Index: client/third_party/google/auth/jwt.py |
diff --git a/client/third_party/google/auth/jwt.py b/client/third_party/google/auth/jwt.py |
new file mode 100644 |
index 0000000000000000000000000000000000000000..b1eb5fb91e95e393b8246e60eeef2f846a2b7d3a |
--- /dev/null |
+++ b/client/third_party/google/auth/jwt.py |
@@ -0,0 +1,755 @@ |
+# Copyright 2016 Google Inc. |
+# |
+# Licensed under the Apache License, Version 2.0 (the "License"); |
+# you may not use this file except in compliance with the License. |
+# You may obtain a copy of the License at |
+# |
+# http://www.apache.org/licenses/LICENSE-2.0 |
+# |
+# Unless required by applicable law or agreed to in writing, software |
+# distributed under the License is distributed on an "AS IS" BASIS, |
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
+# See the License for the specific language governing permissions and |
+# limitations under the License. |
+ |
+"""JSON Web Tokens |
+ |
+Provides support for creating (encoding) and verifying (decoding) JWTs, |
+especially JWTs generated and consumed by Google infrastructure. |
+ |
+See `rfc7519`_ for more details on JWTs. |
+ |
+To encode a JWT use :func:`encode`:: |
+ |
+ from google.auth import crypto |
+ from google.auth import jwt |
+ |
+ signer = crypt.Signer(private_key) |
+ payload = {'some': 'payload'} |
+ encoded = jwt.encode(signer, payload) |
+ |
+To decode a JWT and verify claims use :func:`decode`:: |
+ |
+ claims = jwt.decode(encoded, certs=public_certs) |
+ |
+You can also skip verification:: |
+ |
+ claims = jwt.decode(encoded, verify=False) |
+ |
+.. _rfc7519: https://tools.ietf.org/html/rfc7519 |
+ |
+""" |
+ |
+import base64 |
+import collections |
+import copy |
+import datetime |
+import json |
+ |
+import cachetools |
+from six.moves import urllib |
+ |
+from google.auth import _helpers |
+from google.auth import _service_account_info |
+from google.auth import crypt |
+from google.auth import exceptions |
+import google.auth.credentials |
+ |
+_DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds |
+_DEFAULT_MAX_CACHE_SIZE = 10 |
+ |
+ |
+def encode(signer, payload, header=None, key_id=None): |
+ """Make a signed JWT. |
+ |
+ Args: |
+ signer (google.auth.crypt.Signer): The signer used to sign the JWT. |
+ payload (Mapping[str, str]): The JWT payload. |
+ header (Mapping[str, str]): Additional JWT header payload. |
+ key_id (str): The key id to add to the JWT header. If the |
+ signer has a key id it will be used as the default. If this is |
+ specified it will override the signer's key id. |
+ |
+ Returns: |
+ bytes: The encoded JWT. |
+ """ |
+ if header is None: |
+ header = {} |
+ |
+ if key_id is None: |
+ key_id = signer.key_id |
+ |
+ header.update({'typ': 'JWT', 'alg': 'RS256'}) |
+ |
+ if key_id is not None: |
+ header['kid'] = key_id |
+ |
+ segments = [ |
+ base64.urlsafe_b64encode(json.dumps(header).encode('utf-8')), |
+ base64.urlsafe_b64encode(json.dumps(payload).encode('utf-8')), |
+ ] |
+ |
+ signing_input = b'.'.join(segments) |
+ signature = signer.sign(signing_input) |
+ segments.append(base64.urlsafe_b64encode(signature)) |
+ |
+ return b'.'.join(segments) |
+ |
+ |
+def _decode_jwt_segment(encoded_section): |
+ """Decodes a single JWT segment.""" |
+ section_bytes = _helpers.padded_urlsafe_b64decode(encoded_section) |
+ try: |
+ return json.loads(section_bytes.decode('utf-8')) |
+ except ValueError: |
+ raise ValueError('Can\'t parse segment: {0}'.format(section_bytes)) |
+ |
+ |
+def _unverified_decode(token): |
+ """Decodes a token and does no verification. |
+ |
+ Args: |
