Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 1 | # Copyright 2016 Google Inc. |
| 2 | # |
| 3 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | # you may not use this file except in compliance with the License. |
| 5 | # You may obtain a copy of the License at |
| 6 | # |
| 7 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | # |
| 9 | # Unless required by applicable law or agreed to in writing, software |
| 10 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | # See the License for the specific language governing permissions and |
| 13 | # limitations under the License. |
| 14 | |
Jon Wayne Parrott | 256d2bf | 2016-12-13 16:12:02 -0800 | [diff] [blame] | 15 | """Google App Engine standard environment support. |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 16 | |
Jon Wayne Parrott | 256d2bf | 2016-12-13 16:12:02 -0800 | [diff] [blame] | 17 | This module provides authentication and signing for applications running on App |
| 18 | Engine in the standard environment using the `App Identity API`_. |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 19 | |
| 20 | |
| 21 | .. _App Identity API: |
| 22 | https://cloud.google.com/appengine/docs/python/appidentity/ |
| 23 | """ |
| 24 | |
| 25 | import datetime |
| 26 | |
| 27 | from google.auth import _helpers |
| 28 | from google.auth import credentials |
Jon Wayne Parrott | 254befe | 2017-02-22 14:37:31 -0800 | [diff] [blame] | 29 | from google.auth import crypt |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 30 | |
| 31 | try: |
| 32 | from google.appengine.api import app_identity |
| 33 | except ImportError: |
| 34 | app_identity = None |
| 35 | |
| 36 | |
Jon Wayne Parrott | 254befe | 2017-02-22 14:37:31 -0800 | [diff] [blame] | 37 | class Signer(crypt.Signer): |
Jon Wayne Parrott | 5b4e9c8 | 2017-02-15 16:44:00 -0800 | [diff] [blame] | 38 | """Signs messages using the App Engine App Identity service. |
Jon Wayne Parrott | 256d2bf | 2016-12-13 16:12:02 -0800 | [diff] [blame] | 39 | |
| 40 | This can be used in place of :class:`google.auth.crypt.Signer` when |
| 41 | running in the App Engine standard environment. |
| 42 | """ |
Jon Wayne Parrott | 5b4e9c8 | 2017-02-15 16:44:00 -0800 | [diff] [blame] | 43 | |
| 44 | @property |
| 45 | def key_id(self): |
| 46 | """Optional[str]: The key ID used to identify this private key. |
| 47 | |
Jon Wayne Parrott | 254befe | 2017-02-22 14:37:31 -0800 | [diff] [blame] | 48 | .. warning:: |
| 49 | This is always ``None``. The key ID used by App Engine can not |
| 50 | be reliably determined ahead of time. |
Jon Wayne Parrott | 5b4e9c8 | 2017-02-15 16:44:00 -0800 | [diff] [blame] | 51 | """ |
Jon Wayne Parrott | 254befe | 2017-02-22 14:37:31 -0800 | [diff] [blame] | 52 | return None |
Jon Wayne Parrott | 256d2bf | 2016-12-13 16:12:02 -0800 | [diff] [blame] | 53 | |
Jon Wayne Parrott | 254befe | 2017-02-22 14:37:31 -0800 | [diff] [blame] | 54 | @_helpers.copy_docstring(crypt.Signer) |
| 55 | def sign(self, message): |
Jon Wayne Parrott | 256d2bf | 2016-12-13 16:12:02 -0800 | [diff] [blame] | 56 | message = _helpers.to_bytes(message) |
Jon Wayne Parrott | 5b4e9c8 | 2017-02-15 16:44:00 -0800 | [diff] [blame] | 57 | _, signature = app_identity.sign_blob(message) |
| 58 | return signature |
Jon Wayne Parrott | 256d2bf | 2016-12-13 16:12:02 -0800 | [diff] [blame] | 59 | |
| 60 | |
Jon Wayne Parrott | 2148fde | 2016-10-24 13:44:25 -0700 | [diff] [blame] | 61 | def get_project_id(): |
| 62 | """Gets the project ID for the current App Engine application. |
| 63 | |
| 64 | Returns: |
| 65 | str: The project ID |
| 66 | |
| 67 | Raises: |
| 68 | EnvironmentError: If the App Engine APIs are unavailable. |
| 69 | """ |
Jon Wayne Parrott | 20e6e58 | 2016-12-19 10:21:23 -0800 | [diff] [blame] | 70 | # pylint: disable=missing-raises-doc |
| 71 | # Pylint rightfully thinks EnvironmentError is OSError, but doesn't |
