push($middleware); * * $client = new Client([ * 'handler' => $stack, * 'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/', * 'auth' => 'google_auth' * ]); * * $res = $client->get('myproject/taskqueues/myqueue'); */ class GCECredentials extends CredentialsLoader implements SignBlobInterface, ProjectIdProviderInterface, GetQuotaProjectInterface { // phpcs:disable const cacheKey = 'GOOGLE_AUTH_PHP_GCE'; // phpcs:enable /** * The metadata IP address on appengine instances. * * The IP is used instead of the domain 'metadata' to avoid slow responses * when not on Compute Engine. */ const METADATA_IP = '169.254.169.254'; /** * The metadata path of the default token. */ const TOKEN_URI_PATH = 'v1/instance/service-accounts/default/token'; /** * The metadata path of the default id token. */ const ID_TOKEN_URI_PATH = 'v1/instance/service-accounts/default/identity'; /** * The metadata path of the client ID. */ const CLIENT_ID_URI_PATH = 'v1/instance/service-accounts/default/email'; /** * The metadata path of the project ID. */ const PROJECT_ID_URI_PATH = 'v1/project/project-id'; /** * The header whose presence indicates GCE presence. */ const FLAVOR_HEADER = 'Metadata-Flavor'; /** * Note: the explicit `timeout` and `tries` below is a workaround. The underlying * issue is that resolving an unknown host on some networks will take * 20-30 seconds; making this timeout short fixes the issue, but * could lead to false negatives in the event that we are on GCE, but * the metadata resolution was particularly slow. The latter case is * "unlikely" since the expected 4-nines time is about 0.5 seconds. * This allows us to limit the total ping maximum timeout to 1.5 seconds * for developer desktop scenarios. */ const MAX_COMPUTE_PING_TRIES = 3; const COMPUTE_PING_CONNECTION_TIMEOUT_S = 0.5; /** * Flag used to ensure that the onGCE test is only done once;. * * @var bool */ private $hasCheckedOnGce = false; /** * Flag that stores the value of the onGCE check. * * @var bool */ private $isOnGce = false; /** * Result of fetchAuthToken. */ protected $lastReceivedToken; /** * @var string|null */ private $clientName; /** * @var string|null */ private $projectId; /** * @var Iam|null */ private $iam; /** * @var string */ private $tokenUri; /** * @var string */ private $targetAudience; /** * @var string|null */ private $quotaProject; /** * @param Iam $iam [optional] An IAM instance. * @param string|array $scope [optional] the scope of the access request, * expressed either as an array or as a space-delimited string. * @param string $targetAudience [optional] The audience for the ID token. * @param string $quotaProject [optional] Specifies a project to bill for access * charges associated with the request. */ public function __construct(Iam $iam = null, $scope = null, $targetAudience = null, $quotaProject = null) { $this->iam = $iam; if ($scope && $targetAudience) { throw new InvalidArgumentException( 'Scope and targetAudience cannot both be supplied' ); } $tokenUri = self::getTokenUri(); if ($scope) { if (is_string($scope)) { $scope = explode(' ', $scope); } $scope = implode(',', $scope); $tokenUri = $tokenUri . '?scopes='. $scope; } elseif ($targetAudience) { $tokenUri = sprintf( 'http://%s/computeMetadata/%s?audience=%s', self::METADATA_IP, self::ID_TOKEN_URI_PATH, $targetAudience ); $this->targetAudience = $targetAudience; } $this->tokenUri = $tokenUri; $this->quotaProject = $quotaProject; } /** * The full uri for accessing the default token. * * @return string */ public static function getTokenUri() { $base = 'http://' . self::METADATA_IP . '/computeMetadata/'; return $base . self::TOKEN_URI_PATH; } /** * The full uri for accessing the default service account. * * @return string */ public static function getClientNameUri() { $base = 'http://' . self::METADATA_IP . '/computeMetadata/'; return $base . self::CLIENT_ID_URI_PATH; } /** * The full uri for accessing the default project ID. * * @return string */ private static function getProjectIdUri() { $base = 'http://' . self::METADATA_IP . '/computeMetadata/'; return $base . self::PROJECT_ID_URI_PATH; } /** * Determines if this an App Engine Flexible instance, by accessing the * GAE_INSTANCE environment variable. * * @return bool true if this an App Engine Flexible Instance, false otherwise */ public static function onAppEngineFlexible() { return substr(getenv('GAE_INSTANCE'), 0, 4) === 'aef-'; } /** * Determines if this a GCE instance, by accessing the expected metadata * host. * If $httpHandler is not specified a the default HttpHandler is used. * * @param callable $httpHandler callback which delivers psr7 request * @return bool True if this a GCEInstance, false otherwise */ public static function onGce(callable $httpHandler = null) { $httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); $checkUri = 'http://' . self::METADATA_IP; for ($i = 1; $i <= self::MAX_COMPUTE_PING_TRIES; $i++) { try { // Comment from: oauth2client/client.py // // Note: the explicit `timeout` below is a workaround. The underlying // issue is that resolving an unknown host on some networks will take // 20-30 seconds; making this timeout short fixes the issue, but // could lead to false negatives in the event that we are on GCE, but // the metadata resolution was particularly slow. The latter case is // "unlikely". $resp = $httpHandler( new Request( 'GET', $checkUri, [self::FLAVOR_HEADER => 'Google'] ), ['timeout' => self::COMPUTE_PING_CONNECTION_TIMEOUT_S] ); return $resp->getHeaderLine(self::FLAVOR_HEADER) == 'Google'; } catch (ClientException $e) { } catch (ServerException $e) { } catch (RequestException $e) { } catch (ConnectException $e) { } } return false; } /** * Implements FetchAuthTokenInterface#fetchAuthToken. * * Fetches the auth tokens from the GCE metadata host if it is available. * If $httpHandler is not specified a the default HttpHandler is used. * * @param callable $httpHandler callback which delivers psr7 request * * @return array A set of auth related metadata, based on the token type. * * Access tokens have the following keys: * - access_token (string) * - expires_in (int) * - token_type (string) * ID tokens have the following keys: * - id_token (string) * * @throws \Exception */ public function fetchAuthToken(callable $httpHandler = null) { $httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); if (!$this->hasCheckedOnGce) { $this->isOnGce = self::onGce($httpHandler); $this->hasCheckedOnGce = true; } if (!$this->isOnGce) { return array(); // return an empty array with no access token } $response = $this->getFromMetadata($httpHandler, $this->tokenUri); if ($this->targetAudience) { return ['id_token' => $response]; } if (null === $json = json_decode($response, true)) { throw new \Exception('Invalid JSON response'); } // store this so we can retrieve it later $this->lastReceivedToken = $json; $this->lastReceivedToken['expires_at'] = time() + $json['expires_in']; return $json; } /** * @return string */ public function getCacheKey() { return self::cacheKey; } /** * @return array|null */ public function getLastReceivedToken() { if ($this->lastReceivedToken) { return [ 'access_token' => $this->lastReceivedToken['access_token'], 'expires_at' => $this->lastReceivedToken['expires_at'], ]; } return null; } /** * Get the client name from GCE metadata. * * Subsequent calls will return a cached value. * * @param callable $httpHandler callback which delivers psr7 request * @return string */ public function getClientName(callable $httpHandler = null) { if ($this->clientName) { return $this->clientName; } $httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); if (!$this->hasCheckedOnGce) { $this->isOnGce = self::onGce($httpHandler); $this->hasCheckedOnGce = true; } if (!$this->isOnGce) { return ''; } $this->clientName = $this->getFromMetadata($httpHandler, self::getClientNameUri()); return $this->clientName; } /** * Sign a string using the default service account private key. * * This implementation uses IAM's signBlob API. * * @see https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/signBlob SignBlob * * @param string $stringToSign The string to sign. * @param bool $forceOpenSsl [optional] Does not apply to this credentials * type. * @return string */ public function signBlob($stringToSign, $forceOpenSsl = false) { $httpHandler = HttpHandlerFactory::build(HttpClientCache::getHttpClient()); // Providing a signer is useful for testing, but it's undocumented // because it's not something a user would generally need to do. $signer = $this->iam ?: new Iam($httpHandler); $email = $this->getClientName($httpHandler); $previousToken = $this->getLastReceivedToken(); $accessToken = $previousToken ? $previousToken['access_token'] : $this->fetchAuthToken($httpHandler)['access_token']; return $signer->signBlob($email, $accessToken, $stringToSign); } /** * Fetch the default Project ID from compute engine. * * Returns null if called outside GCE. * * @param callable $httpHandler Callback which delivers psr7 request * @return string|null */ public function getProjectId(callable $httpHandler = null) { if ($this->projectId) { return $this->projectId; } $httpHandler = $httpHandler ?: HttpHandlerFactory::build(HttpClientCache::getHttpClient()); if (!$this->hasCheckedOnGce) { $this->isOnGce = self::onGce($httpHandler); $this->hasCheckedOnGce = true; } if (!$this->isOnGce) { return null; } $this->projectId = $this->getFromMetadata($httpHandler, self::getProjectIdUri()); return $this->projectId; } /** * Fetch the value of a GCE metadata server URI. * * @param callable $httpHandler An HTTP Handler to deliver PSR7 requests. * @param string $uri The metadata URI. * @return string */ private function getFromMetadata(callable $httpHandler, $uri) { $resp = $httpHandler( new Request( 'GET', $uri, [self::FLAVOR_HEADER => 'Google'] ) ); return (string) $resp->getBody(); } /** * Get the quota project used for this API request * * @return string|null */ public function getQuotaProject() { return $this->quotaProject; } }