googleauth 1.6.0 → 1.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -0
- data/lib/googleauth/external_account/external_account_utils.rb +11 -0
- data/lib/googleauth/external_account/pluggable_credentials.rb +156 -0
- data/lib/googleauth/external_account.rb +4 -0
- data/lib/googleauth/id_tokens.rb +2 -2
- data/lib/googleauth/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5437d56e0c86ce235d37a202af1a28219a9caeb0bc0f8abac5540cc1d73edf28
|
|
4
|
+
data.tar.gz: f56369065e2abc56fb51abccc5003264f8c9ef3e745c202e06e5cb4c6b083d84
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f350fb9178517f4782c1dcf08804f5b0ec6bb12ed6dd460ff9c7a875b5929146bf357d797a52cb976878ef25ca8e3439d90b41dfb0e44fbf0b1cfcdf1109ec85
|
|
7
|
+
data.tar.gz: 5a1811530c2a2f5321937bdc90f157f7b55cf0b4c77c7c8f98e87474cfd22b06154987279003cefcb3f8cb400f690364078f9dd0302286f6cbd6d94afde826b3
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,14 @@
|
|
|
1
1
|
# Release History
|
|
2
2
|
|
|
3
|
+
### 1.7.0 (2023-07-14)
|
|
4
|
+
|
|
5
|
+
#### Features
|
|
6
|
+
|
|
7
|
+
* Adding support for pluggable auth credentials ([#437](https://github.com/googleapis/google-auth-library-ruby/issues/437))
|
|
8
|
+
#### Documentation
|
|
9
|
+
|
|
10
|
+
* fixed iss argument and description in comments of IDTokens ([#438](https://github.com/googleapis/google-auth-library-ruby/issues/438))
|
|
11
|
+
|
|
3
12
|
### 1.6.0 (2023-06-20)
|
|
4
13
|
|
|
5
14
|
#### Features
|
|
@@ -86,6 +86,17 @@ module Google
|
|
|
86
86
|
raise "Invalid time value #{time}"
|
|
87
87
|
end
|
|
88
88
|
end
|
|
89
|
+
|
|
90
|
+
def service_account_email
|
|
91
|
+
return nil if @service_account_impersonation_url.nil?
|
|
92
|
+
start_idx = @service_account_impersonation_url.rindex "/"
|
|
93
|
+
end_idx = @service_account_impersonation_url.index ":generateAccessToken"
|
|
94
|
+
if start_idx != -1 && end_idx != -1 && start_idx < end_idx
|
|
95
|
+
start_idx += 1
|
|
96
|
+
return @service_account_impersonation_url[start_idx..end_idx]
|
|
97
|
+
end
|
|
98
|
+
nil
|
|
99
|
+
end
|
|
89
100
|
end
|
|
90
101
|
end
|
|
91
102
|
end
|
|
@@ -0,0 +1,156 @@
|
|
|
1
|
+
# Copyright 2023 Google, Inc.
|
|
2
|
+
#
|
|
3
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
4
|
+
# you may not use this file except in compliance with the License.
|
|
5
|
+
# You may obtain a copy of the License at
|
|
6
|
+
#
|
|
7
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
|
8
|
+
#
|
|
9
|
+
# Unless required by applicable law or agreed to in writing, software
|
|
10
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
11
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
12
|
+
# See the License for the specific language governing permissions and
|
|
13
|
+
# limitations under the License.
|
|
14
|
+
|
|
15
|
+
require "open3"
|
|
16
|
+
require "time"
|
|
17
|
+
require "googleauth/external_account/base_credentials"
|
|
18
|
+
require "googleauth/external_account/external_account_utils"
|
|
19
|
+
|
|
20
|
+
module Google
|
|
21
|
+
# Module Auth provides classes that provide Google-specific authorization used to access Google APIs.
|
|
22
|
+
module Auth
|
|
23
|
+
module ExternalAccount
|
|
24
|
+
# This module handles the retrieval of credentials from Google Cloud by utilizing the any 3PI
|
|
25
|
+
# provider then exchanging the credentials for a short-lived Google Cloud access token.
|
|
26
|
+
class PluggableAuthCredentials
|
|
27
|
+
# constant for pluggable auth enablement in environment variable.
|
|
28
|
+
ENABLE_PLUGGABLE_ENV = "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES".freeze
|
|
29
|
+
EXECUTABLE_SUPPORTED_MAX_VERSION = 1
|
|
30
|
+
EXECUTABLE_TIMEOUT_MILLIS_DEFAULT = 30 * 1000
|
|
31
|
+
EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND = 5 * 1000
|
|
32
|
+
EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND = 120 * 1000
|
|
33
|
+
ID_TOKEN_TYPE = ["urn:ietf:params:oauth:token-type:jwt", "urn:ietf:params:oauth:token-type:id_token"].freeze
