OLD | NEW |
(Empty) | |
| 1 # Copyright 2016 Google Inc. |
| 2 # |
| 3 # Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 # you may not use this file except in compliance with the License. |
| 5 # You may obtain a copy of the License at |
| 6 # |
| 7 # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 # |
| 9 # Unless required by applicable law or agreed to in writing, software |
| 10 # distributed under the License is distributed on an "AS IS" BASIS, |
| 11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 # See the License for the specific language governing permissions and |
| 13 # limitations under the License. |
| 14 |
| 15 """Google App Engine standard environment support. |
| 16 |
| 17 This module provides authentication and signing for applications running on App |
| 18 Engine in the standard environment using the `App Identity API`_. |
| 19 |
| 20 |
| 21 .. _App Identity API: |
| 22 https://cloud.google.com/appengine/docs/python/appidentity/ |
| 23 """ |
| 24 |
| 25 import datetime |
| 26 |
| 27 from google.auth import _helpers |
| 28 from google.auth import credentials |
| 29 from google.auth import crypt |
| 30 |
| 31 try: |
| 32 from google.appengine.api import app_identity |
| 33 except ImportError: |
| 34 app_identity = None |
| 35 |
| 36 |
| 37 class Signer(crypt.Signer): |
| 38 """Signs messages using the App Engine App Identity service. |
| 39 |
| 40 This can be used in place of :class:`google.auth.crypt.Signer` when |
| 41 running in the App Engine standard environment. |
| 42 """ |
| 43 |
| 44 @property |
| 45 def key_id(self): |
| 46 """Optional[str]: The key ID used to identify this private key. |
| 47 |
| 48 .. warning:: |
| 49 This is always ``None``. The key ID used by App Engine can not |
| 50 be reliably determined ahead of time. |
| 51 """ |
| 52 return None |
| 53 |
| 54 @_helpers.copy_docstring(crypt.Signer) |
| 55 def sign(self, message): |
| 56 message = _helpers.to_bytes(message) |
| 57 _, signature = app_identity.sign_blob(message) |
| 58 return signature |
| 59 |
| 60 |
| 61 def get_project_id(): |
| 62 """Gets the project ID for the current App Engine application. |
| 63 |
| 64 Returns: |
| 65 str: The project ID |
| 66 |
| 67 Raises: |
| 68 EnvironmentError: If the App Engine APIs are unavailable. |
| 69 """ |
| 70 # pylint: disable=missing-raises-doc |
| 71 # Pylint rightfully thinks EnvironmentError is OSError, but doesn't |
| 72 # realize it's a valid alias. |
| 73 if app_identity is None: |
| 74 raise EnvironmentError( |
| 75 'The App Engine APIs are not available.') |
| 76 return app_identity.get_application_id() |
| 77 |
| 78 |
| 79 class Credentials(credentials.Scoped, credentials.Signing, |
| 80 credentials.Credentials): |
| 81 """App Engine standard environment credentials. |
| 82 |
| 83 These credentials use the App Engine App Identity API to obtain access |
| 84 tokens. |
| 85 """ |
| 86 |
| 87 def __init__(self, scopes=None, service_account_id=None): |
| 88 """ |
| 89 Args: |
| 90 scopes (Sequence[str]): Scopes to request from the App Identity |
| 91 API. |
| 92 service_account_id (str): The service account ID passed into |
| 93 :func:`google.appengine.api.app_identity.get_access_token`. |
| 94 If not specified, the default application service account |
| 95 ID will be used. |
| 96 |
| 97 Raises: |
| 98 EnvironmentError: If the App Engine APIs are unavailable. |
| 99 """ |
| 100 # pylint: disable=missing-raises-doc |
| 101 # Pylint rightfully thinks EnvironmentError is OSError, but doesn't |
| 102 # realize it's a valid alias. |
| 103 if app_identity is None: |
| 104 raise EnvironmentError( |
| 105 'The App Engine APIs are not available.') |
| 106 |
| 107 super(Credentials, self).__init__() |
| 108 self._scopes = scopes |
| 109 self._service_account_id = service_account_id |
| 110 self._signer = Signer() |
| 111 |
| 112 @_helpers.copy_docstring(credentials.Credentials) |
| 113 def refresh(self, request): |
| 114 # pylint: disable=unused-argument |
| 115 token, ttl = app_identity.get_access_token( |
| 116 self._scopes, self._service_account_id) |
| 117 expiry = _helpers.utcnow() + datetime.timedelta(seconds=ttl) |
| 118 |
| 119 self.token, self.expiry = token, expiry |
| 120 |
| 121 @property |
| 122 def service_account_email(self): |
| 123 """The service account email.""" |
| 124 if self._service_account_id is None: |
| 125 self._service_account_id = app_identity.get_service_account_name() |
| 126 return self._service_account_id |
| 127 |
| 128 @property |
| 129 def requires_scopes(self): |
| 130 """Checks if the credentials requires scopes. |
| 131 |
| 132 Returns: |
| 133 bool: True if there are no scopes set otherwise False. |
| 134 """ |
| 135 return not self._scopes |
| 136 |
| 137 @_helpers.copy_docstring(credentials.Scoped) |
| 138 def with_scopes(self, scopes): |
| 139 return Credentials( |
| 140 scopes=scopes, service_account_id=self._service_account_id) |
| 141 |
| 142 @_helpers.copy_docstring(credentials.Signing) |
| 143 def sign_bytes(self, message): |
| 144 return self._signer.sign(message) |
| 145 |
| 146 @property |
| 147 @_helpers.copy_docstring(credentials.Signing) |
| 148 def signer_email(self): |
| 149 return self.service_account_email |
| 150 |
| 151 @property |
| 152 @_helpers.copy_docstring(credentials.Signing) |
| 153 def signer(self): |
| 154 return self._signer |
OLD | NEW |