googleauth 1.3.0 → 1.8.1

data/lib/googleauth/external_account/aws_credentials.rb

@@ -0,0 +1,378 @@
+# Copyright 2023 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "time"
+require "googleauth/external_account/base_credentials"
+require "googleauth/external_account/external_account_utils"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization used to access Google APIs.
+  module Auth
+    # Authenticates requests using External Account credentials, such as those provided by the AWS provider.
+    module ExternalAccount
+      # This module handles the retrieval of credentials from Google Cloud by utilizing the AWS EC2 metadata service and
+      # then exchanging the credentials for a short-lived Google Cloud access token.
+      class AwsCredentials
+        # Constant for imdsv2 session token expiration in seconds
+        IMDSV2_TOKEN_EXPIRATION_IN_SECONDS = 300
+
+        include Google::Auth::ExternalAccount::BaseCredentials
+        include Google::Auth::ExternalAccount::ExternalAccountUtils
+        extend CredentialsLoader
+
+        # Will always be nil, but method still gets used.
+        attr_reader :client_id
+
+        def initialize options = {}
+          base_setup options
+
+          @audience = options[:audience]
+          @credential_source = options[:credential_source] || {}
+          @environment_id = @credential_source[:environment_id]
+          @region_url = @credential_source[:region_url]
+          @credential_verification_url = @credential_source[:url]
+          @regional_cred_verification_url = @credential_source[:regional_cred_verification_url]
+          @imdsv2_session_token_url = @credential_source[:imdsv2_session_token_url]
+
+          # These will be lazily loaded when needed, or will raise an error if not provided
+          @region = nil
+          @request_signer = nil
+          @imdsv2_session_token = nil
+          @imdsv2_session_token_expiry = nil
+        end
+
+        # Retrieves the subject token using the credential_source object.
+        # The subject token is a serialized [AWS GetCallerIdentity signed request](
+        #   https://cloud.google.com/iam/docs/access-resources-aws#exchange-token).
+        #
+        # The logic is summarized as:
+        #
+        # Retrieve the AWS region from the AWS_REGION or AWS_DEFAULT_REGION environment variable or from the AWS
+        # metadata server availability-zone if not found in the environment variable.
+        #
+        # Check AWS credentials in environment variables. If not found, retrieve from the AWS metadata server
+        # security-credentials endpoint.
+        #
+        # When retrieving AWS credentials from the metadata server security-credentials endpoint, the AWS role needs to
+        # be determined by # calling the security-credentials endpoint without any argument.
+        # Then the credentials can be retrieved via: security-credentials/role_name
+        #
+        # Generate the signed request to AWS STS GetCallerIdentity action.
+        #
+        # Inject x-goog-cloud-target-resource into header and serialize the signed request.
+        # This will be the subject-token to pass to GCP STS.
+        #
+        # @return [string] The retrieved subject token.
+        #
+        def retrieve_subject_token!
+          if @request_signer.nil?
+            @region = region
+            @request_signer = AwsRequestSigner.new @region
+          end
+
+          request = {
+            method: "POST",
+            url: @regional_cred_verification_url.sub("{region}", @region)
+          }
+
+          request_options = @request_signer.generate_signed_request fetch_security_credentials, request
+
+          request_headers = request_options[:headers]
+          request_headers["x-goog-cloud-target-resource"] = @audience
+
+          aws_signed_request = {
+            headers: [],
+            method: request_options[:method],
+            url: request_options[:url]
+          }
+
+          aws_signed_request[:headers] = request_headers.keys.sort.map do |key|
+            { key: key, value: request_headers[key] }
+          end
+
+          uri_escape aws_signed_request.to_json
+        end
+
+        private
+
+        def imdsv2_session_token
+          return @imdsv2_session_token unless imdsv2_session_token_invalid?
+          raise "IMDSV2 token url must be provided" if @imdsv2_session_token_url.nil?
+          begin
+            response = connection.put @imdsv2_session_token_url do |req|
+              req.headers["x-aws-ec2-metadata-token-ttl-seconds"] = IMDSV2_TOKEN_EXPIRATION_IN_SECONDS.to_s
+            end
+          rescue Faraday::Error => e
+            raise "Fetching AWS IMDSV2 token error: #{e}"
+          end
+          raise Faraday::Error unless response.success?
