Shortcuts on this page
r m x toggle line displays
j k next/prev highlighted chunk
0 (zero) top of page
1 (one) first highlighted chunk
1# Copyright 2016 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
15"""Transport adapter for Requests."""
17from __future__ import absolute_import
19import functools
20import logging
21import numbers
22import os
23import time
25try:
26 import requests
27except ImportError as caught_exc: # pragma: NO COVER
28 raise ImportError(
29 "The requests library is not installed from please install the requests package to use the requests transport."
30 ) from caught_exc
31import requests.adapters # pylint: disable=ungrouped-imports
32import requests.exceptions # pylint: disable=ungrouped-imports
33from requests.packages.urllib3.util.ssl_ import ( # type: ignore
34 create_urllib3_context,
35) # pylint: disable=ungrouped-imports
37from google.auth import environment_vars
38from google.auth import exceptions
39from google.auth import transport
40import google.auth.transport._mtls_helper
41from google.oauth2 import service_account
43_LOGGER = logging.getLogger(__name__)
45_DEFAULT_TIMEOUT = 120 # in seconds
48class _Response(transport.Response):
49 """Requests transport response adapter.
51 Args:
52 response (requests.Response): The raw Requests response.
53 """
55 def __init__(self, response):
56 self._response = response
58 @property
59 def status(self):
60 return self._response.status_code
62 @property
63 def headers(self):
64 return self._response.headers
66 @property
67 def data(self):
68 return self._response.content
71class TimeoutGuard(object):
72 """A context manager raising an error if the suite execution took too long.
74 Args:
75 timeout (Union[None, Union[float, Tuple[float, float]]]):
76 The maximum number of seconds a suite can run without the context
77 manager raising a timeout exception on exit. If passed as a tuple,
78 the smaller of the values is taken as a timeout. If ``None``, a
79 timeout error is never raised.
80 timeout_error_type (Optional[Exception]):
81 The type of the error to raise on timeout. Defaults to
82 :class:`requests.exceptions.Timeout`.
83 """
85 def __init__(self, timeout, timeout_error_type=requests.exceptions.Timeout):
86 self._timeout = timeout
87 self.remaining_timeout = timeout
88 self._timeout_error_type = timeout_error_type
90 def __enter__(self):
91 self._start = time.time()
92 return self
94 def __exit__(self, exc_type, exc_value, traceback):
95 if exc_value:
96 return # let the error bubble up automatically
98 if self._timeout is None:
99 return # nothing to do, the timeout was not specified
101 elapsed = time.time() - self._start
102 deadline_hit = False
104 if isinstance(self._timeout, numbers.Number):
105 self.remaining_timeout = self._timeout - elapsed
106 deadline_hit = self.remaining_timeout <= 0
107 else:
108 self.remaining_timeout = tuple(x - elapsed for x in self._timeout)
109 deadline_hit = min(self.remaining_timeout) <= 0
111 if deadline_hit:
112 raise self._timeout_error_type()
115class Request(transport.Request):
116 """Requests request adapter.
118 This class is used internally for making requests using various transports
119 in a consistent way. If you use :class:`AuthorizedSession` you do not need
120 to construct or use this class directly.
122 This class can be useful if you want to manually refresh a
123 :class:`~google.auth.credentials.Credentials` instance::
125 import google.auth.transport.requests
126 import requests
128 request = google.auth.transport.requests.Request()
130 credentials.refresh(request)
132 Args:
133 session (requests.Session): An instance :class:`requests.Session` used
134 to make HTTP requests. If not specified, a session will be created.
136 .. automethod:: __call__
137 """
139 def __init__(self, session=None):
140 if not session:
141 session = requests.Session()
143 self.session = session
145 def __del__(self):
146 try:
147 if hasattr(self, "session") and self.session is not None:
148 self.session.close()
149 except TypeError:
150 # NOTE: For certain Python binary built, the queue.Empty exception
151 # might not be considered a normal Python exception causing
152 # TypeError.
