googleauth 1.3.0 → 1.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0bc48c47d78d7ec955a2a5557fc8f1cff502a28dd1e18c5af3fc566be5743171
4
- data.tar.gz: 220a8fed81a73d5bc93a2fca2951a749b9469cb769a198cf13564ad7f714ac90
3
+ metadata.gz: 37795e56189392a97d5941b4982730ffa2ee1dd53ec63593bbb7f5ad50be044e
4
+ data.tar.gz: 72d6b584c89c321698485bda1e4aef33f361ed35da4762bd22b5dc4634556f8f
5
5
  SHA512:
6
- metadata.gz: 73f52ffce21a05e15102b54aabbcb3cb199d32e9caf318b125b48b6caeddc01f77c3de4ea09513b0b1e9e503c912e55adf5864b4295b86af0620aa0c7df25df4
7
- data.tar.gz: 7ec107faa35d72aa1fd8e79b86b30df9acf061ce86ac52641bc12b69391f0b4f2adde8021b908327e379dee65c1e2ed7ed1b203e629ca1f4d25a988e80c31eb2
6
+ metadata.gz: 1dcfc8f1e8e65f9b4b27c4933e71faffd2998d11766307cf464d0551d5f37e41c266e840a340a9aba41d49f44d05005006077526851b1b33e277ce3155d16370
7
+ data.tar.gz: f036b3403998c93f41eae33c472ad714758e6c6d06e9a1b197b53d118d182c2abb9caf40636ff63c152e2186642430de824e7929dcd2978cd358a5bd03194c1c
data/CHANGELOG.md CHANGED
@@ -1,5 +1,63 @@
1
1
  # Release History
2
2
 
3
+ ### 1.8.1 (2023-09-19)
4
+
5
+ #### Documentation
6
+
7
+ * improve ADC related error and warning messages ([#452](https://github.com/googleapis/google-auth-library-ruby/issues/452))
8
+
9
+ ### 1.8.0 (2023-09-07)
10
+
11
+ #### Features
12
+
13
+ * Pass additional parameters to auhtorization url ([#447](https://github.com/googleapis/google-auth-library-ruby/issues/447))
14
+ #### Documentation
15
+
16
+ * improve ADC related error and warning messages ([#449](https://github.com/googleapis/google-auth-library-ruby/issues/449))
17
+
18
+ ### 1.7.0 (2023-07-14)
19
+
20
+ #### Features
21
+
22
+ * Adding support for pluggable auth credentials ([#437](https://github.com/googleapis/google-auth-library-ruby/issues/437))
23
+ #### Documentation
24
+
25
+ * fixed iss argument and description in comments of IDTokens ([#438](https://github.com/googleapis/google-auth-library-ruby/issues/438))
26
+
27
+ ### 1.6.0 (2023-06-20)
28
+
29
+ #### Features
30
+
31
+ * adding identity pool credentials ([#433](https://github.com/googleapis/google-auth-library-ruby/issues/433))
32
+ #### Documentation
33
+
34
+ * deprecation message for discontinuing command line auth flow ([#435](https://github.com/googleapis/google-auth-library-ruby/issues/435))
35
+
36
+ ### 1.5.2 (2023-04-13)
37
+
38
+ #### Bug Fixes
39
+
40
+ * AWS IMDSV2 session token fetching shall call PUT method instead of GET ([#429](https://github.com/googleapis/google-auth-library-ruby/issues/429))
41
+ * GCECredentials - Allow retrieval of ID token ([#425](https://github.com/googleapis/google-auth-library-ruby/issues/425))
42
+
43
+ ### 1.5.1 (2023-04-10)
44
+
45
+ #### Bug Fixes
46
+
47
+ * Remove external account config validation ([#427](https://github.com/googleapis/google-auth-library-ruby/issues/427))
48
+
49
+ ### 1.5.0 (2023-03-21)
50
+
51
+ #### Features
52
+
53
+ * Add support for AWS Workload Identity Federation ([#418](https://github.com/googleapis/google-auth-library-ruby/issues/418))
54
+
55
+ ### 1.4.0 (2022-12-14)
56
+
57
+ #### Features
58
+
59
+ * make new_jwt_token public in order to fetch raw token directly ([#405](https://github.com/googleapis/google-auth-library-ruby/issues/405))
60
+
3
61
  ### 1.3.0 (2022-10-18)
4
62
 
