Server IP : 213.176.29.180 / Your IP : 3.137.41.20 Web Server : Apache System : Linux 213.176.29.180.hostiran.name 4.18.0-553.22.1.el8_10.x86_64 #1 SMP Tue Sep 24 05:16:59 EDT 2024 x86_64 User : webtaragh ( 1001) PHP Version : 7.4.33 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : ON Directory (0777) : /home/webtaragh/mail/../public_html/../www/whmcs/../ |
[ Home ] | [ C0mmand ] | [ Upload File ] |
---|
recaptcha/CONTRIBUTING.md 0000644 00000004247 14736103211 0010734 0 ustar 00 # Contributing Want to contribute? Great! First, read this page (including the small print at the end). ## Contributor License Agreement Before we can use your code, you must sign the [Google Individual Contributor License Agreement](https://developers.google.com/open-source/cla/individual?csw=1) (CLA), which you can do online. The CLA is necessary mainly because you own the copyright to your changes, even after your contribution becomes part of our codebase, so we need your permission to use and distribute your code. We also need to be sure of various other things—for instance that you'll tell us if you know that your code infringes on other people's patents. You don't have to sign the CLA until after you've submitted your code for review (a link will be automatically added to your Pull Request) and a member has approved it, but you must do it before we can put your code into our codebase. Before you start working on a larger contribution, you should get in touch with us first through the issue tracker with your idea so that we can help out and possibly guide you. Coordinating up front makes it much easier to avoid frustration later on. ## Linting and testing We use PHP Coding Standards Fixer to maintain coding standards and PHPUnit to run our tests. For convenience, there are Composer scripts to run each of these: ```sh composer run-script lint composer run-script test ``` These are run automatically by [Travis CI](https://travis-ci.org/google/recaptcha) against your Pull Request, but it's a good idea to run them locally before submission to avoid getting things bounced back. That said, tests can be a little daunting so feel free to submit your PR and ask for help. ## Code reviews All submissions, including submissions by project members, require review. Reviews are conducted on the Pull Requests. The reviews are there to ensure and improve code quality, so treat them like a discussion and opportunity to learn. Don't get disheartened if your Pull Request isn't just automatically approved. ### The small print Contributions made by corporations are covered by a different agreement than the one above, the Software Grant and Corporate Contributor License Agreement. recaptcha/src/autoload.php 0000644 00000005423 14736103211 0011610 0 ustar 00 <?php /* An autoloader for ReCaptcha\Foo classes. This should be required() * by the user before attempting to instantiate any of the ReCaptcha * classes. * * BSD 3-Clause License * @copyright (c) 2019, Google Inc. * @link https://www.google.com/recaptcha * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * 1. Redistributions of source code must retain the above copyright notice, this * list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * 3. Neither the name of the copyright holder nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ spl_autoload_register(function ($class) { if (substr($class, 0, 10) !== 'ReCaptcha\\') { /* If the class does not lie under the "ReCaptcha" namespace, * then we can exit immediately. */ return; } /* All of the classes have names like "ReCaptcha\Foo", so we need * to replace the backslashes with frontslashes if we want the * name to map directly to a location in the filesystem. */ $class = str_replace('\\', '/', $class); /* First, check under the current directory. It is important that * we look here first, so that we don't waste time searching for * test classes in the common case. */ $path = dirname(__FILE__).'/'.$class.'.php'; if (is_readable($path)) { require_once $path; return; } /* If we didn't find what we're looking for already, maybe it's * a test class? */ $path = dirname(__FILE__).'/../tests/'.$class.'.php'; if (is_readable($path)) { require_once $path; } }); recaptcha/src/ReCaptcha/Response.php 0000644 00000013750 14736103211 0013432 0 ustar 00 <?php /** * This is a PHP library that handles calling reCAPTCHA. * * BSD 3-Clause License * @copyright (c) 2019, Google Inc. * @link https://www.google.com/recaptcha * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * 1. Redistributions of source code must retain the above copyright notice, this * list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * 3. Neither the name of the copyright holder nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ namespace ReCaptcha; /** * The response returned from the service. */ class Response { /** * Success or failure. * @var boolean */ private $success = false; /** * Error code strings. * @var array */ private $errorCodes = array(); /** * The hostname of the site where the reCAPTCHA was solved. * @var string */ private $hostname; /** * Timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ) * @var string */ private $challengeTs; /** * APK package name * @var string */ private $apkPackageName; /** * Score assigned to the request * @var float */ private $score; /** * Action as specified by the page * @var string */ private $action; /** * Build the response from the expected JSON returned by the service. * * @param string $json * @return \ReCaptcha\Response */ public static function fromJson($json) { $responseData = json_decode($json, true); if (!$responseData) { return new Response(false, array(ReCaptcha::E_INVALID_JSON)); } $hostname = isset($responseData['hostname']) ? $responseData['hostname'] : null; $challengeTs = isset($responseData['challenge_ts']) ? $responseData['challenge_ts'] : null; $apkPackageName = isset($responseData['apk_package_name']) ? $responseData['apk_package_name'] : null; $score = isset($responseData['score']) ? floatval($responseData['score']) : null; $action = isset($responseData['action']) ? $responseData['action'] : null; if (isset($responseData['success']) && $responseData['success'] == true) { return new Response(true, array(), $hostname, $challengeTs, $apkPackageName, $score, $action); } if (isset($responseData['error-codes']) && is_array($responseData['error-codes'])) { return new Response(false, $responseData['error-codes'], $hostname, $challengeTs, $apkPackageName, $score, $action); } return new Response(false, array(ReCaptcha::E_UNKNOWN_ERROR), $hostname, $challengeTs, $apkPackageName, $score, $action); } /** * Constructor. * * @param boolean $success * @param string $hostname * @param string $challengeTs * @param string $apkPackageName * @param float $score * @param string $action * @param array $errorCodes */ public function __construct($success, array $errorCodes = array(), $hostname = null, $challengeTs = null, $apkPackageName = null, $score = null, $action = null) { $this->success = $success; $this->hostname = $hostname; $this->challengeTs = $challengeTs; $this->apkPackageName = $apkPackageName; $this->score = $score; $this->action = $action; $this->errorCodes = $errorCodes; } /** * Is success? * * @return boolean */ public function isSuccess() { return $this->success; } /** * Get error codes. * * @return array */ public function getErrorCodes() { return $this->errorCodes; } /** * Get hostname. * * @return string */ public function getHostname() { return $this->hostname; } /** * Get challenge timestamp * * @return string */ public function getChallengeTs() { return $this->challengeTs; } /** * Get APK package name * * @return string */ public function getApkPackageName() { return $this->apkPackageName; } /** * Get score * * @return float */ public function getScore() { return $this->score; } /** * Get action * * @return string */ public function getAction() { return $this->action; } public function toArray() { return array( 'success' => $this->isSuccess(), 'hostname' => $this->getHostname(), 'challenge_ts' => $this->getChallengeTs(), 'apk_package_name' => $this->getApkPackageName(), 'score' => $this->getScore(), 'action' => $this->getAction(), 'error-codes' => $this->getErrorCodes(), ); } } recaptcha/src/ReCaptcha/RequestMethod.php 0000644 00000004025 14736103211 0014420 0 ustar 00 <?php /** * This is a PHP library that handles calling reCAPTCHA. * * BSD 3-Clause License * @copyright (c) 2019, Google Inc. * @link https://www.google.com/recaptcha * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * 1. Redistributions of source code must retain the above copyright notice, this * list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * 3. Neither the name of the copyright holder nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ namespace ReCaptcha; /** * Method used to send the request to the service. */ interface RequestMethod { /** * Submit the request with the specified parameters. * * @param RequestParameters $params Request parameters * @return string Body of the reCAPTCHA response */ public function submit(RequestParameters $params); } recaptcha/src/ReCaptcha/RequestParameters.php 0000644 00000006652 14736103211 0015313 0 ustar 00 <?php /** * This is a PHP library that handles calling reCAPTCHA. * * BSD 3-Clause License * @copyright (c) 2019, Google Inc. * @link https://www.google.com/recaptcha * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * 1. Redistributions of source code must retain the above copyright notice, this * list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * 3. Neither the name of the copyright holder nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ namespace ReCaptcha; /** * Stores and formats the parameters for the request to the reCAPTCHA service. */ class RequestParameters { /** * The shared key between your site and reCAPTCHA. * @var string */ private $secret; /** * The user response token provided by reCAPTCHA, verifying the user on your site. * @var string */ private $response; /** * Remote user's IP address. * @var string */ private $remoteIp; /** * Client version. * @var string */ private $version; /** * Initialise parameters. * * @param string $secret Site secret. * @param string $response Value from g-captcha-response form field. * @param string $remoteIp User's IP address. * @param string $version Version of this client library. */ public function __construct($secret, $response, $remoteIp = null, $version = null) { $this->secret = $secret; $this->response = $response; $this->remoteIp = $remoteIp; $this->version = $version; } /** * Array representation. * * @return array Array formatted parameters. */ public function toArray() { $params = array('secret' => $this->secret, 'response' => $this->response); if (!is_null($this->remoteIp)) { $params['remoteip'] = $this->remoteIp; } if (!is_null($this->version)) { $params['version'] = $this->version; } return $params; } /** * Query string representation for HTTP request. * * @return string Query string formatted parameters. */ public function toQueryString() { return http_build_query($this->toArray(), '', '&'); } } recaptcha/src/ReCaptcha/RequestMethod/CurlPost.php 0000644 00000007234 14736103211 0016200 0 ustar 00 <?php /** * This is a PHP library that handles calling reCAPTCHA. * * BSD 3-Clause License * @copyright (c) 2019, Google Inc. * @link https://www.google.com/recaptcha * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * 1. Redistributions of source code must retain the above copyright notice, this * list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * 3. Neither the name of the copyright holder nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ namespace ReCaptcha\RequestMethod; use ReCaptcha\ReCaptcha; use ReCaptcha\RequestMethod; use ReCaptcha\RequestParameters; /** * Sends cURL request to the reCAPTCHA service. * Note: this requires the cURL extension to be enabled in PHP * @see http://php.net/manual/en/book.curl.php */ class CurlPost implements RequestMethod { /** * Curl connection to the reCAPTCHA service * @var Curl */ private $curl; /** * URL for reCAPTCHA siteverify API * @var string */ private $siteVerifyUrl; /** * Only needed if you want to override the defaults * * @param Curl $curl Curl resource * @param string $siteVerifyUrl URL for reCAPTCHA siteverify API */ public function __construct(Curl $curl = null, $siteVerifyUrl = null) { $this->curl = (is_null($curl)) ? new Curl() : $curl; $this->siteVerifyUrl = (is_null($siteVerifyUrl)) ? ReCaptcha::SITE_VERIFY_URL : $siteVerifyUrl; } /** * Submit the cURL request with the specified parameters. * * @param RequestParameters $params Request parameters * @return string Body of the reCAPTCHA response */ public function submit(RequestParameters $params) { $handle = $this->curl->init($this->siteVerifyUrl); $options = array( CURLOPT_POST => true, CURLOPT_POSTFIELDS => $params->toQueryString(), CURLOPT_HTTPHEADER => array( 'Content-Type: application/x-www-form-urlencoded' ), CURLINFO_HEADER_OUT => false, CURLOPT_HEADER => false, CURLOPT_RETURNTRANSFER => true, CURLOPT_SSL_VERIFYPEER => true ); $this->curl->setoptArray($handle, $options); $response = $this->curl->exec($handle); $this->curl->close($handle); if ($response !== false) { return $response; } return '{"success": false, "error-codes": ["'.ReCaptcha::E_CONNECTION_FAILED.'"]}'; } } recaptcha/src/ReCaptcha/RequestMethod/SocketPost.php 0000644 00000010036 14736103211 0016515 0 ustar 00 <?php /** * This is a PHP library that handles calling reCAPTCHA. * * BSD 3-Clause License * @copyright (c) 2019, Google Inc. * @link https://www.google.com/recaptcha * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * 1. Redistributions of source code must retain the above copyright notice, this * list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * 3. Neither the name of the copyright holder nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ namespace ReCaptcha\RequestMethod; use ReCaptcha\ReCaptcha; use ReCaptcha\RequestMethod; use ReCaptcha\RequestParameters; /** * Sends a POST request to the reCAPTCHA service, but makes use of fsockopen() * instead of get_file_contents(). This is to account for people who may be on * servers where allow_url_open is disabled. */ class SocketPost implements RequestMethod { /** * Socket to the reCAPTCHA service * @var Socket */ private $socket; /** * Only needed if you want to override the defaults * * @param \ReCaptcha\RequestMethod\Socket $socket optional socket, injectable for testing * @param string $siteVerifyUrl URL for reCAPTCHA siteverify API */ public function __construct(Socket $socket = null, $siteVerifyUrl = null) { $this->socket = (is_null($socket)) ? new Socket() : $socket; $this->siteVerifyUrl = (is_null($siteVerifyUrl)) ? ReCaptcha::SITE_VERIFY_URL : $siteVerifyUrl; } /** * Submit the POST request with the specified parameters. * * @param RequestParameters $params Request parameters * @return string Body of the reCAPTCHA response */ public function submit(RequestParameters $params) { $errno = 0; $errstr = ''; $urlParsed = parse_url($this->siteVerifyUrl); if (false === $this->socket->fsockopen('ssl://' . $urlParsed['host'], 443, $errno, $errstr, 30)) { return '{"success": false, "error-codes": ["'.ReCaptcha::E_CONNECTION_FAILED.'"]}'; } $content = $params->toQueryString(); $request = "POST " . $urlParsed['path'] . " HTTP/1.0\r\n"; $request .= "Host: " . $urlParsed['host'] . "\r\n"; $request .= "Content-Type: application/x-www-form-urlencoded\r\n"; $request .= "Content-length: " . strlen($content) . "\r\n"; $request .= "Connection: close\r\n\r\n"; $request .= $content . "\r\n\r\n"; $this->socket->fwrite($request); $response = ''; while (!$this->socket->feof()) { $response .= $this->socket->fgets(4096); } $this->socket->fclose(); if (0 !== strpos($response, 'HTTP/1.0 200 OK')) { return '{"success": false, "error-codes": ["'.ReCaptcha::E_BAD_RESPONSE.'"]}'; } $parts = preg_split("#\n\s*\n#Uis", $response); return $parts[1]; } } recaptcha/src/ReCaptcha/RequestMethod/Socket.php 0000644 00000006464 14736103211 0015661 0 ustar 00 <?php /** * This is a PHP library that handles calling reCAPTCHA. * * BSD 3-Clause License * @copyright (c) 2019, Google Inc. * @link https://www.google.com/recaptcha * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * 1. Redistributions of source code must retain the above copyright notice, this * list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * 3. Neither the name of the copyright holder nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ namespace ReCaptcha\RequestMethod; /** * Convenience wrapper around native socket and file functions to allow for * mocking. */ class Socket { private $handle = null; /** * fsockopen * * @see http://php.net/fsockopen * @param string $hostname * @param int $port * @param int $errno * @param string $errstr * @param float $timeout * @return resource */ public function fsockopen($hostname, $port = -1, &$errno = 0, &$errstr = '', $timeout = null) { $this->handle = fsockopen($hostname, $port, $errno, $errstr, (is_null($timeout) ? ini_get("default_socket_timeout") : $timeout)); if ($this->handle != false && $errno === 0 && $errstr === '') { return $this->handle; } return false; } /** * fwrite * * @see http://php.net/fwrite * @param string $string * @param int $length * @return int | bool */ public function fwrite($string, $length = null) { return fwrite($this->handle, $string, (is_null($length) ? strlen($string) : $length)); } /** * fgets * * @see http://php.net/fgets * @param int $length * @return string */ public function fgets($length = null) { return fgets($this->handle, $length); } /** * feof * * @see http://php.net/feof * @return bool */ public function feof() { return feof($this->handle); } /** * fclose * * @see http://php.net/fclose * @return bool */ public function fclose() { return fclose($this->handle); } } recaptcha/src/ReCaptcha/RequestMethod/Curl.php 0000644 00000005065 14736103211 0015332 0 ustar 00 <?php /** * This is a PHP library that handles calling reCAPTCHA. * * BSD 3-Clause License * @copyright (c) 2019, Google Inc. * @link https://www.google.com/recaptcha * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * 1. Redistributions of source code must retain the above copyright notice, this * list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * 3. Neither the name of the copyright holder nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ namespace ReCaptcha\RequestMethod; /** * Convenience wrapper around the cURL functions to allow mocking. */ class Curl { /** * @see http://php.net/curl_init * @param string $url * @return resource cURL handle */ public function init($url = null) { return curl_init($url); } /** * @see http://php.net/curl_setopt_array * @param resource $ch * @param array $options * @return bool */ public function setoptArray($ch, array $options) { return curl_setopt_array($ch, $options); } /** * @see http://php.net/curl_exec * @param resource $ch * @return mixed */ public function exec($ch) { return curl_exec($ch); } /** * @see http://php.net/curl_close * @param resource $ch */ public function close($ch) { curl_close($ch); } } recaptcha/src/ReCaptcha/RequestMethod/Post.php 0000644 00000006343 14736103211 0015352 0 ustar 00 <?php /** * This is a PHP library that handles calling reCAPTCHA. * * BSD 3-Clause License * @copyright (c) 2019, Google Inc. * @link https://www.google.com/recaptcha * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * 1. Redistributions of source code must retain the above copyright notice, this * list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * 3. Neither the name of the copyright holder nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ namespace ReCaptcha\RequestMethod; use ReCaptcha\ReCaptcha; use ReCaptcha\RequestMethod; use ReCaptcha\RequestParameters; /** * Sends POST requests to the reCAPTCHA service. */ class Post implements RequestMethod { /** * URL for reCAPTCHA siteverify API * @var string */ private $siteVerifyUrl; /** * Only needed if you want to override the defaults * * @param string $siteVerifyUrl URL for reCAPTCHA siteverify API */ public function __construct($siteVerifyUrl = null) { $this->siteVerifyUrl = (is_null($siteVerifyUrl)) ? ReCaptcha::SITE_VERIFY_URL : $siteVerifyUrl; } /** * Submit the POST request with the specified parameters. * * @param RequestParameters $params Request parameters * @return string Body of the reCAPTCHA response */ public function submit(RequestParameters $params) { $options = array( 'http' => array( 'header' => "Content-type: application/x-www-form-urlencoded\r\n", 'method' => 'POST', 'content' => $params->toQueryString(), // Force the peer to validate (not needed in 5.6.0+, but still works) 'verify_peer' => true, ), ); $context = stream_context_create($options); $response = file_get_contents($this->siteVerifyUrl, false, $context); if ($response !== false) { return $response; } return '{"success": false, "error-codes": ["'.ReCaptcha::E_CONNECTION_FAILED.'"]}'; } } recaptcha/src/ReCaptcha/ReCaptcha.php 0000644 00000020706 14736103211 0013465 0 ustar 00 <?php /** * This is a PHP library that handles calling reCAPTCHA. * * BSD 3-Clause License * @copyright (c) 2019, Google Inc. * @link https://www.google.com/recaptcha * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * 1. Redistributions of source code must retain the above copyright notice, this * list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * 3. Neither the name of the copyright holder nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ namespace ReCaptcha; /** * reCAPTCHA client. */ class ReCaptcha { /** * Version of this client library. * @const string */ const VERSION = 'php_1.2.4'; /** * URL for reCAPTCHA siteverify API * @const string */ const SITE_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify'; /** * Invalid JSON received * @const string */ const E_INVALID_JSON = 'invalid-json'; /** * Could not connect to service * @const string */ const E_CONNECTION_FAILED = 'connection-failed'; /** * Did not receive a 200 from the service * @const string */ const E_BAD_RESPONSE = 'bad-response'; /** * Not a success, but no error codes received! * @const string */ const E_UNKNOWN_ERROR = 'unknown-error'; /** * ReCAPTCHA response not provided * @const string */ const E_MISSING_INPUT_RESPONSE = 'missing-input-response'; /** * Expected hostname did not match * @const string */ const E_HOSTNAME_MISMATCH = 'hostname-mismatch'; /** * Expected APK package name did not match * @const string */ const E_APK_PACKAGE_NAME_MISMATCH = 'apk_package_name-mismatch'; /** * Expected action did not match * @const string */ const E_ACTION_MISMATCH = 'action-mismatch'; /** * Score threshold not met * @const string */ const E_SCORE_THRESHOLD_NOT_MET = 'score-threshold-not-met'; /** * Challenge timeout * @const string */ const E_CHALLENGE_TIMEOUT = 'challenge-timeout'; /** * Shared secret for the site. * @var string */ private $secret; /** * Method used to communicate with service. Defaults to POST request. * @var RequestMethod */ private $requestMethod; /** * Create a configured instance to use the reCAPTCHA service. * * @param string $secret The shared key between your site and reCAPTCHA. * @param RequestMethod $requestMethod method used to send the request. Defaults to POST. * @throws \RuntimeException if $secret is invalid */ public function __construct($secret, RequestMethod $requestMethod = null) { if (empty($secret)) { throw new \RuntimeException('No secret provided'); } if (!is_string($secret)) { throw new \RuntimeException('The provided secret must be a string'); } $this->secret = $secret; $this->requestMethod = (is_null($requestMethod)) ? new RequestMethod\Post() : $requestMethod; } /** * Calls the reCAPTCHA siteverify API to verify whether the user passes * CAPTCHA test and additionally runs any specified additional checks * * @param string $response The user response token provided by reCAPTCHA, verifying the user on your site. * @param string $remoteIp The end user's IP address. * @return Response Response from the service. */ public function verify($response, $remoteIp = null) { // Discard empty solution submissions if (empty($response)) { $recaptchaResponse = new Response(false, array(self::E_MISSING_INPUT_RESPONSE)); return $recaptchaResponse; } $params = new RequestParameters($this->secret, $response, $remoteIp, self::VERSION); $rawResponse = $this->requestMethod->submit($params); $initialResponse = Response::fromJson($rawResponse); $validationErrors = array(); if (isset($this->hostname) && strcasecmp($this->hostname, $initialResponse->getHostname()) !== 0) { $validationErrors[] = self::E_HOSTNAME_MISMATCH; } if (isset($this->apkPackageName) && strcasecmp($this->apkPackageName, $initialResponse->getApkPackageName()) !== 0) { $validationErrors[] = self::E_APK_PACKAGE_NAME_MISMATCH; } if (isset($this->action) && strcasecmp($this->action, $initialResponse->getAction()) !== 0) { $validationErrors[] = self::E_ACTION_MISMATCH; } if (isset($this->threshold) && $this->threshold > $initialResponse->getScore()) { $validationErrors[] = self::E_SCORE_THRESHOLD_NOT_MET; } if (isset($this->timeoutSeconds)) { $challengeTs = strtotime($initialResponse->getChallengeTs()); if ($challengeTs > 0 && time() - $challengeTs > $this->timeoutSeconds) { $validationErrors[] = self::E_CHALLENGE_TIMEOUT; } } if (empty($validationErrors)) { return $initialResponse; } return new Response( false, array_merge($initialResponse->getErrorCodes(), $validationErrors), $initialResponse->getHostname(), $initialResponse->getChallengeTs(), $initialResponse->getApkPackageName(), $initialResponse->getScore(), $initialResponse->getAction() ); } /** * Provide a hostname to match against in verify() * This should be without a protocol or trailing slash, e.g. www.google.com * * @param string $hostname Expected hostname * @return ReCaptcha Current instance for fluent interface */ public function setExpectedHostname($hostname) { $this->hostname = $hostname; return $this; } /** * Provide an APK package name to match against in verify() * * @param string $apkPackageName Expected APK package name * @return ReCaptcha Current instance for fluent interface */ public function setExpectedApkPackageName($apkPackageName) { $this->apkPackageName = $apkPackageName; return $this; } /** * Provide an action to match against in verify() * This should be set per page. * * @param string $action Expected action * @return ReCaptcha Current instance for fluent interface */ public function setExpectedAction($action) { $this->action = $action; return $this; } /** * Provide a threshold to meet or exceed in verify() * Threshold should be a float between 0 and 1 which will be tested as response >= threshold. * * @param float $threshold Expected threshold * @return ReCaptcha Current instance for fluent interface */ public function setScoreThreshold($threshold) { $this->threshold = floatval($threshold); return $this; } /** * Provide a timeout in seconds to test against the challenge timestamp in verify() * * @param int $timeoutSeconds Expected hostname * @return ReCaptcha Current instance for fluent interface */ public function setChallengeTimeout($timeoutSeconds) { $this->timeoutSeconds = $timeoutSeconds; return $this; } } recaptcha/ARCHITECTURE.md 0000644 00000004745 14736103211 0010712 0 ustar 00 # Architecture The general pattern of usage is to instantiate the `ReCaptcha` class with your secret key, specify any additional validation rules, and then call `verify()` with the reCAPTCHA response and user's IP address. For example: ```php <?php $recaptcha = new \ReCaptcha\ReCaptcha($secret); $resp = $recaptcha->setExpectedHostname('recaptcha-demo.appspot.com') ->verify($gRecaptchaResponse, $remoteIp); if ($resp->isSuccess()) { // Verified! } else { $errors = $resp->getErrorCodes(); } ``` By default, this will use the [`stream_context_create()`](https://secure.php.net/stream_context_create) and [`file_get_contents()`](https://secure.php.net/file_get_contents) to make a POST request to the reCAPTCHA service. This is handled by the [`RequestMethod\Post`](./src/ReCaptcha/RequestMethod/Post.php) class. ## Alternate request methods You may need to use other methods for making requests in your environment. The [`ReCaptcha`](./src/ReCaptcha/ReCaptcha.php) class allows an optional [`RequestMethod`](./src/ReCaptcha/RequestMethod.php) instance to configure this. For example, if you want to use [cURL](https://secure.php.net/curl) instead you can do this: ```php <?php $recaptcha = new \ReCaptcha\ReCaptcha($secret, new \ReCaptcha\RequestMethod\CurlPost()); ``` Alternatively, you can also use a [socket](https://secure.php.net/fsockopen): ```php <?php $recaptcha = new \ReCaptcha\ReCaptcha($secret, new \ReCaptcha\RequestMethod\SocketPost()); ``` ## Adding new request methods Create a class that implements the [`RequestMethod`](./src/ReCaptcha/RequestMethod.php) interface. The convention is to name this class `RequestMethod\`_MethodType_`Post` and create a separate `RequestMethod\`_MethodType_ class that wraps just the calls to the network calls themselves. This means that the `RequestMethod\`_MethodType_`Post` can be unit tested by passing in a mock. Take a look at [`RequestMethod\CurlPost`](./src/ReCaptcha/RequestMethod/CurlPost.php) and [`RequestMethod\Curl`](./src/ReCaptcha/RequestMethod/Curl.php) with the matching [`RequestMethod/CurlPostTest`](./tests/ReCaptcha/RequestMethod/CurlPostTest.php) to see this pattern in action. ### Error conventions The client returns the response as provided by the reCAPTCHA services augmented with additional error codes based on the client's checks. When adding a new [`RequestMethod`](./src/ReCaptcha/RequestMethod.php) ensure that it returns the `ReCaptcha::E_CONNECTION_FAILED` and `ReCaptcha::E_BAD_RESPONSE` where appropriate. recaptcha/README.md 0000644 00000011755 14736103211 0007764 0 ustar 00 # reCAPTCHA PHP client library [![Build Status](https://travis-ci.org/google/recaptcha.svg)](https://travis-ci.org/google/recaptcha) [![Coverage Status](https://coveralls.io/repos/github/google/recaptcha/badge.svg)](https://coveralls.io/github/google/recaptcha) [![Latest Stable Version](https://poser.pugx.org/google/recaptcha/v/stable.svg)](https://packagist.org/packages/google/recaptcha) [![Total Downloads](https://poser.pugx.org/google/recaptcha/downloads.svg)](https://packagist.org/packages/google/recaptcha) reCAPTCHA is a free CAPTCHA service that protects websites from spam and abuse. This is a PHP library that wraps up the server-side verification step required to process responses from the reCAPTCHA service. This client supports both v2 and v3. - reCAPTCHA: https://www.google.com/recaptcha - This repo: https://github.com/google/recaptcha - Hosted demo: https://recaptcha-demo.appspot.com/ - Version: 1.2.4 - License: BSD, see [LICENSE](LICENSE) ## Installation ### Composer (recommended) Use [Composer](https://getcomposer.org) to install this library from Packagist: [`google/recaptcha`](https://packagist.org/packages/google/recaptcha) Run the following command from your project directory to add the dependency: ```sh composer require google/recaptcha "^1.2" ``` Alternatively, add the dependency directly to your `composer.json` file: ```json "require": { "google/recaptcha": "^1.2" } ``` ### Direct download Download the [ZIP file](https://github.com/google/recaptcha/archive/master.zip) and extract into your project. An autoloader script is provided in `src/autoload.php` which you can require into your script. For example: ```php require_once '/path/to/recaptcha/src/autoload.php'; $recaptcha = new \ReCaptcha\ReCaptcha($secret); ``` The classes in the project are structured according to the [PSR-4](http://www.php-fig.org/psr/psr-4/) standard, so you can also use your own autoloader or require the needed files directly in your code. ## Usage First obtain the appropriate keys for the type of reCAPTCHA you wish to integrate for v2 at https://www.google.com/recaptcha/admin or v3 at https://g.co/recaptcha/v3. Then follow the [integration guide on the developer site](https://developers.google.com/recaptcha/intro) to add the reCAPTCHA functionality into your frontend. This library comes in when you need to verify the user's response. On the PHP side you need the response from the reCAPTCHA service and secret key from your credentials. Instantiate the `ReCaptcha` class with your secret key, specify any additional validation rules, and then call `verify()` with the reCAPTCHA response and user's IP address. For example: ```php <?php $recaptcha = new \ReCaptcha\ReCaptcha($secret); $resp = $recaptcha->setExpectedHostname('recaptcha-demo.appspot.com') ->verify($gRecaptchaResponse, $remoteIp); if ($resp->isSuccess()) { // Verified! } else { $errors = $resp->getErrorCodes(); } ``` The following methods are available: - `setExpectedHostname($hostname)`: ensures the hostname matches. You must do this if you have disabled "Domain/Package Name Validation" for your credentials. - `setExpectedApkPackageName($apkPackageName)`: if you're verifying a response from an Android app. Again, you must do this if you have disabled "Domain/Package Name Validation" for your credentials. - `setExpectedAction($action)`: ensures the action matches for the v3 API. - `setScoreThreshold($threshold)`: set a score threshold for responses from the v3 API - `setChallengeTimeout($timeoutSeconds)`: set a timeout between the user passing the reCAPTCHA and your server processing it. Each of the `set`\*`()` methods return the `ReCaptcha` instance so you can chain them together. For example: ```php <?php $recaptcha = new \ReCaptcha\ReCaptcha($secret); $resp = $recaptcha->setExpectedHostname('recaptcha-demo.appspot.com') ->setExpectedAction('homepage') ->setScoreThreshold(0.5) ->verify($gRecaptchaResponse, $remoteIp); if ($resp->isSuccess()) { // Verified! } else { $errors = $resp->getErrorCodes(); } ``` You can find the constants for the libraries error codes in the `ReCaptcha` class constants, e.g. `ReCaptcha::E_HOSTNAME_MISMATCH` For more details on usage and structure, see [ARCHITECTURE](ARCHITECTURE.md). ### Examples You can see examples of each reCAPTCHA type in [examples/](examples/). You can run the examples locally by using the Composer script: ```sh composer run-script serve-examples ``` This makes use of the in-built PHP dev server to host the examples at http://localhost:8080/ These are also hosted on Google AppEngine Flexible environment at https://recaptcha-demo.appspot.com/. This is configured by [`app.yaml`](./app.yaml) which you can also use to [deploy to your own AppEngine project](https://cloud.google.com/appengine/docs/flexible/php/download). ## Contributing No one ever has enough engineers, so we're very happy to accept contributions via Pull Requests. For details, see [CONTRIBUTING](CONTRIBUTING.md) recaptcha/LICENSE 0000644 00000002757 14736103211 0007514 0 ustar 00 BSD 3-Clause License Copyright (c) 2019, Google Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. recaptcha/app.yaml 0000644 00000000127 14736103211 0010140 0 ustar 00 runtime: php env: flex skip_files: - tests runtime_config: document_root: examples apiclient/CONTRIBUTING.md 0000644 00000003032 14736103211 0010741 0 ustar 00 # How to become a contributor and submit your own code ## Contributor License Agreements We'd love to accept your code patches! However, before we can take them, we have to jump a couple of legal hurdles. Please fill out either the individual or corporate Contributor License Agreement (CLA). * If you are an individual writing original source code and you're sure you own the intellectual property, then you'll need to sign an [individual CLA](http://code.google.com/legal/individual-cla-v1.0.html). * If you work for a company that wants to allow you to contribute your work to this client library, then you'll need to sign a[corporate CLA](http://code.google.com/legal/corporate-cla-v1.0.html). Follow either of the two links above to access the appropriate CLA and instructions for how to sign and return it. Once we receive it, we'll add you to the official list of contributors and be able to accept your patches. ## Submitting Patches 1. Fork the PHP client library on GitHub 1. Decide which code you want to submit. A submission should be a set of changes that addresses one issue in the issue tracker. Please file one change per issue, and address one issue per change. If you want to make a change that doesn't have a corresponding issue in the issue tracker, please file a new ticket! 1. Ensure that your code adheres to standard PHP conventions, as used in the rest of the library. 1. Ensure that there are unit tests for your code. 1. Sign a Contributor License Agreement (see above). 1. Submit a pull request with your patch on Github. apiclient/CODE_OF_CONDUCT.md 0000644 00000003675 14736103211 0011324 0 ustar 00 # Contributor Code of Conduct As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities. We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality. Examples of unacceptable behavior by participants include: * The use of sexualized language or imagery * Personal attacks * Trolling or insulting/derogatory comments * Public or private harassment * Publishing other's private information, such as physical or electronic addresses, without explicit permission * Other unethical or unprofessional conduct. Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently applying these principles to every aspect of managing this project. Project maintainers who do not follow or enforce the Code of Conduct may be permanently removed from the project team. This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an issue or contacting one or more of the project maintainers. This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/) apiclient/UPGRADING.md 0000644 00000026453 14736103211 0010366 0 ustar 00 Google API Client Upgrade Guide =============================== 1.0 to 2.0 ---------- The Google API Client for PHP has undergone major internal changes in `2.0`. Please read through the list below in order to upgrade to the latest version: ## Installation now uses `Composer` **Before** The project was cloned in your project and you would run the autoloader from wherever: ```php // the autoload file was included require_once 'google-api-php-client/src/Google/autoload.php'; // or wherever autoload.php is located // OR classes were added one-by-one require_once 'Google/Client.php'; require_once 'Google/Service/YouTube.php'; ``` **After** This library now uses [composer](https://getcomposer.org) (We suggest installing composer [globally](http://symfony.com/doc/current/cookbook/composer.html)). Add this library by running the following in the root of your project: ``` $ composer require google/apiclient:~2.0 ``` This will install this library and generate an autoload file in `vendor/autoload.php` in the root of your project. You can now include this library with the following code: ```php require_once 'vendor/autoload.php'; ``` ## Access Tokens are passed around as arrays instead of JSON strings **Before** ```php $accessToken = $client->getAccessToken(); print_r($accessToken); // would output: // string(153) "{"access_token":"ya29.FAKsaByOPoddfzvKRo_LBpWWCpVTiAm4BjsvBwxtN7IgSNoUfcErBk_VPl4iAiE1ntb_","token_type":"Bearer","expires_in":3593,"created":1445548590}" file_put_contents($credentialsPath, $accessToken); ``` **After** ```php $accessToken = $client->getAccessToken(); print_r($accessToken); // will output: // array(4) { // ["access_token"]=> // string(73) "ya29.FAKsaByOPoddfzvKRo_LBpWWCpVTiAm4BjsvBwxtN7IgSNoUfcErBk_VPl4iAiE1ntb_" // ["token_type"]=> // string(6) "Bearer" // ["expires_in"]=> // int(3593) // ["created"]=> // int(1445548590) // } file_put_contents($credentialsPath, json_encode($accessToken)); ``` ## ID Token data is returned as an array **Before** ```php $ticket = $client->verifyIdToken($idToken); $data = $ticket->getAttributes(); $userId = $data['payload']['sub']; ``` **After** ```php $userData = $client->verifyIdToken($idToken); $userId = $userData['sub']; ``` ## `Google_Auth_AssertionCredentials` has been removed For service accounts, we now use `setAuthConfig` or `useApplicationDefaultCredentials` **Before** ```php $client_email = '1234567890-a1b2c3d4e5f6g7h8i@developer.gserviceaccount.com'; $private_key = file_get_contents('MyProject.p12'); $scopes = array('https://www.googleapis.com/auth/sqlservice.admin'); $credentials = new Google_Auth_AssertionCredentials( $client_email, $scopes, $private_key ); ``` **After** ```php $client->setAuthConfig('/path/to/service-account.json'); // OR use environment variables (recommended) putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json'); $client->useApplicationDefaultCredentials(); ``` > Note: P12s are deprecated in favor of service account JSON, which can be generated in the > Credentials section of Google Developer Console. In order to impersonate a user, call `setSubject` when your service account credentials are being used. **Before** ```php $user_to_impersonate = 'user@example.org'; $credentials = new Google_Auth_AssertionCredentials( $client_email, $scopes, $private_key, 'notasecret', // Default P12 password 'http://oauth.net/grant_type/jwt/1.0/bearer', // Default grant type $user_to_impersonate, ); ``` **After** ```php $user_to_impersonate = 'user@example.org'; $client->setSubject($user_to_impersonate); ``` Additionally, `Google_Client::loadServiceAccountJson` has been removed in favor of `Google_Client::setAuthConfig`: **Before** ```php $scopes = [ Google_Service_Books::BOOKS ]; $client->loadServiceAccountJson('/path/to/service-account.json', $scopes); ``` **After** ```php $scopes = [ Google_Service_Books::BOOKS ]; $client->setAuthConfig('/path/to/service-account.json'); $client->setScopes($scopes); ``` ## `Google_Auth_AppIdentity` has been removed For App Engine authentication, we now use the underlying [`google/auth`][Google Auth] and call `useApplicationDefaultCredentials`: **Before** ```php $client->setAuth(new Google_Auth_AppIdentity($client)); $client->getAuth() ->authenticateForScope('https://www.googleapis.com/auth/sqlservice.admin') ``` **After** ```php $client->useApplicationDefaultCredentials(); $client->addScope('https://www.googleapis.com/auth/sqlservice.admin'); ``` This will detect when the App Engine environment is present, and use the appropriate credentials. ## `Google_Auth_Abstract` classes have been removed [`google/auth`][Google Auth] is now used for authentication. As a result, all `Google_Auth`-related functionality has been removed. The methods that were a part of `Google_Auth_Abstract` have been moved into the `Google_Client` object. **Before** ```php $request = new Google_Http_Request(); $client->getAuth()->sign($request); ``` **After** ```php // create an authorized HTTP client $httpClient = $client->authorize(); // OR add authorization to an existing client $httpClient = new GuzzleHttp\Client(); $httpClient = $client->authorize($httpClient); ``` **Before** ```php $request = new Google_Http_Request(); $response = $client->getAuth()->authenticatedRequest($request); ``` **After** ```php $httpClient = $client->authorize(); $request = new GuzzleHttp\Psr7\Request('POST', $url); $response = $httpClient->send($request); ``` > NOTE: `$request` can be any class implementing > `Psr\Http\Message\RequestInterface` In addition, other methods that were callable on `Google_Auth_OAuth2` are now called on the `Google_Client` object: **Before** ```php $client->getAuth()->refreshToken($token); $client->getAuth()->refreshTokenWithAssertion(); $client->getAuth()->revokeToken($token); $client->getAuth()->isAccessTokenExpired(); ``` **After** ```php $client->refreshToken($token); $client->refreshTokenWithAssertion(); $client->revokeToken($token); $client->isAccessTokenExpired(); ``` ## PHP 5.4 is now the minimum supported PHP version This was previously `PHP 5.2`. If you still need to use PHP 5.2, please continue to use the [v1-master](https://github.com/google/google-api-php-client/tree/v1-master) branch. ## Guzzle and PSR-7 are used for HTTP Requests The HTTP library Guzzle is used for all HTTP Requests. By default, [`Guzzle 6`][Guzzle 6] is used, but this library is also compatible with [`Guzzle 5`][Guzzle 5]. As a result, all `Google_IO`-related functionality and `Google_Http`-related functionality has been changed or removed. 1. Removed `Google_Http_Request` 1. Removed `Google_IO_Abstract`, `Google_IO_Exception`, `Google_IO_Curl`, and `Google_IO_Stream` 1. Removed methods `Google_Client::getIo` and `Google_Client::setIo` 1. Refactored `Google_Http_Batch` and `Google_Http_MediaFileUpload` for Guzzle 1. Added `Google_Client::getHttpClient` and `Google_Client::setHttpClient` for getting and setting the Guzzle `GuzzleHttp\ClientInterface` object. > NOTE: `PSR-7`-compatible libraries can now be used with this library. ## Other Changes - [`PSR 3`][PSR 3] `LoggerInterface` is now supported, and [Monolog][Monolog] is used for all logging. As a result, all `Google_Logger`-related functionality has been removed: 1. Removed `Google_Logger_Abstract`, `Google_Logger_Exception`, `Google_Logger_File`, `Google_Logger_Null`, and `Google_Logger_Psr` 1. `Google_Client::setLogger` now requires `Psr\Log\LoggerInterface` - [`firebase/jwt`][Firebase JWT] is now used for all JWT signing and verifying. As a result, the following classes have been changed or removed: 1. Removed `Google_Signer_P12` 1. Removed `Google_Verifier_Pem` 1. Removed `Google_Auth_LoginTicket` (see below) - The following classes and methods have been removed in favor of [`google/auth`][Google Auth]: 1. Removed methods `Google_Client::getAuth` and `Google_Client::setAuth` 1. Removed `Google_Auth_Abstract` - `Google_Auth_Abstract::sign` and `Google_Auth_Abstract::authenticatedRequest` have been replaced by `Google_Client::authorize`. See the above examples for more details. 1. Removed `Google_Auth_AppIdentity`. This is now supported in [`google/auth`][Google Auth AppIdentity] and is used automatically when `Google_Client::useApplicationDefaultCredentials` is called. 1. Removed `Google_Auth_AssertionCredentials`. Use `Google_Client::setAuthConfig` instead. 1. Removed `Google_Auth_ComputeEngine`. This is now supported in [`google/auth`][Google Auth GCE], and is used automatically when `Google_Client::useApplicationDefaultCredentials` is called. 1. Removed `Google_Auth_Exception` 1. Removed `Google_Auth_LoginTicket`. Calls to `Google_Client::verifyIdToken` now returns the payload of the ID Token as an array if the verification is successful. 1. Removed `Google_Auth_OAuth2`. This functionality is now supported in [`google/auth`][Google Auth OAuth2] and wrapped in `Google_Client`. These changes will only affect applications calling `Google_Client::getAuth`, as the methods on `Google_Client` have not changed. 1. Removed `Google_Auth_Simple`. This is now supported in [`google/auth`][Google Auth Simple] and is used automatically when `Google_Client::setDeveloperKey` is called. - `Google_Client::sign` has been replaced by `Google_Client::authorize`. This function now takes a `GuzzleHttp\ClientInterface` object and uses the following decision tree for authentication: 1. Uses Application Default Credentials when `Google_Client::useApplicationDefaultCredentials` is called - Looks for `GOOGLE_APPLICATION_CREDENTIALS` environment variable if set - Looks in `~/.config/gcloud/application_default_credentials.json` - Otherwise, uses `GCECredentials` 1. Uses API Key if set (see `Client::setDeveloperKey`) 1. Uses Access Token if set (call `Client::setAccessToken`) 1. Automatically refreshes access tokens if one is set and the access token is expired - Removed `Google_Config` - Removed `Google_Utils` - [`PSR-6`][PSR 6] cache is used for all caching. As a result: 1. Removed `Google_Cache_Abstract` 1. Classes `Google_Cache_Apc`, `Google_Cache_File`, `Google_Cache_Memcache`, and `Google_Cache_Null` now implement `Google\Auth\CacheInterface`. 1. Google Auth provides simple [caching utilities][Google Auth Cache] which are used by default unless you provide alternatives. - Removed `$boundary` constructor argument for `Google_Http_MediaFileUpload` [PSR 3]: https://www.php-fig.org/psr/psr-3/ [PSR 6]: https://www.php-fig.org/psr/psr-6/ [Guzzle 5]: https://github.com/guzzle/guzzle [Guzzle 6]: http://docs.guzzlephp.org/en/latest/psr7.html [Monolog]: https://github.com/Seldaek/monolog [Google Auth]: https://github.com/google/google-auth-library-php [Google Auth Cache]: https://github.com/googleapis/google-auth-library-php/tree/master/src/Cache [Google Auth GCE]: https://github.com/google/google-auth-library-php/blob/master/src/GCECredentials.php [Google Auth OAuth2]: https://github.com/google/google-auth-library-php/blob/master/src/OAuth2.php [Google Auth Simple]: https://github.com/google/google-auth-library-php/blob/master/src/Simple.php [Google Auth AppIdentity]: https://github.com/google/google-auth-library-php/blob/master/src/AppIdentityCredentials.php [Firebase JWT]: https://github.com/firebase/php-jwt apiclient/src/Google/AuthHandler/Guzzle6AuthHandler.php 0000644 00000005434 14736103211 0017121 0 ustar 00 <?php use Google\Auth\CredentialsLoader; use Google\Auth\HttpHandler\HttpHandlerFactory; use Google\Auth\FetchAuthTokenCache; use Google\Auth\Middleware\AuthTokenMiddleware; use Google\Auth\Middleware\ScopedAccessTokenMiddleware; use Google\Auth\Middleware\SimpleMiddleware; use GuzzleHttp\Client; use GuzzleHttp\ClientInterface; use Psr\Cache\CacheItemPoolInterface; /** * This supports Guzzle 6 */ class Google_AuthHandler_Guzzle6AuthHandler { protected $cache; protected $cacheConfig; public function __construct(CacheItemPoolInterface $cache = null, array $cacheConfig = []) { $this->cache = $cache; $this->cacheConfig = $cacheConfig; } public function attachCredentials( ClientInterface $http, CredentialsLoader $credentials, callable $tokenCallback = null ) { // use the provided cache if ($this->cache) { $credentials = new FetchAuthTokenCache( $credentials, $this->cacheConfig, $this->cache ); } // if we end up needing to make an HTTP request to retrieve credentials, we // can use our existing one, but we need to throw exceptions so the error // bubbles up. $authHttp = $this->createAuthHttp($http); $authHttpHandler = HttpHandlerFactory::build($authHttp); $middleware = new AuthTokenMiddleware( $credentials, $authHttpHandler, $tokenCallback ); $config = $http->getConfig(); $config['handler']->remove('google_auth'); $config['handler']->push($middleware, 'google_auth'); $config['auth'] = 'google_auth'; $http = new Client($config); return $http; } public function attachToken(ClientInterface $http, array $token, array $scopes) { $tokenFunc = function ($scopes) use ($token) { return $token['access_token']; }; $middleware = new ScopedAccessTokenMiddleware( $tokenFunc, $scopes, $this->cacheConfig, $this->cache ); $config = $http->getConfig(); $config['handler']->remove('google_auth'); $config['handler']->push($middleware, 'google_auth'); $config['auth'] = 'scoped'; $http = new Client($config); return $http; } public function attachKey(ClientInterface $http, $key) { $middleware = new SimpleMiddleware(['key' => $key]); $config = $http->getConfig(); $config['handler']->remove('google_auth'); $config['handler']->push($middleware, 'google_auth'); $config['auth'] = 'simple'; $http = new Client($config); return $http; } private function createAuthHttp(ClientInterface $http) { return new Client( [ 'base_uri' => $http->getConfig('base_uri'), 'exceptions' => true, 'verify' => $http->getConfig('verify'), 'proxy' => $http->getConfig('proxy'), ] ); } } apiclient/src/Google/AuthHandler/Guzzle7AuthHandler.php 0000644 00000001331 14736103211 0017112 0 ustar 00 <?php /** * Copyright 2020 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /** * This supports Guzzle 7 */ class Google_AuthHandler_Guzzle7AuthHandler extends Google_AuthHandler_Guzzle6AuthHandler { } apiclient/src/Google/AuthHandler/Guzzle5AuthHandler.php 0000644 00000004751 14736103211 0017121 0 ustar 00 <?php use Google\Auth\CredentialsLoader; use Google\Auth\HttpHandler\HttpHandlerFactory; use Google\Auth\FetchAuthTokenCache; use Google\Auth\Subscriber\AuthTokenSubscriber; use Google\Auth\Subscriber\ScopedAccessTokenSubscriber; use Google\Auth\Subscriber\SimpleSubscriber; use GuzzleHttp\Client; use GuzzleHttp\ClientInterface; use Psr\Cache\CacheItemPoolInterface; /** * */ class Google_AuthHandler_Guzzle5AuthHandler { protected $cache; protected $cacheConfig; public function __construct(CacheItemPoolInterface $cache = null, array $cacheConfig = []) { $this->cache = $cache; $this->cacheConfig = $cacheConfig; } public function attachCredentials( ClientInterface $http, CredentialsLoader $credentials, callable $tokenCallback = null ) { // use the provided cache if ($this->cache) { $credentials = new FetchAuthTokenCache( $credentials, $this->cacheConfig, $this->cache ); } // if we end up needing to make an HTTP request to retrieve credentials, we // can use our existing one, but we need to throw exceptions so the error // bubbles up. $authHttp = $this->createAuthHttp($http); $authHttpHandler = HttpHandlerFactory::build($authHttp); $subscriber = new AuthTokenSubscriber( $credentials, $authHttpHandler, $tokenCallback ); $http->setDefaultOption('auth', 'google_auth'); $http->getEmitter()->attach($subscriber); return $http; } public function attachToken(ClientInterface $http, array $token, array $scopes) { $tokenFunc = function ($scopes) use ($token) { return $token['access_token']; }; $subscriber = new ScopedAccessTokenSubscriber( $tokenFunc, $scopes, $this->cacheConfig, $this->cache ); $http->setDefaultOption('auth', 'scoped'); $http->getEmitter()->attach($subscriber); return $http; } public function attachKey(ClientInterface $http, $key) { $subscriber = new SimpleSubscriber(['key' => $key]); $http->setDefaultOption('auth', 'simple'); $http->getEmitter()->attach($subscriber); return $http; } private function createAuthHttp(ClientInterface $http) { return new Client( [ 'base_url' => $http->getBaseUrl(), 'defaults' => [ 'exceptions' => true, 'verify' => $http->getDefaultOption('verify'), 'proxy' => $http->getDefaultOption('proxy'), ] ] ); } } apiclient/src/Google/AuthHandler/AuthHandlerFactory.php 0000644 00000003230 14736103211 0017152 0 ustar 00 <?php /** * Copyright 2015 Google Inc. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ use GuzzleHttp\Client; use GuzzleHttp\ClientInterface; class Google_AuthHandler_AuthHandlerFactory { /** * Builds out a default http handler for the installed version of guzzle. * * @return Google_AuthHandler_Guzzle5AuthHandler|Google_AuthHandler_Guzzle6AuthHandler * @throws Exception */ public static function build($cache = null, array $cacheConfig = []) { $guzzleVersion = null; if (defined('\GuzzleHttp\ClientInterface::MAJOR_VERSION')) { $guzzleVersion = ClientInterface::MAJOR_VERSION; } elseif (defined('\GuzzleHttp\ClientInterface::VERSION')) { $guzzleVersion = (int) substr(ClientInterface::VERSION, 0, 1); } switch ($guzzleVersion) { case 5: return new Google_AuthHandler_Guzzle5AuthHandler($cache, $cacheConfig); case 6: return new Google_AuthHandler_Guzzle6AuthHandler($cache, $cacheConfig); case 7: return new Google_AuthHandler_Guzzle7AuthHandler($cache, $cacheConfig); default: throw new Exception('Version not supported'); } } } apiclient/src/Google/autoload.php 0000644 00000001321 14736103211 0013033 0 ustar 00 <?php /** * THIS FILE IS FOR BACKWARDS COMPATIBLITY ONLY * * If you were not already including this file in your project, please ignore it */ $file = __DIR__ . '/../../vendor/autoload.php'; if (!file_exists($file)) { $exception = 'This library must be installed via composer or by downloading the full package.'; $exception .= ' See the instructions at https://github.com/google/google-api-php-client#installation.'; throw new Exception($exception); } $error = 'google-api-php-client\'s autoloader was moved to vendor/autoload.php in 2.0.0. This '; $error .= 'redirect will be removed in 2.1. Please adjust your code to use the new location.'; trigger_error($error, E_USER_DEPRECATED); require_once $file; apiclient/src/Google/Task/Exception.php 0000644 00000001223 14736103211 0014064 0 ustar 00 <?php /* * Copyright 2014 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ class Google_Task_Exception extends Google_Exception { } apiclient/src/Google/Task/Runner.php 0000644 00000016045 14736103211 0013407 0 ustar 00 <?php /* * Copyright 2014 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /** * A task runner with exponential backoff support. * * @see https://developers.google.com/drive/web/handle-errors#implementing_exponential_backoff */ class Google_Task_Runner { const TASK_RETRY_NEVER = 0; const TASK_RETRY_ONCE = 1; const TASK_RETRY_ALWAYS = -1; /** * @var integer $maxDelay The max time (in seconds) to wait before a retry. */ private $maxDelay = 60; /** * @var integer $delay The previous delay from which the next is calculated. */ private $delay = 1; /** * @var integer $factor The base number for the exponential back off. */ private $factor = 2; /** * @var float $jitter A random number between -$jitter and $jitter will be * added to $factor on each iteration to allow for a better distribution of * retries. */ private $jitter = 0.5; /** * @var integer $attempts The number of attempts that have been tried so far. */ private $attempts = 0; /** * @var integer $maxAttempts The max number of attempts allowed. */ private $maxAttempts = 1; /** * @var callable $action The task to run and possibly retry. */ private $action; /** * @var array $arguments The task arguments. */ private $arguments; /** * @var array $retryMap Map of errors with retry counts. */ protected $retryMap = [ '500' => self::TASK_RETRY_ALWAYS, '503' => self::TASK_RETRY_ALWAYS, 'rateLimitExceeded' => self::TASK_RETRY_ALWAYS, 'userRateLimitExceeded' => self::TASK_RETRY_ALWAYS, 6 => self::TASK_RETRY_ALWAYS, // CURLE_COULDNT_RESOLVE_HOST 7 => self::TASK_RETRY_ALWAYS, // CURLE_COULDNT_CONNECT 28 => self::TASK_RETRY_ALWAYS, // CURLE_OPERATION_TIMEOUTED 35 => self::TASK_RETRY_ALWAYS, // CURLE_SSL_CONNECT_ERROR 52 => self::TASK_RETRY_ALWAYS // CURLE_GOT_NOTHING ]; /** * Creates a new task runner with exponential backoff support. * * @param array $config The task runner config * @param string $name The name of the current task (used for logging) * @param callable $action The task to run and possibly retry * @param array $arguments The task arguments * @throws Google_Task_Exception when misconfigured */ public function __construct( $config, $name, $action, array $arguments = array() ) { if (isset($config['initial_delay'])) { if ($config['initial_delay'] < 0) { throw new Google_Task_Exception( 'Task configuration `initial_delay` must not be negative.' ); } $this->delay = $config['initial_delay']; } if (isset($config['max_delay'])) { if ($config['max_delay'] <= 0) { throw new Google_Task_Exception( 'Task configuration `max_delay` must be greater than 0.' ); } $this->maxDelay = $config['max_delay']; } if (isset($config['factor'])) { if ($config['factor'] <= 0) { throw new Google_Task_Exception( 'Task configuration `factor` must be greater than 0.' ); } $this->factor = $config['factor']; } if (isset($config['jitter'])) { if ($config['jitter'] <= 0) { throw new Google_Task_Exception( 'Task configuration `jitter` must be greater than 0.' ); } $this->jitter = $config['jitter']; } if (isset($config['retries'])) { if ($config['retries'] < 0) { throw new Google_Task_Exception( 'Task configuration `retries` must not be negative.' ); } $this->maxAttempts += $config['retries']; } if (!is_callable($action)) { throw new Google_Task_Exception( 'Task argument `$action` must be a valid callable.' ); } $this->action = $action; $this->arguments = $arguments; } /** * Checks if a retry can be attempted. * * @return boolean */ public function canAttempt() { return $this->attempts < $this->maxAttempts; } /** * Runs the task and (if applicable) automatically retries when errors occur. * * @return mixed * @throws Google_Task_Retryable on failure when no retries are available. */ public function run() { while ($this->attempt()) { try { return call_user_func_array($this->action, $this->arguments); } catch (Google_Service_Exception $exception) { $allowedRetries = $this->allowedRetries( $exception->getCode(), $exception->getErrors() ); if (!$this->canAttempt() || !$allowedRetries) { throw $exception; } if ($allowedRetries > 0) { $this->maxAttempts = min( $this->maxAttempts, $this->attempts + $allowedRetries ); } } } } /** * Runs a task once, if possible. This is useful for bypassing the `run()` * loop. * * NOTE: If this is not the first attempt, this function will sleep in * accordance to the backoff configurations before running the task. * * @return boolean */ public function attempt() { if (!$this->canAttempt()) { return false; } if ($this->attempts > 0) { $this->backOff(); } $this->attempts++; return true; } /** * Sleeps in accordance to the backoff configurations. */ private function backOff() { $delay = $this->getDelay(); usleep($delay * 1000000); } /** * Gets the delay (in seconds) for the current backoff period. * * @return float */ private function getDelay() { $jitter = $this->getJitter(); $factor = $this->attempts > 1 ? $this->factor + $jitter : 1 + abs($jitter); return $this->delay = min($this->maxDelay, $this->delay * $factor); } /** * Gets the current jitter (random number between -$this->jitter and * $this->jitter). * * @return float */ private function getJitter() { return $this->jitter * 2 * mt_rand() / mt_getrandmax() - $this->jitter; } /** * Gets the number of times the associated task can be retried. * * NOTE: -1 is returned if the task can be retried indefinitely * * @return integer */ public function allowedRetries($code, $errors = array()) { if (isset($this->retryMap[$code])) { return $this->retryMap[$code]; } if ( !empty($errors) && isset($errors[0]['reason'], $this->retryMap[$errors[0]['reason']]) ) { return $this->retryMap[$errors[0]['reason']]; } return 0; } public function setRetryMap($retryMap) { $this->retryMap = $retryMap; } } apiclient/src/Google/Task/Retryable.php 0000644 00000001343 14736103211 0014062 0 ustar 00 <?php /* * Copyright 2014 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /** * Interface for checking how many times a given task can be retried following * a failure. */ interface Google_Task_Retryable { } apiclient/src/Google/Task/Composer.php 0000644 00000006040 14736103211 0013717 0 ustar 00 <?php /* * Copyright 2020 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy of * the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the * License for the specific language governing permissions and limitations under * the License. */ use Composer\Script\Event; use Symfony\Component\Filesystem\Filesystem; use Symfony\Component\Finder\Finder; class Google_Task_Composer { /** * @param Event $event Composer event passed in for any script method * @param FilesystemInterface $filesystem Optional. Used for testing. */ public static function cleanup( Event $event, Filesystem $filesystem = null ) { $composer = $event->getComposer(); $extra = $composer->getPackage()->getExtra(); $servicesToKeep = isset($extra['google/apiclient-services']) ? $extra['google/apiclient-services'] : []; if ($servicesToKeep) { $serviceDir = sprintf( '%s/google/apiclient-services/src/Google/Service', $composer->getConfig()->get('vendor-dir') ); self::verifyServicesToKeep($serviceDir, $servicesToKeep); $finder = self::getServicesToRemove($serviceDir, $servicesToKeep); $filesystem = $filesystem ?: new Filesystem(); if (0 !== $count = count($finder)) { $event->getIO()->write( sprintf( 'Removing %s google services', $count ) ); foreach ($finder as $file) { $realpath = $file->getRealPath(); $filesystem->remove($realpath); $filesystem->remove($realpath . '.php'); } } } } /** * @throws InvalidArgumentException when the service doesn't exist */ private static function verifyServicesToKeep( $serviceDir, array $servicesToKeep ) { $finder = (new Finder()) ->directories() ->depth('== 0'); foreach ($servicesToKeep as $service) { if (!preg_match('/^[a-zA-Z0-9]*$/', $service)) { throw new \InvalidArgumentException( sprintf( 'Invalid Google service name "%s"', $service ) ); } try { $finder->in($serviceDir . '/' . $service); } catch (\InvalidArgumentException $e) { throw new \InvalidArgumentException( sprintf( 'Google service "%s" does not exist or was removed previously', $service ) ); } } } private static function getServicesToRemove( $serviceDir, array $servicesToKeep ) { // find all files in the current directory return (new Finder()) ->directories() ->depth('== 0') ->in($serviceDir) ->exclude($servicesToKeep); } } apiclient/src/Google/Exception.php 0000644 00000001207 14736103211 0013164 0 ustar 00 <?php /* * Copyright 2013 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ class Google_Exception extends Exception { } apiclient/src/Google/Service.php 0000644 00000002411 14736103211 0012624 0 ustar 00 <?php /* * Copyright 2010 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ class Google_Service { public $batchPath; public $rootUrl; public $version; public $servicePath; public $availableScopes; public $resource; private $client; public function __construct(Google_Client $client) { $this->client = $client; } /** * Return the associated Google_Client class. * @return Google_Client */ public function getClient() { return $this->client; } /** * Create a new HTTP Batch handler for this service * * @return Google_Http_Batch */ public function createBatch() { return new Google_Http_Batch( $this->client, false, $this->rootUrl, $this->batchPath ); } } apiclient/src/Google/Utils/UriTemplate.php 0000644 00000022346 14736103211 0014570 0 ustar 00 <?php /* * Copyright 2013 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /** * Implementation of levels 1-3 of the URI Template spec. * @see http://tools.ietf.org/html/rfc6570 */ class Google_Utils_UriTemplate { const TYPE_MAP = "1"; const TYPE_LIST = "2"; const TYPE_SCALAR = "4"; /** * @var $operators array * These are valid at the start of a template block to * modify the way in which the variables inside are * processed. */ private $operators = array( "+" => "reserved", "/" => "segments", "." => "dotprefix", "#" => "fragment", ";" => "semicolon", "?" => "form", "&" => "continuation" ); /** * @var reserved array * These are the characters which should not be URL encoded in reserved * strings. */ private $reserved = array( "=", ",", "!", "@", "|", ":", "/", "?", "#", "[", "]",'$', "&", "'", "(", ")", "*", "+", ";" ); private $reservedEncoded = array( "%3D", "%2C", "%21", "%40", "%7C", "%3A", "%2F", "%3F", "%23", "%5B", "%5D", "%24", "%26", "%27", "%28", "%29", "%2A", "%2B", "%3B" ); public function parse($string, array $parameters) { return $this->resolveNextSection($string, $parameters); } /** * This function finds the first matching {...} block and * executes the replacement. It then calls itself to find * subsequent blocks, if any. */ private function resolveNextSection($string, $parameters) { $start = strpos($string, "{"); if ($start === false) { return $string; } $end = strpos($string, "}"); if ($end === false) { return $string; } $string = $this->replace($string, $start, $end, $parameters); return $this->resolveNextSection($string, $parameters); } private function replace($string, $start, $end, $parameters) { // We know a data block will have {} round it, so we can strip that. $data = substr($string, $start + 1, $end - $start - 1); // If the first character is one of the reserved operators, it effects // the processing of the stream. if (isset($this->operators[$data[0]])) { $op = $this->operators[$data[0]]; $data = substr($data, 1); $prefix = ""; $prefix_on_missing = false; switch ($op) { case "reserved": // Reserved means certain characters should not be URL encoded $data = $this->replaceVars($data, $parameters, ",", null, true); break; case "fragment": // Comma separated with fragment prefix. Bare values only. $prefix = "#"; $prefix_on_missing = true; $data = $this->replaceVars($data, $parameters, ",", null, true); break; case "segments": // Slash separated data. Bare values only. $prefix = "/"; $data =$this->replaceVars($data, $parameters, "/"); break; case "dotprefix": // Dot separated data. Bare values only. $prefix = "."; $prefix_on_missing = true; $data = $this->replaceVars($data, $parameters, "."); break; case "semicolon": // Semicolon prefixed and separated. Uses the key name $prefix = ";"; $data = $this->replaceVars($data, $parameters, ";", "=", false, true, false); break; case "form": // Standard URL format. Uses the key name $prefix = "?"; $data = $this->replaceVars($data, $parameters, "&", "="); break; case "continuation": // Standard URL, but with leading ampersand. Uses key name. $prefix = "&"; $data = $this->replaceVars($data, $parameters, "&", "="); break; } // Add the initial prefix character if data is valid. if ($data || ($data !== false && $prefix_on_missing)) { $data = $prefix . $data; } } else { // If no operator we replace with the defaults. $data = $this->replaceVars($data, $parameters); } // This is chops out the {...} and replaces with the new section. return substr($string, 0, $start) . $data . substr($string, $end + 1); } private function replaceVars( $section, $parameters, $sep = ",", $combine = null, $reserved = false, $tag_empty = false, $combine_on_empty = true ) { if (strpos($section, ",") === false) { // If we only have a single value, we can immediately process. return $this->combine( $section, $parameters, $sep, $combine, $reserved, $tag_empty, $combine_on_empty ); } else { // If we have multiple values, we need to split and loop over them. // Each is treated individually, then glued together with the // separator character. $vars = explode(",", $section); return $this->combineList( $vars, $sep, $parameters, $combine, $reserved, false, // Never emit empty strings in multi-param replacements $combine_on_empty ); } } public function combine( $key, $parameters, $sep, $combine, $reserved, $tag_empty, $combine_on_empty ) { $length = false; $explode = false; $skip_final_combine = false; $value = false; // Check for length restriction. if (strpos($key, ":") !== false) { list($key, $length) = explode(":", $key); } // Check for explode parameter. if ($key[strlen($key) - 1] == "*") { $explode = true; $key = substr($key, 0, -1); $skip_final_combine = true; } // Define the list separator. $list_sep = $explode ? $sep : ","; if (isset($parameters[$key])) { $data_type = $this->getDataType($parameters[$key]); switch ($data_type) { case self::TYPE_SCALAR: $value = $this->getValue($parameters[$key], $length); break; case self::TYPE_LIST: $values = array(); foreach ($parameters[$key] as $pkey => $pvalue) { $pvalue = $this->getValue($pvalue, $length); if ($combine && $explode) { $values[$pkey] = $key . $combine . $pvalue; } else { $values[$pkey] = $pvalue; } } $value = implode($list_sep, $values); if ($value == '') { return ''; } break; case self::TYPE_MAP: $values = array(); foreach ($parameters[$key] as $pkey => $pvalue) { $pvalue = $this->getValue($pvalue, $length); if ($explode) { $pkey = $this->getValue($pkey, $length); $values[] = $pkey . "=" . $pvalue; // Explode triggers = combine. } else { $values[] = $pkey; $values[] = $pvalue; } } $value = implode($list_sep, $values); if ($value == '') { return false; } break; } } else if ($tag_empty) { // If we are just indicating empty values with their key name, return that. return $key; } else { // Otherwise we can skip this variable due to not being defined. return false; } if ($reserved) { $value = str_replace($this->reservedEncoded, $this->reserved, $value); } // If we do not need to include the key name, we just return the raw // value. if (!$combine || $skip_final_combine) { return $value; } // Else we combine the key name: foo=bar, if value is not the empty string. return $key . ($value != '' || $combine_on_empty ? $combine . $value : ''); } /** * Return the type of a passed in value */ private function getDataType($data) { if (is_array($data)) { reset($data); if (key($data) !== 0) { return self::TYPE_MAP; } return self::TYPE_LIST; } return self::TYPE_SCALAR; } /** * Utility function that merges multiple combine calls * for multi-key templates. */ private function combineList( $vars, $sep, $parameters, $combine, $reserved, $tag_empty, $combine_on_empty ) { $ret = array(); foreach ($vars as $var) { $response = $this->combine( $var, $parameters, $sep, $combine, $reserved, $tag_empty, $combine_on_empty ); if ($response === false) { continue; } $ret[] = $response; } return implode($sep, $ret); } /** * Utility function to encode and trim values */ private function getValue($value, $length) { if ($length) { $value = substr($value, 0, $length); } $value = rawurlencode($value); return $value; } } apiclient/src/Google/Http/MediaFileUpload.php 0000644 00000022035 14736103211 0015133 0 ustar 00 <?php /** * Copyright 2012 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ use GuzzleHttp\Psr7; use GuzzleHttp\Psr7\Request; use GuzzleHttp\Psr7\Uri; use Psr\Http\Message\RequestInterface; /** * Manage large file uploads, which may be media but can be any type * of sizable data. */ class Google_Http_MediaFileUpload { const UPLOAD_MEDIA_TYPE = 'media'; const UPLOAD_MULTIPART_TYPE = 'multipart'; const UPLOAD_RESUMABLE_TYPE = 'resumable'; /** @var string $mimeType */ private $mimeType; /** @var string $data */ private $data; /** @var bool $resumable */ private $resumable; /** @var int $chunkSize */ private $chunkSize; /** @var int $size */ private $size; /** @var string $resumeUri */ private $resumeUri; /** @var int $progress */ private $progress; /** @var Google_Client */ private $client; /** @var Psr\Http\Message\RequestInterface */ private $request; /** @var string */ private $boundary; /** * Result code from last HTTP call * @var int */ private $httpResultCode; /** * @param Google_Client $client * @param RequestInterface $request * @param string $mimeType * @param string $data The bytes you want to upload. * @param bool $resumable * @param bool $chunkSize File will be uploaded in chunks of this many bytes. * only used if resumable=True */ public function __construct( Google_Client $client, RequestInterface $request, $mimeType, $data, $resumable = false, $chunkSize = false ) { $this->client = $client; $this->request = $request; $this->mimeType = $mimeType; $this->data = $data; $this->resumable = $resumable; $this->chunkSize = $chunkSize; $this->progress = 0; $this->process(); } /** * Set the size of the file that is being uploaded. * @param $size - int file size in bytes */ public function setFileSize($size) { $this->size = $size; } /** * Return the progress on the upload * @return int progress in bytes uploaded. */ public function getProgress() { return $this->progress; } /** * Send the next part of the file to upload. * @param string|bool $chunk Optional. The next set of bytes to send. If false will * use $data passed at construct time. */ public function nextChunk($chunk = false) { $resumeUri = $this->getResumeUri(); if (false == $chunk) { $chunk = substr($this->data, $this->progress, $this->chunkSize); } $lastBytePos = $this->progress + strlen($chunk) - 1; $headers = array( 'content-range' => "bytes $this->progress-$lastBytePos/$this->size", 'content-length' => strlen($chunk), 'expect' => '', ); $request = new Request( 'PUT', $resumeUri, $headers, Psr7\stream_for($chunk) ); return $this->makePutRequest($request); } /** * Return the HTTP result code from the last call made. * @return int code */ public function getHttpResultCode() { return $this->httpResultCode; } /** * Sends a PUT-Request to google drive and parses the response, * setting the appropiate variables from the response() * * @param Google_Http_Request $httpRequest the Reuqest which will be send * * @return false|mixed false when the upload is unfinished or the decoded http response * */ private function makePutRequest(RequestInterface $request) { $response = $this->client->execute($request); $this->httpResultCode = $response->getStatusCode(); if (308 == $this->httpResultCode) { // Track the amount uploaded. $range = $response->getHeaderLine('range'); if ($range) { $range_array = explode('-', $range); $this->progress = $range_array[1] + 1; } // Allow for changing upload URLs. $location = $response->getHeaderLine('location'); if ($location) { $this->resumeUri = $location; } // No problems, but upload not complete. return false; } return Google_Http_REST::decodeHttpResponse($response, $this->request); } /** * Resume a previously unfinished upload * @param $resumeUri the resume-URI of the unfinished, resumable upload. */ public function resume($resumeUri) { $this->resumeUri = $resumeUri; $headers = array( 'content-range' => "bytes */$this->size", 'content-length' => 0, ); $httpRequest = new Request( 'PUT', $this->resumeUri, $headers ); return $this->makePutRequest($httpRequest); } /** * @return Psr\Http\Message\RequestInterface $request * @visible for testing */ private function process() { $this->transformToUploadUrl(); $request = $this->request; $postBody = ''; $contentType = false; $meta = (string) $request->getBody(); $meta = is_string($meta) ? json_decode($meta, true) : $meta; $uploadType = $this->getUploadType($meta); $request = $request->withUri( Uri::withQueryValue($request->getUri(), 'uploadType', $uploadType) ); $mimeType = $this->mimeType ?: $request->getHeaderLine('content-type'); if (self::UPLOAD_RESUMABLE_TYPE == $uploadType) { $contentType = $mimeType; $postBody = is_string($meta) ? $meta : json_encode($meta); } else if (self::UPLOAD_MEDIA_TYPE == $uploadType) { $contentType = $mimeType; $postBody = $this->data; } else if (self::UPLOAD_MULTIPART_TYPE == $uploadType) { // This is a multipart/related upload. $boundary = $this->boundary ?: mt_rand(); $boundary = str_replace('"', '', $boundary); $contentType = 'multipart/related; boundary=' . $boundary; $related = "--$boundary\r\n"; $related .= "Content-Type: application/json; charset=UTF-8\r\n"; $related .= "\r\n" . json_encode($meta) . "\r\n"; $related .= "--$boundary\r\n"; $related .= "Content-Type: $mimeType\r\n"; $related .= "Content-Transfer-Encoding: base64\r\n"; $related .= "\r\n" . base64_encode($this->data) . "\r\n"; $related .= "--$boundary--"; $postBody = $related; } $request = $request->withBody(Psr7\stream_for($postBody)); if (isset($contentType) && $contentType) { $request = $request->withHeader('content-type', $contentType); } return $this->request = $request; } /** * Valid upload types: * - resumable (UPLOAD_RESUMABLE_TYPE) * - media (UPLOAD_MEDIA_TYPE) * - multipart (UPLOAD_MULTIPART_TYPE) * @param $meta * @return string * @visible for testing */ public function getUploadType($meta) { if ($this->resumable) { return self::UPLOAD_RESUMABLE_TYPE; } if (false == $meta && $this->data) { return self::UPLOAD_MEDIA_TYPE; } return self::UPLOAD_MULTIPART_TYPE; } public function getResumeUri() { if (null === $this->resumeUri) { $this->resumeUri = $this->fetchResumeUri(); } return $this->resumeUri; } private function fetchResumeUri() { $body = $this->request->getBody(); if ($body) { $headers = array( 'content-type' => 'application/json; charset=UTF-8', 'content-length' => $body->getSize(), 'x-upload-content-type' => $this->mimeType, 'x-upload-content-length' => $this->size, 'expect' => '', ); foreach ($headers as $key => $value) { $this->request = $this->request->withHeader($key, $value); } } $response = $this->client->execute($this->request, false); $location = $response->getHeaderLine('location'); $code = $response->getStatusCode(); if (200 == $code && true == $location) { return $location; } $message = $code; $body = json_decode((string) $this->request->getBody(), true); if (isset($body['error']['errors'])) { $message .= ': '; foreach ($body['error']['errors'] as $error) { $message .= "{$error['domain']}, {$error['message']};"; } $message = rtrim($message, ';'); } $error = "Failed to start the resumable upload (HTTP {$message})"; $this->client->getLogger()->error($error); throw new Google_Exception($error); } private function transformToUploadUrl() { $parts = parse_url((string) $this->request->getUri()); if (!isset($parts['path'])) { $parts['path'] = ''; } $parts['path'] = '/upload' . $parts['path']; $uri = Uri::fromParts($parts); $this->request = $this->request->withUri($uri); } public function setChunkSize($chunkSize) { $this->chunkSize = $chunkSize; } public function getRequest() { return $this->request; } } apiclient/src/Google/Http/REST.php 0000644 00000013107 14736103211 0012724 0 ustar 00 <?php /* * Copyright 2010 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ use Google\Auth\HttpHandler\HttpHandlerFactory; use GuzzleHttp\ClientInterface; use GuzzleHttp\Exception\RequestException; use GuzzleHttp\Psr7\Response; use Psr\Http\Message\RequestInterface; use Psr\Http\Message\ResponseInterface; /** * This class implements the RESTful transport of apiServiceRequest()'s */ class Google_Http_REST { /** * Executes a Psr\Http\Message\RequestInterface and (if applicable) automatically retries * when errors occur. * * @param Google_Client $client * @param Psr\Http\Message\RequestInterface $req * @param string $expectedClass * @param array $config * @param array $retryMap * @return array decoded result * @throws Google_Service_Exception on server side error (ie: not authenticated, * invalid or malformed post body, invalid url) */ public static function execute( ClientInterface $client, RequestInterface $request, $expectedClass = null, $config = array(), $retryMap = null ) { $runner = new Google_Task_Runner( $config, sprintf('%s %s', $request->getMethod(), (string) $request->getUri()), array(get_class(), 'doExecute'), array($client, $request, $expectedClass) ); if (null !