+ token (Union[str, bytes]): The encoded JWT. |
+ |
+ Returns: |
+ Tuple[str, str, str, str]: header, payload, signed_section, and |
+ signature. |
+ |
+ Raises: |
+ ValueError: if there are an incorrect amount of segments in the token. |
+ """ |
+ token = _helpers.to_bytes(token) |
+ |
+ if token.count(b'.') != 2: |
+ raise ValueError( |
+ 'Wrong number of segments in token: {0}'.format(token)) |
+ |
+ encoded_header, encoded_payload, signature = token.split(b'.') |
+ signed_section = encoded_header + b'.' + encoded_payload |
+ signature = _helpers.padded_urlsafe_b64decode(signature) |
+ |
+ # Parse segments |
+ header = _decode_jwt_segment(encoded_header) |
+ payload = _decode_jwt_segment(encoded_payload) |
+ |
+ return header, payload, signed_section, signature |
+ |
+ |
+def decode_header(token): |
+ """Return the decoded header of a token. |
+ |
+ No verification is done. This is useful to extract the key id from |
+ the header in order to acquire the appropriate certificate to verify |
+ the token. |
+ |
+ Args: |
+ token (Union[str, bytes]): the encoded JWT. |
+ |
+ Returns: |
+ Mapping: The decoded JWT header. |
+ """ |
+ header, _, _, _ = _unverified_decode(token) |
+ return header |
+ |
+ |
+def _verify_iat_and_exp(payload): |
+ """Verifies the ``iat`` (Issued At) and ``exp`` (Expires) claims in a token |
+ payload. |
+ |
+ Args: |
+ payload (Mapping[str, str]): The JWT payload. |
+ |
+ Raises: |
+ ValueError: if any checks failed. |
+ """ |
+ now = _helpers.datetime_to_secs(_helpers.utcnow()) |
+ |
+ # Make sure the iat and exp claims are present. |
+ for key in ('iat', 'exp'): |
+ if key not in payload: |
+ raise ValueError( |
+ 'Token does not contain required claim {}'.format(key)) |
+ |
+ # Make sure the token wasn't issued in the future. |
+ iat = payload['iat'] |
+ # Err on the side of accepting a token that is slightly early to account |
+ # for clock skew. |
+ earliest = iat - _helpers.CLOCK_SKEW_SECS |
+ if now < earliest: |
+ raise ValueError('Token used too early, {} < {}'.format(now, iat)) |
+ |
+ # Make sure the token wasn't issued in the past. |
+ exp = payload['exp'] |
+ # Err on the side of accepting a token that is slightly out of date |
+ # to account for clow skew. |
+ latest = exp + _helpers.CLOCK_SKEW_SECS |
+ if latest < now: |
+ raise ValueError('Token expired, {} < {}'.format(latest, now)) |
+ |
+ |
+def decode(token, certs=None, verify=True, audience=None): |
+ """Decode and verify a JWT. |
+ |
+ Args: |
+ token (str): The encoded JWT. |
+ certs (Union[str, bytes, Mapping[str, Union[str, bytes]]]): The |
+ certificate used to validate the JWT signatyre. If bytes or string, |
+ it must the the public key certificate in PEM format. If a mapping, |
+ it must be a mapping of key IDs to public key certificates in PEM |
+ format. The mapping must contain the same key ID that's specified |
+ in the token's header. |
+ verify (bool): Whether to perform signature and claim validation. |
+ Verification is done by default. |
+ audience (str): The audience claim, 'aud', that this JWT should |
+ contain. If None then the JWT's 'aud' parameter is not verified. |
+ |
+ Returns: |
+ Mapping[str, str]: The deserialized JSON payload in the JWT. |
+ |
+ Raises: |
+ ValueError: if any verification checks failed. |
+ """ |
+ header, payload, signed_section, signature = _unverified_decode(token) |
+ |
+ if not verify: |
+ return payload |
+ |
+ # If certs is specified as a dictionary of key IDs to certificates, then |
+ # use the certificate identified by the key ID in the token header. |
+ if isinstance(certs, collections.Mapping): |
