googleauth 0.5.1 → 0.11.0

data/Gemfile

@@ -1,24 +1,27 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
 # Specify your gem's dependencies in googleauth.gemspec
 gemspec
 
 group :development do
-  gem 'bundler', '~> 1.9'
-  gem 'simplecov', '~> 0.9'
-  gem 'coveralls', '~> 0.7'
-  gem 'fakefs', '~> 0.6'
-  gem 'rake', '~> 10.0'
-  gem 'rubocop', '~> 0.30'
-  gem 'rspec', '~> 3.0'
-  gem 'redis', '~> 3.2'
-  gem 'fakeredis', '~> 0.5'
-  gem 'webmock', '~> 1.21'
-  gem 'rack-test', '~> 0.6'
-  gem 'sinatra'
+  gem "bundler", ">= 1.9"
+  gem "coveralls", "~> 0.7"
+  gem "fakefs", "~> 0.6"
+  gem "fakeredis", "~> 0.5"
+  gem "google-style", "~> 1.24.0"
+  gem "logging", "~> 2.0"
+  gem "rack-test", "~> 0.6"
+  gem "rake", "~> 10.0"
+  gem "redis", "~> 3.2"
+  gem "rspec", "~> 3.0"
+  gem "simplecov", "~> 0.9"
+  gem "sinatra"
+  gem "webmock", "~> 1.21"
 end
 
 platforms :jruby do
   group :development do
   end
 end
+
+gem "gems", "~> 1.2"

data/README.md

@@ -1,16 +1,13 @@
 # Google Auth Library for Ruby
 
 <dl>
-  <dt>Homepage</dt><dd><a href="http://www.github.com/google/google-auth-library-ruby">http://www.github.com/google/google-auth-library-ruby</a></dd>
+  <dt>Homepage</dt><dd><a href="http://www.github.com/googleapis/google-auth-library-ruby">http://www.github.com/googleapis/google-auth-library-ruby</a></dd>
   <dt>Authors</dt><dd><a href="mailto:temiola@google.com">Tim Emiola</a></dd>
   <dt>Copyright</dt><dd>Copyright © 2015 Google, Inc.</dd>
   <dt>License</dt><dd>Apache 2.0</dd>
 </dl>
 
 [![Gem Version](https://badge.fury.io/rb/googleauth.svg)](http://badge.fury.io/rb/googleauth)
-[![Build Status](https://secure.travis-ci.org/google/google-auth-library-ruby.png)](http://travis-ci.org/google/google-auth-library-ruby)
-[![Coverage Status](https://coveralls.io/repos/google/google-auth-library-ruby/badge.png)](https://coveralls.io/r/google/google-auth-library-ruby)
-[![Dependency Status](https://gemnasium.com/google/google-auth-library-ruby.png)](https://gemnasium.com/google/google-auth-library-ruby)
 
 ## Description
 
@@ -70,7 +67,7 @@ a generic authorizer useful for command line apps or custom integrations as
 well as a web variant tailored toward Rack-based applications.
 
 The authorizers are intended for authorization use cases. For sign-on,
-see [Google Idenity Platform](https://developers.google.com/identity/)
+see [Google Identity Platform](https://developers.google.com/identity/)
 
 ### Example (Web)
 
@@ -92,7 +89,7 @@ get('/authorize') do
   user_id = request.session['user_id']
   credentials = authorizer.get_credentials(user_id, request)
   if credentials.nil?
-    redirect authorizer.get_authorization_url(user_id: user_id, request: request)
+    redirect authorizer.get_authorization_url(login_hint: user_id, request: request)
   end
   # Credentials are valid, can call APIs
   # ...
@@ -111,6 +108,8 @@ end
 require 'googleauth'
 require 'googleauth/stores/file_token_store'
 
