Class: Google::Auth::ExternalAccount::PluggableAuthCredentials

Inherits:
Object
Extended by:
CredentialsLoader
Includes:
BaseCredentials, ExternalAccountUtils
Defined in:
lib/googleauth/external_account/pluggable_credentials.rb

Overview

This module handles the retrieval of credentials from Google Cloud by utilizing any 3PI provider, then exchanging the credentials for a short-lived Google Cloud access token.

Constant Summary

ENABLE_PLUGGABLE_ENV =

constant for pluggable auth enablement in environment variable.

"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES".freeze
EXECUTABLE_SUPPORTED_MAX_VERSION =
1
EXECUTABLE_TIMEOUT_MILLIS_DEFAULT =
30 * 1000
EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND =
5 * 1000
EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND =
120 * 1000
ID_TOKEN_TYPE =
["urn:ietf:params:oauth:token-type:jwt", "urn:ietf:params:oauth:token-type:id_token"].freeze

Constants included from CredentialsLoader

CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::AWS_ACCESS_KEY_ID_VAR, CredentialsLoader::AWS_DEFAULT_REGION_VAR, CredentialsLoader::AWS_REGION_VAR, CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR, CredentialsLoader::AWS_SESSION_TOKEN_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CLOUD_SDK_CLIENT_ID, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::GCLOUD_CONFIG_COMMAND, CredentialsLoader::GCLOUD_POSIX_COMMAND, CredentialsLoader::GCLOUD_WINDOWS_COMMAND, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::PROJECT_ID_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH

Constants included from ExternalAccountUtils

ExternalAccountUtils::CLOUD_RESOURCE_MANAGER

Constants included from BaseCredentials

BaseCredentials::EXTERNAL_ACCOUNT_JSON_TYPE, BaseCredentials::IAM_SCOPE, BaseCredentials::STS_GRANT_TYPE, BaseCredentials::STS_REQUESTED_TOKEN_TYPE

Constants included from BaseClient

BaseClient::AUTH_METADATA_KEY

Instance Attribute Summary

Attributes included from BaseCredentials

#access_token, #expires_at, #universe_domain

Attributes included from BaseClient

#logger

Instance Method Summary

Methods included from CredentialsLoader

from_env, from_system_default_path, from_well_known_path, load_gcloud_project_id, make_creds

Methods included from ExternalAccountUtils

#normalize_timestamp, #project_id, #project_number, #service_account_email

Methods included from BaseCredentials

#expires_within?, #fetch_access_token!, #is_workforce_pool?

Methods included from Helpers::Connection

connection

Methods included from BaseClient

#apply, #apply!, #expires_within?, #needs_access_token?, #notify_refresh_listeners, #on_refresh, #updater_proc

Constructor Details

#initialize(options = {}) ⇒ PluggableAuthCredentials

Initialize from options map.

Parameters:

  • audience (string)
  • credential_source (hash{symbol => value})

    credential_source is a hash that contains either a source file or a url. credential_source_format is either text or json, and defines how we parse the credential response.



# File 'lib/googleauth/external_account/pluggable_credentials.rb', line 49

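# Initialize from options map.
#
# Delegates shared setup to +base_setup+ (defined outside this method), then
# reads and validates the executable-specific fields of the credential source.
#
# @param options [Hash{Symbol => Object}]
#   * +:audience+ - stored as @audience for use elsewhere in the class.
#   * +:credential_source+ - hash that must contain an +:executable+ entry,
#     which in turn holds +:command+ (required), +:timeout_millis+ (optional,
#     defaults to EXECUTABLE_TIMEOUT_MILLIS_DEFAULT) and +:output_file+
#     (optional).
# @raise [RuntimeError] if +:executable+ or its +:command+ is missing, or if
#   +:timeout_millis+ lies outside
#   EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND..EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND.
def initialize options = {}
  base_setup options

  @audience = options[:audience]
  @credential_source = options[:credential_source] || {}
  @credential_source_executable = @credential_source[:executable]
  # The executable block is the only credential source this class accepts.
  raise "Missing executable source. An 'executable' must be provided" if @credential_source_executable.nil?
  @credential_source_executable_command = @credential_source_executable[:command]
  if @credential_source_executable_command.nil?
    raise "Missing command field. Executable command must be provided."
  end
  @credential_source_executable_timeout_millis = @credential_source_executable[:timeout_millis] ||
                                                 EXECUTABLE_TIMEOUT_MILLIS_DEFAULT
  # Clamp-by-rejection: a configured timeout may neither let the executable
  # run unbounded nor be too short to complete (5s..120s per the constants).
  if @credential_source_executable_timeout_millis < EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND ||
     @credential_source_executable_timeout_millis > EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND
    raise "Timeout must be between 5 and 120 seconds."
  end
  @credential_source_executable_output_file = @credential_source_executable[:output_file]
end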

Instance Attribute Details

#client_idObject (readonly)

Will always be nil, but method still gets used.



# File 'lib/googleauth/external_account/pluggable_credentials.rb', line 40

# Will always be nil, but method still gets used.
#
# @return [nil] nothing visible in this class assigns @client_id, so the
#   reader yields nil (as the attribute documentation states).
def client_id
  @client_id
end

Instance Method Details

#retrieve_subject_token!Object



# File 'lib/googleauth/external_account/pluggable_credentials.rb', line 69

# Obtain the third-party subject token for the STS exchange.
#
# Resolution order: a token read back from the configured output file via
# +load_subject_token_from_output_file+ (when it returns non-nil), otherwise
# the configured executable is run with the injected environment and its
# JSON output is parsed. The helpers called here are defined outside this
# method.
#
# @return [Object] whatever +parse_subject_token+ produces for the
#   executable's response
# @raise [RuntimeError] if ENABLE_PLUGGABLE_ENV is not set to "1"
def retrieve_subject_token!
  # Opt-in gate: the command to run comes from the credential configuration,
  # so executing it requires an explicit allow in the process environment.
  unless ENV[ENABLE_PLUGGABLE_ENV] == "1"
    raise "Executables need to be explicitly allowed " \
          "(set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') to run."
  end

  # Prefer a token already written to the output file, if one is available.
  cached_token = load_subject_token_from_output_file
  return cached_token unless cached_token.nil?

  env = inject_environment_variables
  raw_output = subprocess_with_timeout env,
                                      @credential_source_executable_command,
                                      @credential_source_executable_timeout_millis
  parsed = MultiJson.load raw_output, symbolize_keys: true
  parse_subject_token parsed
end