Class: Google::Auth::ExternalAccount::PluggableAuthCredentials
- Inherits:
- Object
- Object
- Google::Auth::ExternalAccount::PluggableAuthCredentials
- Extended by:
- CredentialsLoader
- Includes:
- BaseCredentials, ExternalAccountUtils
- Defined in:
- lib/googleauth/external_account/pluggable_credentials.rb
Overview
This module handles the retrieval of credentials from Google Cloud by utilizing any 3PI provider, then exchanging those credentials for a short-lived Google Cloud access token.
Constant Summary
- ENABLE_PLUGGABLE_ENV = "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES".freeze
  Constant for pluggable auth enablement in environment variable.
- EXECUTABLE_SUPPORTED_MAX_VERSION = 1
- EXECUTABLE_TIMEOUT_MILLIS_DEFAULT = 30 * 1000
- EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND = 5 * 1000
- EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND = 120 * 1000
- ID_TOKEN_TYPE = ["urn:ietf:params:oauth:token-type:jwt", "urn:ietf:params:oauth:token-type:id_token"].freeze
Constants included from CredentialsLoader
CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::AWS_ACCESS_KEY_ID_VAR, CredentialsLoader::AWS_DEFAULT_REGION_VAR, CredentialsLoader::AWS_REGION_VAR, CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR, CredentialsLoader::AWS_SESSION_TOKEN_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CLOUD_SDK_CLIENT_ID, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::GCLOUD_CONFIG_COMMAND, CredentialsLoader::GCLOUD_POSIX_COMMAND, CredentialsLoader::GCLOUD_WINDOWS_COMMAND, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::PROJECT_ID_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH
Constants included from ExternalAccountUtils
ExternalAccountUtils::CLOUD_RESOURCE_MANAGER
Constants included from BaseCredentials
BaseCredentials::EXTERNAL_ACCOUNT_JSON_TYPE, BaseCredentials::IAM_SCOPE, BaseCredentials::STS_GRANT_TYPE, BaseCredentials::STS_REQUESTED_TOKEN_TYPE
Constants included from BaseClient
Instance Attribute Summary
- #client_id ⇒ Object (readonly)
  Will always be nil, but method still gets used.
Attributes included from BaseCredentials
#access_token, #expires_at, #universe_domain
Attributes included from BaseClient
Instance Method Summary
- #initialize(options = {}) ⇒ PluggableAuthCredentials (constructor)
  Initialize from options map.
- #retrieve_subject_token! ⇒ Object
Methods included from CredentialsLoader
from_env, from_system_default_path, from_well_known_path, load_gcloud_project_id, make_creds
Methods included from ExternalAccountUtils
#normalize_timestamp, #project_id, #project_number, #service_account_email
Methods included from BaseCredentials
#expires_within?, #fetch_access_token!, #is_workforce_pool?
Methods included from Helpers::Connection
Methods included from BaseClient
#apply, #apply!, #expires_within?, #needs_access_token?, #notify_refresh_listeners, #on_refresh, #updater_proc
Constructor Details
#initialize(options = {}) ⇒ PluggableAuthCredentials
Initialize from options map.
```ruby
# File 'lib/googleauth/external_account/pluggable_credentials.rb', line 49

def initialize options = {}
  base_setup options

  @audience = options[:audience]
  @credential_source = options[:credential_source] || {}
  @credential_source_executable = @credential_source[:executable]
  raise "Missing excutable source. An 'executable' must be provided" if @credential_source_executable.nil?
  @credential_source_executable_command = @credential_source_executable[:command]
  if @credential_source_executable_command.nil?
    raise "Missing command field. Executable command must be provided."
  end
  @credential_source_executable_timeout_millis = @credential_source_executable[:timeout_millis] ||
                                                 EXECUTABLE_TIMEOUT_MILLIS_DEFAULT
  if @credential_source_executable_timeout_millis < EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND ||
     @credential_source_executable_timeout_millis > EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND
    raise "Timeout must be between 5 and 120 seconds."
  end
  @credential_source_executable_output_file = @credential_source_executable[:output_file]
end
```
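A pre-flight audit of a `credential_source` hash, to run before setting `GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES`. This is an added example, not googleauth code. It repeats the constructor's presence and timeout checks and adds two hardening checks that are assumptions of this example rather than library behavior: the command must start with a POSIX absolute path, and an existing output file must not be world-accessible. `audit_executable_source` and the sample command are hypothetical.

```ruby
# Added example, not part of googleauth. Bounds mirror the constants above.
TIMEOUT_MS_DEFAULT = 30 * 1000
TIMEOUT_MS_RANGE = ((5 * 1000)..(120 * 1000)).freeze

# Returns a list of findings (empty when the config passes every check).
# credential_source uses symbol keys, as in the constructor above.
def audit_executable_source credential_source
  findings = []
  executable = (credential_source || {})[:executable]
  return ["missing 'executable' source"] if executable.nil?

  command = executable[:command]
  if command.nil? || command.strip.empty?
    findings << "missing 'command'"
  else
    program = command.split.first
    # Assumption of this example: require an absolute path so the program
    # that runs does not depend on the caller's PATH.
    findings << "command '#{program}' is not an absolute path" unless program.start_with? "/"
  end

  timeout = executable[:timeout_millis] || TIMEOUT_MS_DEFAULT
  unless timeout.is_a?(Integer) && TIMEOUT_MS_RANGE.cover?(timeout)
    findings << "timeout_millis #{timeout.inspect} outside 5000..120000"
  end

  output_file = executable[:output_file]
  if output_file && File.exist?(output_file)
    # The output file is checked for a subject token before the executable
    # runs, so other local users should not be able to read or replace it.
    findings << "output_file is world-readable" if File.world_readable? output_file
    findings << "output_file is world-writable" if File.world_writable? output_file
  end
  findings
end

# Constructed sample config (hypothetical command name).
sample = { executable: { command: "fetch-token --aud example", timeout_millis: 1000 } }
puts audit_executable_source(sample)
```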
Instance Attribute Details
#client_id ⇒ Object (readonly)
Will always be nil, but method still gets used.
```ruby
# File 'lib/googleauth/external_account/pluggable_credentials.rb', line 40

def client_id
  @client_id
end
```
Instance Method Details
#retrieve_subject_token! ⇒ Object
```ruby
# File 'lib/googleauth/external_account/pluggable_credentials.rb', line 69

def retrieve_subject_token!
  unless ENV[ENABLE_PLUGGABLE_ENV] == "1"
    raise "Executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') " \
          "to run."
  end
  # check output file first
  subject_token = load_subject_token_from_output_file
  return subject_token unless subject_token.nil?
  # environment variable injection
  env = inject_environment_variables
  output = subprocess_with_timeout env, @credential_source_executable_command,
                                   @credential_source_executable_timeout_millis
  response = MultiJson.load output, symbolize_keys: true
  parse_subject_token response
end
```
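`parse_subject_token` is called above but not shown on this page. The following added example (not the library's code) validates an executable's output before the token would be exchanged, using the stdlib `JSON` parser instead of `MultiJson`. The response field names (`version`, `success`, `token_type`, `id_token`, `saml_response`, `expiration_time`, `code`, `message`) and the SAML token type come from Google's documented executable response format, not from this page; `subject_token_from` is a hypothetical name.

```ruby
require "json"

# Added example, not part of googleauth.
SUPPORTED_MAX_VERSION = 1 # same value as EXECUTABLE_SUPPORTED_MAX_VERSION
ID_TOKEN_TYPES = ["urn:ietf:params:oauth:token-type:jwt",
                  "urn:ietf:params:oauth:token-type:id_token"].freeze
SAML_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:saml2".freeze

# Parses the executable's stdout and returns the subject token, raising on
# any response that should not be exchanged for an access token.
def subject_token_from output, now: Time.now.to_i
  response = JSON.parse output, symbolize_names: true
  raise "response must be a JSON object" unless response.is_a? Hash

  version = response[:version]
  unless version.is_a?(Integer) && version <= SUPPORTED_MAX_VERSION
    raise "missing or unsupported version"
  end
  raise "missing success field" unless [true, false].include? response[:success]
  unless response[:success]
    raise "executable failed: #{response[:code]} #{response[:message]}"
  end

  # Reject a token the executable itself reports as already expired.
  expiry = response[:expiration_time]
  raise "token expired" if expiry && expiry < now

  token = case response[:token_type]
          when *ID_TOKEN_TYPES then response[:id_token]
          when SAML_TOKEN_TYPE then response[:saml_response]
          else raise "unsupported token_type #{response[:token_type].inspect}"
          end
  raise "token field is empty" if token.nil? || token.empty?
  token
end

# Constructed sample responses (token value is a placeholder).
OK_RESPONSE = '{"version":1,"success":true,"expiration_time":2000,' \
              '"token_type":"urn:ietf:params:oauth:token-type:id_token",' \
              '"id_token":"PLACEHOLDER.JWT"}'.freeze
FAILED_RESPONSE = '{"version":1,"success":false,"code":"401","message":"denied"}'.freeze

puts subject_token_from(OK_RESPONSE, now: 1000)
```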