153 pass
155 def __call__(
156 self,
157 url,
158 method="GET",
159 body=None,
160 headers=None,
161 timeout=_DEFAULT_TIMEOUT,
162 **kwargs
163 ):
164 """Make an HTTP request using requests.
166 Args:
167 url (str): The URI to be requested.
168 method (str): The HTTP method to use for the request. Defaults
169 to 'GET'.
170 body (bytes): The payload or body in HTTP request.
171 headers (Mapping[str, str]): Request headers.
172 timeout (Optional[int]): The number of seconds to wait for a
173 response from the server. If not specified or if None, the
174 requests default timeout will be used.
175 kwargs: Additional arguments passed through to the underlying
176 requests :meth:`~requests.Session.request` method.
178 Returns:
179 google.auth.transport.Response: The HTTP response.
181 Raises:
182 google.auth.exceptions.TransportError: If any exception occurred.
183 """
184 try:
185 _LOGGER.debug("Making request: %s %s", method, url)
186 response = self.session.request(
187 method, url, data=body, headers=headers, timeout=timeout, **kwargs
188 )
189 return _Response(response)
190 except requests.exceptions.RequestException as caught_exc:
191 new_exc = exceptions.TransportError(caught_exc)
192 raise new_exc from caught_exc
195class _MutualTlsAdapter(requests.adapters.HTTPAdapter):
196 """
197 A TransportAdapter that enables mutual TLS.
199 Args:
200 cert (bytes): client certificate in PEM format
201 key (bytes): client private key in PEM format
203 Raises:
204 ImportError: if certifi or pyOpenSSL is not installed
205 OpenSSL.crypto.Error: if client cert or key is invalid
206 """
208 def __init__(self, cert, key):
209 import certifi
210 from OpenSSL import crypto
211 import urllib3.contrib.pyopenssl # type: ignore
213 urllib3.contrib.pyopenssl.inject_into_urllib3()
215 pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
216 x509 = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
218 ctx_poolmanager = create_urllib3_context()
219 ctx_poolmanager.load_verify_locations(cafile=certifi.where())
220 ctx_poolmanager._ctx.use_certificate(x509)
221 ctx_poolmanager._ctx.use_privatekey(pkey)
222 self._ctx_poolmanager = ctx_poolmanager
224 ctx_proxymanager = create_urllib3_context()
225 ctx_proxymanager.load_verify_locations(cafile=certifi.where())
226 ctx_proxymanager._ctx.use_certificate(x509)
227 ctx_proxymanager._ctx.use_privatekey(pkey)
228 self._ctx_proxymanager = ctx_proxymanager
230 super(_MutualTlsAdapter, self).__init__()
232 def init_poolmanager(self, *args, **kwargs):
233 kwargs["ssl_context"] = self._ctx_poolmanager
234 super(_MutualTlsAdapter, self).init_poolmanager(*args, **kwargs)
236 def proxy_manager_for(self, *args, **kwargs):
237 kwargs["ssl_context"] = self._ctx_proxymanager
238 return super(_MutualTlsAdapter, self).proxy_manager_for(*args, **kwargs)
241class _MutualTlsOffloadAdapter(requests.adapters.HTTPAdapter):
242 """
243 A TransportAdapter that enables mutual TLS and offloads the client side
244 signing operation to the signing library.
246 Args:
247 enterprise_cert_file_path (str): the path to a enterprise cert JSON
248 file. The file should contain the following field:
250 {
251 "libs": {
252 "signer_library": "...",
253 "offload_library": "..."
254 }
255 }
257 Raises:
258 ImportError: if certifi or pyOpenSSL is not installed
259 google.auth.exceptions.MutualTLSChannelError: If mutual TLS channel
260 creation failed for any reason.
