googleauth 1.3.0 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0bc48c47d78d7ec955a2a5557fc8f1cff502a28dd1e18c5af3fc566be5743171
-  data.tar.gz: 220a8fed81a73d5bc93a2fca2951a749b9469cb769a198cf13564ad7f714ac90
+  metadata.gz: 42581efbf67b1cafdcdcd18cd227d22b5d456d695f3b5cfaa089f4121c17bce2
+  data.tar.gz: 968618cfa8048d5c246c83acc769b19c3f258958e21810481464d1b297d651bc
 SHA512:
-  metadata.gz: 73f52ffce21a05e15102b54aabbcb3cb199d32e9caf318b125b48b6caeddc01f77c3de4ea09513b0b1e9e503c912e55adf5864b4295b86af0620aa0c7df25df4
-  data.tar.gz: 7ec107faa35d72aa1fd8e79b86b30df9acf061ce86ac52641bc12b69391f0b4f2adde8021b908327e379dee65c1e2ed7ed1b203e629ca1f4d25a988e80c31eb2
+  metadata.gz: 392dc977400f0229fd416cdcd2d5ed60fa0a8592926c622fed3dea2ba6ba1e083169d978c7a48d4e895014909352196fca56ac8c21df1f0b3694e55439cfedb2
+  data.tar.gz: 1a33a41171c9963196f833fa83702d61af6e335b677a229bf0f93316e7f0272f9b211f00fc7e180c4f07e1e7dd5ffbe29b484f5cd72578a49096046c6d017fc4

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Release History
 
+### 1.5.0 (2023-03-21)
+
+#### Features
+
+* Add support for AWS Workload Identity Federation ([#418](https://github.com/googleapis/google-auth-library-ruby/issues/418)) 
+
+### 1.4.0 (2022-12-14)
+
+#### Features
+
+* make new_jwt_token public in order to fetch raw token directly ([#405](https://github.com/googleapis/google-auth-library-ruby/issues/405)) 
+
 ### 1.3.0 (2022-10-18)
 
 #### Features

data/lib/googleauth/base_client.rb

@@ -0,0 +1,80 @@
+# Copyright 2023 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # BaseClient is a class used to contain common methods that are required by any
+    # Credentials Client, including AwsCredentials, ServiceAccountCredentials,
+    # and UserRefreshCredentials. This is a superclass of Signet::OAuth2::Client
+    # and has been created to create a generic interface for all credentials clients
+    # to use, including ones which do not inherit from Signet::OAuth2::Client.
+    module BaseClient
+      AUTH_METADATA_KEY = :authorization
+
+      # Updates a_hash updated with the authentication token
+      def apply! a_hash, opts = {}
+        # fetch the access token there is currently not one, or if the client
+        # has expired
+        fetch_access_token! opts if needs_access_token?
+        a_hash[AUTH_METADATA_KEY] = "Bearer #{send token_type}"
+      end
+
+      # Returns a clone of a_hash updated with the authentication token
+      def apply a_hash, opts = {}
+        a_copy = a_hash.clone
+        apply! a_copy, opts
+        a_copy
+      end
+
+      # Whether the id_token or access_token is missing or about to expire.
+      def needs_access_token?
+        send(token_type).nil? || expires_within?(60)
+      end
+
+      # Returns a reference to the #apply method, suitable for passing as
+      # a closure
+      def updater_proc
+        proc { |a_hash, opts = {}| apply a_hash, opts }
+      end
+
+      def on_refresh &block
+        @refresh_listeners = [] unless defined? @refresh_listeners
+        @refresh_listeners << block
+      end
+
+      def notify_refresh_listeners
+        listeners = defined?(@refresh_listeners) ? @refresh_listeners : []
+        listeners.each do |block|
+          block.call self
+        end
+      end
+
+      def expires_within?
+        raise NotImplementedError
+      end
+
+      private
+
+      def token_type
+        raise NotImplementedError
+      end
+
+      def fetch_access_token!
+        raise NotImplementedError
+      end
+    end
+  end
+end

data/lib/googleauth/credentials.rb

@@ -355,7 +355,7 @@ module Google
         @project_id = options["project_id"] || options["project"]
         @quota_project_id = options["quota_project_id"]
         case keyfile
-        when Signet::OAuth2::Client
+        when Google::Auth::BaseClient
           update_from_signet keyfile
         when Hash
           update_from_hash keyfile, options