== $retryMap) { $runner->setRetryMap($retryMap); } return $runner->run(); } /** * Executes a Psr\Http\Message\RequestInterface * * @param Google_Client $client * @param Psr\Http\Message\RequestInterface $request * @param string $expectedClass * @return array decoded result * @throws Google_Service_Exception on server side error (ie: not authenticated, * invalid or malformed post body, invalid url) */ public static function doExecute(ClientInterface $client, RequestInterface $request, $expectedClass = null) { try { $httpHandler = HttpHandlerFactory::build($client); $response = $httpHandler($request); } catch (RequestException $e) { // if Guzzle throws an exception, catch it and handle the response if (!$e->hasResponse()) { throw $e; } $response = $e->getResponse(); // specific checking for Guzzle 5: convert to PSR7 response if ($response instanceof \GuzzleHttp\Message\ResponseInterface) { $response = new Response( $response->getStatusCode(), $response->getHeaders() ?: [], $response->getBody(), $response->getProtocolVersion(), $response->getReasonPhrase() ); } } return self::decodeHttpResponse($response, $request, $expectedClass); } /** * Decode an HTTP Response. * @static * @throws Google_Service_Exception * @param Psr\Http\Message\RequestInterface $response The http response to be decoded. * @param Psr\Http\Message\ResponseInterface $response * @param string $expectedClass * @return mixed|null */ public static function decodeHttpResponse( ResponseInterface $response, RequestInterface $request = null, $expectedClass = null ) { $code = $response->getStatusCode(); // retry strategy if (intVal($code) >= 400) { // if we errored out, it should be safe to grab the response body $body = (string) $response->getBody(); // Check if we received errors, and add those to the Exception for convenience throw new Google_Service_Exception($body, $code, null, self::getResponseErrors($body)); } // Ensure we only pull the entire body into memory if the request is not // of media type $body = self::decodeBody($response, $request); if ($expectedClass = self::determineExpectedClass($expectedClass, $request)) { $json = json_decode($body, true); return new $expectedClass($json); } return $response; } private static function decodeBody(ResponseInterface $response, RequestInterface $request = null) { if (self::isAltMedia($request)) { // don't decode the body, it's probably a really long string return ''; } return (string) $response->getBody(); } private static function determineExpectedClass($expectedClass, RequestInterface $request = null) { // "false" is used to explicitly prevent an expected class from being returned if (false === $expectedClass) { return null; } // if we don't have a request, we just use what's passed in if (null === $request) { return $expectedClass; } // return what we have in the request header if one was not supplied return $expectedClass ?: $request->getHeaderLine('X-Php-Expected-Class'); } private static function getResponseErrors($body) { $json = json_decode($body, true); if (isset($json['error']['errors'])) { return $json['error']['errors']; } return null; } private static function isAltMedia(RequestInterface $request = null) { if ($request && $qs = $request->getUri()->getQuery()) { parse_str($qs, $query); if (isset($query['alt']) && $query['alt'] == 'media') { return true; } } return false; } } apiclient/src/Google/Http/Batch.php 0000644 00000015631 14736103211 0013174 0 ustar 00 <?php /* * Copyright 2012 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ use GuzzleHttp\Psr7; use GuzzleHttp\Psr7\Request; use GuzzleHttp\Psr7\Response; use Psr\Http\Message\RequestInterface; use Psr\Http\Message\ResponseInterface; /** * Class to handle batched requests to the Google API service. * * Note that calls to `Google_Http_Batch::execute()` do not clear the queued * requests. To start a new batch, be sure to create a new instance of this * class. */ class Google_Http_Batch { const BATCH_PATH = 'batch'; private static $CONNECTION_ESTABLISHED_HEADERS = array( "HTTP/1.0 200 Connection established\r\n\r\n", "HTTP/1.1 200 Connection established\r\n\r\n", ); /** @var string Multipart Boundary. */ private $boundary; /** @var array service requests to be executed. */ private $requests = array(); /** @var Google_Client */ private $client; private $rootUrl; private $batchPath; public function __construct( Google_Client $client, $boundary = false, $rootUrl = null, $batchPath = null ) { $this->client = $client; $this->boundary = $boundary ?: mt_rand(); $this->rootUrl = rtrim($rootUrl ?: $this->client->getConfig('base_path'), '/'); $this->batchPath = $batchPath ?: self::BATCH_PATH; } public function add(RequestInterface $request, $key = false) { if (false == $key) { $key = mt_rand(); } $this->requests[$key] = $request; } public function execute() { $body = ''; $classes = array(); $batchHttpTemplate = <<<EOF --%s Content-Type: application/http Content-Transfer-Encoding: binary MIME-Version: 1.0 Content-ID: %s %s %s%s EOF; /** @var Google_Http_Request $req */ foreach ($this->requests as $key => $request) { $firstLine = sprintf( '%s %s HTTP/%s', $request->getMethod(), $request->getRequestTarget(), $request->getProtocolVersion() ); $content = (string) $request->getBody(); $headers = ''; foreach ($request->getHeaders() as $name => $values) { $headers .= sprintf("%s:%s\r\n", $name, implode(', ', $values)); } $body .= sprintf( $batchHttpTemplate, $this->boundary, $key, $firstLine, $headers, $content ? "\n".$content : '' ); $classes['response-' . $key] = $request->getHeaderLine('X-Php-Expected-Class'); } $body .= "--{$this->boundary}--"; $body = trim($body); $url = $this->rootUrl . '/' . $this->batchPath; $headers = array( 'Content-Type' => sprintf('multipart/mixed; boundary=%s', $this->boundary), 'Content-Length' => strlen($body), ); $request = new Request( 'POST', $url, $headers, $body ); $response = $this->client->execute($request); return $this->parseResponse($response, $classes); } public function parseResponse(ResponseInterface $response, $classes = array()) { $contentType = $response->getHeaderLine('content-type'); $contentType = explode(';', $contentType); $boundary = false; foreach ($contentType as $part) { $part = explode('=', $part, 2); if (isset($part[0]) && 'boundary' == trim($part[0])) { $boundary = $part[1]; } } $body = (string) $response->getBody(); if (!empty($body)) { $body = str_replace("--$boundary--", "--$boundary", $body); $parts = explode("--$boundary", $body); $responses = array(); $requests = array_values($this->requests); foreach ($parts as $i => $part) { $part = trim($part); if (!empty($part)) { list($rawHeaders, $part) = explode("\r\n\r\n", $part, 2); $headers = $this->parseRawHeaders($rawHeaders); $status = substr($part, 0, strpos($part, "\n")); $status = explode(" ", $status); $status = $status[1]; list($partHeaders, $partBody) = $this->parseHttpResponse($part, false); $response = new Response( $status, $partHeaders, Psr7\stream_for($partBody) ); // Need content id. $key = $headers['content-id']; try { $response = Google_Http_REST::decodeHttpResponse($response, $requests[$i-1]); } catch (Google_Service_Exception $e) { // Store the exception as the response, so successful responses // can be processed. $response = $e; } $responses[$key] = $response; } } return $responses; } return null; } private function parseRawHeaders($rawHeaders) { $headers = array(); $responseHeaderLines = explode("\r\n", $rawHeaders); foreach ($responseHeaderLines as $headerLine) { if ($headerLine && strpos($headerLine, ':') !== false) { list($header, $value) = explode(': ', $headerLine, 2); $header = strtolower($header); if (isset($headers[$header])) { $headers[$header] .= "\n" . $value; } else { $headers[$header] = $value; } } } return $headers; } /** * Used by the IO lib and also the batch processing. * * @param $respData * @param $headerSize * @return array */ private function parseHttpResponse($respData, $headerSize) { // check proxy header foreach (self::$CONNECTION_ESTABLISHED_HEADERS as $established_header) { if (stripos($respData, $established_header) !== false) { // existed, remove it $respData = str_ireplace($established_header, '', $respData); // Subtract the proxy header size unless the cURL bug prior to 7.30.0 // is present which prevented the proxy header size from being taken into // account. // @TODO look into this // if (!$this->needsQuirk()) { // $headerSize -= strlen($established_header); // } break; } } if ($headerSize) { $responseBody = substr($respData, $headerSize); $responseHeaders = substr($respData, 0, $headerSize); } else { $responseSegments = explode("\r\n\r\n", $respData, 2); $responseHeaders = $responseSegments[0]; $responseBody = isset($responseSegments[1]) ? $responseSegments[1] : null; } $responseHeaders = $this->parseRawHeaders($responseHeaders); return array($responseHeaders, $responseBody); } } apiclient/src/Google/Collection.php 0000644 00000004505 14736103211 0013325 0 ustar 00 <?php if (!class_exists('Google_Client')) { require_once __DIR__ . '/autoload.php'; } /** * Extension to the regular Google_Model that automatically * exposes the items array for iteration, so you can just * iterate over the object rather than a reference inside. */ class Google_Collection extends Google_Model implements Iterator, Countable { protected $collection_key = 'items'; public function rewind() { if (isset($this->{$this->collection_key}) && is_array($this->{$this->collection_key})) { reset($this->{$this->collection_key}); } } public function current() { $this->coerceType($this->key()); if (is_array($this->{$this->collection_key})) { return current($this->{$this->collection_key}); } } public function key() { if (isset($this->{$this->collection_key}) && is_array($this->{$this->collection_key})) { return key($this->{$this->collection_key}); } } public function next() { return next($this->{$this->collection_key}); } public function valid() { $key = $this->key(); return $key !== null && $key !== false; } public function count() { if (!isset($this->{$this->collection_key})) { return 0; } return count($this->{$this->collection_key}); } public function offsetExists($offset) { if (!is_numeric($offset)) { return parent::offsetExists($offset); } return isset($this->{$this->collection_key}[$offset]); } public function offsetGet($offset) { if (!is_numeric($offset)) { return parent::offsetGet($offset); } $this->coerceType($offset); return $this->{$this->collection_key}[$offset]; } public function offsetSet($offset, $value) { if (!is_numeric($offset)) { return parent::offsetSet($offset, $value); } $this->{$this->collection_key}[$offset] = $value; } public function offsetUnset($offset) { if (!is_numeric($offset)) { return parent::offsetUnset($offset); } unset($this->{$this->collection_key}[$offset]); } private function coerceType($offset) { $keyType = $this->keyType($this->collection_key); if ($keyType && !is_object($this->{$this->collection_key}[$offset])) { $this->{$this->collection_key}[$offset] = new $keyType($this->{$this->collection_key}[$offset]); } } } apiclient/src/Google/Model.php 0000644 00000021133 14736103211 0012266 0 ustar 00 <?php /* * Copyright 2011 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /** * This class defines attributes, valid values, and usage which is generated * from a given json schema. * http://tools.ietf.org/html/draft-zyp-json-schema-03#section-5 * */ class Google_Model implements ArrayAccess { /** * If you need to specify a NULL JSON value, use Google_Model::NULL_VALUE * instead - it will be replaced when converting to JSON with a real null. */ const NULL_VALUE = "{}gapi-php-null"; protected $internal_gapi_mappings = array(); protected $modelData = array(); protected $processed = array(); /** * Polymorphic - accepts a variable number of arguments dependent * on the type of the model subclass. */ final public function __construct() { if (func_num_args() == 1 && is_array(func_get_arg(0))) { // Initialize the model with the array's contents. $array = func_get_arg(0); $this->mapTypes($array); } $this->gapiInit(); } /** * Getter that handles passthrough access to the data array, and lazy object creation. * @param string $key Property name. * @return mixed The value if any, or null. */ public function __get($key) { $keyType = $this->keyType($key); $keyDataType = $this->dataType($key); if ($keyType && !isset($this->processed[$key])) { if (isset($this->modelData[$key])) { $val = $this->modelData[$key]; } elseif ($keyDataType == 'array' || $keyDataType == 'map') { $val = array(); } else { $val = null; } if ($this->isAssociativeArray($val)) { if ($keyDataType && 'map' == $keyDataType) { foreach ($val as $arrayKey => $arrayItem) { $this->modelData[$key][$arrayKey] = new $keyType($arrayItem); } } else { $this->modelData[$key] = new $keyType($val); } } else if (is_array($val)) { $arrayObject = array(); foreach ($val as $arrayIndex => $arrayItem) { $arrayObject[$arrayIndex] = new $keyType($arrayItem); } $this->modelData[$key] = $arrayObject; } $this->processed[$key] = true; } return isset($this->modelData[$key]) ? $this->modelData[$key] : null; } /** * Initialize this object's properties from an array. * * @param array $array Used to seed this object's properties. * @return void */ protected function mapTypes($array) { // Hard initialise simple types, lazy load more complex ones. foreach ($array as $key => $val) { if ($keyType = $this->keyType($key)) { $dataType = $this->dataType($key); if ($dataType == 'array' || $dataType == 'map') { $this->$key = array(); foreach ($val as $itemKey => $itemVal) { if ($itemVal instanceof $keyType) { $this->{$key}[$itemKey] = $itemVal; } else { $this->{$key}[$itemKey] = new $keyType($itemVal); } } } elseif ($val instanceof $keyType) { $this->$key = $val; } else { $this->$key = new $keyType($val); } unset($array[$key]); } elseif (property_exists($this, $key)) { $this->$key = $val; unset($array[$key]); } elseif (property_exists($this, $camelKey = $this->camelCase($key))) { // This checks if property exists as camelCase, leaving it in array as snake_case // in case of backwards compatibility issues. $this->$camelKey = $val; } } $this->modelData = $array; } /** * Blank initialiser to be used in subclasses to do post-construction initialisation - this * avoids the need for subclasses to have to implement the variadics handling in their * constructors. */ protected function gapiInit() { return; } /** * Create a simplified object suitable for straightforward * conversion to JSON. This is relatively expensive * due to the usage of reflection, but shouldn't be called * a whole lot, and is the most straightforward way to filter. */ public function toSimpleObject() { $object = new stdClass(); // Process all other data. foreach ($this->modelData as $key => $val) { $result = $this->getSimpleValue($val); if ($result !== null) { $object->$key = $this->nullPlaceholderCheck($result); } } // Process all public properties. $reflect = new ReflectionObject($this); $props = $reflect->getProperties(ReflectionProperty::IS_PUBLIC); foreach ($props as $member) { $name = $member->getName(); $result = $this->getSimpleValue($this->$name); if ($result !== null) { $name = $this->getMappedName($name); $object->$name = $this->nullPlaceholderCheck($result); } } return $object; } /** * Handle different types of values, primarily * other objects and map and array data types. */ private function getSimpleValue($value) { if ($value instanceof Google_Model) { return $value->toSimpleObject(); } else if (is_array($value)) { $return = array(); foreach ($value as $key => $a_value) { $a_value = $this->getSimpleValue($a_value); if ($a_value !== null) { $key = $this->getMappedName($key); $return[$key] = $this->nullPlaceholderCheck($a_value); } } return $return; } return $value; } /** * Check whether the value is the null placeholder and return true null. */ private function nullPlaceholderCheck($value) { if ($value === self::NULL_VALUE) { return null; } return $value; } /** * If there is an internal name mapping, use that. */ private function getMappedName($key) { if (isset($this->internal_gapi_mappings, $this->internal_gapi_mappings[$key])) { $key = $this->internal_gapi_mappings[$key]; } return $key; } /** * Returns true only if the array is associative. * @param array $array * @return bool True if the array is associative. */ protected function isAssociativeArray($array) { if (!is_array($array)) { return false; } $keys = array_keys($array); foreach ($keys as $key) { if (is_string($key)) { return true; } } return false; } /** * Verify if $obj is an array. * @throws Google_Exception Thrown if $obj isn't an array. * @param array $obj Items that should be validated. * @param string $method Method expecting an array as an argument. */ public function assertIsArray($obj, $method) { if ($obj && !is_array($obj)) { throw new Google_Exception( "Incorrect parameter type passed to $method(). Expected an array." ); } } public function offsetExists($offset) { return isset($this->$offset) || isset($this->modelData[$offset]); } public function offsetGet($offset) { return isset($this->$offset) ? $this->$offset : $this->__get($offset); } public function offsetSet($offset, $value) { if (property_exists($this, $offset)) { $this->$offset = $value; } else { $this->modelData[$offset] = $value; $this->processed[$offset] = true; } } public function offsetUnset($offset) { unset($this->modelData[$offset]); } protected function keyType($key) { $keyType = $key . "Type"; // ensure keyType is a valid class if (property_exists($this, $keyType) && class_exists($this->$keyType)) { return $this->$keyType; } } protected function dataType($key) { $dataType = $key . "DataType"; if (property_exists($this, $dataType)) { return $this->$dataType; } } public function __isset($key) { return isset($this->modelData[$key]); } public function __unset($key) { unset($this->modelData[$key]); } /** * Convert a string to camelCase * @param string $value * @return string */ private function camelCase($value) { $value = ucwords(str_replace(array('-', '_'), ' ', $value)); $value = str_replace(' ', '', $value); $value[0] = strtolower($value[0]); return $value; } } apiclient/src/Google/AccessToken/Verify.php 0000644 00000016562 14736103211 0014706 0 ustar 00 <?php /* * Copyright 2008 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ use Firebase\JWT\ExpiredException as ExpiredExceptionV3; use Firebase\JWT\SignatureInvalidException; use GuzzleHttp\Client; use GuzzleHttp\ClientInterface; use Psr\Cache\CacheItemPoolInterface; use Google\Auth\Cache\MemoryCacheItemPool; use Stash\Driver\FileSystem; use Stash\Pool; /** * Wrapper around Google Access Tokens which provides convenience functions * */ class Google_AccessToken_Verify { const FEDERATED_SIGNON_CERT_URL = 'https://www.googleapis.com/oauth2/v3/certs'; const OAUTH2_ISSUER = 'accounts.google.com'; const OAUTH2_ISSUER_HTTPS = 'https://accounts.google.com'; /** * @var GuzzleHttp\ClientInterface The http client */ private $http; /** * @var Psr\Cache\CacheItemPoolInterface cache class */ private $cache; /** * Instantiates the class, but does not initiate the login flow, leaving it * to the discretion of the caller. */ public function __construct( ClientInterface $http = null, CacheItemPoolInterface $cache = null, $jwt = null ) { if (null === $http) { $http = new Client(); } if (null === $cache) { $cache = new MemoryCacheItemPool; } $this->http = $http; $this->cache = $cache; $this->jwt = $jwt ?: $this->getJwtService(); } /** * Verifies an id token and returns the authenticated apiLoginTicket. * Throws an exception if the id token is not valid. * The audience parameter can be used to control which id tokens are * accepted. By default, the id token must have been issued to this OAuth2 client. * * @param string $idToken the ID token in JWT format * @param string $audience Optional. The audience to verify against JWt "aud" * @return array the token payload, if successful */ public function verifyIdToken($idToken, $audience = null) { if (empty($idToken)) { throw new LogicException('id_token cannot be null'); } // set phpseclib constants if applicable $this->setPhpsecConstants(); // Check signature $certs = $this->getFederatedSignOnCerts(); foreach ($certs as $cert) { $bigIntClass = $this->getBigIntClass(); $rsaClass = $this->getRsaClass(); $modulus = new $bigIntClass($this->jwt->urlsafeB64Decode($cert['n']), 256); $exponent = new $bigIntClass($this->jwt->urlsafeB64Decode($cert['e']), 256); $rsa = new $rsaClass(); $rsa->loadKey(array('n' => $modulus, 'e' => $exponent)); try { $payload = $this->jwt->decode( $idToken, $rsa->getPublicKey(), array('RS256') ); if (property_exists($payload, 'aud')) { if ($audience && $payload->aud != $audience) { return false; } } // support HTTP and HTTPS issuers // @see https://developers.google.com/identity/sign-in/web/backend-auth $issuers = array(self::OAUTH2_ISSUER, self::OAUTH2_ISSUER_HTTPS); if (!isset($payload->iss) || !in_array($payload->iss, $issuers)) { return false; } return (array) $payload; } catch (ExpiredException $e) { return false; } catch (ExpiredExceptionV3 $e) { return false; } catch (SignatureInvalidException $e) { // continue } catch (DomainException $e) { // continue } } return false; } private function getCache() { return $this->cache; } /** * Retrieve and cache a certificates file. * * @param $url string location * @throws Google_Exception * @return array certificates */ private function retrieveCertsFromLocation($url) { // If we're retrieving a local file, just grab it. if (0 !== strpos($url, 'http')) { if (!$file = file_get_contents($url)) { throw new Google_Exception( "Failed to retrieve verification certificates: '" . $url . "'." ); } return json_decode($file, true); } $response = $this->http->get($url); if ($response->getStatusCode() == 200) { return json_decode((string) $response->getBody(), true); } throw new Google_Exception( sprintf( 'Failed to retrieve verification certificates: "%s".', $response->getBody()->getContents() ), $response->getStatusCode() ); } // Gets federated sign-on certificates to use for verifying identity tokens. // Returns certs as array structure, where keys are key ids, and values // are PEM encoded certificates. private function getFederatedSignOnCerts() { $certs = null; if ($cache = $this->getCache()) { $cacheItem = $cache->getItem('federated_signon_certs_v3'); $certs = $cacheItem->get(); } if (!$certs) { $certs = $this->retrieveCertsFromLocation( self::FEDERATED_SIGNON_CERT_URL ); if ($cache) { $cacheItem->expiresAt(new DateTime('+1 hour')); $cacheItem->set($certs); $cache->save($cacheItem); } } if (!isset($certs['keys'])) { throw new InvalidArgumentException( 'federated sign-on certs expects "keys" to be set' ); } return $certs['keys']; } private function getJwtService() { $jwtClass = 'JWT'; if (class_exists('\Firebase\JWT\JWT')) { $jwtClass = 'Firebase\JWT\JWT'; } if (property_exists($jwtClass, 'leeway') && $jwtClass::$leeway < 1) { // Ensures JWT leeway is at least 1 // @see https://github.com/google/google-api-php-client/issues/827 $jwtClass::$leeway = 1; } return new $jwtClass; } private function getRsaClass() { if (class_exists('phpseclib\Crypt\RSA')) { return 'phpseclib\Crypt\RSA'; } return 'Crypt_RSA'; } private function getBigIntClass() { if (class_exists('phpseclib\Math\BigInteger')) { return 'phpseclib\Math\BigInteger'; } return 'Math_BigInteger'; } private function getOpenSslConstant() { if (class_exists('phpseclib\Crypt\RSA')) { return 'phpseclib\Crypt\RSA::MODE_OPENSSL'; } if (class_exists('Crypt_RSA')) { return 'CRYPT_RSA_MODE_OPENSSL'; } throw new \Exception('Cannot find RSA class'); } /** * phpseclib calls "phpinfo" by default, which requires special * whitelisting in the AppEngine VM environment. This function * sets constants to bypass the need for phpseclib to check phpinfo * * @see phpseclib/Math/BigInteger * @see https://github.com/GoogleCloudPlatform/getting-started-php/issues/85 */ private function setPhpsecConstants() { if (filter_var(getenv('GAE_VM'), FILTER_VALIDATE_BOOLEAN)) { if (!defined('MATH_BIGINTEGER_OPENSSL_ENABLED')) { define('MATH_BIGINTEGER_OPENSSL_ENABLED', true); } if (!defined('CRYPT_RSA_MODE')) { define('CRYPT_RSA_MODE', constant($this->getOpenSslConstant())); } } } } apiclient/src/Google/AccessToken/Revoke.php 0000644 00000004212 14736103211 0014662 0 ustar 00 <?php /* * Copyright 2008 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ use Google\Auth\HttpHandler\HttpHandlerFactory; use GuzzleHttp\ClientInterface; use GuzzleHttp\Psr7; use GuzzleHttp\Psr7\Request; /** * Wrapper around Google Access Tokens which provides convenience functions * */ class Google_AccessToken_Revoke { /** * @var GuzzleHttp\ClientInterface The http client */ private $http; /** * Instantiates the class, but does not initiate the login flow, leaving it * to the discretion of the caller. */ public function __construct(ClientInterface $http = null) { $this->http = $http; } /** * Revoke an OAuth2 access token or refresh token. This method will revoke the current access * token, if a token isn't provided. * * @param string|array $token The token (access token or a refresh token) that should be revoked. * @return boolean Returns True if the revocation was successful, otherwise False. */ public function revokeToken($token) { if (is_array($token)) { if (isset($token['refresh_token'])) { $token = $token['refresh_token']; } else { $token = $token['access_token']; } } $body = Psr7\stream_for(http_build_query(array('token' => $token))); $request = new Request( 'POST', Google_Client::OAUTH2_REVOKE_URI, [ 'Cache-Control' => 'no-store', 'Content-Type' => 'application/x-www-form-urlencoded', ], $body ); $httpHandler = HttpHandlerFactory::build($this->http); $response = $httpHandler($request); return $response->getStatusCode() == 200; } } apiclient/src/Google/Service/Resource.php 0000644 00000023403 14736103211 0014417 0 ustar 00 <?php /** * Copyright 2010 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ use GuzzleHttp\Psr7\Request; /** * Implements the actual methods/resources of the discovered Google API using magic function * calling overloading (__call()), which on call will see if the method name (plus.activities.list) * is available in this service, and if so construct an apiHttpRequest representing it. * */ class Google_Service_Resource { // Valid query parameters that work, but don't appear in discovery. private $stackParameters = array( 'alt' => array('type' => 'string', 'location' => 'query'), 'fields' => array('type' => 'string', 'location' => 'query'), 'trace' => array('type' => 'string', 'location' => 'query'), 'userIp' => array('type' => 'string', 'location' => 'query'), 'quotaUser' => array('type' => 'string', 'location' => 'query'), 'data' => array('type' => 'string', 'location' => 'body'), 'mimeType' => array('type' => 'string', 'location' => 'header'), 'uploadType' => array('type' => 'string', 'location' => 'query'), 'mediaUpload' => array('type' => 'complex', 'location' => 'query'), 'prettyPrint' => array('type' => 'string', 'location' => 'query'), ); /** @var string $rootUrl */ private $rootUrl; /** @var Google_Client $client */ private $client; /** @var string $serviceName */ private $serviceName; /** @var string $servicePath */ private $servicePath; /** @var string $resourceName */ private $resourceName; /** @var array $methods */ private $methods; public function __construct($service, $serviceName, $resourceName, $resource) { $this->rootUrl = $service->rootUrl; $this->client = $service->getClient(); $this->servicePath = $service->servicePath; $this->serviceName = $serviceName; $this->resourceName = $resourceName; $this->methods = is_array($resource) && isset($resource['methods']) ? $resource['methods'] : array($resourceName => $resource); } /** * TODO: This function needs simplifying. * @param $name * @param $arguments * @param $expectedClass - optional, the expected class name * @return Google_Http_Request|expectedClass * @throws Google_Exception */ public function call($name, $arguments, $expectedClass = null) { if (! isset($this->methods[$name])) { $this->client->getLogger()->error( 'Service method unknown', array( 'service' => $this->serviceName, 'resource' => $this->resourceName, 'method' => $name ) ); throw new Google_Exception( "Unknown function: " . "{$this->serviceName}->{$this->resourceName}->{$name}()" ); } $method = $this->methods[$name]; $parameters = $arguments[0]; // postBody is a special case since it's not defined in the discovery // document as parameter, but we abuse the param entry for storing it. $postBody = null; if (isset($parameters['postBody'])) { if ($parameters['postBody'] instanceof Google_Model) { // In the cases the post body is an existing object, we want // to use the smart method to create a simple object for // for JSONification. $parameters['postBody'] = $parameters['postBody']->toSimpleObject(); } else if (is_object($parameters['postBody'])) { // If the post body is another kind of object, we will try and // wrangle it into a sensible format. $parameters['postBody'] = $this->convertToArrayAndStripNulls($parameters['postBody']); } $postBody = (array) $parameters['postBody']; unset($parameters['postBody']); } // TODO: optParams here probably should have been // handled already - this may well be redundant code. if (isset($parameters['optParams'])) { $optParams = $parameters['optParams']; unset($parameters['optParams']); $parameters = array_merge($parameters, $optParams); } if (!isset($method['parameters'])) { $method['parameters'] = array(); } $method['parameters'] = array_merge( $this->stackParameters, $method['parameters'] ); foreach ($parameters as $key => $val) { if ($key != 'postBody' && ! isset($method['parameters'][$key])) { $this->client->getLogger()->error( 'Service parameter unknown', array( 'service' => $this->serviceName, 'resource' => $this->resourceName, 'method' => $name, 'parameter' => $key ) ); throw new Google_Exception("($name) unknown parameter: '$key'"); } } foreach ($method['parameters'] as $paramName => $paramSpec) { if (isset($paramSpec['required']) && $paramSpec['required'] && ! isset($parameters[$paramName]) ) { $this->client->getLogger()->error( 'Service parameter missing', array( 'service' => $this->serviceName, 'resource' => $this->resourceName, 'method' => $name, 'parameter' => $paramName ) ); throw new Google_Exception("($name) missing required param: '$paramName'"); } if (isset($parameters[$paramName])) { $value = $parameters[$paramName]; $parameters[$paramName] = $paramSpec; $parameters[$paramName]['value'] = $value; unset($parameters[$paramName]['required']); } else { // Ensure we don't pass nulls. unset($parameters[$paramName]); } } $this->client->getLogger()->info( 'Service Call', array( 'service' => $this->serviceName, 'resource' => $this->resourceName, 'method' => $name, 'arguments' => $parameters, ) ); // build the service uri $url = $this->createRequestUri( $method['path'], $parameters ); // NOTE: because we're creating the request by hand, // and because the service has a rootUrl property // the "base_uri" of the Http Client is not accounted for $request = new Request( $method['httpMethod'], $url, ['content-type' => 'application/json'], $postBody ? json_encode($postBody) : '' ); // support uploads if (isset($parameters['data'])) { $mimeType = isset($parameters['mimeType']) ? $parameters['mimeType']['value'] : 'application/octet-stream'; $data = $parameters['data']['value']; $upload = new Google_Http_MediaFileUpload($this->client, $request, $mimeType, $data); // pull down the modified request $request = $upload->getRequest(); } // if this is a media type, we will return the raw response // rather than using an expected class if (isset($parameters['alt']) && $parameters['alt']['value'] == 'media') { $expectedClass = null; } // if the client is marked for deferring, rather than // execute the request, return the response if ($this->client->shouldDefer()) { // @TODO find a better way to do this $request = $request ->withHeader('X-Php-Expected-Class', $expectedClass); return $request; } return $this->client->execute($request, $expectedClass); } protected function convertToArrayAndStripNulls($o) { $o = (array) $o; foreach ($o as $k => $v) { if ($v === null) { unset($o[$k]); } elseif (is_object($v) || is_array($v)) { $o[$k] = $this->convertToArrayAndStripNulls($o[$k]); } } return $o; } /** * Parse/expand request parameters and create a fully qualified * request uri. * @static * @param string $restPath * @param array $params * @return string $requestUrl */ public function createRequestUri($restPath, $params) { // Override the default servicePath address if the $restPath use a / if ('/' == substr($restPath, 0, 1)) { $requestUrl = substr($restPath, 1); } else { $requestUrl = $this->servicePath . $restPath; } // code for leading slash if ($this->rootUrl) { if ('/' !== substr($this->rootUrl, -1) && '/' !== substr($requestUrl, 0, 1)) { $requestUrl = '/' . $requestUrl; } $requestUrl = $this->rootUrl . $requestUrl; } $uriTemplateVars = array(); $queryVars = array(); foreach ($params as $paramName => $paramSpec) { if ($paramSpec['type'] == 'boolean') { $paramSpec['value'] = $paramSpec['value'] ? 'true' : 'false'; } if ($paramSpec['location'] == 'path') { $uriTemplateVars[$paramName] = $paramSpec['value']; } else if ($paramSpec['location'] == 'query') { if (is_array($paramSpec['value'])) { foreach ($paramSpec['value'] as $value) { $queryVars[] = $paramName . '=' . rawurlencode(rawurldecode($value)); } } else { $queryVars[] = $paramName . '=' . rawurlencode(rawurldecode($paramSpec['value'])); } } } if (count($uriTemplateVars)) { $uriTemplateParser = new Google_Utils_UriTemplate(); $requestUrl = $uriTemplateParser->parse($requestUrl, $uriTemplateVars); } if (count($queryVars)) { $requestUrl .= '?' . implode('&', $queryVars); } return $requestUrl; } } apiclient/src/Google/Service/Exception.php 0000644 00000003431 14736103211 0014565 0 ustar 00 <?php /* * Copyright 2014 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ class Google_Service_Exception extends Google_Exception { /** * Optional list of errors returned in a JSON body of an HTTP error response. */ protected $errors = array(); /** * Override default constructor to add the ability to set $errors and a retry * map. * * @param string $message * @param int $code * @param Exception|null $previous * @param [{string, string}] errors List of errors returned in an HTTP * response. Defaults to []. */ public function __construct( $message, $code = 0, Exception $previous = null, $errors = array() ) { if (version_compare(PHP_VERSION, '5.3.0') >= 0) { parent::__construct($message, $code, $previous); } else { parent::__construct($message, $code); } $this->errors = $errors; } /** * An example of the possible errors returned. * * { * "domain": "global", * "reason": "authError", * "message": "Invalid Credentials", * "locationType": "header", * "location": "Authorization", * } * * @return [{string, string}] List of errors return in an HTTP response or []. */ public function getErrors() { return $this->errors; } } apiclient/src/Google/Service/README.md 0000644 00000000301 14736103211 0013366 0 ustar 00 # Google API Client Services Google API Client Service classes have been moved to the [google-api-php-client-services](https://github.com/google/google-api-php-client-services) repository. apiclient/src/Google/Client.php 0000644 00000104774 14736103211 0012461 0 ustar 00 <?php /* * Copyright 2010 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ use Google\Auth\ApplicationDefaultCredentials; use Google\Auth\Cache\MemoryCacheItemPool; use Google\Auth\CredentialsLoader; use Google\Auth\HttpHandler\HttpHandlerFactory; use Google\Auth\OAuth2; use Google\Auth\Credentials\ServiceAccountCredentials; use Google\Auth\Credentials\UserRefreshCredentials; use GuzzleHttp\Client; use GuzzleHttp\ClientInterface; use GuzzleHttp\Ring\Client\StreamHandler; use Psr\Cache\CacheItemPoolInterface; use Psr\Http\Message\RequestInterface; use Psr\Log\LoggerInterface; use Monolog\Logger; use Monolog\Handler\StreamHandler as MonologStreamHandler; use Monolog\Handler\SyslogHandler as MonologSyslogHandler; /** * The Google API Client * https://github.com/google/google-api-php-client */ class Google_Client { const LIBVER = "2.7.0"; const USER_AGENT_SUFFIX = "google-api-php-client/"; const OAUTH2_REVOKE_URI = 'https://oauth2.googleapis.com/revoke'; const OAUTH2_TOKEN_URI = 'https://oauth2.googleapis.com/token'; const OAUTH2_AUTH_URL = 'https://accounts.google.com/o/oauth2/auth'; const API_BASE_PATH = 'https://www.googleapis.com'; /** * @var Google\Auth\OAuth2 $auth */ private $auth; /** * @var GuzzleHttp\ClientInterface $http */ private $http; /** * @var Psr\Cache\CacheItemPoolInterface $cache */ private $cache; /** * @var array access token */ private $token; /** * @var array $config */ private $config; /** * @var Psr\Log\LoggerInterface $logger */ private $logger; /** * @var boolean $deferExecution */ private $deferExecution = false; /** @var array $scopes */ // Scopes requested by the client protected $requestedScopes = []; /** * Construct the Google Client. * * @param array $config */ public function __construct(array $config = array()) { $this->config = array_merge( [ 'application_name' => '', // Don't change these unless you're working against a special development // or testing environment. 'base_path' => self::API_BASE_PATH, // https://developers.google.com/console 'client_id' => '', 'client_secret' => '', // Path to JSON credentials or an array representing those credentials // @see Google_Client::setAuthConfig 'credentials' => null, // @see Google_Client::setScopes 'scopes' => null, // Sets X-Goog-User-Project, which specifies a user project to bill // for access charges associated with the request 'quota_project' => null, 'redirect_uri' => null, 'state' => null, // Simple API access key, also from the API console. Ensure you get // a Server key, and not a Browser key. 'developer_key' => '', // For use with Google Cloud Platform // fetch the ApplicationDefaultCredentials, if applicable // @see https://developers.google.com/identity/protocols/application-default-credentials 'use_application_default_credentials' => false, 'signing_key' => null, 'signing_algorithm' => null, 'subject' => null, // Other OAuth2 parameters. 'hd' => '', 'prompt' => '', 'openid.realm' => '', 'include_granted_scopes' => null, 'login_hint' => '', 'request_visible_actions' => '', 'access_type' => 'online', 'approval_prompt' => 'auto', // Task Runner retry configuration // @see Google_Task_Runner 'retry' => array(), 'retry_map' => null, // cache config for downstream auth caching 'cache_config' => [], // function to be called when an access token is fetched // follows the signature function ($cacheKey, $accessToken) 'token_callback' => null, // Service class used in Google_Client::verifyIdToken. // Explicitly pass this in to avoid setting JWT::$leeway 'jwt' => null, // Setting api_format_v2 will return more detailed error messages // from certain APIs. 