push($middleware); * * $client = new Client([ * 'handler' => $stack, * 'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', * 'auth' => 'google_auth' // authorize all requests * ]); * * $res = $client->get('myproject/taskqueues/myqueue'); */ class ServiceAccountCredentials extends CredentialsLoader implements SignBlobInterface { use ServiceAccountSignerTrait; /** * The OAuth2 instance used to conduct authorization. * * @var OAuth2 */ protected $auth; /** * Create a new ServiceAccountCredentials. * * @param string|array $scope the scope of the access request, expressed * either as an Array or as a space-delimited String. * @param string|array $jsonKey JSON credential file path or JSON credentials * as an associative array * @param string $sub an email address account to impersonate, in situations when * the service account has been delegated domain wide access. */ public function __construct( $scope, $jsonKey, $sub = null ) { if (is_string($jsonKey)) { if (!file_exists($jsonKey)) { throw new \InvalidArgumentException('file does not exist'); } $jsonKeyStream = file_get_contents($jsonKey); if (!$jsonKey = json_decode($jsonKeyStream, true)) { throw new \LogicException('invalid json for auth config'); } } if (!array_key_exists('client_email', $jsonKey)) { throw new \InvalidArgumentException( 'json key is missing the client_email field'); } if (!array_key_exists('private_key', $jsonKey)) { throw new \InvalidArgumentException( 'json key is missing the private_key field'); } $this->auth = new OAuth2([ 'audience' => self::TOKEN_CREDENTIAL_URI, 'issuer' => $jsonKey['client_email'], 'scope' => $scope, 'signingAlgorithm' => 'RS256', 'signingKey' => $jsonKey['private_key'], 'sub' => $sub, 'tokenCredentialUri' => self::TOKEN_CREDENTIAL_URI, ]); } /** * @param callable $httpHandler * * @return array A set of auth related metadata, containing the following * keys: * - access_token (string) * - expires_in (int) * - token_type (string) */ public function fetchAuthToken(callable $httpHandler = null) { return $this->auth->fetchAuthToken($httpHandler); } /** * @return string */ public function getCacheKey() { $key = $this->auth->getIssuer() . ':' . $this->auth->getCacheKey(); if ($sub = $this->auth->getSub()) { $key .= ':' . $sub; } return $key; } /** * @return array */ public function getLastReceivedToken() { return $this->auth->getLastReceivedToken(); } /** * Updates metadata with the authorization token. * * @param array $metadata metadata hashmap * @param string $authUri optional auth uri * @param callable $httpHandler callback which delivers psr7 request * * @return array updated metadata hashmap */ public function updateMetadata( $metadata, $authUri = null, callable $httpHandler = null ) { // scope exists. use oauth implementation $scope = $this->auth->getScope(); if (!is_null($scope)) { return parent::updateMetadata($metadata, $authUri, $httpHandler); } // no scope found. create jwt with the auth uri $credJson = array( 'private_key' => $this->auth->getSigningKey(), 'client_email' => $this->auth->getIssuer(), ); $jwtCreds = new ServiceAccountJwtAccessCredentials($credJson); return $jwtCreds->updateMetadata($metadata, $authUri, $httpHandler); } /** * @param string $sub an email address account to impersonate, in situations when * the service account has been delegated domain wide access. */ public function setSub($sub) { $this->auth->setSub($sub); } /** * Get the client name from the keyfile. * * In this case, it returns the keyfile's client_email key. * * @param callable $httpHandler Not used by this credentials type. * @return string */ public function getClientName(callable $httpHandler = null) { return $this->auth->getIssuer(); } }