googleauth 1.8.1 → 1.13.1

data/lib/googleauth/impersonated_service_account.rb

@@ -0,0 +1,282 @@
+# Copyright 2024 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "googleauth/signet"
+require "googleauth/base_client"
+require "googleauth/helpers/connection"
+
+module Google
+  module Auth
+    # Authenticates requests using impersonation from base credentials.
+    # This is a two-step process: first authentication claim from the base credentials is created
+    # and then that claim is exchanged for a short-lived token at an IAMCredentials endpoint.
+    # The short-lived token and its expiration time are cached.
+    class ImpersonatedServiceAccountCredentials
+      # @private
+      ERROR_SUFFIX = <<~ERROR.freeze
+        when trying to get security access token
+        from IAM Credentials endpoint using the credentials provided.
+      ERROR
+
+      # @private
+      IAM_SCOPE = ["https://www.googleapis.com/auth/iam".freeze].freeze
+
+      # BaseClient most importantly implements the `:updater_proc` getter,
+      # that returns a reference to an `apply!` method that updates
+      # a hash argument provided with the authorization header containing
+      # the access token (impersonation token in this case).
+      include Google::Auth::BaseClient
+
+      include Helpers::Connection
+
+      # @return [Object] The original authenticated credentials used to fetch short-lived impersonation access tokens
+      attr_reader :base_credentials
+
+      # @return [Object] The modified version of base credentials, tailored for impersonation purposes
+      #   with necessary scope adjustments
+      attr_reader :source_credentials
+
+      # @return [String] The URL endpoint used to generate an impersonation token. This URL should follow a specific
+      #   format to specify the impersonated service account.
+      attr_reader :impersonation_url
+
+      # @return [Array<String>, String] The scope(s) required for the impersonated access token,
+      #   indicating the permissions needed for the short-lived token
+      attr_reader :scope
+
+      # @return [String, nil] The short-lived impersonation access token, retrieved and cached
+      #   after making the impersonation request
+      attr_reader :access_token
+
+      # @return [Time, nil] The expiration time of the current access token, used to determine
+      #   if the token is still valid
+      attr_reader :expires_at
+
+      # Create a ImpersonatedServiceAccountCredentials
+      # When you use service account impersonation, you start with an authenticated principal
+      # (e.g. your user account or a service account)
+      # and request short-lived credentials for a service account
+      # that has the authorization that your use case requires.
+      #
+      # @param options [Hash] A hash of options to configure the credentials.
+      # @option options [Object] :base_credentials (required) The authenticated principal.
+      #   It will be used as following:
+      #   * will be duplicated (with IAM scope) to create the source credentials if it supports duplication
+      #   * as source credentials otherwise.
+      # @option options [String] :impersonation_url (required) The URL to impersonate the service account.
+      #   This URL should follow the format:
+      #   `https://iamcredentials.{universe_domain}/v1/projects/-/serviceAccounts/{source_sa_email}:generateAccessToken`,
+      #   where:
+      #     - `{universe_domain}` is the domain of the IAMCredentials API endpoint (e.g., `googleapis.com`).
+      #     - `{source_sa_email}` is the email address of the service account to impersonate.
+      # @option options [Array<String>, String] :scope (required) The scope(s) for the short-lived impersonation token,
+      #   defining the permissions required for the token.
+      # @option options [Object] :source_credentials The authenticated principal that will be used
+      #   to fetch the short-lived impersonation access token. It is an alternative to providing the base credentials.
+      #
+      # @return [Google::Auth::ImpersonatedServiceAccountCredentials]
+      def self.make_creds options = {}
+        new options
+      end
+
