update composer dependencies

vendor/google/auth/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 1.6.0 (10/01/2019)
+
+* [feat] Add utility for verifying and revoking access tokens. (#243)
+* [docs] Fix README console terminology. (#242)
+* [feat] Support custom scopes with GCECredentials. (#239)
+* [fix] Fix phpseclib existence check. (#237)
+
 ## 1.5.2 (07/22/2019)
 
 * [fix] Move loadItems call out of `SysVCacheItemPool` constructor. (#229)

vendor/google/auth/README.md

@@ -47,7 +47,7 @@ you're building an application that uses Google Compute Engine.
 #### Download your Service Account Credentials JSON file
 
 To use `Application Default Credentials`, You first need to download a set of
-JSON credentials for your project. Go to **APIs & Auth** > **Credentials** in
+JSON credentials for your project. Go to **APIs & Services** > **Credentials** in
 the [Google Developers Console][developer console] and select
 **Service account** from the **Add credentials** dropdown.
 

vendor/google/auth/composer.json

@@ -21,7 +21,7 @@
     "phpseclib/phpseclib": "^2"
   },
   "suggest": {
-    "phpseclib/phpseclib": "May be used in place of OpenSSL for signing strings. Please require version ^2."
+    "phpseclib/phpseclib": "May be used in place of OpenSSL for signing strings or for token management. Please require version ^2."
   },
   "autoload": {
     "psr-4": {

vendor/google/auth/src/AccessToken.php

@@ -0,0 +1,320 @@
+<?php
+/*
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Google\Auth;
+
+use Firebase\JWT\ExpiredException;
+use Firebase\JWT\JWT;
+use Firebase\JWT\SignatureInvalidException;
+use Google\Auth\Cache\MemoryCacheItemPool;
+use Google\Auth\HttpHandler\HttpClientCache;
+use Google\Auth\HttpHandler\HttpHandlerFactory;
+use GuzzleHttp\Psr7;
+use GuzzleHttp\Psr7\Request;
+use phpseclib\Crypt\RSA;
+use phpseclib\Math\BigInteger;
+use Psr\Cache\CacheItemPoolInterface;
+
+/**
+ * Wrapper around Google Access Tokens which provides convenience functions.
+ *
+ * @experimental
+ */
+class AccessToken
+{
+    const FEDERATED_SIGNON_CERT_URL = 'https://www.googleapis.com/oauth2/v3/certs';
+    const OAUTH2_ISSUER = 'accounts.google.com';
+    const OAUTH2_ISSUER_HTTPS = 'https://accounts.google.com';
+    const OAUTH2_REVOKE_URI = 'https://oauth2.googleapis.com/revoke';
+
+    /**
+     * @var callable
+     */
+    private $httpHandler;
+
+    /**
+     * @var CacheItemPoolInterface
+     */
+    private $cache;
+
+    /**
+     * @param callable $httpHandler [optional] An HTTP Handler to deliver PSR-7 requests.
+     * @param CacheItemPoolInterface $cache [optional] A PSR-6 compatible cache implementation.
+     */
+    public function __construct(
+        callable $httpHandler = null,
+        CacheItemPoolInterface $cache = null
+    ) {
+        // @codeCoverageIgnoreStart
+        if (!class_exists('phpseclib\Crypt\RSA')) {
+            throw new \RuntimeException('Please require phpseclib/phpseclib v2 to use this utility.');
+        }
+        // @codeCoverageIgnoreEnd
+
+        $this->httpHandler = $httpHandler
+            ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient());
+        $this->cache = $cache ?: new MemoryCacheItemPool();
+        $this->configureJwtService();
+
+        // set phpseclib constants if applicable
+        $this->setPhpsecConstants();
+    }
+
+    /**
+     * Verifies an id token and returns the authenticated apiLoginTicket.
+     * Throws an exception if the id token is not valid.
+     * The audience parameter can be used to control which id tokens are
+     * accepted.  By default, the id token must have been issued to this OAuth2 client.
+     *
+     * @param string $token The JSON Web Token to be verified.
+     * @param array $options [optional] {
+     *     Configuration options.
+     *
+     *     @type string $audience The indended recipient of the token.
+     *     @type string $certsLocation The location (remote or local) from which
+     *        to retrieve certificates, if not cached. This value should only be
+     *        provided in limited circumstances in which you are sure of the
+     *        behavior.
+     * }
+     * @return array|bool the token payload, if successful, or false if not.
+     * @throws \InvalidArgumentException If certs could not be retrieved from a local file.
+     * @throws \InvalidArgumentException If received certs are in an invalid format.
+     * @throws \RuntimeException If certs could not be retrieved from a remote location.
+     */
+    public function verify($token, array $options = [])
+    {
+        $audience = isset($options['audience'])
+            ? $options['audience']
+            : null;
+        $certsLocation = isset($options['certsLocation'])
+            ? $options['certsLocation']
+            : self::FEDERATED_SIGNON_CERT_URL;
+
+        unset($options['audience'], $options['certsLocation']);
+
+        // Check signature against each available cert.
+        // allow the loop to complete unless a known bad result is encountered.
+        $certs = $this->getFederatedSignOnCerts($certsLocation, $options);
+        foreach ($certs as $cert) {
+            $rsa = new RSA();
+            $rsa->loadKey([
+                'n' => new BigInteger($this->callJwtStatic('urlsafeB64Decode', [
+                    $cert['n']
+                ]), 256),
+                'e' => new BigInteger($this->callJwtStatic('urlsafeB64Decode', [
+                    $cert['e']
+                ]), 256)
+            ]);
+
+            try {
+                $pubkey = $rsa->getPublicKey();
+                $payload = $this->callJwtStatic('decode', [
+                    $token,
+                    $pubkey,
+                    ['RS256']
+                ]);
+
+                if (property_exists($payload, 'aud')) {
+                    if ($audience && $payload->aud != $audience) {
+                        return false;
+                    }
+                }
+
+                // support HTTP and HTTPS issuers
+                // @see https://developers.google.com/identity/sign-in/web/backend-auth
+                $issuers = [self::OAUTH2_ISSUER, self::OAUTH2_ISSUER_HTTPS];
+                if (!isset($payload->iss) || !in_array($payload->iss, $issuers)) {
+                    return false;
+                }
+
+                return (array) $payload;
+            } catch (ExpiredException $e) {
+                return false;
+            } catch (\ExpiredException $e) {
+                // (firebase/php-jwt 2)
+                return false;
+            } catch (SignatureInvalidException $e) {
+                // continue
+            } catch (\SignatureInvalidException $e) {
+                // continue (firebase/php-jwt 2)
+            } catch (\DomainException $e) {
+                // continue
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Revoke an OAuth2 access token or refresh token. This method will revoke the current access
+     * token, if a token isn't provided.
+     *
+     * @param string|array $token The token (access token or a refresh token) that should be revoked.
+     * @param array $options [optional] Configuration options.
+     * @return boolean Returns True if the revocation was successful, otherwise False.
+     */
+    public function revoke($token, array $options = [])
+    {
+        if (is_array($token)) {
+            if (isset($token['refresh_token'])) {
+                $token = $token['refresh_token'];
+            } else {
+                $token = $token['access_token'];
+            }
+        }
+
+        $body = Psr7\stream_for(http_build_query(['token' => $token]));
+        $request = new Request('POST', self::OAUTH2_REVOKE_URI, [
+            'Cache-Control' => 'no-store',
+            'Content-Type'  => 'application/x-www-form-urlencoded',
+        ], $body);
+
+        $httpHandler = $this->httpHandler;
+
+        $response = $httpHandler($request, $options);
+
+        return $response->getStatusCode() == 200;
+    }
+
+    /**
+     * Gets federated sign-on certificates to use for verifying identity tokens.
+     * Returns certs as array structure, where keys are key ids, and values
+     * are PEM encoded certificates.
+     *
+     * @param string $location The location from which to retrieve certs.
+     * @param array $options [optional] Configuration options.
+     * @return array
+     * @throws \InvalidArgumentException If received certs are in an invalid format.
+     */
+    private function getFederatedSignOnCerts($location, array $options = [])
+    {
+        $cacheItem = $this->cache->getItem('federated_signon_certs_v3');
+        $certs = $cacheItem ? $cacheItem->get() : null;
+
+        $gotNewCerts = false;
+        if (!$certs) {
+            $certs = $this->retrieveCertsFromLocation($location, $options);
+
+            $gotNewCerts = true;
+        }
+
+        if (!isset($certs['keys'])) {
+            throw new \InvalidArgumentException(
+                'federated sign-on certs expects "keys" to be set'
+            );
+        }
+
+        // Push caching off until after verifying certs are in a valid format.
+        // Don't want to cache bad data.
+        if ($gotNewCerts) {
+            $cacheItem->expiresAt(new \DateTime('+1 hour'));
+            $cacheItem->set($certs);
+            $this->cache->save($cacheItem);
+        }
+
+        return $certs['keys'];
+    }
+
+    /**
+     * Retrieve and cache a certificates file.
+     *
+     * @param $url string location
+     * @param array $options [optional] Configuration options.
+     * @throws \RuntimeException
+     * @return array certificates
+     * @throws \InvalidArgumentException If certs could not be retrieved from a local file.
+     * @throws \RuntimeException If certs could not be retrieved from a remote location.
+     */
+    private function retrieveCertsFromLocation($url, array $options = [])
+    {
+        // If we're retrieving a local file, just grab it.
+        if (strpos($url, 'http') !== 0) {
+            if (!file_exists($url)) {
+                throw new \InvalidArgumentException(sprintf(
+                    'Failed to retrieve verification certificates from path: %s.',
+                    $url
+                ));
+            }
+
+            return json_decode(file_get_contents($url), true);
+        }
+
+        $httpHandler = $this->httpHandler;
+        $response = $httpHandler(new Request('GET', $url), $options);
+
+        if ($response->getStatusCode() == 200) {
+            return json_decode((string) $response->getBody(), true);
+        }
+
+        throw new \RuntimeException(sprintf(
+            'Failed to retrieve verification certificates: "%s".',
+            $response->getBody()->getContents()
+        ), $response->getStatusCode());
+    }
+
+    /**
+     * Set required defaults for JWT.
+     */
+    private function configureJwtService()
+    {
+        $class = class_exists('Firebase\JWT\JWT')
+            ? 'Firebase\JWT\JWT'
+            : '\JWT';
+
+        if (property_exists($class, 'leeway') && $class::$leeway < 1) {
+            // Ensures JWT leeway is at least 1
+            // @see https://github.com/google/google-api-php-client/issues/827
+            $class::$leeway = 1;
+        }
+    }
+
+    /**
+     * phpseclib calls "phpinfo" by default, which requires special
+     * whitelisting in the AppEngine VM environment. This function
+     * sets constants to bypass the need for phpseclib to check phpinfo
+     *
+     * @see phpseclib/Math/BigInteger
+     * @see https://github.com/GoogleCloudPlatform/getting-started-php/issues/85
+     * @codeCoverageIgnore
+     */
+    private function setPhpsecConstants()
+    {
+        if (filter_var(getenv('GAE_VM'), FILTER_VALIDATE_BOOLEAN)) {
+            if (!defined('MATH_BIGINTEGER_OPENSSL_ENABLED')) {
+                define('MATH_BIGINTEGER_OPENSSL_ENABLED', true);
+            }
+            if (!defined('CRYPT_RSA_MODE')) {
+                define('CRYPT_RSA_MODE', RSA::MODE_OPENSSL);
+            }
+        }
+    }
+
+    /**
+     * Provide a hook to mock calls to the JWT static methods.
+     *
+     * @param string $method
+     * @param array $args
+     * @return mixed
+     */
+    protected function callJwtStatic($method, array $args = [])
+    {
+        $class = class_exists('Firebase\JWT\JWT')
+            ? 'Firebase\JWT\JWT'
+            : 'JWT';
+        return call_user_func_array([$class, $method], $args);
+    }
+}

