190 lines
6.7 KiB
Ruby
190 lines
6.7 KiB
Ruby
# Copyright 2017, Google Inc.
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions are
|
|
# met:
|
|
#
|
|
# * Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
# * Redistributions in binary form must reproduce the above
|
|
# copyright notice, this list of conditions and the following disclaimer
|
|
# in the documentation and/or other materials provided with the
|
|
# distribution.
|
|
# * Neither the name of Google Inc. nor the names of its
|
|
# contributors may be used to endorse or promote products derived from
|
|
# this software without specific prior written permission.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
# rubocop:disable Metrics/AbcSize, Metrics/PerceivedComplexity, MethodLength
|
|
|
|
require 'forwardable'
|
|
require 'json'
|
|
require 'signet/oauth_2/client'
|
|
|
|
require 'googleauth/credentials_loader'
|
|
|
|
module Google
|
|
module Auth
|
|
# This class is intended to be inherited by API-specific classes
|
|
# which overrides the SCOPE constant.
|
|
class Credentials
|
|
TOKEN_CREDENTIAL_URI = 'https://oauth2.googleapis.com/token'.freeze
|
|
AUDIENCE = 'https://oauth2.googleapis.com/token'.freeze
|
|
SCOPE = [].freeze
|
|
PATH_ENV_VARS = [].freeze
|
|
JSON_ENV_VARS = [].freeze
|
|
DEFAULT_PATHS = [].freeze
|
|
|
|
attr_accessor :client
|
|
attr_reader :project_id
|
|
|
|
# Delegate client methods to the client object.
|
|
extend Forwardable
|
|
def_delegators :@client,
|
|
:token_credential_uri, :audience,
|
|
:scope, :issuer, :signing_key, :updater_proc
|
|
|
|
def initialize(keyfile, options = {})
|
|
scope = options[:scope]
|
|
verify_keyfile_provided! keyfile
|
|
@project_id = options['project_id'] || options['project']
|
|
if keyfile.is_a? Signet::OAuth2::Client
|
|
@client = keyfile
|
|
@project_id ||= keyfile.project_id if keyfile.respond_to? :project_id
|
|
elsif keyfile.is_a? Hash
|
|
hash = stringify_hash_keys keyfile
|
|
hash['scope'] ||= scope
|
|
@client = init_client hash
|
|
@project_id ||= (hash['project_id'] || hash['project'])
|
|
else
|
|
verify_keyfile_exists! keyfile
|
|
json = JSON.parse ::File.read(keyfile)
|
|
json['scope'] ||= scope
|
|
@project_id ||= (json['project_id'] || json['project'])
|
|
@client = init_client json
|
|
end
|
|
CredentialsLoader.warn_if_cloud_sdk_credentials @client.client_id
|
|
@project_id ||= CredentialsLoader.load_gcloud_project_id
|
|
@client.fetch_access_token!
|
|
end
|
|
|
|
# Returns the default credentials checking, in this order, the path env
|
|
# evironment variables, json environment variables, default paths. If the
|
|
# previously stated locations do not contain keyfile information,
|
|
# this method defaults to use the application default.
|
|
def self.default(options = {})
|
|
scope = options[:scope]
|
|
# First try to find keyfile file from environment variables.
|
|
client = from_path_vars scope
|
|
|
|
# Second try to find keyfile json from environment variables.
|
|
client ||= from_json_vars scope
|
|
|
|
# Third try to find keyfile file from known file paths.
|
|
client ||= from_default_paths scope
|
|
|
|
# Finally get instantiated client from Google::Auth
|
|
client ||= from_application_default scope
|
|
client
|
|
end
|
|
|
|
def self.from_path_vars(scope)
|
|
self::PATH_ENV_VARS
|
|
.map { |v| ENV[v] }
|
|
.compact
|
|
.select { |p| ::File.file? p }
|
|
.each do |file|
|
|
return new file, scope: scope
|
|
end
|
|
nil
|
|
end
|
|
|
|
def self.from_json_vars(scope)
|
|
json = lambda do |v|
|
|
unless ENV[v].nil?
|
|
begin
|
|
JSON.parse ENV[v]
|
|
rescue
|
|
nil
|
|
end
|
|
end
|
|
end
|
|
self::JSON_ENV_VARS.map(&json).compact.each do |hash|
|
|
return new hash, scope: scope
|
|
end
|
|
nil
|
|
end
|
|
|
|
def self.from_default_paths(scope)
|
|
self::DEFAULT_PATHS
|
|
.select { |p| ::File.file? p }
|
|
.each do |file|
|
|
return new file, scope: scope
|
|
end
|
|
nil
|
|
end
|
|
|
|
def self.from_application_default(scope)
|
|
scope ||= self::SCOPE
|
|
client = Google::Auth.get_application_default scope
|
|
new client
|
|
end
|
|
private_class_method :from_path_vars,
|
|
:from_json_vars,
|
|
:from_default_paths,
|
|
:from_application_default
|
|
|
|
protected
|
|
|
|
# Verify that the keyfile argument is provided.
|
|
def verify_keyfile_provided!(keyfile)
|
|
return unless keyfile.nil?
|
|
raise 'The keyfile passed to Google::Auth::Credentials.new was nil.'
|
|
end
|
|
|
|
# Verify that the keyfile argument is a file.
|
|
def verify_keyfile_exists!(keyfile)
|
|
exists = ::File.file? keyfile
|
|
raise "The keyfile '#{keyfile}' is not a valid file." unless exists
|
|
end
|
|
|
|
# Initializes the Signet client.
|
|
def init_client(keyfile)
|
|
client_opts = client_options keyfile
|
|
Signet::OAuth2::Client.new client_opts
|
|
end
|
|
|
|
# returns a new Hash with string keys instead of symbol keys.
|
|
def stringify_hash_keys(hash)
|
|
Hash[hash.map { |k, v| [k.to_s, v] }]
|
|
end
|
|
|
|
def client_options(options)
|
|
# Keyfile options have higher priority over constructor defaults
|
|
options['token_credential_uri'] ||= self.class::TOKEN_CREDENTIAL_URI
|
|
options['audience'] ||= self.class::AUDIENCE
|
|
options['scope'] ||= self.class::SCOPE
|
|
|
|
# client options for initializing signet client
|
|
{ token_credential_uri: options['token_credential_uri'],
|
|
audience: options['audience'],
|
|
scope: Array(options['scope']),
|
|
issuer: options['client_email'],
|
|
signing_key: OpenSSL::PKey::RSA.new(options['private_key']) }
|
|
end
|
|
end
|
|
end
|
|
end
|