Class: Google::Auth::Credentials
- Inherits:
-
Object
- Object
- Google::Auth::Credentials
- Extended by:
- Forwardable
- Defined in:
- lib/googleauth/credentials.rb
Overview
Credentials is a high-level base class used by Google’s API client libraries to represent the authentication when connecting to an API. In most cases, it is subclassed by API-specific credential classes that can be instantiated by clients.
## Options
Credentials classes are configured with options that dictate default values for parameters such as scope and audience. These defaults are expressed as class attributes, and may differ from endpoint to endpoint. Normally, an API client will provide subclasses specific to each endpoint, configured with appropriate values.
Note that these options inherit up the class hierarchy. If a particular options is not set for a subclass, its superclass is queried.
Some older users of this class set options via constants. This usage is deprecated. For example, instead of setting the ‘AUDIENCE` constant on your subclass, call the `audience=` method.
## Example
class MyCredentials < Google::Auth::Credentials
# Set the default scope for these credentials
self.scope = "http://example.com/my_scope"
end
# creds is a credentials object suitable for Google API clients
creds = MyCredentials.default
creds.scope # => ["http://example.com/my_scope"]
class SubCredentials < MyCredentials
# Override the default scope for this subclass
self.scope = "http://example.com/sub_scope"
end
creds2 = SubCredentials.default
creds2.scope # => ["http://example.com/sub_scope"]
Constant Summary collapse
- TOKEN_CREDENTIAL_URI =
The default token credential URI to be used when none is provided during initialization.
"https://oauth2.googleapis.com/token".freeze
- AUDIENCE =
The default target audience ID to be used when none is provided during initialization.
"https://oauth2.googleapis.com/token".freeze
Instance Attribute Summary collapse
-
#audience ⇒ String
readonly
The target audience ID when issuing assertions.
-
#client ⇒ Signet::OAuth2::Client
The Signet::OAuth2::Client object the Credentials instance is using.
-
#issuer ⇒ String
readonly
The issuer ID associated with this client.
-
#project_id ⇒ String
readonly
Identifier for the project the client is authenticating with.
-
#quota_project_id ⇒ String?
readonly
Identifier for a separate project used for billing/quota, if any.
-
#scope ⇒ String+
readonly
The scope for this client.
-
#signing_key ⇒ String, OpenSSL::PKey
readonly
The signing key associated with this client.
-
#target_audience ⇒ String
readonly
The final target audience for ID tokens returned by this credential.
-
#token_credential_uri ⇒ String
readonly
The token credential URI.
-
#updater_proc ⇒ Proc
readonly
Returns a reference to the Signet::OAuth2::Client#apply method, suitable for passing as a closure.
Class Method Summary collapse
-
.audience ⇒ String
The default target audience ID to be used when none is provided during initialization.
-
.audience=(new_audience) ⇒ Object
Sets the default target audience ID to be used when none is provided during initialization.
-
.default(options = {}) ⇒ Credentials
Creates a new Credentials instance with auth credentials acquired by searching the environment variables and paths configured on the class, and with the default values configured on the class.
-
.env_vars ⇒ Array<String>
The environment variables to search for credentials.
-
.env_vars=(new_env_vars) ⇒ Object
Sets the environment variables to search for credentials.
-
.env_vars_internal ⇒ Object
Internal recursive lookup for env_vars.
-
.lookup_auth_param(name, method_name = name) ⇒ Object
Return the given parameter value, defaulting up the class hierarchy.
-
.lookup_local_constant(name) ⇒ Object
Return the value of the given constant if it is defined directly in this class, or nil if not.
-
.paths ⇒ Array<String>
The file paths to search for credentials files.
-
.paths=(new_paths) ⇒ Object
Set the file paths to search for credentials files.
-
.paths_internal ⇒ Object
Internal recursive lookup for paths.
-
.scope ⇒ String, ...
The default scope to be used when none is provided during initialization.
