From df56f8af3399317d0fb66ea12ec228383e42ac80 Mon Sep 17 00:00:00 2001 From: Tim Emiola Date: Fri, 6 Mar 2015 13:13:26 -0800 Subject: [PATCH 1/4] Refactoring: move the credentials load into its own class --- lib/googleauth/credentials_loader.rb | 85 +++++++++++++++++++ lib/googleauth/service_account.rb | 68 +++------------ .../get_application_default_spec.rb | 4 +- spec/googleauth/service_account_spec.rb | 16 ++-- 4 files changed, 107 insertions(+), 66 deletions(-) create mode 100644 lib/googleauth/credentials_loader.rb diff --git a/lib/googleauth/credentials_loader.rb b/lib/googleauth/credentials_loader.rb new file mode 100644 index 0000000..96c9ee2 --- /dev/null +++ b/lib/googleauth/credentials_loader.rb @@ -0,0 +1,85 @@ +# Copyright 2015, Google Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following disclaimer +# in the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Google Inc. nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +require 'memoist' +require 'rbconfig' + +module Google + # Module Auth provides classes that provide Google-specific authorization + # used to access Google APIs. + module Auth + # CredentialsLoader contains the behaviour used to locate and find default + # credentials files on the file system. + module CredentialsLoader + extend Memoist + ENV_VAR = 'GOOGLE_APPLICATION_CREDENTIALS' + NOT_FOUND_ERROR = + "Unable to read the credential file specified by #{ENV_VAR}" + WELL_KNOWN_PATH = 'gcloud/application_default_credentials.json' + WELL_KNOWN_ERROR = 'Unable to read the default credential file' + + # determines if the current OS is windows + def windows? + RbConfig::CONFIG['host_os'] =~ /Windows|mswin/ + end + memoize :windows? + + # Creates an instance from the path specified in an environment + # variable. + # + # @param scope [string|array] the scope(s) to access + def from_env(scope) + return nil unless ENV.key?(ENV_VAR) + path = ENV[ENV_VAR] + fail 'file #{path} does not exist' unless File.exist?(path) + File.open(path) do |f| + return new(scope, f) + end + rescue StandardError => e + raise "#{NOT_FOUND_ERROR}: #{e}" + end + + # Creates an instance from a well known path. + # + # @param scope [string|array] the scope(s) to access + def from_well_known_path(scope) + home_var, base = windows? ? 'APPDATA' : 'HOME', WELL_KNOWN_PATH + root = ENV[home_var].nil? ? '' : ENV[home_var] + base = File.join('.config', base) unless windows? + path = File.join(root, base) + return nil unless File.exist?(path) + File.open(path) do |f| + return new(scope, f) + end + rescue StandardError => e + raise "#{WELL_KNOWN_ERROR}: #{e}" + end + end + end +end diff --git a/lib/googleauth/service_account.rb b/lib/googleauth/service_account.rb index 4e8072b..fed67ca 100644 --- a/lib/googleauth/service_account.rb +++ b/lib/googleauth/service_account.rb @@ -28,18 +28,8 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. require 'googleauth/signet' -require 'memoist' +require 'googleauth/credentials_loader' require 'multi_json' -require 'openssl' -require 'rbconfig' - -# Reads the private key and client email fields from service account JSON key. -def read_json_key(json_key_io) - json_key = MultiJson.load(json_key_io.read) - fail 'missing client_email' unless json_key.key?('client_email') - fail 'missing private_key' unless json_key.key?('private_key') - [json_key['private_key'], json_key['client_email']] -end module Google # Module Auth provides classes that provide Google-specific authorization @@ -53,52 +43,16 @@ module Google # # cf [Application Default Credentials](http://goo.gl/mkAHpZ) class ServiceAccountCredentials < Signet::OAuth2::Client - ENV_VAR = 'GOOGLE_APPLICATION_CREDENTIALS' - NOT_FOUND_ERROR = - "Unable to read the credential file specified by #{ENV_VAR}" TOKEN_CRED_URI = 'https://www.googleapis.com/oauth2/v3/token' - WELL_KNOWN_PATH = 'gcloud/application_default_credentials.json' - WELL_KNOWN_ERROR = 'Unable to read the default credential file' + extend CredentialsLoader - class << self - extend Memoist - - # determines if the current OS is windows - def windows? - RbConfig::CONFIG['host_os'] =~ /Windows|mswin/ - end - memoize :windows? - - # Creates an instance from the path specified in an environment - # variable. - # - # @param scope [string|array] the scope(s) to access - def from_env(scope) - return nil unless ENV.key?