Module: Google::Auth::CredentialsLoader

Included in:

DefaultCredentials, ExternalAccount::AwsCredentials, ExternalAccount::IdentityPoolCredentials, ExternalAccount::PluggableAuthCredentials, ServiceAccountCredentials, ServiceAccountJwtHeaderCredentials, UserRefreshCredentials

Defined in:

lib/googleauth/credentials_loader.rb

Overview

CredentialsLoader contains the behaviour used to locate and find default credentials files on the file system.

Constant Summary

ENV_VAR =

"GOOGLE_APPLICATION_CREDENTIALS".freeze

PRIVATE_KEY_VAR =

"GOOGLE_PRIVATE_KEY".freeze

CLIENT_EMAIL_VAR =

"GOOGLE_CLIENT_EMAIL".freeze

CLIENT_ID_VAR =

"GOOGLE_CLIENT_ID".freeze

CLIENT_SECRET_VAR =

"GOOGLE_CLIENT_SECRET".freeze

REFRESH_TOKEN_VAR =

"GOOGLE_REFRESH_TOKEN".freeze

ACCOUNT_TYPE_VAR =

"GOOGLE_ACCOUNT_TYPE".freeze

PROJECT_ID_VAR =

"GOOGLE_PROJECT_ID".freeze

AWS_REGION_VAR =

"AWS_REGION".freeze

AWS_DEFAULT_REGION_VAR =

"AWS_DEFAULT_REGION".freeze

AWS_ACCESS_KEY_ID_VAR =

"AWS_ACCESS_KEY_ID".freeze

AWS_SECRET_ACCESS_KEY_VAR =

"AWS_SECRET_ACCESS_KEY".freeze

AWS_SESSION_TOKEN_VAR =

"AWS_SESSION_TOKEN".freeze

GCLOUD_POSIX_COMMAND =

"gcloud".freeze

GCLOUD_WINDOWS_COMMAND =

"gcloud.cmd".freeze

GCLOUD_CONFIG_COMMAND =

"config config-helper --format json --verbosity none".freeze

CREDENTIALS_FILE_NAME =

"application_default_credentials.json".freeze

NOT_FOUND_ERROR =

"Unable to read the credential file specified by #{ENV_VAR}".freeze

WELL_KNOWN_PATH =

"gcloud/#{CREDENTIALS_FILE_NAME}".freeze

WELL_KNOWN_ERROR =

"Unable to read the default credential file".freeze

SYSTEM_DEFAULT_ERROR =

"Unable to read the system default credential file".freeze

CLOUD_SDK_CLIENT_ID =

"764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app" \
"s.googleusercontent.com".freeze

Class Method Summary

• .load_gcloud_project_id ⇒ Object

  Finds project_id from gcloud CLI configuration.

Instance Method Summary

• #from_env(scope = nil, options = {}) ⇒ Object

  Creates an instance from the path specified in an environment variable.

• #from_system_default_path(scope = nil, options = {}) ⇒ Object

  Creates an instance from the system default path.

• #from_well_known_path(scope = nil, options = {}) ⇒ Object

  Creates an instance from a well known path.

• #make_creds(*args) ⇒ Object

  make_creds proxies the construction of a credentials instance.

Class Method Details

.load_gcloud_project_id ⇒ Object

Finds project_id from gcloud CLI configuration

# File 'lib/googleauth/credentials_loader.rb', line 146

def load_gcloud_project_id
  gcloud = GCLOUD_WINDOWS_COMMAND if OS.windows?
  gcloud = GCLOUD_POSIX_COMMAND unless OS.windows?
  gcloud_json = IO.popen("#{gcloud} #{GCLOUD_CONFIG_COMMAND}", in: :close, err: :close, &:read)
  config = MultiJson.load gcloud_json
  config["configuration"]["properties"]["core"]["project"]
rescue StandardError
  nil
end

Instance Method Details

#from_env(scope = nil, options = {}) ⇒ Object

Creates an instance from the path specified in an environment variable.

