192 lines
10 KiB
Ruby
192 lines
10 KiB
Ruby
# Copyright 2015 Google Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
require 'date'
|
|
require 'google/apis/core/base_service'
|
|
require 'google/apis/core/json_representation'
|
|
require 'google/apis/core/hashable'
|
|
require 'google/apis/errors'
|
|
|
|
module Google
|
|
module Apis
|
|
module StsV1beta
|
|
|
|
# Request message for ExchangeToken.
|
|
class GoogleIdentityStsV1betaExchangeTokenRequest
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# The full resource name of the identity provider; for example: `https://iam.
|
|
# googleapis.com/projects/`PROJECT_ID`/workloadIdentityPools/`POOL_ID`/providers/
|
|
# `PROVIDER_ID``. Required when exchanging an external credential for a Google
|
|
# access token.
|
|
# Corresponds to the JSON property `audience`
|
|
# @return [String]
|
|
attr_accessor :audience
|
|
|
|
# Required. The grant type. Must be `urn:ietf:params:oauth:grant-type:token-
|
|
# exchange`, which indicates a token exchange is requested.
|
|
# Corresponds to the JSON property `grantType`
|
|
# @return [String]
|
|
attr_accessor :grant_type
|
|
|
|
# A set of features that Security Token Service supports, in addition to the
|
|
# standard OAuth 2.0 token exchange, formatted as a serialized JSON object of
|
|
# Options.
|
|
# Corresponds to the JSON property `options`
|
|
# @return [String]
|
|
attr_accessor :options
|
|
|
|
# Required. An identifier for the type of requested security token. Must be `urn:
|
|
# ietf:params:oauth:token-type:access_token`.
|
|
# Corresponds to the JSON property `requestedTokenType`
|
|
# @return [String]
|
|
attr_accessor :requested_token_type
|
|
|
|
# The OAuth 2.0 scopes to include on the resulting access token, formatted as a
|
|
# list of space-delimited, case-sensitive strings. Required when exchanging an
|
|
# external credential for a Google access token.
|
|
# Corresponds to the JSON property `scope`
|
|
# @return [String]
|
|
attr_accessor :scope
|
|
|
|
# Required. The input token. This is a either an external credential issued by a
|
|
# WorkloadIdentityPoolProvider, or a short-lived access token issued by Google.
|
|
# If the token is an OIDC JWT, it must use the JWT format defined in [RFC 7523](
|
|
# https://tools.ietf.org/html/rfc7523), and `subject_token_type` must be `urn:
|
|
# ietf:params:oauth:token-type:jwt`. The following headers are required: - **`
|
|
# kid`**: The identifier of the signing key securing the JWT. - **`alg`**: The
|
|
# cryptographic algorithm securing the JWT. Must be `RS256`. The following
|
|
# payload fields are required. For more information, see [RFC 7523, Section 3](
|
|
# https://tools.ietf.org/html/rfc7523#section-3). - **`iss`**: The issuer of the
|
|
# token. The issuer must provide a discovery document at `/.well-known/openid-
|
|
# configuration`, formatted according to section 4.2 of the [OIDC 1.0 Discovery
|
|
# specification](https://openid.net/specs/openid-connect-discovery-1_0.html#
|
|
# ProviderConfigurationResponse). - **`iat`**: The issue time, in seconds, since
|
|
# epoch. Must be in the past. - **`exp`**: The expiration time, in seconds,
|
|
# since epoch. Must be fewer than 48 hours after `iat`. Shorter expiration times
|
|
# are more. secure. If possible, we recommend setting an expiration time fewer
|
|
# than 6 hours. - **`sub`**: The identity asserted in the JWT. - **`aud`**:
|
|
# Configured by the mapper policy. The default value is the service account's
|
|
# unique ID. Example header: ``` ` "alg": "RS256", "kid": "us-east-11" ` ```
|
|
# Example payload: ``` ` "iss": "https://accounts.google.com", "iat": 1517963104,
|
|
# "exp": 1517966704, "aud": "113475438248934895348", "sub": "
|
|
# 113475438248934895348", "my_claims": ` "additional_claim": "value" ` ` ``` If `
|
|
# subject_token` is an AWS token, it must be a serialized, [signed](https://docs.
|
|
# aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) request to the
|
|
# AWS [`GetCallerIdentity()`](https://docs.aws.amazon.com/STS/latest/
|
|
# APIReference/API_GetCallerIdentity) method. Format the request as URL-encoded
|
|
# JSON, and set the `subject_token_type` parameter to `urn:ietf:params:aws:token-
|
|
# type:aws4_request`. The following parameters are required: - **`url`**: The
|
|
# URL of the AWS STS endpoint for `GetCallerIdentity()`, such as `https://sts.
|
|
# amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15`. Regional endpoints
|
|
# are also supported. - **`method`:** The HTTP request method: `POST`. - **`
|
|
# headers`**: The HTTP request headers, which must include: - **`Authorization`**
|
