Class: Google::Auth::ServiceAccountJwtHeaderCredentials
- Inherits:
- Object
- Object
- Google::Auth::ServiceAccountJwtHeaderCredentials
- Extended by:
- CredentialsLoader, JsonKeyReader
- Defined in:
- lib/googleauth/service_account_jwt_header.rb
Overview
Authenticates requests using Google's Service Account credentials via JWT Header.
This class allows authorizing requests for service accounts directly from credentials from a json key file downloaded from the developer console (via 'Generate new Json Key'). It is not part of any OAuth2 flow, rather it creates a JWT and sends that as a credential.
Constant Summary collapse
- JWT_AUD_URI_KEY =
:jwt_aud_uri- AUTH_METADATA_KEY =
Google::Auth::BaseClient::AUTH_METADATA_KEY
- TOKEN_CRED_URI =
"https://www.googleapis.com/oauth2/v4/token".freeze
- SIGNING_ALGORITHM =
"RS256".freeze
- EXPIRY =
60
Constants included from CredentialsLoader
CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::AWS_ACCESS_KEY_ID_VAR, CredentialsLoader::AWS_DEFAULT_REGION_VAR, CredentialsLoader::AWS_REGION_VAR, CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR, CredentialsLoader::AWS_SESSION_TOKEN_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CLOUD_SDK_CLIENT_ID, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::GCLOUD_CONFIG_COMMAND, CredentialsLoader::GCLOUD_POSIX_COMMAND, CredentialsLoader::GCLOUD_WINDOWS_COMMAND, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::PROJECT_ID_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH
Instance Attribute Summary collapse
- #logger ⇒ Object
Returns the value of attribute logger.
- #project_id ⇒ Object readonly
Returns the value of attribute project_id.
- #quota_project_id ⇒ Object readonly
Returns the value of attribute quota_project_id.
- #universe_domain ⇒ Object
Returns the value of attribute universe_domain.
Class Method Summary collapse
- .make_creds(options = {}) ⇒ Object
Create a ServiceAccountJwtHeaderCredentials.
Instance Method Summary collapse
- #apply(a_hash, opts = {}) ⇒ Object
Returns a clone of a_hash updated with the authorization header.
- #apply!(a_hash, opts = {}) ⇒ Object
Construct a jwt token if the JWT_AUD_URI key is present in the input hash.
- #duplicate(options = {}) ⇒ Object
Creates a duplicate of these credentials.
- #initialize(options = {}) ⇒ ServiceAccountJwtHeaderCredentials constructor
Initializes a ServiceAccountJwtHeaderCredentials.
- #needs_access_token? ⇒ Boolean
Duck-types the corresponding method from BaseClient.
- #new_jwt_token(jwt_aud_uri = nil, options = {}) ⇒ Object
Creates a jwt uri token.
- #updater_proc ⇒ Object
Returns a reference to the #apply method, suitable for passing as a closure.
Methods included from CredentialsLoader
from_env, from_system_default_path, from_well_known_path, load_gcloud_project_id, make_creds
Methods included from JsonKeyReader
Constructor Details
#initialize(options = {}) ⇒ ServiceAccountJwtHeaderCredentials
Initializes a ServiceAccountJwtHeaderCredentials.
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 | # File 'lib/googleauth/service_account_jwt_header.rb', line 60 def initialize = {} json_key_io = [:json_key_io] if json_key_io @private_key, @issuer, @project_id, @quota_project_id, @universe_domain = self.class.read_json_key json_key_io else @private_key = .key?(:private_key) ? [:private_key] : ENV[CredentialsLoader::PRIVATE_KEY_VAR] @issuer = .key?(:issuer) ? [:issuer] : ENV[CredentialsLoader::CLIENT_EMAIL_VAR] @project_id = .key?(:project_id) ? [:project_id] : ENV[CredentialsLoader::PROJECT_ID_VAR] @quota_project_id = [:quota_project_id] if .key? :quota_project_id @universe_domain = [:universe_domain] if .key? :universe_domain end @universe_domain ||= "googleapis.com" @project_id ||= CredentialsLoader.load_gcloud_project_id @signing_key = OpenSSL::PKey::RSA.new @private_key @scope = [:scope] if .key? :scope @logger = [:logger] if .key? :logger end |
Instance Attribute Details
#logger ⇒ Object
Returns the value of attribute logger.
