googleauth 1.2.0 → 1.9.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +83 -0
- data/README.md +10 -8
- data/lib/googleauth/application_default.rb +5 -9
- data/lib/googleauth/base_client.rb +80 -0
- data/lib/googleauth/client_id.rb +25 -8
- data/lib/googleauth/compute_engine.rb +55 -35
- data/lib/googleauth/credentials.rb +14 -8
- data/lib/googleauth/credentials_loader.rb +6 -14
- data/lib/googleauth/default_credentials.rb +5 -2
- data/lib/googleauth/external_account/aws_credentials.rb +378 -0
- data/lib/googleauth/external_account/base_credentials.rb +159 -0
- data/lib/googleauth/external_account/external_account_utils.rb +103 -0
- data/lib/googleauth/external_account/identity_pool_credentials.rb +118 -0
- data/lib/googleauth/external_account/pluggable_credentials.rb +156 -0
- data/lib/googleauth/external_account.rb +94 -0
- data/lib/googleauth/helpers/connection.rb +35 -0
- data/lib/googleauth/id_tokens/key_sources.rb +9 -10
- data/lib/googleauth/id_tokens.rb +2 -2
- data/lib/googleauth/json_key_reader.rb +2 -1
- data/lib/googleauth/oauth2/sts_client.rb +109 -0
- data/lib/googleauth/scope_util.rb +35 -2
- data/lib/googleauth/service_account.rb +25 -11
- data/lib/googleauth/signet.rb +14 -38
- data/lib/googleauth/user_authorizer.rb +12 -5
- data/lib/googleauth/user_refresh.rb +4 -2
- data/lib/googleauth/version.rb +1 -1
- data/lib/googleauth/web_user_authorizer.rb +4 -4
- metadata +29 -20
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: '089cb78f4121da1e8502eb258e106d161b72642f1d4aeb9959ea605197dba5d9'
|
4
|
+
data.tar.gz: a93423d64db3c8e0fb55807586befc3d13480c43e17b4a8cbd37704f95d12fa7
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 1d3513b20df2ec263c7f7db1a14421d4fef63fdaf836cbad78c62b22bf8399bd6ed7a830ba8548ffa197e6a7279eb0f8aaab65379c7cf1b4612a494e9a83a8ec
|
7
|
+
data.tar.gz: 8ee1b859360348eded906242f44e7a7d58841a864e195f34b0726c2aba660e6c10ae07e27d3d2a4517e1756b5ff989e449aad0965419995b4f2bc58ad45ae597
|
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,88 @@
|
|
1
1
|
# Release History
|
2
2
|
|
3
|
+
### 1.9.2 (2024-01-25)
|
4
|
+
|
5
|
+
#### Bug Fixes
|
6
|
+
|
7
|
+
* Prevent access tokens from being fetched at service account construction in the self-signed-jwt case ([#467](https://github.com/googleapis/google-auth-library-ruby/issues/467))
|
8
|
+
|
9
|
+
### 1.9.1 (2023-12-12)
|
10
|
+
|
11
|
+
#### Bug Fixes
|
12
|
+
|
13
|
+
* update expires_in for cached metadata-retrieved tokens ([#464](https://github.com/googleapis/google-auth-library-ruby/issues/464))
|
14
|
+
|
15
|
+
### 1.9.0 (2023-12-07)
|
16
|
+
|
17
|
+
#### Features
|
18
|
+
|
19
|
+
* Include universe_domain in credentials ([#460](https://github.com/googleapis/google-auth-library-ruby/issues/460))
|
20
|
+
* Use google-cloud-env for more robust Metadata Service access ([#459](https://github.com/googleapis/google-auth-library-ruby/issues/459))
|
21
|
+
|
22
|
+
### 1.8.1 (2023-09-19)
|
23
|
+
|
24
|
+
#### Documentation
|
25
|
+
|
26
|
+
* improve ADC related error and warning messages ([#452](https://github.com/googleapis/google-auth-library-ruby/issues/452))
|
27
|
+
|
28
|
+
### 1.8.0 (2023-09-07)
|
29
|
+
|
30
|
+
#### Features
|
31
|
+
|
32
|
+
* Pass additional parameters to auhtorization url ([#447](https://github.com/googleapis/google-auth-library-ruby/issues/447))
|
33
|
+
#### Documentation
|
34
|
+
|
35
|
+