Parameters:

• scope (string|array|nil) (defaults to: nil) —

  the scope(s) to access

• options (Hash) (defaults to: {}) —

  Connection options. These may be used to configure how OAuth tokens are retrieved, by providing a suitable Faraday::Connection. For example, if a connection proxy must be used in the current network, you may provide a connection with with the needed proxy options. The following keys are recognized:

  • :default_connection The connection object to use.
  • :connection_builder A Proc that returns a connection.

# File 'lib/googleauth/credentials_loader.rb', line 74

def from_env scope = nil, options = {}
  options = interpret_options scope, options
  if ENV.key?(ENV_VAR) && !ENV[ENV_VAR].empty?
    path = ENV[ENV_VAR]
    raise "file #{path} does not exist" unless File.exist? path
    File.open path do |f|
      return make_creds options.merge(json_key_io: f)
    end
  elsif service_account_env_vars? || authorized_user_env_vars?
    make_creds options
  end
rescue StandardError => e
  raise "#{NOT_FOUND_ERROR}: #{e}"
end

#from_system_default_path(scope = nil, options = {}) ⇒ Object

Creates an instance from the system default path

Parameters:

• scope (string|array|nil) (defaults to: nil) —

  the scope(s) to access

• options (Hash) (defaults to: {}) —

  Connection options. These may be used to configure how OAuth tokens are retrieved, by providing a suitable Faraday::Connection. For example, if a connection proxy must be used in the current network, you may provide a connection with with the needed proxy options. The following keys are recognized:

  • :default_connection The connection object to use.
  • :connection_builder A Proc that returns a connection.

# File 'lib/googleauth/credentials_loader.rb', line 126

def from_system_default_path scope = nil, options = {}
  options = interpret_options scope, options
  if OS.windows?
    return nil unless ENV["ProgramData"]
    prefix = File.join ENV["ProgramData"], "Google/Auth"
  else
    prefix = "/etc/google/auth/"
  end
  path = File.join prefix, CREDENTIALS_FILE_NAME
  return nil unless File.exist? path
  File.open path do |f|
    return make_creds options.merge(json_key_io: f)
  end
rescue StandardError => e
  raise "#{SYSTEM_DEFAULT_ERROR}: #{e}"
end

#from_well_known_path(scope = nil, options = {}) ⇒ Object

Creates an instance from a well known path.

Parameters:

• scope (string|array|nil) (defaults to: nil) —

  the scope(s) to access

• options (Hash) (defaults to: {}) —

  Connection options. These may be used to configure how OAuth tokens are retrieved, by providing a suitable Faraday::Connection. For example, if a connection proxy must be used in the current network, you may provide a connection with with the needed proxy options. The following keys are recognized:

  • :default_connection The connection object to use.
  • :connection_builder A Proc that returns a connection.

# File 'lib/googleauth/credentials_loader.rb', line 100

def from_well_known_path scope = nil, options = {}
  options = interpret_options scope, options
  home_var = OS.windows? ? "APPDATA" : "HOME"
  base = WELL_KNOWN_PATH
  root = ENV[home_var].nil? ? "" : ENV[home_var]
  base = File.join ".config", base unless OS.windows?
  path = File.join root, base
  return nil unless File.exist? path
  File.open path do |f|
    return make_creds options.merge(json_key_io: f)
  end
rescue StandardError => e
  raise "#{WELL_KNOWN_ERROR}: #{e}"
end

#make_creds(*args) ⇒ Object

make_creds proxies the construction of a credentials instance

By default, it calls #new on the current class, but this behaviour can be modified, allowing different instances to be created.

# File 'lib/googleauth/credentials_loader.rb', line 56

def make_creds *args
  creds = new(*args)
  creds = creds.configure_connection args[0] if creds.respond_to?(:configure_connection) && args.size == 1
  creds
end