Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-auth-library-python / a20981969f8b405d363de8efbf2413248ac4e53c / . / google / auth / credentials.py
blob: 8570957cc07e4584cf19aaa7028063e8159a01af [file] [log] [blame]
Jon Wayne Parrott71ce2a02016-10-14 14:08:10 -0700[diff] [blame]1# Copyright 2016 Google Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15
16"""Interfaces for credentials."""
17
18import abc
19
20import six
21
22from google.auth import _helpers
23
24
25@six.add_metaclass(abc.ABCMeta)
26class Credentials(object):
27 """Base class for all credentials.
28
29 All credentials have a :attr:`token` that is used for authentication and
30 may also optionally set an :attr:`expiry` to indicate when the token will
31 no longer be valid.
32
33 Most credentials will be :attr:`invalid` until :meth:`refresh` is called.
34 Credentials can do this automatically before the first HTTP request in
35 :meth:`before_request`.
36
37 Although the token and expiration will change as the credentials are
38 :meth:`refreshed <refresh>` and used, credentials should be considered
39 immutable. Various credentials will accept configuration such as private
40 keys, scopes, and other options. These options are not changeable after
41 construction. Some classes will provide mechanisms to copy the credentials
42 with modifications such as :meth:`ScopedCredentials.with_scopes`.
43 """
44 def __init__(self):
45 self.token = None
46 """str: The bearer token that can be used in HTTP headers to make
47 authenticated requests."""
48 self.expiry = None
49 """Optional[datetime]: When the token expires and is no longer valid.
50 If this is None, the token is assumed to never expire."""
51
52 @property
53 def expired(self):
54 """Checks if the credentials are expired.
55
56 Note that credentials can be invalid but not expired becaue Credentials
57 with :attr:`expiry` set to None is considered to never expire.
58 """
59 now = _helpers.utcnow()
60 return self.expiry is not None and self.expiry <= now
61
62 @property
63 def valid(self):
64 """Checks the validity of the credentials.
65
66 This is True if the credentials have a :attr:`token` and the token
67 is not :attr:`expired`.
68 """
69 return self.token is not None and not self.expired
70
71 @abc.abstractmethod
72 def refresh(self, request):
73 """Refreshes the access token.
74
75 Args:
76 request (google.auth.transport.Request): The object used to make
77 HTTP requests.
78
79 Raises:
80 google.auth.exceptions.RefreshError: If the credentials could
81 not be refreshed.
82 """
83 # pylint: disable=missing-raises-doc
84 # (pylint doesn't recognize that this is abstract)
85 raise NotImplementedError('Refresh must be implemented')
86
87 def apply(self, headers, token=None):
88 """Apply the token to the authentication header.
89
90 Args:
91 headers (Mapping): The HTTP request headers.
92 token (Optional[str]): If specified, overrides the current access
93 token.
94 """
95 headers['authorization'] = 'Bearer {}'.format(
96 _helpers.from_bytes(token or self.token))
97
98 def before_request(self, request, method, url, headers):
99 """Performs credential-specific before request logic.
100
101 Refreshes the credentials if necessary, then calls :meth:`apply` to
102 apply the token to the authentication header.
103
104 Args:
Jon Wayne Parrotta0425492016-10-17 10:48:35 -0700[diff] [blame]105 request (google.auth.transport.Request): The object used to make
Jon Wayne Parrott71ce2a02016-10-14 14:08:10 -0700[diff] [blame]106 HTTP requests.
Jon Wayne Parrotta2098192017-02-22 09:27:32 -0800[diff] [blame^]107 method (str): The request's HTTP method or the RPC method being
108 invoked.
109 url (str): The request's URI or the RPC service's URI.
Jon Wayne Parrott71ce2a02016-10-14 14:08:10 -0700[diff] [blame]110 headers (Mapping): The request's headers.
111 """
112 # pylint: disable=unused-argument
113 # (Subclasses may use these arguments to ascertain information about
114 # the http request.)
115 if not self.valid:
116 self.refresh(request)
117 self.apply(headers)
118
119
120@six.add_metaclass(abc.ABCMeta)
121class Scoped(object):
122 """Interface for scoped credentials.
123
124 OAuth 2.0-based credentials allow limiting access using scopes as described
125 in `RFC6749 Section 3.3`_.
126 If a credential class implements this interface then the credentials either
127 use scopes in their implementation.
128
129 Some credentials require scopes in order to obtain a token. You can check
130 if scoping is necessary with :attr:`requires_scopes`::
131
132 if credentials.requires_scopes:
133 # Scoping is required.