+      # Initializes a new instance of ImpersonatedServiceAccountCredentials.
+      #
+      # @param options [Hash] A hash of options to configure the credentials.
+      # @option options [Object] :base_credentials (required) The authenticated principal.
+      #   It will be used as following:
+      #   * will be duplicated (with IAM scope) to create the source credentials if it supports duplication
+      #   * as source credentials otherwise.
+      # @option options [String] :impersonation_url (required) The URL to impersonate the service account.
+      #   This URL should follow the format:
+      #   `https://iamcredentials.{universe_domain}/v1/projects/-/serviceAccounts/{source_sa_email}:generateAccessToken`,
+      #   where:
+      #     - `{universe_domain}` is the domain of the IAMCredentials API endpoint (e.g., `googleapis.com`).
+      #     - `{source_sa_email}` is the email address of the service account to impersonate.
+      # @option options [Array<String>, String] :scope (required) The scope(s) for the short-lived impersonation token,
+      #   defining the permissions required for the token.
+      # @option options [Object] :source_credentials The authenticated principal that will be used
+      #   to fetch the short-lived impersonation access token. It is an alternative to providing the base credentials.
+      #   It is redundant to provide both source and base credentials as only source will be used,
+      #   but it can be done, e.g. when duplicating existing credentials.
+      #
+      # @raise [ArgumentError] If any of the required options are missing.
+      #
+      # @return [Google::Auth::ImpersonatedServiceAccountCredentials]
+      def initialize options = {}
+        @base_credentials, @impersonation_url, @scope =
+          options.values_at :base_credentials,
+                            :impersonation_url,
+                            :scope
+
+        # Fail-fast checks for required parameters
+        if @base_credentials.nil? && !options.key?(:source_credentials)
+          raise ArgumentError, "Missing required option: either :base_credentials or :source_credentials"
+        end
+        raise ArgumentError, "Missing required option: :impersonation_url" if @impersonation_url.nil?
+        raise ArgumentError, "Missing required option: :scope" if @scope.nil?
+
+        # Some credentials (all Signet-based ones and this one) include scope and a bunch of transient state
+        # (e.g. refresh status) as part of themselves
+        # so a copy needs to be created with the scope overriden and transient state dropped.
+        #
+        # If a credentials does not support `duplicate` we'll try to use it as is assuming it has a broad enough scope.
+        # This might result in an "access denied" error downstream when the token from that credentials is being used
+        # for the token exchange.
+        @source_credentials = if options.key? :source_credentials
+                                options[:source_credentials]
+                              elsif @base_credentials.respond_to? :duplicate
+                                @base_credentials.duplicate({
+                                                              scope: IAM_SCOPE
+                                                            })
+                              else
+                                @base_credentials
+                              end
+      end
+
+      # Determines whether the current access token expires within the specified number of seconds.
+      #
+      # @param seconds [Integer] The number of seconds to check against the token's expiration time.
+      #
+      # @return [Boolean] Whether the access token expires within the given time frame
+      def expires_within? seconds
+        # This method is needed for BaseClient
+        @expires_at && @expires_at - Time.now.utc < seconds
+      end
+
+      # The universe domain of the impersonated credentials.
+      # Effectively this retrieves the universe domain of the source credentials.
+      #
+      # @return [String] The universe domain of the credentials.
+      def universe_domain
+        @source_credentials.universe_domain
+      end
+
