Class: Google::Auth::GCECredentials
- Inherits: Signet::OAuth2::Client
  - Object
    - Signet::OAuth2::Client
      - Google::Auth::GCECredentials
- Extended by: Memoist
- Defined in: lib/googleauth/compute_engine.rb
Overview
Extends Signet::OAuth2::Client so that the auth token is obtained from the GCE metadata server.
Constant Summary
- DEFAULT_METADATA_HOST = "169.254.169.254".freeze
  The IP address is used in the URIs to speed up failures on non-GCE systems.
- COMPUTE_AUTH_TOKEN_URI = "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze
- COMPUTE_ID_TOKEN_URI = "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity".freeze
- COMPUTE_CHECK_URI = "http://169.254.169.254".freeze
Class Method Summary
- .compute_auth_token_uri ⇒ Object
- .compute_check_uri ⇒ Object
- .compute_id_token_uri ⇒ Object
- .metadata_host ⇒ Object
- .on_gce?(options = {}) ⇒ Boolean
  Detects whether this appears to be a GCE instance by checking whether metadata is available.
Instance Method Summary
- #fetch_access_token(options = {}) ⇒ Object
  Overrides the superclass method to change how access tokens are fetched.
Methods inherited from Signet::OAuth2::Client
#apply, #apply!, #build_default_connection, #configure_connection, #fetch_access_token!, #notify_refresh_listeners, #on_refresh, #orig_fetch_access_token!, #retry_with_error, #updater_proc
Class Method Details
.compute_auth_token_uri ⇒ Object

    # File 'lib/googleauth/compute_engine.rb', line 76
    def compute_auth_token_uri
      "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/token".freeze
    end

.compute_check_uri ⇒ Object

    # File 'lib/googleauth/compute_engine.rb', line 72
    # Base URI of the metadata server, built from metadata_host.
    def compute_check_uri
      "http://#{metadata_host}".freeze
    end

.compute_id_token_uri ⇒ Object

    # File 'lib/googleauth/compute_engine.rb', line 80
    def compute_id_token_uri
      "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/identity".freeze
    end

.metadata_host ⇒ Object

    # File 'lib/googleauth/compute_engine.rb', line 68
    # GCE_METADATA_HOST overrides the default host when it is set.
    def metadata_host
      ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST
    end

.on_gce?(options = {}) ⇒ Boolean
Detects whether this appears to be a GCE instance by checking whether metadata is available.

    # File 'lib/googleauth/compute_engine.rb', line 86
    def on_gce? options = {}
      # TODO: This should use google-cloud-env instead.
      c = options[:connection] || Faraday.default_connection
      headers = { "Metadata-Flavor" => "Google" }
      # Keep the probe short: 1 s overall, 0.1 s to open the connection.
      resp = c.get compute_check_uri, nil, headers do |req|
        req.options.timeout = 1.0
        req.options.open_timeout = 0.1
      end
      # Both a 200 status and the Metadata-Flavor response header are required.
      return false unless resp.status == 200
      resp.headers["Metadata-Flavor"] == "Google"
    rescue Faraday::TimeoutError, Faraday::ConnectionFailed
      false
    end

Instance Method Details
#fetch_access_token(options = {}) ⇒ Object
Overrides the superclass method to change how access tokens are fetched.

    # File 'lib/googleauth/compute_engine.rb', line 105
    def fetch_access_token options = {}
      c = options[:connection] || Faraday.default_connection
      retry_with_error do
        # ID token endpoint when target_audience is set, access token endpoint otherwise.
        uri = target_audience ? GCECredentials.compute_id_token_uri : GCECredentials.compute_auth_token_uri
        query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
        query[:scopes] = Array(scope).join "," if scope
        resp = c.get uri, query, "Metadata-Flavor" => "Google"
        case resp.status
        when 200
          content_type = resp.headers["content-type"]
          # A text/html body is taken as the raw token string.
          if content_type == "text/html"
            { (target_audience ? "id_token" : "access_token") => resp.body }
          else
            Signet::OAuth2.parse_credentials resp.body, content_type
          end
        when 403, 500
          msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
          raise Signet::UnexpectedStatusError, msg
        when 404
          raise Signet::AuthorizationError, NO_METADATA_SERVER_ERROR
        else
          msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
          raise Signet::AuthorizationError, msg
        end
      end
    end

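
`.metadata_host` takes the host for the token endpoints from `GCE_METADATA_HOST`, and the URIs are plain `http://`, so a deployment check can confirm where that variable points before credentials are fetched. The following is an added example, not part of the googleauth library: `token_uri_for`, `audit_metadata_host` and the severity labels are hypothetical names, and treating `metadata.google.internal` as the only acceptable DNS name is an assumption.

```ruby
require "ipaddr"

DEFAULT_HOST = "169.254.169.254".freeze            # DEFAULT_METADATA_HOST on this page
KNOWN_NAMES  = ["metadata.google.internal"].freeze # assumption: accepted DNS name
TOKEN_PATH   = "/computeMetadata/v1/instance/service-accounts/default/token".freeze

# Hypothetical helper: rebuilds the URI that .compute_auth_token_uri would
# return, reading the environment from a Hash instead of the process ENV.
def token_uri_for(env)
  "http://#{env.fetch('GCE_METADATA_HOST', DEFAULT_HOST)}#{TOKEN_PATH}"
end

# Hypothetical helper: returns [severity, reason] for the host that token
# requests would be sent to. Severity is :ok, :warn or :alert.
def audit_metadata_host(env)
  raw = env["GCE_METADATA_HOST"]
  return [:ok, "default link-local address"] if raw.nil? || raw == DEFAULT_HOST
  return [:alert, "empty override gives a URI with no host"] if raw.strip.empty?
  return [:alert, "override is not a bare host[:port]"] if raw =~ %r{[\s/?\#@]}

  host = raw.sub(/:\d+\z/, "") # drop an optional :port (IPv4 and names only)
  return [:ok, "known metadata DNS name"] if KNOWN_NAMES.include?(host.downcase)

  ip = begin
    IPAddr.new(host)
  rescue IPAddr::InvalidAddressError
    return [:alert, "unrecognised hostname #{host.inspect}"]
  end
  return [:warn, "loopback address, expected only with a local emulator"] if ip.loopback?
  return [:warn, "link-local, but not the default host and port"] if ip.link_local?

  [:alert, "token requests would go to #{ip}, outside the link-local range"]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample environments, not taken from a real deployment.
  [{}, { "GCE_METADATA_HOST" => "127.0.0.1:8080" },
   { "GCE_METADATA_HOST" => "10.0.0.5" }].each do |env|
    severity, reason = audit_metadata_host(env)
    puts "#{severity.to_s.ljust 6} #{token_uri_for env}  (#{reason})"
  end
end
```

Run it in CI or at process start with `ENV.to_h` as the argument and fail the job on `:alert`.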