googleauth 1.5.2 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cc7032e8f5f0a060f621bd405feccbea08b70b5a8ed7a3d33676ddf1926160a7
-  data.tar.gz: 23a199f6a6333ed269c8f564a028533802450c3e7cb100debf5e7e8d940dc8b3
+  metadata.gz: 146d1c41b29049fb35b0cc5c4934a811eb547f3d3000a95e3fbd8a24fc2b86bb
+  data.tar.gz: cb613b51160da7a51c545728ce03dac8977fee8f1806b72eca97997d28645450
 SHA512:
-  metadata.gz: 8b2142a0bdeffd451c3f98c97c8414b26a63939dcd5b4430cb9299b3f1ecdf12d8cc39b8cf813531034dc63121764600c386b372ffe819fdd202c51b070acef2
-  data.tar.gz: 56e4c86362466b27ad68ec388138fb469b44e604aa60f40454f7499210f61c16e19e559ecd9358023a9de74a8f21289410f5855e128598ac1206c341c328997d
+  metadata.gz: 39289ca31ac785dffbb151a71c6b8337d442db75e3d2d3fcfa94a4c5656076c5965c3beb09e55cc80996c189af170f9208dbb84df6adbb9b385ede36850ea6aa
+  data.tar.gz: 442083ee198a5ae04f8924f2360b1512eff862d12f66327d22195dbd75c5475b8d912701d7e41ab21b7c6ceae8f196b229b1f376cf69cb36846f5787f52eeb37

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Release History
 
+### 1.6.0 (2023-06-20)
+
+#### Features
+
+* adding identity pool credentials ([#433](https://github.com/googleapis/google-auth-library-ruby/issues/433)) 
+#### Documentation
+
+* deprecation message for discontinuing command line auth flow ([#435](https://github.com/googleapis/google-auth-library-ruby/issues/435)) 
+
 ### 1.5.2 (2023-04-13)
 
 #### Bug Fixes

data/README.md

@@ -97,7 +97,9 @@ get('/oauth2callback') do
 end
 ```
 
-### Example (Command Line)
+### Example (Command Line) [Deprecated]
+
+The Google Auth OOB flow has been discontiued on January 31, 2023. The OOB flow is a legacy flow that is no longer considered secure. To continue using Google Auth, please migrate your applications to a more secure flow. For more information on how to do this, please refer to this [OOB Migration](https://developers.google.com/identity/protocols/oauth2/resources/oob-migration) guide.
 
 ```ruby
 require 'googleauth'

data/lib/googleauth/external_account/aws_credentials.rb

@@ -14,6 +14,7 @@
 
 require "time"
 require "googleauth/external_account/base_credentials"
+require "googleauth/external_account/external_account_utils"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization used to access Google APIs.
@@ -27,6 +28,7 @@ module Google
         IMDSV2_TOKEN_EXPIRATION_IN_SECONDS = 300
 
         include Google::Auth::ExternalAccount::BaseCredentials
+        include Google::Auth::ExternalAccount::ExternalAccountUtils
         extend CredentialsLoader
 
         # Will always be nil, but method still gets used.
@@ -37,11 +39,11 @@ module Google
 
           @audience = options[:audience]
           @credential_source = options[:credential_source] || {}
-          @environment_id = @credential_source["environment_id"]
-          @region_url = @credential_source["region_url"]
-          @credential_verification_url = @credential_source["url"]
-          @regional_cred_verification_url = @credential_source["regional_cred_verification_url"]
-          @imdsv2_session_token_url = @credential_source["imdsv2_session_token_url"]
+          @environment_id = @credential_source[:environment_id]
+          @region_url = @credential_source[:region_url]
+          @credential_verification_url = @credential_source[:url]
+          @regional_cred_verification_url = @credential_source[:regional_cred_verification_url]
+          @imdsv2_session_token_url = @credential_source[:imdsv2_session_token_url]
 
