googleauth 1.8.1 → 1.13.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 37795e56189392a97d5941b4982730ffa2ee1dd53ec63593bbb7f5ad50be044e
-  data.tar.gz: 72d6b584c89c321698485bda1e4aef33f361ed35da4762bd22b5dc4634556f8f
+  metadata.gz: 6d8ca5b2b0c7f4ce54f7971d8de2f23f3ee0837d08d7d3c568c503308fcf82ab
+  data.tar.gz: d5f8b8fd2fcb4fef4240db58bf90f54a8bfd021c550a7bc9063c9087285f3921
 SHA512:
-  metadata.gz: 1dcfc8f1e8e65f9b4b27c4933e71faffd2998d11766307cf464d0551d5f37e41c266e840a340a9aba41d49f44d05005006077526851b1b33e277ce3155d16370
-  data.tar.gz: f036b3403998c93f41eae33c472ad714758e6c6d06e9a1b197b53d118d182c2abb9caf40636ff63c152e2186642430de824e7929dcd2978cd358a5bd03194c1c
+  metadata.gz: 6a4de2b23f4dc0310a18568e0618c5d81fad54dfc8d57fe3c27b954c4bd21272fcc467c2c313f98f80fa127eab11ebe0d0fc55ceed7e6c5439764500e334df49
+  data.tar.gz: f4aff68138105ea19875bb7a51d4b6ced9ec2e7185ce725eca205ea1dc11beb9e6019c9dd89449866598ca6e4d3abb06b91f277f34e51ac7726d79a39fc40c67

data/CHANGELOG.md

@@ -1,5 +1,87 @@
 # Release History
 
+### 1.13.1 (2025-01-24)
+
+#### Bug Fixes
+
+* Signet client subclasses no longer make the update! method private ([#516](https://github.com/googleapis/google-auth-library-ruby/issues/516)) 
+
+### 1.13.0 (2025-01-22)
+
+#### Features
+
+* create impersonated service credentials ([#499](https://github.com/googleapis/google-auth-library-ruby/issues/499)) 
+#### Documentation
+
+* Include note about validating externally-provided credentials ([#512](https://github.com/googleapis/google-auth-library-ruby/issues/512)) 
+
+### 1.12.2 (2024-12-19)
+
+#### Bug Fixes
+
+* GCECredentials lazily fetches from the metadata server to ensure a universe domain is known ([#509](https://github.com/googleapis/google-auth-library-ruby/issues/509)) 
+
+### 1.12.1 (2024-12-17)
+
+#### Bug Fixes
+
+* Restored previous behavior where the apply! method returns the auth header ([#506](https://github.com/googleapis/google-auth-library-ruby/issues/506)) 
+
+### 1.12.0 (2024-12-05)
+
+#### Features
+
+* provided opt-in debug logging ([#490](https://github.com/googleapis/google-auth-library-ruby/issues/490)) 
+
+### 1.11.2 (2024-10-23)
+
+#### Bug Fixes
+
+* Temporarily disable universe domain query from GCE metadata server ([#493](https://github.com/googleapis/google-auth-library-ruby/issues/493)) 
+* Use updated metadata path for universe-domain ([#496](https://github.com/googleapis/google-auth-library-ruby/issues/496)) 
+
+### 1.11.1 (2024-10-04)
+
+#### Bug Fixes
+
+* Fixed parsing of expiration timestamp from ID tokens ([#492](https://github.com/googleapis/google-auth-library-ruby/issues/492)) 
+* Use NoMethodError instead of NotImplementedError for unimplemented base class methods ([#487](https://github.com/googleapis/google-auth-library-ruby/issues/487)) 
+
+### 1.11.0 (2024-02-09)
+
+#### Features
+
+* Deprecate the positional argument for callback_uri, and introduce keyword argument instead ([#475](https://github.com/googleapis/google-auth-library-ruby/issues/475)) 
+
+### 1.10.0 (2024-02-08)
+
+#### Features
+
+* add PKCE to 3 Legged OAuth exchange ([#471](https://github.com/googleapis/google-auth-library-ruby/issues/471)) 
+#### Bug Fixes
+
+* Client library credentials provide correct self-signed JWT and external account behavior when loading from a file path or JSON data ([#474](https://github.com/googleapis/google-auth-library-ruby/issues/474)) 
+* Prioritize universe domain specified in GCECredentials arguments over metadata-fetched value ([#472](https://github.com/googleapis/google-auth-library-ruby/issues/472)) 
+
+### 1.9.2 (2024-01-25)
+
+#### Bug Fixes
+
+* Prevent access tokens from being fetched at service account construction in the self-signed-jwt case ([#467](https://github.com/googleapis/google-auth-library-ruby/issues/467)) 
+
+### 1.9.1 (2023-12-12)
+
+#### Bug Fixes
+
+* update expires_in for cached metadata-retrieved tokens ([#464](https://github.com/googleapis/google-auth-library-ruby/issues/464)) 
+
+### 1.9.0 (2023-12-07)
+
+#### Features
+
+* Include universe_domain in credentials ([#460](https://github.com/googleapis/google-auth-library-ruby/issues/460)) 
+* Use google-cloud-env for more robust Metadata Service access ([#459](https://github.com/googleapis/google-auth-library-ruby/issues/459)) 
+
 ### 1.8.1 (2023-09-19)
 