'api_format_v2' => false ], $config ); if (!is_null($this->config['credentials'])) { $this->setAuthConfig($this->config['credentials']); unset($this->config['credentials']); } if (!is_null($this->config['scopes'])) { $this->setScopes($this->config['scopes']); unset($this->config['scopes']); } } /** * Get a string containing the version of the library. * * @return string */ public function getLibraryVersion() { return self::LIBVER; } /** * For backwards compatibility * alias for fetchAccessTokenWithAuthCode * * @param $code string code from accounts.google.com * @return array access token * @deprecated */ public function authenticate($code) { return $this->fetchAccessTokenWithAuthCode($code); } /** * Attempt to exchange a code for an valid authentication token. * Helper wrapped around the OAuth 2.0 implementation. * * @param $code string code from accounts.google.com * @return array access token */ public function fetchAccessTokenWithAuthCode($code) { if (strlen($code) == 0) { throw new InvalidArgumentException("Invalid code"); } $auth = $this->getOAuth2Service(); $auth->setCode($code); $auth->setRedirectUri($this->getRedirectUri()); $httpHandler = HttpHandlerFactory::build($this->getHttpClient()); $creds = $auth->fetchAuthToken($httpHandler); if ($creds && isset($creds['access_token'])) { $creds['created'] = time(); $this->setAccessToken($creds); } return $creds; } /** * For backwards compatibility * alias for fetchAccessTokenWithAssertion * * @return array access token * @deprecated */ public function refreshTokenWithAssertion() { return $this->fetchAccessTokenWithAssertion(); } /** * Fetches a fresh access token with a given assertion token. * @param ClientInterface $authHttp optional. * @return array access token */ public function fetchAccessTokenWithAssertion(ClientInterface $authHttp = null) { if (!$this->isUsingApplicationDefaultCredentials()) { throw new DomainException( 'set the JSON service account credentials using' . ' Google_Client::setAuthConfig or set the path to your JSON file' . ' with the "GOOGLE_APPLICATION_CREDENTIALS" environment variable' . ' and call Google_Client::useApplicationDefaultCredentials to' . ' refresh a token with assertion.' ); } $this->getLogger()->log( 'info', 'OAuth2 access token refresh with Signed JWT assertion grants.' ); $credentials = $this->createApplicationDefaultCredentials(); $httpHandler = HttpHandlerFactory::build($authHttp); $creds = $credentials->fetchAuthToken($httpHandler); if ($creds && isset($creds['access_token'])) { $creds['created'] = time(); $this->setAccessToken($creds); } return $creds; } /** * For backwards compatibility * alias for fetchAccessTokenWithRefreshToken * * @param string $refreshToken * @return array access token */ public function refreshToken($refreshToken) { return $this->fetchAccessTokenWithRefreshToken($refreshToken); } /** * Fetches a fresh OAuth 2.0 access token with the given refresh token. * @param string $refreshToken * @return array access token */ public function fetchAccessTokenWithRefreshToken($refreshToken = null) { if (null === $refreshToken) { if (!isset($this->token['refresh_token'])) { throw new LogicException( 'refresh token must be passed in or set as part of setAccessToken' ); } $refreshToken = $this->token['refresh_token']; } $this->getLogger()->info('OAuth2 access token refresh'); $auth = $this->getOAuth2Service(); $auth->setRefreshToken($refreshToken); $httpHandler = HttpHandlerFactory::build($this->getHttpClient()); $creds = $auth->fetchAuthToken($httpHandler); if ($creds && isset($creds['access_token'])) { $creds['created'] = time(); if (!isset($creds['refresh_token'])) { $creds['refresh_token'] = $refreshToken; } $this->setAccessToken($creds); } return $creds; } /** * Create a URL to obtain user authorization. * The authorization endpoint allows the user to first * authenticate, and then grant/deny the access request. * @param string|array $scope The scope is expressed as an array or list of space-delimited strings. * @return string */ public function createAuthUrl($scope = null) { if (empty($scope)) { $scope = $this->prepareScopes(); } if (is_array($scope)) { $scope = implode(' ', $scope); } // only accept one of prompt or approval_prompt $approvalPrompt = $this->config['prompt'] ? null : $this->config['approval_prompt']; // include_granted_scopes should be string "true", string "false", or null $includeGrantedScopes = $this->config['include_granted_scopes'] === null ? null : var_export($this->config['include_granted_scopes'], true); $params = array_filter( [ 'access_type' => $this->config['access_type'], 'approval_prompt' => $approvalPrompt, 'hd' => $this->config['hd'], 'include_granted_scopes' => $includeGrantedScopes, 'login_hint' => $this->config['login_hint'], 'openid.realm' => $this->config['openid.realm'], 'prompt' => $this->config['prompt'], 'response_type' => 'code', 'scope' => $scope, 'state' => $this->config['state'], ] ); // If the list of scopes contains plus.login, add request_visible_actions // to auth URL. $rva = $this->config['request_visible_actions']; if (strlen($rva) > 0 && false !== strpos($scope, 'plus.login')) { $params['request_visible_actions'] = $rva; } $auth = $this->getOAuth2Service(); return (string) $auth->buildFullAuthorizationUri($params); } /** * Adds auth listeners to the HTTP client based on the credentials * set in the Google API Client object * * @param GuzzleHttp\ClientInterface $http the http client object. * @return GuzzleHttp\ClientInterface the http client object */ public function authorize(ClientInterface $http = null) { $credentials = null; $token = null; $scopes = null; if (null === $http) { $http = $this->getHttpClient(); } // These conditionals represent the decision tree for authentication // 1. Check for Application Default Credentials // 2. Check for API Key // 3a. Check for an Access Token // 3b. If access token exists but is expired, try to refresh it if ($this->isUsingApplicationDefaultCredentials()) { $credentials = $this->createApplicationDefaultCredentials(); } elseif ($token = $this->getAccessToken()) { $scopes = $this->prepareScopes(); // add refresh subscriber to request a new token if (isset($token['refresh_token']) && $this->isAccessTokenExpired()) { $credentials = $this->createUserRefreshCredentials( $scopes, $token['refresh_token'] ); } } $authHandler = $this->getAuthHandler(); if ($credentials) { $callback = $this->config['token_callback']; $http = $authHandler->attachCredentials($http, $credentials, $callback); } elseif ($token) { $http = $authHandler->attachToken($http, $token, (array) $scopes); } elseif ($key = $this->config['developer_key']) { $http = $authHandler->attachKey($http, $key); } return $http; } /** * Set the configuration to use application default credentials for * authentication * * @see https://developers.google.com/identity/protocols/application-default-credentials * @param boolean $useAppCreds */ public function useApplicationDefaultCredentials($useAppCreds = true) { $this->config['use_application_default_credentials'] = $useAppCreds; } /** * To prevent useApplicationDefaultCredentials from inappropriately being * called in a conditional * * @see https://developers.google.com/identity/protocols/application-default-credentials */ public function isUsingApplicationDefaultCredentials() { return $this->config['use_application_default_credentials']; } /** * Set the access token used for requests. * * Note that at the time requests are sent, tokens are cached. A token will be * cached for each combination of service and authentication scopes. If a * cache pool is not provided, creating a new instance of the client will * allow modification of access tokens. If a persistent cache pool is * provided, in order to change the access token, you must clear the cached * token by calling `$client->getCache()->clear()`. (Use caution in this case, * as calling `clear()` will remove all cache items, including any items not * related to Google API PHP Client.) * * @param string|array $token * @throws InvalidArgumentException */ public function setAccessToken($token) { if (is_string($token)) { if ($json = json_decode($token, true)) { $token = $json; } else { // assume $token is just the token string $token = array( 'access_token' => $token, ); } } if ($token == null) { throw new InvalidArgumentException('invalid json token'); } if (!isset($token['access_token'])) { throw new InvalidArgumentException("Invalid token format"); } $this->token = $token; } public function getAccessToken() { return $this->token; } /** * @return string|null */ public function getRefreshToken() { if (isset($this->token['refresh_token'])) { return $this->token['refresh_token']; } return null; } /** * Returns if the access_token is expired. * @return bool Returns True if the access_token is expired. */ public function isAccessTokenExpired() { if (!$this->token) { return true; } $created = 0; if (isset($this->token['created'])) { $created = $this->token['created']; } elseif (isset($this->token['id_token'])) { // check the ID token for "iat" // signature verification is not required here, as we are just // using this for convenience to save a round trip request // to the Google API server $idToken = $this->token['id_token']; if (substr_count($idToken, '.') == 2) { $parts = explode('.', $idToken); $payload = json_decode(base64_decode($parts[1]), true); if ($payload && isset($payload['iat'])) { $created = $payload['iat']; } } } // If the token is set to expire in the next 30 seconds. return ($created + ($this->token['expires_in'] - 30)) < time(); } /** * @deprecated See UPGRADING.md for more information */ public function getAuth() { throw new BadMethodCallException( 'This function no longer exists. See UPGRADING.md for more information' ); } /** * @deprecated See UPGRADING.md for more information */ public function setAuth($auth) { throw new BadMethodCallException( 'This function no longer exists. See UPGRADING.md for more information' ); } /** * Set the OAuth 2.0 Client ID. * @param string $clientId */ public function setClientId($clientId) { $this->config['client_id'] = $clientId; } public function getClientId() { return $this->config['client_id']; } /** * Set the OAuth 2.0 Client Secret. * @param string $clientSecret */ public function setClientSecret($clientSecret) { $this->config['client_secret'] = $clientSecret; } public function getClientSecret() { return $this->config['client_secret']; } /** * Set the OAuth 2.0 Redirect URI. * @param string $redirectUri */ public function setRedirectUri($redirectUri) { $this->config['redirect_uri'] = $redirectUri; } public function getRedirectUri() { return $this->config['redirect_uri']; } /** * Set OAuth 2.0 "state" parameter to achieve per-request customization. * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.1.2.2 * @param string $state */ public function setState($state) { $this->config['state'] = $state; } /** * @param string $accessType Possible values for access_type include: * {@code "offline"} to request offline access from the user. * {@code "online"} to request online access from the user. */ public function setAccessType($accessType) { $this->config['access_type'] = $accessType; } /** * @param string $approvalPrompt Possible values for approval_prompt include: * {@code "force"} to force the approval UI to appear. * {@code "auto"} to request auto-approval when possible. (This is the default value) */ public function setApprovalPrompt($approvalPrompt) { $this->config['approval_prompt'] = $approvalPrompt; } /** * Set the login hint, email address or sub id. * @param string $loginHint */ public function setLoginHint($loginHint) { $this->config['login_hint'] = $loginHint; } /** * Set the application name, this is included in the User-Agent HTTP header. * @param string $applicationName */ public function setApplicationName($applicationName) { $this->config['application_name'] = $applicationName; } /** * If 'plus.login' is included in the list of requested scopes, you can use * this method to define types of app activities that your app will write. * You can find a list of available types here: * @link https://developers.google.com/+/api/moment-types * * @param array $requestVisibleActions Array of app activity types */ public function setRequestVisibleActions($requestVisibleActions) { if (is_array($requestVisibleActions)) { $requestVisibleActions = implode(" ", $requestVisibleActions); } $this->config['request_visible_actions'] = $requestVisibleActions; } /** * Set the developer key to use, these are obtained through the API Console. * @see http://code.google.com/apis/console-help/#generatingdevkeys * @param string $developerKey */ public function setDeveloperKey($developerKey) { $this->config['developer_key'] = $developerKey; } /** * Set the hd (hosted domain) parameter streamlines the login process for * Google Apps hosted accounts. By including the domain of the user, you * restrict sign-in to accounts at that domain. * @param $hd string - the domain to use. */ public function setHostedDomain($hd) { $this->config['hd'] = $hd; } /** * Set the prompt hint. Valid values are none, consent and select_account. * If no value is specified and the user has not previously authorized * access, then the user is shown a consent screen. * @param $prompt string * {@code "none"} Do not display any authentication or consent screens. Must not be specified with other values. * {@code "consent"} Prompt the user for consent. * {@code "select_account"} Prompt the user to select an account. */ public function setPrompt($prompt) { $this->config['prompt'] = $prompt; } /** * openid.realm is a parameter from the OpenID 2.0 protocol, not from OAuth * 2.0. It is used in OpenID 2.0 requests to signify the URL-space for which * an authentication request is valid. * @param $realm string - the URL-space to use. */ public function setOpenidRealm($realm) { $this->config['openid.realm'] = $realm; } /** * If this is provided with the value true, and the authorization request is * granted, the authorization will include any previous authorizations * granted to this user/application combination for other scopes. * @param $include boolean - the URL-space to use. */ public function setIncludeGrantedScopes($include) { $this->config['include_granted_scopes'] = $include; } /** * sets function to be called when an access token is fetched * @param callable $tokenCallback - function ($cacheKey, $accessToken) */ public function setTokenCallback(callable $tokenCallback) { $this->config['token_callback'] = $tokenCallback; } /** * Revoke an OAuth2 access token or refresh token. This method will revoke the current access * token, if a token isn't provided. * * @param string|array|null $token The token (access token or a refresh token) that should be revoked. * @return boolean Returns True if the revocation was successful, otherwise False. */ public function revokeToken($token = null) { $tokenRevoker = new Google_AccessToken_Revoke( $this->getHttpClient() ); return $tokenRevoker->revokeToken($token ?: $this->getAccessToken()); } /** * Verify an id_token. This method will verify the current id_token, if one * isn't provided. * * @throws LogicException If no token was provided and no token was set using `setAccessToken`. * @throws UnexpectedValueException If the token is not a valid JWT. * @param string|null $idToken The token (id_token) that should be verified. * @return array|false Returns the token payload as an array if the verification was * successful, false otherwise. */ public function verifyIdToken($idToken = null) { $tokenVerifier = new Google_AccessToken_Verify( $this->getHttpClient(), $this->getCache(), $this->config['jwt'] ); if (null === $idToken) { $token = $this->getAccessToken(); if (!isset($token['id_token'])) { throw new LogicException( 'id_token must be passed in or set as part of setAccessToken' ); } $idToken = $token['id_token']; } return $tokenVerifier->verifyIdToken( $idToken, $this->getClientId() ); } /** * Set the scopes to be requested. Must be called before createAuthUrl(). * Will remove any previously configured scopes. * @param string|array $scope_or_scopes, ie: * array( * 'https://www.googleapis.com/auth/plus.login', * 'https://www.googleapis.com/auth/moderator' * ); */ public function setScopes($scope_or_scopes) { $this->requestedScopes = array(); $this->addScope($scope_or_scopes); } /** * This functions adds a scope to be requested as part of the OAuth2.0 flow. * Will append any scopes not previously requested to the scope parameter. * A single string will be treated as a scope to request. An array of strings * will each be appended. * @param $scope_or_scopes string|array e.g. "profile" */ public function addScope($scope_or_scopes) { if (is_string($scope_or_scopes) && !in_array($scope_or_scopes, $this->requestedScopes)) { $this->requestedScopes[] = $scope_or_scopes; } else if (is_array($scope_or_scopes)) { foreach ($scope_or_scopes as $scope) { $this->addScope($scope); } } } /** * Returns the list of scopes requested by the client * @return array the list of scopes * */ public function getScopes() { return $this->requestedScopes; } /** * @return string|null * @visible For Testing */ public function prepareScopes() { if (empty($this->requestedScopes)) { return null; } return implode(' ', $this->requestedScopes); } /** * Helper method to execute deferred HTTP requests. * * @param $request Psr\Http\Message\RequestInterface|Google_Http_Batch * @param string $expectedClass * @throws Google_Exception * @return object of the type of the expected class or Psr\Http\Message\ResponseInterface. */ public function execute(RequestInterface $request, $expectedClass = null) { $request = $request ->withHeader( 'User-Agent', sprintf( '%s %s%s', $this->config['application_name'], self::USER_AGENT_SUFFIX, $this->getLibraryVersion() ) ) ->withHeader( 'x-goog-api-client', sprintf( 'gl-php/%s gdcl/%s', phpversion(), $this->getLibraryVersion() ) ); if ($this->config['api_format_v2']) { $request = $request->withHeader( 'X-GOOG-API-FORMAT-VERSION', 2 ); } // call the authorize method // this is where most of the grunt work is done $http = $this->authorize(); return Google_Http_REST::execute( $http, $request, $expectedClass, $this->config['retry'], $this->config['retry_map'] ); } /** * Declare whether batch calls should be used. This may increase throughput * by making multiple requests in one connection. * * @param boolean $useBatch True if the batch support should * be enabled. Defaults to False. */ public function setUseBatch($useBatch) { // This is actually an alias for setDefer. $this->setDefer($useBatch); } /** * Are we running in Google AppEngine? * return bool */ public function isAppEngine() { return (isset($_SERVER['SERVER_SOFTWARE']) && strpos($_SERVER['SERVER_SOFTWARE'], 'Google App Engine') !== false); } public function setConfig($name, $value) { $this->config[$name] = $value; } public function getConfig($name, $default = null) { return isset($this->config[$name]) ? $this->config[$name] : $default; } /** * For backwards compatibility * alias for setAuthConfig * * @param string $file the configuration file * @throws Google_Exception * @deprecated */ public function setAuthConfigFile($file) { $this->setAuthConfig($file); } /** * Set the auth config from new or deprecated JSON config. * This structure should match the file downloaded from * the "Download JSON" button on in the Google Developer * Console. * @param string|array $config the configuration json * @throws Google_Exception */ public function setAuthConfig($config) { if (is_string($config)) { if (!file_exists($config)) { throw new InvalidArgumentException(sprintf('file "%s" does not exist', $config)); } $json = file_get_contents($config); if (!$config = json_decode($json, true)) { throw new LogicException('invalid json for auth config'); } } $key = isset($config['installed']) ? 'installed' : 'web'; if (isset($config['type']) && $config['type'] == 'service_account') { // application default credentials $this->useApplicationDefaultCredentials(); // set the information from the config $this->setClientId($config['client_id']); $this->config['client_email'] = $config['client_email']; $this->config['signing_key'] = $config['private_key']; $this->config['signing_algorithm'] = 'HS256'; } elseif (isset($config[$key])) { // old-style $this->setClientId($config[$key]['client_id']); $this->setClientSecret($config[$key]['client_secret']); if (isset($config[$key]['redirect_uris'])) { $this->setRedirectUri($config[$key]['redirect_uris'][0]); } } else { // new-style $this->setClientId($config['client_id']); $this->setClientSecret($config['client_secret']); if (isset($config['redirect_uris'])) { $this->setRedirectUri($config['redirect_uris'][0]); } } } /** * Use when the service account has been delegated domain wide access. * * @param string $subject an email address account to impersonate */ public function setSubject($subject) { $this->config['subject'] = $subject; } /** * Declare whether making API calls should make the call immediately, or * return a request which can be called with ->execute(); * * @param boolean $defer True if calls should not be executed right away. */ public function setDefer($defer) { $this->deferExecution = $defer; } /** * Whether or not to return raw requests * @return boolean */ public function shouldDefer() { return $this->deferExecution; } /** * @return Google\Auth\OAuth2 implementation */ public function getOAuth2Service() { if (!isset($this->auth)) { $this->auth = $this->createOAuth2Service(); } return $this->auth; } /** * create a default google auth object */ protected function createOAuth2Service() { $auth = new OAuth2( [ 'clientId' => $this->getClientId(), 'clientSecret' => $this->getClientSecret(), 'authorizationUri' => self::OAUTH2_AUTH_URL, 'tokenCredentialUri' => self::OAUTH2_TOKEN_URI, 'redirectUri' => $this->getRedirectUri(), 'issuer' => $this->config['client_id'], 'signingKey' => $this->config['signing_key'], 'signingAlgorithm' => $this->config['signing_algorithm'], ] ); return $auth; } /** * Set the Cache object * @param Psr\Cache\CacheItemPoolInterface $cache */ public function setCache(CacheItemPoolInterface $cache) { $this->cache = $cache; } /** * @return Psr\Cache\CacheItemPoolInterface Cache implementation */ public function getCache() { if (!$this->cache) { $this->cache = $this->createDefaultCache(); } return $this->cache; } /** * @param array $cacheConfig */ public function setCacheConfig(array $cacheConfig) { $this->config['cache_config'] = $cacheConfig; } /** * Set the Logger object * @param Psr\Log\LoggerInterface $logger */ public function setLogger(LoggerInterface $logger) { $this->logger = $logger; } /** * @return Psr\Log\LoggerInterface implementation */ public function getLogger() { if (!isset($this->logger)) { $this->logger = $this->createDefaultLogger(); } return $this->logger; } protected function createDefaultLogger() { $logger = new Logger('google-api-php-client'); if ($this->isAppEngine()) { $handler = new MonologSyslogHandler('app', LOG_USER, Logger::NOTICE); } else { $handler = new MonologStreamHandler('php://stderr', Logger::NOTICE); } $logger->pushHandler($handler); return $logger; } protected function createDefaultCache() { return new MemoryCacheItemPool; } /** * Set the Http Client object * @param GuzzleHttp\ClientInterface $http */ public function setHttpClient(ClientInterface $http) { $this->http = $http; } /** * @return GuzzleHttp\ClientInterface implementation */ public function getHttpClient() { if (null === $this->http) { $this->http = $this->createDefaultHttpClient(); } return $this->http; } /** * Set the API format version. * * `true` will use V2, which may return more useful error messages. * * @param bool $value */ public function setApiFormatV2($value) { $this->config['api_format_v2'] = (bool) $value; } protected function createDefaultHttpClient() { $guzzleVersion = null; if (defined('\GuzzleHttp\ClientInterface::MAJOR_VERSION')) { $guzzleVersion = ClientInterface::MAJOR_VERSION; } elseif (defined('\GuzzleHttp\ClientInterface::VERSION')) { $guzzleVersion = (int)substr(ClientInterface::VERSION, 0, 1); } $options = ['exceptions' => false]; if (5 === $guzzleVersion) { $options = [ 'base_url' => $this->config['base_path'], 'defaults' => $options, ]; if ($this->isAppEngine()) { // set StreamHandler on AppEngine by default $options['handler'] = new StreamHandler(); $options['defaults']['verify'] = '/etc/ca-certificates.crt'; } } elseif (6 === $guzzleVersion || 7 === $guzzleVersion) { // guzzle 6 or 7 $options['base_uri'] = $this->config['base_path']; } else { throw new LogicException('Could not find supported version of Guzzle.'); } return new Client($options); } private function createApplicationDefaultCredentials() { $scopes = $this->prepareScopes(); $sub = $this->config['subject']; $signingKey = $this->config['signing_key']; // create credentials using values supplied in setAuthConfig if ($signingKey) { $serviceAccountCredentials = array( 'client_id' => $this->config['client_id'], 'client_email' => $this->config['client_email'], 'private_key' => $signingKey, 'type' => 'service_account', 'quota_project' => $this->config['quota_project'], ); $credentials = CredentialsLoader::makeCredentials( $scopes, $serviceAccountCredentials ); } else { $credentials = ApplicationDefaultCredentials::getCredentials( $scopes, null, null, null, $this->config['quota_project'] ); } // for service account domain-wide authority (impersonating a user) // @see https://developers.google.com/identity/protocols/OAuth2ServiceAccount if ($sub) { if (!$credentials instanceof ServiceAccountCredentials) { throw new DomainException('domain-wide authority requires service account credentials'); } $credentials->setSub($sub); } return $credentials; } protected function getAuthHandler() { // Be very careful using the cache, as the underlying auth library's cache // implementation is naive, and the cache keys do not account for user // sessions. // // @see https://github.com/google/google-api-php-client/issues/821 return Google_AuthHandler_AuthHandlerFactory::build( $this->getCache(), $this->config['cache_config'] ); } private function createUserRefreshCredentials($scope, $refreshToken) { $creds = array_filter( array( 'client_id' => $this->getClientId(), 'client_secret' => $this->getClientSecret(), 'refresh_token' => $refreshToken, ) ); return new UserRefreshCredentials($scope, $creds); } } apiclient/README.md 0000644 00000041270 14736103211 0007775 0 ustar 00 ![](https://github.com/googleapis/google-api-php-client/workflows/.github/workflows/tests.yml/badge.svg) # Google APIs Client Library for PHP # The Google API Client Library enables you to work with Google APIs such as Gmail, Drive or YouTube on your server. These client libraries are officially supported by Google. However, the libraries are considered complete and are in maintenance mode. This means that we will address critical bugs and security issues but will not add any new features. **NOTE** The actively maintained (v2) version of this client requires PHP 5.4 or above. If you require support for PHP 5.2 or 5.3, use the v1 branch. ## Google Cloud Platform For Google Cloud Platform APIs such as Datastore, Cloud Storage or Pub/Sub, we recommend using [GoogleCloudPlatform/google-cloud-php](https://github.com/googleapis/google-cloud-php) which is under active development. ## Requirements ## * [PHP 5.4.0 or higher](https://www.php.net/) ## Developer Documentation ## The [docs folder](docs/) provides detailed guides for using this library. ## Installation ## You can use **Composer** or simply **Download the Release** ### Composer The preferred method is via [composer](https://getcomposer.org/). Follow the [installation instructions](https://getcomposer.org/doc/00-intro.md) if you do not already have composer installed. Once composer is installed, execute the following command in your project root to install this library: ```sh composer require google/apiclient:"^2.7" ``` Finally, be sure to include the autoloader: ```php require_once '/path/to/your-project/vendor/autoload.php'; ``` This library relies on `google/apiclient-services`. That library provides up-to-date API wrappers for a large number of Google APIs. In order that users may make use of the latest API clients, this library does not pin to a specific version of `google/apiclient-services`. **In order to prevent the accidental installation of API wrappers with breaking changes**, it is highly recommended that you pin to the [latest version](https://github.com/googleapis/google-api-php-client-services/releases) yourself prior to using this library in production. #### Cleaning up unused services There are over 200 Google API services. The chances are good that you will not want them all. In order to avoid shipping these dependencies with your code, you can run the `Google_Task_Composer::cleanup` task and specify the services you want to keep in `composer.json`: ```json { "require": { "google/apiclient": "^2.7" }, "scripts": { "post-update-cmd": "Google_Task_Composer::cleanup" }, "extra": { "google/apiclient-services": [ "Drive", "YouTube" ] } } ``` This example will remove all services other than "Drive" and "YouTube" when `composer update` or a fresh `composer install` is run. **IMPORTANT**: If you add any services back in `composer.json`, you will need to remove the `vendor/google/apiclient-services` directory explicity for the change you made to have effect: ```sh rm -r vendor/google/apiclient-services composer update ``` **NOTE**: This command performs an exact match on the service name, so to keep `YouTubeReporting` and `YouTubeAnalytics` as well, you'd need to add each of them explicitly: ```json { "extra": { "google/apiclient-services": [ "Drive", "YouTube", "YouTubeAnalytics", "YouTubeReporting" ] } } ``` ### Download the Release If you prefer not to use composer, you can download the package in its entirety. The [Releases](https://github.com/googleapis/google-api-php-client/releases) page lists all stable versions. Download any file with the name `google-api-php-client-[RELEASE_NAME].zip` for a package including this library and its dependencies. Uncompress the zip file you download, and include the autoloader in your project: ```php require_once '/path/to/google-api-php-client/vendor/autoload.php'; ``` For additional installation and setup instructions, see [the documentation](docs/). ## Examples ## See the [`examples/`](examples) directory for examples of the key client features. You can view them in your browser by running the php built-in web server. ``` $ php -S localhost:8000 -t examples/ ``` And then browsing to the host and port you specified (in the above example, `http://localhost:8000`). ### Basic Example ### ```php // include your composer dependencies require_once 'vendor/autoload.php'; $client = new Google_Client(); $client->setApplicationName("Client_Library_Examples"); $client->setDeveloperKey("YOUR_APP_KEY"); $service = new Google_Service_Books($client); $optParams = array('filter' => 'free-ebooks'); $results = $service->volumes->listVolumes('Henry David Thoreau', $optParams); foreach ($results->getItems() as $item) { echo $item['volumeInfo']['title'], "<br /> \n"; } ``` ### Authentication with OAuth ### > An example of this can be seen in [`examples/simple-file-upload.php`](examples/simple-file-upload.php). 1. Follow the instructions to [Create Web Application Credentials](docs/oauth-web.md#create-authorization-credentials) 1. Download the JSON credentials 1. Set the path to these credentials using `Google_Client::setAuthConfig`: ```php $client = new Google_Client(); $client->setAuthConfig('/path/to/client_credentials.json'); ``` 1. Set the scopes required for the API you are going to call ```php $client->addScope(Google_Service_Drive::DRIVE); ``` 1. Set your application's redirect URI ```php // Your redirect URI can be any registered URI, but in this example // we redirect back to this same page $redirect_uri = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; $client->setRedirectUri($redirect_uri); ``` 1. In the script handling the redirect URI, exchange the authorization code for an access token: ```php if (isset($_GET['code'])) { $token = $client->fetchAccessTokenWithAuthCode($_GET['code']); } ``` ### Authentication with Service Accounts ### > An example of this can be seen in [`examples/service-account.php`](examples/service-account.php). Some APIs (such as the [YouTube Data API](https://developers.google.com/youtube/v3/)) do not support service accounts. Check with the specific API documentation if API calls return unexpected 401 or 403 errors. 1. Follow the instructions to [Create a Service Account](docs/oauth-server.md#creating-a-service-account) 1. Download the JSON credentials 1. Set the path to these credentials using the `GOOGLE_APPLICATION_CREDENTIALS` environment variable: ```php putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json'); ``` 1. Tell the Google client to use your service account credentials to authenticate: ```php $client = new Google_Client(); $client->useApplicationDefaultCredentials(); ``` 1. Set the scopes required for the API you are going to call ```php $client->addScope(Google_Service_Drive::DRIVE); ``` 1. If you have delegated domain-wide access to the service account and you want to impersonate a user account, specify the email address of the user account using the method setSubject: ```php $client->setSubject($user_to_impersonate); ``` ### Making Requests ### The classes used to call the API in [google-api-php-client-services](https://github.com/googleapis/google-api-php-client-services) are autogenerated. They map directly to the JSON requests and responses found in the [APIs Explorer](https://developers.google.com/apis-explorer/#p/). A JSON request to the [Datastore API](https://developers.google.com/apis-explorer/#p/datastore/v1beta3/datastore.projects.runQuery) would look like this: ```json POST https://datastore.googleapis.com/v1beta3/projects/YOUR_PROJECT_ID:runQuery?key=YOUR_API_KEY { "query": { "kind": [{ "name": "Book" }], "order": [{ "property": { "name": "title" }, "direction": "descending" }], "limit": 10 } } ``` Using this library, the same call would look something like this: ```php // create the datastore service class $datastore = new Google_Service_Datastore($client); // build the query - this maps directly to the JSON $query = new Google_Service_Datastore_Query([ 'kind' => [ [ 'name' => 'Book', ], ], 'order' => [ 'property' => [ 'name' => 'title', ], 'direction' => 'descending', ], 'limit' => 10, ]); // build the request and response $request = new Google_Service_Datastore_RunQueryRequest(['query' => $query]); $response = $datastore->projects->runQuery('YOUR_DATASET_ID', $request); ``` However, as each property of the JSON API has a corresponding generated class, the above code could also be written like this: ```php // create the datastore service class $datastore = new Google_Service_Datastore($client); // build the query $request = new Google_Service_Datastore_RunQueryRequest(); $query = new Google_Service_Datastore_Query(); // - set the order $order = new Google_Service_Datastore_PropertyOrder(); $order->setDirection('descending'); $property = new Google_Service_Datastore_PropertyReference(); $property->setName('title'); $order->setProperty($property); $query->setOrder([$order]); // - set the kinds $kind = new Google_Service_Datastore_KindExpression(); $kind->setName('Book'); $query->setKinds([$kind]); // - set the limit $query->setLimit(10); // add the query to the request and make the request $request->setQuery($query); $response = $datastore->projects->runQuery('YOUR_DATASET_ID', $request); ``` The method used is a matter of preference, but *it will be very difficult to use this library without first understanding the JSON syntax for the API*, so it is recommended to look at the [APIs Explorer](https://developers.google.com/apis-explorer/#p/) before using any of the services here. ### Making HTTP Requests Directly ### If Google Authentication is desired for external applications, or a Google API is not available yet in this library, HTTP requests can be made directly. If you are installing this client only to authenticate your own HTTP client requests, you should use [`google/auth`](https://github.com/googleapis/google-auth-library-php#call-the-apis) instead. The `authorize` method returns an authorized [Guzzle Client](http://docs.guzzlephp.org/), so any request made using the client will contain the corresponding authorization. ```php // create the Google client $client = new Google_Client(); /** * Set your method for authentication. Depending on the API, This could be * directly with an access token, API key, or (recommended) using * Application Default Credentials. */ $client->useApplicationDefaultCredentials(); $client->addScope(Google_Service_Plus::PLUS_ME); // returns a Guzzle HTTP Client $httpClient = $client->authorize(); // make an HTTP request $response = $httpClient->get('https://www.googleapis.com/plus/v1/people/me'); ``` ### Caching ### It is recommended to use another caching library to improve performance. This can be done by passing a [PSR-6](https://www.php-fig.org/psr/psr-6/) compatible library to the client: ```php use League\Flysystem\Adapter\Local; use League\Flysystem\Filesystem; use Cache\Adapter\Filesystem\FilesystemCachePool; $filesystemAdapter = new Local(__DIR__.'/'); $filesystem = new Filesystem($filesystemAdapter); $cache = new FilesystemCachePool($filesystem); $client->setCache($cache); ``` In this example we use [PHP Cache](http://www.php-cache.com/). Add this to your project with composer: ``` composer require cache/filesystem-adapter ``` ### Updating Tokens ### When using [Refresh Tokens](https://developers.google.com/identity/protocols/OAuth2InstalledApp#offline) or [Service Account Credentials](https://developers.google.com/identity/protocols/OAuth2ServiceAccount#overview), it may be useful to perform some action when a new access token is granted. To do this, pass a callable to the `setTokenCallback` method on the client: ```php $logger = new Monolog\Logger; $tokenCallback = function ($cacheKey, $accessToken) use ($logger) { $logger->debug(sprintf('new access token received at cache key %s', $cacheKey)); }; $client->setTokenCallback($tokenCallback); ``` ### Debugging Your HTTP Request using Charles ### It is often very useful to debug your API calls by viewing the raw HTTP request. This library supports the use of [Charles Web Proxy](https://www.charlesproxy.com/documentation/getting-started/). Download and run Charles, and then capture all HTTP traffic through Charles with the following code: ```php // FOR DEBUGGING ONLY $httpClient = new GuzzleHttp\Client([ 'proxy' => 'localhost:8888', // by default, Charles runs on localhost port 8888 'verify' => false, // otherwise HTTPS requests will fail. ]); $client = new Google_Client(); $client->setHttpClient($httpClient); ``` Now all calls made by this library will appear in the Charles UI. One additional step is required in Charles to view SSL requests. Go to **Charles > Proxy > SSL Proxying Settings** and add the domain you'd like captured. In the case of the Google APIs, this is usually `*.googleapis.com`. ### Controlling HTTP Client Configuration Directly Google API Client uses [Guzzle](http://docs.guzzlephp.org/) as its default HTTP client. That means that you can control your HTTP requests in the same manner you would for any application using Guzzle. Let's say, for instance, we wished to apply a referrer to each request. ```php use GuzzleHttp\Client; $httpClient = new Client([ 'headers' => [ 'referer' => 'mysite.com' ] ]); $client = new Google_Client(); $client->setHttpClient($httpClient); ``` Other Guzzle features such as [Handlers and Middleware](http://docs.guzzlephp.org/en/stable/handlers-and-middleware.html) offer even more control. ### Service Specific Examples ### YouTube: https://github.com/youtube/api-samples/tree/master/php ## How Do I Contribute? ## Please see the [contributing](.github/CONTRIBUTING.md) page for more information. In particular, we love pull requests - but please make sure to sign the contributor license agreement. ## Frequently Asked Questions ## ### What do I do if something isn't working? ### For support with the library the best place to ask is via the google-api-php-client tag on StackOverflow: https://stackoverflow.com/questions/tagged/google-api-php-client If there is a specific bug with the library, please [file an issue](https://github.com/googleapis/google-api-php-client/issues) in the GitHub issues tracker, including an example of the failing code and any specific errors retrieved. Feature requests can also be filed, as long as they are core library requests, and not-API specific: for those, refer to the documentation for the individual APIs for the best place to file requests. Please try to provide a clear statement of the problem that the feature would address. ### I want an example of X! ### If X is a feature of the library, file away! If X is an example of using a specific service, the best place to go is to the teams for those specific APIs - our preference is to link to their examples rather than add them to the library, as they can then pin to specific versions of the library. If you have any examples for other APIs, let us know and we will happily add a link to the README above! ### Why does Google_..._Service have weird names? ### The _Service classes are generally automatically generated from the API discovery documents: https://developers.google.com/discovery/. Sometimes new features are added to APIs with unusual names, which can cause some unexpected or non-standard style naming in the PHP classes. ### How do I deal with non-JSON response types? ### Some services return XML or similar by default, rather than JSON, which is what the library supports. You can request a JSON response by adding an 'alt' argument to optional params that is normally the last argument to a method call: ``` $opt_params = array( 'alt' => "json" ); ``` ### How do I set a field to null? ### The library strips out nulls from the objects sent to the Google APIs as its the default value of all of the uninitialized properties. To work around this, set the field you want to null to `Google_Model::NULL_VALUE`. This is a placeholder that will be replaced with a true null when sent over the wire. ## Code Quality ## Run the PHPUnit tests with PHPUnit. You can configure an API key and token in BaseTest.php to run all calls, but this will require some setup on the Google Developer Console. phpunit tests/ ### Coding Style To check for coding style violations, run ``` vendor/bin/phpcs src --standard=style/ruleset.xml -np ``` To automatically fix (fixable) coding style violations, run ``` vendor/bin/phpcbf src --standard=style/ruleset.xml ``` apiclient/style/ruleset.xml 0000644 00000017404 14736103211 0012065 0 ustar 00 <?xml version="1.0"?