+OOB_URI = 'urn:ietf:wg:oauth:2.0:oob'
+
 scope = 'https://www.googleapis.com/auth/drive'
 client_id = Google::Auth::ClientId.from_file('/path/to/client_secrets.json')
 token_store = Google::Auth::Stores::FileTokenStore.new(
@@ -119,7 +118,7 @@ authorizer = Google::Auth::UserAuthorizer.new(client_id, scope, token_store)
 
 credentials = authorizer.get_credentials(user_id)
 if credentials.nil?
-  url = authorizer.get_authorization_url(base_url: 'urn:ietf:wg:oauth:2.0:oob')
+  url = authorizer.get_authorization_url(base_url: OOB_URI )
   puts "Open #{url} in your browser and enter the resulting code:"
   code = gets
   credentials = authorizer.get_and_store_credentials_from_code(
@@ -129,6 +128,47 @@ end
 # OK to use credentials
 ```
 
+### Example (Service Account)
+
+```ruby
+scope = 'https://www.googleapis.com/auth/androidpublisher'
+
+authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
+  json_key_io: File.open('/path/to/service_account_json_key.json'),
+  scope: scope)
+
+authorizer.fetch_access_token!
+```
+
+### Example (Environment Variables)
+
+```bash
+export GOOGLE_ACCOUNT_TYPE=service_account
+export GOOGLE_CLIENT_ID=000000000000000000000
+export GOOGLE_CLIENT_EMAIL=xxxx@xxxx.iam.gserviceaccount.com
+export GOOGLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
+```
+
+```ruby
+require 'googleauth'
+require 'google/apis/drive_v3'
+
+Drive = ::Google::Apis::DriveV3
+drive = Drive::DriveService.new
+
+# Auths with ENV vars:
+# "GOOGLE_CLIENT_ID",
+# "GOOGLE_CLIENT_EMAIL",
+# "GOOGLE_ACCOUNT_TYPE", 
+# "GOOGLE_PRIVATE_KEY"
+auth = ::Google::Auth::ServiceAccountCredentials
+  .make_creds(scope: 'https://www.googleapis.com/auth/drive')
+drive.authorization = auth
+
+list_files = drive.list_files()
+
+```
+
 ### Storage
 
 Authorizers require a storage instance to manage long term persistence of
@@ -138,15 +178,16 @@ access and refresh tokens. Two storage implementations are included:
 *   Google::Auth::Stores::RedisTokenStore
 
 Custom storage implementations can also be used. See
-[token_store.rb](lib/googleauth/token_store.rb) for additional details.
+[token_store.rb](https://googleapis.dev/ruby/googleauth/latest/Google/Auth/TokenStore.html) for additional details.
+
+## Supported Ruby Versions
 
-## What about auth in google-apis-ruby-client?
+This library requires Ruby 2.4 or later.
 
-The goal is for all auth done by
-[google-apis-ruby-client][google-apis-ruby-client] to be performed by this
-library. I.e, eventually google-apis-ruby-client will just take a dependency
-on this library.  This update is a work in progress, but should be completed
-by Q2 2015.
+In general, this library supports Ruby versions that are considered current and
+supported by Ruby Core (that is, Ruby versions that are either in normal
+maintenance or in security maintenance).
+See https://www.ruby-lang.org/en/downloads/branches/ for further details.
 
 ## License
 
@@ -165,7 +206,6 @@ hesitate to
 [ask questions](http://stackoverflow.com/questions/tagged/google-auth-library-ruby)
 about the client or APIs on [StackOverflow](http://stackoverflow.com).
 
-[google-apis-ruby-client]: (https://github.com/google/google-api-ruby-client)
-[application default credentials]: (https://developers.google.com/accounts/docs/application-default-credentials)
-[contributing]: https://github.com/google/google-auth-library-ruby/tree/master/CONTRIBUTING.md
-[copying]: https://github.com/google/google-auth-library-ruby/tree/master/COPYING
+[application default credentials]: https://developers.google.com/accounts/docs/application-default-credentials
+[contributing]: https://github.com/googleapis/google-auth-library-ruby/tree/master/.github/CONTRIBUTING.md
+[copying]: https://github.com/googleapis/google-auth-library-ruby/tree/master/COPYING

data/Rakefile

@@ -1,15 +1,111 @@
 # -*- ruby -*-
-require 'rspec/core/rake_task'
-require 'rubocop/rake_task'