data/lib/googleauth/credentials_loader.rb

@@ -30,6 +30,11 @@ module Google
       REFRESH_TOKEN_VAR         = "GOOGLE_REFRESH_TOKEN".freeze
       ACCOUNT_TYPE_VAR          = "GOOGLE_ACCOUNT_TYPE".freeze
       PROJECT_ID_VAR            = "GOOGLE_PROJECT_ID".freeze
+      AWS_REGION_VAR            = "AWS_REGION".freeze
+      AWS_DEFAULT_REGION_VAR    = "AWS_DEFAULT_REGION".freeze
+      AWS_ACCESS_KEY_ID_VAR     = "AWS_ACCESS_KEY_ID".freeze
+      AWS_SECRET_ACCESS_KEY_VAR = "AWS_SECRET_ACCESS_KEY".freeze
+      AWS_SESSION_TOKEN_VAR     = "AWS_SESSION_TOKEN".freeze
       GCLOUD_POSIX_COMMAND      = "gcloud".freeze
       GCLOUD_WINDOWS_COMMAND    = "gcloud.cmd".freeze
       GCLOUD_CONFIG_COMMAND     = "config config-helper --format json --verbosity none".freeze

data/lib/googleauth/default_credentials.rb

@@ -18,6 +18,7 @@ require "stringio"
 require "googleauth/credentials_loader"
 require "googleauth/service_account"
 require "googleauth/user_refresh"
+require "googleauth/external_account"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -53,6 +54,8 @@ module Google
           ServiceAccountCredentials
         when "authorized_user"
           UserRefreshCredentials
+        when "external_account"
+          ExternalAccount::Credentials
         else
           raise "credentials type '#{type}' is not supported"
         end
@@ -69,6 +72,8 @@ module Google
           [json_key, ServiceAccountCredentials]
         when "authorized_user"
           [json_key, UserRefreshCredentials]
+        when "external_account"
+          [json_key, ExternalAccount::Credentials]
         else
           raise "credentials type '#{type}' is not supported"
         end