|
|
34
|
+
|
|
35
|
+
include Google::Auth::ExternalAccount::BaseCredentials
|
|
36
|
+
include Google::Auth::ExternalAccount::ExternalAccountUtils
|
|
37
|
+
extend CredentialsLoader
|
|
38
|
+
|
|
39
|
+
# Will always be nil, but method still gets used.
|
|
40
|
+
attr_reader :client_id
|
|
41
|
+
|
|
42
|
+
# Initialize from options map.
|
|
43
|
+
#
|
|
44
|
+
# @param [string] audience
|
|
45
|
+
# @param [hash{symbol => value}] credential_source
|
|
46
|
+
# credential_source is a hash that contains either source file or url.
|
|
47
|
+
# credential_source_format is either text or json. To define how we parse the credential response.
|
|
48
|
+
#
|
|
49
|
+
def initialize options = {}
|
|
50
|
+
base_setup options
|
|
51
|
+
|
|
52
|
+
@audience = options[:audience]
|
|
53
|
+
@credential_source = options[:credential_source] || {}
|
|
54
|
+
@credential_source_executable = @credential_source[:executable]
|
|
55
|
+
raise "Missing excutable source. An 'executable' must be provided" if @credential_source_executable.nil?
|
|
56
|
+
@credential_source_executable_command = @credential_source_executable[:command]
|
|
57
|
+
if @credential_source_executable_command.nil?
|
|
58
|
+
raise "Missing command field. Executable command must be provided."
|
|
59
|
+
end
|
|
60
|
+
@credential_source_executable_timeout_millis = @credential_source_executable[:timeout_millis] ||
|
|
61
|
+
EXECUTABLE_TIMEOUT_MILLIS_DEFAULT
|
|
62
|
+
if @credential_source_executable_timeout_millis < EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND ||
|
|
63
|
+
@credential_source_executable_timeout_millis > EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND
|
|
64
|
+
raise "Timeout must be between 5 and 120 seconds."
|
|
65
|
+
end
|
|
66
|
+
@credential_source_executable_output_file = @credential_source_executable[:output_file]
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
def retrieve_subject_token!
|
|
70
|
+
unless ENV[ENABLE_PLUGGABLE_ENV] == "1"
|
|
71
|
+
raise "Executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') " \
|
|
72
|
+
"to run."
|
|
73
|
+
end
|
|
74
|
+
# check output file first
|
|
75
|
+
subject_token = load_subject_token_from_output_file
|
|
76
|
+
return subject_token unless subject_token.nil?
|
|
77
|
+
# environment variable injection
|
|
78
|
+
env = inject_environment_variables
|
|
79
|
+
output = subprocess_with_timeout env, @credential_source_executable_command,
|
|
80
|
+
@credential_source_executable_timeout_millis
|
|
81
|
+
response = MultiJson.load output, symbolize_keys: true
|
|
82
|
+
parse_subject_token response
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
private
|
|
86
|
+
|
|
87
|
+
def load_subject_token_from_output_file
|
|
88
|
+
return nil if @credential_source_executable_output_file.nil?
|
|
89
|
+
return nil unless File.exist? @credential_source_executable_output_file
|
|
90
|
+
begin
|
|
91
|
+
content = File.read @credential_source_executable_output_file, encoding: "utf-8"
|
|
92
|
+
response = MultiJson.load content, symbolize_keys: true
|
|
93
|
+
rescue StandardError
|
|
94
|
+
return nil
|
|
95
|
+
end
|
|
96
|
+
begin
|
|
97
|
+
subject_token = parse_subject_token response
|
|
98
|
+
rescue StandardError => e
|
|
99
|
+
return nil if e.message.match(/The token returned by the executable is expired/)
|
|
100
|
+
raise e
|
|
101
|
+
end
|
|
102
|
+
subject_token
|
|
103
|
+
end
|
|
104
|
+
|
|
105
|
+
def parse_subject_token response
|
|
106
|
+
validate_response_schema response
|
|
107
|
+
unless response[:success]
|
|
108
|
+
if response[:code].nil? || response[:message].nil?
|
|
109
|
+
raise "Error code and message fields are required in the response."
|
|
110
|
+
end
|
|
111
|
+
raise "Executable returned unsuccessful response: code: #{response[:code]}, message: #{response[:message]}."
|
|
112
|
+
end
|
|
113
|
+
if response[:expiration_time] && response[:expiration_time] < Time.now.to_i
|
|
114
|
+
raise "The token returned by the executable is expired."
|
|
115
|
+
end
|
|
116
|
+
raise "The executable response is missing the token_type field." if response[:token_type].nil?
|
|
117
|
+
return response[:id_token] if ID_TOKEN_TYPE.include? response[:token_type]
|
|
118
|
+
return response[:saml_response] if response[:token_type] == "urn:ietf:params:oauth:token-type:saml2"
|
|
119
|
+
raise "Executable returned unsupported token type."
|
|
120
|
+
end
|
|
121
|
+
|
|
122
|
+
def validate_response_schema response
|
|
123
|
+
raise "The executable response is missing the version field." if response[:version].nil?
