googleauth 1.5.1 → 1.5.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: cc7032e8f5f0a060f621bd405feccbea08b70b5a8ed7a3d33676ddf1926160a7
|
|
4
|
+
data.tar.gz: 23a199f6a6333ed269c8f564a028533802450c3e7cb100debf5e7e8d940dc8b3
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8b2142a0bdeffd451c3f98c97c8414b26a63939dcd5b4430cb9299b3f1ecdf12d8cc39b8cf813531034dc63121764600c386b372ffe819fdd202c51b070acef2
|
|
7
|
+
data.tar.gz: 56e4c86362466b27ad68ec388138fb469b44e604aa60f40454f7499210f61c16e19e559ecd9358023a9de74a8f21289410f5855e128598ac1206c341c328997d
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,12 @@
|
|
|
1
1
|
# Release History
|
|
2
2
|
|
|
3
|
+
### 1.5.2 (2023-04-13)
|
|
4
|
+
|
|
5
|
+
#### Bug Fixes
|
|
6
|
+
|
|
7
|
+
* AWS IMDSV2 session token fetching shall call PUT method instead of GET ([#429](https://github.com/googleapis/google-auth-library-ruby/issues/429))
|
|
8
|
+
* GCECredentials - Allow retrieval of ID token ([#425](https://github.com/googleapis/google-auth-library-ruby/issues/425))
|
|
9
|
+
|
|
3
10
|
### 1.5.1 (2023-04-10)
|
|
4
11
|
|
|
5
12
|
#### Bug Fixes
|
|
@@ -16,16 +16,16 @@ require "time"
|
|
|
16
16
|
require "googleauth/external_account/base_credentials"
|
|
17
17
|
|
|
18
18
|
module Google
|
|
19
|
-
# Module Auth provides classes that provide Google-specific authorization
|
|
20
|
-
# used to access Google APIs.
|
|
19
|
+
# Module Auth provides classes that provide Google-specific authorization used to access Google APIs.
|
|
21
20
|
module Auth
|
|
22
|
-
# Authenticates requests using External Account credentials, such
|
|
23
|
-
# as those provided by the AWS provider.
|
|
21
|
+
# Authenticates requests using External Account credentials, such as those provided by the AWS provider.
|
|
24
22
|
module ExternalAccount
|
|
25
|
-
# This module handles the retrieval of credentials from Google Cloud
|
|
26
|
-
#
|
|
27
|
-
# credentials for a short-lived Google Cloud access token.
|
|
23
|
+
# This module handles the retrieval of credentials from Google Cloud by utilizing the AWS EC2 metadata service and
|
|
24
|
+
# then exchanging the credentials for a short-lived Google Cloud access token.
|
|
28
25
|
class AwsCredentials
|
|
26
|
+
# Constant for imdsv2 session token expiration in seconds
|
|
27
|
+
IMDSV2_TOKEN_EXPIRATION_IN_SECONDS = 300
|
|
28
|
+
|
|
29
29
|
include Google::Auth::ExternalAccount::BaseCredentials
|
|
30
30
|
extend CredentialsLoader
|
|
31
31
|
|
|
@@ -46,6 +46,8 @@ module Google
|
|
|
46
46
|
# These will be lazily loaded when needed, or will raise an error if not provided
|
|
47
47
|
@region = nil
|
|
48
48
|
@request_signer = nil
|
|
49
|
+
@imdsv2_session_token = nil
|
|
50
|
+
@imdsv2_session_token_expiry = nil
|
|
49
51
|
end
|
|
50
52
|
|
|
51
53
|
# Retrieves the subject token using the credential_source object.
|
|
@@ -54,22 +56,20 @@ module Google
|
|
|
54
56
|
#
|
|
55
57
|
# The logic is summarized as:
|
|
56
58
|
#
|
|
57
|
-
# Retrieve the AWS region from the AWS_REGION or AWS_DEFAULT_REGION
|
|
58
|
-
#
|
|
59
|
-
# if not found in the environment variable.
|
|
59
|
+
# Retrieve the AWS region from the AWS_REGION or AWS_DEFAULT_REGION environment variable or from the AWS
|
|
60
|
+
# metadata server availability-zone if not found in the environment variable.
|
|
60
61
|
#
|
|
61
|
-
# Check AWS credentials in environment variables. If not found, retrieve
|
|
62
|
-
#
|
|
62
|
+
# Check AWS credentials in environment variables. If not found, retrieve from the AWS metadata server
|
|
63
|
+
# security-credentials endpoint.
|
|
63
64
|
#
|
|
64
|
-
# When retrieving AWS credentials from the metadata server
|
|
65
|
-
#
|
|
66
|
-
#
|
|
67
|
-
# credentials can be retrieved via: security-credentials/role_name
|
|
65
|
+
# When retrieving AWS credentials from the metadata server security-credentials endpoint, the AWS role needs to
|
|
66
|
+
# be determined by # calling the security-credentials endpoint without any argument.
|
|
67
|
+
# Then the credentials can be retrieved via: security-credentials/role_name
|
|
68
68
|
#
|
|
69
69
|
# Generate the signed request to AWS STS GetCallerIdentity action.
|
|
70
70
|
#
|
|
71
|
-
# Inject x-goog-cloud-target-resource into header and serialize the
|
|
72
|
-
#
|
|
71
|
+
# Inject x-goog-cloud-target-resource into header and serialize the signed request.
|
|
72
|
+
# This will be the subject-token to pass to GCP STS.
|
|
73
73
|
#
|
|
74
74
|
# @return [string] The retrieved subject token.
|
|
75
75
|
#
|
|
@@ -104,16 +104,30 @@ module Google
|
|
|
104
104
|
|
|
105
105
|
private
|
|
106
106
|
|
|
107
|
-
def
|
|
107
|
+
def imdsv2_session_token
|
|
108
|
+
return @imdsv2_session_token unless imdsv2_session_token_invalid?