data/lib/googleauth/external_account/aws_credentials.rb

@@ -0,0 +1,373 @@
+# Copyright 2023 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "time"
+require "googleauth/external_account/base_credentials"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # Authenticates requests using External Account credentials, such
+    # as those provided by the AWS provider.
+    module ExternalAccount
+      # This module handles the retrieval of credentials from Google Cloud
+      # by utilizing the AWS EC2 metadata service and then exchanging the
+      # credentials for a short-lived Google Cloud access token.
+      class AwsCredentials
+        include Google::Auth::ExternalAccount::BaseCredentials
+        extend CredentialsLoader
+
+        # Will always be nil, but method still gets used.
+        attr_reader :client_id
+
+        def initialize options = {}
+          base_setup options
+
+          @audience = options[:audience]
+          @credential_source = options[:credential_source] || {}
+          @environment_id = @credential_source["environment_id"]
+          @region_url = validate_metadata_server @credential_source["region_url"], "region_url"
+          @credential_verification_url = validate_metadata_server @credential_source["url"], "url"
+          @regional_cred_verification_url = @credential_source["regional_cred_verification_url"]
+          @imdsv2_session_token_url = validate_metadata_server @credential_source["imdsv2_session_token_url"],
+                                                               "imdsv2_session_token_url"
+
+          # These will be lazily loaded when needed, or will raise an error if not provided
+          @region = nil
+          @request_signer = nil
+        end
+
+        # Retrieves the subject token using the credential_source object.
+        # The subject token is a serialized [AWS GetCallerIdentity signed request](
+        #   https://cloud.google.com/iam/docs/access-resources-aws#exchange-token).
+        #
+        # The logic is summarized as:
+        #
+        # Retrieve the AWS region from the AWS_REGION or AWS_DEFAULT_REGION
+        # environment variable or from the AWS metadata server availability-zone
+        # if not found in the environment variable.
+        #
+        # Check AWS credentials in environment variables. If not found, retrieve
+        # from the AWS metadata server security-credentials endpoint.
+        #
+        # When retrieving AWS credentials from the metadata server
+        # security-credentials endpoint, the AWS role needs to be determined by
+        # calling the security-credentials endpoint without any argument. Then the
+        # credentials can be retrieved via: security-credentials/role_name
+        #
+        # Generate the signed request to AWS STS GetCallerIdentity action.
+        #
+        # Inject x-goog-cloud-target-resource into header and serialize the
+        # signed request. This will be the subject-token to pass to GCP STS.
+        #
+        # @return [string] The retrieved subject token.
+        #
+        def retrieve_subject_token!
+          if @request_signer.nil?
+            @region = region
+            @request_signer = AwsRequestSigner.new @region
+          end
+
+          request = {
+            method: "POST",
+            url: @regional_cred_verification_url.sub("{region}", @region)
+          }
+
+          request_options = @request_signer.generate_signed_request fetch_security_credentials, request
+
+          request_headers = request_options[:headers]
+          request_headers["x-goog-cloud-target-resource"] = @audience
+
+          aws_signed_request = {
+            headers: [],
+            method: request_options[:method],
+            url: request_options[:url]
+          }
+
+          aws_signed_request[:headers] = request_headers.keys.sort.map do |key|
+            { key: key, value: request_headers[key] }
+          end
+
+          uri_escape aws_signed_request.to_json
+        end
+
+        private
+
+        def validate_metadata_server url, name
+          return nil if url.nil?
+          host = URI(url).host
+          raise "Invalid host #{host} for #{name}." unless ["169.254.169.254", "[fd00:ec2::254]"].include? host
+          url
+        end
+
+        def get_aws_resource url, name, data: nil, headers: {}
+          begin
+            unless [nil, url].include? @imdsv2_session_token_url
+              headers["x-aws-ec2-metadata-token"] = get_aws_resource(
+                @imdsv2_session_token_url,
+                "Session Token",
+                headers: { "x-aws-ec2-metadata-token-ttl-seconds": "300" }
+              ).body
+            end
+
+            response = if data
+                         headers["Content-Type"] = "application/json"
+                         connection.post url, data, headers
+                       else
+                         connection.get url, nil, headers
+                       end
+
+            raise Faraday::Error unless response.success?
+            response
+          rescue Faraday::Error
+            raise "Failed to retrieve AWS #{name}."
+          end
+        end
+
+        def uri_escape string
+          if string.nil?
+            nil
+          else
+            CGI.escape(string.encode("UTF-8")).gsub("+", "%20").gsub("%7E", "~")
+          end
+        end
+
+        # Retrieves the AWS security credentials required for signing AWS
+        # requests from either the AWS security credentials environment variables
+        # or from the AWS metadata server.
+        def fetch_security_credentials
+          env_aws_access_key_id = ENV[CredentialsLoader::AWS_ACCESS_KEY_ID_VAR]
+          env_aws_secret_access_key = ENV[CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR]
+          # This is normally not available for permanent credentials.
+          env_aws_session_token = ENV[CredentialsLoader::AWS_SESSION_TOKEN_VAR]
+
+          if env_aws_access_key_id && env_aws_secret_access_key
+            return {
+              access_key_id: env_aws_access_key_id,
+              secret_access_key: env_aws_secret_access_key,
+              session_token: env_aws_session_token
+            }
+          end
+
+          role_name = fetch_metadata_role_name
+          credentials = fetch_metadata_security_credentials role_name
+
+          {
+            access_key_id: credentials["AccessKeyId"],
+            secret_access_key: credentials["SecretAccessKey"],
+            session_token: credentials["Token"]
+          }
+        end
+
+        # Retrieves the AWS role currently attached to the current AWS
+        # workload by querying the AWS metadata server. This is needed for the
+        # AWS metadata server security credentials endpoint in order to retrieve
+        # the AWS security credentials needed to sign requests to AWS APIs.
+        def fetch_metadata_role_name
+          unless @credential_verification_url
+            raise "Unable to determine the AWS metadata server security credentials endpoint"
+          end
+
+          get_aws_resource(@credential_verification_url, "IAM Role").body
+        end
+
+        # Retrieves the AWS security credentials required for signing AWS
