eaiovnaovbqoebvqoeavibavo LICENSE000064400000024020150230132410005536 0ustar00Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. autoload.php000064400000002133150230132410007053 0ustar00 3) { // Maximum class file path depth in this project is 3. $classPath = array_slice($classPath, 0, 3); } $filePath = dirname(__FILE__) . '/src/' . implode('/', $classPath) . '.php'; if (file_exists($filePath)) { require_once $filePath; } } spl_autoload_register('oauth2client_php_autoload'); CODE_OF_CONDUCT.md000064400000003675150230132410007345 0ustar00# Contributor Code of Conduct As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities. We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality. Examples of unacceptable behavior by participants include: * The use of sexualized language or imagery * Personal attacks * Trolling or insulting/derogatory comments * Public or private harassment * Publishing other's private information, such as physical or electronic addresses, without explicit permission * Other unethical or unprofessional conduct. Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently applying these principles to every aspect of managing this project. Project maintainers who do not follow or enforce the Code of Conduct may be permanently removed from the project team. This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an issue or contacting one or more of the project maintainers. This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/) README.md000064400000017230150230132410006015 0ustar00# Google Auth Library for PHP
Homepage
http://www.github.com/google/google-auth-library-php
Reference Docs
https://googleapis.github.io/google-auth-library-php/master/
Authors
Tim Emiola
Stanley Cheung
Brent Shaffer
Copyright
Copyright © 2015 Google, Inc.
License
Apache 2.0
## Description This is Google's officially supported PHP client library for using OAuth 2.0 authorization and authentication with Google APIs. ### Installing via Composer The recommended way to install the google auth library is through [Composer](http://getcomposer.org). ```bash # Install Composer curl -sS https://getcomposer.org/installer | php ``` Next, run the Composer command to install the latest stable version: ```bash composer.phar require google/auth ``` ## Application Default Credentials This library provides an implementation of [application default credentials][application default credentials] for PHP. The Application Default Credentials provide a simple way to get authorization credentials for use in calling Google APIs. They are best suited for cases when the call needs to have the same identity and authorization level for the application independent of the user. This is the recommended approach to authorize calls to Cloud APIs, particularly when you're building an application that uses Google Compute Engine. #### Download your Service Account Credentials JSON file To use `Application Default Credentials`, You first need to download a set of JSON credentials for your project. Go to **APIs & Services** > **Credentials** in the [Google Developers Console][developer console] and select **Service account** from the **Add credentials** dropdown. > This file is your *only copy* of these credentials. It should never be > committed with your source code, and should be stored securely. Once downloaded, store the path to this file in the `GOOGLE_APPLICATION_CREDENTIALS` environment variable. ```php putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json'); ``` > PHP's `putenv` function is just one way to set an environment variable. > Consider using `.htaccess` or apache configuration files as well. #### Enable the API you want to use Before making your API call, you must be sure the API you're calling has been enabled. Go to **APIs & Auth** > **APIs** in the [Google Developers Console][developer console] and enable the APIs you'd like to call. For the example below, you must enable the `Drive API`. #### Call the APIs As long as you update the environment variable below to point to *your* JSON credentials file, the following code should output a list of your Drive files. ```php use Google\Auth\ApplicationDefaultCredentials; use GuzzleHttp\Client; use GuzzleHttp\HandlerStack; // specify the path to your application credentials putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json'); // define the scopes for your API call $scopes = ['https://www.googleapis.com/auth/drive.readonly']; // create middleware $middleware = ApplicationDefaultCredentials::getMiddleware($scopes); $stack = HandlerStack::create(); $stack->push($middleware); // create the HTTP client $client = new Client([ 'handler' => $stack, 'base_uri' => 'https://www.googleapis.com', 'auth' => 'google_auth' // authorize all requests ]); // make the request $response = $client->get('drive/v2/files'); // show the result! print_r((string) $response->getBody()); ``` ##### Guzzle 5 Compatibility If you are using [Guzzle 5][Guzzle 5], replace the `create middleware` and `create the HTTP Client` steps with the following: ```php // create the HTTP client $client = new Client([ 'base_url' => 'https://www.googleapis.com', 'auth' => 'google_auth' // authorize all requests ]); // create subscriber $subscriber = ApplicationDefaultCredentials::getSubscriber($scopes); $client->getEmitter()->attach($subscriber); ``` #### Call using an ID Token If your application is running behind Cloud Run, or using Cloud Identity-Aware Proxy (IAP), you will need to fetch an ID token to access your application. For this, use the static method `getIdTokenMiddleware` on `ApplicationDefaultCredentials`. ```php use Google\Auth\ApplicationDefaultCredentials; use GuzzleHttp\Client; use GuzzleHttp\HandlerStack; // specify the path to your application credentials putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json'); // Provide the ID token audience. This can be a Client ID associated with an IAP application, // Or the URL associated with a CloudRun App // $targetAudience = 'IAP_CLIENT_ID.apps.googleusercontent.com'; // $targetAudience = 'https://service-1234-uc.a.run.app'; $targetAudience = 'YOUR_ID_TOKEN_AUDIENCE'; // create middleware $middleware = ApplicationDefaultCredentials::getIdTokenMiddleware($targetAudience); $stack = HandlerStack::create(); $stack->push($middleware); // create the HTTP client $client = new Client([ 'handler' => $stack, 'auth' => 'google_auth', // Cloud Run, IAP, or custom resource URL 'base_uri' => 'https://YOUR_PROTECTED_RESOURCE', ]); // make the request $response = $client->get('/'); // show the result! print_r((string) $response->getBody()); ``` For invoking Cloud Run services, your service account will need the [`Cloud Run Invoker`](https://cloud.google.com/run/docs/authenticating/service-to-service) IAM permission. For invoking Cloud Identity-Aware Proxy, you will need to pass the Client ID used when you set up your protected resource as the target audience. See how to [secure your IAP app with signed headers](https://cloud.google.com/iap/docs/signed-headers-howto). #### Verifying JWTs If you are [using Google ID tokens to authenticate users][google-id-tokens], use the `Google\Auth\AccessToken` class to verify the ID token: ```php use Google\Auth\AccessToken; $auth = new AccessToken(); $auth->verify($idToken); ``` If your app is running behind [Google Identity-Aware Proxy][iap-id-tokens] (IAP), you can verify the ID token coming from the IAP server by pointing to the appropriate certificate URL for IAP. This is because IAP signs the ID tokens with a different key than the Google Identity service: ```php use Google\Auth\AccessToken; $auth = new AccessToken(); $auth->verify($idToken, [ 'certsLocation' => AccessToken::IAP_CERT_URL ]); ``` [google-id-tokens]: https://developers.google.com/identity/sign-in/web/backend-auth [iap-id-tokens]: https://cloud.google.com/iap/docs/signed-headers-howto ## License This library is licensed under Apache 2.0. Full license text is available in [COPYING][copying]. ## Contributing See [CONTRIBUTING][contributing]. ## Support Please [report bugs at the project on Github](https://github.com/google/google-auth-library-php/issues). Don't hesitate to [ask questions](http://stackoverflow.com/questions/tagged/google-auth-library-php) about the client or APIs on [StackOverflow](http://stackoverflow.com). [google-apis-php-client]: https://github.com/google/google-api-php-client [application default credentials]: https://developers.google.com/accounts/docs/application-default-credentials [contributing]: https://github.com/google/google-auth-library-php/tree/master/.github/CONTRIBUTING.md [copying]: https://github.com/google/google-auth-library-php/tree/master/COPYING [Guzzle]: https://github.com/guzzle/guzzle [Guzzle 5]: http://docs.guzzlephp.org/en/5.3 [developer console]: https://console.developers.google.com COPYING000064400000026116150230132410005574 0ustar00 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright 2015 Google Inc. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. composer.json000064400000002151150230132410007254 0ustar00{ "name": "google/auth", "type": "library", "description": "Google Auth Library for PHP", "keywords": ["google", "oauth2", "authentication"], "homepage": "http://github.com/google/google-auth-library-php", "license": "Apache-2.0", "support": { "docs": "https://googleapis.github.io/google-auth-library-php/master/" }, "require": { "php": ">=5.4", "firebase/php-jwt": "~2.0|~3.0|~4.0|~5.0", "guzzlehttp/guzzle": "^5.3.1|^6.2.1|^7.0", "guzzlehttp/psr7": "^1.2", "psr/http-message": "^1.0", "psr/cache": "^1.0" }, "require-dev": { "guzzlehttp/promises": "0.1.1|^1.3", "squizlabs/php_codesniffer": "^3.5", "phpunit/phpunit": "^4.8.36|^5.7", "sebastian/comparator": ">=1.2.3", "phpseclib/phpseclib": "^2", "kelvinmo/simplejwt": "^0.2.5|^0.5.1" }, "suggest": { "phpseclib/phpseclib": "May be used in place of OpenSSL for signing strings or for token management. Please require version ^2." }, "autoload": { "psr-4": { "Google\\Auth\\": "src" } }, "autoload-dev": { "psr-4": { "Google\\Auth\\Tests\\": "tests" } } } CHANGELOG.md000064400000012013150230132410006341 0ustar00## 1.15.0 (02/05/2021) * [feat]: support for PHP 8.0: updated dependencies and tests (#318, #319) ## 1.14.3 (10/16/2020) * [fix]: add expires_at to GCECredentials (#314) ## 1.14.2 (10/14/2020) * [fix]: Better FetchAuthTokenCache and getLastReceivedToken (#311) ## 1.14.1 (10/05/2020) * [fix]: variable typo (#310) ## 1.14.0 (10/02/2020) * [feat]: Add support for default scopes (#306) ## 1.13.0 (9/18/2020) * [feat]: Add service account identity support to GCECredentials (#304) ## 1.12.0 (8/31/2020) * [feat]: Add QuotaProject option to getMiddleware (#296) * [feat]: Add caching for calls to GCECredentials::onGce (#301) * [feat]: Add updateMetadata function to token cache (#298) * [fix]: Use quota_project_id instead of quota_project (#299) ## 1.11.1 (7/27/2020) * [fix]: catch ConnectException in GCE check (#294) * [docs]: Adds [reference docs](https://googleapis.github.io/google-auth-library-php/master) ## 1.11.0 (7/22/2020) * [feat]: Check cache expiration (#291) * [fix]: OAuth2 cache key when audience is set (#291) ## 1.10.0 (7/8/2020) * [feat]: Add support for Guzzle 7 (#256) * [fix]: Remove SDK warning (#283) * [chore]: Switch to github pages deploy action (#284) ## 1.9.0 (5/14/2020) * [feat] Add quotaProject param for extensible client options support (#277) * [feat] Add signingKeyId param for jwt signing (#270) * [docs] Misc documentation improvements (#268, #278, #273) * [chore] Switch from Travis to Github Actions (#273) ## 1.8.0 (3/26/2020) * [feat] Add option to throw exception in AccessToken::verify(). (#265) * [feat] Add support for x-goog-user-project. (#254) * [feat] Add option to specify issuer in AccessToken::verify(). (#267) * [feat] Add getProjectId to credentials types where project IDs can be determined. (#230) ## 1.7.1 (02/12/2020) * [fix] Invalid character in iap cert cache key (#263) * [fix] Typo in exception for package name (#262) ## 1.7.0 (02/11/2020) * [feat] Add ID token to auth token methods. (#248) * [feat] Add support for ES256 in `AccessToken::verify`. (#255) * [fix] Let namespace match the file structure. (#258) * [fix] Construct RuntimeException. (#257) * [tests] Update tests for PHP 7.4 compatibility. (#253) * [chore] Add a couple more things to `.gitattributes`. (#252) ## 1.6.1 (10/29/2019) * [fix] Handle DST correctly for cache item expirations. (#246) ## 1.6.0 (10/01/2019) * [feat] Add utility for verifying and revoking access tokens. (#243) * [docs] Fix README console terminology. (#242) * [feat] Support custom scopes with GCECredentials. (#239) * [fix] Fix phpseclib existence check. (#237) ## 1.5.2 (07/22/2019) * [fix] Move loadItems call out of `SysVCacheItemPool` constructor. (#229) * [fix] Add `Metadata-Flavor` header to initial GCE metadata call. (#232) ## 1.5.1 (04/16/2019) * [fix] Moved `getClientName()` from `Google\Auth\FetchAuthTokenInterface` to `Google\Auth\SignBlobInterface`, and removed `getClientName()` from `InsecureCredentials` and `UserRefreshCredentials`. (#223) ## 1.5.0 (04/15/2019) ### Changes * Add support for signing strings with a Credentials instance. (#221) * [Docs] Describe the arrays returned by fetchAuthToken. (#216) * [Testing] Fix failing tests (#217) * Update GitHub issue templates (#214, #213) ## 1.4.0 (09/17/2018) ### Changes * Add support for insecure credentials (#208) ## 1.3.3 (08/27/2018) ### Changes * Add retry and increase timeout for GCE credentials (#195) * [Docs] Fix spelling (#204) * Update token url (#206) ## 1.3.2 (07/23/2018) ### Changes * Only emits a warning for gcloud credentials (#202) ## 1.3.1 (07/19/2018) ### Changes * Added a warning for 3 legged OAuth credentials (#199) * [Code cleanup] Removed useless else after return (#193) ## 1.3.0 (06/04/2018) ### Changes * Fixes usage of deprecated env var for GAE Flex (#189) * fix - guzzlehttp/psr7 dependency version definition (#190) * Added SystemV shared memory based CacheItemPool (#191) ## 1.2.1 (24/01/2018) ### Changes * Fixes array merging bug in Guzzle5HttpHandler (#186) * Fixes constructor argument bug in Subscriber & Middleware (#184) ## 1.2.0 (6/12/2017) ### Changes * Adds async method to HTTP handlers (#176) * Misc bug fixes and improvements (#177, #175, #178) ## 1.1.0 (10/10/2017) ### Changes * Supports additional claims in JWT tokens (#171) * Adds makeHttpClient for creating authorized Guzzle clients (#162) * Misc bug fixes/improvements (#168, #161, #167, #170, #143) ## 1.0.1 (31/07/2017) ### Changes * Adds support for Firebase 5.0 (#159) ## 1.0.0 (12/06/2017) ### Changes * Adds hashing and shortening to enforce max key length ([@bshaffer]) * Fix for better PSR-6 compliance - verifies a hit before getting the cache item ([@bshaffer]) * README fixes ([@bshaffer]) * Change authorization header key to lowercase ([@stanley-cheung]) ## 0.4.0 (23/04/2015) ### Changes * Export callback function to update auth metadata ([@stanley-cheung][]) * Adds an implementation of User Refresh Token auth ([@stanley-cheung][]) [@bshaffer]: https://github.com/bshaffer [@stanley-cheung]: https://github.com/stanley-cheung src/GetQuotaProjectInterface.php000064400000001663150230132410012742 0ustar00options = $options + [ 'variableKey' => self::VAR_KEY, 'proj' => self::DEFAULT_PROJ, 'memsize' => self::DEFAULT_MEMSIZE, 'perm' => self::DEFAULT_PERM ]; $this->items = []; $this->deferredItems = []; $this->sysvKey = ftok(__FILE__, $this->options['proj']); } public function getItem($key) { $this->loadItems(); return current($this->getItems([$key])); } /** * {@inheritdoc} */ public function getItems(array $keys = []) { $this->loadItems(); $items = []; foreach ($keys as $key) { $items[$key] = $this->hasItem($key) ? clone $this->items[$key] : new Item($key); } return $items; } /** * {@inheritdoc} */ public function hasItem($key) { $this->loadItems(); return isset($this->items[$key]) && $this->items[$key]->isHit(); } /** * {@inheritdoc} */ public function clear() { $this->items = []; $this->deferredItems = []; return $this->saveCurrentItems(); } /** * {@inheritdoc} */ public function deleteItem($key) { return $this->deleteItems([$key]); } /** * {@inheritdoc} */ public function deleteItems(array $keys) { if (!