Merge branch 'dermesser:master' into master

2026-02-23 15:50:00 +01:00 · 2023-06-04 13:00:46 +02:00
parent 458bf6f7b2 3cc35783e8
commit 142ef5635e
9 changed files with 70 additions and 136 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "yup-oauth2"
-version = "8.1.0"
+version = "8.3.0"
 authors = ["Sebastian Thiel <byronimo@gmail.com>", "Lewin Bormann <lbo@spheniscida.de>"]
 repository = "https://github.com/dermesser/yup-oauth2"
 description = "An oauth2 implementation, providing the 'device', 'service account' and 'installed' authorization flows"
@@ -37,12 +37,12 @@ base64 = "0.13.0"
 futures = "0.3"
 http = "0.2"
 hyper = { version = "0.14", features = ["client", "server", "tcp", "http2"] }
-hyper-rustls = { version = "0.23", optional = true, features = ["http2"] }
+hyper-rustls = { version = "0.24", optional = true, features = ["http2"] }
 hyper-tls = { version = "0.5.0", optional = true }
 itertools = "0.10.0"
 log = "0.4"
 percent-encoding = "2"
-rustls = { version = "0.20.4", optional = true }
+rustls = { version = "0.21.0", optional = true }
 rustls-pemfile = { version = "1.0.1", optional = true }
 seahash = "4"
 serde = {version = "1.0", features = ["derive"]}
@@ -57,7 +57,7 @@ httptest = "0.15"
 env_logger = "0.10"
 tempfile = "3.1"
 webbrowser = "0.8"
-hyper-rustls = "0.23"
+hyper-rustls = "0.24"
 [workspace]
 members = ["examples/test-installed/", "examples/test-svc-acct/", "examples/test-device/", "examples/test-adc"]
--- a/README.md
+++ b/README.md
@@ -1,6 +1,5 @@
 [![Build
-Status](https://travis-ci.org/dermesser/yup-oauth2.svg)](https://travis-ci.org/dermesser/yup-oauth2)
+Status](https://github.com/dermesser/yup-oauth2/actions/workflows/test.yml/badge.svg)](https://github.com/dermesser/yup-oauth2/actions)
 [![codecov](https://codecov.io/gh/dermesser/yup-oauth2/branch/master/graph/badge.svg)](https://codecov.io/gh/dermesser/yup-oauth2)
 [![crates.io](https://img.shields.io/crates/v/yup-oauth2.svg)](https://crates.io/crates/yup-oauth2)
 **yup-oauth2** is a utility library which implements several OAuth 2.0 flows. It's mainly used by
@@ -27,18 +26,6 @@ doesn't, please let us know and/or contribute a fix!
 * Service account flow: Non-interactive authorization of server-to-server communication based on
  public key cryptography. Used for services like Cloud Pubsub, Cloud Storage, ...
 ### Usage
 Please have a look at the [API landing page][API-docs] for all the examples you will ever need.
 A simple commandline program which authenticates any scope and prints token information can be found
 in [the examples directory][examples].
 The video below shows the *auth* example in action. It's meant to be used as utility to record all
 server communication and improve protocol compliance.