* improve ADC related error and warning messages ([#449](https://github.com/googleapis/google-auth-library-ruby/issues/449))
|
36
|
+
|
37
|
+
### 1.7.0 (2023-07-14)
|
38
|
+
|
39
|
+
#### Features
|
40
|
+
|
41
|
+
* Adding support for pluggable auth credentials ([#437](https://github.com/googleapis/google-auth-library-ruby/issues/437))
|
42
|
+
#### Documentation
|
43
|
+
|
44
|
+
* fixed iss argument and description in comments of IDTokens ([#438](https://github.com/googleapis/google-auth-library-ruby/issues/438))
|
45
|
+
|
46
|
+
### 1.6.0 (2023-06-20)
|
47
|
+
|
48
|
+
#### Features
|
49
|
+
|
50
|
+
* adding identity pool credentials ([#433](https://github.com/googleapis/google-auth-library-ruby/issues/433))
|
51
|
+
#### Documentation
|
52
|
+
|
53
|
+
* deprecation message for discontinuing command line auth flow ([#435](https://github.com/googleapis/google-auth-library-ruby/issues/435))
|
54
|
+
|
55
|
+
### 1.5.2 (2023-04-13)
|
56
|
+
|
57
|
+
#### Bug Fixes
|
58
|
+
|
59
|
+
* AWS IMDSV2 session token fetching shall call PUT method instead of GET ([#429](https://github.com/googleapis/google-auth-library-ruby/issues/429))
|
60
|
+
* GCECredentials - Allow retrieval of ID token ([#425](https://github.com/googleapis/google-auth-library-ruby/issues/425))
|
61
|
+
|
62
|
+
### 1.5.1 (2023-04-10)
|
63
|
+
|
64
|
+
#### Bug Fixes
|
65
|
+
|
66
|
+
* Remove external account config validation ([#427](https://github.com/googleapis/google-auth-library-ruby/issues/427))
|
67
|
+
|
68
|
+
### 1.5.0 (2023-03-21)
|
69
|
+
|
70
|
+
#### Features
|
71
|
+
|
72
|
+
* Add support for AWS Workload Identity Federation ([#418](https://github.com/googleapis/google-auth-library-ruby/issues/418))
|
73
|
+
|
74
|
+
### 1.4.0 (2022-12-14)
|
75
|
+
|
76
|
+
#### Features
|
77
|
+
|
78
|
+
* make new_jwt_token public in order to fetch raw token directly ([#405](https://github.com/googleapis/google-auth-library-ruby/issues/405))
|
79
|
+
|
80
|
+
### 1.3.0 (2022-10-18)
|
81
|
+
|
82
|
+
#### Features
|
83
|
+
|
84
|
+
* Use OpenSSL 3.0 compatible interfaces for IDTokens ([#397](https://github.com/googleapis/google-auth-library-ruby/issues/397))
|
85
|
+
|
3
86
|
### 1.2.0 (2022-06-23)
|
4
87
|
|
5
88
|
* Updated minimum Ruby version to 2.6
|
data/README.md
CHANGED
@@ -97,7 +97,9 @@ get('/oauth2callback') do
|
|
97
97
|
end
|
98
98
|
```
|
99
99
|
|
100
|
-
### Example (Command Line)
|
100
|
+
### Example (Command Line) [Deprecated]
|
101
|
+
|
102
|
+
The Google Auth OOB flow has been discontiued on January 31, 2023. The OOB flow is a legacy flow that is no longer considered secure. To continue using Google Auth, please migrate your applications to a more secure flow. For more information on how to do this, please refer to this [OOB Migration](https://developers.google.com/identity/protocols/oauth2/resources/oob-migration) guide.
|
101
103
|
|
102
104
|
```ruby
|
103
105
|
require 'googleauth'
|
@@ -215,14 +217,14 @@ Custom storage implementations can also be used. See
|
|
215
217
|
|
216
218
|
## Supported Ruby Versions
|
217
219
|
|
218
|
-
This library is supported on Ruby 2.
|
220
|
+
This library is supported on Ruby 2.6+.
|
219
221
|
|
220
222
|
Google provides official support for Ruby versions that are actively supported
|
221
|
-
by Ruby Core—that is, Ruby versions that are either in normal maintenance or
|
222
|
-
security maintenance, and not end of life.
