googleauth 1.8.0 → 1.15.0

data/lib/googleauth/external_account.rb

@@ -15,6 +15,7 @@
 require "time"
 require "uri"
 require "googleauth/credentials_loader"
+require "googleauth/errors"
 require "googleauth/external_account/aws_credentials"
 require "googleauth/external_account/identity_pool_credentials"
 require "googleauth/external_account/pluggable_credentials"
@@ -35,30 +36,41 @@ module Google
 
         # Create a ExternalAccount::Credentials
         #
-        # @param json_key_io [IO] an IO from which the JSON key can be read
-        # @param scope [String,Array,nil] the scope(s) to access
+        # @param options [Hash] Options for creating credentials
+        # @option options [IO] :json_key_io (required) An IO object containing the JSON key
+        # @option options [String,Array,nil] :scope The scope(s) to access
+        # @return [Google::Auth::ExternalAccount::AwsCredentials,
+        #   Google::Auth::ExternalAccount::IdentityPoolCredentials,
+        #   Google::Auth::ExternalAccount::PluggableAuthCredentials]
+        #   The appropriate external account credentials based on the credential source
+        # @raise [Google::Auth::InitializationError] If the json file is missing, lacks required fields,
+        #   or does not contain a supported credential source
         def self.make_creds options = {}
           json_key_io, scope = options.values_at :json_key_io, :scope
 
-          raise "A json file is required for external account credentials." unless json_key_io
+          raise InitializationError, "A json file is required for external account credentials." unless json_key_io
           user_creds = read_json_key json_key_io
 
           # AWS credentials is determined by aws subject token type
           return make_aws_credentials user_creds, scope if user_creds[:subject_token_type] == AWS_SUBJECT_TOKEN_TYPE
 
-          raise MISSING_CREDENTIAL_SOURCE if user_creds[:credential_source].nil?
+          raise InitializationError, MISSING_CREDENTIAL_SOURCE if user_creds[:credential_source].nil?
           user_creds[:scope] = scope
           make_external_account_credentials user_creds
         end
 
         # Reads the required fields from the JSON.
+        #
+        # @param json_key_io [IO] An IO object containing the JSON key
+        # @return [Hash] The parsed JSON key
+        # @raise [Google::Auth::InitializationError] If the JSON is missing required fields
         def self.read_json_key json_key_io
           json_key = MultiJson.load json_key_io.read, symbolize_keys: true
           wanted = [
             :audience, :subject_token_type, :token_url, :credential_source
           ]
           wanted.each do |key|
-            raise "the json is missing the #{key} field" unless json_key.key? key
+            raise InitializationError, "the json is missing the #{key} field" unless json_key.key? key
           end
           json_key
         end
@@ -66,6 +78,11 @@ module Google
         class << self
           private
 
+          # Creates AWS credentials from the provided user credentials
+          #
+          # @param user_creds [Hash] The user credentials containing AWS credential source information
+          # @param scope [String,Array,nil] The scope(s) to access
+          # @return [Google::Auth::ExternalAccount::AwsCredentials] The AWS credentials
           def make_aws_credentials user_creds, scope
             Google::Auth::ExternalAccount::AwsCredentials.new(
               audience: user_creds[:audience],
@@ -73,10 +90,18 @@ module Google
               subject_token_type: user_creds[:subject_token_type],
               token_url: user_creds[:token_url],
               credential_source: user_creds[:credential_source],
-              service_account_impersonation_url: user_creds[:service_account_impersonation_url]
+              service_account_impersonation_url: user_creds[:service_account_impersonation_url],
+              universe_domain: user_creds[:universe_domain]
             )
           end
 
