Iam.php
| 1 | <?php |
| 2 | |
| 3 | /* |
| 4 | * Copyright 2019 Google LLC |
| 5 | * |
| 6 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 7 | * you may not use this file except in compliance with the License. |
| 8 | * You may obtain a copy of the License at |
| 9 | * |
| 10 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 11 | * |
| 12 | * Unless required by applicable law or agreed to in writing, software |
| 13 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 15 | * See the License for the specific language governing permissions and |
| 16 | * limitations under the License. |
| 17 | */ |
| 18 | namespace WPMailSMTP\Vendor\Google\Auth; |
| 19 | |
| 20 | use WPMailSMTP\Vendor\Google\Auth\HttpHandler\HttpClientCache; |
| 21 | use WPMailSMTP\Vendor\Google\Auth\HttpHandler\HttpHandlerFactory; |
| 22 | use WPMailSMTP\Vendor\GuzzleHttp\Psr7; |
| 23 | use WPMailSMTP\Vendor\GuzzleHttp\Psr7\Utils; |
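/**
 * Tools for using the IAM API.
 *
 * Wraps the IAM Credentials `signBlob` endpoint: given an access token and a
 * service account email, it asks the API to sign a payload and returns the
 * signature from the response.
 *
 * @see https://cloud.google.com/iam/docs IAM Documentation
 */
class Iam
{
    /**
     * Not referenced inside this class; signBlob() builds its root from
     * IAM_API_ROOT_TEMPLATE instead.
     *
     * @deprecated
     */
    const IAM_API_ROOT = 'https://iamcredentials.googleapis.com/v1';
    const SIGN_BLOB_PATH = '%s:signBlob?alt=json';
    const SERVICE_ACCOUNT_NAME = 'projects/-/serviceAccounts/%s';
    private const IAM_API_ROOT_TEMPLATE = 'https://iamcredentials.UNIVERSE_DOMAIN/v1';

    /**
     * @var callable
     */
    private $httpHandler;

    private string $universeDomain;

    /**
     * @param callable|null $httpHandler [optional] The HTTP Handler to send requests.
     *        When omitted, one is built by HttpHandlerFactory from
     *        HttpClientCache::getHttpClient().
     * @param string $universeDomain [optional] Domain substituted into the IAM
     *        API root. signBlob() sends the bearer token to this host, so the
     *        value must come from trusted configuration and never from
     *        request-controlled input.
     */
    public function __construct(?callable $httpHandler = null, string $universeDomain = GetUniverseDomainInterface::DEFAULT_UNIVERSE_DOMAIN)
    {
        $this->httpHandler = $httpHandler ?? HttpHandlerFactory::build(HttpClientCache::getHttpClient());
        $this->universeDomain = $universeDomain;
    }

    /**
     * Sign a string using the IAM signBlob API.
     *
     * Note that signing using IAM requires your service account to have the
     * `iam.serviceAccounts.signBlob` permission, part of the "Service Account
     * Token Creator" IAM role.
     *
     * `$email` and every entry of `$delegates` are formatted into the resource
     * name (and, for `$email`, into the request path) without any encoding or
     * validation, so callers must pass known service account emails only.
     *
     * @param string $email The service account email.
     * @param string $accessToken An access token from the service account.
     *        Sent as a bearer credential to the host derived from the
     *        configured universe domain.
     * @param string $stringToSign The string to be signed.
     * @param array<string> $delegates [optional] A list of service account emails to
     *        add to the delegate chain. If omitted, the value of `$email` will
     *        be used.
     * @return string The signed string, base64-encoded.
     * @throws \UnexpectedValueException If the response body is not a JSON
     *         object carrying a string `signedBlob` member.
     */
    public function signBlob($email, $accessToken, $stringToSign, array $delegates = [])
    {
        $send = $this->httpHandler;
        $name = \sprintf(self::SERVICE_ACCOUNT_NAME, $email);
        $apiRoot = \str_replace('UNIVERSE_DOMAIN', $this->universeDomain, self::IAM_API_ROOT_TEMPLATE);
        $uri = $apiRoot . '/' . \sprintf(self::SIGN_BLOB_PATH, $name);

        // Expand each delegate email to its full resource name. array_map
        // replaces the by-reference foreach, which left $delegate bound to the
        // last array element after the loop.
        $delegates = $delegates
            ? \array_map(
                static fn ($delegate) => \sprintf(self::SERVICE_ACCOUNT_NAME, $delegate),
                $delegates
            )
            : [$name];

        $payload = [
            'delegates' => $delegates,
            'payload' => \base64_encode($stringToSign),
        ];
        $headers = ['Authorization' => 'Bearer ' . $accessToken];
        $request = new Psr7\Request('POST', $uri, $headers, Utils::streamFor(\json_encode($payload)));

        $response = $send($request);
        $decoded = \json_decode((string) $response->getBody(), \true);

        // Fail closed: a handler that does not raise on error responses would
        // otherwise make this method return null, which callers would then use
        // as if it were a signature. The response body is deliberately kept
        // out of the exception message.
        if (!\is_array($decoded) || !isset($decoded['signedBlob']) || !\is_string($decoded['signedBlob'])) {
            throw new \UnexpectedValueException('IAM signBlob response did not contain a signedBlob value.');
        }

        return $decoded['signedBlob'];
    }
}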
| 87 |