| 72 | # realize it's a valid alias. |
Jon Wayne Parrott | 2148fde | 2016-10-24 13:44:25 -0700 | [diff] [blame] | 73 | if app_identity is None: |
| 74 | raise EnvironmentError( |
| 75 | 'The App Engine APIs are not available.') |
| 76 | return app_identity.get_application_id() |
| 77 | |
| 78 | |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 79 | class Credentials(credentials.Scoped, credentials.Signing, |
| 80 | credentials.Credentials): |
| 81 | """App Engine standard environment credentials. |
| 82 | |
| 83 | These credentials use the App Engine App Identity API to obtain access |
| 84 | tokens. |
| 85 | """ |
| 86 | |
| 87 | def __init__(self, scopes=None, service_account_id=None): |
| 88 | """ |
| 89 | Args: |
| 90 | scopes (Sequence[str]): Scopes to request from the App Identity |
| 91 | API. |
| 92 | service_account_id (str): The service account ID passed into |
| 93 | :func:`google.appengine.api.app_identity.get_access_token`. |
| 94 | If not specified, the default application service account |
| 95 | ID will be used. |
| 96 | |
| 97 | Raises: |
| 98 | EnvironmentError: If the App Engine APIs are unavailable. |
| 99 | """ |
Jon Wayne Parrott | 20e6e58 | 2016-12-19 10:21:23 -0800 | [diff] [blame] | 100 | # pylint: disable=missing-raises-doc |
| 101 | # Pylint rightfully thinks EnvironmentError is OSError, but doesn't |
| 102 | # realize it's a valid alias. |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 103 | if app_identity is None: |
| 104 | raise EnvironmentError( |
| 105 | 'The App Engine APIs are not available.') |
| 106 | |
| 107 | super(Credentials, self).__init__() |
| 108 | self._scopes = scopes |
| 109 | self._service_account_id = service_account_id |
Jon Wayne Parrott | d722167 | 2017-02-16 09:05:11 -0800 | [diff] [blame] | 110 | self._signer = Signer() |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 111 | |
| 112 | @_helpers.copy_docstring(credentials.Credentials) |
| 113 | def refresh(self, request): |
| 114 | # pylint: disable=unused-argument |
| 115 | token, ttl = app_identity.get_access_token( |
| 116 | self._scopes, self._service_account_id) |
Jon Wayne Parrott | 1cba0f8 | 2017-09-12 10:21:02 -0700 | [diff] [blame^] | 117 | expiry = datetime.datetime.utcfromtimestamp(ttl) |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 118 | |
| 119 | self.token, self.expiry = token, expiry |
| 120 | |
| 121 | @property |
Jon Wayne Parrott | 61ffb05 | 2016-11-08 09:30:30 -0800 | [diff] [blame] | 122 | def service_account_email(self): |
| 123 | """The service account email.""" |
| 124 | if self._service_account_id is None: |
| 125 | self._service_account_id = app_identity.get_service_account_name() |
| 126 | return self._service_account_id |
| 127 | |
| 128 | @property |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 129 | def requires_scopes(self): |
| 130 | """Checks if the credentials requires scopes. |
| 131 | |
| 132 | Returns: |
| 133 | bool: True if there are no scopes set otherwise False. |
| 134 | """ |
| 135 | return not self._scopes |
| 136 | |
| 137 | @_helpers.copy_docstring(credentials.Scoped) |
| 138 | def with_scopes(self, scopes): |
| 139 | return Credentials( |
| 140 | scopes=scopes, service_account_id=self._service_account_id) |
| 141 | |
| 142 | @_helpers.copy_docstring(credentials.Signing) |
| 143 | def sign_bytes(self, message): |
Jon Wayne Parrott | d722167 | 2017-02-16 09:05:11 -0800 | [diff] [blame] | 144 | return self._signer.sign(message) |
Jon Wayne Parrott | 4c883f0 | 2016-12-02 14:26:33 -0800 | [diff] [blame] | 145 | |
| 146 | @property |
| 147 | @_helpers.copy_docstring(credentials.Signing) |
| 148 | def signer_email(self): |
| 149 | return self.service_account_email |
Jon Wayne Parrott | d722167 | 2017-02-16 09:05:11 -0800 | [diff] [blame] | 150 | |
| 151 | @property |
| 152 | @_helpers.copy_docstring(credentials.Signing) |
| 153 | def signer(self): |
| 154 | return self._signer |