googleauth 1.2.0 → 1.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: a8caed2ed693770223fcf3ec7e28c499c54ad1a2345e132bb182f4ca167a7f68
4
- data.tar.gz: f8f49257aef8acc7fef826ffcb1c1ddb0c81a814488b45f5f0997f5dd6eec4cf
3
+ metadata.gz: '089cb78f4121da1e8502eb258e106d161b72642f1d4aeb9959ea605197dba5d9'
4
+ data.tar.gz: a93423d64db3c8e0fb55807586befc3d13480c43e17b4a8cbd37704f95d12fa7
5
5
  SHA512:
6
- metadata.gz: 1a1b02f55e19af0f26164a8c9dda4aef819791ccb0774ec793b72fa23a352e4c9c52044555d34871e26f04547f3f6bce011738668054fa69e88a800b689397b2
7
- data.tar.gz: d9a68924f0e3f7d0796056f225d41ad905783b5ae1b6766434b8aaf85b6722ba6cfbbb1a92c12237edd4625f02f7e5a55bc0d5289ec6da555846d07c74ef767f
6
+ metadata.gz: 1d3513b20df2ec263c7f7db1a14421d4fef63fdaf836cbad78c62b22bf8399bd6ed7a830ba8548ffa197e6a7279eb0f8aaab65379c7cf1b4612a494e9a83a8ec
7
+ data.tar.gz: 8ee1b859360348eded906242f44e7a7d58841a864e195f34b0726c2aba660e6c10ae07e27d3d2a4517e1756b5ff989e449aad0965419995b4f2bc58ad45ae597
data/CHANGELOG.md CHANGED
@@ -1,5 +1,88 @@
1
1
  # Release History
2
2
 
3
+ ### 1.9.2 (2024-01-25)
4
+
5
+ #### Bug Fixes
6
+
7
+ * Prevent access tokens from being fetched at service account construction in the self-signed-jwt case ([#467](https://github.com/googleapis/google-auth-library-ruby/issues/467))
8
+
9
+ ### 1.9.1 (2023-12-12)
10
+
11
+ #### Bug Fixes
12
+
13
+ * update expires_in for cached metadata-retrieved tokens ([#464](https://github.com/googleapis/google-auth-library-ruby/issues/464))
14
+
15
+ ### 1.9.0 (2023-12-07)
16
+
17
+ #### Features
18
+
19
+ * Include universe_domain in credentials ([#460](https://github.com/googleapis/google-auth-library-ruby/issues/460))
20
+ * Use google-cloud-env for more robust Metadata Service access ([#459](https://github.com/googleapis/google-auth-library-ruby/issues/459))
21
+
22
+ ### 1.8.1 (2023-09-19)
23
+
24
+ #### Documentation
25
+
26
+ * improve ADC related error and warning messages ([#452](https://github.com/googleapis/google-auth-library-ruby/issues/452))
27
+
28
+ ### 1.8.0 (2023-09-07)
29
+
30
+ #### Features
31
+
32
+ * Pass additional parameters to auhtorization url ([#447](https://github.com/googleapis/google-auth-library-ruby/issues/447))
33
+ #### Documentation
34
+
35
+ * improve ADC related error and warning messages ([#449](https://github.com/googleapis/google-auth-library-ruby/issues/449))
36
+
37
+ ### 1.7.0 (2023-07-14)
38
+
39
+ #### Features
40
+
41
+ * Adding support for pluggable auth credentials ([#437](https://github.com/googleapis/google-auth-library-ruby/issues/437))
42
+ #### Documentation
43
+
44
+ * fixed iss argument and description in comments of IDTokens ([#438](https://github.com/googleapis/google-auth-library-ruby/issues/438))
45
+
46
+ ### 1.6.0 (2023-06-20)
47
+
48
+ #### Features
49
+
50
+ * adding identity pool credentials ([#433](https://github.com/googleapis/google-auth-library-ruby/issues/433))
51
+ #### Documentation
52
+
53
+ * deprecation message for discontinuing command line auth flow ([#435](https://github.com/googleapis/google-auth-library-ruby/issues/435))
54
+
55
+ ### 1.5.2 (2023-04-13)
56
+
57
+ #### Bug Fixes
58
+
59
+ * AWS IMDSV2 session token fetching shall call PUT method instead of GET ([#429](https://github.com/googleapis/google-auth-library-ruby/issues/429))
60
+ * GCECredentials - Allow retrieval of ID token ([#425](https://github.com/googleapis/google-auth-library-ruby/issues/425))
61
+
62
+ ### 1.5.1 (2023-04-10)
63
+
64
+ #### Bug Fixes
65
+
66
+ * Remove external account config validation ([#427](https://github.com/googleapis/google-auth-library-ruby/issues/427))
67
+
68
+ ### 1.5.0 (2023-03-21)
69
+
70
+ #### Features
71
+
72
+ * Add support for AWS Workload Identity Federation ([#418](https://github.com/googleapis/google-auth-library-ruby/issues/418))
73
+
74
+ ### 1.4.0 (2022-12-14)
75
+
76
+ #### Features
77
+
78
+ * make new_jwt_token public in order to fetch raw token directly ([#405](https://github.com/googleapis/google-auth-library-ruby/issues/405))
79
+
80
+ ### 1.3.0 (2022-10-18)
81
+
82
+ #### Features
83
+
84
+ * Use OpenSSL 3.0 compatible interfaces for IDTokens ([#397](https://github.com/googleapis/google-auth-library-ruby/issues/397))
85
+
3
86
  ### 1.2.0 (2022-06-23)
4
87
 
5
88
  * Updated minimum Ruby version to 2.6
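Review bot: the 1.8.0 Features entry misspells "authorization" as "auhtorization" (`* Pass additional parameters to auhtorization url`), and the 1.8.0 and 1.8.1 Documentation entries carry identical text against different issue numbers (#449 and #452); keep both if they are separate changes, but give them distinguishing wording so readers do not take one for a duplicate. The `#### Documentation` subheadings under 1.8.0, 1.7.0 and 1.6.0 also lack the blank line that separates every other subheading from the list above it. Separately, nothing in this history records that the Cloud SDK end-user-credentials warning and its GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS switch were removed, which the credentials_loader.rb hunks further down in this diff do; an entry is warranted since callers may have set that variable.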
data/README.md CHANGED
@@ -97,7 +97,9 @@ get('/oauth2callback') do
97
97
  end
98
98
  ```
99
99
 
100
- ### Example (Command Line)
100
+ ### Example (Command Line) [Deprecated]
101
+
102
+ The Google Auth OOB flow has been discontiued on January 31, 2023. The OOB flow is a legacy flow that is no longer considered secure. To continue using Google Auth, please migrate your applications to a more secure flow. For more information on how to do this, please refer to this [OOB Migration](https://developers.google.com/identity/protocols/oauth2/resources/oob-migration) guide.
101
103
 
102
104
  ```ruby
103
105
  require 'googleauth'
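Review bot: "discontiued" should be "discontinued" in the deprecation paragraph. The code sample that follows the notice is left in place unchanged, so a reader who skims past the heading still gets a copy-pasteable OOB flow that the paragraph says no longer works; either drop the sample or prefix it with a comment stating that it fails against current Google endpoints, and carry the migration-guide link into the heading as well so it is not missed.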
@@ -215,14 +217,14 @@ Custom storage implementations can also be used. See
215
217
 
216
218
  ## Supported Ruby Versions
217
219
 
218
- This library is supported on Ruby 2.5+.
220
+ This library is supported on Ruby 2.6+.
219
221
 
220
222
  Google provides official support for Ruby versions that are actively supported
221
- by Ruby Core—that is, Ruby versions that are either in normal maintenance or in
222
- security maintenance, and not end of life. Currently, this means Ruby 2.5 and
223
- later. Older versions of Ruby _may_ still work, but are unsupported and not
224
- recommended. See https://www.ruby-lang.org/en/downloads/branches/ for details
225
- about the Ruby support schedule.
223
+ by Ruby Core—that is, Ruby versions that are either in normal maintenance or
224
+ in security maintenance, and not end of life. Older versions of Ruby _may_
225
+ still work, but are unsupported and not recommended. See
226
+ https://www.ruby-lang.org/en/downloads/branches/ for details about the Ruby
227
+ support schedule.
226
228
 
227
229
  ## License
228
230
 
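Review bot: "This library is supported on Ruby 2.6+" now sits directly above the sentence that official support covers only versions still in normal or security maintenance by Ruby Core, and Ruby 2.6 reached end of life in 2022, so the two statements contradict each other at the 1.9.x release date; either raise the stated floor to the oldest branch still maintained or say explicitly that 2.6 is the minimum that loads but is not an officially supported version. Dropping the "Currently, this means Ruby 2.5 and later" sentence was the right call, since it went stale the same way.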
@@ -241,6 +243,6 @@ hesitate to
241
243
  [ask questions](http://stackoverflow.com/questions/tagged/google-auth-library-ruby)
242
244
  about the client or APIs on [StackOverflow](http://stackoverflow.com).
243
245
 
244
- [application default credentials]: https://developers.google.com/accounts/docs/application-default-credentials
246
+ [application default credentials]: https://cloud.google.com/docs/authentication/provide-credentials-adc
245
247
  [contributing]: https://github.com/googleapis/google-auth-library-ruby/tree/main/.github/CONTRIBUTING.md
246
248
  [license]: https://github.com/googleapis/google-auth-library-ruby/tree/main/LICENSE
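Review bot: the ADC reference now points at cloud.google.com/docs/authentication/provide-credentials-adc while the NOT_FOUND_ERROR message in lib/googleauth.rb in this same diff sends users to cloud.google.com/docs/authentication/external/set-up-adc; both are valid pages, but choose one per audience deliberately (the README link is what library users see first) so the two do not drift apart over time. The StackOverflow links in the context lines are still plain http://; worth switching to https while this block is being touched.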
@@ -20,9 +20,9 @@ module Google
20
20
  # used to access Google APIs.
21
21
  module Auth
22
22
  NOT_FOUND_ERROR = <<~ERROR_MESSAGE.freeze
23
- Could not load the default credentials. Browse to
24
- https://developers.google.com/accounts/docs/application-default-credentials
25
- for more information
23
+ Your credentials were not found. To set up Application Default
24
+ Credentials for your environment, see
25
+ https://cloud.google.com/docs/authentication/external/set-up-adc
26
26
  ERROR_MESSAGE
27
27
 
28
28
  module_function
@@ -55,12 +55,8 @@ module Google
55
55
  DefaultCredentials.from_well_known_path(scope, options) ||
56
56
  DefaultCredentials.from_system_default_path(scope, options)
57
57
  return creds unless creds.nil?
58
- unless GCECredentials.on_gce? options
59
- # Clear cache of the result of GCECredentials.on_gce?
60
- GCECredentials.unmemoize_all
61
- raise NOT_FOUND_ERROR
62
- end
63
- GCECredentials.new scope: scope
58
+ raise NOT_FOUND_ERROR unless GCECredentials.on_gce? options
59
+ GCECredentials.new options.merge(scope: scope)
64
60
  end
65
61
  end
66
62
  end
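Review bot: the pre-change code cleared the memoized `on_gce?` result before raising, so a transient metadata-server failure was not sticky for the life of the process; the replacement `raise NOT_FOUND_ERROR unless GCECredentials.on_gce? options` drops that reset. If google-cloud-env caches a negative probe (the new `reset_cache` / `unmemoize_all` in compute_engine.rb exists precisely to clear it), a caller that retries `get_application_default` after the metadata server becomes reachable will keep getting NOT_FOUND_ERROR; either call `GCECredentials.reset_cache` before raising, as the old code did, or document that the negative result is cached. Also, `GCECredentials.new options.merge(scope: scope)` now forwards every caller option to the Signet constructor where the old code passed only `scope`; that is fine if the extra keys are ignored, but it is a behaviour change worth a line in the changelog.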
@@ -0,0 +1,80 @@
1
+ # Copyright 2023 Google, Inc.
2
+ #
3
+ # Licensed under the Apache License, Version 2.0 (the "License");
4
+ # you may not use this file except in compliance with the License.
5
+ # You may obtain a copy of the License at
6
+ #
7
+ # http://www.apache.org/licenses/LICENSE-2.0
8
+ #
9
+ # Unless required by applicable law or agreed to in writing, software
10
+ # distributed under the License is distributed on an "AS IS" BASIS,
11
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
+ # See the License for the specific language governing permissions and
13
+ # limitations under the License.
14
+
15
+ module Google
16
+ # Module Auth provides classes that provide Google-specific authorization
17
+ # used to access Google APIs.
18
+ module Auth
19
+ # BaseClient is a class used to contain common methods that are required by any
20
+ # Credentials Client, including AwsCredentials, ServiceAccountCredentials,
21
+ # and UserRefreshCredentials. This is a superclass of Signet::OAuth2::Client
22
+ # and has been created to create a generic interface for all credentials clients
23
+ # to use, including ones which do not inherit from Signet::OAuth2::Client.
24
+ module BaseClient
25
+ AUTH_METADATA_KEY = :authorization
26
+
27
+ # Updates a_hash updated with the authentication token
28
+ def apply! a_hash, opts = {}
29
+ # fetch the access token there is currently not one, or if the client
30
+ # has expired
31
+ fetch_access_token! opts if needs_access_token?
32
+ a_hash[AUTH_METADATA_KEY] = "Bearer #{send token_type}"
33
+ end
34
+
35
+ # Returns a clone of a_hash updated with the authentication token
36
+ def apply a_hash, opts = {}
37
+ a_copy = a_hash.clone
38
+ apply! a_copy, opts
39
+ a_copy
40
+ end
41
+
42
+ # Whether the id_token or access_token is missing or about to expire.
43
+ def needs_access_token?
44
+ send(token_type).nil? || expires_within?(60)
45
+ end
46
+
47
+ # Returns a reference to the #apply method, suitable for passing as
48
+ # a closure
49
+ def updater_proc
50
+ proc { |a_hash, opts = {}| apply a_hash, opts }
51
+ end
52
+
53
+ def on_refresh &block
54
+ @refresh_listeners = [] unless defined? @refresh_listeners
55
+ @refresh_listeners << block
56
+ end
57
+
58
+ def notify_refresh_listeners
59
+ listeners = defined?(@refresh_listeners) ? @refresh_listeners : []
60
+ listeners.each do |block|
61
+ block.call self
62
+ end
63
+ end
64
+
65
+ def expires_within?
66
+ raise NotImplementedError
67
+ end
68
+
69
+ private
70
+
71
+ def token_type
72
+ raise NotImplementedError
73
+ end
74
+
75
+ def fetch_access_token!
76
+ raise NotImplementedError
77
+ end
78
+ end
79
+ end
80
+ end
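Review bot: the abstract signatures do not match how the mixin calls them: `needs_access_token?` invokes `expires_within?(60)` but the stub is `def expires_within?` with no parameter, and `apply!` calls `fetch_access_token! opts` while that stub takes no argument. Both raise NotImplementedError before arity matters, but implementers reading the module as the contract will copy the wrong arity; declare them as `def expires_within? _seconds` and `def fetch_access_token! _opts = {}`. Minor: `apply` uses `a_hash.clone`, a shallow copy, which is acceptable here only because the single top-level `:authorization` key is written. The class comment also calls BaseClient "a superclass of Signet::OAuth2::Client" although it is a module that has to be included; that include is not in this diff, and the `when Google::Auth::BaseClient` dispatch in credentials.rb depends on it, so confirm googleauth/signet.rb performs it.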
@@ -17,51 +17,67 @@ require "googleauth/credentials_loader"
17
17
 
18
18
  module Google
19
19
  module Auth
20
- # Representation of an application's identity for user authorization
21
- # flows.
20
+ ##
21
+ # Representation of an application's identity for user authorization flows.
22
+ #
22
23
  class ClientId
24
+ # Toplevel JSON key for the an installed app configuration.
25
+ # Must include client_id and client_secret subkeys if present.
23
26
  INSTALLED_APP = "installed".freeze
27
+ # Toplevel JSON key for the a webapp configuration.
28
+ # Must include client_id and client_secret subkeys if present.
24
29
  WEB_APP = "web".freeze
30
+ # JSON key for the client ID within an app configuration.
25
31
  CLIENT_ID = "client_id".freeze
32
+ # JSON key for the client secret within an app configuration.
26
33
  CLIENT_SECRET = "client_secret".freeze
34
+ # An error message raised when none of the expected toplevel properties
35
+ # can be found.
27
36
  MISSING_TOP_LEVEL_ELEMENT_ERROR =
28
37
  "Expected top level property 'installed' or 'web' to be present.".freeze
29
38
 
39
+ ##
30
40
  # Text identifier of the client ID
31
41
  # @return [String]
42
+ #
32
43
  attr_reader :id
33
44
 
45
+ ##
34
46
  # Secret associated with the client ID
35
47
  # @return [String]
48
+ #
36
49
  attr_reader :secret
37
50
 
38
51
  class << self
39
52
  attr_accessor :default
40
53
  end
41
54
 
42
- # Initialize the Client ID
55
+ ##
56
+ # Initialize the Client ID. Both id and secret must be non-nil.
43
57
  #
44
58
  # @param [String] id
45
59
  # Text identifier of the client ID
46
60
  # @param [String] secret
47
61
  # Secret associated with the client ID
48
- # @note Direction instantion is discouraged to avoid embedding IDs
49
- # & secrets in source. See {#from_file} to load from
62
+ # @note Direct instantiation is discouraged to avoid embedding IDs
63
+ # and secrets in source. See {#from_file} to load from
50
64
  # `client_secrets.json` files.
65
+ #
51
66
  def initialize id, secret
52
- CredentialsLoader.warn_if_cloud_sdk_credentials id
53
67
  raise "Client id can not be nil" if id.nil?
54
68
  raise "Client secret can not be nil" if secret.nil?
55
69
  @id = id
56
70
  @secret = secret
57
71
  end
58
72
 
73
+ ##
59
74
  # Constructs a Client ID from a JSON file downloaded from the
60
75
  # Google Developers Console.
61
76
  #
62
77
  # @param [String, File] file
63
78
  # Path of file to read from
64
79
  # @return [Google::Auth::ClientID]
80
+ #
65
81
  def self.from_file file
66
82
  raise "File can not be nil." if file.nil?
67
83
  File.open file.to_s do |f|
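Review bot: two typos in the new constant docs, "for the an installed app configuration" and "for the a webapp configuration"; drop the stray article in each. The `@return [Google::Auth::ClientID]` tag on `from_file` names a class that does not exist (the class is `ClientId`), so YARD will not link it. Removing `CredentialsLoader.warn_if_cloud_sdk_credentials id` from `initialize` is consistent with deleting that helper elsewhere in this diff; fine.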
@@ -71,13 +87,14 @@ module Google
71
87
  end
72
88
  end
73
89
 
90
+ ##
74
91
  # Constructs a Client ID from a previously loaded JSON file. The hash
75
- # structure should
76
- # match the expected JSON format.
92
+ # structure should match the expected JSON format.
77
93
  #
78
94
  # @param [hash] config
79
95
  # Parsed contents of the JSON file
80
96
  # @return [Google::Auth::ClientID]
97
+ #
81
98
  def self.from_hash config
82
99
  raise "Hash can not be nil." if config.nil?
83
100
  raw_detail = config[INSTALLED_APP] || config[WEB_APP]
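Review bot: `@param [hash] config` should be `[Hash]`, and `@return [Google::Auth::ClientID]` should be `ClientId`, matching the fix needed on `from_file`. The `raw_detail = config[INSTALLED_APP] || config[WEB_APP]` line silently prefers `installed` when a file carries both keys; a one-line comment saying so would save a support question.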
@@ -12,9 +12,8 @@
12
12
  # See the License for the specific language governing permissions and
13
13
  # limitations under the License.
14
14
 
15
- require "faraday"
15
+ require "google-cloud-env"
16
16
  require "googleauth/signet"
17
- require "memoist"
18
17
 
19
18
  module Google
20
19
  # Module Auth provides classes that provide Google-specific authorization
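Review bot: dropping `require "faraday"` and `require "memoist"` is correct only if the gemspec gains google-cloud-env as a runtime dependency and removes memoist; the gemspec is not part of this diff, so check it lands in the same change. Signet still depends on Faraday, which is why nothing else in this file breaks, but the Faraday-specific `options[:connection]` support goes away with it (see the next hunk).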
@@ -34,74 +33,69 @@ module Google
34
33
  # Extends Signet::OAuth2::Client so that the auth token is obtained from
35
34
  # the GCE metadata server.
36
35
  class GCECredentials < Signet::OAuth2::Client
37
- # The IP Address is used in the URIs to speed up failures on non-GCE
38
- # systems.
36
+ # @private Unused and deprecated but retained to prevent breaking changes
39
37
  DEFAULT_METADATA_HOST = "169.254.169.254".freeze
40
38
 
41
- # @private Unused and deprecated
39
+ # @private Unused and deprecated but retained to prevent breaking changes
42
40
  COMPUTE_AUTH_TOKEN_URI =
43
41
  "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze
44
- # @private Unused and deprecated
42
+ # @private Unused and deprecated but retained to prevent breaking changes
45
43
  COMPUTE_ID_TOKEN_URI =
46
44
  "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity".freeze
47
- # @private Unused and deprecated
45
+ # @private Unused and deprecated but retained to prevent breaking changes
48
46
  COMPUTE_CHECK_URI = "http://169.254.169.254".freeze
49
47
 
50
48
  class << self
51
- extend Memoist
52
-
49
+ # @private Unused and deprecated
53
50
  def metadata_host
54
51
  ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST
55
52
  end
56
53
 
54
+ # @private Unused and deprecated
57
55
  def compute_check_uri
58
56
  "http://#{metadata_host}".freeze
59
57
  end
60
58
 
59
+ # @private Unused and deprecated
61
60
  def compute_auth_token_uri
62
61
  "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/token".freeze
63
62
  end
64
63
 
64
+ # @private Unused and deprecated
65
65
  def compute_id_token_uri
66
66
  "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/identity".freeze
67
67
  end
68
68
 
69
69
  # Detect if this appear to be a GCE instance, by checking if metadata
70
70
  # is available.
71
- def on_gce? options = {}
72
- # TODO: This should use google-cloud-env instead.
73
- c = options[:connection] || Faraday.default_connection
74
- headers = { "Metadata-Flavor" => "Google" }
75
- resp = c.get compute_check_uri, nil, headers do |req|
76
- req.options.timeout = 1.0
77
- req.options.open_timeout = 0.1
78
- end
79
- return false unless resp.status == 200
80
- resp.headers["Metadata-Flavor"] == "Google"
81
- rescue Faraday::TimeoutError, Faraday::ConnectionFailed
82
- false
71
+ # The parameters are deprecated and unused.
72
+ def on_gce? _options = {}, _reload = false # rubocop:disable Style/OptionalBooleanParameter
73
+ Google::Cloud.env.metadata?
83
74
  end
84
75
 
85
- memoize :on_gce?
76
+ def reset_cache
77
+ Google::Cloud.env.compute_metadata.reset_existence!
78
+ Google::Cloud.env.compute_metadata.cache.expire_all!
79
+ end
80
+ alias unmemoize_all reset_cache
86
81
  end
87
82
 
88
83
  # Overrides the super class method to change how access tokens are
89
84
  # fetched.
90
- def fetch_access_token options = {}
91
- c = options[:connection] || Faraday.default_connection
92
- retry_with_error do
93
- uri = target_audience ? GCECredentials.compute_id_token_uri : GCECredentials.compute_auth_token_uri
94
- query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
95
- query[:scopes] = Array(scope).join "," if scope
96
- resp = c.get uri, query, "Metadata-Flavor" => "Google"
85
+ def fetch_access_token _options = {}
86
+ if token_type == :id_token
87
+ query = { "audience" => target_audience, "format" => "full" }
88
+ entry = "service-accounts/default/identity"
89
+ else
90
+ query = {}
91
+ entry = "service-accounts/default/token"
92
+ end
93
+ query[:scopes] = Array(scope).join "," if scope
94
+ begin
95
+ resp = Google::Cloud.env.lookup_metadata_response "instance", entry, query: query
97
96
  case resp.status
98
97
  when 200
99
- content_type = resp.headers["content-type"]
100
- if ["text/html", "application/text"].include? content_type
101
- { (target_audience ? "id_token" : "access_token") => resp.body }
102
- else
103
- Signet::OAuth2.parse_credentials resp.body, content_type
104
- end
98
+ build_token_hash resp.body, resp.headers["content-type"], resp.retrieval_monotonic_time
105
99
  when 403, 500
106
100
  msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
107
101
  raise Signet::UnexpectedStatusError, msg
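Review bot: `fetch_access_token _options = {}` and `on_gce? _options = {}` now ignore `options[:connection]`, which the old code honoured so callers could inject a Faraday connection (proxies, custom timeouts, test doubles); anything still passing `connection:` will silently talk to the real metadata server, so either warn when that key is present or state the removal in the changelog. `metadata_host` still reads `GCE_METADATA_HOST` but is marked unused, so verify google-cloud-env honours that variable itself, otherwise the override stops working without any error. On the security side, the old probe required the `Metadata-Flavor: Google` response header before treating the host as GCE; that check is now delegated to `Google::Cloud.env.metadata?`, which should be confirmed to enforce the same, since a non-GCE host answering on 169.254.169.254 must not be accepted as a token source. `reset_cache` reaches into `compute_metadata.cache.expire_all!`, an internal of the dependency; pin the google-cloud-env version range accordingly.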
@@ -111,7 +105,33 @@ module Google
111
105
  msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
112
106
  raise Signet::AuthorizationError, msg
113
107
  end
108
+ rescue Google::Cloud::Env::MetadataServerNotResponding => e
109
+ raise Signet::AuthorizationError, e.message
110
+ end
111
+ end
112
+
113
+ private
114
+
115
+ def build_token_hash body, content_type, retrieval_time
116
+ hash =
117
+ if ["text/html", "application/text"].include? content_type
118
+ { token_type.to_s => body }
119
+ else
120
+ Signet::OAuth2.parse_credentials body, content_type
121
+ end
122
+ universe_domain = Google::Cloud.env.lookup_metadata "universe", "universe_domain"
123
+ universe_domain = "googleapis.com" if !universe_domain || universe_domain.empty?
124
+ hash["universe_domain"] = universe_domain.strip
125
+ # The response might have been cached, which means expires_in might be
126
+ # stale. Update it based on the time since the data was retrieved.
127
+ # We also ensure expires_in is conservative; subtracting at least 1
128
+ # second to offset any skew from metadata server latency.
129
+ if hash["expires_in"].is_a? Numeric
130
+ offset = 1 + (Process.clock_gettime(Process::CLOCK_MONOTONIC) - retrieval_time).round
131
+ hash["expires_in"] -= offset if offset.positive?
132
+ hash["expires_in"] = 0 if hash["expires_in"].negative?
114
133
  end
134
+ hash
115
135
  end
116
136
  end
117
137
  end
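Review bot: in `build_token_hash` the empty check runs before `strip`, so a whitespace-only `universe_domain` from the metadata server passes `universe_domain.empty?`, is stripped to "" and is stored as `hash["universe_domain"] = ""` instead of falling back to "googleapis.com"; strip first, then test for empty. The lookup also runs on every token refresh; if google-cloud-env caches it that is fine, otherwise cache it on the instance. The `expires_in` adjustment is the right fix for cached metadata responses, and clamping to 0 rather than going negative is correct, but the `"googleapis.com"` default now appears both here and in credentials.rb; a single shared constant would keep them from diverging.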
@@ -259,7 +259,7 @@ module Google
259
259
  # @return [Object] The value
260
260
  #
261
261
  def self.lookup_auth_param name, method_name = name
262
- val = instance_variable_get "@#{name}".to_sym
262
+ val = instance_variable_get :"@#{name}"
263
263
  val = yield if val.nil? && block_given?
264
264
  return val unless val.nil?
265
265
  return superclass.send method_name if superclass.respond_to? method_name
@@ -328,9 +328,13 @@ module Google
328
328
  # @return [Proc] Returns a reference to the {Signet::OAuth2::Client#apply} method,
329
329
  # suitable for passing as a closure.
330
330
  #
331
+ # @!attribute [rw] universe_domain
332
+ # @return [String] The universe domain issuing these credentials.
333
+ #
331
334
  def_delegators :@client,
332
335
  :token_credential_uri, :audience,
333
- :scope, :issuer, :signing_key, :updater_proc, :target_audience
336
+ :scope, :issuer, :signing_key, :updater_proc, :target_audience,
337
+ :universe_domain, :universe_domain=
334
338
 
335
339
  ##
336
340
  # Creates a new Credentials instance with the provided auth credentials, and with the default
@@ -355,14 +359,13 @@ module Google
355
359
  @project_id = options["project_id"] || options["project"]
356
360
  @quota_project_id = options["quota_project_id"]
357
361
  case keyfile
358
- when Signet::OAuth2::Client
362
+ when Google::Auth::BaseClient
359
363
  update_from_signet keyfile
360
364
  when Hash
361
365
  update_from_hash keyfile, options
362
366
  else
363
367
  update_from_filepath keyfile, options
364
368
  end
365
- CredentialsLoader.warn_if_cloud_sdk_credentials @client.client_id
366
369
  @project_id ||= CredentialsLoader.load_gcloud_project_id
367
370
  @client.fetch_access_token! if @client.needs_access_token?
368
371
  @env_vars = nil
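Review bot: the constructor still calls `@client.fetch_access_token! if @client.needs_access_token?` (kept as context here), so `Credentials.new` performs a network round trip at construction; the 1.9.2 changelog says this was suppressed for the self-signed JWT service account case, which must therefore be implemented in service_account.rb (not in this diff) by having `needs_access_token?` return false. Worth confirming, because an eager fetch in a constructor turns a misconfigured credential into an exception at object creation rather than at first use. Matching on `Google::Auth::BaseClient` instead of `Signet::OAuth2::Client` only works if the Signet client includes the module; that include is not visible in this diff.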
@@ -507,12 +510,15 @@ module Google
507
510
 
508
511
  needs_scope = options["target_audience"].nil?
509
512
  # client options for initializing signet client
510
- { token_credential_uri: options["token_credential_uri"],
513
+ {
514
+ token_credential_uri: options["token_credential_uri"],
511
515
  audience: options["audience"],
512
516
  scope: (needs_scope ? Array(options["scope"]) : nil),
513
517
  target_audience: options["target_audience"],
514
518
  issuer: options["client_email"],
515
- signing_key: OpenSSL::PKey::RSA.new(options["private_key"]) }
519
+ signing_key: OpenSSL::PKey::RSA.new(options["private_key"]),
520
+ universe_domain: options["universe_domain"] || "googleapis.com"
521
+ }
516
522
  end
517
523
 
518
524
  # rubocop:enable Metrics/AbcSize
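Review bot: `universe_domain: options["universe_domain"] || "googleapis.com"` accepts any string from the key file; if the value is later used to build endpoint host names, as the name suggests, validate it here as a bare domain rather than trusting it downstream. The `"googleapis.com"` literal is also repeated in compute_engine.rb's `build_token_hash`; hoist it to a shared constant.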
@@ -527,7 +533,7 @@ module Google
527
533
  hash = stringify_hash_keys hash
528
534
  hash["scope"] ||= options[:scope]
529
535
  hash["target_audience"] ||= options[:target_audience]
530
- @project_id ||= (hash["project_id"] || hash["project"])
536
+ @project_id ||= hash["project_id"] || hash["project"]
531
537
  @quota_project_id ||= hash["quota_project_id"]
532
538
  @client = init_client hash, options
533
539
  end
@@ -537,7 +543,7 @@ module Google
537
543
  json = JSON.parse ::File.read(path)
538
544
  json["scope"] ||= options[:scope]
539
545
  json["target_audience"] ||= options[:target_audience]
540
- @project_id ||= (json["project_id"] || json["project"])
546
+ @project_id ||= json["project_id"] || json["project"]
541
547
  @quota_project_id ||= json["quota_project_id"]
542
548
  @client = init_client json, options
543
549
  end
@@ -30,6 +30,11 @@ module Google
30
30
  REFRESH_TOKEN_VAR = "GOOGLE_REFRESH_TOKEN".freeze
31
31
  ACCOUNT_TYPE_VAR = "GOOGLE_ACCOUNT_TYPE".freeze
32
32
  PROJECT_ID_VAR = "GOOGLE_PROJECT_ID".freeze
33
+ AWS_REGION_VAR = "AWS_REGION".freeze
34
+ AWS_DEFAULT_REGION_VAR = "AWS_DEFAULT_REGION".freeze
35
+ AWS_ACCESS_KEY_ID_VAR = "AWS_ACCESS_KEY_ID".freeze
36
+ AWS_SECRET_ACCESS_KEY_VAR = "AWS_SECRET_ACCESS_KEY".freeze
37
+ AWS_SESSION_TOKEN_VAR = "AWS_SESSION_TOKEN".freeze
33
38
  GCLOUD_POSIX_COMMAND = "gcloud".freeze
34
39
  GCLOUD_WINDOWS_COMMAND = "gcloud.cmd".freeze
35
40
  GCLOUD_CONFIG_COMMAND = "config config-helper --format json --verbosity none".freeze
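Review bot: `AWS_SECRET_ACCESS_KEY_VAR` and `AWS_SESSION_TOKEN_VAR` name secrets, unlike every other constant in this list; add a comment that their values must never be echoed into error messages or logs by the AWS credentials code that consumes them, and document which of `AWS_REGION` and `AWS_DEFAULT_REGION` wins when both are set (the AWS SDKs prefer `AWS_REGION`), since that ordering is not visible from the constants alone.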
@@ -41,16 +46,9 @@ module Google
41
46
 
42
47
  SYSTEM_DEFAULT_ERROR = "Unable to read the system default credential file".freeze
43
48
 
44
- CLOUD_SDK_CLIENT_ID = "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app"\
49
+ CLOUD_SDK_CLIENT_ID = "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app" \
45
50
  "s.googleusercontent.com".freeze
46
51
 
47
- CLOUD_SDK_CREDENTIALS_WARNING =
48
- "Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most" \
49
- " server applications use service accounts instead. If your application continues to use end user credentials" \
50
- ' from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For more information about' \
51
- " service accounts, see https://cloud.google.com/docs/authentication/. To suppress this message, set the"\
52
- " GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS environment variable.".freeze
53
-
54
52
  # make_creds proxies the construction of a credentials instance
55
53
  #
56
54
  # By default, it calls #new on the current class, but this behaviour can
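Review bot: `CLOUD_SDK_CREDENTIALS_WARNING` and the `GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS` switch are removed, but `CLOUD_SDK_CLIENT_ID` is kept and has no remaining reader anywhere in this diff; either drop it too or mark it `@private` so it is not read as API. The removal has no changelog entry above, and users who set the environment variable deserve one. The advice the warning carried (prefer service accounts over end-user gcloud credentials for server workloads) now lives only in external docs; the ADC error and warning message work listed under 1.8.0 and 1.8.1 would be the natural place to keep a pointer to it.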
@@ -144,12 +142,6 @@ module Google
144
142
 
145
143
  module_function
146
144
 
147
- # Issues warning if cloud sdk client id is used
148
- def warn_if_cloud_sdk_credentials client_id
149
- return if ENV["GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS"]
150
- warn CLOUD_SDK_CREDENTIALS_WARNING if client_id == CLOUD_SDK_CLIENT_ID
151
- end
152
-
153
145
  # Finds project_id from gcloud CLI configuration
154
146
  def load_gcloud_project_id
155
147
  gcloud = GCLOUD_WINDOWS_COMMAND if OS.windows?
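Review bot: `warn_if_cloud_sdk_credentials` was a public `module_function`, so deleting it outright is an API break for any caller that invoked it directly; prefer a deprecated no-op shim for one release, or call the removal out as breaking in the changelog, which currently has no entry for it.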
@@ -18,6 +18,7 @@ require "stringio"
18
18
  require "googleauth/credentials_loader"
19
19
  require "googleauth/service_account"
20
20
  require "googleauth/user_refresh"
21
+ require "googleauth/external_account"
21
22
 
22
23
  module Google
23
24
  # Module Auth provides classes that provide Google-specific authorization
@@ -34,11 +35,9 @@ module Google
34
35
  json_key_io = options[:json_key_io]
35
36
  if json_key_io
36
37
  json_key, clz = determine_creds_class json_key_io
37
- warn_if_cloud_sdk_credentials json_key["client_id"]
38
38
  io = StringIO.new MultiJson.dump(json_key)
39
39
  clz.make_creds options.merge(json_key_io: io)
40
40
  else
41
- warn_if_cloud_sdk_credentials ENV[CredentialsLoader::CLIENT_ID_VAR]
42
41
  clz = read_creds
43
42
  clz.make_creds options
44
43
  end
@@ -53,6 +52,8 @@ module Google
53
52
  ServiceAccountCredentials
54
53
  when "authorized_user"
55
54
  UserRefreshCredentials
55
+ when "external_account"
56
+ ExternalAccount::Credentials
56
57
  else
57
58
  raise "credentials type '#{type}' is not supported"
58
59
  end
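Review bot: with `when "external_account"`, ADC file discovery now instantiates `ExternalAccount::Credentials` from whatever JSON GOOGLE_APPLICATION_CREDENTIALS points at. Given the 1.5.1 entry "Remove external account config validation" and the pluggable auth support added in 1.7.0, such a file can direct the library at credential sources outside the file itself; the docs should say plainly that the ADC file path is trusted input and must not be writable by less privileged users, and the class should validate the fields it relies on even though the generic config validation was dropped.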
@@ -69,6 +70,8 @@ module Google
69
70
  [json_key, ServiceAccountCredentials]
70
71
  when "authorized_user"
71
72
  [json_key, UserRefreshCredentials]
73
+ when "external_account"
74
+ [json_key, ExternalAccount::Credentials]
72
75
  else
73
76
  raise "credentials type '#{type}' is not supported"
74
77
  end
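Review bot: this `case type` block duplicates the one in `read_creds` above, and both had to be edited in lockstep to add `"external_account"`; a single type-to-class hash consulted by both methods would remove the second edit site and the chance that the next credential type is added to only one of them.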