diff --git a/CHANGELOG.md b/CHANGELOG.md index 9f90c9e54..3cec30575 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ * [feat]: add support for Firebase v6.0 (#391) +## [1.36.0](https://github.com/googleapis/google-auth-library-php/compare/v1.35.0...v1.36.0) (2024-02-20) + + +### Features + +* Universe domain for Iam ([#531](https://github.com/googleapis/google-auth-library-php/issues/531)) ([b905a56](https://github.com/googleapis/google-auth-library-php/commit/b905a561ac8913420d4b3c0a24734ded48687028)) + ## [1.35.0](https://github.com/googleapis/google-auth-library-php/compare/v1.34.0...v1.35.0) (2024-02-01) diff --git a/src/Credentials/ExternalAccountCredentials.php b/src/Credentials/ExternalAccountCredentials.php index bc4a68610..c3a8c628a 100644 --- a/src/Credentials/ExternalAccountCredentials.php +++ b/src/Credentials/ExternalAccountCredentials.php @@ -43,7 +43,7 @@ class ExternalAccountCredentials implements use UpdateMetadataTrait; private const EXTERNAL_ACCOUNT_TYPE = 'external_account'; - private const CLOUD_RESOURCE_MANAGER_URL='https://cloudresourcemanager.UNIVERSE_DOMAIN/v1/projects/%s'; + private const CLOUD_RESOURCE_MANAGER_URL = 'https://cloudresourcemanager.UNIVERSE_DOMAIN/v1/projects/%s'; private OAuth2 $auth; private ?string $quotaProject; diff --git a/src/Iam.php b/src/Iam.php index 943ecf2d6..2f67f0009 100644 --- a/src/Iam.php +++ b/src/Iam.php @@ -29,22 +29,31 @@ */ class Iam { + /** + * @deprecated + */ const IAM_API_ROOT = 'https://iamcredentials.googleapis.com/v1'; const SIGN_BLOB_PATH = '%s:signBlob?alt=json'; const SERVICE_ACCOUNT_NAME = 'projects/-/serviceAccounts/%s'; + private const IAM_API_ROOT_TEMPLATE = 'https://iamcredentials.UNIVERSE_DOMAIN/v1'; /** * @var callable */ private $httpHandler; + private string $universeDomain; + /** * @param callable $httpHandler [optional] The HTTP Handler to send requests. */ - public function __construct(callable $httpHandler = null) - { + public function __construct( + callable $httpHandler = null, + string $universeDomain = GetUniverseDomainInterface::DEFAULT_UNIVERSE_DOMAIN + ) { $this->httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); + $this->universeDomain = $universeDomain; } /** @@ -66,7 +75,8 @@ public function signBlob($email, $accessToken, $stringToSign, array $delegates = { $httpHandler = $this->httpHandler; $name = sprintf(self::SERVICE_ACCOUNT_NAME, $email); - $uri = self::IAM_API_ROOT . '/' . sprintf(self::SIGN_BLOB_PATH, $name); + $apiRoot = str_replace('UNIVERSE_DOMAIN', $this->universeDomain, self::IAM_API_ROOT_TEMPLATE); + $uri = $apiRoot . '/' . sprintf(self::SIGN_BLOB_PATH, $name); if ($delegates) { foreach ($delegates as &$delegate) { diff --git a/src/IamSignerTrait.php b/src/IamSignerTrait.php index 9de18b3fd..da3c90903 100644 --- a/src/IamSignerTrait.php +++ b/src/IamSignerTrait.php @@ -51,7 +51,12 @@ public function signBlob($stringToSign, $forceOpenSsl = false, $accessToken = nu // Providing a signer is useful for testing, but it's undocumented // because it's not something a user would generally need to do. - $signer = $this->iam ?: new Iam($httpHandler); + $signer = $this->iam; + if (!$signer) { + $signer = $this instanceof GetUniverseDomainInterface + ? new Iam($httpHandler, $this->getUniverseDomain()) + : new Iam($httpHandler); + } $email = $this->getClientName($httpHandler); diff --git a/tests/Credentials/GCECredentialsTest.php b/tests/Credentials/GCECredentialsTest.php index a82e6f5c9..5964b9a5c 100644 --- a/tests/Credentials/GCECredentialsTest.php +++ b/tests/Credentials/GCECredentialsTest.php @@ -23,6 +23,7 @@ use Google\Auth\Tests\BaseTest; use GuzzleHttp\Exception\ClientException; use GuzzleHttp\Psr7; +use GuzzleHttp\Psr7\Request; use GuzzleHttp\Psr7\Response; use GuzzleHttp\Psr7\Utils; use InvalidArgumentException; @@ -380,6 +381,44 @@ public function testSignBlobWithLastReceivedAccessToken() $signature = $creds->signBlob($stringToSign); } + public function testSignBlobWithUniverseDomain() + { + $token = [ + 'access_token' => 'token', + 'expires_in' => '57', + 'token_type' => 'Bearer', + ]; + $signedBlob = ['signedBlob' => 'abc123']; + $client = $this->prophesize('GuzzleHttp\ClientInterface'); + $client->send(Argument::any(), Argument::any()) + ->willReturn( + new Response(200, [], Utils::streamFor('test@test.com')), + new Response(200, [], Utils::streamFor(json_encode($token))) + ); + $client->send( + Argument::that( + fn (Request $request) => $request->getUri()->getHost() === 'iamcredentials.example-universe.com' + ), + Argument::any() + ) + ->shouldBeCalledOnce() + ->willReturn(new Response(200, [], Utils::streamFor(json_encode($signedBlob)))); + + HttpClientCache::setHttpClient($client->reveal()); + + $creds = new GCECredentials( + null, + null, + null, + null, + null, + 'example-universe.com' + ); + $creds->setIsOnGce(true); + $signature = $creds->signBlob('inputString'); + $this->assertEquals('abc123', $signature); + } + public function testGetProjectId() { $expected = 'foobar';