googleauth 1.8.1 → 1.9.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 37795e56189392a97d5941b4982730ffa2ee1dd53ec63593bbb7f5ad50be044e
-  data.tar.gz: 72d6b584c89c321698485bda1e4aef33f361ed35da4762bd22b5dc4634556f8f
+  metadata.gz: '089cb78f4121da1e8502eb258e106d161b72642f1d4aeb9959ea605197dba5d9'
+  data.tar.gz: a93423d64db3c8e0fb55807586befc3d13480c43e17b4a8cbd37704f95d12fa7
 SHA512:
-  metadata.gz: 1dcfc8f1e8e65f9b4b27c4933e71faffd2998d11766307cf464d0551d5f37e41c266e840a340a9aba41d49f44d05005006077526851b1b33e277ce3155d16370
-  data.tar.gz: f036b3403998c93f41eae33c472ad714758e6c6d06e9a1b197b53d118d182c2abb9caf40636ff63c152e2186642430de824e7929dcd2978cd358a5bd03194c1c
+  metadata.gz: 1d3513b20df2ec263c7f7db1a14421d4fef63fdaf836cbad78c62b22bf8399bd6ed7a830ba8548ffa197e6a7279eb0f8aaab65379c7cf1b4612a494e9a83a8ec
+  data.tar.gz: 8ee1b859360348eded906242f44e7a7d58841a864e195f34b0726c2aba660e6c10ae07e27d3d2a4517e1756b5ff989e449aad0965419995b4f2bc58ad45ae597

data/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Release History
 
+### 1.9.2 (2024-01-25)
+
+#### Bug Fixes
+
+* Prevent access tokens from being fetched at service account construction in the self-signed-jwt case ([#467](https://github.com/googleapis/google-auth-library-ruby/issues/467)) 
+
+### 1.9.1 (2023-12-12)
+
+#### Bug Fixes
+
+* update expires_in for cached metadata-retrieved tokens ([#464](https://github.com/googleapis/google-auth-library-ruby/issues/464)) 
+
+### 1.9.0 (2023-12-07)
+
+#### Features
+
+* Include universe_domain in credentials ([#460](https://github.com/googleapis/google-auth-library-ruby/issues/460)) 
+* Use google-cloud-env for more robust Metadata Service access ([#459](https://github.com/googleapis/google-auth-library-ruby/issues/459)) 
+
 ### 1.8.1 (2023-09-19)
 
 #### Documentation

data/lib/googleauth/application_default.rb

@@ -55,11 +55,7 @@ module Google
               DefaultCredentials.from_well_known_path(scope, options) ||
               DefaultCredentials.from_system_default_path(scope, options)
       return creds unless creds.nil?
-      unless GCECredentials.on_gce? options
-        # Clear cache of the result of GCECredentials.on_gce?
-        GCECredentials.reset_cache
-        raise NOT_FOUND_ERROR
-      end
+      raise NOT_FOUND_ERROR unless GCECredentials.on_gce? options
       GCECredentials.new options.merge(scope: scope)
     end
   end

data/lib/googleauth/compute_engine.rb

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "faraday"
+require "google-cloud-env"
 require "googleauth/signet"
 
 module Google
@@ -33,83 +33,69 @@ module Google
     # Extends Signet::OAuth2::Client so that the auth token is obtained from
     # the GCE metadata server.
     class GCECredentials < Signet::OAuth2::Client
-      # The IP Address is used in the URIs to speed up failures on non-GCE
-      # systems.
+      # @private Unused and deprecated but retained to prevent breaking changes
       DEFAULT_METADATA_HOST = "169.254.169.254".freeze
 
