Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-auth-library-python / 42468321a74f21086f9f896bb1ffc1bb2c5bf1f9 / . / google / auth / credentials.py
blob: 83683eb7a80dc587d5719aceebfa45b3a0351f06 [file] [log] [blame]
Jon Wayne Parrott71ce2a02016-10-14 14:08:10 -0700[diff] [blame]1# Copyright 2016 Google Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15
16"""Interfaces for credentials."""
17
18import abc
19
20import six
21
22from google.auth import _helpers
23
24
25@six.add_metaclass(abc.ABCMeta)
26class Credentials(object):
27 """Base class for all credentials.
28
29 All credentials have a :attr:`token` that is used for authentication and
30 may also optionally set an :attr:`expiry` to indicate when the token will
31 no longer be valid.
32
33 Most credentials will be :attr:`invalid` until :meth:`refresh` is called.
34 Credentials can do this automatically before the first HTTP request in
35 :meth:`before_request`.
36
37 Although the token and expiration will change as the credentials are
38 :meth:`refreshed <refresh>` and used, credentials should be considered
39 immutable. Various credentials will accept configuration such as private
40 keys, scopes, and other options. These options are not changeable after
41 construction. Some classes will provide mechanisms to copy the credentials
42 with modifications such as :meth:`ScopedCredentials.with_scopes`.
43 """
44 def __init__(self):
45 self.token = None
46 """str: The bearer token that can be used in HTTP headers to make
47 authenticated requests."""
48 self.expiry = None
49 """Optional[datetime]: When the token expires and is no longer valid.
50 If this is None, the token is assumed to never expire."""
51
52 @property
53 def expired(self):
54 """Checks if the credentials are expired.
55
56 Note that credentials can be invalid but not expired becaue Credentials
57 with :attr:`expiry` set to None is considered to never expire.
58 """
Jon Wayne Parrott7af9f662017-05-08 09:40:56 -0700[diff] [blame]59 if not self.expiry:
60 return False
61
62 # Remove 5 minutes from expiry to err on the side of reporting
63 # expiration early so that we avoid the 401-refresh-retry loop.
64 skewed_expiry = self.expiry - _helpers.CLOCK_SKEW
65 return _helpers.utcnow() >= skewed_expiry
Jon Wayne Parrott71ce2a02016-10-14 14:08:10 -0700[diff] [blame]66
67 @property
68 def valid(self):
69 """Checks the validity of the credentials.
70
71 This is True if the credentials have a :attr:`token` and the token
72 is not :attr:`expired`.
73 """
74 return self.token is not None and not self.expired
75
76 @abc.abstractmethod
77 def refresh(self, request):
78 """Refreshes the access token.
79
80 Args:
81 request (google.auth.transport.Request): The object used to make
82 HTTP requests.
83
84 Raises:
85 google.auth.exceptions.RefreshError: If the credentials could
86 not be refreshed.
87 """
88 # pylint: disable=missing-raises-doc
89 # (pylint doesn't recognize that this is abstract)
90 raise NotImplementedError('Refresh must be implemented')
91
92 def apply(self, headers, token=None):
93 """Apply the token to the authentication header.
94
95 Args:
96 headers (Mapping): The HTTP request headers.
97 token (Optional[str]): If specified, overrides the current access
98 token.
99 """
100 headers['authorization'] = 'Bearer {}'.format(
101 _helpers.from_bytes(token or self.token))
102
103 def before_request(self, request, method, url, headers):
104 """Performs credential-specific before request logic.
105
106 Refreshes the credentials if necessary, then calls :meth:`apply` to
107 apply the token to the authentication header.
108
109 Args:
Jon Wayne Parrotta0425492016-10-17 10:48:35 -0700[diff] [blame]110 request (google.auth.transport.Request): The object used to make
Jon Wayne Parrott71ce2a02016-10-14 14:08:10 -0700[diff] [blame]111 HTTP requests.
