Authenticates requests using Google's Service Account credentials via JWT Header.
This class authorizes requests for service accounts directly from the credentials in a JSON key file downloaded from the developer console (via 'Generate new Json Key'). It is not part of any OAuth2 flow; rather, it creates a JWT and sends that as a credential.
cf. [Application Default Credentials](goo.gl/mkAHpZ)
::make_creds proxies the construction of a credentials instance.
::make_creds is used by the methods in CredentialsLoader.
By default, it calls new with 2 args, the second one being an optional scope. Here the constructor only has one param, so we modify ::make_creds to reflect this.
```ruby
# File lib/googleauth/service_account.rb, line 134
def self.make_creds(*args)
  new(json_key_io: args[0][:json_key_io])
end
```
Initializes a ServiceAccountJwtHeaderCredentials.
@param json_key_io [IO] an IO from which the JSON key can be read
```ruby
# File lib/googleauth/service_account.rb, line 150
def initialize(options = {})
  json_key_io = options[:json_key_io]
  if json_key_io
    private_key, client_email = self.class.read_json_key(json_key_io)
  else
    private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
    client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
  end
  @private_key = private_key
  @issuer = client_email
  @signing_key = OpenSSL::PKey::RSA.new(private_key)
end
```
Reads the private key and client email fields from the service account JSON key.
```ruby
# File lib/googleauth/service_account.rb, line 140
def self.read_json_key(json_key_io)
  json_key = MultiJson.load(json_key_io.read)
  raise 'missing client_email' unless json_key.key?('client_email')
  raise 'missing private_key' unless json_key.key?('private_key')
  [json_key['private_key'], json_key['client_email']]
end
```
Returns a clone of a_hash updated with the authorization header
```ruby
# File lib/googleauth/service_account.rb, line 176
def apply(a_hash, opts = {})
  a_copy = a_hash.clone
  apply!(a_copy, opts)
  a_copy
end
```
Constructs a JWT if the JWT_AUD_URI key is present in the input hash.
The JWT is stored under AUTH_METADATA_KEY as the value of a 'Bearer ' credential.
```ruby
# File lib/googleauth/service_account.rb, line 167
def apply!(a_hash, opts = {})
  jwt_aud_uri = a_hash.delete(JWT_AUD_URI_KEY)
  return a_hash if jwt_aud_uri.nil?
  jwt_token = new_jwt_token(jwt_aud_uri, opts)
  a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
  a_hash
end
```
Returns a reference to the apply method, suitable for passing as a closure
```ruby
# File lib/googleauth/service_account.rb, line 184
def updater_proc
  lambda(&method(:apply))
end
```
Creates a jwt uri token.
```ruby
# File lib/googleauth/service_account.rb, line 191
def new_jwt_token(jwt_aud_uri, options = {})
  now = Time.new
  skew = options[:skew] || 60
  assertion = {
    'iss' => @issuer,
    'sub' => @issuer,
    'aud' => jwt_aud_uri,
    'exp' => (now + EXPIRY).to_i,
    'iat' => (now - skew).to_i
  }
  JWT.encode(assertion, @signing_key, SIGNING_ALGORITHM)
end
```
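The claim set built by new_jwt_token, and the checks a receiving service has to make on it, shown as an added example that is not part of googleauth. It uses only the Ruby standard library; the helper names are hypothetical, and the 60-second EXPIRY and RS256 algorithm are assumptions because the page references those constants without showing their values.

```ruby
require 'openssl'
require 'json'

# Assumed values: the page references EXPIRY and SIGNING_ALGORITHM but does not show them.
EXAMPLE_EXPIRY = 60 # seconds
EXAMPLE_ALG = 'RS256'

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(text)
  text.tr('-_', '+/').unpack1('m')
end

# Builds the same claims as new_jwt_token and signs them with RSA PKCS#1 v1.5 / SHA-256.
def build_jwt(key, issuer, aud, now: Time.now, skew: 60)
  header = { 'alg' => EXAMPLE_ALG, 'typ' => 'JWT' }
  claims = { 'iss' => issuer, 'sub' => issuer, 'aud' => aud,
             'exp' => (now + EXAMPLE_EXPIRY).to_i, 'iat' => (now - skew).to_i }
  signing_input = [header, claims].map { |part| b64url(JSON.generate(part)) }.join('.')
  signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Receiver-side checks: returns the claims, or raises with the reason for rejection.
def verify_jwt(token, public_key, expected_aud, now: Time.now)
  parts = token.split('.')
  raise ArgumentError, 'malformed token' unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm on the verifier; never let the token header choose it.
  raise ArgumentError, 'unexpected alg' unless header['alg'] == EXAMPLE_ALG
  signed = parts[0..1].join('.')
  ok = public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(parts[2]), signed)
  raise ArgumentError, 'bad signature' unless ok
  claims = JSON.parse(b64url_decode(parts[1]))
  raise ArgumentError, 'wrong audience' unless claims['aud'] == expected_aud
  raise ArgumentError, 'expired' unless now.to_i < claims['exp']
  raise ArgumentError, 'issued in the future' unless claims['iat'] <= now.to_i
  claims
end

# Constructed sample data: a throwaway key and placeholder identities.
KEY = OpenSSL::PKey::RSA.new(2048)
ISSUER = 'svc-account@example.invalid'
AUD = 'https://api.example.com/'
TOKEN = build_jwt(KEY, ISSUER, AUD)
puts verify_jwt(TOKEN, KEY.public_key, AUD)['iss']
```

The token is bound to one audience and a short validity window, so the private key in the JSON key file is the only long-lived secret to protect.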