261 """
263 def __init__(self, enterprise_cert_file_path):
264 import certifi
265 from google.auth.transport import _custom_tls_signer
267 self.signer = _custom_tls_signer.CustomTlsSigner(enterprise_cert_file_path)
268 self.signer.load_libraries()
270 if not self.signer.should_use_provider():
271 import urllib3.contrib.pyopenssl
273 urllib3.contrib.pyopenssl.inject_into_urllib3()
275 poolmanager = create_urllib3_context()
276 poolmanager.load_verify_locations(cafile=certifi.where())
277 self.signer.attach_to_ssl_context(poolmanager)
278 self._ctx_poolmanager = poolmanager
280 proxymanager = create_urllib3_context()
281 proxymanager.load_verify_locations(cafile=certifi.where())
282 self.signer.attach_to_ssl_context(proxymanager)
283 self._ctx_proxymanager = proxymanager
285 super(_MutualTlsOffloadAdapter, self).__init__()
287 def init_poolmanager(self, *args, **kwargs):
288 kwargs["ssl_context"] = self._ctx_poolmanager
289 super(_MutualTlsOffloadAdapter, self).init_poolmanager(*args, **kwargs)
291 def proxy_manager_for(self, *args, **kwargs):
292 kwargs["ssl_context"] = self._ctx_proxymanager
293 return super(_MutualTlsOffloadAdapter, self).proxy_manager_for(*args, **kwargs)
296class AuthorizedSession(requests.Session):
297 """A Requests Session class with credentials.
299 This class is used to perform requests to API endpoints that require
300 authorization::
302 from google.auth.transport.requests import AuthorizedSession
304 authed_session = AuthorizedSession(credentials)
306 response = authed_session.request(
307 'GET', 'https://www.googleapis.com/storage/v1/b')
310 The underlying :meth:`request` implementation handles adding the
311 credentials' headers to the request and refreshing credentials as needed.
313 This class also supports mutual TLS via :meth:`configure_mtls_channel`
314 method. In order to use this method, the `GOOGLE_API_USE_CLIENT_CERTIFICATE`
315 environment variable must be explicitly set to ``true``, otherwise it does
316 nothing. Assume the environment is set to ``true``, the method behaves in the
317 following manner:
319 If client_cert_callback is provided, client certificate and private
320 key are loaded using the callback; if client_cert_callback is None,
321 application default SSL credentials will be used. Exceptions are raised if
322 there are problems with the certificate, private key, or the loading process,
323 so it should be called within a try/except block.
325 First we set the environment variable to ``true``, then create an :class:`AuthorizedSession`
326 instance and specify the endpoints::
328 regular_endpoint = 'https://pubsub.googleapis.com/v1/projects/{my_project_id}/topics'
329 mtls_endpoint = 'https://pubsub.mtls.googleapis.com/v1/projects/{my_project_id}/topics'
331 authed_session = AuthorizedSession(credentials)
333 Now we can pass a callback to :meth:`configure_mtls_channel`::
335 def my_cert_callback():
336 # some code to load client cert bytes and private key bytes, both in
337 # PEM format.
338 some_code_to_load_client_cert_and_key()
339 if loaded:
340 return cert, key
341 raise MyClientCertFailureException()
343 # Always call configure_mtls_channel within a try/except block.
344 try:
345 authed_session.configure_mtls_channel(my_cert_callback)
346 except:
347 # handle exceptions.
349 if authed_session.is_mtls:
350 response = authed_session.request('GET', mtls_endpoint)
351 else:
352 response = authed_session.request('GET', regular_endpoint)
355 You can alternatively use application default SSL credentials like this::
357 try:
358 authed_session.configure_mtls_channel()
359 except:
360 # handle exceptions.
362 Args:
363 credentials (google.auth.credentials.Credentials): The credentials to
364 add to the request.
365 refresh_status_codes (Sequence[int]): Which HTTP status codes indicate
366 that credentials should be refreshed and the request should be
367 retried.
368 max_refresh_attempts (int): The maximum number of times to attempt to
369 refresh the credentials and retry the request.
370 refresh_timeout (Optional[int]): The timeout value in seconds for
371 credential refresh HTTP requests.
