mirror of https://github.com/grpc/grpc.git
Merge pull request #783 from tbetbetbe/grpc_ruby_switch_auth_to_google_auth_library_ruby
Grpc ruby switch auth to google auth library rubypull/400/merge
Michael Lumish
10 years ago
commit
886144544c
12 changed files with 30 additions and 667 deletions
@ -1,67 +0,0 @@ |
||||
# Copyright 2015, Google Inc. |
||||
# All rights reserved. |
||||
# |
||||
# Redistribution and use in source and binary forms, with or without |
||||
# modification, are permitted provided that the following conditions are |
||||
# met: |
||||
# |
||||
# * Redistributions of source code must retain the above copyright |
||||
# notice, this list of conditions and the following disclaimer. |
||||
# * Redistributions in binary form must reproduce the above |
||||
# copyright notice, this list of conditions and the following disclaimer |
||||
# in the documentation and/or other materials provided with the |
||||
# distribution. |
||||
# * Neither the name of Google Inc. nor the names of its |
||||
# contributors may be used to endorse or promote products derived from |
||||
# this software without specific prior written permission. |
||||
# |
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
||||
|
||||
require 'faraday' |
||||
require 'grpc/auth/signet' |
||||
|
||||
module GRPC |
||||
# Module Auth provides classes that provide Google-specific authentication |
||||
# used to access Google gRPC services. |
||||
module Auth |
||||
# Extends Signet::OAuth2::Client so that the auth token is obtained from |
||||
# the GCE metadata server. |
||||
class GCECredentials < Signet::OAuth2::Client |
||||
COMPUTE_AUTH_TOKEN_URI = 'http://metadata/computeMetadata/v1/'\ |
||||
'instance/service-accounts/default/token' |
||||
COMPUTE_CHECK_URI = 'http://metadata.google.internal' |
||||
|
||||
# Detect if this appear to be a GCE instance, by checking if metadata |
||||
# is available |
||||
def self.on_gce?(options = {}) |
||||
c = options[:connection] || Faraday.default_connection |
||||
resp = c.get(COMPUTE_CHECK_URI) |
||||
return false unless resp.status == 200 |
||||
return false unless resp.headers.key?('Metadata-Flavor') |
||||
return resp.headers['Metadata-Flavor'] == 'Google' |
||||
rescue Faraday::ConnectionFailed |
||||
return false |
||||
end |
||||
|
||||
# Overrides the super class method to change how access tokens are |
||||
# fetched. |
||||
def fetch_access_token(options = {}) |
||||
c = options[:connection] || Faraday.default_connection |
||||
c.headers = { 'Metadata-Flavor' => 'Google' } |
||||
resp = c.get(COMPUTE_AUTH_TOKEN_URI) |
||||
Signet::OAuth2.parse_credentials(resp.body, |
||||
resp.headers['content-type']) |
||||
end |
||||
end |
||||
end |
||||
end |
||||
@ -1,66 +0,0 @@ |
||||
# Copyright 2015, Google Inc. |
||||
# All rights reserved. |
||||
# |
||||
# Redistribution and use in source and binary forms, with or without |
||||
# modification, are permitted provided that the following conditions are |
||||
# met: |
||||
# |
||||
# * Redistributions of source code must retain the above copyright |
||||
# notice, this list of conditions and the following disclaimer. |
||||
# * Redistributions in binary form must reproduce the above |
||||
# copyright notice, this list of conditions and the following disclaimer |
||||
# in the documentation and/or other materials provided with the |
||||
# distribution. |
||||
# * Neither the name of Google Inc. nor the names of its |
||||