-
.scope=(new_scope) ⇒ Object
Sets the default scope to be used when none is provided during initialization.
-
.target_audience ⇒ String?
The default final target audience for ID tokens, to be used when none is provided during initialization.
-
.target_audience=(new_target_audience) ⇒ Object
Sets the default final target audience for ID tokens, to be used when none is provided during initialization.
-
.token_credential_uri ⇒ String
The default token credential URI to be used when none is provided during initialization.
-
.token_credential_uri=(new_token_credential_uri) ⇒ Object
Set the default token credential URI to be used when none is provided during initialization.
Instance Method Summary collapse
-
#initialize(keyfile, options = {}) ⇒ Credentials
constructor
Creates a new Credentials instance with the provided auth credentials, and with the default values configured on the class.
Constructor Details
#initialize(keyfile, options = {}) ⇒ Credentials
Creates a new Credentials instance with the provided auth credentials, and with the default values configured on the class.
368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 |
# File 'lib/googleauth/credentials.rb', line 368 def initialize keyfile, = {} verify_keyfile_provided! keyfile @project_id = ["project_id"] || ["project"] @quota_project_id = ["quota_project_id"] case keyfile when Signet::OAuth2::Client update_from_signet keyfile when Hash update_from_hash keyfile, else update_from_filepath keyfile, end CredentialsLoader.warn_if_cloud_sdk_credentials @client.client_id @project_id ||= CredentialsLoader.load_gcloud_project_id @client.fetch_access_token! @env_vars = nil @paths = nil @scope = nil end |
Instance Attribute Details
#audience ⇒ String (readonly)
Returns The target audience ID when issuing assertions. Used only by the assertion grant type.
346 347 348 |
# File 'lib/googleauth/credentials.rb', line 346 def_delegators :@client, :token_credential_uri, :audience, :scope, :issuer, :signing_key, :updater_proc, :target_audience |
#client ⇒ Signet::OAuth2::Client
The Signet::OAuth2::Client object the Credentials instance is using.
301 302 303 |
# File 'lib/googleauth/credentials.rb', line 301 def client @client end |
#issuer ⇒ String (readonly)
Returns The issuer ID associated with this client.
346 347 348 |
# File 'lib/googleauth/credentials.rb', line 346 def_delegators :@client, :token_credential_uri, :audience, :scope, :issuer, :signing_key, :updater_proc, :target_audience |
#project_id ⇒ String (readonly)
Identifier for the project the client is authenticating with.
308 309 310 |
# File 'lib/googleauth/credentials.rb', line 308 def project_id @project_id end |
#quota_project_id ⇒ String? (readonly)
Identifier for a separate project used for billing/quota, if any.
315 316 317 |
# File 'lib/googleauth/credentials.rb', line 315 def quota_project_id @quota_project_id end |
#scope ⇒ String+ (readonly)
Returns The scope for this client. A scope is an access range defined by the authorization server. The scope can be a single value or a list of values.
346 347 348 |
# File 'lib/googleauth/credentials.rb', line 346 def_delegators :@client, :token_credential_uri, :audience, :scope, :issuer, :signing_key, :updater_proc, :target_audience |
#signing_key ⇒ String, OpenSSL::PKey (readonly)
Returns The signing key associated with this client.
346 347 348 |
# File 'lib/googleauth/credentials.rb', line 346 def_delegators :@client, :token_credential_uri, :audience, :scope, :issuer, :signing_key, :updater_proc, :target_audience |
#target_audience ⇒ String (readonly)
Returns The final target audience for ID tokens returned by this credential.
346 347 348 |
# File 'lib/googleauth/credentials.rb', line 346 def_delegators :@client, :token_credential_uri, :audience, :scope, :issuer, :signing_key, :updater_proc, :target_audience |
#token_credential_uri ⇒ String (readonly)
Returns The token credential URI. The URI is the authorization server’s HTTP endpoint capable of issuing tokens and refreshing expired tokens.
