Adds an implementation of JWT signing to ServiceAccountCredentials
This commit is contained in:
parent
5124dc2a46
commit
e3e33e2c38
|
@ -1,15 +1,15 @@
|
||||||
# This configuration was generated by `rubocop --auto-gen-config`
|
# This configuration was generated by `rubocop --auto-gen-config`
|
||||||
# on 2015-02-25 04:34:33 -0800 using RuboCop version 0.28.0.
|
# on 2015-03-06 19:51:00 -0800 using RuboCop version 0.28.0.
|
||||||
# The point is for the user to remove these configuration records
|
# The point is for the user to remove these configuration records
|
||||||
# one by one as the offenses are removed from the code base.
|
# one by one as the offenses are removed from the code base.
|
||||||
# Note that changes in the inspected code, or installation of new
|
# Note that changes in the inspected code, or installation of new
|
||||||
# versions of RuboCop, may require this file to be generated again.
|
# versions of RuboCop, may require this file to be generated again.
|
||||||
|
|
||||||
# Offense count: 1
|
# Offense count: 3
|
||||||
Metrics/AbcSize:
|
Metrics/AbcSize:
|
||||||
Max: 16
|
Max: 24
|
||||||
|
|
||||||
# Offense count: 1
|
# Offense count: 3
|
||||||
# Configuration parameters: CountComments.
|
# Configuration parameters: CountComments.
|
||||||
Metrics/MethodLength:
|
Metrics/MethodLength:
|
||||||
Max: 11
|
Max: 11
|
||||||
|
|
|
@ -29,6 +29,7 @@
|
||||||
|
|
||||||
require 'googleauth/signet'
|
require 'googleauth/signet'
|
||||||
require 'googleauth/credentials_loader'
|
require 'googleauth/credentials_loader'
|
||||||
|
require 'jwt'
|
||||||
require 'multi_json'
|
require 'multi_json'
|
||||||
|
|
||||||
module Google
|
module Google
|
||||||
|
@ -43,6 +44,8 @@ module Google
|
||||||
#
|
#
|
||||||
# cf [Application Default Credentials](http://goo.gl/mkAHpZ)
|
# cf [Application Default Credentials](http://goo.gl/mkAHpZ)
|
||||||
class ServiceAccountCredentials < Signet::OAuth2::Client
|
class ServiceAccountCredentials < Signet::OAuth2::Client
|
||||||
|
JWT_AUD_URI_KEY = :jwt_aud_uri
|
||||||
|
AUTH_METADATA_KEY = Signet::OAuth2::AUTH_METADATA_KEY
|
||||||
TOKEN_CRED_URI = 'https://www.googleapis.com/oauth2/v3/token'
|
TOKEN_CRED_URI = 'https://www.googleapis.com/oauth2/v3/token'
|
||||||
extend CredentialsLoader
|
extend CredentialsLoader
|
||||||
|
|
||||||
|
@ -67,6 +70,34 @@ module Google
|
||||||
issuer: client_email,
|
issuer: client_email,
|
||||||
signing_key: OpenSSL::PKey::RSA.new(private_key))
|
signing_key: OpenSSL::PKey::RSA.new(private_key))
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Extends the superclass behaviour to construct a jwt token if the
|
||||||
|
# google jwt uri key is present in the input hash.
|
||||||
|
#
|
||||||
|
# The jwt is used as the authentication token.
|
||||||
|
def apply!(a_hash, opts = {})
|
||||||
|
jwt_aud_uri = a_hash.delete(JWT_AUD_URI_KEY)
|
||||||
|
unless jwt_aud_uri.nil?
|
||||||
|
jwt_token = new_jwt_token(jwt_aud_uri, opts)
