Google Git
Sign in
android / platform / external / adt-infra / 633951cf054fe937eab7ff3ebe151ed72966f41e / . / build / third_party / gcs_oauth2_boto_plugin / oauth2_client.py
blob: d68c6e5114f21036f41d6d7dc05073f1e6b67ec9 [file] [log] [blame]
# Copyright 2014 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""An OAuth2 client library.
This library provides a client implementation of the OAuth2 protocol (see
https://developers.google.com/storage/docs/authentication.html#oauth).
**** Experimental API ****
This module is experimental and is subject to modification or removal without
notice.
"""
# This implementation is a wrapper around the oauth2client implementation
# that implements caching of access tokens independent of refresh
# tokens (in the python API client oauth2client, there is a single class that
# encapsulates both refresh and access tokens).
from __future__ import absolute_import
import cgi
import datetime
import errno
from hashlib import sha1
import json
import logging
import os
import socket
import tempfile
import threading
import urllib
if os.environ.get('USER_AGENT'):
import boto
boto.UserAgent += os.environ.get('USER_AGENT')
from boto import config
import httplib2
from oauth2client import service_account
from oauth2client.client import AccessTokenRefreshError
from oauth2client.client import Credentials
from oauth2client.client import EXPIRY_FORMAT
from oauth2client.client import HAS_CRYPTO
from oauth2client.client import OAuth2Credentials
from retry_decorator.retry_decorator import retry as Retry
import socks
if HAS_CRYPTO:
from oauth2client.client import SignedJwtAssertionCredentials
LOG = logging.getLogger('oauth2_client')
# Lock used for checking/exchanging refresh token, so multithreaded
# operation doesn't attempt concurrent refreshes.
token_exchange_lock = threading.Lock()
DEFAULT_SCOPE = 'https://www.googleapis.com/auth/devstorage.full_control'
METADATA_SERVER = 'http://metadata.google.internal'
META_TOKEN_URI = (METADATA_SERVER + '/computeMetadata/v1/instance/'
'service-accounts/default/token')
META_HEADERS = {
'X-Google-Metadata-Request': 'True'
}
# Note: this is copied from gsutil's gslib.cred_types. It should be kept in
# sync. Also note that this library does not use HMAC, but it's preserved from
# gsutil's copy to maintain compatibility.
class CredTypes(object):
HMAC = "HMAC"
OAUTH2_SERVICE_ACCOUNT = "OAuth 2.0 Service Account"
OAUTH2_USER_ACCOUNT = "Oauth 2.0 User Account"
GCE = "GCE"
class Error(Exception):
"""Base exception for the OAuth2 module."""
pass
class AuthorizationCodeExchangeError(Error):
"""Error trying to exchange an authorization code into a refresh token."""
pass
class TokenCache(object):
"""Interface for OAuth2 token caches."""
def PutToken(self, key, value):
raise NotImplementedError
def GetToken(self, key):
raise NotImplementedError
class NoopTokenCache(TokenCache):
"""A stub implementation of TokenCache that does nothing."""
def PutToken(self, key, value):
pass
def GetToken(self, key):
return None
class InMemoryTokenCache(TokenCache):
"""An in-memory token cache.
The cache is implemented by a python dict, and inherits the thread-safety
properties of dict.
"""
def __init__(self):
super(InMemoryTokenCache, self).__init__()
self.cache = dict()
def PutToken(self, key, value):
LOG.debug('InMemoryTokenCache.PutToken: key=%s', key)
self.cache[key] = value
def GetToken(self, key):
value = self.cache.get(key, None)
LOG.debug('InMemoryTokenCache.GetToken: key=%s%s present',
key, ' not' if value is None else '')
return value
class FileSystemTokenCache(TokenCache):
"""An implementation of a token cache that persists tokens on disk.
Each token object in the cache is stored in serialized form in a separate
file. The cache file's name can be configured via a path pattern that is
parameterized by the key under which a value is cached and optionally the
current processes uid as obtained by os.getuid().
Since file names are generally publicly visible in the system, it is important
that the cache key does not leak information about the token's value. If
client code computes cache keys from token values, a cryptographically strong
one-way function must be used.