Jon Wayne Parrotta2098192017-02-22 09:27:32 -0800[diff] [blame]112 method (str): The request's HTTP method or the RPC method being
113 invoked.
114 url (str): The request's URI or the RPC service's URI.
Jon Wayne Parrott71ce2a02016-10-14 14:08:10 -0700[diff] [blame]115 headers (Mapping): The request's headers.
116 """
117 # pylint: disable=unused-argument
118 # (Subclasses may use these arguments to ascertain information about
119 # the http request.)
120 if not self.valid:
121 self.refresh(request)
122 self.apply(headers)
123
124
125@six.add_metaclass(abc.ABCMeta)
Tres Seaver42468322017-09-11 15:36:53 -0400[diff] [blame^]126class ReadOnnlyScoped(object):
127 """Interface for credentials whose scopes can be queried.
Jon Wayne Parrott71ce2a02016-10-14 14:08:10 -0700[diff] [blame]128
129 OAuth 2.0-based credentials allow limiting access using scopes as described
130 in `RFC6749 Section 3.3`_.
131 If a credential class implements this interface then the credentials either
132 use scopes in their implementation.
133
134 Some credentials require scopes in order to obtain a token. You can check
135 if scoping is necessary with :attr:`requires_scopes`::
136
137 if credentials.requires_scopes:
138 # Scoping is required.
139 credentials = credentials.create_scoped(['one', 'two'])
140
141 Credentials that require scopes must either be constructed with scopes::
142
143 credentials = SomeScopedCredentials(scopes=['one', 'two'])
144
145 Or must copy an existing instance using :meth:`with_scopes`::
146
147 scoped_credentials = credentials.with_scopes(scopes=['one', 'two'])
148
149 Some credentials have scopes but do not allow or require scopes to be set,
150 these credentials can be used as-is.
151
152 .. _RFC6749 Section 3.3: https://tools.ietf.org/html/rfc6749#section-3.3
153 """
154 def __init__(self):
Tres Seaver42468322017-09-11 15:36:53 -0400[diff] [blame^]155 super(ReadOnnlyScoped, self).__init__()
Jon Wayne Parrott71ce2a02016-10-14 14:08:10 -0700[diff] [blame]156 self._scopes = None
157
158 @property
159 def scopes(self):
160 """Sequence[str]: the credentials' current set of scopes."""
161 return self._scopes
162
163 @abc.abstractproperty
164 def requires_scopes(self):
165 """True if these credentials require scopes to obtain an access token.
166 """
167 return False
168
Tres Seaver42468322017-09-11 15:36:53 -0400[diff] [blame^]169 def has_scopes(self, scopes):
170 """Checks if the credentials have the given scopes.
171
172 .. warning: This method is not guaranteed to be accurate if the
173 credentials are :attr:`~Credentials.invalid`.
174
175 Returns:
176 bool: True if the credentials have the given scopes.
177 """
178 return set(scopes).issubset(set(self._scopes or []))
179
180
181class Scoped(ReadOnnlyScoped):
182 """Interface for credentials whose scopes can be replaced while copying.
183
184 OAuth 2.0-based credentials allow limiting access using scopes as described
185 in `RFC6749 Section 3.3`_.
186 If a credential class implements this interface then the credentials either
187 use scopes in their implementation.
188
189 Some credentials require scopes in order to obtain a token. You can check
190 if scoping is necessary with :attr:`requires_scopes`::
191
192 if credentials.requires_scopes:
193 # Scoping is required.
194 credentials = credentials.create_scoped(['one', 'two'])
195
196 Credentials that require scopes must either be constructed with scopes::
197
198 credentials = SomeScopedCredentials(scopes=['one', 'two'])
199
200 Or must copy an existing instance using :meth:`with_scopes`::
201
202 scoped_credentials = credentials.with_scopes(scopes=['one', 'two'])
203
204 Some credentials have scopes but do not allow or require scopes to be set,
205 these credentials can be used as-is.
