Class: Legate::Auth::Schemes::GoogleServiceAccount

Inherits:

ServiceAccount

• Object
• Legate::Auth::Scheme
• ServiceAccount
• Legate::Auth::Schemes::GoogleServiceAccount

Defined in:

lib/legate/auth/schemes/google_service_account.rb

Overview

GoogleServiceAccount implements authentication for Google service accounts using JWT assertions for OAuth 2.0 token exchange

Constant Summary

GOOGLE_TOKEN_URL =

Default token URL for Google service accounts

'https://oauth2.googleapis.com/token'

Constants inherited from ServiceAccount

ServiceAccount::DEFAULT_TOKEN_LIFETIME

Instance Attribute Summary

Attributes inherited from ServiceAccount

#audience, #client_email, #private_key_id, #scopes, #token_lifetime, #token_url

Instance Method Summary

• #fetch_token(credential) ⇒ Legate::Auth::ExchangedCredential

  Fetch a new token using the Google service account.

• #initialize(audience: nil, scopes: nil, token_url: GOOGLE_TOKEN_URL, token_lifetime: 3600) ⇒ GoogleServiceAccount constructor

  Initialize a new GoogleServiceAccount scheme.

• #scheme_type ⇒ Symbol

  The scheme type.

Methods inherited from ServiceAccount

#apply_to_request, #exchange_token, #refresh_token, #supports_refresh?, #to_h, #validate!

Methods inherited from Legate::Auth::Scheme

#apply_to_request, #authentication_error?, #build_authorization_uri, #exchange_token, #refresh_token, #revoke_token, #supports_refresh?, #to_h, #to_s, #validate!

Constructor Details

#initialize(audience: nil, scopes: nil, token_url: GOOGLE_TOKEN_URL, token_lifetime: 3600) ⇒ GoogleServiceAccount

Initialize a new GoogleServiceAccount scheme

Parameters:

• audience (String, nil) (defaults to: nil) —

  The audience for the JWT (defaults to token URL)

• scopes (Array<String>, String, nil) (defaults to: nil) —

  The requested scopes

• token_url (String) (defaults to: GOOGLE_TOKEN_URL) —

  The URL for token exchange

• token_lifetime (Integer) (defaults to: 3600) —

  The token lifetime in seconds

# File 'lib/legate/auth/schemes/google_service_account.rb', line 24

def initialize(audience: nil, scopes: nil, token_url: GOOGLE_TOKEN_URL, token_lifetime: 3600)
  super(
    token_url: token_url,
    audience: audience || token_url,
    scopes: scopes,
    token_lifetime: token_lifetime
  )
end

Instance Method Details

#fetch_token(credential) ⇒ Legate::Auth::ExchangedCredential

Fetch a new token using the Google service account

Parameters:

• credential (Legate::Auth::Credential) —

  The credential with service account info

Returns:

• (Legate::Auth::ExchangedCredential) —

  The exchanged credential with the token

Raises:

• (Legate::Auth::TokenExchangeError) —

  If token exchange fails

# File 'lib/legate/auth/schemes/google_service_account.rb', line 42

def fetch_token(credential)
  # Verify credential type
  raise Legate::Auth::CredentialError, 'Invalid credential type for service account' unless credential.is_a?(Legate::Auth::Credential)

  # Extract service account key from credential
  service_account_key = get_service_account_key(credential)

  # Create and sign the JWT
  jwt = create_signed_jwt(service_account_key)

  # Exchange the JWT for an access token
  token_response = exchange_jwt_for_token(jwt)

  # Create an exchanged credential with the token information
  Legate::Auth::ExchangedCredential.new(
    auth_type: :google_service_account,
    access_token: token_response[:access_token],
    expires_in: token_response[:expires_in],
    token_type: token_response[:token_type],
    scope: token_response[:scope]
  )
end

#scheme_type ⇒ Symbol

Returns The scheme type.

Returns:

• (Symbol) —

  The scheme type

# File 'lib/legate/auth/schemes/google_service_account.rb', line 34

def scheme_type
  :google_service_account
end