"""
def __init__(self, path_pattern=None):
"""Creates a FileSystemTokenCache.
Args:
path_pattern: Optional string argument to specify the path pattern for
cache files. The argument should be a path with format placeholders
'%(key)s' and optionally '%(uid)s'. If the argument is omitted, the
default pattern
<tmpdir>/oauth2client-tokencache.%(uid)s.%(key)s
is used, where <tmpdir> is replaced with the system temp dir as
obtained from tempfile.gettempdir().
"""
super(FileSystemTokenCache, self).__init__()
self.path_pattern = path_pattern
if not path_pattern:
self.path_pattern = os.path.join(
tempfile.gettempdir(), 'oauth2_client-tokencache.%(uid)s.%(key)s')
def CacheFileName(self, key):
uid = '_'
try:
# os.getuid() doesn't seem to work in Windows
uid = str(os.getuid())
except:
pass
return self.path_pattern % {'key': key, 'uid': uid}
def PutToken(self, key, value):
"""Serializes the value to the key's filename.
To ensure that written tokens aren't leaked to a different users, we
a) unlink an existing cache file, if any (to ensure we don't fall victim
to symlink attacks and the like),
b) create a new file with O_CREAT | O_EXCL (to ensure nobody is trying to
race us)
If either of these steps fail, we simply give up (but log a warning). Not
caching access tokens is not catastrophic, and failure to create a file
can happen for either of the following reasons:
- someone is attacking us as above, in which case we want to default to
safe operation (not write the token);
- another legitimate process is racing us; in this case one of the two
will win and write the access token, which is fine;
- we don't have permission to remove the old file or write to the
specified directory, in which case we can't recover
Args:
key: the hash key to store.
value: the access_token value to serialize.
"""
cache_file = self.CacheFileName(key)
LOG.debug('FileSystemTokenCache.PutToken: key=%s, cache_file=%s',
key, cache_file)
try:
os.unlink(cache_file)
except:
# Ignore failure to unlink the file; if the file exists and can't be
# unlinked, the subsequent open with O_CREAT | O_EXCL will fail.
pass
flags = os.O_RDWR | os.O_CREAT | os.O_EXCL
# Accommodate Windows; stolen from python2.6/tempfile.py.
if hasattr(os, 'O_NOINHERIT'):
flags |= os.O_NOINHERIT
if hasattr(os, 'O_BINARY'):
flags |= os.O_BINARY
try:
fd = os.open(cache_file, flags, 0600)
except (OSError, IOError) as e:
LOG.warning('FileSystemTokenCache.PutToken: '
'Failed to create cache file %s: %s', cache_file, e)
return
f = os.fdopen(fd, 'w+b')
f.write(value.Serialize())
f.close()
def GetToken(self, key):
"""Returns a deserialized access token from the key's filename."""
value = None
cache_file = self.CacheFileName(key)
try:
f = open(cache_file)
value = AccessToken.UnSerialize(f.read())
f.close()
except (IOError, OSError) as e:
if e.errno != errno.ENOENT:
LOG.warning('FileSystemTokenCache.GetToken: '
'Failed to read cache file %s: %s', cache_file, e)
except Exception as e:
LOG.warning('FileSystemTokenCache.GetToken: '
'Failed to read cache file %s (possibly corrupted): %s',
cache_file, e)
LOG.debug('FileSystemTokenCache.GetToken: key=%s%s present (cache_file=%s)',
key, ' not' if value is None else '', cache_file)
return value
class OAuth2Client(object):
"""Common logic for OAuth2 clients."""
def __init__(self, cache_key_base, access_token_cache=None,
datetime_strategy=datetime.datetime, auth_uri=None,
token_uri=None, disable_ssl_certificate_validation=False,
proxy_host=None, proxy_port=None, proxy_user=None,
proxy_pass=None, ca_certs_file=None):
