Class: Google::Auth::GCECredentials

Inherits:
Signet::OAuth2::Client
Defined in:
lib/googleauth/compute_engine.rb

Overview

Extends Signet::OAuth2::Client so that the auth token is obtained from the GCE metadata server.

Constant Summary

Constants included from BaseClient

BaseClient::AUTH_METADATA_KEY

Instance Attribute Summary

Attributes included from BaseClient

#logger

Class Method Summary

Instance Method Summary

Methods inherited from Signet::OAuth2::Client

#build_default_connection, #configure_connection, #fetch_access_token!, #generate_access_token_request, #googleauth_orig_generate_access_token_request, #orig_fetch_access_token!, #retry_with_error, #token_type, #update_signet_base, #update_token!, #update_token_signet_base

Methods included from BaseClient

#apply, #apply!, #expires_within?, #needs_access_token?, #notify_refresh_listeners, #on_refresh, #updater_proc

Constructor Details

#initialize(options = {}) ⇒ GCECredentials

Construct a GCECredentials



# File 'lib/googleauth/compute_engine.rb', line 87

def initialize options = {}
  # Override the constructor to remember whether the universe domain was
  # overridden by a constructor argument.
  @universe_domain_overridden = options["universe_domain"] || options[:universe_domain]
  # TODO: Remove when universe domain metadata endpoint is stable (see b/349488459).
  @disable_universe_domain_check = true
  super options
end

Class Method Details

.on_gce?(_options = {}, _reload = false) ⇒ Boolean

Detect if this appears to be a GCE instance by checking whether the metadata server is available. The parameters are deprecated and unused.

Returns:

  • (Boolean)


# File 'lib/googleauth/compute_engine.rb', line 72

def on_gce? _options = {}, _reload = false # rubocop:disable Style/OptionalBooleanParameter
  Google::Cloud.env.metadata?
end

.reset_cache ⇒ Object Also known as: unmemoize_all



# File 'lib/googleauth/compute_engine.rb', line 76

def reset_cache
  Google::Cloud.env.compute_metadata.reset_existence!
  Google::Cloud.env.compute_metadata.cache.expire_all!
end

Instance Method Details

#duplicate(options = {}) ⇒ Object

Creates a duplicate of these credentials without the Signet::OAuth2::Client-specific transient state (e.g. cached tokens)

Parameters:

  • options (Hash) (defaults to: {})

    Overrides for the credentials parameters. The following keys are recognized in addition to keys in the Signet::OAuth2::Client

    • :universe_domain_overridden Whether the universe domain was overridden during credentials creation


# File 'lib/googleauth/compute_engine.rb', line 105

def duplicate options = {}
  options = deep_hash_normalize options
  super(
    {
      universe_domain_overridden: @universe_domain_overridden
    }.merge(options)
  )
end

#fetch_access_token(_options = {}) ⇒ Object

Overrides the super class method to change how access tokens are fetched.



# File 'lib/googleauth/compute_engine.rb', line 129

def fetch_access_token _options = {}
  query, entry =
    if token_type == :id_token
      [{ "audience" => target_audience, "format" => "full" }, "service-accounts/default/identity"]
    else
      [{}, "service-accounts/default/token"]
    end
  query[:scopes] = Array(scope).join "," if scope
  begin
    log_fetch_query
    resp = Google::Cloud.env.lookup_metadata_response "instance", entry, query: query
    log_fetch_resp resp
    case resp.status
    when 200
      build_token_hash resp.body, resp.headers["content-type"], resp.retrieval_monotonic_time
    when 403, 500
      raise Signet::UnexpectedStatusError, "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
    when 404
      raise Signet::AuthorizationError, NO_METADATA_SERVER_ERROR
    else
      raise Signet::AuthorizationError, "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
    end
  rescue Google::Cloud::Env::MetadataServerNotResponding => e
    log_fetch_err e
    raise Signet::AuthorizationError, e.message
  end
end
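
Caller-side handling of the two error classes raised above, as an added example that is not googleauth's own code. `StubGCECredentials`, `fetch_with_bounded_retry` and the `Signet` error stand-ins are hypothetical, and retrying only the 403/500 class is an assumption of this example.

```ruby
# Stand-ins for Signet's error classes so the example runs without the gems.
module Signet
  class AuthorizationError < StandardError; end
  class UnexpectedStatusError < StandardError; end
end

# Hypothetical stub: replays constructed metadata-server statuses using the
# same status-to-error mapping as fetch_access_token above.
class StubGCECredentials
  attr_reader :calls

  def initialize statuses
    @statuses = statuses.dup
    @calls = 0
  end

  def fetch_access_token _options = {}
    @calls += 1
    status = @statuses.shift
    case status
    when 200
      { "access_token" => "constructed-token", "expires_in" => 3600 }
    when 403, 500
      raise Signet::UnexpectedStatusError, "Unexpected error code #{status}"
    else
      raise Signet::AuthorizationError, "Error code #{status}"
    end
  end
end

# Hypothetical helper: retry only the 403/500 class, with bounded exponential
# backoff. AuthorizationError (404, any other status, metadata server not
# responding) is not rescued here and propagates on the first failure.
def fetch_with_bounded_retry creds, max_attempts: 3, base_delay: 0.5, sleeper: Kernel.method(:sleep)
  attempt = 0
  begin
    attempt += 1
    creds.fetch_access_token
  rescue Signet::UnexpectedStatusError
    raise if attempt >= max_attempts
    sleeper.call base_delay * (2**(attempt - 1))
    retry
  end
end
```

The `sleeper` argument exists so the backoff can be observed or skipped in tests; the returned token hash should be kept out of logs.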

#update!(options = {}) ⇒ Google::Auth::GCECredentials

Destructively updates these credentials.

This method is called by Signet::OAuth2::Client's constructor.

Parameters:

  • options (Hash) (defaults to: {})

    Overrides for the credentials parameters. The following keys are recognized in addition to keys in the Signet::OAuth2::Client

    • :universe_domain_overridden Whether the universe domain was overridden during credentials creation

Returns:

  • (Google::Auth::GCECredentials)



# File 'lib/googleauth/compute_engine.rb', line 167

def update! options = {}
  # Normalize all keys to symbols to allow indifferent access.
  options = deep_hash_normalize options

  @universe_domain_overridden = options[:universe_domain_overridden] if options.key? :universe_domain_overridden

  super(options)

  self
end