+ key_id = header.get('kid') |
+ if key_id: |
+ if key_id not in certs: |
+ raise ValueError( |
+ 'Certificate for key id {} not found.'.format(key_id)) |
+ certs_to_check = [certs[key_id]] |
+ # If there's no key id in the header, check against all of the certs. |
+ else: |
+ certs_to_check = certs.values() |
+ else: |
+ certs_to_check = certs |
+ |
+ # Verify that the signature matches the message. |
+ if not crypt.verify_signature(signed_section, signature, certs_to_check): |
+ raise ValueError('Could not verify token signature.') |
+ |
+ # Verify the issued at and created times in the payload. |
+ _verify_iat_and_exp(payload) |
+ |
+ # Check audience. |
+ if audience is not None: |
+ claim_audience = payload.get('aud') |
+ if audience != claim_audience: |
+ raise ValueError( |
+ 'Token has wrong audience {}, expected {}'.format( |
+ claim_audience, audience)) |
+ |
+ return payload |
+ |
+ |
+class Credentials(google.auth.credentials.Signing, |
+ google.auth.credentials.Credentials): |
+ """Credentials that use a JWT as the bearer token. |
+ |
+ These credentials require an "audience" claim. This claim identifies the |
+ intended recipient of the bearer token. |
+ |
+ The constructor arguments determine the claims for the JWT that is |
+ sent with requests. Usually, you'll construct these credentials with |
+ one of the helper constructors as shown in the next section. |
+ |
+ To create JWT credentials using a Google service account private key |
+ JSON file:: |
+ |
+ audience = 'https://pubsub.googleapis.com/google.pubsub.v1.Publisher' |
+ credentials = jwt.Credentials.from_service_account_file( |
+ 'service-account.json', |
+ audience=audience) |
+ |
+ If you already have the service account file loaded and parsed:: |
+ |
+ service_account_info = json.load(open('service_account.json')) |
+ credentials = jwt.Credentials.from_service_account_info( |
+ service_account_info, |
+ audience=audience) |
+ |
+ Both helper methods pass on arguments to the constructor, so you can |
+ specify the JWT claims:: |
+ |
+ credentials = jwt.Credentials.from_service_account_file( |
+ 'service-account.json', |
+ audience=audience, |
+ additional_claims={'meta': 'data'}) |
+ |
+ You can also construct the credentials directly if you have a |
+ :class:`~google.auth.crypt.Signer` instance:: |
+ |
+ credentials = jwt.Credentials( |
+ signer, |
+ issuer='your-issuer', |
+ subject='your-subject', |
+ audience=audience) |
+ |
+ The claims are considered immutable. If you want to modify the claims, |
+ you can easily create another instance using :meth:`with_claims`:: |
+ |
+ new_audience = ( |
+ 'https://pubsub.googleapis.com/google.pubsub.v1.Subscriber') |
+ new_credentials = credentials.with_claims(audience=new_audience) |
+ """ |
+ |
+ def __init__(self, signer, issuer, subject, audience, |
+ additional_claims=None, |
+ token_lifetime=_DEFAULT_TOKEN_LIFETIME_SECS): |
+ """ |
+ Args: |
+ signer (google.auth.crypt.Signer): The signer used to sign JWTs. |
+ issuer (str): The `iss` claim. |
+ subject (str): The `sub` claim. |
+ audience (str): the `aud` claim. The intended audience for the |
+ credentials. |
+ additional_claims (Mapping[str, str]): Any additional claims for |
+ the JWT payload. |
+ token_lifetime (int): The amount of time in seconds for |
+ which the token is valid. Defaults to 1 hour. |
+ """ |
+ super(Credentials, self).__init__() |
+ self._signer = signer |
+ self._issuer = issuer |
+ self._subject = subject |
+ self._audience = audience |
+ self._token_lifetime = token_lifetime |
+ |
+ if additional_claims is None: |
