| Jon Wayne Parrott | 71ce2a0 | 2016-10-14 14:08:10 -0700 | [diff] [blame] | 1 | # Copyright 2016 Google Inc. |
| 2 | # |
| 3 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | # you may not use this file except in compliance with the License. |
| 5 | # You may obtain a copy of the License at |
| 6 | # |
| 7 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | # |
| 9 | # Unless required by applicable law or agreed to in writing, software |
| 10 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | # See the License for the specific language governing permissions and |
| 13 | # limitations under the License. |
| 14 | |
| 15 | |
| 16 | """Interfaces for credentials.""" |
| 17 | |
| 18 | import abc |
| 19 | |
| 20 | import six |
| 21 | |
| 22 | from google.auth import _helpers |
| 23 | |
| 24 | |
| 25 | @six.add_metaclass(abc.ABCMeta) |
| 26 | class Credentials(object): |
| 27 | """Base class for all credentials. |
| 28 | |
| 29 | All credentials have a :attr:`token` that is used for authentication and |
| 30 | may also optionally set an :attr:`expiry` to indicate when the token will |
| 31 | no longer be valid. |
| 32 | |
| 33 | Most credentials will be :attr:`invalid` until :meth:`refresh` is called. |
| 34 | Credentials can do this automatically before the first HTTP request in |
| 35 | :meth:`before_request`. |
| 36 | |
| 37 | Although the token and expiration will change as the credentials are |
| 38 | :meth:`refreshed <refresh>` and used, credentials should be considered |
| 39 | immutable. Various credentials will accept configuration such as private |
| 40 | keys, scopes, and other options. These options are not changeable after |
| 41 | construction. Some classes will provide mechanisms to copy the credentials |
| 42 | with modifications such as :meth:`ScopedCredentials.with_scopes`. |
| 43 | """ |
| 44 | def __init__(self): |
| 45 | self.token = None |
| 46 | """str: The bearer token that can be used in HTTP headers to make |
| 47 | authenticated requests.""" |
| 48 | self.expiry = None |
| 49 | """Optional[datetime]: When the token expires and is no longer valid. |
| 50 | If this is None, the token is assumed to never expire.""" |
| 51 | |
| 52 | @property |
| 53 | def expired(self): |
| 54 | """Checks if the credentials are expired. |
| 55 | |
| 56 | Note that credentials can be invalid but not expired becaue Credentials |
| 57 | with :attr:`expiry` set to None is considered to never expire. |
| 58 | """ |
| 59 | now = _helpers.utcnow() |
| 60 | return self.expiry is not None and self.expiry <= now |
| 61 | |
| 62 | @property |
| 63 | def valid(self): |
| 64 | """Checks the validity of the credentials. |
| 65 | |
| 66 | This is True if the credentials have a :attr:`token` and the token |
| 67 | is not :attr:`expired`. |
| 68 | """ |
| 69 | return self.token is not None and not self.expired |
| 70 | |
| 71 | @abc.abstractmethod |
| 72 | def refresh(self, request): |
| 73 | """Refreshes the access token. |
| 74 | |
| 75 | Args: |
| 76 | request (google.auth.transport.Request): The object used to make |
| 77 | HTTP requests. |
| 78 | |
| 79 | Raises: |
| 80 | google.auth.exceptions.RefreshError: If the credentials could |
| 81 | not be refreshed. |
| 82 | """ |
| 83 | # pylint: disable=missing-raises-doc |
| 84 | # (pylint doesn't recognize that this is abstract) |
| 85 | raise NotImplementedError('Refresh must be implemented') |
| 86 | |
| 87 | def apply(self, headers, token=None): |
| 88 | """Apply the token to the authentication header. |
| 89 | |
| 90 | Args: |
| 91 | headers (Mapping): The HTTP request headers. |
| 92 | token (Optional[str]): If specified, overrides the current access |
| 93 | token. |
| 94 | """ |
| 95 | headers['authorization'] = 'Bearer {}'.format( |
| 96 | _helpers.from_bytes(token or self.token)) |
| 97 | |
| 98 | def before_request(self, request, method, url, headers): |
| 99 | """Performs credential-specific before request logic. |
| 100 | |
| 101 | Refreshes the credentials if necessary, then calls :meth:`apply` to |
| 102 | apply the token to the authentication header. |
| 103 | |
| 104 | Args: |
| Jon Wayne Parrott | a042549 | 2016-10-17 10:48:35 -0700 | [diff] [blame] | 105 | request (google.auth.transport.Request): The object used to make |
| Jon Wayne Parrott | 71ce2a0 | 2016-10-14 14:08:10 -0700 | [diff] [blame] | 106 | HTTP requests. |
| 107 | method (str): The request's HTTP method. |
| 108 | url (str): The request's URI. |
| 109 | headers (Mapping): The request's headers. |
| 110 | """ |
| 111 | # pylint: disable=unused-argument |
| 112 | # (Subclasses may use these arguments to ascertain information about |
| 113 | # the http request.) |
| 114 | if not self.valid: |