# contributors may be used to endorse or promote products derived from |
||||
# this software without specific prior written permission. |
||||
# |
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
||||
|
||||
require 'grpc/auth/signet' |
||||
require 'multi_json' |
||||
require 'openssl' |
||||
|
||||
# Reads the private key and client email fields from service account JSON key. |
||||
def read_json_key(json_key_io) |
||||
json_key = MultiJson.load(json_key_io.read) |
||||
fail 'missing client_email' unless json_key.key?('client_email') |
||||
fail 'missing private_key' unless json_key.key?('private_key') |
||||
[json_key['private_key'], json_key['client_email']] |
||||
end |
||||
|
||||
module GRPC |
||||
# Module Auth provides classes that provide Google-specific authentication |
||||
# used to access Google gRPC services. |
||||
module Auth |
||||
# Authenticates requests using Google's Service Account credentials. |
||||
# (cf https://developers.google.com/accounts/docs/OAuth2ServiceAccount) |
||||
class ServiceAccountCredentials < Signet::OAuth2::Client |
||||
TOKEN_CRED_URI = 'https://www.googleapis.com/oauth2/v3/token' |
||||
AUDIENCE = TOKEN_CRED_URI |
||||
|
||||
# Initializes a ServiceAccountCredentials. |
||||
# |
||||
# @param scope [string|array] the scope(s) to access |
||||
# @param json_key_io [IO] an IO from which the JSON key can be read |
||||
def initialize(scope, json_key_io) |
||||
private_key, client_email = read_json_key(json_key_io) |
||||
super(token_credential_uri: TOKEN_CRED_URI, |
||||
audience: AUDIENCE, |
||||
scope: scope, |
||||
issuer: client_email, |
||||
signing_key: OpenSSL::PKey::RSA.new(private_key)) |
||||
end |
||||
end |
||||
end |
||||
end |
||||
@ -1,67 +0,0 @@ |
||||
# Copyright 2015, Google Inc. |
||||
# All rights reserved. |
||||
# |
||||
# Redistribution and use in source and binary forms, with or without |
||||
# modification, are permitted provided that the following conditions are |
||||
# met: |
||||
# |
||||
# * Redistributions of source code must retain the above copyright |
||||
# notice, this list of conditions and the following disclaimer. |
||||
# * Redistributions in binary form must reproduce the above |
||||
# copyright notice, this list of conditions and the following disclaimer |
||||
# in the documentation and/or other materials provided with the |
||||
# distribution. |
||||
# * Neither the name of Google Inc. nor the names of its |
||||
# contributors may be used to endorse or promote products derived from |
||||
# this software without specific prior written permission. |
||||
# |
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
||||
|
||||
require 'signet/oauth_2/client' |
||||
|
||||
module Signet |
||||
# Signet::OAuth2 supports OAuth2 authentication. |
||||
module OAuth2 |
||||
AUTH_METADATA_KEY = :Authorization |
||||
# Signet::OAuth2::Client creates an OAuth2 client |
||||
# |
||||
# Here client is re-opened to add the #apply and #apply! methods which |
||||
# update a hash map with the fetched authentication token |
||||
# |
||||
# Eventually, this change may be merged into signet itself, or some other |
||||
# package that provides Google-specific auth via signet, and this extension |
||||
# will be unnecessary. |
||||
class Client |
||||
# Updates a_hash updated with the authentication token |
||||
def apply!(a_hash, opts = {}) |
||||
# fetch the access token there is currently not one, or if the client |
||||
# has expired |
||||
