googleauth 1.3.0 → 1.13.1

data/lib/googleauth/service_account.rb

@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+require "google/logging/message"
 require "googleauth/signet"
 require "googleauth/credentials_loader"
 require "googleauth/json_key_reader"
@@ -39,7 +40,11 @@ module Google
       attr_reader :quota_project_id
 
       def enable_self_signed_jwt?
-        @enable_self_signed_jwt
+        # Use a self-singed JWT if there's no information that can be used to
+        # obtain an OAuth token, OR if there are scopes but also an assertion
+        # that they are default scopes that shouldn't be used to fetch a token,
+        # OR we are not in the default universe and thus OAuth isn't supported.
+        target_audience.nil? && (scope.nil? || @enable_self_signed_jwt || universe_domain != "googleapis.com")
       end
 
       # Creates a ServiceAccountCredentials.
@@ -53,12 +58,13 @@ module Google
         raise ArgumentError, "Cannot specify both scope and target_audience" if scope && target_audience
 
         if json_key_io
-          private_key, client_email, project_id, quota_project_id = read_json_key json_key_io
+          private_key, client_email, project_id, quota_project_id, universe_domain = read_json_key json_key_io
         else
           private_key = unescape ENV[CredentialsLoader::PRIVATE_KEY_VAR]
           client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
           project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
           quota_project_id = nil
+          universe_domain = nil
         end
         project_id ||= CredentialsLoader.load_gcloud_project_id
 
@@ -70,10 +76,35 @@ module Google
             issuer:                 client_email,
             signing_key:            OpenSSL::PKey::RSA.new(private_key),
             project_id:             project_id,
-            quota_project_id:       quota_project_id)
+            quota_project_id:       quota_project_id,
+            universe_domain:        universe_domain || "googleapis.com")
           .configure_connection(options)
       end
 
+      # Creates a duplicate of these credentials
+      # without the Signet::OAuth2::Client-specific
+      # transient state (e.g. cached tokens)
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized in addition to keys in the
+      #   Signet::OAuth2::Client
+      #   * `:enable_self_signed_jwt` Whether the self-signed JWT should
+      #     be used for the authentication
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #     during the authentication
+      def duplicate options = {}
+        options = deep_hash_normalize options
+        super(
+          {
+            enable_self_signed_jwt: @enable_self_signed_jwt,
+            project_id: project_id,
+            quota_project_id: quota_project_id,
+            logger: logger
+          }.merge(options)
+        )
+      end
+
       # Handles certain escape sequences that sometimes appear in input.
       # Specifically, interprets the "\n" sequence for newline, and removes
       # enclosing quotes.
@@ -93,16 +124,44 @@ module Google
       # Extends the base class to use a transient
       # ServiceAccountJwtHeaderCredentials for certain cases.
       def apply! a_hash, opts = {}
-        # Use a self-singed JWT if there's no information that can be used to
-        # obtain an OAuth token, OR if there are scopes but also an assertion
-        # that they are default scopes that shouldn't be used to fetch a token.
-        if target_audience.nil? && (scope.nil? || enable_self_signed_jwt?)
+        if enable_self_signed_jwt?
           apply_self_signed_jwt! a_hash
         else
           super
         end
       end
 
+      # Modifies this logic so it also requires self-signed-jwt to be disabled
+      def needs_access_token?
+        super && !enable_self_signed_jwt?
+      end
+
+      # Destructively updates these credentials
+      #
+      # This method is called by `Signet::OAuth2::Client`'s constructor
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized in addition to keys in the
+      #   Signet::OAuth2::Client
+      #   * `:enable_self_signed_jwt` Whether the self-signed JWT should
+      #     be used for the authentication
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #     during the authentication
+      # @return [Google::Auth::ServiceAccountCredentials]
+      def update! options = {}
+        # Normalize all keys to symbols to allow indifferent access.
+        options = deep_hash_normalize options
+
+        @enable_self_signed_jwt = options[:enable_self_signed_jwt] ? true : false
+        @project_id = options[:project_id] if options.key? :project_id
+        @quota_project_id = options[:quota_project_id] if options.key? :quota_project_id
+
+        super(options)
+
+        self
+      end
+
       private
 