-require 'bundler/gem_tasks'
+require "json"
+require "bundler/gem_tasks"
 
-desc 'Run Rubocop to check for style violations'
-RuboCop::RakeTask.new
+task :ci do
+  header "Using Ruby - #{RUBY_VERSION}"
+  sh "bundle exec rubocop"
+  sh "bundle exec rspec"
+end
 
-desc 'Run rake task'
-RSpec::Core::RakeTask.new(:spec)
+task :release_gem, :tag do |_t, args|
+  tag = args[:tag]
+  raise "You must provide a tag to release." if tag.nil?
 
-desc 'Does rubocop lint and runs the specs'
-task all: [:rubocop, :spec]
+  # Verify the tag format "vVERSION"
+  m = tag.match /v(?<version>\S*)/
+  raise "Tag #{tag} does not match the expected format." if m.nil?
 
-task default: :all
+  version = m[:version]
+  raise "You must provide a version." if version.nil?
+
+  api_token = ENV["RUBYGEMS_API_TOKEN"]
+
+  require "gems"
+  if api_token
+    ::Gems.configure do |config|
+      config.key = api_token
+    end
+  end
+
+  Bundler.with_clean_env do
+    sh "rm -rf pkg"
+    sh "bundle update"
+    sh "bundle exec rake build"
+  end
+
+  path_to_be_pushed = "pkg/googleauth-#{version}.gem"
+  gem_was_published = nil
+  if File.file? path_to_be_pushed
+    begin
+      response = ::Gems.push File.new(path_to_be_pushed)
+      puts response
+      raise unless response.include? "Successfully registered gem:"
+      gem_was_published = true
+      puts "Successfully built and pushed googleauth for version #{version}"
+    rescue StandardError => e
+      gem_was_published = false
+      puts "Error while releasing googleauth version #{version}: #{e.message}"
+    end
+  else
+    raise "Cannot build googleauth for version #{version}"
+  end
+
+  Rake::Task["kokoro:publish_docs"].invoke if gem_was_published
+end
+
+namespace :kokoro do
+  task :load_env_vars do
+    service_account = "#{ENV['KOKORO_GFILE_DIR']}/service-account.json"
+    ENV["GOOGLE_APPLICATION_CREDENTIALS"] = service_account
+    filename = "#{ENV['KOKORO_GFILE_DIR']}/env_vars.json"
+    env_vars = JSON.parse File.read(filename)
+    env_vars.each { |k, v| ENV[k] = v }
+  end
+
+  task :presubmit do
+    Rake::Task["ci"].invoke
+  end
+
+  task :continuous do
+    Rake::Task["ci"].invoke
+  end
+
+  task :post do
+    require_relative "rakelib/link_checker.rb"
+
+    link_checker = LinkChecker.new
+    link_checker.run
+    exit link_checker.exit_status
+  end
+
+  task :nightly do
+    Rake::Task["ci"].invoke
+  end
+
+  task :release do
+    version = "0.1.0"
+    Bundler.with_clean_env do
+      version = `bundle exec gem list`
+                .split("\n").select { |line| line.include? "googleauth" }
+                .first.split("(").last.split(")").first || "0.1.0"
+    end
+    Rake::Task["kokoro:load_env_vars"].invoke
+    Rake::Task["release_gem"].invoke "v#{version}"
+  end
+
+  task :publish_docs do
+    require_relative "rakelib/devsite_builder.rb"
+
+    DevsiteBuilder.new(__dir__).publish
+  end
+end
+
+def header str, token = "#"
+  line_length = str.length + 8
+  puts ""
+  puts token * line_length
+  puts "#{token * 3} #{str} #{token * 3}"
+  puts token * line_length
+  puts ""
+end

data/googleauth.gemspec

@@ -1,35 +1,37 @@
 # -*- ruby -*-
 # encoding: utf-8
-$LOAD_PATH.push File.expand_path('../lib', __FILE__)
-require 'googleauth/version'
 
-Gem::Specification.new do |s|
-  s.name          = 'googleauth'
-  s.version       = Google::Auth::VERSION
-  s.authors       = ['Tim Emiola']
-  s.email         = 'temiola@google.com'
-  s.homepage      = 'https://github.com/google/google-auth-library-ruby'
-  s.summary       = 'Google Auth Library for Ruby'
-  s.license       = 'Apache-2.0'
-  s.description   = <<-eos
+$LOAD_PATH.push File.expand_path("lib", __dir__)
+require "googleauth/version"
+
+Gem::Specification.new do |gem|
+  gem.name          = "googleauth"
+  gem.version       = Google::Auth::VERSION
+  gem.authors       = ["Tim Emiola"]