vendor/google/auth/src/ApplicationDefaultCredentials.php

@@ -161,7 +161,7 @@ class ApplicationDefaultCredentials
         } elseif (AppIdentityCredentials::onAppEngine() && !GCECredentials::onAppEngineFlexible()) {
             $creds = new AppIdentityCredentials($scope);
         } elseif (GCECredentials::onGce($httpHandler)) {
-            $creds = new GCECredentials();
+            $creds = new GCECredentials(null, $scope);
         }
 
         if (is_null($creds)) {

vendor/google/auth/src/Credentials/GCECredentials.php

@@ -121,11 +121,31 @@ class GCECredentials extends CredentialsLoader implements SignBlobInterface
     private $iam;
 
     /**
-     * @param Iam $iam [optional] An IAM instance.
+     * @var string
      */
-    public function __construct(Iam $iam = null)
+    private $tokenUri;
+
+    /**
+     * @param Iam $iam [optional] An IAM instance.
+     * @param string|array $scope [optional] the scope of the access request,
+     *        expressed either as an array or as a space-delimited string.
+     */
+    public function __construct(Iam $iam = null, $scope = null)
     {
         $this->iam = $iam;
+
+        $tokenUri = self::getTokenUri();
+        if ($scope) {
+            if (is_string($scope)) {
+                $scope = explode(' ', $scope);
+            }
+
+            $scope = implode(',', $scope);
+
+            $tokenUri = $tokenUri . '?scopes='. $scope;
+        }
+
+        $this->tokenUri = $tokenUri;
     }
 
     /**
@@ -235,7 +255,7 @@ class GCECredentials extends CredentialsLoader implements SignBlobInterface
             return array();  // return an empty array with no access token
         }
 
-        $json = $this->getFromMetadata($httpHandler, self::getTokenUri());
+        $json = $this->getFromMetadata($httpHandler, $this->tokenUri);
         if (null === $json = json_decode($json, true)) {
             throw new \Exception('Invalid JSON response');
         }

vendor/google/auth/src/ServiceAccountSignerTrait.php

@@ -37,7 +37,7 @@ trait ServiceAccountSignerTrait
         $privateKey = $this->auth->getSigningKey();
 
         $signedString = '';
-        if (class_exists('RSA') && !$forceOpenssl) {
+        if (class_exists('\\phpseclib\\Crypt\\RSA') && !$forceOpenssl) {
             $rsa = new RSA;
             $rsa->loadKey($privateKey);
             $rsa->setSignatureMode(RSA::SIGNATURE_PKCS1);