google-api-ruby-client/lib/google/api_client/auth/jwt_asserter.rb

# Copyright 2010 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

require 'jwt'
require 'signet/oauth_2/client'
require 'delegate'

module Google
  class APIClient
    ##
    # Generates access tokens using the JWT assertion profile. Requires a
    # service account & access to the private key.
    #
    # @example Using Signet
    #
    #   key = Google::APIClient::KeyUtils.load_from_pkcs12('client.p12', 'notasecret')
    #   client.authorization = Signet::OAuth2::Client.new(
    #     :token_credential_uri => 'https://accounts.google.com/o/oauth2/token',
    #     :audience => 'https://accounts.google.com/o/oauth2/token',
    #     :scope => 'https://www.googleapis.com/auth/prediction',
    #     :issuer => '123456-abcdef@developer.gserviceaccount.com',
    #     :signing_key => key)
    #   client.authorization.fetch_access_token!
    #   client.execute(...)
    #
    # @example Deprecated version
    #
    #    client = Google::APIClient.new
    #    key = Google::APIClient::PKCS12.load_key('client.p12', 'notasecret')
    #    service_account = Google::APIClient::JWTAsserter.new(
    #     '123456-abcdef@developer.gserviceaccount.com',
    #     'https://www.googleapis.com/auth/prediction',
    #     key)
    #    client.authorization = service_account.authorize
    #    client.execute(...)
    #
    # @deprecated
    #  Service accounts are now supported directly in Signet
    # @see https://developers.google.com/accounts/docs/OAuth2ServiceAccount
    class JWTAsserter
      # @return [String] ID/email of the issuing party
      attr_accessor :issuer
      # @return [Fixnum] How long, in seconds, the assertion is valid for
      attr_accessor :expiry
      # @return [Fixnum] Seconds to expand the issued at/expiry window to account for clock skew
      attr_accessor :skew
      # @return [String] Scopes to authorize
      attr_reader :scope
      # @return [String,OpenSSL::PKey] key for signing assertions
      attr_writer :key
      # @return [String] Algorithm used for signing
      attr_accessor :algorithm
      
      ##
      # Initializes the asserter for a service account.
      #
      # @param [String] issuer
      #    Name/ID of the client issuing the assertion
      # @param [String, Array] scope
      #   Scopes to authorize. May be a space delimited string or array of strings
      # @param [String,OpenSSL::PKey] key
      #   Key for signing assertions
      # @param [String] algorithm
      #   Algorithm to use, either 'RS256' for RSA with SHA-256 
      #   or 'HS256' for HMAC with SHA-256
      def initialize(issuer, scope, key, algorithm = "RS256")
        self.issuer = issuer
        self.scope = scope
        self.expiry = 60 # 1 min default 
        self.skew = 60      
        self.key = key
        self.algorithm = algorithm
      end

      ##
      # Set the scopes to authorize
      #
      # @param [String, Array] new_scope
      #   Scopes to authorize. May be a space delimited string or array of strings
      def scope=(new_scope)
        case new_scope
        when Array
          @scope = new_scope.join(' ')
        when String
          @scope = new_scope
        when nil
          @scope = ''
        else
          raise TypeError, "Expected Array or String, got #{new_scope.class}"
        end
      end
      
      ##
      # Request a new access token.
      # 
      # @param [String] person
      #   Email address of a user, if requesting a token to act on their behalf
      # @param [Hash] options
      #   Pass through to Signet::OAuth2::Client.fetch_access_token
      # @return [Signet::OAuth2::Client] Access token 
      #
      # @see Signet::OAuth2::Client.fetch_access_token!
      def authorize(person = nil, options={})
        authorization = self.to_authorization(person)
        authorization.fetch_access_token!(options)
        return authorization
      end
      
