jomz-google-api-client 0.7.1

data/lib/google/api_client/auth/compute_service_account.rb

@@ -0,0 +1,28 @@
+# Copyright 2013 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'faraday'
+require 'signet/oauth_2/client'
+
+module Google
+  class APIClient
+    class ComputeServiceAccount < Signet::OAuth2::Client
+      def fetch_access_token(options={})
+        connection = options[:connection] || Faraday.default_connection
+        response = connection.get 'http://metadata/computeMetadata/v1beta1/instance/service-accounts/default/token'
+        Signet::OAuth2.parse_json_credentials(response.body)
+      end
+    end
+  end
+end

data/lib/google/api_client/auth/file_storage.rb

@@ -0,0 +1,87 @@
+# Copyright 2013 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'json'
+require 'signet/oauth_2/client'
+
+module Google
+  class APIClient
+    ##
+    # Represents cached OAuth 2 tokens stored on local disk in a
+    # JSON serialized file. Meant to resemble the serialized format
+    # http://google-api-python-client.googlecode.com/hg/docs/epy/oauth2client.file.Storage-class.html
+    #
+    class FileStorage
+      # @return [String] Path to the credentials file.
+      attr_accessor :path
+
+      # @return [Signet::OAuth2::Client] Path to the credentials file.
+      attr_reader :authorization
+
+      ##
+      # Initializes the FileStorage object.
+      #
+      # @param [String] path
+      #    Path to the credentials file.
+      def initialize(path)
+        @path = path
+        self.load_credentials
+      end
+
+      ##
+      # Attempt to read in credentials from the specified file.
+      def load_credentials
+        if File.exist? self.path
+          File.open(self.path, 'r') do |file|
+            cached_credentials = JSON.load(file)
+            @authorization = Signet::OAuth2::Client.new(cached_credentials)
+            @authorization.issued_at = Time.at(cached_credentials['issued_at'])
+            if @authorization.expired?
+              @authorization.fetch_access_token!
+              self.write_credentials
+            end
+          end
+        end
+      end
+
+      ##
+      # Write the credentials to the specified file.
+      #
+      # @param [Signet::OAuth2::Client] authorization
+      #    Optional authorization instance. If not provided, the authorization
+      #    already associated with this instance will be written.
+      def write_credentials(authorization=nil)
+        @authorization = authorization unless authorization.nil?
+
+        unless @authorization.refresh_token.nil?
+          hash = {}
+          %w'access_token
+           authorization_uri
+           client_id
+           client_secret
+           expires_in
+           refresh_token
+           token_credential_uri'.each do |var|
+            hash[var] = @authorization.instance_variable_get("@#{var}")
+          end
+          hash['issued_at'] = @authorization.issued_at.to_i
+
+          File.open(self.path, 'w', 0600) do |file|
+            file.write(hash.to_json)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/google/api_client/auth/installed_app.rb