-      # @private Unused and deprecated
+      # @private Unused and deprecated but retained to prevent breaking changes
       COMPUTE_AUTH_TOKEN_URI =
         "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze
-      # @private Unused and deprecated
+      # @private Unused and deprecated but retained to prevent breaking changes
       COMPUTE_ID_TOKEN_URI =
         "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity".freeze
-      # @private Unused and deprecated
+      # @private Unused and deprecated but retained to prevent breaking changes
       COMPUTE_CHECK_URI = "http://169.254.169.254".freeze
 
-      @on_gce_cache = {}
-
       class << self
+        # @private Unused and deprecated
         def metadata_host
           ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST
         end
 
+        # @private Unused and deprecated
         def compute_check_uri
           "http://#{metadata_host}".freeze
         end
 
+        # @private Unused and deprecated
         def compute_auth_token_uri
           "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/token".freeze
         end
 
+        # @private Unused and deprecated
         def compute_id_token_uri
           "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/identity".freeze
         end
 
         # Detect if this appear to be a GCE instance, by checking if metadata
         # is available.
-        def on_gce? options = {}, reload = false # rubocop:disable Style/OptionalBooleanParameter
-          # We can follow OptionalBooleanParameter here because it's a public interface, we can't change it.
-          @on_gce_cache.delete options if reload
-          @on_gce_cache.fetch options do
-            @on_gce_cache[options] = begin
-              # TODO: This should use google-cloud-env instead.
-              c = options[:connection] || Faraday.default_connection
-              headers = { "Metadata-Flavor" => "Google" }
-              resp = c.get compute_check_uri, nil, headers do |req|
-                req.options.timeout = 1.0
-                req.options.open_timeout = 0.1
-              end
-              return false unless resp.status == 200
-              resp.headers["Metadata-Flavor"] == "Google"
-            rescue Faraday::TimeoutError, Faraday::ConnectionFailed
-              false
-            end
-          end
+        # The parameters are deprecated and unused.
+        def on_gce? _options = {}, _reload = false # rubocop:disable Style/OptionalBooleanParameter
+          Google::Cloud.env.metadata?
         end
 
         def reset_cache
-          @on_gce_cache.clear
+          Google::Cloud.env.compute_metadata.reset_existence!
+          Google::Cloud.env.compute_metadata.cache.expire_all!
         end
         alias unmemoize_all reset_cache
       end
 
       # Overrides the super class method to change how access tokens are
       # fetched.
-      def fetch_access_token options = {}
-        c = options[:connection] || Faraday.default_connection
-        retry_with_error do
-          uri = target_audience ? GCECredentials.compute_id_token_uri : GCECredentials.compute_auth_token_uri
-          query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
-          query[:scopes] = Array(scope).join "," if scope
-          resp = c.get uri, query, "Metadata-Flavor" => "Google"
+      def fetch_access_token _options = {}
+        if token_type == :id_token
+          query = { "audience" => target_audience, "format" => "full" }
+          entry = "service-accounts/default/identity"
+        else
+          query = {}
+          entry = "service-accounts/default/token"
+        end
+        query[:scopes] = Array(scope).join "," if scope
+        begin
+          resp = Google::Cloud.env.lookup_metadata_response "instance", entry, query: query
           case resp.status
           when 200
-            content_type = resp.headers["content-type"]
-            if ["text/html", "application/text"].include? content_type
-              { (target_audience ? "id_token" : "access_token") => resp.body }
-            else
-              Signet::OAuth2.parse_credentials resp.body, content_type
-            end
+            build_token_hash resp.body, resp.headers["content-type"], resp.retrieval_monotonic_time
           when 403, 500
             msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
             raise Signet::UnexpectedStatusError, msg
@@ -119,7 +105,33 @@ module Google
             msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
             raise Signet::AuthorizationError, msg
           end
+        rescue Google::Cloud::Env::MetadataServerNotResponding => e
+          raise Signet::AuthorizationError, e.message
+        end
+      end
+
+      private
+
+      def build_token_hash body, content_type, retrieval_time
+        hash =
+          if ["text/html", "application/text"].include? content_type
+            { token_type.to_s => body }
+          else
+            Signet::OAuth2.parse_credentials body, content_type
+          end
+        universe_domain = Google::Cloud.env.lookup_metadata "universe", "universe_domain"
+        universe_domain = "googleapis.com" if !universe_domain || universe_domain.empty?
+        hash["universe_domain"] = universe_domain.strip
+        # The response might have been cached, which means expires_in might be
+        # stale. Update it based on the time since the data was retrieved.
+        # We also ensure expires_in is conservative; subtracting at least 1
+        # second to offset any skew from metadata server latency.
+        if hash["expires_in"].is_a? Numeric
+          offset = 1 + (Process.clock_gettime(Process::CLOCK_MONOTONIC) - retrieval_time).round
+          hash["expires_in"] -= offset if offset.positive?
+          hash["expires_in"] = 0 if hash["expires_in"].negative?
         end
+        hash
       end
     end
   end