           # These will be lazily loaded when needed, or will raise an error if not provided
           @region = nil

data/lib/googleauth/external_account/base_credentials.rb

@@ -20,15 +20,13 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    # Authenticates requests using External Account credentials, such
-    # as those provided by the AWS provider.
     module ExternalAccount
       # Authenticates requests using External Account credentials, such
-      # as those provided by the AWS provider.
+      # as those provided by the AWS provider or OIDC provider like Azure, etc.
       module BaseCredentials
         # Contains all methods needed for all external account credentials.
         # Other credentials should call `base_setup` during initialization
-        # And should define the :retrieve_subject_token method
+        # And should define the :retrieve_subject_token! method
 
         # External account JSON type identifier.
         EXTERNAL_ACCOUNT_JSON_TYPE = "external_account".freeze
@@ -36,8 +34,6 @@ module Google
         STS_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange".freeze
         # The token exchange requested_token_type. This is always an access_token.
         STS_REQUESTED_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token".freeze
-        # Cloud resource manager URL used to retrieve project information.
-        CLOUD_RESOURCE_MANAGER = "https://cloudresourcemanager.googleapis.com/v1/projects/".freeze
         # Default IAM_SCOPE
         IAM_SCOPE = ["https://www.googleapis.com/auth/iam".freeze].freeze
 
@@ -74,52 +70,23 @@ module Google
           notify_refresh_listeners
         end
 
-        ##
-        # Retrieves the project ID corresponding to the workload identity or workforce pool.
-        # For workforce pool credentials, it returns the project ID corresponding to the workforce_pool_user_project.
-        # When not determinable, None is returned.
+        # Retrieves the subject token using the credential_source object.
+        # @return [string]
+        #     The retrieved subject token.
         #
-        # The resource may not have permission (resourcemanager.projects.get) to
-        # call this API or the required scopes may not be selected:
-        # https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes
-        #
-        # @return [string,nil]
-        #     The project ID corresponding to the workload identity pool or workforce pool if determinable.
-        #
-        def project_id
-          return @project_id unless @project_id.nil?
-          project_number = self.project_number || @workforce_pool_user_project
-
-          # if we missing either project number or scope, we won't retrieve project_id
-          return nil if project_number.nil? || @scope.nil?
-
-          url = "#{CLOUD_RESOURCE_MANAGER}#{project_number}"
-
-          response = connection.get url do |req|
-            req.headers["Authorization"] = "Bearer #{@access_token}"
-            req.headers["Content-Type"] = "application/json"
-          end
-
-          if response.status == 200
-            response_data = MultiJson.load response.body, symbolize_names: true
-            @project_id = response_data[:projectId]
-          end
-
-          @project_id
+        def retrieve_subject_token!
+          raise NotImplementedError
         end
 
-        ##
-        # Retrieve the project number corresponding to workload identity pool
-        # STS audience pattern:
-        #     `//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/...`
-        #
-        # @return [string, nil]
+        # Returns whether the credentials represent a workforce pool (True) or
+        # workload (False) based on the credentials' audience.
         #
-        def project_number
-          segments = @audience.split "/"
-          idx = segments.index "projects"
-          return nil if idx.nil? || idx + 1 == segments.size
-          segments[idx + 1]
+        # @return [bool]
+        #     true if the credentials represent a workforce pool.
+        #     false if they represent a workload.
+        def is_workforce_pool?
+          pattern = "//iam\.googleapis\.com/locations/[^/]+/workforcePools/"
+          /#{pattern}/.match?(@audience || "")
         end
 
         private
@@ -136,13 +103,14 @@ module Google
           @scope = options[:scope] || IAM_SCOPE
           @subject_token_type = options[:subject_token_type]
           @token_url = options[:token_url]
+          @token_info_url = options[:token_info_url]
           @service_account_impersonation_url = options[:service_account_impersonation_url]
           @service_account_impersonation_options = options[:service_account_impersonation_options] || {}
           @client_id = options[:client_id]
           @client_secret = options[:client_secret]
           @quota_project_id = options[:quota_project_id]
           @project_id = nil
-          @workforce_pool_user_project = [:workforce_pool_user_project]
+          @workforce_pool_user_project = options[:workforce_pool_user_project]
 
