Add simple credentials class. (#122)
* Add simple credentials class * 1.9.3 fix * Review fixes * Move into it's own file. Cleanup require statements
This commit is contained in:
parent
7ee081052d
commit
c148fc12bb
|
@ -27,99 +27,9 @@
|
|||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
require 'multi_json'
|
||||
require 'stringio'
|
||||
|
||||
require 'googleauth/credentials_loader'
|
||||
require 'googleauth/compute_engine'
|
||||
require 'googleauth/service_account'
|
||||
require 'googleauth/user_refresh'
|
||||
require 'googleauth/application_default'
|
||||
require 'googleauth/client_id'
|
||||
require 'googleauth/credentials'
|
||||
require 'googleauth/default_credentials'
|
||||
require 'googleauth/user_authorizer'
|
||||
require 'googleauth/web_user_authorizer'
|
||||
|
||||
module Google
|
||||
# Module Auth provides classes that provide Google-specific authorization
|
||||
# used to access Google APIs.
|
||||
module Auth
|
||||
NOT_FOUND_ERROR = <<END.freeze
|
||||
Could not load the default credentials. Browse to
|
||||
https://developers.google.com/accounts/docs/application-default-credentials
|
||||
for more information
|
||||
END
|
||||
|
||||
# DefaultCredentials is used to preload the credentials file, to determine
|
||||
# which type of credentials should be loaded.
|
||||
class DefaultCredentials
|
||||
extend CredentialsLoader
|
||||
|
||||
# override CredentialsLoader#make_creds to use the class determined by
|
||||
# loading the json.
|
||||
def self.make_creds(options = {})
|
||||
json_key_io, scope = options.values_at(:json_key_io, :scope)
|
||||
if json_key_io
|
||||
json_key, clz = determine_creds_class(json_key_io)
|
||||
clz.make_creds(json_key_io: StringIO.new(MultiJson.dump(json_key)),
|
||||
scope: scope)
|
||||
else
|
||||
clz = read_creds
|
||||
clz.make_creds(scope: scope)
|
||||
end
|
||||
end
|
||||
|
||||
def self.read_creds
|
||||
env_var = CredentialsLoader::ACCOUNT_TYPE_VAR
|
||||
type = ENV[env_var]
|
||||
raise "#{env_var} is undefined in env" unless type
|
||||
case type
|
||||
when 'service_account'
|
||||
ServiceAccountCredentials
|
||||
when 'authorized_user'
|
||||
UserRefreshCredentials
|
||||
else
|
||||
raise "credentials type '#{type}' is not supported"
|
||||
end
|
||||
end
|
||||
|
||||
# Reads the input json and determines which creds class to use.
|
||||
def self.determine_creds_class(json_key_io)
|
||||
json_key = MultiJson.load(json_key_io.read)
|
||||
key = 'type'
|
||||
raise "the json is missing the '#{key}' field" unless json_key.key?(key)
|
||||
type = json_key[key]
|
||||
case type
|
||||
when 'service_account'
|
||||
[json_key, ServiceAccountCredentials]
|
||||
when 'authorized_user'
|
||||
[json_key, UserRefreshCredentials]
|
||||
else
|
||||
raise "credentials type '#{type}' is not supported"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# Obtains the default credentials implementation to use in this
|
||||
# environment.
|
||||
#
|
||||
# Use this to obtain the Application Default Credentials for accessing
|
||||
# Google APIs. Application Default Credentials are described in detail
|
||||
# at http://goo.gl/IUuyuX.
|
||||
#
|
||||
# If supplied, scope is used to create the credentials instance, when it can
|
||||
# be applied. E.g, on google compute engine and for user credentials the
|
||||
# scope is ignored.
|
||||
#
|
||||
# @param scope [string|array|nil] the scope(s) to access
|
||||
# @param options [hash] allows override of the connection being used
|
||||
def get_application_default(scope = nil, options = {})
|
||||
creds = DefaultCredentials.from_env(scope) ||
|
||||
DefaultCredentials.from_well_known_path(scope) ||
|
||||
DefaultCredentials.from_system_default_path(scope)
|
||||
return creds unless creds.nil?