       def apply_self_signed_jwt! a_hash
@@ -115,6 +174,7 @@ module Google
         }
         key_io = StringIO.new MultiJson.dump(cred_json)
         alt = ServiceAccountJwtHeaderCredentials.make_creds json_key_io: key_io, scope: scope
+        alt.logger = logger
         alt.apply! a_hash
       end
     end
@@ -130,14 +190,18 @@ module Google
     # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
     class ServiceAccountJwtHeaderCredentials
       JWT_AUD_URI_KEY = :jwt_aud_uri
-      AUTH_METADATA_KEY = Signet::OAuth2::AUTH_METADATA_KEY
+      AUTH_METADATA_KEY = Google::Auth::BaseClient::AUTH_METADATA_KEY
       TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
       SIGNING_ALGORITHM = "RS256".freeze
       EXPIRY = 60
+
       extend CredentialsLoader
       extend JsonKeyReader
+
       attr_reader :project_id
       attr_reader :quota_project_id
+      attr_accessor :universe_domain
+      attr_accessor :logger
 
       # Create a ServiceAccountJwtHeaderCredentials.
       #
@@ -154,17 +218,46 @@ module Google
       def initialize options = {}
         json_key_io = options[:json_key_io]
         if json_key_io
-          @private_key, @issuer, @project_id, @quota_project_id =
+          @private_key, @issuer, @project_id, @quota_project_id, @universe_domain =
             self.class.read_json_key json_key_io
         else
-          @private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
-          @issuer = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
-          @project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
-          @quota_project_id = nil
+          @private_key = options.key?(:private_key) ? options[:private_key] : ENV[CredentialsLoader::PRIVATE_KEY_VAR]
+          @issuer = options.key?(:issuer) ? options[:issuer] : ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
+          @project_id = options.key?(:project_id) ? options[:project_id] : ENV[CredentialsLoader::PROJECT_ID_VAR]
+          @quota_project_id = options[:quota_project_id] if options.key? :quota_project_id
+          @universe_domain = options[:universe_domain] if options.key? :universe_domain
         end
+        @universe_domain ||= "googleapis.com"
         @project_id ||= CredentialsLoader.load_gcloud_project_id
         @signing_key = OpenSSL::PKey::RSA.new @private_key
-        @scope = options[:scope]
+        @scope = options[:scope] if options.key? :scope
+        @logger = options[:logger] if options.key? :scope
+      end
+
+      # Creates a duplicate of these credentials
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized
+      #   * `private key` the private key in string form
+      #   * `issuer` the SA issuer
+      #   * `scope` the scope(s) to access
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #   * `universe_domain` the universe domain of the credentials
+      def duplicate options = {}
+        options = deep_hash_normalize options
+
+        options = {
+          private_key: @private_key,
+          issuer: @issuer,
+          scope: @scope,
+          project_id: project_id,
+          quota_project_id: quota_project_id,
+          universe_domain: universe_domain,
+          logger: logger
+        }.merge(options)
+
+        self.class.new options
       end
 
       # Construct a jwt token if the JWT_AUD_URI key is present in the input
@@ -176,10 +269,14 @@ module Google
         return a_hash if jwt_aud_uri.nil? && @scope.nil?
         jwt_token = new_jwt_token jwt_aud_uri, opts
         a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
+        logger&.debug do
+          hash = Digest::SHA256.hexdigest jwt_token
+          Google::Logging::Message.from message: "Sending JWT auth token. (sha256:#{hash})"
+        end
         a_hash
       end
 
-      # Returns a clone of a_hash updated with the authoriation header
+      # Returns a clone of a_hash updated with the authorization header
       def apply a_hash, opts = {}
         a_copy = a_hash.clone
         apply! a_copy, opts
@@ -192,8 +289,6 @@ module Google
         proc { |a_hash, opts = {}| apply a_hash, opts }
       end
 
-      protected
-
       # Creates a jwt uri token.
       def new_jwt_token jwt_aud_uri = nil, options = {}
         now = Time.new
@@ -210,8 +305,34 @@ module Google
         assertion["scope"] = Array(@scope).join " " if @scope
         assertion["aud"] = jwt_aud_uri if jwt_aud_uri
 