# datetime_strategy is used to invoke utcnow() on; it is injected into the
# constructor for unit testing purposes.
self.auth_uri = auth_uri
self.token_uri = token_uri
self.cache_key_base = cache_key_base
self.datetime_strategy = datetime_strategy
self.access_token_cache = access_token_cache or InMemoryTokenCache()
self.disable_ssl_certificate_validation = disable_ssl_certificate_validation
self.ca_certs_file = ca_certs_file
if proxy_host and proxy_port:
self._proxy_info = httplib2.ProxyInfo(socks.PROXY_TYPE_HTTP,
proxy_host,
proxy_port,
proxy_user=proxy_user,
proxy_pass=proxy_pass,
proxy_rdns=True)
else:
self._proxy_info = None
def CreateHttpRequest(self):
return httplib2.Http(
ca_certs=self.ca_certs_file,
disable_ssl_certificate_validation=(
self.disable_ssl_certificate_validation),
proxy_info=self._proxy_info)
def GetAccessToken(self):
"""Obtains an access token for this client.
This client's access token cache is first checked for an existing,
not-yet-expired access token. If none is found, the client obtains a fresh
access token from the OAuth2 provider's token endpoint.
Returns:
The cached or freshly obtained AccessToken.
Raises:
AccessTokenRefreshError if an error occurs.
"""
# Ensure only one thread at a time attempts to get (and possibly refresh)
# the access token. This doesn't prevent concurrent refresh attempts across
# multiple gsutil instances, but at least protects against multiple threads
# simultaneously attempting to refresh when gsutil -m is used.
token_exchange_lock.acquire()
try:
cache_key = self.CacheKey()
LOG.debug('GetAccessToken: checking cache for key %s', cache_key)
access_token = self.access_token_cache.GetToken(cache_key)
LOG.debug('GetAccessToken: token from cache: %s', access_token)
if access_token is None or access_token.ShouldRefresh():
LOG.debug('GetAccessToken: fetching fresh access token...')
access_token = self.FetchAccessToken()
LOG.debug('GetAccessToken: fresh access token: %s', access_token)
self.access_token_cache.PutToken(cache_key, access_token)
return access_token
finally:
token_exchange_lock.release()
def CacheKey(self):
"""Computes a cache key.
The cache key is computed as the SHA1 hash of the refresh token for user
accounts, or the hash of the gs_service_client_id for service accounts,
which satisfies the FileSystemTokenCache requirement that cache keys do not
leak information about token values.
Returns:
A hash key.
"""
h = sha1()
h.update(self.cache_key_base)
return h.hexdigest()
def GetAuthorizationHeader(self):
"""Gets the access token HTTP authorization header value.
Returns:
The value of an Authorization HTTP header that authenticates
requests with an OAuth2 access token.
"""
return 'Bearer %s' % self.GetAccessToken().token
class _BaseOAuth2ServiceAccountClient(OAuth2Client):
"""Base class for OAuth2ServiceAccountClients.
Args:
client_id: The OAuth2 client ID of this client.
access_token_cache: An optional instance of a TokenCache. If omitted or
None, an InMemoryTokenCache is used.
auth_uri: The URI for OAuth2 authorization.
token_uri: The URI used to refresh access tokens.
datetime_strategy: datetime module strategy to use.
disable_ssl_certificate_validation: True if certifications should not be
validated.
proxy_host: An optional string specifying the host name of an HTTP proxy
to be used.
proxy_port: An optional int specifying the port number of an HTTP proxy
to be used.
proxy_user: An optional string specifying the user name for interacting
with the HTTP proxy.
proxy_pass: An optional string specifying the password for interacting
with the HTTP proxy.
ca_certs_file: The cacerts.txt file to use.
"""
def __init__(self, client_id, access_token_cache=None, auth_uri=None,
token_uri=None, datetime_strategy=datetime.datetime,
disable_ssl_certificate_validation=False,
proxy_host=None, proxy_port=None, proxy_user=None,
proxy_pass=None, ca_certs_file=None):
super(_BaseOAuth2ServiceAccountClient, self).__init__(
cache_key_base=client_id, auth_uri=auth_uri, token_uri=token_uri,
access_token_cache=access_token_cache,
datetime_strategy=datetime_strategy,
disable_ssl_certificate_validation=disable_ssl_certificate_validation,
proxy_host=proxy_host, proxy_port=proxy_port, proxy_user=proxy_user,
proxy_pass=proxy_pass, ca_certs_file=ca_certs_file)
self._client_id = client_id
def FetchAccessToken(self):
credentials = self.GetCredentials()
http = self.CreateHttpRequest()
credentials.refresh(http)
return AccessToken(credentials.access_token, credentials.token_expiry,
datetime_strategy=self.datetime_strategy)
class OAuth2ServiceAccountClient(_BaseOAuth2ServiceAccountClient):
"""An OAuth2 service account client using .p12 or .pem keys."""