| 115 | self.refresh(request) |
| 116 | self.apply(headers) |
| 117 | |
| 118 | |
| 119 | @six.add_metaclass(abc.ABCMeta) |
| 120 | class Scoped(object): |
| 121 | """Interface for scoped credentials. |
| 122 | |
| 123 | OAuth 2.0-based credentials allow limiting access using scopes as described |
| 124 | in `RFC6749 Section 3.3`_. |
| 125 | If a credential class implements this interface then the credentials either |
| 126 | use scopes in their implementation. |
| 127 | |
| 128 | Some credentials require scopes in order to obtain a token. You can check |
| 129 | if scoping is necessary with :attr:`requires_scopes`:: |
| 130 | |
| 131 | if credentials.requires_scopes: |
| 132 | # Scoping is required. |
| 133 | credentials = credentials.create_scoped(['one', 'two']) |
| 134 | |
| 135 | Credentials that require scopes must either be constructed with scopes:: |
| 136 | |
| 137 | credentials = SomeScopedCredentials(scopes=['one', 'two']) |
| 138 | |
| 139 | Or must copy an existing instance using :meth:`with_scopes`:: |
| 140 | |
| 141 | scoped_credentials = credentials.with_scopes(scopes=['one', 'two']) |
| 142 | |
| 143 | Some credentials have scopes but do not allow or require scopes to be set, |
| 144 | these credentials can be used as-is. |
| 145 | |
| 146 | .. _RFC6749 Section 3.3: https://tools.ietf.org/html/rfc6749#section-3.3 |
| 147 | """ |
| 148 | def __init__(self): |
| 149 | super(Scoped, self).__init__() |
| 150 | self._scopes = None |
| 151 | |
| 152 | @property |
| 153 | def scopes(self): |
| 154 | """Sequence[str]: the credentials' current set of scopes.""" |
| 155 | return self._scopes |
| 156 | |
| 157 | @abc.abstractproperty |
| 158 | def requires_scopes(self): |
| 159 | """True if these credentials require scopes to obtain an access token. |
| 160 | """ |
| 161 | return False |
| 162 | |
| 163 | @abc.abstractmethod |
| 164 | def with_scopes(self, scopes): |
| 165 | """Create a copy of these credentials with the specified scopes. |
| 166 | |
| 167 | Args: |
| 168 | scopes (Sequence[str]): The list of scopes to request. |
| 169 | |
| 170 | Raises: |
| 171 | NotImplementedError: If the credentials' scopes can not be changed. |
| 172 | This can be avoided by checking :attr:`requires_scopes` before |
| 173 | calling this method. |
| 174 | """ |
| 175 | raise NotImplementedError('This class does not require scoping.') |
| 176 | |
| 177 | def has_scopes(self, scopes): |
| 178 | """Checks if the credentials have the given scopes. |
| 179 | |
| 180 | .. warning: This method is not guaranteed to be accurate if the |
| 181 | credentials are :attr:`~Credentials.invalid`. |
| 182 | |
| 183 | Returns: |
| 184 | bool: True if the credentials have the given scopes. |
| 185 | """ |
| 186 | return set(scopes).issubset(set(self._scopes or [])) |
| 187 | |
| 188 | |
| Jon Wayne Parrott | f89a3cf | 2016-10-31 10:52:57 -0700 | [diff] [blame] | 189 | def with_scopes_if_required(credentials, scopes): |
| 190 | """Creates a copy of the credentials with scopes if scoping is required. |
| 191 | |
| 192 | This helper function is useful when you do not know (or care to know) the |
| 193 | specific type of credentials you are using (such as when you use |
| 194 | :func:`google.auth.default`). This function will call |
| 195 | :meth:`Scoped.with_scopes` if the credentials are scoped credentials and if |
| 196 | the credentials require scoping. Otherwise, it will return the credentials |
| 197 | as-is. |
| 198 | |
| 199 | Args: |
| 200 | credentials (Credentials): The credentials to scope if necessary. |
| 201 | scopes (Sequence[str]): The list of scopes to use. |
| 202 | |
| 203 | Returns: |
| 204 | Credentials: Either a new set of scoped credentials, or the passed in |
| 205 | credentials instance if no scoping was required. |
| 206 | """ |
| 207 | if isinstance(credentials, Scoped) and credentials.requires_scopes: |
| 208 | return credentials.with_scopes(scopes) |
| 209 | else: |
| 210 | return credentials |
| 211 | |
| 212 | |
| Jon Wayne Parrott | 71ce2a0 | 2016-10-14 14:08:10 -0700 | [diff] [blame] | 213 | @six.add_metaclass(abc.ABCMeta) |
| 214 | class Signing(object): |
| 215 | """Interface for credentials that can cryptographically sign messages.""" |
| 216 | |
| 217 | @abc.abstractmethod |
| 218 | def sign_bytes(self, message): |
| 219 | """Signs the given message. |
| 220 | |
| 221 | Args: |
| 222 | message (bytes): The message to sign. |
| 223 | |
| 224 | Returns: |
| 225 | bytes: The message's cryptographic signature. |
| 226 | """ |
| 227 | # pylint: disable=missing-raises-doc,redundant-returns-doc |
| 228 | # (pylint doesn't recognize that this is abstract) |
| 229 | raise NotImplementedError('Sign bytes must be implemented.') |