data/lib/googleauth/credentials.rb

@@ -259,7 +259,7 @@ module Google
       # @return [Object] The value
       #
       def self.lookup_auth_param name, method_name = name
-        val = instance_variable_get "@#{name}".to_sym
+        val = instance_variable_get :"@#{name}"
         val = yield if val.nil? && block_given?
         return val unless val.nil?
         return superclass.send method_name if superclass.respond_to? method_name
@@ -328,9 +328,13 @@ module Google
       #   @return [Proc] Returns a reference to the {Signet::OAuth2::Client#apply} method,
       #     suitable for passing as a closure.
       #
+      # @!attribute [rw] universe_domain
+      #   @return [String] The universe domain issuing these credentials.
+      #
       def_delegators :@client,
                      :token_credential_uri, :audience,
-                     :scope, :issuer, :signing_key, :updater_proc, :target_audience
+                     :scope, :issuer, :signing_key, :updater_proc, :target_audience,
+                     :universe_domain, :universe_domain=
 
       ##
       # Creates a new Credentials instance with the provided auth credentials, and with the default
@@ -506,12 +510,15 @@ module Google
 
         needs_scope = options["target_audience"].nil?
         # client options for initializing signet client
-        { token_credential_uri: options["token_credential_uri"],
+        {
+          token_credential_uri: options["token_credential_uri"],
           audience:             options["audience"],
           scope:                (needs_scope ? Array(options["scope"]) : nil),
           target_audience:      options["target_audience"],
           issuer:               options["client_email"],
-          signing_key:          OpenSSL::PKey::RSA.new(options["private_key"]) }
+          signing_key:          OpenSSL::PKey::RSA.new(options["private_key"]),
+          universe_domain:      options["universe_domain"] || "googleapis.com"
+        }
       end
 
       # rubocop:enable Metrics/AbcSize
@@ -526,7 +533,7 @@ module Google
         hash = stringify_hash_keys hash
         hash["scope"] ||= options[:scope]
         hash["target_audience"] ||= options[:target_audience]
-        @project_id ||= (hash["project_id"] || hash["project"])
+        @project_id ||= hash["project_id"] || hash["project"]
         @quota_project_id ||= hash["quota_project_id"]
         @client = init_client hash, options
       end
@@ -536,7 +543,7 @@ module Google
         json = JSON.parse ::File.read(path)
         json["scope"] ||= options[:scope]
         json["target_audience"] ||= options[:target_audience]
-        @project_id ||= (json["project_id"] || json["project"])
+        @project_id ||= json["project_id"] || json["project"]
         @quota_project_id ||= json["quota_project_id"]
         @client = init_client json, options
       end

data/lib/googleauth/external_account/base_credentials.rb

@@ -42,6 +42,7 @@ module Google
 
         attr_reader :expires_at
         attr_accessor :access_token
+        attr_accessor :universe_domain
 
