Promote ServiceAccountCredentials when scope is nil

- if the ServiceAccountCredentials#apply is called when the scope is not set,
  authentication with the equivalent ServiceAccountJwtHeaderCredentials instance
  is attempted.
This commit is contained in:
Tim Emiola 2015-03-23 21:06:26 -07:00
parent 53ec6fce3b
commit c4bde552e6
3 changed files with 109 additions and 75 deletions

View File

@ -31,6 +31,7 @@ require 'googleauth/signet'
require 'googleauth/credentials_loader' require 'googleauth/credentials_loader'
require 'jwt' require 'jwt'
require 'multi_json' require 'multi_json'
require 'stringio'
module Google module Google
# Module Auth provides classes that provide Google-specific authorization # Module Auth provides classes that provide Google-specific authorization
@ -69,6 +70,29 @@ module Google
issuer: client_email, issuer: client_email,
signing_key: OpenSSL::PKey::RSA.new(private_key)) signing_key: OpenSSL::PKey::RSA.new(private_key))
end end
# Extends the base class.
#
# If scope(s) is not set, it creates a transient
# ServiceAccountJwtHeaderCredentials instance and uses that to
# authenticate instead.
def apply!(a_hash, opts = {})
# Use the base implementation if scopes are set
unless scope.nil?
super
return
end
# Use the ServiceAccountJwtHeaderCredentials using the same cred values
# if no scopes are set.
cred_json = {
private_key: @signing_key.to_s,
client_email: @issuer
}
alt_clz = ServiceAccountJwtHeaderCredentials
alt = alt_clz.new(StringIO.new(MultiJson.dump(cred_json)))
alt.apply!(a_hash)
end
end end
# Authenticates requests using Google's Service Account credentials via # Authenticates requests using Google's Service Account credentials via
@ -118,7 +142,7 @@ module Google
@signing_key = OpenSSL::PKey::RSA.new(private_key) @signing_key = OpenSSL::PKey::RSA.new(private_key)
end end
# Construct a jwt token if the WT_AUD_URI key is present in the input # Construct a jwt token if the JWT_AUD_URI key is present in the input
# hash. # hash.
# #
# The jwt token is used as the value of a 'Bearer '. # The jwt token is used as the value of a 'Bearer '.

View File

@ -47,7 +47,7 @@ def build_access_token_json(token)
end end
shared_examples 'apply/apply! are OK' do shared_examples 'apply/apply! are OK' do
WANTED_AUTH_KEY = :Authorization let(:auth_key) { :Authorization }
# tests that use these examples need to define # tests that use these examples need to define
# #
@ -79,7 +79,7 @@ shared_examples 'apply/apply! are OK' do
md = { foo: 'bar' } md = { foo: 'bar' }
@client.apply!(md, connection: c) @client.apply!(md, connection: c)
want = { :foo => 'bar', WANTED_AUTH_KEY => "Bearer #{token}" } want = { :foo => 'bar', auth_key => "Bearer #{token}" }
expect(md).to eq(want) expect(md).to eq(want)
stubs.verify_stubbed_calls stubs.verify_stubbed_calls
end end
@ -96,7 +96,7 @@ shared_examples 'apply/apply! are OK' do
md = { foo: 'bar' } md = { foo: 'bar' }
the_proc = @client.updater_proc the_proc = @client.updater_proc
got = the_proc.call(md, connection: c) got = the_proc.call(md, connection: c)
want = { :foo => 'bar', WANTED_AUTH_KEY => "Bearer #{token}" } want = { :foo => 'bar', auth_key => "Bearer #{token}" }
expect(got).to eq(want) expect(got).to eq(want)
stubs.verify_stubbed_calls stubs.verify_stubbed_calls
end end
@ -126,7 +126,7 @@ shared_examples 'apply/apply! are OK' do
md = { foo: 'bar' } md = { foo: 'bar' }
got = @client.apply(md, connection: c) got = @client.apply(md, connection: c)
want = { :foo => 'bar', WANTED_AUTH_KEY => "Bearer #{token}" } want = { :foo => 'bar', auth_key => "Bearer #{token}" }
expect(got).to eq(want) expect(got).to eq(want)
stubs.verify_stubbed_calls stubs.verify_stubbed_calls
end end
@ -142,7 +142,7 @@ shared_examples 'apply/apply! are OK' do
n.times do |_t| n.times do |_t|
md = { foo: 'bar' } md = { foo: 'bar' }
got = @client.apply(md, connection: c) got = @client.apply(md, connection: c)
want = { :foo => 'bar', WANTED_AUTH_KEY => "Bearer #{token}" } want = { :foo => 'bar', auth_key => "Bearer #{token}" }
expect(got).to eq(want) expect(got).to eq(want)
end end
stubs.verify_stubbed_calls stubs.verify_stubbed_calls
@ -159,7 +159,7 @@ shared_examples 'apply/apply! are OK' do
end end
md = { foo: 'bar' } md = { foo: 'bar' }
got = @client.apply(md, connection: c) got = @client.apply(md, connection: c)
want = { :foo => 'bar', WANTED_AUTH_KEY => "Bearer #{t}" } want = { :foo => 'bar', auth_key => "Bearer #{t}" }
expect(got).to eq(want) expect(got).to eq(want)
stubs.verify_stubbed_calls stubs.verify_stubbed_calls
@client.expires_at -= 3601 # default is to expire in 1hr @client.expires_at -= 3601 # default is to expire in 1hr