fetch_access_token!(opts) if access_token.nil? || expired? |
||||
a_hash[AUTH_METADATA_KEY] = "Bearer #{access_token}" |
||||
end |
||||
|
||||
# Returns a clone of a_hash updated with the authentication token |
||||
def apply(a_hash, opts = {}) |
||||
a_copy = a_hash.clone |
||||
apply!(a_copy, opts) |
||||
a_copy |
||||
end |
||||
|
||||
# Returns a reference to the #apply method, suitable for passing as |
||||
# a closure |
||||
def updater_proc |
||||
lambda(&method(:apply)) |
||||
end |
||||
end |
||||
end |
||||
end |
||||
@ -1,163 +0,0 @@ |
||||
# Copyright 2015, Google Inc. |
||||
# All rights reserved. |
||||
# |
||||
# Redistribution and use in source and binary forms, with or without |
||||
# modification, are permitted provided that the following conditions are |
||||
# met: |
||||
# |
||||
# * Redistributions of source code must retain the above copyright |
||||
# notice, this list of conditions and the following disclaimer. |
||||
# * Redistributions in binary form must reproduce the above |
||||
# copyright notice, this list of conditions and the following disclaimer |
||||
# in the documentation and/or other materials provided with the |
||||
# distribution. |
||||
# * Neither the name of Google Inc. nor the names of its |
||||
# contributors may be used to endorse or promote products derived from |
||||
# this software without specific prior written permission. |
||||
# |
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
||||
|
||||
spec_dir = File.expand_path(File.join(File.dirname(__FILE__))) |
||||
$LOAD_PATH.unshift(spec_dir) |
||||
$LOAD_PATH.uniq! |
||||
|
||||
require 'faraday' |
||||
require 'spec_helper' |
||||
|
||||
def build_json_response(payload) |
||||
[200, |
||||
{ 'Content-Type' => 'application/json; charset=utf-8' }, |
||||
MultiJson.dump(payload)] |
||||
end |
||||
|
||||
WANTED_AUTH_KEY = :Authorization |
||||
|
||||
shared_examples 'apply/apply! are OK' do |
||||
# tests that use these examples need to define |
||||
# |
||||
# @client which should be an auth client |
||||
# |
||||
# @make_auth_stubs, which should stub out the expected http behaviour of the |
||||
# auth client |
||||
describe '#fetch_access_token' do |
||||
it 'should set access_token to the fetched value' do |
||||
token = '1/abcdef1234567890' |
||||
stubs = make_auth_stubs with_access_token: token |
||||
c = Faraday.new do |b| |
||||
b.adapter(:test, stubs) |
||||
end |
||||
|
||||
@client.fetch_access_token!(connection: c) |
||||
expect(@client.access_token).to eq(token) |
||||
stubs.verify_stubbed_calls |
||||
end |
||||
end |
||||
|
||||
describe '#apply!' do |
||||
it 'should update the target hash with fetched access token' do |
||||
token = '1/abcdef1234567890' |
||||
stubs = make_auth_stubs with_access_token: token |
||||
c = Faraday.new do |b| |
||||
b.adapter(:test, stubs) |
||||
end |
||||
|
||||
md = { foo: 'bar' } |
||||
@client.apply!(md, connection: c) |
||||
want = { :foo => 'bar', WANTED_AUTH_KEY => "Bearer #{token}" } |
||||
expect(md).to eq(want) |
||||
stubs.verify_stubbed_calls |
||||
end |
||||
end |
||||
|
||||
describe 'updater_proc' do |
||||
it 'should provide a proc that updates a hash with the access token' do |
||||
token = '1/abcdef1234567890' |
||||
stubs = make_auth_stubs with_access_token: token |
||||
c = Faraday.new do |b| |
||||
b.adapter(:test, stubs) |
||||
end |
||||
|
||||
md = { foo: 'bar' } |
||||
the_proc = @client.updater_proc |
||||
got = the_proc.call(md, connection: c) |