|
||||
raise NOT_FOUND_ERROR unless GCECredentials.on_gce?(options)
|
||||
GCECredentials.new
|
||||
end
|
||||
|
||||
module_function :get_application_default
|
||||
end
|
||||
end
|
||||
|
|
|
@ -0,0 +1,67 @@
|
|||
# Copyright 2015, Google Inc.
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are
|
||||
# met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# * Redistributions in binary form must reproduce the above
|
||||
# copyright notice, this list of conditions and the following disclaimer
|
||||
# in the documentation and/or other materials provided with the
|
||||
# distribution.
|
||||
# * Neither the name of Google Inc. nor the names of its
|
||||
# contributors may be used to endorse or promote products derived from
|
||||
# this software without specific prior written permission.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
require 'googleauth/compute_engine'
|
||||
require 'googleauth/default_credentials'
|
||||
|
||||
module Google
|
||||
# Module Auth provides classes that provide Google-specific authorization
|
||||
# used to access Google APIs.
|
||||
module Auth
|
||||
NOT_FOUND_ERROR = <<ERROR_MESSAGE.freeze
|
||||
Could not load the default credentials. Browse to
|
||||
https://developers.google.com/accounts/docs/application-default-credentials
|
||||
for more information
|
||||
ERROR_MESSAGE
|
||||
|
||||
# Obtains the default credentials implementation to use in this
|
||||
# environment.
|
||||
#
|
||||
# Use this to obtain the Application Default Credentials for accessing
|
||||
# Google APIs. Application Default Credentials are described in detail
|
||||
# at http://goo.gl/IUuyuX.
|
||||
#
|
||||
# If supplied, scope is used to create the credentials instance, when it can
|
||||
# be applied. E.g, on google compute engine and for user credentials the
|
||||
# scope is ignored.
|
||||
#
|
||||
# @param scope [string|array|nil] the scope(s) to access
|
||||
# @param options [hash] allows override of the connection being used
|
||||
def get_application_default(scope = nil, options = {})
|
||||
creds = DefaultCredentials.from_env(scope) ||
|
||||
DefaultCredentials.from_well_known_path(scope) ||
|
||||
DefaultCredentials.from_system_default_path(scope)
|
||||
return creds unless creds.nil?
|
||||
raise NOT_FOUND_ERROR unless GCECredentials.on_gce?(options)
|
||||
GCECredentials.new
|
||||
end
|
||||
|
||||
module_function :get_application_default
|
||||
end
|
||||
end
|
|
@ -0,0 +1,177 @@
|
|||
# Copyright 2017, Google Inc.
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are
|
||||
# met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# * Redistributions in binary form must reproduce the above
|
||||
# copyright notice, this list of conditions and the following disclaimer
|
||||
# in the documentation and/or other materials provided with the
|
||||
# distribution.
|
||||
# * Neither the name of Google Inc. nor the names of its
|
||||
# contributors may be used to endorse or promote products derived from
|
||||
# this software without specific prior written permission.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
require 'forwardable'
|
||||
require 'json'
|
||||
require 'signet/oauth_2/client'
|
||||
|
||||
require 'googleauth/default_credentials'
|
||||
|
||||
module Google
|
||||
module Auth
|
||||
# This class is intended to be inherited by API-specific classes
|
||||
# which overrides the SCOPE constant.
|
||||
class Credentials
|
||||
TOKEN_CREDENTIAL_URI = 'https://accounts.google.com/o/oauth2/token'.freeze
|
||||
AUDIENCE = 'https://accounts.google.com/o/oauth2/token'.freeze
|
||||
SCOPE = [].freeze
|
||||
PATH_ENV_VARS = [].freeze
|
||||
JSON_ENV_VARS = [].freeze
|
||||
DEFAULT_PATHS = [].freeze
|
||||
|
||||
attr_accessor :client
|
||||
|
||||
# Delegate client methods to the client object.
|
||||
extend Forwardable
|
||||
def_delegators :@client,
|
||||
:token_credential_uri, :audience,
|
||||
:scope, :issuer, :signing_key, :updater_proc
|
||||
|
||||
def initialize(keyfile, options = {})
|
||||
scope = options[:scope]
|
||||
verify_keyfile_provided! keyfile
|
||||
if keyfile.is_a? Signet::OAuth2::Client
|
||||
@client = keyfile
|
||||
elsif keyfile.is_a? Hash
|
||||
hash = stringify_hash_keys keyfile
|
||||
hash['scope'] ||= scope
|
||||
@client = init_client hash
|
||||
else
|
||||
verify_keyfile_exists! keyfile
|
||||
json = JSON.parse ::File.read(keyfile)
|
||||
json['scope'] ||= scope
|
||||
@client = init_client json
|
||||
end
|
||||
@client.fetch_access_token!