           @expires_at = nil
           @access_token = nil
@@ -151,29 +119,23 @@ module Google
             token_exchange_endpoint: @token_url,
             connection: default_connection
           )
-        end
-
-        def normalize_timestamp time
-          case time
-          when NilClass
-            nil
-          when Time
-            time
-          when String
-            Time.parse time
-          else
-            raise "Invalid time value #{time}"
-          end
+          return unless @workforce_pool_user_project && !is_workforce_pool?
+          raise "workforce_pool_user_project should not be set for non-workforce pool credentials."
         end
 
         def exchange_token
+          additional_options = nil
+          if @client_id.nil? && @workforce_pool_user_project
+            additional_options = { userProject: @workforce_pool_user_project }
+          end
           @sts_client.exchange_token(
             audience: @audience,
             grant_type: STS_GRANT_TYPE,
             subject_token: retrieve_subject_token!,
             subject_token_type: @subject_token_type,
             scopes: @service_account_impersonation_url ? IAM_SCOPE : @scope,
-            requested_token_type: STS_REQUESTED_TOKEN_TYPE
+            requested_token_type: STS_REQUESTED_TOKEN_TYPE,
+            additional_options: additional_options
           )
         end
 
@@ -190,10 +152,6 @@ module Google
 
           MultiJson.load response.body
         end
-
-        def retrieve_subject_token!
-          raise NotImplementedError
-        end
       end
     end
   end

data/lib/googleauth/external_account/external_account_utils.rb

@@ -0,0 +1,92 @@
+# Copyright 2023 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.require "time"
+
+require "googleauth/base_client"
+require "googleauth/helpers/connection"
+require "googleauth/oauth2/sts_client"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    module ExternalAccount
+      # Authenticates requests using External Account credentials, such
+      # as those provided by the AWS provider or OIDC provider like Azure, etc.
+      module ExternalAccountUtils
+        # Cloud resource manager URL used to retrieve project information.
+        CLOUD_RESOURCE_MANAGER = "https://cloudresourcemanager.googleapis.com/v1/projects/".freeze
+
+        ##
+        # Retrieves the project ID corresponding to the workload identity or workforce pool.
+        # For workforce pool credentials, it returns the project ID corresponding to the workforce_pool_user_project.
+        # When not determinable, None is returned.
+        #
+        # The resource may not have permission (resourcemanager.projects.get) to
+        # call this API or the required scopes may not be selected:
+        # https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes
+        #
+        # @return [string,nil]
+        #     The project ID corresponding to the workload identity pool or workforce pool if determinable.
+        #
+        def project_id
+          return @project_id unless @project_id.nil?
+          project_number = self.project_number || @workforce_pool_user_project
+
+          # if we missing either project number or scope, we won't retrieve project_id
+          return nil if project_number.nil? || @scope.nil?
+
+          url = "#{CLOUD_RESOURCE_MANAGER}#{project_number}"
+          response = connection.get url do |req|
+            req.headers["Authorization"] = "Bearer #{@access_token}"
+            req.headers["Content-Type"] = "application/json"
+          end
+
+          if response.status == 200
+            response_data = MultiJson.load response.body, symbolize_names: true
+            @project_id = response_data[:projectId]
+          end
+
+          @project_id
+        end
+
+        ##
+        # Retrieve the project number corresponding to workload identity pool
+        # STS audience pattern:
+        #     `//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/...`
+        #
+        # @return [string, nil]
+        #
+        def project_number
+          segments = @audience.split "/"
+          idx = segments.index "projects"
+          return nil if idx.nil? || idx + 1 == segments.size
+          segments[idx + 1]
+        end
+
+        def normalize_timestamp time
+          case time
+          when NilClass
+            nil
+          when Time
+            time
+          when String
+            Time.parse time
+          else
+            raise "Invalid time value #{time}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/external_account/identity_pool_credentials.rb

