googleauth 1.8.0 → 1.15.0

data/lib/googleauth/signet.rb

@@ -12,8 +12,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+require "base64"
+require "json"
 require "signet/oauth_2/client"
 require "googleauth/base_client"
+require "googleauth/errors"
 
 module Signet
   # OAuth2 supports OAuth2 authentication.
@@ -25,6 +28,33 @@ module Signet
     class Client
       include Google::Auth::BaseClient
 
+      alias update_token_signet_base update_token!
+
+      def update_token! options = {}
+        options = deep_hash_normalize options
+        id_token_expires_at = expires_at_from_id_token options[:id_token]
+        options[:expires_at] = id_token_expires_at if id_token_expires_at
+        update_token_signet_base options
+        self.universe_domain = options[:universe_domain] if options.key? :universe_domain
+        self
+      end
+
+      alias update_signet_base update!
+      def update! options = {}
+        # Normalize all keys to symbols to allow indifferent access.
+        options = deep_hash_normalize options
+
+        # This `update!` method "overide" adds the `@logger`` update and
+        # the `universe_domain` update.
+        #
+        # The `universe_domain` is also updated in `update_token!` but is
+        # included here for completeness
+        self.universe_domain = options[:universe_domain] if options.key? :universe_domain
+        @logger = options[:logger] if options.key? :logger
+
+        update_signet_base options
+      end
+
       def configure_connection options
         @connection_info =
           options[:connection_builder] || options[:default_connection]
@@ -36,6 +66,9 @@ module Signet
         target_audience ? :id_token : :access_token
       end
 
+      # Set the universe domain
+      attr_accessor :universe_domain
+
       alias orig_fetch_access_token! fetch_access_token!
       def fetch_access_token! options = {}
         unless options[:connection]
@@ -49,6 +82,24 @@ module Signet
         info
       end
 
+      alias googleauth_orig_generate_access_token_request generate_access_token_request
+      def generate_access_token_request options = {}
+        parameters = googleauth_orig_generate_access_token_request options
+        logger&.info do
+          Google::Logging::Message.from(
+            message: "Requesting access token from #{parameters['grant_type']}",
+            "credentialsId" => object_id
+          )
+        end
+        logger&.debug do
+          Google::Logging::Message.from(
+            message: "Token fetch params: #{parameters}",
+            "credentialsId" => object_id
+          )
+        end
+        parameters
+      end
+
       def build_default_connection
         if !defined?(@connection_info)
           nil
@@ -59,24 +110,138 @@ module Signet
         end
       end
 
+      # rubocop:disable Metrics/MethodLength
+
+      # Retries the provided block with exponential backoff, handling and wrapping errors.
+      #
+      # @param [Integer] max_retry_count The maximum number of retries before giving up
+      # @yield The block to execute and potentially retry
+      # @return [Object] The result of the block if successful
+      # @raise [Google::Auth::AuthorizationError] If a Signet::AuthorizationError occurs or if retries are exhausted
+      # @raise [Google::Auth::ParseError] If a Signet::ParseError occurs during token parsing
       def retry_with_error max_retry_count = 5
         retry_count = 0
 
