Promote ServiceAccountCredentials when scope is nil
- if the ServiceAccountCredentials#apply is called when the scope is not set, authentication with the equivalent ServiceAccountJwtHeaderCredentials instance is attempted.
This commit is contained in:
parent
53ec6fce3b
commit
c4bde552e6
|
@ -31,6 +31,7 @@ require 'googleauth/signet'
|
||||||
require 'googleauth/credentials_loader'
|
require 'googleauth/credentials_loader'
|
||||||
require 'jwt'
|
require 'jwt'
|
||||||
require 'multi_json'
|
require 'multi_json'
|
||||||
|
require 'stringio'
|
||||||
|
|
||||||
module Google
|
module Google
|
||||||
# Module Auth provides classes that provide Google-specific authorization
|
# Module Auth provides classes that provide Google-specific authorization
|
||||||
|
@ -69,6 +70,29 @@ module Google
|
||||||
issuer: client_email,
|
issuer: client_email,
|
||||||
signing_key: OpenSSL::PKey::RSA.new(private_key))
|
signing_key: OpenSSL::PKey::RSA.new(private_key))
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Extends the base class.
|
||||||
|
#
|
||||||
|
# If scope(s) is not set, it creates a transient
|
||||||
|
# ServiceAccountJwtHeaderCredentials instance and uses that to
|
||||||
|
# authenticate instead.
|
||||||
|
def apply!(a_hash, opts = {})
|
||||||
|
# Use the base implementation if scopes are set
|
||||||
|
unless scope.nil?
|
||||||
|
super
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
# Use the ServiceAccountJwtHeaderCredentials using the same cred values
|
||||||
|
# if no scopes are set.
|
||||||
|
cred_json = {
|
||||||
|
private_key: @signing_key.to_s,
|
||||||
|
client_email: @issuer
|
||||||
|
}
|
||||||
|
alt_clz = ServiceAccountJwtHeaderCredentials
|
||||||
|
alt = alt_clz.new(StringIO.new(MultiJson.dump(cred_json)))
|
||||||
|
alt.apply!(a_hash)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# Authenticates requests using Google's Service Account credentials via
|
# Authenticates requests using Google's Service Account credentials via
|
||||||
|
@ -118,7 +142,7 @@ module Google
|
||||||
@signing_key = OpenSSL::PKey::RSA.new(private_key)
|
@signing_key = OpenSSL::PKey::RSA.new(private_key)
|
||||||
end
|
end
|
||||||
|
|
||||||
# Construct a jwt token if the WT_AUD_URI key is present in the input
|
# Construct a jwt token if the JWT_AUD_URI key is present in the input
|
||||||
# hash.
|
# hash.
|
||||||
#
|
#
|
||||||
# The jwt token is used as the value of a 'Bearer '.
|
# The jwt token is used as the value of a 'Bearer '.
|
||||||
|
|
|
@ -47,7 +47,7 @@ def build_access_token_json(token)
|
||||||
end
|
end
|
||||||
|
|
||||||
shared_examples 'apply/apply! are OK' do
|
shared_examples 'apply/apply! are OK' do
|
||||||
WANTED_AUTH_KEY = :Authorization
|
let(:auth_key) { :Authorization }
|
||||||
|
|
||||||
# tests that use these examples need to define
|
# tests that use these examples need to define
|
||||||
#
|
#
|
||||||
|
@ -79,7 +79,7 @@ shared_examples 'apply/apply! are OK' do
|
||||||
|
|
||||||
md = { foo: 'bar' }
|
md = { foo: 'bar' }
|
||||||
@client.apply!(md, connection: c)
|
@client.apply!(md, connection: c)
|
||||||
want = { :foo => 'bar', WANTED_AUTH_KEY => "Bearer #{token}" }
|
want = { :foo => 'bar', auth_key => "Bearer #{token}" }
|
||||||
expect(md).to eq(want)
|
expect(md).to eq(want)
|
||||||
stubs.verify_stubbed_calls
|
stubs.verify_stubbed_calls
|
||||||
end
|
end
|
||||||
|
@ -96,7 +96,7 @@ shared_examples 'apply/apply! are OK' do
|
||||||
md = { foo: 'bar' }
|
md = { foo: 'bar' }
|
||||||
the_proc = @client.updater_proc
|
the_proc = @client.updater_proc
|
||||||
got = the_proc.call(md, connection: c)
|