 #### Documentation

data/README.md

@@ -64,6 +64,15 @@ well as a web variant tailored toward Rack-based applications.
 The authorizers are intended for authorization use cases. For sign-on,
 see [Google Identity Platform](https://developers.google.com/identity/)
 
+## Important notes
+
+If you accept a credential configuration (credential JSON/File/Stream) from an
+external source for authentication to Google Cloud, you must validate it before
+providing it to any Google API or library. Providing an unvalidated credential
+configuration to Google APIs can compromise the security of your systems and data.
+For more information, refer to [Validate credential configurations from external
+sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+
 ### Example (Web)
 
 ```ruby
@@ -97,6 +106,45 @@ get('/oauth2callback') do
 end
 ```
 
+### Example (Web with PKCE)
+
+Proof Key for Code Exchange (PKCE) is an [RFC](https://www.rfc-editor.org/rfc/rfc7636) that aims to prevent malicious operating system processes from hijacking an OAUTH 2.0 exchange. PKCE mitigates the above vulnerability by including `code_challenge` and `code_challenge_method` parameters in the Authorization Request and a `code_verifier` parameter in the Access Token Request.
+
+```ruby
+require 'googleauth'
+require 'googleauth/web_user_authorizer'
+require 'googleauth/stores/redis_token_store'
+require 'redis'
+
+client_id = Google::Auth::ClientId.from_file('/path/to/client_secrets.json')
+scope = ['https://www.googleapis.com/auth/drive']
+token_store = Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new)
+authorizer = Google::Auth::WebUserAuthorizer.new(
+  client_id, scope, token_store, '/oauth2callback')
+
+
+get('/authorize') do
+  # NOTE: Assumes the user is already authenticated to the app
+  user_id = request.session['user_id']
+  # User needs to take care of generating the code_verifier and storing it in
+  # the session.
+  request.session['code_verifier'] ||= Google::Auth::WebUserAuthorizer.generate_code_verifier
+  authorizer.code_verifier = request.session['code_verifier']
+  credentials = authorizer.get_credentials(user_id, request)
+  if credentials.nil?
+    redirect authorizer.get_authorization_url(login_hint: user_id, request: request)
+  end
+  # Credentials are valid, can call APIs
+  # ...
+end
+
+get('/oauth2callback') do
+  target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(
+    request)
+  redirect target_url
+end
+```
+
 ### Example (Command Line) [Deprecated]
 