         begin
-          yield
+          yield.tap { |resp| log_response resp }
+        rescue Signet::AuthorizationError, Signet::ParseError => e
+          log_auth_error e
+          error_class = e.is_a?(Signet::ParseError) ? Google::Auth::ParseError : Google::Auth::AuthorizationError
+          raise error_class.with_details(
+            e.message,
+            credential_type_name: self.class.name,
+            principal: respond_to?(:principal) ? principal : :signet_client
+          )
         rescue StandardError => e
-          raise e if e.is_a?(Signet::AuthorizationError) || e.is_a?(Signet::ParseError)
-
           if retry_count < max_retry_count
+            log_transient_error e
             retry_count += 1
             sleep retry_count * 0.3
             retry
           else
+            log_retries_exhausted e
             msg = "Unexpected error: #{e.inspect}"
-            raise Signet::AuthorizationError, msg
+            raise Google::Auth::AuthorizationError.with_details(
+              msg,
+              credential_type_name: self.class.name,
+              principal: respond_to?(:principal) ? principal : :signet_client
+            )
           end
         end
       end
+      # rubocop:enable Metrics/MethodLength
+
+      # Creates a duplicate of these credentials
+      # without the Signet::OAuth2::Client-specific
+      # transient state (e.g. cached tokens)
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      # @see Signet::OAuth2::Client#update!
+      def duplicate options = {}
+        options = deep_hash_normalize options
+
+        opts = {
+          authorization_uri: @authorization_uri,
+          token_credential_uri: @token_credential_uri,
+          client_id: @client_id,
+          client_secret: @client_secret,
+          scope: @scope,
+          target_audience: @target_audience,
+          redirect_uri: @redirect_uri,
+          username: @username,
+          password: @password,
+          issuer: @issuer,
+          person: @person,
+          sub: @sub,
+          audience: @audience,
+          signing_key: @signing_key,
+          extension_parameters: @extension_parameters,
+          additional_parameters: @additional_parameters,
+          access_type: @access_type,
+          universe_domain: @universe_domain,
+          logger: @logger
+        }.merge(options)
+
+        new_client = self.class.new opts
+
+        new_client.configure_connection options
+      end
+
+      private
+
+      def expires_at_from_id_token id_token
+        match = /^[\w=-]+\.([\w=-]+)\.[\w=-]+$/.match id_token.to_s
+        return unless match
+        json = JSON.parse Base64.urlsafe_decode64 match[1]
+        return unless json.key? "exp"
+        Time.at json["exp"].to_i
+      rescue StandardError
+        # Shouldn't happen unless we get a garbled ID token
+        nil
+      end
+
+      def log_response token_response
+        response_hash = JSON.parse token_response rescue {}
+        if response_hash["access_token"]
+          digest = Digest::SHA256.hexdigest response_hash["access_token"]
+          response_hash["access_token"] = "(sha256:#{digest})"
+        end
+        if response_hash["id_token"]
+          digest = Digest::SHA256.hexdigest response_hash["id_token"]
+          response_hash["id_token"] = "(sha256:#{digest})"
+        end
+        Google::Logging::Message.from(
+          message: "Received auth token response: #{response_hash}",
+          "credentialsId" => object_id
+        )
+      end
+
+      def log_auth_error err
+        logger&.info do
+          Google::Logging::Message.from(
+            message: "Auth error when fetching auth token: #{err}",
+            "credentialsId" => object_id
+          )
+        end
+      end
+
+      def log_transient_error err
+        logger&.info do
+          Google::Logging::Message.from(
+            message: "Transient error when fetching auth token: #{err}",
+            "credentialsId" => object_id
+          )
+        end
+      end
+
+      def log_retries_exhausted err
+        logger&.info do
+          Google::Logging::Message.from(
+            message: "Exhausted retries when fetching auth token: #{err}",
+            "credentialsId" => object_id
+          )
+        end
+      end
     end
   end
 end

data/lib/googleauth/token_store.rb

@@ -29,7 +29,7 @@ module Google
       # @return [String]
       #  The loaded token data.
       def load _id
-        raise "Not implemented"
+        raise NoMethodError, "load not implemented"
       end
 
       # Put the token data into storage for the given ID.
@@ -39,7 +39,7 @@ module Google
       # @param [String] token
       #  The token data to store.
       def store _id, _token
-        raise "Not implemented"
+        raise NoMethodError, "store not implemented"
       end
 
