googleauth 1.6.0 → 1.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 146d1c41b29049fb35b0cc5c4934a811eb547f3d3000a95e3fbd8a24fc2b86bb
-  data.tar.gz: cb613b51160da7a51c545728ce03dac8977fee8f1806b72eca97997d28645450
+  metadata.gz: 5437d56e0c86ce235d37a202af1a28219a9caeb0bc0f8abac5540cc1d73edf28
+  data.tar.gz: f56369065e2abc56fb51abccc5003264f8c9ef3e745c202e06e5cb4c6b083d84
 SHA512:
-  metadata.gz: 39289ca31ac785dffbb151a71c6b8337d442db75e3d2d3fcfa94a4c5656076c5965c3beb09e55cc80996c189af170f9208dbb84df6adbb9b385ede36850ea6aa
-  data.tar.gz: 442083ee198a5ae04f8924f2360b1512eff862d12f66327d22195dbd75c5475b8d912701d7e41ab21b7c6ceae8f196b229b1f376cf69cb36846f5787f52eeb37
+  metadata.gz: f350fb9178517f4782c1dcf08804f5b0ec6bb12ed6dd460ff9c7a875b5929146bf357d797a52cb976878ef25ca8e3439d90b41dfb0e44fbf0b1cfcdf1109ec85
+  data.tar.gz: 5a1811530c2a2f5321937bdc90f157f7b55cf0b4c77c7c8f98e87474cfd22b06154987279003cefcb3f8cb400f690364078f9dd0302286f6cbd6d94afde826b3

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Release History
 
+### 1.7.0 (2023-07-14)
+
+#### Features
+
+* Adding support for pluggable auth credentials ([#437](https://github.com/googleapis/google-auth-library-ruby/issues/437)) 
+#### Documentation
+
+* fixed iss argument and description in comments of IDTokens ([#438](https://github.com/googleapis/google-auth-library-ruby/issues/438)) 
+
 ### 1.6.0 (2023-06-20)
 
 #### Features

data/lib/googleauth/external_account/external_account_utils.rb

@@ -86,6 +86,17 @@ module Google
             raise "Invalid time value #{time}"
           end
         end
+
+        def service_account_email
+          return nil if @service_account_impersonation_url.nil?
+          start_idx = @service_account_impersonation_url.rindex "/"
+          end_idx = @service_account_impersonation_url.index ":generateAccessToken"
+          if start_idx != -1 && end_idx != -1 && start_idx < end_idx
+            start_idx += 1
+            return @service_account_impersonation_url[start_idx..end_idx]
+          end
+          nil
+        end
       end
     end
   end