|
|
109
|
+
raise "IMDSV2 token url must be provided" if @imdsv2_session_token_url.nil?
|
|
108
110
|
begin
|
|
109
|
-
|
|
110
|
-
headers["x-aws-ec2-metadata-token"] =
|
|
111
|
-
@imdsv2_session_token_url,
|
|
112
|
-
"Session Token",
|
|
113
|
-
headers: { "x-aws-ec2-metadata-token-ttl-seconds": "300" }
|
|
114
|
-
).body
|
|
111
|
+
response = connection.put @imdsv2_session_token_url do |req|
|
|
112
|
+
req.headers["x-aws-ec2-metadata-token-ttl-seconds"] = IMDSV2_TOKEN_EXPIRATION_IN_SECONDS.to_s
|
|
115
113
|
end
|
|
114
|
+
rescue Faraday::Error => e
|
|
115
|
+
raise "Fetching AWS IMDSV2 token error: #{e}"
|
|
116
|
+
end
|
|
117
|
+
raise Faraday::Error unless response.success?
|
|
118
|
+
@imdsv2_session_token = response.body
|
|
119
|
+
@imdsv2_session_token_expiry = Time.now + IMDSV2_TOKEN_EXPIRATION_IN_SECONDS
|
|
120
|
+
@imdsv2_session_token
|
|
121
|
+
end
|
|
116
122
|
|
|
123
|
+
def imdsv2_session_token_invalid?
|
|
124
|
+
return true if @imdsv2_session_token.nil?
|
|
125
|
+
@imdsv2_session_token_expiry.nil? || @imdsv2_session_token_expiry < Time.now
|
|
126
|
+
end
|
|
127
|
+
|
|
128
|
+
def get_aws_resource url, name, data: nil, headers: {}
|
|
129
|
+
begin
|
|
130
|
+
headers["x-aws-ec2-metadata-token"] = imdsv2_session_token
|
|
117
131
|
response = if data
|
|
118
132
|
headers["Content-Type"] = "application/json"
|
|
119
133
|
connection.post url, data, headers
|
|
@@ -136,9 +150,8 @@ module Google
|
|
|
136
150
|
end
|
|
137
151
|
end
|
|
138
152
|
|
|
139
|
-
# Retrieves the AWS security credentials required for signing AWS
|
|
140
|
-
#
|
|
141
|
-
# or from the AWS metadata server.
|
|
153
|
+
# Retrieves the AWS security credentials required for signing AWS requests from either the AWS security
|
|
154
|
+
# credentials environment variables or from the AWS metadata server.
|
|
142
155
|
def fetch_security_credentials
|
|
143
156
|
env_aws_access_key_id = ENV[CredentialsLoader::AWS_ACCESS_KEY_ID_VAR]
|
|
144
157
|
env_aws_secret_access_key = ENV[CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR]
|
|
@@ -163,10 +176,9 @@ module Google
|
|
|
163
176
|
}
|
|
164
177
|
end
|
|
165
178
|
|
|
166
|
-
# Retrieves the AWS role currently attached to the current AWS
|
|
167
|
-
#
|
|
168
|
-
#
|
|
169
|
-
# the AWS security credentials needed to sign requests to AWS APIs.
|
|
179
|
+
# Retrieves the AWS role currently attached to the current AWS workload by querying the AWS metadata server.
|
|
180
|
+
# This is needed for the AWS metadata server security credentials endpoint in order to retrieve the AWS security
|
|
181
|
+
# credentials needed to sign requests to AWS APIs.
|
|
170
182
|
def fetch_metadata_role_name
|
|
171
183
|
unless @credential_verification_url
|
|
172
184
|
raise "Unable to determine the AWS metadata server security credentials endpoint"
|
|
@@ -175,8 +187,7 @@ module Google
|
|
|
175
187
|
get_aws_resource(@credential_verification_url, "IAM Role").body
|
|
176
188
|
end
|
|
177
189
|
|
|
178
|
-
# Retrieves the AWS security credentials required for signing AWS
|
|
179
|
-
# requests from the AWS metadata server.
|
|
190
|
+
# Retrieves the AWS security credentials required for signing AWS requests from the AWS metadata server.
|
|
180
191
|
def fetch_metadata_security_credentials role_name
|
|
181
192
|
response = get_aws_resource "#{@credential_verification_url}/#{role_name}", "credentials"
|
|
182
193
|
MultiJson.load response.body
|
|
@@ -198,8 +209,8 @@ module Google
|
|
|
198
209
|
# Implements an AWS request signer based on the AWS Signature Version 4 signing process.
|
|
199
210
|
# https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
|
|
200
211
|
class AwsRequestSigner
|
|
201
|
-
# Instantiates an AWS request signer used to compute authenticated signed
|
|
202
|
-
#
|
|
212
|
+
# Instantiates an AWS request signer used to compute authenticated signed requests to AWS APIs based on the AWS
|
|
213
|
+
# Signature Version 4 signing process.
|
|
203
214
|
#
|
|
204
215
|
# @param [string] region_name
|
|
205
216
|
# The AWS region to use.
|
data/lib/googleauth/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: googleauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.5.
|
|
4
|
+
version: 1.5.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tim Emiola
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-04-
|
|
11
|
+
date: 2023-04-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: faraday
|