+      # @return [Logger, nil] The logger of the credentials.
+      def logger
+        @source_credentials.logger if source_credentials.respond_to? :logger
+      end
+
+      # Creates a duplicate of these credentials without transient token state
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized
+      #   * `base_credentials` the base credentials used to initialize the impersonation
+      #   * `source_credentials` the authenticated credentials which usually would be
+      #     base credentials with scope overridden to IAM_SCOPE
+      #   * `impersonation_url` the URL to use to make an impersonation token exchange
+      #   * `scope` the scope(s) to access
+      #
+      # @return [Google::Auth::ImpersonatedServiceAccountCredentials]
+      def duplicate options = {}
+        options = deep_hash_normalize options
+
+        options = {
+          base_credentials: @base_credentials,
+          source_credentials: @source_credentials,
+          impersonation_url: @impersonation_url,
+          scope: @scope
+        }.merge(options)
+
+        self.class.new options
+      end
+
+      private
+
+      # Generates a new impersonation access token by exchanging the source credentials' token
+      # at the impersonation URL.
+      #
+      # This method first fetches an access token from the source credentials and then exchanges it
+      # for an impersonation token using the specified impersonation URL. The generated token and
+      # its expiration time are cached for subsequent use.
+      #
+      # @param _options [Hash] (optional) Additional options for token retrieval (currently unused).
+      #
+      # @raise [Signet::UnexpectedStatusError] If the response status is 403 or 500.
+      # @raise [Signet::AuthorizationError] For other unexpected response statuses.
+      #
+      # @return [String] The newly generated impersonation access token.
+      def fetch_access_token! _options = {}
+        auth_header = {}
+        auth_header = @source_credentials.updater_proc.call auth_header
+
+        resp = connection.post @impersonation_url do |req|
+          req.headers.merge! auth_header
+          req.headers["Content-Type"] = "application/json"
+          req.body = MultiJson.dump({ scope: @scope })
+        end
+
+        case resp.status
+        when 200
+          response = MultiJson.load resp.body
+          self.expires_at = response["expireTime"]
+          @access_token = response["accessToken"]
+          access_token
+        when 403, 500
+          msg = "Unexpected error code #{resp.status}.\n #{resp.env.response_body} #{ERROR_SUFFIX}"
+          raise Signet::UnexpectedStatusError, msg
+        else
+          msg = "Unexpected error code #{resp.status}.\n #{resp.env.response_body} #{ERROR_SUFFIX}"
+          raise Signet::AuthorizationError, msg
+        end
+      end
+
+      # Setter for the expires_at value that makes sure it is converted
+      # to Time object.
+      def expires_at= new_expires_at
+        @expires_at = normalize_timestamp new_expires_at
+      end
+
+      # Returns the type of token (access_token).
+      # This method is needed for BaseClient.
+      def token_type
+        :access_token
+      end
+
+      # Normalizes a timestamp to a Time object.
+      #
+      # @param time [Time, String, nil] The timestamp to normalize.
+      #
+      # @return [Time, nil] The normalized Time object, or nil if the input is nil.
+      #
+      # @raise [RuntimeError] If the input is not a Time, String, or nil.
+      def normalize_timestamp time
+        case time
+        when NilClass
+          nil
+        when Time
+          time
+        when String
+          Time.parse time
+        else
+          raise "Invalid time value #{time}"
+        end
+      end
+
+      # Convert all keys in this hash (nested) to symbols for uniform retrieval
+      def recursive_hash_normalize_keys val
+        if val.is_a? Hash
+          deep_hash_normalize val
+        else
+          val
+        end
+      end
+
+      def deep_hash_normalize old_hash
+        sym_hash = {}
+        old_hash&.each { |k, v| sym_hash[k.to_sym] = recursive_hash_normalize_keys v }
+        sym_hash
+      end
+    end
+  end
+end

