Class: Google::Auth::ServiceAccountJwtHeaderCredentials

Inherits:
Object
  • Object
show all
Extended by:
CredentialsLoader, JsonKeyReader
Defined in:
lib/googleauth/service_account_jwt_header.rb

Overview

Authenticates requests using Google's Service Account credentials via JWT Header.

This class allows authorizing requests for service accounts directly from credentials from a json key file downloaded from the developer console (via 'Generate new Json Key'). It is not part of any OAuth2 flow, rather it creates a JWT and sends that as a credential.

cf Application Default Credentials

Constant Summary collapse

JWT_AUD_URI_KEY = 
:jwt_aud_uri
AUTH_METADATA_KEY = 
Google::Auth::BaseClient::AUTH_METADATA_KEY
TOKEN_CRED_URI = 
"https://www.googleapis.com/oauth2/v4/token".freeze
SIGNING_ALGORITHM = 
"RS256".freeze
EXPIRY = 
60

Constants included from CredentialsLoader

CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::AWS_ACCESS_KEY_ID_VAR, CredentialsLoader::AWS_DEFAULT_REGION_VAR, CredentialsLoader::AWS_REGION_VAR, CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR, CredentialsLoader::AWS_SESSION_TOKEN_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CLOUD_SDK_CLIENT_ID, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::GCLOUD_CONFIG_COMMAND, CredentialsLoader::GCLOUD_POSIX_COMMAND, CredentialsLoader::GCLOUD_WINDOWS_COMMAND, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::PROJECT_ID_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Methods included from CredentialsLoader

from_env, from_system_default_path, from_well_known_path, load_gcloud_project_id, make_creds

Methods included from JsonKeyReader

read_json_key

Constructor Details

#initialize(options = {}) ⇒ ServiceAccountJwtHeaderCredentials

Initializes a ServiceAccountJwtHeaderCredentials.

Parameters:

  • json_key_io (IO)

    an IO from which the JSON key can be read

[View source]

60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
 
# File 'lib/googleauth/service_account_jwt_header.rb', line 60

def initialize options = {}
  json_key_io = options[:json_key_io]
  if json_key_io
    @private_key, @issuer, @project_id, @quota_project_id, @universe_domain =
      self.class.read_json_key json_key_io
  else
    @private_key = options.key?(:private_key) ? options[:private_key] : ENV[CredentialsLoader::PRIVATE_KEY_VAR]
    @issuer = options.key?(:issuer) ? options[:issuer] : ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
    @project_id = options.key?(:project_id) ? options[:project_id] : ENV[CredentialsLoader::PROJECT_ID_VAR]
    @quota_project_id = options[:quota_project_id] if options.key? :quota_project_id
    @universe_domain = options[:universe_domain] if options.key? :universe_domain
  end
  @universe_domain ||= "googleapis.com"
  @project_id ||= CredentialsLoader.load_gcloud_project_id
  @signing_key = OpenSSL::PKey::RSA.new @private_key
  @scope = options[:scope] if options.key? :scope
  @logger = options[:logger] if options.key? :logger
end

Instance Attribute Details

#loggerObject

Returns the value of attribute logger.


46
47
48
 
# File 'lib/googleauth/service_account_jwt_header.rb', line 46

def logger
  @logger
end

#project_idObject (readonly)

Returns the value of attribute project_id.


43
44
45
 
# File 'lib/googleauth/service_account_jwt_header.rb', line 43

def project_id
  @project_id
end

#quota_project_idObject (readonly)

Returns the value of attribute quota_project_id.


44
45
46
 
# File 'lib/googleauth/service_account_jwt_header.rb', line 44

def quota_project_id
  @quota_project_id
end

#universe_domainObject

Returns the value of attribute universe_domain.


45
46
47
 
# File 'lib/googleauth/service_account_jwt_header.rb', line 45

def universe_domain
  @universe_domain
end

Class Method Details

.make_creds(options = {}) ⇒ Object

Create a ServiceAccountJwtHeaderCredentials.