|
||||
end
|
||||
|
||||
# Returns the default credentials checking, in this order, the path env
|
||||
# evironment variables, json environment variables, default paths. If the
|
||||
# previously stated locations do not contain keyfile information,
|
||||
# this method defaults to use the application default.
|
||||
def self.default(options = {})
|
||||
scope = options[:scope]
|
||||
# First try to find keyfile file from environment variables.
|
||||
client = from_path_vars(scope)
|
||||
|
||||
# Second try to find keyfile json from environment variables.
|
||||
client ||= from_json_vars(scope)
|
||||
|
||||
# Third try to find keyfile file from known file paths.
|
||||
client ||= from_default_vars(scope)
|
||||
|
||||
# Finally get instantiated client from Google::Auth
|
||||
client ||= from_application_default(scope)
|
||||
client
|
||||
end
|
||||
|
||||
def self.from_path_vars(scope)
|
||||
self::PATH_ENV_VARS
|
||||
.map { |v| ENV[v] }
|
||||
.compact
|
||||
.select { |p| ::File.file? p }
|
||||
.each do |file|
|
||||
return new file, scope: scope
|
||||
end
|
||||
end
|
||||
|
||||
def self.from_json_vars(scope)
|
||||
json = lambda do |v|
|
||||
unless ENV[v].nil?
|
||||
begin
|
||||
JSON.parse ENV[v]
|
||||
rescue
|
||||
nil
|
||||
end
|
||||
end
|
||||
end
|
||||
self::JSON_ENV_VARS.map(&json).compact.each do |hash|
|
||||
return new hash, scope: scope
|
||||
end
|
||||
end
|
||||
|
||||
def self.from_default_paths(scope)
|
||||
self::DEFAULT_PATHS
|
||||
.select { |p| ::File.file? p }
|
||||
.each do |file|
|
||||
return new file, scope: scope
|
||||
end
|
||||
end
|
||||
|
||||
def self.from_application_default(scope)
|
||||
scope ||= self::SCOPE
|
||||
client = Google::Auth.get_application_default scope
|
||||
new client
|
||||
end
|
||||
private_class_method :from_path_vars,
|
||||
:from_json_vars,
|
||||
:from_default_paths,
|
||||
:from_application_default
|
||||
|
||||
protected
|
||||
|
||||
# Verify that the keyfile argument is provided.
|
||||
def verify_keyfile_provided!(keyfile)
|
||||
return unless keyfile.nil?
|
||||
raise 'The keyfile passed to Google::Auth::Credentials.new was nil.'
|
||||
end
|
||||
|
||||
# Verify that the keyfile argument is a file.
|
||||
def verify_keyfile_exists!(keyfile)
|
||||
exists = ::File.file? keyfile
|
||||
raise "The keyfile '#{keyfile}' is not a valid file." unless exists
|
||||
end
|
||||
|
||||
# Initializes the Signet client.
|
||||
def init_client(keyfile)
|
||||
client_opts = client_options keyfile
|
||||
Signet::OAuth2::Client.new client_opts
|
||||
end
|
||||
|
||||
# returns a new Hash with string keys instead of symbol keys.
|
||||
def stringify_hash_keys(hash)
|
||||
Hash[hash.map { |k, v| [k.to_s, v] }]
|
||||
end
|
||||
|
||||
def client_options(options)