> <ruleset name="GAPI"> <description>The Google API client library coding standard.</description> <!-- PHP code MUST use the long <?php ?> tags or the short-echo <?= ?> tags; it MUST NOT use the other tag variations. --> <rule ref="Generic.PHP.DisallowShortOpenTag.EchoFound"> <severity>0</severity> </rule> <!-- PHP code MUST use only UTF-8 without BOM. --> <rule ref="Generic.Files.ByteOrderMark"/> <!-- Check for duplicated class names --> <rule ref="Generic.Classes.DuplicateClassName" /> <!-- Class constants MUST be declared in all upper case with underscore separators. --> <rule ref="Generic.NamingConventions.UpperCaseConstantName"/> <!-- Method names MUST be declared in camelCase(). --> <rule ref="Generic.NamingConventions.CamelCapsFunctionName"> <properties> <property name="strict" value="false"/> </properties> <!-- Generated libs have some properties that break this! --> <exclude-pattern>Service/*.php</exclude-pattern> </rule> <!-- All PHP files MUST use the Unix LF (linefeed) line ending. --> <rule ref="Generic.Files.LineEndings"> <properties> <property name="eolChar" value="\n"/> </properties> </rule> <!-- All PHP files MUST end with a single blank line. --> <rule ref="PSR2.Files.EndFileNewline" /> <!-- The closing ?> tag MUST be omitted from files containing only PHP. --> <rule ref="Zend.Files.ClosingTag"/> <!-- The soft limit on line length MUST be 100 characters; automated style checkers MUST warn but MUST NOT error at the soft limit. --> <rule ref="Generic.Files.LineLength"> <properties> <property name="lineLimit" value="100"/> <property name="absoluteLineLimit" value="120"/> </properties> <!-- Generated libs have some rather long class names that break this! --> <exclude-pattern>Service/*.php</exclude-pattern> </rule> <!-- There MUST NOT be trailing whitespace at the end of non-blank lines. --> <rule ref="Squiz.WhiteSpace.SuperfluousWhitespace"> <properties> <property name="ignoreBlankLines" value="true"/> </properties> </rule> <rule ref="Squiz.WhiteSpace.SuperfluousWhitespace.StartFile"> <severity>0</severity> </rule> <rule ref="Squiz.WhiteSpace.SuperfluousWhitespace.EndFile"> <severity>0</severity> </rule> <rule ref="Squiz.WhiteSpace.SuperfluousWhitespace.EmptyLines"> <severity>0</severity> </rule> <!-- There MUST NOT be more than one statement per line. --> <rule ref="Generic.Formatting.DisallowMultipleStatements"/> <!-- Code MUST use an indent of 2 spaces, and MUST NOT use tabs for indenting. --> <rule ref="Generic.WhiteSpace.ScopeIndent"> <properties> <property name="indent" value="2" /> </properties> </rule> <rule ref="Generic.WhiteSpace.DisallowTabIndent"/> <!-- PHP keywords MUST be in lower case. --> <rule ref="Generic.PHP.LowerCaseKeyword"/> <!-- The PHP constants true, false, and null MUST be in lower case. --> <rule ref="Generic.PHP.LowerCaseConstant"/> <!-- The extends and implements keywords MUST be declared on the same line as the class name. The opening brace for the class go MUST go on its own line; the closing brace for the class MUST go on the next line after the body. Lists of implements MAY be split across multiple lines, where each subsequent line is indented once. When doing so, the first item in the list MUST be on the next line, and there MUST be only one interface per line. --> <rule ref="PSR2.Classes.ClassDeclaration" /> <!-- Visibility MUST be declared on all properties. The var keyword MUST NOT be used to declare a property. There MUST NOT be more than one property declared per statement. Property names SHOULD NOT be prefixed with a single underscore to indicate protected or private visibility. --> <rule ref="PSR2.Classes.PropertyDeclaration" /> <rule ref="PSR2.Classes.PropertyDeclaration.Underscore" /> <!-- Visibility MUST be declared on all methods. --> <rule ref="Squiz.Scope.MethodScope"/> <rule ref="Squiz.WhiteSpace.ScopeKeywordSpacing"/> <!-- Method names MUST NOT be declared with a space after the method name. The opening brace MUST go on its own line, and the closing brace MUST go on the next line following the body. There MUST NOT be a space after the opening parenthesis, and there MUST NOT be a space before the closing parenthesis. --> <rule ref="Squiz.Functions.FunctionDeclaration"/> <rule ref="Squiz.Functions.LowercaseFunctionKeywords"/> <!-- In the argument list, there MUST NOT be a space before each comma, and there MUST be one space after each comma. --> <rule ref="Squiz.Functions.FunctionDeclarationArgumentSpacing"> <properties> <property name="equalsSpacing" value="1"/> </properties> </rule> <!-- Method arguments with default values MUST go at the end of the argument list. --> <rule ref="PEAR.Functions.ValidDefaultValue"/> <!-- Argument lists MAY be split across multiple lines, where each subsequent line is indented once. When doing so, the first item in the list MUST be on the next line, and there MUST be only one argument per line. When the argument list is split across multiple lines, the closing parenthesis and opening brace MUST be placed together on their own line with one space between them. --> <rule ref="Squiz.Functions.MultiLineFunctionDeclaration"/> <!-- When present, the abstract and final declarations MUST precede the visibility declaration. When present, the static declaration MUST come after the visibility declaration. --> <!-- Method names SHOULD NOT be prefixed with a single underscore to indicate protected or private visibility. --> <rule ref="PSR2.Methods.MethodDeclaration" /> <!-- When making a method or function call, there MUST NOT be a space between the method or function name and the opening parenthesis, there MUST NOT be a space after the opening parenthesis, and there MUST NOT be a space before the closing parenthesis. In the argument list, there MUST NOT be a space before each comma, and there MUST be one space after each comma. Argument lists MAY be split across multiple lines, where each subsequent line is indented once. When doing so, the first item in the list MUST be on the next line, and there MUST be only one argument per line. --> <rule ref="Generic.Functions.FunctionCallArgumentSpacing"/> <rule ref="PEAR.Functions.FunctionCallSignature"> <properties> <property name="allowMultipleArguments" value="false"/> </properties> </rule> <!-- The general style rules for control structures are as follows: There MUST be one space after the control structure keyword There MUST NOT be a space after the opening parenthesis There MUST NOT be a space before the closing parenthesis There MUST be one space between the closing parenthesis and the opening brace The structure body MUST be indented once The closing brace MUST be on the next line after the body --> <rule ref="Squiz.ControlStructures.ControlSignature"> <properties> <property name="ignoreComments" value="true"/> </properties> </rule> <rule ref="Squiz.WhiteSpace.ScopeClosingBrace"/> <rule ref="Squiz.ControlStructures.ForEachLoopDeclaration"/> <rule ref="Squiz.ControlStructures.ForLoopDeclaration"/> <rule ref="Squiz.ControlStructures.LowercaseDeclaration"/> <!-- The body of each structure MUST be enclosed by braces. This standardizes how the structures look, and reduces the likelihood of introducing errors as new lines get added to the body. --> <rule ref="Generic.ControlStructures.InlineControlStructure"/> <!-- The case statement MUST be indented once from switch, and the break keyword (or other terminating keyword) MUST be indented at the same level as the case body. There MUST be a comment such as // no break when fall-through is intentional in a non-empty case body. --> <rule ref="PSR2.ControlStructures.SwitchDeclaration" > <properties> <property name="indent" value="2" /> </properties> </rule> </ruleset> apiclient/LICENSE 0000644 00000024020 14736103211 0007515 0 ustar 00 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. apiclient/.github/ISSUE_TEMPLATE.md 0000644 00000000550 14736103211 0012557 0 ustar 00 **Heads up!** We appreciate any bug reports or other contributions, but please note that this issue tracker is only for this client library. We do not maintain the APIs that this client library talks to. If you have an issue or questions with how to use a particular API, you may be better off posting on Stackoverflow under the `google-api` tag. Thank you! auth/CONTRIBUTING.md 0000644 00000007107 14736103211 0007741 0 ustar 00 # How to become a contributor and submit your own code ## Contributor License Agreements We'd love to accept your sample apps and patches! Before we can take them, we have to jump a couple of legal hurdles. Please fill out either the individual or corporate Contributor License Agreement (CLA). * If you are an individual writing original source code and you're sure you own the intellectual property, then you'll need to sign an [individual CLA] (http://code.google.com/legal/individual-cla-v1.0.html). * If you work for a company that wants to allow you to contribute your work, then you'll need to sign a [corporate CLA] (http://code.google.com/legal/corporate-cla-v1.0.html). Follow either of the two links above to access the appropriate CLA and instructions for how to sign and return it. Once we receive it, we'll be able to accept your pull requests. ## Issue reporting * Check that the issue has not already been reported. * Check that the issue has not already been fixed in the latest code (a.k.a. `master`). * Be clear, concise and precise in your description of the problem. * Open an issue with a descriptive title and a summary in grammatically correct, complete sentences. * Include any relevant code to the issue summary. ## Pull requests * Read [how to properly contribute to open source projects on Github][2]. * Fork the project. * Use a topic/feature branch to easily amend a pull request later, if necessary. * Write [good commit messages][3]. * Use the same coding conventions as the rest of the project. * Commit and push until you are happy with your contribution. * Make sure to add tests for it. This is important so I don't break it in a future version unintentionally. * Add an entry to the [Changelog](CHANGELOG.md) accordingly. See [changelog entry format](#changelog-entry-format). * Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it. * Make sure the test suite is passing and the code you wrote doesn't produce phpunit or phplint offenses. * [Squash related commits together][5]. * Open a [pull request][4] that relates to *only* one subject with a clear title and description in grammatically correct, complete sentences. ### Changelog entry format Here are a few examples: ``` * ADC Support for User Refresh Tokens (@tbetbetbe[]) * [#16](https://github.com/google/google-auth-library-php/issues/16): ADC Support for User Refresh Tokens ([@tbetbetbe][]) ``` * Mark it up in [Markdown syntax][6]. * The entry line should start with `* ` (an asterisk and a space). * If the change has a related GitHub issue (e.g. a bug fix for a reported issue), put a link to the issue as `[#16](https://github.com/google/google-auth-library-php/issues/16): `. * Describe the brief of the change. The sentence should end with a punctuation. * At the end of the entry, add an implicit link to your GitHub user page as `([@username][])`. * If this is your first contribution to google-auth-library-php project, add a link definition for the implicit link to the bottom of the changelog as `[@username]: https://github.com/username`. [1]: https://github.com/google/google-auth-php-library/issues [2]: http://gun.io/blog/how-to-github-fork-branch-and-pull-request [3]: http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html [4]: https://help.github.com/articles/using-pull-requests [5]: http://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html [6]: http://daringfireball.net/projects/markdown/syntax auth/autoload.php 0000644 00000002133 14736103211 0010023 0 ustar 00 <?php /* * Copyright 2014 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ function oauth2client_php_autoload($className) { $classPath = explode('_', $className); if ($classPath[0] != 'Google') { return; } if (count($classPath) > 3) { // Maximum class file path depth in this project is 3. $classPath = array_slice($classPath, 0, 3); } $filePath = dirname(__FILE__) . '/src/' . implode('/', $classPath) . '.php'; if (file_exists($filePath)) { require_once $filePath; } } spl_autoload_register('oauth2client_php_autoload'); auth/COPYING 0000644 00000026116 14736103211 0006544 0 ustar 00 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright 2015 Google Inc. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. auth/CODE_OF_CONDUCT.md 0000644 00000003675 14736103211 0010315 0 ustar 00 # Contributor Code of Conduct As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities. We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality. Examples of unacceptable behavior by participants include: * The use of sexualized language or imagery * Personal attacks * Trolling or insulting/derogatory comments * Public or private harassment * Publishing other's private information, such as physical or electronic addresses, without explicit permission * Other unethical or unprofessional conduct. Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently applying these principles to every aspect of managing this project. Project maintainers who do not follow or enforce the Code of Conduct may be permanently removed from the project team. This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an issue or contacting one or more of the project maintainers. This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/) auth/src/HttpHandler/Guzzle6HttpHandler.php 0000644 00000003344 14736103211 0014730 0 ustar 00 <?php /** * Copyright 2015 Google Inc. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\HttpHandler; use GuzzleHttp\ClientInterface; use Psr\Http\Message\RequestInterface; use Psr\Http\Message\ResponseInterface; class Guzzle6HttpHandler { /** * @var ClientInterface */ private $client; /** * @param ClientInterface $client */ public function __construct(ClientInterface $client) { $this->client = $client; } /** * Accepts a PSR-7 request and an array of options and returns a PSR-7 response. * * @param RequestInterface $request * @param array $options * @return ResponseInterface */ public function __invoke(RequestInterface $request, array $options = []) { return $this->client->send($request, $options); } /** * Accepts a PSR-7 request and an array of options and returns a PromiseInterface * * @param RequestInterface $request * @param array $options * * @return \GuzzleHttp\Promise\PromiseInterface */ public function async(RequestInterface $request, array $options = []) { return $this->client->sendAsync($request, $options); } } auth/src/HttpHandler/HttpClientCache.php 0000644 00000002517 14736103211 0014227 0 ustar 00 <?php /* * Copyright 2019 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\HttpHandler; use GuzzleHttp\ClientInterface; /** * Stores an HTTP Client in order to prevent multiple instantiations. */ class HttpClientCache { /** * @var ClientInterface|null */ private static $httpClient; /** * Cache an HTTP Client for later calls. * * Passing null will unset the cached client. * * @param ClientInterface|null $client * @return void */ public static function setHttpClient(ClientInterface $client = null) { self::$httpClient = $client; } /** * Get the stored HTTP Client, or null. * * @return ClientInterface|null */ public static function getHttpClient() { return self::$httpClient; } } auth/src/HttpHandler/Guzzle7HttpHandler.php 0000644 00000001266 14736103211 0014732 0 ustar 00 <?php /** * Copyright 2020 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\HttpHandler; class Guzzle7HttpHandler extends Guzzle6HttpHandler { } auth/src/HttpHandler/HttpHandlerFactory.php 0000644 00000003325 14736103211 0014770 0 ustar 00 <?php /** * Copyright 2015 Google Inc. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\HttpHandler; use GuzzleHttp\Client; use GuzzleHttp\ClientInterface; class HttpHandlerFactory { /** * Builds out a default http handler for the installed version of guzzle. * * @param ClientInterface $client * @return Guzzle5HttpHandler|Guzzle6HttpHandler|Guzzle7HttpHandler * @throws \Exception */ public static function build(ClientInterface $client = null) { $client = $client ?: new Client(); $version = null; if (defined('GuzzleHttp\ClientInterface::MAJOR_VERSION')) { $version = ClientInterface::MAJOR_VERSION; } elseif (defined('GuzzleHttp\ClientInterface::VERSION')) { $version = (int) substr(ClientInterface::VERSION, 0, 1); } switch ($version) { case 5: return new Guzzle5HttpHandler($client); case 6: return new Guzzle6HttpHandler($client); case 7: return new Guzzle7HttpHandler($client); default: throw new \Exception('Version not supported'); } } } auth/src/HttpHandler/Guzzle5HttpHandler.php 0000644 00000007413 14736103211 0014730 0 ustar 00 <?php /** * Copyright 2015 Google Inc. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\HttpHandler; use Exception; use GuzzleHttp\ClientInterface; use GuzzleHttp\Message\ResponseInterface as Guzzle5ResponseInterface; use GuzzleHttp\Promise\Promise; use GuzzleHttp\Promise\RejectedPromise; use GuzzleHttp\Psr7\Response; use Psr\Http\Message\RequestInterface; use Psr\Http\Message\ResponseInterface; class Guzzle5HttpHandler { /** * @var ClientInterface */ private $client; /** * @param ClientInterface $client */ public function __construct(ClientInterface $client) { $this->client = $client; } /** * Accepts a PSR-7 Request and an array of options and returns a PSR-7 response. * * @param RequestInterface $request * @param array $options * @return ResponseInterface */ public function __invoke(RequestInterface $request, array $options = []) { $response = $this->client->send( $this->createGuzzle5Request($request, $options) ); return $this->createPsr7Response($response); } /** * Accepts a PSR-7 request and an array of options and returns a PromiseInterface * * @param RequestInterface $request * @param array $options * @return Promise */ public function async(RequestInterface $request, array $options = []) { if (!class_exists('GuzzleHttp\Promise\Promise')) { throw new Exception('Install guzzlehttp/promises to use async with Guzzle 5'); } $futureResponse = $this->client->send( $this->createGuzzle5Request( $request, ['future' => true] + $options ) ); $promise = new Promise( function () use ($futureResponse) { try { $futureResponse->wait(); } catch (Exception $e) { // The promise is already delivered when the exception is // thrown, so don't rethrow it. } }, [$futureResponse, 'cancel'] ); $futureResponse->then([$promise, 'resolve'], [$promise, 'reject']); return $promise->then( function (Guzzle5ResponseInterface $response) { // Adapt the Guzzle 5 Response to a PSR-7 Response. return $this->createPsr7Response($response); }, function (Exception $e) { return new RejectedPromise($e); } ); } private function createGuzzle5Request(RequestInterface $request, array $options) { return $this->client->createRequest( $request->getMethod(), $request->getUri(), array_merge_recursive([ 'headers' => $request->getHeaders(), 'body' => $request->getBody(), ], $options) ); } private function createPsr7Response(Guzzle5ResponseInterface $response) { return new Response( $response->getStatusCode(), $response->getHeaders() ?: [], $response->getBody(), $response->getProtocolVersion(), $response->getReasonPhrase() ); } } auth/src/CredentialsLoader.php 0000644 00000016456 14736103211 0012403 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth; use Google\Auth\Credentials\InsecureCredentials; use Google\Auth\Credentials\ServiceAccountCredentials; use Google\Auth\Credentials\UserRefreshCredentials; use GuzzleHttp\ClientInterface; /** * CredentialsLoader contains the behaviour used to locate and find default * credentials files on the file system. */ abstract class CredentialsLoader implements FetchAuthTokenInterface { const TOKEN_CREDENTIAL_URI = 'https://oauth2.googleapis.com/token'; const ENV_VAR = 'GOOGLE_APPLICATION_CREDENTIALS'; const WELL_KNOWN_PATH = 'gcloud/application_default_credentials.json'; const NON_WINDOWS_WELL_KNOWN_PATH_BASE = '.config'; const AUTH_METADATA_KEY = 'authorization'; /** * @param string $cause * @return string */ private static function unableToReadEnv($cause) { $msg = 'Unable to read the credential file specified by '; $msg .= ' GOOGLE_APPLICATION_CREDENTIALS: '; $msg .= $cause; return $msg; } /** * @return bool */ private static function isOnWindows() { return strtoupper(substr(PHP_OS, 0, 3)) === 'WIN'; } /** * Returns the currently available major Guzzle version. * * @return int */ private static function getGuzzleMajorVersion() { if (defined('GuzzleHttp\ClientInterface::MAJOR_VERSION')) { return ClientInterface::MAJOR_VERSION; } if (defined('GuzzleHttp\ClientInterface::VERSION')) { return (int) substr(ClientInterface::VERSION, 0, 1); } throw new \Exception('Version not supported'); } /** * Load a JSON key from the path specified in the environment. * * Load a JSON key from the path specified in the environment * variable GOOGLE_APPLICATION_CREDENTIALS. Return null if * GOOGLE_APPLICATION_CREDENTIALS is not specified. * * @return array|null JSON key | null */ public static function fromEnv() { $path = getenv(self::ENV_VAR); if (empty($path)) { return; } if (!file_exists($path)) { $cause = 'file ' . $path . ' does not exist'; throw new \DomainException(self::unableToReadEnv($cause)); } $jsonKey = file_get_contents($path); return json_decode($jsonKey, true); } /** * Load a JSON key from a well known path. * * The well known path is OS dependent: * * * windows: %APPDATA%/gcloud/application_default_credentials.json * * others: $HOME/.config/gcloud/application_default_credentials.json * * If the file does not exist, this returns null. * * @return array|null JSON key | null */ public static function fromWellKnownFile() { $rootEnv = self::isOnWindows() ? 'APPDATA' : 'HOME'; $path = [getenv($rootEnv)]; if (!self::isOnWindows()) { $path[] = self::NON_WINDOWS_WELL_KNOWN_PATH_BASE; } $path[] = self::WELL_KNOWN_PATH; $path = implode(DIRECTORY_SEPARATOR, $path); if (!file_exists($path)) { return; } $jsonKey = file_get_contents($path); return json_decode($jsonKey, true); } /** * Create a new Credentials instance. * * @param string|array $scope the scope of the access request, expressed * either as an Array or as a space-delimited String. * @param array $jsonKey the JSON credentials. * @return ServiceAccountCredentials|UserRefreshCredentials */ public static function makeCredentials($scope, array $jsonKey) { if (!array_key_exists('type', $jsonKey)) { throw new \InvalidArgumentException('json key is missing the type field'); } if ($jsonKey['type'] == 'service_account') { return new ServiceAccountCredentials($scope, $jsonKey); } if ($jsonKey['type'] == 'authorized_user') { return new UserRefreshCredentials($scope, $jsonKey); } throw new \InvalidArgumentException('invalid value in the type field'); } /** * Create an authorized HTTP Client from an instance of FetchAuthTokenInterface. * * @param FetchAuthTokenInterface $fetcher is used to fetch the auth token * @param array $httpClientOptions (optional) Array of request options to apply. * @param callable $httpHandler (optional) http client to fetch the token. * @param callable $tokenCallback (optional) function to be called when a new token is fetched. * @return \GuzzleHttp\Client */ public static function makeHttpClient( FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], callable $httpHandler = null, callable $tokenCallback = null ) { if (self::getGuzzleMajorVersion() === 5) { $client = new \GuzzleHttp\Client($httpClientOptions); $client->setDefaultOption('auth', 'google_auth'); $subscriber = new Subscriber\AuthTokenSubscriber( $fetcher, $httpHandler, $tokenCallback ); $client->getEmitter()->attach($subscriber); return $client; } $middleware = new Middleware\AuthTokenMiddleware( $fetcher, $httpHandler, $tokenCallback ); $stack = \GuzzleHttp\HandlerStack::create(); $stack->push($middleware); return new \GuzzleHttp\Client([ 'handler' => $stack, 'auth' => 'google_auth', ] + $httpClientOptions); } /** * Create a new instance of InsecureCredentials. * * @return InsecureCredentials */ public static function makeInsecureCredentials() { return new InsecureCredentials(); } /** * export a callback function which updates runtime metadata. * * @return array updateMetadata function */ public function getUpdateMetadataFunc() { return array($this, 'updateMetadata'); } /** * Updates metadata with the authorization token. * * @param array $metadata metadata hashmap * @param string $authUri optional auth uri * @param callable $httpHandler callback which delivers psr7 request * @return array updated metadata hashmap */ public function updateMetadata( $metadata, $authUri = null, callable $httpHandler = null ) { $result = $this->fetchAuthToken($httpHandler); if (!isset($result['access_token'])) { return $metadata; } $metadata_copy = $metadata; $metadata_copy[self::AUTH_METADATA_KEY] = array('Bearer ' . $result['access_token']); return $metadata_copy; } } auth/src/Subscriber/SimpleSubscriber.php 0000644 00000005077 14736103211 0014374 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Subscriber; use GuzzleHttp\Event\BeforeEvent; use GuzzleHttp\Event\RequestEvents; use GuzzleHttp\Event\SubscriberInterface; /** * SimpleSubscriber is a Guzzle Subscriber that implements Google's Simple API * access. * * Requests are accessed using the Simple API access developer key. */ class SimpleSubscriber implements SubscriberInterface { /** * @var array */ private $config; /** * Create a new Simple plugin. * * The configuration array expects one option * - key: required, otherwise InvalidArgumentException is thrown * * @param array $config Configuration array */ public function __construct(array $config) { if (!isset($config['key'])) { throw new \InvalidArgumentException('requires a key to have been set'); } $this->config = array_merge([], $config); } /** * @return array */ public function getEvents() { return ['before' => ['onBefore', RequestEvents::SIGN_REQUEST]]; } /** * Updates the request query with the developer key if auth is set to simple. * * Example: * ``` * use Google\Auth\Subscriber\SimpleSubscriber; * use GuzzleHttp\Client; * * $my_key = 'is not the same as yours'; * $subscriber = new SimpleSubscriber(['key' => $my_key]); * * $client = new Client([ * 'base_url' => 'https://www.googleapis.com/discovery/v1/', * 'defaults' => ['auth' => 'simple'] * ]); * $client->getEmitter()->attach($subscriber); * * $res = $client->get('drive/v2/rest'); * ``` * * @param BeforeEvent $event */ public function onBefore(BeforeEvent $event) { // Requests using "auth"="simple" with the developer key. $request = $event->getRequest(); if ($request->getConfig()['auth'] != 'simple') { return; } $request->getQuery()->overwriteWith($this->config); } } auth/src/Subscriber/AuthTokenSubscriber.php 0000644 00000010135 14736103211 0015034 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Subscriber; use Google\Auth\FetchAuthTokenInterface; use Google\Auth\GetQuotaProjectInterface; use GuzzleHttp\Event\BeforeEvent; use GuzzleHttp\Event\RequestEvents; use GuzzleHttp\Event\SubscriberInterface; /** * AuthTokenSubscriber is a Guzzle Subscriber that adds an Authorization header * provided by an object implementing FetchAuthTokenInterface. * * The FetchAuthTokenInterface#fetchAuthToken is used to obtain a hash; one of * the values value in that hash is added as the authorization header. * * Requests will be accessed with the authorization header: * * 'authorization' 'Bearer <value of auth_token>' */ class AuthTokenSubscriber implements SubscriberInterface { /** * @var callable */ private $httpHandler; /** * @var FetchAuthTokenInterface */ private $fetcher; /** * @var callable */ private $tokenCallback; /** * Creates a new AuthTokenSubscriber. * * @param FetchAuthTokenInterface $fetcher is used to fetch the auth token * @param callable $httpHandler (optional) http client to fetch the token. * @param callable $tokenCallback (optional) function to be called when a new token is fetched. */ public function __construct( FetchAuthTokenInterface $fetcher, callable $httpHandler = null, callable $tokenCallback = null ) { $this->fetcher = $fetcher; $this->httpHandler = $httpHandler; $this->tokenCallback = $tokenCallback; } /** * @return array */ public function getEvents() { return ['before' => ['onBefore', RequestEvents::SIGN_REQUEST]]; } /** * Updates the request with an Authorization header when auth is 'fetched_auth_token'. * * Example: * ``` * use GuzzleHttp\Client; * use Google\Auth\OAuth2; * use Google\Auth\Subscriber\AuthTokenSubscriber; * * $config = [..<oauth config param>.]; * $oauth2 = new OAuth2($config) * $subscriber = new AuthTokenSubscriber($oauth2); * * $client = new Client([ * 'base_url' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', * 'defaults' => ['auth' => 'google_auth'] * ]); * $client->getEmitter()->attach($subscriber); * * $res = $client->get('myproject/taskqueues/myqueue'); * ``` * * @param BeforeEvent $event */ public function onBefore(BeforeEvent $event) { // Requests using "auth"="google_auth" will be authorized. $request = $event->getRequest(); if ($request->getConfig()['auth'] != 'google_auth') { return; } // Fetch the auth token. $auth_tokens = $this->fetcher->fetchAuthToken($this->httpHandler); if (array_key_exists('access_token', $auth_tokens)) { $request->setHeader('authorization', 'Bearer ' . $auth_tokens['access_token']); // notify the callback if applicable if ($this->tokenCallback) { call_user_func($this->tokenCallback, $this->fetcher->getCacheKey(), $auth_tokens['access_token']); } } if ($quotaProject = $this->getQuotaProject()) { $request->setHeader( GetQuotaProjectInterface::X_GOOG_USER_PROJECT_HEADER, $quotaProject ); } } private function getQuotaProject() { if ($this->fetcher instanceof GetQuotaProjectInterface) { return $this->fetcher->getQuotaProject(); } } } auth/src/Subscriber/ScopedAccessTokenSubscriber.php 0000644 00000012014 14736103211 0016470 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Subscriber; use Google\Auth\CacheTrait; use GuzzleHttp\Event\BeforeEvent; use GuzzleHttp\Event\RequestEvents; use GuzzleHttp\Event\SubscriberInterface; use Psr\Cache\CacheItemPoolInterface; /** * ScopedAccessTokenSubscriber is a Guzzle Subscriber that adds an Authorization * header provided by a closure. * * The closure returns an access token, taking the scope, either a single * string or an array of strings, as its value. If provided, a cache will be * used to preserve the access token for a given lifetime. * * Requests will be accessed with the authorization header: * * 'authorization' 'Bearer <access token obtained from the closure>' */ class ScopedAccessTokenSubscriber implements SubscriberInterface { use CacheTrait; const DEFAULT_CACHE_LIFETIME = 1500; /** * @var CacheItemPoolInterface */ private $cache; /** * @var callable The access token generator function */ private $tokenFunc; /** * @var array|string The scopes used to generate the token */ private $scopes; /** * @var array */ private $cacheConfig; /** * Creates a new ScopedAccessTokenSubscriber. * * @param callable $tokenFunc a token generator function * @param array|string $scopes the token authentication scopes * @param array $cacheConfig configuration for the cache when it's present * @param CacheItemPoolInterface $cache an implementation of CacheItemPoolInterface */ public function __construct( callable $tokenFunc, $scopes, array $cacheConfig = null, CacheItemPoolInterface $cache = null ) { $this->tokenFunc = $tokenFunc; if (!(is_string($scopes) || is_array($scopes))) { throw new \InvalidArgumentException( 'wants scope should be string or array' ); } $this->scopes = $scopes; if (!is_null($cache)) { $this->cache = $cache; $this->cacheConfig = array_merge([ 'lifetime' => self::DEFAULT_CACHE_LIFETIME, 'prefix' => '', ], $cacheConfig); } } /** * @return array */ public function getEvents() { return ['before' => ['onBefore', RequestEvents::SIGN_REQUEST]]; } /** * Updates the request with an Authorization header when auth is 'scoped'. * * E.g this could be used to authenticate using the AppEngine AppIdentityService. * * Example: * ``` * use google\appengine\api\app_identity\AppIdentityService; * use Google\Auth\Subscriber\ScopedAccessTokenSubscriber; * use GuzzleHttp\Client; * * $scope = 'https://www.googleapis.com/auth/taskqueue' * $subscriber = new ScopedAccessToken( * 'AppIdentityService::getAccessToken', * $scope, * ['prefix' => 'Google\Auth\ScopedAccessToken::'], * $cache = new Memcache() * ); * * $client = new Client([ * 'base_url' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', * 'defaults' => ['auth' => 'scoped'] * ]); * $client->getEmitter()->attach($subscriber); * * $res = $client->get('myproject/taskqueues/myqueue'); * ``` * * @param BeforeEvent $event */ public function onBefore(BeforeEvent $event) { // Requests using "auth"="scoped" will be authorized. $request = $event->getRequest(); if ($request->getConfig()['auth'] != 'scoped') { return; } $auth_header = 'Bearer ' . $this->fetchToken(); $request->setHeader('authorization', $auth_header); } /** * @return string */ private function getCacheKey() { $key = null; if (is_string($this->scopes)) { $key .= $this->scopes; } elseif (is_array($this->scopes)) { $key .= implode(':', $this->scopes); } return $key; } /** * Determine if token is available in the cache, if not call tokenFunc to * fetch it. * * @return string */ private function fetchToken() { $cacheKey = $this->getCacheKey(); $cached = $this->getCachedValue($cacheKey); if (!empty($cached)) { return $cached; } $token = call_user_func($this->tokenFunc, $this->scopes); $this->setCachedValue($cacheKey, $token); return $token; } } auth/src/ServiceAccountSignerTrait.php 0000644 00000003464 14736103211 0014103 0 ustar 00 <?php /* * Copyright 2019 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth; use phpseclib\Crypt\RSA; /** * Sign a string using a Service Account private key. */ trait ServiceAccountSignerTrait { /** * Sign a string using the service account private key. * * @param string $stringToSign * @param bool $forceOpenssl Whether to use OpenSSL regardless of * whether phpseclib is installed. **Defaults to** `false`. * @return string */ public function signBlob($stringToSign, $forceOpenssl = false) { $privateKey = $this->auth->getSigningKey(); $signedString = ''; if (class_exists('\\phpseclib\\Crypt\\RSA') && !$forceOpenssl) { $rsa = new RSA; $rsa->loadKey($privateKey); $rsa->setSignatureMode(RSA::SIGNATURE_PKCS1); $rsa->setHash('sha256'); $signedString = $rsa->sign($stringToSign); } elseif (extension_loaded('openssl')) { openssl_sign($stringToSign, $signedString, $privateKey, 'sha256WithRSAEncryption'); } else { // @codeCoverageIgnoreStart throw new \RuntimeException('OpenSSL is not installed.'); } // @codeCoverageIgnoreEnd return base64_encode($signedString); } } auth/src/AccessToken.php 0000644 00000042365 14736103211 0011217 0 ustar 00 <?php /* * Copyright 2019 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth; use DateTime; use Exception; use Firebase\JWT\ExpiredException; use Firebase\JWT\JWT; use Firebase\JWT\SignatureInvalidException; use Google\Auth\Cache\MemoryCacheItemPool; use Google\Auth\HttpHandler\HttpClientCache; use Google\Auth\HttpHandler\HttpHandlerFactory; use GuzzleHttp\Psr7; use GuzzleHttp\Psr7\Request; use InvalidArgumentException; use phpseclib\Crypt\RSA; use phpseclib\Math\BigInteger; use Psr\Cache\CacheItemPoolInterface; use RuntimeException; use SimpleJWT\InvalidTokenException; use SimpleJWT\JWT as SimpleJWT; use SimpleJWT\Keys\KeyFactory; use SimpleJWT\Keys\KeySet; use UnexpectedValueException; /** * Wrapper around Google Access Tokens which provides convenience functions. * * @experimental */ class AccessToken { const FEDERATED_SIGNON_CERT_URL = 'https://www.googleapis.com/oauth2/v3/certs'; const IAP_CERT_URL = 'https://www.gstatic.com/iap/verify/public_key-jwk'; const IAP_ISSUER = 'https://cloud.google.com/iap'; const OAUTH2_ISSUER = 'accounts.google.com'; const OAUTH2_ISSUER_HTTPS = 'https://accounts.google.com'; const OAUTH2_REVOKE_URI = 'https://oauth2.googleapis.com/revoke'; /** * @var callable */ private $httpHandler; /** * @var CacheItemPoolInterface */ private $cache; /** * @param callable $httpHandler [optional] An HTTP Handler to deliver PSR-7 requests. * @param CacheItemPoolInterface $cache [optional] A PSR-6 compatible cache implementation. */ public function __construct( callable $httpHandler = null, CacheItemPoolInterface $cache = null ) { $this->httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); $this->cache = $cache ?: new MemoryCacheItemPool(); } /** * Verifies an id token and returns the authenticated apiLoginTicket. * Throws an exception if the id token is not valid. * The audience parameter can be used to control which id tokens are * accepted. By default, the id token must have been issued to this OAuth2 client. * * @param string $token The JSON Web Token to be verified. * @param array $options [optional] Configuration options. * @param string $options.audience The indended recipient of the token. * @param string $options.issuer The intended issuer of the token. * @param string $options.cacheKey The cache key of the cached certs. Defaults to * the sha1 of $certsLocation if provided, otherwise is set to * "federated_signon_certs_v3". * @param string $options.certsLocation The location (remote or local) from which * to retrieve certificates, if not cached. This value should only be * provided in limited circumstances in which you are sure of the * behavior. * @param bool $options.throwException Whether the function should throw an * exception if the verification fails. This is useful for * determining the reason verification failed. * @return array|bool the token payload, if successful, or false if not. * @throws InvalidArgumentException If certs could not be retrieved from a local file. * @throws InvalidArgumentException If received certs are in an invalid format. * @throws InvalidArgumentException If the cert alg is not supported. * @throws RuntimeException If certs could not be retrieved from a remote location. * @throws UnexpectedValueException If the token issuer does not match. * @throws UnexpectedValueException If the token audience does not match. */ public function verify($token, array $options = []) { $audience = isset($options['audience']) ? $options['audience'] : null; $issuer = isset($options['issuer']) ? $options['issuer'] : null; $certsLocation = isset($options['certsLocation']) ? $options['certsLocation'] : self::FEDERATED_SIGNON_CERT_URL; $cacheKey = isset($options['cacheKey']) ? $options['cacheKey'] : $this->getCacheKeyFromCertLocation($certsLocation); $throwException = isset($options['throwException']) ? $options['throwException'] : false; // for backwards compatibility // Check signature against each available cert. $certs = $this->getCerts($certsLocation, $cacheKey, $options); $alg = $this->determineAlg($certs); if (!in_array($alg, ['RS256', 'ES256'])) { throw new InvalidArgumentException( 'unrecognized "alg" in certs, expected ES256 or RS256' ); } try { if ($alg == 'RS256') { return $this->verifyRs256($token, $certs, $audience, $issuer); } return $this->verifyEs256($token, $certs, $audience, $issuer); } catch (ExpiredException $e) { // firebase/php-jwt 3+ } catch (\ExpiredException $e) { // firebase/php-jwt 2 } catch (SignatureInvalidException $e) { // firebase/php-jwt 3+ } catch (\SignatureInvalidException $e) { // firebase/php-jwt 2 } catch (InvalidTokenException $e) { // simplejwt } catch (DomainException $e) { } catch (InvalidArgumentException $e) { } catch (UnexpectedValueException $e) { } if ($throwException) { throw $e; } return false; } /** * Identifies the expected algorithm to verify by looking at the "alg" key * of the provided certs. * * @param array $certs Certificate array according to the JWK spec (see * https://tools.ietf.org/html/rfc7517). * @return string The expected algorithm, such as "ES256" or "RS256". */ private function determineAlg(array $certs) { $alg = null; foreach ($certs as $cert) { if (empty($cert['alg'])) { throw new InvalidArgumentException( 'certs expects "alg" to be set' ); } $alg = $alg ?: $cert['alg']; if ($alg != $cert['alg']) { throw new InvalidArgumentException( 'More than one alg detected in certs' ); } } return $alg; } /** * Verifies an ES256-signed JWT. * * @param string $token The JSON Web Token to be verified. * @param array $certs Certificate array according to the JWK spec (see * https://tools.ietf.org/html/rfc7517). * @param string|null $audience If set, returns false if the provided * audience does not match the "aud" claim on the JWT. * @param string|null $issuer If set, returns false if the provided * issuer does not match the "iss" claim on the JWT. * @return array|bool the token payload, if successful, or false if not. */ private function verifyEs256($token, array $certs, $audience = null, $issuer = null) { $this->checkSimpleJwt(); $jwkset = new KeySet(); foreach ($certs as $cert) { $jwkset->add(KeyFactory::create($cert, 'php')); } // Validate the signature using the key set and ES256 algorithm. $jwt = $this->callSimpleJwtDecode([$token, $jwkset, 'ES256']); $payload = $jwt->getClaims(); if (isset($payload['aud'])) { if ($audience && $payload['aud'] != $audience) { throw new UnexpectedValueException('Audience does not match'); } } // @see https://cloud.google.com/iap/docs/signed-headers-howto#verifying_the_jwt_payload $issuer = $issuer ?: self::IAP_ISSUER; if (!isset($payload['iss']) || $payload['iss'] !