| Joe Gregorio | fd08e43 | 2012-08-09 14:17:41 -0400 | [diff] [blame] | 1 | # Copyright (C) 2012 Google Inc. |
| 2 | # |
| 3 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | # you may not use this file except in compliance with the License. |
| 5 | # You may obtain a copy of the License at |
| 6 | # |
| 7 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | # |
| 9 | # Unless required by applicable law or agreed to in writing, software |
| 10 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | # See the License for the specific language governing permissions and |
| 13 | # limitations under the License. |
| 14 | |
| 15 | """Utilities for Google Compute Engine |
| 16 | |
| 17 | Utilities for making it easier to use OAuth 2.0 on Google Compute Engine. |
| 18 | """ |
| 19 | |
| 20 | __author__ = 'jcgregorio@google.com (Joe Gregorio)' |
| 21 | |
| 22 | import httplib2 |
| 23 | import logging |
| 24 | import uritemplate |
| 25 | |
| 26 | from oauth2client import util |
| 27 | from oauth2client.anyjson import simplejson |
| 28 | from oauth2client.client import AccessTokenRefreshError |
| 29 | from oauth2client.client import AssertionCredentials |
| 30 | |
| 31 | logger = logging.getLogger(__name__) |
| 32 | |
| 33 | # URI Template for the endpoint that returns access_tokens. |
| 34 | META = ('http://metadata.google.internal/0.1/meta-data/service-accounts/' |
| 35 | 'default/acquire{?scope}') |
| 36 | |
| 37 | |
| 38 | class AppAssertionCredentials(AssertionCredentials): |
| 39 | """Credentials object for Compute Engine Assertion Grants |
| 40 | |
| 41 | This object will allow a Compute Engine instance to identify itself to |
| 42 | Google and other OAuth 2.0 servers that can verify assertions. It can be used |
| 43 | for the purpose of accessing data stored under an account assigned to the |
| 44 | Compute Engine instance itself. |
| 45 | |
| 46 | This credential does not require a flow to instantiate because it represents |
| 47 | a two legged flow, and therefore has all of the required information to |
| 48 | generate and refresh its own access tokens. |
| 49 | """ |
| 50 | |
| 51 | @util.positional(2) |
| 52 | def __init__(self, scope, **kwargs): |
| 53 | """Constructor for AppAssertionCredentials |
| 54 | |
| 55 | Args: |
| 56 | scope: string or list of strings, scope(s) of the credentials being |
| 57 | requested. |
| 58 | """ |
| 59 | if type(scope) is list: |
| 60 | scope = ' '.join(scope) |
| 61 | self.scope = scope |
| 62 | |
| 63 | super(AppAssertionCredentials, self).__init__( |
| 64 | 'ignored' # assertion_type is ignore in this subclass. |
| 65 | ) |
| 66 | |
| 67 | @classmethod |
| 68 | def from_json(cls, json): |
| 69 | data = simplejson.loads(json) |
| 70 | return AppAssertionCredentials(data['scope']) |
| 71 | |
| 72 | def _refresh(self, http_request): |
| 73 | """Refreshes the access_token. |
| 74 | |
| 75 | Skip all the storage hoops and just refresh using the API. |
| 76 | |
| 77 | Args: |
| 78 | http_request: callable, a callable that matches the method signature of |
| 79 | httplib2.Http.request, used to make the refresh request. |
| 80 | |
| 81 | Raises: |
| 82 | AccessTokenRefreshError: When the refresh fails. |
| 83 | """ |
| 84 | uri = uritemplate.expand(META, {'scope': self.scope}) |
| 85 | response, content = http_request(uri) |
| 86 | if response.status == 200: |
| 87 | try: |
| 88 | d = simplejson.loads(content) |
| 89 | except StandardError, e: |
| 90 | raise AccessTokenRefreshError(str(e)) |
| 91 | self.access_token = d['accessToken'] |
| 92 | else: |
| 93 | raise AccessTokenRefreshError(content) |