Class: Google::Auth::GCECredentials

Inherits:

Signet::OAuth2::Client

Object
Signet::OAuth2::Client
Google::Auth::GCECredentials

show all

Extended by:: Memoist

Defined in:: lib/googleauth/compute_engine.rb

Overview

Extends Signet::OAuth2::Client so that the auth token is obtained from the GCE metadata server.

Constant Summary collapse

COMPUTE_AUTH_TOKEN_URI = The IP Address is used in the URIs to speed up failures on non-GCE systems.

'http://169.254.169.254/computeMetadata/v1/'\
'instance/service-accounts/default/token'.freeze

COMPUTE_CHECK_URI =

'http://169.254.169.254'.freeze

Class Method Summary collapse

.on_gce?(options = {}) ⇒ Boolean

Detect if this appear to be a GCE instance, by checking if metadata is available.

Instance Method Summary collapse

#fetch_access_token(options = {}) ⇒ Object

Overrides the super class method to change how access tokens are fetched.

Methods inherited from Signet::OAuth2::Client

#apply, #apply!, #fetch_access_token!, #notify_refresh_listeners, #on_refresh, #orig_fetch_access_token!, #retry_with_error, #updater_proc

Class Method Details

.on_gce?(options = {}) ⇒ `Boolean`

Detect if this appear to be a GCE instance, by checking if metadata is available

Returns:

(Boolean)

# File 'lib/googleauth/compute_engine.rb', line 63

def on_gce?(options = {})
  c = options[:connection] || Faraday.default_connection
  resp = c.get(COMPUTE_CHECK_URI) do |req|
    # Comment from: oauth2client/client.py
    #
    # Note: the explicit `timeout` below is a workaround. The underlying
    # issue is that resolving an unknown host on some networks will take
    # 20-30 seconds; making this timeout short fixes the issue, but
    # could lead to false negatives in the event that we are on GCE, but
    # the metadata resolution was particularly slow. The latter case is
    # "unlikely".
    req.options.timeout = 0.1
  end
  return false unless resp.status == 200
  return false unless resp.headers.key?('Metadata-Flavor')
  return resp.headers['Metadata-Flavor'] == 'Google'
rescue Faraday::TimeoutError, Faraday::ConnectionFailed
  return false
end

Instance Method Details

#fetch_access_token(options = {}) ⇒ `Object`

Overrides the super class method to change how access tokens are fetched.

# File 'lib/googleauth/compute_engine.rb', line 88

def fetch_access_token(options = {})
  c = options[:connection] || Faraday.default_connection
  c.headers = { 'Metadata-Flavor' => 'Google' }

  retry_with_error do
    resp = c.get(COMPUTE_AUTH_TOKEN_URI)
    case resp.status
    when 200
      Signet::OAuth2.parse_credentials(resp.body,
                                       resp.headers['content-type'])
    when 404
      raise(Signet::AuthorizationError, NO_METADATA_SERVER_ERROR)
    else
      msg = "Unexpected error code #{resp.status}" \
        "#{UNEXPECTED_ERROR_SUFFIX}"
      raise(Signet::AuthorizationError, msg)
    end
  end
end