$this->hasLoadedItems) { $this->loadItems(); } foreach ($keys as $key) { unset($this->items[$key]); } return $this->saveCurrentItems(); } /** * {@inheritdoc} */ public function save(CacheItemInterface $item) { if (!$this->hasLoadedItems) { $this->loadItems(); } $this->items[$item->getKey()] = $item; return $this->saveCurrentItems(); } /** * {@inheritdoc} */ public function saveDeferred(CacheItemInterface $item) { $this->deferredItems[$item->getKey()] = $item; return true; } /** * {@inheritdoc} */ public function commit() { foreach ($this->deferredItems as $item) { if ($this->save($item) === false) { return false; } } $this->deferredItems = []; return true; } /** * Save the current items. * * @return bool true when success, false upon failure */ private function saveCurrentItems() { $shmid = shm_attach( $this->sysvKey, $this->options['memsize'], $this->options['perm'] ); if ($shmid !== false) { $ret = shm_put_var( $shmid, $this->options['variableKey'], $this->items ); shm_detach($shmid); return $ret; } return false; } /** * Load the items from the shared memory. * * @return bool true when success, false upon failure */ private function loadItems() { $shmid = shm_attach( $this->sysvKey, $this->options['memsize'], $this->options['perm'] ); if ($shmid !== false) { $data = @shm_get_var($shmid, $this->options['variableKey']); if (!empty($data)) { $this->items = $data; } else { $this->items = []; } shm_detach($shmid); $this->hasLoadedItems = true; return true; } return false; } } src/Cache/Item.php000064400000010273150230132410007737 0ustar00key = $key; } /** * {@inheritdoc} */ public function getKey() { return $this->key; } /** * {@inheritdoc} */ public function get() { return $this->isHit() ? $this->value : null; } /** * {@inheritdoc} */ public function isHit() { if (!$this->isHit) { return false; } if ($this->expiration === null) { return true; } return $this->currentTime()->getTimestamp() < $this->expiration->getTimestamp(); } /** * {@inheritdoc} */ public function set($value) { $this->isHit = true; $this->value = $value; return $this; } /** * {@inheritdoc} */ public function expiresAt($expiration) { if ($this->isValidExpiration($expiration)) { $this->expiration = $expiration; return $this; } $implementationMessage = interface_exists('DateTimeInterface') ? 'implement interface DateTimeInterface' : 'be an instance of DateTime'; $error = sprintf( 'Argument 1 passed to %s::expiresAt() must %s, %s given', get_class($this), $implementationMessage, gettype($expiration) ); $this->handleError($error); } /** * {@inheritdoc} */ public function expiresAfter($time) { if (is_int($time)) { $this->expiration = $this->currentTime()->add(new \DateInterval("PT{$time}S")); } elseif ($time instanceof \DateInterval) { $this->expiration = $this->currentTime()->add($time); } elseif ($time === null) { $this->expiration = $time; } else { $message = 'Argument 1 passed to %s::expiresAfter() must be an ' . 'instance of DateInterval or of the type integer, %s given'; $error = sprintf($message, get_class($this), gettype($time)); $this->handleError($error); } return $this; } /** * Handles an error. * * @param string $error * @throws \TypeError */ private function handleError($error) { if (class_exists('TypeError')) { throw new \TypeError($error); } trigger_error($error, E_USER_ERROR); } /** * Determines if an expiration is valid based on the rules defined by PSR6. * * @param mixed $expiration * @return bool */ private function isValidExpiration($expiration) { if ($expiration === null) { return true; } // We test for two types here due to the fact the DateTimeInterface // was not introduced until PHP 5.5. Checking for the DateTime type as // well allows us to support 5.4. if ($expiration instanceof \DateTimeInterface) { return true; } if ($expiration instanceof \DateTime) { return true; } return false; } protected function currentTime() { return new \DateTime('now', new \DateTimeZone('UTC')); } } src/Cache/MemoryCacheItemPool.php000064400000006147150230132410012713 0ustar00getItems([$key])); } /** * {@inheritdoc} */ public function getItems(array $keys = []) { $items = []; foreach ($keys as $key) { $items[$key] = $this->hasItem($key) ? clone $this->items[$key] : new Item($key); } return $items; } /** * {@inheritdoc} */ public function hasItem($key) { $this->isValidKey($key); return isset($this->items[$key]) && $this->items[$key]->isHit(); } /** * {@inheritdoc} */ public function clear() { $this->items = []; $this->deferredItems = []; return true; } /** * {@inheritdoc} */ public function deleteItem($key) { return $this->deleteItems([$key]); } /** * {@inheritdoc} */ public function deleteItems(array $keys) { array_walk($keys, [$this, 'isValidKey']); foreach ($keys as $key) { unset($this->items[$key]); } return true; } /** * {@inheritdoc} */ public function save(CacheItemInterface $item) { $this->items[$item->getKey()] = $item; return true; } /** * {@inheritdoc} */ public function saveDeferred(CacheItemInterface $item) { $this->deferredItems[$item->getKey()] = $item; return true; } /** * {@inheritdoc} */ public function commit() { foreach ($this->deferredItems as $item) { $this->save($item); } $this->deferredItems = []; return true; } /** * Determines if the provided key is valid. * * @param string $key * @return bool * @throws InvalidArgumentException */ private function isValidKey($key) { $invalidCharacters = '{}()/\\\\@:'; if (!is_string($key) || preg_match("#[$invalidCharacters]#", $key)) { throw new InvalidArgumentException('The provided key is not valid: ' . var_export($key, true)); } return true; } } src/UpdateMetadataInterface.php000064400000002317150230132410012542 0ustar00cache)) { return; } $key = $this->getFullCacheKey($k); if (is_null($key)) { return; } $cacheItem = $this->cache->getItem($key); if ($cacheItem->isHit()) { return $cacheItem->get(); } } /** * Saves the value in the cache when that is available. */ private function setCachedValue($k, $v) { if (is_null($this->cache)) { return; } $key = $this->getFullCacheKey($k); if (is_null($key)) { return; } $cacheItem = $this->cache->getItem($key); $cacheItem->set($v); $cacheItem->expiresAfter($this->cacheConfig['lifetime']); return $this->cache->save($cacheItem); } private function getFullCacheKey($key) { if (is_null($key)) { return; } $key = $this->cacheConfig['prefix'] . $key; // ensure we do not have illegal characters $key = preg_replace('|[^a-zA-Z0-9_\.!]|', '', $key); // Hash keys if they exceed $maxKeyLength (defaults to 64) if ($this->maxKeyLength && strlen($key) > $this->maxKeyLength) { $key = substr(hash('sha256', $key), 0, $this->maxKeyLength); } return $key; } } src/ServiceAccountSignerTrait.php000064400000003464150230132410013133 0ustar00auth->getSigningKey(); $signedString = ''; if (class_exists('\\phpseclib\\Crypt\\RSA') && !$forceOpenssl) { $rsa = new RSA; $rsa->loadKey($privateKey); $rsa->setSignatureMode(RSA::SIGNATURE_PKCS1); $rsa->setHash('sha256'); $signedString = $rsa->sign($stringToSign); } elseif (extension_loaded('openssl')) { openssl_sign($stringToSign, $signedString, $privateKey, 'sha256WithRSAEncryption'); } else { // @codeCoverageIgnoreStart throw new \RuntimeException('OpenSSL is not installed.'); } // @codeCoverageIgnoreEnd return base64_encode($signedString); } } src/GCECache.php000064400000004667150230132410007372 0ustar00cache = $cache; $this->cacheConfig = array_merge([ 'lifetime' => 1500, 'prefix' => '', ], (array) $cacheConfig); } /** * Caches the result of onGce so the metadata server is not called multiple * times. * * @param callable $httpHandler callback which delivers psr7 request * @return bool True if this a GCEInstance, false otherwise */ public function onGce(callable $httpHandler = null) { if (is_null($this->cache)) { return GCECredentials::onGce($httpHandler); } $cacheKey = self::GCE_CACHE_KEY; $onGce = $this->getCachedValue($cacheKey); if (is_null($onGce)) { $onGce = GCECredentials::onGce($httpHandler); $this->setCachedValue($cacheKey, $onGce); } return $onGce; } } src/CredentialsLoader.php000064400000017451150230132410011427 0ustar00setDefaultOption('auth', 'google_auth'); $subscriber = new Subscriber\AuthTokenSubscriber( $fetcher, $httpHandler, $tokenCallback ); $client->getEmitter()->attach($subscriber); return $client; } $middleware = new Middleware\AuthTokenMiddleware( $fetcher, $httpHandler, $tokenCallback ); $stack = \GuzzleHttp\HandlerStack::create(); $stack->push($middleware); return new \GuzzleHttp\Client([ 'handler' => $stack, 'auth' => 'google_auth', ] + $httpClientOptions); } /** * Create a new instance of InsecureCredentials. * * @return InsecureCredentials */ public static function makeInsecureCredentials() { return new InsecureCredentials(); } /** * export a callback function which updates runtime metadata. * * @return array updateMetadata function * @deprecated */ public function getUpdateMetadataFunc() { return array($this, 'updateMetadata'); } /** * Updates metadata with the authorization token. * * @param array $metadata metadata hashmap * @param string $authUri optional auth uri * @param callable $httpHandler callback which delivers psr7 request * @return array updated metadata hashmap */ public function updateMetadata( $metadata, $authUri = null, callable $httpHandler = null ) { if (isset($metadata[self::AUTH_METADATA_KEY])) { // Auth metadata has already been set return $metadata; } $result = $this->fetchAuthToken($httpHandler); if (!isset($result['access_token'])) { return $metadata; } $metadata_copy = $metadata; $metadata_copy[self::AUTH_METADATA_KEY] = array('Bearer ' . $result['access_token']); return $metadata_copy; } } src/AccessToken.php000064400000042365150230132410010247 0ustar00httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); $this->cache = $cache ?: new MemoryCacheItemPool(); } /** * Verifies an id token and returns the authenticated apiLoginTicket. * Throws an exception if the id token is not valid. * The audience parameter can be used to control which id tokens are * accepted. By default, the id token must have been issued to this OAuth2 client. * * @param string $token The JSON Web Token to be verified. * @param array $options [optional] Configuration options. * @param string $options.audience The indended recipient of the token. * @param string $options.issuer The intended issuer of the token. * @param string $options.cacheKey The cache key of the cached certs. Defaults to * the sha1 of $certsLocation if provided, otherwise is set to * "federated_signon_certs_v3". * @param string $options.certsLocation The location (remote or local) from which * to retrieve certificates, if not cached. This value should only be * provided in limited circumstances in which you are sure of the * behavior. * @param bool $options.throwException Whether the function should throw an * exception if the verification fails. This is useful for * determining the reason verification failed. * @return array|bool the token payload, if successful, or false if not. * @throws InvalidArgumentException If certs could not be retrieved from a local file. * @throws InvalidArgumentException If received certs are in an invalid format. * @throws InvalidArgumentException If the cert alg is not supported. * @throws RuntimeException If certs could not be retrieved from a remote location. * @throws UnexpectedValueException If the token issuer does not match. * @throws UnexpectedValueException If the token audience does not match. */ public function verify($token, array $options = []) { $audience = isset($options['audience']) ? $options['audience'] : null; $issuer = isset($options['issuer']) ? $options['issuer'] : null; $certsLocation = isset($options['certsLocation']) ? $options['certsLocation'] : self::FEDERATED_SIGNON_CERT_URL; $cacheKey = isset($options['cacheKey']) ? $options['cacheKey'] : $this->getCacheKeyFromCertLocation($certsLocation); $throwException = isset($options['throwException']) ? $options['throwException'] : false; // for backwards compatibility // Check signature against each available cert. $certs = $this->getCerts($certsLocation, $cacheKey, $options); $alg = $this->determineAlg($certs); if (!in_array($alg, ['RS256', 'ES256'])) { throw new InvalidArgumentException( 'unrecognized "alg" in certs, expected ES256 or RS256' ); } try { if ($alg == 'RS256') { return $this->verifyRs256($token, $certs, $audience, $issuer); } return $this->verifyEs256($token, $certs, $audience, $issuer); } catch (ExpiredException $e) { // firebase/php-jwt 3+ } catch (\ExpiredException $e) { // firebase/php-jwt 2 } catch (SignatureInvalidException $e) { // firebase/php-jwt 3+ } catch (\SignatureInvalidException $e) { // firebase/php-jwt 2 } catch (InvalidTokenException $e) { // simplejwt } catch (DomainException $e) { } catch (InvalidArgumentException $e) { } catch (UnexpectedValueException $e) { } if ($throwException) { throw $e; } return false; } /** * Identifies the expected algorithm to verify by looking at the "alg" key * of the provided certs. * * @param array $certs Certificate array according to the JWK spec (see * https://tools.ietf.org/html/rfc7517). * @return string The expected algorithm, such as "ES256" or "RS256". */ private function determineAlg(array $certs) { $alg = null; foreach ($certs as $cert) { if (empty($cert['alg'])) { throw new InvalidArgumentException( 'certs expects "alg" to be set' ); } $alg = $alg ?: $cert['alg']; if ($alg != $cert['alg']) { throw new InvalidArgumentException( 'More than one alg detected in certs' ); } } return $alg; } /** * Verifies an ES256-signed JWT. * * @param string $token The JSON Web Token to be verified. * @param array $certs Certificate array according to the JWK spec (see * https://tools.ietf.org/html/rfc7517). * @param string|null $audience If set, returns false if the provided * audience does not match the "aud" claim on the JWT. * @param string|null $issuer If set, returns false if the provided * issuer does not match the "iss" claim on the JWT. * @return array|bool the token payload, if successful, or false if not. */ private function verifyEs256($token, array $certs, $audience = null, $issuer = null) { $this->checkSimpleJwt(); $jwkset = new KeySet(); foreach ($certs as $cert) { $jwkset->add(KeyFactory::create($cert, 'php')); } // Validate the signature using the key set and ES256 algorithm. $jwt = $this->callSimpleJwtDecode([$token, $jwkset, 'ES256']); $payload = $jwt->getClaims(); if (isset($payload['aud'])) { if ($audience && $payload['aud'] != $audience) { throw new UnexpectedValueException('Audience does not match'); } } // @see https://cloud.google.com/iap/docs/signed-headers-howto#verifying_the_jwt_payload $issuer = $issuer ?: self::IAP_ISSUER; if (!isset($payload['iss']) || $payload['iss'] !