5
63
  #### Features
data/README.md CHANGED
@@ -97,7 +97,9 @@ get('/oauth2callback') do
97
97
  end
98
98
  ```
99
99
 
100
- ### Example (Command Line)
100
+ ### Example (Command Line) [Deprecated]
101
+
102
+ The Google Auth OOB flow has been discontiued on January 31, 2023. The OOB flow is a legacy flow that is no longer considered secure. To continue using Google Auth, please migrate your applications to a more secure flow. For more information on how to do this, please refer to this [OOB Migration](https://developers.google.com/identity/protocols/oauth2/resources/oob-migration) guide.
101
103
 
102
104
  ```ruby
103
105
  require 'googleauth'
@@ -241,6 +243,6 @@ hesitate to
241
243
  [ask questions](http://stackoverflow.com/questions/tagged/google-auth-library-ruby)
242
244
  about the client or APIs on [StackOverflow](http://stackoverflow.com).
243
245
 
244
- [application default credentials]: https://developers.google.com/accounts/docs/application-default-credentials
246
+ [application default credentials]: https://cloud.google.com/docs/authentication/provide-credentials-adc
245
247
  [contributing]: https://github.com/googleapis/google-auth-library-ruby/tree/main/.github/CONTRIBUTING.md
246
248
  [license]: https://github.com/googleapis/google-auth-library-ruby/tree/main/LICENSE
@@ -20,9 +20,9 @@ module Google
20
20
  # used to access Google APIs.
21
21
  module Auth
22
22
  NOT_FOUND_ERROR = <<~ERROR_MESSAGE.freeze
23
- Could not load the default credentials. Browse to
24
- https://developers.google.com/accounts/docs/application-default-credentials
25
- for more information
23
+ Your credentials were not found. To set up Application Default
24
+ Credentials for your environment, see
25
+ https://cloud.google.com/docs/authentication/external/set-up-adc
26
26
  ERROR_MESSAGE
27
27
 
28
28
  module_function
@@ -57,10 +57,10 @@ module Google
57
57
  return creds unless creds.nil?
58
58
  unless GCECredentials.on_gce? options
59
59
  # Clear cache of the result of GCECredentials.on_gce?
60
- GCECredentials.unmemoize_all
60
+ GCECredentials.reset_cache
61
61
  raise NOT_FOUND_ERROR
62
62
  end
63
- GCECredentials.new scope: scope
63
+ GCECredentials.new options.merge(scope: scope)
64
64
  end
65
65
  end
66
66
  end
@@ -0,0 +1,80 @@
1
+ # Copyright 2023 Google, Inc.
2
+ #
3
+ # Licensed under the Apache License, Version 2.0 (the "License");
4
+ # you may not use this file except in compliance with the License.
5
+ # You may obtain a copy of the License at
6
+ #
7
+ # http://www.apache.org/licenses/LICENSE-2.0
8
+ #
9
+ # Unless required by applicable law or agreed to in writing, software
10
+ # distributed under the License is distributed on an "AS IS" BASIS,
11
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
+ # See the License for the specific language governing permissions and
13
+ # limitations under the License.
14
+
15
+ module Google
16
+ # Module Auth provides classes that provide Google-specific authorization
17
+ # used to access Google APIs.
18
+ module Auth
19
+ # BaseClient is a class used to contain common methods that are required by any
20
+ # Credentials Client, including AwsCredentials, ServiceAccountCredentials,
21
+ # and UserRefreshCredentials. This is a superclass of Signet::OAuth2::Client
22
+ # and has been created to create a generic interface for all credentials clients
23
+ # to use, including ones which do not inherit from Signet::OAuth2::Client.
24
+ module BaseClient
25
+ AUTH_METADATA_KEY = :authorization
26
+
27
+ # Updates a_hash updated with the authentication token
28
+ def apply! a_hash, opts = {}
29
+ # fetch the access token there is currently not one, or if the client
30
+ # has expired
31
+ fetch_access_token! opts if needs_access_token?
32
+ a_hash[AUTH_METADATA_KEY] = "Bearer #{send token_type}"
33
+ end
34
+
35
+ # Returns a clone of a_hash updated with the authentication token
36
+ def apply a_hash, opts = {}
37
+ a_copy = a_hash.clone
38
+ apply! a_copy, opts
39
+ a_copy
40
+ end
41
+
42
+ # Whether the id_token or access_token is missing or about to expire.
43
+ def needs_access_token?
44
+ send(token_type).nil? || expires_within?(60)
45
+ end
46
+
47
+ # Returns a reference to the #apply method, suitable for passing as
48
+ # a closure
49
+ def updater_proc
50
+ proc { |a_hash, opts = {}| apply a_hash, opts }
51
+ end
52
+
53
+ def on_refresh &block
54
+ @refresh_listeners = [] unless defined? @refresh_listeners
55
+ @refresh_listeners << block
56
+ end
57
+
58
+ def notify_refresh_listeners
59
+ listeners = defined?(@refresh_listeners) ? @refresh_listeners : []
60
+ listeners.each do |block|
61
+ block.call self
62
+ end
63
+ end
64
+
65
+ def expires_within?
66
+ raise NotImplementedError
67
+ end
68
+
69
+ private
70
+
71
+ def token_type
72
+ raise NotImplementedError
73
+ end
74
+
75
+ def fetch_access_token!
76
+ raise NotImplementedError
77
+ end
78
+ end
79
+ end
80
+ end
@@ -17,51 +17,67 @@ require "googleauth/credentials_loader"
17
17
 
