Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.8/site-packages/google/auth/transport/requests.py: 31%
183 statements
« prev ^ index » next coverage.py v7.3.1, created at 2023-09-25 06:37 +0000
1# Copyright 2016 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
15"""Transport adapter for Requests."""
17from __future__ import absolute_import
19import functools
20import logging
21import numbers
22import os
23import time
25try:
26 import requests
27except ImportError as caught_exc: # pragma: NO COVER
28 raise ImportError(
29 "The requests library is not installed from please install the requests package to use the requests transport."
30 ) from caught_exc
31import requests.adapters # pylint: disable=ungrouped-imports
32import requests.exceptions # pylint: disable=ungrouped-imports
33from requests.packages.urllib3.util.ssl_ import ( # type: ignore
34 create_urllib3_context,
35) # pylint: disable=ungrouped-imports
37from google.auth import environment_vars
38from google.auth import exceptions
39from google.auth import transport
40import google.auth.transport._mtls_helper
41from google.oauth2 import service_account
43_LOGGER = logging.getLogger(__name__)
45_DEFAULT_TIMEOUT = 120 # in seconds
48class _Response(transport.Response):
49 """Requests transport response adapter.
51 Args:
52 response (requests.Response): The raw Requests response.
53 """
55 def __init__(self, response):
56 self._response = response
58 @property
59 def status(self):
60 return self._response.status_code
62 @property
63 def headers(self):
64 return self._response.headers
66 @property
67 def data(self):
68 return self._response.content
71class TimeoutGuard(object):
72 """A context manager raising an error if the suite execution took too long.
74 Args:
75 timeout (Union[None, Union[float, Tuple[float, float]]]):
76 The maximum number of seconds a suite can run without the context
77 manager raising a timeout exception on exit. If passed as a tuple,
78 the smaller of the values is taken as a timeout. If ``None``, a
79 timeout error is never raised.
80 timeout_error_type (Optional[Exception]):
81 The type of the error to raise on timeout. Defaults to
82 :class:`requests.exceptions.Timeout`.
83 """
85 def __init__(self, timeout, timeout_error_type=requests.exceptions.Timeout):
86 self._timeout = timeout
87 self.remaining_timeout = timeout
88 self._timeout_error_type = timeout_error_type
90 def __enter__(self):
91 self._start = time.time()
92 return self
94 def __exit__(self, exc_type, exc_value, traceback):
95 if exc_value:
96 return # let the error bubble up automatically
98 if self._timeout is None:
99 return # nothing to do, the timeout was not specified
101 elapsed = time.time() - self._start
102 deadline_hit = False
104 if isinstance(self._timeout, numbers.Number):
105 self.remaining_timeout = self._timeout - elapsed
106 deadline_hit = self.remaining_timeout <= 0
107 else:
108 self.remaining_timeout = tuple(x - elapsed for x in self._timeout)
109 deadline_hit = min(self.remaining_timeout) <= 0
111 if deadline_hit:
112 raise self._timeout_error_type()
115class Request(transport.Request):
116 """Requests request adapter.
118 This class is used internally for making requests using various transports
119 in a consistent way. If you use :class:`AuthorizedSession` you do not need
120 to construct or use this class directly.
122 This class can be useful if you want to manually refresh a
123 :class:`~google.auth.credentials.Credentials` instance::
125 import google.auth.transport.requests
126 import requests
128 request = google.auth.transport.requests.Request()
130 credentials.refresh(request)
132 Args:
133 session (requests.Session): An instance :class:`requests.Session` used
134 to make HTTP requests. If not specified, a session will be created.
136 .. automethod:: __call__
137 """
139 def __init__(self, session=None):
140 if not session:
141 session = requests.Session()
143 self.session = session
145 def __del__(self):
146 try:
147 if hasattr(self, "session") and self.session is not None:
148 self.session.close()
149 except TypeError:
150 # NOTE: For certain Python binary built, the queue.Empty exception
151 # might not be considered a normal Python exception causing
152 # TypeError.