      ##
      # Builds a Signet OAuth2 client
      #
      # @return [Signet::OAuth2::Client] Access token 
      def to_authorization(person = nil)
        return Signet::OAuth2::Client.new(
          :token_credential_uri => 'https://accounts.google.com/o/oauth2/token',
          :audience => 'https://accounts.google.com/o/oauth2/token',
          :scope => self.scope,
          :issuer => @issuer,
          :signing_key => @key,
          :signing_algorithm => @algorithm,
          :person => person
        )
      end      
    end
  end
end
Re-org service account support 2012-10-10 20:18:33 +00:00			`# Copyright 2010 Google Inc.`
			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

			`require 'jwt'`
			`require 'signet/oauth_2/client'`
Auto-refresh OAuth 2 tokens & retry request on 401 response 2012-10-30 20:18:12 +00:00			`require 'delegate'`
Re-org service account support 2012-10-10 20:18:33 +00:00
			`module Google`
			`class APIClient`
			`##`
			`# Generates access tokens using the JWT assertion profile. Requires a`
			`# service account & access to the private key.`
			`#`
Use JWT support in signet, ignore broken PKCS12 tests on jruby 2013-01-02 19:50:45 +00:00			`# @example Using Signet`
			`#`
			`# key = Google::APIClient::KeyUtils.load_from_pkcs12('client.p12', 'notasecret')`
			`# client.authorization = Signet::OAuth2::Client.new(`
			`# :token_credential_uri => 'https://accounts.google.com/o/oauth2/token',`
			`# :audience => 'https://accounts.google.com/o/oauth2/token',`
Fix JWT example in docs 2013-01-03 00:12:47 +00:00			`# :scope => 'https://www.googleapis.com/auth/prediction',`
			`# :issuer => '123456-abcdef@developer.gserviceaccount.com',`
Use JWT support in signet, ignore broken PKCS12 tests on jruby 2013-01-02 19:50:45 +00:00			`# :signing_key => key)`
			`# client.authorization.fetch_access_token!`
			`# client.execute(...)`
			`#`
			`# @example Deprecated version`
Re-org service account support 2012-10-10 20:18:33 +00:00			`#`
			`# client = Google::APIClient.new`
			`# key = Google::APIClient::PKCS12.load_key('client.p12', 'notasecret')`
Fix sample for JWTAsserter (missing .new) 2012-11-02 19:50:06 +00:00			`# service_account = Google::APIClient::JWTAsserter.new(`
Use JWT support in signet, ignore broken PKCS12 tests on jruby 2013-01-02 19:50:45 +00:00			`# '123456-abcdef@developer.gserviceaccount.com',`
			`# 'https://www.googleapis.com/auth/prediction',`
			`# key)`
Re-org service account support 2012-10-10 20:18:33 +00:00			`# client.authorization = service_account.authorize`
			`# client.execute(...)`
			`#`
Use JWT support in signet, ignore broken PKCS12 tests on jruby 2013-01-02 19:50:45 +00:00			`# @deprecated`
			`# Service accounts are now supported directly in Signet`
Re-org service account support 2012-10-10 20:18:33 +00:00			`# @see https://developers.google.com/accounts/docs/OAuth2ServiceAccount`
			`class JWTAsserter`
			`# @return [String] ID/email of the issuing party`
			`attr_accessor :issuer`
			`# @return [Fixnum] How long, in seconds, the assertion is valid for`
			`attr_accessor :expiry`
			`# @return [Fixnum] Seconds to expand the issued at/expiry window to account for clock skew`
			`attr_accessor :skew`
			`# @return [String] Scopes to authorize`
			`attr_reader :scope`
Use JWT support in signet, ignore broken PKCS12 tests on jruby 2013-01-02 19:50:45 +00:00			`# @return [String,OpenSSL::PKey] key for signing assertions`
Re-org service account support 2012-10-10 20:18:33 +00:00			`attr_writer :key`
Use JWT support in signet, ignore broken PKCS12 tests on jruby 2013-01-02 19:50:45 +00:00			`# @return [String] Algorithm used for signing`
			`attr_accessor :algorithm`