|
||||
# Keyfile options have higher priority over constructor defaults
|
||||
options['token_credential_uri'] ||= self.class::TOKEN_CREDENTIAL_URI
|
||||
options['audience'] ||= self.class::AUDIENCE
|
||||
options['scope'] ||= self.class::SCOPE
|
||||
|
||||
# client options for initializing signet client
|
||||
{ token_credential_uri: options['token_credential_uri'],
|
||||
audience: options['audience'],
|
||||
scope: Array(options['scope']),
|
||||
issuer: options['client_email'],
|
||||
signing_key: OpenSSL::PKey::RSA.new(options['private_key']) }
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,91 @@
|
|||
# Copyright 2015, Google Inc.
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are
|
||||
# met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# * Redistributions in binary form must reproduce the above
|
||||
# copyright notice, this list of conditions and the following disclaimer
|
||||
# in the documentation and/or other materials provided with the
|
||||
# distribution.
|
||||
# * Neither the name of Google Inc. nor the names of its
|
||||
# contributors may be used to endorse or promote products derived from
|
||||
# this software without specific prior written permission.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
require 'multi_json'
|
||||
require 'stringio'
|
||||
|
||||
require 'googleauth/credentials_loader'
|
||||
require 'googleauth/service_account'
|
||||
require 'googleauth/user_refresh'
|
||||
|
||||
module Google
|
||||
# Module Auth provides classes that provide Google-specific authorization
|
||||
# used to access Google APIs.
|
||||
module Auth
|
||||
# DefaultCredentials is used to preload the credentials file, to determine
|
||||
# which type of credentials should be loaded.
|
||||
class DefaultCredentials
|
||||
extend CredentialsLoader
|
||||
|
||||
# override CredentialsLoader#make_creds to use the class determined by
|
||||
# loading the json.
|
||||
def self.make_creds(options = {})
|
||||
json_key_io, scope = options.values_at(:json_key_io, :scope)
|
||||
if json_key_io
|
||||
json_key, clz = determine_creds_class(json_key_io)
|
||||
clz.make_creds(json_key_io: StringIO.new(MultiJson.dump(json_key)),
|
||||
scope: scope)
|
||||
else
|
||||
clz = read_creds
|
||||
clz.make_creds(scope: scope)
|
||||
end
|
||||
end
|
||||
|
||||
def self.read_creds
|
||||
env_var = CredentialsLoader::ACCOUNT_TYPE_VAR
|
||||
type = ENV[env_var]
|
||||
raise "#{env_var} is undefined in env" unless type
|
||||
case type
|
||||
when 'service_account'
|
||||
ServiceAccountCredentials
|
||||
when 'authorized_user'
|
||||
UserRefreshCredentials
|
||||
else
|
||||
raise "credentials type '#{type}' is not supported"
|
||||
end
|
||||
end
|
||||
|
||||
# Reads the input json and determines which creds class to use.
|
||||
def self.determine_creds_class(json_key_io)
|
||||
json_key = MultiJson.load(json_key_io.read)
|
||||
key = 'type'
|
||||
raise "the json is missing the '#{key}' field" unless json_key.key?(key)
|
||||
type = json_key[key]
|
||||
case type
|
||||
when 'service_account'
|
||||
[json_key, ServiceAccountCredentials]
|
||||
when 'authorized_user'
|
||||
[json_key, UserRefreshCredentials]
|
||||
else
|
||||
raise "credentials type '#{type}' is not supported"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,108 @@
|
|||
# Copyright 2017, Google Inc.
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are
|
||||
# met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# * Redistributions in binary form must reproduce the above
|
||||
# copyright notice, this list of conditions and the following disclaimer
|
||||
# in the documentation and/or other materials provided with the
|
||||
# distribution.
|
||||
# * Neither the name of Google Inc. nor the names of its
|
||||
# contributors may be used to endorse or promote products derived from
|
||||
# this software without specific prior written permission.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
require 'googleauth'