== $issuer) { throw new UnexpectedValueException('Issuer does not match'); } return $payload; } /** * Verifies an RS256-signed JWT. * * @param string $token The JSON Web Token to be verified. * @param array $certs Certificate array according to the JWK spec (see * https://tools.ietf.org/html/rfc7517). * @param string|null $audience If set, returns false if the provided * audience does not match the "aud" claim on the JWT. * @param string|null $issuer If set, returns false if the provided * issuer does not match the "iss" claim on the JWT. * @return array|bool the token payload, if successful, or false if not. */ private function verifyRs256($token, array $certs, $audience = null, $issuer = null) { $this->checkAndInitializePhpsec(); $keys = []; foreach ($certs as $cert) { if (empty($cert['kid'])) { throw new InvalidArgumentException( 'certs expects "kid" to be set' ); } if (empty($cert['n']) || empty($cert['e'])) { throw new InvalidArgumentException( 'RSA certs expects "n" and "e" to be set' ); } $rsa = new RSA(); $rsa->loadKey([ 'n' => new BigInteger($this->callJwtStatic('urlsafeB64Decode', [ $cert['n'], ]), 256), 'e' => new BigInteger($this->callJwtStatic('urlsafeB64Decode', [ $cert['e'] ]), 256), ]); // create an array of key IDs to certs for the JWT library $keys[$cert['kid']] = $rsa->getPublicKey(); } $payload = $this->callJwtStatic('decode', [ $token, $keys, ['RS256'] ]); if (property_exists($payload, 'aud')) { if ($audience && $payload->aud != $audience) { throw new UnexpectedValueException('Audience does not match'); } } // support HTTP and HTTPS issuers // @see https://developers.google.com/identity/sign-in/web/backend-auth $issuers = $issuer ? [$issuer] : [self::OAUTH2_ISSUER, self::OAUTH2_ISSUER_HTTPS]; if (!isset($payload->iss) || !in_array($payload->iss, $issuers)) { throw new UnexpectedValueException('Issuer does not match'); } return (array) $payload; } /** * Revoke an OAuth2 access token or refresh token. This method will revoke the current access * token, if a token isn't provided. * * @param string|array $token The token (access token or a refresh token) that should be revoked. * @param array $options [optional] Configuration options. * @return bool Returns True if the revocation was successful, otherwise False. */ public function revoke($token, array $options = []) { if (is_array($token)) { if (isset($token['refresh_token'])) { $token = $token['refresh_token']; } else { $token = $token['access_token']; } } $body = Psr7\stream_for(http_build_query(['token' => $token])); $request = new Request('POST', self::OAUTH2_REVOKE_URI, [ 'Cache-Control' => 'no-store', 'Content-Type' => 'application/x-www-form-urlencoded', ], $body); $httpHandler = $this->httpHandler; $response = $httpHandler($request, $options); return $response->getStatusCode() == 200; } /** * Gets federated sign-on certificates to use for verifying identity tokens. * Returns certs as array structure, where keys are key ids, and values * are PEM encoded certificates. * * @param string $location The location from which to retrieve certs. * @param string $cacheKey The key under which to cache the retrieved certs. * @param array $options [optional] Configuration options. * @return array * @throws InvalidArgumentException If received certs are in an invalid format. */ private function getCerts($location, $cacheKey, array $options = []) { $cacheItem = $this->cache->getItem($cacheKey); $certs = $cacheItem ? $cacheItem->get() : null; $gotNewCerts = false; if (!$certs) { $certs = $this->retrieveCertsFromLocation($location, $options); $gotNewCerts = true; } if (!isset($certs['keys'])) { if ($location !== self::IAP_CERT_URL) { throw new InvalidArgumentException( 'federated sign-on certs expects "keys" to be set' ); } throw new InvalidArgumentException( 'certs expects "keys" to be set' ); } // Push caching off until after verifying certs are in a valid format. // Don't want to cache bad data. if ($gotNewCerts) { $cacheItem->expiresAt(new DateTime('+1 hour')); $cacheItem->set($certs); $this->cache->save($cacheItem); } return $certs['keys']; } /** * Retrieve and cache a certificates file. * * @param $url string location * @param array $options [optional] Configuration options. * @return array certificates * @throws InvalidArgumentException If certs could not be retrieved from a local file. * @throws RuntimeException If certs could not be retrieved from a remote location. */ private function retrieveCertsFromLocation($url, array $options = []) { // If we're retrieving a local file, just grab it. if (strpos($url, 'http') !== 0) { if (!file_exists($url)) { throw new InvalidArgumentException(sprintf( 'Failed to retrieve verification certificates from path: %s.', $url )); } return json_decode(file_get_contents($url), true); } $httpHandler = $this->httpHandler; $response = $httpHandler(new Request('GET', $url), $options); if ($response->getStatusCode() == 200) { return json_decode((string) $response->getBody(), true); } throw new RuntimeException(sprintf( 'Failed to retrieve verification certificates: "%s".', $response->getBody()->getContents() ), $response->getStatusCode()); } private function checkAndInitializePhpsec() { // @codeCoverageIgnoreStart if (!class_exists('phpseclib\Crypt\RSA')) { throw new RuntimeException('Please require phpseclib/phpseclib v2 to use this utility.'); } // @codeCoverageIgnoreEnd $this->setPhpsecConstants(); } private function checkSimpleJwt() { // @codeCoverageIgnoreStart if (!class_exists('SimpleJWT\JWT')) { throw new RuntimeException('Please require kelvinmo/simplejwt ^0.2 to use this utility.'); } // @codeCoverageIgnoreEnd } /** * phpseclib calls "phpinfo" by default, which requires special * whitelisting in the AppEngine VM environment. This function * sets constants to bypass the need for phpseclib to check phpinfo * * @see phpseclib/Math/BigInteger * @see https://github.com/GoogleCloudPlatform/getting-started-php/issues/85 * @codeCoverageIgnore */ private function setPhpsecConstants() { if (filter_var(getenv('GAE_VM'), FILTER_VALIDATE_BOOLEAN)) { if (!defined('MATH_BIGINTEGER_OPENSSL_ENABLED')) { define('MATH_BIGINTEGER_OPENSSL_ENABLED', true); } if (!defined('CRYPT_RSA_MODE')) { define('CRYPT_RSA_MODE', RSA::MODE_OPENSSL); } } } /** * Provide a hook to mock calls to the JWT static methods. * * @param string $method * @param array $args * @return mixed */ protected function callJwtStatic($method, array $args = []) { $class = class_exists('Firebase\JWT\JWT') ? 'Firebase\JWT\JWT' : 'JWT'; return call_user_func_array([$class, $method], $args); } /** * Provide a hook to mock calls to the JWT static methods. * * @param array $args * @return mixed */ protected function callSimpleJwtDecode(array $args = []) { return call_user_func_array(['SimpleJWT\JWT', 'decode'], $args); } /** * Generate a cache key based on the cert location using sha1 with the * exception of using "federated_signon_certs_v3" to preserve BC. * * @param string $certsLocation * @return string */ private function getCacheKeyFromCertLocation($certsLocation) { $key = $certsLocation === self::FEDERATED_SIGNON_CERT_URL ? 'federated_signon_certs_v3' : sha1($certsLocation); return 'google_auth_certs_cache|' . $key; } } auth/src/OAuth2.php 0000644 00000106752 14736103211 0010120 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth; use Google\Auth\HttpHandler\HttpClientCache; use Google\Auth\HttpHandler\HttpHandlerFactory; use GuzzleHttp\Psr7; use GuzzleHttp\Psr7\Request; use InvalidArgumentException; use Psr\Http\Message\RequestInterface; use Psr\Http\Message\ResponseInterface; use Psr\Http\Message\UriInterface; /** * OAuth2 supports authentication by OAuth2 2-legged flows. * * It primary supports * - service account authorization * - authorization where a user already has an access token */ class OAuth2 implements FetchAuthTokenInterface { const DEFAULT_EXPIRY_SECONDS = 3600; // 1 hour const DEFAULT_SKEW_SECONDS = 60; // 1 minute const JWT_URN = 'urn:ietf:params:oauth:grant-type:jwt-bearer'; /** * TODO: determine known methods from the keys of JWT::methods. */ public static $knownSigningAlgorithms = array( 'HS256', 'HS512', 'HS384', 'RS256', ); /** * The well known grant types. * * @var array */ public static $knownGrantTypes = array( 'authorization_code', 'refresh_token', 'password', 'client_credentials', ); /** * - authorizationUri * The authorization server's HTTP endpoint capable of * authenticating the end-user and obtaining authorization. * * @var UriInterface */ private $authorizationUri; /** * - tokenCredentialUri * The authorization server's HTTP endpoint capable of issuing * tokens and refreshing expired tokens. * * @var UriInterface */ private $tokenCredentialUri; /** * The redirection URI used in the initial request. * * @var string */ private $redirectUri; /** * A unique identifier issued to the client to identify itself to the * authorization server. * * @var string */ private $clientId; /** * A shared symmetric secret issued by the authorization server, which is * used to authenticate the client. * * @var string */ private $clientSecret; /** * The resource owner's username. * * @var string */ private $username; /** * The resource owner's password. * * @var string */ private $password; /** * The scope of the access request, expressed either as an Array or as a * space-delimited string. * * @var array */ private $scope; /** * An arbitrary string designed to allow the client to maintain state. * * @var string */ private $state; /** * The authorization code issued to this client. * * Only used by the authorization code access grant type. * * @var string */ private $code; /** * The issuer ID when using assertion profile. * * @var string */ private $issuer; /** * The target audience for assertions. * * @var string */ private $audience; /** * The target sub when issuing assertions. * * @var string */ private $sub; /** * The number of seconds assertions are valid for. * * @var int */ private $expiry; /** * The signing key when using assertion profile. * * @var string */ private $signingKey; /** * The signing key id when using assertion profile. Param kid in jwt header * * @var string */ private $signingKeyId; /** * The signing algorithm when using an assertion profile. * * @var string */ private $signingAlgorithm; /** * The refresh token associated with the access token to be refreshed. * * @var string */ private $refreshToken; /** * The current access token. * * @var string */ private $accessToken; /** * The current ID token. * * @var string */ private $idToken; /** * The lifetime in seconds of the current access token. * * @var int */ private $expiresIn; /** * The expiration time of the access token as a number of seconds since the * unix epoch. * * @var int */ private $expiresAt; /** * The issue time of the access token as a number of seconds since the unix * epoch. * * @var int */ private $issuedAt; /** * The current grant type. * * @var string */ private $grantType; /** * When using an extension grant type, this is the set of parameters used by * that extension. */ private $extensionParams; /** * When using the toJwt function, these claims will be added to the JWT * payload. */ private $additionalClaims; /** * Create a new OAuthCredentials. * * The configuration array accepts various options * * - authorizationUri * The authorization server's HTTP endpoint capable of * authenticating the end-user and obtaining authorization. * * - tokenCredentialUri * The authorization server's HTTP endpoint capable of issuing * tokens and refreshing expired tokens. * * - clientId * A unique identifier issued to the client to identify itself to the * authorization server. * * - clientSecret * A shared symmetric secret issued by the authorization server, * which is used to authenticate the client. * * - scope * The scope of the access request, expressed either as an Array * or as a space-delimited String. * * - state * An arbitrary string designed to allow the client to maintain state. * * - redirectUri * The redirection URI used in the initial request. * * - username * The resource owner's username. * * - password * The resource owner's password. * * - issuer * Issuer ID when using assertion profile * * - audience * Target audience for assertions * * - expiry * Number of seconds assertions are valid for * * - signingKey * Signing key when using assertion profile * * - signingKeyId * Signing key id when using assertion profile * * - refreshToken * The refresh token associated with the access token * to be refreshed. * * - accessToken * The current access token for this client. * * - idToken * The current ID token for this client. * * - extensionParams * When using an extension grant type, this is the set of parameters used * by that extension. * * @param array $config Configuration array */ public function __construct(array $config) { $opts = array_merge([ 'expiry' => self::DEFAULT_EXPIRY_SECONDS, 'extensionParams' => [], 'authorizationUri' => null, 'redirectUri' => null, 'tokenCredentialUri' => null, 'state' => null, 'username' => null, 'password' => null, 'clientId' => null, 'clientSecret' => null, 'issuer' => null, 'sub' => null, 'audience' => null, 'signingKey' => null, 'signingKeyId' => null, 'signingAlgorithm' => null, 'scope' => null, 'additionalClaims' => [], ], $config); $this->setAuthorizationUri($opts['authorizationUri']); $this->setRedirectUri($opts['redirectUri']); $this->setTokenCredentialUri($opts['tokenCredentialUri']); $this->setState($opts['state']); $this->setUsername($opts['username']); $this->setPassword($opts['password']); $this->setClientId($opts['clientId']); $this->setClientSecret($opts['clientSecret']); $this->setIssuer($opts['issuer']); $this->setSub($opts['sub']); $this->setExpiry($opts['expiry']); $this->setAudience($opts['audience']); $this->setSigningKey($opts['signingKey']); $this->setSigningKeyId($opts['signingKeyId']); $this->setSigningAlgorithm($opts['signingAlgorithm']); $this->setScope($opts['scope']); $this->setExtensionParams($opts['extensionParams']); $this->setAdditionalClaims($opts['additionalClaims']); $this->updateToken($opts); } /** * Verifies the idToken if present. * * - if none is present, return null * - if present, but invalid, raises DomainException. * - otherwise returns the payload in the idtoken as a PHP object. * * The behavior of this method varies depending on the version of * `firebase/php-jwt` you are using. In versions lower than 3.0.0, if * `$publicKey` is null, the key is decoded without being verified. In * newer versions, if a public key is not given, this method will throw an * `\InvalidArgumentException`. * * @param string $publicKey The public key to use to authenticate the token * @param array $allowed_algs List of supported verification algorithms * @throws \DomainException if the token is missing an audience. * @throws \DomainException if the audience does not match the one set in * the OAuth2 class instance. * @throws \UnexpectedValueException If the token is invalid * @throws SignatureInvalidException If the signature is invalid. * @throws BeforeValidException If the token is not yet valid. * @throws ExpiredException If the token has expired. * @return null|object */ public function verifyIdToken($publicKey = null, $allowed_algs = array()) { $idToken = $this->getIdToken(); if (is_null($idToken)) { return null; } $resp = $this->jwtDecode($idToken, $publicKey, $allowed_algs); if (!property_exists($resp, 'aud')) { throw new \DomainException('No audience found the id token'); } if ($resp->aud != $this->getAudience()) { throw new \DomainException('Wrong audience present in the id token'); } return $resp; } /** * Obtains the encoded jwt from the instance data. * * @param array $config array optional configuration parameters * @return string */ public function toJwt(array $config = []) { if (is_null($this->getSigningKey())) { throw new \DomainException('No signing key available'); } if (is_null($this->getSigningAlgorithm())) { throw new \DomainException('No signing algorithm specified'); } $now = time(); $opts = array_merge([ 'skew' => self::DEFAULT_SKEW_SECONDS, ], $config); $assertion = [ 'iss' => $this->getIssuer(), 'aud' => $this->getAudience(), 'exp' => ($now + $this->getExpiry()), 'iat' => ($now - $opts['skew']), ]; foreach ($assertion as $k => $v) { if (is_null($v)) { throw new \DomainException($k . ' should not be null'); } } if (!(is_null($this->getScope()))) { $assertion['scope'] = $this->getScope(); } if (!(is_null($this->getSub()))) { $assertion['sub'] = $this->getSub(); } $assertion += $this->getAdditionalClaims(); return $this->jwtEncode( $assertion, $this->getSigningKey(), $this->getSigningAlgorithm(), $this->getSigningKeyId() ); } /** * Generates a request for token credentials. * * @return RequestInterface the authorization Url. */ public function generateCredentialsRequest() { $uri = $this->getTokenCredentialUri(); if (is_null($uri)) { throw new \DomainException('No token credential URI was set.'); } $grantType = $this->getGrantType(); $params = array('grant_type' => $grantType); switch ($grantType) { case 'authorization_code': $params['code'] = $this->getCode(); $params['redirect_uri'] = $this->getRedirectUri(); $this->addClientCredentials($params); break; case 'password': $params['username'] = $this->getUsername(); $params['password'] = $this->getPassword(); $this->addClientCredentials($params); break; case 'refresh_token': $params['refresh_token'] = $this->getRefreshToken(); $this->addClientCredentials($params); break; case self::JWT_URN: $params['assertion'] = $this->toJwt(); break; default: if (!is_null($this->getRedirectUri())) { # Grant type was supposed to be 'authorization_code', as there # is a redirect URI. throw new \DomainException('Missing authorization code'); } unset($params['grant_type']); if (!is_null($grantType)) { $params['grant_type'] = $grantType; } $params = array_merge($params, $this->getExtensionParams()); } $headers = [ 'Cache-Control' => 'no-store', 'Content-Type' => 'application/x-www-form-urlencoded', ]; return new Request( 'POST', $uri, $headers, Psr7\build_query($params) ); } /** * Fetches the auth tokens based on the current state. * * @param callable $httpHandler callback which delivers psr7 request * @return array the response */ public function fetchAuthToken(callable $httpHandler = null) { if (is_null($httpHandler)) { $httpHandler = HttpHandlerFactory::build(HttpClientCache::getHttpClient()); } $response = $httpHandler($this->generateCredentialsRequest()); $credentials = $this->parseTokenResponse($response); $this->updateToken($credentials); return $credentials; } /** * Obtains a key that can used to cache the results of #fetchAuthToken. * * The key is derived from the scopes. * * @return string a key that may be used to cache the auth token. */ public function getCacheKey() { if (is_array($this->scope)) { return implode(':', $this->scope); } if ($this->audience) { return $this->audience; } // If scope has not set, return null to indicate no caching. return null; } /** * Parses the fetched tokens. * * @param ResponseInterface $resp the response. * @return array the tokens parsed from the response body. * @throws \Exception */ public function parseTokenResponse(ResponseInterface $resp) { $body = (string)$resp->getBody(); if ($resp->hasHeader('Content-Type') && $resp->getHeaderLine('Content-Type') == 'application/x-www-form-urlencoded' ) { $res = array(); parse_str($body, $res); return $res; } // Assume it's JSON; if it's not throw an exception if (null === $res = json_decode($body, true)) { throw new \Exception('Invalid JSON response'); } return $res; } /** * Updates an OAuth 2.0 client. * * Example: * ``` * $oauth->updateToken([ * 'refresh_token' => 'n4E9O119d', * 'access_token' => 'FJQbwq9', * 'expires_in' => 3600 * ]); * ``` * * @param array $config * The configuration parameters related to the token. * * - refresh_token * The refresh token associated with the access token * to be refreshed. * * - access_token * The current access token for this client. * * - id_token * The current ID token for this client. * * - expires_in * The time in seconds until access token expiration. * * - expires_at * The time as an integer number of seconds since the Epoch * * - issued_at * The timestamp that the token was issued at. */ public function updateToken(array $config) { $opts = array_merge([ 'extensionParams' => [], 'access_token' => null, 'id_token' => null, 'expires_in' => null, 'expires_at' => null, 'issued_at' => null, ], $config); $this->setExpiresAt($opts['expires_at']); $this->setExpiresIn($opts['expires_in']); // By default, the token is issued at `Time.now` when `expiresIn` is set, // but this can be used to supply a more precise time. if (!is_null($opts['issued_at'])) { $this->setIssuedAt($opts['issued_at']); } $this->setAccessToken($opts['access_token']); $this->setIdToken($opts['id_token']); // The refresh token should only be updated if a value is explicitly // passed in, as some access token responses do not include a refresh // token. if (array_key_exists('refresh_token', $opts)) { $this->setRefreshToken($opts['refresh_token']); } } /** * Builds the authorization Uri that the user should be redirected to. * * @param array $config configuration options that customize the return url * @return UriInterface the authorization Url. * @throws InvalidArgumentException */ public function buildFullAuthorizationUri(array $config = []) { if (is_null($this->getAuthorizationUri())) { throw new InvalidArgumentException( 'requires an authorizationUri to have been set' ); } $params = array_merge([ 'response_type' => 'code', 'access_type' => 'offline', 'client_id' => $this->clientId, 'redirect_uri' => $this->redirectUri, 'state' => $this->state, 'scope' => $this->getScope(), ], $config); // Validate the auth_params if (is_null($params['client_id'])) { throw new InvalidArgumentException( 'missing the required client identifier' ); } if (is_null($params['redirect_uri'])) { throw new InvalidArgumentException('missing the required redirect URI'); } if (!empty($params['prompt']) && !empty($params['approval_prompt'])) { throw new InvalidArgumentException( 'prompt and approval_prompt are mutually exclusive' ); } // Construct the uri object; return it if it is valid. $result = clone $this->authorizationUri; $existingParams = Psr7\parse_query($result->getQuery()); $result = $result->withQuery( Psr7\build_query(array_merge($existingParams, $params)) ); if ($result->getScheme() != 'https') { throw new InvalidArgumentException( 'Authorization endpoint must be protected by TLS' ); } return $result; } /** * Sets the authorization server's HTTP endpoint capable of authenticating * the end-user and obtaining authorization. * * @param string $uri */ public function setAuthorizationUri($uri) { $this->authorizationUri = $this->coerceUri($uri); } /** * Gets the authorization server's HTTP endpoint capable of authenticating * the end-user and obtaining authorization. * * @return UriInterface */ public function getAuthorizationUri() { return $this->authorizationUri; } /** * Gets the authorization server's HTTP endpoint capable of issuing tokens * and refreshing expired tokens. * * @return string */ public function getTokenCredentialUri() { return $this->tokenCredentialUri; } /** * Sets the authorization server's HTTP endpoint capable of issuing tokens * and refreshing expired tokens. * * @param string $uri */ public function setTokenCredentialUri($uri) { $this->tokenCredentialUri = $this->coerceUri($uri); } /** * Gets the redirection URI used in the initial request. * * @return string */ public function getRedirectUri() { return $this->redirectUri; } /** * Sets the redirection URI used in the initial request. * * @param string $uri */ public function setRedirectUri($uri) { if (is_null($uri)) { $this->redirectUri = null; return; } // redirect URI must be absolute if (!$this->isAbsoluteUri($uri)) { // "postmessage" is a reserved URI string in Google-land // @see https://developers.google.com/identity/sign-in/web/server-side-flow if ('postmessage' !== (string)$uri) { throw new InvalidArgumentException( 'Redirect URI must be absolute' ); } } $this->redirectUri = (string)$uri; } /** * Gets the scope of the access requests as a space-delimited String. * * @return string */ public function getScope() { if (is_null($this->scope)) { return $this->scope; } return implode(' ', $this->scope); } /** * Sets the scope of the access request, expressed either as an Array or as * a space-delimited String. * * @param string|array $scope * @throws InvalidArgumentException */ public function setScope($scope) { if (is_null($scope)) { $this->scope = null; } elseif (is_string($scope)) { $this->scope = explode(' ', $scope); } elseif (is_array($scope)) { foreach ($scope as $s) { $pos = strpos($s, ' '); if ($pos !== false) { throw new InvalidArgumentException( 'array scope values should not contain spaces' ); } } $this->scope = $scope; } else { throw new InvalidArgumentException( 'scopes should be a string or array of strings' ); } } /** * Gets the current grant type. * * @return string */ public function getGrantType() { if (!is_null($this->grantType)) { return $this->grantType; } // Returns the inferred grant type, based on the current object instance // state. if (!is_null($this->code)) { return 'authorization_code'; } if (!is_null($this->refreshToken)) { return 'refresh_token'; } if (!is_null($this->username) && !is_null($this->password)) { return 'password'; } if (!is_null($this->issuer) && !is_null($this->signingKey)) { return self::JWT_URN; } return null; } /** * Sets the current grant type. * * @param $grantType * @throws InvalidArgumentException */ public function setGrantType($grantType) { if (in_array($grantType, self::$knownGrantTypes)) { $this->grantType = $grantType; } else { // validate URI if (!$this->isAbsoluteUri($grantType)) { throw new InvalidArgumentException( 'invalid grant type' ); } $this->grantType = (string)$grantType; } } /** * Gets an arbitrary string designed to allow the client to maintain state. * * @return string */ public function getState() { return $this->state; } /** * Sets an arbitrary string designed to allow the client to maintain state. * * @param string $state */ public function setState($state) { $this->state = $state; } /** * Gets the authorization code issued to this client. */ public function getCode() { return $this->code; } /** * Sets the authorization code issued to this client. * * @param string $code */ public function setCode($code) { $this->code = $code; } /** * Gets the resource owner's username. */ public function getUsername() { return $this->username; } /** * Sets the resource owner's username. * * @param string $username */ public function setUsername($username) { $this->username = $username; } /** * Gets the resource owner's password. */ public function getPassword() { return $this->password; } /** * Sets the resource owner's password. * * @param $password */ public function setPassword($password) { $this->password = $password; } /** * Sets a unique identifier issued to the client to identify itself to the * authorization server. */ public function getClientId() { return $this->clientId; } /** * Sets a unique identifier issued to the client to identify itself to the * authorization server. * * @param $clientId */ public function setClientId($clientId) { $this->clientId = $clientId; } /** * Gets a shared symmetric secret issued by the authorization server, which * is used to authenticate the client. */ public function getClientSecret() { return $this->clientSecret; } /** * Sets a shared symmetric secret issued by the authorization server, which * is used to authenticate the client. * * @param $clientSecret */ public function setClientSecret($clientSecret) { $this->clientSecret = $clientSecret; } /** * Gets the Issuer ID when using assertion profile. */ public function getIssuer() { return $this->issuer; } /** * Sets the Issuer ID when using assertion profile. * * @param string $issuer */ public function setIssuer($issuer) { $this->issuer = $issuer; } /** * Gets the target sub when issuing assertions. */ public function getSub() { return $this->sub; } /** * Sets the target sub when issuing assertions. * * @param string $sub */ public function setSub($sub) { $this->sub = $sub; } /** * Gets the target audience when issuing assertions. */ public function getAudience() { return $this->audience; } /** * Sets the target audience when issuing assertions. * * @param string $audience */ public function setAudience($audience) { $this->audience = $audience; } /** * Gets the signing key when using an assertion profile. */ public function getSigningKey() { return $this->signingKey; } /** * Sets the signing key when using an assertion profile. * * @param string $signingKey */ public function setSigningKey($signingKey) { $this->signingKey = $signingKey; } /** * Gets the signing key id when using an assertion profile. * * @return string */ public function getSigningKeyId() { return $this->signingKeyId; } /** * Sets the signing key id when using an assertion profile. * * @param string $signingKeyId */ public function setSigningKeyId($signingKeyId) { $this->signingKeyId = $signingKeyId; } /** * Gets the signing algorithm when using an assertion profile. * * @return string */ public function getSigningAlgorithm() { return $this->signingAlgorithm; } /** * Sets the signing algorithm when using an assertion profile. * * @param string $signingAlgorithm */ public function setSigningAlgorithm($signingAlgorithm) { if (is_null($signingAlgorithm)) { $this->signingAlgorithm = null; } elseif (!in_array($signingAlgorithm, self::$knownSigningAlgorithms)) { throw new InvalidArgumentException('unknown signing algorithm'); } else { $this->signingAlgorithm = $signingAlgorithm; } } /** * Gets the set of parameters used by extension when using an extension * grant type. */ public function getExtensionParams() { return $this->extensionParams; } /** * Sets the set of parameters used by extension when using an extension * grant type. * * @param $extensionParams */ public function setExtensionParams($extensionParams) { $this->extensionParams = $extensionParams; } /** * Gets the number of seconds assertions are valid for. */ public function getExpiry() { return $this->expiry; } /** * Sets the number of seconds assertions are valid for. * * @param int $expiry */ public function setExpiry($expiry) { $this->expiry = $expiry; } /** * Gets the lifetime of the access token in seconds. */ public function getExpiresIn() { return $this->expiresIn; } /** * Sets the lifetime of the access token in seconds. * * @param int $expiresIn */ public function setExpiresIn($expiresIn) { if (is_null($expiresIn)) { $this->expiresIn = null; $this->issuedAt = null; } else { $this->issuedAt = time(); $this->expiresIn = (int)$expiresIn; } } /** * Gets the time the current access token expires at. * * @return int */ public function getExpiresAt() { if (!is_null($this->expiresAt)) { return $this->expiresAt; } if (!is_null($this->issuedAt) && !is_null($this->expiresIn)) { return $this->issuedAt + $this->expiresIn; } return null; } /** * Returns true if the acccess token has expired. * * @return bool */ public function isExpired() { $expiration = $this->getExpiresAt(); $now = time(); return !is_null($expiration) && $now >= $expiration; } /** * Sets the time the current access token expires at. * * @param int $expiresAt */ public function setExpiresAt($expiresAt) { $this->expiresAt = $expiresAt; } /** * Gets the time the current access token was issued at. */ public function getIssuedAt() { return $this->issuedAt; } /** * Sets the time the current access token was issued at. * * @param int $issuedAt */ public function setIssuedAt($issuedAt) { $this->issuedAt = $issuedAt; } /** * Gets the current access token. */ public function getAccessToken() { return $this->accessToken; } /** * Sets the current access token. * * @param string $accessToken */ public function setAccessToken($accessToken) { $this->accessToken = $accessToken; } /** * Gets the current ID token. */ public function getIdToken() { return $this->idToken; } /** * Sets the current ID token. * * @param $idToken */ public function setIdToken($idToken) { $this->idToken = $idToken; } /** * Gets the refresh token associated with the current access token. */ public function getRefreshToken() { return $this->refreshToken; } /** * Sets the refresh token associated with the current access token. * * @param $refreshToken */ public function setRefreshToken($refreshToken) { $this->refreshToken = $refreshToken; } /** * Sets additional claims to be included in the JWT token * * @param array $additionalClaims */ public function setAdditionalClaims(array $additionalClaims) { $this->additionalClaims = $additionalClaims; } /** * Gets the additional claims to be included in the JWT token. * * @return array */ public function getAdditionalClaims() { return $this->additionalClaims; } /** * The expiration of the last received token. * * @return array */ public function getLastReceivedToken() { if ($token = $this->getAccessToken()) { return [ 'access_token' => $token, 'expires_at' => $this->getExpiresAt(), ]; } return null; } /** * Get the client ID. * * Alias of {@see Google\Auth\OAuth2::getClientId()}. * * @param callable $httpHandler * @return string * @access private */ public function getClientName(callable $httpHandler = null) { return $this->getClientId(); } /** * @todo handle uri as array * * @param string $uri * @return null|UriInterface */ private function coerceUri($uri) { if (is_null($uri)) { return; } return Psr7\uri_for($uri); } /** * @param string $idToken * @param string|array|null $publicKey * @param array $allowedAlgs * @return object */ private function jwtDecode($idToken, $publicKey, $allowedAlgs) { if (class_exists('Firebase\JWT\JWT')) { return \Firebase\JWT\JWT::decode($idToken, $publicKey, $allowedAlgs); } return \JWT::decode($idToken, $publicKey, $allowedAlgs); } private function jwtEncode($assertion, $signingKey, $signingAlgorithm, $signingKeyId = null) { if (class_exists('Firebase\JWT\JWT')) { return \Firebase\JWT\JWT::encode( $assertion, $signingKey, $signingAlgorithm, $signingKeyId ); } return \JWT::encode($assertion, $signingKey, $signingAlgorithm, $signingKeyId); } /** * Determines if the URI is absolute based on its scheme and host or path * (RFC 3986). * * @param string $uri * @return bool */ private function isAbsoluteUri($uri) { $uri = $this->coerceUri($uri); return $uri->getScheme() && ($uri->getHost() || $uri->getPath()); } /** * @param array $params * @return array */ private function addClientCredentials(&$params) { $clientId = $this->getClientId(); $clientSecret = $this->getClientSecret(); if ($clientId && $clientSecret) { $params['client_id'] = $clientId; $params['client_secret'] = $clientSecret; } return $params; } } auth/src/Iam.php 0000644 00000006053 14736103211 0007515 0 ustar 00 <?php /* * Copyright 2019 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth; use Google\Auth\HttpHandler\HttpClientCache; use Google\Auth\HttpHandler\HttpHandlerFactory; use GuzzleHttp\Psr7; /** * Tools for using the IAM API. * * @see https://cloud.google.com/iam/docs IAM Documentation */ class Iam { const IAM_API_ROOT = 'https://iamcredentials.googleapis.com/v1'; const SIGN_BLOB_PATH = '%s:signBlob?alt=json'; const SERVICE_ACCOUNT_NAME = 'projects/-/serviceAccounts/%s'; /** * @var callable */ private $httpHandler; /** * @param callable $httpHandler [optional] The HTTP Handler to send requests. */ public function __construct(callable $httpHandler = null) { $this->httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); } /** * Sign a string using the IAM signBlob API. * * Note that signing using IAM requires your service account to have the * `iam.serviceAccounts.signBlob` permission, part of the "Service Account * Token Creator" IAM role. * * @param string $email The service account email. * @param string $accessToken An access token from the service account. * @param string $stringToSign The string to be signed. * @param array $delegates [optional] A list of service account emails to * add to the delegate chain. If omitted, the value of `$email` will * be used. * @return string The signed string, base64-encoded. */ public function signBlob($email, $accessToken, $stringToSign, array $delegates = []) { $httpHandler = $this->httpHandler; $name = sprintf(self::SERVICE_ACCOUNT_NAME, $email); $uri = self::IAM_API_ROOT . '/' . sprintf(self::SIGN_BLOB_PATH, $name); if ($delegates) { foreach ($delegates as &$delegate) { $delegate = sprintf(self::SERVICE_ACCOUNT_NAME, $delegate); } } else { $delegates = [$name]; } $body = [ 'delegates' => $delegates, 'payload' => base64_encode($stringToSign), ]; $headers = [ 'Authorization' => 'Bearer ' . $accessToken ]; $request = new Psr7\Request( 'POST', $uri, $headers, Psr7\stream_for(json_encode($body)) ); $res = $httpHandler($request); $body = json_decode((string) $res->getBody(), true); return $body['signedBlob']; } } auth/src/GetQuotaProjectInterface.php 0000644 00000001663 14736103211 0013712 0 ustar 00 <?php /* * Copyright 2019 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth; /** * An interface implemented by objects that can get quota projects. */ interface GetQuotaProjectInterface { const X_GOOG_USER_PROJECT_HEADER = 'X-Goog-User-Project'; /** * Get the quota project used for this API request * * @return string|null */ public function getQuotaProject(); } auth/src/Cache/MemoryCacheItemPool.php 0000644 00000006147 14736103211 0013663 0 ustar 00 <?php /* * Copyright 2016 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Cache; use Psr\Cache\CacheItemInterface; use Psr\Cache\CacheItemPoolInterface; /** * Simple in-memory cache implementation. */ final class MemoryCacheItemPool implements CacheItemPoolInterface { /** * @var CacheItemInterface[] */ private $items; /** * @var CacheItemInterface[] */ private $deferredItems; /** * {@inheritdoc} */ public function getItem($key) { return current($this->getItems([$key])); } /** * {@inheritdoc} */ public function getItems(array $keys = []) { $items = []; foreach ($keys as $key) { $items[$key] = $this->hasItem($key) ? clone $this->items[$key] : new Item($key); } return $items; } /** * {@inheritdoc} */ public function hasItem($key) { $this->isValidKey($key); return isset($this->items[$key]) && $this->items[$key]->isHit(); } /** * {@inheritdoc} */ public function clear() { $this->items = []; $this->deferredItems = []; return true; } /** * {@inheritdoc} */ public function deleteItem($key) { return $this->deleteItems([$key]); } /** * {@inheritdoc} */ public function deleteItems(array $keys) { array_walk($keys, [$this, 'isValidKey']); foreach ($keys as $key) { unset($this->items[$key]); } return true; } /** * {@inheritdoc} */ public function save(CacheItemInterface $item) { $this->items[$item->getKey()] = $item; return true; } /** * {@inheritdoc} */ public function saveDeferred(CacheItemInterface $item) { $this->deferredItems[$item->getKey()] = $item; return true; } /** * {@inheritdoc} */ public function commit() { foreach ($this->deferredItems as $item) { $this->save($item); } $this->deferredItems = []; return true; } /** * Determines if the provided key is valid. * * @param string $key * @return bool * @throws InvalidArgumentException */ private function isValidKey($key) { $invalidCharacters = '{}()/\\\\@:'; if (!is_string($key) || preg_match("#[$invalidCharacters]#", $key)) { throw new InvalidArgumentException('The provided key is not valid: ' . var_export($key, true)); } return true; } } auth/src/Cache/Item.php 0000644 00000010273 14736103211 0010707 0 ustar 00 <?php /* * Copyright 2016 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Cache; use Psr\Cache\CacheItemInterface; /** * A cache item. */ final class Item implements CacheItemInterface { /** * @var string */ private $key; /** * @var mixed */ private $value; /** * @var \DateTime|null */ private $expiration; /** * @var bool */ private $isHit = false; /** * @param string $key */ public function __construct($key) { $this->key = $key; } /** * {@inheritdoc} */ public function getKey() { return $this->key; } /** * {@inheritdoc} */ public function get() { return $this->isHit() ? $this->value : null; } /** * {@inheritdoc} */ public function isHit() { if (!