googleauth 1.2.0 → 1.11.0

data/lib/googleauth/id_tokens/key_sources.rb

@@ -130,13 +130,8 @@ module Google
             end
             n_bn = OpenSSL::BN.new n_data, 2
             e_bn = OpenSSL::BN.new e_data, 2
-            rsa_key = OpenSSL::PKey::RSA.new
-            if rsa_key.respond_to? :set_key
-              rsa_key.set_key n_bn, e_bn, nil
-            else
-              rsa_key.n = n_bn
-              rsa_key.e = e_bn
-            end
+            sequence = [OpenSSL::ASN1::Integer.new(n_bn), OpenSSL::ASN1::Integer.new(e_bn)]
+            rsa_key =  OpenSSL::PKey::RSA.new OpenSSL::ASN1::Sequence(sequence).to_der
             rsa_key.public_key
           end
 
@@ -161,9 +156,13 @@ module Google
             x_hex = x_data.unpack1 "H*"
             y_hex = y_data.unpack1 "H*"
             bn = OpenSSL::BN.new ["04#{x_hex}#{y_hex}"].pack("H*"), 2
-            key = OpenSSL::PKey::EC.new curve_name
-            key.public_key = OpenSSL::PKey::EC::Point.new group, bn
-            key
+            point =  OpenSSL::PKey::EC::Point.new group, bn
+            sequence = OpenSSL::ASN1::Sequence([
+                                                 OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
+                                                                          OpenSSL::ASN1::ObjectId(curve_name)]),
+                                                 OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed))
+                                               ])
+            OpenSSL::PKey::EC.new sequence.to_der
           end
         end
       end

data/lib/googleauth/id_tokens.rb

@@ -153,7 +153,7 @@ module Google
         #     one of the provided values, or the verification will fail with
         #     {Google::Auth::IDToken::AuthorizedPartyMismatchError}. If `nil`
         #     (the default), no azp checking is performed.
-        # @param aud [String,Array<String>,nil] The expected audience. At least
+        # @param iss [String,Array<String>,nil] The expected issuer. At least
         #     one `iss` field in the token must match at least one of the
         #     provided issuers, or the verification will fail with
         #     {Google::Auth::IDToken::IssuerMismatchError}. If `nil`, no issuer
@@ -191,7 +191,7 @@ module Google
         #     one of the provided values, or the verification will fail with
         #     {Google::Auth::IDToken::AuthorizedPartyMismatchError}. If `nil`
         #     (the default), no azp checking is performed.
-        # @param aud [String,Array<String>,nil] The expected audience. At least
+        # @param iss [String,Array<String>,nil] The expected issuer. At least
         #     one `iss` field in the token must match at least one of the
         #     provided issuers, or the verification will fail with
         #     {Google::Auth::IDToken::IssuerMismatchError}. If `nil`, no issuer

data/lib/googleauth/json_key_reader.rb

@@ -27,7 +27,8 @@ module Google
           json_key["private_key"],
           json_key["client_email"],
           json_key["project_id"],
-          json_key["quota_project_id"]
+          json_key["quota_project_id"],
+          json_key["universe_domain"]
         ]
       end
     end