+  gem.email         = "temiola@google.com"
+  gem.homepage      = "https://github.com/google/google-auth-library-ruby"
+  gem.summary       = "Google Auth Library for Ruby"
+  gem.license       = "Apache-2.0"
+  gem.description   = <<-DESCRIPTION
    Allows simple authorization for accessing Google APIs.
    Provide support for Application Default Credentials, as described at
    https://developers.google.com/accounts/docs/application-default-credentials
-  eos
+  DESCRIPTION
 
-  s.files         = `git ls-files`.split("\n")
-  s.test_files    = `git ls-files -- spec/*`.split("\n")
-  s.executables   = `git ls-files -- bin/*.rb`.split("\n").map do |f|
-    File.basename(f)
+  gem.files         = `git ls-files`.split "\n"
+  gem.test_files    = `git ls-files -- spec/*`.split "\n"
+  gem.executables   = `git ls-files -- bin/*.rb`.split("\n").map do |f|
+    File.basename f
   end
-  s.require_paths = ['lib']
-  s.platform      = Gem::Platform::RUBY
+  gem.require_paths = ["lib"]
+  gem.platform      = Gem::Platform::RUBY
+  gem.required_ruby_version = ">= 2.4.0"
 
-  s.add_dependency 'faraday', '~> 0.9'
-  s.add_dependency 'logging', '~> 2.0'
-  s.add_dependency 'jwt', '~> 1.4'
-  s.add_dependency 'memoist', '~> 0.12'
-  s.add_dependency 'multi_json', '~> 1.11'
-  s.add_dependency 'os', '~> 0.9'
-  s.add_dependency 'signet', '~> 0.7'
+  gem.add_dependency "faraday", ">= 0.17.3", "< 2.0"
+  gem.add_dependency "jwt", ">= 1.4", "< 3.0"
+  gem.add_dependency "memoist", "~> 0.16"
+  gem.add_dependency "multi_json", "~> 1.11"
+  gem.add_dependency "os", ">= 0.9", "< 2.0"
+  gem.add_dependency "signet", "~> 0.12"
+  gem.add_development_dependency "yard", "~> 0.9"
 end

data/lib/googleauth/application_default.rb

@@ -0,0 +1,81 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "googleauth/compute_engine"
+require "googleauth/default_credentials"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    NOT_FOUND_ERROR = <<~ERROR_MESSAGE.freeze
+      Could not load the default credentials. Browse to
+      https://developers.google.com/accounts/docs/application-default-credentials
+      for more information
+    ERROR_MESSAGE
+
+    module_function
+
+    # Obtains the default credentials implementation to use in this
+    # environment.
+    #
+    # Use this to obtain the Application Default Credentials for accessing
+    # Google APIs.  Application Default Credentials are described in detail
+    # at https://cloud.google.com/docs/authentication/production.
+    #
+    # If supplied, scope is used to create the credentials instance, when it can
+    # be applied.  E.g, on google compute engine and for user credentials the
+    # scope is ignored.
+    #
+    # @param scope [string|array|nil] the scope(s) to access
+    # @param options [Hash] Connection options. These may be used to configure
+    #     the `Faraday::Connection` used for outgoing HTTP requests. For
+    #     example, if a connection proxy must be used in the current network,
+    #     you may provide a connection with with the needed proxy options.
+    #     The following keys are recognized:
+    #     * `:default_connection` The connection object to use for token
+    #       refresh requests.
+    #     * `:connection_builder` A `Proc` that creates and returns a
+    #       connection to use for token refresh requests.
+    #     * `:connection` The connection to use to determine whether GCE
+    #       metadata credentials are available.
+    def get_application_default scope = nil, options = {}
+      creds = DefaultCredentials.from_env(scope, options) ||
+              DefaultCredentials.from_well_known_path(scope, options) ||
+              DefaultCredentials.from_system_default_path(scope, options)
+      return creds unless creds.nil?
+      unless GCECredentials.on_gce? options
+        # Clear cache of the result of GCECredentials.on_gce?
