Module: Google::Auth::CredentialsLoader

Extended by:

Memoist

Included in:

DefaultCredentials, ServiceAccountCredentials, ServiceAccountJwtHeaderCredentials, UserRefreshCredentials

Defined in:

lib/googleauth/credentials_loader.rb

Overview

CredentialsLoader contains the behaviour used to locate and find default credentials files on the file system.

Constant Summary

ENV_VAR =

'GOOGLE_APPLICATION_CREDENTIALS'.freeze

PRIVATE_KEY_VAR =

'GOOGLE_PRIVATE_KEY'.freeze

CLIENT_EMAIL_VAR =

'GOOGLE_CLIENT_EMAIL'.freeze

CLIENT_ID_VAR =

'GOOGLE_CLIENT_ID'.freeze

CLIENT_SECRET_VAR =

'GOOGLE_CLIENT_SECRET'.freeze

REFRESH_TOKEN_VAR =

'GOOGLE_REFRESH_TOKEN'.freeze

ACCOUNT_TYPE_VAR =

'GOOGLE_ACCOUNT_TYPE'.freeze

PROJECT_ID_VAR =

'GOOGLE_PROJECT_ID'.freeze

GCLOUD_POSIX_COMMAND =

'gcloud'.freeze

GCLOUD_WINDOWS_COMMAND =

'gcloud.cmd'.freeze

GCLOUD_CONFIG_COMMAND =

'config config-helper --format json'.freeze

CREDENTIALS_FILE_NAME =

'application_default_credentials.json'.freeze

NOT_FOUND_ERROR =

"Unable to read the credential file specified by #{ENV_VAR}".freeze

WELL_KNOWN_PATH =

"gcloud/#{CREDENTIALS_FILE_NAME}".freeze

WELL_KNOWN_ERROR =

'Unable to read the default credential file'.freeze

SYSTEM_DEFAULT_ERROR =

'Unable to read the system default credential file'.freeze

CLOUD_SDK_CLIENT_ID =

'764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app'\
's.googleusercontent.com'.freeze

CLOUD_SDK_CREDENTIALS_WARNING =

'Your application has authenticated '\
'using end user credentials from Google Cloud SDK. We recommend that '\
'most server applications use service accounts instead. If your '\
'application continues to use end user credentials from Cloud SDK, '\
'you might receive a "quota exceeded" or "API not enabled" error. For'\
' more information about service accounts, see '\
'https://cloud.google.com/docs/authentication/.'.freeze

Class Method Summary

• .load_gcloud_project_id ⇒ Object

  Finds project_id from gcloud CLI configuration.

• .warn_if_cloud_sdk_credentials(client_id) ⇒ Object

  Issues warning if cloud sdk client id is used.

Instance Method Summary

• #from_env(scope = nil, options = {}) ⇒ Object

  Creates an instance from the path specified in an environment variable.

• #from_system_default_path(scope = nil, options = {}) ⇒ Object

  Creates an instance from the system default path.

• #from_well_known_path(scope = nil, options = {}) ⇒ Object

  Creates an instance from a well known path.

• #make_creds(*args) ⇒ Object

  make_creds proxies the construction of a credentials instance.

Class Method Details

.load_gcloud_project_id ⇒ Object

Finds project_id from gcloud CLI configuration

# File 'lib/googleauth/credentials_loader.rb', line 174

def load_gcloud_project_id
  gcloud = GCLOUD_WINDOWS_COMMAND if OS.windows?
  gcloud = GCLOUD_POSIX_COMMAND unless OS.windows?
  config = MultiJson.load(`#{gcloud} #{GCLOUD_CONFIG_COMMAND}`)
  config['configuration']['properties']['core']['project']
rescue
  nil
end

.warn_if_cloud_sdk_credentials(client_id) ⇒ Object

Issues warning if cloud sdk client id is used

# File 'lib/googleauth/credentials_loader.rb', line 168

def warn_if_cloud_sdk_credentials(client_id)
  warn CLOUD_SDK_CREDENTIALS_WARNING if client_id == CLOUD_SDK_CLIENT_ID
end

Instance Method Details

#from_env(scope = nil, options = {}) ⇒ Object

Creates an instance from the path specified in an environment variable.

