signet 0.15.0 → 0.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9d6cce64f05742592f4945a2a394ab1fc239107e9c5d8145f38a4189689e46ea
-  data.tar.gz: a20b6a81fac21113e804c8cbac63db3464da5357aa7428bc17509212217e50a3
+  metadata.gz: 13bd869943add17b04e66089d5c1a5d34a8d6053c55fb4dc389bc9e3a83c36ae
+  data.tar.gz: 17a0094e4ef483d07ea945155956d81a06423a8d57abc725d326b49c2cb62171
 SHA512:
-  metadata.gz: b1f2c4ab3031aa346f118bc152f129559436f92ae8b3d0008f3a2efa51fb82e0e45fec0f999c6984772be58661c90f6fbe1a1c973cf6ccdec8329696da4e1101
-  data.tar.gz: fc909052f1a89ec0f79d9b9a36ca7196cef5be879595e8c1e7699050ced959b3062881e1418fc9b8258985819f3c2bb64e7e9f60008f25e5ddccb6375934c2f5
+  metadata.gz: c6817470226e95dd4535bb7316b98c2b95d6ef70a8b9a1466656018fc9e642a02901390e0b40562e7ac7ea3a6acfefdb07d3317c6879453bb23ca07090bd9643
+  data.tar.gz: d49ad82ef1cbf8fab14b74370f07e3567c3f2594045e3cf82ec5f72f69f93ebe47954bff340fe7c472fb31f6269bbe012fec8e24f369167e59a519bfc02ff13b

data/.yardopts

@@ -0,0 +1,11 @@
+--no-private
+--title=Signet
+--markup markdown
+--markup-provider redcarpet
+
+./lib/**/*.rb
+-
+README.md
+CHANGELOG.md
+CODE_OF_CONDUCT.md
+LICENSE

data/CHANGELOG.md

@@ -1,67 +1,85 @@
 # Release History
 
-## [0.15.0](https://www.github.com/googleapis/signet/compare/v0.14.1...v0.15.0) (2021-03-04)
+### 0.17.0 (2022-06-23)
 
+* Updated minimum Ruby version to 2.6
 
-### Features
+### 0.16.1 (2022-02-24)
 
-* Drop support for Ruby 2.4 and add support for Ruby 3.0 ([bd6fe87](https://www.github.com/googleapis/signet/commit/bd6fe87948f8fc7702720dae651e82f4fd348b5d))
+#### Bug Fixes
 
-## 0.14.1 / 2021-01-27
+* Support Faraday 2
+
+### 0.16.0 (2021-09-03)
+
+#### Features
+
+* Support for fetching an access token with basic auth
+
+#### Bug Fixes
+
+* Remove extraneous files from the gem
+* Require addressable 2.8 to remediate vulnerability
+
+### 0.15.0 (2021-03-04)
+
+* Drop support for Ruby 2.4 and add support for Ruby 3.0
+
+### 0.14.1 / 2021-01-27
 
 * Fix OAuth1 signature with duplicate query param names
 
-## 0.14.0 / 2020-03-31
+### 0.14.0 / 2020-03-31
 
 * Support for fetching ID tokens from google oauth2 endpoint.
 
-## 0.13.2 / 2020-03-25
+### 0.13.2 / 2020-03-25
 
 Rerelease of 0.13.1.
 
-## 0.13.1 / 2020-03-24
+### 0.13.1 / 2020-03-24
 
 * Update github url
 
-## 0.13.0 / 2020-02-24
+### 0.13.0 / 2020-02-24
 
 * Support Faraday 1.x
 
-## 0.12.0 / 2019-10-08
+### 0.12.0 / 2019-10-08
 
 * This version now requires Ruby 2.4.
 * Support array values of the "aud" field.
 * Normalize the version constant to match related gems.
 
-## 0.11.0 / 2018-10-08
+### 0.11.0 / 2018-10-08
 
 * Add constant time comparison for oauth signatures.
 
-## 0.10.0 / 2018-09-21
+### 0.10.0 / 2018-09-21
 
 * Add UnexpectedStatusError class for http status errors that are not handled.
 
-## 0.9.2 / 2018-09-12
+### 0.9.2 / 2018-09-12
 
 * Update issued_at correctly when it is set simultaneously with expires_in.
 
-## 0.9.1 / 2018-08-29
+### 0.9.1 / 2018-08-29
 
 * Warn on EOL ruby versions.
 * Fix DateTime normalization.
 
