module Google::Auth::ExternalAccount::BaseCredentials

def base_setup options

Raises:
  • (Google::Auth::InitializationError) - If workforce_pool_user_project is incorrectly set 
def base_setup options
  self.default_connection = options[:connection]
  @audience = options[:audience]
  @scope = options[:scope] || IAM_SCOPE
  @subject_token_type = options[:subject_token_type]
  @token_url = options[:token_url]
  @token_info_url = options[:token_info_url]
  @service_account_impersonation_url = options[:service_account_impersonation_url]
  @service_account_impersonation_options = options[:service_account_impersonation_options] || {}
  @client_id = options[:client_id]
  @client_secret = options[:client_secret]
  @quota_project_id = options[:quota_project_id]
  @project_id = nil
  @workforce_pool_user_project = options[:workforce_pool_user_project]
  @universe_domain = options[:universe_domain] || "googleapis.com"
  @expires_at = nil
  @access_token = nil
  @sts_client = Google::Auth::OAuth2::STSClient.new(
    token_exchange_endpoint: @token_url,
    connection: default_connection
  )
  return unless @workforce_pool_user_project && !is_workforce_pool?
  raise InitializationError, "workforce_pool_user_project should not be set for non-workforce pool credentials."
end

def exchange_token

Raises:
  • (Google::Auth::AuthorizationError) - If the token exchange request fails 
def exchange_token
  additional_options = nil
  if @client_id.nil? && @workforce_pool_user_project
    additional_options = { userProject: @workforce_pool_user_project }
  end
  token_request = {
    audience: @audience,
    grant_type: STS_GRANT_TYPE,
    subject_token: retrieve_subject_token!,
    subject_token_type: @subject_token_type,
    scopes: @service_account_impersonation_url ? IAM_SCOPE : @scope,
    requested_token_type: STS_REQUESTED_TOKEN_TYPE,
    additional_options: additional_options
  }
  log_token_request token_request
  @sts_client.exchange_token token_request
rescue Google::Auth::AuthorizationError => e
  raise Google::Auth::AuthorizationError.with_details(
    e.message,
    credential_type_name: self.class.name,
    principal: principal
  )
end

def expires_at= new_expires_at 

def expires_at= new_expires_at
  @expires_at = normalize_timestamp new_expires_at
end

def expires_within? seconds 

def expires_within? seconds
  # This method is needed for BaseClient
  @expires_at && @expires_at - Time.now.utc < seconds
end

def fetch_access_token! _options = {} 

def fetch_access_token! _options = {}
  # This method is needed for BaseClient
  response = exchange_token
  if @service_account_impersonation_url
    impersonated_response = get_impersonated_access_token response["access_token"]
    self.expires_at = impersonated_response["expireTime"]
    self.access_token = impersonated_response["accessToken"]
  else
    # Extract the expiration time in seconds from the response and calculate the actual expiration time
    # and then save that to the expiry variable.
    self.expires_at = Time.now.utc + response["expires_in"].to_i
    self.access_token = response["access_token"]
  end
  notify_refresh_listeners
end

def get_impersonated_access_token token, _options = {}

Raises:
  • (Google::Auth::CredentialsError) - If the impersonation request fails

Returns:
  • (Hash) - The response containing the impersonated access token

Parameters:
  • _options (Hash) -- Additional options (not used)
  • token (String) -- The token to exchange 
def get_impersonated_access_token token, _options = {}
  log_impersonated_token_request token
  response = connection.post @service_account_impersonation_url do |req|
    req.headers["Authorization"] = "Bearer #{token}"
    req.headers["Content-Type"] = "application/json"
    req.body = MultiJson.dump({ scope: @scope })
  end
  if response.status != 200
    raise CredentialsError.with_details(
      "Service account impersonation failed with status #{response.status}",
      credential_type_name: self.class.name,
      principal: principal
    )
  end
  MultiJson.load response.body
end

def is_workforce_pool?

Returns:
  • (bool) - 
def is_workforce_pool?
  %r{/iam\.googleapis\.com/locations/[^/]+/workforcePools/}.match?(@audience || "")
end

def log_impersonated_token_request original_token 

def log_impersonated_token_request original_token
  logger&.info do
    digest = Digest::SHA256.hexdigest original_token
    Google::Logging::Message.from(
      message: "Requesting impersonated access token with original token (sha256:#{digest})",
      "credentialsId" => object_id
    )
  end
end

def log_token_request token_request 

def log_token_request token_request
  logger&.info do
    Google::Logging::Message.from(
      message: "Requesting access token from #{token_request[:grant_type]}",
      "credentialsId" => object_id
    )
  end
  logger&.debug do
    digest = Digest::SHA256.hexdigest token_request[:subject_token].to_s
    loggable_request = token_request.merge subject_token: "(sha256:#{digest})"
    Google::Logging::Message.from(
      message: "Request data",
      "request" => loggable_request,
      "credentialsId" => object_id
    )
  end
end

def principal

Returns:
  • (String) - the GCP principal, e.g. a workforce pool

Other tags:
    Private: - 
def principal
  @audience
end

def retrieve_subject_token!

Returns:
  • (string) - 
def retrieve_subject_token!
  raise NoMethodError, "retrieve_subject_token! not implemented"
end

def token_type 

def token_type
  # This method is needed for BaseClient
  :access_token
end