Module: Google::Auth::CredentialsLoader

Extended by:

Memoist

Included in:

DefaultCredentials, ServiceAccountCredentials, ServiceAccountJwtHeaderCredentials, UserRefreshCredentials

Defined in:

lib/googleauth/credentials_loader.rb

Overview

CredentialsLoader contains the behaviour used to locate and find default credentials files on the file system.

Constant Summary

ENV_VAR =

'GOOGLE_APPLICATION_CREDENTIALS'.freeze

PRIVATE_KEY_VAR =

'GOOGLE_PRIVATE_KEY'.freeze

CLIENT_EMAIL_VAR =

'GOOGLE_CLIENT_EMAIL'.freeze

CLIENT_ID_VAR =

'GOOGLE_CLIENT_ID'.freeze

CLIENT_SECRET_VAR =

'GOOGLE_CLIENT_SECRET'.freeze

REFRESH_TOKEN_VAR =

'GOOGLE_REFRESH_TOKEN'.freeze

ACCOUNT_TYPE_VAR =

'GOOGLE_ACCOUNT_TYPE'.freeze

CREDENTIALS_FILE_NAME =

'application_default_credentials.json'.freeze

NOT_FOUND_ERROR =

"Unable to read the credential file specified by #{ENV_VAR}".freeze

WELL_KNOWN_PATH =

"gcloud/#{CREDENTIALS_FILE_NAME}".freeze

WELL_KNOWN_ERROR =

'Unable to read the default credential file'.freeze

SYSTEM_DEFAULT_ERROR =

'Unable to read the system default credential file'.freeze

CLOUD_SDK_CLIENT_ID =

'764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app'\
's.googleusercontent.com'.freeze

CLOUD_SDK_CREDENTIALS_WARNING =

'Your application has authenticated '\
'using end user credentials from Google Cloud SDK. We recommend that '\
'most server applications use service accounts instead. If your '\
'application continues to use end user credentials from Cloud SDK, '\
'you might receive a "quota exceeded" or "API not enabled" error. For'\
' more information about service accounts, see '\
'https://cloud.google.com/docs/authentication/.'.freeze

Class Method Summary

• .warn_if_cloud_sdk_credentials(client_id) ⇒ Object

  Issues warning if cloud sdk client id is used.

Instance Method Summary

• #from_env(scope = nil) ⇒ Object

  Creates an instance from the path specified in an environment variable.

• #from_system_default_path(scope = nil) ⇒ Object

  Creates an instance from the system default path.

• #from_well_known_path(scope = nil) ⇒ Object

  Creates an instance from a well known path.

• #make_creds(*args) ⇒ Object

  make_creds proxies the construction of a credentials instance.

Class Method Details

.warn_if_cloud_sdk_credentials(client_id) ⇒ Object

Issues warning if cloud sdk client id is used

# File 'lib/googleauth/credentials_loader.rb', line 134

def warn_if_cloud_sdk_credentials(client_id)
  warn CLOUD_SDK_CREDENTIALS_WARNING if client_id == CLOUD_SDK_CLIENT_ID
end

Instance Method Details

#from_env(scope = nil) ⇒ Object

Creates an instance from the path specified in an environment variable.

Parameters:

• scope (string|array|nil) (defaults to: nil) —

  the scope(s) to access

# File 'lib/googleauth/credentials_loader.rb', line 83

def from_env(scope = nil)
  if ENV.key?(ENV_VAR)
    path = ENV[ENV_VAR]
    raise "file #{path} does not exist" unless File.exist?(path)
    File.open(path) do |f|
      return make_creds(json_key_io: f, scope: scope)
    end
  elsif service_account_env_vars? || authorized_user_env_vars?
    return make_creds(scope: scope)
  end
rescue StandardError => e
  raise "#{NOT_FOUND_ERROR}: #{e}"
end

#from_system_default_path(scope = nil) ⇒ Object

Creates an instance from the system default path

Parameters:

• scope (string|array|nil) (defaults to: nil) —

  the scope(s) to access

# File 'lib/googleauth/credentials_loader.rb', line 117

def from_system_default_path(scope = nil)
  if OS.windows?
    return nil unless ENV['ProgramData']
    prefix = File.join(ENV['ProgramData'], 'Google/Auth')
  else
    prefix = '/etc/google/auth/'
  end
  path = File.join(prefix, CREDENTIALS_FILE_NAME)
  return nil unless File.exist?(path)
  File.open(path) do |f|
    return make_creds(json_key_io: f, scope: scope)
  end
rescue StandardError => e
  raise "#{SYSTEM_DEFAULT_ERROR}: #{e}"
end

#from_well_known_path(scope = nil) ⇒ Object

Creates an instance from a well known path.

Parameters:

• scope (string|array|nil) (defaults to: nil) —

  the scope(s) to access

# File 'lib/googleauth/credentials_loader.rb', line 100

def from_well_known_path(scope = nil)
  home_var = OS.windows? ? 'APPDATA' : 'HOME'
  base = WELL_KNOWN_PATH
  root = ENV[home_var].nil? ? '' : ENV[home_var]
  base = File.join('.config', base) unless OS.windows?
  path = File.join(root, base)
  return nil unless File.exist?(path)
  File.open(path) do |f|
    return make_creds(json_key_io: f, scope: scope)
  end
rescue StandardError => e
  raise "#{WELL_KNOWN_ERROR}: #{e}"
end

#make_creds(*args) ⇒ Object

make_creds proxies the construction of a credentials instance

By default, it calls #new on the current class, but this behaviour can be modified, allowing different instances to be created.

# File 'lib/googleauth/credentials_loader.rb', line 75

def make_creds(*args)
  new(*args)
end