/** * Updates metadata with the authorization token * * @param array $metadata metadata hashmap * @param string $authUri optional auth uri * @param callable $httpHandler callback which delivers psr7 request * * @return array updated metadata hashmap */ public function updateMetadata($metadata, $authUri = null, callable $httpHandler = null) { if (empty($authUri)) { return $metadata; } $this->auth->setAudience($authUri); return parent::updateMetadata($metadata, $authUri, $httpHandler); }
/** * Updates metadata with the authorization token * * @param $metadata array metadata hashmap * @param $authUri string optional auth uri * @param $client optional client interface * * @return array updated metadata hashmap */ public function updateMetadata($metadata, $authUri = null, ClientInterface $client = null) { if (empty($authUri)) { return $metadata; } $this->auth->setAudience($authUri); return parent::updateMetadata($metadata, $authUri, $client); }
/** * Get a keyfile. * * Process: * 1. If $config['keyFile'] is set, use that. * 2. If $config['keyFilePath'] is set, load the file and use that. * 3. If GOOGLE_APPLICATION_CREDENTIALS environment variable is set, load * from that location and use that. * 4. If OS-specific well-known-file is set, load from that location and use * that. * 5. Exception. :( * * @param array $config * @return array Key data * @throws GoogleException */ private function getKeyFile(array $config = []) { $config += ['keyFile' => null, 'keyFilePath' => null]; if ($config['keyFile']) { return $config['keyFile']; } if ($config['keyFilePath']) { if (!file_exists($config['keyFilePath'])) { throw new GoogleException('Given keyfile path does not exist'); } $keyFileData = json_decode(file_get_contents($config['keyFilePath']), true); if (json_last_error() !== JSON_ERROR_NONE) { throw new GoogleException('Given keyfile was invalid'); } return $keyFileData; } return CredentialsLoader::fromEnv() ?: CredentialsLoader::fromWellKnownFile(); }
/** * Obtains the default FetchAuthTokenInterface implementation to use * in this environment. * * If supplied, $scope is used to in creating the credentials instance if * this does not fallback to the Compute Engine defaults. * * @param string|array scope the scope of the access request, expressed * either as an Array or as a space-delimited String. * * @param $client GuzzleHttp\ClientInterface optional client. * @throws DomainException if no implementation can be obtained. */ public static function getCredentials($scope = null, $client = null) { $creds = CredentialsLoader::fromEnv($scope); if (!is_null($creds)) { return $creds; } $creds = CredentialsLoader::fromWellKnownFile($scope); if (!is_null($creds)) { return $creds; } if (AppIdentityCredentials::onAppEngine()) { return new AppIdentityCredentials($scope); } if (GCECredentials::onGce($client)) { return new GCECredentials(); } throw new \DomainException(self::notFound()); }
private function createApplicationDefaultCredentials() { $scopes = $this->prepareScopes(); $sub = $this->config['subject']; $signingKey = $this->config['signing_key']; // create credentials using values supplied in setAuthConfig if ($signingKey) { $serviceAccountCredentials = array('client_id' => $this->config['client_id'], 'client_email' => $this->config['client_email'], 'private_key' => $signingKey, 'type' => 'service_account'); $keyStream = Psr7\stream_for(json_encode($serviceAccountCredentials)); $credentials = CredentialsLoader::makeCredentials($scopes, $keyStream); } else { $credentials = ApplicationDefaultCredentials::getCredentials($scopes); } // for service account domain-wide authority (impersonating a user) // @see https://developers.google.com/identity/protocols/OAuth2ServiceAccount if ($sub) { if (!$credentials instanceof ServiceAccountCredentials) { throw new DomainException('domain-wide authority requires service account credentials'); } $credentials->setSub($sub); } return $credentials; }
/** * Updates metadata with the authorization token * * @param $metadata array metadata hashmap * @param $authUri string optional auth uri * @param $client optional client interface * * @return array updated metadata hashmap */ public function updateMetadata($metadata, $authUri = null, ClientInterface $client = null) { // scope exists. use oauth implementation $scope = $this->auth->getScope(); if (!is_null($scope)) { return parent::updateMetadata($metadata, $authUri, $client); } // no scope found. create jwt with the auth uri $credJson = array('private_key' => $this->auth->getSigningKey(), 'client_email' => $this->auth->getIssuer()); $jwtCreds = new ServiceAccountJwtAccessCredentials($credJson); return $jwtCreds->updateMetadata($metadata, $authUri, $client); }