+ additional_claims = {} |
+ |
+ self._additional_claims = additional_claims |
+ |
+ @classmethod |
+ def _from_signer_and_info(cls, signer, info, **kwargs): |
+ """Creates a Credentials instance from a signer and service account |
+ info. |
+ |
+ Args: |
+ signer (google.auth.crypt.Signer): The signer used to sign JWTs. |
+ info (Mapping[str, str]): The service account info. |
+ kwargs: Additional arguments to pass to the constructor. |
+ |
+ Returns: |
+ google.auth.jwt.Credentials: The constructed credentials. |
+ |
+ Raises: |
+ ValueError: If the info is not in the expected format. |
+ """ |
+ kwargs.setdefault('subject', info['client_email']) |
+ kwargs.setdefault('issuer', info['client_email']) |
+ return cls(signer, **kwargs) |
+ |
+ @classmethod |
+ def from_service_account_info(cls, info, **kwargs): |
+ """Creates an Credentials instance from a dictionary. |
+ |
+ Args: |
+ info (Mapping[str, str]): The service account info in Google |
+ format. |
+ kwargs: Additional arguments to pass to the constructor. |
+ |
+ Returns: |
+ google.auth.jwt.Credentials: The constructed credentials. |
+ |
+ Raises: |
+ ValueError: If the info is not in the expected format. |
+ """ |
+ signer = _service_account_info.from_dict( |
+ info, require=['client_email']) |
+ return cls._from_signer_and_info(signer, info, **kwargs) |
+ |
+ @classmethod |
+ def from_service_account_file(cls, filename, **kwargs): |
+ """Creates a Credentials instance from a service account .json file |
+ in Google format. |
+ |
+ Args: |
+ filename (str): The path to the service account .json file. |
+ kwargs: Additional arguments to pass to the constructor. |
+ |
+ Returns: |
+ google.auth.jwt.Credentials: The constructed credentials. |
+ """ |
+ info, signer = _service_account_info.from_filename( |
+ filename, require=['client_email']) |
+ return cls._from_signer_and_info(signer, info, **kwargs) |
+ |
+ @classmethod |
+ def from_signing_credentials(cls, credentials, audience, **kwargs): |
+ """Creates a new :class:`google.auth.jwt.Credentials` instance from an |
+ existing :class:`google.auth.credentials.Signing` instance. |
+ |
+ The new instance will use the same signer as the existing instance and |
+ will use the existing instance's signer email as the issuer and |
+ subject by default. |
+ |
+ Example:: |
+ |
+ svc_creds = service_account.Credentials.from_service_account_file( |
+ 'service_account.json') |
+ audience = ( |
+ 'https://pubsub.googleapis.com/google.pubsub.v1.Publisher') |
+ jwt_creds = jwt.Credentials.from_signing_credentials( |
+ svc_creds, audience=audience) |
+ |
+ Args: |
+ credentials (google.auth.credentials.Signing): The credentials to |
+ use to construct the new credentials. |
+ audience (str): the `aud` claim. The intended audience for the |
+ credentials. |
+ kwargs: Additional arguments to pass to the constructor. |
+ |
+ Returns: |
+ google.auth.jwt.Credentials: A new Credentials instance. |
+ """ |
+ kwargs.setdefault('issuer', credentials.signer_email) |
+ kwargs.setdefault('subject', credentials.signer_email) |
+ return cls( |
+ credentials.signer, |
+ audience=audience, |
+ **kwargs) |
+ |
+ def with_claims(self, issuer=None, subject=None, audience=None, |
+ additional_claims=None): |
+ """Returns a copy of these credentials with modified claims. |
+ |
+ Args: |
+ issuer (str): The `iss` claim. If unspecified the current issuer |
+ claim will be used. |
+ subject (str): The `sub` claim. If unspecified the current subject |
+ claim will be used. |
+ audience (str): the `aud` claim. If unspecified the current |