def __init__(self, client_id, private_key, password,
access_token_cache=None, auth_uri=None, token_uri=None,
datetime_strategy=datetime.datetime,
disable_ssl_certificate_validation=False,
proxy_host=None, proxy_port=None, proxy_user=None,
proxy_pass=None, ca_certs_file=None):
# Avoid long repeated kwargs list.
# pylint: disable=g-doc-args
"""Creates an OAuth2ServiceAccountClient.
Args:
client_id: The OAuth2 client ID of this client.
private_key: The private key associated with this service account.
password: The private key password used for the crypto signer.
Keyword arguments match the _BaseOAuth2ServiceAccountClient class.
"""
# pylint: enable=g-doc-args
super(OAuth2ServiceAccountClient, self).__init__(
client_id, auth_uri=auth_uri, token_uri=token_uri,
access_token_cache=access_token_cache,
datetime_strategy=datetime_strategy,
disable_ssl_certificate_validation=disable_ssl_certificate_validation,
proxy_host=proxy_host, proxy_port=proxy_port, proxy_user=proxy_user,
proxy_pass=proxy_pass, ca_certs_file=ca_certs_file)
self._private_key = private_key
self._password = password
def GetCredentials(self):
if HAS_CRYPTO:
return SignedJwtAssertionCredentials(
self._client_id, self._private_key, scope=DEFAULT_SCOPE,
private_key_password=self._password)
else:
raise MissingDependencyError(
'Service account authentication requires PyOpenSSL. Please install '
'this library and try again.')
# TODO: oauth2client should expose _ServiceAccountCredentials as it is the only
# way to properly set scopes. In the longer term this class should probably
# be refactored into oauth2client directly in a way that allows for setting of
# user agent and scopes. https://github.com/google/oauth2client/issues/164
# pylint: disable=protected-access
class ServiceAccountCredentials(service_account._ServiceAccountCredentials):
def to_json(self):
self.service_account_name = self._service_account_email
strip = (['_private_key'] +
Credentials.NON_SERIALIZED_MEMBERS)
return super(ServiceAccountCredentials, self)._to_json(strip)
@classmethod
def from_json(cls, s):
try:
data = json.loads(s)
retval = ServiceAccountCredentials(
service_account_id=data['_service_account_id'],
service_account_email=data['_service_account_email'],
private_key_id=data['_private_key_id'],
private_key_pkcs8_text=data['_private_key_pkcs8_text'],
scopes=[DEFAULT_SCOPE])
# TODO: Need to define user agent here,
# but it is not known until runtime.
retval.invalid = data['invalid']
retval.access_token = data['access_token']
if 'token_expiry' in data:
retval.token_expiry = datetime.datetime.strptime(
data['token_expiry'], EXPIRY_FORMAT)
return retval
except KeyError, e:
raise Exception('Your JSON credentials are invalid; '
'missing required entry %s.' % e[0])
# pylint: enable=protected-access
class OAuth2JsonServiceAccountClient(_BaseOAuth2ServiceAccountClient):
"""An OAuth2 service account client using .json keys."""
def __init__(self, client_id, service_account_email, private_key_id,
private_key_pkcs8_text, access_token_cache=None, auth_uri=None,
token_uri=None, datetime_strategy=datetime.datetime,
disable_ssl_certificate_validation=False,
proxy_host=None, proxy_port=None, proxy_user=None,
proxy_pass=None, ca_certs_file=None):
# Avoid long repeated kwargs list.
# pylint: disable=g-doc-args
"""Creates an OAuth2JsonServiceAccountClient.
Args:
client_id: The OAuth2 client ID of this client.
client_email: The email associated with this client.
private_key_id: The private key id associated with this service account.
private_key_pkcs8_text: The pkcs8 text containing the private key data.