|
||||||
|
a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
|
||||||
|
return a_hash
|
||||||
|
end
|
||||||
|
super
|
||||||
|
end
|
||||||
|
|
||||||
|
# Creates a jwt uri token.
|
||||||
|
def new_jwt_token(jwt_aud_uri, options = {})
|
||||||
|
now = Time.new
|
||||||
|
skew = options[:skew] || 60
|
||||||
|
assertion = {
|
||||||
|
'iss' => issuer,
|
||||||
|
'sub' => issuer,
|
||||||
|
'aud' => jwt_aud_uri,
|
||||||
|
'exp' => (now + expiry).to_i,
|
||||||
|
'iat' => (now - skew).to_i
|
||||||
|
}
|
||||||
|
JWT.encode(assertion, signing_key, signing_algorithm)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -46,9 +46,9 @@ def build_access_token_json(token)
|
||||||
'expires_in' => 3600)
|
'expires_in' => 3600)
|
||||||
end
|
end
|
||||||
|
|
||||||
WANTED_AUTH_KEY = :Authorization
|
|
||||||
|
|
||||||
shared_examples 'apply/apply! are OK' do
|
shared_examples 'apply/apply! are OK' do
|
||||||
|
WANTED_AUTH_KEY = :Authorization
|
||||||
|
|
||||||
# tests that use these examples need to define
|
# tests that use these examples need to define
|
||||||
#
|
#
|
||||||
# @client which should be an auth client
|
# @client which should be an auth client
|
||||||
|
|
|
@ -44,6 +44,8 @@ describe Google::Auth::ServiceAccountCredentials do
|
||||||
ServiceAccountCredentials = Google::Auth::ServiceAccountCredentials
|
ServiceAccountCredentials = Google::Auth::ServiceAccountCredentials
|
||||||
CredentialsLoader = Google::Auth::CredentialsLoader
|
CredentialsLoader = Google::Auth::CredentialsLoader
|
||||||
|
|
||||||
|
let(:client_email) { 'app@developer.gserviceaccount.com' }
|
||||||
|
|
||||||
before(:example) do
|
before(:example) do
|
||||||
@key = OpenSSL::PKey::RSA.new(2048)
|
@key = OpenSSL::PKey::RSA.new(2048)
|
||||||
@client = ServiceAccountCredentials.new(
|
@client = ServiceAccountCredentials.new(
|
||||||
|
@ -69,7 +71,7 @@ describe Google::Auth::ServiceAccountCredentials do
|
||||||
cred_json = {
|
cred_json = {
|
||||||
private_key_id: 'a_private_key_id',
|
private_key_id: 'a_private_key_id',
|
||||||
private_key: @key.to_pem,
|
private_key: @key.to_pem,
|
||||||
client_email: 'app@developer.gserviceaccount.com',
|
client_email: client_email,
|
||||||
client_id: 'app.apps.googleusercontent.com',
|
client_id: 'app.apps.googleusercontent.com',
|
||||||
type: 'service_account'
|
type: 'service_account'
|
||||||
}
|
}
|
||||||
|
@ -78,6 +80,67 @@ describe Google::Auth::ServiceAccountCredentials do
|
||||||
|
|
||||||
it_behaves_like 'apply/apply! are OK'
|
it_behaves_like 'apply/apply! are OK'
|
||||||
|
|
||||||
|
context 'when jwt_aud_uri is present' do
|
||||||
|
WANTED_AUTH_KEY = ServiceAccountCredentials::AUTH_METADATA_KEY
|
||||||
|
JWT_AUD_URI_KEY = ServiceAccountCredentials::JWT_AUD_URI_KEY
|
||||||
|
let(:test_uri) { 'https://www.googleapis.com/myservice' }
|
||||||
|
let(:auth_prefix) { 'Bearer ' }
|
||||||
|
|
||||||
|
def expect_is_encoded_jwt(hdr)
|
||||||
|
expect(hdr).to_not be_nil
|
||||||
|
expect(hdr.start_with?(auth_prefix)).to be true
|
||||||
|
authorization = hdr[auth_prefix.length..-1]
|
||||||
|
payload, _ = JWT.decode(authorization, @key.public_key)
|
||||||
|
expect(payload['aud']).to eq(test_uri)
|
||||||
|
expect(payload['iss']).to eq(client_email)
|
||||||
|
end
|
||||||
|
|
||||||
|
describe '#apply!' do
|
||||||
|
it 'should update the target hash with a jwt token' do
|
||||||
|
md = { foo: 'bar' }
|
||||||
|
md[JWT_AUD_URI_KEY] = test_uri
|
||||||
|
@client.apply!(md)
|
||||||
|
auth_header = md[WANTED_AUTH_KEY]
|
||||||
|
expect_is_encoded_jwt(auth_header)
|
||||||
|
expect(md[JWT_AUD_URI_KEY]).to be_nil
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'updater_proc' do
|
||||||
|
it 'should provide a proc that updates a hash with a jwt token' do
|
||||||
|
md = { foo: 'bar' }
|
||||||
|
md[JWT_AUD_URI_KEY] = test_uri
|
||||||
|
the_proc = @client.updater_proc
|
||||||
|
got = the_proc.call(md)
|
||||||
|
auth_header = got[WANTED_AUTH_KEY]
|
||||||
|
expect_is_encoded_jwt(auth_header)
|
||||||
|
expect(got[JWT_AUD_URI_KEY]).to be_nil
|
||||||
|
expect(md[JWT_AUD_URI_KEY]).to_not be_nil
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe '#apply' do
|
||||||
|
it 'should not update the original hash with a jwt token' do
|
||||||
|
md = { foo: 'bar' }
|
||||||
|
md[JWT_AUD_URI_KEY] = test_uri
|
||||||
|
the_proc = @client.updater_proc
|
||||||
|
got = the_proc.call(md)
|
||||||
|
auth_header = md[WANTED_AUTH_KEY]
|
||||||
|
expect(auth_header).to be_nil
|
||||||
|
expect(got[JWT_AUD_URI_KEY]).to be_nil
|
||||||
|
expect(md[JWT_AUD_URI_KEY]).to_not be_nil
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should add a jwt token to the returned hash' do
|
||||||
|
md = { foo: 'bar' }
|
||||||
|
md[JWT_AUD_URI_KEY] = test_uri
|
||||||
|
got = @client.apply(md)
|
||||||
|
auth_header = got[WANTED_AUTH_KEY]
|
||||||
|
expect_is_encoded_jwt(auth_header)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe '#from_env' do
|
describe '#from_env' do
|
||||||
before(:example) do
|
before(:example) do
|
||||||
@var_name = CredentialsLoader::ENV_VAR
|
@var_name = CredentialsLoader::ENV_VAR
|
||||||
|
|
Loading…
Reference in New Issue