|
223
|
-
|
224
|
-
|
225
|
-
|
223
|
+
by Ruby Core—that is, Ruby versions that are either in normal maintenance or
|
224
|
+
in security maintenance, and not end of life. Older versions of Ruby _may_
|
225
|
+
still work, but are unsupported and not recommended. See
|
226
|
+
https://www.ruby-lang.org/en/downloads/branches/ for details about the Ruby
|
227
|
+
support schedule.
|
226
228
|
|
227
229
|
## License
|
228
230
|
|
@@ -241,6 +243,6 @@ hesitate to
|
|
241
243
|
[ask questions](http://stackoverflow.com/questions/tagged/google-auth-library-ruby)
|
242
244
|
about the client or APIs on [StackOverflow](http://stackoverflow.com).
|
243
245
|
|
244
|
-
[application default credentials]: https://
|
246
|
+
[application default credentials]: https://cloud.google.com/docs/authentication/provide-credentials-adc
|
245
247
|
[contributing]: https://github.com/googleapis/google-auth-library-ruby/tree/main/.github/CONTRIBUTING.md
|
246
248
|
[license]: https://github.com/googleapis/google-auth-library-ruby/tree/main/LICENSE
|
@@ -20,9 +20,9 @@ module Google
|
|
20
20
|
# used to access Google APIs.
|
21
21
|
module Auth
|
22
22
|
NOT_FOUND_ERROR = <<~ERROR_MESSAGE.freeze
|
23
|
-
|
24
|
-
|
25
|
-
|
23
|
+
Your credentials were not found. To set up Application Default
|
24
|
+
Credentials for your environment, see
|
25
|
+
https://cloud.google.com/docs/authentication/external/set-up-adc
|
26
26
|
ERROR_MESSAGE
|
27
27
|
|
28
28
|
module_function
|
@@ -55,12 +55,8 @@ module Google
|
|
55
55
|
DefaultCredentials.from_well_known_path(scope, options) ||
|
56
56
|
DefaultCredentials.from_system_default_path(scope, options)
|
57
57
|
return creds unless creds.nil?
|
58
|
-
unless GCECredentials.on_gce? options
|
59
|
-
|
60
|
-
GCECredentials.unmemoize_all
|
61
|
-
raise NOT_FOUND_ERROR
|
62
|
-
end
|
63
|
-
GCECredentials.new scope: scope
|
58
|
+
raise NOT_FOUND_ERROR unless GCECredentials.on_gce? options
|
59
|
+
GCECredentials.new options.merge(scope: scope)
|
64
60
|
end
|
65
61
|
end
|
66
62
|
end
|
@@ -0,0 +1,80 @@
|
|
1
|
+
# Copyright 2023 Google, Inc.
|
2
|
+
#
|
3
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
4
|
+
# you may not use this file except in compliance with the License.
|
5
|
+
# You may obtain a copy of the License at
|
6
|
+
#
|
7
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
8
|
+
#
|
9
|
+
# Unless required by applicable law or agreed to in writing, software
|
10
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
11
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
12
|
+
# See the License for the specific language governing permissions and
|
13
|
+
# limitations under the License.
|
14
|
+
|
15
|
+
module Google
|
16
|
+
# Module Auth provides classes that provide Google-specific authorization
|
17
|
+
# used to access Google APIs.
|
18
|
+
module Auth
|
19
|
+
# BaseClient is a class used to contain common methods that are required by any
|
20
|
+
# Credentials Client, including AwsCredentials, ServiceAccountCredentials,
|
21
|
+
# and UserRefreshCredentials. This is a superclass of Signet::OAuth2::Client
|
22
|
+
# and has been created to create a generic interface for all credentials clients
|
23
|
+
# to use, including ones which do not inherit from Signet::OAuth2::Client.
|
24
|
+
module BaseClient
|
25
|
+
AUTH_METADATA_KEY = :authorization
|
26
|
+
|
27
|
+
# Updates a_hash updated with the authentication token
|
28
|
+
def apply! a_hash, opts = {}
|
29
|
+
# fetch the access token there is currently not one, or if the client
|
30
|
+
# has expired
|
31
|
+
fetch_access_token! opts if needs_access_token?
|
32
|
+
a_hash[AUTH_METADATA_KEY] = "Bearer #{send token_type}"
|
33
|
+
end
|
34
|
+
|
35
|
+
# Returns a clone of a_hash updated with the authentication token
|
36
|
+
def apply a_hash, opts = {}
|
37
|
+
a_copy = a_hash.clone
|
38
|
+
apply! a_copy, opts
|
39
|
+
a_copy
|
40
|
+
end
|
41
|
+
|
42
|
+
# Whether the id_token or access_token is missing or about to expire.
|
43
|
+
def needs_access_token?