@@ -0,0 +1,122 @@
+# Copyright 2010 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'webrick'
+require 'launchy'
+
+module Google
+  class APIClient
+
+    # Small helper for the sample apps for performing OAuth 2.0 flows from the command
+    # line or in any other installed app environment.
+    #
+    # @example
+    #
+    #    client = Google::APIClient.new
+    #    flow = Google::APIClient::InstalledAppFlow.new(
+    #      :client_id => '691380668085.apps.googleusercontent.com',
+    #      :client_secret => '...,
+    #      :scope => 'https://www.googleapis.com/auth/drive'
+    #    )
+    #    client.authorization = flow.authorize
+    #
+    class InstalledAppFlow
+      
+      RESPONSE_BODY = <<-HTML
+        <html>
+          <head>
+            <script>
+              function closeWindow() { 
+                window.open('', '_self', '');
+                window.close();
+              }
+              setTimeout(closeWindow, 10);
+            </script>
+          </head>
+          <body>You may close this window.</body>
+        </html>
+      HTML
+      
+      ##
+      # Configure the flow
+      #
+      # @param [Hash] options The configuration parameters for the client.
+      # @option options [Fixnum] :port
+      #   Port to run the embedded server on. Defaults to 9292
+      # @option options [String] :client_id 
+      #   A unique identifier issued to the client to identify itself to the
+      #   authorization server.
+      # @option options [String] :client_secret
+      #   A shared symmetric secret issued by the authorization server,
+      #   which is used to authenticate the client.
+      # @option options [String] :scope
+      #   The scope of the access request, expressed either as an Array
+      #   or as a space-delimited String.
+      #
+      # @see Signet::OAuth2::Client
+      def initialize(options)
+        @port = options[:port] || 9292
+        @authorization = Signet::OAuth2::Client.new({
+          :authorization_uri => 'https://accounts.google.com/o/oauth2/auth',
+          :token_credential_uri => 'https://accounts.google.com/o/oauth2/token',
+          :redirect_uri => "http://localhost:#{@port}/"}.update(options)
+        )
+      end
+      
+      ##
+      # Request authorization. Opens a browser and waits for response.
+      #
+      # @param [Google::APIClient::FileStorage] storage
+      #  Optional object that responds to :write_credentials, used to serialize
+      #  the OAuth 2 credentials after completing the flow.
+      #
+      # @return [Signet::OAuth2::Client]
+      #  Authorization instance, nil if user cancelled.
+      def authorize(storage=nil)
+        auth = @authorization
+    
+        server = WEBrick::HTTPServer.new(
+          :Port => @port,
+          :BindAddress =>"localhost",
+          :Logger => WEBrick::Log.new(STDOUT, 0),
+          :AccessLog => []
+        )
+        trap("INT") { server.shutdown }
+        
+        server.mount_proc '/' do |req, res|
+            auth.code = req.query['code']
+            if auth.code
+              auth.fetch_access_token!
+            end
+            res.status = WEBrick::HTTPStatus::RC_ACCEPTED
+            res.body = RESPONSE_BODY
+            server.stop
+        end
+
+        Launchy.open(auth.authorization_uri.to_s)
+        server.start
+        if @authorization.access_token
+          if storage.respond_to?(:write_credentials)
+            storage.write_credentials(@authorization)
+          end
+          return @authorization
+        else
+          return nil
+        end
+      end
+    end
+
+  end
+end
+

data/lib/google/api_client/auth/jwt_asserter.rb

@@ -0,0 +1,126 @@
+# Copyright 2010 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'jwt'
+require 'signet/oauth_2/client'
+require 'delegate'
+
+module Google
+  class APIClient
+    ##
+    # Generates access tokens using the JWT assertion profile. Requires a
+    # service account & access to the private key.
+    #
+    # @example Using Signet
+    #
+    #   key = Google::APIClient::KeyUtils.load_from_pkcs12('client.p12', 'notasecret')
+    #   client.authorization = Signet::OAuth2::Client.new(
+    #     :token_credential_uri => 'https://accounts.google.com/o/oauth2/token',
+    #     :audience => 'https://accounts.google.com/o/oauth2/token',
+    #     :scope => 'https://www.googleapis.com/auth/prediction',
+    #     :issuer => '123456-abcdef@developer.gserviceaccount.com',
+    #     :signing_key => key)
+    #   client.authorization.fetch_access_token!
+    #   client.execute(...)
+    #
+    # @deprecated
+    #  Service accounts are now supported directly in Signet
+    # @see https://developers.google.com/accounts/docs/OAuth2ServiceAccount
+    class JWTAsserter
+      # @return [String] ID/email of the issuing party
+      attr_accessor :issuer
+      # @return [Fixnum] How long, in seconds, the assertion is valid for
+      attr_accessor :expiry
+      # @return [Fixnum] Seconds to expand the issued at/expiry window to account for clock skew
+      attr_accessor :skew
+      # @return [String] Scopes to authorize
+      attr_reader :scope
+      # @return [String,OpenSSL::PKey] key for signing assertions
+      attr_writer :key
+      # @return [String] Algorithm used for signing
+      attr_accessor :algorithm
+      
+      ##
+      # Initializes the asserter for a service account.
+      #
+      # @param [String] issuer
+      #    Name/ID of the client issuing the assertion
+      # @param [String, Array] scope
+      #   Scopes to authorize. May be a space delimited string or array of strings
+      # @param [String,OpenSSL::PKey] key
+      #   Key for signing assertions
+      # @param [String] algorithm
+      #   Algorithm to use, either 'RS256' for RSA with SHA-256 
+      #   or 'HS256' for HMAC with SHA-256
+      def initialize(issuer, scope, key, algorithm = "RS256")
+        self.issuer = issuer
+        self.scope = scope
+        self.expiry = 60 # 1 min default 
+        self.skew = 60      
+        self.key = key
+        self.algorithm = algorithm
+      end
+
+      ##
+      # Set the scopes to authorize
+      #
+      # @param [String, Array] new_scope
+      #   Scopes to authorize. May be a space delimited string or array of strings
+      def scope=(new_scope)
+        case new_scope
+        when Array
+          @scope = new_scope.join(' ')
+        when String
+          @scope = new_scope
+        when nil
+          @scope = ''
+        else
+          raise TypeError, "Expected Array or String, got #{new_scope.class}"
+        end
+      end
+      
+      ##
+      # Request a new access token.
+      # 
+      # @param [String] person
+      #   Email address of a user, if requesting a token to act on their behalf
+      # @param [Hash] options
+      #   Pass through to Signet::OAuth2::Client.fetch_access_token
+      # @return [Signet::OAuth2::Client] Access token 
+      #
+      # @see Signet::OAuth2::Client.fetch_access_token!
+      def authorize(person = nil, options={})
+        authorization = self.to_authorization(person)
+        authorization.fetch_access_token!(options)
+        return authorization
+      end
+      
+      ##
+      # Builds a Signet OAuth2 client
+      #
+      # @return [Signet::OAuth2::Client] Access token 
+      def to_authorization(person = nil)
+        return Signet::OAuth2::Client.new(
+          :token_credential_uri => 'https://accounts.google.com/o/oauth2/token',
+          :audience => 'https://accounts.google.com/o/oauth2/token',
+          :scope => self.scope,
+          :issuer => @issuer,
+          :signing_key => @key,
+          :signing_algorithm => @algorithm,
+          :person => person
+        )
+      end      
+    end
+  end
+end