 ![usage][auth-usage]
 ## Versions
 * Version 1.x for Hyper versions below 12
--- a/examples/auth.rs-usage.gif
+++ b/examples/auth.rs-usage.gif
--- a/examples/auth.rs-usage.ttyrec
+++ b/examples/auth.rs-usage.ttyrec
--- a/examples/old/auth.rs
+++ b/examples/old/auth.rs
@@ -1,112 +0,0 @@
 use chrono::Local;
 use getopts::{Fail, HasArg, Occur, Options};
 use hyper_tls::HttpsConnector;
 use std::default::Default;
 use std::env;
 use std::thread::sleep;
 use std::time::Duration;
 use yup_oauth2::{self as oauth2, GetToken};
 fn usage(program: &str, opts: &Options, err: Option<Fail>) -> ! {
    if err.is_some() {
        println!("{}", err.unwrap());
        std::process::exit(1);
    }
    println!("{}", opts.short_usage(program) + " SCOPE [SCOPE ...]");
    println!(
        "{}",
        opts.usage(
            "A program to authenticate against oauthv2 services.\n\
             See https://developers.google.com/youtube/registering_an_application\n\
             and https://developers.google.com/youtube/v3/guides/authentication#devices"
        )
    );
    std::process::exit(0);
 }
 fn main() {
    let args: Vec<String> = env::args().collect();
    let prog = args[0].clone();
    let mut opts = Options::new();
    opts.opt(
        "c",
        "id",
        "oauthv2 ID of your application",
        "CLIENT_ID",
        HasArg::Yes,
        Occur::Req,
    )
    .opt(
        "s",
        "secret",
        "oauthv2 secret of your application",
        "CLIENT_SECRET",
        HasArg::Yes,
        Occur::Req,
    );
    let m = match opts.parse(&args[1..]) {
        Ok(m) => m,
        Err(e) => {
            usage(&prog, &opts, Some(e));
        }
    };
    if m.free.len() == 0 {
        let msg = Fail::ArgumentMissing(
            "you must provide one or more authorization scopes as free options".to_string(),
        );
        usage(&prog, &opts, Some(msg));
    }
    let secret = oauth2::ApplicationSecret {
        client_id: m.opt_str("c").unwrap(),
        client_secret: m.opt_str("s").unwrap(),
        token_uri: Default::default(),
        auth_uri: Default::default(),
        redirect_uris: Default::default(),
        ..Default::default()
    };
    println!("THIS PROGRAM PRINTS ALL COMMUNICATION TO STDERR !!!");
    struct StdoutHandler;
    impl oauth2::AuthenticatorDelegate for StdoutHandler {
        fn present_user_code(&mut self, pi: &oauth2::PollInformation) {
            println!(
                "Please enter '{}' at {} and authenticate the application for the\n\
                      given scopes. This is not a test !\n\
                      You have time until {} to do that.
                      Do not terminate the program until you deny or grant access !",
                pi.user_code,
                pi.verification_url,
                pi.expires_at.with_timezone(&Local)
            );
            let delay = Duration::from_secs(5);
            println!("Browser opens automatically in {:?} seconds", delay);
            sleep(delay);
            open::that(&pi.verification_url).ok();
            println!("DONE - waiting for authorization ...");
        }
    }
    let https = HttpsConnector::new(4).unwrap();
    let client = hyper::Client::builder().build(https);
    match oauth2::Authenticator::new(&secret, StdoutHandler, client, oauth2::NullStorage, None)
        .token(&m.free)
    {
        Ok(t) => {
            println!("Authentication granted !");
            println!("You should store the following information for use, or revoke it.");
            println!("All dates are given in UTC.");
            println!("{:?}", t);
        }
        Err(err) => {
            println!("Access token wasn't obtained: {}", err);
            std::process::exit(10);
        }
    };
 }
--- a/src/authenticator_delegate.rs
+++ b/src/authenticator_delegate.rs
@@ -156,3 +156,11 @@ impl DeviceFlowDelegate for DefaultDeviceFlowDelegate {}
 #[derive(Copy, Clone)]
 pub struct DefaultInstalledFlowDelegate;
 impl InstalledFlowDelegate for DefaultInstalledFlowDelegate {}
 /// The default installed-flow delegate (i.e.: show URL on stdout). Use this to specify
 /// a custom redirect URL.
 #[derive(Clone)]
 pub struct DefaultInstalledFlowDelegateWithRedirectURI(pub String);
 impl InstalledFlowDelegate for DefaultInstalledFlowDelegateWithRedirectURI {
    fn redirect_uri(&self) -> Option<&str> { Some(self.0.as_str()) }
 }
--- a/src/installed.rs
+++ b/src/installed.rs
@@ -97,6 +97,15 @@ pub struct InstalledFlow {
 impl InstalledFlow {
    /// Create a new InstalledFlow with the provided secret and method.
    ///
    /// In order to specify the redirect URL to use (in the case of `HTTPRedirect` or
    /// `HTTPPortRedirect` as method), either implement the `InstalledFlowDelegate` trait, or
    /// use the `DefaultInstalledFlowDelegateWithRedirectURI`, which presents the URL on stdout.
