googleauth 1.13.1 → 1.15.0

data/lib/googleauth/iam.rb

@@ -27,8 +27,9 @@ module Google
 
       # Initializes an IAMCredentials.
       #
-      # @param selector the IAM selector.
-      # @param token the IAM token.
+      # @param selector [String] The IAM selector.
+      # @param token [String] The IAM token.
+      # @raise [TypeError] If selector or token is not a String
       def initialize selector, token
         raise TypeError unless selector.is_a? String
         raise TypeError unless token.is_a? String
@@ -37,13 +38,19 @@ module Google
       end
 
       # Adds the credential fields to the hash.
+      #
+      # @param a_hash [Hash] The hash to update with credentials
+      # @return [Hash] The updated hash with credentials
       def apply! a_hash
         a_hash[SELECTOR_KEY] = @selector
         a_hash[TOKEN_KEY] = @token
         a_hash
       end
 
-      # Returns a clone of a_hash updated with the authoriation header
+      # Returns a clone of a_hash updated with the authorization header
+      #
+      # @param a_hash [Hash] The hash to clone and update with credentials
+      # @return [Hash] A new hash with credentials
       def apply a_hash
         a_copy = a_hash.clone
         apply! a_copy
@@ -52,9 +59,18 @@ module Google
 
       # Returns a reference to the #apply method, suitable for passing as
       # a closure
+      #
+      # @return [Proc] A procedure that updates a hash with credentials
       def updater_proc
         proc { |a_hash, _opts = {}| apply a_hash }
       end
+
+      # Returns the IAM authority selector as the principal
+      # @private
+      # @return [String] the IAM authoirty selector
+      def principal
+        @selector
+      end
     end
   end
 end

data/lib/googleauth/id_tokens/errors.rb

@@ -14,6 +14,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+require "googleauth/errors"
+
 
 module Google
   module Auth
@@ -21,35 +23,39 @@ module Google
       ##
       # Failed to obtain keys from the key source.
       #
-      class KeySourceError < StandardError; end
+      class KeySourceError < StandardError
+        include Google::Auth::Error
+      end
 
       ##
       # Failed to verify a token.
       #
-      class VerificationError < StandardError; end
+      class VerificationError < StandardError
+        include Google::Auth::Error
+      end
 
       ##
-      # Failed to verify a token because it is expired.
+      # Failed to verify token because it is expired.
       #
       class ExpiredTokenError < VerificationError; end
 
       ##
-      # Failed to verify a token because its signature did not match.
+      # Failed to verify token because its signature did not match.
       #
       class SignatureError < VerificationError; end
 
       ##
-      # Failed to verify a token because its issuer did not match.
+      # Failed to verify token because its issuer did not match.
       #
       class IssuerMismatchError < VerificationError; end
 
       ##
-      # Failed to verify a token because its audience did not match.
+      # Failed to verify token because its audience did not match.
       #
       class AudienceMismatchError < VerificationError; end
 
       ##
-      # Failed to verify a token because its authorized party did not match.
+      # Failed to verify token because its authorized party did not match.
       #
       class AuthorizedPartyMismatchError < VerificationError; end
     end

data/lib/googleauth/id_tokens/key_sources.rb

@@ -72,8 +72,8 @@ module Google
           #
           # @param jwk [Hash,String] The JWK specification.
           # @return [KeyInfo]
-          # @raise [KeySourceError] If the key could not be extracted from the
-          #     JWK.
+          # @raise [Google::Auth::IDTokens::KeySourceError] If the key could not be extracted from the
+          #     JWK due to invalid type, malformed JSON, or invalid key data.
           #
           def from_jwk jwk
             jwk = symbolize_keys ensure_json_parsed jwk
@@ -94,10 +94,10 @@ module Google
           # Create an array of KeyInfo from a JWK Set, which may be given as
           # either a hash or an unparsed JSON string.
           #
-          # @param jwk [Hash,String] The JWK Set specification.
+          # @param jwk_set [Hash,String] The JWK Set specification.
           # @return [Array<KeyInfo>]
-          # @raise [KeySourceError] If a key could not be extracted from the
-          #     JWK Set.
+          # @raise [Google::Auth::IDTokens::KeySourceError] If a key could not be extracted from the
+          #     JWK Set, or if the set contains no keys.
           #
           def from_jwk_set jwk_set
             jwk_set = symbolize_keys ensure_json_parsed jwk_set
@@ -261,7 +261,8 @@ module Google
         # return the new keys.
         #
         # @return [Array<KeyInfo>]
-        # @raise [KeySourceError] if key retrieval failed.
+        # @raise [Google::Auth::IDTokens::KeySourceError] If key retrieval fails, JSON parsing
+        #     fails, or the data cannot be interpreted as keys
         #
         def refresh_keys
           @monitor.synchronize do
@@ -310,6 +311,11 @@ module Google
 
