192 lines
10 KiB
Ruby
192 lines
10 KiB
Ruby
# Copyright 2020 Google LLC
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
require 'date'
|
|
require 'google/apis/core/base_service'
|
|
require 'google/apis/core/json_representation'
|
|
require 'google/apis/core/hashable'
|
|
require 'google/apis/errors'
|
|
|
|
module Google
|
|
module Apis
|
|
module StsV1beta
|
|
|
|
# Request message for ExchangeToken.
|
|
class GoogleIdentityStsV1betaExchangeTokenRequest
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# The full resource name of the identity provider. For example, `//iam.
|
|
# googleapis.com/projects//workloadIdentityPools//providers/`. Required when
|
|
# exchanging an external credential for a Google access token.
|
|
# Corresponds to the JSON property `audience`
|
|
# @return [String]
|
|
attr_accessor :audience
|
|
|
|
# Required. The grant type. Must be `urn:ietf:params:oauth:grant-type:token-
|
|
# exchange`, which indicates a token exchange.
|
|
# Corresponds to the JSON property `grantType`
|
|
# @return [String]
|
|
attr_accessor :grant_type
|
|
|
|
# A set of features that Security Token Service supports, in addition to the
|
|
# standard OAuth 2.0 token exchange, formatted as a serialized JSON object of
|
|
# Options.
|
|
# Corresponds to the JSON property `options`
|
|
# @return [String]
|
|
attr_accessor :options
|
|
|
|
# Required. The type of security token. Must be `urn:ietf:params:oauth:token-
|
|
# type:access_token`, which indicates an OAuth 2.0 access token.
|
|
# Corresponds to the JSON property `requestedTokenType`
|
|
# @return [String]
|
|
attr_accessor :requested_token_type
|
|
|
|
# The OAuth 2.0 scopes to include on the resulting access token, formatted as a
|
|
# list of space-delimited, case-sensitive strings. Required when exchanging an
|
|
# external credential for a Google access token.
|
|
# Corresponds to the JSON property `scope`
|
|
# @return [String]
|
|
attr_accessor :scope
|
|
|
|
# Required. The input token. This token is a either an external credential
|
|
# issued by a workload identity pool provider, or a short-lived access token
|
|
# issued by Google. If the token is an OIDC JWT, it must use the JWT format
|
|
# defined in [RFC 7523](https://tools.ietf.org/html/rfc7523), and the `
|
|
# subject_token_type` must be `urn:ietf:params:oauth:token-type:jwt`. The
|
|
# following headers are required: - `kid`: The identifier of the signing key
|
|
# securing the JWT. - `alg`: The cryptographic algorithm securing the JWT. Must
|
|
# be `RS256`. The following payload fields are required. For more information,
|
|
# see [RFC 7523, Section 3](https://tools.ietf.org/html/rfc7523#section-3): - `
|
|
# iss`: The issuer of the token. The issuer must provide a discovery document at
|
|
# the URL `/.well-known/openid-configuration`, where `` is the value of this
|
|
# field. The document must be formatted according to section 4.2 of the [OIDC 1.
|
|
# 0 Discovery specification](https://openid.net/specs/openid-connect-discovery-
|
|
# 1_0.html#ProviderConfigurationResponse). - `iat`: The issue time, in seconds,
|
|
# since the Unix epoch. Must be in the past. - `exp`: The expiration time, in
|
|
# seconds, since the Unix epoch. Must be less than 48 hours after `iat`. Shorter
|
|
# expiration times are more secure. If possible, we recommend setting an
|
|
# expiration time less than 6 hours. - `sub`: The identity asserted in the JWT. -
|
|
# `aud`: Configured by the mapper policy. The default value is the service
|
|
# account's unique ID. Example header: ``` ` "alg": "RS256", "kid": "us-east-11"
|
|
# ` ``` Example payload: ``` ` "iss": "https://accounts.google.com", "iat":
|
|
# 1517963104, "exp": 1517966704, "aud": "113475438248934895348", "sub": "
|
|
# 113475438248934895348", "my_claims": ` "additional_claim": "value" ` ` ``` If `
|
|
# subject_token` is an AWS token, it must be a serialized, [signed](https://docs.
|
|
# aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) request to the
|
|
# AWS [`GetCallerIdentity()`](https://docs.aws.amazon.com/STS/latest/
|
|
# APIReference/API_GetCallerIdentity) method. Format the request as URL-encoded
|
|
# JSON, and set the `subject_token_type` parameter to `urn:ietf:params:aws:token-
|
|
# type:aws4_request`. The following parameters are required: - `url`: The URL of
|
|
# the AWS STS endpoint for `GetCallerIdentity()`, such as `https://sts.amazonaws.
|
|
# com?Action=GetCallerIdentity&Version=2011-06-15`. Regional endpoints are also
|
|
# supported. - `method`: The HTTP request method: `POST`. - `headers`: The HTTP
|
|
# request headers, which must include: - `Authorization`: The request signature.
|
