-
Notifications
You must be signed in to change notification settings - Fork 382
/
computeclient.ts
139 lines (128 loc) Β· 4.54 KB
/
computeclient.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
// Copyright 2013 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
import {GaxiosError} from 'gaxios';
import * as gcpMetadata from 'gcp-metadata';
import {CredentialRequest, Credentials} from './credentials';
import {GetTokenResponse, OAuth2Client, RefreshOptions} from './oauth2client';
export interface ComputeOptions extends RefreshOptions {
/**
* The service account email to use, or 'default'. A Compute Engine instance
* may have multiple service accounts.
*/
serviceAccountEmail?: string;
/**
* The scopes that will be requested when acquiring service account
* credentials. Only applicable to modern App Engine and Cloud Function
* runtimes as of March 2019.
*/
scopes?: string | string[];
}
export class Compute extends OAuth2Client {
readonly serviceAccountEmail: string;
scopes: string[];
/**
* Google Compute Engine service account credentials.
*
* Retrieve access token from the metadata server.
* See: https://developers.google.com/compute/docs/authentication
*/
constructor(options: ComputeOptions = {}) {
super(options);
// Start with an expired refresh token, which will automatically be
// refreshed before the first API call is made.
this.credentials = {expiry_date: 1, refresh_token: 'compute-placeholder'};
this.serviceAccountEmail = options.serviceAccountEmail || 'default';
this.scopes = Array.isArray(options.scopes)
? options.scopes
: options.scopes
? [options.scopes]
: [];
}
/**
* Refreshes the access token.
* @param refreshToken Unused parameter
*/
protected async refreshTokenNoCache(
// eslint-disable-next-line @typescript-eslint/no-unused-vars
refreshToken?: string | null
): Promise<GetTokenResponse> {
const tokenPath = `service-accounts/${this.serviceAccountEmail}/token`;
let data: CredentialRequest;
try {
const instanceOptions: gcpMetadata.Options = {
property: tokenPath,
};
if (this.scopes.length > 0) {
instanceOptions.params = {
scopes: this.scopes.join(','),
};
}
data = await gcpMetadata.instance(instanceOptions);
} catch (e) {
if (e instanceof GaxiosError) {
e.message = `Could not refresh access token: ${e.message}`;
this.wrapError(e);
}
throw e;
}
const tokens = data as Credentials;
if (data && data.expires_in) {
tokens.expiry_date = new Date().getTime() + data.expires_in * 1000;
delete (tokens as CredentialRequest).expires_in;
}
this.emit('tokens', tokens);
return {tokens, res: null};
}
/**
* Fetches an ID token.
* @param targetAudience the audience for the fetched ID token.
*/
async fetchIdToken(targetAudience: string): Promise<string> {
const idTokenPath =
`service-accounts/${this.serviceAccountEmail}/identity` +
`?format=full&audience=${targetAudience}`;
let idToken: string;
try {
const instanceOptions: gcpMetadata.Options = {
property: idTokenPath,
};
idToken = await gcpMetadata.instance(instanceOptions);
} catch (e) {
if (e instanceof Error) {
e.message = `Could not fetch ID token: ${e.message}`;
}
throw e;
}
return idToken;
}
protected wrapError(e: GaxiosError) {
const res = e.response;
if (res && res.status) {
e.status = res.status;
if (res.status === 403) {
e.message =
'A Forbidden error was returned while attempting to retrieve an access ' +
'token for the Compute Engine built-in service account. This may be because the Compute ' +
'Engine instance does not have the correct permission scopes specified: ' +
e.message;
} else if (res.status === 404) {
e.message =
'A Not Found error was returned while attempting to retrieve an access' +
'token for the Compute Engine built-in service account. This may be because the Compute ' +
'Engine instance does not have any permission scopes specified: ' +
e.message;
}
}
}
}