153 pass
155 def __call__(
156 self,
157 url,
158 method="GET",
159 body=None,
160 headers=None,
161 timeout=_DEFAULT_TIMEOUT,
162 **kwargs
163 ):
164 """Make an HTTP request using requests.
166 Args:
167 url (str): The URI to be requested.
168 method (str): The HTTP method to use for the request. Defaults
169 to 'GET'.
170 body (bytes): The payload or body in HTTP request.
171 headers (Mapping[str, str]): Request headers.
172 timeout (Optional[int]): The number of seconds to wait for a
173 response from the server. If not specified or if None, the
174 requests default timeout will be used.
175 kwargs: Additional arguments passed through to the underlying
176 requests :meth:`~requests.Session.request` method.
178 Returns:
179 google.auth.transport.Response: The HTTP response.
181 Raises:
182 google.auth.exceptions.TransportError: If any exception occurred.
183 """
184 try:
185 _LOGGER.debug("Making request: %s %s", method, url)
186 response = self.session.request(
187 method, url, data=body, headers=headers, timeout=timeout, **kwargs
188 )
189 return _Response(response)
190 except requests.exceptions.RequestException as caught_exc:
191 new_exc = exceptions.TransportError(caught_exc)
192 raise new_exc from caught_exc
195class _MutualTlsAdapter(requests.adapters.HTTPAdapter):
196 """
197 A TransportAdapter that enables mutual TLS.
199 Args:
200 cert (bytes): client certificate in PEM format
201 key (bytes): client private key in PEM format
203 Raises:
204 ImportError: if certifi or pyOpenSSL is not installed
205 OpenSSL.crypto.Error: if client cert or key is invalid
206 """
208 def __init__(self, cert, key):
209 import certifi
210 from OpenSSL import crypto
211 import urllib3.contrib.pyopenssl # type: ignore
213 urllib3.contrib.pyopenssl.inject_into_urllib3()
215 pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
216 x509 = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
218 ctx_poolmanager = create_urllib3_context()
219 ctx_poolmanager.load_verify_locations(cafile=certifi.where())
220 ctx_poolmanager._ctx.use_certificate(x509)
221 ctx_poolmanager._ctx.use_privatekey(pkey)
222 self._ctx_poolmanager = ctx_poolmanager
224 ctx_proxymanager = create_urllib3_context()
225 ctx_proxymanager.load_verify_locations(cafile=certifi.where())
226 ctx_proxymanager._ctx.use_certificate(x509)
227 ctx_proxymanager._ctx.use_privatekey(pkey)
228 self._ctx_proxymanager = ctx_proxymanager
230 super(_MutualTlsAdapter, self).__init__()
232 def init_poolmanager(self, *args, **kwargs):
233 kwargs["ssl_context"] = self._ctx_poolmanager
234 super(_MutualTlsAdapter, self).init_poolmanager(*args, **kwargs)
236 def proxy_manager_for(self, *args, **kwargs):
237 kwargs["ssl_context"] = self._ctx_proxymanager
238 return super(_MutualTlsAdapter, self).proxy_manager_for(*args, **kwargs)
241class _MutualTlsOffloadAdapter(requests.adapters.HTTPAdapter):
242 """
243 A TransportAdapter that enables mutual TLS and offloads the client side
244 signing operation to the signing library.
246 Args:
247 enterprise_cert_file_path (str): the path to a enterprise cert JSON
248 file. The file should contain the following field:
250 {
251 "libs": {
252 "signer_library": "...",
253 "offload_library": "..."
254 }
255 }
257 Raises:
258 ImportError: if certifi or pyOpenSSL is not installed
259 google.auth.exceptions.MutualTLSChannelError: If mutual TLS channel
260 creation failed for any reason.