got = the_proc.call(md, connection: c)
|
||||||
want = { :foo => 'bar', WANTED_AUTH_KEY => "Bearer #{token}" }
|
want = { :foo => 'bar', auth_key => "Bearer #{token}" }
|
||||||
expect(got).to eq(want)
|
expect(got).to eq(want)
|
||||||
stubs.verify_stubbed_calls
|
stubs.verify_stubbed_calls
|
||||||
end
|
end
|
||||||
|
@ -126,7 +126,7 @@ shared_examples 'apply/apply! are OK' do
|
||||||
|
|
||||||
md = { foo: 'bar' }
|
md = { foo: 'bar' }
|
||||||
got = @client.apply(md, connection: c)
|
got = @client.apply(md, connection: c)
|
||||||
want = { :foo => 'bar', WANTED_AUTH_KEY => "Bearer #{token}" }
|
want = { :foo => 'bar', auth_key => "Bearer #{token}" }
|
||||||
expect(got).to eq(want)
|
expect(got).to eq(want)
|
||||||
stubs.verify_stubbed_calls
|
stubs.verify_stubbed_calls
|
||||||
end
|
end
|
||||||
|
@ -142,7 +142,7 @@ shared_examples 'apply/apply! are OK' do
|
||||||
n.times do |_t|
|
n.times do |_t|
|
||||||
md = { foo: 'bar' }
|
md = { foo: 'bar' }
|
||||||
got = @client.apply(md, connection: c)
|
got = @client.apply(md, connection: c)
|
||||||
want = { :foo => 'bar', WANTED_AUTH_KEY => "Bearer #{token}" }
|
want = { :foo => 'bar', auth_key => "Bearer #{token}" }
|
||||||
expect(got).to eq(want)
|
expect(got).to eq(want)
|
||||||
end
|
end
|
||||||
stubs.verify_stubbed_calls
|
stubs.verify_stubbed_calls
|
||||||
|
@ -159,7 +159,7 @@ shared_examples 'apply/apply! are OK' do
|
||||||
end
|
end
|
||||||
md = { foo: 'bar' }
|
md = { foo: 'bar' }
|
||||||
got = @client.apply(md, connection: c)
|
got = @client.apply(md, connection: c)
|
||||||
want = { :foo => 'bar', WANTED_AUTH_KEY => "Bearer #{t}" }
|
want = { :foo => 'bar', auth_key => "Bearer #{t}" }
|
||||||
expect(got).to eq(want)
|
expect(got).to eq(want)
|
||||||
stubs.verify_stubbed_calls
|
stubs.verify_stubbed_calls
|
||||||
@client.expires_at -= 3601 # default is to expire in 1hr
|
@client.expires_at -= 3601 # default is to expire in 1hr
|
||||||
|
|
|
@ -40,10 +40,73 @@ require 'openssl'
|
||||||
require 'spec_helper'
|
require 'spec_helper'
|
||||||
require 'tmpdir'
|
require 'tmpdir'
|
||||||
|
|
||||||
|
include Google::Auth::CredentialsLoader
|
||||||
|
|
||||||
|
shared_examples 'jwt header auth' do
|
||||||
|
context 'when jwt_aud_uri is present' do
|
||||||
|
let(:test_uri) { 'https://www.googleapis.com/myservice' }
|
||||||
|
let(:auth_prefix) { 'Bearer ' }
|
||||||
|
let(:auth_key) { ServiceAccountJwtHeaderCredentials::AUTH_METADATA_KEY }
|
||||||
|
let(:jwt_uri_key) { ServiceAccountJwtHeaderCredentials::JWT_AUD_URI_KEY }
|
||||||
|
|
||||||
|
def expect_is_encoded_jwt(hdr)
|
||||||
|
expect(hdr).to_not be_nil
|
||||||
|
expect(hdr.start_with?(auth_prefix)).to be true
|
||||||
|
authorization = hdr[auth_prefix.length..-1]
|
||||||
|
payload, _ = JWT.decode(authorization, @key.public_key)
|
||||||
|
expect(payload['aud']).to eq(test_uri)
|
||||||
|
expect(payload['iss']).to eq(client_email)
|
||||||
|
end
|
||||||
|
|
||||||
|
describe '#apply!' do
|
||||||
|
it 'should update the target hash with a jwt token' do
|
||||||
|
md = { foo: 'bar' }
|
||||||
|
md[jwt_uri_key] = test_uri
|
||||||
|
@client.apply!(md)
|
||||||
|
auth_header = md[auth_key]
|
||||||
|
expect_is_encoded_jwt(auth_header)
|
||||||
|
expect(md[jwt_uri_key]).to be_nil
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'updater_proc' do
|
||||||
|
it 'should provide a proc that updates a hash with a jwt token' do
|
||||||
|
md = { foo: 'bar' }
|
||||||
|
md[jwt_uri_key] = test_uri
|
||||||
|
the_proc = @client.updater_proc
|
||||||
|
got = the_proc.call(md)
|
||||||
|
auth_header = got[auth_key]
|
||||||
|