372 auth_request (google.auth.transport.requests.Request):
373 (Optional) An instance of
374 :class:`~google.auth.transport.requests.Request` used when
375 refreshing credentials. If not passed,
376 an instance of :class:`~google.auth.transport.requests.Request`
377 is created.
378 default_host (Optional[str]): A host like "pubsub.googleapis.com".
379 This is used when a self-signed JWT is created from service
380 account credentials.
381 """
383 def __init__(
384 self,
385 credentials,
386 refresh_status_codes=transport.DEFAULT_REFRESH_STATUS_CODES,
387 max_refresh_attempts=transport.DEFAULT_MAX_REFRESH_ATTEMPTS,
388 refresh_timeout=None,
389 auth_request=None,
390 default_host=None,
391 ):
392 super(AuthorizedSession, self).__init__()
393 self.credentials = credentials
394 self._refresh_status_codes = refresh_status_codes
395 self._max_refresh_attempts = max_refresh_attempts
396 self._refresh_timeout = refresh_timeout
397 self._is_mtls = False
398 self._default_host = default_host
400 if auth_request is None:
401 self._auth_request_session = requests.Session()
403 # Using an adapter to make HTTP requests robust to network errors.
404 # This adapter retrys HTTP requests when network errors occur
405 # and the requests seems safely retryable.
406 retry_adapter = requests.adapters.HTTPAdapter(max_retries=3)
407 self._auth_request_session.mount("https://", retry_adapter)
409 # Do not pass `self` as the session here, as it can lead to
410 # infinite recursion.
411 auth_request = Request(self._auth_request_session)
412 else:
413 self._auth_request_session = None
415 # Request instance used by internal methods (for example,
416 # credentials.refresh).
417 self._auth_request = auth_request
419 # https://google.aip.dev/auth/4111
420 # Attempt to use self-signed JWTs when a service account is used.
421 if isinstance(self.credentials, service_account.Credentials):
422 self.credentials._create_self_signed_jwt(
423 "https://{}/".format(self._default_host) if self._default_host else None
424 )
426 def configure_mtls_channel(self, client_cert_callback=None):
427 """Configure the client certificate and key for SSL connection.
429 The function does nothing unless `GOOGLE_API_USE_CLIENT_CERTIFICATE` is
430 explicitly set to `true`. In this case if client certificate and key are
431 successfully obtained (from the given client_cert_callback or from application
432 default SSL credentials), a :class:`_MutualTlsAdapter` instance will be mounted
433 to "https://" prefix.
435 Args:
436 client_cert_callback (Optional[Callable[[], (bytes, bytes)]]):
437 The optional callback returns the client certificate and private
438 key bytes both in PEM format.
439 If the callback is None, application default SSL credentials
440 will be used.
442 Raises:
443 google.auth.exceptions.MutualTLSChannelError: If mutual TLS channel
444 creation failed for any reason.
445 """
446 use_client_cert = os.getenv(
447 environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE, "false"
448 )
449 if use_client_cert != "true":
450 self._is_mtls = False
451 return
453 try:
454 import OpenSSL
455 except ImportError as caught_exc:
456 new_exc = exceptions.MutualTLSChannelError(caught_exc)
457 raise new_exc from caught_exc
459 try:
460 (
461 self._is_mtls,
462 cert,
463 key,
464 ) = google.auth.transport._mtls_helper.get_client_cert_and_key(
465 client_cert_callback
466 )
468 if self._is_mtls:
469 mtls_adapter = _MutualTlsAdapter(cert, key)
470 self.mount("https://", mtls_adapter)
471 except (
472 exceptions.ClientCertError,
473 ImportError,
474 OpenSSL.crypto.Error,
475 ) as caught_exc:
476 new_exc = exceptions.MutualTLSChannelError(caught_exc)
477 raise new_exc from caught_exc
479 def request(
480 self,
481 method,
482 url,
483 data=None,
484 headers=None,
485 max_allowed_time=None,
486 timeout=_DEFAULT_TIMEOUT,
487 **kwargs
488 ):
489 """Implementation of Requests' request.