Keyword arguments match the _BaseOAuth2ServiceAccountClient class.
"""
# pylint: enable=g-doc-args
super(OAuth2JsonServiceAccountClient, self).__init__(
client_id, auth_uri=auth_uri, token_uri=token_uri,
access_token_cache=access_token_cache,
datetime_strategy=datetime_strategy,
disable_ssl_certificate_validation=disable_ssl_certificate_validation,
proxy_host=proxy_host, proxy_port=proxy_port, proxy_user=proxy_user,
proxy_pass=proxy_pass, ca_certs_file=ca_certs_file)
self._service_account_email = service_account_email
self._private_key_id = private_key_id
self._private_key_pkcs8_text = private_key_pkcs8_text
def GetCredentials(self):
return ServiceAccountCredentials(
service_account_id=self._client_id,
service_account_email=self._service_account_email,
private_key_id=self._private_key_id,
private_key_pkcs8_text=self._private_key_pkcs8_text,
scopes=[DEFAULT_SCOPE])
# TODO: Need to plumb user agent through here.
class GsAccessTokenRefreshError(Exception):
"""Transient error when requesting access token."""
def __init__(self, e):
super(Exception, self).__init__(e)
class GsInvalidRefreshTokenError(Exception):
def __init__(self, e):
super(Exception, self).__init__(e)
class MissingDependencyError(Exception):
def __init__(self, e):
super(Exception, self).__init__(e)
class OAuth2UserAccountClient(OAuth2Client):
"""An OAuth2 client."""
def __init__(self, token_uri, client_id, client_secret, refresh_token,
auth_uri=None, access_token_cache=None,
datetime_strategy=datetime.datetime,
disable_ssl_certificate_validation=False,
proxy_host=None, proxy_port=None, proxy_user=None,
proxy_pass=None, ca_certs_file=None):
"""Creates an OAuth2UserAccountClient.
Args:
token_uri: The URI used to refresh access tokens.
client_id: The OAuth2 client ID of this client.
client_secret: The OAuth2 client secret of this client.
refresh_token: The token used to refresh the access token.
auth_uri: The URI for OAuth2 authorization.
access_token_cache: An optional instance of a TokenCache. If omitted or
None, an InMemoryTokenCache is used.
datetime_strategy: datetime module strategy to use.
disable_ssl_certificate_validation: True if certifications should not be
validated.
proxy_host: An optional string specifying the host name of an HTTP proxy
to be used.
proxy_port: An optional int specifying the port number of an HTTP proxy
to be used.
proxy_user: An optional string specifying the user name for interacting
with the HTTP proxy.
proxy_pass: An optional string specifying the password for interacting
with the HTTP proxy.
ca_certs_file: The cacerts.txt file to use.
"""
super(OAuth2UserAccountClient, self).__init__(
cache_key_base=refresh_token, auth_uri=auth_uri, token_uri=token_uri,
access_token_cache=access_token_cache,
datetime_strategy=datetime_strategy,
disable_ssl_certificate_validation=disable_ssl_certificate_validation,
proxy_host=proxy_host, proxy_port=proxy_port, proxy_user=proxy_user,
proxy_pass=proxy_pass, ca_certs_file=ca_certs_file)
self.token_uri = token_uri
self.client_id = client_id
self.client_secret = client_secret
self.refresh_token = refresh_token
def GetCredentials(self):
"""Fetches a credentials objects from the provider's token endpoint."""
access_token = self.GetAccessToken()
credentials = OAuth2Credentials(
access_token.token, self.client_id, self.client_secret,
self.refresh_token, access_token.expiry, self.token_uri, None)
return credentials
@Retry(GsAccessTokenRefreshError,
tries=config.get('OAuth2', 'oauth2_refresh_retries', 6),
timeout_secs=1)
def FetchAccessToken(self):
"""Fetches an access token from the provider's token endpoint.
Fetches an access token from this client's OAuth2 provider's token endpoint.
Returns:
The fetched AccessToken.
