Add support for loading either credentials type as determined by the loaded content

This commit is contained in:
Tim Emiola 2015-03-06 16:58:57 -08:00
parent 3bd8751519
commit 4d4bcd46e8
3 changed files with 134 additions and 77 deletions

View File

@ -27,8 +27,13 @@
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
require 'googleauth/service_account'
require 'multi_json'
require 'stringio'
require 'googleauth/credentials_loader'
require 'googleauth/compute_engine'
require 'googleauth/service_account'
require 'googleauth/user_refresh'
module Google
# Module Auth provides classes that provide Google-specific authorization
@ -40,6 +45,28 @@ https://developers.google.com/accounts/docs/application-default-credentials
for more information
END
# DefaultCredentials is used to preload the credentials file, to determine
# which type of credentials should be loaded.
class DefaultCredentials
extend CredentialsLoader
# override CredentialsLoader#make_creds to use the class determined by
# loading the json.
def self.make_creds(scope, json_key_io)
json_key, clz = determine_creds_class(json_key_io)
clz.new(scope, StringIO.new(MultiJson.dump(json_key)))
end
# Reads the input json and determines which creds class to use.
def self.determine_creds_class(json_key_io)
json_key = MultiJson.load(json_key_io.read)
fail "the json is missing the #{key} field" unless json_key.key?('type')
svc_account = json_key['type'] == 'service_account'
return json_key, ServiceAccountCredentials if svc_account
[json_key, UserRefreshCredentials]
end
end
# Obtains the default credentials implementation to use in this
# environment.
#
@ -53,9 +80,9 @@ END
# @param scope [string|array] the scope(s) to access
# @param options [hash] allows override of the connection being used
def get_application_default(scope, options = {})
creds = ServiceAccountCredentials.from_env(scope)
creds = DefaultCredentials.from_env(scope)
return creds unless creds.nil?
creds = ServiceAccountCredentials.from_well_known_path(scope)
creds = DefaultCredentials.from_well_known_path(scope)
return creds unless creds.nil?
fail NOT_FOUND_ERROR unless GCECredentials.on_gce?(options)
GCECredentials.new

View File

@ -50,6 +50,14 @@ module Google
end
memoize :windows?
# make_creds proxies the construction of a credentials instance
#
# By default, it calls #new on the current class, but this behaviour can
# be modified, allowing different instances to be created.
def make_creds(*args)
new(*args)
end
# Creates an instance from the path specified in an environment
# variable.
#
@ -59,7 +67,7 @@ module Google
path = ENV[ENV_VAR]
fail 'file #{path} does not exist' unless File.exist?(path)
File.open(path) do |f|
return new(scope, f)
return make_creds(scope, f)
end
rescue StandardError => e
raise "#{NOT_FOUND_ERROR}: #{e}"
@ -75,7 +83,7 @@ module Google
path = File.join(root, base)
return nil unless File.exist?(path)
File.open(path) do |f|
return new(scope, f)
return make_creds(scope, f)
end
rescue StandardError => e
raise "#{WELL_KNOWN_ERROR}: #{e}"

View File

@ -49,17 +49,7 @@ describe '#get_application_default' do
ENV['HOME'] = @home unless @home == ENV['HOME']
end
def cred_json_text
cred_json = {
private_key_id: 'a_private_key_id',
private_key: @key.to_pem,
client_email: 'app@developer.gserviceaccount.com',
client_id: 'app.apps.googleusercontent.com',
type: 'service_account'
}
MultiJson.dump(cred_json)
end
shared_examples 'it loads them correctly' do
it 'fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist' do
Dir.mktmpdir do |dir|
key_path = File.join(dir, 'does-not-exist')
@ -78,7 +68,7 @@ describe '#get_application_default' do
end
end
it 'succeeds with default file if GOOGLE_APPLICATION_CREDENTIALS is unset' do
it 'succeeds with default file without GOOGLE_APPLICATION_CREDENTIALS' do
ENV.delete(@var_name) unless ENV[@var_name].nil?
Dir.mktmpdir do |dir|
key_path = File.join(dir, '.config',
@ -126,9 +116,41 @@ describe '#get_application_default' do
c = Faraday.new do |b|
b.adapter(:test, stubs)
end
expect(Google::Auth.get_application_default(@scope,
connection: c)).to_not be_nil
creds = Google::Auth.get_application_default(
@scope,
connection: c)
expect(creds).to_not be_nil
end
stubs.verify_stubbed_calls
end
end
describe 'when credential type is service account' do
def cred_json_text
cred_json = {
private_key_id: 'a_private_key_id',
private_key: @key.to_pem,
client_email: 'app@developer.gserviceaccount.com',
client_id: 'app.apps.googleusercontent.com',
type: 'service_account'
}
MultiJson.dump(cred_json)
end
it_behaves_like 'it loads them correctly'
end
describe 'when credential type is authorized_user' do
def cred_json_text
cred_json = {
client_secret: 'privatekey',
refresh_token: 'refreshtoken',
client_id: 'app.apps.googleusercontent.com',
type: 'authorized_user'
}
MultiJson.dump(cred_json)
end
it_behaves_like 'it loads them correctly'
end
end