Add support for loading either credentials type as determined by the loaded content

2015-03-06 16:58:57 -08:00 · 2015-03-06 16:58:57 -08:00 · 4d4bcd46e8
parent 3bd8751519
commit 4d4bcd46e8
3 changed files with 134 additions and 77 deletions
--- a/lib/googleauth.rb
+++ b/lib/googleauth.rb
@ -27,8 +27,13 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-require 'googleauth/service_account'
+require 'multi_json'
+require 'stringio'
+
+require 'googleauth/credentials_loader'
 require 'googleauth/compute_engine'
+require 'googleauth/service_account'
+require 'googleauth/user_refresh'

 module Google
  # Module Auth provides classes that provide Google-specific authorization
@ -40,6 +45,28 @@ https://developers.google.com/accounts/docs/application-default-credentials
 for more information
 END

+    # DefaultCredentials is used to preload the credentials file, to determine
+    # which type of credentials should be loaded.
+    class DefaultCredentials
+      extend CredentialsLoader
+
+      # override CredentialsLoader#make_creds to use the class determined by
+      # loading the json.
+      def self.make_creds(scope, json_key_io)
+        json_key, clz = determine_creds_class(json_key_io)
+        clz.new(scope, StringIO.new(MultiJson.dump(json_key)))
+      end
+
+      # Reads the input json and determines which creds class to use.
+      def self.determine_creds_class(json_key_io)
+        json_key = MultiJson.load(json_key_io.read)
+        fail "the json is missing the #{key} field" unless json_key.key?('type')
+        svc_account = json_key['type'] == 'service_account'
+        return json_key, ServiceAccountCredentials if svc_account
+        [json_key, UserRefreshCredentials]
+      end
+    end
+
    # Obtains the default credentials implementation to use in this
    # environment.
    #
@ -53,9 +80,9 @@ END
    # @param scope [string|array] the scope(s) to access
    # @param options [hash] allows override of the connection being used
    def get_application_default(scope, options = {})
-      creds = ServiceAccountCredentials.from_env(scope)
+      creds = DefaultCredentials.from_env(scope)
      return creds unless creds.nil?
-      creds = ServiceAccountCredentials.from_well_known_path(scope)
+      creds = DefaultCredentials.from_well_known_path(scope)
      return creds unless creds.nil?
      fail NOT_FOUND_ERROR unless GCECredentials.on_gce?(options)
      GCECredentials.new
--- a/lib/googleauth/credentials_loader.rb
+++ b/lib/googleauth/credentials_loader.rb
@ -50,6 +50,14 @@ module Google
      end
      memoize :windows?

+      # make_creds proxies the construction of a credentials instance
+      #
+      # By default, it calls #new on the current class, but this behaviour can
+      # be modified, allowing different instances to be created.
+      def make_creds(*args)
+        new(*args)
+      end
+
      # Creates an instance from the path specified in an environment
      # variable.
      #
@ -59,7 +67,7 @@ module Google
        path = ENV[ENV_VAR]
        fail 'file #{path} does not exist' unless File.exist?(path)
        File.open(path) do |f|
-          return new(scope, f)
+          return make_creds(scope, f)
        end
      rescue StandardError => e
        raise "#{NOT_FOUND_ERROR}: #{e}"
@ -75,7 +83,7 @@ module Google
        path = File.join(root, base)
        return nil unless File.exist?(path)
        File.open(path) do |f|
-          return new(scope, f)
+          return make_creds(scope, f)
        end
      rescue StandardError => e
        raise "#{WELL_KNOWN_ERROR}: #{e}"
--- a/spec/googleauth/get_application_default_spec.rb
+++ b/spec/googleauth/get_application_default_spec.rb
@ -49,86 +49,108 @@ describe '#get_application_default' do
    ENV['HOME'] = @home unless @home == ENV['HOME']
  end

-  def cred_json_text
-    cred_json = {
-      private_key_id: 'a_private_key_id',
-      private_key: @key.to_pem,
-      client_email: 'app@developer.gserviceaccount.com',
-      client_id: 'app.apps.googleusercontent.com',
-      type: 'service_account'
-    }
-    MultiJson.dump(cred_json)
-  end
+  shared_examples 'it loads them correctly' do
+    it 'fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist' do
+      Dir.mktmpdir do |dir|
+        key_path = File.join(dir, 'does-not-exist')
+        ENV[@var_name] = key_path
+        expect { Google::Auth.get_application_default(@scope) }.to raise_error
+      end
+    end