|
||||
|
||||
# This test is testing the private class Google::Auth::Credentials. We want to
|
||||
# make sure that the passed in scope propogates to the Signet object. This means
|
||||
# testing the private API, which is generally frowned on.
|
||||
describe Google::Auth::Credentials, :private do
|
||||
let(:default_keyfile_hash) do
|
||||
{
|
||||
'private_key_id' => 'testabc1234567890xyz',
|
||||
'private_key' => "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAOyi0Hy1l4Ym2m2o71Q0TF4O9E81isZEsX0bb+Bqz1SXEaSxLiXM\nUZE8wu0eEXivXuZg6QVCW/5l+f2+9UPrdNUCAwEAAQJAJkqubA/Chj3RSL92guy3\nktzeodarLyw8gF8pOmpuRGSiEo/OLTeRUMKKD1/kX4f9sxf3qDhB4e7dulXR1co/\nIQIhAPx8kMW4XTTL6lJYd2K5GrH8uBMp8qL5ya3/XHrBgw3dAiEA7+3Iw3ULTn2I\n1J34WlJ2D5fbzMzB4FAHUNEV7Ys3f1kCIQDtUahCMChrl7+H5t9QS+xrn77lRGhs\nB50pjvy95WXpgQIhAI2joW6JzTfz8fAapb+kiJ/h9Vcs1ZN3iyoRlNFb61JZAiA8\nNy5NyNrMVwtB/lfJf1dAK/p/Bwd8LZLtgM6PapRfgw==\n-----END RSA PRIVATE KEY-----\n",
|
||||
'client_email' => 'credz-testabc1234567890xyz@developer.gserviceaccount.com',
|
||||
'client_id' => 'credz-testabc1234567890xyz.apps.googleusercontent.com',
|
||||
'type' => 'service_account'
|
||||
}
|
||||
end
|
||||
|
||||
it 'uses a default scope' do
|
||||
mocked_signet = double('Signet::OAuth2::Client')
|
||||
allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
|
||||
allow(Signet::OAuth2::Client).to receive(:new) do |options|
|
||||
expect(options[:token_credential_uri]).to eq('https://accounts.google.com/o/oauth2/token')
|
||||
expect(options[:audience]).to eq('https://accounts.google.com/o/oauth2/token')
|
||||
expect(options[:scope]).to eq([])
|
||||
expect(options[:issuer]).to eq(default_keyfile_hash['client_email'])
|
||||
expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
|
||||
|
||||
mocked_signet
|
||||
end
|
||||
|
||||
Google::Auth::Credentials.new default_keyfile_hash
|
||||
end
|
||||
|
||||
it 'uses a custom scope' do
|
||||
mocked_signet = double('Signet::OAuth2::Client')
|
||||
allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
|
||||
allow(Signet::OAuth2::Client).to receive(:new) do |options|
|
||||
expect(options[:token_credential_uri]).to eq('https://accounts.google.com/o/oauth2/token')
|
||||
expect(options[:audience]).to eq('https://accounts.google.com/o/oauth2/token')
|
||||
expect(options[:scope]).to eq(['http://example.com/scope'])
|
||||
expect(options[:issuer]).to eq(default_keyfile_hash['client_email'])
|
||||
expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
|
||||
|
||||
mocked_signet
|
||||
end
|
||||
|
||||
Google::Auth::Credentials.new default_keyfile_hash, scope: 'http://example.com/scope'
|
||||
end
|
||||
|
||||
it 'can be subclassed to pass in other env paths' do
|
||||
TEST_PATH_ENV_VAR = 'TEST_PATH'.freeze
|
||||
TEST_PATH_ENV_VAL = '/unknown/path/to/file.txt'.freeze
|
||||
TEST_JSON_ENV_VAR = 'TEST_JSON_VARS'.freeze
|
||||
|
||||
ENV[TEST_PATH_ENV_VAR] = TEST_PATH_ENV_VAL
|
||||
ENV[TEST_JSON_ENV_VAR] = JSON.generate(default_keyfile_hash)
|
||||
|
||||
class TestCredentials < Google::Auth::Credentials
|
||||
SCOPE = 'http://example.com/scope'.freeze
|
||||
PATH_ENV_VARS = [TEST_PATH_ENV_VAR].freeze
|
||||
JSON_ENV_VARS = [TEST_JSON_ENV_VAR].freeze
|
||||
end
|
||||
|
||||
allow(::File).to receive(:file?).with(TEST_PATH_ENV_VAL) { false }
|
||||
|
||||
mocked_signet = double('Signet::OAuth2::Client')
|
||||
allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
|
||||
allow(Signet::OAuth2::Client).to receive(:new) do |options|
|
||||
expect(options[:token_credential_uri]).to eq('https://accounts.google.com/o/oauth2/token')
|
||||
expect(options[:audience]).to eq('https://accounts.google.com/o/oauth2/token')
|
||||
expect(options[:scope]).to eq(['http://example.com/scope'])
|
||||
expect(options[:issuer]).to eq(default_keyfile_hash['client_email'])
|
||||
expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
|
||||
|
||||
mocked_signet
|
||||
end
|
||||
|
||||
TestCredentials.default
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue