google-auth-library-ruby's Introduction

Google Auth Library for Ruby

Homepage: http://www.github.com/googleapis/google-auth-library-ruby
Authors: Tim Emiola
Copyright: Copyright © 2015 Google, Inc.
License: Apache 2.0

Description

This is Google's officially supported ruby client library for using OAuth 2.0 authorization and authentication with Google APIs.

Install

Be sure https://rubygems.org/ is in your gem sources.

For normal client usage, this is sufficient:

$ gem install googleauth

Example Usage

require 'googleauth'

# Get the environment configured authorization
scopes =  ['https://www.googleapis.com/auth/cloud-platform',
           'https://www.googleapis.com/auth/compute']
authorization = Google::Auth.get_application_default(scopes)

# Add the access token obtained using the authorization to a hash, e.g.
# headers.
some_headers = {}
authorization.apply(some_headers)

Application Default Credentials

This library provides an implementation of application default credentials for Ruby.

The Application Default Credentials provide a simple way to get authorization credentials for use in calling Google APIs.

They are best suited for cases when the call needs to have the same identity and authorization level for the application independent of the user. This is the recommended approach to authorize calls to Cloud APIs, particularly when you're building an application that uses Google Compute Engine.

User Credentials

The library also provides support for requesting and storing user credentials (3-legged OAuth2). Two implementations are currently available: a generic authorizer useful for command line apps or custom integrations, and a web variant tailored toward Rack-based applications.

The authorizers are intended for authorization use cases. For sign-on, see Google Identity Platform.

Example (Web)

require 'googleauth'
require 'googleauth/web_user_authorizer'
require 'googleauth/stores/redis_token_store'
require 'redis'

client_id = Google::Auth::ClientId.from_file('/path/to/client_secrets.json')
scope = ['https://www.googleapis.com/auth/drive']
token_store = Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new)
authorizer = Google::Auth::WebUserAuthorizer.new(
  client_id, scope, token_store, '/oauth2callback')


get('/authorize') do
  # NOTE: Assumes the user is already authenticated to the app
  user_id = request.session['user_id']
  credentials = authorizer.get_credentials(user_id, request)
  if credentials.nil?
    redirect authorizer.get_authorization_url(login_hint: user_id, request: request)
  end
  # Credentials are valid, can call APIs
  # ...
end

get('/oauth2callback') do
  target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(
    request)
  redirect target_url
end

Example (Web with PKCE)

Proof Key for Code Exchange (PKCE) is an RFC that aims to prevent malicious operating system processes from hijacking an OAuth 2.0 exchange. PKCE mitigates this by including code_challenge and code_challenge_method parameters in the Authorization Request and a code_verifier parameter in the Access Token Request.

require 'googleauth'
require 'googleauth/web_user_authorizer'
require 'googleauth/stores/redis_token_store'
require 'redis'

client_id = Google::Auth::ClientId.from_file('/path/to/client_secrets.json')
scope = ['https://www.googleapis.com/auth/drive']
token_store = Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new)
authorizer = Google::Auth::WebUserAuthorizer.new(
  client_id, scope, token_store, '/oauth2callback')


get('/authorize') do
  # NOTE: Assumes the user is already authenticated to the app
  user_id = request.session['user_id']
  # User needs to take care of generating the code_verifier and storing it in
  # the session.
  request.session['code_verifier'] ||= Google::Auth::WebUserAuthorizer.generate_code_verifier
  authorizer.code_verifier = request.session['code_verifier']
  credentials = authorizer.get_credentials(user_id, request)
  if credentials.nil?
    redirect authorizer.get_authorization_url(login_hint: user_id, request: request)
  end
  # Credentials are valid, can call APIs
  # ...
end

get('/oauth2callback') do
  target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(
    request)
  redirect target_url
end

Example (Command Line) [Deprecated]

The Google Auth OOB flow was discontinued on January 31, 2023. The OOB flow is a legacy flow that is no longer considered secure. To continue using Google Auth, please migrate your applications to a more secure flow. For more information on how to do this, please refer to this OOB Migration guide.

require 'googleauth'
require 'googleauth/stores/file_token_store'

OOB_URI = 'urn:ietf:wg:oauth:2.0:oob'

scope = 'https://www.googleapis.com/auth/drive'
client_id = Google::Auth::ClientId.from_file('/path/to/client_secrets.json')
token_store = Google::Auth::Stores::FileTokenStore.new(
  :file => '/path/to/tokens.yaml')
authorizer = Google::Auth::UserAuthorizer.new(client_id, scope, token_store)

user_id = ENV['USER']
credentials = authorizer.get_credentials(user_id)
if credentials.nil?
  url = authorizer.get_authorization_url(base_url: OOB_URI )
  puts "Open #{url} in your browser and enter the resulting code:"
  code = gets
  credentials = authorizer.get_and_store_credentials_from_code(
    user_id: user_id, code: code, base_url: OOB_URI)
end

# OK to use credentials

Example (Service Account)

scope = 'https://www.googleapis.com/auth/androidpublisher'

authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
  json_key_io: File.open('/path/to/service_account_json_key.json'),
  scope: scope)

authorizer.fetch_access_token!

You can also use a JSON keyfile by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable.

export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service_account_json_key.json

require 'googleauth'
require 'google/apis/drive_v3'

Drive = ::Google::Apis::DriveV3
drive = Drive::DriveService.new

scope = 'https://www.googleapis.com/auth/drive'

authorizer = Google::Auth::ServiceAccountCredentials.from_env(scope: scope)
drive.authorization = authorizer

list_files = drive.list_files()

3-Legged OAuth with a Service Account

This is similar to regular service account authorization (see this answer for more details on the differences), but you'll need to indicate which user your service account is impersonating by manually updating the sub field.

scope = 'https://www.googleapis.com/auth/androidpublisher'

authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
  json_key_io: File.open('/path/to/service_account_json_key.json'),
  scope: scope
)
authorizer.update!(sub: "[email protected]")

authorizer.fetch_access_token!

Example (Environment Variables)

export GOOGLE_ACCOUNT_TYPE=service_account
export GOOGLE_CLIENT_ID=000000000000000000000
export GOOGLE_CLIENT_EMAIL=[email protected]
export GOOGLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"

require 'googleauth'
require 'google/apis/drive_v3'

Drive = ::Google::Apis::DriveV3
drive = Drive::DriveService.new

# Auths with ENV vars:
# "GOOGLE_CLIENT_ID",
# "GOOGLE_CLIENT_EMAIL",
# "GOOGLE_ACCOUNT_TYPE", 
# "GOOGLE_PRIVATE_KEY"
auth = ::Google::Auth::ServiceAccountCredentials
  .make_creds(scope: 'https://www.googleapis.com/auth/drive')
drive.authorization = auth

list_files = drive.list_files()

Storage

Authorizers require a storage instance to manage long term persistence of access and refresh tokens. Two storage implementations are included:

  • Google::Auth::Stores::FileTokenStore
  • Google::Auth::Stores::RedisTokenStore

Custom storage implementations can also be used. See token_store.rb for additional details.

Supported Ruby Versions

This library is supported on Ruby 2.6+.

Google provides official support for Ruby versions that are actively supported by Ruby Core—that is, Ruby versions that are either in normal maintenance or in security maintenance, and not end of life. Older versions of Ruby may still work, but are unsupported and not recommended. See https://www.ruby-lang.org/en/downloads/branches/ for details about the Ruby support schedule.

License

This library is licensed under Apache 2.0. Full license text is available in LICENSE.

Contributing

See CONTRIBUTING.

Support

Please report bugs at the project on GitHub. Don't hesitate to ask questions about the client or APIs on StackOverflow.

google-auth-library-ruby's Issues

ServiceAccountJwtHeaderCredentials doesn't properly apply authorization header

Ran into a couple of problems attempting to access the Google APIs via googleauth and google-api-client.
The exact same request, as far as I can tell, works just fine using the golang library. This may just be a documentation problem; I might be invoking the libraries incorrectly.

problem 1) doesn't properly set authorization header in http_command#apply_request_options.

apps_market = ::Google::Apis::AppsmarketV2::AppsmarketService.new
apps_market.authorization = ::Google::Auth::ServiceAccountJwtHeaderCredentials.make_creds(json_key_io: File.open("..."), scope: [Google::Apis::AppsmarketV2::AUTH_APPSMARKETPLACE_LICENSE])
apps_market.get_customer_license(Rails.application.secrets.gapps_marketplace_id, domain)

reason: req.header doesn't have the jwt_aud_uri key set.
setting it manually like so:

apps_market.get_customer_license(Rails.application.secrets.gapps_marketplace_id, domain, :options => {:header => {:jwt_aud_uri => true}})

doesn't work either because apply! gets invoked before the header being supplied gets applied to the request header.

# http_command.rb#apply_request_options(req)
def apply_request_options(req)
  if options.authorization.respond_to?(:apply!)
    options.authorization.apply!(req.header)
  elsif options.authorization.is_a?(String)
    req.header[:authorization] = sprintf('Bearer %s', options.authorization)
  end
  req.header.update(header)
  req.options.timeout = options.timeout_sec
end

problem 2) ::Google::Auth::ServiceAccountJwtHeaderCredentials doesn't support scopes?
scopes missing from make_creds method.

# make_creds proxies the construction of a credentials instance
#
# make_creds is used by the methods in CredentialsLoader.
#
# By default, it calls #new with 2 args, the second one being an
# optional scope. Here's the constructor only has one param, so
# we modify make_creds to reflect this.
def self.make_creds(*args)
  new(json_key_io: args[0][:json_key_io])
end

# Reads the private key and client email fields from the service account
# JSON key.
def self.read_json_key(json_key_io)
  json_key = MultiJson.load(json_key_io.read)
  fail 'missing client_email' unless json_key.key?('client_email')
  fail 'missing private_key' unless json_key.key?('private_key')
  [json_key['private_key'], json_key['client_email']]
end

equivalent code in golang:

const gapps_marketplace_id = "..."
const domain = "someplace.com"
const marketplaceScope = "https://www.googleapis.com/auth/appsmarketplace.license"

func jwtConfig() {
    data, err := ioutil.ReadFile("...")
    if err != nil {
        log.Println(err)
        return
    }

    conf, err := google.JWTConfigFromJSON(data, marketplaceScope)
    if err != nil {
        log.Println(err)
        return
    }

    s1, err := appsmarket.New(conf.Client(oauth2.NoContext))
    if err != nil {
        log.Println(err)
        return
    }

    cls := s1.CustomerLicense.Get(gapps_marketplace_id, domain)
    r, err := cls.Do()
    if err != nil {
        x := err.(*googleapi.Error)
        log.Println("Code", x.Code)
        log.Println("Body", x.Body)
        log.Println("Errors", x.Errors)
        log.Println(err)
        return
    }
    log.Println("SUCCESS", r.ApplicationId, r.CustomerId, r.State)
}

Support for plain OAuth 2.0.

Hi, does this library provide support for plain OAuth 2.0 mentioned in the docs here? https://developers.google.com/identity/choose-auth

Edit: To clarify, I'd like to let my users sign-in using their google account just like the way slack does:

  1. Redirect the user to google's login form,
  2. User signs in,
  3. Redirect to callback URL,
  4. Sign-in the user to the host application.

This was possible using the deprecated (http://www.rubydoc.info/github/google/google-api-ruby-client/Google/APIClient/ClientSecrets) Google::APIClient::ClientSecrets way as provided in the example here:

require 'google/apis/drive_v2'
require 'google/api_client/client_secrets'

client_secrets = Google::APIClient::ClientSecrets.load
auth_client = client_secrets.to_authorization
auth_client.update!(
  :scope => 'https://www.googleapis.com/auth/drive.metadata.readonly',
  :redirect_uri => 'http://www.example.com/oauth2callback'
)

But now, the docs point out to using the sign-in button as mentioned here:

https://developers.google.com/api-client-library/ruby/auth/web-app

which requires that:

  1. Users click on the sign in button
  2. Google sign-in button pops up the Google login form using JS,
  3. User signs in,
  4. Popup closes, calls-back JS function with user ID and ID token
  5. My application makes another request to Google's token verification end-point
  6. Google verifies ID of the user and my application signs in the user.

But isn't this more complicated, and doesn't it add more points of failure to watch out for? Including:

  1. What happens when the user doesn't have JS enabled?
  2. My application makes an additional request to Google's servers to verify ID token, which may fail the sign in process if there's a network issue, etc.

Thanks!

GCE error when --no-scopes used

From googleapis/google-api-ruby-client#207

In compute_service_account.rb we do:

    response = connection.get 'http://metadata/computeMetadata/v1beta1/instance/service-accounts/default/token'

However, if the VM was created with --no-scopes this will return an error page instead of the token, which usually leads to a subsequent exception while trying to parse it.

example exception

error_class="MultiJson::ParseError" error="lexical error: invalid char in json text.\n                                       <!DOCTYPE html> <html lang=en> \n                     (right here) ------^\n" plugin_id="object:3f9bc1d9bd80"
  2015-03-25 22:43:22 +0000 [warn]: /opt/google-fluentd/embedded/lib/ruby/gems/2.1.0/gems/multi_json-1.11.0/lib/multi_json/adapters/yajl.rb:11:in `parse'
  2015-03-25 22:43:22 +0000 [warn]: /opt/google-fluentd/embedded/lib/ruby/gems/2.1.0/gems/multi_json-1.11.0/lib/multi_json/adapters/yajl.rb:11:in `load'
  2015-03-25 22:43:22 +0000 [warn]: /opt/google-fluentd/embedded/lib/ruby/gems/2.1.0/gems/multi_json-1.11.0/lib/multi_json/adapter.rb:21:in `load'
  2015-03-25 22:43:22 +0000 [warn]: /opt/google-fluentd/embedded/lib/ruby/gems/2.1.0/gems/multi_json-1.11.0/lib/multi_json.rb:119:in `load'
  2015-03-25 22:43:22 +0000 [warn]: /opt/google-fluentd/embedded/lib/ruby/gems/2.1.0/gems/signet-0.5.1/lib/signet/oauth_2.rb:81:in `parse_json_credentials'
  2015-03-25 22:43:22 +0000 [warn]: /opt/google-fluentd/embedded/lib/ruby/gems/2.1.0/gems/google-api-client-0.7.1/lib/google/api_client/auth/compute_service_account.rb:24:in `fetch_access_token'
  2015-03-25 22:43:22 +0000 [warn]: /opt/google-fluentd/embedded/lib/ruby/gems/2.1.0/gems/signet-0.5.1/lib/signet/oauth_2/client.rb:956:in `fetch_access_token!'

curl results from the affected machine

$ curl 'http://metadata/computeMetadata/v1beta1/instance/service-accounts/default/token'
<!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 404 (Not Found)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/errors/logo_sm_2.png) no-repeat}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/errors/logo_sm_2_hr.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/errors/logo_sm_2_hr.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/errors/logo_sm_2_hr.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:55px;width:150px}
  </style>
  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  <p><b>404.</b> <ins>That’s an error.</ins>
  <p>The requested URL <code>/computeMetadata/v1beta1/instance/service-accounts/default/token</code> was not found on this server.  <ins>That’s all we know.</ins>

can't get default credentials for use with datastore emulator

I am trying to use the datastore emulator locally with my rails app in development mode for testing etc.

I run the beta datastore emulator, then run gcloud beta emulators datastore env-init and make sure those environment variables are in my .bashrc file (and source my .bashrc file). Then I try to do the following from within Rails:

require 'gcloud'
gcloud = Gcloud.new('[project id here]')
dataset = gcloud.datastore

I get the following error:

RuntimeError: Could not load the default credentials. Browse to
https://developers.google.com/accounts/docs/application-default-credentials
for more information

    from /home/sam/.rvm/gems/ruby-2.2.3/gems/googleauth-0.5.1/lib/googleauth.rb:119:in `get_application_default'
    from /home/sam/.rvm/gems/ruby-2.2.3/gems/gcloud-0.7.2/lib/gcloud/credentials.rb:83:in `default'
    from /home/sam/.rvm/gems/ruby-2.2.3/gems/gcloud-0.7.2/lib/gcloud/datastore.rb:62:in `datastore'
    from /home/sam/.rvm/gems/ruby-2.2.3/gems/gcloud-0.7.2/lib/gcloud.rb:106:in `datastore'
    from (irb):3
    from /home/sam/.rvm/gems/ruby-2.2.3/gems/railties-4.2.6/lib/rails/commands/console.rb:110:in `start'
    from /home/sam/.rvm/gems/ruby-2.2.3/gems/railties-4.2.6/lib/rails/commands/console.rb:9:in `start'
    from /home/sam/.rvm/gems/ruby-2.2.3/gems/railties-4.2.6/lib/rails/commands/commands_tasks.rb:68:in `console'
    from /home/sam/.rvm/gems/ruby-2.2.3/gems/railties-4.2.6/lib/rails/commands/commands_tasks.rb:39:in `run_command!'
    from /home/sam/.rvm/gems/ruby-2.2.3/gems/railties-4.2.6/lib/rails/commands.rb:17:in `<top (required)>'
    from bin/rails:18:in `require'
    from bin/rails:18:in `<main>'

I was under the impression I did not need a keyfile if using the datastore emulator. If I do need a keyfile, how do I create it? The datastore emulator documentation doesn't mention this at all, and seems to suggest that merely having these environment variables in place should be enough for local clients to connect automatically.

Please advise!

Use a token store with ServiceAccountCredentials

Hi,

I have a question regarding the use of ServiceAccountCredentials, alas there is no documentation:

Is it possible to use a token store with ServiceAccountCredentials? I don't find any helpful hints in the #make_creds methods https://github.com/google/google-auth-library-ruby/blob/master/lib/googleauth/service_account.rb#L56 nor in the initializer.

Correct me if I'm wrong, but isn't it a good idea to reuse the access tokens when doing multiple requests, regardless of the underlying auth mechanism? The documentation shows a sample code for WebUserAuthorizer, but not for ServiceAccountCredentials.

Hope somebody can help me,
thx!

Add a new credential type IAMCredential

It is constructed with and holds two fields

  • iam-token
  • iam-authority-selector

IAMCredential applies these values to requests as a pair of HTTP headers (or equivalents) with the keys

  • "x-goog-iam-authorization-token"
  • "x-goog-iam-authority-selector"

respectively.

N.B. There is no requirement that an IAMCredential be returned by Application Default Credentials.

ADC doesn't work on some Windows machines

Currently only some of the possible host_os values (i.e. Windows and mswin) are used to identify whether the library is running on a windows machine. There are many other possible values that could signify a windows machine. E.g. my machine has 'mingw32'. Using the OS.windows? seems like a more reliable way to identify this.

Missing loading pkcs keys

I'm upgrading code from 0.8 to 0.9. I'm not finding where this method is in the new auth api: Google::APIClient::KeyUtils.load_from_pkcs12

Context: I'm deploying ruby code to heroku for service account access to Google Admin SDK. Since the code base is open source, I can not store the json file or pkcs12 on the filesystem. I see that in Issue 27 you added support for reading a json file from environment variables, but I'm having a deuce of a time formatting the json so that it can be stored as an environment variable. As such, I'd like to be able to pull in a pkcs12 key from an environment variable.

Release 0.4.2?

I'd like to know if you plan a release of a 0.4.2 version, as it contains a fix for relaxing the version constraints on the multi_json gem, that impacts the use of this library with chef-provisioning and the chefdk.

Nil scope when using JSON file

See also googleapis/google-api-ruby-client#228

example application:

require "google/api_client"

client = Google::APIClient.new(:application_name => 'My Script', :application_version => "0.0.1")
# byebug
client.authorization= :google_app_default
client.authorization.fetch_access_token!

I get the following error:

/Users/user/.rbenv/versions/2.1.2/lib/ruby/gems/2.1.0/gems/signet-0.6.0/lib/signet/oauth_2/client.rb:835:in `to_jwt': undefined method `join' for nil:NilClass (NoMethodError)
    from /Users/user/.rbenv/versions/2.1.2/lib/ruby/gems/2.1.0/gems/signet-0.6.0/lib/signet/oauth_2/client.rb:904:in `generate_access_token_request'
    from /Users/user/.rbenv/versions/2.1.2/lib/ruby/gems/2.1.0/gems/signet-0.6.0/lib/signet/oauth_2/client.rb:935:in `fetch_access_token'
    from /Users/user/.rbenv/versions/2.1.2/lib/ruby/gems/2.1.0/gems/signet-0.6.0/lib/signet/oauth_2/client.rb:964:in `fetch_access_token!'
    from scripts/test.rb:7:in `<top (required)>'

tracing through bugsnag I find the error thrown at

Catchpoint at /Users/user/.rbenv/versions/2.1.2/lib/ruby/gems/2.1.0/gems/signet-0.6.0/lib/signet/oauth_2/client.rb:835: `undefined method `join' for nil:NilClass' (NoMethodError)

[830, 839] in /Users/user/.rbenv/versions/2.1.2/lib/ruby/gems/2.1.0/gems/signet-0.6.0/lib/signet/oauth_2/client.rb
   830: 
   831:         now = Time.new
   832:         skew = options[:skew] || 60
   833:         assertion = {
   834:           "iss" => self.issuer,
=> 835:           "scope" => self.scope.join(' '),
   836:           "aud" => self.audience,
   837:           "exp" => (now + self.expiry).to_i,
   838:           "iat" => (now - skew).to_i
   839:         }

inspecting locals and self shows us:

(byebug) v l
assertion = nil
now = 2015-05-19 12:03:26 -0700
options = {:connection=>#<Faraday::Connection:0x007fb4bd038ad0 @parallel_manager=nil, @headers={"User-Agent"=>"Faraday v0.9.1"}, @params={}, @options=#<Farad...
self = #<Google::Auth::ServiceAccountCredentials:0x007fb4b9eb0918>
skew = 60
(byebug) self
#<Google::Auth::ServiceAccountCredentials:0x007fb4b9eb0918 @token_credential_uri=#<Addressable::URI:0x3fda5fc2e59c URI:https://www.googleapis.com/oauth2/v3/token>, @scope=nil, @issuer="[email protected]", @expiry=60, @audience="https://www.googleapis.com/oauth2/v3/token", @signing_key=#<OpenSSL::PKey::RSA:0x007fb4bf8572a0>, @extension_parameters={}, @additional_parameters={}, @grant_type=nil, @refresh_token=nil>

obviously the @scope is nil.

can't get default credentials with service account

I did

$ cloud auth activate-service-account --key-file my_key.pem  [email protected]

Then

$ gcloud auth list
Loading legacy configuration file: [~/.config/gcloud/properties]
This configuration file is deprecated and will not be read in a future
gcloud release.  gcloud will automatically migrate your current settings to the
new configuration format the next time you set a property by running:
  $ gcloud config set PROPERTY VALUE
You may also run:
  $ gcloud init
to create a new configuration and walk you through initializing some basic
settings.  You can find more information on named configurations by running:
  $ gcloud topic configurations

Credentialed accounts:
 - [email protected] (active)
...

Then I did

$ gcloud init
...

All went fine but then I still can't login:

[3] pry(#<DefaultWorld>)> Google::Auth.get_application_default(@config[:scopes])
RuntimeError: Could not load the default credentials. Browse to
https://developers.google.com/accounts/docs/application-default-credentials
for more information
from ~/.gem/ruby/gems/googleauth-0.5.1/lib/googleauth.rb:119:in `get_application_default'

Two things are strange: after login, the SDK tool is still not very happy with the format used, and after init the Ruby library can't find credentials.

private_key is escaped when loaded using environment variable.

Problem in googleauth/service_account.rb ; method: self.make_creds

Working with service account.
private_key is defined as environment variable

GOOGLE_PRIVATE_KEY='-----BEGIN PRIVATE KEY-----\n ... \n-----END PRIVATE KEY-----\n'

When reading it in, the value becomes escaped:

ENV['GOOGLE_PRIVATE_KEY']
=> "-----BEGIN PRIVATE KEY-----\ ... \n-----END PRIVATE KEY-----\n"

My environment:
MacBook Pro, Ruby 2.3.1, Rails 5.0.0.1
development mode
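
An application-side check for the situation reported above and for the export GOOGLE_PRIVATE_KEY line in the README, added here as an illustration; it is not part of the issue and not googleauth's own code. The helper names are hypothetical, and the key is a throwaway generated at run time so the example runs offline.

```ruby
require 'openssl'

# True when OpenSSL can parse the text as a key. The empty passphrase keeps
# OpenSSL from ever prompting on a terminal.
def parses_as_key?(text)
  OpenSSL::PKey.read(text, '')
  true
rescue OpenSSL::PKey::PKeyError, ArgumentError
  false
end

# Turn the two-character sequence backslash + "n" into real line feeds, then
# fail closed unless the result is a parseable private key.
# The error messages deliberately never include the key material.
def normalize_private_key(raw)
  raise ArgumentError, 'private key is empty' if raw.nil? || raw.strip.empty?

  pem = raw.gsub('\n', "\n").strip + "\n"
  raise ArgumentError, 'value is not a parseable private key' unless parses_as_key?(pem)

  pem
end

# Reproduce the reported state with a constructed key: a single-line value
# holding literal \n sequences, as the shell stores it for both '...' and "...".
def escaped_key_demo
  key = OpenSSL::PKey::RSA.new(2048)                   # throwaway demo key
  original = key.to_pem
  escaped = original.gsub("\n") { '\n' }               # what ENV['GOOGLE_PRIVATE_KEY'] would hold
  normalized = normalize_private_key(escaped)
  {
    escaped_parses: parses_as_key?(escaped),           # false: no PEM line structure
    normalized_parses: parses_as_key?(normalized),     # true
    round_trips: normalized == original                # true: nothing but newlines changed
  }
end

if __FILE__ == $PROGRAM_NAME
  escaped_key_demo.each { |name, value| puts "#{name}: #{value}" }
end
```

Running the same check at application start turns a badly formatted variable into a clear configuration error instead of a signing failure on the first API call.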

Passing `user_id` to `get_credentials` results in an error

Line authorizer.get_authorization_url(user_id: nil, request: request) (inside a controller) throws the error:

googleauth (0.5.1) lib/googleauth/user_authorizer.rb, line 103
undefined method 'id' for #<String:0x007ffa796f4048>

def authorizer
  token_store = Google::Auth::Stores::RedisTokenStore.new(redis: Redis.current)
  @authorizer ||= Google::Auth::WebUserAuthorizer.new(
    ENV['GOOGLE_CLIENT_ID'],
    Google::Apis::GmailV1::AUTH_GMAIL_READONLY,
    token_store,
    '/oauth2callback')
end

ADC Support for User Refresh Tokens

The initial implementation of Application Default Credentials is missing one of the 3 credential types: User Refresh Tokens. This is basically the end result of a 3LO flow, and is an important part of the tool integration, as the Cloud SDK writes out this form of credential in the well-known-file location.

The file format to support is this:

{
"type": "authorized_user",
"client_id": "kflc91.apps.googleusercontent.com",
"client_secret": "1/olgReg3YaBQqxm6T",
"refresh_token": "2/fFAGRNJru1FTz70BzhT3Zg"
}

The "type" value is to differentiate it from a service account. The other 3 values are needed to get refresh tokens back. This is a common OAuth2 scenario, so there is likely to be an existing object that already supports getting access tokens from these values. This file could be in either the well-known file location or the environment variable location.

For reference, the Java implementation of these features is here:
https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java
https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java

UserAuthorizer does not support 'postmessage' value for redirect_uri

UserAuthorizer won't work with special value for redirect_uri which is postmessage (without any URI protocol). This value is taken from this instruction by Google and is confirmed to be working.

Currently UserAuthorizer will raise an exception in redirect_uri_for method:

" Absolute base url required for relative callback url "postmessage"

while the underlying Signet::OAuth2::Client has support for it, even in a weird way for now

def uri_is_postmessage?(uri)
  return uri.to_s.casecmp('postmessage') == 0
end

The request will go through and get credentials (by code).
Meanwhile, using UserRefreshCredentials directly allows using postmessage as the value for redirect_uri and making calls.

Special check for this value should be added in UserAuthorizer, probably in redirect_uri_for method

Cannot refresh access_token

I have a working app (Rails) that authenticates a user and saves her tokens in a Redis store.

If I've understood it correctly, using googleauth together with google-api-client, the client object will refresh the access token (by itself) as needed? This doesn't happen though, the token expires and some time after that I get a 403 error.

If the problem is on my side - can/should I invoke a new access_token manually, and if so how do I do that?

The code I've used is mainly taken from the quickstart guide.

def authorizer
  scope = Google::Apis::CalendarV3::AUTH_CALENDAR
  client_id = Google::Auth::ClientId.from_hash(JSON.parse(ENV['GOOGLE_CLIENT_SECRETS']))
  token_store = Google::Auth::Stores::RedisTokenStore.new(redis: $redis)
  authorizer = Google::Auth::WebUserAuthorizer.new(client_id, scope, token_store)
  authorizer
end

def authenticate_the_user
  user_id = "1"
  credentials = authorizer.get_credentials(user_id)
  redirect_to authorizer.get_authorization_url(login_hint: user_id, request: request, base_url: "http://localhost:3000")
end

def handle_callback
  credentials = authorizer.get_and_store_credentials_from_code(user_id: "1", code: params[:code], base_url: "http://localhost:3000/oauth2callback")
end

Updated tags?

New versions are not tagged after 0.4.1 which makes it difficult to lock down to specific versions. Can you please resume tagging releases?

Retrieve default Google Cloud project ID

Feature request

googleauth should have functionality to retrieve default Google Cloud project ID


The Google authentication libraries for other languages have implemented this or are planning on adding this. See #97 Support detection of project ID on the Node.js authentication library.

This bug is a follow-up from bug #951 google-cloud-ruby does not work with Application Default Credentials filed on the Google Cloud Client Library

This is related to a previous bug #43 Retrieve GCE project_id but googleauth should fetch this from different locations in addition to GCE.

The googleauth gem already has existing code that:

  1. Checks well-known path to Google Cloud SDK credential file
  2. Checks Google Compute Engine metadata server for credentials

Project detection should look up the project ID from:

  1. Well-known environment variable, GOOGLE_CLOUD_PROJECT
  2. Well-known path to Google Cloud SDK configuration file
  3. Google Compute Engine metadata server

This code will be used by the Google Cloud Client Library and could also be utilized by the generic Google API Client
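The lookup order requested above, as an added Ruby sketch (not googleauth code): `detect_project_id`, `project_from_sdk_config` and the injected `metadata_fetch` callable are hypothetical names, the SDK configuration is assumed to be INI text with the project under `[core]`, and the sample text is constructed. Sources are evaluated lazily, so the metadata server is only consulted when the environment variable and the SDK configuration both come up empty.

```ruby
# Constructed sample of Cloud SDK configuration text (assumed INI layout).
# The [compute] "project" key is a decoy to exercise section scoping.
SAMPLE_SDK_CONFIG = <<~INI
  [compute]
  project = not-this-one
  zone = us-central1-a

  [core]
  account = dev@example.com
  project = demo-project-123
INI

# Returns the `project` value of the [core] section, or nil if absent.
def project_from_sdk_config(text)
  section = nil
  text.to_s.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#', ';')

    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1].strip
    elsif section == 'core' && (m = line.match(/\Aproject\s*=\s*(.*)\z/))
      value = m[1].strip
      return value unless value.empty?
    end
  end
  nil
end

# Tries each source in the order listed in the request and stops at the
# first non-blank answer. `metadata_fetch` stands in for a call to the
# Compute Engine metadata server; it is injected so this runs offline.
def detect_project_id(env:, sdk_config_text: nil, metadata_fetch: -> { nil })
  sources = [
    [:environment,  -> { env['GOOGLE_CLOUD_PROJECT'] }],
    [:sdk_config,   -> { project_from_sdk_config(sdk_config_text) }],
    [:gce_metadata, metadata_fetch]
  ]
  sources.each do |source, lookup|
    value = lookup.call.to_s.strip
    return { project_id: value, source: source } unless value.empty?
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  p detect_project_id(env: {}, sdk_config_text: SAMPLE_SDK_CONFIG)
end
```

Returning the source alongside the ID makes it possible to log where the project came from, which helps when an unexpected environment variable overrides the SDK configuration.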

Getting an error `State token does not match expected value`

I have integrated the google auth library and everything is working fine for a particular URL. But if I change the place from where the auth is called, keeping the redirect URL the same, I get an error saying State token does not match expected value.

I have commented out the check for xsrf_token and session token which makes everything work but that isn't a solution I want to go with. Can anyone please help me solve this issue?

Thanks.

Does this library handle the token refresh procedure?

Hi, I see that the token lives for 1 hour but can't see where refreshing is done.

I use this gem with google-api-ruby-client, and in google-api-client-0.9/lib/google/apis/core/http_command.rb:130 I see the comment # Handled implicitly by auth lib, here in case need to override

WebUserAuthorizer token revoking

Is there a way to revoke a token using the WebUserAuthorizer?

What works:

authorizer = Google::Auth::UserAuthorizer.new(client_id, SCOPE, token_store)	
authorizer.revoke_authorization(user_id)

The problem is that elsewhere I am using the WebUserAuthorizer to create the request. So I would like to do something like:

authorizer = Google::Auth::WebUserAuthorizer.new(client_id, SCOPE, token_store)	
authorizer.revoke_authorization(user_id)
=> ArgumentError (wrong number of arguments (given 1, expected 2..3))

Now if I change to:

authorizer.revoke_authorization(user_id, request)
=> ArgumentError (wrong number of arguments (given 2, expected 1)):

Should I keep using the UserAuthorizer? It works I suppose, but it seems weird to use both.

How do you just provide some credentials?

We are trying to upgrade to the newest google-api-client library (v0.9.9) and are struggling with getting the authentication to work. How do we simply provide a client_id, client_secret, access_token, and refresh_token? We tried using Signet directly but that doesn't seem to work.

client.authorization = Signet::OAuth2::Client.new(
  client_id: "...",
  client_secret: "...",
  access_token: "...",
  refresh_token: "..."
)

We then tried to use this library, but there doesn't seem to be a straightforward way to provide credentials. Any help would be appreciated!

Authorization issues when trying to use the library

Hi.

I've been trying to use the library and unfortunately not having much success... It's probably because I'm missing something really silly, but I can't progress anymore so maybe you could help?

This is what I am doing

require 'google/apis/compute_v1'
require 'googleauth'

scopes = ['https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/compute']
authorization = Google::Auth.get_application_default(scopes)

some_headers = {}
auth = authorization.apply(some_headers)

Cont = Google::Apis::ComputeV1 # alias the module so Cont::ComputeService resolves
compute = Cont::ComputeService.new
compute.authorization = auth

compute.list_instances(myproject, project_region)

However, I keep getting this error after the last line is run:

2.1.6 :015 > compute.list_instances(myproject, project_region)
Google::Apis::AuthorizationError: Unauthorized
from /Users/pedrovieira/.rvm/gems/ruby-2.1.6/gems/google-api-client-0.9.pre3/lib/google/apis/core/http_command.rb:191:in `check_status'
from /Users/pedrovieira/.rvm/gems/ruby-2.1.6/gems/google-api-client-0.9.pre3/lib/google/apis/core/api_command.rb:105:in `check_status'
from /Users/pedrovieira/.rvm/gems/ruby-2.1.6/gems/google-api-client-0.9.pre3/lib/google/apis/core/http_command.rb:162:in `process_response'
from /Users/pedrovieira/.rvm/gems/ruby-2.1.6/gems/google-api-client-0.9.pre3/lib/google/apis/core/http_command.rb:261:in `execute_once'
from /Users/pedrovieira/.rvm/gems/ruby-2.1.6/gems/g .... stacktrace continues...

I'm stuck at this point and was hoping you could shed some light on what I might be missing here.

Thanks!

UserAuthorizer saves and loads "expires_at" field for OAuth2::Client, this will not be updated on token refresh

Currently the UserAuthorizer class saves the expires_at field in the store_credentials method. The first time, when the token was created (e.g. from an authorization code), this is a calculated field in Signet::Client unless not set explicitly.

json = MultiJson.dump(
  client_id: credentials.client_id,
  access_token: credentials.access_token,
  refresh_token: credentials.refresh_token,
  scope: credentials.scope,
  expiration_time_millis: credentials.expires_at.to_i * 1000
)

def expires_at
  if @expires_at
    @expires_at
  elsif @issued_at && @expires_in
    return @issued_at + @expires_in
  else
    return nil
  end
end

UserAuthorizer then uses this stored value in the get_credentials call here and puts it explicitly into the new UserRefreshCredentials object. This time it will have an explicit value and will not calculate expires_at properly.

credentials = UserRefreshCredentials.new(
  client_id: @client_id.id,
  client_secret: @client_id.secret,
  scope: data['scope'] || @scope,
  access_token: data['access_token'],
  refresh_token: data['refresh_token'],
  expires_at: data.fetch('expiration_time_millis', 0) / 1000
)

Later, when the token is refreshed because of expiration, the expires_at field won't get updated, because Google explicitly returns only expires_in in response to the token refresh call. And Signet::Client doesn't update expires_at if it was not set explicitly (and it's not). So expires_at will remain the old value, explicitly set by UserAuthorizer before. See here:

def expires_in=(new_expires_in)
  if new_expires_in != nil
    @expires_in = new_expires_in.to_i
    @issued_at = Time.now
  else
    @expires_in, @issued_at, @expires_at = nil, nil, nil
  end
end

At the same time, the expires_within? method (used on each apply! call to verify whether the token has expired) checks the expires_at method, which will use the explicit value if it was set (and the calculated value only if not set). So in the apply! method it will think that the token has expired, because it checks against the expires_at value, although the token was just updated (but the expires_at field was not).

expiration_time_millis not updated after token refresh

I have written a custom token store for persisting my tokens. Everything about automatically refreshing seems to be working and the refresh token gets persisted back to my store properly. The issue I'm having is that the expiration_time_millis field on the json token passed to the store method of my custom token store isn't updated with the new expiration time. It still has the old value from before the refresh happens. This in turn leads to 2 refreshes every time the code is run and defeats the ability to actually persist tokens for reuse once the initial validity period expires.
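The sequence described in this report and the previous one, replayed against a small stand-alone model (an added example, not googleauth or Signet source; `ModelClient`, `replay_refresh` and the `clear_on_refresh` switch are hypothetical, and the timestamps are constructed). With the switch off, the explicit `expires_at` loaded from the store survives the refresh, so the token still looks expired and the stale value is what gets persisted again.

```ruby
# Model of the expiry bookkeeping quoted in the issue. Only expires_at,
# expires_in= and expires_within? are modelled, and the clock is injected
# so the replay is deterministic.
class ModelClient
  def initialize(clock:, expires_at: nil, clear_on_refresh: false)
    @clock = clock
    @expires_at = expires_at # explicit value, e.g. loaded from a token store
    @issued_at = nil
    @expires_in = nil
    @clear_on_refresh = clear_on_refresh
  end

  # An explicit value wins; otherwise derive it from the last token response.
  def expires_at
    return @expires_at if @expires_at
    return @issued_at + @expires_in if @issued_at && @expires_in

    nil
  end

  # Called with the expires_in field of a token (refresh) response.
  def expires_in=(new_expires_in)
    if new_expires_in.nil?
      @expires_in = @issued_at = @expires_at = nil
    else
      @expires_in = new_expires_in.to_i
      @issued_at = @clock.call
      # Hypothetical fix: a fresh response supersedes any explicit expiry.
      @expires_at = nil if @clear_on_refresh
    end
  end

  def expires_within?(seconds)
    !expires_at.nil? && @clock.call >= expires_at - seconds
  end
end

# Loads a stored record, lets it expire, refreshes once, then reports
# whether the token still looks expired and what would be persisted.
def replay_refresh(clear_on_refresh:)
  now = Time.at(1_700_000_000) # constructed start time
  stored = { 'expiration_time_millis' => (now.to_i + 3600) * 1000 }
  client = ModelClient.new(
    clock: -> { now },
    expires_at: Time.at(stored.fetch('expiration_time_millis', 0) / 1000),
    clear_on_refresh: clear_on_refresh
  )
  now += 3700 # the stored token is now past its expiry
  stale_before = client.expires_within?(60)
  client.expires_in = 3600 # the refresh response carries expires_in only
  {
    stale_before: stale_before,
    stale_after: client.expires_within?(60),
    persisted_millis: client.expires_at.to_i * 1000
  }
end

if __FILE__ == $PROGRAM_NAME
  p replay_refresh(clear_on_refresh: false)
  p replay_refresh(clear_on_refresh: true)
end
```

A token store can detect this condition by comparing the `expiration_time_millis` it is asked to write with the value it last read for the same user: an unchanged value right after a refresh means the expiry was not recomputed.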

Load JSON file's content on Heroku?

Hi

It seems to me that the credentials_loader.rb insists on a file but on Heroku there are those nice config vars. Can the credentials_loader.rb somehow be tricked to accept a config var instead of

ENV["GOOGLE_APPLICATION_CREDENTIALS"] = "api-test-key.json" 

I managed to put the JSON's contents in a heroku config var nicely and can get it by calling

puts ENV["GOOGLE_APPLICATION_CREDENTIALS"]

Thanks!

Should logging be made a development dependency?

While reviewing the project's dependencies I noticed that logging is only loaded by the test suite. Did I overlook something?

Can logging be made a development dependency if its use is restricted to the test suite?

Using the command line example, how can I get credentials to refresh?

I'm authenticating against a REST Execution API script target.

Currently after authorizing, I can run Google::Apis::ScriptV1::ExecutionRequests until the expiration_time_millis, and then they stop working with "errorMessage"=>"Authorization is required to perform that action." until I manually delete the tokens.json file and re-authenticate.

Is there something beyond the command line example in the readme that I need to do? I can't figure it out from browsing the code.

My end goal is to authenticate my rails app against my script target once on deployment, and have it run indefinitely.

Bug: ArgumentError when revoking credentials via WebUserAuthorizer

# Where google_authorizer is a Google::Auth::WebUserAuthorizer
google_authorizer.revoke_authorization("[email protected]")
# !! <ArgumentError: wrong number of arguments (given 1, expected 2..3)> from ..../googleauth-0.5.1/lib/googleauth/web_user_authorizer.rb:185:in `get_credentials'

Seems to be due to the change in arity of get_credentials inside the authorizer.

As a workaround I am monkey-patching the authorizer eigenclass:

def google_authorizer.revoke2(user_id)
  credentials = method(:get_credentials).super_method.call(user_id)
  if credentials
    @token_store.delete(user_id)
    credentials.revoke! rescue nil
  end
end
google_authorizer.revoke2("[email protected]")

Unclear how to get user

This is an issue with documentation. Both examples assume that user_id is known. What if it isn't, i.e. if I am actually doing SSO with this flow?

Could not load the default credentials

Very often we get the following message:

Error encountered during server creation: RuntimeError: Could not load the default credentials. Browse to https://developers.google.com/accounts/docs/application-default-credentials for more information

cat chef/cookbooks/jetty/.kitchen/logs/jetty-centos-67.log
I, [2016-08-16T13:13:47.130398 #2916]  INFO -- jetty-centos-67: -----> Cleaning up any prior instances of <jetty-centos-67>
I, [2016-08-16T13:13:47.130752 #2916]  INFO -- jetty-centos-67: -----> Destroying <jetty-centos-67>...
I, [2016-08-16T13:13:47.132258 #2916]  INFO -- jetty-centos-67: Finished destroying <jetty-centos-67> (0m0.00s).
I, [2016-08-16T13:13:47.132630 #2916]  INFO -- jetty-centos-67: -----> Testing <jetty-centos-67>
I, [2016-08-16T13:13:47.132841 #2916]  INFO -- jetty-centos-67: -----> Creating <jetty-centos-67>...
E, [2016-08-16T13:13:47.341093 #2916] ERROR -- jetty-centos-67: Error encountered during server creation: RuntimeError: Could not load the default credentials. Browse to
https://developers.google.com/accounts/docs/application-default-credentials
for more information

E, [2016-08-16T13:13:47.341355 #2916] ERROR -- jetty-centos-67: Create failed on instance <jetty-centos-67>.
E, [2016-08-16T13:13:47.341449 #2916] ERROR -- jetty-centos-67: ------Exception-------
E, [2016-08-16T13:13:47.341507 #2916] ERROR -- jetty-centos-67: Class: RuntimeError
E, [2016-08-16T13:13:47.341554 #2916] ERROR -- jetty-centos-67: Message: Could not load the default credentials. Browse to
https://developers.google.com/accounts/docs/application-default-credentials
for more information

E, [2016-08-16T13:13:47.341599 #2916] ERROR -- jetty-centos-67: ------Backtrace-------
E, [2016-08-16T13:13:47.341655 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/googleauth-0.5.1/lib/googleauth.rb:119:in `get_application_default'
E, [2016-08-16T13:13:47.341724 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/kitchen-google-1.1.0/lib/kitchen/driver/gce.rb:193:in `authorization'
E, [2016-08-16T13:13:47.341769 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/kitchen-google-1.1.0/lib/kitchen/driver/gce.rb:183:in `connection'
E, [2016-08-16T13:13:47.341819 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/kitchen-google-1.1.0/lib/kitchen/driver/gce.rb:233:in `block in valid_project?'
E, [2016-08-16T13:13:47.341861 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/kitchen-google-1.1.0/lib/kitchen/driver/gce.rb:224:in `check_api_call'
E, [2016-08-16T13:13:47.341903 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/kitchen-google-1.1.0/lib/kitchen/driver/gce.rb:233:in `valid_project?'
E, [2016-08-16T13:13:47.341949 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/kitchen-google-1.1.0/lib/kitchen/driver/gce.rb:162:in `validate!'
E, [2016-08-16T13:13:47.342017 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/kitchen-google-1.1.0/lib/kitchen/driver/gce.rb:113:in `create'
E, [2016-08-16T13:13:47.342065 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/test-kitchen-1.7.3/lib/kitchen/instance.rb:449:in `public_send'
E, [2016-08-16T13:13:47.342126 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/test-kitchen-1.7.3/lib/kitchen/instance.rb:449:in `block in perform_action'
E, [2016-08-16T13:13:47.342175 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/test-kitchen-1.7.3/lib/kitchen/instance.rb:513:in `call'
E, [2016-08-16T13:13:47.342231 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/test-kitchen-1.7.3/lib/kitchen/instance.rb:513:in `synchronize_or_call'
E, [2016-08-16T13:13:47.342269 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/test-kitchen-1.7.3/lib/kitchen/instance.rb:478:in `block in action'
E, [2016-08-16T13:13:47.342313 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/2.1.0/benchmark.rb:279:in `measure'
E, [2016-08-16T13:13:47.342358 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/test-kitchen-1.7.3/lib/kitchen/instance.rb:477:in `action'
E, [2016-08-16T13:13:47.342394 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/test-kitchen-1.7.3/lib/kitchen/instance.rb:449:in `perform_action'
E, [2016-08-16T13:13:47.342451 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/test-kitchen-1.7.3/lib/kitchen/instance.rb:359:in `create_action'
E, [2016-08-16T13:13:47.342491 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/test-kitchen-1.7.3/lib/kitchen/instance.rb:348:in `block in transition_to'
E, [2016-08-16T13:13:47.342554 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/test-kitchen-1.7.3/lib/kitchen/instance.rb:347:in `each'
E, [2016-08-16T13:13:47.342617 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/test-kitchen-1.7.3/lib/kitchen/instance.rb:347:in `transition_to'
E, [2016-08-16T13:13:47.342660 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/test-kitchen-1.7.3/lib/kitchen/instance.rb:160:in `verify'
E, [2016-08-16T13:13:47.342701 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/test-kitchen-1.7.3/lib/kitchen/instance.rb:189:in `block in test'
E, [2016-08-16T13:13:47.342743 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/2.1.0/benchmark.rb:279:in `measure'
E, [2016-08-16T13:13:47.342782 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/test-kitchen-1.7.3/lib/kitchen/instance.rb:185:in `test'
E, [2016-08-16T13:13:47.342826 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/test-kitchen-1.7.3/lib/kitchen/command.rb:176:in `public_send'
E, [2016-08-16T13:13:47.342869 #2916] ERROR -- jetty-centos-67: /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/test-kitchen-1.7.3/lib/kitchen/command.rb:176:in `block (2 levels) in run_action'
E, [2016-08-16T13:13:47.342923 #2916] ERROR -- jetty-centos-67: ----------------------
I, [2016-08-16T13:13:47.343881 #2916]  INFO -- jetty-centos-67: -----> Destroying <jetty-centos-67>...
I, [2016-08-16T13:13:47.344810 #2916]  INFO -- jetty-centos-67: Finished destroying <jetty-centos-67> (0m0.00s).

Do you have any methods for debugging this issue? How can we determine what the problem is?

Centos 6.7
Chef Development Kit Version: 0.13.21
chef-client version: 12.9.41
berks version: 4.3.2
kitchen version: 1.7.3
chef exec gem list


Faraday Newer Version Support

Any plans to support newer versions of faraday? Starting to run into gem conflicts that are stuck on v0.9x of faraday.

ServiceAccountCredentials initialize does not pass additional options to parent

I'm using the ServiceAccountCredentials to authenticate a service account. I also need to specify the 'sub' parameter to set the email address of a delegated account. Using the code:

client = Google::Auth::ServiceAccountCredentials.new(json_key_io: json_key_io, scope: scope, sub: '[email protected]')

The sub parameter is not passed to the parent class. I need to specify it manually in a separate step like this:

client = Google::Auth::ServiceAccountCredentials.new(json_key_io: json_key_io, scope: scope)
client.update!(sub: '[email protected]')

Missing loading pkcs keys

I'm upgrading code from 0.8 to 0.9. I'm not finding where this method is in the new auth api: Google::APIClient::KeyUtils.load_from_pkcs12

Context: I'm deploying ruby code to heroku for service account access to Google Admin SDK. Since the code base is open source, I can not store the json file or pkcs12 on the filesystem. I see that in Issue 27 you added support for reading a json file from environment variables, but I'm having a deuce of a time formatting the json so that it can be stored as an environment variable. As such, I'd like to be able to pull in a pkcs12 key from an environment variable.

Jwt Access Credentials should cache JWTs

The JWT Access Credentials should temporarily cache JWTs. Suggested algorithm:

  • Hash JWTs using Audience as key.
  • Also store the timestamp of last use with each JWT.
  • On access clear any JWT unused for more than 1 hour.
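The suggested algorithm as an added Ruby sketch (not googleauth code; `JwtCache`, `jwt_cache_demo`, the audiences and the token lifetimes are hypothetical or constructed). It goes one step beyond the three bullets by also dropping entries whose token has already expired, so a frequently used entry cannot hand out a JWT past its expiry.

```ruby
class JwtCache
  IDLE_LIMIT = 3600 # seconds; the "unused for more than 1 hour" rule

  Entry = Struct.new(:jwt, :expires_at, :last_used)

  def initialize(clock: -> { Time.now })
    @clock = clock
    @entries = {} # audience => Entry
    @lock = Mutex.new
  end

  # Returns the cached JWT for the audience, or calls the block to mint one.
  # The block receives the audience and must return [jwt_string, expiry_time].
  def fetch(audience)
    @lock.synchronize do
      now = @clock.call
      sweep(now)
      entry = @entries[audience]
      unless entry
        jwt, expires_at = yield(audience)
        entry = @entries[audience] = Entry.new(jwt, expires_at, now)
      end
      entry.last_used = now
      entry.jwt
    end
  end

  def size
    @lock.synchronize { @entries.size }
  end

  private

  # Runs on every access: drops idle entries (the suggested rule) and
  # entries whose token has expired (the addition made in this sketch).
  def sweep(now)
    @entries.delete_if do |_audience, e|
      now - e.last_used > IDLE_LIMIT || now >= e.expires_at
    end
  end
end

# Constructed walk-through with an injected clock and a fake minting block.
def jwt_cache_demo
  now = Time.at(1_700_000_000)
  minted = 0
  cache = JwtCache.new(clock: -> { now })
  mint = lambda do |aud|
    minted += 1
    lifetime = aud.include?('long') ? 4 * 3600 : 3600 # constructed lifetimes
    ["jwt-#{minted}-for-#{aud}", now + lifetime]
  end

  a1 = cache.fetch('https://a.example/', &mint)
  now += 1800
  a2 = cache.fetch('https://a.example/', &mint)     # hit: same token
  b1 = cache.fetch('https://long.example/', &mint)
  now += 1900
  a3 = cache.fetch('https://a.example/', &mint)     # expired: minted again
  size_mid = cache.size
  now += 1800
  a4 = cache.fetch('https://a.example/', &mint)     # hit; long.example idles out
  size_end = cache.size
  b2 = cache.fetch('https://long.example/', &mint)  # unexpired but evicted
  { a1: a1, a2: a2, a3: a3, a4: a4, b1: b1, b2: b2,
    minted: minted, size_mid: size_mid, size_end: size_end }
end

p jwt_cache_demo if __FILE__ == $PROGRAM_NAME
```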

Add custom params to the callback url

Hi all!

It seems I can't find a way to set some custom query params to the callback url. I've tried using state, but if I do that I'm getting Invalid redirect_uri contains reserved response param state from Google... and I can't find anything in the code around it.

Is there any way to send a custom param and have that back in the callback url?

Thanks

Multiple public/private key pairs

In my case I have different public/private key pairs to access the same API in different accounts. Any suggestions on how to use these with googleauth? Setting the GOOGLE_APPLICATION_CREDENTIALS in that case won't work (I guess).

ADC Support for JWT Service Tokens

This is similar to ServiceAccount authorization

  • service account creds are required
  • a jwt token is sent as the Authorization header, rather than being exchanged for an access token
  • the jwt token is constructed from service account creds, and requires the uri being accessed