+        logger&.debug do
+          Google::Logging::Message.from message: "JWT assertion: #{assertion}"
+        end
+
         JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
       end
+
+      # Duck-types the corresponding method from BaseClient
+      def needs_access_token?
+        false
+      end
+
+      private
+
+      def deep_hash_normalize old_hash
+        sym_hash = {}
+        old_hash&.each { |k, v| sym_hash[k.to_sym] = recursive_hash_normalize_keys v }
+        sym_hash
+      end
+
+      # Convert all keys in this hash (nested) to symbols for uniform retrieval
+      def recursive_hash_normalize_keys val
+        if val.is_a? Hash
+          deep_hash_normalize val
+        else
+          val
+        end
+      end
     end
   end
 end

data/lib/googleauth/signet.rb

@@ -12,58 +12,61 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+require "base64"
+require "json"
 require "signet/oauth_2/client"
+require "googleauth/base_client"
 
 module Signet
   # OAuth2 supports OAuth2 authentication.
   module OAuth2
-    AUTH_METADATA_KEY = :authorization
     # Signet::OAuth2::Client creates an OAuth2 client
     #
     # This reopens Client to add #apply and #apply! methods which update a
     # hash with the fetched authentication token.
     class Client
-      def configure_connection options
-        @connection_info =
-          options[:connection_builder] || options[:default_connection]
+      include Google::Auth::BaseClient
+
+      alias update_token_signet_base update_token!
+
+      def update_token! options = {}
+        options = deep_hash_normalize options
+        id_token_expires_at = expires_at_from_id_token options[:id_token]
+        options[:expires_at] = id_token_expires_at if id_token_expires_at
+        update_token_signet_base options
+        self.universe_domain = options[:universe_domain] if options.key? :universe_domain
         self
       end
 
-      # The token type as symbol, either :id_token or :access_token
-      def token_type
-        target_audience ? :id_token : :access_token
-      end
+      alias update_signet_base update!
+      def update! options = {}
+        # Normalize all keys to symbols to allow indifferent access.
+        options = deep_hash_normalize options
 
-      # Whether the id_token or access_token is missing or about to expire.
-      def needs_access_token?
-        send(token_type).nil? || expires_within?(60)
-      end
+        # This `update!` method "overide" adds the `@logger`` update and
+        # the `universe_domain` update.
+        #
+        # The `universe_domain` is also updated in `update_token!` but is
+        # included here for completeness
+        self.universe_domain = options[:universe_domain] if options.key? :universe_domain
+        @logger = options[:logger] if options.key? :logger
 
-      # Updates a_hash updated with the authentication token
-      def apply! a_hash, opts = {}
-        # fetch the access token there is currently not one, or if the client
-        # has expired
-        fetch_access_token! opts if needs_access_token?
-        a_hash[AUTH_METADATA_KEY] = "Bearer #{send token_type}"
+        update_signet_base options
       end
 
-      # Returns a clone of a_hash updated with the authentication token
-      def apply a_hash, opts = {}
-        a_copy = a_hash.clone
-        apply! a_copy, opts
-        a_copy
+      def configure_connection options
+        @connection_info =
+          options[:connection_builder] || options[:default_connection]
+        self
       end
 
-      # Returns a reference to the #apply method, suitable for passing as
-      # a closure
-      def updater_proc
-        proc { |a_hash, opts = {}| apply a_hash, opts }
+      # The token type as symbol, either :id_token or :access_token
+      def token_type
+        target_audience ? :id_token : :access_token
       end
 
-      def on_refresh &block
-        @refresh_listeners = [] unless defined? @refresh_listeners
-        @refresh_listeners << block
-      end
+      # Set the universe domain
+      attr_accessor :universe_domain
 
       alias orig_fetch_access_token! fetch_access_token!
       def fetch_access_token! options = {}
@@ -78,11 +81,22 @@ module Signet
         info
       end
 
-      def notify_refresh_listeners
-        listeners = defined?(@refresh_listeners) ? @refresh_listeners : []
-        listeners.each do |block|
-          block.call self
+      alias googleauth_orig_generate_access_token_request generate_access_token_request
+      def generate_access_token_request options = {}
+        parameters = googleauth_orig_generate_access_token_request options
+        logger&.info do
+          Google::Logging::Message.from(
+            message: "Requesting access token from #{parameters['grant_type']}",
+            "credentialsId" => object_id
+          )
+        end
+        logger&.debug do
+          Google::Logging::Message.from(
+            message: "Token fetch params: #{parameters}",
+            "credentialsId" => object_id
+          )
         end
+        parameters
       end
 
       def build_default_connection
@@ -99,20 +113,117 @@ module Signet
         retry_count = 0
 
         begin
-          yield
+          yield.tap { |resp| log_response resp }
         rescue StandardError => e
-          raise e if e.is_a?(Signet::AuthorizationError) || e.is_a?(Signet::ParseError)
+          if e.is_a?(Signet::AuthorizationError) || e.is_a?(Signet::ParseError)
+            log_auth_error e
+            raise e
+          end
 