 The Google Auth OOB flow has been discontiued on January 31, 2023. The OOB flow is a legacy flow that is no longer considered secure. To continue using Google Auth, please migrate your applications to a more secure flow. For more information on how to do this, please refer to this [OOB Migration](https://developers.google.com/identity/protocols/oauth2/resources/oob-migration) guide.

data/lib/googleauth/application_default.rb

@@ -55,11 +55,7 @@ module Google
               DefaultCredentials.from_well_known_path(scope, options) ||
               DefaultCredentials.from_system_default_path(scope, options)
       return creds unless creds.nil?
-      unless GCECredentials.on_gce? options
-        # Clear cache of the result of GCECredentials.on_gce?
-        GCECredentials.reset_cache
-        raise NOT_FOUND_ERROR
-      end
+      raise NOT_FOUND_ERROR unless GCECredentials.on_gce? options
       GCECredentials.new options.merge(scope: scope)
     end
   end

data/lib/googleauth/base_client.rb

@@ -12,6 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+require "google/logging/message"
+
 module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
@@ -29,7 +31,14 @@ module Google
         # fetch the access token there is currently not one, or if the client
         # has expired
         fetch_access_token! opts if needs_access_token?
-        a_hash[AUTH_METADATA_KEY] = "Bearer #{send token_type}"
+        token = send token_type
+        a_hash[AUTH_METADATA_KEY] = "Bearer #{token}"
+        logger&.debug do
+          hash = Digest::SHA256.hexdigest token
+          Google::Logging::Message.from message: "Sending auth token. (sha256:#{hash})"
+        end
+
+        a_hash[AUTH_METADATA_KEY]
       end
 
       # Returns a clone of a_hash updated with the authentication token
@@ -63,17 +72,20 @@ module Google
       end
 
       def expires_within?
-        raise NotImplementedError
+        raise NoMethodError, "expires_within? not implemented"
       end
 
+      # The logger used to log operations on this client, such as token refresh.
+      attr_accessor :logger
+
       private
 
       def token_type
-        raise NotImplementedError
+        raise NoMethodError, "token_type not implemented"
       end
 
       def fetch_access_token!
-        raise NotImplementedError
+        raise NoMethodError, "fetch_access_token! not implemented"
       end
     end
   end

data/lib/googleauth/compute_engine.rb

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "faraday"
+require "google-cloud-env"
 require "googleauth/signet"
 
 module Google
@@ -33,94 +33,230 @@ module Google
     # Extends Signet::OAuth2::Client so that the auth token is obtained from
     # the GCE metadata server.
     class GCECredentials < Signet::OAuth2::Client
-      # The IP Address is used in the URIs to speed up failures on non-GCE
-      # systems.
+      # @private Unused and deprecated but retained to prevent breaking changes
       DEFAULT_METADATA_HOST = "169.254.169.254".freeze
 
-      # @private Unused and deprecated
+      # @private Unused and deprecated but retained to prevent breaking changes
       COMPUTE_AUTH_TOKEN_URI =
         "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze
-      # @private Unused and deprecated
+      # @private Unused and deprecated but retained to prevent breaking changes
       COMPUTE_ID_TOKEN_URI =
         "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity".freeze
-      # @private Unused and deprecated
+      # @private Unused and deprecated but retained to prevent breaking changes
       COMPUTE_CHECK_URI = "http://169.254.169.254".freeze
 
-      @on_gce_cache = {}
-
       class << self
+        # @private Unused and deprecated
         def metadata_host
           ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST
         end
 
+        # @private Unused and deprecated
         def compute_check_uri
           "http://#{metadata_host}".freeze
         end
 
+        # @private Unused and deprecated
         def compute_auth_token_uri
           "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/token".freeze
         end
 
+        # @private Unused and deprecated
         def compute_id_token_uri
           "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/identity".freeze
         end
 