         protected
 
+        # Interpret JSON data as X509 certificates
+        #
+        # @param data [Hash] The JSON data containing certificate strings
+        # @return [Array<KeyInfo>] Array of key info objects
+        # @raise [Google::Auth::IDTokens::KeySourceError] If X509 certificates cannot be parsed
         def interpret_json data
           data.map do |id, cert_str|
             key = OpenSSL::X509::Certificate.new(cert_str).public_key
@@ -371,7 +377,7 @@ module Google
         # Attempt to refresh keys and return the new keys.
         #
         # @return [Array<KeyInfo>]
-        # @raise [KeySourceError] if key retrieval failed.
+        # @raise [Google::Auth::IDTokens::KeySourceError] If key retrieval failed for any source.
         #
         def refresh_keys
           @sources.flat_map(&:refresh_keys)

data/lib/googleauth/id_tokens/verifier.rb

@@ -61,10 +61,9 @@ module Google
         # @param iss [String,nil] If given, override the `iss` check.
         #
         # @return [Hash] the decoded payload, if verification succeeded.
-        # @raise [KeySourceError] if the key source failed to obtain public keys
-        # @raise [VerificationError] if the token verification failed.
+        # @raise [Google::Auth::IDTokens::KeySourceError] if the key source failed to obtain public keys
+        # @raise [Google::Auth::IDTokens::VerificationError] if the token verification failed.
         #     Additional data may be available in the error subclass and message.
-        #
         def verify token,
                    key_source: :default,
                    aud:        :default,

data/lib/googleauth/id_tokens.rb

@@ -160,8 +160,8 @@ module Google
         #     checking is performed. Default is to check against {OIDC_ISSUERS}.
         #
         # @return [Hash] The decoded token payload.
-        # @raise [KeySourceError] if the key source failed to obtain public keys
-        # @raise [VerificationError] if the token verification failed.
+        # @raise [Google::Auth::IDTokens::KeySourceError] if the key source failed to obtain public keys
+        # @raise [Google::Auth::IDTokens::VerificationError] if the token verification failed.
         #     Additional data may be available in the error subclass and message.
         #
         def verify_oidc token,
@@ -197,8 +197,8 @@ module Google
         #     checking is performed. Default is to check against {IAP_ISSUERS}.
         #
         # @return [Hash] The decoded token payload.
-        # @raise [KeySourceError] if the key source failed to obtain public keys
-        # @raise [VerificationError] if the token verification failed.
+        # @raise [Google::Auth::IDTokens::KeySourceError] if the key source failed to obtain public keys
+        # @raise [Google::Auth::IDTokens::VerificationError] if the token verification failed.
         #     Additional data may be available in the error subclass and message.
         #
         def verify_iap token,

data/lib/googleauth/impersonated_service_account.rb

@@ -12,8 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "googleauth/signet"
 require "googleauth/base_client"
+require "googleauth/errors"
 require "googleauth/helpers/connection"
 
 module Google
@@ -191,6 +191,20 @@ module Google
         self.class.new options
       end
 
+      # The principal behind the credentials. This class allows custom source credentials type
+      # that might not implement `principal`, in which case `:unknown` is returned.
+      #
+      # @private
+      # @return [String, Symbol] The string representation of the principal,
+      #     the token type in lieu of the principal, or :unknown if source principal is unknown.
+      def principal
+        if @source_credentials.respond_to? :principal
+          @source_credentials.principal
+        else
+          :unknown
+        end
+      end
+
       private
 
       # Generates a new impersonation access token by exchanging the source credentials' token
@@ -200,21 +214,16 @@ module Google
       # for an impersonation token using the specified impersonation URL. The generated token and
       # its expiration time are cached for subsequent use.
       #
+      # @private
       # @param _options [Hash] (optional) Additional options for token retrieval (currently unused).
       #
-      # @raise [Signet::UnexpectedStatusError] If the response status is 403 or 500.
-      # @raise [Signet::AuthorizationError] For other unexpected response statuses.
+      # @raise [Google::Auth::UnexpectedStatusError] If the response status is 403 or 500.
+      # @raise [Google::Auth::AuthorizationError] For other unexpected response statuses.
       #
       # @return [String] The newly generated impersonation access token.
       def fetch_access_token! _options = {}
-        auth_header = {}
-        auth_header = @source_credentials.updater_proc.call auth_header
-
-        resp = connection.post @impersonation_url do |req|
-          req.headers.merge! auth_header
-          req.headers["Content-Type"] = "application/json"
-          req.body = MultiJson.dump({ scope: @scope })
-        end
+        auth_header = prepare_auth_header
+        resp = make_impersonation_request auth_header
 
