fix: Pass scope through when getting metadata-based access tokens
parent
dcdf7cddbf
commit
48c689aa93
|
@ -1,3 +1,7 @@
|
||||||
|
### Unreleased
|
||||||
|
|
||||||
|
* Support scopes when using GCE Metadata Server authentication ([@ball-hayden][])
|
||||||
|
|
||||||
### 0.13.0 / 2020-06-17
|
### 0.13.0 / 2020-06-17
|
||||||
|
|
||||||
* Support for validating ID tokens.
|
* Support for validating ID tokens.
|
||||||
|
@ -143,3 +147,4 @@ Note: This release now requires Ruby 2.4 or later
|
||||||
[@tbetbetbe]: https://github.com/tbetbetbe
|
[@tbetbetbe]: https://github.com/tbetbetbe
|
||||||
[@murgatroid99]: https://github.com/murgatroid99
|
[@murgatroid99]: https://github.com/murgatroid99
|
||||||
[@vsubramani]: https://github.com/vsubramani
|
[@vsubramani]: https://github.com/vsubramani
|
||||||
|
[@ball-hayden]: https://github.com/ball-hayden
|
||||||
|
|
|
@ -75,7 +75,7 @@ module Google
|
||||||
GCECredentials.unmemoize_all
|
GCECredentials.unmemoize_all
|
||||||
raise NOT_FOUND_ERROR
|
raise NOT_FOUND_ERROR
|
||||||
end
|
end
|
||||||
GCECredentials.new
|
GCECredentials.new scope: scope
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -85,7 +85,8 @@ module Google
|
||||||
c = options[:connection] || Faraday.default_connection
|
c = options[:connection] || Faraday.default_connection
|
||||||
retry_with_error do
|
retry_with_error do
|
||||||
uri = target_audience ? COMPUTE_ID_TOKEN_URI : COMPUTE_AUTH_TOKEN_URI
|
uri = target_audience ? COMPUTE_ID_TOKEN_URI : COMPUTE_AUTH_TOKEN_URI
|
||||||
query = target_audience ? { "audience" => target_audience, "format" => "full" } : nil
|
query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
|
||||||
|
query[:scopes] = Array(scope).join " " if scope
|
||||||
headers = { "Metadata-Flavor" => "Google" }
|
headers = { "Metadata-Flavor" => "Google" }
|
||||||
resp = c.get uri, query, headers
|
resp = c.get uri, query, headers
|
||||||
case resp.status
|
case resp.status
|
||||||
|
|
|
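Review bot: The added `query[:scopes] = Array(scope).join " " if scope` joins several scopes with a space, whereas the metadata server's token endpoint documents `scopes` as a comma-separated list, so a request carrying more than one scope may not be read as intended. The line also runs when `target_audience` is set, which adds `scopes` to the identity-token query, and it uses a symbol key next to the string keys `"audience"` and `"format"`. I would write `query["scopes"] = Array(scope).join(",") if scope && !target_audience`. A short comment would also help, saying that the returned token is presumably still bounded by what the instance's service account is granted, so callers should not treat a narrow `scope` as a guaranteed down-scoping (worth confirming against the metadata server documentation). The enclosing method starts and ends outside the hunk.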
@ -51,7 +51,11 @@ describe Google::Auth::GCECredentials do
|
||||||
body = MultiJson.dump("access_token" => opts[:access_token],
|
body = MultiJson.dump("access_token" => opts[:access_token],
|
||||||
"token_type" => "Bearer",
|
"token_type" => "Bearer",
|
||||||
"expires_in" => 3600)
|
"expires_in" => 3600)
|
||||||
stub_request(:get, MD_ACCESS_URI)
|
|
||||||
|
uri = MD_ACCESS_URI
|
||||||
|
uri += "?scopes=#{opts[:scope]}" if opts[:scope]
|
||||||
|
|
||||||
|
stub_request(:get, uri)
|
||||||
.with(headers: { "Metadata-Flavor" => "Google" })
|
.with(headers: { "Metadata-Flavor" => "Google" })
|
||||||
.to_return(body: body,
|
.to_return(body: body,
|
||||||
status: 200,
|
status: 200,
|
||||||
|
@ -69,6 +73,14 @@ describe Google::Auth::GCECredentials do
|
||||||
|
|
||||||
context "metadata is unavailable" do
|
context "metadata is unavailable" do
|
||||||
describe "#fetch_access_token" do
|
describe "#fetch_access_token" do
|
||||||
|
it "should pass scopes when requesting an access token" do
|
||||||
|
scope = "https://www.googleapis.com/auth/drive"
|
||||||
|
stub = make_auth_stubs access_token: "1/abcdef1234567890", scope: scope
|
||||||
|
@client = GCECredentials.new(scope: [scope])
|
||||||
|
@client.fetch_access_token!
|
||||||
|
expect(stub).to have_been_requested
|
||||||
|
end
|
||||||
|
|
||||||
it "should fail if the metadata request returns a 404" do
|
it "should fail if the metadata request returns a 404" do
|
||||||
stub = stub_request(:get, MD_ACCESS_URI)
|
stub = stub_request(:get, MD_ACCESS_URI)
|
||||||
.to_return(status: 404,
|
.to_return(status: 404,
|
||||||
|
|
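Review bot: The new example covers only a single scope, and `make_auth_stubs` builds the expected URL by raw interpolation (`uri += "?scopes=#{opts[:scope]}"`), so the suite pins neither the delimiter used for several scopes nor the query encoding. Matching on the parsed query, for example `stub_request(:get, MD_ACCESS_URI).with(query: { "scopes" => expected_scopes })`, and adding a two-scope case would cover both. Judging by the hunk context, the example also sits under `context "metadata is unavailable"` although it tests a successful token fetch, so it would read better in a context of its own. Both `make_auth_stubs` and the `describe` block extend beyond the hunks shown.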