(ENV_VAR) - path = ENV[ENV_VAR] - fail 'file #{path} does not exist' unless File.exist?(path) - File.open(path) do |f| - return new(scope, f) - end - rescue StandardError => e - raise "#{NOT_FOUND_ERROR}: #{e}" - end - - # Creates an instance from a well known path. - # - # @param scope [string|array] the scope(s) to access - def from_well_known_path(scope) - home_var, base = windows? ? 'APPDATA' : 'HOME', WELL_KNOWN_PATH - root = ENV[home_var].nil? ? '' : ENV[home_var] - base = File.join('.config', base) unless windows? - path = File.join(root, base) - return nil unless File.exist?(path) - File.open(path) do |f| - return new(scope, f) - end - rescue StandardError => e - raise "#{WELL_KNOWN_ERROR}: #{e}" - end + # Reads the private key and client email fields from the service account + # JSON key. + def self.read_json_key(json_key_io) + json_key = MultiJson.load(json_key_io.read) + fail 'missing client_email' unless json_key.key?('client_email') + fail 'missing private_key' unless json_key.key?('private_key') + [json_key['private_key'], json_key['client_email']] end # Initializes a ServiceAccountCredentials. @@ -106,9 +60,9 @@ module Google # @param scope [string|array] the scope(s) to access # @param json_key_io [IO] an IO from which the JSON key can be read def initialize(scope, json_key_io) - private_key, client_email = read_json_key(json_key_io) + private_key, client_email = self.class.read_json_key(json_key_io) super(token_credential_uri: TOKEN_CRED_URI, - audience: TOKEN_CRED_URI, # TODO: confirm this + audience: TOKEN_CRED_URI, scope: scope, issuer: client_email, signing_key: OpenSSL::PKey::RSA.new(private_key)) diff --git a/spec/googleauth/get_application_default_spec.rb b/spec/googleauth/get_application_default_spec.rb index 6c1b9d5..877d940 100644 --- a/spec/googleauth/get_application_default_spec.rb +++ b/spec/googleauth/get_application_default_spec.rb @@ -38,7 +38,7 @@ require 'spec_helper' describe '#get_application_default' do before(:example) do @key = OpenSSL::PKey::RSA.new(2048) - @var_name = ServiceAccountCredentials::ENV_VAR + @var_name = CredentialsLoader::ENV_VAR @orig = ENV[@var_name] @home = ENV['HOME'] @scope = 'https://www.googleapis.com/auth/userinfo.profile' @@ -82,7 +82,7 @@ describe '#get_application_default' do ENV.delete(@var_name) unless ENV[@var_name].nil? Dir.mktmpdir do |dir| key_path = File.join(dir, '.config', - ServiceAccountCredentials::WELL_KNOWN_PATH) + CredentialsLoader::WELL_KNOWN_PATH) FileUtils.mkdir_p(File.dirname(key_path)) File.write(key_path, cred_json_text) ENV['HOME'] = dir diff --git a/spec/googleauth/service_account_spec.rb b/spec/googleauth/service_account_spec.rb index f0ec305..6298116 100644 --- a/spec/googleauth/service_account_spec.rb +++ b/spec/googleauth/service_account_spec.rb @@ -42,6 +42,7 @@ require 'tmpdir' describe Google::Auth::ServiceAccountCredentials do ServiceAccountCredentials = Google::Auth::ServiceAccountCredentials + CredentialsLoader = Google::Auth::CredentialsLoader before(:example) do @key = OpenSSL::PKey::RSA.new(2048) @@ -79,9 +80,10 @@ describe Google::Auth::ServiceAccountCredentials do describe '#from_env' do before(:example) do - @var_name = ServiceAccountCredentials::ENV_VAR + @var_name = CredentialsLoader::ENV_VAR @orig = ENV[@var_name] @scope = 'https://www.googleapis.com/auth/userinfo.profile' + @clz = ServiceAccountCredentials end after(:example) do @@ -99,18 +101,17 @@ describe Google::Auth::ServiceAccountCredentials do Dir.mktmpdir do |dir| key_path = File.join(dir, 'does-not-exist') ENV[@var_name] = key_path - expect { sac.from_env(@scope) }.to raise_error + expect { @clz.from_env(@scope) }.to raise_error end end it 'succeeds when the GOOGLE_APPLICATION_CREDENTIALS file is valid' do - sac = ServiceAccountCredentials # shortens name Dir.mktmpdir do |dir| key_path = File.join(dir, 'my_cert_file') FileUtils.mkdir_p(File.dirname(key_path)) File.write(key_path, cred_json_text) ENV[@var_name] = key_path - expect(sac.from_env(@scope)).to_not be_nil + expect(@clz.from_env(@scope)).to_not be_nil end end end @@ -119,6 +120,8 @@ describe Google::Auth::ServiceAccountCredentials do before(:example) do @home = ENV['HOME'] @scope = 'https://www.googleapis.com/auth/userinfo.profile' + @known_path = CredentialsLoader::WELL_KNOWN_PATH + @clz = ServiceAccountCredentials end after(:example) do @@ -131,13 +134,12 @@ describe Google::Auth::ServiceAccountCredentials do end it 'successfully loads the file when it is present' do - sac = ServiceAccountCredentials # shortens name Dir.mktmpdir do |dir| - key_path = File.join(dir, '.config', sac::WELL_KNOWN_PATH) + key_path = File.join(dir, '.config', @known_path) FileUtils.mkdir_p(File.dirname(key_path)) File.write(key_path, cred_json_text) ENV['HOME'] = dir - expect(sac.from_well_known_path(@scope)).to_not be_nil + expect(@clz.from_well_known_path(@scope)).to_not be_nil end end end From 3bd875151982f1c4218da9917cf8293f01a7089e Mon Sep 17 00:00:00 2001 From: Tim Emiola Date: Fri, 6 Mar 2015 15:33:05 -0800 Subject: [PATCH 2/4] Adds a credential class that supports User Refresh Tokens --- lib/googleauth/user_refresh.rb | 76 ++++++++++++ spec/googleauth/user_refresh_spec.rb | 170 +++++++++++++++++++++++++++ 2 files changed, 246 insertions(+) create mode 100644 lib/googleauth/user_refresh.rb create mode 100644 spec/googleauth/user_refresh_spec.rb diff --git a/lib/googleauth/user_refresh.rb b/lib/googleauth/user_refresh.rb new file mode 100644 index 0000000..3cfb1db --- /dev/null +++ b/lib/googleauth/user_refresh.rb @@ -0,0 +1,76 @@ +# Copyright 2015, Google Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following disclaimer +# in the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Google Inc. nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +require 'googleauth/signet' +require 'googleauth/credentials_loader' +require 'multi_json' + +module Google + # Module Auth provides classes that provide Google-specific authorization + # used to access Google APIs. + module Auth + # Authenticates requests using User Refresh credentials. + # + # This class allows authorizing requests from user refresh tokens. + # + # This the end of the result of a 3LO flow. E.g, the end result of + # 'gcloud auth login' saves a file with these contents in well known + # location + # + # cf [Application Default Credentials](http://goo.gl/mkAHpZ) + class UserRefreshCredentials < Signet::OAuth2::Client + TOKEN_CRED_URI = 'https://www.googleapis.com/oauth2/v3/token' + extend CredentialsLoader + + # Reads the client_id, client_secret and refresh_token fields from the + # JSON key. + def self.read_json_key(json_key_io) + json_key = MultiJson.load(json_key_io.read) + wanted = %w(client_id client_secret refresh_token) + wanted.each do |key| + fail "the json is missing the #{key} field" unless json_key.key?