== $issuer) { throw new UnexpectedValueException('Issuer does not match'); } return $payload; } /** * Verifies an RS256-signed JWT. * * @param string $token The JSON Web Token to be verified. * @param array $certs Certificate array according to the JWK spec (see * https://tools.ietf.org/html/rfc7517). * @param string|null $audience If set, returns false if the provided * audience does not match the "aud" claim on the JWT. * @param string|null $issuer If set, returns false if the provided * issuer does not match the "iss" claim on the JWT. * @return array|bool the token payload, if successful, or false if not. */ private function verifyRs256($token, array $certs, $audience = null, $issuer = null) { $this->checkAndInitializePhpsec(); $keys = []; foreach ($certs as $cert) { if (empty($cert['kid'])) { throw new InvalidArgumentException( 'certs expects "kid" to be set' ); } if (empty($cert['n']) || empty($cert['e'])) { throw new InvalidArgumentException( 'RSA certs expects "n" and "e" to be set' ); } $rsa = new RSA(); $rsa->loadKey([ 'n' => new BigInteger($this->callJwtStatic('urlsafeB64Decode', [ $cert['n'], ]), 256), 'e' => new BigInteger($this->callJwtStatic('urlsafeB64Decode', [ $cert['e'] ]), 256), ]); // create an array of key IDs to certs for the JWT library $keys[$cert['kid']] = $rsa->getPublicKey(); } $payload = $this->callJwtStatic('decode', [ $token, $keys, ['RS256'] ]); if (property_exists($payload, 'aud')) { if ($audience && $payload->aud != $audience) { throw new UnexpectedValueException('Audience does not match'); } } // support HTTP and HTTPS issuers // @see https://developers.google.com/identity/sign-in/web/backend-auth $issuers = $issuer ? [$issuer] : [self::OAUTH2_ISSUER, self::OAUTH2_ISSUER_HTTPS]; if (!isset($payload->iss) || !in_array($payload->iss, $issuers)) { throw new UnexpectedValueException('Issuer does not match'); } return (array) $payload; } /** * Revoke an OAuth2 access token or refresh token. This method will revoke the current access * token, if a token isn't provided. * * @param string|array $token The token (access token or a refresh token) that should be revoked. * @param array $options [optional] Configuration options. * @return bool Returns True if the revocation was successful, otherwise False. */ public function revoke($token, array $options = []) { if (is_array($token)) { if (isset($token['refresh_token'])) { $token = $token['refresh_token']; } else { $token = $token['access_token']; } } $body = Psr7\stream_for(http_build_query(['token' => $token])); $request = new Request('POST', self::OAUTH2_REVOKE_URI, [ 'Cache-Control' => 'no-store', 'Content-Type' => 'application/x-www-form-urlencoded', ], $body); $httpHandler = $this->httpHandler; $response = $httpHandler($request, $options); return $response->getStatusCode() == 200; } /** * Gets federated sign-on certificates to use for verifying identity tokens. * Returns certs as array structure, where keys are key ids, and values * are PEM encoded certificates. * * @param string $location The location from which to retrieve certs. * @param string $cacheKey The key under which to cache the retrieved certs. * @param array $options [optional] Configuration options. * @return array * @throws InvalidArgumentException If received certs are in an invalid format. */ private function getCerts($location, $cacheKey, array $options = []) { $cacheItem = $this->cache->getItem($cacheKey); $certs = $cacheItem ? $cacheItem->get() : null; $gotNewCerts = false; if (!$certs) { $certs = $this->retrieveCertsFromLocation($location, $options); $gotNewCerts = true; } if (!isset($certs['keys'])) { if ($location !== self::IAP_CERT_URL) { throw new InvalidArgumentException( 'federated sign-on certs expects "keys" to be set' ); } throw new InvalidArgumentException( 'certs expects "keys" to be set' ); } // Push caching off until after verifying certs are in a valid format. // Don't want to cache bad data. if ($gotNewCerts) { $cacheItem->expiresAt(new DateTime('+1 hour')); $cacheItem->set($certs); $this->cache->save($cacheItem); } return $certs['keys']; } /** * Retrieve and cache a certificates file. * * @param $url string location * @param array $options [optional] Configuration options. * @return array certificates * @throws InvalidArgumentException If certs could not be retrieved from a local file. * @throws RuntimeException If certs could not be retrieved from a remote location. */ private function retrieveCertsFromLocation($url, array $options = []) { // If we're retrieving a local file, just grab it. if (strpos($url, 'http') !== 0) { if (!file_exists($url)) { throw new InvalidArgumentException(sprintf( 'Failed to retrieve verification certificates from path: %s.', $url )); } return json_decode(file_get_contents($url), true); } $httpHandler = $this->httpHandler; $response = $httpHandler(new Request('GET', $url), $options); if ($response->getStatusCode() == 200) { return json_decode((string) $response->getBody(), true); } throw new RuntimeException(sprintf( 'Failed to retrieve verification certificates: "%s".', $response->getBody()->getContents() ), $response->getStatusCode()); } private function checkAndInitializePhpsec() { // @codeCoverageIgnoreStart if (!class_exists('phpseclib\Crypt\RSA')) { throw new RuntimeException('Please require phpseclib/phpseclib v2 to use this utility.'); } // @codeCoverageIgnoreEnd $this->setPhpsecConstants(); } private function checkSimpleJwt() { // @codeCoverageIgnoreStart if (!class_exists('SimpleJWT\JWT')) { throw new RuntimeException('Please require kelvinmo/simplejwt ^0.2 to use this utility.'); } // @codeCoverageIgnoreEnd } /** * phpseclib calls "phpinfo" by default, which requires special * whitelisting in the AppEngine VM environment. This function * sets constants to bypass the need for phpseclib to check phpinfo * * @see phpseclib/Math/BigInteger * @see https://github.com/GoogleCloudPlatform/getting-started-php/issues/85 * @codeCoverageIgnore */ private function setPhpsecConstants() { if (filter_var(getenv('GAE_VM'), FILTER_VALIDATE_BOOLEAN)) { if (!defined('MATH_BIGINTEGER_OPENSSL_ENABLED')) { define('MATH_BIGINTEGER_OPENSSL_ENABLED', true); } if (!defined('CRYPT_RSA_MODE')) { define('CRYPT_RSA_MODE', RSA::MODE_OPENSSL); } } } /** * Provide a hook to mock calls to the JWT static methods. * * @param string $method * @param array $args * @return mixed */ protected function callJwtStatic($method, array $args = []) { $class = class_exists('Firebase\JWT\JWT') ? 'Firebase\JWT\JWT' : 'JWT'; return call_user_func_array([$class, $method], $args); } /** * Provide a hook to mock calls to the JWT static methods. * * @param array $args * @return mixed */ protected function callSimpleJwtDecode(array $args = []) { return call_user_func_array(['SimpleJWT\JWT', 'decode'], $args); } /** * Generate a cache key based on the cert location using sha1 with the * exception of using "federated_signon_certs_v3" to preserve BC. * * @param string $certsLocation * @return string */ private function getCacheKeyFromCertLocation($certsLocation) { $key = $certsLocation === self::FEDERATED_SIGNON_CERT_URL ? 'federated_signon_certs_v3' : sha1($certsLocation); return 'google_auth_certs_cache|' . $key; } } src/Subscriber/ScopedAccessTokenSubscriber.php000064400000012014150230132410015520 0ustar00' */ class ScopedAccessTokenSubscriber implements SubscriberInterface { use CacheTrait; const DEFAULT_CACHE_LIFETIME = 1500; /** * @var CacheItemPoolInterface */ private $cache; /** * @var callable The access token generator function */ private $tokenFunc; /** * @var array|string The scopes used to generate the token */ private $scopes; /** * @var array */ private $cacheConfig; /** * Creates a new ScopedAccessTokenSubscriber. * * @param callable $tokenFunc a token generator function * @param array|string $scopes the token authentication scopes * @param array $cacheConfig configuration for the cache when it's present * @param CacheItemPoolInterface $cache an implementation of CacheItemPoolInterface */ public function __construct( callable $tokenFunc, $scopes, array $cacheConfig = null, CacheItemPoolInterface $cache = null ) { $this->tokenFunc = $tokenFunc; if (!(is_string($scopes) || is_array($scopes))) { throw new \InvalidArgumentException( 'wants scope should be string or array' ); } $this->scopes = $scopes; if (!is_null($cache)) { $this->cache = $cache; $this->cacheConfig = array_merge([ 'lifetime' => self::DEFAULT_CACHE_LIFETIME, 'prefix' => '', ], $cacheConfig); } } /** * @return array */ public function getEvents() { return ['before' => ['onBefore', RequestEvents::SIGN_REQUEST]]; } /** * Updates the request with an Authorization header when auth is 'scoped'. * * E.g this could be used to authenticate using the AppEngine AppIdentityService. * * Example: * ``` * use google\appengine\api\app_identity\AppIdentityService; * use Google\Auth\Subscriber\ScopedAccessTokenSubscriber; * use GuzzleHttp\Client; * * $scope = 'https://www.googleapis.com/auth/taskqueue' * $subscriber = new ScopedAccessToken( * 'AppIdentityService::getAccessToken', * $scope, * ['prefix' => 'Google\Auth\ScopedAccessToken::'], * $cache = new Memcache() * ); * * $client = new Client([ * 'base_url' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', * 'defaults' => ['auth' => 'scoped'] * ]); * $client->getEmitter()->attach($subscriber); * * $res = $client->get('myproject/taskqueues/myqueue'); * ``` * * @param BeforeEvent $event */ public function onBefore(BeforeEvent $event) { // Requests using "auth"="scoped" will be authorized. $request = $event->getRequest(); if ($request->getConfig()['auth'] != 'scoped') { return; } $auth_header = 'Bearer ' . $this->fetchToken(); $request->setHeader('authorization', $auth_header); } /** * @return string */ private function getCacheKey() { $key = null; if (is_string($this->scopes)) { $key .= $this->scopes; } elseif (is_array($this->scopes)) { $key .= implode(':', $this->scopes); } return $key; } /** * Determine if token is available in the cache, if not call tokenFunc to * fetch it. * * @return string */ private function fetchToken() { $cacheKey = $this->getCacheKey(); $cached = $this->getCachedValue($cacheKey); if (!empty($cached)) { return $cached; } $token = call_user_func($this->tokenFunc, $this->scopes); $this->setCachedValue($cacheKey, $token); return $token; } } src/Subscriber/SimpleSubscriber.php000064400000005077150230132410013424 0ustar00config = array_merge([], $config); } /** * @return array */ public function getEvents() { return ['before' => ['onBefore', RequestEvents::SIGN_REQUEST]]; } /** * Updates the request query with the developer key if auth is set to simple. * * Example: * ``` * use Google\Auth\Subscriber\SimpleSubscriber; * use GuzzleHttp\Client; * * $my_key = 'is not the same as yours'; * $subscriber = new SimpleSubscriber(['key' => $my_key]); * * $client = new Client([ * 'base_url' => 'https://www.googleapis.com/discovery/v1/', * 'defaults' => ['auth' => 'simple'] * ]); * $client->getEmitter()->attach($subscriber); * * $res = $client->get('drive/v2/rest'); * ``` * * @param BeforeEvent $event */ public function onBefore(BeforeEvent $event) { // Requests using "auth"="simple" with the developer key. $request = $event->getRequest(); if ($request->getConfig()['auth'] != 'simple') { return; } $request->getQuery()->overwriteWith($this->config); } } src/Subscriber/AuthTokenSubscriber.php000064400000010135150230132410014064 0ustar00' */ class AuthTokenSubscriber implements SubscriberInterface { /** * @var callable */ private $httpHandler; /** * @var FetchAuthTokenInterface */ private $fetcher; /** * @var callable */ private $tokenCallback; /** * Creates a new AuthTokenSubscriber. * * @param FetchAuthTokenInterface $fetcher is used to fetch the auth token * @param callable $httpHandler (optional) http client to fetch the token. * @param callable $tokenCallback (optional) function to be called when a new token is fetched. */ public function __construct( FetchAuthTokenInterface $fetcher, callable $httpHandler = null, callable $tokenCallback = null ) { $this->fetcher = $fetcher; $this->httpHandler = $httpHandler; $this->tokenCallback = $tokenCallback; } /** * @return array */ public function getEvents() { return ['before' => ['onBefore', RequestEvents::SIGN_REQUEST]]; } /** * Updates the request with an Authorization header when auth is 'fetched_auth_token'. * * Example: * ``` * use GuzzleHttp\Client; * use Google\Auth\OAuth2; * use Google\Auth\Subscriber\AuthTokenSubscriber; * * $config = [...]; * $oauth2 = new OAuth2($config) * $subscriber = new AuthTokenSubscriber($oauth2); * * $client = new Client([ * 'base_url' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', * 'defaults' => ['auth' => 'google_auth'] * ]); * $client->getEmitter()->attach($subscriber); * * $res = $client->get('myproject/taskqueues/myqueue'); * ``` * * @param BeforeEvent $event */ public function onBefore(BeforeEvent $event) { // Requests using "auth"="google_auth" will be authorized. $request = $event->getRequest(); if ($request->getConfig()['auth'] != 'google_auth') { return; } // Fetch the auth token. $auth_tokens = $this->fetcher->fetchAuthToken($this->httpHandler); if (array_key_exists('access_token', $auth_tokens)) { $request->setHeader('authorization', 'Bearer ' . $auth_tokens['access_token']); // notify the callback if applicable if ($this->tokenCallback) { call_user_func($this->tokenCallback, $this->fetcher->getCacheKey(), $auth_tokens['access_token']); } } if ($quotaProject = $this->getQuotaProject()) { $request->setHeader( GetQuotaProjectInterface::X_GOOG_USER_PROJECT_HEADER, $quotaProject ); } } private function getQuotaProject() { if ($this->fetcher instanceof GetQuotaProjectInterface) { return $this->fetcher->getQuotaProject(); } } } src/FetchAuthTokenCache.php000064400000017270150230132410011642 0ustar00fetcher = $fetcher; $this->cache = $cache; $this->cacheConfig = array_merge([ 'lifetime' => 1500, 'prefix' => '', ], (array) $cacheConfig); } /** * Implements FetchAuthTokenInterface#fetchAuthToken. * * Checks the cache for a valid auth token and fetches the auth tokens * from the supplied fetcher. * * @param callable $httpHandler callback which delivers psr7 request * @return array the response * @throws \Exception */ public function fetchAuthToken(callable $httpHandler = null) { if ($cached = $this->fetchAuthTokenFromCache()) { return $cached; } $auth_token = $this->fetcher->fetchAuthToken($httpHandler); $this->saveAuthTokenInCache($auth_token); return $auth_token; } /** * @return string */ public function getCacheKey() { return $this->getFullCacheKey($this->fetcher->getCacheKey()); } /** * @return array|null */ public function getLastReceivedToken() { return $this->fetcher->getLastReceivedToken(); } /** * Get the client name from the fetcher. * * @param callable $httpHandler An HTTP handler to deliver PSR7 requests. * @return string */ public function getClientName(callable $httpHandler = null) { return $this->fetcher->getClientName($httpHandler); } /** * Sign a blob using the fetcher. * * @param string $stringToSign The string to sign. * @param bool $forceOpenSsl Require use of OpenSSL for local signing. Does * not apply to signing done using external services. **Defaults to** * `false`. * @return string The resulting signature. * @throws \RuntimeException If the fetcher does not implement * `Google\Auth\SignBlobInterface`. */ public function signBlob($stringToSign, $forceOpenSsl = false) { if (!