+          # Creates the appropriate external account credentials based on the credential source type
+          #
+          # @param user_creds [Hash] The user credentials containing credential source information
+          # @return [Google::Auth::ExternalAccount::IdentityPoolCredentials,
+          #   Google::Auth::ExternalAccount::PluggableAuthCredentials]
+          #   The appropriate external account credentials
+          # @raise [Google::Auth::InitializationError] If the credential source is not a supported type
           def make_external_account_credentials user_creds
             unless user_creds[:credential_source][:file].nil? && user_creds[:credential_source][:url].nil?
               return Google::Auth::ExternalAccount::IdentityPoolCredentials.new user_creds
@@ -84,7 +109,7 @@ module Google
             unless user_creds[:credential_source][:executable].nil?
               return Google::Auth::ExternalAccount::PluggableAuthCredentials.new user_creds
             end
-            raise INVALID_EXTERNAL_ACCOUNT_TYPE
+            raise InitializationError, INVALID_EXTERNAL_ACCOUNT_TYPE
           end
         end
       end

data/lib/googleauth/helpers/connection.rb

@@ -24,7 +24,13 @@ module Google
       module Connection
         module_function
 
-        attr_accessor :default_connection
+        def default_connection
+          @default_connection
+        end
+
+        def default_connection= conn
+          @default_connection = conn
+        end
 
         def connection
           @default_connection || Faraday.default_connection

data/lib/googleauth/iam.rb

@@ -27,8 +27,9 @@ module Google
 
       # Initializes an IAMCredentials.
       #
-      # @param selector the IAM selector.
-      # @param token the IAM token.
+      # @param selector [String] The IAM selector.
+      # @param token [String] The IAM token.
+      # @raise [TypeError] If selector or token is not a String
       def initialize selector, token
         raise TypeError unless selector.is_a? String
         raise TypeError unless token.is_a? String
@@ -37,13 +38,19 @@ module Google
       end
 
       # Adds the credential fields to the hash.
+      #
+      # @param a_hash [Hash] The hash to update with credentials
+      # @return [Hash] The updated hash with credentials
       def apply! a_hash
         a_hash[SELECTOR_KEY] = @selector
         a_hash[TOKEN_KEY] = @token
         a_hash
       end
 
-      # Returns a clone of a_hash updated with the authoriation header
+      # Returns a clone of a_hash updated with the authorization header
+      #
+      # @param a_hash [Hash] The hash to clone and update with credentials
+      # @return [Hash] A new hash with credentials
       def apply a_hash
         a_copy = a_hash.clone
         apply! a_copy
@@ -52,9 +59,18 @@ module Google
 
       # Returns a reference to the #apply method, suitable for passing as
       # a closure
+      #
+      # @return [Proc] A procedure that updates a hash with credentials
       def updater_proc
         proc { |a_hash, _opts = {}| apply a_hash }
       end
+
+      # Returns the IAM authority selector as the principal
+      # @private
+      # @return [String] the IAM authoirty selector
+      def principal
+        @selector
+      end
     end
   end
 end

data/lib/googleauth/id_tokens/errors.rb

@@ -14,6 +14,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+require "googleauth/errors"
+
 
 module Google
   module Auth
@@ -21,35 +23,39 @@ module Google
       ##
       # Failed to obtain keys from the key source.
       #
-      class KeySourceError < StandardError; end
+      class KeySourceError < StandardError
+        include Google::Auth::Error
+      end
 
       ##
       # Failed to verify a token.
       #
-      class VerificationError < StandardError; end
+      class VerificationError < StandardError
+        include Google::Auth::Error
+      end
 
       ##
-      # Failed to verify a token because it is expired.
+      # Failed to verify token because it is expired.
       #
       class ExpiredTokenError < VerificationError; end
 
       ##
-      # Failed to verify a token because its signature did not match.
+      # Failed to verify token because its signature did not match.
       #
       class SignatureError < VerificationError; end
 
       ##
-      # Failed to verify a token because its issuer did not match.
+      # Failed to verify token because its issuer did not match.
       #
       class IssuerMismatchError < VerificationError; end
 
       ##
-      # Failed to verify a token because its audience did not match.
+      # Failed to verify token because its audience did not match.
       #
       class AudienceMismatchError < VerificationError; end
 
