Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromium / tools / depot_tools / b43d98bf64843cf59c60732de21b7c07f0ed302e / . / auth.py
blob: 204cfb7d4e942e2f74fd5f335e059de97a127e49 [file] [log] [blame]
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]1# Copyright 2015 The Chromium Authors. All rights reserved.
vadimsh@chromium.orgcf6a5d22015-04-09 22:02:00 +0000[diff] [blame]2# Use of this source code is governed by a BSD-style license that can be
3# found in the LICENSE file.
4
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]5"""Google OAuth2 related functions."""
vadimsh@chromium.orgcf6a5d22015-04-09 22:02:00 +0000[diff] [blame]6
Raul Tambre80ee78e2019-05-06 22:41:05 +0000[diff] [blame]7from __future__ import print_function
8
vadimsh@chromium.orgcf6a5d22015-04-09 22:02:00 +0000[diff] [blame]9import collections
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]10import datetime
11import functools
Edward Lemur202c5592019-10-21 22:44:52 +0000[diff] [blame]12import httplib2
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]13import json
14import logging
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]15import os
Edward Lemurba5bc992019-09-23 22:59:17 +0000[diff] [blame]16
17import subprocess2
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]18
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]19
Andrii Shyshkalov733d4ec2018-04-19 11:48:58 -0700[diff] [blame]20# This is what most GAE apps require for authentication.
21OAUTH_SCOPE_EMAIL = 'https://www.googleapis.com/auth/userinfo.email'
22# Gerrit and Git on *.googlesource.com require this scope.
23OAUTH_SCOPE_GERRIT = 'https://www.googleapis.com/auth/gerritcodereview'
24# Deprecated. Use OAUTH_SCOPE_EMAIL instead.
25OAUTH_SCOPES = OAUTH_SCOPE_EMAIL
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]26
vadimsh@chromium.orgcf6a5d22015-04-09 22:02:00 +0000[diff] [blame]27
Edward Lemuracf922c2019-10-18 18:02:43 +0000[diff] [blame]28# Mockable datetime.datetime.utcnow for testing.
29def datetime_now():
30 return datetime.datetime.utcnow()
31
32
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]33# OAuth access token with its expiration time (UTC datetime or None if unknown).
Andrii Shyshkalov733d4ec2018-04-19 11:48:58 -0700[diff] [blame]34class AccessToken(collections.namedtuple('AccessToken', [
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]35 'token',
36 'expires_at',
Andrii Shyshkalov733d4ec2018-04-19 11:48:58 -0700[diff] [blame]37 ])):
38
Edward Lemur5b929a42019-10-21 17:57:39 +0000[diff] [blame]39 def needs_refresh(self):
Andrii Shyshkalov733d4ec2018-04-19 11:48:58 -0700[diff] [blame]40 """True if this AccessToken should be refreshed."""
41 if self.expires_at is not None:
Edward Lemuracf922c2019-10-18 18:02:43 +0000[diff] [blame]42 # Allow 30s of clock skew between client and backend.
Edward Lemur5b929a42019-10-21 17:57:39 +0000[diff] [blame]43 return datetime_now() + datetime.timedelta(seconds=30) >= self.expires_at
Andrii Shyshkalov733d4ec2018-04-19 11:48:58 -0700[diff] [blame]44 # Token without expiration time never expires.
45 return False
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]46
47
Edward Lemur5b929a42019-10-21 17:57:39 +0000[diff] [blame]48class LoginRequiredError(Exception):
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]49 """Interaction with the user is required to authenticate."""
50
Edward Lemurba5bc992019-09-23 22:59:17 +0000[diff] [blame]51 def __init__(self, scopes=OAUTH_SCOPE_EMAIL):
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]52 msg = (
53 'You are not logged in. Please login first by running:\n'
Edward Lemurba5bc992019-09-23 22:59:17 +0000[diff] [blame]54 ' luci-auth login -scopes %s' % scopes)
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]55 super(LoginRequiredError, self).__init__(msg)
56
57
Andrii Shyshkalov733d4ec2018-04-19 11:48:58 -0700[diff] [blame]58def has_luci_context_local_auth():
Edward Lemur5b929a42019-10-21 17:57:39 +0000[diff] [blame]59 """Returns whether LUCI_CONTEXT should be used for ambient authentication."""
Edward Lemurb43d98b2019-10-30 17:33:20 +0000[diff] [blame^]60 ctx_path = os.environ.get('LUCI_CONTEXT')
61 if not ctx_path:
62 return False
63 try:
64 with open(ctx_path) as f:
65 loaded = json.load(f)
66 except (OSError, IOError, ValueError):
67 return False
68 return loaded.get('local_auth', {}).get('default_account_id') is not None
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]69
70
71class Authenticator(object):
72 """Object that knows how to refresh access tokens when needed.
73
74 Args:
Edward Lemur5b929a42019-10-21 17:57:39 +0000[diff] [blame]75 scopes: space separated oauth scopes. Defaults to OAUTH_SCOPE_EMAIL.
