Class: Google::Auth::ServiceAccountJwtHeaderCredentials

Inherits:
Object
  • Object
show all
Extended by:
CredentialsLoader
Defined in:
lib/googleauth/service_account.rb

Overview

Authenticates requests using Google's Service Account credentials via JWT Header.

This class allows authorizing requests for service accounts directly from credentials from a json key file downloaded from the developer console (via 'Generate new Json Key'). It is not part of any OAuth2 flow, rather it creates a JWT and sends that as a credential.

cf [Application Default Credentials](goo.gl/mkAHpZ)

Constant Summary collapse

JWT_AUD_URI_KEY =
:jwt_aud_uri
AUTH_METADATA_KEY =
Signet::OAuth2::AUTH_METADATA_KEY
TOKEN_CRED_URI =
'https://www.googleapis.com/oauth2/v3/token'
SIGNING_ALGORITHM =
'RS256'
EXPIRY =
60

Constants included from CredentialsLoader

CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH

Class Method Summary collapse

Instance Method Summary collapse

Methods included from CredentialsLoader

from_env, from_system_default_path, from_well_known_path, make_creds, windows?

Constructor Details

#initialize(options = {}) ⇒ ServiceAccountJwtHeaderCredentials

Initializes a ServiceAccountJwtHeaderCredentials.

Parameters:

  • json_key_io (IO)

    an IO from which the JSON key can be read


150
151
152
153
154
155
156
157
158
159
160
161
# File 'lib/googleauth/service_account.rb', line 150

def initialize(options = {})
  json_key_io = options[:json_key_io]
  if json_key_io
    private_key, client_email = self.class.read_json_key(json_key_io)
  else
    private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
    client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
  end
  @private_key = private_key
  @issuer = client_email
  @signing_key = OpenSSL::PKey::RSA.new(private_key)
end

Class Method Details

.make_creds(*args) ⇒ Object

make_creds proxies the construction of a credentials instance

make_creds is used by the methods in CredentialsLoader.

By default, it calls #new with 2 args, the second one being an optional scope. Here's the constructor only has one param, so we modify make_creds to reflect this.


134
135
136
# File 'lib/googleauth/service_account.rb', line 134

def self.make_creds(*args)
  new(json_key_io: args[0][:json_key_io])
end

.read_json_key(json_key_io) ⇒ Object

Reads the private key and client email fields from the service account JSON key.


140
141
142
143
144
145
# File 'lib/googleauth/service_account.rb', line 140

def self.read_json_key(json_key_io)
  json_key = MultiJson.load(json_key_io.read)
  fail 'missing client_email' unless json_key.key?('client_email')
  fail 'missing private_key' unless json_key.key?('private_key')
  [json_key['private_key'], json_key['client_email']]
end

Instance Method Details

#apply(a_hash, opts = {}) ⇒ Object

Returns a clone of a_hash updated with the authoriation header


176
177
178
179
180
# File 'lib/googleauth/service_account.rb', line 176

def apply(a_hash, opts = {})
  a_copy = a_hash.clone
  apply!(a_copy, opts)
  a_copy
end

#apply!(a_hash, opts = {}) ⇒ Object

Construct a jwt token if the JWT_AUD_URI key is present in the input hash.

The jwt token is used as the value of a 'Bearer '.


167
168
169
170
171
172
173
# File 'lib/googleauth/service_account.rb', line 167

def apply!(a_hash, opts = {})
  jwt_aud_uri = a_hash.delete(JWT_AUD_URI_KEY)
  return a_hash if jwt_aud_uri.nil?
  jwt_token = new_jwt_token(jwt_aud_uri, opts)
  a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
  a_hash
end

#updater_procObject

Returns a reference to the #apply method, suitable for passing as a closure


184
185
186
# File 'lib/googleauth/service_account.rb', line 184

def updater_proc
  lambda(&method(:apply))
end