         def expires_within? seconds
           # This method is needed for BaseClient
@@ -85,8 +86,7 @@ module Google
         #     true if the credentials represent a workforce pool.
         #     false if they represent a workload.
         def is_workforce_pool?
-          pattern = "//iam\.googleapis\.com/locations/[^/]+/workforcePools/"
-          /#{pattern}/.match?(@audience || "")
+          %r{/iam\.googleapis\.com/locations/[^/]+/workforcePools/}.match?(@audience || "")
         end
 
         private
@@ -111,6 +111,7 @@ module Google
           @quota_project_id = options[:quota_project_id]
           @project_id = nil
           @workforce_pool_user_project = options[:workforce_pool_user_project]
+          @universe_domain = options[:universe_domain] || "googleapis.com"
 
           @expires_at = nil
           @access_token = nil

data/lib/googleauth/external_account.rb

@@ -73,7 +73,8 @@ module Google
               subject_token_type: user_creds[:subject_token_type],
               token_url: user_creds[:token_url],
               credential_source: user_creds[:credential_source],
-              service_account_impersonation_url: user_creds[:service_account_impersonation_url]
+              service_account_impersonation_url: user_creds[:service_account_impersonation_url],
+              universe_domain: user_creds[:universe_domain]
             )
           end
 

data/lib/googleauth/json_key_reader.rb

@@ -27,7 +27,8 @@ module Google
           json_key["private_key"],
           json_key["client_email"],
           json_key["project_id"],
-          json_key["quota_project_id"]
+          json_key["quota_project_id"],
+          json_key["universe_domain"]
         ]
       end
     end

data/lib/googleauth/service_account.rb

@@ -39,7 +39,11 @@ module Google
       attr_reader :quota_project_id
 
       def enable_self_signed_jwt?
-        @enable_self_signed_jwt
+        # Use a self-singed JWT if there's no information that can be used to
+        # obtain an OAuth token, OR if there are scopes but also an assertion
+        # that they are default scopes that shouldn't be used to fetch a token,
+        # OR we are not in the default universe and thus OAuth isn't supported.
+        target_audience.nil? && (scope.nil? || @enable_self_signed_jwt || universe_domain != "googleapis.com")
       end
 
       # Creates a ServiceAccountCredentials.
@@ -53,12 +57,13 @@ module Google
         raise ArgumentError, "Cannot specify both scope and target_audience" if scope && target_audience
 
         if json_key_io
-          private_key, client_email, project_id, quota_project_id = read_json_key json_key_io
+          private_key, client_email, project_id, quota_project_id, universe_domain = read_json_key json_key_io
         else
           private_key = unescape ENV[CredentialsLoader::PRIVATE_KEY_VAR]
           client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
           project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
           quota_project_id = nil
+          universe_domain = nil
         end
         project_id ||= CredentialsLoader.load_gcloud_project_id
 
@@ -70,7 +75,8 @@ module Google
             issuer:                 client_email,
             signing_key:            OpenSSL::PKey::RSA.new(private_key),
             project_id:             project_id,
-            quota_project_id:       quota_project_id)
+            quota_project_id:       quota_project_id,
+            universe_domain:        universe_domain || "googleapis.com")
           .configure_connection(options)
       end
 
@@ -93,16 +99,18 @@ module Google
       # Extends the base class to use a transient
       # ServiceAccountJwtHeaderCredentials for certain cases.
       def apply! a_hash, opts = {}
-        # Use a self-singed JWT if there's no information that can be used to
-        # obtain an OAuth token, OR if there are scopes but also an assertion
-        # that they are default scopes that shouldn't be used to fetch a token.
-        if target_audience.nil? && (scope.nil? || enable_self_signed_jwt?)
+        if enable_self_signed_jwt?
           apply_self_signed_jwt! a_hash
         else
           super
         end
       end
 