|
44
|
+
send(token_type).nil? || expires_within?(60)
|
45
|
+
end
|
46
|
+
|
47
|
+
# Returns a reference to the #apply method, suitable for passing as
|
48
|
+
# a closure
|
49
|
+
def updater_proc
|
50
|
+
proc { |a_hash, opts = {}| apply a_hash, opts }
|
51
|
+
end
|
52
|
+
|
53
|
+
def on_refresh &block
|
54
|
+
@refresh_listeners = [] unless defined? @refresh_listeners
|
55
|
+
@refresh_listeners << block
|
56
|
+
end
|
57
|
+
|
58
|
+
def notify_refresh_listeners
|
59
|
+
listeners = defined?(@refresh_listeners) ? @refresh_listeners : []
|
60
|
+
listeners.each do |block|
|
61
|
+
block.call self
|
62
|
+
end
|
63
|
+
end
|
64
|
+
|
65
|
+
def expires_within?
|
66
|
+
raise NotImplementedError
|
67
|
+
end
|
68
|
+
|
69
|
+
private
|
70
|
+
|
71
|
+
def token_type
|
72
|
+
raise NotImplementedError
|
73
|
+
end
|
74
|
+
|
75
|
+
def fetch_access_token!
|
76
|
+
raise NotImplementedError
|
77
|
+
end
|
78
|
+
end
|
79
|
+
end
|
80
|
+
end
|
data/lib/googleauth/client_id.rb
CHANGED
@@ -17,51 +17,67 @@ require "googleauth/credentials_loader"
|
|
17
17
|
|
18
18
|
module Google
|
19
19
|
module Auth
|
20
|
-
|
21
|
-
# flows.
|
20
|
+
##
|
21
|
+
# Representation of an application's identity for user authorization flows.
|
22
|
+
#
|
22
23
|
class ClientId
|
24
|
+
# Toplevel JSON key for the an installed app configuration.
|
25
|
+
# Must include client_id and client_secret subkeys if present.
|
23
26
|
INSTALLED_APP = "installed".freeze
|
27
|
+
# Toplevel JSON key for the a webapp configuration.
|
28
|
+
# Must include client_id and client_secret subkeys if present.
|
24
29
|
WEB_APP = "web".freeze
|
30
|
+
# JSON key for the client ID within an app configuration.
|
25
31
|
CLIENT_ID = "client_id".freeze
|
32
|
+
# JSON key for the client secret within an app configuration.
|
26
33
|
CLIENT_SECRET = "client_secret".freeze
|
34
|
+
# An error message raised when none of the expected toplevel properties
|
35
|
+
# can be found.
|
27
36
|
MISSING_TOP_LEVEL_ELEMENT_ERROR =
|
28
37
|
"Expected top level property 'installed' or 'web' to be present.".freeze
|
29
38
|
|
39
|
+
##
|
30
40
|
# Text identifier of the client ID
|
31
41
|
# @return [String]
|
42
|
+
#
|
32
43
|
attr_reader :id
|
33
44
|
|
45
|
+
##
|
34
46
|
# Secret associated with the client ID
|
35
47
|
# @return [String]
|
48
|
+
#
|
36
49
|
attr_reader :secret
|
37
50
|
|
38
51
|
class << self
|
39
52
|
attr_accessor :default
|
40
53
|
end
|
41
54
|
|
42
|
-
|
55
|
+
##
|
56
|
+
# Initialize the Client ID. Both id and secret must be non-nil.
|
43
57
|
#
|
44
58
|
# @param [String] id
|
45
59
|
# Text identifier of the client ID
|
46
60
|
# @param [String] secret
|
47
61
|
# Secret associated with the client ID
|
48
|
-
# @note
|
49
|
-
#
|
62
|
+
# @note Direct instantiation is discouraged to avoid embedding IDs
|
63
|
+
# and secrets in source. See {#from_file} to load from
|
50
64
|
# `client_secrets.json` files.
|
65
|
+
#
|
51
66
|
def initialize id, secret
|
52
|
-
CredentialsLoader.warn_if_cloud_sdk_credentials id
|
53
67
|
raise "Client id can not be nil" if id.nil?
|
54
68
|
raise "Client secret can not be nil" if secret.nil?
