googleauth 1.5.1 → 1.5.2
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: cc7032e8f5f0a060f621bd405feccbea08b70b5a8ed7a3d33676ddf1926160a7
|
|
4
|
+
data.tar.gz: 23a199f6a6333ed269c8f564a028533802450c3e7cb100debf5e7e8d940dc8b3
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8b2142a0bdeffd451c3f98c97c8414b26a63939dcd5b4430cb9299b3f1ecdf12d8cc39b8cf813531034dc63121764600c386b372ffe819fdd202c51b070acef2
|
|
7
|
+
data.tar.gz: 56e4c86362466b27ad68ec388138fb469b44e604aa60f40454f7499210f61c16e19e559ecd9358023a9de74a8f21289410f5855e128598ac1206c341c328997d
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,12 @@
|
|
|
1
1
|
# Release History
|
|
2
2
|
|
|
3
|
+
### 1.5.2 (2023-04-13)
|
|
4
|
+
|
|
5
|
+
#### Bug Fixes
|
|
6
|
+
|
|
7
|
+
* AWS IMDSV2 session token fetching shall call PUT method instead of GET ([#429](https://github.com/googleapis/google-auth-library-ruby/issues/429))
|
|
8
|
+
* GCECredentials - Allow retrieval of ID token ([#425](https://github.com/googleapis/google-auth-library-ruby/issues/425))
|
|
9
|
+
|
|
3
10
|
### 1.5.1 (2023-04-10)
|
|
4
11
|
|
|
5
12
|
#### Bug Fixes
|
|
@@ -16,16 +16,16 @@ require "time"
|
|
|
16
16
|
require "googleauth/external_account/base_credentials"
|
|
17
17
|
|
|
18
18
|
module Google
|
|
19
|
-
# Module Auth provides classes that provide Google-specific authorization
|
|
20
|
-
# used to access Google APIs.
|
|
19
|
+
# Module Auth provides classes that provide Google-specific authorization used to access Google APIs.
|
|
21
20
|
module Auth
|
|
22
|
-
# Authenticates requests using External Account credentials, such
|
|
23
|
-
# as those provided by the AWS provider.
|
|
21
|
+
# Authenticates requests using External Account credentials, such as those provided by the AWS provider.
|
|
24
22
|
module ExternalAccount
|
|
25
|
-
# This module handles the retrieval of credentials from Google Cloud
|
|
26
|
-
#
|
|
27
|
-
# credentials for a short-lived Google Cloud access token.
|
|
23
|
+
# This module handles the retrieval of credentials from Google Cloud by utilizing the AWS EC2 metadata service and
|
|
24
|
+
# then exchanging the credentials for a short-lived Google Cloud access token.
|
|
28
25
|
class AwsCredentials
|
|
26
|
+
# Constant for imdsv2 session token expiration in seconds
|
|
27
|
+
IMDSV2_TOKEN_EXPIRATION_IN_SECONDS = 300
|
|
28
|
+
|
|
29
29
|
include Google::Auth::ExternalAccount::BaseCredentials
|
|
30
30
|
extend CredentialsLoader
|
|
31
31
|
|
|
@@ -46,6 +46,8 @@ module Google
|
|
|
46
46
|
# These will be lazily loaded when needed, or will raise an error if not provided
|
|
47
47
|
@region = nil
|
|
48
48
|
@request_signer = nil
|
|
49
|
+
@imdsv2_session_token = nil
|
|
50
|
+
@imdsv2_session_token_expiry = nil
|
|
49
51
|
end
|
|
50
52
|
|
|
51
53
|
# Retrieves the subject token using the credential_source object.
|
|
@@ -54,22 +56,20 @@ module Google
|
|
|
54
56
|
#
|
|
55
57
|
# The logic is summarized as:
|
|
56
58
|
#
|
|
57
|
-
# Retrieve the AWS region from the AWS_REGION or AWS_DEFAULT_REGION
|
|
58
|
-
#
|
|
59
|
-
# if not found in the environment variable.
|
|
59
|
+
# Retrieve the AWS region from the AWS_REGION or AWS_DEFAULT_REGION environment variable or from the AWS
|
|
60
|
+
# metadata server availability-zone if not found in the environment variable.
|
|
60
61
|
#
|
|
61
|
-
# Check AWS credentials in environment variables. If not found, retrieve
|
|
62
|
-
#
|
|
62
|
+
# Check AWS credentials in environment variables. If not found, retrieve from the AWS metadata server
|
|
63
|
+
# security-credentials endpoint.
|
|
63
64
|
#
|
|
64
|
-
# When retrieving AWS credentials from the metadata server
|
|
65
|
-
#
|
|
66
|
-
#
|
|
67
|
-
# credentials can be retrieved via: security-credentials/role_name
|
|
65
|
+
# When retrieving AWS credentials from the metadata server security-credentials endpoint, the AWS role needs to
|
|
66
|
+
# be determined by # calling the security-credentials endpoint without any argument.
|
|
67
|
+
# Then the credentials can be retrieved via: security-credentials/role_name
|
|
68
68
|
#
|
|
69
69
|
# Generate the signed request to AWS STS GetCallerIdentity action.
|
|
70
70
|
#
|
|
71
|
-
# Inject x-goog-cloud-target-resource into header and serialize the
|
|
72
|
-
#
|
|
71
|
+
# Inject x-goog-cloud-target-resource into header and serialize the signed request.
|
|
72
|
+
# This will be the subject-token to pass to GCP STS.
|
|
73
73
|
#
|
|
74
74
|
# @return [string] The retrieved subject token.
|
|
75
75
|
#
|
|
@@ -104,16 +104,30 @@ module Google
|
|
|
104
104
|
|
|
105
105
|
private
|
|
106
106
|
|
|
107
|
-
def
|
|
107
|
+
def imdsv2_session_token
|
|
108
|
+
return @imdsv2_session_token unless imdsv2_session_token_invalid?