$this->isHit) { return false; } if ($this->expiration === null) { return true; } return $this->currentTime()->getTimestamp() < $this->expiration->getTimestamp(); } /** * {@inheritdoc} */ public function set($value) { $this->isHit = true; $this->value = $value; return $this; } /** * {@inheritdoc} */ public function expiresAt($expiration) { if ($this->isValidExpiration($expiration)) { $this->expiration = $expiration; return $this; } $implementationMessage = interface_exists('DateTimeInterface') ? 'implement interface DateTimeInterface' : 'be an instance of DateTime'; $error = sprintf( 'Argument 1 passed to %s::expiresAt() must %s, %s given', get_class($this), $implementationMessage, gettype($expiration) ); $this->handleError($error); } /** * {@inheritdoc} */ public function expiresAfter($time) { if (is_int($time)) { $this->expiration = $this->currentTime()->add(new \DateInterval("PT{$time}S")); } elseif ($time instanceof \DateInterval) { $this->expiration = $this->currentTime()->add($time); } elseif ($time === null) { $this->expiration = $time; } else { $message = 'Argument 1 passed to %s::expiresAfter() must be an ' . 'instance of DateInterval or of the type integer, %s given'; $error = sprintf($message, get_class($this), gettype($time)); $this->handleError($error); } return $this; } /** * Handles an error. * * @param string $error * @throws \TypeError */ private function handleError($error) { if (class_exists('TypeError')) { throw new \TypeError($error); } trigger_error($error, E_USER_ERROR); } /** * Determines if an expiration is valid based on the rules defined by PSR6. * * @param mixed $expiration * @return bool */ private function isValidExpiration($expiration) { if ($expiration === null) { return true; } // We test for two types here due to the fact the DateTimeInterface // was not introduced until PHP 5.5. Checking for the DateTime type as // well allows us to support 5.4. if ($expiration instanceof \DateTimeInterface) { return true; } if ($expiration instanceof \DateTime) { return true; } return false; } protected function currentTime() { return new \DateTime('now', new \DateTimeZone('UTC')); } } auth/src/Cache/SysVCacheItemPool.php 0000644 00000013612 14736103211 0013312 0 ustar 00 <?php /** * Copyright 2018 Google Inc. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Cache; use Psr\Cache\CacheItemInterface; use Psr\Cache\CacheItemPoolInterface; /** * SystemV shared memory based CacheItemPool implementation. * * This CacheItemPool implementation can be used among multiple processes, but * it doesn't provide any locking mechanism. If multiple processes write to * this ItemPool, you have to avoid race condition manually in your code. */ class SysVCacheItemPool implements CacheItemPoolInterface { const VAR_KEY = 1; const DEFAULT_PROJ = 'A'; const DEFAULT_MEMSIZE = 10000; const DEFAULT_PERM = 0600; /** @var int */ private $sysvKey; /** * @var CacheItemInterface[] */ private $items; /** * @var CacheItemInterface[] */ private $deferredItems; /** * @var array */ private $options; /* * @var bool */ private $hasLoadedItems = false; /** * Create a SystemV shared memory based CacheItemPool. * * @param array $options [optional] Configuration options. * @param int $options.variableKey The variable key for getting the data from * the shared memory. **Defaults to** 1. * @param $options.proj string The project identifier for ftok. This needs to * be a one character string. **Defaults to** 'A'. * @param $options.memsize int The memory size in bytes for shm_attach. * **Defaults to** 10000. * @param $options.perm int The permission for shm_attach. **Defaults to** * 0600. */ public function __construct($options = []) { if (! extension_loaded('sysvshm')) { throw new \RuntimeException( 'sysvshm extension is required to use this ItemPool' ); } $this->options = $options + [ 'variableKey' => self::VAR_KEY, 'proj' => self::DEFAULT_PROJ, 'memsize' => self::DEFAULT_MEMSIZE, 'perm' => self::DEFAULT_PERM ]; $this->items = []; $this->deferredItems = []; $this->sysvKey = ftok(__FILE__, $this->options['proj']); } public function getItem($key) { $this->loadItems(); return current($this->getItems([$key])); } /** * {@inheritdoc} */ public function getItems(array $keys = []) { $this->loadItems(); $items = []; foreach ($keys as $key) { $items[$key] = $this->hasItem($key) ? clone $this->items[$key] : new Item($key); } return $items; } /** * {@inheritdoc} */ public function hasItem($key) { $this->loadItems(); return isset($this->items[$key]) && $this->items[$key]->isHit(); } /** * {@inheritdoc} */ public function clear() { $this->items = []; $this->deferredItems = []; return $this->saveCurrentItems(); } /** * {@inheritdoc} */ public function deleteItem($key) { return $this->deleteItems([$key]); } /** * {@inheritdoc} */ public function deleteItems(array $keys) { if (!$this->hasLoadedItems) { $this->loadItems(); } foreach ($keys as $key) { unset($this->items[$key]); } return $this->saveCurrentItems(); } /** * {@inheritdoc} */ public function save(CacheItemInterface $item) { if (!$this->hasLoadedItems) { $this->loadItems(); } $this->items[$item->getKey()] = $item; return $this->saveCurrentItems(); } /** * {@inheritdoc} */ public function saveDeferred(CacheItemInterface $item) { $this->deferredItems[$item->getKey()] = $item; return true; } /** * {@inheritdoc} */ public function commit() { foreach ($this->deferredItems as $item) { if ($this->save($item) === false) { return false; } } $this->deferredItems = []; return true; } /** * Save the current items. * * @return bool true when success, false upon failure */ private function saveCurrentItems() { $shmid = shm_attach( $this->sysvKey, $this->options['memsize'], $this->options['perm'] ); if ($shmid !== false) { $ret = shm_put_var( $shmid, $this->options['variableKey'], $this->items ); shm_detach($shmid); return $ret; } return false; } /** * Load the items from the shared memory. * * @return bool true when success, false upon failure */ private function loadItems() { $shmid = shm_attach( $this->sysvKey, $this->options['memsize'], $this->options['perm'] ); if ($shmid !== false) { $data = @shm_get_var($shmid, $this->options['variableKey']); if (!empty($data)) { $this->items = $data; } else { $this->items = []; } shm_detach($shmid); $this->hasLoadedItems = true; return true; } return false; } } auth/src/Cache/InvalidArgumentException.php 0000644 00000001454 14736103211 0014762 0 ustar 00 <?php /* * Copyright 2016 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Cache; use Psr\Cache\InvalidArgumentException as PsrInvalidArgumentException; class InvalidArgumentException extends \InvalidArgumentException implements PsrInvalidArgumentException { } auth/src/FetchAuthTokenCache.php 0000644 00000012756 14736103211 0012616 0 ustar 00 <?php /* * Copyright 2010 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth; use Psr\Cache\CacheItemPoolInterface; /** * A class to implement caching for any object implementing * FetchAuthTokenInterface */ class FetchAuthTokenCache implements FetchAuthTokenInterface, GetQuotaProjectInterface, SignBlobInterface, ProjectIdProviderInterface { use CacheTrait; /** * @var FetchAuthTokenInterface */ private $fetcher; /** * @var array */ private $cacheConfig; /** * @var CacheItemPoolInterface */ private $cache; /** * @param FetchAuthTokenInterface $fetcher A credentials fetcher * @param array $cacheConfig Configuration for the cache * @param CacheItemPoolInterface $cache */ public function __construct( FetchAuthTokenInterface $fetcher, array $cacheConfig = null, CacheItemPoolInterface $cache ) { $this->fetcher = $fetcher; $this->cache = $cache; $this->cacheConfig = array_merge([ 'lifetime' => 1500, 'prefix' => '', ], (array) $cacheConfig); } /** * Implements FetchAuthTokenInterface#fetchAuthToken. * * Checks the cache for a valid auth token and fetches the auth tokens * from the supplied fetcher. * * @param callable $httpHandler callback which delivers psr7 request * @return array the response * @throws \Exception */ public function fetchAuthToken(callable $httpHandler = null) { // Use the cached value if its available. // // TODO: correct caching; update the call to setCachedValue to set the expiry // to the value returned with the auth token. // // TODO: correct caching; enable the cache to be cleared. $cacheKey = $this->fetcher->getCacheKey(); $cached = $this->getCachedValue($cacheKey); if (is_array($cached)) { if (empty($cached['expires_at'])) { // If there is no expiration data, assume token is not expired. // (for JwtAccess and ID tokens) return $cached; } if (time() < $cached['expires_at']) { // access token is not expired return $cached; } } $auth_token = $this->fetcher->fetchAuthToken($httpHandler); if (isset($auth_token['access_token']) || isset($auth_token['id_token'])) { $this->setCachedValue($cacheKey, $auth_token); } return $auth_token; } /** * @return string */ public function getCacheKey() { return $this->getFullCacheKey($this->fetcher->getCacheKey()); } /** * @return array|null */ public function getLastReceivedToken() { return $this->fetcher->getLastReceivedToken(); } /** * Get the client name from the fetcher. * * @param callable $httpHandler An HTTP handler to deliver PSR7 requests. * @return string */ public function getClientName(callable $httpHandler = null) { return $this->fetcher->getClientName($httpHandler); } /** * Sign a blob using the fetcher. * * @param string $stringToSign The string to sign. * @param bool $forceOpenSsl Require use of OpenSSL for local signing. Does * not apply to signing done using external services. **Defaults to** * `false`. * @return string The resulting signature. * @throws \RuntimeException If the fetcher does not implement * `Google\Auth\SignBlobInterface`. */ public function signBlob($stringToSign, $forceOpenSsl = false) { if (!$this->fetcher instanceof SignBlobInterface) { throw new \RuntimeException( 'Credentials fetcher does not implement ' . 'Google\Auth\SignBlobInterface' ); } return $this->fetcher->signBlob($stringToSign, $forceOpenSsl); } /** * Get the quota project used for this API request from the credentials * fetcher. * * @return string|null */ public function getQuotaProject() { if ($this->fetcher instanceof GetQuotaProjectInterface) { return $this->fetcher->getQuotaProject(); } } /* * Get the Project ID from the fetcher. * * @param callable $httpHandler Callback which delivers psr7 request * @return string|null * @throws \RuntimeException If the fetcher does not implement * `Google\Auth\ProvidesProjectIdInterface`. */ public function getProjectId(callable $httpHandler = null) { if (!$this->fetcher instanceof ProjectIdProviderInterface) { throw new \RuntimeException( 'Credentials fetcher does not implement ' . 'Google\Auth\ProvidesProjectIdInterface' ); } return $this->fetcher->getProjectId($httpHandler); } } auth/src/CacheTrait.php 0000644 00000004166 14736103211 0011021 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth; trait CacheTrait { private $maxKeyLength = 64; /** * Gets the cached value if it is present in the cache when that is * available. */ private function getCachedValue($k) { if (is_null($this->cache)) { return; } $key = $this->getFullCacheKey($k); if (is_null($key)) { return; } $cacheItem = $this->cache->getItem($key); if ($cacheItem->isHit()) { return $cacheItem->get(); } } /** * Saves the value in the cache when that is available. */ private function setCachedValue($k, $v) { if (is_null($this->cache)) { return; } $key = $this->getFullCacheKey($k); if (is_null($key)) { return; } $cacheItem = $this->cache->getItem($key); $cacheItem->set($v); $cacheItem->expiresAfter($this->cacheConfig['lifetime']); return $this->cache->save($cacheItem); } private function getFullCacheKey($key) { if (is_null($key)) { return; } $key = $this->cacheConfig['prefix'] . $key; // ensure we do not have illegal characters $key = preg_replace('|[^a-zA-Z0-9_\.!]|', '', $key); // Hash keys if they exceed $maxKeyLength (defaults to 64) if ($this->maxKeyLength && strlen($key) > $this->maxKeyLength) { $key = substr(hash('sha256', $key), 0, $this->maxKeyLength); } return $key; } } auth/src/Middleware/SimpleMiddleware.php 0000644 00000005431 14736103211 0014312 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Middleware; use GuzzleHttp\Psr7; use Psr\Http\Message\RequestInterface; /** * SimpleMiddleware is a Guzzle Middleware that implements Google's Simple API * access. * * Requests are accessed using the Simple API access developer key. */ class SimpleMiddleware { /** * @var array */ private $config; /** * Create a new Simple plugin. * * The configuration array expects one option * - key: required, otherwise InvalidArgumentException is thrown * * @param array $config Configuration array */ public function __construct(array $config) { if (!isset($config['key'])) { throw new \InvalidArgumentException('requires a key to have been set'); } $this->config = array_merge(['key' => null], $config); } /** * Updates the request query with the developer key if auth is set to simple. * * use Google\Auth\Middleware\SimpleMiddleware; * use GuzzleHttp\Client; * use GuzzleHttp\HandlerStack; * * $my_key = 'is not the same as yours'; * $middleware = new SimpleMiddleware(['key' => $my_key]); * $stack = HandlerStack::create(); * $stack->push($middleware); * * $client = new Client([ * 'handler' => $stack, * 'base_uri' => 'https://www.googleapis.com/discovery/v1/', * 'auth' => 'simple' * ]); * * $res = $client->get('drive/v2/rest'); * * @param callable $handler * @return \Closure */ public function __invoke(callable $handler) { return function (RequestInterface $request, array $options) use ($handler) { // Requests using "auth"="scoped" will be authorized. if (!isset($options['auth']) || $options['auth'] !== 'simple') { return $handler($request, $options); } $query = Psr7\parse_query($request->getUri()->getQuery()); $params = array_merge($query, $this->config); $uri = $request->getUri()->withQuery(Psr7\build_query($params)); $request = $request->withUri($uri); return $handler($request, $options); }; } } auth/src/Middleware/ScopedAccessTokenMiddleware.php 0000644 00000011737 14736103211 0016427 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Middleware; use Google\Auth\CacheTrait; use Psr\Cache\CacheItemPoolInterface; use Psr\Http\Message\RequestInterface; /** * ScopedAccessTokenMiddleware is a Guzzle Middleware that adds an Authorization * header provided by a closure. * * The closure returns an access token, taking the scope, either a single * string or an array of strings, as its value. If provided, a cache will be * used to preserve the access token for a given lifetime. * * Requests will be accessed with the authorization header: * * 'authorization' 'Bearer <value of auth_token>' */ class ScopedAccessTokenMiddleware { use CacheTrait; const DEFAULT_CACHE_LIFETIME = 1500; /** * @var CacheItemPoolInterface */ private $cache; /** * @var array configuration */ private $cacheConfig; /** * @var callable */ private $tokenFunc; /** * @var array|string */ private $scopes; /** * Creates a new ScopedAccessTokenMiddleware. * * @param callable $tokenFunc a token generator function * @param array|string $scopes the token authentication scopes * @param array $cacheConfig configuration for the cache when it's present * @param CacheItemPoolInterface $cache an implementation of CacheItemPoolInterface */ public function __construct( callable $tokenFunc, $scopes, array $cacheConfig = null, CacheItemPoolInterface $cache = null ) { $this->tokenFunc = $tokenFunc; if (!(is_string($scopes) || is_array($scopes))) { throw new \InvalidArgumentException( 'wants scope should be string or array' ); } $this->scopes = $scopes; if (!is_null($cache)) { $this->cache = $cache; $this->cacheConfig = array_merge([ 'lifetime' => self::DEFAULT_CACHE_LIFETIME, 'prefix' => '', ], $cacheConfig); } } /** * Updates the request with an Authorization header when auth is 'scoped'. * * E.g this could be used to authenticate using the AppEngine * AppIdentityService. * * use google\appengine\api\app_identity\AppIdentityService; * use Google\Auth\Middleware\ScopedAccessTokenMiddleware; * use GuzzleHttp\Client; * use GuzzleHttp\HandlerStack; * * $scope = 'https://www.googleapis.com/auth/taskqueue' * $middleware = new ScopedAccessTokenMiddleware( * 'AppIdentityService::getAccessToken', * $scope, * [ 'prefix' => 'Google\Auth\ScopedAccessToken::' ], * $cache = new Memcache() * ); * $stack = HandlerStack::create(); * $stack->push($middleware); * * $client = new Client([ * 'handler' => $stack, * 'base_url' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', * 'auth' => 'scoped' // authorize all requests * ]); * * $res = $client->get('myproject/taskqueues/myqueue'); * * @param callable $handler * @return \Closure */ public function __invoke(callable $handler) { return function (RequestInterface $request, array $options) use ($handler) { // Requests using "auth"="scoped" will be authorized. if (!isset($options['auth']) || $options['auth'] !== 'scoped') { return $handler($request, $options); } $request = $request->withHeader('authorization', 'Bearer ' . $this->fetchToken()); return $handler($request, $options); }; } /** * @return string */ private function getCacheKey() { $key = null; if (is_string($this->scopes)) { $key .= $this->scopes; } elseif (is_array($this->scopes)) { $key .= implode(':', $this->scopes); } return $key; } /** * Determine if token is available in the cache, if not call tokenFunc to * fetch it. * * @return string */ private function fetchToken() { $cacheKey = $this->getCacheKey(); $cached = $this->getCachedValue($cacheKey); if (!empty($cached)) { return $cached; } $token = call_user_func($this->tokenFunc, $this->scopes); $this->setCachedValue($cacheKey, $token); return $token; } } auth/src/Middleware/AuthTokenMiddleware.php 0000644 00000010756 14736103211 0014771 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Middleware; use Google\Auth\FetchAuthTokenInterface; use Google\Auth\GetQuotaProjectInterface; use Psr\Http\Message\RequestInterface; /** * AuthTokenMiddleware is a Guzzle Middleware that adds an Authorization header * provided by an object implementing FetchAuthTokenInterface. * * The FetchAuthTokenInterface#fetchAuthToken is used to obtain a hash; one of * the values value in that hash is added as the authorization header. * * Requests will be accessed with the authorization header: * * 'authorization' 'Bearer <value of auth_token>' */ class AuthTokenMiddleware { /** * @var callback */ private $httpHandler; /** * @var FetchAuthTokenInterface */ private $fetcher; /** * @var callable */ private $tokenCallback; /** * Creates a new AuthTokenMiddleware. * * @param FetchAuthTokenInterface $fetcher is used to fetch the auth token * @param callable $httpHandler (optional) callback which delivers psr7 request * @param callable $tokenCallback (optional) function to be called when a new token is fetched. */ public function __construct( FetchAuthTokenInterface $fetcher, callable $httpHandler = null, callable $tokenCallback = null ) { $this->fetcher = $fetcher; $this->httpHandler = $httpHandler; $this->tokenCallback = $tokenCallback; } /** * Updates the request with an Authorization header when auth is 'google_auth'. * * use Google\Auth\Middleware\AuthTokenMiddleware; * use Google\Auth\OAuth2; * use GuzzleHttp\Client; * use GuzzleHttp\HandlerStack; * * $config = [..<oauth config param>.]; * $oauth2 = new OAuth2($config) * $middleware = new AuthTokenMiddleware($oauth2); * $stack = HandlerStack::create(); * $stack->push($middleware); * * $client = new Client([ * 'handler' => $stack, * 'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', * 'auth' => 'google_auth' // authorize all requests * ]); * * $res = $client->get('myproject/taskqueues/myqueue'); * * @param callable $handler * @return \Closure */ public function __invoke(callable $handler) { return function (RequestInterface $request, array $options) use ($handler) { // Requests using "auth"="google_auth" will be authorized. if (!isset($options['auth']) || $options['auth'] !== 'google_auth') { return $handler($request, $options); } $request = $request->withHeader('authorization', 'Bearer ' . $this->fetchToken()); if ($quotaProject = $this->getQuotaProject()) { $request = $request->withHeader( GetQuotaProjectInterface::X_GOOG_USER_PROJECT_HEADER, $quotaProject ); } return $handler($request, $options); }; } /** * Call fetcher to fetch the token. * * @return string */ private function fetchToken() { $auth_tokens = $this->fetcher->fetchAuthToken($this->httpHandler); if (array_key_exists('access_token', $auth_tokens)) { // notify the callback if applicable if ($this->tokenCallback) { call_user_func( $this->tokenCallback, $this->fetcher->getCacheKey(), $auth_tokens['access_token'] ); } return $auth_tokens['access_token']; } if (array_key_exists('id_token', $auth_tokens)) { return $auth_tokens['id_token']; } } private function getQuotaProject() { if ($this->fetcher instanceof GetQuotaProjectInterface) { return $this->fetcher->getQuotaProject(); } } } auth/src/ApplicationDefaultCredentials.php 0000644 00000025364 14736103211 0014743 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth; use DomainException; use Google\Auth\Credentials\AppIdentityCredentials; use Google\Auth\Credentials\GCECredentials; use Google\Auth\Credentials\ServiceAccountCredentials; use Google\Auth\HttpHandler\HttpClientCache; use Google\Auth\HttpHandler\HttpHandlerFactory; use Google\Auth\Middleware\AuthTokenMiddleware; use Google\Auth\Subscriber\AuthTokenSubscriber; use GuzzleHttp\Client; use InvalidArgumentException; use Psr\Cache\CacheItemPoolInterface; /** * ApplicationDefaultCredentials obtains the default credentials for * authorizing a request to a Google service. * * Application Default Credentials are described here: * https://developers.google.com/accounts/docs/application-default-credentials * * This class implements the search for the application default credentials as * described in the link. * * It provides three factory methods: * - #get returns the computed credentials object * - #getSubscriber returns an AuthTokenSubscriber built from the credentials object * - #getMiddleware returns an AuthTokenMiddleware built from the credentials object * * This allows it to be used as follows with GuzzleHttp\Client: * * ``` * use Google\Auth\ApplicationDefaultCredentials; * use GuzzleHttp\Client; * use GuzzleHttp\HandlerStack; * * $middleware = ApplicationDefaultCredentials::getMiddleware( * 'https://www.googleapis.com/auth/taskqueue' * ); * $stack = HandlerStack::create(); * $stack->push($middleware); * * $client = new Client([ * 'handler' => $stack, * 'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', * 'auth' => 'google_auth' // authorize all requests * ]); * * $res = $client->get('myproject/taskqueues/myqueue'); * ``` */ class ApplicationDefaultCredentials { /** * Obtains an AuthTokenSubscriber that uses the default FetchAuthTokenInterface * implementation to use in this environment. * * If supplied, $scope is used to in creating the credentials instance if * this does not fallback to the compute engine defaults. * * @param string|array scope the scope of the access request, expressed * either as an Array or as a space-delimited String. * @param callable $httpHandler callback which delivers psr7 request * @param array $cacheConfig configuration for the cache when it's present * @param CacheItemPoolInterface $cache A cache implementation, may be * provided if you have one already available for use. * @return AuthTokenSubscriber * @throws DomainException if no implementation can be obtained. */ public static function getSubscriber( $scope = null, callable $httpHandler = null, array $cacheConfig = null, CacheItemPoolInterface $cache = null ) { $creds = self::getCredentials($scope, $httpHandler, $cacheConfig, $cache); return new AuthTokenSubscriber($creds, $httpHandler); } /** * Obtains an AuthTokenMiddleware that uses the default FetchAuthTokenInterface * implementation to use in this environment. * * If supplied, $scope is used to in creating the credentials instance if * this does not fallback to the compute engine defaults. * * @param string|array scope the scope of the access request, expressed * either as an Array or as a space-delimited String. * @param callable $httpHandler callback which delivers psr7 request * @param array $cacheConfig configuration for the cache when it's present * @param CacheItemPoolInterface $cache A cache implementation, may be * provided if you have one already available for use. * @return AuthTokenMiddleware * @throws DomainException if no implementation can be obtained. */ public static function getMiddleware( $scope = null, callable $httpHandler = null, array $cacheConfig = null, CacheItemPoolInterface $cache = null ) { $creds = self::getCredentials($scope, $httpHandler, $cacheConfig, $cache); return new AuthTokenMiddleware($creds, $httpHandler); } /** * Obtains an AuthTokenMiddleware which will fetch an access token to use in * the Authorization header. The middleware is configured with the default * FetchAuthTokenInterface implementation to use in this environment. * * If supplied, $scope is used to in creating the credentials instance if * this does not fallback to the Compute Engine defaults. * * @param string|array scope the scope of the access request, expressed * either as an Array or as a space-delimited String. * @param callable $httpHandler callback which delivers psr7 request * @param array $cacheConfig configuration for the cache when it's present * @param CacheItemPoolInterface $cache A cache implementation, may be * provided if you have one already available for use. * @param string $quotaProject specifies a project to bill for access * charges associated with the request. * * @return CredentialsLoader * @throws DomainException if no implementation can be obtained. */ public static function getCredentials( $scope = null, callable $httpHandler = null, array $cacheConfig = null, CacheItemPoolInterface $cache = null, $quotaProject = null ) { $creds = null; $jsonKey = CredentialsLoader::fromEnv() ?: CredentialsLoader::fromWellKnownFile(); if (!$httpHandler) { if (!($client = HttpClientCache::getHttpClient())) { $client = new Client(); HttpClientCache::setHttpClient($client); } $httpHandler = HttpHandlerFactory::build($client); } if (!is_null($jsonKey)) { $jsonKey['quota_project'] = $quotaProject; $creds = CredentialsLoader::makeCredentials($scope, $jsonKey); } elseif (AppIdentityCredentials::onAppEngine() && !GCECredentials::onAppEngineFlexible()) { $creds = new AppIdentityCredentials($scope); } elseif (GCECredentials::onGce($httpHandler)) { $creds = new GCECredentials(null, $scope, null, $quotaProject); } if (is_null($creds)) { throw new DomainException(self::notFound()); } if (!is_null($cache)) { $creds = new FetchAuthTokenCache($creds, $cacheConfig, $cache); } return $creds; } /** * Obtains an AuthTokenMiddleware which will fetch an ID token to use in the * Authorization header. The middleware is configured with the default * FetchAuthTokenInterface implementation to use in this environment. * * If supplied, $targetAudience is used to set the "aud" on the resulting * ID token. * * @param string $targetAudience The audience for the ID token. * @param callable $httpHandler callback which delivers psr7 request * @param array $cacheConfig configuration for the cache when it's present * @param CacheItemPoolInterface $cache A cache implementation, may be * provided if you have one already available for use. * @return AuthTokenMiddleware * @throws DomainException if no implementation can be obtained. */ public static function getIdTokenMiddleware( $targetAudience, callable $httpHandler = null, array $cacheConfig = null, CacheItemPoolInterface $cache = null ) { $creds = self::getIdTokenCredentials($targetAudience, $httpHandler, $cacheConfig, $cache); return new AuthTokenMiddleware($creds, $httpHandler); } /** * Obtains the default FetchAuthTokenInterface implementation to use * in this environment, configured with a $targetAudience for fetching an ID * token. * * @param string $targetAudience The audience for the ID token. * @param callable $httpHandler callback which delivers psr7 request * @param array $cacheConfig configuration for the cache when it's present * @param CacheItemPoolInterface $cache A cache implementation, may be * provided if you have one already available for use. * @return CredentialsLoader * @throws DomainException if no implementation can be obtained. * @throws InvalidArgumentException if JSON "type" key is invalid */ public static function getIdTokenCredentials( $targetAudience, callable $httpHandler = null, array $cacheConfig = null, CacheItemPoolInterface $cache = null ) { $creds = null; $jsonKey = CredentialsLoader::fromEnv() ?: CredentialsLoader::fromWellKnownFile(); if (!$httpHandler) { if (!($client = HttpClientCache::getHttpClient())) { $client = new Client(); HttpClientCache::setHttpClient($client); } $httpHandler = HttpHandlerFactory::build($client); } if (!is_null($jsonKey)) { if (!array_key_exists('type', $jsonKey)) { throw new \InvalidArgumentException('json key is missing the type field'); } if ($jsonKey['type'] == 'authorized_user') { throw new InvalidArgumentException('ID tokens are not supported for end user credentials'); } if ($jsonKey['type'] != 'service_account') { throw new InvalidArgumentException('invalid value in the type field'); } $creds = new ServiceAccountCredentials(null, $jsonKey, null, $targetAudience); } elseif (GCECredentials::onGce($httpHandler)) { $creds = new GCECredentials(null, null, $targetAudience); } if (is_null($creds)) { throw new DomainException(self::notFound()); } if (!is_null($cache)) { $creds = new FetchAuthTokenCache($creds, $cacheConfig, $cache); } return $creds; } private static function notFound() { $msg = 'Could not load the default credentials. Browse to '; $msg .= 'https://developers.google.com'; $msg .= '/accounts/docs/application-default-credentials'; $msg .= ' for more information'; return $msg; } } auth/src/SignBlobInterface.php 0000644 00000002773 14736103211 0012334 0 ustar 00 <?php /* * Copyright 2019 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth; /** * Describes a class which supports signing arbitrary strings. */ interface SignBlobInterface extends FetchAuthTokenInterface { /** * Sign a string using the method which is best for a given credentials type. * * @param string $stringToSign The string to sign. * @param bool $forceOpenssl Require use of OpenSSL for local signing. Does * not apply to signing done using external services. **Defaults to** * `false`. * @return string The resulting signature. Value should be base64-encoded. */ public function signBlob($stringToSign, $forceOpenssl = false); /** * Returns the current Client Name. * * @param callable $httpHandler callback which delivers psr7 request, if * one is required to obtain a client name. * @return string */ public function getClientName(callable $httpHandler = null); } auth/src/FetchAuthTokenInterface.php 0000644 00000003154 14736103211 0013503 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth; /** * An interface implemented by objects that can fetch auth tokens. */ interface FetchAuthTokenInterface { /** * Fetches the auth tokens based on the current state. * * @param callable $httpHandler callback which delivers psr7 request * @return array a hash of auth tokens */ public function fetchAuthToken(callable $httpHandler = null); /** * Obtains a key that can used to cache the results of #fetchAuthToken. * * If the value is empty, the auth token is not cached. * * @return string a key that may be used to cache the auth token. */ public function getCacheKey(); /** * Returns an associative array with the token and * expiration time. * * @return null|array { * The last received access token. * * @var string $access_token The access token string. * @var int $expires_at The time the token expires as a UNIX timestamp. * } */ public function getLastReceivedToken(); } auth/src/Credentials/AppIdentityCredentials.php 0000644 00000015275 14736103211 0015662 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Credentials; /* * The AppIdentityService class is automatically defined on App Engine, * so including this dependency is not necessary, and will result in a * PHP fatal error in the App Engine environment. */ use google\appengine\api\app_identity\AppIdentityService; use Google\Auth\CredentialsLoader; use Google\Auth\ProjectIdProviderInterface; use Google\Auth\SignBlobInterface; /** * AppIdentityCredentials supports authorization on Google App Engine. * * It can be used to authorize requests using the AuthTokenMiddleware or * AuthTokenSubscriber, but will only succeed if being run on App Engine: * * Example: * ``` * use Google\Auth\Credentials\AppIdentityCredentials; * use Google\Auth\Middleware\AuthTokenMiddleware; * use GuzzleHttp\Client; * use GuzzleHttp\HandlerStack; * * $gae = new AppIdentityCredentials('https://www.googleapis.com/auth/books'); * $middleware = new AuthTokenMiddleware($gae); * $stack = HandlerStack::create(); * $stack->push($middleware); * * $client = new Client([ * 'handler' => $stack, * 'base_uri' => 'https://www.googleapis.com/books/v1', * 'auth' => 'google_auth' * ]); * * $res = $client->get('volumes?q=Henry+David+Thoreau&country=US'); * ``` */ class AppIdentityCredentials extends CredentialsLoader implements SignBlobInterface, ProjectIdProviderInterface { /** * Result of fetchAuthToken. * * @var array */ protected $lastReceivedToken; /** * Array of OAuth2 scopes to be requested. * * @var array */ private $scope; /** * @var string */ private $clientName; /** * @param array $scope One or more scopes. */ public function __construct($scope = array()) { $this->scope = $scope; } /** * Determines if this an App Engine instance, by accessing the * SERVER_SOFTWARE environment variable (prod) or the APPENGINE_RUNTIME * environment variable (dev). * * @return bool true if this an App Engine Instance, false otherwise */ public static function onAppEngine() { $appEngineProduction = isset($_SERVER['SERVER_SOFTWARE']) && 0 === strpos($_SERVER['SERVER_SOFTWARE'], 'Google App Engine'); if ($appEngineProduction) { return true; } $appEngineDevAppServer = isset($_SERVER['APPENGINE_RUNTIME']) && $_SERVER['APPENGINE_RUNTIME'] == 'php'; if ($appEngineDevAppServer) { return true; } return false; } /** * Implements FetchAuthTokenInterface#fetchAuthToken. * * Fetches the auth tokens using the AppIdentityService if available. * As the AppIdentityService uses protobufs to fetch the access token, * the GuzzleHttp\ClientInterface instance passed in will not be used. * * @param callable $httpHandler callback which delivers psr7 request * @return array A set of auth related metadata, containing the following * keys: * - access_token (string) * - expiration_time (string) */ public function fetchAuthToken(callable $httpHandler = null) { try { $this->checkAppEngineContext(); } catch (\Exception $e) { return []; } // AppIdentityService expects an array when multiple scopes are supplied $scope = is_array($this->scope) ? $this->scope : explode(' ', $this->scope); $token = AppIdentityService::getAccessToken($scope); $this->lastReceivedToken = $token; return $token; } /** * Sign a string using AppIdentityService. * * @param string $stringToSign The string to sign. * @param bool $forceOpenSsl [optional] Does not apply to this credentials * type. * @return string The signature, base64-encoded. * @throws \Exception If AppEngine SDK or mock is not available. */ public function signBlob($stringToSign, $forceOpenSsl = false) { $this->checkAppEngineContext(); return base64_encode(AppIdentityService::signForApp($stringToSign)['signature']); } /** * Get the project ID from AppIdentityService. * * Returns null if AppIdentityService is unavailable. * * @param callable $httpHandler Not used by this type. * @return string|null */ public function getProjectId(callable $httpHander = null) { try { $this->checkAppEngineContext(); } catch (\Exception $e) { return null; } return AppIdentityService::getApplicationId(); } /** * Get the client name from AppIdentityService. * * Subsequent calls to this method will return a cached value. * * @param callable $httpHandler Not used in this implementation. * @return string * @throws \Exception If AppEngine SDK or mock is not available. */ public function getClientName(callable $httpHandler = null) { $this->checkAppEngineContext(); if (!$this->clientName) { $this->clientName = AppIdentityService::getServiceAccountName(); } return $this->clientName; } /** * @return array|null */ public function getLastReceivedToken() { if ($this->lastReceivedToken) { return [ 'access_token' => $this->lastReceivedToken['access_token'], 'expires_at' => $this->lastReceivedToken['expiration_time'], ]; } return null; } /** * Caching is handled by the underlying AppIdentityService, return empty string * to prevent caching. * * @return string */ public function getCacheKey() { return ''; } private function checkAppEngineContext() { if (!self::onAppEngine() || !class_exists('google\appengine\api\app_identity\AppIdentityService')) { throw new \Exception( 'This class must be run in App Engine, or you must include the AppIdentityService ' . 'mock class defined in tests/mocks/AppIdentityService.php' ); } } } auth/src/Credentials/UserRefreshCredentials.php 0000644 00000010111 14736103211 0015645 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Credentials; use Google\Auth\CredentialsLoader; use Google\Auth\GetQuotaProjectInterface; use Google\Auth\OAuth2; /** * Authenticates requests using User Refresh credentials. * * This class allows authorizing requests from user refresh tokens. * * This the end of the result of a 3LO flow. E.g, the end result of * 'gcloud auth login' saves a file with these contents in well known * location * * @see [Application Default Credentials](http://goo.gl/mkAHpZ) */ class UserRefreshCredentials extends CredentialsLoader implements GetQuotaProjectInterface { /** * The OAuth2 instance used to conduct authorization. * * @var OAuth2 */ protected $auth; /** * The quota project associated with the JSON credentials */ protected $quotaProject; /** * Create a new UserRefreshCredentials. * * @param string|array $scope the scope of the access request, expressed * either as an Array or as a space-delimited String. * @param string|array $jsonKey JSON credential file path or JSON credentials * as an associative array */ public function __construct( $scope, $jsonKey ) { if (is_string($jsonKey)) { if (!file_exists($jsonKey)) { throw new \InvalidArgumentException('file does not exist'); } $jsonKeyStream = file_get_contents($jsonKey); if (!