Class: Google::Auth::GCECredentials

Inherits:
Signet::OAuth2::Client show all
Extended by:
Memoist
Defined in:
lib/googleauth/compute_engine.rb

Overview

Extends Signet::OAuth2::Client so that the auth token is obtained from the GCE metadata server.

Constant Summary collapse

DEFAULT_METADATA_HOST =

The IP Address is used in the URIs to speed up failures on non-GCE systems.

"169.254.169.254".freeze
COMPUTE_AUTH_TOKEN_URI = 
"http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze
COMPUTE_ID_TOKEN_URI = 
"http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity".freeze
COMPUTE_CHECK_URI = 
"http://169.254.169.254".freeze

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from Signet::OAuth2::Client

#apply, #apply!, #build_default_connection, #configure_connection, #fetch_access_token!, #notify_refresh_listeners, #on_refresh, #orig_fetch_access_token!, #retry_with_error, #updater_proc

Class Method Details

.compute_auth_token_uriObject 



76
77
78
 
# File 'lib/googleauth/compute_engine.rb', line 76

def compute_auth_token_uri
  "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/token".freeze
end

.compute_check_uriObject 



72
73
74
 
# File 'lib/googleauth/compute_engine.rb', line 72

def compute_check_uri
  "http://#{metadata_host}".freeze
end

.compute_id_token_uriObject 



80
81
82
 
# File 'lib/googleauth/compute_engine.rb', line 80

def compute_id_token_uri
  "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/identity".freeze
end

.metadata_hostObject 



68
69
70
 
# File 'lib/googleauth/compute_engine.rb', line 68

def metadata_host
  ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST
end

.on_gce?(options = {}) ⇒ Boolean

Detect if this appear to be a GCE instance, by checking if metadata is available.

Returns:

  • (Boolean) 


86
87
88
89
90
91
92
93
94
95
96
97
98
 
# File 'lib/googleauth/compute_engine.rb', line 86

def on_gce? options = {}
  # TODO: This should use google-cloud-env instead.
  c = options[:connection] || Faraday.default_connection
  headers = { "Metadata-Flavor" => "Google" }
  resp = c.get compute_check_uri, nil, headers do |req|
    req.options.timeout = 1.0
    req.options.open_timeout = 0.1
  end
  return false unless resp.status == 200
  resp.headers["Metadata-Flavor"] == "Google"
rescue Faraday::TimeoutError, Faraday::ConnectionFailed
  false
end

Instance Method Details

#fetch_access_token(options = {}) ⇒ Object

Overrides the super class method to change how access tokens are fetched.



105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
 
# File 'lib/googleauth/compute_engine.rb', line 105

def fetch_access_token options = {}
  c = options[:connection] || Faraday.default_connection
  retry_with_error do
    uri = target_audience ? GCECredentials.compute_id_token_uri : GCECredentials.compute_auth_token_uri
    query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
    query[:scopes] = Array(scope).join "," if scope
    resp = c.get uri, query, "Metadata-Flavor" => "Google"
    case resp.status
    when 200
      content_type = resp.headers["content-type"]
      if content_type == "text/html"
        { (target_audience ? "id_token" : "access_token") => resp.body }
      else
        Signet::OAuth2.parse_credentials resp.body, content_type
      end
    when 403, 500
      msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
      raise Signet::UnexpectedStatusError, msg
    when 404
      raise Signet::AuthorizationError, NO_METADATA_SERVER_ERROR
    else
      msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
      raise Signet::AuthorizationError, msg
    end
  end
end