expect_is_encoded_jwt(auth_header)
|
||||||
|
expect(got[jwt_uri_key]).to be_nil
|
||||||
|
expect(md[jwt_uri_key]).to_not be_nil
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe '#apply' do
|
||||||
|
it 'should not update the original hash with a jwt token' do
|
||||||
|
md = { foo: 'bar' }
|
||||||
|
md[jwt_uri_key] = test_uri
|
||||||
|
the_proc = @client.updater_proc
|
||||||
|
got = the_proc.call(md)
|
||||||
|
auth_header = md[auth_key]
|
||||||
|
expect(auth_header).to be_nil
|
||||||
|
expect(got[jwt_uri_key]).to be_nil
|
||||||
|
expect(md[jwt_uri_key]).to_not be_nil
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should add a jwt token to the returned hash' do
|
||||||
|
md = { foo: 'bar' }
|
||||||
|
md[jwt_uri_key] = test_uri
|
||||||
|
got = @client.apply(md)
|
||||||
|
auth_header = got[auth_key]
|
||||||
|
expect_is_encoded_jwt(auth_header)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe Google::Auth::ServiceAccountCredentials do
|
describe Google::Auth::ServiceAccountCredentials do
|
||||||
ServiceAccountCredentials = Google::Auth::ServiceAccountCredentials
|
ServiceAccountCredentials = Google::Auth::ServiceAccountCredentials
|
||||||
CredentialsLoader = Google::Auth::CredentialsLoader
|
|
||||||
|
|
||||||
let(:client_email) { 'app@developer.gserviceaccount.com' }
|
let(:client_email) { 'app@developer.gserviceaccount.com' }
|
||||||
|
|
||||||
before(:example) do
|
before(:example) do
|
||||||
|
@ -80,9 +143,17 @@ describe Google::Auth::ServiceAccountCredentials do
|
||||||
|
|
||||||
it_behaves_like 'apply/apply! are OK'
|
it_behaves_like 'apply/apply! are OK'
|
||||||
|
|
||||||
|
context 'when scope is nil' do
|
||||||
|
before(:example) do
|
||||||
|
@client.scope = nil
|
||||||
|
end
|
||||||
|
|
||||||
|
it_behaves_like 'jwt header auth'
|
||||||
|
end
|
||||||
|
|
||||||
describe '#from_env' do
|
describe '#from_env' do
|
||||||
before(:example) do
|
before(:example) do
|
||||||
@var_name = CredentialsLoader::ENV_VAR
|
@var_name = ENV_VAR
|
||||||
@orig = ENV[@var_name]
|
@orig = ENV[@var_name]
|
||||||
@scope = 'https://www.googleapis.com/auth/userinfo.profile'
|
@scope = 'https://www.googleapis.com/auth/userinfo.profile'
|
||||||
@clz = ServiceAccountCredentials
|
@clz = ServiceAccountCredentials
|
||||||
|
@ -122,7 +193,7 @@ describe Google::Auth::ServiceAccountCredentials do
|
||||||
before(:example) do
|
before(:example) do
|
||||||
@home = ENV['HOME']
|
@home = ENV['HOME']
|
||||||
@scope = 'https://www.googleapis.com/auth/userinfo.profile'
|
@scope = 'https://www.googleapis.com/auth/userinfo.profile'
|
||||||
@known_path = CredentialsLoader::WELL_KNOWN_PATH
|
@known_path = WELL_KNOWN_PATH
|
||||||
@clz = ServiceAccountCredentials
|
@clz = ServiceAccountCredentials
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -148,7 +219,6 @@ describe Google::Auth::ServiceAccountCredentials do
|
||||||
end
|
end
|
||||||
|
|
||||||
describe Google::Auth::ServiceAccountJwtHeaderCredentials do
|
describe Google::Auth::ServiceAccountJwtHeaderCredentials do
|
||||||
CredentialsLoader = Google::Auth::CredentialsLoader
|
|
||||||
ServiceAccountJwtHeaderCredentials =
|
ServiceAccountJwtHeaderCredentials =
|
||||||
Google::Auth::ServiceAccountJwtHeaderCredentials
|
Google::Auth::ServiceAccountJwtHeaderCredentials
|
||||||
|
|
||||||
|
@ -171,70 +241,11 @@ describe Google::Auth::ServiceAccountJwtHeaderCredentials do
|
||||||
MultiJson.dump(cred_json)
|
MultiJson.dump(cred_json)
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when jwt_aud_uri is present' do
|
it_behaves_like 'jwt header auth'
|
||||||
WANTED_AUTH_KEY = ServiceAccountJwtHeaderCredentials::AUTH_METADATA_KEY
