1# Copyright 2014 Google Inc. All rights reserved. 2# 3# Licensed under the Apache License, Version 2.0 (the "License"); 4# you may not use this file except in compliance with the License. 5# You may obtain a copy of the License at 6# 7# http://www.apache.org/licenses/LICENSE-2.0 8# 9# Unless required by applicable law or agreed to in writing, software 10# distributed under the License is distributed on an "AS IS" BASIS, 11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12# See the License for the specific language governing permissions and 13# limitations under the License. 14 15"""Utilities for Google Compute Engine 16 17Utilities for making it easier to use OAuth 2.0 on Google Compute Engine. 18""" 19 20import json 21import logging 22from six.moves import urllib 23 24from oauth2client._helpers import _from_bytes 25from oauth2client import util 26from oauth2client.client import HttpAccessTokenRefreshError 27from oauth2client.client import AssertionCredentials 28 29 30__author__ = '[email protected] (Joe Gregorio)' 31 32logger = logging.getLogger(__name__) 33 34# URI Template for the endpoint that returns access_tokens. 35META = ('http://metadata.google.internal/0.1/meta-data/service-accounts/' 36 'default/acquire{?scope}') 37 38 39class AppAssertionCredentials(AssertionCredentials): 40 """Credentials object for Compute Engine Assertion Grants 41 42 This object will allow a Compute Engine instance to identify itself to 43 Google and other OAuth 2.0 servers that can verify assertions. It can be 44 used for the purpose of accessing data stored under an account assigned to 45 the Compute Engine instance itself. 46 47 This credential does not require a flow to instantiate because it 48 represents a two legged flow, and therefore has all of the required 49 information to generate and refresh its own access tokens. 50 """ 51 52 @util.positional(2) 53 def __init__(self, scope, **kwargs): 54 """Constructor for AppAssertionCredentials 55 56 Args: 57 scope: string or iterable of strings, scope(s) of the credentials 58 being requested. 59 """ 60 self.scope = util.scopes_to_string(scope) 61 self.kwargs = kwargs 62 63 # Assertion type is no longer used, but still in the 64 # parent class signature. 65 super(AppAssertionCredentials, self).__init__(None) 66 67 @classmethod 68 def from_json(cls, json_data): 69 data = json.loads(_from_bytes(json_data)) 70 return AppAssertionCredentials(data['scope']) 71 72 def _refresh(self, http_request): 73 """Refreshes the access_token. 74 75 Skip all the storage hoops and just refresh using the API. 76 77 Args: 78 http_request: callable, a callable that matches the method 79 signature of httplib2.Http.request, used to make 80 the refresh request. 81 82 Raises: 83 HttpAccessTokenRefreshError: When the refresh fails. 84 """ 85 query = '?scope=%s' % urllib.parse.quote(self.scope, '') 86 uri = META.replace('{?scope}', query) 87 response, content = http_request(uri) 88 content = _from_bytes(content) 89 if response.status == 200: 90 try: 91 d = json.loads(content) 92 except Exception as e: 93 raise HttpAccessTokenRefreshError(str(e), 94 status=response.status) 95 self.access_token = d['accessToken'] 96 else: 97 if response.status == 404: 98 content += (' This can occur if a VM was created' 99 ' with no service account or scopes.') 100 raise HttpAccessTokenRefreshError(content, status=response.status) 101 102 @property 103 def serialization_data(self): 104 raise NotImplementedError( 105 'Cannot serialize credentials for GCE service accounts.') 106 107 def create_scoped_required(self): 108 return not self.scope 109 110 def create_scoped(self, scopes): 111 return AppAssertionCredentials(scopes, **self.kwargs) 112