class Google::Auth::GCECredentials

Extends Signet::OAuth2::Client so that the auth token is obtained from the GCE metadata server.

Constants

COMPUTE_AUTH_TOKEN_URI

@private Unused and deprecated but retained to prevent breaking changes

COMPUTE_CHECK_URI

@private Unused and deprecated but retained to prevent breaking changes

COMPUTE_ID_TOKEN_URI

@private Unused and deprecated but retained to prevent breaking changes

DEFAULT_METADATA_HOST

@private Unused and deprecated but retained to prevent breaking changes

Public Class Methods

compute_auth_token_uri()

@private Unused and deprecated

# File lib/googleauth/compute_engine.rb, line 60
# @private Unused and deprecated.
#
# Builds the URL of the default service account's access-token endpoint
# by appending the metadata path to the base returned by
# compute_check_uri.
#
# @return [String] the frozen endpoint URL
def compute_auth_token_uri
  token_path = "/computeMetadata/v1/instance/service-accounts/default/token"
  "#{compute_check_uri}#{token_path}".freeze
end
compute_check_uri()

@private Unused and deprecated

# File lib/googleauth/compute_engine.rb, line 55
# @private Unused and deprecated.
#
# Builds the base URL of the metadata server. The scheme is fixed to
# plain HTTP and the host is whatever metadata_host returns.
#
# @return [String] the frozen base URL
def compute_check_uri
  format("http://%s", metadata_host).freeze
end
compute_id_token_uri()

@private Unused and deprecated

# File lib/googleauth/compute_engine.rb, line 65
# @private Unused and deprecated.
#
# Builds the URL of the default service account's identity (ID token)
# endpoint by appending the metadata path to the base returned by
# compute_check_uri.
#
# @return [String] the frozen endpoint URL
def compute_id_token_uri
  identity_path = "/computeMetadata/v1/instance/service-accounts/default/identity"
  "#{compute_check_uri}#{identity_path}".freeze
end
metadata_host()

@private Unused and deprecated

# File lib/googleauth/compute_engine.rb, line 50
# @private Unused and deprecated.
#
# Resolves the metadata server host. The GCE_METADATA_HOST environment
# variable wins when it is set; otherwise DEFAULT_METADATA_HOST is used.
# The environment value is returned as-is, without validation, so
# whoever controls the process environment chooses the host.
#
# @return [String] the host name or address of the metadata server
def metadata_host
  ENV.fetch("GCE_METADATA_HOST") { DEFAULT_METADATA_HOST }
end
new(options = {})

Construct a GCECredentials

Calls superclass method
# File lib/googleauth/compute_engine.rb, line 84
# Construct a GCECredentials.
#
# Before delegating to the superclass constructor, records whether the
# caller supplied a universe domain, under either the String key
# "universe_domain" or the Symbol key :universe_domain.
#
# @param options [Hash] constructor options, passed unchanged to super
def initialize options = {}
  explicit_domain = options["universe_domain"] || options[:universe_domain]
  # Stored as a strict boolean rather than the domain value itself.
  @universe_domain_overridden = explicit_domain ? true : false
  super options
end
on_gce?(_options = {})

Detects whether this appears to be a GCE instance by checking whether metadata is available. The parameters are deprecated and unused.

# File lib/googleauth/compute_engine.rb, line 72
# Reports whether metadata is available, as answered by
# Google::Cloud.env.metadata?.
#
# @param _options [Hash] deprecated and unused
# @param _reload [Boolean] deprecated and unused
# @return [Boolean] the result of Google::Cloud.env.metadata?
def on_gce? _options = {}, _reload = false # rubocop:disable Style/OptionalBooleanParameter
  environment = Google::Cloud.env
  environment.metadata?
end
reset_cache()
# File lib/googleauth/compute_engine.rb, line 76
# Clears what Google::Cloud.env remembers about the metadata server:
# first the existence check is reset, then every cache entry is expired.
def reset_cache
  metadata = Google::Cloud.env.compute_metadata
  metadata.reset_existence!
  metadata.cache.expire_all!
end
Also aliased as: unmemoize_all
unmemoize_all()
Alias for: reset_cache

Public Instance Methods

fetch_access_token(_options = {})

Overrides the superclass method to change how access tokens are fetched.

# File lib/googleauth/compute_engine.rb, line 93
# Fetches a token for the default service account from the metadata
# server instead of an OAuth2 token endpoint.
#
# When token_type is :id_token the identity entry is queried with the
# target audience and the "full" format; otherwise the token entry is
# queried. Any configured scope is sent as a comma-separated list.
#
# The returned hash carries a bearer credential, so callers should keep
# it out of logs and error reports.
#
# @param _options [Hash] unused
# @return [Hash] the token hash produced by build_token_hash
# @raise [Signet::UnexpectedStatusError] on a 403 or 500 response
# @raise [Signet::AuthorizationError] on a 404, on any other non-200
#   status, or when the metadata server does not respond
def fetch_access_token _options = {}
  wants_id_token = token_type == :id_token
  entry = wants_id_token ? "service-accounts/default/identity" : "service-accounts/default/token"
  query = wants_id_token ? { "audience" => target_audience, "format" => "full" } : {}
  query[:scopes] = Array(scope).join "," if scope
  begin
    resp = Google::Cloud.env.lookup_metadata_response "instance", entry, query: query
    status = resp.status
    if status == 200
      build_token_hash resp.body, resp.headers["content-type"], resp.retrieval_monotonic_time
    elsif status == 404
      raise Signet::AuthorizationError, NO_METADATA_SERVER_ERROR
    else
      # 403 and 500 map to UnexpectedStatusError; every other status is
      # reported as an authorization failure with the same message text.
      error_class = [403, 500].include?(status) ? Signet::UnexpectedStatusError : Signet::AuthorizationError
      raise error_class, "Unexpected error code #{status} #{UNEXPECTED_ERROR_SUFFIX}"
    end
  rescue Google::Cloud::Env::MetadataServerNotResponding => e
    raise Signet::AuthorizationError, e.message
  end
end

Private Instance Methods

build_token_hash(body, content_type, retrieval_time)
# File lib/googleauth/compute_engine.rb, line 123
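# Turns a metadata server response into the token hash returned by
# fetch_access_token.
#
# The hash holds a bearer credential; keep it out of logs.
#
# @param body [String] the response body
# @param content_type [String] the response's content-type header value
# @param retrieval_time [Numeric] monotonic clock reading taken when the
#   response was retrieved
# @return [Hash] the token hash, with "universe_domain" added unless it
#   was overridden in the constructor, and "expires_in" adjusted when it
#   is numeric
def build_token_hash body, content_type, retrieval_time
  hash =
    if ["text/html", "application/text"].include? content_type
      # These content types are not parsed: the whole body is stored as
      # the token under the current token type's name.
      { token_type.to_s => body }
    else
      Signet::OAuth2.parse_credentials body, content_type
    end
  unless @universe_domain_overridden
    # Strip before the emptiness check so that a whitespace-only value
    # falls back to the default instead of being stored as "".
    universe_domain = Google::Cloud.env.lookup_metadata("universe", "universe_domain")&.strip
    universe_domain = "googleapis.com" if !universe_domain || universe_domain.empty?
    hash["universe_domain"] = universe_domain
  end
  # The response might have been cached, which means expires_in might be
  # stale. Update it based on the time since the data was retrieved.
  # We also ensure expires_in is conservative; subtracting at least 1
  # second to offset any skew from metadata server latency.
  if hash["expires_in"].is_a? Numeric
    offset = 1 + (Process.clock_gettime(Process::CLOCK_MONOTONIC) - retrieval_time).round
    hash["expires_in"] -= offset if offset.positive?
    # Never report a negative lifetime for an already-expired token.
    hash["expires_in"] = 0 if hash["expires_in"].negative?
  end
  hash
end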