data/lib/googleauth/json_key_reader.rb

@@ -27,7 +27,8 @@ module Google
           json_key["private_key"],
           json_key["client_email"],
           json_key["project_id"],
-          json_key["quota_project_id"]
+          json_key["quota_project_id"],
+          json_key["universe_domain"]
         ]
       end
     end

data/lib/googleauth/service_account.rb

@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+require "google/logging/message"
 require "googleauth/signet"
 require "googleauth/credentials_loader"
 require "googleauth/json_key_reader"
@@ -39,7 +40,11 @@ module Google
       attr_reader :quota_project_id
 
       def enable_self_signed_jwt?
-        @enable_self_signed_jwt
+        # Use a self-singed JWT if there's no information that can be used to
+        # obtain an OAuth token, OR if there are scopes but also an assertion
+        # that they are default scopes that shouldn't be used to fetch a token,
+        # OR we are not in the default universe and thus OAuth isn't supported.
+        target_audience.nil? && (scope.nil? || @enable_self_signed_jwt || universe_domain != "googleapis.com")
       end
 
       # Creates a ServiceAccountCredentials.
@@ -53,12 +58,13 @@ module Google
         raise ArgumentError, "Cannot specify both scope and target_audience" if scope && target_audience
 
         if json_key_io
-          private_key, client_email, project_id, quota_project_id = read_json_key json_key_io
+          private_key, client_email, project_id, quota_project_id, universe_domain = read_json_key json_key_io
         else
           private_key = unescape ENV[CredentialsLoader::PRIVATE_KEY_VAR]
           client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
           project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
           quota_project_id = nil
+          universe_domain = nil
         end
         project_id ||= CredentialsLoader.load_gcloud_project_id
 
@@ -70,10 +76,35 @@ module Google
             issuer:                 client_email,
             signing_key:            OpenSSL::PKey::RSA.new(private_key),
             project_id:             project_id,
-            quota_project_id:       quota_project_id)
+            quota_project_id:       quota_project_id,
+            universe_domain:        universe_domain || "googleapis.com")
           .configure_connection(options)
       end
 
+      # Creates a duplicate of these credentials
+      # without the Signet::OAuth2::Client-specific
+      # transient state (e.g. cached tokens)
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized in addition to keys in the
+      #   Signet::OAuth2::Client
+      #   * `:enable_self_signed_jwt` Whether the self-signed JWT should
+      #     be used for the authentication
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #     during the authentication
+      def duplicate options = {}
+        options = deep_hash_normalize options
+        super(
+          {
+            enable_self_signed_jwt: @enable_self_signed_jwt,
+            project_id: project_id,
+            quota_project_id: quota_project_id,
+            logger: logger
+          }.merge(options)
+        )
+      end
+
       # Handles certain escape sequences that sometimes appear in input.
       # Specifically, interprets the "\n" sequence for newline, and removes
       # enclosing quotes.
@@ -93,16 +124,44 @@ module Google
       # Extends the base class to use a transient
       # ServiceAccountJwtHeaderCredentials for certain cases.
       def apply! a_hash, opts = {}
-        # Use a self-singed JWT if there's no information that can be used to
-        # obtain an OAuth token, OR if there are scopes but also an assertion
-        # that they are default scopes that shouldn't be used to fetch a token.
-        if target_audience.nil? && (scope.nil? || enable_self_signed_jwt?)
+        if enable_self_signed_jwt?
           apply_self_signed_jwt! a_hash
         else
           super
         end
       end
 
+      # Modifies this logic so it also requires self-signed-jwt to be disabled
+      def needs_access_token?
+        super && !enable_self_signed_jwt?
+      end
+
+      # Destructively updates these credentials
+      #
+      # This method is called by `Signet::OAuth2::Client`'s constructor
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized in addition to keys in the
+      #   Signet::OAuth2::Client
+      #   * `:enable_self_signed_jwt` Whether the self-signed JWT should
+      #     be used for the authentication
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #     during the authentication
+      # @return [Google::Auth::ServiceAccountCredentials]
+      def update! options = {}
+        # Normalize all keys to symbols to allow indifferent access.
+        options = deep_hash_normalize options
+
+        @enable_self_signed_jwt = options[:enable_self_signed_jwt] ? true : false
+        @project_id = options[:project_id] if options.key? :project_id
+        @quota_project_id = options[:quota_project_id] if options.key? :quota_project_id
+
+        super(options)
+
+        self
+      end
+
       private
 
       def apply_self_signed_jwt! a_hash
@@ -115,6 +174,7 @@ module Google
         }
         key_io = StringIO.new MultiJson.dump(cred_json)
         alt = ServiceAccountJwtHeaderCredentials.make_creds json_key_io: key_io, scope: scope
+        alt.logger = logger
         alt.apply! a_hash
       end
     end
@@ -134,10 +194,14 @@ module Google
       TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
       SIGNING_ALGORITHM = "RS256".freeze
       EXPIRY = 60
+
       extend CredentialsLoader
       extend JsonKeyReader
+
       attr_reader :project_id
       attr_reader :quota_project_id
+      attr_accessor :universe_domain
+      attr_accessor :logger
 