+          @imdsv2_session_token = response.body
+          @imdsv2_session_token_expiry = Time.now + IMDSV2_TOKEN_EXPIRATION_IN_SECONDS
+          @imdsv2_session_token
+        end
+
+        def imdsv2_session_token_invalid?
+          return true if @imdsv2_session_token.nil?
+          @imdsv2_session_token_expiry.nil? || @imdsv2_session_token_expiry < Time.now
+        end
+
+        def get_aws_resource url, name, data: nil, headers: {}
+          begin
+            headers["x-aws-ec2-metadata-token"] = imdsv2_session_token
+            response = if data
+                         headers["Content-Type"] = "application/json"
+                         connection.post url, data, headers
+                       else
+                         connection.get url, nil, headers
+                       end
+
+            raise Faraday::Error unless response.success?
+            response
+          rescue Faraday::Error
+            raise "Failed to retrieve AWS #{name}."
+          end
+        end
+
+        def uri_escape string
+          if string.nil?
+            nil
+          else
+            CGI.escape(string.encode("UTF-8")).gsub("+", "%20").gsub("%7E", "~")
+          end
+        end
+
+        # Retrieves the AWS security credentials required for signing AWS requests from either the AWS security
+        # credentials environment variables or from the AWS metadata server.
+        def fetch_security_credentials
+          env_aws_access_key_id = ENV[CredentialsLoader::AWS_ACCESS_KEY_ID_VAR]
+          env_aws_secret_access_key = ENV[CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR]
+          # This is normally not available for permanent credentials.
+          env_aws_session_token = ENV[CredentialsLoader::AWS_SESSION_TOKEN_VAR]
+
+          if env_aws_access_key_id && env_aws_secret_access_key
+            return {
+              access_key_id: env_aws_access_key_id,
+              secret_access_key: env_aws_secret_access_key,
+              session_token: env_aws_session_token
+            }
+          end
+
+          role_name = fetch_metadata_role_name
+          credentials = fetch_metadata_security_credentials role_name
+
+          {
+            access_key_id: credentials["AccessKeyId"],
+            secret_access_key: credentials["SecretAccessKey"],
+            session_token: credentials["Token"]
+          }
+        end
+
+        # Retrieves the AWS role currently attached to the current AWS workload by querying the AWS metadata server.
+        # This is needed for the AWS metadata server security credentials endpoint in order to retrieve the AWS security
+        # credentials needed to sign requests to AWS APIs.
+        def fetch_metadata_role_name
+          unless @credential_verification_url
+            raise "Unable to determine the AWS metadata server security credentials endpoint"
+          end
+
+          get_aws_resource(@credential_verification_url, "IAM Role").body
+        end
+
+        # Retrieves the AWS security credentials required for signing AWS requests from the AWS metadata server.
+        def fetch_metadata_security_credentials role_name
+          response = get_aws_resource "#{@credential_verification_url}/#{role_name}", "credentials"
+          MultiJson.load response.body
+        end
+
+        def region
+          @region = ENV[CredentialsLoader::AWS_REGION_VAR] || ENV[CredentialsLoader::AWS_DEFAULT_REGION_VAR]
+
+          unless @region
+            raise "region_url or region must be set for external account credentials" unless @region_url
+
+            @region ||= get_aws_resource(@region_url, "region").body[0..-2]
+          end
+
+          @region
+        end
+      end
+
+      # Implements an AWS request signer based on the AWS Signature Version 4 signing process.
+      # https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
+      class AwsRequestSigner
+        # Instantiates an AWS request signer used to compute authenticated signed requests to AWS APIs based on the AWS
+        # Signature Version 4 signing process.
+        #
+        # @param [string] region_name
+        #     The AWS region to use.
+        def initialize region_name
+          @region_name = region_name
+        end
+
+        # Generates the signed request for the provided HTTP request for calling
+        # an AWS API. This follows the steps described at:
+        # https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
+        #
+        # @param [Hash[string, string]] aws_security_credentials
+        #     A dictionary containing the AWS security credentials.
+        # @param [string] url
+        #     The AWS service URL containing the canonical URI and query string.
+        # @param [string] method
+        #     The HTTP method used to call this API.