$this->fetcher instanceof SignBlobInterface) { throw new \RuntimeException( 'Credentials fetcher does not implement ' . 'Google\Auth\SignBlobInterface' ); } return $this->fetcher->signBlob($stringToSign, $forceOpenSsl); } /** * Get the quota project used for this API request from the credentials * fetcher. * * @return string|null */ public function getQuotaProject() { if ($this->fetcher instanceof GetQuotaProjectInterface) { return $this->fetcher->getQuotaProject(); } } /* * Get the Project ID from the fetcher. * * @param callable $httpHandler Callback which delivers psr7 request * @return string|null * @throws \RuntimeException If the fetcher does not implement * `Google\Auth\ProvidesProjectIdInterface`. */ public function getProjectId(callable $httpHandler = null) { if (!$this->fetcher instanceof ProjectIdProviderInterface) { throw new \RuntimeException( 'Credentials fetcher does not implement ' . 'Google\Auth\ProvidesProjectIdInterface' ); } return $this->fetcher->getProjectId($httpHandler); } /** * Updates metadata with the authorization token. * * @param array $metadata metadata hashmap * @param string $authUri optional auth uri * @param callable $httpHandler callback which delivers psr7 request * @return array updated metadata hashmap * @throws \RuntimeException If the fetcher does not implement * `Google\Auth\UpdateMetadataInterface`. */ public function updateMetadata( $metadata, $authUri = null, callable $httpHandler = null ) { if (!$this->fetcher instanceof UpdateMetadataInterface) { throw new \RuntimeException( 'Credentials fetcher does not implement ' . 'Google\Auth\UpdateMetadataInterface' ); } $cached = $this->fetchAuthTokenFromCache($authUri); if ($cached) { // Set the access token in the `Authorization` metadata header so // the downstream call to updateMetadata know they don't need to // fetch another token. if (isset($cached['access_token'])) { $metadata[self::AUTH_METADATA_KEY] = [ 'Bearer ' . $cached['access_token'] ]; } } $newMetadata = $this->fetcher->updateMetadata( $metadata, $authUri, $httpHandler ); if (!$cached && $token = $this->fetcher->getLastReceivedToken()) { $this->saveAuthTokenInCache($token, $authUri); } return $newMetadata; } private function fetchAuthTokenFromCache($authUri = null) { // Use the cached value if its available. // // TODO: correct caching; update the call to setCachedValue to set the expiry // to the value returned with the auth token. // // TODO: correct caching; enable the cache to be cleared. // if $authUri is set, use it as the cache key $cacheKey = $authUri ? $this->getFullCacheKey($authUri) : $this->fetcher->getCacheKey(); $cached = $this->getCachedValue($cacheKey); if (is_array($cached)) { if (empty($cached['expires_at'])) { // If there is no expiration data, assume token is not expired. // (for JwtAccess and ID tokens) return $cached; } if (time() < $cached['expires_at']) { // access token is not expired return $cached; } } return null; } private function saveAuthTokenInCache($authToken, $authUri = null) { if (isset($authToken['access_token']) || isset($authToken['id_token'])) { // if $authUri is set, use it as the cache key $cacheKey = $authUri ? $this->getFullCacheKey($authUri) : $this->fetcher->getCacheKey(); $this->setCachedValue($cacheKey, $authToken); } } } src/ApplicationDefaultCredentials.php000064400000027422150230132410013770 0ustar00push($middleware); * * $client = new Client([ * 'handler' => $stack, * 'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', * 'auth' => 'google_auth' // authorize all requests * ]); * * $res = $client->get('myproject/taskqueues/myqueue'); * ``` */ class ApplicationDefaultCredentials { /** * Obtains an AuthTokenSubscriber that uses the default FetchAuthTokenInterface * implementation to use in this environment. * * If supplied, $scope is used to in creating the credentials instance if * this does not fallback to the compute engine defaults. * * @param string|array scope the scope of the access request, expressed * either as an Array or as a space-delimited String. * @param callable $httpHandler callback which delivers psr7 request * @param array $cacheConfig configuration for the cache when it's present * @param CacheItemPoolInterface $cache A cache implementation, may be * provided if you have one already available for use. * @return AuthTokenSubscriber * @throws DomainException if no implementation can be obtained. */ public static function getSubscriber( $scope = null, callable $httpHandler = null, array $cacheConfig = null, CacheItemPoolInterface $cache = null ) { $creds = self::getCredentials($scope, $httpHandler, $cacheConfig, $cache); return new AuthTokenSubscriber($creds, $httpHandler); } /** * Obtains an AuthTokenMiddleware that uses the default FetchAuthTokenInterface * implementation to use in this environment. * * If supplied, $scope is used to in creating the credentials instance if * this does not fallback to the compute engine defaults. * * @param string|array scope the scope of the access request, expressed * either as an Array or as a space-delimited String. * @param callable $httpHandler callback which delivers psr7 request * @param array $cacheConfig configuration for the cache when it's present * @param CacheItemPoolInterface $cache A cache implementation, may be * provided if you have one already available for use. * @param string $quotaProject specifies a project to bill for access * charges associated with the request. * @return AuthTokenMiddleware * @throws DomainException if no implementation can be obtained. */ public static function getMiddleware( $scope = null, callable $httpHandler = null, array $cacheConfig = null, CacheItemPoolInterface $cache = null, $quotaProject = null ) { $creds = self::getCredentials($scope, $httpHandler, $cacheConfig, $cache, $quotaProject); return new AuthTokenMiddleware($creds, $httpHandler); } /** * Obtains an AuthTokenMiddleware which will fetch an access token to use in * the Authorization header. The middleware is configured with the default * FetchAuthTokenInterface implementation to use in this environment. * * If supplied, $scope is used to in creating the credentials instance if * this does not fallback to the Compute Engine defaults. * * @param string|array $scope the scope of the access request, expressed * either as an Array or as a space-delimited String. * @param callable $httpHandler callback which delivers psr7 request * @param array $cacheConfig configuration for the cache when it's present * @param CacheItemPoolInterface $cache A cache implementation, may be * provided if you have one already available for use. * @param string $quotaProject specifies a project to bill for access * charges associated with the request. * @param string|array $defaultScope The default scope to use if no * user-defined scopes exist, expressed either as an Array or as a * space-delimited string. * * @return CredentialsLoader * @throws DomainException if no implementation can be obtained. */ public static function getCredentials( $scope = null, callable $httpHandler = null, array $cacheConfig = null, CacheItemPoolInterface $cache = null, $quotaProject = null, $defaultScope = null ) { $creds = null; $jsonKey = CredentialsLoader::fromEnv() ?: CredentialsLoader::fromWellKnownFile(); $anyScope = $scope ?: $defaultScope; if (!$httpHandler) { if (!($client = HttpClientCache::getHttpClient())) { $client = new Client(); HttpClientCache::setHttpClient($client); } $httpHandler = HttpHandlerFactory::build($client); } if (!is_null($jsonKey)) { if ($quotaProject) { $jsonKey['quota_project_id'] = $quotaProject; } $creds = CredentialsLoader::makeCredentials( $scope, $jsonKey, $defaultScope ); } elseif (AppIdentityCredentials::onAppEngine() && !GCECredentials::onAppEngineFlexible()) { $creds = new AppIdentityCredentials($anyScope); } elseif (self::onGce($httpHandler, $cacheConfig, $cache)) { $creds = new GCECredentials(null, $anyScope, null, $quotaProject); } if (is_null($creds)) { throw new DomainException(self::notFound()); } if (!is_null($cache)) { $creds = new FetchAuthTokenCache($creds, $cacheConfig, $cache); } return $creds; } /** * Obtains an AuthTokenMiddleware which will fetch an ID token to use in the * Authorization header. The middleware is configured with the default * FetchAuthTokenInterface implementation to use in this environment. * * If supplied, $targetAudience is used to set the "aud" on the resulting * ID token. * * @param string $targetAudience The audience for the ID token. * @param callable $httpHandler callback which delivers psr7 request * @param array $cacheConfig configuration for the cache when it's present * @param CacheItemPoolInterface $cache A cache implementation, may be * provided if you have one already available for use. * @return AuthTokenMiddleware * @throws DomainException if no implementation can be obtained. */ public static function getIdTokenMiddleware( $targetAudience, callable $httpHandler = null, array $cacheConfig = null, CacheItemPoolInterface $cache = null ) { $creds = self::getIdTokenCredentials($targetAudience, $httpHandler, $cacheConfig, $cache); return new AuthTokenMiddleware($creds, $httpHandler); } /** * Obtains the default FetchAuthTokenInterface implementation to use * in this environment, configured with a $targetAudience for fetching an ID * token. * * @param string $targetAudience The audience for the ID token. * @param callable $httpHandler callback which delivers psr7 request * @param array $cacheConfig configuration for the cache when it's present * @param CacheItemPoolInterface $cache A cache implementation, may be * provided if you have one already available for use. * @return CredentialsLoader * @throws DomainException if no implementation can be obtained. * @throws InvalidArgumentException if JSON "type" key is invalid */ public static function getIdTokenCredentials( $targetAudience, callable $httpHandler = null, array $cacheConfig = null, CacheItemPoolInterface $cache = null ) { $creds = null; $jsonKey = CredentialsLoader::fromEnv() ?: CredentialsLoader::fromWellKnownFile(); if (!$httpHandler) { if (!($client = HttpClientCache::getHttpClient())) { $client = new Client(); HttpClientCache::setHttpClient($client); } $httpHandler = HttpHandlerFactory::build($client); } if (!is_null($jsonKey)) { if (!array_key_exists('type', $jsonKey)) { throw new \InvalidArgumentException('json key is missing the type field'); } if ($jsonKey['type'] == 'authorized_user') { throw new InvalidArgumentException('ID tokens are not supported for end user credentials'); } if ($jsonKey['type'] != 'service_account') { throw new InvalidArgumentException('invalid value in the type field'); } $creds = new ServiceAccountCredentials(null, $jsonKey, null, $targetAudience); } elseif (self::onGce($httpHandler, $cacheConfig, $cache)) { $creds = new GCECredentials(null, null, $targetAudience); } if (is_null($creds)) { throw new DomainException(self::notFound()); } if (!is_null($cache)) { $creds = new FetchAuthTokenCache($creds, $cacheConfig, $cache); } return $creds; } private static function notFound() { $msg = 'Could not load the default credentials. Browse to '; $msg .= 'https://developers.google.com'; $msg .= '/accounts/docs/application-default-credentials'; $msg .