fix: Pass scope through when getting metadata-based access tokens

2020-07-08 16:13:38 +01:00 · 2020-07-08 16:13:38 +01:00 · 48c689aa93
parent dcdf7cddbf
commit 48c689aa93
4 changed files with 21 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,7 @@
+### Unreleased
+
+* Support scopes when using GCE Metadata Server authentication ([@ball-hayden][])
+
 ### 0.13.0 / 2020-06-17

 * Support for validating ID tokens.
@ -143,3 +147,4 @@ Note: This release now requires Ruby 2.4 or later
 [@tbetbetbe]: https://github.com/tbetbetbe
 [@murgatroid99]: https://github.com/murgatroid99
 [@vsubramani]: https://github.com/vsubramani
+[@ball-hayden]: https://github.com/ball-hayden
--- a/lib/googleauth/application_default.rb
+++ b/lib/googleauth/application_default.rb
@ -75,7 +75,7 @@ module Google
        GCECredentials.unmemoize_all
        raise NOT_FOUND_ERROR
      end
-      GCECredentials.new
+      GCECredentials.new scope: scope
    end
  end
 end
--- a/lib/googleauth/compute_engine.rb
+++ b/lib/googleauth/compute_engine.rb
@ -85,7 +85,8 @@ module Google
        c = options[:connection] || Faraday.default_connection
        retry_with_error do
          uri = target_audience ? COMPUTE_ID_TOKEN_URI : COMPUTE_AUTH_TOKEN_URI
-          query = target_audience ? { "audience" => target_audience, "format" => "full" } : nil
+          query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
+          query[:scopes] = Array(scope).join " " if scope
          headers = { "Metadata-Flavor" => "Google" }
          resp = c.get uri, query, headers
          case resp.status
--- a/spec/googleauth/compute_engine_spec.rb
+++ b/spec/googleauth/compute_engine_spec.rb
@ -51,7 +51,11 @@ describe Google::Auth::GCECredentials do
      body = MultiJson.dump("access_token" => opts[:access_token],
                            "token_type"   => "Bearer",
                            "expires_in"   => 3600)
-      stub_request(:get, MD_ACCESS_URI)
+
+      uri = MD_ACCESS_URI
+      uri += "?scopes=#{opts[:scope]}" if opts[:scope]
+
+      stub_request(:get, uri)
        .with(headers: { "Metadata-Flavor" => "Google" })
        .to_return(body:    body,
                   status:  200,
@ -69,6 +73,14 @@ describe Google::Auth::GCECredentials do

  context "metadata is unavailable" do
    describe "#fetch_access_token" do
+      it "should pass scopes when requesting an access token" do
+        scope = "https://www.googleapis.com/auth/drive"
+        stub = make_auth_stubs access_token: "1/abcdef1234567890", scope: scope
+        @client = GCECredentials.new(scope: [scope])
+        @client.fetch_access_token!
+        expect(stub).to have_been_requested
+      end
+
      it "should fail if the metadata request returns a 404" do
        stub = stub_request(:get, MD_ACCESS_URI)
               .to_return(status:  404,