+        #
+        # @return [hash{string => string}]
+        #     The AWS signed request dictionary object.
+        #
+        def generate_signed_request aws_credentials, original_request
+          uri = Addressable::URI.parse original_request[:url]
+          raise "Invalid AWS service URL" unless uri.hostname && uri.scheme == "https"
+          service_name = uri.host.split(".").first
+
+          datetime = Time.now.utc.strftime "%Y%m%dT%H%M%SZ"
+          date = datetime[0, 8]
+
+          headers = aws_headers aws_credentials, original_request, datetime
+
+          request_payload = original_request[:data] || ""
+          content_sha256 = sha256_hexdigest request_payload
+
+          canonical_req = canonical_request original_request[:method], uri, headers, content_sha256
+          sts = string_to_sign datetime, canonical_req, service_name
+
+          # Authorization header requires everything else to be properly setup in order to be properly
+          # calculated.
+          headers["Authorization"] = build_authorization_header headers, sts, aws_credentials, service_name, date
+
+          {
+            url: uri.to_s,
+            headers: headers,
+            method: original_request[:method],
+            data: (request_payload unless request_payload.empty?)
+          }.compact
+        end
+
+        private
+
+        def aws_headers aws_credentials, original_request, datetime
+          uri = Addressable::URI.parse original_request[:url]
+          temp_headers = original_request[:headers] || {}
+          headers = {}
+          temp_headers.each_key { |k| headers[k.to_s] = temp_headers[k] }
+          headers["host"] = uri.host
+          headers["x-amz-date"] = datetime
+          headers["x-amz-security-token"] = aws_credentials[:session_token] if aws_credentials[:session_token]
+          headers
+        end
+
+        def build_authorization_header headers, sts, aws_credentials, service_name, date
+          [
+            "AWS4-HMAC-SHA256",
+            "Credential=#{credential aws_credentials[:access_key_id], date, service_name},",
+            "SignedHeaders=#{headers.keys.sort.join ';'},",
+            "Signature=#{signature aws_credentials[:secret_access_key], date, sts, service_name}"
+          ].join(" ")
+        end
+
+        def signature secret_access_key, date, string_to_sign, service
+          k_date = hmac "AWS4#{secret_access_key}", date
+          k_region = hmac k_date, @region_name
+          k_service = hmac k_region, service
+          k_credentials = hmac k_service, "aws4_request"
+
+          hexhmac k_credentials, string_to_sign
+        end
+
+        def hmac key, value
+          OpenSSL::HMAC.digest OpenSSL::Digest.new("sha256"), key, value
+        end
+
+        def hexhmac key, value
+          OpenSSL::HMAC.hexdigest OpenSSL::Digest.new("sha256"), key, value
+        end
+
+        def credential access_key_id, date, service
+          "#{access_key_id}/#{credential_scope date, service}"
+        end
+
+        def credential_scope date, service
+          [
+            date,
+            @region_name,
+            service,
+            "aws4_request"
+          ].join("/")
+        end
+
+        def string_to_sign datetime, canonical_request, service
+          [
+            "AWS4-HMAC-SHA256",
+            datetime,
+            credential_scope(datetime[0, 8], service),
+            sha256_hexdigest(canonical_request)
+          ].join("\n")
+        end
+
+        def host uri
+          # Handles known and unknown URI schemes; default_port nil when unknown.
+          if uri.default_port == uri.port
+            uri.host
+          else
+            "#{uri.host}:#{uri.port}"
+          end
+        end
+
+        def canonical_request http_method, uri, headers, content_sha256
+          headers = headers.sort_by(&:first) # transforms to a sorted array of [key, value]
+
+          [
+            http_method,
+            uri.path.empty? ? "/" : uri.path,
+            build_canonical_querystring(uri.query || ""),
+            headers.map { |k, v| "#{k}:#{v}\n" }.join, # Canonical headers
+            headers.map(&:first).join(";"), # Signed headers
+            content_sha256
+          ].join("\n")
+        end
+
+        def sha256_hexdigest string
+          OpenSSL::Digest::SHA256.hexdigest string
+        end
+
+        # Generates the canonical query string given a raw query string.
