-
Notifications
You must be signed in to change notification settings - Fork 254
/
external_account.rb
94 lines (84 loc) · 3.88 KB
/
external_account.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
# Copyright 2022 Google, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
require "time"
require "uri"
require "googleauth/credentials_loader"
require "googleauth/external_account/aws_credentials"
require "googleauth/external_account/identity_pool_credentials"
require "googleauth/external_account/pluggable_credentials"
module Google
# Module Auth provides classes that provide Google-specific authorization
# used to access Google APIs.
module Auth
# Authenticates requests using External Account credentials, such
# as those provided by the AWS provider.
module ExternalAccount
# Provides an entrypoint for all Exernal Account credential classes.
class Credentials
# The subject token type used for AWS external_account credentials.
AWS_SUBJECT_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request".freeze
MISSING_CREDENTIAL_SOURCE = "missing credential source for external account".freeze
INVALID_EXTERNAL_ACCOUNT_TYPE = "credential source is not supported external account type".freeze
# Create a ExternalAccount::Credentials
#
# @param json_key_io [IO] an IO from which the JSON key can be read
# @param scope [String,Array,nil] the scope(s) to access
def self.make_creds options = {}
json_key_io, scope = options.values_at :json_key_io, :scope
raise "A json file is required for external account credentials." unless json_key_io
user_creds = read_json_key json_key_io
# AWS credentials is determined by aws subject token type
return make_aws_credentials user_creds, scope if user_creds[:subject_token_type] == AWS_SUBJECT_TOKEN_TYPE
raise MISSING_CREDENTIAL_SOURCE if user_creds[:credential_source].nil?
user_creds[:scope] = scope
make_external_account_credentials user_creds
end
# Reads the required fields from the JSON.
def self.read_json_key json_key_io
json_key = MultiJson.load json_key_io.read, symbolize_keys: true
wanted = [
:audience, :subject_token_type, :token_url, :credential_source
]
wanted.each do |key|
raise "the json is missing the #{key} field" unless json_key.key? key
end
json_key
end
class << self
private
def make_aws_credentials user_creds, scope
Google::Auth::ExternalAccount::AwsCredentials.new(
audience: user_creds[:audience],
scope: scope,
subject_token_type: user_creds[:subject_token_type],
token_url: user_creds[:token_url],
credential_source: user_creds[:credential_source],
service_account_impersonation_url: user_creds[:service_account_impersonation_url],
universe_domain: user_creds[:universe_domain]
)
end
def make_external_account_credentials user_creds
unless user_creds[:credential_source][:file].nil? && user_creds[:credential_source][:url].nil?
return Google::Auth::ExternalAccount::IdentityPoolCredentials.new user_creds
end
unless user_creds[:credential_source][:executable].nil?
return Google::Auth::ExternalAccount::PluggableAuthCredentials.new user_creds
end
raise INVALID_EXTERNAL_ACCOUNT_TYPE
end
end
end
end
end
end