googleauth 1.9.1 → 1.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5950bbb2b0bb696d85ded5cfd31bc2a44192b9a5e42c774260300e467a821316
-  data.tar.gz: 937e9ef7634d2667a6e552276e0dc7716511a3597b33de2c20174a865bcb3598
+  metadata.gz: 3298a8e70480c26df728476ce2bc2723b28f571e2ffd56b5915d6df70f4d2beb
+  data.tar.gz: 8121dbd23bcc3b7458f9eab0d83210321109b7006bac1f53ce94801e544f3ee9
 SHA512:
-  metadata.gz: 94c41b28ce5fdd2ed5437cf30aeb67d53f04b5863711fd74b1403612cd0747f9e2856fda14678927ef1c026af0f45e6c15a2eef68415a77585b752845f7852a6
-  data.tar.gz: 46d4ace82973f0df463733bad339ea00786baa90e1adbb665bdadf3d71999dfeb67177f98b4b26b13464307d02a5ef7b649793bb56dc7619b7f9a076118b3942
+  metadata.gz: 779e31aafd092dc978ba405171502011d8b4828f614c8023e6fd7d8296fd6ec805650187cabade3b8b4528c5020ff1455f38b1db8d3b4da82c6a76a0a400f3fc
+  data.tar.gz: 51ea4d44575fc2f778d60c702c370d53c2f36b42f67c046c212fbe7a97ac9dc4da54f08a8d7fffd144a8b60e2db465233f22d3a2f318ea0814aaf42f05989aa8

data/CHANGELOG.md

@@ -1,5 +1,21 @@
 # Release History
 
+### 1.10.0 (2024-02-08)
+
+#### Features
+
+* add PKCE to 3 Legged OAuth exchange ([#471](https://github.com/googleapis/google-auth-library-ruby/issues/471)) 
+#### Bug Fixes
+
+* Client library credentials provide correct self-signed JWT and external account behavior when loading from a file path or JSON data ([#474](https://github.com/googleapis/google-auth-library-ruby/issues/474)) 
+* Prioritize universe domain specified in GCECredentials arguments over metadata-fetched value ([#472](https://github.com/googleapis/google-auth-library-ruby/issues/472)) 
+
+### 1.9.2 (2024-01-25)
+
+#### Bug Fixes
+
+* Prevent access tokens from being fetched at service account construction in the self-signed-jwt case ([#467](https://github.com/googleapis/google-auth-library-ruby/issues/467)) 
+
 ### 1.9.1 (2023-12-12)
 