@@ -0,0 +1,118 @@
+# Copyright 2023 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "time"
+require "googleauth/external_account/base_credentials"
+require "googleauth/external_account/external_account_utils"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization used to access Google APIs.
+  module Auth
+    module ExternalAccount
+      # This module handles the retrieval of credentials from Google Cloud by utilizing the any 3PI
+      # provider then exchanging the credentials for a short-lived Google Cloud access token.
+      class IdentityPoolCredentials
+        include Google::Auth::ExternalAccount::BaseCredentials
+        include Google::Auth::ExternalAccount::ExternalAccountUtils
+        extend CredentialsLoader
+
+        # Will always be nil, but method still gets used.
+        attr_reader :client_id
+
+        # Initialize from options map.
+        #
+        # @param [string] audience
+        # @param [hash{symbol => value}] credential_source
+        #     credential_source is a hash that contains either source file or url.
+        #     credential_source_format is either text or json. To define how we parse the credential response.
+        #
+        def initialize options = {}
+          base_setup options
+
+          @audience = options[:audience]
+          @credential_source = options[:credential_source] || {}
+          @credential_source_file = @credential_source[:file]
+          @credential_source_url = @credential_source[:url]
+          @credential_source_headers = @credential_source[:headers] || {}
+          @credential_source_format = @credential_source[:format] || {}
+          @credential_source_format_type = @credential_source_format[:type] || "text"
+          validate_credential_source
+        end
+
+        # Implementation of BaseCredentials retrieve_subject_token!
+        def retrieve_subject_token!
+          content, resource_name = token_data
+          if @credential_source_format_type == "text"
+            token = content
+          else
+            begin
+              response_data = MultiJson.load content, symbolize_keys: true
+              token = response_data[@credential_source_field_name.to_sym]
+            rescue StandardError
+              raise "Unable to parse subject_token from JSON resource #{resource_name} " \
+                    "using key #{@credential_source_field_name}"
+            end
+          end
+          raise "Missing subject_token in the credential_source file/response." unless token
+          token
+        end
+
+        private
+
+        def validate_credential_source
+          # `environment_id` is only supported in AWS or dedicated future external account credentials.
+          unless @credential_source[:environment_id].nil?
+            raise "Invalid Identity Pool credential_source field 'environment_id'"
+          end
+          unless ["json", "text"].include? @credential_source_format_type
+            raise "Invalid credential_source format #{@credential_source_format_type}"
+          end
+          # for JSON types, get the required subject_token field name.
+          @credential_source_field_name = @credential_source_format[:subject_token_field_name]
+          if @credential_source_format_type == "json" && @credential_source_field_name.nil?
+            raise "Missing subject_token_field_name for JSON credential_source format"
+          end
+          # check file or url must be fulfilled and mutually exclusiveness.
+          if @credential_source_file && @credential_source_url
+            raise "Ambiguous credential_source. 'file' is mutually exclusive with 'url'."
+          end
+          return unless (@credential_source_file || @credential_source_url).nil?
+          raise "Missing credential_source. A 'file' or 'url' must be provided."
+        end
+
+        def token_data
+          @credential_source_file.nil? ? url_data : file_data
+        end
+
+        def file_data
+          raise "File #{@credential_source_file} was not found." unless File.exist? @credential_source_file
+          content = File.read @credential_source_file, encoding: "utf-8"
+          [content, @credential_source_file]
+        end
+
+        def url_data
+          begin
+            response = connection.get @credential_source_url do |req|
+              req.headers.merge! @credential_source_headers
+            end
+          rescue Faraday::Error => e
+            raise "Error retrieving from credential url: #{e}"
+          end
+          raise "Unable to retrieve Identity Pool subject token #{response.body}" unless response.success?
+          [response.body, @credential_source_url]
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/external_account.rb

@@ -16,6 +16,7 @@ require "time"
 require "uri"
 require "googleauth/credentials_loader"
 require "googleauth/external_account/aws_credentials"
+require "googleauth/external_account/identity_pool_credentials"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -28,7 +29,8 @@ module Google
       class Credentials
         # The subject token type used for AWS external_account credentials.
         AWS_SUBJECT_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request".freeze
-        AWS_SUBJECT_TOKEN_INVALID = "aws is the only currently supported external account type".freeze
+        MISSING_CREDENTIAL_SOURCE = "missing credential source for external account".freeze
+        INVALID_EXTERNAL_ACCOUNT_TYPE = "credential source is not supported external account type".freeze
 
         # Create a ExternalAccount::Credentials
         #
@@ -40,30 +42,47 @@ module Google
           raise "A json file is required for external account credentials." unless json_key_io
           user_creds = read_json_key json_key_io
 