= ' for more information'; return $msg; } private static function onGce( callable $httpHandler = null, array $cacheConfig = null, CacheItemPoolInterface $cache = null ) { $gceCacheConfig = []; foreach (['lifetime', 'prefix'] as $key) { if (isset($cacheConfig['gce_' . $key])) { $gceCacheConfig[$key] = $cacheConfig['gce_' . $key]; } } return (new GCECache($gceCacheConfig, $cache))->onGce($httpHandler); } } src/Credentials/UserRefreshCredentials.php000064400000010117150230132410014703 0ustar00auth = new OAuth2([ 'clientId' => $jsonKey['client_id'], 'clientSecret' => $jsonKey['client_secret'], 'refresh_token' => $jsonKey['refresh_token'], 'scope' => $scope, 'tokenCredentialUri' => self::TOKEN_CREDENTIAL_URI, ]); if (array_key_exists('quota_project_id', $jsonKey)) { $this->quotaProject = (string) $jsonKey['quota_project_id']; } } /** * @param callable $httpHandler * * @return array A set of auth related metadata, containing the following * keys: * - access_token (string) * - expires_in (int) * - scope (string) * - token_type (string) * - id_token (string) */ public function fetchAuthToken(callable $httpHandler = null) { return $this->auth->fetchAuthToken($httpHandler); } /** * @return string */ public function getCacheKey() { return $this->auth->getClientId() . ':' . $this->auth->getCacheKey(); } /** * @return array */ public function getLastReceivedToken() { return $this->auth->getLastReceivedToken(); } /** * Get the quota project used for this API request * * @return string|null */ public function getQuotaProject() { return $this->quotaProject; } } src/Credentials/ServiceAccountCredentials.php000064400000020575150230132410015374 0ustar00push($middleware); * * $client = new Client([ * 'handler' => $stack, * 'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', * 'auth' => 'google_auth' // authorize all requests * ]); * * $res = $client->get('myproject/taskqueues/myqueue'); */ class ServiceAccountCredentials extends CredentialsLoader implements GetQuotaProjectInterface, SignBlobInterface, ProjectIdProviderInterface { use ServiceAccountSignerTrait; /** * The OAuth2 instance used to conduct authorization. * * @var OAuth2 */ protected $auth; /** * The quota project associated with the JSON credentials * * @var string */ protected $quotaProject; /* * @var string|null */ protected $projectId; /* * @var array|null */ private $lastReceivedJwtAccessToken; /** * Create a new ServiceAccountCredentials. * * @param string|array $scope the scope of the access request, expressed * either as an Array or as a space-delimited String. * @param string|array $jsonKey JSON credential file path or JSON credentials * as an associative array * @param string $sub an email address account to impersonate, in situations when * the service account has been delegated domain wide access. * @param string $targetAudience The audience for the ID token. */ public function __construct( $scope, $jsonKey, $sub = null, $targetAudience = null ) { if (is_string($jsonKey)) { if (!file_exists($jsonKey)) { throw new \InvalidArgumentException('file does not exist'); } $jsonKeyStream = file_get_contents($jsonKey); if (!$jsonKey = json_decode($jsonKeyStream, true)) { throw new \LogicException('invalid json for auth config'); } } if (!array_key_exists('client_email', $jsonKey)) { throw new \InvalidArgumentException( 'json key is missing the client_email field' ); } if (!array_key_exists('private_key', $jsonKey)) { throw new \InvalidArgumentException( 'json key is missing the private_key field' ); } if (array_key_exists('quota_project_id', $jsonKey)) { $this->quotaProject = (string) $jsonKey['quota_project_id']; } if ($scope && $targetAudience) { throw new InvalidArgumentException( 'Scope and targetAudience cannot both be supplied' ); } $additionalClaims = []; if ($targetAudience) { $additionalClaims = ['target_audience' => $targetAudience]; } $this->auth = new OAuth2([ 'audience' => self::TOKEN_CREDENTIAL_URI, 'issuer' => $jsonKey['client_email'], 'scope' => $scope, 'signingAlgorithm' => 'RS256', 'signingKey' => $jsonKey['private_key'], 'sub' => $sub, 'tokenCredentialUri' => self::TOKEN_CREDENTIAL_URI, 'additionalClaims' => $additionalClaims, ]); $this->projectId = isset($jsonKey['project_id']) ? $jsonKey['project_id'] : null; } /** * @param callable $httpHandler * * @return array A set of auth related metadata, containing the following * keys: * - access_token (string) * - expires_in (int) * - token_type (string) */ public function fetchAuthToken(callable $httpHandler = null) { return $this->auth->fetchAuthToken($httpHandler); } /** * @return string */ public function getCacheKey() { $key = $this->auth->getIssuer() . ':' . $this->auth->getCacheKey(); if ($sub = $this->auth->getSub()) { $key .= ':' . $sub; } return $key; } /** * @return array */ public function getLastReceivedToken() { // If self-signed JWTs are being used, fetch the last received token // from memory. Else, fetch it from OAuth2 return $this->useSelfSignedJwt() ? $this->lastReceivedJwtAccessToken : $this->auth->getLastReceivedToken(); } /** * Get the project ID from the service account keyfile. * * Returns null if the project ID does not exist in the keyfile. * * @param callable $httpHandler Not used by this credentials type. * @return string|null */ public function getProjectId(callable $httpHandler = null) { return $this->projectId; } /** * Updates metadata with the authorization token. * * @param array $metadata metadata hashmap * @param string $authUri optional auth uri * @param callable $httpHandler callback which delivers psr7 request * @return array updated metadata hashmap */ public function updateMetadata( $metadata, $authUri = null, callable $httpHandler = null ) { // scope exists. use oauth implementation if (!$this->useSelfSignedJwt()) { return parent::updateMetadata($metadata, $authUri, $httpHandler); } // no scope found. create jwt with the auth uri $credJson = array( 'private_key' => $this->auth->getSigningKey(), 'client_email' => $this->auth->getIssuer(), ); $jwtCreds = new ServiceAccountJwtAccessCredentials($credJson); $updatedMetadata = $jwtCreds->updateMetadata($metadata, $authUri, $httpHandler); if ($lastReceivedToken = $jwtCreds->getLastReceivedToken()) { // Keep self-signed JWTs in memory as the last received token $this->lastReceivedJwtAccessToken = $lastReceivedToken; } return $updatedMetadata; } /** * @param string $sub an email address account to impersonate, in situations when * the service account has been delegated domain wide access. */ public function setSub($sub) { $this->auth->setSub($sub); } /** * Get the client name from the keyfile. * * In this case, it returns the keyfile's client_email key. * * @param callable $httpHandler Not used by this credentials type. * @return string */ public function getClientName(callable $httpHandler = null) { return $this->auth->getIssuer(); } /** * Get the quota project used for this API request * * @return string|null */ public function getQuotaProject() { return $this->quotaProject; } private function useSelfSignedJwt() { return is_null($this->auth->getScope()); } } src/Credentials/ServiceAccountJwtAccessCredentials.php000064400000013050150230132410017171 0ustar00quotaProject = (string) $jsonKey['quota_project_id']; } $this->auth = new OAuth2([ 'issuer' => $jsonKey['client_email'], 'sub' => $jsonKey['client_email'], 'signingAlgorithm' => 'RS256', 'signingKey' => $jsonKey['private_key'], ]); $this->projectId = isset($jsonKey['project_id']) ? $jsonKey['project_id'] : null; } /** * Updates metadata with the authorization token. * * @param array $metadata metadata hashmap * @param string $authUri optional auth uri * @param callable $httpHandler callback which delivers psr7 request * @return array updated metadata hashmap */ public function updateMetadata( $metadata, $authUri = null, callable $httpHandler = null ) { if (empty($authUri)) { return $metadata; } $this->auth->setAudience($authUri); return parent::updateMetadata($metadata, $authUri, $httpHandler); } /** * Implements FetchAuthTokenInterface#fetchAuthToken. * * @param callable $httpHandler * * @return array|void A set of auth related metadata, containing the * following keys: * - access_token (string) */ public function fetchAuthToken(callable $httpHandler = null) { $audience = $this->auth->getAudience(); if (empty($audience)) { return null; } $access_token = $this->auth->toJwt(); // Set the self-signed access token in OAuth2 for getLastReceivedToken $this->auth->setAccessToken($access_token); return array('access_token' => $access_token); } /** * @return string */ public function getCacheKey() { return $this->auth->getCacheKey(); } /** * @return array */ public function getLastReceivedToken() { return $this->auth->getLastReceivedToken(); } /** * Get the project ID from the service account keyfile. * * Returns null if the project ID does not exist in the keyfile. * * @param callable $httpHandler Not used by this credentials type. * @return string|null */ public function getProjectId(callable $httpHandler = null) { return $this->projectId; } /** * Get the client name from the keyfile. * * In this case, it returns the keyfile's client_email key. * * @param callable $httpHandler Not used by this credentials type. * @return string */ public function getClientName(callable $httpHandler = null) { return $this->auth->getIssuer(); } /** * Get the quota project used for this API request * * @return string|null */ public function getQuotaProject() { return $this->quotaProject; } } src/Credentials/IAMCredentials.php000064400000004673150230132410013066 0ustar00selector = $selector; $this->token = $token; } /** * export a callback function which updates runtime metadata. * * @return array updateMetadata function */ public function getUpdateMetadataFunc() { return array($this, 'updateMetadata'); } /** * Updates metadata with the appropriate header metadata. * * @param array $metadata metadata hashmap * @param string $unusedAuthUri optional auth uri * @param callable $httpHandler callback which delivers psr7 request * Note: this param is unused here, only included here for * consistency with other credentials class * * @return array updated metadata hashmap */ public function updateMetadata( $metadata, $unusedAuthUri = null, callable $httpHandler = null ) { $metadata_copy = $metadata; $metadata_copy[self::SELECTOR_KEY] = $this->selector; $metadata_copy[self::TOKEN_KEY] = $this->token; return $metadata_copy; } } src/Credentials/GCECredentials.php000064400000037476150230132410013065 0ustar00push($middleware); * * $client = new Client([ * 'handler' => $stack, * 'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', * 'auth' => 'google_auth' * ]); * * $res = $client->get('myproject/taskqueues/myqueue'); */ class GCECredentials extends CredentialsLoader implements SignBlobInterface, ProjectIdProviderInterface, GetQuotaProjectInterface { // phpcs:disable const cacheKey = 'GOOGLE_AUTH_PHP_GCE'; // phpcs:enable /** * The metadata IP address on appengine instances. * * The IP is used instead of the domain 'metadata' to avoid slow responses * when not on Compute Engine. */ const METADATA_IP = '169.254.169.254'; /** * The metadata path of the default token. */ const TOKEN_URI_PATH = 'v1/instance/service-accounts/default/token'; /** * The metadata path of the default id token. */ const ID_TOKEN_URI_PATH = 'v1/instance/service-accounts/default/identity'; /** * The metadata path of the client ID. */ const CLIENT_ID_URI_PATH = 'v1/instance/service-accounts/default/email'; /** * The metadata path of the project ID. */ const PROJECT_ID_URI_PATH = 'v1/project/project-id'; /** * The header whose presence indicates GCE presence. */ const FLAVOR_HEADER = 'Metadata-Flavor'; /** * Note: the explicit `timeout` and `tries` below is a workaround. The underlying * issue is that resolving an unknown host on some networks will take * 20-30 seconds; making this timeout short fixes the issue, but * could lead to false negatives in the event that we are on GCE, but * the metadata resolution was particularly slow. The latter case is * "unlikely" since the expected 4-nines time is about 0.5 seconds. * This allows us to limit the total ping maximum timeout to 1.5 seconds * for developer desktop scenarios. */ const MAX_COMPUTE_PING_TRIES = 3; const COMPUTE_PING_CONNECTION_TIMEOUT_S = 0.5; /** * Flag used to ensure that the onGCE test is only done once;. * * @var bool */ private $hasCheckedOnGce = false; /** * Flag that stores the value of the onGCE check. * * @var bool */ private $isOnGce = false; /** * Result of fetchAuthToken. */ protected $lastReceivedToken; /** * @var string|null */ private $clientName; /** * @var string|null */ private $projectId; /** * @var Iam|null */ private $iam; /** * @var string */ private $tokenUri; /** * @var string */ private $targetAudience; /** * @var string|null */ private $quotaProject; /** * @var string|null */ private $serviceAccountIdentity; /** * @param Iam $iam [optional] An IAM instance. * @param string|array $scope [optional] the scope of the access request, * expressed either as an array or as a space-delimited string. * @param string $targetAudience [optional] The audience for the ID token. * @param string $quotaProject [optional] Specifies a project to bill for access * charges associated with the request. * @param string $serviceAccountIdentity [optional] Specify a service * account identity name to use instead of "default". */ public function __construct( Iam $iam = null, $scope = null, $targetAudience = null, $quotaProject = null, $serviceAccountIdentity = null ) { $this->iam = $iam; if ($scope && $targetAudience) { throw new InvalidArgumentException( 'Scope and targetAudience cannot both be supplied' ); } $tokenUri = self::getTokenUri($serviceAccountIdentity); if ($scope) { if (is_string($scope)) { $scope = explode(' ', $scope); } $scope = implode(',', $scope); $tokenUri = $tokenUri . '?scopes='. $scope; } elseif ($targetAudience) { $tokenUri = self::getIdTokenUri($serviceAccountIdentity); $tokenUri = $tokenUri . '?audience='. $targetAudience; $this->targetAudience = $targetAudience; } $this->tokenUri = $tokenUri; $this->quotaProject = $quotaProject; $this->serviceAccountIdentity = $serviceAccountIdentity; } /** * The full uri for accessing the default token. * * @param string $serviceAccountIdentity [optional] Specify a service * account identity name to use instead of "default". * @return string */ public static function getTokenUri($serviceAccountIdentity = null) { $base = 'http://' . self::METADATA_IP . '/computeMetadata/'; $base .= self::TOKEN_URI_PATH; if ($serviceAccountIdentity) { return str_replace( '/default/', '/' . $serviceAccountIdentity . '/', $base ); } return $base; } /** * The full uri for accessing the default service account. * * @param string $serviceAccountIdentity [optional] Specify a service * account identity name to use instead of "default". * @return string */ public static function getClientNameUri($serviceAccountIdentity = null) { $base = 'http://' . self::METADATA_IP . '/computeMetadata/'; $base .= self::CLIENT_ID_URI_PATH; if ($serviceAccountIdentity) { return str_replace( '/default/', '/' . $serviceAccountIdentity . '/', $base ); } return $base; } /** * The full uri for accesesing the default identity token. * * @param string $serviceAccountIdentity [optional] Specify a service * account identity name to use instead of "default". * @return string */ private static function getIdTokenUri($serviceAccountIdentity = null) { $base = 'http://' . self::METADATA_IP . '/computeMetadata/'; $base .