|
55
69
|
@id = id
|
56
70
|
@secret = secret
|
57
71
|
end
|
58
72
|
|
73
|
+
##
|
59
74
|
# Constructs a Client ID from a JSON file downloaded from the
|
60
75
|
# Google Developers Console.
|
61
76
|
#
|
62
77
|
# @param [String, File] file
|
63
78
|
# Path of file to read from
|
64
79
|
# @return [Google::Auth::ClientID]
|
80
|
+
#
|
65
81
|
def self.from_file file
|
66
82
|
raise "File can not be nil." if file.nil?
|
67
83
|
File.open file.to_s do |f|
|
@@ -71,13 +87,14 @@ module Google
|
|
71
87
|
end
|
72
88
|
end
|
73
89
|
|
90
|
+
##
|
74
91
|
# Constructs a Client ID from a previously loaded JSON file. The hash
|
75
|
-
# structure should
|
76
|
-
# match the expected JSON format.
|
92
|
+
# structure should match the expected JSON format.
|
77
93
|
#
|
78
94
|
# @param [hash] config
|
79
95
|
# Parsed contents of the JSON file
|
80
96
|
# @return [Google::Auth::ClientID]
|
97
|
+
#
|
81
98
|
def self.from_hash config
|
82
99
|
raise "Hash can not be nil." if config.nil?
|
83
100
|
raw_detail = config[INSTALLED_APP] || config[WEB_APP]
|
@@ -12,9 +12,8 @@
|
|
12
12
|
# See the License for the specific language governing permissions and
|
13
13
|
# limitations under the License.
|
14
14
|
|
15
|
-
require "
|
15
|
+
require "google-cloud-env"
|
16
16
|
require "googleauth/signet"
|
17
|
-
require "memoist"
|
18
17
|
|
19
18
|
module Google
|
20
19
|
# Module Auth provides classes that provide Google-specific authorization
|
@@ -34,74 +33,69 @@ module Google
|
|
34
33
|
# Extends Signet::OAuth2::Client so that the auth token is obtained from
|
35
34
|
# the GCE metadata server.
|
36
35
|
class GCECredentials < Signet::OAuth2::Client
|
37
|
-
#
|
38
|
-
# systems.
|
36
|
+
# @private Unused and deprecated but retained to prevent breaking changes
|
39
37
|
DEFAULT_METADATA_HOST = "169.254.169.254".freeze
|
40
38
|
|
41
|
-
# @private Unused and deprecated
|
39
|
+
# @private Unused and deprecated but retained to prevent breaking changes
|
42
40
|
COMPUTE_AUTH_TOKEN_URI =
|
43
41
|
"http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze
|
44
|
-
# @private Unused and deprecated
|
42
|
+
# @private Unused and deprecated but retained to prevent breaking changes
|
45
43
|
COMPUTE_ID_TOKEN_URI =
|
46
44
|
"http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity".freeze
|
47
|
-
# @private Unused and deprecated
|
45
|
+
# @private Unused and deprecated but retained to prevent breaking changes
|
48
46
|
COMPUTE_CHECK_URI = "http://169.254.169.254".freeze
|
49
47
|
|
50
48
|
class << self
|
51
|
-
|
52
|
-
|
49
|
+
# @private Unused and deprecated
|
53
50
|
def metadata_host
|
54
51
|
ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST
|
55
52
|
end
|
56
53
|
|
54
|
+
# @private Unused and deprecated
|
57
55
|
def compute_check_uri
|
58
56
|
"http://#{metadata_host}".freeze
|
59
57
|
end
|
60
58
|
|
59
|
+
# @private Unused and deprecated
|
61
60
|
def compute_auth_token_uri
|
62
61
|
"#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/token".freeze
|
63
62
|
end
|
64
63
|
|
64
|
+
# @private Unused and deprecated
|
65
65
|
def compute_id_token_uri
|
66
66
|
"#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/identity".freeze
|
67
67
|
end
|
68
68
|
|
69
69
|
# Detect if this appear to be a GCE instance, by checking if metadata
|
70
70
|
# is available.
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
headers = { "Metadata-Flavor" => "Google" }
|
75
|
-
resp = c.get compute_check_uri, nil, headers do |req|
|
76
|
-
req.options.timeout = 1.0
|
77
|
-
req.options.open_timeout = 0.1
|
78
|
-
end
|
79
|
-
return false unless resp.status == 200
|
80
|
-
resp.headers["Metadata-Flavor"] == "Google"
|
81
|
-
rescue Faraday::TimeoutError, Faraday::ConnectionFailed
|
82
|
-
false
|
71
|
+
# The parameters are deprecated and unused.
|
72
|
+
def on_gce? _options = {}, _reload = false # rubocop:disable Style/OptionalBooleanParameter
|
73
|
+
Google::Cloud.env.metadata?