data/lib/googleauth/oauth2/sts_client.rb

@@ -0,0 +1,109 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "googleauth/helpers/connection"
+
+module Google
+  module Auth
+    module OAuth2
+      # OAuth 2.0 Token Exchange Spec.
+      # This module defines a token exchange utility based on the
+      # [OAuth 2.0 Token Exchange](https://tools.ietf.org/html/rfc8693) spec. This will be mainly
+      # used to exchange external credentials for GCP access tokens in workload identity pools to
+      # access Google APIs.
+      # The implementation will support various types of client authentication as allowed in the spec.
+      #
+      # A deviation on the spec will be for additional Google specific options that cannot be easily
+      # mapped to parameters defined in the RFC.
+      # The returned dictionary response will be based on the [rfc8693 section 2.2.1]
+      # (https://tools.ietf.org/html/rfc8693#section-2.2.1) spec JSON response.
+      #
+      class STSClient
+        include Helpers::Connection
+
+        URLENCODED_HEADERS = { "Content-Type": "application/x-www-form-urlencoded" }.freeze
+
+        # Create a new instance of the STSClient.
+        #
+        # @param [String] token_exchange_endpoint
+        #  The token exchange endpoint.
+        def initialize options = {}
+          raise "Token exchange endpoint can not be nil" if options[:token_exchange_endpoint].nil?
+          self.default_connection = options[:connection]
+          @token_exchange_endpoint = options[:token_exchange_endpoint]
+        end
+
+        # Exchanges the provided token for another type of token based on the
+        # rfc8693 spec
+        #
+        # @param [Faraday instance] connection
+        # A callable faraday instance used to make HTTP requests.
+        # @param [String] grant_type
+        #   The OAuth 2.0 token exchange grant type.
+        # @param [String] subject_token
+        #   The OAuth 2.0 token exchange subject token.
+        # @param [String] subject_token_type
+        #   The OAuth 2.0 token exchange subject token type.
+        # @param [String] resource
+        #   The optional OAuth 2.0 token exchange resource field.
+        # @param [String] audience
+        #   The optional OAuth 2.0 token exchange audience field.
+        # @param [Array<String>] scopes
+        #   The optional list of scopes to use.
+        # @param [String] requested_token_type
+        #   The optional OAuth 2.0 token exchange requested token type.
+        # @param additional_headers (Hash<String,String>):
+        #   The optional additional headers to pass to the token exchange endpoint.
+        #
+        # @return [Hash] A hash containing the token exchange response.
+        def exchange_token options = {}
+          missing_required_opts = [:grant_type, :subject_token, :subject_token_type] - options.keys
+          unless missing_required_opts.empty?
+            raise ArgumentError, "Missing required options: #{missing_required_opts.join ', '}"
+          end
+
+          # TODO: Add the ability to add authentication to the headers
+          headers = URLENCODED_HEADERS.dup.merge(options[:additional_headers] || {})
+
+          request_body = make_request options
+
+          response = connection.post @token_exchange_endpoint, URI.encode_www_form(request_body), headers
+
+          if response.status != 200
+            raise "Token exchange failed with status #{response.status}"
+          end
+
+          MultiJson.load response.body
+        end
+
+        private
+
+        def make_request options = {}
+          request_body = {
+            grant_type: options[:grant_type],
+            audience: options[:audience],
+            scope: Array(options[:scopes])&.join(" ") || [],
+            requested_token_type: options[:requested_token_type],
+            subject_token: options[:subject_token],
+            subject_token_type: options[:subject_token_type]
+          }
+          unless options[:additional_options].nil?
+            request_body[:options] = CGI.escape MultiJson.dump(options[:additional_options], symbolize_name: true)
+          end
+          request_body
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/scope_util.rb

@@ -18,27 +18,60 @@ require "multi_json"
 
 module Google
   module Auth
-    # Small utility for normalizing scopes into canonical form
+    ##
+    # Small utility for normalizing scopes into canonical form.
+    #
+    # The canonical form of scopes is as an array of strings, each in the form
+    # of a full URL. This utility converts space-delimited scope strings into
+    # this form, and handles a small number of common aliases.
+    #
+    # This is used by UserRefreshCredentials to verify that a credential grants
+    # a requested scope.
+    #
     module ScopeUtil
+      ##
+      # Aliases understood by this utility
+      #
       ALIASES = {
         "email"   => "https://www.googleapis.com/auth/userinfo.email",
         "profile" => "https://www.googleapis.com/auth/userinfo.profile",
         "openid"  => "https://www.googleapis.com/auth/plus.me"
       }.freeze
 
+      ##
+      # Normalize the input, which may be an array of scopes or a whitespace-
+      # delimited scope string. The output is always an array, even if a single
+      # scope is input.
+      #
+      # @param scope [String,Array<String>] Input scope(s)
+      # @return [Array<String>] An array of scopes in canonical form.
+      #
       def self.normalize scope
         list = as_array scope
         list.map { |item| ALIASES[item] || item }
       end
 
