1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
<?php
/*
* Copyright 2014 Google Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
if (!class_exists('Google_Client')) {
require_once dirname(__FILE__) . '/../autoload.php';
}
/**
* Authentication via built-in Compute Engine service accounts.
* The instance must be pre-configured with a service account
* and the appropriate scopes.
* @author Jonathan Parrott <jon.wayne.parrott@gmail.com>
*/
class Google_Auth_ComputeEngine extends Google_Auth_Abstract
{
const METADATA_AUTH_URL =
'http://metadata/computeMetadata/v1/instance/service-accounts/default/token';
private $client;
private $token;
public function __construct(Google_Client $client, $config = null)
{
$this->client = $client;
}
/**
* Perform an authenticated / signed apiHttpRequest.
* This function takes the apiHttpRequest, calls apiAuth->sign on it
* (which can modify the request in what ever way fits the auth mechanism)
* and then calls apiCurlIO::makeRequest on the signed request
*
* @param Google_Http_Request $request
* @return Google_Http_Request The resulting HTTP response including the
* responseHttpCode, responseHeaders and responseBody.
*/
public function authenticatedRequest(Google_Http_Request $request)
{
$request = $this->sign($request);
return $this->client->getIo()->makeRequest($request);
}
/**
* @param string $token
* @throws Google_Auth_Exception
*/
public function setAccessToken($token)
{
$token = json_decode($token, true);
if ($token == null) {
throw new Google_Auth_Exception('Could not json decode the token');
}
if (! isset($token['access_token'])) {
throw new Google_Auth_Exception("Invalid token format");
}
$token['created'] = time();
$this->token = $token;
}
public function getAccessToken()
{
return json_encode($this->token);
}
/**
* Acquires a new access token from the compute engine metadata server.
* @throws Google_Auth_Exception
*/
public function acquireAccessToken()
{
$request = new Google_Http_Request(
self::METADATA_AUTH_URL,
'GET',
array(
'Metadata-Flavor' => 'Google'
)
);
$request->disableGzip();
$response = $this->client->getIo()->makeRequest($request);
if ($response->getResponseHttpCode() == 200) {
$this->setAccessToken($response->getResponseBody());
$this->token['created'] = time();
return $this->getAccessToken();
} else {
throw new Google_Auth_Exception(
sprintf(
"Error fetching service account access token, message: '%s'",
$response->getResponseBody()
),
$response->getResponseHttpCode()
);
}
}
/**
* Include an accessToken in a given apiHttpRequest.
* @param Google_Http_Request $request
* @return Google_Http_Request
* @throws Google_Auth_Exception
*/
public function sign(Google_Http_Request $request)
{
if ($this->isAccessTokenExpired()) {
$this->acquireAccessToken();
}
$this->client->getLogger()->debug('Compute engine service account authentication');
$request->setRequestHeaders(
array('Authorization' => 'Bearer ' . $this->token['access_token'])
);
return $request;
}
/**
* Returns if the access_token is expired.
* @return bool Returns True if the access_token is expired.
*/
public function isAccessTokenExpired()
{
if (!$this->token || !isset($this->token['created'])) {
return true;
}
// If the token is set to expire in the next 30 seconds.
$expired = ($this->token['created']
+ ($this->token['expires_in'] - 30)) < time();
return $expired;
}
}