Class: Google::Auth::ExternalAccount::PluggableAuthCredentials

Inherits:
Object
Extended by:
CredentialsLoader
Includes:
BaseCredentials, ExternalAccountUtils
Defined in:
lib/googleauth/external_account/pluggable_credentials.rb

Overview

This module handles the retrieval of credentials from Google Cloud by utilizing any 3PI provider and then exchanging the credentials for a short-lived Google Cloud access token.

Constant Summary

ENABLE_PLUGGABLE_ENV =

constant for pluggable auth enablement in environment variable.

"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES".freeze
EXECUTABLE_SUPPORTED_MAX_VERSION =
1
EXECUTABLE_TIMEOUT_MILLIS_DEFAULT =
30 * 1000
EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND =
5 * 1000
EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND =
120 * 1000
ID_TOKEN_TYPE =
["urn:ietf:params:oauth:token-type:jwt", "urn:ietf:params:oauth:token-type:id_token"].freeze

Constants included from CredentialsLoader

CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::AWS_ACCESS_KEY_ID_VAR, CredentialsLoader::AWS_DEFAULT_REGION_VAR, CredentialsLoader::AWS_REGION_VAR, CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR, CredentialsLoader::AWS_SESSION_TOKEN_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CLOUD_SDK_CLIENT_ID, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::GCLOUD_CONFIG_COMMAND, CredentialsLoader::GCLOUD_POSIX_COMMAND, CredentialsLoader::GCLOUD_WINDOWS_COMMAND, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::PROJECT_ID_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH

Constants included from ExternalAccountUtils

ExternalAccountUtils::CLOUD_RESOURCE_MANAGER

Constants included from BaseCredentials

BaseCredentials::EXTERNAL_ACCOUNT_JSON_TYPE, BaseCredentials::IAM_SCOPE, BaseCredentials::STS_GRANT_TYPE, BaseCredentials::STS_REQUESTED_TOKEN_TYPE

Constants included from BaseClient

BaseClient::AUTH_METADATA_KEY

Instance Attribute Summary

Attributes included from BaseCredentials

#access_token, #expires_at, #universe_domain

Attributes included from BaseClient

#logger

Instance Method Summary

Methods included from CredentialsLoader

from_env, from_system_default_path, from_well_known_path, load_gcloud_project_id, make_creds

Methods included from ExternalAccountUtils

#normalize_timestamp, #project_id, #project_number, #service_account_email

Methods included from BaseCredentials

#expires_within?, #fetch_access_token!, #is_workforce_pool?

Methods included from Helpers::Connection

connection, default_connection, default_connection=

Methods included from BaseClient

#apply, #apply!, #expires_within?, #needs_access_token?, #notify_refresh_listeners, #on_refresh, #updater_proc

Constructor Details

#initialize(options = {}) ⇒ PluggableAuthCredentials

Initialize from options map.

Parameters:

  • options (Hash) (defaults to: {})

    Configuration options

Options Hash (options):

  • :audience (String)

    Audience for the token

  • :credential_source (Hash)

    Credential source configuration that contains executable configuration

Raises:



# File 'lib/googleauth/external_account/pluggable_credentials.rb', line 50

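# Initialize from options map.
#
# Beyond base_setup, this only validates and stores the executable
# configuration; nothing is executed here (see #retrieve_subject_token!).
#
# @param options [Hash] Configuration options
# @option options [String] :audience Audience for the token
# @option options [Hash] :credential_source Credential source configuration
#   that contains executable configuration
# @raise [InitializationError] if the executable source or its command is
#   missing, or if timeout_millis is not an integer within the allowed bounds
def initialize options = {}
  base_setup options

  @audience = options[:audience]
  @credential_source = options[:credential_source] || {}
  @credential_source_executable = @credential_source[:executable]
  if @credential_source_executable.nil?
    raise InitializationError,
          "Missing excutable source. An 'executable' must be provided"
  end
  @credential_source_executable_command = @credential_source_executable[:command]
  if @credential_source_executable_command.nil?
    raise InitializationError, "Missing command field. Executable command must be provided."
  end
  raw_timeout = @credential_source_executable[:timeout_millis] || EXECUTABLE_TIMEOUT_MILLIS_DEFAULT
  # Coerce the configured value so a non-numeric timeout_millis fails with a
  # clear InitializationError instead of a bare comparison error below.
  begin
    @credential_source_executable_timeout_millis = Integer(raw_timeout)
  rescue ArgumentError, TypeError, RangeError
    raise InitializationError, "timeout_millis must be an integer number of milliseconds."
  end
  if @credential_source_executable_timeout_millis < EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND ||
     @credential_source_executable_timeout_millis > EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND
    raise InitializationError, "Timeout must be between 5 and 120 seconds."
  end
  @credential_source_executable_output_file = @credential_source_executable[:output_file]
end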

Instance Attribute Details

#client_id ⇒ Object (readonly)

Will always be nil, but method still gets used.



# File 'lib/googleauth/external_account/pluggable_credentials.rb', line 41

# Client id accessor kept for the shared base code that calls it; per the
# class documentation it is always nil for pluggable credentials.
#
# @return [Object, nil] the stored @client_id (nil unless set elsewhere)
def client_id
  @client_id
end

Instance Method Details

#retrieve_subject_token! ⇒ String

Retrieves the subject token using the credential_source object.

Returns:

  • (String)

    The retrieved subject token

Raises:



# File 'lib/googleauth/external_account/pluggable_credentials.rb', line 78

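# Retrieves the subject token using the credential_source object.
#
# Running the configured executable is opt-in: the process environment must
# set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to "1", otherwise this raises
# before anything is executed. A token returned by
# load_subject_token_from_output_file is used without running the executable.
#
# @return [String] The retrieved subject token
# @raise [CredentialsError] if executables are not allowed by the environment,
#   or if the executable's output is not valid JSON
def retrieve_subject_token!
  unless ENV[ENABLE_PLUGGABLE_ENV] == "1"
    raise CredentialsError,
          "Executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') " \
          "to run."
  end
  # check output file first
  subject_token = load_subject_token_from_output_file
  return subject_token unless subject_token.nil?
  # environment variable injection
  env = inject_environment_variables
  output = subprocess_with_timeout env, @credential_source_executable_command,
                                   @credential_source_executable_timeout_millis
  response = begin
    MultiJson.load output, symbolize_keys: true
  rescue MultiJson::ParseError
    # Surface the library's error type. The message deliberately omits the raw
    # output, which may contain credential material; the original parse error
    # stays reachable via #cause.
    raise CredentialsError, "Executable output could not be parsed as JSON."
  end
  parse_subject_token response
end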