|
|
109
|
+
raise "IMDSV2 token url must be provided" if @imdsv2_session_token_url.nil?
|
|
108
110
|
begin
|
|
109
|
-
|
|
110
|
-
headers["x-aws-ec2-metadata-token"] =
|
|
111
|
-
@imdsv2_session_token_url,
|
|
112
|
-
"Session Token",
|
|
113
|
-
headers: { "x-aws-ec2-metadata-token-ttl-seconds": "300" }
|
|
114
|
-
).body
|
|
111
|
+
response = connection.put @imdsv2_session_token_url do |req|
|
|
112
|
+
req.headers["x-aws-ec2-metadata-token-ttl-seconds"] = IMDSV2_TOKEN_EXPIRATION_IN_SECONDS.to_s
|
|
115
113
|
end
|
|
114
|
+
rescue Faraday::Error => e
|
|
115
|
+
raise "Fetching AWS IMDSV2 token error: #{e}"
|
|
116
|
+
end
|
|
117
|
+
raise Faraday::Error unless response.success?
|
|
118
|
+
@imdsv2_session_token = response.body
|
|
119
|
+
@imdsv2_session_token_expiry = Time.now + IMDSV2_TOKEN_EXPIRATION_IN_SECONDS
|
|
120
|
+
@imdsv2_session_token
|
|
121
|
+
end
|
|
116
122
|
|
|
123
|
+
def imdsv2_session_token_invalid?
|
|
124
|
+
return true if @imdsv2_session_token.nil?
|
|
125
|
+
@imdsv2_session_token_expiry.nil? || @imdsv2_session_token_expiry < Time.now
|
|
126
|
+
end
|
|
127
|
+
|
|
128
|
+
def get_aws_resource url, name, data: nil, headers: {}
|
|
129
|
+
begin
|
|
130
|
+
headers["x-aws-ec2-metadata-token"] = imdsv2_session_token
|
|
117
131
|
response = if data
|
|
118
132
|
headers["Content-Type"] = "application/json"
|
|
119
133
|
connection.post url, data, headers
|
|
@@ -136,9 +150,8 @@ module Google
|
|
|
136
150
|
end
|
|
137
151
|
end
|
|
138
152
|
|
|
139
|
-
# Retrieves the AWS security credentials required for signing AWS
|
|
140
|
-
#
|
|
141
|
-
# or from the AWS metadata server.
|
|
153
|
+
# Retrieves the AWS security credentials required for signing AWS requests from either the AWS security
|
|
154
|
+
# credentials environment variables or from the AWS metadata server.
|
|
142
155
|
def fetch_security_credentials
|
|
143
156
|
env_aws_access_key_id = ENV[CredentialsLoader::AWS_ACCESS_KEY_ID_VAR]
|
|
144
157
|
env_aws_secret_access_key = ENV[CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR]
|
|
@@ -163,10 +176,9 @@ module Google
|
|
|
163
176
|
}
|
|
164
177
|
end
|
|
165
178
|
|
|
166
|
-
# Retrieves the AWS role currently attached to the current AWS
|
|
167
|
-
#
|
|
168
|
-
#
|
|
169
|
-
# the AWS security credentials needed to sign requests to AWS APIs.
|
|
179
|
+
# Retrieves the AWS role currently attached to the current AWS workload by querying the AWS metadata server.
|
|
180
|
+
# This is needed for the AWS metadata server security credentials endpoint in order to retrieve the AWS security
|
|
181
|
+
# credentials needed to sign requests to AWS APIs.
|
|
170
182
|
def fetch_metadata_role_name
|
|
171
183
|
unless @credential_verification_url
|
|
172
184
|
raise "Unable to determine the AWS metadata server security credentials endpoint"
|
|
@@ -175,8 +187,7 @@ module Google
|
|
|
175
187
|
get_aws_resource(@credential_verification_url, "IAM Role").body
|
|
176
188
|
end
|
|
177
189
|
|
|
178
|
-
# Retrieves the AWS security credentials required for signing AWS
|
|
179
|
-
# requests from the AWS metadata server.
|
|
190
|
+
# Retrieves the AWS security credentials required for signing AWS requests from the AWS metadata server.
|
|
180
191
|
def fetch_metadata_security_credentials role_name
|
|
181
192
|
response = get_aws_resource "#{@credential_verification_url}/#{role_name}", "credentials"
|
|
182
193
|
MultiJson.load response.body
|
|
@@ -198,8 +209,8 @@ module Google
|
|
|
198
209
|
# Implements an AWS request signer based on the AWS Signature Version 4 signing process.
|
|
199
210
|
# https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
|
|
200
211
|
class AwsRequestSigner
|
|
201
|
-
# Instantiates an AWS request signer used to compute authenticated signed
|
|
202
|
-
#
|
|
212
|
+
# Instantiates an AWS request signer used to compute authenticated signed requests to AWS APIs based on the AWS
|
|
213
|
+
# Signature Version 4 signing process.
|
|
203
214
|
#
|
|
204
215
|
# @param [string] region_name
|
|
205
216
|
# The AWS region to use.
|
data/lib/googleauth/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: googleauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.5.
|
|
4
|
+
version: 1.5.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tim Emiola
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-04-
|
|
11
|
+
date: 2023-04-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: faraday
|