+        # requests from the AWS metadata server.
+        def fetch_metadata_security_credentials role_name
+          response = get_aws_resource "#{@credential_verification_url}/#{role_name}", "credentials"
+          MultiJson.load response.body
+        end
+
+        def region
+          @region = ENV[CredentialsLoader::AWS_REGION_VAR] || ENV[CredentialsLoader::AWS_DEFAULT_REGION_VAR]
+
+          unless @region
+            raise "region_url or region must be set for external account credentials" unless @region_url
+
+            @region ||= get_aws_resource(@region_url, "region").body[0..-2]
+          end
+
+          @region
+        end
+      end
+
+      # Implements an AWS request signer based on the AWS Signature Version 4 signing process.
+      # https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
+      class AwsRequestSigner
+        # Instantiates an AWS request signer used to compute authenticated signed
+        # requests to AWS APIs based on the AWS Signature Version 4 signing process.
+        #
+        # @param [string] region_name
+        #     The AWS region to use.
+        def initialize region_name
+          @region_name = region_name
+        end
+
+        # Generates the signed request for the provided HTTP request for calling
+        # an AWS API. This follows the steps described at:
+        # https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
+        #
+        # @param [Hash[string, string]] aws_security_credentials
+        #     A dictionary containing the AWS security credentials.
+        # @param [string] url
+        #     The AWS service URL containing the canonical URI and query string.
+        # @param [string] method
+        #     The HTTP method used to call this API.
+        #
+        # @return [hash{string => string}]
+        #     The AWS signed request dictionary object.
+        #
+        def generate_signed_request aws_credentials, original_request
+          uri = Addressable::URI.parse original_request[:url]
+          raise "Invalid AWS service URL" unless uri.hostname && uri.scheme == "https"
+          service_name = uri.host.split(".").first
+
+          datetime = Time.now.utc.strftime "%Y%m%dT%H%M%SZ"
+          date = datetime[0, 8]
+
+          headers = aws_headers aws_credentials, original_request, datetime
+
+          request_payload = original_request[:data] || ""
+          content_sha256 = sha256_hexdigest request_payload
+
+          canonical_req = canonical_request original_request[:method], uri, headers, content_sha256
+          sts = string_to_sign datetime, canonical_req, service_name
+
+          # Authorization header requires everything else to be properly setup in order to be properly
+          # calculated.
+          headers["Authorization"] = build_authorization_header headers, sts, aws_credentials, service_name, date
+
+          {
+            url: uri.to_s,
+            headers: headers,
+            method: original_request[:method],
+            data: (request_payload unless request_payload.empty?)
+          }.compact
+        end
+
+        private
+
+        def aws_headers aws_credentials, original_request, datetime
+          uri = Addressable::URI.parse original_request[:url]
+          temp_headers = original_request[:headers] || {}
+          headers = {}
+          temp_headers.each_key { |k| headers[k.to_s] = temp_headers[k] }
+          headers["host"] = uri.host
+          headers["x-amz-date"] = datetime
+          headers["x-amz-security-token"] = aws_credentials[:session_token] if aws_credentials[:session_token]
+          headers
+        end
+
+        def build_authorization_header headers, sts, aws_credentials, service_name, date
+          [
+            "AWS4-HMAC-SHA256",
+            "Credential=#{credential aws_credentials[:access_key_id], date, service_name},",
+            "SignedHeaders=#{headers.keys.sort.join ';'},",
+            "Signature=#{signature aws_credentials[:secret_access_key], date, sts, service_name}"
+          ].join(" ")
+        end
+
+        def signature secret_access_key, date, string_to_sign, service
+          k_date = hmac "AWS4#{secret_access_key}", date
+          k_region = hmac k_date, @region_name
+          k_service = hmac k_region, service
+          k_credentials = hmac k_service, "aws4_request"
+
+          hexhmac k_credentials, string_to_sign
+        end
+
+        def hmac key, value
+          OpenSSL::HMAC.digest OpenSSL::Digest.new("sha256"), key, value
+        end
+
+        def hexhmac key, value
+          OpenSSL::HMAC.hexdigest OpenSSL::Digest.new("sha256"), key, value
+        end
+
+        def credential access_key_id, date, service
+          "#{access_key_id}/#{credential_scope date, service}"
+        end
+
+        def credential_scope date, service
+          [
+            date,
+            @region_name,
+            service,
+            "aws4_request"
+          ].join("/")
+        end
+
+        def string_to_sign datetime, canonical_request, service
+          [
+            "AWS4-HMAC-SHA256",
+            datetime,
+            credential_scope(datetime[0, 8], service),
+            sha256_hexdigest(canonical_request)
+          ].join("\n")
+        end
+
+        def host uri
+          # Handles known and unknown URI schemes; default_port nil when unknown.
+          if uri.default_port == uri.port
+            uri.host
+          else
+            "#{uri.host}:#{uri.port}"
+          end
+        end
+
+        def canonical_request http_method, uri, headers, content_sha256
+          headers = headers.sort_by(&:first) # transforms to a sorted array of [key, value]
+
+          [
+            http_method,
+            uri.path.empty? ? "/" : uri.path,
+            build_canonical_querystring(uri.query || ""),
+            headers.map { |k, v| "#{k}:#{v}\n" }.join, # Canonical headers
+            headers.map(&:first).join(";"), # Signed headers
+            content_sha256
+          ].join("\n")
+        end
+
+        def sha256_hexdigest string
+          OpenSSL::Digest::SHA256.hexdigest string
+        end
+
+        # Generates the canonical query string given a raw query string.
+        # Logic is based on
+        # https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
+        # Code is from the AWS SDK for Ruby
+        # https://github.com/aws/aws-sdk-ruby/blob/0ac3d0a393ed216290bfb5f0383380376f6fb1f1/gems/aws-sigv4/lib/aws-sigv4/signer.rb#L532
+        def build_canonical_querystring query
+          params = query.split "&"
+          params = params.map { |p| p.include?("=") ? p : "#{p}=" }
+
+          params.each.with_index.sort do |(a, a_offset), (b, b_offset)|
+            a_name, a_value = a.split "="
+            b_name, b_value = b.split "="
+            if a_name == b_name
+              if a_value == b_value
+                a_offset <=> b_offset
+              else
+                a_value <=> b_value
+              end
+            else
+              a_name <=> b_name
+            end
+          end.map(&:first).join("&")
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/external_account/base_credentials.rb