||||
want = { :foo => 'bar', WANTED_AUTH_KEY => "Bearer #{token}" } |
||||
expect(got).to eq(want) |
||||
stubs.verify_stubbed_calls |
||||
end |
||||
end |
||||
|
||||
describe '#apply' do |
||||
it 'should not update the original hash with the access token' do |
||||
token = '1/abcdef1234567890' |
||||
stubs = make_auth_stubs with_access_token: token |
||||
c = Faraday.new do |b| |
||||
b.adapter(:test, stubs) |
||||
end |
||||
|
||||
md = { foo: 'bar' } |
||||
@client.apply(md, connection: c) |
||||
want = { foo: 'bar' } |
||||
expect(md).to eq(want) |
||||
stubs.verify_stubbed_calls |
||||
end |
||||
|
||||
it 'should add the token to the returned hash' do |
||||
token = '1/abcdef1234567890' |
||||
stubs = make_auth_stubs with_access_token: token |
||||
c = Faraday.new do |b| |
||||
b.adapter(:test, stubs) |
||||
end |
||||
|
||||
md = { foo: 'bar' } |
||||
got = @client.apply(md, connection: c) |
||||
want = { :foo => 'bar', WANTED_AUTH_KEY => "Bearer #{token}" } |
||||
expect(got).to eq(want) |
||||
stubs.verify_stubbed_calls |
||||
end |
||||
|
||||
it 'should not fetch a new token if the current is not expired' do |
||||
token = '1/abcdef1234567890' |
||||
stubs = make_auth_stubs with_access_token: token |
||||
c = Faraday.new do |b| |
||||
b.adapter(:test, stubs) |
||||
end |
||||
|
||||
n = 5 # arbitrary |
||||
n.times do |_t| |
||||
md = { foo: 'bar' } |
||||
got = @client.apply(md, connection: c) |
||||
want = { :foo => 'bar', WANTED_AUTH_KEY => "Bearer #{token}" } |
||||
expect(got).to eq(want) |
||||
end |
||||
stubs.verify_stubbed_calls |
||||
end |
||||
|
||||
it 'should fetch a new token if the current one is expired' do |
||||
token_1 = '1/abcdef1234567890' |
||||
token_2 = '2/abcdef1234567890' |
||||
|
||||
[token_1, token_2].each do |t| |
||||
stubs = make_auth_stubs with_access_token: t |
||||
c = Faraday.new do |b| |
||||
b.adapter(:test, stubs) |
||||
end |
||||
md = { foo: 'bar' } |
||||
got = @client.apply(md, connection: c) |
||||
want = { :foo => 'bar', WANTED_AUTH_KEY => "Bearer #{t}" } |
||||
expect(got).to eq(want) |
||||
stubs.verify_stubbed_calls |
||||
@client.expires_at -= 3601 # default is to expire in 1hr |
||||
end |
||||
end |
||||
end |
||||
end |
||||
@ -1,108 +0,0 @@ |
||||
# Copyright 2015, Google Inc. |
||||
# All rights reserved. |
||||
# |
||||
# Redistribution and use in source and binary forms, with or without |
||||
# modification, are permitted provided that the following conditions are |
||||
# met: |
||||
# |
||||
# * Redistributions of source code must retain the above copyright |
||||
# notice, this list of conditions and the following disclaimer. |
||||
# * Redistributions in binary form must reproduce the above |
||||
# copyright notice, this list of conditions and the following disclaimer |
||||
# in the documentation and/or other materials provided with the |
||||
# distribution. |
||||
# * Neither the name of Google Inc. nor the names of its |
||||
# contributors may be used to endorse or promote products derived from |
||||
# this software without specific prior written permission. |
||||
# |
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
||||
|
||||
spec_dir = File.expand_path(File.join(File.dirname(__FILE__))) |
||||
$LOAD_PATH.unshift(spec_dir) |
||||
$LOAD_PATH.uniq! |
||||
|
||||
require 'apply_auth_examples' |
||||
require 'faraday' |
||||
require 'grpc/auth/compute_engine' |
||||
require 'spec_helper' |
||||
|
||||