Re-org service account support 2012-10-10 20:18:33 +00:00			`##`
			`# Initializes the asserter for a service account.`
			`#`
			`# @param [String] issuer`
			`# Name/ID of the client issuing the assertion`
			`# @param [String, Array] scope`
			`# Scopes to authorize. May be a space delimited string or array of strings`
Use JWT support in signet, ignore broken PKCS12 tests on jruby 2013-01-02 19:50:45 +00:00			`# @param [String,OpenSSL::PKey] key`
			`# Key for signing assertions`
			`# @param [String] algorithm`
			`# Algorithm to use, either 'RS256' for RSA with SHA-256`
			`# or 'HS256' for HMAC with SHA-256`
			`def initialize(issuer, scope, key, algorithm = "RS256")`
Re-org service account support 2012-10-10 20:18:33 +00:00			`self.issuer = issuer`
			`self.scope = scope`
			`self.expiry = 60 # 1 min default`
			`self.skew = 60`
			`self.key = key`
Use JWT support in signet, ignore broken PKCS12 tests on jruby 2013-01-02 19:50:45 +00:00			`self.algorithm = algorithm`
Re-org service account support 2012-10-10 20:18:33 +00:00			`end`

			`##`
			`# Set the scopes to authorize`
			`#`
			`# @param [String, Array] new_scope`
			`# Scopes to authorize. May be a space delimited string or array of strings`
			`def scope=(new_scope)`
			`case new_scope`
			`when Array`
			`@scope = new_scope.join(' ')`
			`when String`
			`@scope = new_scope`
			`when nil`
			`@scope = ''`
			`else`
			`raise TypeError, "Expected Array or String, got #{new_scope.class}"`
			`end`
			`end`

			`##`
			`# Request a new access token.`
			`#`
			`# @param [String] person`
			`# Email address of a user, if requesting a token to act on their behalf`
			`# @param [Hash] options`
			`# Pass through to Signet::OAuth2::Client.fetch_access_token`
			`# @return [Signet::OAuth2::Client] Access token`
			`#`
Fix sample for JWTAsserter (missing .new) 2012-11-02 19:50:06 +00:00			`# @see Signet::OAuth2::Client.fetch_access_token!`
Re-org service account support 2012-10-10 20:18:33 +00:00			`def authorize(person = nil, options={})`
fix for #22 impersonation 2013-01-12 15:29:47 +00:00			`authorization = self.to_authorization(person)`
Re-org service account support 2012-10-10 20:18:33 +00:00			`authorization.fetch_access_token!(options)`
Use JWT support in signet, ignore broken PKCS12 tests on jruby 2013-01-02 19:50:45 +00:00			`return authorization`
Auto-refresh OAuth 2 tokens & retry request on 401 response 2012-10-30 20:18:12 +00:00			`end`
Use JWT support in signet, ignore broken PKCS12 tests on jruby 2013-01-02 19:50:45 +00:00
Fix sample for JWTAsserter (missing .new) 2012-11-02 19:50:06 +00:00			`##`
Use JWT support in signet, ignore broken PKCS12 tests on jruby 2013-01-02 19:50:45 +00:00			`# Builds a Signet OAuth2 client`
Fix sample for JWTAsserter (missing .new) 2012-11-02 19:50:06 +00:00			`#`
Use JWT support in signet, ignore broken PKCS12 tests on jruby 2013-01-02 19:50:45 +00:00			`# @return [Signet::OAuth2::Client] Access token`
			`def to_authorization(person = nil)`
			`return Signet::OAuth2::Client.new(`
			`:token_credential_uri => 'https://accounts.google.com/o/oauth2/token',`
			`:audience => 'https://accounts.google.com/o/oauth2/token',`
			`:scope => self.scope,`
			`:issuer => @issuer,`
			`:signing_key => @key,`
			`:signing_algorithm => @algorithm,`
			`:person => person`
			`)`
			`end`
Re-org service account support 2012-10-10 20:18:33 +00:00			`end`
			`end`
			`end`