Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Client library credentials provide correct self-signed JWT and external account behavior when loading from a file path or JSON data #474

Merged
merged 1 commit into from
Feb 7, 2024

Conversation

dazuma
Copy link
Member

@dazuma dazuma commented Feb 4, 2024

The Google::Auth::Credentials class (used by GAPICs) didn't use the normal make_creds mechanism used by the rest of the auth system, and thus didn't construct the correct subclass of Signet::OAuth2::Client when reading from a custom file path or a custom hash. Instead, it just constructed an instance of the Signet::OAuth2::Client base class and hoped for the best. As a result, some key features that were implemented in subclasses were not working, including self-signed JWT authentication, and pretty much all of external credentials.

This change delegates back to make_creds instead of constructing the Signet::OAuth2::Client base class. This also allows us to remove some of the client options mapping being done (which was duplicating code in Google::Auth::ServiceAccountCredetials). Finally, we clean up some of the use of string vs symbol keys in options hashes to ensure the correct options are passed in and recognized.

The bulk of this change is actually in the test. Previously, the test relied on mocking out Signet itself, which the previous code got away with because it always called the Signet base class directly. Now that we are constructing subclasses via other code paths, we cannot just mock out Signet. Instead we allow the full credentials object to be constructed. This means, in a few cases, we needed to simulate a few more environment variables and/or mock out http requests.

Fixes #466.
Also fixes the case when credentials are passed by file path in a non-google universe domain (which requires self signed JWT).

@dazuma dazuma requested a review from a team as a code owner February 4, 2024 04:08
@dazuma dazuma force-pushed the pr/creds-subclasses branch from 44f10e9 to 4319eff Compare February 4, 2024 04:21
…xternal account behavior when loading from a file path or JSON data
@dazuma dazuma force-pushed the pr/creds-subclasses branch from 4319eff to d204e24 Compare February 5, 2024 20:10
@dazuma dazuma requested a review from bajajneha27 February 5, 2024 20:16
@dazuma dazuma merged commit 73ecde1 into googleapis:main Feb 7, 2024
11 checks passed
@dazuma dazuma deleted the pr/creds-subclasses branch February 15, 2024 18:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Credentials class initializer should use make_creds instead of using the signet base class
2 participants