@@ -0,0 +1,200 @@
+# Copyright 2023 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.require "time"
+
+require "googleauth/base_client"
+require "googleauth/helpers/connection"
+require "googleauth/oauth2/sts_client"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # Authenticates requests using External Account credentials, such
+    # as those provided by the AWS provider.
+    module ExternalAccount
+      # Authenticates requests using External Account credentials, such
+      # as those provided by the AWS provider.
+      module BaseCredentials
+        # Contains all methods needed for all external account credentials.
+        # Other credentials should call `base_setup` during initialization
+        # And should define the :retrieve_subject_token method
+
+        # External account JSON type identifier.
+        EXTERNAL_ACCOUNT_JSON_TYPE = "external_account".freeze
+        # The token exchange grant_type used for exchanging credentials.
+        STS_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange".freeze
+        # The token exchange requested_token_type. This is always an access_token.
+        STS_REQUESTED_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token".freeze
+        # Cloud resource manager URL used to retrieve project information.
+        CLOUD_RESOURCE_MANAGER = "https://cloudresourcemanager.googleapis.com/v1/projects/".freeze
+        # Default IAM_SCOPE
+        IAM_SCOPE = ["https://www.googleapis.com/auth/iam".freeze].freeze
+
+        include Google::Auth::BaseClient
+        include Helpers::Connection
+
+        attr_reader :expires_at
+        attr_accessor :access_token
+
+        def expires_within? seconds
+          # This method is needed for BaseClient
+          @expires_at && @expires_at - Time.now.utc < seconds
+        end
+
+        def expires_at= new_expires_at
+          @expires_at = normalize_timestamp new_expires_at
+        end
+
+        def fetch_access_token! _options = {}
+          # This method is needed for BaseClient
+          response = exchange_token
+
+          if @service_account_impersonation_url
+            impersonated_response = get_impersonated_access_token response["access_token"]
+            self.expires_at = impersonated_response["expireTime"]
+            self.access_token = impersonated_response["accessToken"]
+          else
+            # Extract the expiration time in seconds from the response and calculate the actual expiration time
+            # and then save that to the expiry variable.
+            self.expires_at = Time.now.utc + response["expires_in"].to_i
+            self.access_token = response["access_token"]
+          end
+
+          notify_refresh_listeners
+        end
+
+        ##
+        # Retrieves the project ID corresponding to the workload identity or workforce pool.
+        # For workforce pool credentials, it returns the project ID corresponding to the workforce_pool_user_project.
+        # When not determinable, None is returned.
+        #
+        # The resource may not have permission (resourcemanager.projects.get) to
+        # call this API or the required scopes may not be selected:
+        # https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes
+        #
+        # @return [string,nil]
+        #     The project ID corresponding to the workload identity pool or workforce pool if determinable.
+        #
+        def project_id
+          return @project_id unless @project_id.nil?
+          project_number = self.project_number || @workforce_pool_user_project
+
+          # if we missing either project number or scope, we won't retrieve project_id
+          return nil if project_number.nil? || @scope.nil?
+
+          url = "#{CLOUD_RESOURCE_MANAGER}#{project_number}"
+
+          response = connection.get url do |req|
+            req.headers["Authorization"] = "Bearer #{@access_token}"
+            req.headers["Content-Type"] = "application/json"
+          end
+
+          if response.status == 200
+            response_data = MultiJson.load response.body
+            @project_id = response_data[:projectId]
+          end
+
+          @project_id
+        end
+
+        ##
+        # Retrieve the project number corresponding to workload identity pool
+        # STS audience pattern:
+        #     `//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/...`
+        #
+        # @return [string, nil]
+        #
+        def project_number
+          segments = @audience.split "/"
+          idx = segments.index "projects"
+          return nil if idx.nil? || idx + 1 == segments.size
+          segments[idx + 1]
+        end
+
+        private
+
+        def token_type
+          # This method is needed for BaseClient
+          :access_token
+        end
+
+        def base_setup options
+          self.default_connection = options[:connection]
+
+          @audience = options[:audience]
+          @scope = options[:scope] || IAM_SCOPE
+          @subject_token_type = options[:subject_token_type]
+          @token_url = options[:token_url]
+          @service_account_impersonation_url = options[:service_account_impersonation_url]
+          @service_account_impersonation_options = options[:service_account_impersonation_options] || {}
+          @client_id = options[:client_id]
+          @client_secret = options[:client_secret]
+          @quota_project_id = options[:quota_project_id]
+          @project_id = nil
+          @workforce_pool_user_project = [:workforce_pool_user_project]
+
+          @expires_at = nil
+          @access_token = nil
+
+          @sts_client = Google::Auth::OAuth2::STSClient.new(
+            token_exchange_endpoint: @token_url,
+            connection: default_connection
+          )
+        end
+
+        def normalize_timestamp time
+          case time
+          when NilClass
+            nil
+          when Time
+            time
+          when String
+            Time.parse time
+          else
+            raise "Invalid time value #{time}"
+          end
+        end
+
+        def exchange_token
+          @sts_client.exchange_token(
+            audience: @audience,
+            grant_type: STS_GRANT_TYPE,
+            subject_token: retrieve_subject_token!,
+            subject_token_type: @subject_token_type,
+            scopes: @service_account_impersonation_url ? IAM_SCOPE : @scope,
+            requested_token_type: STS_REQUESTED_TOKEN_TYPE
+          )
+        end
+
+        def get_impersonated_access_token token, _options = {}
+          response = connection.post @service_account_impersonation_url do |req|
+            req.headers["Authorization"] = "Bearer #{token}"
+            req.headers["Content-Type"] = "application/json"
+            req.body = MultiJson.dump({ scope: @scope })
+          end
+
+          if response.status != 200
+            raise "Service account impersonation failed with status #{response.status}"
+          end
+
+          MultiJson.load response.body
+        end
+
+        def retrieve_subject_token!
+          raise NotImplementedError
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/external_account.rb