|
# : The request signature. - **`x-amz-date`**`: The time you will send the
|
|
# request, formatted as an [ISO8601 Basic](https://docs.aws.amazon.com/general/
|
|
# latest/gr/sigv4_elements.html#sigv4_elements_date) string. This is typically
|
|
# set to the current time, and used to prevent replay attacks. - **`host`**: The
|
|
# hostname of the `url` field; for example, `sts.amazonaws.com`. - **`x-goog-
|
|
# cloud-target-resource`**: The full, canonical resource name of the
|
|
# WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ``
|
|
# ` //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/
|
|
# https://iam.googleapis.com/projects//locations//workloadIdentityPools//
|
|
# providers/ ``` Signing this header as part of the signature is recommended to
|
|
# ensure data integrity. If you are using temporary security credentials
|
|
# provided by AWS, you must also include the header `x-amz-security-token`, with
|
|
# the value `[SESSION_TOKEN]`. The following is an example of a signed,
|
|
# serialized request: ``` ` "headers":[ `"key": "x-amz-date", "value": "
|
|
# 20200815T015049Z"`, `"key": "Authorization", "value": "AWS4-HMAC-SHA256+
|
|
# Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target-
|
|
# resource,+Signature=$signature"`, `"key": "x-goog-cloud-target-resource", "
|
|
# value": "//iam.googleapis.com/projects//locations//workloadIdentityPools//
|
|
# providers/"`, `"key": "host", "value": "sts.amazonaws.com"` . ], "method":"
|
|
# POST", "url":"https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-
|
|
# 06-15" ` ``` You can also use a Google-issued OAuth 2.0 access token with this
|
|
# field to obtain an access token with new security attributes applied, such as
|
|
# an AccessBoundary. In this case, set `subject_token_type` to `urn:ietf:params:
|
|
# oauth:token-type:access_token`. Applying additional security attributes on
|
|
# access tokens that already contain security attributes is not allowed.
|
|
# Corresponds to the JSON property `subjectToken`
|
|
# @return [String]
|
|
attr_accessor :subject_token
|
|
|
|
# Required. An identifier that indicates the type of the security token in the `
|
|
# subject_token` parameter. Supported values are `urn:ietf:params:oauth:token-
|
|
# type:jwt`, `urn:ietf:params:aws:token-type:aws4_request` and `urn:ietf:params:
|
|
# oauth:token-type:access_token`.
|
|
# Corresponds to the JSON property `subjectTokenType`
|
|
# @return [String]
|
|
attr_accessor :subject_token_type
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@audience = args[:audience] if args.key?(:audience)
|
|
@grant_type = args[:grant_type] if args.key?(:grant_type)
|
|
@options = args[:options] if args.key?(:options)
|
|
@requested_token_type = args[:requested_token_type] if args.key?(:requested_token_type)
|
|
@scope = args[:scope] if args.key?(:scope)
|
|
@subject_token = args[:subject_token] if args.key?(:subject_token)
|
|
@subject_token_type = args[:subject_token_type] if args.key?(:subject_token_type)
|
|
end
|
|
end
|
|
|
|
# Response message for ExchangeToken.
|
|
class GoogleIdentityStsV1betaExchangeTokenResponse
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# An OAuth 2.0 security token, issued by Google, in response to the token
|
|
# exchange request.
|
|
# Corresponds to the JSON property `access_token`
|
|
# @return [String]
|
|
attr_accessor :access_token
|
|
|
|
# The expiration time of `access_token`, in seconds, from the time of issuance.
|
|
# This field is absent when the `subject_token` in the request is a Google-
|
|
# issued, short-lived access token. In this case, the expiration time of the `
|
|
# access_token` is the same as the `subject_token`.
|
|
# Corresponds to the JSON property `expires_in`
|
|
# @return [Fixnum]
|
|
attr_accessor :expires_in
|
|
|
|
# The token type. Always matches the value of `requested_token_type` from the
|
|
# request.
|
|
# Corresponds to the JSON property `issued_token_type`
|
|
# @return [String]
|
|
attr_accessor :issued_token_type
|
|
|
|
# The type of `access_token`. Always has the value `Bearer`.
|
|
# Corresponds to the JSON property `token_type`
|
|
# @return [String]
|
|
attr_accessor :token_type
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@access_token = args[:access_token] if args.key?(:access_token)
|
|
@expires_in = args[:expires_in] if args.key?(:expires_in)
|
|
@issued_token_type = args[:issued_token_type] if args.key?(:issued_token_type)
|
|
@token_type = args[:token_type] if args.key?(:token_type)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|