From 98816f7b6728a6f68cba7c9ae40723e40639a1dd Mon Sep 17 00:00:00 2001
From: Tim Emiola <temiola@google.com>
Date: Thu, 23 Apr 2015 09:50:11 -0700
Subject: [PATCH] Adds more robust checking of the status code during compute
 engine auth.

Currently the implementation does not verify that a 200 response is received
before attempting to parse the JSON response.

This PR updates the behaviour to fail with an authorization error, similar to
how other auth library implementations.
---
 .rubocop_todo.yml                      |  8 +++---
 lib/googleauth/compute_engine.rb       | 20 +++++++++++++-
 spec/googleauth/compute_engine_spec.rb | 36 ++++++++++++++++++++++++++
 3 files changed, 59 insertions(+), 5 deletions(-)

diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
index 8c99036..919ad7d 100644
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -1,15 +1,15 @@
 # This configuration was generated by `rubocop --auto-gen-config`
-# on 2015-03-06 19:51:00 -0800 using RuboCop version 0.28.0.
+# on 2015-04-23 09:39:10 -0700 using RuboCop version 0.30.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-# Offense count: 3
+# Offense count: 4
 Metrics/AbcSize:
   Max: 24
 
-# Offense count: 3
+# Offense count: 6
 # Configuration parameters: CountComments.
 Metrics/MethodLength:
-  Max: 11
+  Max: 12
diff --git a/lib/googleauth/compute_engine.rb b/lib/googleauth/compute_engine.rb
index b820af1..358130a 100644
--- a/lib/googleauth/compute_engine.rb
+++ b/lib/googleauth/compute_engine.rb
@@ -35,13 +35,24 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
+    NO_METADATA_SERVER_ERROR = <<END
+Error code 404 trying to get security access token
+from Compute Engine metadata for the default service account. This
+may be because the virtual machine instance does not have permission
+scopes specified.
+END
+    UNEXPECTED_ERROR_SUFFIX = <<END
+trying to get security access token from Compute Engine metadata for
+the default service account
+END
+
     # Extends Signet::OAuth2::Client so that the auth token is obtained from
     # the GCE metadata server.
     class GCECredentials < Signet::OAuth2::Client
       # The IP Address is used in the URIs to speed up failures on non-GCE
       # systems.
       COMPUTE_AUTH_TOKEN_URI = 'http://169.254.169.254/computeMetadata/v1/'\
-                               'instance/service-accounts/default/token'
+      'instance/service-accounts/default/token'
       COMPUTE_CHECK_URI = 'http://169.254.169.254'
 
       class << self
@@ -78,6 +89,13 @@ module Google
         c = options[:connection] || Faraday.default_connection
         c.headers = { 'Metadata-Flavor' => 'Google' }
         resp = c.get(COMPUTE_AUTH_TOKEN_URI)
+        if resp.status == 404
+          fail(Signet::AuthorizationError, NO_METADATA_SERVER_ERROR)
+        end
+        if resp.status != 200
+          msg = "Unexpected error code #{resp.status}" + UNEXPECTED_ERROR_SUFFIX
+          fail(Signet::AuthorizationError, msg)
+        end
         Signet::OAuth2.parse_credentials(resp.body,
                                          resp.headers['content-type'])
       end
diff --git a/spec/googleauth/compute_engine_spec.rb b/spec/googleauth/compute_engine_spec.rb
index 95785cd..4666792 100644
--- a/spec/googleauth/compute_engine_spec.rb
+++ b/spec/googleauth/compute_engine_spec.rb
@@ -60,6 +60,42 @@ describe Google::Auth::GCECredentials do
 
   it_behaves_like 'apply/apply! are OK'
 
+  context 'metadata is unavailable' do
+    describe '#fetch_access_token' do
+      it 'should fail if the metadata request returns a 404' do
+        stubs = Faraday::Adapter::Test::Stubs.new do |stub|
+          stub.get(MD_URI) do |_env|
+            [404,
+             { 'Metadata-Flavor' => 'Google' },
+             '']
+          end
+        end
+        c = Faraday.new do |b|
+          b.adapter(:test, stubs)
+        end
+        blk = proc { @client.fetch_access_token!(connection: c) }
+        expect(&blk).to raise_error Signet::AuthorizationError
+        stubs.verify_stubbed_calls
+      end
+
+      it 'should fail if metadata the request returns an unexpected codes' do
+        stubs = Faraday::Adapter::Test::Stubs.new do |stub|
+          stub.get(MD_URI) do |_env|
+            [503,
+             { 'Metadata-Flavor' => 'Google' },
+             '']
+          end
+        end
+        c = Faraday.new do |b|
+          b.adapter(:test, stubs)
+        end
+        blk = proc { @client.fetch_access_token!(connection: c) }
+        expect(&blk).to raise_error Signet::AuthorizationError
+        stubs.verify_stubbed_calls
+      end
+    end
+  end
+
   describe '#on_gce?' do
     it 'should be true when Metadata-Flavor is Google' do
       stubs = Faraday::Adapter::Test::Stubs.new do |stub|