= self::ID_TOKEN_URI_PATH; if ($serviceAccountIdentity) { return str_replace( '/default/', '/' . $serviceAccountIdentity . '/', $base ); } return $base; } /** * The full uri for accessing the default project ID. * * @return string */ private static function getProjectIdUri() { $base = 'http://' . self::METADATA_IP . '/computeMetadata/'; return $base . self::PROJECT_ID_URI_PATH; } /** * Determines if this an App Engine Flexible instance, by accessing the * GAE_INSTANCE environment variable. * * @return bool true if this an App Engine Flexible Instance, false otherwise */ public static function onAppEngineFlexible() { return substr(getenv('GAE_INSTANCE'), 0, 4) === 'aef-'; } /** * Determines if this a GCE instance, by accessing the expected metadata * host. * If $httpHandler is not specified a the default HttpHandler is used. * * @param callable $httpHandler callback which delivers psr7 request * @return bool True if this a GCEInstance, false otherwise */ public static function onGce(callable $httpHandler = null) { $httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); $checkUri = 'http://' . self::METADATA_IP; for ($i = 1; $i <= self::MAX_COMPUTE_PING_TRIES; $i++) { try { // Comment from: oauth2client/client.py // // Note: the explicit `timeout` below is a workaround. The underlying // issue is that resolving an unknown host on some networks will take // 20-30 seconds; making this timeout short fixes the issue, but // could lead to false negatives in the event that we are on GCE, but // the metadata resolution was particularly slow. The latter case is // "unlikely". $resp = $httpHandler( new Request( 'GET', $checkUri, [self::FLAVOR_HEADER => 'Google'] ), ['timeout' => self::COMPUTE_PING_CONNECTION_TIMEOUT_S] ); return $resp->getHeaderLine(self::FLAVOR_HEADER) == 'Google'; } catch (ClientException $e) { } catch (ServerException $e) { } catch (RequestException $e) { } catch (ConnectException $e) { } } return false; } /** * Implements FetchAuthTokenInterface#fetchAuthToken. * * Fetches the auth tokens from the GCE metadata host if it is available. * If $httpHandler is not specified a the default HttpHandler is used. * * @param callable $httpHandler callback which delivers psr7 request * * @return array A set of auth related metadata, based on the token type. * * Access tokens have the following keys: * - access_token (string) * - expires_in (int) * - token_type (string) * ID tokens have the following keys: * - id_token (string) * * @throws \Exception */ public function fetchAuthToken(callable $httpHandler = null) { $httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); if (!$this->hasCheckedOnGce) { $this->isOnGce = self::onGce($httpHandler); $this->hasCheckedOnGce = true; } if (!$this->isOnGce) { return array(); // return an empty array with no access token } $response = $this->getFromMetadata($httpHandler, $this->tokenUri); if ($this->targetAudience) { return ['id_token' => $response]; } if (null === $json = json_decode($response, true)) { throw new \Exception('Invalid JSON response'); } $json['expires_at'] = time() + $json['expires_in']; // store this so we can retrieve it later $this->lastReceivedToken = $json; return $json; } /** * @return string */ public function getCacheKey() { return self::cacheKey; } /** * @return array|null */ public function getLastReceivedToken() { if ($this->lastReceivedToken) { return [ 'access_token' => $this->lastReceivedToken['access_token'], 'expires_at' => $this->lastReceivedToken['expires_at'], ]; } return null; } /** * Get the client name from GCE metadata. * * Subsequent calls will return a cached value. * * @param callable $httpHandler callback which delivers psr7 request * @return string */ public function getClientName(callable $httpHandler = null) { if ($this->clientName) { return $this->clientName; } $httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); if (!$this->hasCheckedOnGce) { $this->isOnGce = self::onGce($httpHandler); $this->hasCheckedOnGce = true; } if (!$this->isOnGce) { return ''; } $this->clientName = $this->getFromMetadata( $httpHandler, self::getClientNameUri($this->serviceAccountIdentity) ); return $this->clientName; } /** * Sign a string using the default service account private key. * * This implementation uses IAM's signBlob API. * * @see https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/signBlob SignBlob * * @param string $stringToSign The string to sign. * @param bool $forceOpenSsl [optional] Does not apply to this credentials * type. * @return string */ public function signBlob($stringToSign, $forceOpenSsl = false) { $httpHandler = HttpHandlerFactory::build(HttpClientCache::getHttpClient()); // Providing a signer is useful for testing, but it's undocumented // because it's not something a user would generally need to do. $signer = $this->iam ?: new Iam($httpHandler); $email = $this->getClientName($httpHandler); $previousToken = $this->getLastReceivedToken(); $accessToken = $previousToken ? $previousToken['access_token'] : $this->fetchAuthToken($httpHandler)['access_token']; return $signer->signBlob($email, $accessToken, $stringToSign); } /** * Fetch the default Project ID from compute engine. * * Returns null if called outside GCE. * * @param callable $httpHandler Callback which delivers psr7 request * @return string|null */ public function getProjectId(callable $httpHandler = null) { if ($this->projectId) { return $this->projectId; } $httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); if (!$this->hasCheckedOnGce) { $this->isOnGce = self::onGce($httpHandler); $this->hasCheckedOnGce = true; } if (!$this->isOnGce) { return null; } $this->projectId = $this->getFromMetadata($httpHandler, self::getProjectIdUri()); return $this->projectId; } /** * Fetch the value of a GCE metadata server URI. * * @param callable $httpHandler An HTTP Handler to deliver PSR7 requests. * @param string $uri The metadata URI. * @return string */ private function getFromMetadata(callable $httpHandler, $uri) { $resp = $httpHandler( new Request( 'GET', $uri, [self::FLAVOR_HEADER => 'Google'] ) ); return (string) $resp->getBody(); } /** * Get the quota project used for this API request * * @return string|null */ public function getQuotaProject() { return $this->quotaProject; } } src/Credentials/InsecureCredentials.php000064400000003470150230132410014227 0ustar00 '' ]; /** * Fetches the auth token. In this case it returns an empty string. * * @param callable $httpHandler * @return array A set of auth related metadata, containing the following * keys: * - access_token (string) */ public function fetchAuthToken(callable $httpHandler = null) { return $this->token; } /** * Returns the cache key. In this case it returns a null value, disabling * caching. * * @return string|null */ public function getCacheKey() { return null; } /** * Fetches the last received token. In this case, it returns the same empty string * auth token. * * @return array */ public function getLastReceivedToken() { return $this->token; } } src/Credentials/AppIdentityCredentials.php000064400000015275150230132410014712 0ustar00push($middleware); * * $client = new Client([ * 'handler' => $stack, * 'base_uri' => 'https://www.googleapis.com/books/v1', * 'auth' => 'google_auth' * ]); * * $res = $client->get('volumes?q=Henry+David+Thoreau&country=US'); * ``` */ class AppIdentityCredentials extends CredentialsLoader implements SignBlobInterface, ProjectIdProviderInterface { /** * Result of fetchAuthToken. * * @var array */ protected $lastReceivedToken; /** * Array of OAuth2 scopes to be requested. * * @var array */ private $scope; /** * @var string */ private $clientName; /** * @param array $scope One or more scopes. */ public function __construct($scope = array()) { $this->scope = $scope; } /** * Determines if this an App Engine instance, by accessing the * SERVER_SOFTWARE environment variable (prod) or the APPENGINE_RUNTIME * environment variable (dev). * * @return bool true if this an App Engine Instance, false otherwise */ public static function onAppEngine() { $appEngineProduction = isset($_SERVER['SERVER_SOFTWARE']) && 0 === strpos($_SERVER['SERVER_SOFTWARE'], 'Google App Engine'); if ($appEngineProduction) { return true; } $appEngineDevAppServer = isset($_SERVER['APPENGINE_RUNTIME']) && $_SERVER['APPENGINE_RUNTIME'] == 'php'; if ($appEngineDevAppServer) { return true; } return false; } /** * Implements FetchAuthTokenInterface#fetchAuthToken. * * Fetches the auth tokens using the AppIdentityService if available. * As the AppIdentityService uses protobufs to fetch the access token, * the GuzzleHttp\ClientInterface instance passed in will not be used. * * @param callable $httpHandler callback which delivers psr7 request * @return array A set of auth related metadata, containing the following * keys: * - access_token (string) * - expiration_time (string) */ public function fetchAuthToken(callable $httpHandler = null) { try { $this->checkAppEngineContext(); } catch (\Exception $e) { return []; } // AppIdentityService expects an array when multiple scopes are supplied $scope = is_array($this->scope) ? $this->scope : explode(' ', $this->scope); $token = AppIdentityService::getAccessToken($scope); $this->lastReceivedToken = $token; return $token; } /** * Sign a string using AppIdentityService. * * @param string $stringToSign The string to sign. * @param bool $forceOpenSsl [optional] Does not apply to this credentials * type. * @return string The signature, base64-encoded. * @throws \Exception If AppEngine SDK or mock is not available. */ public function signBlob($stringToSign, $forceOpenSsl = false) { $this->checkAppEngineContext(); return base64_encode(AppIdentityService::signForApp($stringToSign)['signature']); } /** * Get the project ID from AppIdentityService. * * Returns null if AppIdentityService is unavailable. * * @param callable $httpHandler Not used by this type. * @return string|null */ public function getProjectId(callable $httpHander = null) { try { $this->checkAppEngineContext(); } catch (\Exception $e) { return null; } return AppIdentityService::getApplicationId(); } /** * Get the client name from AppIdentityService. * * Subsequent calls to this method will return a cached value. * * @param callable $httpHandler Not used in this implementation. * @return string * @throws \Exception If AppEngine SDK or mock is not available. */ public function getClientName(callable $httpHandler = null) { $this->checkAppEngineContext(); if (!$this->clientName) { $this->clientName = AppIdentityService::getServiceAccountName(); } return $this->clientName; } /** * @return array|null */ public function getLastReceivedToken() { if ($this->lastReceivedToken) { return [ 'access_token' => $this->lastReceivedToken['access_token'], 'expires_at' => $this->lastReceivedToken['expiration_time'], ]; } return null; } /** * Caching is handled by the underlying AppIdentityService, return empty string * to prevent caching. * * @return string */ public function getCacheKey() { return ''; } private function checkAppEngineContext() { if (!self::onAppEngine() || !class_exists('google\appengine\api\app_identity\AppIdentityService')) { throw new \Exception( 'This class must be run in App Engine, or you must include the AppIdentityService ' . 'mock class defined in tests/mocks/AppIdentityService.php' ); } } } src/FetchAuthTokenInterface.php000064400000003154150230132410012533 0ustar00client = $client; } /** * Accepts a PSR-7 Request and an array of options and returns a PSR-7 response. * * @param RequestInterface $request * @param array $options * @return ResponseInterface */ public function __invoke(RequestInterface $request, array $options = []) { $response = $this->client->send( $this->createGuzzle5Request($request, $options) ); return $this->createPsr7Response($response); } /** * Accepts a PSR-7 request and an array of options and returns a PromiseInterface * * @param RequestInterface $request * @param array $options * @return Promise */ public function async(RequestInterface $request, array $options = []) { if (!class_exists('GuzzleHttp\Promise\Promise')) { throw new Exception('Install guzzlehttp/promises to use async with Guzzle 5'); } $futureResponse = $this->client->send( $this->createGuzzle5Request( $request, ['future' => true] + $options ) ); $promise = new Promise( function () use ($futureResponse) { try { $futureResponse->wait(); } catch (Exception $e) { // The promise is already delivered when the exception is // thrown, so don't rethrow it. } }, [$futureResponse, 'cancel'] ); $futureResponse->then([$promise, 'resolve'], [$promise, 'reject']); return $promise->then( function (Guzzle5ResponseInterface $response) { // Adapt the Guzzle 5 Response to a PSR-7 Response. return $this->createPsr7Response($response); }, function (Exception $e) { return new RejectedPromise($e); } ); } private function createGuzzle5Request(RequestInterface $request, array $options) { return $this->client->createRequest( $request->getMethod(), $request->getUri(), array_merge_recursive([ 'headers' => $request->getHeaders(), 'body' => $request->getBody(), ], $options) ); } private function createPsr7Response(Guzzle5ResponseInterface $response) { return new Response( $response->getStatusCode(), $response->getHeaders() ?: [], $response->getBody(), $response->getProtocolVersion(), $response->getReasonPhrase() ); } } src/HttpHandler/HttpHandlerFactory.php000064400000003325150230132410014020 0ustar00client = $client; } /** * Accepts a PSR-7 request and an array of options and returns a PSR-7 response. * * @param RequestInterface $request * @param array $options * @return ResponseInterface */ public function __invoke(RequestInterface $request, array $options = []) { return $this->client->send($request, $options); } /** * Accepts a PSR-7 request and an array of options and returns a PromiseInterface * * @param RequestInterface $request * @param array $options * * @return \GuzzleHttp\Promise\PromiseInterface */ public function async(RequestInterface $request, array $options = []) { return $this->client->sendAsync($request, $options); } } src/HttpHandler/HttpClientCache.php000064400000002517150230132410013257 0ustar00config = array_merge(['key' => null], $config); } /** * Updates the request query with the developer key if auth is set to simple. * * use Google\Auth\Middleware\SimpleMiddleware; * use GuzzleHttp\Client; * use GuzzleHttp\HandlerStack; * * $my_key = 'is not the same as yours'; * $middleware = new SimpleMiddleware(['key' => $my_key]); * $stack = HandlerStack::create(); * $stack->push($middleware); * * $client = new Client([ * 'handler' => $stack, * 'base_uri' => 'https://www.googleapis.com/discovery/v1/', * 'auth' => 'simple' * ]); * * $res = $client->get('drive/v2/rest'); * * @param callable $handler * @return \Closure */ public function __invoke(callable $handler) { return function (RequestInterface $request, array $options) use ($handler) { // Requests using "auth"="scoped" will be authorized. if (!isset($options['auth']) || $options['auth'] !