         # Detect if this appear to be a GCE instance, by checking if metadata
         # is available.
-        def on_gce? options = {}, reload = false # rubocop:disable Style/OptionalBooleanParameter
-          # We can follow OptionalBooleanParameter here because it's a public interface, we can't change it.
-          @on_gce_cache.delete options if reload
-          @on_gce_cache.fetch options do
-            @on_gce_cache[options] = begin
-              # TODO: This should use google-cloud-env instead.
-              c = options[:connection] || Faraday.default_connection
-              headers = { "Metadata-Flavor" => "Google" }
-              resp = c.get compute_check_uri, nil, headers do |req|
-                req.options.timeout = 1.0
-                req.options.open_timeout = 0.1
-              end
-              return false unless resp.status == 200
-              resp.headers["Metadata-Flavor"] == "Google"
-            rescue Faraday::TimeoutError, Faraday::ConnectionFailed
-              false
-            end
-          end
+        # The parameters are deprecated and unused.
+        def on_gce? _options = {}, _reload = false # rubocop:disable Style/OptionalBooleanParameter
+          Google::Cloud.env.metadata?
         end
 
         def reset_cache
-          @on_gce_cache.clear
+          Google::Cloud.env.compute_metadata.reset_existence!
+          Google::Cloud.env.compute_metadata.cache.expire_all!
         end
         alias unmemoize_all reset_cache
       end
 