346 347 348 |
# File 'lib/googleauth/credentials.rb', line 346 def_delegators :@client, :token_credential_uri, :audience, :scope, :issuer, :signing_key, :updater_proc, :target_audience |
#updater_proc ⇒ Proc (readonly)
Returns a reference to the Signet::OAuth2::Client#apply method, suitable for passing as a closure.
346 347 348 |
# File 'lib/googleauth/credentials.rb', line 346 def_delegators :@client, :token_credential_uri, :audience, :scope, :issuer, :signing_key, :updater_proc, :target_audience |
Class Method Details
.audience ⇒ String
The default target audience ID to be used when none is provided during initialization. Used only by the assertion grant type.
117 118 119 120 121 |
# File 'lib/googleauth/credentials.rb', line 117 def self.audience lookup_auth_param :audience do lookup_local_constant :AUDIENCE end end |
.audience=(new_audience) ⇒ Object
Sets the default target audience ID to be used when none is provided during initialization.
128 129 130 |
# File 'lib/googleauth/credentials.rb', line 128 def self.audience= new_audience @audience = new_audience end |
.default(options = {}) ⇒ Credentials
Creates a new Credentials instance with auth credentials acquired by searching the environment variables and paths configured on the class, and with the default values configured on the class.
The auth credentials are searched for in the following order:
-
configured environment variables (see env_vars)
-
configured default file paths (see paths)
-
application default (see Google::Auth.get_application_default)
409 410 411 412 413 414 415 416 417 418 419 |
# File 'lib/googleauth/credentials.rb', line 409 def self.default = {} # First try to find keyfile file or json from environment variables. client = from_env_vars # Second try to find keyfile file from known file paths. client ||= from_default_paths # Finally get instantiated client from Google::Auth client ||= from_application_default client end |
.env_vars ⇒ Array<String>
The environment variables to search for credentials. Values can either be a file path to the credentials file, or the JSON contents of the credentials file. The env_vars will never be nil. If there are no vars, the empty array is returned.
199 200 201 |
# File 'lib/googleauth/credentials.rb', line 199 def self.env_vars env_vars_internal || [] end |
.env_vars=(new_env_vars) ⇒ Object
Sets the environment variables to search for credentials. Setting to ‘nil` “unsets” the value, and defaults to the superclass (or to the empty array if there is no superclass).
223 224 225 226 |
# File 'lib/googleauth/credentials.rb', line 223 def self.env_vars= new_env_vars new_env_vars = Array new_env_vars unless new_env_vars.nil? @env_vars = new_env_vars end |
.env_vars_internal ⇒ Object
Internal recursive lookup for env_vars.
207 208 209 210 211 212 213 214 |
# File 'lib/googleauth/credentials.rb', line 207 def self.env_vars_internal lookup_auth_param :env_vars, :env_vars_internal do # Pull values when PATH_ENV_VARS or JSON_ENV_VARS constants exists. path_env_vars = lookup_local_constant :PATH_ENV_VARS json_env_vars = lookup_local_constant :JSON_ENV_VARS (Array(path_env_vars) + Array(json_env_vars)).flatten.uniq if path_env_vars || json_env_vars end end |
.lookup_auth_param(name, method_name = name) ⇒ Object
Return the given parameter value, defaulting up the class hierarchy.
First returns the value of the instance variable, if set. Next, calls the given block if provided. (This is generally used to look up legacy constant-based values.) Otherwise, calls the superclass method if present. Returns nil if all steps fail.
276 277 278 279 280 281 282 |
# File 'lib/googleauth/credentials.rb', line 276 def self.lookup_auth_param name, method_name = name val = instance_variable_get "@#{name}".to_sym val = yield if val.nil? && block_given? return val unless val.nil? return superclass.send method_name if superclass.respond_to? method_name nil end |
.lookup_local_constant(name) ⇒ Object
Return the value of the given constant if it is defined directly in this class, or nil if not.
