fix: Pass scope through when getting metadata-based access tokens

Hayden Ball 2020-07-08 16:13:38 +01:00 committed by GitHub
parent dcdf7cddbf
commit 48c689aa93
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 21 additions and 3 deletions


@ -1,3 +1,7 @@
### Unreleased
* Support scopes when using GCE Metadata Server authentication ([@ball-hayden][])
### 0.13.0 / 2020-06-17 ### 0.13.0 / 2020-06-17
* Support for validating ID tokens. * Support for validating ID tokens.
@ -143,3 +147,4 @@ Note: This release now requires Ruby 2.4 or later
[@tbetbetbe]: https://github.com/tbetbetbe [@tbetbetbe]: https://github.com/tbetbetbe
[@murgatroid99]: https://github.com/murgatroid99 [@murgatroid99]: https://github.com/murgatroid99
[@vsubramani]: https://github.com/vsubramani [@vsubramani]: https://github.com/vsubramani
[@ball-hayden]: https://github.com/ball-hayden


@ -75,7 +75,7 @@ module Google
GCECredentials.unmemoize_all GCECredentials.unmemoize_all
raise NOT_FOUND_ERROR raise NOT_FOUND_ERROR
end end
GCECredentials.new GCECredentials.new scope: scope
end end
end end
end end


@ -85,7 +85,8 @@ module Google
c = options[:connection] || Faraday.default_connection c = options[:connection] || Faraday.default_connection
retry_with_error do retry_with_error do
uri = target_audience ? COMPUTE_ID_TOKEN_URI : COMPUTE_AUTH_TOKEN_URI uri = target_audience ? COMPUTE_ID_TOKEN_URI : COMPUTE_AUTH_TOKEN_URI
query = target_audience ? { "audience" => target_audience, "format" => "full" } : nil query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
query[:scopes] = Array(scope).join " " if scope
headers = { "Metadata-Flavor" => "Google" } headers = { "Metadata-Flavor" => "Google" }
resp = c.get uri, query, headers resp = c.get uri, query, headers
case resp.status case resp.status
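Review bot: The added line `query[:scopes] = Array(scope).join " " if scope` joins multiple scopes with a space, but as far as I recall the GCE metadata server's token endpoint takes `scopes` as a comma-separated list; worth confirming against the metadata server documentation before release, since a wrong separator means a token minted for the wrong scope set (or an error from the endpoint), and the spec added in this commit stubs only a single scope, so the separator is never exercised. The new key is also a Symbol (`:scopes`) while the audience keys on the previous line are Strings; `query["scopes"] = Array(scope).join "," if scope` keeps one key style and the documented separator. The scopes are appended regardless of which uri was chosen two lines above, so they also travel with ID-token requests to COMPUTE_ID_TOKEN_URI; presumably harmless if that endpoint ignores the parameter, but `if scope && !target_audience` would make the intent explicit. The enclosing method (apparently fetch_access_token, judging by the spec) starts before the hunk.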


@ -51,7 +51,11 @@ describe Google::Auth::GCECredentials do
body = MultiJson.dump("access_token" => opts[:access_token], body = MultiJson.dump("access_token" => opts[:access_token],
"token_type" => "Bearer", "token_type" => "Bearer",
"expires_in" => 3600) "expires_in" => 3600)
stub_request(:get, MD_ACCESS_URI)
uri = MD_ACCESS_URI
uri += "?scopes=#{opts[:scope]}" if opts[:scope]
stub_request(:get, uri)
.with(headers: { "Metadata-Flavor" => "Google" }) .with(headers: { "Metadata-Flavor" => "Google" })
.to_return(body: body, .to_return(body: body,
status: 200, status: 200,
@ -69,6 +73,14 @@ describe Google::Auth::GCECredentials do
context "metadata is unavailable" do context "metadata is unavailable" do
describe "#fetch_access_token" do describe "#fetch_access_token" do
it "should pass scopes when requesting an access token" do
scope = "https://www.googleapis.com/auth/drive"
stub = make_auth_stubs access_token: "1/abcdef1234567890", scope: scope
@client = GCECredentials.new(scope: [scope])
@client.fetch_access_token!
expect(stub).to have_been_requested
end
it "should fail if the metadata request returns a 404" do it "should fail if the metadata request returns a 404" do
stub = stub_request(:get, MD_ACCESS_URI) stub = stub_request(:get, MD_ACCESS_URI)
.to_return(status: 404, .to_return(status: 404,