(key) + end + json_key + end + + # Initializes a UserRefreshCredentials. + # + # @param scope [string|array] the scope(s) to access + # @param json_key_io [IO] an IO from which the JSON key can be read + def initialize(scope, json_key_io) + user_creds = self.class.read_json_key(json_key_io) + super(token_credential_uri: TOKEN_CRED_URI, + client_id: user_creds['client_id'], + client_secret: user_creds['client_secret'], + refresh_token: user_creds['refresh_token'], + scope: scope) + end + end + end +end diff --git a/spec/googleauth/user_refresh_spec.rb b/spec/googleauth/user_refresh_spec.rb new file mode 100644 index 0000000..bbf23d2 --- /dev/null +++ b/spec/googleauth/user_refresh_spec.rb @@ -0,0 +1,170 @@ +# Copyright 2015, Google Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following disclaimer +# in the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Google Inc. nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +spec_dir = File.expand_path(File.join(File.dirname(__FILE__))) +$LOAD_PATH.unshift(spec_dir) +$LOAD_PATH.uniq! + +require 'apply_auth_examples' +require 'fileutils' +require 'googleauth/user_refresh' +require 'jwt' +require 'multi_json' +require 'openssl' +require 'spec_helper' +require 'tmpdir' + +describe Google::Auth::UserRefreshCredentials do + UserRefreshCredentials = Google::Auth::UserRefreshCredentials + CredentialsLoader = Google::Auth::CredentialsLoader + + before(:example) do + @key = OpenSSL::PKey::RSA.new(2048) + @client = UserRefreshCredentials.new( + 'https://www.googleapis.com/auth/userinfo.profile', + StringIO.new(cred_json_text)) + end + + def make_auth_stubs(opts = {}) + access_token = opts[:access_token] || '' + Faraday::Adapter::Test::Stubs.new do |stub| + stub.post('/oauth2/v3/token') do |env| + params = Addressable::URI.form_unencode(env[:body]) + want = %w(grant_type refresh_token) + expect(params.assoc('grant_type')).to eq(want) + build_access_token_json(access_token) + end + end + end + + def cred_json_text(missing = nil) + cred_json = { + client_secret: 'privatekey', + client_id: 'client123', + refresh_token: 'refreshtoken', + type: 'authorized_user' + } + cred_json.delete(missing.to_sym) unless missing.nil? + MultiJson.dump(cred_json) + end + + it_behaves_like 'apply/apply! are OK' + + describe '#from_env' do + before(:example) do + @var_name = CredentialsLoader::ENV_VAR + @orig = ENV[@var_name] + @scope = 'https://www.googleapis.com/auth/userinfo.profile' + @clz = UserRefreshCredentials + end + + after(:example) do + ENV[@var_name] = @orig unless @orig.nil? + end + + it 'returns nil if the GOOGLE_APPLICATION_CREDENTIALS is unset' do + ENV.delete(@var_name) unless ENV[@var_name].nil? + expect(UserRefreshCredentials.from_env(@scope)).to be_nil + end + + it 'fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist' do + ENV.delete(@var_name) unless ENV[@var_name].nil? + expect(UserRefreshCredentials.from_env(@scope)).to be_nil + Dir.mktmpdir do |dir| + key_path = File.join(dir, 'does-not-exist') + ENV[@var_name] = key_path + expect { @clz.from_env(@scope) }.to raise_error + end + end + + it 'fails if the GOOGLE_APPLICATION_CREDENTIALS path file is invalid' do + needed = %w(client_id client_secret refresh_token) + needed.each do |missing| + Dir.mktmpdir do |dir| + key_path = File.join(dir, 'my_cert_file') + FileUtils.mkdir_p(File.dirname(key_path)) + File.write(key_path, cred_json_text(missing)) + ENV[@var_name] = key_path + expect { @clz.from_env(@scope) }.to raise_error + end + end + end + + it 'succeeds when the GOOGLE_APPLICATION_CREDENTIALS file is valid' do + Dir.mktmpdir do |dir| + key_path = File.join(dir, 'my_cert_file') + FileUtils.mkdir_p(File.dirname(key_path)) + File.write(key_path, cred_json_text) + ENV[@var_name] = key_path + expect(@clz.from_env(@scope)).to_not be_nil + end + end + end + + describe '#from_well_known_path' do + before(:example) do + @home = ENV['HOME'] + @scope = 'https://www.googleapis.com/auth/userinfo.profile' + @known_path = CredentialsLoader::WELL_KNOWN_PATH + @clz = UserRefreshCredentials + end + + after(:example) do + ENV['HOME'] = @home unless @home == ENV['HOME'] + end + + it 'is nil if no file exists' do + ENV['HOME'] = File.dirname(__FILE__) + expect(UserRefreshCredentials.from_well_known_path(@scope)).to be_nil + end + + it 'fails if the file is invalid' do + needed = %w(client_id client_secret refresh_token) + needed.each do |missing| + Dir.mktmpdir do |dir| + key_path = File.join(dir, '.config', @known_path) + FileUtils.mkdir_p(File.dirname(key_path)) + File.write(key_path, cred_json_text(missing)) + ENV['HOME'] = dir + expect { @clz.from_env(@scope) }.to raise_error + end + end + end + + it 'successfully loads the file when it is present' do + Dir.mktmpdir do |dir| + key_path = File.join(dir, '.config', @known_path) + FileUtils.mkdir_p(File.dirname(key_path)) + File.write(key_path, cred_json_text) + ENV['HOME'] = dir + expect(@clz.from_well_known_path(@scope)).to_not be_nil + end + end + end +end From 4d4bcd46e8d8350b021c2f34b712e507201b1449 Mon Sep 17 00:00:00 2001 From: Tim Emiola Date: Fri, 6 Mar 2015 16:58:57 -0800 Subject: [PATCH 3/4] Add support for loading either credentials type as determined by the loaded content --- lib/googleauth.rb | 33 +++- lib/googleauth/credentials_loader.rb | 12 +- .../get_application_default_spec.rb | 166 ++++++++++-------- 3 files changed, 134 insertions(+), 77 deletions(-) diff --git a/lib/googleauth.rb b/lib/googleauth.rb index d6dafa5..d82b2ac 100644 --- a/lib/googleauth.rb +++ b/lib/googleauth.rb @@ -27,8 +27,13 @@ # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -require 'googleauth/service_account' +require 'multi_json' +require 'stringio' + +require 'googleauth/credentials_loader' require 'googleauth/compute_engine' +require 'googleauth/service_account' +require 'googleauth/user_refresh' module Google # Module Auth provides classes that provide Google-specific authorization @@ -40,6 +45,28 @@ https://developers.google.com/accounts/docs/application-default-credentials for more information END + # DefaultCredentials is used to preload the credentials file, to determine + # which type of credentials should be loaded. + class DefaultCredentials + extend CredentialsLoader + + # override CredentialsLoader#make_creds to use the class determined by + # loading the json. + def self.make_creds(scope, json_key_io) + json_key, clz = determine_creds_class(json_key_io) + clz.new(scope, StringIO.new(MultiJson.dump(json_key))) + end + + # Reads the input json and determines which creds class to use. + def self.determine_creds_class(json_key_io) + json_key = MultiJson.load(json_key_io.read) + fail "the json is missing the #{key} field" unless json_key.key?('type') + svc_account = json_key['type'] == 'service_account' + return json_key, ServiceAccountCredentials if svc_account + [json_key, UserRefreshCredentials] + end + end + # Obtains the default credentials implementation to use in this # environment. # @@ -53,9 +80,9 @@ END # @param scope [string|array] the scope(s) to access # @param options [hash] allows override of the connection being used def get_application_default(scope, options = {}) - creds = ServiceAccountCredentials.from_env(scope) + creds = DefaultCredentials.from_env(scope) return creds unless creds.nil? - creds = ServiceAccountCredentials.from_well_known_path(scope) + creds = DefaultCredentials.from_well_known_path(scope) return creds unless creds.nil? fail NOT_FOUND_ERROR unless GCECredentials.on_gce?(options) GCECredentials.new diff --git a/lib/googleauth/credentials_loader.rb b/lib/googleauth/credentials_loader.rb index 96c9ee2..f4ea619 100644 --- a/lib/googleauth/credentials_loader.rb +++ b/lib/googleauth/credentials_loader.rb @@ -50,6 +50,14 @@ module Google end memoize :windows? + # make_creds proxies the construction of a credentials instance + # + # By default, it calls #new on the current class, but this behaviour can + # be modified, allowing different instances to be created. + def make_creds(*args) + new(*args) + end + # Creates an instance from the path specified in an environment # variable. # @@ -59,7 +67,7 @@ module Google path = ENV[ENV_VAR] fail 'file #{path} does not exist' unless File.exist?