$jsonKey = json_decode($jsonKeyStream, true)) { throw new \LogicException('invalid json for auth config'); } } if (!array_key_exists('client_id', $jsonKey)) { throw new \InvalidArgumentException( 'json key is missing the client_id field' ); } if (!array_key_exists('client_secret', $jsonKey)) { throw new \InvalidArgumentException( 'json key is missing the client_secret field' ); } if (!array_key_exists('refresh_token', $jsonKey)) { throw new \InvalidArgumentException( 'json key is missing the refresh_token field' ); } $this->auth = new OAuth2([ 'clientId' => $jsonKey['client_id'], 'clientSecret' => $jsonKey['client_secret'], 'refresh_token' => $jsonKey['refresh_token'], 'scope' => $scope, 'tokenCredentialUri' => self::TOKEN_CREDENTIAL_URI, ]); if (array_key_exists('quota_project', $jsonKey)) { $this->quotaProject = (string) $jsonKey['quota_project']; } } /** * @param callable $httpHandler * * @return array A set of auth related metadata, containing the following * keys: * - access_token (string) * - expires_in (int) * - scope (string) * - token_type (string) * - id_token (string) */ public function fetchAuthToken(callable $httpHandler = null) { return $this->auth->fetchAuthToken($httpHandler); } /** * @return string */ public function getCacheKey() { return $this->auth->getClientId() . ':' . $this->auth->getCacheKey(); } /** * @return array */ public function getLastReceivedToken() { return $this->auth->getLastReceivedToken(); } /** * Get the quota project used for this API request * * @return string|null */ public function getQuotaProject() { return $this->quotaProject; } } auth/src/Credentials/GCECredentials.php 0000644 00000034131 14736103211 0014016 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Credentials; use Google\Auth\CredentialsLoader; use Google\Auth\GetQuotaProjectInterface; use Google\Auth\HttpHandler\HttpClientCache; use Google\Auth\HttpHandler\HttpHandlerFactory; use Google\Auth\Iam; use Google\Auth\ProjectIdProviderInterface; use Google\Auth\SignBlobInterface; use GuzzleHttp\Exception\ClientException; use GuzzleHttp\Exception\ConnectException; use GuzzleHttp\Exception\RequestException; use GuzzleHttp\Exception\ServerException; use GuzzleHttp\Psr7\Request; use InvalidArgumentException; /** * GCECredentials supports authorization on Google Compute Engine. * * It can be used to authorize requests using the AuthTokenMiddleware, but will * only succeed if being run on GCE: * * use Google\Auth\Credentials\GCECredentials; * use Google\Auth\Middleware\AuthTokenMiddleware; * use GuzzleHttp\Client; * use GuzzleHttp\HandlerStack; * * $gce = new GCECredentials(); * $middleware = new AuthTokenMiddleware($gce); * $stack = HandlerStack::create(); * $stack->push($middleware); * * $client = new Client([ * 'handler' => $stack, * 'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', * 'auth' => 'google_auth' * ]); * * $res = $client->get('myproject/taskqueues/myqueue'); */ class GCECredentials extends CredentialsLoader implements SignBlobInterface, ProjectIdProviderInterface, GetQuotaProjectInterface { // phpcs:disable const cacheKey = 'GOOGLE_AUTH_PHP_GCE'; // phpcs:enable /** * The metadata IP address on appengine instances. * * The IP is used instead of the domain 'metadata' to avoid slow responses * when not on Compute Engine. */ const METADATA_IP = '169.254.169.254'; /** * The metadata path of the default token. */ const TOKEN_URI_PATH = 'v1/instance/service-accounts/default/token'; /** * The metadata path of the default id token. */ const ID_TOKEN_URI_PATH = 'v1/instance/service-accounts/default/identity'; /** * The metadata path of the client ID. */ const CLIENT_ID_URI_PATH = 'v1/instance/service-accounts/default/email'; /** * The metadata path of the project ID. */ const PROJECT_ID_URI_PATH = 'v1/project/project-id'; /** * The header whose presence indicates GCE presence. */ const FLAVOR_HEADER = 'Metadata-Flavor'; /** * Note: the explicit `timeout` and `tries` below is a workaround. The underlying * issue is that resolving an unknown host on some networks will take * 20-30 seconds; making this timeout short fixes the issue, but * could lead to false negatives in the event that we are on GCE, but * the metadata resolution was particularly slow. The latter case is * "unlikely" since the expected 4-nines time is about 0.5 seconds. * This allows us to limit the total ping maximum timeout to 1.5 seconds * for developer desktop scenarios. */ const MAX_COMPUTE_PING_TRIES = 3; const COMPUTE_PING_CONNECTION_TIMEOUT_S = 0.5; /** * Flag used to ensure that the onGCE test is only done once;. * * @var bool */ private $hasCheckedOnGce = false; /** * Flag that stores the value of the onGCE check. * * @var bool */ private $isOnGce = false; /** * Result of fetchAuthToken. */ protected $lastReceivedToken; /** * @var string|null */ private $clientName; /** * @var string|null */ private $projectId; /** * @var Iam|null */ private $iam; /** * @var string */ private $tokenUri; /** * @var string */ private $targetAudience; /** * @var string|null */ private $quotaProject; /** * @param Iam $iam [optional] An IAM instance. * @param string|array $scope [optional] the scope of the access request, * expressed either as an array or as a space-delimited string. * @param string $targetAudience [optional] The audience for the ID token. * @param string $quotaProject [optional] Specifies a project to bill for access * charges associated with the request. */ public function __construct(Iam $iam = null, $scope = null, $targetAudience = null, $quotaProject = null) { $this->iam = $iam; if ($scope && $targetAudience) { throw new InvalidArgumentException( 'Scope and targetAudience cannot both be supplied' ); } $tokenUri = self::getTokenUri(); if ($scope) { if (is_string($scope)) { $scope = explode(' ', $scope); } $scope = implode(',', $scope); $tokenUri = $tokenUri . '?scopes='. $scope; } elseif ($targetAudience) { $tokenUri = sprintf( 'http://%s/computeMetadata/%s?audience=%s', self::METADATA_IP, self::ID_TOKEN_URI_PATH, $targetAudience ); $this->targetAudience = $targetAudience; } $this->tokenUri = $tokenUri; $this->quotaProject = $quotaProject; } /** * The full uri for accessing the default token. * * @return string */ public static function getTokenUri() { $base = 'http://' . self::METADATA_IP . '/computeMetadata/'; return $base . self::TOKEN_URI_PATH; } /** * The full uri for accessing the default service account. * * @return string */ public static function getClientNameUri() { $base = 'http://' . self::METADATA_IP . '/computeMetadata/'; return $base . self::CLIENT_ID_URI_PATH; } /** * The full uri for accessing the default project ID. * * @return string */ private static function getProjectIdUri() { $base = 'http://' . self::METADATA_IP . '/computeMetadata/'; return $base . self::PROJECT_ID_URI_PATH; } /** * Determines if this an App Engine Flexible instance, by accessing the * GAE_INSTANCE environment variable. * * @return bool true if this an App Engine Flexible Instance, false otherwise */ public static function onAppEngineFlexible() { return substr(getenv('GAE_INSTANCE'), 0, 4) === 'aef-'; } /** * Determines if this a GCE instance, by accessing the expected metadata * host. * If $httpHandler is not specified a the default HttpHandler is used. * * @param callable $httpHandler callback which delivers psr7 request * @return bool True if this a GCEInstance, false otherwise */ public static function onGce(callable $httpHandler = null) { $httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); $checkUri = 'http://' . self::METADATA_IP; for ($i = 1; $i <= self::MAX_COMPUTE_PING_TRIES; $i++) { try { // Comment from: oauth2client/client.py // // Note: the explicit `timeout` below is a workaround. The underlying // issue is that resolving an unknown host on some networks will take // 20-30 seconds; making this timeout short fixes the issue, but // could lead to false negatives in the event that we are on GCE, but // the metadata resolution was particularly slow. The latter case is // "unlikely". $resp = $httpHandler( new Request( 'GET', $checkUri, [self::FLAVOR_HEADER => 'Google'] ), ['timeout' => self::COMPUTE_PING_CONNECTION_TIMEOUT_S] ); return $resp->getHeaderLine(self::FLAVOR_HEADER) == 'Google'; } catch (ClientException $e) { } catch (ServerException $e) { } catch (RequestException $e) { } catch (ConnectException $e) { } } return false; } /** * Implements FetchAuthTokenInterface#fetchAuthToken. * * Fetches the auth tokens from the GCE metadata host if it is available. * If $httpHandler is not specified a the default HttpHandler is used. * * @param callable $httpHandler callback which delivers psr7 request * * @return array A set of auth related metadata, based on the token type. * * Access tokens have the following keys: * - access_token (string) * - expires_in (int) * - token_type (string) * ID tokens have the following keys: * - id_token (string) * * @throws \Exception */ public function fetchAuthToken(callable $httpHandler = null) { $httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); if (!$this->hasCheckedOnGce) { $this->isOnGce = self::onGce($httpHandler); $this->hasCheckedOnGce = true; } if (!$this->isOnGce) { return array(); // return an empty array with no access token } $response = $this->getFromMetadata($httpHandler, $this->tokenUri); if ($this->targetAudience) { return ['id_token' => $response]; } if (null === $json = json_decode($response, true)) { throw new \Exception('Invalid JSON response'); } // store this so we can retrieve it later $this->lastReceivedToken = $json; $this->lastReceivedToken['expires_at'] = time() + $json['expires_in']; return $json; } /** * @return string */ public function getCacheKey() { return self::cacheKey; } /** * @return array|null */ public function getLastReceivedToken() { if ($this->lastReceivedToken) { return [ 'access_token' => $this->lastReceivedToken['access_token'], 'expires_at' => $this->lastReceivedToken['expires_at'], ]; } return null; } /** * Get the client name from GCE metadata. * * Subsequent calls will return a cached value. * * @param callable $httpHandler callback which delivers psr7 request * @return string */ public function getClientName(callable $httpHandler = null) { if ($this->clientName) { return $this->clientName; } $httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); if (!$this->hasCheckedOnGce) { $this->isOnGce = self::onGce($httpHandler); $this->hasCheckedOnGce = true; } if (!$this->isOnGce) { return ''; } $this->clientName = $this->getFromMetadata($httpHandler, self::getClientNameUri()); return $this->clientName; } /** * Sign a string using the default service account private key. * * This implementation uses IAM's signBlob API. * * @see https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/signBlob SignBlob * * @param string $stringToSign The string to sign. * @param bool $forceOpenSsl [optional] Does not apply to this credentials * type. * @return string */ public function signBlob($stringToSign, $forceOpenSsl = false) { $httpHandler = HttpHandlerFactory::build(HttpClientCache::getHttpClient()); // Providing a signer is useful for testing, but it's undocumented // because it's not something a user would generally need to do. $signer = $this->iam ?: new Iam($httpHandler); $email = $this->getClientName($httpHandler); $previousToken = $this->getLastReceivedToken(); $accessToken = $previousToken ? $previousToken['access_token'] : $this->fetchAuthToken($httpHandler)['access_token']; return $signer->signBlob($email, $accessToken, $stringToSign); } /** * Fetch the default Project ID from compute engine. * * Returns null if called outside GCE. * * @param callable $httpHandler Callback which delivers psr7 request * @return string|null */ public function getProjectId(callable $httpHandler = null) { if ($this->projectId) { return $this->projectId; } $httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); if (!$this->hasCheckedOnGce) { $this->isOnGce = self::onGce($httpHandler); $this->hasCheckedOnGce = true; } if (!$this->isOnGce) { return null; } $this->projectId = $this->getFromMetadata($httpHandler, self::getProjectIdUri()); return $this->projectId; } /** * Fetch the value of a GCE metadata server URI. * * @param callable $httpHandler An HTTP Handler to deliver PSR7 requests. * @param string $uri The metadata URI. * @return string */ private function getFromMetadata(callable $httpHandler, $uri) { $resp = $httpHandler( new Request( 'GET', $uri, [self::FLAVOR_HEADER => 'Google'] ) ); return (string) $resp->getBody(); } /** * Get the quota project used for this API request * * @return string|null */ public function getQuotaProject() { return $this->quotaProject; } } auth/src/Credentials/ServiceAccountCredentials.php 0000644 00000017374 14736103211 0016347 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Credentials; use Google\Auth\CredentialsLoader; use Google\Auth\GetQuotaProjectInterface; use Google\Auth\OAuth2; use Google\Auth\ProjectIdProviderInterface; use Google\Auth\ServiceAccountSignerTrait; use Google\Auth\SignBlobInterface; use InvalidArgumentException; /** * ServiceAccountCredentials supports authorization using a Google service * account. * * (cf https://developers.google.com/accounts/docs/OAuth2ServiceAccount) * * It's initialized using the json key file that's downloadable from developer * console, which should contain a private_key and client_email fields that it * uses. * * Use it with AuthTokenMiddleware to authorize http requests: * * use Google\Auth\Credentials\ServiceAccountCredentials; * use Google\Auth\Middleware\AuthTokenMiddleware; * use GuzzleHttp\Client; * use GuzzleHttp\HandlerStack; * * $sa = new ServiceAccountCredentials( * 'https://www.googleapis.com/auth/taskqueue', * '/path/to/your/json/key_file.json' * ); * $middleware = new AuthTokenMiddleware($sa); * $stack = HandlerStack::create(); * $stack->push($middleware); * * $client = new Client([ * 'handler' => $stack, * 'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', * 'auth' => 'google_auth' // authorize all requests * ]); * * $res = $client->get('myproject/taskqueues/myqueue'); */ class ServiceAccountCredentials extends CredentialsLoader implements GetQuotaProjectInterface, SignBlobInterface, ProjectIdProviderInterface { use ServiceAccountSignerTrait; /** * The OAuth2 instance used to conduct authorization. * * @var OAuth2 */ protected $auth; /** * The quota project associated with the JSON credentials * * @var string */ protected $quotaProject; /* * @var string|null */ protected $projectId; /** * Create a new ServiceAccountCredentials. * * @param string|array $scope the scope of the access request, expressed * either as an Array or as a space-delimited String. * @param string|array $jsonKey JSON credential file path or JSON credentials * as an associative array * @param string $sub an email address account to impersonate, in situations when * the service account has been delegated domain wide access. * @param string $targetAudience The audience for the ID token. */ public function __construct( $scope, $jsonKey, $sub = null, $targetAudience = null ) { if (is_string($jsonKey)) { if (!file_exists($jsonKey)) { throw new \InvalidArgumentException('file does not exist'); } $jsonKeyStream = file_get_contents($jsonKey); if (!$jsonKey = json_decode($jsonKeyStream, true)) { throw new \LogicException('invalid json for auth config'); } } if (!array_key_exists('client_email', $jsonKey)) { throw new \InvalidArgumentException( 'json key is missing the client_email field' ); } if (!array_key_exists('private_key', $jsonKey)) { throw new \InvalidArgumentException( 'json key is missing the private_key field' ); } if (array_key_exists('quota_project', $jsonKey)) { $this->quotaProject = (string) $jsonKey['quota_project']; } if ($scope && $targetAudience) { throw new InvalidArgumentException( 'Scope and targetAudience cannot both be supplied' ); } $additionalClaims = []; if ($targetAudience) { $additionalClaims = ['target_audience' => $targetAudience]; } $this->auth = new OAuth2([ 'audience' => self::TOKEN_CREDENTIAL_URI, 'issuer' => $jsonKey['client_email'], 'scope' => $scope, 'signingAlgorithm' => 'RS256', 'signingKey' => $jsonKey['private_key'], 'sub' => $sub, 'tokenCredentialUri' => self::TOKEN_CREDENTIAL_URI, 'additionalClaims' => $additionalClaims, ]); $this->projectId = isset($jsonKey['project_id']) ? $jsonKey['project_id'] : null; } /** * @param callable $httpHandler * * @return array A set of auth related metadata, containing the following * keys: * - access_token (string) * - expires_in (int) * - token_type (string) */ public function fetchAuthToken(callable $httpHandler = null) { return $this->auth->fetchAuthToken($httpHandler); } /** * @return string */ public function getCacheKey() { $key = $this->auth->getIssuer() . ':' . $this->auth->getCacheKey(); if ($sub = $this->auth->getSub()) { $key .= ':' . $sub; } return $key; } /** * @return array */ public function getLastReceivedToken() { return $this->auth->getLastReceivedToken(); } /** * Get the project ID from the service account keyfile. * * Returns null if the project ID does not exist in the keyfile. * * @param callable $httpHandler Not used by this credentials type. * @return string|null */ public function getProjectId(callable $httpHandler = null) { return $this->projectId; } /** * Updates metadata with the authorization token. * * @param array $metadata metadata hashmap * @param string $authUri optional auth uri * @param callable $httpHandler callback which delivers psr7 request * @return array updated metadata hashmap */ public function updateMetadata( $metadata, $authUri = null, callable $httpHandler = null ) { // scope exists. use oauth implementation $scope = $this->auth->getScope(); if (!is_null($scope)) { return parent::updateMetadata($metadata, $authUri, $httpHandler); } // no scope found. create jwt with the auth uri $credJson = array( 'private_key' => $this->auth->getSigningKey(), 'client_email' => $this->auth->getIssuer(), ); $jwtCreds = new ServiceAccountJwtAccessCredentials($credJson); return $jwtCreds->updateMetadata($metadata, $authUri, $httpHandler); } /** * @param string $sub an email address account to impersonate, in situations when * the service account has been delegated domain wide access. */ public function setSub($sub) { $this->auth->setSub($sub); } /** * Get the client name from the keyfile. * * In this case, it returns the keyfile's client_email key. * * @param callable $httpHandler Not used by this credentials type. * @return string */ public function getClientName(callable $httpHandler = null) { return $this->auth->getIssuer(); } /** * Get the quota project used for this API request * * @return string|null */ public function getQuotaProject() { return $this->quotaProject; } } auth/src/Credentials/InsecureCredentials.php 0000644 00000003470 14736103211 0015177 0 ustar 00 <?php /* * Copyright 2018 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Credentials; use Google\Auth\FetchAuthTokenInterface; /** * Provides a set of credentials that will always return an empty access token. * This is useful for APIs which do not require authentication, for local * service emulators, and for testing. */ class InsecureCredentials implements FetchAuthTokenInterface { /** * @var array */ private $token = [ 'access_token' => '' ]; /** * Fetches the auth token. In this case it returns an empty string. * * @param callable $httpHandler * @return array A set of auth related metadata, containing the following * keys: * - access_token (string) */ public function fetchAuthToken(callable $httpHandler = null) { return $this->token; } /** * Returns the cache key. In this case it returns a null value, disabling * caching. * * @return string|null */ public function getCacheKey() { return null; } /** * Fetches the last received token. In this case, it returns the same empty string * auth token. * * @return array */ public function getLastReceivedToken() { return $this->token; } } auth/src/Credentials/IAMCredentials.php 0000644 00000004673 14736103211 0014036 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Credentials; /** * Authenticates requests using IAM credentials. */ class IAMCredentials { const SELECTOR_KEY = 'x-goog-iam-authority-selector'; const TOKEN_KEY = 'x-goog-iam-authorization-token'; /** * @var string */ private $selector; /** * @var string */ private $token; /** * @param $selector string the IAM selector * @param $token string the IAM token */ public function __construct($selector, $token) { if (!is_string($selector)) { throw new \InvalidArgumentException( 'selector must be a string' ); } if (!is_string($token)) { throw new \InvalidArgumentException( 'token must be a string' ); } $this->selector = $selector; $this->token = $token; } /** * export a callback function which updates runtime metadata. * * @return array updateMetadata function */ public function getUpdateMetadataFunc() { return array($this, 'updateMetadata'); } /** * Updates metadata with the appropriate header metadata. * * @param array $metadata metadata hashmap * @param string $unusedAuthUri optional auth uri * @param callable $httpHandler callback which delivers psr7 request * Note: this param is unused here, only included here for * consistency with other credentials class * * @return array updated metadata hashmap */ public function updateMetadata( $metadata, $unusedAuthUri = null, callable $httpHandler = null ) { $metadata_copy = $metadata; $metadata_copy[self::SELECTOR_KEY] = $this->selector; $metadata_copy[self::TOKEN_KEY] = $this->token; return $metadata_copy; } } auth/src/Credentials/ServiceAccountJwtAccessCredentials.php 0000644 00000012636 14736103211 0020152 0 ustar 00 <?php /* * Copyright 2015 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth\Credentials; use Google\Auth\CredentialsLoader; use Google\Auth\GetQuotaProjectInterface; use Google\Auth\OAuth2; use Google\Auth\ProjectIdProviderInterface; use Google\Auth\ServiceAccountSignerTrait; use Google\Auth\SignBlobInterface; /** * Authenticates requests using Google's Service Account credentials via * JWT Access. * * This class allows authorizing requests for service accounts directly * from credentials from a json key file downloaded from the developer * console (via 'Generate new Json Key'). It is not part of any OAuth2 * flow, rather it creates a JWT and sends that as a credential. */ class ServiceAccountJwtAccessCredentials extends CredentialsLoader implements GetQuotaProjectInterface, SignBlobInterface, ProjectIdProviderInterface { use ServiceAccountSignerTrait; /** * The OAuth2 instance used to conduct authorization. * * @var OAuth2 */ protected $auth; /** * The quota project associated with the JSON credentials */ protected $quotaProject; /** * Create a new ServiceAccountJwtAccessCredentials. * * @param string|array $jsonKey JSON credential file path or JSON credentials * as an associative array */ public function __construct($jsonKey) { if (is_string($jsonKey)) { if (!file_exists($jsonKey)) { throw new \InvalidArgumentException('file does not exist'); } $jsonKeyStream = file_get_contents($jsonKey); if (!$jsonKey = json_decode($jsonKeyStream, true)) { throw new \LogicException('invalid json for auth config'); } } if (!array_key_exists('client_email', $jsonKey)) { throw new \InvalidArgumentException( 'json key is missing the client_email field' ); } if (!array_key_exists('private_key', $jsonKey)) { throw new \InvalidArgumentException( 'json key is missing the private_key field' ); } if (array_key_exists('quota_project', $jsonKey)) { $this->quotaProject = (string) $jsonKey['quota_project']; } $this->auth = new OAuth2([ 'issuer' => $jsonKey['client_email'], 'sub' => $jsonKey['client_email'], 'signingAlgorithm' => 'RS256', 'signingKey' => $jsonKey['private_key'], ]); $this->projectId = isset($jsonKey['project_id']) ? $jsonKey['project_id'] : null; } /** * Updates metadata with the authorization token. * * @param array $metadata metadata hashmap * @param string $authUri optional auth uri * @param callable $httpHandler callback which delivers psr7 request * @return array updated metadata hashmap */ public function updateMetadata( $metadata, $authUri = null, callable $httpHandler = null ) { if (empty($authUri)) { return $metadata; } $this->auth->setAudience($authUri); return parent::updateMetadata($metadata, $authUri, $httpHandler); } /** * Implements FetchAuthTokenInterface#fetchAuthToken. * * @param callable $httpHandler * * @return array|void A set of auth related metadata, containing the * following keys: * - access_token (string) */ public function fetchAuthToken(callable $httpHandler = null) { $audience = $this->auth->getAudience(); if (empty($audience)) { return null; } $access_token = $this->auth->toJwt(); return array('access_token' => $access_token); } /** * @return string */ public function getCacheKey() { return $this->auth->getCacheKey(); } /** * @return array */ public function getLastReceivedToken() { return $this->auth->getLastReceivedToken(); } /** * Get the project ID from the service account keyfile. * * Returns null if the project ID does not exist in the keyfile. * * @param callable $httpHandler Not used by this credentials type. * @return string|null */ public function getProjectId(callable $httpHandler = null) { return $this->projectId; } /** * Get the client name from the keyfile. * * In this case, it returns the keyfile's client_email key. * * @param callable $httpHandler Not used by this credentials type. * @return string */ public function getClientName(callable $httpHandler = null) { return $this->auth->getIssuer(); } /** * Get the quota project used for this API request * * @return string|null */ public function getQuotaProject() { return $this->quotaProject; } } auth/src/ProjectIdProviderInterface.php 0000644 00000001702 14736103211 0014222 0 ustar 00 <?php /* * Copyright 2020 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ namespace Google\Auth; /** * Describes a Credentials object which supports fetching the project ID. */ interface ProjectIdProviderInterface { /** * Get the project ID. * * @param callable $httpHandler Callback which delivers psr7 request * @return string|null */ public function getProjectId(callable $httpHandler = null); } auth/README.md 0000644 00000017146 14736103211 0006773 0 ustar 00 # Google Auth Library for PHP <dl> <dt>Homepage</dt><dd><a href="http://www.github.com/google/google-auth-library-php">http://www.github.com/google/google-auth-library-php</a></dd> <dt>Authors</dt> <dd><a href="mailto:temiola@google.com">Tim Emiola</a></dd> <dd><a href="mailto:stanleycheung@google.com">Stanley Cheung</a></dd> <dd><a href="mailto:betterbrent@google.com">Brent Shaffer</a></dd> <dt>Copyright</dt><dd>Copyright © 2015 Google, Inc.</dd> <dt>License</dt><dd>Apache 2.0</dd> </dl> ## Description This is Google's officially supported PHP client library for using OAuth 2.0 authorization and authentication with Google APIs. View the [reference documentation][ref-docs]. ### Installing via Composer The recommended way to install the google auth library is through [Composer](http://getcomposer.org). ```bash # Install Composer curl -sS https://getcomposer.org/installer | php ``` Next, run the Composer command to install the latest stable version: ```bash composer.phar require google/auth ``` ## Application Default Credentials This library provides an implementation of [application default credentials][application default credentials] for PHP. The Application Default Credentials provide a simple way to get authorization credentials for use in calling Google APIs. They are best suited for cases when the call needs to have the same identity and authorization level for the application independent of the user. This is the recommended approach to authorize calls to Cloud APIs, particularly when you're building an application that uses Google Compute Engine. #### Download your Service Account Credentials JSON file To use `Application Default Credentials`, You first need to download a set of JSON credentials for your project. Go to **APIs & Services** > **Credentials** in the [Google Developers Console][developer console] and select **Service account** from the **Add credentials** dropdown. > This file is your *only copy* of these credentials. It should never be > committed with your source code, and should be stored securely. Once downloaded, store the path to this file in the `GOOGLE_APPLICATION_CREDENTIALS` environment variable. ```php putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json'); ``` > PHP's `putenv` function is just one way to set an environment variable. > Consider using `.htaccess` or apache configuration files as well. #### Enable the API you want to use Before making your API call, you must be sure the API you're calling has been enabled. Go to **APIs & Auth** > **APIs** in the [Google Developers Console][developer console] and enable the APIs you'd like to call. For the example below, you must enable the `Drive API`. #### Call the APIs As long as you update the environment variable below to point to *your* JSON credentials file, the following code should output a list of your Drive files. ```php use Google\Auth\ApplicationDefaultCredentials; use GuzzleHttp\Client; use GuzzleHttp\HandlerStack; // specify the path to your application credentials putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json'); // define the scopes for your API call $scopes = ['https://www.googleapis.com/auth/drive.readonly']; // create middleware $middleware = ApplicationDefaultCredentials::getMiddleware($scopes); $stack = HandlerStack::create(); $stack->push($middleware); // create the HTTP client $client = new Client([ 'handler' => $stack, 'base_uri' => 'https://www.googleapis.com', 'auth' => 'google_auth' // authorize all requests ]); // make the request $response = $client->get('drive/v2/files'); // show the result! print_r((string) $response->getBody()); ``` ##### Guzzle 5 Compatibility If you are using [Guzzle 5][Guzzle 5], replace the `create middleware` and `create the HTTP Client` steps with the following: ```php // create the HTTP client $client = new Client([ 'base_url' => 'https://www.googleapis.com', 'auth' => 'google_auth' // authorize all requests ]); // create subscriber $subscriber = ApplicationDefaultCredentials::getSubscriber($scopes); $client->getEmitter()->attach($subscriber); ``` #### Call using an ID Token If your application is running behind Cloud Run, or using Cloud Identity-Aware Proxy (IAP), you will need to fetch an ID token to access your application. For this, use the static method `getIdTokenMiddleware` on `ApplicationDefaultCredentials`. ```php use Google\Auth\ApplicationDefaultCredentials; use GuzzleHttp\Client; use GuzzleHttp\HandlerStack; // specify the path to your application credentials putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json'); // Provide the ID token audience. This can be a Client ID associated with an IAP application, // Or the URL associated with a CloudRun App // $targetAudience = 'IAP_CLIENT_ID.apps.googleusercontent.com'; // $targetAudience = 'https://service-1234-uc.a.run.app'; $targetAudience = 'YOUR_ID_TOKEN_AUDIENCE'; // create middleware $middleware = ApplicationDefaultCredentials::getIdTokenMiddleware($targetAudience); $stack = HandlerStack::create(); $stack->push($middleware); // create the HTTP client $client = new Client([ 'handler' => $stack, 'auth' => 'google_auth', // Cloud Run, IAP, or custom resource URL 'base_uri' => 'https://YOUR_PROTECTED_RESOURCE', ]); // make the request $response = $client->get('/'); // show the result! print_r((string) $response->getBody()); ``` For invoking Cloud Run services, your service account will need the [`Cloud Run Invoker`](https://cloud.google.com/run/docs/authenticating/service-to-service) IAM permission. For invoking Cloud Identity-Aware Proxy, you will need to pass the Client ID used when you set up your protected resource as the target audience. See how to [secure your IAP app with signed headers](https://cloud.google.com/iap/docs/signed-headers-howto). #### Verifying JWTs If you are [using Google ID tokens to authenticate users][google-id-tokens], use the `Google\Auth\AccessToken` class to verify the ID token: ```php use Google\Auth\AccessToken; $auth = new AccessToken(); $auth->verify($idToken); ``` If your app is running behind [Google Identity-Aware Proxy][iap-id-tokens] (IAP), you can verify the ID token coming from the IAP server by pointing to the appropriate certificate URL for IAP. This is because IAP signs the ID tokens with a different key than the Google Identity service: ```php use Google\Auth\AccessToken; $auth = new AccessToken(); $auth->verify($idToken, [ 'certsLocation' => AccessToken::IAP_CERT_URL ]); ``` [google-id-tokens]: https://developers.google.com/identity/sign-in/web/backend-auth [iap-id-tokens]: https://cloud.google.com/iap/docs/signed-headers-howto ## License This library is licensed under Apache 2.0. Full license text is available in [COPYING][copying]. ## Contributing See [CONTRIBUTING][contributing]. ## Support Please [report bugs at the project on Github](https://github.com/google/google-auth-library-php/issues). Don't hesitate to [ask questions](http://stackoverflow.com/questions/tagged/google-auth-library-php) about the client or APIs on [StackOverflow](http://stackoverflow.com). [ref-docs]: https://googleapis.github.io/google-auth-library-php/master/ [google-apis-php-client]: https://github.com/google/google-api-php-client [application default credentials]: https://developers.google.com/accounts/docs/application-default-credentials [contributing]: https://github.com/google/google-auth-library-php/tree/master/.github/CONTRIBUTING.md [copying]: https://github.com/google/google-auth-library-php/tree/master/COPYING [Guzzle]: https://github.com/guzzle/guzzle [Guzzle 5]: http://docs.guzzlephp.org/en/5.3 [developer console]: https://console.developers.google.com auth/.php_cs 0000644 00000003343 14736103211 0006763 0 ustar 00 <?php /** * This file represents the configuration for Code Sniffing PSR-2-related * automatic checks of coding guidelines * Install @fabpot's great php-cs-fixer tool via * * $ composer global require fabpot/php-cs-fixer * * And then simply run * * $ php-cs-fixer fix --config-file .php_cs * * inside the root directory. * * http://www.php-fig.org/psr/psr-2/ * http://cs.sensiolabs.org */ if (PHP_SAPI !== 'cli') { die('This script supports command line usage only. Please check your command.'); } // Define in which folders to search and which folders to exclude // Exclude some directories that are excluded by Git anyways to speed up the sniffing $finder = Symfony\CS\Finder\DefaultFinder::create() ->exclude('vendor') ->in(__DIR__); // Return a Code Sniffing configuration using // all sniffers needed for PSR-2 // and additionally: // - Remove leading slashes in use clauses. // - PHP single-line arrays should not have trailing comma. // - Single-line whitespace before closing semicolon are prohibited. // - Remove unused use statements in the PHP source code // - Ensure Concatenation to have at least one whitespace around // - Remove trailing whitespace at the end of blank lines. return Symfony\CS\Config\Config::create() ->level(Symfony\CS\FixerInterface::PSR2_LEVEL) ->fixers([ 'remove_leading_slash_use', 'single_array_no_trailing_comma', 'spaces_before_semicolon', 'unused_use', 'concat_with_spaces', 'whitespacy_lines', 'ordered_use', 'single_quote', 'duplicate_semicolon', 'extra_empty_lines', 'phpdoc_no_package', 'phpdoc_scalar', 'no_empty_lines_after_phpdocs' ]) ->finder($finder); auth/CHANGELOG.md 0000644 00000010151 14736103211 0007312 0 ustar 00 ## 1.11.0 (7/22/2020) * [feat]: Check cache expiration (#291) * [fix]: OAuth2 cache key when audience is set (#291) ## 1.10.0 (7/8/2020) * [feat]: Add support for Guzzle 7 (#256) * [fix]: Remove SDK warning (#283) * [chore]: Switch to github pages deploy action (#284) ## 1.9.0 (5/14/2020) * [feat] Add quotaProject param for extensible client options support (#277) * [feat] Add signingKeyId param for jwt signing (#270) * [docs] Misc documentation improvements (#268, #278, #273) * [chore] Switch from Travis to Github Actions (#273) ## 1.8.0 (3/26/2020) * [feat] Add option to throw exception in AccessToken::verify(). (#265) * [feat] Add support for x-goog-user-project. (#254) * [feat] Add option to specify issuer in AccessToken::verify(). (#267) * [feat] Add getProjectId to credentials types where project IDs can be determined. (#230) ## 1.7.1 (02/12/2020) * [fix] Invalid character in iap cert cache key (#263) * [fix] Typo in exception for package name (#262) ## 1.7.0 (02/11/2020) * [feat] Add ID token to auth token methods. (#248) * [feat] Add support for ES256 in `AccessToken::verify`. (#255) * [fix] Let namespace match the file structure. (#258) * [fix] Construct RuntimeException. (#257) * [tests] Update tests for PHP 7.4 compatibility. (#253) * [chore] Add a couple more things to `.gitattributes`. (#252) ## 1.6.1 (10/29/2019) * [fix] Handle DST correctly for cache item expirations. (#246) ## 1.6.0 (10/01/2019) * [feat] Add utility for verifying and revoking access tokens. (#243) * [docs] Fix README console terminology. (#242) * [feat] Support custom scopes with GCECredentials. (#239) * [fix] Fix phpseclib existence check. (#237) ## 1.5.2 (07/22/2019) * [fix] Move loadItems call out of `SysVCacheItemPool` constructor. (#229) * [fix] Add `Metadata-Flavor` header to initial GCE metadata call. (#232) ## 1.5.1 (04/16/2019) * [fix] Moved `getClientName()` from `Google\Auth\FetchAuthTokenInterface` to `Google\Auth\SignBlobInterface`, and removed `getClientName()` from `InsecureCredentials` and `UserRefreshCredentials`. (#223) ## 1.5.0 (04/15/2019) ### Changes * Add support for signing strings with a Credentials instance. (#221) * [Docs] Describe the arrays returned by fetchAuthToken. (#216) * [Testing] Fix failing tests (#217) * Update GitHub issue templates (#214, #213) ## 1.4.0 (09/17/2018) ### Changes * Add support for insecure credentials (#208) ## 1.3.3 (08/27/2018) ### Changes * Add retry and increase timeout for GCE credentials (#195) * [Docs] Fix spelling (#204) * Update token url (#206) ## 1.3.2 (07/23/2018) ### Changes * Only emits a warning for gcloud credentials (#202) ## 1.3.1 (07/19/2018) ### Changes * Added a warning for 3 legged OAuth credentials (#199) * [Code cleanup] Removed useless else after return (#193) ## 1.3.0 (06/04/2018) ### Changes * Fixes usage of deprecated env var for GAE Flex (#189) * fix - guzzlehttp/psr7 dependency version definition (#190) * Added SystemV shared memory based CacheItemPool (#191) ## 1.2.1 (24/01/2018) ### Changes * Fixes array merging bug in Guzzle5HttpHandler (#186) * Fixes constructor argument bug in Subscriber & Middleware (#184) ## 1.2.0 (6/12/2017) ### Changes * Adds async method to HTTP handlers (#176) * Misc bug fixes and improvements (#177, #175, #178) ## 1.1.0 (10/10/2017) ### Changes * Supports additional claims in JWT tokens (#171) * Adds makeHttpClient for creating authorized Guzzle clients (#162) * Misc bug fixes/improvements (#168, #161, #167, #170, #143) ## 1.0.1 (31/07/2017) ### Changes * Adds support for Firebase 5.0 (#159) ## 1.0.0 (12/06/2017) ### Changes * Adds hashing and shortening to enforce max key length ([@bshaffer]) * Fix for better PSR-6 compliance - verifies a hit before getting the cache item ([@bshaffer]) * README fixes ([@bshaffer]) * Change authorization header key to lowercase ([@stanley-cheung]) ## 0.4.0 (23/04/2015) ### Changes * Export callback function to update auth metadata ([@stanley-cheung][]) * Adds an implementation of User Refresh Token auth ([@stanley-cheung][]) [@bshaffer]: https://github.com/bshaffer [@stanley-cheung]: https://github.com/stanley-cheung auth/LICENSE 0000644 00000024020 14736103211 0006506 0 ustar 00 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.