-      def apply a_hash, opts = {}
-        a_copy = a_hash.clone
-        apply! a_copy, opts
-        a_copy
-      end
-
-      # Returns a reference to the #apply method, suitable for passing as
-      # a closure
-      def updater_proc
-        proc { |a_hash, opts = {}| apply a_hash, opts }
-      end
-
-      # Creates a jwt uri token.
-      def new_jwt_token jwt_aud_uri = nil, options = {}
-        now = Time.new
-        skew = options[:skew] || 60
-        assertion = {
-          "iss" => @issuer,
-          "sub" => @issuer,
-          "exp" => (now + EXPIRY).to_i,
-          "iat" => (now - skew).to_i
-        }
-
-        jwt_aud_uri = nil if @scope
-
-        assertion["scope"] = Array(@scope).join " " if @scope
-        assertion["aud"] = jwt_aud_uri if jwt_aud_uri
-
-        logger&.debug do
-          Google::Logging::Message.from message: "JWT assertion: #{assertion}"
-        end
-
-        JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
-      end
-
-      # Duck-types the corresponding method from BaseClient
-      def needs_access_token?
-        false
-      end
-
-      private
-
-      def deep_hash_normalize old_hash
-        sym_hash = {}
-        old_hash&.each { |k, v| sym_hash[k.to_sym] = recursive_hash_normalize_keys v }
-        sym_hash
-      end
-
-      # Convert all keys in this hash (nested) to symbols for uniform retrieval
-      def recursive_hash_normalize_keys val
-        if val.is_a? Hash
-          deep_hash_normalize val
-        else
-          val
-        end
-      end
-    end
   end
 end

data/lib/googleauth/service_account_jwt_header.rb

@@ -0,0 +1,180 @@
+# Copyright 2025 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "google/logging/message"
+require "googleauth/credentials_loader"
+require "googleauth/json_key_reader"
+require "jwt"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # Authenticates requests using Google's Service Account credentials via
+    # JWT Header.
+    #
+    # This class allows authorizing requests for service accounts directly
+    # from credentials from a json key file downloaded from the developer
+    # console (via 'Generate new Json Key').  It is not part of any OAuth2
+    # flow, rather it creates a JWT and sends that as a credential.
+    #
+    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
+    class ServiceAccountJwtHeaderCredentials
+      JWT_AUD_URI_KEY = :jwt_aud_uri
+      AUTH_METADATA_KEY = Google::Auth::BaseClient::AUTH_METADATA_KEY
+      TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
+      SIGNING_ALGORITHM = "RS256".freeze
+      EXPIRY = 60
+
+      extend CredentialsLoader
+      extend JsonKeyReader
+
+      attr_reader :project_id
+      attr_reader :quota_project_id
+      attr_accessor :universe_domain
+      attr_accessor :logger
+
+      # Create a ServiceAccountJwtHeaderCredentials.
+      #
+      # @param json_key_io [IO] an IO from which the JSON key can be read
+      # @param scope [string|array|nil] the scope(s) to access
+      def self.make_creds options = {}
+        json_key_io, scope = options.values_at :json_key_io, :scope
+        new json_key_io: json_key_io, scope: scope
+      end
+
+      # Initializes a ServiceAccountJwtHeaderCredentials.
+      #
+      # @param json_key_io [IO] an IO from which the JSON key can be read
+      def initialize options = {}
+        json_key_io = options[:json_key_io]
+        if json_key_io
+          @private_key, @issuer, @project_id, @quota_project_id, @universe_domain =
+            self.class.read_json_key json_key_io
+        else
+          @private_key = options.key?(:private_key) ? options[:private_key] : ENV[CredentialsLoader::PRIVATE_KEY_VAR]
+          @issuer = options.key?(:issuer) ? options[:issuer] : ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
+          @project_id = options.key?(:project_id) ? options[:project_id] : ENV[CredentialsLoader::PROJECT_ID_VAR]
+          @quota_project_id = options[:quota_project_id] if options.key? :quota_project_id
+          @universe_domain = options[:universe_domain] if options.key? :universe_domain
+        end
+        @universe_domain ||= "googleapis.com"
+        @project_id ||= CredentialsLoader.load_gcloud_project_id
+        @signing_key = OpenSSL::PKey::RSA.new @private_key
+        @scope = options[:scope] if options.key? :scope
+        @logger = options[:logger] if options.key? :logger
+      end
+
+      # Creates a duplicate of these credentials
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized
+      #   * `private key` the private key in string form
+      #   * `issuer` the SA issuer
+      #   * `scope` the scope(s) to access
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #   * `universe_domain` the universe domain of the credentials
+      def duplicate options = {}
+        options = deep_hash_normalize options
+
+        options = {
+          private_key: @private_key,
+          issuer: @issuer,
+          scope: @scope,
+          project_id: project_id,
+          quota_project_id: quota_project_id,
+          universe_domain: universe_domain,
+          logger: logger
+        }.merge(options)
+
+        self.class.new options
+      end
+
+      # Construct a jwt token if the JWT_AUD_URI key is present in the input
+      # hash.
+      #
+      # The jwt token is used as the value of a 'Bearer '.
+      def apply! a_hash, opts = {}
+        jwt_aud_uri = a_hash.delete JWT_AUD_URI_KEY
+        return a_hash if jwt_aud_uri.nil? && @scope.nil?
+        jwt_token = new_jwt_token jwt_aud_uri, opts
+        a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
+        logger&.debug do
+          hash = Digest::SHA256.hexdigest jwt_token
+          Google::Logging::Message.from message: "Sending JWT auth token. (sha256:#{hash})"
+        end
+        a_hash
+      end
+
+      # Returns a clone of a_hash updated with the authorization header
+      def apply a_hash, opts = {}
+        a_copy = a_hash.clone
+        apply! a_copy, opts
+        a_copy
+      end
+
+      # Returns a reference to the #apply method, suitable for passing as
+      # a closure
+      def updater_proc
+        proc { |a_hash, opts = {}| apply a_hash, opts }
+      end
+
+      # Creates a jwt uri token.
+      def new_jwt_token jwt_aud_uri = nil, options = {}
+        now = Time.new
+        skew = options[:skew] || 60
+        assertion = {
+          "iss" => @issuer,
+          "sub" => @issuer,
+          "exp" => (now + EXPIRY).to_i,
+          "iat" => (now - skew).to_i
+        }
+
+        jwt_aud_uri = nil if @scope
+
+        assertion["scope"] = Array(@scope).join " " if @scope
+        assertion["aud"] = jwt_aud_uri if jwt_aud_uri
+
+        logger&.debug do
+          Google::Logging::Message.from message: "JWT assertion: #{assertion}"
+        end
+
+        JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
+      end
+
+      # Duck-types the corresponding method from BaseClient
+      def needs_access_token?
+        false
+      end
+
+      private
+
+      def deep_hash_normalize old_hash
+        sym_hash = {}
+        old_hash&.each { |k, v| sym_hash[k.to_sym] = recursive_hash_normalize_keys v }
+        sym_hash
+      end
+
+      # Convert all keys in this hash (nested) to symbols for uniform retrieval
+      def recursive_hash_normalize_keys val
+        if val.is_a? Hash
+          deep_hash_normalize val
+        else
+          val
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/version.rb

