Class: Google::Auth::ExternalAccount::PluggableAuthCredentials

Inherits:

Object

• Object
• Google::Auth::ExternalAccount::PluggableAuthCredentials

Extended by:

CredentialsLoader

Includes:

BaseCredentials, ExternalAccountUtils

Defined in:

lib/googleauth/external_account/pluggable_credentials.rb

Overview

This module handles the retrieval of credentials from Google Cloud by utilizing the any 3PI provider then exchanging the credentials for a short-lived Google Cloud access token.

Constant Summary

ENABLE_PLUGGABLE_ENV =

constant for pluggable auth enablement in environment variable.

"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES".freeze

EXECUTABLE_SUPPORTED_MAX_VERSION =

1

EXECUTABLE_TIMEOUT_MILLIS_DEFAULT =

30 * 1000

EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND =

5 * 1000

EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND =

120 * 1000

ID_TOKEN_TYPE =

["urn:ietf:params:oauth:token-type:jwt", "urn:ietf:params:oauth:token-type:id_token"].freeze

Constants included from CredentialsLoader

CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::AWS_ACCESS_KEY_ID_VAR, CredentialsLoader::AWS_DEFAULT_REGION_VAR, CredentialsLoader::AWS_REGION_VAR, CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR, CredentialsLoader::AWS_SESSION_TOKEN_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CLOUD_SDK_CLIENT_ID, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::GCLOUD_CONFIG_COMMAND, CredentialsLoader::GCLOUD_POSIX_COMMAND, CredentialsLoader::GCLOUD_WINDOWS_COMMAND, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::PROJECT_ID_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH

Constants included from ExternalAccountUtils

ExternalAccountUtils::CLOUD_RESOURCE_MANAGER

Constants included from BaseCredentials

BaseCredentials::EXTERNAL_ACCOUNT_JSON_TYPE, BaseCredentials::IAM_SCOPE, BaseCredentials::STS_GRANT_TYPE, BaseCredentials::STS_REQUESTED_TOKEN_TYPE

Constants included from BaseClient

BaseClient::AUTH_METADATA_KEY

Instance Attribute Summary

• #client_id ⇒ Object readonly

  Will always be nil, but method still gets used.

Attributes included from BaseCredentials

#access_token, #expires_at, #universe_domain

Instance Method Summary

• #initialize(options = {}) ⇒ PluggableAuthCredentials constructor

  Initialize from options map.

• #retrieve_subject_token! ⇒ Object

Methods included from CredentialsLoader

from_env, from_system_default_path, from_well_known_path, load_gcloud_project_id, make_creds

Methods included from ExternalAccountUtils

#normalize_timestamp, #project_id, #project_number, #service_account_email

Methods included from BaseCredentials

#expires_within?, #fetch_access_token!, #is_workforce_pool?

Methods included from Helpers::Connection

connection

Methods included from BaseClient

#apply, #apply!, #expires_within?, #needs_access_token?, #notify_refresh_listeners, #on_refresh, #updater_proc

Constructor Details

#initialize(options = {}) ⇒ PluggableAuthCredentials

Initialize from options map.

Parameters:

• audience (string)
• credential_source (hash{symbol => value}) —

  credential_source is a hash that contains either source file or url. credential_source_format is either text or json. To define how we parse the credential response.

# File 'lib/googleauth/external_account/pluggable_credentials.rb', line 49

def initialize options = {}
  base_setup options

  @audience = options[:audience]
  @credential_source = options[:credential_source] || {}
  @credential_source_executable = @credential_source[:executable]
  raise "Missing excutable source. An 'executable' must be provided" if @credential_source_executable.nil?
  @credential_source_executable_command = @credential_source_executable[:command]
  if @credential_source_executable_command.nil?
    raise "Missing command field. Executable command must be provided."
  end
  @credential_source_executable_timeout_millis = @credential_source_executable[:timeout_millis] ||
                                                 EXECUTABLE_TIMEOUT_MILLIS_DEFAULT
  if @credential_source_executable_timeout_millis < EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND ||
     @credential_source_executable_timeout_millis > EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND
    raise "Timeout must be between 5 and 120 seconds."
  end
  @credential_source_executable_output_file = @credential_source_executable[:output_file]
end

Instance Attribute Details

#client_id ⇒ Object (readonly)

Will always be nil, but method still gets used.

# File 'lib/googleauth/external_account/pluggable_credentials.rb', line 40

def client_id
  @client_id
end

Instance Method Details

#retrieve_subject_token! ⇒ Object

# File 'lib/googleauth/external_account/pluggable_credentials.rb', line 69

def retrieve_subject_token!
  unless ENV[ENABLE_PLUGGABLE_ENV] == "1"
    raise "Executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') " \
          "to run."
  end
  # check output file first
  subject_token = load_subject_token_from_output_file
  return subject_token unless subject_token.nil?
  # environment variable injection
  env = inject_environment_variables
  output = subprocess_with_timeout env, @credential_source_executable_command,
                                   @credential_source_executable_timeout_millis
  response = MultiJson.load output, symbolize_keys: true
  parse_subject_token response
end