|
|
124
|
+
if response[:version] > EXECUTABLE_SUPPORTED_MAX_VERSION
|
|
125
|
+
raise "Executable returned unsupported version #{response[:version]}."
|
|
126
|
+
end
|
|
127
|
+
raise "The executable response is missing the success field." if response[:success].nil?
|
|
128
|
+
end
|
|
129
|
+
|
|
130
|
+
def inject_environment_variables
|
|
131
|
+
env = ENV.to_h
|
|
132
|
+
env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = @audience
|
|
133
|
+
env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = @subject_token_type
|
|
134
|
+
env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "0" # only non-interactive mode we support.
|
|
135
|
+
unless @service_account_impersonation_url.nil?
|
|
136
|
+
env["GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL"] = service_account_email
|
|
137
|
+
end
|
|
138
|
+
unless @credential_source_executable_output_file.nil?
|
|
139
|
+
env["GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"] = @credential_source_executable_output_file
|
|
140
|
+
end
|
|
141
|
+
env
|
|
142
|
+
end
|
|
143
|
+
|
|
144
|
+
def subprocess_with_timeout environment_vars, command, timeout_seconds
|
|
145
|
+
Timeout.timeout timeout_seconds do
|
|
146
|
+
output, error, status = Open3.capture3 environment_vars, command
|
|
147
|
+
unless status.success?
|
|
148
|
+
raise "Executable exited with non-zero return code #{status.exitstatus}. Error: #{output}, #{error}"
|
|
149
|
+
end
|
|
150
|
+
output
|
|
151
|
+
end
|
|
152
|
+
end
|
|
153
|
+
end
|
|
154
|
+
end
|
|
155
|
+
end
|
|
156
|
+
end
|
|
@@ -17,6 +17,7 @@ require "uri"
|
|
|
17
17
|
require "googleauth/credentials_loader"
|
|
18
18
|
require "googleauth/external_account/aws_credentials"
|
|
19
19
|
require "googleauth/external_account/identity_pool_credentials"
|
|
20
|
+
require "googleauth/external_account/pluggable_credentials"
|
|
20
21
|
|
|
21
22
|
module Google
|
|
22
23
|
# Module Auth provides classes that provide Google-specific authorization
|
|
@@ -80,6 +81,9 @@ module Google
|
|
|
80
81
|
unless user_creds[:credential_source][:file].nil? && user_creds[:credential_source][:url].nil?
|
|
81
82
|
return Google::Auth::ExternalAccount::IdentityPoolCredentials.new user_creds
|
|
82
83
|
end
|
|
84
|
+
unless user_creds[:credential_source][:executable].nil?
|
|
85
|
+
return Google::Auth::ExternalAccount::PluggableAuthCredentials.new user_creds
|
|
86
|
+
end
|
|
83
87
|
raise INVALID_EXTERNAL_ACCOUNT_TYPE
|
|
84
88
|
end
|
|
85
89
|
end
|
data/lib/googleauth/id_tokens.rb
CHANGED
|
@@ -153,7 +153,7 @@ module Google
|
|
|
153
153
|
# one of the provided values, or the verification will fail with
|
|
154
154
|
# {Google::Auth::IDToken::AuthorizedPartyMismatchError}. If `nil`
|
|
155
155
|
# (the default), no azp checking is performed.
|
|
156
|
-
# @param
|
|
156
|
+
# @param iss [String,Array<String>,nil] The expected issuer. At least
|
|
157
157
|
# one `iss` field in the token must match at least one of the
|
|
158
158
|
# provided issuers, or the verification will fail with
|
|
159
159
|
# {Google::Auth::IDToken::IssuerMismatchError}. If `nil`, no issuer
|
|
@@ -191,7 +191,7 @@ module Google
|
|
|
191
191
|
# one of the provided values, or the verification will fail with
|
|
192
192
|
# {Google::Auth::IDToken::AuthorizedPartyMismatchError}. If `nil`
|
|
193
193
|
# (the default), no azp checking is performed.
|
|
194
|
-
# @param
|
|
194
|
+
# @param iss [String,Array<String>,nil] The expected issuer. At least
|
|
195
195
|
# one `iss` field in the token must match at least one of the
|
|
196
196
|
# provided issuers, or the verification will fail with
|
|
197
197
|
# {Google::Auth::IDToken::IssuerMismatchError}. If `nil`, no issuer
|
data/lib/googleauth/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: googleauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.7.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tim Emiola
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-07-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: faraday
|
|
@@ -145,6 +145,7 @@ files:
|
|
|
145
145
|
- lib/googleauth/external_account/base_credentials.rb
|
|
146
146
|
- lib/googleauth/external_account/external_account_utils.rb
|
|
147
147
|
- lib/googleauth/external_account/identity_pool_credentials.rb
|
|
148
|
+
- lib/googleauth/external_account/pluggable_credentials.rb
|
|
148
149
|
- lib/googleauth/helpers/connection.rb
|
|
149
150
|
- lib/googleauth/iam.rb
|
|
150
151
|
- lib/googleauth/id_tokens.rb
|