+ audience claim will be used. |
+ additional_claims (Mapping[str, str]): Any additional claims for |
+ the JWT payload. This will be merged with the current |
+ additional claims. |
+ |
+ Returns: |
+ google.auth.jwt.Credentials: A new credentials instance. |
+ """ |
+ new_additional_claims = copy.deepcopy(self._additional_claims) |
+ new_additional_claims.update(additional_claims or {}) |
+ |
+ return Credentials( |
+ self._signer, |
+ issuer=issuer if issuer is not None else self._issuer, |
+ subject=subject if subject is not None else self._subject, |
+ audience=audience if audience is not None else self._audience, |
+ additional_claims=new_additional_claims) |
+ |
+ def _make_jwt(self): |
+ """Make a signed JWT. |
+ |
+ Returns: |
+ Tuple[bytes, datetime]: The encoded JWT and the expiration. |
+ """ |
+ now = _helpers.utcnow() |
+ lifetime = datetime.timedelta(seconds=self._token_lifetime) |
+ expiry = now + lifetime |
+ |
+ payload = { |
+ 'iss': self._issuer, |
+ 'sub': self._subject, |
+ 'iat': _helpers.datetime_to_secs(now), |
+ 'exp': _helpers.datetime_to_secs(expiry), |
+ 'aud': self._audience, |
+ } |
+ |
+ payload.update(self._additional_claims) |
+ |
+ jwt = encode(self._signer, payload) |
+ |
+ return jwt, expiry |
+ |
+ def refresh(self, request): |
+ """Refreshes the access token. |
+ |
+ Args: |
+ request (Any): Unused. |
+ """ |
+ # pylint: disable=unused-argument |
+ # (pylint doesn't correctly recognize overridden methods.) |
+ self.token, self.expiry = self._make_jwt() |
+ |
+ @_helpers.copy_docstring(google.auth.credentials.Signing) |
+ def sign_bytes(self, message): |
+ return self._signer.sign(message) |
+ |
+ @property |
+ @_helpers.copy_docstring(google.auth.credentials.Signing) |
+ def signer_email(self): |
+ return self._issuer |
+ |
+ @property |
+ @_helpers.copy_docstring(google.auth.credentials.Signing) |
+ def signer(self): |
+ return self._signer |
+ |
+ |
+class OnDemandCredentials( |
+ google.auth.credentials.Signing, |
+ google.auth.credentials.Credentials): |
+ """On-demand JWT credentials. |
+ |
+ Like :class:`Credentials`, this class uses a JWT as the bearer token for |
+ authentication. However, this class does not require the audience at |
+ construction time. Instead, it will generate a new token on-demand for |
+ each request using the request URI as the audience. It caches tokens |
+ so that multiple requests to the same URI do not incur the overhead |
+ of generating a new token every time. |
+ |
+ This behavior is especially useful for `gRPC`_ clients. A gRPC service may |
+ have multiple audience and gRPC clients may not know all of the audiences |
+ required for accessing a particular service. With these credentials, |
+ no knowledge of the audiences is required ahead of time. |
+ |
+ .. _grpc: http://www.grpc.io/ |
+ """ |
+ |
+ def __init__(self, signer, issuer, subject, |
+ additional_claims=None, |
+ token_lifetime=_DEFAULT_TOKEN_LIFETIME_SECS, |
+ max_cache_size=_DEFAULT_MAX_CACHE_SIZE): |
+ """ |
+ Args: |
+ signer (google.auth.crypt.Signer): The signer used to sign JWTs. |
+ issuer (str): The `iss` claim. |
+ subject (str): The `sub` claim. |
+ additional_claims (Mapping[str, str]): Any additional claims for |
+ the JWT payload. |
+ token_lifetime (int): The amount of time in seconds for |
+ which the token is valid. Defaults to 1 hour. |
+ max_cache_size (int): The maximum number of JWT tokens to keep in |
+ cache. Tokens are cached using :class:`cachetools.LRUCache`. |
+ """ |
+ super(OnDemandCredentials, self).__init__() |
+ self._signer = signer |
+ self._issuer = issuer |