           if retry_count < max_retry_count
+            log_transient_error e
             retry_count += 1
             sleep retry_count * 0.3
             retry
           else
+            log_retries_exhausted e
             msg = "Unexpected error: #{e.inspect}"
             raise Signet::AuthorizationError, msg
           end
         end
       end
+
+      # Creates a duplicate of these credentials
+      # without the Signet::OAuth2::Client-specific
+      # transient state (e.g. cached tokens)
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      # @see Signet::OAuth2::Client#update!
+      def duplicate options = {}
+        options = deep_hash_normalize options
+
+        opts = {
+          authorization_uri: @authorization_uri,
+          token_credential_uri: @token_credential_uri,
+          client_id: @client_id,
+          client_secret: @client_secret,
+          scope: @scope,
+          target_audience: @target_audience,
+          redirect_uri: @redirect_uri,
+          username: @username,
+          password: @password,
+          issuer: @issuer,
+          person: @person,
+          sub: @sub,
+          audience: @audience,
+          signing_key: @signing_key,
+          extension_parameters: @extension_parameters,
+          additional_parameters: @additional_parameters,
+          access_type: @access_type,
+          universe_domain: @universe_domain,
+          logger: @logger
+        }.merge(options)
+
+        new_client = self.class.new opts
+
+        new_client.configure_connection options
+      end
+
+      private
+
+      def expires_at_from_id_token id_token
+        match = /^[\w=-]+\.([\w=-]+)\.[\w=-]+$/.match id_token.to_s
+        return unless match
+        json = JSON.parse Base64.urlsafe_decode64 match[1]
+        return unless json.key? "exp"
+        Time.at json["exp"].to_i
+      rescue StandardError
+        # Shouldn't happen unless we get a garbled ID token
+        nil
+      end
+
+      def log_response token_response
+        response_hash = JSON.parse token_response rescue {}
+        if response_hash["access_token"]
+          digest = Digest::SHA256.hexdigest response_hash["access_token"]
+          response_hash["access_token"] = "(sha256:#{digest})"
+        end
+        if response_hash["id_token"]
+          digest = Digest::SHA256.hexdigest response_hash["id_token"]
+          response_hash["id_token"] = "(sha256:#{digest})"
+        end
+        Google::Logging::Message.from(
+          message: "Received auth token response: #{response_hash}",
+          "credentialsId" => object_id
+        )
+      end
+
+      def log_auth_error err
+        logger&.info do
+          Google::Logging::Message.from(
+            message: "Auth error when fetching auth token: #{err}",
+            "credentialsId" => object_id
+          )
+        end
+      end
+
+      def log_transient_error err
+        logger&.info do
+          Google::Logging::Message.from(
+            message: "Transient error when fetching auth token: #{err}",
+            "credentialsId" => object_id
+          )
+        end
+      end
+
+      def log_retries_exhausted err
+        logger&.info do
+          Google::Logging::Message.from(
+            message: "Exhausted retries when fetching auth token: #{err}",
+            "credentialsId" => object_id
+          )
+        end
+      end
     end
   end
 end

data/lib/googleauth/token_store.rb

@@ -29,7 +29,7 @@ module Google
       # @return [String]
       #  The loaded token data.
       def load _id
-        raise "Not implemented"
+        raise NoMethodError, "load not implemented"
       end
 
       # Put the token data into storage for the given ID.
@@ -39,7 +39,7 @@ module Google
       # @param [String] token
       #  The token data to store.
       def store _id, _token
-        raise "Not implemented"
+        raise NoMethodError, "store not implemented"
       end
 
       # Remove the token data from storage for the given ID.
@@ -47,7 +47,7 @@ module Google
       # @param [String] id
       #  ID of the token data to delete
       def delete _id
-        raise "Not implemented"
+        raise NoMethodError, "delete not implemented"
       end
     end
   end

data/lib/googleauth/user_authorizer.rb

@@ -16,6 +16,7 @@ require "uri"
 require "multi_json"
 require "googleauth/signet"
 require "googleauth/user_refresh"
+require "securerandom"
 