|
83
74
|
end
|
84
75
|
|
85
|
-
|
76
|
+
def reset_cache
|
77
|
+
Google::Cloud.env.compute_metadata.reset_existence!
|
78
|
+
Google::Cloud.env.compute_metadata.cache.expire_all!
|
79
|
+
end
|
80
|
+
alias unmemoize_all reset_cache
|
86
81
|
end
|
87
82
|
|
88
83
|
# Overrides the super class method to change how access tokens are
|
89
84
|
# fetched.
|
90
|
-
def fetch_access_token
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
query
|
96
|
-
|
85
|
+
def fetch_access_token _options = {}
|
86
|
+
if token_type == :id_token
|
87
|
+
query = { "audience" => target_audience, "format" => "full" }
|
88
|
+
entry = "service-accounts/default/identity"
|
89
|
+
else
|
90
|
+
query = {}
|
91
|
+
entry = "service-accounts/default/token"
|
92
|
+
end
|
93
|
+
query[:scopes] = Array(scope).join "," if scope
|
94
|
+
begin
|
95
|
+
resp = Google::Cloud.env.lookup_metadata_response "instance", entry, query: query
|
97
96
|
case resp.status
|
98
97
|
when 200
|
99
|
-
|
100
|
-
if ["text/html", "application/text"].include? content_type
|
101
|
-
{ (target_audience ? "id_token" : "access_token") => resp.body }
|
102
|
-
else
|
103
|
-
Signet::OAuth2.parse_credentials resp.body, content_type
|
104
|
-
end
|
98
|
+
build_token_hash resp.body, resp.headers["content-type"], resp.retrieval_monotonic_time
|
105
99
|
when 403, 500
|
106
100
|
msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
|
107
101
|
raise Signet::UnexpectedStatusError, msg
|
@@ -111,7 +105,33 @@ module Google
|
|
111
105
|
msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
|
112
106
|
raise Signet::AuthorizationError, msg
|
113
107
|
end
|
108
|
+
rescue Google::Cloud::Env::MetadataServerNotResponding => e
|
109
|
+
raise Signet::AuthorizationError, e.message
|
110
|
+
end
|
111
|
+
end
|
112
|
+
|
113
|
+
private
|
114
|
+
|
115
|
+
def build_token_hash body, content_type, retrieval_time
|
116
|
+
hash =
|
117
|
+
if ["text/html", "application/text"].include? content_type
|
118
|
+
{ token_type.to_s => body }
|
119
|
+
else
|
120
|
+
Signet::OAuth2.parse_credentials body, content_type
|
121
|
+
end
|
122
|
+
universe_domain = Google::Cloud.env.lookup_metadata "universe", "universe_domain"
|
123
|
+
universe_domain = "googleapis.com" if !universe_domain || universe_domain.empty?
|
124
|
+
hash["universe_domain"] = universe_domain.strip
|
125
|
+
# The response might have been cached, which means expires_in might be
|
126
|
+
# stale. Update it based on the time since the data was retrieved.
|
127
|
+
# We also ensure expires_in is conservative; subtracting at least 1
|
128
|
+
# second to offset any skew from metadata server latency.
|
129
|
+
if hash["expires_in"].is_a? Numeric
|
130
|
+
offset = 1 + (Process.clock_gettime(Process::CLOCK_MONOTONIC) - retrieval_time).round
|
131
|
+
hash["expires_in"] -= offset if offset.positive?
|
132
|
+
hash["expires_in"] = 0 if hash["expires_in"].negative?
|
114
133
|
end
|
134
|
+
hash
|
115
135
|
end
|
116
136
|
end
|
117
137
|
end
|
@@ -259,7 +259,7 @@ module Google
|
|
259
259
|
# @return [Object] The value
|
260
260
|
#
|
261
261
|
def self.lookup_auth_param name, method_name = name
|
262
|
-
val = instance_variable_get "@#{name}"
|
262
|
+
val = instance_variable_get :"@#{name}"
|
263
263
|
val = yield if val.nil? && block_given?
|
264
264
|
return val unless val.nil?