 #### Bug Fixes

data/README.md

@@ -97,6 +97,45 @@ get('/oauth2callback') do
 end
 ```
 
+### Example (Web with PKCE)
+
+Proof Key for Code Exchange (PKCE) is an [RFC](https://www.rfc-editor.org/rfc/rfc7636) that aims to prevent malicious operating system processes from hijacking an OAUTH 2.0 exchange. PKCE mitigates the above vulnerability by including `code_challenge` and `code_challenge_method` parameters in the Authorization Request and a `code_verifier` parameter in the Access Token Request.
+
+```ruby
+require 'googleauth'
+require 'googleauth/web_user_authorizer'
+require 'googleauth/stores/redis_token_store'
+require 'redis'
+
+client_id = Google::Auth::ClientId.from_file('/path/to/client_secrets.json')
+scope = ['https://www.googleapis.com/auth/drive']
+token_store = Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new)
+authorizer = Google::Auth::WebUserAuthorizer.new(
+  client_id, scope, token_store, '/oauth2callback')
+
+
+get('/authorize') do
+  # NOTE: Assumes the user is already authenticated to the app
+  user_id = request.session['user_id']
+  # User needs to take care of generating the code_verifier and storing it in
+  # the session.
+  request.session['code_verifier'] ||= Google::Auth::WebUserAuthorizer.generate_code_verifier
+  authorizer.code_verifier = request.session['code_verifier']
+  credentials = authorizer.get_credentials(user_id, request)
+  if credentials.nil?
+    redirect authorizer.get_authorization_url(login_hint: user_id, request: request)
+  end
+  # Credentials are valid, can call APIs
+  # ...
+end
+
+get('/oauth2callback') do
+  target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(
+    request)
+  redirect target_url
+end
+```
+
 ### Example (Command Line) [Deprecated]
 
 The Google Auth OOB flow has been discontiued on January 31, 2023. The OOB flow is a legacy flow that is no longer considered secure. To continue using Google Auth, please migrate your applications to a more secure flow. For more information on how to do this, please refer to this [OOB Migration](https://developers.google.com/identity/protocols/oauth2/resources/oob-migration) guide.

data/lib/googleauth/compute_engine.rb

@@ -80,6 +80,14 @@ module Google
         alias unmemoize_all reset_cache
       end
 
+      # Construct a GCECredentials
+      def initialize options = {}
+        # Override the constructor to remember whether the universe domain was
+        # overridden by a constructor argument.
+        @universe_domain_overridden = options["universe_domain"] || options[:universe_domain] ? true : false
+        super options
+      end
+
       # Overrides the super class method to change how access tokens are
       # fetched.
       def fetch_access_token _options = {}
@@ -119,9 +127,11 @@ module Google
           else
             Signet::OAuth2.parse_credentials body, content_type
           end
-        universe_domain = Google::Cloud.env.lookup_metadata "universe", "universe_domain"
-        universe_domain = "googleapis.com" if !universe_domain || universe_domain.empty?
-        hash["universe_domain"] = universe_domain.strip
+        unless @universe_domain_overridden
+          universe_domain = Google::Cloud.env.lookup_metadata "universe", "universe_domain"
+          universe_domain = "googleapis.com" if !universe_domain || universe_domain.empty?
+          hash["universe_domain"] = universe_domain.strip
+        end
         # The response might have been cached, which means expires_in might be
         # stale. Update it based on the time since the data was retrieved.
         # We also ensure expires_in is conservative; subtracting at least 1

data/lib/googleauth/credentials.rb

@@ -356,8 +356,9 @@ module Google
       #
       def initialize keyfile, options = {}
         verify_keyfile_provided! keyfile
-        @project_id = options["project_id"] || options["project"]
-        @quota_project_id = options["quota_project_id"]
+        options = symbolize_hash_keys options
+        @project_id = options[:project_id] || options[:project]
+        @quota_project_id = options[:quota_project_id]
         case keyfile
         when Google::Auth::BaseClient
           update_from_signet keyfile
@@ -484,10 +485,11 @@ module Google
       end
 
       # Initializes the Signet client.
-      def init_client keyfile, connection_options = {}
-        client_opts = client_options keyfile
-        Signet::OAuth2::Client.new(client_opts)
-                              .configure_connection(connection_options)
+      def init_client hash, options = {}
+        options = update_client_options options
+        io = StringIO.new JSON.generate hash
+        options.merge! json_key_io: io
+        Google::Auth::DefaultCredentials.make_creds options
       end
 
       # returns a new Hash with string keys instead of symbol keys.
@@ -495,34 +497,28 @@ module Google
         hash.to_h.transform_keys(&:to_s)
       end
 
-      # rubocop:disable Metrics/AbcSize
+      # returns a new Hash with symbol keys instead of string keys.
+      def symbolize_hash_keys hash
+        hash.to_h.transform_keys(&:to_sym)
+      end
+
+      def update_client_options options
+        options = options.dup
 
-      def client_options options
-        # Keyfile options have higher priority over constructor defaults
-        options["token_credential_uri"] ||= self.class.token_credential_uri
-        options["audience"] ||= self.class.audience
-        options["scope"] ||= self.class.scope
-        options["target_audience"] ||= self.class.target_audience
+        # options have higher priority over constructor defaults
+        options[:token_credential_uri] ||= self.class.token_credential_uri
+        options[:audience] ||= self.class.audience
+        options[:scope] ||= self.class.scope
+        options[:target_audience] ||= self.class.target_audience
 
-        if !Array(options["scope"]).empty? && options["target_audience"]
+        if !Array(options[:scope]).empty? && options[:target_audience]
           raise ArgumentError, "Cannot specify both scope and target_audience"
         end
+        options.delete :scope unless options[:target_audience].nil?
 
-        needs_scope = options["target_audience"].nil?
-        # client options for initializing signet client
-        {
-          token_credential_uri: options["token_credential_uri"],
-          audience:             options["audience"],
-          scope:                (needs_scope ? Array(options["scope"]) : nil),
-          target_audience:      options["target_audience"],
-          issuer:               options["client_email"],
-          signing_key:          OpenSSL::PKey::RSA.new(options["private_key"]),
-          universe_domain:      options["universe_domain"] || "googleapis.com"
-        }
+        options
       end
 