    /// The redirect URL to use is configured with the OAuth provider, and possible options are
    /// given in the `ApplicationSecret.redirect_uris` field.
    ///
    /// The `InstalledFlowDelegate` implementation should be assigned to the `flow_delegate` field
    /// of the `InstalledFlow` struct.
    pub(crate) fn new(
        app_secret: ApplicationSecret,
        method: InstalledFlowReturnMethod,
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -93,6 +93,11 @@ pub mod storage;
 mod types;
 pub use hyper;
 #[cfg(feature = "hyper-rustls")]
 pub use hyper_rustls;
 #[cfg(feature = "service_account")]
 #[doc(inline)]
 pub use crate::authenticator::ServiceAccountAuthenticator;
--- a/src/types.rs
+++ b/src/types.rs
@@ -1,7 +1,7 @@
 use crate::error::{AuthErrorOr, Error};
 use time::OffsetDateTime;
 use serde::{Deserialize, Serialize};
 use time::OffsetDateTime;
 /// Represents a token returned by oauth2 servers. All tokens are Bearer tokens. Other types of
 /// tokens are not supported.
@@ -12,7 +12,6 @@ pub struct AccessToken {
 }
 impl AccessToken {
    /// A string representation of the access token.
    pub fn token(&self) -> Option<&str> {
        self.access_token.as_deref()
@@ -30,7 +29,9 @@ impl AccessToken {
    pub fn is_expired(&self) -> bool {
        // Consider the token expired if it's within 1 minute of it's expiration time.
        self.expires_at
-            .map(|expiration_time| expiration_time - time::Duration::minutes(1) <= OffsetDateTime::now_utc())
+            .map(|expiration_time| {
                expiration_time - time::Duration::minutes(1) <= OffsetDateTime::now_utc()
            })
            .unwrap_or(false)
    }
 }
@@ -106,8 +107,19 @@ impl TokenInfo {
            _ => (),
        }
-        let expires_at = expires_in
+        let expires_at = match expires_in {
-            .map(|seconds_from_now| OffsetDateTime::now_utc() + time::Duration::seconds(seconds_from_now));
+            Some(seconds_from_now) => {
                Some(OffsetDateTime::now_utc() + time::Duration::seconds(seconds_from_now))
            }
            None if id_token.is_some() && access_token.is_none() => {
                // If the response contains only an ID token, an expiration date may not be
                // returned. According to the docs, the tokens are always valid for 1 hour.
                //
                // https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-oidc
                Some(OffsetDateTime::now_utc() + time::Duration::HOUR)
            }
            None => None,
        };
        Ok(TokenInfo {
            id_token,
@@ -120,7 +132,9 @@ impl TokenInfo {
    /// Returns true if we are expired.
    pub fn is_expired(&self) -> bool {
        self.expires_at
-            .map(|expiration_time| expiration_time - time::Duration::minutes(1) <= OffsetDateTime::now_utc())
+            .map(|expiration_time| {
                expiration_time - time::Duration::minutes(1) <= OffsetDateTime::now_utc()
            })
            .unwrap_or(false)
    }
 }
@@ -183,4 +197,27 @@ pub mod tests {
            ),
        }
    }
    #[test]
    fn default_expiry_for_id_token_only() {
        // If only an ID token is present, set a default expiration date
        let json = r#"{"id_token": "id"}"#;
        let token = TokenInfo::from_json(json.as_bytes()).unwrap();
        assert_eq!(token.id_token, Some("id".to_owned()));
        let expiry = token.expires_at.unwrap();
        assert!(expiry <= time::OffsetDateTime::now_utc() + time::Duration::HOUR);
    }
    #[test]
    fn no_default_expiry_for_access_token() {
        // Don't set a default expiration date if an access token is returned
        let json = r#"{"access_token": "access", "id_token": "id"}"#;
        let token = TokenInfo::from_json(json.as_bytes()).unwrap();
        assert_eq!(token.access_token, Some("access".to_owned()));
        assert_eq!(token.id_token, Some("id".to_owned()));
        assert_eq!(token.expires_at, None);
    }
 }