       # Remove the token data from storage for the given ID.
@@ -47,7 +47,7 @@ module Google
       # @param [String] id
       #  ID of the token data to delete
       def delete _id
-        raise "Not implemented"
+        raise NoMethodError, "delete not implemented"
       end
     end
   end

data/lib/googleauth/user_authorizer.rb

@@ -16,6 +16,7 @@ require "uri"
 require "multi_json"
 require "googleauth/signet"
 require "googleauth/user_refresh"
+require "securerandom"
 
 module Google
   module Auth
@@ -54,17 +55,28 @@ module Google
       #  Authorization scope to request
       # @param [Google::Auth::Stores::TokenStore] token_store
       #  Backing storage for persisting user credentials
-      # @param [String] callback_uri
+      # @param [String] legacy_callback_uri
       #  URL (either absolute or relative) of the auth callback.
-      #  Defaults to '/oauth2callback'
-      def initialize client_id, scope, token_store, callback_uri = nil
-        raise NIL_CLIENT_ID_ERROR if client_id.nil?
-        raise NIL_SCOPE_ERROR if scope.nil?
+      #  Defaults to '/oauth2callback'.
+      #  @deprecated This field is deprecated. Instead, use the keyword
+      #   argument callback_uri.
+      # @param [String] code_verifier
+      #  Random string of 43-128 chars used to verify the key exchange using
+      #  PKCE.
+      # @raise [Google::Auth::InitializationError]
+      #  If client_id is nil or scope is nil
+      def initialize client_id, scope, token_store,
+                     legacy_callback_uri = nil,
+                     callback_uri: nil,
+                     code_verifier: nil
+        raise InitializationError, NIL_CLIENT_ID_ERROR if client_id.nil?
+        raise InitializationError, NIL_SCOPE_ERROR if scope.nil?
 
         @client_id = client_id
         @scope = Array(scope)
         @token_store = token_store
-        @callback_uri = callback_uri || "/oauth2callback"
+        @callback_uri = legacy_callback_uri || callback_uri || "/oauth2callback"
+        @code_verifier = code_verifier
       end
 
       # Build the URL for requesting authorization.
@@ -86,6 +98,18 @@ module Google
       #  Authorization url
       def get_authorization_url options = {}
         scope = options[:scope] || @scope
+
+        options[:additional_parameters] ||= {}
+
+        if @code_verifier
+          options[:additional_parameters].merge!(
+            {
+              code_challenge: generate_code_challenge(@code_verifier),
+              code_challenge_method: code_challenge_method
+            }
+          )
+        end
+
         credentials = UserRefreshCredentials.new(
           client_id:     @client_id.id,
           client_secret: @client_id.secret,
@@ -111,14 +135,19 @@ module Google
       #  the requested scopes
       # @return [Google::Auth::UserRefreshCredentials]
       #  Stored credentials, nil if none present
+      # @raise [Google::Auth::CredentialsError]
+      #  If the client ID in the stored token doesn't match the configured client ID
       def get_credentials user_id, scope = nil
         saved_token = stored_token user_id
         return nil if saved_token.nil?
         data = MultiJson.load saved_token
 
         if data.fetch("client_id", @client_id.id) != @client_id.id
-          raise format(MISMATCHED_CLIENT_ID_ERROR,
-                       data["client_id"], @client_id.id)
+          raise CredentialsError.with_details(
+            format(MISMATCHED_CLIENT_ID_ERROR, data["client_id"], @client_id.id),
+            credential_type_name: self.class.name,
+            principal: principal
+          )
         end
 
         credentials = UserRefreshCredentials.new(
@@ -157,6 +186,8 @@ module Google
         code = options[:code]
         scope = options[:scope] || @scope
         base_url = options[:base_url]
+        options[:additional_parameters] ||= {}
+        options[:additional_parameters].merge!({ code_verifier: @code_verifier })
         credentials = UserRefreshCredentials.new(
           client_id:             @client_id.id,
           client_secret:         @client_id.secret,
@@ -216,6 +247,8 @@ module Google
       #  Unique ID of the user for loading/storing credentials.
       # @param [Google::Auth::UserRefreshCredentials] credentials
       #  Credentials to store.
+      # @return [Google::Auth::UserRefreshCredentials]
+      #  The stored credentials
       def store_credentials user_id, credentials
         json = MultiJson.dump(
           client_id:              credentials.client_id,
@@ -228,6 +261,32 @@ module Google
         credentials
       end
 
