Google_Auth_ComputeEngine

Authentication via built-in Compute Engine service accounts.

Defined (1)

The class is defined in the following location(s).

/includes/api-libs/Google/Auth/ComputeEngine.php  
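  /**
   * Authentication via the built-in Compute Engine service account.
   *
   * The access token is fetched from the instance metadata server and attached
   * to outgoing requests as a bearer credential. Whoever holds the token can act
   * as the instance's default service account until it expires, so the value
   * returned by getAccessToken() should be kept out of logs and error output.
   */
  class Google_Auth_ComputeEngine extends Google_Auth_Abstract
  {
      // Token endpoint of the metadata server. The request is plain HTTP by design.
      // NOTE(review): the short host name "metadata" depends on the instance's
      // resolver configuration; Google also documents the fully-qualified
      // metadata.google.internal. Confirm which one this deployment should use.
      const METADATA_AUTH_URL = 'http://metadata/computeMetadata/v1/instance/service-accounts/default/token';

      private $client;

      // Decoded token array (access_token, created, and whatever else the
      // metadata server returned), or null until a token has been set.
      private $token;

      /**
       * @param Google_Client $client Client that supplies the IO layer and logger.
       * @param mixed $config Accepted for signature compatibility; not read by this class.
       */
      public function __construct(Google_Client $client, $config = null)
      {
          $this->client = $client;
      }

      /**
       * Perform an authenticated / signed apiHttpRequest.
       *
       * The request is passed through sign(), which adds the bearer token, and is
       * then sent with the client's IO layer.
       *
       * @param Google_Http_Request $request
       * @return Google_Http_Request The resulting HTTP response including the
       * responseHttpCode, responseHeaders and responseBody.
       * @throws Google_Auth_Exception
       */
      public function authenticatedRequest(Google_Http_Request $request)
      {
          $signed = $this->sign($request);

          return $this->client->getIo()->makeRequest($signed);
      }

      /**
       * Store a JSON-encoded token after validating its shape.
       *
       * @param string $token JSON document containing at least "access_token".
       * @throws Google_Auth_Exception When the JSON cannot be decoded or carries
       * no usable access_token.
       */
      public function setAccessToken($token)
      {
          $token = json_decode($token, true);

          // The loose comparison is kept on purpose: besides a failed decode it
          // also rejects empty arrays and falsy scalars, as before.
          if ($token == null) {
              throw new Google_Auth_Exception('Could not json decode the token');
          }

          // access_token is later concatenated into the Authorization header, so
          // it has to be a non-empty string, not merely a present key.
          if (!is_array($token)
              || !isset($token['access_token'])
              || !is_string($token['access_token'])
              || $token['access_token'] === ''
          ) {
              throw new Google_Auth_Exception("Invalid token format");
          }

          // NOTE(review): "created" is always reset to now, so a token restored
          // from a cache looks freshly issued and may be sent after its real
          // expiry. Confirm whether callers persist and restore tokens.
          $token['created'] = time();
          $this->token = $token;
      }

      /**
       * @return string JSON encoding of the stored token ("null" when none is set).
       * The result contains the bearer credential; do not log it.
       */
      public function getAccessToken()
      {
          return json_encode($this->token);
      }

      /**
       * Acquires a new access token from the compute engine metadata server.
       *
       * @return string The JSON-encoded token, as returned by getAccessToken().
       * @throws Google_Auth_Exception When the metadata server does not answer
       * with HTTP 200 or the body is not a valid token.
       */
      public function acquireAccessToken()
      {
          $request = new Google_Http_Request(
              self::METADATA_AUTH_URL,
              'GET',
              array(
                  // Required by the metadata server; requests without it are
                  // refused, which keeps plain forwarded requests from reading
                  // instance credentials.
                  'Metadata-Flavor' => 'Google'
              )
          );
          $request->disableGzip();
          $response = $this->client->getIo()->makeRequest($request);

          if ($response->getResponseHttpCode() != 200) {
              // The response body is copied into the exception message verbatim;
              // callers should not echo this message to end users.
              throw new Google_Auth_Exception(
                  sprintf(
                      "Error fetching service account access token, message: '%s'",
                      $response->getResponseBody()
                  ),
                  $response->getResponseHttpCode()
              );
          }

          // setAccessToken() validates the body and stamps "created" itself.
          $this->setAccessToken($response->getResponseBody());

          return $this->getAccessToken();
      }

      /**
       * Include an accessToken in a given apiHttpRequest.
       *
       * The token is refreshed first when isAccessTokenExpired() reports it as
       * expired. This method does not inspect the request URL: the bearer header
       * is attached to whatever destination the caller built, so callers are
       * responsible for only signing requests to endpoints they trust.
       *
       * @param Google_Http_Request $request
       * @return Google_Http_Request
       * @throws Google_Auth_Exception
       */
      public function sign(Google_Http_Request $request)
      {
          if ($this->isAccessTokenExpired()) {
              $this->acquireAccessToken();
          }

          // The log line carries no token material; keep it that way.
          $this->client->getLogger()->debug('Compute engine service account authentication');

          $request->setRequestHeaders(
              array('Authorization' => 'Bearer ' . $this->token['access_token'])
          );

          return $request;
      }

      /**
       * Returns if the access_token is expired.
       *
       * @return bool Returns True if the access_token is expired, missing, or
       * lacks the fields needed to compute its lifetime.
       */
      public function isAccessTokenExpired()
      {
          if (!$this->token || !isset($this->token['created'])) {
              return true;
          }

          // setAccessToken() does not require expires_in, so it can be absent.
          // Treat that as expired instead of reading an undefined index.
          if (!isset($this->token['expires_in'])) {
              return true;
          }

          // Report expiry 30 seconds early so a token is not sent right as it lapses.
          $expiresAt = $this->token['created'] + ($this->token['expires_in'] - 30);

          return $expiresAt < time();
      }
  }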