       ##
-      # Failed to verify a token because its authorized party did not match.
+      # Failed to verify token because its authorized party did not match.
       #
       class AuthorizedPartyMismatchError < VerificationError; end
     end

data/lib/googleauth/id_tokens/key_sources.rb

@@ -72,8 +72,8 @@ module Google
           #
           # @param jwk [Hash,String] The JWK specification.
           # @return [KeyInfo]
-          # @raise [KeySourceError] If the key could not be extracted from the
-          #     JWK.
+          # @raise [Google::Auth::IDTokens::KeySourceError] If the key could not be extracted from the
+          #     JWK due to invalid type, malformed JSON, or invalid key data.
           #
           def from_jwk jwk
             jwk = symbolize_keys ensure_json_parsed jwk
@@ -94,10 +94,10 @@ module Google
           # Create an array of KeyInfo from a JWK Set, which may be given as
           # either a hash or an unparsed JSON string.
           #
-          # @param jwk [Hash,String] The JWK Set specification.
+          # @param jwk_set [Hash,String] The JWK Set specification.
           # @return [Array<KeyInfo>]
-          # @raise [KeySourceError] If a key could not be extracted from the
-          #     JWK Set.
+          # @raise [Google::Auth::IDTokens::KeySourceError] If a key could not be extracted from the
+          #     JWK Set, or if the set contains no keys.
           #
           def from_jwk_set jwk_set
             jwk_set = symbolize_keys ensure_json_parsed jwk_set
@@ -261,7 +261,8 @@ module Google
         # return the new keys.
         #
         # @return [Array<KeyInfo>]
-        # @raise [KeySourceError] if key retrieval failed.
+        # @raise [Google::Auth::IDTokens::KeySourceError] If key retrieval fails, JSON parsing
+        #     fails, or the data cannot be interpreted as keys
         #
         def refresh_keys
           @monitor.synchronize do
@@ -310,6 +311,11 @@ module Google
 
         protected
 
+        # Interpret JSON data as X509 certificates
+        #
+        # @param data [Hash] The JSON data containing certificate strings
+        # @return [Array<KeyInfo>] Array of key info objects
+        # @raise [Google::Auth::IDTokens::KeySourceError] If X509 certificates cannot be parsed
         def interpret_json data
           data.map do |id, cert_str|
             key = OpenSSL::X509::Certificate.new(cert_str).public_key
@@ -371,7 +377,7 @@ module Google
         # Attempt to refresh keys and return the new keys.
         #
         # @return [Array<KeyInfo>]
-        # @raise [KeySourceError] if key retrieval failed.
+        # @raise [Google::Auth::IDTokens::KeySourceError] If key retrieval failed for any source.
         #
         def refresh_keys
           @sources.flat_map(&:refresh_keys)

data/lib/googleauth/id_tokens/verifier.rb

@@ -61,10 +61,9 @@ module Google
         # @param iss [String,nil] If given, override the `iss` check.
         #
         # @return [Hash] the decoded payload, if verification succeeded.
-        # @raise [KeySourceError] if the key source failed to obtain public keys
-        # @raise [VerificationError] if the token verification failed.
+        # @raise [Google::Auth::IDTokens::KeySourceError] if the key source failed to obtain public keys
+        # @raise [Google::Auth::IDTokens::VerificationError] if the token verification failed.
         #     Additional data may be available in the error subclass and message.
-        #
         def verify token,
                    key_source: :default,
                    aud:        :default,

data/lib/googleauth/id_tokens.rb

@@ -160,15 +160,14 @@ module Google
         #     checking is performed. Default is to check against {OIDC_ISSUERS}.
         #
         # @return [Hash] The decoded token payload.
-        # @raise [KeySourceError] if the key source failed to obtain public keys
-        # @raise [VerificationError] if the token verification failed.
+        # @raise [Google::Auth::IDTokens::KeySourceError] if the key source failed to obtain public keys
+        # @raise [Google::Auth::IDTokens::VerificationError] if the token verification failed.
         #     Additional data may be available in the error subclass and message.
         #
         def verify_oidc token,
                         aud: nil,
                         azp: nil,
                         iss: OIDC_ISSUERS
-
           verifier = Verifier.new key_source: oidc_key_source,
                                   aud:        aud,
                                   azp:        azp,
@@ -198,15 +197,14 @@ module Google
         #     checking is performed. Default is to check against {IAP_ISSUERS}.
         #
         # @return [Hash] The decoded token payload.
-        # @raise [KeySourceError] if the key source failed to obtain public keys
-        # @raise [VerificationError] if the token verification failed.
+        # @raise [Google::Auth::IDTokens::KeySourceError] if the key source failed to obtain public keys
+        # @raise [Google::Auth::IDTokens::VerificationError] if the token verification failed.
         #     Additional data may be available in the error subclass and message.
         #
         def verify_iap token,
                        aud: nil,
                        azp: nil,
                        iss: IAP_ISSUERS
-
           verifier = Verifier.new key_source: iap_key_source,
                                   aud:        aud,
                                   azp:        azp,