(path) File.open(path) do |f| - return new(scope, f) + return make_creds(scope, f) end rescue StandardError => e raise "#{NOT_FOUND_ERROR}: #{e}" @@ -75,7 +83,7 @@ module Google path = File.join(root, base) return nil unless File.exist?(path) File.open(path) do |f| - return new(scope, f) + return make_creds(scope, f) end rescue StandardError => e raise "#{WELL_KNOWN_ERROR}: #{e}" diff --git a/spec/googleauth/get_application_default_spec.rb b/spec/googleauth/get_application_default_spec.rb index 877d940..d6522fa 100644 --- a/spec/googleauth/get_application_default_spec.rb +++ b/spec/googleauth/get_application_default_spec.rb @@ -49,86 +49,108 @@ describe '#get_application_default' do ENV['HOME'] = @home unless @home == ENV['HOME'] end - def cred_json_text - cred_json = { - private_key_id: 'a_private_key_id', - private_key: @key.to_pem, - client_email: 'app@developer.gserviceaccount.com', - client_id: 'app.apps.googleusercontent.com', - type: 'service_account' - } - MultiJson.dump(cred_json) - end + shared_examples 'it loads them correctly' do + it 'fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist' do + Dir.mktmpdir do |dir| + key_path = File.join(dir, 'does-not-exist') + ENV[@var_name] = key_path + expect { Google::Auth.get_application_default(@scope) }.to raise_error + end + end - it 'fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist' do - Dir.mktmpdir do |dir| - key_path = File.join(dir, 'does-not-exist') - ENV[@var_name] = key_path - expect { Google::Auth.get_application_default(@scope) }.to raise_error + it 'succeeds if the GOOGLE_APPLICATION_CREDENTIALS file is valid' do + Dir.mktmpdir do |dir| + key_path = File.join(dir, 'my_cert_file') + FileUtils.mkdir_p(File.dirname(key_path)) + File.write(key_path, cred_json_text) + ENV[@var_name] = key_path + expect(Google::Auth.get_application_default(@scope)).to_not be_nil + end + end + + it 'succeeds with default file without GOOGLE_APPLICATION_CREDENTIALS' do + ENV.delete(@var_name) unless ENV[@var_name].nil? + Dir.mktmpdir do |dir| + key_path = File.join(dir, '.config', + CredentialsLoader::WELL_KNOWN_PATH) + FileUtils.mkdir_p(File.dirname(key_path)) + File.write(key_path, cred_json_text) + ENV['HOME'] = dir + expect(Google::Auth.get_application_default(@scope)).to_not be_nil + end + end + + it 'fails without default file or env if not on compute engine' do + stubs = Faraday::Adapter::Test::Stubs.new do |stub| + stub.get('/') do |_env| + [404, + { 'Metadata-Flavor' => 'Google' }, + ''] + end + end # GCE not detected + Dir.mktmpdir do |dir| + ENV.delete(@var_name) unless ENV[@var_name].nil? # no env var + ENV['HOME'] = dir # no config present in this tmp dir + c = Faraday.new do |b| + b.adapter(:test, stubs) + end + blk = proc do + Google::Auth.get_application_default(@scope, connection: c) + end + expect(&blk).to raise_error + end + stubs.verify_stubbed_calls + end + + it 'succeeds without default file or env if on compute engine' do + stubs = Faraday::Adapter::Test::Stubs.new do |stub| + stub.get('/') do |_env| + [200, + { 'Metadata-Flavor' => 'Google' }, + ''] + end + end # GCE detected + Dir.mktmpdir do |dir| + ENV.delete(@var_name) unless ENV[@var_name].nil? # no env var + ENV['HOME'] = dir # no config present in this tmp dir + c = Faraday.new do |b| + b.adapter(:test, stubs) + end + creds = Google::Auth.get_application_default( + @scope, + connection: c) + expect(creds).to_not be_nil + end + stubs.verify_stubbed_calls end end - it 'succeeds if the GOOGLE_APPLICATION_CREDENTIALS file is valid' do - Dir.mktmpdir do |dir| - key_path = File.join(dir, 