You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

147 lines
4.1 KiB

<?php
/*
* Copyright 2014 Google Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
if (!class_exists('Google_Client')) {
require_once dirname(__FILE__) . '/../autoload.php';
}
/**
* Authentication via built-in Compute Engine service accounts.
* The instance must be pre-configured with a service account
* and the appropriate scopes.
* @author Jonathan Parrott <jon.wayne.parrott@gmail.com>
*/
class Google_Auth_ComputeEngine extends Google_Auth_Abstract
{
const METADATA_AUTH_URL =
'http://metadata/computeMetadata/v1/instance/service-accounts/default/token';
private $client;
private $token;
public function __construct(Google_Client $client, $config = null)
{
$this->client = $client;
}
/**
* Perform an authenticated / signed apiHttpRequest.
* This function takes the apiHttpRequest, calls apiAuth->sign on it
* (which can modify the request in what ever way fits the auth mechanism)
* and then calls apiCurlIO::makeRequest on the signed request
*
* @param Google_Http_Request $request
* @return Google_Http_Request The resulting HTTP response including the
* responseHttpCode, responseHeaders and responseBody.
*/
public function authenticatedRequest(Google_Http_Request $request)
{
$request = $this->sign($request);
return $this->client->getIo()->makeRequest($request);
}
/**
* @param string $token
* @throws Google_Auth_Exception
*/
public function setAccessToken($token)
{
$token = json_decode($token, true);
if ($token == null) {
throw new Google_Auth_Exception('Could not json decode the token');
}
if (! isset($token['access_token'])) {
throw new Google_Auth_Exception("Invalid token format");
}
$token['created'] = time();
$this->token = $token;
}
public function getAccessToken()
{
return json_encode($this->token);
}
/**
* Acquires a new access token from the compute engine metadata server.
* @throws Google_Auth_Exception
*/
public function acquireAccessToken()
{
$request = new Google_Http_Request(
self::METADATA_AUTH_URL,
'GET',
array(
'Metadata-Flavor' => 'Google'
)
);
$request->disableGzip();
$response = $this->client->getIo()->makeRequest($request);
if ($response->getResponseHttpCode() == 200) {
$this->setAccessToken($response->getResponseBody());
$this->token['created'] = time();
return $this->getAccessToken();
} else {
throw new Google_Auth_Exception(
sprintf(
"Error fetching service account access token, message: '%s'",
$response->getResponseBody()
),
$response->getResponseHttpCode()
);
}
}
/**
* Include an accessToken in a given apiHttpRequest.
* @param Google_Http_Request $request
* @return Google_Http_Request
* @throws Google_Auth_Exception
*/
public function sign(Google_Http_Request $request)
{
if ($this->isAccessTokenExpired()) {
$this->acquireAccessToken();
}
$this->client->getLogger()->debug('Compute engine service account authentication');
$request->setRequestHeaders(
array('Authorization' => 'Bearer ' . $this->token['access_token'])
);
return $request;
}
/**
* Returns if the access_token is expired.
* @return bool Returns True if the access_token is expired.
*/
public function isAccessTokenExpired()
{
if (!$this->token || !isset($this->token['created'])) {
return true;
}
// If the token is set to expire in the next 30 seconds.
$expired = ($this->token['created']
+ ($this->token['expires_in'] - 30)) < time();
return $expired;
}
}