+      # Modifies this logic so it also requires self-signed-jwt to be disabled
+      def needs_access_token?
+        super && !enable_self_signed_jwt?
+      end
+
       private
 
       def apply_self_signed_jwt! a_hash
@@ -138,6 +146,7 @@ module Google
       extend JsonKeyReader
       attr_reader :project_id
       attr_reader :quota_project_id
+      attr_accessor :universe_domain
 
       # Create a ServiceAccountJwtHeaderCredentials.
       #
@@ -154,14 +163,16 @@ module Google
       def initialize options = {}
         json_key_io = options[:json_key_io]
         if json_key_io
-          @private_key, @issuer, @project_id, @quota_project_id =
+          @private_key, @issuer, @project_id, @quota_project_id, @universe_domain =
             self.class.read_json_key json_key_io
         else
           @private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
           @issuer = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
           @project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
           @quota_project_id = nil
+          @universe_domain = nil
         end
+        @universe_domain ||= "googleapis.com"
         @project_id ||= CredentialsLoader.load_gcloud_project_id
         @signing_key = OpenSSL::PKey::RSA.new @private_key
         @scope = options[:scope]
@@ -210,6 +221,11 @@ module Google
 
         JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
       end
+
+      # Duck-types the corresponding method from BaseClient
+      def needs_access_token?
+        false
+      end
     end
   end
 end

data/lib/googleauth/signet.rb

@@ -25,6 +25,15 @@ module Signet
     class Client
       include Google::Auth::BaseClient
 
+      alias update_token_signet_base update_token!
+
+      def update_token! options = {}
+        options = deep_hash_normalize options
+        update_token_signet_base options
+        self.universe_domain = options[:universe_domain] if options.key? :universe_domain
+        self
+      end
+
       def configure_connection options
         @connection_info =
           options[:connection_builder] || options[:default_connection]
@@ -36,6 +45,9 @@ module Signet
         target_audience ? :id_token : :access_token
       end
 
+      # Set the universe domain
+      attr_accessor :universe_domain
+
       alias orig_fetch_access_token! fetch_access_token!
       def fetch_access_token! options = {}
         unless options[:connection]

data/lib/googleauth/user_refresh.rb

@@ -50,7 +50,8 @@ module Google
           "client_secret" => ENV[CredentialsLoader::CLIENT_SECRET_VAR],
           "refresh_token" => ENV[CredentialsLoader::REFRESH_TOKEN_VAR],
           "project_id"    => ENV[CredentialsLoader::PROJECT_ID_VAR],
-          "quota_project_id" => nil
+          "quota_project_id" => nil,
+          "universe_domain" => nil
         }
         new(token_credential_uri: TOKEN_CRED_URI,
             client_id:            user_creds["client_id"],
@@ -58,7 +59,8 @@ module Google
             refresh_token:        user_creds["refresh_token"],
             project_id:           user_creds["project_id"],
             quota_project_id:     user_creds["quota_project_id"],
-            scope:                scope)
+            scope:                scope,
+            universe_domain:      user_creds["universe_domain"] || "googleapis.com")
           .configure_connection(options)
       end
 

data/lib/googleauth/version.rb

@@ -16,6 +16,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "1.8.1".freeze
+    VERSION = "1.9.2".freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth
 version: !ruby/object:Gem::Version
-  version: 1.8.1
+  version: 1.9.2
 platform: ruby
 authors:
 - Tim Emiola
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-09-20 00:00:00.000000000 Z
+date: 2024-01-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -16,7 +16,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.17.3
+        version: '1.0'
     - - "<"
       - !ruby/object:Gem::Version
         version: 3.a
@@ -26,10 +26,24 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.17.3
+        version: '1.0'
     - - "<"
       - !ruby/object:Gem::Version
         version: 3.a
+- !ruby/object:Gem::Dependency
+  name: google-cloud-env
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -165,14 +179,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.6'
+      version: '2.7'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.19
+rubygems_version: 3.5.3
 signing_key: 
 specification_version: 4
 summary: Google Auth Library for Ruby