261 """
263 def __init__(self, enterprise_cert_file_path):
264 import certifi
265 import urllib3.contrib.pyopenssl
267 from google.auth.transport import _custom_tls_signer
269 # Call inject_into_urllib3 to activate certificate checking. See the
270 # following links for more info:
271 # (1) doc: https://github.com/urllib3/urllib3/blob/cb9ebf8aac5d75f64c8551820d760b72b619beff/src/urllib3/contrib/pyopenssl.py#L31-L32
272 # (2) mTLS example: https://github.com/urllib3/urllib3/issues/474#issuecomment-253168415
273 urllib3.contrib.pyopenssl.inject_into_urllib3()
275 self.signer = _custom_tls_signer.CustomTlsSigner(enterprise_cert_file_path)
276 self.signer.load_libraries()
277 self.signer.set_up_custom_key()
279 poolmanager = create_urllib3_context()
280 poolmanager.load_verify_locations(cafile=certifi.where())
281 self.signer.attach_to_ssl_context(poolmanager)
282 self._ctx_poolmanager = poolmanager
284 proxymanager = create_urllib3_context()
285 proxymanager.load_verify_locations(cafile=certifi.where())
286 self.signer.attach_to_ssl_context(proxymanager)
287 self._ctx_proxymanager = proxymanager
289 super(_MutualTlsOffloadAdapter, self).__init__()
291 def init_poolmanager(self, *args, **kwargs):
292 kwargs["ssl_context"] = self._ctx_poolmanager
293 super(_MutualTlsOffloadAdapter, self).init_poolmanager(*args, **kwargs)
295 def proxy_manager_for(self, *args, **kwargs):
296 kwargs["ssl_context"] = self._ctx_proxymanager
297 return super(_MutualTlsOffloadAdapter, self).proxy_manager_for(*args, **kwargs)
300class AuthorizedSession(requests.Session):
301 """A Requests Session class with credentials.
303 This class is used to perform requests to API endpoints that require
304 authorization::
306 from google.auth.transport.requests import AuthorizedSession
308 authed_session = AuthorizedSession(credentials)
310 response = authed_session.request(
311 'GET', 'https://www.googleapis.com/storage/v1/b')
314 The underlying :meth:`request` implementation handles adding the
315 credentials' headers to the request and refreshing credentials as needed.
317 This class also supports mutual TLS via :meth:`configure_mtls_channel`
318 method. In order to use this method, the `GOOGLE_API_USE_CLIENT_CERTIFICATE`
319 environment variable must be explicitly set to ``true``, otherwise it does
320 nothing. Assume the environment is set to ``true``, the method behaves in the
321 following manner:
323 If client_cert_callback is provided, client certificate and private
324 key are loaded using the callback; if client_cert_callback is None,
325 application default SSL credentials will be used. Exceptions are raised if
326 there are problems with the certificate, private key, or the loading process,
327 so it should be called within a try/except block.
329 First we set the environment variable to ``true``, then create an :class:`AuthorizedSession`
330 instance and specify the endpoints::
332 regular_endpoint = 'https://pubsub.googleapis.com/v1/projects/{my_project_id}/topics'
333 mtls_endpoint = 'https://pubsub.mtls.googleapis.com/v1/projects/{my_project_id}/topics'
335 authed_session = AuthorizedSession(credentials)
337 Now we can pass a callback to :meth:`configure_mtls_channel`::
339 def my_cert_callback():
340 # some code to load client cert bytes and private key bytes, both in
341 # PEM format.
342 some_code_to_load_client_cert_and_key()
343 if loaded:
344 return cert, key
345 raise MyClientCertFailureException()
347 # Always call configure_mtls_channel within a try/except block.
348 try:
349 authed_session.configure_mtls_channel(my_cert_callback)
350 except:
351 # handle exceptions.
353 if authed_session.is_mtls:
354 response = authed_session.request('GET', mtls_endpoint)
355 else:
356 response = authed_session.request('GET', regular_endpoint)
359 You can alternatively use application default SSL credentials like this::
361 try:
362 authed_session.configure_mtls_channel()
363 except:
364 # handle exceptions.
366 Args:
367 credentials (google.auth.credentials.Credentials): The credentials to
368 add to the request.
369 refresh_status_codes (Sequence[int]): Which HTTP status codes indicate
370 that credentials should be refreshed and the request should be
371 retried.