         case resp.status
         when 200
@@ -223,14 +232,51 @@ module Google
           @access_token = response["accessToken"]
           access_token
         when 403, 500
-          msg = "Unexpected error code #{resp.status}.\n #{resp.env.response_body} #{ERROR_SUFFIX}"
-          raise Signet::UnexpectedStatusError, msg
+          handle_error_response resp, UnexpectedStatusError
         else
-          msg = "Unexpected error code #{resp.status}.\n #{resp.env.response_body} #{ERROR_SUFFIX}"
-          raise Signet::AuthorizationError, msg
+          handle_error_response resp, AuthorizationError
+        end
+      end
+
+      # Prepares the authorization header for the impersonation request
+      # by fetching a token from source credentials.
+      #
+      # @private
+      # @return [Hash] The authorization header with the source credentials' token
+      def prepare_auth_header
+        auth_header = {}
+        @source_credentials.updater_proc.call auth_header
+        auth_header
+      end
+
+      # Makes the HTTP request to the impersonation endpoint.
+      #
+      # @private
+      # @param [Hash] auth_header The authorization header containing the source token
+      # @return [Faraday::Response] The HTTP response from the impersonation endpoint
+      def make_impersonation_request auth_header
+        connection.post @impersonation_url do |req|
+          req.headers.merge! auth_header
+          req.headers["Content-Type"] = "application/json"
+          req.body = MultiJson.dump({ scope: @scope })
         end
       end
 
+      # Creates and raises an appropriate error based on the response.
+      #
+      # @private
+      # @param [Faraday::Response] resp The HTTP response
+      # @param [Class] error_class The error class to instantiate
+      # @raise [StandardError] The appropriate error with details
+      def handle_error_response resp, error_class
+        msg = "Unexpected error code #{resp.status}.\n #{resp.env.response_body} #{ERROR_SUFFIX}"
+        raise error_class.with_details(
+          msg,
+          credential_type_name: self.class.name,
+          principal: principal
+        )
+      end
+
       # Setter for the expires_at value that makes sure it is converted
       # to Time object.
       def expires_at= new_expires_at
@@ -249,7 +295,7 @@ module Google
       #
       # @return [Time, nil] The normalized Time object, or nil if the input is nil.
       #
-      # @raise [RuntimeError] If the input is not a Time, String, or nil.
+      # @raise [Google::Auth::CredentialsError] If the input is not a Time, String, or nil.
       def normalize_timestamp time
         case time
         when NilClass
@@ -259,7 +305,8 @@ module Google
         when String
           Time.parse time
         else
-          raise "Invalid time value #{time}"
+          message = "Invalid time value #{time}"
+          raise CredentialsError.with_details(message, credential_type_name: self.class.name, principal: principal)
         end
       end
 

data/lib/googleauth/json_key_reader.rb

@@ -12,6 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+require "googleauth/errors"
+
 module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
@@ -19,10 +21,17 @@ module Google
     # JsonKeyReader contains the behaviour used to read private key and
     # client email fields from the service account
     module JsonKeyReader
+      # Reads a JSON key from an IO object and extracts common fields.
+      #
+      # @param json_key_io [IO] An IO object containing the JSON key
+      # @return [Array(String, String, String, String, String)] An array containing:
+      #   private_key, client_email, project_id, quota_project_id, and universe_domain
+      # @raise [Google::Auth::InitializationError] If client_email or private_key
+      #   fields are missing from the JSON
       def read_json_key json_key_io
         json_key = MultiJson.load json_key_io.read
-        raise "missing client_email" unless json_key.key? "client_email"
-        raise "missing private_key" unless json_key.key? "private_key"
+        raise InitializationError, "missing client_email" unless json_key.key? "client_email"
+        raise InitializationError, "missing private_key" unless json_key.key? "private_key"
         [
           json_key["private_key"],
           json_key["client_email"],

data/lib/googleauth/oauth2/sts_client.rb

@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+require "googleauth/errors"
 require "googleauth/helpers/connection"
 