134 credentials = credentials.create_scoped(['one', 'two'])
135
136 Credentials that require scopes must either be constructed with scopes::
137
138 credentials = SomeScopedCredentials(scopes=['one', 'two'])
139
140 Or must copy an existing instance using :meth:`with_scopes`::
141
142 scoped_credentials = credentials.with_scopes(scopes=['one', 'two'])
143
144 Some credentials have scopes but do not allow or require scopes to be set,
145 these credentials can be used as-is.
146
147 .. _RFC6749 Section 3.3: https://tools.ietf.org/html/rfc6749#section-3.3
148 """
149 def __init__(self):
150 super(Scoped, self).__init__()
151 self._scopes = None
152
153 @property
154 def scopes(self):
155 """Sequence[str]: the credentials' current set of scopes."""
156 return self._scopes
157
158 @abc.abstractproperty
159 def requires_scopes(self):
160 """True if these credentials require scopes to obtain an access token.
161 """
162 return False
163
164 @abc.abstractmethod
165 def with_scopes(self, scopes):
166 """Create a copy of these credentials with the specified scopes.
167
168 Args:
169 scopes (Sequence[str]): The list of scopes to request.
170
171 Raises:
172 NotImplementedError: If the credentials' scopes can not be changed.
173 This can be avoided by checking :attr:`requires_scopes` before
174 calling this method.
175 """
176 raise NotImplementedError('This class does not require scoping.')
177
178 def has_scopes(self, scopes):
179 """Checks if the credentials have the given scopes.
180
181 .. warning: This method is not guaranteed to be accurate if the
182 credentials are :attr:`~Credentials.invalid`.
183
184 Returns:
185 bool: True if the credentials have the given scopes.
186 """
187 return set(scopes).issubset(set(self._scopes or []))
188
189
Jon Wayne Parrottf89a3cf2016-10-31 10:52:57 -0700[diff] [blame]190def with_scopes_if_required(credentials, scopes):
191 """Creates a copy of the credentials with scopes if scoping is required.
192
193 This helper function is useful when you do not know (or care to know) the
194 specific type of credentials you are using (such as when you use
195 :func:`google.auth.default`). This function will call
196 :meth:`Scoped.with_scopes` if the credentials are scoped credentials and if
197 the credentials require scoping. Otherwise, it will return the credentials
198 as-is.
199
200 Args:
Jon Wayne Parrottbdbf2b12016-11-10 15:00:29 -0800[diff] [blame]201 credentials (google.auth.credentials.Credentials): The credentials to
Jon Wayne Parrott8c3a10b2016-11-10 12:42:50 -0800[diff] [blame]202 scope if necessary.
Jon Wayne Parrottf89a3cf2016-10-31 10:52:57 -0700[diff] [blame]203 scopes (Sequence[str]): The list of scopes to use.
204
205 Returns:
Jon Wayne Parrottbdbf2b12016-11-10 15:00:29 -0800[diff] [blame]206 google.auth.credentials.Credentials: Either a new set of scoped
Jon Wayne Parrott8c3a10b2016-11-10 12:42:50 -0800[diff] [blame]207 credentials, or the passed in credentials instance if no scoping
208 was required.
Jon Wayne Parrottf89a3cf2016-10-31 10:52:57 -0700[diff] [blame]209 """
210 if isinstance(credentials, Scoped) and credentials.requires_scopes:
211 return credentials.with_scopes(scopes)
212 else:
213 return credentials
214
215
Jon Wayne Parrott71ce2a02016-10-14 14:08:10 -0700[diff] [blame]216@six.add_metaclass(abc.ABCMeta)
217class Signing(object):
218 """Interface for credentials that can cryptographically sign messages."""
219
220 @abc.abstractmethod
221 def sign_bytes(self, message):
222 """Signs the given message.
223
224 Args:
225 message (bytes): The message to sign.
226
227 Returns:
228 bytes: The message's cryptographic signature.
229 """
230 # pylint: disable=missing-raises-doc,redundant-returns-doc
231 # (pylint doesn't recognize that this is abstract)
232 raise NotImplementedError('Sign bytes must be implemented.')
Jon Wayne Parrott4c883f02016-12-02 14:26:33 -0800[diff] [blame]233
234 @abc.abstractproperty
235 def signer_email(self):
236 """Optional[str]: An email address that identifies the signer."""
237 # pylint: disable=missing-raises-doc
238 # (pylint doesn't recognize that this is abstract)
239 raise NotImplementedError('Signer email must be implemented.')
Jon Wayne Parrottd7221672017-02-16 09:05:11 -0800[diff] [blame]240
241 @abc.abstractproperty
242 def signer(self):
243 """google.auth.crypt.Signer: The signer used to sign bytes."""
244 # pylint: disable=missing-raises-doc
245 # (pylint doesn't recognize that this is abstract)
246 raise NotImplementedError('Signer must be implemented.')