206
207 .. _RFC6749 Section 3.3: https://tools.ietf.org/html/rfc6749#section-3.3
208 """
Jon Wayne Parrott71ce2a02016-10-14 14:08:10 -0700[diff] [blame]209 @abc.abstractmethod
210 def with_scopes(self, scopes):
211 """Create a copy of these credentials with the specified scopes.
212
213 Args:
214 scopes (Sequence[str]): The list of scopes to request.
215
216 Raises:
217 NotImplementedError: If the credentials' scopes can not be changed.
218 This can be avoided by checking :attr:`requires_scopes` before
219 calling this method.
220 """
221 raise NotImplementedError('This class does not require scoping.')
222
Jon Wayne Parrott71ce2a02016-10-14 14:08:10 -0700[diff] [blame]223
Jon Wayne Parrottf89a3cf2016-10-31 10:52:57 -0700[diff] [blame]224def with_scopes_if_required(credentials, scopes):
225 """Creates a copy of the credentials with scopes if scoping is required.
226
227 This helper function is useful when you do not know (or care to know) the
228 specific type of credentials you are using (such as when you use
229 :func:`google.auth.default`). This function will call
230 :meth:`Scoped.with_scopes` if the credentials are scoped credentials and if
231 the credentials require scoping. Otherwise, it will return the credentials
232 as-is.
233
234 Args:
Jon Wayne Parrottbdbf2b12016-11-10 15:00:29 -0800[diff] [blame]235 credentials (google.auth.credentials.Credentials): The credentials to
Jon Wayne Parrott8c3a10b2016-11-10 12:42:50 -0800[diff] [blame]236 scope if necessary.
Jon Wayne Parrottf89a3cf2016-10-31 10:52:57 -0700[diff] [blame]237 scopes (Sequence[str]): The list of scopes to use.
238
239 Returns:
Jon Wayne Parrottbdbf2b12016-11-10 15:00:29 -0800[diff] [blame]240 google.auth.credentials.Credentials: Either a new set of scoped
Jon Wayne Parrott8c3a10b2016-11-10 12:42:50 -0800[diff] [blame]241 credentials, or the passed in credentials instance if no scoping
242 was required.
Jon Wayne Parrottf89a3cf2016-10-31 10:52:57 -0700[diff] [blame]243 """
244 if isinstance(credentials, Scoped) and credentials.requires_scopes:
245 return credentials.with_scopes(scopes)
246 else:
247 return credentials
248
249
Jon Wayne Parrott71ce2a02016-10-14 14:08:10 -0700[diff] [blame]250@six.add_metaclass(abc.ABCMeta)
251class Signing(object):
252 """Interface for credentials that can cryptographically sign messages."""
253
254 @abc.abstractmethod
255 def sign_bytes(self, message):
256 """Signs the given message.
257
258 Args:
259 message (bytes): The message to sign.
260
261 Returns:
262 bytes: The message's cryptographic signature.
263 """
264 # pylint: disable=missing-raises-doc,redundant-returns-doc
265 # (pylint doesn't recognize that this is abstract)
266 raise NotImplementedError('Sign bytes must be implemented.')
Jon Wayne Parrott4c883f02016-12-02 14:26:33 -0800[diff] [blame]267
268 @abc.abstractproperty
269 def signer_email(self):
270 """Optional[str]: An email address that identifies the signer."""
271 # pylint: disable=missing-raises-doc
272 # (pylint doesn't recognize that this is abstract)
273 raise NotImplementedError('Signer email must be implemented.')
Jon Wayne Parrottd7221672017-02-16 09:05:11 -0800[diff] [blame]274
275 @abc.abstractproperty
276 def signer(self):
277 """google.auth.crypt.Signer: The signer used to sign bytes."""
278 # pylint: disable=missing-raises-doc
279 # (pylint doesn't recognize that this is abstract)
280 raise NotImplementedError('Signer must be implemented.')