@@ -0,0 +1,111 @@
+# Copyright 2022 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "time"
+require "uri"
+require "googleauth/credentials_loader"
+require "googleauth/external_account/aws_credentials"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # Authenticates requests using External Account credentials, such
+    # as those provided by the AWS provider.
+    module ExternalAccount
+      # Provides an entrypoint for all Exernal Account credential classes.
+      class Credentials
+        # The subject token type used for AWS external_account credentials.
+        AWS_SUBJECT_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request".freeze
+        AWS_SUBJECT_TOKEN_INVALID = "aws is the only currently supported external account type".freeze
+
+        TOKEN_URL_PATTERNS = [
+          /^[^.\s\/\\]+\.sts(?:\.mtls)?\.googleapis\.com$/,
+          /^sts(?:\.mtls)?\.googleapis\.com$/,
+          /^sts\.[^.\s\/\\]+(?:\.mtls)?\.googleapis\.com$/,
+          /^[^.\s\/\\]+-sts(?:\.mtls)?\.googleapis\.com$/,
+          /^sts-[^.\s\/\\]+\.p(?:\.mtls)?\.googleapis\.com$/
+        ].freeze
+
+        SERVICE_ACCOUNT_IMPERSONATION_URL_PATTERNS = [
+          /^[^.\s\/\\]+\.iamcredentials\.googleapis\.com$/.freeze,
+          /^iamcredentials\.googleapis\.com$/.freeze,
+          /^iamcredentials\.[^.\s\/\\]+\.googleapis\.com$/.freeze,
+          /^[^.\s\/\\]+-iamcredentials\.googleapis\.com$/.freeze,
+          /^iamcredentials-[^.\s\/\\]+\.p\.googleapis\.com$/.freeze
+        ].freeze
+
+        # Create a ExternalAccount::Credentials
+        #
+        # @param json_key_io [IO] an IO from which the JSON key can be read
+        # @param scope [String,Array,nil] the scope(s) to access
+        def self.make_creds options = {}
+          json_key_io, scope = options.values_at :json_key_io, :scope
+
+          raise "A json file is required for external account credentials." unless json_key_io
+          user_creds = read_json_key json_key_io
+
+          raise "The provided token URL is invalid." unless is_token_url_valid? user_creds["token_url"]
+          unless is_service_account_impersonation_url_valid? user_creds["service_account_impersonation_url"]
+            raise "The provided service account impersonation url is invalid."
+          end
+
+          # TODO: check for other External Account Credential types. Currently only AWS is supported.
+          raise AWS_SUBJECT_TOKEN_INVALID unless user_creds["subject_token_type"] == AWS_SUBJECT_TOKEN_TYPE
+
+          Google::Auth::ExternalAccount::AwsCredentials.new(
+            audience: user_creds["audience"],
+            scope: scope,
+            subject_token_type: user_creds["subject_token_type"],
+            token_url: user_creds["token_url"],
+            credential_source: user_creds["credential_source"],
+            service_account_impersonation_url: user_creds["service_account_impersonation_url"]
+          )
+        end
+
+        # Reads the required fields from the JSON.
+        def self.read_json_key json_key_io
+          json_key = MultiJson.load json_key_io.read
+          wanted = [
+            "audience", "subject_token_type", "token_url", "credential_source"
+          ]
+          wanted.each do |key|
+            raise "the json is missing the #{key} field" unless json_key.key? key
+          end
+          json_key
+        end
+
+        def self.is_valid_url? url, valid_hostnames
+          begin
+            uri = URI(url)
+          rescue URI::InvalidURIError, ArgumentError
+            return false
+          end
+
+          return false unless uri.scheme == "https"
+
+          valid_hostnames.any? { |hostname| hostname =~ uri.host }
+        end
+
+        def self.is_token_url_valid? url
+          is_valid_url? url, TOKEN_URL_PATTERNS
+        end
+
+        def self.is_service_account_impersonation_url_valid? url
+          !url or is_valid_url? url, SERVICE_ACCOUNT_IMPERSONATION_URL_PATTERNS
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/helpers/connection.rb

