lib/googleauth/external_account.rb in googleauth-1.5.2 vs lib/googleauth/external_account.rb in googleauth-1.6.0
@@ -14,10 +14,11 @@
require "time"
require "uri"
require "googleauth/credentials_loader"
require "googleauth/external_account/aws_credentials"
+require "googleauth/external_account/identity_pool_credentials"
module Google
# Module Auth provides classes that provide Google-specific authorization
# used to access Google APIs.
module Auth
@@ -26,11 +27,12 @@
module ExternalAccount
# Provides an entrypoint for all Exernal Account credential classes.
class Credentials
# The subject token type used for AWS external_account credentials.
AWS_SUBJECT_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request".freeze
- AWS_SUBJECT_TOKEN_INVALID = "aws is the only currently supported external account type".freeze
+ MISSING_CREDENTIAL_SOURCE = "missing credential source for external account".freeze
+ INVALID_EXTERNAL_ACCOUNT_TYPE = "credential source is not supported external account type".freeze
# Create a ExternalAccount::Credentials
#
# @param json_key_io [IO] an IO from which the JSON key can be read
# @param scope [String,Array,nil] the scope(s) to access
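Review bot: The new INVALID_EXTERNAL_ACCOUNT_TYPE message is missing an article and reads awkwardly when it surfaces to a user; I would change it to `INVALID_EXTERNAL_ACCOUNT_TYPE = "credential source is not a supported external account type".freeze`. Both new constants are raised as bare strings further down in the file, which means callers only ever see a RuntimeError and cannot distinguish a malformed credential file from any other failure; consider `raise ArgumentError, MISSING_CREDENTIAL_SOURCE` (and likewise for the other constant) or a dedicated error class under the module, if the rest of the library has one. A one-line comment on each constant saying which input condition triggers it, as the existing AWS_SUBJECT_TOKEN_TYPE comment does, would also help the next maintainer.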
@@ -38,32 +40,49 @@
json_key_io, scope = options.values_at :json_key_io, :scope
raise "A json file is required for external account credentials." unless json_key_io
user_creds = read_json_key json_key_io
- # TODO: check for other External Account Credential types. Currently only AWS is supported.
- raise AWS_SUBJECT_TOKEN_INVALID unless user_creds["subject_token_type"] == AWS_SUBJECT_TOKEN_TYPE
+ # AWS credentials is determined by aws subject token type
+ return make_aws_credentials user_creds, scope if user_creds[:subject_token_type] == AWS_SUBJECT_TOKEN_TYPE
- Google::Auth::ExternalAccount::AwsCredentials.new(
- audience: user_creds["audience"],
- scope: scope,
- subject_token_type: user_creds["subject_token_type"],
- token_url: user_creds["token_url"],
- credential_source: user_creds["credential_source"],
- service_account_impersonation_url: user_creds["service_account_impersonation_url"]
- )
+ raise MISSING_CREDENTIAL_SOURCE if user_creds[:credential_source].nil?
+ user_creds[:scope] = scope
+ make_external_account_credentials user_creds
end
# Reads the required fields from the JSON.
def self.read_json_key json_key_io
- json_key = MultiJson.load json_key_io.read
+ json_key = MultiJson.load json_key_io.read, symbolize_keys: true
wanted = [
- "audience", "subject_token_type", "token_url", "credential_source"
+ :audience, :subject_token_type, :token_url, :credential_source
]
wanted.each do |key|
raise "the json is missing the #{key} field" unless json_key.key? key
end
json_key
+ end
+
+ class << self
+ private
+
+ def make_aws_credentials user_creds, scope
+ Google::Auth::ExternalAccount::AwsCredentials.new(
+ audience: user_creds[:audience],
+ scope: scope,
+ subject_token_type: user_creds[:subject_token_type],
+ token_url: user_creds[:token_url],
+ credential_source: user_creds[:credential_source],
+ service_account_impersonation_url: user_creds[:service_account_impersonation_url]
+ )
+ end
+
+ def make_external_account_credentials user_creds
+ unless user_creds[:credential_source][:file].nil? && user_creds[:credential_source][:url].nil?
+ return Google::Auth::ExternalAccount::IdentityPoolCredentials.new user_creds
+ end
+ raise INVALID_EXTERNAL_ACCOUNT_TYPE
+ end
end
end
end
end
end
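Review bot: `make_external_account_credentials` assumes `user_creds[:credential_source]` is a Hash, but `read_json_key` only checks that the key exists and `make_credentials` only rejects `nil`, so a config whose `credential_source` is a string, number or array reaches `[...][:file]` and fails with a TypeError instead of the intended INVALID_EXTERNAL_ACCOUNT_TYPE message. I would guard the type before indexing and drop the double negative: `source = user_creds[:credential_source]`, `raise INVALID_EXTERNAL_ACCOUNT_TYPE unless source.is_a?(Hash) && (source[:file] || source[:url])`, then `Google::Auth::ExternalAccount::IdentityPoolCredentials.new user_creds`. Note that the AWS branch in `make_credentials` returns before the `credential_source.nil?` check, so an AWS config with a null `credential_source` is passed straight to `AwsCredentials.new`; if that is intentional a short comment saying so would save a reader from wondering. A one-line comment on each new private helper stating which credential type it builds and what it raises would round out the documentation. `make_credentials` begins above this hunk.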