-  it 'fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist' do
-    Dir.mktmpdir do |dir|
-      key_path = File.join(dir, 'does-not-exist')
-      ENV[@var_name] = key_path
-      expect { Google::Auth.get_application_default(@scope) }.to raise_error
+    it 'succeeds if the GOOGLE_APPLICATION_CREDENTIALS file is valid' do
+      Dir.mktmpdir do |dir|
+        key_path = File.join(dir, 'my_cert_file')
+        FileUtils.mkdir_p(File.dirname(key_path))
+        File.write(key_path, cred_json_text)
+        ENV[@var_name] = key_path
+        expect(Google::Auth.get_application_default(@scope)).to_not be_nil
+      end
+    end
+
+    it 'succeeds with default file without GOOGLE_APPLICATION_CREDENTIALS' do
+      ENV.delete(@var_name) unless ENV[@var_name].nil?
+      Dir.mktmpdir do |dir|
+        key_path = File.join(dir, '.config',
+                             CredentialsLoader::WELL_KNOWN_PATH)
+        FileUtils.mkdir_p(File.dirname(key_path))
+        File.write(key_path, cred_json_text)
+        ENV['HOME'] = dir
+        expect(Google::Auth.get_application_default(@scope)).to_not be_nil
+      end
+    end
+
+    it 'fails without default file or env if not on compute engine' do
+      stubs = Faraday::Adapter::Test::Stubs.new do |stub|
+        stub.get('/') do |_env|
+          [404,
+           { 'Metadata-Flavor' => 'Google' },
+           '']
+        end
+      end  # GCE not detected
+      Dir.mktmpdir do |dir|
+        ENV.delete(@var_name) unless ENV[@var_name].nil? # no env var
+        ENV['HOME'] = dir  # no config present in this tmp dir
+        c = Faraday.new do |b|
+          b.adapter(:test, stubs)
+        end
+        blk = proc do
+          Google::Auth.get_application_default(@scope, connection: c)
+        end
+        expect(&blk).to raise_error
+      end
+      stubs.verify_stubbed_calls
+    end
+
+    it 'succeeds without default file or env if on compute engine' do
+      stubs = Faraday::Adapter::Test::Stubs.new do |stub|
+        stub.get('/') do |_env|
+          [200,
+           { 'Metadata-Flavor' => 'Google' },
+           '']
+        end
+      end  # GCE detected
+      Dir.mktmpdir do |dir|
+        ENV.delete(@var_name) unless ENV[@var_name].nil? # no env var
+        ENV['HOME'] = dir  # no config present in this tmp dir
+        c = Faraday.new do |b|
+          b.adapter(:test, stubs)
+        end
+        creds = Google::Auth.get_application_default(
+          @scope,
+          connection: c)
+        expect(creds).to_not be_nil
+      end
+      stubs.verify_stubbed_calls
    end
  end

-  it 'succeeds if the GOOGLE_APPLICATION_CREDENTIALS file is valid' do
-    Dir.mktmpdir do |dir|
-      key_path = File.join(dir, 'my_cert_file')
-      FileUtils.mkdir_p(File.dirname(key_path))
-      File.write(key_path, cred_json_text)
-      ENV[@var_name] = key_path
-      expect(Google::Auth.get_application_default(@scope)).to_not be_nil
+  describe 'when credential type is service account' do
+    def cred_json_text
+      cred_json = {
+        private_key_id: 'a_private_key_id',
+        private_key: @key.to_pem,
+        client_email: 'app@developer.gserviceaccount.com',
+        client_id: 'app.apps.googleusercontent.com',
+        type: 'service_account'
+      }
+      MultiJson.dump(cred_json)
    end
+
+    it_behaves_like 'it loads them correctly'
  end

-  it 'succeeds with default file if GOOGLE_APPLICATION_CREDENTIALS is unset' do
-    ENV.delete(@var_name) unless ENV[@var_name].nil?
-    Dir.mktmpdir do |dir|
-      key_path = File.join(dir, '.config',
-                           CredentialsLoader::WELL_KNOWN_PATH)
-      FileUtils.mkdir_p(File.dirname(key_path))
-      File.write(key_path, cred_json_text)
-      ENV['HOME'] = dir
-      expect(Google::Auth.get_application_default(@scope)).to_not be_nil
+  describe 'when credential type is authorized_user' do
+    def cred_json_text
+      cred_json = {
+        client_secret: 'privatekey',
+        refresh_token: 'refreshtoken',
+        client_id: 'app.apps.googleusercontent.com',
+        type: 'authorized_user'
+      }
+      MultiJson.dump(cred_json)
    end
-  end

-  it 'fails without default file or env if not on compute engine' do
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.get('/') do |_env|
-        [404,
-         { 'Metadata-Flavor' => 'Google' },
-         '']
-      end
-    end  # GCE not detected
-    Dir.mktmpdir do |dir|
-      ENV.delete(@var_name) unless ENV[@var_name].nil? # no env var
-      ENV['HOME'] = dir  # no config present in this tmp dir
-      c = Faraday.new do |b|
-        b.adapter(:test, stubs)
-      end
-      blk = proc do
-        Google::Auth.get_application_default(@scope, connection: c)
-      end
-      expect(&blk).to raise_error
-    end
-    stubs.verify_stubbed_calls
-  end
-
-  it 'succeeds without default file or env if on compute engine' do
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.get('/') do |_env|
-        [200,
-         { 'Metadata-Flavor' => 'Google' },
-         '']
-      end
-    end  # GCE detected
-    Dir.mktmpdir do |dir|
-      ENV.delete(@var_name) unless ENV[@var_name].nil? # no env var
-      ENV['HOME'] = dir  # no config present in this tmp dir
-      c = Faraday.new do |b|
-        b.adapter(:test, stubs)
-      end
-      expect(Google::Auth.get_application_default(@scope,
-                                                  connection: c)).to_not be_nil
-    end
-    stubs.verify_stubbed_calls
+    it_behaves_like 'it loads them correctly'
  end
 end