Parameters:

• scope (string|array|nil) (defaults to: nil) —

  the scope(s) to access

• options (Hash) (defaults to: {}) —

  Connection options. These may be used to configure how OAuth tokens are retrieved, by providing a suitable ‘Faraday::Connection`. For example, if a connection proxy must be used in the current network, you may provide a connection with with the needed proxy options. The following keys are recognized:

  • ‘:default_connection` The connection object to use.

  • ‘:connection_builder` A `Proc` that returns a connection.

# File 'lib/googleauth/credentials_loader.rb', line 98

def from_env(scope = nil, options = {})
  options = interpret_options scope, options
  if ENV.key?(ENV_VAR)
    path = ENV[ENV_VAR]
    raise "file #{path} does not exist" unless File.exist?(path)
    File.open(path) do |f|
      return make_creds(options.merge(json_key_io: f))
    end
  elsif service_account_env_vars? || authorized_user_env_vars?
    return make_creds(options)
  end
rescue StandardError => e
  raise "#{NOT_FOUND_ERROR}: #{e}"
end

#from_system_default_path(scope = nil, options = {}) ⇒ Object

Creates an instance from the system default path

Parameters:

• scope (string|array|nil) (defaults to: nil) —

  the scope(s) to access

• options (Hash) (defaults to: {}) —

  Connection options. These may be used to configure how OAuth tokens are retrieved, by providing a suitable ‘Faraday::Connection`. For example, if a connection proxy must be used in the current network, you may provide a connection with with the needed proxy options. The following keys are recognized:

  • ‘:default_connection` The connection object to use.

  • ‘:connection_builder` A `Proc` that returns a connection.

# File 'lib/googleauth/credentials_loader.rb', line 150

def from_system_default_path(scope = nil, options = {})
  options = interpret_options scope, options
  if OS.windows?
    return nil unless ENV['ProgramData']
    prefix = File.join(ENV['ProgramData'], 'Google/Auth')
  else
    prefix = '/etc/google/auth/'
  end
  path = File.join(prefix, CREDENTIALS_FILE_NAME)
  return nil unless File.exist?(path)
  File.open(path) do |f|
    return make_creds(options.merge(json_key_io: f))
  end
rescue StandardError => e
  raise "#{SYSTEM_DEFAULT_ERROR}: #{e}"
end

#from_well_known_path(scope = nil, options = {}) ⇒ Object

Creates an instance from a well known path.

Parameters:

• scope (string|array|nil) (defaults to: nil) —

  the scope(s) to access

• options (Hash) (defaults to: {}) —

  Connection options. These may be used to configure how OAuth tokens are retrieved, by providing a suitable ‘Faraday::Connection`. For example, if a connection proxy must be used in the current network, you may provide a connection with with the needed proxy options. The following keys are recognized:

  • ‘:default_connection` The connection object to use.

  • ‘:connection_builder` A `Proc` that returns a connection.

# File 'lib/googleauth/credentials_loader.rb', line 124

def from_well_known_path(scope = nil, options = {})
  options = interpret_options scope, options
  home_var = OS.windows? ? 'APPDATA' : 'HOME'
  base = WELL_KNOWN_PATH
  root = ENV[home_var].nil? ? '' : ENV[home_var]
  base = File.join('.config', base) unless OS.windows?
  path = File.join(root, base)
  return nil unless File.exist?(path)
  File.open(path) do |f|
    return make_creds(options.merge(json_key_io: f))
  end
rescue StandardError => e
  raise "#{WELL_KNOWN_ERROR}: #{e}"
end

#make_creds(*args) ⇒ Object

make_creds proxies the construction of a credentials instance

By default, it calls #new on the current class, but this behaviour can be modified, allowing different instances to be created.

# File 'lib/googleauth/credentials_loader.rb', line 78

def make_creds(*args)
  creds = new(*args)
  if creds.respond_to?(:configure_connection) && args.size == 1
    creds = creds.configure_connection(args[0])
  end
  creds
end