-      # rubocop:enable Metrics/AbcSize
-
       def update_from_signet client
         @project_id ||= client.project_id if client.respond_to? :project_id
         @quota_project_id ||= client.quota_project_id if client.respond_to? :quota_project_id

data/lib/googleauth/service_account.rb

@@ -39,7 +39,11 @@ module Google
       attr_reader :quota_project_id
 
       def enable_self_signed_jwt?
-        @enable_self_signed_jwt
+        # Use a self-singed JWT if there's no information that can be used to
+        # obtain an OAuth token, OR if there are scopes but also an assertion
+        # that they are default scopes that shouldn't be used to fetch a token,
+        # OR we are not in the default universe and thus OAuth isn't supported.
+        target_audience.nil? && (scope.nil? || @enable_self_signed_jwt || universe_domain != "googleapis.com")
       end
 
       # Creates a ServiceAccountCredentials.
@@ -95,17 +99,18 @@ module Google
       # Extends the base class to use a transient
       # ServiceAccountJwtHeaderCredentials for certain cases.
       def apply! a_hash, opts = {}
-        # Use a self-singed JWT if there's no information that can be used to
-        # obtain an OAuth token, OR if there are scopes but also an assertion
-        # that they are default scopes that shouldn't be used to fetch a token,
-        # OR we are not in the default universe and thus OAuth isn't supported.
-        if target_audience.nil? && (scope.nil? || enable_self_signed_jwt? || universe_domain != "googleapis.com")
+        if enable_self_signed_jwt?
           apply_self_signed_jwt! a_hash
         else
           super
         end
       end
 
+      # Modifies this logic so it also requires self-signed-jwt to be disabled
+      def needs_access_token?
+        super && !enable_self_signed_jwt?
+      end
+
       private
 
       def apply_self_signed_jwt! a_hash
@@ -216,6 +221,11 @@ module Google
 
         JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
       end
+
+      # Duck-types the corresponding method from BaseClient
+      def needs_access_token?
+        false
+      end
     end
   end
 end

data/lib/googleauth/user_authorizer.rb

@@ -16,6 +16,7 @@ require "uri"
 require "multi_json"
 require "googleauth/signet"
 require "googleauth/user_refresh"
+require "securerandom"
 
 module Google
   module Auth
@@ -57,7 +58,11 @@ module Google
       # @param [String] callback_uri
       #  URL (either absolute or relative) of the auth callback.
       #  Defaults to '/oauth2callback'
-      def initialize client_id, scope, token_store, callback_uri = nil
+      # @param [String] code_verifier
+      #  Random string of 43-128 chars used to verify the key exchange using
+      #  PKCE.
+      def initialize client_id, scope, token_store,
+                     callback_uri = nil, code_verifier: nil
         raise NIL_CLIENT_ID_ERROR if client_id.nil?
         raise NIL_SCOPE_ERROR if scope.nil?
 
@@ -65,6 +70,7 @@ module Google
         @scope = Array(scope)
         @token_store = token_store
         @callback_uri = callback_uri || "/oauth2callback"
+        @code_verifier = code_verifier
       end
 
       # Build the URL for requesting authorization.
@@ -86,6 +92,18 @@ module Google
       #  Authorization url
       def get_authorization_url options = {}
         scope = options[:scope] || @scope
+
+        options[:additional_parameters] ||= {}
+
+        if @code_verifier
+          options[:additional_parameters].merge!(
+            {
+              code_challenge: generate_code_challenge(@code_verifier),
+              code_challenge_method: code_challenge_method
+            }
+          )
+        end
+
         credentials = UserRefreshCredentials.new(
           client_id:     @client_id.id,
           client_secret: @client_id.secret,
@@ -157,6 +175,8 @@ module Google
         code = options[:code]
         scope = options[:scope] || @scope
         base_url = options[:base_url]
+        options[:additional_parameters] ||= {}
+        options[:additional_parameters].merge!({ code_verifier: @code_verifier })
         credentials = UserRefreshCredentials.new(
           client_id:             @client_id.id,
           client_secret:         @client_id.secret,
@@ -228,6 +248,23 @@ module Google
         credentials
       end
 
+      # The code verifier for PKCE for OAuth 2.0. When set, the
+      # authorization URI will contain the Code Challenge and Code
+      # Challenge Method querystring parameters, and the token URI will
+      # contain the Code Verifier parameter.
+      #
+      # @param [String|nil] new_code_erifier
+      def code_verifier= new_code_verifier
+        @code_verifier = new_code_verifier
+      end
+
+      # Generate the code verifier needed to be sent while fetching
+      # authorization URL.
+      def self.generate_code_verifier
+        random_number = rand 32..96
+        SecureRandom.alphanumeric random_number
+      end
+
       private
 
       # @private Fetch stored token with given user_id
@@ -272,6 +309,15 @@ module Google
       def uri_is_postmessage? uri
         uri.to_s.casecmp("postmessage").zero?
       end
+
+      def generate_code_challenge code_verifier
+        digest = Digest::SHA256.digest code_verifier
+        Base64.urlsafe_encode64 digest, padding: false
+      end
+
+      def code_challenge_method
+        "S256"
+      end
     end
   end
 end

data/lib/googleauth/version.rb

@@ -16,6 +16,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "1.9.1".freeze
+    VERSION = "1.10.0".freeze
   end
 end

data/lib/googleauth/web_user_authorizer.rb

@@ -96,8 +96,12 @@ module Google
       # @param [String] callback_uri
       #  URL (either absolute or relative) of the auth callback. Defaults
       #  to '/oauth2callback'
-      def initialize client_id, scope, token_store, callback_uri = nil
-        super client_id, scope, token_store, callback_uri
+      # @param [String] code_verifier
+      #  Random string of 43-128 chars used to verify the key exchange using
+      #  PKCE.
+      def initialize client_id, scope, token_store,
+                     callback_uri = nil, code_verifier: nil
+        super client_id, scope, token_store, callback_uri, code_verifier: code_verifier
       end
 
       # Handle the result of the oauth callback. Exchanges the authorization

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth
 version: !ruby/object:Gem::Version
-  version: 1.9.1
+  version: 1.10.0
 platform: ruby
 authors:
 - Tim Emiola
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-12-12 00:00:00.000000000 Z
+date: 2024-02-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -186,7 +186,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.19
+rubygems_version: 3.5.3
 signing_key: 
 specification_version: 4
 summary: Google Auth Library for Ruby