18
18
  module Google
19
19
  module Auth
20
- # Representation of an application's identity for user authorization
21
- # flows.
20
+ ##
21
+ # Representation of an application's identity for user authorization flows.
22
+ #
22
23
  class ClientId
24
+ # Toplevel JSON key for the an installed app configuration.
25
+ # Must include client_id and client_secret subkeys if present.
23
26
  INSTALLED_APP = "installed".freeze
27
+ # Toplevel JSON key for the a webapp configuration.
28
+ # Must include client_id and client_secret subkeys if present.
24
29
  WEB_APP = "web".freeze
30
+ # JSON key for the client ID within an app configuration.
25
31
  CLIENT_ID = "client_id".freeze
32
+ # JSON key for the client secret within an app configuration.
26
33
  CLIENT_SECRET = "client_secret".freeze
34
+ # An error message raised when none of the expected toplevel properties
35
+ # can be found.
27
36
  MISSING_TOP_LEVEL_ELEMENT_ERROR =
28
37
  "Expected top level property 'installed' or 'web' to be present.".freeze
29
38
 
39
+ ##
30
40
  # Text identifier of the client ID
31
41
  # @return [String]
42
+ #
32
43
  attr_reader :id
33
44
 
45
+ ##
34
46
  # Secret associated with the client ID
35
47
  # @return [String]
48
+ #
36
49
  attr_reader :secret
37
50
 
38
51
  class << self
39
52
  attr_accessor :default
40
53
  end
41
54
 
42
- # Initialize the Client ID
55
+ ##
56
+ # Initialize the Client ID. Both id and secret must be non-nil.
43
57
  #
44
58
  # @param [String] id
45
59
  # Text identifier of the client ID
46
60
  # @param [String] secret
47
61
  # Secret associated with the client ID
48
- # @note Direction instantion is discouraged to avoid embedding IDs
49
- # & secrets in source. See {#from_file} to load from
62
+ # @note Direct instantiation is discouraged to avoid embedding IDs
63
+ # and secrets in source. See {#from_file} to load from
50
64
  # `client_secrets.json` files.
65
+ #
51
66
  def initialize id, secret
52
- CredentialsLoader.warn_if_cloud_sdk_credentials id
53
67
  raise "Client id can not be nil" if id.nil?
54
68
  raise "Client secret can not be nil" if secret.nil?
55
69
  @id = id
56
70
  @secret = secret
57
71
  end
58
72
 