"""
try:
http = self.CreateHttpRequest()
credentials = OAuth2Credentials(None, self.client_id, self.client_secret,
self.refresh_token, None, self.token_uri, None)
credentials.refresh(http)
return AccessToken(credentials.access_token,
credentials.token_expiry, datetime_strategy=self.datetime_strategy)
except AccessTokenRefreshError, e:
if 'Invalid response 403' in e.message:
# This is the most we can do at the moment to accurately detect rate
# limiting errors since they come back as 403s with no further
# information.
raise GsAccessTokenRefreshError(e)
elif 'invalid_grant' in e.message:
LOG.info("""
Attempted to retrieve an access token from an invalid refresh token. Two common
cases in which you will see this error are:
1. Your refresh token was revoked.
2. Your refresh token was typed incorrectly.
""")
raise GsInvalidRefreshTokenError(e)
else:
raise
class OAuth2GCEClient(OAuth2Client):
"""OAuth2 client for GCE instance."""
def __init__(self):
super(OAuth2GCEClient, self).__init__(
cache_key_base='',
# Only InMemoryTokenCache can be used with empty cache_key_base.
access_token_cache=InMemoryTokenCache())
@Retry(GsAccessTokenRefreshError,
tries=6,
timeout_secs=1)
def FetchAccessToken(self):
response = None
try:
http = httplib2.Http()
response, content = http.request(META_TOKEN_URI, method='GET',
body=None, headers=META_HEADERS)
except Exception:
raise GsAccessTokenRefreshError()
if response.status == 200:
d = json.loads(content)
return AccessToken(
d['access_token'],
datetime.datetime.now() +
datetime.timedelta(seconds=d.get('expires_in', 0)),
datetime_strategy=self.datetime_strategy)
def _IsGCE():
try:
http = httplib2.Http()
response, _ = http.request(METADATA_SERVER)
return response.status == 200
except (httplib2.ServerNotFoundError, socket.error):
# We might see something like "No route to host" propagated as a socket
# error. We might also catch transient socket errors, but at that point
# we're going to fail anyway, just with a different error message. With
# this approach, we'll avoid having to enumerate all possible non-transient
# socket errors.
return False
except Exception, e:
LOG.warning("Failed to determine whether we're running on GCE, so we'll"
"assume that we aren't: %s", e)
return False
return False
def CreateOAuth2GCEClient():
return OAuth2GCEClient() if _IsGCE() else None
class AccessToken(object):
"""Encapsulates an OAuth2 access token."""
def __init__(self, token, expiry, datetime_strategy=datetime.datetime):
self.token = token
self.expiry = expiry
self.datetime_strategy = datetime_strategy
@staticmethod
def UnSerialize(query):
"""Creates an AccessToken object from its serialized form."""
def GetValue(d, key):
return (d.get(key, [None]))[0]
kv = cgi.parse_qs(query)
if not kv['token']:
return None
expiry = None
expiry_tuple = GetValue(kv, 'expiry')
if expiry_tuple:
try:
expiry = datetime.datetime(
*[int(n) for n in expiry_tuple.split(',')])
except:
return None
return AccessToken(GetValue(kv, 'token'), expiry)
def Serialize(self):
"""Serializes this object as URI-encoded key-value pairs."""
# There's got to be a better way to serialize a datetime. Unfortunately,
# there is no reliable way to convert into a unix epoch.
kv = {'token': self.token}
if self.expiry:
t = self.expiry
tupl = (t.year, t.month, t.day, t.hour, t.minute, t.second, t.microsecond)
kv['expiry'] = ','.join([str(i) for i in tupl])
return urllib.urlencode(kv)
def ShouldRefresh(self, time_delta=300):
"""Whether the access token needs to be refreshed.
Args:
time_delta: refresh access token when it expires within time_delta secs.
Returns:
True if the token is expired or about to expire, False if the
token should be expected to work. Note that the token may still
be rejected, e.g. if it has been revoked server-side.
"""
if self.expiry is None:
return False
return (self.datetime_strategy.utcnow()
+ datetime.timedelta(seconds=time_delta) > self.expiry)
def __eq__(self, other):
return self.token == other.token and self.expiry == other.expiry
def __ne__(self, other):
return not self.__eq__(other)
def __str__(self):
return 'AccessToken(token=%s, expiry=%sZ)' % (self.token, self.expiry)