Add support for loading either credentials type as determined by the loaded content

This commit is contained in:
Tim Emiola 2015-03-06 16:58:57 -08:00
parent 3bd8751519
commit 4d4bcd46e8
3 changed files with 134 additions and 77 deletions

View File

@ -27,8 +27,13 @@
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
require 'googleauth/service_account' require 'multi_json'
require 'stringio'
require 'googleauth/credentials_loader'
require 'googleauth/compute_engine' require 'googleauth/compute_engine'
require 'googleauth/service_account'
require 'googleauth/user_refresh'
module Google module Google
# Module Auth provides classes that provide Google-specific authorization # Module Auth provides classes that provide Google-specific authorization
@ -40,6 +45,28 @@ https://developers.google.com/accounts/docs/application-default-credentials
for more information for more information
END END
# DefaultCredentials is used to preload the credentials file, to determine
# which type of credentials should be loaded.
class DefaultCredentials
extend CredentialsLoader
# override CredentialsLoader#make_creds to use the class determined by
# loading the json.
def self.make_creds(scope, json_key_io)
json_key, clz = determine_creds_class(json_key_io)
clz.new(scope, StringIO.new(MultiJson.dump(json_key)))
end
# Reads the input json and determines which creds class to use.
def self.determine_creds_class(json_key_io)
json_key = MultiJson.load(json_key_io.read)
fail "the json is missing the #{key} field" unless json_key.key?('type')
svc_account = json_key['type'] == 'service_account'
return json_key, ServiceAccountCredentials if svc_account
[json_key, UserRefreshCredentials]
end
end
# Obtains the default credentials implementation to use in this # Obtains the default credentials implementation to use in this
# environment. # environment.
# #
@ -53,9 +80,9 @@ END
# @param scope [string|array] the scope(s) to access # @param scope [string|array] the scope(s) to access
# @param options [hash] allows override of the connection being used # @param options [hash] allows override of the connection being used
def get_application_default(scope, options = {}) def get_application_default(scope, options = {})
creds = ServiceAccountCredentials.from_env(scope) creds = DefaultCredentials.from_env(scope)
return creds unless creds.nil? return creds unless creds.nil?
creds = ServiceAccountCredentials.from_well_known_path(scope) creds = DefaultCredentials.from_well_known_path(scope)
return creds unless creds.nil? return creds unless creds.nil?
fail NOT_FOUND_ERROR unless GCECredentials.on_gce?(options) fail NOT_FOUND_ERROR unless GCECredentials.on_gce?(options)
GCECredentials.new GCECredentials.new

View File

@ -50,6 +50,14 @@ module Google
end end
memoize :windows? memoize :windows?
# make_creds proxies the construction of a credentials instance
#
# By default, it calls #new on the current class, but this behaviour can
# be modified, allowing different instances to be created.
def make_creds(*args)
new(*args)
end
# Creates an instance from the path specified in an environment # Creates an instance from the path specified in an environment
# variable. # variable.
# #
@ -59,7 +67,7 @@ module Google
path = ENV[ENV_VAR] path = ENV[ENV_VAR]
fail 'file #{path} does not exist' unless File.exist?(path) fail 'file #{path} does not exist' unless File.exist?(path)
File.open(path) do |f| File.open(path) do |f|
return new(scope, f) return make_creds(scope, f)
end end
rescue StandardError => e rescue StandardError => e
raise "#{NOT_FOUND_ERROR}: #{e}" raise "#{NOT_FOUND_ERROR}: #{e}"
@ -75,7 +83,7 @@ module Google
path = File.join(root, base) path = File.join(root, base)
return nil unless File.exist?(path) return nil unless File.exist?(path)
File.open(path) do |f| File.open(path) do |f|
return new(scope, f) return make_creds(scope, f)
end end
rescue StandardError => e rescue StandardError => e
raise "#{WELL_KNOWN_ERROR}: #{e}" raise "#{WELL_KNOWN_ERROR}: #{e}"

View File

@ -49,17 +49,7 @@ describe '#get_application_default' do
ENV['HOME'] = @home unless @home == ENV['HOME'] ENV['HOME'] = @home unless @home == ENV['HOME']
end end
def cred_json_text shared_examples 'it loads them correctly' do
cred_json = {
private_key_id: 'a_private_key_id',
private_key: @key.to_pem,
client_email: 'app@developer.gserviceaccount.com',
client_id: 'app.apps.googleusercontent.com',
type: 'service_account'
}
MultiJson.dump(cred_json)
end
it 'fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist' do it 'fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist' do
Dir.mktmpdir do |dir| Dir.mktmpdir do |dir|
key_path = File.join(dir, 'does-not-exist') key_path = File.join(dir, 'does-not-exist')
@ -78,7 +68,7 @@ describe '#get_application_default' do
end end
end end
it 'succeeds with default file if GOOGLE_APPLICATION_CREDENTIALS is unset' do it 'succeeds with default file without GOOGLE_APPLICATION_CREDENTIALS' do
ENV.delete(@var_name) unless ENV[@var_name].nil? ENV.delete(@var_name) unless ENV[@var_name].nil?
Dir.mktmpdir do |dir| Dir.mktmpdir do |dir|
key_path = File.join(dir, '.config', key_path = File.join(dir, '.config',
@ -126,9 +116,41 @@ describe '#get_application_default' do
c = Faraday.new do |b| c = Faraday.new do |b|
b.adapter(:test, stubs) b.adapter(:test, stubs)
end end
expect(Google::Auth.get_application_default(@scope, creds = Google::Auth.get_application_default(
connection: c)).to_not be_nil @scope,
connection: c)
expect(creds).to_not be_nil
end end
stubs.verify_stubbed_calls stubs.verify_stubbed_calls
end end
end
describe 'when credential type is service account' do
def cred_json_text
cred_json = {
private_key_id: 'a_private_key_id',
private_key: @key.to_pem,
client_email: 'app@developer.gserviceaccount.com',
client_id: 'app.apps.googleusercontent.com',
type: 'service_account'
}
MultiJson.dump(cred_json)
end
it_behaves_like 'it loads them correctly'
end
describe 'when credential type is authorized_user' do
def cred_json_text
cred_json = {
client_secret: 'privatekey',
refresh_token: 'refreshtoken',
client_id: 'app.apps.googleusercontent.com',
type: 'authorized_user'
}
MultiJson.dump(cred_json)
end
it_behaves_like 'it loads them correctly'
end
end end