data/lib/googleauth/impersonated_service_account.rb

@@ -0,0 +1,329 @@
+# Copyright 2024 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "googleauth/base_client"
+require "googleauth/errors"
+require "googleauth/helpers/connection"
+
+module Google
+  module Auth
+    # Authenticates requests using impersonation from base credentials.
+    # This is a two-step process: first authentication claim from the base credentials is created
+    # and then that claim is exchanged for a short-lived token at an IAMCredentials endpoint.
+    # The short-lived token and its expiration time are cached.
+    class ImpersonatedServiceAccountCredentials
+      # @private
+      ERROR_SUFFIX = <<~ERROR.freeze
+        when trying to get security access token
+        from IAM Credentials endpoint using the credentials provided.
+      ERROR
+
+      # @private
+      IAM_SCOPE = ["https://www.googleapis.com/auth/iam".freeze].freeze
+
+      # BaseClient most importantly implements the `:updater_proc` getter,
+      # that returns a reference to an `apply!` method that updates
+      # a hash argument provided with the authorization header containing
+      # the access token (impersonation token in this case).
+      include Google::Auth::BaseClient
+
+      include Helpers::Connection
+
+      # @return [Object] The original authenticated credentials used to fetch short-lived impersonation access tokens
+      attr_reader :base_credentials
+
+      # @return [Object] The modified version of base credentials, tailored for impersonation purposes
+      #   with necessary scope adjustments
+      attr_reader :source_credentials
+
+      # @return [String] The URL endpoint used to generate an impersonation token. This URL should follow a specific
+      #   format to specify the impersonated service account.
+      attr_reader :impersonation_url
+
+      # @return [Array<String>, String] The scope(s) required for the impersonated access token,
+      #   indicating the permissions needed for the short-lived token
+      attr_reader :scope
+
+      # @return [String, nil] The short-lived impersonation access token, retrieved and cached
+      #   after making the impersonation request
+      attr_reader :access_token
+
+      # @return [Time, nil] The expiration time of the current access token, used to determine
+      #   if the token is still valid
+      attr_reader :expires_at
+
+      # Create a ImpersonatedServiceAccountCredentials
+      # When you use service account impersonation, you start with an authenticated principal
+      # (e.g. your user account or a service account)
+      # and request short-lived credentials for a service account
+      # that has the authorization that your use case requires.
+      #
+      # @param options [Hash] A hash of options to configure the credentials.
+      # @option options [Object] :base_credentials (required) The authenticated principal.
+      #   It will be used as following:
+      #   * will be duplicated (with IAM scope) to create the source credentials if it supports duplication
+      #   * as source credentials otherwise.
+      # @option options [String] :impersonation_url (required) The URL to impersonate the service account.
+      #   This URL should follow the format:
+      #   `https://iamcredentials.{universe_domain}/v1/projects/-/serviceAccounts/{source_sa_email}:generateAccessToken`,
+      #   where:
+      #     - `{universe_domain}` is the domain of the IAMCredentials API endpoint (e.g., `googleapis.com`).
+      #     - `{source_sa_email}` is the email address of the service account to impersonate.
+      # @option options [Array<String>, String] :scope (required) The scope(s) for the short-lived impersonation token,
+      #   defining the permissions required for the token.
+      # @option options [Object] :source_credentials The authenticated principal that will be used
+      #   to fetch the short-lived impersonation access token. It is an alternative to providing the base credentials.
+      #
+      # @return [Google::Auth::ImpersonatedServiceAccountCredentials]
+      def self.make_creds options = {}
+        new options
+      end
+
+      # Initializes a new instance of ImpersonatedServiceAccountCredentials.
+      #
+      # @param options [Hash] A hash of options to configure the credentials.
+      # @option options [Object] :base_credentials (required) The authenticated principal.
+      #   It will be used as following:
+      #   * will be duplicated (with IAM scope) to create the source credentials if it supports duplication
+      #   * as source credentials otherwise.
+      # @option options [String] :impersonation_url (required) The URL to impersonate the service account.
+      #   This URL should follow the format:
