| # Copyright 2016 Google Inc. |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
| """Google App Engine standard environment support. |
| |
| This module provides authentication and signing for applications running on App |
| Engine in the standard environment using the `App Identity API`_. |
| |
| |
| .. _App Identity API: |
| https://cloud.google.com/appengine/docs/python/appidentity/ |
| """ |
| |
| import datetime |
| |
| from google.auth import _helpers |
| from google.auth import credentials |
| |
| try: |
| from google.appengine.api import app_identity |
| except ImportError: |
| app_identity = None |
| |
| |
| class Signer(object): |
| """Signs messages using the App Engine App Identity service. |
| |
| This can be used in place of :class:`google.auth.crypt.Signer` when |
| running in the App Engine standard environment. |
| |
| .. warning:: |
| The App Identity service signs bytes using Google-managed keys. |
| Because of this it's possible that the key used to sign bytes will |
| change. In some cases this change can occur between successive calls |
| to :attr:`key_id` and :meth:`sign`. This could result in a signature |
| that was signed with a different key than the one indicated by |
| :attr:`key_id`. It's recommended that if you use this in your code |
| that you account for this behavior by building in retry logic. |
| """ |
| |
| @property |
| def key_id(self): |
| """Optional[str]: The key ID used to identify this private key. |
| |
| .. note:: |
| This makes a request to the App Identity service. |
| """ |
| key_id, _ = app_identity.sign_blob(b'') |
| return key_id |
| |
| @staticmethod |
| def sign(message): |
| """Signs a message. |
| |
| Args: |
| message (Union[str, bytes]): The message to be signed. |
| |
| Returns: |
| bytes: The signature of the message. |
| """ |
| message = _helpers.to_bytes(message) |
| _, signature = app_identity.sign_blob(message) |
| return signature |
| |
| |
| def get_project_id(): |
| """Gets the project ID for the current App Engine application. |
| |
| Returns: |
| str: The project ID |
| |
| Raises: |
| EnvironmentError: If the App Engine APIs are unavailable. |
| """ |
| # pylint: disable=missing-raises-doc |
| # Pylint rightfully thinks EnvironmentError is OSError, but doesn't |
| # realize it's a valid alias. |
| if app_identity is None: |
| raise EnvironmentError( |
| 'The App Engine APIs are not available.') |
| return app_identity.get_application_id() |
| |
| |
| class Credentials(credentials.Scoped, credentials.Signing, |
| credentials.Credentials): |
| """App Engine standard environment credentials. |
| |
| These credentials use the App Engine App Identity API to obtain access |
| tokens. |
| """ |
| |
| def __init__(self, scopes=None, service_account_id=None): |
| """ |
| Args: |
| scopes (Sequence[str]): Scopes to request from the App Identity |
| API. |
| service_account_id (str): The service account ID passed into |
| :func:`google.appengine.api.app_identity.get_access_token`. |
| If not specified, the default application service account |
| ID will be used. |
| |
| Raises: |
| EnvironmentError: If the App Engine APIs are unavailable. |
| """ |
| # pylint: disable=missing-raises-doc |
| # Pylint rightfully thinks EnvironmentError is OSError, but doesn't |
| # realize it's a valid alias. |
| if app_identity is None: |
| raise EnvironmentError( |
| 'The App Engine APIs are not available.') |
| |
| super(Credentials, self).__init__() |
| self._scopes = scopes |
| self._service_account_id = service_account_id |
| self._signer = Signer() |
| |
| @_helpers.copy_docstring(credentials.Credentials) |
| def refresh(self, request): |
| # pylint: disable=unused-argument |
| token, ttl = app_identity.get_access_token( |
| self._scopes, self._service_account_id) |
| expiry = _helpers.utcnow() + datetime.timedelta(seconds=ttl) |
| |
| self.token, self.expiry = token, expiry |
| |
| @property |
| def service_account_email(self): |
| """The service account email.""" |
| if self._service_account_id is None: |
| self._service_account_id = app_identity.get_service_account_name() |
| return self._service_account_id |
| |
| @property |
| def requires_scopes(self): |
| """Checks if the credentials requires scopes. |
| |
| Returns: |
| bool: True if there are no scopes set otherwise False. |
| """ |
| return not self._scopes |
| |
| @_helpers.copy_docstring(credentials.Scoped) |
| def with_scopes(self, scopes): |
| return Credentials( |
| scopes=scopes, service_account_id=self._service_account_id) |
| |
| @_helpers.copy_docstring(credentials.Signing) |
| def sign_bytes(self, message): |
| return self._signer.sign(message) |
| |
| @property |
| @_helpers.copy_docstring(credentials.Signing) |
| def signer_email(self): |
| return self.service_account_email |
| |
| @property |
| @_helpers.copy_docstring(credentials.Signing) |
| def signer(self): |
| return self._signer |