+ self._subject = subject |
+ self._token_lifetime = token_lifetime |
+ |
+ if additional_claims is None: |
+ additional_claims = {} |
+ |
+ self._additional_claims = additional_claims |
+ self._cache = cachetools.LRUCache(maxsize=max_cache_size) |
+ |
+ @classmethod |
+ def _from_signer_and_info(cls, signer, info, **kwargs): |
+ """Creates an OnDemandCredentials instance from a signer and service |
+ account info. |
+ |
+ Args: |
+ signer (google.auth.crypt.Signer): The signer used to sign JWTs. |
+ info (Mapping[str, str]): The service account info. |
+ kwargs: Additional arguments to pass to the constructor. |
+ |
+ Returns: |
+ google.auth.jwt.OnDemandCredentials: The constructed credentials. |
+ |
+ Raises: |
+ ValueError: If the info is not in the expected format. |
+ """ |
+ kwargs.setdefault('subject', info['client_email']) |
+ kwargs.setdefault('issuer', info['client_email']) |
+ return cls(signer, **kwargs) |
+ |
+ @classmethod |
+ def from_service_account_info(cls, info, **kwargs): |
+ """Creates an OnDemandCredentials instance from a dictionary. |
+ |
+ Args: |
+ info (Mapping[str, str]): The service account info in Google |
+ format. |
+ kwargs: Additional arguments to pass to the constructor. |
+ |
+ Returns: |
+ google.auth.jwt.OnDemandCredentials: The constructed credentials. |
+ |
+ Raises: |
+ ValueError: If the info is not in the expected format. |
+ """ |
+ signer = _service_account_info.from_dict( |
+ info, require=['client_email']) |
+ return cls._from_signer_and_info(signer, info, **kwargs) |
+ |
+ @classmethod |
+ def from_service_account_file(cls, filename, **kwargs): |
+ """Creates an OnDemandCredentials instance from a service account .json |
+ file in Google format. |
+ |
+ Args: |
+ filename (str): The path to the service account .json file. |
+ kwargs: Additional arguments to pass to the constructor. |
+ |
+ Returns: |
+ google.auth.jwt.OnDemandCredentials: The constructed credentials. |
+ """ |
+ info, signer = _service_account_info.from_filename( |
+ filename, require=['client_email']) |
+ return cls._from_signer_and_info(signer, info, **kwargs) |
+ |
+ @classmethod |
+ def from_signing_credentials(cls, credentials, **kwargs): |
+ """Creates a new :class:`google.auth.jwt.OnDemandCredentials` instance |
+ from an existing :class:`google.auth.credentials.Signing` instance. |
+ |
+ The new instance will use the same signer as the existing instance and |
+ will use the existing instance's signer email as the issuer and |
+ subject by default. |
+ |
+ Example:: |
+ |
+ svc_creds = service_account.Credentials.from_service_account_file( |
+ 'service_account.json') |
+ jwt_creds = jwt.OnDemandCredentials.from_signing_credentials( |
+ svc_creds) |
+ |
+ Args: |
+ credentials (google.auth.credentials.Signing): The credentials to |
+ use to construct the new credentials. |
+ kwargs: Additional arguments to pass to the constructor. |
+ |
+ Returns: |
+ google.auth.jwt.Credentials: A new Credentials instance. |
+ """ |
+ kwargs.setdefault('issuer', credentials.signer_email) |
+ kwargs.setdefault('subject', credentials.signer_email) |
+ return cls(credentials.signer, **kwargs) |
+ |
+ def with_claims(self, issuer=None, subject=None, additional_claims=None): |
+ """Returns a copy of these credentials with modified claims. |
+ |
+ Args: |
+ issuer (str): The `iss` claim. If unspecified the current issuer |
+ claim will be used. |
+ subject (str): The `sub` claim. If unspecified the current subject |
+ claim will be used. |
+ additional_claims (Mapping[str, str]): Any additional claims for |