+      #   `https://iamcredentials.{universe_domain}/v1/projects/-/serviceAccounts/{source_sa_email}:generateAccessToken`,
+      #   where:
+      #     - `{universe_domain}` is the domain of the IAMCredentials API endpoint (e.g., `googleapis.com`).
+      #     - `{source_sa_email}` is the email address of the service account to impersonate.
+      # @option options [Array<String>, String] :scope (required) The scope(s) for the short-lived impersonation token,
+      #   defining the permissions required for the token.
+      # @option options [Object] :source_credentials The authenticated principal that will be used
+      #   to fetch the short-lived impersonation access token. It is an alternative to providing the base credentials.
+      #   It is redundant to provide both source and base credentials as only source will be used,
+      #   but it can be done, e.g. when duplicating existing credentials.
+      #
+      # @raise [ArgumentError] If any of the required options are missing.
+      #
+      # @return [Google::Auth::ImpersonatedServiceAccountCredentials]
+      def initialize options = {}
+        @base_credentials, @impersonation_url, @scope =
+          options.values_at :base_credentials,
+                            :impersonation_url,
+                            :scope
+
+        # Fail-fast checks for required parameters
+        if @base_credentials.nil? && !options.key?(:source_credentials)
+          raise ArgumentError, "Missing required option: either :base_credentials or :source_credentials"
+        end
+        raise ArgumentError, "Missing required option: :impersonation_url" if @impersonation_url.nil?
+        raise ArgumentError, "Missing required option: :scope" if @scope.nil?
+
+        # Some credentials (all Signet-based ones and this one) include scope and a bunch of transient state
+        # (e.g. refresh status) as part of themselves
+        # so a copy needs to be created with the scope overriden and transient state dropped.
+        #
+        # If a credentials does not support `duplicate` we'll try to use it as is assuming it has a broad enough scope.
+        # This might result in an "access denied" error downstream when the token from that credentials is being used
+        # for the token exchange.
+        @source_credentials = if options.key? :source_credentials
+                                options[:source_credentials]
+                              elsif @base_credentials.respond_to? :duplicate
+                                @base_credentials.duplicate({
+                                                              scope: IAM_SCOPE
+                                                            })
+                              else
+                                @base_credentials
+                              end
+      end
+
+      # Determines whether the current access token expires within the specified number of seconds.
+      #
+      # @param seconds [Integer] The number of seconds to check against the token's expiration time.
+      #
+      # @return [Boolean] Whether the access token expires within the given time frame
+      def expires_within? seconds
+        # This method is needed for BaseClient
+        @expires_at && @expires_at - Time.now.utc < seconds
+      end
+
+      # The universe domain of the impersonated credentials.
+      # Effectively this retrieves the universe domain of the source credentials.
+      #
+      # @return [String] The universe domain of the credentials.
+      def universe_domain
+        @source_credentials.universe_domain
+      end
+
+      # @return [Logger, nil] The logger of the credentials.
+      def logger
+        @source_credentials.logger if source_credentials.respond_to? :logger
+      end
+
+      # Creates a duplicate of these credentials without transient token state
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized
+      #   * `base_credentials` the base credentials used to initialize the impersonation
+      #   * `source_credentials` the authenticated credentials which usually would be
+      #     base credentials with scope overridden to IAM_SCOPE
+      #   * `impersonation_url` the URL to use to make an impersonation token exchange
+      #   * `scope` the scope(s) to access
+      #
+      # @return [Google::Auth::ImpersonatedServiceAccountCredentials]
+      def duplicate options = {}
+        options = deep_hash_normalize options
+
+        options = {
+          base_credentials: @base_credentials,
+          source_credentials: @source_credentials,
+          impersonation_url: @impersonation_url,
+          scope: @scope
+        }.merge(options)
+
+        self.class.new options
+      end
+
+      # The principal behind the credentials. This class allows custom source credentials type
+      # that might not implement `principal`, in which case `:unknown` is returned.
