googleauth 0.16.2 → 0.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a1f96ad8fd7b2aae5671af839775b83db2c3f6b9c31e36622c2dc983d647e54d
-  data.tar.gz: 58db2385909da01755365839451a6a8bbb79fceaabd76de313dab9496a7ea0dd
+  metadata.gz: 5101c77470407b3d53ea18a41ecc2472c3e6b7d86c8a7ce21cc604ed346e030c
+  data.tar.gz: b33a1ca384b5178aaf0438a0ac87776bc598326dd221804e4562c5f7b2076e97
 SHA512:
-  metadata.gz: 39f9a7e75bbb27ff0cd9bb50ebc077751f83ee22fec724d4de9ed54c3bde97a92e5a9f577859784d2c298405fa9cf57491bddf73043ff5a0cb6a567379fc2cbb
-  data.tar.gz: 543d6c2e8175ea1262c4235e581124378ef932fe96b7c63e27b75654a2e7cdfc5e427c6f9668141de1b06d770dedfb97ca8b94b1df800d0bdf04c1860644dc2c
+  metadata.gz: 8c33deaf116dc8ba017b73525ba5dc4029511530d3e34d03584ad32023689d9b4837b5136344ec66486157651a55693fd16b23e770573912fff0094d33031fd7
+  data.tar.gz: 8adfa4263bbcecd04770de3647dae120beb585c140315dd6392d16cbdcb523d438f35cd5a7f0be74a6b824448ff201c8a654a96b774c902ea9cfbdf1c1d9dc94

data/.repo-metadata.json

@@ -1,5 +1,5 @@
 {
-    "name": "googleauth",
     "language": "ruby",
-    "distribution-name": "googleauth"
-}
+    "distribution-name": "googleauth",
+    "library_type": "AUTH"
+}

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Release History
 
+## [0.17.0](https://www.github.com/googleapis/google-auth-library-ruby/compare/google-auth-library-ruby/v0.16.2...google-auth-library-ruby/v0.17.0) (2021-07-30)
+
+
+### Features
+
+* Allow scopes to be self-signed into jwts ([e67ce40](https://www.github.com/googleapis/google-auth-library-ruby/commit/e67ce40f919b7eb3723c2ec95f5b8d58315ab1ee))
+
 ### [0.16.2](https://www.github.com/googleapis/google-auth-library-ruby/compare/google-auth-library-ruby/v0.16.1...google-auth-library-ruby/v0.16.2) (2021-04-28)
 
 

data/SECURITY.md

@@ -0,0 +1,7 @@
+# Security Policy
+
+To report a security issue, please use [g.co/vulnz](https://g.co/vulnz).
+
+The Google Security Team will respond within 5 working days of your report on g.co/vulnz.
+
+We use g.co/vulnz for our intake, and do coordination and disclosure here using GitHub Security Advisory to privately discuss and fix the issue.

data/lib/googleauth/service_account.rb

@@ -129,7 +129,7 @@ module Google
           quota_project_id: @quota_project_id
         }
         key_io = StringIO.new MultiJson.dump(cred_json)
-        alt = ServiceAccountJwtHeaderCredentials.make_creds json_key_io: key_io
+        alt = ServiceAccountJwtHeaderCredentials.make_creds json_key_io: key_io, scope: scope
         alt.apply! a_hash
       end
     end
@@ -154,15 +154,13 @@ module Google
       attr_reader :project_id
       attr_reader :quota_project_id
 
-      # make_creds proxies the construction of a credentials instance
+      # Create a ServiceAccountJwtHeaderCredentials.
       #
-      # make_creds is used by the methods in CredentialsLoader.
-      #
-      # By default, it calls #new with 2 args, the second one being an
-      # optional scope. Here's the constructor only has one param, so
-      # we modify make_creds to reflect this.
-      def self.make_creds *args
-        new json_key_io: args[0][:json_key_io]
+      # @param json_key_io [IO] an IO from which the JSON key can be read
+      # @param scope [string|array|nil] the scope(s) to access
+      def self.make_creds options = {}
+        json_key_io, scope = options.values_at :json_key_io, :scope
+        new json_key_io: json_key_io, scope: scope
       end
 
       # Initializes a ServiceAccountJwtHeaderCredentials.
@@ -181,6 +179,7 @@ module Google
         end
         @project_id ||= CredentialsLoader.load_gcloud_project_id
         @signing_key = OpenSSL::PKey::RSA.new @private_key
+        @scope = options[:scope]
       end
 
       # Construct a jwt token if the JWT_AUD_URI key is present in the input
@@ -189,7 +188,7 @@ module Google
       # The jwt token is used as the value of a 'Bearer '.
       def apply! a_hash, opts = {}
         jwt_aud_uri = a_hash.delete JWT_AUD_URI_KEY
-        return a_hash if jwt_aud_uri.nil?
+        return a_hash if jwt_aud_uri.nil? && @scope.nil?
         jwt_token = new_jwt_token jwt_aud_uri, opts
         a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
         a_hash
@@ -211,16 +210,21 @@ module Google
       protected
 
