blob: fa13f8ef80767b804289e7a734b8f818f4794948 [file] [log] [blame]
Jon Wayne Parrott04714752016-10-24 10:00:58 -07001# Copyright 2016 Google Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
Jon Wayne Parrott256d2bf2016-12-13 16:12:02 -080015"""Google App Engine standard environment support.
Jon Wayne Parrott04714752016-10-24 10:00:58 -070016
Jon Wayne Parrott256d2bf2016-12-13 16:12:02 -080017This module provides authentication and signing for applications running on App
18Engine in the standard environment using the `App Identity API`_.
Jon Wayne Parrott04714752016-10-24 10:00:58 -070019
20
21.. _App Identity API:
22 https://cloud.google.com/appengine/docs/python/appidentity/
23"""
24
25import datetime
26
27from google.auth import _helpers
28from google.auth import credentials
Jon Wayne Parrott254befe2017-02-22 14:37:31 -080029from google.auth import crypt
Jon Wayne Parrott04714752016-10-24 10:00:58 -070030
31try:
32 from google.appengine.api import app_identity
33except ImportError:
34 app_identity = None
35
36
Jon Wayne Parrott254befe2017-02-22 14:37:31 -080037class Signer(crypt.Signer):
Jon Wayne Parrott5b4e9c82017-02-15 16:44:00 -080038 """Signs messages using the App Engine App Identity service.
Jon Wayne Parrott256d2bf2016-12-13 16:12:02 -080039
40 This can be used in place of :class:`google.auth.crypt.Signer` when
41 running in the App Engine standard environment.
42 """
Jon Wayne Parrott5b4e9c82017-02-15 16:44:00 -080043
44 @property
45 def key_id(self):
46 """Optional[str]: The key ID used to identify this private key.
47
Jon Wayne Parrott254befe2017-02-22 14:37:31 -080048 .. warning::
49 This is always ``None``. The key ID used by App Engine can not
50 be reliably determined ahead of time.
Jon Wayne Parrott5b4e9c82017-02-15 16:44:00 -080051 """
Jon Wayne Parrott254befe2017-02-22 14:37:31 -080052 return None
Jon Wayne Parrott256d2bf2016-12-13 16:12:02 -080053
Jon Wayne Parrott254befe2017-02-22 14:37:31 -080054 @_helpers.copy_docstring(crypt.Signer)
55 def sign(self, message):
Jon Wayne Parrott256d2bf2016-12-13 16:12:02 -080056 message = _helpers.to_bytes(message)
Jon Wayne Parrott5b4e9c82017-02-15 16:44:00 -080057 _, signature = app_identity.sign_blob(message)
58 return signature
Jon Wayne Parrott256d2bf2016-12-13 16:12:02 -080059
60
Jon Wayne Parrott2148fde2016-10-24 13:44:25 -070061def get_project_id():
62 """Gets the project ID for the current App Engine application.
63
64 Returns:
65 str: The project ID
66
67 Raises:
68 EnvironmentError: If the App Engine APIs are unavailable.
69 """
Jon Wayne Parrott20e6e582016-12-19 10:21:23 -080070 # pylint: disable=missing-raises-doc
71 # Pylint rightfully thinks EnvironmentError is OSError, but doesn't
72 # realize it's a valid alias.
Jon Wayne Parrott2148fde2016-10-24 13:44:25 -070073 if app_identity is None:
74 raise EnvironmentError(
75 'The App Engine APIs are not available.')
76 return app_identity.get_application_id()
77
78
Jon Wayne Parrott04714752016-10-24 10:00:58 -070079class Credentials(credentials.Scoped, credentials.Signing,
80 credentials.Credentials):
81 """App Engine standard environment credentials.
82
83 These credentials use the App Engine App Identity API to obtain access
84 tokens.
85 """
86
87 def __init__(self, scopes=None, service_account_id=None):
88 """
89 Args:
90 scopes (Sequence[str]): Scopes to request from the App Identity
91 API.
92 service_account_id (str): The service account ID passed into
93 :func:`google.appengine.api.app_identity.get_access_token`.
94 If not specified, the default application service account
95 ID will be used.
96
97 Raises:
98 EnvironmentError: If the App Engine APIs are unavailable.
99 """
Jon Wayne Parrott20e6e582016-12-19 10:21:23 -0800100 # pylint: disable=missing-raises-doc
101 # Pylint rightfully thinks EnvironmentError is OSError, but doesn't
102 # realize it's a valid alias.
Jon Wayne Parrott04714752016-10-24 10:00:58 -0700103 if app_identity is None:
104 raise EnvironmentError(
105 'The App Engine APIs are not available.')
106
107 super(Credentials, self).__init__()
108 self._scopes = scopes
109 self._service_account_id = service_account_id
Jon Wayne Parrottd7221672017-02-16 09:05:11 -0800110 self._signer = Signer()
Jon Wayne Parrott04714752016-10-24 10:00:58 -0700111
112 @_helpers.copy_docstring(credentials.Credentials)
113 def refresh(self, request):
114 # pylint: disable=unused-argument
115 token, ttl = app_identity.get_access_token(
116 self._scopes, self._service_account_id)
Jon Wayne Parrott1cba0f82017-09-12 10:21:02 -0700117 expiry = datetime.datetime.utcfromtimestamp(ttl)
Jon Wayne Parrott04714752016-10-24 10:00:58 -0700118
119 self.token, self.expiry = token, expiry
120
121 @property
Jon Wayne Parrott61ffb052016-11-08 09:30:30 -0800122 def service_account_email(self):
123 """The service account email."""
124 if self._service_account_id is None:
125 self._service_account_id = app_identity.get_service_account_name()
126 return self._service_account_id
127
128 @property
Jon Wayne Parrott04714752016-10-24 10:00:58 -0700129 def requires_scopes(self):
130 """Checks if the credentials requires scopes.
131
132 Returns:
133 bool: True if there are no scopes set otherwise False.
134 """
135 return not self._scopes
136
137 @_helpers.copy_docstring(credentials.Scoped)
138 def with_scopes(self, scopes):
139 return Credentials(
140 scopes=scopes, service_account_id=self._service_account_id)
141
142 @_helpers.copy_docstring(credentials.Signing)
143 def sign_bytes(self, message):
Jon Wayne Parrottd7221672017-02-16 09:05:11 -0800144 return self._signer.sign(message)
Jon Wayne Parrott4c883f02016-12-02 14:26:33 -0800145
146 @property
147 @_helpers.copy_docstring(credentials.Signing)
148 def signer_email(self):
149 return self.service_account_email
Jon Wayne Parrottd7221672017-02-16 09:05:11 -0800150
151 @property
152 @_helpers.copy_docstring(credentials.Signing)
153 def signer(self):
154 return self._signer