-## 0.9.0 / 2018-08-20
+### 0.9.0 / 2018-08-20
 
 * Add RemoteServerError class for 5xx level errors.
 * Allow to_json to be called with arguments
 * Expires_in now sets and reflects current expires_at value
 * Expires_within(0) now returns false when expires_at is nil.
 
-## 0.8.1 / 2017-10-13
+### 0.8.1 / 2017-10-13
 
 * Restore support for Ruby 1.9.3
 
-## 0.8.0 / 2017-10-12
+### 0.8.0 / 2017-10-12
 
 * Ensure the "expires_at" attribute is recalculated on refresh (chutzimir)
 * Fix warnings on Ruby 2.4 (koic)
@@ -69,20 +87,20 @@ Rerelease of 0.13.1.
 * Provide signature verification algorithm for compatibility with ruby-jwt 2.0 (jurriaan)
 * Signet::OAuth2::Client#decoded_id_token can take a keyfinder block (mvastola)
 
-## 0.7.3 / 2016-06-20
+### 0.7.3 / 2016-06-20
 
 * Fix timestamp parsing on 32-bit systems
 * Fix expiration check when issue/expiry times are nil
 
-## 0.7.2 / 2015-12-21
+### 0.7.2 / 2015-12-21
 
 * Don't assume Faraday form encoding middleware is present
 
-## 0.7.1 / 2015-12-17
+### 0.7.1 / 2015-12-17
 
 * Fix an issue with date parsing
 
-## 0.7 / 2015-12-06
+### 0.7 / 2015-12-06
 
 * No longer overwrite SSL environment variables.
 * Tighten up date & URL (de)serialization for OAuth2 client
@@ -91,7 +109,7 @@ Rerelease of 0.13.1.
 * Add expires_within(sec) method to oauth2 client to facilitate proactive
   refreshes
 
-## 0.6.1 / 2015-06-08
+### 0.6.1 / 2015-06-08
 
 * Fix language warnings for unused & shadowed variables ((@blowmage)[])
 * Update SSL cert path for OSX ((@gambaroff)[])
@@ -99,14 +117,14 @@ Rerelease of 0.13.1.
 * Fix incorrect parameter name in OAuth2 client docs ((@samuelreh)[])
 * Fix symbolization of URL parameter keys ((@swifthand)[])
 
-## 0.6.0 / 2014-12-05
+### 0.6.0 / 2014-12-05
 
 * Drop support for ruby versions < 1.9.3
 * Update gem dependencies and lock down versions tighter
 * Allow form encoded responses when exchanging OAuth 2 authorization codes
 * Normalize options keys for indifferent access
 
-## 0.5.1 / 2014-06-08
+### 0.5.1 / 2014-06-08
 
 * Allow Hash objects to be used to initialize authorization URI
 * Added PLAINTEXT and RSA-SHA1 signature methods to OAuth 1 support
@@ -114,53 +132,53 @@ Rerelease of 0.13.1.
 * The `approval_prompt` option no longer defaults to `:force`
 * The `approval_prompt` and `prompt` are now mutually exclusive.
 
-## 0.5.0 / 2013-05-31
+### 0.5.0 / 2013-05-31
 
 * Switched to faraday 0.9.0
 * Added `expires_at` option
 
-## 0.4.5
+### 0.4.5
 
 * Minor documentation fixes
 * Allow postmessage as a valid redirect_uri in OAuth 2
 
-## 0.4.4
+### 0.4.4
 
 * Add support for assertion profile
 
-## 0.4.3
+### 0.4.3
 
 * Added method to clear credentials
 
-## 0.4.2
+### 0.4.2
 
 * Backwards compatibility for MultiJson
 
-## 0.4.1
+### 0.4.1
 
 * Updated Launchy dependency
 
-## 0.4.0
+### 0.4.0
 
 * Added OAuth 1 server implementation
 * Updated Faraday dependency
 
-## 0.3.4
+### 0.3.4
 
 * Attempts to auto-detect CA cert location
 
-## 0.3.3
+### 0.3.3
 
 * Request objects no longer recreated during processing
 * Faraday middleware now supported
 * Streamed requests now supported
 * Fixed assertion profiles; client ID/secret omission no longer an error
 
-## 0.3.2
+### 0.3.2
 
 * Added audience security check for ID tokens
 
-## 0.3.1
+### 0.3.1
 
 * Fixed a warning while determining grant type
 * Removed requirement that a connection be supplied when authorizing requests
@@ -168,52 +186,52 @@ Rerelease of 0.13.1.
 * Fixed some documentation stuff around markdown formatting
 * Added support for Google Code wiki format output when generating docs
 
-## 0.3.0
+### 0.3.0
 
 * Replaced httpadapter gem dependency with faraday
 * Replaced json gem dependency with multi_json
 * Updated to OAuth 2.0 draft 22
 * Complete test coverage
 
-## 0.2.4
+### 0.2.4
 
 * Updated to incorporate changes to the Google OAuth endpoints
 
-## 0.2.3
+### 0.2.3
 
 * Added support for JWT-formatted ID tokens.
 * Added :issued_at option to #update_token! method.
 