372 max_refresh_attempts (int): The maximum number of times to attempt to
373 refresh the credentials and retry the request.
374 refresh_timeout (Optional[int]): The timeout value in seconds for
375 credential refresh HTTP requests.
376 auth_request (google.auth.transport.requests.Request):
377 (Optional) An instance of
378 :class:`~google.auth.transport.requests.Request` used when
379 refreshing credentials. If not passed,
380 an instance of :class:`~google.auth.transport.requests.Request`
381 is created.
382 default_host (Optional[str]): A host like "pubsub.googleapis.com".
383 This is used when a self-signed JWT is created from service
384 account credentials.
385 """
387 def __init__(
388 self,
389 credentials,
390 refresh_status_codes=transport.DEFAULT_REFRESH_STATUS_CODES,
391 max_refresh_attempts=transport.DEFAULT_MAX_REFRESH_ATTEMPTS,
392 refresh_timeout=None,
393 auth_request=None,
394 default_host=None,
395 ):
396 super(AuthorizedSession, self).__init__()
397 self.credentials = credentials
398 self._refresh_status_codes = refresh_status_codes
399 self._max_refresh_attempts = max_refresh_attempts
400 self._refresh_timeout = refresh_timeout
401 self._is_mtls = False
402 self._default_host = default_host
404 if auth_request is None:
405 self._auth_request_session = requests.Session()
407 # Using an adapter to make HTTP requests robust to network errors.
408 # This adapter retrys HTTP requests when network errors occur
409 # and the requests seems safely retryable.
410 retry_adapter = requests.adapters.HTTPAdapter(max_retries=3)
411 self._auth_request_session.mount("https://", retry_adapter)
413 # Do not pass `self` as the session here, as it can lead to
414 # infinite recursion.
415 auth_request = Request(self._auth_request_session)
416 else:
417 self._auth_request_session = None
419 # Request instance used by internal methods (for example,
420 # credentials.refresh).
421 self._auth_request = auth_request
423 # https://google.aip.dev/auth/4111
424 # Attempt to use self-signed JWTs when a service account is used.
425 if isinstance(self.credentials, service_account.Credentials):
426 self.credentials._create_self_signed_jwt(
427 "https://{}/".format(self._default_host) if self._default_host else None
428 )
430 def configure_mtls_channel(self, client_cert_callback=None):
431 """Configure the client certificate and key for SSL connection.
433 The function does nothing unless `GOOGLE_API_USE_CLIENT_CERTIFICATE` is
434 explicitly set to `true`. In this case if client certificate and key are
435 successfully obtained (from the given client_cert_callback or from application
436 default SSL credentials), a :class:`_MutualTlsAdapter` instance will be mounted
437 to "https://" prefix.
439 Args:
440 client_cert_callback (Optional[Callable[[], (bytes, bytes)]]):
441 The optional callback returns the client certificate and private
442 key bytes both in PEM format.
443 If the callback is None, application default SSL credentials
444 will be used.
446 Raises:
447 google.auth.exceptions.MutualTLSChannelError: If mutual TLS channel
448 creation failed for any reason.
449 """
450 use_client_cert = os.getenv(
451 environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE, "false"
452 )
453 if use_client_cert != "true":
454 self._is_mtls = False
455 return
457 try:
458 import OpenSSL
459 except ImportError as caught_exc:
460 new_exc = exceptions.MutualTLSChannelError(caught_exc)
461 raise new_exc from caught_exc
463 try:
464 (
465 self._is_mtls,
466 cert,
467 key,
468 ) = google.auth.transport._mtls_helper.get_client_cert_and_key(
469 client_cert_callback
470 )
472 if self._is_mtls:
473 mtls_adapter = _MutualTlsAdapter(cert, key)
474 self.mount("https://", mtls_adapter)
475 except (
476 exceptions.ClientCertError,
477 ImportError,
478 OpenSSL.crypto.Error,
479 ) as caught_exc:
480 new_exc = exceptions.MutualTLSChannelError(caught_exc)
481 raise new_exc from caught_exc
483 def request(
484 self,
485 method,
486 url,
487 data=None,
488 headers=None,
489 max_allowed_time=None,
490 timeout=_DEFAULT_TIMEOUT,
491 **kwargs
492 ):
493 """Implementation of Requests' request.