-          # TODO: check for other External Account Credential types. Currently only AWS is supported.
-          raise AWS_SUBJECT_TOKEN_INVALID unless user_creds["subject_token_type"] == AWS_SUBJECT_TOKEN_TYPE
+          # AWS credentials is determined by aws subject token type
+          return make_aws_credentials user_creds, scope if user_creds[:subject_token_type] == AWS_SUBJECT_TOKEN_TYPE
 
-          Google::Auth::ExternalAccount::AwsCredentials.new(
-            audience: user_creds["audience"],
-            scope: scope,
-            subject_token_type: user_creds["subject_token_type"],
-            token_url: user_creds["token_url"],
-            credential_source: user_creds["credential_source"],
-            service_account_impersonation_url: user_creds["service_account_impersonation_url"]
-          )
+          raise MISSING_CREDENTIAL_SOURCE if user_creds[:credential_source].nil?
+          user_creds[:scope] = scope
+          make_external_account_credentials user_creds
         end
 
         # Reads the required fields from the JSON.
         def self.read_json_key json_key_io
-          json_key = MultiJson.load json_key_io.read
+          json_key = MultiJson.load json_key_io.read, symbolize_keys: true
           wanted = [
-            "audience", "subject_token_type", "token_url", "credential_source"
+            :audience, :subject_token_type, :token_url, :credential_source
           ]
           wanted.each do |key|
             raise "the json is missing the #{key} field" unless json_key.key? key
           end
           json_key
         end
+
+        class << self
+          private
+
+          def make_aws_credentials user_creds, scope
+            Google::Auth::ExternalAccount::AwsCredentials.new(
+              audience: user_creds[:audience],
+              scope: scope,
+              subject_token_type: user_creds[:subject_token_type],
+              token_url: user_creds[:token_url],
+              credential_source: user_creds[:credential_source],
+              service_account_impersonation_url: user_creds[:service_account_impersonation_url]
+            )
+          end
+
+          def make_external_account_credentials user_creds
+            unless user_creds[:credential_source][:file].nil? && user_creds[:credential_source][:url].nil?
+              return Google::Auth::ExternalAccount::IdentityPoolCredentials.new user_creds
+            end
+            raise INVALID_EXTERNAL_ACCOUNT_TYPE
+          end
+        end
       end
     end
   end

data/lib/googleauth/oauth2/sts_client.rb

@@ -76,6 +76,20 @@ module Google
           # TODO: Add the ability to add authentication to the headers
           headers = URLENCODED_HEADERS.dup.merge(options[:additional_headers] || {})
 
+          request_body = make_request options
+
+          response = connection.post @token_exchange_endpoint, URI.encode_www_form(request_body), headers
+
+          if response.status != 200
+            raise "Token exchange failed with status #{response.status}"
+          end
+
+          MultiJson.load response.body
+        end
+
+        private
+
+        def make_request options = {}
           request_body = {
             grant_type: options[:grant_type],
             audience: options[:audience],
@@ -84,14 +98,10 @@ module Google
             subject_token: options[:subject_token],
             subject_token_type: options[:subject_token_type]
           }
-
-          response = connection.post @token_exchange_endpoint, URI.encode_www_form(request_body), headers
-
-          if response.status != 200
-            raise "Token exchange failed with status #{response.status}"
+          unless options[:additional_options].nil?
+            request_body[:options] = CGI.escape MultiJson.dump(options[:additional_options], symbolize_name: true)
           end
-
-          MultiJson.load response.body
+          request_body
         end
       end
     end

data/lib/googleauth/version.rb

@@ -16,6 +16,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "1.5.2".freeze
+    VERSION = "1.6.0".freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth
 version: !ruby/object:Gem::Version
-  version: 1.5.2
+  version: 1.6.0
 platform: ruby
 authors:
 - Tim Emiola
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-04-14 00:00:00.000000000 Z
+date: 2023-06-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -143,6 +143,8 @@ files:
 - lib/googleauth/external_account.rb
 - lib/googleauth/external_account/aws_credentials.rb
 - lib/googleauth/external_account/base_credentials.rb
+- lib/googleauth/external_account/external_account_utils.rb
+- lib/googleauth/external_account/identity_pool_credentials.rb
 - lib/googleauth/helpers/connection.rb
 - lib/googleauth/iam.rb
 - lib/googleauth/id_tokens.rb