-## 0.2.2
+### 0.2.2
 
 * Lowered requirements for json gem
 
-## 0.2.1
+### 0.2.1
 
 * Updated to keep in sync with the new httpadapter changes
 
-## 0.2.0
+### 0.2.0
 
 * Added support for OAuth 2.0 draft 10
 
-## 0.1.4
+### 0.1.4
 
 * Added support for a two-legged authorization flow
 
-## 0.1.3
+### 0.1.3
 
 * Fixed issue with headers passed in as a Hash
 * Fixed incompatibilities with Ruby 1.8.6
 
-## 0.1.2
+### 0.1.2
 
 * Fixed bug with overzealous normalization
 
-## 0.1.1
+### 0.1.1
 
 * Fixed bug with missing StringIO require
 * Fixed issue with dependency on unreleased features of addressable
 
-## 0.1.0
+### 0.1.0
 
 * Initial release

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,43 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project,
+and in the interest of fostering an open and welcoming community,
+we pledge to respect all people who contribute through reporting issues,
+posting feature requests, updating documentation,
+submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project
+a harassment-free experience for everyone,
+regardless of level of experience, gender, gender identity and expression,
+sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information,
+such as physical or electronic
+addresses, without explicit permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct.
+By adopting this Code of Conduct,
+project maintainers commit themselves to fairly and consistently
+applying these principles to every aspect of managing this project.
+Project maintainers who do not follow or enforce the Code of Conduct
+may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior
+may be reported by opening an issue
+or contacting one or more of the project maintainers.
+
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0,
+available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)

data/SECURITY.md

@@ -0,0 +1,7 @@
+# Security Policy
+
+To report a security issue, please use [g.co/vulnz](https://g.co/vulnz).
+
+The Google Security Team will respond within 5 working days of your report on g.co/vulnz.
+
+We use g.co/vulnz for our intake, and do coordination and disclosure here using GitHub Security Advisory to privately discuss and fix the issue.

data/lib/signet/oauth_1/client.rb

@@ -926,7 +926,7 @@ module Signet
 
         content_type = request["Content-Type"].to_s
         content_type = content_type.split(";", 2).first if content_type.index ";"
-        if request.method == :post && content_type == "application/x-www-form-urlencoded"
+        if request.http_method == :post && content_type == "application/x-www-form-urlencoded"
           # Serializes the body in case a hash/array was passed. Noop if already string like
           encoder = Faraday::Request::UrlEncoded.new(->(_env) {})
           encoder.call env

data/lib/signet/oauth_1/credential.rb

@@ -12,7 +12,7 @@
 #    See the License for the specific language governing permissions and
 #    limitations under the License.
 
-module Signet #:nodoc:
+module Signet # :nodoc:
   module OAuth1
     class Credential
       ##

data/lib/signet/oauth_1/server.rb

@@ -152,12 +152,12 @@ module Signet
       # @return [Hash] normalized request components
       def verify_request_components options = {}
         if options[:request]
-          if options[:request].is_a?(Faraday::Request) || options[:request].is_a?(Array)
+          if options[:request].is_a? Faraday::Request
             request = options[:request]
           elsif options[:adapter]
             request = options[:adapter].adapt_request options[:request]
           end
-          method = request.method
+          method = request.http_method
           uri = request.path
           headers = request.headers
           body = request.body
@@ -458,7 +458,7 @@ module Signet
           # can't have been signed correctly(5849#3.4.1.3)
           unless post_parameters.sort == auth_hash.reject { |k, _v| k.index "oauth_" }.to_a.sort
             raise MalformedAuthorizationError, "Request is of type application/x-www-form-urlencoded " \
-              "but Authentication header did not include form values"
+                                               "but Authentication header did not include form values"
           end
         end
 

data/lib/signet/oauth_1/signature_methods/hmac_sha1.rb

@@ -1,7 +1,7 @@
 require "openssl"
 require "signet"
 
-module Signet #:nodoc:
+module Signet # :nodoc:
   module OAuth1
     module HMACSHA1
       def self.generate_signature \

data/lib/signet/oauth_1/signature_methods/plaintext.rb

@@ -1,6 +1,6 @@
 require "signet"
 
