2015-02-12 03:23:34 +00:00
|
|
|
# Copyright 2015, Google Inc.
|
|
|
|
# All rights reserved.
|
|
|
|
#
|
|
|
|
# Redistribution and use in source and binary forms, with or without
|
|
|
|
# modification, are permitted provided that the following conditions are
|
|
|
|
# met:
|
|
|
|
#
|
|
|
|
# * Redistributions of source code must retain the above copyright
|
|
|
|
# notice, this list of conditions and the following disclaimer.
|
|
|
|
# * Redistributions in binary form must reproduce the above
|
|
|
|
# copyright notice, this list of conditions and the following disclaimer
|
|
|
|
# in the documentation and/or other materials provided with the
|
|
|
|
# distribution.
|
|
|
|
# * Neither the name of Google Inc. nor the names of its
|
|
|
|
# contributors may be used to endorse or promote products derived from
|
|
|
|
# this software without specific prior written permission.
|
|
|
|
#
|
|
|
|
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
|
|
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
|
|
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
|
|
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
|
|
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
|
|
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
|
|
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
|
|
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
|
|
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
|
|
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
|
2019-02-27 16:06:41 +00:00
|
|
|
require "faraday"
|
|
|
|
require "googleauth/signet"
|
|
|
|
require "memoist"
|
2015-02-12 03:23:34 +00:00
|
|
|
|
|
|
|
module Google
|
|
|
|
# Module Auth provides classes that provide Google-specific authorization
|
|
|
|
# used to access Google APIs.
|
|
|
|
module Auth
|
2019-03-15 19:34:54 +00:00
|
|
|
NO_METADATA_SERVER_ERROR = <<~ERROR.freeze
|
|
|
|
Error code 404 trying to get security access token
|
|
|
|
from Compute Engine metadata for the default service account. This
|
|
|
|
may be because the virtual machine instance does not have permission
|
|
|
|
scopes specified.