 module Google
   module Auth
@@ -54,17 +55,26 @@ module Google
       #  Authorization scope to request
       # @param [Google::Auth::Stores::TokenStore] token_store
       #  Backing storage for persisting user credentials
-      # @param [String] callback_uri
+      # @param [String] legacy_callback_uri
       #  URL (either absolute or relative) of the auth callback.
-      #  Defaults to '/oauth2callback'
-      def initialize client_id, scope, token_store, callback_uri = nil
+      #  Defaults to '/oauth2callback'.
+      #  @deprecated This field is deprecated. Instead, use the keyword
+      #   argument callback_uri.
+      # @param [String] code_verifier
+      #  Random string of 43-128 chars used to verify the key exchange using
+      #  PKCE.
+      def initialize client_id, scope, token_store,
+                     legacy_callback_uri = nil,
+                     callback_uri: nil,
+                     code_verifier: nil
         raise NIL_CLIENT_ID_ERROR if client_id.nil?
         raise NIL_SCOPE_ERROR if scope.nil?
 
         @client_id = client_id
         @scope = Array(scope)
         @token_store = token_store
-        @callback_uri = callback_uri || "/oauth2callback"
+        @callback_uri = legacy_callback_uri || callback_uri || "/oauth2callback"
+        @code_verifier = code_verifier
       end
 
       # Build the URL for requesting authorization.
@@ -80,14 +90,29 @@ module Google
       # @param [String, Array<String>] scope
       #  Authorization scope to request. Overrides the instance scopes if not
       #  nil.
+      # @param [Hash] additional_parameters
+      #  Additional query parameters to be added to the authorization URL.
       # @return [String]
       #  Authorization url
       def get_authorization_url options = {}
         scope = options[:scope] || @scope
+
+        options[:additional_parameters] ||= {}
+
+        if @code_verifier
+          options[:additional_parameters].merge!(
+            {
+              code_challenge: generate_code_challenge(@code_verifier),
+              code_challenge_method: code_challenge_method
+            }
+          )
+        end
+
         credentials = UserRefreshCredentials.new(
           client_id:     @client_id.id,
           client_secret: @client_id.secret,
-          scope:         scope
+          scope:         scope,
+          additional_parameters: options[:additional_parameters]
         )
         redirect_uri = redirect_uri_for options[:base_url]
         url = credentials.authorization_uri(access_type:            "offline",
@@ -144,6 +169,9 @@ module Google
       #  Absolute URL to resolve the configured callback uri against.
       #  Required if the configured
       #  callback uri is a relative.
+      # @param [Hash] additional_parameters
+      #  Additional parameters to be added to the post body of token
+      #  endpoint request.
       # @return [Google::Auth::UserRefreshCredentials]
       #  Credentials if exchange is successful
       def get_credentials_from_code options = {}
@@ -151,11 +179,14 @@ module Google
         code = options[:code]
         scope = options[:scope] || @scope
         base_url = options[:base_url]
+        options[:additional_parameters] ||= {}
+        options[:additional_parameters].merge!({ code_verifier: @code_verifier })
         credentials = UserRefreshCredentials.new(
-          client_id:     @client_id.id,
-          client_secret: @client_id.secret,
-          redirect_uri:  redirect_uri_for(base_url),
-          scope:         scope
+          client_id:             @client_id.id,
+          client_secret:         @client_id.secret,
+          redirect_uri:          redirect_uri_for(base_url),
+          scope:                 scope,
+          additional_parameters: options[:additional_parameters]
         )
         credentials.code = code
         credentials.fetch_access_token!({})
@@ -221,6 +252,23 @@ module Google
         credentials
       end
 
+      # The code verifier for PKCE for OAuth 2.0. When set, the
+      # authorization URI will contain the Code Challenge and Code
+      # Challenge Method querystring parameters, and the token URI will
+      # contain the Code Verifier parameter.
+      #
+      # @param [String|nil] new_code_erifier
+      def code_verifier= new_code_verifier
+        @code_verifier = new_code_verifier
+      end
+
+      # Generate the code verifier needed to be sent while fetching
+      # authorization URL.
+      def self.generate_code_verifier
+        random_number = rand 32..96
+        SecureRandom.alphanumeric random_number
+      end
+
       private
 
       # @private Fetch stored token with given user_id
@@ -265,6 +313,15 @@ module Google
       def uri_is_postmessage? uri
         uri.to_s.casecmp("postmessage").zero?
       end
+
+      def generate_code_challenge code_verifier
+        digest = Digest::SHA256.digest code_verifier
+        Base64.urlsafe_encode64 digest, padding: false
+      end
+
+      def code_challenge_method
+        "S256"
+      end
     end
   end
 end