73
+ ##
59
74
  # Constructs a Client ID from a JSON file downloaded from the
60
75
  # Google Developers Console.
61
76
  #
62
77
  # @param [String, File] file
63
78
  # Path of file to read from
64
79
  # @return [Google::Auth::ClientID]
80
+ #
65
81
  def self.from_file file
66
82
  raise "File can not be nil." if file.nil?
67
83
  File.open file.to_s do |f|
@@ -71,13 +87,14 @@ module Google
71
87
  end
72
88
  end
73
89
 
90
+ ##
74
91
  # Constructs a Client ID from a previously loaded JSON file. The hash
75
- # structure should
76
- # match the expected JSON format.
92
+ # structure should match the expected JSON format.
77
93
  #
78
94
  # @param [hash] config
79
95
  # Parsed contents of the JSON file
80
96
  # @return [Google::Auth::ClientID]
97
+ #
81
98
  def self.from_hash config
82
99
  raise "Hash can not be nil." if config.nil?
83
100
  raw_detail = config[INSTALLED_APP] || config[WEB_APP]
@@ -14,7 +14,6 @@
14
14
 
15
15
  require "faraday"
16
16
  require "googleauth/signet"
17
- require "memoist"
18
17
 
19
18
  module Google
20
19
  # Module Auth provides classes that provide Google-specific authorization
@@ -47,9 +46,9 @@ module Google
47
46
  # @private Unused and deprecated
48
47
  COMPUTE_CHECK_URI = "http://169.254.169.254".freeze
49
48
 
50
- class << self
51
- extend Memoist
49
+ @on_gce_cache = {}
52
50
 
51
+ class << self
53
52
  def metadata_host
54
53
  ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST
55
54
  end
@@ -68,21 +67,30 @@ module Google
68
67
 
69
68
  # Detect if this appear to be a GCE instance, by checking if metadata
70
69
  # is available.
71
- def on_gce? options = {}
72
- # TODO: This should use google-cloud-env instead.
73
- c = options[:connection] || Faraday.default_connection
74
- headers = { "Metadata-Flavor" => "Google" }
75
- resp = c.get compute_check_uri, nil, headers do |req|
76
- req.options.timeout = 1.0
77
- req.options.open_timeout = 0.1
70
+ def on_gce? options = {}, reload = false # rubocop:disable Style/OptionalBooleanParameter
71
+ # We can follow OptionalBooleanParameter here because it's a public interface, we can't change it.
72
+ @on_gce_cache.delete options if reload
73
+ @on_gce_cache.fetch options do
74
+ @on_gce_cache[options] = begin
75
+ # TODO: This should use google-cloud-env instead.
76
+ c = options[:connection] || Faraday.default_connection
77
+ headers = { "Metadata-Flavor" => "Google" }
78
+ resp = c.get compute_check_uri, nil, headers do |req|
79
+ req.options.timeout = 1.0
80
+ req.options.open_timeout = 0.1
81
+ end
82
+ return false unless resp.status == 200
83
+ resp.headers["Metadata-Flavor"] == "Google"
84
+ rescue Faraday::TimeoutError, Faraday::ConnectionFailed
85
+ false
86
+ end
78
87
  end
79
- return false unless resp.status == 200
80
- resp.headers["Metadata-Flavor"] == "Google"
81
- rescue Faraday::TimeoutError, Faraday::ConnectionFailed
82
- false
83
88
  end
84
89
 
85
- memoize :on_gce?
90
+ def reset_cache
91
+ @on_gce_cache.clear
92
+ end
93
+ alias unmemoize_all reset_cache
86
94
  end
87
95
 