+      ##
+      # Ensure the input is an array. If a single string is passed in, splits
+      # it via whitespace. Does not interpret aliases.
+      #
+      # @param scope [String,Array<String>] Input scope(s)
+      # @return [Array<String>] Always an array of strings
+      # @raise ArgumentError If the input is not a string or array of strings
+      #
       def self.as_array scope
         case scope
         when Array
+          scope.each do |item|
+            unless item.is_a? String
+              raise ArgumentError, "Invalid scope value: #{item.inspect}. Must be string or array"
+            end
+          end
           scope
         when String
           scope.split
         else
-          raise "Invalid scope value. Must be string or array"
+          raise ArgumentError, "Invalid scope value: #{scope.inspect}. Must be string or array"
         end
       end
     end

data/lib/googleauth/service_account.rb

@@ -39,7 +39,11 @@ module Google
       attr_reader :quota_project_id
 
       def enable_self_signed_jwt?
-        @enable_self_signed_jwt
+        # Use a self-singed JWT if there's no information that can be used to
+        # obtain an OAuth token, OR if there are scopes but also an assertion
+        # that they are default scopes that shouldn't be used to fetch a token,
+        # OR we are not in the default universe and thus OAuth isn't supported.
+        target_audience.nil? && (scope.nil? || @enable_self_signed_jwt || universe_domain != "googleapis.com")
       end
 
       # Creates a ServiceAccountCredentials.
@@ -53,12 +57,13 @@ module Google
         raise ArgumentError, "Cannot specify both scope and target_audience" if scope && target_audience
 
         if json_key_io
-          private_key, client_email, project_id, quota_project_id = read_json_key json_key_io
+          private_key, client_email, project_id, quota_project_id, universe_domain = read_json_key json_key_io
         else
           private_key = unescape ENV[CredentialsLoader::PRIVATE_KEY_VAR]
           client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
           project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
           quota_project_id = nil
+          universe_domain = nil
         end
         project_id ||= CredentialsLoader.load_gcloud_project_id
 
@@ -70,7 +75,8 @@ module Google
             issuer:                 client_email,
             signing_key:            OpenSSL::PKey::RSA.new(private_key),
             project_id:             project_id,
-            quota_project_id:       quota_project_id)
+            quota_project_id:       quota_project_id,
+            universe_domain:        universe_domain || "googleapis.com")
           .configure_connection(options)
       end
 
@@ -93,16 +99,18 @@ module Google
       # Extends the base class to use a transient
       # ServiceAccountJwtHeaderCredentials for certain cases.
       def apply! a_hash, opts = {}
-        # Use a self-singed JWT if there's no information that can be used to
-        # obtain an OAuth token, OR if there are scopes but also an assertion
-        # that they are default scopes that shouldn't be used to fetch a token.
-        if target_audience.nil? && (scope.nil? || enable_self_signed_jwt?)
+        if enable_self_signed_jwt?
           apply_self_signed_jwt! a_hash
         else
           super
         end
       end
 
+      # Modifies this logic so it also requires self-signed-jwt to be disabled
+      def needs_access_token?
+        super && !enable_self_signed_jwt?
+      end
+
       private
 
       def apply_self_signed_jwt! a_hash
@@ -130,7 +138,7 @@ module Google
     # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
     class ServiceAccountJwtHeaderCredentials
       JWT_AUD_URI_KEY = :jwt_aud_uri
-      AUTH_METADATA_KEY = Signet::OAuth2::AUTH_METADATA_KEY
+      AUTH_METADATA_KEY = Google::Auth::BaseClient::AUTH_METADATA_KEY
       TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
       SIGNING_ALGORITHM = "RS256".freeze
       EXPIRY = 60
@@ -138,6 +146,7 @@ module Google
       extend JsonKeyReader
       attr_reader :project_id
       attr_reader :quota_project_id
+      attr_accessor :universe_domain
 