View File

@ -40,10 +40,73 @@ require 'openssl'
require 'spec_helper' require 'spec_helper'
require 'tmpdir' require 'tmpdir'
include Google::Auth::CredentialsLoader
shared_examples 'jwt header auth' do
context 'when jwt_aud_uri is present' do
let(:test_uri) { 'https://www.googleapis.com/myservice' }
let(:auth_prefix) { 'Bearer ' }
let(:auth_key) { ServiceAccountJwtHeaderCredentials::AUTH_METADATA_KEY }
let(:jwt_uri_key) { ServiceAccountJwtHeaderCredentials::JWT_AUD_URI_KEY }
def expect_is_encoded_jwt(hdr)
expect(hdr).to_not be_nil
expect(hdr.start_with?(auth_prefix)).to be true
authorization = hdr[auth_prefix.length..-1]
payload, _ = JWT.decode(authorization, @key.public_key)
expect(payload['aud']).to eq(test_uri)
expect(payload['iss']).to eq(client_email)
end
describe '#apply!' do
it 'should update the target hash with a jwt token' do
md = { foo: 'bar' }
md[jwt_uri_key] = test_uri
@client.apply!(md)
auth_header = md[auth_key]
expect_is_encoded_jwt(auth_header)
expect(md[jwt_uri_key]).to be_nil
end
end
describe 'updater_proc' do
it 'should provide a proc that updates a hash with a jwt token' do
md = { foo: 'bar' }
md[jwt_uri_key] = test_uri
the_proc = @client.updater_proc
got = the_proc.call(md)
auth_header = got[auth_key]
expect_is_encoded_jwt(auth_header)
expect(got[jwt_uri_key]).to be_nil
expect(md[jwt_uri_key]).to_not be_nil
end
end
describe '#apply' do
it 'should not update the original hash with a jwt token' do
md = { foo: 'bar' }
md[jwt_uri_key] = test_uri
the_proc = @client.updater_proc
got = the_proc.call(md)
auth_header = md[auth_key]
expect(auth_header).to be_nil
expect(got[jwt_uri_key]).to be_nil
expect(md[jwt_uri_key]).to_not be_nil
end
it 'should add a jwt token to the returned hash' do
md = { foo: 'bar' }
md[jwt_uri_key] = test_uri
got = @client.apply(md)
auth_header = got[auth_key]
expect_is_encoded_jwt(auth_header)
end
end
end
end
describe Google::Auth::ServiceAccountCredentials do describe Google::Auth::ServiceAccountCredentials do
ServiceAccountCredentials = Google::Auth::ServiceAccountCredentials ServiceAccountCredentials = Google::Auth::ServiceAccountCredentials
CredentialsLoader = Google::Auth::CredentialsLoader
let(:client_email) { 'app@developer.gserviceaccount.com' } let(:client_email) { 'app@developer.gserviceaccount.com' }
before(:example) do before(:example) do
@ -80,9 +143,17 @@ describe Google::Auth::ServiceAccountCredentials do
it_behaves_like 'apply/apply! are OK' it_behaves_like 'apply/apply! are OK'
context 'when scope is nil' do
before(:example) do
@client.scope = nil
end
it_behaves_like 'jwt header auth'
end
describe '#from_env' do describe '#from_env' do
before(:example) do before(:example) do
@var_name = CredentialsLoader::ENV_VAR @var_name = ENV_VAR
@orig = ENV[@var_name] @orig = ENV[@var_name]
@scope = 'https://www.googleapis.com/auth/userinfo.profile' @scope = 'https://www.googleapis.com/auth/userinfo.profile'
@clz = ServiceAccountCredentials @clz = ServiceAccountCredentials
@ -122,7 +193,7 @@ describe Google::Auth::ServiceAccountCredentials do
before(:example) do before(:example) do
@home = ENV['HOME'] @home = ENV['HOME']
@scope = 'https://www.googleapis.com/auth/userinfo.profile' @scope = 'https://www.googleapis.com/auth/userinfo.profile'
@known_path = CredentialsLoader::WELL_KNOWN_PATH @known_path = WELL_KNOWN_PATH
@clz = ServiceAccountCredentials @clz = ServiceAccountCredentials
end end