@@ -0,0 +1,35 @@
+# Copyright 2023 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "faraday"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # Helpers provides utility methods for Google::Auth.
+    module Helpers
+      # Connection provides a Faraday connection for use with Google::Auth.
+      module Connection
+        module_function
+
+        attr_accessor :default_connection
+
+        def connection
+          @default_connection || Faraday.default_connection
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/oauth2/sts_client.rb

@@ -0,0 +1,99 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "googleauth/helpers/connection"
+
+module Google
+  module Auth
+    module OAuth2
+      # OAuth 2.0 Token Exchange Spec.
+      # This module defines a token exchange utility based on the
+      # [OAuth 2.0 Token Exchange](https://tools.ietf.org/html/rfc8693) spec. This will be mainly
+      # used to exchange external credentials for GCP access tokens in workload identity pools to
+      # access Google APIs.
+      # The implementation will support various types of client authentication as allowed in the spec.
+      #
+      # A deviation on the spec will be for additional Google specific options that cannot be easily
+      # mapped to parameters defined in the RFC.
+      # The returned dictionary response will be based on the [rfc8693 section 2.2.1]
+      # (https://tools.ietf.org/html/rfc8693#section-2.2.1) spec JSON response.
+      #
+      class STSClient
+        include Helpers::Connection
+
+        URLENCODED_HEADERS = { "Content-Type": "application/x-www-form-urlencoded" }.freeze
+
+        # Create a new instance of the STSClient.
+        #
+        # @param [String] token_exchange_endpoint
+        #  The token exchange endpoint.
+        def initialize options = {}
+          raise "Token exchange endpoint can not be nil" if options[:token_exchange_endpoint].nil?
+          self.default_connection = options[:connection]
+          @token_exchange_endpoint = options[:token_exchange_endpoint]
+        end
+
+        # Exchanges the provided token for another type of token based on the
+        # rfc8693 spec
+        #
+        # @param [Faraday instance] connection
+        # A callable faraday instance used to make HTTP requests.
+        # @param [String] grant_type
+        #   The OAuth 2.0 token exchange grant type.
+        # @param [String] subject_token
+        #   The OAuth 2.0 token exchange subject token.
+        # @param [String] subject_token_type
+        #   The OAuth 2.0 token exchange subject token type.
+        # @param [String] resource
+        #   The optional OAuth 2.0 token exchange resource field.
+        # @param [String] audience
+        #   The optional OAuth 2.0 token exchange audience field.
+        # @param [Array<String>] scopes
+        #   The optional list of scopes to use.
+        # @param [String] requested_token_type
+        #   The optional OAuth 2.0 token exchange requested token type.
+        # @param additional_headers (Hash<String,String>):
+        #   The optional additional headers to pass to the token exchange endpoint.
+        #
+        # @return [Hash] A hash containing the token exchange response.
+        def exchange_token options = {}
+          missing_required_opts = [:grant_type, :subject_token, :subject_token_type] - options.keys
+          unless missing_required_opts.empty?
+            raise ArgumentError, "Missing required options: #{missing_required_opts.join ', '}"
+          end
+
+          # TODO: Add the ability to add authentication to the headers
+          headers = URLENCODED_HEADERS.dup.merge(options[:additional_headers] || {})
+
+          request_body = {
+            grant_type: options[:grant_type],
+            audience: options[:audience],
+            scope: Array(options[:scopes])&.join(" ") || [],
+            requested_token_type: options[:requested_token_type],
+            subject_token: options[:subject_token],
+            subject_token_type: options[:subject_token_type]
+          }
+
+          response = connection.post @token_exchange_endpoint, URI.encode_www_form(request_body), headers
+
+          if response.status != 200
+            raise "Token exchange failed with status #{response.status}"
+          end
+
+          MultiJson.load response.body
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/service_account.rb