46 47 48 | # File 'lib/googleauth/service_account_jwt_header.rb', line 46 def logger @logger end |
#project_id ⇒ Object (readonly)
Returns the value of attribute project_id.
43 44 45 | # File 'lib/googleauth/service_account_jwt_header.rb', line 43 def project_id @project_id end |
#quota_project_id ⇒ Object (readonly)
Returns the value of attribute quota_project_id.
44 45 46 | # File 'lib/googleauth/service_account_jwt_header.rb', line 44 def quota_project_id @quota_project_id end |
#universe_domain ⇒ Object
Returns the value of attribute universe_domain.
45 46 47 | # File 'lib/googleauth/service_account_jwt_header.rb', line 45 def universe_domain @universe_domain end |
Class Method Details
.make_creds(options = {}) ⇒ Object
Create a ServiceAccountJwtHeaderCredentials.
52 53 54 55 | # File 'lib/googleauth/service_account_jwt_header.rb', line 52 def self.make_creds = {} json_key_io, scope = .values_at :json_key_io, :scope new json_key_io: json_key_io, scope: scope end |
Instance Method Details
#apply(a_hash, opts = {}) ⇒ Object
Returns a clone of a_hash updated with the authorization header
122 123 124 125 126 | # File 'lib/googleauth/service_account_jwt_header.rb', line 122 def apply a_hash, opts = {} a_copy = a_hash.clone apply! a_copy, opts a_copy end |
#apply!(a_hash, opts = {}) ⇒ Object
Construct a jwt token if the JWT_AUD_URI key is present in the input hash.
The jwt token is used as the value of a 'Bearer '.
109 110 111 112 113 114 115 116 117 118 119 | # File 'lib/googleauth/service_account_jwt_header.rb', line 109 def apply! a_hash, opts = {} jwt_aud_uri = a_hash.delete JWT_AUD_URI_KEY return a_hash if jwt_aud_uri.nil? && @scope.nil? jwt_token = new_jwt_token jwt_aud_uri, opts a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}" logger&.debug do hash = Digest::SHA256.hexdigest jwt_token Google::Logging::Message.from message: "Sending JWT auth token. (sha256:#{hash})" end a_hash end |
#duplicate(options = {}) ⇒ Object
Creates a duplicate of these credentials
89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 | # File 'lib/googleauth/service_account_jwt_header.rb', line 89 def duplicate = {} = deep_hash_normalize = { private_key: @private_key, issuer: @issuer, scope: @scope, project_id: project_id, quota_project_id: quota_project_id, universe_domain: universe_domain, logger: logger }.merge() self.class.new end |
#needs_access_token? ⇒ Boolean
Duck-types the corresponding method from BaseClient
158 159 160 | # File 'lib/googleauth/service_account_jwt_header.rb', line 158 def needs_access_token? false end |
#new_jwt_token(jwt_aud_uri = nil, options = {}) ⇒ Object
Creates a jwt uri token.
135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 | # File 'lib/googleauth/service_account_jwt_header.rb', line 135 def new_jwt_token jwt_aud_uri = nil, = {} now = Time.new skew = [:skew] || 60 assertion = { "iss" => @issuer, "sub" => @issuer, "exp" => (now + EXPIRY).to_i, "iat" => (now - skew).to_i } jwt_aud_uri = nil if @scope assertion["scope"] = Array(@scope).join " " if @scope assertion["aud"] = jwt_aud_uri if jwt_aud_uri logger&.debug do Google::Logging::Message.from message: "JWT assertion: #{assertion}" end JWT.encode assertion, @signing_key, SIGNING_ALGORITHM end |
#updater_proc ⇒ Object
Returns a reference to the #apply method, suitable for passing as a closure
130 131 132 | # File 'lib/googleauth/service_account_jwt_header.rb', line 130 def updater_proc proc { |a_hash, opts = {}| apply a_hash, opts } end |