+      # The code verifier for PKCE for OAuth 2.0. When set, the
+      # authorization URI will contain the Code Challenge and Code
+      # Challenge Method querystring parameters, and the token URI will
+      # contain the Code Verifier parameter.
+      #
+      # @param [String|nil] new_code_erifier
+      def code_verifier= new_code_verifier
+        @code_verifier = new_code_verifier
+      end
+
+      # Generate the code verifier needed to be sent while fetching
+      # authorization URL.
+      def self.generate_code_verifier
+        random_number = rand 32..96
+        SecureRandom.alphanumeric random_number
+      end
+
+      # Returns the principal identifier for this authorizer
+      # The client ID is used as the principal for user authorizers
+      #
+      # @private
+      # @return [String] The client ID associated with this authorizer
+      def principal
+        @client_id.id
+      end
+
       private
 
       # @private Fetch stored token with given user_id
@@ -235,9 +294,11 @@ module Google
       # @param [String] user_id
       #  Unique ID of the user for loading/storing credentials.
       # @return [String] The saved token from @token_store
+      # @raise [Google::Auth::InitializationError]
+      #  If user_id is nil or token_store is nil
       def stored_token user_id
-        raise NIL_USER_ID_ERROR if user_id.nil?
-        raise NIL_TOKEN_STORE_ERROR if @token_store.nil?
+        raise InitializationError, NIL_USER_ID_ERROR if user_id.nil?
+        raise InitializationError, NIL_TOKEN_STORE_ERROR if @token_store.nil?
 
         @token_store.load user_id
       end
@@ -262,9 +323,17 @@ module Google
       #  Absolute URL to resolve the callback against if necessary.
       # @return [String]
       #  Redirect URI
+      # @raise [Google::Auth::CredentialsError]
+      #  If the callback URI is relative and base_url is nil or not absolute
       def redirect_uri_for base_url
         return @callback_uri if uri_is_postmessage?(@callback_uri) || !URI(@callback_uri).scheme.nil?
-        raise format(MISSING_ABSOLUTE_URL_ERROR, @callback_uri) if base_url.nil? || URI(base_url).scheme.nil?
+        if base_url.nil? || URI(base_url).scheme.nil?
+          raise CredentialsError.with_details(
+            format(MISSING_ABSOLUTE_URL_ERROR, @callback_uri),
+            credential_type_name: self.class.name,
+            principal: principal
+          )
+        end
         URI.join(base_url, @callback_uri).to_s
       end
 
@@ -272,6 +341,15 @@ module Google
       def uri_is_postmessage? uri
         uri.to_s.casecmp("postmessage").zero?
       end
+
+      def generate_code_challenge code_verifier
+        digest = Digest::SHA256.digest code_verifier
+        Base64.urlsafe_encode64 digest, padding: false
+      end
+
+      def code_challenge_method
+        "S256"
+      end
     end
   end
 end

data/lib/googleauth/user_refresh.rb

@@ -12,9 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "googleauth/signet"
 require "googleauth/credentials_loader"
+require "googleauth/errors"
 require "googleauth/scope_util"
+require "googleauth/signet"
 require "multi_json"
 