== 'simple') { return $handler($request, $options); } $query = Psr7\parse_query($request->getUri()->getQuery()); $params = array_merge($query, $this->config); $uri = $request->getUri()->withQuery(Psr7\build_query($params)); $request = $request->withUri($uri); return $handler($request, $options); }; } } src/Middleware/ScopedAccessTokenMiddleware.php000064400000011737150230132410015457 0ustar00' */ class ScopedAccessTokenMiddleware { use CacheTrait; const DEFAULT_CACHE_LIFETIME = 1500; /** * @var CacheItemPoolInterface */ private $cache; /** * @var array configuration */ private $cacheConfig; /** * @var callable */ private $tokenFunc; /** * @var array|string */ private $scopes; /** * Creates a new ScopedAccessTokenMiddleware. * * @param callable $tokenFunc a token generator function * @param array|string $scopes the token authentication scopes * @param array $cacheConfig configuration for the cache when it's present * @param CacheItemPoolInterface $cache an implementation of CacheItemPoolInterface */ public function __construct( callable $tokenFunc, $scopes, array $cacheConfig = null, CacheItemPoolInterface $cache = null ) { $this->tokenFunc = $tokenFunc; if (!(is_string($scopes) || is_array($scopes))) { throw new \InvalidArgumentException( 'wants scope should be string or array' ); } $this->scopes = $scopes; if (!is_null($cache)) { $this->cache = $cache; $this->cacheConfig = array_merge([ 'lifetime' => self::DEFAULT_CACHE_LIFETIME, 'prefix' => '', ], $cacheConfig); } } /** * Updates the request with an Authorization header when auth is 'scoped'. * * E.g this could be used to authenticate using the AppEngine * AppIdentityService. * * use google\appengine\api\app_identity\AppIdentityService; * use Google\Auth\Middleware\ScopedAccessTokenMiddleware; * use GuzzleHttp\Client; * use GuzzleHttp\HandlerStack; * * $scope = 'https://www.googleapis.com/auth/taskqueue' * $middleware = new ScopedAccessTokenMiddleware( * 'AppIdentityService::getAccessToken', * $scope, * [ 'prefix' => 'Google\Auth\ScopedAccessToken::' ], * $cache = new Memcache() * ); * $stack = HandlerStack::create(); * $stack->push($middleware); * * $client = new Client([ * 'handler' => $stack, * 'base_url' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', * 'auth' => 'scoped' // authorize all requests * ]); * * $res = $client->get('myproject/taskqueues/myqueue'); * * @param callable $handler * @return \Closure */ public function __invoke(callable $handler) { return function (RequestInterface $request, array $options) use ($handler) { // Requests using "auth"="scoped" will be authorized. if (!isset($options['auth']) || $options['auth'] !== 'scoped') { return $handler($request, $options); } $request = $request->withHeader('authorization', 'Bearer ' . $this->fetchToken()); return $handler($request, $options); }; } /** * @return string */ private function getCacheKey() { $key = null; if (is_string($this->scopes)) { $key .= $this->scopes; } elseif (is_array($this->scopes)) { $key .= implode(':', $this->scopes); } return $key; } /** * Determine if token is available in the cache, if not call tokenFunc to * fetch it. * * @return string */ private function fetchToken() { $cacheKey = $this->getCacheKey(); $cached = $this->getCachedValue($cacheKey); if (!empty($cached)) { return $cached; } $token = call_user_func($this->tokenFunc, $this->scopes); $this->setCachedValue($cacheKey, $token); return $token; } } src/Middleware/AuthTokenMiddleware.php000064400000010756150230132410014021 0ustar00' */ class AuthTokenMiddleware { /** * @var callback */ private $httpHandler; /** * @var FetchAuthTokenInterface */ private $fetcher; /** * @var callable */ private $tokenCallback; /** * Creates a new AuthTokenMiddleware. * * @param FetchAuthTokenInterface $fetcher is used to fetch the auth token * @param callable $httpHandler (optional) callback which delivers psr7 request * @param callable $tokenCallback (optional) function to be called when a new token is fetched. */ public function __construct( FetchAuthTokenInterface $fetcher, callable $httpHandler = null, callable $tokenCallback = null ) { $this->fetcher = $fetcher; $this->httpHandler = $httpHandler; $this->tokenCallback = $tokenCallback; } /** * Updates the request with an Authorization header when auth is 'google_auth'. * * use Google\Auth\Middleware\AuthTokenMiddleware; * use Google\Auth\OAuth2; * use GuzzleHttp\Client; * use GuzzleHttp\HandlerStack; * * $config = [...]; * $oauth2 = new OAuth2($config) * $middleware = new AuthTokenMiddleware($oauth2); * $stack = HandlerStack::create(); * $stack->push($middleware); * * $client = new Client([ * 'handler' => $stack, * 'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', * 'auth' => 'google_auth' // authorize all requests * ]); * * $res = $client->get('myproject/taskqueues/myqueue'); * * @param callable $handler * @return \Closure */ public function __invoke(callable $handler) { return function (RequestInterface $request, array $options) use ($handler) { // Requests using "auth"="google_auth" will be authorized. if (!isset($options['auth']) || $options['auth'] !== 'google_auth') { return $handler($request, $options); } $request = $request->withHeader('authorization', 'Bearer ' . $this->fetchToken()); if ($quotaProject = $this->getQuotaProject()) { $request = $request->withHeader( GetQuotaProjectInterface::X_GOOG_USER_PROJECT_HEADER, $quotaProject ); } return $handler($request, $options); }; } /** * Call fetcher to fetch the token. * * @return string */ private function fetchToken() { $auth_tokens = $this->fetcher->fetchAuthToken($this->httpHandler); if (array_key_exists('access_token', $auth_tokens)) { // notify the callback if applicable if ($this->tokenCallback) { call_user_func( $this->tokenCallback, $this->fetcher->getCacheKey(), $auth_tokens['access_token'] ); } return $auth_tokens['access_token']; } if (array_key_exists('id_token', $auth_tokens)) { return $auth_tokens['id_token']; } } private function getQuotaProject() { if ($this->fetcher instanceof GetQuotaProjectInterface) { return $this->fetcher->getQuotaProject(); } } } src/SignBlobInterface.php000064400000002773150230132410011364 0ustar00 self::DEFAULT_EXPIRY_SECONDS, 'extensionParams' => [], 'authorizationUri' => null, 'redirectUri' => null, 'tokenCredentialUri' => null, 'state' => null, 'username' => null, 'password' => null, 'clientId' => null, 'clientSecret' => null, 'issuer' => null, 'sub' => null, 'audience' => null, 'signingKey' => null, 'signingKeyId' => null, 'signingAlgorithm' => null, 'scope' => null, 'additionalClaims' => [], ], $config); $this->setAuthorizationUri($opts['authorizationUri']); $this->setRedirectUri($opts['redirectUri']); $this->setTokenCredentialUri($opts['tokenCredentialUri']); $this->setState($opts['state']); $this->setUsername($opts['username']); $this->setPassword($opts['password']); $this->setClientId($opts['clientId']); $this->setClientSecret($opts['clientSecret']); $this->setIssuer($opts['issuer']); $this->setSub($opts['sub']); $this->setExpiry($opts['expiry']); $this->setAudience($opts['audience']); $this->setSigningKey($opts['signingKey']); $this->setSigningKeyId($opts['signingKeyId']); $this->setSigningAlgorithm($opts['signingAlgorithm']); $this->setScope($opts['scope']); $this->setExtensionParams($opts['extensionParams']); $this->setAdditionalClaims($opts['additionalClaims']); $this->updateToken($opts); } /** * Verifies the idToken if present. * * - if none is present, return null * - if present, but invalid, raises DomainException. * - otherwise returns the payload in the idtoken as a PHP object. * * The behavior of this method varies depending on the version of * `firebase/php-jwt` you are using. In versions lower than 3.0.0, if * `$publicKey` is null, the key is decoded without being verified. In * newer versions, if a public key is not given, this method will throw an * `\InvalidArgumentException`. * * @param string $publicKey The public key to use to authenticate the token * @param array $allowed_algs List of supported verification algorithms * @throws \DomainException if the token is missing an audience. * @throws \DomainException if the audience does not match the one set in * the OAuth2 class instance. * @throws \UnexpectedValueException If the token is invalid * @throws SignatureInvalidException If the signature is invalid. * @throws BeforeValidException If the token is not yet valid. * @throws ExpiredException If the token has expired. * @return null|object */ public function verifyIdToken($publicKey = null, $allowed_algs = array()) { $idToken = $this->getIdToken(); if (is_null($idToken)) { return null; } $resp = $this->jwtDecode($idToken, $publicKey, $allowed_algs); if (!property_exists($resp, 'aud')) { throw new \DomainException('No audience found the id token'); } if ($resp->aud != $this->getAudience()) { throw new \DomainException('Wrong audience present in the id token'); } return $resp; } /** * Obtains the encoded jwt from the instance data. * * @param array $config array optional configuration parameters * @return string */ public function toJwt(array $config = []) { if (is_null($this->getSigningKey())) { throw new \DomainException('No signing key available'); } if (is_null($this->getSigningAlgorithm())) { throw new \DomainException('No signing algorithm specified'); } $now = time(); $opts = array_merge([ 'skew' => self::DEFAULT_SKEW_SECONDS, ], $config); $assertion = [ 'iss' => $this->getIssuer(), 'aud' => $this->getAudience(), 'exp' => ($now + $this->getExpiry()), 'iat' => ($now - $opts['skew']), ]; foreach ($assertion as $k => $v) { if (is_null($v)) { throw new \DomainException($k . ' should not be null'); } } if (!(is_null($this->getScope()))) { $assertion['scope'] = $this->getScope(); } if (!(is_null($this->getSub()))) { $assertion['sub'] = $this->getSub(); } $assertion += $this->getAdditionalClaims(); return $this->jwtEncode( $assertion, $this->getSigningKey(), $this->getSigningAlgorithm(), $this->getSigningKeyId() ); } /** * Generates a request for token credentials. * * @return RequestInterface the authorization Url. */ public function generateCredentialsRequest() { $uri = $this->getTokenCredentialUri(); if (is_null($uri)) { throw new \DomainException('No token credential URI was set.'); } $grantType = $this->getGrantType(); $params = array('grant_type' => $grantType); switch ($grantType) { case 'authorization_code': $params['code'] = $this->getCode(); $params['redirect_uri'] = $this->getRedirectUri(); $this->addClientCredentials($params); break; case 'password': $params['username'] = $this->getUsername(); $params['password'] = $this->getPassword(); $this->addClientCredentials($params); break; case 'refresh_token': $params['refresh_token'] = $this->getRefreshToken(); $this->addClientCredentials($params); break; case self::JWT_URN: $params['assertion'] = $this->toJwt(); break; default: if (!is_null($this->getRedirectUri())) { # Grant type was supposed to be 'authorization_code', as there # is a redirect URI. throw new \DomainException('Missing authorization code'); } unset($params['grant_type']); if (!is_null($grantType)) { $params['grant_type'] = $grantType; } $params = array_merge($params, $this->getExtensionParams()); } $headers = [ 'Cache-Control' => 'no-store', 'Content-Type' => 'application/x-www-form-urlencoded', ]; return new Request( 'POST', $uri, $headers, Psr7\build_query($params) ); } /** * Fetches the auth tokens based on the current state. * * @param callable $httpHandler callback which delivers psr7 request * @return array the response */ public function fetchAuthToken(callable $httpHandler = null) { if (is_null($httpHandler)) { $httpHandler = HttpHandlerFactory::build(HttpClientCache::getHttpClient()); } $response = $httpHandler($this->generateCredentialsRequest()); $credentials = $this->parseTokenResponse($response); $this->updateToken($credentials); return $credentials; } /** * Obtains a key that can used to cache the results of #fetchAuthToken. * * The key is derived from the scopes. * * @return string a key that may be used to cache the auth token. */ public function getCacheKey() { if (is_array($this->scope)) { return implode(':', $this->scope); } if ($this->audience) { return $this->audience; } // If scope has not set, return null to indicate no caching. return null; } /** * Parses the fetched tokens. * * @param ResponseInterface $resp the response. * @return array the tokens parsed from the response body. * @throws \Exception */ public function parseTokenResponse(ResponseInterface $resp) { $body = (string)$resp->getBody(); if ($resp->hasHeader('Content-Type') && $resp->getHeaderLine('Content-Type') == 'application/x-www-form-urlencoded' ) { $res = array(); parse_str($body, $res); return $res; } // Assume it's JSON; if it's not throw an exception if (null === $res = json_decode($body, true)) { throw new \Exception('Invalid JSON response'); } return $res; } /** * Updates an OAuth 2.0 client. * * Example: * ``` * $oauth->updateToken([ * 'refresh_token' => 'n4E9O119d', * 'access_token' => 'FJQbwq9', * 'expires_in' => 3600 * ]); * ``` * * @param array $config * The configuration parameters related to the token. * * - refresh_token * The refresh token associated with the access token * to be refreshed. * * - access_token * The current access token for this client. * * - id_token * The current ID token for this client. * * - expires_in * The time in seconds until access token expiration. * * - expires_at * The time as an integer number of seconds since the Epoch * * - issued_at * The timestamp that the token was issued at. */ public function updateToken(array $config) { $opts = array_merge([ 'extensionParams' => [], 'access_token' => null, 'id_token' => null, 'expires_in' => null, 'expires_at' => null, 'issued_at' => null, ], $config); $this->setExpiresAt($opts['expires_at']); $this->setExpiresIn($opts['expires_in']); // By default, the token is issued at `Time.now` when `expiresIn` is set, // but this can be used to supply a more precise time. if (!is_null($opts['issued_at'])) { $this->setIssuedAt($opts['issued_at']); } $this->setAccessToken($opts['access_token']); $this->setIdToken($opts['id_token']); // The refresh token should only be updated if a value is explicitly // passed in, as some access token responses do not include a refresh // token. if (array_key_exists('refresh_token', $opts)) { $this->setRefreshToken($opts['refresh_token']); } } /** * Builds the authorization Uri that the user should be redirected to. * * @param array $config configuration options that customize the return url * @return UriInterface the authorization Url. * @throws InvalidArgumentException */ public function buildFullAuthorizationUri(array $config = []) { if (is_null($this->getAuthorizationUri())) { throw new InvalidArgumentException( 'requires an authorizationUri to have been set' ); } $params = array_merge([ 'response_type' => 'code', 'access_type' => 'offline', 'client_id' => $this->clientId, 'redirect_uri' => $this->redirectUri, 'state' => $this->state, 'scope' => $this->getScope(), ], $config); // Validate the auth_params if (is_null($params['client_id'])) { throw new InvalidArgumentException( 'missing the required client identifier' ); } if (is_null($params['redirect_uri'])) { throw new InvalidArgumentException('missing the required redirect URI'); } if (!empty($params['prompt']) && !empty($params['approval_prompt'])) { throw new InvalidArgumentException( 'prompt and approval_prompt are mutually exclusive' ); } // Construct the uri object; return it if it is valid. $result = clone $this->authorizationUri; $existingParams = Psr7\parse_query($result->getQuery()); $result = $result->withQuery( Psr7\build_query(array_merge($existingParams, $params)) ); if ($result->getScheme() != 'https') { throw new InvalidArgumentException( 'Authorization endpoint must be protected by TLS' ); } return $result; } /** * Sets the authorization server's HTTP endpoint capable of authenticating * the end-user and obtaining authorization. * * @param string $uri */ public function setAuthorizationUri($uri) { $this->authorizationUri = $this->coerceUri($uri); } /** * Gets the authorization server's HTTP endpoint capable of authenticating * the end-user and obtaining authorization. * * @return UriInterface */ public function getAuthorizationUri() { return $this->authorizationUri; } /** * Gets the authorization server's HTTP endpoint capable of issuing tokens * and refreshing expired tokens. * * @return string */ public function getTokenCredentialUri() { return $this->tokenCredentialUri; } /** * Sets the authorization server's HTTP endpoint capable of issuing tokens * and refreshing expired tokens. * * @param string $uri */ public function setTokenCredentialUri($uri) { $this->tokenCredentialUri = $this->coerceUri($uri); } /** * Gets the redirection URI used in the initial request. * * @return string */ public function getRedirectUri() { return $this->redirectUri; } /** * Sets the redirection URI used in the initial request. * * @param string $uri */ public function setRedirectUri($uri) { if (is_null($uri)) { $this->redirectUri = null; return; } // redirect URI must be absolute if (!