From 1866bc095522dbfff0582a54786fd21a3242a22f Mon Sep 17 00:00:00 2001 From: Stan Hu Date: Tue, 9 Apr 2024 14:43:49 -0700 Subject: [PATCH] storage: fix incorrect API scopes for IAM SignBlob API Previously when a service account attempted to use the IAM SignBlob API, the request would fail with a 403 `ACCESS_TOKEN_SCOPE_INSUFFICIENT` because the wrong scope was requested. As documented in https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob, either `https://www.googleapis.com/auth/iam` or `https://www.googleapis.com/auth/cloud-platform` is needed. This commit fixes an issue where the default authorization header with the `https://www.googleapis.com/auth/devstorage.full_control` scope was being used by the IAM service. This occurred because the previous code did not actually set the scope properly, and for the IAM service to work properly, we need to request a new access token with the correct scope. Note that the service account in question needs to have the `Service Account Token Creator` IAM role to work. Closes #599 --- lib/fog/google/shared.rb | 17 +++++++++-------- lib/fog/storage/google_json.rb | 2 +- lib/fog/storage/google_json/real.rb | 20 ++++++++++++++------ 3 files changed, 24 insertions(+), 15 deletions(-) diff --git a/lib/fog/google/shared.rb b/lib/fog/google/shared.rb index 0520a695b..a70e75697 100644 --- a/lib/fog/google/shared.rb +++ b/lib/fog/google/shared.rb @@ -67,20 +67,21 @@ def initialize_google_client(options) ::Google::Apis.logger.level = ::Logger::DEBUG end - auth = nil + initialize_auth(options).tap do |auth| + ::Google::Apis::RequestOptions.default.authorization = auth + end + end + def initialize_auth(options) if options[:google_json_key_location] || options[:google_json_key_string] - auth = process_key_auth(options) + process_key_auth(options) elsif options[:google_auth] - auth = options[:google_auth] + options[:google_auth] elsif options[:google_application_default] - auth = process_application_default_auth(options) + process_application_default_auth(options) else - auth = process_fallback_auth(options) + process_fallback_auth(options) end - - ::Google::Apis::RequestOptions.default.authorization = auth - auth end ## diff --git a/lib/fog/storage/google_json.rb b/lib/fog/storage/google_json.rb index 5d7ca9afa..aec31fbf3 100644 --- a/lib/fog/storage/google_json.rb +++ b/lib/fog/storage/google_json.rb @@ -29,7 +29,7 @@ class GoogleJSON < Fog::Service # Version of IAM API used for blob signing, see Fog::Storage::GoogleJSON::Real#iam_signer GOOGLE_STORAGE_JSON_IAM_API_VERSION = "v1".freeze - GOOGLE_STORAGE_JSON_IAM_API_SCOPE_URLS = %w(https://www.googleapis.com/auth/devstorage.full_control).freeze + GOOGLE_STORAGE_JSON_IAM_API_SCOPE_URLS = %w(https://www.googleapis.com/auth/iam).freeze # TODO: Come up with a way to only request a subset of permissions. # https://cloud.google.com/storage/docs/json_api/v1/how-tos/authorizing diff --git a/lib/fog/storage/google_json/real.rb b/lib/fog/storage/google_json/real.rb index d562a07d1..8396cf230 100644 --- a/lib/fog/storage/google_json/real.rb +++ b/lib/fog/storage/google_json/real.rb @@ -10,16 +10,12 @@ class Real def initialize(options = {}) shared_initialize(options[:google_project], GOOGLE_STORAGE_JSON_API_VERSION, GOOGLE_STORAGE_JSON_BASE_URL) + @options = options.dup options[:google_api_scope_url] = GOOGLE_STORAGE_JSON_API_SCOPE_URLS.join(" ") @host = options[:host] || "storage.googleapis.com" # TODO(temikus): Do we even need this client? @client = initialize_google_client(options) - # IAM client used for SignBlob API - @iam_service = ::Google::Apis::IamcredentialsV1::IAMCredentialsService.new - apply_client_options(@iam_service, { - google_api_scope_url: GOOGLE_STORAGE_JSON_IAM_API_SCOPE_URLS.join(" ") - }) @storage_json = ::Google::Apis::StorageV1::StorageService.new apply_client_options(@storage_json, options) @@ -141,6 +137,18 @@ def default_signer(string_to_sign) return key.sign(digest, string_to_sign) end + # IAM client used for SignBlob API. + # Lazily initialize this since it requires another authorization request. + def iam_service + return @iam_service if defined?(@iam_service) + + @iam_service = ::Google::Apis::IamcredentialsV1::IAMCredentialsService.new + apply_client_options(@iam_service, @options) + iam_options = @options.merge(google_api_scope_url: GOOGLE_STORAGE_JSON_IAM_API_SCOPE_URLS.join(" "))) + @iam_service.authorization = initialize_auth(iam_options) + @iam_service + end + ## # Fallback URL signer using the IAM SignServiceAccountBlob API, see # Google::Apis::IamcredentialsV1::IAMCredentialsService#sign_service_account_blob @@ -162,7 +170,7 @@ def iam_signer(string_to_sign) ) resource = "projects/-/serviceAccounts/#{google_access_id}" - response = @iam_service.sign_service_account_blob(resource, request) + response = iam_service.sign_service_account_blob(resource, request) return response.signed_blob end