+        GCECredentials.unmemoize_all
+        raise NOT_FOUND_ERROR
+      end
+      GCECredentials.new
+    end
+  end
+end

data/lib/googleauth/client_id.rb

@@ -27,19 +27,20 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'multi_json'
+require "multi_json"
+require "googleauth/credentials_loader"
 
 module Google
   module Auth
     # Representation of an application's identity for user authorization
     # flows.
     class ClientId
-      INSTALLED_APP = 'installed'
-      WEB_APP = 'web'
-      CLIENT_ID = 'client_id'
-      CLIENT_SECRET = 'client_secret'
+      INSTALLED_APP = "installed".freeze
+      WEB_APP = "web".freeze
+      CLIENT_ID = "client_id".freeze
+      CLIENT_SECRET = "client_secret".freeze
       MISSING_TOP_LEVEL_ELEMENT_ERROR =
-        "Expected top level property 'installed' or 'web' to be present."
+        "Expected top level property 'installed' or 'web' to be present.".freeze
 
       # Text identifier of the client ID
       # @return [String]
@@ -62,25 +63,26 @@ module Google
       # @note Direction instantion is discouraged to avoid embedding IDs
       #       & secrets in source. See {#from_file} to load from
       #       `client_secrets.json` files.
-      def initialize(id, secret)
-        fail 'Client id can not be nil' if id.nil?
-        fail 'Client secret can not be nil' if secret.nil?
+      def initialize id, secret
+        CredentialsLoader.warn_if_cloud_sdk_credentials id
+        raise "Client id can not be nil" if id.nil?
+        raise "Client secret can not be nil" if secret.nil?
         @id = id
         @secret = secret
       end
 
-      # Constructs a Client ID from a JSON file downloaed from the
+      # Constructs a Client ID from a JSON file downloaded from the
       # Google Developers Console.
       #
       # @param [String, File] file
       #  Path of file to read from
       # @return [Google::Auth::ClientID]
-      def self.from_file(file)
-        fail 'File can not be nil.' if file.nil?
-        File.open(file.to_s) do |f|
+      def self.from_file file
+        raise "File can not be nil." if file.nil?
+        File.open file.to_s do |f|
           json = f.read
-          config = MultiJson.load(json)
-          from_hash(config)
+          config = MultiJson.load json
+          from_hash config
         end
       end
 
@@ -91,11 +93,11 @@ module Google
       # @param [hash] config
       #  Parsed contents of the JSON file
       # @return [Google::Auth::ClientID]
-      def self.from_hash(config)
-        fail 'Hash can not be nil.' if config.nil?
+      def self.from_hash config
+        raise "Hash can not be nil." if config.nil?
         raw_detail = config[INSTALLED_APP] || config[WEB_APP]
-        fail MISSING_TOP_LEVEL_ELEMENT_ERROR if raw_detail.nil?
-        ClientId.new(raw_detail[CLIENT_ID], raw_detail[CLIENT_SECRET])
+        raise MISSING_TOP_LEVEL_ELEMENT_ERROR if raw_detail.nil?
+        ClientId.new raw_detail[CLIENT_ID], raw_detail[CLIENT_SECRET]
       end
     end
   end

data/lib/googleauth/compute_engine.rb

@@ -27,57 +27,51 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'faraday'
-require 'googleauth/signet'
-require 'memoist'
+require "faraday"
+require "googleauth/signet"
+require "memoist"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    NO_METADATA_SERVER_ERROR = <<END
-Error code 404 trying to get security access token
-from Compute Engine metadata for the default service account. This
-may be because the virtual machine instance does not have permission
-scopes specified.
-END
-    UNEXPECTED_ERROR_SUFFIX = <<END
-trying to get security access token from Compute Engine metadata for
-the default service account
-END
+    NO_METADATA_SERVER_ERROR = <<~ERROR.freeze
+      Error code 404 trying to get security access token
+      from Compute Engine metadata for the default service account. This