       # Create a ServiceAccountJwtHeaderCredentials.
       #
@@ -154,14 +163,16 @@ module Google
       def initialize options = {}
         json_key_io = options[:json_key_io]
         if json_key_io
-          @private_key, @issuer, @project_id, @quota_project_id =
+          @private_key, @issuer, @project_id, @quota_project_id, @universe_domain =
             self.class.read_json_key json_key_io
         else
           @private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
           @issuer = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
           @project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
           @quota_project_id = nil
+          @universe_domain = nil
         end
+        @universe_domain ||= "googleapis.com"
         @project_id ||= CredentialsLoader.load_gcloud_project_id
         @signing_key = OpenSSL::PKey::RSA.new @private_key
         @scope = options[:scope]
@@ -192,8 +203,6 @@ module Google
         proc { |a_hash, opts = {}| apply a_hash, opts }
       end
 
-      protected
-
       # Creates a jwt uri token.
       def new_jwt_token jwt_aud_uri = nil, options = {}
         now = Time.new
@@ -212,6 +221,11 @@ module Google
 
         JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
       end
+
+      # Duck-types the corresponding method from BaseClient
+      def needs_access_token?
+        false
+      end
     end
   end
 end

data/lib/googleauth/signet.rb

@@ -13,16 +13,27 @@
 # limitations under the License.
 
 require "signet/oauth_2/client"
+require "googleauth/base_client"
 
 module Signet
   # OAuth2 supports OAuth2 authentication.
   module OAuth2
-    AUTH_METADATA_KEY = :authorization
     # Signet::OAuth2::Client creates an OAuth2 client
     #
     # This reopens Client to add #apply and #apply! methods which update a
     # hash with the fetched authentication token.
     class Client
+      include Google::Auth::BaseClient
+
+      alias update_token_signet_base update_token!
+
+      def update_token! options = {}
+        options = deep_hash_normalize options
+        update_token_signet_base options
+        self.universe_domain = options[:universe_domain] if options.key? :universe_domain
+        self
+      end
+
       def configure_connection options
         @connection_info =
           options[:connection_builder] || options[:default_connection]
@@ -34,36 +45,8 @@ module Signet
         target_audience ? :id_token : :access_token
       end
 
-      # Whether the id_token or access_token is missing or about to expire.
-      def needs_access_token?
-        send(token_type).nil? || expires_within?(60)
-      end
-
-      # Updates a_hash updated with the authentication token
-      def apply! a_hash, opts = {}
-        # fetch the access token there is currently not one, or if the client
-        # has expired
-        fetch_access_token! opts if needs_access_token?
-        a_hash[AUTH_METADATA_KEY] = "Bearer #{send token_type}"
-      end
-
-      # Returns a clone of a_hash updated with the authentication token
-      def apply a_hash, opts = {}
-        a_copy = a_hash.clone
-        apply! a_copy, opts
-        a_copy
-      end
-
-      # Returns a reference to the #apply method, suitable for passing as
-      # a closure
-      def updater_proc
-        proc { |a_hash, opts = {}| apply a_hash, opts }
-      end
-
-      def on_refresh &block
-        @refresh_listeners = [] unless defined? @refresh_listeners
-        @refresh_listeners << block
-      end
+      # Set the universe domain
+      attr_accessor :universe_domain
 
       alias orig_fetch_access_token! fetch_access_token!
       def fetch_access_token! options = {}
@@ -78,13 +61,6 @@ module Signet
         info
       end
 