describe GRPC::Auth::GCECredentials do |
||||
MD_URI = '/computeMetadata/v1/instance/service-accounts/default/token' |
||||
GCECredentials = GRPC::Auth::GCECredentials |
||||
|
||||
before(:example) do |
||||
@client = GCECredentials.new |
||||
end |
||||
|
||||
def make_auth_stubs(with_access_token: '') |
||||
Faraday::Adapter::Test::Stubs.new do |stub| |
||||
stub.get(MD_URI) do |env| |
||||
headers = env[:request_headers] |
||||
expect(headers['Metadata-Flavor']).to eq('Google') |
||||
build_json_response( |
||||
'access_token' => with_access_token, |
||||
'token_type' => 'Bearer', |
||||
'expires_in' => 3600) |
||||
end |
||||
end |
||||
end |
||||
|
||||
it_behaves_like 'apply/apply! are OK' |
||||
|
||||
describe '#on_gce?' do |
||||
it 'should be true when Metadata-Flavor is Google' do |
||||
stubs = Faraday::Adapter::Test::Stubs.new do |stub| |
||||
stub.get('/') do |_env| |
||||
[200, |
||||
{ 'Metadata-Flavor' => 'Google' }, |
||||
''] |
||||
end |
||||
end |
||||
c = Faraday.new do |b| |
||||
b.adapter(:test, stubs) |
||||
end |
||||
expect(GCECredentials.on_gce?(connection: c)).to eq(true) |
||||
stubs.verify_stubbed_calls |
||||
end |
||||
|
||||
it 'should be false when Metadata-Flavor is not Google' do |
||||
stubs = Faraday::Adapter::Test::Stubs.new do |stub| |
||||
stub.get('/') do |_env| |
||||
[200, |
||||
{ 'Metadata-Flavor' => 'NotGoogle' }, |
||||
''] |
||||
end |
||||
end |
||||
c = Faraday.new do |b| |
||||
b.adapter(:test, stubs) |
||||
end |
||||
expect(GCECredentials.on_gce?(connection: c)).to eq(false) |
||||
stubs.verify_stubbed_calls |
||||
end |
||||
|
||||
it 'should be false if the response is not 200' do |
||||
stubs = Faraday::Adapter::Test::Stubs.new do |stub| |
||||
stub.get('/') do |_env| |
||||
[404, |
||||
{ 'Metadata-Flavor' => 'Google' }, |
||||
''] |
||||
end |
||||
end |
||||
c = Faraday.new do |b| |
||||
b.adapter(:test, stubs) |
||||
end |
||||
expect(GCECredentials.on_gce?(connection: c)).to eq(false) |
||||
stubs.verify_stubbed_calls |
||||
end |
||||
end |
||||
end |
||||
@ -1,75 +0,0 @@ |
||||
# Copyright 2015, Google Inc. |
||||
# All rights reserved. |
||||
# |
||||
# Redistribution and use in source and binary forms, with or without |
||||
# modification, are permitted provided that the following conditions are |
||||
# met: |
||||
# |
||||
# * Redistributions of source code must retain the above copyright |
||||
# notice, this list of conditions and the following disclaimer. |
||||
# * Redistributions in binary form must reproduce the above |
||||
# copyright notice, this list of conditions and the following disclaimer |
||||
# in the documentation and/or other materials provided with the |
||||
# distribution. |
||||
# * Neither the name of Google Inc. nor the names of its |
||||
# contributors may be used to endorse or promote products derived from |
||||
# this software without specific prior written permission. |
||||
# |
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
||||
|
||||
spec_dir = File.expand_path(File.join(File.dirname(__FILE__))) |
||||
$LOAD_PATH.unshift(spec_dir) |
||||
$LOAD_PATH.uniq! |
||||
|
||||
require 'apply_auth_examples' |
||||
require 'grpc/auth/service_account' |
||||
require 'jwt' |
||||
require 'multi_json' |
||||
require 'openssl' |
||||
require 'spec_helper' |
||||
|
||||
describe GRPC::Auth::ServiceAccountCredentials do |
||||
before(:example) do |
||||
@key = OpenSSL::PKey::RSA.new(2048) |
||||
cred_json = { |
||||