292 293 294 |
# File 'lib/googleauth/credentials.rb', line 292 def self.lookup_local_constant name const_defined?(name, false) ? const_get(name) : nil end |
.paths ⇒ Array<String>
The file paths to search for credentials files. The paths will never be nil. If there are no paths, the empty array is returned.
234 235 236 |
# File 'lib/googleauth/credentials.rb', line 234 def self.paths paths_internal || [] end |
.paths=(new_paths) ⇒ Object
Set the file paths to search for credentials files. Setting to ‘nil` “unsets” the value, and defaults to the superclass (or to the empty array if there is no superclass).
257 258 259 260 |
# File 'lib/googleauth/credentials.rb', line 257 def self.paths= new_paths new_paths = Array new_paths unless new_paths.nil? @paths = new_paths end |
.paths_internal ⇒ Object
Internal recursive lookup for paths.
242 243 244 245 246 247 248 |
# File 'lib/googleauth/credentials.rb', line 242 def self.paths_internal lookup_auth_param :paths, :paths_internal do # Pull in values if the DEFAULT_PATHS constant exists. vals = lookup_local_constant :DEFAULT_PATHS vals ? Array(vals).flatten.uniq : nil end end |
.scope ⇒ String, ...
The default scope to be used when none is provided during initialization. A scope is an access range defined by the authorization server. The scope can be a single value or a list of values.
Either #scope or #target_audience, but not both, should be non-nil. If #scope is set, this credential will produce access tokens. If #target_audience is set, this credential will produce ID tokens.
143 144 145 146 147 148 |
# File 'lib/googleauth/credentials.rb', line 143 def self.scope lookup_auth_param :scope do vals = lookup_local_constant :SCOPE vals ? Array(vals).flatten.uniq : nil end end |
.scope=(new_scope) ⇒ Object
Sets the default scope to be used when none is provided during initialization.
Either #scope or #target_audience, but not both, should be non-nil. If #scope is set, this credential will produce access tokens. If #target_audience is set, this credential will produce ID tokens.
159 160 161 162 |
# File 'lib/googleauth/credentials.rb', line 159 def self.scope= new_scope new_scope = Array new_scope unless new_scope.nil? @scope = new_scope end |
.target_audience ⇒ String?
The default final target audience for ID tokens, to be used when none is provided during initialization.
Either #scope or #target_audience, but not both, should be non-nil. If #scope is set, this credential will produce access tokens. If #target_audience is set, this credential will produce ID tokens.
174 175 176 |
# File 'lib/googleauth/credentials.rb', line 174 def self.target_audience lookup_auth_param :target_audience end |
.target_audience=(new_target_audience) ⇒ Object
Sets the default final target audience for ID tokens, to be used when none is provided during initialization.
Either #scope or #target_audience, but not both, should be non-nil. If #scope is set, this credential will produce access tokens. If #target_audience is set, this credential will produce ID tokens.
188 189 190 |
# File 'lib/googleauth/credentials.rb', line 188 def self.target_audience= new_target_audience @target_audience = new_target_audience end |
.token_credential_uri ⇒ String
The default token credential URI to be used when none is provided during initialization. The URI is the authorization server’s HTTP endpoint capable of issuing tokens and refreshing expired tokens.
96 97 98 99 100 |
# File 'lib/googleauth/credentials.rb', line 96 def self.token_credential_uri lookup_auth_param :token_credential_uri do lookup_local_constant :TOKEN_CREDENTIAL_URI end end |
.token_credential_uri=(new_token_credential_uri) ⇒ Object
Set the default token credential URI to be used when none is provided during initialization.
107 108 109 |
# File 'lib/googleauth/credentials.rb', line 107 def self.token_credential_uri= new_token_credential_uri @token_credential_uri = new_token_credential_uri end |