From 48c689aa93bfe81c5a6ae23362d86fc25ba098cf Mon Sep 17 00:00:00 2001
From: Hayden Ball
Date: Wed, 8 Jul 2020 16:13:38 +0100
Subject: [PATCH] fix: Pass scope through when getting metadata-based access tokens

---
 CHANGELOG.md | 5 +++++
 lib/googleauth/application_default.rb | 2 +-
 lib/googleauth/compute_engine.rb | 3 ++-
 spec/googleauth/compute_engine_spec.rb | 14 +++++++++++++-
 4 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d96f347..12952f8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+### Unreleased
+
+* Support scopes when using GCE Metadata Server authentication ([@ball-hayden][])
+
 ### 0.13.0 / 2020-06-17
 
 * Support for validating ID tokens.
@@ -143,3 +147,4 @@ Note: This release now requires Ruby 2.4 or later
 [@tbetbetbe]: https://github.com/tbetbetbe
 [@murgatroid99]: https://github.com/murgatroid99
 [@vsubramani]: https://github.com/vsubramani
+[@ball-hayden]: https://github.com/ball-hayden
diff --git a/lib/googleauth/application_default.rb b/lib/googleauth/application_default.rb
index b86142f..ee21b76 100644
--- a/lib/googleauth/application_default.rb
+++ b/lib/googleauth/application_default.rb
@@ -75,7 +75,7 @@ module Google
 GCECredentials.unmemoize_all
 raise NOT_FOUND_ERROR
 end
- GCECredentials.new
+ GCECredentials.new scope: scope
 end
 end
 end
diff --git a/lib/googleauth/compute_engine.rb b/lib/googleauth/compute_engine.rb
index 41c38f3..a775ea0 100644
--- a/lib/googleauth/compute_engine.rb
+++ b/lib/googleauth/compute_engine.rb
@@ -85,7 +85,8 @@ module Google
 c = options[:connection] || Faraday.default_connection
 retry_with_error do
 uri = target_audience ? COMPUTE_ID_TOKEN_URI : COMPUTE_AUTH_TOKEN_URI
- query = target_audience ? { "audience" => target_audience, "format" => "full" } : nil
+ query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
+ query[:scopes] = Array(scope).join " " if scope
 headers = { "Metadata-Flavor" => "Google" }
 resp = c.get uri, query, headers
 case resp.status
diff --git a/spec/googleauth/compute_engine_spec.rb b/spec/googleauth/compute_engine_spec.rb
index 58645f5..aee3936 100644
--- a/spec/googleauth/compute_engine_spec.rb
+++ b/spec/googleauth/compute_engine_spec.rb
@@ -51,7 +51,11 @@ describe Google::Auth::GCECredentials do
 body = MultiJson.dump("access_token" => opts[:access_token],
 "token_type" => "Bearer",
 "expires_in" => 3600)
- stub_request(:get, MD_ACCESS_URI)
+
+ uri = MD_ACCESS_URI
+ uri += "?scopes=#{opts[:scope]}" if opts[:scope]
+
+ stub_request(:get, uri)
 .with(headers: { "Metadata-Flavor" => "Google" })
 .to_return(body: body,
 status: 200,
@@ -69,6 +73,14 @@ describe Google::Auth::GCECredentials do
 context "metadata is unavailable" do
 describe "#fetch_access_token" do
+ it "should pass scopes when requesting an access token" do
+ scope = "https://www.googleapis.com/auth/drive"
+ stub = make_auth_stubs access_token: "1/abcdef1234567890", scope: scope
+ @client = GCECredentials.new(scope: [scope])
+ @client.fetch_access_token!
+ expect(stub).to have_been_requested
+ end
+
 it "should fail if the metadata request returns a 404" do
 stub = stub_request(:get, MD_ACCESS_URI)
 .to_return(status: 404,
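Review bot: The added `query[:scopes] = Array(scope).join " " if scope` joins multiple scopes with a space, but the GCE metadata server documents the `scopes` parameter on the token endpoint as a comma-separated list, and the other Google auth client libraries join with `,`; unless the server also tolerates spaces (I cannot confirm that from here), a multi-scope request would most likely be rejected, and if the value were instead ignored the caller would silently receive a token carrying the instance's full default scopes rather than the narrower set it asked for. I would change the line to `query["scopes"] = Array(scope).join "," if scope`, which also keeps the key type consistent with the `"audience"` and `"format"` string keys built on the line above. The switch from `nil` to `{}` for the no-audience case looks behaviour-neutral, since Faraday emits no query string for an empty params hash, but a short comment such as `# start from an empty hash so scopes can be merged in below` would save the next reader the same check. The enclosing `fetch_access_token` begins before and continues past this hunk.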
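Review bot: In the `make_auth_stubs` helper, `uri += "?scopes=#{opts[:scope]}" if opts[:scope]` interpolates a single raw scope into the stubbed URL, so the helper can only describe one scope and never asserts how several are joined on the wire, which is exactly what the production change decides with `Array(scope).join`. WebMock's query matcher is both clearer and encoding-aware; I would leave `MD_ACCESS_URI` untouched and, when `opts[:scope]` is given, add `query: { "scopes" => opts[:scope] }` to the existing `.with(headers: { "Metadata-Flavor" => "Google" })` call. A second example that passes two scopes through `GCECredentials.new(scope: [...])` and asserts the exact joined value would pin the separator the metadata server expects, rather than leaving it to whichever string the helper was handed. The `def` line of `make_auth_stubs` lies before this hunk, so the helper's signature is not visible here.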