       # Creates a jwt uri token.
-      def new_jwt_token jwt_aud_uri, options = {}
+      def new_jwt_token jwt_aud_uri = nil, options = {}
         now = Time.new
         skew = options[:skew] || 60
         assertion = {
           "iss" => @issuer,
           "sub" => @issuer,
-          "aud" => jwt_aud_uri,
           "exp" => (now + EXPIRY).to_i,
           "iat" => (now - skew).to_i
         }
+
+        jwt_aud_uri = nil if @scope
+
+        assertion["scope"] = Array(@scope).join " " if @scope
+        assertion["aud"] = jwt_aud_uri if jwt_aud_uri
+
         JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
       end
     end

data/lib/googleauth/version.rb

@@ -31,6 +31,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "0.16.2".freeze
+    VERSION = "0.17.0".freeze
   end
 end

data/spec/googleauth/service_account_spec.rb

@@ -44,9 +44,10 @@ require "os"
 
 include Google::Auth::CredentialsLoader
 
-shared_examples "jwt header auth" do
+shared_examples "jwt header auth" do |aud="https://www.googleapis.com/myservice"|
   context "when jwt_aud_uri is present" do
-    let(:test_uri) { "https://www.googleapis.com/myservice" }
+    let(:test_uri) { aud }
+    let(:test_scope) { "scope/1 scope/2" }
     let(:auth_prefix) { "Bearer " }
     let(:auth_key) { ServiceAccountJwtHeaderCredentials::AUTH_METADATA_KEY }
     let(:jwt_uri_key) { ServiceAccountJwtHeaderCredentials::JWT_AUD_URI_KEY }
@@ -56,14 +57,16 @@ shared_examples "jwt header auth" do
       expect(hdr.start_with?(auth_prefix)).to be true
       authorization = hdr[auth_prefix.length..-1]
       payload, = JWT.decode authorization, @key.public_key, true, algorithm: "RS256"
-      expect(payload["aud"]).to eq(test_uri)
+
+      expect(payload["aud"]).to eq(test_uri) if not test_uri.nil?
+      expect(payload["scope"]).to eq(test_scope) if test_uri.nil?
       expect(payload["iss"]).to eq(client_email)
     end
 
     describe "#apply!" do
       it "should update the target hash with a jwt token" do
         md = { foo: "bar" }
-        md[jwt_uri_key] = test_uri
+        md[jwt_uri_key] = test_uri if test_uri
         @client.apply! md
         auth_header = md[auth_key]
         expect_is_encoded_jwt auth_header
@@ -74,31 +77,31 @@ shared_examples "jwt header auth" do
     describe "updater_proc" do
       it "should provide a proc that updates a hash with a jwt token" do
         md = { foo: "bar" }
-        md[jwt_uri_key] = test_uri
+        md[jwt_uri_key] = test_uri if test_uri
         the_proc = @client.updater_proc
         got = the_proc.call md
         auth_header = got[auth_key]
         expect_is_encoded_jwt auth_header
         expect(got[jwt_uri_key]).to be_nil
-        expect(md[jwt_uri_key]).to_not be_nil
+        expect(md[jwt_uri_key]).to_not be_nil if test_uri
       end
     end
 
     describe "#apply" do
       it "should not update the original hash with a jwt token" do
         md = { foo: "bar" }
-        md[jwt_uri_key] = test_uri
+        md[jwt_uri_key] = test_uri if test_uri
         the_proc = @client.updater_proc
         got = the_proc.call md
         auth_header = md[auth_key]
         expect(auth_header).to be_nil
         expect(got[jwt_uri_key]).to be_nil
-        expect(md[jwt_uri_key]).to_not be_nil
+        expect(md[jwt_uri_key]).to_not be_nil if test_uri
       end
 
       it "should add a jwt token to the returned hash" do
         md = { foo: "bar" }
-        md[jwt_uri_key] = test_uri
+        md[jwt_uri_key] = test_uri if test_uri
         got = @client.apply md
         auth_header = got[auth_key]
         expect_is_encoded_jwt auth_header
@@ -107,6 +110,7 @@ shared_examples "jwt header auth" do
   end
 end
 
+
 describe Google::Auth::ServiceAccountCredentials do
   ServiceAccountCredentials = Google::Auth::ServiceAccountCredentials
   let(:client_email) { "app@developer.gserviceaccount.com" }
@@ -169,14 +173,24 @@ describe Google::Auth::ServiceAccountCredentials do
     it_behaves_like "jwt header auth"
   end
 
-  context "when enable_self_signed_jwt is set" do
+  context "when enable_self_signed_jwt is set with aud" do
     before :example do
+      @client.scope = nil
       @client.instance_variable_set(:@enable_self_signed_jwt, true)
     end
 
     it_behaves_like "jwt header auth"
   end
 
+  context "when enable_self_signed_jwt is set with scope" do
+    before :example do
+      @client.scope = ['scope/1', 'scope/2']
+      @client.instance_variable_set(:@enable_self_signed_jwt, true)
+    end
+
+    it_behaves_like "jwt header auth", nil
+  end
+
   describe "#from_env" do
     before :example do
       @var_name = ENV_VAR

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth
 version: !ruby/object:Gem::Version
-  version: 0.16.2
+  version: 0.17.0
 platform: ruby
 authors:
 - Tim Emiola
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-28 00:00:00.000000000 Z
+date: 2021-07-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -164,6 +164,7 @@ files:
 - Gemfile
 - LICENSE
 - README.md
+- SECURITY.md
 - googleauth.gemspec
 - integration/helper.rb
 - integration/id_tokens/key_source_test.rb
@@ -228,7 +229,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.16
+rubygems_version: 3.2.17
 signing_key: 
 specification_version: 4
 summary: Google Auth Library for Ruby