class Google::Auth::GCECredentials
Extends Signet::OAuth2::Client
so that the auth token is obtained from the GCE metadata server.
Constants
- COMPUTE_AUTH_TOKEN_URI
-
@private Unused and deprecated but retained to prevent breaking changes
- COMPUTE_CHECK_URI
-
@private Unused and deprecated but retained to prevent breaking changes
- COMPUTE_ID_TOKEN_URI
-
@private Unused and deprecated but retained to prevent breaking changes
- DEFAULT_METADATA_HOST
-
@private Unused and deprecated but retained to prevent breaking changes
Attributes
@private Temporary; remove when universe domain metadata endpoint is stable (see b/349488459).
Public Class Methods
Source
# File lib/googleauth/compute_engine.rb, line 60 def compute_auth_token_uri "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/token".freeze end
@private Unused and deprecated
Source
# File lib/googleauth/compute_engine.rb, line 55 def compute_check_uri "http://#{metadata_host}".freeze end
@private Unused and deprecated
Source
# File lib/googleauth/compute_engine.rb, line 65 def compute_id_token_uri "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/identity".freeze end
@private Unused and deprecated
Source
# File lib/googleauth/compute_engine.rb, line 50 def metadata_host ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST end
@private Unused and deprecated
Source
# File lib/googleauth/compute_engine.rb, line 87 def initialize options = {} # Override the constructor to remember whether the universe domain was # overridden by a constructor argument. @universe_domain_overridden = options["universe_domain"] || options[:universe_domain] # TODO: Remove when universe domain metadata endpoint is stable (see b/349488459). @disable_universe_domain_check = true super options end
Construct a GCECredentials
Source
# File lib/googleauth/compute_engine.rb, line 72 def on_gce? _options = {}, _reload = false # rubocop:disable Style/OptionalBooleanParameter Google::Cloud.env.metadata? end
Detect if this appear to be a GCE instance, by checking if metadata is available. The parameters are deprecated and unused.
Source
# File lib/googleauth/compute_engine.rb, line 76 def reset_cache Google::Cloud.env.compute_metadata.reset_existence! Google::Cloud.env.compute_metadata.cache.expire_all! end
Public Instance Methods
Source
# File lib/googleauth/compute_engine.rb, line 105 def duplicate options = {} options = deep_hash_normalize options super( { universe_domain_overridden: @universe_domain_overridden }.merge(options) ) end
Creates a duplicate of these credentials without the Signet::OAuth2::Client
-specific transient state (e.g. cached tokens)
@param options [Hash] Overrides for the credentials parameters.
The following keys are recognized in addition to keys in the Signet::OAuth2::Client * `:universe_domain_overridden` Whether the universe domain was overriden during credentials creation
Signet::OAuth2::Client#duplicate
Source
# File lib/googleauth/compute_engine.rb, line 129 def fetch_access_token _options = {} query, entry = if token_type == :id_token [{ "audience" => target_audience, "format" => "full" }, "service-accounts/default/identity"] else [{}, "service-accounts/default/token"] end query[:scopes] = Array(scope).join "," if scope begin log_fetch_query resp = Google::Cloud.env.lookup_metadata_response "instance", entry, query: query log_fetch_resp resp case resp.status when 200 build_token_hash resp.body, resp.headers["content-type"], resp.retrieval_monotonic_time when 403, 500 raise Signet::UnexpectedStatusError, "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}" when 404 raise Signet::AuthorizationError, NO_METADATA_SERVER_ERROR else raise Signet::AuthorizationError, "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}" end rescue Google::Cloud::Env::MetadataServerNotResponding => e log_fetch_err e raise Signet::AuthorizationError, e.message end end
Overrides the super class method to change how access tokens are fetched.
Source
# File lib/googleauth/compute_engine.rb, line 120 def universe_domain value = super return value unless value.nil? fetch_access_token! super end
@private Overrides universe_domain
getter to fetch lazily if it hasn’t been fetched yet. This is necessary specifically for Compute Engine because the universe comes from the metadata service, and isn’t known immediately on credential construction. All other credential types read the universe from their json key or other immediate input.
Source
# File lib/googleauth/compute_engine.rb, line 167 def update! options = {} # Normalize all keys to symbols to allow indifferent access. options = deep_hash_normalize options @universe_domain_overridden = options[:universe_domain_overridden] if options.key? :universe_domain_overridden super(options) self end
Destructively updates these credentials.
This method is called by ‘Signet::OAuth2::Client`’s constructor
@param options [Hash] Overrides for the credentials parameters.
The following keys are recognized in addition to keys in the Signet::OAuth2::Client * `:universe_domain_overridden` Whether the universe domain was overriden during credentials creation
@return [Google::Auth::GCECredentials]
Signet::OAuth2::Client#update!
Private Instance Methods
Source
# File lib/googleauth/compute_engine.rb, line 237 def add_universe_domain_to hash return if @universe_domain_overridden universe_domain = if disable_universe_domain_check # TODO: Remove when universe domain metadata endpoint is stable (see b/349488459). "googleapis.com" else Google::Cloud.env.lookup_metadata "universe", "universe-domain" end universe_domain = "googleapis.com" if !universe_domain || universe_domain.empty? hash["universe_domain"] = universe_domain.strip end
Source
# File lib/googleauth/compute_engine.rb, line 254 def adjust_for_stale_expires_in hash, retrieval_time return unless hash["expires_in"].is_a? Numeric offset = 1 + (Process.clock_gettime(Process::CLOCK_MONOTONIC) - retrieval_time).round hash["expires_in"] -= offset if offset.positive? hash["expires_in"] = 0 if hash["expires_in"].negative? end
The response might have been cached, which means expires_in might be stale. Update it based on the time since the data was retrieved. We also ensure expires_in is conservative; subtracting at least 1 second to offset any skew from metadata server latency.
Source
# File lib/googleauth/compute_engine.rb, line 216 def build_token_hash body, content_type, retrieval_time hash = if ["text/html", "application/text"].include? content_type parse_encoded_token body else Signet::OAuth2.parse_credentials body, content_type end add_universe_domain_to hash adjust_for_stale_expires_in hash, retrieval_time hash end
Source
# File lib/googleauth/compute_engine.rb, line 207 def log_fetch_err _err logger&.info do Google::Logging::Message.from( message: "MDS did not respond to token request", "credentialsId" => object_id ) end end
Source
# File lib/googleauth/compute_engine.rb, line 180 def log_fetch_query if token_type == :id_token logger&.info do Google::Logging::Message.from( message: "Requesting id token from MDS with aud=#{target_audience}", "credentialsId" => object_id ) end else logger&.info do Google::Logging::Message.from( message: "Requesting access token from MDS", "credentialsId" => object_id ) end end end
Source
# File lib/googleauth/compute_engine.rb, line 198 def log_fetch_resp resp logger&.info do Google::Logging::Message.from( message: "Received #{resp.status} from MDS", "credentialsId" => object_id ) end end
Source
# File lib/googleauth/compute_engine.rb, line 228 def parse_encoded_token body hash = { token_type.to_s => body } if token_type == :id_token expires_at = expires_at_from_id_token body hash["expires_at"] = expires_at if expires_at end hash end