|
265
265
|
return superclass.send method_name if superclass.respond_to? method_name
|
@@ -328,9 +328,13 @@ module Google
|
|
328
328
|
# @return [Proc] Returns a reference to the {Signet::OAuth2::Client#apply} method,
|
329
329
|
# suitable for passing as a closure.
|
330
330
|
#
|
331
|
+
# @!attribute [rw] universe_domain
|
332
|
+
# @return [String] The universe domain issuing these credentials.
|
333
|
+
#
|
331
334
|
def_delegators :@client,
|
332
335
|
:token_credential_uri, :audience,
|
333
|
-
:scope, :issuer, :signing_key, :updater_proc, :target_audience
|
336
|
+
:scope, :issuer, :signing_key, :updater_proc, :target_audience,
|
337
|
+
:universe_domain, :universe_domain=
|
334
338
|
|
335
339
|
##
|
336
340
|
# Creates a new Credentials instance with the provided auth credentials, and with the default
|
@@ -355,14 +359,13 @@ module Google
|
|
355
359
|
@project_id = options["project_id"] || options["project"]
|
356
360
|
@quota_project_id = options["quota_project_id"]
|
357
361
|
case keyfile
|
358
|
-
when
|
362
|
+
when Google::Auth::BaseClient
|
359
363
|
update_from_signet keyfile
|
360
364
|
when Hash
|
361
365
|
update_from_hash keyfile, options
|
362
366
|
else
|
363
367
|
update_from_filepath keyfile, options
|
364
368
|
end
|
365
|
-
CredentialsLoader.warn_if_cloud_sdk_credentials @client.client_id
|
366
369
|
@project_id ||= CredentialsLoader.load_gcloud_project_id
|
367
370
|
@client.fetch_access_token! if @client.needs_access_token?
|
368
371
|
@env_vars = nil
|
@@ -507,12 +510,15 @@ module Google
|
|
507
510
|
|
508
511
|
needs_scope = options["target_audience"].nil?
|
509
512
|
# client options for initializing signet client
|
510
|
-
{
|
513
|
+
{
|
514
|
+
token_credential_uri: options["token_credential_uri"],
|
511
515
|
audience: options["audience"],
|
512
516
|
scope: (needs_scope ? Array(options["scope"]) : nil),
|
513
517
|
target_audience: options["target_audience"],
|
514
518
|
issuer: options["client_email"],
|
515
|
-
signing_key: OpenSSL::PKey::RSA.new(options["private_key"])
|
519
|
+
signing_key: OpenSSL::PKey::RSA.new(options["private_key"]),
|
520
|
+
universe_domain: options["universe_domain"] || "googleapis.com"
|
521
|
+
}
|
516
522
|
end
|
517
523
|
|
518
524
|
# rubocop:enable Metrics/AbcSize
|
@@ -527,7 +533,7 @@ module Google
|
|
527
533
|
hash = stringify_hash_keys hash
|
528
534
|
hash["scope"] ||= options[:scope]
|
529
535
|
hash["target_audience"] ||= options[:target_audience]
|
530
|
-
@project_id ||=
|
536
|
+
@project_id ||= hash["project_id"] || hash["project"]
|
531
537
|
@quota_project_id ||= hash["quota_project_id"]
|
532
538
|
@client = init_client hash, options
|
533
539
|
end
|
@@ -537,7 +543,7 @@ module Google
|
|
537
543
|
json = JSON.parse ::File.read(path)
|
538
544
|
json["scope"] ||= options[:scope]
|
539
545
|
json["target_audience"] ||= options[:target_audience]
|
540
|
-
@project_id ||=
|
546
|
+
@project_id ||= json["project_id"] || json["project"]
|
541
547
|
@quota_project_id ||= json["quota_project_id"]
|
542
548
|
@client = init_client json, options
|
543
549
|
end
|
@@ -30,6 +30,11 @@ module Google
|
|
30
30
|
REFRESH_TOKEN_VAR = "GOOGLE_REFRESH_TOKEN".freeze
|
31
31
|
ACCOUNT_TYPE_VAR = "GOOGLE_ACCOUNT_TYPE".freeze
|
32
32
|
PROJECT_ID_VAR = "GOOGLE_PROJECT_ID".freeze
|
33
|
+
AWS_REGION_VAR = "AWS_REGION".freeze
|
34
|
+
AWS_DEFAULT_REGION_VAR = "AWS_DEFAULT_REGION".freeze
|
35
|
+
AWS_ACCESS_KEY_ID_VAR = "AWS_ACCESS_KEY_ID".freeze
