You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
147 lines
4.1 KiB
147 lines
4.1 KiB
<?php
|
|
/*
|
|
* Copyright 2014 Google Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
if (!class_exists('Google_Client')) {
|
|
require_once dirname(__FILE__) . '/../autoload.php';
|
|
}
|
|
|
|
/**
|
|
* Authentication via built-in Compute Engine service accounts.
|
|
* The instance must be pre-configured with a service account
|
|
* and the appropriate scopes.
|
|
* @author Jonathan Parrott <jon.wayne.parrott@gmail.com>
|
|
*/
|
|
class Google_Auth_ComputeEngine extends Google_Auth_Abstract
|
|
{
|
|
const METADATA_AUTH_URL =
|
|
'http://metadata/computeMetadata/v1/instance/service-accounts/default/token';
|
|
private $client;
|
|
private $token;
|
|
|
|
public function __construct(Google_Client $client, $config = null)
|
|
{
|
|
$this->client = $client;
|
|
}
|
|
|
|
/**
|
|
* Perform an authenticated / signed apiHttpRequest.
|
|
* This function takes the apiHttpRequest, calls apiAuth->sign on it
|
|
* (which can modify the request in what ever way fits the auth mechanism)
|
|
* and then calls apiCurlIO::makeRequest on the signed request
|
|
*
|
|
* @param Google_Http_Request $request
|
|
* @return Google_Http_Request The resulting HTTP response including the
|
|
* responseHttpCode, responseHeaders and responseBody.
|
|
*/
|
|
public function authenticatedRequest(Google_Http_Request $request)
|
|
{
|
|
$request = $this->sign($request);
|
|
return $this->client->getIo()->makeRequest($request);
|
|
}
|
|
|
|
/**
|
|
* @param string $token
|
|
* @throws Google_Auth_Exception
|
|
*/
|
|
public function setAccessToken($token)
|
|
{
|
|
$token = json_decode($token, true);
|
|
if ($token == null) {
|
|
throw new Google_Auth_Exception('Could not json decode the token');
|
|
}
|
|
if (! isset($token['access_token'])) {
|
|
throw new Google_Auth_Exception("Invalid token format");
|
|
}
|
|
$token['created'] = time();
|
|
$this->token = $token;
|
|
}
|
|
|
|
public function getAccessToken()
|
|
{
|
|
return json_encode($this->token);
|
|
}
|
|
|
|
/**
|
|
* Acquires a new access token from the compute engine metadata server.
|
|
* @throws Google_Auth_Exception
|
|
*/
|
|
public function acquireAccessToken()
|
|
{
|
|
$request = new Google_Http_Request(
|
|
self::METADATA_AUTH_URL,
|
|
'GET',
|
|
array(
|
|
'Metadata-Flavor' => 'Google'
|
|
)
|
|
);
|
|
$request->disableGzip();
|
|
$response = $this->client->getIo()->makeRequest($request);
|
|
|
|
if ($response->getResponseHttpCode() == 200) {
|
|
$this->setAccessToken($response->getResponseBody());
|
|
$this->token['created'] = time();
|
|
return $this->getAccessToken();
|
|
} else {
|
|
throw new Google_Auth_Exception(
|
|
sprintf(
|
|
"Error fetching service account access token, message: '%s'",
|
|
$response->getResponseBody()
|
|
),
|
|
$response->getResponseHttpCode()
|
|
);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Include an accessToken in a given apiHttpRequest.
|
|
* @param Google_Http_Request $request
|
|
* @return Google_Http_Request
|
|
* @throws Google_Auth_Exception
|
|
*/
|
|
public function sign(Google_Http_Request $request)
|
|
{
|
|
if ($this->isAccessTokenExpired()) {
|
|
$this->acquireAccessToken();
|
|
}
|
|
|
|
$this->client->getLogger()->debug('Compute engine service account authentication');
|
|
|
|
$request->setRequestHeaders(
|
|
array('Authorization' => 'Bearer ' . $this->token['access_token'])
|
|
);
|
|
|
|
return $request;
|
|
}
|
|
|
|
/**
|
|
* Returns if the access_token is expired.
|
|
* @return bool Returns True if the access_token is expired.
|
|
*/
|
|
public function isAccessTokenExpired()
|
|
{
|
|
if (!$this->token || !isset($this->token['created'])) {
|
|
return true;
|
|
}
|
|
|
|
// If the token is set to expire in the next 30 seconds.
|
|
$expired = ($this->token['created']
|
|
+ ($this->token['expires_in'] - 30)) < time();
|
|
|
|
return $expired;
|
|
}
|
|
}
|