 module Google
@@ -40,7 +41,7 @@ module Google
 
       # Create a UserRefreshCredentials.
       #
-      # @param json_key_io [IO] an IO from which the JSON key can be read
+      # @param json_key_io [IO] An IO object containing the JSON key
       # @param scope [string|array|nil] the scope(s) to access
       def self.make_creds options = {}
         json_key_io, scope = options.values_at :json_key_io, :scope
@@ -50,7 +51,8 @@ module Google
           "client_secret" => ENV[CredentialsLoader::CLIENT_SECRET_VAR],
           "refresh_token" => ENV[CredentialsLoader::REFRESH_TOKEN_VAR],
           "project_id"    => ENV[CredentialsLoader::PROJECT_ID_VAR],
-          "quota_project_id" => nil
+          "quota_project_id" => nil,
+          "universe_domain" => nil
         }
         new(token_credential_uri: TOKEN_CRED_URI,
             client_id:            user_creds["client_id"],
@@ -58,17 +60,21 @@ module Google
             refresh_token:        user_creds["refresh_token"],
             project_id:           user_creds["project_id"],
             quota_project_id:     user_creds["quota_project_id"],
-            scope:                scope)
+            scope:                scope,
+            universe_domain:      user_creds["universe_domain"] || "googleapis.com")
           .configure_connection(options)
       end
 
-      # Reads the client_id, client_secret and refresh_token fields from the
-      # JSON key.
+      # Reads a JSON key from an IO object and extracts required fields.
+      #
+      # @param [IO] json_key_io An IO object containing the JSON key
+      # @return [Hash] The parsed JSON key
+      # @raise [Google::Auth::InitializationError] If the JSON is missing required fields
       def self.read_json_key json_key_io
         json_key = MultiJson.load json_key_io.read
         wanted = ["client_id", "client_secret", "refresh_token"]
         wanted.each do |key|
-          raise "the json is missing the #{key} field" unless json_key.key? key
+          raise InitializationError, "the json is missing the #{key} field" unless json_key.key? key
         end
         json_key
       end
@@ -83,7 +89,31 @@ module Google
         super options
       end
 
+      # Creates a duplicate of these credentials
+      # without the Signet::OAuth2::Client-specific
+      # transient state (e.g. cached tokens)
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized in addition to keys in the
+      #   Signet::OAuth2::Client
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #     during the authentication
+      def duplicate options = {}
+        options = deep_hash_normalize options
+        super(
+          {
+            project_id: @project_id,
+            quota_project_id: @quota_project_id
+          }.merge(options)
+        )
+      end
+
       # Revokes the credential
+      #
+      # @param [Hash] options Options for revoking the credential
+      # @option options [Faraday::Connection] :connection The connection to use
+      # @raise [Google::Auth::AuthorizationError] If the revocation request fails
       def revoke! options = {}
         c = options[:connection] || Faraday.default_connection
 
@@ -95,8 +125,11 @@ module Google
             self.refresh_token = nil
             self.expires_at = 0
           else
-            raise(Signet::AuthorizationError,
-                  "Unexpected error code #{resp.status}")
+            raise AuthorizationError.with_details(
+              "Unexpected error code #{resp.status}",
+              credential_type_name: self.class.name,
+              principal: principal
+            )
           end
         end
       end
@@ -112,6 +145,36 @@ module Google
                         Google::Auth::ScopeUtil.normalize(scope)
         missing_scope.empty?
       end
+
+      # Destructively updates these credentials
+      #
+      # This method is called by `Signet::OAuth2::Client`'s constructor
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized in addition to keys in the
+      #   Signet::OAuth2::Client
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #     during the authentication
+      # @return [Google::Auth::UserRefreshCredentials]
+      def update! options = {}
+        # Normalize all keys to symbols to allow indifferent access.
+        options = deep_hash_normalize options
+
+        @project_id = options[:project_id] if options.key? :project_id
+        @quota_project_id = options[:quota_project_id] if options.key? :quota_project_id
+
+        super(options)
+
+        self
+      end
+
+      # Returns the client ID as the principal for user refresh credentials
+      # @private
+      # @return [String, Symbol] the client ID or :user_refresh if not available
+      def principal
+        @client_id || :user_refresh
+      end
     end
   end
 end

data/lib/googleauth/version.rb

@@ -16,6 +16,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "1.8.0".freeze
+    VERSION = "1.15.0".freeze
   end
 end