Merge branch 'main' into bump-auth-dep

Author: bshaffer

.github/sync-repo-settings.yaml

@@ -10,7 +10,8 @@ branchProtectionRules:
     - 'PHP 8.1 Unit Test'
     - 'PHP 8.2 Unit Test'
     - 'PHP 8.3 Unit Test'
-    - 'PHP 8.3 --prefer-lowest Unit Test'
+    - 'PHP 8.4'
+    - 'PHP 8.4 --prefer-lowest Unit Test'
     - 'PHP Style Check'
     - 'cla/google'
   requiredApprovingReviewCount: 1

.github/workflows/tests.yml

@@ -11,12 +11,12 @@ jobs:
         strategy:
             fail-fast: false
             matrix:
-                php: [ "8.0", "8.1", "8.2", "8.3" ]
+                php: [ "8.0", "8.1", "8.2", "8.3", "8.4" ]
                 composer-flags: [""]
                 include:
                   - php: "8.0"
                     composer-flags: "--prefer-lowest "
-                  - php: "8.3"
+                  - php: "8.4"
                     composer-flags: "--prefer-lowest "
         name: PHP ${{ matrix.php }} ${{ matrix.composer-flags }}Unit Test
         steps:

CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## [2.18.1](https://github.com/googleapis/google-api-php-client/compare/v2.18.0...v2.18.1) (2024-11-24)
+
+
+### Bug Fixes
+
+* Implicitly marking parameter  as nullable is deprecated ([#2638](https://github.com/googleapis/google-api-php-client/issues/2638)) ([de57db2](https://github.com/googleapis/google-api-php-client/commit/de57db2fdc0d56de1abbf778b28b77c3347eb3fd))
+
+## [2.18.0](https://github.com/googleapis/google-api-php-client/compare/v2.17.0...v2.18.0) (2024-10-16)
+
+
+### Features
+
+* **docs:** Use doctum shared workflow for reference docs ([#2618](https://github.com/googleapis/google-api-php-client/issues/2618)) ([242e2cb](https://github.com/googleapis/google-api-php-client/commit/242e2cb09ad5b25b047a862b4d521037e74cae29))
+
+
+### Bug Fixes
+
+* Explicit token caching issue ([#2358](https://github.com/googleapis/google-api-php-client/issues/2358)) ([dc13e5e](https://github.com/googleapis/google-api-php-client/commit/dc13e5e3f517148d3c66d151a5ab133b7840d8fb))
+
 ## [2.17.0](https://github.com/googleapis/google-api-php-client/compare/v2.16.0...v2.17.0) (2024-07-10)
 
 

src/AccessToken/Revoke.php

@@ -39,7 +39,7 @@ class Revoke
      * Instantiates the class, but does not initiate the login flow, leaving it
      * to the discretion of the caller.
      */
-    public function __construct(ClientInterface $http = null)
+    public function __construct(?ClientInterface $http = null)
     {
         $this->http = $http;
     }

src/AccessToken/Verify.php

@@ -59,17 +59,17 @@ class Verify
 
     /**
      * @var \Firebase\JWT\JWT
-    */
+     */
     public $jwt;
 
     /**
      * Instantiates the class, but does not initiate the login flow, leaving it
      * to the discretion of the caller.
      */
     public function __construct(
-        ClientInterface $http = null,
-        CacheItemPoolInterface $cache = null,
-        $jwt = null
+        ?ClientInterface $http = null,
+        ?CacheItemPoolInterface $cache = null,
+        ?JWT $jwt = null
     ) {
         if (null === $http) {
             $http = new Client();
@@ -130,7 +130,7 @@ public function verifyIdToken($idToken, $audience = null)
                     return false;
                 }
 
-                return (array) $payload;
+                return (array)$payload;
             } catch (ExpiredException $e) { // @phpstan-ignore-line
                 return false;
             } catch (ExpiredExceptionV3 $e) {
@@ -154,17 +154,17 @@ private function getCache()
      * Retrieve and cache a certificates file.
      *
      * @param string $url location
-     * @throws \Google\Exception
      * @return array certificates
+     * @throws \Google\Exception
      */
     private function retrieveCertsFromLocation($url)
     {
         // If we're retrieving a local file, just grab it.
         if (0 !== strpos($url, 'http')) {
             if (!$file = file_get_contents($url)) {
                 throw new GoogleException(
-                    "Failed to retrieve verification certificates: '" .
-                    $url . "'."
+                    "Failed to retrieve verification certificates: '".
+                    $url."'."
                 );
             }
 