 module Google
@@ -36,10 +37,12 @@ module Google
 
         # Create a new instance of the STSClient.
         #
-        # @param [String] token_exchange_endpoint
-        #  The token exchange endpoint.
+        # @param [Hash] options Configuration options
+        # @option options [String] :token_exchange_endpoint The token exchange endpoint
+        # @option options [Faraday::Connection] :connection The Faraday connection to use
+        # @raise [Google::Auth::InitializationError] If token_exchange_endpoint is nil
         def initialize options = {}
-          raise "Token exchange endpoint can not be nil" if options[:token_exchange_endpoint].nil?
+          raise InitializationError, "Token exchange endpoint can not be nil" if options[:token_exchange_endpoint].nil?
           self.default_connection = options[:connection]
           @token_exchange_endpoint = options[:token_exchange_endpoint]
         end
@@ -67,6 +70,8 @@ module Google
         #   The optional additional headers to pass to the token exchange endpoint.
         #
         # @return [Hash] A hash containing the token exchange response.
+        # @raise [ArgumentError] If required options are missing
+        # @raise [Google::Auth::AuthorizationError] If the token exchange request fails
         def exchange_token options = {}
           missing_required_opts = [:grant_type, :subject_token, :subject_token_type] - options.keys
           unless missing_required_opts.empty?
@@ -81,7 +86,7 @@ module Google
           response = connection.post @token_exchange_endpoint, URI.encode_www_form(request_body), headers
 
           if response.status != 200
-            raise "Token exchange failed with status #{response.status}"
+            raise AuthorizationError, "Token exchange failed with status #{response.status}"
           end
 
           MultiJson.load response.body

data/lib/googleauth/scope_util.rb

@@ -57,7 +57,7 @@ module Google
       #
       # @param scope [String,Array<String>] Input scope(s)
       # @return [Array<String>] Always an array of strings
-      # @raise ArgumentError If the input is not a string or array of strings
+      # @raise [ArgumentError] If the input is not a string or array of strings
       #
       def self.as_array scope
         case scope

data/lib/googleauth/service_account.rb

@@ -12,13 +12,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+require "jwt"
+require "multi_json"
+require "stringio"
+
 require "google/logging/message"
 require "googleauth/signet"
 require "googleauth/credentials_loader"
 require "googleauth/json_key_reader"
-require "jwt"
-require "multi_json"
-require "stringio"
+require "googleauth/service_account_jwt_header"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -49,8 +51,9 @@ module Google
 
       # Creates a ServiceAccountCredentials.
       #
-      # @param json_key_io [IO] an IO from which the JSON key can be read
+      # @param json_key_io [IO] An IO object containing the JSON key
       # @param scope [string|array|nil] the scope(s) to access
+      # @raise [ArgumentError] If both scope and target_audience are specified
       def self.make_creds options = {}
         json_key_io, scope, enable_self_signed_jwt, target_audience, audience, token_credential_uri =
           options.values_at :json_key_io, :scope, :enable_self_signed_jwt, :target_audience,
@@ -108,6 +111,9 @@ module Google
       # Handles certain escape sequences that sometimes appear in input.
       # Specifically, interprets the "\n" sequence for newline, and removes
       # enclosing quotes.
+      #
+      # @param str [String] The string to unescape
+      # @return [String] The unescaped string
       def self.unescape str
         str = str.gsub '\n', "\n"
         str = str[1..-2] if str.start_with?('"') && str.end_with?('"')
@@ -162,6 +168,13 @@ module Google
         self
       end
 
+      # Returns the client email as the principal for service account credentials
+      # @private
+      # @return [String] the email address of the service account
+      def principal
+        @issuer
+      end
+
       private
 