+ the JWT payload. This will be merged with the current |
+ additional claims. |
+ |
+ Returns: |
+ google.auth.jwt.OnDemandCredentials: A new credentials instance. |
+ """ |
+ new_additional_claims = copy.deepcopy(self._additional_claims) |
+ new_additional_claims.update(additional_claims or {}) |
+ |
+ return OnDemandCredentials( |
+ self._signer, |
+ issuer=issuer if issuer is not None else self._issuer, |
+ subject=subject if subject is not None else self._subject, |
+ additional_claims=new_additional_claims, |
+ max_cache_size=self._cache.maxsize) |
+ |
+ @property |
+ def valid(self): |
+ """Checks the validity of the credentials. |
+ |
+ These credentials are always valid because it generates tokens on |
+ demand. |
+ """ |
+ return True |
+ |
+ def _make_jwt_for_audience(self, audience): |
+ """Make a new JWT for the given audience. |
+ |
+ Args: |
+ audience (str): The intended audience. |
+ |
+ Returns: |
+ Tuple[bytes, datetime]: The encoded JWT and the expiration. |
+ """ |
+ now = _helpers.utcnow() |
+ lifetime = datetime.timedelta(seconds=self._token_lifetime) |
+ expiry = now + lifetime |
+ |
+ payload = { |
+ 'iss': self._issuer, |
+ 'sub': self._subject, |
+ 'iat': _helpers.datetime_to_secs(now), |
+ 'exp': _helpers.datetime_to_secs(expiry), |
+ 'aud': audience, |
+ } |
+ |
+ payload.update(self._additional_claims) |
+ |
+ jwt = encode(self._signer, payload) |
+ |
+ return jwt, expiry |
+ |
+ def _get_jwt_for_audience(self, audience): |
+ """Get a JWT For a given audience. |
+ |
+ If there is already an existing, non-expired token in the cache for |
+ the audience, that token is used. Otherwise, a new token will be |
+ created. |
+ |
+ Args: |
+ audience (str): The intended audience. |
+ |
+ Returns: |
+ bytes: The encoded JWT. |
+ """ |
+ token, expiry = self._cache.get(audience, (None, None)) |
+ |
+ if token is None or expiry < _helpers.utcnow(): |
+ token, expiry = self._make_jwt_for_audience(audience) |
+ self._cache[audience] = token, expiry |
+ |
+ return token |
+ |
+ def refresh(self, request): |
+ """Raises an exception, these credentials can not be directly |
+ refreshed. |
+ |
+ Args: |
+ request (Any): Unused. |
+ |
+ Raises: |
+ google.auth.RefreshError |
+ """ |
+ # pylint: disable=unused-argument |
+ # (pylint doesn't correctly recognize overridden methods.) |
+ raise exceptions.RefreshError( |
+ 'OnDemandCredentials can not be directly refreshed.') |
+ |
+ def before_request(self, request, method, url, headers): |
+ """Performs credential-specific before request logic. |
+ |
+ Args: |
+ request (Any): Unused. JWT credentials do not need to make an |
+ HTTP request to refresh. |
+ method (str): The request's HTTP method. |
+ url (str): The request's URI. This is used as the audience claim |
+ when generating the JWT. |
+ headers (Mapping): The request's headers. |
+ """ |
+ # pylint: disable=unused-argument |
+ # (pylint doesn't correctly recognize overridden methods.) |
+ parts = urllib.parse.urlsplit(url) |
+ # Strip query string and fragment |
+ audience = urllib.parse.urlunsplit( |
+ (parts.scheme, parts.netloc, parts.path, None, None)) |
+ token = self._get_jwt_for_audience(audience) |
+ self.apply(headers, token=token) |
+ |
+ @_helpers.copy_docstring(google.auth.credentials.Signing) |
+ def sign_bytes(self, message): |
+ return self._signer.sign(message) |
+ |
+ @property |
+ @_helpers.copy_docstring(google.auth.credentials.Signing) |
+ def signer_email(self): |
+ return self._issuer |
+ |
+ @property |
+ @_helpers.copy_docstring(google.auth.credentials.Signing) |
+ def signer(self): |
+ return self._signer |