@@ -16,6 +16,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "1.13.1".freeze
+    VERSION = "1.14.0".freeze
   end
 end

data/lib/googleauth.rb

@@ -13,9 +13,16 @@
 # limitations under the License.
 
 require "googleauth/application_default"
+require "googleauth/api_key"
+require "googleauth/bearer_token"
 require "googleauth/client_id"
 require "googleauth/credentials"
 require "googleauth/default_credentials"
+require "googleauth/external_account"
 require "googleauth/id_tokens"
+require "googleauth/impersonated_service_account"
+require "googleauth/service_account"
+require "googleauth/service_account_jwt_header"
 require "googleauth/user_authorizer"
+require "googleauth/user_refresh"
 require "googleauth/web_user_authorizer"

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: googleauth
 version: !ruby/object:Gem::Version
-  version: 1.13.1
+  version: 1.14.0
 platform: ruby
 authors:
-- Tim Emiola
+- Google LLC
 bindir: bin
 cert_chain: []
-date: 2025-01-24 00:00:00.000000000 Z
+date: 2025-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -134,7 +134,7 @@ dependencies:
 description: Implements simple authorization for accessing Google APIs, and provides
   support for Application Default Credentials.
 email:
-- temiola@google.com
+- googleapis-packages@google.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -146,8 +146,10 @@ files:
 - README.md
 - SECURITY.md
 - lib/googleauth.rb
+- lib/googleauth/api_key.rb
 - lib/googleauth/application_default.rb
 - lib/googleauth/base_client.rb
+- lib/googleauth/bearer_token.rb
 - lib/googleauth/client_id.rb
 - lib/googleauth/compute_engine.rb
 - lib/googleauth/credentials.rb
@@ -170,6 +172,7 @@ files:
 - lib/googleauth/oauth2/sts_client.rb
 - lib/googleauth/scope_util.rb
 - lib/googleauth/service_account.rb
+- lib/googleauth/service_account_jwt_header.rb
 - lib/googleauth/signet.rb
 - lib/googleauth/stores/file_token_store.rb
 - lib/googleauth/stores/redis_token_store.rb
@@ -192,14 +195,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.7'
+      version: '3.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.6.5
 specification_version: 4
 summary: Google Auth Library for Ruby
 test_files: []