/** * Obtains the default FetchAuthTokenInterface implementation to use * in this environment. * * If supplied, $scope is used to in creating the credentials instance if * this does not fallback to the Compute Engine defaults. * * @param string|array scope the scope of the access request, expressed * either as an Array or as a space-delimited String. * @param callable $httpHandler callback which delivers psr7 request * @param array $cacheConfig configuration for the cache when it's present * @param CacheItemPoolInterface $cache * * @return CredentialsLoader * * @throws DomainException if no implementation can be obtained. */ public static function getCredentials($scope = null, callable $httpHandler = null, array $cacheConfig = null, CacheItemPoolInterface $cache = null) { $creds = null; $jsonKey = CredentialsLoader::fromEnv() ?: CredentialsLoader::fromWellKnownFile(); if (!is_null($jsonKey)) { $creds = CredentialsLoader::makeCredentials($scope, $jsonKey); } if (AppIdentityCredentials::onAppEngine() && !GCECredentials::onAppEngineFlexible()) { $creds = new AppIdentityCredentials($scope); } if (GCECredentials::onGce($httpHandler)) { $creds = new GCECredentials(); } if (is_null($creds)) { throw new \DomainException(self::notFound()); } if (!is_null($cache)) { $creds = new FetchAuthTokenCache($creds, $cacheConfig, $cache); } return $creds; }
/** * Adds auth listeners to the HTTP client based on the credentials * set in the Google API Client object * * @param GuzzleHttp\ClientInterface $http the http client object. * @param GuzzleHttp\ClientInterface $authHttp an http client for authentication. * @return void */ public function authorize(ClientInterface $http, ClientInterface $authHttp = null) { $subscriber = null; $authIdentifier = null; // if we end up needing to make an HTTP request to retrieve credentials, we // can use our existing one, but we need to throw exceptions so the error // bubbles up. $authHttp = $authHttp ?: $this->createDefaultAuthHttpClient($http); // These conditionals represent the decision tree for authentication // 1. Check for Application Default Credentials // 2. Check for API Key // 3a. Check for an Access Token // 3b. If access token exists but is expired, try to refresh it if ($this->config->get('use_application_default_credentials')) { $scopes = $this->prepareScopes(); if ($sub = $this->config->get('subject')) { // for service account domain-wide authority (impersonating a user) // @see https://developers.google.com/identity/protocols/OAuth2ServiceAccount if (!($creds = CredentialsLoader::fromEnv($scopes))) { $creds = CredentialsLoader::fromWellKnownFile($scopes); } if (!$creds instanceof ServiceAccountCredentials) { throw new DomainException('domain-wide authority requires service account credentials'); } $creds->setSub($sub); $subscriber = new AuthTokenFetcher($creds, array(), $this->cache, $authHttp); } else { $subscriber = ApplicationDefaultCredentials::getFetcher($scopes, $authHttp, array(), $this->cache); } $authIdentifier = 'google_auth'; } elseif ($key = $this->config->get('developer_key')) { // if a developer key is set, authorize using that $subscriber = new Simple(['key' => $key]); $authIdentifier = 'simple'; } elseif ($token = $this->getAccessToken()) { $scopes = $this->prepareScopes(); // add refresh subscriber to request a new token if ($this->isAccessTokenExpired() && isset($token['refresh_token'])) { $subscriber = $this->createUserRefreshCredentials($scopes, $token['refresh_token'], $authHttp); $authIdentifier = 'google_auth'; } else { $subscriber = new ScopedAccessToken(function ($scopes) use($token) { return $token['access_token']; }, (array) $scopes, []); $authIdentifier = 'scoped'; } } if ($subscriber) { $http->setDefaultOption('auth', $authIdentifier); $http->getEmitter()->attach($subscriber); $this->getLogger()->log('info', sprintf('Added listener for auth type "%s"', $authIdentifier)); } return $http; }
/** * Gets the credentials fetcher and sets up caching. Precedence begins with * user supplied credentials fetcher instance, followed by a reference to a * key file stream, and finally the application default credentials. * * @return FetchAuthTokenInterface */ public function getCredentialsFetcher() { $fetcher = null; if ($this->credentialsFetcher) { $fetcher = $this->credentialsFetcher; } elseif ($this->keyFile) { $fetcher = CredentialsLoader::makeCredentials($this->scopes, $this->keyFile); } else { $fetcher = ApplicationDefaultCredentials::getCredentials($this->scopes, $this->authHttpHandler); } return new FetchAuthTokenCache($fetcher, $this->authCacheOptions, $this->authCache); }
/** * Gets the credentials fetcher. Precedence begins with user supplied * credentials fetcher instance, followed by a reference to a key file * stream, and finally the application default credentials. * * @return FetchAuthTokenInterface */ public function getCredentialsFetcher() { if ($this->credentialsFetcher) { return $this->credentialsFetcher; } if ($this->keyFile) { return CredentialsLoader::makeCredentials($this->scopes, $this->keyFile); } return ApplicationDefaultCredentials::getCredentials($this->scopes, $this->authHttpHandler); }