Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-auth-library-python / 924191c7cc6f9aa957f312c2a0873d87799f5ce9 / . / google / auth / app_engine.py
blob: ec89dc0ea4c450d30ab86abd198a9b0325f6d371 [file] [log] [blame]
Jon Wayne Parrott04714752016-10-24 10:00:58 -0700[diff] [blame]1# Copyright 2016 Google Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
Jon Wayne Parrott256d2bf2016-12-13 16:12:02 -0800[diff] [blame]15"""Google App Engine standard environment support.
Jon Wayne Parrott04714752016-10-24 10:00:58 -0700[diff] [blame]16
Jon Wayne Parrott256d2bf2016-12-13 16:12:02 -0800[diff] [blame]17This module provides authentication and signing for applications running on App
18Engine in the standard environment using the `App Identity API`_.
Jon Wayne Parrott04714752016-10-24 10:00:58 -0700[diff] [blame]19
20
21.. _App Identity API:
22 https://cloud.google.com/appengine/docs/python/appidentity/
23"""
24
25import datetime
26
27from google.auth import _helpers
28from google.auth import credentials
29
30try:
31 from google.appengine.api import app_identity
32except ImportError:
33 app_identity = None
34
35
Jon Wayne Parrott256d2bf2016-12-13 16:12:02 -0800[diff] [blame]36class Signer(object):
37 """Signs messages using the App Engine app identity service.
38
39 This can be used in place of :class:`google.auth.crypt.Signer` when
40 running in the App Engine standard environment.
41 """
42 def __init__(self):
43 self.key_id = None
44
45 @staticmethod
46 def sign(message):
47 """Signs a message.
48
49 Args:
50 message (Union[str, bytes]): The message to be signed.
51
52 Returns:
53 bytes: The signature of the message.
54 """
55 message = _helpers.to_bytes(message)
56 return app_identity.sign_blob(message)
57
58
Jon Wayne Parrott2148fde2016-10-24 13:44:25 -0700[diff] [blame]59def get_project_id():
60 """Gets the project ID for the current App Engine application.
61
62 Returns:
63 str: The project ID
64
65 Raises:
66 EnvironmentError: If the App Engine APIs are unavailable.
67 """
Jon Wayne Parrott20e6e582016-12-19 10:21:23 -0800[diff] [blame]68 # pylint: disable=missing-raises-doc
69 # Pylint rightfully thinks EnvironmentError is OSError, but doesn't
70 # realize it's a valid alias.
Jon Wayne Parrott2148fde2016-10-24 13:44:25 -0700[diff] [blame]71 if app_identity is None:
72 raise EnvironmentError(
73 'The App Engine APIs are not available.')
74 return app_identity.get_application_id()
75
76
Jon Wayne Parrott04714752016-10-24 10:00:58 -0700[diff] [blame]77class Credentials(credentials.Scoped, credentials.Signing,
78 credentials.Credentials):
79 """App Engine standard environment credentials.
80
81 These credentials use the App Engine App Identity API to obtain access
82 tokens.
83 """
84
85 def __init__(self, scopes=None, service_account_id=None):
86 """
87 Args:
88 scopes (Sequence[str]): Scopes to request from the App Identity
89 API.
90 service_account_id (str): The service account ID passed into
91 :func:`google.appengine.api.app_identity.get_access_token`.
92 If not specified, the default application service account
93 ID will be used.
94
95 Raises:
96 EnvironmentError: If the App Engine APIs are unavailable.
97 """
Jon Wayne Parrott20e6e582016-12-19 10:21:23 -0800[diff] [blame]98 # pylint: disable=missing-raises-doc
99 # Pylint rightfully thinks EnvironmentError is OSError, but doesn't
100 # realize it's a valid alias.
Jon Wayne Parrott04714752016-10-24 10:00:58 -0700[diff] [blame]101 if app_identity is None:
102 raise EnvironmentError(
103 'The App Engine APIs are not available.')
104
105 super(Credentials, self).__init__()
106 self._scopes = scopes
107 self._service_account_id = service_account_id
108
109 @_helpers.copy_docstring(credentials.Credentials)
110 def refresh(self, request):
111 # pylint: disable=unused-argument
112 token, ttl = app_identity.get_access_token(
113 self._scopes, self._service_account_id)
114 expiry = _helpers.utcnow() + datetime.timedelta(seconds=ttl)
115
116 self.token, self.expiry = token, expiry
117
118 @property
Jon Wayne Parrott61ffb052016-11-08 09:30:30 -0800[diff] [blame]119 def service_account_email(self):
120 """The service account email."""
121 if self._service_account_id is None:
122 self._service_account_id = app_identity.get_service_account_name()
123 return self._service_account_id
124
125 @property
Jon Wayne Parrott04714752016-10-24 10:00:58 -0700[diff] [blame]126 def requires_scopes(self):
127 """Checks if the credentials requires scopes.
128
129 Returns:
130 bool: True if there are no scopes set otherwise False.
131 """
132 return not self._scopes
133
134 @_helpers.copy_docstring(credentials.Scoped)
135 def with_scopes(self, scopes):
136 return Credentials(
137 scopes=scopes, service_account_id=self._service_account_id)
138
139 @_helpers.copy_docstring(credentials.Signing)
140 def sign_bytes(self, message):
Jon Wayne Parrott256d2bf2016-12-13 16:12:02 -0800[diff] [blame]141 return Signer().sign(message)
Jon Wayne Parrott4c883f02016-12-02 14:26:33 -0800[diff] [blame]142
143 @property
144 @_helpers.copy_docstring(credentials.Signing)
145 def signer_email(self):
146 return self.service_account_email