Module: Google::Auth::CredentialsLoader

Included in:
DefaultCredentials, ServiceAccountCredentials, ServiceAccountJwtHeaderCredentials, UserRefreshCredentials
Defined in:
lib/googleauth/credentials_loader.rb

Overview

CredentialsLoader contains the behaviour used to locate default credentials files on the file system.

Constant Summary

ENV_VAR =
"GOOGLE_APPLICATION_CREDENTIALS".freeze
PRIVATE_KEY_VAR =
"GOOGLE_PRIVATE_KEY".freeze
CLIENT_EMAIL_VAR =
"GOOGLE_CLIENT_EMAIL".freeze
CLIENT_ID_VAR =
"GOOGLE_CLIENT_ID".freeze
CLIENT_SECRET_VAR =
"GOOGLE_CLIENT_SECRET".freeze
REFRESH_TOKEN_VAR =
"GOOGLE_REFRESH_TOKEN".freeze
ACCOUNT_TYPE_VAR =
"GOOGLE_ACCOUNT_TYPE".freeze
PROJECT_ID_VAR =
"GOOGLE_PROJECT_ID".freeze
GCLOUD_POSIX_COMMAND =
"gcloud".freeze
GCLOUD_WINDOWS_COMMAND =
"gcloud.cmd".freeze
GCLOUD_CONFIG_COMMAND =
"config config-helper --format json --verbosity none".freeze
CREDENTIALS_FILE_NAME =
"application_default_credentials.json".freeze
NOT_FOUND_ERROR =
"Unable to read the credential file specified by #{ENV_VAR}".freeze
WELL_KNOWN_PATH =
"gcloud/#{CREDENTIALS_FILE_NAME}".freeze
WELL_KNOWN_ERROR =
"Unable to read the default credential file".freeze
SYSTEM_DEFAULT_ERROR =
"Unable to read the system default credential file".freeze
CLOUD_SDK_CLIENT_ID =
"764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app"\
"s.googleusercontent.com".freeze
CLOUD_SDK_CREDENTIALS_WARNING =
"Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most" \
" server applications use service accounts instead. If your application continues to use end user credentials" \
' from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For more information about' \
" service accounts, see https://cloud.google.com/docs/authentication/. To suppress this message, set the"\
" GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS environment variable.".freeze

Class Method Details

.load_gcloud_project_id ⇒ Object

Finds the project_id from the gcloud CLI configuration.


# File 'lib/googleauth/credentials_loader.rb', line 154

def load_gcloud_project_id
  gcloud = GCLOUD_WINDOWS_COMMAND if OS.windows?
  gcloud = GCLOUD_POSIX_COMMAND unless OS.windows?
  gcloud_json = IO.popen("#{gcloud} #{GCLOUD_CONFIG_COMMAND}", in: :close, err: :close, &:read)
  config = MultiJson.load gcloud_json
  config["configuration"]["properties"]["core"]["project"]
rescue StandardError
  nil
end

.warn_if_cloud_sdk_credentials(client_id) ⇒ Object

Issues a warning if the Cloud SDK client ID is used.


# File 'lib/googleauth/credentials_loader.rb', line 148

def warn_if_cloud_sdk_credentials client_id
  return if ENV["GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS"]
  warn CLOUD_SDK_CREDENTIALS_WARNING if client_id == CLOUD_SDK_CLIENT_ID
end

Instance Method Details

#from_env(scope = nil, options = {}) ⇒ Object

Creates an instance from the path specified in an environment variable.

Parameters:

  • scope (string|array|nil) (defaults to: nil)

    the scope(s) to access

  • options (Hash) (defaults to: {})

    Connection options. These may be used to configure how OAuth tokens are retrieved, by providing a suitable Faraday::Connection. For example, if a connection proxy must be used in the current network, you may provide a connection with the needed proxy options. The following keys are recognized:

    • :default_connection The connection object to use.
    • :connection_builder A Proc that returns a connection.

# File 'lib/googleauth/credentials_loader.rb', line 76

def from_env scope = nil, options = {}
  options = interpret_options scope, options
  if ENV.key?(ENV_VAR) && !ENV[ENV_VAR].empty?
    path = ENV[ENV_VAR]
    raise "file #{path} does not exist" unless File.exist? path
    File.open path do |f|
      return make_creds options.merge(json_key_io: f)
    end
  elsif service_account_env_vars? || authorized_user_env_vars?
    make_creds options
  end
rescue StandardError => e
  raise "#{NOT_FOUND_ERROR}: #{e}"
end

#from_system_default_path(scope = nil, options = {}) ⇒ Object

Creates an instance from the system default path

Parameters:

  • scope (string|array|nil) (defaults to: nil)

    the scope(s) to access

  • options (Hash) (defaults to: {})

    Connection options. These may be used to configure how OAuth tokens are retrieved, by providing a suitable Faraday::Connection. For example, if a connection proxy must be used in the current network, you may provide a connection with the needed proxy options. The following keys are recognized:

    • :default_connection The connection object to use.
    • :connection_builder A Proc that returns a connection.

# File 'lib/googleauth/credentials_loader.rb', line 128

def from_system_default_path scope = nil, options = {}
  options = interpret_options scope, options
  if OS.windows?
    return nil unless ENV["ProgramData"]
    prefix = File.join ENV["ProgramData"], "Google/Auth"
  else
    prefix = "/etc/google/auth/"
  end
  path = File.join prefix, CREDENTIALS_FILE_NAME
  return nil unless File.exist? path
  File.open path do |f|
    return make_creds options.merge(json_key_io: f)
  end
rescue StandardError => e
  raise "#{SYSTEM_DEFAULT_ERROR}: #{e}"
end

#from_well_known_path(scope = nil, options = {}) ⇒ Object

Creates an instance from a well known path.

Parameters:

  • scope (string|array|nil) (defaults to: nil)

    the scope(s) to access

  • options (Hash) (defaults to: {})

    Connection options. These may be used to configure how OAuth tokens are retrieved, by providing a suitable Faraday::Connection. For example, if a connection proxy must be used in the current network, you may provide a connection with the needed proxy options. The following keys are recognized:

    • :default_connection The connection object to use.
    • :connection_builder A Proc that returns a connection.

# File 'lib/googleauth/credentials_loader.rb', line 102

def from_well_known_path scope = nil, options = {}
  options = interpret_options scope, options
  home_var = OS.windows? ? "APPDATA" : "HOME"
  base = WELL_KNOWN_PATH
  root = ENV[home_var].nil? ? "" : ENV[home_var]
  base = File.join ".config", base unless OS.windows?
  path = File.join root, base
  return nil unless File.exist? path
  File.open path do |f|
    return make_creds options.merge(json_key_io: f)
  end
rescue StandardError => e
  raise "#{WELL_KNOWN_ERROR}: #{e}"
end
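
The three from_* loaders above each open a credentials file at a location derived from the environment. The following added example (not part of googleauth; the AdcAudit module and its finding names are hypothetical) computes those same paths and checks a file's POSIX permissions and contents. It also shows that an unset HOME makes the well-known path resolve under "/".

```ruby
require "fileutils"
require "json"
require "tmpdir"

module AdcAudit # hypothetical helper, not part of googleauth
  FILE_NAME = "application_default_credentials.json".freeze # CREDENTIALS_FILE_NAME
  SDK_CLIENT_ID = "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com".freeze

  # Paths the three from_* loaders would open, built the same way they build them.
  def self.locations env, windows: false
    found = {}
    explicit = env["GOOGLE_APPLICATION_CREDENTIALS"].to_s
    found[:env] = explicit unless explicit.empty?
    root = env[windows ? "APPDATA" : "HOME"].to_s # unset becomes "", rooting the path at "/"
    base = File.join "gcloud", FILE_NAME
    base = File.join ".config", base unless windows
    found[:well_known] = File.join root, base
    if !windows
      found[:system] = File.join "/etc/google/auth/", FILE_NAME
    elsif env["ProgramData"]
      found[:system] = File.join env["ProgramData"], "Google/Auth", FILE_NAME
    end
    found
  end

  # Findings for one credentials file: POSIX mode bits, key material, credential origin.
  def self.audit path
    return [:missing] unless File.exist? path
    findings = []
    findings << :group_or_world_accessible unless (File.stat(path).mode & 0o077).zero?
    data = JSON.parse File.read(path)
    return findings << :not_a_json_object unless data.is_a? Hash
    findings << :contains_private_key if data.key? "private_key"
    findings << :cloud_sdk_end_user_credentials if data["client_id"] == SDK_CLIENT_ID
    findings
  rescue JSON::ParserError
    findings << :not_a_json_object
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |home| # constructed sample: gcloud end-user file left world-readable
    path = AdcAudit.locations({ "HOME" => home })[:well_known]
    FileUtils.mkdir_p File.dirname(path)
    File.write path, JSON.generate({ "type" => "authorized_user", "client_id" => AdcAudit::SDK_CLIENT_ID })
    File.chmod 0o644, path
    p AdcAudit.audit(path)
  end
end
```
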

#make_creds(*args) ⇒ Object

make_creds proxies the construction of a credentials instance

By default, it calls #new on the current class, but this behaviour can be modified, allowing different instances to be created.


# File 'lib/googleauth/credentials_loader.rb', line 58

def make_creds *args
  creds = new(*args)
  creds = creds.configure_connection args[0] if creds.respond_to?(:configure_connection) && args.size == 1
  creds
end