495 Args:
496 timeout (Optional[Union[float, Tuple[float, float]]]):
497 The amount of time in seconds to wait for the server response
498 with each individual request. Can also be passed as a tuple
499 ``(connect_timeout, read_timeout)``. See :meth:`requests.Session.request`
500 documentation for details.
501 max_allowed_time (Optional[float]):
502 If the method runs longer than this, a ``Timeout`` exception is
503 automatically raised. Unlike the ``timeout`` parameter, this
504 value applies to the total method execution time, even if
505 multiple requests are made under the hood.
507 Mind that it is not guaranteed that the timeout error is raised
508 at ``max_allowed_time``. It might take longer, for example, if
509 an underlying request takes a lot of time, but the request
510 itself does not timeout, e.g. if a large file is being
511 transmitted. The timout error will be raised after such
512 request completes.
513 """
514 # pylint: disable=arguments-differ
515 # Requests has a ton of arguments to request, but only two
516 # (method, url) are required. We pass through all of the other
517 # arguments to super, so no need to exhaustively list them here.
519 # Use a kwarg for this instead of an attribute to maintain
520 # thread-safety.
521 _credential_refresh_attempt = kwargs.pop("_credential_refresh_attempt", 0)
523 # Make a copy of the headers. They will be modified by the credentials
524 # and we want to pass the original headers if we recurse.
525 request_headers = headers.copy() if headers is not None else {}
527 # Do not apply the timeout unconditionally in order to not override the
528 # _auth_request's default timeout.
529 auth_request = (
530 self._auth_request
531 if timeout is None
532 else functools.partial(self._auth_request, timeout=timeout)
533 )
535 remaining_time = max_allowed_time
537 with TimeoutGuard(remaining_time) as guard:
538 self.credentials.before_request(auth_request, method, url, request_headers)
539 remaining_time = guard.remaining_timeout
541 with TimeoutGuard(remaining_time) as guard:
542 response = super(AuthorizedSession, self).request(
543 method,
544 url,
545 data=data,
546 headers=request_headers,
547 timeout=timeout,
548 **kwargs
549 )
550 remaining_time = guard.remaining_timeout
552 # If the response indicated that the credentials needed to be
553 # refreshed, then refresh the credentials and re-attempt the
554 # request.
555 # A stored token may expire between the time it is retrieved and
556 # the time the request is made, so we may need to try twice.
557 if (
558 response.status_code in self._refresh_status_codes
559 and _credential_refresh_attempt < self._max_refresh_attempts
560 ):
562 _LOGGER.info(
563 "Refreshing credentials due to a %s response. Attempt %s/%s.",
564 response.status_code,
565 _credential_refresh_attempt + 1,
566 self._max_refresh_attempts,
567 )
569 # Do not apply the timeout unconditionally in order to not override the
570 # _auth_request's default timeout.
571 auth_request = (
572 self._auth_request
573 if timeout is None
574 else functools.partial(self._auth_request, timeout=timeout)
575 )
577 with TimeoutGuard(remaining_time) as guard:
578 self.credentials.refresh(auth_request)
579 remaining_time = guard.remaining_timeout
581 # Recurse. Pass in the original headers, not our modified set, but
582 # do pass the adjusted max allowed time (i.e. the remaining total time).
583 return self.request(
584 method,
585 url,
586 data=data,
587 headers=headers,
588 max_allowed_time=remaining_time,
589 timeout=timeout,
590 _credential_refresh_attempt=_credential_refresh_attempt + 1,
591 **kwargs
592 )
594 return response
596 @property
597 def is_mtls(self):
598 """Indicates if the created SSL channel is mutual TLS."""
599 return self._is_mtls
601 def close(self):
602 if self._auth_request_session is not None:
603 self._auth_request_session.close()
604 super(AuthorizedSession, self).close()