+        # Logic is based on
+        # https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
+        # Code is from the AWS SDK for Ruby
+        # https://github.com/aws/aws-sdk-ruby/blob/0ac3d0a393ed216290bfb5f0383380376f6fb1f1/gems/aws-sigv4/lib/aws-sigv4/signer.rb#L532
+        def build_canonical_querystring query
+          params = query.split "&"
+          params = params.map { |p| p.include?("=") ? p : "#{p}=" }
+
+          params.each.with_index.sort do |(a, a_offset), (b, b_offset)|
+            a_name, a_value = a.split "="
+            b_name, b_value = b.split "="
+            if a_name == b_name
+              if a_value == b_value
+                a_offset <=> b_offset
+              else
+                a_value <=> b_value
+              end
+            else
+              a_name <=> b_name
+            end
+          end.map(&:first).join("&")
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/external_account/base_credentials.rb

@@ -0,0 +1,158 @@
+# Copyright 2023 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.require "time"
+
+require "googleauth/base_client"
+require "googleauth/helpers/connection"
+require "googleauth/oauth2/sts_client"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    module ExternalAccount
+      # Authenticates requests using External Account credentials, such
+      # as those provided by the AWS provider or OIDC provider like Azure, etc.
+      module BaseCredentials
+        # Contains all methods needed for all external account credentials.
+        # Other credentials should call `base_setup` during initialization
+        # And should define the :retrieve_subject_token! method
+
+        # External account JSON type identifier.
+        EXTERNAL_ACCOUNT_JSON_TYPE = "external_account".freeze
+        # The token exchange grant_type used for exchanging credentials.
+        STS_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange".freeze
+        # The token exchange requested_token_type. This is always an access_token.
+        STS_REQUESTED_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token".freeze
+        # Default IAM_SCOPE
+        IAM_SCOPE = ["https://www.googleapis.com/auth/iam".freeze].freeze
+
+        include Google::Auth::BaseClient
+        include Helpers::Connection
+
+        attr_reader :expires_at
+        attr_accessor :access_token
+
+        def expires_within? seconds
+          # This method is needed for BaseClient
+          @expires_at && @expires_at - Time.now.utc < seconds
+        end
+
+        def expires_at= new_expires_at
+          @expires_at = normalize_timestamp new_expires_at
+        end
+
+        def fetch_access_token! _options = {}
+          # This method is needed for BaseClient
+          response = exchange_token
+
+          if @service_account_impersonation_url
+            impersonated_response = get_impersonated_access_token response["access_token"]
+            self.expires_at = impersonated_response["expireTime"]
+            self.access_token = impersonated_response["accessToken"]
+          else
+            # Extract the expiration time in seconds from the response and calculate the actual expiration time
+            # and then save that to the expiry variable.
+            self.expires_at = Time.now.utc + response["expires_in"].to_i
+            self.access_token = response["access_token"]
+          end
+
+          notify_refresh_listeners
+        end
+
+        # Retrieves the subject token using the credential_source object.
+        # @return [string]
+        #     The retrieved subject token.
+        #
+        def retrieve_subject_token!
+          raise NotImplementedError
+        end
+
+        # Returns whether the credentials represent a workforce pool (True) or
+        # workload (False) based on the credentials' audience.
+        #
+        # @return [bool]
+        #     true if the credentials represent a workforce pool.
+        #     false if they represent a workload.
+        def is_workforce_pool?
+          pattern = "//iam\.googleapis\.com/locations/[^/]+/workforcePools/"
+          /#{pattern}/.match?(@audience || "")
+        end
+
+        private
+
+        def token_type
+          # This method is needed for BaseClient
+          :access_token
+        end
+
+        def base_setup options
+          self.default_connection = options[:connection]
+
+          @audience = options[:audience]
+          @scope = options[:scope] || IAM_SCOPE
+          @subject_token_type = options[:subject_token_type]
+          @token_url = options[:token_url]
+          @token_info_url = options[:token_info_url]
+          @service_account_impersonation_url = options[:service_account_impersonation_url]
+          @service_account_impersonation_options = options[:service_account_impersonation_options] || {}
+          @client_id = options[:client_id]
+          @client_secret = options[:client_secret]
+          @quota_project_id = options[:quota_project_id]
+          @project_id = nil
+          @workforce_pool_user_project = options[:workforce_pool_user_project]
+
+          @expires_at = nil
+          @access_token = nil
+
+          @sts_client = Google::Auth::OAuth2::STSClient.new(
+            token_exchange_endpoint: @token_url,
+            connection: default_connection
+          )
+          return unless @workforce_pool_user_project && !is_workforce_pool?