+      # @private Temporary; remove when universe domain metadata endpoint is stable (see b/349488459).
+      attr_accessor :disable_universe_domain_check
+
+      # Construct a GCECredentials
+      def initialize options = {}
+        # Override the constructor to remember whether the universe domain was
+        # overridden by a constructor argument.
+        @universe_domain_overridden = options["universe_domain"] || options[:universe_domain] ? true : false
+        # TODO: Remove when universe domain metadata endpoint is stable (see b/349488459).
+        @disable_universe_domain_check = true
+        super options
+      end
+
+      # Creates a duplicate of these credentials
+      # without the Signet::OAuth2::Client-specific
+      # transient state (e.g. cached tokens)
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized in addition to keys in the
+      #   Signet::OAuth2::Client
+      #   * `:universe_domain_overridden` Whether the universe domain was
+      #     overriden during credentials creation
+      def duplicate options = {}
+        options = deep_hash_normalize options
+        super(
+          {
+            universe_domain_overridden: @universe_domain_overridden
+          }.merge(options)
+        )
+      end
+
+      # @private
+      # Overrides universe_domain getter to fetch lazily if it hasn't been
+      # fetched yet. This is necessary specifically for Compute Engine because
+      # the universe comes from the metadata service, and isn't known
+      # immediately on credential construction. All other credential types read
+      # the universe from their json key or other immediate input.
+      def universe_domain
+        value = super
+        return value unless value.nil?
+        fetch_access_token!
+        super
+      end
+
       # Overrides the super class method to change how access tokens are
       # fetched.
-      def fetch_access_token options = {}
-        c = options[:connection] || Faraday.default_connection
-        retry_with_error do
-          uri = target_audience ? GCECredentials.compute_id_token_uri : GCECredentials.compute_auth_token_uri
-          query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
-          query[:scopes] = Array(scope).join "," if scope
-          resp = c.get uri, query, "Metadata-Flavor" => "Google"
+      def fetch_access_token _options = {}
+        query, entry =
+          if token_type == :id_token
+            [{ "audience" => target_audience, "format" => "full" }, "service-accounts/default/identity"]
+          else
+            [{}, "service-accounts/default/token"]
+          end
+        query[:scopes] = Array(scope).join "," if scope
+        begin
+          log_fetch_query
+          resp = Google::Cloud.env.lookup_metadata_response "instance", entry, query: query
+          log_fetch_resp resp
           case resp.status
           when 200
-            content_type = resp.headers["content-type"]
-            if ["text/html", "application/text"].include? content_type
-              { (target_audience ? "id_token" : "access_token") => resp.body }
-            else
-              Signet::OAuth2.parse_credentials resp.body, content_type
-            end
+            build_token_hash resp.body, resp.headers["content-type"], resp.retrieval_monotonic_time
           when 403, 500
-            msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
-            raise Signet::UnexpectedStatusError, msg
+            raise Signet::UnexpectedStatusError, "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
           when 404
             raise Signet::AuthorizationError, NO_METADATA_SERVER_ERROR
           else
-            msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
-            raise Signet::AuthorizationError, msg
+            raise Signet::AuthorizationError, "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
           end
+        rescue Google::Cloud::Env::MetadataServerNotResponding => e
+          log_fetch_err e
+          raise Signet::AuthorizationError, e.message
         end
       end
+
+      # Destructively updates these credentials.
+      #
+      # This method is called by `Signet::OAuth2::Client`'s constructor
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized in addition to keys in the
+      #   Signet::OAuth2::Client
+      #   * `:universe_domain_overridden` Whether the universe domain was
+      #     overriden during credentials creation
+      # @return [Google::Auth::GCECredentials]
+      def update! options = {}
+        # Normalize all keys to symbols to allow indifferent access.
+        options = deep_hash_normalize options
+
+        @universe_domain_overridden = options[:universe_domain_overridden] if options.key? :universe_domain_overridden
+
+        super(options)
+
+        self
+      end
+
+      private
+
+      def log_fetch_query
+        if token_type == :id_token
+          logger&.info do
+            Google::Logging::Message.from(
+              message: "Requesting id token from MDS with aud=#{target_audience}",
+              "credentialsId" => object_id
+            )
+          end
+        else
+          logger&.info do
+            Google::Logging::Message.from(
+              message: "Requesting access token from MDS",
+              "credentialsId" => object_id
+            )
+          end
+        end
+      end
+
+      def log_fetch_resp resp
+        logger&.info do
+          Google::Logging::Message.from(
+            message: "Received #{resp.status} from MDS",
+            "credentialsId" => object_id
+          )
+        end
+      end
+
+      def log_fetch_err _err
+        logger&.info do
+          Google::Logging::Message.from(
+            message: "MDS did not respond to token request",
+            "credentialsId" => object_id
+          )
+        end
+      end
+
+      def build_token_hash body, content_type, retrieval_time
+        hash =
+          if ["text/html", "application/text"].include? content_type
+            parse_encoded_token body
+          else
+            Signet::OAuth2.parse_credentials body, content_type
+          end
+        add_universe_domain_to hash
+        adjust_for_stale_expires_in hash, retrieval_time
+        hash
+      end
+
+      def parse_encoded_token body
+        hash = { token_type.to_s => body }
+        if token_type == :id_token
+          expires_at = expires_at_from_id_token body
+          hash["expires_at"] = expires_at if expires_at
+        end
+        hash
+      end
+
+      def add_universe_domain_to hash
+        return if @universe_domain_overridden
+        universe_domain =
+          if disable_universe_domain_check
+            # TODO: Remove when universe domain metadata endpoint is stable (see b/349488459).
+            "googleapis.com"
+          else
+            Google::Cloud.env.lookup_metadata "universe", "universe-domain"
+          end
+        universe_domain = "googleapis.com" if !universe_domain || universe_domain.empty?
+        hash["universe_domain"] = universe_domain.strip
+      end
+
+      # The response might have been cached, which means expires_in might be
+      # stale. Update it based on the time since the data was retrieved.
+      # We also ensure expires_in is conservative; subtracting at least 1
+      # second to offset any skew from metadata server latency.
+      def adjust_for_stale_expires_in hash, retrieval_time
+        return unless hash["expires_in"].is_a? Numeric
+        offset = 1 + (Process.clock_gettime(Process::CLOCK_MONOTONIC) - retrieval_time).round
+        hash["expires_in"] -= offset if offset.positive?
+        hash["expires_in"] = 0 if hash["expires_in"].negative?
+      end
     end
   end
 end