Parameters:

  • json_key_io (IO)

    an IO from which the JSON key can be read

  • scope (string|array|nil)

    the scope(s) to access

[View source]

52
53
54
55
 
# File 'lib/googleauth/service_account_jwt_header.rb', line 52

def self.make_creds options = {}
  json_key_io, scope = options.values_at :json_key_io, :scope
  new json_key_io: json_key_io, scope: scope
end

Instance Method Details

#apply(a_hash, opts = {}) ⇒ Object

Returns a clone of a_hash updated with the authorization header

[View source]

122
123
124
125
126
 
# File 'lib/googleauth/service_account_jwt_header.rb', line 122

def apply a_hash, opts = {}
  a_copy = a_hash.clone
  apply! a_copy, opts
  a_copy
end

#apply!(a_hash, opts = {}) ⇒ Object

Construct a jwt token if the JWT_AUD_URI key is present in the input hash.

The jwt token is used as the value of a 'Bearer '.

[View source]

109
110
111
112
113
114
115
116
117
118
119
 
# File 'lib/googleauth/service_account_jwt_header.rb', line 109

def apply! a_hash, opts = {}
  jwt_aud_uri = a_hash.delete JWT_AUD_URI_KEY
  return a_hash if jwt_aud_uri.nil? && @scope.nil?
  jwt_token = new_jwt_token jwt_aud_uri, opts
  a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
  logger&.debug do
    hash = Digest::SHA256.hexdigest jwt_token
    Google::Logging::Message.from message: "Sending JWT auth token. (sha256:#{hash})"
  end
  a_hash
end

#duplicate(options = {}) ⇒ Object

Creates a duplicate of these credentials

Parameters:

  • options (Hash) (defaults to: {})

    Overrides for the credentials parameters. The following keys are recognized

    • private key the private key in string form
    • issuer the SA issuer
    • scope the scope(s) to access
    • project_id the project id to use during the authentication
    • quota_project_id the quota project id to use
    • universe_domain the universe domain of the credentials
[View source]

89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
 
# File 'lib/googleauth/service_account_jwt_header.rb', line 89

def duplicate options = {}
  options = deep_hash_normalize options

  options = {
    private_key: @private_key,
    issuer: @issuer,
    scope: @scope,
    project_id: project_id,
    quota_project_id: quota_project_id,
    universe_domain: universe_domain,
    logger: logger
  }.merge(options)

  self.class.new options
end

#needs_access_token?Boolean

Duck-types the corresponding method from BaseClient

Returns:

  • (Boolean)
[View source]

158
159
160
 
# File 'lib/googleauth/service_account_jwt_header.rb', line 158

def needs_access_token?
  false
end

#new_jwt_token(jwt_aud_uri = nil, options = {}) ⇒ Object

Creates a jwt uri token.

[View source]

135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
 
# File 'lib/googleauth/service_account_jwt_header.rb', line 135

def new_jwt_token jwt_aud_uri = nil, options = {}
  now = Time.new
  skew = options[:skew] || 60
  assertion = {
    "iss" => @issuer,
    "sub" => @issuer,
    "exp" => (now + EXPIRY).to_i,
    "iat" => (now - skew).to_i
  }

  jwt_aud_uri = nil if @scope

  assertion["scope"] = Array(@scope).join " " if @scope
  assertion["aud"] = jwt_aud_uri if jwt_aud_uri

  logger&.debug do
    Google::Logging::Message.from message: "JWT assertion: #{assertion}"
  end

  JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
end

#updater_procObject

Returns a reference to the #apply method, suitable for passing as a closure

[View source]

130
131
132
 
# File 'lib/googleauth/service_account_jwt_header.rb', line 130

def updater_proc
  proc { |a_hash, opts = {}| apply a_hash, opts }
end