data/lib/google/api_client/auth/key_utils.rb

@@ -0,0 +1,93 @@
+# Copyright 2010 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Google
+  class APIClient
+    ##
+    # Helper for loading keys from the PKCS12 files downloaded when
+    # setting up service accounts at the APIs Console.
+    #
+    module KeyUtils
+      ##
+      # Loads a key from PKCS12 file, assuming a single private key
+      # is present.
+      #
+      # @param [String] keyfile
+      #    Path of the PKCS12 file to load. If not a path to an actual file,
+      #    assumes the string is the content of the file itself. 
+      # @param [String] passphrase
+      #   Passphrase for unlocking the private key
+      #
+      # @return [OpenSSL::PKey] The private key for signing assertions.
+      def self.load_from_pkcs12(keyfile, passphrase)
+        load_key(keyfile, passphrase) do |content, passphrase| 
+          OpenSSL::PKCS12.new(content, passphrase).key
+        end
+      end
+      
+
+      ##
+      # Loads a key from a PEM file.
+      #
+      # @param [String] keyfile
+      #    Path of the PEM file to load. If not a path to an actual file,
+      #    assumes the string is the content of the file itself. 
+      # @param [String] passphrase
+      #   Passphrase for unlocking the private key
+      #
+      # @return [OpenSSL::PKey] The private key for signing assertions.
+      #
+      def self.load_from_pem(keyfile, passphrase)
+        load_key(keyfile, passphrase) do | content, passphrase|
+          OpenSSL::PKey::RSA.new(content, passphrase)
+        end
+      end
+
+      private
+      
+      ##
+      # Helper for loading keys from file or memory. Accepts a block
+      # to handle the specific file format.
+      #
+      # @param [String] keyfile
+      #    Path of thefile to load. If not a path to an actual file,
+      #    assumes the string is the content of the file itself. 
+      # @param [String] passphrase
+      #   Passphrase for unlocking the private key
+      #
+      # @yield [String, String]
+      #   Key file & passphrase to extract key from
+      # @yieldparam [String] keyfile
+      #   Contents of the file
+      # @yieldparam [String] passphrase
+      #   Passphrase to unlock key
+      # @yieldreturn [OpenSSL::PKey]
+      #   Private key
+      #
+      # @return [OpenSSL::PKey] The private key for signing assertions.
+      def self.load_key(keyfile, passphrase, &block)
+        begin
+          begin
+            content = File.open(keyfile, 'rb') { |io| io.read }
+          rescue
+            content = keyfile
+          end
+          block.call(content, passphrase)
+        rescue OpenSSL::OpenSSLError
+          raise ArgumentError.new("Invalid keyfile or passphrase")
+        end        
+      end  
+    end
+  end
+end