-      def notify_refresh_listeners
-        listeners = defined?(@refresh_listeners) ? @refresh_listeners : []
-        listeners.each do |block|
-          block.call self
-        end
-      end
-
       def build_default_connection
         if !defined?(@connection_info)
           nil

data/lib/googleauth/user_authorizer.rb

@@ -16,6 +16,7 @@ require "uri"
 require "multi_json"
 require "googleauth/signet"
 require "googleauth/user_refresh"
+require "securerandom"
 
 module Google
   module Auth
@@ -54,17 +55,26 @@ module Google
       #  Authorization scope to request
       # @param [Google::Auth::Stores::TokenStore] token_store
       #  Backing storage for persisting user credentials
-      # @param [String] callback_uri
+      # @param [String] legacy_callback_uri
       #  URL (either absolute or relative) of the auth callback.
-      #  Defaults to '/oauth2callback'
-      def initialize client_id, scope, token_store, callback_uri = nil
+      #  Defaults to '/oauth2callback'.
+      #  @deprecated This field is deprecated. Instead, use the keyword
+      #   argument callback_uri.
+      # @param [String] code_verifier
+      #  Random string of 43-128 chars used to verify the key exchange using
+      #  PKCE.
+      def initialize client_id, scope, token_store,
+                     legacy_callback_uri = nil,
+                     callback_uri: nil,
+                     code_verifier: nil
         raise NIL_CLIENT_ID_ERROR if client_id.nil?
         raise NIL_SCOPE_ERROR if scope.nil?
 
         @client_id = client_id
         @scope = Array(scope)
         @token_store = token_store
-        @callback_uri = callback_uri || "/oauth2callback"
+        @callback_uri = legacy_callback_uri || callback_uri || "/oauth2callback"
+        @code_verifier = code_verifier
       end
 
       # Build the URL for requesting authorization.
@@ -80,14 +90,29 @@ module Google
       # @param [String, Array<String>] scope
       #  Authorization scope to request. Overrides the instance scopes if not
       #  nil.
+      # @param [Hash] additional_parameters
+      #  Additional query parameters to be added to the authorization URL.
       # @return [String]
       #  Authorization url
       def get_authorization_url options = {}
         scope = options[:scope] || @scope
+
+        options[:additional_parameters] ||= {}
+
+        if @code_verifier
+          options[:additional_parameters].merge!(
+            {
+              code_challenge: generate_code_challenge(@code_verifier),
+              code_challenge_method: code_challenge_method
+            }
+          )
+        end
+
         credentials = UserRefreshCredentials.new(
           client_id:     @client_id.id,
           client_secret: @client_id.secret,
-          scope:         scope
+          scope:         scope,
+          additional_parameters: options[:additional_parameters]
         )
         redirect_uri = redirect_uri_for options[:base_url]
         url = credentials.authorization_uri(access_type:            "offline",
@@ -144,6 +169,9 @@ module Google
       #  Absolute URL to resolve the configured callback uri against.
       #  Required if the configured
       #  callback uri is a relative.
+      # @param [Hash] additional_parameters
+      #  Additional parameters to be added to the post body of token
+      #  endpoint request.
       # @return [Google::Auth::UserRefreshCredentials]
       #  Credentials if exchange is successful
       def get_credentials_from_code options = {}
@@ -151,11 +179,14 @@ module Google
         code = options[:code]
         scope = options[:scope] || @scope
         base_url = options[:base_url]
+        options[:additional_parameters] ||= {}
+        options[:additional_parameters].merge!({ code_verifier: @code_verifier })
         credentials = UserRefreshCredentials.new(
-          client_id:     @client_id.id,
-          client_secret: @client_id.secret,
-          redirect_uri:  redirect_uri_for(base_url),
-          scope:         scope
+          client_id:             @client_id.id,
+          client_secret:         @client_id.secret,
+          redirect_uri:          redirect_uri_for(base_url),
+          scope:                 scope,
+          additional_parameters: options[:additional_parameters]
         )
         credentials.code = code
         credentials.fetch_access_token!({})
@@ -221,6 +252,23 @@ module Google
         credentials
       end
 
