google-auth-library
Comparing version 8.7.0 to 8.8.0
@@ -42,4 +42,2 @@ import { BaseExternalAccountClient, BaseExternalAccountClientOptions } from './baseexternalclient'; | ||
private validateEnvironmentId; | ||
private validateMetadataServerURLs; | ||
private validateMetadataURL; | ||
/** | ||
@@ -94,2 +92,5 @@ * Triggered when an external subject token is needed to be exchanged for a | ||
private getAwsSecurityCredentials; | ||
private shouldUseMetadataServer; | ||
private get regionFromEnv(); | ||
private get securityCredentialsFromEnv(); | ||
} |
@@ -50,5 +50,4 @@ "use strict"; | ||
this.region = ''; | ||
// data validators | ||
// Data validators. | ||
this.validateEnvironmentId(); | ||
this.validateMetadataServerURLs(); | ||
} | ||
@@ -65,16 +64,2 @@ validateEnvironmentId() { | ||
} | ||
validateMetadataServerURLs() { | ||
this.validateMetadataURL(this.regionUrl, 'region_url'); | ||
this.validateMetadataURL(this.securityCredentialsUrl, 'url'); | ||
this.validateMetadataURL(this.imdsV2SessionTokenUrl, 'imdsv2_session_token_url'); | ||
} | ||
validateMetadataURL(value, prop) { | ||
if (!value) | ||
return; | ||
const url = new URL(value); | ||
if (url.hostname !== AwsClient.AWS_EC2_METADATA_IPV4_ADDRESS && | ||
url.hostname !== `[${AwsClient.AWS_EC2_METADATA_IPV6_ADDRESS}]`) { | ||
throw new RangeError(`Invalid host "${url.hostname}" for "${prop}". Expecting ${AwsClient.AWS_EC2_METADATA_IPV4_ADDRESS} or ${AwsClient.AWS_EC2_METADATA_IPV6_ADDRESS}.`); | ||
} | ||
} | ||
/** | ||
@@ -108,3 +93,8 @@ * Triggered when an external subject token is needed to be exchanged for a | ||
const metadataHeaders = {}; | ||
if (this.imdsV2SessionTokenUrl) { | ||
// Only retrieve the IMDSv2 session token if both the security credentials and region are | ||
// not retrievable through the environment. | ||
// The credential config contains all the URLs by default but clients may be running this | ||
// where the metadata server is not available and returning the credentials through the environment. | ||
// Removing this check may break them. | ||
if (this.shouldUseMetadataServer() && this.imdsV2SessionTokenUrl) { | ||
metadataHeaders['x-aws-ec2-metadata-token'] = | ||
@@ -117,10 +107,4 @@ await this.getImdsV2SessionToken(); | ||
// https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html | ||
if (process.env['AWS_ACCESS_KEY_ID'] && | ||
process.env['AWS_SECRET_ACCESS_KEY']) { | ||
return { | ||
accessKeyId: process.env['AWS_ACCESS_KEY_ID'], | ||
secretAccessKey: process.env['AWS_SECRET_ACCESS_KEY'], | ||
// This is normally not available for permanent credentials. | ||
token: process.env['AWS_SESSION_TOKEN'], | ||
}; | ||
if (this.securityCredentialsFromEnv) { | ||
return this.securityCredentialsFromEnv; | ||
} | ||
@@ -201,4 +185,4 @@ // Since the role on a VM can change, we don't need to cache it. | ||
// AWS_REGION > AWS_DEFAULT_REGION > metadata server. | ||
if (process.env['AWS_REGION'] || process.env['AWS_DEFAULT_REGION']) { | ||
return (process.env['AWS_REGION'] || process.env['AWS_DEFAULT_REGION']); | ||
if (this.regionFromEnv) { | ||
return this.regionFromEnv; | ||
} | ||
@@ -255,2 +239,24 @@ if (!this.regionUrl) { | ||
} | ||
shouldUseMetadataServer() { | ||
// The metadata server must be used when either the AWS region or AWS security | ||
// credentials cannot be retrieved through their defined environment variables. | ||
return !this.regionFromEnv || !this.securityCredentialsFromEnv; | ||
} | ||
get regionFromEnv() { | ||
// The AWS region can be provided through AWS_REGION or AWS_DEFAULT_REGION. | ||
// Only one is required. | ||
return (process.env['AWS_REGION'] || process.env['AWS_DEFAULT_REGION'] || null); | ||
} | ||
get securityCredentialsFromEnv() { | ||
// Both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are required. | ||
if (process.env['AWS_ACCESS_KEY_ID'] && | ||
process.env['AWS_SECRET_ACCESS_KEY']) { | ||
return { | ||
accessKeyId: process.env['AWS_ACCESS_KEY_ID'], | ||
secretAccessKey: process.env['AWS_SECRET_ACCESS_KEY'], | ||
token: process.env['AWS_SESSION_TOKEN'], | ||
}; | ||
} | ||
return null; | ||
} | ||
} | ||
@@ -257,0 +263,0 @@ exports.AwsClient = AwsClient; |
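Review bot: The constructor no longer pins `region_url`, `url` and `imdsv2_session_token_url` to the EC2 metadata addresses — `validateMetadataServerURLs` and `validateMetadataURL` are dropped in the `@@ -65,16 +64,2 @@` hunk and the `@@ -50,5 +50,4 @@` hunk removes the call — so those endpoints are now used exactly as the credential configuration supplies them, and the IMDSv2 session token fetched from `imdsv2_session_token_url` is presumably sent in the `x-aws-ec2-metadata-token` header to whichever host `url` and `region_url` name. Nothing in the new code records that the configuration is treated as trusted input; if that is the intent, the class documentation should say so, e.g. `// NOTE: region_url, url and imdsv2_session_token_url are used as configured; the credential configuration must come from a trusted source.` The new `regionFromEnv` and `securityCredentialsFromEnv` getters re-read `process.env` on every access, so `shouldUseMetadataServer()` in `getSubjectToken` and the later `securityCredentialsFromEnv` check in `getAwsSecurityCredentials` can observe different values if the environment changes between them; a one-line comment that the decision is not cached would make that explicit. `getSubjectToken` and `getAwsSecurityCredentials` both start outside their hunks.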
@@ -7,3 +7,3 @@ import { GaxiosOptions } from 'gaxios'; | ||
*/ | ||
interface AwsSecurityCredentials { | ||
export interface AwsSecurityCredentials { | ||
accessKeyId: string; | ||
@@ -42,2 +42,1 @@ secretAccessKey: string; | ||
} | ||
export {}; |
@@ -213,10 +213,3 @@ import { GaxiosOptions, GaxiosPromise, GaxiosResponse } from 'gaxios'; | ||
private getScopesArray; | ||
/** | ||
* Checks whether Google APIs URL is valid. | ||
* @param apiName The apiName of url. | ||
* @param url The Google API URL to validate. | ||
* @return Whether the URL is valid or not. | ||
*/ | ||
private validateGoogleAPIsUrl; | ||
} | ||
export {}; |
@@ -30,6 +30,2 @@ "use strict"; | ||
const DEFAULT_OAUTH_SCOPE = 'https://www.googleapis.com/auth/cloud-platform'; | ||
/** The google apis domain pattern. */ | ||
const GOOGLE_APIS_DOMAIN_PATTERN = '\\.googleapis\\.com$'; | ||
/** The variable portion pattern in a Google APIs domain. */ | ||
const VARIABLE_PORTION_PATTERN = '[^\\.\\s\\/\\\\]+'; | ||
/** Default impersonated token lifespan in seconds.*/ | ||
@@ -86,5 +82,2 @@ const DEFAULT_TOKEN_LIFESPAN = 3600; | ||
: undefined; | ||
if (!this.validateGoogleAPIsUrl('sts', options.token_url)) { | ||
throw new Error(`"${options.token_url}" is not a valid token url.`); | ||
} | ||
this.stsCredential = new sts.StsCredentials(options.token_url, this.clientAuth); | ||
@@ -104,7 +97,2 @@ // Default OAuth scope. This could be overridden via public property. | ||
} | ||
if (typeof options.service_account_impersonation_url !== 'undefined' && | ||
!this.validateGoogleAPIsUrl('iamcredentials', options.service_account_impersonation_url)) { | ||
throw new Error(`"${options.service_account_impersonation_url}" is ` + | ||
'not a valid service account impersonation url.'); | ||
} | ||
this.serviceAccountImpersonationUrl = | ||
@@ -415,55 +403,4 @@ options.service_account_impersonation_url; | ||
} | ||
/** | ||
* Checks whether Google APIs URL is valid. | ||
* @param apiName The apiName of url. | ||
* @param url The Google API URL to validate. | ||
* @return Whether the URL is valid or not. | ||
*/ | ||
validateGoogleAPIsUrl(apiName, url) { | ||
let parsedUrl; | ||
// Return false if error is thrown during parsing URL. | ||
try { | ||
parsedUrl = new URL(url); | ||
} | ||
catch (e) { | ||
return false; | ||
} | ||
const urlDomain = parsedUrl.hostname; | ||
// Check the protocol is https. | ||
if (parsedUrl.protocol !== 'https:') { | ||
return false; | ||
} | ||
const googleAPIsDomainPatterns = [ | ||
new RegExp('^' + | ||
VARIABLE_PORTION_PATTERN + | ||
'\\.' + | ||
apiName + | ||
GOOGLE_APIS_DOMAIN_PATTERN), | ||
new RegExp('^' + apiName + GOOGLE_APIS_DOMAIN_PATTERN), | ||
new RegExp('^' + | ||
apiName + | ||
'\\.' + | ||
VARIABLE_PORTION_PATTERN + | ||
GOOGLE_APIS_DOMAIN_PATTERN), | ||
new RegExp('^' + | ||
VARIABLE_PORTION_PATTERN + | ||
'\\-' + | ||
apiName + | ||
GOOGLE_APIS_DOMAIN_PATTERN), | ||
new RegExp('^' + | ||
apiName + | ||
'\\-' + | ||
VARIABLE_PORTION_PATTERN + | ||
'\\.p' + | ||
GOOGLE_APIS_DOMAIN_PATTERN), | ||
]; | ||
for (const googleAPIsDomainPattern of googleAPIsDomainPatterns) { | ||
if (urlDomain.match(googleAPIsDomainPattern)) { | ||
return true; | ||
} | ||
} | ||
return false; | ||
} | ||
} | ||
exports.BaseExternalAccountClient = BaseExternalAccountClient; | ||
//# sourceMappingURL=baseexternalclient.js.map |
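Review bot: `options.token_url` now reaches `new sts.StsCredentials(options.token_url, this.clientAuth)` and `options.service_account_impersonation_url` is stored without the scheme and domain check that `validateGoogleAPIsUrl` performed (removed in this section's `@@ -86,5 +82,2 @@`, `@@ -104,7 +97,2 @@` and `@@ -415,55 +403,4 @@` hunks), so a credential configuration can direct the token exchange — and with it the subject token and the exchanged access token — to any URL, including a plain-http one. If the library now relies on the configuration being a trusted input, the constructor documentation should state that; otherwise a minimal transport guard that keeps the existing error text, `if (new URL(options.token_url).protocol !== 'https:') throw new Error(\`"${options.token_url}" is not a valid token url.\`);`, would preserve the HTTPS requirement without the domain allow-list that presumably motivated the removal. The constructor this applies to starts outside the hunks.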
@@ -6,3 +6,3 @@ import { RefreshOptions } from './oauth2client'; | ||
import { PluggableAuthClientOptions } from './pluggable-auth-client'; | ||
export declare type ExternalAccountClientOptions = IdentityPoolClientOptions | AwsClientOptions | PluggableAuthClientOptions; | ||
export type ExternalAccountClientOptions = IdentityPoolClientOptions | AwsClientOptions | PluggableAuthClientOptions; | ||
/** | ||
@@ -9,0 +9,0 @@ * Dummy class with no constructor. Developers are expected to use fromJSON. |
@@ -16,2 +16,3 @@ /// <reference types="node" /> | ||
import { AuthClient } from './authclient'; | ||
import { ExternalAccountAuthorizedUserClient } from './externalAccountAuthorizedUserClient'; | ||
/** | ||
@@ -21,3 +22,3 @@ * Defines all types of explicit clients that are determined via ADC JSON | ||
*/ | ||
export declare type JSONClient = JWT | UserRefreshClient | BaseExternalAccountClient | Impersonated; | ||
export type JSONClient = JWT | UserRefreshClient | BaseExternalAccountClient | ExternalAccountAuthorizedUserClient | Impersonated; | ||
export interface ProjectIdCallback { | ||
@@ -24,0 +25,0 @@ (err?: Error | null, projectId?: string | null): void; |
@@ -32,2 +32,3 @@ "use strict"; | ||
const baseexternalclient_1 = require("./baseexternalclient"); | ||
const externalAccountAuthorizedUserClient_1 = require("./externalAccountAuthorizedUserClient"); | ||
exports.CLOUD_SDK_CLIENT_ID = '764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com'; | ||
@@ -40,2 +41,7 @@ const GoogleAuthExceptionMessages = { | ||
class GoogleAuth { | ||
// Note: this properly is only public to satisify unit tests. | ||
// https://github.com/Microsoft/TypeScript/issues/5228 | ||
get isGCE() { | ||
return this.checkIsGCE; | ||
} | ||
constructor(opts) { | ||
@@ -59,7 +65,2 @@ /** | ||
} | ||
// Note: this properly is only public to satisify unit tests. | ||
// https://github.com/Microsoft/TypeScript/issues/5228 | ||
get isGCE() { | ||
return this.checkIsGCE; | ||
} | ||
// GAPIC client libraries should always use self-signed JWTs. The following | ||
@@ -362,9 +363,6 @@ // variables are set on the JWT client in order to indicate the type of library, | ||
*/ | ||
fromJSON(json, options) { | ||
fromJSON(json, options = {}) { | ||
let client; | ||
if (!json) { | ||
throw new Error('Must pass in a JSON object containing the Google auth settings.'); | ||
} | ||
options = options || {}; | ||
if (json.type === 'authorized_user') { | ||
if (json.type === refreshclient_1.USER_REFRESH_ACCOUNT_TYPE) { | ||
client = new refreshclient_1.UserRefreshClient(options); | ||
@@ -380,2 +378,5 @@ client.fromJSON(json); | ||
} | ||
else if (json.type === externalAccountAuthorizedUserClient_1.EXTERNAL_ACCOUNT_AUTHORIZED_USER_TYPE) { | ||
client = new externalAccountAuthorizedUserClient_1.ExternalAccountAuthorizedUserClient(json, options); | ||
} | ||
else { | ||
@@ -397,22 +398,3 @@ options.scopes = this.scopes; | ||
_cacheClientFromJSON(json, options) { | ||
let client; | ||
// create either a UserRefreshClient or JWT client. | ||
options = options || {}; | ||
if (json.type === 'authorized_user') { | ||
client = new refreshclient_1.UserRefreshClient(options); | ||
client.fromJSON(json); | ||
} | ||
else if (json.type === impersonated_1.IMPERSONATED_ACCOUNT_TYPE) { | ||
client = this.fromImpersonatedJSON(json); | ||
} | ||
else if (json.type === baseexternalclient_1.EXTERNAL_ACCOUNT_TYPE) { | ||
client = externalclient_1.ExternalAccountClient.fromJSON(json, options); | ||
client.scopes = this.getAnyScopes(); | ||
} | ||
else { | ||
options.scopes = this.scopes; | ||
client = new jwtclient_1.JWT(options); | ||
this.setGapicJWTValues(client); | ||
client.fromJSON(json); | ||
} | ||
const client = this.fromJSON(json, options); | ||
// cache both raw data used to instantiate client and client itself. | ||
@@ -419,0 +401,0 @@ this.jsonContent = json; |
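Review bot: `_cacheClientFromJSON` now delegates to `this.fromJSON(json, options)`, but the branches it drops set `client.scopes = this.getAnyScopes()` for `EXTERNAL_ACCOUNT_TYPE` and called `this.setGapicJWTValues(client)` for the JWT case; the part of `fromJSON` that handles those types lies outside the `@@ -362,9 +363,6 @@` and `@@ -380,2 +378,5 @@` hunks, so confirm it applies the same scope and GAPIC settings, otherwise cached external-account and JWT clients silently lose them. `fromJSON` also still assigns into the caller-supplied `options` (`options.scopes = this.scopes` in the `@@ -397,22 +398,3 @@` header); the new `options = {}` default covers the omitted case but a passed object is still mutated, which at minimum deserves a comment such as `// Note: options is mutated (scopes are set on it) before the client is created.` Both functions continue outside the hunks.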
import { BaseExternalAccountClient, BaseExternalAccountClientOptions } from './baseexternalclient'; | ||
import { RefreshOptions } from './oauth2client'; | ||
declare type SubjectTokenFormatType = 'json' | 'text'; | ||
type SubjectTokenFormatType = 'json' | 'text'; | ||
/** | ||
@@ -5,0 +5,0 @@ * Url-sourced/file-sourced credentials json interface. |
@@ -0,2 +1,4 @@ | ||
/// <reference types="node" /> | ||
import { GaxiosError, GaxiosOptions, GaxiosPromise, GaxiosResponse } from 'gaxios'; | ||
import * as querystring from 'querystring'; | ||
import { JwkCertificate } from '../crypto/crypto'; | ||
@@ -237,2 +239,7 @@ import { BodyResponseCallback } from '../transporters'; | ||
code_challenge?: string; | ||
/** | ||
* A way for developers and/or the auth team to provide a set of key value | ||
* pairs to be added as query parameters to the authorization url. | ||
*/ | ||
[key: string]: querystring.ParsedUrlQueryInput[keyof querystring.ParsedUrlQueryInput]; | ||
} | ||
@@ -239,0 +246,0 @@ export interface AccessTokenResponse { |
@@ -6,3 +6,3 @@ import { GaxiosOptions } from 'gaxios'; | ||
*/ | ||
declare type OAuthErrorCode = 'invalid_request' | 'invalid_client' | 'invalid_grant' | 'unauthorized_client' | 'unsupported_grant_type' | 'invalid_scope' | string; | ||
type OAuthErrorCode = 'invalid_request' | 'invalid_client' | 'invalid_grant' | 'unauthorized_client' | 'unsupported_grant_type' | 'invalid_scope' | string; | ||
/** | ||
@@ -21,3 +21,3 @@ * The standard OAuth error response. | ||
*/ | ||
export declare type ConfidentialClientType = 'basic' | 'request-body'; | ||
export type ConfidentialClientType = 'basic' | 'request-body'; | ||
/** | ||
@@ -24,0 +24,0 @@ * Defines the client authentication credentials for basic and request-body |
@@ -5,2 +5,3 @@ /// <reference types="node" /> | ||
import { GetTokenResponse, OAuth2Client, RefreshOptions } from './oauth2client'; | ||
export declare const USER_REFRESH_ACCOUNT_TYPE = "authorized_user"; | ||
export interface UserRefreshClientOptions extends RefreshOptions { | ||
@@ -7,0 +8,0 @@ clientId?: string; |
@@ -16,4 +16,5 @@ "use strict"; | ||
Object.defineProperty(exports, "__esModule", { value: true }); | ||
exports.UserRefreshClient = void 0; | ||
exports.UserRefreshClient = exports.USER_REFRESH_ACCOUNT_TYPE = void 0; | ||
const oauth2client_1 = require("./oauth2client"); | ||
exports.USER_REFRESH_ACCOUNT_TYPE = 'authorized_user'; | ||
class UserRefreshClient extends oauth2client_1.OAuth2Client { | ||
@@ -20,0 +21,0 @@ constructor(optionsOrClientId, clientSecret, refreshToken, eagerRefreshThresholdMillis, forceRefreshOnFailure) { |
@@ -13,3 +13,3 @@ import { GaxiosError, GaxiosOptions, GaxiosPromise, GaxiosResponse } from 'gaxios'; | ||
} | ||
export declare class DefaultTransporter { | ||
export declare class DefaultTransporter implements Transporter { | ||
/** | ||
@@ -16,0 +16,0 @@ * Default user agent. |
{ | ||
"name": "google-auth-library", | ||
"version": "8.7.0", | ||
"version": "8.8.0", | ||
"author": "Google Inc.", | ||
@@ -25,3 +25,3 @@ "description": "Google APIs Authentication Client Library for Node.js", | ||
"gaxios": "^5.0.0", | ||
"gcp-metadata": "^5.0.0", | ||
"gcp-metadata": "^5.2.0", | ||
"gtoken": "^6.1.0", | ||
@@ -42,3 +42,2 @@ "jws": "^4.0.0", | ||
"@types/sinon": "^10.0.0", | ||
"@types/tmp": "^0.2.0", | ||
"assert-rejects": "^1.0.0", | ||
@@ -56,3 +55,3 @@ "c8": "^7.0.0", | ||
"karma-mocha": "^2.0.0", | ||
"karma-sourcemap-loader": "^0.3.7", | ||
"karma-sourcemap-loader": "^0.4.0", | ||
"karma-webpack": "^5.0.0", | ||
@@ -67,4 +66,3 @@ "keypair": "^1.0.4", | ||
"puppeteer": "^18.0.0", | ||
"sinon": "^14.0.0", | ||
"tmp": "^0.2.0", | ||
"sinon": "^15.0.0", | ||
"ts-loader": "^8.0.0", | ||
@@ -71,0 +69,0 @@ "typescript": "^4.6.3", |