       def apply_self_signed_jwt! a_hash
@@ -178,161 +191,5 @@ module Google
         alt.apply! a_hash
       end
     end
-
-    # Authenticates requests using Google's Service Account credentials via
-    # JWT Header.
-    #
-    # This class allows authorizing requests for service accounts directly
-    # from credentials from a json key file downloaded from the developer
-    # console (via 'Generate new Json Key').  It is not part of any OAuth2
-    # flow, rather it creates a JWT and sends that as a credential.
-    #
-    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
-    class ServiceAccountJwtHeaderCredentials
-      JWT_AUD_URI_KEY = :jwt_aud_uri
-      AUTH_METADATA_KEY = Google::Auth::BaseClient::AUTH_METADATA_KEY
-      TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
-      SIGNING_ALGORITHM = "RS256".freeze
-      EXPIRY = 60
-
-      extend CredentialsLoader
-      extend JsonKeyReader
-
-      attr_reader :project_id
-      attr_reader :quota_project_id
-      attr_accessor :universe_domain
-      attr_accessor :logger
-
-      # Create a ServiceAccountJwtHeaderCredentials.
-      #
-      # @param json_key_io [IO] an IO from which the JSON key can be read
-      # @param scope [string|array|nil] the scope(s) to access
-      def self.make_creds options = {}
-        json_key_io, scope = options.values_at :json_key_io, :scope
-        new json_key_io: json_key_io, scope: scope
-      end
-
-      # Initializes a ServiceAccountJwtHeaderCredentials.
-      #
-      # @param json_key_io [IO] an IO from which the JSON key can be read
-      def initialize options = {}
-        json_key_io = options[:json_key_io]
-        if json_key_io
-          @private_key, @issuer, @project_id, @quota_project_id, @universe_domain =
-            self.class.read_json_key json_key_io
-        else
-          @private_key = options.key?(:private_key) ? options[:private_key] : ENV[CredentialsLoader::PRIVATE_KEY_VAR]
-          @issuer = options.key?(:issuer) ? options[:issuer] : ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
-          @project_id = options.key?(:project_id) ? options[:project_id] : ENV[CredentialsLoader::PROJECT_ID_VAR]
-          @quota_project_id = options[:quota_project_id] if options.key? :quota_project_id
-          @universe_domain = options[:universe_domain] if options.key? :universe_domain
-        end
-        @universe_domain ||= "googleapis.com"
-        @project_id ||= CredentialsLoader.load_gcloud_project_id
-        @signing_key = OpenSSL::PKey::RSA.new @private_key
-        @scope = options[:scope] if options.key? :scope
-        @logger = options[:logger] if options.key? :scope
-      end
-
-      # Creates a duplicate of these credentials
-      #
-      # @param options [Hash] Overrides for the credentials parameters.
-      #   The following keys are recognized
-      #   * `private key` the private key in string form
-      #   * `issuer` the SA issuer
-      #   * `scope` the scope(s) to access
-      #   * `project_id` the project id to use during the authentication
-      #   * `quota_project_id` the quota project id to use
-      #   * `universe_domain` the universe domain of the credentials
-      def duplicate options = {}
-        options = deep_hash_normalize options
-
-        options = {
-          private_key: @private_key,
-          issuer: @issuer,
-          scope: @scope,
-          project_id: project_id,
-          quota_project_id: quota_project_id,
-          universe_domain: universe_domain,
-          logger: logger
-        }.merge(options)
-
-        self.class.new options
-      end
-
-      # Construct a jwt token if the JWT_AUD_URI key is present in the input
-      # hash.
-      #
-      # The jwt token is used as the value of a 'Bearer '.
-      def apply! a_hash, opts = {}
-        jwt_aud_uri = a_hash.delete JWT_AUD_URI_KEY
-        return a_hash if jwt_aud_uri.nil? && @scope.nil?
-        jwt_token = new_jwt_token jwt_aud_uri, opts
-        a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
-        logger&.debug do
-          hash = Digest::SHA256.hexdigest jwt_token
-          Google::Logging::Message.from message: "Sending JWT auth token. (sha256:#{hash})"
-        end
-        a_hash
-      end
-
-      # Returns a clone of a_hash updated with the authorization header
-      def apply a_hash, opts = {}
-        a_copy = a_hash.clone
-        apply! a_copy, opts
-        a_copy
-      end
-
-      # Returns a reference to the #apply method, suitable for passing as
-      # a closure
-      def updater_proc
-        proc { |a_hash, opts = {}| apply a_hash, opts }
-      end
-
-      # Creates a jwt uri token.
-      def new_jwt_token jwt_aud_uri = nil, options = {}
-        now = Time.new
-        skew = options[:skew] || 60
-        assertion = {
-          "iss" => @issuer,
-          "sub" => @issuer,
-          "exp" => (now + EXPIRY).to_i,
-          "iat" => (now - skew).to_i
-        }
-
-        jwt_aud_uri = nil if @scope
-
-        assertion["scope"] = Array(@scope).join " " if @scope
-        assertion["aud"] = jwt_aud_uri if jwt_aud_uri
-
-        logger&.debug do
-          Google::Logging::Message.from message: "JWT assertion: #{assertion}"
-        end
-
-        JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
-      end
-
-      # Duck-types the corresponding method from BaseClient
-      def needs_access_token?
-        false
-      end
-
-      private
-
-      def deep_hash_normalize old_hash
-        sym_hash = {}
-        old_hash&.each { |k, v| sym_hash[k.to_sym] = recursive_hash_normalize_keys v }
-        sym_hash
-      end
-
-      # Convert all keys in this hash (nested) to symbols for uniform retrieval
-      def recursive_hash_normalize_keys val
-        if val.is_a? Hash
-          deep_hash_normalize val
-        else
-          val
-        end
-      end
-    end
   end
 end