491 Args:
492 timeout (Optional[Union[float, Tuple[float, float]]]):
493 The amount of time in seconds to wait for the server response
494 with each individual request. Can also be passed as a tuple
495 ``(connect_timeout, read_timeout)``. See :meth:`requests.Session.request`
496 documentation for details.
497 max_allowed_time (Optional[float]):
498 If the method runs longer than this, a ``Timeout`` exception is
499 automatically raised. Unlike the ``timeout`` parameter, this
500 value applies to the total method execution time, even if
501 multiple requests are made under the hood.
503 Mind that it is not guaranteed that the timeout error is raised
504 at ``max_allowed_time``. It might take longer, for example, if
505 an underlying request takes a lot of time, but the request
506 itself does not timeout, e.g. if a large file is being
507 transmitted. The timout error will be raised after such
508 request completes.
509 """
510 # pylint: disable=arguments-differ
511 # Requests has a ton of arguments to request, but only two
512 # (method, url) are required. We pass through all of the other
513 # arguments to super, so no need to exhaustively list them here.
515 # Use a kwarg for this instead of an attribute to maintain
516 # thread-safety.
517 _credential_refresh_attempt = kwargs.pop("_credential_refresh_attempt", 0)
519 # Make a copy of the headers. They will be modified by the credentials
520 # and we want to pass the original headers if we recurse.
521 request_headers = headers.copy() if headers is not None else {}
523 # Do not apply the timeout unconditionally in order to not override the
524 # _auth_request's default timeout.
525 auth_request = (
526 self._auth_request
527 if timeout is None
528 else functools.partial(self._auth_request, timeout=timeout)
529 )
531 remaining_time = max_allowed_time
533 with TimeoutGuard(remaining_time) as guard:
534 self.credentials.before_request(auth_request, method, url, request_headers)
535 remaining_time = guard.remaining_timeout
537 with TimeoutGuard(remaining_time) as guard:
538 response = super(AuthorizedSession, self).request(
539 method,
540 url,
541 data=data,
542 headers=request_headers,
543 timeout=timeout,
544 **kwargs
545 )
546 remaining_time = guard.remaining_timeout
548 # If the response indicated that the credentials needed to be
549 # refreshed, then refresh the credentials and re-attempt the
550 # request.
551 # A stored token may expire between the time it is retrieved and
552 # the time the request is made, so we may need to try twice.
553 if (
554 response.status_code in self._refresh_status_codes
555 and _credential_refresh_attempt < self._max_refresh_attempts
556 ):
558 _LOGGER.info(
559 "Refreshing credentials due to a %s response. Attempt %s/%s.",
560 response.status_code,
561 _credential_refresh_attempt + 1,
562 self._max_refresh_attempts,
563 )
565 # Do not apply the timeout unconditionally in order to not override the
566 # _auth_request's default timeout.
567 auth_request = (
568 self._auth_request
569 if timeout is None
570 else functools.partial(self._auth_request, timeout=timeout)
571 )
573 with TimeoutGuard(remaining_time) as guard:
574 self.credentials.refresh(auth_request)
575 remaining_time = guard.remaining_timeout
577 # Recurse. Pass in the original headers, not our modified set, but
578 # do pass the adjusted max allowed time (i.e. the remaining total time).
579 return self.request(
580 method,
581 url,
582 data=data,
583 headers=headers,
584 max_allowed_time=remaining_time,
585 timeout=timeout,
586 _credential_refresh_attempt=_credential_refresh_attempt + 1,
587 **kwargs
588 )
590 return response
592 @property
593 def is_mtls(self):
594 """Indicates if the created SSL channel is mutual TLS."""
595 return self._is_mtls
597 def close(self):
598 if self._auth_request_session is not None:
599 self._auth_request_session.close()
600 super(AuthorizedSession, self).close()