+      # The code verifier for PKCE for OAuth 2.0. When set, the
+      # authorization URI will contain the Code Challenge and Code
+      # Challenge Method querystring parameters, and the token URI will
+      # contain the Code Verifier parameter.
+      #
+      # @param [String|nil] new_code_erifier
+      def code_verifier= new_code_verifier
+        @code_verifier = new_code_verifier
+      end
+
+      # Generate the code verifier needed to be sent while fetching
+      # authorization URL.
+      def self.generate_code_verifier
+        random_number = rand 32..96
+        SecureRandom.alphanumeric random_number
+      end
+
       private
 
       # @private Fetch stored token with given user_id
@@ -265,6 +313,15 @@ module Google
       def uri_is_postmessage? uri
         uri.to_s.casecmp("postmessage").zero?
       end
+
+      def generate_code_challenge code_verifier
+        digest = Digest::SHA256.digest code_verifier
+        Base64.urlsafe_encode64 digest, padding: false
+      end
+
+      def code_challenge_method
+        "S256"
+      end
     end
   end
 end

data/lib/googleauth/user_refresh.rb

@@ -50,7 +50,8 @@ module Google
           "client_secret" => ENV[CredentialsLoader::CLIENT_SECRET_VAR],
           "refresh_token" => ENV[CredentialsLoader::REFRESH_TOKEN_VAR],
           "project_id"    => ENV[CredentialsLoader::PROJECT_ID_VAR],
-          "quota_project_id" => nil
+          "quota_project_id" => nil,
+          "universe_domain" => nil
         }
         new(token_credential_uri: TOKEN_CRED_URI,
             client_id:            user_creds["client_id"],
@@ -58,7 +59,8 @@ module Google
             refresh_token:        user_creds["refresh_token"],
             project_id:           user_creds["project_id"],
             quota_project_id:     user_creds["quota_project_id"],
-            scope:                scope)
+            scope:                scope,
+            universe_domain:      user_creds["universe_domain"] || "googleapis.com")
           .configure_connection(options)
       end
 

data/lib/googleauth/version.rb

@@ -16,6 +16,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "1.2.0".freeze
+    VERSION = "1.11.0".freeze
   end
 end

data/lib/googleauth/web_user_authorizer.rb

@@ -93,11 +93,22 @@ module Google
       #  Authorization scope to request
       # @param [Google::Auth::Stores::TokenStore] token_store
       #  Backing storage for persisting user credentials
-      # @param [String] callback_uri
+      # @param [String] legacy_callback_uri
       #  URL (either absolute or relative) of the auth callback. Defaults
-      #  to '/oauth2callback'
-      def initialize client_id, scope, token_store, callback_uri = nil
-        super client_id, scope, token_store, callback_uri
+      #  to '/oauth2callback'.
+      #  @deprecated This field is deprecated. Instead, use the keyword
+      #   argument callback_uri.
+      # @param [String] code_verifier
+      #  Random string of 43-128 chars used to verify the key exchange using
+      #  PKCE.
+      def initialize client_id, scope, token_store,
+                     legacy_callback_uri = nil,
+                     callback_uri: nil,
+                     code_verifier: nil
+        super client_id, scope, token_store,
+              legacy_callback_uri,
+              code_verifier: code_verifier,
+              callback_uri: callback_uri
       end
 
       # Handle the result of the oauth callback. Exchanges the authorization
@@ -192,13 +203,13 @@ module Google
       end
 
       def self.extract_callback_state request
-        state = MultiJson.load(request[STATE_PARAM] || "{}")
+        state = MultiJson.load(request.params[STATE_PARAM] || "{}")
         redirect_uri = state[CURRENT_URI_KEY]
         callback_state = {
-          AUTH_CODE_KEY  => request[AUTH_CODE_KEY],
-          ERROR_CODE_KEY => request[ERROR_CODE_KEY],
+          AUTH_CODE_KEY  => request.params[AUTH_CODE_KEY],
+          ERROR_CODE_KEY => request.params[ERROR_CODE_KEY],
           SESSION_ID_KEY => state[SESSION_ID_KEY],
-          SCOPE_KEY      => request[SCOPE_KEY]
+          SCOPE_KEY      => request.params[SCOPE_KEY]
         }
         [callback_state, redirect_uri]
       end