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]76 """
77
Edward Lemur5b929a42019-10-21 17:57:39 +0000[diff] [blame]78 def __init__(self, scopes=OAUTH_SCOPE_EMAIL):
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]79 self._access_token = None
seanmccullough@chromium.org3e4a5812015-06-11 17:48:47 +0000[diff] [blame]80 self._scopes = scopes
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]81
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]82 def has_cached_credentials(self):
Edward Lemuracf922c2019-10-18 18:02:43 +0000[diff] [blame]83 """Returns True if credentials can be obtained.
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]84
Edward Lemuracf922c2019-10-18 18:02:43 +0000[diff] [blame]85 If returns False, get_access_token() later will probably ask for interactive
Edward Lemur5b929a42019-10-21 17:57:39 +0000[diff] [blame]86 login by raising LoginRequiredError.
Edward Lesmes989bc352019-10-17 05:45:35 +0000[diff] [blame]87
Edward Lemuracf922c2019-10-18 18:02:43 +0000[diff] [blame]88 If returns True, get_access_token() won't ask for interactive login.
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]89 """
Edward Lemur5b929a42019-10-21 17:57:39 +0000[diff] [blame]90 return bool(self._get_luci_auth_token())
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]91
Edward Lemur5b929a42019-10-21 17:57:39 +0000[diff] [blame]92 def get_access_token(self):
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]93 """Returns AccessToken, refreshing it if necessary.
94
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]95 Raises:
Edward Lemur5b929a42019-10-21 17:57:39 +0000[diff] [blame]96 LoginRequiredError if user interaction is required.
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]97 """
Edward Lemur5b929a42019-10-21 17:57:39 +0000[diff] [blame]98 if self._access_token and not self._access_token.needs_refresh():
99 return self._access_token
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]100
Edward Lemur5b929a42019-10-21 17:57:39 +0000[diff] [blame]101 # Token expired or missing. Maybe some other process already updated it,
102 # reload from the cache.
103 self._access_token = self._get_luci_auth_token()
104 if self._access_token and not self._access_token.needs_refresh():
105 return self._access_token
Edward Lesmes989bc352019-10-17 05:45:35 +0000[diff] [blame]106
Edward Lemur5b929a42019-10-21 17:57:39 +0000[diff] [blame]107 # Nope, still expired. Needs user interaction.
108 logging.error('Failed to create access token')
109 raise LoginRequiredError(self._scopes)
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]110
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]111 def authorize(self, http):
112 """Monkey patches authentication logic of httplib2.Http instance.
113
114 The modified http.request method will add authentication headers to each
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]115 request.
116
117 Args:
118 http: An instance of httplib2.Http.
119
120 Returns:
121 A modified instance of http that was passed in.
122 """
123 # Adapted from oauth2client.OAuth2Credentials.authorize.
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]124 request_orig = http.request
125
126 @functools.wraps(request_orig)
127 def new_request(
128 uri, method='GET', body=None, headers=None,
129 redirections=httplib2.DEFAULT_MAX_REDIRECTS,
130 connection_type=None):
131 headers = (headers or {}).copy()
vadimsh@chromium.orgafbb0192015-04-13 23:26:31 +0000[diff] [blame]132 headers['Authorization'] = 'Bearer %s' % self.get_access_token().token
Edward Lemuracf922c2019-10-18 18:02:43 +0000[diff] [blame]133 return request_orig(
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]134 uri, method, body, headers, redirections, connection_type)
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]135
136 http.request = new_request
137 return http
138
139 ## Private methods.
140
Edward Lemuracf922c2019-10-18 18:02:43 +0000[diff] [blame]141 def _run_luci_auth_login(self):
142 """Run luci-auth login.
vadimsh@chromium.orgeed4df32015-04-10 21:30:20 +0000[diff] [blame]143
144 Returns:
Edward Lemuracf922c2019-10-18 18:02:43 +0000[diff] [blame]145 AccessToken with credentials.
Edward Lesmes989bc352019-10-17 05:45:35 +0000[diff] [blame]146 """
Edward Lemuracf922c2019-10-18 18:02:43 +0000[diff] [blame]147 logging.debug('Running luci-auth login')
148 subprocess2.check_call(['luci-auth', 'login', '-scopes', self._scopes])
149 return self._get_luci_auth_token()
Edward Lesmes989bc352019-10-17 05:45:35 +0000[diff] [blame]150
Edward Lemuracf922c2019-10-18 18:02:43 +0000[diff] [blame]151 def _get_luci_auth_token(self):
152 logging.debug('Running luci-auth token')
153 try:
154 out, err = subprocess2.check_call_out(
155 ['luci-auth', 'token', '-scopes', self._scopes, '-json-output', '-'],
156 stdout=subprocess2.PIPE, stderr=subprocess2.PIPE)
157 logging.debug('luci-auth token stderr:\n%s', err)
158 token_info = json.loads(out)
159 return AccessToken(
160 token_info['token'],
161 datetime.datetime.utcfromtimestamp(token_info['expiry']))
162 except subprocess2.CalledProcessError:
163 return None