+      may be because the virtual machine instance does not have permission
+      scopes specified.
+    ERROR
+    UNEXPECTED_ERROR_SUFFIX = <<~ERROR.freeze
+      trying to get security access token from Compute Engine metadata for
+      the default service account
+    ERROR
 
     # Extends Signet::OAuth2::Client so that the auth token is obtained from
     # the GCE metadata server.
     class GCECredentials < Signet::OAuth2::Client
       # The IP Address is used in the URIs to speed up failures on non-GCE
       # systems.
-      COMPUTE_AUTH_TOKEN_URI = 'http://169.254.169.254/computeMetadata/v1/'\
-      'instance/service-accounts/default/token'
-      COMPUTE_CHECK_URI = 'http://169.254.169.254'
+      COMPUTE_AUTH_TOKEN_URI = "http://169.254.169.254/computeMetadata/v1/"\
+      "instance/service-accounts/default/token".freeze
+      COMPUTE_CHECK_URI = "http://169.254.169.254".freeze
 
       class << self
         extend Memoist
 
         # Detect if this appear to be a GCE instance, by checking if metadata
-        # is available
-        def on_gce?(options = {})
+        # is available.
+        def on_gce? options = {}
+          # TODO: This should use google-cloud-env instead.
           c = options[:connection] || Faraday.default_connection
-          resp = c.get(COMPUTE_CHECK_URI) do |req|
-            # Comment from: oauth2client/client.py
-            #
-            # Note: the explicit `timeout` below is a workaround. The underlying
-            # issue is that resolving an unknown host on some networks will take
-            # 20-30 seconds; making this timeout short fixes the issue, but
-            # could lead to false negatives in the event that we are on GCE, but
-            # the metadata resolution was particularly slow. The latter case is
-            # "unlikely".
-            req.options.timeout = 0.1
+          headers = { "Metadata-Flavor" => "Google" }
+          resp = c.get COMPUTE_CHECK_URI, nil, headers do |req|
+            req.options.timeout = 1.0
+            req.options.open_timeout = 0.1
           end
           return false unless resp.status == 200
-          return false unless resp.headers.key?('Metadata-Flavor')
-          return resp.headers['Metadata-Flavor'] == 'Google'
+          resp.headers["Metadata-Flavor"] == "Google"
         rescue Faraday::TimeoutError, Faraday::ConnectionFailed
-          return false
+          false
         end
 
         memoize :on_gce?
@@ -85,19 +79,22 @@ END
 
       # Overrides the super class method to change how access tokens are
       # fetched.
-      def fetch_access_token(options = {})
+      def fetch_access_token options = {}
         c = options[:connection] || Faraday.default_connection
-        c.headers = { 'Metadata-Flavor' => 'Google' }
-        resp = c.get(COMPUTE_AUTH_TOKEN_URI)
-        case resp.status
-        when 200
-          Signet::OAuth2.parse_credentials(resp.body,
-                                           resp.headers['content-type'])
-        when 404
-          fail(Signet::AuthorizationError, NO_METADATA_SERVER_ERROR)
-        else
-          msg = "Unexpected error code #{resp.status}" + UNEXPECTED_ERROR_SUFFIX
-          fail(Signet::AuthorizationError, msg)
+        retry_with_error do
+          headers = { "Metadata-Flavor" => "Google" }
+          resp = c.get COMPUTE_AUTH_TOKEN_URI, nil, headers
+          case resp.status
+          when 200
+            Signet::OAuth2.parse_credentials(resp.body,
+                                             resp.headers["content-type"])
+          when 404
+            raise Signet::AuthorizationError, NO_METADATA_SERVER_ERROR
+          else
+            msg = "Unexpected error code #{resp.status}" \
+              "#{UNEXPECTED_ERROR_SUFFIX}"
+            raise Signet::AuthorizationError, msg
+          end
         end
       end
     end