-module Signet #:nodoc:
+module Signet # :nodoc:
   module OAuth1
     module PLAINTEXT
       def self.generate_signature \

data/lib/signet/oauth_1/signature_methods/rsa_sha1.rb

@@ -3,7 +3,7 @@ require "base64"
 require "openssl"
 require "signet"
 
-module Signet #:nodoc:
+module Signet # :nodoc:
   module OAuth1
     module RSASHA1
       def self.generate_signature \

data/lib/signet/oauth_1.rb

@@ -3,7 +3,7 @@ require "signet"
 
 require "securerandom"
 
-module Signet #:nodoc:
+module Signet # :nodoc:
   module OAuth1
     OUT_OF_BAND = "oob".freeze
 

data/lib/signet/oauth_2/client.rb

@@ -20,6 +20,7 @@ require "signet/errors"
 require "signet/oauth_2"
 require "jwt"
 require "date"
+require "time"
 
 module Signet
   module OAuth2
@@ -880,13 +881,13 @@ module Signet
       end
 
       def grant_type= new_grant_type
-        case new_grant_type
-        when "authorization_code", "refresh_token",
-            "password", "client_credentials"
-          @grant_type = new_grant_type
-        else
-          @grant_type = Addressable::URI.parse new_grant_type
-        end
+        @grant_type =
+          case new_grant_type
+          when "authorization_code", "refresh_token", "password", "client_credentials"
+            new_grant_type
+          else
+            Addressable::URI.parse new_grant_type
+          end
       end
 
       def to_jwt options = {}
@@ -972,8 +973,8 @@ module Signet
           end
           parameters.merge! extension_parameters
         end
-        parameters["client_id"] = client_id unless client_id.nil?
-        parameters["client_secret"] = client_secret unless client_secret.nil?
+        parameters["client_id"] = client_id if !options[:use_basic_auth] && !client_id.nil?
+        parameters["client_secret"] = client_secret if !options[:use_basic_auth] && !client_secret.nil?
         if options[:scope]
           parameters["scope"] = options[:scope]
         elsif options[:use_configured_scope] && !scope.nil?
@@ -990,10 +991,18 @@ module Signet
         options = deep_hash_normalize options
 
         client = options[:connection] ||= Faraday.default_connection
-        url = Addressable::URI.parse(token_credential_uri).normalize.to_s
+        url = Addressable::URI.parse token_credential_uri
         parameters = generate_access_token_request options
         if client.is_a? Faraday::Connection
-          response = client.post url,
+          if options[:use_basic_auth]
+            # The Basic Auth middleware usage differs before and after Faraday v2
+            if Gem::Version.new(Faraday::VERSION).segments.first >= 2
+              client.request :authorization, :basic, client_id, client_secret
+            else
+              client.request :basic_auth, client_id, client_secret
+            end
+          end
+          response = client.post url.normalize.to_s,
                                  Addressable::URI.form_encode(parameters),
                                  "Content-Type" => "application/x-www-form-urlencoded"
           status = response.status.to_i
@@ -1001,7 +1010,11 @@ module Signet
           content_type = response.headers["Content-type"]
         else
           # Hurley
-          response = client.post url, parameters
+          if options[:use_basic_auth]
+            url.user = client_id
+            url.password = client_secret
+          end
+          response = client.post url.normalize.to_s, parameters
           status = response.status_code.to_i
           body = response.body
           content_type = response.header[:content_type]

data/lib/signet/oauth_2.rb

@@ -16,7 +16,7 @@ require "base64"
 require "signet"
 require "multi_json"
 
-module Signet #:nodoc:
+module Signet # :nodoc:
   ##
   # An implementation of http://tools.ietf.org/html/draft-ietf-oauth-v2-10
   #
@@ -78,7 +78,7 @@ module Signet #:nodoc:
       when %r{^application/json.*}
         MultiJson.load body
       when %r{^application/x-www-form-urlencoded.*}
-        Hash[Addressable::URI.form_unencode(body)]
+        Addressable::URI.form_unencode(body).to_h
       else
         raise ArgumentError, "Invalid content type '#{content_type}'"
       end

data/lib/signet/version.rb

@@ -13,5 +13,5 @@
 #    limitations under the License.
 
 module Signet
-  VERSION = "0.15.0".freeze
+  VERSION = "0.17.0".freeze
 end

data/lib/signet.rb

@@ -14,7 +14,7 @@
 
 require "signet/version"
 
-module Signet #:nodoc:
+module Signet # :nodoc:
   def self.parse_auth_param_list auth_param_string
     # Production rules from:
     # http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-12