$this->isAbsoluteUri($uri)) { // "postmessage" is a reserved URI string in Google-land // @see https://developers.google.com/identity/sign-in/web/server-side-flow if ('postmessage' !== (string)$uri) { throw new InvalidArgumentException( 'Redirect URI must be absolute' ); } } $this->redirectUri = (string)$uri; } /** * Gets the scope of the access requests as a space-delimited String. * * @return string */ public function getScope() { if (is_null($this->scope)) { return $this->scope; } return implode(' ', $this->scope); } /** * Sets the scope of the access request, expressed either as an Array or as * a space-delimited String. * * @param string|array $scope * @throws InvalidArgumentException */ public function setScope($scope) { if (is_null($scope)) { $this->scope = null; } elseif (is_string($scope)) { $this->scope = explode(' ', $scope); } elseif (is_array($scope)) { foreach ($scope as $s) { $pos = strpos($s, ' '); if ($pos !== false) { throw new InvalidArgumentException( 'array scope values should not contain spaces' ); } } $this->scope = $scope; } else { throw new InvalidArgumentException( 'scopes should be a string or array of strings' ); } } /** * Gets the current grant type. * * @return string */ public function getGrantType() { if (!is_null($this->grantType)) { return $this->grantType; } // Returns the inferred grant type, based on the current object instance // state. if (!is_null($this->code)) { return 'authorization_code'; } if (!is_null($this->refreshToken)) { return 'refresh_token'; } if (!is_null($this->username) && !is_null($this->password)) { return 'password'; } if (!is_null($this->issuer) && !is_null($this->signingKey)) { return self::JWT_URN; } return null; } /** * Sets the current grant type. * * @param $grantType * @throws InvalidArgumentException */ public function setGrantType($grantType) { if (in_array($grantType, self::$knownGrantTypes)) { $this->grantType = $grantType; } else { // validate URI if (!$this->isAbsoluteUri($grantType)) { throw new InvalidArgumentException( 'invalid grant type' ); } $this->grantType = (string)$grantType; } } /** * Gets an arbitrary string designed to allow the client to maintain state. * * @return string */ public function getState() { return $this->state; } /** * Sets an arbitrary string designed to allow the client to maintain state. * * @param string $state */ public function setState($state) { $this->state = $state; } /** * Gets the authorization code issued to this client. */ public function getCode() { return $this->code; } /** * Sets the authorization code issued to this client. * * @param string $code */ public function setCode($code) { $this->code = $code; } /** * Gets the resource owner's username. */ public function getUsername() { return $this->username; } /** * Sets the resource owner's username. * * @param string $username */ public function setUsername($username) { $this->username = $username; } /** * Gets the resource owner's password. */ public function getPassword() { return $this->password; } /** * Sets the resource owner's password. * * @param $password */ public function setPassword($password) { $this->password = $password; } /** * Sets a unique identifier issued to the client to identify itself to the * authorization server. */ public function getClientId() { return $this->clientId; } /** * Sets a unique identifier issued to the client to identify itself to the * authorization server. * * @param $clientId */ public function setClientId($clientId) { $this->clientId = $clientId; } /** * Gets a shared symmetric secret issued by the authorization server, which * is used to authenticate the client. */ public function getClientSecret() { return $this->clientSecret; } /** * Sets a shared symmetric secret issued by the authorization server, which * is used to authenticate the client. * * @param $clientSecret */ public function setClientSecret($clientSecret) { $this->clientSecret = $clientSecret; } /** * Gets the Issuer ID when using assertion profile. */ public function getIssuer() { return $this->issuer; } /** * Sets the Issuer ID when using assertion profile. * * @param string $issuer */ public function setIssuer($issuer) { $this->issuer = $issuer; } /** * Gets the target sub when issuing assertions. */ public function getSub() { return $this->sub; } /** * Sets the target sub when issuing assertions. * * @param string $sub */ public function setSub($sub) { $this->sub = $sub; } /** * Gets the target audience when issuing assertions. */ public function getAudience() { return $this->audience; } /** * Sets the target audience when issuing assertions. * * @param string $audience */ public function setAudience($audience) { $this->audience = $audience; } /** * Gets the signing key when using an assertion profile. */ public function getSigningKey() { return $this->signingKey; } /** * Sets the signing key when using an assertion profile. * * @param string $signingKey */ public function setSigningKey($signingKey) { $this->signingKey = $signingKey; } /** * Gets the signing key id when using an assertion profile. * * @return string */ public function getSigningKeyId() { return $this->signingKeyId; } /** * Sets the signing key id when using an assertion profile. * * @param string $signingKeyId */ public function setSigningKeyId($signingKeyId) { $this->signingKeyId = $signingKeyId; } /** * Gets the signing algorithm when using an assertion profile. * * @return string */ public function getSigningAlgorithm() { return $this->signingAlgorithm; } /** * Sets the signing algorithm when using an assertion profile. * * @param string $signingAlgorithm */ public function setSigningAlgorithm($signingAlgorithm) { if (is_null($signingAlgorithm)) { $this->signingAlgorithm = null; } elseif (!in_array($signingAlgorithm, self::$knownSigningAlgorithms)) { throw new InvalidArgumentException('unknown signing algorithm'); } else { $this->signingAlgorithm = $signingAlgorithm; } } /** * Gets the set of parameters used by extension when using an extension * grant type. */ public function getExtensionParams() { return $this->extensionParams; } /** * Sets the set of parameters used by extension when using an extension * grant type. * * @param $extensionParams */ public function setExtensionParams($extensionParams) { $this->extensionParams = $extensionParams; } /** * Gets the number of seconds assertions are valid for. */ public function getExpiry() { return $this->expiry; } /** * Sets the number of seconds assertions are valid for. * * @param int $expiry */ public function setExpiry($expiry) { $this->expiry = $expiry; } /** * Gets the lifetime of the access token in seconds. */ public function getExpiresIn() { return $this->expiresIn; } /** * Sets the lifetime of the access token in seconds. * * @param int $expiresIn */ public function setExpiresIn($expiresIn) { if (is_null($expiresIn)) { $this->expiresIn = null; $this->issuedAt = null; } else { $this->issuedAt = time(); $this->expiresIn = (int)$expiresIn; } } /** * Gets the time the current access token expires at. * * @return int */ public function getExpiresAt() { if (!is_null($this->expiresAt)) { return $this->expiresAt; } if (!is_null($this->issuedAt) && !is_null($this->expiresIn)) { return $this->issuedAt + $this->expiresIn; } return null; } /** * Returns true if the acccess token has expired. * * @return bool */ public function isExpired() { $expiration = $this->getExpiresAt(); $now = time(); return !is_null($expiration) && $now >= $expiration; } /** * Sets the time the current access token expires at. * * @param int $expiresAt */ public function setExpiresAt($expiresAt) { $this->expiresAt = $expiresAt; } /** * Gets the time the current access token was issued at. */ public function getIssuedAt() { return $this->issuedAt; } /** * Sets the time the current access token was issued at. * * @param int $issuedAt */ public function setIssuedAt($issuedAt) { $this->issuedAt = $issuedAt; } /** * Gets the current access token. */ public function getAccessToken() { return $this->accessToken; } /** * Sets the current access token. * * @param string $accessToken */ public function setAccessToken($accessToken) { $this->accessToken = $accessToken; } /** * Gets the current ID token. */ public function getIdToken() { return $this->idToken; } /** * Sets the current ID token. * * @param $idToken */ public function setIdToken($idToken) { $this->idToken = $idToken; } /** * Gets the refresh token associated with the current access token. */ public function getRefreshToken() { return $this->refreshToken; } /** * Sets the refresh token associated with the current access token. * * @param $refreshToken */ public function setRefreshToken($refreshToken) { $this->refreshToken = $refreshToken; } /** * Sets additional claims to be included in the JWT token * * @param array $additionalClaims */ public function setAdditionalClaims(array $additionalClaims) { $this->additionalClaims = $additionalClaims; } /** * Gets the additional claims to be included in the JWT token. * * @return array */ public function getAdditionalClaims() { return $this->additionalClaims; } /** * The expiration of the last received token. * * @return array|null */ public function getLastReceivedToken() { if ($token = $this->getAccessToken()) { // the bare necessity of an auth token $authToken = [ 'access_token' => $token, 'expires_at' => $this->getExpiresAt(), ]; } elseif ($idToken = $this->getIdToken()) { $authToken = [ 'id_token' => $idToken, 'expires_at' => $this->getExpiresAt(), ]; } else { return null; } if ($expiresIn = $this->getExpiresIn()) { $authToken['expires_in'] = $expiresIn; } if ($issuedAt = $this->getIssuedAt()) { $authToken['issued_at'] = $issuedAt; } if ($refreshToken = $this->getRefreshToken()) { $authToken['refresh_token'] = $refreshToken; } return $authToken; } /** * Get the client ID. * * Alias of {@see Google\Auth\OAuth2::getClientId()}. * * @param callable $httpHandler * @return string * @access private */ public function getClientName(callable $httpHandler = null) { return $this->getClientId(); } /** * @todo handle uri as array * * @param string $uri * @return null|UriInterface */ private function coerceUri($uri) { if (is_null($uri)) { return; } return Psr7\uri_for($uri); } /** * @param string $idToken * @param string|array|null $publicKey * @param array $allowedAlgs * @return object */ private function jwtDecode($idToken, $publicKey, $allowedAlgs) { if (class_exists('Firebase\JWT\JWT')) { return \Firebase\JWT\JWT::decode($idToken, $publicKey, $allowedAlgs); } return \JWT::decode($idToken, $publicKey, $allowedAlgs); } private function jwtEncode($assertion, $signingKey, $signingAlgorithm, $signingKeyId = null) { if (class_exists('Firebase\JWT\JWT')) { return \Firebase\JWT\JWT::encode( $assertion, $signingKey, $signingAlgorithm, $signingKeyId ); } return \JWT::encode($assertion, $signingKey, $signingAlgorithm, $signingKeyId); } /** * Determines if the URI is absolute based on its scheme and host or path * (RFC 3986). * * @param string $uri * @return bool */ private function isAbsoluteUri($uri) { $uri = $this->coerceUri($uri); return $uri->getScheme() && ($uri->getHost() || $uri->getPath()); } /** * @param array $params * @return array */ private function addClientCredentials(&$params) { $clientId = $this->getClientId(); $clientSecret = $this->getClientSecret(); if ($clientId && $clientSecret) { $params['client_id'] = $clientId; $params['client_secret'] = $clientSecret; } return $params; } } src/Iam.php000064400000006053150230132410006545 0ustar00httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); } /** * Sign a string using the IAM signBlob API. * * Note that signing using IAM requires your service account to have the * `iam.serviceAccounts.signBlob` permission, part of the "Service Account * Token Creator" IAM role. * * @param string $email The service account email. * @param string $accessToken An access token from the service account. * @param string $stringToSign The string to be signed. * @param array $delegates [optional] A list of service account emails to * add to the delegate chain. If omitted, the value of `$email` will * be used. * @return string The signed string, base64-encoded. */ public function signBlob($email, $accessToken, $stringToSign, array $delegates = []) { $httpHandler = $this->httpHandler; $name = sprintf(self::SERVICE_ACCOUNT_NAME, $email); $uri = self::IAM_API_ROOT . '/' . sprintf(self::SIGN_BLOB_PATH, $name); if ($delegates) { foreach ($delegates as &$delegate) { $delegate = sprintf(self::SERVICE_ACCOUNT_NAME, $delegate); } } else { $delegates = [$name]; } $body = [ 'delegates' => $delegates, 'payload' => base64_encode($stringToSign), ]; $headers = [ 'Authorization' => 'Bearer ' . $accessToken ]; $request = new Psr7\Request( 'POST', $uri, $headers, Psr7\stream_for(json_encode($body)) ); $res = $httpHandler($request); $body = json_decode((string) $res->getBody(), true); return $body['signedBlob']; } }