Class: Google::Auth::GCECredentials

Inherits:

Signet::OAuth2::Client

• Object
• Signet::OAuth2::Client
• Google::Auth::GCECredentials

Extended by:

Memoist

Defined in:

lib/googleauth/compute_engine.rb

Overview

Extends Signet::OAuth2::Client so that the auth token is obtained from the GCE metadata server.

Constant Summary

COMPUTE_AUTH_TOKEN_URI =

The IP Address is used in the URIs to speed up failures on non-GCE systems.

"http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze

COMPUTE_ID_TOKEN_URI =

"http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity".freeze

COMPUTE_CHECK_URI =

"http://169.254.169.254".freeze

Class Method Summary

• .on_gce?(options = {}) ⇒ Boolean

  Detect if this appear to be a GCE instance, by checking if metadata is available.

Instance Method Summary

• #fetch_access_token(options = {}) ⇒ Object

  Overrides the super class method to change how access tokens are fetched.

Methods inherited from Signet::OAuth2::Client

#apply, #apply!, #build_default_connection, #configure_connection, #fetch_access_token!, #notify_refresh_listeners, #on_refresh, #orig_fetch_access_token!, #retry_with_error, #updater_proc

Class Method Details

.on_gce?(options = {}) ⇒ Boolean

Detect if this appear to be a GCE instance, by checking if metadata is available.

Returns:

• (Boolean)

# File 'lib/googleauth/compute_engine.rb', line 65

def on_gce? options = {}
  # TODO: This should use google-cloud-env instead.
  c = options[:connection] || Faraday.default_connection
  headers = { "Metadata-Flavor" => "Google" }
  resp = c.get COMPUTE_CHECK_URI, nil, headers do |req|
    req.options.timeout = 1.0
    req.options.open_timeout = 0.1
  end
  return false unless resp.status == 200
  resp.headers["Metadata-Flavor"] == "Google"
rescue Faraday::TimeoutError, Faraday::ConnectionFailed
  false
end

Instance Method Details

#fetch_access_token(options = {}) ⇒ Object

Overrides the super class method to change how access tokens are fetched.

# File 'lib/googleauth/compute_engine.rb', line 84

def fetch_access_token options = {}
  c = options[:connection] || Faraday.default_connection
  retry_with_error do
    uri = target_audience ? COMPUTE_ID_TOKEN_URI : COMPUTE_AUTH_TOKEN_URI
    query = target_audience ? { "audience" => target_audience, "format" => "full" } : nil
    headers = { "Metadata-Flavor" => "Google" }
    resp = c.get uri, query, headers
    case resp.status
    when 200
      content_type = resp.headers["content-type"]
      if content_type == "text/html"
        { (target_audience ? "id_token" : "access_token") => resp.body }
      else
        Signet::OAuth2.parse_credentials resp.body, content_type
      end
    when 404
      raise Signet::AuthorizationError, NO_METADATA_SERVER_ERROR
    else
      msg = "Unexpected error code #{resp.status}" \
        "#{UNEXPECTED_ERROR_SUFFIX}"
      raise Signet::AuthorizationError, msg
    end
  end
end