+      #
+      # @private
+      # @return [String, Symbol] The string representation of the principal,
+      #     the token type in lieu of the principal, or :unknown if source principal is unknown.
+      def principal
+        if @source_credentials.respond_to? :principal
+          @source_credentials.principal
+        else
+          :unknown
+        end
+      end
+
+      private
+
+      # Generates a new impersonation access token by exchanging the source credentials' token
+      # at the impersonation URL.
+      #
+      # This method first fetches an access token from the source credentials and then exchanges it
+      # for an impersonation token using the specified impersonation URL. The generated token and
+      # its expiration time are cached for subsequent use.
+      #
+      # @private
+      # @param _options [Hash] (optional) Additional options for token retrieval (currently unused).
+      #
+      # @raise [Google::Auth::UnexpectedStatusError] If the response status is 403 or 500.
+      # @raise [Google::Auth::AuthorizationError] For other unexpected response statuses.
+      #
+      # @return [String] The newly generated impersonation access token.
+      def fetch_access_token! _options = {}
+        auth_header = prepare_auth_header
+        resp = make_impersonation_request auth_header
+
+        case resp.status
+        when 200
+          response = MultiJson.load resp.body
+          self.expires_at = response["expireTime"]
+          @access_token = response["accessToken"]
+          access_token
+        when 403, 500
+          handle_error_response resp, UnexpectedStatusError
+        else
+          handle_error_response resp, AuthorizationError
+        end
+      end
+
+      # Prepares the authorization header for the impersonation request
+      # by fetching a token from source credentials.
+      #
+      # @private
+      # @return [Hash] The authorization header with the source credentials' token
+      def prepare_auth_header
+        auth_header = {}
+        @source_credentials.updater_proc.call auth_header
+        auth_header
+      end
+
+      # Makes the HTTP request to the impersonation endpoint.
+      #
+      # @private
+      # @param [Hash] auth_header The authorization header containing the source token
+      # @return [Faraday::Response] The HTTP response from the impersonation endpoint
+      def make_impersonation_request auth_header
+        connection.post @impersonation_url do |req|
+          req.headers.merge! auth_header
+          req.headers["Content-Type"] = "application/json"
+          req.body = MultiJson.dump({ scope: @scope })
+        end
+      end
+
+      # Creates and raises an appropriate error based on the response.
+      #
+      # @private
+      # @param [Faraday::Response] resp The HTTP response
+      # @param [Class] error_class The error class to instantiate
+      # @raise [StandardError] The appropriate error with details
+      def handle_error_response resp, error_class
+        msg = "Unexpected error code #{resp.status}.\n #{resp.env.response_body} #{ERROR_SUFFIX}"
+        raise error_class.with_details(
+          msg,
+          credential_type_name: self.class.name,
+          principal: principal
+        )
+      end
+
+      # Setter for the expires_at value that makes sure it is converted
+      # to Time object.
+      def expires_at= new_expires_at
+        @expires_at = normalize_timestamp new_expires_at
+      end
+
+      # Returns the type of token (access_token).
+      # This method is needed for BaseClient.
+      def token_type
+        :access_token
+      end
+
+      # Normalizes a timestamp to a Time object.
+      #
+      # @param time [Time, String, nil] The timestamp to normalize.
+      #
+      # @return [Time, nil] The normalized Time object, or nil if the input is nil.
+      #
+      # @raise [Google::Auth::CredentialsError] If the input is not a Time, String, or nil.
+      def normalize_timestamp time
+        case time
+        when NilClass
+          nil
+        when Time
+          time
+        when String
+          Time.parse time
+        else
+          message = "Invalid time value #{time}"
+          raise CredentialsError.with_details(message, credential_type_name: self.class.name, principal: principal)
+        end
+      end
+
+      # Convert all keys in this hash (nested) to symbols for uniform retrieval
+      def recursive_hash_normalize_keys val
+        if val.is_a? Hash
+          deep_hash_normalize val
+        else
+          val
+        end
+      end
+
+      def deep_hash_normalize old_hash
+        sym_hash = {}
+        old_hash&.each { |k, v| sym_hash[k.to_sym] = recursive_hash_normalize_keys v }
+        sym_hash
+      end
+    end
+  end
+end