class Google::Auth::ExternalAccount::IdentityPoolCredentials

This class obtains a third-party identity (3PI) subject token from the configured credential source (a local file or an HTTP URL) and exchanges it for a short-lived Google Cloud access token.

Attributes

client_id[R]

Always nil for identity-pool credentials; the reader is kept because the shared credentials interface still calls it.

Public Class Methods

new(options = {})

Initialize from options map.

@param [String] audience
@param [Hash{Symbol => Object}] credential_source

credential_source is a hash that contains either a :file path or a :url — exactly one of the two must be given.
credential_source[:format][:type] is either "text" (the whole response is the token) or "json" (the token is read from the key named by :subject_token_field_name); it defaults to "text".
# File lib/googleauth/external_account/identity_pool_credentials.rb, line 40
# Initialize from an options hash.
#
# @param [Hash] options
#   :audience          - the workload identity pool audience
#   :credential_source - hash with either :file or :url, optional :headers
#                        (sent with the URL request) and optional :format
#                        ({ type: "text" | "json", subject_token_field_name: ... })
#
# NOTE(review): the credential_source values are typically loaded from the
# external-account JSON config. Whoever can write that config can point
# :file at any readable local path or :url (plus :headers) at any host, so the
# config should be protected like a credential — confirm that is documented
# for callers.
def initialize options = {}
  base_setup options

  source = options[:credential_source] || {}
  fmt = source[:format] || {}

  @audience = options[:audience]
  @credential_source = source
  # Exactly one of file / url is expected; validate_credential_source enforces it.
  @credential_source_file = source[:file]
  @credential_source_url = source[:url]
  @credential_source_headers = source[:headers] || {}
  @credential_source_format = fmt
  @credential_source_format_type = fmt[:type] || "text"
  validate_credential_source
end

Public Instance Methods

retrieve_subject_token!()

Implementation of BaseCredentials retrieve_subject_token!

# File lib/googleauth/external_account/identity_pool_credentials.rb, line 54
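# Implementation of BaseCredentials retrieve_subject_token!
#
# Reads the raw credential content (via token_data) from the configured file
# or URL and extracts the 3PI subject token to be exchanged for a Google
# access token. The token is a secret: never log it.
#
# @return [String] the subject token
# @raise [RuntimeError] if a JSON response cannot be parsed, if the configured
#   field is absent, or if the token is nil / empty
def retrieve_subject_token!
  content, resource_name = token_data
  token =
    if @credential_source_format_type == "text"
      content
    else
      begin
        response_data = MultiJson.load content, symbolize_keys: true
        # A non-object JSON document (array, string, null, ...) raises
        # TypeError / NoMethodError here, which the rescue below turns into
        # the parse error.
        response_data[@credential_source_field_name.to_sym]
      rescue StandardError
        # Raising inside rescue keeps the original error reachable via #cause.
        raise "Unable to parse subject_token from JSON resource #{resource_name} " \
              "using key #{@credential_source_field_name}"
      end
    end
  # "" is truthy in Ruby, so an empty token file would otherwise be accepted
  # and sent to STS as the subject token; treat blank as missing.
  if token.nil? || (token.is_a?(String) && token.strip.empty?)
    raise "Missing subject_token in the credential_source file/response."
  end
  token
end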

Private Instance Methods

file_data()
# File lib/googleauth/external_account/identity_pool_credentials.rb, line 98
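# Reads the subject token from the configured local file.
#
# @return [Array(String, String)] the file content (UTF-8) and the path it
#   was read from, used as the resource name in error messages
# @raise [RuntimeError] if the file does not exist
def file_data
  raise "File #{@credential_source_file} was not found." unless File.exist? @credential_source_file
  # Read through File.open rather than the IO.read family: historically
  # IO.read-style calls treat a path beginning with "|" as a command to
  # spawn, and the path comes from configuration rather than from this code.
  content = File.open(@credential_source_file, "r:utf-8", &:read)
  [content, @credential_source_file]
end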
token_data()
# File lib/googleauth/external_account/identity_pool_credentials.rb, line 94
# Dispatches to the configured source: a file path wins when one is set,
# otherwise the URL is fetched.
#
# @return [Array(String, String)] content and the resource name it came from
def token_data
  if @credential_source_file.nil?
    url_data
  else
    file_data
  end
end
url_data()
# File lib/googleauth/external_account/identity_pool_credentials.rb, line 104
# Fetches the subject token from the configured URL, sending any configured
# headers with the request.
#
# NOTE(review): the URL scheme is not restricted here; a plain-http URL would
# carry the configured headers and the returned token in clear text — confirm
# whether callers are expected to supply https only.
#
# @return [Array(String, String)] response body and the URL it was fetched from
# @raise [RuntimeError] on a transport error or a non-2xx response (the
#   response body is included in the message)
def url_data
  extra_headers = @credential_source_headers
  begin
    response = connection.get(@credential_source_url) { |req| req.headers.merge! extra_headers }
  rescue Faraday::Error => err
    raise "Error retrieving from credential url: #{err}"
  end
  unless response.success?
    raise "Unable to retrieve Identity Pool subject token #{response.body}"
  end
  [response.body, @credential_source_url]
end
validate_credential_source()
# File lib/googleauth/external_account/identity_pool_credentials.rb, line 73
# Validates the credential_source configuration captured in initialize and
# records the JSON field name holding the token.
#
# Side effect: sets @credential_source_field_name from format[:subject_token_field_name]
# (nil for "text" sources).
#
# @raise [RuntimeError] for an environment_id (AWS-only), an unknown format
#   type, a JSON format without a field name, both file and url given, or
#   neither given
def validate_credential_source
  # `environment_id` only has meaning for AWS (and future dedicated) external account credentials.
  raise "Invalid Identity Pool credential_source field 'environment_id'" unless @credential_source[:environment_id].nil?

  format_type = @credential_source_format_type
  raise "Invalid credential_source format #{format_type}" unless %w[json text].include? format_type

  # JSON sources must say which key carries the token.
  @credential_source_field_name = @credential_source_format[:subject_token_field_name]
  if format_type == "json" && @credential_source_field_name.nil?
    raise "Missing subject_token_field_name for JSON credential_source format"
  end

  # Exactly one of file / url: both is ambiguous, neither is unusable.
  if @credential_source_file && @credential_source_url
    raise "Ambiguous credential_source. 'file' is mutually exclusive with 'url'."
  end
  raise "Missing credential_source. A 'file' or 'url' must be provided." if (@credential_source_file || @credential_source_url).nil?
end