Cache
6 months ago
CredentialSource
6 months ago
Credentials
6 months ago
HttpHandler
6 months ago
Middleware
1 week ago
AccessToken.php
6 months ago
ApplicationDefaultCredentials.php
6 months ago
CacheTrait.php
6 months ago
CredentialsLoader.php
6 months ago
ExternalAccountCredentialSourceInterface.php
6 months ago
FetchAuthTokenCache.php
6 months ago
FetchAuthTokenInterface.php
6 months ago
GCECache.php
6 months ago
GetQuotaProjectInterface.php
6 months ago
GetUniverseDomainInterface.php
6 months ago
Iam.php
6 months ago
IamSignerTrait.php
6 months ago
OAuth2.php
6 months ago
ProjectIdProviderInterface.php
6 months ago
ServiceAccountSignerTrait.php
6 months ago
SignBlobInterface.php
6 months ago
UpdateMetadataInterface.php
6 months ago
UpdateMetadataTrait.php
6 months ago
Iam.php
111 lines
| 1 | <?php |
| 2 | /* |
| 3 | * Copyright 2019 Google LLC |
| 4 | * |
| 5 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | * you may not use this file except in compliance with the License. |
| 7 | * You may obtain a copy of the License at |
| 8 | * |
| 9 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | * |
| 11 | * Unless required by applicable law or agreed to in writing, software |
| 12 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | * See the License for the specific language governing permissions and |
| 15 | * limitations under the License. |
| 16 | */ |
| 17 | |
| 18 | namespace AmeliaVendor\Google\Auth; |
| 19 | |
| 20 | use AmeliaVendor\Google\Auth\HttpHandler\HttpClientCache; |
| 21 | use AmeliaVendor\Google\Auth\HttpHandler\HttpHandlerFactory; |
| 22 | use AmeliaVendor\GuzzleHttp\Psr7; |
| 23 | use AmeliaVendor\GuzzleHttp\Psr7\Utils; |
| 24 | |
| 25 | /** |
| 26 | * Tools for using the IAM API. |
| 27 | * |
| 28 | * @see https://cloud.google.com/iam/docs IAM Documentation |
| 29 | */ |
| 30 | class Iam |
| 31 | { |
| 32 | /** |
| 33 | * @deprecated |
| 34 | */ |
| 35 | const IAM_API_ROOT = 'https://iamcredentials.googleapis.com/v1'; |
| 36 | const SIGN_BLOB_PATH = '%s:signBlob?alt=json'; |
| 37 | const SERVICE_ACCOUNT_NAME = 'projects/-/serviceAccounts/%s'; |
| 38 | private const IAM_API_ROOT_TEMPLATE = 'https://iamcredentials.UNIVERSE_DOMAIN/v1'; |
| 39 | |
| 40 | /** |
| 41 | * @var callable |
| 42 | */ |
| 43 | private $httpHandler; |
| 44 | |
| 45 | private string $universeDomain; |
| 46 | |
| 47 | /** |
| 48 | * @param callable $httpHandler [optional] The HTTP Handler to send requests. |
| 49 | */ |
| 50 | public function __construct( |
| 51 | ?callable $httpHandler = null, |
| 52 | string $universeDomain = GetUniverseDomainInterface::DEFAULT_UNIVERSE_DOMAIN |
| 53 | ) { |
| 54 | $this->httpHandler = $httpHandler |
| 55 | ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); |
| 56 | $this->universeDomain = $universeDomain; |
| 57 | } |
| 58 | |
| 59 | /** |
| 60 | * Sign a string using the IAM signBlob API. |
| 61 | * |
| 62 | * Note that signing using IAM requires your service account to have the |
| 63 | * `iam.serviceAccounts.signBlob` permission, part of the "Service Account |
| 64 | * Token Creator" IAM role. |
| 65 | * |
| 66 | * @param string $email The service account email. |
| 67 | * @param string $accessToken An access token from the service account. |
| 68 | * @param string $stringToSign The string to be signed. |
| 69 | * @param array<string> $delegates [optional] A list of service account emails to |
| 70 | * add to the delegate chain. If omitted, the value of `$email` will |
| 71 | * be used. |
| 72 | * @return string The signed string, base64-encoded. |
| 73 | */ |
| 74 | public function signBlob($email, $accessToken, $stringToSign, array $delegates = []) |
| 75 | { |
| 76 | $httpHandler = $this->httpHandler; |
| 77 | $name = sprintf(self::SERVICE_ACCOUNT_NAME, $email); |
| 78 | $apiRoot = str_replace('UNIVERSE_DOMAIN', $this->universeDomain, self::IAM_API_ROOT_TEMPLATE); |
| 79 | $uri = $apiRoot . '/' . sprintf(self::SIGN_BLOB_PATH, $name); |
| 80 | |
| 81 | if ($delegates) { |
| 82 | foreach ($delegates as &$delegate) { |
| 83 | $delegate = sprintf(self::SERVICE_ACCOUNT_NAME, $delegate); |
| 84 | } |
| 85 | } else { |
| 86 | $delegates = [$name]; |
| 87 | } |
| 88 | |
| 89 | $body = [ |
| 90 | 'delegates' => $delegates, |
| 91 | 'payload' => base64_encode($stringToSign), |
| 92 | ]; |
| 93 | |
| 94 | $headers = [ |
| 95 | 'Authorization' => 'Bearer ' . $accessToken |
| 96 | ]; |
| 97 | |
| 98 | $request = new Psr7\Request( |
| 99 | 'POST', |
| 100 | $uri, |
| 101 | $headers, |
| 102 | Utils::streamFor(json_encode($body)) |
| 103 | ); |
| 104 | |
| 105 | $res = $httpHandler($request); |
| 106 | $body = json_decode((string) $res->getBody(), true); |
| 107 | |
| 108 | return $body['signedBlob']; |
| 109 | } |
| 110 | } |
| 111 |