|
|
||||||
JWT_AUD_URI_KEY = ServiceAccountJwtHeaderCredentials::JWT_AUD_URI_KEY
|
|
||||||
let(:test_uri) { 'https://www.googleapis.com/myservice' }
|
|
||||||
let(:auth_prefix) { 'Bearer ' }
|
|
||||||
|
|
||||||
def expect_is_encoded_jwt(hdr)
|
|
||||||
expect(hdr).to_not be_nil
|
|
||||||
expect(hdr.start_with?(auth_prefix)).to be true
|
|
||||||
authorization = hdr[auth_prefix.length..-1]
|
|
||||||
payload, _ = JWT.decode(authorization, @key.public_key)
|
|
||||||
expect(payload['aud']).to eq(test_uri)
|
|
||||||
expect(payload['iss']).to eq(client_email)
|
|
||||||
end
|
|
||||||
|
|
||||||
describe '#apply!' do
|
|
||||||
it 'should update the target hash with a jwt token' do
|
|
||||||
md = { foo: 'bar' }
|
|
||||||
md[JWT_AUD_URI_KEY] = test_uri
|
|
||||||
@client.apply!(md)
|
|
||||||
auth_header = md[WANTED_AUTH_KEY]
|
|
||||||
expect_is_encoded_jwt(auth_header)
|
|
||||||
expect(md[JWT_AUD_URI_KEY]).to be_nil
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe 'updater_proc' do
|
|
||||||
it 'should provide a proc that updates a hash with a jwt token' do
|
|
||||||
md = { foo: 'bar' }
|
|
||||||
md[JWT_AUD_URI_KEY] = test_uri
|
|
||||||
the_proc = @client.updater_proc
|
|
||||||
got = the_proc.call(md)
|
|
||||||
auth_header = got[WANTED_AUTH_KEY]
|
|
||||||
expect_is_encoded_jwt(auth_header)
|
|
||||||
expect(got[JWT_AUD_URI_KEY]).to be_nil
|
|
||||||
expect(md[JWT_AUD_URI_KEY]).to_not be_nil
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe '#apply' do
|
|
||||||
it 'should not update the original hash with a jwt token' do
|
|
||||||
md = { foo: 'bar' }
|
|
||||||
md[JWT_AUD_URI_KEY] = test_uri
|
|
||||||
the_proc = @client.updater_proc
|
|
||||||
got = the_proc.call(md)
|
|
||||||
auth_header = md[WANTED_AUTH_KEY]
|
|
||||||
expect(auth_header).to be_nil
|
|
||||||
expect(got[JWT_AUD_URI_KEY]).to be_nil
|
|
||||||
expect(md[JWT_AUD_URI_KEY]).to_not be_nil
|
|
||||||
end
|
|
||||||
|
|
||||||
it 'should add a jwt token to the returned hash' do
|
|
||||||
md = { foo: 'bar' }
|
|
||||||
md[JWT_AUD_URI_KEY] = test_uri
|
|
||||||
got = @client.apply(md)
|
|
||||||
auth_header = got[WANTED_AUTH_KEY]
|
|
||||||
expect_is_encoded_jwt(auth_header)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe '#from_env' do
|
describe '#from_env' do
|
||||||
before(:example) do
|
before(:example) do
|
||||||
@var_name = CredentialsLoader::ENV_VAR
|
@var_name = ENV_VAR
|
||||||
@orig = ENV[@var_name]
|
@orig = ENV[@var_name]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -271,7 +282,6 @@ describe Google::Auth::ServiceAccountJwtHeaderCredentials do
|
||||||
describe '#from_well_known_path' do
|
describe '#from_well_known_path' do
|
||||||
before(:example) do
|
before(:example) do
|
||||||
@home = ENV['HOME']
|
@home = ENV['HOME']
|
||||||
@known_path = CredentialsLoader::WELL_KNOWN_PATH
|
|
||||||
end
|
end
|
||||||
|
|
||||||
after(:example) do
|
after(:example) do
|
||||||
|
@ -285,7 +295,7 @@ describe Google::Auth::ServiceAccountJwtHeaderCredentials do
|
||||||
|
|
||||||
it 'successfully loads the file when it is present' do
|
it 'successfully loads the file when it is present' do
|
||||||
Dir.mktmpdir do |dir|
|
Dir.mktmpdir do |dir|
|
||||||
key_path = File.join(dir, '.config', @known_path)
|
key_path = File.join(dir, '.config', WELL_KNOWN_PATH)
|
||||||
FileUtils.mkdir_p(File.dirname(key_path))
|
FileUtils.mkdir_p(File.dirname(key_path))
|
||||||
File.write(key_path, cred_json_text)
|
File.write(key_path, cred_json_text)
|
||||||
ENV['HOME'] = dir
|
ENV['HOME'] = dir
|
||||||
|
|
Loading…
Reference in New Issue