Source code for google.auth.app_engine

# Copyright 2016 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

"""Google App Engine standard environment support.

This module provides authentication and signing for applications running on App
Engine in the standard environment using the `App Identity API`_.


.. _App Identity API:
    https://cloud.google.com/appengine/docs/python/appidentity/
"""

import datetime

from google.auth import _helpers
from google.auth import credentials
from google.auth import crypt
from google.auth import exceptions

# pytype: disable=import-error
try:
    from google.appengine.api import app_identity  # type: ignore
except ImportError:
    app_identity = None  # type: ignore
# pytype: enable=import-error


[docs]class Signer(crypt.Signer): """Signs messages using the App Engine App Identity service. This can be used in place of :class:`google.auth.crypt.Signer` when running in the App Engine standard environment. """ @property def key_id(self): """Optional[str]: The key ID used to identify this private key. .. warning:: This is always ``None``. The key ID used by App Engine can not be reliably determined ahead of time. """ return None
[docs] @_helpers.copy_docstring(crypt.Signer) def sign(self, message): message = _helpers.to_bytes(message) _, signature = app_identity.sign_blob(message) return signature
[docs]def get_project_id(): """Gets the project ID for the current App Engine application. Returns: str: The project ID Raises: google.auth.exceptions.OSError: If the App Engine APIs are unavailable. """ # pylint: disable=missing-raises-doc # Pylint rightfully thinks google.auth.exceptions.OSError is OSError, but doesn't # realize it's a valid alias. if app_identity is None: raise exceptions.OSError("The App Engine APIs are not available.") return app_identity.get_application_id()
[docs]class Credentials( credentials.Scoped, credentials.Signing, credentials.CredentialsWithQuotaProject ): """App Engine standard environment credentials. These credentials use the App Engine App Identity API to obtain access tokens. """ def __init__( self, scopes=None, default_scopes=None, service_account_id=None, quota_project_id=None, ): """ Args: scopes (Sequence[str]): Scopes to request from the App Identity API. default_scopes (Sequence[str]): Default scopes passed by a Google client library. Use 'scopes' for user-defined scopes. service_account_id (str): The service account ID passed into :func:`google.appengine.api.app_identity.get_access_token`. If not specified, the default application service account ID will be used. quota_project_id (Optional[str]): The project ID used for quota and billing. Raises: google.auth.exceptions.OSError: If the App Engine APIs are unavailable. """ # pylint: disable=missing-raises-doc # Pylint rightfully thinks google.auth.exceptions.OSError is OSError, but doesn't # realize it's a valid alias. if app_identity is None: raise exceptions.OSError("The App Engine APIs are not available.") super(Credentials, self).__init__() self._scopes = scopes self._default_scopes = default_scopes self._service_account_id = service_account_id self._signer = Signer() self._quota_project_id = quota_project_id
[docs] @_helpers.copy_docstring(credentials.Credentials) def refresh(self, request): scopes = self._scopes if self._scopes is not None else self._default_scopes # pylint: disable=unused-argument token, ttl = app_identity.get_access_token(scopes, self._service_account_id) expiry = datetime.datetime.utcfromtimestamp(ttl) self.token, self.expiry = token, expiry
@property def service_account_email(self): """The service account email.""" if self._service_account_id is None: self._service_account_id = app_identity.get_service_account_name() return self._service_account_id @property def requires_scopes(self): """Checks if the credentials requires scopes. Returns: bool: True if there are no scopes set otherwise False. """ return not self._scopes and not self._default_scopes
[docs] @_helpers.copy_docstring(credentials.Scoped) def with_scopes(self, scopes, default_scopes=None): return self.__class__( scopes=scopes, default_scopes=default_scopes, service_account_id=self._service_account_id, quota_project_id=self.quota_project_id, )
[docs] @_helpers.copy_docstring(credentials.CredentialsWithQuotaProject) def with_quota_project(self, quota_project_id): return self.__class__( scopes=self._scopes, service_account_id=self._service_account_id, quota_project_id=quota_project_id, )
[docs] @_helpers.copy_docstring(credentials.Signing) def sign_bytes(self, message): return self._signer.sign(message)
@property # type: ignore @_helpers.copy_docstring(credentials.Signing) def signer_email(self): return self.service_account_email @property # type: ignore @_helpers.copy_docstring(credentials.Signing) def signer(self): return self._signer