@@ -175,7 +175,7 @@ private function retrieveCertsFromLocation($url)
         $response = $this->http->get($url);
 
         if ($response->getStatusCode() == 200) {
-            return json_decode((string) $response->getBody(), true);
+            return json_decode((string)$response->getBody(), true);
         }
         throw new GoogleException(
             sprintf(

src/AuthHandler/Guzzle6AuthHandler.php

@@ -20,7 +20,7 @@ class Guzzle6AuthHandler
     protected $cache;
     protected $cacheConfig;
 
-    public function __construct(CacheItemPoolInterface $cache = null, array $cacheConfig = [])
+    public function __construct(?CacheItemPoolInterface $cache = null, array $cacheConfig = [])
     {
         $this->cache = $cache;
         $this->cacheConfig = $cacheConfig;
@@ -29,7 +29,7 @@ public function __construct(CacheItemPoolInterface $cache = null, array $cacheCo
     public function attachCredentials(
         ClientInterface $http,
         CredentialsLoader $credentials,
-        callable $tokenCallback = null
+        ?callable $tokenCallback = null
     ) {
         // use the provided cache
         if ($this->cache) {
@@ -46,7 +46,7 @@ public function attachCredentials(
     public function attachCredentialsCache(
         ClientInterface $http,
         FetchAuthTokenCache $credentials,
-        callable $tokenCallback = null
+        ?callable $tokenCallback = null
     ) {
         // if we end up needing to make an HTTP request to retrieve credentials, we
         // can use our existing one, but we need to throw exceptions so the error
@@ -74,10 +74,18 @@ public function attachToken(ClientInterface $http, array $token, array $scopes)
             return $token['access_token'];
         };
 
+        // Derive a cache prefix from the token, to ensure setting a new token
+        // results in a cache-miss.
+        // Note: Supplying a custom "prefix" will bust this behavior.
+        $cacheConfig = $this->cacheConfig;
+        if (!isset($cacheConfig['prefix']) && isset($token['access_token'])) {
+            $cacheConfig['prefix'] = substr(sha1($token['access_token']), -10);
+        }
+
         $middleware = new ScopedAccessTokenMiddleware(
             $tokenFunc,
             $scopes,
-            $this->cacheConfig,
+            $cacheConfig,
             $this->cache
         );
 

src/Client.php

@@ -321,7 +321,7 @@ public function refreshTokenWithAssertion()
      * @param ClientInterface $authHttp optional.
      * @return array access token
      */
-    public function fetchAccessTokenWithAssertion(ClientInterface $authHttp = null)
+    public function fetchAccessTokenWithAssertion(?ClientInterface $authHttp = null)
     {
         if (!$this->isUsingApplicationDefaultCredentials()) {
             throw new DomainException(
@@ -454,7 +454,7 @@ public function createAuthUrl($scope = null, array $queryParams = [])
      * @param ClientInterface $http the http client object.
      * @return ClientInterface the http client object
      */
-    public function authorize(ClientInterface $http = null)
+    public function authorize(?ClientInterface $http = null)
     {
         $http = $http ?: $this->getHttpClient();
         $authHandler = $this->getAuthHandler();

src/Http/REST.php

@@ -54,7 +54,7 @@ public static function execute(
     ) {
         $runner = new Runner(
             $config,
-            sprintf('%s %s', $request->getMethod(), (string) $request->getUri()),
+            sprintf('%s %s', $request->getMethod(), (string)$request->getUri()),
             [self::class, 'doExecute'],
             [$client, $request, $expectedClass]
         );
@@ -120,15 +120,15 @@ interface_exists('\GuzzleHttp\Message\ResponseInterface')
      */
     public static function decodeHttpResponse(
         ResponseInterface $response,
-        RequestInterface $request = null,
+        ?RequestInterface $request = null,
         $expectedClass = null
     ) {
         $code = $response->getStatusCode();
 
         // retry strategy
         if (intVal($code) >= 400) {
             // if we errored out, it should be safe to grab the response body
-            $body = (string) $response->getBody();
+            $body = (string)$response->getBody();
 