private_key_id: 'a_private_key_id', |
||||
private_key: @key.to_pem, |
||||
client_email: 'app@developer.gserviceaccount.com', |
||||
client_id: 'app.apps.googleusercontent.com', |
||||
type: 'service_account' |
||||
} |
||||
cred_json_text = MultiJson.dump(cred_json) |
||||
@client = GRPC::Auth::ServiceAccountCredentials.new( |
||||
'https://www.googleapis.com/auth/userinfo.profile', |
||||
StringIO.new(cred_json_text)) |
||||
end |
||||
|
||||
def make_auth_stubs(with_access_token: '') |
||||
Faraday::Adapter::Test::Stubs.new do |stub| |
||||
stub.post('/oauth2/v3/token') do |env| |
||||
params = Addressable::URI.form_unencode(env[:body]) |
||||
_claim, _header = JWT.decode(params.assoc('assertion').last, |
||||
@key.public_key) |
||||
want = ['grant_type', 'urn:ietf:params:oauth:grant-type:jwt-bearer'] |
||||
expect(params.assoc('grant_type')).to eq(want) |
||||
build_json_response( |
||||
'access_token' => with_access_token, |
||||
'token_type' => 'Bearer', |
||||
'expires_in' => 3600 |
||||
) |
||||
end |
||||
end |
||||
end |
||||
|
||||
it_behaves_like 'apply/apply! are OK' |
||||
end |
||||
@ -1,70 +0,0 @@ |
||||
# Copyright 2015, Google Inc. |
||||
# All rights reserved. |
||||
# |
||||
# Redistribution and use in source and binary forms, with or without |
||||
# modification, are permitted provided that the following conditions are |
||||
# met: |
||||
# |
||||
# * Redistributions of source code must retain the above copyright |
||||
# notice, this list of conditions and the following disclaimer. |
||||
# * Redistributions in binary form must reproduce the above |
||||
# copyright notice, this list of conditions and the following disclaimer |
||||
# in the documentation and/or other materials provided with the |
||||
# distribution. |
||||
# * Neither the name of Google Inc. nor the names of its |
||||
# contributors may be used to endorse or promote products derived from |
||||
# this software without specific prior written permission. |
||||
# |
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
||||
|
||||
spec_dir = File.expand_path(File.join(File.dirname(__FILE__))) |
||||
$LOAD_PATH.unshift(spec_dir) |
||||
$LOAD_PATH.uniq! |
||||
|
||||
require 'apply_auth_examples' |
||||
require 'grpc/auth/signet' |
||||
require 'jwt' |
||||
require 'openssl' |
||||
require 'spec_helper' |
||||
|
||||
describe Signet::OAuth2::Client do |
||||
before(:example) do |
||||
@key = OpenSSL::PKey::RSA.new(2048) |
||||
@client = Signet::OAuth2::Client.new( |
||||
token_credential_uri: 'https://accounts.google.com/o/oauth2/token', |
||||
scope: 'https://www.googleapis.com/auth/userinfo.profile', |
||||
issuer: 'app@example.com', |
||||
audience: 'https://accounts.google.com/o/oauth2/token', |
||||
signing_key: @key |
||||
) |
||||
end |
||||
|
||||
def make_auth_stubs(with_access_token: '') |
||||
Faraday::Adapter::Test::Stubs.new do |stub| |
||||
stub.post('/o/oauth2/token') do |env| |
||||
params = Addressable::URI.form_unencode(env[:body]) |
||||
_claim, _header = JWT.decode(params.assoc('assertion').last, |
||||
@key.public_key) |
||||
want = ['grant_type', 'urn:ietf:params:oauth:grant-type:jwt-bearer'] |
||||
expect(params.assoc('grant_type')).to eq(want) |
||||
build_json_response( |
||||
'access_token' => with_access_token, |
||||
'token_type' => 'Bearer', |
||||
'expires_in' => 3600 |
||||
) |
||||
end |
||||
end |
||||
end |
||||
|
||||
it_behaves_like 'apply/apply! are OK' |
||||
end |
||||
Loading…
Reference in new issue