Class: Google::Auth::UserRefreshCredentials

Inherits:
Signet::OAuth2::Client
Extended by:
CredentialsLoader
Defined in:
lib/googleauth/user_refresh.rb

Overview

Authenticates requests using User Refresh credentials.

This class allows authorizing requests from user refresh tokens.

This is the end result of a 3LO (three-legged OAuth) flow. E.g., ‘gcloud auth login’ saves a file with these contents in a well-known location.

cf [Application Default Credentials](goo.gl/mkAHpZ)

Constant Summary

TOKEN_CRED_URI = 'https://oauth2.googleapis.com/token'.freeze
AUTHORIZATION_URI = 'https://accounts.google.com/o/oauth2/auth'.freeze
REVOKE_TOKEN_URI = 'https://oauth2.googleapis.com/revoke'.freeze

Constants included from CredentialsLoader

CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CLOUD_SDK_CLIENT_ID, CredentialsLoader::CLOUD_SDK_CREDENTIALS_WARNING, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::GCLOUD_CONFIG_COMMAND, CredentialsLoader::GCLOUD_POSIX_COMMAND, CredentialsLoader::GCLOUD_WINDOWS_COMMAND, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::PROJECT_ID_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH

Methods included from CredentialsLoader

from_env, from_system_default_path, from_well_known_path, load_gcloud_project_id, make_creds, warn_if_cloud_sdk_credentials

Methods inherited from Signet::OAuth2::Client

#apply, #apply!, #build_default_connection, #configure_connection, #fetch_access_token!, #notify_refresh_listeners, #on_refresh, #orig_fetch_access_token!, #retry_with_error, #updater_proc

Constructor Details

#initialize(options = {}) ⇒ UserRefreshCredentials

Returns a new instance of UserRefreshCredentials.



# File 'lib/googleauth/user_refresh.rb', line 89

def initialize(options = {})
  options ||= {}
  options[:token_credential_uri] ||= TOKEN_CRED_URI
  options[:authorization_uri] ||= AUTHORIZATION_URI
  @project_id = options[:project_id]
  @project_id ||= CredentialsLoader.load_gcloud_project_id
  super(options)
end

Instance Attribute Details

#project_id ⇒ Object (readonly)

Returns the value of attribute project_id.



# File 'lib/googleauth/user_refresh.rb', line 53

def project_id
  @project_id
end

Class Method Details

.make_creds(options = {}) ⇒ Object

Create a UserRefreshCredentials.

Parameters:

  • json_key_io (IO)

    an IO from which the JSON key can be read

  • scope (string|array|nil)

    the scope(s) to access



# File 'lib/googleauth/user_refresh.rb', line 59

def self.make_creds(options = {})
  json_key_io, scope = options.values_at(:json_key_io, :scope)
  user_creds = read_json_key(json_key_io) if json_key_io
  user_creds ||= {
    'client_id'     => ENV[CredentialsLoader::CLIENT_ID_VAR],
    'client_secret' => ENV[CredentialsLoader::CLIENT_SECRET_VAR],
    'refresh_token' => ENV[CredentialsLoader::REFRESH_TOKEN_VAR],
    'project_id'    => ENV[CredentialsLoader::PROJECT_ID_VAR]
  }

  new(token_credential_uri: TOKEN_CRED_URI,
      client_id: user_creds['client_id'],
      client_secret: user_creds['client_secret'],
      refresh_token: user_creds['refresh_token'],
      project_id:    user_creds['project_id'],
      scope: scope)
    .configure_connection(options)
end

.read_json_key(json_key_io) ⇒ Object

Reads the client_id, client_secret and refresh_token fields from the JSON key.



# File 'lib/googleauth/user_refresh.rb', line 80

def self.read_json_key(json_key_io)
  json_key = MultiJson.load(json_key_io.read)
  wanted = %w(client_id client_secret refresh_token)
  wanted.each do |key|
    raise "the json is missing the #{key} field" unless json_key.key?(key)
  end
  json_key
end
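
An added example, not part of googleauth: a pre-load audit of the credential file that read_json_key parses, covering two things the method itself does not check (file permissions and empty values). `audit_user_refresh_file` and `write_sample` are hypothetical helpers, the sample values are constructed placeholders, and the mode check assumes a POSIX filesystem.

```ruby
require 'json'
require 'tempfile'

# Fields that read_json_key requires, as listed on this page.
REQUIRED_FIELDS = %w[client_id client_secret refresh_token].freeze

# Hypothetical helper (not a googleauth API): returns a list of findings for a
# user-refresh credential file; an empty list means the file passed.
def audit_user_refresh_file(path)
  findings = []
  mode = File.stat(path).mode & 0o7777
  # The file holds a client secret and a refresh token: owner-only access.
  findings << format('mode %04o grants access beyond the owner', mode) unless (mode & 0o077).zero?
  begin
    key = JSON.parse(File.read(path))
  rescue JSON::ParserError
    return findings << 'not valid JSON'
  end
  return findings << 'top-level JSON value is not an object' unless key.is_a?(Hash)
  REQUIRED_FIELDS.each do |field|
    if !key.key?(field)
      findings << "missing #{field}"
    elsif !key[field].is_a?(String) || key[field].strip.empty?
      # read_json_key only tests key presence, so this case would pass it.
      findings << "#{field} is present but empty"
    end
  end
  findings
end

# Writes a constructed sample file with the given mode (placeholder values only).
def write_sample(contents, mode)
  file = Tempfile.new(['user_refresh', '.json'])
  file.write(JSON.generate(contents))
  file.close
  File.chmod(mode, file.path)
  file
end

GOOD = { 'client_id' => 'example-id', 'client_secret' => 'example-secret',
         'refresh_token' => 'example-refresh-token' }.freeze

if __FILE__ == $PROGRAM_NAME
  ok = write_sample(GOOD, 0o600)
  bad = write_sample(GOOD.merge('refresh_token' => ''), 0o644)
  puts audit_user_refresh_file(ok.path).inspect
  puts audit_user_refresh_file(bad.path).inspect
end
```
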

Instance Method Details

#includes_scope?(required_scope) ⇒ Boolean

Verifies that a credential grants the requested scope

Parameters:

  • required_scope (Array<String>, String)

    Scope to verify

Returns:

  • (Boolean)

    True if scope is granted



# File 'lib/googleauth/user_refresh.rb', line 122

def includes_scope?(required_scope)
  missing_scope = Google::Auth::ScopeUtil.normalize(required_scope) -
                  Google::Auth::ScopeUtil.normalize(scope)
  missing_scope.empty?
end

#revoke!(options = {}) ⇒ Object

Revokes the credential



# File 'lib/googleauth/user_refresh.rb', line 99

def revoke!(options = {})
  c = options[:connection] || Faraday.default_connection

  retry_with_error do
    resp = c.post(REVOKE_TOKEN_URI, token: refresh_token || access_token)
    case resp.status
    when 200
      self.access_token = nil
      self.refresh_token = nil
      self.expires_at = 0
    else
      raise(Signet::AuthorizationError,
            "Unexpected error code #{resp.status}")
    end
  end
end