@ -148,7 +219,6 @@ describe Google::Auth::ServiceAccountCredentials do
end end
describe Google::Auth::ServiceAccountJwtHeaderCredentials do describe Google::Auth::ServiceAccountJwtHeaderCredentials do
CredentialsLoader = Google::Auth::CredentialsLoader
ServiceAccountJwtHeaderCredentials = ServiceAccountJwtHeaderCredentials =
Google::Auth::ServiceAccountJwtHeaderCredentials Google::Auth::ServiceAccountJwtHeaderCredentials
@ -171,70 +241,11 @@ describe Google::Auth::ServiceAccountJwtHeaderCredentials do
MultiJson.dump(cred_json) MultiJson.dump(cred_json)
end end
context 'when jwt_aud_uri is present' do it_behaves_like 'jwt header auth'
WANTED_AUTH_KEY = ServiceAccountJwtHeaderCredentials::AUTH_METADATA_KEY
JWT_AUD_URI_KEY = ServiceAccountJwtHeaderCredentials::JWT_AUD_URI_KEY
let(:test_uri) { 'https://www.googleapis.com/myservice' }
let(:auth_prefix) { 'Bearer ' }
def expect_is_encoded_jwt(hdr)
expect(hdr).to_not be_nil
expect(hdr.start_with?(auth_prefix)).to be true
authorization = hdr[auth_prefix.length..-1]
payload, _ = JWT.decode(authorization, @key.public_key)
expect(payload['aud']).to eq(test_uri)
expect(payload['iss']).to eq(client_email)
end
describe '#apply!' do
it 'should update the target hash with a jwt token' do
md = { foo: 'bar' }
md[JWT_AUD_URI_KEY] = test_uri
@client.apply!(md)
auth_header = md[WANTED_AUTH_KEY]
expect_is_encoded_jwt(auth_header)
expect(md[JWT_AUD_URI_KEY]).to be_nil
end
end
describe 'updater_proc' do
it 'should provide a proc that updates a hash with a jwt token' do
md = { foo: 'bar' }
md[JWT_AUD_URI_KEY] = test_uri
the_proc = @client.updater_proc
got = the_proc.call(md)
auth_header = got[WANTED_AUTH_KEY]
expect_is_encoded_jwt(auth_header)
expect(got[JWT_AUD_URI_KEY]).to be_nil
expect(md[JWT_AUD_URI_KEY]).to_not be_nil
end
end
describe '#apply' do
it 'should not update the original hash with a jwt token' do
md = { foo: 'bar' }
md[JWT_AUD_URI_KEY] = test_uri
the_proc = @client.updater_proc
got = the_proc.call(md)
auth_header = md[WANTED_AUTH_KEY]
expect(auth_header).to be_nil
expect(got[JWT_AUD_URI_KEY]).to be_nil
expect(md[JWT_AUD_URI_KEY]).to_not be_nil
end
it 'should add a jwt token to the returned hash' do
md = { foo: 'bar' }
md[JWT_AUD_URI_KEY] = test_uri
got = @client.apply(md)
auth_header = got[WANTED_AUTH_KEY]
expect_is_encoded_jwt(auth_header)
end
end
end
describe '#from_env' do describe '#from_env' do
before(:example) do before(:example) do
@var_name = CredentialsLoader::ENV_VAR @var_name = ENV_VAR
@orig = ENV[@var_name] @orig = ENV[@var_name]
end end
@ -271,7 +282,6 @@ describe Google::Auth::ServiceAccountJwtHeaderCredentials do
describe '#from_well_known_path' do describe '#from_well_known_path' do
before(:example) do before(:example) do
@home = ENV['HOME'] @home = ENV['HOME']
@known_path = CredentialsLoader::WELL_KNOWN_PATH
end end
after(:example) do after(:example) do
@ -285,7 +295,7 @@ describe Google::Auth::ServiceAccountJwtHeaderCredentials do
it 'successfully loads the file when it is present' do it 'successfully loads the file when it is present' do
Dir.mktmpdir do |dir| Dir.mktmpdir do |dir|
key_path = File.join(dir, '.config', @known_path) key_path = File.join(dir, '.config', WELL_KNOWN_PATH)
FileUtils.mkdir_p(File.dirname(key_path)) FileUtils.mkdir_p(File.dirname(key_path))
File.write(key_path, cred_json_text) File.write(key_path, cred_json_text)
ENV['HOME'] = dir ENV['HOME'] = dir