@@ -130,7 +130,7 @@ module Google
     # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
     class ServiceAccountJwtHeaderCredentials
       JWT_AUD_URI_KEY = :jwt_aud_uri
-      AUTH_METADATA_KEY = Signet::OAuth2::AUTH_METADATA_KEY
+      AUTH_METADATA_KEY = Google::Auth::BaseClient::AUTH_METADATA_KEY
       TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
       SIGNING_ALGORITHM = "RS256".freeze
       EXPIRY = 60
@@ -192,8 +192,6 @@ module Google
         proc { |a_hash, opts = {}| apply a_hash, opts }
       end
 
-      protected
-
       # Creates a jwt uri token.
       def new_jwt_token jwt_aud_uri = nil, options = {}
         now = Time.new

data/lib/googleauth/signet.rb

@@ -13,16 +13,18 @@
 # limitations under the License.
 
 require "signet/oauth_2/client"
+require "googleauth/base_client"
 
 module Signet
   # OAuth2 supports OAuth2 authentication.
   module OAuth2
-    AUTH_METADATA_KEY = :authorization
     # Signet::OAuth2::Client creates an OAuth2 client
     #
     # This reopens Client to add #apply and #apply! methods which update a
     # hash with the fetched authentication token.
     class Client
+      include Google::Auth::BaseClient
+
       def configure_connection options
         @connection_info =
           options[:connection_builder] || options[:default_connection]
@@ -34,37 +36,6 @@ module Signet
         target_audience ? :id_token : :access_token
       end
 
-      # Whether the id_token or access_token is missing or about to expire.
-      def needs_access_token?
-        send(token_type).nil? || expires_within?(60)
-      end
-
-      # Updates a_hash updated with the authentication token
-      def apply! a_hash, opts = {}
-        # fetch the access token there is currently not one, or if the client
-        # has expired
-        fetch_access_token! opts if needs_access_token?
-        a_hash[AUTH_METADATA_KEY] = "Bearer #{send token_type}"
-      end
-
-      # Returns a clone of a_hash updated with the authentication token
-      def apply a_hash, opts = {}
-        a_copy = a_hash.clone
-        apply! a_copy, opts
-        a_copy
-      end
-
-      # Returns a reference to the #apply method, suitable for passing as
-      # a closure
-      def updater_proc
-        proc { |a_hash, opts = {}| apply a_hash, opts }
-      end
-
-      def on_refresh &block
-        @refresh_listeners = [] unless defined? @refresh_listeners
-        @refresh_listeners << block
-      end
-
       alias orig_fetch_access_token! fetch_access_token!
       def fetch_access_token! options = {}
         unless options[:connection]
@@ -78,13 +49,6 @@ module Signet
         info
       end
 
-      def notify_refresh_listeners
-        listeners = defined?(@refresh_listeners) ? @refresh_listeners : []
-        listeners.each do |block|
-          block.call self
-        end
-      end
-
       def build_default_connection
         if !defined?(@connection_info)
           nil

data/lib/googleauth/version.rb

@@ -16,6 +16,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "1.3.0".freeze
+    VERSION = "1.5.0".freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.5.0
 platform: ruby
 authors:
 - Tim Emiola
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-10-18 00:00:00.000000000 Z
+date: 2023-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -134,17 +134,23 @@ files:
 - SECURITY.md
 - lib/googleauth.rb
 - lib/googleauth/application_default.rb
+- lib/googleauth/base_client.rb
 - lib/googleauth/client_id.rb
 - lib/googleauth/compute_engine.rb
 - lib/googleauth/credentials.rb
 - lib/googleauth/credentials_loader.rb
 - lib/googleauth/default_credentials.rb
+- lib/googleauth/external_account.rb
+- lib/googleauth/external_account/aws_credentials.rb
+- lib/googleauth/external_account/base_credentials.rb
+- lib/googleauth/helpers/connection.rb
 - lib/googleauth/iam.rb
 - lib/googleauth/id_tokens.rb
 - lib/googleauth/id_tokens/errors.rb
 - lib/googleauth/id_tokens/key_sources.rb
 - lib/googleauth/id_tokens/verifier.rb
 - lib/googleauth/json_key_reader.rb
+- lib/googleauth/oauth2/sts_client.rb
 - lib/googleauth/scope_util.rb
 - lib/googleauth/service_account.rb
 - lib/googleauth/signet.rb
@@ -162,7 +168,7 @@ metadata:
   changelog_uri: https://github.com/googleapis/google-auth-library-ruby/blob/main/CHANGELOG.md
   source_code_uri: https://github.com/googleapis/google-auth-library-ruby
   bug_tracker_uri: https://github.com/googleapis/google-auth-library-ruby/issues
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -177,8 +183,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.14
-signing_key: 
+rubygems_version: 3.3.26
+signing_key:
 specification_version: 4
 summary: Google Auth Library for Ruby
 test_files: []