|
# - `x-amz-date`: The time you will send the request, formatted as an [ISO8601
|
|
# Basic](https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html#
|
|
# sigv4_elements_date) string. This is typically set to the current time and
|
|
# used to prevent replay attacks. - `host`: The hostname of the `url` field; for
|
|
# example, `sts.amazonaws.com`. - `x-goog-cloud-target-resource`: The full,
|
|
# canonical resource name of the workload identity pool provider, with or
|
|
# without an `https:` prefix. To help ensure data integrity, we recommend
|
|
# including this header in the `SignedHeaders` field of the signed request. For
|
|
# example: //iam.googleapis.com/projects//locations//workloadIdentityPools//
|
|
# providers/ https://iam.googleapis.com/projects//locations//
|
|
# workloadIdentityPools//providers/ If you are using temporary security
|
|
# credentials provided by AWS, you must also include the header `x-amz-security-
|
|
# token`, with the value ``. The following example shows a signed, serialized
|
|
# request: ``` ` "headers":[ `"key": "x-amz-date", "value": "20200815T015049Z"`,
|
|
# `"key": "Authorization", "value": "AWS4-HMAC-SHA256+Credential=$credential,+
|
|
# SignedHeaders=host;x-amz-date;x-goog-cloud-target-resource,+Signature=$
|
|
# signature"`, `"key": "x-goog-cloud-target-resource", "value": "//iam.
|
|
# googleapis.com/projects//locations//workloadIdentityPools//providers/"`, `"key"
|
|
# : "host", "value": "sts.amazonaws.com"` . ], "method":"POST", "url":"https://
|
|
# sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" ` ``` You can
|
|
# also use a Google-issued OAuth 2.0 access token with this field to obtain an
|
|
# access token with new security attributes applied, such as a Credential Access
|
|
# Boundary. In this case, set `subject_token_type` to `urn:ietf:params:oauth:
|
|
# token-type:access_token`. If an access token already contains security
|
|
# attributes, you cannot apply additional security attributes.
|
|
# Corresponds to the JSON property `subjectToken`
|
|
# @return [String]
|
|
attr_accessor :subject_token
|
|
|
|
# Required. `urn:ietf:params:oauth:token-type:access_token`.
|
|
# Corresponds to the JSON property `subjectTokenType`
|
|
# @return [String]
|
|
attr_accessor :subject_token_type
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@audience = args[:audience] if args.key?(:audience)
|
|
@grant_type = args[:grant_type] if args.key?(:grant_type)
|
|
@options = args[:options] if args.key?(:options)
|
|
@requested_token_type = args[:requested_token_type] if args.key?(:requested_token_type)
|
|
@scope = args[:scope] if args.key?(:scope)
|
|
@subject_token = args[:subject_token] if args.key?(:subject_token)
|
|
@subject_token_type = args[:subject_token_type] if args.key?(:subject_token_type)
|
|
end
|
|
end
|
|
|
|
# Response message for ExchangeToken.
|
|
class GoogleIdentityStsV1betaExchangeTokenResponse
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# An OAuth 2.0 security token, issued by Google, in response to the token
|
|
# exchange request. Tokens can vary in size, depending in part on the size of
|
|
# mapped claims, up to a maximum of 12288 bytes (12 KB). Google reserves the
|
|
# right to change the token size and the maximum length at any time.
|
|
# Corresponds to the JSON property `access_token`
|
|
# @return [String]
|
|
attr_accessor :access_token
|
|
|
|
# The amount of time, in seconds, between the time when the `access_token` was
|
|
# issued and the time when the `access_token` will expire. This field is absent
|
|
# when the `subject_token` in the request is a Google-issued, short-lived access
|
|
# token. In this case, the `access_token` has the same expiration time as the `
|
|
# subject_token`.
|
|
# Corresponds to the JSON property `expires_in`
|
|
# @return [Fixnum]
|
|
attr_accessor :expires_in
|
|
|
|
# The token type. Always matches the value of `requested_token_type` from the
|
|
# request.
|
|
# Corresponds to the JSON property `issued_token_type`
|
|
# @return [String]
|
|
attr_accessor :issued_token_type
|
|
|
|
# The type of `access_token`. Always has the value `Bearer`.
|
|
# Corresponds to the JSON property `token_type`
|
|
# @return [String]
|
|
attr_accessor :token_type
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@access_token = args[:access_token] if args.key?(:access_token)
|
|
@expires_in = args[:expires_in] if args.key?(:expires_in)
|
|
@issued_token_type = args[:issued_token_type] if args.key?(:issued_token_type)
|
|
@token_type = args[:token_type] if args.key?(:token_type)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|