       # Create a ServiceAccountJwtHeaderCredentials.
       #
@@ -154,17 +218,46 @@ module Google
       def initialize options = {}
         json_key_io = options[:json_key_io]
         if json_key_io
-          @private_key, @issuer, @project_id, @quota_project_id =
+          @private_key, @issuer, @project_id, @quota_project_id, @universe_domain =
             self.class.read_json_key json_key_io
         else
-          @private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
-          @issuer = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
-          @project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
-          @quota_project_id = nil
+          @private_key = options.key?(:private_key) ? options[:private_key] : ENV[CredentialsLoader::PRIVATE_KEY_VAR]
+          @issuer = options.key?(:issuer) ? options[:issuer] : ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
+          @project_id = options.key?(:project_id) ? options[:project_id] : ENV[CredentialsLoader::PROJECT_ID_VAR]
+          @quota_project_id = options[:quota_project_id] if options.key? :quota_project_id
+          @universe_domain = options[:universe_domain] if options.key? :universe_domain
         end
+        @universe_domain ||= "googleapis.com"
         @project_id ||= CredentialsLoader.load_gcloud_project_id
         @signing_key = OpenSSL::PKey::RSA.new @private_key
-        @scope = options[:scope]
+        @scope = options[:scope] if options.key? :scope
+        @logger = options[:logger] if options.key? :scope
+      end
+
+      # Creates a duplicate of these credentials
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized
+      #   * `private key` the private key in string form
+      #   * `issuer` the SA issuer
+      #   * `scope` the scope(s) to access
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #   * `universe_domain` the universe domain of the credentials
+      def duplicate options = {}
+        options = deep_hash_normalize options
+
+        options = {
+          private_key: @private_key,
+          issuer: @issuer,
+          scope: @scope,
+          project_id: project_id,
+          quota_project_id: quota_project_id,
+          universe_domain: universe_domain,
+          logger: logger
+        }.merge(options)
+
+        self.class.new options
       end
 
       # Construct a jwt token if the JWT_AUD_URI key is present in the input
@@ -176,10 +269,14 @@ module Google
         return a_hash if jwt_aud_uri.nil? && @scope.nil?
         jwt_token = new_jwt_token jwt_aud_uri, opts
         a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
+        logger&.debug do
+          hash = Digest::SHA256.hexdigest jwt_token
+          Google::Logging::Message.from message: "Sending JWT auth token. (sha256:#{hash})"
+        end
         a_hash
       end
 
-      # Returns a clone of a_hash updated with the authoriation header
+      # Returns a clone of a_hash updated with the authorization header
       def apply a_hash, opts = {}
         a_copy = a_hash.clone
         apply! a_copy, opts
@@ -208,8 +305,34 @@ module Google
         assertion["scope"] = Array(@scope).join " " if @scope
         assertion["aud"] = jwt_aud_uri if jwt_aud_uri
 
+        logger&.debug do
+          Google::Logging::Message.from message: "JWT assertion: #{assertion}"
+        end
+
         JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
       end
+
+      # Duck-types the corresponding method from BaseClient
+      def needs_access_token?
+        false
+      end
+
+      private
+
+      def deep_hash_normalize old_hash
+        sym_hash = {}
+        old_hash&.each { |k, v| sym_hash[k.to_sym] = recursive_hash_normalize_keys v }
+        sym_hash
+      end
+
+      # Convert all keys in this hash (nested) to symbols for uniform retrieval
+      def recursive_hash_normalize_keys val
+        if val.is_a? Hash
+          deep_hash_normalize val
+        else
+          val
+        end
+      end
     end
   end
 end