'my_cert_file') - FileUtils.mkdir_p(File.dirname(key_path)) - File.write(key_path, cred_json_text) - ENV[@var_name] = key_path - expect(Google::Auth.get_application_default(@scope)).to_not be_nil + describe 'when credential type is service account' do + def cred_json_text + cred_json = { + private_key_id: 'a_private_key_id', + private_key: @key.to_pem, + client_email: 'app@developer.gserviceaccount.com', + client_id: 'app.apps.googleusercontent.com', + type: 'service_account' + } + MultiJson.dump(cred_json) end + + it_behaves_like 'it loads them correctly' end - it 'succeeds with default file if GOOGLE_APPLICATION_CREDENTIALS is unset' do - ENV.delete(@var_name) unless ENV[@var_name].nil? - Dir.mktmpdir do |dir| - key_path = File.join(dir, '.config', - CredentialsLoader::WELL_KNOWN_PATH) - FileUtils.mkdir_p(File.dirname(key_path)) - File.write(key_path, cred_json_text) - ENV['HOME'] = dir - expect(Google::Auth.get_application_default(@scope)).to_not be_nil + describe 'when credential type is authorized_user' do + def cred_json_text + cred_json = { + client_secret: 'privatekey', + refresh_token: 'refreshtoken', + client_id: 'app.apps.googleusercontent.com', + type: 'authorized_user' + } + MultiJson.dump(cred_json) end - end - it 'fails without default file or env if not on compute engine' do - stubs = Faraday::Adapter::Test::Stubs.new do |stub| - stub.get('/') do |_env| - [404, - { 'Metadata-Flavor' => 'Google' }, - ''] - end - end # GCE not detected - Dir.mktmpdir do |dir| - ENV.delete(@var_name) unless ENV[@var_name].nil? # no env var - ENV['HOME'] = dir # no config present in this tmp dir - c = Faraday.new do |b| - b.adapter(:test, stubs) - end - blk = proc do - Google::Auth.get_application_default(@scope, connection: c) - end - expect(&blk).to raise_error - end - stubs.verify_stubbed_calls - end - - it 'succeeds without default file or env if on compute engine' do - stubs = Faraday::Adapter::Test::Stubs.new do |stub| - stub.get('/') do |_env| - [200, - { 'Metadata-Flavor' => 'Google' }, - ''] - end - end # GCE detected - Dir.mktmpdir do |dir| - ENV.delete(@var_name) unless ENV[@var_name].nil? # no env var - ENV['HOME'] = dir # no config present in this tmp dir - c = Faraday.new do |b| - b.adapter(:test, stubs) - end - expect(Google::Auth.get_application_default(@scope, - connection: c)).to_not be_nil - end - stubs.verify_stubbed_calls + it_behaves_like 'it loads them correctly' end end From 8f33ba8f4c5474e41fa2d5b55039b2389d24bd58 Mon Sep 17 00:00:00 2001 From: Tim Emiola Date: Mon, 9 Mar 2015 09:50:18 -0700 Subject: [PATCH 4/4] Explicitly checks for user auth and fail if auth type is not known --- lib/googleauth.rb | 7 +- .../get_application_default_spec.rb | 94 ++++++++++++++----- 2 files changed, 73 insertions(+), 28 deletions(-) diff --git a/lib/googleauth.rb b/lib/googleauth.rb index d82b2ac..65ea0f4 100644 --- a/lib/googleauth.rb +++ b/lib/googleauth.rb @@ -61,9 +61,10 @@ END def self.determine_creds_class(json_key_io) json_key = MultiJson.load(json_key_io.read) fail "the json is missing the #{key} field" unless json_key.key?('type') - svc_account = json_key['type'] == 'service_account' - return json_key, ServiceAccountCredentials if svc_account - [json_key, UserRefreshCredentials] + type = json_key['type'] + return json_key, ServiceAccountCredentials if type == 'service_account' + return [json_key, UserRefreshCredentials] if type == 'authorized_user' + fail "credentials type '#{type}' is not supported" end end diff --git a/spec/googleauth/get_application_default_spec.rb b/spec/googleauth/get_application_default_spec.rb index d6522fa..28ec6cd 100644 --- a/spec/googleauth/get_application_default_spec.rb +++ b/spec/googleauth/get_application_default_spec.rb @@ -49,7 +49,7 @@ describe '#get_application_default' do ENV['HOME'] = @home unless @home == ENV['HOME'] end - shared_examples 'it loads them correctly' do + shared_examples 'it cannot load misconfigured credentials' do it 'fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist' do Dir.mktmpdir do |dir| key_path = File.join(dir, 'does-not-exist') @@ -58,28 +58,6 @@ describe '#get_application_default' do end end - it 'succeeds if the GOOGLE_APPLICATION_CREDENTIALS file is valid' do - Dir.mktmpdir do |dir| - key_path = File.join(dir, 'my_cert_file') - FileUtils.mkdir_p(File.dirname(key_path)) - File.write(key_path, cred_json_text) - ENV[@var_name] = key_path - expect(Google::Auth.get_application_default(@scope)).to_not be_nil - end - end - - it 'succeeds with default file without GOOGLE_APPLICATION_CREDENTIALS' do - ENV.delete(@var_name) unless ENV[@var_name].nil? - Dir.mktmpdir do |dir| - key_path = File.join(dir, '.config', - CredentialsLoader::WELL_KNOWN_PATH) - FileUtils.mkdir_p(File.dirname(key_path)) - File.write(key_path, cred_json_text) - ENV['HOME'] = dir - expect(Google::Auth.get_application_default(@scope)).to_not be_nil - end - end - it 'fails without default file or env if not on compute engine' do stubs = Faraday::Adapter::Test::Stubs.new do |stub| stub.get('/') do |_env| @@ -101,6 +79,30 @@ describe '#get_application_default' do end stubs.verify_stubbed_calls end + end + + shared_examples 'it can successfully load credentials' do + it 'succeeds if the GOOGLE_APPLICATION_CREDENTIALS file is valid' do + Dir.mktmpdir do |dir| + key_path = File.join(dir, 'my_cert_file') + FileUtils.mkdir_p(File.dirname(key_path)) + File.write(key_path, cred_json_text) + ENV[@var_name] = key_path + expect(Google::Auth.get_application_default(@scope)).to_not be_nil + end + end + + it 'succeeds with default file without GOOGLE_APPLICATION_CREDENTIALS' do + ENV.delete(@var_name) unless ENV[@var_name].nil? + Dir.mktmpdir do |dir| + key_path = File.join(dir, '.config', + CredentialsLoader::WELL_KNOWN_PATH) + FileUtils.mkdir_p(File.dirname(key_path)) + File.write(key_path, cred_json_text) + ENV['HOME'] = dir + expect(Google::Auth.get_application_default(@scope)).to_not be_nil + end + end it 'succeeds without default file or env if on compute engine' do stubs = Faraday::Adapter::Test::Stubs.new do |stub| @@ -137,7 +139,8 @@ describe '#get_application_default' do MultiJson.dump(cred_json) end - it_behaves_like 'it loads them correctly' + it_behaves_like 'it can successfully load credentials' + it_behaves_like 'it cannot load misconfigured credentials' end describe 'when credential type is authorized_user' do @@ -151,6 +154,47 @@ describe '#get_application_default' do MultiJson.dump(cred_json) end - it_behaves_like 'it loads them correctly' + it_behaves_like 'it can successfully load credentials' + it_behaves_like 'it cannot load misconfigured credentials' + end + + describe 'when credential type is unknown' do + def cred_json_text + cred_json = { + client_secret: 'privatekey', + refresh_token: 'refreshtoken', + client_id: 'app.apps.googleusercontent.com', + type: 'not_known_type' + } + MultiJson.dump(cred_json) + end + + it 'fails if the GOOGLE_APPLICATION_CREDENTIALS file contains the creds' do + Dir.mktmpdir do |dir| + key_path = File.join(dir, 'my_cert_file') + FileUtils.mkdir_p(File.dirname(key_path)) + File.write(key_path, cred_json_text) + ENV[@var_name] = key_path + blk = proc do + Google::Auth.get_application_default(@scope) + end + expect(&blk).to raise_error RuntimeError + end + end + + it 'fails if the well known file contains the creds' do + ENV.delete(@var_name) unless ENV[@var_name].nil? + Dir.mktmpdir do |dir| + key_path = File.join(dir, '.config', + CredentialsLoader::WELL_KNOWN_PATH) + FileUtils.mkdir_p(File.dirname(key_path)) + File.write(key_path, cred_json_text) + ENV['HOME'] = dir + blk = proc do + Google::Auth.get_application_default(@scope) + end + expect(&blk).to raise_error RuntimeError + end + end end end