|
36
|
+
AWS_SECRET_ACCESS_KEY_VAR = "AWS_SECRET_ACCESS_KEY".freeze
|
37
|
+
AWS_SESSION_TOKEN_VAR = "AWS_SESSION_TOKEN".freeze
|
33
38
|
GCLOUD_POSIX_COMMAND = "gcloud".freeze
|
34
39
|
GCLOUD_WINDOWS_COMMAND = "gcloud.cmd".freeze
|
35
40
|
GCLOUD_CONFIG_COMMAND = "config config-helper --format json --verbosity none".freeze
|
@@ -41,16 +46,9 @@ module Google
|
|
41
46
|
|
42
47
|
SYSTEM_DEFAULT_ERROR = "Unable to read the system default credential file".freeze
|
43
48
|
|
44
|
-
CLOUD_SDK_CLIENT_ID = "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app"\
|
49
|
+
CLOUD_SDK_CLIENT_ID = "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app" \
|
45
50
|
"s.googleusercontent.com".freeze
|
46
51
|
|
47
|
-
CLOUD_SDK_CREDENTIALS_WARNING =
|
48
|
-
"Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most" \
|
49
|
-
" server applications use service accounts instead. If your application continues to use end user credentials" \
|
50
|
-
' from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For more information about' \
|
51
|
-
" service accounts, see https://cloud.google.com/docs/authentication/. To suppress this message, set the"\
|
52
|
-
" GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS environment variable.".freeze
|
53
|
-
|
54
52
|
# make_creds proxies the construction of a credentials instance
|
55
53
|
#
|
56
54
|
# By default, it calls #new on the current class, but this behaviour can
|
@@ -144,12 +142,6 @@ module Google
|
|
144
142
|
|
145
143
|
module_function
|
146
144
|
|
147
|
-
# Issues warning if cloud sdk client id is used
|
148
|
-
def warn_if_cloud_sdk_credentials client_id
|
149
|
-
return if ENV["GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS"]
|
150
|
-
warn CLOUD_SDK_CREDENTIALS_WARNING if client_id == CLOUD_SDK_CLIENT_ID
|
151
|
-
end
|
152
|
-
|
153
145
|
# Finds project_id from gcloud CLI configuration
|
154
146
|
def load_gcloud_project_id
|
155
147
|
gcloud = GCLOUD_WINDOWS_COMMAND if OS.windows?
|
@@ -18,6 +18,7 @@ require "stringio"
|
|
18
18
|
require "googleauth/credentials_loader"
|
19
19
|
require "googleauth/service_account"
|
20
20
|
require "googleauth/user_refresh"
|
21
|
+
require "googleauth/external_account"
|
21
22
|
|
22
23
|
module Google
|
23
24
|
# Module Auth provides classes that provide Google-specific authorization
|
@@ -34,11 +35,9 @@ module Google
|
|
34
35
|
json_key_io = options[:json_key_io]
|
35
36
|
if json_key_io
|
36
37
|
json_key, clz = determine_creds_class json_key_io
|
37
|
-
warn_if_cloud_sdk_credentials json_key["client_id"]
|
38
38
|
io = StringIO.new MultiJson.dump(json_key)
|
39
39
|
clz.make_creds options.merge(json_key_io: io)
|
40
40
|
else
|
41
|
-
warn_if_cloud_sdk_credentials ENV[CredentialsLoader::CLIENT_ID_VAR]
|
42
41
|
clz = read_creds
|
43
42
|
clz.make_creds options
|
44
43
|
end
|
@@ -53,6 +52,8 @@ module Google
|
|
53
52
|
ServiceAccountCredentials
|
54
53
|
when "authorized_user"
|
55
54
|
UserRefreshCredentials
|
55
|
+
when "external_account"
|
56
|
+
ExternalAccount::Credentials
|
56
57
|
else
|
57
58
|
raise "credentials type '#{type}' is not supported"
|
58
59
|
end
|
@@ -69,6 +70,8 @@ module Google
|
|
69
70
|
[json_key, ServiceAccountCredentials]
|
70
71
|
when "authorized_user"
|
71
72
|
[json_key, UserRefreshCredentials]
|
73
|
+
when "external_account"
|
74
|
+
[json_key, ExternalAccount::Credentials]
|
72
75
|
else
|
73
76
|
raise "credentials type '#{type}' is not supported"
|
74
77
|
end
|