Merge branch 'auth-metrics-dev-all' into auth-metrics-1

googleapis · Dec 1, 2023 · 0bed5d1 · 0bed5d1
2 parents 9fb009b + 682dc6c
commit 0bed5d1
Show file tree

Hide file tree

Showing 24 changed files with 1,501 additions and 83 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,33 @@
+name: Release Pre-Check
+on:
+  pull_request:
+  workflow_dispatch:
+permissions:
+  contents: read
+jobs:
+  release-suite:
+    runs-on: ubuntu-latest
+    name: Run googleapis/google-cloud-php tests against latest version
+    if: github.event.pull_request.user.login == 'release-please[bot]'
+    steps:
+    - uses: actions/checkout@v4
+    - name: Clone googleapis/google-cloud-php
+      uses: actions/checkout@master
+      with:
+        repository: googleapis/google-cloud-php
+        path: google-cloud-php
+    - name: Setup PHP
+      uses: shivammathur/setup-php@v2
+      with:
+        php-version: '8.1'
+        extensions: grpc
+    - name: Configure google/auth to dev-main
+      run: |
+        cd google-cloud-php
+        composer install -q -d dev
+        dev/google-cloud update-deps google/auth 'dev-main as 1.200.0' --add=dev
+    - name: Run google/cloud package tests
+      run: |
+        cd google-cloud-php
+        bash .github/run-package-tests.sh
+
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,38 @@
 
  * [feat]: add support for Firebase v6.0 (#391)
 
+## [1.33.0](https://github.com/googleapis/google-auth-library-php/compare/v1.32.1...v1.33.0) (2023-11-29)
+
+
+### Features
+
+* Add and implement universe domain interface ([#477](https://github.com/googleapis/google-auth-library-php/issues/477)) ([35781ed](https://github.com/googleapis/google-auth-library-php/commit/35781ed573aa9d831d38452eefbac790559dfb97))
+
+### Miscellaneous
+
+* Refactor `AuthTokenMiddleware` ([#492](https://github.com/googleapis/google-auth-library-php/pull/492))
+
+## [1.32.1](https://github.com/googleapis/google-auth-library-php/compare/v1.32.0...v1.32.1) (2023-10-17)
+
+
+### Bug Fixes
+
+* Allowed_algs not properly set for string value ([#489](https://github.com/googleapis/google-auth-library-php/issues/489)) ([0042b52](https://github.com/googleapis/google-auth-library-php/commit/0042b522ebbcffc6d6623e322d162d963eada3b5))
+
+## [1.32.0](https://github.com/googleapis/google-auth-library-php/compare/v1.31.0...v1.32.0) (2023-10-10)
+
+
+### Features
+
+* Respect cache control for access token certs ([#479](https://github.com/googleapis/google-auth-library-php/issues/479)) ([6d426b5](https://github.com/googleapis/google-auth-library-php/commit/6d426b5cb9462845d2c2d7d506318c9bee613528))
+
+## [1.31.0](https://github.com/googleapis/google-auth-library-php/compare/v1.30.0...v1.31.0) (2023-10-05)
+
+
+### Features
+
+* Add AWS credential source ([#474](https://github.com/googleapis/google-auth-library-php/issues/474)) ([e5bc897](https://github.com/googleapis/google-auth-library-php/commit/e5bc8979bf87159d9acab1ca8cb7cd7af008b2a6))
+
 ## [1.30.0](https://github.com/googleapis/google-auth-library-php/compare/v1.29.1...v1.30.0) (2023-09-07)
 
 

diff --git a/README.md b/README.md
@@ -257,6 +257,18 @@ print_r((string) $response->getBody());
 
 [iap-proxy-header]: https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_proxy-authorization_header
 
+#### External credentials (Workload identity federation)
+
+Using workload identity federation, your application can access Google Cloud resources from Amazon Web Services (AWS),
+Microsoft Azure or any identity provider that supports OpenID Connect (OIDC).
+
+Traditionally, applications running outside Google Cloud have used service account keys to access Google Cloud
+resources. Using identity federation, you can allow your workload to impersonate a service account. This lets you access
+Google Cloud resources directly, eliminating the maintenance and security burden associated with service account keys.
+
+Follow the detailed instructions on how to
+[Configure Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds).
+
 #### Verifying JWTs
 
 If you are [using Google ID tokens to authenticate users][google-id-tokens], use

diff --git a/src/AccessToken.php b/src/AccessToken.php
@@ -311,11 +311,9 @@ private function getCerts($location, $cacheKey, array $options = [])
         $cacheItem = $this->cache->getItem($cacheKey);
         $certs = $cacheItem ? $cacheItem->get() : null;
 
-        $gotNewCerts = false;
+        $expireTime = null;
         if (!$certs) {
-            $certs = $this->retrieveCertsFromLocation($location, $options);
-
-            $gotNewCerts = true;
+            list($certs, $expireTime) = $this->retrieveCertsFromLocation($location, $options);
         }
 
         if (!isset($certs['keys'])) {
@@ -331,8 +329,8 @@ private function getCerts($location, $cacheKey, array $options = [])
 
         // Push caching off until after verifying certs are in a valid format.
         // Don't want to cache bad data.
-        if ($gotNewCerts) {
-            $cacheItem->expiresAt(new DateTime('+1 hour'));
+        if ($expireTime) {
+            $cacheItem->expiresAt(new DateTime($expireTime));
             $cacheItem->set($certs);
             $this->cache->save($cacheItem);
         }
@@ -345,13 +343,14 @@ private function getCerts($location, $cacheKey, array $options = [])
      *
      * @param string $url location
      * @param array<mixed> $options [optional] Configuration options.
-     * @return array<mixed> certificates
+     * @return array{array<mixed>, string}
      * @throws InvalidArgumentException If certs could not be retrieved from a local file.
      * @throws RuntimeException If certs could not be retrieved from a remote location.
      */
     private function retrieveCertsFromLocation($url, array $options = [])
     {
         // If we're retrieving a local file, just grab it.
+        $expireTime = '+1 hour';
         if (strpos($url, 'http') !== 0) {
             if (!file_exists($url)) {
                 throw new InvalidArgumentException(sprintf(
@@ -360,14 +359,28 @@ private function retrieveCertsFromLocation($url, array $options = [])
                 ));
             }
 
-            return json_decode((string) file_get_contents($url), true);
+            return [
+                json_decode((string) file_get_contents($url), true),
+                $expireTime
+            ];
         }
 
         $httpHandler = $this->httpHandler;
         $response = $httpHandler(new Request('GET', $url), $options);
 
         if ($response->getStatusCode() == 200) {
-            return json_decode((string) $response->getBody(), true);
+            if ($cacheControl = $response->getHeaderLine('Cache-Control')) {
+                array_map(function ($value) use (&$expireTime) {
+                    list($key, $value) = explode('=', $value) + [null, null];
+                    if (trim($key) == 'max-age') {
+                        $expireTime = '+' . $value . ' seconds';
+                    }
+                }, explode(',', $cacheControl));
+            }
+            return [
+                json_decode((string) $response->getBody(), true),
+                $expireTime
+            ];
         }
 
         throw new RuntimeException(sprintf(