88
96
  # Overrides the super class method to change how access tokens are
@@ -355,14 +355,13 @@ module Google
355
355
  @project_id = options["project_id"] || options["project"]
356
356
  @quota_project_id = options["quota_project_id"]
357
357
  case keyfile
358
- when Signet::OAuth2::Client
358
+ when Google::Auth::BaseClient
359
359
  update_from_signet keyfile
360
360
  when Hash
361
361
  update_from_hash keyfile, options
362
362
  else
363
363
  update_from_filepath keyfile, options
364
364
  end
365
- CredentialsLoader.warn_if_cloud_sdk_credentials @client.client_id
366
365
  @project_id ||= CredentialsLoader.load_gcloud_project_id
367
366
  @client.fetch_access_token! if @client.needs_access_token?
368
367
  @env_vars = nil
@@ -30,6 +30,11 @@ module Google
30
30
  REFRESH_TOKEN_VAR = "GOOGLE_REFRESH_TOKEN".freeze
31
31
  ACCOUNT_TYPE_VAR = "GOOGLE_ACCOUNT_TYPE".freeze
32
32
  PROJECT_ID_VAR = "GOOGLE_PROJECT_ID".freeze
33
+ AWS_REGION_VAR = "AWS_REGION".freeze
34
+ AWS_DEFAULT_REGION_VAR = "AWS_DEFAULT_REGION".freeze
35
+ AWS_ACCESS_KEY_ID_VAR = "AWS_ACCESS_KEY_ID".freeze
36
+ AWS_SECRET_ACCESS_KEY_VAR = "AWS_SECRET_ACCESS_KEY".freeze
37
+ AWS_SESSION_TOKEN_VAR = "AWS_SESSION_TOKEN".freeze
33
38
  GCLOUD_POSIX_COMMAND = "gcloud".freeze
34
39
  GCLOUD_WINDOWS_COMMAND = "gcloud.cmd".freeze
35
40
  GCLOUD_CONFIG_COMMAND = "config config-helper --format json --verbosity none".freeze
@@ -44,13 +49,6 @@ module Google
44
49
  CLOUD_SDK_CLIENT_ID = "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app" \
45
50
  "s.googleusercontent.com".freeze
46
51
 
47
- CLOUD_SDK_CREDENTIALS_WARNING =
48
- "Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most " \
49
- "server applications use service accounts instead. If your application continues to use end user credentials " \
50
- 'from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For more information about ' \
51
- "service accounts, see https://cloud.google.com/docs/authentication/. To suppress this message, set the " \
52
- "GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS environment variable.".freeze
53
-
54
52
  # make_creds proxies the construction of a credentials instance
55
53
  #
56
54
  # By default, it calls #new on the current class, but this behaviour can
@@ -144,12 +142,6 @@ module Google
144
142
 
145
143
  module_function
146
144
 
147
- # Issues warning if cloud sdk client id is used
148
- def warn_if_cloud_sdk_credentials client_id
149
- return if ENV["GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS"]
150
- warn CLOUD_SDK_CREDENTIALS_WARNING if client_id == CLOUD_SDK_CLIENT_ID
151
- end
152
-
153
145
  # Finds project_id from gcloud CLI configuration
154
146
  def load_gcloud_project_id
155
147
  gcloud = GCLOUD_WINDOWS_COMMAND if OS.windows?
@@ -18,6 +18,7 @@ require "stringio"
18
18
  require "googleauth/credentials_loader"
19
19
  require "googleauth/service_account"
20
20
  require "googleauth/user_refresh"
21
+ require "googleauth/external_account"
21
22
 
22
23
  module Google
23
24
  # Module Auth provides classes that provide Google-specific authorization
@@ -34,11 +35,9 @@ module Google
34
35
  json_key_io = options[:json_key_io]
35
36
  if json_key_io
36
37
  json_key, clz = determine_creds_class json_key_io
37
- warn_if_cloud_sdk_credentials json_key["client_id"]
38
38
  io = StringIO.new MultiJson.dump(json_key)
39
39
  clz.make_creds options.merge(json_key_io: io)
40
40
  else
41
- warn_if_cloud_sdk_credentials ENV[CredentialsLoader::CLIENT_ID_VAR]
42
41
  clz = read_creds
43
42
  clz.make_creds options
44
43
  end
@@ -53,6 +52,8 @@ module Google
53
52
  ServiceAccountCredentials
54
53
  when "authorized_user"
55
54
  UserRefreshCredentials
55
+ when "external_account"
56
+ ExternalAccount::Credentials
56
57
  else
57
58
  raise "credentials type '#{type}' is not supported"
58
59
  end
@@ -69,6 +70,8 @@ module Google
69
70
  [json_key, ServiceAccountCredentials]
70
71
  when "authorized_user"
71
72
  [json_key, UserRefreshCredentials]
73
+ when "external_account"
74
+ [json_key, ExternalAccount::Credentials]
72
75
  else
73
76
  raise "credentials type '#{type}' is not supported"
74
77
  end