             // Check if we received errors, and add those to the Exception for convenience
             throw new GoogleServiceException($body, $code, null, self::getResponseErrors($body));
@@ -147,17 +147,17 @@ public static function decodeHttpResponse(
         return $response;
     }
 
-    private static function decodeBody(ResponseInterface $response, RequestInterface $request = null)
+    private static function decodeBody(ResponseInterface $response, ?RequestInterface $request = null)
     {
         if (self::isAltMedia($request)) {
             // don't decode the body, it's probably a really long string
             return '';
         }
 
-        return (string) $response->getBody();
+        return (string)$response->getBody();
     }
 
-    private static function determineExpectedClass($expectedClass, RequestInterface $request = null)
+    private static function determineExpectedClass($expectedClass, ?RequestInterface $request = null)
     {
         // "false" is used to explicitly prevent an expected class from being returned
         if (false === $expectedClass) {
@@ -184,7 +184,7 @@ private static function getResponseErrors($body)
         return null;
     }
 
-    private static function isAltMedia(RequestInterface $request = null)
+    private static function isAltMedia(?RequestInterface $request = null)
     {
         if ($request && $qs = $request->getUri()->getQuery()) {
             parse_str($qs, $query);

src/Service/Exception.php

@@ -39,7 +39,7 @@ class Exception extends GoogleException
     public function __construct(
         $message,
         $code = 0,
-        Exception $previous = null,
+        ?Exception $previous = null,
         $errors = []
     ) {
         if (version_compare(PHP_VERSION, '5.3.0') >= 0) {

src/Task/Composer.php

@@ -30,7 +30,7 @@ class Composer
      */
     public static function cleanup(
         Event $event,
-        Filesystem $filesystem = null
+        ?Filesystem $filesystem = null
     ) {
         $composer = $event->getComposer();
         $extra = $composer->getPackage()->getExtra();

tests/Google/AuthHandler/AuthHandlerTest.php

@@ -0,0 +1,82 @@
+<?php
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+namespace Google\Tests\AuthHandler;
+
+use Google\AuthHandler\AuthHandlerFactory;
+use Google\Auth\Cache\MemoryCacheItemPool;
+use GuzzleHttp\Client;
+use GuzzleHttp\Psr7\Request;
+use Google\Tests\BaseTest;
+
+class AuthHandlerTest extends BaseTest
+{
+    public function testSetAccessTokenResultsInAuthCacheMiss()
+    {
+        $client = new Client();
+        $cache = new MemoryCacheItemPool();
+        $authHandler = AuthHandlerFactory::build($cache);
+        $scopes = ['scope1', 'scope2'];
+
+        // Attach the first token to the HTTP client
+        $http1 = $authHandler->attachToken(
+            $client,
+            ['access_token' => '1234'],
+            $scopes
+        );
+
+        // Call our middleware and verify the token is set
+        $scopedMiddleware = $this->getGoogleAuthMiddleware($http1);
+        $request = $scopedMiddleware(new Request('GET', '/'), ['auth' => 'scoped']);
+        $this->assertEquals(['Bearer 1234'], $request->getHeader('Authorization'));
+
+        // Attach a new token to the HTTP client
+        $http2 = $authHandler->attachToken(
+            $client,
+            ['access_token' => '5678'],
+            $scopes
+        );
+
+        // Call our middleware and verify the NEW token is set
+        $scopedMiddleware = $this->getGoogleAuthMiddleware($http2);
+        $request = $scopedMiddleware(new Request('GET', '/'), ['auth' => 'scoped']);
+        $this->assertEquals(['Bearer 5678'], $request->getHeader('Authorization'));
+    }
+
+    private function getGoogleAuthMiddleware(Client $http)
+    {
+        // All sorts of horrible reflection to get at our middleware
+        $handler = $http->getConfig()['handler'];
+        $reflectionMethod = new \ReflectionMethod($handler, 'findByName');
+        $reflectionMethod->setAccessible(true);
+        $authMiddlewareIdx = $reflectionMethod->invoke($handler, 'google_auth');
+
+        $reflectionProperty = new \ReflectionProperty($handler, 'stack');
+        $reflectionProperty->setAccessible(true);
+        $stack = $reflectionProperty->getValue($handler);
+
+        $callable = $stack[$authMiddlewareIdx][0];
+        return $callable(function ($request) {
+            return $request;
+        });
+    }
+}