|
|
|
|
ERROR
|
|
|
|
UNEXPECTED_ERROR_SUFFIX = <<~ERROR.freeze
|
|
|
|
trying to get security access token from Compute Engine metadata for
|
|
|
|
the default service account
|
|
|
|
ERROR
|
2015-04-23 16:50:11 +00:00
|
|
|
|
2015-02-12 03:23:34 +00:00
|
|
|
# Extends Signet::OAuth2::Client so that the auth token is obtained from
|
|
|
|
# the GCE metadata server.
|
|
|
|
class GCECredentials < Signet::OAuth2::Client
|
|
|
|
# The IP Address is used in the URIs to speed up failures on non-GCE
|
|
|
|
# systems.
|
2020-10-09 16:32:26 +00:00
|
|
|
DEFAULT_METADATA_HOST = "169.254.169.254".freeze
|
|
|
|
|
|
|
|
# @private Unused and deprecated
|
2020-04-08 00:19:29 +00:00
|
|
|
COMPUTE_AUTH_TOKEN_URI =
|
|
|
|
"http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze
|
2020-10-09 16:32:26 +00:00
|
|
|
# @private Unused and deprecated
|
2020-04-08 00:19:29 +00:00
|
|
|
COMPUTE_ID_TOKEN_URI =
|
|
|
|
"http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity".freeze
|
2020-10-09 16:32:26 +00:00
|
|
|
# @private Unused and deprecated
|
2019-02-27 16:06:41 +00:00
|
|
|
COMPUTE_CHECK_URI = "http://169.254.169.254".freeze
|
2015-02-12 03:23:34 +00:00
|
|
|
|
2015-02-12 04:52:47 +00:00
|
|
|
class << self
|
|
|
|
extend Memoist
|
2015-02-13 00:58:48 +00:00
|
|
|
|
2020-10-09 16:32:26 +00:00
|
|
|
def metadata_host
|
|
|
|
ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST
|
|
|
|
end
|
|
|
|
|
|
|
|
def compute_check_uri
|
|
|
|
"http://#{metadata_host}".freeze
|
|
|
|
end
|
|
|
|
|
|
|
|
def compute_auth_token_uri
|
|
|
|
"#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/token".freeze
|
|
|
|
end
|
|
|
|
|
|
|
|
def compute_id_token_uri
|
|
|
|
"#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/identity".freeze
|
|
|
|
end
|
|
|
|
|
2015-02-12 04:52:47 +00:00
|
|
|
# Detect if this appear to be a GCE instance, by checking if metadata
|
2019-10-08 18:33:03 +00:00
|
|
|
# is available.
|
2019-03-15 19:34:54 +00:00
|
|
|
def on_gce? options = {}
|
2019-10-08 18:33:03 +00:00
|
|
|
# TODO: This should use google-cloud-env instead.
|
2015-02-12 04:52:47 +00:00
|
|
|
c = options[:connection] || Faraday.default_connection
|
2019-08-13 17:28:08 +00:00
|
|
|
headers = { "Metadata-Flavor" => "Google" }
|
2020-10-09 16:32:26 +00:00
|
|
|
resp = c.get compute_check_uri, nil, headers do |req|
|
2019-10-08 18:33:03 +00:00
|
|
|
req.options.timeout = 1.0
|
|
|
|
req.options.open_timeout = 0.1
|
2015-02-12 05:03:37 +00:00
|
|
|
end
|
2015-02-12 04:52:47 +00:00
|
|
|
return false unless resp.status == 200
|
2019-03-15 19:34:54 +00:00
|
|
|
resp.headers["Metadata-Flavor"] == "Google"
|
2015-02-13 00:58:48 +00:00
|
|
|
rescue Faraday::TimeoutError, Faraday::ConnectionFailed
|
2019-03-15 19:34:54 +00:00
|
|
|
false
|
2015-02-12 04:52:47 +00:00
|
|
|
end
|
2015-02-13 00:58:48 +00:00
|
|
|
|
2015-02-12 04:52:47 +00:00
|
|
|
memoize :on_gce?
|
2015-02-12 03:23:34 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# Overrides the super class method to change how access tokens are
|
|
|
|
# fetched.
|
2019-03-15 19:34:54 +00:00
|
|
|
def fetch_access_token options = {}
|
2015-02-12 03:23:34 +00:00
|
|
|
c = options[:connection] || Faraday.default_connection
|
2017-02-25 12:45:07 +00:00
|
|
|
retry_with_error do
|
2020-10-09 16:32:26 +00:00
|
|
|
uri = target_audience ? GCECredentials.compute_id_token_uri : GCECredentials.compute_auth_token_uri
|
2020-07-08 15:13:38 +00:00
|
|
|
query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
|
|
|
|
query[:scopes] = Array(scope).join " " if scope
|
2019-02-27 16:06:41 +00:00
|
|
|
headers = { "Metadata-Flavor" => "Google" }
|
2020-04-08 00:19:29 +00:00
|
|
|
resp = c.get uri, query, headers
|
2017-02-25 12:45:07 +00:00
|
|
|
case resp.status
|
|
|
|
when 200
|
2020-04-08 00:19:29 +00:00
|
|
|
content_type = resp.headers["content-type"]
|
|
|
|
if content_type == "text/html"
|
|
|
|
{ (target_audience ? "id_token" : "access_token") => resp.body }
|
|
|
|
else
|
|
|
|
Signet::OAuth2.parse_credentials resp.body, content_type
|
|
|
|
end
|
2017-02-25 12:45:07 +00:00
|
|
|
when 404
|
2019-03-15 19:34:54 +00:00
|
|
|
raise Signet::AuthorizationError, NO_METADATA_SERVER_ERROR
|
2017-02-25 12:45:07 +00:00
|
|
|
else
|
2017-07-13 23:04:35 +00:00
|
|
|
msg = "Unexpected error code #{resp.status}" \
|
|
|
|
"#{UNEXPECTED_ERROR_SUFFIX}"
|
2019-03-15 19:34:54 +00:00
|
|
|
raise Signet::AuthorizationError, msg
|
2017-02-25 12:45:07 +00:00
|
|
|
end
|
2015-04-23 16:50:11 +00:00
|
|
|
end
|
2015-02-12 03:23:34 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|