data/lib/googleauth/external_account/pluggable_credentials.rb

@@ -0,0 +1,156 @@
+# Copyright 2023 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "open3"
+require "time"
+require "googleauth/external_account/base_credentials"
+require "googleauth/external_account/external_account_utils"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization used to access Google APIs.
+  module Auth
+    module ExternalAccount
+      # This module handles the retrieval of credentials from Google Cloud by utilizing the any 3PI
+      # provider then exchanging the credentials for a short-lived Google Cloud access token.
+      class PluggableAuthCredentials
+        # constant for pluggable auth enablement in environment variable.
+        ENABLE_PLUGGABLE_ENV = "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES".freeze
+        EXECUTABLE_SUPPORTED_MAX_VERSION = 1
+        EXECUTABLE_TIMEOUT_MILLIS_DEFAULT = 30 * 1000
+        EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND = 5 * 1000
+        EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND = 120 * 1000
+        ID_TOKEN_TYPE = ["urn:ietf:params:oauth:token-type:jwt", "urn:ietf:params:oauth:token-type:id_token"].freeze
+
+        include Google::Auth::ExternalAccount::BaseCredentials
+        include Google::Auth::ExternalAccount::ExternalAccountUtils
+        extend CredentialsLoader
+
+        # Will always be nil, but method still gets used.
+        attr_reader :client_id
+
+        # Initialize from options map.
+        #
+        # @param [string] audience
+        # @param [hash{symbol => value}] credential_source
+        #     credential_source is a hash that contains either source file or url.
+        #     credential_source_format is either text or json. To define how we parse the credential response.
+        #
+        def initialize options = {}
+          base_setup options
+
+          @audience = options[:audience]
+          @credential_source = options[:credential_source] || {}
+          @credential_source_executable = @credential_source[:executable]
+          raise "Missing excutable source. An 'executable' must be provided" if @credential_source_executable.nil?
+          @credential_source_executable_command = @credential_source_executable[:command]
+          if @credential_source_executable_command.nil?
+            raise "Missing command field. Executable command must be provided."
+          end
+          @credential_source_executable_timeout_millis = @credential_source_executable[:timeout_millis] ||
+                                                         EXECUTABLE_TIMEOUT_MILLIS_DEFAULT
+          if @credential_source_executable_timeout_millis < EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND ||
+             @credential_source_executable_timeout_millis > EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND
+            raise "Timeout must be between 5 and 120 seconds."
+          end
+          @credential_source_executable_output_file = @credential_source_executable[:output_file]
+        end
+
+        def retrieve_subject_token!
+          unless ENV[ENABLE_PLUGGABLE_ENV] == "1"
+            raise "Executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') " \
+                  "to run."
+          end
+          # check output file first
+          subject_token = load_subject_token_from_output_file
+          return subject_token unless subject_token.nil?
+          # environment variable injection
+          env = inject_environment_variables
+          output = subprocess_with_timeout env, @credential_source_executable_command,
+                                           @credential_source_executable_timeout_millis
+          response = MultiJson.load output, symbolize_keys: true
+          parse_subject_token response
+        end
+
+        private
+
+        def load_subject_token_from_output_file
+          return nil if @credential_source_executable_output_file.nil?
+          return nil unless File.exist? @credential_source_executable_output_file
+          begin
+            content = File.read @credential_source_executable_output_file, encoding: "utf-8"
+            response = MultiJson.load content, symbolize_keys: true
+          rescue StandardError
+            return nil
+          end
+          begin
+            subject_token = parse_subject_token response
+          rescue StandardError => e
+            return nil if e.message.match(/The token returned by the executable is expired/)
+            raise e
+          end
+          subject_token
+        end
+
+        def parse_subject_token response
+          validate_response_schema response
+          unless response[:success]
+            if response[:code].nil? || response[:message].nil?
+              raise "Error code and message fields are required in the response."
+            end
+            raise "Executable returned unsuccessful response: code: #{response[:code]}, message: #{response[:message]}."
+          end
+          if response[:expiration_time] && response[:expiration_time] < Time.now.to_i
+            raise "The token returned by the executable is expired."
+          end
+          raise "The executable response is missing the token_type field." if response[:token_type].nil?
+          return response[:id_token] if ID_TOKEN_TYPE.include? response[:token_type]
+          return response[:saml_response] if response[:token_type] == "urn:ietf:params:oauth:token-type:saml2"
+          raise "Executable returned unsupported token type."
+        end
+
+        def validate_response_schema response
+          raise "The executable response is missing the version field." if response[:version].nil?
+          if response[:version] > EXECUTABLE_SUPPORTED_MAX_VERSION
+            raise "Executable returned unsupported version #{response[:version]}."
+          end
+          raise "The executable response is missing the success field." if response[:success].nil?
+        end
+
+        def inject_environment_variables
+          env = ENV.to_h
+          env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = @audience
+          env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = @subject_token_type
+          env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "0" # only non-interactive mode we support.
+          unless @service_account_impersonation_url.nil?
+            env["GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL"] = service_account_email
+          end
+          unless @credential_source_executable_output_file.nil?
+            env["GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"] = @credential_source_executable_output_file
+          end
+          env
+        end
+
+        def subprocess_with_timeout environment_vars, command, timeout_seconds
+          Timeout.timeout timeout_seconds do
+            output, error, status = Open3.capture3 environment_vars, command
+            unless status.success?
+              raise "Executable exited with non-zero return code #{status.exitstatus}. Error: #{output}, #{error}"
+            end
+            output
+          end
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/external_account.rb

@@ -17,6 +17,7 @@ require "uri"
 require "googleauth/credentials_loader"
 require "googleauth/external_account/aws_credentials"
 require "googleauth/external_account/identity_pool_credentials"
+require "googleauth/external_account/pluggable_credentials"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -80,6 +81,9 @@ module Google
             unless user_creds[:credential_source][:file].nil? && user_creds[:credential_source][:url].nil?
               return Google::Auth::ExternalAccount::IdentityPoolCredentials.new user_creds
             end
+            unless user_creds[:credential_source][:executable].nil?
+              return Google::Auth::ExternalAccount::PluggableAuthCredentials.new user_creds
+            end
             raise INVALID_EXTERNAL_ACCOUNT_TYPE
           end
         end

data/lib/googleauth/id_tokens.rb

@@ -153,7 +153,7 @@ module Google
         #     one of the provided values, or the verification will fail with
         #     {Google::Auth::IDToken::AuthorizedPartyMismatchError}. If `nil`
         #     (the default), no azp checking is performed.
-        # @param aud [String,Array<String>,nil] The expected audience. At least
+        # @param iss [String,Array<String>,nil] The expected issuer. At least
         #     one `iss` field in the token must match at least one of the
         #     provided issuers, or the verification will fail with
         #     {Google::Auth::IDToken::IssuerMismatchError}. If `nil`, no issuer
@@ -191,7 +191,7 @@ module Google
         #     one of the provided values, or the verification will fail with
         #     {Google::Auth::IDToken::AuthorizedPartyMismatchError}. If `nil`
         #     (the default), no azp checking is performed.
-        # @param aud [String,Array<String>,nil] The expected audience. At least
+        # @param iss [String,Array<String>,nil] The expected issuer. At least
         #     one `iss` field in the token must match at least one of the
         #     provided issuers, or the verification will fail with
         #     {Google::Auth::IDToken::IssuerMismatchError}. If `nil`, no issuer

data/lib/googleauth/version.rb

@@ -16,6 +16,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "1.6.0".freeze
+    VERSION = "1.7.0".freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.7.0
 platform: ruby
 authors:
 - Tim Emiola
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-06-23 00:00:00.000000000 Z
+date: 2023-07-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -145,6 +145,7 @@ files:
 - lib/googleauth/external_account/base_credentials.rb
 - lib/googleauth/external_account/external_account_utils.rb
 - lib/googleauth/external_account/identity_pool_credentials.rb
+- lib/googleauth/external_account/pluggable_credentials.rb
 - lib/googleauth/helpers/connection.rb
 - lib/googleauth/iam.rb
 - lib/googleauth/id_tokens.rb