+          raise "workforce_pool_user_project should not be set for non-workforce pool credentials."
+        end
+
+        def exchange_token
+          additional_options = nil
+          if @client_id.nil? && @workforce_pool_user_project
+            additional_options = { userProject: @workforce_pool_user_project }
+          end
+          @sts_client.exchange_token(
+            audience: @audience,
+            grant_type: STS_GRANT_TYPE,
+            subject_token: retrieve_subject_token!,
+            subject_token_type: @subject_token_type,
+            scopes: @service_account_impersonation_url ? IAM_SCOPE : @scope,
+            requested_token_type: STS_REQUESTED_TOKEN_TYPE,
+            additional_options: additional_options
+          )
+        end
+
+        def get_impersonated_access_token token, _options = {}
+          response = connection.post @service_account_impersonation_url do |req|
+            req.headers["Authorization"] = "Bearer #{token}"
+            req.headers["Content-Type"] = "application/json"
+            req.body = MultiJson.dump({ scope: @scope })
+          end
+
+          if response.status != 200
+            raise "Service account impersonation failed with status #{response.status}"
+          end
+
+          MultiJson.load response.body
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/external_account/external_account_utils.rb

@@ -0,0 +1,103 @@
+# Copyright 2023 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.require "time"
+
+require "googleauth/base_client"
+require "googleauth/helpers/connection"
+require "googleauth/oauth2/sts_client"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    module ExternalAccount
+      # Authenticates requests using External Account credentials, such
+      # as those provided by the AWS provider or OIDC provider like Azure, etc.
+      module ExternalAccountUtils
+        # Cloud resource manager URL used to retrieve project information.
+        CLOUD_RESOURCE_MANAGER = "https://cloudresourcemanager.googleapis.com/v1/projects/".freeze
+
+        ##
+        # Retrieves the project ID corresponding to the workload identity or workforce pool.
+        # For workforce pool credentials, it returns the project ID corresponding to the workforce_pool_user_project.
+        # When not determinable, None is returned.
+        #
+        # The resource may not have permission (resourcemanager.projects.get) to
+        # call this API or the required scopes may not be selected:
+        # https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes
+        #
+        # @return [string,nil]
+        #     The project ID corresponding to the workload identity pool or workforce pool if determinable.
+        #
+        def project_id
+          return @project_id unless @project_id.nil?
+          project_number = self.project_number || @workforce_pool_user_project
+
+          # if we missing either project number or scope, we won't retrieve project_id
+          return nil if project_number.nil? || @scope.nil?
+
+          url = "#{CLOUD_RESOURCE_MANAGER}#{project_number}"
+          response = connection.get url do |req|
+            req.headers["Authorization"] = "Bearer #{@access_token}"
+            req.headers["Content-Type"] = "application/json"
+          end
+
+          if response.status == 200
+            response_data = MultiJson.load response.body, symbolize_names: true
+            @project_id = response_data[:projectId]
+          end
+
+          @project_id
+        end
+
+        ##
+        # Retrieve the project number corresponding to workload identity pool
+        # STS audience pattern:
+        #     `//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/...`
+        #
+        # @return [string, nil]
+        #
+        def project_number
+          segments = @audience.split "/"
+          idx = segments.index "projects"
+          return nil if idx.nil? || idx + 1 == segments.size
+          segments[idx + 1]
+        end
+
+        def normalize_timestamp time
+          case time
+          when NilClass
+            nil
+          when Time
+            time
+          when String
+            Time.parse time
+          else
+            raise "Invalid time value #{time}"
+          end
+        end
+
+        def service_account_email
+          return nil if @service_account_impersonation_url.nil?
+          start_idx = @service_account_impersonation_url.rindex "/"
+          end_idx = @service_account_impersonation_url.index ":generateAccessToken"
+          if start_idx != -1 && end_idx != -1 && start_idx < end_idx
+            start_idx += 1
+            return @service_account_impersonation_url[start_idx..end_idx]
+          end
+          nil
+        end
+      end
+    end
+  end
+end